From mbasti at redhat.com Wed Jun 1 04:04:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 06:04:54 +0200
Subject: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout
In-Reply-To: <98ffcdc1-e89e-06fb-2c0f-11d659b70d76@redhat.com>
References: <304a20ca-ca5b-8df7-f1ca-090c60ec3a01@redhat.com> <58d3d9ef-d8c5-50be-1348-3c8b2835d70d@redhat.com> <5c8a4e16-98b1-2e0c-3e78-c7e6e54098e9@redhat.com> <98ffcdc1-e89e-06fb-2c0f-11d659b70d76@redhat.com>
Message-ID:

On 31.05.2016 09:41, Stanislav Laznicka wrote:
> On 05/30/2016 02:12 PM, Petr Spacek wrote:
>> On 28.5.2016 15:59, Martin Basti wrote:
>>> On 27.05.2016 14:52, Stanislav Laznicka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5833
>>>>
>>> Is it possible to remove the timeout completely, as it used to be before?
>>>
>>> Even if this timeout is exceeded, the command continues executing and
>>> just doesn't print the result to the user.
>> I agree with Martin. The timeout is pointless, please remove it or
>> set it to 2^31 or so.
>>
> The documentation does not clearly state what happens in the corner
> cases of this setting. However, by looking at the source code, I'm
> guessing that 0 is the default value which would eventually point to
> the Apache TimeOut and negative values seem just wrong for them here.
> They are converting it with atoi(), so I propose to set this to 2^31-1.
>

Please put your findings to the ticket, patch LGTM. I will test it today.

Martin^2

From ftweedal at redhat.com Wed Jun 1 04:49:06 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 1 Jun 2016 14:49:06 +1000
Subject: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals
In-Reply-To: <98e01be1-16c2-5f3c-6f95-a6e6447a1f1f@redhat.com>
References: <20160408142339.GV18277@dhcp-40-8.bne.redhat.com> <1460126839.7463.195.camel@redhat.com> <20160409001100.GY18277@dhcp-40-8.bne.redhat.com> <1460467890.8657.25.camel@redhat.com> <20160413011550.GI18277@dhcp-40-8.bne.redhat.com> <20160414063300.GN18277@dhcp-40-8.bne.redhat.com> <1461008648.30315.24.camel@redhat.com> <20160420062254.GE18277@dhcp-40-8.bne.redhat.com> <98e01be1-16c2-5f3c-6f95-a6e6447a1f1f@redhat.com>
Message-ID: <20160601044906.GY4744@dhcp-40-8.bne.redhat.com>

Updated patch attached; comments inline below.

On Mon, Apr 25, 2016 at 07:55:46AM +0200, Jan Cholasta wrote:
> I think it would be better to merge the `client` and `client_servicename`
> into a single `client_principal` argument, as both of the arguments are used
> only to specify the principal name of the client.
>
Done.

> Also I would prefer if the keyfile and keytab arguments were required,
> because it's better if you can explicitly see what values are used at the
> call site.
>
Done.

> Why is init_creds() now called from __init__()? Why is it still called from
> _auth_header()?
>
I invoke it from __init__ for more eager failure if there's a problem
(e.g. service is not in keytab), giving better error locality. It
remains necessary to invoke it from _auth_header in case of
short-lived credentials. I added some comments to the source.

> Why is ldap_uri now passed to IPAKEMKeys()?
>
It tries to use LDAPI by default, so ldap_uri needs to be passed
through if the process owner cannot access the LDAPI socket. I added
commentary to the source.

Regarding your suggestion to make a base class and override class
variables, I prefer to pass values around. There are very few
instantiations of CustodiaClient so it is easy enough to follow.
Thanks,
Fraser

From ba34a8f5c9b3e31a511e01266e3d3fedd53bcca6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 8 Apr 2016 15:21:19 +1000
Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals

Currently CustodiaClient assumes that the client is the host principal,
and it is hard-coded to read the host keytab and server keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating replica.
Because this process runs as 'pkiuser', the host keys cannot be used;
instead, each Dogtag replica will have a service principal to use for
Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab. Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys because
without it, the client tries to use LDAPI, but may not have access.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipapython/secrets/client.py           | 20 +++++++++++++-------
 ipaserver/install/custodiainstance.py | 14 +++++++++++---
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..56ed6f7944c46393ed225cde1b5e0bb80fe6bef0 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,22 @@ class CustodiaClient(object): return iSecStore(config) - def __init__(self, client, server, realm, ldap_uri=None, auth_type=None): - self.client = client - self.creds = None + def __init__( + self, client_service, keyfile, keytab, server, realm, + ldap_uri=None, auth_type=None): + self.client_service = client_service + self.keytab = keytab + + # Init creds immediately to make sure they are valid. Creds + # can also be re-inited by _auth_header to avoid expiry. + # + self.creds = self.init_creds() self.service_name = gssapi.Name('HTTP@%s' % (server,), gssapi.NameType.hostbased_service) self.server = server - keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys') - self.ikk = IPAKEMKeys({'server_keys': keyfile}) + self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri}) self.kemcli = KEMClient(self._server_keys(server, realm), self._client_keys()) @@ -61,9 +67,9 @@ class CustodiaClient(object): requests.packages.urllib3.disable_warnings() def init_creds(self): - name = gssapi.Name('host@%s' % (self.client,), + name = gssapi.Name(self.client_service, gssapi.NameType.hostbased_service) - store = {'client_keytab': paths.KRB5_KEYTAB, + store = {'client_keytab': self.keytab, 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))} return gssapi.Credentials(name=name, store=store, usage='initiate') diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index d5c5bf738752ab4cf84f98285a37b820c80fa3be..be3f661caa4291bba91a90d5adaf17d63f903d30 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -12,6 +12,7 @@ from ipaserver.install import ldapupdate from ipaserver.install import sysupgrade from base64 import b64encode, b64decode from jwcrypto.common import json_decode +import functools import shutil import os import tempfile 
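Review bot: in the `@@ -41,16 +41,22 @@` hunk of `ipapython/secrets/client.py`, the removed `keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')` line (together with the `paths.KRB5_KEYTAB` removal in the following hunk) takes away what look like this module's only uses of `paths`; if nothing else in the file references it, the `paths` import is now dead and pyflakes will flag it, so drop it in the same patch. Separately, `IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})` now always carries an `'ldap_uri'` key, which is `None` whenever the caller omits the argument; please confirm that IPAKEMKeys treats an explicit `None` the same as an absent key (the LDAPI fallback the commit message describes), since the previous code never passed the key at all.

Review bot: in the `@@ -61,9 +67,9 @@` hunk, `init_creds()` still wraps the name in `gssapi.NameType.hostbased_service`, so `client_service` is expected in `service@host` form (as the `'host@' + self.fqdn` call site in `custodiainstance.py` supplies), but neither the new `__init__` signature nor a docstring says so and nothing validates it; a caller passing a bare service name would only find out at credential acquisition with a GSSAPI error. Suggest a constructor docstring spelling out the expected form of `client_service`, `keyfile` and `keytab` (all three are now required positional arguments) and an early `ValueError` if `client_service` contains no `@`.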
@@ -28,6 +29,13 @@ class CustodiaInstance(SimpleServiceInstance): self.fqdn = host_name self.realm = realm self.ca_is_configured = ca_is_configured + self.__CustodiaClient = functools.partial( + CustodiaClient, + client_service='host@' + self.fqdn, + keyfile=self.server_keys, + keytab=paths.KRB5_KEYTAB, + realm=realm, + ) def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' @@ -94,11 +102,11 @@ class CustodiaInstance(SimpleServiceInstance): updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')]) def __import_ra_key(self): - cli = CustodiaClient(self.fqdn, self.master_host_name, self.realm) + cli = self.__CustodiaClient(server=self.master_host_name) cli.fetch_key('ra/ipaCert') def import_dm_password(self, master_host_name): - cli = CustodiaClient(self.fqdn, master_host_name, self.realm) + cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): @@ -108,7 +116,7 @@ class CustodiaInstance(SimpleServiceInstance): prefix = data['prefix'] certlist = data['list'] - cli = CustodiaClient(self.fqdn, ca_host, self.realm) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb tmpnssdir = tempfile.mkdtemp(dir=paths.TMP) -- 2.5.5 From ftweedal at redhat.com Wed Jun 1 04:49:29 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 1 Jun 2016 14:49:29 +1000
Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication
In-Reply-To: <20160505065229.GU1237@dhcp-40-8.bne.redhat.com>
References: <20160414063937.GO18277@dhcp-40-8.bne.redhat.com> <20160421033003.GH18277@dhcp-40-8.bne.redhat.com> <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com>
Message-ID: <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com>

Updated patches attached; comments inline.

On Thu, May 05, 2016 at 04:52:29PM +1000, Fraser Tweedale wrote:
> > I would rather add a new ACI than have one super-ACI for everything. That
> > way you don't have to invent any complicated naming schemes *and* it will be
> > more apparent what the ACI does.
> >
> OK, I'll simplify the scheme and create corresponding ACIs.
>
I added new ACIs for hosts to manage Dogtag keys; the keys live in a
container with RDN cn=dogtag, nested under the main custodia keys
container.

> > >>However, calling `CAInstance.setup_lightweight_ca_key_retrieval()'
> > >>*directly* from `ca.install_step_1' would probably work. Are you
> > >>happy with putting it there, instead of `configure_instance()'?
> >
> > Works for me.
> >
> Cool, thanks.
>
This is implemented in the latest patch.

Cheers,
Fraser

From 7395f98bcec1e54b076cf9e2ceac1e4368cfe7c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Tue, 3 May 2016 13:22:39 +1000
Subject: [PATCH] Add ACIs for Dogtag custodia client

The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys. Add an ACI to permit this.

Also add ACIs to allow host principals to manage Dogtag custodia keys
for the same host.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 install/updates/20-aci.update | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 4802ae0458e8b870bf3127764ebabac1a48f7cf2..0d617d849be8a1fdc76bdeeda7560b032a45e629 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -136,3 +136,11 @@ add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5R dn: cn=ipa,cn=etc,$SUFFIX add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# IPA server hosts can create and manage Dogtag Custodia secrets for same host +dn: cn=ipa,cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create Dogtag Custodia secrets for same host"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) +add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia secrets for same host"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# Dogtag service principals can search Custodia keys +add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";) -- 2.5.5 -------------- next part -------------- 
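Review bot: in the `@@ -136,3 +136,11 @@` hunk of `install/updates/20-aci.update`, the blank line before `# Dogtag service principals can search Custodia keys` ends the `dn: cn=ipa,cn=etc,$SUFFIX` entry in the update-file format, so the third `add:aci:` line has no `dn:` of its own; either drop that blank line or repeat `dn: cn=ipa,cn=etc,$SUFFIX` in front of the comment, as the block just above does. On the ACI itself, `userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,..."` grants every Dogtag service principal read/search/compare over all entries under `cn=custodia`, not only its own host's; because `ipaPublicKey`, `ipaKeyUsage` and `memberPrincipal` are the public half of the KEM keys that is the scope the commit message intends, but the comment line should say the realm-wide wildcard is deliberate so a later reader does not tighten it to `($$dn)` by analogy with the host ACIs.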
From 78bdf20af5dfaaa67ba0ba8b160f18c8cf31d54c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 11 Apr 2016 12:42:35 +1000
Subject: [PATCH 53/54] Optionally add service name to Custodia key DNs

Lightweight CAs support introduces new service principals for Dogtag,
with Custodia keys. The current Custodia key creation uses a DN that
contains only the key type and the hostname, so keys for multiple
services on the same host cannot be created.

Add the 'generate_keys' method to generate keys for a host or an
arbitrary service. When a service name is given, add the key entries
in a nested container with RDN 'cn='. (The container is assumed to
exist).

This change does not affect searching because subtree search is used,
filtering on the ipaKeyUsage and memberPrincipal attributes.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipapython/secrets/kem.py | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index 0abf28ae4403a7b6225404df361d12cb07ccc70b..0b810b090a0e7dff09d64a5ef8752eba2676babc 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -3,6 +3,7 @@ from __future__ import print_function from ipaplatform.paths import paths from six.moves.configparser import ConfigParser +from ipapython.dn import DN from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa, ec
@@ -105,11 +106,23 @@ class KEMLdap(iSecLdap): encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo) - def set_key(self, usage, host, principal, key): + def set_key(self, usage, servicename, host, principal, key): + """ + Write key for the host or service. + + Service keys are nested one level beneath the 'cn=custodia' + container, in the 'cn=' container; this allows + fine-grained control over key management permissions for + specific services. + + The container is assumed to exist. + + """ public_key = self._format_public_key(key) conn = self.connect() name = '%s/%s' % (KEY_USAGE_MAP[usage], host) - dn = 'cn=%s,%s' % (name, self.keysbase) + service_rdn = ('cn', servicename) if servicename else DN() + dn = str(DN(('cn', name), service_rdn, self.keysbase)) try: mods = [('objectClass', ['nsContainer', 'ipaKeyPolicy', @@ -170,15 +183,18 @@ class IPAKEMKeys(KEMKeysStore): return conn.get_key(usage, kid) def generate_server_keys(self): - principal = 'host/%s@%s' % (self.host, self.realm) + self.generate_keys() + + def generate_keys(self, servicename=None): + principal = '%s/%s@%s' % (servicename or 'host', self.host, self.realm) # Neutralize the key with read if any self._server_keys = None # Generate private key and store it pubkeys = newServerKeys(self.config['server_keys'], principal) # Store public key in LDAP ldapconn = KEMLdap(self.ldap_uri) - ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0]) - ldapconn.set_key(KEY_USAGE_ENC, self.host, principal, pubkeys[1]) + ldapconn.set_key(KEY_USAGE_SIG, servicename, self.host, principal, pubkeys[0]) + ldapconn.set_key(KEY_USAGE_ENC, servicename, self.host, principal, pubkeys[1]) @property def server_keys(self): -- 2.5.5 -------------- next part -------------- From 38f0d556f355eba118be0f838e637279f7aae55b Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale
Date: Wed, 1 Jun 2016 08:07:33 +1000
Subject: [PATCH 54/54] Setup lightweight CA key retrieval on install/upgrade

Add the ipa-pki-retrieve-key helper program and configure lightweight
CA key replication on installation and upgrade. The specific
configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the principal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to
  invoke ipa-pki-retrieve-key for key retrieval

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 freeipa.spec.in                       |  1 +
 install/share/bootstrap-template.ldif |  6 ++++
 install/tools/Makefile.am             |  1 +
 install/tools/ipa-pki-retrieve-key    | 44 +++++++++++++++++++++++++++
 install/updates/73-custodia.update    |  5 ++++
 ipalib/constants.py                   |  1 +
 ipaserver/install/ca.py               |  9 +++++-
 ipaserver/install/cainstance.py       | 56 +++++++++++++++++++++++++++++++++++
 ipaserver/install/server/install.py   |  6 ++--
 ipaserver/install/server/upgrade.py   |  4 ++-
 10 files changed, 128 insertions(+), 5 deletions(-)
 create mode 100755 install/tools/ipa-pki-retrieve-key

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c6499a5c6073ac4c2814d7ad14964927b88b1981..0946b30bcf6d2624d4e2baf3a6fed3436a61a58c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1074,6 +1074,7 @@ fi %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-pki-retrieve-key %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..456633012510acbce3c73fb9bf9b20f7d80944fe 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -173,6 +173,12 @@ objectClass: nsContainer objectClass: top cn: custodia +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: dogtag + dn: cn=s4u2proxy,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 7212dabdbf968ee76cb2830e5054fe1a27712225..2866a30b2feacfec29a22eaf7965216fbbd69665 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -39,6 +39,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ ipa-httpd-kdcproxy \ + ipa-pki-retrieve-key \ $(NULL) MAINTAINERCLEANFILES = \ diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key new file mode 100755 index 0000000000000000000000000000000000000000..6f6ea44fba7fbcddbd55ba8be373efb5e1301d06 --- /dev/null +++ b/install/tools/ipa-pki-retrieve-key 
@@ -0,0 +1,44 @@ +#!/usr/bin/python2 + +from __future__ import print_function + +import ConfigParser +import base64 +import os +import sys + +from jwcrypto.common import json_decode + +from ipalib import constants +from ipaplatform.paths import paths +from ipapython.secrets.client import CustodiaClient + +conf = ConfigParser.ConfigParser() +conf.read(paths.IPA_DEFAULT_CONF) +hostname = conf.get('global', 'host') +realm = conf.get('global', 'realm') + +keyname = "ca_wrapped/" + sys.argv[1] +servername = sys.argv[2] + +service = constants.PKI_GSSAPI_SERVICE_NAME +client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') +client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + +client = CustodiaClient( + client_service='%s@%s' % (service, hostname), server=servername, + realm=realm, ldap_uri="ldaps://" + hostname, + keyfile=client_keyfile, keytab=client_keytab, + ) + +result_json = client.fetch_key(keyname, store=False) +result = json_decode(result_json) +certificate = result["certificate"] +wrapped_key = base64.b64decode(result["wrapped_key"]) + +# Custodia returns a PEM-encoded certificate and a base64-encoded +# DER PKIArchiveOptions object. Output these values, separated by a +# null byte (certificate first), to be read by the Java +# IPACustodiaKeyRetriever that invoked this program. + +print(certificate, wrapped_key, sep='\0', end='') diff --git a/install/updates/73-custodia.update b/install/updates/73-custodia.update index f6520fb2e36dd1b234344a8cc4199ab72c664163..60f805ab82f141777c0d7731d4a0362e76961cce 100644 --- a/install/updates/73-custodia.update +++ b/install/updates/73-custodia.update @@ -2,3 +2,8 @@ dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX default: objectClass: top default: objectClass: nsContainer default: cn: custodia + +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +default: objectClass: top +default: objectClass: nsContainer +default: cn: dogtag 
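Review bot: in the `@@ -0,0 +1,44 @@` hunk adding `install/tools/ipa-pki-retrieve-key`, `sys.argv[1]` and `sys.argv[2]` are read unchecked, so an invocation with a missing argument dies with an `IndexError` traceback rather than a usage message, and a failure in `client.fetch_key(keyname, store=False)` or `json_decode(result_json)` likewise surfaces as a raw traceback; since the consumer is Dogtag's `ExternalProcessKeyRetriever`, which only sees the exit status and the NUL-separated output, add an argument-count check and wrap the fetch/decode in a `try` that logs the error and exits non-zero, otherwise partial output could be mistaken for a result. Minor: `import ConfigParser` pins the script to Python 2 (the rest of the tree imports `six.moves.configparser`), and the executable path this script is registered under is hard-coded again in `cainstance.py`; a single constant in `paths` would keep the two in step.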
diff --git a/ipalib/constants.py b/ipalib/constants.py index 021f18cd366b821427bdbfcc5e354d2047ef39b1..d544595898e52d3910cff94fc3cc0276fe099a98 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -261,3 +261,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' +PKI_GSSAPI_SERVICE_NAME = 'dogtag' diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 3a827aee86616d874bdc3d1a5735e46d1ab9bf9b..ac72c76883fda00e2f258a9ecfe9925722041fe9 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -182,7 +182,7 @@ def install_step_1(standalone, replica_config, options): basedn = ipautil.realm_to_suffix(realm_name) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') @@ -197,6 +197,13 @@ def install_step_1(standalone, replica_config, options): # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) + # Lightweight CA key retrieval is configured in step 1 instead + # of CAInstance.configure_instance (which is invoked from step + # 0) because kadmin_addprinc fails until krb5.conf is installed + # by krb.create_instance. + # + ca.setup_lightweight_ca_key_retrieval() + if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 475e74d7fbf796a87e1673fc997c05e41e352d2a..9f6a5037f92ad0168e80267999c7fbf5b7634ae0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -45,6 +45,7 @@ from six.moves.configparser import ConfigParser, RawConfigParser from ipalib import api from ipalib import pkcs10, x509 from ipalib import errors +import ipalib.constants from ipaplatform import services from ipaplatform.constants import constants 
@@ -59,6 +60,7 @@ from ipapython.certdb import get_ca_nickname from ipapython.dn import DN from ipapython.ipa_log_manager import log_mgr,\ standard_logging_setup, root_logger +from ipapython.secrets.kem import IPAKEMKeys from ipaserver.install import certs from ipaserver.install import dsinstance @@ -66,6 +68,7 @@ from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import service +from ipaserver.install import sysupgrade from ipaserver.install.dogtaginstance import (export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 
@@ -1356,11 +1359,64 @@ class CAInstance(DogtagInstance): self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) + self.step("Configure lightweight CA key retrieval", + self.setup_lightweight_ca_key_retrieval) self.step("enabling CA instance", self.__enable_instance) self.start_creation(runtime=210) + def setup_lightweight_ca_key_retrieval(self): + if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'): + return + + root_logger.info('[Set up lightweight CA key retrieval]') + + self.__setup_lightweight_ca_key_retrieval_kerberos() + self.__setup_lightweight_ca_key_retrieval_custodia() + + root_logger.info('Configuring key retriever') + directives = [ + ('features.authority.keyRetrieverClass', + 'com.netscape.ca.ExternalProcessKeyRetriever'), + ('features.authority.keyRetrieverConfig.executable', + '/usr/libexec/ipa/ipa-pki-retrieve-key'), + ] + for k, v in directives: + installutils.set_directive( + paths.CA_CS_CFG_PATH, k, v, quotes=False, separator='=') + + sysupgrade.set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True) + + def __setup_lightweight_ca_key_retrieval_kerberos(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + principal = '{}/{}@{}'.format(service, api.env.host, self.realm) + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating principal') + installutils.kadmin_addprinc(principal) + self.suffix = ipautil.realm_to_suffix(self.realm) + if not self.admin_conn: + self.ldap_connect() + self.move_service(principal) + + root_logger.info('Retrieving keytab') + keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + installutils.create_keytab(keytab, principal) + os.chmod(keytab, 0o600) + os.chown(keytab, pent.pw_uid, pent.pw_gid) + + def __setup_lightweight_ca_key_retrieval_custodia(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating 
Custodia keys') + keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') + keystore = IPAKEMKeys({'server_keys': keyfile}) + keystore.generate_keys(service) + os.chmod(keyfile, 0o600) + os.chown(keyfile, pent.pw_uid, pent.pw_gid) + def replica_ca_install_check(config): if not config.setup_ca: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index e4d4ab1635598eb083b2aec0c5e51a1eec63c8ce..36e8f330bcc3f124116a13f03c890436651a2654 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -891,9 +891,6 @@ def install(installer): # we now need to enable ssl on the ds ds.enable_ssl() - if setup_ca: - ca.install_step_1(False, None, options) - krb = krbinstance.KrbInstance(fstore) if options.pkinit_cert_files: krb.create_instance(realm_name, host_name, domain_name, @@ -907,6 +904,9 @@ def install(installer): setup_pkinit=not options.no_pkinit, subject_base=options.subject) + if setup_ca: + ca.install_step_1(False, None, options) + # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2398aea90bb1def6ab1534d3640a6bfa20a6b237..1a1090f0c767238062916ec715a59983ddc59fdb 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1492,7 +1492,8 @@ def upgrade_configuration(): if subject_base: sub_dict['SUBJECT_BASE'] = subject_base - ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca = cainstance.CAInstance( + api.env.realm, certs.NSS_DIR, host_name=api.env.host) ca_running = ca.is_running() with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): 
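Review bot: in the `@@ -1356,11 +1359,64 @@` hunk of `ipaserver/install/cainstance.py`, the upgrade-state key is misspelled on write: `setup_lightweight_ca_key_retrieval()` tests `get_upgrade_state('dogtag', 'setup_lwca_key_retrieval')` but records `set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True)`, so the early return never fires and the whole setup (including `kadmin_addprinc` for an already existing principal and regeneration of the Custodia keys) re-runs on every upgrade; fix the spelling and hold the key in one module-level constant so the two sites cannot drift. Also, the hunk adds `self.step("Configure lightweight CA key retrieval", self.setup_lightweight_ca_key_retrieval)` to the step list that ends in `self.start_creation(runtime=210)`, while the comment added in `ca.py` says the call was moved into `install_step_1` precisely because running it from `configure_instance` fails before krb5.conf exists; one of the two call sites is redundant, and the step-list one is the case the comment says does not work. Minor: `'/usr/libexec/ipa/ipa-pki-retrieve-key'` is hard-coded rather than taken from `paths`.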
@@ -1697,6 +1698,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() + ca.setup_lightweight_ca_key_retrieval() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 From ftweedal at redhat.com Wed Jun 1 04:49:55 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 1 Jun 2016 14:49:55 +1000
Subject: [Freeipa-devel] V4/Sub-CAs review
In-Reply-To: <25104587-46d2-6574-2220-3b453b0af599@redhat.com>
References: <57161E1F.6020001@redhat.com> <6b09c0a9-2887-92a0-b284-4b5af947dfde@redhat.com> <20160510103617.GP1237@dhcp-40-8.bne.redhat.com> <9eb88563-3d22-3c6e-f314-fc6ce2d69985@redhat.com> <20160517125029.GJ1323@dhcp-40-8.bne.redhat.com> <25104587-46d2-6574-2220-3b453b0af599@redhat.com>
Message-ID: <20160601044955.GA4744@dhcp-40-8.bne.redhat.com>

On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote:
> > > > > 2)
> > > > >
> > > > > It should be mentioned here that the primary CA is also handled by this
> > > > > plugin.
> > > > >
> > > > > I would like to propose two additional fields:
> > > > >
> > > > > * subject (required) - subject name of the CA, to be able to look up
> > > > > sub-CA that issued a certificate from its issuer name.
> > > > >
> > > > > * issuer_ca (optional) - name of the sub-CA which issued certificate for
> > > > > this CA, to have information about the sub-CA hierarchy. If there is no
> > > > > sub-CA entry for the issuer, it would be unset.
> > > > >
> > > > These data exist in the Dogtag database. Adding them to IPA might
> > > > be useful for avoiding round trips so it is probably worth doing,
> > > > but are you aware of use cases that would absolutely require them?
> > >
> > > As for subject, we are adding the ability to look up information about
> > > arbitrary certificates to cert-{show,find} as part of . Part of this
> > > information should be whether the certificate was issued by our CA and
> > > what CA it was, so that the web UI can present an appropriate "revoke
> > > certificate" button for the certificate.
> > >
> > > As for issuer CA, I believe we need it to fix automatic CA certificate
> > > renewal. The current renewal code uses virtual "profiles" to handle CA
> > > certificate renewal, but that turned out to be an issue, especially with
> > > externally signed CA certificates: . Instead it could use the issuer CA
> > > information from LDAP to figure out what needs to be done. (Note that
> > > during the renewal, Dogtag is offline.)
> > >
> > > Also, both the attributes should be included for compatibility with external
> > > CAs. At this point, I think it's only a matter of time when support for them
> > > will be added (there were already several requests for such a feature), and
> > > I would very much prefer to have to maintain only a single code path for the
> > > generic stuff (which includes both of the attributes), instead of one for
> > > Dogtag and one for external CAs.
> > >
> > OK, I'll add issuer DN and subject DN attributes to the ipaCa
> > objectClass.
>
> Just to be clear, what I meant is for the issuer attribute to contain the DN
> of the CA entry in LDAP, not the issuer DN itself.
>
I see; thanks for the clarification. I'm going to publish the first
version of the patchset soon - it will not have this implemented yet,
but I think it's more important for me to get patches out for review
ASAP, and add this aspect in a subsequent patchset.

> > > > > """
> > > > > The Python script shall be installed at /usr/libexec/pki-ipa-retrieve-key
> > > > > and shall be executed as pkiuser.
> > > > > """
> > > > >
> > > > > Could you please use a subdirectory? Like /usr/libexec/pki (if the script is
> > > > > going to be distributed with Dogtag) or /usr/libexec/ipa (if the script is
> > > > > going to be distributed with IPA).
> > > > >
> > > > What is the rationale - is it a packaging guideline or just common
> > > > sense?
> > >
> > > I'm not sure if it's an actual guideline, but IMHO it's definitely common
> > > sense - I don't think littering the global namespace (i.e. /usr/libexec) is
> > > ever preferable to keeping your stuff in your own namespace.
> > >
> > I'll drop the script in a subdir. While I'm at it, I think I will
> > move it to the IPA codebase, to improve locality of the Python code.
> > e.g. if CustodiaClient API or any other IPA Python API changes, the
> > code in pki repo will be too easily missed.
>
> OK, makes sense.
>
Latest version of patch 0054 installs the helper program under
/usr/libexec/ipa.

> > > Please don't use ipaUniqueId as the RDN unless absolutely necessary. Not
> > > only it makes debugging harder (because you can't tell which object is which
> > > just by looking at the DN), it also requires the framework to do an extra
> > > LDAP search every time the DN needs to be translated to primary key.
> > >
> > If cn is used in RDN, will changing cn (which then will be a modrdn
> > operation) correctly update the references from CA ACLs?
>
> Yes, the referint DS plugin takes care of that.
>
cn it is; no more ipaUniqueId.

> > > > > "host-authority" does not strike me as something familiar, and the "host"
> > > > > bit is kind of confusing, since it is not at all related to IPA hosts. Could
> > > > > we use something more obvious ("default", "root", ...)?
> > > > >
> > > > We shouldn't use "root" because it might not be a root CA.
> > > >
> > > > We probably shouldn't use "default" because we might later want to
> > > > allow different default CAs for different profiles or principal
> > > > types.
> > > What about "main"?
>
> > > > Perhaps simply "IPA CA", "ipa", or some variation on that theme?
>
> Something like this might be the best, as we currently refer to this CA as
> "IPA CA".
>
I went with 'cn=ipa' and 'description=IPA CA'.

> > As discussed above, there will now also be attributes for issuer DN
> > and subject DN.
> >
> > > Why does a Dogtag lightweight CA need to be created before the LDAP entry? I
> > > assume it's because deleting an LDAP entry is easier than deleting a Dogtag
> > > lightweight CA in case something goes wrong, in which case I think ipaCaId
> > > should be required and use a placeholder value in the initial LDAP entry.
> > >
> > The IPA object is created first to ensure that the user has the
> > permissions to do so. Apart from that it is not important which
> > happens first. I can check permissions with can_add() but defer IPA
> > object creation until after the Dogtag LWCA has been created. In
> > fact this is a cleaner approach.
>
> Yes, I agree.
>
Everything works fine with can_add(); design updated.

> > ca-del results in deletion of the signing key from Dogtag's NSSDB,
> > and deletion of the Dogtag lightweight authority object. On IPA
> > side it removes the ipaCa object, removes references from CA ACLs,
> > etc. ca-del should be a command.
>
> OK, but should the certificates issued by the CA stay valid? I would think
> not - when authorization is based on group membership and the group is
> deleted, it is no longer possible to authorize - when authorization is based
> on the CA, I assume it should work analogically and authorization should
> stop working when the CA is deleted. Or am I missing something?
>
It makes sense to revoke the CA certificate when the CA is deleted.
There is a Dogtag ticket: https://fedorahosted.org/pki/ticket/1638.
After that is implemented, I don't think extra behaviour is needed in
IPA - but we should clearly document what happens with revocation when
a CA is deleted. Until it is implemented, revocation can be performed
manually. (I'll add the preceding commentary to the design page.)

> > We can add ca-disable and ca-enable - these behaviours are
> > implemented in Dogtag already. I prefer the more fine-grained
> > control that CA ACLs give you, but I suppose people will want
> > wholesale enable/disable as well? Or is it premature to assume so?
>
> I think it can be added later. The advantage over CA ACLs is that you don't
> have to go through potentially many ACLs to enable/disable a single CA.
>
Agreed.

Thanks,
Fraser

From ftweedal at redhat.com Wed Jun 1 04:51:04 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 1 Jun 2016 14:51:04 +1000
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
Message-ID: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com>

Hi team,

This patchset implements the 'ca' plugin for creating and managing
lightweight sub-CAs, and updates the 'caacl' plugin and 'cert-request'
command to support multiple CAs.

A brief overview of the patches:

0059 'ca' plugin, associated schema changes and container objects, Dogtag REST API wrapper
0060 Add CA entry for the IPA CA on install/upgrade
0061 Update 'caacl' plugin with CA support (including enforcement)
0062 Update ra.request_certificate() to support specifying target CA
0063 Add '--ca' option to 'cert-request' command
0064 Add '--issuer' option to 'cert-find' command

These patches depend on other pending patches: 0051, 0052, 0053, 0054,
0055, 0056

Signing key replication depends on unmerged Dogtag patches. Builds of
Dogtag with the required patches, and of FreeIPA with all completed
sub-CAs work, should be available from my COPR soon:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/

Some parts of the design are not implemented in the current patchset,
including:

- local parent CA (ipaca object) references
- sub-CA certificate renewal
- 'cert-show' command '--ca=NAME' option
- certmonger support for specifying CA
- revocation of deleted CAs

I look forward to your reviews!

Thanks,
Fraser

From bd30332dee424aebdedec9de1615320c3384bbac Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Thu, 14 May 2015 01:46:06 -0400 Subject: [PATCH 59/64] Add 'ca' plugin This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 8 ++ API.txt | 60 +++++++++ VERSION | 4 +- install/conf/ipa-pki-proxy.conf | 4 +- install/share/60certificate-profiles.ldif | 2 + install/share/bootstrap-template.ldif | 6 + install/updates/41-subca.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipalib/plugins/ca.py | 206 ++++++++++++++++++++++++++++++ ipaserver/install/cainstance.py | 7 + ipaserver/install/server/upgrade.py | 16 ++- ipaserver/plugins/dogtag.py | 44 ++++++- 13 files changed, 358 insertions(+), 6 deletions(-) create mode 100644 install/updates/41-subca.update create mode 100644 ipalib/plugins/ca.py diff --git a/ACI.txt b/ACI.txt index cea814a0ceb7aea48b709236f0f88677e851ac92..dfa962ad9d43f9e7d7c750b865123150d282d4e5 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description || ipacaid")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example diff --git a/API.txt b/API.txt index 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..ad5691a035e261afa329fbdb33461c4cd3a0051a 100644 --- a/API.txt 
+++ b/API.txt 
@@ -450,12 +450,72 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: DNParam('subject') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,9,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: 
Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 45fdb09788dbc6496272da786bb6d6afa45bf118..d7c08b5ccf5840c44f352e7864e5d77a8554b3b3 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=170 -# Last change: mbasti - *-find: do not search for members by default +IPA_API_VERSION_MINOR=171 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..e9132aa7037cd09c2ff1b3a60a21d516846d3787 100644 --- a/install/share/60certificate-profiles.ldif 
+++ b/install/share/60certificate-profiles.ldif @@ -4,5 +4,7 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId ) MAY description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 456633012510acbce3c73fb9bf9b20f7d80944fe..de1475607a6b36fef45f18758e809349edde0212 100644 --- a/install/share/bootstrap-template.ldif 
+++ b/install/share/bootstrap-template.ldif @@ -470,3 +470,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/install/updates/41-subca.update b/install/updates/41-subca.update new file mode 100644 index 0000000000000000000000000000000000000000..72313e2ab12ab520eb12ade404fb5b6dd55a9d71 --- /dev/null +++ b/install/updates/41-subca.update @@ -0,0 +1,4 @@ +dn: cn=cas,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: cas diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 3edc21473d676bd282e9ea2b88769c097fb8a63a..a83f202b390429bdc70c02417d853967be2f53db 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -37,6 +37,7 @@ app_DATA = \ 40-otp.update \ 40-vault.update \ 41-caacl.update \ + 41-subca.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index d544595898e52d3910cff94fc3cc0276fe099a98..1478d3a14533e42735586b4610eb7c0df0f9a7cd 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), @@ -262,3 +263,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipalib/plugins/ca.py b/ipalib/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..9836b893dfa8733588ee4af258eb38113ccd5c97 --- /dev/null +++ b/ipalib/plugins/ca.py 
@@ -0,0 +1,206 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipalib.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipalib.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = ['cn', 'description', 'ipacaid'] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid?', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + ) + + permission_filter_objectclasses = ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ 
+ '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + }, + 'replaces': [ + '(targetattr = "cn || description || ipacaid")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + takes_options = ( + DNParam('subject', + label=_('Subject DN'), + ), + ) + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # Create the CA in Dogtag. 
+ with self.api.Backend.ra_lightweight_ca as ca_api: + ca_id = ca_api.create_ca(options['subject']) + entry['ipacaid'] = [ca_id] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + return dn + + def execute(self, *args, **kwargs): + ca_obj = self.api.Command.ca_show(args[0][0])['result'] + if 'ipacaid' in ca_obj: + have_ca_id = True + ca_id = ca_obj['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + else: + have_ca_id = False + + result = super(ca_del, self).execute(*args, **kwargs) + + if have_ca_id: + return result + else: + raise errors.NonFatalError( + reason=_( + "The CA was deleted but could not be deleted " + "from Dogtag due to missing 'ipaCaId' attribute" + ) + ) + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + return dn diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 85cdda61428a9586be940e1aec3648ee3e9b13cc..a153bf371ff31d6da721936b2b17344746d951ff 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1628,6 +1628,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: @@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index acec25982d8f9072a9c7d58256c8253c7e620223..83661fd0f48e82dcca91bc17826653620c3bfe46 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2071,7 +2071,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( @@ -2145,3 +2148,42 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + Will be created as child of IPA CA. Nested sub-CAs are not + yet supported. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body)["id"] + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From 35302749c7c320c7df21bf715e94f949ca6876ae Mon Sep 17 00:00:00 2001 
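Review bot: in the ipalib/plugins/ca.py hunk of patch 0059, `ca_del.execute` calls `ca_api.disable_ca(ca_id)` and `ca_api.delete_ca(ca_id)` before `super(ca_del, self).execute(...)`, so the `keys[0] == IPA_CA_CN` guard in `pre_callback` only runs after Dogtag has already been asked to disable and delete the 'host-authority'; move that guard (together with `ca_enabled_check()`) to the top of `execute`, ahead of the Dogtag calls. In the same method `cn+` accepts several names but only `args[0][0]` is looked up, so with more than one name the remaining CAs are removed from LDAP while their Dogtag authorities and signing keys stay alive; loop over every key. In `ca_add.pre_callback` the Dogtag CA is created before the LDAP add, so a failure of the add itself (for example a duplicate cn, which `can_add` does not catch) leaves an orphaned Dogtag authority that no ipaCa entry references; check for an existing entry before `create_ca`, or clean up the new `ca_id` when the add fails. Minor: `permission_filter_objectclasses = ['ipaca']` is assigned twice in class `ca`.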
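Review bot: the bare `except:` in `ra_lightweight_ca.create_ca` (ipaserver/plugins/dogtag.py hunk of patch 0059) catches every exception, including a `KeyError` when the response has no "id" key and anything unrelated to JSON parsing, and reports all of them as "Response from CA was not valid JSON"; narrow it to `except (ValueError, KeyError)` and carry the original error text into the `RemoteRetrieveError` so an operator can tell a malformed response from a missing field. `disable_ca` and `delete_ca` also lack the docstring that `create_ca` has; a line each stating that they act on the Dogtag authority ID (not the IPA cn) would help the callers in ca.py.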
From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/64] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 33 +++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 34 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a153bf371ff31d6da721936b2b17344746d951ff..fb38034ed9d238e2f6e91627a978dc260976a4e1 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -432,6 +432,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1899,6 +1900,38 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', 'ca'), api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['ca'], + ) + ensure_entry( + DN(api.env.container_ca, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['cas'], + ) + ensure_entry( + DN(('cn', 'ipa'), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + ipacaid='host-authority', + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From 18259b719551b316431fa8f7c4fb6af53b6eecc9 Mon Sep 17 00:00:00 2001 
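Review bot: in `ensure_ipa_authority_entry` (ipaserver/install/cainstance.py hunk of patch 0060) the entry DN hardcodes `('cn', 'ipa')` while the cn value comes from `ipalib.constants.IPA_CA_CN`; build the DN from the constant as well so the two cannot drift apart. `ipacaid='host-authority'` is passed as a bare string where every other attribute is a list, and the same 'host-authority' literal is hardcoded as the parentID in `ra_lightweight_ca.create_ca` in patch 0059; a shared constant would keep them consistent. Also, when this function opened the LDAP connection itself there is no try/finally around the three `ensure_entry` calls, so any failure leaves the autobind connection open; put the `disconnect()` in a `finally` block.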
From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/64] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 +++++++++++++-- VERSION | 4 +- ipalib/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++++---------------- ipalib/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index ad5691a035e261afa329fbdb33461c4cd3a0051a..0f0f6616ae9dfd1d34fbecaada98a1de1b7818c6 100644 --- a/API.txt +++ b/API.txt @@ -517,12 +517,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) @@ -534,6 +535,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') 
@@ -603,12 +615,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) @@ -624,13 +637,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) 
@@ -643,6 +657,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index d7c08b5ccf5840c44f352e7864e5d77a8554b3b3..01e570065e5e45634e5c246154e966c28e80d342 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=171 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=172 +# Last change: ftweedal - update caacl plugin for lightweight CAs diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipalib/plugins/caacl.py +++ b/ipalib/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, 
@@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name @@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj 
@@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { @@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], 
@@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index c97ca88665d130d4b2f2761fc12d1646a6e10782..aee2dfba15df677bd5292016389bce8b80f89708 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -30,6 +30,7 @@ from ipalib import pkcs10 from ipalib import x509 from ipalib import util from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -237,7 +238,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -319,7 +320,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From 57c267e52f89afb53a6bf94d93b7f71b5e04b277 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/64] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipalib/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index aee2dfba15df677bd5292016389bce8b80f89708..377486f1d41dce93d87f8e98b3cb2bded0e7058a 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -498,7 +498,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 83661fd0f48e82dcca91bc17826653620c3bfe46..839c0831d3ab6e088eac9e519c828a078f4b15a0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1552,10 +1552,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1584,13 +1586,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', self.fullname) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 8ba60c1b34053e159c0fa0e6d5471b3af96f945d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/64] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/cert.py | 22 +++++++++++++++++++--- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 0f0f6616ae9dfd1d34fbecaada98a1de1b7818c6..54376faa0ee44a08d817a287e58c2823561446dd 100644 --- a/API.txt +++ b/API.txt @@ -754,9 +754,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('ca?') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index 01e570065e5e45634e5c246154e966c28e80d342..bdb415a521499f37a6496db6638b6984b0973c56 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=172 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=173 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 377486f1d41dce93d87f8e98b3cb2bded0e7058a..f74d5e65cedadb7c7305d729a4d7d7dc5f8e2dad 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -273,7 +273,11 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('ca?', + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -320,7 +324,19 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + ca = kw.get('ca', IPA_CA_CN) + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) + # + ca_obj = api.Command.ca_show(ca)['result'] + + # Look up Dogtag authority ID. + # + ca_id = None + if ca != IPA_CA_CN and 'ipacaid' in ca_obj: + ca_id = ca_obj['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -498,7 +514,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From 357d8c12e8e36c96d9f6423fcfedd2352afca20e Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH 64/64] Add --issuer option to cert-find Add the --issuer option to the cert-find command, for filtering the search by issuer DN. Also add the issuer DN to the output of the command. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipalib/plugins/cert.py | 5 +++++ ipaserver/plugins/dogtag.py | 9 +++++++++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 54376faa0ee44a08d817a287e58c2823561446dd..40268d50dcf197b7c961f674a965c34f30bbd2f6 100644 --- a/API.txt +++ b/API.txt @@ -726,11 +726,12 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,18,4 option: Flag('all', autofill=True, cli_name='all', default=False) option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION b/VERSION index bdb415a521499f37a6496db6638b6984b0973c56..52960b21c1e417795e8c499cb1426c8860a4931b 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=173 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=174 +# Last change: ftweedal - add --issuer option to cert-find diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index f74d5e65cedadb7c7305d729a4d7d7dc5f8e2dad..5b82abf331eb278ac9a81dac2888d4ad8257f70a 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py 
@@ -748,6 +748,11 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10)'), diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 839c0831d3ab6e088eac9e519c828a078f4b15a0..92cfadf347d00e670fc56a7884fe8d76db3969a1 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1807,6 +1807,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1895,6 +1899,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From ldoudova at redhat.com Wed Jun 1 06:06:45 2016 
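Review bot: in the caacl patch (VERSION: "update caacl plugin for lightweight CAs"), the `_acl_make_rule` hunk in ipalib/plugins/caacl.py falls back to `rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])`, and the comment presents this as compatibility for pre-lightweight-CA ACLs, but the same branch is taken by any ACL that has neither `--cacat=all` nor a CA member, including an ACL created after this change whose last CA was removed with the new `caacl_remove_ca` command (which, unlike `caacl_add_ca`, has no pre_callback). Such an ACL silently grants issuance from the IPA CA rather than matching no CA, and nothing in the entry lets the code tell a legacy ACL from a deliberately emptied one. If the default is to stay, state it in the plugin docstring next to the EXAMPLES (e.g. "an ACL with no CA category and no CA members applies to the IPA CA only") so that someone auditing ACLs does not read an empty CA list as "no CA"; otherwise have `caacl_add` record the intended CA or category explicitly so the fallback is only ever hit by pre-existing entries.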
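Review bot: in patch 62/64 (Add CA argument to ra.request_certificate), the `rabase.request_certificate` and `ra.request_certificate` hunks insert `ca_id` as a required positional parameter between `profile_id` and `request_type`, which is why the check-ra.py and cert.py hunks in the same patch now have to pass a bare `None`. Since `rabase` is the backend interface, any other `ra` implementation or caller still using the three-argument form fails with a TypeError; declaring it as `ca_id=None` keeps the existing call shape working, makes the docstring's "``None`` is allowed" the default instead of something every caller must spell out, and lets the two `None` call-site changes be dropped from the diff.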
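Review bot: in patch 63/64 (Update cert-request to allow specifying CA), the `cert_request` hunk in ipalib/plugins/cert.py documents the new `--ca` option only as "CA to use"; say that it takes the name of a CA as shown by `ipa ca-show` and defaults to the IPA CA (`IPA_CA_CN`), since nothing else tells the user what value is expected or what happens when it is omitted. Two smaller points in the same hunk: the comment spells "nonexistant" (should be "nonexistent"), and because `api.Command.ca_show(ca)` deliberately runs before the CA ACL check, anyone allowed to call cert-request can tell "this CA does not exist" from "I am not allowed to use this CA"; that is acceptable if ca_show's own ACIs are the intended read control for CA names, but the comment should say so explicitly so the ordering is not "fixed" later by someone who reads it as a leak.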
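Review bot: in patch 64/64 (Add --issuer option to cert-find), the first ipaserver/plugins/dogtag.py hunk (`@@ -1807`) appends the `issuerDN` element to the search request without any companion flag, whereas the `subject` branch immediately above it also sets `booloptions['subjectInUse'] = True`. If Dogtag only honours a criterion whose `*InUse` flag is set, `--issuer` would be accepted and silently ignored and the search would return certificates from every CA; please either set whatever flag Dogtag expects for issuerDN or add a one-line comment stating that issuerDN needs none, and add a check-ra.py case that searches with an issuer so the filter is actually exercised.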
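Review bot: in patch 64/64 (Add --issuer option to cert-find), the second ipaserver/plugins/dogtag.py hunk (`@@ -1895`, parsing the search response) guards the new block with the wrong variable: after `issuer_dn = cert.xpath('IssuerDN')` it tests `if len(dn) == 1:`, i.e. the SubjectDN result from the preceding block, so a record with a SubjectDN but no IssuerDN raises IndexError at `issuer_dn[0]`, and a record with an IssuerDN but no SubjectDN never gets `issuer` set. Change the guard to `if len(issuer_dn) == 1:`.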
From: ldoudova at redhat.com (Lenka Doudova)
Date: Wed, 1 Jun 2016 08:06:45 +0200
Subject: [Freeipa-devel] [Testplan] Thin client
In-Reply-To: <6e123456-c1d2-32fb-18ca-1d41f244fbaf@redhat.com>
References: <5068918e-4233-98f5-60d3-311f253fdf3c@redhat.com> <6e123456-c1d2-32fb-18ca-1d41f244fbaf@redhat.com>
Message-ID:

Hi,

thanks for reviewing, I changed the test plan to reflect your comments.

Lenka

On 05/31/2016 06:07 PM, Petr Vobornik wrote:
> On 05/31/2016 03:30 PM, Lenka Doudova wrote:
>> Hi all,
>>
>> here's [1] a draft of the test plan for the V4 RFE Thin client.
>>
>> Please review this and let me know if there's something missing or wrong.
>>
>> Thanks,
>>
>> Lenka
>>
>> [1] http://www.freeipa.org/page/V4/Thin_Client/Test_Plan
>>
> Hi Lenka,
>
> It is implied, but somewhere it should be mentioned that "the command" is a
> command of the IPA CLI - `ipa`. E.g. once in the overview.
>
> Missing:
>
> Install a 4.4 client against a newer server, e.g. a non-existent 4.5. Could be
> simulated. I'm not sure if the API version file is still relevant here.
> Maybe it could be simulated by adding a custom plugin which would
> automatically change the version hash (assuming it was implemented that way;
> if not, please correct me).

From mbasti at redhat.com Wed Jun 1 06:27:59 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 08:27:59 +0200
Subject: [Freeipa-devel] [PATCH 0490] Tests: fix failing host_test
Message-ID:

Regression caused by patches related to https://fedorahosted.org/freeipa/ticket/5710

Patch attached and pushed under the one-liner rule

master:
* 05c8808c76c39d697008912477dc45a76409ac67 Test: fix failing host_test

ipa-4-3:
* be65f1e2352e02086c3511f6f5a3cb4e4b5cb883 Test: fix failing host_test

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0490-Test-fix-failing-host_test.patch
Type: text/x-patch
Size: 1098 bytes
Desc: not available
URL:

From ldoudova at redhat.com Wed Jun 1 06:44:59 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Wed, 1 Jun 2016 08:44:59 +0200
Subject: [Freeipa-devel] [Testplan] External trust to AD
Message-ID: <92b5bdda-62de-780c-603a-a38b6de89e8d@redhat.com>

Hi all,

here's [1] a draft of the test plan for the V4 RFE External trust to Active Directory.

Please review this and let me know if there's something missing or wrong.

Thanks,

Lenka

[1] http://www.freeipa.org/page/V4/External_trust_to_AD/Test_Plan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvomacka at redhat.com Wed Jun 1 08:41:46 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Wed, 1 Jun 2016 10:41:46 +0200
Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators
In-Reply-To:
References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com>
Message-ID: <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com>

On 05/27/2016 05:58 PM, Pavel Vomacka wrote:
>
>
> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote:
>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
>>>>> Hi,
>>>>>
>>>>> the patch adds the webui part for authentication indicators.
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872
>>>> The otp option displays as: OTP.
>>>> The radius option displays as: Radius.
>>>>
>>>> However, both are acronyms. The capitalization should be
>>>> consistent.
>>> I'm sorry for the late answer. They are displayed this way: 'OTP' and
>>> 'Radius'. So it should not require any change.
>> That is incorrect. It should be: OTP and RADIUS.
> I'm sorry, I didn't understand correctly. Fixed patch attached.
>
>
> The last patch changes 'Radius' to 'RADIUS' in the whole WebUI.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0034-3-Add-authentication-indicators-to-webui.patch
Type: text/x-patch
Size: 6109 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jun 1 13:59:00 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 15:59:00 +0200
Subject: [Freeipa-devel] [PATCH 0491] Fix: Local variable s_indent might be referenced before defined
Message-ID:

https://fedorahosted.org/freeipa/ticket/5921

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0491-Fix-Local-variable-s_indent-might-be-referenced-befo.patch
Type: text/x-patch
Size: 931 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Wed Jun 1 14:13:25 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 1 Jun 2016 16:13:25 +0200
Subject: [Freeipa-devel] [PATCH 0491] Fix: Local variable s_indent might be referenced before defined
In-Reply-To:
References:
Message-ID: <4ad10b83-c29b-abee-5716-20a721a3a502@redhat.com>

On 06/01/2016 03:59 PM, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5921
>
> Patch attached.
>
>
ACK

--
Martin^3 Babinsky

From mbasti at redhat.com Wed Jun 1 15:10:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 17:10:24 +0200
Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations
Message-ID:

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4.3-mbasti-0492-Translations-update-translations-for-IPA-4.3.x.patch
Type: text/x-patch
Size: 866777 bytes
Desc: not available
URL:

From mbasti at redhat.com Wed Jun 1 15:39:14 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 17:39:14 +0200
Subject: [Freeipa-devel] [PATCH] 0002 New User Role Tests
In-Reply-To:
References: <1698677244.50966760.1462789150686.JavaMail.zimbra@redhat.com> <19bc3a86-8e60-f023-6bab-b807a3d03364@redhat.com>
Message-ID: <90b63ac5-f298-eb7f-f9ec-469c9a88b795@redhat.com>

On 09.05.2016 13:06, Martin Basti wrote:
>
>
>
> On 09.05.2016 13:04, Martin Basti wrote:
>>
>>
>> On 09.05.2016 12:19, Peter Lacko wrote:
>>> +# pylint: disable=unicode-builtin
>> I'm not doing a complete review, just the line above hit my eyes.
>>
>> unicode() is not in Py3 because all strings there are unicode, thus
>> you cannot use it directly, you need something like
>>
>> if six.PY2:
>>     str = unicode
>>
>> and use str() everywhere and remove that #pylint line
>>
>> FYI all enabled pylint checks are there for a good reason, be careful
>> with disabling it (mainly disabling it for a whole module); rather ask
>> before if you are not sure.
>>
>> Martin^2
>>
>
> Nope, sorry, I temporarily forgot how to python
>
> instead of pylint disable use this
> if six.PY3:
>     unicode = str
> and keep unicode there. Sorry
>
> Martin^2
>
>
Hello,

it is 3 weeks since the last message, any updates?

Martin^2

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Wed Jun 1 16:00:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 1 Jun 2016 18:00:30 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue
In-Reply-To: <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com>
References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com>
Message-ID:

updated patches attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
Type: text/x-patch
Size: 4774 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch
Type: text/x-patch
Size: 4186 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch
Type: text/x-patch
Size: 12815 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0476.6-DNS-Locations-API-tests.patch
Type: text/x-patch
Size: 9339 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0478.6-Allow-to-use-non-Str-attributes-as-keys-for-members.patch
Type: text/x-patch
Size: 2147 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0479.6-DNS-Locations-extend-server-command-with-locations.patch
Type: text/x-patch
Size: 9387 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0480.6-DNS-Location-location-show-return-list-of-servers-in.patch
Type: text/x-patch
Size: 8523 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0481.6-DNS-Locations-prevent-to-remove-used-locations.patch
Type: text/x-patch
Size: 3841 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0482.6-DNS-Locations-extend-tests-with-server-commands.patch
Type: text/x-patch
Size: 13850 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jun 2 05:54:31 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Jun 2016 07:54:31 +0200
Subject: [Freeipa-devel] [PATCH] 0004 Report missing certificate in external trust chain
In-Reply-To: <45575d05-92a0-bc30-d287-a547d76dd62e@redhat.com>
References: <45575d05-92a0-bc30-d287-a547d76dd62e@redhat.com>
Message-ID:

Hi,

On 30.5.2016 19:58, Florence Blanc-Renaud wrote:
> Hi all,
>
> this patch adds in the error message the missing certificate that caused
> ipa-server-install --external-cert-file=... to fail.
>
> https://fedorahosted.org/freeipa/ticket/5792

I think someone may confuse "issuer" with the "issuer name" field in the
certificate, also IMO we should use "certificate" rather than "cert" in
error messages, so I would rather use something like "missing certificate
with subject '%s'" or maybe just "missing certificate '%s'".

Honza

--
Jan Cholasta

From ftweedal at redhat.com Thu Jun 2 06:55:25 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 2 Jun 2016 16:55:25 +1000
Subject: [Freeipa-devel] [PATCH] 0004 Report missing certificate in external trust chain
In-Reply-To:
References: <45575d05-92a0-bc30-d287-a547d76dd62e@redhat.com>
Message-ID: <20160602065525.GG4744@dhcp-40-8.bne.redhat.com>

On Thu, Jun 02, 2016 at 07:54:31AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 30.5.2016 19:58, Florence Blanc-Renaud wrote:
> > Hi all,
> >
> > this patch adds in the error message the missing certificate that caused
> > ipa-server-install --external-cert-file=... to fail.
> >
> > https://fedorahosted.org/freeipa/ticket/5792
>
> I think someone may confuse "issuer" with the "issuer name" field in the
> certificate, also IMO we should use "certificate" rather than "cert" in
> error messages, so I would rather use something like "missing certificate
> with subject '%s'" or maybe just "missing certificate '%s'".
>
Let us be as specific as possible; Honza's suggestion "missing
certificate with subject '%s'" is preferable.

Cheers,
Fraser

From mbasti at redhat.com Thu Jun 2 07:26:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 09:26:02 +0200
Subject: [Freeipa-devel] [PATCH 0494] Bump required version of pki-ca and pki-kra due to a bug in parsing '%' in DM password
Message-ID:

https://fedorahosted.org/freeipa/ticket/5690

Patch attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0494-Bump-required-version-of-pki-ca-and-pki-kra-to-allow.patch
Type: text/x-patch
Size: 1103 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 2 07:41:04 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 09:41:04 +0200
Subject: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches
In-Reply-To:
References: <49fa67bc-5181-7cf2-738b-831839ea19a5@redhat.com>
Message-ID: <95bd2879-5a64-b95e-19aa-b8a4b938ce39@redhat.com>

On 31.05.2016 14:10, Martin Basti wrote:
>
>
> On 31.05.2016 14:08, Martin Babinsky wrote:
>> On 05/31/2016 01:57 PM, Martin Basti wrote:
>>>
>>>
>>> On 31.05.2016 12:44, Martin Babinsky wrote:
>>>> On 05/28/2016 01:17 PM, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4995
>>>>>
>>>>> Patches attached
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hi,
>>>>
>>>> PATCH 0488: LGTM
>>>>
>>>> PATCH 0489:
>>>>
>>>> @@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters,
>>>> topo_errors, starting_host):
>>>> i = 0
>>>> while True:
>>>> left = api.Command.topologysegment_find(
>>>> - suffix_name, iparepltoposegmentleftnode=hostname,
>>>> sizelimit=0
>>>> + suffix_name, iparepltoposegmentleftnode=hostname,
>>>> sizelimit=0,
>>>> )['result']
>>>> right = api.Command.topologysegment_find(
>>>> - suffix_name, iparepltoposegmentrightnode=hostname,
>>>> sizelimit=0
>>>> + suffix_name, iparepltoposegmentrightnode=hostname,
>>>> sizelimit=0,
>>>> )['result']
>>>>
>>>> it seems that you added 'no_members=True' there and then removed it
>>>> because reasons. Please revert this part to the original code so
>>>> that it does not stick out.
>>>>
>>>
>>> Better (the right one) patches attached.
>>
>> ACK
>>
> master:
> * 91572afc60f590f0d81ad18234189a0b48144bf5 Make option --no-members
> public in CLI
> * 5f42b42bd4557a669ab5cfcf1af6596f1a2535f1 Performance: Find commands:
> do not process members by default
>
We found an issue, I used flag 'no_cli' instead of 'no_option'

fixed and pushed under the oneliner rule

master:
* 5c58751d72de27eae2181f2c0e620df03f8dbc82 Fix: replace incorrect no_cli with no_option flag

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0493-Fix-replace-incorrect-no_cli-with-no_option-flag.patch
Type: text/x-patch
Size: 1216 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 2 07:48:09 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 09:48:09 +0200
Subject: [Freeipa-devel] [PATCH 0038] Reduced time for IO blocking of DS
In-Reply-To: <655db353-b7f2-cee7-3cff-2635ee6bd523@redhat.com>
References: <655db353-b7f2-cee7-3cff-2635ee6bd523@redhat.com>
Message-ID:

On 31.05.2016 17:10, Stanislav Laznicka wrote:
> Hello,
>
> This is a fix to https://fedorahosted.org/freeipa/ticket/5383. From
> the comments I am not sure if nsslapd-idletimeout should be reduced as
> well. If so, could you please propose a value that you find reasonable?
>
> Thanks,
> Standa
>
>
It looks like only ioblocktimeout is safe to change and we should not change the second attribute, Thierry can you confirm this?

Martin^2

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tbordaz at redhat.com Thu Jun 2 08:09:26 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 2 Jun 2016 10:09:26 +0200
Subject: [Freeipa-devel] [PATCH 0038] Reduced time for IO blocking of DS
In-Reply-To:
References: <655db353-b7f2-cee7-3cff-2635ee6bd523@redhat.com>
Message-ID: <574FE9B6.2040809@redhat.com>

On 06/02/2016 09:48 AM, Martin Basti wrote:
>
>
>
> On 31.05.2016 17:10, Stanislav Laznicka wrote:
>> Hello,
>>
>> This is a fix to https://fedorahosted.org/freeipa/ticket/5383. From
>> the comments I am not sure if nsslapd-idletimeout should be reduced
>> as well. If so, could you please propose a value that you find
>> reasonable?
>>
>> Thanks,
>> Standa
>>
>>
> It looks like only ioblocktimeout is safe to change and we should not
> change the second attribute, Thierry can you confirm this?
> Martin^2

The patch looks ok to me.

It is safe to tune idletimeout as well, but here it does not bring real benefit. The patch leaves idletimeout at the default value, that is, no close on idle connections. ioblock is set to 10s, which is in a good range of values (DS team recommended 10-30s).

Note that ioblock is sensitive to slow LDAP clients. If a client is not able to read fast enough, the server will close the connection. This can happen for example if a client did a large SRCH and is processing the received entries slowly.

thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu Jun 2 08:42:10 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 10:42:10 +0200 Subject: [Freeipa-devel] [PATCH] 0001 (update 2) provide more information for "ipa cert-revoke -h" In-Reply-To: References: <0ffbca59-c6ad-3f82-a4c6-127f0b8365e6@gmail.com> Message-ID: On 06.05.2016 14:45, Martin Basti wrote: > > > > On 04.05.2016 14:30, Gabe Alford wrote: >> On Wed, May 4, 2016 at 1:35 AM, Patrice Duc-Jacquet >> wrote: >> >> Hi everyone >> >> this is a second update that takes into account review feedback. >> >> In case the proposed fix is OK, what are the next steps to commit >> this change? I'm not sure I really understand the process. >> Thanks and regards >> >> >> If the fix is good, you receive an ack and a core member of the >> FreeIPA team will take your ack'ed patch and push it to the official >> git repository. >> >> ACK from me >> >> Gabe >> >> Pat >> >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> >> >> >> > Hello, I agree with ACK, but I cannot apply the patch using git am -3, > can you please send a rebased version? > > Martin^2 > > I rebased the patch Pushed to master: deb896768f395dc535ad72715bad4339c97a6a8b -------------- next part -------------- An HTML attachment was scrubbed... URL: From placko at redhat.com Thu Jun 2 09:49:37 2016 From: placko at redhat.com (Peter Lacko) Date: Thu, 2 Jun 2016 05:49:37 -0400 (EDT) Subject: [Freeipa-devel] [PATCH] 0002 New User Role Tests In-Reply-To: References: <1698677244.50966760.1462789150686.JavaMail.zimbra@redhat.com> <19bc3a86-8e60-f023-6bab-b807a3d03364@redhat.com> Message-ID: <651798515.57202911.1464860977307.JavaMail.zimbra@redhat.com> Sorry for the late response, I wasn't working these days. The fixed patch is in the attachment. Peter ----- Original Message -----
From: "Martin Basti" To: "Peter Lacko" , freeipa-devel at redhat.com Sent: Monday, May 9, 2016 1:06:08 PM Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests On 09.05.2016 13:04, Martin Basti wrote: > > > On 09.05.2016 12:19, Peter Lacko wrote: >> +# pylint: disable=unicode-builtin > I'm not doing a complete review, just the line above hit my eyes. > > unicode() is not in Py3 because all strings there are unicode, thus > you cannot use it directly, you need something like > > if six.PY2: > str = unicode > > and use str() everywhere and remove that #pylint line > > FYI all enabled pylint checks are there for a good reason, be careful > with disabling it (mainly disabling it for a whole module) rather ask > before if you are not sure. > > Martin^2 > Nope, sorry, I temporarily forgot how to python instead of the pylint disable use this if six.PY3: unicode = str and keep unicode there. Sorry Martin^2 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-placko-0002-2-New-User-Role-Tests.patch Type: text/x-patch Size: 68003 bytes Desc: not available URL: From frenaud at redhat.com Thu Jun 2 10:38:58 2016
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Thu, 2 Jun 2016 12:38:58 +0200 Subject: [Freeipa-devel] [PATCH] 0004 Report missing certificate in external trust chain In-Reply-To: <20160602065525.GG4744@dhcp-40-8.bne.redhat.com> References: <45575d05-92a0-bc30-d287-a547d76dd62e@redhat.com> <20160602065525.GG4744@dhcp-40-8.bne.redhat.com> Message-ID: <6b99905c-5520-d4b2-f825-28983ee6f31d@redhat.com> Hi, thanks to Jan and Fraser for the review and the suggested error message. Please find the updated patch attached. Flo. On 06/02/2016 08:55 AM, Fraser Tweedale wrote: > On Thu, Jun 02, 2016 at 07:54:31AM +0200, Jan Cholasta wrote: >> Hi, >> >> On 30.5.2016 19:58, Florence Blanc-Renaud wrote: >>> Hi all, >>> >>> this patch adds to the error message the missing certificate that caused >>> ipa-server-install --external-cert-file=... to fail. >>> >>> https://fedorahosted.org/freeipa/ticket/5792 >> I think someone may confuse "issuer" with the "issuer name" field in the >> certificate, also IMO we should use "certificate" rather than "cert" in >> error messages, so I would rather use something like "missing certificate >> with subject '%s'" or maybe just "missing certificate '%s'". >> > Let us be as specific as possible; Honza's suggestion "missing > certificate with subject '%s'" is preferable. > > Cheers, > Fraser -- Florence Blanc-Renaud Identity Management Team, Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0004-2-Report-missing-certificate-in-external-trust-chain.patch Type: text/x-patch Size: 1518 bytes Desc: not available URL: From pspacek at redhat.com Thu Jun 2 11:02:15 2016
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 2 Jun 2016 13:02:15 +0200 Subject: [Freeipa-devel] [PATCHES] 0786-0788 More Python 3 fixes In-Reply-To: <7282e0c5-342a-39ea-7b82-167414f984a0@redhat.com> References: <572C9798.5030009@redhat.com> <7282e0c5-342a-39ea-7b82-167414f984a0@redhat.com> Message-ID: <25314f3d-8c98-f9f3-a426-36760672461f@redhat.com> On 10.5.2016 12:48, Martin Basti wrote: > > > On 06.05.2016 15:09, Petr Viktorin wrote: >> Hi, >> With these patches, xmlrpc_tests pass for me (except those that fail on >> py2, and, if python3-ipaserver is installed, some in permission that use >> ldap2 plugin). >> >> >> >> >> > ACK > > master: > * a9a13530988c616b331545ea02f539d39df64e27 Fix remaining relative import and > enable Pylint check > * 5dbb0f6fec59defd795dd501b67740a79616e86b ipalib.cli: Improve reporting of > binary values in the CLI > * 7d4d819b90f23cffbe437566818e29c394800b9e test_cert_plugin: Encode > 'certificate' for comparison with 'usercertificate' > > ipa-4-3: > * 2c5b29fe9247ee4b96c63406499ea40ed8e968cf Fix remaining relative import and > enable Pylint check > * 39132fd1f3a9798957e8c96529bc235ed14c5db3 ipalib.cli: Improve reporting of > binary values in the CLI > * 0ebbb48dc4cf0b9df78363f6a683c388634c595f test_cert_plugin: Encode > 'certificate' for comparison with 'usercertificate' Hi, even with very latest patches (5c58751d72de27eae2181f2c0e620df03f8dbc82) the permission system is somehow broken: # ipa privilege-add-permission loc --permission='System: Show IPA Locations' Privilege name: loc Permissions: System: Modify IPA Locations Granting privilege to roles: loc Failed members: ipa: ERROR: TypeError: sequence item 0: expected str instance, bytes found Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1348, in run sys.exit(api.Backend.cli.run(argv)) File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1111, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, 
**options) File "/usr/lib/python3.5/site-packages/ipalib/frontend.py", line 1074, in output_for_cli textui.print_entry(result, order, labels, flags, print_all) File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 391, in print_entry indent=indent+1 File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 402, in print_entry label, value, format, indent, one_value_per_line File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 306, in print_attribute text = ': '.join(l) TypeError: sequence item 0: expected str instance, bytes found ipa: ERROR: an internal error has occurred -- Petr^2 Spacek From mbasti at redhat.com Thu Jun 2 11:40:49 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 13:40:49 +0200 Subject: [Freeipa-devel] [PATCH 0488-0489] Perfomance: membership processing related patches In-Reply-To: <95bd2879-5a64-b95e-19aa-b8a4b938ce39@redhat.com> References: <49fa67bc-5181-7cf2-738b-831839ea19a5@redhat.com> <95bd2879-5a64-b95e-19aa-b8a4b938ce39@redhat.com> Message-ID: <6ad1fb4f-aa33-32a2-7848-048265c37281@redhat.com> On 02.06.2016 09:41, Martin Basti wrote: > > > On 31.05.2016 14:10, Martin Basti wrote: >> >> >> On 31.05.2016 14:08, Martin Babinsky wrote: >>> On 05/31/2016 01:57 PM, Martin Basti wrote: >>>> >>>> >>>> On 31.05.2016 12:44, Martin Babinsky wrote: >>>>> On 05/28/2016 01:17 PM, Martin Basti wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/4995 >>>>>> >>>>>> Patches attached >>>>>> >>>>>> >>>>>> >>>>> >>>>> Hi, >>>>> >>>>> PATCH 0488: LGTM >>>>> >>>>> PATCH 0489: 
>>>>> >>>>> @@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters, >>>>> topo_errors, starting_host): >>>>> i = 0 >>>>> while True: >>>>> left = api.Command.topologysegment_find( >>>>> - suffix_name, iparepltoposegmentleftnode=hostname, >>>>> sizelimit=0 >>>>> + suffix_name, iparepltoposegmentleftnode=hostname, >>>>> sizelimit=0, >>>>> )['result'] >>>>> right = api.Command.topologysegment_find( >>>>> - suffix_name, iparepltoposegmentrightnode=hostname, >>>>> sizelimit=0 >>>>> + suffix_name, iparepltoposegmentrightnode=hostname, >>>>> sizelimit=0, >>>>> )['result'] >>>>> >>>>> it seems that you added 'no_members=True' there and then removed it >>>>> because reasons. Please revert this part to the original code so >>>>> that it does not stick out. >>>>> >>>> >>>> Better (the right one) patches attached. >>> >>> ACK >>> >> master: >> * 91572afc60f590f0d81ad18234189a0b48144bf5 Make option --no-members >> public in CLI >> * 5f42b42bd4557a669ab5cfcf1af6596f1a2535f1 Performance: Find >> commands: do not process members by default >> > > We found an issue, I used the flag 'no_cli' instead of 'no_option' > > fixed and pushed under the one-liner rule > > master: > * 5c58751d72de27eae2181f2c0e620df03f8dbc82 Fix: replace incorrect > no_cli with no_option flag > > > > I found another one-liner issue, there was an extra no_members=False in topologysuffix_find in replication.py, which caused an error in ipa-replica-manage Pushed to master: f077fab23fe9dc8a71562d1ba3c0d603d2957d3b -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0495-Fix-topologysuffix_find-doesn-t-have-no_members-opti.patch Type: text/x-patch Size: 1101 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jun 2 11:40:49 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 2 Jun 2016 13:40:49 +0200 Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles Message-ID: Hello, please review my patches which add webui for server roles. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0036-Association-table-can-be-read-only.patch Type: text/x-patch Size: 1413 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0037-Extend-table-facet.patch Type: text/x-patch Size: 5355 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0038-Add-server-roles-on-topology-page.patch Type: text/x-patch Size: 7670 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 2 11:50:06 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 13:50:06 +0200 Subject: [Freeipa-devel] [PATCH] 0002 New User Role Tests In-Reply-To: <651798515.57202911.1464860977307.JavaMail.zimbra@redhat.com> References: <1698677244.50966760.1462789150686.JavaMail.zimbra@redhat.com> <19bc3a86-8e60-f023-6bab-b807a3d03364@redhat.com> <651798515.57202911.1464860977307.JavaMail.zimbra@redhat.com> Message-ID: Your patch doesn't apply on master anymore; there were changes in the role test and the patch has to be updated and rebased. Please look at this for the new changes in test_role_plugin.py: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=5f42b42bd4557a669ab5cfcf1af6596f1a2535f1 Martin^2 On 02.06.2016 11:49, Peter Lacko wrote: > Sorry for the late response, I wasn't working these days. > The fixed patch is in the attachment. > > Peter > > > ----- Original Message -----
> From: "Martin Basti" > To: "Peter Lacko" , freeipa-devel at redhat.com > Sent: Monday, May 9, 2016 1:06:08 PM > Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests > > > > On 09.05.2016 13:04, Martin Basti wrote: >> >> On 09.05.2016 12:19, Peter Lacko wrote: >>> +# pylint: disable=unicode-builtin >> I'm not doing a complete review, just the line above hit my eyes. >> >> unicode() is not in Py3 because all strings there are unicode, thus >> you cannot use it directly, you need something like >> >> if six.PY2: >> str = unicode >> >> and use str() everywhere and remove that #pylint line >> >> FYI all enabled pylint checks are there for a good reason, be careful >> with disabling it (mainly disabling it for a whole module) rather ask >> before if you are not sure. >> >> Martin^2 >> > Nope, sorry, I temporarily forgot how to python > > instead of the pylint disable use this > > if six.PY3: > unicode = str > > and keep unicode there. Sorry > > Martin^2 From pvomacka at redhat.com Thu Jun 2 11:54:37 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 2 Jun 2016 13:54:37 +0200 Subject: [Freeipa-devel] [PATCH 0149-0152] Server Roles: user-facing part In-Reply-To: <7d27e63b-a93a-30dd-b661-aa4f31535609@redhat.com> References: <7d27e63b-a93a-30dd-b661-aa4f31535609@redhat.com> Message-ID: <8117e414-56fe-6b3f-3f25-3990d38bfdff@redhat.com> On 05/30/2016 07:13 PM, Martin Babinsky wrote: > These patches implement the usable part of the Server Roles design. There > might be some discrepancies between the design and the actual > implementation, I was head first in hacking and was not very > disciplined in keeping the design up to date. > > I will fix this ASAP. > > http://www.freeipa.org/page/V4/Server_Roles > https://fedorahosted.org/freeipa/ticket/5181 > https://fedorahosted.org/freeipa/ticket/5689 > > > Hello Martin, when I was implementing the WebUI for server roles I found one small bug: the search bars above tables call entity_find again with the searched string as the 'criteria' (first) argument for filtering. If I use the server_role_find call with any criteria, it always returns the whole list. So this kind of filtering doesn't work. -- Pavel^3 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Thu Jun 2 12:06:32 2016
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 2 Jun 2016 14:06:32 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> Message-ID: <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> On 1.6.2016 18:00, Martin Basti wrote: > > > updated patches attached > > freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch > > > From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Wed, 4 May 2016 17:33:52 +0200 > Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges > > DNS privileges are important for handling DNS locations which can be > created without DNS servers in IPA topology. We will also need this > privileges presented for future feature 'External DNS support' > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/share/delegation.ldif | 16 ++++++++++++++++ > install/share/dns.ldif | 16 ---------------- > install/updates/37-locations.update | 0 > install/updates/40-delegation.update | 16 ++++++++++++++++ > 4 files changed, 32 insertions(+), 16 deletions(-) > create mode 100644 install/updates/37-locations.update > > diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif > index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644 > --- a/install/share/delegation.ldif > +++ b/install/share/delegation.ldif 
> @@ -80,6 +80,22 @@ objectClass: nestedgroup > cn: Delegation Administrator > description: Role administration > > +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX > +changetype: add > +objectClass: top > +objectClass: groupofnames > +objectClass: nestedgroup > +cn: DNS Administrators > +description: DNS Administrators > + > +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX > +changetype: add > +objectClass: top > +objectClass: groupofnames > +objectClass: nestedgroup > +cn: DNS Servers > +description: DNS Servers > + > dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX > changetype: add > objectClass: top > diff --git a/install/share/dns.ldif b/install/share/dns.ldif > index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644 > --- a/install/share/dns.ldif > +++ b/install/share/dns.ldif 
> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search > aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";) > aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";) > aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) > - > -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX > -changetype: add > -objectClass: top > -objectClass: groupofnames > -objectClass: nestedgroup > -cn: DNS Administrators > -description: DNS Administrators > - > -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX > -changetype: add > -objectClass: top > -objectClass: groupofnames > -objectClass: nestedgroup > -cn: DNS Servers > -description: DNS Servers 
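Review bot: in both the delegation.ldif and dns.ldif hunks the moved privilege entries keep `description: DNS Administrators` and `description: DNS Servers`, a description that only repeats the cn, while the neighbouring entries in delegation.ldif carry meaningful text (`cn: Delegation Administrator` / `description: Role administration`); since these entries are being rewritten anyway, give them a real description (for example "DNS administration") and use the same text in the 40-delegation.update hunk so the fresh-install and upgrade paths stay identical. Otherwise the removal from dns.ldif matches the addition to delegation.ldif line for line.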
> diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update > new file mode 100644 > index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 > diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update > index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644 > --- a/install/updates/40-delegation.update > +++ b/install/updates/40-delegation.update > @@ -274,3 +274,19 @@ default:objectClass: groupofnames > default:objectClass: top > default:cn: Vault Administrators > default:description: Vault Administrators > + > + > +# Locations - always create DNS related privileges > +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX > +default:objectClass: top > +default:objectClass: groupofnames > +default:objectClass: nestedgroup > +default:cn: DNS Administrators > +default:description: DNS Administrators > + > +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX > +default:objectClass: top > +default:objectClass: groupofnames > +default:objectClass: nestedgroup > +default:cn: DNS Servers > +default:description: DNS Servers > -- 2.5.5 > > > freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch > > > From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Thu, 12 May 2016 10:53:37 +0200 > Subject: [PATCH 2/4] DNS Locations: add new attributes and objectclasses > > http://www.freeipa.org/page/V4/DNS_Location_Mechanism > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/share/60ipadns.ldif | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif > index 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 100644 > --- a/install/share/60ipadns.ldif > +++ b/install/share/60ipadns.ldif 
> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY S > attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) > attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) > attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) > +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) > +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME 'ipaLocationWeight' DESC 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) > objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) ) > objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ 
idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) ) > objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) > @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY > objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) > objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) > objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) > +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME 'ipaLocationObject' DESC 'Object for storing IPA server location' STRUCTURAL MUST ( idnsName ) MAY ( description ) X-ORIGIN 'IPA v4.4' ) > +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember' DESC 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) > -- 2.5.5 > > > freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch > > > From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 
> From: Martin Basti > Date: Thu, 12 May 2016 10:54:20 +0200 > Subject: [PATCH 3/4] DNS Locations: location-* commands > > http://www.freeipa.org/page/V4/DNS_Location_Mechanism > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ACI.txt | 8 ++ > API.txt | 59 ++++++++++++++ > VERSION | 4 +- > install/share/bootstrap-template.ldif | 6 ++ > install/updates/37-locations.update | 4 + > install/updates/Makefile.am | 1 + > ipalib/constants.py | 1 + > ipalib/plugins/location.py | 149 ++++++++++++++++++++++++++++++++++ > 8 files changed, 230 insertions(+), 2 deletions(-) > create mode 100644 ipalib/plugins/location.py > > diff --git a/ACI.txt b/ACI.txt > index cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 100644 > --- a/ACI.txt > +++ b/ACI.txt 
> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example > aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket > Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=users,cn=accounts,dc=ipa,dc=example > aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket > Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) > +dn: cn=locations,cn=etc,dc=ipa,dc=example > +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) > +dn: cn=locations,cn=etc,dc=ipa,dc=example > +aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) > +dn: cn=locations,cn=etc,dc=ipa,dc=example > +aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) > +dn: cn=locations,cn=etc,dc=ipa,dc=example > +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA Locations";allow 
(delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=ng,cn=alt,dc=ipa,dc=example > aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=ng,cn=alt,dc=ipa,dc=example > diff --git a/API.txt b/API.txt > index 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 100644 > --- a/API.txt > +++ b/API.txt 
> @@ -2759,6 +2759,65 @@ option: Str('version?') > output: Entry('result') > output: Output('summary', type=[, ]) > output: PrimaryKey('value') > +command: location_add > +args: 1,6,3 > +arg: DNSNameParam('idnsname', cli_name='name') > +option: Str('addattr*', cli_name='addattr') > +option: Flag('all', autofill=True, cli_name='all', default=False) > +option: Str('description?') > +option: Flag('raw', autofill=True, cli_name='raw', default=False) > +option: Str('setattr*', cli_name='setattr') > +option: Str('version?') > +output: Entry('result') > +output: Output('summary', type=[, ]) > +output: PrimaryKey('value') > +command: location_del > +args: 1,2,3 > +arg: DNSNameParam('idnsname+', cli_name='name') > +option: Flag('continue', autofill=True, cli_name='continue', default=False) > +option: Str('version?') > +output: Output('result', type=[]) > +output: Output('summary', type=[, ]) > +output: ListOfPrimaryKeys('value') > +command: location_find > +args: 1,8,4 > +arg: Str('criteria?') > +option: Flag('all', autofill=True, cli_name='all', default=False) > +option: Str('description?', autofill=False) > +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') > +option: Flag('pkey_only?', autofill=True, default=False) > +option: Flag('raw', autofill=True, cli_name='raw', default=False) > +option: Int('sizelimit?', autofill=False) > +option: Int('timelimit?', autofill=False) > +option: Str('version?') > +output: Output('count', type=[]) > +output: ListOfEntries('result') > +output: Output('summary', type=[, ]) > +output: Output('truncated', type=[]) > +command: location_mod > +args: 1,8,3 > +arg: DNSNameParam('idnsname', cli_name='name') > +option: Str('addattr*', cli_name='addattr') > +option: Flag('all', autofill=True, cli_name='all', default=False) > +option: Str('delattr*', cli_name='delattr') > +option: Str('description?', autofill=False) > +option: Flag('raw', autofill=True, cli_name='raw', default=False) > +option: Flag('rights', autofill=True, 
default=False) > +option: Str('setattr*', cli_name='setattr') > +option: Str('version?') > +output: Entry('result') > +output: Output('summary', type=[, ]) > +output: PrimaryKey('value') > +command: location_show > +args: 1,4,3 > +arg: DNSNameParam('idnsname', cli_name='name') > +option: Flag('all', autofill=True, cli_name='all', default=False) > +option: Flag('raw', autofill=True, cli_name='raw', default=False) > +option: Flag('rights', autofill=True, default=False) > +option: Str('version?') > +output: Entry('result') > +output: Output('summary', type=[, ]) > +output: PrimaryKey('value') > command: migrate_ds > args: 2,20,4 > arg: Str('ldapuri', cli_name='ldap_uri') > diff --git a/VERSION b/VERSION > index 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 100644 > --- a/VERSION > +++ b/VERSION > @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 > # # > ######################################################## > IPA_API_VERSION_MAJOR=2 > -IPA_API_VERSION_MINOR=170 > -# Last change: mbasti - *-find: do not search for members by default > +IPA_API_VERSION_MINOR=171 > +# Last change: mbasti - location-* commands > diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif > index 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 100644 > --- a/install/share/bootstrap-template.ldif > +++ b/install/share/bootstrap-template.ldif > @@ -119,6 +119,12 @@ objectClass: nsContainer > objectClass: top > cn: etc > > +dn: cn=locations,cn=etc,$SUFFIX > +changetype: add > +objectClass: nsContainer > +objectClass: top > +cn: locations > + > dn: cn=sysaccounts,cn=etc,$SUFFIX > changetype: add > objectClass: nsContainer > diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update > index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 100644 > --- a/install/updates/37-locations.update 
> +++ b/install/updates/37-locations.update > @@ -0,0 +1,4 @@ > +dn: cn=locations,cn=etc,$SUFFIX > +default: objectClass: nsContainer > +default: objectClass: top > +default: cn: locations > diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am > index 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 100644 > --- a/install/updates/Makefile.am > +++ b/install/updates/Makefile.am > @@ -28,6 +28,7 @@ app_DATA = \ > 25-referint.update \ > 30-provisioning.update \ > 30-s4u2proxy.update \ > + 37-locations.update \ > 40-delegation.update \ > 40-realm_domains.update \ > 40-replication.update \ > diff --git a/ipalib/constants.py b/ipalib/constants.py > index 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 100644 > --- a/ipalib/constants.py > +++ b/ipalib/constants.py > @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( > ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), > ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), > ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), > + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), > > # Ports, hosts, and URIs: > ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), > diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py > new file mode 100644 > index 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc > --- /dev/null > +++ b/ipalib/plugins/location.py 
> @@ -0,0 +1,149 @@ > +# > +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license > +# > + > +from __future__ import absolute_import > + > +from ipalib import ( > + _, > + ngettext, > + api, > + Str, > + DNSNameParam > +) > +from ipalib.plugable import Registry > +from ipalib.plugins.baseldap import ( > + LDAPCreate, > + LDAPSearch, > + LDAPRetrieve, > + LDAPDelete, > + LDAPObject, > + LDAPUpdate, > +) > +from ipapython.dnsutil import DNSName > + > +__doc__ = _(""" > +IPA locations > +""") + _(""" > +Manipulate DNS locations > +""") + _(""" > +EXAMPLES: > +""") + _(""" > + Find all locations: > + ipa location-find > +""") + _(""" > + Show specific location: > + ipa location-show location > +""") + _(""" > + Add location: > + ipa location-add location --description 'My location' > +""") + _(""" > + Delete location: > + ipa location-del location > +""") > + > +register = Registry() > + > + > + at register() > +class location(LDAPObject): > + """ > + IPA locations > + """ > + container_dn = api.env.container_locations > + object_name = _('location') > + object_name_plural = _('locations') > + object_class = ['ipaLocationObject'] > + search_attributes = ['idnsName'] > + default_attributes = [ > + 'idnsname', 'description' > + ] > + label = _('IPA Locations') > + label_singular = _('IPA Location') > + > + permission_filter_objectclasses = ['ipaLocationObject'] > + managed_permissions = { > + 'System: Read IPA Locations': { > + 'ipapermright': {'read', 'search', 'compare'}, > + 'ipapermdefaultattr': { > + 'objectclass', 'idnsname', 'description', > + }, > + 'default_privileges': {'DNS Administrators'}, > + }, > + 'System: Add IPA Locations': { > + 'ipapermright': {'add'}, > + 'default_privileges': {'DNS Administrators'}, > + }, > + 'System: Remove IPA Locations': { > + 'ipapermright': {'delete'}, > + 'default_privileges': {'DNS Administrators'}, > + }, > + 'System: Modify IPA Locations': { > + 'ipapermright': {'write'}, > + 'ipapermdefaultattr': { > + 
'description', > + }, > + 'default_privileges': {'DNS Administrators'}, > + }, > + } > + > + takes_params = ( > + DNSNameParam( > + 'idnsname', > + cli_name='name', > + primary_key=True, > + label=_('Location name'), > + doc=_('IPA location name'), > + # dns name must be relative, we will put it into middle of > + # location domain name for location records > + only_relative=True, > + ), > + Str( > + 'description?', > + label=_('Description'), > + doc=_('IPA Location description'), > + ), > + ) > + > + def get_dn(self, *keys, **options): > + loc = keys[-1] > + assert isinstance(loc, DNSName) > + loc_a = loc.ToASCII() > + > + return super(location, self).get_dn(loc_a, **options) > + > + > + at register() > +class location_add(LDAPCreate): > + __doc__ = _('Add a new IPA location.') > + > + msg_summary = _('Added IPA location "%(value)s"') > + > + > + at register() > +class location_del(LDAPDelete): > + __doc__ = _('Delete an IPA location.') > + > + msg_summary = _('Deleted IPA location "%(value)s"') > + > + > + at register() > +class location_mod(LDAPUpdate): > + __doc__ = _('Modify information about an IPA location .')

Typo - redundant ' ' at the end.

Conditional NACK, warnings mentioned in http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI are not there.

I'm open to changing this to ACK if you open a separate ticket for this omission so we do not forget to add them later on.

--
Petr^2 Spacek

From slaznick at redhat.com Thu Jun 2 12:15:12 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 2 Jun 2016 14:15:12 +0200
Subject: [Freeipa-devel] [PATCH 0039] Deprecate --domain-level option from ipa-server-install
Message-ID:

I had a different solution prepared but it seems that the deprecated flag in KnobBase does the trick. Although if the only thing it does is to remove the option from help, it may need to be renamed (help_hidden, maybe?).

https://fedorahosted.org/freeipa/ticket/5907

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0039-Deprecated-the-domain-level-option-in-ipa-server-ins.patch
Type: text/x-patch
Size: 861 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jun 2 12:20:34 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 2 Jun 2016 14:20:34 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue
In-Reply-To: <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com>
References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com>
Message-ID: <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com>

On 2.6.2016 14:06, Petr Spacek wrote:
> On 1.6.2016 18:00, Martin Basti wrote:
>>
>>
>> updated patches attached
>>
>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
>>
>>
>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
>> From: Martin Basti >> Date: Wed, 4 May 2016 17:33:52 +0200 >> Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges >> >> DNS privileges are important for handling DNS locations which can be >> created without DNS servers in IPA topology. We will also need this >> privileges presented for future feature 'External DNS support' >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/share/delegation.ldif | 16 ++++++++++++++++ >> install/share/dns.ldif | 16 ---------------- >> install/updates/37-locations.update | 0 >> install/updates/40-delegation.update | 16 ++++++++++++++++ >> 4 files changed, 32 insertions(+), 16 deletions(-) >> create mode 100644 install/updates/37-locations.update >> >> diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif >> index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644 >> --- a/install/share/delegation.ldif >> +++ b/install/share/delegation.ldif >> @@ -80,6 +80,22 @@ objectClass: nestedgroup >> cn: Delegation Administrator >> description: Role administration >> >> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >> +changetype: add >> +objectClass: top >> +objectClass: groupofnames >> +objectClass: nestedgroup >> +cn: DNS Administrators >> +description: DNS Administrators >> + >> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >> +changetype: add >> +objectClass: top >> +objectClass: groupofnames >> +objectClass: nestedgroup >> +cn: DNS Servers >> +description: DNS Servers >> + >> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >> changetype: add >> objectClass: top >> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >> index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644 >> --- a/install/share/dns.ldif >> +++ b/install/share/dns.ldif 
>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";) >> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";) >> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >> - >> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >> -changetype: add >> -objectClass: top >> -objectClass: groupofnames >> -objectClass: nestedgroup >> -cn: DNS Administrators >> -description: DNS Administrators >> - >> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >> -changetype: add >> -objectClass: top >> -objectClass: groupofnames >> -objectClass: nestedgroup >> -cn: DNS Servers >> -description: DNS Servers 
>> diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update >> new file mode 100644 >> index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >> diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update >> index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644 >> --- a/install/updates/40-delegation.update >> +++ b/install/updates/40-delegation.update >> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >> default:objectClass: top >> default:cn: Vault Administrators >> default:description: Vault Administrators >> + >> + >> +# Locations - always create DNS related privileges >> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >> +default:objectClass: top >> +default:objectClass: groupofnames >> +default:objectClass: nestedgroup >> +default:cn: DNS Administrators >> +default:description: DNS Administrators >> + >> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >> +default:objectClass: top >> +default:objectClass: groupofnames >> +default:objectClass: nestedgroup >> +default:cn: DNS Servers >> +default:description: DNS Servers >> -- 2.5.5 >> >> >> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >> >> >> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Thu, 12 May 2016 10:53:37 +0200 >> Subject: [PATCH 2/4] DNS Locations: add new attributes and objectclasses >> >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/share/60ipadns.ldif | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif >> index 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 100644 >> --- a/install/share/60ipadns.ldif >> +++ b/install/share/60ipadns.ldif 
>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME 'idnsSecKeySep' DESC 'DNSKEY S >> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME 'ipaLocationWeight' DESC 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord $ HIPRecord $ SPFRecord ) ) >> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh 
$ idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) >> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME 'ipaDNSZone' SUP top AUXILIARY >> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) >> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) >> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) >> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME 'ipaLocationObject' DESC 'Object for storing IPA server location' STRUCTURAL MUST ( idnsName ) MAY ( description ) X-ORIGIN 'IPA v4.4' ) >> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember' DESC 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >> -- 2.5.5 >> >> >> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >> >> >> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 
>> From: Martin Basti >> Date: Thu, 12 May 2016 10:54:20 +0200 >> Subject: [PATCH 3/4] DNS Locations: location-* commands >> >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ACI.txt | 8 ++ >> API.txt | 59 ++++++++++++++ >> VERSION | 4 +- >> install/share/bootstrap-template.ldif | 6 ++ >> install/updates/37-locations.update | 4 + >> install/updates/Makefile.am | 1 + >> ipalib/constants.py | 1 + >> ipalib/plugins/location.py | 149 ++++++++++++++++++++++++++++++++++ >> 8 files changed, 230 insertions(+), 2 deletions(-) >> create mode 100644 ipalib/plugins/location.py >> >> diff --git a/ACI.txt b/ACI.txt >> index cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 100644 >> --- a/ACI.txt >> +++ b/ACI.txt 
>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >> aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket >> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=users,cn=accounts,dc=ipa,dc=example >> aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket >> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> +dn: cn=locations,cn=etc,dc=ipa,dc=example >> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = "ldap:///cn=System: Add IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> +dn: cn=locations,cn=etc,dc=ipa,dc=example >> +aci: (targetattr = "description")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> +dn: cn=locations,cn=etc,dc=ipa,dc=example >> +aci: (targetattr = "createtimestamp || description || entryusn || idnsname || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> +dn: cn=locations,cn=etc,dc=ipa,dc=example >> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Remove IPA 
Locations";allow (delete) groupdn = "ldap:///cn=System: Remove IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=ng,cn=alt,dc=ipa,dc=example >> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=ng,cn=alt,dc=ipa,dc=example >> diff --git a/API.txt b/API.txt >> index 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 100644 >> --- a/API.txt >> +++ b/API.txt 
>> @@ -2759,6 +2759,65 @@ option: Str('version?') >> output: Entry('result') >> output: Output('summary', type=[, ]) >> output: PrimaryKey('value') >> +command: location_add >> +args: 1,6,3 >> +arg: DNSNameParam('idnsname', cli_name='name') >> +option: Str('addattr*', cli_name='addattr') >> +option: Flag('all', autofill=True, cli_name='all', default=False) >> +option: Str('description?') >> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >> +option: Str('setattr*', cli_name='setattr') >> +option: Str('version?') >> +output: Entry('result') >> +output: Output('summary', type=[, ]) >> +output: PrimaryKey('value') >> +command: location_del >> +args: 1,2,3 >> +arg: DNSNameParam('idnsname+', cli_name='name') >> +option: Flag('continue', autofill=True, cli_name='continue', default=False) >> +option: Str('version?') >> +output: Output('result', type=[]) >> +output: Output('summary', type=[, ]) >> +output: ListOfPrimaryKeys('value') >> +command: location_find >> +args: 1,8,4 >> +arg: Str('criteria?') >> +option: Flag('all', autofill=True, cli_name='all', default=False) >> +option: Str('description?', autofill=False) >> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >> +option: Flag('pkey_only?', autofill=True, default=False) >> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >> +option: Int('sizelimit?', autofill=False) >> +option: Int('timelimit?', autofill=False) >> +option: Str('version?') >> +output: Output('count', type=[]) >> +output: ListOfEntries('result') >> +output: Output('summary', type=[, ]) >> +output: Output('truncated', type=[]) >> +command: location_mod >> +args: 1,8,3 >> +arg: DNSNameParam('idnsname', cli_name='name') >> +option: Str('addattr*', cli_name='addattr') >> +option: Flag('all', autofill=True, cli_name='all', default=False) >> +option: Str('delattr*', cli_name='delattr') >> +option: Str('description?', autofill=False) >> +option: Flag('raw', autofill=True, cli_name='raw', default=False) 
>> +option: Flag('rights', autofill=True, default=False) >> +option: Str('setattr*', cli_name='setattr') >> +option: Str('version?') >> +output: Entry('result') >> +output: Output('summary', type=[, ]) >> +output: PrimaryKey('value') >> +command: location_show >> +args: 1,4,3 >> +arg: DNSNameParam('idnsname', cli_name='name') >> +option: Flag('all', autofill=True, cli_name='all', default=False) >> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >> +option: Flag('rights', autofill=True, default=False) >> +option: Str('version?') >> +output: Entry('result') >> +output: Output('summary', type=[, ]) >> +output: PrimaryKey('value') >> command: migrate_ds >> args: 2,20,4 >> arg: Str('ldapuri', cli_name='ldap_uri') >> diff --git a/VERSION b/VERSION >> index 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 100644 >> --- a/VERSION >> +++ b/VERSION >> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >> # # >> ######################################################## >> IPA_API_VERSION_MAJOR=2 >> -IPA_API_VERSION_MINOR=170 >> -# Last change: mbasti - *-find: do not search for members by default >> +IPA_API_VERSION_MINOR=171 >> +# Last change: mbasti - location-* commands >> diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif >> index 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 100644 >> --- a/install/share/bootstrap-template.ldif >> +++ b/install/share/bootstrap-template.ldif >> @@ -119,6 +119,12 @@ objectClass: nsContainer >> objectClass: top >> cn: etc >> >> +dn: cn=locations,cn=etc,$SUFFIX >> +changetype: add >> +objectClass: nsContainer >> +objectClass: top >> +cn: locations >> + >> dn: cn=sysaccounts,cn=etc,$SUFFIX >> changetype: add >> objectClass: nsContainer 
>> diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update >> index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 100644 >> --- a/install/updates/37-locations.update >> +++ b/install/updates/37-locations.update >> @@ -0,0 +1,4 @@ >> +dn: cn=locations,cn=etc,$SUFFIX >> +default: objectClass: nsContainer >> +default: objectClass: top >> +default: cn: locations >> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >> index 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 100644 >> --- a/install/updates/Makefile.am >> +++ b/install/updates/Makefile.am >> @@ -28,6 +28,7 @@ app_DATA = \ >> 25-referint.update \ >> 30-provisioning.update \ >> 30-s4u2proxy.update \ >> + 37-locations.update \ >> 40-delegation.update \ >> 40-realm_domains.update \ >> 40-replication.update \ >> diff --git a/ipalib/constants.py b/ipalib/constants.py >> index 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 100644 >> --- a/ipalib/constants.py >> +++ b/ipalib/constants.py >> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), >> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), >> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >> >> # Ports, hosts, and URIs: >> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), >> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >> new file mode 100644 >> index 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >> --- /dev/null >> +++ b/ipalib/plugins/location.py 
>> @@ -0,0 +1,149 @@ >> +# >> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >> +# >> + >> +from __future__ import absolute_import >> + >> +from ipalib import ( >> + _, >> + ngettext, >> + api, >> + Str, >> + DNSNameParam >> +) >> +from ipalib.plugable import Registry >> +from ipalib.plugins.baseldap import ( >> + LDAPCreate, >> + LDAPSearch, >> + LDAPRetrieve, >> + LDAPDelete, >> + LDAPObject, >> + LDAPUpdate, >> +) >> +from ipapython.dnsutil import DNSName >> + >> +__doc__ = _(""" >> +IPA locations >> +""") + _(""" >> +Manipulate DNS locations >> +""") + _(""" >> +EXAMPLES: >> +""") + _(""" >> + Find all locations: >> + ipa location-find >> +""") + _(""" >> + Show specific location: >> + ipa location-show location >> +""") + _(""" >> + Add location: >> + ipa location-add location --description 'My location' >> +""") + _(""" >> + Delete location: >> + ipa location-del location >> +""") >> + >> +register = Registry() >> + >> + >> + at register() >> +class location(LDAPObject): >> + """ >> + IPA locations >> + """ >> + container_dn = api.env.container_locations >> + object_name = _('location') >> + object_name_plural = _('locations') >> + object_class = ['ipaLocationObject'] >> + search_attributes = ['idnsName'] >> + default_attributes = [ >> + 'idnsname', 'description' >> + ] >> + label = _('IPA Locations') >> + label_singular = _('IPA Location') >> + >> + permission_filter_objectclasses = ['ipaLocationObject'] >> + managed_permissions = { >> + 'System: Read IPA Locations': { >> + 'ipapermright': {'read', 'search', 'compare'}, >> + 'ipapermdefaultattr': { >> + 'objectclass', 'idnsname', 'description', >> + }, >> + 'default_privileges': {'DNS Administrators'}, >> + }, >> + 'System: Add IPA Locations': { >> + 'ipapermright': {'add'}, >> + 'default_privileges': {'DNS Administrators'}, >> + }, >> + 'System: Remove IPA Locations': { >> + 'ipapermright': {'delete'}, >> + 'default_privileges': {'DNS Administrators'}, >> + }, >> + 'System: Modify IPA 
Locations': { >> + 'ipapermright': {'write'}, >> + 'ipapermdefaultattr': { >> + 'description', >> + }, >> + 'default_privileges': {'DNS Administrators'}, >> + }, >> + } >> + >> + takes_params = ( >> + DNSNameParam( >> + 'idnsname', >> + cli_name='name', >> + primary_key=True, >> + label=_('Location name'), >> + doc=_('IPA location name'), >> + # dns name must be relative, we will put it into middle of >> + # location domain name for location records >> + only_relative=True, >> + ), >> + Str( >> + 'description?', >> + label=_('Description'), >> + doc=_('IPA Location description'), >> + ), >> + ) >> + >> + def get_dn(self, *keys, **options): >> + loc = keys[-1] >> + assert isinstance(loc, DNSName) >> + loc_a = loc.ToASCII() >> + >> + return super(location, self).get_dn(loc_a, **options) >> + >> + >> + at register() >> +class location_add(LDAPCreate): >> + __doc__ = _('Add a new IPA location.') >> + >> + msg_summary = _('Added IPA location "%(value)s"') >> + >> + >> + at register() >> +class location_del(LDAPDelete): >> + __doc__ = _('Delete an IPA location.') >> + >> + msg_summary = _('Deleted IPA location "%(value)s"') >> + >> + >> + at register() >> +class location_mod(LDAPUpdate): >> + __doc__ = _('Modify information about an IPA location .')
>
> Typo - redundant ' ' at the end.
>
>
> Conditional NACK, warnings mentioned in
> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
> are not there.
>
> I'm open to changing this to ACK if you open a separate ticket for this
> omission so we do not forget to add them later on.

+1

Patch 480:

1) The code in location_show.execute() looks like it could be moved to location_show.post_callback()

2) Before calling super().output_for_cli(), pop 'servers' from result, so that it is not displayed with --all.

Patch 481:

1) Could we rename --force to --nonempty (or something better)? I would like to reserve --force for "ignore NotFound when deleting the entry", which is not the case here.
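Review bot: in patch 1/4 (DNS Locations: Always create DNS related privileges), the new install/updates/37-locations.update is created empty (diffstat `install/updates/37-locations.update | 0`, index 0000000..e69de29, the empty blob) and is neither listed in install/updates/Makefile.am nor given any content until patch 3/4; at this point in the series it is dead weight and would not even be installed. Either create the file in patch 3/4 together with its content and Makefile.am entry, or add the Makefile.am line here so every patch in the series is self-contained. The move of the "DNS Administrators" and "DNS Servers" privileges from dns.ldif to delegation.ldif, with `default:` entries in 40-delegation.update, is the right shape: `default:` only fills in the entry when it does not exist yet, so DNS-enabled servers that already carry these privileges are left untouched on upgrade.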
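Review bot: in the 60ipadns.ldif hunk of patch 2/4, ipaLocation is a DN-syntax attribute (SYNTAX 1.3.6.1.4.1.1466.115.121.1.12, EQUALITY distinguishedNameMatch) carried by the ipaLocationMember auxiliary class, but none of the hunks shown here touches the referential integrity configuration (25-referint.update is visible as unchanged context in the Makefile.am hunk of patch 3/4). Without that, deleting an entry under cn=locations,cn=etc,$SUFFIX leaves dangling ipaLocation values on the member entries ("the server in IPA location" per the attribute DESC). Either register ipaLocation with the referint plugin or make location-del refuse to remove a location that still has members; the --force/--nonempty flag discussed for patch 481 sounds like the latter, in which case a one-line comment in the schema pointing at that check would help the next reader. Separately, ipaLocationWeight carries EQUALITY integerMatch with no ORDERING rule and the schema cannot bound its range, so the plugin that sets it must enforce the valid weight range itself.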
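Review bot: in the ipalib/plugins/location.py hunk of patch 3/4, location.get_dn() relies on `assert isinstance(loc, DNSName)` as the only guard before `loc.ToASCII()`; assertions are stripped when Python runs with -O, so a non-DNSName key would then surface as an AttributeError deep in the call rather than a clear error. Because idnsname is declared as a DNSNameParam the key should already be a DNSName by the time get_dn() runs, so either drop the assert or replace it with an explicit `raise ValueError(...)`. A smaller style point in the same class: `search_attributes = ['idnsName']` uses a different case from the 'idnsname' spelled everywhere else (default_attributes, ipapermdefaultattr, takes_params); LDAP does not care, but the inconsistency invites a grep miss later.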
--
Jan Cholasta

From pspacek at redhat.com Thu Jun 2 12:39:22 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 2 Jun 2016 14:39:22 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue
In-Reply-To: <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com>
References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com>
Message-ID: <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com>

On 2.6.2016 14:20, Jan Cholasta wrote:
> On 2.6.2016 14:06, Petr Spacek wrote:
>> On 1.6.2016 18:00, Martin Basti wrote:
>>>
>>>
>>> updated patches attached
>>>
>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
>>>
>>>
>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
>>> From: Martin Basti >>> Date: Wed, 4 May 2016 17:33:52 +0200 >>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges >>> >>> DNS privileges are important for handling DNS locations which can be >>> created without DNS servers in IPA topology. We will also need this >>> privileges presented for future feature 'External DNS support' >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/share/delegation.ldif | 16 ++++++++++++++++ >>> install/share/dns.ldif | 16 ---------------- >>> install/updates/37-locations.update | 0 >>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>> 4 files changed, 32 insertions(+), 16 deletions(-) >>> create mode 100644 install/updates/37-locations.update >>> >>> diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif >>> index >>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>> 100644 >>> --- a/install/share/delegation.ldif >>> +++ b/install/share/delegation.ldif >>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>> cn: Delegation Administrator >>> description: Role administration >>> >>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> +changetype: add >>> +objectClass: top >>> +objectClass: groupofnames >>> +objectClass: nestedgroup >>> +cn: DNS Administrators >>> +description: DNS Administrators >>> + >>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> +changetype: add >>> +objectClass: top >>> +objectClass: groupofnames >>> +objectClass: nestedgroup >>> +cn: DNS Servers >>> +description: DNS Servers >>> + >>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>> changetype: add >>> objectClass: top >>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>> index >>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>> 100644 >>> --- a/install/share/dns.ldif >>> +++ b/install/share/dns.ldif 
>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read >>> access"; allow (read,search >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add >>> DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";) >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>> "Remove DNS entries from a zone";allow (delete) userattr = >>> "parent[1].managedby#GROUPDN";) >>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || >>> arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || >>> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord >>> || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || >>> idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || >>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || >>> idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || >>> idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || >>> kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord >>> || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || >>> rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || >>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = >>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in >>> a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >>> - >>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> -changetype: add >>> -objectClass: top >>> -objectClass: groupofnames >>> -objectClass: nestedgroup >>> -cn: DNS Administrators >>> -description: DNS Administrators >>> - >>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> -changetype: add >>> -objectClass: top >>> -objectClass: groupofnames >>> -objectClass: nestedgroup >>> -cn: DNS Servers >>> -description: DNS Servers 
>>> diff --git a/install/updates/37-locations.update >>> b/install/updates/37-locations.update >>> new file mode 100644 >>> index >>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>> >>> diff --git a/install/updates/40-delegation.update >>> b/install/updates/40-delegation.update >>> index >>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>> 100644 >>> --- a/install/updates/40-delegation.update >>> +++ b/install/updates/40-delegation.update >>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>> default:objectClass: top >>> default:cn: Vault Administrators >>> default:description: Vault Administrators >>> + >>> + >>> +# Locations - always create DNS related privileges >>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> +default:objectClass: top >>> +default:objectClass: groupofnames >>> +default:objectClass: nestedgroup >>> +default:cn: DNS Administrators >>> +default:description: DNS Administrators >>> + >>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> +default:objectClass: top >>> +default:objectClass: groupofnames >>> +default:objectClass: nestedgroup >>> +default:cn: DNS Servers >>> +default:description: DNS Servers >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>> >>> >>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Thu, 12 May 2016 10:53:37 +0200 >>> Subject: [PATCH 2/4] DNS Locations: add new attributes and objectclasses >>> >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/share/60ipadns.ldif | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif >>> index >>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>> 100644 >>> --- a/install/share/60ipadns.ldif 
>>> +++ b/install/share/60ipadns.ldif 
>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME >>> 'idnsSecKeySep' DESC 'DNSKEY S >>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC >>> 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match >>> SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC >>> 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC >>> 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch >>> SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC >>> 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME 'ipaLocationWeight' DESC >>> 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns >>> Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ >>> idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ >>> nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ >>> mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord >>> $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord >>> $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ >>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ >>> DHCIDRecord $ HIPRecord $ SPFRecord ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone >>> class' SUP idnsRecord 
STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ >>> idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ >>> idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ >>> idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ >>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC >>> 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ >>> idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) >>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME >>> 'ipaDNSZone' SUP top AUXILIARY >>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC >>> 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) >>> MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC >>> key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ >>> idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ >>> idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ >>> idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) >>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC >>> 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) >>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME 'ipaLocationObject' DESC >>> 'Object for storing IPA server location' STRUCTURAL MUST ( idnsName ) MAY ( >>> description ) X-ORIGIN 'IPA v4.4' ) >>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember' DESC >>> 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ >>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>> >>> >>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Thu, 12 May 2016 10:54:20 +0200 >>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>> >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> ACI.txt | 8 ++ >>> API.txt | 59 ++++++++++++++ >>> VERSION | 4 +- >>> install/share/bootstrap-template.ldif | 6 ++ >>> install/updates/37-locations.update | 4 + >>> install/updates/Makefile.am | 1 + >>> ipalib/constants.py | 1 + >>> ipalib/plugins/location.py | 149 >>> ++++++++++++++++++++++++++++++++++ >>> 8 files changed, 230 insertions(+), 2 deletions(-) >>> create mode 100644 ipalib/plugins/location.py >>> >>> diff --git a/ACI.txt b/ACI.txt >>> index >>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>> 100644 >>> --- a/ACI.txt >>> +++ b/ACI.txt 
>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>> aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes >>> || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || >>> modifytimestamp || objectclass")(targetfilter = >>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: >>> Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = >>> "ldap:///cn=System: Read Default Kerberos Ticket >>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>> aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter >>> = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: >>> Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = >>> "ldap:///cn=System: Read User Kerberos Ticket >>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl >>> "permission:System: Add IPA Locations";allow (add) groupdn = >>> "ldap:///cn=System: Add IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetattr = "description")(targetfilter = >>> "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: >>> Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify >>> IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetattr = "createtimestamp || description || entryusn || idnsname >>> || modifytimestamp || objectclass")(targetfilter = >>> "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read >>> IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: >>> Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetfilter 
= "(objectclass=ipaLocationObject)")(version 3.0;acl >>> "permission:System: Remove IPA Locations";allow (delete) groupdn = >>> "ldap:///cn=System: Remove IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl >>> "permission:System: Add Netgroups";allow (add) groupdn = >>> "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>> diff --git a/API.txt b/API.txt >>> index >>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>> 100644 >>> --- a/API.txt >>> +++ b/API.txt 
>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>> output: Entry('result') >>> output: Output('summary', type=[, ]) >>> output: PrimaryKey('value') >>> +command: location_add >>> +args: 1,6,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Str('addattr*', cli_name='addattr') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('description?') >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Str('setattr*', cli_name='setattr') >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> +command: location_del >>> +args: 1,2,3 >>> +arg: DNSNameParam('idnsname+', cli_name='name') >>> +option: Flag('continue', autofill=True, cli_name='continue', default=False) >>> +option: Str('version?') >>> +output: Output('result', type=[]) >>> +output: Output('summary', type=[, ]) >>> +output: ListOfPrimaryKeys('value') >>> +command: location_find >>> +args: 1,8,4 >>> +arg: Str('criteria?') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('description?', autofill=False) >>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>> +option: Flag('pkey_only?', autofill=True, default=False) >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Int('sizelimit?', autofill=False) >>> +option: Int('timelimit?', autofill=False) >>> +option: Str('version?') >>> +output: Output('count', type=[]) >>> +output: ListOfEntries('result') >>> +output: Output('summary', type=[, ]) >>> +output: Output('truncated', type=[]) >>> +command: location_mod >>> +args: 1,8,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Str('addattr*', cli_name='addattr') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('delattr*', cli_name='delattr') >>> +option: Str('description?', autofill=False) >>> +option: Flag('raw', 
autofill=True, cli_name='raw', default=False) >>> +option: Flag('rights', autofill=True, default=False) >>> +option: Str('setattr*', cli_name='setattr') >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> +command: location_show >>> +args: 1,4,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Flag('rights', autofill=True, default=False) >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> command: migrate_ds >>> args: 2,20,4 >>> arg: Str('ldapuri', cli_name='ldap_uri') >>> diff --git a/VERSION b/VERSION >>> index >>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>> 100644 >>> --- a/VERSION >>> +++ b/VERSION >>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>> # # >>> ######################################################## >>> IPA_API_VERSION_MAJOR=2 >>> -IPA_API_VERSION_MINOR=170 >>> -# Last change: mbasti - *-find: do not search for members by default >>> +IPA_API_VERSION_MINOR=171 >>> +# Last change: mbasti - location-* commands >>> diff --git a/install/share/bootstrap-template.ldif >>> b/install/share/bootstrap-template.ldif >>> index >>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>> 100644 >>> --- a/install/share/bootstrap-template.ldif >>> +++ b/install/share/bootstrap-template.ldif >>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>> objectClass: top >>> cn: etc >>> >>> +dn: cn=locations,cn=etc,$SUFFIX >>> +changetype: add >>> +objectClass: nsContainer >>> +objectClass: top >>> +cn: locations >>> + >>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>> changetype: add >>> objectClass: nsContainer 
>>> diff --git a/install/updates/37-locations.update >>> b/install/updates/37-locations.update >>> index >>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>> 100644 >>> --- a/install/updates/37-locations.update >>> +++ b/install/updates/37-locations.update >>> @@ -0,0 +1,4 @@ >>> +dn: cn=locations,cn=etc,$SUFFIX >>> +default: objectClass: nsContainer >>> +default: objectClass: top >>> +default: cn: locations >>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >>> index >>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>> 100644 >>> --- a/install/updates/Makefile.am >>> +++ b/install/updates/Makefile.am >>> @@ -28,6 +28,7 @@ app_DATA = \ >>> 25-referint.update \ >>> 30-provisioning.update \ >>> 30-s4u2proxy.update \ >>> + 37-locations.update \ >>> 40-delegation.update \ >>> 40-realm_domains.update \ >>> 40-replication.update \ >>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>> index >>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>> 100644 >>> --- a/ipalib/constants.py >>> +++ b/ipalib/constants.py >>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), >>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', >>> 'etc'))), >>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>> >>> # Ports, hosts, and URIs: >>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), >>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>> new file mode 100644 >>> index >>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>> >>> --- /dev/null >>> +++ b/ipalib/plugins/location.py 
>>> @@ -0,0 +1,149 @@ >>> +# >>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>> +# >>> + >>> +from __future__ import absolute_import >>> + >>> +from ipalib import ( >>> + _, >>> + ngettext, >>> + api, >>> + Str, >>> + DNSNameParam >>> +) >>> +from ipalib.plugable import Registry >>> +from ipalib.plugins.baseldap import ( >>> + LDAPCreate, >>> + LDAPSearch, >>> + LDAPRetrieve, >>> + LDAPDelete, >>> + LDAPObject, >>> + LDAPUpdate, >>> +) >>> +from ipapython.dnsutil import DNSName >>> + >>> +__doc__ = _(""" >>> +IPA locations >>> +""") + _(""" >>> +Manipulate DNS locations >>> +""") + _(""" >>> +EXAMPLES: >>> +""") + _(""" >>> + Find all locations: >>> + ipa location-find >>> +""") + _(""" >>> + Show specific location: >>> + ipa location-show location >>> +""") + _(""" >>> + Add location: >>> + ipa location-add location --description 'My location' >>> +""") + _(""" >>> + Delete location: >>> + ipa location-del location >>> +""") >>> + >>> +register = Registry() >>> + >>> + >>> + at register() >>> +class location(LDAPObject): >>> + """ >>> + IPA locations >>> + """ >>> + container_dn = api.env.container_locations >>> + object_name = _('location') >>> + object_name_plural = _('locations') >>> + object_class = ['ipaLocationObject'] >>> + search_attributes = ['idnsName'] >>> + default_attributes = [ >>> + 'idnsname', 'description' >>> + ] >>> + label = _('IPA Locations') >>> + label_singular = _('IPA Location') >>> + >>> + permission_filter_objectclasses = ['ipaLocationObject'] >>> + managed_permissions = { >>> + 'System: Read IPA Locations': { >>> + 'ipapermright': {'read', 'search', 'compare'}, >>> + 'ipapermdefaultattr': { >>> + 'objectclass', 'idnsname', 'description', >>> + }, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Add IPA Locations': { >>> + 'ipapermright': {'add'}, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Remove IPA Locations': { >>> + 'ipapermright': {'delete'}, >>> + 
'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Modify IPA Locations': { >>> + 'ipapermright': {'write'}, >>> + 'ipapermdefaultattr': { >>> + 'description', >>> + }, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + } >>> + >>> + takes_params = ( >>> + DNSNameParam( >>> + 'idnsname', >>> + cli_name='name', >>> + primary_key=True, >>> + label=_('Location name'), >>> + doc=_('IPA location name'), >>> + # dns name must be relative, we will put it into middle of >>> + # location domain name for location records >>> + only_relative=True, >>> + ), >>> + Str( >>> + 'description?', >>> + label=_('Description'), >>> + doc=_('IPA Location description'), >>> + ), >>> + ) >>> + >>> + def get_dn(self, *keys, **options): >>> + loc = keys[-1] >>> + assert isinstance(loc, DNSName) >>> + loc_a = loc.ToASCII() >>> + >>> + return super(location, self).get_dn(loc_a, **options) >>> + >>> + >>> + at register() >>> +class location_add(LDAPCreate): >>> + __doc__ = _('Add a new IPA location.') >>> + >>> + msg_summary = _('Added IPA location "%(value)s"') >>> + >>> + >>> + at register() >>> +class location_del(LDAPDelete): >>> + __doc__ = _('Delete an IPA location.') >>> + >>> + msg_summary = _('Deleted IPA location "%(value)s"') >>> + >>> + >>> + at register() >>> +class location_mod(LDAPUpdate): >>> + __doc__ = _('Modify information about an IPA location .') >> >> Typo - redundant ' ' at the end. >> >> >> Conditional NACK, warnings mentioned in >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >> are not there. >> >> I'm open to changing this to ACK if you open a separate ticket for this >> omission so we do not forget to add them later on. > > +1 > > > Patch 480: > > 1) The code in location_show.execute() looks like it could be moved to > location_show.post_callback() > > > 2) Before calling super().output_for_cli(), pop 'servers' from result, so that > it is not displayed with --all. 
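Review bot: in patch 1/4 the new install/updates/37-locations.update is created empty (new file mode 100644, zero lines) and is not added to install/updates/Makefile.am until patch 3/4, so after patch 1 the tree ships a file that is never installed and never runs. Either move the file creation into patch 3/4 together with the `+ 37-locations.update \` Makefile.am entry, or add the Makefile.am entry here, so that every patch in the series leaves the tree consistent on its own.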
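Review bot: in patch 2/4 the ipaLocationMember objectclass declares both attributes as optional (`AUXILIARY MAY ( ipaLocation $ ipaLocationWeight )`), so an entry can carry an ipaLocationWeight without any ipaLocation; the schema cannot express that dependency, so the plugin that sets these attributes has to reject a weight without a location. Separately, ipaLocationWeight uses `EQUALITY integerMatch` with no ORDERING rule, while ipaDNSVersion in the surrounding context has `EQUALITY integerMatch ORDERING integerOrderingMatch`; adding the ORDERING rule would make range filters on the weight possible, and since syntax 1.3.6.1.4.1.1466.115.121.1.27 accepts any integer including negative values, the accepted range should be documented and enforced by the plugin.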
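Review bot: in patch 3/4 the two update files use different line formats: install/updates/37-locations.update writes `default: objectClass: nsContainer` with a space after the action keyword, while install/updates/40-delegation.update (patch 1/4 and its Vault Administrators context lines) writes `default:objectClass: top` without one. Please use a single form across the series, and unless the updater is known to strip that leading space from the attribute name, follow the existing `default:objectClass:` convention so the nsContainer entry is created as intended.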
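Review bot: location.get_dn() in ipalib/plugins/location.py relies on `assert isinstance(loc, DNSName)` as its only type check; assert statements are stripped when Python runs with -O, and a plain string key would then fail later with an AttributeError on `loc.ToASCII()` instead of a clear error. Convert explicitly (for example `if not isinstance(loc, DNSName): loc = DNSName(loc)`) or raise ValueError, so internal callers that pass a string get a meaningful message. On documentation, the module `__doc__` lists examples for location-find, location-show, location-add and location-del but none for location-mod even though the command is registered; please add one.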
> > > Patch 481: > > 1) Could we rename --force to --nonempty (or something better)? I would like > to reserve --force for "ignore NotFound when deleting the entry", which is not > the case here. IMHO option is unnecessary. Just delete the location (and unset location from all member servers). The design does not contain --force anyway :-) -- Petr^2 Spacek From pvomacka at redhat.com Thu Jun 2 12:41:13 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 2 Jun 2016 14:41:13 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> Message-ID: <41c6ee10-49c5-167b-0741-1db4434511a0@redhat.com> On 06/02/2016 02:20 PM, Jan Cholasta wrote: > On 2.6.2016 14:06, Petr Spacek wrote: >> On 1.6.2016 18:00, Martin Basti wrote: >>> >>> >>> updated patches attached >>> >>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch >>> >>> >>> >>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Wed, 4 May 2016 17:33:52 +0200 >>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related >>> privileges >>> >>> DNS privileges are important for handling DNS locations which can be >>> created without DNS servers in IPA topology. We will also need this >>> privileges presented for future feature 'External DNS support' >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/share/delegation.ldif | 16 ++++++++++++++++ >>> install/share/dns.ldif | 16 ---------------- >>> install/updates/37-locations.update | 0 >>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>> 4 files changed, 32 insertions(+), 16 deletions(-) >>> create mode 100644 install/updates/37-locations.update >>> >>> diff --git a/install/share/delegation.ldif >>> b/install/share/delegation.ldif >>> index >>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>> 100644 >>> --- a/install/share/delegation.ldif >>> +++ b/install/share/delegation.ldif >>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>> cn: Delegation Administrator >>> description: Role administration >>> >>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> +changetype: add >>> +objectClass: top >>> +objectClass: groupofnames >>> +objectClass: nestedgroup >>> +cn: DNS Administrators >>> +description: DNS Administrators >>> + >>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> +changetype: add >>> +objectClass: top >>> +objectClass: groupofnames >>> +objectClass: nestedgroup >>> +cn: DNS Servers >>> +description: DNS Servers >>> + >>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>> changetype: add >>> objectClass: top >>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>> index >>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>> 100644 >>> --- a/install/share/dns.ldif >>> +++ b/install/share/dns.ldif 
>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow >>> read access"; allow (read,search >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>> "Add DNS entries in a zone";allow (add) userattr = >>> "parent[1].managedby#GROUPDN";) >>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>> "Remove DNS entries from a zone";allow (delete) userattr = >>> "parent[1].managedby#GROUPDN";) >>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || >>> aplrecord || arecord || certrecord || cn || cnamerecord || >>> dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || >>> dsrecord || hinforecord || hiprecord || idnsallowdynupdate || >>> idnsallowquery || idnsallowsyncptr || idnsallowtransfer || >>> idnsforwarders || idnsforwardpolicy || idnsname || >>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || >>> idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || >>> idnssoaserial || idnsupdatepolicy || idnszoneactive || >>> ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || >>> minforecord || mxrecord || naptrrecord || nsecrecord || >>> nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord >>> || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord >>> || tlsarecord || txtrecord || unknownrecord ")(target = >>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS >>> entries in a zone";allow (write) userattr = "parent[0,1].managedby#! > GROUPDN";) >>> - >>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> -changetype: add >>> -objectClass: top >>> -objectClass: groupofnames >>> -objectClass: nestedgroup >>> -cn: DNS Administrators >>> -description: DNS Administrators >>> - >>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> -changetype: add >>> -objectClass: top >>> -objectClass: groupofnames >>> -objectClass: nestedgroup >>> -cn: DNS Servers >>> -description: DNS Servers 
>>> diff --git a/install/updates/37-locations.update >>> b/install/updates/37-locations.update >>> new file mode 100644 >>> index >>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>> diff --git a/install/updates/40-delegation.update >>> b/install/updates/40-delegation.update >>> index >>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>> 100644 >>> --- a/install/updates/40-delegation.update >>> +++ b/install/updates/40-delegation.update >>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>> default:objectClass: top >>> default:cn: Vault Administrators >>> default:description: Vault Administrators >>> + >>> + >>> +# Locations - always create DNS related privileges >>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>> +default:objectClass: top >>> +default:objectClass: groupofnames >>> +default:objectClass: nestedgroup >>> +default:cn: DNS Administrators >>> +default:description: DNS Administrators >>> + >>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>> +default:objectClass: top >>> +default:objectClass: groupofnames >>> +default:objectClass: nestedgroup >>> +default:cn: DNS Servers >>> +default:description: DNS Servers >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>> >>> >>> >>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Thu, 12 May 2016 10:53:37 +0200 >>> Subject: [PATCH 2/4] DNS Locations: add new attributes and >>> objectclasses >>> >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/share/60ipadns.ldif | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif >>> index >>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>> 100644 >>> --- a/install/share/60ipadns.ldif 
>>> +++ b/install/share/60ipadns.ldif 
>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME >>> 'idnsSecKeySep' DESC 'DNSKEY S >>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME >>> 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' >>> EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch >>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' >>> DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE >>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' >>> DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING >>> integerOrderingMatch SINGLE-VALUE SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' >>> DESC 'Reference to IPA location' EQUALITY distinguishedNameMatch >>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME >>> 'ipaLocationWeight' DESC 'Weight for the server in IPA location' >>> EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 >>> SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC >>> 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( >>> cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ >>> a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ >>> tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ >>> aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ >>> nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ >>> sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ >>> UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord >>> $ HIPRecord $ SPFRecord ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC >>> 'Zone class' SUP 
idnsRecord STRUCTURAL MUST ( idnsZoneActive $ >>> idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ >>> idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( >>> idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ >>> idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ >>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' >>> DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy >>> $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ >>> idnsPersistentSearch ) ) >>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME >>> 'ipaDNSZone' SUP top AUXILIARY >>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' >>> DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ >>> idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC >>> 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ >>> idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ >>> idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ >>> idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN >>> 'IPA v4.1' ) >>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' >>> DESC 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN >>> 'IPA v4.3' ) >>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME 'ipaLocationObject' >>> DESC 'Object for storing IPA server location' STRUCTURAL MUST ( >>> idnsName ) MAY ( description ) X-ORIGIN 'IPA v4.4' ) >>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember' >>> DESC 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ >>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>> >>> >>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Thu, 12 May 2016 10:54:20 +0200 >>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>> >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> ACI.txt | 8 ++ >>> API.txt | 59 ++++++++++++++ >>> VERSION | 4 +- >>> install/share/bootstrap-template.ldif | 6 ++ >>> install/updates/37-locations.update | 4 + >>> install/updates/Makefile.am | 1 + >>> ipalib/constants.py | 1 + >>> ipalib/plugins/location.py | 149 >>> ++++++++++++++++++++++++++++++++++ >>> 8 files changed, 230 insertions(+), 2 deletions(-) >>> create mode 100644 ipalib/plugins/location.py >>> >>> diff --git a/ACI.txt b/ACI.txt >>> index >>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>> 100644 >>> --- a/ACI.txt >>> +++ b/ACI.txt 
>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>> aci: (targetattr = "createtimestamp || entryusn || >>> krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || >>> krbsupportedencsalttypes || modifytimestamp || >>> objectclass")(targetfilter = >>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>> "permission:System: Read Default Kerberos Ticket Policy";allow >>> (compare,read,search) groupdn = "ldap:///cn=System: Read Default >>> Kerberos Ticket >>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>> aci: (targetattr = "krbmaxrenewableage || >>> krbmaxticketlife")(targetfilter = >>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>> "permission:System: Read User Kerberos Ticket Policy";allow >>> (compare,read,search) groupdn = "ldap:///cn=System: Read User >>> Kerberos Ticket >>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>> 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn = >>> "ldap:///cn=System: Add IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetattr = "description")(targetfilter = >>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>> "permission:System: Modify IPA Locations";allow (write) groupdn = >>> "ldap:///cn=System: Modify IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>> +aci: (targetattr = "createtimestamp || description || entryusn || >>> idnsname || modifytimestamp || objectclass")(targetfilter = >>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>> "permission:System: Read IPA Locations";allow (compare,read,search) >>> groupdn = "ldap:///cn=System: Read IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> +dn: cn=locations,cn=etc,dc=ipa,dc=example 
>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>> 3.0;acl "permission:System: Remove IPA Locations";allow (delete) >>> groupdn = "ldap:///cn=System: Remove IPA >>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version >>> 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = >>> "ldap:///cn=System: Add >>> Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>> diff --git a/API.txt b/API.txt >>> index >>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>> 100644 >>> --- a/API.txt >>> +++ b/API.txt 
>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>> output: Entry('result') >>> output: Output('summary', type=[, ]) >>> output: PrimaryKey('value') >>> +command: location_add >>> +args: 1,6,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Str('addattr*', cli_name='addattr') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('description?') >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Str('setattr*', cli_name='setattr') >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> +command: location_del >>> +args: 1,2,3 >>> +arg: DNSNameParam('idnsname+', cli_name='name') >>> +option: Flag('continue', autofill=True, cli_name='continue', >>> default=False) >>> +option: Str('version?') >>> +output: Output('result', type=[]) >>> +output: Output('summary', type=[, ]) >>> +output: ListOfPrimaryKeys('value') >>> +command: location_find >>> +args: 1,8,4 >>> +arg: Str('criteria?') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('description?', autofill=False) >>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>> +option: Flag('pkey_only?', autofill=True, default=False) >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Int('sizelimit?', autofill=False) >>> +option: Int('timelimit?', autofill=False) >>> +option: Str('version?') >>> +output: Output('count', type=[]) >>> +output: ListOfEntries('result') >>> +output: Output('summary', type=[, ]) >>> +output: Output('truncated', type=[]) >>> +command: location_mod >>> +args: 1,8,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Str('addattr*', cli_name='addattr') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Str('delattr*', cli_name='delattr') >>> +option: Str('description?', autofill=False) >>> +option: 
Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Flag('rights', autofill=True, default=False) >>> +option: Str('setattr*', cli_name='setattr') >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> +command: location_show >>> +args: 1,4,3 >>> +arg: DNSNameParam('idnsname', cli_name='name') >>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>> +option: Flag('rights', autofill=True, default=False) >>> +option: Str('version?') >>> +output: Entry('result') >>> +output: Output('summary', type=[, ]) >>> +output: PrimaryKey('value') >>> command: migrate_ds >>> args: 2,20,4 >>> arg: Str('ldapuri', cli_name='ldap_uri') >>> diff --git a/VERSION b/VERSION >>> index >>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>> 100644 >>> --- a/VERSION >>> +++ b/VERSION >>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>> # # >>> ######################################################## >>> IPA_API_VERSION_MAJOR=2 >>> -IPA_API_VERSION_MINOR=170 >>> -# Last change: mbasti - *-find: do not search for members by default >>> +IPA_API_VERSION_MINOR=171 >>> +# Last change: mbasti - location-* commands >>> diff --git a/install/share/bootstrap-template.ldif >>> b/install/share/bootstrap-template.ldif >>> index >>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>> 100644 >>> --- a/install/share/bootstrap-template.ldif >>> +++ b/install/share/bootstrap-template.ldif >>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>> objectClass: top >>> cn: etc >>> >>> +dn: cn=locations,cn=etc,$SUFFIX >>> +changetype: add >>> +objectClass: nsContainer >>> +objectClass: top >>> +cn: locations >>> + >>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>> changetype: add >>> objectClass: nsContainer 
>>> diff --git a/install/updates/37-locations.update >>> b/install/updates/37-locations.update >>> index >>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>> 100644 >>> --- a/install/updates/37-locations.update >>> +++ b/install/updates/37-locations.update >>> @@ -0,0 +1,4 @@ >>> +dn: cn=locations,cn=etc,$SUFFIX >>> +default: objectClass: nsContainer >>> +default: objectClass: top >>> +default: cn: locations >>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >>> index >>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>> 100644 >>> --- a/install/updates/Makefile.am >>> +++ b/install/updates/Makefile.am >>> @@ -28,6 +28,7 @@ app_DATA = \ >>> 25-referint.update \ >>> 30-provisioning.update \ >>> 30-s4u2proxy.update \ >>> + 37-locations.update \ >>> 40-delegation.update \ >>> 40-realm_domains.update \ >>> 40-replication.update \ >>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>> index >>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>> 100644 >>> --- a/ipalib/constants.py >>> +++ b/ipalib/constants.py >>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', >>> 'ca'))), >>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), >>> ('cn', 'etc'))), >>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>> >>> # Ports, hosts, and URIs: >>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), >>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>> new file mode 100644 >>> index >>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>> --- /dev/null >>> +++ b/ipalib/plugins/location.py 
>>> @@ -0,0 +1,149 @@ >>> +# >>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>> +# >>> + >>> +from __future__ import absolute_import >>> + >>> +from ipalib import ( >>> + _, >>> + ngettext, >>> + api, >>> + Str, >>> + DNSNameParam >>> +) >>> +from ipalib.plugable import Registry >>> +from ipalib.plugins.baseldap import ( >>> + LDAPCreate, >>> + LDAPSearch, >>> + LDAPRetrieve, >>> + LDAPDelete, >>> + LDAPObject, >>> + LDAPUpdate, >>> +) >>> +from ipapython.dnsutil import DNSName >>> + >>> +__doc__ = _(""" >>> +IPA locations >>> +""") + _(""" >>> +Manipulate DNS locations >>> +""") + _(""" >>> +EXAMPLES: >>> +""") + _(""" >>> + Find all locations: >>> + ipa location-find >>> +""") + _(""" >>> + Show specific location: >>> + ipa location-show location >>> +""") + _(""" >>> + Add location: >>> + ipa location-add location --description 'My location' >>> +""") + _(""" >>> + Delete location: >>> + ipa location-del location >>> +""") >>> + >>> +register = Registry() >>> + >>> + >>> + at register() >>> +class location(LDAPObject): >>> + """ >>> + IPA locations >>> + """ >>> + container_dn = api.env.container_locations >>> + object_name = _('location') >>> + object_name_plural = _('locations') >>> + object_class = ['ipaLocationObject'] >>> + search_attributes = ['idnsName'] >>> + default_attributes = [ >>> + 'idnsname', 'description' >>> + ] >>> + label = _('IPA Locations') >>> + label_singular = _('IPA Location') >>> + >>> + permission_filter_objectclasses = ['ipaLocationObject'] >>> + managed_permissions = { >>> + 'System: Read IPA Locations': { >>> + 'ipapermright': {'read', 'search', 'compare'}, >>> + 'ipapermdefaultattr': { >>> + 'objectclass', 'idnsname', 'description', >>> + }, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Add IPA Locations': { >>> + 'ipapermright': {'add'}, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Remove IPA Locations': { >>> + 'ipapermright': {'delete'}, >>> + 
'default_privileges': {'DNS Administrators'}, >>> + }, >>> + 'System: Modify IPA Locations': { >>> + 'ipapermright': {'write'}, >>> + 'ipapermdefaultattr': { >>> + 'description', >>> + }, >>> + 'default_privileges': {'DNS Administrators'}, >>> + }, >>> + } >>> + >>> + takes_params = ( >>> + DNSNameParam( >>> + 'idnsname', >>> + cli_name='name', >>> + primary_key=True, >>> + label=_('Location name'), >>> + doc=_('IPA location name'), >>> + # dns name must be relative, we will put it into middle of >>> + # location domain name for location records >>> + only_relative=True, >>> + ), >>> + Str( >>> + 'description?', >>> + label=_('Description'), >>> + doc=_('IPA Location description'), >>> + ), >>> + ) >>> + >>> + def get_dn(self, *keys, **options): >>> + loc = keys[-1] >>> + assert isinstance(loc, DNSName) >>> + loc_a = loc.ToASCII() >>> + >>> + return super(location, self).get_dn(loc_a, **options) >>> + >>> + >>> + at register() >>> +class location_add(LDAPCreate): >>> + __doc__ = _('Add a new IPA location.') >>> + >>> + msg_summary = _('Added IPA location "%(value)s"') >>> + >>> + >>> + at register() >>> +class location_del(LDAPDelete): >>> + __doc__ = _('Delete an IPA location.') >>> + >>> + msg_summary = _('Deleted IPA location "%(value)s"') >>> + >>> + >>> + at register() >>> +class location_mod(LDAPUpdate): >>> + __doc__ = _('Modify information about an IPA location .') >> >> Typo - redundant ' ' at the end. >> >> >> Conditional NACK, warnings mentioned in >> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >> are not there. >> >> I'm open to changing this to ACK if you open a separate ticket for this >> omission so we do not forget to add them later on. > > +1 > > > Patch 480: > > 1) The code in location_show.execute() looks like it could be moved to > location_show.post_callback() > > > 2) Before calling super().output_for_cli(), pop 'servers' from result, > so that it is not displayed with --all. 
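Review bot: style point in the install/updates/37-locations.update hunk: the new lines are written `default: objectClass: nsContainer` with a space after `default:`, whereas the 40-delegation.update hunk in patch 0473 of this series writes `default:objectClass: top` with none; pick one spelling for the update files this series adds so they read consistently.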
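Review bot: in the ipalib/plugins/location.py hunk, `get_dn()` guards its input with `assert isinstance(loc, DNSName)`, which is compiled away when Python runs with `-O`; if a key that is not a DNSName is a real possibility, convert it or raise a proper error instead of asserting, and if it is not, a comment documenting the assumption is enough.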
> > > Patch 481: > > 1) Could we rename --force to --nonempty (or something better)? I > would like to reserve --force for "ignore NotFound when deleting the > entry", which is not the case here. > I tried to build freeIPA with your patches on Fedora 23 and I got the following pylint error: ************* Module ipalib.plugins.location ipalib/plugins/location.py:218: [W1619(old-division), location_show.execute] division w/o __future__ statement) Makefile:137: recipe for target 'lint' failed From mbasti at redhat.com Thu Jun 2 12:53:24 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 14:53:24 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: <41c6ee10-49c5-167b-0741-1db4434511a0@redhat.com> References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <41c6ee10-49c5-167b-0741-1db4434511a0@redhat.com> Message-ID: <12cb6e78-6d76-7498-d9b9-5cc632cfbbf0@redhat.com> On 02.06.2016 14:41, Pavel Vomacka wrote: > > On 06/02/2016 02:20 PM, Jan Cholasta wrote: >> On 2.6.2016 14:06, Petr Spacek wrote: >>> On 1.6.2016 18:00, Martin Basti wrote: >>>> >>>> >>>> updated patches attached >>>> >>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch >>>> >>>> >>>> >>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001 
>>>> From: Martin Basti >>>> Date: Wed, 4 May 2016 17:33:52 +0200 >>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related >>>> privileges >>>> >>>> DNS privileges are important for handling DNS locations which can be >>>> created without DNS servers in IPA topology. We will also need this >>>> privileges presented for future feature 'External DNS support' >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/share/delegation.ldif | 16 ++++++++++++++++ >>>> install/share/dns.ldif | 16 ---------------- >>>> install/updates/37-locations.update | 0 >>>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>>> 4 files changed, 32 insertions(+), 16 deletions(-) >>>> create mode 100644 install/updates/37-locations.update >>>> >>>> diff --git a/install/share/delegation.ldif >>>> b/install/share/delegation.ldif >>>> index >>>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>>> 100644 >>>> --- a/install/share/delegation.ldif >>>> +++ b/install/share/delegation.ldif >>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>>> cn: Delegation Administrator >>>> description: Role administration >>>> >>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> +changetype: add >>>> +objectClass: top >>>> +objectClass: groupofnames >>>> +objectClass: nestedgroup >>>> +cn: DNS Administrators >>>> +description: DNS Administrators >>>> + >>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> +changetype: add >>>> +objectClass: top >>>> +objectClass: groupofnames >>>> +objectClass: nestedgroup >>>> +cn: DNS Servers >>>> +description: DNS Servers >>>> + >>>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> changetype: add >>>> objectClass: top >>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>>> index >>>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>>> 100644 >>>> --- a/install/share/dns.ldif >>>> +++ b/install/share/dns.ldif 
>>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow >>>> read access"; allow (read,search >>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>> 3.0;acl "Add DNS entries in a zone";allow (add) userattr = >>>> "parent[1].managedby#GROUPDN";) >>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>> 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = >>>> "parent[1].managedby#GROUPDN";) >>>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || >>>> aplrecord || arecord || certrecord || cn || cnamerecord || >>>> dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || >>>> dsrecord || hinforecord || hiprecord || idnsallowdynupdate || >>>> idnsallowquery || idnsallowsyncptr || idnsallowtransfer || >>>> idnsforwarders || idnsforwardpolicy || idnsname || >>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || >>>> idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || >>>> idnssoaserial || idnsupdatepolicy || idnszoneactive || >>>> ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || >>>> minforecord || mxrecord || naptrrecord || nsecrecord || >>>> nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord >>>> || rrsigrecord || sigrecord || spfrecord || srvrecord || >>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = >>>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS >>>> entries in a zone";allow (write) userattr = "parent[0,1].managedby#! >> GROUPDN";) >>>> - >>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> -changetype: add >>>> -objectClass: top >>>> -objectClass: groupofnames >>>> -objectClass: nestedgroup >>>> -cn: DNS Administrators >>>> -description: DNS Administrators >>>> - >>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> -changetype: add >>>> -objectClass: top >>>> -objectClass: groupofnames >>>> -objectClass: nestedgroup >>>> -cn: DNS Servers >>>> -description: DNS Servers 
>>>> diff --git a/install/updates/37-locations.update >>>> b/install/updates/37-locations.update >>>> new file mode 100644 >>>> index >>>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>>> diff --git a/install/updates/40-delegation.update >>>> b/install/updates/40-delegation.update >>>> index >>>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>>> 100644 >>>> --- a/install/updates/40-delegation.update >>>> +++ b/install/updates/40-delegation.update >>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>>> default:objectClass: top >>>> default:cn: Vault Administrators >>>> default:description: Vault Administrators >>>> + >>>> + >>>> +# Locations - always create DNS related privileges >>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> +default:objectClass: top >>>> +default:objectClass: groupofnames >>>> +default:objectClass: nestedgroup >>>> +default:cn: DNS Administrators >>>> +default:description: DNS Administrators >>>> + >>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> +default:objectClass: top >>>> +default:objectClass: groupofnames >>>> +default:objectClass: nestedgroup >>>> +default:cn: DNS Servers >>>> +default:description: DNS Servers >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>>> >>>> >>>> >>>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Thu, 12 May 2016 10:53:37 +0200 >>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and >>>> objectclasses >>>> >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/share/60ipadns.ldif | 4 ++++ >>>> 1 file changed, 4 insertions(+) 
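Review bot: in the install/updates/37-locations.update hunk of patch 0473, the file is created empty (`new file mode 100644`, the e69de29… blob) and is neither listed in install/updates/Makefile.am nor given any content until patch 0475; moving the file creation into the patch that populates it keeps patch 0473 self-contained and avoids an empty, uninstalled update file if the series is only partially applied.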
>>>> >>>> diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif >>>> index >>>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>>> 100644 >>>> --- a/install/share/60ipadns.ldif >>>> +++ b/install/share/60ipadns.ldif 
>>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME >>>> 'idnsSecKeySep' DESC 'DNSKEY S >>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME >>>> 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as mnemonic' >>>> EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch >>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA >>>> v4.1' ) >>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' >>>> DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE >>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' >>>> DESC 'IPA DNS data version' EQUALITY integerMatch ORDERING >>>> integerOrderingMatch SINGLE-VALUE SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' >>>> DESC 'Reference to IPA location' EQUALITY distinguishedNameMatch >>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA >>>> v4.4' ) >>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME >>>> 'ipaLocationWeight' DESC 'Weight for the server in IPA location' >>>> EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 >>>> SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC >>>> 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( >>>> cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord >>>> $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ >>>> tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ mInfoRecord $ >>>> aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ nXTRecord $ >>>> nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ dSRecord $ >>>> sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ TLSARecord $ >>>> UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ DHCIDRecord >>>> $ HIPRecord $ SPFRecord ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 
NAME 'idnsZone' DESC >>>> 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ >>>> idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ >>>> idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( >>>> idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ >>>> idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ >>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' >>>> DESC 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy >>>> $ idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ >>>> idnsPersistentSearch ) ) >>>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME >>>> 'ipaDNSZone' SUP top AUXILIARY >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' >>>> DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ >>>> idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC >>>> 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ >>>> idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ >>>> idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ >>>> idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN >>>> 'IPA v4.1' ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME >>>> 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( >>>> ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) >>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME >>>> 'ipaLocationObject' DESC 'Object for storing IPA server location' >>>> STRUCTURAL MUST ( idnsName ) MAY ( description ) X-ORIGIN 'IPA v4.4' ) >>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME >>>> 'ipaLocationMember' DESC 'Member object of IPA location' AUXILIARY >>>> MAY ( ipaLocation $ ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>>> 
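Review bot: in the first 60ipadns.ldif hunk, `ipaLocationWeight` is declared with `EQUALITY integerMatch` only, whereas `ipaDNSVersion` in the context lines just above also declares `ORDERING integerOrderingMatch`; if server weights will ever be compared or range-filtered in LDAP, declare the ordering rule now rather than in a later schema update.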
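Review bot: in the second 60ipadns.ldif hunk, `ipaLocationMember` carries `ipaLocation`, a DN-syntax (1.3.6.1.4.1.1466.115.121.1.12) reference to an `ipaLocationObject` entry, and patch 0475 adds a location-del command that removes such entries; the series should state how dangling references are prevented, for example by covering `ipaLocation` in 25-referint.update or by refusing to delete a location that still has members.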
>>>> >>>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Thu, 12 May 2016 10:54:20 +0200 >>>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>>> >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> ACI.txt | 8 ++ >>>> API.txt | 59 ++++++++++++++ >>>> VERSION | 4 +- >>>> install/share/bootstrap-template.ldif | 6 ++ >>>> install/updates/37-locations.update | 4 + >>>> install/updates/Makefile.am | 1 + >>>> ipalib/constants.py | 1 + >>>> ipalib/plugins/location.py | 149 >>>> ++++++++++++++++++++++++++++++++++ >>>> 8 files changed, 230 insertions(+), 2 deletions(-) >>>> create mode 100644 ipalib/plugins/location.py >>>> >>>> diff --git a/ACI.txt b/ACI.txt >>>> index >>>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>>> 100644 >>>> --- a/ACI.txt >>>> +++ b/ACI.txt 
>>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>>> aci: (targetattr = "createtimestamp || entryusn || >>>> krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || >>>> krbsupportedencsalttypes || modifytimestamp || >>>> objectclass")(targetfilter = >>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>> "permission:System: Read Default Kerberos Ticket Policy";allow >>>> (compare,read,search) groupdn = "ldap:///cn=System: Read Default >>>> Kerberos Ticket >>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>>> aci: (targetattr = "krbmaxrenewableage || >>>> krbmaxticketlife")(targetfilter = >>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>> "permission:System: Read User Kerberos Ticket Policy";allow >>>> (compare,read,search) groupdn = "ldap:///cn=System: Read User >>>> Kerberos Ticket >>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>> 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn >>>> = "ldap:///cn=System: Add IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetattr = "description")(targetfilter = >>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>> "permission:System: Modify IPA Locations";allow (write) groupdn = >>>> "ldap:///cn=System: Modify IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetattr = "createtimestamp || description || entryusn || >>>> idnsname || modifytimestamp || objectclass")(targetfilter = >>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>> "permission:System: Read IPA Locations";allow (compare,read,search) >>>> groupdn = "ldap:///cn=System: Read IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: 
cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>> 3.0;acl "permission:System: Remove IPA Locations";allow (delete) >>>> groupdn = "ldap:///cn=System: Remove IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version >>>> 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = >>>> "ldap:///cn=System: Add >>>> Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>> diff --git a/API.txt b/API.txt >>>> index >>>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>>> 100644 >>>> --- a/API.txt >>>> +++ b/API.txt 
>>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>>> output: Entry('result') >>>> output: Output('summary', type=[, ]) >>>> output: PrimaryKey('value') >>>> +command: location_add >>>> +args: 1,6,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Str('addattr*', cli_name='addattr') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('description?') >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Str('setattr*', cli_name='setattr') >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> +command: location_del >>>> +args: 1,2,3 >>>> +arg: DNSNameParam('idnsname+', cli_name='name') >>>> +option: Flag('continue', autofill=True, cli_name='continue', >>>> default=False) >>>> +option: Str('version?') >>>> +output: Output('result', type=[]) >>>> +output: Output('summary', type=[, ]) >>>> +output: ListOfPrimaryKeys('value') >>>> +command: location_find >>>> +args: 1,8,4 >>>> +arg: Str('criteria?') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('description?', autofill=False) >>>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>>> +option: Flag('pkey_only?', autofill=True, default=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Int('sizelimit?', autofill=False) >>>> +option: Int('timelimit?', autofill=False) >>>> +option: Str('version?') >>>> +output: Output('count', type=[]) >>>> +output: ListOfEntries('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: Output('truncated', type=[]) >>>> +command: location_mod >>>> +args: 1,8,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Str('addattr*', cli_name='addattr') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('delattr*', cli_name='delattr') >>>> +option: 
Str('description?', autofill=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Flag('rights', autofill=True, default=False) >>>> +option: Str('setattr*', cli_name='setattr') >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> +command: location_show >>>> +args: 1,4,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Flag('rights', autofill=True, default=False) >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> command: migrate_ds >>>> args: 2,20,4 >>>> arg: Str('ldapuri', cli_name='ldap_uri') >>>> diff --git a/VERSION b/VERSION >>>> index >>>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>>> 100644 >>>> --- a/VERSION >>>> +++ b/VERSION >>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>>> # # >>>> ######################################################## >>>> IPA_API_VERSION_MAJOR=2 >>>> -IPA_API_VERSION_MINOR=170 >>>> -# Last change: mbasti - *-find: do not search for members by default >>>> +IPA_API_VERSION_MINOR=171 >>>> +# Last change: mbasti - location-* commands >>>> diff --git a/install/share/bootstrap-template.ldif >>>> b/install/share/bootstrap-template.ldif >>>> index >>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>>> 100644 >>>> --- a/install/share/bootstrap-template.ldif >>>> +++ b/install/share/bootstrap-template.ldif 
>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>>> objectClass: top >>>> cn: etc >>>> >>>> +dn: cn=locations,cn=etc,$SUFFIX >>>> +changetype: add >>>> +objectClass: nsContainer >>>> +objectClass: top >>>> +cn: locations >>>> + >>>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>>> changetype: add >>>> objectClass: nsContainer >>>> diff --git a/install/updates/37-locations.update >>>> b/install/updates/37-locations.update >>>> index >>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>>> 100644 >>>> --- a/install/updates/37-locations.update >>>> +++ b/install/updates/37-locations.update >>>> @@ -0,0 +1,4 @@ >>>> +dn: cn=locations,cn=etc,$SUFFIX >>>> +default: objectClass: nsContainer >>>> +default: objectClass: top >>>> +default: cn: locations >>>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >>>> index >>>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>>> 100644 >>>> --- a/install/updates/Makefile.am >>>> +++ b/install/updates/Makefile.am >>>> @@ -28,6 +28,7 @@ app_DATA = \ >>>> 25-referint.update \ >>>> 30-provisioning.update \ >>>> 30-s4u2proxy.update \ >>>> + 37-locations.update \ >>>> 40-delegation.update \ >>>> 40-realm_domains.update \ >>>> 40-replication.update \ >>>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>>> index >>>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>>> 100644 >>>> --- a/ipalib/constants.py >>>> +++ b/ipalib/constants.py >>>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', >>>> 'ca'))), >>>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), >>>> ('cn', 'etc'))), >>>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>>> >>>> # Ports, hosts, and URIs: >>>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
>>>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>>> new file mode 100644 >>>> index >>>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>>> --- /dev/null >>>> +++ b/ipalib/plugins/location.py 
>>>> @@ -0,0 +1,149 @@ >>>> +# >>>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>>> +# >>>> + >>>> +from __future__ import absolute_import >>>> + >>>> +from ipalib import ( >>>> + _, >>>> + ngettext, >>>> + api, >>>> + Str, >>>> + DNSNameParam >>>> +) >>>> +from ipalib.plugable import Registry >>>> +from ipalib.plugins.baseldap import ( >>>> + LDAPCreate, >>>> + LDAPSearch, >>>> + LDAPRetrieve, >>>> + LDAPDelete, >>>> + LDAPObject, >>>> + LDAPUpdate, >>>> +) >>>> +from ipapython.dnsutil import DNSName >>>> + >>>> +__doc__ = _(""" >>>> +IPA locations >>>> +""") + _(""" >>>> +Manipulate DNS locations >>>> +""") + _(""" >>>> +EXAMPLES: >>>> +""") + _(""" >>>> + Find all locations: >>>> + ipa location-find >>>> +""") + _(""" >>>> + Show specific location: >>>> + ipa location-show location >>>> +""") + _(""" >>>> + Add location: >>>> + ipa location-add location --description 'My location' >>>> +""") + _(""" >>>> + Delete location: >>>> + ipa location-del location >>>> +""") >>>> + >>>> +register = Registry() >>>> + >>>> + >>>> + at register() >>>> +class location(LDAPObject): >>>> + """ >>>> + IPA locations >>>> + """ >>>> + container_dn = api.env.container_locations >>>> + object_name = _('location') >>>> + object_name_plural = _('locations') >>>> + object_class = ['ipaLocationObject'] >>>> + search_attributes = ['idnsName'] >>>> + default_attributes = [ >>>> + 'idnsname', 'description' >>>> + ] >>>> + label = _('IPA Locations') >>>> + label_singular = _('IPA Location') >>>> + >>>> + permission_filter_objectclasses = ['ipaLocationObject'] >>>> + managed_permissions = { >>>> + 'System: Read IPA Locations': { >>>> + 'ipapermright': {'read', 'search', 'compare'}, >>>> + 'ipapermdefaultattr': { >>>> + 'objectclass', 'idnsname', 'description', >>>> + }, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + 'System: Add IPA Locations': { >>>> + 'ipapermright': {'add'}, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> 
+ 'System: Remove IPA Locations': { >>>> + 'ipapermright': {'delete'}, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + 'System: Modify IPA Locations': { >>>> + 'ipapermright': {'write'}, >>>> + 'ipapermdefaultattr': { >>>> + 'description', >>>> + }, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + } >>>> + >>>> + takes_params = ( >>>> + DNSNameParam( >>>> + 'idnsname', >>>> + cli_name='name', >>>> + primary_key=True, >>>> + label=_('Location name'), >>>> + doc=_('IPA location name'), >>>> + # dns name must be relative, we will put it into >>>> middle of >>>> + # location domain name for location records >>>> + only_relative=True, >>>> + ), >>>> + Str( >>>> + 'description?', >>>> + label=_('Description'), >>>> + doc=_('IPA Location description'), >>>> + ), >>>> + ) >>>> + >>>> + def get_dn(self, *keys, **options): >>>> + loc = keys[-1] >>>> + assert isinstance(loc, DNSName) >>>> + loc_a = loc.ToASCII() >>>> + >>>> + return super(location, self).get_dn(loc_a, **options) >>>> + >>>> + >>>> + at register() >>>> +class location_add(LDAPCreate): >>>> + __doc__ = _('Add a new IPA location.') >>>> + >>>> + msg_summary = _('Added IPA location "%(value)s"') >>>> + >>>> + >>>> + at register() >>>> +class location_del(LDAPDelete): >>>> + __doc__ = _('Delete an IPA location.') >>>> + >>>> + msg_summary = _('Deleted IPA location "%(value)s"') >>>> + >>>> + >>>> + at register() >>>> +class location_mod(LDAPUpdate): >>>> + __doc__ = _('Modify information about an IPA location .') >>> >>> Typo - redundant ' ' at the end. >>> >>> >>> Conditional NACK, warnings mentioned in >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >>> are not there. >>> >>> I'm open to changing this to ACK if you open a separate ticket for this >>> omission so we do not forget to add them later on. 
>>
>> +1
>>
>>
>> Patch 480:
>>
>> 1) The code in location_show.execute() looks like it could be moved
>> to location_show.post_callback()
>>
>>
>> 2) Before calling super().output_for_cli(), pop 'servers' from
>> result, so that it is not displayed with --all.
>>
>>
>> Patch 481:
>>
>> 1) Could we rename --force to --nonempty (or something better)? I
>> would like to reserve --force for "ignore NotFound when deleting the
>> entry", which is not the case here.
>>
>
> I tried to build freeIPA with your patches on Fedora 23 and I got the
> following pylint error:
> ************* Module ipalib.plugins.location
> ipalib/plugins/location.py:218: [W1619(old-division),
> location_show.execute] division w/o __future__ statement)
> Makefile:137: recipe for target 'lint' failed
>
This is a bug in older pylint; I have that import there and I don't see this with pylint on F24. I will put # pylint: disable=old-division there to unblock the build on F23.

From frenaud at redhat.com Thu Jun 2 12:58:57 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Thu, 2 Jun 2016 14:58:57 +0200
Subject: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
Message-ID: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com>

Hi,

this patch modifies ipa-replica-conncheck when it performs the SSH connection to the master, so that the username is always fully qualified.

https://fedorahosted.org/freeipa/ticket/5812

--
Florence Blanc-Renaud
Identity Management Team, Red Hat
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-frenaud-0005-Always-qualify-requests-for-admin-in-ipa-replica-con.patch
Type: text/x-patch
Size: 2298 bytes
Desc: not available
URL:

From jcholast at redhat.com Thu Jun 2 13:03:22 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 2 Jun 2016 15:03:22 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> Message-ID: <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com> On 2.6.2016 14:39, Petr Spacek wrote: > On 2.6.2016 14:20, Jan Cholasta wrote: >> On 2.6.2016 14:06, Petr Spacek wrote: >>> On 1.6.2016 18:00, Martin Basti wrote: >>>> >>>> >>>> updated patches attached >>>> >>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch >>>> >>>> >>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001 
>>>> From: Martin Basti >>>> Date: Wed, 4 May 2016 17:33:52 +0200 >>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges >>>> >>>> DNS privileges are important for handling DNS locations which can be >>>> created without DNS servers in IPA topology. We will also need this >>>> privileges presented for future feature 'External DNS support' >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/share/delegation.ldif | 16 ++++++++++++++++ >>>> install/share/dns.ldif | 16 ---------------- >>>> install/updates/37-locations.update | 0 >>>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>>> 4 files changed, 32 insertions(+), 16 deletions(-) >>>> create mode 100644 install/updates/37-locations.update >>>> >>>> diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif >>>> index >>>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>>> 100644 >>>> --- a/install/share/delegation.ldif >>>> +++ b/install/share/delegation.ldif >>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>>> cn: Delegation Administrator >>>> description: Role administration >>>> >>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> +changetype: add >>>> +objectClass: top >>>> +objectClass: groupofnames >>>> +objectClass: nestedgroup >>>> +cn: DNS Administrators >>>> +description: DNS Administrators >>>> + >>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> +changetype: add >>>> +objectClass: top >>>> +objectClass: groupofnames >>>> +objectClass: nestedgroup >>>> +cn: DNS Servers >>>> +description: DNS Servers >>>> + >>>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> changetype: add >>>> objectClass: top >>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>>> index >>>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>>> 100644 >>>> --- a/install/share/dns.ldif >>>> +++ b/install/share/dns.ldif 
>>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read >>>> access"; allow (read,search >>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add >>>> DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";) >>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>>> "Remove DNS entries from a zone";allow (delete) userattr = >>>> "parent[1].managedby#GROUPDN";) >>>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || >>>> arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || >>>> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord >>>> || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || >>>> idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || >>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || >>>> idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || >>>> idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || >>>> kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord >>>> || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || >>>> rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || >>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = >>>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in >>>> a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >>>> - >>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> -changetype: add >>>> -objectClass: top >>>> -objectClass: groupofnames >>>> -objectClass: nestedgroup >>>> -cn: DNS Administrators >>>> -description: DNS Administrators >>>> - >>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> -changetype: add >>>> -objectClass: top >>>> -objectClass: groupofnames >>>> -objectClass: nestedgroup >>>> -cn: DNS Servers >>>> -description: DNS Servers 
>>>> diff --git a/install/updates/37-locations.update >>>> b/install/updates/37-locations.update >>>> new file mode 100644 >>>> index >>>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>>> >>>> diff --git a/install/updates/40-delegation.update >>>> b/install/updates/40-delegation.update >>>> index >>>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>>> 100644 >>>> --- a/install/updates/40-delegation.update >>>> +++ b/install/updates/40-delegation.update >>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>>> default:objectClass: top >>>> default:cn: Vault Administrators >>>> default:description: Vault Administrators >>>> + >>>> + >>>> +# Locations - always create DNS related privileges >>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>> +default:objectClass: top >>>> +default:objectClass: groupofnames >>>> +default:objectClass: nestedgroup >>>> +default:cn: DNS Administrators >>>> +default:description: DNS Administrators >>>> + >>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>> +default:objectClass: top >>>> +default:objectClass: groupofnames >>>> +default:objectClass: nestedgroup >>>> +default:cn: DNS Servers >>>> +default:description: DNS Servers >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>>> >>>> >>>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Thu, 12 May 2016 10:53:37 +0200 >>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and objectclasses >>>> >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/share/60ipadns.ldif | 4 ++++ >>>> 1 file changed, 4 insertions(+) 
>>>> >>>> diff --git a/install/share/60ipadns.ldif b/install/share/60ipadns.ldif >>>> index >>>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>>> 100644 >>>> --- a/install/share/60ipadns.ldif >>>> +++ b/install/share/60ipadns.ldif 
>>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME >>>> 'idnsSecKeySep' DESC 'DNSKEY S >>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME 'idnsSecAlgorithm' DESC >>>> 'DNSKEY algorithm: string used as mnemonic' EQUALITY caseIgnoreIA5Match >>>> SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >>>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' DESC >>>> 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME 'ipaDNSVersion' DESC >>>> 'IPA DNS data version' EQUALITY integerMatch ORDERING integerOrderingMatch >>>> SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC >>>> 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME 'ipaLocationWeight' DESC >>>> 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX >>>> 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC 'dns >>>> Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ >>>> idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ a6Record $ >>>> nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ mXRecord $ >>>> mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord >>>> $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord >>>> $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ >>>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ >>>> DHCIDRecord $ HIPRecord $ SPFRecord ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone 
>>>> class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ idnsSOAmName $ >>>> idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ >>>> idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ idnsAllowQuery $ >>>> idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ >>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME 'idnsConfigObject' DESC >>>> 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ >>>> idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ idnsPersistentSearch ) ) >>>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME >>>> 'ipaDNSZone' SUP top AUXILIARY >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' DESC >>>> 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ idnsZoneActive ) >>>> MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC 'DNSSEC >>>> key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ >>>> idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ >>>> idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ idnsSecKeyRevoke $ >>>> idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) >>>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME 'ipaDNSContainer' DESC >>>> 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) >>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME 'ipaLocationObject' DESC >>>> 'Object for storing IPA server location' STRUCTURAL MUST ( idnsName ) MAY ( >>>> description ) X-ORIGIN 'IPA v4.4' ) >>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME 'ipaLocationMember' DESC >>>> 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ >>>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>>> >>>> >>>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 2001 
>>>> From: Martin Basti >>>> Date: Thu, 12 May 2016 10:54:20 +0200 >>>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>>> >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> ACI.txt | 8 ++ >>>> API.txt | 59 ++++++++++++++ >>>> VERSION | 4 +- >>>> install/share/bootstrap-template.ldif | 6 ++ >>>> install/updates/37-locations.update | 4 + >>>> install/updates/Makefile.am | 1 + >>>> ipalib/constants.py | 1 + >>>> ipalib/plugins/location.py | 149 >>>> ++++++++++++++++++++++++++++++++++ >>>> 8 files changed, 230 insertions(+), 2 deletions(-) >>>> create mode 100644 ipalib/plugins/location.py >>>> >>>> diff --git a/ACI.txt b/ACI.txt >>>> index >>>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>>> 100644 >>>> --- a/ACI.txt >>>> +++ b/ACI.txt 
>>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>>> aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes >>>> || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || >>>> modifytimestamp || objectclass")(targetfilter = >>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: >>>> Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = >>>> "ldap:///cn=System: Read Default Kerberos Ticket >>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>>> aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter >>>> = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: >>>> Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = >>>> "ldap:///cn=System: Read User Kerberos Ticket >>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl >>>> "permission:System: Add IPA Locations";allow (add) groupdn = >>>> "ldap:///cn=System: Add IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetattr = "description")(targetfilter = >>>> "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: >>>> Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: Modify >>>> IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetattr = "createtimestamp || description || entryusn || idnsname >>>> || modifytimestamp || objectclass")(targetfilter = >>>> "(objectclass=ipaLocationObject)")(version 3.0;acl "permission:System: Read >>>> IPA Locations";allow (compare,read,search) groupdn = "ldap:///cn=System: >>>> Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> +dn: 
cn=locations,cn=etc,dc=ipa,dc=example >>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version 3.0;acl >>>> "permission:System: Remove IPA Locations";allow (delete) groupdn = >>>> "ldap:///cn=System: Remove IPA >>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl >>>> "permission:System: Add Netgroups";allow (add) groupdn = >>>> "ldap:///cn=System: Add Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>> diff --git a/API.txt b/API.txt >>>> index >>>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>>> 100644 >>>> --- a/API.txt >>>> +++ b/API.txt 
>>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>>> output: Entry('result') >>>> output: Output('summary', type=[, ]) >>>> output: PrimaryKey('value') >>>> +command: location_add >>>> +args: 1,6,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Str('addattr*', cli_name='addattr') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('description?') >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Str('setattr*', cli_name='setattr') >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> +command: location_del >>>> +args: 1,2,3 >>>> +arg: DNSNameParam('idnsname+', cli_name='name') >>>> +option: Flag('continue', autofill=True, cli_name='continue', default=False) >>>> +option: Str('version?') >>>> +output: Output('result', type=[]) >>>> +output: Output('summary', type=[, ]) >>>> +output: ListOfPrimaryKeys('value') >>>> +command: location_find >>>> +args: 1,8,4 >>>> +arg: Str('criteria?') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('description?', autofill=False) >>>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>>> +option: Flag('pkey_only?', autofill=True, default=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Int('sizelimit?', autofill=False) >>>> +option: Int('timelimit?', autofill=False) >>>> +option: Str('version?') >>>> +output: Output('count', type=[]) >>>> +output: ListOfEntries('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: Output('truncated', type=[]) >>>> +command: location_mod >>>> +args: 1,8,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Str('addattr*', cli_name='addattr') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Str('delattr*', cli_name='delattr') >>>> +option: 
Str('description?', autofill=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Flag('rights', autofill=True, default=False) >>>> +option: Str('setattr*', cli_name='setattr') >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> +command: location_show >>>> +args: 1,4,3 >>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>> +option: Flag('rights', autofill=True, default=False) >>>> +option: Str('version?') >>>> +output: Entry('result') >>>> +output: Output('summary', type=[, ]) >>>> +output: PrimaryKey('value') >>>> command: migrate_ds >>>> args: 2,20,4 >>>> arg: Str('ldapuri', cli_name='ldap_uri') >>>> diff --git a/VERSION b/VERSION >>>> index >>>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>>> 100644 >>>> --- a/VERSION >>>> +++ b/VERSION >>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>>> # # >>>> ######################################################## >>>> IPA_API_VERSION_MAJOR=2 >>>> -IPA_API_VERSION_MINOR=170 >>>> -# Last change: mbasti - *-find: do not search for members by default >>>> +IPA_API_VERSION_MINOR=171 >>>> +# Last change: mbasti - location-* commands >>>> diff --git a/install/share/bootstrap-template.ldif >>>> b/install/share/bootstrap-template.ldif >>>> index >>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>>> 100644 >>>> --- a/install/share/bootstrap-template.ldif >>>> +++ b/install/share/bootstrap-template.ldif 
>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>>> objectClass: top >>>> cn: etc >>>> >>>> +dn: cn=locations,cn=etc,$SUFFIX >>>> +changetype: add >>>> +objectClass: nsContainer >>>> +objectClass: top >>>> +cn: locations >>>> + >>>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>>> changetype: add >>>> objectClass: nsContainer >>>> diff --git a/install/updates/37-locations.update >>>> b/install/updates/37-locations.update >>>> index >>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>>> 100644 >>>> --- a/install/updates/37-locations.update >>>> +++ b/install/updates/37-locations.update >>>> @@ -0,0 +1,4 @@ >>>> +dn: cn=locations,cn=etc,$SUFFIX >>>> +default: objectClass: nsContainer >>>> +default: objectClass: top >>>> +default: cn: locations >>>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >>>> index >>>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>>> 100644 >>>> --- a/install/updates/Makefile.am >>>> +++ b/install/updates/Makefile.am >>>> @@ -28,6 +28,7 @@ app_DATA = \ >>>> 25-referint.update \ >>>> 30-provisioning.update \ >>>> 30-s4u2proxy.update \ >>>> + 37-locations.update \ >>>> 40-delegation.update \ >>>> 40-realm_domains.update \ >>>> 40-replication.update \ >>>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>>> index >>>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>>> 100644 >>>> --- a/ipalib/constants.py >>>> +++ b/ipalib/constants.py >>>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))), >>>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', >>>> 'etc'))), >>>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>>> >>>> # Ports, hosts, and URIs: >>>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
>>>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>>> new file mode 100644 >>>> index >>>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>>> >>>> --- /dev/null >>>> +++ b/ipalib/plugins/location.py 
>>>> @@ -0,0 +1,149 @@ >>>> +# >>>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>>> +# >>>> + >>>> +from __future__ import absolute_import >>>> + >>>> +from ipalib import ( >>>> + _, >>>> + ngettext, >>>> + api, >>>> + Str, >>>> + DNSNameParam >>>> +) >>>> +from ipalib.plugable import Registry >>>> +from ipalib.plugins.baseldap import ( >>>> + LDAPCreate, >>>> + LDAPSearch, >>>> + LDAPRetrieve, >>>> + LDAPDelete, >>>> + LDAPObject, >>>> + LDAPUpdate, >>>> +) >>>> +from ipapython.dnsutil import DNSName >>>> + >>>> +__doc__ = _(""" >>>> +IPA locations >>>> +""") + _(""" >>>> +Manipulate DNS locations >>>> +""") + _(""" >>>> +EXAMPLES: >>>> +""") + _(""" >>>> + Find all locations: >>>> + ipa location-find >>>> +""") + _(""" >>>> + Show specific location: >>>> + ipa location-show location >>>> +""") + _(""" >>>> + Add location: >>>> + ipa location-add location --description 'My location' >>>> +""") + _(""" >>>> + Delete location: >>>> + ipa location-del location >>>> +""") >>>> + >>>> +register = Registry() >>>> + >>>> + >>>> + at register() >>>> +class location(LDAPObject): >>>> + """ >>>> + IPA locations >>>> + """ >>>> + container_dn = api.env.container_locations >>>> + object_name = _('location') >>>> + object_name_plural = _('locations') >>>> + object_class = ['ipaLocationObject'] >>>> + search_attributes = ['idnsName'] >>>> + default_attributes = [ >>>> + 'idnsname', 'description' >>>> + ] >>>> + label = _('IPA Locations') >>>> + label_singular = _('IPA Location') >>>> + >>>> + permission_filter_objectclasses = ['ipaLocationObject'] >>>> + managed_permissions = { >>>> + 'System: Read IPA Locations': { >>>> + 'ipapermright': {'read', 'search', 'compare'}, >>>> + 'ipapermdefaultattr': { >>>> + 'objectclass', 'idnsname', 'description', >>>> + }, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + 'System: Add IPA Locations': { >>>> + 'ipapermright': {'add'}, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> 
+ 'System: Remove IPA Locations': { >>>> + 'ipapermright': {'delete'}, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + 'System: Modify IPA Locations': { >>>> + 'ipapermright': {'write'}, >>>> + 'ipapermdefaultattr': { >>>> + 'description', >>>> + }, >>>> + 'default_privileges': {'DNS Administrators'}, >>>> + }, >>>> + } >>>> + >>>> + takes_params = ( >>>> + DNSNameParam( >>>> + 'idnsname', >>>> + cli_name='name', >>>> + primary_key=True, >>>> + label=_('Location name'), >>>> + doc=_('IPA location name'), >>>> + # dns name must be relative, we will put it into middle of >>>> + # location domain name for location records >>>> + only_relative=True, >>>> + ), >>>> + Str( >>>> + 'description?', >>>> + label=_('Description'), >>>> + doc=_('IPA Location description'), >>>> + ), >>>> + ) >>>> + >>>> + def get_dn(self, *keys, **options): >>>> + loc = keys[-1] >>>> + assert isinstance(loc, DNSName) >>>> + loc_a = loc.ToASCII() >>>> + >>>> + return super(location, self).get_dn(loc_a, **options) >>>> + >>>> + >>>> + at register() >>>> +class location_add(LDAPCreate): >>>> + __doc__ = _('Add a new IPA location.') >>>> + >>>> + msg_summary = _('Added IPA location "%(value)s"') >>>> + >>>> + >>>> + at register() >>>> +class location_del(LDAPDelete): >>>> + __doc__ = _('Delete an IPA location.') >>>> + >>>> + msg_summary = _('Deleted IPA location "%(value)s"') >>>> + >>>> + >>>> + at register() >>>> +class location_mod(LDAPUpdate): >>>> + __doc__ = _('Modify information about an IPA location .') >>> >>> Typo - redundant ' ' at the end. >>> >>> >>> Conditional NACK, warnings mentioned in >>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >>> are not there. >>> >>> I'm open to changing this to ACK if you open a separate ticket for this >>> omission so we do not forget to add them later on. 
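Review bot: In patch 1/4, install/updates/37-locations.update is created as an empty file (index 0000000..e69de29, no hunk) and nothing references it until patch 3/4 adds both its content and the install/updates/Makefile.am entry, so the file sits in the tree uninstalled between the two commits; either drop the creation from patch 1/4 or move the Makefile.am line into this commit so the file is installed from the commit that introduces it.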
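Review bot: In the 60ipadns.ldif attributeTypes hunk of patch 2/4, ipaLocationWeight (2.16.840.1.113730.3.8.5.33) is declared with EQUALITY integerMatch only, while ipaDNSVersion directly above it also carries ORDERING integerOrderingMatch; without an ordering rule the server cannot evaluate >= or <= filters on the weight, so if weights are ever to be compared or sorted server-side, add ORDERING integerOrderingMatch now, because a shipped schema definition is much harder to change later.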
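Review bot: The install/updates/37-locations.update hunk in patch 3/4 writes "default: objectClass: nsContainer" with a space after "default:", whereas the 40-delegation.update hunk in patch 1/4 uses "default:objectClass: ..." without one; please use the same form in both, and if the space stays, confirm that the updater's line parser accepts it, since on upgraded servers the cn=locations container is created only through this file (new installs get it from bootstrap-template.ldif).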
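Review bot: In the location.py hunk of patch 3/4, 'System: Read IPA Locations' is granted only to 'DNS Administrators' by default, yet server entries will point at location entries through the ipaLocation DN attribute from patch 2/4, so whatever follows that reference (the 'servers' output that patch 480 adds to location-show, the code generating the per-location records the idnsname comment mentions) would need read access without being a DNS administrator; please either widen the read permission or say in the commit message why it is restricted. Two smaller points in the same hunk: get_dn guards the key with "assert isinstance(loc, DNSName)", which vanishes under python -O and duplicates the type check DNSNameParam already performs, so drop it or raise a proper error; and ngettext, LDAPSearch and LDAPRetrieve are imported but unused in the quoted part of the file, so make sure the location_find/location_show classes later in the file actually need all three or pylint will flag them.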
>>
>> +1
>>
>>
>> Patch 480:
>>
>> 1) The code in location_show.execute() looks like it could be moved to
>> location_show.post_callback()
>>
>>
>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so that
>> it is not displayed with --all.
>>
>>
>> Patch 481:
>>
>> 1) Could we rename --force to --nonempty (or something better)? I would like
>> to reserve --force for "ignore NotFound when deleting the entry", which is not
>> the case here.
>
> IMHO the option is unnecessary. Just delete the location (and unset the location from
> all member servers). The design does not contain --force anyway :-)

OK, that's even better :-)

--
Jan Cholasta

From slaznick at redhat.com Thu Jun 2 14:02:53 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 2 Jun 2016 16:02:53 +0200
Subject: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf
Message-ID: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com>

Hello,

In this patch I am adding the mapping = to krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0040-Added-my_hostname-IPA-REALM-mapping-to-krb5.conf.patch
Type: text/x-patch
Size: 2841 bytes
Desc: not available
URL:

From placko at redhat.com Thu Jun 2 14:16:30 2016
From: placko at redhat.com (Peter Lacko)
Date: Thu, 2 Jun 2016 10:16:30 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH] 0002 New User Role Tests
In-Reply-To:
References: <1698677244.50966760.1462789150686.JavaMail.zimbra@redhat.com> <19bc3a86-8e60-f023-6bab-b807a3d03364@redhat.com> <651798515.57202911.1464860977307.JavaMail.zimbra@redhat.com>
Message-ID: <479389298.57290567.1464876990869.JavaMail.zimbra@redhat.com>

Rebased with updated tests.

Peter

----- Original Message -----
From: "Martin Basti" 
To: "Peter Lacko" 
Cc: freeipa-devel at redhat.com
Sent: Thursday, June 2, 2016 1:50:06 PM
Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests

Your patch doesn't apply anymore on master, there were changes in role test
and the patch has to be updated and rebased

Please look at this for new changes in test_role_plugin.py
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=5f42b42bd4557a669ab5cfcf1af6596f1a2535f1

Martin^2

On 02.06.2016 11:49, Peter Lacko wrote:
> Sorry for the late response, I wasn't working these days.
> Fixed patch is in attachment.
>
> Peter
>
>
> ----- Original Message -----
> From: "Martin Basti" 
> To: "Peter Lacko" , freeipa-devel at redhat.com
> Sent: Monday, May 9, 2016 1:06:08 PM
> Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests
>
>
>
> On 09.05.2016 13:04, Martin Basti wrote:
>>
>> On 09.05.2016 12:19, Peter Lacko wrote:
>>> +# pylint: disable=unicode-builtin
>> I'm not doing complete review, just the line above hit my eyes.
>>
>> unicode() is not in Py3 because all strings there are unicode, thus
>> you cannot use it directly, you need something like
>>
>> if six.PY2:
>>     str = unicode
>>
>> and use str() everywhere and remove that #pylint line
>>
>> FYI all enabled pylint checks are there for a good reason, be careful
>> with disabling it (mainly disabling it for a whole module) rather ask
>> before if you are not sure.
>>
>> Martin^2
>>
> Nope, sorry, I temporarily forgot how to python
>
> instead of pylint disable use this
>
> if six.PY3:
>     unicode = str
>
> and keep unicode there. Sorry
>
> Martin^2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-placko-0002-3-New-User-Role-Tests.patch
Type: text/x-patch
Size: 72254 bytes
Desc: not available
URL: 

From mbasti at redhat.com Thu Jun 2 14:16:32 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 16:16:32 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: <12cb6e78-6d76-7498-d9b9-5cc632cfbbf0@redhat.com> References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <41c6ee10-49c5-167b-0741-1db4434511a0@redhat.com> <12cb6e78-6d76-7498-d9b9-5cc632cfbbf0@redhat.com> Message-ID: On 02.06.2016 14:53, Martin Basti wrote: > > > On 02.06.2016 14:41, Pavel Vomacka wrote: >> >> On 06/02/2016 02:20 PM, Jan Cholasta wrote: >>> On 2.6.2016 14:06, Petr Spacek wrote: >>>> On 1.6.2016 18:00, Martin Basti wrote: >>>>> >>>>> >>>>> updated patches attached >>>>> >>>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch >>>>> >>>>> >>>>> >>>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 >>>>> 2001 
>>>>> From: Martin Basti >>>>> Date: Wed, 4 May 2016 17:33:52 +0200 >>>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related >>>>> privileges >>>>> >>>>> DNS privileges are important for handling DNS locations which can be >>>>> created without DNS servers in IPA topology. We will also need this >>>>> privileges presented for future feature 'External DNS support' >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/delegation.ldif | 16 ++++++++++++++++ >>>>> install/share/dns.ldif | 16 ---------------- >>>>> install/updates/37-locations.update | 0 >>>>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>>>> 4 files changed, 32 insertions(+), 16 deletions(-) >>>>> create mode 100644 install/updates/37-locations.update >>>>> >>>>> diff --git a/install/share/delegation.ldif >>>>> b/install/share/delegation.ldif >>>>> index >>>>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>>>> 100644 >>>>> --- a/install/share/delegation.ldif >>>>> +++ b/install/share/delegation.ldif >>>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>>>> cn: Delegation Administrator >>>>> description: Role administration >>>>> >>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: top >>>>> +objectClass: groupofnames >>>>> +objectClass: nestedgroup >>>>> +cn: DNS Administrators >>>>> +description: DNS Administrators >>>>> + >>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: top >>>>> +objectClass: groupofnames >>>>> +objectClass: nestedgroup >>>>> +cn: DNS Servers >>>>> +description: DNS Servers >>>>> + >>>>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> changetype: add >>>>> objectClass: top >>>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>>>> index >>>>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>>>> 100644 
>>>>> --- a/install/share/dns.ldif >>>>> +++ b/install/share/dns.ldif 
>>>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow >>>>> read access"; allow (read,search >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>>> 3.0;acl "Add DNS entries in a zone";allow (add) userattr = >>>>> "parent[1].managedby#GROUPDN";) >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>>> 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = >>>>> "parent[1].managedby#GROUPDN";) >>>>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || >>>>> aplrecord || arecord || certrecord || cn || cnamerecord || >>>>> dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || >>>>> dsrecord || hinforecord || hiprecord || idnsallowdynupdate || >>>>> idnsallowquery || idnsallowsyncptr || idnsallowtransfer || >>>>> idnsforwarders || idnsforwardpolicy || idnsname || >>>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || >>>>> idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || >>>>> idnssoaserial || idnsupdatepolicy || idnszoneactive || >>>>> ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord >>>>> || minforecord || mxrecord || naptrrecord || nsecrecord || >>>>> nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord >>>>> || rrsigrecord || sigrecord || spfrecord || srvrecord || >>>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target >>>>> = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS >>>>> entries in a zone";allow (write) userattr = "parent[0,1].managedby#! 
>>> GROUPDN";) >>>>> - >>>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> -changetype: add >>>>> -objectClass: top >>>>> -objectClass: groupofnames >>>>> -objectClass: nestedgroup >>>>> -cn: DNS Administrators >>>>> -description: DNS Administrators >>>>> - >>>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> -changetype: add >>>>> -objectClass: top >>>>> -objectClass: groupofnames >>>>> -objectClass: nestedgroup >>>>> -cn: DNS Servers >>>>> -description: DNS Servers >>>>> diff --git a/install/updates/37-locations.update >>>>> b/install/updates/37-locations.update >>>>> new file mode 100644 >>>>> index >>>>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>>>> diff --git a/install/updates/40-delegation.update >>>>> b/install/updates/40-delegation.update >>>>> index >>>>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>>>> 100644 >>>>> --- a/install/updates/40-delegation.update >>>>> +++ b/install/updates/40-delegation.update >>>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>>>> default:objectClass: top >>>>> default:cn: Vault Administrators >>>>> default:description: Vault Administrators >>>>> + >>>>> + >>>>> +# Locations - always create DNS related privileges >>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> +default:objectClass: top >>>>> +default:objectClass: groupofnames >>>>> +default:objectClass: nestedgroup >>>>> +default:cn: DNS Administrators >>>>> +default:description: DNS Administrators >>>>> + >>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> +default:objectClass: top >>>>> +default:objectClass: groupofnames >>>>> +default:objectClass: nestedgroup >>>>> +default:cn: DNS Servers >>>>> +default:description: DNS Servers >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>>>> >>>>> 
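Review bot: install/updates/37-locations.update is added by patch 1/4 as an empty file (the diffstat shows `install/updates/37-locations.update | 0` and `create mode 100644`), yet nothing in this patch uses it; it only receives content and its Makefile.am entry in patch 3/4, so 1/4 on its own leaves an empty, uninstalled file in the tree. Either move the file creation to 3/4 or add the Makefile.am line here. The rest of the change reads well: the two privilege entries are moved verbatim from dns.ldif into delegation.ldif, and the matching 40-delegation.update stanzas use `default:`, so servers that already received the entries from dns.ldif keep them unchanged on upgrade.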
>>>>> >>>>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 >>>>> 2001 >>>>> From: Martin Basti >>>>> Date: Thu, 12 May 2016 10:53:37 +0200 >>>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and >>>>> objectclasses >>>>> >>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/60ipadns.ldif | 4 ++++ >>>>> 1 file changed, 4 insertions(+) >>>>> >>>>> diff --git a/install/share/60ipadns.ldif >>>>> b/install/share/60ipadns.ldif >>>>> index >>>>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>>>> 100644 >>>>> --- a/install/share/60ipadns.ldif >>>>> +++ b/install/share/60ipadns.ldif 
>>>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 >>>>> NAME 'idnsSecKeySep' DESC 'DNSKEY S >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME >>>>> 'idnsSecAlgorithm' DESC 'DNSKEY algorithm: string used as >>>>> mnemonic' EQUALITY caseIgnoreIA5Match SUBSTR >>>>> caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 >>>>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' >>>>> DESC 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE >>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME >>>>> 'ipaDNSVersion' DESC 'IPA DNS data version' EQUALITY integerMatch >>>>> ORDERING integerOrderingMatch SINGLE-VALUE SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA v4.3' ) >>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' >>>>> DESC 'Reference to IPA location' EQUALITY distinguishedNameMatch >>>>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA >>>>> v4.4' ) >>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME >>>>> 'ipaLocationWeight' DESC 'Weight for the server in IPA location' >>>>> EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 >>>>> SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC >>>>> 'dns Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY >>>>> ( cn $ idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ >>>>> aAAARecord $ a6Record $ nSRecord $ cNAMERecord $ pTRRecord $ >>>>> sRVRecord $ tXTRecord $ mXRecord $ mDRecord $ hInfoRecord $ >>>>> mInfoRecord $ aFSDBRecord $ SigRecord $ KeyRecord $ LocRecord $ >>>>> nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ dNameRecord $ >>>>> dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ >>>>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord >>>>> $ DHCIDRecord $ HIPRecord $ SPFRecord ) ) >>>>> 
objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC >>>>> 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ >>>>> idnsSOAmName $ idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ >>>>> idnsSOAretry $ idnsSOAexpire $ idnsSOAminimum ) MAY ( >>>>> idnsUpdatePolicy $ idnsAllowQuery $ idnsAllowTransfer $ >>>>> idnsAllowSyncPTR $ idnsForwardPolicy $ idnsForwarders $ >>>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME >>>>> 'idnsConfigObject' DESC 'DNS global config options' STRUCTURAL MAY >>>>> ( idnsForwardPolicy $ idnsForwarders $ idnsAllowSyncPTR $ >>>>> idnsZoneRefresh $ idnsPersistentSearch ) ) 
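Review bot: in the attributeTypes hunk of 60ipadns.ldif, ipaLocationWeight (2.16.840.1.113730.3.8.5.33) declares `EQUALITY integerMatch` but no ORDERING rule, while ipaDNSVersion a few lines above declares `ORDERING integerOrderingMatch`; if weights will ever be selected by range (servers above or below a threshold), add `ORDERING integerOrderingMatch` now, because changing a shipped attribute definition later means another schema update. Also, ipaLocation is a SINGLE-VALUE attribute with DN syntax (1.3.6.1.4.1.1466.115.121.1.12) that will point from a server entry to an entry under cn=locations; make sure that either location-del clears it on member servers, as Jan suggests for Patch 481 in this thread, or the attribute is registered with the referential integrity plugin (25-referint.update), otherwise deleting a location leaves dangling references.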
>>>>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 >>>>> NAME 'ipaDNSZone' SUP top AUXILIARY >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' >>>>> DESC 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ >>>>> idnsZoneActive ) MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC >>>>> 'DNSSEC key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ >>>>> idnsSecKeyCreated $ idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ >>>>> idnsSecKeyActivate $ idnsSecKeyInactive $ idnsSecKeyDelete $ >>>>> idnsSecKeyZone $ idnsSecKeyRevoke $ idnsSecKeySep $ cn ) X-ORIGIN >>>>> 'IPA v4.1' ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME >>>>> 'ipaDNSContainer' DESC 'IPA DNS container' AUXILIARY MUST ( >>>>> ipaDNSVersion ) X-ORIGIN 'IPA v4.3' ) >>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME >>>>> 'ipaLocationObject' DESC 'Object for storing IPA server location' >>>>> STRUCTURAL MUST ( idnsName ) MAY ( description ) X-ORIGIN 'IPA >>>>> v4.4' ) >>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME >>>>> 'ipaLocationMember' DESC 'Member object of IPA location' AUXILIARY >>>>> MAY ( ipaLocation $ ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>>>> >>>>> >>>>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 >>>>> 2001 
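Review bot: in the objectClasses hunk, ipaLocationObject (…3.8.6.7) and ipaLocationMember (…3.8.6.8) omit `SUP top`, whereas idnsForwardZone in the same hunk and idnsRecord above spell it out; 389-ds treats a missing superior as top, but keep the file consistent and add it. A second point: in ipaLocationMember both ipaLocation and ipaLocationWeight are MAY, so the schema permits a weight with no location; the command layer that sets these attributes on server entries has to reject that combination itself, since LDAP schema cannot express the dependency.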
>>>>> From: Martin Basti >>>>> Date: Thu, 12 May 2016 10:54:20 +0200 >>>>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>>>> >>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ACI.txt | 8 ++ >>>>> API.txt | 59 ++++++++++++++ >>>>> VERSION | 4 +- >>>>> install/share/bootstrap-template.ldif | 6 ++ >>>>> install/updates/37-locations.update | 4 + >>>>> install/updates/Makefile.am | 1 + >>>>> ipalib/constants.py | 1 + >>>>> ipalib/plugins/location.py | 149 >>>>> ++++++++++++++++++++++++++++++++++ >>>>> 8 files changed, 230 insertions(+), 2 deletions(-) >>>>> create mode 100644 ipalib/plugins/location.py >>>>> >>>>> diff --git a/ACI.txt b/ACI.txt >>>>> index >>>>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>>>> 100644 >>>>> --- a/ACI.txt >>>>> +++ b/ACI.txt 
>>>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>>>> aci: (targetattr = "createtimestamp || entryusn || >>>>> krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife >>>>> || krbsupportedencsalttypes || modifytimestamp || >>>>> objectclass")(targetfilter = >>>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>>> "permission:System: Read Default Kerberos Ticket Policy";allow >>>>> (compare,read,search) groupdn = "ldap:///cn=System: Read Default >>>>> Kerberos Ticket >>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>>>> aci: (targetattr = "krbmaxrenewableage || >>>>> krbmaxticketlife")(targetfilter = >>>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>>> "permission:System: Read User Kerberos Ticket Policy";allow >>>>> (compare,read,search) groupdn = "ldap:///cn=System: Read User >>>>> Kerberos Ticket >>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>>> 3.0;acl "permission:System: Add IPA Locations";allow (add) groupdn >>>>> = "ldap:///cn=System: Add IPA >>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetattr = "description")(targetfilter = >>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>>> "permission:System: Modify IPA Locations";allow (write) groupdn = >>>>> "ldap:///cn=System: Modify IPA >>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetattr = "createtimestamp || description || entryusn || >>>>> idnsname || modifytimestamp || objectclass")(targetfilter = >>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>>> "permission:System: Read IPA Locations";allow >>>>> (compare,read,search) groupdn = "ldap:///cn=System: Read IPA >>>>> 
Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>>> 3.0;acl "permission:System: Remove IPA Locations";allow (delete) >>>>> groupdn = "ldap:///cn=System: Remove IPA >>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version >>>>> 3.0;acl "permission:System: Add Netgroups";allow (add) groupdn = >>>>> "ldap:///cn=System: Add >>>>> Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>>> diff --git a/API.txt b/API.txt >>>>> index >>>>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>>>> 100644 >>>>> --- a/API.txt >>>>> +++ b/API.txt 
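Review bot: in the ACI.txt hunk above, all four location permissions (add, modify, read, remove) are granted only to the `DNS Administrators` privilege. The write side looks right (modify is restricted to `description`, so the idnsname RDN cannot be rewritten through it), but read is what other roles will need: server entries will carry ipaLocation and location-show is meant to list member servers, so an administrator without DNS Administrators would see location references they cannot resolve. Consider whether `System: Read IPA Locations` should be granted to a wider set (for instance whichever privileges can already read server entries) while leaving the write permissions with DNS Administrators.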
>>>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>>>> output: Entry('result') >>>>> output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> output: PrimaryKey('value') >>>>> +command: location_add >>>>> +args: 1,6,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Str('addattr*', cli_name='addattr') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Str('description?') >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Str('setattr*', cli_name='setattr') >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> +command: location_del >>>>> +args: 1,2,3 >>>>> +arg: DNSNameParam('idnsname+', cli_name='name') >>>>> +option: Flag('continue', autofill=True, cli_name='continue', >>>>> default=False) >>>>> +option: Str('version?') >>>>> +output: Output('result', type=[]) >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: ListOfPrimaryKeys('value') >>>>> +command: location_find >>>>> +args: 1,8,4 >>>>> +arg: Str('criteria?') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Str('description?', autofill=False) >>>>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>>>> +option: Flag('pkey_only?', autofill=True, default=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Int('sizelimit?', autofill=False) >>>>> +option: Int('timelimit?', autofill=False) >>>>> +option: Str('version?') >>>>> +output: Output('count', type=[]) >>>>> +output: ListOfEntries('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: Output('truncated', type=[]) >>>>> +command: location_mod >>>>> +args: 1,8,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Str('addattr*', cli_name='addattr') >>>>> +option: Flag('all', 
autofill=True, cli_name='all', default=False) >>>>> +option: Str('delattr*', cli_name='delattr') >>>>> +option: Str('description?', autofill=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Flag('rights', autofill=True, default=False) >>>>> +option: Str('setattr*', cli_name='setattr') >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> +command: location_show >>>>> +args: 1,4,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Flag('rights', autofill=True, default=False) >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> command: migrate_ds >>>>> args: 2,20,4 >>>>> arg: Str('ldapuri', cli_name='ldap_uri') >>>>> diff --git a/VERSION b/VERSION >>>>> index >>>>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>>>> 100644 >>>>> --- a/VERSION >>>>> +++ b/VERSION >>>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>>>> # # >>>>> ######################################################## >>>>> IPA_API_VERSION_MAJOR=2 >>>>> -IPA_API_VERSION_MINOR=170 >>>>> -# Last change: mbasti - *-find: do not search for members by default >>>>> +IPA_API_VERSION_MINOR=171 >>>>> +# Last change: mbasti - location-* commands >>>>> diff --git a/install/share/bootstrap-template.ldif >>>>> b/install/share/bootstrap-template.ldif >>>>> index >>>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>>>> 100644 >>>>> --- a/install/share/bootstrap-template.ldif >>>>> +++ b/install/share/bootstrap-template.ldif 
>>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>>>> objectClass: top >>>>> cn: etc >>>>> >>>>> +dn: cn=locations,cn=etc,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: nsContainer >>>>> +objectClass: top >>>>> +cn: locations >>>>> + >>>>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>>>> changetype: add >>>>> objectClass: nsContainer >>>>> diff --git a/install/updates/37-locations.update >>>>> b/install/updates/37-locations.update >>>>> index >>>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>>>> 100644 >>>>> --- a/install/updates/37-locations.update >>>>> +++ b/install/updates/37-locations.update >>>>> @@ -0,0 +1,4 @@ >>>>> +dn: cn=locations,cn=etc,$SUFFIX >>>>> +default: objectClass: nsContainer >>>>> +default: objectClass: top >>>>> +default: cn: locations >>>>> diff --git a/install/updates/Makefile.am >>>>> b/install/updates/Makefile.am >>>>> index >>>>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>>>> 100644 >>>>> --- a/install/updates/Makefile.am >>>>> +++ b/install/updates/Makefile.am >>>>> @@ -28,6 +28,7 @@ app_DATA = \ >>>>> 25-referint.update \ >>>>> 30-provisioning.update \ >>>>> 30-s4u2proxy.update \ >>>>> + 37-locations.update \ >>>>> 40-delegation.update \ >>>>> 40-realm_domains.update \ >>>>> 40-replication.update \ >>>>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>>>> index >>>>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>>>> 100644 >>>>> --- a/ipalib/constants.py >>>>> +++ b/ipalib/constants.py 
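Review bot: install/updates/37-locations.update writes `default: objectClass: nsContainer` with a space after `default:`, whereas 40-delegation.update in patch 1/4 writes `default:objectClass: top`; if ldapupdate accepts both spellings this is cosmetic, but use one form across the series. Creating the container both in bootstrap-template.ldif for new installs and in the update file for upgrades is the right pair, and the `container_locations` DN added to ipalib/constants.py agrees with both.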
>>>>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>>>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', >>>>> 'ca'))), >>>>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), >>>>> ('cn', 'etc'))), >>>>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>>>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>>>> >>>>> # Ports, hosts, and URIs: >>>>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), >>>>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>>>> new file mode 100644 >>>>> index >>>>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>>>> --- /dev/null >>>>> +++ b/ipalib/plugins/location.py 
>>>>> @@ -0,0 +1,149 @@ >>>>> +# >>>>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>>>> +# >>>>> + >>>>> +from __future__ import absolute_import >>>>> + >>>>> +from ipalib import ( >>>>> + _, >>>>> + ngettext, >>>>> + api, >>>>> + Str, >>>>> + DNSNameParam >>>>> +) >>>>> +from ipalib.plugable import Registry >>>>> +from ipalib.plugins.baseldap import ( >>>>> + LDAPCreate, >>>>> + LDAPSearch, >>>>> + LDAPRetrieve, >>>>> + LDAPDelete, >>>>> + LDAPObject, >>>>> + LDAPUpdate, >>>>> +) >>>>> +from ipapython.dnsutil import DNSName >>>>> + >>>>> +__doc__ = _(""" >>>>> +IPA locations >>>>> +""") + _(""" >>>>> +Manipulate DNS locations >>>>> +""") + _(""" >>>>> +EXAMPLES: >>>>> +""") + _(""" >>>>> + Find all locations: >>>>> + ipa location-find >>>>> +""") + _(""" >>>>> + Show specific location: >>>>> + ipa location-show location >>>>> +""") + _(""" >>>>> + Add location: >>>>> + ipa location-add location --description 'My location' >>>>> +""") + _(""" >>>>> + Delete location: >>>>> + ipa location-del location >>>>> +""") >>>>> + >>>>> +register = Registry() >>>>> + >>>>> + >>>>> + at register() >>>>> +class location(LDAPObject): >>>>> + """ >>>>> + IPA locations >>>>> + """ >>>>> + container_dn = api.env.container_locations >>>>> + object_name = _('location') >>>>> + object_name_plural = _('locations') >>>>> + object_class = ['ipaLocationObject'] >>>>> + search_attributes = ['idnsName'] >>>>> + default_attributes = [ >>>>> + 'idnsname', 'description' >>>>> + ] >>>>> + label = _('IPA Locations') >>>>> + label_singular = _('IPA Location') >>>>> + >>>>> + permission_filter_objectclasses = ['ipaLocationObject'] >>>>> + managed_permissions = { >>>>> + 'System: Read IPA Locations': { >>>>> + 'ipapermright': {'read', 'search', 'compare'}, >>>>> + 'ipapermdefaultattr': { >>>>> + 'objectclass', 'idnsname', 'description', >>>>> + }, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Add IPA Locations': { >>>>> + 'ipapermright': 
{'add'}, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Remove IPA Locations': { >>>>> + 'ipapermright': {'delete'}, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Modify IPA Locations': { >>>>> + 'ipapermright': {'write'}, >>>>> + 'ipapermdefaultattr': { >>>>> + 'description', >>>>> + }, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + } >>>>> + >>>>> + takes_params = ( >>>>> + DNSNameParam( >>>>> + 'idnsname', >>>>> + cli_name='name', >>>>> + primary_key=True, >>>>> + label=_('Location name'), >>>>> + doc=_('IPA location name'), >>>>> + # dns name must be relative, we will put it into >>>>> middle of >>>>> + # location domain name for location records >>>>> + only_relative=True, >>>>> + ), >>>>> + Str( >>>>> + 'description?', >>>>> + label=_('Description'), >>>>> + doc=_('IPA Location description'), >>>>> + ), >>>>> + ) >>>>> + >>>>> + def get_dn(self, *keys, **options): >>>>> + loc = keys[-1] >>>>> + assert isinstance(loc, DNSName) >>>>> + loc_a = loc.ToASCII() >>>>> + >>>>> + return super(location, self).get_dn(loc_a, **options) >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_add(LDAPCreate): >>>>> + __doc__ = _('Add a new IPA location.') >>>>> + >>>>> + msg_summary = _('Added IPA location "%(value)s"') >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_del(LDAPDelete): >>>>> + __doc__ = _('Delete an IPA location.') >>>>> + >>>>> + msg_summary = _('Deleted IPA location "%(value)s"') >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_mod(LDAPUpdate): >>>>> + __doc__ = _('Modify information about an IPA location .') >>>> >>>> Typo - redundant ' ' at the end. >>>> >>>> >>>> Conditional NACK, warnings mentioned in >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >>>> are not there. >>>> >>>> I'm open to changing this to ACK if you open a separate ticket for >>>> this >>>> omission so we do not forget to add them later on. 
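Review bot: location.get_dn() checks its argument with a bare `assert isinstance(loc, DNSName)`; asserts are stripped under `python -O`, so this documents an expectation rather than enforcing one, and since DNSNameParam already produces DNSName objects either drop it or raise a real error. Relatedly, get_dn() builds the RDN from `loc.ToASCII()`, while `search_attributes = ['idnsName']` is matched against whatever form location-find receives; make sure find applies the same ASCII conversion so a location created with a non-ASCII name is also found. The `only_relative=True` guard is right given the comment that the name is embedded in the middle of the location domain name, and the `ipapermdefaultattr` sets of the managed permissions agree with the ACI.txt hunk.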
>>>
>>> +1
>>>
>>>
>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved
>>> to location_show.post_callback()
>>>
>>>
>>> 2) Before calling super().output_for_cli(), pop 'servers' from
>>> result, so that it is not displayed with --all.
>>>
>>>
>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I
>>> would like to reserve --force for "ignore NotFound when deleting the
>>> entry", which is not the case here.
>>>
>>
>> I tried to build freeIPA with your patches on Fedora 23 and I got the
>> following pylint error:
>> ************* Module ipalib.plugins.location
>> ipalib/plugins/location.py:218: [W1619(old-division),
>> location_show.execute] division w/o __future__ statement)
>> Makefile:137: recipe for target 'lint' failed
>>
> This is a bug in older pylint, I have that import there, I don't see
> this with pylint on F24
> I will put there # pylint: disable=old-division to unblock build on F23
>
I changed my mind, IPA 4.4 won't be on F23, and nothing prevents us from
building it on F24 with newer and better pylint. In the worst case we can put
newer pylint to @freeipa/freeipa-master copr repo

So, if you disagree scream now or never

Martin^2

From mbasti at redhat.com Thu Jun 2 15:43:27 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 17:43:27 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com> References: <33126f9b-0e0a-111c-8ca5-b1fc86d86cb7@redhat.com> <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com> Message-ID: On 02.06.2016 15:03, Jan Cholasta wrote: > On 2.6.2016 14:39, Petr Spacek wrote: >> On 2.6.2016 14:20, Jan Cholasta wrote: >>> On 2.6.2016 14:06, Petr Spacek wrote: >>>> On 1.6.2016 18:00, Martin Basti wrote: >>>>> >>>>> >>>>> updated patches attached >>>>> >>>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch >>>>> >>>>> >>>>> >>>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 >>>>> 2001 
>>>>> From: Martin Basti >>>>> Date: Wed, 4 May 2016 17:33:52 +0200 >>>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related >>>>> privileges >>>>> >>>>> DNS privileges are important for handling DNS locations which can be >>>>> created without DNS servers in IPA topology. We will also need this >>>>> privileges presented for future feature 'External DNS support' >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/delegation.ldif | 16 ++++++++++++++++ >>>>> install/share/dns.ldif | 16 ---------------- >>>>> install/updates/37-locations.update | 0 >>>>> install/updates/40-delegation.update | 16 ++++++++++++++++ >>>>> 4 files changed, 32 insertions(+), 16 deletions(-) >>>>> create mode 100644 install/updates/37-locations.update >>>>> >>>>> diff --git a/install/share/delegation.ldif >>>>> b/install/share/delegation.ldif >>>>> index >>>>> 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 >>>>> >>>>> 100644 >>>>> --- a/install/share/delegation.ldif >>>>> +++ b/install/share/delegation.ldif >>>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup >>>>> cn: Delegation Administrator >>>>> description: Role administration >>>>> >>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: top >>>>> +objectClass: groupofnames >>>>> +objectClass: nestedgroup >>>>> +cn: DNS Administrators >>>>> +description: DNS Administrators >>>>> + >>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: top >>>>> +objectClass: groupofnames >>>>> +objectClass: nestedgroup >>>>> +cn: DNS Servers >>>>> +description: DNS Servers >>>>> + >>>>> dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> changetype: add >>>>> objectClass: top >>>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif >>>>> index >>>>> bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e >>>>> >>>>> 100644 
>>>>> --- a/install/share/dns.ldif >>>>> +++ b/install/share/dns.ldif 
>>>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow >>>>> read >>>>> access"; allow (read,search >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version >>>>> 3.0;acl "Add >>>>> DNS entries in a zone";allow (add) userattr = >>>>> "parent[1].managedby#GROUPDN";) >>>>> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl >>>>> "Remove DNS entries from a zone";allow (delete) userattr = >>>>> "parent[1].managedby#GROUPDN";) >>>>> aci: (targetattr = "a6record || aaaarecord || afsdbrecord || >>>>> aplrecord || >>>>> arecord || certrecord || cn || cnamerecord || dhcidrecord || >>>>> dlvrecord || >>>>> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || >>>>> hiprecord >>>>> || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || >>>>> idnsallowtransfer || idnsforwarders || idnsforwardpolicy || >>>>> idnsname || >>>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || >>>>> idnssoamname || >>>>> idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || >>>>> idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || >>>>> kxrecord || locrecord || mdrecord || minforecord || mxrecord || >>>>> naptrrecord >>>>> || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || >>>>> ptrrecord || >>>>> rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || >>>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = >>>>> "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS >>>>> entries in >>>>> a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";) >>>>> - >>>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> -changetype: add >>>>> -objectClass: top >>>>> -objectClass: groupofnames >>>>> -objectClass: nestedgroup >>>>> -cn: DNS Administrators >>>>> -description: DNS Administrators >>>>> - >>>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> -changetype: add >>>>> -objectClass: top >>>>> -objectClass: groupofnames >>>>> 
-objectClass: nestedgroup >>>>> -cn: DNS Servers >>>>> -description: DNS Servers >>>>> diff --git a/install/updates/37-locations.update >>>>> b/install/updates/37-locations.update >>>>> new file mode 100644 >>>>> index >>>>> 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 >>>>> >>>>> >>>>> diff --git a/install/updates/40-delegation.update >>>>> b/install/updates/40-delegation.update >>>>> index >>>>> f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 >>>>> >>>>> 100644 >>>>> --- a/install/updates/40-delegation.update >>>>> +++ b/install/updates/40-delegation.update >>>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames >>>>> default:objectClass: top >>>>> default:cn: Vault Administrators >>>>> default:description: Vault Administrators >>>>> + >>>>> + >>>>> +# Locations - always create DNS related privileges >>>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX >>>>> +default:objectClass: top >>>>> +default:objectClass: groupofnames >>>>> +default:objectClass: nestedgroup >>>>> +default:cn: DNS Administrators >>>>> +default:description: DNS Administrators >>>>> + >>>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX >>>>> +default:objectClass: top >>>>> +default:objectClass: groupofnames >>>>> +default:objectClass: nestedgroup >>>>> +default:cn: DNS Servers >>>>> +default:description: DNS Servers >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0474.6-DNS-Locations-add-new-attributes-and-objectclasses.patch >>>>> >>>>> >>>>> >>>>> From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 >>>>> 2001 >>>>> From: Martin Basti >>>>> Date: Thu, 12 May 2016 10:53:37 +0200 >>>>> Subject: [PATCH 2/4] DNS Locations: add new attributes and >>>>> objectclasses >>>>> >>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/60ipadns.ldif | 4 ++++ >>>>> 1 file changed, 4 insertions(+) 
>>>>> >>>>> diff --git a/install/share/60ipadns.ldif >>>>> b/install/share/60ipadns.ldif >>>>> index >>>>> 71b99d4d03c34591dc83a5706d300727f3f77f30..5bfed905566bdbfe4e011e218c328701ce854943 >>>>> >>>>> 100644 >>>>> --- a/install/share/60ipadns.ldif >>>>> +++ b/install/share/60ipadns.ldif 
>>>>> @@ -71,6 +71,8 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.26 NAME >>>>> 'idnsSecKeySep' DESC 'DNSKEY S >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.27 NAME >>>>> 'idnsSecAlgorithm' DESC >>>>> 'DNSKEY algorithm: string used as mnemonic' EQUALITY >>>>> caseIgnoreIA5Match >>>>> SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.26 >>>>> SINGLE-VALUE X-ORIGIN 'IPA v4.1' ) >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.5.28 NAME 'idnsSecKeyRef' >>>>> DESC >>>>> 'PKCS#11 URI of the key' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.1' ) >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.74 NAME >>>>> 'ipaDNSVersion' DESC >>>>> 'IPA DNS data version' EQUALITY integerMatch ORDERING >>>>> integerOrderingMatch >>>>> SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 X-ORIGIN 'IPA >>>>> v4.3' ) >>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.32 NAME 'ipaLocation' DESC >>>>> 'Reference to IPA location' EQUALITY distinguishedNameMatch SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>>> +attributeTypes: ( 2.16.840.1.113730.3.8.5.33 NAME >>>>> 'ipaLocationWeight' DESC >>>>> 'Weight for the server in IPA location' EQUALITY integerMatch SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA v4.4' ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.0 NAME 'idnsRecord' DESC >>>>> 'dns >>>>> Record, usually a host' SUP top STRUCTURAL MUST idnsName MAY ( cn $ >>>>> idnsAllowDynUpdate $ dNSTTL $ dNSClass $ aRecord $ aAAARecord $ >>>>> a6Record $ >>>>> nSRecord $ cNAMERecord $ pTRRecord $ sRVRecord $ tXTRecord $ >>>>> mXRecord $ >>>>> mDRecord $ hInfoRecord $ mInfoRecord $ aFSDBRecord $ SigRecord $ >>>>> KeyRecord >>>>> $ LocRecord $ nXTRecord $ nAPTRRecord $ kXRecord $ certRecord $ >>>>> dNameRecord >>>>> $ dSRecord $ sSHFPRecord $ rRSIGRecord $ nSECRecord $ DLVRecord $ >>>>> TLSARecord $ UnknownRecord $ RPRecord $ APLRecord $ IPSECKEYRecord $ >>>>> DHCIDRecord 
$ HIPRecord $ SPFRecord ) ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC >>>>> 'Zone >>>>> class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $ >>>>> idnsSOAmName $ >>>>> idnsSOArName $ idnsSOAserial $ idnsSOArefresh $ idnsSOAretry $ >>>>> idnsSOAexpire $ idnsSOAminimum ) MAY ( idnsUpdatePolicy $ >>>>> idnsAllowQuery $ >>>>> idnsAllowTransfer $ idnsAllowSyncPTR $ idnsForwardPolicy $ >>>>> idnsForwarders $ >>>>> idnsSecInlineSigning $ nSEC3PARAMRecord ) ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.2 NAME >>>>> 'idnsConfigObject' DESC >>>>> 'DNS global config options' STRUCTURAL MAY ( idnsForwardPolicy $ >>>>> idnsForwarders $ idnsAllowSyncPTR $ idnsZoneRefresh $ >>>>> idnsPersistentSearch ) ) 
>>>>> @@ -78,3 +80,5 @@ objectClasses: ( 2.16.840.1.113730.3.8.12.18 NAME >>>>> 'ipaDNSZone' SUP top AUXILIARY >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.3 NAME 'idnsForwardZone' >>>>> DESC >>>>> 'Forward Zone class' SUP top STRUCTURAL MUST ( idnsName $ >>>>> idnsZoneActive ) >>>>> MAY ( idnsForwarders $ idnsForwardPolicy ) ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.6.4 NAME 'idnsSecKey' DESC >>>>> 'DNSSEC >>>>> key metadata' STRUCTURAL MUST ( idnsSecKeyRef $ idnsSecKeyCreated $ >>>>> idnsSecAlgorithm ) MAY ( idnsSecKeyPublish $ idnsSecKeyActivate $ >>>>> idnsSecKeyInactive $ idnsSecKeyDelete $ idnsSecKeyZone $ >>>>> idnsSecKeyRevoke $ >>>>> idnsSecKeySep $ cn ) X-ORIGIN 'IPA v4.1' ) >>>>> objectClasses: ( 2.16.840.1.113730.3.8.12.36 NAME >>>>> 'ipaDNSContainer' DESC >>>>> 'IPA DNS container' AUXILIARY MUST ( ipaDNSVersion ) X-ORIGIN 'IPA >>>>> v4.3' ) >>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.7 NAME >>>>> 'ipaLocationObject' DESC >>>>> 'Object for storing IPA server location' STRUCTURAL MUST ( >>>>> idnsName ) MAY ( >>>>> description ) X-ORIGIN 'IPA v4.4' ) >>>>> +objectClasses: ( 2.16.840.1.113730.3.8.6.8 NAME >>>>> 'ipaLocationMember' DESC >>>>> 'Member object of IPA location' AUXILIARY MAY ( ipaLocation $ >>>>> ipaLocationWeight ) X-ORIGIN 'IPA v4.4' ) >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0475.6-DNS-Locations-location-commands.patch >>>>> >>>>> >>>>> From c353f0ecbb0e97d9ff28e38ddea27168e69f9ac5 Mon Sep 17 00:00:00 >>>>> 2001 
>>>>> From: Martin Basti >>>>> Date: Thu, 12 May 2016 10:54:20 +0200 >>>>> Subject: [PATCH 3/4] DNS Locations: location-* commands >>>>> >>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ACI.txt | 8 ++ >>>>> API.txt | 59 ++++++++++++++ >>>>> VERSION | 4 +- >>>>> install/share/bootstrap-template.ldif | 6 ++ >>>>> install/updates/37-locations.update | 4 + >>>>> install/updates/Makefile.am | 1 + >>>>> ipalib/constants.py | 1 + >>>>> ipalib/plugins/location.py | 149 >>>>> ++++++++++++++++++++++++++++++++++ >>>>> 8 files changed, 230 insertions(+), 2 deletions(-) >>>>> create mode 100644 ipalib/plugins/location.py >>>>> >>>>> diff --git a/ACI.txt b/ACI.txt >>>>> index >>>>> cea814a0ceb7aea48b709236f0f88677e851ac92..2226eccc74ec6d25c1f6fcc93f3e1c7d636b8146 >>>>> >>>>> 100644 >>>>> --- a/ACI.txt >>>>> +++ b/ACI.txt 
>>>>> @@ -158,6 +158,14 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example >>>>> aci: (targetattr = "createtimestamp || entryusn || >>>>> krbdefaultencsalttypes >>>>> || krbmaxrenewableage || krbmaxticketlife || >>>>> krbsupportedencsalttypes || >>>>> modifytimestamp || objectclass")(targetfilter = >>>>> "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>>> "permission:System: >>>>> Read Default Kerberos Ticket Policy";allow (compare,read,search) >>>>> groupdn = >>>>> "ldap:///cn=System: Read Default Kerberos Ticket >>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=users,cn=accounts,dc=ipa,dc=example >>>>> aci: (targetattr = "krbmaxrenewableage || >>>>> krbmaxticketlife")(targetfilter >>>>> = "(objectclass=krbticketpolicyaux)")(version 3.0;acl >>>>> "permission:System: >>>>> Read User Kerberos Ticket Policy";allow (compare,read,search) >>>>> groupdn = >>>>> "ldap:///cn=System: Read User Kerberos Ticket >>>>> Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>>> 3.0;acl >>>>> "permission:System: Add IPA Locations";allow (add) groupdn = >>>>> "ldap:///cn=System: Add IPA >>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetattr = "description")(targetfilter = >>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>>> "permission:System: >>>>> Modify IPA Locations";allow (write) groupdn = "ldap:///cn=System: >>>>> Modify >>>>> IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetattr = "createtimestamp || description || entryusn || >>>>> idnsname >>>>> || modifytimestamp || objectclass")(targetfilter = >>>>> "(objectclass=ipaLocationObject)")(version 3.0;acl >>>>> "permission:System: Read >>>>> IPA Locations";allow (compare,read,search) groupdn = >>>>> "ldap:///cn=System: 
>>>>> Read IPA Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> +dn: cn=locations,cn=etc,dc=ipa,dc=example >>>>> +aci: (targetfilter = "(objectclass=ipaLocationObject)")(version >>>>> 3.0;acl >>>>> "permission:System: Remove IPA Locations";allow (delete) groupdn = >>>>> "ldap:///cn=System: Remove IPA >>>>> Locations,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>>> aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl >>>>> "permission:System: Add Netgroups";allow (add) groupdn = >>>>> "ldap:///cn=System: Add >>>>> Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";) >>>>> dn: cn=ng,cn=alt,dc=ipa,dc=example >>>>> diff --git a/API.txt b/API.txt >>>>> index >>>>> 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..0568a6573236ca25c7b2353832f949c95b353758 >>>>> >>>>> 100644 >>>>> --- a/API.txt >>>>> +++ b/API.txt 
>>>>> @@ -2759,6 +2759,65 @@ option: Str('version?') >>>>> output: Entry('result') >>>>> output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> output: PrimaryKey('value') >>>>> +command: location_add >>>>> +args: 1,6,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Str('addattr*', cli_name='addattr') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Str('description?') >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Str('setattr*', cli_name='setattr') >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> +command: location_del >>>>> +args: 1,2,3 >>>>> +arg: DNSNameParam('idnsname+', cli_name='name') >>>>> +option: Flag('continue', autofill=True, cli_name='continue', >>>>> default=False) >>>>> +option: Str('version?') >>>>> +output: Output('result', type=[]) >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: ListOfPrimaryKeys('value') >>>>> +command: location_find >>>>> +args: 1,8,4 >>>>> +arg: Str('criteria?') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Str('description?', autofill=False) >>>>> +option: DNSNameParam('idnsname?', autofill=False, cli_name='name') >>>>> +option: Flag('pkey_only?', autofill=True, default=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Int('sizelimit?', autofill=False) >>>>> +option: Int('timelimit?', autofill=False) >>>>> +option: Str('version?') >>>>> +output: Output('count', type=[]) >>>>> +output: ListOfEntries('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: Output('truncated', type=[]) >>>>> +command: location_mod >>>>> +args: 1,8,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Str('addattr*', cli_name='addattr') >>>>> +option: Flag('all', 
autofill=True, cli_name='all', default=False) >>>>> +option: Str('delattr*', cli_name='delattr') >>>>> +option: Str('description?', autofill=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Flag('rights', autofill=True, default=False) >>>>> +option: Str('setattr*', cli_name='setattr') >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> +command: location_show >>>>> +args: 1,4,3 >>>>> +arg: DNSNameParam('idnsname', cli_name='name') >>>>> +option: Flag('all', autofill=True, cli_name='all', default=False) >>>>> +option: Flag('raw', autofill=True, cli_name='raw', default=False) >>>>> +option: Flag('rights', autofill=True, default=False) >>>>> +option: Str('version?') >>>>> +output: Entry('result') >>>>> +output: Output('summary', type=[, >>>> 'NoneType'>]) >>>>> +output: PrimaryKey('value') >>>>> command: migrate_ds >>>>> args: 2,20,4 >>>>> arg: Str('ldapuri', cli_name='ldap_uri') >>>>> diff --git a/VERSION b/VERSION >>>>> index >>>>> 45fdb09788dbc6496272da786bb6d6afa45bf118..03908580e3008b5011588588ad41083310d24095 >>>>> >>>>> 100644 >>>>> --- a/VERSION >>>>> +++ b/VERSION >>>>> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >>>>> # # >>>>> ######################################################## >>>>> IPA_API_VERSION_MAJOR=2 >>>>> -IPA_API_VERSION_MINOR=170 >>>>> -# Last change: mbasti - *-find: do not search for members by default >>>>> +IPA_API_VERSION_MINOR=171 >>>>> +# Last change: mbasti - location-* commands >>>>> diff --git a/install/share/bootstrap-template.ldif >>>>> b/install/share/bootstrap-template.ldif >>>>> index >>>>> 628a8e2e0f5483b9f6f565b0c7d11eb000a5912d..83be4399508a905f8eae7e2f59140a6b4051b661 >>>>> >>>>> 100644 >>>>> --- a/install/share/bootstrap-template.ldif >>>>> +++ b/install/share/bootstrap-template.ldif 
>>>>> @@ -119,6 +119,12 @@ objectClass: nsContainer >>>>> objectClass: top >>>>> cn: etc >>>>> >>>>> +dn: cn=locations,cn=etc,$SUFFIX >>>>> +changetype: add >>>>> +objectClass: nsContainer >>>>> +objectClass: top >>>>> +cn: locations >>>>> + >>>>> dn: cn=sysaccounts,cn=etc,$SUFFIX >>>>> changetype: add >>>>> objectClass: nsContainer >>>>> diff --git a/install/updates/37-locations.update >>>>> b/install/updates/37-locations.update >>>>> index >>>>> e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..cf47e6d6296af830a76aad2c9b9f5a6ea5d9f3a1 >>>>> >>>>> 100644 >>>>> --- a/install/updates/37-locations.update >>>>> +++ b/install/updates/37-locations.update >>>>> @@ -0,0 +1,4 @@ >>>>> +dn: cn=locations,cn=etc,$SUFFIX >>>>> +default: objectClass: nsContainer >>>>> +default: objectClass: top >>>>> +default: cn: locations >>>>> diff --git a/install/updates/Makefile.am >>>>> b/install/updates/Makefile.am >>>>> index >>>>> 3edc21473d676bd282e9ea2b88769c097fb8a63a..737a8bbbd1a4915a6aefec2d273b90bb3ca31710 >>>>> >>>>> 100644 >>>>> --- a/install/updates/Makefile.am >>>>> +++ b/install/updates/Makefile.am >>>>> @@ -28,6 +28,7 @@ app_DATA = \ >>>>> 25-referint.update \ >>>>> 30-provisioning.update \ >>>>> 30-s4u2proxy.update \ >>>>> + 37-locations.update \ >>>>> 40-delegation.update \ >>>>> 40-realm_domains.update \ >>>>> 40-replication.update \ >>>>> diff --git a/ipalib/constants.py b/ipalib/constants.py >>>>> index >>>>> 021f18cd366b821427bdbfcc5e354d2047ef39b1..d1c9ccf68d01ef1dc032559ca8a353eede7a0e09 >>>>> >>>>> 100644 >>>>> --- a/ipalib/constants.py >>>>> +++ b/ipalib/constants.py 
>>>>> @@ -121,6 +121,7 @@ DEFAULT_CONFIG = ( >>>>> ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', >>>>> 'ca'))), >>>>> ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), >>>>> ('cn', >>>>> 'etc'))), >>>>> ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), >>>>> + ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), >>>>> >>>>> # Ports, hosts, and URIs: >>>>> ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), >>>>> diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py >>>>> new file mode 100644 >>>>> index >>>>> 0000000000000000000000000000000000000000..efba55aa75e342f566a40a0d10887e173b8a83fc >>>>> >>>>> >>>>> --- /dev/null >>>>> +++ b/ipalib/plugins/location.py 
>>>>> @@ -0,0 +1,149 @@ >>>>> +# >>>>> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >>>>> +# >>>>> + >>>>> +from __future__ import absolute_import >>>>> + >>>>> +from ipalib import ( >>>>> + _, >>>>> + ngettext, >>>>> + api, >>>>> + Str, >>>>> + DNSNameParam >>>>> +) >>>>> +from ipalib.plugable import Registry >>>>> +from ipalib.plugins.baseldap import ( >>>>> + LDAPCreate, >>>>> + LDAPSearch, >>>>> + LDAPRetrieve, >>>>> + LDAPDelete, >>>>> + LDAPObject, >>>>> + LDAPUpdate, >>>>> +) >>>>> +from ipapython.dnsutil import DNSName >>>>> + >>>>> +__doc__ = _(""" >>>>> +IPA locations >>>>> +""") + _(""" >>>>> +Manipulate DNS locations >>>>> +""") + _(""" >>>>> +EXAMPLES: >>>>> +""") + _(""" >>>>> + Find all locations: >>>>> + ipa location-find >>>>> +""") + _(""" >>>>> + Show specific location: >>>>> + ipa location-show location >>>>> +""") + _(""" >>>>> + Add location: >>>>> + ipa location-add location --description 'My location' >>>>> +""") + _(""" >>>>> + Delete location: >>>>> + ipa location-del location >>>>> +""") >>>>> + >>>>> +register = Registry() >>>>> + >>>>> + >>>>> + at register() >>>>> +class location(LDAPObject): >>>>> + """ >>>>> + IPA locations >>>>> + """ >>>>> + container_dn = api.env.container_locations >>>>> + object_name = _('location') >>>>> + object_name_plural = _('locations') >>>>> + object_class = ['ipaLocationObject'] >>>>> + search_attributes = ['idnsName'] >>>>> + default_attributes = [ >>>>> + 'idnsname', 'description' >>>>> + ] >>>>> + label = _('IPA Locations') >>>>> + label_singular = _('IPA Location') >>>>> + >>>>> + permission_filter_objectclasses = ['ipaLocationObject'] >>>>> + managed_permissions = { >>>>> + 'System: Read IPA Locations': { >>>>> + 'ipapermright': {'read', 'search', 'compare'}, >>>>> + 'ipapermdefaultattr': { >>>>> + 'objectclass', 'idnsname', 'description', >>>>> + }, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Add IPA Locations': { >>>>> + 'ipapermright': 
{'add'}, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Remove IPA Locations': { >>>>> + 'ipapermright': {'delete'}, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + 'System: Modify IPA Locations': { >>>>> + 'ipapermright': {'write'}, >>>>> + 'ipapermdefaultattr': { >>>>> + 'description', >>>>> + }, >>>>> + 'default_privileges': {'DNS Administrators'}, >>>>> + }, >>>>> + } >>>>> + >>>>> + takes_params = ( >>>>> + DNSNameParam( >>>>> + 'idnsname', >>>>> + cli_name='name', >>>>> + primary_key=True, >>>>> + label=_('Location name'), >>>>> + doc=_('IPA location name'), >>>>> + # dns name must be relative, we will put it into >>>>> middle of >>>>> + # location domain name for location records >>>>> + only_relative=True, >>>>> + ), >>>>> + Str( >>>>> + 'description?', >>>>> + label=_('Description'), >>>>> + doc=_('IPA Location description'), >>>>> + ), >>>>> + ) >>>>> + >>>>> + def get_dn(self, *keys, **options): >>>>> + loc = keys[-1] >>>>> + assert isinstance(loc, DNSName) >>>>> + loc_a = loc.ToASCII() >>>>> + >>>>> + return super(location, self).get_dn(loc_a, **options) >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_add(LDAPCreate): >>>>> + __doc__ = _('Add a new IPA location.') >>>>> + >>>>> + msg_summary = _('Added IPA location "%(value)s"') >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_del(LDAPDelete): >>>>> + __doc__ = _('Delete an IPA location.') >>>>> + >>>>> + msg_summary = _('Deleted IPA location "%(value)s"') >>>>> + >>>>> + >>>>> + at register() >>>>> +class location_mod(LDAPUpdate): >>>>> + __doc__ = _('Modify information about an IPA location .') >>>> >>>> Typo - redundant ' ' at the end. >>>> >>>> >>>> Conditional NACK, warnings mentioned in >>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >>>> are not there. >>>> >>>> I'm open to changing this to ACK if you open a separate ticket for >>>> this >>>> omission so we do not forget to add them later on. 
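Review bot: the new install/updates/37-locations.update hunk in patch 3/4 writes the action with a space (`default: objectClass: nsContainer`, `default: cn: locations`) while the 40-delegation.update hunk in patch 1/4 of the same series writes `default:objectClass: top`; pick one spelling for the series and check that the updater accepts the spaced form, since upgraded installs get the `cn=locations,cn=etc` container only from this update file (fresh installs get it from the bootstrap-template.ldif hunk).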
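Review bot: `ipaLocationWeight` in the first 60ipadns.ldif hunk carries `EQUALITY integerMatch` but no `ORDERING integerOrderingMatch`, unlike `ipaDNSVersion` two lines above it, so no ordering rule is declared for the weight and the schema puts no bounds on the value; whichever command later sets the weight should reject values outside the range a DNS SRV weight can carry (0 to 65535) rather than relying on the directory.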
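Review bot: `ipaLocationMember` in the second 60ipadns.ldif hunk is `MAY ( ipaLocation $ ipaLocationWeight )`, so the schema allows a server entry with a weight but no location; the code that sets these attributes should treat `ipaLocationWeight` without `ipaLocation` as an error, and the patch 481 change discussed above (unsetting the location from member servers when the location is deleted) should clear the weight at the same time.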
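Review bot: all four new ACIs in the ACI.txt hunk bind only to their `cn=System: ... IPA Locations,cn=permissions,cn=pbac` group, and in location.py every entry of `managed_permissions` lists only `'DNS Administrators'` under `default_privileges`; since the patch 1/4 message says locations can exist without any DNS server in the topology and the later patches in this series attach locations to server entries, confirm that restricting `System: Read IPA Locations` to DNS Administrators is intended, because nothing outside that privilege gets read access to `cn=locations,cn=etc` through these ACIs.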
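Review bot: `location.get_dn()` in the location.py hunk guards the key with `assert isinstance(loc, DNSName)`, which is compiled out under `python -O`; since every location-* command reaches `get_dn`, either make it an explicit check that raises, or drop it and rely on the `DNSNameParam` conversion. The comment next to `only_relative=True` says the name is put into the middle of a domain name for the location records, but a relative `DNSName` may still have several labels, so either restrict the parameter to a single label or state explicitly that multi-label location names are allowed.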
>>>
>>> +1
Done
>>>
>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved to
>>> location_show.post_callback()
I had to add it to execute because I modify result entry not just entry_attrs
>>>
>>> 2) Before calling super().output_for_cli(), pop 'servers' from
>>> result, so that
>>> it is not displayed with --all.
>>>
Done
>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I
>>> would like
>>> to reserve --force for "ignore NotFound when deleting the entry",
>>> which is not
>>> the case here.
>>
>> IMHO option is unnecessary. Just delete the location (and unset
>> location from
>> all member servers). The design does not contain --force anyway :-)
>
> OK, that's even better :-)
>
Done

Updated patches attached

Attachments (text/x-patch, scrubbed by the list archive):
- freeipa-mbasti-0473.7-DNS-Locations-Always-create-DNS-related-privileges.patch (4774 bytes)
- freeipa-mbasti-0474.7-DNS-Locations-add-new-attributes-and-objectclasses.patch (4186 bytes)
- freeipa-mbasti-0475.7-DNS-Locations-location-commands.patch (12814 bytes)
- freeipa-mbasti-0476.7-DNS-Locations-API-tests.patch (9339 bytes)
- freeipa-mbasti-0478.7-Allow-to-use-non-Str-attributes-as-keys-for-members.patch (2147 bytes)
- freeipa-mbasti-0479.7-DNS-Locations-extend-server-command-with-locations.patch (9387 bytes)
- freeipa-mbasti-0480.7-DNS-Location-location-show-return-list-of-servers-in.patch (8590 bytes)
- freeipa-mbasti-0481.7-DNS-Locations-when-removing-location-remove-it-from-.patch (1859 bytes)
- freeipa-mbasti-0482.7-DNS-Locations-extend-tests-with-server-commands.patch (13761 bytes)

From mbasti at redhat.com Thu Jun 2 15:53:11 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 17:53:11 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue
In-Reply-To:
References: <9eb51025-62e4-add4-5d54-c7d01c0e4310@redhat.com> <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com>
Message-ID:

>>>>> Typo - redundant ' ' at the end.
>>>>>
>>>>>
>>>>> Conditional NACK, warnings mentioned in
>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>>>>> are not there.
>>>>>
>>>>> I'm open to changing this to ACK if you open a separate ticket for
>>>>> this
>>>>> omission so we do not forget to add them later on.

I forgot to add, this will be in the next batch of patches (you may see that
there are no marked DNS servers in the output of location show). I do not see
a reason to open a ticket when the current one is not finished.

>>>>
>>>> +1
>>>>
> Done
>
>>>>
>>>> Patch 480:
>>>>
>>>> 1) The code in location_show.execute() looks like it could be moved to
>>>> location_show.post_callback()
>>>>
> I had to add it to execute because I modify result entry not just
> entry_attrs
>
>>>>
>>>> 2) Before calling super().output_for_cli(), pop 'servers' from
>>>> result, so that
>>>> it is not displayed with --all.
>>>>
>>>>
> Done
>
>>>> Patch 481:
>>>>
>>>> 1) Could we rename --force to --nonempty (or something better)? I
>>>> would like
>>>> to reserve --force for "ignore NotFound when deleting the entry",
>>>> which is not
>>>> the case here.
>>>
>>> IMHO option is unnecessary. Just delete the location (and unset
>>> location from
>>> all member servers). The design does not contain --force anyway :-)
>>
>> OK, that's even better :-)
>>
> Done
>
> Updated patches attached
>

From pvoborni at redhat.com Thu Jun 2 16:22:48 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 2 Jun 2016 18:22:48 +0200
Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators
In-Reply-To: <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com>
References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com> <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com>
Message-ID: <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com>

On 06/01/2016 10:41 AM, Pavel Vomacka wrote:
>
> On 05/27/2016 05:58 PM, Pavel Vomacka wrote:
>>
>> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote:
>>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
>>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the patch adds webui part for authentication indicators.
>>>>>>
>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872
>>>>> The otp option displays as: OTP.
>>>>> The radius option displays as: Radius.
>>>>>
>>>>> However, both are acronyms. The capitalization should be
>>>>> consistent.
>>>> I'm sorry for the late answer. They are displayed this way: 'OTP' and
>>>> 'Radius'. So it should not require any change.
>>> That is incorrect. It should be: OTP and RADIUS.
>> I'm sorry, I didn't understand correctly. Fixed patch attached.
>>
> The last patch changes the 'Radius' to 'RADIUS' in whole WebUI.
>

After some thought, we should really support the arbitrary values also in
Web UI. I'd reuse aci.attributes_widget - move the widget elsewhere, make it
a general widget and a base class for the original aci.attributes_widget.
The only difference should be populate method and some strings.

The base widget can populate from options - same as normal checkboxes widget
so that service page doesn't need to inherit from the base class.

-- 
Petr Vobornik

From pvoborni at redhat.com Thu Jun 2 16:39:19 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 2 Jun 2016 18:39:19 +0200
Subject: [Freeipa-devel] [PATCH] 0011 webui: Offer OTP generation for host enrollment in the UI
In-Reply-To:
References: <56FD3B3C.9020307@redhat.com> <3a1c38eb-2283-a7c4-fef3-5e5269cd127d@redhat.com>
Message-ID: <791ec080-c2e3-cf89-29ea-ed0e55449c6e@redhat.com>

On 05/12/2016 02:49 PM, Pavel Vomacka wrote:
>
> On 05/11/2016 03:28 PM, Petr Vobornik wrote:
>> On 03/31/2016 04:59 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> This patch adds option to add host dialog which allows to show generated
>>> OTP.
>>> The patch also changes the way of informing user about success of adding
>>> host
>>> but only when the 'Generate OTP' option is checked.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4602
>>
>> The patch copy&pastes behavior of entity adder dialog buttons when the
>> purpose is to do additional stuff on success. IMHO it copies too much
>> logic.
>>
>> Also the following method of redefining add handler is not very object
>> oriented:
>>     that.get_button('add_and_edit').click = function() {
>>
>> Wouldn't it be better to move anonymous success handlers in
>> entity_adder_dialog to class methods to achieve it. E.g:
>>
>> """
>>     click: function() {
>>         that.hide_message();
>>         that.add(
>>             function(data, text_status, xhr) {
>>                 that.added.notify([data], that);
>>                 that.close();
>>                 var result = data.result.result;
>>                 that.show_edit_page(that.entity, result);
>>                 that.notify_success(data);
>>             },
>>             that.on_error);
>>     }
>> """
>> to
>> """
>>     click: function() {
>>         that.hide_message();
>>         that.add(that.on_add_success, that.on_error);
>>     }
>>
>>     that.on_add_success = function(data, text_status, xhr) {
>>         that.added.notify([data], that);
>>         that.close();
>>         var result = data.result.result;
>>         that.show_edit_page(that.entity, result);
>>         that.notify_success(data);
>>     };
>>
>>     that.entity_adder_dialog_on_add_success = that.on_add_success;
>> """
>>
>> so in child class it would be overridden e.g. by:
>>
>>     that.on_add_success = function(data, text_status, xhr) {
>>         that.entity_adder_dialog_on_add_success(data, text_status, xhr);
>>         // .. my new code
>>     };
>>
>> It follows the pattern as in other code.
>>
>> Other possible method is to implement in parent class
>> handle_notifications override point and then change calls of
>> that.notify_success(data); to that.handle_notifications(data, method);
>> which could be overridden in child.
>>
>> Or probably my favorite:
>> entity_adder_dialog has 'added' event which is raised prior closing the
>> dialog (in 'add' and 'add and edit'). We could either register new event
>> handler which would do the stuff. It will need a way to distinguish
>> buttons. The button name/method could be added as additional param in the
>> base class:
>>     that.added.notify([data, 'add'], that);
>>
>> Or a new event could be created if it is important to call it after
>> dialog is closed.
>>     that.post_added = IPA.observer();
>>     that.post_added.notify([data, 'add'], that);
>>
>>     dialog.post_added.attach(function(data, method) {
>>         // do something;
>>     });
>>
> Thank you for awesome explanation of how it should be done.
I've chosen > the last solution which you described. I added another parameter to the > 'added' event and I also added init method which allows to register > listener to 'added' event only once. Edited patch is attached. > > Pavel^3 ACK pushed to master: * 3b37e29ac6e918027b06e574c2c793f6c521100c Add option to show OTP when adding host -- Petr Vobornik From pvoborni at redhat.com Thu Jun 2 16:43:23 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 2 Jun 2016 18:43:23 +0200 Subject: [Freeipa-devel] [PATCH] 0014 webui: Update delete dialog on active user details page In-Reply-To: <570F493C.6060800@redhat.com> References: <570F493C.6060800@redhat.com> Message-ID: <7b8c41fd-dda8-97eb-b04d-98b47a11c4ba@redhat.com> On 04/14/2016 09:39 AM, Pavel Vomacka wrote: > Hi, > > The attached patch fixes this ticket: > https://fedorahosted.org/freeipa/ticket/5370 . > > It adds radio button to choose whether you want to preserve or delete > user when performing delete action from details page. > > -- > Pavel^3 Vomacka > > ACK master: * 5f7433839fa9772d19d81832941158244a54dc53 Update the delete dialog on details user page -- Petr Vobornik From pvoborni at redhat.com Thu Jun 2 16:45:07 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 2 Jun 2016 18:45:07 +0200 Subject: [Freeipa-devel] [PATCH] 0013, 0017 webui: Add ability to convert users from preserved to staged state In-Reply-To: <5717B6DF.2010000@redhat.com> References: <570E4210.1090409@redhat.com> <57111A54.5070005@redhat.com> <5717B6DF.2010000@redhat.com> Message-ID: On 04/20/2016 07:05 PM, Pavel Vomacka wrote: > > > On 04/15/2016 06:44 PM, Petr Vobornik wrote: >> On 04/13/2016 02:56 PM, Pavel Vomacka wrote: >>> Hello, >>> >>> This patch adds ability to convert users from preserved to staged state. >>> >>> Fixes this ticket: https://fedorahosted.org/freeipa/ticket/5371 >>> >>> -- >>> Pavel^3 Vomacka >>> >>> >> The patch requires rebase. > Attached rebased patches. I split this one patch into two patches. Patch 13: ACK Maybe a nitpick, why the icon have opacity 0.5? Patch 17: needs rebase -- Petr Vobornik From pvoborni at redhat.com Thu Jun 2 17:02:57 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 2 Jun 2016 19:02:57 +0200 Subject: [Freeipa-devel] [PATCH 0093] Enable service authentication indicator management In-Reply-To: <1464703025.11210.28.camel@redhat.com> References: <1464362755.3425.7.camel@redhat.com> <20160527153505.4627dvyqdwqwbyuf@redhat.com> <1464364503.3425.13.camel@redhat.com> <1464364830.3425.14.camel@redhat.com> <20160530160827.3rodv6htgn2dodeq@redhat.com> <1464698986.11210.3.camel@redhat.com> <250582ba-814e-79d0-7169-54198d0fa79f@redhat.com> <1464703025.11210.28.camel@redhat.com> Message-ID: On 05/31/2016 03:57 PM, Nathaniel McCallum wrote: > On Tue, 2016-05-31 at 15:25 +0200, Petr Vobornik wrote: >> On 05/31/2016 02:49 PM, Nathaniel McCallum wrote: >>> On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote: >>>> On Mon, 30 May 2016, Petr Vobornik wrote: >>>>> On 05/27/2016 06:00 PM, Nathaniel McCallum wrote: >>>>>> Pavel, since we made the change here from a StrEnum to a Str, >>>>>> we >>>>>> need >>>>>> to update the UI patch accordingly. >>>>> >>>>> How should admin know what to write there intuitively? >>>>> >>>>> Shouldn't Web UI or CLI advertise the indicators supported by >>>>> IPA? >>>>> E.g. >>>>> CLI in doc string. Web UI might even combine checkboxes (otp, >>>>> radius) >>>>> with textbox. >>>> That would be better, I think. We still need to keep the API with >>>> a >>>> free >>>> text field but Web UI, of course, should provide some pre-defined >>>> labels. >>> >>> I *think* this means that this patch doesn't need any changes. Is >>> that >>> correct? If so, can I get a review? :) >>> >> >> I meant that the param's 'doc' attribute can get the supported >> values. >> So that they would be shown in `ipa service-mod --help` >> >> Btw, the `required: false` and `multivalued: true` can be simplified >> into Str('krbprincipalauthind*') > > I fixed the doc string as well as the verbosity. I also rebased against > the current master. 
>
ACK

master:
* 4ded2ffc161ec649ba1ccf8d0b528d24028080df Enable service authentication indicator management

--
Petr Vobornik

From mbasti at redhat.com Thu Jun 2 17:05:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 19:05:19 +0200
Subject: [Freeipa-devel] [PATCH 0039] Deprecate --domain-level option from ipa-server-install
In-Reply-To:
References:
Message-ID: <59835797-107a-00f0-cce0-8ee05a28f7ae@redhat.com>

On 02.06.2016 14:15, Stanislav Laznicka wrote:
> I had a different solution prepared but it seems that the deprecated
> flag in KnobBase does the trick. Although if the only thing it does is
> to remove the option from help, it may need to be renamed
> (help_hidden, maybe?).
>
> https://fedorahosted.org/freeipa/ticket/5907
>
>
ACK

Pushed to:
master: 3076cb9dcc8afc3f7d2525226772f2494b6d2cd5
ipa-4-3: de23e96795b3a707d313092c8a1b9d6b296ce819

From mbasti at redhat.com Thu Jun 2 17:18:00 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 19:18:00 +0200 Subject: [Freeipa-devel] [PATCH] 0002 Add the culprit line when a configuration file has an incorrect format In-Reply-To: <93631e86-725f-ba0e-ce17-6e8b99325f23@redhat.com> References: <7c482bfd-c466-a2c9-ca29-bcd2a28163df@redhat.com> <93631e86-725f-ba0e-ce17-6e8b99325f23@redhat.com> Message-ID: <8ce7f9fe-ae8f-ed1e-f1b5-259e62030fae@redhat.com> On 30.05.2016 18:11, Florence Blanc-Renaud wrote: > > Hi Martin, > > thanks for the review and the suggestion. Please find the updated > patch attached. > > Flo. > > On 05/30/2016 11:00 AM, Martin Basti wrote: >> >> >> >> On 27.05.2016 11:35, Florence Blanc-Renaud wrote: >>> >>> Hi all, >>> >>> this patch adds information to the output of ipa-client-install when >>> it fails due to invalid format in a configuration file: >>> ipa-client-install failing with SyntaxError: Syntax Error: Unknown >>> line format >>> >>> Fixes: https://fedorahosted.org/freeipa/ticket/5811 >>> >>> -- >>> Florence Blanc-Renaud >>> Identity Management Team, Red Hat >>> >>> >> Thank you for your patch, I have just one nitpick. Can you please >> reuse the original exception? >> >> - curopts.append(self.parseLine(line)) >> + try: >> + curopts.append(self.parseLine(line)) >> + except SyntaxError as e: >> + raise SyntaxError('{error} in file {fname}: >> [{line}]'.format( >> + error=e, fname=f.name, line=line)) >> >> Martin^2 > > -- > Florence Blanc-Renaud > Identity Management Team, Red Hat We are almost there SyntaxError: Syntax Error: Unknown line format in file /etc/nsswitch.conf: [sudoers sss ] I don't like that extra newline, probably we should use line.rstrip() to line, to remove any whitespaces on right side, I'm not sure about left side, it probably should stay with whitespaces Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Jun 2 17:21:32 2016 
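Martin's suggestion above, as an added example (constructed for this thread, not the patch under review or FreeIPA's own code): a stand-in line parser that re-raises SyntaxError with the file name and the right-stripped culprit line, so the trailing newline no longer shows up inside the brackets; it also adds the line number, which the thread's message format does not include. The parser, the sample lines and the file name are assumptions made for illustration.

```python
"""Added example (constructed, not FreeIPA code): wrap a parse error with
the file name and the culprit line, as proposed for ipa-client-install.

The parser is a stand-in for the configuration-line parser discussed in the
thread; the sample lines and file name are constructed for illustration.
"""
import re

# Accepts nsswitch.conf-style lines: "<database>: <source> [<source> ...]",
# optionally followed by a "# comment". Anything else is an unknown format.
_LINE_RE = re.compile(
    r'^\s*(?P<db>[A-Za-z_]+)\s*:\s*(?P<sources>[^#]*?)\s*(#.*)?$')


def parse_line(line):
    """Parse a single line.

    Returns (database, [sources]) for a valid line, None for blank and
    comment lines, and raises SyntaxError with the same message that
    ipa-client-install reports for anything else.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return None
    match = _LINE_RE.match(line)
    if match is None:
        raise SyntaxError('Syntax Error: Unknown line format')
    return match.group('db'), match.group('sources').split()


def parse_config(lines, fname):
    """Parse an iterable of lines read from the file named `fname`.

    Any SyntaxError from parse_line is re-raised with the file name, the
    line number (added here beyond the thread's format) and the culprit
    line. The line is right-stripped so the trailing newline does not end
    up inside the brackets; leading whitespace is kept, as the thread
    suggests, because it may be part of the problem.
    """
    entries = {}
    for lineno, line in enumerate(lines, 1):
        try:
            parsed = parse_line(line)
        except SyntaxError as e:
            raise SyntaxError(
                '{error} in file {fname}, line {lineno}: [{line}]'.format(
                    error=e, fname=fname, lineno=lineno,
                    line=line.rstrip())) from e
        if parsed is not None:
            db, sources = parsed
            entries[db] = sources
    return entries


# Constructed sample: the third line lacks the ':' separator, which is the
# kind of typo behind the report in the thread.
SAMPLE_FNAME = '/etc/nsswitch.conf'  # name only; nothing is read from disk
SAMPLE_LINES = [
    '# constructed sample\n',
    'passwd: files sss\n',
    'sudoers sss \n',
    'hosts: files dns  # fallback\n',
]


def demo():
    """Run the sample and return the error message a user would see."""
    try:
        parse_config(SAMPLE_LINES, SAMPLE_FNAME)
    except SyntaxError as e:
        return str(e)
    return None


if __name__ == '__main__':
    print(demo())
```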
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 19:21:32 +0200 Subject: [Freeipa-devel] [PATCH 0033] Fix CA being presented as running even if it weren't In-Reply-To: References: <4967dac0-c475-17da-45b5-399da32e545c@redhat.com> <651ee173-8f3d-b01f-7bf5-9d1f67dab451@redhat.com> <07c4d154-954f-eee0-127c-3574ceab7435@redhat.com> <654f3bb1-384d-e914-c7fc-67647558b0d0@redhat.com> Message-ID: <7f19fdcf-84d1-4af8-91bd-5fefc22daf86@redhat.com> On 31.05.2016 16:32, Stanislav Laznicka wrote: > On 05/31/2016 11:40 AM, Stanislav Laznicka wrote: >> On 05/31/2016 10:22 AM, Stanislav Laznicka wrote: >>> On 05/30/2016 12:54 PM, Jan Cholasta wrote: >>>> On 30.5.2016 12:36, Martin Basti wrote: >>>>> >>>>> >>>>> On 26.05.2016 19:31, Stanislav Laznicka wrote: >>>>>> >>>>>> Self NACK. I should not post patches when tired, sorry. Minor fix is >>>>>> attached. >>>>>> >>>>>> >>>>>> On 05/26/2016 07:21 PM, Stanislav Laznicka wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Please, see the attached patch. Fixes >>>>>>> https://fedorahosted.org/freeipa/ticket/5898 >>>>>>> >>>>>>> Standa >>>>>>> >>>>>> >>>>> >>>>> LGTM, if nobody is against this, I will push it in 2 days >>>> >>>> NACK, please add `wait` argument and call >>>> self.wait_until_running(), same as in start() and restart(). >>>> >>> A pretty good point, please see the modified patch. >> Self.NACK - can't add 'wait' agrument to service.Service.is_running >> this easy. >> > Should be fixed now. works for me, can be pushed if Honza agree Martin^2 From mbasti at redhat.com Thu Jun 2 17:34:22 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 19:34:22 +0200 Subject: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout In-Reply-To: References: <304a20ca-ca5b-8df7-f1ca-090c60ec3a01@redhat.com> <58d3d9ef-d8c5-50be-1348-3c8b2835d70d@redhat.com> <5c8a4e16-98b1-2e0c-3e78-c7e6e54098e9@redhat.com> <98ffcdc1-e89e-06fb-2c0f-11d659b70d76@redhat.com> Message-ID: <51d52653-ef87-6232-f7a9-e7787583286d@redhat.com> On 01.06.2016 06:04, Martin Basti wrote: > > > > On 31.05.2016 09:41, Stanislav Laznicka wrote: >> On 05/30/2016 02:12 PM, Petr Spacek wrote: >>> On 28.5.2016 15:59, Martin Basti wrote: >>>> On 27.05.2016 14:52, Stanislav Laznicka wrote: >>>>> https://fedorahosted.org/freeipa/ticket/5833 >>>>> >>>>> >>>>> >>>> Is possible to remove timeout completely as it used to be before? >>>> >>>> Even if this timeout is exceeded, command continue in execution and >>>> it just >>>> doesnt print result to user >>> I agree with Martin. The timeout is pointless, please remove it or >>> set it to >>> 2^31 or so. >>> >> The documentation does not clearly state what happens in the corner >> cases of this setting. However, by looking at the source code, I'm >> guessing that 0 is the default value which would eventually point to >> the Apache TimeOut and negative values seem just wrong for them here. >> They are converting it with atoi(), so I propose to set this to 2^31-1. >> >> > Please put your findings to the ticket, patch LGTM I will test it today. > > Martin^2 > > ACK Pushed to master: 12d8a0cf22a271ff41e02f4bcf862877dd680ae5 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Jun 2 17:59:12 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 19:59:12 +0200 Subject: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf In-Reply-To: References: <20160528042451.lewcj5jnicq2noxd@redhat.com> <20160528203855.yoyipbmpkej2pxkc@redhat.com> Message-ID: On 31.05.2016 19:19, Robbie Harwood wrote: > Alexander Bokovoy writes: > >> On Sat, 28 May 2016, Robbie Harwood wrote: >>> Alexander Bokovoy writes: >>>> On Fri, 27 May 2016, Robbie Harwood wrote: >>>>> Stanislav Laznicka writes: 
>>>>>> From: Stanislav Laznicka >>>>>> >>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies >>>>>> to work properly >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5912 >>>>> Thank you for working on this. Is the intent on the part of >>>>> FreeIPA to keep a separate, freeipa-speicifc directory? And if so, >>>>> can I suggest that we not do that? >>>> SSSD cannot write to /etc and I don't think we have to change it. >>> Can you elaborate on this? Why can't sssd write the stuff it puts in >>> /var/lib into /etc, or symlink it? >> Writing to /etc is considered a privilege of a system administrator. A >> runtime override is typically done outside it, in /run like systemd >> allows for its configuration for volatile setups and in /var/lib >> for non-volatile ones. The latter has long been a state of affairs in >> Linux. >> >> Currently SSSD runs under root but it is already made possible to run as >> non-root user and we intend to switch to that mode in future releases. > I guess I don't see a meaningful difference here. We're still writing > to /etc when we modify krb5.conf. > > My reading of the FHS is that this is not an intended use of /var/lib: > /var/lib is for state information [0], and the only time the FHS > mentions config files is to point out that they go in the /etc tree. > > Anyway, I've said my piece and won't derail this further. If you want > to merge, this is a cosmetic issue and I can live with it. > > [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION > > ACK, this patch works as expected. If nobody is against it, I will push it (tomorrow). Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Jun 2 18:11:34 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 2 Jun 2016 20:11:34 +0200
Subject: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf
In-Reply-To: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com>
References: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com>
Message-ID:

On 02.06.2016 16:02, Stanislav Laznicka wrote:
> Hello,
>
> In this patch I am adding the mapping = to
> krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.
>
>
ACK

I have just one question, where is install/share/krb5.conf.template file used in code?

Anyway, for the god of consistency I'm pushing this and that template can be updated and removed in another patch, if unused.

Pushed to master: f0160a2ed28325e46be2921ac44d71ee88d1b3b1

From mbasti at redhat.com Thu Jun 2 18:47:19 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 2 Jun 2016 20:47:19 +0200 Subject: [Freeipa-devel] [PATCH 0038] Reduced time for IO blocking of DS In-Reply-To: <574FE9B6.2040809@redhat.com> References: <655db353-b7f2-cee7-3cff-2635ee6bd523@redhat.com> <574FE9B6.2040809@redhat.com> Message-ID: <3ca2bfef-205a-239b-bc84-88abed201e41@redhat.com> On 02.06.2016 10:09, thierry bordaz wrote: > > > On 06/02/2016 09:48 AM, Martin Basti wrote: >> >> >> >> On 31.05.2016 17:10, Stanislav Laznicka wrote: >>> Hello, >>> >>> This is a fix to https://fedorahosted.org/freeipa/ticket/5383. From >>> the comments I am not sure if nsslapd-idletimeout should be reduced >>> as well. If so, could you please propose a value that you find >>> reasonable? >>> >>> Thanks, >>> Standa >>> >>> >> It looks that only ioblocktimeout is safe to change and we should not >> change the second attribute, Thierry can you confirm this? >> Martin^2 > The patch looks ok to me. It is safe to tune idletimeout as well but > here it does not bring real benefit. > The patch leaves idletimeout to the default value that is no close on > idle connection. > > ioblock is set to 10s that is in a good range of values (DS team > recommended 10-30s). > Note that ioblock is sensitive for slow ldap client. If a client is > not able to read fast enough, the server will close the connection. > This can happen for example if a client did a large SRCH and is > processing slowly the received entries. > > thierry ACK, works for me Pushed to master: e9f0e9d8fafb35acf0adbd99d40c16edf510ff9f -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Fri Jun 3 05:15:59 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 3 Jun 2016 15:15:59 +1000 Subject: [Freeipa-devel] [PATCH] 0065 Remove service and host cert issuer validation Message-ID: <20160603051559.GL4744@dhcp-40-8.bne.redhat.com> The attached patch enables cert issuance to hosts and services using sub-CAs. Thanks, Fraser -------------- next part -------------- From 3432c6322d823dd53a477a6c37021bfe4fbb11b3 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 3 Jun 2016 14:01:49 +1000 Subject: [PATCH] Remove service and host cert issuer validation When adding certifiates to a host or service entry, we currently check that the issuer matches the issuer DN of the IPA CA. Now that sub-CAs have been implemented, this check is no longer valid and will cause false negatives. Remove it and update call sites. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipalib/plugins/host.py | 4 ---- ipalib/plugins/service.py | 4 ---- ipalib/x509.py | 26 -------------------------- ipatests/test_xmlrpc/xmlrpc_test.py | 3 +-- 4 files changed, 1 insertion(+), 36 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 4cd08ebb2f507faa3fd193b323ac3d196fc4895d..9fa38ecaf03b857aa62acbbde84669f68b90233f 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -657,8 +657,6 @@ class host_add(LDAPCreate): setattr(context, 'randompassword', entry_attrs['userpassword']) certs = options.get('usercertificate', []) certs_der = [x509.normalize_certificate(c) for c in certs] - for cert in certs_der: - x509.verify_cert_subject(ldap, keys[-1], cert) entry_attrs['usercertificate'] = certs_der entry_attrs['managedby'] = dn entry_attrs['objectclass'].append('ieee802device') 
@@ -869,8 +867,6 @@ class host_mod(LDAPUpdate): # verify certificates certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] - for cert in certs_der: - x509.verify_cert_subject(ldap, keys[-1], cert) # revoke removed certificates if certs and self.api.Command.ca_is_enabled()['result']: diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index ec2071b873013513240a480c26c92d477f995c18..6f73dcd989a444a75fd11fb8030884556875671a 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -566,8 +566,6 @@ class service_add(LDAPCreate): certs = options.get('usercertificate', []) certs_der = [x509.normalize_certificate(c) for c in certs] - for dercert in certs_der: - x509.verify_cert_subject(ldap, hostname, dercert) entry_attrs['usercertificate'] = certs_der if not options.get('force', False): @@ -642,8 +640,6 @@ class service_mod(LDAPUpdate): # verify certificates certs = entry_attrs.get('usercertificate') or [] certs_der = [x509.normalize_certificate(c) for c in certs] - for dercert in certs_der: - x509.verify_cert_subject(ldap, hostname, dercert) # revoke removed certificates if certs and self.api.Command.ca_is_enabled()['result']: try: diff --git a/ipalib/x509.py b/ipalib/x509.py index 7903441c550eea74a99595026918f3f0b7d35851..82194922d151a1b0f2df03df3578ad45b43b71c9 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -74,14 +74,6 @@ def subject_base(): return _subject_base -def valid_issuer(issuer): - if not api.Command.ca_is_enabled()['result']: - return True - # Handle all supported forms of issuer -- currently dogtag only. - if api.env.ra_plugin == 'dogtag': - return DN(issuer) == DN(('CN', 'Certificate Authority'), subject_base()) - return True - def strip_header(pem): """ Remove the header and footer from a certificate. 
@@ -357,24 +349,6 @@ def write_certificate_list(rawcerts, filename): except (IOError, OSError) as e: raise errors.FileError(reason=str(e)) -def verify_cert_subject(ldap, hostname, dercert): - """ - Verify that the certificate issuer we're adding matches the issuer - base of our installation. - - This assumes the certificate has already been normalized. - - This raises an exception on errors and returns nothing otherwise. - """ - nsscert = load_certificate(dercert, datatype=DER) - subject = str(nsscert.subject) - issuer = str(nsscert.issuer) - del(nsscert) - - if (not valid_issuer(issuer)): - raise errors.CertificateOperationError(error=_('Issuer "%(issuer)s" does not match the expected issuer') % \ - {'issuer' : issuer}) - class _Extension(univ.Sequence): componentType = namedtype.NamedTypes( namedtype.NamedType('extnID', univ.ObjectIdentifier()), diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py index 4052ab91868b0f0e2400b6533e5adba3fe72200d..36c6060f9d693d02cd896efe569c30f9788525e9 100644 --- a/ipatests/test_xmlrpc/xmlrpc_test.py +++ b/ipatests/test_xmlrpc/xmlrpc_test.py @@ -30,7 +30,6 @@ import six from ipatests.util import assert_deepequal, Fuzzy from ipalib import api, request, errors -from ipalib.x509 import valid_issuer from ipapython.version import API_VERSION @@ -91,7 +90,7 @@ fuzzy_hash = Fuzzy('^([a-f0-9][a-f0-9]:)+[a-f0-9][a-f0-9]$', type=six.string_typ # Matches a date, like Tue Apr 26 17:45:35 2016 UTC fuzzy_date = Fuzzy('^[a-zA-Z]{3} [a-zA-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} UTC$') -fuzzy_issuer = Fuzzy(type=six.string_types, test=lambda issuer: valid_issuer(issuer)) +fuzzy_issuer = Fuzzy(type=six.string_types) fuzzy_hex = Fuzzy('^0x[0-9a-fA-F]+$', type=six.string_types) -- 2.5.5 From dkupka at redhat.com Fri Jun 3 06:08:55 2016 
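Review bot: in the host_add and host_mod hunks the removed loop was the only gate on which issuers a stored host certificate may have, and the commit message does not say whether certificates from issuers other than the IPA CA and its sub-CAs are now accepted on purpose or only until a sub-CA-aware check exists; please state that explicitly, and note in the message that despite its name verify_cert_subject never compared the subject (the x509.py hunk computes `subject` and tests only `issuer`), so no subject check is lost here. For the host_mod hunk specifically, the `# revoke removed certificates` path that follows is guarded only by `ca_is_enabled()`, so once foreign-issuer certificates are storable it is worth confirming that removing one whose serial the IPA CA does not know fails cleanly rather than aborting the whole modification.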
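Review bot: in the service_mod hunk (and the same lines in host_mod) the `# verify certificates` comment now heads a block that only normalizes, so it reads as if a check still happens; rename it in this patch, for example to `# normalize certificates`, so the next reader does not go looking for validation that no longer exists.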
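Review bot: in the xmlrpc_test.py hunk `fuzzy_issuer = Fuzzy(type=six.string_types)` accepts any string at all, so the tests no longer notice an empty or malformed issuer in command output; keep at least a shape check, such as `Fuzzy('^[A-Za-z]+=', type=six.string_types)` in the style of the neighbouring fuzzy_hex and fuzzy_date definitions, so a DN is still required even though its exact value is no longer pinned.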
From: dkupka at redhat.com (David Kupka) Date: Fri, 3 Jun 2016 08:08:55 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <433047ff-0677-1606-c16c-0960cffbdc2b@redhat.com> <9f84d44c-cca0-fc87-d8ff-8e502ab702b8@redhat.com> Message-ID: <6ecca459-a93d-c86d-6f4d-9bb93ac5c580@redhat.com> On 25/05/16 16:07, Jan Cholasta wrote: > On 25.5.2016 15:03, David Kupka wrote: >> On 18/05/16 08:01, Jan Cholasta wrote: >>> On 16.5.2016 16:35, Martin Basti wrote: >>>> >>>> >>>> On 09.05.2016 14:07, Jan Cholasta wrote: >>>>> On 6.5.2016 14:32, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 28.04.2016 14:45, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> I have pushed my thin client WIP branch to GitHub: >>>>>>> . >>>>>>> >>>>>>> All commits up to "ipalib: use relative imports for cross-plugin >>>>>>> imports" should be good for review. The rest is subject to change >>>>>>> (WARNING: I will force push into this branch). >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> I did not test it yet, I just checked the code >>>>>> >>>>>> * automount: do not inherit automountlocation_tofiles from >>>>>> LDAPQuery * >>>>>> LGTM >>>>>> >>>>>> * dns: move all dnsrecord code called on client to a single class * >>>>>> LGTM >>>>>> >>>>>> * dns: do not rely on server data structures in code called on >>>>>> client * >>>>>> 1) >>>>>> you forgot to increment VERSION >>>>> >>>>> This was deliberate, as it will no longer be necessary to bump VERSION >>>>> for backward compatible changes after this whole patchset is merged. >>>>> But we're not there yet, so fixed. >>>>> >>>> How we should handle VERSION after your patches? >>>>>> >>>>>> Otherwise LGTM >>>>>> >>>>>> * otptoken: fix import of DN * >>>>>> ACK >>>>>> >>>>>> * otptoken_yubikey: fix otptoken_add_yubikey arguments * >>>>>> 1) >>>>>> you forgot to increment VERSION >>>>> >>>>> Fixed. >>>>> >>>>>> >>>>>> 2) >>>>>> Did you find out why this was issue? 
>>>>>> - del answer['value'] # Why does this cause an error if >>>>>> omitted? >>>>>> - del answer['summary'] # Why does this cause an error if >>>>>> omitted? >>>>> >>>>> The command definition was not complete, it was missing has_output. >>>>> >>>>>> >>>>>> Otherwise LGTM >>>>>> >>>>>> * vault: move client-side code to the module level * >>>>>> LGTM >>>>>> >>>>>> * vault: copy arguments of client commands from server counterparts * >>>>>> 1) >>>>>> you forgot to increment Version >>>>> >>>>> Fixed. >>>>> >>>>>> >>>>>> * ipalib: use relative imports for cross-plugin imports * >>>>>> 1) Missing explanation for future generations why this change is >>>>>> needed >>>>>> in commit message >>>>> >>>>> Fixed. >>>>> >>>>>> >>>>>> The other commits I will check later. >>>>>> Martin^2 >>>>>> >>>>> >>>>> Okay. Thanks. >>>>> >>>> >>>> * frontend: remove the unused Command.soft_validate method >>>> LGTM >>>> >>>> * frontend: perform argument value validation only on server >>>> LGTM >>>> >>>> * frontend: do not forward argument defaults to server >>>> I'm not a fan of returning None in promt_param function, but I havent >>>> found anything better to use. >>> >>> It always returned None for unset params. >>> >>>> LGTM >>>> >>>> * ipalib: optimize API.txt >>>> this contains a lot of black magic, but because this is mainly copy of >>>> current to proper places, LGTM >>> >>> It's actually mostly cut-n-paste. >>> >>>> >>>> * makeaci: load additional plugins using API.add_module >>>> Looks good, but I miss explanation why is this change needed >>> >>> The next change would be impossible without this. 
>>> >>>> >>>> * plugable: replace API.import_plugins with new API.add_package >>>> LGTM >>>> >>>> >>>> * ipalib, ipaserver: migrate all plugins to Registry-based registration >>>> ACK >>>> >>>> * ipalib, ipaserver: fix incorrect API.register calls in docstrings >>>> LGTM >>>> >>>> >>>> * plugable: remove the unused deprecated API.register method >>>> LGTM >>>> >>>> >>>> * plugable: switch API to Registry-based plugin discovery >>>> LGTM >>>> >>>> * frontend: merge baseldap.CallbackRegistry into Command >>>> LGTM >>>> >>>> *frontend: move the interactive_prompt callback type to Command >>>> LGTM >>>> >>>> Martin^2 >>>> >>>> >>> >>> >> >> Hello, >> first batch of 30 patches from Honza's trac-4739 branch >> (https://github.com/jcholast/freeipa/commits/trac-4739) is ready to be >> pushed into master. >> All upto "frontend: allow commands to have an argument named `name`" got >> over numerous test&fix cycles in last week+ and is working as expected >> now, ACK. > > Thanks for the review. > >> >> Honzo, please rebase and push them, thanks! >> > > Attaching the patches for reference. > > Pushed to master: 2b50fc617024f18a81e97f30f75ed1b9221c4055 > Hello, another patchset is ready. There are still some minor issues with interactive prompt in dns* commands but these can be fixed later. Otherwise all work as expected, ACK. Also it would be good to have tests for schema plugin, I have filled a ticket [1]. 
List of commits in Honza's trac-4739 branch: frontend: do not check API minor version of the client ipalib: move server-side plugins to ipaserver ipaclient: implement thin client misc: hide the unused --all option of `env` and `plugins` in CLI ipalib: move File command arguments to ipaclient ipactl: use server API client install: finalize API after CA certs are available rpc: do not validate command name in RPCClient.forward rpc: optimize JSON-RPC response handling rpc: specify connection options in API config rpc: allow overriding NSS DB directory in API config rpc: respect API config in RPCClient.create_connection ipalib: introduce API schema plugins ipalib: replace DeprecatedParam with `deprecated` Param argument parameters: introduce no_convert keyword argument parameters: introduce cli_metavar keyword argument ipalib: split off client-side plugin code into ipaclient dns: move code shared by client and server to separate module ipaclient: add client-side command override class frontend: turn Method attributes into properties plugable: remember overriden plugins in API plugable: simplify API plugin initialization code plugable: turn Plugin attributes into properties help, makeapi: do not use hardcoded plugin package name help, makeapi: specify module topic by name help, makeapi: allow setting command topic explicitly ipalib: move client-side plugins to ipaclient ipaclient: introduce ipaclient.plugins dns: fix dnsrecord interactive mode cli: make optional positional command arguments actually optional [1] https://fedorahosted.org/freeipa/ticket/5929 -- David Kupka From pvomacka at redhat.com Fri Jun 3 06:27:59 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Fri, 3 Jun 2016 08:27:59 +0200 Subject: [Freeipa-devel] [PATCH] 0013, 0017 webui: Add ability to convert users from preserved to staged state In-Reply-To: References: <570E4210.1090409@redhat.com> <57111A54.5070005@redhat.com> <5717B6DF.2010000@redhat.com> Message-ID: <975ff3a5-2fd6-60de-27fe-3e3a7af9cb9c@redhat.com> On 06/02/2016 06:45 PM, Petr Vobornik wrote: > On 04/20/2016 07:05 PM, Pavel Vomacka wrote: >> On 04/15/2016 06:44 PM, Petr Vobornik wrote: >>> On 04/13/2016 02:56 PM, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> This patch adds ability to convert users from preserved to staged state. >>>> >>>> Fixes this ticket:https://fedorahosted.org/freeipa/ticket/5371 >>>> >>>> -- >>>> Pavel^3 Vomacka >>>> >>>> >>> The patch requires rebase. >> Attached rebased patches. I split this one patch into two patches. > Patch 13: ACK > > Maybe a nitpick, why the icon have opacity 0.5? I was not sure which icon I should use, so we talked about it with Honza and we've chosen the the user icon which will be lighter than default. It would be better to do it using text color. So, updated patch attached. > Patch 17: needs rebase Rebased patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0013-3-Add-ability-to-stage-multiple-users.patch Type: text/x-patch Size: 5658 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0017-2-Add-option-to-stage-user-from-details-page.patch Type: text/x-patch Size: 5388 bytes Desc: not available URL: From jcholast at redhat.com Fri Jun 3 06:56:09 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 3 Jun 2016 08:56:09 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <6ecca459-a93d-c86d-6f4d-9bb93ac5c580@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <433047ff-0677-1606-c16c-0960cffbdc2b@redhat.com> <9f84d44c-cca0-fc87-d8ff-8e502ab702b8@redhat.com> <6ecca459-a93d-c86d-6f4d-9bb93ac5c580@redhat.com> Message-ID: On 3.6.2016 08:08, David Kupka wrote: > On 25/05/16 16:07, Jan Cholasta wrote: >> On 25.5.2016 15:03, David Kupka wrote: >>> On 18/05/16 08:01, Jan Cholasta wrote: >>>> On 16.5.2016 16:35, Martin Basti wrote: >>>>> >>>>> >>>>> On 09.05.2016 14:07, Jan Cholasta wrote: >>>>>> On 6.5.2016 14:32, Martin Basti wrote: >>>>>>> >>>>>>> >>>>>>> On 28.04.2016 14:45, Jan Cholasta wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> I have pushed my thin client WIP branch to GitHub: >>>>>>>> . >>>>>>>> >>>>>>>> All commits up to "ipalib: use relative imports for cross-plugin >>>>>>>> imports" should be good for review. The rest is subject to change >>>>>>>> (WARNING: I will force push into this branch). >>>>>>>> >>>>>>>> Honza >>>>>>>> >>>>>>> I did not test it yet, I just checked the code >>>>>>> >>>>>>> * automount: do not inherit automountlocation_tofiles from >>>>>>> LDAPQuery * >>>>>>> LGTM >>>>>>> >>>>>>> * dns: move all dnsrecord code called on client to a single class * >>>>>>> LGTM >>>>>>> >>>>>>> * dns: do not rely on server data structures in code called on >>>>>>> client * >>>>>>> 1) >>>>>>> you forgot to increment VERSION >>>>>> >>>>>> This was deliberate, as it will no longer be necessary to bump >>>>>> VERSION >>>>>> for backward compatible changes after this whole patchset is merged. >>>>>> But we're not there yet, so fixed. >>>>>> >>>>> How we should handle VERSION after your patches? 
>>>>>>> >>>>>>> Otherwise LGTM >>>>>>> >>>>>>> * otptoken: fix import of DN * >>>>>>> ACK >>>>>>> >>>>>>> * otptoken_yubikey: fix otptoken_add_yubikey arguments * >>>>>>> 1) >>>>>>> you forgot to increment VERSION >>>>>> >>>>>> Fixed. >>>>>> >>>>>>> >>>>>>> 2) >>>>>>> Did you find out why this was issue? >>>>>>> - del answer['value'] # Why does this cause an error if >>>>>>> omitted? >>>>>>> - del answer['summary'] # Why does this cause an error if >>>>>>> omitted? >>>>>> >>>>>> The command definition was not complete, it was missing has_output. >>>>>> >>>>>>> >>>>>>> Otherwise LGTM >>>>>>> >>>>>>> * vault: move client-side code to the module level * >>>>>>> LGTM >>>>>>> >>>>>>> * vault: copy arguments of client commands from server >>>>>>> counterparts * >>>>>>> 1) >>>>>>> you forgot to increment Version >>>>>> >>>>>> Fixed. >>>>>> >>>>>>> >>>>>>> * ipalib: use relative imports for cross-plugin imports * >>>>>>> 1) Missing explanation for future generations why this change is >>>>>>> needed >>>>>>> in commit message >>>>>> >>>>>> Fixed. >>>>>> >>>>>>> >>>>>>> The other commits I will check later. >>>>>>> Martin^2 >>>>>>> >>>>>> >>>>>> Okay. Thanks. >>>>>> >>>>> >>>>> * frontend: remove the unused Command.soft_validate method >>>>> LGTM >>>>> >>>>> * frontend: perform argument value validation only on server >>>>> LGTM >>>>> >>>>> * frontend: do not forward argument defaults to server >>>>> I'm not a fan of returning None in promt_param function, but I havent >>>>> found anything better to use. >>>> >>>> It always returned None for unset params. >>>> >>>>> LGTM >>>>> >>>>> * ipalib: optimize API.txt >>>>> this contains a lot of black magic, but because this is mainly copy of >>>>> current to proper places, LGTM >>>> >>>> It's actually mostly cut-n-paste. >>>> >>>>> >>>>> * makeaci: load additional plugins using API.add_module >>>>> Looks good, but I miss explanation why is this change needed >>>> >>>> The next change would be impossible without this. 
>>>>
>>>>> * plugable: replace API.import_plugins with new API.add_package
>>>>> LGTM
>>>>>
>>>>> * ipalib, ipaserver: migrate all plugins to Registry-based registration
>>>>> ACK
>>>>>
>>>>> * ipalib, ipaserver: fix incorrect API.register calls in docstrings
>>>>> LGTM
>>>>>
>>>>> * plugable: remove the unused deprecated API.register method
>>>>> LGTM
>>>>>
>>>>> * plugable: switch API to Registry-based plugin discovery
>>>>> LGTM
>>>>>
>>>>> * frontend: merge baseldap.CallbackRegistry into Command
>>>>> LGTM
>>>>>
>>>>> * frontend: move the interactive_prompt callback type to Command
>>>>> LGTM
>>>>>
>>>>> Martin^2
>>>>
>>> Hello,
>>> first batch of 30 patches from Honza's trac-4739 branch
>>> (https://github.com/jcholast/freeipa/commits/trac-4739) is ready to be
>>> pushed into master.
>>> All up to "frontend: allow commands to have an argument named `name`" got
>>> over numerous test&fix cycles in last week+ and is working as expected
>>> now, ACK.
>>
>> Thanks for the review.
>>
>>> Honzo, please rebase and push them, thanks!
>>
>> Attaching the patches for reference.
>>
>> Pushed to master: 2b50fc617024f18a81e97f30f75ed1b9221c4055
>
> Hello,
> another patchset is ready. There are still some minor issues with
> interactive prompt in dns* commands but these can be fixed later.
> Otherwise all work as expected, ACK.

Thanks for review. I already have patches for most of the minor issues, but
I didn't want to stall this batch any more, so they will be in the next batch.

> Also it would be good to have tests for schema plugin, I have filed a
> ticket [1].

OK, thanks.
> List of commits in Honza's trac-4739 branch:
> frontend: do not check API minor version of the client
> ipalib: move server-side plugins to ipaserver
> ipaclient: implement thin client
> misc: hide the unused --all option of `env` and `plugins` in CLI
> ipalib: move File command arguments to ipaclient
> ipactl: use server API
> client install: finalize API after CA certs are available
> rpc: do not validate command name in RPCClient.forward
> rpc: optimize JSON-RPC response handling
> rpc: specify connection options in API config
> rpc: allow overriding NSS DB directory in API config
> rpc: respect API config in RPCClient.create_connection
> ipalib: introduce API schema plugins
> ipalib: replace DeprecatedParam with `deprecated` Param argument
> parameters: introduce no_convert keyword argument
> parameters: introduce cli_metavar keyword argument
> ipalib: split off client-side plugin code into ipaclient
> dns: move code shared by client and server to separate module
> ipaclient: add client-side command override class
> frontend: turn Method attributes into properties
> plugable: remember overriden plugins in API
> plugable: simplify API plugin initialization code
> plugable: turn Plugin attributes into properties
> help, makeapi: do not use hardcoded plugin package name
> help, makeapi: specify module topic by name
> help, makeapi: allow setting command topic explicitly
> ipalib: move client-side plugins to ipaclient
> ipaclient: introduce ipaclient.plugins
> dns: fix dnsrecord interactive mode
> cli: make optional positional command arguments actually optional

Attaching the patches for reference.

Pushed to master: 984ced60558950292b8894a26b13d9f85c54952c

> [1] https://fedorahosted.org/freeipa/ticket/5929

-- 
Jan Cholasta
From pspacek at redhat.com Fri Jun 3 06:53:42 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 3 Jun 2016 08:53:42 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482] DNS Locations: Prologue
In-Reply-To:
References: <5136f7ac-7e72-bad9-121e-230351057734@redhat.com> <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com>
Message-ID:

On 2.6.2016 17:53, Martin Basti wrote:
>
>>>>>> Typo - redundant ' ' at the end.
>>>>>>
>>>>>> Conditional NACK, warnings mentioned in
>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>>>>>> are not there.
>>>>>>
>>>>>> I'm open to changing this to ACK if you open a separate ticket for this
>>>>>> omission so we do not forget to add them later on.
> I forgot to add, this will be in next batch of patches (you may see that there
> are not marked DNS servers in output of location show), I do not see reason to
> open ticket when the current one is not finished.
>
>>>>> +1
>>>>>
>> Done
>>
>>>>> Patch 480:
>>>>>
>>>>> 1) The code in location_show.execute() looks like it could be moved to
>>>>> location_show.post_callback()
>>>>>
>> I had to add it to execute because I modify result entry not just entry_attrs
>>
>>>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
>>>>> that it is not displayed with --all.
>>>>>
>> Done
>>
>>>>> Patch 481:
>>>>>
>>>>> 1) Could we rename --force to --nonempty (or something better)?
>>>>> I would like
>>>>> to reserve --force for "ignore NotFound when deleting the entry", which
>>>>> is not the case here.
>>>>
>>>> IMHO option is unnecessary. Just delete the location (and unset location from
>>>> all member servers). The design does not contain --force anyway :-)
>>>
>>> OK, that's even better :-)
>>>
>> Done
>>
>> Updated patches attached

I had to add top object class to the plugin and tests to make tests pass.
Patch is attached.

CondACK: Fix this before pushing somehow.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: top_objclass.patch
Type: text/x-patch
Size: 1084 bytes
Desc: not available
URL:

From slaznick at redhat.com Fri Jun 3 07:44:09 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 3 Jun 2016 09:44:09 +0200
Subject: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf
In-Reply-To:
References: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com>
Message-ID: <489eb401-731d-a4ea-7ecf-8a2a59496b48@redhat.com>

On 06/02/2016 08:11 PM, Martin Basti wrote:
>
> On 02.06.2016 16:02, Stanislav Laznicka wrote:
>> Hello,
>>
>> In this patch I am adding the mapping = to
>> krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.
>>
> ACK
>
> I have just one question, where is install/share/krb5.conf.template
> file used in code?
>
> Anyway, for the god of consistency I'm pushing this and that template
> can be updated and removed in another patch, if unused.
>
> Pushed to master: f0160a2ed28325e46be2921ac44d71ee88d1b3b1
>
It's rather cryptically hidden in the code (took me a while to find it again,
I used it in some other patch before). It's used in creation of the
krbinstance. See ipaserver/install/krbinstance.py:293 for the funzies and profit.

From frenaud at redhat.com Fri Jun 3 07:45:50 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Fri, 3 Jun 2016 09:45:50 +0200
Subject: [Freeipa-devel] [PATCH] 0002 Add the culprit line when a configuration file has an incorrect format
In-Reply-To: <8ce7f9fe-ae8f-ed1e-f1b5-259e62030fae@redhat.com>
References: <7c482bfd-c466-a2c9-ca29-bcd2a28163df@redhat.com> <93631e86-725f-ba0e-ce17-6e8b99325f23@redhat.com> <8ce7f9fe-ae8f-ed1e-f1b5-259e62030fae@redhat.com>
Message-ID:

On 06/02/2016 07:18 PM, Martin Basti wrote:
>
> On 30.05.2016 18:11, Florence Blanc-Renaud wrote:
>>
>> Hi Martin,
>>
>> thanks for the review and the suggestion. Please find the updated
>> patch attached.
>>
>> Flo.
>>
>> On 05/30/2016 11:00 AM, Martin Basti wrote:
>>>
>>> On 27.05.2016 11:35, Florence Blanc-Renaud wrote:
>>>>
>>>> Hi all,
>>>>
>>>> this patch adds information to the output of ipa-client-install
>>>> when it fails due to invalid format in a configuration file:
>>>> ipa-client-install failing with SyntaxError: Syntax Error: Unknown
>>>> line format
>>>>
>>>> Fixes: https://fedorahosted.org/freeipa/ticket/5811
>>>>
>>>> -- 
>>>> Florence Blanc-Renaud
>>>> Identity Management Team, Red Hat
>>>>
>>> Thank you for your patch, I have just one nitpick. Can you please
>>> reuse the original exception?
>>>
>>> - curopts.append(self.parseLine(line))
>>> + try:
>>> + curopts.append(self.parseLine(line))
>>> + except SyntaxError as e:
>>> + raise SyntaxError('{error} in file {fname}: [{line}]'.format(
>>> + error=e, fname=f.name, line=line))
>>>
>>> Martin^2
>>
>> -- 
>> Florence Blanc-Renaud
>> Identity Management Team, Red Hat
>
> We are almost there
>
> SyntaxError: Syntax Error: Unknown line format in file
> /etc/nsswitch.conf: [sudoers sss
> ]
>
> I don't like that extra newline, probably we should use line.rstrip()
> to line, to remove any whitespaces on right side, I'm not sure about
> left side, it probably should stay with whitespaces
>
> Martin^2

Hi Martin,

good catch.
Please find the updated patch attached.

-- 
Florence Blanc-Renaud
Identity Management Team, Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-frenaud-0002-3-Add-the-culprit-line-when-a-configuration-file-has-a.patch
Type: text/x-patch
Size: 1414 bytes
Desc: not available
URL:

From abokovoy at redhat.com Fri Jun 3 08:15:50 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 3 Jun 2016 11:15:50 +0300
Subject: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf
In-Reply-To:
References: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com>
Message-ID: <20160603081550.ng2yawl5zzpnhubt@redhat.com>

On Thu, 02 Jun 2016, Martin Basti wrote:
>
>On 02.06.2016 16:02, Stanislav Laznicka wrote:
>>Hello,
>>
>>In this patch I am adding the mapping = to
>>krb5.conf as requested in
>>https://fedorahosted.org/freeipa/ticket/5903.
>>
>ACK
>
>I have just one question, where is install/share/krb5.conf.template
>file used in code?
For setting up Kerberos instance as we have to do a lot more on IPA
master than IPA server.

>
>Anyway, for the god of consistency I'm pushing this and that template
>can be updated and removed in another patch, if unused.
No, it should not be removed or you'll break FreeIPA completely.

-- 
/ Alexander Bokovoy

From akasurde at redhat.com Fri Jun 3 09:30:36 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 3 Jun 2016 15:00:36 +0530
Subject: [Freeipa-devel] [python-pytest-multihost][PATCH 0003] Added force option to rmdir
Message-ID: <57514E3C.4000307@redhat.com>

Hi All,

Please review this patch.

-- 
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pytest-multihost-akasurde-0003-Added-force-option-to-rmdir.patch
Type: text/x-patch
Size: 1197 bytes
Desc: not available
URL:

From dkupka at redhat.com Fri Jun 3 10:35:35 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 3 Jun 2016 12:35:35 +0200
Subject: [Freeipa-devel] [PATCH 0102] test: test_cli: Do not expect defaults in kwargs.
Message-ID:

https://fedorahosted.org/freeipa/ticket/4739

With this patch all but one test in test_cli.py will pass again. The one
failing is a bug in the dns* commands prompt behavior and will be fixed soon.

-- 
David Kupka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dkupka-freeipa-0102.0-test-test_cli-Do-not-expect-defaults-in-kwargs.patch
Type: text/x-patch
Size: 10295 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 3 10:51:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 12:51:24 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482] DNS Locations: Prologue
In-Reply-To:
References: <60948047-fcd6-2221-c220-8cf53b2bfdde@redhat.com> <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com>
Message-ID:

On 03.06.2016 08:53, Petr Spacek wrote:
> On 2.6.2016 17:53, Martin Basti wrote:
>>
>>>>>>> Typo - redundant ' ' at the end.
>>>>>>>
>>>>>>> Conditional NACK, warnings mentioned in
>>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>>>>>>> are not there.
>>>>>>>
>>>>>>> I'm open to changing this to ACK if you open a separate ticket for this
>>>>>>> omission so we do not forget to add them later on.
>> I forgot to add, this will be in next batch of patches (you may see that there
>> are not marked DNS servers in output of location show), I do not see reason to
>> open ticket when the current one is not finished.
>>
>>>>>> +1
>>>>>>
>>> Done
>>>
>>>>>> Patch 480:
>>>>>>
>>>>>> 1) The code in location_show.execute() looks like it could be moved to
>>>>>> location_show.post_callback()
>>>>>>
>>> I had to add it to execute because I modify result entry not just entry_attrs
>>>
>>>>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
>>>>>> that it is not displayed with --all.
>>>>>>
>>> Done
>>>
>>>>>> Patch 481:
>>>>>>
>>>>>> 1) Could we rename --force to --nonempty (or something better)?
>>>>>> I would like
>>>>>> to reserve --force for "ignore NotFound when deleting the entry", which
>>>>>> is not the case here.
>>>>> IMHO option is unnecessary. Just delete the location (and unset location from
>>>>> all member servers). The design does not contain --force anyway :-)
>>>> OK, that's even better :-)
>>>>
>>> Done
>>>
>>> Updated patches attached
> I had to add top object class to the plugin and tests to make tests pass.
> Patch is attached.
>
> CondACK: Fix this before pushing somehow.
>
Updated and heavily rebased patches attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0473.8-DNS-Locations-Always-create-DNS-related-privileges.patch
Type: text/x-patch
Size: 4774 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0474.8-DNS-Locations-add-new-attributes-and-objectclasses.patch
Type: text/x-patch
Size: 4186 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0475.8-DNS-Locations-location-commands.patch
Type: text/x-patch
Size: 12819 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0476.8-DNS-Locations-API-tests.patch
Type: text/x-patch
Size: 9339 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0478.8-Allow-to-use-non-Str-attributes-as-keys-for-members.patch
Type: text/x-patch
Size: 2162 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0479.8-DNS-Locations-extend-server-command-with-locations.patch
Type: text/x-patch
Size: 9419 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0480.8-DNS-Location-location-show-return-list-of-servers-in.patch
Type: text/x-patch
Size: 9287 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0481.8-DNS-Locations-when-removing-location-remove-it-from-.patch
Type: text/x-patch
Size: 1871 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0482.8-DNS-Locations-extend-tests-with-server-commands.patch
Type: text/x-patch
Size: 13450 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 3 11:24:51 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 13:24:51 +0200
Subject: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf
In-Reply-To: <20160603081550.ng2yawl5zzpnhubt@redhat.com>
References: <28b17241-27d9-12ce-c79c-ba54508030cb@redhat.com> <20160603081550.ng2yawl5zzpnhubt@redhat.com>
Message-ID: <5f95b86f-8c8d-c77b-8fb4-b6be1bbb1055@redhat.com>

On 03.06.2016 10:15, Alexander Bokovoy wrote:
> On Thu, 02 Jun 2016, Martin Basti wrote:
>>
>> On 02.06.2016 16:02, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> In this patch I am adding the mapping = to
>>> krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.
>>>
>> ACK
>>
>> I have just one question, where is install/share/krb5.conf.template
>> file used in code?
> For setting up Kerberos instance as we have to do a lot more on IPA
> master than IPA server.
>
>> Anyway, for the god of consistency I'm pushing this and that template
>> can be updated and removed in another patch, if unused.
> No, it should not be removed or you'll break FreeIPA completely.
>
Ok, thanks for info

From slaznick at redhat.com Fri Jun 3 11:38:30 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 3 Jun 2016 13:38:30 +0200
Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks
Message-ID: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com>

Hello,

The attached patch implements solution to https://fedorahosted.org/freeipa/ticket/5914.

The patch is rather hacky as nsslapd-db-locks requires to be modified when DS
is not running, although I accept proposals for a better solution.

Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0041-Increase-nsslapd-db-locks-to-100000.patch
Type: text/x-patch
Size: 2269 bytes
Desc: not available
URL:

From ofayans at redhat.com Fri Jun 3 12:09:57 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 3 Jun 2016 14:09:57 +0200
Subject: [Freeipa-devel] [Test][patch-0042] Automated 2 testcases from Managed Topology testplan
Message-ID: <57517395.9010102@redhat.com>

The patch applies and passes pylint

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0042-Automated-2-managed-topology-4.4-testcases.patch
Type: text/x-patch
Size: 3526 bytes
Desc: not available
URL:

From slaznick at redhat.com Fri Jun 3 12:13:23 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 3 Jun 2016 14:13:23 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
Message-ID: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com>

https://fedorahosted.org/freeipa/ticket/5892
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0042-Removed-dead-code-from-LDAPRemoveReverseMember.patch
Type: text/x-patch
Size: 1258 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 3 12:19:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 14:19:49 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com>
Message-ID: <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com>

On 03.06.2016 14:13, Stanislav Laznicka wrote:
> https://fedorahosted.org/freeipa/ticket/5892
>
NACK

please remove it from LDAPAddReverseMember too, it contains the same code

Martin^2

From mbabinsk at redhat.com Fri Jun 3 12:23:37 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 3 Jun 2016 14:23:37 +0200
Subject: [Freeipa-devel] [Test][patch-0042] Automated 2 testcases from Managed Topology testplan
In-Reply-To: <57517395.9010102@redhat.com>
References: <57517395.9010102@redhat.com>
Message-ID:

On 06/03/2016 02:09 PM, Oleg Fayans wrote:
> The patch applies and passes pylint
>
Hi Oleg,

You don't need to implement server-del tests as I have an extensive CI test
suite for that already, see
https://www.redhat.com/archives/freeipa-devel/2016-April/msg00101.html.

-- 
Martin^3 Babinsky

From slaznick at redhat.com Fri Jun 3 12:28:19 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 3 Jun 2016 14:28:19 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com>
Message-ID: <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com>

On 06/03/2016 02:19 PM, Martin Basti wrote:
>
> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>> https://fedorahosted.org/freeipa/ticket/5892
>>
> NACK
>
> please remove it from LDAPAddReverseMember too, it contains the same code
>
> Martin^2

Please see the modified patch.

Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0042-2-Removed-dead-code-from-LDAP-Remove-Add-ReverseMember.patch
Type: text/x-patch
Size: 1929 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 3 12:50:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 14:50:10 +0200
Subject: [Freeipa-devel] [PATCH 0031] Fix replica deletion when there's no RUVs on the server
In-Reply-To: <7c3115cc-dc99-5708-4e68-7efc8870ba86@redhat.com>
References: <7762e407-0401-174a-2baf-6ecdfd5eb9b4@redhat.com> <3cc137f2-6fab-2c6f-c3b7-d06d48bf1acc@redhat.com> <7c3115cc-dc99-5708-4e68-7efc8870ba86@redhat.com>
Message-ID: <73436a01-0894-4909-2648-efc8c086cf0f@redhat.com>

On 13.05.2016 15:48, Stanislav Laznicka wrote:
> Fix.
>
> On 05/13/2016 03:43 PM, Stanislav Laznicka wrote:
>> Got distracted with the code, beautifying replacement of previous
>> patch attached.
>>
>> On 05/13/2016 03:30 PM, Stanislav Laznicka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5307
>>>
>>> Please see the patch attached.
>>>
>
ACK

Pushed to:
master: 72f5c52d8cca32d8de5e8e0228d8ad3246efda48
ipa-4-3: 66be65c477ff029737adf89202a5c555092b5157

From pvoborni at redhat.com Fri Jun 3 13:10:06 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 15:10:06 +0200
Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles
In-Reply-To:
References:
Message-ID: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com>

On 06/02/2016 01:40 PM, Pavel Vomacka wrote:
> Hello,
>
> please review my patches which add webui for server roles.
>
Did not test yet. I'm waiting for rebase of backend.

Patch 36: ACK (assuming it works when ^^ is available)

Patch 37:

1. typo: 'overriden' - twice

2. 'create_column_link' is a bad name for the method. The method doesn't
create a column link. It is a link's click handler. So the name should
be e.g. on_column_link_click

Patch 38:

1. in serverroles_nested_search_facet wouldn't it be better to override
only get_refresh_command_options and maybe get_refresh_command_args
instead of full create_refresh_command?

-- 
Petr Vobornik

From yurchor at ukr.net Fri Jun 3 13:20:32 2016
From: yurchor at ukr.net (Yuri Chornoivan)
Date: Fri, 03 Jun 2016 16:20:32 +0300
Subject: [Freeipa-devel] [PATCH] Fix minor typo
Message-ID:

Hi,

There is a minor typo in one of the FreeIPA user visible messages:
"you OTP device" -> "your OTP device".

Thanks for fixing it.

Best regards,
Yuri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-minor-typo.patch
Type: application/octet-stream
Size: 899 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 3 13:23:12 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 15:23:12 +0200
Subject: [Freeipa-devel] [PATCH 0032] Remove dangling RUVs even if replicas are offline
In-Reply-To:
References: <63420bab-1cb0-562c-bc93-1bb834210506@redhat.com> <2770a518-35f7-144d-bfbe-1baa9dd92f01@redhat.com> <573D629B.4070804@redhat.com>
Message-ID:

On 19.05.2016 09:30, Stanislav Laznicka wrote:
> On 05/19/2016 08:52 AM, Ludwig Krispenz wrote:
>>
>> On 05/19/2016 08:02 AM, Stanislav Laznicka wrote:
>>> On 05/18/2016 04:44 PM, Petr Vobornik wrote:
>>>> On 05/18/2016 04:36 PM, Stanislav Laznicka wrote:
>>>>> There's no ticket for this patch but as there was a fix to 389-ds
>>>>> mentioned in https://fedorahosted.org/freeipa/ticket/5396, the TODO
>>>>> section in clean_dangling_ruvs could be removed.
>>>>>
>>>> What about using
>>>> 'replica-force-cleaning':'yes',
>>>>
>>>> every time?
>>>>
>>>> Is there a drawback which we would like to avoid?
>>>>
>>> The DS website mentions two possible risks
>>> - possible loss of changes on deleted replica should these have not
>>> been reflected to some other replicas
>> this is a theoretical concern that there might be changes from the
>> replica to be removed which are not yet on all servers, but to me the
>> problem that cleaning ruvs hangs because replicas cannot be reached
>> is the worse scenario.
>>> - if some offline replica comes back online, it may re-pollute the
>>> RUVs back
>>>
>>> I'm not sure of the probability of the second scenario, in my rather
>>> simple environment the re-pollution did not happen.
>> there have been fixes in 389-ds to prevent the repollution, so it
>> should no longer happen.
>>
> Thank you, Ludwig. It seems reasonable to have the option set to 'yes'
> all the time, then.
>
ACK

Pushed to:
master: 0492ab9c0a014735f09e82d5db1c4c1aa2bd6d81
ipa-4-3: d7985af911d54d3ea2637cd8200aeff5d66638d5
URL: 

From akasurde at redhat.com Fri Jun 3 13:23:47 2016
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Fri, 3 Jun 2016 18:53:47 +0530
Subject: [Freeipa-devel] [PATCH] Fix minor typo
In-Reply-To: 
References: 
Message-ID: <575184E3.2040600@redhat.com>

On 06/03/2016 06:50 PM, Yuri Chornoivan wrote:
> Hi,
>
> There is a minor typo in one of the FreeIPA user visible messages:
> "you OTP device" -> "your OTP device".
>
> Thanks for fixing it.
>
> Best regards,
> Yuri
>
>
LGTM

--
Thanks,
Abhijeet Kasurde
IRC: akasurde
http://akasurde.github.io

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mbasti at redhat.com Fri Jun 3 13:25:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 15:25:48 +0200
Subject: [Freeipa-devel] [PATCH] Fix minor typo
In-Reply-To: 
References: 
Message-ID: 

On 03.06.2016 15:20, Yuri Chornoivan wrote:
> Hi,
>
> There is a minor typo in one of the FreeIPA user visible messages:
> "you OTP device" -> "your OTP device".
>
> Thanks for fixing it.
>
> Best regards,
> Yuri
>
>
Thank you!

ACK

Pushed to master: fd4386d5c98e4b823a9f05e18c8b0db857bf1284

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mbasti at redhat.com Fri Jun 3 13:33:26 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 3 Jun 2016 15:33:26 +0200
Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles
In-Reply-To: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com>
References: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com>
Message-ID: <8b8750c8-d2a5-f004-7787-459eb954d423@redhat.com>

On 03.06.2016 15:10, Petr Vobornik wrote:
> On 06/02/2016 01:40 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> please review my patches which add webui for server roles.
>>
> Did not test yet. I'm waiting for rebase of backend.
>
> Patch 36: ACK (assuming it works when ^^ is available)
>
> Patch 37:
>
> 1. typo: 'overriden' - twice
>
> 2. 'create_column_link' is a bad name for the method. The method doesn't
> create a column link. It is a link's click handler. So the name should
> be e.g. on_column_link_click
>
> Patch 38:
>
> 1. in serverroles_nested_search_facet wouldn't it be better to override
> only get_refresh_command_options and maybe get_refresh_command_args
> instead of full create_refresh_command?
>
Works for me, but I lent my VM to Petr to be sure you meet all webUI requirements :)

Martin^2

From pspacek at redhat.com Fri Jun 3 13:42:55 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 3 Jun 2016 15:42:55 +0200
Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482] DNS Locations: Prologue
In-Reply-To: 
References: <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com>
Message-ID: 

On 3.6.2016 12:51, Martin Basti wrote:
>
>
> On 03.06.2016 08:53, Petr Spacek wrote:
>> On 2.6.2016 17:53, Martin Basti wrote:
>>>
>>>>>>>> Typo - redundant ' ' at the end.
>>>>>>>>
>>>>>>>>
>>>>>>>> Conditional NACK, warnings mentioned in
>>>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>>>>>>>> are not there.
>>>>>>>>
>>>>>>>> I'm open to changing this to ACK if you open a separate ticket for this
>>>>>>>> omission so we do not forget to add them later on.
>>> I forgot to add, this will be in the next batch of patches (you may see that
>>> DNS servers are not marked in the output of location show), I do not see a
>>> reason to open a ticket when the current one is not finished.
>>>
>>>>>>> +1
>>>>>>>
>>>> Done
>>>>
>>>>>>> Patch 480:
>>>>>>>
>>>>>>> 1) The code in location_show.execute() looks like it could be moved to
>>>>>>> location_show.post_callback()
>>>>>>>
>>>> I had to add it to execute because I modify the result entry, not just
>>>> entry_attrs
>>>>
>>>>>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
>>>>>>> that it is not displayed with --all.
>>>>>>>
>>>>>>>
>>>> Done
>>>>
>>>>>>> Patch 481:
>>>>>>>
>>>>>>> 1) Could we rename --force to --nonempty (or something better)? I would
>>>>>>> like to reserve --force for "ignore NotFound when deleting the entry",
>>>>>>> which is not the case here.
>>>>>> IMHO the option is unnecessary. Just delete the location (and unset
>>>>>> location from all member servers). The design does not contain --force
>>>>>> anyway :-)
>>>>> OK, that's even better :-)
>>>>>
>>>> Done
>>>>
>>>> Updated patches attached
>> I had to add the top object class to the plugin and tests to make the tests pass.
>> Patch is attached.
>>
>> CondACK: Fix this before pushing somehow.
>>
>
> Updated and heavily rebased patches attached.

ACK

--
Petr^2 Spacek

From pvoborni at redhat.com Fri Jun 3 14:14:04 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 16:14:04 +0200
Subject: [Freeipa-devel] [PATCH] 0013, 0017 webui: Add ability to convert users from preserved to staged state
In-Reply-To: <975ff3a5-2fd6-60de-27fe-3e3a7af9cb9c@redhat.com>
References: <570E4210.1090409@redhat.com> <57111A54.5070005@redhat.com> <5717B6DF.2010000@redhat.com> <975ff3a5-2fd6-60de-27fe-3e3a7af9cb9c@redhat.com>
Message-ID: 

On 06/03/2016 08:27 AM, Pavel Vomacka wrote:
>
>
> On 06/02/2016 06:45 PM, Petr Vobornik wrote:
>> On 04/20/2016 07:05 PM, Pavel Vomacka wrote:
>>> On 04/15/2016 06:44 PM, Petr Vobornik wrote:
>>>> On 04/13/2016 02:56 PM, Pavel Vomacka wrote:
>>>>> Hello,
>>>>>
>>>>> This patch adds the ability to convert users from preserved to staged
>>>>> state.
>>>>>
>>>>> Fixes this ticket: https://fedorahosted.org/freeipa/ticket/5371
>>>>>
>>>>> --
>>>>> Pavel^3 Vomacka
>>>>>
>>>>>
>>>> The patch requires rebase.
>>> Attached rebased patches. I split this one patch into two patches.
>> Patch 13: ACK
>>
>> Maybe a nitpick, why does the icon have opacity 0.5?
> I was not sure which icon I should use, so we talked about it with Honza
> and we've chosen the user icon, which will be lighter than the default.
> It would be better to do it using text color. So, updated patch attached.
>> Patch 17: needs rebase
> Rebased patch attached.

ACK for both patches.

Rebased (due to internal.py move) and pushed.

master:
* b71d1b431d7393187de162c4c0d921a2dc4b3a49 Add ability to stage multiple users
* 46e3245fdedbf88050fffa6039d176914c242418 Add option to stage user from details page

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 3 14:19:33 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 16:19:33 +0200
Subject: [Freeipa-devel] [PATCH] 0032 webui: change lang.hitch to the javascript bind method
In-Reply-To: <55715965-5c5f-baea-1db0-7a47956a407a@redhat.com>
References: <55715965-5c5f-baea-1db0-7a47956a407a@redhat.com>
Message-ID: <9533da1e-1026-c80d-b41f-69c1ef0239c6@redhat.com>

On 04/29/2016 03:15 PM, Pavel Vomacka wrote:
> Hi,
>
> please review the attached patch.
>
> https://fedorahosted.org/freeipa/ticket/5702
>
> --
>
> Pavel^3 Vomacka
>

ACK

pushed to master:
* b16e59bdaa4acba7b8a190a4ca32b7a113b32cd1 Change lang.hitch to javascript bind method

--
Petr Vobornik

From pvoborni at redhat.com Fri Jun 3 14:30:21 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 16:30:21 +0200
Subject: [Freeipa-devel] [PATCH] 0035: webui: change Restore cert to Remove cert hold
In-Reply-To: 
References: 
Message-ID: 

On 05/20/2016 01:17 PM, Pavel Vomacka wrote:
> Hi,
>
> please review the attached patch. It changes the Restore certificate strings to
> Remove certificate hold to be consistent with the CLI.
>
> https://fedorahosted.org/freeipa/ticket/5878
>
> --
>
> Pavel^3 Vomacka
>
>

ACK

rebased (internal.py move) and pushed:

master:
* fdd2265bc4a0894fa5a33bc4c5fd026593185c8b Change 'Restore' to 'Remove Hold'

--
Petr Vobornik

From mbabinsk at redhat.com Fri Jun 3 15:15:59 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 3 Jun 2016 17:15:59 +0200
Subject: [Freeipa-devel] [PATCH 0146-0147] Server Roles: basic infrastructure
In-Reply-To: <28b45db2-8116-359c-d28f-90201fa16271@redhat.com>
References: <28b45db2-8116-359c-d28f-90201fa16271@redhat.com>
Message-ID: <92b19099-7ef0-44f6-9eb2-2faeb5b57153@redhat.com>

On 05/19/2016 04:59 PM, Martin Babinsky wrote:
> Patch 0146 implements lower-level infrastructure for querying server
> roles/attributes
>
> Patch 0147 are some basic tests slapped together for the `serverroles`
> backend to ensure that it works as expected.
>
> The new/modified CLI commands specified in the design page [1] will be
> coming soon.
>
> Also coming soon will be an interface to construct DNS records for each
> role requested by Petr^2 and Martin^2, which I will start implementing when
> we agree on the backend implementation.
>
> https://fedorahosted.org/freeipa/ticket/5181
>
> [1] https://www.freeipa.org/page/V4/Server_Roles#CLI
>
>
>

Ignore this thread please, all other revisions will be sent together with the user-facing part in a separate thread.

--
Martin^3 Babinsky

From mbabinsk at redhat.com Fri Jun 3 15:16:35 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 3 Jun 2016 17:16:35 +0200
Subject: [Freeipa-devel] [PATCH 0149-0152] Server Roles: user-facing part
In-Reply-To: <7d27e63b-a93a-30dd-b661-aa4f31535609@redhat.com>
References: <7d27e63b-a93a-30dd-b661-aa4f31535609@redhat.com>
Message-ID: 

On 05/30/2016 07:13 PM, Martin Babinsky wrote:
> These patches implement the usable part of the Server Roles design. There
> might be some discrepancies between the design and the actual
> implementation, I was head first in hacking and was not very disciplined
> in keeping the design up to date.
>
> I will fix this ASAP.
>
> http://www.freeipa.org/page/V4/Server_Roles
> https://fedorahosted.org/freeipa/ticket/5181
> https://fedorahosted.org/freeipa/ticket/5689
>
>
>

Ignore this thread please, all other revisions will be sent together with the user-facing part in a separate thread.

--
Martin^3 Babinsky

From pvoborni at redhat.com Fri Jun 3 15:17:12 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 17:17:12 +0200
Subject: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'
In-Reply-To: 
References: 
Message-ID: 

On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> Hi all,
>
> please review the patch for webUI which adds SAN names into the 'Issue new
> certificate' dialog. The SAN names are mentioned only in the dialogs for
> requesting host and service certificates, according to the design page:
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> sure whether this change provides enough information. If you think that
> we should add more information to these dialogs or even also extend the
> dialog on the Authentication -> Certificates page, just let me know.
>

Should we also include SAN for user certs?

E.g.:
-7 emailAddrs

Adding Fraser to loop...

Otherwise the patch looks good.

--
Petr Vobornik

From mbabinsk at redhat.com Fri Jun 3 15:25:14 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 3 Jun 2016 17:25:14 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 Message-ID: I am sending rebased patches implementing http://www.freeipa.org/page/V4/Server_Roles I hope the patches work since I have had a lot of fun rebasing them on top of thin client and DNS locations effort. https://fedorahosted.org/freeipa/ticket/5181 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0146.3-Server-roles-definitions-of-server-roles-and-attribu.patch Type: text/x-patch Size: 20283 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0147.3-Server-Roles-Backend-plugin-to-query-roles-and-attri.patch Type: text/x-patch Size: 6044 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0148.3-Test-suite-for-serverroles-backend.patch Type: text/x-patch Size: 25312 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0149.1-Server-Roles-public-API-for-server-roles.patch Type: text/x-patch Size: 6724 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0150.1-Server-Roles-make-server-show-find-utilize-role-info.patch Type: text/x-patch Size: 8509 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0151.1-Server-Roles-make-config-show-consume-relevant-roles.patch Type: text/x-patch Size: 9712 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0152.1-Server-Roles-provide-an-API-for-setting-CA-renewal-m.patch Type: text/x-patch Size: 3662 bytes Desc: not available URL: From tbordaz at redhat.com Fri Jun 3 15:49:34 2016 
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 3 Jun 2016 17:49:34 +0200
Subject: [Freeipa-devel] [PATCH] script for provisioning
Message-ID: <5751A70E.2080306@redhat.com>

Hello,

A performance bottleneck during provisioning was described at
http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds...

I wrote the attached script, which follows
http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm

This is a preliminary script that needs to be improved, but just to check that it matches the basic requirements I am sending it to the alias to get some feedback.

The output of a provisioning session is below. The steps are:

* install freeipa-server
* create a provisioning file using https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py
* ipa-provision.py prepare
* ipa-provision.py import
* ipa-provision.py finish

Note: you will likely need to define the DM password with the option '-w '

regards
thierry

/tmp/ipa-provision.py prepare -f /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -d 1
entrycache = 10485760
dncache = 10485760
dbcache = 209715200
dblock = 10000
Preparation of the bulk import is now completed
If you want to continue:
 - run /tmp/ipa-provision.py import -f /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif
 - run /tmp/ipa-provision.py finish -b

If you want to not continue:
 - run /tmp/ipa-provision.py abort

/tmp/ipa-provision import -f /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -debug 2
adding new entry "uid=user0,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
adding new entry "uid=user1,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
adding new entry "uid=user2,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
...
adding new entry "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
adding new entry "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
Bulk import is now completed
You need to run:
 - run /tmp/ipa-provision.py finish -b

/tmp/ipa-provision.py finish
Waiting for (objectClass=inetorgperson) fixup to complete...
Completed filter (objectClass=inetorgperson)
Waiting for (objectClass=ipausergroup) fixup to complete...
Completed filter (objectClass=ipausergroup)
Waiting for (objectClass=ipahost) fixup to complete...
Completed filter (objectClass=ipahost)
Waiting for (objectClass=ipahostgroup) fixup to complete...
Completed filter (objectClass=ipahostgroup)
Waiting for (objectClass=ipasudorule) fixup to complete...
Completed filter (objectClass=ipasudorule)
Waiting for (objectClass=ipahbacrule) fixup to complete...
Completed filter (objectClass=ipahbacrule)
Bulk import and fixup tasks are now completed

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipa-provision.py
Type: text/x-python
Size: 23915 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Fri Jun 3 16:29:09 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 3 Jun 2016 18:29:09 +0200
Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency
Message-ID: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com>

admintools doesn't pull python[2|3]-ipaclient by default, which ends with an exception if the CLI is used.

--
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0958-admintools-missing-python3-ipaclient-dependency.patch
Type: text/x-patch
Size: 941 bytes
Desc: not available
URL: 

From ftweedal at redhat.com Sat Jun 4 00:17:59 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Sat, 4 Jun 2016 10:17:59 +1000
Subject: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'
In-Reply-To: 
References: 
Message-ID: <20160604001759.GX4744@dhcp-40-8.bne.redhat.com>

On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote:
> On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> > Hi all,
> >
> > please review the patch for webUI which adds SAN names into the 'Issue new
> > certificate' dialog. The SAN names are mentioned only in the dialogs for
> > requesting host and service certificates, according to the design page:
> > http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> > sure whether this change provides enough information. If you think that
> > we should add more information to these dialogs or even also extend the
> > dialog on the Authentication -> Certificates page, just let me know.
> >
>
> Should we also include SAN for user certs?
>
> E.g.:
> -7 emailAddrs
>
> Adding Fraser to loop...
>
> Otherwise the patch looks good.
>
We *could* add an rfc822Name example for user certs, but I don't think
we should. Especially for user certs, we might as well hold off
because the "CSR templates" feature is intended to relieve users of
having to generate CSRs themselves.

Cheers,
Fraser

From mbasti at redhat.com Sun Jun 5 07:48:07 2016
From: mbasti at redhat.com (Martin Basti)
Date: Sun, 5 Jun 2016 09:48:07 +0200
Subject: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf
In-Reply-To: 
References: <20160528042451.lewcj5jnicq2noxd@redhat.com> <20160528203855.yoyipbmpkej2pxkc@redhat.com>
Message-ID: <8baa342f-4d91-05b6-31bc-f8f27c2575fa@redhat.com>

On 02.06.2016 19:59, Martin Basti wrote:
>
>
>
> On 31.05.2016 19:19, Robbie Harwood wrote:
>> Alexander Bokovoy writes:
>>
>>> On Sat, 28 May 2016, Robbie Harwood wrote:
>>>> Alexander Bokovoy writes:
>>>>> On Fri, 27 May 2016, Robbie Harwood wrote:
>>>>>> Stanislav Laznicka writes:
>>>>>>> From: Stanislav Laznicka
>>>>>>>
>>>>>>> The include of /etc/krb5.conf.d/ is required for crypto-policies
>>>>>>> to work properly
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5912
>>>>>> Thank you for working on this. Is the intent on the part of
>>>>>> FreeIPA to keep a separate, freeipa-specific directory? And if so,
>>>>>> can I suggest that we not do that?
>>>>> SSSD cannot write to /etc and I don't think we have to change it.
>>>> Can you elaborate on this? Why can't sssd write the stuff it puts in
>>>> /var/lib into /etc, or symlink it?
>>> Writing to /etc is considered a privilege of a system administrator. A
>>> runtime override is typically done outside it, in /run like systemd
>>> allows for its configuration for volatile setups and in /var/lib
>>> for non-volatile ones. The latter has long been a state of affairs in
>>> Linux.
>>>
>>> Currently SSSD runs under root but it is already made possible to run as
>>> a non-root user and we intend to switch to that mode in future releases.
>> I guess I don't see a meaningful difference here. We're still writing
>> to /etc when we modify krb5.conf.
>>
>> My reading of the FHS is that this is not an intended use of /var/lib:
>> /var/lib is for state information [0], and the only time the FHS
>> mentions config files is to point out that they go in the /etc tree.
>>
>> Anyway, I've said my piece and won't derail this further. If you want
>> to merge, this is a cosmetic issue and I can live with it.
>>
>> [0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
>>
>>
> ACK, this patch works as expected. If nobody is against it, I will
> push it (tomorrow).
>
> Martin^2
>
>

Pushed to master: 2026677635c6d4b086670cb9d8f3570bd1b95c27

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From mbasti at redhat.com Sun Jun 5 08:45:28 2016
From: mbasti at redhat.com (Martin Basti)
Date: Sun, 5 Jun 2016 10:45:28 +0200
Subject: [Freeipa-devel] [PATCH] script for provisioning
In-Reply-To: <5751A70E.2080306@redhat.com>
References: <5751A70E.2080306@redhat.com>
Message-ID: 

On 03.06.2016 17:49, thierry bordaz wrote:
> Hello,
>
> A performance bottleneck during provisioning was described at
> http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds...
>
> I wrote the attached script, which follows
> http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm
>
> This is a preliminary script that needs to be improved, but just to
> check that it matches the basic requirements I am sending it to the alias to
> get some feedback.
>
> The output of a provisioning session is below. The steps are:
>
> * install freeipa-server
> * create a provisioning file using
> https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py
> * ipa-provision.py prepare
> * ipa-provision.py import
> * ipa-provision.py finish
>
> Note: you will likely need to define the DM password with the option
> '-w '
>
> regards
> thierry
>
>
> /tmp/ipa-provision.py prepare -f
> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -d 1
> entrycache = 10485760
> dncache = 10485760
> dbcache = 209715200
> dblock = 10000
> Preparation of the bulk import is now completed
> If you want to continue:
> - run /tmp/ipa-provision.py import -f
> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif
> - run /tmp/ipa-provision.py finish -b
>
> If you want to not continue:
> - run /tmp/ipa-provision.py abort
>
>
>
> /tmp/ipa-provision import -f
> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif
> -debug 2
> adding new entry
> "uid=user0,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
>
> adding new entry
> "uid=user1,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
>
> adding new entry
> "uid=user2,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
> ...
> adding new entry
> "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
>
> adding new entry
> "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
>
> Bulk import is now completed
> You need to run:
> - run /tmp/ipa-provision.py finish -b
>
>
>
> /tmp/ipa-provision.py finish
>
> Waiting for (objectClass=inetorgperson) fixup to complete...
> Completed filter (objectClass=inetorgperson)
>
> Waiting for (objectClass=ipausergroup) fixup to complete...
> Completed filter (objectClass=ipausergroup)
>
> Waiting for (objectClass=ipahost) fixup to complete...
> Completed filter (objectClass=ipahost)
>
> Waiting for (objectClass=ipahostgroup) fixup to complete...
> Completed filter (objectClass=ipahostgroup)
>
> Waiting for (objectClass=ipasudorule) fixup to complete...
> Completed filter (objectClass=ipasudorule)
>
> Waiting for (objectClass=ipahbacrule) fixup to complete...
> Completed filter (objectClass=ipahbacrule)
>
> Bulk import and fixup tasks are now completed
>
>
>

Thank you for the provisioning script:

* should this be part of freeIPA or is it just a script for testing purposes?
* the code isn't very pythonic; if it is just for testing I don't care, but if this will be part of freeIPA I care a lot (I can help in this case :) )
* maybe some parts of IPA code can be reused for this script, it has to run on an installed server anyway

Martin^2

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From pvomacka at redhat.com Sun Jun 5 16:34:42 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Sun, 5 Jun 2016 18:34:42 +0200 Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI Message-ID: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> Hello, please review attached patches which add WebUI part of DNS Locations feature. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0039-Add-adapter-attribute-for-choosing-record.patch Type: text/x-patch Size: 1664 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0040-DNS-Locations-WebUI-part.patch Type: text/x-patch Size: 12650 bytes Desc: not available URL: From pvomacka at redhat.com Sun Jun 5 17:22:06 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Sun, 5 Jun 2016 19:22:06 +0200 Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles In-Reply-To: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com> References: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com> Message-ID: <6c5ee253-49b1-5f24-00a1-15feb77728e4@redhat.com> On 06/03/2016 03:10 PM, Petr Vobornik wrote: > On 06/02/2016 01:40 PM, Pavel Vomacka wrote: >> Hello, >> >> please review my patches which add webui for server roles. >> > Did not test yet. I'm waiting for rebase of backend. > > Patch 36: ACK (assuming it works when ^^ is available) > > Patch 37: > > 1. typo: 'overriden' - twice Fixed. > > 2. 'create_column_link' is a bad name for the method. The method doesn't > create a column link. It is a link's click handler. So the name should > be e.g. on_column_link_click Yes, this is better. Fixed. > Patch 38: > > 1. in serverroles_nested_search_facet wouldn't it be better to override > only get_refresh_command_options and maybe get_refresh_command_args > instead of full create_refresh_command? > Fixed. Attached the whole patchset with edited patches. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0036-Association-table-can-be-read-only.patch Type: text/x-patch Size: 1413 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0037-2-Extend-table-facet.patch Type: text/x-patch Size: 5361 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0038-2-Add-server-roles-on-topology-page.patch Type: text/x-patch Size: 7566 bytes Desc: not available URL: From jcholast at redhat.com Mon Jun 6 05:28:53 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 6 Jun 2016 07:28:53 +0200
Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency
In-Reply-To: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com>
References: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com>
Message-ID: <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com>

Hi,

On 3.6.2016 18:29, Petr Vobornik wrote:
> admintools doesn't pull python[2|3]-ipaclient by default which ends
> with exception if CLI is used.

Please use this ticket URL: 

Honza

--
Jan Cholasta

From jcholast at redhat.com Mon Jun 6 05:52:05 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 6 Jun 2016 07:52:05 +0200
Subject: [Freeipa-devel] [NOTICE] Thin client has been merged
Message-ID: <081920e5-a726-78e8-3d4d-cbca0bce597b@redhat.com>

Hi,

on Friday, the initial thin client patchset was merged. This will affect you in two ways:

* As a user, you will notice that it takes the ipa tool a long time to execute a command. This will be fixed in a subsequent patch set this week.

* As a developer, you will need to rebase your patches if you touched plugin code, because ipalib/plugins is now gone. Most of the plugin code resides in ipaserver/plugins now, and usually it should be good enough to rename your files accordingly. However, if your command implements any of the `interactive_prompt_callback`, `forward` or `output_for_cli` methods, you will need to split it into server and client parts. See ipaclient/plugins for examples on how to do it.

If you need help with anything, please contact me.

Honza

--
Jan Cholasta

From jcholast at redhat.com Mon Jun 6 06:29:16 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 6 Jun 2016 08:29:16 +0200
Subject: [Freeipa-devel] V4/Sub-CAs review
In-Reply-To: <20160601044955.GA4744@dhcp-40-8.bne.redhat.com>
References: <57161E1F.6020001@redhat.com> <6b09c0a9-2887-92a0-b284-4b5af947dfde@redhat.com> <20160510103617.GP1237@dhcp-40-8.bne.redhat.com> <9eb88563-3d22-3c6e-f314-fc6ce2d69985@redhat.com> <20160517125029.GJ1323@dhcp-40-8.bne.redhat.com> <25104587-46d2-6574-2220-3b453b0af599@redhat.com> <20160601044955.GA4744@dhcp-40-8.bne.redhat.com>
Message-ID: <5be644e6-2858-c08f-cadd-ca2f99dfcef3@redhat.com>

On 1.6.2016 06:49, Fraser Tweedale wrote:
> On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote:
>>>>>> 2)
>>>>>>
>>>>>> It should be mentioned here that the primary CA is also handled by this
>>>>>> plugin.
>>>>>>
>>>>>> I would like to propose two additional fields:
>>>>>>
>>>>>> * subject (required) - subject name of the CA, to be able to look up the
>>>>>> sub-CA that issued a certificate from its issuer name.
>>>>>>
>>>>>> * issuer_ca (optional) - name of the sub-CA which issued the certificate for
>>>>>> this CA, to have information about the sub-CA hierarchy. If there is no
>>>>>> sub-CA entry for the issuer, it would be unset.
>>>>>>
>>>>> These data exist in the Dogtag database. Adding them to IPA might
>>>>> be useful for avoiding round trips so it is probably worth doing,
>>>>> but are you aware of use cases that would absolutely require them?
>>>>
>>>> As for subject, we are adding the ability to look up information about
>>>> arbitrary certificates to cert-{show,find} as part of
>>>> . Part of this information
>>>> should be whether the certificate was issued by our CA and what CA it was,
>>>> so that the web UI can present an appropriate "revoke certificate" button
>>>> for the certificate.
>>>>
>>>> As for issuer CA, I believe we need it to fix automatic CA certificate
>>>> renewal. The current renewal code uses virtual "profiles" to handle CA
>>>> certificate renewal, but that turned out to be an issue, especially with
>>>> externally signed CA certificates:
>>>> . Instead it could use
>>>> the issuer CA information from LDAP to figure out what needs to be done.
>>>> (Note that during the renewal, Dogtag is offline.)
>>>>
>>>> Also, both the attributes should be included for compatibility with external
>>>> CAs. At this point, I think it's only a matter of time before support for them
>>>> will be added (there were already several requests for such a feature), and
>>>> I would very much prefer to have to maintain only a single code path for the
>>>> generic stuff (which includes both of the attributes), instead of one for
>>>> Dogtag and one for external CAs.
>>>>
>>> OK, I'll add issuer DN and subject DN attributes to the ipaCa
>>> objectClass.
>>
>> Just to be clear, what I meant is for the issuer attribute to contain the DN
>> of the CA entry in LDAP, not the issuer DN itself.
>>
> I see; thanks for the clarification.

Actually, the more I think of this, I think the attribute should contain the issuer DN rather than the CA entry DN. That way it could be mandatory, thus simplifying the related logic, and it should make adding external CAs easier in the future.

> I'm going to publish the first
> version of the patchset soon - it will not have this implemented
> yet, but I think it's more important for me to get patches out for
> review ASAP, and add this aspect in a subsequent patchset.

OK, but please make sure it is done before 4.4; adding new mandatory attributes is a backward incompatible change, and we most certainly don't want to deal with that after the release.

>
>>>>>> """
>>>>>> The Python script shall be installed at /usr/libexec/pki-ipa-retrieve-key
>>>>>> and shall be executed as pkiuser.
>>>>>> """
>>>>>>
>>>>>> Could you please use a subdirectory? Like /usr/libexec/pki (if the script is
>>>>>> going to be distributed with Dogtag) or /usr/libexec/ipa (if the script is
>>>>>> going to be distributed with IPA).
>>>>>>
>>>>> What is the rationale - is it a packaging guideline or just common
>>>>> sense?
>>>>
>>>> I'm not sure if it's an actual guideline, but IMHO it's definitely common
>>>> sense - I don't think littering the global namespace (i.e. /usr/libexec) is
>>>> ever preferable to keeping your stuff in your own namespace.
>>>>
>>> I'll drop the script in a subdir. While I'm at it, I think I will
>>> move it to the IPA codebase, to improve locality of the Python code.
>>> e.g. if the CustodiaClient API or any other IPA Python API changes, the
>>> code in the pki repo will be too easily missed.
>>
>> OK, makes sense.
>>
> Latest version of patch 0054 installs the helper program under
> /usr/libexec/ipa.

OK.

>
>>>> Please don't use ipaUniqueId as the RDN unless absolutely necessary. Not
>>>> only does it make debugging harder (because you can't tell which object is which
>>>> just by looking at the DN), it also requires the framework to do an extra
>>>> LDAP search every time the DN needs to be translated to a primary key.
>>>>
>>> If cn is used in the RDN, will changing cn (which then will be a modrdn
>>> operation) correctly update the references from CA ACLs?
>>
>> Yes, the referint DS plugin takes care of that.
>>
> cn it is; no more ipaUniqueId.

OK.

>
>>>
>>>> "host-authority" does not strike me as something familiar, and the "host"
>>>> bit is kind of confusing, since it is not at all related to IPA hosts. Could
>>>> we use something more obvious ("default", "root", ...)?
>>>>
>>> We shouldn't use "root" because it might not be a root CA.
>>>
>>> We probably shouldn't use "default" because we might later want to
>>> allow different default CAs for different profiles or principal
>>> types.
>>
>> What about "main"?
>>
>>>
>>> Perhaps simply "IPA CA", "ipa", or some variation on that theme?
>>
>> Something like this might be the best, as we currently refer to this CA as
>> "IPA CA".
>>
> I went with 'cn=ipa' and 'description=IPA CA'.

OK.

>
>>>
>>> As discussed above, there will now also be attributes for issuer DN
>>> and subject DN.
>>>
>>>> Why does a Dogtag lightweight CA need to be created before the LDAP entry? I
>>>> assume it's because deleting an LDAP entry is easier than deleting a Dogtag
>>>> lightweight CA in case something goes wrong, in which case I think ipaCaId
>>>> should be required and use a placeholder value in the initial LDAP entry.
>>>>
>>> The IPA object is created first to ensure that the user has the
>>> permissions to do so. Apart from that it is not important which
>>> happens first. I can check permissions with can_add() but defer IPA
>>> object creation until after the Dogtag LWCA has been created. In
>>> fact this is a cleaner approach.
>>
>> Yes, I agree.
>>
> Everything works fine with can_add(); design updated.

OK.

>
>>> ca-del results in deletion of the signing key from Dogtag's NSSDB,
>>> and deletion of the Dogtag lightweight authority object. On the IPA
>>> side it removes the ipaCa object, removes references from CA ACLs,
>>> etc. ca-del should be a command.
>>
>> OK, but should the certificates issued by the CA stay valid? I would think
>> not - when authorization is based on group membership and the group is
>> deleted, it is no longer possible to authorize - when authorization is based
>> on the CA, I assume it should work analogously and authorization should
>> stop working when the CA is deleted. Or am I missing something?
>>
> It makes sense to revoke the CA certificate when the CA is deleted.
> There is a Dogtag ticket: https://fedorahosted.org/pki/ticket/1638.
>
> After that is implemented, I don't think extra behaviour is needed
> in IPA - but we should clearly document what happens with revocation
> when a CA is deleted.
>
> Until it is implemented, revocation can be performed manually.
> > (I'll add the preceding commentary to the design page.) OK. > >>> >>> We can add ca-disable and ca-enable - these behaviours are >>> implemented in Dogtag already. I prefer the more fine-grained >>> control that CA ACLs give you, but I suppose people will want >>> wholesale enable/disable as well? Or is it premature to assume so? >> >> I think it can be added later. The advantage over CA ACLs is that you don't >> have to go through potentially many ACLs to enable/disable a single CA. >> > Agreed. > > Thanks, > Fraser > -- Jan Cholasta From mkosek at redhat.com Mon Jun 6 06:34:44 2016 
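The Sub-CAs thread above settles on ipaCa entries keyed by cn that carry the CA's own subject DN and the DN of its issuer (the issuer DN itself, not the DN of the issuing CA's LDAP entry, so the attribute can be mandatory and a self-signed CA simply has issuer equal to subject). As an added example, not FreeIPA's or Dogtag's code, the following shows how those two attributes answer the questions raised in the thread: which of our CAs issued a given certificate (the cert-show "revoke" button case), what the sub-CA hierarchy looks like without a round trip to Dogtag, and which subordinate CAs become unverifiable when a CA is deleted. The entry dicts, the attribute names ipacasubjectdn/ipacaissuerdn and the simplified DN normalisation are assumptions made for the example.

```python
"""Issuer-DN based CA lookup over ipaCa-style entries.

Added example for the Sub-CAs thread; this is not FreeIPA code. The entries,
the attribute names ``ipacasubjectdn`` / ``ipacaissuerdn`` and the simplified
DN normalisation (no full RFC 4514 handling) are all assumptions.
"""
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, lowercase
    attribute types and values, strip surrounding whitespace. Escaped commas
    ("\\,") inside a value are kept as part of the value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parts = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)


# Constructed ipaCa-style entries keyed by cn (the RDN the thread settled on).
CAS: Dict[str, dict] = {
    "ipa": {
        "description": "IPA CA",
        "ipacasubjectdn": "CN=Certificate Authority,O=EXAMPLE.TEST",
        "ipacaissuerdn": "CN=Certificate Authority,O=EXAMPLE.TEST",  # self-signed
    },
    "puppet": {
        "description": "Puppet sub-CA",
        "ipacasubjectdn": "CN=Puppet CA,O=EXAMPLE.TEST",
        "ipacaissuerdn": "CN=Certificate Authority,O=EXAMPLE.TEST",
    },
    "puppet-agents": {
        "description": "Puppet agents sub-CA",
        "ipacasubjectdn": "CN=Puppet Agents,O=EXAMPLE.TEST",
        "ipacaissuerdn": "cn=puppet ca, o=example.test",  # same DN, different spelling
    },
    "external-signed": {
        "description": "CA signed by a CA outside IPA",
        "ipacasubjectdn": "CN=Ext Signed,O=EXAMPLE.TEST",
        "ipacaissuerdn": "CN=Corporate Root,O=Corp",
    },
}


def find_issuing_ca(issuer_dn: str, cas: Dict[str, dict]) -> Optional[str]:
    """cn of the CA whose subject DN equals ``issuer_dn`` (the cert-show case:
    was this certificate issued by one of our CAs?), or None if it was not."""
    wanted = normalize_dn(issuer_dn)
    for name, entry in cas.items():
        if normalize_dn(entry["ipacasubjectdn"]) == wanted:
            return name
    return None


def ca_chain(name: str, cas: Dict[str, dict]) -> List[str]:
    """Walk from ``name`` towards the root via issuer DN -> subject DN.
    Stops at a self-signed CA or when the issuer is not one of our CAs
    (externally signed); raises instead of looping on inconsistent data."""
    chain, seen = [], set()
    cur: Optional[str] = name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"issuer loop detected at {cur!r}")
        seen.add(cur)
        chain.append(cur)
        entry = cas[cur]
        if normalize_dn(entry["ipacaissuerdn"]) == normalize_dn(entry["ipacasubjectdn"]):
            break  # self-signed: top of the hierarchy we know about
        cur = find_issuing_ca(entry["ipacaissuerdn"], cas)
    return chain


def subordinates(name: str, cas: Dict[str, dict]) -> List[str]:
    """CAs whose chain passes through ``name``: everything they issued can no
    longer be validated once ``name`` is deleted or its certificate revoked."""
    return sorted(c for c in cas if c != name and name in ca_chain(c, cas))


if __name__ == "__main__":
    for cn in CAS:
        print(f"{cn}: chain={ca_chain(cn, CAS)} subordinates={subordinates(cn, CAS)}")
```

The loop check in ca_chain matters precisely because the attribute holds a DN rather than an entry reference: nothing in the directory stops two entries from naming each other as issuer, so the walk must defend itself rather than trust referential integrity.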
From: mkosek at redhat.com (Martin Kosek) Date: Mon, 6 Jun 2016 08:34:44 +0200 Subject: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue In-Reply-To: References: <7bc96540-1300-56dc-140e-8fd8c624bc57@redhat.com> <3a2dd3ab-c323-15f8-ef63-4492c63333ad@redhat.com> <643bf3a9-b802-9283-e185-63e81a8cbb37@redhat.com> <262dd078-9791-43aa-71e0-39d9b8da2691@redhat.com> <6a678451-e4ec-fb49-5050-a863693e2a5c@redhat.com> <5c0558b4-9980-c6be-5dfe-4fa38ecf84e2@redhat.com> <5fcb9376-d94f-b110-c184-04203484aae6@redhat.com> <8343ffba-26e1-64e2-2804-edece67722bd@redhat.com> <0b2a5b41-ff48-24c2-67bc-10c995f98890@redhat.com> <8d1c03f1-0b24-29dd-e297-2ffc8cf6d2d4@redhat.com> Message-ID: <051496f2-9d89-a9c5-67be-fe86a310ac10@redhat.com> On 06/03/2016 12:51 PM, Martin Basti wrote: > > > On 03.06.2016 08:53, Petr Spacek wrote: >> On 2.6.2016 17:53, Martin Basti wrote: >>> >>>>>>>> Typo - redundant ' ' at the end. >>>>>>>> >>>>>>>> >>>>>>>> Conditional NACK, warnings mentioned in >>>>>>>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI >>>>>>>> are not there. >>>>>>>> >>>>>>>> I'm open to changing this to ACK if you open a separate ticket for this >>>>>>>> omission so we do not forget to add them later on. >>> I forgot to add, this will be in next batch of patches (you may see that there >>> are not marked DNS servers in output of location show), I do not see reason to >>> open ticket when the current one is not finished. >>> >>>>>>> +1 >>>>>>> >>>> Done >>>> >>>>>>> Patch 480: >>>>>>> >>>>>>> 1) The code in location_show.execute() looks like it could be moved to >>>>>>> location_show.post_callback() >>>>>>> >>>> I had to add it to execute because I modifies result entry not just >>>> entry_attrs >>>> >>>>>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so >>>>>>> that >>>>>>> it is not displayed with --all. >>>>>>> >>>>>>> >>>> Done >>>> >>>>>>> Patch 481: >>>>>>> >>>>>>> 1) Could we rename --force to --nonempty (or something better)? 
I would >>>>>>> like >>>>>>> to reserve --force for "ignore NotFound when deleting the entry", which >>>>>>> is not >>>>>>> the case here. >>>>>> IMHO option is unnecessary. Just delete the location (and unset location >>>>>> from >>>>>> all member servers). The design does not contain --force anyway :-) >>>>> OK, that's even better :-) >>>>> >>>> Done >>>> >>>> Updated patches attached >> I had to add top object class to the plugin and tests to make tests pass. >> Patch is attached. >> >> CondACK: Fix this before pushing somehow. >> > > Updated and heavily rebased patches attached. Hi guys, I saw the patches were merged, great! I just noticed that you added referential integrity for dnslocation attribute. In that case, you will want to also add QE, PRES index for it, to keep performance on reasonable level. Or was the omission of index already discussed and justified? Thanks, Martin From jcholast at redhat.com Mon Jun 6 06:58:32 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 6 Jun 2016 08:58:32 +0200 Subject: [Freeipa-devel] [PATCH] 0065 Remove service and host cert issuer validation In-Reply-To: <20160603051559.GL4744@dhcp-40-8.bne.redhat.com> References: <20160603051559.GL4744@dhcp-40-8.bne.redhat.com> Message-ID: <836245e3-09cc-ddd6-d722-405f5c6a5359@redhat.com> On 3.6.2016 07:15, Fraser Tweedale wrote: > The attached patch enables cert issuance to hosts and services using > sub-CAs. Thanks, ACK. Rebased and pushed to master: fa149cff86a67ebfe2739df6467a6e10e47742cd -- Jan Cholasta From akasurde at redhat.com Mon Jun 6 07:15:42 2016 
From: akasurde at redhat.com (Abhijeet Kasurde) Date: Mon, 6 Jun 2016 12:45:42 +0530 Subject: [Freeipa-devel] [python-pytest-multihost][PATCH 0003] Added force option to rmdir In-Reply-To: <57514E3C.4000307@redhat.com> References: <57514E3C.4000307@redhat.com> Message-ID: <5755231E.9090103@redhat.com> On 06/03/2016 03:00 PM, Abhijeet Kasurde wrote: > Hi All, > > Please review this patch. > > > Self-NACK -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io From ofayans at redhat.com Mon Jun 6 08:00:17 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 6 Jun 2016 10:00:17 +0200 Subject: [Freeipa-devel] [Testplan Review] In-Reply-To: References: <573D97BE.8020202@redhat.com> <15def057-454b-8fe1-7e93-0e63d81c2a62@redhat.com> <5742B00F.4090509@redhat.com> Message-ID: <57552D91.9030402@redhat.com> Hi Petr, I've updated the testplan according to your notes. What should we do with this testcase about abort-clean-ruv? I mean, it would be quite complicated to reliably automate. Should we leave the testcase anyway with a note that the step may fail if the command is not issued fast enough? On 05/31/2016 06:36 PM, Petr Vobornik wrote: > On 05/23/2016 09:23 AM, Oleg Fayans wrote: >> Hi Petr, >> >> The test plan is updated. > > Thanks, > > is it possible to number test cases? It is hard to refer to them without > copying the full name. > > 1. first test case: `ipa host-find` will show the host entry, but cert > will be revoked and kerb key removed > > 2. "Test case: server_del API call is executed at ipa-server-install > --uninstall on the replica under domain " > In dom. lvl 1(after step 3), checks/output from first test case should > apply here + server should be uninstalled. > > 3. *-ruv subcommands of ipa-replica-manage are extended to handle > CA-specific RUVs > > I'll assume that '97' is just an example. It might be different. > > It is possible that step 3 will fail - it's racy. > > 4. Last test case with the "autogenerated" placeholder is not much > important - so only if you have nothing more important to do. > > Web UI will get interactive add of segments + some other improvements in > a topology graph but I don't know if it can be tested easily.
> >> >> On 05/19/2016 12:54 PM, Petr Vobornik wrote: >>> On 05/19/2016 12:38 PM, Oleg Fayans wrote: >>>> Hi all, >>>> >>>> I've created the first version of the testplan for Topology Management >>>> feature in 4.4 release: >>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>> >>>> Could someone please review it? >>>> >>> >>> I'll mention what are the important parts. >>> >>> 1. In the 3 scenarios, the most important one is testing the >>> `ipa-server-install --uninstall`. There it is more important to check >>> whether it did the same as `ipa-csreplica-manage del`, >>> `ipa-replica-manage del` and `ipa-server-install --uninstall` procedure. >>> Which means removal of master entry, DNS records, Kerberos keys, >>> revocation of certificates... Checking RUVs is not the critical part. >>> >>> 2. I miss test for move of `ipa-replica-manage set-renewal-master` to API >> >> Isn't it more related to the server roles feature? Will it be one of the >> ipa server* commands? > > True > >> >>> >>> 3. test of new `ipa server-del` method >>> >>> when these three are done then I'd focus on RUVs >>> >> > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From tbordaz at redhat.com Mon Jun 6 08:40:54 2016
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 6 Jun 2016 10:40:54 +0200 Subject: [Freeipa-devel] [PATCH] script for provisioning In-Reply-To: References: <5751A70E.2080306@redhat.com> Message-ID: <57553716.7030501@redhat.com> On 06/05/2016 10:45 AM, Martin Basti wrote: > > > > On 03.06.2016 17:49, thierry bordaz wrote: >> Hello, >> >> A performance bottleneck during provisioning was described >> http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds... >> >> I wrote the attached script that is following >> http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm >> >> This is a preliminary script that needs to be improved but just to >> check it matches basic requirements I am sending it to the alias to >> get some feedback. >> >> The output of a provisioning session is below. The steps are: >> >> * install freeipa-server >> * create a provisioning file using >> https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py >> * ipa-provision.py prepare >> * ipa-provision.py import >> * ipa-provision.py finish >> >> Note: you will likely need to define the DM password with the option >> '-w ' >> >> regards >> thierry >> >> >> /tmp/ipa-provision.py prepare -f >> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -d 1 >> entrycache = 10485760 >> dncache = 10485760 >> dbcache = 209715200 >> dblock = 10000 >> Preparation of the bulk import is now completed >> If you want to continue: >> - run /tmp/ipa-provision.py import -f >> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif >> - run /tmp/ipa-provision.py finish -b >> >> If you want to not continue: >> - run /tmp/ipa-provision.py abort >> >> >> >> /tmp/ipa-provision import -f >> /tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif >> -debug 2 >> adding new entry >> "uid=user0,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >> >> adding new entry >> 
"uid=user1,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >> >> adding new entry >> "uid=user2,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >> ... >> adding new entry >> "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >> >> adding new entry >> "ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" >> >> Bulk import is now completed >> You need to run: >> - run /tmp/ipa-provision.py finish -b >> >> >> >> /tmp/ipa-provision.py finish >> >> Waiting for (objectClass=inetorgperson) fixup to complete... >> Completed filter (objectClass=inetorgperson) >> >> Waiting for (objectClass=ipausergroup) fixup to complete... >> Completed filter (objectClass=ipausergroup) >> >> Waiting for (objectClass=ipahost) fixup to complete... >> Completed filter (objectClass=ipahost) >> >> Waiting for (objectClass=ipahostgroup) fixup to complete... >> Completed filter (objectClass=ipahostgroup) >> >> Waiting for (objectClass=ipasudorule) fixup to complete... >> Completed filter (objectClass=ipasudorule) >> >> Waiting for (objectClass=ipahbacrule) fixup to complete... >> Completed filter (objectClass=ipahbacrule) >> >> Bulk import and fixup tasks are now completed >> >> >> > > Thank you for provisioning script: > > * should be this part of freeIPA or is it just script for testing > purposes? > * the code isn't pythonic much, if it is just for testing I don't > care, but if this will be part of freeIPA I care a lot (I can help in > this case :) ) > * maybe some parts of IPA code can be reused for this script, is has > to run on installed server anyway > > Martin^2 > > Hi Martin, Thanks for your review of that script.. over the weekend :-) It should be part of freeipa as a way to support provisioning of large number of entries. I am not really surprised it is not pythonic, I tried first to use IPA code but got lost and finally decided to do it that easy way. 
I am fine if it needs to be rewritten and would really appreciate your help :-) Yes, it has to run on an installed server. But even being part of the FreeIPA delivery, this script would preferably run with FreeIPA stopped and only DS running. It saves memory and limits DS ops. Thanks thierry From tbordaz at redhat.com Mon Jun 6 08:59:25 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 6 Jun 2016 10:59:25 +0200 Subject: [Freeipa-devel] ipapwd_extop vs password_extop Message-ID: <57553B6D.4020804@redhat.com> Hello, In DS it is possible to register callbacks for extended ops. For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), there is a default callback that is implemented in the DS core server. FreeIPA enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' that also registers a callback, ipapwd_extop/ipapwd_chpwop, for that same extop. The server calls the callbacks until it finds one that can handle the OID. But the order is not guaranteed. So the extop can be handled either by password_extop or by ipapwd_chpwop. Those two functions are not doing the same checking/updates. I would like to confirm that, in the FreeIPA context, only ipapwd_extop/ipapwd_chpwop should be called. thanks thierry From abokovoy at redhat.com Mon Jun 6 09:07:49 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Jun 2016 12:07:49 +0300 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <57553B6D.4020804@redhat.com> References: <57553B6D.4020804@redhat.com> Message-ID: <20160606090749.yljbo6zrfxgcda7m@redhat.com> On Mon, 06 Jun 2016, thierry bordaz wrote: >Hello, > > In DS it is possible to register callbacks for extended ops. > For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), > there is a default callback that is implemented in the DS core server. > FreeIPA enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' > that also registers a callback, ipapwd_extop/ipapwd_chpwop, for that > same extop. > > The server calls the callbacks until it finds one that can handle > the OID. But the order is not guaranteed. > So the extop can be handled either by password_extop or by > ipapwd_chpwop. > > Those two functions are not doing the same checking/updates. > > I would like to confirm that, in the FreeIPA context, only > ipapwd_extop/ipapwd_chpwop should be called. Correct. I think we have also added plugin priority to allow handling this type of conflict gracefully. -- / Alexander Bokovoy From mbasti at redhat.com Mon Jun 6 09:53:08 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 11:53:08 +0200 Subject: [Freeipa-devel] [Testplan Review] Manage replication topology In-Reply-To: <57552D91.9030402@redhat.com> References: <573D97BE.8020202@redhat.com> <15def057-454b-8fe1-7e93-0e63d81c2a62@redhat.com> <5742B00F.4090509@redhat.com> <57552D91.9030402@redhat.com> Message-ID: <3295cc21-06db-56a1-52e6-f8cb65309d7b@redhat.com> On 06.06.2016 10:00, Oleg Fayans wrote: > Hi Petr, > > I've updated the testplan according to your notes. What should we do > with this testcase about abort-clean-ruv? I mean, it would be quite > complicated to reliably automate. Should we leave the testcase anyway > with a note that the step may fail if the command is not issued fast > enough? It might be enough to just put some broken RUV there by using ldapmodify during test provision. * edited subject Martin^2 > On 05/31/2016 06:36 PM, Petr Vobornik wrote: >> On 05/23/2016 09:23 AM, Oleg Fayans wrote: >>> Hi Petr, >>> >>> The test plan is updated. >> Thanks, >> >> is it possible to number test cases? It is hard to refer to them without >> copying the full name. >> >> 1. first test case: `ipa host-find` will show the host entry, but cert >> will be revoked and kerb key removed >> >> 2. "Test case: server_del API call is executed at ipa-server-install >> --uninstall on the replica under domain " >> In dom. lvl 1(after step 3), checks/output from first test case should >> apply here + server should be uninstalled. >> >> 3. *-ruv subcommands of ipa-replica-manage are extended to handle >> CA-specific RUVs >> >> I'll assume that '97' is just an example. It might be different. >> >> It is possible that step 3 will fail - it's racy. >> >> 4. Last test case with the "autogenerated" placeholder is not much >> important - so only if you have nothing more important to do. >> >> Web UI will get interactive add of segments + some other improvements in >> a topology graph but I don't know if it can be tested easily.
>> >>> On 05/19/2016 12:54 PM, Petr Vobornik wrote: >>>> On 05/19/2016 12:38 PM, Oleg Fayans wrote: >>>>> Hi all, >>>>> >>>>> I've created the first version of the testplan for Topology Management >>>>> feature in 4.4 release: >>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>> >>>>> Could someone please review it? >>>>> >>>> I'll mention what are the important parts. >>>> >>>> 1. In the 3 scenarios, the most important one is testing the >>>> `ipa-server-install --uninstall`. There it is more important to check >>>> whether it did the same as `ipa-csreplica-manage del`, >>>> `ipa-replica-manage del` and `ipa-server-install --uninstall` procedure. >>>> Which means removal of master entry, DNS records, Kerberos keys, >>>> revocation of certificates... Checking RUVs is not the critical part. >>>> >>>> 2. I miss test for move of `ipa-replica-manage set-renewal-master` to API >>> Isn't it more related to the server roles feature? Will it be one of the >>> ipa server* commands? >> True >> >>>> 3. test of new `ipa server-del` method >>>> >>>> when these three are done then I'd focus on RUVs >>>> >> From mbasti at redhat.com Mon Jun 6 09:55:48 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 11:55:48 +0200 Subject: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used In-Reply-To: References: <511dce5e-4f52-6f29-9ea5-19d189885cbf@redhat.com> <269d1dec-6677-a6c6-5b79-df0d2ce697a7@redhat.com> <56c1e83f-5629-1da7-8090-ba55355c6bf9@redhat.com> Message-ID: <3cb48b3a-4261-1e2e-c4d0-7d2e14801c70@redhat.com> On 30.05.2016 12:49, Petr Spacek wrote: > On 29.5.2016 14:45, Martin Basti wrote: >> >> On 27.05.2016 14:12, Petr Spacek wrote: >>> On 25.5.2016 12:50, Martin Basti wrote: >>>> On 20.05.2016 12:19, Petr Spacek wrote: >>>>> On 11.5.2016 12:08, Martin Basti wrote: >>>>>> On 03.05.2016 14:59, Petr Spacek wrote: >>>>>>> Hello, >>>>>>> >>>>>>> DNS upgrade: change forwarding policy to "only" if private IPs are used. >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5710 >>>>>>> >>>>>>> This is the upgrade part. I will add one more patch to print a warning in >>>>>>> dnsforwardzone* commands to avoid surprises. Please do not close the ticket >>>>>>> yet. >>>>>>> >>>>>>> >>>>>>> >>>>>> 1) >>>>>> Upgrade failed with 'BindInstance' object has no attribute >>>>>> 'named_conf_get_directive' >>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command >>>>>> ipa-server-upgrade manually. >>>>>> ('IPA upgrade failed.', 1) >>>>>> The ipa-server-upgrade command failed. 
See /var/log/ipaupgrade.log for more >>>>>> information >>>>>> >>>>>> 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object has no >>>>>> attribute 'named_conf_get_directive' >>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", >>>>>> line >>>>>> 213, in __upgrade >>>>>> self.modified = (ld.update(self.files) or self.modified) >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", >>>>>> line 917, in update >>>>>> self._run_updates(all_updates) >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", >>>>>> line 889, in _run_updates >>>>>> self._run_update_plugin(update['plugin']) >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", >>>>>> line 862, in _run_update_plugin >>>>>> restart_ds, updates = self.api.Updater[plugin_name]() >>>>>> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line >>>>>> 1418, in >>>>>> __call__ >>>>>> return self.execute(**options) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", >>>>>> line 547, in execute >>>>>> self.update_global_named_conf_forwarder(bind) >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", >>>>>> line 508, in update_global_named_conf_forwarder >>>>>> if bind.named_conf_get_directive( >>>>>> AttributeError: 'BindInstance' object has no attribute >>>>>> 'named_conf_get_directive' >>>>>> >>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last): >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line >>>>>> 447, in start_creation >>>>>> run_step(full_msg, method) >>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>>> line >>>>>> 437, in run_step >>>>>> method() >>>>>> File >>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", >>>>>> line >>>>>> 
221, in __upgrade >>>>>> raise RuntimeError(e) >>>>>> RuntimeError: 'BindInstance' object has no attribute >>>>>> 'named_conf_get_directive' >>>>>> >>>>>> PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new >>>>>> attribute * >>>>>> 2) >>>>>> + Int('ipadnsversion?', >>>>>> + label=_('IPA DNS version'), >>>>>> + ), >>>>>> >>>>>> Shouldn't be this part of System: Read DNS Configuration permission? >>>>>> >>>>>> 3) >>>>>> - def postprocess_result(self, result): >>>>>> + def postprocess_result(self, result, show_version): >>>>>> if not any(param in result['result'] for param in self.params): >>>>>> result['summary'] = unicode(_('Global DNS configuration is >>>>>> empty')) >>>>>> >>>>>> show_version param was added but I don't see it used in this patch. >>>>>> >>>>>> 4) >>>>>> + Int('ipadnsversion?', >>>>>> + label=_('IPA DNS version'), >>>>>> + ), >>>>>> >>>>>> Could we add comment here that this option is accessible only from >>>>>> installers >>>>>> and upgrade? >>>>>> >>>>>> 5) >>>>>> + for config_option in container_entry.get("ipaConfigString", []): >>>>>> + matched = re.match("^DNSVersion\s+(?P\d+)$", >>>>>> + config_option, flags=re.I) >>>>>> + if matched: >>>>>> + version = int(matched.group("version")) >>>>>> >>>>>> Shouldn't we print error if version cannot be parsed? >>>>>> >>>>>> PATCH * DNS upgrade: separate backup logic to make it reusable * >>>>>> >>>>>> LGTM >>>>>> >>>>>> PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() * >>>>>> >>>>>> 7) >>>>>> I'm curious why do you need to check superdomains? 
>>>>>> >>>>>> PATCH * DNS upgrade: change forwarding policy to = only for conflicting >>>>>> forward zones* >>>>>> >>>>>> 8) >>>>>> + self.log.debug('Zone %s was sucessfully modified to use ' >>>>>> + 'forward policy "only"', zone['idnsname'][0]) >>>>>> <---missing empty line----> >>>>>> + def execute(self, **options): >>>>>> >>>>>> PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if >>>>>> private IPs are used * >>>>>> 9) >>>>>> - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0]) >>>>>> + dnsutil.related_to_auto_empty_zone( >>>>>> + dnsutil.DNSName(zone.get('idnsname')[0])) >>>>>> >>>>>> Should be in previous commit >>>>>> >>>>>> 10) >>>>>> - return >>>>>> + return False, [] >>>>>> This should be fixed in the previous commit >>>>>> >>>>>> PATCH * DNS upgrade: change global forwarding policy in named.conf to "only" >>>>>> if private IPs are used * >>>>>> 11) >>>>>> IMO this is an upgrade of configuration and this should be in >>>>>> ipaserver/install/server/upgrade.py, upgrade plugins are used only for >>>>>> updating of LDAP values >>>>>> >>>>>> Unless you really want to use this as precedence, but then it requires >>>>>> broader >>>>>> discussion. >>>>>> >>>>>> 12) >>>>>> >>>>>> bind.named_conf_get_directive >>>>>> should be >>>>>> bindinstance.named_conf_get_directive >>>>>> >>>>>> see 1) >>>>> This new patchset completely obsoletes the old one. I had to reshuffle few >>>>> things to to make the split between server config & LDAP upgrade possible. >>>>> >>>>> Hopefully I addressed all your comment. >>>>> >>>> commits >>>> * Move IP address resolution from ipaserver.install.installutils to >>>> ipapython.dnsutil * and * Turn verify_host_resolvable() into a wrapper around >>>> ipapython.dnsutil * >>>> >>>> cause regression in case that dns.python resolver returns NoNameservers >>>> exception, it is handled as 'Internal server error' >>>> >>>> In original code every exception was caught and transformed to >>>> DNSNotARecordError. 
>>>> >>>> So we have following options: >>>> * keep the old behavior in 'resolve_rrsets' and catch all exceptions there >>>> * or catch all DNS errors in 'verify_host_resolvable' and raise it as new >>>> PublicError (DNSGenericError (doesn't exist) for example) >>>> >>>> >>>> E InternalError: an internal error has occurred >>>> >>>> ../ipalib/rpc.py:1100: InternalError >>>> test_forwardzone_delegation_warnings.test_command[0017: dnsrecord_mod: >>>> Delete >>>> (using dnsrecord-mod) NS record which delegates zone >>>> u'fw.sub2.sub.dnszone.test.' from zone u'dnszone.test' (expected warning for >>>> u'fw.sub2.sub.dnszone.test.')] >>>> >>>> [Wed May 25 12:17:00.172143 2016] [wsgi:error] [pid 62789] Traceback (most >>>> recent call last): >>>> [Wed May 25 12:17:00.172152 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in >>>> wsgi_execute >>>> [Wed May 25 12:17:00.172158 2016] [wsgi:error] [pid 62789] result = >>>> self.Command[name](*args, **options) >>>> [Wed May 25 12:17:00.172164 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 434, in __call__ >>>> [Wed May 25 12:17:00.172168 2016] [wsgi:error] [pid 62789] return >>>> self.__do_call(*args, **options) >>>> [Wed May 25 12:17:00.172173 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 460, in __do_call >>>> [Wed May 25 12:17:00.172178 2016] [wsgi:error] [pid 62789] ret = >>>> self.run(*args, **options) >>>> [Wed May 25 12:17:00.172183 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 777, in run >>>> [Wed May 25 12:17:00.172189 2016] [wsgi:error] [pid 62789] return >>>> self.execute(*args, **options) >>>> [Wed May 25 12:17:00.172194 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3774, in >>>> execute >>>> [Wed May 25 12:17:00.172199 2016] 
[wsgi:error] [pid 62789] result = >>>> super(dnsrecord_add, self).execute(*keys, **options) >>>> [Wed May 25 12:17:00.172204 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1230, in >>>> execute >>>> [Wed May 25 12:17:00.172209 2016] [wsgi:error] [pid 62789] *keys, **options) >>>> [Wed May 25 12:17:00.172213 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3719, in >>>> pre_callback >>>> [Wed May 25 12:17:00.172229 2016] [wsgi:error] [pid 62789] >>>> self.obj.run_precallback_validators(dn, entry_attrs, *keys, **options) >>>> [Wed May 25 12:17:00.172237 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3135, in >>>> run_precallback_validators >>>> [Wed May 25 12:17:00.172242 2016] [wsgi:error] [pid 62789] rtype_cb(ldap, dn, >>>> entry_attrs, *keys, **options) >>>> [Wed May 25 12:17:00.172247 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3057, in >>>> _nsrecord_pre_callback >>>> [Wed May 25 12:17:00.172252 2016] [wsgi:error] [pid 62789] >>>> check_ns_rec_resolvable(keys[0], DNSName(nsrecord), self.log) >>>> [Wed May 25 12:17:00.172256 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1577, in >>>> check_ns_rec_resolvable >>>> [Wed May 25 12:17:00.172261 2016] [wsgi:error] [pid 62789] >>>> verify_host_resolvable(name) >>>> [Wed May 25 12:17:00.172265 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipalib/util.py", line 70, in >>>> verify_host_resolvable >>>> [Wed May 25 12:17:00.172270 2016] [wsgi:error] [pid 62789] if not >>>> resolve_ip_addresses(fqdn): >>>> [Wed May 25 12:17:00.172274 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 328, in >>>> resolve_ip_addresses >>>> [Wed May 25 12:17:00.172278 2016] 
[wsgi:error] [pid 62789] rrsets = >>>> resolve_rrsets(fqdn, ['A', 'AAAA']) >>>> [Wed May 25 12:17:00.172282 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 305, in >>>> resolve_rrsets >>>> [Wed May 25 12:17:00.172287 2016] [wsgi:error] [pid 62789] answer = >>>> dns.resolver.query(fqdn, rdtype) >>>> [Wed May 25 12:17:00.172292 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/dns/resolver.py", line 1029, in query >>>> [Wed May 25 12:17:00.172296 2016] [wsgi:error] [pid 62789] raise_on_no_answer, >>>> source_port) >>>> [Wed May 25 12:17:00.172301 2016] [wsgi:error] [pid 62789] File >>>> "/usr/lib/python2.7/site-packages/dns/resolver.py", line 856, in query >>>> [Wed May 25 12:17:00.172328 2016] [wsgi:error] [pid 62789] raise >>>> NoNameservers(request=request, errors=errors) >>> Fixed patches are attached. >>> >>> >>> Please note that I've renumbered the patches because the naming does not match >>> the original set anymore. >>> >> NACK >> >> # ipa-run-tests test_xmlrpc/test_host_plugin.py >> =============================================================================================== >> test session starts >> =============================================================================================== >> >> platform linux2 -- Python 2.7.11, pytest-2.9.1, py-1.4.31, pluggy-0.3.1 >> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >> plugins: sourceorder-0.5, multihost-1.0 >> collected 41 items >> >> test_xmlrpc/test_host_plugin.py ...................F...........s......... 
>> >> ==================================================================================================== >> FAILURES >> ===================================================================================================== >> >> ________________________________________________________________________________________ >> TestCRUD.test_try_add_not_in_dns >> _________________________________________________________________________________________ >> >> >> self = > 0x7efc061e4110>, host = > object at 0x7efc0623bb90> >> >> def test_try_add_not_in_dns(self, host): >> host.ensure_missing() >> command = host.make_create_command(force=False) >> with raises_exact(errors.DNSNotARecordError( >>> reason=u'Host does not have corresponding DNS A/AAAA record')): >> test_xmlrpc/test_host_plugin.py:315: >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> ../ipalib/errors.py:264: in __init__ >> messages.process_message_arguments(self, format, message, **kw) >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >> >> obj = DNSNotARecordError(), format = None, message = None, kw = {'reason': >> 'Host does not have corresponding DNS A/AAAA record'}, key = 'reason', value = >> 'Host does not have corresponding DNS A/AAAA record' >> name = 'DNSNotARecordError' >> >> def process_message_arguments(obj, format=None, message=None, **kw): >> for key, value in kw.items(): >> if not isinstance(value, six.integer_types): >> try: >> kw[key] = unicode(value) >> except UnicodeError: >> pass >> obj.kw = kw >> name = obj.__class__.__name__ >> if obj.format is not None and format is not None: >> raise ValueError( >> 'non-generic %r needs format=None; got format=%r' % ( 
>> name, format) >> ) >> if message is None: >> if obj.format is None: >> if format is None: >> raise ValueError( >> '%s.format is None yet format=None, message=None' % name >> ) >> obj.format = format >> obj.forwarded = False >>> obj.msg = obj.format % kw >> E KeyError: 'hostname' > Sorry, this got lost in all the 'normal' failures :-) > > I do not 100% understand this test logic so I hope that attached patch fixes > it correctly. > We broke IPA 4.3 tests, patch that fixes them is attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4.3-mbasti-0496-Fix-exceptions-in-DNS-tests-should-not-have-data-att.patch Type: text/x-patch Size: 1616 bytes Desc: not available URL: From lkrispen at redhat.com Mon Jun 6 10:10:59 2016 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 06 Jun 2016 12:10:59 +0200 Subject: [Freeipa-devel] [Testplan Review] Manage replication topology In-Reply-To: <3295cc21-06db-56a1-52e6-f8cb65309d7b@redhat.com> References: <573D97BE.8020202@redhat.com> <15def057-454b-8fe1-7e93-0e63d81c2a62@redhat.com> <5742B00F.4090509@redhat.com> <57552D91.9030402@redhat.com> <3295cc21-06db-56a1-52e6-f8cb65309d7b@redhat.com> Message-ID: <57554C33.9020106@redhat.com> On 06/06/2016 11:53 AM, Martin Basti wrote: > > > On 06.06.2016 10:00, Oleg Fayans wrote: >> Hi Petr, >> >> I've updated the testplan according to your notes. What should we do >> with this testcase about abort-clean-ruv? I mean, it would be quite >> complicated to reliably automate. Should we leave the testcase anyway >> with a note that the stem may fail if the command is not issued fast >> enough? > > It might be enough to just put some broken RUV there by using > ldapmodify during test provision. you cannot change the ruv from a client, it will be rejected. If you want to force a broken ruv you would have to export to ldif, edit the ldif and reimport > > * edited subject > > Martin^2 >> On 05/31/2016 06:36 PM, Petr Vobornik wrote: >>> On 05/23/2016 09:23 AM, Oleg Fayans wrote: >>>> Hi Petr, >>>> >>>> The test plan is updated. >>> Thanks, >>> >>> is it possible to number test cases? It is hard to refer to them >>> without >>> copying the full name. >>> >>> 1. first test case: `ipa host-find` will show the host entry, but cert >>> will be revoked and kerb key removed >>> >>> 2. "Test case: server_del API call is executed at ipa-server-install >>> --uninstall on the replica under domain " >>> In dom. lvl 1(after step 3), checks/output from first test case should >>> apply here + server should be uninstalled. >>> >>> 3. *-ruv subcommands of ipa-replica-manage are extended to handle >>> CA-specific RUVs >>> >>> I'll assume that '97' is just an example. It might be different. 
>>> >>> It is possible that step 3 will fail - it's racy. >>> >>> 4. Last test case with the "autogenerated" placeholder is not much >>> important - so only if you have nothing more important to do. >>> >>> Web UI will get interactive add of segments + some other >>> improvements in >>> a topology graph but I don't know if it can be tested easily. >>> >>>> On 05/19/2016 12:54 PM, Petr Vobornik wrote: >>>>> On 05/19/2016 12:38 PM, Oleg Fayans wrote: >>>>>> Hi all, >>>>>> >>>>>> I've created the first version of the testplan for Topology >>>>>> Management >>>>>> feature in 4.4 release: >>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >>>>>> >>>>>> >>>>>> Could someone please review it? >>>>>> >>>>> I'll mention what are the important parts. >>>>> >>>>> 1. In the 3 scenarios, the most important one is testing the >>>>> `ipa-server-install --uninstall`. There it is more important to check >>>>> whether it did the same as `ipa-csreplica-manage del`, >>>>> `ipa-replica-manage del` and `ipa-server-install --uninstall` >>>>> procedure. >>>>> Which means removal of master entry, DNS records, Kerberos keys, >>>>> revocation of certificates... Checking RUVs is not the critical part. >>>>> >>>>> 2. I miss test for move of `ipa-replica-manage set-renewal-master` >>>>> to API >>>> Isn't it more related to the server roles feature? Will it be one >>>> of the >>>> ipa server* commands? >>> True >>> >>>>> 3. test of new `ipa server-del` method >>>>> >>>>> when these three are done then I'd focus on RUVs >>>>> >>> > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From pvomacka at redhat.com Mon Jun 6 10:27:06 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 6 Jun 2016 12:27:06 +0200 Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators In-Reply-To: <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com> References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com> <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com> <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com> Message-ID: <9cb4cdbf-c6be-ddb3-0d2b-50aba3015637@redhat.com> On 06/02/2016 06:22 PM, Petr Vobornik wrote: > On 06/01/2016 10:41 AM, Pavel Vomacka wrote: >> >> On 05/27/2016 05:58 PM, Pavel Vomacka wrote: >>> >>> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote: >>>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote: >>>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote: >>>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote: >>>>>>> Hi, >>>>>>> >>>>>>> the patch adds webui part for authentication indicators. >>>>>>> >>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872 >>>>>> The otp option displays as: OTP. >>>>>> The radius option displays as: Radius. >>>>>> >>>>>> However, both are acronyms. The capitalization should be >>>>>> consistent. >>>>> I'm sorry for the late answer. They are displayed this way: 'OTP' and >>>>> 'Radius'. So it should not require any change. >>>> That is incorrect. It should be: OTP and RADIUS. >>> I'm sorry, I didn't understand correctly. Fixed patch attached. >>> >>> >>> >> The last patch changes the 'Radius' to 'RADIUS' in the whole WebUI. >> > After some thought, we should really support the arbitrary values also in > Web UI. > > I'd reuse aci.attributes_widget - move the widget elsewhere, make it a > general widget and a base class for the original aci.attributes_widget. > > The only difference should be populate method and some strings. 
> > The base widget can populate from options - same as normal checkboxes > widget so that service page doesn't need to inherit from the base class. > Ok, thank you for the advice. The edited patch is attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0034-4-Auth-Indicators-webUI-part.patch Type: text/x-patch Size: 23291 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 6 10:29:29 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 12:29:29 +0200 Subject: [Freeipa-devel] [PATCH] 0002 New User Role Tests In-Reply-To: <479389298.57290567.1464876990869.JavaMail.zimbra@redhat.com> References: <1698677244.50966760.1462789150686.JavaMail.zimbra@redhat.com> <19bc3a86-8e60-f023-6bab-b807a3d03364@redhat.com> <651798515.57202911.1464860977307.JavaMail.zimbra@redhat.com> <479389298.57290567.1464876990869.JavaMail.zimbra@redhat.com> Message-ID: <8b36b91f-b93d-c1d8-0bab-7022b7f29949@redhat.com> On 02.06.2016 16:16, Peter Lacko wrote: > Rebased with updated tests. > > Peter > > ----- Original Message ----- > From: "Martin Basti" > To: "Peter Lacko" > Cc: freeipa-devel at redhat.com > Sent: Thursday, June 2, 2016 1:50:06 PM > Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests > > Your patch doesn't apply anymore on master, there were changes in the role > test and the patch has to be updated and rebased > > Please look at this for new changes in test_role_plugin.py > https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=5f42b42bd4557a669ab5cfcf1af6596f1a2535f1 > > Martin^2 > > > On 02.06.2016 11:49, Peter Lacko wrote: >> Sorry for the late response, I wasn't working these days. >> The fixed patch is in the attachment. >> >> Peter >> >> >> ----- Original Message ----- 
>> From: "Martin Basti" >> To: "Peter Lacko" , freeipa-devel at redhat.com >> Sent: Monday, May 9, 2016 1:06:08 PM >> Subject: Re: [Freeipa-devel] [PATCH] 0002 New User Role Tests >> >> >> >> On 09.05.2016 13:04, Martin Basti wrote: >>> On 09.05.2016 12:19, Peter Lacko wrote: >>>> +# pylint: disable=unicode-builtin >>> I'm not doing a complete review, just the line above hit my eyes. >>> >>> unicode() is not in Py3 because all strings there are unicode, thus >>> you cannot use it directly, you need something like >>> >>> if six.PY2: >>> str = unicode >>> >>> and use str() everywhere and remove that #pylint line >>> >>> FYI all enabled pylint checks are there for a good reason, be careful >>> with disabling it (mainly disabling it for a whole module) rather ask >>> before if you are not sure. >>> >>> Martin^2 >>> >> Nope, sorry, I temporarily forgot how to python >> >> instead of pylint disable use this >> >> if six.PY3: >> unicode = str >> >> and keep unicode there. Sorry >> >> Martin^2 Hi, I don't have time to continue with a full review, maybe somebody else can continue instead of me, but anyway NACK, because using str(unicode()) or unicode(str()) is bad in both ways, it should be just unicode() in case of strings (with correct mapping unicode=str in Py3). I just noticed this by reading the code, but I didn't do a deeper review, so there might be more mistakes. Martin^2 From abokovoy at redhat.com Mon Jun 6 10:33:15 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Jun 2016 13:33:15 +0300 Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain Message-ID: <20160606103315.gcndbmnnswa3s2xl@redhat.com> Hi, this patch adds support for external trust to Active Directory. External trust is a trust that can be created between Active Directory domains that are in different forests or between an Active Directory domain. Since FreeIPA does not support non-Kerberos means of communication, external trust to Windows NT 4.0 or earlier domains is not supported. The external trust is not transitive and can be established to any domain in another forest. This means no access beyond the external domain is possible via the trust link. Resolves: https://fedorahosted.org/freeipa/ticket/5743 -- / Alexander Bokovoy -------------- next part -------------- From 4b19b3ff3259884a3e38c8e6e0a136f9f2af0aa8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 6 Jun 2016 08:55:44 +0300 Subject: [PATCH 1/4] trusts: Add support for an external trust to Active Directory domain External trust is a trust that can be created between Active Directory domains that are in different forests or between an Active Directory domain. Since FreeIPA does not support non-Kerberos means of communication, external trust to Windows NT 4.0 or earlier domains is not supported. The external trust is not transitive and can be established to any domain in another forest. This means no access beyond the external domain is possible via the trust link. Resolves: https://fedorahosted.org/freeipa/ticket/5743 --- API.txt | 3 ++- ipaserver/dcerpc.py | 42 ++++++++++++++++++++++++++------------ ipaserver/plugins/trust.py | 51 +++++++++++++++++++++++++++++++++++++--------- 3 files changed, 72 insertions(+), 24 deletions(-) diff --git a/API.txt b/API.txt index f170930..d5fbc27 100644 --- a/API.txt +++ b/API.txt 
@@ -5208,12 +5208,13 @@ arg: Str('cn', cli_name='name') option: Str('version?') output: Output('result') command: trust_add -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Int('base_id?', cli_name='base_id') option: Bool('bidirectional?', cli_name='two_way', default=False) +option: Bool('external?', cli_name='external', default=False) option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust']) option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 25ffbfa..3c37b6a 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -77,6 +77,10 @@ and Samba4 python bindings. TRUST_ONEWAY = 1 TRUST_BIDIRECTIONAL = 3 +# Trust join behavior +# External trust -- allow creating trust to a non-root domain in the forest +TRUST_JOIN_EXTERNAL = 1 + def is_sid_valid(sid): try: security.dom_sid(sid) @@ -1037,7 +1041,7 @@ class TrustDomainInstance(object): # We can ignore the error here -- setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional'): + def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional', trust_external = False): """ Establishes trust between our and another domain Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call @@ -1060,6 +1064,8 @@ class TrustDomainInstance(object): info.trust_direction |= lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = 0 + if trust_external: + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE try: dname = lsa.String() 
@@ -1096,14 +1102,15 @@ class TrustDomainInstance(object): # server as that one doesn't support AES encryption types pass - try: - info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) - info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE - self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) - except RuntimeError as e: - root_logger.error('unable to set trust to transitive: %s' % (str(e))) + if not trust_external: + try: + info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) + except RuntimeError as e: + root_logger.error('unable to set trust transitivity status: %s' % (str(e))) - if self.info['is_pdc']: + if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain) def verify_trust(self, another_domain): @@ -1262,6 +1269,7 @@ class TrustDomainJoins(object): self.api = api self.local_domain = None self.remote_domain = None + self.__allow_behavior = 0 domain_validator = DomainValidator(api) self.configured = domain_validator.is_configured() @@ -1271,6 +1279,12 @@ class TrustDomainJoins(object): self.local_dn = domain_validator.dn self.__populate_local_domain() + def allow_behavior(self, behavior_set): + if type(behavior_set) is int: + behavior_set = [behavior_set] + if TRUST_JOIN_EXTERNAL in behavior_set: + self.__allow_behavior |= TRUST_JOIN_EXTERNAL + def __populate_local_domain(self): # Initialize local domain info using kerberos only ld = TrustDomainInstance(self.local_flatname) 
@@ -1359,13 +1373,14 @@ class TrustDomainJoins(object): ) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not (self.__allow_behavior & TRUST_JOIN_EXTERNAL): + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type, bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)) + self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type, bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)) # if trust is inbound, we don't need to verify it because AD DC will respond # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. result = True @@ -1382,7 +1397,8 @@ class TrustDomainJoins(object): self.populate_remote_domain(realm, realm_server, realm_passwd=None) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not (self.__allow_behavior & TRUST_JOIN_EXTERNAL): + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) - self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type) + self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type, self.__allow_behavior & TRUST_JOIN_EXTERNAL) return dict(local=self.local_domain, remote=self.remote_domain, verified=False) 
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index ee0ab5d..0d30332 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -63,7 +63,7 @@ except Exception as e: if api.env.in_server and api.env.context in ['lite', 'server']: try: import ipaserver.dcerpc #pylint: disable=F0401 - from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL + from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL, TRUST_JOIN_EXTERNAL import dbus import dbus.mainloop.glib _bindings_installed = True @@ -162,11 +162,18 @@ trust_output_params = ( label=_('Trust type')), Str('truststatus', label=_('Trust status')), + Str('ipantadditionalsuffixes*', + label=_('UPN suffixes')), ) +# Trust type is a combination of ipanttrusttype and ipanttrustattributes +# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and +# 2+(1 << 3) becomes 10. _trust_type_dict = {1 : _('Non-Active Directory domain'), 2 : _('Active Directory domain'), - 3 : _('RFC4120-compliant Kerberos realm')} + 3 : _('RFC4120-compliant Kerberos realm'), + 10: _('Non-transitive external trust to a domain in another Active Directory forest')} + _trust_direction_dict = {1 : _('Trusting forest'), 2 : _('Trusted forest'), 3 : _('Two-way trust')} @@ -189,14 +196,17 @@ DBUS_IFACE_TRUST = 'com.redhat.idm.trust' CRED_STYLE_SAMBA = 1 CRED_STYLE_KERBEROS = 2 -def trust_type_string(level): +LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001 + +def trust_type_string(level, attrs): """ Returns a string representing a type of the trust. The original field is an enum: LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001, LSA_TRUST_TYPE_UPLEVEL = 0x00000002, LSA_TRUST_TYPE_MIT = 0x00000003 """ - string = _trust_type_dict.get(int(level), _trust_type_dict_unknown) + transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE + string = _trust_type_dict.get(int(level) | (transitive << 3), _trust_type_dict_unknown) return unicode(string) def trust_direction_string(level): 
@@ -677,6 +687,12 @@ sides. doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')), default=False, ), + Bool('external?', + label=_('External trust'), + cli_name='external', + doc=(_('Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.')), + default=False, + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') @@ -735,12 +751,15 @@ sides. fetch_trusted_domains_over_dbus(self.api, self.log, result['value']) # Format the output into human-readable values + attributes = int(result['result'].get('ipanttrustattributes', [0])[0]) result['result']['trusttype'] = [trust_type_string( - result['result']['ipanttrusttype'][0])] + result['result']['ipanttrusttype'][0], attributes)] result['result']['trustdirection'] = [trust_direction_string( result['result']['ipanttrustdirection'][0])] result['result']['truststatus'] = [trust_status_string( result['verified'])] + if attributes: + result['result'].pop('ipanttrustattributes', None) del result['verified'] result['result'].pop('ipanttrustauthoutgoing', None) @@ -929,6 +948,11 @@ sides. trust_type = TRUST_ONEWAY if options.get('bidirectional', False): trust_type = TRUST_BIDIRECTIONAL + + # If we are forced to establish external trust, allow it + if options.get('external', False): + self.trustinstance.allow_behavior(TRUST_JOIN_EXTERNAL) + # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides if full_join: @@ -1033,7 +1057,7 @@ class trust_mod(LDAPUpdate): class trust_find(LDAPSearch): __doc__ = _('Search for trusts.') has_output_params = LDAPSearch.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'),) + (Str('ipanttrusttype'), Str('ipanttrustattributes')) msg_summary = ngettext( '%(count)d trust matched', '%(count)d trusts matched', 0 
@@ -1043,7 +1067,7 @@ class trust_find(LDAPSearch): # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): # list only trust, not trust domains - trust_filter = '(ipaNTTrustPartner=*)' + trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))' filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) return (filter, base_dn, ldap.SCOPE_SUBTREE) @@ -1061,9 +1085,12 @@ class trust_find(LDAPSearch): for attrs in entries: # Translate ipanttrusttype to trusttype if --raw not used trust_type = attrs.get('ipanttrusttype', [None])[0] + attributes = attrs.get('ipanttrustattributes', [0])[0] if not options.get('raw', False) and trust_type is not None: - attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0]) + attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del attrs['ipanttrusttype'] + if attributes: + del attrs['ipanttrustattributes'] return truncated @@ -1071,7 +1098,7 @@ class trust_find(LDAPSearch): class trust_show(LDAPRetrieve): __doc__ = _('Display information about a trust.') has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'), Str('ipanttrustdirection')) + (Str('ipanttrusttype'), Str('ipanttrustdirection'), Str('ipanttrustattributes')) def execute(self, *keys, **options): result = super(trust_show, self).execute(*keys, **options) @@ -1089,8 +1116,9 @@ class trust_show(LDAPRetrieve): if not options.get('raw', False): trust_type = entry_attrs.get('ipanttrusttype', [None])[0] + attributes = entry_attrs.get('ipanttrustattributes', [0])[0] if trust_type is not None: - entry_attrs['trusttype'] = trust_type_string(trust_type) + entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del entry_attrs['ipanttrusttype'] dir_str = entry_attrs.get('ipanttrustdirection', [None])[0] 
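Review bot: the API.txt hunk changes trust_add to `args: 1,15,3` and adds `option: Bool('external?', cli_name='external', default=False)`, but the diffstat lists only API.txt, ipaserver/dcerpc.py and ipaserver/plugins/trust.py; a change to API.txt needs the matching bump of the API version in VERSION, otherwise the API check (makeapi) flags the patch. Please add the VERSION change to this patch.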
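Review bot: in the `establish_trust` signature hunk the new parameter is spelled `trust_external = False`, which is not PEP 8 (no spaces around `=` for a keyword default), and the docstring directly below it ("Establishes trust between our and another domain ... Input: another_domain -- ...") does not mention the new argument. Since `trust_external` flips the trust to LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE and skips the FOREST_TRANSITIVE branch, document it there.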
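Review bot: the condition `if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain)` now runs the forest-trust-info update for external trusts even when the local side is not the PDC, and neither the hunk nor the commit message says why. Forest trust information belongs to the forest root, while an external trust by construction targets a domain that is not the root (that is exactly the case where NotAForestRootError is skipped below), so add a comment explaining what update_ftinfo is expected to do on that path. The reworded log message 'unable to set trust transitivity status' is also less precise than the original 'unable to set trust to transitive', since the only attribute set in that branch is FOREST_TRANSITIVE.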
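Review bot: `allow_behavior()` in the TrustDomainJoins hunk tests `type(behavior_set) is int`; `isinstance(behavior_set, int)` is the idiomatic form. More importantly, any element of `behavior_set` other than TRUST_JOIN_EXTERNAL is silently dropped, so a caller passing an unknown or misspelled flag gets no error; raise ValueError for values that are not a known TRUST_JOIN_* flag.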
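Review bot: the second NotAForestRootError hunk calls `self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type, self.__allow_behavior & TRUST_JOIN_EXTERNAL)` with a raw int, while the hunk above it passes `bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)` to both establish_trust calls. Use the bool form in both places so `trust_external` is True/False on every path rather than 1 on one of them.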
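Review bot: `Str('ipantadditionalsuffixes*', label=_('UPN suffixes'))` added to trust_output_params is not part of the external-trust change; the ipaNTAdditionalSuffixes attribute is introduced by the next patch (0202, UPN suffixes). Move the output param there so this patch stays self-contained and bisects cleanly. In the `_trust_type_dict` comment it would also help to say that the "shift by 3 bits" is a private encoding of this module for display purposes, not an LSA-defined value.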
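Review bot: in `trust_type_string(level, attrs)` the local `transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE` holds the NON_TRANSITIVE bit, so the variable name says the opposite of its value; rename it `non_transitive`. The docstring still lists only the LSA_TRUST_TYPE_* enum; describe the `attrs` argument and the combined key (`int(level) | (non_transitive << 3)`, giving 10 for an external AD trust).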
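Review bot: in the trust_add output-formatting hunk, `if attributes: result['result'].pop('ipanttrustattributes', None)` removes the raw attribute only when it is non-zero, so a regular forest trust (attributes 0) keeps `ipanttrustattributes` in the formatted output while an external trust does not. Pop it unconditionally; the neighbouring `ipanttrustauthoutgoing` pop has no such guard either.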
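Review bot: the new trust_find filter `(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))` nests an AND inside an AND; `(&(ipaNTTrustPartner=*)(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain))` is equivalent and easier to read. The commit message does not say why trust_find needs the objectclass restriction for external trusts; explain it there or split it into its own patch.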
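Review bot: in trust_find's post_callback `attributes = attrs.get('ipanttrustattributes', [0])[0]` is not wrapped in int() as it is in trust_add, so if LDAP hands back the value as a string, `if attributes:` is true for '0' and the `<< 3` in trust_type_string sees int(attrs) while this check does not. Also, `del attrs['ipanttrustattributes']` should sit inside the `if not options.get('raw', False)` branch next to `del attrs['ipanttrusttype']`, otherwise `--raw` output loses the raw attribute.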
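Review bot: trust_show has the same two problems as trust_find: `attributes = entry_attrs.get('ipanttrustattributes', [0])[0]` is not normalised with int(), and the trailing `if attributes: del entry_attrs['ipanttrustattributes']` is added after the ipanttrustdirection block rather than under `if not options.get('raw', False)`. The attributes lookup, int() conversion and raw/non-raw cleanup are now written three times (trust_add, trust_find, trust_show); factor them into one helper so they cannot drift.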
@@ -1098,6 +1126,9 @@ class trust_show(LDAPRetrieve): entry_attrs['trustdirection'] = [trust_direction_string(dir_str)] del entry_attrs['ipanttrustdirection'] + if attributes: + del entry_attrs['ipanttrustattributes'] + return dn -- 2.7.4 From abokovoy at redhat.com Mon Jun 6 10:34:45 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Jun 2016 13:34:45 +0300 Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users Message-ID: <20160606103445.enh3cb6yfunmmqk2@redhat.com> Hi, Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 -- / Alexander Bokovoy -------------- next part -------------- From bb4ebc9fa357ff059c3d72defa8964c31a0b6acd Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:41:46 +0300 Subject: [PATCH 2/4] adtrust: support UPNs for trusted domain users Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 --- ACI.txt | 2 +- daemons/ipa-kdb/ipa_kdb_mspac.c | 60 ++++++++++++++++++---- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 + .../ipa-extdom-extop/ipa_extdom_common.c | 9 +++- install/oddjob/com.redhat.idm.trust-fetch-domains | 29 +---------- install/share/60basev3.ldif | 3 +- ipaserver/dcerpc.py | 37 +++++++++---- ipaserver/plugins/trust.py | 50 ++++++++++++------ 8 files changed, 123 insertions(+), 68 deletions(-) diff --git a/ACI.txt b/ACI.txt index a09495e..6f691f2 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -309,7 +309,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index d54ca71..80e7055 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -2273,7 +2273,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) { - int i; + int i, j; if (!*mspac) return; @@ -2290,6 +2290,12 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) free((*mspac)->trusts[i].sid_blacklist_outgoing); free((*mspac)->trusts[i].parent_name); (*mspac)->trusts[i].parent = NULL; + if ((*mspac)->trusts[i].upn_suffixes) { + for (j = 0; (*mspac)->trusts[i].upn_suffixes[j]; j++) { + free((*mspac)->trusts[i].upn_suffixes[j]); + } + free((*mspac)->trusts[i].upn_suffixes); + } } free((*mspac)->trusts); } @@ -2405,7 +2411,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) LDAP *lc = ipactx->lcontext; char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", - "ipaNTSIDBlacklistOutgoing", NULL }; + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; char *filter = "(objectclass=ipaNTTrustedDomain)"; krb5_error_code kerr; LDAPMessage *res = NULL; 
@@ -2462,26 +2468,42 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) goto done; } + t[n].flat_name = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTFlatName", &t[n].flat_name); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } + t[n].domain_sid = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTTrustedDomainSID", &t[n].domain_sid); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } ret = string_to_sid(t[n].domain_sid, &t[n].domsid); - if (ret) { + if (ret && t[n].domain_sid != NULL) { ret = EINVAL; goto done; } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTAdditionalSuffixes", + &t[n].upn_suffixes); + + if (ret) { + if (ret == ENOENT) { + /* This attribute is optional */ + ret = 0; + t[n].upn_suffixes = NULL; + } else { + ret = EINVAL; + goto done; + } + } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming", &sid_blacklist_incoming); @@ -2808,6 +2830,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, struct ipadb_context *ipactx; int i, j, length; const char *name; + bool result = false; if (test_realm == NULL || test_realm[0] == '\0') { return KRB5_KDB_NOENTRY; 
@@ -2829,12 +2852,27 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, /* Iterate through list of trusts and check if input realm belongs to any of the trust */ for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - if ((strncasecmp(test_realm, - ipactx->mspac->trusts[i].domain_name, - size) == 0) || - (strncasecmp(test_realm, - ipactx->mspac->trusts[i].flat_name, - size) == 0)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].domain_name, + size) == 0; + + if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].flat_name, + size) == 0; + } + + if (!result && (ipactx->mspac->trusts[i].upn_suffixes != NULL)) { + for (j = 0; ipactx->mspac->trusts[i].upn_suffixes[j]; j++) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].upn_suffixes[j], + size) == 0; + if (result) + break; + } + } + + if (result) { /* return the realm if caller supplied a place for it */ if (trusted_realm != NULL) { name = (ipactx->mspac->trusts[i].parent_name != NULL) ? diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h index 1052bb8..30382d2 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h @@ -47,6 +47,7 @@ struct ipadb_adtrusts { int len_sid_blacklist_outgoing; struct ipadb_adtrusts *parent; char *parent_name; + char **upn_suffixes; }; int string_to_sid(const char *str, struct dom_sid *sid); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 445624f..823c05c 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -1011,8 +1011,13 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, char *buf = NULL; struct sss_nss_kv *kv_list = NULL; - ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, - domain_name); + if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { + ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, + domain_name); + } else { + /* SSSD_DOMAIN_SEPARATOR already present, assume UPN */ + ret = asprintf(&fq_name, "%s", name); + } if (ret == -1) { ret = LDAP_OPERATIONS_ERROR; set_err_msg(req, "Failed to create fully qualified name"); diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index ea00f30..4d0d466 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
@@ -170,33 +170,8 @@ except gssapi.exceptions.GSSError: ipa_domain = api.env.domain os.environ['KRB5CCNAME'] = oneway_ccache_name domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) - -if domains: - # trust range must exist by the time fetch_domains_from_trust is called - range_name = unicode(trusted_domain.upper() + '_id_range') - old_range = api.Command.idrange_show(range_name, raw=True)['result'] - idrange_type = old_range['iparangetype'][0] - - result = [] - for dom in domains: - dom['trust_type'] = u'ad' - try: - name = dom['cn'] - del dom['cn'] - - res = api.Command.trustdomain_add(trusted_domain, name, **dom) - result.append(res['result']) - - if idrange_type != u'ipa-ad-trust-posix': - range_name = name.upper() + '_id_range' - dom['range_type'] = u'ipa-ad-trust' - # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range - # to force it using existing credentials cache - trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'], - trusted_domain, name, **dom) - except errors.DuplicateEntry: - # Ignore updating duplicate entries - pass +trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result'] +trust.add_new_domains_from_trust(api, None, trust_domain_object, domains) if old_ccache: os.environ['KRB5CCNAME'] = old_ccache diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5ebe335..059174b 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -56,6 +56,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782 
@@ -64,7 +65,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUC objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) ) +objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing $ ipaNTAdditionalSuffixes) ) objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP 
ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3') diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 3c37b6a..bf6f6ce 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1194,7 +1194,10 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): def communicate(td): td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) - domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) + # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call + # but it doesn't provide information about non-domain UPNs associated + # with the forest, thus we have to use netr_DsRGetForestTrustInformation + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0) return domains domains = None @@ -1222,6 +1225,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): raise assess_dcerpc_exception(message=str(e)) td.info['dc'] = unicode(result.pdc_dns_name) + td.info['name'] = unicode(result.dns_domain) if type(creds) is bool: # Rely on existing Kerberos credentials in the environment td.creds = credentials.Credentials() 
@@ -1251,16 +1255,29 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): if domains is None: return None - result = [] - for t in domains.array: - if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and - (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): + result = {'domains': {}, 'suffixes' : {}} + # netr_DsRGetForestTrustInformation returns two types of entries: + # domain information -- name, NetBIOS name, SID of the domain + # top level name info -- a name suffix associated with the forest + # We should ignore forest root name/name suffix as it is already part + # of trust information for IPA purposes and only add what's inside the forest + for t in domains.entries: + if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO: + tname = unicode(t.forest_trust_data.dns_domain_name.string) + if tname == trustdomain: + continue res = dict() - res['cn'] = unicode(t.dns_name) - res['ipantflatname'] = unicode(t.netbios_name) - res['ipanttrusteddomainsid'] = unicode(t.sid) - res['ipanttrustpartner'] = res['cn'] - result.append(res) + res['cn'] = tname + res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string) + res['ipanttrusteddomainsid'] = unicode(t.forest_trust_data.domain_sid) + result['domains'][tname] = res + elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: + tname = unicode(t.forest_trust_data.string) + if tname == trustdomain: + continue + res = dict() + res['cn'] = tname + result['suffixes'][tname] = res return result diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 0d30332..98def2e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -487,9 +487,10 @@ class trust(LDAPObject): default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', 'ipanttrustforesttrustinfo', - 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] + 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes', 'ipantadditionalsuffixes' ] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype'] + 'ipanttrusteddomainsid', 'ipanttrusttype', + 'ipanttrustattributes', 'ipantadditionalsuffixes'] managed_permissions = { 'System: Read Trust Information': { # Allow reading of attributes needed for SSSD subdomains support @@ -503,7 +504,7 @@ class trust(LDAPObject): 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', - 'ipanttrustdirection' + 'ipanttrustdirection', 'ipantadditionalsuffixes', }, }, @@ -1455,8 +1456,10 @@ class trustdomain(LDAPObject): object_name = _('trust domain') object_name_plural = _('trust domains') object_class = ['ipaNTTrustedDomain'] - default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrustpartner'] - search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', ] + default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', + 'ipanttrustpartner', 'ipantadditionalsuffixes'] + search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', + 'ipantadditionalsuffixes' ] label = _('Trusted domains') label_singular = _('Trusted domain') 
@@ -1498,7 +1501,7 @@ class trustdomain(LDAPObject): class trustdomain_find(LDAPSearch): __doc__ = _('Search domains of the trust') - has_output_params = LDAPSearch.has_output_params + ( + has_output_params = LDAPSearch.has_output_params + trust_output_params + ( Flag('domain_enabled', label= _('Domain enabled')), ) def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): @@ -1509,11 +1512,10 @@ class trustdomain_find(LDAPSearch): return truncated trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') trust_entry = ldap.get_entry(trust_dn) + blacklist = trust_entry.get('ipantsidblacklistincoming') for entry in entries: - sid = entry['ipanttrusteddomainsid'][0] - - blacklist = trust_entry.get('ipantsidblacklistincoming') - if blacklist is None: + sid = entry.get('ipanttrusteddomainsid', [None])[0] + if sid is None: continue if sid in blacklist: @@ -1538,8 +1540,9 @@ class trustdomain_add(LDAPCreate): takes_options = LDAPCreate.takes_options + (_trust_type_option,) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if 'ipanttrustpartner' in options: - entry_attrs['ipanttrustpartner'] = [options['ipanttrustpartner']] + # ipaNTTrustPartner must always be set to the name of the trusted domain + # See MS-ADTS 6.1.6.7.13 + entry_attrs['ipanttrustpartner'] = [dn[0]['cn']] return dn @register() @@ -1598,7 +1601,10 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] - for dom in domains: + suffixes = list() + suffixes.extend(y['cn'] for x,y in domains['suffixes'].iteritems() if x not in domains['domains']) + + for dom in domains['domains'].itervalues(): dom['trust_type'] = u'ad' try: name = dom['cn'] 
@@ -1611,7 +1617,7 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt res = myapi.Command.trustdomain_add(trust_name, name, **dom) result.append(res['result']) - if idrange_type != u'ipa-ad-trust-posix': + if idrange_type != u'ipa-ad-trust-posix' and dom.get('ipanttrusteddomainsid', False): range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' add_range(myapi, trustinstance, range_name, dom['ipanttrusteddomainsid'], @@ -1619,6 +1625,18 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt except errors.DuplicateEntry: # Ignore updating duplicate entries pass + + try: + dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad') + ldap = myapi.Backend.ldap2 + entry = ldap.get_entry(dn) + tlns = list(entry.get('ipantadditionalsuffixes', [])) + tlns.extend(x for x in suffixes if x not in tlns) + entry['ipantadditionalsuffixes'] = tlns + ldap.update_entry(entry) + except errors.EmptyModlist: + pass + return result @register() @@ -1696,7 +1714,7 @@ class trustdomain_enable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.get('ipanttrusteddomainsid', [None])[0] if sid in trust_entry['ipantsidblacklistincoming']: trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) @@ -1737,7 +1755,7 @@ class trustdomain_disable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.get('ipanttrusteddomainsid', [None])[0] if not (sid in trust_entry['ipantsidblacklistincoming']): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) -- 2.7.4 From abokovoy at redhat.com Mon Jun 6 10:36:36 2016 
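Review bot: in the install/oddjob/com.redhat.idm.trust-fetch-domains hunk the old `if domains:` guard is dropped, but `dcerpc.fetch_domains()` still returns None when nothing could be fetched (`if domains is None: return None` in the ipaserver/dcerpc.py hunk), and `add_new_domains_from_trust()` immediately does `domains['suffixes'].iteritems()`, which raises TypeError on None. Keep the guard around the new call (`if domains: trust.add_new_domains_from_trust(api, None, trust_domain_object, domains)`) or make the callee tolerate None.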
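Review bot: in the ipadb_mspac_get_trusted_domains hunk `t[n].flat_name` and `t[n].domain_sid` are explicitly set to NULL before their lookups, but `t[n].upn_suffixes` is only assigned after both of them; if either lookup takes `goto done`, the new loop in ipadb_mspac_struct_free() walks `trusts[i].upn_suffixes`, which is an uninitialised pointer unless the array was zeroed on allocation. Add `t[n].upn_suffixes = NULL;` beside the other two. Also, `string_to_sid(t[n].domain_sid, &t[n].domsid)` is now called even when `domain_sid` is NULL and its error merely ignored afterwards; skip the call when the SID is absent so that `domsid` is left in a known state for the code that later filters on it.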
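Review bot: in the ipadb_is_princ_from_trusted_realm hunk the new UPN-suffix branch reuses `strncasecmp(test_realm, ..., size)`, a comparison bounded by `size` (computed outside this hunk); unless `size` is also checked against `strlen(upn_suffixes[j])`, a realm that is a proper prefix of a configured suffix, or a suffix that is a prefix of the realm, is accepted as belonging to that trust. Since this result decides whether a principal is treated as coming from a trusted realm, compare full lengths (`strcasecmp`, or require both lengths to be equal) in the suffix branch, and ideally in the two existing branches as well.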
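Review bot: in the ipa_extdom_common.c handle_name_request hunk a client-supplied `name` that already contains SSSD_DOMAIN_SEPARATOR is now passed to SSSD unchanged and the `domain_name` argument is silently ignored for it; the comment should say so explicitly ("domain_name is ignored, name is treated as a UPN") so the behaviour change is visible to readers. Minor: `asprintf(&fq_name, "%s", name)` is just `strdup(name)`, though keeping asprintf keeps the single `ret == -1` check below.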
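Review bot: in the install/share/60basev3.ldif hunk the new `ipaNTAdditionalSuffixes` attributeType lacks the `X-ORIGIN` tag that every neighbouring definition carries, and its DESC ('Suffix for the user principal name associated with the domain') is singular although the attribute is multi-valued and ipa_kdb_mspac.c reads it with ipadb_ldap_attr_to_strlist(); suggest `DESC 'UPN suffixes associated with the trusted domain'` plus an X-ORIGIN tag for the release that introduces it.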
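Review bot: in the ipaserver/dcerpc.py fetch_domains hunk `tname == trustdomain` is a case-sensitive comparison; the DNS names returned by the DC may differ in case from the trust name stored in IPA, in which case the forest root is not skipped and ends up in `result['domains']` or `result['suffixes']`. Compare `tname.lower() == trustdomain.lower()`. Style: `'suffixes' : {}` has a stray space before the colon.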
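Review bot: in the trustdomain_find.post_callback hunk, hoisting `blacklist = trust_entry.get('ipantsidblacklistincoming')` out of the loop also dropped the `if blacklist is None: continue` check, so a trust entry without that attribute now reaches `if sid in blacklist:` with `blacklist = None` and raises TypeError. Use `trust_entry.get('ipantsidblacklistincoming', [])` or restore the None check before the loop.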
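Review bot: in the trustdomain_disable hunk `sid = entry.get('ipanttrusteddomainsid', [None])[0]` can now be None (which is the point of the change: domains that only carry a UPN suffix have no SID), but the following `if not (sid in trust_entry['ipantsidblacklistincoming']): ...append(sid)` then appends None to the blacklist and `ldap.update_entry(trust_entry)` tries to write it. Guard the block with `if sid is not None`; trustdomain_enable is only safe because `None in list` is false, so the same guard there would make the intent explicit.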
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Jun 2016 13:36:36 +0300 Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter Message-ID: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> Hi, MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent domain's container). Remove the argument that was never used externally but only supplied by trust-specific code inside the IPA framework. Part of https://fedorahosted.org/freeipa/ticket/5354 -- / Alexander Bokovoy -------------- next part -------------- From a7569cf6d9e78da97fcffae78c7e22d30edbf42a Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:42:34 +0300 Subject: [PATCH 3/4] adtrust: remove nttrustpartner parameter MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent domain's container). Remove the argument that was never used externally but only supplied by trust-specific code inside the IPA framework. --- API.txt | 9 ++---- install/ui/test/data/ipa_init_commands.json | 43 ----------------------------- install/ui/test/data/ipa_init_objects.json | 13 --------- ipaserver/plugins/trust.py | 4 --- 4 files changed, 3 insertions(+), 66 deletions(-) diff --git a/API.txt b/API.txt index d5fbc27..4247dd7 100644 --- a/API.txt +++ b/API.txt 
@@ -5323,14 +5323,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: trustdomain_add -args: 2,9,3 +args: 2,8,3 arg: Str('trustcn', cli_name='trust') arg: Str('cn', cli_name='domain') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('ipantflatname?', cli_name='flat_name') option: Str('ipanttrusteddomainsid?', cli_name='sid') -option: Str('ipanttrustpartner?') option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Str('setattr*', cli_name='setattr') option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=[u'ad']) @@ -5364,14 +5363,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: trustdomain_find -args: 2,10,4 +args: 2,9,4 arg: Str('trustcn', cli_name='trust') arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='domain') option: Str('ipantflatname?', autofill=False, cli_name='flat_name') option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='sid') -option: Str('ipanttrustpartner?', autofill=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Int('sizelimit?', autofill=False) @@ -5382,7 +5380,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trustdomain_mod -args: 2,11,3 +args: 2,10,3 arg: Str('trustcn', cli_name='trust') arg: Str('cn', cli_name='domain') option: Str('addattr*', cli_name='addattr') 
@@ -5390,7 +5388,6 @@ option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('ipantflatname?', autofill=False, cli_name='flat_name') option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='sid') -option: Str('ipanttrustpartner?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr') diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index c7f717c..b5c482e 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -22023,20 +22023,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - }, - { "name": "setattr" }, { @@ -22142,21 +22128,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "query": true, - "type": "unicode" - }, - { "class": "Int", "deprecated_cli_aliases": [], "doc": "Time limit of search in seconds", @@ -22228,20 +22199,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - }, - { "name": "setattr" }, { diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json index ca98a1a..d8dfba2 100644 
--- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -8527,19 +8527,6 @@ "noextrawhitespace": true, "type": "unicode" }, - { - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - } ], "uuid_attribute": "" }, diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 98def2e..62fe96e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -1478,10 +1478,6 @@ class trustdomain(LDAPObject): cli_name='sid', label=_('Domain Security Identifier'), ), - Str('ipanttrustpartner?', - label=_('Trusted domain partner'), - flags=['no_display', 'no_option'], - ), ) # LDAPObject.get_dn() only passes all but last element of keys and no kwargs -- 2.7.4 From abokovoy at redhat.com Mon Jun 6 10:38:55 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 6 Jun 2016 13:38:55 +0300 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user Message-ID: <20160606103855.ptkbthy27mv3qz5g@redhat.com> Hi, In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions. Part of https://fedorahosted.org/freeipa/ticket/2149 -- / Alexander Bokovoy -------------- next part -------------- From 96bd9f454f3080f71d96a01779882f0b1b19e67c Mon Sep 17 00:00:00 2001 
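Review bot: for the "adtrust: remove nttrustpartner parameter" patch above, the API.txt hunks change the argument counts of trustdomain_add, trustdomain_find and trustdomain_mod (`args: 2,9,3` to `2,8,3`, `2,10,4` to `2,9,4`, `2,11,3` to `2,10,3`), but the diffstat lists only API.txt, the two UI test fixtures and ipaserver/plugins/trust.py, so the API version in VERSION is not bumped in the same commit; please include it. Also, the commit subject says "nttrustpartner" while the option actually removed is `ipanttrustpartner`.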
From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:51:05 +0300 Subject: [PATCH 4/4] adtrust: support GSSAPI authentication to LDAP as Active Directory user In case an ID override was created for an Active Directory user in the default trust view, allow mapping the incoming GSSAPI authenticated connection to the ID override for this user. This allows to self-manage ID override parameters from the CLI, for example, SSH public keys or certificates. Admins can define what can be changed by the users via self-service permissions. Part of https://fedorahosted.org/freeipa/ticket/2149 --- install/updates/20-idoverride_index.update | 20 ++++++++++++++++++++ install/updates/71-idviews-sasl-mapping.update | 9 +++++++++ install/updates/Makefile.am | 2 ++ 3 files changed, 31 insertions(+) create mode 100644 install/updates/20-idoverride_index.update create mode 100644 install/updates/71-idviews-sasl-mapping.update diff --git a/install/updates/20-idoverride_index.update b/install/updates/20-idoverride_index.update new file mode 100644 index 0000000..a8b9681 --- /dev/null +++ b/install/updates/20-idoverride_index.update @@ -0,0 +1,20 @@ +# +# Make sure ID override attributes have the correct indexing +# + +dn: cn=ipaOriginalUid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaOriginalUid +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only: nsIndexType: eq +only: nsIndexType: pres + +dn: cn=ipaAnchorUUID,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config +default:cn: ipaOriginalUid +default:ObjectClass: top +default:ObjectClass: nsIndex +default:nsSystemIndex: false +only: nsIndexType: eq +only: nsIndexType: pres + diff --git a/install/updates/71-idviews-sasl-mapping.update b/install/updates/71-idviews-sasl-mapping.update new file mode 100644 index 0000000..bd49223 --- /dev/null +++ b/install/updates/71-idviews-sasl-mapping.update 
@@ -0,0 +1,9 @@ +dn: cn=ID Overridden Principal,cn=mapping,cn=sasl,cn=config +default:cn: ID Overridden Principal +default:nsSaslMapBaseDNTemplate: cn=default trust view,cn=views,cn=accounts,$SUFFIX +default:nsSaslMapFilterTemplate: (&(ipaoriginaluid=\1@\2)(objectclass=ipaUserOverride)) +default:nsSaslMapPriority: 20 +default:nsSaslMapRegexString: \(.*\)@\(.*\) +default:objectClass: top +default:objectClass: nsSaslMapping + diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 737a8bb..fde6917 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -21,6 +21,7 @@ app_DATA = \ 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ + 20-idoverride_index.update \ 20-uuid.update \ 21-replicas_container.update \ 21-ca_renewal_container.update \ @@ -53,6 +54,7 @@ app_DATA = \ 61-trusts-s4u2proxy.update \ 62-ranges.update \ 71-idviews.update \ + 71-idviews-sasl-mapping.update \ 72-domainlevels.update \ 73-custodia.update \ 73-winsync.update \ -- 2.7.4 From mbasti at redhat.com Mon Jun 6 10:57:38 2016 
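Review bot: in install/updates/20-idoverride_index.update the second index entry has `dn: cn=ipaAnchorUUID,cn=index,...` but `default:cn: ipaOriginalUid`, a copy-paste error; the cn must match the RDN, so it should read `default:cn: ipaAnchorUUID`, otherwise the ipaAnchorUUID index entry is created with the wrong cn.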
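Review bot: in install/updates/71-idviews-sasl-mapping.update the regex `\(.*\)@\(.*\)` matches every Kerberos principal, and `nsSaslMapPriority: 20` ranks the mapping above mappings left at the default priority; in 389-ds a mapping whose regex matches but whose search returns no entry only falls through to the next mapping when nsslapd-sasl-mapping-fallback is enabled, so please confirm the instance has that enabled, or narrow the regex so that ordinary IPA principals do not hit this mapping first. Since the filter uses the whole principal (`\1@\2`), a single capture group `\(.*\)` with `ipaoriginaluid=\1` would also be simpler. The scope of the mapping itself is sound: it only resolves to an ipaUserOverride entry that an admin created under `cn=default trust view`, and what the bound user may then modify remains governed by ACIs, as the cover letter says.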
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 12:57:38 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <20160606103636.mhvkfdq6otcsxpgu@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com>
Message-ID: <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com>

On 06.06.2016 12:36, Alexander Bokovoy wrote:
> Hi,
>
> MS-ADTS spec requires that TrustPartner field should be equal to the
> commonName (cn) of the trust. We used it a bit wrongly to express
> trust relationship between parent and child domains. In fact, we
> have parent-child relationship recorded in the DN (child domains
> are part of the parent domain's container).
>
> Remove the argument that was never used externally but only supplied by
> trust-specific code inside the IPA framework.
>
> Part of https://fedorahosted.org/freeipa/ticket/5354
>

Hello, how is backward compatibility handled here? You just remove the option from the API, without any additional logic for older clients.

Martin^2

From abokovoy at redhat.com Mon Jun 6 11:14:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 14:14:13 +0300
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com>
Message-ID: <20160606111413.p37ejfgjk6zuslh7@redhat.com>

On Mon, 06 Jun 2016, Martin Basti wrote:
>
>
>On 06.06.2016 12:36, Alexander Bokovoy wrote:
>>Hi,
>>
>>MS-ADTS spec requires that TrustPartner field should be equal to the
>>commonName (cn) of the trust. We used it a bit wrongly to express
>>trust relationship between parent and child domains. In fact, we
>>have parent-child relationship recorded in the DN (child domains
>>are part of the parent domain's container).
>>
>>Remove the argument that was never used externally but only supplied by
>>trust-specific code inside the IPA framework.
>>
>>Part of https://fedorahosted.org/freeipa/ticket/5354
>>
>>
>>
>
>Hello, how is handled backward compatibility here, you just removes
>the option from API, without any additional logic for older clients.
This is not used by the external clients at all. It is part of the internal
logic of the code in trust.py+com.redhat.trust.fetch-domains, which
always talks to the same server it is running on.

@register()
class trustdomain_add(LDAPCreate):
    __doc__ = _('Allow access from the trusted domain')
    NO_CLI = True

--
/ Alexander Bokovoy

From mbasti at redhat.com Mon Jun 6 11:22:49 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 13:22:49 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <20160606111413.p37ejfgjk6zuslh7@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com>
Message-ID: <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com>

On 06.06.2016 13:14, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, Martin Basti wrote:
>>
>>
>> On 06.06.2016 12:36, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> MS-ADTS spec requires that TrustPartner field should be equal to the
>>> commonName (cn) of the trust. We used it a bit wrongly to express
>>> trust relationship between parent and child domains. In fact, we
>>> have parent-child relationship recorded in the DN (child domains
>>> are part of the parent domain's container).
>>>
>>> Remove the argument that was never used externally but only supplied by
>>> trust-specific code inside the IPA framework.
>>>
>>> Part of https://fedorahosted.org/freeipa/ticket/5354
>>>
>>>
>>>
>>
>> Hello, how is handled backward compatibility here, you just removes
>> the option from API, without any additional logic for older clients.
> This is not used by the external clients at all. It is part of internal
> logic of the code in trust.py+com.redhat.trust.fetch-domains which
> always talk to the same server they are running on.
>
> @register()
> class trustdomain_add(LDAPCreate):
>     __doc__ = _('Allow access from the trusted domain')
>     NO_CLI = True
>
>

Yes, sorry, not old IPA clients, but it was part of the API, shown in the API browser, and since this was in the API, it is set in stone. So if you think that it is safe to remove and nobody can hit this, I'm okay with removing that option.
Maybe we should at least write it in the release notes (I'll let Honza express his feelings as the API versioning/compatibility sensei).

And you forgot to increment the API version in the VERSION file.

Martin^2

From jcholast at redhat.com Mon Jun 6 11:29:51 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 6 Jun 2016 13:29:51 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com>
Message-ID: <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com>

On 6.6.2016 13:22, Martin Basti wrote:
>
>
> On 06.06.2016 13:14, Alexander Bokovoy wrote:
>> On Mon, 06 Jun 2016, Martin Basti wrote:
>>>
>>>
>>> On 06.06.2016 12:36, Alexander Bokovoy wrote:
>>>> Hi,
>>>>
>>>> MS-ADTS spec requires that TrustPartner field should be equal to the
>>>> commonName (cn) of the trust. We used it a bit wrongly to express
>>>> trust relationship between parent and child domains. In fact, we
>>>> have parent-child relationship recorded in the DN (child domains
>>>> are part of the parent domain's container).
>>>>
>>>> Remove the argument that was never used externally but only supplied by
>>>> trust-specific code inside the IPA framework.
>>>>
>>>> Part of https://fedorahosted.org/freeipa/ticket/5354
>>>>
>>>>
>>>>
>>>
>>> Hello, how is handled backward compatibility here, you just removes
>>> the option from API, without any additional logic for older clients.
>> This is not used by the external clients at all. It is part of internal
>> logic of the code in trust.py+com.redhat.trust.fetch-domains which
>> always talk to the same server they are running on.
>>
>> @register()
>> class trustdomain_add(LDAPCreate):
>>     __doc__ = _('Allow access from the trusted domain')
>>     NO_CLI = True
>>
>>
>
> Yes sorry, not old IPA clients, but it was part of API, shown in API
> browser, and since this was in API, it is set to stone. So If you think
> that it is safe to be removed and nobody can hit this, I'm okay for
> removing that option.
Maybe we should at least wrote it to release notes > (I'll let Honza to express his feelings as API versioning/compatibility > sensei) IMHO it is safe to remove. > > And you forgot to increment api version in VERSION file > > Martin^2 > -- Jan Cholasta From abokovoy at redhat.com Mon Jun 6 11:37:19 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 14:37:19 +0300
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com>
Message-ID: <20160606113719.3c2hweabc7xojkad@redhat.com>

On Mon, 06 Jun 2016, Jan Cholasta wrote:
>On 6.6.2016 13:22, Martin Basti wrote:
>>
>>On 06.06.2016 13:14, Alexander Bokovoy wrote:
>>>On Mon, 06 Jun 2016, Martin Basti wrote:
>>>>
>>>>On 06.06.2016 12:36, Alexander Bokovoy wrote:
>>>>>Hi,
>>>>>
>>>>>MS-ADTS spec requires that TrustPartner field should be equal to the
>>>>>commonName (cn) of the trust. We used it a bit wrongly to express
>>>>>trust relationship between parent and child domains. In fact, we
>>>>>have parent-child relationship recorded in the DN (child domains
>>>>>are part of the parent domain's container).
>>>>>
>>>>>Remove the argument that was never used externally but only supplied by
>>>>>trust-specific code inside the IPA framework.
>>>>>
>>>>>Part of https://fedorahosted.org/freeipa/ticket/5354
>>>>>
>>>>Hello, how is backward compatibility handled here? You just remove
>>>>the option from the API, without any additional logic for older clients.
>>>This is not used by the external clients at all. It is part of internal
>>>logic of the code in trust.py+com.redhat.trust.fetch-domains which
>>>always talk to the same server they are running on.
>>>
>>>@register()
>>>class trustdomain_add(LDAPCreate):
>>>    __doc__ = _('Allow access from the trusted domain')
>>>    NO_CLI = True
>>>
>>
>>Yes sorry, not old IPA clients, but it was part of API, shown in API
>>browser, and since this was in API, it is set in stone.
So If you think >>that it is safe to be removed and nobody can hit this, I'm okay for >>removing that option. Maybe we should at least wrote it to release notes >>(I'll let Honza to express his feelings as API versioning/compatibility >>sensei) > >IMHO it is safe to remove. > >> >>And you forgot to increment api version in VERSION file Updated patch attached, with a VERSION change. -- / Alexander Bokovoy -------------- next part -------------- From 71feb298933b3e447c060f4ab70d23fb269a40e2 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:42:34 +0300 Subject: [PATCH 3/4] adtrust: remove nttrustpartner parameter MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent domain's container). Remove the argument that was never used externally but only supplied by trust-specific code inside the IPA framework. Part of https://fedorahosted.org/freeipa/ticket/5354 --- API.txt | 9 ++---- VERSION | 4 +-- install/ui/test/data/ipa_init_commands.json | 43 ----------------------------- install/ui/test/data/ipa_init_objects.json | 13 --------- ipaserver/plugins/trust.py | 4 --- 5 files changed, 5 insertions(+), 68 deletions(-) diff --git a/API.txt b/API.txt index d5fbc27..4247dd7 100644 --- a/API.txt +++ b/API.txt 
@@ -5323,14 +5323,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: trustdomain_add -args: 2,9,3 +args: 2,8,3 arg: Str('trustcn', cli_name='trust') arg: Str('cn', cli_name='domain') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('ipantflatname?', cli_name='flat_name') option: Str('ipanttrusteddomainsid?', cli_name='sid') -option: Str('ipanttrustpartner?') option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Str('setattr*', cli_name='setattr') option: StrEnum('trust_type', autofill=True, cli_name='type', default=u'ad', values=[u'ad']) @@ -5364,14 +5363,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: trustdomain_find -args: 2,10,4 +args: 2,9,4 arg: Str('trustcn', cli_name='trust') arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='domain') option: Str('ipantflatname?', autofill=False, cli_name='flat_name') option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='sid') -option: Str('ipanttrustpartner?', autofill=False) option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Int('sizelimit?', autofill=False) @@ -5382,7 +5380,7 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: trustdomain_mod -args: 2,11,3 +args: 2,10,3 arg: Str('trustcn', cli_name='trust') arg: Str('cn', cli_name='domain') option: Str('addattr*', cli_name='addattr') 
@@ -5390,7 +5388,6 @@ option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('ipantflatname?', autofill=False, cli_name='flat_name') option: Str('ipanttrusteddomainsid?', autofill=False, cli_name='sid') -option: Str('ipanttrustpartner?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Flag('rights', autofill=True, default=False) option: Str('setattr*', cli_name='setattr') diff --git a/VERSION b/VERSION index 4ada746..8945ae5 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=176 -# Last change: mbasti - location-show: list servers in the location +IPA_API_VERSION_MINOR=177 +# Last change: abbra - adtrust: remove nttrustpartner parameter diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json index c7f717c..b5c482e 100644 --- a/install/ui/test/data/ipa_init_commands.json +++ b/install/ui/test/data/ipa_init_commands.json @@ -22023,20 +22023,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - }, - { "name": "setattr" }, { @@ -22142,21 +22128,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "query": true, - "type": "unicode" - }, - { "class": "Int", "deprecated_cli_aliases": [], "doc": "Time limit of search in seconds", 
@@ -22228,20 +22199,6 @@ "type": "unicode" }, { - "attribute": true, - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - }, - { "name": "setattr" }, { diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json index ca98a1a..d8dfba2 100644 --- a/install/ui/test/data/ipa_init_objects.json +++ b/install/ui/test/data/ipa_init_objects.json @@ -8527,19 +8527,6 @@ "noextrawhitespace": true, "type": "unicode" }, - { - "class": "Str", - "deprecated_cli_aliases": [], - "doc": "Trusted domain partner", - "flags": [ - "no_display", - "no_option" - ], - "label": "Trusted domain partner", - "name": "ipanttrustpartner", - "noextrawhitespace": true, - "type": "unicode" - } ], "uuid_attribute": "" }, diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 98def2e..62fe96e 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -1478,10 +1478,6 @@ class trustdomain(LDAPObject): cli_name='sid', label=_('Domain Security Identifier'), ), - Str('ipanttrustpartner?', - label=_('Trusted domain partner'), - flags=['no_display', 'no_option'], - ), ) # LDAPObject.get_dn() only passes all but last element of keys and no kwargs -- 2.7.4 From pspacek at redhat.com Mon Jun 6 12:28:02 2016 
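Review bot: the ipaserver/plugins/trust.py hunk removes only the `Str('ipanttrustpartner?', ...)` declaration from the `trustdomain` object, while the commit message says the value was "supplied by trust-specific code inside the IPA framework" and the diffstat shows no other change to trust.py or to the fetch-domains helper. Please confirm in the commit message that no remaining call site still passes `ipanttrustpartner=` to trustdomain_add or trustdomain_mod (an unknown option there would now fail rather than be ignored), and say whether entries written by earlier versions, which may still carry the attribute with the parent/child value the message calls wrong, need a cleanup update or can be left as they are.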
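Review bot: in the VERSION hunk the `# Last change:` comment, like the patch subject, names the parameter `nttrustpartner`, whereas API.txt, the JSON test data and trust.py all remove `ipanttrustpartner`; use the actual parameter name in both places so the API history stays greppable. The minor bump to 177 itself answers the earlier review comment about the missing VERSION change.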
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 6 Jun 2016 14:28:02 +0200
Subject: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used
In-Reply-To: <3cb48b3a-4261-1e2e-c4d0-7d2e14801c70@redhat.com>
References: <511dce5e-4f52-6f29-9ea5-19d189885cbf@redhat.com> <269d1dec-6677-a6c6-5b79-df0d2ce697a7@redhat.com> <56c1e83f-5629-1da7-8090-ba55355c6bf9@redhat.com> <3cb48b3a-4261-1e2e-c4d0-7d2e14801c70@redhat.com>
Message-ID: <22d07ff0-b861-207e-d72f-ae32a966fff7@redhat.com>

On 6.6.2016 11:55, Martin Basti wrote:
>
> On 30.05.2016 12:49, Petr Spacek wrote:
>> On 29.5.2016 14:45, Martin Basti wrote:
>>>
>>> On 27.05.2016 14:12, Petr Spacek wrote:
>>>> On 25.5.2016 12:50, Martin Basti wrote:
>>>>> On 20.05.2016 12:19, Petr Spacek wrote:
>>>>>> On 11.5.2016 12:08, Martin Basti wrote:
>>>>>>> On 03.05.2016 14:59, Petr Spacek wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> DNS upgrade: change forwarding policy to "only" if private IPs are used.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5710
>>>>>>>>
>>>>>>>> This is the upgrade part. I will add one more patch to print a warning in
>>>>>>>> dnsforwardzone* commands to avoid surprises. Please do not close the
>>>>>>>> ticket yet.
>>>>>>>>
>>>>>>> 1)
>>>>>>> Upgrade failed with 'BindInstance' object has no attribute
>>>>>>> 'named_conf_get_directive'
>>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
>>>>>>> ipa-server-upgrade manually.
>>>>>>> ('IPA upgrade failed.', 1)
>>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>>>>>> more information
>>>>>>>
>>>>>>> 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object
>>>>>>> has no attribute 'named_conf_get_directive'
>>>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 213, in __upgrade
>>>>>>>     self.modified = (ld.update(self.files) or self.modified)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 917, in update
>>>>>>>     self._run_updates(all_updates)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in _run_updates
>>>>>>>     self._run_update_plugin(update['plugin'])
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 862, in _run_update_plugin
>>>>>>>     restart_ds, updates = self.api.Updater[plugin_name]()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in __call__
>>>>>>>     return self.execute(**options)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 547, in execute
>>>>>>>     self.update_global_named_conf_forwarder(bind)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 508, in update_global_named_conf_forwarder
>>>>>>>     if bind.named_conf_get_directive(
>>>>>>> AttributeError: 'BindInstance' object has no attribute
>>>>>>> 'named_conf_get_directive'
>>>>>>>
>>>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
>>>>>>>     run_step(full_msg, method)
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
>>>>>>>     method()
>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 221, in __upgrade
>>>>>>>     raise RuntimeError(e)
>>>>>>> RuntimeError: 'BindInstance' object has no attribute
>>>>>>> 'named_conf_get_directive'
>>>>>>>
>>>>>>> PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new
>>>>>>> attribute *
>>>>>>> 2)
>>>>>>> + Int('ipadnsversion?',
>>>>>>> + label=_('IPA DNS version'),
>>>>>>> + ),
>>>>>>>
>>>>>>> Shouldn't this be part of the System: Read DNS Configuration permission?
>>>>>>>
>>>>>>> 3)
>>>>>>> - def postprocess_result(self, result):
>>>>>>> + def postprocess_result(self, result, show_version):
>>>>>>>       if not any(param in result['result'] for param in
>>>>>>>                  self.params):
>>>>>>>           result['summary'] = unicode(_('Global DNS configuration is
>>>>>>> empty'))
>>>>>>>
>>>>>>> show_version param was added but I don't see it used in this patch.
>>>>>>>
>>>>>>> 4)
>>>>>>> + Int('ipadnsversion?',
>>>>>>> + label=_('IPA DNS version'),
>>>>>>> + ),
>>>>>>>
>>>>>>> Could we add a comment here that this option is accessible only from
>>>>>>> installers and upgrade?
>>>>>>>
>>>>>>> 5)
>>>>>>> + for config_option in container_entry.get("ipaConfigString", []):
>>>>>>> +     matched = re.match("^DNSVersion\s+(?P\d+)$",
>>>>>>> +                        config_option, flags=re.I)
>>>>>>> +     if matched:
>>>>>>> +         version = int(matched.group("version"))
>>>>>>>
>>>>>>> Shouldn't we print an error if the version cannot be parsed?
>>>>>>>
>>>>>>> PATCH * DNS upgrade: separate backup logic to make it reusable *
>>>>>>>
>>>>>>> LGTM
>>>>>>>
>>>>>>> PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *
>>>>>>>
>>>>>>> 7)
>>>>>>> I'm curious why you need to check superdomains?
>>>>>>>
>>>>>>> PATCH * DNS upgrade: change forwarding policy to = only for conflicting
>>>>>>> forward zones*
>>>>>>>
>>>>>>> 8)
>>>>>>> + self.log.debug('Zone %s was sucessfully modified to use '
>>>>>>> +                'forward policy "only"', zone['idnsname'][0])
>>>>>>> <---missing empty line---->
>>>>>>> + def execute(self, **options):
>>>>>>>
>>>>>>> PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if
>>>>>>> private IPs are used *
>>>>>>> 9)
>>>>>>> - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
>>>>>>> + dnsutil.related_to_auto_empty_zone(
>>>>>>> +     dnsutil.DNSName(zone.get('idnsname')[0]))
>>>>>>>
>>>>>>> Should be in previous commit
>>>>>>>
>>>>>>> 10)
>>>>>>> - return
>>>>>>> + return False, []
>>>>>>> This should be fixed in the previous commit
>>>>>>>
>>>>>>> PATCH * DNS upgrade: change global forwarding policy in named.conf to
>>>>>>> "only" if private IPs are used *
>>>>>>> 11)
>>>>>>> IMO this is an upgrade of configuration and this should be in
>>>>>>> ipaserver/install/server/upgrade.py, upgrade plugins are used only for
>>>>>>> updating of LDAP values
>>>>>>>
>>>>>>> Unless you really want to use this as a precedent, but then it requires
>>>>>>> broader discussion.
>>>>>>>
>>>>>>> 12)
>>>>>>>
>>>>>>> bind.named_conf_get_directive
>>>>>>> should be
>>>>>>> bindinstance.named_conf_get_directive
>>>>>>>
>>>>>>> see 1)
>>>>>> This new patchset completely obsoletes the old one. I had to reshuffle a few
>>>>>> things to make the split between server config & LDAP upgrade possible.
>>>>>>
>>>>>> Hopefully I addressed all your comments.
>>>>>>
>>>>> commits
>>>>> * Move IP address resolution from ipaserver.install.installutils to
>>>>> ipapython.dnsutil * and * Turn verify_host_resolvable() into a wrapper
>>>>> around ipapython.dnsutil *
>>>>>
>>>>> cause a regression in case the dns.python resolver returns a NoNameservers
>>>>> exception: it is handled as 'Internal server error'
>>>>>
>>>>> In the original code every exception was caught and transformed to
>>>>> DNSNotARecordError.
>>>>>
>>>>> So we have the following options:
>>>>> * keep the old behavior in 'resolve_rrsets' and catch all exceptions there
>>>>> * or catch all DNS errors in 'verify_host_resolvable' and raise it as a new
>>>>> PublicError (DNSGenericError (doesn't exist) for example)
>>>>>
>>>>>
>>>>> E InternalError: an internal error has occurred
>>>>>
>>>>> ../ipalib/rpc.py:1100: InternalError
>>>>> test_forwardzone_delegation_warnings.test_command[0017: dnsrecord_mod:
>>>>> Delete (using dnsrecord-mod) NS record which delegates zone
>>>>> u'fw.sub2.sub.dnszone.test.' from zone u'dnszone.test' (expected warning for
>>>>> u'fw.sub2.sub.dnszone.test.')]
>>>>>
>>>>> [Wed May 25 12:17:00.172143 2016] [wsgi:error] [pid 62789] Traceback (most recent call last):
>>>>> [Wed May 25 12:17:00.172152 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>>> [Wed May 25 12:17:00.172158 2016] [wsgi:error] [pid 62789]     result = self.Command[name](*args, **options)
>>>>> [Wed May 25 12:17:00.172164 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 434, in __call__
>>>>> [Wed May 25 12:17:00.172168 2016] [wsgi:error] [pid 62789]     return self.__do_call(*args, **options)
>>>>> [Wed May 25 12:17:00.172173 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 460, in __do_call
>>>>> [Wed May 25 12:17:00.172178 2016] [wsgi:error] [pid 62789]     ret = self.run(*args, **options)
>>>>> [Wed May 25 12:17:00.172183 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 777, in run
>>>>> [Wed May 25 12:17:00.172189 2016] [wsgi:error] [pid 62789]     return self.execute(*args, **options)
>>>>> [Wed May 25 12:17:00.172194 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3774, in execute
>>>>> [Wed May 25 12:17:00.172199 2016] [wsgi:error] [pid 62789]     result = super(dnsrecord_add, self).execute(*keys, **options)
>>>>> [Wed May 25 12:17:00.172204 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1230, in execute
>>>>> [Wed May 25 12:17:00.172209 2016] [wsgi:error] [pid 62789]     *keys, **options)
>>>>> [Wed May 25 12:17:00.172213 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3719, in pre_callback
>>>>> [Wed May 25 12:17:00.172229 2016] [wsgi:error] [pid 62789]     self.obj.run_precallback_validators(dn, entry_attrs, *keys, **options)
>>>>> [Wed May 25 12:17:00.172237 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3135, in run_precallback_validators
>>>>> [Wed May 25 12:17:00.172242 2016] [wsgi:error] [pid 62789]     rtype_cb(ldap, dn, entry_attrs, *keys, **options)
>>>>> [Wed May 25 12:17:00.172247 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3057, in _nsrecord_pre_callback
>>>>> [Wed May 25 12:17:00.172252 2016] [wsgi:error] [pid 62789]     check_ns_rec_resolvable(keys[0], DNSName(nsrecord), self.log)
>>>>> [Wed May 25 12:17:00.172256 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1577, in check_ns_rec_resolvable
>>>>> [Wed May 25 12:17:00.172261 2016] [wsgi:error] [pid 62789]     verify_host_resolvable(name)
>>>>> [Wed May 25 12:17:00.172265 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 70, in verify_host_resolvable
>>>>> [Wed May 25 12:17:00.172270 2016] [wsgi:error] [pid 62789]     if not resolve_ip_addresses(fqdn):
>>>>> [Wed May 25 12:17:00.172274 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 328, in resolve_ip_addresses
>>>>> [Wed May 25 12:17:00.172278 2016] [wsgi:error] [pid 62789]     rrsets = resolve_rrsets(fqdn, ['A', 'AAAA'])
>>>>> [Wed May 25 12:17:00.172282 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 305, in resolve_rrsets
>>>>> [Wed May 25 12:17:00.172287 2016] [wsgi:error] [pid 62789]     answer = dns.resolver.query(fqdn, rdtype)
>>>>> [Wed May 25 12:17:00.172292 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/dns/resolver.py", line 1029, in query
>>>>> [Wed May 25 12:17:00.172296 2016] [wsgi:error] [pid 62789]     raise_on_no_answer, source_port)
>>>>> [Wed May 25 12:17:00.172301 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/dns/resolver.py", line 856, in query
>>>>> [Wed May 25 12:17:00.172328 2016] [wsgi:error] [pid 62789]     raise NoNameservers(request=request, errors=errors)
>>>> Fixed patches are attached.
>>>>
>>>> Please note that I've renumbered the patches because the naming does not
>>>> match the original set anymore.
>>>>
>>> NACK
>>>
>>> # ipa-run-tests test_xmlrpc/test_host_plugin.py
>>> ============================= test session starts =============================
>>> platform linux2 -- Python 2.7.11, pytest-2.9.1, py-1.4.31, pluggy-0.3.1
>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
>>> plugins: sourceorder-0.5, multihost-1.0
>>> collected 41 items
>>>
>>> test_xmlrpc/test_host_plugin.py ...................F...........s.........
>>>
>>> ================================== FAILURES ===================================
>>> ______________________ TestCRUD.test_try_add_not_in_dns _______________________
>>>
>>> self = 0x7efc061e4110>, host = object at 0x7efc0623bb90>
>>>
>>>     def test_try_add_not_in_dns(self, host):
>>>         host.ensure_missing()
>>>         command = host.make_create_command(force=False)
>>>         with raises_exact(errors.DNSNotARecordError(
>>> >               reason=u'Host does not have corresponding DNS A/AAAA record')):
>>>
>>> test_xmlrpc/test_host_plugin.py:315:
>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>> ../ipalib/errors.py:264: in __init__
>>>     messages.process_message_arguments(self, format, message, **kw)
>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
>>>
>>> obj = DNSNotARecordError(), format = None, message = None, kw = {'reason':
>>> 'Host does not have corresponding DNS A/AAAA record'}, key = 'reason', value =
>>> 'Host does not have corresponding DNS A/AAAA record'
>>> name = 'DNSNotARecordError'
>>>
>>>     def process_message_arguments(obj, format=None, message=None, **kw):
>>>         for key, value in kw.items():
>>>             if not isinstance(value, six.integer_types):
>>>                 try:
>>>                     kw[key] = unicode(value)
>>>                 except UnicodeError:
>>>                     pass
>>>         obj.kw = kw
>>>         name = obj.__class__.__name__
>>>         if obj.format is not None and format is not None:
>>>             raise ValueError(
>>>                 'non-generic %r needs format=None; got format=%r' % (
>>>                     name, format)
>>>             )
>>>         if message is None:
>>>             if obj.format is None:
>>>                 if format is None:
>>>                     raise ValueError(
>>>                         '%s.format is None yet format=None, message=None'
>>>                         % name
>>>                     )
>>>                 obj.format = format
>>>             obj.forwarded = False
>>> >           obj.msg = obj.format % kw
>>> E           KeyError: 'hostname'
>> Sorry, this got lost in all the 'normal' failures :-)
>>
>> I do not 100% understand this test logic so I hope that the attached patch
>> fixes it correctly.
>>
>
> We broke the IPA 4.3 tests, the patch that fixes them is attached.

Oh yes, we forgot to backport it.

ACK.

-- 
Petr^2 Spacek

From mbasti at redhat.com Mon Jun 6 12:30:17 2016
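The upgrade logic this thread reviews (a DNSVersion value read from ipaConfigString, a related_to_auto_empty_zone() check that also looks at superdomains, and flipping the forward policy to "only" for forward zones that collide with BIND's automatic empty zones), as an added Python example. It is not FreeIPA's code: AUTO_EMPTY_ZONES is a constructed subset of the RFC 6303 list, the policy_version parameter and the reasoning for including superdomains are this example's assumptions, and the regex group name "version" is taken from the matched.group("version") call in the reviewed snippet.

```python
"""Added example (not FreeIPA's own code): which DNS forward zones must use
forward policy "only" because they overlap BIND's automatic empty zones,
gated on the DNSVersion value kept in ipaConfigString."""
import re

# Constructed subset of the RFC 6303 automatic empty zones that BIND serves
# by itself; the real list is longer, these are enough to exercise the check.
AUTO_EMPTY_ZONES = (
    "10.in-addr.arpa.",
    "168.192.in-addr.arpa.",
    "127.in-addr.arpa.",
    "254.169.in-addr.arpa.",
    "d.f.ip6.arpa.",
) + tuple("%d.172.in-addr.arpa." % n for n in range(16, 32))

# Group name "version" follows the matched.group("version") call in the
# reviewed snippet; the match is case-insensitive like the original re.I.
DNS_VERSION_RE = re.compile(r"^DNSVersion\s+(?P<version>\d+)$", re.I)


def _labels(name):
    """Lowercase labels of a DNS name; a trailing dot is ignored."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_subdomain(name, parent):
    """True if name equals parent or lies beneath it."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def related_to_auto_empty_zone(name):
    """True if name equals, lies beneath, or lies above an automatic empty
    zone. Superdomains are included (this example's reading of the check):
    a forward zone for in-addr.arpa covers every empty zone beneath it, so
    its forwarding conflicts with those zones just as a subdomain's does."""
    return any(is_subdomain(name, zone) or is_subdomain(zone, name)
               for zone in AUTO_EMPTY_ZONES)


def parse_dns_version(config_strings):
    """Return the DNSVersion recorded in ipaConfigString values, or None if
    no such value exists. A value that names DNSVersion but does not parse
    raises ValueError instead of being skipped silently (review item 5)."""
    version = None
    for value in config_strings:
        matched = DNS_VERSION_RE.match(value)
        if matched:
            version = int(matched.group("version"))
        elif value.lower().startswith("dnsversion"):
            raise ValueError("unparseable ipaConfigString value: %r" % value)
    return version


def plan_forward_policy_upgrade(config_strings, zones, policy_version):
    """List (idnsname, "only") for every forward zone that must change.

    zones: iterable of (idnsname, idnsforwardpolicy) pairs as read from LDAP.
    policy_version: constructed parameter, the DNSVersion from which the data
    is known to already satisfy the rule; at or past it nothing is changed.
    A missing DNSVersion is treated as older than any policy_version."""
    current = parse_dns_version(config_strings)
    if current is not None and current >= policy_version:
        return []
    return [(name, "only") for name, policy in zones
            if policy != "only" and related_to_auto_empty_zone(name)]


if __name__ == "__main__":
    # Constructed zone list: two RFC 1918 reverse zones, their common
    # superdomain, an unrelated zone, and one already using "only".
    sample_zones = [
        ("10.in-addr.arpa.", "first"),
        ("1.10.in-addr.arpa.", "first"),
        ("in-addr.arpa.", "first"),
        ("example.test.", "first"),
        ("168.192.in-addr.arpa.", "only"),
    ]
    for zone, policy in plan_forward_policy_upgrade(["DNSVersion 1"],
                                                    sample_zones, 2):
        print("%s -> forward policy %s" % (zone, policy))
```

Run stand-alone it reports the three zones that overlap an automatic empty zone and still use "first"; the unrelated zone and the zone already set to "only" are left alone. A malformed DNSVersion string raises instead of being treated as "no version", which is the failure mode review item 5 asks about.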
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 14:30:17 +0200
Subject: [Freeipa-devel] [PATCH 0123-132] DNS upgrade: change forwarding policy to "only" if private IPs are used
In-Reply-To: <22d07ff0-b861-207e-d72f-ae32a966fff7@redhat.com>
References: <511dce5e-4f52-6f29-9ea5-19d189885cbf@redhat.com> <269d1dec-6677-a6c6-5b79-df0d2ce697a7@redhat.com> <56c1e83f-5629-1da7-8090-ba55355c6bf9@redhat.com> <3cb48b3a-4261-1e2e-c4d0-7d2e14801c70@redhat.com> <22d07ff0-b861-207e-d72f-ae32a966fff7@redhat.com>
Message-ID:

On 06.06.2016 14:28, Petr Spacek wrote:
> On 6.6.2016 11:55, Martin Basti wrote:
>>
>> On 30.05.2016 12:49, Petr Spacek wrote:
>>> On 29.5.2016 14:45, Martin Basti wrote:
>>>> On 27.05.2016 14:12, Petr Spacek wrote:
>>>>> On 25.5.2016 12:50, Martin Basti wrote:
>>>>>> On 20.05.2016 12:19, Petr Spacek wrote:
>>>>>>> On 11.5.2016 12:08, Martin Basti wrote:
>>>>>>>> On 03.05.2016 14:59, Petr Spacek wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> DNS upgrade: change forwarding policy to "only" if private IPs are used.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5710
>>>>>>>>>
>>>>>>>>> This is the upgrade part. I will add one more patch to print a warning in
>>>>>>>>> dnsforwardzone* commands to avoid surprises. Please do not close the
>>>>>>>>> ticket yet.
>>>>>>>>>
>>>>>>>> 1)
>>>>>>>> Upgrade failed with 'BindInstance' object has no attribute
>>>>>>>> 'named_conf_get_directive'
>>>>>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
>>>>>>>> ipa-server-upgrade manually.
>>>>>>>> ('IPA upgrade failed.', 1)
>>>>>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>>>>>>> more information
>>>>>>>>
>>>>>>>> 2016-05-11T08:26:20Z ERROR Upgrade failed with 'BindInstance' object
>>>>>>>> has no attribute 'named_conf_get_directive'
>>>>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 213, in __upgrade
>>>>>>>>     self.modified = (ld.update(self.files) or self.modified)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 917, in update
>>>>>>>>     self._run_updates(all_updates)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 889, in _run_updates
>>>>>>>>     self._run_update_plugin(update['plugin'])
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 862, in _run_update_plugin
>>>>>>>>     restart_ds, updates = self.api.Updater[plugin_name]()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 1418, in __call__
>>>>>>>>     return self.execute(**options)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 547, in execute
>>>>>>>>     self.update_global_named_conf_forwarder(bind)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py", line 508, in update_global_named_conf_forwarder
>>>>>>>>     if bind.named_conf_get_directive(
>>>>>>>> AttributeError: 'BindInstance' object has no attribute
>>>>>>>> 'named_conf_get_directive'
>>>>>>>>
>>>>>>>> 2016-05-11T08:26:20Z DEBUG Traceback (most recent call last):
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
>>>>>>>>     run_step(full_msg, method)
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
>>>>>>>>     method()
>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 221, in __upgrade
>>>>>>>>     raise RuntimeError(e)
>>>>>>>> RuntimeError: 'BindInstance' object has no attribute
>>>>>>>> 'named_conf_get_directive'
>>>>>>>>
>>>>>>>> PATCH * Add ipaDNSVersion option to dnsconfig* commands and use new
>>>>>>>> attribute *
>>>>>>>> 2)
>>>>>>>> + Int('ipadnsversion?',
>>>>>>>> + label=_('IPA DNS version'),
>>>>>>>> + ),
>>>>>>>>
>>>>>>>> Shouldn't this be part of the System: Read DNS Configuration permission?
>>>>>>>>
>>>>>>>> 3)
>>>>>>>> - def postprocess_result(self, result):
>>>>>>>> + def postprocess_result(self, result, show_version):
>>>>>>>>       if not any(param in result['result'] for param in
>>>>>>>>                  self.params):
>>>>>>>>           result['summary'] = unicode(_('Global DNS configuration is
>>>>>>>> empty'))
>>>>>>>>
>>>>>>>> show_version param was added but I don't see it used in this patch.
>>>>>>>>
>>>>>>>> 4)
>>>>>>>> + Int('ipadnsversion?',
>>>>>>>> + label=_('IPA DNS version'),
>>>>>>>> + ),
>>>>>>>>
>>>>>>>> Could we add a comment here that this option is accessible only from
>>>>>>>> installers and upgrade?
>>>>>>>>
>>>>>>>> 5)
>>>>>>>> + for config_option in container_entry.get("ipaConfigString", []):
>>>>>>>> +     matched = re.match("^DNSVersion\s+(?P\d+)$",
>>>>>>>> +                        config_option, flags=re.I)
>>>>>>>> +     if matched:
>>>>>>>> +         version = int(matched.group("version"))
>>>>>>>>
>>>>>>>> Shouldn't we print an error if the version cannot be parsed?
>>>>>>>>
>>>>>>>> PATCH * DNS upgrade: separate backup logic to make it reusable *
>>>>>>>>
>>>>>>>> LGTM
>>>>>>>>
>>>>>>>> PATCH * Add function ipapython.dnsutil.related_to_auto_empty_zone() *
>>>>>>>>
>>>>>>>> 7)
>>>>>>>> I'm curious why you need to check superdomains?
>>>>>>>>
>>>>>>>> PATCH * DNS upgrade: change forwarding policy to = only for conflicting
>>>>>>>> forward zones*
>>>>>>>>
>>>>>>>> 8)
>>>>>>>> + self.log.debug('Zone %s was sucessfully modified to use '
>>>>>>>> +                'forward policy "only"', zone['idnsname'][0])
>>>>>>>> <---missing empty line---->
>>>>>>>> + def execute(self, **options):
>>>>>>>>
>>>>>>>> PATCH * DNS upgrade: change global forwarding policy in LDAP to "only" if
>>>>>>>> private IPs are used *
>>>>>>>> 9)
>>>>>>>> - dnsutil.related_to_auto_empty_zone(zone.get('idnsname')[0])
>>>>>>>> + dnsutil.related_to_auto_empty_zone(
>>>>>>>> +     dnsutil.DNSName(zone.get('idnsname')[0]))
>>>>>>>>
>>>>>>>> Should be in previous commit
>>>>>>>>
>>>>>>>> 10)
>>>>>>>> - return
>>>>>>>> + return False, []
>>>>>>>> This should be fixed in the previous commit
>>>>>>>>
>>>>>>>> PATCH * DNS upgrade: change global forwarding policy in named.conf to
>>>>>>>> "only" if private IPs are used *
>>>>>>>> 11)
>>>>>>>> IMO this is an upgrade of configuration and this should be in
>>>>>>>> ipaserver/install/server/upgrade.py, upgrade plugins are used only for
>>>>>>>> updating of LDAP values
>>>>>>>>
>>>>>>>> Unless you really want to use this as a precedent, but then it requires
>>>>>>>> broader discussion.
>>>>>>>>
>>>>>>>> 12)
>>>>>>>>
>>>>>>>> bind.named_conf_get_directive
>>>>>>>> should be
>>>>>>>> bindinstance.named_conf_get_directive
>>>>>>>>
>>>>>>>> see 1)
>>>>>>> This new patchset completely obsoletes the old one. I had to reshuffle a few
>>>>>>> things to make the split between server config & LDAP upgrade possible.
>>>>>>>
>>>>>>> Hopefully I addressed all your comments.
>>>>>>>
>>>>>> commits
>>>>>> * Move IP address resolution from ipaserver.install.installutils to
>>>>>> ipapython.dnsutil * and * Turn verify_host_resolvable() into a wrapper
>>>>>> around ipapython.dnsutil *
>>>>>>
>>>>>> cause a regression in case the dns.python resolver returns a NoNameservers
>>>>>> exception: it is handled as 'Internal server error'
>>>>>>
>>>>>> In the original code every exception was caught and transformed to
>>>>>> DNSNotARecordError.
>>>>>>
>>>>>> So we have the following options:
>>>>>> * keep the old behavior in 'resolve_rrsets' and catch all exceptions there
>>>>>> * or catch all DNS errors in 'verify_host_resolvable' and raise it as a new
>>>>>> PublicError (DNSGenericError (doesn't exist) for example)
>>>>>>
>>>>>>
>>>>>> E InternalError: an internal error has occurred
>>>>>>
>>>>>> ../ipalib/rpc.py:1100: InternalError
>>>>>> test_forwardzone_delegation_warnings.test_command[0017: dnsrecord_mod:
>>>>>> Delete (using dnsrecord-mod) NS record which delegates zone
>>>>>> u'fw.sub2.sub.dnszone.test.' from zone u'dnszone.test' (expected warning for
>>>>>> u'fw.sub2.sub.dnszone.test.')]
>>>>>>
>>>>>> [Wed May 25 12:17:00.172143 2016] [wsgi:error] [pid 62789] Traceback (most recent call last):
>>>>>> [Wed May 25 12:17:00.172152 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 350, in wsgi_execute
>>>>>> [Wed May 25 12:17:00.172158 2016] [wsgi:error] [pid 62789]     result = self.Command[name](*args, **options)
>>>>>> [Wed May 25 12:17:00.172164 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 434, in __call__
>>>>>> [Wed May 25 12:17:00.172168 2016] [wsgi:error] [pid 62789]     return self.__do_call(*args, **options)
>>>>>> [Wed May 25 12:17:00.172173 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 460, in __do_call
>>>>>> [Wed May 25 12:17:00.172178 2016] [wsgi:error] [pid 62789]     ret = self.run(*args, **options)
>>>>>> [Wed May 25 12:17:00.172183 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 777, in run
>>>>>> [Wed May 25 12:17:00.172189 2016] [wsgi:error] [pid 62789]     return self.execute(*args, **options)
>>>>>> [Wed May 25 12:17:00.172194 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3774, in execute
>>>>>> [Wed May 25 12:17:00.172199 2016] [wsgi:error] [pid 62789]     result = super(dnsrecord_add, self).execute(*keys, **options)
>>>>>> [Wed May 25 12:17:00.172204 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1230, in execute
>>>>>> [Wed May 25 12:17:00.172209 2016] [wsgi:error] [pid 62789]     *keys, **options)
>>>>>> [Wed May 25 12:17:00.172213 2016] [wsgi:error] [pid 62789]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3719, in
>>>>>>
pre_callback >>>>>> [Wed May 25 12:17:00.172229 2016] [wsgi:error] [pid 62789] >>>>>> self.obj.run_precallback_validators(dn, entry_attrs, *keys, **options) >>>>>> [Wed May 25 12:17:00.172237 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3135, in >>>>>> run_precallback_validators >>>>>> [Wed May 25 12:17:00.172242 2016] [wsgi:error] [pid 62789] rtype_cb(ldap, >>>>>> dn, >>>>>> entry_attrs, *keys, **options) >>>>>> [Wed May 25 12:17:00.172247 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 3057, in >>>>>> _nsrecord_pre_callback >>>>>> [Wed May 25 12:17:00.172252 2016] [wsgi:error] [pid 62789] >>>>>> check_ns_rec_resolvable(keys[0], DNSName(nsrecord), self.log) >>>>>> [Wed May 25 12:17:00.172256 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipalib/plugins/dns.py", line 1577, in >>>>>> check_ns_rec_resolvable >>>>>> [Wed May 25 12:17:00.172261 2016] [wsgi:error] [pid 62789] >>>>>> verify_host_resolvable(name) >>>>>> [Wed May 25 12:17:00.172265 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipalib/util.py", line 70, in >>>>>> verify_host_resolvable >>>>>> [Wed May 25 12:17:00.172270 2016] [wsgi:error] [pid 62789] if not >>>>>> resolve_ip_addresses(fqdn): >>>>>> [Wed May 25 12:17:00.172274 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 328, in >>>>>> resolve_ip_addresses >>>>>> [Wed May 25 12:17:00.172278 2016] [wsgi:error] [pid 62789] rrsets = >>>>>> resolve_rrsets(fqdn, ['A', 'AAAA']) >>>>>> [Wed May 25 12:17:00.172282 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/ipapython/dnsutil.py", line 305, in >>>>>> resolve_rrsets >>>>>> [Wed May 25 12:17:00.172287 2016] [wsgi:error] [pid 62789] answer = >>>>>> dns.resolver.query(fqdn, rdtype) >>>>>> [Wed May 25 12:17:00.172292 2016] [wsgi:error] [pid 62789] File 
>>>>>> "/usr/lib/python2.7/site-packages/dns/resolver.py", line 1029, in query >>>>>> [Wed May 25 12:17:00.172296 2016] [wsgi:error] [pid 62789] >>>>>> raise_on_no_answer, >>>>>> source_port) >>>>>> [Wed May 25 12:17:00.172301 2016] [wsgi:error] [pid 62789] File >>>>>> "/usr/lib/python2.7/site-packages/dns/resolver.py", line 856, in query >>>>>> [Wed May 25 12:17:00.172328 2016] [wsgi:error] [pid 62789] raise >>>>>> NoNameservers(request=request, errors=errors) >>>>> Fixed patches are attached. >>>>> >>>>> >>>>> Please note that I've renumbered the patches because the naming does not >>>>> match >>>>> the original set anymore. >>>>> >>>> NACK >>>> >>>> # ipa-run-tests test_xmlrpc/test_host_plugin.py >>>> =============================================================================================== >>>> >>>> test session starts >>>> =============================================================================================== >>>> >>>> >>>> platform linux2 -- Python 2.7.11, pytest-2.9.1, py-1.4.31, pluggy-0.3.1 >>>> rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini >>>> plugins: sourceorder-0.5, multihost-1.0 >>>> collected 41 items >>>> >>>> test_xmlrpc/test_host_plugin.py ...................F...........s......... 
>>>> >>>> ==================================================================================================== >>>> >>>> FAILURES >>>> ===================================================================================================== >>>> >>>> >>>> ________________________________________________________________________________________ >>>> >>>> TestCRUD.test_try_add_not_in_dns >>>> _________________________________________________________________________________________ >>>> >>>> >>>> >>>> self = >>> 0x7efc061e4110>, host = >>> object at 0x7efc0623bb90> >>>> >>>> def test_try_add_not_in_dns(self, host): >>>> host.ensure_missing() >>>> command = host.make_create_command(force=False) >>>> with raises_exact(errors.DNSNotARecordError( >>>>> reason=u'Host does not have corresponding DNS A/AAAA >>>>> record')): >>>> test_xmlrpc/test_host_plugin.py:315: >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> ../ipalib/errors.py:264: in __init__ >>>> messages.process_message_arguments(self, format, message, **kw) >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ >>>> >>>> obj = DNSNotARecordError(), format = None, message = None, kw = {'reason': >>>> 'Host does not have corresponding DNS A/AAAA record'}, key = 'reason', value = >>>> 'Host does not have corresponding DNS A/AAAA record' >>>> name = 'DNSNotARecordError' >>>> >>>> def process_message_arguments(obj, format=None, message=None, **kw): >>>> for key, value in kw.items(): >>>> if not isinstance(value, six.integer_types): >>>> try: >>>> kw[key] = unicode(value) >>>> except UnicodeError: >>>> pass >>>> obj.kw = kw >>>> name = obj.__class__.__name__ >>>> if obj.format 
is not None and format is not None: >>>> raise ValueError( >>>> 'non-generic %r needs format=None; got format=%r' % ( >>>> name, format) >>>> ) >>>> if message is None: >>>> if obj.format is None: >>>> if format is None: >>>> raise ValueError( >>>> '%s.format is None yet format=None, message=None' >>>> % name >>>> ) >>>> obj.format = format >>>> obj.forwarded = False >>>>> obj.msg = obj.format % kw >>>> E KeyError: 'hostname'
>>> Sorry, this got lost in all the 'normal' failures :-)
>>>
>>> I do not 100% understand this test logic so I hope that the attached patch fixes
>>> it correctly.
>>>
>> We broke IPA 4.3 tests, a patch that fixes them is attached.
> Oh yes, we forgot to backport it. ACK.
> Pushed to ipa-4-3: 8f6db8ffe69c0e14c97f5bdc2c0635c95f1fa225

From mbasti at redhat.com Mon Jun 6 12:33:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 14:33:29 +0200
Subject: [Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember
Message-ID:

https://fedorahosted.org/freeipa/ticket/5923

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4-3-mbasti-0497-Py3-Fix-unicode-str-error-in-LDAP-ReverseMember.patch
Type: text/x-patch
Size: 2315 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0497-Py3-Fix-unicode-str-error-in-LDAP-ReverseMember.patch
Type: text/x-patch
Size: 2326 bytes
Desc: not available
URL:

From frenaud at redhat.com Mon Jun 6 12:47:04 2016
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Mon, 6 Jun 2016 14:47:04 +0200 Subject: [Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error Message-ID: <2646f4ce-dfe2-4916-e8e1-f86bfbd118b3@redhat.com> Hi, please find attached the patch for Ticket 5434 add context to exception on LdapEntry decode error https://fedorahosted.org/freeipa/ticket/5434 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0006-add-context-to-exception-on-LdapEntry-decode-error.patch Type: text/x-patch Size: 2504 bytes Desc: not available URL: From ftweedal at redhat.com Mon Jun 6 13:25:38 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 6 Jun 2016 23:25:38 +1000 Subject: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals In-Reply-To: <20160601044906.GY4744@dhcp-40-8.bne.redhat.com> References: <20160408142339.GV18277@dhcp-40-8.bne.redhat.com> <1460126839.7463.195.camel@redhat.com> <20160409001100.GY18277@dhcp-40-8.bne.redhat.com> <1460467890.8657.25.camel@redhat.com> <20160413011550.GI18277@dhcp-40-8.bne.redhat.com> <20160414063300.GN18277@dhcp-40-8.bne.redhat.com> <1461008648.30315.24.camel@redhat.com> <20160420062254.GE18277@dhcp-40-8.bne.redhat.com> <98e01be1-16c2-5f3c-6f95-a6e6447a1f1f@redhat.com> <20160601044906.GY4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160606132538.GK4744@dhcp-40-8.bne.redhat.com> On Wed, Jun 01, 2016 at 02:49:06PM +1000, Fraser Tweedale wrote: > Updated patch attached; comments inline below. > > On Mon, Apr 25, 2016 at 07:55:46AM +0200, Jan Cholasta wrote: > > I think it would be better to merge the `client` and `client_servicename` > > into a single `client_principal` argument, as both of the arguments are used > > only to specify the principal name of the client. > > > Done. > > > Also I would prefer if the keyfile and keytab arguments were required, > > because it's better if you can explicitly see what values are used at the > > call site. > > > Done. > > > Why is init_creds() now called from __init__()? Why is it still called from > > _auth_header()? > > > I invoke it from __init__ for more eager failure if there's a > problem (e.g. service is not in keytab), giving better error > locality. > > It remains necessary to invoke it from _auth_header in case of > short-lived credentials. I added some comments to the source. > > > Why is ldap_uri now passed to IPAKEMKeys()? > > > It tries to use LDAPI by default, so ldap_uri needs to be passed > through if process owner cannot access LDAPI socket. I added > commentary to source. 
> > Regarding your suggestion to make a base class and override class > variables, I prefer to pass values around. There are very few > instantiations of CustodiaClient so it is easy enough to follow. > Self-NACK on 0051-4; rebased and updated patch attached. Only one substantive change, in custodiainstance.py: - client_service='host@' + self.fqdn, + client_service='host@%s' % self.fqdn, First version broke uninstall because CustodiaInstance gets initialised with 'host_name = None' and '+' doesn't like None. -------------- next part -------------- From a3387063510cf3b99fe3bfc0fe695671393f2f79 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 8 Apr 2016 15:21:19 +1000 Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals Currently CustodiaClient assumes that the client is the host principal, and it is hard-coded to read the host keytab and server keys. For the Lightweight CAs feature, Dogtag on CA replicas will use CustodiaClient to retrieve signing keys from the originating replica. Because this process runs as 'pkiuser', the host keys cannot be used; instead, each Dogtag replica will have a service principal to use for Custodia authentication. Update CustodiaClient to require specifying the client keytab and Custodia keyfile to use, and change the client argument to be a full GSS service name (instead of hard-coding host service) to load from the keytab. Update call sites accordingly. Also pass the given 'ldap_uri' argument through to IPAKEMKeys because without it, the client tries to use LDAPI, but may not have access. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipapython/secrets/client.py | 20 +++++++++++++------- ipaserver/install/custodiainstance.py | 14 +++++++++++--- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py index 5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..56ed6f7944c46393ed225cde1b5e0bb80fe6bef0 100644 --- a/ipapython/secrets/client.py 
+++ b/ipapython/secrets/client.py @@ -41,16 +41,22 @@ class CustodiaClient(object): return iSecStore(config) - def __init__(self, client, server, realm, ldap_uri=None, auth_type=None): - self.client = client - self.creds = None + def __init__( + self, client_service, keyfile, keytab, server, realm, + ldap_uri=None, auth_type=None): + self.client_service = client_service + self.keytab = keytab + + # Init creds immediately to make sure they are valid. Creds + # can also be re-inited by _auth_header to avoid expiry. + # + self.creds = self.init_creds() self.service_name = gssapi.Name('HTTP@%s' % (server,), gssapi.NameType.hostbased_service) self.server = server - keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys') - self.ikk = IPAKEMKeys({'server_keys': keyfile}) + self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri}) self.kemcli = KEMClient(self._server_keys(server, realm), self._client_keys()) @@ -61,9 +67,9 @@ class CustodiaClient(object): requests.packages.urllib3.disable_warnings() def init_creds(self): - name = gssapi.Name('host@%s' % (self.client,), + name = gssapi.Name(self.client_service, gssapi.NameType.hostbased_service) - store = {'client_keytab': paths.KRB5_KEYTAB, + store = {'client_keytab': self.keytab, 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))} return gssapi.Credentials(name=name, store=store, usage='initiate') diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index d5c5bf738752ab4cf84f98285a37b820c80fa3be..fd30430bbf9c39e7153986999199474cfca60d09 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -12,6 +12,7 @@ from ipaserver.install import ldapupdate from ipaserver.install import sysupgrade from base64 import b64encode, b64decode from jwcrypto.common import json_decode +import functools import shutil import os import tempfile 
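Review bot: two points on the client.py hunks. First, the `__init__` hunk now always puts an `ldap_uri` key into the IPAKEMKeys config, set to None when the caller passed nothing; confirm that IPAKEMKeys treats an explicit None the same as an absent key (the kem.py patch later in this thread builds `IPAKEMKeys({'server_keys': keyfile})` without it and hands `self.ldap_uri` straight to `KEMLdap`), or add the key only when `ldap_uri is not None`. Second, the positional order changed from `(client, server, realm, ...)` to `(client_service, keyfile, keytab, server, realm, ...)`, so a caller still passing `(fqdn, server, realm)` positionally would bind the hostname to `client_service` and the server to `keyfile` with no type error; the call sites in this patch all use keywords, which is right, and a short docstring on `__init__` saying that `client_service` is a GSSAPI hostbased name of the form `service@host` would make the new contract visible. On the custodiainstance.py hunks that follow: the `functools.partial` in `__init__` bakes `client_service='host@%s' % self.fqdn` in eagerly, so when the instance is created with `host_name=None` (the uninstall case described in the reply above) it silently carries the principal `host@None`, and any fetch on that path would fail inside `gssapi.Name` rather than with a clear message; an `assert self.fqdn is not None` in the three call sites, or building the client in a small helper called from them, would make that explicit. The partial also captures `self.server_keys` at construction time, and that attribute is not assigned in the visible context lines; confirm it is set earlier in `__init__`.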
@@ -28,6 +29,13 @@ class CustodiaInstance(SimpleServiceInstance): self.fqdn = host_name self.realm = realm self.ca_is_configured = ca_is_configured + self.__CustodiaClient = functools.partial( + CustodiaClient, + client_service='host@%s' % self.fqdn, + keyfile=self.server_keys, + keytab=paths.KRB5_KEYTAB, + realm=realm, + ) def __config_file(self): template_file = os.path.basename(self.config_file) + '.template' @@ -94,11 +102,11 @@ class CustodiaInstance(SimpleServiceInstance): updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')]) def __import_ra_key(self): - cli = CustodiaClient(self.fqdn, self.master_host_name, self.realm) + cli = self.__CustodiaClient(server=self.master_host_name) cli.fetch_key('ra/ipaCert') def import_dm_password(self, master_host_name): - cli = CustodiaClient(self.fqdn, master_host_name, self.realm) + cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): @@ -108,7 +116,7 @@ class CustodiaInstance(SimpleServiceInstance): prefix = data['prefix'] certlist = data['list'] - cli = CustodiaClient(self.fqdn, ca_host, self.realm) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb tmpnssdir = tempfile.mkdtemp(dir=paths.TMP) -- 2.5.5 From ftweedal at redhat.com Mon Jun 6 13:32:09 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 6 Jun 2016 23:32:09 +1000
Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication
In-Reply-To: <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com>
References: <20160414063937.GO18277@dhcp-40-8.bne.redhat.com> <20160421033003.GH18277@dhcp-40-8.bne.redhat.com> <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com>
Message-ID: <20160606133208.GL4744@dhcp-40-8.bne.redhat.com>

On Wed, Jun 01, 2016 at 02:49:29PM +1000, Fraser Tweedale wrote:
> Updated patches attached; comments inline.
>
> On Thu, May 05, 2016 at 04:52:29PM +1000, Fraser Tweedale wrote:
> > > I would rather add a new ACI than have one super-ACI for everything. That
> > > way you don't have to invent any complicated naming schemes *and* it will be
> > > more apparent what the ACI does.
> > >
> > OK, I'll simplify the scheme and create corresponding ACIs.
> >
> I added new ACIs for hosts to manage Dogtag keys; the keys live in
> a container with RDN cn=dogtag, nested under the main custodia keys
> container.
>
> > > >>However, calling `CAInstance.setup_lightweight_ca_key_retrieval()'
> > > >>*directly* from `ca.install_step_1' would probably work. Are you
> > > >>happy with putting it there, instead of `configure_instance()'?
> > >
> > > Works for me.
> > >
> > Cool, thanks.
> >
> This is implemented in the latest patch.
>
Rebased and updated patches attached. The only substantive change is a
simplification of the ipa-pki-retrieve-key script (patch 0054) following
a change in Dogtag's ExternalProcessKeyRetriever (it now handles JSON).

Thanks,
Fraser
-------------- next part --------------
From 1a88facefdbfd1bccc3177a8777f417cdaa4ced7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Tue, 3 May 2016 13:22:39 +1000 Subject: [PATCH] Add ACIs for Dogtag custodia client The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to retrieve lightweight CA signing keys, and therefore needs search and read access to Custodia keys. Add an ACI to permit this. Also add ACIs to allow host principals to manage Dogtag custodia keys for the same host. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- install/updates/20-aci.update | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update index 4802ae0458e8b870bf3127764ebabac1a48f7cf2..0d617d849be8a1fdc76bdeeda7560b032a45e629 100644 --- a/install/updates/20-aci.update +++ b/install/updates/20-aci.update 
@@ -136,3 +136,11 @@ add:aci: (target = "ldap:///cn=replication,cn=etc,$SUFFIX")(targetattr = "nsDS5R dn: cn=ipa,cn=etc,$SUFFIX add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create own Custodia secrets"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia secrets"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# IPA server hosts can create and manage Dogtag Custodia secrets for same host +dn: cn=ipa,cn=etc,$SUFFIX +add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA server hosts can create Dogtag Custodia secrets for same host"; allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) +add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia secrets for same host"; allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX" and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) + +# Dogtag service principals can search Custodia keys +add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";) -- 2.5.5 -------------- next part -------------- 
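Review bot: the last stanza in this hunk ('# Dogtag service principals can search Custodia keys') starts with `add:aci:` after a blank line and has no `dn:` line; every other stanza in 20-aci.update opens with `dn: cn=ipa,cn=etc,$SUFFIX`, so add one here rather than relying on the updater carrying the previous entry's DN across the blank line. On the content: this ACI grants read, search and compare on `ipaPublicKey || ipaKeyUsage || memberPrincipal` under `cn=*,cn=custodia,...` to every `dogtag/*@$REALM` principal, so a Dogtag instance on one replica can read the public keys and principal membership of all hosts and services, not only its own. Since only public key material is exposed this is acceptable, but a one-line comment saying so (and that the two host ACIs above remain the only write path, scoped by the `($$dn)` macro to the same host) would save the next reader the check. Also confirm that a target of `cn=*,cn=custodia,...` covers the entries one level deeper under `cn=dogtag,cn=custodia,...`, since the 0053 patch in this series places service keys there and relies on subtree search to find them.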
From b8df17c8a42a144907c76d949ec25d5a61526ed4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 11 Apr 2016 12:42:35 +1000 Subject: [PATCH 53/54] Optionally add service name to Custodia key DNs Lightweight CAs support introduces new service principals for Dogtag, with Custodia keys. The current Custodia key creation uses a DN that contains only they key type and the hostname, so keys for multiple services on the same host cannot be created. Add the 'generate_keys' method to generate keys for a host or an arbitrary service. When a service name is given, add the key entries in a nested container with RDN 'cn='. (The container is assumed to exist). This change does not affect searching because subtree search is used, filtering on the ipaKeyUsage and memberPrincipal attributes. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipapython/secrets/kem.py | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py index 0abf28ae4403a7b6225404df361d12cb07ccc70b..0b810b090a0e7dff09d64a5ef8752eba2676babc 100644 --- a/ipapython/secrets/kem.py +++ b/ipapython/secrets/kem.py @@ -3,6 +3,7 @@ from __future__ import print_function from ipaplatform.paths import paths from six.moves.configparser import ConfigParser +from ipapython.dn import DN from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa, ec 
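Review bot: in the `set_key` hunk below, `servicename` is inserted as the second positional parameter between `usage` and `host`, so any caller outside this diff still using `set_key(usage, host, principal, key)` would bind the hostname to `servicename` and the principal to `host`, and then try to write the key under a nonexistent `cn=<hostname>` container, failing far from the real mistake. Making it a trailing keyword argument (`servicename=None`) keeps the old calls valid; the two updated calls in `generate_keys` pass everything positionally and would read better as keywords, which also brings those lines back under 79 columns. The docstring says 'The container is assumed to exist'; when it does not, the `add` fails with a directory error that never mentions the missing `cn=dogtag` container, so catching that case and naming the container (created by 73-custodia.update and bootstrap-template.ldif in the next patch) would make a mis-ordered upgrade easier to diagnose.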
@@ -105,11 +106,23 @@ class KEMLdap(iSecLdap): encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo) - def set_key(self, usage, host, principal, key): + def set_key(self, usage, servicename, host, principal, key): + """ + Write key for the host or service. + + Service keys are nested one level beneath the 'cn=custodia' + container, in the 'cn=' container; this allows + fine-grained control over key management permissions for + specific services. + + The container is assumed to exist. + + """ public_key = self._format_public_key(key) conn = self.connect() name = '%s/%s' % (KEY_USAGE_MAP[usage], host) - dn = 'cn=%s,%s' % (name, self.keysbase) + service_rdn = ('cn', servicename) if servicename else DN() + dn = str(DN(('cn', name), service_rdn, self.keysbase)) try: mods = [('objectClass', ['nsContainer', 'ipaKeyPolicy', @@ -170,15 +183,18 @@ class IPAKEMKeys(KEMKeysStore): return conn.get_key(usage, kid) def generate_server_keys(self): - principal = 'host/%s@%s' % (self.host, self.realm) + self.generate_keys() + + def generate_keys(self, servicename=None): + principal = '%s/%s@%s' % (servicename or 'host', self.host, self.realm) # Neutralize the key with read if any self._server_keys = None # Generate private key and store it pubkeys = newServerKeys(self.config['server_keys'], principal) # Store public key in LDAP ldapconn = KEMLdap(self.ldap_uri) - ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0]) - ldapconn.set_key(KEY_USAGE_ENC, self.host, principal, pubkeys[1]) + ldapconn.set_key(KEY_USAGE_SIG, servicename, self.host, principal, pubkeys[0]) + ldapconn.set_key(KEY_USAGE_ENC, servicename, self.host, principal, pubkeys[1]) @property def server_keys(self): -- 2.5.5 -------------- next part -------------- From 15b322874ec6cd16a12ef2f06724490fcb847937 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 1 Jun 2016 08:07:33 +1000 Subject: [PATCH 54/54] Setup lightweight CA key retrieval on install/upgrade Add the ipa-pki-retrieve-key helper program and configure lightweight CA key replication on installation and upgrade. The specific configuration steps are: - Add the 'dogtag/$HOSTNAME' service principal - Create the pricipal's Custodia keys - Retrieve the principal's keytab - Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke ipa-pki-retrieve-key for key retrieval Part of: https://fedorahosted.org/freeipa/ticket/4559 --- freeipa.spec.in | 1 + install/share/bootstrap-template.ldif | 6 ++++ install/tools/Makefile.am | 1 + install/tools/ipa-pki-retrieve-key | 33 +++++++++++++++++++++ install/updates/73-custodia.update | 5 ++++ ipalib/constants.py | 1 + ipaserver/install/ca.py | 9 +++++- ipaserver/install/cainstance.py | 56 +++++++++++++++++++++++++++++++++++ ipaserver/install/server/install.py | 6 ++-- ipaserver/install/server/upgrade.py | 4 ++- 10 files changed, 117 insertions(+), 5 deletions(-) create mode 100755 install/tools/ipa-pki-retrieve-key diff --git a/freeipa.spec.in b/freeipa.spec.in index d5d78f806607bfd61daab43f50dba8caa6d0661c..b42987de2fbdd6923303d6856cc46146500b0532 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1074,6 +1074,7 @@ fi %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-pki-retrieve-key %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 83be4399508a905f8eae7e2f59140a6b4051b661..f6ab35495ad7e9377404eb7a6b0bca26906f5421 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -179,6 +179,12 @@ objectClass: nsContainer objectClass: top cn: custodia +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: dogtag + dn: cn=s4u2proxy,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 7212dabdbf968ee76cb2830e5054fe1a27712225..2866a30b2feacfec29a22eaf7965216fbbd69665 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -39,6 +39,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ ipa-httpd-kdcproxy \ + ipa-pki-retrieve-key \ $(NULL) MAINTAINERCLEANFILES = \ diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key new file mode 100755 index 0000000000000000000000000000000000000000..0bfa877b049a3c136a13ac92289c8836d145adf1 --- /dev/null +++ b/install/tools/ipa-pki-retrieve-key @@ -0,0 +1,33 @@ +#!/usr/bin/python2 + +from __future__ import print_function + +import ConfigParser +import os +import sys + +from ipalib import constants +from ipaplatform.paths import paths +from ipapython.secrets.client import CustodiaClient + +conf = ConfigParser.ConfigParser() +conf.read(paths.IPA_DEFAULT_CONF) +hostname = conf.get('global', 'host') +realm = conf.get('global', 'realm') + +keyname = "ca_wrapped/" + sys.argv[1] +servername = sys.argv[2] + +service = constants.PKI_GSSAPI_SERVICE_NAME +client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') +client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + +client = CustodiaClient( + client_service='%s@%s' % (service, hostname), server=servername, + realm=realm, ldap_uri="ldaps://" + hostname, + keyfile=client_keyfile, keytab=client_keytab, + ) + +# Print the response JSON to stdout; it is already in the format +# that Dogtag's ExternalProcessKeyRetriever expects +print(client.fetch_key(keyname, store=False)) 
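Review bot: the new ipa-pki-retrieve-key script reads `sys.argv[1]` and `sys.argv[2]` with no argument check and concatenates the first straight into the Custodia key name (`"ca_wrapped/" + sys.argv[1]`); add a usage check for exactly two arguments and reject an empty value or one containing `/`, so that a malformed invocation fails with a clear message instead of a traceback or a lookup of an unintended key path. The exposure is bounded, since Dogtag's ExternalProcessKeyRetriever is the only caller and the `dogtag/` principal's reach is limited by the ACIs in the previous patch, but the check is cheap. Two smaller points: `import ConfigParser` and the `#!/usr/bin/python2` shebang are Python-2-only while the rest of this series uses `six.moves.configparser` (see kem.py), and `ldap_uri="ldaps://" + hostname` is needed here because pkiuser cannot use the LDAPI socket, which deserves a comment, as the same reasoning was given for passing `ldap_uri` through in patch 0051.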
diff --git a/install/updates/73-custodia.update b/install/updates/73-custodia.update index f6520fb2e36dd1b234344a8cc4199ab72c664163..60f805ab82f141777c0d7731d4a0362e76961cce 100644 --- a/install/updates/73-custodia.update +++ b/install/updates/73-custodia.update @@ -2,3 +2,8 @@ dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX default: objectClass: top default: objectClass: nsContainer default: cn: custodia + +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +default: objectClass: top +default: objectClass: nsContainer +default: cn: dogtag diff --git a/ipalib/constants.py b/ipalib/constants.py index a2cbfdbcda07429478f97c62cc6896890f2f7979..97dff1d805a4f77469882103ab63cdb0fa55a024 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -264,3 +264,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' +PKI_GSSAPI_SERVICE_NAME = 'dogtag' diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 3a827aee86616d874bdc3d1a5735e46d1ab9bf9b..ac72c76883fda00e2f258a9ecfe9925722041fe9 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -182,7 +182,7 @@ def install_step_1(standalone, replica_config, options): basedn = ipautil.realm_to_suffix(realm_name) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') 
@@ -197,6 +197,13 @@ def install_step_1(standalone, replica_config, options): # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) + # Lightweight CA key retrieval is configured in step 1 instead + # of CAInstance.configure_instance (which is invoked from step + # 0) because kadmin_addprinc fails until krb5.conf is installed + # by krb.create_instance. + # + ca.setup_lightweight_ca_key_retrieval() + if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 475e74d7fbf796a87e1673fc997c05e41e352d2a..9f6a5037f92ad0168e80267999c7fbf5b7634ae0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -45,6 +45,7 @@ from six.moves.configparser import ConfigParser, RawConfigParser from ipalib import api from ipalib import pkcs10, x509 from ipalib import errors +import ipalib.constants from ipaplatform import services from ipaplatform.constants import constants @@ -59,6 +60,7 @@ from ipapython.certdb import get_ca_nickname from ipapython.dn import DN from ipapython.ipa_log_manager import log_mgr,\ standard_logging_setup, root_logger +from ipapython.secrets.kem import IPAKEMKeys from ipaserver.install import certs from ipaserver.install import dsinstance @@ -66,6 +68,7 @@ from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import service +from ipaserver.install import sysupgrade from ipaserver.install.dogtaginstance import (export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 
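Review bot: the cainstance.py import hunks add `import ipalib.constants` next to the existing `from ipaplatform.constants import constants`, two unrelated modules both called constants; the patch sidesteps the clash by writing `ipalib.constants.PKI_GSSAPI_SERVICE_NAME` at the use sites, but `from ipalib.constants import PKI_GSSAPI_SERVICE_NAME` would make the distinction obvious where it is read. In the ca.py hunk, the comment explaining why the call sits in `install_step_1` rather than step 0 is exactly the kind of ordering note that otherwise gets lost; keep it.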
@@ -1356,11 +1359,64 @@ class CAInstance(DogtagInstance): self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) + self.step("Configure lightweight CA key retrieval", + self.setup_lightweight_ca_key_retrieval) self.step("enabling CA instance", self.__enable_instance) self.start_creation(runtime=210) + def setup_lightweight_ca_key_retrieval(self): + if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'): + return + + root_logger.info('[Set up lightweight CA key retrieval]') + + self.__setup_lightweight_ca_key_retrieval_kerberos() + self.__setup_lightweight_ca_key_retrieval_custodia() + + root_logger.info('Configuring key retriever') + directives = [ + ('features.authority.keyRetrieverClass', + 'com.netscape.ca.ExternalProcessKeyRetriever'), + ('features.authority.keyRetrieverConfig.executable', + '/usr/libexec/ipa/ipa-pki-retrieve-key'), + ] + for k, v in directives: + installutils.set_directive( + paths.CA_CS_CFG_PATH, k, v, quotes=False, separator='=') + + sysupgrade.set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True) + + def __setup_lightweight_ca_key_retrieval_kerberos(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + principal = '{}/{}@{}'.format(service, api.env.host, self.realm) + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating principal') + installutils.kadmin_addprinc(principal) + self.suffix = ipautil.realm_to_suffix(self.realm) + if not self.admin_conn: + self.ldap_connect() + self.move_service(principal) + + root_logger.info('Retrieving keytab') + keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + installutils.create_keytab(keytab, principal) + os.chmod(keytab, 0o600) + os.chown(keytab, pent.pw_uid, pent.pw_gid) + + def __setup_lightweight_ca_key_retrieval_custodia(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating 
Custodia keys') + keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') + keystore = IPAKEMKeys({'server_keys': keyfile}) + keystore.generate_keys(service) + os.chmod(keyfile, 0o600) + os.chown(keyfile, pent.pw_uid, pent.pw_gid) + def replica_ca_install_check(config): if not config.setup_ca: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 4b8ef048618823387481fdde53609e526bf3f244..e8d4db878207e3369dc1de7baeaa333c5374fc61 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -891,9 +891,6 @@ def install(installer): # we now need to enable ssl on the ds ds.enable_ssl() - if setup_ca: - ca.install_step_1(False, None, options) - krb = krbinstance.KrbInstance(fstore) if options.pkinit_cert_files: krb.create_instance(realm_name, host_name, domain_name, @@ -907,6 +904,9 @@ def install(installer): setup_pkinit=not options.no_pkinit, subject_base=options.subject) + if setup_ca: + ca.install_step_1(False, None, options) + # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2398aea90bb1def6ab1534d3640a6bfa20a6b237..1a1090f0c767238062916ec715a59983ddc59fdb 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1492,7 +1492,8 @@ def upgrade_configuration(): if subject_base: sub_dict['SUBJECT_BASE'] = subject_base - ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca = cainstance.CAInstance( + api.env.realm, certs.NSS_DIR, host_name=api.env.host) ca_running = ca.is_running() with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): 
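Review bot: in the cainstance.py hunk, setup_lightweight_ca_key_retrieval reads and writes two different upgrade-state keys, so its idempotence guard never fires: it returns early on `sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval')` but records completion as `sysupgrade.set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True)` (note 'retieval'). Every later call, including the one this patch adds to upgrade_configuration, will re-run kadmin_addprinc for the already created principal, re-create the keytab under paths.PKI_TOMCAT and regenerate the Custodia key file; fix the spelling and keep the state key in a single constant so the two calls cannot drift again. Two smaller points in the same hunk: '/usr/libexec/ipa/ipa-pki-retrieve-key' is hardcoded while every other path in this file comes from `paths`, and both the keytab and the .keys file are written first and only afterwards chmod'ed to 0o600, so create them with a restrictive mode (or umask) rather than tightening after the content is already on disk.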
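Review bot: in the ca.py hunk the comment documents that setup_lightweight_ca_key_retrieval has to run after krb.create_instance, but install_step_1 does not check that prerequisite, and the same method is also registered as a step ("Configure lightweight CA key retrieval") in the cainstance.py step list, so a reader cannot tell which install path (standalone, replica with replica_config, upgrade) is meant to reach which entry point, and nothing but the upgrade-state guard prevents it from running twice on one host. Please say in this comment which paths use each call, and either assert the prerequisite (for example that the krb5.conf the comment refers to exists) or make the first failure name the missing dependency instead of surfacing as a bare kadmin error.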
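Review bot: the install.py hunk moves `ca.install_step_1(False, None, options)` below `krb.create_instance(...)` without any comment, while the reason for the ordering lives only in ca.py; add a one-line comment at the new call site (e.g. "must follow krb.create_instance: step 1 now runs kadmin_addprinc") so the ordering is not silently reverted by a later refactor that sees two apparently independent calls.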
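Review bot: the upgrade.py hunk at line 1492 passes `host_name=api.env.host` to the CAInstance constructor, yet the new __setup_lightweight_ca_key_retrieval_kerberos builds the principal from `api.env.host` directly rather than from the host name the instance was constructed with; use one source for both (the constructor argument, since CAInstance now receives it) so the principal, the keytab and the rest of the instance cannot disagree when a caller passes a different host_name.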
@@ -1697,6 +1698,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() + ca.setup_lightweight_ca_key_retrieval() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 From pvomacka at redhat.com Mon Jun 6 14:17:03 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 6 Jun 2016 16:17:03 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts Message-ID: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> Hello, please review attached patch. Ticket: https://fedorahosted.org/freeipa/ticket/5931 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0041-Add-lists-of-hosts-allowed-to-create-or-retrieve-key.patch Type: text/x-patch Size: 2847 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 6 14:26:40 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 16:26:40 +0200 Subject: [Freeipa-devel] [PATCH 0499] Pylint: exclude some files/dirs from check Message-ID: See commit message, yacctab.py causes lint errors and must be excluded Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0499-Exclude-unneeded-dirs-and-files-from-pylint-check.patch Type: text/x-patch Size: 1360 bytes Desc: not available URL: From tbordaz at redhat.com Mon Jun 6 15:24:16 2016 
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 6 Jun 2016 17:24:16 +0200
Subject: [Freeipa-devel] ipapwd_extop vs password_extop
In-Reply-To: <20160606090749.yljbo6zrfxgcda7m@redhat.com>
References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com>
Message-ID: <575595A0.2080203@redhat.com>

On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
> On Mon, 06 Jun 2016, thierry bordaz wrote:
>> Hello,
>>
>> In DS it is possible to register callbacks for extended op.
>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>> there is a default callback that is implemented in DS core server.
>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>> that also registers a callback ipapwd_extop/ipapwd_chpwop for that
>> same extop.
>>
>> The server calls the callbacks until it can find one that can handle
>> the OID. But the order is not guaranteed.
>> So the extop can be handled either by password_extop or by
>> ipapwd_chpwop.
>>
>> Those two functions are not doing the same checking/updates.
>>
>> I would like to confirm if, in the Freeipa context, only
>> ipapwd_extop/ipapwd_chpwop should be called
> Correct. I think we have also added plugin priority to allow handling
> this type of conflicts gracefully.
>

The order of the plugins is based on nsslapd-pluginprecedence
(the lower precedence is called first).

The problem is that ipapwd_extop and password_extop have the same
precedence: 50. So the order they are selected in basically relies on
the order they were registered.
"Password Modify extended operation plugin" (core server) is
registered before "IPA Password Extended Operation plugin".
I think we need to add a precedence to "IPA Password Extended Operation
plugin" to be sure it will be selected over "Password Modify extended
operation plugin".

In addition https://fedorahosted.org/389/ticket/48770 changed the way
plugins are selected, so even setting a precedence is currently not a
solution (I opened https://fedorahosted.org/389/ticket/48870).

In short we need to fix https://fedorahosted.org/389/ticket/48870

Regarding item 5.4, replacing a compat entry with its related real entry.
I think there is something missing. In fact the extop is doing an
internal MOD, but before calling the MOD it checks that the entry exists.
And if called against a 'compat' entry the extop fails before calling
the MOD.
But even if it was successful it may not be a good idea to make
'Schema Compat' preop-mod do the mapping 'compat' -> real for all MODs.

An option is to change "IPA Password Extended Operation plugin" to do
this mapping 'compat' -> 'real', but it looks like a hack.

From mbasti at redhat.com Mon Jun 6 16:05:44 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 18:05:44 +0200 Subject: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout In-Reply-To: <51d52653-ef87-6232-f7a9-e7787583286d@redhat.com> References: <304a20ca-ca5b-8df7-f1ca-090c60ec3a01@redhat.com> <58d3d9ef-d8c5-50be-1348-3c8b2835d70d@redhat.com> <5c8a4e16-98b1-2e0c-3e78-c7e6e54098e9@redhat.com> <98ffcdc1-e89e-06fb-2c0f-11d659b70d76@redhat.com> <51d52653-ef87-6232-f7a9-e7787583286d@redhat.com> Message-ID: <9a7405ca-bef5-9561-2c36-4e2d470e1221@redhat.com> On 02.06.2016 19:34, Martin Basti wrote: > > > > On 01.06.2016 06:04, Martin Basti wrote: >> >> >> >> On 31.05.2016 09:41, Stanislav Laznicka wrote: >>> On 05/30/2016 02:12 PM, Petr Spacek wrote: >>>> On 28.5.2016 15:59, Martin Basti wrote: >>>>> On 27.05.2016 14:52, Stanislav Laznicka wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5833 >>>>>> >>>>>> >>>>>> >>>>> Is possible to remove timeout completely as it used to be before? >>>>> >>>>> Even if this timeout is exceeded, command continue in execution >>>>> and it just >>>>> doesnt print result to user >>>> I agree with Martin. The timeout is pointless, please remove it or >>>> set it to >>>> 2^31 or so. >>>> >>> The documentation does not clearly state what happens in the corner >>> cases of this setting. However, by looking at the source code, I'm >>> guessing that 0 is the default value which would eventually point to >>> the Apache TimeOut and negative values seem just wrong for them >>> here. They are converting it with atoi(), so I propose to set this >>> to 2^31-1. >>> >>> >> Please put your findings to the ticket, patch LGTM I will test it today. >> >> Martin^2 >> >> > ACK > Pushed to master: 12d8a0cf22a271ff41e02f4bcf862877dd680ae5 > > We forgot to increment version number one-liner pushed master: * 5cb03128f8fa4b3e01db86247efbd9ffa888708d Upgrade mod_wsgi socket-timeout on existing installation -------------- next part -------------- An HTML attachment was scrubbed... 
URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0498-Upgrade-mod_wsgi-socket-timeout-on-existing-installa.patch Type: text/x-patch Size: 779 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 6 16:29:02 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 18:29:02 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> Message-ID: <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> On 03.06.2016 14:28, Stanislav Laznicka wrote: > On 06/03/2016 02:19 PM, Martin Basti wrote: >> >> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>> https://fedorahosted.org/freeipa/ticket/5892 >>> >>> >> NACK >> >> please remove it from LDAPAddReverseMember too, it contains the same >> code >> >> Martin^2 > > Please see the modified patch. > > Standa > ACK Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc From pvoborni at redhat.com Mon Jun 6 16:35:40 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 6 Jun 2016 18:35:40 +0200 Subject: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate' In-Reply-To: <20160604001759.GX4744@dhcp-40-8.bne.redhat.com> References: <20160604001759.GX4744@dhcp-40-8.bne.redhat.com> Message-ID: On 06/04/2016 02:17 AM, Fraser Tweedale wrote: > On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote: >> On 05/10/2016 04:52 PM, Pavel Vomacka wrote: >>> Hi all, >>> >>> please review the patch for webUI which adds SAN names into 'Issue new >>> certificate' dialog. The SAN names are mentioned only in dialogs for >>> requesting for host and service certificate, according to the design page: >>> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not >>> sure whether this change provides enough information. If you think that >>> we should add more information to these dialogs or even extend also >>> dialog on Authentication -> Certificates page, just let me know. >>> >> >> Should we also include SAN for user certs? >> >> E.g.: >> -7 emailAddrs >> >> Adding Fraser to loop... >> >> Otherwise the patch looks good. >> > We *could* add rfc822Name example for user certs, but I don't think > we should. > > Especially for user certs, we might as well hold off because the > "CSR templates" feature is intended to relieve users of having to > generate CSRs themselves. > Thanks for the info Fraser. ACK then. master: * 91ac959fe5df817e2322428acff392d735fa414e Extend the certificate request dialog -- Petr Vobornik From pvoborni at redhat.com Mon Jun 6 16:40:17 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 6 Jun 2016 18:40:17 +0200 Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency In-Reply-To: <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com> References: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com> <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com> Message-ID: On 06/06/2016 07:28 AM, Jan Cholasta wrote: > Hi, > > On 3.6.2016 18:29, Petr Vobornik wrote: >> admintools doesn't pull python[2|3]-ipaclient by default which ends >> with exception if CLI is used. > > Please use this ticket URL: done, new patch version attached. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0958-1-admintools-missing-python3-ipaclient-dependency.patch Type: text/x-patch Size: 987 bytes Desc: not available URL: From pvoborni at redhat.com Mon Jun 6 17:03:12 2016 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Mon, 6 Jun 2016 19:03:12 +0200
Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators
In-Reply-To: <9cb4cdbf-c6be-ddb3-0d2b-50aba3015637@redhat.com>
References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com> <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com> <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com> <9cb4cdbf-c6be-ddb3-0d2b-50aba3015637@redhat.com>
Message-ID: <0e69071c-d082-568e-4678-f3bc3cb27059@redhat.com>

On 06/06/2016 12:27 PM, Pavel Vomacka wrote:
>
>
> On 06/02/2016 06:22 PM, Petr Vobornik wrote:
>> On 06/01/2016 10:41 AM, Pavel Vomacka wrote:
>>>
>>> On 05/27/2016 05:58 PM, Pavel Vomacka wrote:
>>>>
>>>> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote:
>>>>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>>>>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
>>>>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the patch adds the webui part for authentication indicators.
>>>>>>>>
>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872
>>>>>>> The otp option displays as: OTP.
>>>>>>> The radius option displays as: Radius.
>>>>>>>
>>>>>>> However, both are acronyms. The capitalization should be
>>>>>>> consistent.
>>>>>> I'm sorry for the late answer. They are displayed this way: 'OTP' and
>>>>>> 'Radius'. So it should not require any change.
>>>>> That is incorrect. It should be: OTP and RADIUS.
>>>> I'm sorry, I didn't understand correctly. Fixed patch attached.
>>>>
>>>>
>>>>
>>> The last patch changes 'Radius' to 'RADIUS' in the whole WebUI.
>>>
>> After some thought, we should really support the arbitrary values also in
>> the Web UI.
>>
>> I'd reuse aci.attributes_widget - move the widget elsewhere, make it a
>> general widget and a base class for the original aci.attributes_widget.
>>
>> The only difference should be the populate method and some strings.
>>
>> The base widget can populate from options - same as the normal checkboxes
>> widget, so that the service page doesn't need to inherit from the base class.
>>
> Ok, thank you for the advice. The edited patch is attached.

1. The new base class should have a different name, e.g.
custom_checkboxes_widget. It is not related to (aci) attributes.

Then it can be registered as such a widget and the attributes widget can
be registered in the ACI plugin. It would then also remove the ugly usage of
both $type and $factory.

2. Why not implement an empty placeholder populate function in the base
class? Then

if (that.populate && typeof that.populate === 'function') that.populate();

could be changed into:

that.populate();

The child class should simply override it.

3. If I add a custom indicator to one server and then switch to another,
it will offer the custom option as well, but unchecked. The added
options are not cleared on page reset. I'm not sure if it should be
called a feature or a bug. It is a remnant of the original implementation.
-- 
Petr Vobornik

From pvomacka at redhat.com Mon Jun 6 17:03:26 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 6 Jun 2016 19:03:26 +0200
Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone
Message-ID: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com>

Fix bad searching of reverse DNS zone

https://fedorahosted.org/freeipa/ticket/5796

-- 
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0042-Fix-bad-searching-of-reverse-DNS-zone.patch
Type: text/x-patch
Size: 2199 bytes
Desc: not available
URL: 
From mbasti at redhat.com Mon Jun 6 17:08:31 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 6 Jun 2016 19:08:31 +0200 Subject: [Freeipa-devel] [PATCH] 0002 Add the culprit line when a configuration file has an incorrect format In-Reply-To: References: <7c482bfd-c466-a2c9-ca29-bcd2a28163df@redhat.com> <93631e86-725f-ba0e-ce17-6e8b99325f23@redhat.com> <8ce7f9fe-ae8f-ed1e-f1b5-259e62030fae@redhat.com> Message-ID: On 03.06.2016 09:45, Florence Blanc-Renaud wrote: > On 06/02/2016 07:18 PM, Martin Basti wrote: >> >> >> >> On 30.05.2016 18:11, Florence Blanc-Renaud wrote: >>> >>> Hi Martin, >>> >>> thanks for the review and the suggestion. Please find the updated >>> patch attached. >>> >>> Flo. >>> >>> On 05/30/2016 11:00 AM, Martin Basti wrote: >>>> >>>> >>>> >>>> On 27.05.2016 11:35, Florence Blanc-Renaud wrote: >>>>> >>>>> Hi all, >>>>> >>>>> this patch adds information to the output of ipa-client-install >>>>> when it fails due to invalid format in a configuration file: >>>>> ipa-client-install failing with SyntaxError: Syntax Error: Unknown >>>>> line format >>>>> >>>>> Fixes: https://fedorahosted.org/freeipa/ticket/5811 >>>>> >>>>> -- >>>>> Florence Blanc-Renaud >>>>> Identity Management Team, Red Hat >>>>> >>>>> >>>> Thank you for your patch, I have just one nitpick. Can you please >>>> reuse the original exception? 
>>>> >>>> - curopts.append(self.parseLine(line)) >>>> + try: >>>> + curopts.append(self.parseLine(line)) >>>> + except SyntaxError as e: >>>> + raise SyntaxError('{error} in file {fname}: >>>> [{line}]'.format( >>>> + error=e, fname=f.name, line=line)) >>>> >>>> Martin^2 >>> >>> -- >>> Florence Blanc-Renaud >>> Identity Management Team, Red Hat >> >> >> We are almost there >> >> SyntaxError: Syntax Error: Unknown line format in file >> /etc/nsswitch.conf: [sudoers sss >> ] >> >> I don't like that extra newline, probably we should use line.rstrip() >> to line, to remove any whitespaces on right side, I'm not sure about >> left side, it probably should stay with whitespaces >> >> Martin^2 > > Hi Martin, > good catch. Please find the updated patch attached. > -- > Florence Blanc-Renaud > Identity Management Team, Red Hat ACK Pushed to master: c4a8e64cdf06cf87112bed383a13e865c8550c5b -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Mon Jun 6 17:12:58 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 6 Jun 2016 20:12:58 +0300
Subject: [Freeipa-devel] ipapwd_extop vs password_extop
In-Reply-To: <575595A0.2080203@redhat.com>
References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com>
Message-ID: <20160606171258.acntciu74hac4mhq@redhat.com>

On Mon, 06 Jun 2016, thierry bordaz wrote:
>
>
>On 06/06/2016 11:07 AM, Alexander Bokovoy wrote:
>>On Mon, 06 Jun 2016, thierry bordaz wrote:
>>>Hello,
>>>
>>> In DS it is possible to register callbacks for extended op.
>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop),
>>> there is a default callback that is implemented in DS core server.
>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config'
>>> that also registers a callback ipapwd_extop/ipapwd_chpwop for that
>>> same extop.
>>>
>>> The server calls the callbacks until it can find one that can handle
>>> the OID. But the order is not guaranteed.
>>> So the extop can be handled either by password_extop or by
>>> ipapwd_chpwop.
>>>
>>> Those two functions are not doing the same checking/updates.
>>>
>>> I would like to confirm if, in the Freeipa context, only
>>> ipapwd_extop/ipapwd_chpwop should be called
>>Correct. I think we have also added plugin priority to allow handling
>>this type of conflicts gracefully.
>>
>
>
>The order of the plugins is based on nsslapd-pluginprecedence
>(the lower precedence is called first).
>
>The problem is that ipapwd_extop and password_extop have the same
>precedence: 50. So the order they are selected in basically relies on
>the order they were registered.
>"Password Modify extended operation plugin" (core server) is
>registered before "IPA Password Extended Operation plugin".
>I think we need to add a precedence to "IPA Password Extended
>Operation plugin" to be sure it will be selected over "Password Modify
>extended operation plugin"
>
>In addition https://fedorahosted.org/389/ticket/48770 changed the way
>plugins are selected, so even setting a precedence is currently not a
>solution (I opened https://fedorahosted.org/389/ticket/48870)
>
>In short we need to fix https://fedorahosted.org/389/ticket/48870
>
>
>Regarding item 5.4, replacing a compat entry with its related real entry.
>I think there is something missing. In fact the extop is doing an
>internal MOD, but before calling the MOD it checks that the entry exists.
>And if called against a 'compat' entry the extop fails before calling
>the MOD.
>But even if it was successful it may not be a good idea to make
>'Schema Compat' preop-mod do the mapping 'compat' -> real for all
>MODs.
Given that schema compat is read-only (always), you can do the remapping all
the time. We have this mapping already for password checks; how is this
different?

>An option is to change "IPA Password Extended Operation plugin" to do
>this mapping 'compat' -> 'real', but it looks like a hack.
Yes, it is unacceptable.

-- 
/ Alexander Bokovoy

From mbasti at redhat.com Mon Jun 6 17:18:39 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 19:18:39 +0200
Subject: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
In-Reply-To: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com>
References: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com>
Message-ID: <69456999-093e-1d4a-5ff7-6f5cd13e1712@redhat.com>

On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
>
> Hi,
>
> this patch modifies ipa-replica-conncheck when it performs the SSH
> connection to the master, so that the username is always fully qualified.
>
> https://fedorahosted.org/freeipa/ticket/5812
> --
> Florence Blanc-Renaud
> Identity Management Team, Red Hat
>
>

LGTM, but because of the current issues with replica install in the master
branch I couldn't test it, and I would like to be sure that
ipa-replica-install using NTP will work too.

Just a little nitpick: for better readability, 'command' should be on a
new line.

-            '%s@%s' % (self.user, self.addr), command
+            '-o User=%s' % self.user,
+            '%s' % self.addr, command

Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From mbasti at redhat.com Mon Jun 6 17:23:01 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 19:23:01 +0200
Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks
In-Reply-To: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com>
References: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com>
Message-ID: <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com>

On 03.06.2016 13:38, Stanislav Laznicka wrote:
> Hello,
>
> The attached patch implements a solution to
> https://fedorahosted.org/freeipa/ticket/5914. The patch is rather
> hacky, as nsslapd-db-locks requires to be modified when DS is not
> running, although I accept proposals for a better solution.
>
> Standa
>
>

LGTM and works for me, but I want an ack from thierry because of the value:

* the value set by this patch is 100K; is it okay, or should it rather be
50K as is mentioned in the ticket?

* should there be an upgrade for this change, or should this be done only
for new installations? (the patch solves new installations only, and I
don't think that we should change it by upgrade, users may have already
tuned DS)

Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From mbasti at redhat.com Mon Jun 6 17:51:02 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 19:51:02 +0200
Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI
In-Reply-To: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com>
References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com>
Message-ID: 

On 05.06.2016 18:34, Pavel Vomacka wrote:
> Hello,
>
> please review the attached patches which add the WebUI part of the DNS
> Locations feature.
>
> --
> Pavel^3 Vomacka
>
>

NACK

1) When I edit a location description and click on the revert button, that
nice location table just disappears :)

2) Can we put a placeholder "100" (gray font or something) in Location
weight in the server detail view? Because when the weight is not specified,
the default is 100.

Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From mbasti at redhat.com Mon Jun 6 17:55:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 6 Jun 2016 19:55:57 +0200
Subject: [Freeipa-devel] [PATCH 0102] test: test_cli: Do not expect defaults in kwargs.
In-Reply-To: 
References: 
Message-ID: <984515ab-ded4-1f28-ab1d-9abc1bbcde1a@redhat.com>

On 03.06.2016 12:35, David Kupka wrote:
> https://fedorahosted.org/freeipa/ticket/4739
>
> With this patch all but one test in test_cli.py will pass again. The
> one failing is a bug in the dns* commands prompt behavior and will be
> fixed soon.
>
>

Shame! That is not the way we name patches :)

ACK

Pushed to master: 05878f115334dda75ae9db82e6f31b9f91ec4d2a
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
From pvomacka at redhat.com Mon Jun 6 18:33:28 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 6 Jun 2016 20:33:28 +0200
Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators
In-Reply-To: <0e69071c-d082-568e-4678-f3bc3cb27059@redhat.com>
References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com> <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com> <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com> <9cb4cdbf-c6be-ddb3-0d2b-50aba3015637@redhat.com> <0e69071c-d082-568e-4678-f3bc3cb27059@redhat.com>
Message-ID: <36a81816-bd7f-c1b8-db99-ca315b0842a1@redhat.com>

On 06/06/2016 07:03 PM, Petr Vobornik wrote:
> On 06/06/2016 12:27 PM, Pavel Vomacka wrote:
>>
>> On 06/02/2016 06:22 PM, Petr Vobornik wrote:
>>> On 06/01/2016 10:41 AM, Pavel Vomacka wrote:
>>>> On 05/27/2016 05:58 PM, Pavel Vomacka wrote:
>>>>> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote:
>>>>>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>>>>>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
>>>>>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the patch adds the webui part for authentication indicators.
>>>>>>>>>
>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872
>>>>>>>> The otp option displays as: OTP.
>>>>>>>> The radius option displays as: Radius.
>>>>>>>>
>>>>>>>> However, both are acronyms. The capitalization should be
>>>>>>>> consistent.
>>>>>>> I'm sorry for the late answer. They are displayed this way: 'OTP' and
>>>>>>> 'Radius'. So it should not require any change.
>>>>>> That is incorrect. It should be: OTP and RADIUS.
>>>>> I'm sorry, I didn't understand correctly. Fixed patch attached.
>>>>>
>>>>>
>>>>>
>>>> The last patch changes 'Radius' to 'RADIUS' in the whole WebUI.
>>>>
>>> After some thought, we should really support the arbitrary values also in
>>> the Web UI.
>>>
>>> I'd reuse aci.attributes_widget - move the widget elsewhere, make it a
>>> general widget and a base class for the original aci.attributes_widget.
>>>
>>> The only difference should be the populate method and some strings.
>>>
>>> The base widget can populate from options - same as the normal checkboxes
>>> widget, so that the service page doesn't need to inherit from the base class.
>>>
>> Ok, thank you for the advice. The edited patch is attached.
>
> 1. The new base class should have a different name, e.g.
> custom_checkboxes_widget. It is not related to (aci) attributes.
>
> Then it can be registered as such a widget and the attributes widget can
> be registered in the ACI plugin. It would then also remove the ugly usage of
> both $type and $factory.
Fixed.
>
> 2. Why not implement an empty placeholder populate function in the base
> class? Then
> if (that.populate && typeof that.populate === 'function') that.populate();
>
> could be changed into:
> that.populate();
>
> The child class should simply override it.
I just did not like an empty method there. But it's true that it is more
readable with an empty method, and the method is documented.
>
> 3. If I add a custom indicator to one server and then switch to another,
> it will offer the custom option as well, but unchecked. The added
> options are not cleared on page reset. I'm not sure if it should be
> called a feature or a bug. It is a remnant of the original implementation.
From my point of view it is a feature. I.e. when I add a custom
authentication indicator to one service there is a big chance that I would
like to add it to another one. And in this case the custom auth. ind. is
already present.

Fixed patch attached.

-- 
Pavel^3 Vomacka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0034-5-Auth-Indicators-webUI-part.patch
Type: text/x-patch
Size: 22410 bytes
Desc: not available
URL: 
From ftweedal at redhat.com Tue Jun 7 04:30:11 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 7 Jun 2016 14:30:11 +1000
Subject: [Freeipa-devel] V4/Sub-CAs review
In-Reply-To: <5be644e6-2858-c08f-cadd-ca2f99dfcef3@redhat.com>
References: <57161E1F.6020001@redhat.com> <6b09c0a9-2887-92a0-b284-4b5af947dfde@redhat.com> <20160510103617.GP1237@dhcp-40-8.bne.redhat.com> <9eb88563-3d22-3c6e-f314-fc6ce2d69985@redhat.com> <20160517125029.GJ1323@dhcp-40-8.bne.redhat.com> <25104587-46d2-6574-2220-3b453b0af599@redhat.com> <20160601044955.GA4744@dhcp-40-8.bne.redhat.com> <5be644e6-2858-c08f-cadd-ca2f99dfcef3@redhat.com>
Message-ID: <20160607043011.GO4744@dhcp-40-8.bne.redhat.com>

On Mon, Jun 06, 2016 at 08:29:16AM +0200, Jan Cholasta wrote:
> On 1.6.2016 06:49, Fraser Tweedale wrote:
> > On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote:
> > > > > > > 2)
> > > > > > >
> > > > > > > It should be mentioned here that the primary CA is also handled by this plugin.
> > > > > > >
> > > > > > > I would like to propose two additional fields:
> > > > > > >
> > > > > > > * subject (required) - subject name of the CA, to be able to look up sub-CA that issued a certificate from its issuer name.
> > > > > > >
> > > > > > > * issuer_ca (optional) - name of the sub-CA which issued certificate for this CA, to have information about the sub-CA hierarchy. If there is no sub-CA entry for the issuer, it would be unset.
> > > > > > >
> > > > > > These data exist in the Dogtag database. Adding them to IPA might be useful for avoiding round trips so it is probably worth doing, but are you aware of use cases that would absolutely require them?
> > > > >
> > > > > As for subject, we are adding the ability to look up information about arbitrary certificates to cert-{show,find} as part of . Part of this information should be whether the certificate was issued by our CA and what CA it was, so that the web UI can present an appropriate "revoke certificate" button for the certificate.
> > > > >
> > > > > As for issuer CA, I believe we need it to fix automatic CA certificate renewal. The current renewal code uses virtual "profiles" to handle CA certificate renewal, but that turned out to be an issue, especially with externally signed CA certificates: . Instead it could use the issuer CA information from LDAP to figure out what needs to be done. (Note that during the renewal, Dogtag is offline.)
> > > > >
> > > > > Also, both the attributes should be included for compatibility with external CAs. At this point, I think it's only a matter of time when support for them will be added (there were already several requests for such a feature), and I would very much prefer to have to maintain only a single code path for the generic stuff (which includes both of the attributes), instead of one for Dogtag and one for external CAs.
> > > > >
> > > > OK, I'll add issuer DN and subject DN attributes to the ipaCa objectClass.
> > >
> > > Just to be clear, what I meant is for the issuer attribute to contain the DN of the CA entry in LDAP, not the issuer DN itself.
> > >
> > I see; thanks for the clarification.
>
> Actually, the more I think of this, I think the attribute should contain the issuer DN rather than the CA entry DN. That way it could be mandatory, thus simplifying the related logic, and it should make adding external CAs easier in the future.
>
No problem; the latest patchset adds the issuer DN and subject DN attributes. I'll update the design page shortly.

> > I'm going to publish the first version of the patchset soon - it will not have this implemented yet, but I think it's more important for me to get patches out for review ASAP, and add this aspect in a subsequent patchset.
>
> OK, but please make sure it is done before 4.4, adding new mandatory attributes is a backward incompatible change, and we most certainly don't want to deal with that after the release.
>
> > > > > > > """
> > > > > > > The Python script shall be installed at /usr/libexec/pki-ipa-retrieve-key and shall be executed as pkiuser.
> > > > > > > """
> > > > > > >
> > > > > > > Could you please use a subdirectory? Like /usr/libexec/pki (if the script is going to be distributed with Dogtag) or /usr/libexec/ipa (if the script is going to be distributed with IPA).
> > > > > > >
> > > > > > What is the rationale - is it a packaging guideline or just common sense?
> > > > >
> > > > > I'm not sure if it's an actual guideline, but IMHO it's definitely common sense - I don't think littering the global namespace (i.e. /usr/libexec) is ever preferable to keeping your stuff in your own namespace.
> > > > >
> > > > I'll drop the script in a subdir. While I'm at it, I think I will move it to the IPA codebase, to improve locality of the Python code. e.g. if CustodiaClient API or any other IPA Python API changes, the code in pki repo will be too easily missed.
> > >
> > > OK, makes sense.
> > >
> > Latest version of patch 0054 installs the helper program under /usr/libexec/ipa.
>
> OK.
>
> > > > > Please don't use ipaUniqueId as the RDN unless absolutely necessary. Not only it makes debugging harder (because you can't tell which object is which just by looking at the DN), it also requires the framework to do an extra LDAP search every time the DN needs to be translated to primary key.
> > > > >
> > > > If cn is used in RDN, will changing cn (which then will be a modrdn operation) correctly update the references from CA ACLs?
> > >
> > > Yes, the referint DS plugin takes care of that.
> > >
> > cn it is; no more ipaUniqueId.
>
> OK.
>
> > > > > "host-authority" does not strike me as something familiar, and the "host" bit is kind of confusing, since it is not at all related to IPA hosts. Could we use something more obvious ("default", "root", ...)?
> > > > >
> > > > We shouldn't use "root" because it might not be a root CA.
> > > >
> > > > We probably shouldn't use "default" because we might later want to allow different default CAs for different profiles or principal types.
> > >
> > > What about "main"?
> > >
> > > > Perhaps simply "IPA CA", "ipa", or some variation on that theme?
> > >
> > > Something like this might be the best, as we currently refer to this CA as "IPA CA".
> > >
> > I went with 'cn=ipa' and 'description=IPA CA'.
>
> OK.
>
> > > > As discussed above, there will now also be attributes for issuer DN and subject DN.
> > > >
> > > > > Why does a Dogtag lightweight CA need to be created before the LDAP entry? I assume it's because deleting an LDAP entry is easier than deleting a Dogtag lightweight CA in case something goes wrong, in which case I think ipaCaId should be required and use a placeholder value in the initial LDAP entry.
> > > > >
> > > > The IPA object is created first to ensure that the user has the permissions to do so. Apart from that it is not important which happens first. I can check permissions with can_add() but defer IPA object creation until after the Dogtag LWCA has been created. In fact this is a cleaner approach.
> > >
> > > Yes, I agree.
> > >
> > Everything works fine with can_add(); design updated.
>
> OK.
>
> > > > ca-del results in deletion of the signing key from Dogtag's NSSDB, and deletion of the Dogtag lightweight authority object. On IPA side it removes the ipaCa object, removes references from CA ACLs, etc. ca-del should be a command.
> > >
> > > OK, but should the certificates issued by the CA stay valid? I would think not - when authorization is based on group membership and the group is deleted, it is no longer possible to authorize - when authorization is based on the CA, I assume it should work analogically and authorization should stop working when the CA is deleted. Or am I missing something?
> > >
> > It makes sense to revoke the CA certificate when the CA is deleted. There is a Dogtag ticket: https://fedorahosted.org/pki/ticket/1638.
> >
> > After that is implemented, I don't think extra behaviour is needed in IPA - but we should clearly document what happens with revocation when a CA is deleted.
> >
> > Until it is implemented, revocation can be performed manually.
> >
> > (I'll add the preceding commentary to the design page.)
>
> OK.
>
> > > > We can add ca-disable and ca-enable - these behaviours are implemented in Dogtag already. I prefer the more fine-grained control that CA ACLs give you, but I suppose people will want wholesale enable/disable as well? Or is it premature to assume so?
> > >
> > > I think it can be added later. The advantage over CA ACLs is that you don't have to go through potentially many ACLs to enable/disable a single CA.
> > >
> > Agreed.
> >
> > Thanks,
> > Fraser
> >
>
> --
> Jan Cholasta

From ftweedal at redhat.com Tue Jun 7 05:42:22 2016
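The ordering questions settled in the exchange above (check the add permission before creating anything, create the lightweight CA in the signing backend only after that, and have ca-del refuse the IPA CA) can be exercised offline. The following is an added example and not FreeIPA's or Dogtag's code: FakeDogtag and FakeLdap are constructed stand-ins for the two backends, not their real APIs; create_ca and delete_cas are hypothetical helpers, and the only names taken from the thread are the 'ipa' CA entry name and Dogtag's 'host-authority' id. Beyond what the thread states, it also shows a compensating rollback when the LDAP add fails after the Dogtag CA was created, so no signing key is left without an IPA object.

```python
"""Ordering of a two-backend CA create/delete with compensating rollback.

Added example (not FreeIPA code). FakeDogtag and FakeLdap are constructed
in-memory stand-ins so the ordering and failure modes can be run offline.
"""
import uuid

IPA_CA_CN = "ipa"                  # entry name of the protected primary CA
HOST_AUTHORITY = "host-authority"  # Dogtag's id for the primary CA


class PermissionDenied(Exception):
    pass


class ProtectedEntry(Exception):
    pass


class DuplicateEntry(Exception):
    pass


class FakeDogtag:
    """Stand-in for the lightweight-CA REST backend (constructed, not Dogtag's API)."""

    def __init__(self):
        self.authorities = {}

    def create_ca(self, subject_dn, parent_id=HOST_AUTHORITY):
        ca_id = str(uuid.uuid4())
        self.authorities[ca_id] = {"id": ca_id, "dn": subject_dn,
                                   "parentID": parent_id, "enabled": True}
        return dict(self.authorities[ca_id])

    def disable_ca(self, ca_id):
        self.authorities[ca_id]["enabled"] = False

    def delete_ca(self, ca_id):
        del self.authorities[ca_id]


class FakeLdap:
    """Stand-in directory: entries keyed by cn, an add-permission flag and an injectable add failure."""

    def __init__(self, can_add=True, fail_on_add=False):
        self.entries = {}
        self._can_add = can_add
        self._fail_on_add = fail_on_add

    def can_add(self):
        return self._can_add

    def add_entry(self, cn, attrs):
        if cn in self.entries:
            raise DuplicateEntry(cn)
        if self._fail_on_add:
            raise RuntimeError("simulated LDAP add failure")
        self.entries[cn] = dict(attrs)

    def delete_entry(self, cn):
        del self.entries[cn]


def create_ca(ldap, dogtag, cn, subject_dn):
    """Add a sub-CA: permission and name-collision checks before any Dogtag call,
    then Dogtag, then LDAP; undo the Dogtag side if the LDAP add fails."""
    if not ldap.can_add():
        raise PermissionDenied("insufficient 'add' privilege")
    if cn in ldap.entries:
        raise DuplicateEntry(cn)
    resp = dogtag.create_ca(subject_dn)
    try:
        ldap.add_entry(cn, {"ipacaid": resp["id"], "ipacasubjectdn": resp["dn"]})
    except Exception:
        # compensate: no authority may exist in Dogtag without its IPA object
        dogtag.disable_ca(resp["id"])
        dogtag.delete_ca(resp["id"])
        raise
    return resp["id"]


def delete_cas(ldap, dogtag, cns):
    """Delete sub-CAs: refuse the primary CA before touching either backend,
    and process every requested name, not just the first."""
    if IPA_CA_CN in cns:
        raise ProtectedEntry(IPA_CA_CN)
    deleted = []
    for cn in cns:
        ca_id = ldap.entries[cn]["ipacaid"]
        dogtag.disable_ca(ca_id)
        dogtag.delete_ca(ca_id)
        ldap.delete_entry(cn)
        deleted.append(cn)
    return deleted


def outcome(fn, *args):
    """Run fn and report 'ok' or the name of the exception it raised."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return "ok"
```

The rollback branch is the part worth keeping in mind when reviewing the real implementation: once a CA exists in the signing backend, every later failure on the IPA side needs a matching disable/delete, otherwise a signing key persists that no CA ACL references.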
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 7 Jun 2016 15:42:22 +1000
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
In-Reply-To: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com>
References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com>
Message-ID: <20160607054221.GP4744@dhcp-40-8.bne.redhat.com>

On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
> Hi team,
>
> This patchset implements the 'ca' plugin for creating and managing lightweight sub-CAs, and updates the 'caacl' plugin and 'cert-request' command to support multiple CAs.
>
> A brief overview of the patches:
>
> 0059
>     'ca' plugin, associated schema changes and container objects, Dogtag REST API wrapper
> 0060
>     Add CA entry for the IPA CA on install/upgrade
> 0061
>     Update 'caacl' plugin with CA support (including enforcement)
> 0062
>     Update ra.request_certificate() to support specifying target CA
> 0063
>     Add '--ca' option to 'cert-request' command
> 0064
>     Add '--issuer' option to 'cert-find' command
>
> These patches depend on other pending patches:
>
>     0051, 0052, 0053, 0054, 0055, 0056
>
> Signing key replication depends on unmerged Dogtag patches. Builds of Dogtag with the required patches, and of FreeIPA with all completed sub-CAs work, should be available from my COPR soon:
> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
>
> Some parts of the design are not implemented in the current patchset, including:
>
> - local parent CA (ipaca object) references
> - sub-CA certificate renewal
> - 'cert-show' command '--ca=NAME' option
> - certmonger support for specifying CA
> - revocation of deleted CAs
>
> I look forward to your reviews!
>
> Thanks,
> Fraser
>
Rebased and updated patches attached.
Substantive changes:

- add required attributes for issuer DN and subject DN
- prevent rename of IPA CA
- when adding IPA CA entry, contact Dogtag to learn authority id, issuer DN and subject DN
- add 'read_ca' method to Dogtag interface
- tighten ACIs to prevent modification of ipacaid attribute

Thanks,
Fraser

-------------- next part --------------
From a36659566a06e78b1af83828f01052ecbe5ebbbe Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 14 May 2015 01:46:06 -0400
Subject: [PATCH 59/64] Add 'ca' plugin

This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ACI.txt | 8 +
 API.txt | 64 ++++++++
 VERSION | 4 +-
 install/conf/ipa-pki-proxy.conf | 4 +-
 install/share/60certificate-profiles.ldif | 4 +
 install/share/bootstrap-template.ldif | 6 +
 install/updates/41-subca.update | 4 +
 install/updates/Makefile.am | 1 +
 ipalib/constants.py | 2 +
 ipaserver/install/cainstance.py | 7 +
 ipaserver/install/server/upgrade.py | 16 +-
 ipaserver/plugins/ca.py | 235 ++++++++++++++++++++++++++++++
 ipaserver/plugins/dogtag.py | 54 ++++++-
 13 files changed, 403 insertions(+), 6 deletions(-)
 create mode 100644 install/updates/41-subca.update
 create mode 100644 ipaserver/plugins/ca.py

diff --git a/ACI.txt b/ACI.txt
index a09495e5a445d7c3bc51f0b082c538b80bbb425a..586f7343ef13b4b30e23543027220ed37ba2cb48 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example 
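Review bot: the new "System: Delete CA" and "System: Modify CA" ACIs in this ACI.txt hunk target every entry matching (objectclass=ipaca), which includes the IPA CA's own entry, so the IPA-CA protection this patch series implements in ca_del.pre_callback and ca_mod.pre_callback only holds for callers going through the framework: a holder of the Delete CA permission can remove cn=ipa,cn=cas,cn=ca,$SUFFIX with a direct LDAP delete, and because Modify CA grants write on cn (the RDN), a direct modrdn renames it. If the entry is meant to be protected, consider excluding it in the targetfilter, for example (&(objectclass=ipaca)(!(cn=ipa))), or state in the plugin docstring that the protection is advisory.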
diff --git a/API.txt b/API.txt index f17093022d54d5cd0ccbf1863f6def0589bbf8c9..06e2bb56ad200de599112ffad17b4084e1ca44f3 100644 --- a/API.txt +++ b/API.txt 
@@ -450,12 +450,76 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,7,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: DNParam('ipacasubjectdn', cli_name='subject') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,11,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: DNParam('ipacaissuerdn?', autofill=False, cli_name='issuer') +option: DNParam('ipacasubjectdn?', autofill=False, cli_name='subject') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') 
+option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 4ada7467a646b4b7162fd56248399a65f8600663..5ab3c9d93db91a25cf4af6f77d678b4879c4910e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=176 -# Last change: mbasti - location-show: list servers in the location +IPA_API_VERSION_MINOR=177 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..a87fe667d56768419dacf57103e347e88c945e2a 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -4,5 +4,9 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY 
description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f6ab35495ad7e9377404eb7a6b0bca26906f5421..da12ddf0ca887e8305402048ceed5d5b28816164 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -476,3 +476,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/install/updates/41-subca.update b/install/updates/41-subca.update new file mode 100644 index 0000000000000000000000000000000000000000..72313e2ab12ab520eb12ade404fb5b6dd55a9d71 --- /dev/null +++ b/install/updates/41-subca.update @@ -0,0 +1,4 @@ +dn: cn=cas,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: cas diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 737a8bbbd1a4915a6aefec2d273b90bb3ca31710..5b308a16bfee94bdab6c36e82862a3b66a0b380c 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -38,6 +38,7 @@ app_DATA = \ 40-otp.update \ 40-vault.update \ 41-caacl.update \ + 41-subca.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 97dff1d805a4f77469882103ab63cdb0fa55a024..05ba1adbbf215680c9c23963fc8c90c4bfca4ce8 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,7 @@ DEFAULT_CONFIG = ( ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
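Review bot: in the 60certificate-profiles.ldif hunk, ipaCaId, ipaCaIssuerDN and ipaCaSubjectDN are not declared SINGLE-VALUE, yet ca.py writes each as a one-element list and ca_del.execute reads ca_obj['ipacaid'][0]; if an entry ever carries two ipaCaId values, ca-del disables and deletes whichever authority the directory returns first. The tightened "System: Modify CA" ACI limits who can add such a value, but the schema is the right place to enforce the plugin's assumption: add SINGLE-VALUE to the three attribute definitions.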
@@ -265,3 +266,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 85cdda61428a9586be940e1aec3648ee3e9b13cc..a153bf371ff31d6da721936b2b17344746d951ff 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1628,6 +1628,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: 
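Review bot: the ca_upgrade_schema hunk in ipaserver/install/server/upgrade.py adds /usr/share/pki/server/conf/schema-authority.ldif to schema_files, which ties the upgrade to a Dogtag build that ships that file, and the diffstat for this patch lists no freeipa.spec.in change raising the pki-ca requirement. On a host with an older pki-ca the schema update will either fail into the except branch or silently skip the authority schema, depending on how update_schema treats a missing file, and every later step that creates ipaca entries then fails with a less obvious error. Either bump the pki-ca minimum version in the same patch or check os.path.exists on the file and log a clear message naming the missing Dogtag version.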
@@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..e1d0f65c8199b736bfc8e308f4c18d9257389079 --- /dev/null +++ b/ipaserver/plugins/ca.py 
@@ -0,0 +1,235 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipaserver.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipaserver.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = [ + 'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn', + ] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid?', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + DNParam('ipacasubjectdn', + cli_name='subject', + label=_('Subject DN'), + doc=_('Subject Distinguished Name'), + flags=['no_update'], + ), + DNParam('ipacaissuerdn', + cli_name='issuer', + label=_('Issuer DN'), + doc=_('Issuer Distinguished Name'), + flags=['no_create', 'no_update'], + ), + ) + + 
permission_filter_objectclasses = ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'ipacaissuerdn', + 'ipacasubjectdn', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + }, + 'replaces': [ + '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry, entry_attrs, 
*keys, **options): + ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # check for name collision before creating CA in Dogtag + try: + api.Object.ca.get_dn_if_exists(keys[-1]) + self.obj.handle_duplicate_entry(*keys) + except errors.NotFound: + pass + + # Create the CA in Dogtag. + with self.api.Backend.ra_lightweight_ca as ca_api: + resp = ca_api.create_ca(options['ipacasubjectdn']) + entry['ipacaid'] = [resp['id']] + entry['ipacaissuerdn'] = [resp['issuerDN']] + + # In the event that the issued certificate's subject DN + # differs from what was requested, record the actual DN. + # + entry['ipacasubjectdn'] = [resp['dn']] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + return dn + + def execute(self, *args, **kwargs): + ca_obj = self.api.Command.ca_show(args[0][0])['result'] + if 'ipacaid' in ca_obj: + have_ca_id = True + ca_id = ca_obj['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + else: + have_ca_id = False + + result = super(ca_del, self).execute(*args, **kwargs) + + if have_ca_id: + return result + else: + raise errors.NonFatalError( + reason=_( + "The CA was deleted but could not be deleted " + "from Dogtag due to missing 'ipaCaId' attribute" + ) + ) + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + if 'rename' in options or 'cn' in entry_attrs: + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + 
label=_("CA"), + key=keys[0], + reason=u'IPA CA cannot be renamed') + + return dn diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c4dc4e8c3ea55a0e1b67870dfb8eee45af..20349b05f02c6e186275a822a487eb4733d75c7d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2073,7 +2073,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( 
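Review bot: in the ipaserver/plugins/ca.py hunk, ca_del.execute calls ca_show, disable_ca and delete_ca before super(ca_del, self).execute runs pre_callback, so both ca_enabled_check() and the ProtectedEntryError for IPA_CA_CN fire only after the Dogtag calls have already been issued; move those checks to the top of execute, ahead of the Dogtag round trip. In the same method, cn is declared 'cn+' (see the API.txt hunk), but execute only inspects args[0][0], so "ipa ca-del a b" removes only a from Dogtag while LDAPDelete removes both entries, orphaning b's authority and signing key. ca_add.pre_callback has the mirror-image gap: the CA is created in Dogtag before the LDAP add, and if the add then fails (ACI, replication conflict, or a name added between get_dn_if_exists and the add) nothing disables or deletes the Dogtag authority, so wrap the return path in a try/except that compensates. Minor: permission_filter_objectclasses is assigned twice in class ca, and the reason u'IPA CA cannot be renamed' in ca_mod is the only user-facing message in the file not wrapped in _().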
@@ -2147,3 +2150,52 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + New CA is issued by IPA CA. Nested sub-CAs and unrelated + root CAs are not yet supported. + + Return the (parsed) JSON response from server. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def read_ca(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', ca_id, headers={'Accept': 'application/json'}) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From 8929096fdcb9ee1d329c4551945902144620784f Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/64] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 47 +++++++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 48 insertions(+) 
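Review bot: in the ra_lightweight_ca hunk of ipaserver/plugins/dogtag.py, create_ca and read_ca ignore the status returned by _ssldo and parse resp_body unconditionally, so an error response from Dogtag that happens to be valid JSON is handed back as a success and ca_add.pre_callback then dies with a KeyError on resp['id'] rather than a meaningful error; check the status before parsing and raise RemoteRetrieveError with the Dogtag message. The bare "except:" clauses should be "except ValueError:" so that unrelated exceptions are not reported as "Response from CA was not valid JSON". read_ca is the only method in the class without a docstring, delete_ca sends no Accept header unlike its siblings, and the hunk does not show that json, unicode and DN are imported in this module, so please confirm they are.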
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a153bf371ff31d6da721936b2b17344746d951ff..d05dae80dfb377460262923a5790bcc06a2ebde3 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -432,6 +432,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1899,6 +1900,52 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + + # find out authority id, issuer DN and subject DN of IPA CA + # + api.Backend.ra_lightweight_ca._read_password() + api.Backend.ra_lightweight_ca.override_port = 8443 + with api.Backend.ra_lightweight_ca as lwca: + data = lwca.read_ca('host-authority') + attrs = dict( + ipacaid=data['id'], + ipacaissuerdn=data['issuerDN'], + ipacasubjectdn=data['dn'], + ) + api.Backend.ra_lightweight_ca.override_port = None + + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', 'ca'), api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['ca'], + ) + ensure_entry( + DN(api.env.container_ca, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['cas'], + ) + ensure_entry( + DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + **attrs + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
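Review bot: in ensure_ipa_authority_entry, override_port is set to 8443 and reset to None only after the with block completes normally, so if read_ca raises, the ra_lightweight_ca backend keeps the overridden port for the rest of the process; wrap the block in try/finally. The function also calls another plugin's private _read_password(), hardcodes 'host-authority' (the same literal create_ca in dogtag.py uses as parentID) and the port, and queries Dogtag before checking that LDAP is reachable, whereas ensure_default_caacl just below connects to LDAP first; doing the LDAP connect first avoids the Dogtag round trip when the add cannot proceed. ipalib.constants.IPA_CA_CN requires "import ipalib" in cainstance.py, which this hunk does not show.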
@@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From eaa10a58ee674dbf3bfbca8f77eeec8d066cbb78 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/64] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 ++++++++++++-- VERSION | 4 +- ipaserver/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++--------------- ipaserver/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index 06e2bb56ad200de599112ffad17b4084e1ca44f3..f434ebad7cc0fa22388266a1dc696c15c6ec530f 100644 --- a/API.txt +++ b/API.txt @@ -521,12 +521,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) 
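Review bot: in the `ensure_ipa_authority_entry()` hunk in cainstance.py, `api.Backend.ra_lightweight_ca.override_port = 8443` is set before `lwca.read_ca('host-authority')` but reset to `None` only on the success path, so an exception from `read_ca` leaves the backend pinned to port 8443 for the rest of the process; put the `with` block inside `try/finally` so the reset always runs. In the same function, a failure of `api.Backend.ldap2.connect(autobind=True)` is only logged (`root_logger.error("Cannot connect to LDAP to add CA: %s", e)`) before `return`, which lets the "adding 'ipa' CA entry" install step and the `cainstance.ensure_ipa_authority_entry()` call in `upgrade_configuration()` report success without the `ipaca` entry existing; re-raise, or return a value the callers can check, so a missing IPA CA entry does not go unnoticed.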
@@ -538,6 +539,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') @@ -607,12 +619,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) 
@@ -628,13 +641,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) @@ -647,6 +661,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 5ab3c9d93db91a25cf4af6f77d678b4879c4910e..9a40fde7593aee748a96417abef25b92221e5a14 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=177 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=178 +# Last change: ftweedal - update caacl plugin for lightweight CAs 
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, @@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name 
@@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj @@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { 
@@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], @@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index cbb5382fb5217d92c65d4b215b497958a31e978c..ef53608ece00ca6951ddeab08e0915a596116fcf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -29,6 +29,7 @@ from ipalib import errors from ipalib import pkcs10 from ipalib import x509 from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -236,7 +237,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -320,7 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From e503fa0f73022d24a9288e938d3540f4c5ed463d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/64] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipaserver/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ef53608ece00ca6951ddeab08e0915a596116fcf..8fccb76292b685033f8ebda347b51a4eb599d2bc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
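Review bot: the EXAMPLES hunk in the caacl.py module docstring does not document the compatibility rule that `_acl_make_rule` introduces (`rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])`), i.e. an ACL with neither `ipacacategory=all` nor CA members keeps applying to the IPA CA only; add a sentence stating that existing ACLs must receive `caacl-add-ca` or `--cacat=all` before they cover a lightweight CA, since that is what administrators will hit after upgrade. Note also that the first example was changed to `ipa caacl-add test --usercat=all --cacat=all`, which grants the profile on every CA including lightweight CAs created later; the explicit `caacl-add-ca alice_dnp3 --cas DNP3-CA` form in the second example is the narrower one and is the better pattern to show first.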
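Review bot: in the `caacl_add_ca` hunk, `pre_callback` evaluates `is_all(entry_attrs, 'ipacacategory')` after an `except errors.NotFound:` branch that only calls `self.obj.handle_not_found(*keys)`, so the code depends on that helper raising; otherwise `entry_attrs` is unbound. This matches `caacl_mod`, so it is acceptable as-is, but the two checks together (`is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs` in `caacl_mod`, and this one) are the only thing keeping `--cacat=all` and explicit CA members from coexisting; please add tests covering both orderings (set category then add CA, add CA then set category) with this commit.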
@@ -499,7 +499,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 20349b05f02c6e186275a822a487eb4733d75c7d..43aab92ffe6bba42d21135eb4f87cbde635f86e0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1554,10 +1554,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1586,13 +1588,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 5745218e1a2a74e89bad2d7e3d3958e773910d57 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/64] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 22 +++++++++++++++++++--- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index f434ebad7cc0fa22388266a1dc696c15c6ec530f..571c646c7b973b3107e9abf9f60caa4ded297c2f 100644 --- a/API.txt +++ b/API.txt @@ -758,9 +758,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('ca?') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index 9a40fde7593aee748a96417abef25b92221e5a14..6577c80904f99ab6b30217ddc82625ccda928df0 100644 --- a/VERSION +++ b/VERSION 
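Review bot: the dogtag.py and rabase.py hunks make `ca_id` a required positional parameter of `request_certificate(self, csr, profile_id, ca_id, request_type='pkcs10')`, which is why `checks/check-ra.py` and `cert.py` now have to pass `None` explicitly; any other `rabase` subclass or caller still using `request_certificate(csr, profile_id, request_type=...)` will fail with a TypeError. Declaring it as `ca_id=None` keeps existing callers working and matches the new docstring line "``None`` is allowed."; the `if ca_id: kw['authorityId'] = ca_id` logic is unchanged either way.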
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=178 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=179 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 8fccb76292b685033f8ebda347b51a4eb599d2bc..f09947337efc3d5b5872937df4a82663dfb6eff9 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -274,7 +274,11 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('ca?', + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -321,7 +325,19 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + ca = kw.get('ca', IPA_CA_CN) + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) + # + ca_obj = api.Command.ca_show(ca)['result'] + + # Look up Dogtag authority ID. + # + ca_id = None + if ca != IPA_CA_CN and 'ipacaid' in ca_obj: + ca_id = ca_obj['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -499,7 +515,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From 643ff632fd528e821a80084515b96c93ae9fe51c Mon Sep 17 00:00:00 2001 
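Review bot: in the `cert_request.execute` hunk in cert.py, `ca_id` remains `None` when `ca != IPA_CA_CN` but `'ipacaid'` is absent from the `api.Command.ca_show(ca)['result']` entry, so a request explicitly directed at a lightweight CA would be submitted with no `authorityId` and silently issued by the host authority instead; raise an error in that branch rather than falling through to `ca_id = None`. Keeping `ca_show` ahead of the CA ACL check, as the comment explains, is fine; the comment's "nonexistant" should read "nonexistent".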
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH 64/64] Add --issuer option to cert-find Add the --issuer option to the cert-find command, for filtering the search by issuer DN. Also add the issuer DN to the output of the command. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 5 +++++ ipaserver/plugins/dogtag.py | 9 +++++++++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/API.txt b/API.txt index 571c646c7b973b3107e9abf9f60caa4ded297c2f..05527b56cf99e971600bd1f0f2e1b6155c58bc19 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,12 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,18,4 option: Flag('all', autofill=True, cli_name='all', default=False) option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/VERSION b/VERSION index 6577c80904f99ab6b30217ddc82625ccda928df0..59c74531ef61c2cd9674be20f05bbe58e982571c 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=179 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=180 +# Last change: ftweedal - add --issuer option to cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index f09947337efc3d5b5872937df4a82663dfb6eff9..314191e349260a1119facc2df0428dc542c445f3 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -738,6 +738,11 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From tbordaz at redhat.com Tue Jun 7 06:56:20 2016 
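Review bot: in the search-request hunk in dogtag.py, the new `issuerDN` element is added without a matching `booloptions` entry, whereas the `subject` branch directly above sets `booloptions['subjectInUse'] = True` after adding its element; please confirm that Dogtag applies the `issuerDN` filter without a corresponding `...InUse` flag, or add that flag, otherwise `--issuer` would be silently ignored and return unfiltered results.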
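Review bot: in the response-parsing hunk in dogtag.py, `issuer_dn = cert.xpath('IssuerDN')` is followed by `if len(dn) == 1:`, which tests the `SubjectDN` result from the preceding lines instead of `issuer_dn`; a response containing a SubjectDN but no IssuerDN element raises IndexError on `issuer_dn[0]`, and one with an IssuerDN but no SubjectDN never records the issuer. Change it to `if len(issuer_dn) == 1:`.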
From: tbordaz at redhat.com (thierry bordaz)
Date: Tue, 7 Jun 2016 08:56:20 +0200
Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks
In-Reply-To: <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com>
References: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com> <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com>
Message-ID: <57567014.3080808@redhat.com>

On 06/06/2016 07:23 PM, Martin Basti wrote:
> On 03.06.2016 13:38, Stanislav Laznicka wrote:
>> Hello,
>>
>> The attached patch implements a solution to
>> https://fedorahosted.org/freeipa/ticket/5914. The patch is rather
>> hacky, as nsslapd-db-locks has to be modified when DS is not
>> running, although I accept proposals for a better solution.
>>
>> Standa
>>
> LGTM and works for me, but I want an ack from thierry because of the value
>
> * the value set by this patch is 100K; is that okay, or should it rather be 50K
>   as is mentioned in the ticket?
> * should there be an upgrade for this change, or should this be done only for
>   new installations? (the patch solves new installations only and I don't
>   think that we should change it by upgrade, users may have already
>   tuned DS)
>
> Martin^2

Hello,

This value also depends on the data. For example, adding groups with 10K members spikes the dblock consumption up to 40K because of membership computation during the update. The size of the entries can also contribute if, for example, we have several entries per page or they are too large and fit on several pages.

IMHO we should support out of the box groups with 10K, so 'nsslapd-db-locks: 50000' looks good to me. However, it could be documented why it can consume so many locks and how to tune it.

thanks
thierry

From jcholast at redhat.com Tue Jun 7 07:07:40 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 7 Jun 2016 09:07:40 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com>
Message-ID: <28133686-a016-2dd4-1494-df517371fe33@redhat.com>

On 6.6.2016 18:29, Martin Basti wrote:
> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>
>>> NACK
>>>
>>> please remove it from LDAPAddReverseMember too, it contains the same
>>> code
>>>
>>> Martin^2
>>
>> Please see the modified patch.
>>
>> Standa
>>
> ACK
>
> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc

I think the attrs_list was supposed to be passed to the ldap.get_entry() call rather than removed, which would fix the problem that every reverse member command always acts as if --all was specified.

-- 
Jan Cholasta

From jcholast at redhat.com Tue Jun 7 07:08:27 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 7 Jun 2016 09:08:27 +0200
Subject: [Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember
Message-ID: <2c21c82e-6cc5-ebb4-46ff-be6b60785158@redhat.com>

On 6.6.2016 14:33, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5923
>
> Patch attached.

Could we drop the error message parsing and do something sane instead?

-- 
Jan Cholasta

From pspacek at redhat.com Tue Jun 7 07:08:16 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 7 Jun 2016 09:08:16 +0200
Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone
In-Reply-To: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com>
References: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com>
Message-ID: <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com>

Hi,

the commit message does not say what was wrong and why, and what works now.
Please improve the commit message before pushing this.

Petr^2 Spacek

On 6.6.2016 19:03, Pavel Vomacka wrote:
> Fix bad searching of reverse DNS zone
>
> https://fedorahosted.org/freeipa/ticket/5796
>
> --
>
> Pavel^3 Vomacka

From pvomacka at redhat.com Tue Jun 7 08:07:48 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 7 Jun 2016 10:07:48 +0200
Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI
References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com>
Message-ID: <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com>

On 06/06/2016 07:51 PM, Martin Basti wrote:
> On 05.06.2016 18:34, Pavel Vomacka wrote:
>> Hello,
>>
>> please review the attached patches which add the WebUI part of the DNS Locations
>> feature.
>>
>> --
>> Pavel^3 Vomacka
>>
> NACK
>
> 1)
> When I edit the location description and click on the revert button, then that
> nice location table just disappears :)

It's the same situation as with using the 'Save' button - reported here: https://fedorahosted.org/freeipa/ticket/5776 . I'll add a comment there that the revert button hides values in association tables.

> 2)
> Can we put a placeholder "100" (gray font or something) in Location
> weight in the server detail view? Because when weight is not specified
> then the default is 100

Placeholder added.

-- 
Pavel^3

> Martin^2

Attachment: freeipa-pvomacka-0039-Add-adapter-attribute-for-choosing-record.patch (text/x-patch, 1664 bytes)
Attachment: freeipa-pvomacka-0040-2-DNS-Locations-WebUI-part.patch (text/x-patch, 12685 bytes)

From slaznick at redhat.com Tue Jun 7 08:14:43 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Tue, 7 Jun 2016 10:14:43 +0200
Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started
Message-ID: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com>

https://fedorahosted.org/freeipa/ticket/5775

Attachment: freeipa-slaznick-0043-Uninstaller-won-t-fail-if-service-can-t-be-started.patch (text/x-patch, 5626 bytes)

From abokovoy at redhat.com Tue Jun 7 08:17:12 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 11:17:12 +0300
Subject: [Freeipa-devel] thin client regressions: otptoken
Message-ID: <20160607081712.y73qip5vowpsrlcd@redhat.com>

ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
  File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
    qr = self._get_qrcode(output, uri, options['version'])
  File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
    qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode'
ipa: ERROR: an internal error has occurred

-- 
/ Alexander Bokovoy

From jcholast at redhat.com Tue Jun 7 08:22:57 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 7 Jun 2016 10:22:57 +0200
Subject: [Freeipa-devel] thin client regressions: otptoken
In-Reply-To: <20160607081712.y73qip5vowpsrlcd@redhat.com>
References: <20160607081712.y73qip5vowpsrlcd@redhat.com>
Message-ID: <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com>

On 7.6.2016 10:17, Alexander Bokovoy wrote:
> ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
> Traceback (most recent call last):
>   File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
>     sys.exit(api.Backend.cli.run(argv))
>   File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
>     rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>   File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
>     qr = self._get_qrcode(output, uri, options['version'])
>   File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
>     qr_code = qr_output.getvalue().decode(encoding)
> AttributeError: 'str' object has no attribute 'decode'
> ipa: ERROR: an internal error has occurred

Looks rather like a py3 regression to me.

-- 
Jan Cholasta

From mbasti at redhat.com Tue Jun 7 08:22:27 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 7 Jun 2016 10:22:27 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <28133686-a016-2dd4-1494-df517371fe33@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com>

On 07.06.2016 09:07, Jan Cholasta wrote:
> On 6.6.2016 18:29, Martin Basti wrote:
>> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>>
>>>> NACK
>>>>
>>>> please remove it from LDAPAddReverseMember too, it contains the same
>>>> code
>>>>
>>>> Martin^2
>>>
>>> Please see the modified patch.
>>>
>>> Standa
>>>
>> ACK
>>
>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc
>
> I think the attrs_list was supposed to be passed to the
> ldap.get_entry() call rather than removed, which would fix that every
> reverse member command always acts like --all was specified.
>

I'm really afraid of what can happen if we put attr_list into get_entry() instead of '*', because this code has been there for 4 years and I don't feel happy enough to change it now; we may break something.

Should I revert this commit then and postpone the ticket?

Martin^2

From mbasti at redhat.com Tue Jun 7 08:29:48 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jun 2016 10:29:48 +0200 Subject: [Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember In-Reply-To: <2c21c82e-6cc5-ebb4-46ff-be6b60785158@redhat.com> References: <2c21c82e-6cc5-ebb4-46ff-be6b60785158@redhat.com> Message-ID: <0c68edcc-5c16-04a5-5bad-a92a69cbeec9@redhat.com> On 07.06.2016 09:08, Jan Cholasta wrote: > On 6.6.2016 14:33, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5923 >> >> Patch attached. > > Could we drop the error message parsing and do something sane instead? > Not now, we can do it later and push this patch just as a workaround From pvomacka at redhat.com Tue Jun 7 08:30:20 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 7 Jun 2016 10:30:20 +0200 Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone In-Reply-To: <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com> References: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com> <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com> Message-ID: <0d5d593f-4394-dbda-347e-f81a7d88f5f3@redhat.com> On 06/07/2016 09:08 AM, Petr Spacek wrote: > Hi, > > the commit message does not say what was wrong and why and what works now. > Please improve the commit message before pushing this. Commit message improved. > > Petr^2 Spacek > > On 6.6.2016 19:03, Pavel Vomacka wrote: >> Fix bad searching of reverse DNS zone >> >> https://fedorahosted.org/freeipa/ticket/5796 >> >> -- >> >> Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0042-2-Fix-bad-searching-of-reverse-DNS-zone.patch Type: text/x-patch Size: 2512 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 7 08:35:49 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 7 Jun 2016 10:35:49 +0200 Subject: [Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember In-Reply-To: <0c68edcc-5c16-04a5-5bad-a92a69cbeec9@redhat.com> References: <2c21c82e-6cc5-ebb4-46ff-be6b60785158@redhat.com> <0c68edcc-5c16-04a5-5bad-a92a69cbeec9@redhat.com> Message-ID: <8775911c-e412-7908-507d-7ea6b230a093@redhat.com> On 7.6.2016 10:29, Martin Basti wrote: > > > On 07.06.2016 09:08, Jan Cholasta wrote: >> On 6.6.2016 14:33, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5923 >>> >>> Patch attached. >> >> Could we drop the error message parsing and do something sane instead? >> > > Not now, we can do it later and push this patch just as a workaround What's the point of that? -- Jan Cholasta From mbasti at redhat.com Tue Jun 7 08:35:10 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jun 2016 10:35:10 +0200 Subject: [Freeipa-devel] [PATCH 0497] Py3: fix unicode/str error in LDAP*ReverseMember In-Reply-To: <8775911c-e412-7908-507d-7ea6b230a093@redhat.com> References: <2c21c82e-6cc5-ebb4-46ff-be6b60785158@redhat.com> <0c68edcc-5c16-04a5-5bad-a92a69cbeec9@redhat.com> <8775911c-e412-7908-507d-7ea6b230a093@redhat.com> Message-ID: <8da13b03-de28-baef-f3e8-5e41924b5ae1@redhat.com> On 07.06.2016 10:35, Jan Cholasta wrote: > On 7.6.2016 10:29, Martin Basti wrote: >> >> >> On 07.06.2016 09:08, Jan Cholasta wrote: >>> On 6.6.2016 14:33, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5923 >>>> >>>> Patch attached. >>> >>> Could we drop the error message parsing and do something sane instead? >>> >> >> Not now, we can do it later and push this patch just as a workaround > > What's the point of that? > The point is that it will work as before, and I don't have time to fix it nicely now. From jcholast at redhat.com Tue Jun 7 08:43:25 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 7 Jun 2016 10:43:25 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> Message-ID: <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> On 7.6.2016 10:22, Martin Basti wrote: > > > On 07.06.2016 09:07, Jan Cholasta wrote: >> On 6.6.2016 18:29, Martin Basti wrote: >>> >>> >>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>> >>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>> >>>>>> >>>>> NACK >>>>> >>>>> please remove it from LDAPAddReverseMember too, it contains the same >>>>> code >>>>> >>>>> Martin^2 >>>> >>>> Please see the modified patch. >>>> >>>> Standa >>>> >>> ACK >>> >>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >> >> I think the attrs_list was supposed to be passed to the >> ldap.get_entry() call rather than removed, which would fix that every >> reverse member command always acts like --all was specified. >> > I'm really afraid of what can happen if we put attr_list into get_entry() > instead of '*', because this code was there for 4 years and I don't > feel happy enough to change it now, not knowing what we may break. > > Should I revert this commit then and postpone the ticket? It's a bug and should be fixed. The fix is easy so I see no point in postponing it. I see no reason to be really afraid; I'm pretty sure that removing the objectclass attribute (which is invisible in the CLI anyway) from the output of all the 4 commands that use this code won't break anything. -- Jan Cholasta From abokovoy at redhat.com Tue Jun 7 08:41:21 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jun 2016 11:41:21 +0300 Subject: [Freeipa-devel] thin client regressions: otptoken In-Reply-To: <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com> References: <20160607081712.y73qip5vowpsrlcd@redhat.com> <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com> Message-ID: <20160607084121.sd52t6gwqx7tlbkv@redhat.com> On Tue, 07 Jun 2016, Jan Cholasta wrote: >On 7.6.2016 10:17, Alexander Bokovoy wrote: >>ipa: ERROR: AttributeError: 'str' object has no attribute 'decode' >>Traceback (most recent call last): >> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run >> sys.exit(api.Backend.cli.run(argv)) >> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run >> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >>**options) >> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>line 103, in output_for_cli >> qr = self._get_qrcode(output, uri, options['version']) >> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>line 61, in _get_qrcode >> qr_code = qr_output.getvalue().decode(encoding) >>AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an >>internal error has occurred > >Looks rather like a py3 regression to me. > Fix attached, made a ticket https://fedorahosted.org/freeipa/ticket/5938 -- / Alexander Bokovoy -------------- next part -------------- From 398d3c0decb6b39207a2f9dcd8d27291800de1dd Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy Date: Tue, 7 Jun 2016 11:37:41 +0300 Subject: [PATCH 5/5] otptoken: only decode the token output for Python 2 When IPA client is using Python 3, there is no str.decode() method anymore. ipa: ERROR: AttributeError: 'str' object has no attribute 'decode' Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run sys.exit(api.Backend.cli.run(argv)) File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli qr = self._get_qrcode(output, uri, options['version']) File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode qr_code = qr_output.getvalue().decode(encoding) AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred Fixes https://fedorahosted.org/freeipa/ticket/5938 --- ipaclient/plugins/otptoken.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py index 5d3f1f8..968b01e 100644 --- a/ipaclient/plugins/otptoken.py +++ b/ipaclient/plugins/otptoken.py @@ -58,7 +58,9 @@ class otptoken_add(MethodOverride): encoding = locale.getpreferredencoding(False) try: - qr_code = qr_output.getvalue().decode(encoding) + qr_code = qr_output.getvalue() + if not six.PY3: + qr_code = qr_code.decode(encoding) except UnicodeError: add_message( version, -- 2.7.4 From mbasti at redhat.com Tue Jun 7 08:42:41 2016 
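Review bot: the new `if not six.PY3:` guard in the `_get_qrcode` hunk gates the decode on the interpreter version, but the patch adds no `import six` and the hunk context does not show one, so check that `ipaclient/plugins/otptoken.py` already imports it, otherwise this raises NameError on both Python 2 and 3. A type check would also be more robust than a version check: `if isinstance(qr_code, bytes): qr_code = qr_code.decode(encoding)` decodes whenever `getvalue()` hands back bytes (a BytesIO buffer, say) and leaves text alone regardless of version, and it keeps the surrounding `except UnicodeError:` branch meaningful on Python 3, where the patched code can never reach a decode.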
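As an added illustration of the two fixes discussed in this thread (this is example code, not the patch above and not FreeIPA's otptoken.py): a version-gated decode like the patch's, beside a type-gated decode that works whether the rendered QR buffer is a text StringIO or a bytes BytesIO. The `render_qr` helper and the sample buffers are constructed for the example; the `locale.getpreferredencoding(False)` default is the one the traceback shows otptoken.py using.

```python
import io
import locale
import sys

# Added example, not FreeIPA code: two ways to turn the rendered QR buffer
# into text. otptoken_add._get_qrcode() calls qr_output.getvalue() and
# decodes the result; which approach is used decides what happens when the
# buffer hands back bytes rather than text.


def decode_version_gated(value, encoding):
    """Mirror of the patch's approach: decode only when running Python 2.

    On Python 3 the value is returned untouched, so a bytes value (for
    example from an io.BytesIO buffer) is passed on undecoded.
    """
    if sys.version_info[0] < 3:
        return value.decode(encoding)
    return value


def decode_type_gated(value, encoding):
    """Decode when the value is bytes, return text unchanged.

    Behaves the same on both interpreters and does not depend on which
    kind of buffer produced the value. A UnicodeError propagates so the
    caller can report it, as the except clause in otptoken.py does.
    """
    if isinstance(value, bytes):
        return value.decode(encoding)
    if isinstance(value, str):
        return value
    raise TypeError("expected bytes or str, got %s" % type(value).__name__)


def render_qr(buffer, encoding=None):
    """Stand-in for the tail of _get_qrcode(): fetch the rendered QR code
    from `buffer` (io.StringIO or io.BytesIO) and return it as text, or
    None when it cannot be decoded with `encoding` (default: the locale's
    preferred encoding, as otptoken.py uses)."""
    if encoding is None:
        encoding = locale.getpreferredencoding(False)
    try:
        return decode_type_gated(buffer.getvalue(), encoding)
    except UnicodeError:
        return None


if __name__ == "__main__":
    # Constructed sample: a tiny "QR code" made of block characters, once in
    # a text buffer and once in a bytes buffer.
    text_buf = io.StringIO("\u2588\u2588 \u2588\n")
    bytes_buf = io.BytesIO("\u2588\u2588 \u2588\n".encode("utf-8"))
    print(repr(render_qr(text_buf, "utf-8")))
    print(repr(render_qr(bytes_buf, "utf-8")))
    print(repr(render_qr(io.BytesIO(b"\xff\xfe"), "utf-8")))  # None
```

On Python 3, `decode_version_gated` returns a bytes value unchanged, which is exactly the case the `except UnicodeError` branch was written for and can no longer catch; `decode_type_gated` still raises on an undecodable byte sequence, so `render_qr` can fall back to the same "cannot be displayed" path as before.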
From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jun 2016 10:42:41 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> Message-ID: <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> On 07.06.2016 10:43, Jan Cholasta wrote: > On 7.6.2016 10:22, Martin Basti wrote: >> >> >> On 07.06.2016 09:07, Jan Cholasta wrote: >>> On 6.6.2016 18:29, Martin Basti wrote: >>>> >>>> >>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>> >>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>> >>>>>>> >>>>>> NACK >>>>>> >>>>>> please remove it from LDAPAddReverseMember too, it contains the same >>>>>> code >>>>>> >>>>>> Martin^2 >>>>> >>>>> Please see the modified patch. >>>>> >>>>> Standa >>>>> >>>> ACK >>>> >>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>> >>> I think the attrs_list was supposed to be passed to the >>> ldap.get_entry() call rather than removed, which would fix that every >>> reverse member command always acts like --all was specified. >>> >> I'm really afraid of what can happen if we put attr_list into get_entry() >> instead of '*', because this code was there for 4 years and I don't >> feel happy enough to change it now, not knowing what we may break. >> >> Should I revert this commit then and postpone the ticket? > > It's a bug and should be fixed. The fix is easy so I see no point in > postponing it.
I see no reason to be really afraid; I'm pretty sure > that removing the objectclass attribute (which is invisible in the CLI > anyway) from the output of all the 4 commands that use this code won't > break anything. > Ok From mbabinsk at redhat.com Tue Jun 7 10:07:16 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Jun 2016 12:07:16 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: References: Message-ID: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> On 06/03/2016 05:25 PM, Martin Babinsky wrote: > I am sending rebased patches implementing > http://www.freeipa.org/page/V4/Server_Roles > > I hope the patches work since I have had a lot of fun rebasing them on > top of thin client and DNS locations effort. > > https://fedorahosted.org/freeipa/ticket/5181 > > > Sending updated patches according to Jan's interactive review. Since the name of attributes returned by API commands and signature of `server-role-find` have changed, a small update in WebUI patches is required. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0146.4-Server-roles-definitions-of-server-roles-and-attribu.patch Type: text/x-patch Size: 21102 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0147.4-Server-Roles-Backend-plugin-to-query-roles-and-attri.patch Type: text/x-patch Size: 6166 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0148.4-Test-suite-for-serverroles-backend.patch Type: text/x-patch Size: 25087 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0149.2-Server-Roles-public-API-for-server-roles.patch Type: text/x-patch Size: 7713 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0150.2-Server-Roles-make-server-show-find-utilize-role-info.patch Type: text/x-patch Size: 8778 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0151.2-Server-Roles-make-config-show-consume-relevant-roles.patch Type: text/x-patch Size: 9790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0152.2-Server-Roles-provide-an-API-for-setting-CA-renewal-m.patch Type: text/x-patch Size: 3867 bytes Desc: not available URL: From pspacek at redhat.com Tue Jun 7 10:09:43 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 7 Jun 2016 12:09:43 +0200 Subject: [Freeipa-devel] [PATCH 0403-0407] Preparation work for per-server config in LDAP Message-ID: <4e913778-fc0b-fdbd-bee0-2943d37b69d4@redhat.com> Hello, this patch set is preparation work for per-server config in LDAP, which is required for DNS location in IPA. This patch set should not cause any user-visible changes. https://fedorahosted.org/bind-dyndb-ldap/ticket/162 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: 0403-Fix-in-destroy_ldap_instance-caused-by-uninitialized.patch Type: text/x-patch Size: 778 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0404-Separate-BIND-config-utilities-from-ACL-parsing.patch Type: text/x-patch Size: 10963 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0405-Settings-Support-enum-description-value-mapping.patch Type: text/x-patch Size: 1754 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0406-Settings-Expose-API-for-setting_unset-and-setting_fi.patch Type: text/x-patch Size: 1937 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0407-Untangle-forwarder-configuration-from-LDAP-code.patch Type: text/x-patch Size: 50042 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 7 10:51:19 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Jun 2016 12:51:19 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: References: Message-ID: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> On 06/01/2016 05:10 PM, Martin Basti wrote: > Patch attached. > ACK -- Martin^3 Babinsky From pvomacka at redhat.com Tue Jun 7 10:58:04 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 7 Jun 2016 12:58:04 +0200 Subject: [Freeipa-devel] [PATCH 0499] Pylint: exclude some files/dirs from check In-Reply-To: References: Message-ID: <64c3b636-d18d-8caf-149d-4a535a750f72@redhat.com> On 06/06/2016 04:26 PM, Martin Basti wrote: > See commit message, yacctab.py causes lint errors and must be excluded > > > Patch attached. > > > Works well, ACK. -- Pavel^3 Vomacka -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Tue Jun 7 11:05:03 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 7 Jun 2016 13:05:03 +0200 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <20160606171258.acntciu74hac4mhq@redhat.com> References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com> <20160606171258.acntciu74hac4mhq@redhat.com> Message-ID: <5756AA5F.1080106@redhat.com> On 06/06/2016 07:12 PM, Alexander Bokovoy wrote: > On Mon, 06 Jun 2016, thierry bordaz wrote: >> >> >> On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: >>> On Mon, 06 Jun 2016, thierry bordaz wrote: >>>> Hello, >>>> >>>> In DS it is possible to register callbacks for extended op. >>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), >>>> there is a default callback that is implemented in DS core server. >>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' >>>> that also register a callback ipapwd_extop/ipapwd_chpwop, for that >>>> same extop. >>>> >>>> The server calls the callbacks until it can find one that can handle >>>> the OID. But the order is not guaranteed. >>>> So the extop can be handled either by password_extop or by >>>> ipapwd_chpwop. >>>> >>>> Those two functions are not doing the same checking/updates. >>>> >>>> I would like to confirm whether, in the Freeipa context, only >>>> ipapwd_extop/ipapwd_chpwop should be called >>> Correct. I think we have also added plugin priority to allow handling >>> this type of conflicts gracefully. >>> >> >> >> The order of the plugins, is based on nsslapd-pluginprecedence. >> (The lower precedence is called first) >> >> The problem is that ipapw_extop and password_extop have the same >> precedence: 50. So the order in which they are selected basically relies on >> the order in which they were registered. >> "Password Modify extended operation plugin" (core server) is >> registered before "IPA Password Extended Operation plugin". 
>> I think we need to add a precedence to "IPA Password Extended >> Operation plugin" to be sure it will be selected over "Password >> Modify extended operation plugin" >> >> In addition https://fedorahosted.org/389/ticket/48770 changed the way >> plugins are selected so even setting a precedence is currently not a >> solution (I opened https://fedorahosted.org/389/ticket/48870) >> >> In short we need to fix https://fedorahosted.org/389/ticket/48870 >> >> >> Regarding item 5.4, replacing a compat entry with its related real >> entry. >> I think there is something missing. In fact the extop is doing an >> internal MOD but before calling the MOD it checks the entry exists. >> And if called against a 'compat' entry the extop fails before calling >> the MOD. >> But even if it was successful it may not be a good idea to make >> 'Schema Compat' preop-mod doing the mapping 'compat' -> real for all >> MODS. > given that schema compat is read-only (always), you can do remapping all > the time. We have this mapping already for password checks, how is this > different? It should be similar to the mapping done for password check. When is it triggered, or where is the code for this mapping? > >> An option is to change "IPA Password Extended Operation plugin" to do >> this mapping 'compat' -> 'real' but it is looking like a hack. > Yes, it is unacceptable. > Well here we have IPA password extop that receives a 'compat' entry. This compat entry does not exist except in slapi-nis that can do the mapping to the real entry. What I was thinking of was some kind of call from IPA password extop to slapi-nis that for a given entry DN returns the real entryDN. But the transformation of the extop('compat') -> extop('real') would be done in IPA password extop From abokovoy at redhat.com Tue Jun 7 11:20:49 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jun 2016 14:20:49 +0300 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <5756AA5F.1080106@redhat.com> References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com> <20160606171258.acntciu74hac4mhq@redhat.com> <5756AA5F.1080106@redhat.com> Message-ID: <20160607112049.pvfnxjzpsandwlbb@redhat.com> On Tue, 07 Jun 2016, thierry bordaz wrote: > > >On 06/06/2016 07:12 PM, Alexander Bokovoy wrote: >>On Mon, 06 Jun 2016, thierry bordaz wrote: >>> >>> >>>On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: >>>>On Mon, 06 Jun 2016, thierry bordaz wrote: >>>>>Hello, >>>>> >>>>> In DS it is possible to register callbacks for extended op. >>>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), >>>>> there is a default callback that is implemented in DS core server. >>>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' >>>>> that also register a callback ipapwd_extop/ipapwd_chpwop, for that >>>>> same extop. >>>>> >>>>> The server calls the callbacks until it can find one that can handle >>>>> the OID. But the order is not guaranteed. >>>>> So the extop can be handled either by password_extop or by >>>>> ipapwd_chpwop. >>>>> >>>>> Those two functions are not doing the same checking/updates. >>>>> >>>>> I would like to confirm whether, in the Freeipa context, only >>>>> ipapwd_extop/ipapwd_chpwop should be called >>>>Correct. I think we have also added plugin priority to allow handling >>>>this type of conflicts gracefully. >>>> >>> >>> >>>The order of the plugins, is based on nsslapd-pluginprecedence. >>>(The lower precedence is called first) >>> >>>The problem is that ipapw_extop and password_extop have the same >>>precedence: 50. So the order in which they are selected basically relies on >>>the order in which they were registered. 
>>>"Password Modify extended operation plugin" (core server) is >>>registered before "IPA Password Extended Operation plugin". >>>I think we need to add a precedence to "IPA Password Extended >>>Operation plugin" to be sure it will be selected over "Password >>>Modify extended operation plugin" >>> >>>In addition https://fedorahosted.org/389/ticket/48770 changed the >>>way plugins are selected so even setting a precedence is currently >>>not a solution (I opened >>>https://fedorahosted.org/389/ticket/48870) >>> >>>In short we need to fix https://fedorahosted.org/389/ticket/48870 >>> >>> >>>Regarding item 5.4, replacing a compat entry with its related real >>>entry. >>>I think there is something missing. In fact the extop is doing an >>>internal MOD but before calling the MOD it checks the entry >>>exists. And if called against a 'compat' entry the extop fails >>>before calling the MOD. >>>But even if it was successful it may not be a good idea to >>>make 'Schema Compat' preop-mod doing the mapping 'compat' -> real >>>for all MODS. >>given that schema compat is read-only (always), you can do remapping all >>the time. We have this mapping already for password checks, how is this >>different? >It should be similar to the mapping done for password check. When is it >triggered, or where is the code for this mapping? See slapi-nis/src/back-sch.c:backend_bind_cb() for details. >>>An option is to change "IPA Password Extended Operation plugin" to >>>do this mapping 'compat' -> 'real' but it is looking like a hack. >>Yes, it is unacceptable. >> >Well here we have IPA password extop that receives a 'compat' entry. >This compat entry does not exist except in slapi-nis that can do the >mapping to the real entry. What I was thinking of was some kind of >call from IPA password extop to slapi-nis that for a given entry DN >returns the real entryDN. But the transformation of the extop('compat')
But the tranformation of the extop('compat') >-> extop('real') would be done in IPA password extop no, just look at slapi-nis code to see how we rewrite DN of the request. You'd need to do a similar trick. -- / Alexander Bokovoy From mbasti at redhat.com Tue Jun 7 11:49:33 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 7 Jun 2016 13:49:33 +0200 Subject: [Freeipa-devel] [PATCH 0499] Pylint: exclude some files/dirs from check In-Reply-To: <64c3b636-d18d-8caf-149d-4a535a750f72@redhat.com> References: <64c3b636-d18d-8caf-149d-4a535a750f72@redhat.com> Message-ID: <818deb3e-0f12-681e-da74-e75393c7f2b3@redhat.com> On 07.06.2016 12:58, Pavel Vomacka wrote: > > > > On 06/06/2016 04:26 PM, Martin Basti wrote: >> See commit message, yacctab.py causes lint errors and must be excluded >> >> >> Patch attached. >> >> >> > Works well, ACK. > > -- > Pavel^3 Vomacka > > Pushed to master: 1d9425dab7b16a0c518dadc5ba42c027045c4529 -------------- next part -------------- An HTML attachment was scrubbed... URL: From slaznick at redhat.com Tue Jun 7 13:11:01 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Tue, 7 Jun 2016 15:11:01 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> Message-ID: <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> Hello, Thank you for your patch. As the thin-client patches were pushed in the meantime, the patch won't apply. Could you please send a rebased version? Also, I have a few comments to the patch: 1) I think that the commit message should be rather a brief conclusion to the changes made in the commit. This could help for faster orientation in the changes that were made to a certain part of code should you be searching for a bug introduced by a commit. Should some more info be required, it can be added to the ticket. Could you therefore shorten the commit message? 2) Please do not add the tickets to comments in the code. You can use git blame -L or git log -L to see in which commits were the changes introduced to a certain part of a file, these commits should include the ticket number if more info is needed. Standa On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: > > Hi all, > > the following patch checks the format of parameters passed to a method > called through the batch command. I picked the ConversionError for > invalid parameters format but this choice can be discussed if you have > better suggestions... > > Fixes: https://fedorahosted.org/freeipa/ticket/5810 > -- > Florence Blanc-Renaud > Identity Management Team, Red Hat > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Tue Jun 7 13:40:57 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 7 Jun 2016 15:40:57 +0200 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <20160607112049.pvfnxjzpsandwlbb@redhat.com> References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com> <20160606171258.acntciu74hac4mhq@redhat.com> <5756AA5F.1080106@redhat.com> <20160607112049.pvfnxjzpsandwlbb@redhat.com> Message-ID: <5756CEE9.5090304@redhat.com> On 06/07/2016 01:20 PM, Alexander Bokovoy wrote: > On Tue, 07 Jun 2016, thierry bordaz wrote: >> >> >> On 06/06/2016 07:12 PM, Alexander Bokovoy wrote: >>> On Mon, 06 Jun 2016, thierry bordaz wrote: >>>> >>>> >>>> On 06/06/2016 11:07 AM, Alexander Bokovoy wrote: >>>>> On Mon, 06 Jun 2016, thierry bordaz wrote: >>>>>> Hello, >>>>>> >>>>>> In DS it is possible to register callbacks for extended op. >>>>>> For https://www.ietf.org/rfc/rfc3062.txt (password modify extop), >>>>>> there is a default callback that is implemented in DS core server. >>>>>> Freeipa enables a plugin 'cn=ipa_pwd_extop,cn=plugins,cn=config' >>>>>> that also register a callback ipapwd_extop/ipapwd_chpwop, for that >>>>>> same extop. >>>>>> >>>>>> The server calls the callbacks until it can find one that can handle >>>>>> the OID. But the order is not guaranteed. >>>>>> So the extop can be handled either by password_extop or by >>>>>> ipapwd_chpwop. >>>>>> >>>>>> Those two functions are not doing the same checking/updates. >>>>>> >>>>>> I would like to confirm whether, in the Freeipa context, only >>>>>> ipapwd_extop/ipapwd_chpwop should be called >>>>> Correct. I think we have also added plugin priority to allow handling >>>>> this type of conflicts gracefully. >>>>> >>>> >>>> >>>> The order of the plugins, is based on nsslapd-pluginprecedence. >>>> (The lower precedence is called first) >>>> >>>> The problem is that ipapw_extop and password_extop have the same >>>> precedence: 50. 
So the order in which they are selected basically relies on >>>> the order in which they were registered. >>>> "Password Modify extended operation plugin" (core server) is >>>> registered before "IPA Password Extended Operation plugin". >>>> I think we need to add a precedence to "IPA Password Extended >>>> Operation plugin" to be sure it will be selected over "Password >>>> Modify extended operation plugin" >>>> >>>> In addition https://fedorahosted.org/389/ticket/48770 changed the >>>> way plugins are selected so even setting a precedence is currently >>>> not a solution (I opened https://fedorahosted.org/389/ticket/48870) >>>> >>>> In short we need to fix https://fedorahosted.org/389/ticket/48870 >>>> >>>> >>>> Regarding item 5.4, replacing a compat entry with its related real >>>> entry. >>>> I think there is something missing. In fact the extop is doing an >>>> internal MOD but before calling the MOD it checks the entry exists. >>>> And if called against a 'compat' entry the extop fails before >>>> calling the MOD. >>>> But even if it was successful it may not be a good idea to make >>>> 'Schema Compat' preop-mod doing the mapping 'compat' -> real for >>>> all MODS. >>> given that schema compat is read-only (always), you can do remapping >>> all >>> the time. We have this mapping already for password checks, how is this >>> different? >> It should be similar to the mapping done for password check. When is it >> triggered, or where is the code for this mapping? > See slapi-nis/src/back-sch.c:backend_bind_cb() for details. > >>>> An option is to change "IPA Password Extended Operation plugin" to >>>> do this mapping 'compat' -> 'real' but it is looking like a hack. >>> Yes, it is unacceptable. >>> >> Well here we have IPA password extop that receives a 'compat' entry. >> This compat entry does not exist except in slapi-nis that can do the >> mapping to the real entry. 
What I was thinking of was some kind of >> call from IPA password extop to slapi-nis that for a given entry DN >> returns the real entryDN. But the transformation of the extop('compat') >> -> extop('real') would be done in IPA password extop > no, just look at slapi-nis code to see how we rewrite DN of the request. > You'd need to do a similar trick. > Thanks for the pointer. What differs is that slapi-nis is doing the mapping in an operation (here bind) preop. But with extop there is no preop call. Mapping looks to be done in backend_locate; my understanding is that we need to find a way to call something like backend_locate from extop, and it cannot be done with an internal search because slapi-nis ignores them. From abokovoy at redhat.com Tue Jun 7 13:47:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jun 2016 16:47:54 +0300 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <5756CEE9.5090304@redhat.com> References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com> <20160606171258.acntciu74hac4mhq@redhat.com> <5756AA5F.1080106@redhat.com> <20160607112049.pvfnxjzpsandwlbb@redhat.com> <5756CEE9.5090304@redhat.com> Message-ID: <20160607134754.e4ilfgevsxkzjolb@redhat.com> On Tue, 07 Jun 2016, thierry bordaz wrote: >>>Well here we have IPA password extop that receives a 'compat' >>>entry. This compat entry does not exist except in slapi-nis that >>>can do the mapping to the real entry. What I was thinking of was >>>some kind of call from IPA password extop to slapi-nis that for a >>>given entry DN return the real entryDN. But the tranformation of >>>the extop('compat') -> extop('real') would be done in IPA password >>>extop >>no, just look at slapi-nis code to see how we rewrite DN of the request. >>You'd need to do a similar trick. >> > >Thanks for the pointer. What differs is that slapi-nis is doing the >mapping in an operation (here bind) preop. >But with extop there is no preop call. Mapping looks to be done in >backend_locate, my understanding is that we need to find a way to call >something like backend_locate from extop and it can not be done with >an internal search because slapi-nis ignores them. May be it is time to add pre/post operations for extop? Granted, they are not going to be useful for most cases but this would solve our problem, right? -- / Alexander Bokovoy From tbordaz at redhat.com Tue Jun 7 13:53:35 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 7 Jun 2016 15:53:35 +0200 Subject: [Freeipa-devel] ipapwd_extop vs password_extop In-Reply-To: <20160607134754.e4ilfgevsxkzjolb@redhat.com> References: <57553B6D.4020804@redhat.com> <20160606090749.yljbo6zrfxgcda7m@redhat.com> <575595A0.2080203@redhat.com> <20160606171258.acntciu74hac4mhq@redhat.com> <5756AA5F.1080106@redhat.com> <20160607112049.pvfnxjzpsandwlbb@redhat.com> <5756CEE9.5090304@redhat.com> <20160607134754.e4ilfgevsxkzjolb@redhat.com> Message-ID: <5756D1DF.3020502@redhat.com> On 06/07/2016 03:47 PM, Alexander Bokovoy wrote: > On Tue, 07 Jun 2016, thierry bordaz wrote: >>>> Well here we have IPA password extop that receives a 'compat' >>>> entry. This compat entry does not exist except in slapi-nis that >>>> can do the mapping to the real entry. What I was thinking of was >>>> some kind of call from IPA password extop to slapi-nis that for a >>>> given entry DN return the real entryDN. But the transformation of >>>> the extop('compat') -> extop('real') would be done in IPA password >>>> extop >>> no, just look at slapi-nis code to see how we rewrite DN of the >>> request. >>> You'd need to do a similar trick. >>> >> >> Thanks for the pointer. What differs is that slapi-nis is doing the >> mapping in an operation (here bind) preop. >> But with extop there is no preop call. Mapping looks to be done in >> backend_locate; my understanding is that we need to find a way to >> call something like backend_locate from extop, and it cannot be done >> with an internal search because slapi-nis ignores them. > Maybe it is time to add pre/post operations for extop? Granted, they > are not going to be useful for most cases, but this would solve our > problem, right? Right, but it creates a dependency on DS. Another option would be to use the broker API (to allow a plugin to call other plugins' callbacks), but it would require changes on slapi-nis and IPA pwd extop. The nicer approach is an extop preop/postop.
I will start on this. Thank you for all your feedback. From mbabinsk at redhat.com Tue Jun 7 14:14:32 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Jun 2016 16:14:32 +0200 Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain In-Reply-To: <20160606103315.gcndbmnnswa3s2xl@redhat.com> References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> Message-ID: <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> On 06/06/2016 12:33 PM, Alexander Bokovoy wrote: > Hi, > > this patch adds support for external trust to Active Directory. > > External trust is a trust that can be created between Active Directory > domains that are in different forests or between an Active Directory > domain. Since FreeIPA does not support non-Kerberos means of > communication, external trust to Windows NT 4.0 or earlier domains is > not supported. > > The external trust is not transitive and can be established to any > domain in another forest. This means no access beyond the external > domain is possible via the trust link. > > Resolves: https://fedorahosted.org/freeipa/ticket/5743 > > > Hi Alexander, I have a few comments: 1.) 
there are numerous pep8 errors in the code: """ ./ipaserver/dcerpc.py:1044:80: E501 line too long (115 > 79 characters) ./ipaserver/dcerpc.py:1044:106: E251 unexpected spaces around keyword / parameter equals ./ipaserver/dcerpc.py:1044:108: E251 unexpected spaces around keyword / parameter equals ./ipaserver/dcerpc.py:1107:80: E501 line too long (110 > 79 characters) ./ipaserver/dcerpc.py:1108:80: E501 line too long (82 > 79 characters) ./ipaserver/dcerpc.py:1109:80: E501 line too long (114 > 79 characters) ./ipaserver/dcerpc.py:1111:80: E501 line too long (91 > 79 characters) ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters) ./ipaserver/dcerpc.py:1400:80: E501 line too long (143 > 79 characters) ./ipaserver/dcerpc.py:1401:80: E501 line too long (88 > 79 characters) ./ipaserver/plugins/trust.py:66:80: E501 line too long (91 > 79 characters) ./ipaserver/plugins/trust.py:174:22: E203 whitespace before ':' ./ipaserver/plugins/trust.py:175:80: E501 line too long (106 > 79 characters) ./ipaserver/plugins/trust.py:201:1: E302 expected 2 blank lines, found 1 ./ipaserver/plugins/trust.py:209:80: E501 line too long (91 > 79 characters) ./ipaserver/plugins/trust.py:690:9: E124 closing bracket does not match visual indentation ./ipaserver/plugins/trust.py:694:80: E501 line too long (127 > 79 characters) """ Please fix them. You can check whether your commit does not break pep8 by running `git show HEAD -U0 | pep8 --diff`. 2.) 
I have difficulty understanding the following code: """ + self.__allow_behavior = 0 domain_validator = DomainValidator(api) self.configured = domain_validator.is_configured() if self.configured: self.local_flatname = domain_validator.flatname self.local_dn = domain_validator.dn self.__populate_local_domain() + def allow_behavior(self, behavior_set): + if type(behavior_set) is int: + behavior_set = [behavior_set] + if TRUST_JOIN_EXTERNAL in behavior_set: + self.__allow_behavior |= TRUST_JOIN_EXTERNAL + """ I assume this is made like this to accommodate setting some other behavior flags which can pop up in the future (otherwise a simple Boolean to indicate external trust should be enough); in that case I would propose to rewrite it in this form and document it: """ def allow_behavior(self, *flags): """ Set the expected trust join behavior :param flags: trust flags to set """ for flag in flags: self.__allow_behavior |= flag """ Also, I am not a big fan of doubly underscored methods/variables since they do not 'hide' anything (Python's name mangling can be bypassed with ease anyway). If you want to indicate that the 'allow_behavior' attribute belongs to the internal implementation of the class, prefix it with a single underscore. 3.)
""" if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not (self.__allow_behavior & TRUST_JOIN_EXTERNAL): + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type, bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)) + self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type, bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)) # if trust is inbound, we don't need to verify it because AD DC will respond # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. ... """ Please use a separate variable to store the result of the bitwise AND you pass to the methods, e.g.: """ join_as_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: ... """ There is enough copy-pasta we have to deal with when fixing bugs; better not add any more of that. 4.) In trust-find post-callback you can use `attrs.single_value.get('ipanttrustattributes', 0)` to get trust attributes from the LDAP entry (they haven't been converted to dicts yet). It makes the code a bit more readable. The same can be said for trust-show post-callback.
""" def post_callback(self, ldap, entries, truncated, *args, **options): if options.get('pkey_only', False): return truncated for attrs in entries: # Translate ipanttrusttype to trusttype if --raw not used trust_type = attrs.get('ipanttrusttype', [None])[0] + attributes = attrs.get('ipanttrustattributes', [0])[0] if not options.get('raw', False) and trust_type is not None: - attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0]) + attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del attrs['ipanttrusttype'] + if attributes: + del attrs['ipanttrustattributes'] """ -- Martin^3 Babinsky From frenaud at redhat.com Tue Jun 7 15:25:22 2016 
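The two review points above (a flag-accumulating allow_behavior and the attribute handling in the find/show post-callbacks), as an added example that is not FreeIPA's code: the constant values and trust type strings are copied from the patch later in this thread, while TrustJoins, KNOWN_JOIN_FLAGS and translate_trust_entry are names assumed for this illustration. It also covers the case the quoted snippet misses: an entry whose ipanttrustattributes is stored as 0 must still lose the raw attribute in non-raw output.

```python
# Added example, not FreeIPA's code. Constant values and the trust type
# strings are taken from the patch discussed in this thread; TrustJoins,
# KNOWN_JOIN_FLAGS and translate_trust_entry are names assumed here.

TRUST_JOIN_EXTERNAL = 1                 # external (non-transitive) trust
KNOWN_JOIN_FLAGS = (TRUST_JOIN_EXTERNAL,)

LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001

# Key = ipanttrusttype | (non-transitive bit << 3), so 2 | 8 == 10.
_trust_type_dict = {
    1: 'Non-Active Directory domain',
    2: 'Active Directory domain',
    3: 'RFC4120-compliant Kerberos realm',
    10: 'Non-transitive external trust to a domain in another '
        'Active Directory forest',
}
_trust_type_dict_unknown = 'Unknown trust type'


class TrustJoins(object):
    """Holds the join behaviour a caller has explicitly allowed."""

    def __init__(self):
        self._allow_behavior = 0

    def allow_behavior(self, *flags):
        """Set the expected trust join behavior.

        :param flags: TRUST_JOIN_* flags to allow; unknown values are
                      rejected instead of silently OR-ed into the mask
        """
        for flag in flags:
            if flag not in KNOWN_JOIN_FLAGS:
                raise ValueError('unknown trust join flag: %r' % (flag,))
            self._allow_behavior |= flag

    @property
    def join_as_external(self):
        # One named bool for the call sites instead of repeating the AND.
        return bool(self._allow_behavior & TRUST_JOIN_EXTERNAL)


def trust_type_string(level, attrs):
    """Map (ipanttrusttype, ipanttrustattributes) to a display string."""
    non_transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
    key = int(level) | (non_transitive << 3)
    return _trust_type_dict.get(key, _trust_type_dict_unknown)


def translate_trust_entry(attrs, raw=False):
    """Post-callback style translation of one LDAP entry.

    attrs is a dict of attribute name -> list of string values, as the
    entries arrive in a *_find post_callback. In --raw mode the entry is
    returned untouched; otherwise ipanttrusttype/ipanttrustattributes
    are replaced by a single human-readable trusttype value.
    """
    if raw:
        return attrs
    trust_type = attrs.get('ipanttrusttype', [None])[0]
    attributes = attrs.get('ipanttrustattributes', [0])[0]
    if trust_type is not None:
        attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
        del attrs['ipanttrusttype']
        # Unconditional pop: a stored value of '0' is falsy, so an
        # "if attributes:" guard would leave the raw attribute behind.
        attrs.pop('ipanttrustattributes', None)
    return attrs


if __name__ == '__main__':
    # Constructed sample entries: a forest trust with the attribute
    # explicitly stored as 0, and an external trust.
    entries = [
        {'cn': ['ad.example.test'], 'ipanttrusttype': ['2'],
         'ipanttrustattributes': ['0']},
        {'cn': ['child.other.test'], 'ipanttrusttype': ['2'],
         'ipanttrustattributes': ['1']},
    ]
    joins = TrustJoins()
    joins.allow_behavior(TRUST_JOIN_EXTERNAL)
    print('join as external:', joins.join_as_external)
    for entry in entries:
        print(translate_trust_entry(dict(entry)))
```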
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Tue, 7 Jun 2016 17:25:22 +0200 Subject: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck In-Reply-To: <69456999-093e-1d4a-5ff7-6f5cd13e1712@redhat.com> References: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com> <69456999-093e-1d4a-5ff7-6f5cd13e1712@redhat.com> Message-ID: On 06/06/2016 07:18 PM, Martin Basti wrote: > > > > On 02.06.2016 14:58, Florence Blanc-Renaud wrote: >> >> Hi, >> >> this patch modifies ipa-replica-conncheck when it performs the SSH >> connection to the master, so that the username is always fully qualified. >> >> https://fedorahosted.org/freeipa/ticket/5812 >> -- >> Florence Blanc-Renaud >> Identity Management Team, Red Hat >> >> > > LGTM, but because of current issues with replica install in master > branch, I couldn't test it and I would like to be sure that > ipa-replica-install using NTP will work too > > > Just a little nitpick, for better readability, 'command' should be on > a new line > - '%s@%s' % (self.user, self.addr), command > + '-o User=%s' % self.user, > + '%s' % self.addr, command > > Martin^2 Hi Martin, thanks for the review. I am attaching a new patch with your suggestion. Just for my record, what would be the command-line options to test the scenario you're referring to? Flo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0005-2-Always-qualify-requests-for-admin-in-ipa-replica-con.patch Type: text/x-patch Size: 2312 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 7 15:50:23 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 7 Jun 2016 17:50:23 +0200 Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users In-Reply-To: <20160606103445.enh3cb6yfunmmqk2@redhat.com> References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> Message-ID: <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote: > Hi, > > Add support for additional user name principal suffixes from > trusted Active Directory forests. UPN suffixes are a property > of the forest and as such are associated with the forest root > domain. > > FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued > attribute of ipaNTTrustedDomain object class. > > In order to look up UPN suffixes, netr_DsRGetForestTrustInformation > LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. > > For more details on UPN and naming in Active Directory see > https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx > > https://fedorahosted.org/freeipa/ticket/5354 > > > Hi Alexander, a few comments: 1.) there are some PEP8 violations in the patch. Not all of them need to be fixed, though (line overhangs < 5 characters are OK by me).
""" ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters) ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters) ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters) ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters) ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters) ./ipaserver/plugins/trust.py:490:9: E128 continuation line under-indented for visual indent ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 characters) ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 characters) ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 characters) ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1 ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1 """ 2.) Should the ipaNTAdditionalSuffixes attribute be case insensitive? It makes sense, but I'm just asking so that we don't end up changing the schema later. 3.) """ def post_callback(self, ldap, entries, truncated, *args, **options): if options.get('pkey_only', False): return truncated trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') trust_entry = ldap.get_entry(trust_dn) + blacklist = trust_entry.get('ipantsidblacklistincoming') for entry in entries: - sid = entry['ipanttrusteddomainsid'][0] - - blacklist = trust_entry.get('ipantsidblacklistincoming') - if blacklist is None: + sid = entry.get('ipanttrusteddomainsid', [None])[0] + if sid is None: continue if sid in blacklist: entry['domain_enabled'] = [False] else: entry['domain_enabled'] = [True] return truncated """ Again, you can use `entry.single_value.get('ipanttrusteddomainsid', None)` to test/get the attribute value. 4.)
""" def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: return result trust_name = trust_entry['cn'][0] # trust range must exist by the time add_new_domains_from_trust is called range_name = trust_name.upper() + '_id_range' old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] - for dom in domains: + suffixes = list() + suffixes.extend(y['cn'] for x,y in domains['suffixes'].iteritems() if x not in domains['domains']) + + for dom in domains['domains'].itervalues(): dom['trust_type'] = u'ad' """ iterkeys/itervalues are not Python 3 compatible, please use `keys()/values()` and do not worry about performance implications in Python 2. 5.) """ result.append(res['result']) - if idrange_type != u'ipa-ad-trust-posix': + if idrange_type != u'ipa-ad-trust-posix' and dom.get('ipanttrusteddomainsid', False): range_name = name.upper() + '_id_range' """ Just a nitpick, I am confused by the 'False' default when getting the value of 'ipanttrusteddomainsid' (which is a string I presume). You could put an empty string/list there since empty sequences evaluate to False. 6.) """ pass + + try: + dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad') + ldap = myapi.Backend.ldap2 + entry = ldap.get_entry(dn) + tlns = list(entry.get('ipantadditionalsuffixes', [])) + tlns.extend(x for x in suffixes if x not in tlns) + entry['ipantadditionalsuffixes'] = tlns + ldap.update_entry(entry) + except errors.EmptyModlist: + pass + """ On this line: """ + tlns = list(entry.get('ipantadditionalsuffixes', [])) """ is the additional conversion to list really needed? IIRC for multivalued attributes you get a list by default. 7.) """ dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.get('ipanttrusteddomainsid', [None])[0] """ the same as in point 3.) 
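Review bot: in the post_callback fragment quoted under point 3, hoisting `blacklist = trust_entry.get('ipantsidblacklistincoming')` out of the loop also drops the `if blacklist is None: continue` guard from the removed lines, so `if sid in blacklist:` raises TypeError for a trust entry that has no ipantsidblacklistincoming attribute; either keep the None check before the loop or default to an empty list with `trust_entry.get('ipantsidblacklistincoming', [])`.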
-- Martin^3 Babinsky From abokovoy at redhat.com Tue Jun 7 16:00:18 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 7 Jun 2016 19:00:18 +0300 Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain In-Reply-To: <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> Message-ID: <20160607160018.fusf4llmh6gqgu3c@redhat.com> On Tue, 07 Jun 2016, Martin Babinsky wrote: >On 06/06/2016 12:33 PM, Alexander Bokovoy wrote: >>Hi, >> >>this patch adds support for external trust to Active Directory. >> >>External trust is a trust that can be created between Active Directory >>domains that are in different forests or between an Active Directory >>domain. Since FreeIPA does not support non-Kerberos means of >>communication, external trust to Windows NT 4.0 or earlier domains is >>not supported. >> >>The external trust is not transitive and can be established to any >>domain in another forest. This means no access beyond the external >>domain is possible via the trust link. >> >>Resolves: https://fedorahosted.org/freeipa/ticket/5743 >> >> >> >Hi Alexander, > >I have a few comments: > >1.) 
there are numerous pep8 errors in the code: > >""" >./ipaserver/dcerpc.py:1044:80: E501 line too long (115 > 79 characters) >./ipaserver/dcerpc.py:1044:106: E251 unexpected spaces around keyword >/ parameter equals >./ipaserver/dcerpc.py:1044:108: E251 unexpected spaces around keyword >/ parameter equals >./ipaserver/dcerpc.py:1107:80: E501 line too long (110 > 79 characters) >./ipaserver/dcerpc.py:1108:80: E501 line too long (82 > 79 characters) >./ipaserver/dcerpc.py:1109:80: E501 line too long (114 > 79 characters) >./ipaserver/dcerpc.py:1111:80: E501 line too long (91 > 79 characters) >./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters) >./ipaserver/dcerpc.py:1400:80: E501 line too long (143 > 79 characters) >./ipaserver/dcerpc.py:1401:80: E501 line too long (88 > 79 characters) >./ipaserver/plugins/trust.py:66:80: E501 line too long (91 > 79 characters) >./ipaserver/plugins/trust.py:174:22: E203 whitespace before ':' >./ipaserver/plugins/trust.py:175:80: E501 line too long (106 > 79 >characters) >./ipaserver/plugins/trust.py:201:1: E302 expected 2 blank lines, found 1 >./ipaserver/plugins/trust.py:209:80: E501 line too long (91 > 79 characters) >./ipaserver/plugins/trust.py:690:9: E124 closing bracket does not >match visual indentation >./ipaserver/plugins/trust.py:694:80: E501 line too long (127 > 79 >characters) >""" > >Please fix them. You can check whether your commit does not break pep8 >by running `git show HEAD -U0 | pep8 --diff`. Thanks for the review. The lines will have to be long. Sorry, we are not in the age of 80-column terminals anymore. Try to look at the ipaserver/dcerpc.py from a bigger perspective -- there are currently 224 errors reported by pep8 in this file. Fixing some of them makes little sense -- for example, pylint hints have to be where they are and that makes lines long, error messages have to be what they are and changing them to be smaller is counterproductive. 
I've updated the patch to have most of the lines within 90 columns. > >2.) > >I have difficulty understanding the following code: > >""" >+ self.__allow_behavior = 0 > > domain_validator = DomainValidator(api) > self.configured = domain_validator.is_configured() > > if self.configured: > self.local_flatname = domain_validator.flatname > self.local_dn = domain_validator.dn > self.__populate_local_domain() > >+ def allow_behavior(self, behavior_set): >+ if type(behavior_set) is int: >+ behavior_set = [behavior_set] >+ if TRUST_JOIN_EXTERNAL in behavior_set: >+ self.__allow_behavior |= TRUST_JOIN_EXTERNAL >+ >""" >I assume this is made like this to accommodate setting some other >behavior flags which can pop up in the future (otherwise a simple >Boolean to indicate external trust should be enough); in that case I >would propose to rewrite it in this form and document it: > > >""" >def allow_behavior(self, *flags): > """ > Set the expected trust join behavior > :param flags: trust flags to set > """ > for flag in flags: > self.__allow_behavior |= flag >""" > >Also, I am not a big fan of doubly underscored methods/variables since >they do not 'hide' anything (Python's name mangling can be bypassed >with ease anyway). If you want to indicate that the 'allow_behavior' >attribute belongs to the internal implementation of the class, prefix >it with a single underscore. You cannot have a property and a method named the same in the same class. I changed the code to follow your other suggestion. I kept the __allow_behavior as it is, though, because there is no difference between __ and _ semantically to a person who would be reading the code in question, but I keep __ memorized. ;) > >3.)
> >""" > if self.remote_domain.info['dns_domain'] != >self.remote_domain.info['dns_forest']: >- raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], >domain=self.remote_domain.info['dns_domain']) >+ if not (self.__allow_behavior & TRUST_JOIN_EXTERNAL): >+ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], >domain=self.remote_domain.info['dns_domain']) > > if not self.remote_domain.read_only: > trustdom_pass = samba.generate_random_password(128, 128) > self.get_realmdomains() >- self.remote_domain.establish_trust(self.local_domain, >trustdom_pass, trust_type) >- self.local_domain.establish_trust(self.remote_domain, >trustdom_pass, trust_type) >+ self.remote_domain.establish_trust(self.local_domain, >trustdom_pass, trust_type, bool(self.__allow_behavior & >TRUST_JOIN_EXTERNAL)) >+ self.local_domain.establish_trust(self.remote_domain, >trustdom_pass, trust_type, bool(self.__allow_behavior & >TRUST_JOIN_EXTERNAL)) > # if trust is inbound, we don't need to verify it because >AD DC will respond > # with WERR_NO_SUCH_DOMAIN -- in only does verification >for outbound trusts. > ... > >""" > >Please use a separate variable to store the result of bitwise AND you >pass to the methods, e.g.: > >""" >join_as_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) >if self.remote_domain.info['dns_domain'] != >self.remote_domain.info['dns_forest']: > ... > >""" > >There is enough copy-pasta we have to deal with when fixing bugs, >better not add any more of that. Thanks, changed this part. >4.) > >In trust-find post-callback you can use >`attrs.single_value.get('ipanttrustattributes', 0)` to get trust >attributes from the LDAP entry (they haven't been converted to dicts >yet). It makes code bit more readable. The same can be said for >trust-show post-callback. 
> >""" > def post_callback(self, ldap, entries, truncated, *args, **options): > if options.get('pkey_only', False): > return truncated > > for attrs in entries: > # Translate ipanttrusttype to trusttype if --raw not used > trust_type = attrs.get('ipanttrusttype', [None])[0] >+ attributes = attrs.get('ipanttrustattributes', [0])[0] > if not options.get('raw', False) and trust_type is not None: >- attrs['trusttype'] = >trust_type_string(attrs['ipanttrusttype'][0]) >+ attrs['trusttype'] = [trust_type_string(trust_type, >attributes)] > del attrs['ipanttrusttype'] >+ if attributes: >+ del attrs['ipanttrustattributes'] >""" Updated patch is attached. -- / Alexander Bokovoy -------------- next part -------------- From e9e8b4af5bf834aaceb9a7835733bd3641d5f93c Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 6 Jun 2016 08:55:44 +0300 Subject: [PATCH 1/5] trusts: Add support for an external trust to Active Directory domain External trust is a trust that can be created between Active Directory domains that are in different forests or between an Active Directory domain. Since FreeIPA does not support non-Kerberos means of communication, external trust to Windows NT 4.0 or earlier domains is not supported. The external trust is not transitive and can be established to any domain in another forest. This means no access beyond the external domain is possible via the trust link. Resolves: https://fedorahosted.org/freeipa/ticket/5743 --- API.txt | 3 ++- ipaserver/dcerpc.py | 50 +++++++++++++++++++++++++++---------- ipaserver/plugins/trust.py | 61 +++++++++++++++++++++++++++++++++++----------- 3 files changed, 86 insertions(+), 28 deletions(-) diff --git a/API.txt b/API.txt index f170930..d5fbc27 100644 --- a/API.txt +++ b/API.txt 
@@ -5208,12 +5208,13 @@ arg: Str('cn', cli_name='name') option: Str('version?') output: Output('result') command: trust_add -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Int('base_id?', cli_name='base_id') option: Bool('bidirectional?', cli_name='two_way', default=False) +option: Bool('external?', cli_name='external', default=False) option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust']) option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 25ffbfa..5f56643 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -77,6 +77,11 @@ and Samba4 python bindings. TRUST_ONEWAY = 1 TRUST_BIDIRECTIONAL = 3 +# Trust join behavior +# External trust -- allow creating trust to a non-root domain in the forest +TRUST_JOIN_EXTERNAL = 1 + + def is_sid_valid(sid): try: security.dom_sid(sid) @@ -1037,7 +1042,7 @@ class TrustDomainInstance(object): # We can ignore the error here -- setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional'): + def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional', trust_external=False): """ Establishes trust between our and another domain Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call @@ -1060,6 +1065,8 @@ class TrustDomainInstance(object): info.trust_direction |= lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = 0 + if trust_external: + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE try: dname = lsa.String() 
@@ -1096,14 +1103,17 @@ class TrustDomainInstance(object): # server as that one doesn't support AES encryption types pass - try: - info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) - info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE - self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) - except RuntimeError as e: - root_logger.error('unable to set trust to transitive: %s' % (str(e))) + if not trust_external: + try: + info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + self._pipe.SetInformationTrustedDomain(trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) + except RuntimeError as e: + root_logger.error('unable to set trust transitivity status: %s' % (str(e))) - if self.info['is_pdc']: + if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain) def verify_trust(self, another_domain): @@ -1262,6 +1272,7 @@ class TrustDomainJoins(object): self.api = api self.local_domain = None self.remote_domain = None + self.__allow_behavior = 0 domain_validator = DomainValidator(api) self.configured = domain_validator.is_configured() @@ -1271,6 +1282,10 @@ class TrustDomainJoins(object): self.local_dn = domain_validator.dn self.__populate_local_domain() + def allow_behavior(self, *flags): + for f in flags: + self.__allow_behavior |= int(f) + def __populate_local_domain(self): # Initialize local domain info using kerberos only ld = TrustDomainInstance(self.local_flatname) 
@@ -1358,14 +1373,19 @@ class TrustDomainJoins(object): realm_passwd ) + trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not trust_external: + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + self.remote_domain.establish_trust(self.local_domain, + trustdom_pass, trust_type, trust_external) + self.local_domain.establish_trust(self.remote_domain, + trustdom_pass, trust_type, trust_external) # if trust is inbound, we don't need to verify it because AD DC will respond # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. result = True 
@@ -1381,8 +1401,12 @@ class TrustDomainJoins(object): if not(isinstance(self.remote_domain, TrustDomainInstance)): self.populate_remote_domain(realm, realm_server, realm_passwd=None) + trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not trust_external: + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) - self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type) + self.local_domain.establish_trust(self.remote_domain, + trustdom_passwd, trust_type, trust_external) return dict(local=self.local_domain, remote=self.remote_domain, verified=False) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index ee0ab5d..744be93 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -62,8 +62,10 @@ except Exception as e: if api.env.in_server and api.env.context in ['lite', 'server']: try: - import ipaserver.dcerpc #pylint: disable=F0401 - from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL + import ipaserver.dcerpc # pylint: disable=F0401 + from ipaserver.dcerpc import (TRUST_ONEWAY, + TRUST_BIDIRECTIONAL, + TRUST_JOIN_EXTERNAL) import dbus import dbus.mainloop.glib _bindings_installed = True 
@@ -162,11 +164,18 @@ trust_output_params = ( label=_('Trust type')), Str('truststatus', label=_('Trust status')), + Str('ipantadditionalsuffixes*', + label=_('UPN suffixes')), ) +# Trust type is a combination of ipanttrusttype and ipanttrustattributes +# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and +# 2+(1 << 3) becomes 10. _trust_type_dict = {1 : _('Non-Active Directory domain'), 2 : _('Active Directory domain'), - 3 : _('RFC4120-compliant Kerberos realm')} + 3 : _('RFC4120-compliant Kerberos realm'), + 10: _('Non-transitive external trust to a domain in another Active Directory forest')} + _trust_direction_dict = {1 : _('Trusting forest'), 2 : _('Trusted forest'), 3 : _('Two-way trust')} @@ -189,14 +198,17 @@ DBUS_IFACE_TRUST = 'com.redhat.idm.trust' CRED_STYLE_SAMBA = 1 CRED_STYLE_KERBEROS = 2 -def trust_type_string(level): +LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001 + +def trust_type_string(level, attrs): """ Returns a string representing a type of the trust. The original field is an enum: LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001, LSA_TRUST_TYPE_UPLEVEL = 0x00000002, LSA_TRUST_TYPE_MIT = 0x00000003 """ - string = _trust_type_dict.get(int(level), _trust_type_dict_unknown) + transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE + string = _trust_type_dict.get(int(level) | (transitive << 3), _trust_type_dict_unknown) return unicode(string) def trust_direction_string(level): @@ -677,6 +689,12 @@ sides. doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')), default=False, ), + Bool('external?', + label=_('External trust'), + cli_name='external', + doc=(_('Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.')), + default=False, + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') 
@@ -735,12 +753,15 @@ sides. fetch_trusted_domains_over_dbus(self.api, self.log, result['value']) # Format the output into human-readable values + attributes = int(result['result'].get('ipanttrustattributes', [0])[0]) result['result']['trusttype'] = [trust_type_string( - result['result']['ipanttrusttype'][0])] + result['result']['ipanttrusttype'][0], attributes)] result['result']['trustdirection'] = [trust_direction_string( result['result']['ipanttrustdirection'][0])] result['result']['truststatus'] = [trust_status_string( result['verified'])] + if attributes: + result['result'].pop('ipanttrustattributes', None) del result['verified'] result['result'].pop('ipanttrustauthoutgoing', None) @@ -929,6 +950,11 @@ sides. trust_type = TRUST_ONEWAY if options.get('bidirectional', False): trust_type = TRUST_BIDIRECTIONAL + + # If we are forced to establish external trust, allow it + if options.get('external', False): + self.trustinstance.allow_behavior(TRUST_JOIN_EXTERNAL) + # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides if full_join: @@ -1033,7 +1059,7 @@ class trust_mod(LDAPUpdate): class trust_find(LDAPSearch): __doc__ = _('Search for trusts.') has_output_params = LDAPSearch.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'),) + (Str('ipanttrusttype'), Str('ipanttrustattributes')) msg_summary = ngettext( '%(count)d trust matched', '%(count)d trusts matched', 0 @@ -1043,7 +1069,7 @@ class trust_find(LDAPSearch): # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): # list only trust, not trust domains - trust_filter = '(ipaNTTrustPartner=*)' + trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))' filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) return (filter, base_dn, ldap.SCOPE_SUBTREE) 
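Review bot: in the dcerpc.py hunk at @@ -1037, the new `trust_external=False` parameter of establish_trust is not described in the docstring's "Input:" list, which still explains only another_domain; add a line saying that it sets LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE and skips the FOREST_TRANSITIVE upgrade, since that is the whole effect of the flag in this file.

Review bot: in the dcerpc.py hunk at @@ -1271, allow_behavior(*flags) has no docstring and `self.__allow_behavior |= int(f)` accepts any integer, so a stray value silently sets bits that nothing later reads; validate each flag against the known TRUST_JOIN_* constants (raising ValueError otherwise) and document the parameter as the reviewer asked.

Review bot: in the dcerpc.py hunk at @@ -1358, the block that computes trust_external and guards errors.NotAForestRootError is repeated verbatim in the hunk at @@ -1381; factor it into one helper on TrustDomainJoins (for example `_check_forest_root(trust_external)`, name assumed) so the two join paths cannot drift apart.

Review bot: in the trust.py hunk at @@ -162, the new `Str('ipantadditionalsuffixes*', label=_('UPN suffixes'))` output parameter has nothing to do with the external trust described in the commit message and is not used anywhere else in this patch; it belongs with the UPN suffix change (PATCH 0202 in this thread). The key-10 comment is useful, but `2+(1 << 3)` would read better as `2 | (1 << 3)` to match how trust_type_string combines the values.

Review bot: in the trust.py hunk at @@ -189, `transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE` holds the non-transitive bit, so the variable name says the opposite of its value; rename it to non_transitive. The local `LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001` duplicates the lsa constant used in dcerpc.py; if it is defined here because the dcerpc import at @@ -62 is only available in server context, a comment saying so would stop someone removing it later. The trust_type_string docstring also still lists only the LSA_TRUST_TYPE_* enum and should describe the new attrs argument.

Review bot: in the trust.py hunk at @@ -1043, the new trust_filter '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))' nests one AND inside another; '(&(ipaNTTrustPartner=*)(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain))' is equivalent and easier to read. The commit message does not say why the filter got stricter, so a short comment on which entries the extra objectclass terms exclude would help.

Review bot: in the trust.py hunk at @@ -735, `if attributes: result['result'].pop('ipanttrustattributes', None)` keys the removal on the value, so an entry whose ipanttrustattributes is stored as 0 keeps the raw attribute in the human-readable output next to trusttype; pop it unconditionally (pop with a default already tolerates absence).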
@@ -1060,10 +1086,13 @@ class trust_find(LDAPSearch): for attrs in entries: # Translate ipanttrusttype to trusttype if --raw not used - trust_type = attrs.get('ipanttrusttype', [None])[0] + trust_type = attrs.single_value.get('ipanttrusttype', None) + attributes = attrs.single_value.get('ipanttrustattributes', 0) if not options.get('raw', False) and trust_type is not None: - attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0]) + attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del attrs['ipanttrusttype'] + if attributes: + del attrs['ipanttrustattributes'] return truncated @@ -1071,7 +1100,7 @@ class trust_find(LDAPSearch): class trust_show(LDAPRetrieve): __doc__ = _('Display information about a trust.') has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'), Str('ipanttrustdirection')) + (Str('ipanttrusttype'), Str('ipanttrustdirection'), Str('ipanttrustattributes')) def execute(self, *keys, **options): result = super(trust_show, self).execute(*keys, **options) @@ -1088,16 +1117,20 @@ class trust_show(LDAPRetrieve): # if --raw not used if not options.get('raw', False): - trust_type = entry_attrs.get('ipanttrusttype', [None])[0] + trust_type = entry_attrs.single_value.get('ipanttrusttype', None) + attributes = entry_attrs.single_value.get('ipanttrustattributes', 0) if trust_type is not None: - entry_attrs['trusttype'] = trust_type_string(trust_type) + entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del entry_attrs['ipanttrusttype'] - dir_str = entry_attrs.get('ipanttrustdirection', [None])[0] + dir_str = entry_attrs.single_value.get('ipanttrustdirection', None) if dir_str is not None: entry_attrs['trustdirection'] = [trust_direction_string(dir_str)] del entry_attrs['ipanttrustdirection'] + if attributes: + del entry_attrs['ipanttrustattributes'] + return dn -- 2.7.4 From mbasti at redhat.com Tue Jun 7 16:23:37 2016 
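Review bot: in the trust_find post_callback hunk (`@@ -1060,10 +1086,13 @@`) `del attrs['ipanttrustattributes']` is guarded by `if attributes:`, which only works because `single_value.get` returns the stored string when the attribute exists and the default `0` when it does not; test for presence explicitly (`'ipanttrustattributes' in attrs`) instead of relying on truthiness. The deletion should also sit inside the `not options.get('raw', False)` branch, since `--raw` output is expected to keep raw attributes; the nesting is not recoverable from the flattened hunk, so please confirm.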
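Review bot: the trust_show post_callback hunk (`@@ -1088,16 +1117,20 @@`) now repeats the trust_find logic almost line for line (read `ipanttrusttype` and `ipanttrustattributes` via `single_value`, build `trusttype`, delete the raw attributes behind an `if attributes:` guard). Factor a small helper that takes the entry and the `raw` option so the two commands cannot drift apart, and fix the presence check there once (same truthiness issue as in trust_find).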
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 7 Jun 2016 18:23:37 +0200
Subject: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
In-Reply-To:
References: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com> <69456999-093e-1d4a-5ff7-6f5cd13e1712@redhat.com>
Message-ID:

On 07.06.2016 17:25, Florence Blanc-Renaud wrote:
> On 06/06/2016 07:18 PM, Martin Basti wrote:
>> On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
>>> Hi,
>>>
>>> this patch modifies ipa-replica-conncheck when it performs the SSH
>>> connection to the master, so that the username is always fully
>>> qualified.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5812
>>> --
>>> Florence Blanc-Renaud
>>> Identity Management Team, Red Hat
>>
>> LGTM, but because of current issues with replica install in the master
>> branch, I couldn't test it and I would like to be sure that
>> ipa-replica-install using NTP will work too.
>>
>> Just a little nitpick, for better readability, 'command' should be on a
>> new line:
>> - '%s@%s' % (self.user, self.addr), command
>> + '-o User=%s' % self.user,
>> + '%s' % self.addr, command
>>
>> Martin^2
>
> Hi Martin,
>
> thanks for the review. I am attaching a new patch with your
> suggestion. Just for my record, what would be the command-line options
> to test the scenario you're referring to?
>
> Flo.

Hello,

the scenario is:

1. install server
2. create host entry with OTP (ipa host-add replica.hostname --password=OTPpasswd)
3. add host to ipaservers group (ipa hostgroup-add-member ipaservers --hosts=replica.hostname)
4. install replica (ipa-replica-install --server --domain --password=OTPpasswd)

Martin^2
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From mbabinsk at redhat.com Tue Jun 7 16:37:58 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 7 Jun 2016 18:37:58 +0200
Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain
In-Reply-To: <20160607160018.fusf4llmh6gqgu3c@redhat.com>
References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> <20160607160018.fusf4llmh6gqgu3c@redhat.com>
Message-ID: <60512d46-d5db-e84e-e564-b4d87279e105@redhat.com>

On 06/07/2016 06:00 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>> On 06/06/2016 12:33 PM, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> this patch adds support for external trust to Active Directory.
>>>
>>> External trust is a trust that can be created between Active Directory
>>> domains that are in different forests or between an Active Directory
>>> domain. Since FreeIPA does not support non-Kerberos means of
>>> communication, external trust to Windows NT 4.0 or earlier domains is
>>> not supported.
>>>
>>> The external trust is not transitive and can be established to any
>>> domain in another forest. This means no access beyond the external
>>> domain is possible via the trust link.
>>>
>>> Resolves: https://fedorahosted.org/freeipa/ticket/5743
>>>
>> Hi Alexander,
>>
>> I have a few comments:
>>
>> 1.)
>> there are numerous pep8 errors in the code:
>>
>> """
>> ./ipaserver/dcerpc.py:1044:80: E501 line too long (115 > 79 characters)
>> ./ipaserver/dcerpc.py:1044:106: E251 unexpected spaces around keyword / parameter equals
>> ./ipaserver/dcerpc.py:1044:108: E251 unexpected spaces around keyword / parameter equals
>> ./ipaserver/dcerpc.py:1107:80: E501 line too long (110 > 79 characters)
>> ./ipaserver/dcerpc.py:1108:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/dcerpc.py:1109:80: E501 line too long (114 > 79 characters)
>> ./ipaserver/dcerpc.py:1111:80: E501 line too long (91 > 79 characters)
>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/dcerpc.py:1400:80: E501 line too long (143 > 79 characters)
>> ./ipaserver/dcerpc.py:1401:80: E501 line too long (88 > 79 characters)
>> ./ipaserver/plugins/trust.py:66:80: E501 line too long (91 > 79 characters)
>> ./ipaserver/plugins/trust.py:174:22: E203 whitespace before ':'
>> ./ipaserver/plugins/trust.py:175:80: E501 line too long (106 > 79 characters)
>> ./ipaserver/plugins/trust.py:201:1: E302 expected 2 blank lines, found 1
>> ./ipaserver/plugins/trust.py:209:80: E501 line too long (91 > 79 characters)
>> ./ipaserver/plugins/trust.py:690:9: E124 closing bracket does not match visual indentation
>> ./ipaserver/plugins/trust.py:694:80: E501 line too long (127 > 79 characters)
>> """
>>
>> Please fix them. You can check whether your commit does not break pep8
>> by running `git show HEAD -U0 | pep8 --diff`.
> Thanks for the review.
>
> The lines will have to be long. Sorry, we are not in the age of
> 80-column terminals anymore. Try to look at the ipaserver/dcerpc.py from
> a bigger perspective -- there are currently 224 errors reported by pep8
> in this file. Fixing some of them makes little sense -- for example,
> pylint hints have to be where they are and that makes lines long, error
> messages have to be what they are and changing them to be smaller is
> counterproductive.
>
> I've updated the patch to have most of the lines within 90 columns.
>
This is not about 80 column terminals, this is about a) not moving your neck through its full range of motion when reading the code, b) conforming to the rules set up by some project regarding contributions to its codebase [1].

These are all the pep8 violations introduced _only by the code the patch is touching/adding_, not in the whole dcerpc module:

"""
./ipaserver/dcerpc.py:1045:80: E501 line too long (113 > 79 characters)
./ipaserver/dcerpc.py:1109:80: E501 line too long (93 > 79 characters)
./ipaserver/dcerpc.py:1110:80: E501 line too long (82 > 79 characters)
./ipaserver/dcerpc.py:1112:80: E501 line too long (97 > 79 characters)
./ipaserver/dcerpc.py:1114:80: E501 line too long (91 > 79 characters)
./ipaserver/dcerpc.py:1287:12: E111 indentation is not a multiple of four
./ipaserver/dcerpc.py:1379:80: E501 line too long (94 > 79 characters)
./ipaserver/dcerpc.py:1380:80: E501 line too long (94 > 79 characters)
./ipaserver/dcerpc.py:1386:80: E501 line too long (89 > 79 characters)
./ipaserver/dcerpc.py:1388:80: E501 line too long (88 > 79 characters)
./ipaserver/dcerpc.py:1407:80: E501 line too long (94 > 79 characters)
./ipaserver/dcerpc.py:1408:80: E501 line too long (94 > 79 characters)
./ipaserver/dcerpc.py:1411:80: E501 line too long (86 > 79 characters)
./ipaserver/plugins/trust.py:176:22: E203 whitespace before ':'
./ipaserver/plugins/trust.py:177:80: E501 line too long (106 > 79 characters)
./ipaserver/plugins/trust.py:203:1: E302 expected 2 blank lines, found 1
./ipaserver/plugins/trust.py:211:80: E501 line too long (91 > 79 characters)
./ipaserver/plugins/trust.py:695:80: E501 line too long (127 > 79 characters)
./ipaserver/plugins/trust.py:697:9: E124 closing bracket does not match visual indentation
./ipaserver/plugins/trust.py:1062:25: E127 continuation line over-indented for visual indent
./ipaserver/plugins/trust.py:1072:80: E501 line too long (109 > 79 characters)
./ipaserver/plugins/trust.py:1092:80: E501 line too long (80 > 79 characters)
./ipaserver/plugins/trust.py:1103:25: E127 continuation line over-indented for visual indent
./ipaserver/plugins/trust.py:1103:80: E501 line too long (104 > 79 characters)
./ipaserver/plugins/trust.py:1121:80: E501 line too long (80 > 79 characters)
./ipaserver/plugins/trust.py:1123:80: E501 line too long (86 > 79 characters)
"""

Again, we only require contributors to follow PEP8 when adding new code/directly touching old one. Please note that there are more serious transgressions than a couple of long lines that should _definitely_ be fixed (indentation errors, whitespace around operators etc.). We as contributors to the project _all_ have to conform to the style guide [1] to at least keep some uniform style in the codebase we touch. I fail to see why your contributions should be exempt from the rules we all strive to adhere to.

(also you can sandwich # pylint: disable/ # pylint: enable directives around the offending long line to keep pep8 satisfied, just saying)

[1] http://www.freeipa.org/page/Python_Coding_Style

>>
>> 2.)
>>
>> I have difficulty understanding the following code:
>>
>> """
>> + self.__allow_behavior = 0
>>
>> domain_validator = DomainValidator(api)
>> self.configured = domain_validator.is_configured()
>>
>> if self.configured:
>> self.local_flatname = domain_validator.flatname
>> self.local_dn = domain_validator.dn
>> self.__populate_local_domain()
>>
>> + def allow_behavior(self, behavior_set):
>> + if type(behavior_set) is int:
>> + behavior_set = [behavior_set]
>> + if TRUST_JOIN_EXTERNAL in behavior_set:
>> + self.__allow_behavior |= TRUST_JOIN_EXTERNAL
>> +
>> """
>> I assume this is made like this to accommodate setting some other
>> behavior flags which can pop up in the future (otherwise a simple
>> Boolean to indicate external trust should be enough), in that case I
>> would propose to rewrite it in this form and document it:
>>
>> """
>> def allow_behavior(self, *flags):
>> """
>> Set the expected trust join behavior
>> :param flags: trust flags to set
>> """
>> for flag in flags:
>> self.__allow_behavior |= flag
>> """
>>
>> Also, I am not a big fan of doubly underscored methods/variables since
>> they do not 'hide' anything (Python's name mangling can be bypassed
>> with ease anyway). If you want to indicate that the 'allow_behavior'
>> attribute belongs to the internal implementation of the class prefix
>> it with a single underscore.
> You cannot have a property and a method named the same in the same
> class. I changed the code to follow your other suggestion. I kept the
> __allow_behavior as it is, though, because there is no difference
> between __ and _ semantically to a person who would be reading the code
> in question but I keep __ memorized. ;)
>
Fair enough, although you could have more meaningful method and attribute names, like `self.__behavior_flags` and `def set_behavior_flags()`.

>>
>> 3.)
>>
>> """
>> if self.remote_domain.info['dns_domain'] !=
>> self.remote_domain.info['dns_forest']:
>> - raise
>> errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'],
>> domain=self.remote_domain.info['dns_domain'])
>> + if not (self.__allow_behavior & TRUST_JOIN_EXTERNAL):
>> + raise
>> errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'],
>> domain=self.remote_domain.info['dns_domain'])
>>
>> if not self.remote_domain.read_only:
>> trustdom_pass = samba.generate_random_password(128, 128)
>> self.get_realmdomains()
>> - self.remote_domain.establish_trust(self.local_domain,
>> trustdom_pass, trust_type)
>> - self.local_domain.establish_trust(self.remote_domain,
>> trustdom_pass, trust_type)
>> + self.remote_domain.establish_trust(self.local_domain,
>> trustdom_pass, trust_type, bool(self.__allow_behavior &
>> TRUST_JOIN_EXTERNAL))
>> + self.local_domain.establish_trust(self.remote_domain,
>> trustdom_pass, trust_type, bool(self.__allow_behavior &
>> TRUST_JOIN_EXTERNAL))
>> # if trust is inbound, we don't need to verify it because
>> AD DC will respond
>> # with WERR_NO_SUCH_DOMAIN -- in only does verification
>> for outbound trusts.
>> ...
>>
>> """
>>
>> Please use a separate variable to store the result of the bitwise AND you
>> pass to the methods, e.g.:
>>
>> """
>> join_as_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)
>> if self.remote_domain.info['dns_domain'] !=
>> self.remote_domain.info['dns_forest']:
>> ...
>>
>> """
>>
>> There is enough copy-pasta we have to deal with when fixing bugs,
>> better not add any more of that.
> Thanks, changed this part.
>
>> 4.)
>>
>> In trust-find post-callback you can use
>> `attrs.single_value.get('ipanttrustattributes', 0)` to get trust
>> attributes from the LDAP entry (they haven't been converted to dicts
>> yet). It makes the code a bit more readable. The same can be said for
>> trust-show post-callback.
>>
>> """
>> def post_callback(self, ldap, entries, truncated, *args, **options):
>> if options.get('pkey_only', False):
>> return truncated
>>
>> for attrs in entries:
>> # Translate ipanttrusttype to trusttype if --raw not used
>> trust_type = attrs.get('ipanttrusttype', [None])[0]
>> + attributes = attrs.get('ipanttrustattributes', [0])[0]
>> if not options.get('raw', False) and trust_type is not None:
>> - attrs['trusttype'] =
>> trust_type_string(attrs['ipanttrusttype'][0])
>> + attrs['trusttype'] = [trust_type_string(trust_type,
>> attributes)]
>> del attrs['ipanttrusttype']
>> + if attributes:
>> + del attrs['ipanttrustattributes']
>> """
> Updated patch is attached.
>
Also when sending revised patches please try to conform to the common patch naming convention: http://www.freeipa.org/page/Contribute/Patch_Format#Naming

Surprisingly I have found out that my own patches actually do not follow it. Shame on me!

--
Martin^3 Babinsky

From abokovoy at redhat.com Tue Jun 7 16:38:07 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 19:38:07 +0300
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To: <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com>
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com>
Message-ID: <20160607163807.4fc5gaim7wqqqepl@redhat.com>

On Tue, 07 Jun 2016, Martin Babinsky wrote:
>On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>Hi,
>>
>>Add support for additional user name principal suffixes from
>>trusted Active Directory forests. UPN suffixes are property
>>of the forest and as such are associated with the forest root
>>domain.
>>
>>FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>attribute of ipaNTTrustedDomain object class.
>>
>>In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>
>>For more details on UPN and naming in Active Directory see
>>https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>
>>https://fedorahosted.org/freeipa/ticket/5354
>>
>
>Hi Alexander,
>
>a few comments:
>
>1.)
>
>there are some PEP8 violations in the patch. Not all of them need to
>be fixed, though (line overhangs < 5 characters are OK by me).
>
>"""
>./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
>./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
>./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
>./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
>./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
>./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>./ipaserver/plugins/trust.py:490:9: E128 continuation line under-indented for visual indent
>./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 characters)
>./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
>./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 characters)
>./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 characters)
>./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
>./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1
>./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1
>"""

I've fixed the trust.py part; the dcerpc.py fixes in 0201 should be enough now -- breaking the following line is not giving any reasonable benefit:

res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string)

>2.)
>
>Should the ipaNTAdditionalSuffixes attribute be case insensitive? It
>makes sense but I'm just asking so that we don't end up changing the
>schema later.

ipaNTAdditionalSuffixes is defined as

attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

There should be no problem with case sensitivity already.

>3.)
>
>"""
> def post_callback(self, ldap, entries, truncated, *args, **options):
> if options.get('pkey_only', False):
> return truncated
> trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
> trust_entry = ldap.get_entry(trust_dn)
>+ blacklist = trust_entry.get('ipantsidblacklistincoming')
> for entry in entries:
>- sid = entry['ipanttrusteddomainsid'][0]
>-
>- blacklist = trust_entry.get('ipantsidblacklistincoming')
>- if blacklist is None:
>+ sid = entry.get('ipanttrusteddomainsid', [None])[0]
>+ if sid is None:
> continue
>
> if sid in blacklist:
> entry['domain_enabled'] = [False]
> else:
> entry['domain_enabled'] = [True]
> return truncated
>"""
>
>Again, you can use `entry.single_value.get('ipanttrusteddomainsid',
>None)` to test/get the attribute value

done.

>
>4.)
>
>
>"""
> def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
>domains, **options):
> result = []
> if not domains:
> return result
>
> trust_name = trust_entry['cn'][0]
> # trust range must exist by the time add_new_domains_from_trust
>is called
> range_name = trust_name.upper() + '_id_range'
> old_range = myapi.Command.idrange_show(range_name, raw=True)['result']
> idrange_type = old_range['iparangetype'][0]
>
>- for dom in domains:
>+ suffixes = list()
>+ suffixes.extend(y['cn'] for x,y in
>domains['suffixes'].iteritems() if x not in domains['domains'])
>+
>+ for dom in domains['domains'].itervalues():
> dom['trust_type'] = u'ad'
>
>"""
>
>iterkeys/itervalues are not Python 3 compatible, please use
>`keys()/values()` and do not worry about performance implications in
>Python 2.

I switched to six.iteritems().

>
>5.)
>
>"""
> result.append(res['result'])
>
>- if idrange_type != u'ipa-ad-trust-posix':
>+ if idrange_type != u'ipa-ad-trust-posix' and
>dom.get('ipanttrusteddomainsid', False):
> range_name = name.upper() + '_id_range'
>
>"""
>
>Just a nitpick, I am confused by the 'False' default when getting the
>value of 'ipanttrusteddomainsid' (which is a string I presume).
>You
>could put an empty string/list there since empty sequences evaluate to
>False.

The attribute may not be in the object so I need to have something to evaluate there. I don't want to have an empty string there as a poor man's indicator of a missing attribute, though. False here represents better what is expected for an error case.

>
>6.)
>
>"""
> pass
>+
>+ try:
>+ dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad')
>+ ldap = myapi.Backend.ldap2
>+ entry = ldap.get_entry(dn)
>+ tlns = list(entry.get('ipantadditionalsuffixes', []))
>+ tlns.extend(x for x in suffixes if x not in tlns)
>+ entry['ipantadditionalsuffixes'] = tlns
>+ ldap.update_entry(entry)
>+ except errors.EmptyModlist:
>+ pass
>+
>
>"""
>
>On this line:
>
>"""
>+ tlns = list(entry.get('ipantadditionalsuffixes', []))
>"""
>
>is the additional conversion to list really needed? IIRC for
>multivalued attributes you get a list by default.

Fixed

>
>7.)
>
>"""
> dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad')
> try:
> entry = ldap.get_entry(dn)
>- sid = entry['ipanttrusteddomainsid'][0]
>+ sid = entry.get('ipanttrusteddomainsid', [None])[0]
>
>"""
>
>the same as in point 3.)

Fixed.

--
/ Alexander Bokovoy
-------------- next part --------------
From d7372faeac414add7bbf462451b91cbc5b13708f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 6 Jun 2016 11:41:46 +0300
Subject: [PATCH 2/6] adtrust: support UPNs for trusted domain users

Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354
---
 ACI.txt                                           |  2 +-
 daemons/ipa-kdb/ipa_kdb_mspac.c                   | 60 +++++++++++++++----
 daemons/ipa-kdb/ipa_kdb_mspac_private.h           |  1 +
 .../ipa-extdom-extop/ipa_extdom_common.c          |  9 ++-
 install/oddjob/com.redhat.idm.trust-fetch-domains | 29 +--------
 install/share/60basev3.ldif                       |  3 +-
 ipaserver/dcerpc.py                               | 37 ++++++++----
 ipaserver/plugins/trust.py                        | 69 ++++++++++++++------
 8 files changed, 139 insertions(+), 71 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index a09495e..6f691f2 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -309,7 +309,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index d54ca71..80e7055 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
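Review bot: ACI.txt is the generated record of the managed permissions, so adding `ipantadditionalsuffixes` to "System: Read Trust Information" in this hunk only sticks if the permission's attribute list in the trust plugin is extended in the same commit; otherwise the next regeneration drops it again and readers of the trust entries (including the KDB driver that now fetches `ipaNTAdditionalSuffixes`) lose access to the attribute. The diffstat lists ipaserver/plugins/trust.py, but that hunk is not in view, so please confirm it carries the matching change.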
@@ -2273,7 +2273,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) { - int i; + int i, j; if (!*mspac) return; @@ -2290,6 +2290,12 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) free((*mspac)->trusts[i].sid_blacklist_outgoing); free((*mspac)->trusts[i].parent_name); (*mspac)->trusts[i].parent = NULL; + if ((*mspac)->trusts[i].upn_suffixes) { + for (j = 0; (*mspac)->trusts[i].upn_suffixes[j]; j++) { + free((*mspac)->trusts[i].upn_suffixes[j]); + } + free((*mspac)->trusts[i].upn_suffixes); + } } free((*mspac)->trusts); } @@ -2405,7 +2411,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) LDAP *lc = ipactx->lcontext; char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", - "ipaNTSIDBlacklistOutgoing", NULL }; + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; char *filter = "(objectclass=ipaNTTrustedDomain)"; krb5_error_code kerr; LDAPMessage *res = NULL; 
@@ -2462,26 +2468,42 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) goto done; } + t[n].flat_name = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTFlatName", &t[n].flat_name); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } + t[n].domain_sid = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTTrustedDomainSID", &t[n].domain_sid); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } ret = string_to_sid(t[n].domain_sid, &t[n].domsid); - if (ret) { + if (ret && t[n].domain_sid != NULL) { ret = EINVAL; goto done; } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTAdditionalSuffixes", + &t[n].upn_suffixes); + + if (ret) { + if (ret == ENOENT) { + /* This attribute is optional */ + ret = 0; + t[n].upn_suffixes = NULL; + } else { + ret = EINVAL; + goto done; + } + } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming", &sid_blacklist_incoming); @@ -2808,6 +2830,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, struct ipadb_context *ipactx; int i, j, length; const char *name; + bool result = false; if (test_realm == NULL || test_realm[0] == '\0') { return KRB5_KDB_NOENTRY; 
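Review bot: in the `ipadb_mspac_get_trusted_domains` hunk, `string_to_sid(t[n].domain_sid, &t[n].domsid)` is still called when `ipaNTTrustedDomainSID` was absent (the ENOENT path leaves `t[n].domain_sid` NULL); the new `if (ret && t[n].domain_sid != NULL)` only ignores the failure afterwards, it does not prevent a NULL string from being handed to the parser. Guard the call with `if (t[n].domain_sid != NULL)` instead, and consider whether a trust entry without a SID should be loaded at all, since every SID-based decision downstream (PAC filtering, blacklists) cannot work for it. Minor: after `ret && ret != ENOENT` the ENOENT value is left in `ret` and is only cleared because the next call overwrites it; set `ret = 0` explicitly as the `ipaNTAdditionalSuffixes` branch already does.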
@@ -2829,12 +2852,27 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, /* Iterate through list of trusts and check if input realm belongs to any of the trust */ for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - if ((strncasecmp(test_realm, - ipactx->mspac->trusts[i].domain_name, - size) == 0) || - (strncasecmp(test_realm, - ipactx->mspac->trusts[i].flat_name, - size) == 0)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].domain_name, + size) == 0; + + if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].flat_name, + size) == 0; + } + + if (!result && (ipactx->mspac->trusts[i].upn_suffixes != NULL)) { + for (j = 0; ipactx->mspac->trusts[i].upn_suffixes[j]; j++) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].upn_suffixes[j], + size) == 0; + if (result) + break; + } + } + + if (result) { /* return the realm if caller supplied a place for it */ if (trusted_realm != NULL) { name = (ipactx->mspac->trusts[i].parent_name != NULL) ? diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h index 1052bb8..30382d2 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h @@ -47,6 +47,7 @@ struct ipadb_adtrusts { int len_sid_blacklist_outgoing; struct ipadb_adtrusts *parent; char *parent_name; + char **upn_suffixes; }; int string_to_sid(const char *str, struct dom_sid *sid); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 445624f..823c05c 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
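Review bot: in `ipadb_is_princ_from_trusted_realm` the new UPN-suffix loop compares with `strncasecmp(test_realm, upn_suffixes[j], size)`, the same bounded compare the domain and flat-name checks use. If `size` is the length of `test_realm` (its definition is outside the hunk), a suffix that merely begins with the realm compares equal (a hypothetical realm `EXAMPLE` would match suffix `EXAMPLE.COM`), so a principal could be attributed to the wrong trust; compare full strings, or additionally require `upn_suffixes[j][size] == '\0'`. In the `ipa_kdb_mspac_private.h` hunk, `char **upn_suffixes;` deserves a comment that it is a NULL-terminated array, since both the free loop and this loop stop on a NULL element.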
@@ -1011,8 +1011,13 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, char *buf = NULL; struct sss_nss_kv *kv_list = NULL; - ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, - domain_name); + if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { + ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, + domain_name); + } else { + /* SSSD_DOMAIN_SEPARATOR already present, assume UPN */ + ret = asprintf(&fq_name, "%s", name); + } if (ret == -1) { ret = LDAP_OPERATIONS_ERROR; set_err_msg(req, "Failed to create fully qualified name"); diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index ea00f30..4d0d466 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
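Review bot: in the `handle_name_request` hunk a name that already contains `SSSD_DOMAIN_SEPARATOR` is passed to SSSD unchanged and the `domain_name` supplied with the request is silently ignored. The name is client-supplied, so the client now picks the domain part itself; the comment should say that the requested domain is not authoritative in this case, and it is worth checking that SSSD resolves such a UPN only against the trust the request was made for rather than any configured domain. Minor: `asprintf(&fq_name, "%s", name)` is a roundabout `strdup(name)`.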
@@ -170,33 +170,8 @@ except gssapi.exceptions.GSSError: ipa_domain = api.env.domain os.environ['KRB5CCNAME'] = oneway_ccache_name domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) - -if domains: - # trust range must exist by the time fetch_domains_from_trust is called - range_name = unicode(trusted_domain.upper() + '_id_range') - old_range = api.Command.idrange_show(range_name, raw=True)['result'] - idrange_type = old_range['iparangetype'][0] - - result = [] - for dom in domains: - dom['trust_type'] = u'ad' - try: - name = dom['cn'] - del dom['cn'] - - res = api.Command.trustdomain_add(trusted_domain, name, **dom) - result.append(res['result']) - - if idrange_type != u'ipa-ad-trust-posix': - range_name = name.upper() + '_id_range' - dom['range_type'] = u'ipa-ad-trust' - # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range - # to force it using existing credentials cache - trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'], - trusted_domain, name, **dom) - except errors.DuplicateEntry: - # Ignore updating duplicate entries - pass +trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result'] +trust.add_new_domains_from_trust(api, None, trust_domain_object, domains) if old_ccache: os.environ['KRB5CCNAME'] = old_ccache diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5ebe335..059174b 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
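Review bot: the removed loop in the oddjob helper wrapped `trustdomain_add` and `trust.add_range` in `except errors.DuplicateEntry`, so re-fetching domains of an existing trust was harmless; the replacement delegates everything to `trust.add_new_domains_from_trust`, and nothing in this hunk shows that the callee keeps that handling. Please confirm, otherwise the second run of this helper fails. The `if domains:` guard is also gone, so `api.Command.trust_show(trusted_domain, raw=True)` is now issued even when `fetch_domains` returned nothing; that is fine only if the callee's early return on an empty result is relied upon deliberately, in which case a one-line comment would help.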
@@ -56,6 +56,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782 
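Review bot: the new `ipaNTAdditionalSuffixes` attributeType in the 60basev3.ldif hunk lacks the `X-ORIGIN` marker that every neighbouring definition carries, and its DESC ('Suffix for the user principal name associated with the domain') is singular although the attribute is multi-valued (no SINGLE-VALUE, and the trust plugin stores a list in it). Add an X-ORIGIN for the release this lands in and reword DESC along the lines of 'UPN suffixes associated with the trusted domain'.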
@@ -64,7 +65,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUC objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) ) +objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing $ ipaNTAdditionalSuffixes) ) objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP 
ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3') diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 5f56643..297987c 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1197,7 +1197,10 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): def communicate(td): td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) - domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) + # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call + # but it doesn't provide information about non-domain UPNs associated + # with the forest, thus we have to use netr_DsRGetForestTrustInformation + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0) return domains domains = None @@ -1225,6 +1228,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): raise assess_dcerpc_exception(message=str(e)) td.info['dc'] = unicode(result.pdc_dns_name) + td.info['name'] = unicode(result.dns_domain) if type(creds) is bool: # Rely on existing Kerberos credentials in the environment td.creds = credentials.Credentials() 
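Review bot: `td.info['name'] = unicode(result.dns_domain)` is added in the second dcerpc.py hunk but nothing else in this patch reads td.info['name']; if a follow-up patch needs it, say so in the commit message, otherwise drop it. In the first hunk the new `netr_DsRGetForestTrustInformation(td.info['dc'], '', 0)` call passes a literal empty trusted-domain name and flags of 0; the comment explains why the RPC was swapped but not what those two arguments select, and a one-line note there would spare the next reader a trip to MS-NRPC.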
@@ -1254,16 +1258,29 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): if domains is None: return None - result = [] - for t in domains.array: - if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and - (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): + result = {'domains': {}, 'suffixes' : {}} + # netr_DsRGetForestTrustInformation returns two types of entries: + # domain information -- name, NetBIOS name, SID of the domain + # top level name info -- a name suffix associated with the forest + # We should ignore forest root name/name suffix as it is already part + # of trust information for IPA purposes and only add what's inside the forest + for t in domains.entries: + if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO: + tname = unicode(t.forest_trust_data.dns_domain_name.string) + if tname == trustdomain: + continue res = dict() - res['cn'] = unicode(t.dns_name) - res['ipantflatname'] = unicode(t.netbios_name) - res['ipanttrusteddomainsid'] = unicode(t.sid) - res['ipanttrustpartner'] = res['cn'] - result.append(res) + res['cn'] = tname + res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string) + res['ipanttrusteddomainsid'] = unicode(t.forest_trust_data.domain_sid) + result['domains'][tname] = res + elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: + tname = unicode(t.forest_trust_data.string) + if tname == trustdomain: + continue + res = dict() + res['cn'] = tname + result['suffixes'][tname] = res return result diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 744be93..0f1bb00 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
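Review bot: in the fetch_domains hunk above, `if tname == trustdomain: continue` compares DNS names case-sensitively, while the name returned by the DC and the trust name stored in IPA can legitimately differ in case (DNS and AD realm names are case-insensitive), so the forest root could slip through and be added as a child domain; compare lower-cased values instead. Also, the function now returns `{'domains': {}, 'suffixes': {}}` rather than an empty list when the forest has no children and no extra suffixes; that dict is truthy, so the `if not domains:` guard in add_new_domains_from_trust (trust.py hunk below) no longer short-circuits and the ID-range lookup runs for nothing. Either return None here when both sub-dicts are empty or test the sub-dicts at the call site.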
@@ -487,11 +487,16 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', - 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', - 'ipanttrustpartner', 'ipanttrustforesttrustinfo', - 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] + 'ipanttrusttype', 'ipanttrustattributes', + 'ipanttrustdirection', 'ipanttrustpartner', + 'ipanttrustforesttrustinfo', + 'ipanttrustposixoffset', + 'ipantsupportedencryptiontypes', + 'ipantadditionalsuffixes'] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype'] + 'ipanttrusteddomainsid', 'ipanttrusttype', + 'ipanttrustattributes', + 'ipantadditionalsuffixes'] managed_permissions = { 'System: Read Trust Information': { # Allow reading of attributes needed for SSSD subdomains support @@ -505,7 +510,7 @@ class trust(LDAPObject): 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', - 'ipanttrustdirection' + 'ipanttrustdirection', 'ipantadditionalsuffixes', }, }, @@ -1457,8 +1462,11 @@ class trustdomain(LDAPObject): object_name = _('trust domain') object_name_plural = _('trust domains') object_class = ['ipaNTTrustedDomain'] - default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrustpartner'] - search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', ] + default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', + 'ipanttrustpartner', 'ipantadditionalsuffixes'] + search_display_attributes = ['cn', 'ipantflatname', + 'ipanttrusteddomainsid', + 'ipantadditionalsuffixes'] label = _('Trusted domains') label_singular = _('Trusted domain') 
@@ -1500,9 +1508,10 @@ class trustdomain(LDAPObject): class trustdomain_find(LDAPSearch): __doc__ = _('Search domains of the trust') - has_output_params = LDAPSearch.has_output_params + ( + has_output_params = LDAPSearch.has_output_params + trust_output_params + ( Flag('domain_enabled', label= _('Domain enabled')), ) + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): return (filters, base_dn, ldap.SCOPE_SUBTREE) @@ -1511,11 +1520,10 @@ class trustdomain_find(LDAPSearch): return truncated trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') trust_entry = ldap.get_entry(trust_dn) + blacklist = trust_entry.get('ipantsidblacklistincoming') for entry in entries: - sid = entry['ipanttrusteddomainsid'][0] - - blacklist = trust_entry.get('ipantsidblacklistincoming') - if blacklist is None: + sid = entry.get('ipanttrusteddomainsid', [None])[0] + if sid is None: continue if sid in blacklist: @@ -1540,10 +1548,12 @@ class trustdomain_add(LDAPCreate): takes_options = LDAPCreate.takes_options + (_trust_type_option,) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if 'ipanttrustpartner' in options: - entry_attrs['ipanttrustpartner'] = [options['ipanttrustpartner']] + # ipaNTTrustPartner must always be set to the name of the trusted domain + # See MS-ADTS 6.1.6.7.13 + entry_attrs['ipanttrustpartner'] = [dn[0]['cn']] return dn + @register() class trustdomain_del(LDAPDelete): __doc__ = _('Remove infromation about the domain associated with the trust.') @@ -1586,9 +1596,11 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, - trust_name, creds=creds, server=server) + trust_name, creds=creds, + server=server) return domains + def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: 
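Review bot: the trustdomain_find post_callback hunk drops the `if blacklist is None: continue` guard when hoisting `blacklist = trust_entry.get('ipantsidblacklistincoming')` out of the loop, so a trust entry without that attribute now reaches `if sid in blacklist:` with blacklist = None and raises TypeError instead of skipping the entries; use `trust_entry.get('ipantsidblacklistincoming', [])` or keep the None check before the loop. For consistency with the trustdomain_enable hunk below, `entry.single_value.get('ipanttrusteddomainsid', None)` reads better than `entry.get('ipanttrusteddomainsid', [None])[0]`.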
@@ -1600,7 +1612,12 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] - for dom in domains: + suffixes = list() + suffixes.extend(y['cn'] + for x, y in six.iteritems(domains['suffixes']) + if x not in domains['domains']) + + for dom in six.itervalues(domains['domains']): dom['trust_type'] = u'ad' try: name = dom['cn'] @@ -1616,13 +1633,27 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(myapi, trustinstance, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, trustinstance, + range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries pass + + try: + dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad') + ldap = myapi.Backend.ldap2 + entry = ldap.get_entry(dn) + tlns = entry.get('ipantadditionalsuffixes', []) + tlns.extend(x for x in suffixes if x not in tlns) + entry['ipantadditionalsuffixes'] = tlns + ldap.update_entry(entry) + except errors.EmptyModlist: + pass + return result + @register() class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') @@ -1698,7 +1729,7 @@ class trustdomain_enable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if sid in trust_entry['ipantsidblacklistincoming']: trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) 
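Review bot: the suffix merge in the second add_new_domains_from_trust hunk (`tlns.extend(x for x in suffixes if x not in tlns)`) deduplicates with a case-sensitive `in`, but ipaNTAdditionalSuffixes is defined with EQUALITY caseIgnoreMatch in the schema hunk above, so a suffix that differs from a stored value only in case is appended again and the directory server may reject the modify as a duplicate value; normalise (compare lower-cased) before extending. `except errors.EmptyModlist: pass` covers the no-change case, but `ldap.get_entry(dn)` can also raise errors.NotFound; if the trust entry is guaranteed to exist at this point, a comment saying why would help.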
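Review bot: `sid = entry.single_value.get('ipanttrusteddomainsid', None)` in the trustdomain_enable hunk can now yield None, and the code continues straight into `if sid in trust_entry['ipantsidblacklistincoming']`; that is harmless here (None is never in the list), but the mirror change in the trustdomain_disable hunk that follows uses `if not (sid in ...)` and then `append(sid)`, which would write a None value into ipaNTSIDBlacklistIncoming for a domain entry lacking a SID. Both hunks should bail out (raise errors.NotFound or return early) when sid is None before touching the blacklist.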
@@ -1739,7 +1770,7 @@ class trustdomain_disable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if not (sid in trust_entry['ipantsidblacklistincoming']): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) -- 2.7.4

From abokovoy at redhat.com Tue Jun 7 16:40:46 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 19:40:46 +0300
Subject: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter
Message-ID: <20160607164046.kgntyvj54bvubrce@redhat.com>

Hi,

`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning
a POSIX ID to the object. This POSIX ID is used by Samba when an
Active Directory domain controller connects as forest trusted domain
object. Child domains can only talk to IPA via forest root domain,
thus they don't need POSIX ID for their TDOs.

This allows us a way to differentiate objects for the purpose of
'trust-find' / 'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 672f62bfe736d28ac1cbd4535f3a841ff9abd52e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 7 Jun 2016 18:54:36 +0300
Subject: [PATCH 6/6] adtrust: optimize forest root LDAP filter

`ipa trust-find' command should only show trusted forest root domains
The child domains should be visible via ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning
a POSIX ID to the object. This POSIX ID is used by Samba when an
Active Directory domain controller connects as forest trusted domain
object. Child domains can only talk to IPA via forest root domain,
thus they don't need POSIX ID for their TDOs.

This allows us a way to differentiate objects for the purpose of
'trust-find' / 'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942
---
 ipaserver/plugins/trust.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index f9b48f3..0f4f71a 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -485,7 +485,7 @@ class trust(LDAPObject): container_dn = api.env.container_trusts object_name = _('trust') object_name_plural = _('trusts') - object_class = ['ipaNTTrustedDomain'] + object_class = ['ipaNTTrustedDomain', 'ipaIDObject'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner', @@ -577,7 +577,7 @@ class trust(LDAPObject): if trust_type is None: ldap = self.backend trustfilter = ldap.make_filter({ - 'objectclass': ['ipaNTTrustedDomain'], + 'objectclass': ['ipaNTTrustedDomain', 'ipaIDObject'], 'cn': [keys[-1]]}, rules=ldap.MATCH_ALL ) 
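Review bot: adding 'ipaIDObject' to trust.object_class changes more than the get_dn filter in the second hunk: if, as elsewhere in the plugin framework, LDAPCreate writes object_class onto new entries and LDAPSearch derives its base filter from it, then with rules=ldap.MATCH_ALL any existing trust entry that lacks ipaIDObject is no longer found by trust-show/trust-find at all. The commit message says root TDOs already get this class; confirm that holds for trusts created by older releases (or add an update plugin that adds the class), and mention in the message that the trust_find hunk that follows also drops the (ipaNTTrustPartner=*) condition the old hand-written filter required.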
@@ -1074,9 +1074,7 @@ class trust_find(LDAPSearch): # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): # list only trust, not trust domains - trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))' - filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) - return (filter, base_dn, ldap.SCOPE_SUBTREE) + return (filters, base_dn, ldap.SCOPE_SUBTREE) def execute(self, *args, **options): result = super(trust_find, self).execute(*args, **options) -- 2.7.4 From abokovoy at redhat.com Tue Jun 7 16:51:42 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 19:51:42 +0300
Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain
In-Reply-To: <60512d46-d5db-e84e-e564-b4d87279e105@redhat.com>
References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> <20160607160018.fusf4llmh6gqgu3c@redhat.com> <60512d46-d5db-e84e-e564-b4d87279e105@redhat.com>
Message-ID: <20160607165142.nydefubtkr2qoyu5@redhat.com>

On Tue, 07 Jun 2016, Martin Babinsky wrote:
>Again, we only require contributors to follow PEP8 when adding new
>code/directly touching old one. Please note that there are more
>serious transgressions than a couple of long lines that should
>_definitely_ be fixed (indentation errors, whitespace around operators
>etc.).
>
>We as contributors to the project _all_ have to conform to the style
>guide[1] to at least keep some uniform style in the codebase we touch.
>I fail to see why your contributions should be exempt from the rules
>we all strive to adhere to.
Sure we do. It is futile to shuffle dcerpc.py into pep8 style, though.
Look into an example I provided to mbasti, for example:

    res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string)

This line is 90+ characters long and there are not that many methods to
split it without making things ugly. I'm not against formatting changes
but they should be taken in the context of the code.

>(also you can sandwich # pylint: disable/ # pylint: enable directives
>around the offending long line to keep pep8 satisfied, just saying)
>
>[1] http://www.freeipa.org/page/Python_Coding_Style
>
>>>
>>>2.)
>>>
>>>I have difficulty understanding the following code:
>>>
>>>"""
>>>+        self.__allow_behavior = 0
>>>
>>>         domain_validator = DomainValidator(api)
>>>         self.configured = domain_validator.is_configured()
>>>
>>>         if self.configured:
>>>             self.local_flatname = domain_validator.flatname
>>>             self.local_dn = domain_validator.dn
>>>             self.__populate_local_domain()
>>>
>>>+    def allow_behavior(self, behavior_set):
>>>+        if type(behavior_set) is int:
>>>+            behavior_set = [behavior_set]
>>>+        if TRUST_JOIN_EXTERNAL in behavior_set:
>>>+            self.__allow_behavior |= TRUST_JOIN_EXTERNAL
>>>+
>>>"""
>>>I assume this is made like this to accommodate setting some other
>>>behavior flags which can pop up in the future (otherwise a simple
>>>Boolean to indicate external trust should be enough), in that case I
>>>would propose to rewrite it in this form and document it:
>>>
>>>
>>>"""
>>>def allow_behavior(self, *flags):
>>>    """
>>>    Set the expected trust join behavior
>>>    :param flags: trust flags to set
>>>    """
>>>    for flag in flags:
>>>        self.__allow_behavior |= flag
>>>"""
>>>
>>>Also, I am not a big fan of doubly underscored methods/variables since
>>>they do not 'hide' anything (Python's name mangling can be bypassed
>>>with ease anyway). If you want to indicate that the 'allow_behavior'
>>>attribute belongs to the internal implementation of the class prefix
>>>it with single underscore.
>>You cannot have a property and a method named the same in the same
>>class. I changed the code to follow your other suggestion. I kept the
>>__allow_behavior as it is, though, because there is no difference
>>between __ and _ semantically to a person who would be reading the code
>>in question but I keep __ memorized. ;)
>>
>
>Fair enough, although you could have more meaningful method and
>attribute names, like `self.__behavior_flags` and `def
>set_behavior_flags()`.
Nah, this is not worth it, really.

>>Updated patch is attached.
>>
>
>Also when sending revised patches please try to conform to the common
>patch naming convention:
>http://www.freeipa.org/page/Contribute/Patch_Format#Naming
>
>Surprisingly I have found out that my own patches actually do not
>follow it. Shame on me!
Frankly speaking, this particular part -- revision number after the
patch number versus at the end of the patch file name -- always created
issues for me. You can tell git to use a specific suffix (.1.patch, for
example) to avoid doing full renames with the latter rather than
shoehorning the number into the middle.

-- 
/ Alexander Bokovoy

From pvomacka at redhat.com Tue Jun 7 17:01:15 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 7 Jun 2016 19:01:15 +0200
Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2
In-Reply-To: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com>
References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com>
Message-ID:

On 06/07/2016 12:07 PM, Martin Babinsky wrote:
> On 06/03/2016 05:25 PM, Martin Babinsky wrote:
>> I am sending rebased patches implementing
>> http://www.freeipa.org/page/V4/Server_Roles
>>
>> I hope the patches work since I have had a lot of fun rebasing them on
>> top of thin client and DNS locations effort.
>>
>> https://fedorahosted.org/freeipa/ticket/5181
>>
>>
>>
>
> Sending updated patches according to Jan's interactive review.
>
> Since the name of attributes returned by API commands and signature of
> `server-role-find` have changed, a small update in WebUI patches is
> required.
>
>
>
NACK, why did you remove sizelimit from the server_role_find command? Is
it possible to return it back? It breaks WebUI.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbabinsk at redhat.com Tue Jun 7 17:22:45 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 7 Jun 2016 19:22:45 +0200
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To: <20160607163807.4fc5gaim7wqqqepl@redhat.com>
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com>
Message-ID:

On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> Add support for additional user name principal suffixes from
>>> trusted Active Directory forests. UPN suffixes are property
>>> of the forest and as such are associated with the forest root
>>> domain.
>>>
>>> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>> attribute of ipaNTTrustedDomain object class.
>>>
>>> In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>>
>>> For more details on UPN and naming in Active Directory see
>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>
>>> https://fedorahosted.org/freeipa/ticket/5354
>>>
>>>
>>>
>>
>> Hi Alexander,
>>
>> a few comments:
>>
>> 1.)
>>
>> there are some PEP8 violations in the patch. Not all of them need to
>> be fixed, though (line overhangs < 5 characters are OK by me).
>>
>> """
>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line
>> under-indented for visual indent
>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79
>> characters)
>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79
>> characters)
>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79
>> characters)
>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1
>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1
>> """
> I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough
> now -- breaking following line is not giving any reasonable benefit:
>
>     res['ipantflatname'] =
> unicode(t.forest_trust_data.netbios_domain_name.string)
>
Looking at the code, it would be IMHO more readable to directly append
dict literals to the result like so:

"""
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain,
creds=None, server=None):
             tname = unicode(t.forest_trust_data.dns_domain_name.string)
             if tname == trustdomain:
                 continue
-            res = dict()
-            res['cn'] = tname
-            res['ipantflatname'] =
unicode(t.forest_trust_data.netbios_domain_name.string)
-            res['ipanttrusteddomainsid'] =
unicode(t.forest_trust_data.domain_sid)
-            result['domains'][tname] = res
+
+            result['domains'][tname] = {
+                'cn': tname,
+                'ipantflatname': unicode(
+                    t.forest_trust_data.netbios_domain_name.string),
+                'ipanttrusteddomainsid': unicode(
+                    t.forest_trust_data.domain_sid)
+            }
         elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME:
             tname = unicode(t.forest_trust_data.string)
             if tname == trustdomain:
                 continue
-            res = dict()
-            res['cn'] = tname
-            result['suffixes'][tname] = res
+
+            result['suffixes'][tname] = {'cn': tname}
     return result
"""

Also there is a whitespace before colon here:
"""
+    result = {'domains': {}, 'suffixes' : {}}
                                        ^
"""
Please fix that and I will be a happy engineer.

>> 2.)
>>
>> Should the ipaNTAdditionalSuffixes attribute be case insensitive? It
>> makes sense but I'm just asking so that we don't end up changing the
>> schema later.
> ipaNTAdditionalSuffixes is defined as
>
> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME
> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name
> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15)
>
> There should be no problem with case sensitivity already.
>
OK I presume that the UPN suffixes on AD are also case-insensitive so
everything should be alright.

>> 3.)
>>
>> """
>> def post_callback(self, ldap, entries, truncated, *args, **options):
>>     if options.get('pkey_only', False):
>>         return truncated
>>     trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
>>     trust_entry = ldap.get_entry(trust_dn)
>> +   blacklist = trust_entry.get('ipantsidblacklistincoming')
>>     for entry in entries:
>> -       sid = entry['ipanttrusteddomainsid'][0]
>> -
>> -       blacklist = trust_entry.get('ipantsidblacklistincoming')
>> -       if blacklist is None:
>> +       sid = entry.get('ipanttrusteddomainsid', [None])[0]
>> +       if sid is None:
>>             continue
>>
>>         if sid in blacklist:
>>             entry['domain_enabled'] = [False]
>>         else:
>>             entry['domain_enabled'] = [True]
>>     return truncated
>> """
>>
>> Again, you can use `entry.single_value.get('ipanttrusteddomainsid',
>> None)` to test/get the attribute value
> done.
>
>>
>> 4.)
>>
>>
>> """
>> def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
>> domains, **options):
>>     result = []
>>     if not domains:
>>         return result
>>
>>     trust_name = trust_entry['cn'][0]
>>     # trust range must exist by the time add_new_domains_from_trust is
>> called
>>     range_name = trust_name.upper() + '_id_range'
>>     old_range = myapi.Command.idrange_show(range_name,
>> raw=True)['result']
>>     idrange_type = old_range['iparangetype'][0]
>>
>> -   for dom in domains:
>> +   suffixes = list()
>> +   suffixes.extend(y['cn'] for x,y in
>> domains['suffixes'].iteritems() if x not in domains['domains'])
>> +
>> +   for dom in domains['domains'].itervalues():
>>         dom['trust_type'] = u'ad'
>>
>> """
>>
>> iterkeys/itervalues are not Python 3 compatible, please use
>> `keys()/values()` and do not worry about performance implications in
>> Python 2.
> I switched to six.iteritems().
>
>>
>> 5.)
>>
>> """
>>             result.append(res['result'])
>>
>> -           if idrange_type != u'ipa-ad-trust-posix':
>> +           if idrange_type != u'ipa-ad-trust-posix' and
>> dom.get('ipanttrusteddomainsid', False):
>>                 range_name = name.upper() + '_id_range'
>>
>> """
>>
>> Just a nitpick, I am confused by the 'False' default when getting the
>> value of 'ipanttrusteddomainsid' (which is a string I presume). You
>> could put an empty string/list there since empty sequences evaluate to
>> False.
> the attribute may not be in the object so I need to have something to
> evaluate there. I don't want to have empty string there as a poor man's
> indicator of a missing attribute, though. False here represents better
> what is expected for an error case.
>
I usually use 'None' as default to `get()` in these cases.

>>
>> 6.)
>>
>> """
>>         pass
>> +
>> +   try:
>> +       dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad')
>> +       ldap = myapi.Backend.ldap2
>> +       entry = ldap.get_entry(dn)
>> +       tlns = list(entry.get('ipantadditionalsuffixes', []))
>> +       tlns.extend(x for x in suffixes if x not in tlns)
>> +       entry['ipantadditionalsuffixes'] = tlns
>> +       ldap.update_entry(entry)
>> +   except errors.EmptyModlist:
>> +       pass
>> +
>>
>> """
>>
>> On this line:
>>
>> """
>> +       tlns = list(entry.get('ipantadditionalsuffixes', []))
>> """
>>
>> is the additional conversion to list really needed? IIRC for
>> multivalued attributes you get a list by default.
> Fixed
>
>>
>> 7.)
>>
>> """
>>         dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad')
>>         try:
>>             entry = ldap.get_entry(dn)
>> -           sid = entry['ipanttrusteddomainsid'][0]
>> +           sid = entry.get('ipanttrusteddomainsid', [None])[0]
>>
>> """
>>
>> the same as in point 3.)
> Fixed.
>
-- 
Martin^3 Babinsky

From pvoborni at redhat.com Tue Jun 7 17:30:38 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 7 Jun 2016 19:30:38 +0200
Subject: [Freeipa-devel] [PATCH] 0034: webui: Authentication indicators
In-Reply-To: <36a81816-bd7f-c1b8-db99-ca315b0842a1@redhat.com>
References: <3e3162a1-8d3b-5acf-734c-9e33c173e615@redhat.com> <1463087612.2785.10.camel@redhat.com> <499355d3-a44e-f330-8bac-4959a04822d2@redhat.com> <1464363841.3425.10.camel@redhat.com> <292cee55-5ffc-02a2-377f-5752c18f91ce@redhat.com> <8b936a4a-36a6-ec43-0850-d93020fb5102@redhat.com> <9cb4cdbf-c6be-ddb3-0d2b-50aba3015637@redhat.com> <0e69071c-d082-568e-4678-f3bc3cb27059@redhat.com> <36a81816-bd7f-c1b8-db99-ca315b0842a1@redhat.com>
Message-ID: <39dab272-e4bb-2a83-8ddb-7dc03a74ea97@redhat.com>

On 06/06/2016 08:33 PM, Pavel Vomacka wrote:
>
>
> On 06/06/2016 07:03 PM, Petr Vobornik wrote:
>> On 06/06/2016 12:27 PM, Pavel Vomacka wrote:
>>>
>>> On 06/02/2016 06:22 PM, Petr Vobornik wrote:
>>>> On 06/01/2016 10:41 AM, Pavel Vomacka wrote:
>>>>> On 05/27/2016 05:58 PM, Pavel Vomacka wrote:
>>>>>> On 05/27/2016 05:44 PM, Nathaniel McCallum wrote:
>>>>>>> On Fri, 2016-05-27 at 17:43 +0200, Pavel Vomacka wrote:
>>>>>>>> On 05/12/2016 11:13 PM, Nathaniel McCallum wrote:
>>>>>>>>> On Wed, 2016-05-11 at 13:08 +0200, Pavel Vomacka wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the patch adds webui part for authentication indicators.
>>>>>>>>>>
>>>>>>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5872
>>>>>>>>> The otp option displays as: OTP.
>>>>>>>>> The radius option displays as: Radius.
>>>>>>>>>
>>>>>>>>> However, both are acronyms. The capitalization should be
>>>>>>>>> consistent.
>>>>>>>> I'm sorry for late answer. They are displayed this way: 'OTP' and
>>>>>>>> 'Radius'. So it should not require any change.
>>>>>>> That is incorrect. It should be: OTP and RADIUS.
>>>>>> I'm sorry, I didn't understand correctly. Fixed patch attached.
>>>>>>
>>>>>>
>>>>>>
>>>>> The last patch changes the 'Radius' to 'RADIUS' in whole WebUI.
>>>>>
>>>> After some thought, we should really support the arbitrary values
>>>> also in
>>>> Web UI.
>>>>
>>>> I'd reuse aci.attributes_widget - move the widget elsewhere, make it a
>>>> general widget and a base class for the original aci.attributes_widget.
>>>>
>>>> The only difference should be populate method and some strings.
>>>>
>>>> The base widget can populate from options - same as normal checkboxes
>>>> widget so that service page doesn't need to inherit from the base
>>>> class.
>>>>
>>> Ok, thank you for advice. The edited patch is attached.
>>
>> 1. The new base class should have different name, e.g.
>> custom_checkboxes_widget . It is not related to (aci) attributes.
>>
>> Then it can be registered as such widget and the attributes widget can
>> be registered in ACI plugin. It would then also remove the ugly usage of
>> both $type and $factory.
> Fixed.
>>
>> 2. Why not implement empty placeholder populate function in the base
>> class? Then
>>     if (that.populate && typeof that.populate === 'function')
>>         that.populate();
>>
>> could be changed into:
>>     that.populate();
>>
>> Child class should simply override.
> I just did not like an empty method there. But it's true that it is more
> readable with empty method and the method is documented.
>>
>> 3. If I add a custom indicator to one server and then switch to another.
>> It will offer the custom option as well, but unchecked. The added
>> options are not cleared on page reset. I'm not sure if it should be
>> called a feature or a bug. It is a remnant of the original implementation.
> From my point of view it is a feature. I.e. When I add custom
> authentication indicator to one service there is a big chance that I
> would like to add it to another one. And in this case the custom auth.
> ind. is already present.
>
> Fixed patch attached.
>
> --
> Pavel^3 Vomacka

I've fixed trailing whitespace error on line: "* Additional options "
And also a typo ("custom_checkobox_widget") in commit message is fixed.
ACK

master:
* afededacb92ce1903885b265c7adca87b634c21a Auth Indicators WebUI part

-- 
Petr Vobornik

From abokovoy at redhat.com Tue Jun 7 17:35:11 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 20:35:11 +0300
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To:
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com>
Message-ID: <20160607173511.6o3a4ovu3vpcqneq@redhat.com>

On Tue, 07 Jun 2016, Martin Babinsky wrote:
>On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
>>On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>>>Hi,
>>>>
>>>>Add support for additional user name principal suffixes from
>>>>trusted Active Directory forests. UPN suffixes are property
>>>>of the forest and as such are associated with the forest root
>>>>domain.
>>>>
>>>>FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>>>attribute of ipaNTTrustedDomain object class.
>>>>
>>>>In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>>>LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>>>
>>>>For more details on UPN and naming in Active Directory see
>>>>https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>>
>>>>https://fedorahosted.org/freeipa/ticket/5354
>>>>
>>>>
>>>>
>>>
>>>Hi Alexander,
>>>
>>>a few comments:
>>>
>>>1.)
>>>
>>>there are some PEP8 violations in the patch. Not all of them need to
>>>be fixed, though (line overhangs < 5 characters are OK by me).
>>>
>>>"""
>>>./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
>>>./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
>>>./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
>>>./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
>>>./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
>>>./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>>>./ipaserver/plugins/trust.py:490:9: E128 continuation line
>>>under-indented for visual indent
>>>./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79
>>>characters)
>>>./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
>>>./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79
>>>characters)
>>>./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79
>>>characters)
>>>./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
>>>./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1
>>>./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1
>>>"""
>>I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough
>>now -- breaking following line is not giving any reasonable benefit:
>>
>>    res['ipantflatname'] =
>>unicode(t.forest_trust_data.netbios_domain_name.string)
>>
>
>Looking at the code, it would be IMHO more readable to directly append
>dict literals to the result like so:
>
>"""
>--- a/ipaserver/dcerpc.py
>+++ b/ipaserver/dcerpc.py
>@@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, >creds=None, server=None): > tname = unicode(t.forest_trust_data.dns_domain_name.string) > if tname == trustdomain: > continue >- res = dict() >- res['cn'] = tname >- res['ipantflatname'] = >unicode(t.forest_trust_data.netbios_domain_name.string) >- res['ipanttrusteddomainsid'] = >unicode(t.forest_trust_data.domain_sid) >- result['domains'][tname] = res >+ >+ result['domains'][tname] = { >+ 'cn': tname, >+ 'ipantflatname': unicode( >+ t.forest_trust_data.netbios_domain_name.string), >+ 'ipanttrusteddomainsid': unicode( >+ t.forest_trust_data.domain_sid) >+ } > elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: > tname = unicode(t.forest_trust_data.string) > if tname == trustdomain: > continue >- res = dict() >- res['cn'] = tname >- result['suffixes'][tname] = res >+ >+ result['suffixes'][tname] = {'cn': tname} > return result >""" Makes sense. Fixed. > >Also there is a whitespace before colon here: >""" >+ result = {'domains': {}, 'suffixes' : {}} > ^ >""" >Please fix that and I will be a happy engineer. Fixed. > >>>2.) >>> >>>Should the ipaNTAdditionalSuffixes attribute be case insensitive? It >>>makes sense but I'm just asking so that we don't end changing the >>>schema later. >>ipaNTAdditionalSuffixes is defined as >> >>attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>1.3.6.1.4.1.1466.115.121.1.15) >> >>There should be no problem with case sensitivity already. >> >OK I presume that the UPN suffixes on AD are also case-insensitive so >everything should be alright. Yes, as everything realm-related on AD side, they are case-insensitive. Updated patch attached. -- / Alexander Bokovoy -------------- next part -------------- From d12f4a85392bcef8f2280f4fbbae79ed6c66f42f Mon Sep 17 00:00:00 2001 
From: Alexander Bokovoy
Date: Mon, 6 Jun 2016 11:41:46 +0300
Subject: [PATCH 2/6] adtrust: support UPNs for trusted domain users

Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354
---
 ACI.txt                                            |  2 +-
 daemons/ipa-kdb/ipa_kdb_mspac.c                    | 60 +++++++++++++++----
 daemons/ipa-kdb/ipa_kdb_mspac_private.h            |  1 +
 .../ipa-extdom-extop/ipa_extdom_common.c           |  9 ++-
 install/oddjob/com.redhat.idm.trust-fetch-domains  | 29 +--------
 install/share/60basev3.ldif                        |  3 +-
 ipaserver/dcerpc.py                                | 40 +++++++++----
 ipaserver/plugins/trust.py                         | 69 ++++++++++++++++------
 8 files changed, 141 insertions(+), 72 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index a09495e..6f691f2 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -309,7 +309,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index d54ca71..80e7055 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -2273,7 +2273,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) { - int i; + int i, j; if (!*mspac) return; @@ -2290,6 +2290,12 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) free((*mspac)->trusts[i].sid_blacklist_outgoing); free((*mspac)->trusts[i].parent_name); (*mspac)->trusts[i].parent = NULL; + if ((*mspac)->trusts[i].upn_suffixes) { + for (j = 0; (*mspac)->trusts[i].upn_suffixes[j]; j++) { + free((*mspac)->trusts[i].upn_suffixes[j]); + } + free((*mspac)->trusts[i].upn_suffixes); + } } free((*mspac)->trusts); } @@ -2405,7 +2411,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) LDAP *lc = ipactx->lcontext; char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", - "ipaNTSIDBlacklistOutgoing", NULL }; + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; char *filter = "(objectclass=ipaNTTrustedDomain)"; krb5_error_code kerr; LDAPMessage *res = NULL; 
@@ -2462,26 +2468,42 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) goto done; } + t[n].flat_name = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTFlatName", &t[n].flat_name); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } + t[n].domain_sid = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTTrustedDomainSID", &t[n].domain_sid); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } ret = string_to_sid(t[n].domain_sid, &t[n].domsid); - if (ret) { + if (ret && t[n].domain_sid != NULL) { ret = EINVAL; goto done; } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTAdditionalSuffixes", + &t[n].upn_suffixes); + + if (ret) { + if (ret == ENOENT) { + /* This attribute is optional */ + ret = 0; + t[n].upn_suffixes = NULL; + } else { + ret = EINVAL; + goto done; + } + } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming", &sid_blacklist_incoming); @@ -2808,6 +2830,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, struct ipadb_context *ipactx; int i, j, length; const char *name; + bool result = false; if (test_realm == NULL || test_realm[0] == '\0') { return KRB5_KDB_NOENTRY; 
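Review bot: in the ipadb_mspac_get_trusted_domains hunk, string_to_sid() is now called even when ipaNTTrustedDomainSID was absent (t[n].domain_sid is NULL after the ENOENT case) and only its return value is discarded afterwards; unless string_to_sid() is known to accept a NULL string, guard the call instead of the result: `if (t[n].domain_sid != NULL) { ret = string_to_sid(t[n].domain_sid, &t[n].domsid); if (ret) { ret = EINVAL; goto done; } }`. Otherwise t[n].domsid is left holding whatever the allocation contained unless the trusts array is zero-initialised. A smaller point: after the ENOENT branches for ipaNTFlatName and ipaNTTrustedDomainSID, `ret` still holds ENOENT until the next assignment; it is overwritten immediately, but an explicit `ret = 0` there, as the upn_suffixes branch does, would make the intent obvious to the next reader.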
@@ -2829,12 +2852,27 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, /* Iterate through list of trusts and check if input realm belongs to any of the trust */ for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - if ((strncasecmp(test_realm, - ipactx->mspac->trusts[i].domain_name, - size) == 0) || - (strncasecmp(test_realm, - ipactx->mspac->trusts[i].flat_name, - size) == 0)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].domain_name, + size) == 0; + + if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].flat_name, + size) == 0; + } + + if (!result && (ipactx->mspac->trusts[i].upn_suffixes != NULL)) { + for (j = 0; ipactx->mspac->trusts[i].upn_suffixes[j]; j++) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].upn_suffixes[j], + size) == 0; + if (result) + break; + } + } + + if (result) { /* return the realm if caller supplied a place for it */ if (trusted_realm != NULL) { name = (ipactx->mspac->trusts[i].parent_name != NULL) ? diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h index 1052bb8..30382d2 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h @@ -47,6 +47,7 @@ struct ipadb_adtrusts { int len_sid_blacklist_outgoing; struct ipadb_adtrusts *parent; char *parent_name; + char **upn_suffixes; }; int string_to_sid(const char *str, struct dom_sid *sid); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 445624f..823c05c 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
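Review bot: in the ipadb_is_princ_from_trusted_realm hunk, the new UPN-suffix comparison reuses `strncasecmp(test_realm, ..., size)` exactly like the domain_name and flat_name checks it mirrors; if `size` (defined above the hunk) is the length of test_realm, a realm that is a proper prefix of a stored suffix also compares equal. Because a positive result here makes the KDC treat the principal as coming from a trusted realm, the match should additionally require equal length, e.g. `strlen(upn_suffixes[j]) == size && strncasecmp(...) == 0`, and the same tightening is worth applying to the two pre-existing checks. Both this loop and the free loop in ipadb_mspac_struct_free also rely on ipadb_ldap_attr_to_strlist() returning a NULL-terminated array; a comment on the `char **upn_suffixes;` member in ipa_kdb_mspac_private.h should record that contract.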
@@ -1011,8 +1011,13 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, char *buf = NULL; struct sss_nss_kv *kv_list = NULL; - ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, - domain_name); + if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { + ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, + domain_name); + } else { + /* SSSD_DOMAIN_SEPARATOR already present, assume UPN */ + ret = asprintf(&fq_name, "%s", name); + } if (ret == -1) { ret = LDAP_OPERATIONS_ERROR; set_err_msg(req, "Failed to create fully qualified name"); diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index ea00f30..4d0d466 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains 
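Review bot: in the handle_name_request hunk, when `name` already contains SSSD_DOMAIN_SEPARATOR the request's `domain_name` is silently ignored and the client-supplied string is handed to SSSD unchanged; the comment should say that the domain from the request is not used in this case, and it is worth confirming that SSSD rejects a name whose suffix is neither a known domain nor a known UPN suffix rather than resolving it in a default domain. Minor: `asprintf(&fq_name, "%s", name)` can be `strdup(name)`, provided the `ret == -1` error check below is adjusted to test `fq_name == NULL`.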
@@ -170,33 +170,8 @@ except gssapi.exceptions.GSSError: ipa_domain = api.env.domain os.environ['KRB5CCNAME'] = oneway_ccache_name domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) - -if domains: - # trust range must exist by the time fetch_domains_from_trust is called - range_name = unicode(trusted_domain.upper() + '_id_range') - old_range = api.Command.idrange_show(range_name, raw=True)['result'] - idrange_type = old_range['iparangetype'][0] - - result = [] - for dom in domains: - dom['trust_type'] = u'ad' - try: - name = dom['cn'] - del dom['cn'] - - res = api.Command.trustdomain_add(trusted_domain, name, **dom) - result.append(res['result']) - - if idrange_type != u'ipa-ad-trust-posix': - range_name = name.upper() + '_id_range' - dom['range_type'] = u'ipa-ad-trust' - # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range - # to force it using existing credentials cache - trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'], - trusted_domain, name, **dom) - except errors.DuplicateEntry: - # Ignore updating duplicate entries - pass +trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result'] +trust.add_new_domains_from_trust(api, None, trust_domain_object, domains) if old_ccache: os.environ['KRB5CCNAME'] = old_ccache diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5ebe335..059174b 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
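Review bot: in the com.redhat.idm.trust-fetch-domains hunk, the removed inline loop only ran when `domains` was truthy, whereas `trust_show` is now called unconditionally before add_new_domains_from_trust returns early on an empty result; harmless, but the lookup could sit behind the same `if domains:` guard. More importantly, both new calls execute between the switch of KRB5CCNAME to oneway_ccache_name and its restoration from old_ccache, and neither is wrapped, so an exception from trust_show or add_new_domains_from_trust leaves the process with the one-way ccache selected (already true of the old loop); a try/finally around the block would make the restoration reliable.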
@@ -56,6 +56,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782 
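Review bot: in the 60basev3.ldif attributeTypes hunk, the new ipaNTAdditionalSuffixes definition lacks the X-ORIGIN tag every neighbouring definition carries; add one naming the release that introduces the attribute, and drop the stray space after the opening parenthesis so the entry matches the format of the surrounding lines.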
@@ -64,7 +65,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUC objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) ) +objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing $ ipaNTAdditionalSuffixes) ) objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP 
ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3') diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 5f56643..dc25ab7 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1197,7 +1197,10 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): def communicate(td): td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) - domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) + # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call + # but it doesn't provide information about non-domain UPNs associated + # with the forest, thus we have to use netr_DsRGetForestTrustInformation + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0) return domains domains = None @@ -1225,6 +1228,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): raise assess_dcerpc_exception(message=str(e)) td.info['dc'] = unicode(result.pdc_dns_name) + td.info['name'] = unicode(result.dns_domain) if type(creds) is bool: # Rely on existing Kerberos credentials in the environment td.creds = credentials.Credentials() 
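Review bot: in the communicate() hunk, the arguments to `netr_DsRGetForestTrustInformation(td.info['dc'], '', 0)` deserve a comment stating what the empty trusted-domain name and the zero flags select, since the comment above explains why the call replaced netr_DsrEnumerateDomainTrusts but not what this particular invocation asks for (the forest's own trust information, presumably). The call is also one of the remaining over-long lines discussed in the thread; splitting the argument list keeps it under the limit.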
@@ -1254,16 +1258,30 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): if domains is None: return None - result = [] - for t in domains.array: - if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and - (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): - res = dict() - res['cn'] = unicode(t.dns_name) - res['ipantflatname'] = unicode(t.netbios_name) - res['ipanttrusteddomainsid'] = unicode(t.sid) - res['ipanttrustpartner'] = res['cn'] - result.append(res) + result = {'domains': {}, 'suffixes': {}} + # netr_DsRGetForestTrustInformation returns two types of entries: + # domain information -- name, NetBIOS name, SID of the domain + # top level name info -- a name suffix associated with the forest + # We should ignore forest root name/name suffix as it is already part + # of trust information for IPA purposes and only add what's inside the forest + for t in domains.entries: + if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO: + tname = unicode(t.forest_trust_data.dns_domain_name.string) + if tname == trustdomain: + continue + result['domains'][tname] = { + 'cn': tname, + 'ipantflatname': unicode( + t.forest_trust_data.netbios_domain_name.string), + 'ipanttrusteddomainsid': unicode( + t.forest_trust_data.domain_sid) + } + elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: + tname = unicode(t.forest_trust_data.string) + if tname == trustdomain: + continue + + result['suffixes'][tname] = {'cn': tname} return result diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 744be93..0f1bb00 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
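Review bot: in the result-building hunk of fetch_domains, `if tname == trustdomain: continue` is a case-sensitive comparison, while DNS domain names and UPN suffixes are case-insensitive (the thread above confirms this for ipaNTAdditionalSuffixes); if AD reports the forest root in a different case than `trustdomain` was passed in, the root is added both as a child domain and as a suffix. Compare `tname.lower() == trustdomain.lower()`, and consider normalising the keys of `result['domains']` and `result['suffixes']` the same way so that the `x not in domains['domains']` test in add_new_domains_from_trust is case-insensitive as well. The suffix entries wrap a single `cn` in a dict only so the consumer can read `y['cn']`; a plain set of names would be simpler for both sides.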
@@ -487,11 +487,16 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', - 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', - 'ipanttrustpartner', 'ipanttrustforesttrustinfo', - 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] + 'ipanttrusttype', 'ipanttrustattributes', + 'ipanttrustdirection', 'ipanttrustpartner', + 'ipanttrustforesttrustinfo', + 'ipanttrustposixoffset', + 'ipantsupportedencryptiontypes', + 'ipantadditionalsuffixes'] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype'] + 'ipanttrusteddomainsid', 'ipanttrusttype', + 'ipanttrustattributes', + 'ipantadditionalsuffixes'] managed_permissions = { 'System: Read Trust Information': { # Allow reading of attributes needed for SSSD subdomains support @@ -505,7 +510,7 @@ class trust(LDAPObject): 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', - 'ipanttrustdirection' + 'ipanttrustdirection', 'ipantadditionalsuffixes', }, }, @@ -1457,8 +1462,11 @@ class trustdomain(LDAPObject): object_name = _('trust domain') object_name_plural = _('trust domains') object_class = ['ipaNTTrustedDomain'] - default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrustpartner'] - search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', ] + default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', + 'ipanttrustpartner', 'ipantadditionalsuffixes'] + search_display_attributes = ['cn', 'ipantflatname', + 'ipanttrusteddomainsid', + 'ipantadditionalsuffixes'] label = _('Trusted domains') label_singular = _('Trusted domain') 
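Review bot: in the trust/trustdomain attribute-list hunks, 'ipantadditionalsuffixes' is added to the trustdomain object's default_attributes and search_display_attributes although add_new_domains_from_trust stores the suffixes on the trust entry (`myapi.Object.trust.get_dn(trust_name, ...)`), so trustdomain entries never carry the attribute; harmless, but misleading, and it can be dropped from trustdomain. The managed_permissions change to 'System: Read Trust Information' matches the ACI.txt hunk and exposes the suffix list to every authenticated user (userdn = "ldap:///all"), consistent with the other trust attributes SSSD reads; a one-line comment that this is intentional would help the next reviewer.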
@@ -1500,9 +1508,10 @@ class trustdomain(LDAPObject): class trustdomain_find(LDAPSearch): __doc__ = _('Search domains of the trust') - has_output_params = LDAPSearch.has_output_params + ( + has_output_params = LDAPSearch.has_output_params + trust_output_params + ( Flag('domain_enabled', label= _('Domain enabled')), ) + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): return (filters, base_dn, ldap.SCOPE_SUBTREE) @@ -1511,11 +1520,10 @@ class trustdomain_find(LDAPSearch): return truncated trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') trust_entry = ldap.get_entry(trust_dn) + blacklist = trust_entry.get('ipantsidblacklistincoming') for entry in entries: - sid = entry['ipanttrusteddomainsid'][0] - - blacklist = trust_entry.get('ipantsidblacklistincoming') - if blacklist is None: + sid = entry.get('ipanttrusteddomainsid', [None])[0] + if sid is None: continue if sid in blacklist: @@ -1540,10 +1548,12 @@ class trustdomain_add(LDAPCreate): takes_options = LDAPCreate.takes_options + (_trust_type_option,) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if 'ipanttrustpartner' in options: - entry_attrs['ipanttrustpartner'] = [options['ipanttrustpartner']] + # ipaNTTrustPartner must always be set to the name of the trusted domain + # See MS-ADTS 6.1.6.7.13 + entry_attrs['ipanttrustpartner'] = [dn[0]['cn']] return dn + @register() class trustdomain_del(LDAPDelete): __doc__ = _('Remove infromation about the domain associated with the trust.') @@ -1586,9 +1596,11 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, - trust_name, creds=creds, server=server) + trust_name, creds=creds, + server=server) return domains + def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: 
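Review bot: in the trustdomain_find post_callback hunk, the `if blacklist is None: continue` guard was dropped while `blacklist` is still fetched with `trust_entry.get('ipantsidblacklistincoming')`, so a trust entry without that attribute now makes the unchanged `if sid in blacklist:` raise TypeError. Use `trust_entry.get('ipantsidblacklistincoming', [])`, or keep the None check before the loop. In the trustdomain_add hunk, an `ipanttrustpartner` supplied by the caller is now silently overridden by `dn[0]['cn']`; if the option is still declared for the command, either remove it or document that it is ignored.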
@@ -1600,7 +1612,12 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] - for dom in domains: + suffixes = list() + suffixes.extend(y['cn'] + for x, y in six.iteritems(domains['suffixes']) + if x not in domains['domains']) + + for dom in six.itervalues(domains['domains']): dom['trust_type'] = u'ad' try: name = dom['cn'] @@ -1616,13 +1633,27 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(myapi, trustinstance, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, trustinstance, + range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries pass + + try: + dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad') + ldap = myapi.Backend.ldap2 + entry = ldap.get_entry(dn) + tlns = entry.get('ipantadditionalsuffixes', []) + tlns.extend(x for x in suffixes if x not in tlns) + entry['ipantadditionalsuffixes'] = tlns + ldap.update_entry(entry) + except errors.EmptyModlist: + pass + return result + @register() class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') @@ -1698,7 +1729,7 @@ class trustdomain_enable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if sid in trust_entry['ipantsidblacklistincoming']: trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) 
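Review bot: in the add_new_domains_from_trust hunk, ipantadditionalsuffixes on the trust entry is only ever extended (`tlns.extend(x for x in suffixes if x not in tlns)`) and never reconciled against what the forest currently reports, so a UPN suffix retired on the AD side stays in LDAP and ipadb_is_princ_from_trusted_realm() keeps accepting principals from it; at least document this, or replace the stored list with the freshly fetched suffixes when trust_fetch_domains refreshes the trust. The `x not in tlns` test is also case-sensitive although the attribute uses caseIgnoreMatch, so the same suffix in different case is added twice. Make sure `six` is imported in this module, since the hunk introduces six.iteritems and six.itervalues. In the trustdomain_disable hunk that follows, `sid = entry.single_value.get('ipanttrusteddomainsid', None)` can now yield None and the unchanged next line then appends None to ipantsidblacklistincoming; skip the update when `sid is None` (the mirror change in trustdomain_enable is harmless, as `None in list` is simply False).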
@@ -1739,7 +1770,7 @@ class trustdomain_disable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if not (sid in trust_entry['ipantsidblacklistincoming']): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) -- 2.7.4

From abokovoy at redhat.com Tue Jun 7 20:25:43 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 7 Jun 2016 23:25:43 +0300
Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain
In-Reply-To: <20160607160018.fusf4llmh6gqgu3c@redhat.com>
References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> <20160607160018.fusf4llmh6gqgu3c@redhat.com>
Message-ID: <20160607202543.5iqyhx4igwd4lz3h@redhat.com>

On Tue, 07 Jun 2016, Alexander Bokovoy wrote:
> > del attrs['ipanttrusttype']
> > + if attributes:
> > + del attrs['ipanttrustattributes']
> > """
> Updated patch is attached.

Another update, forgot one space in the allow_behavior().

I also spent some time and did pep8 fixes for dcerpc.py. I reduced reported errors down to 22 from 260+. These 22 are for lines longer than 79 characters and I don't want to reduce them further because they are smaller than 84 characters already.

--
/ Alexander Bokovoy
-------------- next part --------------
From e9e8b4af5bf834aaceb9a7835733bd3641d5f93c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 6 Jun 2016 08:55:44 +0300
Subject: [PATCH 1/5] trusts: Add support for an external trust to Active Directory domain

External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.

The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.

Resolves: https://fedorahosted.org/freeipa/ticket/5743
---
 API.txt                    |  3 ++-
 ipaserver/dcerpc.py        | 50 +++++++++++++++++++++++++++----------
 ipaserver/plugins/trust.py | 61 +++++++++++++++++++++++++++++++++++-----------
 3 files changed, 86 insertions(+), 28 deletions(-)

diff --git a/API.txt b/API.txt
index f170930..d5fbc27 100644
--- a/API.txt
+++ b/API.txt
@@ -5208,12 +5208,13 @@ arg: Str('cn', cli_name='name') option: Str('version?') output: Output('result') command: trust_add -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='realm') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Int('base_id?', cli_name='base_id') option: Bool('bidirectional?', cli_name='two_way', default=False) +option: Bool('external?', cli_name='external', default=False) option: Int('range_size?', cli_name='range_size') option: StrEnum('range_type?', cli_name='range_type', values=[u'ipa-ad-trust-posix', u'ipa-ad-trust']) option: Flag('raw', autofill=True, cli_name='raw', default=False)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 25ffbfa..5f56643 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
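Review bot: the API.txt hunk is consistent with the new `external` option added to trust_add in ipaserver/plugins/trust.py (`args: 1,15,3` accounts for exactly one more option). The commit message above it, however, has an incomplete first sentence ("...or between an Active Directory domain."); please finish it so the history records what the second end of an external trust can be.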
@@ -77,6 +77,11 @@ and Samba4 python bindings. TRUST_ONEWAY = 1 TRUST_BIDIRECTIONAL = 3 +# Trust join behavior +# External trust -- allow creating trust to a non-root domain in the forest +TRUST_JOIN_EXTERNAL = 1 + + def is_sid_valid(sid): try: security.dom_sid(sid) @@ -1037,7 +1042,7 @@ class TrustDomainInstance(object): # We can ignore the error here -- setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional'): + def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional', trust_external=False): """ Establishes trust between our and another domain Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call @@ -1060,6 +1065,8 @@ class TrustDomainInstance(object): info.trust_direction |= lsa.LSA_TRUST_DIRECTION_OUTBOUND info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL info.trust_attributes = 0 + if trust_external: + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE try: dname = lsa.String() 
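Review bot: in the establish_trust hunk, the docstring's `Input:` section still describes only another_domain, trustdom_secret and trust_type; add the new `trust_external` parameter and state that it sets LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE on the trust. For the new `TRUST_JOIN_EXTERNAL = 1` constant, a comment that these "behavior" values are bit flags combined by allow_behavior() (so the next one must be 2, not 2 or 3 chosen by hand) would prevent an accidental collision later.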
@@ -1096,14 +1103,17 @@ class TrustDomainInstance(object): # server as that one doesn't support AES encryption types pass - try: - info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) - info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE - self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) - except RuntimeError as e: - root_logger.error('unable to set trust to transitive: %s' % (str(e))) + if not trust_external: + try: + info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE + self._pipe.SetInformationTrustedDomain(trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) + except RuntimeError as e: + root_logger.error('unable to set trust transitivity status: %s' % (str(e))) - if self.info['is_pdc']: + if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain) def verify_trust(self, another_domain): @@ -1262,6 +1272,7 @@ class TrustDomainJoins(object): self.api = api self.local_domain = None self.remote_domain = None + self.__allow_behavior = 0 domain_validator = DomainValidator(api) self.configured = domain_validator.is_configured() @@ -1271,6 +1282,10 @@ class TrustDomainJoins(object): self.local_dn = domain_validator.dn self.__populate_local_domain() + def allow_behavior(self, *flags): + for f in flags: + self.__allow_behavior |= int(f) + def __populate_local_domain(self): # Initialize local domain info using kerberos only ld = TrustDomainInstance(self.local_flatname) 
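Review bot: in the transitivity hunk, `if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain)` changes when forest trust information is pushed: previously only the PDC side did it, now any external trust does regardless of is_pdc. Since LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE is deliberately not set for an external trust, a comment should explain why update_ftinfo() is still needed in that case. Also, `allow_behavior()` ORs in any integer it is given (`int(f)`); restricting it to the known TRUST_JOIN_* flags, or at least documenting the expected values, keeps callers from enabling undefined behaviour bits.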
@@ -1358,14 +1373,19 @@ class TrustDomainJoins(object): realm_passwd ) + trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not trust_external: + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() - self.remote_domain.establish_trust(self.local_domain, trustdom_pass, trust_type) - self.local_domain.establish_trust(self.remote_domain, trustdom_pass, trust_type) + self.remote_domain.establish_trust(self.local_domain, + trustdom_pass, trust_type, trust_external) + self.local_domain.establish_trust(self.remote_domain, + trustdom_pass, trust_type, trust_external) # if trust is inbound, we don't need to verify it because AD DC will respond # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. result = True 
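Review bot: in the join_ad_full_credentials hunk, `trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)` is computed here and again in the join_ad_ipa_half hunk that follows; make it a property of TrustDomainJoins so the two join paths cannot drift apart. Note also that for an external trust the NotAForestRootError check is skipped and nothing replaces it: the trust is established to whichever domain `realm` resolved to, so the command documentation should make clear that only that single, non-transitive domain becomes reachable, as the commit message already states.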
@@ -1381,8 +1401,12 @@ class TrustDomainJoins(object): if not(isinstance(self.remote_domain, TrustDomainInstance)): self.populate_remote_domain(realm, realm_server, realm_passwd=None) + trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) + if not trust_external: + raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) - self.local_domain.establish_trust(self.remote_domain, trustdom_passwd, trust_type) + self.local_domain.establish_trust(self.remote_domain, + trustdom_passwd, trust_type, trust_external) return dict(local=self.local_domain, remote=self.remote_domain, verified=False) diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index ee0ab5d..744be93 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py @@ -62,8 +62,10 @@ except Exception as e: if api.env.in_server and api.env.context in ['lite', 'server']: try: - import ipaserver.dcerpc #pylint: disable=F0401 - from ipaserver.dcerpc import TRUST_ONEWAY, TRUST_BIDIRECTIONAL + import ipaserver.dcerpc # pylint: disable=F0401 + from ipaserver.dcerpc import (TRUST_ONEWAY, + TRUST_BIDIRECTIONAL, + TRUST_JOIN_EXTERNAL) import dbus import dbus.mainloop.glib _bindings_installed = True 
@@ -162,11 +164,18 @@ trust_output_params = ( label=_('Trust type')), Str('truststatus', label=_('Trust status')), + Str('ipantadditionalsuffixes*', + label=_('UPN suffixes')), ) +# Trust type is a combination of ipanttrusttype and ipanttrustattributes +# We shift trust attributes by 3 bits to left so bit 0 becomes bit 3 and +# 2+(1 << 3) becomes 10. _trust_type_dict = {1 : _('Non-Active Directory domain'), 2 : _('Active Directory domain'), - 3 : _('RFC4120-compliant Kerberos realm')} + 3 : _('RFC4120-compliant Kerberos realm'), + 10: _('Non-transitive external trust to a domain in another Active Directory forest')} + _trust_direction_dict = {1 : _('Trusting forest'), 2 : _('Trusted forest'), 3 : _('Two-way trust')} @@ -189,14 +198,17 @@ DBUS_IFACE_TRUST = 'com.redhat.idm.trust' CRED_STYLE_SAMBA = 1 CRED_STYLE_KERBEROS = 2 -def trust_type_string(level): +LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001 + +def trust_type_string(level, attrs): """ Returns a string representing a type of the trust. The original field is an enum: LSA_TRUST_TYPE_DOWNLEVEL = 0x00000001, LSA_TRUST_TYPE_UPLEVEL = 0x00000002, LSA_TRUST_TYPE_MIT = 0x00000003 """ - string = _trust_type_dict.get(int(level), _trust_type_dict_unknown) + transitive = int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE + string = _trust_type_dict.get(int(level) | (transitive << 3), _trust_type_dict_unknown) return unicode(string) def trust_direction_string(level): @@ -677,6 +689,12 @@ sides. doc=(_('Establish bi-directional trust. By default trust is inbound one-way only.')), default=False, ), + Bool('external?', + label=_('External trust'), + cli_name='external', + doc=(_('Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.')), + default=False, + ), ) msg_summary = _('Added Active Directory trust for realm "%(value)s"') 
@@ -735,12 +753,15 @@ sides. fetch_trusted_domains_over_dbus(self.api, self.log, result['value']) # Format the output into human-readable values + attributes = int(result['result'].get('ipanttrustattributes', [0])[0]) result['result']['trusttype'] = [trust_type_string( - result['result']['ipanttrusttype'][0])] + result['result']['ipanttrusttype'][0], attributes)] result['result']['trustdirection'] = [trust_direction_string( result['result']['ipanttrustdirection'][0])] result['result']['truststatus'] = [trust_status_string( result['verified'])] + if attributes: + result['result'].pop('ipanttrustattributes', None) del result['verified'] result['result'].pop('ipanttrustauthoutgoing', None) @@ -929,6 +950,11 @@ sides. trust_type = TRUST_ONEWAY if options.get('bidirectional', False): trust_type = TRUST_BIDIRECTIONAL + + # If we are forced to establish external trust, allow it + if options.get('external', False): + self.trustinstance.allow_behavior(TRUST_JOIN_EXTERNAL) + # 1. Full access to the remote domain. Use admin credentials and # generate random trustdom password to do work on both sides if full_join: @@ -1033,7 +1059,7 @@ class trust_mod(LDAPUpdate): class trust_find(LDAPSearch): __doc__ = _('Search for trusts.') has_output_params = LDAPSearch.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'),) + (Str('ipanttrusttype'), Str('ipanttrustattributes')) msg_summary = ngettext( '%(count)d trust matched', '%(count)d trusts matched', 0 @@ -1043,7 +1069,7 @@ class trust_find(LDAPSearch): # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): # list only trust, not trust domains - trust_filter = '(ipaNTTrustPartner=*)' + trust_filter = '(&(ipaNTTrustPartner=*)(&(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)))' filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) return (filter, base_dn, ldap.SCOPE_SUBTREE) 
@@ -1060,10 +1086,13 @@ class trust_find(LDAPSearch): for attrs in entries: # Translate ipanttrusttype to trusttype if --raw not used - trust_type = attrs.get('ipanttrusttype', [None])[0] + trust_type = attrs.single_value.get('ipanttrusttype', None) + attributes = attrs.single_value.get('ipanttrustattributes', 0) if not options.get('raw', False) and trust_type is not None: - attrs['trusttype'] = trust_type_string(attrs['ipanttrusttype'][0]) + attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del attrs['ipanttrusttype'] + if attributes: + del attrs['ipanttrustattributes'] return truncated @@ -1071,7 +1100,7 @@ class trust_find(LDAPSearch): class trust_show(LDAPRetrieve): __doc__ = _('Display information about a trust.') has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\ - (Str('ipanttrusttype'), Str('ipanttrustdirection')) + (Str('ipanttrusttype'), Str('ipanttrustdirection'), Str('ipanttrustattributes')) def execute(self, *keys, **options): result = super(trust_show, self).execute(*keys, **options) @@ -1088,16 +1117,20 @@ class trust_show(LDAPRetrieve): # if --raw not used if not options.get('raw', False): - trust_type = entry_attrs.get('ipanttrusttype', [None])[0] + trust_type = entry_attrs.single_value.get('ipanttrusttype', None) + attributes = entry_attrs.single_value.get('ipanttrustattributes', 0) if trust_type is not None: - entry_attrs['trusttype'] = trust_type_string(trust_type) + entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)] del entry_attrs['ipanttrusttype'] - dir_str = entry_attrs.get('ipanttrustdirection', [None])[0] + dir_str = entry_attrs.single_value.get('ipanttrustdirection', None) if dir_str is not None: entry_attrs['trustdirection'] = [trust_direction_string(dir_str)] del entry_attrs['ipanttrustdirection'] + if attributes: + del entry_attrs['ipanttrustattributes'] + return dn -- 2.7.4 -------------- next part -------------- 
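Review bot: in the trust_type_string hunk (@@ -189,14 +198,17 @@) the local called "transitive" is set to int(attrs) & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE, so it is 1 exactly when the trust is not transitive; rename it non_transitive so the "(transitive << 3)" key computation reads the way it behaves. The combined key only has an entry for 2 | 8 == 10; a non-transitive level 1 or 3 trust yields 9 or 11 and falls through to _trust_type_dict_unknown, so either add those entries or state in the comment above _trust_type_dict that the bit is only meaningful for Active Directory domains.

Review bot: in the trust_add output hunk (@@ -735,12 +753,15 @@) ipanttrustattributes is popped from the result only when "attributes" is non-zero, so a trust whose attributes are 0 shows the raw attribute while a non-transitive one hides it. Pop it unconditionally next to ipanttrustauthoutgoing, i.e. result['result'].pop('ipanttrustattributes', None), so the output shape does not depend on the value. The trust_find and trust_show hunks (@@ -1060 and @@ -1088) have the same guard but read the value with single_value.get(), which returns a string, so '0' is truthy there and the three commands disagree on when the attribute is hidden; int() the value in all three or drop the guard.

Review bot: the trust_find.pre_callback hunk (@@ -1043,7 +1069,7 @@) nests an "&" inside an "&"; (&(ipaNTTrustPartner=*)(objectclass=ipaIDObject)(objectclass=ipaNTTrustedDomain)) is equivalent and easier to read.

Review bot: the two TrustDomainJoins hunks (@@ -1358 and @@ -1381) repeat the same "trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL)" plus forest-root check; a small private helper taking trust_external would keep the two join paths from drifting. The continuation lines of raise errors.NotAForestRootError( also still exceed 80 columns, which the follow-up pep8 patch in this series is trying to get rid of.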
From 942364346e930296fba4acfa60e1eda735903ffd Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 7 Jun 2016 22:41:10 +0300 Subject: [PATCH 7/7] ipaserver/dcerpc: reformat to make the code closer to pep8 Because Samba Python bindings provide long-named methods and constants, sometimes it is impossible to fit into 80 columns without causing damage to readability of the code. This patchset attempts to reduce pep8 complaints to a minimum. --- ipaserver/dcerpc.py | 475 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 299 insertions(+), 176 deletions(-) diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index dc25ab7..7e2925b 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -44,10 +44,12 @@ import samba import random from cryptography.hazmat.primitives.ciphers import Cipher, algorithms from cryptography.hazmat.backends import default_backend +# pylint: disable=F0401 try: - from ldap.controls import RequestControl as LDAPControl #pylint: disable=F0401 + from ldap.controls import RequestControl as LDAPControl except ImportError: - from ldap.controls import LDAPControl as LDAPControl #pylint: disable=F0401 + from ldap.controls import LDAPControl as LDAPControl +# pylint: enable=F0401 import ldap as _ldap from ipapython.ipaldap import IPAdmin from ipalib.session import krbccache_dir, krbccache_prefix @@ -74,7 +76,7 @@ and Samba4 python bindings. # Both constants can be used as masks against trust direction # because bi-directional has two lower bits set. -TRUST_ONEWAY = 1 +TRUST_ONEWAY = 1 TRUST_BIDIRECTIONAL = 3 # Trust join behavior 
@@ -91,31 +93,44 @@ def is_sid_valid(sid): return True -access_denied_error = errors.ACIError(info=_('CIFS server denied your credentials')) +access_denied_error = errors.ACIError( + info=_('CIFS server denied your credentials')) dcerpc_error_codes = { -1073741823: - errors.RemoteRetrieveError(reason=_('communication with CIFS server was unsuccessful')), + errors.RemoteRetrieveError( + reason=_('communication with CIFS server was unsuccessful')), -1073741790: access_denied_error, -1073741715: access_denied_error, -1073741614: access_denied_error, -1073741603: - errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')), - -1073741811: # NT_STATUS_INVALID_PARAMETER + errors.ValidationError( + name=_('AD domain controller'), + error=_('unsupported functional level')), + -1073741811: # NT_STATUS_INVALID_PARAMETER errors.RemoteRetrieveError( - reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')), - -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding + reason=_('AD domain controller complains about communication ' + 'sequence. 
It may mean unsynchronized time on both ' + 'sides, for example')), + -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, + # we simply will skip the binding access_denied_error, - -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND - errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')), + -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND + errors.RemoteRetrieveError( + reason=_('CIFS server configuration does not allow ' + 'access to \\\\pipe\\lsarpc')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": - errors.NotFound(reason=_('Cannot find specified domain or server name')), + errors.NotFound( + reason=_('Cannot find specified domain or server name')), "WERR_NO_LOGON_SERVERS": - errors.RemoteRetrieveError(reason=_('AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue')), + errors.RemoteRetrieveError( + reason=_('AD DC was unable to reach any IPA domain controller. ' + 'Most likely it is a DNS or firewall issue')), "NT_STATUS_INVALID_PARAMETER_MIX": - errors.RequirementError(name=_('At least the domain or IP address should be specified')), + errors.RequirementError( + name=_('At least the domain or IP address should be specified')), } pysss_type_key_translation_dict = { @@ -126,7 +141,7 @@ pysss_type_key_translation_dict = { } -def assess_dcerpc_exception(num=None,message=None): +def assess_dcerpc_exception(num=None, message=None): """ Takes error returned by Samba bindings and converts it into an IPA error class. 
@@ -135,8 +150,9 @@ def assess_dcerpc_exception(num=None,message=None): return dcerpc_error_codes[num] if message and message in dcerpc_error_messages: return dcerpc_error_messages[message] - reason = _('''CIFS server communication error: code "%(num)s", - message "%(message)s" (both may be "None")''') % dict(num=num, message=message) + reason = _('CIFS server communication error: code "%(num)s", ' + 'message "%(message)s" (both may be "None")') % \ + dict(num=num, message=message) return errors.RemoteRetrieveError(reason=reason) @@ -182,9 +198,13 @@ class DomainValidator(object): self._parm = None def is_configured(self): - cn_trust_local = DN(('cn', self.api.env.domain), self.api.env.container_cifsdomains, self.api.env.basedn) + cn_trust_local = DN(('cn', self.api.env.domain), + self.api.env.container_cifsdomains, + self.api.env.basedn) try: - entry_attrs = self.ldap.get_entry(cn_trust_local, [self.ATTR_FLATNAME, self.ATTR_SID]) + entry_attrs = self.ldap.get_entry(cn_trust_local, + [self.ATTR_FLATNAME, + self.ATTR_SID]) self.flatname = entry_attrs[self.ATTR_FLATNAME][0] self.sid = entry_attrs[self.ATTR_SID][0] self.dn = entry_attrs.dn @@ -203,7 +223,8 @@ class DomainValidator(object): try: search_kw = {'objectClass': 'ipaNTTrustedDomain'} - filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL) + filter = self.ldap.make_filter(search_kw, + rules=self.ldap.MATCH_ALL) (entries, truncated) = self.ldap.find_entries( filter=filter, base_dn=cn_trust, 
@@ -216,22 +237,22 @@ class DomainValidator(object): # domain names as keys and those are generally case-insensitive result = ipautil.CIDict() - for entry in entries: + for e in entries: try: - trust_partner = entry[self.ATTR_TRUST_PARTNER][0] - flatname_normalized = entry[self.ATTR_FLATNAME][0].lower() - trusted_sid = entry[self.ATTR_TRUSTED_SID][0] - except KeyError as e: + t_partner = e.single_value.get(self.ATTR_TRUST_PARTNER) + fname_norm = e.single_value.get(self.ATTR_FLATNAME).lower() + trusted_sid = e.single_value.get(self.ATTR_TRUSTED_SID) + except KeyError as exc: # Some piece of trusted domain info in LDAP is missing # Skip the domain, but leave log entry for investigation api.log.warning("Trusted domain '%s' entry misses an " - "attribute: %s", entry.dn, e) + "attribute: %s", e.dn, exc) continue - result[trust_partner] = (flatname_normalized, - security.dom_sid(trusted_sid)) + result[t_partner] = (fname_norm, + security.dom_sid(trusted_sid)) return result - except errors.NotFound as e: + except errors.NotFound as exc: return [] def set_trusted_domains(self): 
@@ -244,21 +265,22 @@ class DomainValidator(object): # This means we can't check the correctness of a trusted # domain SIDs raise errors.ValidationError(name='sid', - error=_('no trusted domain is configured')) + error=_('no trusted domain ' + 'is configured')) def get_domain_by_sid(self, sid, exact_match=False): if not self.domain: # our domain is not configured or self.is_configured() never run # reject SIDs as we can't check correctness of them raise errors.ValidationError(name='sid', - error=_('domain is not configured')) + error=_('domain is not configured')) # Parse sid string to see if it is really in a SID format try: test_sid = security.dom_sid(sid) except TypeError: raise errors.ValidationError(name='sid', - error=_('SID is not valid')) + error=_('SID is not valid')) # At this point we have SID_NT_AUTHORITY family SID and really need to # check it against prefixes of domain SIDs we trust to 
@@ -314,30 +336,34 @@ class DomainValidator(object): return None def get_trusted_domain_objects(self, domain=None, flatname=None, filter="", - attrs=None, scope=_ldap.SCOPE_SUBTREE, basedn=None): + attrs=None, scope=_ldap.SCOPE_SUBTREE, + basedn=None): """ - Search for LDAP objects in a trusted domain specified either by `domain' - or `flatname'. The actual LDAP search is specified by `filter', `attrs', - `scope' and `basedn'. When `basedn' is empty, database root DN is used. + Search for LDAP objects in a trusted domain specified either by + `domain' or `flatname'. The actual LDAP search is specified by + `filter', `attrs', `scope' and `basedn'. When `basedn' is empty, + database root DN is used. """ assert domain is not None or flatname is not None """Returns SID for the trusted domain object (user or group only)""" if not self.domain: # our domain is not configured or self.is_configured() never run raise errors.ValidationError(name=_('Trust setup'), - error=_('Our domain is not configured')) + error=_('Our domain is ' + 'not configured')) if not self._domains: self._domains = self.get_trusted_domains() if len(self._domains) == 0: # Our domain is configured but no trusted domains are configured raise errors.ValidationError(name=_('Trust setup'), - error=_('No trusted domain is not configured')) + error=_('No trusted domain is ' + 'not configured')) entries = None if domain is not None: if domain not in self._domains: raise errors.ValidationError(name=_('trusted domain object'), - error= _('domain is not trusted')) + error=_('domain is not trusted')) # Now we have a name to check against our list of trusted domains entries = self.search_in_dc(domain, filter, attrs, scope, basedn) elif flatname is not None: 
@@ -347,53 +373,65 @@ class DomainValidator(object): for domain in self._domains: if self._domains[domain][0] == flatname: found_flatname = True - entries = self.search_in_dc(domain, filter, attrs, scope, basedn) + entries = self.search_in_dc(domain, filter, + attrs, scope, basedn) if entries: break if not found_flatname: raise errors.ValidationError(name=_('trusted domain object'), - error= _('no trusted domain matched the specified flat name')) + error=_('no trusted domain ' + 'matched the specified ' + 'flat name')) if not entries: raise errors.NotFound(reason=_('trusted domain object not found')) return entries - def get_trusted_domain_object_sid(self, object_name, fallback_to_ldap=True): + def get_trusted_domain_object_sid(self, object_name, + fallback_to_ldap=True): result = pysss_nss_idmap.getsidbyname(object_name) - if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]): + if object_name in result and \ + (pysss_nss_idmap.SID_KEY in result[object_name]): object_sid = result[object_name][pysss_nss_idmap.SID_KEY] return object_sid # If fallback to AD DC LDAP is not allowed, bail out if not fallback_to_ldap: raise errors.ValidationError(name=_('trusted domain object'), - error= _('SSSD was unable to resolve the object to a valid SID')) + error=_('SSSD was unable to resolve ' + 'the object to a valid SID')) # Else, we are going to contact AD DC LDAP components = normalize_name(object_name) if not ('domain' in components or 'flatname' in components): # No domain or realm specified, ambiguous search - raise errors.ValidationError(name=_('trusted domain object'), - error= _('Ambiguous search, user domain was not specified')) + raise errors.ValidationError(name=_('trusted domain object'), + error=_('Ambiguous search, user ' + 'domain was not specified')) attrs = ['objectSid'] - filter = '(&(sAMAccountName=%(name)s)(|(objectClass=user)(objectClass=group)))' \ - % dict(name=components['name']) + filter = '(&(sAMAccountName=%(name)s)' \ + 
'(|(objectClass=user)(objectClass=group)))' \ + % dict(name=components['name']) scope = _ldap.SCOPE_SUBTREE entries = self.get_trusted_domain_objects(components.get('domain'), - components.get('flatname'), filter, attrs, scope) + components.get('flatname'), + filter, attrs, scope) if len(entries) > 1: # Treat non-unique entries as invalid raise errors.ValidationError(name=_('trusted domain object'), - error= _('Trusted domain did not return a unique object')) + error=_('Trusted domain did not ' + 'return a unique object')) sid = self.__sid_to_str(entries[0]['objectSid'][0]) try: test_sid = security.dom_sid(sid) return unicode(test_sid) except TypeError as e: raise errors.ValidationError(name=_('trusted domain object'), - error= _('Trusted domain did not return a valid SID for the object')) + error=_('Trusted domain did not ' + 'return a valid SID for ' + 'the object')) def get_trusted_domain_object_type(self, name_or_sid): """ @@ -443,7 +481,8 @@ class DomainValidator(object): ) attrs = ['sAMAccountName'] - filter = (r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))' + filter = (r'(&(objectSid=%(sid)s)' + '(|(objectClass=user)(objectClass=group)))' % dict(sid=escaped_sid)) # sid in binary domain = self.get_domain_by_sid(sid) @@ -454,7 +493,8 @@ class DomainValidator(object): if len(entries) > 1: # Treat non-unique entries as invalid raise errors.ValidationError(name=_('trusted domain object'), - error=_('Trusted domain did not return a unique object')) + error=_('Trusted domain did not ' + 'return a unique object')) object_name = ( "%s@%s" % (entries[0].single_value['sAMAccountName'].lower(), 
@@ -486,27 +526,31 @@ class DomainValidator(object): # Now search a trusted domain for a user with this SID attrs = ['cn'] filter = '(&(objectClass=user)(objectSid=%(sid)s))' \ - % dict(sid=object_name) + % dict(sid=object_name) try: - entries = self.get_trusted_domain_objects(domain=domain, filter=filter, - attrs=attrs, scope=_ldap.SCOPE_SUBTREE) + entries = self.get_trusted_domain_objects(domain=domain, + filter=filter, + attrs=attrs, + scope=_ldap.SCOPE_SUBTREE) except errors.NotFound: raise errors.NotFound(reason=_('trusted domain user not found')) user_dn = entries[0].dn elif domain or flatname: attrs = ['cn'] filter = '(&(sAMAccountName=%(name)s)(objectClass=user))' \ - % dict(name=name) + % dict(name=name) try: entries = self.get_trusted_domain_objects(domain, - flatname, filter, attrs, _ldap.SCOPE_SUBTREE) + flatname, filter, attrs, + _ldap.SCOPE_SUBTREE) except errors.NotFound: raise errors.NotFound(reason=_('trusted domain user not found')) user_dn = entries[0].dn else: # No domain or realm specified, ambiguous search raise errors.ValidationError(name=_('trusted domain object'), - error= _('Ambiguous search, user domain was not specified')) + error=_('Ambiguous search, ' + 'user domain was not specified')) # Get SIDs of user object and it's groups # tokenGroups attribute must be read with a scope BASE for a known user @@ -514,9 +558,11 @@ class DomainValidator(object): attrs = ['objectSID', 'tokenGroups'] filter = "(objectClass=user)" entries = self.get_trusted_domain_objects(domain, - flatname, filter, attrs, _ldap.SCOPE_BASE, user_dn) + flatname, filter, attrs, + _ldap.SCOPE_BASE, user_dn) object_sid = self.__sid_to_str(entries[0]['objectSid'][0]) - group_sids = [self.__sid_to_str(sid) for sid in entries[0]['tokenGroups']] + group_sids = [self.__sid_to_str(sid) + for sid in entries[0]['tokenGroups']] return (object_sid, group_sids) def get_trusted_domain_user_and_groups(self, object_name): 
@@ -540,11 +586,14 @@ class DomainValidator(object): if is_valid_sid: object_sid = object_name result = pysss_nss_idmap.getnamebysid(object_name) - if object_name in result and (pysss_nss_idmap.NAME_KEY in result[object_name]): - group_list = pysss.getgrouplist(result[object_name][pysss_nss_idmap.NAME_KEY]) + if object_name in result and \ + (pysss_nss_idmap.NAME_KEY in result[object_name]): + group_list = pysss.getgrouplist( + result[object_name][pysss_nss_idmap.NAME_KEY]) else: result = pysss_nss_idmap.getsidbyname(object_name) - if object_name in result and (pysss_nss_idmap.SID_KEY in result[object_name]): + if object_name in result and \ + (pysss_nss_idmap.SID_KEY in result[object_name]): object_sid = result[object_name][pysss_nss_idmap.SID_KEY] group_list = pysss.getgrouplist(object_name) @@ -552,7 +601,10 @@ class DomainValidator(object): return self.__get_trusted_domain_user_and_groups(object_name) group_sids = pysss_nss_idmap.getsidbyname(group_list) - return (object_sid, [el[1][pysss_nss_idmap.SID_KEY] for el in group_sids.items()]) + return ( + object_sid, + [el[1][pysss_nss_idmap.SID_KEY] for el in group_sids.items()] + ) def __sid_to_str(self, sid): """ @@ -561,12 +613,13 @@ class DomainValidator(object): """ sid_rev_num = ord(sid[0]) number_sub_id = ord(sid[1]) - ia = struct.unpack('!Q','\x00\x00'+sid[2:8])[0] + ia = struct.unpack('!Q', '\x00\x00'+sid[2:8])[0] subs = [ - struct.unpack(' 0: self.parm.set('netbios name', hostname) self.creds = creds 
@@ -810,14 +867,14 @@ class TrustDomainInstance(object): self.validation_attempts = 0 def __gen_lsa_connection(self, binding): - if self.creds is None: - raise errors.RequirementError(name=_('CIFS credentials object')) - try: - result = lsa.lsarpc(binding, self.parm, self.creds) - return result - except RuntimeError as e: - num, message = e.args # pylint: disable=unpacking-non-sequence - raise assess_dcerpc_exception(num=num, message=message) + if self.creds is None: + raise errors.RequirementError(name=_('CIFS credentials object')) + try: + result = lsa.lsarpc(binding, self.parm, self.creds) + return result + except RuntimeError as e: + num, message = e.args # pylint: disable=unpacking-non-sequence + raise assess_dcerpc_exception(num=num, message=message) def init_lsa_pipe(self, remote_host): """ 
@@ -847,30 +904,35 @@ class TrustDomainInstance(object): # When session key is not available, we just skip this binding session_attempts = session_attempts + 1 - if self._pipe is None and (attempts + session_attempts) == len(bindings): + if self._pipe is None and \ + (attempts + session_attempts) == len(bindings): raise errors.ACIError( - info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host)) + info=_('CIFS server %(host)s denied your credentials') + % dict(host=remote_host)) if self._pipe is None: raise errors.RemoteRetrieveError( - reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host)) + reason=_('Cannot establish LSA connection to %(host)s. ' + 'Is CIFS server running?') % dict(host=remote_host)) self.binding = binding self.session_key = self._pipe.session_key def __gen_lsa_bindings(self, remote_host): """ - There are multiple transports to issue LSA calls. However, depending on a - system in use they may be blocked by local operating system policies. + There are multiple transports to issue LSA calls. However, depending on + a system in use they may be blocked by local operating system policies. Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. - We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults. + We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1. """ transports = (u'ncacn_np', u'ncacn_ip_tcp') - options = ( u'smb2,print', u'print') - return [u'%s:%s[%s]' % (t, remote_host, o) for t in transports for o in options] + options = (u'smb2,print', u'print') + return [u'%s:%s[%s]' % (t, remote_host, o) + for t in transports for o in options] - def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): + def retrieve_anonymously(self, remote_host, + discover_srv=False, search_pdc=False): """ When retrieving DC information anonymously, we can't get SID of the domain """ 
@@ -896,7 +958,8 @@ class TrustDomainInstance(object): self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0 # Netlogon response doesn't contain SID of the domain. - # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID + # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID + # control to reveal the SID ldap_uri = 'ldap://%s' % (result.pdc_dns_name) conn = _ldap.initialize(ldap_uri) conn.set_option(_ldap.OPT_SERVER_CONTROLS, [ExtendedDNControl()]) @@ -908,7 +971,7 @@ class TrustDomainInstance(object): except _ldap.LDAPError as e: root_logger.error( "LDAP error when connecting to %(host)s: %(error)s" % - dict(host=unicode(result.pdc_name), error=str(e))) + dict(host=unicode(result.pdc_name), error=str(e))) except KeyError as e: root_logger.error("KeyError: {err}, LDAP entry from {host} " "returned malformed. Your DNS might be " @@ -930,8 +993,11 @@ class TrustDomainInstance(object): objectAttribute = lsa.ObjectAttribute() objectAttribute.sec_qos = lsa.QosInfo() try: - self._policy_handle = self._pipe.OpenPolicy2(u"", objectAttribute, security.SEC_FLAG_MAXIMUM_ALLOWED) - result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_DNS) + self._policy_handle = \ + self._pipe.OpenPolicy2(u"", objectAttribute, + security.SEC_FLAG_MAXIMUM_ALLOWED) + result = self._pipe.QueryInfoPolicy2(self._policy_handle, + lsa.LSA_POLICY_INFO_DNS) except RuntimeError as e: num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) @@ -944,7 +1010,8 @@ class TrustDomainInstance(object): self.info['dc'] = remote_host try: - result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) + result = self._pipe.QueryInfoPolicy2(self._policy_handle, + lsa.LSA_POLICY_INFO_ROLE) except RuntimeError as e: num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) 
@@ -958,18 +1025,18 @@ class TrustDomainInstance(object): clear_value.size = len(password_blob) clear_value.password = password_blob - clear_authentication_information = drsblobs.AuthenticationInformation() - clear_authentication_information.LastUpdateTime = samba.unix2nttime(int(time.time())) - clear_authentication_information.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR - clear_authentication_information.AuthInfo = clear_value + clear_authinfo = drsblobs.AuthenticationInformation() + clear_authinfo.LastUpdateTime = samba.unix2nttime(int(time.time())) + clear_authinfo.AuthType = lsa.TRUST_AUTH_TYPE_CLEAR + clear_authinfo.AuthInfo = clear_value - authentication_information_array = drsblobs.AuthenticationInformationArray() - authentication_information_array.count = 1 - authentication_information_array.array = [clear_authentication_information] + authinfo_array = drsblobs.AuthenticationInformationArray() + authinfo_array.count = 1 + authinfo_array.array = [clear_authinfo] outgoing = drsblobs.trustAuthInOutBlob() outgoing.count = 1 - outgoing.current = authentication_information_array + outgoing.current = authinfo_array confounder = [3]*512 for i in range(512): @@ -983,7 +1050,8 @@ class TrustDomainInstance(object): trustpass_blob = ndr_pack(trustpass) - encrypted_trustpass = arcfour_encrypt(self._pipe.session_key, trustpass_blob) + encrypted_trustpass = arcfour_encrypt(self._pipe.session_key, + trustpass_blob) auth_blob = lsa.DATA_BUF2() auth_blob.size = len(encrypted_trustpass) @@ -993,7 +1061,6 @@ class TrustDomainInstance(object): auth_info.auth_blob = auth_blob self.auth_info = auth_info - def generate_ftinfo(self, another_domain): """ Generates TrustDomainInfoFullInfo2Internal structure 
@@ -1032,27 +1099,38 @@ class TrustDomainInstance(object): # smbd already has the information about itself ldname = lsa.StringLarge() ldname.string = another_domain.info['dns_domain'] - collision_info = self._pipe.lsaRSetForestTrustInformation(self._policy_handle, - ldname, - lsa.LSA_FOREST_TRUST_DOMAIN_INFO, - ftinfo, 0) - if collision_info: - root_logger.error("When setting forest trust information, got collision info back:\n%s" % (ndr_print(collision_info))) + ftlevel = lsa.LSA_FOREST_TRUST_DOMAIN_INFO + # RSetForestTrustInformation returns collision information + # for trust topology + cinfo = self._pipe.lsaRSetForestTrustInformation( + self._policy_handle, + ldname, + ftlevel, + ftinfo, 0) + if cinfo: + root_logger.error("When setting forest trust information, " + "got collision info back:\n%s" + % (ndr_print(cinfo))) except RuntimeError as e: - # We can ignore the error here -- setting up name suffix routes may fail + # We can ignore the error here -- + # setting up name suffix routes may fail pass - def establish_trust(self, another_domain, trustdom_secret, trust_type='bidirectional', trust_external=False): + def establish_trust(self, another_domain, trustdom_secret, + trust_type='bidirectional', trust_external=False): """ Establishes trust between our and another domain - Input: another_domain -- instance of TrustDomainInstance, initialized with #retrieve call + Input: another_domain -- instance of TrustDomainInstance, + initialized with #retrieve call trustdom_secret -- shared secred used for the trust """ if self.info['name'] == another_domain.info['name']: # Check that NetBIOS names do not clash raise errors.ValidationError(name=u'AD Trust Setup', - error=_('the IPA server and the remote domain cannot share the same ' - 'NetBIOS name: %s') % self.info['name']) + error=_('the IPA server and the ' + 'remote domain cannot share ' + 'the same NetBIOS name: %s') + % self.info['name']) self.generate_auth(trustdom_secret) 
@@ -1071,8 +1149,12 @@ class TrustDomainInstance(object): try: dname = lsa.String() dname.string = another_domain.info['dns_domain'] - res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO) - self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid) + res = self._pipe.QueryTrustedDomainInfoByName( + self._policy_handle, + dname, + lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO) + self._pipe.DeleteTrustedDomain(self._policy_handle, + res.info_ex.sid) except RuntimeError as e: num, message = e.args # pylint: disable=unpacking-non-sequence # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED) @@ -1080,7 +1162,10 @@ class TrustDomainInstance(object): raise access_denied_error try: - trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) + trustdom_handle = self._pipe.CreateTrustedDomainEx2( + self._policy_handle, + info, self.auth_info, + security.SEC_STD_DELETE) except RuntimeError as e: num, message = e.args # pylint: disable=unpacking-non-sequence raise assess_dcerpc_exception(num=num, message=message) 
@@ -1089,13 +1174,19 @@ class TrustDomainInstance(object): # trust settings. Samba insists this has to be done with LSA # OpenTrustedDomain* calls, it is not enough to have a handle # returned by the CreateTrustedDomainEx2 call. - trustdom_handle = self._pipe.OpenTrustedDomainByName(self._policy_handle, dname, security.SEC_FLAG_MAXIMUM_ALLOWED) + trustdom_handle = self._pipe.OpenTrustedDomainByName( + self._policy_handle, + dname, + security.SEC_FLAG_MAXIMUM_ALLOWED) try: - infoclass = lsa.TrustDomainInfoSupportedEncTypes() - infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5 - infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 - infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 - self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass) + infocls = lsa.TrustDomainInfoSupportedEncTypes() + infocls.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5 + infocls.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + infocls.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + self._pipe.SetInformationTrustedDomain( + trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, + infocls) except RuntimeError as e: # We can ignore the error here -- changing enctypes is for # improved security but the trust will work with default values as 
@@ -1105,13 +1196,16 @@ class TrustDomainInstance(object): if not trust_external: try: - info = self._pipe.QueryTrustedDomainInfo(trustdom_handle, - lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) + info = self._pipe.QueryTrustedDomainInfo( + trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX) info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE - self._pipe.SetInformationTrustedDomain(trustdom_handle, - lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) + self._pipe.SetInformationTrustedDomain( + trustdom_handle, + lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) except RuntimeError as e: - root_logger.error('unable to set trust transitivity status: %s' % (str(e))) + root_logger.error( + 'unable to set trust transitivity status: %s' % (str(e))) if self.info['is_pdc'] or trust_external: self.update_ftinfo(another_domain) @@ -1119,12 +1213,13 @@ class TrustDomainInstance(object): def verify_trust(self, another_domain): def retrieve_netlogon_info_2(logon_server, domain, function_code, data): try: - netr_pipe = netlogon.netlogon(domain.binding, domain.parm, domain.creds) - result = netr_pipe.netr_LogonControl2Ex(logon_server=logon_server, + netr_pipe = netlogon.netlogon(domain.binding, + domain.parm, domain.creds) + result = netr_pipe.netr_LogonControl2Ex( + logon_server=logon_server, function_code=function_code, level=2, - data=data - ) + data=data) return result except RuntimeError as e: num, message = e.args # pylint: disable=unpacking-non-sequence 
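Review bot: in the trust-transitivity hunk, `root_logger.error('unable to set trust transitivity status: %s' % (str(e)))` still interpolates the message eagerly, and `(str(e))` is a parenthesised expression rather than a tuple, which reads as a mistake. Since the line is being rewrapped anyway, prefer logger arguments, `root_logger.error('unable to set trust transitivity status: %s', e)`, which defers formatting to the logging layer and is the idiom used elsewhere in the module.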
@@ -1135,9 +1230,11 @@ class TrustDomainInstance(object): another_domain.info['dns_domain']) if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED: - if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0: + if result.pdc_connection_status[0] != 0 and \ + result.tc_connection_status[0] != 0: if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED": - # Most likely AD DC hit another IPA replica which yet has no trust secret replicated + # Most likely AD DC hit another IPA replica which + # yet has no trust secret replicated # Sleep and repeat again self.validation_attempts += 1 
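Review bot: the verify_trust hunk replaces one long condition with a backslash continuation (`if result.pdc_connection_status[0] != 0 and \`); PEP 8 prefers implied continuation inside parentheses, e.g. `if (result.pdc_connection_status[0] != 0 and` / `        result.tc_connection_status[0] != 0):`, which cannot be broken by trailing whitespace after the backslash. The same applies to the backslash-continued `if` and assignment lines in the later hunks of this patch.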
@@ -1176,23 +1273,23 @@ class TrustDomainInstance(object): def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): trust_flags = dict( - NETR_TRUST_FLAG_IN_FOREST = 0x00000001, - NETR_TRUST_FLAG_OUTBOUND = 0x00000002, - NETR_TRUST_FLAG_TREEROOT = 0x00000004, - NETR_TRUST_FLAG_PRIMARY = 0x00000008, - NETR_TRUST_FLAG_NATIVE = 0x00000010, - NETR_TRUST_FLAG_INBOUND = 0x00000020, - NETR_TRUST_FLAG_MIT_KRB5 = 0x00000080, - NETR_TRUST_FLAG_AES = 0x00000100) + NETR_TRUST_FLAG_IN_FOREST=0x00000001, + NETR_TRUST_FLAG_OUTBOUND=0x00000002, + NETR_TRUST_FLAG_TREEROOT=0x00000004, + NETR_TRUST_FLAG_PRIMARY=0x00000008, + NETR_TRUST_FLAG_NATIVE=0x00000010, + NETR_TRUST_FLAG_INBOUND=0x00000020, + NETR_TRUST_FLAG_MIT_KRB5=0x00000080, + NETR_TRUST_FLAG_AES=0x00000100) trust_attributes = dict( - NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001, - NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002, - NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004, - NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008, - NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010, - NETR_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020, - NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) + NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE=0x00000001, + NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY=0x00000002, + NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN=0x00000004, + NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE=0x00000008, + NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION=0x00000010, + NETR_TRUST_ATTRIBUTE_WITHIN_FOREST=0x00000020, + NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL=0x00000040) def communicate(td): td.init_lsa_pipe(td.info['dc']) @@ -1302,7 +1399,7 @@ class TrustDomainJoins(object): def allow_behavior(self, *flags): for f in flags: - self.__allow_behavior |= int(f) + self.__allow_behavior |= int(f) def __populate_local_domain(self): # Initialize local domain info using kerberos only 
@@ -1314,7 +1411,8 @@ class TrustDomainJoins(object): ld.retrieve(installutils.get_fqdn()) self.local_domain = ld - def populate_remote_domain(self, realm, realm_server=None, realm_admin=None, realm_passwd=None): + def populate_remote_domain(self, realm, realm_server=None, + realm_admin=None, realm_passwd=None): def get_instance(self): # Fetch data from foreign domain using password only rd = TrustDomainInstance('') @@ -1330,7 +1428,8 @@ class TrustDomainJoins(object): if realm_server is None: rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True) else: - rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True) + rd.retrieve_anonymously(realm_server, + discover_srv=False, search_pdc=True) rd.read_only = True if realm_admin and realm_passwd: if 'name' in rd.info: @@ -1339,12 +1438,14 @@ class TrustDomainJoins(object): # realm admin is in DOMAIN\user format # strip DOMAIN part as we'll enforce the one discovered realm_admin = names[-1] - auth_string = u"%s\%s%%%s" % (rd.info['name'], realm_admin, realm_passwd) + auth_string = u"%s\%s%%%s" \ + % (rd.info['name'], realm_admin, realm_passwd) td = get_instance(self) td.creds.parse_string(auth_string) td.creds.set_workstation(self.local_domain.hostname) if realm_server is None: - # we must have rd.info['dns_hostname'] then, part of anonymous discovery + # we must have rd.info['dns_hostname'] then + # as it is part of the anonymous discovery td.retrieve(rd.info['dns_hostname']) else: td.retrieve(realm_server) @@ -1358,8 +1459,8 @@ class TrustDomainJoins(object): """ Generate list of records for forest trust information about our realm domains. Note that the list generated currently - includes only top level domains, no exclusion domains, and no TDO objects - as we handle the latter in a separate way + includes only top level domains, no exclusion domains, and + no TDO objects as we handle the latter in a separate way """ if self.local_domain.read_only: return 
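Review bot: `auth_string = u"%s\%s%%%s" \` keeps the `\%` sequence, which is not a valid Python escape; it is left as a literal backslash today, but Python 3.6 and later emit a DeprecationWarning for it and it reads as a typo next to the escaped `%%`. Write the backslash explicitly, `u"%s\\%s%%%s"`, and wrap the expression in parentheses instead of using the line-continuation backslash. The reworded comment ("we must have rd.info['dns_hostname'] then / as it is part of the anonymous discovery") is fine.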
@@ -1367,10 +1468,15 @@ class TrustDomainJoins(object): self.local_domain.ftinfo_records = [] realm_domains = self.api.Command.realmdomains_show()['result'] - # Use realmdomains' modification timestamp to judge records last update time - entry = self.api.Backend.ldap2.get_entry(realm_domains['dn'], ['modifyTimestamp']) + # Use realmdomains' modification timestamp + # to judge records' last update time + entry = self.api.Backend.ldap2.get_entry( + realm_domains['dn'], ['modifyTimestamp']) # Convert the timestamp to Windows 64-bit timestamp format - trust_timestamp = long(time.mktime(entry['modifytimestamp'][0].timetuple())*1e7+116444736000000000) + trust_timestamp = long( + time.mktime( + entry.single_value.get('modifytimestamp').timetuple() + )*1e7+116444736000000000) for dom in realm_domains['associateddomain']: ftinfo = dict() @@ -1379,7 +1485,8 @@ class TrustDomainJoins(object): ftinfo['rec_type'] = lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME self.local_domain.ftinfo_records.append(ftinfo) - def join_ad_full_credentials(self, realm, realm_server, realm_admin, realm_passwd, trust_type): + def join_ad_full_credentials(self, realm, realm_server, realm_admin, + realm_passwd, trust_type): if not self.configured: return None 
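Review bot: the trust_timestamp hunk is not a pure reformat: it changes `entry['modifytimestamp'][0]` to `entry.single_value.get('modifytimestamp')`, which returns None (and then fails with AttributeError on `.timetuple()`) when the attribute is absent, where the old code raised KeyError. The behavioural change should be called out in the commit message or split into its own commit. While touching the line, compute the Windows 64-bit timestamp in integer arithmetic, `int(time.mktime(...)) * 10**7 + 116444736000000000`, rather than `*1e7` in floats, so the 100 ns units are not rounded, and note that `long` ties the expression to Python 2.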
@@ -1392,24 +1499,33 @@ class TrustDomainJoins(object): ) trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) - if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: + if self.remote_domain.info['dns_domain'] != \ + self.remote_domain.info['dns_forest']: if not trust_external: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], - domain=self.remote_domain.info['dns_domain']) + raise errors.NotAForestRootError( + forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) if not self.remote_domain.read_only: trustdom_pass = samba.generate_random_password(128, 128) self.get_realmdomains() self.remote_domain.establish_trust(self.local_domain, - trustdom_pass, trust_type, trust_external) + trustdom_pass, + trust_type, trust_external) self.local_domain.establish_trust(self.remote_domain, - trustdom_pass, trust_type, trust_external) - # if trust is inbound, we don't need to verify it because AD DC will respond - # with WERR_NO_SUCH_DOMAIN -- in only does verification for outbound trusts. + trustdom_pass, + trust_type, trust_external) + # if trust is inbound, we don't need to verify it because + # AD DC will respond with WERR_NO_SUCH_DOMAIN -- + # it only does verification for outbound trusts. result = True if trust_type == TRUST_BIDIRECTIONAL: result = self.remote_domain.verify_trust(self.local_domain) - return dict(local=self.local_domain, remote=self.remote_domain, verified=result) + return dict( + local=self.local_domain, + remote=self.remote_domain, + verified=result + ) return None def join_ad_ipa_half(self, realm, realm_server, trustdom_passwd, trust_type): 
@@ -1420,11 +1536,18 @@ class TrustDomainJoins(object): self.populate_remote_domain(realm, realm_server, realm_passwd=None) trust_external = bool(self.__allow_behavior & TRUST_JOIN_EXTERNAL) - if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: + if self.remote_domain.info['dns_domain'] != \ + self.remote_domain.info['dns_forest']: if not trust_external: - raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], - domain=self.remote_domain.info['dns_domain']) + raise errors.NotAForestRootError( + forest=self.remote_domain.info['dns_forest'], + domain=self.remote_domain.info['dns_domain']) self.local_domain.establish_trust(self.remote_domain, - trustdom_passwd, trust_type, trust_external) - return dict(local=self.local_domain, remote=self.remote_domain, verified=False) + trustdom_passwd, + trust_type, trust_external) + return dict( + local=self.local_domain, + remote=self.remote_domain, + verified=False + ) -- 2.7.4 From ftweedal at redhat.com Wed Jun 8 03:15:41 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 8 Jun 2016 13:15:41 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > Hi team, > > > > This patchset implements the 'ca' plugin for creating and managing > > lightweight sub-CAs, and updates the 'caacl' plugin and > > 'cert-request' command to support multiple CAs. > > > > A brief overview of the patches: > > > > 0059 > > 'ca' plugin, associated schema changes and container objects, > > Dogtag REST API wrapper > > 0060 > > Add CA entry for the IPA CA on install/upgrade > > 0061 > > Update 'caacl' plugin with CA support (including enforcement) > > 0062 > > Update ra.request_certificate() to support specifying target CA > > 0063 > > Add '--ca' option to 'cert-request' command > > 0064 > > Add '--issuer' option to 'cert-find' command > > > > These patches depend on other pending patches: > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > Signing key replication depends on unmerged Dogtag patches. Builds > > of Dogtag with the required patches, and of FreeIPA with all > > completed sub-CAs work, should be available from my COPR soon: > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > Some parts of the design are not implemented in the current > > patchset, including: > > > > - local parent CA (ipaca object) references > > - sub-CA certificate renewal > > - 'cert-show' command '--ca=NAME' option > > - certmonger support for specifying CA > > - revocation of deleted CAs > > > > I look forward to your reviews! > > > > Thanks, > > Fraser > > > Rebased and updated patches attached. 
> > Substantive changes: > > - add required attributes for issuer DN and subject DN > - prevent rename of IPA CA > - when adding IPA CA entry, contact Dogtag to learn authority id, > issuer DN and subject DN > - add 'read_ca' method to Dogtag interface > - tighten ACIs to prevent modification of ipacaid attribute > Updated patch 0064-3; adds --issuer option to cert-show and --ca option to cert-show and cert-find. -------------- next part -------------- From 7367f8efb5e8d8f1edeaaa74b3f35b79fc5a9a46 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH] Add issuer options to 'cert-show' and 'cert-find' Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 8 +++- VERSION | 4 +- ipaserver/plugins/cert.py | 106 +++++++++++++++++++++++++++++++------------- ipaserver/plugins/dogtag.py | 9 ++++ 4 files changed, 93 insertions(+), 34 deletions(-) diff --git a/API.txt b/API.txt index 571c646c7b973b3107e9abf9f60caa4ded297c2f..f6853991659bfcaaae12d68fe8b4b8edefd6855f 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,19,4 option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca?', autofill=False) option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) 
@@ -774,8 +776,10 @@ option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') command: cert_show -args: 1,2,1 +args: 1,4,1 arg: Str('serial_number') +option: Str('ca?', autofill=False) +option: Str('issuer?', autofill=False) option: Str('out?') option: Str('version?') output: Output('result') diff --git a/VERSION b/VERSION index 6577c80904f99ab6b30217ddc82625ccda928df0..600ab8182332de68bc356100ae0e232c68e30d90 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=179 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=180 +# Last change: ftweedal - add issuer options to cert-show and cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index f09947337efc3d5b5872937df4a82663dfb6eff9..ce7d042d4f872c9f8176e887fd2bbfe07c1fe1a9 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -583,37 +583,17 @@ class cert_show(VirtualCommand): takes_args = _serial_number - has_output_params = ( - Str('certificate', - label=_('Certificate'), - ), - Str('subject', - label=_('Subject'), - ), - Str('issuer', - label=_('Issuer'), - ), - Str('valid_not_before', - label=_('Not Before'), - ), - Str('valid_not_after', - label=_('Not After'), - ), - Str('md5_fingerprint', - label=_('Fingerprint (MD5)'), - ), - Str('sha1_fingerprint', - label=_('Fingerprint (SHA1)'), - ), - Str('revocation_reason', - label=_('Revocation reason'), - ), - Str('serial_number_hex', - label=_('Serial number (hex)'), - ), - ) - takes_options = ( + Str('ca?', + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), 
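Review bot: in the cert_show takes_options hunk, `doc=_('Name of issing CA')` has a typo and should read 'Name of issuing CA'. The string is marked for translation, so fixing it before it lands avoids an orphaned message in the .po files.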
@@ -621,6 +601,33 @@ class cert_show(VirtualCommand): ), ) + has_output_params = ( + Str('certificate', + label=_('Certificate'), + ), + Str('subject', + label=_('Subject'), + ), + Str('valid_not_before', + label=_('Not Before'), + ), + Str('valid_not_after', + label=_('Not After'), + ), + Str('md5_fingerprint', + label=_('Fingerprint (MD5)'), + ), + Str('sha1_fingerprint', + label=_('Fingerprint (SHA1)'), + ), + Str('revocation_reason', + label=_('Revocation reason'), + ), + Str('serial_number_hex', + label=_('Serial number (hex)'), + ), + ) + operation="retrieve certificate" def execute(self, serial_number, **options): @@ -635,8 +642,29 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'ca' in options and 'issuer' in options: + raise errors.MutuallyExclusiveError( + reason=_('CA and Issuer DN cannot both be set')) + if 'ca' in options: + ca_obj = api.Command.ca_show(options['ca'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + elif 'issuer' in options: + issuer_dn = options['issuer'] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)d and " + "issuer '%(issuer)s' not found") + % dict(serial=serial_number, issuer=issuer_dn)) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
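Review bot: in cert_show.execute, `DN(issuer_dn)` is built from the raw `--issuer` option and DN() can raise ValueError on a malformed string, which would surface to the client as an internal error rather than a validation error; validate the option (or catch ValueError and raise errors.ValidationError) before the comparison. Checking the certificate's issuer after retrieval, rather than trusting the serial number alone, is the right approach given the shared serial-number space described in the comment.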
@@ -738,6 +766,16 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('ca?', + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -822,6 +860,14 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'ca' in options and 'issuer' in options: + raise errors.MutuallyExclusiveError( + reason=_('CA and Issuer DN cannot both be set')) + if 'ca' in options: + ca_obj = api.Command.ca_show(options['ca'])['result'] + options['issuer'] = unicode(ca_obj['ipacasubjectdn'][0]) + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From ftweedal at redhat.com Wed Jun 8 05:22:39 2016 
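Review bot: in the cert_find takes_options hunk, `doc=_('Name of issing CA')` repeats the typo from cert_show and should read 'Name of issuing CA'.

Review bot: in cert_find.execute, the `'ca' in options` branch calls `api.Command.ca_show(options['ca'])`, which raises NotFound for an unknown CA name; in a find command an unknown CA would more naturally yield an empty result, since nothing can match it, consistent with how other filter options behave. The same reasoning argues against raising MutuallyExclusiveError here: two filter values that cannot both hold simply match nothing.

Review bot: the dogtag.py IssuerDN hunk has a copy-paste bug: `issuer_dn = cert.xpath('IssuerDN')` is followed by `if len(dn) == 1:`, which tests the SubjectDN result from the lines above instead of `issuer_dn`. A record with a SubjectDN but no IssuerDN element would make `issuer_dn[0]` raise IndexError. It should read `if len(issuer_dn) == 1:`.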
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 8 Jun 2016 15:22:39 +1000 Subject: [Freeipa-devel] [PATCH] 0066 Load server plugins in certmonger renewal helper Message-ID: <20160608052239.GS4744@dhcp-40-8.bne.redhat.com> Client/server plugin split apparently broke the certmonger renewal helper (https://fedorahosted.org/freeipa/ticket/5943). Please review attached patch - hopefully it is correct way to fix it. Thanks, Fraser -------------- next part -------------- From 88845c834534eb4bb3b3755cef4f3d4fbb1513b8 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 8 Jun 2016 15:18:00 +1000 Subject: [PATCH] Load server plugins in certmonger renewal helper The certmonger renewal helper needs to load server plugins to operate. Initialise the API with in_server=True. Fixes: https://fedorahosted.org/freeipa/ticket/5943 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 5a6b7fa2285480d76f7ecb66152692b0722d08d7..3f7333c0e0bb6059e8b3791ef5230c7e5663d2eb 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -445,7 +445,7 @@ def main(): 'ipaCACertRenewal': renew_ca_cert, } - api.bootstrap(context='renew') + api.bootstrap(in_server=True, context='renew') api.finalize() operation = os.environ.get('CERTMONGER_OPERATION') -- 2.5.5 From pspacek at redhat.com Wed Jun 8 08:07:18 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 8 Jun 2016 10:07:18 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> Message-ID: <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com>

On 7.6.2016 15:11, Stanislav Laznicka wrote:
> Hello,
>
> Thank you for your patch. As the thin-client patches were pushed in the
> meantime, the patch won't apply. Could you please send a rebased version?
>
> Also, I have a few comments to the patch:
>
> 1) I think that the commit message should be rather a brief conclusion to the
> changes made in the commit. This could help for faster orientation in the
> changes that were made to a certain part of code should you be searching for a
> bug introduced by a commit. Should some more info be required, it can be added
> to the ticket. Could you therefore shorten the commit message?

(My personal opinion, no golden standard.)

Honestly I disagree with Standa. Yes, the commit message seems to be a bit long but *tickets* are not the best place to put *technical* information into. Tickets are a planning tool but keep in mind that Trac may/will vanish one day and all we will have will be the (Git?) repo.

I would recommend putting the comment about expected input format into code comments somewhere around the batch command definition. This would reduce the commit message (roughly, the text needs to be adapted) to the part starting 'The code did not check the format of ' ... which is a perfectly reasonable description of the change. IMHO.

Petr^2 Spacek

> 2) Please do not add the tickets to comments in the code. You can use git
> blame -L or git log -L to see in which commits were the changes introduced to
> a certain part of a file, these commits should include the ticket number if
> more info is needed.
> > Standa > > > On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >> >> Hi all, >> >> the following patch checks the format of parameters passed to a method >> called through the batch command. I picked the ConversionError for invalid >> parameters format but this choice can be discussed if you have better >> suggestions... >> >> Fixes: https://fedorahosted.org/freeipa/ticket/5810 >> -- >> Florence Blanc-Renaud >> Identity Management Team, Red Hat >> >> > > > > -- Petr^2 Spacek From jcholast at redhat.com Wed Jun 8 08:16:46 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 10:16:46 +0200 Subject: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals In-Reply-To: <20160606132538.GK4744@dhcp-40-8.bne.redhat.com> References: <20160408142339.GV18277@dhcp-40-8.bne.redhat.com> <1460126839.7463.195.camel@redhat.com> <20160409001100.GY18277@dhcp-40-8.bne.redhat.com> <1460467890.8657.25.camel@redhat.com> <20160413011550.GI18277@dhcp-40-8.bne.redhat.com> <20160414063300.GN18277@dhcp-40-8.bne.redhat.com> <1461008648.30315.24.camel@redhat.com> <20160420062254.GE18277@dhcp-40-8.bne.redhat.com> <98e01be1-16c2-5f3c-6f95-a6e6447a1f1f@redhat.com> <20160601044906.GY4744@dhcp-40-8.bne.redhat.com> <20160606132538.GK4744@dhcp-40-8.bne.redhat.com> Message-ID: On 6.6.2016 15:25, Fraser Tweedale wrote: > On Wed, Jun 01, 2016 at 02:49:06PM +1000, Fraser Tweedale wrote: >> Updated patch attached; comments inline below. >> >> On Mon, Apr 25, 2016 at 07:55:46AM +0200, Jan Cholasta wrote: >>> I think it would be better to merge the `client` and `client_servicename` >>> into a single `client_principal` argument, as both of the arguments are used >>> only to specify the principal name of the client. >>> >> Done. >> >>> Also I would prefer if the keyfile and keytab arguments were required, >>> because it's better if you can explicitly see what values are used at the >>> call site. >>> >> Done. >> >>> Why is init_creds() now called from __init__()? Why is it still called from >>> _auth_header()? >>> >> I invoke it from __init__ for more eager failure if there's a >> problem (e.g. service is not in keytab), giving better error >> locality. >> >> It remains necessary to invoke it from _auth_header in case of >> short-lived credentials. I added some comments to the source. >> >>> Why is ldap_uri now passed to IPAKEMKeys()? >>> >> It tries to use LDAPI by default, so ldap_uri needs to be passed >> through if process owner cannot access LDAPI socket. 
I added >> commentary to source. >> >> Regarding your suggestion to make a base class and override class >> variables, I prefer to pass values around. There are very few >> instantiations of CustodiaClient so it is easy enough to follow. It may be easy to follow, but what you are currently doing is basically emulating subclassing with functools.partial, which is both unidiomatic and less readable than actual subclassing. But we are past the nitpicking phase, so I'm going to let that slide :-) >> > Self-NACK on 0051-4; rebased and updated patch attached. > > Only one substantive change, in custodiainstance.py: > > - client_service='host@' + self.fqdn, > + client_service='host@%s' % self.fqdn, > > First version broke uninstall because CustodiaInstance gets > initialised with 'host_name = None' and '+' doesn't like None. This will give "host@None" on uninstall, but I guess that's OK, since it's currently not used during uninstall. ACK. Pushed to master: f94ccca6761f7dbe3f99855d181fe2cec380d476 -- Jan Cholasta From jcholast at redhat.com Wed Jun 8 08:31:07 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 10:31:07 +0200 Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication In-Reply-To: <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> References: <20160414063937.GO18277@dhcp-40-8.bne.redhat.com> <20160421033003.GH18277@dhcp-40-8.bne.redhat.com> <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com> <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> Message-ID: <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com> On 6.6.2016 15:32, Fraser Tweedale wrote: > On Wed, Jun 01, 2016 at 02:49:29PM +1000, Fraser Tweedale wrote: >> Updated patches attached; comments inline. >> >> On Thu, May 05, 2016 at 04:52:29PM +1000, Fraser Tweedale wrote: >>>> I would rather add a new ACI than have one super-ACI for everything. That >>>> way you don't have to invent any complicated naming schemes *and* it will be >>>> more apparent what the ACI does. >>>> >>> OK, I'll simplify the scheme and create corresponding ACIs. >>> >> I added new ACIs for hosts to manage Dogtag keys; the keys live in >> a container with RDN cn=dogtag, nested under the main custodia keys >> container. >> >>>>>> However, calling `CAInstance.setup_lightweight_ca_key_retrieval()' >>>>>> *directly* from `ca.install_step_1' would probably work. Are you >>>>>> happy with putting it there, instead of `configure_instance()'? >>>> >>>> Works for me. >>>> >>> Cool, thanks. >>> >> This is implemented in the latest patch. >> > Rebased and updated patches attached. The only substantive change > is a simplification of the ipa-pki-retrieve-key script (patch 0054) > following a change in Dogtag's ExternalProcessKeyRetriever (it now > handles JSON).
Patch 0052:

The target of the "Dogtag service principals can search Custodia keys" ACI matches keys in the top-level Custodia container, but not in the Dogtag container. Is this intentional?

Patch 0053:

It seems the `servicename`+`host` and `principal` arguments of set_key() are carrying the same information, could you remove one of them?

Patch 0054:

1) Please use ipalib.config to read IPA configuration in ipa-pki-retrieve-key:

    from ipalib.config import Env

    env = Env(in_server=True)
    hostname = env.host
    realm = env.realm

2) I'm curious why you changed the key name from "ca/$NAME" to "ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped?

3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would expect a minimum required version bump in the spec file.

-- Jan Cholasta

From jcholast at redhat.com Wed Jun 8 11:00:36 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 13:00:36 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> Message-ID: <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> On 8.6.2016 05:15, Fraser Tweedale wrote: > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>> Hi team, >>> >>> This patchset implements the 'ca' plugin for creating and managing >>> lightweight sub-CAs, and updates the 'caacl' plugin and >>> 'cert-request' command to support multiple CAs. >>> >>> A brief overview of the patches: >>> >>> 0059 >>> 'ca' plugin, associated schema changes and container objects, >>> Dogtag REST API wrapper >>> 0060 >>> Add CA entry for the IPA CA on install/upgrade >>> 0061 >>> Update 'caacl' plugin with CA support (including enforcement) >>> 0062 >>> Update ra.request_certificate() to support specifying target CA >>> 0063 >>> Add '--ca' option to 'cert-request' command >>> 0064 >>> Add '--issuer' option to 'cert-find' command >>> >>> These patches depend on other pending patches: >>> >>> 0051, 0052, 0053, 0054, 0055, 0056 >>> >>> Signing key replication depends on unmerged Dogtag patches. Builds >>> of Dogtag with the required patches, and of FreeIPA with all >>> completed sub-CAs work, should be available from my COPR soon: >>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>> >>> Some parts of the design are not implemented in the current >>> patchset, including: >>> >>> - local parent CA (ipaca object) references >>> - sub-CA certificate renewal >>> - 'cert-show' command '--ca=NAME' option >>> - certmonger support for specifying CA >>> - revocation of deleted CAs >>> >>> I look forward to your reviews! 
>>>
>>> Thanks,
>>> Fraser
>>>
>> Rebased and updated patches attached.
>>
>> Substantive changes:
>>
>> - add required attributes for issuer DN and subject DN
>> - prevent rename of IPA CA
>> - when adding IPA CA entry, contact Dogtag to learn authority id,
>> issuer DN and subject DN
>> - add 'read_ca' method to Dogtag interface
>> - tighten ACIs to prevent modification of ipacaid attribute
>>
> Updated patch 0064-3; adds --issuer option to cert-show and --ca
> option to cert-show and cert-find.

Patch 0059:

1) On upgrade, why is the lightweight CA container created twice - once in 41-subca.update, once using ensure_entry() call? It should be done only once.

2) In ca_del, every CA specified in args[0] should be deleted, not just the first one.

3) Do not use NonFatalError, issue a warning instead:

    self.add_message(MyNewWarningClass(name=...))

4) Can it actually happen that ca_show does not return ipacaid? I guess not, so you should be able to remove the check altogether and don't bother with the warning.

Patch 0060-0062: LGTM

Patch 0063:

Could you please define the CA param as follows:

    Str('cacn?',
        cli_name='ca',
        query=True,
        label=_("CA"),
        doc=_("CA to use"),
    ),

? This is for consistency with framework-generated parent key params, which unfortunately we cannot leverage in cert_request currently.

Patch 0064:

1) See my comment for patch 0063, it applies here as well.

2) The --issuer option should not be included in cert_show - show commands are supposed to retrieve an object given primary key(s), and the primary key of CA objects is just their cn.

3) In find commands, the options form a filter, so instead of raising MutuallyExclusiveError in cert-find, return an empty result, as with any other unmatched filter.

-- Jan Cholasta

From slaznick at redhat.com Wed Jun 8 11:14:33 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 8 Jun 2016 13:14:33 +0200 Subject: [Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error In-Reply-To: <563432e8-aac2-2bc3-c290-ab56a3a5f684@redhat.com> References: <2646f4ce-dfe2-4916-e8e1-f86bfbd118b3@redhat.com> <7f1f1c03-6320-da3f-0c01-65954d28a148@redhat.com> <563432e8-aac2-2bc3-c290-ab56a3a5f684@redhat.com> Message-ID: On 06/08/2016 01:13 PM, Stanislav Laznicka wrote: > > > > On 06/07/2016 05:11 PM, Florence Blanc-Renaud wrote: >> On 06/07/2016 04:08 PM, Stanislav Laznicka wrote: >>> On 06/06/2016 02:47 PM, Florence Blanc-Renaud wrote: >>>> >>>> Hi, >>>> >>>> please find attached the patch for Ticket 5434 add context to >>>> exception on LdapEntry decode error >>>> >>>> https://fedorahosted.org/freeipa/ticket/5434 >>>> >>>> >>>> >>> Hello, >>> >>> Similarly to your patch 0003, could you please shorten the commit >>> message? I appreciate that you added the way to reproduce the bug >>> but I would rather see it in the comments of the ticket. >>> >>> I haven't tested the patch yet but I think that the try-except block >>> should also wrap the self._conn.decode in the raw_dels loop: >>> >>> 310 for value in raw_dels: >>> 311 value = self._conn.decode(value, name) >>> 312 if value in nice_adds: >>> 313 continue >>> 314 nice.remove(value) >>> >>> Standa >>> >> Hi Standa, >> >> thanks for your review. I will shorten the commit message as you >> suggested. >> >> Regarding the other decode() called for raw_dels, I was not sure in >> which case this part of the code was called. Do you happen to know if >> it is possible for an invalid value to be in the raw_sync list but not >> in the raw list? >> >> Flo. >> > I'm not sure if there's an easy way to do that. I would just put it > there should it ever occur to have more information about what happened. Forgot to include devel-list, sorry. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From pvomacka at redhat.com Wed Jun 8 11:21:30 2016 
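The wrapped decode the review above asks for, as an added example that is not FreeIPA's code or the patch under review; decode_value(), BINARY_ATTRS and the sync_attribute() loops are constructed stand-ins for the connection's decode(value, name) and the raw_adds/raw_dels handling:

```python
# Added example, not FreeIPA's own code. It models the raw-to-decoded sync
# loops discussed in the review: a decode failure is re-raised with the entry
# DN and attribute name attached, on both the "adds" and the "dels" path.
# decode_value() and BINARY_ATTRS are constructed stand-ins for the real
# connection's decode(value, name) and its notion of binary attributes.

BINARY_ATTRS = {"usercertificate", "krbextradata"}  # constructed sample set


class DecodeError(ValueError):
    """Decode failure that names the entry and attribute it came from."""

    def __init__(self, dn, attr, raw, cause):
        self.dn, self.attr, self.raw, self.cause = dn, attr, raw, cause
        super().__init__("entry %r: attribute %r has an undecodable value %r: %s"
                         % (dn, attr, raw, cause))


def decode_value(raw, attr):
    """Stand-in for the connection's decode(): UTF-8 text unless binary."""
    if attr.lower() in BINARY_ATTRS:
        return bytes(raw)
    return raw.decode("utf-8")


def decode_with_context(raw, dn, attr):
    """Decode one value; on failure raise DecodeError carrying dn and attr."""
    try:
        return decode_value(raw, attr)
    except (UnicodeDecodeError, AttributeError, TypeError) as exc:
        raise DecodeError(dn, attr, raw, exc) from exc


def sync_attribute(dn, attr, nice, raw_old, raw_new):
    """Apply the raw change raw_old -> raw_new to the decoded list `nice`.

    Values new in raw_new are decoded and appended; values gone from raw_old
    are decoded and removed, skipping any that were also just added.  Both
    loops go through decode_with_context(), which is the reviewer's point:
    a bad value on the deletion path must report its origin too.
    """
    raw_adds = [v for v in raw_new if v not in raw_old]
    raw_dels = [v for v in raw_old if v not in raw_new]
    nice_adds = []
    for value in raw_adds:
        value = decode_with_context(value, dn, attr)
        nice_adds.append(value)
        nice.append(value)
    for value in raw_dels:
        value = decode_with_context(value, dn, attr)
        if value in nice_adds:
            continue
        nice.remove(value)
    return nice


def explain_failure(dn, attr, nice, raw_old, raw_new):
    """Return the DecodeError message for a bad change, or None if it applied."""
    try:
        sync_attribute(dn, attr, nice, raw_old, raw_new)
    except DecodeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: a stray 0xff byte in a cn value that is being deleted.
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    print(explain_failure(dn, "cn", ["Alice"], [b"Alice", b"\xff"], [b"Alice"]))
```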
From: pvomacka at redhat.com (Pavel Vomacka) Date: Wed, 8 Jun 2016 13:21:30 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> Message-ID: On 06/08/2016 05:15 AM, Fraser Tweedale wrote: > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>> Hi team, >>> >>> This patchset implements the 'ca' plugin for creating and managing >>> lightweight sub-CAs, and updates the 'caacl' plugin and >>> 'cert-request' command to support multiple CAs. >>> >>> A brief overview of the patches: >>> >>> 0059 >>> 'ca' plugin, associated schema changes and container objects, >>> Dogtag REST API wrapper >>> 0060 >>> Add CA entry for the IPA CA on install/upgrade >>> 0061 >>> Update 'caacl' plugin with CA support (including enforcement) >>> 0062 >>> Update ra.request_certificate() to support specifying target CA >>> 0063 >>> Add '--ca' option to 'cert-request' command >>> 0064 >>> Add '--issuer' option to 'cert-find' command >>> >>> These patches depend on other pending patches: >>> >>> 0051, 0052, 0053, 0054, 0055, 0056 >>> >>> Signing key replication depends on unmerged Dogtag patches. Builds >>> of Dogtag with the required patches, and of FreeIPA with all >>> completed sub-CAs work, should be available from my COPR soon: >>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>> >>> Some parts of the design are not implemented in the current >>> patchset, including: >>> >>> - local parent CA (ipaca object) references >>> - sub-CA certificate renewal >>> - 'cert-show' command '--ca=NAME' option >>> - certmonger support for specifying CA >>> - revocation of deleted CAs >>> >>> I look forward to your reviews! 
>>> >>> Thanks, >>> Fraser >>> >> Rebased and updated patches attached. >> >> Substantive changes: >> >> - add required attributes for issuer DN and subject DN >> - prevent rename of IPA CA >> - when adding IPA CA entry, contact Dogtag to learn authority id, >> issuer DN and subject DN >> - add 'read_ca' method to Dogtag interface >> - tighten ACIs to prevent modification of ipacaid attribute >> > Updated patch 0064-3; adds --issuer option to cert-show and --ca > option to cert-show and cert-find. > > Hello, why is there a --rename option in the ca-mod command? Shouldn't it rather be --cn, to be consistent with ca-show? Is there any reason to have rename there? Just a note: I look at it mainly from the point of view of the WebUI. -- Pavel^3 Vomacka -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvomacka at redhat.com Wed Jun 8 11:37:42 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Wed, 8 Jun 2016 13:37:42 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> Message-ID: On 06/08/2016 01:21 PM, Pavel Vomacka wrote: > > > > On 06/08/2016 05:15 AM, Fraser Tweedale wrote: >> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>> Hi team, >>>> >>>> This patchset implements the 'ca' plugin for creating and managing >>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>> 'cert-request' command to support multiple CAs. >>>> >>>> A brief overview of the patches: >>>> >>>> 0059 >>>> 'ca' plugin, associated schema changes and container objects, >>>> Dogtag REST API wrapper >>>> 0060 >>>> Add CA entry for the IPA CA on install/upgrade >>>> 0061 >>>> Update 'caacl' plugin with CA support (including enforcement) >>>> 0062 >>>> Update ra.request_certificate() to support specifying target CA >>>> 0063 >>>> Add '--ca' option to 'cert-request' command >>>> 0064 >>>> Add '--issuer' option to 'cert-find' command >>>> >>>> These patches depend on other pending patches: >>>> >>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>> >>>> Signing key replication depends on unmerged Dogtag patches. Builds >>>> of Dogtag with the required patches, and of FreeIPA with all >>>> completed sub-CAs work, should be available from my COPR soon: >>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>> >>>> Some parts of the design are not implemented in the current >>>> patchset, including: >>>> >>>> - local parent CA (ipaca object) references >>>> - sub-CA certificate renewal >>>> - 'cert-show' command '--ca=NAME' option >>>> - certmonger support for specifying CA >>>> - revocation of deleted CAs >>>> >>>> I look forward to your reviews! 
>>>> >>>> Thanks, >>>> Fraser >>>> >>> Rebased and updated patches attached. >>> >>> Substantive changes: >>> >>> - add required attributes for issuer DN and subject DN >>> - prevent rename of IPA CA >>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>> issuer DN and subject DN >>> - add 'read_ca' method to Dogtag interface >>> - tighten ACIs to prevent modification of ipacaid attribute >>> >> Updated patch 0064-3; adds --issuer option to cert-show and --ca >> option to cert-show and cert-find. >> >> > Hello, > > why is there --rename option in ca-mod command? Shouldn't it be rather > --cn to be consistent with ca-show? Actually, I meant to be consistent with the attribute name in the result of the API call of the ca-show command. > Is there any reason why to have there rename? Just a note: I look at > it mainly from point of view of WebUI. > > -- > Pavel^3 Vomacka > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Wed Jun 8 11:45:55 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 13:45:55 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> Message-ID: <7b62092b-fe3a-7728-ec01-3e8fd78fbeb1@redhat.com> On 8.6.2016 13:37, Pavel Vomacka wrote: > > > On 06/08/2016 01:21 PM, Pavel Vomacka wrote: >> >> >> >> On 06/08/2016 05:15 AM, Fraser Tweedale wrote: >>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>> Hi team, >>>>> >>>>> This patchset implements the 'ca' plugin for creating and managing >>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>> 'cert-request' command to support multiple CAs. >>>>> >>>>> A brief overview of the patches: >>>>> >>>>> 0059 >>>>> 'ca' plugin, associated schema changes and container objects, >>>>> Dogtag REST API wrapper >>>>> 0060 >>>>> Add CA entry for the IPA CA on install/upgrade >>>>> 0061 >>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>> 0062 >>>>> Update ra.request_certificate() to support specifying target CA >>>>> 0063 >>>>> Add '--ca' option to 'cert-request' command >>>>> 0064 >>>>> Add '--issuer' option to 'cert-find' command >>>>> >>>>> These patches depend on other pending patches: >>>>> >>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>> >>>>> Signing key replication depends on unmerged Dogtag patches. 
Builds >>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>> completed sub-CAs work, should be available from my COPR soon: >>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>> >>>>> Some parts of the design are not implemented in the current >>>>> patchset, including: >>>>> >>>>> - local parent CA (ipaca object) references >>>>> - sub-CA certificate renewal >>>>> - 'cert-show' command '--ca=NAME' option >>>>> - certmonger support for specifying CA >>>>> - revocation of deleted CAs >>>>> >>>>> I look forward to your reviews! >>>>> >>>>> Thanks, >>>>> Fraser >>>>> >>>> Rebased and updated patches attached. >>>> >>>> Substantive changes: >>>> >>>> - add required attributes for issuer DN and subject DN >>>> - prevent rename of IPA CA >>>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>>> issuer DN and subject DN >>>> - add 'read_ca' method to Dogtag interface >>>> - tighten ACIs to prevent modification of ipacaid attribute >>>> >>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>> option to cert-show and cert-find. >>> >>> >> Hello, >> >> why is there --rename option in ca-mod command? Shouldn't it be rather >> --cn to be consistent with ca-show? > Actually, I meant to be consistent with attribute name in result of API > call of ca-show command. >> Is there any reason why to have there rename? Just a note: I look at >> it mainly from point of view of WebUI. It is consistent with other mod commands, they all have --rename if the object is renameable. You can't use the primary key name (cn) because that's already taken by the positional argument of the show command. -- Jan Cholasta From frenaud at redhat.com Wed Jun 8 12:06:38 2016 
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Wed, 8 Jun 2016 14:06:38 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> Message-ID: On 06/08/2016 10:07 AM, Petr Spacek wrote: > On 7.6.2016 15:11, Stanislav Laznicka wrote: >> Hello, >> >> Thank you for your patch. As the thin-client patches were pushed in the >> meantime, the patch won't apply. Could you please send a rebased version? >> >> Also, I have a few comments to the patch: >> >> 1) I think that the commit message should be rather a brief conclusion to the >> changes made in the commit. This could help for faster orientation in the >> changes that were made to a certain part of code should you be searching for a >> bug introduced by a commit. Should some more info be required, it can be added >> to the ticket. Could you therefore shorten the commit message? > (My personal opinion, no golden standard.) > > Honestly I disagree with Standa. Yes, the commit message seems to be a bit > long but *tickets* are not the best place to put *technical* information into. > > Tickets are planning tool but keep in mind that Trac may/will vanish one day > and all we will have will be (Git?) repo. > > I would recommend putting the comment about expected input format into code > comments somewhere around batch command definition. > > This would reduce commit message (roughly, the text needs to be adapted) to > part starting 'The code did not check the format of ' ... which is perfectly > reasonable description of the change. > > IMHO. > Petr^2 Spacek > > >> 2) Please do not add the tickets to comments in the code. 
You can use git >> blame -L or git log -L to see in which commits were the changes introduced to >> a certain part of a file, these commits should include the ticket number if >> more info is needed. >> >> Standa >> >> >> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>> Hi all, >>> >>> the following patch checks the format of parameters passed to a method >>> called through the batch command. I picked the ConversionError for invalid >>> parameters format but this choice can be discussed if you have better >>> suggestions... >>> >>> Fixes: https://fedorahosted.org/freeipa/ticket/5810 >>> -- >>> Florence Blanc-Renaud >>> Identity Management Team, Red Hat >>> >>> >> >> >> > Hi, please find an updated patch version with a less verbose commit msg. I also removed the reference to ticket # in the code. Flo. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0003-2-batch-command-can-be-used-to-trigger-internal-errors.patch Type: text/x-patch Size: 2822 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 8 12:09:24 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jun 2016 14:09:24 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> Message-ID: <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com> On 06/08/2016 10:07 AM, Petr Spacek wrote: > On 7.6.2016 15:11, Stanislav Laznicka wrote: >> Hello, >> >> Thank you for your patch. As the thin-client patches were pushed in the >> meantime, the patch won't apply. Could you please send a rebased version? >> >> Also, I have a few comments to the patch: >> >> 1) I think that the commit message should be rather a brief conclusion to the >> changes made in the commit. This could help for faster orientation in the >> changes that were made to a certain part of code should you be searching for a >> bug introduced by a commit. Should some more info be required, it can be added >> to the ticket. Could you therefore shorten the commit message? > > (My personal opinion, no golden standard.) > > Honestly I disagree with Standa. Yes, the commit message seems to be a bit > long but *tickets* are not the best place to put *technical* information into. > > Tickets are planning tool but keep in mind that Trac may/will vanish one day > and all we will have will be (Git?) repo. +1 The commit message is very good and honestly I'd like to see more of such commit messages. > > I would recommend putting the comment about expected input format into code > comments somewhere around batch command definition. > > This would reduce commit message (roughly, the text needs to be adapted) to > part starting 'The code did not check the format of ' ... which is perfectly > reasonable description of the change. 
The batch command deserves a doc string, so that it would be visible in the API browser, but that is not the subject of this ticket. Btw, the expected format is already in the code. > > IMHO. > Petr^2 Spacek > > >> 2) Please do not add the tickets to comments in the code. You can use git >> blame -L or git log -L to see in which commits were the changes introduced to >> a certain part of a file, these commits should include the ticket number if >> more info is needed. +1 >> >> Standa >> >> >> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>> >>> Hi all, >>> >>> the following patch checks the format of parameters passed to a method >>> called through the batch command. I picked the ConversionError for invalid >>> parameters format but this choice can be discussed if you have better >>> suggestions... >>> >>> Fixes: https://fedorahosted.org/freeipa/ticket/5810 >>> -- >>> Florence Blanc-Renaud >>> Identity Management Team, Red Hat >>> >>> >> >> >> >> > > -- Petr Vobornik From dkupka at redhat.com Wed Jun 8 12:11:49 2016
From: dkupka at redhat.com (David Kupka) Date: Wed, 8 Jun 2016 14:11:49 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> Message-ID: <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> On 28/04/16 14:45, Jan Cholasta wrote: > Hi, > > I have pushed my thin client WIP branch to GitHub: > . > > All commits up to "ipalib: use relative imports for cross-plugin > imports" should be good for review. The rest is subject to change > (WARNING: I will force push into this branch). > > Honza > Hello! Patch set: spec file: require correct packages to get API plugins schema: fix typo schema: fix topic command output replica install: use remote server API to create service entries schema: do not validate unrequested params in command_defaults fixes some regressions introduced by previous patches. Works for me and I haven't met any new regression or bug, ACK. -- David Kupka From slaznick at redhat.com Wed Jun 8 12:17:03 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 8 Jun 2016 14:17:03 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> Message-ID: On 06/07/2016 10:42 AM, Martin Basti wrote: > > > On 07.06.2016 10:43, Jan Cholasta wrote: >> On 7.6.2016 10:22, Martin Basti wrote: >>> >>> >>> On 07.06.2016 09:07, Jan Cholasta wrote: >>>> On 6.6.2016 18:29, Martin Basti wrote: >>>>> >>>>> >>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>>> >>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>>> >>>>>>>> >>>>>>> NACK >>>>>>> >>>>>>> please remove it from LDAPAddReverseMember too, it contains the >>>>>>> same >>>>>>> code >>>>>>> >>>>>>> Martin^2 >>>>>> >>>>>> Please see the modified patch. >>>>>> >>>>>> Standa >>>>>> >>>>> ACK >>>>> >>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>>> >>>> I think the attrs_list was supposed to be passed to the >>>> ldap.get_entry() call rather than removed, which would fix that every >>>> reverse member command always acts like --all was specified. >>>> >>> I'm really afraid, what can happen if we put attr_list into get_entry() >>> instead of '*', because this code were there for 4 years and I don't >>> feel happy enough to change it now, what we may break. >>> >>> Should I revert this commit then and postpone the ticket? >> >> It's a bug and should be fixed. The fix is easy so I see no point in >> postponing it. 
I see no reason to be really afraid, I'm pretty sure >> that removing the objectclass attribute (which is invisible in the >> CLI anyway) from the output of all the 4 commands that use this code >> won't break anything. >> > > Ok. It seems that tests expect objectClass to always be returned in derived methods. Is that expected behavior? If so, please see the attached patch. I wonder if the keys of the passed options should make it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)? -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0044-Revert-Removed-dead-code-from-LDAP-Remove-Add-Revers.patch Type: text/x-patch Size: 2030 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0045-The-LDAP-ReverseMember-shouldn-t-imply-all-is-always.patch Type: text/x-patch Size: 1629 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 8 12:20:48 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 8 Jun 2016 14:20:48 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts In-Reply-To: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> References: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> Message-ID: On 06/06/2016 04:17 PM, Pavel Vomacka wrote: > Hello, > > please review attached patch. > > Ticket: https://fedorahosted.org/freeipa/ticket/5931 > Also tables for host groups are needed. + the same UI should also be on the host page. -- Petr Vobornik From mbabinsk at redhat.com Wed Jun 8 12:40:51 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 8 Jun 2016 14:40:51 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> Message-ID: On 06/08/2016 02:11 PM, David Kupka wrote: > On 28/04/16 14:45, Jan Cholasta wrote: >> Hi, >> >> I have pushed my thin client WIP branch to GitHub: >> . >> >> All commits up to "ipalib: use relative imports for cross-plugin >> imports" should be good for review. The rest is subject to change >> (WARNING: I will force push into this branch). >> >> Honza >> > > Hello! > > Patch set: > > spec file: require correct packages to get API plugins > schema: fix typo > schema: fix topic command output > replica install: use remote server API to create service entries This one is not complete since it breaks replica install w/ --setup-dns. Removing this line seems to fix this case: """ diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 41eee96..d695a15 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1478,7 +1478,6 @@ def promote(installer): server_api.finalize() if options.setup_dns: - server_api.Backend.rpcclient.connect() server_api.Backend.ldap2.connect(autobind=True) dns.install(False, True, options, server_api """ > schema: do not validate unrequested params in command_defaults > > fixes some regressions introduced by previous patches. Works for me and > I haven't met any new regression or bug, ACK. > -- Martin^3 Babinsky From jcholast at redhat.com Wed Jun 8 12:44:45 2016 
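Review bot: the hunk drops `server_api.Backend.rpcclient.connect()` from the `if options.setup_dns:` branch and keeps only `server_api.Backend.ldap2.connect(autobind=True)` ahead of `dns.install(...)`, but neither the hunk nor the message records why the RPC client connection broke the --setup-dns replica install (the message only says removing the line "seems to fix" it). A one-line comment above the remaining connect call, or a sentence in the commit message, stating that the DNS install step on the promoted replica needs only the local LDAP backend would keep the next reader from re-adding the call.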
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 14:44:45 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> Message-ID: On 8.6.2016 14:40, Martin Babinsky wrote: > On 06/08/2016 02:11 PM, David Kupka wrote: >> On 28/04/16 14:45, Jan Cholasta wrote: >>> Hi, >>> >>> I have pushed my thin client WIP branch to GitHub: >>> . >>> >>> All commits up to "ipalib: use relative imports for cross-plugin >>> imports" should be good for review. The rest is subject to change >>> (WARNING: I will force push into this branch). >>> >>> Honza >>> >> >> Hello! >> >> Patch set: >> >> spec file: require correct packages to get API plugins >> schema: fix typo >> schema: fix topic command output >> replica install: use remote server API to create service entries > This one is not complete since it breaks replica install w/ --setup-dns. > Removing this line seems to fix this case: > > """ > diff --git a/ipaserver/install/server/replicainstall.py > b/ipaserver/install/server/replicainstall.py > index 41eee96..d695a15 100644 > --- a/ipaserver/install/server/replicainstall.py > +++ b/ipaserver/install/server/replicainstall.py > @@ -1478,7 +1478,6 @@ def promote(installer): > server_api.finalize() > > if options.setup_dns: > - server_api.Backend.rpcclient.connect() > server_api.Backend.ldap2.connect(autobind=True) > dns.install(False, True, options, server_api > """ Fixed. > > >> schema: do not validate unrequested params in command_defaults >> >> fixes some regressions introduced by previous patches. Works for me and >> I haven't met any new regression or bug, ACK. >> > > -- Jan Cholasta From jcholast at redhat.com Wed Jun 8 12:59:17 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 14:59:17 +0200 Subject: [Freeipa-devel] thin client regressions: otptoken In-Reply-To: <20160607084121.sd52t6gwqx7tlbkv@redhat.com> References: <20160607081712.y73qip5vowpsrlcd@redhat.com> <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com> <20160607084121.sd52t6gwqx7tlbkv@redhat.com> Message-ID: <6f65dd93-8882-da8a-706b-1a0348133073@redhat.com> On 7.6.2016 10:41, Alexander Bokovoy wrote: > On Tue, 07 Jun 2016, Jan Cholasta wrote: >> On 7.6.2016 10:17, Alexander Bokovoy wrote: >>> ipa: ERROR: AttributeError: 'str' object has no attribute 'decode' >>> Traceback (most recent call last): >>> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run >>> sys.exit(api.Backend.cli.run(argv)) >>> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run >>> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >>> **options) >>> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>> line 103, in output_for_cli >>> qr = self._get_qrcode(output, uri, options['version']) >>> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>> line 61, in _get_qrcode >>> qr_code = qr_output.getvalue().decode(encoding) >>> AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an >>> internal error has occurred >> >> Looks rather like a py3 regression to me. >> > Fix attached, made a ticket https://fedorahosted.org/freeipa/ticket/5938 The check is incorrect actually - a proper fix would be to use encode instead of decode. -- Jan Cholasta From slaznick at redhat.com Wed Jun 8 12:59:01 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 8 Jun 2016 14:59:01 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com> Message-ID: On 06/08/2016 02:09 PM, Petr Vobornik wrote: > On 06/08/2016 10:07 AM, Petr Spacek wrote: >> On 7.6.2016 15:11, Stanislav Laznicka wrote: >>> Hello, >>> >>> Thank you for your patch. As the thin-client patches were pushed in the >>> meantime, the patch won't apply. Could you please send a rebased version? >>> >>> Also, I have a few comments to the patch: >>> >>> 1) I think that the commit message should be rather a brief conclusion to the >>> changes made in the commit. This could help for faster orientation in the >>> changes that were made to a certain part of code should you be searching for a >>> bug introduced by a commit. Should some more info be required, it can be added >>> to the ticket. Could you therefore shorten the commit message? >> (My personal opinion, no golden standard.) >> >> Honestly I disagree with Standa. Yes, the commit message seems to be a bit >> long but *tickets* are not the best place to put *technical* information into. >> >> Tickets are planning tool but keep in mind that Trac may/will vanish one day >> and all we will have will be (Git?) repo. > +1 > > The commit message is very good and honestly I'd like to see more of > such commit messages. > >> I would recommend putting the comment about expected input format into code >> comments somewhere around batch command definition. >> >> This would reduce commit message (roughly, the text needs to be adapted) to >> part starting 'The code did not check the format of ' ... 
which is perfectly >> reasonable description of the change. > Batch command deserves a doc string, so that it would be visible in API > browser but that is not subject of this ticket. Btw, expected format is > already in the code. It is, although it may not be as clear that it is what you're looking for. As for the commit message, I would like to see the description of batch commands (which I think is really good) in the doc string rather than in the commit message to get the information about the change I need. However, that would require proper documentation (such as that in the commit message) in the code (where it belongs). As it is not there, or it is not that clear, I guess that the commit message is the right spot to have it and I was wrong here. >> IMHO. >> Petr^2 Spacek >> >> >>> 2) Please do not add the tickets to comments in the code. You can use git >>> blame -L or git log -L to see in which commits were the changes introduced to >>> a certain part of a file, these commits should include the ticket number if >>> more info is needed. > +1 > >>> Standa >>> >>> >>> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>>> Hi all, >>>> >>>> the following patch checks the format of parameters passed to a method >>>> called through the batch command. I picked the ConversionError for invalid >>>> parameters format but this choice can be discussed if you have better >>>> suggestions... >>>> >>>> Fixes: https://fedorahosted.org/freeipa/ticket/5810 >>>> -- >>>> Florence Blanc-Renaud >>>> Identity Management Team, Red Hat >>>> >>>> >>> >>> >>> >> > From jcholast at redhat.com Wed Jun 8 13:02:18 2016
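The parameter-format check that the batch-command thread (Flo's patch and the replies above) is about, as an added example that is not FreeIPA's code or the patch under review; ConversionError, CommandError, REGISTRY and SAMPLE_CALLS are constructed stand-ins, and the expected call shape `{'method': ..., 'params': [args, options]}` is the one the thread refers to:

```python
# Added example, not FreeIPA's own code. It shows the check the thread is
# about: validating the shape of each call handed to a batch-style command
# before dispatch, so a malformed entry becomes a per-call ConversionError
# instead of an unhandled TypeError (an internal error on the server).
# ConversionError, CommandError and REGISTRY are constructed stand-ins.


class ConversionError(ValueError):
    """Stand-in for ipalib.errors.ConversionError."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))


class CommandError(LookupError):
    """Stand-in for the error raised for an unknown command name."""


def validate_batch_call(call):
    """Return (method, args, options) for one entry or raise ConversionError.

    Expected format: {'method': <str>, 'params': [<args list>, <options dict>]}
    with string option keys, since options are applied as keyword arguments.
    """
    if not isinstance(call, dict):
        raise ConversionError("methods", "each call must be a dict")
    method = call.get("method")
    if not isinstance(method, str) or not method:
        raise ConversionError("method", "must be a non-empty string")
    params = call.get("params")
    if not isinstance(params, (list, tuple)) or len(params) != 2:
        raise ConversionError("params", "must be a list of [args, options]")
    args, options = params
    if not isinstance(args, (list, tuple)):
        raise ConversionError("params", "args must be a list")
    if not isinstance(options, dict) or not all(isinstance(k, str) for k in options):
        raise ConversionError("params", "options must be a dict with string keys")
    return method, list(args), dict(options)


def run_batch_unchecked(calls, registry):
    """Pre-fix behaviour: trust the request shape and dispatch directly."""
    return [{"result": registry[c["method"]](*c["params"][0], **c["params"][1])}
            for c in calls]


def run_batch(calls, registry):
    """Validated dispatch: bad entries become per-call errors, the rest run."""
    results = []
    for call in calls:
        try:
            method, args, options = validate_batch_call(call)
            if method not in registry:
                raise CommandError("unknown command: %s" % method)
            results.append({"result": registry[method](*args, **options)})
        except (ConversionError, CommandError) as exc:
            results.append({"error": str(exc), "error_name": type(exc).__name__})
    return results


# Constructed registry of two toy commands standing in for real IPA commands.
REGISTRY = {
    "user_show": lambda uid, **opts: {"uid": uid, "all": bool(opts.get("all"))},
    "ping": lambda: "pong",
}

# Constructed request: a well-formed call, one whose options are a list, and
# one whose option keys are not strings.  The unchecked dispatcher raises
# TypeError on the second entry; the validated one reports both and still
# returns the first result.
SAMPLE_CALLS = [
    {"method": "user_show", "params": [["alice"], {"all": True}]},
    {"method": "ping", "params": [[], []]},
    {"method": "user_show", "params": [["bob"], {1: "x"}]},
]


if __name__ == "__main__":
    for entry in run_batch(SAMPLE_CALLS, REGISTRY):
        print(entry)
```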
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 8 Jun 2016 15:02:18 +0200 Subject: [Freeipa-devel] [PATCH] 0066 Load server plugins in certmonger renewal helper In-Reply-To: <20160608052239.GS4744@dhcp-40-8.bne.redhat.com> References: <20160608052239.GS4744@dhcp-40-8.bne.redhat.com> Message-ID: On 8.6.2016 07:22, Fraser Tweedale wrote: > The client/server plugin split apparently broke the certmonger renewal > helper (https://fedorahosted.org/freeipa/ticket/5943). Please > review the attached patch - hopefully it is the correct way to fix it. It is the correct way. Thanks for the patch, ACK. Pushed to master: 6b3db0dc736a74c54b41f0746f1abc2091ba1be8 -- Jan Cholasta From pvomacka at redhat.com Wed Jun 8 13:32:45 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Wed, 8 Jun 2016 15:32:45 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts In-Reply-To: References: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> Message-ID: On 06/08/2016 02:20 PM, Petr Vobornik wrote: > On 06/06/2016 04:17 PM, Pavel Vomacka wrote: >> Hello, >> >> please review attached patch. >> >> Ticket: https://fedorahosted.org/freeipa/ticket/5931 >> > Also tables for host groups are needed. > > + the same UI should be also on host page. Added, please see the attached patch. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0041-2-Add-lists-of-hosts-allowed-to-create-or-retrieve-key.patch Type: text/x-patch Size: 9054 bytes Desc: not available URL: From pspacek at redhat.com Wed Jun 8 13:40:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 8 Jun 2016 15:40:59 +0200
Subject: [Freeipa-devel] [PATCH 0403-0407] Preparation work for per-server config in LDAP
In-Reply-To: <4e913778-fc0b-fdbd-bee0-2943d37b69d4@redhat.com>
References: <4e913778-fc0b-fdbd-bee0-2943d37b69d4@redhat.com>
Message-ID: <07675644-5694-3106-0762-4bf75a4221b8@redhat.com>

On 7.6.2016 12:09, Petr Spacek wrote:
> Hello,
>
> this patch set is preparation work for per-server config in LDAP, which is
> required for DNS location in IPA.
>
> This patch set should not cause any user-visible changes.
>
> https://fedorahosted.org/bind-dyndb-ldap/ticket/162

Here is the revised patch set. It fixes a couple of interesting bugs in corner cases I found during work on the next features.

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0403-2-Fix-in-destroy_ldap_instance-caused-by-uninitialized.patch
Type: text/x-patch
Size: 778 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0404-2-Separate-BIND-config-utilities-from-ACL-parsing.patch
Type: text/x-patch
Size: 10963 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0405-2-Settings-Support-enum-description-value-mapping.patch
Type: text/x-patch
Size: 1754 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0406-2-Settings-Expose-API-for-setting_unset-and-setting_fi.patch
Type: text/x-patch
Size: 1937 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0407-2-Untangle-forwarder-configuration-from-LDAP-code.patch
Type: text/x-patch
Size: 52798 bytes
Desc: not available
URL:

From abokovoy at redhat.com Wed Jun 8 13:41:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 8 Jun 2016 16:41:54 +0300
Subject: [Freeipa-devel] thin client regressions: otptoken
In-Reply-To: <6f65dd93-8882-da8a-706b-1a0348133073@redhat.com>
References: <20160607081712.y73qip5vowpsrlcd@redhat.com> <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com> <20160607084121.sd52t6gwqx7tlbkv@redhat.com> <6f65dd93-8882-da8a-706b-1a0348133073@redhat.com>
Message-ID: <20160608134154.fnyodsdgnwcbgoa3@redhat.com>

On Wed, 08 Jun 2016, Jan Cholasta wrote:
>On 7.6.2016 10:41, Alexander Bokovoy wrote:
>>On Tue, 07 Jun 2016, Jan Cholasta wrote:
>>>On 7.6.2016 10:17, Alexander Bokovoy wrote:
>>>>ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
>>>>Traceback (most recent call last):
>>>>  File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
>>>>    sys.exit(api.Backend.cli.run(argv))
>>>>  File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
>>>>    rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
>>>>  File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
>>>>    qr = self._get_qrcode(output, uri, options['version'])
>>>>  File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
>>>>    qr_code = qr_output.getvalue().decode(encoding)
>>>>AttributeError: 'str' object has no attribute 'decode'
>>>>ipa: ERROR: an internal error has occurred
>>>
>>>Looks rather like a py3 regression to me.
>>>
>>Fix attached, made a ticket https://fedorahosted.org/freeipa/ticket/5938
>
>The check is incorrect actually - a proper fix would be to use encode
>instead of decode.

Updated patch attached. It indeed works.

-- 
/ Alexander Bokovoy

-------------- next part --------------
From be6167d050d30a9204a65c10519a23ff2a7f93f7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Tue, 7 Jun 2016 11:37:41 +0300 Subject: [PATCH 5/7] otptoken: support Python 3 for the qr code When IPA client is using Python 3, there is no str.decode() method anymore. ipa: ERROR: AttributeError: 'str' object has no attribute 'decode' Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run sys.exit(api.Backend.cli.run(argv)) File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli qr = self._get_qrcode(output, uri, options['version']) File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode qr_code = qr_output.getvalue().decode(encoding) AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred Fixes https://fedorahosted.org/freeipa/ticket/5938 --- ipaclient/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py index 5d3f1f8..d7d5356 100644 --- a/ipaclient/plugins/otptoken.py +++ b/ipaclient/plugins/otptoken.py @@ -58,7 +58,7 @@ class otptoken_add(MethodOverride): encoding = locale.getpreferredencoding(False) try: - qr_code = qr_output.getvalue().decode(encoding) + qr_code = qr_output.getvalue().encode(encoding) except UnicodeError: add_message( version, -- 2.7.4 From pspacek at redhat.com Wed Jun 8 13:42:56 2016 
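Review bot: in the `_get_qrcode` hunk, `qr_output.getvalue().encode(encoding)` binds bytes rather than text to `qr_code` under Python 3 (`str.encode` returns bytes), so whatever later consumes `qr_code` for display now receives a different type than before; if the purpose of the `try` block is only to confirm that the QR output is representable in the locale encoding (the `except UnicodeError` branch adds a message), keep the original str value for output once the encode succeeds, or decode the result back to text. The traceback quoted in the commit message already shows `getvalue()` returning str on Python 3, which is why the old `.decode(encoding)` could never succeed there; a short comment on the line explaining that the encode is a representability check would prevent the next reader from "fixing" it back.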
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 8 Jun 2016 15:42:56 +0200
Subject: [Freeipa-devel] [PATCH 0408] Do not apply forwarding configuration for disabled master zones
Message-ID:

Hello,

Do not apply forwarding configuration for disabled master zones.

We have to respect idnsZoneActive attribute when calling fwd_configure_zone().

https://fedorahosted.org/bind-dyndb-ldap/ticket/164

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0408-Do-not-apply-forwarding-configuration-for-disabled-m.patch
Type: text/x-patch
Size: 4252 bytes
Desc: not available
URL:

From pspacek at redhat.com Wed Jun 8 13:44:23 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 8 Jun 2016 15:44:23 +0200
Subject: [Freeipa-devel] [PATCH 0409-0411] Parse idnsServerConfigObject and use its values for forwarder configuration Add LDAP schema for per-server config in LDAP Add server_ldap_settings layer to tree of setting objects
Message-ID:

Hello,

this patch set implements forwarder configuration in idnsServerConfigObject.

https://fedorahosted.org/bind-dyndb-ldap/ticket/162

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0409-Add-server_ldap_settings-layer-to-tree-of-setting-ob.patch
Type: text/x-patch
Size: 8380 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0410-Add-LDAP-schema-for-per-server-config-in-LDAP.patch
Type: text/x-patch
Size: 1413 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0411-Parse-idnsServerConfigObject-and-use-its-values-for-.patch
Type: text/x-patch
Size: 7756 bytes
Desc: not available
URL:

From pspacek at redhat.com Wed Jun 8 13:45:32 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 8 Jun 2016 15:45:32 +0200
Subject: [Freeipa-devel] [PATCH 0412] Fix interaction between root zone and global forwarders
Message-ID: <39277380-1482-510f-2bc5-3dd6f0a05f2a@redhat.com>

Hello,

Fix interaction between root zone and global forwarders.

Finally the following priority order should be respected in all circumstances:
- root zone (highest priority)
- server config in LDAP
- global config in LDAP
- named.conf

https://fedorahosted.org/bind-dyndb-ldap/ticket/165

This patch and all previous patches can be found in my Github repo in branch server_config_in_ldap3.

-- 
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0412-Fix-interaction-between-root-zone-and-global-forward.patch
Type: text/x-patch
Size: 4852 bytes
Desc: not available
URL:

From pvoborni at redhat.com Wed Jun 8 14:09:54 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 8 Jun 2016 16:09:54 +0200
Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles
In-Reply-To: <6c5ee253-49b1-5f24-00a1-15feb77728e4@redhat.com>
References: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com> <6c5ee253-49b1-5f24-00a1-15feb77728e4@redhat.com>
Message-ID: <5d97b475-c08a-951c-8064-f7c6030ff5bf@redhat.com>

On 06/05/2016 07:22 PM, Pavel Vomacka wrote:
>
> On 06/03/2016 03:10 PM, Petr Vobornik wrote:
>> On 06/02/2016 01:40 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> please review my patches which add webui for server roles.
>>>
>> Did not test yet. I'm waiting for rebase of backend.
>>
>> Patch 36: ACK (assuming it works when ^^ is available)
>>
>> Patch 37:
>>
>> 1. typo: 'overriden' - twice
> Fixed.
>>
>> 2. 'create_column_link' is a bad name for the method. The method doesn't
>> create a column link. It is a link's click handler. So the name should
>> be e.g. on_column_link_click
> Yes, this is better. Fixed.
>> Patch 38:
>>
>> 1. in serverroles_nested_search_facet wouldn't it be better to override
>> only get_refresh_command_options and maybe get_refresh_command_args
>> instead of full create_refresh_command?
>>
> Fixed.
>
> Attached the whole patchset with edited patches.
>
> --
> Pavel^3 Vomacka

1. Following line breaks navigation:

    that.on_column_link_click(value, entity);

it should be:

    return that.on_column_link_click(value, entity);

-- 
Petr Vobornik

From pvoborni at redhat.com Wed Jun 8 14:40:30 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 8 Jun 2016 16:40:30 +0200
Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI
In-Reply-To: <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com>
References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com>
Message-ID: <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com>

On 06/07/2016 10:07 AM, Pavel Vomacka wrote:
>
> On 06/06/2016 07:51 PM, Martin Basti wrote:
>>
>> On 05.06.2016 18:34, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> please review attached patches which add WebUI part of DNS Locations feature.
>>>
>>> --
>>> Pavel^3 Vomacka
>>>
>> NACK
>>
>> 1)
>> When I edit location description and click on revert button, then that nice
>> location table just disappears :)
> It's the same situation as with using 'Save' button - reported here:
> https://fedorahosted.org/freeipa/ticket/5776 . I'll write there a comment that
> revert button hides values in association tables.
>>
>> 2)
>> Can we put a placeholder "100" (gray font or something) to Location weight in
>> server detail view? Because when weight is not specified then default is 100
> Placeholder added.
>

1. please add "disable_facet_tabs: true," to location details page. There is no point to display a single facet tab.

2. can we extend location_association_table the same width as rule tables are extended in sudo and hbac rules? IIRC it needs to use specific section type of 'servers' section.

3. the placeholder 100 should be also added to adder dialog in location_association_table_widget

4. Description could be textarea - to be consistent with hbac, sudo rules.

5. "Information" section is called "General" or "$Entity Settings" on other parts of Web UI. It should be consistent.

-- 
Petr Vobornik

From ftweedal at redhat.com Wed Jun 8 15:21:29 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 9 Jun 2016 01:21:29 +1000
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
In-Reply-To: <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com>
References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com>
Message-ID: <20160608152129.GU4744@dhcp-40-8.bne.redhat.com>

On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote:
> On 8.6.2016 05:15, Fraser Tweedale wrote:
> > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
> > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
> > > > Hi team,
> > > >
> > > > This patchset implements the 'ca' plugin for creating and managing
> > > > lightweight sub-CAs, and updates the 'caacl' plugin and
> > > > 'cert-request' command to support multiple CAs.
> > > >
> > > > A brief overview of the patches:
> > > >
> > > > 0059
> > > >   'ca' plugin, associated schema changes and container objects,
> > > >   Dogtag REST API wrapper
> > > > 0060
> > > >   Add CA entry for the IPA CA on install/upgrade
> > > > 0061
> > > >   Update 'caacl' plugin with CA support (including enforcement)
> > > > 0062
> > > >   Update ra.request_certificate() to support specifying target CA
> > > > 0063
> > > >   Add '--ca' option to 'cert-request' command
> > > > 0064
> > > >   Add '--issuer' option to 'cert-find' command
> > > >
> > > > These patches depend on other pending patches:
> > > >
> > > >   0051, 0052, 0053, 0054, 0055, 0056
> > > >
> > > > Signing key replication depends on unmerged Dogtag patches. Builds
> > > > of Dogtag with the required patches, and of FreeIPA with all
> > > > completed sub-CAs work, should be available from my COPR soon:
> > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
> > > >
> > > > Some parts of the design are not implemented in the current
> > > > patchset, including:
> > > >
> > > > - local parent CA (ipaca object) references
> > > > - sub-CA certificate renewal
> > > > - 'cert-show' command '--ca=NAME' option
> > > > - certmonger support for specifying CA
> > > > - revocation of deleted CAs
> > > >
> > > > I look forward to your reviews!
> > > >
> > > > Thanks,
> > > > Fraser
> > > >
> > > Rebased and updated patches attached.
> > >
> > > Substantive changes:
> > >
> > > - add required attributes for issuer DN and subject DN
> > > - prevent rename of IPA CA
> > > - when adding IPA CA entry, contact Dogtag to learn authority id,
> > >   issuer DN and subject DN
> > > - add 'read_ca' method to Dogtag interface
> > > - tighten ACIs to prevent modification of ipacaid attribute
> > >
> > Updated patch 0064-3; adds --issuer option to cert-show and --ca
> > option to cert-show and cert-find.
>
> Patch 0059:
>
> 1) On upgrade, why is the lightweight CA container created twice - once in
> 41-subca.update, once using ensure_entry() call? It should be done only
> once.
>
I'll remove 41-subca.update; the routine in cainstance is the one that's needed.

> 2) In ca_del, every CA specified in args[0] should be deleted, not just the
> first one.
>
> 3) Do not use NonFatalError, issue a warning instead:
>
>     self.add_message(MyNewWarningClass(name=...))
>
> 4) Can it actually happen that ca_show does not return ipacaid? I guess not,
> so you should be able to remove the check altogether and don't bother with
> the warning.
>
ipacaid is mandatory now, so I'll remove the check.

> Patch 0060-0062: LGTM
>
Yippee \o/

> Patch 0063:
>
> Could you please define the CA param as follows:
>
>     Str('cacn?',
>         cli_name='ca',
>         query=True,
>         label=_("CA"),
>         doc=_("CA to use"),
>     ),
>
> ?
>
> This is for consistency with framework-generated parent key params, which
> unfortunately we cannot leverage in cert_request currently.
>
No problemo.

> Patch 0064:
>
> 1) See my comment for patch 0063, it applies here as well.
>
> 2) The --issuer option should not be included in cert_show - show commands
> are supposed to retrieve an object given primary key(s), and the primary key
> of CA objects is just their cn.
>
The --issuer argument is because the primary key for a cert is really (issuer, serial). So it shows the cert _with_ that issuer (and serial), not the cert _for_ that issuer.

> 3) In find commands, the options form a filter, so instead of raising
> MutuallyExclusiveError in cert-find, return an empty result, as with any
> other unmatched filter.
>
Here, --issuer and --ca are two different ways to specify the issuer. --issuer lets you give the issuer DN straight up; --ca takes the name of an IPA CA object and looks up its issuer DN. (Thus it makes no sense to give both options at once). Do you think it would be clearer to provide a single option that takes issuer DN or the name of CA? I considered this but decided against it because collisions are possible (one could name an IPA CA something that passes for a stringified DN).

Thanks for reviewing!
Fraser

From lslebodn at redhat.com Wed Jun 8 16:07:16 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Wed, 8 Jun 2016 18:07:16 +0200
Subject: [Freeipa-devel] git commit message
In-Reply-To: <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com>
References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com>
Message-ID: <20160608160716.GB20125@10.4.128.1>

On (08/06/16 14:09), Petr Vobornik wrote:
>On 06/08/2016 10:07 AM, Petr Spacek wrote:
>> On 7.6.2016 15:11, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> Thank you for your patch. As the thin-client patches were pushed in the
>>> meantime, the patch won't apply. Could you please send a rebased version?
>>>
>>> Also, I have a few comments to the patch:
>>>
>>> 1) I think that the commit message should be rather a brief conclusion to the
>>> changes made in the commit. This could help for faster orientation in the
>>> changes that were made to a certain part of code should you be searching for a
>>> bug introduced by a commit. Should some more info be required, it can be added
>>> to the ticket. Could you therefore shorten the commit message?
>>
>> (My personal opinion, no golden standard.)
>>
>> Honestly I disagree with Standa. Yes, the commit message seems to be a bit
>> long but *tickets* are not the best place to put *technical* information into.
>>
>> Tickets are planning tool but keep in mind that Trac may/will vanish one day
>> and all we will have will be (Git?) repo.
>
>+1
>
>The commit message is very good and honestly I'd like to see more of
>such commit messages.
>
Regarding the commit message, I like the recommendation about git commit messages from the Openstack wiki:
https://wiki.openstack.org/wiki/GitCommitMessages#Information_in_commit_messages

We can at least be inspired. IMHO a longer commit message is always better.

LS

From pvoborni at redhat.com Wed Jun 8 16:36:28 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 8 Jun 2016 18:36:28 +0200
Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone
In-Reply-To: <0d5d593f-4394-dbda-347e-f81a7d88f5f3@redhat.com>
References: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com> <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com> <0d5d593f-4394-dbda-347e-f81a7d88f5f3@redhat.com>
Message-ID: <69444cc4-c425-f201-2ca2-bc8d575a9c1b@redhat.com>

On 06/07/2016 10:30 AM, Pavel Vomacka wrote:
>
> On 06/07/2016 09:08 AM, Petr Spacek wrote:
>> Hi,
>>
>> the commit message does not say what was wrong and why and what works
>> now.
>> Please improve the commit message before pushing this.
> Commit message improved.
>>
>> Petr^2 Spacek
>>
>> On 6.6.2016 19:03, Pavel Vomacka wrote:
>>> Fix bad searching of reverse DNS zone
>>>
>>> https://fedorahosted.org/freeipa/ticket/5796
>>>

It fails with zones:
* 13.10.10.in-addr.arpa.
* 3.10.10.in-addr.arpa.

And A record: 10.10.13.1

Reason: you forgot to update target_zone.index when updating target_zone.target_zone

-- 
Petr Vobornik

From ftweedal at redhat.com Thu Jun 9 04:07:52 2016
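The report above (zones 13.10.10.in-addr.arpa. and 3.10.10.in-addr.arpa., A record 10.10.13.1) is exactly the case where a textual suffix match picks the wrong zone: "3.10.10.in-addr.arpa." is a string suffix of "1.13.10.10.in-addr.arpa." although its first label differs. The following is an added example, not FreeIPA Web UI code, that compares DNS labels and updates the stored index together with the chosen zone; the zone list is constructed from the report.

```javascript
// Added example (not FreeIPA code): select the reverse zone that contains
// an IPv4 address by comparing DNS labels, not raw string suffixes.

// Reverse-map name for an IPv4 address:
// "10.10.13.1" -> "1.13.10.10.in-addr.arpa."
function reverseName(ipv4) {
    const octets = ipv4.split('.');
    const valid = octets.length === 4 &&
        octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
    if (!valid) {
        throw new Error('not an IPv4 address: ' + ipv4);
    }
    return octets.reverse().join('.') + '.in-addr.arpa.';
}

// Split a name into lower-cased labels, ignoring a trailing dot.
function labels(name) {
    return name.toLowerCase().replace(/\.$/, '').split('.');
}

// The pitfall: plain string suffix matching. Every zone that is a textual
// suffix of the reverse name "matches", including a zone whose first label
// only shares trailing characters ("3" vs "13").
function stringSuffixMatches(zones, ipv4) {
    const name = reverseName(ipv4);
    return zones.filter(zone => name.endsWith(zone));
}

// Label-aware version: a zone matches only if its labels equal the trailing
// labels of the reverse name. Among the matches keep the deepest zone, and
// update the stored index at the same time as the chosen zone.
function findReverseZone(zones, ipv4) {
    const nameLabels = labels(reverseName(ipv4));
    let best = { index: -1, depth: -1 };
    zones.forEach((zone, index) => {
        const zoneLabels = labels(zone);
        if (zoneLabels.length > nameLabels.length) {
            return;
        }
        const tail = nameLabels.slice(nameLabels.length - zoneLabels.length);
        const matches = tail.every((label, i) => label === zoneLabels[i]);
        if (matches && zoneLabels.length > best.depth) {
            best = { index: index, depth: zoneLabels.length };
        }
    });
    if (best.index === -1) {
        return null;
    }
    return { index: best.index, zone: zones[best.index] };
}

// Constructed from the report above.
const REVERSE_ZONES = ['3.10.10.in-addr.arpa.', '13.10.10.in-addr.arpa.'];
```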
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 9 Jun 2016 14:07:52 +1000
Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication
In-Reply-To: <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com>
References: <20160414063937.GO18277@dhcp-40-8.bne.redhat.com> <20160421033003.GH18277@dhcp-40-8.bne.redhat.com> <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com> <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com>
Message-ID: <20160609040751.GW4744@dhcp-40-8.bne.redhat.com>

Updated patches 0053-6 and 0054-6 attached. Comments inline.

Thanks,
Fraser

On Wed, Jun 08, 2016 at 10:31:07AM +0200, Jan Cholasta wrote:
> Patch 0052:
>
> The target of the "Dogtag service principals can search Custodia keys" ACI
> matches keys in the top-level Custodia container, but not in the Dogtag
> container. Is this intentional?
>
ACI applies to all entries under the 'cn=custodia' tree, not only the entries directly under it.

> Patch 0053:
>
> It seems the `servicename`+`host` and `principal` arguments of set_key() are
> carrying the same information, could you remove one of them?
>
OK, just `principal` now.

> Patch 0054:
>
> 1) Please use ipalib.config to read IPA configuration in
> ipa-pki-retrieve-key:
>
>     from ipalib.config import Env
>
>     env = Env(in_server=True)
>     hostname = env.host
>     realm = env.realm
>
I have implemented this; it was necessary to also call `env._finalize()`.

> 2) I'm curious why you changed the key name from "ca/$NAME" to
> "ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped?
>
The payload of the `ca_wrapped` Custodia store is a PKIArchiveOptions object wrapped by the main CA's private key. (This payload is then encrypted by Custodia, as all Custodia payloads are). See my patch 0056 [1] for implementation details.

[1] https://www.redhat.com/archives/freeipa-devel/2016-May/msg00079.html

> 3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would
> expect a minimum required version bump in the spec file.
>
Indeed; I added this in latest patches.

-------------- next part --------------
From 5116bc9cd4a2f3f1dde4fbc5f941b091036fa78c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 11 Apr 2016 12:42:35 +1000
Subject: [PATCH 53/54] Optionally add service name to Custodia key DNs

Lightweight CAs support introduces new service principals for Dogtag, with Custodia keys. The current Custodia key creation uses a DN that contains only the key type and the hostname, so keys for multiple services on the same host cannot be created.

Add the 'generate_keys' method to generate keys for a host or an arbitrary service. When a service name is given, add the key entries in a nested container with RDN 'cn='. (The container is assumed to exist).

This change does not affect searching because subtree search is used, filtering on the ipaKeyUsage and memberPrincipal attributes.

Part of: https://fedorahosted.org/freeipa/ticket/4559

--- ipapython/secrets/kem.py | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py index 0abf28ae4403a7b6225404df361d12cb07ccc70b..d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d 100644 --- a/ipapython/secrets/kem.py +++ b/ipapython/secrets/kem.py @@ -3,6 +3,7 @@ from __future__ import print_function from ipaplatform.paths import paths from six.moves.configparser import ConfigParser +from ipapython.dn import DN from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import rsa, ec
@@ -105,11 +106,24 @@ class KEMLdap(iSecLdap): encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo) - def set_key(self, usage, host, principal, key): + def set_key(self, usage, principal, key): + """ + Write key for the host or service. + + Service keys are nested one level beneath the 'cn=custodia' + container, in the 'cn=' container; this allows + fine-grained control over key management permissions for + specific services. + + The container is assumed to exist. + + """ public_key = self._format_public_key(key) conn = self.connect() + servicename, host = principal.split('@')[0].split('/') name = '%s/%s' % (KEY_USAGE_MAP[usage], host) - dn = 'cn=%s,%s' % (name, self.keysbase) + service_rdn = ('cn', servicename) if servicename != 'host' else DN() + dn = str(DN(('cn', name), service_rdn, self.keysbase)) try: mods = [('objectClass', ['nsContainer', 'ipaKeyPolicy', @@ -170,15 +184,18 @@ class IPAKEMKeys(KEMKeysStore): return conn.get_key(usage, kid) def generate_server_keys(self): - principal = 'host/%s@%s' % (self.host, self.realm) + self.generate_keys('host') + + def generate_keys(self, servicename): + principal = '%s/%s@%s' % (servicename, self.host, self.realm) # Neutralize the key with read if any self._server_keys = None # Generate private key and store it pubkeys = newServerKeys(self.config['server_keys'], principal) # Store public key in LDAP ldapconn = KEMLdap(self.ldap_uri) - ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0]) - ldapconn.set_key(KEY_USAGE_ENC, self.host, principal, pubkeys[1]) + ldapconn.set_key(KEY_USAGE_SIG, principal, pubkeys[0]) + ldapconn.set_key(KEY_USAGE_ENC, principal, pubkeys[1]) @property def server_keys(self): -- 2.5.5 -------------- next part -------------- From e07041700f3f4c181aa6c50dd85d44bf1bc27cdc Mon Sep 17 00:00:00 2001 
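Review bot: in the `set_key` hunk, `servicename, host = principal.split('@')[0].split('/')` raises a bare ValueError for any principal whose name part does not contain exactly one '/' (a user principal, or an instance containing a slash), so a caller gets an unpacking traceback rather than a description of the bad input; validate the shape first and raise a descriptive error. The new docstring in the same hunk reads "in the 'cn=' container" with nothing after the equals sign, so the service-name placeholder appears to have been lost (the commit message has the same gap); and because the docstring states that the container is assumed to exist, a missing service container will surface as an LDAP error from the add rather than a clear message, which is worth either a pre-check or a sentence in the docstring saying who is responsible for creating it.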
From: Fraser Tweedale
Date: Wed, 1 Jun 2016 08:07:33 +1000
Subject: [PATCH 54/54] Setup lightweight CA key retrieval on install/upgrade

Add the ipa-pki-retrieve-key helper program and configure lightweight CA key replication on installation and upgrade. The specific configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the principal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever to invoke ipa-pki-retrieve-key for key retrieval

Also bump the minimum version of Dogtag to 10.3.2.

Part of: https://fedorahosted.org/freeipa/ticket/4559

--- freeipa.spec.in | 7 +++-- install/share/bootstrap-template.ldif | 6 ++++ install/tools/Makefile.am | 1 + install/tools/ipa-pki-retrieve-key | 32 ++++++++++++++++++++ install/updates/73-custodia.update | 5 ++++ ipalib/constants.py | 1 + ipaserver/install/ca.py | 9 +++++- ipaserver/install/cainstance.py | 56 +++++++++++++++++++++++++++++++++++ ipaserver/install/server/install.py | 6 ++-- ipaserver/install/server/upgrade.py | 4 ++- 10 files changed, 119 insertions(+), 8 deletions(-) create mode 100755 install/tools/ipa-pki-retrieve-key diff --git a/freeipa.spec.in b/freeipa.spec.in index d5d78f806607bfd61daab43f50dba8caa6d0661c..8eb3bd5fc385f9268909e8df0d570649a7de0c39 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -94,7 +94,7 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.2.6 +BuildRequires: pki-base >= 10.3.2 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3
@@ -155,8 +155,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= 0.55-1 -Requires: pki-ca >= 10.2.6-19 -Requires: pki-kra >= 10.2.6-19 +Requires: pki-ca >= 10.3.2 +Requires: pki-kra >= 10.3.2 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip @@ -1074,6 +1074,7 @@ fi %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-pki-retrieve-key %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 83be4399508a905f8eae7e2f59140a6b4051b661..f6ab35495ad7e9377404eb7a6b0bca26906f5421 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -179,6 +179,12 @@ objectClass: nsContainer objectClass: top cn: custodia +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: dogtag + dn: cn=s4u2proxy,cn=etc,$SUFFIX changetype: add objectClass: nsContainer diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 7212dabdbf968ee76cb2830e5054fe1a27712225..2866a30b2feacfec29a22eaf7965216fbbd69665 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -39,6 +39,7 @@ EXTRA_DIST = \ appdir = $(libexecdir)/ipa/ app_SCRIPTS = \ ipa-httpd-kdcproxy \ + ipa-pki-retrieve-key \ $(NULL) MAINTAINERCLEANFILES = \ diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key new file mode 100755 index 0000000000000000000000000000000000000000..740e799d2d8047570abecfb58f7dec07266ef429 --- /dev/null +++ b/install/tools/ipa-pki-retrieve-key 
@@ -0,0 +1,32 @@ +#!/usr/bin/python2 + +from __future__ import print_function + +import os +import sys + +from ipalib import constants +from ipalib.config import Env +from ipaplatform.paths import paths +from ipapython.secrets.client import CustodiaClient + +env = Env() +env._finalize() + +keyname = "ca_wrapped/" + sys.argv[1] +servername = sys.argv[2] + +service = constants.PKI_GSSAPI_SERVICE_NAME +client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') +client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + +# pylint: disable=no-member +client = CustodiaClient( + client_service='%s@%s' % (service, env.host), server=servername, + realm=env.realm, ldap_uri="ldaps://" + env.host, + keyfile=client_keyfile, keytab=client_keytab, + ) + +# Print the response JSON to stdout; it is already in the format +# that Dogtag's ExternalProcessKeyRetriever expects +print(client.fetch_key(keyname, store=False)) diff --git a/install/updates/73-custodia.update b/install/updates/73-custodia.update index f6520fb2e36dd1b234344a8cc4199ab72c664163..60f805ab82f141777c0d7731d4a0362e76961cce 100644 --- a/install/updates/73-custodia.update +++ b/install/updates/73-custodia.update @@ -2,3 +2,8 @@ dn: cn=custodia,cn=ipa,cn=etc,$SUFFIX default: objectClass: top default: objectClass: nsContainer default: cn: custodia + +dn: cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX +default: objectClass: top +default: objectClass: nsContainer +default: cn: dogtag diff --git a/ipalib/constants.py b/ipalib/constants.py index a2cbfdbcda07429478f97c62cc6896890f2f7979..97dff1d805a4f77469882103ab63cdb0fa55a024 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -264,3 +264,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' +PKI_GSSAPI_SERVICE_NAME = 'dogtag' diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 3a827aee86616d874bdc3d1a5735e46d1ab9bf9b..ac72c76883fda00e2f258a9ecfe9925722041fe9 100644 
--- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -182,7 +182,7 @@ def install_step_1(standalone, replica_config, options): basedn = ipautil.realm_to_suffix(realm_name) - ca = cainstance.CAInstance(realm_name, certs.NSS_DIR) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) if standalone: ca.stop('pki-tomcat') @@ -197,6 +197,13 @@ def install_step_1(standalone, replica_config, options): # This is done within stopped_service context, which restarts CA ca.enable_client_auth_to_db(paths.CA_CS_CFG_PATH) + # Lightweight CA key retrieval is configured in step 1 instead + # of CAInstance.configure_instance (which is invoked from step + # 0) because kadmin_addprinc fails until krb5.conf is installed + # by krb.create_instance. + # + ca.setup_lightweight_ca_key_retrieval() + if standalone and replica_config is None: serverid = installutils.realm_to_serverid(realm_name) dirname = dsinstance.config_dirname(serverid) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 475e74d7fbf796a87e1673fc997c05e41e352d2a..9f6a5037f92ad0168e80267999c7fbf5b7634ae0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -45,6 +45,7 @@ from six.moves.configparser import ConfigParser, RawConfigParser from ipalib import api from ipalib import pkcs10, x509 from ipalib import errors +import ipalib.constants from ipaplatform import services from ipaplatform.constants import constants @@ -59,6 +60,7 @@ from ipapython.certdb import get_ca_nickname from ipapython.dn import DN from ipapython.ipa_log_manager import log_mgr,\ standard_logging_setup, root_logger +from ipapython.secrets.kem import IPAKEMKeys from ipaserver.install import certs from ipaserver.install import dsinstance 
@@ -66,6 +68,7 @@ from ipaserver.install import installutils from ipaserver.install import ldapupdate from ipaserver.install import replication from ipaserver.install import service +from ipaserver.install import sysupgrade from ipaserver.install.dogtaginstance import (export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 
@@ -1356,11 +1359,64 @@ class CAInstance(DogtagInstance): self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) + self.step("Configure lightweight CA key retrieval", + self.setup_lightweight_ca_key_retrieval) self.step("enabling CA instance", self.__enable_instance) self.start_creation(runtime=210) + def setup_lightweight_ca_key_retrieval(self): + if sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval'): + return + + root_logger.info('[Set up lightweight CA key retrieval]') + + self.__setup_lightweight_ca_key_retrieval_kerberos() + self.__setup_lightweight_ca_key_retrieval_custodia() + + root_logger.info('Configuring key retriever') + directives = [ + ('features.authority.keyRetrieverClass', + 'com.netscape.ca.ExternalProcessKeyRetriever'), + ('features.authority.keyRetrieverConfig.executable', + '/usr/libexec/ipa/ipa-pki-retrieve-key'), + ] + for k, v in directives: + installutils.set_directive( + paths.CA_CS_CFG_PATH, k, v, quotes=False, separator='=') + + sysupgrade.set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True) + + def __setup_lightweight_ca_key_retrieval_kerberos(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + principal = '{}/{}@{}'.format(service, api.env.host, self.realm) + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating principal') + installutils.kadmin_addprinc(principal) + self.suffix = ipautil.realm_to_suffix(self.realm) + if not self.admin_conn: + self.ldap_connect() + self.move_service(principal) + + root_logger.info('Retrieving keytab') + keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') + installutils.create_keytab(keytab, principal) + os.chmod(keytab, 0o600) + os.chown(keytab, pent.pw_uid, pent.pw_gid) + + def __setup_lightweight_ca_key_retrieval_custodia(self): + service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME + pent = pwd.getpwnam(constants.PKI_USER) + + root_logger.info('Creating 
Custodia keys') + keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') + keystore = IPAKEMKeys({'server_keys': keyfile}) + keystore.generate_keys(service) + os.chmod(keyfile, 0o600) + os.chown(keyfile, pent.pw_uid, pent.pw_gid) + def replica_ca_install_check(config): if not config.setup_ca: diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 4b8ef048618823387481fdde53609e526bf3f244..e8d4db878207e3369dc1de7baeaa333c5374fc61 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -891,9 +891,6 @@ def install(installer): # we now need to enable ssl on the ds ds.enable_ssl() - if setup_ca: - ca.install_step_1(False, None, options) - krb = krbinstance.KrbInstance(fstore) if options.pkinit_cert_files: krb.create_instance(realm_name, host_name, domain_name, @@ -907,6 +904,9 @@ def install(installer): setup_pkinit=not options.no_pkinit, subject_base=options.subject) + if setup_ca: + ca.install_step_1(False, None, options) + # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2398aea90bb1def6ab1534d3640a6bfa20a6b237..1a1090f0c767238062916ec715a59983ddc59fdb 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1492,7 +1492,8 @@ def upgrade_configuration(): if subject_base: sub_dict['SUBJECT_BASE'] = subject_base - ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca = cainstance.CAInstance( + api.env.realm, certs.NSS_DIR, host_name=api.env.host) ca_running = ca.is_running() with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): 
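Review bot: in setup_lightweight_ca_key_retrieval (hunk `@@ -1356,11 +1359,64 @@`) the upgrade-state key is spelled differently on read and on write: `sysupgrade.get_upgrade_state('dogtag', 'setup_lwca_key_retrieval')` versus `sysupgrade.set_upgrade_state('dogtag', 'setup_lwca_key_retieval', True)`. The early return therefore never fires, and every upgrade run (the method is also called from upgrade_configuration in this patch) re-executes kadmin_addprinc, re-creates the keytab and regenerates the Custodia KEM key pair for the dogtag principal. Put the key name in one module-level constant and use it in both calls. A smaller point in the same hunk: the keytab and the `.keys` file are written first and only then chmod'ed to 0o600, which leaves a short window at the default umask; creating them under a restrictive umask would close it.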
@@ -1697,6 +1698,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() + ca.setup_lightweight_ca_key_retrieval() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 From dkupka at redhat.com Thu Jun 9 05:00:45 2016 From: dkupka at redhat.com (David Kupka) Date: Thu, 9 Jun 2016 07:00:45 +0200 Subject: [Freeipa-devel] [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment. In-Reply-To: <1194734610.40520786.1456913917730.JavaMail.zimbra@redhat.com> References: <1194734610.40520786.1456913917730.JavaMail.zimbra@redhat.com> Message-ID: On 02/03/16 11:18, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/5694 > Sending updated version crafted with Flo's help, thanks. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0094.1-man-Decribe-ipa-client-install-workaround-for-broken.patch Type: text/x-patch Size: 1506 bytes Desc: not available URL: From jcholast at redhat.com Thu Jun 9 05:49:51 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 07:49:51 +0200 Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication In-Reply-To: <20160609040751.GW4744@dhcp-40-8.bne.redhat.com> References: <20160414063937.GO18277@dhcp-40-8.bne.redhat.com> <20160421033003.GH18277@dhcp-40-8.bne.redhat.com> <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com> <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com> <20160609040751.GW4744@dhcp-40-8.bne.redhat.com> Message-ID: On 9.6.2016 06:07, Fraser Tweedale wrote: > Updated patches 0053-6 and 0054-6 attached. Comments inline. > > Thanks, > Fraser > > On Wed, Jun 08, 2016 at 10:31:07AM +0200, Jan Cholasta wrote: >> Patch 0052: >> >> The target of the "Dogtag service principals can search Custodia keys" ACI >> matches keys in the top-level Custodia container, but not in the Dogtag >> container. Is this intentional? >> > ACI applies to all entries under the 'cn=custodia' tree, not only > the entries directly under it. You are right: Mea culpa, I thought the target matching behavior was simpler than this. Anyway, could the ACI be tightened to allow access only to the Dogtag subtree? > >> >> Patch 0053: >> >> It seems the `servicename`+`host` and `principal` arguments of set_key() are >> carrying the same information, could you remove one of them? >> > OK, just `principal` now. > >> >> Patch 0054: >> >> 1) Please use ipalib.config to read IPA configuration in >> ipa-pki-retrieve-key: >> >> from ipalib.config import Env >> >> env = Env(in_server=True) >> hostname = env.host >> realm = env.realm >> > I have implemented this; it was necessary to also call > `env._finalize()`. Right. 
I wrote the above snippet off the top of my head, hence the omission. > >> 2) I'm curious why you changed the key name from "ca/$NAME" to >> "ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped? >> > The payload of the `ca_wrapped` Custodia store is a > PKIArchiveOptions object wrapped by the main CA's private key. > (This payload is then encrypted by Custodia, as all Custodia > payloads are). > > See my patch 0056 [1] for implementation details. > > [1] https://www.redhat.com/archives/freeipa-devel/2016-May/msg00079.html Wow, I totally missed patch 0055 and 0056! > >> 3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would >> expect a minimum required version bump in the spec file. >> > Indeed; I added this in latest patches. Thanks. ACK if the ACI in patch 52 does not need tightening. -- Jan Cholasta From jcholast at redhat.com Thu Jun 9 06:10:52 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 08:10:52 +0200 Subject: [Freeipa-devel] thin client regressions: otptoken In-Reply-To: <20160608134154.fnyodsdgnwcbgoa3@redhat.com> References: <20160607081712.y73qip5vowpsrlcd@redhat.com> <274802cb-b6bf-fb93-727a-4747080ff08c@redhat.com> <20160607084121.sd52t6gwqx7tlbkv@redhat.com> <6f65dd93-8882-da8a-706b-1a0348133073@redhat.com> <20160608134154.fnyodsdgnwcbgoa3@redhat.com> Message-ID: <17f7240a-7841-6cc7-e1c5-5b774346bf57@redhat.com> On 8.6.2016 15:41, Alexander Bokovoy wrote: > On Wed, 08 Jun 2016, Jan Cholasta wrote: >> On 7.6.2016 10:41, Alexander Bokovoy wrote: >>> On Tue, 07 Jun 2016, Jan Cholasta wrote: >>>> On 7.6.2016 10:17, Alexander Bokovoy wrote: >>>>> ipa: ERROR: AttributeError: 'str' object has no attribute 'decode' >>>>> Traceback (most recent call last): >>>>> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, >>>>> in run >>>>> sys.exit(api.Backend.cli.run(argv)) >>>>> File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, >>>>> in run >>>>> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >>>>> **options) >>>>> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>>>> line 103, in output_for_cli >>>>> qr = self._get_qrcode(output, uri, options['version']) >>>>> File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", >>>>> line 61, in _get_qrcode >>>>> qr_code = qr_output.getvalue().decode(encoding) >>>>> AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an >>>>> internal error has occurred >>>> >>>> Looks rather like a py3 regression to me. >>>> >>> Fix attached, made a ticket https://fedorahosted.org/freeipa/ticket/5938 >> >> The check is incorrect actually - a proper fix would be to use encode >> instead of decode. > Updated patch attached. It indeed works. Thanks, ACK. 
Pushed to: master: 29d669fec18c089619c199d66195ec3b73df7ee1 ipa-4-3: 94822209c4b6d4902188fc461578b819dfd2f7fc -- Jan Cholasta From dkupka at redhat.com Thu Jun 9 06:14:31 2016 From: dkupka at redhat.com (David Kupka) Date: Thu, 9 Jun 2016 08:14:31 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> Message-ID: <9a87b3a9-2f9d-c5f6-f3b8-16b0cf18e614@redhat.com> On 08/06/16 14:44, Jan Cholasta wrote: > On 8.6.2016 14:40, Martin Babinsky wrote: >> On 06/08/2016 02:11 PM, David Kupka wrote: >>> On 28/04/16 14:45, Jan Cholasta wrote: >>>> Hi, >>>> >>>> I have pushed my thin client WIP branch to GitHub: >>>> . >>>> >>>> All commits up to "ipalib: use relative imports for cross-plugin >>>> imports" should be good for review. The rest is subject to change >>>> (WARNING: I will force push into this branch). >>>> >>>> Honza >>>> >>> >>> Hello! >>> >>> Patch set: >>> >>> spec file: require correct packages to get API plugins >>> schema: fix typo >>> schema: fix topic command output >>> replica install: use remote server API to create service entries >> This one is not complete since it breaks replica install w/ --setup-dns. >> Removing this line seems to fix this case: >> >> """ >> diff --git a/ipaserver/install/server/replicainstall.py >> b/ipaserver/install/server/replicainstall.py >> index 41eee96..d695a15 100644 >> --- a/ipaserver/install/server/replicainstall.py >> +++ b/ipaserver/install/server/replicainstall.py 
>> @@ -1478,7 +1478,6 @@ def promote(installer): >> server_api.finalize() >> >> if options.setup_dns: >> - server_api.Backend.rpcclient.connect() >> server_api.Backend.ldap2.connect(autobind=True) >> dns.install(False, True, options, server_api >> """ > > Fixed. > >> >> >>> schema: do not validate unrequested params in command_defaults >>> >>> fixes some regressions introduced by previous patches. Works for me and >>> I haven't met any new regression or bug, ACK. >>> >> >> > > Thanks for the catch, Martin. Now it's really fixed and can be pushed. Obligatory keyword to trigger the push: ACK BTW, I've discovered other related issue [1] that is there since 4.2. I will send patch soon. [1] https://fedorahosted.org/freeipa/ticket/5945 -- David Kupka From dkupka at redhat.com Thu Jun 9 06:16:33 2016 From: dkupka at redhat.com (David Kupka) Date: Thu, 9 Jun 2016 08:16:33 +0200 Subject: [Freeipa-devel] [PATCH 0103-4] installer: Fix single command replica install with --setup-dns Message-ID: Should go into master, ipa-4-3 and ipa-4-2. https://fedorahosted.org/freeipa/ticket/5945 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0103.0-installer-positional_arguments-must-be-tuple-or-list.patch Type: text/x-patch Size: 1099 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0104.0-installer-index-raises-ValueError.patch Type: text/x-patch Size: 1220 bytes Desc: not available URL: From ftweedal at redhat.com Thu Jun 9 06:31:20 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 9 Jun 2016 16:31:20 +1000 Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication In-Reply-To: References: <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com> <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com> <20160609040751.GW4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160609063120.GX4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 07:49:51AM +0200, Jan Cholasta wrote: > On 9.6.2016 06:07, Fraser Tweedale wrote: > > Updated patches 0053-6 and 0054-6 attached. Comments inline. > > > > Thanks, > > Fraser > > > > On Wed, Jun 08, 2016 at 10:31:07AM +0200, Jan Cholasta wrote: > > > Patch 0052: > > > > > > The target of the "Dogtag service principals can search Custodia keys" ACI > > > matches keys in the top-level Custodia container, but not in the Dogtag > > > container. Is this intentional? > > > > > ACI applies to all entries under the 'cn=custodia' tree, not only > > the entries directly under it. > > You are right: > > > > Mea culpa, I thought the target matching behavior was simpler than this. > > Anyway, could the ACI be tightened to allow access only to the Dogtag > subtree? > Dogtag does need access to the host Custodia keys. I'm not sure how to tighten the ACI to prevent access to "deeper" levels. In any case they're all public keys and it's read only access, so I don't think it's an issue. > > > > > > > > Patch 0053: > > > > > > It seems the `servicename`+`host` and `principal` arguments of set_key() are > > > carrying the same information, could you remove one of them? > > > > > OK, just `principal` now. 
> > > > > > > > Patch 0054: > > > > > > 1) Please use ipalib.config to read IPA configuration in > > > ipa-pki-retrieve-key: > > > > > > from ipalib.config import Env > > > > > > env = Env(in_server=True) > > > hostname = env.host > > > realm = env.realm > > > > > I have implemented this; it was necessary to also call > > `env._finalize()`. > > Right. I wrote the above snippet off the top of my head, hence the omission. > > > > > > 2) I'm curious why you changed the key name from "ca/$NAME" to > > > "ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped? > > > > > The payload of the `ca_wrapped` Custodia store is a > > PKIArchiveOptions object wrapped by the main CA's private key. > > (This payload is then encrypted by Custodia, as all Custodia > > payloads are). > > > > See my patch 0056 [1] for implementation details. > > > > [1] https://www.redhat.com/archives/freeipa-devel/2016-May/msg00079.html > > Wow, I totally missed patch 0055 and 0056! > No worries; easily done because I sent more emails with fewer, largely independent patches. > > > > > 3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would > > > expect a minimum required version bump in the spec file. > > > > > Indeed; I added this in latest patches. > > Thanks. ACK if the ACI in patch 52 does not need tightening. > Thanks for reviewing! From ftweedal at redhat.com Thu Jun 9 06:44:48 2016 
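The subtree question in this exchange (whether an ACI placed on cn=custodia also covers keys stored under cn=dogtag) and the objectclass-filtered "System: Read CAs" ACI in the lightweight CA patch further down can both be checked offline with a small model. The following is an added example, not FreeIPA or 389-ds code: it models only the DN-scope part of ACI evaluation (an ACI with no explicit `target` applies to the entry it is placed on and to everything beneath it) plus a single-term equality `targetfilter`; bind rules, targetattr, rights and the full filter grammar are out of scope. The suffix dc=ipa,dc=example and the cn=cas,cn=ca and cn=dogtag,cn=custodia,cn=ipa,cn=etc containers come from the patches in this thread; the key entry names (replica-host-key, ca-signing-key), the sample ipaCa entries and the assumption that the Custodia ACI sits on cn=custodia without an explicit target are constructed for illustration.

```python
"""Simplified model of 389-ds ACI scoping: placement/target DN subtree + targetfilter.

Added example, not FreeIPA or 389-ds code.  Only two parts of ACI evaluation are
modelled: the DN scope and a single "(attr=value)" targetfilter.
"""
import re

# Split a DN on commas that are not escaped with a backslash (cn=Puppet\, Inc).
_UNESCAPED_COMMA = re.compile(r'(?<!\\),')
# Only "(attr=value)" filters are modelled; anything else is rejected.
_EQUALITY_FILTER = re.compile(r'^\(\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^()]+?)\s*\)$')

# Suffix as used in ACI.txt; the key entry names under Custodia are constructed.
SUFFIX = 'dc=ipa,dc=example'
CUSTODIA_DN = 'cn=custodia,cn=ipa,cn=etc,' + SUFFIX
CAS_DN = 'cn=cas,cn=ca,' + SUFFIX


def normalize_dn(dn):
    """Return the DN as a tuple of (type, value) pairs, both lowercased.

    Lowercasing approximates caseIgnore matching of cn/dc values.  Escapes are
    kept verbatim; multi-valued RDNs (a+b) are not handled.
    """
    rdns = []
    for rdn in _UNESCAPED_COMMA.split(dn):
        attr, sep, value = rdn.partition('=')
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError('malformed RDN %r in %r' % (rdn, dn))
        rdns.append((attr.lower(), value.lower()))
    return tuple(rdns)


def in_subtree(scope_dn, entry_dn):
    """True if entry_dn is scope_dn itself or lies anywhere beneath it."""
    scope = normalize_dn(scope_dn)
    entry = normalize_dn(entry_dn)
    return len(entry) >= len(scope) and entry[len(entry) - len(scope):] == scope


class Aci:
    """An ACI reduced to its scope: where it is placed (or its target) and a filter."""

    def __init__(self, placed_on, target=None, targetfilter=None):
        # With no explicit target, the ACI covers the entry it is placed on and below.
        self.scope = target if target is not None else placed_on
        self.filter = None
        if targetfilter is not None:
            m = _EQUALITY_FILTER.match(targetfilter)
            if m is None:
                raise ValueError('unsupported targetfilter %r' % targetfilter)
            self.filter = (m.group(1).lower(), m.group(2).lower())

    def applies_to(self, entry_dn, attrs):
        """attrs: {attribute: [values]} as the entry would be stored."""
        if not in_subtree(self.scope, entry_dn):
            return False
        if self.filter is None:
            return True
        attr, wanted = self.filter
        lowered = {k.lower(): v for k, v in attrs.items()}
        return wanted in (str(v).lower() for v in lowered.get(attr, ()))


def demo():
    """Scope checks for the two ACIs discussed; returns a dict for inspection."""
    # Custodia: placement on cn=custodia is assumed (patch 0052 is not shown here).
    custodia_read = Aci(placed_on=CUSTODIA_DN)
    # "System: Read CAs" from ACI.txt: placed on cn=cas with an objectclass filter.
    read_cas = Aci(placed_on=CAS_DN, targetfilter='(objectclass=ipaca)')
    host_key = 'cn=replica-host-key,' + CUSTODIA_DN          # constructed name
    dogtag_key = 'cn=ca-signing-key,cn=dogtag,' + CUSTODIA_DN  # constructed name
    return {
        'custodia_host_key': custodia_read.applies_to(host_key, {}),
        'custodia_dogtag_key': custodia_read.applies_to(dogtag_key, {}),
        # A target narrowed to cn=dogtag would no longer reach the host keys.
        'dogtag_only_target_sees_host_key': in_subtree('cn=dogtag,' + CUSTODIA_DN, host_key),
        'ca_entry': read_cas.applies_to('cn=puppet,' + CAS_DN, {'objectClass': ['top', 'ipaCa']}),
        'cas_container': read_cas.applies_to(CAS_DN, {'objectClass': ['top', 'nsContainer']}),
        'caacl_entry': read_cas.applies_to('cn=puppet,cn=caacls,cn=ca,' + SUFFIX, {'objectClass': ['ipaCa']}),
        'escaped_comma': read_cas.applies_to('cn=Puppet\\, Inc,' + CAS_DN, {'objectClass': ['ipaCa']}),
    }


if __name__ == '__main__':
    for name, value in sorted(demo().items()):
        print('%-34s %s' % (name, value))
```

The model makes the thread's two points visible: an ACI placed on cn=custodia reaches both the host key entry and the key under cn=dogtag, while a target narrowed to cn=dogtag would cut off the host keys Dogtag also needs; and a targetfilter on objectclass keeps the "Read CAs" rule off the nsContainer holding the CAs and off entries in sibling containers such as cn=caacls.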
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 9 Jun 2016 16:44:48 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: > > On 8.6.2016 05:15, Fraser Tweedale wrote: > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > > > > Hi team, > > > > > > > > > > This patchset implements the 'ca' plugin for creating and managing > > > > > lightweight sub-CAs, and updates the 'caacl' plugin and > > > > > 'cert-request' command to support multiple CAs. > > > > > > > > > > A brief overview of the patches: > > > > > > > > > > 0059 > > > > > 'ca' plugin, associated schema changes and container objects, > > > > > Dogtag REST API wrapper > > > > > 0060 > > > > > Add CA entry for the IPA CA on install/upgrade > > > > > 0061 > > > > > Update 'caacl' plugin with CA support (including enforcement) > > > > > 0062 > > > > > Update ra.request_certificate() to support specifying target CA > > > > > 0063 > > > > > Add '--ca' option to 'cert-request' command > > > > > 0064 > > > > > Add '--issuer' option to 'cert-find' command > > > > > > > > > > These patches depend on other pending patches: > > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. 
Builds > > > > > of Dogtag with the required patches, and of FreeIPA with all > > > > > completed sub-CAs work, should be available from my COPR soon: > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > > > > > > > Some parts of the design are not implemented in the current > > > > > patchset, including: > > > > > > > > > > - local parent CA (ipaca object) references > > > > > - sub-CA certificate renewal > > > > > - 'cert-show' command '--ca=NAME' option > > > > > - certmonger support for specifying CA > > > > > - revocation of deleted CAs > > > > > > > > > > I look forward to your reviews! > > > > > > > > > > Thanks, > > > > > Fraser > > > > > > > > > Rebased and updated patches attached. > > > > > > > > Substantive changes: > > > > > > > > - add required attributes for issuer DN and subject DN > > > > - prevent rename of IPA CA > > > > - when adding IPA CA entry, contact Dogtag to learn authority id, > > > > issuer DN and subject DN > > > > - add 'read_ca' method to Dogtag interface > > > > - tighten ACIs to prevent modification of ipacaid attribute > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca > > > option to cert-show and cert-find. > > > > Patch 0059: > > > > 1) On upgrade, why is the lightweight CA container created twice - once in > > 41-subca.update, once using ensure_entry() call? It should be done only > > once. > > > I'll remove 41-subca.update; the routine in cainstance is the one > that's needed. > > > 2) In ca_del, every CA specified in args[0] should be deleted, not just the > > first one. > > > > 3) Do not use NonFatalError, issue a warning instead: > > > > self.add_message(MyNewWarningClass(name=...)) > > > > 4) Can it actually happen that ca_show does not return ipacaid? I guess not, > > so you should be able to remove the check altogether and don't bother with > > the warning. > > > ipacaid is mandatory now, so I'll remove the check. 
> > > > > Patch 0060-0062: LGTM > > > Yippee \o/ > > > > > Patch 0063: > > > > Could you please define the CA param as follows: > > > > Str('cacn?', > > cli_name='ca', > > query=True, > > label=_("CA"), > > doc=_("CA to use"), > > ), > > > > ? > > > > This is for consistency with framework-generated parent key params, which > > unfortunately we cannot leverage in cert_request currently. > > > No problemo. > > > > > Patch 0064: > > > > 1) See my comment for patch 0063, it applies here as well. > > > > 2) The --issuer option should not be included in cert_show - show commands > > are supposed to retrieve an object given primary key(s), and the primary key > > of CA objects is just their cn. > > > The --issuer argument is because primary key for a cert is really > (issuer, serial). So it shows the cert _with_ that issuer (and > serial), not the cert _for_ that issuer. > > > 3) In find commands, the options form a filter, so instead of raising > > MutuallyExclusiveError in cert-find, return an empty result, as with any > > other unmatched filter. > > > Here, --issuer and --ca are two different ways to specify the > issuer. --issuer lets you give the issuer DN straight up; --ca > takes the name of an IPA CA object and looks up its issuer DN. > (Thus it makes no sense to give both options at once). > > Do you think it would be clearer to provide a single option that > takes issuer DN or the name of CA? I considered this but decided > against it because collisions are possible (one could name an IPA CA > something that passes for a stringified DN). > > Thanks for reviewing! > Fraser > Updated patches attached (0059-3..0063-3, 0064-4). No substantive changes to 0060..0062. -------------- next part -------------- From 60c684cc7da5d835546dbc3fa5c1ea42f045cf53 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Thu, 14 May 2015 01:46:06 -0400 Subject: [PATCH 59/63] Add 'ca' plugin This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 8 ++ API.txt | 64 +++++++++ VERSION | 4 +- install/conf/ipa-pki-proxy.conf | 4 +- install/share/60certificate-profiles.ldif | 4 + install/share/bootstrap-template.ldif | 6 + ipalib/constants.py | 2 + ipaserver/install/cainstance.py | 7 + ipaserver/install/server/upgrade.py | 16 ++- ipaserver/plugins/ca.py | 217 ++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 54 +++++++- 11 files changed, 380 insertions(+), 6 deletions(-) create mode 100644 ipaserver/plugins/ca.py diff --git a/ACI.txt b/ACI.txt index a09495e5a445d7c3bc51f0b082c538b80bbb425a..586f7343ef13b4b30e23543027220ed37ba2cb48 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example 
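Review bot: the "System: Modify CA" ACI grants write on `cn || description` for every ipaca entry under cn=cas, so the "prevent rename of IPA CA" change mentioned earlier in the thread is enforced only in the plugin; a holder of that permission can still rename cn=ipa with a plain LDAP modrdn. If the IPA CA's name must stay fixed, exclude it at the ACI level (for example a targetfilter of `(&(objectclass=ipaca)(!(cn=ipa)))` on the rule that permits writing cn) rather than relying on ca_mod alone. Also note that "System: Read CAs" is granted to `ldap:///all`, i.e. every authenticated bind, and includes ipacaid and the issuer/subject DNs; that is probably intended for a public CA directory, but state it in the commit message since the Dogtag authority ID becomes discoverable by any user.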
diff --git a/API.txt b/API.txt index f17093022d54d5cd0ccbf1863f6def0589bbf8c9..06e2bb56ad200de599112ffad17b4084e1ca44f3 100644 --- a/API.txt +++ b/API.txt 
@@ -450,12 +450,76 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,7,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: DNParam('ipacasubjectdn', cli_name='subject') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,11,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: DNParam('ipacaissuerdn?', autofill=False, cli_name='issuer') +option: DNParam('ipacasubjectdn?', autofill=False, cli_name='subject') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') 
+option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 4ada7467a646b4b7162fd56248399a65f8600663..5ab3c9d93db91a25cf4af6f77d678b4879c4910e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=176 -# Last change: mbasti - location-show: list servers in the location +IPA_API_VERSION_MINOR=177 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
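Review bot: in the ipa-pki-proxy.conf hunk (`@@ -27,7 +27,7 @@`) the changed `LocationMatch` pattern is not legible in this copy of the patch (only `- +` survives in front of `NSSOptions ... NSSVerifyClient optional`), so it is not possible to see here which additional /ca/rest paths become reachable through the proxy with client-certificate verification optional; please spell out the new pattern in the commit message and keep it limited to the authorities endpoints the ca plugin actually uses. The VERSION bump from 8 to 9 in the file header is present.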
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..a87fe667d56768419dacf57103e347e88c945e2a 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -4,5 +4,9 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY 
description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f6ab35495ad7e9377404eb7a6b0bca26906f5421..da12ddf0ca887e8305402048ceed5d5b28816164 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -476,3 +476,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/ipalib/constants.py b/ipalib/constants.py index 97dff1d805a4f77469882103ab63cdb0fa55a024..05ba1adbbf215680c9c23963fc8c90c4bfca4ce8 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,7 @@ DEFAULT_CONFIG = ( ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), @@ -265,3 +266,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 85cdda61428a9586be940e1aec3648ee3e9b13cc..a153bf371ff31d6da721936b2b17344746d951ff 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1628,6 +1628,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) 
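Review bot: ensure_lightweight_cas_container() (cainstance.py hunk) is only wired into upgrade_configuration through ca_ensure_lightweight_cas_container; nothing in this patch calls it on a fresh install, so either Dogtag's own spawn templates create `ou=authorities,ou=ca,o=ipaca` (worth stating in the commit message) or the install path needs the same call. In the schema hunk, `ipaCaId` is defined with caseIgnore equality and substring matching, which is what `ca-find --id` relies on, and `ipaCaIssuerDN`/`ipaCaSubjectDN` reuse the distinguishedName syntax so DN normalisation applies on search; both look right.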
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: @@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..ee98f0a2a9dc469d67676a3123d82ce519ba6d59 --- /dev/null +++ b/ipaserver/plugins/ca.py 
@@ -0,0 +1,217 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipaserver.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipaserver.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = [ + 'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn', + ] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + DNParam('ipacasubjectdn', + cli_name='subject', + label=_('Subject DN'), + doc=_('Subject Distinguished Name'), + flags=['no_update'], + ), + DNParam('ipacaissuerdn', + cli_name='issuer', + label=_('Issuer DN'), + doc=_('Issuer Distinguished Name'), + flags=['no_create', 'no_update'], + ), + ) + + permission_filter_objectclasses 
= ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'ipacaissuerdn', + 'ipacasubjectdn', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + }, + 'replaces': [ + '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # check for name collision before creating CA in Dogtag + try: + api.Object.ca.get_dn_if_exists(keys[-1]) + self.obj.handle_duplicate_entry(*keys) + except errors.NotFound: + pass + + # Create the CA in Dogtag. + with self.api.Backend.ra_lightweight_ca as ca_api: + resp = ca_api.create_ca(options['ipacasubjectdn']) + entry['ipacaid'] = [resp['id']] + entry['ipacaissuerdn'] = [resp['issuerDN']] + + # In the event that the issued certificate's subject DN + # differs from what was requested, record the actual DN. + # + entry['ipacasubjectdn'] = [resp['dn']] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + + return dn + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + if 'rename' in options or 'cn' in entry_attrs: + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=u'IPA CA cannot be renamed') + + return dn diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c4dc4e8c3ea55a0e1b67870dfb8eee45af..20349b05f02c6e186275a822a487eb4733d75c7d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
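Review bot: in `ca_del.pre_callback` the Dogtag side effects (`ca_api.disable_ca(ca_id)` then `ca_api.delete_ca(ca_id)`) run before the LDAP delete that actually enforces 'System: Delete CA', so a caller who can `ca-show` but may not delete gets the ACIError from the LDAP layer only after the authority has already been disabled and removed in Dogtag. Mirror `ca_add`, which calls `ldap.can_add(dn[1:])` before touching Dogtag: check delete rights on `dn` first (the `can_delete` counterpart of `can_add`), or move the Dogtag delete into `post_callback` so it runs only once the LDAP entry is gone. `ca_add` has the converse problem: if the LDAP add fails after `ca_api.create_ca(...)` succeeded, the new authority is left orphaned in Dogtag with no entry and no cleanup; at minimum document that, better disable/delete it on failure. Minor: `permission_filter_objectclasses = ['ipaca']` is assigned twice in the `ca` class body; drop one.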
@@ -2073,7 +2073,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( @@ -2147,3 +2150,52 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + New CA is issued by IPA CA. Nested sub-CAs and unrelated + root CAs are not yet supported. + + Return the (parsed) JSON response from server. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def read_ca(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', ca_id, headers={'Accept': 'application/json'}) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From c9ec4461244e256fe4a7927b1eb4a53cc6d0912b Mon Sep 17 00:00:00 2001 
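Review bot: `create_ca` and `read_ca` in the `ra_lightweight_ca` hunk wrap `json.loads` in a bare `except:`, which also swallows `KeyboardInterrupt`/`SystemExit` and discards the real decoding error; catch `ValueError` and put its message into the `RemoteRetrieveError`. Both methods also ignore `status`: unless `_ssldo` already raises on a non-2xx response (not visible in this hunk), an error body from Dogtag would be parsed and returned as if it were a created or read authority, and `ca_add` would then store whatever `resp['id']` it finds, so check `status` before parsing. Minor: `delete_ca` is the only call without an `Accept: application/json` header.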
From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/63] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 47 +++++++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 48 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index a153bf371ff31d6da721936b2b17344746d951ff..d05dae80dfb377460262923a5790bcc06a2ebde3 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -432,6 +432,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1899,6 +1900,52 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + + # find out authority id, issuer DN and subject DN of IPA CA + # + api.Backend.ra_lightweight_ca._read_password() + api.Backend.ra_lightweight_ca.override_port = 8443 + with api.Backend.ra_lightweight_ca as lwca: + data = lwca.read_ca('host-authority') + attrs = dict( + ipacaid=data['id'], + ipacaissuerdn=data['issuerDN'], + ipacasubjectdn=data['dn'], + ) + api.Backend.ra_lightweight_ca.override_port = None + + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', 'ca'), api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['ca'], + ) + ensure_entry( + DN(api.env.container_ca, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['cas'], + ) + ensure_entry( + DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + **attrs + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
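Review bot: `ensure_ipa_authority_entry()` sets `api.Backend.ra_lightweight_ca.override_port = 8443` and resets it to `None` only on the success path; if `lwca.read_ca('host-authority')` raises, the backend stays pointed at 8443 for the rest of the process. Put the `with` block in `try`/`finally` so the reset always runs, and add a comment saying why 8443 is needed here, since the magic number gives no hint. Also, when `ldap2.connect` fails the function only logs and returns, so on upgrade the `cn=ipa` entry is silently missing; because the later `cert-request` change in this series resolves the default CA via `ca_show(IPA_CA_CN)`, a missing entry breaks issuance outright, so this deserves an upgrade failure rather than an error line. Calling the private `_read_password()` from outside the backend is a smell too; give it a public name.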
@@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From 9af4873fe8606949ad9fd882f20f748c741982e1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/63] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 ++++++++++++-- VERSION | 4 +- ipaserver/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++--------------- ipaserver/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index 06e2bb56ad200de599112ffad17b4084e1ca44f3..f434ebad7cc0fa22388266a1dc696c15c6ec530f 100644 --- a/API.txt +++ b/API.txt @@ -521,12 +521,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) 
@@ -538,6 +539,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') @@ -607,12 +619,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) 
@@ -628,13 +641,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) @@ -647,6 +661,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 5ab3c9d93db91a25cf4af6f77d678b4879c4910e..9a40fde7593aee748a96417abef25b92221e5a14 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=177 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=178 +# Last change: ftweedal - update caacl plugin for lightweight CAs 
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, @@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name 
@@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj @@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { 
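Review bot: the compatibility default `rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])` in `_acl_make_rule` cannot tell an ACL that never had CA members from one whose members were all removed (`caacl-remove-ca`, or `ca-del` stripping the reference), so in both cases the rule quietly grants issuance from the IPA CA. That is the safe direction compared with `HBAC_CATEGORY_ALL`, but removing the last CA from an ACL re-enabling the host authority is surprising; state it in the module docstring next to the EXAMPLES, or have the upgrade add `ipamemberca` pointing at `cn=ipa,cn=cas,cn=ca,$SUFFIX` to existing ACLs so that the runtime fallback can be dropped.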
@@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], @@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index cbb5382fb5217d92c65d4b215b497958a31e978c..ef53608ece00ca6951ddeab08e0915a596116fcf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -29,6 +29,7 @@ from ipalib import errors from ipalib import pkcs10 from ipalib import x509 from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -236,7 +237,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -320,7 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From c4c857f55fed2a84ae18510d956a990cc7cb6ee4 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/63] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipaserver/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ef53608ece00ca6951ddeab08e0915a596116fcf..8fccb76292b685033f8ebda347b51a4eb599d2bc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -499,7 +499,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 20349b05f02c6e186275a822a487eb4733d75c7d..43aab92ffe6bba42d21135eb4f87cbde635f86e0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1554,10 +1554,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1586,13 +1588,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 2a50ac6fa1415f8456c6c2dc55eded4c7dc50a46 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/63] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index f434ebad7cc0fa22388266a1dc696c15c6ec530f..73b2379a7f86fcd00eabcb0bc1db4401223c8803 100644 --- a/API.txt +++ b/API.txt @@ -758,9 +758,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('cacn?', cli_name='ca') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index 9a40fde7593aee748a96417abef25b92221e5a14..6577c80904f99ab6b30217ddc82625ccda928df0 100644 --- a/VERSION +++ b/VERSION 
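Review bot: `request_certificate(self, csr, profile_id, ca_id, request_type='pkcs10')` in the dogtag.py and rabase.py hunks makes `ca_id` a required positional argument between two existing ones, which is why check-ra.py and cert.py had to grow an explicit `None`; any other `rabase` implementation or caller breaks at call time. A keyword default `ca_id=None` placed after `request_type` keeps old calls working and matches the docstring, which already says `None` is allowed. Also prefer `if ca_id is not None:` over `if ca_id:` so that only the documented `None` means "host authority" and an empty string is not silently mapped to it.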
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=178 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=179 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 8fccb76292b685033f8ebda347b51a4eb599d2bc..63a051fabdcd89d430128d3f06f44f17b9e09a27 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -274,7 +274,13 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('cacn?', + cli_name='ca', + query=True, + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -321,7 +327,13 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) and look up authority ID. + # + ca = kw.get('cacn', IPA_CA_CN) + ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -499,7 +511,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From 6eedfd3ec3f959ddc88360ecd61227714dd870ea Mon Sep 17 00:00:00 2001 
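Review bot: in the `cert_request.execute` hunk, `ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0]` runs before CA ACL enforcement, as the comment says, and that is acceptable because 'System: Read CAs' is granted with `ipapermbindruletype: all`; but an unknown `--ca` then surfaces as the generic `ca_show` NotFound rather than as an error naming the option, so catch it and re-raise with the option name. The comment also spells 'nonexistant'; it should be 'nonexistent'. `Str('cacn?', query=True)` is right for a lookup key, but `doc=_("CA to use")` gives no hint that the value is the name shown by `ipa ca-find`; say so.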
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH] Add issuer options to cert-show and cert-find Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 8 +++- VERSION | 4 +- ipaserver/plugins/cert.py | 110 ++++++++++++++++++++++++++++++++------------ ipaserver/plugins/dogtag.py | 9 ++++ 4 files changed, 97 insertions(+), 34 deletions(-) diff --git a/API.txt b/API.txt index 73b2379a7f86fcd00eabcb0bc1db4401223c8803..b7c71ca7e83aae3ed8984f836d83443d39239948 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,19,4 option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cacn?', autofill=False, cli_name='ca') option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -774,8 +776,10 @@ option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') command: cert_show -args: 1,2,1 +args: 1,4,1 arg: Str('serial_number') +option: Str('cacn?', autofill=False, cli_name='ca') +option: Str('issuer?', autofill=False) option: Str('out?') option: Str('version?') output: Output('result') diff --git a/VERSION b/VERSION index 6577c80904f99ab6b30217ddc82625ccda928df0..600ab8182332de68bc356100ae0e232c68e30d90 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=179 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=180 +# Last change: ftweedal - add issuer options to cert-show and cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63a051fabdcd89d430128d3f06f44f17b9e09a27..e1800c371a852c616142c388a56124b07055fafc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -579,37 +579,19 @@ class cert_show(VirtualCommand): takes_args = _serial_number - has_output_params = ( - Str('certificate', - label=_('Certificate'), - ), - Str('subject', - label=_('Subject'), - ), - Str('issuer', - label=_('Issuer'), - ), - Str('valid_not_before', - label=_('Not Before'), - ), - Str('valid_not_after', - label=_('Not After'), - ), - Str('md5_fingerprint', - label=_('Fingerprint (MD5)'), - ), - Str('sha1_fingerprint', - label=_('Fingerprint (SHA1)'), - ), - Str('revocation_reason', - label=_('Revocation reason'), - ), - Str('serial_number_hex', - label=_('Serial number (hex)'), - ), - ) - takes_options = ( + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), 
@@ -617,6 +599,33 @@ class cert_show(VirtualCommand): ), ) + has_output_params = ( + Str('certificate', + label=_('Certificate'), + ), + Str('subject', + label=_('Subject'), + ), + Str('valid_not_before', + label=_('Not Before'), + ), + Str('valid_not_after', + label=_('Not After'), + ), + Str('md5_fingerprint', + label=_('Fingerprint (MD5)'), + ), + Str('sha1_fingerprint', + label=_('Fingerprint (SHA1)'), + ), + Str('revocation_reason', + label=_('Revocation reason'), + ), + Str('serial_number_hex', + label=_('Serial number (hex)'), + ), + ) + operation="retrieve certificate" def execute(self, serial_number, **options): @@ -631,8 +640,29 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'cacn' in options and 'issuer' in options: + raise errors.MutuallyExclusiveError( + reason=_('CA and Issuer DN cannot both be set')) + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + elif 'issuer' in options: + issuer_dn = options['issuer'] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)d and " + "issuer '%(issuer)s' not found") + % dict(serial=serial_number, issuer=issuer_dn)) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
@@ -734,6 +764,18 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -818,6 +860,14 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'cacn' in options and 'issuer' in options: + raise errors.MutuallyExclusiveError( + reason=_('CA and Issuer DN cannot both be set')) + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + options['issuer'] = unicode(ca_obj['ipacasubjectdn'][0]) + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From pspacek at redhat.com Thu Jun 9 06:55:09 2016 
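Review bot: typo in the option doc added in the cert_show `@@ -579,37 +579,19 @@` hunk of ipaserver/plugins/cert.py: `doc=_('Name of issing CA')` should read `'Name of issuing CA'`. The same string is added a second time in the cert_find `@@ -734,6 +764,18 @@` hunk and needs the same fix.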
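Review bot: in the cert_show `@@ -631,8 +640,29 @@` hunk the user-supplied option is stored raw (`issuer_dn = options['issuer']`) and only parsed at the comparison `DN(unicode(cert.issuer)) != DN(issuer_dn)`, so a malformed `--issuer` value surfaces as an unhandled exception from DN() after the certificate has already been fetched from Dogtag, rather than as a ValidationError on the option. Parse it up front, e.g. wrap `DN(options['issuer'])` and raise `errors.ValidationError(name='issuer', ...)` on failure, and keep the post-retrieval comparison where it is: with the shared serial space described in the comment, checking the issuer after the fetch is what stops a serial that exists under a different CA from being returned.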
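Review bot: raising MutuallyExclusiveError in the cert_find `@@ -818,6 +860,14 @@` hunk departs from find-command semantics, where every option is a filter; when both `cacn` and `issuer` are given, compare the resolved `ipacasubjectdn` with the supplied issuer as DN objects (not as strings, since case and spacing differ between sources) and either continue with that one DN or return an empty result. The assignment `options['issuer'] = unicode(...)` also rewrites the caller's options dict in place before it reaches `ra.find(options)`; building the filter in a copy keeps the command's inputs as received.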
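Review bot: copy-paste bug in the `@@ -1897,6 +1901,11 @@` hunk of ipaserver/plugins/dogtag.py: `issuer_dn = cert.xpath('IssuerDN')` is followed by `if len(dn) == 1:`, which tests the SubjectDN result from the lines above instead of `issuer_dn`. A response entry with a SubjectDN but no IssuerDN makes `issuer_dn[0]` raise IndexError and fails the whole cert-find, and an entry with an IssuerDN but no SubjectDN silently drops the issuer. Change the guard to `if len(issuer_dn) == 1:`.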
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 9 Jun 2016 08:55:09 +0200 Subject: [Freeipa-devel] git commit message In-Reply-To: <20160608160716.GB20125@10.4.128.1> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <93d758c0-7076-d401-a6a5-1a4168b5f17e@redhat.com> <20160608160716.GB20125@10.4.128.1> Message-ID: <65382c33-5a79-1325-e791-e15f82abdc0a@redhat.com> On 8.6.2016 18:07, Lukas Slebodnik wrote: > On (08/06/16 14:09), Petr Vobornik wrote: >> On 06/08/2016 10:07 AM, Petr Spacek wrote: >>> On 7.6.2016 15:11, Stanislav Laznicka wrote: >>>> Hello, >>>> >>>> Thank you for your patch. As the thin-client patches were pushed in the >>>> meantime, the patch won't apply. Could you please send a rebased version? >>>> >>>> Also, I have a few comments on the patch: >>>> >>>> 1) I think that the commit message should be rather a brief conclusion to the >>>> changes made in the commit. This could help for faster orientation in the >>>> changes that were made to a certain part of code should you be searching for a >>>> bug introduced by a commit. Should some more info be required, it can be added >>>> to the ticket. Could you therefore shorten the commit message? >>> >>> (My personal opinion, no golden standard.) >>> >>> Honestly I disagree with Standa. Yes, the commit message seems to be a bit >>> long but *tickets* are not the best place to put *technical* information into. >>> >>> Tickets are a planning tool but keep in mind that Trac may/will vanish one day >>> and all we will have will be the (Git?) repo. >> >> +1 >> >> The commit message is very good and honestly I'd like to see more of >> such commit messages. >> > Regarding the commit message. > > I like the recommendation about git commit messages from the Openstack wiki > https://wiki.openstack.org/wiki/GitCommitMessages#Information_in_commit_messages > We can at least take inspiration from it.
> > IMHO a longer commit message is always better. I like it! Thank you for the link. -- Petr^2 Spacek From jcholast at redhat.com Thu Jun 9 07:05:24 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 09:05:24 +0200 Subject: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication In-Reply-To: <20160609063120.GX4744@dhcp-40-8.bne.redhat.com> References: <2a1b79e5-83c5-001c-abc3-676ae787f6a6@redhat.com> <20160503070558.GJ1237@dhcp-40-8.bne.redhat.com> <20160504040405.GN1237@dhcp-40-8.bne.redhat.com> <35b15cbc-dc68-56ab-92d8-6cbbef69103c@redhat.com> <20160505065229.GU1237@dhcp-40-8.bne.redhat.com> <20160601044928.GZ4744@dhcp-40-8.bne.redhat.com> <20160606133208.GL4744@dhcp-40-8.bne.redhat.com> <5c0f032f-5fbb-9981-6e5b-301ce826a7ce@redhat.com> <20160609040751.GW4744@dhcp-40-8.bne.redhat.com> <20160609063120.GX4744@dhcp-40-8.bne.redhat.com> Message-ID: <5951c1d8-7cca-320c-bd32-6adb416a4bef@redhat.com> On 9.6.2016 08:31, Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 07:49:51AM +0200, Jan Cholasta wrote: >> On 9.6.2016 06:07, Fraser Tweedale wrote: >>> Updated patches 0053-6 and 0054-6 attached. Comments inline. >>> >>> Thanks, >>> Fraser >>> >>> On Wed, Jun 08, 2016 at 10:31:07AM +0200, Jan Cholasta wrote: >>>> Patch 0052: >>>> >>>> The target of the "Dogtag service principals can search Custodia keys" ACI >>>> matches keys in the top-level Custodia container, but not in the Dogtag >>>> container. Is this intentional? >>>> >>> ACI applies to all entries under the 'cn=custodia' tree, not only >>> the entries directly under it. >> >> You are right: >> >> >> >> Mea culpa, I thought the target matching behavior was simpler than this. >> >> Anyway, could the ACI be tightened to allow access only to the Dogtag >> subtree? >> > Dogtag does need access to the host Custodia keys. I see, the ACI is OK then. > I'm not sure how > to tighten the ACI to prevent access to "deeper" levels. In any > case they're all public keys and it's read only access, so I don't > think it's an issue. Right. 
> >>> >>>> >>>> Patch 0053: >>>> >>>> It seems the `servicename`+`host` and `principal` arguments of set_key() are >>>> carrying the same information, could you remove one of them? >>>> >>> OK, just `principal` now. >>> >>>> >>>> Patch 0054: >>>> >>>> 1) Please use ipalib.config to read IPA configuration in >>>> ipa-pki-retrieve-key: >>>> >>>> from ipalib.config import Env >>>> >>>> env = Env(in_server=True) >>>> hostname = env.host >>>> realm = env.realm >>>> >>> I have implemented this; it was necessary to also call >>> `env._finalize()`. >> >> Right. I wrote the above snippet off the top of my head, hence the omission. >> >>> >>>> 2) I'm curious why you changed the key name from "ca/$NAME" to >>>> "ca_wrapped/$NAME". Aren't *all* keys in Custodia wrapped? >>>> >>> The payload of the `ca_wrapped` Custodia store is a >>> PKIArchiveOptions object wrapped by the main CA's private key. >>> (This payload is then encrypted by Custodia, as all Custodia >>> payloads are). >>> >>> See my patch 0056 [1] for implementation details. >>> >>> [1] https://www.redhat.com/archives/freeipa-devel/2016-May/msg00079.html >> >> Wow, I totally missed patch 0055 and 0056! >> > No worries; easily done because I sent more emails with fewer, > largely independent patches. > >>> >>>> 3) Given that Dogtag ExternalProcessKeyRetriever handles JSON *now*, I would >>>> expect a minimum required version bump in the spec file. >>>> >>> Indeed; I added this in latest patches. >> >> Thanks. ACK if the ACI in patch 52 does not need tightening. >> > Thanks for reviewing! Pushed to master: b0d9a4728f0dc78e2bbde344beac17ae50b847a9 -- Jan Cholasta From jcholast at redhat.com Thu Jun 9 07:06:13 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 09:06:13 +0200 Subject: [Freeipa-devel] [PATCH] 0055 Authorise CA Agent to manage lightweight CAs In-Reply-To: <20160421051943.GK18277@dhcp-40-8.bne.redhat.com> References: <20160421051943.GK18277@dhcp-40-8.bne.redhat.com> Message-ID: <56d6e204-dfb5-ee38-7479-12274aabafe1@redhat.com> On 21.4.2016 07:19, Fraser Tweedale wrote: > The attached patch is part of lightweight CA support. It just adds > some ACL rules to the Dogtag database, and does not depend on the version > of Dogtag (so it's ok to merge immediately, when ACKed). ACK. Pushed to master: 903a90fb4e7dc7eaddc1cc4f11083dad5c16db9b -- Jan Cholasta From jcholast at redhat.com Thu Jun 9 07:06:56 2016 From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 09:06:56 +0200 Subject: [Freeipa-devel] [PATCH] 0056 Add custodia store for lightweight CA key replication In-Reply-To: <20160505070530.GW1237@dhcp-40-8.bne.redhat.com> References: <20160505070530.GW1237@dhcp-40-8.bne.redhat.com> Message-ID: On 5.5.2016 09:05, Fraser Tweedale wrote: > G'day team, > > This patch implements a new Custodia store type to be used for LWCA > keys. Simo gave a preliminary review a couple of weeks ago (I was > holding off because required Dogtag bits were not yet merged... they > are now, so here's the patch ^_^) ACK. Fixed a PEP8 issue and pushed to master: 4660bb7ff0197649c8777151a3a2a5378929e842 -- Jan Cholasta From jcholast at redhat.com Thu Jun 9 07:12:51 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 09:12:51 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <9a87b3a9-2f9d-c5f6-f3b8-16b0cf18e614@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <1b39d3df-dc5c-5b4e-8c41-668ce3be933f@redhat.com> <9a87b3a9-2f9d-c5f6-f3b8-16b0cf18e614@redhat.com> Message-ID: <4520570e-ba4c-e3a4-8ba8-df5d88be1443@redhat.com> On 9.6.2016 08:14, David Kupka wrote: > On 08/06/16 14:44, Jan Cholasta wrote: >> On 8.6.2016 14:40, Martin Babinsky wrote: >>> On 06/08/2016 02:11 PM, David Kupka wrote: >>>> On 28/04/16 14:45, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> I have pushed my thin client WIP branch to GitHub: >>>>> . >>>>> >>>>> All commits up to "ipalib: use relative imports for cross-plugin >>>>> imports" should be good for review. The rest is subject to change >>>>> (WARNING: I will force push into this branch). >>>>> >>>>> Honza >>>>> >>>> >>>> Hello! >>>> >>>> Patch set: >>>> >>>> spec file: require correct packages to get API plugins >>>> schema: fix typo >>>> schema: fix topic command output >>>> replica install: use remote server API to create service entries >>> This one is not complete since it breaks replica install w/ --setup-dns. >>> Removing this line seems to fix this case: >>> >>> """ >>> diff --git a/ipaserver/install/server/replicainstall.py >>> b/ipaserver/install/server/replicainstall.py >>> index 41eee96..d695a15 100644 >>> --- a/ipaserver/install/server/replicainstall.py >>> +++ b/ipaserver/install/server/replicainstall.py 
>>> @@ -1478,7 +1478,6 @@ def promote(installer): >>> server_api.finalize() >>> >>> if options.setup_dns: >>> - server_api.Backend.rpcclient.connect() >>> server_api.Backend.ldap2.connect(autobind=True) >>> dns.install(False, True, options, server_api >>> """ >> >> Fixed. >> >>> >>> >>>> schema: do not validate unrequested params in command_defaults >>>> >>>> fixes some regressions introduced by previous patches. Works for me and >>>> I haven't met any new regression or bug, ACK. >>>> >>> >>> >> >> > > Thanks for the catch, Martin. Now it's really fixed and can be pushed. > Obligatory keyword to trigger the push: ACK Thanks. Attaching the patches for reference. Pushed to master: 0f995312565e69768c660b85476b1efe1f62fb84 > > BTW, I've discovered other related issue [1] that is there since 4.2. I > will send patch soon. > > [1] https://fedorahosted.org/freeipa/ticket/5945 > -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-618-schema-do-not-validate-unrequested-params-in-command.patch Type: text/x-patch Size: 2161 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-619-replica-install-use-remote-server-API-to-create-serv.patch Type: text/x-patch Size: 11200 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-620-schema-fix-topic-command-output.patch Type: text/x-patch Size: 2492 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-621-schema-fix-typo.patch Type: text/x-patch Size: 933 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-622-spec-file-require-correct-packages-to-get-API-plugin.patch Type: text/x-patch Size: 2078 bytes Desc: not available URL: From frenaud at redhat.com Thu Jun 9 08:03:28 2016 From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Thu, 9 Jun 2016 10:03:28 +0200 Subject: [Freeipa-devel] [PATCH] man: Describe ipa-client-install workaround for broken D-Bus environment. In-Reply-To: References: <1194734610.40520786.1456913917730.JavaMail.zimbra@redhat.com> Message-ID: <4f3a745f-d6d7-2aa6-bb6c-ce8354aad5e2@redhat.com> On 06/09/2016 07:00 AM, David Kupka wrote: > On 02/03/16 11:18, David Kupka wrote: >> https://fedorahosted.org/freeipa/ticket/5694 >> > > Sending updated version crafted with Flo's help, thanks. > ACK. Thanks for your patience explaining the details, Flo. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jcholast at redhat.com Thu Jun 9 08:12:40 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 10:12:40 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> Message-ID: <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> On 9.6.2016 08:44, Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>> Hi team, >>>>>> >>>>>> This patchset implements the 'ca' plugin for creating and managing >>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>> 'cert-request' command to support multiple CAs. >>>>>> >>>>>> A brief overview of the patches: >>>>>> >>>>>> 0059 >>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>> Dogtag REST API wrapper >>>>>> 0060 >>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>> 0061 >>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>> 0062 >>>>>> Update ra.request_certificate() to support specifying target CA >>>>>> 0063 >>>>>> Add '--ca' option to 'cert-request' command >>>>>> 0064 >>>>>> Add '--issuer' option to 'cert-find' command >>>>>> >>>>>> These patches depend on other pending patches: >>>>>> >>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>> >>>>>> Signing key replication depends on unmerged Dogtag patches. 
Builds >>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>> >>>>>> Some parts of the design are not implemented in the current >>>>>> patchset, including: >>>>>> >>>>>> - local parent CA (ipaca object) references >>>>>> - sub-CA certificate renewal >>>>>> - 'cert-show' command '--ca=NAME' option >>>>>> - certmonger support for specifying CA >>>>>> - revocation of deleted CAs >>>>>> >>>>>> I look forward to your reviews! >>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>>> >>>>> Rebased and updated patches attached. >>>>> >>>>> Substantive changes: >>>>> >>>>> - add required attributes for issuer DN and subject DN >>>>> - prevent rename of IPA CA >>>>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>>>> issuer DN and subject DN >>>>> - add 'read_ca' method to Dogtag interface >>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>> >>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>> option to cert-show and cert-find. >>> >>> Patch 0059: >>> >>> 1) On upgrade, why is the lightweight CA container created twice - once in >>> 41-subca.update, once using ensure_entry() call? It should be done only >>> once. >>> >> I'll remove 41-subca.update; the routine in cainstance is the one >> that's needed. >> >>> 2) In ca_del, every CA specified in args[0] should be deleted, not just the >>> first one. >>> >>> 3) Do not use NonFatalError, issue a warning instead: >>> >>> self.add_message(MyNewWarningClass(name=...)) >>> >>> 4) Can it actually happen that ca_show does not return ipacaid? I guess not, >>> so you should be able to remove the check altogether and don't bother with >>> the warning. >>> >> ipacaid is mandatory now, so I'll remove the check. 
>> >>> >>> Patch 0060-0062: LGTM >>> >> Yippee \o/ >> >>> >>> Patch 0063: >>> >>> Could you please define the CA param as follows: >>> >>> Str('cacn?', >>> cli_name='ca', >>> query=True, >>> label=_("CA"), >>> doc=_("CA to use"), >>> ), >>> >>> ? >>> >>> This is for consistency with framework-generated parent key params, which >>> unfortunately we cannot leverage in cert_request currently. >>> >> No problemo. >> >>> >>> Patch 0064: >>> >>> 1) See my comment for patch 0063, it applies here as well. >>> >>> 2) The --issuer option should not be included in cert_show - show commands >>> are supposed to retrieve an object given primary key(s), and the primary key >>> of CA objects is just their cn. >>> >> The --issuer argument is because the primary key for a cert is really >> (issuer, serial). So it shows the cert _with_ that issuer (and >> serial), not the cert _for_ that issuer. Correct, but in IPA the issuer is represented by the CA object, so in IPA the primary key for a certificate is actually (CA name, serial). Certificate lookup by issuer name and serial is actually a search operation, analogous to how CA lookup by subject name is also a search operation, so it should be done by cert-find. >> >>> 3) In find commands, the options form a filter, so instead of raising >>> MutuallyExclusiveError in cert-find, return an empty result, as with any >>> other unmatched filter. >>> >> Here, --issuer and --ca are two different ways to specify the >> issuer. --issuer lets you give the issuer DN straight up; --ca >> takes the name of an IPA CA object and looks up its issuer DN. >> (Thus it makes no sense to give both options at once). That's one way to look at it, but it's true only if you assume that cert-find can only search certificates in Dogtag. This will very soon become untrue, as we will allow cert-find to also search certificates anywhere in LDAP (the server part of ticket #5381).
There, the difference between the options would be that with --ca you search for certificates issued by the specified managed CA, but with --issuer you search for certificates with the given issuer name, be it managed CA or not. For now, IMO the correct behavior should be that if both are specified and the issuer name of the specified CA does not match the specified issuer name, an empty result is returned, otherwise carry on with the search in Dogtag. >> >> Do you think it would be clearer to provide a single option that >> takes issuer DN or the name of CA? I considered this but decided >> against it because collisions are possible (one could name an IPA CA >> something that passes for a stringified DN). Right, I would not do that. >> >> Thanks for reviewing! >> Fraser >> > Updated patches attached (0059-3..0063-3, 0064-4). No substantive > changes to 0060..0062. -- Jan Cholasta From pvomacka at redhat.com Thu Jun 9 08:15:28 2016
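The lookup semantics debated in the exchange above (a certificate keyed by issuer plus serial, `--ca` resolved to a managed CA's subject DN, `--issuer` taken as a raw DN, a disagreement between the two yielding an empty result rather than an error, and cert-show verifying the issuer only after the certificate is fetched) as an added Python example. This is not FreeIPA's code: the `MANAGED_CAS` table, the `SAMPLE_CERTS` list and the small `parse_dn` normaliser are constructed for the illustration (FreeIPA compares DNs with ipapython.dn and queries Dogtag, neither of which is used here), and `parse_dn` deliberately handles only backslash escapes and quoted values, not hex escapes or multi-valued RDNs.

```python
"""Issuer-qualified certificate lookup (added illustration, not FreeIPA code)."""
from collections import namedtuple

# Constructed stand-in for managed CA objects: cn -> ipacasubjectdn.
MANAGED_CAS = {
    "ipa": "CN=Certificate Authority,O=EXAMPLE.COM",
    "vpn": "CN=VPN Sub-CA,O=EXAMPLE.COM",
}

# Constructed (serial, issuer DN) pairs. Serials are unique across both CAs,
# mirroring a shared serial-number space, so a serial alone finds one cert
# but says nothing about which CA issued it.
SAMPLE_CERTS = [
    (7, "CN=Certificate Authority,O=EXAMPLE.COM"),
    (8, "CN=VPN Sub-CA,O=EXAMPLE.COM"),
    (9, "CN=Certificate Authority,O=EXAMPLE.COM"),
]


def parse_dn(dn):
    """Split a string DN into normalized (type, value) pairs.

    Minimal RFC 4514 handling: backslash escapes and quoted values only.
    Types are lower-cased; values are whitespace-trimmed, whitespace-collapsed
    and case-folded (caseIgnoreMatch-style, as LDAP compares DNs). Raises
    ValueError on malformed input so a caller can turn it into a usage error.
    """
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character is literal
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes      # quotes delimit, they are not data
        elif c == "," and not in_quotes:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        attr = attr.strip().lower()
        value = " ".join(value.split()).lower()
        if not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        out.append((attr, value))
    return tuple(out)


def dn_equal(a, b):
    """Structural DN comparison; string equality misses case/spacing variants."""
    return parse_dn(a) == parse_dn(b)


IssuerFilter = namedtuple("IssuerFilter", ["satisfiable", "issuer"])


def resolve_issuer_filter(options, managed_cas):
    """Reduce --ca / --issuer to one issuer filter (find-command semantics).

    --ca names a managed CA and resolves to its subject DN; --issuer is a raw
    DN, validated before any lookup. Both given is not an error: if they
    disagree the filter is unsatisfiable (empty result), otherwise the search
    proceeds with that one DN. Unknown CA name -> KeyError (stands in for NotFound).
    """
    ca_issuer = managed_cas[options["cacn"]] if "cacn" in options else None
    raw_issuer = options.get("issuer")
    if raw_issuer is not None:
        parse_dn(raw_issuer)               # reject malformed input up front
    if ca_issuer is not None and raw_issuer is not None:
        if not dn_equal(ca_issuer, raw_issuer):
            return IssuerFilter(False, None)
        return IssuerFilter(True, ca_issuer)
    return IssuerFilter(True, ca_issuer or raw_issuer)


def find_certs(options, certs, managed_cas):
    """cert-find: serials of certificates matching the issuer filter."""
    flt = resolve_issuer_filter(options, managed_cas)
    if not flt.satisfiable:
        return []
    return [serial for serial, issuer in certs
            if flt.issuer is None or dn_equal(issuer, flt.issuer)]


def show_cert(serial, options, certs, managed_cas):
    """cert-show: fetch by serial, then verify the issuer before returning.

    The check runs after retrieval, so a serial that exists under a different
    CA is reported as not found instead of being handed back.
    """
    flt = resolve_issuer_filter(options, managed_cas)
    for cert_serial, issuer in certs:
        if cert_serial == serial and flt.satisfiable and (
                flt.issuer is None or dn_equal(issuer, flt.issuer)):
            return cert_serial, issuer
    raise LookupError("certificate %d with issuer %r not found"
                      % (serial, flt.issuer))
```

The structural comparison is the point: Dogtag and LDAP render the same DN with different case and spacing, so `dn_equal` folds both sides where a string comparison would report a spurious mismatch, and `resolve_issuer_filter` parses `--issuer` before touching any backend so malformed input fails as a usage error rather than as a late exception after the certificate has been fetched.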
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 10:15:28 +0200 Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI In-Reply-To: <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com> References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com> <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com> Message-ID: On 06/08/2016 04:40 PM, Petr Vobornik wrote: > On 06/07/2016 10:07 AM, Pavel Vomacka wrote: >> >> On 06/06/2016 07:51 PM, Martin Basti wrote: >>> >>> >>> On 05.06.2016 18:34, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review attached patches which add WebUI part of DNS Locations feature. >>>> >>>> -- >>>> Pavel^3 Vomacka >>>> >>>> >>> NACK >>> >>> 1) >>> When I edit location description and click on revert button, then that nice >>> location table just disappears :) >> It's the same situation as with using 'Save' button - reported here: >> https://fedorahosted.org/freeipa/ticket/5776 . I'll write there a comment that >> revert button hides values in association tables. >>> 2) >>> Can we put a placeholder "100" (gray font or something) to Location weight in >>> server detail view? Because when weight is not specified then default is 100 >> Placeholder added. >> > > 1. please add "disable_facet_tabs: true," to location details page. > There is no point to display a single facet tab. Fixed. > 2. can we extend location_association_table the same width as rule > tables are extended in sudo and hbac rules? IIRC it needs to use > specific section type of 'servers' section. Fixed. > > 3. the placeholder 100 should be also added to adder dialog in > location_association_table_widget I think that it can be confusing when user tries to move a server from one location to another, because server might have set a weight already and it can differ from 100. In this case user would see placeholder 100 but in reality the weight of server would be different (value set in previous location). > 4.
Description could be textarea - to be consistent with hbac, sudo rules. Fixed. > > 5. "Information" section is called "General" or "$Entity Settings" on > other parts of Web UI. It should be consistent. Fixed. Patches attached. -- Pavel^3 Vomacka > > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0039-Add-adapter-attribute-for-choosing-record.patch Type: text/x-patch Size: 1664 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0040-3-DNS-Locations-WebUI-part.patch Type: text/x-patch Size: 12300 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jun 9 08:44:13 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 10:44:13 +0200 Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI In-Reply-To: References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com> <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com> Message-ID: <24b7c5b5-cb60-3fb4-62f3-6587b9cc7966@redhat.com> On 06/09/2016 10:15 AM, Pavel Vomacka wrote: > > > On 06/08/2016 04:40 PM, Petr Vobornik wrote: >> On 06/07/2016 10:07 AM, Pavel Vomacka wrote: >>> >>> On 06/06/2016 07:51 PM, Martin Basti wrote: >>>> >>>> >>>> On 05.06.2016 18:34, Pavel Vomacka wrote: >>>>> Hello, >>>>> >>>>> please review attached patches which add WebUI part of DNS >>>>> Locations feature. >>>>> >>>>> -- >>>>> Pavel^3 Vomacka >>>>> >>>>> >>>> NACK >>>> >>>> 1) >>>> When I edit location description and click on revert button, then >>>> that nice >>>> location table just disappears :) >>> It's the same situation as with using 'Save' button - reported here: >>> https://fedorahosted.org/freeipa/ticket/5776 . I'll write there a >>> comment that >>> revert button hides values in association tables. >>>> 2) >>>> Can we put a placeholder "100" (gray font or something) to Location >>>> weight in >>>> server detail view? Because when weight is not specified then >>>> default is 100 >>> Placeholder added. >>> >> >> 1. please add "disable_facet_tabs: true," to location details page. >> There is no point to display a single facet tab. > Fixed. >> 2. can we extend location_association_table the same width as rule >> tables are extended in sudo and hbac rules? IIRC it needs to use >> specific section type of 'servers' section. > Fixed. >> >> 3. the placeholder 100 should be also added to adder dialog in >> location_association_table_widget > I think that it can be confusing when user tries to move a server from > one location to another, because server might have set a weight > already and it can differ from 100.
In this case user would see > placeholder 100 but in reality the weight of server would be different > (value set in previous location). >> 4. Description could be textarea - to be consistent with hbac, sudo >> rules. > Fixed. >> >> 5. "Information" section is called "General" or "$Entity Settings" on >> other parts of Web UI. It should be consistent. > Fixed. > > Patches attached. > > -- > Pavel^3 Vomacka >> >> > > > Another revision of patch 40, removed useless comma from ipa_init.json. Both patches attached. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0039-Add-adapter-attribute-for-choosing-record.patch Type: text/x-patch Size: 1664 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0040-4-DNS-Locations-WebUI-part.patch Type: text/x-patch Size: 11412 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jun 9 08:53:16 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 10:53:16 +0200 Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone In-Reply-To: <69444cc4-c425-f201-2ca2-bc8d575a9c1b@redhat.com> References: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com> <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com> <0d5d593f-4394-dbda-347e-f81a7d88f5f3@redhat.com> <69444cc4-c425-f201-2ca2-bc8d575a9c1b@redhat.com> Message-ID: On 06/08/2016 06:36 PM, Petr Vobornik wrote: > On 06/07/2016 10:30 AM, Pavel Vomacka wrote: >> >> On 06/07/2016 09:08 AM, Petr Spacek wrote: >>> Hi, >>> >>> the commit message does not say what was wrong and why and what works >>> now. >>> Please improve the commit message before pushing this. >> Commit message improved. >>> Petr^2 Spacek >>> >>> On 6.6.2016 19:03, Pavel Vomacka wrote: >>>> Fix bad searching of reverse DNS zone >>>> >>>> https://fedorahosted.org/freeipa/ticket/5796 >>>> > It fails with zones: > * 13.10.10.in-addr.arpa. > * 3.10.10.in-addr.arpa. > > And A record: 10.10.13.1 > > reason: you forgot to update target_zone.index when updating > target_zone.target_zone Thank you, I really forgot to add that line. Updated patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0042-3-Fix-bad-searching-of-reverse-DNS-zone.patch Type: text/x-patch Size: 2557 bytes Desc: not available URL: From ftweedal at redhat.com Thu Jun 9 09:10:51 2016
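The failing case from the reply above, as an added Python example that is not the Web UI code in the patch: for the A record 10.10.13.1 the zone 13.10.10.in-addr.arpa. must be chosen over 3.10.10.in-addr.arpa., which any string-suffix test gets wrong because '1.13.10.10.in-addr.arpa.' does end with the string '3.10.10.in-addr.arpa.'. The zone lists are constructed; `naive_zone_for` shows the wrong rule for contrast, `zone_for` picks the most specific zone by whole-label suffix, and IPv6 comes for free through the standard library's `reverse_pointer`.

```python
"""Reverse-zone selection for a PTR record, compared label by label.

Added illustration, not FreeIPA Web UI code. Zone lists are constructed.
"""
import ipaddress


def reverse_name(ip):
    """10.10.13.1 -> '1.13.10.10.in-addr.arpa.'; IPv6 -> nibble-reversed ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def labels(name):
    """Absolute or relative name -> lower-cased labels with the root dropped."""
    return name.rstrip(".").lower().split(".")


def is_in_zone(name, zone):
    """True if `name` lies under `zone`, matching on label boundaries only."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def naive_zone_for(ip, zones):
    """The wrong rule, kept for contrast: plain string suffix, first hit wins.

    '1.13.10.10.in-addr.arpa.' ends with '3.10.10.in-addr.arpa.', so which
    zone the record lands in depends on list order, not on the address.
    """
    rname = reverse_name(ip)
    for zone in zones:
        if rname.endswith(zone):
            return zone
    return None


def zone_for(ip, zones):
    """Most specific zone (most labels) that contains the reverse name.

    Every candidate is examined and the best one is tracked explicitly, so a
    shorter zone listed earlier cannot shadow a longer, more specific one.
    """
    rname = reverse_name(ip)
    best = None
    for zone in zones:
        if is_in_zone(rname, zone) and (
                best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best


def record_name(ip, zone):
    """Owner name relative to the chosen zone ('1' for 10.10.13.1 in 13.10.10...)."""
    rname = reverse_name(ip)
    if not is_in_zone(rname, zone):
        raise ValueError("%s is not under %s" % (rname, zone))
    return ".".join(labels(rname)[:-len(labels(zone))])
```

Putting a PTR into the wrong reverse zone is more than a cosmetic bug: reverse lookups for that address then answer from a zone whose delegation and access rules were written for a different network, so the label-boundary check belongs wherever a name is mapped to a zone, in the UI and on the server alike.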
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 9 Jun 2016 19:10:51 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> Message-ID: <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: > On 9.6.2016 08:44, Fraser Tweedale wrote: > > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: > > > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: > > > > On 8.6.2016 05:15, Fraser Tweedale wrote: > > > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > > > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > > > > > > Hi team, > > > > > > > > > > > > > > This patchset implements the 'ca' plugin for creating and managing > > > > > > > lightweight sub-CAs, and updates the 'caacl' plugin and > > > > > > > 'cert-request' command to support multiple CAs. 
> > > > > > > > > > > > > > A brief overview of the patches: > > > > > > > > > > > > > > 0059 > > > > > > > 'ca' plugin, associated schema changes and container objects, > > > > > > > Dogtag REST API wrapper > > > > > > > 0060 > > > > > > > Add CA entry for the IPA CA on install/upgrade > > > > > > > 0061 > > > > > > > Update 'caacl' plugin with CA support (including enforcement) > > > > > > > 0062 > > > > > > > Update ra.request_certificate() to support specifying target CA > > > > > > > 0063 > > > > > > > Add '--ca' option to 'cert-request' command > > > > > > > 0064 > > > > > > > Add '--issuer' option to 'cert-find' command > > > > > > > > > > > > > > These patches depend on other pending patches: > > > > > > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > > > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. Builds > > > > > > > of Dogtag with the required patches, and of FreeIPA with all > > > > > > > completed sub-CAs work, should be available from my COPR soon: > > > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > > > > > > > > > > > Some parts of the design are not implemented in the current > > > > > > > patchset, including: > > > > > > > > > > > > > > - local parent CA (ipaca object) references > > > > > > > - sub-CA certificate renewal > > > > > > > - 'cert-show' command '--ca=NAME' option > > > > > > > - certmonger support for specifying CA > > > > > > > - revocation of deleted CAs > > > > > > > > > > > > > > I look forward to your reviews! > > > > > > > > > > > > > > Thanks, > > > > > > > Fraser > > > > > > > > > > > > > Rebased and updated patches attached. 
> > > > > > > > > > > > Substantive changes: > > > > > > > > > > > > - add required attributes for issuer DN and subject DN > > > > > > - prevent rename of IPA CA > > > > > > - when adding IPA CA entry, contact Dogtag to learn authority id, > > > > > > issuer DN and subject DN > > > > > > - add 'read_ca' method to Dogtag interface > > > > > > - tighten ACIs to prevent modification of ipacaid attribute > > > > > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca > > > > > option to cert-show and cert-find. > > > > > > > > Patch 0059: > > > > > > > > 1) On upgrade, why is the lightweight CA container created twice - once in > > > > 41-subca.update, once using ensure_entry() call? It should be done only > > > > once. > > > > > > > I'll remove 41-subca.update; the routine in cainstance is the one > > > that's needed. > > > > > > > 2) In ca_del, every CA specified in args[0] should be deleted, not just the > > > > first one. > > > > > > > > 3) Do not use NonFatalError, issue a warning instead: > > > > > > > > self.add_message(MyNewWarningClass(name=...)) > > > > > > > > 4) Can it actually happen that ca_show does not return ipacaid? I guess not, > > > > so you should be able to remove the check altogether and don't bother with > > > > the warning. > > > > > > > ipacaid is mandatory now, so I'll remove the check. > > > > > > > > > > > Patch 0060-0062: LGTM > > > > > > > Yippee \o/ > > > > > > > > > > > Patch 0063: > > > > > > > > Could you please define the CA param as follows: > > > > > > > > Str('cacn?', > > > > cli_name='ca', > > > > query=True, > > > > label=_("CA"), > > > > doc=_("CA to use"), > > > > ), > > > > > > > > ? > > > > > > > > This is for consistency with framework-generated parent key params, which > > > > unfortunately we cannot leverage in cert_request currently. > > > > > > > No problemo. > > > > > > > > > > > Patch 0064: > > > > > > > > 1) See my comment for patch 0063, it applies here as well. 
> > > > > > > > 2) The --issuer option should not be included in cert_show - show commands > > > > are supposed to retrieve an object given primary key(s), and the primary key > > > > of CA objects is just their cn. > > > > > > > The --issuer argument is because primary key for a cert is really > > > (issuer, serial). So it shows the cert _with_ that issuer (and > > > serial), not the cert _for_ that issuer. > > Correct, but in IPA the issuer is represented by the CA object, so in IPA > the primary key for a certificate is actually (CA name, serial). > > Certificate lookup by issuer name and serial is actually a search operation, > analogous to how CA lookup by subject name is also a search operation, so > it should be done by cert-find. > OK, I will remove the --issuer option for cert-find. > > > > > > > 3) In find commands, the options form a filter, so instead of raising > > > > MutuallyExclusiveError in cert-find, return an empty result, as with any > > > > other unmatched filter. > > > > > > > Here, --issuer and --ca are two different ways to specify the > > > issuer. --issuer lets you give the issuer DN straight up; --ca > > > takes the name of an IPA CA object and looks up its issuer DN. > > > (Thus it makes no sense to give both options at once). > > That's one way to look at it, but it's true only if you assume that > cert-find can only search certificates in Dogtag. This will very soon become > untrue, as we will allow cert-find to also search certificates anywhere in > LDAP (the server part of ticket #5381). There, the difference between the > options would be that with --ca you search for certificates issued by the > specified managed CA, but with --issuer you search for certificates with the > given issuer name, be it managed CA or not. > --ca is just a "shorthand" for --issuer - it merely looks up subject DN of the specified CA, and uses that as the issuer option. 
> For now, IMO the correct behavior should be that if both are specified and > the issuer name of the specified CA does not match the specified issuer > name, empty result is returned, otherwise carry on with the search in > Dogtag. > If I allow both, the behaviour will then be: specify issuer DN only) search using given issuer DN specify CA only) search using subject DN of specified CA. If no such CA, error. specify issuer DN and CA) search using given issuer DN, and ensure that result (if any) matches subject DN of specified CA. If no such CA, error. I'm happy to implement this if you confirm that you think it's the correct behaviour. Thanks, Fraser From frenaud at redhat.com Thu Jun 9 09:58:25 2016 
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Thu, 9 Jun 2016 11:58:25 +0200 Subject: [Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error In-Reply-To: References: <2646f4ce-dfe2-4916-e8e1-f86bfbd118b3@redhat.com> <7f1f1c03-6320-da3f-0c01-65954d28a148@redhat.com> <563432e8-aac2-2bc3-c290-ab56a3a5f684@redhat.com> Message-ID: On 06/08/2016 01:14 PM, Stanislav Laznicka wrote: > On 06/08/2016 01:13 PM, Stanislav Laznicka wrote: >> >> >> >> On 06/07/2016 05:11 PM, Florence Blanc-Renaud wrote: >>> On 06/07/2016 04:08 PM, Stanislav Laznicka wrote: >>>> On 06/06/2016 02:47 PM, Florence Blanc-Renaud wrote: >>>>> >>>>> Hi, >>>>> >>>>> please find attached the patch for Ticket 5434 add context to >>>>> exception on LdapEntry decode error >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5434 >>>>> >>>>> >>>>> >>>> Hello, >>>> >>>> Similarly to your patch 0003, could you please shorten the commit >>>> message? I appreciate that you added the way to reproduce the bug >>>> but I would rather see it in the comments of the ticket. >>>> >>>> I haven't tested the patch yet but I think that the try-except >>>> block should also wrap the self._conn.decode in the raw_dels loop: >>>> >>>> 310 for value in raw_dels: >>>> 311 value = self._conn.decode(value, name) >>>> 312 if value in nice_adds: >>>> 313 continue >>>> 314 nice.remove(value) >>>> >>>> Standa >>>> >>> Hi Standa, >>> >>> thanks for your review. I will shorten the commit message as you >>> suggested. >>> >>> Regarding the other decode() called for raw_dels, I was not sure in >>> which case this part of the code was called. Do you happen to know >>> if it is possible for an invalid value to be in the raw_sync list but >>> not in the raw list? >>> >>> Flo. >>> >> I'm not sure if there's an easy way to do that. I would just put it >> there should it ever occur to have more information about what happened. > Forgot to include devel-list, sorry. Hi, updated patch attached. Flo. 
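The point of the review exchange above is that both decode() calls, the one for added raw values and the one in the raw_dels loop, should be guarded so that a malformed LDAP value is reported together with the entry it came from. The following is an added illustration, not FreeIPA's ipaldap code: decode_value() and DecodeError stand in for the connection's decode() and the error it raises, the attribute table and LdapEntry class are constructed stand-ins, and the sample DN and values are made up.

```python
"""Adding entry context to a decode failure in an LdapEntry-style sync loop.

Added example, not FreeIPA's ipaldap code. decode_value() stands in for the
connection's decode() and DecodeError for the error it raises; the syntax
table, the LdapEntry class and the sample values are all constructed here.
"""
import datetime
from typing import Any, Callable, Dict, List


class DecodeError(ValueError):
    """Low-level decoder failure; carries no information about the entry."""


class ConversionError(ValueError):
    """The same failure enriched with the entry DN, attribute and raw value,
    so an operator can locate the offending LDAP entry."""

    def __init__(self, dn: str, attr: str, value: bytes, cause: Exception):
        self.dn, self.attr, self.value = dn, attr, value
        super().__init__(
            f"{dn}: cannot decode attribute {attr!r} value {value!r}: {cause}")


def _decode_time(raw: bytes) -> datetime.datetime:
    """GeneralizedTime as used by krbLastPwdChange, e.g. b'20160609120000Z'."""
    try:
        return datetime.datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ")
    except (UnicodeDecodeError, ValueError) as exc:
        raise DecodeError(str(exc)) from exc


# Constructed syntax table: attributes not listed are treated as UTF-8 text.
DECODERS: Dict[str, Callable[[bytes], Any]] = {"krblastpwdchange": _decode_time}


def decode_value(raw: bytes, attr: str) -> Any:
    """Stand-in for conn.decode(value, name)."""
    decoder = DECODERS.get(attr.lower())
    if decoder is None:
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise DecodeError(str(exc)) from exc
    return decoder(raw)


class LdapEntry:
    """Minimal entry that keeps raw values and decodes them lazily, using the
    adds/dels synchronisation shape quoted in the review."""

    def __init__(self, dn: str, raw: Dict[str, List[bytes]]):
        self.dn = dn
        self._raw = {k.lower(): list(v) for k, v in raw.items()}
        self._seen: Dict[str, List[bytes]] = {}  # raw values already decoded
        self._nice: Dict[str, List[Any]] = {}    # their decoded counterparts

    def set_raw(self, name: str, values: List[bytes]) -> None:
        self._raw[name.lower()] = list(values)

    def _decode(self, name: str, value: bytes) -> Any:
        # One guard shared by both loops below: any decode failure is
        # re-raised with the DN and attribute name attached.
        try:
            return decode_value(value, name)
        except DecodeError as exc:
            raise ConversionError(self.dn, name, value, exc) from exc

    def get(self, name: str) -> List[Any]:
        name = name.lower()
        raw = self._raw.get(name, [])
        seen = self._seen.setdefault(name, [])
        nice = self._nice.setdefault(name, [])
        raw_adds = [v for v in raw if v not in seen]
        raw_dels = [v for v in seen if v not in raw]
        nice_adds: List[Any] = []
        for value in raw_adds:
            value = self._decode(name, value)
            nice_adds.append(value)
            nice.append(value)
        for value in raw_dels:
            value = self._decode(name, value)  # guarded here as well
            if value in nice_adds:
                continue
            nice.remove(value)
        self._seen[name] = list(raw)
        return list(nice)
```

With the guard in place, a bad value surfaces as "uid=alice,...: cannot decode attribute 'krblastpwdchange' value b'not-a-time': ..." instead of a bare strptime error, which is what the ticket asks for.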
-------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0006-2-add-context-to-exception-on-LdapEntry-decode-error.patch Type: text/x-patch Size: 1882 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 9 10:21:06 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 12:21:06 +0200 Subject: [Freeipa-devel] [PATCH][WIP] DNS Location: generator for location records Message-ID: <6ca934d6-f3af-8f48-2061-094161774236@redhat.com> Hello, here is WIP version of generator for IPA DNS records and locations, that is responsible for creating and updating all IPA records for all masters. Please note that this is not finished yet and some methods may not work. Patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-9999-DNS-Location-generator-for-records.patch Type: text/x-patch Size: 11824 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 9 10:32:06 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 12:32:06 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> References: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> Message-ID: <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> On 07.06.2016 12:51, Martin Babinsky wrote: > On 06/01/2016 05:10 PM, Martin Basti wrote: >> Patch attached. >> > ACK > Pushed to ipa-4-3: 22fcf65cd1b674b21496b677818a8c75adcd70a6 From jcholast at redhat.com Thu Jun 9 10:36:35 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 9 Jun 2016 12:36:35 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> Message-ID: On 9.6.2016 11:10, Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: >> On 9.6.2016 08:44, Fraser Tweedale wrote: >>> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >>>> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>>>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>>>> Hi team, >>>>>>>> >>>>>>>> This patchset implements the 'ca' plugin for creating and managing >>>>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>>>> 'cert-request' command to support multiple CAs. 
>>>>>>>> >>>>>>>> A brief overview of the patches: >>>>>>>> >>>>>>>> 0059 >>>>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>>>> Dogtag REST API wrapper >>>>>>>> 0060 >>>>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>>>> 0061 >>>>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>>>> 0062 >>>>>>>> Update ra.request_certificate() to support specifying target CA >>>>>>>> 0063 >>>>>>>> Add '--ca' option to 'cert-request' command >>>>>>>> 0064 >>>>>>>> Add '--issuer' option to 'cert-find' command >>>>>>>> >>>>>>>> These patches depend on other pending patches: >>>>>>>> >>>>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>>>> >>>>>>>> Signing key replication depends on unmerged Dogtag patches. Builds >>>>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>>>> >>>>>>>> Some parts of the design are not implemented in the current >>>>>>>> patchset, including: >>>>>>>> >>>>>>>> - local parent CA (ipaca object) references >>>>>>>> - sub-CA certificate renewal >>>>>>>> - 'cert-show' command '--ca=NAME' option >>>>>>>> - certmonger support for specifying CA >>>>>>>> - revocation of deleted CAs >>>>>>>> >>>>>>>> I look forward to your reviews! >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Fraser >>>>>>>> >>>>>>> Rebased and updated patches attached. >>>>>>> >>>>>>> Substantive changes: >>>>>>> >>>>>>> - add required attributes for issuer DN and subject DN >>>>>>> - prevent rename of IPA CA >>>>>>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>>>>>> issuer DN and subject DN >>>>>>> - add 'read_ca' method to Dogtag interface >>>>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>>>> >>>>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>>>> option to cert-show and cert-find. 
>>>>> >>>>> Patch 0059: >>>>> >>>>> 1) On upgrade, why is the lightweight CA container created twice - once in >>>>> 41-subca.update, once using ensure_entry() call? It should be done only >>>>> once. >>>>> >>>> I'll remove 41-subca.update; the routine in cainstance is the one >>>> that's needed. >>>> >>>>> 2) In ca_del, every CA specified in args[0] should be deleted, not just the >>>>> first one. >>>>> >>>>> 3) Do not use NonFatalError, issue a warning instead: >>>>> >>>>> self.add_message(MyNewWarningClass(name=...)) >>>>> >>>>> 4) Can it actually happen that ca_show does not return ipacaid? I guess not, >>>>> so you should be able to remove the check altogether and don't bother with >>>>> the warning. >>>>> >>>> ipacaid is mandatory now, so I'll remove the check. >>>> >>>>> >>>>> Patch 0060-0062: LGTM >>>>> >>>> Yippee \o/ >>>> >>>>> >>>>> Patch 0063: >>>>> >>>>> Could you please define the CA param as follows: >>>>> >>>>> Str('cacn?', >>>>> cli_name='ca', >>>>> query=True, >>>>> label=_("CA"), >>>>> doc=_("CA to use"), >>>>> ), >>>>> >>>>> ? >>>>> >>>>> This is for consistency with framework-generated parent key params, which >>>>> unfortunately we cannot leverage in cert_request currently. >>>>> >>>> No problemo. >>>> >>>>> >>>>> Patch 0064: >>>>> >>>>> 1) See my comment for patch 0063, it applies here as well. >>>>> >>>>> 2) The --issuer option should not be included in cert_show - show commands >>>>> are supposed to retrieve an object given primary key(s), and the primary key >>>>> of CA objects is just their cn. >>>>> >>>> The --issuer argument is because primary key for a cert is really >>>> (issuer, serial). So it shows the cert _with_ that issuer (and >>>> serial), not the cert _for_ that issuer. >> >> Correct, but in IPA the issuer is represented by the CA object, so in IPA >> the primary key for a certificate is actually (CA name, serial). 
>> >> Certificate lookup by issuer name and serial is actually a search operation, >> analogous to how CA lookup by subject name is also a search operation, so >> it should be done by cert-find. >> > OK, I will remove the --issuer option for cert-find. > >>>> >>>>> 3) In find commands, the options form a filter, so instead of raising >>>>> MutuallyExclusiveError in cert-find, return an empty result, as with any >>>>> other unmatched filter. >>>>> >>>> Here, --issuer and --ca are two different ways to specify the >>>> issuer. --issuer lets you give the issuer DN straight up; --ca >>>> takes the name of an IPA CA object and looks up its issuer DN. >>>> (Thus it makes no sense to give both options at once). >> >> That's one way to look at it, but it's true only if you assume that >> cert-find can only search certificates in Dogtag. This will very soon become >> untrue, as we will allow cert-find to also search certificates anywhere in >> LDAP (the server part of ticket #5381). There, the difference between the >> options would be that with --ca you search for certificates issued by the >> specified managed CA, but with --issuer you search for certificates with the >> given issuer name, be it managed CA or not. >> > --ca is just a "shorthand" for --issuer - it merely looks up subject > DN of the specified CA, and uses that as the issuer option. > >> For now, IMO the correct behavior should be that if both are specified and >> the issuer name of the specified CA does not match the specified issuer >> name, empty result is returned, otherwise carry on with the search in >> Dogtag. >> > If I allow both, the behaviour will then be: > > specify issuer DN only) > search using given issuer DN > specify CA only) > search using subject DN of specified CA. If no such CA, error. > specify issuer DN and CA) > search using given issuer DN, and ensure that result (if any) > matches subject DN of specified CA. If no such CA, error. 
> > I'm happy to implement this if you confirm that you think it's the > correct behaviour. Looks correct to me. -- Jan Cholasta From slaznick at redhat.com Thu Jun 9 10:42:22 2016 
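The three cases Fraser lists (issuer DN only, CA only, both), and Jan's rule that a disagreement between the two is an unmatched filter rather than an error, are easier to see as code. The following is an added example and not the FreeIPA cert-find implementation: CA_OBJECTS stands in for the IPA 'ca' objects, CERTS for what Dogtag would return, and NotFound for the framework's error class; all sample DNs and serials are constructed, and normalize_dn() is a deliberately simplified DN comparison.

```python
"""cert-find filter semantics for --issuer and --ca, as agreed in the thread.

Added example, not FreeIPA code. CA_OBJECTS and CERTS are constructed sample
data standing in for the IPA 'ca' entries and the Dogtag certificate store.
"""
from typing import Dict, List, Optional


class NotFound(Exception):
    """Raised when the named CA object does not exist ('If no such CA, error')."""


# Constructed: CA object name -> subject DN of that CA. This demo assumes a
# CA's subject DN is exactly the issuer DN on the certificates it signs.
CA_OBJECTS: Dict[str, str] = {
    "ipa": "CN=Certificate Authority,O=EXAMPLE.TEST",
    "puppet": "CN=Puppet CA,O=EXAMPLE.TEST",
}

# Constructed certificate store: issuer DN, serial and subject per cert.
CERTS: List[Dict[str, object]] = [
    {"issuer": "CN=Certificate Authority,O=EXAMPLE.TEST", "serial": 1,
     "subject": "CN=host1.example.test"},
    {"issuer": "CN=Certificate Authority,O=EXAMPLE.TEST", "serial": 2,
     "subject": "CN=host2.example.test"},
    {"issuer": "CN=Puppet CA,O=EXAMPLE.TEST", "serial": 7,
     "subject": "CN=agent.example.test"},
]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs so two spellings of the same
    DN compare equal. Simplified: escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ca_issuer_dn(cacn: str) -> str:
    """Resolve an IPA CA object name to the issuer DN it signs with."""
    try:
        return CA_OBJECTS[cacn]
    except KeyError:
        raise NotFound(f"{cacn}: CA not found") from None


def cert_find(issuer: Optional[str] = None,
              cacn: Optional[str] = None) -> List[Dict[str, object]]:
    """Search certificates, treating --issuer and --ca as filter terms.

    issuer only : match on the given issuer DN
    ca only     : match on the subject DN of the named CA (NotFound if absent)
    both        : NotFound if the CA is absent; empty result if the CA's DN and
                  the given issuer DN disagree; otherwise search by the issuer DN
    """
    ca_dn = ca_issuer_dn(cacn) if cacn is not None else None
    if issuer is not None and ca_dn is not None:
        if normalize_dn(issuer) != normalize_dn(ca_dn):
            return []  # contradictory filter terms: nothing can match
    wanted = issuer if issuer is not None else ca_dn
    if wanted is None:
        return list(CERTS)
    return [c for c in CERTS
            if normalize_dn(str(c["issuer"])) == normalize_dn(wanted)]
```

Returning an empty list for the disagreeing case, while still raising NotFound for an unknown CA name, keeps the two error surfaces separate: a typo in the CA name is a user error, a non-matching issuer is simply a filter that selects nothing.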
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 9 Jun 2016 12:42:22 +0200 Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks In-Reply-To: <57567014.3080808@redhat.com> References: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com> <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com> <57567014.3080808@redhat.com> Message-ID: On 06/07/2016 08:56 AM, thierry bordaz wrote: > > > On 06/06/2016 07:23 PM, Martin Basti wrote: >> >> >> >> On 03.06.2016 13:38, Stanislav Laznicka wrote: >>> Hello, >>> >>> The attached patch implements a solution to >>> https://fedorahosted.org/freeipa/ticket/5914. The patch is rather >>> hacky as nsslapd-db-locks requires to be modified when DS is not >>> running although I accept proposals for a better solution. >>> >>> Standa >>> >> LGTM and works for me, but I want ack from thierry because of the value >> >> * value set by this patch is 100K, is it okay or should it rather be 50K >> as is mentioned in the ticket >> * should there be an upgrade for this change, or should this be done only for >> new installations? (patch solves new installations only and I don't >> think that we should change it by upgrade, users may have already >> tuned DS) >> >> Martin^2 > Hello, > > This value also depends on the data. For example adding groups with > 10K members spikes the dblock consumption up to 40K because of > membership computation during the update. > The size of the entries can also contribute if for example we have > several entries per page or they are too large and fit on several pages. > > IMHO we should support out of the box groups with 10K, so > 'nsslapd-db-locks: 50000' looks good to me. > However it could be documented why it can consume so many locks and how > to tune it. > > thanks > thierry > Thank you, Thierry. Reduced the 100k locks to 50k locks in the patch (attached). -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-slaznick-0041-2-Increase-nsslapd-db-locks-to-50000.patch Type: text/x-patch Size: 2385 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jun 9 11:02:34 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 13:02:34 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> Message-ID: <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> On 06/07/2016 07:01 PM, Pavel Vomacka wrote: > > > On 06/07/2016 12:07 PM, Martin Babinsky wrote: >> On 06/03/2016 05:25 PM, Martin Babinsky wrote: >>> I am sending rebased patches implementing >>> http://www.freeipa.org/page/V4/Server_Roles >>> >>> I hope the patches work since I have had a lot of fun rebasing them on >>> top of thin client and DNS locations effort. >>> >>> https://fedorahosted.org/freeipa/ticket/5181 >>> >>> >>> >> >> Sending updated patches according to Jan's interactive review. >> >> Since the name of attributes returned by API commands and signature of >> `server-role-find` have changed, a small update in WebUI patches is >> required. >> >> >> > NACK, why did you remove sizelimit from server_role_find command's? Is > it possible to return it back? It breaks WebUI. Indeed, this was caused by changing the base class of the command. It is fixed in updated patches. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0146-5-Server-roles-definitions-of-server-roles-and-attribu.patch Type: text/x-patch Size: 21169 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0147-5-Server-Roles-Backend-plugin-to-query-roles-and-attri.patch Type: text/x-patch Size: 6160 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0148-5-Test-suite-for-serverroles-backend.patch Type: text/x-patch Size: 25087 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0149-3-Server-Roles-public-API-for-server-roles.patch Type: text/x-patch Size: 8274 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0150-2-Server-Roles-make-server-show-find-utilize-role-info.patch Type: text/x-patch Size: 8778 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0151-2-Server-Roles-make-config-show-consume-relevant-roles.patch Type: text/x-patch Size: 9790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0152-2-Server-Roles-provide-an-API-for-setting-CA-renewal-m.patch Type: text/x-patch Size: 3867 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 9 11:14:58 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 13:14:58 +0200 Subject: [Freeipa-devel] [PATCH] man: Decribe ipa-client-install workaround for broken D-Bus enviroment. In-Reply-To: <4f3a745f-d6d7-2aa6-bb6c-ce8354aad5e2@redhat.com> References: <1194734610.40520786.1456913917730.JavaMail.zimbra@redhat.com> <4f3a745f-d6d7-2aa6-bb6c-ce8354aad5e2@redhat.com> Message-ID: On 09.06.2016 10:03, Florence Blanc-Renaud wrote: > On 06/09/2016 07:00 AM, David Kupka wrote: >> On 02/03/16 11:18, David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/5694 >>> >> >> Sending updated version crafted with Flo's help, thanks. >> > ACK. > > Thanks for your patience explaining the details, > Flo. > > > > Pushed to: master: da5885b72a284811bda7ddd36b8716d71ac66bd9 ipa-4-3: 149744675315df54280955a829142f21893aa0de -------------- next part -------------- An HTML attachment was scrubbed... URL: From slaznick at redhat.com Thu Jun 9 11:20:45 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 9 Jun 2016 13:20:45 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid Message-ID: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> Hello, Please see the attached patch of https://fedorahosted.org/freeipa/ticket/5797. Standa -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0046-host-service-show-find-shouldn-t-fail-on-invalid-cer.patch Type: text/x-patch Size: 3435 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jun 9 11:30:52 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 9 Jun 2016 14:30:52 +0300 Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes Message-ID: <20160609113052.u6iuzhliisaoyvwu@redhat.com> Hi, webUI changes to support external trust and showing UPN suffixes are attached. UPN Suffixes defined on AD side and fetched with 'ipa trust-fetch-domains'. They cannot be disabled individually as they come from AD side and are forest-wide, so we only show them, not allowing to modify anything. External forest is a flag and is shown in the trust-add dialog. The result would be visible as trust type of 'Non-transitive external trust to a domain in another Active Directory forest' These patches functionally depend on 0201 and 0202. -- / Alexander Bokovoy -------------- next part -------------- From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 9 Jun 2016 12:04:05 +0300 Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties Part of https://fedorahosted.org/freeipa/ticket/5354 --- install/ui/src/freeipa/trust.js | 11 +++++++++++ ipaserver/plugins/internal.py | 2 ++ 2 files changed, 13 insertions(+) diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index f26e2f2..f147a26 100644 --- a/install/ui/src/freeipa/trust.js 
+++ b/install/ui/src/freeipa/trust.js @@ -142,6 +142,17 @@ return { ] }, { + name: 'suffixes', + label: '@i18n:objects.trust.ipantadditionalsuffixes', + fields: [ + { + $type: 'multivalued', + name: 'ipantadditionalsuffixes', + read_only: 'true' + }, + ] + }, + { name: 'blacklists', label: '@i18n:objects.trust.blacklists', fields: [ diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index 4804f64..ea29b16 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py @@ -747,6 +747,8 @@ class i18n_messages(Command): "trustdirection": _("Trust direction"), "truststatus": _("Trust status"), "trusttype": _("Trust type"), + "suffixes": _("UPN suffixes"), + "ipantadditionalsuffixes": _("UPN suffixes"), }, "trustconfig": { "options": _("Options"), -- 2.7.4 -------------- next part -------------- From 99600009b97f5652b088718c71ba0dd348f4bdb8 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 9 Jun 2016 12:04:39 +0300 Subject: [PATCH 8/8] webui: support external flag to trust-add Part of https://fedorahosted.org/freeipa/ticket/5743 --- install/ui/src/freeipa/trust.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index f147a26..ab2e24f 100644 --- a/install/ui/src/freeipa/trust.js +++ b/install/ui/src/freeipa/trust.js @@ -189,6 +189,12 @@ return { widget: 'realm.bidirectional' }, { + $type: 'checkbox', + name: 'external', + metadata: '@mc-opt:trust_add:external', + widget: 'realm.external' + }, + { name: 'realm_admin', label: '@i18n:objects.trust.account', widget: 'method.realm_admin' @@ -246,6 +252,11 @@ return { $type: 'checkbox', name: 'bidirectional', tooltip: '@mc-opt:trust_add:bidirectional:doc' + }, + { + $type: 'checkbox', + name: 'external', + tooltip: '@mc-opt:trust_add:external:doc' } ] }, -- 2.7.4 From sbose at redhat.com Thu Jun 9 11:54:18 2016 
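Review bot: in the new 'suffixes' section of trust.js, `read_only: 'true'` passes the string 'true' rather than the boolean `true`; a non-empty string is truthy, so the field renders read-only today, but any strict check (`=== true`) on that property would silently make the UPN suffix list editable, which is the opposite of the cover letter's intent. Use `read_only: true`. The trailing comma after the single field object (`},` followed by `]`) is harmless in ES5 but worth dropping for consistency with the neighbouring sections.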
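Review bot: the two keys added to i18n_messages in internal.py, "suffixes" and "ipantadditionalsuffixes", both map to the identical string _("UPN suffixes"), so the section title and the field label inside it will read the same on the trust page. Give the field label the more specific wording (Sumit's suggestion downthread, "Alternative UPN suffixes", matches what the AD UI shows) or drop one of the two keys.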
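Review bot: the `external` checkbox added to the trust-add dialog in the second patch reads its metadata from `@mc-opt:trust_add:external` and its tooltip from `@mc-opt:trust_add:external:doc`, so the server-side trust_add command must already expose an `external` option or the dialog cannot resolve the metadata; the cover e-mail says these patches functionally depend on 0201 and 0202, but the commit message only cites ticket 5743. Record the dependency in the commit message so the Web UI change is not pushed ahead of the command option it relies on.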
From: sbose at redhat.com (Sumit Bose) Date: Thu, 9 Jun 2016 13:54:18 +0200 Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes In-Reply-To: <20160609113052.u6iuzhliisaoyvwu@redhat.com> References: <20160609113052.u6iuzhliisaoyvwu@redhat.com> Message-ID: <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> On Thu, Jun 09, 2016 at 02:30:52PM +0300, Alexander Bokovoy wrote: > Hi, > > webUI changes to support external trust and showing UPN suffixes are > attached. > > UPN Suffixes defined on AD side and fetched with 'ipa trust-fetch-domains'. > They cannot be disabled individually as they come from AD side and are > forest-wide, so we only show them, not allowing to modify anything. > > External forest is a flag and is shown in the trust-add dialog. > The result would be visible as trust type of 'Non-transitive external > trust to a domain in another Active Directory forest' > > These patches functionally depend on 0201 and 0202. > > -- > / Alexander Bokovoy > From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 2001 > From: Alexander Bokovoy > Date: Thu, 9 Jun 2016 12:04:05 +0300 > Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties > > Part of https://fedorahosted.org/freeipa/ticket/5354 > > --- > install/ui/src/freeipa/trust.js | 11 +++++++++++ > ipaserver/plugins/internal.py | 2 ++ > 2 files changed, 13 insertions(+) > ... > diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py > index 4804f64..ea29b16 100644 > --- a/ipaserver/plugins/internal.py > +++ b/ipaserver/plugins/internal.py 
> @@ -747,6 +747,8 @@ class i18n_messages(Command): > "trustdirection": _("Trust direction"), > "truststatus": _("Trust status"), > "trusttype": _("Trust type"), > + "suffixes": _("UPN suffixes"), > + "ipantadditionalsuffixes": _("UPN suffixes"), The AD gui calls the latter 'Alternative UPN suffixes'. Maybe we should use the same description here as well to avoid irritations? bye, Sumit > }, > "trustconfig": { > "options": _("Options"), > -- > 2.7.4 > From pvomacka at redhat.com Thu Jun 9 12:00:07 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 14:00:07 +0200 Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI In-Reply-To: <24b7c5b5-cb60-3fb4-62f3-6587b9cc7966@redhat.com> References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com> <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com> <24b7c5b5-cb60-3fb4-62f3-6587b9cc7966@redhat.com> Message-ID: <2ee59334-03ac-7b9b-91bd-dca6c8e7aa73@redhat.com> On 06/09/2016 10:44 AM, Pavel Vomacka wrote: > > > > On 06/09/2016 10:15 AM, Pavel Vomacka wrote: >> >> >> On 06/08/2016 04:40 PM, Petr Vobornik wrote: >>> On 06/07/2016 10:07 AM, Pavel Vomacka wrote: >>>> >>>> On 06/06/2016 07:51 PM, Martin Basti wrote: >>>>> >>>>> >>>>> On 05.06.2016 18:34, Pavel Vomacka wrote: >>>>>> Hello, >>>>>> >>>>>> please review attached patches which add WebUI part of DNS >>>>>> Locations feature. >>>>>> >>>>>> -- >>>>>> Pavel^3 Vomacka >>>>>> >>>>>> >>>>> NACK >>>>> >>>>> 1) >>>>> When I edit location description and click on revert button, then >>>>> that nice >>>>> location table just disappears :) >>>> It's the same situation as with using 'Save' button - reported here: >>>> https://fedorahosted.org/freeipa/ticket/5776 . I'll write there a >>>> comment that >>>> revert button hides values in association tables. >>>>> 2) >>>>> Can we put a placeholder "100" (gray font or something) to >>>>> Location weight in >>>>> server detail view? Because when weight is not specified then >>>>> default is 100 >>>> Placeholder added. >>>> >>> >>> 1. please add "disable_facet_tabs: true," to location details page. >>> There is no point to display single facet tab. >> Fixed. >>> 2. can we extend location_association_table the same width as rule >>> tables are extended in sudo and hbac rules? IIRC it needs to use >>> specific section type of 'servers' section. >> Fixed. >>> >>> 3. 
the placeholder 100 should be also added to adder dialog in >>> location_association_table_widget >> I think that it can be confusing when user tries to move a server >> from one location to another, because server might have set a weight >> already and it can differ from 100. In this case user would see >> placeholder 100 but in reality the weight of server would be >> different (value set in previous location). >>> 4. Description could be textarea - to be consistent with hbac, sudo >>> rules. >> Fixed. >>> >>> 5. "Information" section is called "General" or "$Entity Settings" on >>> other parts of Web UI. It should be consistent. >> Fixed. >> >> Patches attached. >> >> -- >> Pavel^3 Vomacka >>> >>> >> >> >> > Another revision of patch 40, removed useless comma from > ipa_init.json. Both patches attached. > > And another revision. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0039-Add-adapter-attribute-for-choosing-record.patch Type: text/x-patch Size: 1664 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0040-5-DNS-Locations-WebUI-part.patch Type: text/x-patch Size: 11248 bytes Desc: not available URL: From jhrozek at redhat.com Thu Jun 9 12:02:03 2016 
From: jhrozek at redhat.com (Jakub Hrozek) Date: Thu, 9 Jun 2016 14:02:03 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <20160609120203.GF3271@hendrix> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: > Hi, > > this patch allows the extdom plugin to lookup users by certificate which > is needed in the case where an IPA client wants to lookup an AD user who > has the certificate stored in AD. To make this work the related patches > I just sent to sssd-devel are needed as well. > > Currently the patches miss the change in the required version of SSSD, > since the SSSD patches are not committed. But the patches are needed to > fully test the SSSD patches. I will send a new version with the needed > changes to the minimal SSSD version when the SSSD patches are committed. > > bye, > Sumit The patch works fine (tested together with the corresponding SSSD patches), so ACK from me. The code also looks good to me, but I'm not sure if reviewing an IPA patch requires something more (CI? Coverity?) From pvoborni at redhat.com Thu Jun 9 12:03:43 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 9 Jun 2016 14:03:43 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts In-Reply-To: References: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> Message-ID: <1663d3e2-2de3-7fd9-5a0f-ea775a2d9762@redhat.com> On 06/08/2016 03:32 PM, Pavel Vomacka wrote: > > > On 06/08/2016 02:20 PM, Petr Vobornik wrote: >> On 06/06/2016 04:17 PM, Pavel Vomacka wrote: >>> Hello, >>> >>> please review attached patch. >>> >>> Ticket: https://fedorahosted.org/freeipa/ticket/5931 >>> >> Also tables for host groups are needed. >> >> + the same UI should be also on host page. > Added, please see attached patch. 1.hostgroups cannot be removed from "allow to read" tables. This should fix it. - name: 'ipaallowedtoperform_read_keys_hosts_group', + name: 'ipaallowedtoperform_read_keys_hostgroup', - name: 'ipaallowedtoperform_read_keys_hosts_group', + name: 'ipaallowedtoperform_read_keys_hostgroup', Patch with the change attached. ACK if you ACK it :) -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0041-3-Add-lists-of-hosts-allowed-to-create-or-retrieve-key.patch Type: text/x-patch Size: 9050 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 9 12:08:02 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 9 Jun 2016 14:08:02 +0200 Subject: [Freeipa-devel] [PATCH] 0042: Fix bad searching of reverse DNS zone In-Reply-To: <69444cc4-c425-f201-2ca2-bc8d575a9c1b@redhat.com> References: <952be7b3-1f20-fd1a-7ac5-7ce246050b86@redhat.com> <4164415a-ef03-5246-a7a8-fbb190892dd4@redhat.com> <0d5d593f-4394-dbda-347e-f81a7d88f5f3@redhat.com> <69444cc4-c425-f201-2ca2-bc8d575a9c1b@redhat.com> Message-ID: <5dfa1126-f0e1-5e74-a63e-1bc2337db9dc@redhat.com> On 06/08/2016 06:36 PM, Petr Vobornik wrote: > On 06/07/2016 10:30 AM, Pavel Vomacka wrote: >> >> >> On 06/07/2016 09:08 AM, Petr Spacek wrote: >>> Hi, >>> >>> the commit message does not say what was wrong and why and what works >>> now. >>> Please improve the commit message before pushing this. >> Commit message improved. >>> >>> Petr^2 Spacek >>> >>> On 6.6.2016 19:03, Pavel Vomacka wrote: >>>> Fix bad searching of reverse DNS zone >>>> >>>> https://fedorahosted.org/freeipa/ticket/5796 >>>> > > It fails with zones: > * 13.10.10.in-addr.arpa. > * 3.10.10.in-addr.arpa. > > And A record: 10.10.13.1 > > reason: you forgot to update target_zone.index when updating > target_zone.target_zone > ACK pushed to master: * 740099cf0bc2762b6ea329385f6abd542d863c98 Fix bad searching of reverse DNS zone -- Petr Vobornik From pvomacka at redhat.com Thu Jun 9 12:18:43 2016 
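The zone-matching problem from Petr's report above, worked as an added example that is not part of the patch or of the FreeIPA web UI. It is written in Python rather than the UI's JavaScript; the zone list and addresses are constructed from the message, and the two points it shows are that matching must happen on label boundaries (a plain string suffix test pairs 10.10.13.1 with the wrong zone) and that the chosen zone and its index must be updated together.

```python
import ipaddress

# Constructed from the report above: two reverse zones where one zone's name is a
# plain string suffix of a PTR name that actually belongs to the other zone.
ZONES = ["13.10.10.in-addr.arpa.", "3.10.10.in-addr.arpa."]


def reverse_name(ip):
    """Absolute PTR owner name of an IPv4/IPv6 address (10.10.13.1 -> 1.13.10.10.in-addr.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def labels(name):
    """DNS labels of a name, lower-cased and without the trailing root dot."""
    return name.rstrip(".").lower().split(".")


def zone_contains(zone, name):
    """True only if every label of zone matches the tail of name on a label boundary.

    str.endswith() is not enough: '3.10.10.in-addr.arpa.' is a string suffix of
    '1.13.10.10.in-addr.arpa.' although that name lives in 13.10.10.in-addr.arpa.
    """
    zl, nl = labels(zone), labels(name)
    return len(zl) <= len(nl) and nl[len(nl) - len(zl):] == zl


def find_reverse_zone(ip, zones):
    """Pick the most specific zone for the PTR record of ip.

    Returns (index, zone, relative_record_name) or None. The index and the zone
    are derived from one variable so they can never disagree; the reported bug
    came from replacing the zone while keeping the index of an earlier match.
    """
    name = reverse_name(ip)
    best_index = None
    for index, zone in enumerate(zones):
        if not zone_contains(zone, name):
            continue
        # A zone with more labels is more specific; keep the longest match.
        if best_index is None or len(labels(zone)) > len(labels(zones[best_index])):
            best_index = index
    if best_index is None:
        return None
    zone = zones[best_index]
    relative = ".".join(labels(name)[: len(labels(name)) - len(labels(zone))])
    return best_index, zone, relative


if __name__ == "__main__":
    for ip in ("10.10.13.1", "10.10.3.7", "192.0.2.1"):
        print(ip, "->", find_reverse_zone(ip, ZONES))
```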
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 14:18:43 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts In-Reply-To: <1663d3e2-2de3-7fd9-5a0f-ea775a2d9762@redhat.com> References: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> <1663d3e2-2de3-7fd9-5a0f-ea775a2d9762@redhat.com> Message-ID: On 06/09/2016 02:03 PM, Petr Vobornik wrote: > On 06/08/2016 03:32 PM, Pavel Vomacka wrote: >> >> On 06/08/2016 02:20 PM, Petr Vobornik wrote: >>> On 06/06/2016 04:17 PM, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review attached patch. >>>> >>>> Ticket: https://fedorahosted.org/freeipa/ticket/5931 >>>> >>> Also tables for host groups are needed. >>> >>> + the same UI should be also on host page. >> Added, please see attached patch. > 1.hostgroups cannot be removed from "allow to read" tables. > > This should fix it. > > - name: 'ipaallowedtoperform_read_keys_hosts_group', > + name: 'ipaallowedtoperform_read_keys_hostgroup', > > - name: 'ipaallowedtoperform_read_keys_hosts_group', > + name: 'ipaallowedtoperform_read_keys_hostgroup', > > Patch with the change attached. ACK if you ACK it :) ACK, thank you for fixing it. :) From abokovoy at redhat.com Thu Jun 9 12:19:28 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 9 Jun 2016 15:19:28 +0300 Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes In-Reply-To: <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20160609113052.u6iuzhliisaoyvwu@redhat.com> <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <20160609121928.zvddi2lchxextrv6@redhat.com> On Thu, 09 Jun 2016, Sumit Bose wrote: >On Thu, Jun 09, 2016 at 02:30:52PM +0300, Alexander Bokovoy wrote: >> Hi, >> >> webUI changes to support external trust and showing UPN suffixes are >> attached. >> >> UPN suffixes are defined on the AD side and fetched with 'ipa trust-fetch-domains'. >> They cannot be disabled individually as they come from the AD side and are >> forest-wide, so we only show them, not allowing to modify anything. >> >> External forest is a flag and is shown in the trust-add dialog. >> The result would be visible as trust type of 'Non-transitive external >> trust to a domain in another Active Directory forest' >> >> These patches functionally depend on 0201 and 0202. >> >> -- >> / Alexander Bokovoy > >> From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 2001 >> From: Alexander Bokovoy >> Date: Thu, 9 Jun 2016 12:04:05 +0300 >> Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties >> >> Part of https://fedorahosted.org/freeipa/ticket/5354 >> >> --- >> install/ui/src/freeipa/trust.js | 11 +++++++++++ >> ipaserver/plugins/internal.py | 2 ++ >> 2 files changed, 13 insertions(+) >> >... >> diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py >> index 4804f64..ea29b16 100644 >> --- a/ipaserver/plugins/internal.py >> +++ b/ipaserver/plugins/internal.py 
>> @@ -747,6 +747,8 @@ class i18n_messages(Command): >> "trustdirection": _("Trust direction"), >> "truststatus": _("Trust status"), >> "trusttype": _("Trust type"), >> + "suffixes": _("UPN suffixes"), >> + "ipantadditionalsuffixes": _("UPN suffixes"), > >The AD gui calls the latter 'Alternative UPN suffixes'. Maybe we should >use the same description here as well to avoid irritations? Makes sense. I've updated the patch 0208 and also removed the string 'suffixes' which is not referenced from the UI. -- / Alexander Bokovoy -------------- next part -------------- From 51b9d21b1ebefaa70d37b4bb3e2171c326897f47 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 9 Jun 2016 12:04:05 +0300 Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties Part of https://fedorahosted.org/freeipa/ticket/5354 --- install/ui/src/freeipa/trust.js | 11 +++++++++++ ipaserver/plugins/internal.py | 1 + 2 files changed, 12 insertions(+) diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index f26e2f2..f147a26 100644 --- a/install/ui/src/freeipa/trust.js +++ b/install/ui/src/freeipa/trust.js @@ -142,6 +142,17 @@ return { ] }, { + name: 'suffixes', + label: '@i18n:objects.trust.ipantadditionalsuffixes', + fields: [ + { + $type: 'multivalued', + name: 'ipantadditionalsuffixes', + read_only: 'true' + }, + ] + }, + { name: 'blacklists', label: '@i18n:objects.trust.blacklists', fields: [ diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py index 4804f64..c44c260 100644 --- a/ipaserver/plugins/internal.py +++ b/ipaserver/plugins/internal.py @@ -747,6 +747,7 @@ class i18n_messages(Command): "trustdirection": _("Trust direction"), "truststatus": _("Trust status"), "trusttype": _("Trust type"), + "ipantadditionalsuffixes": _("Alternative UPN suffixes"), }, "trustconfig": { "options": _("Options"), -- 2.7.4 From pvoborni at redhat.com Thu Jun 9 12:20:33 2016 
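Review bot: in the trust.js hunk of the updated patch, `read_only: 'true'` sets the flag to the string 'true' rather than the boolean `true`. A non-empty string is truthy, so the field will still render read-only, but the boolean is the unambiguous form and cannot be mistaken for a string value when the flag is tested or serialized; suggest `read_only: true`.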
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 9 Jun 2016 14:20:33 +0200 Subject: [Freeipa-devel] [PATCH] 0039-40: DNS Location: WebUI In-Reply-To: <2ee59334-03ac-7b9b-91bd-dca6c8e7aa73@redhat.com> References: <989e30dc-1f7e-20c4-d641-0ca8f0819a68@redhat.com> <5a8ad7b6-e727-f4e6-781a-f7009b21ee7f@redhat.com> <854f388a-e84d-2344-bc02-d95952ef4b58@redhat.com> <24b7c5b5-cb60-3fb4-62f3-6587b9cc7966@redhat.com> <2ee59334-03ac-7b9b-91bd-dca6c8e7aa73@redhat.com> Message-ID: <5c9aab8e-436b-2aed-3ca3-76d214b3cc87@redhat.com> On 06/09/2016 02:00 PM, Pavel Vomacka wrote: > >> >> > And another revision. > ACK pushed to master: * 5a8ad3e9828c67e8ff9cc9dfc05458003f19c985 Add adapter attribute for choosing record * 5f48df48d4af740ba09197d0f07415e8e76e608e DNS Locations: WebUI part -- Petr Vobornik From abokovoy at redhat.com Thu Jun 9 12:22:21 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 9 Jun 2016 15:22:21 +0300 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160609120203.GF3271@hendrix> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> Message-ID: <20160609122221.6lzzv4zgusc72wfx@redhat.com> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> Hi, >> >> this patch allows the extdom plugin to look up users by certificate which >> is needed in the case where an IPA client wants to look up an AD user who >> has the certificate stored in AD. To make this work the related patches >> I just sent to sssd-devel are needed as well. >> >> Currently the patches miss the change in the required version of SSSD, >> since the SSSD patches are not committed. But the patches are needed to >> fully test the SSSD patches. I will send a new version with the needed >> changes to the minimal SSSD version when the SSSD patches are committed. >> >> bye, >> Sumit > >The patch works fine (tested together with the corresponding SSSD >patches), so ACK from me. The code also looks good to me, but I'm not >sure if reviewing an IPA patch requires something more (CI? Coverity?) ACK from me as well, I forgot to send email about it, though I reviewed this patch a week ago. -- / Alexander Bokovoy From mbabinsk at redhat.com Thu Jun 9 12:23:34 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 14:23:34 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> Message-ID: <5ccde82b-efa3-282a-d4df-5bb2be0fcedb@redhat.com> On 06/09/2016 08:44 AM, Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>> Hi team, >>>>>> >>>>>> This patchset implements the 'ca' plugin for creating and managing >>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>> 'cert-request' command to support multiple CAs. >>>>>> >>>>>> A brief overview of the patches: >>>>>> >>>>>> 0059 >>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>> Dogtag REST API wrapper >>>>>> 0060 >>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>> 0061 >>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>> 0062 >>>>>> Update ra.request_certificate() to support specifying target CA >>>>>> 0063 >>>>>> Add '--ca' option to 'cert-request' command >>>>>> 0064 >>>>>> Add '--issuer' option to 'cert-find' command >>>>>> >>>>>> These patches depend on other pending patches: >>>>>> >>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>> >>>>>> Signing key replication depends on unmerged Dogtag patches. 
Builds >>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>> >>>>>> Some parts of the design are not implemented in the current >>>>>> patchset, including: >>>>>> >>>>>> - local parent CA (ipaca object) references >>>>>> - sub-CA certificate renewal >>>>>> - 'cert-show' command '--ca=NAME' option >>>>>> - certmonger support for specifying CA >>>>>> - revocation of deleted CAs >>>>>> >>>>>> I look forward to your reviews! >>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>>> >>>>> Rebased and updated patches attached. >>>>> >>>>> Substantive changes: >>>>> >>>>> - add required attributes for issuer DN and subject DN >>>>> - prevent rename of IPA CA >>>>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>>>> issuer DN and subject DN >>>>> - add 'read_ca' method to Dogtag interface >>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>> >>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>> option to cert-show and cert-find. >>> >>> Patch 0059: >>> >>> 1) On upgrade, why is the lightweight CA container created twice - once in >>> 41-subca.update, once using ensure_entry() call? It should be done only >>> once. >>> >> I'll remove 41-subca.update; the routine in cainstance is the one >> that's needed. >> >>> 2) In ca_del, every CA specified in args[0] should be deleted, not just the >>> first one. >>> >>> 3) Do not use NonFatalError, issue a warning instead: >>> >>> self.add_message(MyNewWarningClass(name=...)) >>> >>> 4) Can it actually happen that ca_show does not return ipacaid? I guess not, >>> so you should be able to remove the check altogether and don't bother with >>> the warning. >>> >> ipacaid is mandatory now, so I'll remove the check. 
>> >>> >>> Patch 0060-0062: LGTM >>> >> Yippee \o/ >> >>> >>> Patch 0063: >>> >>> Could you please define the CA param as follows: >>> >>> Str('cacn?', >>> cli_name='ca', >>> query=True, >>> label=_("CA"), >>> doc=_("CA to use"), >>> ), >>> >>> ? >>> >>> This is for consistency with framework-generated parent key params, which >>> unfortunately we cannot leverage in cert_request currently. >>> >> No problemo. >> >>> >>> Patch 0064: >>> >>> 1) See my comment for patch 0063, it applies here as well. >>> >>> 2) The --issuer option should not be included in cert_show - show commands >>> are supposed to retrieve an object given primary key(s), and the primary key >>> of CA objects is just their cn. >>> >> The --issuer argument is because the primary key for a cert is really >> (issuer, serial). So it shows the cert _with_ that issuer (and >> serial), not the cert _for_ that issuer. >> >>> 3) In find commands, the options form a filter, so instead of raising >>> MutuallyExclusiveError in cert-find, return an empty result, as with any >>> other unmatched filter. >>> >> Here, --issuer and --ca are two different ways to specify the >> issuer. --issuer lets you give the issuer DN straight up; --ca >> takes the name of an IPA CA object and looks up its issuer DN. >> (Thus it makes no sense to give both options at once). >> >> Do you think it would be clearer to provide a single option that >> takes issuer DN or the name of CA? I considered this but decided >> against it because collisions are possible (one could name an IPA CA >> something that passes for a stringified DN). >> >> Thanks for reviewing! >> Fraser >> > Updated patches attached (0059-3..0063-3, 0064-4). No substantive > changes to 0060..0062. > > > Hi Fraser, I'm doing functional review of your sub-CA patches and your first patch breaks upgrade [1]. Bear in mind that all the system configuration is upgraded after the LDAP upgrade, so you actually have to use an update file to add the "cn=cas,cn=ca,$SUFFIX$" subtree. 
Otherwise the code tries to add ACIs to entries that are not yet created, resulting in the pasted error. [1] https://paste.fedoraproject.org/376600/74804146/ -- Martin^3 Babinsky From mbasti at redhat.com Thu Jun 9 12:25:02 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 14:25:02 +0200 Subject: [Freeipa-devel] [PATCH 0500] regression: function resolve_rrsets: RRSet object is not hashable Message-ID: <5af3aa64-5526-f787-b2f9-b9350cab68b4@redhat.com> This regression was introduced by https://fedorahosted.org/freeipa/ticket/5710 thus this should go to 4.3.2 as well Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0500-Fix-resolve_rrsets-RRSet-is-not-hasbale.patch Type: text/x-patch Size: 1321 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 9 12:26:02 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 9 Jun 2016 14:26:02 +0200 Subject: [Freeipa-devel] [PATCH] 0041: webui: add create/retrieve keytab tables for hosts In-Reply-To: References: <19741286-82f4-8129-8426-2d91053a1f30@redhat.com> <1663d3e2-2de3-7fd9-5a0f-ea775a2d9762@redhat.com> Message-ID: <7bc887e2-9b93-018a-d47f-1c6dd3886ff6@redhat.com> On 06/09/2016 02:18 PM, Pavel Vomacka wrote: > > > On 06/09/2016 02:03 PM, Petr Vobornik wrote: >> On 06/08/2016 03:32 PM, Pavel Vomacka wrote: >>> >>> On 06/08/2016 02:20 PM, Petr Vobornik wrote: >>>> On 06/06/2016 04:17 PM, Pavel Vomacka wrote: >>>>> Hello, >>>>> >>>>> please review attached patch. >>>>> >>>>> Ticket: https://fedorahosted.org/freeipa/ticket/5931 >>>>> >>>> Also tables for host groups are needed. >>>> >>>> + the same UI should be also on host page. >>> Added, please see attached patch. >> 1.hostgroups cannot be removed from "allow to read" tables. >> >> This should fix it. >> >> - name: 'ipaallowedtoperform_read_keys_hosts_group', >> + name: 'ipaallowedtoperform_read_keys_hostgroup', >> >> - name: 'ipaallowedtoperform_read_keys_hosts_group', >> + name: 'ipaallowedtoperform_read_keys_hostgroup', >> >> Patch with the change attached. ACK if you ACK it :) > ACK, thank you for fixing it. :) pushed to master: * b1df1cfe71129075a010a0a3a38f1595d79cf412 Add lists of hosts allowed to create or retrieve keytabs -- Petr Vobornik From mbasti at redhat.com Thu Jun 9 12:29:45 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 14:29:45 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160609122221.6lzzv4zgusc72wfx@redhat.com> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> Message-ID: <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> On 09.06.2016 14:22, Alexander Bokovoy wrote: > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>> Hi, >>> >>> this patch allows the extdom plugin to look up users by certificate which >>> is needed in the case where an IPA client wants to look up an AD user who >>> has the certificate stored in AD. To make this work the related patches >>> I just sent to sssd-devel are needed as well. >>> >>> Currently the patches miss the change in the required version of SSSD, >>> since the SSSD patches are not committed. But the patches are needed to >>> fully test the SSSD patches. I will send a new version with the needed >>> changes to the minimal SSSD version when the SSSD patches are >>> committed. >>> >>> bye, >>> Sumit >> >> The patch works fine (tested together with the corresponding SSSD >> patches), so ACK from me. The code also looks good to me, but I'm not >> sure if reviewing an IPA patch requires something more (CI? Coverity?) > ACK from me as well, I forgot to send email about it, though I reviewed > this patch a week ago. > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 From slaznick at redhat.com Thu Jun 9 12:31:13 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 9 Jun 2016 14:31:13 +0200 Subject: [Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error In-Reply-To: References: <2646f4ce-dfe2-4916-e8e1-f86bfbd118b3@redhat.com> <7f1f1c03-6320-da3f-0c01-65954d28a148@redhat.com> <563432e8-aac2-2bc3-c290-ab56a3a5f684@redhat.com> Message-ID: <00b53128-3e52-4d2e-3fbc-731ea96e7f44@redhat.com> On 06/09/2016 11:58 AM, Florence Blanc-Renaud wrote: > On 06/08/2016 01:14 PM, Stanislav Laznicka wrote: >> On 06/08/2016 01:13 PM, Stanislav Laznicka wrote: >>> >>> >>> >>> On 06/07/2016 05:11 PM, Florence Blanc-Renaud wrote: >>>> On 06/07/2016 04:08 PM, Stanislav Laznicka wrote: >>>>> On 06/06/2016 02:47 PM, Florence Blanc-Renaud wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> please find attached the patch for Ticket 5434 add context to >>>>>> exception on LdapEntry decode error >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5434 >>>>>> >>>>>> >>>>>> >>>>> Hello, >>>>> >>>>> Similarly to your patch 0003, could you please shorten the commit >>>>> message? I appreciate that you added the way to reproduce the bug >>>>> but I would rather see it in the comments of the ticket. >>>>> >>>>> I haven't tested the patch yet but I think that the try-except >>>>> block should also wrap the self._conn.decode in the raw_dels loop: >>>>> >>>>> 310 for value in raw_dels: >>>>> 311 value = self._conn.decode(value, name) >>>>> 312 if value in nice_adds: >>>>> 313 continue >>>>> 314 nice.remove(value) >>>>> >>>>> Standa >>>>> >>>> Hi Standa, >>>> >>>> thanks for your review. I will shorten the commit message as you >>>> suggested. >>>> >>>> Regarding the other decode() called for raw_dels, I was not sure in >>>> which case this part of the code was called. Do you happen to know >>>> if it is possible for an invalid value to be in the raw_sync list but >>>> not in the raw list? >>>> >>>> Flo. >>>> >>> I'm not sure if there's an easy way to do that. 
I would just put it >>> there should it ever occur to have more information about what happened. >> Forgot to include devel-list, sorry. > > Hi, > > updated patch attached. > > Flo. > Thank you for the updated patch. It seems to work as expected so ACK. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Thu Jun 9 12:38:06 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 14:38:06 +0200 Subject: [Freeipa-devel] [PATCH] 0006 add context to exception on LdapEntry decode error In-Reply-To: <00b53128-3e52-4d2e-3fbc-731ea96e7f44@redhat.com> References: <2646f4ce-dfe2-4916-e8e1-f86bfbd118b3@redhat.com> <7f1f1c03-6320-da3f-0c01-65954d28a148@redhat.com> <563432e8-aac2-2bc3-c290-ab56a3a5f684@redhat.com> <00b53128-3e52-4d2e-3fbc-731ea96e7f44@redhat.com> Message-ID: <0986cc98-f3b7-28c4-7397-c42141d5e341@redhat.com> On 09.06.2016 14:31, Stanislav Laznicka wrote: > On 06/09/2016 11:58 AM, Florence Blanc-Renaud wrote: >> On 06/08/2016 01:14 PM, Stanislav Laznicka wrote: >>> On 06/08/2016 01:13 PM, Stanislav Laznicka wrote: >>>> >>>> >>>> >>>> On 06/07/2016 05:11 PM, Florence Blanc-Renaud wrote: >>>>> On 06/07/2016 04:08 PM, Stanislav Laznicka wrote: >>>>>> On 06/06/2016 02:47 PM, Florence Blanc-Renaud wrote: >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> please find attached the patch for Ticket 5434 add context to >>>>>>> exception on LdapEntry decode error >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5434 >>>>>>> >>>>>>> >>>>>>> >>>>>> Hello, >>>>>> >>>>>> Similarly to your patch 0003, could you please shorten the commit >>>>>> message? I appreciate that you added the way to reproduce the bug >>>>>> but I would rather see it in the comments of the ticket. >>>>>> >>>>>> I haven't tested the patch yet but I think that the try-except >>>>>> block should also wrap the self._conn.decode in the raw_dels loop: >>>>>> >>>>>> 310 for value in raw_dels: >>>>>> 311 value = self._conn.decode(value, name) >>>>>> 312 if value in nice_adds: >>>>>> 313 continue >>>>>> 314 nice.remove(value) >>>>>> >>>>>> Standa >>>>>> >>>>> Hi Standa, >>>>> >>>>> thanks for your review. I will shorten the commit message as you >>>>> suggested. >>>>> >>>>> Regarding the other decode() called for raw_dels, I was not sure >>>>> in which case this part of the code was called. 
Do you happen to >>>>> know if it is possible for an invalid value to be in the raw_sync >>>>> list but not in the raw list? >>>>> >>>>> Flo. >>>>> >>>> I'm not sure if there's an easy way to do that. I would just put it >>>> there should it ever occur to have more information about what >>>> happened. >>> Forgot to include devel-list, sorry. >> >> Hi, >> >> updated patch attached. >> >> Flo. >> > Thank you for the updated patch. It seems to work as expected so ACK. > > Pushed to master: 53524fbbff51418a8f1194c8559c9dcfcc5bbb83 -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Thu Jun 9 12:38:29 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Thu, 9 Jun 2016 14:38:29 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> Message-ID: <20160609123829.GN19915@10.4.128.1> On (09/06/16 14:29), Martin Basti wrote: >On 09.06.2016 14:22, Alexander Bokovoy wrote: >> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > Hi, >> > > >> > > this patch allows the extdom plugin to look up users by certificate which >> > > is needed in the case where an IPA client wants to look up an AD user who >> > > has the certificate stored in AD. To make this work the related patches >> > > I just sent to sssd-devel are needed as well. >> > > >> > > Currently the patches miss the change in the required version of SSSD, >> > > since the SSSD patches are not committed. But the patches are needed to >> > > fully test the SSSD patches. I will send a new version with the needed >> > > changes to the minimal SSSD version when the SSSD patches are >> > > committed. >> > > >> > > bye, >> > > Sumit >> > >> > The patch works fine (tested together with the corresponding SSSD >> > patches), so ACK from me. The code also looks good to me, but I'm not >> > sure if reviewing an IPA patch requires something more (CI? Coverity?) >> ACK from me as well, I forgot to send email about it, though I reviewed >> this patch a week ago. >> >Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 > It's very likely that this commit will break the build of freeipa-master. I didn't try. Because it uses the new function sss_nss_getnamebycert from the library libsss_nss_idmap, which is not in Fedora. It was pushed to sssd master just today. 
LS From mbasti at redhat.com Thu Jun 9 12:42:10 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 14:42:10 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160609123829.GN19915@10.4.128.1> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> Message-ID: <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> On 09.06.2016 14:38, Lukas Slebodnik wrote: > On (09/06/16 14:29), Martin Basti wrote: >> On 09.06.2016 14:22, Alexander Bokovoy wrote: >>> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>>>> Hi, >>>>> >>>>> this patch allows the extdom plugin to look up users by certificate which >>>>> is needed in the case where an IPA client wants to look up an AD user who >>>>> has the certificate stored in AD. To make this work the related patches >>>>> I just sent to sssd-devel are needed as well. >>>>> >>>>> Currently the patches miss the change in the required version of SSSD, >>>>> since the SSSD patches are not committed. But the patches are needed to >>>>> fully test the SSSD patches. I will send a new version with the needed >>>>> changes to the minimal SSSD version when the SSSD patches are >>>>> committed. >>>>> >>>>> bye, >>>>> Sumit >>>> The patch works fine (tested together with the corresponding SSSD >>>> patches), so ACK from me. The code also looks good to me, but I'm not >>>> sure if reviewing an IPA patch requires something more (CI? Coverity?) >>> ACK from me as well, I forgot to send email about it, though I reviewed >>> this patch a week ago. >>> >> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > It's very likely that this commit will break the build of > freeipa-master. I didn't try. > > Because it uses the new function sss_nss_getnamebycert > from the library libsss_nss_idmap, which is not in Fedora. 
> It was pushed to sssd master just today. > > LS If this is true, can you/somebody provide the SRPM of SSSD with the required functionality please? We may need to add it to @freeipa/freeipa-master copr and bump required version of SSSD. Martin^2 From mbasti at redhat.com Thu Jun 9 12:45:37 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 14:45:37 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> Message-ID: <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> On 09.06.2016 14:42, Martin Basti wrote: > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> On (09/06/16 14:29), Martin Basti wrote: >>> On 09.06.2016 14:22, Alexander Bokovoy wrote: >>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>>>>> Hi, >>>>>> >>>>>> this patch allows the extdom plugin to look up users by certificate >>>>>> which >>>>>> is needed in the case where an IPA client wants to look up an AD >>>>>> user who >>>>>> has the certificate stored in AD. To make this work the related >>>>>> patches >>>>>> I just sent to sssd-devel are needed as well. >>>>>> >>>>>> Currently the patches miss the change in the required version of >>>>>> SSSD, >>>>>> since the SSSD patches are not committed. But the patches are >>>>>> needed to >>>>>> fully test the SSSD patches. I will send a new version with the >>>>>> needed >>>>>> changes to the minimal SSSD version when the SSSD patches are >>>>>> committed. >>>>>> >>>>>> bye, >>>>>> Sumit >>>>> The patch works fine (tested together with the corresponding SSSD >>>>> patches), so ACK from me. The code also looks good to me, but I'm not >>>>> sure if reviewing an IPA patch requires something more (CI? >>>>> Coverity?) >>>> ACK from me as well, I forgot to send email about it, though I >>>> reviewed >>>> this patch a week ago. 
>>>> >>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >>> >> It's very likely that this commit will break the build of >> freeipa-master. I didn't try. >> >> Because it uses the new function sss_nss_getnamebycert >> from the library libsss_nss_idmap, which is not in Fedora. >> It was pushed to sssd master just today. >> >> LS > > If this is true, can you/somebody provide the SRPM of SSSD with the > required functionality please? We may need to add it to > @freeipa/freeipa-master copr and bump required version of SSSD. > > Martin^2 > Yes, you were right, master build is broken. Martin^2 From rcritten at redhat.com Thu Jun 9 12:51:49 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 9 Jun 2016 08:51:49 -0400 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> Message-ID: <57596665.9070308@redhat.com> Stanislav Laznicka wrote: > Hello, > > Please see the attached patch of > https://fedorahosted.org/freeipa/ticket/5797. > > Standa > > > Just wondering out loud but should usercertificate be excluded from the output if it is unparsable? Is there any value in showing that a bogus value is in there? rob From slaznick at redhat.com Thu Jun 9 13:02:15 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 9 Jun 2016 15:02:15 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <57596665.9070308@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> Message-ID: On 06/09/2016 02:51 PM, Rob Crittenden wrote: > Stanislav Laznicka wrote: >> Hello, >> >> Please see the attached patch of >> https://fedorahosted.org/freeipa/ticket/5797. >> >> Standa >> >> >> > > Just wondering out loud but should usercertificate be excluded from > the output if it is unparsable? Is there any value in showing that a > bogus value is in there? > > rob I think it is a good pointer that something has gone wrong with the certificate. Another way would be to print 'Invalid certificate' instead of it similar to what Apache LDAP Browser does. From mbasti at redhat.com Thu Jun 9 13:03:40 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 15:03:40 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> Message-ID: <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> On 09.06.2016 15:02, Stanislav Laznicka wrote: > On 06/09/2016 02:51 PM, Rob Crittenden wrote: >> Stanislav Laznicka wrote: >>> Hello, >>> >>> Please see the attached patch of >>> https://fedorahosted.org/freeipa/ticket/5797. >>> >>> Standa >>> >>> >>> >> >> Just wondering out loud but should usercertificate be excluded from >> the output if it is unparsable? Is there any value in showing that a >> bogus value is in there? >> >> rob > I think it is a good pointer that something has gone wrong with the > certificate. Another way would be to print 'Invalid certificate' > instead of it similar to what Apache LDAP Browser does. > We can return a warning message that something with certificates is broken. Martin^2 From mbasti at redhat.com Thu Jun 9 13:07:34 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 15:07:34 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> Message-ID: <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> On 09.06.2016 15:03, Martin Basti wrote: > > > On 09.06.2016 15:02, Stanislav Laznicka wrote: >> On 06/09/2016 02:51 PM, Rob Crittenden wrote: >>> Stanislav Laznicka wrote: >>>> Hello, >>>> >>>> Please see the attached patch of >>>> https://fedorahosted.org/freeipa/ticket/5797. >>>> >>>> Standa >>>> >>>> >>>> >>> >>> Just wondering out loud but should usercertificate be excluded from >>> the output if it is unparsable? Is there any value in showing that a >>> bogus value is in there? >>> >>> rob >> I think it is a good pointer that something has gone wrong with the >> certificate. Another way would be to print 'Invalid certificate' >> instead of it similar to what Apache LDAP Browser does. >> > > We can return a warning message that something with certificates is > broken. > > Martin^2 > And you should log it at error log level, because it is an error From rcritten at redhat.com Thu Jun 9 13:14:52 2016
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 9 Jun 2016 09:14:52 -0400 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> Message-ID: <57596BCC.4060407@redhat.com> Stanislav Laznicka wrote: > On 06/09/2016 02:51 PM, Rob Crittenden wrote: >> Stanislav Laznicka wrote: >>> Hello, >>> >>> Please see the attached patch of >>> https://fedorahosted.org/freeipa/ticket/5797. >>> >>> Standa >>> >>> >>> >> >> Just wondering out loud but should usercertificate be excluded from >> the output if it is unparsable? Is there any value in showing that a >> bogus value is in there? >> >> rob > I think it is a good pointer that something has gone wrong with the > certificate. Another way would be to print 'Invalid certificate' instead > of it similar to what Apache LDAP Browser does. My point is that if there is no usercertificate value shown then it would be safe to assume there is no certificate associated with the entry at all, which isn't true. I think a message would be nice. rob From pspacek at redhat.com Thu Jun 9 13:40:20 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 9 Jun 2016 15:40:20 +0200 Subject: [Freeipa-devel] [PATCH 0500] regression: function resolve_rrsets: RRSet object is not hashable In-Reply-To: <5af3aa64-5526-f787-b2f9-b9350cab68b4@redhat.com> References: <5af3aa64-5526-f787-b2f9-b9350cab68b4@redhat.com> Message-ID: On 9.6.2016 14:25, Martin Basti wrote: > This regression was introduced by https://fedorahosted.org/freeipa/ticket/5710 > thus this should go to 4.3.2 as well > > > Patch attached. > ACK -- Petr^2 Spacek From mbasti at redhat.com Thu Jun 9 13:44:01 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 15:44:01 +0200 Subject: [Freeipa-devel] [PATCH 0500] regression: function resolve_rrsets: RRSet object is not hashable In-Reply-To: References: <5af3aa64-5526-f787-b2f9-b9350cab68b4@redhat.com> Message-ID: <13ebcd39-4769-5192-8ad6-d878fd366996@redhat.com> On 09.06.2016 15:40, Petr Spacek wrote: > On 9.6.2016 14:25, Martin Basti wrote: >> This regression was introduced by https://fedorahosted.org/freeipa/ticket/5710 >> thus this should go to 4.3.2 as well >> >> >> Patch attached. >> > ACK > This was actually reproducible only with python3 (because of some incompatibility in python-dns between py2 and py3) Pushed to: master: 971b4bf009f051819d757d451e213c3c82de1c97 ipa-4-3: 262054ae571799bde40a8a8698ee6f07da5d0efb From pvoborni at redhat.com Thu Jun 9 13:54:22 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 9 Jun 2016 15:54:22 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> Message-ID: <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> On 06/09/2016 01:02 PM, Martin Babinsky wrote: > On 06/07/2016 07:01 PM, Pavel Vomacka wrote: >> >> >> On 06/07/2016 12:07 PM, Martin Babinsky wrote: >>> On 06/03/2016 05:25 PM, Martin Babinsky wrote: >>>> I am sending rebased patches implementing >>>> http://www.freeipa.org/page/V4/Server_Roles >>>> >>>> I hope the patches work since I have had a lot of fun rebasing them on >>>> top of thin client and DNS locations effort. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5181 >>>> >>>> >>>> >>> >>> Sending updated patches according to Jan's interactive review. >>> >>> Since the name of attributes returned by API commands and signature of >>> `server-role-find` have changed, a small update in WebUI patches is >>> required. >>> >>> >>> >> NACK, why did you remove sizelimit from the server_role_find command? Is >> it possible to return it back? It breaks WebUI. > > Indeed, this was caused by changing the base class of the command. It is > fixed in updated patches. > NACK Option timelimit? of command server_role_find in ipalib, not in API file: Int('timelimit?', autofill=False) Option sizelimit? of command server_role_find in ipalib, not in API file: Int('sizelimit?', autofill=False) There are one or more changes to the API. Either undo the API changes or update API.txt and increment the major version in VERSION. Makefile:159: recipe for target 'version-update' failed make: *** [version-update] Error 1 -- Petr Vobornik From ftweedal at redhat.com Thu Jun 9 14:04:48 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 10 Jun 2016 00:04:48 +1000 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> Message-ID: <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: > > > On 09.06.2016 15:03, Martin Basti wrote: > > > > > > On 09.06.2016 15:02, Stanislav Laznicka wrote: > > > On 06/09/2016 02:51 PM, Rob Crittenden wrote: > > > > Stanislav Laznicka wrote: > > > > > Hello, > > > > > > > > > > Please see the attached patch of > > > > > https://fedorahosted.org/freeipa/ticket/5797. > > > > > > > > > > Standa > > > > > > > > > > > > > > > > > > > > > > > Just wondering out loud but should usercertificate be excluded > > > > from the output if it is unparsable? Is there any value in > > > > showing that a bogus value is in there? > > > > > > > > rob > > > I think it is a good pointer that something has gone wrong with the > > > certificate. Another way would be to print 'Invalid certificate' > > > instead of it similar to what Apache LDAP Browser does. > > > > > > > We can return a warning message that something with certificates is > > broken. > > > > Martin^2 > > > And you should log it at error log level, because it is error > Is the data from LDAP actually invalid? It should not be possible to store data that is not a syntactically valid X.509 cert in the userCertificate attribute (if it is, we should file a ticket against 389). Is there a full traceback for the original error of #5797? What is the datum that is the immediate cause of the error and what happens to it between the database and the function that throws? 
Could it be a python3 bytes/str problem originating in x509.normalize_certificate? Cheers, Fraser From mbabinsk at redhat.com Thu Jun 9 14:16:19 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 16:16:19 +0200 Subject: [Freeipa-devel] [PATCH 0103-4] installer: Fix single command replica install with --setup-dns In-Reply-To: References: Message-ID: <15e27dc9-e70c-1225-e57b-c89f86043171@redhat.com> On 06/09/2016 08:16 AM, David Kupka wrote: > Should go into master, ipa-4-3 and ipa-4-2. > > https://fedorahosted.org/freeipa/ticket/5945 Works for me, ACK -- Martin^3 Babinsky From mbasti at redhat.com Thu Jun 9 14:17:15 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 16:17:15 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> Message-ID: <2f3a00f6-1faf-fd47-2ae9-b63508807119@redhat.com> On 09.06.2016 16:04, Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: >> >> On 09.06.2016 15:03, Martin Basti wrote: >>> >>> On 09.06.2016 15:02, Stanislav Laznicka wrote: >>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote: >>>>> Stanislav Laznicka wrote: >>>>>> Hello, >>>>>> >>>>>> Please see the attached patch of >>>>>> https://fedorahosted.org/freeipa/ticket/5797. >>>>>> >>>>>> Standa >>>>>> >>>>>> >>>>>> >>>>> Just wondering out loud but should usercertificate be excluded >>>>> from the output if it is unparsable? Is there any value in >>>>> showing that a bogus value is in there? >>>>> >>>>> rob >>>> I think it is a good pointer that something has gone wrong with the >>>> certificate. Another way would be to print 'Invalid certificate' >>>> instead of it similar to what Apache LDAP Browser does. >>>> >>> We can return a warning message that something with certificates is >>> broken. >>> >>> Martin^2 >>> >> And you should log it at error log level, because it is error >> > Is the data from LDAP actually invalid? It should not be possible > to store data that is not a syntactically valid X.509 cert in the > userCertificate attribute (if it is, we should file a ticket against > 389). > > Is there a full traceback for the original error of #5797? What is > the datum that is the immediate cause of the error and what happens > to it between the database and the function that throws? 
> > Could it be a python3 bytes/str problem originating in > x509.normalize_certificate? > > Cheers, > Fraser I was able to put invalid certificate data there using ldif and ldapadd. I can try to reproduce it later or next week. Martin^2 From rcritten at redhat.com Thu Jun 9 14:32:14 2016
From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 9 Jun 2016 10:32:14 -0400 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> Message-ID: <57597DEE.4010704@redhat.com> Fraser Tweedale wrote: > On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: >> >> >> On 09.06.2016 15:03, Martin Basti wrote: >>> >>> >>> On 09.06.2016 15:02, Stanislav Laznicka wrote: >>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote: >>>>> Stanislav Laznicka wrote: >>>>>> Hello, >>>>>> >>>>>> Please see the attached patch of >>>>>> https://fedorahosted.org/freeipa/ticket/5797. >>>>>> >>>>>> Standa >>>>>> >>>>>> >>>>>> >>>>> >>>>> Just wondering out loud but should usercertificate be excluded >>>>> from the output if it is unparsable? Is there any value in >>>>> showing that a bogus value is in there? >>>>> >>>>> rob >>>> I think it is a good pointer that something has gone wrong with the >>>> certificate. Another way would be to print 'Invalid certificate' >>>> instead of it similar to what Apache LDAP Browser does. >>>> >>> >>> We can return a warning message that something with certificates is >>> broken. >>> >>> Martin^2 >>> >> And you should log it at error log level, because it is error >> > Is the data from LDAP actually invalid? It should not be possible > to store data that is not a syntactically valid X.509 cert in the > userCertificate attribute (if it is, we should file a ticket against > 389). > > Is there a full traceback for the original error of #5797? What is > the datum that is the immediate cause of the error and what happens > to it between the database and the function that throws? 
> > Could it be a python3 bytes/str problem originating in > x509.normalize_certificate? > > Cheers, > Fraser > A cert can get in several different ways. IPA sure tries hard not to allow bad certs but I guess they can happen: $ ldapmodify -Y GSSAPI SASL/GSSAPI authentication started SASL username: admin at GREYOAK.COM SASL SSF: 56 SASL data security layer installed. dn: krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com changetype: modify add: usercertificate usercertificate: foo modifying entry "krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com" $ ipa service-show cert/slithy.greyoak.com ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. No traceback, it's a caught error: [Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] admin at GREYOAK.COM: service_mod(u'cert/slithy.greyoak.com at GREYOAK.COM', addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError And interestingly, I can't delete the service and there I _do_ get a traceback. [Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO: [jsonserver_session] admin at GREYOAK.COM: service_show(u'cert/slithy.greyoak.com at GREYOAK.COM', rights=False, all=False, raw=False, version=u'2.156', no_members=False): CertificateFormatError [Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO: Problem decoding certificate: Certificate format error: (SEC_ERROR_LIBRARY_FAILURE) security library failure. [Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR: non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. 
[Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback (most recent call last): [Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in wsgi_execute [Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693] result = self.Command[name](*args, **options) [Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__ [Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693] ret = self.run(*args, **options) [Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run [Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693] return self.execute(*args, **options) [Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1626, in execute [Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693] delete_entry(pkey) [Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1579, in delete_entry [Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693] dn = callback(self, ldap, dn, *nkeys, **options) [Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, in pre_callback [Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693] revoke_certs(entry_attrs.get('usercertificate', []), self.log) [Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, in revoke_certs [Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid
19693] serial = unicode(x509.get_serial_number(cert, x509.DER)) [Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in get_serial_number [Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693] nsscert = load_certificate(certificate, datatype, dbdir) [Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693] File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in load_certificate [Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693] return nss.Certificate(buffer(data)) [Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. [Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO: [jsonserver_session] admin at GREYOAK.COM: service_del((u'cert/slithy.greyoak.com at GREYOAK.COM',), continue=False, version=u'2.156'): NSPRError rob From ftweedal at redhat.com Thu Jun 9 14:48:00 2016 
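The per-value handling the thread is converging on (keep the command going, return a warning, log at error level), as an added example that is not FreeIPA's code: a structural DER check stands in for the NSS parse that raises CertificateFormatError, the entry dict and its DN are constructed, and the `b'foo\n'` value is the one Rob's ldapmodify inserted (`Zm9vCg==` in the addattr log line).

```python
"""Added example (not FreeIPA code): tolerate unparsable userCertificate
values in a find/show-style result instead of failing the whole command.

Assumptions (mine, not from the thread): a structural DER check stands in
for the NSS load_certificate() call; an entry is a dict of attribute name
to list of raw bytes values, plus a 'dn' string.
"""
import base64
import logging

log = logging.getLogger("ipa.usercertificate")


class CertificateFormatError(ValueError):
    """Stand-in for ipalib.errors.CertificateFormatError (name from the thread)."""


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it).

    Raises CertificateFormatError on truncated or non-minimal encodings."""
    if pos >= len(buf):
        raise CertificateFormatError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    nbytes = first & 0x7F                 # long form: N length bytes follow
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise CertificateFormatError("bad long-form length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80 or buf[pos] == 0:    # DER requires the shortest form
        raise CertificateFormatError("non-minimal length")
    return length, pos + nbytes


def check_certificate_der(data):
    """Structural check only: a certificate is a single DER SEQUENCE (tag
    0x30) whose declared length covers exactly the rest of the value.
    This is not a full X.509 parse, but it rejects values such as b'foo\\n'."""
    if not data or data[0] != 0x30:
        raise CertificateFormatError("not a DER SEQUENCE")
    length, body = _der_length(data, 1)
    if body + length != len(data):
        raise CertificateFormatError("length does not match value size")
    return data


def split_user_certificates(entry):
    """Return (valid_values, warnings) for entry['usercertificate'].

    A bad value is reported rather than raised: the command still returns
    the entry, the caller shows the warning (so an entry with a broken
    certificate is not mistaken for one with none), and the failure is
    logged at ERROR level, as asked for in the thread."""
    valid, warnings = [], []
    for idx, value in enumerate(entry.get("usercertificate", [])):
        try:
            valid.append(check_certificate_der(value))
        except CertificateFormatError as exc:
            msg = "usercertificate value %d of %s could not be parsed: %s" % (
                idx, entry.get("dn", "<unknown dn>"), exc)
            log.error(msg)
            warnings.append(msg)
    return valid, warnings


# Constructed sample entry: one structurally valid DER SEQUENCE (not a real
# certificate) followed by the b'foo\n' value from the thread.
SAMPLE_ENTRY = {
    "dn": "krbprincipalname=cert/host.example.test@EXAMPLE.TEST,"
          "cn=services,cn=accounts,dc=example,dc=test",
    "usercertificate": [
        bytes([0x30, 0x03, 0x02, 0x01, 0x01]),   # SEQUENCE { INTEGER 1 }
        base64.b64decode("Zm9vCg=="),            # b'foo\n'
    ],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    certs, warns = split_user_certificates(SAMPLE_ENTRY)
    print("parsed %d value(s), %d warning(s)" % (len(certs), len(warns)))
    for w in warns:
        print("WARNING:", w)
```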
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 10 Jun 2016 00:48:00 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: > On 9.6.2016 11:10, Fraser Tweedale wrote: > > On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: > > > On 9.6.2016 08:44, Fraser Tweedale wrote: > > > > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: > > > > > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: > > > > > > On 8.6.2016 05:15, Fraser Tweedale wrote: > > > > > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > > > > > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > > > > > > > > Hi team, > > > > > > > > > > > > > > > > > > This patchset implements the 'ca' plugin for creating and managing > > > > > > > > > lightweight sub-CAs, and updates the 'caacl' plugin and > > > > > > > > > 'cert-request' command to support multiple CAs. 
> > > > > > > > > > > > > > > > > > A brief overview of the patches: > > > > > > > > > > > > > > > > > > 0059 > > > > > > > > > 'ca' plugin, associated schema changes and container objects, > > > > > > > > > Dogtag REST API wrapper > > > > > > > > > 0060 > > > > > > > > > Add CA entry for the IPA CA on install/upgrade > > > > > > > > > 0061 > > > > > > > > > Update 'caacl' plugin with CA support (including enforcement) > > > > > > > > > 0062 > > > > > > > > > Update ra.request_certificate() to support specifying target CA > > > > > > > > > 0063 > > > > > > > > > Add '--ca' option to 'cert-request' command > > > > > > > > > 0064 > > > > > > > > > Add '--issuer' option to 'cert-find' command > > > > > > > > > > > > > > > > > > These patches depend on other pending patches: > > > > > > > > > > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > > > > > > > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. Builds > > > > > > > > > of Dogtag with the required patches, and of FreeIPA with all > > > > > > > > > completed sub-CAs work, should be available from my COPR soon: > > > > > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > > > > > > > > > > > > > > > Some parts of the design are not implemented in the current > > > > > > > > > patchset, including: > > > > > > > > > > > > > > > > > > - local parent CA (ipaca object) references > > > > > > > > > - sub-CA certificate renewal > > > > > > > > > - 'cert-show' command '--ca=NAME' option > > > > > > > > > - certmonger support for specifying CA > > > > > > > > > - revocation of deleted CAs > > > > > > > > > > > > > > > > > > I look forward to your reviews! > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > Fraser > > > > > > > > > > > > > > > > > Rebased and updated patches attached. 
> > > > > > > > > > > > > > > > Substantive changes: > > > > > > > > > > > > > > > > - add required attributes for issuer DN and subject DN > > > > > > > > - prevent rename of IPA CA > > > > > > > > - when adding IPA CA entry, contact Dogtag to learn authority id, > > > > > > > > issuer DN and subject DN > > > > > > > > - add 'read_ca' method to Dogtag interface > > > > > > > > - tighten ACIs to prevent modification of ipacaid attribute > > > > > > > > > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca > > > > > > > option to cert-show and cert-find. > > > > > > > > > > > > Patch 0059: > > > > > > > > > > > > 1) On upgrade, why is the lightweight CA container created twice - once in > > > > > > 41-subca.update, once using ensure_entry() call? It should be done only > > > > > > once. > > > > > > > > > > > I'll remove 41-subca.update; the routine in cainstance is the one > > > > > that's needed. > > > > > > > > > > > 2) In ca_del, every CA specified in args[0] should be deleted, not just the > > > > > > first one. > > > > > > > > > > > > 3) Do not use NonFatalError, issue a warning instead: > > > > > > > > > > > > self.add_message(MyNewWarningClass(name=...)) > > > > > > > > > > > > 4) Can it actually happen that ca_show does not return ipacaid? I guess not, > > > > > > so you should be able to remove the check altogether and don't bother with > > > > > > the warning. > > > > > > > > > > > ipacaid is mandatory now, so I'll remove the check. > > > > > > > > > > > > > > > > > Patch 0060-0062: LGTM > > > > > > > > > > > Yippee \o/ > > > > > > > > > > > > > > > > > Patch 0063: > > > > > > > > > > > > Could you please define the CA param as follows: > > > > > > > > > > > > Str('cacn?', > > > > > > cli_name='ca', > > > > > > query=True, > > > > > > label=_("CA"), > > > > > > doc=_("CA to use"), > > > > > > ), > > > > > > > > > > > > ? 
> > > > > > > > > > > > This is for consistency with framework-generated parent key params, which > > > > > > unfortunately we cannot leverage in cert_request currently. > > > > > > > > > > > No problemo. > > > > > > > > > > > > > > > > > Patch 0064: > > > > > > > > > > > > 1) See my comment for patch 0063, it applies here as well. > > > > > > > > > > > > 2) The --issuer option should not be included in cert_show - show commands > > > > > > are supposed to retrieve an object given primary key(s), and the primary key > > > > > > of CA objects is just their cn. > > > > > > > > > > > The --issuer argument is because primary key for a cert is really > > > > > (issuer, serial). So it shows the cert _with_ that issuer (and > > > > > serial), not the cert _for_ that issuer. > > > > > > Correct, but in IPA the issuer is represented by the CA object, so in IPA > > > the primary key for a certificate is actually (CA name, serial). > > > > > > Certificate lookup by issuer name and serial is actually a search operation, > > > analogical to how CA lookup by subject name is also a search operation, so > > > it should be done by cert-find. > > > > > OK, I will remove the --issuer option for cert-find. > > > > > > > > > > > > > 3) In find commands, the options form a filter, so instead of raising > > > > > > MutuallyExclusiveError in cert-find, return an empty result, as with any > > > > > > other unmatched filter. > > > > > > > > > > > Here, --issuer and --ca are two different ways to specify the > > > > > issuer. --issuer lets you give the issuer DN straight up; --ca > > > > > takes the name of an IPA CA object and looks up its issuer DN. > > > > > (Thus it makes no sense to give both options at once). > > > > > > That's one way to look at it, but it's true only if you assume that > > > cert-find can only search certificates in Dogtag.
This will very soon become > > > untrue, as we will allow cert-find to also search certificates anywhere in > > > LDAP (the server part of ticket #5381). There, the difference between the > > > options would be that with --ca you search for certificates issued by the > > > specified managed CA, but with --issuer you search for certificates with the > > > given issuer name, be it managed CA or not. > > > > > --ca is just a "shorthand" for --issuer - it merely looks up subject > > DN of the specified CA, and uses that as the issuer option. > > > > > For now, IMO the correct behavior should be that if both are specified and > > > the issuer name of the specified CA does not match the specified issuer > > > name, empty result is returned, otherwise carry on with the search in > > > Dogtag. > > > > > If I allow both, the behaviour will then be: > > > > specify issuer DN only) > > search using given issuer DN > > specify CA only) > > search using subject DN of specified CA. If no such CA, error. > > specify issuer DN and CA) > > search using given issuer DN, and ensure that result (if any) > > matches subject DN of specified CA. If no such CA, error. > > > > I'm happy to implement this if you confirm that you think it's the > > correct behaviour. > > Looks correct to me. > Thanks; updated patches attached. Martin, this patch should also fix the upgrade issue. Cheers, Fraser -------------- next part -------------- From d56c617000216a77281ecd1ccc8111ee8028fdfb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Thu, 14 May 2015 01:46:06 -0400 Subject: [PATCH 59/63] Add 'ca' plugin This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 8 ++ API.txt | 64 +++++++++ VERSION | 4 +- install/conf/ipa-pki-proxy.conf | 4 +- install/share/60certificate-profiles.ldif | 4 + install/share/bootstrap-template.ldif | 6 + install/updates/41-lightweight-cas.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipaserver/install/cainstance.py | 7 + ipaserver/install/server/upgrade.py | 16 ++- ipaserver/plugins/ca.py | 217 ++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 54 +++++++- 13 files changed, 385 insertions(+), 6 deletions(-) create mode 100644 install/updates/41-lightweight-cas.update create mode 100644 ipaserver/plugins/ca.py diff --git a/ACI.txt b/ACI.txt index a09495e5a445d7c3bc51f0b082c538b80bbb425a..586f7343ef13b4b30e23543027220ed37ba2cb48 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example 
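Review bot: the "System: Modify CA" ACI grants write on `cn || description`, so anyone holding that permission can rename any `ipaca` entry, the IPA CA included, directly over LDAP; the "prevent rename of IPA CA" change mentioned earlier in this thread is then enforced only in the plugin unless the ACI's targetfilter also excludes the IPA CA entry. Keeping `ipacaid`, `ipacaissuerdn` and `ipacasubjectdn` out of the writable set is right, since those values are learned from Dogtag; the "System: Read CAs" ACI does expose `ipacaid` to every authenticated user (`userdn = "ldap:///all"`), which is worth a sentence in the commit message confirming it is intended.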
diff --git a/API.txt b/API.txt index f17093022d54d5cd0ccbf1863f6def0589bbf8c9..06e2bb56ad200de599112ffad17b4084e1ca44f3 100644 --- a/API.txt +++ b/API.txt 
@@ -450,12 +450,76 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,7,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: DNParam('ipacasubjectdn', cli_name='subject') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,11,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: DNParam('ipacaissuerdn?', autofill=False, cli_name='issuer') +option: DNParam('ipacasubjectdn?', autofill=False, cli_name='subject') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') 
+option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 4ada7467a646b4b7162fd56248399a65f8600663..5ab3c9d93db91a25cf4af6f77d678b4879c4910e 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=176 -# Last change: mbasti - location-show: list servers in the location +IPA_API_VERSION_MINOR=177 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
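Review bot: `ca_mod` exposes `Str('rename?', cli_name='rename')` and `ca_del` takes `Str('cn+', cli_name='name')`, so the plugin must refuse to rename or delete the IPA CA's own entry; neither constraint is visible from API.txt, so please make sure the tests cover both, and that `ca_del` really deletes every name in `cn+` (the earlier review point). The option counts (`1,7,3`, `1,2,3`, `1,11,4`, `1,9,3`, `1,4,3`) match the options listed under each command, and the VERSION bump to `IPA_API_VERSION_MINOR=177` is in place.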
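Review bot: in the `install/conf/ipa-pki-proxy.conf` hunk the changed LocationMatch directive has been reduced to bare `-` and `+` markers in this copy, so the new URL pattern cannot be reviewed here; because that block sets `NSSVerifyClient optional` and proxies straight to Dogtag via `ProxyPassMatch ajp://localhost:$DOGTAG_PORT`, please confirm the pattern is limited to the lightweight CA REST API paths named in the commit message and does not widen the set of proxied paths. The `# VERSION 8` to `# VERSION 9` bump is present as required.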
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..a87fe667d56768419dacf57103e347e88c945e2a 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -4,5 +4,9 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY 
description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f6ab35495ad7e9377404eb7a6b0bca26906f5421..da12ddf0ca887e8305402048ceed5d5b28816164 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -476,3 +476,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/install/updates/41-lightweight-cas.update b/install/updates/41-lightweight-cas.update new file mode 100644 index 0000000000000000000000000000000000000000..72313e2ab12ab520eb12ade404fb5b6dd55a9d71 --- /dev/null +++ b/install/updates/41-lightweight-cas.update @@ -0,0 +1,4 @@ +dn: cn=cas,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: cas diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 737a8bbbd1a4915a6aefec2d273b90bb3ca31710..0dbd85c5254290c0130e1149d3226728cf84129c 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -38,6 +38,7 @@ app_DATA = \ 40-otp.update \ 40-vault.update \ 41-caacl.update \ + 41-lightweight-cas.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 97dff1d805a4f77469882103ab63cdb0fa55a024..05ba1adbbf215680c9c23963fc8c90c4bfca4ce8 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,7 @@ DEFAULT_CONFIG = ( ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
@@ -265,3 +266,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index becb0b1728746bb2c432d08e92425ceb95bb261a..3e2576d058733c9859f4c5b003afdacf26408348 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1629,6 +1629,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: 
@@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..ee98f0a2a9dc469d67676a3123d82ce519ba6d59 --- /dev/null +++ b/ipaserver/plugins/ca.py 
@@ -0,0 +1,217 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipaserver.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipaserver.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = [ + 'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn', + ] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + DNParam('ipacasubjectdn', + cli_name='subject', + label=_('Subject DN'), + doc=_('Subject Distinguished Name'), + flags=['no_update'], + ), + DNParam('ipacaissuerdn', + cli_name='issuer', + label=_('Issuer DN'), + doc=_('Issuer Distinguished Name'), + flags=['no_create', 'no_update'], + ), + ) + + permission_filter_objectclasses 
= ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'ipacaissuerdn', + 'ipacasubjectdn', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + }, + 'replaces': [ + '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # check for name collision before creating CA in Dogtag + try: + api.Object.ca.get_dn_if_exists(keys[-1]) + self.obj.handle_duplicate_entry(*keys) + except errors.NotFound: + pass + + # Create the CA in Dogtag. + with self.api.Backend.ra_lightweight_ca as ca_api: + resp = ca_api.create_ca(options['ipacasubjectdn']) + entry['ipacaid'] = [resp['id']] + entry['ipacaissuerdn'] = [resp['issuerDN']] + + # In the event that the issued certificate's subject DN + # differs from what was requested, record the actual DN. + # + entry['ipacasubjectdn'] = [resp['dn']] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + + return dn + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + if 'rename' in options or 'cn' in entry_attrs: + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=u'IPA CA cannot be renamed') + + return dn diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c4dc4e8c3ea55a0e1b67870dfb8eee45af..20349b05f02c6e186275a822a487eb4733d75c7d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2073,7 +2073,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( @@ -2147,3 +2150,52 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + New CA is issued by IPA CA. Nested sub-CAs and unrelated + root CAs are not yet supported. + + Return the (parsed) JSON response from server. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def read_ca(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', ca_id, headers={'Accept': 'application/json'}) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From 947335bcbaadbf29ac19bcc9be8482fe7e566dba Mon Sep 17 00:00:00 2001 
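Review bot: in ipaserver/plugins/ca.py the class attribute `permission_filter_objectclasses = ['ipaca']` is assigned twice, once in the block that starts with `container_dn = api.env.container_ca` and again immediately before `managed_permissions`. Drop one of them; the duplicate is harmless now but invites the two copies drifting apart.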
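Review bot: `ca_add.pre_callback` creates the authority in Dogtag (`ca_api.create_ca(options['ipacasubjectdn'])`) before the LDAP entry exists and has no compensation path. The `get_dn_if_exists` collision check is racy, and if the LDAP add fails for any reason after the REST call returned, the lightweight CA stays in Dogtag with no `ipaCa` entry and therefore cannot be seen or deleted through `ipa ca-*`. Consider disabling and deleting the authority in an exception callback when the add fails, or at least logging the orphaned authority ID so an admin can clean it up.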
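Review bot: `ca_del.pre_callback` runs `disable_ca` and `delete_ca` before the LDAP entry is removed, so a failed LDAP delete leaves an `ipaCa` entry that points at an authority Dogtag no longer has, and a retry then fails inside `disable_ca` rather than at the LDAP step. Disabling first (to stop issuance), deleting the LDAP entry, and only then deleting from Dogtag, or doing the Dogtag deletion in a post callback, would keep the two stores recoverable. Independently, nothing here checks whether certificates were issued by the CA being deleted; if that is intentional it deserves a sentence in the docstring.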
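Review bot: the "IPA CA cannot be deleted/renamed" protection is enforced only at the API layer while the managed permissions grant it at the directory layer: 'System: Delete CA' targets `cn=*,cn=cas,cn=ca,$SUFFIX` and 'System: Modify CA' allows writing `cn`, so a holder of the 'CA Administrator' privilege can remove or rename `cn=ipa` with a plain LDAP client and bypass the `ProtectedEntryError` in `ca_del` and `ca_mod`. Either accept that the API check is advisory and say so, or add a targetfilter excluding `cn=ipa` from the delete and write ACIs. Minor: `ca_mod` uses `reason=u'IPA CA cannot be renamed'` while `ca_del` uses `_("IPA CA cannot be deleted")`; both should be translatable.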
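Review bot: in `ra_lightweight_ca.create_ca` and `read_ca` the bare `except:` around `json.loads(resp_body)` catches everything, including `KeyboardInterrupt` and errors that have nothing to do with malformed JSON; narrow it to `except ValueError`. Also `disable_ca` and `delete_ca` discard the status returned by `_ssldo`; please confirm `_ssldo` raises on a non-2xx response, otherwise a failed Dogtag delete goes unnoticed and `ca_del` proceeds to remove the LDAP entry anyway.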
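Review bot: `ensure_lightweight_cas_container` (creating `ou=authorities,ou=ca,o=ipaca`) is only wired into `upgrade_configuration`; there is no corresponding installer step in this patch, so please confirm a fresh `ipa-server-install` gets the container from Dogtag's own database setup. It would also help to state the ordering requirement between `ca_upgrade_schema` (which now loads `schema-authority.ldif`) and `ca_ensure_lightweight_cas_container`, since the container's objectclasses are plain `organizationalUnit` but the entries under it will need the new schema.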
From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/63] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 37 +++++++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 38 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3e2576d058733c9859f4c5b003afdacf26408348..c7f3116f62ce1158a04af23f29439c4a1d1a102f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -433,6 +433,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1900,6 +1901,42 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + + # find out authority id, issuer DN and subject DN of IPA CA + # + api.Backend.ra_lightweight_ca._read_password() + api.Backend.ra_lightweight_ca.override_port = 8443 + with api.Backend.ra_lightweight_ca as lwca: + data = lwca.read_ca('host-authority') + attrs = dict( + ipacaid=data['id'], + ipacaissuerdn=data['issuerDN'], + ipacasubjectdn=data['dn'], + ) + api.Backend.ra_lightweight_ca.override_port = None + + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + **attrs + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From b5e645687571c725d7e136728add6909181f33c4 Mon Sep 17 00:00:00 2001 
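Review bot: `ensure_ipa_authority_entry` sets `api.Backend.ra_lightweight_ca.override_port = 8443` and only resets it to `None` on the success path; if `lwca.read_ca('host-authority')` raises, the override leaks into the rest of the installer or upgrade process. Put the reset in a `finally:` block, and prefer the configured CA port over the literal `8443`. Reaching into `_read_password()` from outside the backend is also a smell; a public "reload credentials" method on `ra_lightweight_ca` would make the intent clear.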
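Review bot: on LDAP connect failure the function logs `Cannot connect to LDAP to add CA` and returns, so the upgrade finishes "successfully" without `cn=ipa,cn=cas,cn=ca,$SUFFIX`. That mirrors `ensure_default_caacl`, but the consequence is worse here: the later cert-request change resolves every request's CA through `ca_show`, so a missing `ipa` entry breaks all certificate issuance. Either fail the upgrade step loudly or make sure the error surfaces in the upgrade summary so it is not silently skipped.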
From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/63] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 ++++++++++++-- VERSION | 4 +- ipaserver/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++--------------- ipaserver/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index 06e2bb56ad200de599112ffad17b4084e1ca44f3..f434ebad7cc0fa22388266a1dc696c15c6ec530f 100644 --- a/API.txt +++ b/API.txt @@ -521,12 +521,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) @@ -538,6 +539,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') 
@@ -607,12 +619,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) @@ -628,13 +641,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) 
@@ -647,6 +661,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 5ab3c9d93db91a25cf4af6f77d678b4879c4910e..9a40fde7593aee748a96417abef25b92221e5a14 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=177 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=178 +# Last change: ftweedal - update caacl plugin for lightweight CAs diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, 
@@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name @@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj 
@@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { @@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], 
@@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index cbb5382fb5217d92c65d4b215b497958a31e978c..ef53608ece00ca6951ddeab08e0915a596116fcf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -29,6 +29,7 @@ from ipalib import errors from ipalib import pkcs10 from ipalib import x509 from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -236,7 +237,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -320,7 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From 213da73765bb2120fe633ca327c3cab5b02286a9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/63] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipaserver/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ef53608ece00ca6951ddeab08e0915a596116fcf..8fccb76292b685033f8ebda347b51a4eb599d2bc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
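Review bot: naming in caacl.py. `_acl_make_request` and `acl_evaluate` rename `ca_ref` to `ca_id`, but the value passed in is the CA entry's `cn` (`IPA_CA_CN` from cert.py, matched against `ipamemberca_ca` names), whereas `ca_id` in the following ra.request_certificate patch means the Dogtag authority ID (`ipacaid`). Using the same name for two different identifiers across adjacent patches will cause mistakes; `ca_name` or `ca_cn` here would be clearer.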
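Review bot: the compatibility rule in `_acl_make_rule` (`rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])`, i.e. no CA members and no category means the host authority is allowed) is documented only in a code comment and the commit message. It is the one axis of a CA ACL where an empty member set grants access rather than denying it (an ACL with no users and no user category matches nobody), so please spell it out in the module docstring next to the `--cacat=all` example so admins auditing ACLs are not surprised.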
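Review bot: `ipamemberca` now holds DNs of `ipaCa` entries, but `ca_del` in the earlier patch does not remove references from CA ACLs. Please confirm the referential integrity plugin configuration covers `ipamemberca`; otherwise deleting a CA leaves dangling member DNs that show up in `caacl-show` and, if a CA with the same name is later re-created, silently re-grant access through the stale ACL.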
@@ -499,7 +499,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 20349b05f02c6e186275a822a487eb4733d75c7d..43aab92ffe6bba42d21135eb4f87cbde635f86e0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1554,10 +1554,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1586,13 +1588,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 14d8f06da5e13bdb59bb3ab4ed51e5386f6b59cd Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/63] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index f434ebad7cc0fa22388266a1dc696c15c6ec530f..73b2379a7f86fcd00eabcb0bc1db4401223c8803 100644 --- a/API.txt +++ b/API.txt @@ -758,9 +758,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('cacn?', cli_name='ca') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index 9a40fde7593aee748a96417abef25b92221e5a14..6577c80904f99ab6b30217ddc82625ccda928df0 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=178 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=179 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 8fccb76292b685033f8ebda347b51a4eb599d2bc..63a051fabdcd89d430128d3f06f44f17b9e09a27 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -274,7 +274,13 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('cacn?', + cli_name='ca', + query=True, + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -321,7 +327,13 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) and look up authority ID. + # + ca = kw.get('cacn', IPA_CA_CN) + ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -499,7 +511,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From 33753add93c4baa93fb873a4e3e71e84a655884c Mon Sep 17 00:00:00 2001 
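Review bot: the dogtag.py `request_certificate` hunk in patch 62 makes `ca_id` a required positional parameter, which is why check-ra.py and cert.py in the same patch have to be touched only to pass a bare `None`; at those call sites the literal is not self-explanatory. Giving it a default, `def request_certificate(self, csr, profile_id, ca_id=None, request_type='pkcs10'):` (mirrored in rabase.py), leaves existing callers untouched and lets patch 63 pass `ca_id=ca_id` by keyword; the `if ca_id:` branch already handles the `None` case.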
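Review bot: in the patch 63 cert.py hunk that adds `ca = kw.get('cacn', IPA_CA_CN)`, the comment has a typo ("nonexistant" should be "nonexistent") and should state what the code relies on: `api.Command.ca_show(ca)` raising NotFound for an unknown name, that exception being what the user sees before any CA ACL check runs. The new option's `doc=_("CA to use")` could also say it takes the CA's name (the value `ca_show` is keyed on), since the authority ID is looked up from `ipacaid` and is never passed by the user.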
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH] Add issuer options to cert-show and cert-find Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 7 +++++-- VERSION | 4 ++-- ipaserver/plugins/cert.py | 47 +++++++++++++++++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 9 +++++++++ 4 files changed, 63 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 73b2379a7f86fcd00eabcb0bc1db4401223c8803..cb6bd81ff35799c9cdfe43f95358ce31806f0cc3 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,19,4 option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cacn?', autofill=False, cli_name='ca') option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -774,8 +776,9 @@ option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') command: cert_show -args: 1,2,1 +args: 1,3,1 arg: Str('serial_number') +option: Str('cacn?', autofill=False, cli_name='ca') option: Str('out?') option: Str('version?') output: Output('result') diff --git a/VERSION b/VERSION index 6577c80904f99ab6b30217ddc82625ccda928df0..600ab8182332de68bc356100ae0e232c68e30d90 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=179 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=180 +# Last change: ftweedal - add issuer options to cert-show and cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63a051fabdcd89d430128d3f06f44f17b9e09a27..171d08b9df6537e1e0422e461c56e6a170fb820d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -610,6 +610,13 @@ class cert_show(VirtualCommand): ) takes_options = ( + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), @@ -631,8 +638,24 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)s " + "issued by CA '%(ca)s' not found") + % dict(serial=serial_number, ca=options['cacn'])) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
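Review bot: the new `cacn` option in the cert_show hunk has a typo in its doc string: `_('Name of issing CA')` should read `_('Name of issuing CA')`; the identical string is added to cert_find's options in this patch, so both need the fix.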
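Review bot: in the cert_show execute hunk, the comment explaining why Dogtag is not told the issuer ends in a stray empty `#` line directly above `result=self.Backend.ra.get_certificate(serial_number)`; drop that line. The post-hoc `DN(unicode(cert.issuer)) != DN(issuer_dn)` check is the right shape given the shared serial number domain the comment describes, and reporting the mismatch as NotFound (rather than revealing which CA did issue the serial) is the correct choice for a lookup keyed on a caller-supplied CA name.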
@@ -734,6 +757,18 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -818,6 +853,18 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + ca_sdn = unicode(ca_obj['ipacasubjectdn'][0]) + if 'issuer' in options: + if DN(ca_sdn) != DN(options['issuer']): + # client has provided both 'ca' and 'issuer' but + # issuer DNs don't match; result must be empty + return dict(result=[], count=0, truncated=False) + else: + options['issuer'] = ca_sdn + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From ofayans at redhat.com Thu Jun 9 14:48:57 2016 
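Review bot: the cert_find execute hunk repeats the `api.Command.ca_show(options['cacn'])['result']['ipacasubjectdn'][0]` lookup that the cert_show hunk also performs; factor it into one helper (for example `_ca_subject_dn(cacn)`) so the two cannot drift apart. Also confirm that the early `return dict(result=[], count=0, truncated=False)` carries exactly the keys the normal path produces after `ret = dict(result=self.Backend.ra.find(options))`, since whatever `execute` does to `ret` after that point is skipped on this path.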
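Review bot: in the dogtag.py `find` hunk at line 1809, the new `issuerDN` element is added without a matching entry in `booloptions`, whereas the `subject` case just above it sets `booloptions['subjectInUse'] = True`. Please verify against the CMS search request format whether an `issuerDN` filter needs an analogous in-use flag; if it does, Dogtag will ignore the element and `--issuer` / `--ca` will silently return unfiltered results.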
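Review bot: the dogtag.py hunk at line 1897 has a copy-paste bug: after `issuer_dn = cert.xpath('IssuerDN')` the guard tests `len(dn) == 1` (the SubjectDN list from the preceding block) instead of `len(issuer_dn) == 1`. An entry with a SubjectDN but no IssuerDN raises IndexError on `issuer_dn[0]`, and one with an IssuerDN but no SubjectDN never reports its issuer. Change the guard to `if len(issuer_dn) == 1:`.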
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 9 Jun 2016 16:48:57 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides Message-ID: <575981D9.2040305@redhat.com> Hi guys, Here is the first somewhat skeletal and pretty short version of the testplan. Could you please review it anyone? http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ftweedal at redhat.com Thu Jun 9 14:58:49 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 10 Jun 2016 00:58:49 +1000 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <57597DEE.4010704@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> <57597DEE.4010704@redhat.com> Message-ID: <20160609145849.GE4744@dhcp-40-8.bne.redhat.com> On Thu, Jun 09, 2016 at 10:32:14AM -0400, Rob Crittenden wrote: > Fraser Tweedale wrote: > > On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: > > > > > > > > > On 09.06.2016 15:03, Martin Basti wrote: > > > > > > > > > > > > On 09.06.2016 15:02, Stanislav Laznicka wrote: > > > > > On 06/09/2016 02:51 PM, Rob Crittenden wrote: > > > > > > Stanislav Laznicka wrote: > > > > > > > Hello, > > > > > > > > > > > > > > Please see the attached patch of > > > > > > > https://fedorahosted.org/freeipa/ticket/5797. > > > > > > > > > > > > > > Standa > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Just wondering out loud but should usercertificate be excluded > > > > > > from the output if it is unparsable? Is there any value in > > > > > > showing that a bogus value is in there? > > > > > > > > > > > > rob > > > > > I think it is a good pointer that something has gone wrong with the > > > > > certificate. Another way would be to print 'Invalid certificate' > > > > > instead of it similar to what Apache LDAP Browser does. > > > > > > > > > > > > > We can return a warning message that something with certificates is > > > > broken. > > > > > > > > Martin^2 > > > > > > > And you should log it at error log level, because it is error > > > > > Is the data from LDAP actually invalid? 
It should not be possible > > to store data that is not a syntactically valid X.509 cert in the > > userCertificate attribute (if it is, we should file a ticket against > > 389). > > > > Is there a full traceback for the original error of #5797? What is > > the datum that is the immediate cause of the error and what happens > > to it between the database and the function that throws? > > > > Could it be a python3 bytes/str problem originating in > > x509.normalize_certificate? > > > > Cheers, > > Fraser > > > > A cert can get in several different ways. IPA sure tries hard not to allow > bad certs but I guess they can happen: > > $ ldapmodify -Y GSSAPI > SASL/GSSAPI authentication started > SASL username: admin at GREYOAK.COM > SASL SSF: 56 > SASL data security layer installed. > dn: krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com > changetype: modify > add: usercertificate > usercertificate: foo > > modifying entry "krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com" > > $ ipa service-show cert/slithy.greyoak.com > ipa: ERROR: Certificate format error: (SEC_ERROR_INVALID_ARGS) security > library: invalid arguments. > > No traceback, it's a caught error: > > [Thu Jun 09 10:27:58.642749 2016] [wsgi:error] [pid 19694] ipa: INFO: > [jsonserver_session] admin at GREYOAK.COM: > service_mod(u'cert/slithy.greyoak.com at GREYOAK.COM', > addattr=(u'usercertificate=Zm9vCg==',), rights=False, all=False, raw=False, > version=u'2.156', no_members=False): CertificateFormatError > > And interestingly, I can't delete the service and there I _do_ get a > traceback. 
> > [Thu Jun 09 10:29:34.236210 2016] [wsgi:error] [pid 19694] ipa: INFO: > [jsonserver_session] admin at GREYOAK.COM: > service_show(u'cert/slithy.greyoak.com at GREYOAK.COM', rights=False, > all=False, raw=False, version=u'2.156', no_members=False): > CertificateFormatError > [Thu Jun 09 10:30:55.692025 2016] [wsgi:error] [pid 19693] ipa: INFO: > Problem decoding certificate: Certificate format error: > (SEC_ERROR_LIBRARY_FAILURE) security library failure. > [Thu Jun 09 10:30:55.770495 2016] [wsgi:error] [pid 19693] ipa: ERROR: > non-public: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. > [Thu Jun 09 10:30:55.770527 2016] [wsgi:error] [pid 19693] Traceback (most > recent call last): > [Thu Jun 09 10:30:55.770534 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 347, in > wsgi_execute > [Thu Jun 09 10:30:55.770541 2016] [wsgi:error] [pid 19693] result = > self.Command[name](*args, **options) > [Thu Jun 09 10:30:55.770547 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 442, in __call__ > [Thu Jun 09 10:30:55.770552 2016] [wsgi:error] [pid 19693] ret = > self.run(*args, **options) > [Thu Jun 09 10:30:55.770558 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 759, in run > [Thu Jun 09 10:30:55.770563 2016] [wsgi:error] [pid 19693] return > self.execute(*args, **options) > [Thu Jun 09 10:30:55.770569 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1626, in > execute > [Thu Jun 09 10:30:55.770575 2016] [wsgi:error] [pid 19693] > delete_entry(pkey) > [Thu Jun 09 10:30:55.770580 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 1579, in > delete_entry > [Thu Jun 09 10:30:55.770585 2016] [wsgi:error] [pid 19693] dn = > callback(self, ldap, dn, *nkeys, **options) >
[Thu Jun 09 10:30:55.770591 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 594, in > pre_callback > [Thu Jun 09 10:30:55.770597 2016] [wsgi:error] [pid 19693] > revoke_certs(entry_attrs.get('usercertificate', []), self.log) > [Thu Jun 09 10:30:55.770617 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/plugins/service.py", line 258, in > revoke_certs > [Thu Jun 09 10:30:55.770625 2016] [wsgi:error] [pid 19693] serial = > unicode(x509.get_serial_number(cert, x509.DER)) > [Thu Jun 09 10:30:55.770631 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 183, in > get_serial_number > [Thu Jun 09 10:30:55.770637 2016] [wsgi:error] [pid 19693] nsscert = > load_certificate(certificate, datatype, dbdir) > [Thu Jun 09 10:30:55.770642 2016] [wsgi:error] [pid 19693] File > "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 128, in > load_certificate > [Thu Jun 09 10:30:55.770648 2016] [wsgi:error] [pid 19693] return > nss.Certificate(buffer(data)) > [Thu Jun 09 10:30:55.770653 2016] [wsgi:error] [pid 19693] NSPRError: > (SEC_ERROR_LIBRARY_FAILURE) security library failure. > [Thu Jun 09 10:30:55.771242 2016] [wsgi:error] [pid 19693] ipa: INFO: > [jsonserver_session] admin at GREYOAK.COM: > service_del((u'cert/slithy.greyoak.com at GREYOAK.COM',), continue=False, > version=u'2.156'): NSPRError > > rob > Yikes, I guess I hoped too much when I expected userCertificate to barf if given a value that doesn't look like an X.509 cert. Reading https://tools.ietf.org/html/rfc4523#section-2.1, looks like garbage-in/garbage-out is (unfortunately) the right behaviour for DS. Cheers, Fraser From sbose at redhat.com Thu Jun 9 15:06:19 2016
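The behaviour this thread converges on (one unparsable userCertificate value in an entry must not abort service-show or service-del, but should be logged at error level and surfaced as a warning), shown as an added example that is not FreeIPA's own code. In place of the NSS-backed `x509.load_certificate` seen in the traceback it uses a minimal pure-Python DER reader that walks only the outer structure of a certificate (Certificate, tbsCertificate, the optional `[0]` version, then the serialNumber INTEGER) and reports any violation as a `CertificateFormatError`. The function names `get_serial_number`, `load_user_certificates` and `build_fake_cert_der`, the logger name, and the fake-certificate sample are constructed for this example; the bogus value is the `Zm9vCg==` from Rob's log line.

```python
"""Tolerant handling of userCertificate values (added example, not FreeIPA code)."""
import base64
import logging

log = logging.getLogger("usercert-example")  # hypothetical logger name

# The value stored with ldapmodify in the thread: base64 'Zm9vCg==' is b'foo\n'.
BOGUS_VALUE = base64.b64decode("Zm9vCg==")


class CertificateFormatError(ValueError):
    """Raised when a value is not syntactically a DER-encoded certificate."""


def _der_len(length):
    """Encode a DER length field (short form below 128, long form above)."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(value):
    """DER INTEGER for a non-negative value (a leading zero byte keeps it positive)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_fake_cert_der(serial):
    """Constructed sample with the outer shape of an X.509 certificate.

    Only the [0] version and serialNumber fields are real; the remaining
    fields are empty placeholders, so this is NOT a usable certificate."""
    version = der_tlv(0xA0, der_integer(2))                   # [0] EXPLICIT version v3
    tbs = der_tlv(0x30, version + der_integer(serial) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


def _read_tlv(data, pos, expected_tag=None):
    """Read one TLV at pos and return (tag, body, next_pos); raise on any defect."""
    if pos + 2 > len(data):
        raise CertificateFormatError("truncated header at offset %d" % pos)
    tag, first = data[pos], data[pos + 1]
    if expected_tag is not None and tag != expected_tag:
        raise CertificateFormatError(
            "expected tag 0x%02x at offset %d, got 0x%02x" % (expected_tag, pos, tag))
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                                      # long form: n length bytes
        if n == 0 or n > 4 or pos + n > len(data):
            raise CertificateFormatError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise CertificateFormatError("value of %d bytes overruns the data" % length)
    return tag, data[pos:pos + length], pos + length


def get_serial_number(der):
    """Return the serialNumber of a DER certificate or raise CertificateFormatError."""
    _, cert_body, end = _read_tlv(der, 0, 0x30)              # Certificate ::= SEQUENCE
    if end != len(der):
        raise CertificateFormatError("trailing bytes after the certificate")
    _, tbs, _ = _read_tlv(cert_body, 0, 0x30)                # tbsCertificate ::= SEQUENCE
    tag, body, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                          # optional [0] version: skip it
        tag, body, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise CertificateFormatError("serialNumber INTEGER not found")
    return int.from_bytes(body, "big")


def load_user_certificates(values):
    """Parse every userCertificate value and return (serials, warnings).

    A malformed value is logged at error level and reported in warnings so
    the valid certificates are still processed and the calling command can
    finish instead of raising, which is what the thread asks for."""
    serials, warnings = [], []
    for index, value in enumerate(values):
        try:
            serials.append(get_serial_number(value))
        except CertificateFormatError as exc:
            msg = "userCertificate[%d] is not a valid certificate: %s" % (index, exc)
            log.error(msg)
            warnings.append(msg)
    return serials, warnings


if __name__ == "__main__":
    good = build_fake_cert_der(0x1234)
    print(load_user_certificates([good, BOGUS_VALUE, good[:-3]]))
```

The point is the control flow rather than the parser: each value is decoded on its own, a failure is recorded against that value's index, and the result carries both the usable certificates and the warnings, so `service-del` can still revoke the good certificates and delete the entry. A real implementation would hand each value to a full X.509 parser; this one only checks enough DER structure to distinguish a certificate from the `foo` that Directory Server accepted.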
From: sbose at redhat.com (Sumit Bose) Date: Thu, 9 Jun 2016 17:06:19 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides In-Reply-To: <575981D9.2040305@redhat.com> References: <575981D9.2040305@redhat.com> Message-ID: <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote: > Hi guys, > > Here is the first somewhat skeletal and pretty short version of the > testplan. Could you please review it anyone? > > http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan Hi Oleg, 'Make sure the id view is applied to ipa master host' the IPA masters/servers will always and only have the 'Default Trust View'. But it is ok to use the 'Default Trust View' for testing the certificates in the ID override. The 'openssl req ...' call will only generate a certificate request and not the certificate itself. The request must still be signed by e.g. the IPA CA. Please see the blog posts of Fraser (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/) and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details. Since you want to test certificates in overrides you should use idoverrideuser-add-cert and idoverrideuser-remove-cert instead of user-add-cert and user-remove-cert. bye, Sumit > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbabinsk at redhat.com Thu Jun 9 15:06:38 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 17:06:38 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> Message-ID: On 06/09/2016 03:54 PM, Petr Vobornik wrote: > On 06/09/2016 01:02 PM, Martin Babinsky wrote: >> On 06/07/2016 07:01 PM, Pavel Vomacka wrote: >>> >>> >>> On 06/07/2016 12:07 PM, Martin Babinsky wrote: >>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote: >>>>> I am sending rebased patches implementing >>>>> http://www.freeipa.org/page/V4/Server_Roles >>>>> >>>>> I hope the patches work since I have had a lot of fun rebasing them on >>>>> top of thin client and DNS locations effort. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5181 >>>>> >>>>> >>>>> >>>> >>>> Sending updated patches according to Jan's interactive review. >>>> >>>> Since the name of attributes returned by API commands and signature of >>>> `server-role-find` have changed, a small update in WebUI patches is >>>> required. >>>> >>>> >>>> >>> NACK, why did you remove sizelimit from server_role_find command's? Is >>> it possible to return it back? It breaks WebUI. >> >> Indeed, this was caused by changing the base class of the command. It is >> fixed in updated patches. >> > > NACK > > Option timelimit? of command server_role_find in ipalib, not in API file: > Int('timelimit?', autofill=False) > Option sizelimit? of command server_role_find in ipalib, not in API file: > Int('sizelimit?', autofill=False) > > There are one or more changes to the API. > Either undo the API changes or update API.txt and increment the major > version in VERSION. > Makefile:159: recipe for target 'version-update' failed > make: *** [version-update] Error 1 > Oops, seems like a missed API.txt update. Fixed. 
-- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0146-5-Server-roles-definitions-of-server-roles-and-attribu.patch Type: text/x-patch Size: 21169 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0147-5-Server-Roles-Backend-plugin-to-query-roles-and-attri.patch Type: text/x-patch Size: 6160 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0148-5-Test-suite-for-serverroles-backend.patch Type: text/x-patch Size: 25087 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0149-4-Server-Roles-public-API-for-server-roles.patch Type: text/x-patch Size: 8360 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0150-3-Server-Roles-make-server-show-find-utilize-role-info.patch Type: text/x-patch Size: 8778 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0151-3-Server-Roles-make-config-show-consume-relevant-roles.patch Type: text/x-patch Size: 9790 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0152-3-Server-Roles-provide-an-API-for-setting-CA-renewal-m.patch Type: text/x-patch Size: 3867 bytes Desc: not available URL: From pspacek at redhat.com Thu Jun 9 15:10:23 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 9 Jun 2016 17:10:23 +0200 Subject: [Freeipa-devel] [PATCH] pylint fixes In-Reply-To: References: Message-ID: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> Hello, I've received a bunch of pylint fixes produced by an upstream contributor who is not subscribed to the list so I'm resending them here. All credit goes to Bárta Jan <55042barta at sstebrno.eu>. Flo, if you have time for it I think that it could be a good exercise which will lead you to various dark corners in IPA :-) Petr^2 Spacek -------- Forwarded Message -------- Date: Fri, 3 Jun 2016 14:57:16 +0200
From: Bárta Jan <55042barta at sstebrno.eu> To: pspacek at redhat.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-pylint-fix-simplifiable-if-statement-warnings.patch Type: text/x-patch Size: 7658 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-pylint-fix-multiple-statements.patch Type: text/x-patch Size: 1727 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-pylint-fix-unneeded-not.patch Type: text/x-patch Size: 7482 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0005-pylint-fix-pointless-statement.patch Type: text/x-patch Size: 4980 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0006-pylint-fix-redefine-in-handler.patch Type: text/x-patch Size: 3563 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0007-pylint-fix-old-style-class.patch Type: text/x-patch Size: 4277 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0008-pylint-fix-bad-classmethod-argument.patch Type: text/x-patch Size: 1820 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0009-pylint-fix-bad-mcs-classmethod-argument.patch Type: text/x-patch Size: 1360 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0010-pylint-fix-bad-mcs-method-argument.patch Type: text/x-patch Size: 3708 bytes Desc: not available URL: From pvomacka at redhat.com Thu Jun 9 15:39:45 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Thu, 9 Jun 2016 17:39:45 +0200 Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles In-Reply-To: <5d97b475-c08a-951c-8064-f7c6030ff5bf@redhat.com> References: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com> <6c5ee253-49b1-5f24-00a1-15feb77728e4@redhat.com> <5d97b475-c08a-951c-8064-f7c6030ff5bf@redhat.com> Message-ID: <23d76534-e7bf-99d2-67b5-a7246646938c@redhat.com> On 06/08/2016 04:09 PM, Petr Vobornik wrote: > On 06/05/2016 07:22 PM, Pavel Vomacka wrote: >> >> On 06/03/2016 03:10 PM, Petr Vobornik wrote: >>> On 06/02/2016 01:40 PM, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review my patches which add webui for server roles. >>>> >>> Did not test yet. I'm waiting for rebase of backend. >>> >>> Patch 36: ACK (assuming it works when ^^ is available) >>> >>> Patch 37: >>> >>> 1. typo: 'overriden' - twice >> Fixed. >>> 2. 'create_column_link' is a bad name for the method. The method doesn't >>> create a column link. It is a link's click handler. So the name should >>> be e.g. on_column_link_click >> Yes, this is better. Fixed. >>> Patch 38: >>> >>> 1. in serverroles_nested_search_facet wouldn't it be better to override >>> only get_refresh_command_options and maybe get_refresh_command_args >>> instead of full create_refresh_command? >>> >> Fixed. >> >> Attached the whole patchset with edited patches. >> >> -- >> Pavel^3 Vomacka > 1. Following line breaks navigation: > that.on_column_link_click(value, entity); > it should be: > return that.on_column_link_click(value, entity); > Attached patches are rebased and updated according to new Server Role patches. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0036-2-Association-table-can-be-read-only.patch Type: text/x-patch Size: 1413 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pvomacka-0037-3-Extend-table-facet.patch Type: text/x-patch Size: 5367 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0038-3-Add-server-roles-on-topology-page.patch Type: text/x-patch Size: 9492 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0044-Search-facet-can-be-without-search-field.patch Type: text/x-patch Size: 1826 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jun 9 15:49:50 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 17:49:50 +0200 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: <20160606103855.ptkbthy27mv3qz5g@redhat.com> References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> Message-ID: <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: > Hi, > > In case an ID override was created for an Active Directory user in the > default trust view, allow mapping the incoming GSSAPI authenticated > connection to the ID override for this user. > > This allows to self-manage ID override parameters from the CLI, for > example, SSH public keys or certificates. Admins can define what can be > changed by the users via self-service permissions. > > Part of https://fedorahosted.org/freeipa/ticket/2149 > > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 9 15:56:29 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 17:56:29 +0200 Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter In-Reply-To: <20160606113719.3c2hweabc7xojkad@redhat.com> References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> Message-ID: On 06/06/2016 01:37 PM, Alexander Bokovoy wrote: > On Mon, 06 Jun 2016, Jan Cholasta wrote: >> On 6.6.2016 13:22, Martin Basti wrote: >>> >>> >>> On 06.06.2016 13:14, Alexander Bokovoy wrote: >>>> On Mon, 06 Jun 2016, Martin Basti wrote: >>>>> >>>>> >>>>> On 06.06.2016 12:36, Alexander Bokovoy wrote: >>>>>> Hi, >>>>>> >>>>>> MS-ADTS spec requires that TrustPartner field should be equal to the >>>>>> commonName (cn) of the trust. We used it a bit wrongly to express >>>>>> trust relationship between parent and child domains. In fact, we >>>>>> have parent-child relationship recorded in the DN (child domains >>>>>> are part of the parent domain's container). >>>>>> >>>>>> Remove the argument that was never used externally but only >>>>>> supplied by >>>>>> trust-specific code inside the IPA framework. >>>>>> >>>>>> Part of https://fedorahosted.org/freeipa/ticket/5354 >>>>>> >>>>>> >>>>>> >>>>> >>>>> Hello, how is handled backward compatibility here, you just removes >>>>> the option from API, without any additional logic for older clients. >>>> This is not used by the external clients at all. It is part of internal >>>> logic of the code in trust.py+com.redhat.trust.fetch-domains which >>>> always talk to the same server they are running on. 
>>>> >>>> @register() >>>> class trustdomain_add(LDAPCreate): >>>> __doc__ = _('Allow access from the trusted domain') >>>> NO_CLI = True >>>> >>>> >>> >>> Yes sorry, not old IPA clients, but it was part of API, shown in API >>> browser, and since this was in API, it is set to stone. So If you think >>> that it is safe to be removed and nobody can hit this, I'm okay for >>> removing that option. Maybe we should at least wrote it to release notes >>> (I'll let Honza to express his feelings as API versioning/compatibility >>> sensei) >> >> IMHO it is safe to remove. >> >>> >>> And you forgot to increment api version in VERSION file > Updated patch attached, with a VERSION change. > > > ACK -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 9 16:03:43 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 18:03:43 +0200 Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain In-Reply-To: <20160607202543.5iqyhx4igwd4lz3h@redhat.com> References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> <20160607160018.fusf4llmh6gqgu3c@redhat.com> <20160607202543.5iqyhx4igwd4lz3h@redhat.com> Message-ID: <4d5a410f-f7c9-1c89-2d43-4d6822bdaae3@redhat.com> On 06/07/2016 10:25 PM, Alexander Bokovoy wrote: > On Tue, 07 Jun 2016, Alexander Bokovoy wrote: >> > del attrs['ipanttrusttype'] >> > + if attributes: >> > + del attrs['ipanttrustattributes'] >> > """ >> Updated patch is attached. > Another update, forgot one space in the allow_behavior(). > > I also spent some time and did pep8 fixes for dcerpc.py. I reduced > reported errors down to 22 from 260+. These 22 are for lines longer than > 79 characters and I don't want to reduce them further because they are > smaller than 84 characters already. > > patch 201-2 ACK patch 207: I appreciate the effort you put into this, but as I said earlier we require PEP8 compliance only when writing new code or modifying the old one. Even if re-formatting the whole module is just a refactoring and it is unlikely to break anything it will drastically alter the git history, that's why we are not reformatting old modules and that's why I was sometime ago told not to do this. But feel free to open a ticket if this is an issue for you and you would like the patch to be pushed. -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 9 16:07:40 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Thu, 9 Jun 2016 18:07:40 +0200
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To: <20160607173511.6o3a4ovu3vpcqneq@redhat.com>
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com>
Message-ID: <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com>

On 06/07/2016 07:35 PM, Alexander Bokovoy wrote:
> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>> On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
>>> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>>>> Hi,
>>>>>
>>>>> Add support for additional user name principal suffixes from
>>>>> trusted Active Directory forests. UPN suffixes are property
>>>>> of the forest and as such are associated with the forest root
>>>>> domain.
>>>>>
>>>>> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>>>> attribute of ipaNTTrustedDomain object class.
>>>>>
>>>>> In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>>>> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>>>>
>>>>> For more details on UPN and naming in Active Directory see
>>>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5354
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hi Alexander,
>>>>
>>>> a few comments:
>>>>
>>>> 1.)
>>>>
>>>> there are some PEP8 violations in the patch. Not all of them need to
>>>> be fixed, though (line overhangs < 5 characters are OK by me).
>>>> >>>> """ >>>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters) >>>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters) >>>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' >>>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters) >>>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters) >>>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters) >>>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line >>>> under-indented for visual indent >>>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 >>>> characters) >>>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' >>>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 >>>> characters) >>>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 >>>> characters) >>>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' >>>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, >>>> found 1 >>>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, >>>> found 1 >>>> """ >>> I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough >>> now -- breaking following line is not giving any reasonable benefit: >>> >>> res['ipantflatname'] = >>> unicode(t.forest_trust_data.netbios_domain_name.string) >>> >> >> Looking at the code, it would be IMHO more readable to directly append >> dict literals to the result like so: >> >> """ >> --- a/ipaserver/dcerpc.py >> +++ b/ipaserver/dcerpc.py 
>> @@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, >> creds=None, server=None): >> tname = unicode(t.forest_trust_data.dns_domain_name.string) >> if tname == trustdomain: >> continue >> - res = dict() >> - res['cn'] = tname >> - res['ipantflatname'] = >> unicode(t.forest_trust_data.netbios_domain_name.string) >> - res['ipanttrusteddomainsid'] = >> unicode(t.forest_trust_data.domain_sid) >> - result['domains'][tname] = res >> + >> + result['domains'][tname] = { >> + 'cn': tname, >> + 'ipantflatname': unicode( >> + t.forest_trust_data.netbios_domain_name.string), >> + 'ipanttrusteddomainsid': unicode( >> + t.forest_trust_data.domain_sid) >> + } >> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: >> tname = unicode(t.forest_trust_data.string) >> if tname == trustdomain: >> continue >> - res = dict() >> - res['cn'] = tname >> - result['suffixes'][tname] = res >> + >> + result['suffixes'][tname] = {'cn': tname} >> return result >> """ > Makes sense. Fixed. > >> >> Also there is a whitespace before colon here: >> """ >> + result = {'domains': {}, 'suffixes' : {}} >> ^ >> """ >> Please fix that and I will be a happy engineer. > Fixed. > >> >>>> 2.) >>>> >>>> Should the ipaNTAdditionalSuffixes attribute be case insensitive? It >>>> makes sense but I'm just asking so that we don't end changing the >>>> schema later. >>> ipaNTAdditionalSuffixes is defined as >>> >>> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>> 1.3.6.1.4.1.1466.115.121.1.15) >>> >>> There should be no problem with case sensitivity already. >>> >> OK I presume that the UPN suffixes on AD are also case-insensitive so >> everything should be alright. > Yes, as everything realm-related on AD side, they are case-insensitive. > > Updated patch attached. 1.) 
there is one unused import that makes pylint choke: """ ************* Module com.redhat.idm install/oddjob/com.redhat.idm.trust-fetch-domains:6: [W0611(unused-import), ] Unused errors imported from ipalib) Makefile:137: recipe for target 'lint' failed make: *** [lint] Error 1 """ 2.) The UPN suffixes are added during trust establishment and I can also kinit as the enterprise principal using one of UPNs, but only when using two-way trust. Is this expected? I was not able to find any clue in the design page but maybe I was just not looking hard enough. -- Martin^3 Babinsky From abokovoy at redhat.com Thu Jun 9 16:46:42 2016 
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jun 2016 19:46:42 +0300
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To: <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com>
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com> <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com>
Message-ID: <20160609164642.ogbmk6m2fnbggdlh@redhat.com>

On Thu, 09 Jun 2016, Martin Babinsky wrote:
>On 06/07/2016 07:35 PM, Alexander Bokovoy wrote:
>>On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
>>>>On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>>>On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>>>>>Hi,
>>>>>>
>>>>>>Add support for additional user name principal suffixes from
>>>>>>trusted Active Directory forests. UPN suffixes are property
>>>>>>of the forest and as such are associated with the forest root
>>>>>>domain.
>>>>>>
>>>>>>FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
>>>>>>attribute of ipaNTTrustedDomain object class.
>>>>>>
>>>>>>In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
>>>>>>LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.
>>>>>>
>>>>>>For more details on UPN and naming in Active Directory see
>>>>>>https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>>>>
>>>>>>https://fedorahosted.org/freeipa/ticket/5354
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>Hi Alexander,
>>>>>
>>>>>a few comments:
>>>>>
>>>>>1.)
>>>>>
>>>>>there are some PEP8 violations in the patch. Not all of them need to
>>>>>be fixed, though (line overhangs < 5 characters are OK by me).
>>>>> >>>>>""" >>>>>./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters) >>>>>./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters) >>>>>./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' >>>>>./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters) >>>>>./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters) >>>>>./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters) >>>>>./ipaserver/plugins/trust.py:490:9: E128 continuation line >>>>>under-indented for visual indent >>>>>./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 >>>>>characters) >>>>>./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' >>>>>./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 >>>>>characters) >>>>>./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 >>>>>characters) >>>>>./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' >>>>>./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, >>>>>found 1 >>>>>./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, >>>>>found 1 >>>>>""" >>>>I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough >>>>now -- breaking following line is not giving any reasonable benefit: >>>> >>>> res['ipantflatname'] = >>>>unicode(t.forest_trust_data.netbios_domain_name.string) >>>> >>> >>>Looking at the code, it would be IMHO more readable to directly append >>>dict literals to the result like so: >>> >>>""" >>>--- a/ipaserver/dcerpc.py >>>+++ b/ipaserver/dcerpc.py 
>>>@@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, >>>creds=None, server=None): >>> tname = unicode(t.forest_trust_data.dns_domain_name.string) >>> if tname == trustdomain: >>> continue >>>- res = dict() >>>- res['cn'] = tname >>>- res['ipantflatname'] = >>>unicode(t.forest_trust_data.netbios_domain_name.string) >>>- res['ipanttrusteddomainsid'] = >>>unicode(t.forest_trust_data.domain_sid) >>>- result['domains'][tname] = res >>>+ >>>+ result['domains'][tname] = { >>>+ 'cn': tname, >>>+ 'ipantflatname': unicode( >>>+ t.forest_trust_data.netbios_domain_name.string), >>>+ 'ipanttrusteddomainsid': unicode( >>>+ t.forest_trust_data.domain_sid) >>>+ } >>> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: >>> tname = unicode(t.forest_trust_data.string) >>> if tname == trustdomain: >>> continue >>>- res = dict() >>>- res['cn'] = tname >>>- result['suffixes'][tname] = res >>>+ >>>+ result['suffixes'][tname] = {'cn': tname} >>> return result >>>""" >>Makes sense. Fixed. >> >>> >>>Also there is a whitespace before colon here: >>>""" >>>+ result = {'domains': {}, 'suffixes' : {}} >>> ^ >>>""" >>>Please fix that and I will be a happy engineer. >>Fixed. >> >>> >>>>>2.) >>>>> >>>>>Should the ipaNTAdditionalSuffixes attribute be case insensitive? It >>>>>makes sense but I'm just asking so that we don't end changing the >>>>>schema later. >>>>ipaNTAdditionalSuffixes is defined as >>>> >>>>attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>>>'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>>>associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>>>1.3.6.1.4.1.1466.115.121.1.15) >>>> >>>>There should be no problem with case sensitivity already. >>>> >>>OK I presume that the UPN suffixes on AD are also case-insensitive so >>>everything should be alright. >>Yes, as everything realm-related on AD side, they are case-insensitive. >> >>Updated patch attached. > >1.) 
>there is one unused import that makes pylint choke:
>
>"""
>************* Module com.redhat.idm
>install/oddjob/com.redhat.idm.trust-fetch-domains:6:
>[W0611(unused-import), ] Unused errors imported from ipalib)
>Makefile:137: recipe for target 'lint' failed
>make: *** [lint] Error 1
>"""
Fixed, thanks. I wasn't attentive to why it considered that error.

>2.) The UPN suffixes are added during trust establishment and I can
>also kinit as the enterprise principal using one of UPNs, but only
>when using two-way trust. Is this expected? I was not able to find any
>clue in the design page but maybe I was just not looking hard enough.
No, it works just fine for one-way trust as well. The way UPNs are used
in AD is a bit awkward -- you define them globally for the whole forest
first and then assign a specific UPN suffix to the user account in the
account properties. Only then can you use the suffix for this user:

[root@f24-master ~]# net ads search -S w12.ad.test -k cn=grumpy |grep userPrincipalName
userPrincipalName: grumpy@torchwood

[root@f24-master ~]# KRB5_TRACE=/dev/stderr kinit -E -C grumpy@torchwood
[9135] 1465490159.655327: Resolving unique ccache of type KEYRING
[9135] 1465490159.655408: Getting initial credentials for grumpy\@torchwood@IPA.AD.TEST
[9135] 1465490159.656798: Sending request (176 bytes) to IPA.AD.TEST
[9135] 1465490159.656994: Initiating TCP connection to stream 192.168.5.117:88
[9135] 1465490159.657122: Sending TCP request to stream 192.168.5.117:88
[9135] 1465490159.657655: Received answer (169 bytes) from stream 192.168.5.117:88
[9135] 1465490159.657679: Terminating TCP connection to stream 192.168.5.117:88
[9135] 1465490159.657715: Response was from master KDC
[9135] 1465490159.657741: Received error from KDC: -1765328316/Realm not local to KDC
[9135] 1465490159.657756: Following referral to realm AD.TEST
[9135] 1465490159.657783: Sending request (168 bytes) to AD.TEST
[9135] 1465490159.674764: Resolving hostname w12.ad.test.
[9135] 1465490159.679514: Sending initial UDP request to dgram 192.168.5.111:88
[9135] 1465490159.680158: Received answer (171 bytes) from dgram 192.168.5.111:88
[9135] 1465490159.688085: Response was not from master KDC
[9135] 1465490159.688141: Received error from KDC: -1765328359/Additional pre-authentication required
[9135] 1465490159.688203: Processing preauth types: 16, 15, 19, 2
[9135] 1465490159.688252: Selected etype info: etype aes256-cts, salt "AD.TESTgrumpy", params ""
[9135] 1465490159.688285: PKINIT client has no configured identity; giving up
[9135] 1465490159.688315: PKINIT client has no configured identity; giving up
[9135] 1465490159.688342: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[9135] 1465490159.688368: PKINIT client has no configured identity; giving up
[9135] 1465490159.688394: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for grumpy\@torchwood@AD.TEST: 
[9135] 1465490162.317092: AS key obtained for encrypted timestamp: aes256-cts/C61F
[9135] 1465490162.317176: Encrypted timestamp (for 1465490162.505923): plain 301AA011180F32303136303630393136333630325AA105020307B843, encrypted ADD327ACC03C99C821D9FBBE280866D6342D3CE1BBA2C720CF5A5BEBA586ECD0034CD2C3448F5FD6D66219DB77DC51D81C8C1D6D01A87AC9
[9135] 1465490162.317228: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[9135] 1465490162.317272: Produced preauth for next request: 2
[9135] 1465490162.317328: Sending request (246 bytes) to AD.TEST
[9135] 1465490162.346793: Resolving hostname w12.ad.test.
[9135] 1465490162.352714: Sending initial UDP request to dgram 192.168.5.111:88
[9135] 1465490162.353537: Received answer (1442 bytes) from dgram 192.168.5.111:88
[9135] 1465490162.366042: Response was not from master KDC
[9135] 1465490162.366094: Processing preauth types: 19
[9135] 1465490162.366139: Selected etype info: etype aes256-cts, salt "AD.TESTgrumpy", params ""
[9135] 1465490162.366190: Produced preauth for next request: (empty)
[9135] 1465490162.366235: AS key determined by preauth: aes256-cts/C61F
[9135] 1465490162.366328: Decrypted AS reply; session key is: aes256-cts/BD45
[9135] 1465490162.366382: FAST negotiation: unavailable
[9135] 1465490162.366416: Initializing KEYRING:persistent:0:krb_ccache_dSjqZkD with default princ grumpy@AD.TEST
[9135] 1465490162.366488: Storing grumpy@AD.TEST -> krbtgt/AD.TEST@AD.TEST in KEYRING:persistent:0:krb_ccache_dSjqZkD
[9135] 1465490162.366550: Storing config in KEYRING:persistent:0:krb_ccache_dSjqZkD for krbtgt/AD.TEST@AD.TEST: pa_type: 2
[9135] 1465490162.366585: Storing grumpy@AD.TEST -> krb5_ccache_conf_data/pa_type/krbtgt\/AD.TEST\@AD.TEST@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_dSjqZkD

As you can see, the realm was considered non-local and a referral to the
correct realm was issued, then kinit followed the referral and finally
we've got the ticket for grumpy@AD.TEST because canonicalization was
requested. If canonicalization had not been requested, the principal would
be the enterprise one but, again, from the other realm:

[root@f24-master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_lIqrVtl
Default principal: grumpy\@torchwood@AD.TEST

Valid starting       Expires              Service principal
06/09/2016 19:45:16  06/10/2016 05:45:16  krbtgt/AD.TEST@AD.TEST
	renew until 06/10/2016 19:45:13

-- 
/ Alexander Bokovoy
-------------- next part --------------
From 366242a58d476ae34d46629b779a8e9d7df29195 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy Date: Mon, 6 Jun 2016 11:41:46 +0300 Subject: [PATCH 2/8] adtrust: support UPNs for trusted domain users Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 --- ACI.txt | 2 +- daemons/ipa-kdb/ipa_kdb_mspac.c | 60 +++++++++++++++---- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 + .../ipa-extdom-extop/ipa_extdom_common.c | 9 ++- install/oddjob/com.redhat.idm.trust-fetch-domains | 31 +--------- install/share/60basev3.ldif | 3 +- ipaserver/dcerpc.py | 40 +++++++++---- ipaserver/plugins/trust.py | 69 ++++++++++++++++------ 8 files changed, 142 insertions(+), 73 deletions(-) diff --git a/ACI.txt b/ACI.txt index a09495e..6f691f2 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -309,7 +309,7 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry dn: dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) dn: cn=trusts,dc=ipa,dc=example -aci: (targetattr = "cn || createtimestamp || entryusn || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) +aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=trusts,dc=ipa,dc=example aci: (targetattr = "gidnumber || krbprincipalname || uidnumber")(version 3.0;acl "permission:System: Read system trust accounts";allow (compare,read,search) groupdn = "ldap:///cn=System: Read system trust accounts,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=groups,cn=accounts,dc=ipa,dc=example diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index d54ca71..80e7055 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -2273,7 +2273,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) { - int i; + int i, j; if (!*mspac) return; @@ -2290,6 +2290,12 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) free((*mspac)->trusts[i].sid_blacklist_outgoing); free((*mspac)->trusts[i].parent_name); (*mspac)->trusts[i].parent = NULL; + if ((*mspac)->trusts[i].upn_suffixes) { + for (j = 0; (*mspac)->trusts[i].upn_suffixes[j]; j++) { + free((*mspac)->trusts[i].upn_suffixes[j]); + } + free((*mspac)->trusts[i].upn_suffixes); + } } free((*mspac)->trusts); } @@ -2405,7 +2411,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) LDAP *lc = ipactx->lcontext; char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName", "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming", - "ipaNTSIDBlacklistOutgoing", NULL }; + "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL }; char *filter = "(objectclass=ipaNTTrustedDomain)"; krb5_error_code kerr; LDAPMessage *res = NULL; 
@@ -2462,26 +2468,42 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) goto done; } + t[n].flat_name = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTFlatName", &t[n].flat_name); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } + t[n].domain_sid = NULL; ret = ipadb_ldap_attr_to_str(lc, le, "ipaNTTrustedDomainSID", &t[n].domain_sid); - if (ret) { + if (ret && ret != ENOENT) { ret = EINVAL; goto done; } ret = string_to_sid(t[n].domain_sid, &t[n].domsid); - if (ret) { + if (ret && t[n].domain_sid != NULL) { ret = EINVAL; goto done; } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTAdditionalSuffixes", + &t[n].upn_suffixes); + + if (ret) { + if (ret == ENOENT) { + /* This attribute is optional */ + ret = 0; + t[n].upn_suffixes = NULL; + } else { + ret = EINVAL; + goto done; + } + } + ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming", &sid_blacklist_incoming); @@ -2808,6 +2830,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, struct ipadb_context *ipactx; int i, j, length; const char *name; + bool result = false; if (test_realm == NULL || test_realm[0] == '\0') { return KRB5_KDB_NOENTRY; 
@@ -2829,12 +2852,27 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, /* Iterate through list of trusts and check if input realm belongs to any of the trust */ for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - if ((strncasecmp(test_realm, - ipactx->mspac->trusts[i].domain_name, - size) == 0) || - (strncasecmp(test_realm, - ipactx->mspac->trusts[i].flat_name, - size) == 0)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].domain_name, + size) == 0; + + if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].flat_name, + size) == 0; + } + + if (!result && (ipactx->mspac->trusts[i].upn_suffixes != NULL)) { + for (j = 0; ipactx->mspac->trusts[i].upn_suffixes[j]; j++) { + result = strncasecmp(test_realm, + ipactx->mspac->trusts[i].upn_suffixes[j], + size) == 0; + if (result) + break; + } + } + + if (result) { /* return the realm if caller supplied a place for it */ if (trusted_realm != NULL) { name = (ipactx->mspac->trusts[i].parent_name != NULL) ? diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h index 1052bb8..30382d2 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h +++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h @@ -47,6 +47,7 @@ struct ipadb_adtrusts { int len_sid_blacklist_outgoing; struct ipadb_adtrusts *parent; char *parent_name; + char **upn_suffixes; }; int string_to_sid(const char *str, struct dom_sid *sid); diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 445624f..823c05c 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
@@ -1011,8 +1011,13 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, char *buf = NULL; struct sss_nss_kv *kv_list = NULL; - ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, - domain_name); + if (strchr(name, SSSD_DOMAIN_SEPARATOR) == NULL) { + ret = asprintf(&fq_name, "%s%c%s", name, SSSD_DOMAIN_SEPARATOR, + domain_name); + } else { + /* SSSD_DOMAIN_SEPARATOR already present, assume UPN */ + ret = asprintf(&fq_name, "%s", name); + } if (ret == -1) { ret = LDAP_OPERATIONS_ERROR; set_err_msg(req, "Failed to create fully qualified name"); diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index ea00f30..57b15f7 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -3,7 +3,7 @@ from ipaserver import dcerpc from ipaserver.install.installutils import is_ipa_configured, ScriptError from ipapython import config, ipautil -from ipalib import api, errors +from ipalib import api from ipapython.dn import DN from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG 
@@ -170,33 +170,8 @@ except gssapi.exceptions.GSSError: ipa_domain = api.env.domain os.environ['KRB5CCNAME'] = oneway_ccache_name domains = dcerpc.fetch_domains(api, ipa_domain, trusted_domain, creds=True) - -if domains: - # trust range must exist by the time fetch_domains_from_trust is called - range_name = unicode(trusted_domain.upper() + '_id_range') - old_range = api.Command.idrange_show(range_name, raw=True)['result'] - idrange_type = old_range['iparangetype'][0] - - result = [] - for dom in domains: - dom['trust_type'] = u'ad' - try: - name = dom['cn'] - del dom['cn'] - - res = api.Command.trustdomain_add(trusted_domain, name, **dom) - result.append(res['result']) - - if idrange_type != u'ipa-ad-trust-posix': - range_name = name.upper() + '_id_range' - dom['range_type'] = u'ipa-ad-trust' - # Do not pass ipaserver.dcerpc.TrustInstance to trust.add_range - # to force it using existing credentials cache - trust.add_range(api, None, range_name, dom['ipanttrusteddomainsid'], - trusted_domain, name, **dom) - except errors.DuplicateEntry: - # Ignore updating duplicate entries - pass +trust_domain_object = api.Command.trust_show(trusted_domain, raw=True)['result'] +trust.add_new_domains_from_trust(api, None, trust_domain_object, domains) if old_ccache: os.environ['KRB5CCNAME'] = old_ccache diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5ebe335..059174b 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif 
@@ -56,6 +56,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.64 NAME 'ipaSecretKeyRef' DESC 'DN of attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#11 wrapping mechanism equivalent to CK_MECHANISM_TYPE' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.1') attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2') attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' ) # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782 
@@ -64,7 +65,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUC objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing) ) +objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTTrustedDomainSID $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes $ ipaNTSIDBlacklistIncoming $ ipaNTSIDBlacklistOutgoing $ ipaNTAdditionalSuffixes) ) objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.10 NAME 'ipaSELinuxUserMap' SUP 
ipaAssociation STRUCTURAL MUST ipaSELinuxUser MAY ( accessTime $ seeAlso ) X-ORIGIN 'IPA v3') diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 5f56643..dc25ab7 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1197,7 +1197,10 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): def communicate(td): td.init_lsa_pipe(td.info['dc']) netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) - domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) + # Older FreeIPA versions used netr_DsrEnumerateDomainTrusts call + # but it doesn't provide information about non-domain UPNs associated + # with the forest, thus we have to use netr_DsRGetForestTrustInformation + domains = netr_pipe.netr_DsRGetForestTrustInformation(td.info['dc'], '', 0) return domains domains = None @@ -1225,6 +1228,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): raise assess_dcerpc_exception(message=str(e)) td.info['dc'] = unicode(result.pdc_dns_name) + td.info['name'] = unicode(result.dns_domain) if type(creds) is bool: # Rely on existing Kerberos credentials in the environment td.creds = credentials.Credentials() 
@@ -1254,16 +1258,30 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None): if domains is None: return None - result = [] - for t in domains.array: - if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and - (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): - res = dict() - res['cn'] = unicode(t.dns_name) - res['ipantflatname'] = unicode(t.netbios_name) - res['ipanttrusteddomainsid'] = unicode(t.sid) - res['ipanttrustpartner'] = res['cn'] - result.append(res) + result = {'domains': {}, 'suffixes': {}} + # netr_DsRGetForestTrustInformation returns two types of entries: + # domain information -- name, NetBIOS name, SID of the domain + # top level name info -- a name suffix associated with the forest + # We should ignore forest root name/name suffix as it is already part + # of trust information for IPA purposes and only add what's inside the forest + for t in domains.entries: + if t.type == lsa.LSA_FOREST_TRUST_DOMAIN_INFO: + tname = unicode(t.forest_trust_data.dns_domain_name.string) + if tname == trustdomain: + continue + result['domains'][tname] = { + 'cn': tname, + 'ipantflatname': unicode( + t.forest_trust_data.netbios_domain_name.string), + 'ipanttrusteddomainsid': unicode( + t.forest_trust_data.domain_sid) + } + elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: + tname = unicode(t.forest_trust_data.string) + if tname == trustdomain: + continue + + result['suffixes'][tname] = {'cn': tname} return result diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py index 744be93..0f1bb00 100644 --- a/ipaserver/plugins/trust.py +++ b/ipaserver/plugins/trust.py 
@@ -487,11 +487,16 @@ class trust(LDAPObject): object_name_plural = _('trusts') object_class = ['ipaNTTrustedDomain'] default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', - 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', - 'ipanttrustpartner', 'ipanttrustforesttrustinfo', - 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ] + 'ipanttrusttype', 'ipanttrustattributes', + 'ipanttrustdirection', 'ipanttrustpartner', + 'ipanttrustforesttrustinfo', + 'ipanttrustposixoffset', + 'ipantsupportedencryptiontypes', + 'ipantadditionalsuffixes'] search_display_attributes = ['cn', 'ipantflatname', - 'ipanttrusteddomainsid', 'ipanttrusttype'] + 'ipanttrusteddomainsid', 'ipanttrusttype', + 'ipanttrustattributes', + 'ipantadditionalsuffixes'] managed_permissions = { 'System: Read Trust Information': { # Allow reading of attributes needed for SSSD subdomains support @@ -505,7 +510,7 @@ class trust(LDAPObject): 'ipantflatname', 'ipantsecurityidentifier', 'ipanttrusteddomainsid', 'ipanttrustpartner', 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing', - 'ipanttrustdirection' + 'ipanttrustdirection', 'ipantadditionalsuffixes', }, }, @@ -1457,8 +1462,11 @@ class trustdomain(LDAPObject): object_name = _('trust domain') object_name_plural = _('trust domains') object_class = ['ipaNTTrustedDomain'] - default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrustpartner'] - search_display_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', ] + default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid', + 'ipanttrustpartner', 'ipantadditionalsuffixes'] + search_display_attributes = ['cn', 'ipantflatname', + 'ipanttrusteddomainsid', + 'ipantadditionalsuffixes'] label = _('Trusted domains') label_singular = _('Trusted domain') 
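Review bot: the @@ -487 hunk also adds 'ipanttrustattributes' to trust.search_display_attributes, which is unrelated to UPN suffixes and is not mentioned in the commit message; either move it to a separate patch or say why it is needed here. The @@ -1457 hunk lists 'ipantadditionalsuffixes' among trustdomain's default and search display attributes, yet nothing in this patch writes that attribute to a child domain entry (add_new_domains_from_trust stores the suffixes on the trust entry only), so either state in the commit message that it is expected to be empty on trustdomain objects or leave it out of trustdomain.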
@@ -1500,9 +1508,10 @@ class trustdomain(LDAPObject): class trustdomain_find(LDAPSearch): __doc__ = _('Search domains of the trust') - has_output_params = LDAPSearch.has_output_params + ( + has_output_params = LDAPSearch.has_output_params + trust_output_params + ( Flag('domain_enabled', label= _('Domain enabled')), ) + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): return (filters, base_dn, ldap.SCOPE_SUBTREE) @@ -1511,11 +1520,10 @@ class trustdomain_find(LDAPSearch): return truncated trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') trust_entry = ldap.get_entry(trust_dn) + blacklist = trust_entry.get('ipantsidblacklistincoming') for entry in entries: - sid = entry['ipanttrusteddomainsid'][0] - - blacklist = trust_entry.get('ipantsidblacklistincoming') - if blacklist is None: + sid = entry.get('ipanttrusteddomainsid', [None])[0] + if sid is None: continue if sid in blacklist: @@ -1540,10 +1548,12 @@ class trustdomain_add(LDAPCreate): takes_options = LDAPCreate.takes_options + (_trust_type_option,) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - if 'ipanttrustpartner' in options: - entry_attrs['ipanttrustpartner'] = [options['ipanttrustpartner']] + # ipaNTTrustPartner must always be set to the name of the trusted domain + # See MS-ADTS 6.1.6.7.13 + entry_attrs['ipanttrustpartner'] = [dn[0]['cn']] return dn + @register() class trustdomain_del(LDAPDelete): __doc__ = _('Remove infromation about the domain associated with the trust.') @@ -1586,9 +1596,11 @@ def fetch_domains_from_trust(myapi, trustinstance, trust_entry, **options): server = options.get('realm_server', None) domains = ipaserver.dcerpc.fetch_domains(myapi, trustinstance.local_flatname, - trust_name, creds=creds, server=server) + trust_name, creds=creds, + server=server) return domains + def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options): result = [] if not domains: 
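Review bot: the @@ -1511 hunk in trustdomain_find drops the `if blacklist is None: continue` guard when it hoists `blacklist = trust_entry.get('ipantsidblacklistincoming')` out of the loop, so a trust entry without that attribute now makes `if sid in blacklist:` raise TypeError on the first domain that has a SID, where the old code skipped it; hoist the guard as well, e.g. `blacklist = trust_entry.get('ipantsidblacklistincoming', [])`.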
@@ -1600,7 +1612,12 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt old_range = myapi.Command.idrange_show(range_name, raw=True)['result'] idrange_type = old_range['iparangetype'][0] - for dom in domains: + suffixes = list() + suffixes.extend(y['cn'] + for x, y in six.iteritems(domains['suffixes']) + if x not in domains['domains']) + + for dom in six.itervalues(domains['domains']): dom['trust_type'] = u'ad' try: name = dom['cn'] @@ -1616,13 +1633,27 @@ def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **opt if idrange_type != u'ipa-ad-trust-posix': range_name = name.upper() + '_id_range' dom['range_type'] = u'ipa-ad-trust' - add_range(myapi, trustinstance, range_name, dom['ipanttrusteddomainsid'], + add_range(myapi, trustinstance, + range_name, dom['ipanttrusteddomainsid'], trust_name, name, **dom) except errors.DuplicateEntry: # Ignore updating duplicate entries pass + + try: + dn = myapi.Object.trust.get_dn(trust_name, trust_type=u'ad') + ldap = myapi.Backend.ldap2 + entry = ldap.get_entry(dn) + tlns = entry.get('ipantadditionalsuffixes', []) + tlns.extend(x for x in suffixes if x not in tlns) + entry['ipantadditionalsuffixes'] = tlns + ldap.update_entry(entry) + except errors.EmptyModlist: + pass + return result + @register() class trust_fetch_domains(LDAPRetrieve): __doc__ = _('Refresh list of the domains associated with the trust') @@ -1698,7 +1729,7 @@ class trustdomain_enable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if sid in trust_entry['ipantsidblacklistincoming']: trust_entry['ipantsidblacklistincoming'].remove(sid) ldap.update_entry(trust_entry) 
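Review bot: the new suffix-update block in the @@ -1616 hunk deduplicates with `x not in tlns`, a case-sensitive test, while ipaNTAdditionalSuffixes is defined with EQUALITY caseIgnoreMatch (quoted later in this thread), so a suffix whose case changed between two trust-fetch-domains runs is sent as a second value that the directory treats as a duplicate; the `if x not in domains['domains']` filter in the @@ -1600 hunk has the same problem. Compare lower-cased names in both places. The block also only ever extends the list, so a suffix removed from the forest stays in the entry until someone edits it by hand; consider replacing the attribute with the freshly fetched set, and catch errors.NotFound next to errors.EmptyModlist since ldap.get_entry(dn) can raise it. Finally, `six.iteritems`/`six.itervalues` are used in the @@ -1600 hunk but no `import six` appears in the diff; confirm trust.py already imports it.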
@@ -1739,7 +1770,7 @@ class trustdomain_disable(LDAPQuery): dn = self.obj.get_dn(keys[0], keys[1], trust_type=u'ad') try: entry = ldap.get_entry(dn) - sid = entry['ipanttrusteddomainsid'][0] + sid = entry.single_value.get('ipanttrusteddomainsid', None) if not (sid in trust_entry['ipantsidblacklistincoming']): trust_entry['ipantsidblacklistincoming'].append(sid) ldap.update_entry(trust_entry) -- 2.7.4 From mbabinsk at redhat.com Thu Jun 9 17:08:25 2016 
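Review bot: in the @@ -1739 hunk `sid = entry.single_value.get('ipanttrusteddomainsid', None)` can now be None, and the unchanged `if not (sid in trust_entry['ipantsidblacklistincoming']):` then appends None to the incoming SID blacklist and writes it back, which the update either rejects or stores as a bogus value instead of telling the caller that the domain has no SID; add an `if sid is None:` branch that raises a proper error before the blacklist check. The enable path in the @@ -1698 hunk has the mirror image of this: a None sid silently does nothing, which should also be reported.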
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 19:08:25 +0200 Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users In-Reply-To: <20160609164642.ogbmk6m2fnbggdlh@redhat.com> References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com> <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com> <20160609164642.ogbmk6m2fnbggdlh@redhat.com> Message-ID: On 06/09/2016 06:46 PM, Alexander Bokovoy wrote: > On Thu, 09 Jun 2016, Martin Babinsky wrote: >> On 06/07/2016 07:35 PM, Alexander Bokovoy wrote: >>> On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>> On 06/07/2016 06:38 PM, Alexander Bokovoy wrote: >>>>> On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>>>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Add support for additional user name principal suffixes from >>>>>>> trusted Active Directory forests. UPN suffixes are property >>>>>>> of the forest and as such are associated with the forest root >>>>>>> domain. >>>>>>> >>>>>>> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued >>>>>>> attribute of ipaNTTrustedDomain object class. >>>>>>> >>>>>>> In order to look up UPN suffixes, netr_DsRGetForestTrustInformation >>>>>>> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. >>>>>>> >>>>>>> For more details on UPN and naming in Active Directory see >>>>>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx >>>>>>> >>>>>>> >>>>>>> https://fedorahosted.org/freeipa/ticket/5354 >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> Hi Alexander, >>>>>> >>>>>> a few comments: >>>>>> >>>>>> 1.) >>>>>> >>>>>> there are some PEP8 violations in the patch. Not all of them need to >>>>>> be fixed, though (line overhangs < 5 characters are OK by me). 
>>>>>> >>>>>> """ >>>>>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 >>>>>> characters) >>>>>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 >>>>>> characters) >>>>>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' >>>>>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 >>>>>> characters) >>>>>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 >>>>>> characters) >>>>>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 >>>>>> characters) >>>>>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line >>>>>> under-indented for visual indent >>>>>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 >>>>>> characters) >>>>>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' >>>>>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 >>>>>> characters) >>>>>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 >>>>>> characters) >>>>>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' >>>>>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, >>>>>> found 1 >>>>>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, >>>>>> found 1 >>>>>> """ >>>>> I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough >>>>> now -- breaking following line is not giving any reasonable benefit: >>>>> >>>>> res['ipantflatname'] = >>>>> unicode(t.forest_trust_data.netbios_domain_name.string) >>>>> >>>> >>>> Looking at the code, it would be IMHO more readable to directly append >>>> dict literals to the result like so: >>>> >>>> """ >>>> --- a/ipaserver/dcerpc.py >>>> +++ b/ipaserver/dcerpc.py 
>>>> @@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, >>>> creds=None, server=None): >>>> tname = unicode(t.forest_trust_data.dns_domain_name.string) >>>> if tname == trustdomain: >>>> continue >>>> - res = dict() >>>> - res['cn'] = tname >>>> - res['ipantflatname'] = >>>> unicode(t.forest_trust_data.netbios_domain_name.string) >>>> - res['ipanttrusteddomainsid'] = >>>> unicode(t.forest_trust_data.domain_sid) >>>> - result['domains'][tname] = res >>>> + >>>> + result['domains'][tname] = { >>>> + 'cn': tname, >>>> + 'ipantflatname': unicode( >>>> + t.forest_trust_data.netbios_domain_name.string), >>>> + 'ipanttrusteddomainsid': unicode( >>>> + t.forest_trust_data.domain_sid) >>>> + } >>>> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: >>>> tname = unicode(t.forest_trust_data.string) >>>> if tname == trustdomain: >>>> continue >>>> - res = dict() >>>> - res['cn'] = tname >>>> - result['suffixes'][tname] = res >>>> + >>>> + result['suffixes'][tname] = {'cn': tname} >>>> return result >>>> """ >>> Makes sense. Fixed. >>> >>>> >>>> Also there is a whitespace before colon here: >>>> """ >>>> + result = {'domains': {}, 'suffixes' : {}} >>>> ^ >>>> """ >>>> Please fix that and I will be a happy engineer. >>> Fixed. >>> >>>> >>>>>> 2.) >>>>>> >>>>>> Should the ipaNTAdditionalSuffixes attribute be case insensitive? It >>>>>> makes sense but I'm just asking so that we don't end changing the >>>>>> schema later. >>>>> ipaNTAdditionalSuffixes is defined as >>>>> >>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>>>> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>>>> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>>>> 1.3.6.1.4.1.1466.115.121.1.15) >>>>> >>>>> There should be no problem with case sensitivity already. >>>>> >>>> OK I presume that the UPN suffixes on AD are also case-insensitive so >>>> everything should be alright. >>> Yes, as everything realm-related on AD side, they are case-insensitive. 
>>> >>> Updated patch attached. >> >> 1.) there is one unused import that makes pylint choke: >> >> """ >> ************* Module com.redhat.idm >> install/oddjob/com.redhat.idm.trust-fetch-domains:6: >> [W0611(unused-import), ] Unused errors imported from ipalib) >> Makefile:137: recipe for target 'lint' failed >> make: *** [lint] Error 1 >> """ > Fixed, thanks. I wasn't attentive to why it considered that error. We are continuously tightening pylint checks in order to help us improve (or at least not worsen) the code quality. > >> 2.) The UPN suffixes are added during trust establishment and I can >> also kinit as the enterprise principal using one of UPNs, but only >> when using two-way trust. Is this expected? I was not able to find any >> clue in the design page but maybe I was just not looking hard enough. > No, it works just fine for one-way trust as well. The way UPNs are used in > AD is a bit awkward -- you define them globally for the whole forest > first and then assign specific UPN suffix for the user account in the > account properties. 
Only then you can use the suffix for this user: > > [root at f24-master ~]# net ads search -S w12.ad.test -k cn=grumpy |grep > userPrincipalName > userPrincipalName: grumpy at torchwood > > [root at f24-master ~]# KRB5_TRACE=/dev/stderr kinit -E -C grumpy at torchwood > [9135] 1465490159.655327: Resolving unique ccache of type KEYRING > [9135] 1465490159.655408: Getting initial credentials for > grumpy\@torchwood at IPA.AD.TEST > [9135] 1465490159.656798: Sending request (176 bytes) to IPA.AD.TEST > [9135] 1465490159.656994: Initiating TCP connection to stream > 192.168.5.117:88 > [9135] 1465490159.657122: Sending TCP request to stream 192.168.5.117:88 > [9135] 1465490159.657655: Received answer (169 bytes) from stream > 192.168.5.117:88 > [9135] 1465490159.657679: Terminating TCP connection to stream > 192.168.5.117:88 > [9135] 1465490159.657715: Response was from master KDC > [9135] 1465490159.657741: Received error from KDC: -1765328316/Realm not > local to KDC > [9135] 1465490159.657756: Following referral to realm AD.TEST > [9135] 1465490159.657783: Sending request (168 bytes) to AD.TEST > [9135] 1465490159.674764: Resolving hostname w12.ad.test. 
> [9135] 1465490159.679514: Sending initial UDP request to dgram > 192.168.5.111:88 > [9135] 1465490159.680158: Received answer (171 bytes) from dgram > 192.168.5.111:88 > [9135] 1465490159.688085: Response was not from master KDC > [9135] 1465490159.688141: Received error from KDC: > -1765328359/Additional pre-authentication required > [9135] 1465490159.688203: Processing preauth types: 16, 15, 19, 2 > [9135] 1465490159.688252: Selected etype info: etype aes256-cts, salt > "AD.TESTgrumpy", params "" > [9135] 1465490159.688285: PKINIT client has no configured identity; > giving up > [9135] 1465490159.688315: PKINIT client has no configured identity; > giving up > [9135] 1465490159.688342: Preauth module pkinit (16) (real) returned: > 22/Invalid argument > [9135] 1465490159.688368: PKINIT client has no configured identity; > giving up > [9135] 1465490159.688394: Preauth module pkinit (14) (real) returned: > 22/Invalid argument > Password for grumpy\@torchwood at AD.TEST: [9135] 1465490162.317092: AS key > obtained for encrypted timestamp: aes256-cts/C61F > [9135] 1465490162.317176: Encrypted timestamp (for 1465490162.505923): > plain 301AA011180F32303136303630393136333630325AA105020307B843, > encrypted > ADD327ACC03C99C821D9FBBE280866D6342D3CE1BBA2C720CF5A5BEBA586ECD0034CD2C3448F5FD6D66219DB77DC51D81C8C1D6D01A87AC9 > > [9135] 1465490162.317228: Preauth module encrypted_timestamp (2) (real) > returned: 0/Success > [9135] 1465490162.317272: Produced preauth for next request: 2 > [9135] 1465490162.317328: Sending request (246 bytes) to AD.TEST > [9135] 1465490162.346793: Resolving hostname w12.ad.test. 
> [9135] 1465490162.352714: Sending initial UDP request to dgram > 192.168.5.111:88 > [9135] 1465490162.353537: Received answer (1442 bytes) from dgram > 192.168.5.111:88 > [9135] 1465490162.366042: Response was not from master KDC > [9135] 1465490162.366094: Processing preauth types: 19 > [9135] 1465490162.366139: Selected etype info: etype aes256-cts, salt > "AD.TESTgrumpy", params "" > [9135] 1465490162.366190: Produced preauth for next request: (empty) > [9135] 1465490162.366235: AS key determined by preauth: aes256-cts/C61F > [9135] 1465490162.366328: Decrypted AS reply; session key is: > aes256-cts/BD45 > [9135] 1465490162.366382: FAST negotiation: unavailable > [9135] 1465490162.366416: Initializing > KEYRING:persistent:0:krb_ccache_dSjqZkD with default princ grumpy at AD.TEST > [9135] 1465490162.366488: Storing grumpy at AD.TEST -> > krbtgt/AD.TEST at AD.TEST in KEYRING:persistent:0:krb_ccache_dSjqZkD > [9135] 1465490162.366550: Storing config in > KEYRING:persistent:0:krb_ccache_dSjqZkD for krbtgt/AD.TEST at AD.TEST: > pa_type: 2 > [9135] 1465490162.366585: Storing grumpy at AD.TEST -> > krb5_ccache_conf_data/pa_type/krbtgt\/AD.TEST\@AD.TEST at X-CACHECONF: in > KEYRING:persistent:0:krb_ccache_dSjqZkD > > As you can see, the realm was considered non-local and a referral to the > correct realm was issued, then kinit followed the referral and finally > we've got the ticket for grumpy at AD.TEST because canonicalization was > asked. 
If no canonicalization would be asked, the principal would be > enterprise one but, again, from the other realm: > > [root at f24-master ~]# klist > Ticket cache: KEYRING:persistent:0:krb_ccache_lIqrVtl > Default principal: grumpy\@torchwood at AD.TEST > > Valid starting Expires Service principal > 06/09/2016 19:45:16 06/10/2016 05:45:16 krbtgt/AD.TEST at AD.TEST > renew until 06/10/2016 19:45:13 > > > Hmmm, when I establish a one-way trust I can kinit with the user having UPN suffix: kinit -E jdoe at crew207 Password for jdoe\@crew207 at DOM-207.ADREALM.COM: [root at vm-183 ~]# klist Ticket cache: KEYRING:persistent:0:krb_ccache_gHJAT3H Default principal: jdoe\@crew207 at DOM-207.ADREALM.COM Valid starting Expires Service principal 06/09/2016 17:56:31 06/10/2016 03:56:31 krbtgt/DOM-207.ADREALM.COM at DOM-207.ADREALM.COM renew until 06/10/2016 17:56:26 However when I issue 'ipa trust-show' I do not see any UPN suffixes associated with the trust because 'ipaNTAdditionalSuffixes' attribute is not populated on the trusted domain object while in the two-way trust case it is and 'trust-*' commands show the UPNs as expected. ipa trust-show dom-207.adrealm.com Domain NetBIOS name: DOM-207 Domain Security Identifier: S-1-5-21-2334637434-2721788842-3715042423 Trust direction: Trusting forest Trust type: Non-transitive external trust to a domain in another Active Directory forest Realm name: dom-207.adrealm.com (it doesn't matter if I create external one-way trust or not, the UPNs are not pulled from AD DC in either case) -- Martin^3 Babinsky From abokovoy at redhat.com Thu Jun 9 17:19:52 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 9 Jun 2016 20:19:52 +0300 Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users In-Reply-To: References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com> <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com> <20160609164642.ogbmk6m2fnbggdlh@redhat.com> Message-ID: <20160609171952.2yxwdgkztzdqcchr@redhat.com> On Thu, 09 Jun 2016, Martin Babinsky wrote: >On 06/09/2016 06:46 PM, Alexander Bokovoy wrote: >>On Thu, 09 Jun 2016, Martin Babinsky wrote: >>>On 06/07/2016 07:35 PM, Alexander Bokovoy wrote: >>>>On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>>>On 06/07/2016 06:38 PM, Alexander Bokovoy wrote: >>>>>>On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>>>>>On 06/06/2016 12:34 PM, Alexander Bokovoy wrote: >>>>>>>>Hi, >>>>>>>> >>>>>>>>Add support for additional user name principal suffixes from >>>>>>>>trusted Active Directory forests. UPN suffixes are property >>>>>>>>of the forest and as such are associated with the forest root >>>>>>>>domain. >>>>>>>> >>>>>>>>FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued >>>>>>>>attribute of ipaNTTrustedDomain object class. >>>>>>>> >>>>>>>>In order to look up UPN suffixes, netr_DsRGetForestTrustInformation >>>>>>>>LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. >>>>>>>> >>>>>>>>For more details on UPN and naming in Active Directory see >>>>>>>>https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx >>>>>>>> >>>>>>>> >>>>>>>>https://fedorahosted.org/freeipa/ticket/5354 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>>Hi Alexander, >>>>>>> >>>>>>>a few comments: >>>>>>> >>>>>>>1.) >>>>>>> >>>>>>>there are some PEP8 violations in the patch. Not all of them need to >>>>>>>be fixed, though (line overhangs < 5 characters are OK by me). 
>>>>>>> >>>>>>>""" >>>>>>>./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 >>>>>>>characters) >>>>>>>./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 >>>>>>>characters) >>>>>>>./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' >>>>>>>./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 >>>>>>>characters) >>>>>>>./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 >>>>>>>characters) >>>>>>>./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 >>>>>>>characters) >>>>>>>./ipaserver/plugins/trust.py:490:9: E128 continuation line >>>>>>>under-indented for visual indent >>>>>>>./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 >>>>>>>characters) >>>>>>>./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' >>>>>>>./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 >>>>>>>characters) >>>>>>>./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 >>>>>>>characters) >>>>>>>./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' >>>>>>>./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, >>>>>>>found 1 >>>>>>>./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, >>>>>>>found 1 >>>>>>>""" >>>>>>I've fixed trust.py part, the dcerpc.py fixes in 0201 should be enough >>>>>>now -- breaking following line is not giving any reasonable benefit: >>>>>> >>>>>> res['ipantflatname'] = >>>>>>unicode(t.forest_trust_data.netbios_domain_name.string) >>>>>> >>>>> >>>>>Looking at the code, it would be IMHO more readable to directly append >>>>>dict literals to the result like so: >>>>> >>>>>""" >>>>>--- a/ipaserver/dcerpc.py >>>>>+++ b/ipaserver/dcerpc.py 
>>>>>@@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, >>>>>creds=None, server=None): >>>>> tname = unicode(t.forest_trust_data.dns_domain_name.string) >>>>> if tname == trustdomain: >>>>> continue >>>>>- res = dict() >>>>>- res['cn'] = tname >>>>>- res['ipantflatname'] = >>>>>unicode(t.forest_trust_data.netbios_domain_name.string) >>>>>- res['ipanttrusteddomainsid'] = >>>>>unicode(t.forest_trust_data.domain_sid) >>>>>- result['domains'][tname] = res >>>>>+ >>>>>+ result['domains'][tname] = { >>>>>+ 'cn': tname, >>>>>+ 'ipantflatname': unicode( >>>>>+ t.forest_trust_data.netbios_domain_name.string), >>>>>+ 'ipanttrusteddomainsid': unicode( >>>>>+ t.forest_trust_data.domain_sid) >>>>>+ } >>>>> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: >>>>> tname = unicode(t.forest_trust_data.string) >>>>> if tname == trustdomain: >>>>> continue >>>>>- res = dict() >>>>>- res['cn'] = tname >>>>>- result['suffixes'][tname] = res >>>>>+ >>>>>+ result['suffixes'][tname] = {'cn': tname} >>>>> return result >>>>>""" >>>>Makes sense. Fixed. >>>> >>>>> >>>>>Also there is a whitespace before colon here: >>>>>""" >>>>>+ result = {'domains': {}, 'suffixes' : {}} >>>>> ^ >>>>>""" >>>>>Please fix that and I will be a happy engineer. >>>>Fixed. >>>> >>>>> >>>>>>>2.) >>>>>>> >>>>>>>Should the ipaNTAdditionalSuffixes attribute be case insensitive? It >>>>>>>makes sense but I'm just asking so that we don't end changing the >>>>>>>schema later. >>>>>>ipaNTAdditionalSuffixes is defined as >>>>>> >>>>>>attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>>>>>'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>>>>>associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>>>>>1.3.6.1.4.1.1466.115.121.1.15) >>>>>> >>>>>>There should be no problem with case sensitivity already. >>>>>> >>>>>OK I presume that the UPN suffixes on AD are also case-insensitive so >>>>>everything should be alright. 
>>>>Yes, as everything realm-related on AD side, they are case-insensitive. >>>> >>>>Updated patch attached. >>> >>>1.) there is one unused import that makes pylint choke: >>> >>>""" >>>************* Module com.redhat.idm >>>install/oddjob/com.redhat.idm.trust-fetch-domains:6: >>>[W0611(unused-import), ] Unused errors imported from ipalib) >>>Makefile:137: recipe for target 'lint' failed >>>make: *** [lint] Error 1 >>>""" >>Fixed, thanks. I wasn't attentive to why it considered that error. > >We are continuously tightening pylint checks in order to help us improve >(or at least not worsen) the code quality. > >> >>>2.) The UPN suffixes are added during trust establishment and I can >>>also kinit as the enterprise principal using one of UPNs, but only >>>when using two-way trust. Is this expected? I was not able to find any >>>clue in the design page but maybe I was just not looking hard enough. >>No, it works just fine for one-way trust as well. The way UPNs are used in >>AD is a bit awkward -- you define them globally for the whole forest >>first and then assign specific UPN suffix for the user account in the >>account properties. 
Only then you can use the suffix for this user: >> >>[root at f24-master ~]# net ads search -S w12.ad.test -k cn=grumpy |grep >>userPrincipalName >>userPrincipalName: grumpy at torchwood >> >>[root at f24-master ~]# KRB5_TRACE=/dev/stderr kinit -E -C grumpy at torchwood >>[9135] 1465490159.655327: Resolving unique ccache of type KEYRING >>[9135] 1465490159.655408: Getting initial credentials for >>grumpy\@torchwood at IPA.AD.TEST >>[9135] 1465490159.656798: Sending request (176 bytes) to IPA.AD.TEST >>[9135] 1465490159.656994: Initiating TCP connection to stream >>192.168.5.117:88 >>[9135] 1465490159.657122: Sending TCP request to stream 192.168.5.117:88 >>[9135] 1465490159.657655: Received answer (169 bytes) from stream >>192.168.5.117:88 >>[9135] 1465490159.657679: Terminating TCP connection to stream >>192.168.5.117:88 >>[9135] 1465490159.657715: Response was from master KDC >>[9135] 1465490159.657741: Received error from KDC: -1765328316/Realm not >>local to KDC >>[9135] 1465490159.657756: Following referral to realm AD.TEST >>[9135] 1465490159.657783: Sending request (168 bytes) to AD.TEST >>[9135] 1465490159.674764: Resolving hostname w12.ad.test. 
>>[9135] 1465490159.679514: Sending initial UDP request to dgram >>192.168.5.111:88 >>[9135] 1465490159.680158: Received answer (171 bytes) from dgram >>192.168.5.111:88 >>[9135] 1465490159.688085: Response was not from master KDC >>[9135] 1465490159.688141: Received error from KDC: >>-1765328359/Additional pre-authentication required >>[9135] 1465490159.688203: Processing preauth types: 16, 15, 19, 2 >>[9135] 1465490159.688252: Selected etype info: etype aes256-cts, salt >>"AD.TESTgrumpy", params "" >>[9135] 1465490159.688285: PKINIT client has no configured identity; >>giving up >>[9135] 1465490159.688315: PKINIT client has no configured identity; >>giving up >>[9135] 1465490159.688342: Preauth module pkinit (16) (real) returned: >>22/Invalid argument >>[9135] 1465490159.688368: PKINIT client has no configured identity; >>giving up >>[9135] 1465490159.688394: Preauth module pkinit (14) (real) returned: >>22/Invalid argument >>Password for grumpy\@torchwood at AD.TEST: [9135] 1465490162.317092: AS key >>obtained for encrypted timestamp: aes256-cts/C61F >>[9135] 1465490162.317176: Encrypted timestamp (for 1465490162.505923): >>plain 301AA011180F32303136303630393136333630325AA105020307B843, >>encrypted >>ADD327ACC03C99C821D9FBBE280866D6342D3CE1BBA2C720CF5A5BEBA586ECD0034CD2C3448F5FD6D66219DB77DC51D81C8C1D6D01A87AC9 >> >>[9135] 1465490162.317228: Preauth module encrypted_timestamp (2) (real) >>returned: 0/Success >>[9135] 1465490162.317272: Produced preauth for next request: 2 >>[9135] 1465490162.317328: Sending request (246 bytes) to AD.TEST >>[9135] 1465490162.346793: Resolving hostname w12.ad.test. 
>>[9135] 1465490162.352714: Sending initial UDP request to dgram >>192.168.5.111:88 >>[9135] 1465490162.353537: Received answer (1442 bytes) from dgram >>192.168.5.111:88 >>[9135] 1465490162.366042: Response was not from master KDC >>[9135] 1465490162.366094: Processing preauth types: 19 >>[9135] 1465490162.366139: Selected etype info: etype aes256-cts, salt >>"AD.TESTgrumpy", params "" >>[9135] 1465490162.366190: Produced preauth for next request: (empty) >>[9135] 1465490162.366235: AS key determined by preauth: aes256-cts/C61F >>[9135] 1465490162.366328: Decrypted AS reply; session key is: >>aes256-cts/BD45 >>[9135] 1465490162.366382: FAST negotiation: unavailable >>[9135] 1465490162.366416: Initializing >>KEYRING:persistent:0:krb_ccache_dSjqZkD with default princ grumpy at AD.TEST >>[9135] 1465490162.366488: Storing grumpy at AD.TEST -> >>krbtgt/AD.TEST at AD.TEST in KEYRING:persistent:0:krb_ccache_dSjqZkD >>[9135] 1465490162.366550: Storing config in >>KEYRING:persistent:0:krb_ccache_dSjqZkD for krbtgt/AD.TEST at AD.TEST: >>pa_type: 2 >>[9135] 1465490162.366585: Storing grumpy at AD.TEST -> >>krb5_ccache_conf_data/pa_type/krbtgt\/AD.TEST\@AD.TEST at X-CACHECONF: in >>KEYRING:persistent:0:krb_ccache_dSjqZkD >> >>As you can see, the realm was considered non-local and a referral to the >>correct realm was issued, then kinit followed the referral and finally >>we've got the ticket for grumpy at AD.TEST because canonicalization was >>asked. 
>>If no canonicalization would be asked, the principal would be >>enterprise one but, again, from the other realm: >> >>[root at f24-master ~]# klist >>Ticket cache: KEYRING:persistent:0:krb_ccache_lIqrVtl >>Default principal: grumpy\@torchwood at AD.TEST >> >>Valid starting Expires Service principal >>06/09/2016 19:45:16 06/10/2016 05:45:16 krbtgt/AD.TEST at AD.TEST >> renew until 06/10/2016 19:45:13 >> >> >> >Hmmm, > >when I establish a one-way trust I can kinit with the user having UPN >suffix: > > kinit -E jdoe at crew207 >Password for jdoe\@crew207 at DOM-207.ADREALM.COM: >[root at vm-183 ~]# klist >Ticket cache: KEYRING:persistent:0:krb_ccache_gHJAT3H >Default principal: jdoe\@crew207 at DOM-207.ADREALM.COM > >Valid starting Expires Service principal >06/09/2016 17:56:31 06/10/2016 03:56:31 >krbtgt/DOM-207.ADREALM.COM at DOM-207.ADREALM.COM > renew until 06/10/2016 17:56:26 > > >However when I issue 'ipa trust-show' I do not see any UPN suffixes >associated with the trust because 'ipaNTAdditionalSuffixes' attribute >is not populated on the trusted domain object while in the two-way >trust case it is and 'trust-*' commands show the UPNs as expected. > >ipa trust-show dom-207.adrealm.com > Domain NetBIOS name: DOM-207 > Domain Security Identifier: S-1-5-21-2334637434-2721788842-3715042423 > Trust direction: Trusting forest > Trust type: Non-transitive external trust to a domain in another >Active Directory forest > Realm name: dom-207.adrealm.com > >(it doesn't matter if I create external one-way trust or not, the UPNs >are not pulled from AD DC in either case) Check audit.log, on Fedora 24 selinux policy is broken again due to us moving files all around. Try with setenforce 0 to verify it. We run an equivalent of # oddjob_request -i com.redhat.idm.trust.fetch_domains \ -s com.redhat.idm.trust -o / \ com.redhat.idm.trust.fetch_domains ad.test when retrieving forest topology information in one-way trust case. 
If SELinux policy prevents oddjobd from launching the helper, no retrieval will happen. -- / Alexander Bokovoy From mbabinsk at redhat.com Thu Jun 9 18:12:26 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 9 Jun 2016 20:12:26 +0200 Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del Message-ID: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> These patches expand `server_del` to a full-fledged IPA master killer in domain level 1. Due to the 'server uninstallation removed master from topology' use case, the individual steps are not in the same order as in the original code to facilitate self-removal from topology without introducing an array of permissions for master to remove itself. I had no opportunity to test out the CI test suite because of technical problems so it would be nice if our upstream QE could give it a spin and report errors. http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 https://fedorahosted.org/freeipa/ticket/5181 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0153-ipapython-module-for-working-with-managed-topology.patch Type: text/x-patch Size: 9946 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0154-delegate-removal-of-master-DNS-record-and-replica-ke.patch Type: text/x-patch Size: 3115 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0155-server-del-perform-full-master-removal-in-managed-to.patch Type: text/x-patch Size: 20941 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0156-CI-test-suite-for-server-del.patch Type: text/x-patch Size: 15681 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0157-ipa-replica-manage-use-server_del-when-removing-doma.patch Type: text/x-patch Size: 12920 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0158-remove-the-master-from-managed-topology-during-unins.patch Type: text/x-patch Size: 10643 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 9 18:57:48 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 9 Jun 2016 20:57:48 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 Message-ID: Py3 support was enabled prematurely, attached patches removes python3 from /usr/bin/ipa Notes: * ipa 4.3.x won't have enabled py3 * master (ipa 4.4+) will have disabled py3 temporarily -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-master-mbasti-0501-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2244 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4.3-mbasti-0501-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2149 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 9 19:02:39 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jun 2016 21:02:39 +0200
Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request
In-Reply-To: <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com>
References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com>
Message-ID: <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com>

On 09.06.2016 14:45, Martin Basti wrote:
> On 09.06.2016 14:42, Martin Basti wrote:
>> On 09.06.2016 14:38, Lukas Slebodnik wrote:
>>> On (09/06/16 14:29), Martin Basti wrote:
>>>> On 09.06.2016 14:22, Alexander Bokovoy wrote:
>>>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote:
>>>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> this patch allows the extdom plugin to lookup users by
>>>>>>> certificate which is needed in the case where an IPA client wants
>>>>>>> to lookup an AD user who has the certificate stored in AD. To
>>>>>>> make this work the related patches I just sent to sssd-devel are
>>>>>>> needed as well.
>>>>>>>
>>>>>>> Currently the patches miss the change in the required version of
>>>>>>> SSSD, since the SSSD patches are not committed. But the patches
>>>>>>> are needed to fully test the SSSD patches. I will send a new
>>>>>>> version with the needed changes to the minimal SSSD version when
>>>>>>> the SSSD patches are committed.
>>>>>>>
>>>>>>> bye,
>>>>>>> Sumit
>>>>>> The patch works fine (tested together with the corresponding SSSD
>>>>>> patches), so ACK from me. The code also looks good to me, but I'm
>>>>>> not sure if reviewing an IPA patch requires something more (CI?
>>>>>> Coverity?)
>>>>> ACK from me as well, I forgot to send email about it, though I
>>>>> reviewed this patch a week ago.
>>>>>
>>>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8
>>>>
>>> It's very likely that this commit will break build of
>>> freeipa-master. I didn't try.
>>>
>>> Because it uses new function sss_nss_getnamebycert
>>> from the library libsss_nss_idmap which is not in fedora.
>>> It was pushed to sssd master just today.
>>>
>>> LS
>>
>> If this is true, can you/somebody provide the SRPM of SSSD with the
>> required functionality please? We may need to add it to
>> @freeipa/freeipa-master copr and bump required version of SSSD.
>>
>> Martin^2
>>
>
> Yes, you were right, master build is broken.
> Martin^2
>

SSSD master build has been added to @freeipa/freeipa-master copr as a
workaround (to unblock automatic testing and developers)

Please bump version in specfile accordingly (I don't know which version
of SSSD will have the required function)

Martin^2

From mbasti at redhat.com Thu Jun 9 19:09:05 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jun 2016 21:09:05 +0200
Subject: [Freeipa-devel] [PATCH] 0201 Add support for an external trust to Active Directory domain
In-Reply-To: <4d5a410f-f7c9-1c89-2d43-4d6822bdaae3@redhat.com>
References: <20160606103315.gcndbmnnswa3s2xl@redhat.com> <4dd1c8c3-f037-f86b-1a40-f6d88086dc0d@redhat.com> <20160607160018.fusf4llmh6gqgu3c@redhat.com> <20160607202543.5iqyhx4igwd4lz3h@redhat.com> <4d5a410f-f7c9-1c89-2d43-4d6822bdaae3@redhat.com>
Message-ID: <5f90ea9c-adc8-02d6-7826-e79881b4e939@redhat.com>

On 09.06.2016 18:03, Martin Babinsky wrote:
> On 06/07/2016 10:25 PM, Alexander Bokovoy wrote:
>> On Tue, 07 Jun 2016, Alexander Bokovoy wrote:
>>> > del attrs['ipanttrusttype']
>>> > + if attributes:
>>> > + del attrs['ipanttrustattributes']
>>> > """
>>> Updated patch is attached.
>> Another update, forgot one space in the allow_behavior().
>>
>> I also spent some time and did pep8 fixes for dcerpc.py. I reduced
>> reported errors down to 22 from 260+. These 22 are for lines longer than
>> 79 characters and I don't want to reduce them further because they are
>> smaller than 84 characters already.
>>
> patch 201-2 ACK
>
> patch 207: I appreciate the effort you put into this, but as I said
> earlier we require PEP8 compliance only when writing new code or
> modifying the old one. Even if re-formatting the whole module is just
> a refactoring and it is unlikely to break anything it will drastically
> alter the git history, that's why we are not reformatting old modules
> and that's why I was some time ago told not to do this.
>
> But feel free to open a ticket if this is an issue for you and you
> would like the patch to be pushed.
>

patch 201: Pushed to master: 8ca7a4c94796afa280de7e7f5191b48ad667b219

From mbasti at redhat.com Thu Jun 9 19:10:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jun 2016 21:10:42 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To:
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com>
Message-ID: <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com>

On 09.06.2016 17:56, Martin Babinsky wrote:
> On 06/06/2016 01:37 PM, Alexander Bokovoy wrote:
>> On Mon, 06 Jun 2016, Jan Cholasta wrote:
>>> On 6.6.2016 13:22, Martin Basti wrote:
>>>> On 06.06.2016 13:14, Alexander Bokovoy wrote:
>>>>> On Mon, 06 Jun 2016, Martin Basti wrote:
>>>>>> On 06.06.2016 12:36, Alexander Bokovoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> MS-ADTS spec requires that TrustPartner field should be equal to
>>>>>>> the commonName (cn) of the trust. We used it a bit wrongly to
>>>>>>> express trust relationship between parent and child domains. In
>>>>>>> fact, we have parent-child relationship recorded in the DN (child
>>>>>>> domains are part of the parent domain's container).
>>>>>>>
>>>>>>> Remove the argument that was never used externally but only
>>>>>>> supplied by trust-specific code inside the IPA framework.
>>>>>>>
>>>>>>> Part of https://fedorahosted.org/freeipa/ticket/5354
>>>>>>>
>>>>>> Hello, how is backward compatibility handled here? You just remove
>>>>>> the option from the API, without any additional logic for older
>>>>>> clients.
>>>>> This is not used by the external clients at all. It is part of
>>>>> internal logic of the code in trust.py+com.redhat.trust.fetch-domains
>>>>> which always talk to the same server they are running on.
>>>>>
>>>>> @register()
>>>>> class trustdomain_add(LDAPCreate):
>>>>>     __doc__ = _('Allow access from the trusted domain')
>>>>>     NO_CLI = True
>>>>>
>>>> Yes sorry, not old IPA clients, but it was part of API, shown in API
>>>> browser, and since this was in API, it is set in stone. So if you
>>>> think that it is safe to be removed and nobody can hit this, I'm okay
>>>> for removing that option. Maybe we should at least write it to
>>>> release notes (I'll let Honza express his feelings as API
>>>> versioning/compatibility sensei)
>>>
>>> IMHO it is safe to remove.
>>>
>>>> And you forgot to increment api version in VERSION file
>> Updated patch attached, with a VERSION change.
>>
> ACK
>

Is there any ticket for this?

Martin^2

From mbasti at redhat.com Thu Jun 9 19:13:50 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 9 Jun 2016 21:13:50 +0200
Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user
In-Reply-To: <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com>
References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com>
Message-ID:

On 09.06.2016 17:49, Martin Babinsky wrote:
> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>> Hi,
>>
>> In case an ID override was created for an Active Directory user in the
>> default trust view, allow mapping the incoming GSSAPI authenticated
>> connection to the ID override for this user.
>>
>> This allows users to self-manage ID override parameters from the CLI,
>> for example, SSH public keys or certificates. Admins can define what
>> can be changed by the users via self-service permissions.
>>
>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>
> ACK
>

Ticket for this is in 'Tickets Deferred' milestone and should be
re-triaged before push

Martin^2

From abokovoy at redhat.com Thu Jun 9 19:45:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jun 2016 22:45:13 +0300
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com>
Message-ID: <20160609194513.h3h7qzlhyrzvstij@redhat.com>

On Thu, 09 Jun 2016, Martin Basti wrote:
> On 09.06.2016 17:56, Martin Babinsky wrote:
>> On 06/06/2016 01:37 PM, Alexander Bokovoy wrote:
>>> Updated patch attached, with a VERSION change.
>>>
>> ACK
>>
>
> Is there any ticket for this?
As I wrote in the commit message and in the email, it is part of
https://fedorahosted.org/freeipa/ticket/5354

--
/ Alexander Bokovoy

From abokovoy at redhat.com Thu Jun 9 19:47:12 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 9 Jun 2016 22:47:12 +0300
Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user
In-Reply-To:
References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com>
Message-ID: <20160609194712.djxzctcxyiqxplvg@redhat.com>

On Thu, 09 Jun 2016, Martin Basti wrote:
> On 09.06.2016 17:49, Martin Babinsky wrote:
>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>
>> ACK
>>
>
> Ticket for this is in 'Tickets Deferred' milestone and should be
> re-triaged before push
The ticket itself covers a far longer story and should stay in the
deferred bucket. However, this specific part of the implementation was
already discussed to be for 4.4. Don't pull the original ticket, as I'm
using it as a tracker.

--
/ Alexander Bokovoy

From jcholast at redhat.com Fri Jun 10 04:17:32 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 10 Jun 2016 06:17:32 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 In-Reply-To: References: Message-ID: On 9.6.2016 20:57, Martin Basti wrote: > Py3 support was enabled prematurely, attached patches removes python3 > from /usr/bin/ipa > > > Notes: > > * ipa 4.3.x won't have enabled py3 > > * master (ipa 4.4+) will have disabled py3 temporarily NACK. you reverted this bit wrong: -%if 0%{?with_python3} -Requires: python3-ipaclient = %{version}-%{release} -%else Requires: python2-ipaclient = %{version}-%{release} -%endif +Requires: %{name}-client-common = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} -- Jan Cholasta From mbasti at redhat.com Fri Jun 10 08:01:40 2016 
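Review bot: the quoted spec hunk does more than undo the Python 3 switch. Besides dropping the `%if 0%{?with_python3}` / `%else` / `%endif` conditional around the ipaclient dependency, it adds two new lines, `+Requires: %{name}-client-common = %{version}-%{release}` and `+Requires: python2-ipalib = %{version}-%{release}`. Check these two against the spec as it stood before the switch; if they were not there, the revert silently changes the package's dependency set rather than restoring it.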
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 10:01:40 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <20160609194513.h3h7qzlhyrzvstij@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com>
Message-ID:

On 09.06.2016 21:45, Alexander Bokovoy wrote:
> On Thu, 09 Jun 2016, Martin Basti wrote:
>> Is there any ticket for this?
> As I wrote in the commit message and in the email,
> it is part of https://fedorahosted.org/freeipa/ticket/5354
>

Sorry I misread that ticket in the commit message, because ipatool was
unable to parse it from commit message

Pushed to master: 185806432d6dfccc5cdd73815471ce60a575b073

From mbasti at redhat.com Fri Jun 10 08:21:55 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 10:21:55 +0200
Subject: [Freeipa-devel] [PATCH][WIP] DNS Location: generator for location records
In-Reply-To: <6ca934d6-f3af-8f48-2061-094161774236@redhat.com>
References: <6ca934d6-f3af-8f48-2061-094161774236@redhat.com>
Message-ID: <8ab03221-12c1-f902-6412-5554a661f099@redhat.com>

On 09.06.2016 12:21, Martin Basti wrote:
> Hello,
>
> here is WIP version of generator for IPA DNS records and locations,
> that is responsible for creating and updating all IPA records for all
> masters.
>
> Please note that this is not finished yet and some methods may not work.
>
> Patch attached
>

Updated, this version actually works

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-9990-DNS-Location-generator-for-records.patch
Type: text/x-patch
Size: 17186 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-9991-DNS-Location-return-error-when-ipa-domain-is-not-man.patch
Type: text/x-patch
Size: 1256 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 10 08:57:53 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jun 2016 10:57:53 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 In-Reply-To: References: Message-ID: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> On 10.06.2016 06:17, Jan Cholasta wrote: > On 9.6.2016 20:57, Martin Basti wrote: >> Py3 support was enabled prematurely, attached patches removes python3 >> from /usr/bin/ipa >> >> >> Notes: >> >> * ipa 4.3.x won't have enabled py3 >> >> * master (ipa 4.4+) will have disabled py3 temporarily > > NACK. you reverted this bit wrong: > > -%if 0%{?with_python3} > -Requires: python3-ipaclient = %{version}-%{release} > -%else > Requires: python2-ipaclient = %{version}-%{release} > -%endif > +Requires: %{name}-client-common = %{version}-%{release} > +Requires: python2-ipalib = %{version}-%{release} > Shame on me, updated patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-master-mbasti-0501.2-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2135 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4.3-mbasti-0501-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2149 bytes Desc: not available URL: From mkosek at redhat.com Fri Jun 10 09:01:09 2016 
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 10 Jun 2016 11:01:09 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To:
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com>
Message-ID: <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com>

On 06/10/2016 10:01 AM, Martin Basti wrote:
> On 09.06.2016 21:45, Alexander Bokovoy wrote:
>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>> Is there any ticket for this?
>> As I wrote in the commit message and in the email,
>> it is part of https://fedorahosted.org/freeipa/ticket/5354
>>
> Sorry I misread that ticket in the commit message, because ipatool was unable
> to parse it from commit message
>
> Pushed to master: 185806432d6dfccc5cdd73815471ce60a575b073

I see no link to this ticket in the commit message in
https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=185806432d6dfccc5cdd73815471ce60a575b073
Did you push old version of this patch?

In general, I would suggest using the patch format from
http://www.freeipa.org/page/Contribute/Patch_Format
It makes automation easier...

Martin

From mbasti at redhat.com Fri Jun 10 10:13:01 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 12:13:01 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com>
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com> <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com>
Message-ID:

On 10.06.2016 11:01, Martin Kosek wrote:
> On 06/10/2016 10:01 AM, Martin Basti wrote:
>> Pushed to master: 185806432d6dfccc5cdd73815471ce60a575b073
> I see no link to this ticket in the commit message in
> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=185806432d6dfccc5cdd73815471ce60a575b073
> Did you push old version of this patch?
>
> In general, I would suggest using the patch format from
> http://www.freeipa.org/page/Contribute/Patch_Format
> It makes automation easier...
>
> Martin

Oh well, yes, my bad

I will revert the wrong commit and push the right one

Martin^2

From mbasti at redhat.com Fri Jun 10 10:27:33 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 10 Jun 2016 12:27:33 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To:
References: <20160606103636.mhvkfdq6otcsxpgu@redhat.com> <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com> <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com>
Message-ID: <2599cbdb-4bb1-52ae-dd48-7a22f9506cb8@redhat.com>

On 10.06.2016 12:13, Martin Basti wrote:
> On 10.06.2016 11:01, Martin Kosek wrote:
>> I see no link to this ticket in the commit message in
>> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=185806432d6dfccc5cdd73815471ce60a575b073
>>
>> Did you push old version of this patch?
>
> Oh well, yes, my bad
>
> I will revert the wrong commit and push the right one
>
> Martin^2
>

Revert:
master *478017357b50cb7fe30d6a4e26c3c47e111c91d0 Revert "adtrust: remove nttrustpartner parameter"

The right patch:
master: a0f953e0ff89900d9767df3e6ed868ae662616b4 adtrust: remove nttrustpartner parameter

From pspacek at redhat.com Fri Jun 10 10:28:34 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 10 Jun 2016 12:28:34 +0200
Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid
In-Reply-To: <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com>
References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com>
Message-ID:

On 9.6.2016 15:07, Martin Basti wrote:
> On 09.06.2016 15:03, Martin Basti wrote:
>> On 09.06.2016 15:02, Stanislav Laznicka wrote:
>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote:
>>>> Stanislav Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> Please see the attached patch of
>>>>> https://fedorahosted.org/freeipa/ticket/5797.
>>>>>
>>>>> Standa
>>>>>
>>>> Just wondering out loud but should usercertificate be excluded from the
>>>> output if it is unparsable? Is there any value in showing that a bogus
>>>> value is in there?
>>>>
>>>> rob
>>> I think it is a good pointer that something has gone wrong with the
>>> certificate. Another way would be to print 'Invalid certificate' instead of
>>> it similar to what Apache LDAP Browser does.
>>>
>> We can return a warning message that something with certificates is broken.
>>
>> Martin^2
>>
> And you should log it at error log level, because it is error

+1

--
Petr^2 Spacek

From lkrispen at redhat.com Fri Jun 10 10:36:09 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 10 Jun 2016 12:36:09 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
Message-ID: <575A9819.3030803@redhat.com>

Hi,
the attached patch will prevent the crash reported in ticket #5928.

So far I do not understand how this situation can occur, there is no
reproducer yet. I do not really like this fix as it hides a probable
corrupted data structure and would prefer to find the root cause.

But please review it, so we can commit it if there is no progress on
the root cause.

Ludwig

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-lkrispen-0023-avoid-crash-in-topology-plugin-when-host-list-contai.patch
Type: text/x-patch
Size: 1398 bytes
Desc: not available

From pvoborni at redhat.com Fri Jun 10 10:35:36 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 10 Jun 2016 12:35:36 +0200 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: <20160609194712.djxzctcxyiqxplvg@redhat.com> References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> <20160609194712.djxzctcxyiqxplvg@redhat.com> Message-ID: On 06/09/2016 09:47 PM, Alexander Bokovoy wrote: > On Thu, 09 Jun 2016, Martin Basti wrote: >> >> >> On 09.06.2016 17:49, Martin Babinsky wrote: >>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: >>>> Hi, >>>> >>>> In case an ID override was created for an Active Directory user in the >>>> default trust view, allow mapping the incoming GSSAPI authenticated >>>> connection to the ID override for this user. >>>> >>>> This allows to self-manage ID override parameters from the CLI, for >>>> example, SSH public keys or certificates. Admins can define what can be >>>> changed by the users via self-service permissions. >>>> >>>> Part of https://fedorahosted.org/freeipa/ticket/2149 >>>> >>>> >>>> >>> ACK >>> >> >> Ticket for this is in 'Tickets Deferred' milestone and should be >> re-triaged before push > The ticket itself covers a far longer story and should stay in the > deferred bucket. However, this specific part of the implementation was > already discussed to be for 4.4. Don't pull the original ticket, as I'm > using it as a tracker. This ticket should be used for that: https://fedorahosted.org/freeipa/ticket/3242 -- Petr Vobornik From abokovoy at redhat.com Fri Jun 10 10:43:42 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Jun 2016 13:43:42 +0300 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> <20160609194712.djxzctcxyiqxplvg@redhat.com> Message-ID: <20160610104342.yvnt2vnf4pibiwfq@redhat.com> On Fri, 10 Jun 2016, Petr Vobornik wrote: >On 06/09/2016 09:47 PM, Alexander Bokovoy wrote: >> On Thu, 09 Jun 2016, Martin Basti wrote: >>> >>> >>> On 09.06.2016 17:49, Martin Babinsky wrote: >>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: >>>>> Hi, >>>>> >>>>> In case an ID override was created for an Active Directory user in the >>>>> default trust view, allow mapping the incoming GSSAPI authenticated >>>>> connection to the ID override for this user. >>>>> >>>>> This allows to self-manage ID override parameters from the CLI, for >>>>> example, SSH public keys or certificates. Admins can define what can be >>>>> changed by the users via self-service permissions. >>>>> >>>>> Part of https://fedorahosted.org/freeipa/ticket/2149 >>>>> >>>>> >>>>> >>>> ACK >>>> >>> >>> Ticket for this is in 'Tickets Deferred' milestone and should be >>> re-triaged before push >> The ticket itself covers a far longer story and should stay in the >> deferred bucket. However, this specific part of the implementation was >> already discussed to be for 4.4. Don't pull the original ticket, as I'm >> using it as a tracker. > >This ticket should be used for that: >https://fedorahosted.org/freeipa/ticket/3242 I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and is properly describing what this is about. Note that if you manually add ID Override record to the cn=admins group, then AD users will indeed be able to manage IPA via CLI. 3242 is more UI related. UI part needs to be done as we have explicit prevention for AD user logons right now. 
--
/ Alexander Bokovoy

From pvoborni at redhat.com Fri Jun 10 10:53:24 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 10 Jun 2016 12:53:24 +0200 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: <20160610104342.yvnt2vnf4pibiwfq@redhat.com> References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> <20160609194712.djxzctcxyiqxplvg@redhat.com> <20160610104342.yvnt2vnf4pibiwfq@redhat.com> Message-ID: On 06/10/2016 12:43 PM, Alexander Bokovoy wrote: > On Fri, 10 Jun 2016, Petr Vobornik wrote: >> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote: >>> On Thu, 09 Jun 2016, Martin Basti wrote: >>>> >>>> >>>> On 09.06.2016 17:49, Martin Babinsky wrote: >>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: >>>>>> Hi, >>>>>> >>>>>> In case an ID override was created for an Active Directory user in >>>>>> the >>>>>> default trust view, allow mapping the incoming GSSAPI authenticated >>>>>> connection to the ID override for this user. >>>>>> >>>>>> This allows to self-manage ID override parameters from the CLI, for >>>>>> example, SSH public keys or certificates. Admins can define what >>>>>> can be >>>>>> changed by the users via self-service permissions. >>>>>> >>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149 >>>>>> >>>>>> >>>>>> >>>>> ACK >>>>> >>>> >>>> Ticket for this is in 'Tickets Deferred' milestone and should be >>>> re-triaged before push >>> The ticket itself covers a far longer story and should stay in the >>> deferred bucket. However, this specific part of the implementation was >>> already discussed to be for 4.4. Don't pull the original ticket, as I'm >>> using it as a tracker. >> >> This ticket should be used for that: >> https://fedorahosted.org/freeipa/ticket/3242 > I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and > is properly describing what this is about. 
>
> Note that if you manually add ID Override record to the cn=admins group,
> then AD users will indeed be able to manage IPA via CLI.
>
> 3242 is more UI related. UI part needs to be done as we have explicit
> prevention for AD user logons right now.

Most proper would be to create a new ticket, link to bz 1287194 and
make it a blocker for 2149 and 3242. But I'm fine with updating both
tickets (2149, 3242) with the commit ID while leaving the tickets open.

Up to you.
--
Petr Vobornik

From abokovoy at redhat.com Fri Jun 10 11:09:54 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 10 Jun 2016 14:09:54 +0300 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> <20160609194712.djxzctcxyiqxplvg@redhat.com> <20160610104342.yvnt2vnf4pibiwfq@redhat.com> Message-ID: <20160610110954.zhwvvuituttsqvkl@redhat.com> On Fri, 10 Jun 2016, Petr Vobornik wrote: >On 06/10/2016 12:43 PM, Alexander Bokovoy wrote: >> On Fri, 10 Jun 2016, Petr Vobornik wrote: >>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote: >>>> On Thu, 09 Jun 2016, Martin Basti wrote: >>>>> >>>>> >>>>> On 09.06.2016 17:49, Martin Babinsky wrote: >>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: >>>>>>> Hi, >>>>>>> >>>>>>> In case an ID override was created for an Active Directory user in >>>>>>> the >>>>>>> default trust view, allow mapping the incoming GSSAPI authenticated >>>>>>> connection to the ID override for this user. >>>>>>> >>>>>>> This allows to self-manage ID override parameters from the CLI, for >>>>>>> example, SSH public keys or certificates. Admins can define what >>>>>>> can be >>>>>>> changed by the users via self-service permissions. >>>>>>> >>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149 >>>>>>> >>>>>>> >>>>>>> >>>>>> ACK >>>>>> >>>>> >>>>> Ticket for this is in 'Tickets Deferred' milestone and should be >>>>> re-triaged before push >>>> The ticket itself covers a far longer story and should stay in the >>>> deferred bucket. However, this specific part of the implementation was >>>> already discussed to be for 4.4. Don't pull the original ticket, as I'm >>>> using it as a tracker. >>> >>> This ticket should be used for that: >>> https://fedorahosted.org/freeipa/ticket/3242 >> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and >> is properly describing what this is about. 
>> >> Note that if you manually add ID Override record to the cn=admins group, >> then AD users will indeed be able to manage IPA via CLI. >> >> 3242 is more UI related. UI part needs to be done as we have explicit >> prevention for AD user logons right now. > >Most proper would be to create a new ticket, link to bz 1287194 and >make it a blocker for 2149 and 3242. But I'm fine with updating both >tickets(2149, 3242) with the commit ID while leaving the tickets open. > >Up to you. That's what I did when I chose to put the reference to ticket 2149 already. -- / Alexander Bokovoy From slaznick at redhat.com Fri Jun 10 11:25:52 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 10 Jun 2016 13:25:52 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: <57597DEE.4010704@redhat.com> References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> <57597DEE.4010704@redhat.com> Message-ID: On 06/09/2016 04:32 PM, Rob Crittenden wrote: > Fraser Tweedale wrote: >> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: >>> On 09.06.2016 15:03, Martin Basti wrote: >>>> On 09.06.2016 15:02, Stanislav Laznicka wrote: >>>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote: >>>>>> Stanislav Laznicka wrote: >>>>>>> Hello, >>>>>>> >>>>>>> Please see the attached patch of >>>>>>> https://fedorahosted.org/freeipa/ticket/5797. >>>>>>> >>>>>>> Standa >>>>>>> >>>>>> Just wondering out loud but should usercertificate be excluded >>>>>> from the output if it is unparsable? Is there any value in >>>>>> showing that a bogus value is in there? >>>>>> >>>>>> rob >>>>> I think it is a good pointer that something has gone wrong with the >>>>> certificate. Another way would be to print 'Invalid certificate' >>>>> instead of it similar to what Apache LDAP Browser does. >>>> We can return a warning message that something with certificates is >>>> broken. >>>> >>>> Martin^2 >>>> >>> And you should log it at error log level, because it is error >>> >> Is the data from LDAP actually invalid? It should not be possible >> to store data that is not a syntactically valid X.509 cert in the >> userCertificate attribute (if it is, we should file a ticket against >> 389). >> >> Is there a full traceback for the original error of #5797? What is >> the datum that is the immediate cause of the error and what happens >> to it between the database and the function that throws? 
>>
>> Could it be a python3 bytes/str problem originating in
>> x509.normalize_certificate?
>>
>> Cheers,
>> Fraser
>>
>
> A cert can get in several different ways. IPA sure tries hard not to
> allow bad certs but I guess they can happen:
>
> $ ldapmodify -Y GSSAPI
> SASL/GSSAPI authentication started
> SASL username: admin at GREYOAK.COM
> SASL SSF: 56
> SASL data security layer installed.
> dn:
> krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com
> changetype: modify
> add: usercertificate
> usercertificate: foo
>
> modifying entry
> "krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com"

< .. snip .. >

That is exactly how I was reproducing this issue. Added is the patch that
adds error message and logs properly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0046-2-host-service-show-find-shouldn-t-fail-on-invalid-cer.patch
Type: text/x-patch
Size: 5706 bytes
Desc: not available

From pvoborni at redhat.com Fri Jun 10 11:40:39 2016
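Added example (not the attached patch and not FreeIPA's own code) of the behaviour the userCertificate thread above settles on: a show/find-style helper that keeps going when a value like the `foo` from the ldapmodify reproduction cannot be parsed, logs it at error level and hands back a warning instead of failing the whole command. The logger name, the function names, the sample entry and the structural DER check standing in for a full X.509 parser are all assumptions.

```python
import base64
import logging

# Assumed logger name; FreeIPA's real logging setup is not reproduced here.
log = logging.getLogger("ipa.usercertificate")


def der_outer_sequence_ok(data):
    """Structural stand-in for a full X.509 parser (assumption: production
    code would hand the bytes to a real certificate parser instead).

    A DER certificate is one outer SEQUENCE (tag 0x30) whose encoded
    length must cover exactly the remaining bytes; anything else is
    rejected.  Returns True only when that holds."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(data)


def normalize_certificate(value):
    """Return DER bytes for a userCertificate value, accepting raw DER or
    base64 text (the two forms LDAP clients commonly store).
    Raises ValueError when the value is a certificate in neither form."""
    if isinstance(value, str):
        value = value.encode("ascii")     # UnicodeEncodeError is a ValueError
    if der_outer_sequence_ok(value):
        return value
    # Not DER, so try the base64 text form.  validate=True rejects stray
    # characters; b64decode raises binascii.Error, a ValueError subclass.
    decoded = base64.b64decode(value, validate=True)
    if not der_outer_sequence_ok(decoded):
        raise ValueError("base64 text does not decode to a DER certificate")
    return decoded


def sanitize_entry_certificates(entry, attr="usercertificate"):
    """Replace entry[attr] with only the parsable certificates.

    Instead of letting one bad value abort the whole show/find command,
    each unparsable value is logged at error level and reported back to
    the caller as a warning string, which the CLI can print as a warning
    or show as 'Invalid certificate' in place of the value.
    Returns (entry, warnings)."""
    warnings = []
    good = []
    for idx, raw in enumerate(entry.get(attr, [])):
        try:
            good.append(normalize_certificate(raw))
        except ValueError as exc:
            msg = "%s: %s value #%d is not a valid certificate (%s)" % (
                entry.get("dn", "<no dn>"), attr, idx, exc)
            log.error(msg)                # error level, as the thread asks
            warnings.append(msg)
    entry[attr] = good
    return entry, warnings


# Constructed sample data: a minimal DER SEQUENCE stands in for a real
# certificate body; b"foo" is the bogus value from the ldapmodify example.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_ENTRY = {
    "dn": "krbprincipalname=cert/host.example.test@EXAMPLE.TEST,"
          "cn=services,cn=accounts,dc=example,dc=test",
    "usercertificate": [SAMPLE_DER, base64.b64encode(SAMPLE_DER), b"foo"],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    result, warns = sanitize_entry_certificates(dict(SAMPLE_ENTRY))
    print(len(result["usercertificate"]), "valid certificate(s)")
    for w in warns:
        print("warning:", w)
```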
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 10 Jun 2016 13:40:39 +0200 Subject: [Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user In-Reply-To: <20160610110954.zhwvvuituttsqvkl@redhat.com> References: <20160606103855.ptkbthy27mv3qz5g@redhat.com> <1e9a6ded-de08-b301-f7ab-cd52b2ecabbb@redhat.com> <20160609194712.djxzctcxyiqxplvg@redhat.com> <20160610104342.yvnt2vnf4pibiwfq@redhat.com> <20160610110954.zhwvvuituttsqvkl@redhat.com> Message-ID: <231320fd-afe4-4453-c54a-a6b01a7786b7@redhat.com> On 06/10/2016 01:09 PM, Alexander Bokovoy wrote: > On Fri, 10 Jun 2016, Petr Vobornik wrote: >> On 06/10/2016 12:43 PM, Alexander Bokovoy wrote: >>> On Fri, 10 Jun 2016, Petr Vobornik wrote: >>>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote: >>>>> On Thu, 09 Jun 2016, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 09.06.2016 17:49, Martin Babinsky wrote: >>>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> In case an ID override was created for an Active Directory user in >>>>>>>> the >>>>>>>> default trust view, allow mapping the incoming GSSAPI authenticated >>>>>>>> connection to the ID override for this user. >>>>>>>> >>>>>>>> This allows to self-manage ID override parameters from the CLI, for >>>>>>>> example, SSH public keys or certificates. Admins can define what >>>>>>>> can be >>>>>>>> changed by the users via self-service permissions. >>>>>>>> >>>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> ACK >>>>>>> >>>>>> >>>>>> Ticket for this is in 'Tickets Deferred' milestone and should be >>>>>> re-triaged before push >>>>> The ticket itself covers a far longer story and should stay in the >>>>> deferred bucket. However, this specific part of the implementation was >>>>> already discussed to be for 4.4. Don't pull the original ticket, as >>>>> I'm >>>>> using it as a tracker. 
>>>> >>>> This ticket should be used for that: >>>> https://fedorahosted.org/freeipa/ticket/3242 >>> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and >>> is properly describing what this is about. >>> >>> Note that if you manually add ID Override record to the cn=admins group, >>> then AD users will indeed be able to manage IPA via CLI. >>> >>> 3242 is more UI related. UI part needs to be done as we have explicit >>> prevention for AD user logons right now. >> >> Most proper would be to create a new ticket, link to bz 1287194 and >> make it a blocker for 2149 and 3242. But I'm fine with updating both >> tickets(2149, 3242) with the commit ID while leaving the tickets open. >> >> Up to you. > That's what I did when I chose to put the reference to ticket 2149 > already. Added "Part of https://fedorahosted.org/freeipa/ticket/3242" to commit message. Removed blank lines at the end of update files which git complained about and pushed to master: * b506fd178edbf1553ca581c44ac6697f88ead125 adtrust: support GSSAPI authentication to LDAP as Active Directory user -- Petr Vobornik From jcholast at redhat.com Fri Jun 10 12:22:49 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Fri, 10 Jun 2016 14:22:49 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> Message-ID: <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com> On 9.6.2016 17:06, Martin Babinsky wrote: > On 06/09/2016 03:54 PM, Petr Vobornik wrote: >> On 06/09/2016 01:02 PM, Martin Babinsky wrote: >>> On 06/07/2016 07:01 PM, Pavel Vomacka wrote: >>>> >>>> >>>> On 06/07/2016 12:07 PM, Martin Babinsky wrote: >>>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote: >>>>>> I am sending rebased patches implementing >>>>>> http://www.freeipa.org/page/V4/Server_Roles >>>>>> >>>>>> I hope the patches work since I have had a lot of fun rebasing >>>>>> them on >>>>>> top of thin client and DNS locations effort. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5181 >>>>>> >>>>>> >>>>>> >>>>> >>>>> Sending updated patches according to Jan's interactive review. >>>>> >>>>> Since the name of attributes returned by API commands and signature of >>>>> `server-role-find` have changed, a small update in WebUI patches is >>>>> required. >>>>> >>>>> >>>>> >>>> NACK, why did you remove sizelimit from server_role_find command's? Is >>>> it possible to return it back? It breaks WebUI. >>> >>> Indeed, this was caused by changing the base class of the command. It is >>> fixed in updated patches. >>> >> >> NACK >> >> Option timelimit? of command server_role_find in ipalib, not in API file: >> Int('timelimit?', autofill=False) >> Option sizelimit? of command server_role_find in ipalib, not in API file: >> Int('sizelimit?', autofill=False) >> >> There are one or more changes to the API. >> Either undo the API changes or update API.txt and increment the major >> version in VERSION. 
>> Makefile:159: recipe for target 'version-update' failed >> make: *** [version-update] Error 1 >> > > Oops, seems like a missed API.txt update. > > Fixed. "ipa server-role-find" does not return the "IPA master" role for my server ("ipa-server-role $HOSTNAME 'IPA master'" does). I would rather skip the option altogether rather than hide it: + # we do not want to test negative membership for roles + # hide it from CLI + elif option.name == 'no_servrole': + option = option.clone(flags={'no_option'}) The patches need a rebase (VERSION). Otherwise LGTM. -- Jan Cholasta From mbasti at redhat.com Fri Jun 10 13:47:07 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 10 Jun 2016 15:47:07 +0200 Subject: [Freeipa-devel] [PATCH][WIP] DNS Location: generator for location records In-Reply-To: <8ab03221-12c1-f902-6412-5554a661f099@redhat.com> References: <6ca934d6-f3af-8f48-2061-094161774236@redhat.com> <8ab03221-12c1-f902-6412-5554a661f099@redhat.com> Message-ID: On 10.06.2016 10:21, Martin Basti wrote: > > > > On 09.06.2016 12:21, Martin Basti wrote: >> Hello, >> >> here is WIP version of generator for IPA DNS records and locations, >> that is responsible for creating and updating all IPA records for all >> masters. >> >> Please note that this is not finished yet and some methods may not work. >> >> >> Patch attached >> >> >> > Updated, this version actually works > > SelfNACK, I will use Zone object as storage for data instead of random lists and dicts -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Fri Jun 10 14:03:39 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 10 Jun 2016 16:03:39 +0200 Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter In-Reply-To: <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com> References: <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com> <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com> Message-ID: <20160610140338.GH5333@10.4.128.1> On (10/06/16 11:01), Martin Kosek wrote: >On 06/10/2016 10:01 AM, Martin Basti wrote: >> >> >> On 09.06.2016 21:45, Alexander Bokovoy wrote: >>> On Thu, 09 Jun 2016, Martin Basti wrote: >>>> >>>> >>>> On 09.06.2016 17:56, Martin Babinsky wrote: >>>>> On 06/06/2016 01:37 PM, Alexander Bokovoy wrote: >>>>>> On Mon, 06 Jun 2016, Jan Cholasta wrote: >>>>>>> On 6.6.2016 13:22, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 06.06.2016 13:14, Alexander Bokovoy wrote: >>>>>>>>> On Mon, 06 Jun 2016, Martin Basti wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 06.06.2016 12:36, Alexander Bokovoy wrote: >>>>>>>>>>> Hi, >>>>>>>>>>> >>>>>>>>>>> MS-ADTS spec requires that TrustPartner field should be equal to the >>>>>>>>>>> commonName (cn) of the trust. We used it a bit wrongly to express >>>>>>>>>>> trust relationship between parent and child domains. In fact, we >>>>>>>>>>> have parent-child relationship recorded in the DN (child domains >>>>>>>>>>> are part of the parent domain's container). >>>>>>>>>>> >>>>>>>>>>> Remove the argument that was never used externally but only >>>>>>>>>>> supplied by >>>>>>>>>>> trust-specific code inside the IPA framework. 
>>>>>>>>>>> >>>>>>>>>>> Part of https://fedorahosted.org/freeipa/ticket/5354 >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hello, how is handled backward compatibility here, you just removes >>>>>>>>>> the option from API, without any additional logic for older clients. >>>>>>>>> This is not used by the external clients at all. It is part of internal >>>>>>>>> logic of the code in trust.py+com.redhat.trust.fetch-domains which >>>>>>>>> always talk to the same server they are running on. >>>>>>>>> >>>>>>>>> @register() >>>>>>>>> class trustdomain_add(LDAPCreate): >>>>>>>>> __doc__ = _('Allow access from the trusted domain') >>>>>>>>> NO_CLI = True >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Yes sorry, not old IPA clients, but it was part of API, shown in API >>>>>>>> browser, and since this was in API, it is set to stone. So If you think >>>>>>>> that it is safe to be removed and nobody can hit this, I'm okay for >>>>>>>> removing that option. Maybe we should at least wrote it to release notes >>>>>>>> (I'll let Honza to express his feelings as API versioning/compatibility >>>>>>>> sensei) >>>>>>> >>>>>>> IMHO it is safe to remove. >>>>>>> >>>>>>>> >>>>>>>> And you forgot to increment api version in VERSION file >>>>>> Updated patch attached, with a VERSION change. >>>>>> >>>>>> >>>>>> >>>>> ACK >>>>> >>>> >>>> Is there any ticket for this? >>> As I wrote in the commit message and in the email, >>> it is part of https://fedorahosted.org/freeipa/ticket/5354 >>> >> Sorry I misread that ticket in the commit message, because ipatool was unable >> to parse it from commit message >> >> Pushed to master: 185806432d6dfccc5cdd73815471ce60a575b073 > >I see no link to this ticket in the commit message in >https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=185806432d6dfccc5cdd73815471ce60a575b073 >Did you push old version of this patch? 
>
>In general, I would suggest using the patch format from
>http://www.freeipa.org/page/Contribute/Patch_Format
>It makes automation easier...
>
And it would be much easier for the author with .git-commit-template
@see
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=3d9edb4c510028def2df41aa7b0ce705b197e6fc

LS

From pvoborni at redhat.com Fri Jun 10 14:16:00 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 10 Jun 2016 16:16:00 +0200
Subject: [Freeipa-devel] [PATCH] 0203 adtrust: remove ipanttrustpartner parameter
In-Reply-To: <20160610140338.GH5333@10.4.128.1>
References: <4424d3e3-165a-df1a-1377-f4e1eda33e1e@redhat.com> <20160606111413.p37ejfgjk6zuslh7@redhat.com> <02ba4b46-ff99-985f-7c2e-1f4eb4a534fd@redhat.com> <047286b4-6f9e-1ca4-f009-198c732a6fbc@redhat.com> <20160606113719.3c2hweabc7xojkad@redhat.com> <0177d9f6-ff8d-1e99-76a2-b6fbc16c4f8c@redhat.com> <20160609194513.h3h7qzlhyrzvstij@redhat.com> <4e0856fb-3b5b-3f34-3143-70e4e5d27bc8@redhat.com> <20160610140338.GH5333@10.4.128.1>
Message-ID: <7c9f2a47-150a-228e-74cf-b06a69dcb37d@redhat.com>

On 06/10/2016 04:03 PM, Lukas Slebodnik wrote:
> On (10/06/16 11:01), Martin Kosek wrote:
>> On 06/10/2016 10:01 AM, Martin Basti wrote:
>>>>
>>> Sorry I misread that ticket in the commit message, because ipatool was unable
>>> to parse it from commit message
>>>
>>> Pushed to master: 185806432d6dfccc5cdd73815471ce60a575b073
>>
>> I see no link to this ticket in the commit message in
>> https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=185806432d6dfccc5cdd73815471ce60a575b073
>> Did you push old version of this patch?
>>
>> In general, I would suggest using the patch format from
>> http://www.freeipa.org/page/Contribute/Patch_Format
>> It makes automation easier...
>>
> And it would be much easier for author with .git-commit-template
> @see
> https://git.fedorahosted.org/cgit/sssd.git/commit/?id=3d9edb4c510028def2df41aa7b0ce705b197e6fc
>
> LS
>

Good idea, https://fedorahosted.org/freeipa/ticket/5952
--
Petr Vobornik

From pvomacka at redhat.com Fri Jun 10 14:34:33 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Fri, 10 Jun 2016 16:34:33 +0200
Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs
Message-ID:

Hello,

please review these new patches which add WebUI for Sub-CAs.

https://fedorahosted.org/freeipa/ticket/5939

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0045-Add-new-webui-plugin-ca.patch
Type: text/x-patch
Size: 5471 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0046-Extend-certificate-entity-page.patch
Type: text/x-patch
Size: 7780 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0047-Extend-caacl-entity.patch
Type: text/x-patch
Size: 5496 bytes
Desc: not available

From tbordaz at redhat.com Fri Jun 10 14:44:09 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 10 Jun 2016 16:44:09 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575A9819.3030803@redhat.com>
References: <575A9819.3030803@redhat.com>
Message-ID: <575AD239.2080101@redhat.com>

Hi Ludwig,

I agree with you there is no path to add a host with an empty hostname.
Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.

Also I wonder if a reason of empty hostname could be a slapi_ch_free
on it but with the host remaining in the list.
Looking at
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
I wonder if the two lines 852 and 853 could lead to this situation.

thanks
thierry

On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
> Hi,
> the attached patch will prevent the crash reported in ticket #5928.
>
> So far I do not understand how this situation can occur, there is no
> reproducer yet. I do not really like this fix as it hides a probable
> corrupted data structure and would prefer to find the root cause.
>
> But please review it, so we can commit it if there is no progress on
> the root cause.
>
> Ludwig
>
>

From frenaud at redhat.com Fri Jun 10 15:14:49 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Fri, 10 Jun 2016 17:14:49 +0200
Subject: [Freeipa-devel] Storing directory path in variables
Message-ID: <6e7201a1-b4a2-ee91-c40e-32755bbc32be@redhat.com>

Hi,

I am working on a bug linked to a trailing / in a directory name. It looks
like hardcoded paths for directories sometimes contain the trailing / but
not always (for instance dsinstance.config_dirname() returns something like
'/etc/dirsrv/slapd-DOM-221-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/' while
HTTPD_ALIAS_DIR = "/etc/httpd/alias").

So my question is: is there a rule inside FreeIPA to use the directory name
with the / or not? For most of the tools it doesn't matter, but when looking
for a cert monitored by certmonger it is important.

I think that a consistent rule would also avoid ugly logs with double
slashes in the file names.

Flo.

From lkrispen at redhat.com Fri Jun 10 15:23:06 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 10 Jun 2016 17:23:06 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575AD239.2080101@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com>
Message-ID: <575ADB5A.6060900@redhat.com>

On 06/10/2016 04:44 PM, thierry bordaz wrote:
> Hi Ludwig,
>
> I agree with you there is no path to add a host with an empty hostname.
> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.

yes, of course that was my intention, copy paste :-)

>
> Also I wonder if a reason of empty hostname could be a slapi_ch_free
> on it but with the host remaining in the list.
> Looking at
> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
> I wonder if the two lines 852 and 853 could lead to this situation.

but this frees the complete replica structure tconf and in the caller
tconf is set to null, so should never be used again.

>
> thanks
> thierry
>
>
> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>> Hi,
>> the attached patch will prevent the crash reported in ticket #5928.
>>
>> So far I do not understand how this situation can occur, there is no
>> reproducer yet. I do not really like this fix as it hides a probable
>> corrupted data structure and would prefer to find the root cause.
>>
>> But please review it, so we can commit it if there is no progress on
>> the root cause.
>>
>> Ludwig
>>
>>
>>
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From tbordaz at redhat.com Fri Jun 10 15:41:28 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 10 Jun 2016 17:41:28 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575ADB5A.6060900@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com>
Message-ID: <575ADFA8.5010306@redhat.com>

On 06/10/2016 05:23 PM, Ludwig Krispenz wrote:
> On 06/10/2016 04:44 PM, thierry bordaz wrote:
>> Hi Ludwig,
>>
>> I agree with you there is no path to add a host with an empty hostname.
>> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.
> yes, of course that was my intention, copy paste :-)
>>
>> Also I wonder if a reason for the empty hostname could be a slapi_ch_free
>> on it but with the host remaining in the list.
>> Looking at
>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
>> I wonder if the two lines 852 and 853 could lead to this situation.
> but this frees the complete replica structure tconf and in the caller
> tconf is set to null, so it should never be used again.

Yes you are right, it cannot lead to an empty hostname in tconf. However I think it can leak because host will be set to 0 at the end of the first iteration.

Another possibility is that in ipa_topo_util_init_hosts
(https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449)
'cn' has an empty value. newhost is not null but empty, so we may create an empty hostname.

>> thanks
>> thierry
>>
>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>>> Hi,
>>> the attached patch will prevent the crash reported in ticket #5928.
>>>
>>> So far I do not understand how this situation can occur, there is no
>>> reproducer yet. I do not really like this fix as it hides a probable
>>> corrupted data structure and would prefer to find the root cause.
>>>
>>> But please review it, so we can commit it if there is no progress on
>>> the root cause.
>>>
>>> Ludwig

From mbabinsk at redhat.com Fri Jun 10 15:42:27 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 10 Jun 2016 17:42:27 +0200
Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2
In-Reply-To: <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com>
References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com>
Message-ID: <9310f244-5a4a-e075-651c-d449445ec0d6@redhat.com>

On 06/10/2016 02:22 PM, Jan Cholasta wrote:
> On 9.6.2016 17:06, Martin Babinsky wrote:
>> On 06/09/2016 03:54 PM, Petr Vobornik wrote:
>>> On 06/09/2016 01:02 PM, Martin Babinsky wrote:
>>>> On 06/07/2016 07:01 PM, Pavel Vomacka wrote:
>>>>> On 06/07/2016 12:07 PM, Martin Babinsky wrote:
>>>>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote:
>>>>>>> I am sending rebased patches implementing
>>>>>>> http://www.freeipa.org/page/V4/Server_Roles
>>>>>>>
>>>>>>> I hope the patches work since I have had a lot of fun rebasing
>>>>>>> them on top of the thin client and DNS locations effort.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>>
>>>>>> Sending updated patches according to Jan's interactive review.
>>>>>>
>>>>>> Since the name of attributes returned by API commands and the
>>>>>> signature of `server-role-find` have changed, a small update in
>>>>>> the WebUI patches is required.
>>>>>
>>>>> NACK, why did you remove sizelimit from server_role_find command? Is
>>>>> it possible to return it back? It breaks the WebUI.
>>>>
>>>> Indeed, this was caused by changing the base class of the command.
>>>> It is fixed in updated patches.
>>>
>>> NACK
>>>
>>> Option timelimit? of command server_role_find in ipalib, not in API file:
>>> Int('timelimit?', autofill=False)
>>> Option sizelimit? of command server_role_find in ipalib, not in API file:
>>> Int('sizelimit?', autofill=False)
>>>
>>> There are one or more changes to the API.
>>> Either undo the API changes or update API.txt and increment the major
>>> version in VERSION.
>>> Makefile:159: recipe for target 'version-update' failed
>>> make: *** [version-update] Error 1
>>
>> Oops, seems like a missed API.txt update.
>>
>> Fixed.
>
> "ipa server-role-find" does not return the "IPA master" role for my
> server ("ipa-server-role $HOSTNAME 'IPA master'" does).

This is intentional since we discussed during the design phase [1] that the "IPA master" role should be implicit and not shown to the user in the server-show and server-role-find operations. This however does not preclude you from querying its status manually if you know the role name.

[1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles

> I would rather skip the option altogether rather than hide it:
>
> + # we do not want to test negative membership for roles
> + # hide it from CLI
> + elif option.name == 'no_servrole':
> + option = option.clone(flags={'no_option'})

So something like:

    elif option.name == 'no_servrole':
        continue

should do the trick?

> The patches need a rebase (VERSION).
>
> Otherwise LGTM.

Ok I will send fixed patches ASAP.

-- 
Martin^3 Babinsky

From lkrispen at redhat.com Fri Jun 10 15:52:05 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 10 Jun 2016 17:52:05 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575ADFA8.5010306@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com>
Message-ID: <575AE225.4070703@redhat.com>

On 06/10/2016 05:41 PM, thierry bordaz wrote:
> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote:
>> On 06/10/2016 04:44 PM, thierry bordaz wrote:
>>> Hi Ludwig,
>>>
>>> I agree with you there is no path to add a host with an empty hostname.
>>> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.
>> yes, of course that was my intention, copy paste :-)
>>>
>>> Also I wonder if a reason for the empty hostname could be a slapi_ch_free
>>> on it but with the host remaining in the list.
>>> Looking at
>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
>>> I wonder if the two lines 852 and 853 could lead to this situation.
>> but this frees the complete replica structure tconf and in the caller
>> tconf is set to null, so it should never be used again.
>
> Yes you are right, it cannot lead to an empty hostname in tconf.
> However I think it can leak because host will be set to 0 at the end
> of the first iteration.
>
> Another possibility is that in ipa_topo_util_init_hosts
> (https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449)
> 'cn' has an empty value. newhost is not null but empty, so we may
> create an empty hostname.

    newhost = slapi_entry_attr_get_charptr(hostentry, "cn");
    if (newhost == NULL) return;

if there is no cn, it will not be added; if the cn is an empty value, the pointer is not NULL and it will not crash when dereferencing

>>> thanks
>>> thierry
>>>
>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>>>> Hi,
>>>> the attached patch will prevent the crash reported in ticket #5928.
>>>>
>>>> So far I do not understand how this situation can occur, there is
>>>> no reproducer yet. I do not really like this fix as it hides a
>>>> probable corrupted data structure and would prefer to find the root
>>>> cause.
>>>>
>>>> But please review it, so we can commit it if there is no progress
>>>> on the root cause.
>>>>
>>>> Ludwig

From lkrispen at redhat.com Fri Jun 10 15:56:21 2016
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 10 Jun 2016 17:56:21 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575ADFA8.5010306@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com>
Message-ID: <575AE325.6030605@redhat.com>

On 06/10/2016 05:41 PM, thierry bordaz wrote:
> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote:
>> On 06/10/2016 04:44 PM, thierry bordaz wrote:
>>> Hi Ludwig,
>>>
>>> I agree with you there is no path to add a host with an empty hostname.
>>> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.
>> yes, of course that was my intention, copy paste :-)
>>>
>>> Also I wonder if a reason for the empty hostname could be a slapi_ch_free
>>> on it but with the host remaining in the list.
>>> Looking at
>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
>>> I wonder if the two lines 852 and 853 could lead to this situation.
>> but this frees the complete replica structure tconf and in the caller
>> tconf is set to null, so it should never be used again.
>
> Yes you are right, it cannot lead to an empty hostname in tconf.
> However I think it can leak because host will be set to 0 at the end
> of the first iteration.

yes, lines 852 and 853 should be switched

> Another possibility is that in ipa_topo_util_init_hosts
> (https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449)
> 'cn' has an empty value. newhost is not null but empty, so we may
> create an empty hostname.
>
>>> thanks
>>> thierry
>>>
>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>>>> Hi,
>>>> the attached patch will prevent the crash reported in ticket #5928.
>>>>
>>>> So far I do not understand how this situation can occur, there is
>>>> no reproducer yet. I do not really like this fix as it hides a
>>>> probable corrupted data structure and would prefer to find the root
>>>> cause.
>>>>
>>>> But please review it, so we can commit it if there is no progress
>>>> on the root cause.
>>>>
>>>> Ludwig

From mkubik at redhat.com Fri Jun 10 15:58:02 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Fri, 10 Jun 2016 17:58:02 +0200
Subject: [Freeipa-devel] [Testplan review] Sub CAs
Message-ID: 

Hi Fraser and list,

I've written a (minimal) draft [1] of the test plan for the Sub CAs feature and I also have several questions. Could you please take a look at it?

Questions:

As described in the last (currently) test case, should it be possible to specify both the CA and the certificate profile in a cert-request call? This way one could use (at least) two ACLs (one affiliated with the CA, one with a profile). Are there such use cases?

Related to this, what happens when a CA ACL has a specific CA and profile category (all)? Applicable to other combinations as well. The ACL category semantics are a bit unclear to me here.

Is there any validation of the CA's DN (syntax)?

How would you approach testing of the Sub CA certificate renewal and key replication (I do not know if this is covered at the respective component's level or not)?

[1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan

Thanks
-- 
Milan Kubik

From tbordaz at redhat.com Fri Jun 10 16:00:13 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Fri, 10 Jun 2016 18:00:13 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575AE325.6030605@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com> <575AE325.6030605@redhat.com>
Message-ID: <575AE40D.80604@redhat.com>

On 06/10/2016 05:56 PM, Ludwig Krispenz wrote:
> On 06/10/2016 05:41 PM, thierry bordaz wrote:
>> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote:
>>> On 06/10/2016 04:44 PM, thierry bordaz wrote:
>>>> Hi Ludwig,
>>>>
>>>> I agree with you there is no path to add a host with an empty hostname.
>>>> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN.
>>> yes, of course that was my intention, copy paste :-)
>>>>
>>>> Also I wonder if a reason for the empty hostname could be a
>>>> slapi_ch_free on it but with the host remaining in the list.
>>>> Looking at
>>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
>>>> I wonder if the two lines 852 and 853 could lead to this situation.
>>> but this frees the complete replica structure tconf and in the
>>> caller tconf is set to null, so it should never be used again.
>>
>> Yes you are right, it cannot lead to an empty hostname in tconf.
>> However I think it can leak because host will be set to 0 at the end
>> of the first iteration.
> yes, lines 852 and 853 should be switched
>>
>> Another possibility is that in ipa_topo_util_init_hosts
>> (https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449)
>> 'cn' has an empty value. newhost is not null but empty, so we may
>> create an empty hostname.

You are definitely right, there is no path that can lead to a NULL hostname :-(

If we are unable to get a reproducible test case, a crazy idea would be to do some internal rotating logging in a buffer on each event (add/del host, add/del segments...); when the incoherency is detected, dump the buffer into the error logs so that we would have more data to find the RC.

>>>> thanks
>>>> thierry
>>>>
>>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>>>>> Hi,
>>>>> the attached patch will prevent the crash reported in ticket #5928.
>>>>>
>>>>> So far I do not understand how this situation can occur, there is
>>>>> no reproducer yet. I do not really like this fix as it hides a
>>>>> probable corrupted data structure and would prefer to find the
>>>>> root cause.
>>>>>
>>>>> But please review it, so we can commit it if there is no progress
>>>>> on the root cause.
>>>>>
>>>>> Ludwig

From slaznick at redhat.com Fri Jun 10 16:31:56 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 10 Jun 2016 18:31:56 +0200
Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server
In-Reply-To: 
References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com>
Message-ID: <6ff1556f-965c-e78b-c0ed-1e0fbf2cedb4@redhat.com>

On 06/08/2016 02:06 PM, Florence Blanc-Renaud wrote:
> On 06/08/2016 10:07 AM, Petr Spacek wrote:
>> On 7.6.2016 15:11, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> Thank you for your patch. As the thin-client patches were pushed in the
>>> meantime, the patch won't apply. Could you please send a rebased version?
>>>
>>> Also, I have a few comments to the patch:
>>>
>>> 1) I think that the commit message should rather be a brief conclusion to the
>>> changes made in the commit. This could help for faster orientation in the
>>> changes that were made to a certain part of code should you be searching for a
>>> bug introduced by a commit. Should some more info be required, it can be added
>>> to the ticket. Could you therefore shorten the commit message?
>>
>> (My personal opinion, no golden standard.)
>>
>> Honestly I disagree with Standa. Yes, the commit message seems to be a bit
>> long but *tickets* are not the best place to put *technical* information into.
>>
>> Tickets are a planning tool but keep in mind that Trac may/will vanish one day
>> and all we will have will be the (Git?) repo.
>>
>> I would recommend putting the comment about the expected input format into code
>> comments somewhere around the batch command definition.
>>
>> This would reduce the commit message (roughly, the text needs to be adapted) to
>> the part starting 'The code did not check the format of ' ... which is a perfectly
>> reasonable description of the change.
>>
>> IMHO.
>> Petr^2 Spacek
>>
>>> 2) Please do not add the tickets to comments in the code. You can use git
>>> blame -L or git log -L to see in which commits the changes were introduced to
>>> a certain part of a file; these commits should include the ticket number if
>>> more info is needed.
>>>
>>> Standa
>>>
>>> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote:
>>>> Hi all,
>>>>
>>>> the following patch checks the format of parameters passed to a method
>>>> called through the batch command. I picked the ConversionError for invalid
>>>> parameters format but this choice can be discussed if you have better
>>>> suggestions...
>>>>
>>>> Fixes: https://fedorahosted.org/freeipa/ticket/5810
>>>> --
>>>> Florence Blanc-Renaud
>>>> Identity Management Team, Red Hat
>
> Hi,
>
> please find an updated patch version with a less verbose commit msg. I
> also removed the reference to the ticket # in the code.
>
> Flo.

Hello,

Thank you for your updated patch. I have just one small issue that maybe exceeds the scope of this ticket. If the check for dictionary instances in the list:

+ if not isinstance(arg, dict):
+ raise errors.ConversionError(
+ name='methods',
+ error=_(u'must contain dict objects'))

fails at a further member of the list, by raising an exception you will lose information about the execution of all the previous commands, but these were already executed. This hasn't seemed to be an issue until now so I wonder if it is a problem or not.

So far, batch commands have only been utilized in the WebUI so I am adding Petr for opinions on how to handle this properly so that the WebUI could react to it should it ever happen (although AFAIK this should never happen for batch commands called from the UI).

Standa

From pvomacka at redhat.com Fri Jun 10 16:43:24 2016
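Review bot: the `isinstance(arg, dict)` check quoted above runs inside the per-entry loop, so a non-dict entry anywhere after the first aborts the batch after earlier entries have already executed and their results are discarded; validate every element of `methods` before executing the first one, or turn the malformed entry into that entry's own error result the way per-command failures are already reported, so the caller always gets one result per entry.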
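The validate-before-execute approach for the concern Standa raises, as an added example that is not FreeIPA code: the shape of a batch entry (a dict with 'method' and 'params' = [args, options]) follows the thread, while the command registry, the executor and the ConversionError stand-in are this example's own assumptions. Running it with validate_first=False reproduces the check-inside-the-loop behaviour, so the difference is observable in which commands actually ran.

```python
"""
Added example, not FreeIPA code: validating every entry of a batch
request before executing any of it, so that a malformed entry never
leaves earlier commands executed with their results discarded.  The
shape of a batch entry follows the thread; the command registry, the
executor and the ConversionError stand-in are assumptions of this
example.
"""
from typing import Any, Callable, Dict, List


class ConversionError(ValueError):
    """Stand-in for ipalib.errors.ConversionError (assumption)."""

    def __init__(self, name: str, error: str) -> None:
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


def user_show(uid: str) -> Dict[str, Any]:
    """Hypothetical command used as batch payload."""
    return {"uid": uid, "summary": "user %s" % uid}


COMMANDS: Dict[str, Callable[..., Dict[str, Any]]] = {"user_show": user_show}
EXECUTED: List[str] = []  # names of commands that actually ran


def validate_batch_arg(arg: Any) -> None:
    """Raise ConversionError unless `arg` is a well-formed batch entry."""
    if not isinstance(arg, dict):
        raise ConversionError(name="methods", error="must contain dict objects")
    for key in ("method", "params"):
        if key not in arg:
            raise ConversionError(name="methods", error='"%s" is required' % key)
    if not isinstance(arg["method"], str):
        raise ConversionError(name="methods", error='"method" must be a string')
    params = arg["params"]
    if (not isinstance(params, (list, tuple)) or len(params) != 2
            or not isinstance(params[0], (list, tuple))
            or not isinstance(params[1], dict)):
        raise ConversionError(name="methods",
                              error='"params" must be [[args...], {options}]')


def batch_execute(methods: List[Any],
                  validate_first: bool = True) -> List[Dict[str, Any]]:
    """Execute a batch and return one result dict per entry.

    With validate_first=True every entry is checked before the first
    command runs, so a ConversionError can only be raised while nothing
    has executed yet.  validate_first=False reproduces the
    check-inside-the-loop behaviour the review comment warns about.
    """
    if validate_first:
        for arg in methods:
            validate_batch_arg(arg)
    results: List[Dict[str, Any]] = []
    for arg in methods:
        if not validate_first:
            validate_batch_arg(arg)  # may abort after earlier entries ran
        name = arg["method"]
        args, options = arg["params"]
        if name not in COMMANDS:
            results.append({"error": "unknown command %r" % name})
            continue
        EXECUTED.append(name)
        try:
            results.append({"result": COMMANDS[name](*args, **options)})
        except Exception as exc:  # a failing command stays a per-entry error
            results.append({"error": str(exc)})
    return results
```

A command that is unknown or that raises is reported in its own result slot; only a structurally invalid request is rejected as a whole, and with up-front validation that rejection carries no partial state.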
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Fri, 10 Jun 2016 18:43:24 +0200
Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes
In-Reply-To: <20160609121928.zvddi2lchxextrv6@redhat.com>
References: <20160609113052.u6iuzhliisaoyvwu@redhat.com> <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609121928.zvddi2lchxextrv6@redhat.com>
Message-ID: <33810136-2a46-57b4-6be3-7f790f69c1d2@redhat.com>

On 06/09/2016 02:19 PM, Alexander Bokovoy wrote:
> On Thu, 09 Jun 2016, Sumit Bose wrote:
>> On Thu, Jun 09, 2016 at 02:30:52PM +0300, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> webUI changes to support external trust and showing UPN suffixes are
>>> attached.
>>>
>>> UPN suffixes are defined on the AD side and fetched with 'ipa
>>> trust-fetch-domains'. They cannot be disabled individually as they
>>> come from the AD side and are forest-wide, so we only show them, not
>>> allowing to modify anything.
>>>
>>> External forest is a flag and is shown in the trust-add dialog.
>>> The result would be visible as trust type of 'Non-transitive external
>>> trust to a domain in another Active Directory forest'
>>>
>>> These patches functionally depend on 0201 and 0202.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>>> From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 2001
>>> From: Alexander Bokovoy
>>> Date: Thu, 9 Jun 2016 12:04:05 +0300
>>> Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties
>>>
>>> Part of https://fedorahosted.org/freeipa/ticket/5354
>>>
>>> ---
>>> install/ui/src/freeipa/trust.js | 11 +++++++++++
>>> ipaserver/plugins/internal.py | 2 ++
>>> 2 files changed, 13 insertions(+)
>>>
>> ...
>>> diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
>>> index 4804f64..ea29b16 100644
>>> --- a/ipaserver/plugins/internal.py
>>> +++ b/ipaserver/plugins/internal.py
>>> @@ -747,6 +747,8 @@ class i18n_messages(Command):
>>> "trustdirection": _("Trust direction"),
>>> "truststatus": _("Trust status"),
>>> "trusttype": _("Trust type"),
>>> + "suffixes": _("UPN suffixes"),
>>> + "ipantadditionalsuffixes": _("UPN suffixes"),
>>
>> The AD gui calls the latter 'Alternative UPN suffixes'. Maybe we should
>> use the same description here as well to avoid irritations?
> Makes sense. I've updated the patch 0208 and also removed the string
> 'suffixes' which is not referenced from the UI.

Hello,

thank you for the patches, they look good and work well. I have only one small comment:

Patch 208:

+ read_only: 'true'

It would be nicer to use a boolean value instead of a string, even if it works correctly with the string value.

And because it is a really small change I edited your patch. I also changed the links in your commit messages to the WebUI tickets (5904, 5937). Edited patches are attached, so ACK if you agree with these changes.

-- 
Pavel^3 Vomacka

Attachments: freeipa-abbra-0208-1-webui-show-UPN-suffixes-in-trust-properties.patch (text/x-patch, 2101 bytes), freeipa-abbra-0209-webui-support-external-flag-to-trust-add.patch (text/x-patch, 1515 bytes)

From abokovoy at redhat.com Fri Jun 10 21:23:47 2016
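Review bot: the two keys added to the i18n_messages hunk, "suffixes" and "ipantadditionalsuffixes", carry the identical label "UPN suffixes", and a translatable key that no UI code references is dead text for translators; keep only the key the trust.js change in this patch actually uses, and label it the way the AD GUI does ("Alternative UPN suffixes") so administrators recognise the attribute from the other side of the trust.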
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sat, 11 Jun 2016 00:23:47 +0300
Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes
In-Reply-To: <33810136-2a46-57b4-6be3-7f790f69c1d2@redhat.com>
References: <20160609113052.u6iuzhliisaoyvwu@redhat.com> <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609121928.zvddi2lchxextrv6@redhat.com> <33810136-2a46-57b4-6be3-7f790f69c1d2@redhat.com>
Message-ID: <20160610212347.gq2zghaibm3xsyn2@redhat.com>

On Fri, 10 Jun 2016, Pavel Vomacka wrote:
>On 06/09/2016 02:19 PM, Alexander Bokovoy wrote:
>>On Thu, 09 Jun 2016, Sumit Bose wrote:
>>>On Thu, Jun 09, 2016 at 02:30:52PM +0300, Alexander Bokovoy wrote:
>>>>Hi,
>>>>
>>>>webUI changes to support external trust and showing UPN suffixes are
>>>>attached.
>>>>
>>>>UPN suffixes are defined on the AD side and fetched with 'ipa
>>>>trust-fetch-domains'. They cannot be disabled individually as they
>>>>come from the AD side and are forest-wide, so we only show them, not
>>>>allowing to modify anything.
>>>>
>>>>External forest is a flag and is shown in the trust-add dialog.
>>>>The result would be visible as trust type of 'Non-transitive external
>>>>trust to a domain in another Active Directory forest'
>>>>
>>>>These patches functionally depend on 0201 and 0202.
>>>>
>>>>--
>>>>/ Alexander Bokovoy
>>>
>>>>From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 2001
>>>>From: Alexander Bokovoy
>>>>Date: Thu, 9 Jun 2016 12:04:05 +0300
>>>>Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties
>>>>
>>>>Part of https://fedorahosted.org/freeipa/ticket/5354
>>>>
>>>>---
>>>> install/ui/src/freeipa/trust.js | 11 +++++++++++
>>>> ipaserver/plugins/internal.py | 2 ++
>>>> 2 files changed, 13 insertions(+)
>>>>
>>>...
>>>>diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
>>>>index 4804f64..ea29b16 100644
>>>>--- a/ipaserver/plugins/internal.py
>>>>+++ b/ipaserver/plugins/internal.py
>>>>@@ -747,6 +747,8 @@ class i18n_messages(Command):
>>>> "trustdirection": _("Trust direction"),
>>>> "truststatus": _("Trust status"),
>>>> "trusttype": _("Trust type"),
>>>>+ "suffixes": _("UPN suffixes"),
>>>>+ "ipantadditionalsuffixes": _("UPN suffixes"),
>>>
>>>The AD gui calls the latter 'Alternative UPN suffixes'. Maybe we should
>>>use the same description here as well to avoid irritations?
>>Makes sense. I've updated the patch 0208 and also removed the string
>>'suffixes' which is not referenced from the UI.
>>
>Hello,
>
>thank you for the patches, they look good and work well. I have only one
>small comment:
>Patch 208:
>
>+ read_only: 'true'
>
>It would be nicer to use a boolean value instead of a string, even if it
>works correctly with the string value.
>
>And because it is a really small change I edited your patch. I also
>changed the links in your commit messages to the WebUI tickets (5904, 5937).
>Edited patches are attached, so ACK if you agree with these changes.

Sure, ACK. Thanks for the review.

-- 
/ Alexander Bokovoy

From mbasti at redhat.com Sat Jun 11 08:47:04 2016
From: mbasti at redhat.com (Martin Basti)
Date: Sat, 11 Jun 2016 10:47:04 +0200
Subject: [Freeipa-devel] Storing directory path in variables
In-Reply-To: <6e7201a1-b4a2-ee91-c40e-32755bbc32be@redhat.com>
References: <6e7201a1-b4a2-ee91-c40e-32755bbc32be@redhat.com>
Message-ID: <5fcd37ab-6e2c-017f-c99a-86b1850590ff@redhat.com>

On 10.06.2016 17:14, Florence Blanc-Renaud wrote:
> Hi,
>
> I am working on a bug linked to a trailing / in a directory name. It
> looks like hardcoded paths for directories sometimes contain the
> trailing / but not always (for instance dsinstance.config_dirname()
> returns something like
> '/etc/dirsrv/slapd-DOM-221-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/' while
> HTTPD_ALIAS_DIR = "/etc/httpd/alias").
>
> So my question is: is there a rule inside FreeIPA to use the directory
> name with the / or not? For most of the tools, it doesn't matter but
> when looking for a cert monitored by certmonger it is important. I
> think that a consistent rule would also avoid ugly logs with double
> slashes in the file names.
>
> Flo.

Hello,

we don't have any rule on how to represent directory names, but with proper Python tools this should not be an issue: for manipulating paths the os.path module should be used, for example os.path.join('directory', 'file').

If a trailing slash is an issue with certmonger, you can use os.path.normpath().

If you see any double slashes please file tickets for them, or provide a patch if it is a quick fix.

HTH
Martin^2

From mbabinsk at redhat.com Sat Jun 11 14:13:48 2016
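The os.path.join / os.path.normpath advice above, as an added example that is not FreeIPA code: the two directory constants follow the values quoted in the thread, the certmonger request listing is constructed sample data, and the helper names (db_path, canonical_dir, find_request) are this example's own. It also covers one edge case the reply does not mention: on POSIX, normpath deliberately keeps a leading double slash, so a comparison helper has to collapse it itself.

```python
"""
Added example, not FreeIPA code: joining and comparing directory paths
so that a trailing slash on a configured directory constant does not
matter.  The two constants follow the values quoted in the thread; the
certmonger request listing is constructed sample data and the helper
names are this example's own.  posixpath is what os.path resolves to on
Linux, named explicitly so the behaviour is the same on every platform.
"""
import posixpath
from typing import Dict, Optional

# Two directory constants with inconsistent trailing-slash conventions.
DS_CONFIG_DIR = "/etc/dirsrv/slapd-DOM-221-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/"
HTTPD_ALIAS_DIR = "/etc/httpd/alias"

# Constructed sample: certmonger request id -> NSS database directory as
# certmonger recorded it (one without, one with a trailing slash).
SAMPLE_REQUESTS: Dict[str, str] = {
    "20160610170000": "/etc/dirsrv/slapd-DOM-221-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM",
    "20160610170001": "/etc/httpd/alias/",
}


def db_path(directory: str, filename: str) -> str:
    """Build a file path inside `directory`.

    posixpath.join inserts exactly one separator whether or not
    `directory` already ends with '/', which is what string
    concatenation with '/' gets wrong (it produces '//').
    """
    return posixpath.join(directory, filename)


def canonical_dir(path: str) -> str:
    """Canonical form of a directory path for equality comparison.

    normpath() collapses repeated slashes inside the path and removes a
    trailing one, but POSIX gives a *leading* '//' implementation-defined
    meaning, so normpath keeps it; for filesystem paths on Linux it is
    equivalent to '/', so it is collapsed here explicitly.
    """
    norm = posixpath.normpath(path)
    if norm.startswith("//") and not norm.startswith("///"):
        norm = norm[1:]
    return norm


def find_request(requests: Dict[str, str], directory: str) -> Optional[str]:
    """Return the id of the certmonger request tracking `directory`, or None.

    Both sides are canonicalised, so the lookup succeeds regardless of
    which trailing-slash convention the caller or certmonger used.
    """
    wanted = canonical_dir(directory)
    for request_id, tracked_dir in requests.items():
        if canonical_dir(tracked_dir) == wanted:
            return request_id
    return None
```

Compare canonical forms rather than normalising the stored constants once: the values come from several places (hardcoded constants, helpers like config_dirname(), certmonger's own records), and only the comparison site can guarantee both operands went through the same normalisation.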
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Sat, 11 Jun 2016 16:13:48 +0200
Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users
In-Reply-To: <20160609171952.2yxwdgkztzdqcchr@redhat.com>
References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com> <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com> <20160609164642.ogbmk6m2fnbggdlh@redhat.com> <20160609171952.2yxwdgkztzdqcchr@redhat.com>
Message-ID: 

On 06/09/2016 07:19 PM, Alexander Bokovoy wrote:
> On Thu, 09 Jun 2016, Martin Babinsky wrote:
>> On 06/09/2016 06:46 PM, Alexander Bokovoy wrote:
>>> On Thu, 09 Jun 2016, Martin Babinsky wrote:
>>>> On 06/07/2016 07:35 PM, Alexander Bokovoy wrote:
>>>>> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>>>> On 06/07/2016 06:38 PM, Alexander Bokovoy wrote:
>>>>>>> On Tue, 07 Jun 2016, Martin Babinsky wrote:
>>>>>>>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Add support for additional user name principal suffixes from
>>>>>>>>> trusted Active Directory forests. UPN suffixes are a property
>>>>>>>>> of the forest and as such are associated with the forest root
>>>>>>>>> domain.
>>>>>>>>>
>>>>>>>>> FreeIPA stores UPN suffixes as the ipaNTAdditionalSuffixes
>>>>>>>>> multi-valued attribute of the ipaNTTrustedDomain object class.
>>>>>>>>>
>>>>>>>>> In order to look up UPN suffixes, the
>>>>>>>>> netr_DsRGetForestTrustInformation LSA RPC call is used instead
>>>>>>>>> of netr_DsrEnumerateDomainTrusts.
>>>>>>>>>
>>>>>>>>> For more details on UPN and naming in Active Directory see
>>>>>>>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5354
>>>>>>>>
>>>>>>>> Hi Alexander,
>>>>>>>>
>>>>>>>> a few comments:
>>>>>>>>
>>>>>>>> 1.)
>>>>>>>> there are some PEP8 violations in the patch. Not all of them need to
>>>>>>>> be fixed, though (line overhangs < 5 characters are OK by me).
>>>>>>>>
>>>>>>>> """
>>>>>>>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 characters)
>>>>>>>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 characters)
>>>>>>>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':'
>>>>>>>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 characters)
>>>>>>>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 characters)
>>>>>>>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 characters)
>>>>>>>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line under-indented for visual indent
>>>>>>>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 characters)
>>>>>>>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']'
>>>>>>>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 characters)
>>>>>>>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 characters)
>>>>>>>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']'
>>>>>>>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, found 1
>>>>>>>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, found 1
>>>>>>>> """
>>>>>>> I've fixed the trust.py part, the dcerpc.py fixes in 0201 should be
>>>>>>> enough now -- breaking the following line is not giving any reasonable
>>>>>>> benefit:
>>>>>>>
>>>>>>> res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string)
>>>>>>
>>>>>> Looking at the code, it would be IMHO more readable to directly append
>>>>>> dict literals to the result like so:
>>>>>>
>>>>>> """
>>>>>> --- a/ipaserver/dcerpc.py
>>>>>> +++ b/ipaserver/dcerpc.py
>>>>>> @@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
>>>>>> tname = unicode(t.forest_trust_data.dns_domain_name.string)
>>>>>> if tname == trustdomain:
>>>>>> continue
>>>>>> - res = dict()
>>>>>> - res['cn'] = tname
>>>>>> - res['ipantflatname'] = unicode(t.forest_trust_data.netbios_domain_name.string)
>>>>>> - res['ipanttrusteddomainsid'] = unicode(t.forest_trust_data.domain_sid)
>>>>>> - result['domains'][tname] = res
>>>>>> +
>>>>>> + result['domains'][tname] = {
>>>>>> + 'cn': tname,
>>>>>> + 'ipantflatname': unicode(
>>>>>> + t.forest_trust_data.netbios_domain_name.string),
>>>>>> + 'ipanttrusteddomainsid': unicode(
>>>>>> + t.forest_trust_data.domain_sid)
>>>>>> + }
>>>>>> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME:
>>>>>> tname = unicode(t.forest_trust_data.string)
>>>>>> if tname == trustdomain:
>>>>>> continue
>>>>>> - res = dict()
>>>>>> - res['cn'] = tname
>>>>>> - result['suffixes'][tname] = res
>>>>>> +
>>>>>> + result['suffixes'][tname] = {'cn': tname}
>>>>>> return result
>>>>>> """
>>>>> Makes sense. Fixed.
>>>>>
>>>>>> Also there is a whitespace before the colon here:
>>>>>> """
>>>>>> + result = {'domains': {}, 'suffixes' : {}}
>>>>>>                                        ^
>>>>>> """
>>>>>> Please fix that and I will be a happy engineer.
>>>>> Fixed.
>>>>>
>>>>>>>> 2.)
>>>>>>>>
>>>>>>>> Should the ipaNTAdditionalSuffixes attribute be case insensitive? It
>>>>>>>> makes sense but I'm just asking so that we don't end up changing the
>>>>>>>> schema later.
>>>>>>> ipaNTAdditionalSuffixes is defined as
>>>>>>>
>>>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME
>>>>>>> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name
>>>>>>> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX
>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15)
>>>>>>>
>>>>>>> There should be no problem with case sensitivity already.
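Review bot: in both branches of the fetch_domains hunk the guard `if tname == trustdomain: continue` compares DNS names with a case-sensitive `==`, while `trustdomain` is the name the caller supplied and `tname` comes from what AD returns in the forest trust information; since the thread itself notes that realm-related names on the AD side are case-insensitive, a forest root returned with different casing would slip past the guard and be recorded as an extra entry under `result['domains']` or `result['suffixes']` keyed by `tname`. Normalise both names (for example lower-case them) before comparing, and consider keying the result dicts by the normalised name so two spellings of one suffix cannot coexist. The refactor to dict literals itself changes no behaviour.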
>>>>>>> >>>>>> OK, I presume that the UPN suffixes on AD are also case-insensitive so >>>>>> everything should be alright. >>>>> Yes, like everything realm-related on the AD side, they are >>>>> case-insensitive. >>>>> >>>>> Updated patch attached. >>>> >>>> 1.) there is one unused import that makes pylint choke: >>>> >>>> """ >>>> ************* Module com.redhat.idm >>>> install/oddjob/com.redhat.idm.trust-fetch-domains:6: >>>> [W0611(unused-import), ] Unused errors imported from ipalib) >>>> Makefile:137: recipe for target 'lint' failed >>>> make: *** [lint] Error 1 >>>> """ >>> Fixed, thanks. I wasn't attentive to why it considered that error. >> >> We are continuously tightening pylint checks in order to help us improve >> (or at least not worsen) the code quality. >> >>> >>>> 2.) The UPN suffixes are added during trust establishment and I can >>>> also kinit as the enterprise principal using one of the UPNs, but only >>>> when using a two-way trust. Is this expected? I was not able to find any >>>> clue in the design page but maybe I was just not looking hard enough. >>> No, it works just fine for a one-way trust as well. The way UPNs are used in >>> AD is a bit awkward -- you define them globally for the whole forest >>> first and then assign a specific UPN suffix for the user account in the >>> account properties.
Only then you can use the suffix for this user: >>> >>> [root at f24-master ~]# net ads search -S w12.ad.test -k cn=grumpy |grep >>> userPrincipalName >>> userPrincipalName: grumpy at torchwood >>> >>> [root at f24-master ~]# KRB5_TRACE=/dev/stderr kinit -E -C grumpy at torchwood >>> [9135] 1465490159.655327: Resolving unique ccache of type KEYRING >>> [9135] 1465490159.655408: Getting initial credentials for >>> grumpy\@torchwood at IPA.AD.TEST >>> [9135] 1465490159.656798: Sending request (176 bytes) to IPA.AD.TEST >>> [9135] 1465490159.656994: Initiating TCP connection to stream >>> 192.168.5.117:88 >>> [9135] 1465490159.657122: Sending TCP request to stream 192.168.5.117:88 >>> [9135] 1465490159.657655: Received answer (169 bytes) from stream >>> 192.168.5.117:88 >>> [9135] 1465490159.657679: Terminating TCP connection to stream >>> 192.168.5.117:88 >>> [9135] 1465490159.657715: Response was from master KDC >>> [9135] 1465490159.657741: Received error from KDC: -1765328316/Realm not >>> local to KDC >>> [9135] 1465490159.657756: Following referral to realm AD.TEST >>> [9135] 1465490159.657783: Sending request (168 bytes) to AD.TEST >>> [9135] 1465490159.674764: Resolving hostname w12.ad.test. 
>>> [9135] 1465490159.679514: Sending initial UDP request to dgram >>> 192.168.5.111:88 >>> [9135] 1465490159.680158: Received answer (171 bytes) from dgram >>> 192.168.5.111:88 >>> [9135] 1465490159.688085: Response was not from master KDC >>> [9135] 1465490159.688141: Received error from KDC: >>> -1765328359/Additional pre-authentication required >>> [9135] 1465490159.688203: Processing preauth types: 16, 15, 19, 2 >>> [9135] 1465490159.688252: Selected etype info: etype aes256-cts, salt >>> "AD.TESTgrumpy", params "" >>> [9135] 1465490159.688285: PKINIT client has no configured identity; >>> giving up >>> [9135] 1465490159.688315: PKINIT client has no configured identity; >>> giving up >>> [9135] 1465490159.688342: Preauth module pkinit (16) (real) returned: >>> 22/Invalid argument >>> [9135] 1465490159.688368: PKINIT client has no configured identity; >>> giving up >>> [9135] 1465490159.688394: Preauth module pkinit (14) (real) returned: >>> 22/Invalid argument >>> Password for grumpy\@torchwood at AD.TEST: [9135] 1465490162.317092: AS key >>> obtained for encrypted timestamp: aes256-cts/C61F >>> [9135] 1465490162.317176: Encrypted timestamp (for 1465490162.505923): >>> plain 301AA011180F32303136303630393136333630325AA105020307B843, >>> encrypted >>> ADD327ACC03C99C821D9FBBE280866D6342D3CE1BBA2C720CF5A5BEBA586ECD0034CD2C3448F5FD6D66219DB77DC51D81C8C1D6D01A87AC9 >>> >>> >>> [9135] 1465490162.317228: Preauth module encrypted_timestamp (2) (real) >>> returned: 0/Success >>> [9135] 1465490162.317272: Produced preauth for next request: 2 >>> [9135] 1465490162.317328: Sending request (246 bytes) to AD.TEST >>> [9135] 1465490162.346793: Resolving hostname w12.ad.test. 
>>> [9135] 1465490162.352714: Sending initial UDP request to dgram >>> 192.168.5.111:88 >>> [9135] 1465490162.353537: Received answer (1442 bytes) from dgram >>> 192.168.5.111:88 >>> [9135] 1465490162.366042: Response was not from master KDC >>> [9135] 1465490162.366094: Processing preauth types: 19 >>> [9135] 1465490162.366139: Selected etype info: etype aes256-cts, salt >>> "AD.TESTgrumpy", params "" >>> [9135] 1465490162.366190: Produced preauth for next request: (empty) >>> [9135] 1465490162.366235: AS key determined by preauth: aes256-cts/C61F >>> [9135] 1465490162.366328: Decrypted AS reply; session key is: >>> aes256-cts/BD45 >>> [9135] 1465490162.366382: FAST negotiation: unavailable >>> [9135] 1465490162.366416: Initializing >>> KEYRING:persistent:0:krb_ccache_dSjqZkD with default princ >>> grumpy at AD.TEST >>> [9135] 1465490162.366488: Storing grumpy at AD.TEST -> >>> krbtgt/AD.TEST at AD.TEST in KEYRING:persistent:0:krb_ccache_dSjqZkD >>> [9135] 1465490162.366550: Storing config in >>> KEYRING:persistent:0:krb_ccache_dSjqZkD for krbtgt/AD.TEST at AD.TEST: >>> pa_type: 2 >>> [9135] 1465490162.366585: Storing grumpy at AD.TEST -> >>> krb5_ccache_conf_data/pa_type/krbtgt\/AD.TEST\@AD.TEST at X-CACHECONF: in >>> KEYRING:persistent:0:krb_ccache_dSjqZkD >>> >>> As you can see, the realm was considered non-local and a referral to the >>> correct realm was issued, then kinit followed the referral and finally >>> we've got the ticket for grumpy at AD.TEST because canonicalization was >>> asked. 
If no canonicalization were requested, the principal would be the >>> enterprise one but, again, from the other realm: >>> >>> [root at f24-master ~]# klist >>> Ticket cache: KEYRING:persistent:0:krb_ccache_lIqrVtl >>> Default principal: grumpy\@torchwood at AD.TEST >>> >>> Valid starting Expires Service principal >>> 06/09/2016 19:45:16 06/10/2016 05:45:16 krbtgt/AD.TEST at AD.TEST >>> renew until 06/10/2016 19:45:13 >>> >>> >>> >> Hmmm, >> >> when I establish a one-way trust I can kinit with the user having a UPN >> suffix: >> >> kinit -E jdoe at crew207 >> Password for jdoe\@crew207 at DOM-207.ADREALM.COM: >> [root at vm-183 ~]# klist >> Ticket cache: KEYRING:persistent:0:krb_ccache_gHJAT3H >> Default principal: jdoe\@crew207 at DOM-207.ADREALM.COM >> >> Valid starting Expires Service principal >> 06/09/2016 17:56:31 06/10/2016 03:56:31 >> krbtgt/DOM-207.ADREALM.COM at DOM-207.ADREALM.COM >> renew until 06/10/2016 17:56:26 >> >> >> However, when I issue 'ipa trust-show' I do not see any UPN suffixes >> associated with the trust because the 'ipaNTAdditionalSuffixes' attribute >> is not populated on the trusted domain object, while in the two-way >> trust case it is and the 'trust-*' commands show the UPNs as expected. >> >> ipa trust-show dom-207.adrealm.com >> Domain NetBIOS name: DOM-207 >> Domain Security Identifier: S-1-5-21-2334637434-2721788842-3715042423 >> Trust direction: Trusting forest >> Trust type: Non-transitive external trust to a domain in another >> Active Directory forest >> Realm name: dom-207.adrealm.com >> >> (it doesn't matter if I create an external one-way trust or not, the UPNs >> are not pulled from the AD DC in either case) > Check audit.log; on Fedora 24 the SELinux policy is broken again due to us > moving files all around. Try with setenforce 0 to verify it.
> > We run an equivalent of > # oddjob_request -i com.redhat.idm.trust.fetch_domains \ > -s com.redhat.idm.trust -o / \ > com.redhat.idm.trust.fetch_domains ad.test > > when retrieving forest topology information in the one-way trust case. > If SELinux policy prevents oddjobd from launching the helper, no retrieval > will happen. > Yes, the code works fine but SELinux blocks com.redhat.trust.fetch_domains from running. I will open appropriate BZs against selinux-policy. ACK. -- Martin^3 Babinsky
From mbasti at redhat.com Sat Jun 11 15:27:37 2016
From: mbasti at redhat.com (Martin Basti) Date: Sat, 11 Jun 2016 17:27:37 +0200 Subject: [Freeipa-devel] [PATCH] 0202 support UPNs for trusted domain users In-Reply-To: References: <20160606103445.enh3cb6yfunmmqk2@redhat.com> <0561a485-5e97-e68a-8da0-284ead631fd1@redhat.com> <20160607163807.4fc5gaim7wqqqepl@redhat.com> <20160607173511.6o3a4ovu3vpcqneq@redhat.com> <54b08667-1f26-ce8b-3932-d8e0bc101eaf@redhat.com> <20160609164642.ogbmk6m2fnbggdlh@redhat.com> <20160609171952.2yxwdgkztzdqcchr@redhat.com> Message-ID: <04dff71e-8a5b-25fd-8f4e-77dbc1a50b08@redhat.com> On 11.06.2016 16:13, Martin Babinsky wrote: > On 06/09/2016 07:19 PM, Alexander Bokovoy wrote: >> On Thu, 09 Jun 2016, Martin Babinsky wrote: >>> On 06/09/2016 06:46 PM, Alexander Bokovoy wrote: >>>> On Thu, 09 Jun 2016, Martin Babinsky wrote: >>>>> On 06/07/2016 07:35 PM, Alexander Bokovoy wrote: >>>>>> On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>>>>> On 06/07/2016 06:38 PM, Alexander Bokovoy wrote: >>>>>>>> On Tue, 07 Jun 2016, Martin Babinsky wrote: >>>>>>>>> On 06/06/2016 12:34 PM, Alexander Bokovoy wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> Add support for additional user name principal suffixes from >>>>>>>>>> trusted Active Directory forests. UPN suffixes are property >>>>>>>>>> of the forest and as such are associated with the forest root >>>>>>>>>> domain. >>>>>>>>>> >>>>>>>>>> FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes >>>>>>>>>> multi-valued >>>>>>>>>> attribute of ipaNTTrustedDomain object class. >>>>>>>>>> >>>>>>>>>> In order to look up UPN suffixes, >>>>>>>>>> netr_DsRGetForestTrustInformation >>>>>>>>>> LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. 
>>>>>>>>>> >>>>>>>>>> For more details on UPN and naming in Active Directory see >>>>>>>>>> https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5354 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Hi Alexander, >>>>>>>>> >>>>>>>>> a few comments: >>>>>>>>> >>>>>>>>> 1.) >>>>>>>>> >>>>>>>>> there are some PEP8 violations in the patch. Not all of them >>>>>>>>> need to >>>>>>>>> be fixed, though (line overhangs < 5 characters are OK by me). >>>>>>>>> >>>>>>>>> """ >>>>>>>>> ./ipaserver/dcerpc.py:1199:80: E501 line too long (80 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/dcerpc.py:1200:80: E501 line too long (83 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/dcerpc.py:1258:40: E203 whitespace before ':' >>>>>>>>> ./ipaserver/dcerpc.py:1263:80: E501 line too long (81 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/dcerpc.py:1271:80: E501 line too long (90 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/dcerpc.py:1272:80: E501 line too long (82 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/plugins/trust.py:490:9: E128 continuation line >>>>>>>>> under-indented for visual indent >>>>>>>>> ./ipaserver/plugins/trust.py:490:80: E501 line too long (93 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/plugins/trust.py:490:92: E202 whitespace before ']' >>>>>>>>> ./ipaserver/plugins/trust.py:493:80: E501 line too long (83 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/plugins/trust.py:1461:80: E501 line too long (80 > 79 >>>>>>>>> characters) >>>>>>>>> ./ipaserver/plugins/trust.py:1462:59: E202 whitespace before ']' >>>>>>>>> ./ipaserver/plugins/trust.py:1544:1: E302 expected 2 blank lines, >>>>>>>>> found 1 >>>>>>>>> ./ipaserver/plugins/trust.py:1638:1: E302 expected 2 blank lines, >>>>>>>>> found 1 >>>>>>>>> """ >>>>>>>> I've fixed trust.py part, the dcerpc.py fixes in 0201 should be >>>>>>>> enough >>>>>>>> now -- breaking following line is not 
giving any reasonable >>>>>>>> benefit: >>>>>>>> >>>>>>>> res['ipantflatname'] = >>>>>>>> unicode(t.forest_trust_data.netbios_domain_name.string) >>>>>>>> >>>>>>> >>>>>>> Looking at the code, it would be IMHO more readable to directly >>>>>>> append >>>>>>> dict literals to the result like so: >>>>>>> >>>>>>> """ >>>>>>> --- a/ipaserver/dcerpc.py >>>>>>> +++ b/ipaserver/dcerpc.py 
>>>>>>> @@ -1269,18 +1269,20 @@ def fetch_domains(api, mydomain, >>>>>>> trustdomain, >>>>>>> creds=None, server=None): >>>>>>> tname = >>>>>>> unicode(t.forest_trust_data.dns_domain_name.string) >>>>>>> if tname == trustdomain: >>>>>>> continue >>>>>>> - res = dict() >>>>>>> - res['cn'] = tname >>>>>>> - res['ipantflatname'] = >>>>>>> unicode(t.forest_trust_data.netbios_domain_name.string) >>>>>>> - res['ipanttrusteddomainsid'] = >>>>>>> unicode(t.forest_trust_data.domain_sid) >>>>>>> - result['domains'][tname] = res >>>>>>> + >>>>>>> + result['domains'][tname] = { >>>>>>> + 'cn': tname, >>>>>>> + 'ipantflatname': unicode( >>>>>>> + t.forest_trust_data.netbios_domain_name.string), >>>>>>> + 'ipanttrusteddomainsid': unicode( >>>>>>> + t.forest_trust_data.domain_sid) >>>>>>> + } >>>>>>> elif t.type == lsa.LSA_FOREST_TRUST_TOP_LEVEL_NAME: >>>>>>> tname = unicode(t.forest_trust_data.string) >>>>>>> if tname == trustdomain: >>>>>>> continue >>>>>>> - res = dict() >>>>>>> - res['cn'] = tname >>>>>>> - result['suffixes'][tname] = res >>>>>>> + >>>>>>> + result['suffixes'][tname] = {'cn': tname} >>>>>>> return result >>>>>>> """ >>>>>> Makes sense. Fixed. >>>>>> >>>>>>> >>>>>>> Also there is a whitespace before colon here: >>>>>>> """ >>>>>>> + result = {'domains': {}, 'suffixes' : {}} >>>>>>> ^ >>>>>>> """ >>>>>>> Please fix that and I will be a happy engineer. >>>>>> Fixed. >>>>>> >>>>>>> >>>>>>>>> 2.) >>>>>>>>> >>>>>>>>> Should the ipaNTAdditionalSuffixes attribute be case >>>>>>>>> insensitive? It >>>>>>>>> makes sense but I'm just asking so that we don't end changing the >>>>>>>>> schema later. >>>>>>>> ipaNTAdditionalSuffixes is defined as >>>>>>>> >>>>>>>> attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME >>>>>>>> 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name >>>>>>>> associated with the domain' EQUALITY caseIgnoreMatch SYNTAX >>>>>>>> 1.3.6.1.4.1.1466.115.121.1.15) >>>>>>>> >>>>>>>> There should be no problem with case sensitivity already. 
>>>>>>>> >>>>>>> OK, I presume that the UPN suffixes on AD are also >>>>>>> case-insensitive so >>>>>>> everything should be alright. >>>>>> Yes, like everything realm-related on the AD side, they are >>>>>> case-insensitive. >>>>>> >>>>>> Updated patch attached. >>>>> >>>>> 1.) there is one unused import that makes pylint choke: >>>>> >>>>> """ >>>>> ************* Module com.redhat.idm >>>>> install/oddjob/com.redhat.idm.trust-fetch-domains:6: >>>>> [W0611(unused-import), ] Unused errors imported from ipalib) >>>>> Makefile:137: recipe for target 'lint' failed >>>>> make: *** [lint] Error 1 >>>>> """ >>>> Fixed, thanks. I wasn't attentive to why it considered that error. >>> >>> We are continuously tightening pylint checks in order to help us improve >>> (or at least not worsen) the code quality. >>> >>>> >>>>> 2.) The UPN suffixes are added during trust establishment and I can >>>>> also kinit as the enterprise principal using one of the UPNs, but only >>>>> when using a two-way trust. Is this expected? I was not able to find >>>>> any >>>>> clue in the design page but maybe I was just not looking hard enough. >>>> No, it works just fine for a one-way trust as well. The way UPNs are used in >>>> AD is a bit awkward -- you define them globally for the whole forest >>>> first and then assign a specific UPN suffix for the user account in the >>>> account properties.
Only then you can use the suffix for this user: >>>> >>>> [root at f24-master ~]# net ads search -S w12.ad.test -k cn=grumpy |grep >>>> userPrincipalName >>>> userPrincipalName: grumpy at torchwood >>>> >>>> [root at f24-master ~]# KRB5_TRACE=/dev/stderr kinit -E -C >>>> grumpy at torchwood >>>> [9135] 1465490159.655327: Resolving unique ccache of type KEYRING >>>> [9135] 1465490159.655408: Getting initial credentials for >>>> grumpy\@torchwood at IPA.AD.TEST >>>> [9135] 1465490159.656798: Sending request (176 bytes) to IPA.AD.TEST >>>> [9135] 1465490159.656994: Initiating TCP connection to stream >>>> 192.168.5.117:88 >>>> [9135] 1465490159.657122: Sending TCP request to stream >>>> 192.168.5.117:88 >>>> [9135] 1465490159.657655: Received answer (169 bytes) from stream >>>> 192.168.5.117:88 >>>> [9135] 1465490159.657679: Terminating TCP connection to stream >>>> 192.168.5.117:88 >>>> [9135] 1465490159.657715: Response was from master KDC >>>> [9135] 1465490159.657741: Received error from KDC: >>>> -1765328316/Realm not >>>> local to KDC >>>> [9135] 1465490159.657756: Following referral to realm AD.TEST >>>> [9135] 1465490159.657783: Sending request (168 bytes) to AD.TEST >>>> [9135] 1465490159.674764: Resolving hostname w12.ad.test. 
>>>> [9135] 1465490159.679514: Sending initial UDP request to dgram >>>> 192.168.5.111:88 >>>> [9135] 1465490159.680158: Received answer (171 bytes) from dgram >>>> 192.168.5.111:88 >>>> [9135] 1465490159.688085: Response was not from master KDC >>>> [9135] 1465490159.688141: Received error from KDC: >>>> -1765328359/Additional pre-authentication required >>>> [9135] 1465490159.688203: Processing preauth types: 16, 15, 19, 2 >>>> [9135] 1465490159.688252: Selected etype info: etype aes256-cts, salt >>>> "AD.TESTgrumpy", params "" >>>> [9135] 1465490159.688285: PKINIT client has no configured identity; >>>> giving up >>>> [9135] 1465490159.688315: PKINIT client has no configured identity; >>>> giving up >>>> [9135] 1465490159.688342: Preauth module pkinit (16) (real) returned: >>>> 22/Invalid argument >>>> [9135] 1465490159.688368: PKINIT client has no configured identity; >>>> giving up >>>> [9135] 1465490159.688394: Preauth module pkinit (14) (real) returned: >>>> 22/Invalid argument >>>> Password for grumpy\@torchwood at AD.TEST: [9135] 1465490162.317092: >>>> AS key >>>> obtained for encrypted timestamp: aes256-cts/C61F >>>> [9135] 1465490162.317176: Encrypted timestamp (for 1465490162.505923): >>>> plain 301AA011180F32303136303630393136333630325AA105020307B843, >>>> encrypted >>>> ADD327ACC03C99C821D9FBBE280866D6342D3CE1BBA2C720CF5A5BEBA586ECD0034CD2C3448F5FD6D66219DB77DC51D81C8C1D6D01A87AC9 >>>> >>>> >>>> >>>> [9135] 1465490162.317228: Preauth module encrypted_timestamp (2) >>>> (real) >>>> returned: 0/Success >>>> [9135] 1465490162.317272: Produced preauth for next request: 2 >>>> [9135] 1465490162.317328: Sending request (246 bytes) to AD.TEST >>>> [9135] 1465490162.346793: Resolving hostname w12.ad.test. 
>>>> [9135] 1465490162.352714: Sending initial UDP request to dgram >>>> 192.168.5.111:88 >>>> [9135] 1465490162.353537: Received answer (1442 bytes) from dgram >>>> 192.168.5.111:88 >>>> [9135] 1465490162.366042: Response was not from master KDC >>>> [9135] 1465490162.366094: Processing preauth types: 19 >>>> [9135] 1465490162.366139: Selected etype info: etype aes256-cts, salt >>>> "AD.TESTgrumpy", params "" >>>> [9135] 1465490162.366190: Produced preauth for next request: (empty) >>>> [9135] 1465490162.366235: AS key determined by preauth: >>>> aes256-cts/C61F >>>> [9135] 1465490162.366328: Decrypted AS reply; session key is: >>>> aes256-cts/BD45 >>>> [9135] 1465490162.366382: FAST negotiation: unavailable >>>> [9135] 1465490162.366416: Initializing >>>> KEYRING:persistent:0:krb_ccache_dSjqZkD with default princ >>>> grumpy at AD.TEST >>>> [9135] 1465490162.366488: Storing grumpy at AD.TEST -> >>>> krbtgt/AD.TEST at AD.TEST in KEYRING:persistent:0:krb_ccache_dSjqZkD >>>> [9135] 1465490162.366550: Storing config in >>>> KEYRING:persistent:0:krb_ccache_dSjqZkD for krbtgt/AD.TEST at AD.TEST: >>>> pa_type: 2 >>>> [9135] 1465490162.366585: Storing grumpy at AD.TEST -> >>>> krb5_ccache_conf_data/pa_type/krbtgt\/AD.TEST\@AD.TEST at X-CACHECONF: in >>>> KEYRING:persistent:0:krb_ccache_dSjqZkD >>>> >>>> As you can see, the realm was considered non-local and a referral >>>> to the >>>> correct realm was issued, then kinit followed the referral and finally >>>> we've got the ticket for grumpy at AD.TEST because canonicalization was >>>> asked. 
If no canonicalization were requested, the principal would be the >>>> enterprise one but, again, from the other realm: >>>> >>>> [root at f24-master ~]# klist >>>> Ticket cache: KEYRING:persistent:0:krb_ccache_lIqrVtl >>>> Default principal: grumpy\@torchwood at AD.TEST >>>> >>>> Valid starting Expires Service principal >>>> 06/09/2016 19:45:16 06/10/2016 05:45:16 krbtgt/AD.TEST at AD.TEST >>>> renew until 06/10/2016 19:45:13 >>>> >>>> >>>> >>> Hmmm, >>> >>> when I establish a one-way trust I can kinit with the user having a UPN >>> suffix: >>> >>> kinit -E jdoe at crew207 >>> Password for jdoe\@crew207 at DOM-207.ADREALM.COM: >>> [root at vm-183 ~]# klist >>> Ticket cache: KEYRING:persistent:0:krb_ccache_gHJAT3H >>> Default principal: jdoe\@crew207 at DOM-207.ADREALM.COM >>> >>> Valid starting Expires Service principal >>> 06/09/2016 17:56:31 06/10/2016 03:56:31 >>> krbtgt/DOM-207.ADREALM.COM at DOM-207.ADREALM.COM >>> renew until 06/10/2016 17:56:26 >>> >>> >>> However, when I issue 'ipa trust-show' I do not see any UPN suffixes >>> associated with the trust because the 'ipaNTAdditionalSuffixes' attribute >>> is not populated on the trusted domain object, while in the two-way >>> trust case it is and the 'trust-*' commands show the UPNs as expected. >>> >>> ipa trust-show dom-207.adrealm.com >>> Domain NetBIOS name: DOM-207 >>> Domain Security Identifier: S-1-5-21-2334637434-2721788842-3715042423 >>> Trust direction: Trusting forest >>> Trust type: Non-transitive external trust to a domain in another >>> Active Directory forest >>> Realm name: dom-207.adrealm.com >>> >>> (it doesn't matter if I create an external one-way trust or not, the UPNs >>> are not pulled from the AD DC in either case) >> Check audit.log; on Fedora 24 the SELinux policy is broken again due to us >> moving files all around. Try with setenforce 0 to verify it.
>> >> We run an equivalent of >> # oddjob_request -i com.redhat.idm.trust.fetch_domains \ >> -s com.redhat.idm.trust -o / \ >> com.redhat.idm.trust.fetch_domains ad.test >> >> when retrieving forest topology information in the one-way trust case. >> If SELinux policy prevents oddjobd from launching the helper, no retrieval >> will happen. >> > Yes, the code works fine but SELinux blocks > com.redhat.trust.fetch_domains from running. > > I will open appropriate BZs against selinux-policy. > > ACK. > Pushed to master: bb75f5a5836ea011b8920f8bb8d58c1f4cd9b4c8
From mbasti at redhat.com Sat Jun 11 15:31:16 2016
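The referral behaviour Alexander walks through in this thread (an enterprise name sent to the IPA KDC, "Realm not local to KDC", the client following the referral, and a canonicalized versus an unchanged enterprise name at the end) modelled as an added example; this is not FreeIPA or MIT krb5 code. It assumes the {'domains', 'suffixes'} shape that fetch_domains() returns in the quoted diff, a hypothetical route_enterprise_as_req() for the KDC-side decision, a local realm of IPA.AD.TEST, and constructed forest data.

```python
"""Routing of an enterprise principal (kinit -E) across an IPA -> AD trust.

Added example for the thread above, not FreeIPA or MIT krb5 code.  It assumes
the per-forest data has the {'domains': {...}, 'suffixes': {...}} shape that
fetch_domains() returns in the quoted diff, that a forest-wide UPN suffix
resolves to the forest root realm, and that the local realm is IPA.AD.TEST.
All sample values are constructed.
"""
from typing import Dict, Optional, Tuple

# Error codes as they appear in the KRB5_TRACE output in the thread:
# the krb5 com_err table base plus the protocol error number.
KRB5_ERR_BASE = -1765328384
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = KRB5_ERR_BASE + 6
KRB5KDC_ERR_WRONG_REALM = KRB5_ERR_BASE + 68      # "Realm not local to KDC"

# Constructed stand-in for what fetch_domains() stores for a trusted forest,
# keyed by the forest root DNS name.  'suffixes' corresponds to the
# ipaNTAdditionalSuffixes values that 'ipa trust-show' lists.
FOREST_TRUST_INFO: Dict[str, dict] = {
    'ad.test': {
        'domains': {
            'ad.test': {'cn': 'ad.test', 'ipantflatname': 'AD',
                        'ipanttrusteddomainsid': 'S-1-5-21-1-2-3'},
            'child.ad.test': {'cn': 'child.ad.test', 'ipantflatname': 'CHILD',
                              'ipanttrusteddomainsid': 'S-1-5-21-4-5-6'},
        },
        'suffixes': {'torchwood': {'cn': 'torchwood'}},
    },
}


def unparse_enterprise(upn: str, realm: str) -> str:
    """Print a UPN the way krb5 prints an enterprise principal.

    The whole UPN is one name component, so its '@' is escaped with a
    backslash: grumpy@torchwood in realm AD.TEST -> grumpy\\@torchwood@AD.TEST.
    """
    user, suffix = upn.split('@', 1)
    return f"{user}\\@{suffix}@{realm}"


def parse_enterprise(name: str) -> Tuple[str, str, str]:
    """Inverse of unparse_enterprise(): -> (user, upn_suffix, realm).

    The realm separator is the last '@' that is not escaped; a name without
    a realm, or without exactly one '@' inside the component, is rejected.
    """
    for i in range(len(name) - 1, -1, -1):
        if name[i] == '@' and (i == 0 or name[i - 1] != '\\'):
            component, realm = name[:i], name[i + 1:]
            break
    else:
        raise ValueError(f"no realm separator in {name!r}")
    upn = component.replace('\\@', '@')
    if upn.count('@') != 1:
        raise ValueError(f"{component!r} is not a user@suffix enterprise name")
    user, suffix = upn.split('@')
    return user, suffix, realm


def realm_for_upn_suffix(suffix: str, trusts: Dict[str, dict]) -> Optional[str]:
    """Map a UPN suffix to the trusted realm that owns it, or None.

    Matching is case-insensitive: ipaNTAdditionalSuffixes is defined with
    EQUALITY caseIgnoreMatch and AD treats the suffixes the same way.  A
    suffix equal to a trusted domain's DNS name is that domain's realm; an
    additional (forest-wide) suffix resolves to the forest root realm.
    """
    wanted = suffix.lower()
    for forest, info in trusts.items():
        for dns_name in info['domains']:
            if dns_name.lower() == wanted:
                return dns_name.upper()
        for extra in info['suffixes']:
            if extra.lower() == wanted:
                return forest.upper()
    return None


def route_enterprise_as_req(local_realm: str, upn: str, canonicalize: bool,
                            trusts: Dict[str, dict]
                            ) -> Tuple[int, Optional[str], Optional[str]]:
    """Model the IPA KDC's answer to an AS-REQ carrying an enterprise name.

    Returns (error_code, referral_realm, client_name_after_the_exchange).
    For a suffix owned by a trusted forest the KDC answers WRONG_REALM with a
    referral, as in the trace; the client then retries against that realm and
    ends up with either the canonical name (kinit -E -C) or the enterprise
    name unchanged (kinit -E).
    """
    if upn.count('@') != 1:
        raise ValueError(f"{upn!r} is not a user@suffix UPN")
    user, suffix = upn.split('@')
    if suffix.lower() == local_realm.lower():
        return 0, None, f"{user}@{local_realm}"
    target = realm_for_upn_suffix(suffix, trusts)
    if target is None:
        return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, None, None
    final = f"{user}@{target}" if canonicalize else unparse_enterprise(upn, target)
    return KRB5KDC_ERR_WRONG_REALM, target, final
```

Running route_enterprise_as_req('IPA.AD.TEST', 'grumpy@torchwood', True, FOREST_TRUST_INFO) reproduces the trace's outcome: a WRONG_REALM referral to AD.TEST and a final client name of grumpy@AD.TEST, while canonicalize=False keeps grumpy\@torchwood@AD.TEST as the klist output shows.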
From: mbasti at redhat.com (Martin Basti) Date: Sat, 11 Jun 2016 17:31:16 +0200 Subject: [Freeipa-devel] [PATCH] 0208-0209 webUI changes for external trust and UPN suffixes In-Reply-To: <20160610212347.gq2zghaibm3xsyn2@redhat.com> References: <20160609113052.u6iuzhliisaoyvwu@redhat.com> <20160609115418.GJ3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609121928.zvddi2lchxextrv6@redhat.com> <33810136-2a46-57b4-6be3-7f790f69c1d2@redhat.com> <20160610212347.gq2zghaibm3xsyn2@redhat.com> Message-ID: <7b47e142-5ffa-46d8-162f-a9f6fdd8e13b@redhat.com> On 10.06.2016 23:23, Alexander Bokovoy wrote: > On Fri, 10 Jun 2016, Pavel Vomacka wrote: >> >> >> On 06/09/2016 02:19 PM, Alexander Bokovoy wrote: >>> On Thu, 09 Jun 2016, Sumit Bose wrote: >>>> On Thu, Jun 09, 2016 at 02:30:52PM +0300, Alexander Bokovoy wrote: >>>>> Hi, >>>>> >>>>> webUI changes to support external trust and showing UPN suffixes are >>>>> attached. >>>>> >>>>> UPN suffixes are defined on the AD side and fetched with 'ipa >>>>> trust-fetch-domains'. >>>>> They cannot be disabled individually as they come from the AD side and >>>>> are >>>>> forest-wide, so we only show them, not allowing anything to be modified. >>>>> >>>>> External forest is a flag and is shown in the trust-add dialog. >>>>> The result would be visible as the trust type 'Non-transitive external >>>>> trust to a domain in another Active Directory forest' >>>>> >>>>> These patches functionally depend on 0201 and 0202. >>>>> >>>>> -- >>>>> / Alexander Bokovoy >>>> >>>>> From 4da33f5e82c83617ccfb2da7c3b70e5e66ac49d9 Mon Sep 17 00:00:00 >>>>> 2001 >>>>> From: Alexander Bokovoy >>>>> Date: Thu, 9 Jun 2016 12:04:05 +0300 >>>>> Subject: [PATCH 7/8] webui: show UPN suffixes in trust properties >>>>> >>>>> Part of https://fedorahosted.org/freeipa/ticket/5354 >>>>> >>>>> --- >>>>> install/ui/src/freeipa/trust.js | 11 +++++++++++ >>>>> ipaserver/plugins/internal.py | 2 ++ >>>>> 2 files changed, 13 insertions(+) >>>>> >>>> ...
>>>>> diff --git a/ipaserver/plugins/internal.py >>>>> b/ipaserver/plugins/internal.py >>>>> index 4804f64..ea29b16 100644 >>>>> --- a/ipaserver/plugins/internal.py >>>>> +++ b/ipaserver/plugins/internal.py >>>>> @@ -747,6 +747,8 @@ class i18n_messages(Command): >>>>> "trustdirection": _("Trust direction"), >>>>> "truststatus": _("Trust status"), >>>>> "trusttype": _("Trust type"), >>>>> + "suffixes": _("UPN suffixes"), >>>>> + "ipantadditionalsuffixes": _("UPN suffixes"), >>>> >>>> The AD gui calls the latter 'Alternative UPN suffixes'. Maybe we >>>> should >>>> use the same description here as well to avoid irritations? >>> Makes sense. I've updated the patch 0208 and also removed the string >>> 'suffixes' which is not referenced from the UI. >>> >>> >> Hello, >> >> thank you for patches, they look good and work well. I have only one >> small comment: >> Patch 208: >> >> + read_only: 'true' >> >> It would be nicer to use boolean value instead of string, even if it >> works correctly with string value. >> >> And because it is really small change I edited your patch. I also >> changed links in your commit messages to WebUI tickets (5904,5937). >> Edited patches are attached, so ACK if you agree with these changes. > Sure, ACK. > > Thanks for the review. > master: * 5b0dbe7e5996ef95301c5fdd530f2e2a18757f04 webui: show UPN suffixes in trust properties * d6266476fa1425dfd62cf6138b9ca7ab7b270c23 webui: support external flag to trust-add From pspacek at redhat.com Sat Jun 11 18:25:53 2016 
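Review bot: the two keys added to i18n_messages, "suffixes" and "ipantadditionalsuffixes", carry the identical label _("UPN suffixes"), and as Alexander confirms above only the latter is referenced from the UI; the unreferenced "suffixes" entry should be dropped rather than shipped as a second translatable string, and the remaining label is better worded "Alternative UPN suffixes" to match the AD GUI, as Sumit suggests above.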
From: pspacek at redhat.com (Petr Spacek) Date: Sat, 11 Jun 2016 20:25:53 +0200 Subject: [Freeipa-devel] [PATCH 0409-0411] Parse idnsServerConfigObject and use its values for forwarder configuration Add LDAP schema for per-server config in LDAP Add server_ldap_settings layer to tree of setting objects In-Reply-To: References: Message-ID: <4490638a-e982-86d2-0da8-3279248849bc@redhat.com>

On 8.6.2016 15:44, Petr Spacek wrote:
> Hello,
>
> this patch set implements forwarder configuration in idnsServerConfigObject.
>
> https://fedorahosted.org/bind-dyndb-ldap/ticket/162

This version of the patch set fixes a race condition caused by improper ISC task handling for the update_serverconfig event.

--
Petr^2 Spacek

Attachments (text/x-patch):
- bind-dyndb-ldap-pspacek-0409-2-Add-server_ldap_settings-layer-to-tree-of-setting-ob.patch (8380 bytes)
- bind-dyndb-ldap-pspacek-0410-2-Add-LDAP-schema-for-per-server-config-in-LDAP.patch (1413 bytes)
- bind-dyndb-ldap-pspacek-0411-2-Parse-idnsServerConfigObject-and-use-its-values-for-.patch (8683 bytes)

From pspacek at redhat.com Sat Jun 11 18:36:39 2016
From: pspacek at redhat.com (Petr Spacek) Date: Sat, 11 Jun 2016 20:36:39 +0200 Subject: [Freeipa-devel] [PATCH 0413-0416] Support fake_mname option in per-server configuration in LDAP Message-ID: <4d3bdecd-9222-8040-58fa-87a6ad58af47@redhat.com>

Hello,

Support fake_mname option in per-server configuration in LDAP.

https://fedorahosted.org/bind-dyndb-ldap/ticket/162

The patch set contains the necessary infrastructure changes so that the configuration is read before zone loading starts.

--
Petr^2 Spacek

Attachments (text/x-patch):
- bind-dyndb-ldap-pspacek-0413-Do-not-log-connection-to-the-LDAP-server-was-lost-on.patch (1135 bytes)
- bind-dyndb-ldap-pspacek-0414-Refactor-LDAP-SyncRepl-connection-handling-to-make-i.patch (9257 bytes)
- bind-dyndb-ldap-pspacek-0415-Read-configuration-from-LDAP-first-to-guarantee-its-.patch (12394 bytes)
- bind-dyndb-ldap-pspacek-0416-Support-fake_mname-option-in-per-server-configuratio.patch (1914 bytes)

From pspacek at redhat.com Sat Jun 11 18:40:04 2016
From: pspacek at redhat.com (Petr Spacek) Date: Sat, 11 Jun 2016 20:40:04 +0200 Subject: [Freeipa-devel] [PATCH 0417-0422] Support dynamic record generation using idnsTemplateAttribute & idnsSubstitutionVariable; ipalocation variable from server's config Message-ID: <3b5e78ed-bc4f-fd19-6e59-de9ba97efbc2@redhat.com>

Hello,

This is all we need for RecordGenerator and IPA locations.

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator

https://fedorahosted.org/bind-dyndb-ldap/ticket/126

The limitation is that all the changes are applied only on BIND reload. I will think about eliminating this requirement but it is not that easy.

--
Petr^2 Spacek

Attachments (text/x-patch):
- bind-dyndb-ldap-pspacek-0417-Read-idnsSubstitutionVariable-ipalocation-variable-f.patch (2232 bytes)
- bind-dyndb-ldap-pspacek-0418-Refactor-ldap_parse_rrentry-to-make-settings-system-.patch (4016 bytes)
- bind-dyndb-ldap-pspacek-0419-Revive-str.c-str_cat_char_len-function-from-git-hist.patch (1354 bytes)
- bind-dyndb-ldap-pspacek-0420-Support-dynamic-record-generation-using-idnsTemplate.patch (9915 bytes)
- bind-dyndb-ldap-pspacek-0421-Detect-unsupported-combination-of-idnsTemplateObject.patch (2465 bytes)
- bind-dyndb-ldap-pspacek-0422-Optimize-idnsTemplateAttribute-processing.patch (1524 bytes)

From pspacek at redhat.com Sat Jun 11 18:41:34 2016
From: pspacek at redhat.com (Petr Spacek) Date: Sat, 11 Jun 2016 20:41:34 +0200 Subject: [Freeipa-devel] [PATCH 0423] Support default TTL configuration at zone level: dNSdefaultTTL attribute Message-ID: <43237105-c3c9-58e3-7824-f383c43c027f@redhat.com>

Hello,

Support default TTL configuration at zone level: dNSdefaultTTL attribute.

Limitations:
- Changes to the dNSdefaultTTL attribute will propagate only to records which were updated after the change. A reload is necessary to ensure that all TTL values in the zone were updated.

https://fedorahosted.org/bind-dyndb-ldap/ticket/70

This and all my previous patches are available from the Github branch pspacek/server_config_in_ldap4.

--
Petr^2 Spacek

Attachments (text/x-patch):
- bind-dyndb-ldap-pspacek-0423-Support-default-TTL-configuration-at-zone-level-dNSd.patch (10206 bytes)

From pspacek at redhat.com Sat Jun 11 19:22:52 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Sat, 11 Jun 2016 21:22:52 +0200
Subject: [Freeipa-devel] bind-dyndb-ldap 10.0 development status (related to FreeIPA 4.4)
Message-ID: <32d1d163-d716-ba00-3cb1-7ebd2388430a@redhat.com>

Hello,

bind-dyndb-ldap 10.0 alpha 1 is available for testing (finally). AFAIK it implements all the critical functionality for FreeIPA 4.4, namely RecordGenerator & default TTL support necessary for FreeIPA DNS locations.

Limitations
===========
BIND has to be reloaded ("rndc reload" at least) after each change in server's config or zone's default TTL. In case of FreeIPA it means that server-mod command which touches server's DNS location has to be followed by "rndc reload" on the affected replica.

Outlook
=======
I have been looking for a solution for quite a while now but it is an asynchronous parallel event hell. We will probably end up with a big hammer like "reconnect to LDAP and re-parse everything". Most likely it will be error prone and racy (think about DNS updates in the middle of re-synchronization) but any fine-grained approaches seem to be even more fragile and even racier. Yuck.
Implemented designs
===================
- https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
- https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP

Fixed tickets
=============
- https://fedorahosted.org/bind-dyndb-ldap/ticket/126
- https://fedorahosted.org/bind-dyndb-ldap/ticket/162
- https://fedorahosted.org/bind-dyndb-ldap/ticket/70
- https://fedorahosted.org/bind-dyndb-ldap/ticket/164
- https://fedorahosted.org/bind-dyndb-ldap/ticket/165
- https://fedorahosted.org/bind-dyndb-ldap/ticket/146

COPR packages
=============
https://copr.fedorainfracloud.org/coprs/pspacek/bind-dyndb-ldap/build/339004/

SRPM
====
https://pspacek.fedorapeople.org/bind-dyndb-ldap/bind-dyndb-ldap-10.0-0.1alpha.fc23.src.rpm

Git branch
==========
https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4

Git commit
==========
6722382b2344fd5acd6ba9fa858c139c16e3de99

Enjoy.

-- 
Petr^2 Spacek

From mbabinsk at redhat.com Sun Jun 12 15:29:59 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Sun, 12 Jun 2016 17:29:59 +0200
Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2
In-Reply-To: <9310f244-5a4a-e075-651c-d449445ec0d6@redhat.com>
References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com> <9310f244-5a4a-e075-651c-d449445ec0d6@redhat.com>
Message-ID:

On 06/10/2016 05:42 PM, Martin Babinsky wrote:
> On 06/10/2016 02:22 PM, Jan Cholasta wrote:
>> On 9.6.2016 17:06, Martin Babinsky wrote:
>>> On 06/09/2016 03:54 PM, Petr Vobornik wrote:
>>>> On 06/09/2016 01:02 PM, Martin Babinsky wrote:
>>>>> On 06/07/2016 07:01 PM, Pavel Vomacka wrote:
>>>>>> On 06/07/2016 12:07 PM, Martin Babinsky wrote:
>>>>>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote:
>>>>>>>> I am sending rebased patches implementing
>>>>>>>> http://www.freeipa.org/page/V4/Server_Roles
>>>>>>>>
>>>>>>>> I hope the patches work since I have had a lot of fun rebasing them on top of thin client and DNS locations effort.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>>>
>>>>>>> Sending updated patches according to Jan's interactive review.
>>>>>>>
>>>>>>> Since the name of attributes returned by API commands and signature of `server-role-find` have changed, a small update in WebUI patches is required.
>>>>>>
>>>>>> NACK, why did you remove sizelimit from server_role_find command? Is it possible to return it back? It breaks WebUI.
>>>>>
>>>>> Indeed, this was caused by changing the base class of the command. It is fixed in updated patches.
>>>>
>>>> NACK
>>>>
>>>> Option timelimit? of command server_role_find in ipalib, not in API file:
>>>> Int('timelimit?', autofill=False)
>>>> Option sizelimit? of command server_role_find in ipalib, not in API file:
>>>> Int('sizelimit?', autofill=False)
>>>>
>>>> There are one or more changes to the API.
>>>> Either undo the API changes or update API.txt and increment the major version in VERSION.
>>>> Makefile:159: recipe for target 'version-update' failed
>>>> make: *** [version-update] Error 1
>>>
>>> Oops, seems like a missed API.txt update.
>>>
>>> Fixed.
>>
>> "ipa server-role-find" does not return the "IPA master" role for my server ("ipa-server-role $HOSTNAME 'IPA master'" does).
>>
> This is intentional since we discussed during the design phase[1] that "IPA master" role should be implicit and not shown to the user in server-show and server-role-find operation. This however does not preclude you from querying its status manually if you know the role name.
>
> [1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles
>
>> I would rather skip the option altogether rather than hide it:
>>
>> +    # we do not want to test negative membership for roles
>> +    # hide it from CLI
>> +    elif option.name == 'no_servrole':
>> +        option = option.clone(flags={'no_option'})
>>
> So something like:
>
>     elif option.name == 'no_servrole':
>         continue
>
> should do the trick?
>
>> The patches need a rebase (VERSION).
>>
>> Otherwise LGTM.
>>
>
> Ok I will send fixed patches ASAP.
>

Attaching rebased patches. 'no_servrole' option is now skipped and does not show in the API.

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0146-5-Server-roles-definitions-of-server-roles-and-attribu.patch
Name: freeipa-mbabinsk-0147-5-Server-Roles-Backend-plugin-to-query-roles-and-attri.patch
Name: freeipa-mbabinsk-0148-5-Test-suite-for-serverroles-backend.patch
Name: freeipa-mbabinsk-0149-5-Server-Roles-public-API-for-server-roles.patch
Name: freeipa-mbabinsk-0150-4-Server-Roles-make-server-show-find-utilize-role-info.patch
Name: freeipa-mbabinsk-0151-4-Server-Roles-make-config-show-consume-relevant-roles.patch
Name: freeipa-mbabinsk-0152-4-Server-Roles-provide-an-API-for-setting-CA-renewal-m.patch

From mbabinsk at redhat.com Sun Jun 12 15:31:34 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Sun, 12 Jun 2016 17:31:34 +0200
Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del
In-Reply-To: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com>
References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com>
Message-ID: <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com>

On 06/09/2016 08:12 PM, Martin Babinsky wrote:
> These patches expand `server_del` to a full fledged IPA master killer in domain level 1.
>
> Due to the 'server uninstallation removed master from topology' use case, the individual steps are not in the same order as in the original code, to facilitate self-removal from topology without introducing an array of permissions for a master to remove itself.
>
> I had no opportunity to test out the CI test suite because of technical problems so it would be nice if our upstream QE could give it a spin and report errors.
>
> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
> https://fedorahosted.org/freeipa/ticket/5181
>

Attaching rebased patches and bumping for review. Please note that they depend on the 'Server Roles v2' patchset.

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0153-2-ipapython-module-for-working-with-managed-topology.patch
Name: freeipa-mbabinsk-0154-2-delegate-removal-of-master-DNS-record-and-replica-ke.patch
Name: freeipa-mbabinsk-0155-2-server-del-perform-full-master-removal-in-managed-to.patch
Name: freeipa-mbabinsk-0156-2-CI-test-suite-for-server-del.patch
Name: freeipa-mbabinsk-0157-2-ipa-replica-manage-use-server_del-when-removing-doma.patch
Name: freeipa-mbabinsk-0158-2-remove-the-master-from-managed-topology-during-unins.patch

From mbabinsk at redhat.com Sun Jun 12 15:37:12 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Sun, 12 Jun 2016 17:37:12 +0200
Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role
Message-ID: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com>

These two patches turn the oft-neglected ntp service into a full fledged role whose status can be queried centrally. They should also enable generation of location-specific _ntp._udp records.

Please note that NTP is LDAP-enabled by an additional call after the DS instance is configured. I was not feeling confident about swapping the NTP and DS configuration steps as I was afraid it would break things. If not, I will happily update the patch accordingly.

https://fedorahosted.org/freeipa/ticket/5815
https://fedorahosted.org/freeipa/ticket/5826

-- 
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0159-Add-NTP-to-the-list-of-services-stored-in-IPA-master.patch
Name: freeipa-mbabinsk-0160-Introduce-NTP-server-role.patch

From ftweedal at redhat.com Mon Jun 13 01:11:30 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 13 Jun 2016 11:11:30 +1000
Subject: [Freeipa-devel] [Testplan review] Sub CAs
In-Reply-To:
References:
Message-ID: <20160613011130.GJ4744@dhcp-40-8.bne.redhat.com>

On Fri, Jun 10, 2016 at 05:58:02PM +0200, Milan Kubík wrote:
> Hi Fraser and list,
>
> I've written a (minimal) draft [1] of the test plan for the Sub CAs feature and I also have several questions.
>
> Could you please take a look at it?
>
> Questions:
>
> As described in the last (currently) test case, should it be possible to specify both the CA and certificate profile in cert-request call?
> This way one could use (at least) two ACLs (one affiliated with CA, one with a profile).
> Are there such use cases?
>
You can specify both CA and profile in cert-request call. CA ACLs encompass both of these. (Implementation-wise, we use the HBAC machinery; CA is the "host" and profile is the "service").

> Related to this, what happens when CA ACL has specific CA and profile category (all)?
>
If an ACL has profilecat=all and cacat=all, it will match if the subject principal's name or groups match one of the name or groups in the ACL rule.

> Applicable to other combinations as well. The ACL category semantics are a bit unclear for me here.
>
> Is there any validation of the CA's DN (syntax)?
>
Yes; the subject DN is a DNParam (checked by IPA framework). Dogtag also checks it and CA creation will fail if it is invalid OR if there is already a CA with that DN.

> How would you approach testing of the Sub CA certificate renewal and key replication
>
Renewal is not yet implemented, so ask me later :)

Key replication: if you create a CA on one replica, there are a couple ways to check.

1) After a short delay, a key and cert with the CA's Authority ID appear in the CA replica's NSSDB (/etc/pki/pki-tomcat/alias)

2) After a short delay, hit the Dogtag REST API (GET /ca/rest/authorities/) or invoke the `pki' command to see if the CA is "ready to sign", e.g.:

  # pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert \
      -P https -p 8443 ca-authority-show 24de435e-3b3b-4248-b187-fc719e579983
    Authority DN: CN=smime
    ID: 24de435e-3b3b-4248-b187-fc719e579983
    Parent ID: 8568c666-00d6-435c-9446-1014c6ce1215
    Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201606091248
    Serial no: 15
    Enabled: true
    Ready to sign: true    <--- key replication completed

> (I do not know if this is covered at the respective component's level or not)?
>
>
> [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
>
> Thanks
>
Thank you; I will review the rest of the test plan shortly.

Cheers,
Fraser

From ftweedal at redhat.com Mon Jun 13 04:55:42 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 13 Jun 2016 14:55:42 +1000
Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs
In-Reply-To:
References:
Message-ID: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com>

On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote:
> Hello,
>
> please review these new patches which add WebUI for Sub-CAs.
>
> https://fedorahosted.org/freeipa/ticket/5939
>
Hi Pavel,

I have reviewed the functionality of the patches. Functionality is good - a few minor comments below.

Patch 45:

1) In the main `Certificate Authorities' table, `Subject DN' is showing the DN of the IPA object, instead of the Subject DN.

2) In the `Certificate Authorities' detail table, there is an unlabelled row showing the DN of the IPA object. IMO we do not need to show this value at all.

Patch 46:

3) I see a FIXME in certificate.js. The behaviour (default to IPA CA / 'ipa') is OK. Alternatively, you could allow the user to not specify a CA (this will allow the default - currently 'ipa' - to be controlled by server).

Patch 47:

4) For backwards compatibility, a CA ACL without any specified CAs (and not cacat=all) implies the 'ipa' CA. It would be good to indicate this in the UI somehow, or include a notice to explain.

Cheers,
Fraser

From jcholast at redhat.com Mon Jun 13 05:26:28 2016
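The CA ACL semantics described in the two Sub-CAs replies above (the CA plays the HBAC "host", the profile the "service", a category of all matches anything, and an ACL that names no CA and lacks cacat=all covers the 'ipa' CA for backwards compatibility) are modelled below in Python. This is an added example, not FreeIPA's own caacl code; the rule names, principals, groups and profile names are constructed for the illustration.

```python
"""Model of how a FreeIPA CA ACL decides a cert-request (constructed example).

CA ACLs are evaluated with the HBAC machinery: the target CA plays the role
of the "host", the certificate profile plays the "service", and the subject
principal must match one of the rule's principals or groups.  A category of
"all" on the CA or profile dimension matches anything.  For backwards
compatibility a rule that lists no CAs and is not cacat=all applies to the
'ipa' CA only.  Real rules also carry user/host/service categories, which
are left out here to keep the CA/profile logic in focus.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

IPA_CA = "ipa"  # name of the CA object representing the IPA CA


@dataclass(frozen=True)
class CAACL:
    name: str
    enabled: bool = True
    cacat_all: bool = False        # cacat=all
    profilecat_all: bool = False   # profilecat=all
    cas: FrozenSet[str] = frozenset()
    profiles: FrozenSet[str] = frozenset()
    principals: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()

    def effective_cas(self) -> Optional[FrozenSet[str]]:
        """CAs this rule covers; None means every CA (cacat=all).

        A rule created before lightweight CAs existed lists no CA and has
        no category, so it is treated as covering the IPA CA only.
        """
        if self.cacat_all:
            return None
        return self.cas if self.cas else frozenset({IPA_CA})

    def matches(self, ca: str, profile: str, principal: str,
                groups: Iterable[str]) -> bool:
        if not self.enabled:
            return False
        allowed_cas = self.effective_cas()
        if allowed_cas is not None and ca not in allowed_cas:
            return False
        if not self.profilecat_all and profile not in self.profiles:
            return False
        # Subject principal: its name or one of its groups must be listed.
        return principal in self.principals or any(
            g in self.groups for g in groups)


def authorise_request(acls: List[CAACL], ca: str, profile: str,
                      principal: str, groups: Iterable[str]) -> Optional[str]:
    """Return the name of the first CA ACL permitting the request, else None."""
    groups = list(groups)
    for acl in acls:
        if acl.matches(ca, profile, principal, groups):
            return acl.name
    return None


# Constructed sample policy; every name below is invented for the example.
SAMPLE_ACLS = [
    # Legacy rule from before lightweight CAs: no CA listed, so it
    # implicitly covers the 'ipa' CA only.
    CAACL("hosts_services_caIPAserviceCert",
          profiles=frozenset({"caIPAserviceCert"}),
          groups=frozenset({"ipaservers"})),
    # Rule for a lightweight 'smime' CA restricted to one profile.
    CAACL("smime_users",
          cas=frozenset({"smime"}),
          profiles=frozenset({"smime_profile"}),
          groups=frozenset({"smime-users"})),
    # cacat=all and profilecat=all: only principal membership decides.
    CAACL("pki_admins", cacat_all=True, profilecat_all=True,
          groups=frozenset({"pki-admins"})),
]


def demo() -> List[Optional[str]]:
    """Evaluate a few constructed requests against SAMPLE_ACLS."""
    return [
        # legacy rule grants on 'ipa' but not on the 'smime' CA
        authorise_request(SAMPLE_ACLS, "ipa", "caIPAserviceCert",
                          "host/web.example.test", ["ipaservers"]),
        authorise_request(SAMPLE_ACLS, "smime", "caIPAserviceCert",
                          "host/web.example.test", ["ipaservers"]),
        # 'smime' CA with its profile, then with a profile the rule lacks
        authorise_request(SAMPLE_ACLS, "smime", "smime_profile",
                          "alice", ["smime-users"]),
        authorise_request(SAMPLE_ACLS, "smime", "caIPAserviceCert",
                          "alice", ["smime-users"]),
        # both categories 'all': any CA and profile for a pki-admins member
        authorise_request(SAMPLE_ACLS, "smime", "anything",
                          "bob", ["pki-admins"]),
    ]


if __name__ == "__main__":
    print(demo())
```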
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 13 Jun 2016 07:26:28 +0200
Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2
In-Reply-To:
References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com> <9310f244-5a4a-e075-651c-d449445ec0d6@redhat.com>
Message-ID: <821ddea0-22b9-ad2e-7334-dffbab36d20d@redhat.com>

On 12.6.2016 17:29, Martin Babinsky wrote:
> On 06/10/2016 05:42 PM, Martin Babinsky wrote:
>> On 06/10/2016 02:22 PM, Jan Cholasta wrote:
>>> On 9.6.2016 17:06, Martin Babinsky wrote:
>>>> On 06/09/2016 03:54 PM, Petr Vobornik wrote:
>>>>> On 06/09/2016 01:02 PM, Martin Babinsky wrote:
>>>>>> On 06/07/2016 07:01 PM, Pavel Vomacka wrote:
>>>>>>> On 06/07/2016 12:07 PM, Martin Babinsky wrote:
>>>>>>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote:
>>>>>>>>> I am sending rebased patches implementing
>>>>>>>>> http://www.freeipa.org/page/V4/Server_Roles
>>>>>>>>>
>>>>>>>>> I hope the patches work since I have had a lot of fun rebasing them on top of thin client and DNS locations effort.
>>>>>>>>>
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>>>>
>>>>>>>> Sending updated patches according to Jan's interactive review.
>>>>>>>>
>>>>>>>> Since the name of attributes returned by API commands and signature of `server-role-find` have changed, a small update in WebUI patches is required.
>>>>>>>
>>>>>>> NACK, why did you remove sizelimit from server_role_find command? Is it possible to return it back? It breaks WebUI.
>>>>>>
>>>>>> Indeed, this was caused by changing the base class of the command. It is fixed in updated patches.
>>>>>
>>>>> NACK
>>>>>
>>>>> Option timelimit? of command server_role_find in ipalib, not in API file:
>>>>> Int('timelimit?', autofill=False)
>>>>> Option sizelimit? of command server_role_find in ipalib, not in API file:
>>>>> Int('sizelimit?', autofill=False)
>>>>>
>>>>> There are one or more changes to the API.
>>>>> Either undo the API changes or update API.txt and increment the major version in VERSION.
>>>>> Makefile:159: recipe for target 'version-update' failed
>>>>> make: *** [version-update] Error 1
>>>>
>>>> Oops, seems like a missed API.txt update.
>>>>
>>>> Fixed.
>>>
>>> "ipa server-role-find" does not return the "IPA master" role for my server ("ipa-server-role $HOSTNAME 'IPA master'" does).
>>>
>> This is intentional since we discussed during the design phase[1] that "IPA master" role should be implicit and not shown to the user in server-show and server-role-find operation. This however does not preclude you from querying its status manually if you know the role name.
>>
>> [1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles

OK. There should be an option to get everything, though (can be added later, I guess).

>>
>>> I would rather skip the option altogether rather than hide it:
>>>
>>> +    # we do not want to test negative membership for roles
>>> +    # hide it from CLI
>>> +    elif option.name == 'no_servrole':
>>> +        option = option.clone(flags={'no_option'})
>>>
>> So something like:
>>
>>     elif option.name == 'no_servrole':
>>         continue
>>
>> should do the trick?

Correct.

>>> The patches need a rebase (VERSION).
>>>
>>> Otherwise LGTM.
>>>
>>
>> Ok I will send fixed patches ASAP.
>>
>
> Attaching rebased patches. 'no_servrole' option is now skipped and does not show in the API.

Good. ACK.

-- 
Jan Cholasta

From ftweedal at redhat.com Mon Jun 13 06:38:34 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 13 Jun 2016 16:38:34 +1000
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
In-Reply-To: <20160609144800.GD4744@dhcp-40-8.bne.redhat.com>
References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com>
Message-ID: <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com>

On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote:
> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote:
> > On 9.6.2016 11:10, Fraser Tweedale wrote:
> > > On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote:
> > > > On 9.6.2016 08:44, Fraser Tweedale wrote:
> > > > > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote:
> > > > > > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote:
> > > > > > > On 8.6.2016 05:15, Fraser Tweedale wrote:
> > > > > > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
> > > > > > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
> > > > > > > > > > Hi team,
> > > > > > > > > >
> > > > > > > > > > This patchset implements the 'ca' plugin for creating and managing lightweight sub-CAs, and updates the 'caacl' plugin and 'cert-request' command to support multiple CAs.
> > > > > > > > > >
> > > > > > > > > > A brief overview of the patches:
> > > > > > > > > >
> > > > > > > > > > 0059
> > > > > > > > > >   'ca' plugin, associated schema changes and container objects, Dogtag REST API wrapper
> > > > > > > > > > 0060
> > > > > > > > > >   Add CA entry for the IPA CA on install/upgrade
> > > > > > > > > > 0061
> > > > > > > > > >   Update 'caacl' plugin with CA support (including enforcement)
> > > > > > > > > > 0062
> > > > > > > > > >   Update ra.request_certificate() to support specifying target CA
> > > > > > > > > > 0063
> > > > > > > > > >   Add '--ca' option to 'cert-request' command
> > > > > > > > > > 0064
> > > > > > > > > >   Add '--issuer' option to 'cert-find' command
> > > > > > > > > >
> > > > > > > > > > These patches depend on other pending patches:
> > > > > > > > > >
> > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056
> > > > > > > > > >
> > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. Builds of Dogtag with the required patches, and of FreeIPA with all completed sub-CAs work, should be available from my COPR soon:
> > > > > > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
> > > > > > > > > >
> > > > > > > > > > Some parts of the design are not implemented in the current patchset, including:
> > > > > > > > > >
> > > > > > > > > > - local parent CA (ipaca object) references
> > > > > > > > > > - sub-CA certificate renewal
> > > > > > > > > > - 'cert-show' command '--ca=NAME' option
> > > > > > > > > > - certmonger support for specifying CA
> > > > > > > > > > - revocation of deleted CAs
> > > > > > > > > >
> > > > > > > > > > I look forward to your reviews!
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Fraser
> > > > > > > > > >
> > > > > > > > > Rebased and updated patches attached.
> > > > > > > > >
> > > > > > > > > Substantive changes:
> > > > > > > > >
> > > > > > > > > - add required attributes for issuer DN and subject DN
> > > > > > > > > - prevent rename of IPA CA
> > > > > > > > > - when adding IPA CA entry, contact Dogtag to learn authority id, issuer DN and subject DN
> > > > > > > > > - add 'read_ca' method to Dogtag interface
> > > > > > > > > - tighten ACIs to prevent modification of ipacaid attribute
> > > > > > > > >
> > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca option to cert-show and cert-find.
> > > > > > > >
> > > > > > > Patch 0059:
> > > > > > >
> > > > > > > 1) On upgrade, why is the lightweight CA container created twice - once in 41-subca.update, once using ensure_entry() call? It should be done only once.
> > > > > > >
> > > > > > I'll remove 41-subca.update; the routine in cainstance is the one that's needed.
> > > > > >
> > > > > > > 2) In ca_del, every CA specified in args[0] should be deleted, not just the first one.
> > > > > > >
> > > > > > > 3) Do not use NonFatalError, issue a warning instead:
> > > > > > >
> > > > > > >     self.add_message(MyNewWarningClass(name=...))
> > > > > > >
> > > > > > > 4) Can it actually happen that ca_show does not return ipacaid? I guess not, so you should be able to remove the check altogether and don't bother with the warning.
> > > > > > >
> > > > > > ipacaid is mandatory now, so I'll remove the check.
> > > > > >
> > > > > > > Patch 0060-0062: LGTM
> > > > > > >
> > > > > > Yippee \o/
> > > > > >
> > > > > > > Patch 0063:
> > > > > > >
> > > > > > > Could you please define the CA param as follows:
> > > > > > >
> > > > > > >     Str('cacn?',
> > > > > > >         cli_name='ca',
> > > > > > >         query=True,
> > > > > > >         label=_("CA"),
> > > > > > >         doc=_("CA to use"),
> > > > > > >     ),
> > > > > > >
> > > > > > > ?
> > > > > > >
> > > > > > > This is for consistency with framework-generated parent key params, which unfortunately we cannot leverage in cert_request currently.
> > > > > > >
> > > > > > No problemo.
> > > > > >
> > > > > > > Patch 0064:
> > > > > > >
> > > > > > > 1) See my comment for patch 0063, it applies here as well.
> > > > > > >
> > > > > > > 2) The --issuer option should not be included in cert_show - show commands are supposed to retrieve an object given primary key(s), and the primary key of CA objects is just their cn.
> > > > > > >
> > > > > > The --issuer argument is because the primary key for a cert is really (issuer, serial). So it shows the cert _with_ that issuer (and serial), not the cert _for_ that issuer.
> > > >
> > > > Correct, but in IPA the issuer is represented by the CA object, so in IPA the primary key for a certificate is actually (CA name, serial).
> > > >
> > > > Certificate lookup by issuer name and serial is actually a search operation, analogous to how CA lookup by subject name is also a search operation, so it should be done by cert-find.
> > > >
> > > OK, I will remove the --issuer option for cert-find.
> > >
> > > > > > > 3) In find commands, the options form a filter, so instead of raising MutuallyExclusiveError in cert-find, return an empty result, as with any other unmatched filter.
> > > > > > >
> > > > > > Here, --issuer and --ca are two different ways to specify the issuer. --issuer lets you give the issuer DN straight up; --ca takes the name of an IPA CA object and looks up its issuer DN. (Thus it makes no sense to give both options at once).
> > > >
> > > > That's one way to look at it, but it's true only if you assume that cert-find can only search certificates in Dogtag. This will very soon become untrue, as we will allow cert-find to also search certificates anywhere in LDAP (the server part of ticket #5381). There, the difference between the options would be that with --ca you search for certificates issued by the specified managed CA, but with --issuer you search for certificates with the given issuer name, be it managed CA or not.
> > > >
> > > --ca is just a "shorthand" for --issuer - it merely looks up subject DN of the specified CA, and uses that as the issuer option.
> > >
> > > > For now, IMO the correct behavior should be that if both are specified and the issuer name of the specified CA does not match the specified issuer name, empty result is returned, otherwise carry on with the search in Dogtag.
> > > >
> > > If I allow both, the behaviour will then be:
> > >
> > > specify issuer DN only)
> > >   search using given issuer DN
> > > specify CA only)
> > >   search using subject DN of specified CA. If no such CA, error.
> > > specify issuer DN and CA)
> > >   search using given issuer DN, and ensure that result (if any) matches subject DN of specified CA. If no such CA, error.
> > >
> > > I'm happy to implement this if you confirm that you think it's the correct behaviour.
> >
> > Looks correct to me.
> >
> Thanks; updated patches attached. Martin, this patch should also fix the upgrade issue.
>
> Cheers,
> Fraser
>
Another rebase to fix conflicts in VERSION file. No other changes.

-------------- next part --------------
From 4659e2a64d1d5906f9457d9c25387dea566b6b5b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Thu, 14 May 2015 01:46:06 -0400 Subject: [PATCH 59/63] Add 'ca' plugin This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 8 ++ API.txt | 64 +++++++++ VERSION | 4 +- install/conf/ipa-pki-proxy.conf | 4 +- install/share/60certificate-profiles.ldif | 4 + install/share/bootstrap-template.ldif | 6 + install/updates/41-lightweight-cas.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipaserver/install/cainstance.py | 7 + ipaserver/install/server/upgrade.py | 16 ++- ipaserver/plugins/ca.py | 217 ++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 54 +++++++- 13 files changed, 385 insertions(+), 6 deletions(-) create mode 100644 install/updates/41-lightweight-cas.update create mode 100644 ipaserver/plugins/ca.py diff --git a/ACI.txt b/ACI.txt index 6f691f2a7b01f834006e3c796c14c256ee87faa6..a26e2dd4bcf7c75b93d2f11cfd470beb17b18873 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example 
diff --git a/API.txt b/API.txt index 4247dd77c38fc17be8639a988049803d5b1f558f..eeda016b67e7df4cad8471c33e0254fe4200c22c 100644 --- a/API.txt +++ b/API.txt 
@@ -450,12 +450,76 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,7,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: DNParam('ipacasubjectdn', cli_name='subject') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,11,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: DNParam('ipacaissuerdn?', autofill=False, cli_name='issuer') +option: DNParam('ipacasubjectdn?', autofill=False, cli_name='subject') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') 
+option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 8945ae54888a21f6335389c26859ea2cb6353cd6..45bdeb816751cf4f4c553f90019ebd18152fa9a7 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=177 -# Last change: abbra - adtrust: remove nttrustpartner parameter +IPA_API_VERSION_MINOR=178 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..a87fe667d56768419dacf57103e347e88c945e2a 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -4,5 +4,9 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY 
description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f6ab35495ad7e9377404eb7a6b0bca26906f5421..da12ddf0ca887e8305402048ceed5d5b28816164 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -476,3 +476,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/install/updates/41-lightweight-cas.update b/install/updates/41-lightweight-cas.update new file mode 100644 index 0000000000000000000000000000000000000000..72313e2ab12ab520eb12ade404fb5b6dd55a9d71 --- /dev/null +++ b/install/updates/41-lightweight-cas.update @@ -0,0 +1,4 @@ +dn: cn=cas,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: cas diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fde69175caaee296577b8b990084e6f7619a8620..455fd209d171888dc94a7f708dc5fa1743f62bf4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -39,6 +39,7 @@ app_DATA = \ 40-otp.update \ 40-vault.update \ 41-caacl.update \ + 41-lightweight-cas.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 97dff1d805a4f77469882103ab63cdb0fa55a024..05ba1adbbf215680c9c23963fc8c90c4bfca4ce8 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,7 @@ DEFAULT_CONFIG = ( ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
@@ -265,3 +266,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index becb0b1728746bb2c432d08e92425ceb95bb261a..3e2576d058733c9859f4c5b003afdacf26408348 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1629,6 +1629,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: 
@@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..ee98f0a2a9dc469d67676a3123d82ce519ba6d59 --- /dev/null +++ b/ipaserver/plugins/ca.py 
@@ -0,0 +1,217 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipaserver.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipaserver.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = [ + 'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn', + ] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + DNParam('ipacasubjectdn', + cli_name='subject', + label=_('Subject DN'), + doc=_('Subject Distinguished Name'), + flags=['no_update'], + ), + DNParam('ipacaissuerdn', + cli_name='issuer', + label=_('Issuer DN'), + doc=_('Issuer Distinguished Name'), + flags=['no_create', 'no_update'], + ), + ) + + permission_filter_objectclasses 
= ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'ipacaissuerdn', + 'ipacasubjectdn', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + }, + 'replaces': [ + '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # check for name collision before creating CA in Dogtag + try: + api.Object.ca.get_dn_if_exists(keys[-1]) + self.obj.handle_duplicate_entry(*keys) + except errors.NotFound: + pass + + # Create the CA in Dogtag. + with self.api.Backend.ra_lightweight_ca as ca_api: + resp = ca_api.create_ca(options['ipacasubjectdn']) + entry['ipacaid'] = [resp['id']] + entry['ipacaissuerdn'] = [resp['issuerDN']] + + # In the event that the issued certificate's subject DN + # differs from what was requested, record the actual DN. + # + entry['ipacasubjectdn'] = [resp['dn']] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + + return dn + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + if 'rename' in options or 'cn' in entry_attrs: + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=u'IPA CA cannot be renamed') + + return dn diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c4dc4e8c3ea55a0e1b67870dfb8eee45af..20349b05f02c6e186275a822a487eb4733d75c7d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2073,7 +2073,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( @@ -2147,3 +2150,52 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + New CA is issued by IPA CA. Nested sub-CAs and unrelated + root CAs are not yet supported. + + Return the (parsed) JSON response from server. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def read_ca(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', ca_id, headers={'Accept': 'application/json'}) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From 5494f0acc70507f33f867a69dab76a95d1dcc4e7 Mon Sep 17 00:00:00 2001 
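Review bot: in the new `ipaserver/plugins/ca.py`, `ca_add.pre_callback` creates the authority in Dogtag (`resp = ca_api.create_ca(options['ipacasubjectdn'])`) before the LDAP add has run, so any failure of that add leaves an authority in Dogtag with no `ipaCa` entry referencing it; the `ldap.can_add(dn[1:])` pre-check and the `get_dn_if_exists` collision check narrow that window but a concurrent add of the same name can still win the race. Consider disabling and deleting the new authority in an `exc_callback`, or at least logging `resp['id']` so it can be cleaned up by hand. `ca_del.pre_callback` has the mirror-image ordering (`ca_api.disable_ca(ca_id)` and `ca_api.delete_ca(ca_id)` before the LDAP delete), which can leave an `ipaCa` entry whose `ipacaid` no longer exists in Dogtag. One more point worth a comment in the file: the `ProtectedEntryError` guards for `IPA_CA_CN` in `ca_del` and `ca_mod` are enforced only in the API layer, while the `System: Delete CA` and `System: Modify CA` ACIs target `cn=*,cn=cas,cn=ca,$SUFFIX`, so the `cn=ipa` entry is not protected against a direct LDAP delete or modrdn by a holder of the `CA Administrator` privilege.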
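Review bot: in the `ra_lightweight_ca` class added to `ipaserver/plugins/dogtag.py`, the bare `except:` around `json.loads(resp_body)` in both `create_ca` and `read_ca` catches every exception, not only a malformed body, and reports all of them as `RemoteRetrieveError(reason=_("Response from CA was not valid JSON"))`; narrow both to `except ValueError:`. Those two methods also never look at `status`, and `disable_ca`/`delete_ca` discard the `_ssldo` result altogether; if `_ssldo` is relied upon to raise on non-2xx responses, a one-line comment saying so would save the next reader from checking.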
From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/63] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 37 +++++++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 38 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3e2576d058733c9859f4c5b003afdacf26408348..c7f3116f62ce1158a04af23f29439c4a1d1a102f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -433,6 +433,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1900,6 +1901,42 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + + # find out authority id, issuer DN and subject DN of IPA CA + # + api.Backend.ra_lightweight_ca._read_password() + api.Backend.ra_lightweight_ca.override_port = 8443 + with api.Backend.ra_lightweight_ca as lwca: + data = lwca.read_ca('host-authority') + attrs = dict( + ipacaid=data['id'], + ipacaissuerdn=data['issuerDN'], + ipacasubjectdn=data['dn'], + ) + api.Backend.ra_lightweight_ca.override_port = None + + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + **attrs + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From 43c0c4106a7a6de2c06cc0cb75ec49f97695a654 Mon Sep 17 00:00:00 2001 
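Review bot: in PATCH 60/63, `ensure_ipa_authority_entry()` sets `api.Backend.ra_lightweight_ca.override_port = 8443` and resets it to `None` only after `lwca.read_ca('host-authority')` has returned, so if the REST call raises, the port override stays in effect for the rest of the process; put the lookup in a `try`/`finally`. The function also calls a private method, `api.Backend.ra_lightweight_ca._read_password()`, which ties it to backend internals; a public entry point (or a comment explaining why it is needed here) would be cleaner. Minor: `ipacaid`, `ipacaissuerdn` and `ipacasubjectdn` are passed to `ensure_entry` as bare strings while `cn` and `description` are passed as lists; be consistent unless `ensure_entry` is known to normalise both.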
From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/63] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 ++++++++++++-- VERSION | 4 +- ipaserver/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++--------------- ipaserver/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index eeda016b67e7df4cad8471c33e0254fe4200c22c..cc91dc318850052931e8692afb03405ea086306d 100644 --- a/API.txt +++ b/API.txt @@ -521,12 +521,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) @@ -538,6 +539,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') 
@@ -607,12 +619,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) @@ -628,13 +641,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) 
@@ -647,6 +661,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 45bdeb816751cf4f4c553f90019ebd18152fa9a7..3347046622821758d029c5db1923176715b6f312 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=178 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=179 +# Last change: ftweedal - update caacl plugin for lightweight CAs diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, 
@@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name @@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj 
@@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { @@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], 
@@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index cbb5382fb5217d92c65d4b215b497958a31e978c..ef53608ece00ca6951ddeab08e0915a596116fcf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -29,6 +29,7 @@ from ipalib import errors from ipalib import pkcs10 from ipalib import x509 from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -236,7 +237,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -320,7 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From fef7a8ade9f977eb09105b0118df3bfa378ea999 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/63] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipaserver/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ef53608ece00ca6951ddeab08e0915a596116fcf..8fccb76292b685033f8ebda347b51a4eb599d2bc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
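Review bot: in PATCH 61/63 (`ipaserver/plugins/caacl.py`, `_acl_make_rule`), `rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])` implements the compatibility rule from the commit message, but it is not limited to pre-upgrade ACLs: an ACL whose last CA member is removed with the new `caacl-remove-ca` command silently falls back to allowing the IPA CA instead of allowing no CA at all. That is a surprising result for an administrator who is trying to tighten an ACL, so it should be stated in the plugin docstring (the EXAMPLES block is a natural place); if the fallback is meant only for legacy entries, consider distinguishing "attribute absent" from "explicitly emptied" rather than keying on the member list alone.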
@@ -499,7 +499,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 20349b05f02c6e186275a822a487eb4733d75c7d..43aab92ffe6bba42d21135eb4f87cbde635f86e0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1554,10 +1554,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1586,13 +1588,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
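Review bot: in the dogtag.py request_certificate hunk `if ca_id:` treats an empty string the same as None, so a falsy authority ID silently submits the request without `authorityId`, i.e. to Dogtag's default CA, instead of failing. `if ca_id is not None:` matches the docstring ("``None`` is allowed") and turns a bogus empty ID into an error on the Dogtag side rather than a quiet fallback to the top-level CA.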
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 18acd708b250d136e6b56ff5f47bb1e2259174cf Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/63] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index cc91dc318850052931e8692afb03405ea086306d..189c89db6c88441fda71a8ce6ac11aec83daea9b 100644 --- a/API.txt +++ b/API.txt @@ -758,9 +758,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('cacn?', cli_name='ca') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index 3347046622821758d029c5db1923176715b6f312..a76be09c36e38ac314addeb06c467ed7f5046395 100644 --- a/VERSION +++ b/VERSION 
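Review bot: the rabase.py hunk inserts `ca_id` as a required positional parameter between `profile_id` and `request_type`, which silently changes the meaning of any existing caller that passed request_type positionally (that value would now land in ca_id). Giving it a keyword default, `ca_id=None`, in both rabase.py and dogtag.py keeps old call sites valid and matches the docstring's "``None`` is allowed".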
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=179 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=180 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 8fccb76292b685033f8ebda347b51a4eb599d2bc..63a051fabdcd89d430128d3f06f44f17b9e09a27 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -274,7 +274,13 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('cacn?', + cli_name='ca', + query=True, + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -321,7 +327,13 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) and look up authority ID. + # + ca = kw.get('cacn', IPA_CA_CN) + ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -499,7 +511,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From bd638829e0f7c8b3fa58d6760f87d1195c86d2fa Mon Sep 17 00:00:00 2001 
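Review bot: in the cert_request hunk the CA is resolved with `api.Command.ca_show(ca)` before CA ACL enforcement. As the comment says, this gives a clearer NotFound for a bad name, but it also means the outcome depends on the caller's read access to the CA entry, and a caller learns whether a CA name exists before the ACL has decided whether they may use it; that trade-off is worth recording in the commit message. Also s/nonexistant/nonexistent/ in the new comment.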
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH] Add issuer options to cert-show and cert-find Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 7 +++++-- VERSION | 4 ++-- ipaserver/plugins/cert.py | 47 +++++++++++++++++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 9 +++++++++ 4 files changed, 63 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 189c89db6c88441fda71a8ce6ac11aec83daea9b..ba9d050a5576fbb3459f7e45d88e39fd288fb6eb 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,19,4 option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cacn?', autofill=False, cli_name='ca') option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -774,8 +776,9 @@ option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') command: cert_show -args: 1,2,1 +args: 1,3,1 arg: Str('serial_number') +option: Str('cacn?', autofill=False, cli_name='ca') option: Str('out?') option: Str('version?') output: Output('result') diff --git a/VERSION b/VERSION index a76be09c36e38ac314addeb06c467ed7f5046395..046c30f5b6a5b52be9e42a5d6f13fe532d35cdca 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=180 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=181 +# Last change: ftweedal - add issuer options to cert-show and cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63a051fabdcd89d430128d3f06f44f17b9e09a27..171d08b9df6537e1e0422e461c56e6a170fb820d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -610,6 +610,13 @@ class cert_show(VirtualCommand): ) takes_options = ( + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), @@ -631,8 +638,24 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)s " + "issued by CA '%(ca)s' not found") + % dict(serial=serial_number, ca=options['cacn'])) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
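Review bot: in the cert_show takes_options hunk the doc string reads `doc=_('Name of issing CA')`; it should be 'Name of issuing CA'. This is user-visible, translatable help text, so the typo would otherwise propagate into the message catalogs.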
@@ -734,6 +757,18 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -818,6 +853,18 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + ca_sdn = unicode(ca_obj['ipacasubjectdn'][0]) + if 'issuer' in options: + if DN(ca_sdn) != DN(options['issuer']): + # client has provided both 'ca' and 'issuer' but + # issuer DNs don't match; result must be empty + return dict(result=[], count=0, truncated=False) + else: + options['issuer'] = ca_sdn + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 From jcholast at redhat.com Mon Jun 13 06:59:43 2016 
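Review bot: in the cert_find takes_options hunk the same 'Name of issing CA' typo appears in the cacn option and should read 'Name of issuing CA'. In the cert_find.execute hunk the early `return dict(result=[], count=0, truncated=False)` skips the rest of execute; please confirm that dict carries exactly the keys the normal return path ends up with (the visible code starts from `ret = dict(result=self.Backend.ra.find(options))`), so clients see a uniform result shape for a mismatching --ca/--issuer pair.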
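Review bot: in the dogtag.py hunk that parses IssuerDN the guard tests the wrong variable: `issuer_dn = cert.xpath('IssuerDN')` is followed by `if len(dn) == 1:`, which checks the SubjectDN result from the lines above. A record with a SubjectDN but no IssuerDN element would raise IndexError on `issuer_dn[0]`, and a record with an IssuerDN but no SubjectDN would silently lose its issuer. It should be `if len(issuer_dn) == 1:`.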
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 13 Jun 2016 08:59:43 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> Message-ID: <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> On 13.6.2016 08:38, Fraser Tweedale wrote: > On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote: >> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: >>> On 9.6.2016 11:10, Fraser Tweedale wrote: >>>> On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: >>>>> On 9.6.2016 08:44, Fraser Tweedale wrote: >>>>>> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >>>>>>> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>>>>>>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>>>>>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>>>>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>>>>>>> Hi team, >>>>>>>>>>> >>>>>>>>>>> This patchset implements the 'ca' plugin for creating and managing >>>>>>>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>>>>>>> 'cert-request' command to support multiple CAs. 
>>>>>>>>>>> >>>>>>>>>>> A brief overview of the patches: >>>>>>>>>>> >>>>>>>>>>> 0059 >>>>>>>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>>>>>>> Dogtag REST API wrapper >>>>>>>>>>> 0060 >>>>>>>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>>>>>>> 0061 >>>>>>>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>>>>>>> 0062 >>>>>>>>>>> Update ra.request_certificate() to support specifying target CA >>>>>>>>>>> 0063 >>>>>>>>>>> Add '--ca' option to 'cert-request' command >>>>>>>>>>> 0064 >>>>>>>>>>> Add '--issuer' option to 'cert-find' command >>>>>>>>>>> >>>>>>>>>>> These patches depend on other pending patches: >>>>>>>>>>> >>>>>>>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>>>>>>> >>>>>>>>>>> Signing key replication depends on unmerged Dogtag patches. Builds >>>>>>>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>>>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>>>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>>>>>>> >>>>>>>>>>> Some parts of the design are not implemented in the current >>>>>>>>>>> patchset, including: >>>>>>>>>>> >>>>>>>>>>> - local parent CA (ipaca object) references >>>>>>>>>>> - sub-CA certificate renewal >>>>>>>>>>> - 'cert-show' command '--ca=NAME' option >>>>>>>>>>> - certmonger support for specifying CA >>>>>>>>>>> - revocation of deleted CAs >>>>>>>>>>> >>>>>>>>>>> I look forward to your reviews! >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> Fraser >>>>>>>>>>> >>>>>>>>>> Rebased and updated patches attached. 
>>>>>>>>>> >>>>>>>>>> Substantive changes: >>>>>>>>>> >>>>>>>>>> - add required attributes for issuer DN and subject DN >>>>>>>>>> - prevent rename of IPA CA >>>>>>>>>> - when adding IPA CA entry, contact Dogtag to learn authority id, >>>>>>>>>> issuer DN and subject DN >>>>>>>>>> - add 'read_ca' method to Dogtag interface >>>>>>>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>>>>>>> >>>>>>>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>>>>>>> option to cert-show and cert-find. >>>>>>>> >>>>>>>> Patch 0059: >>>>>>>> >>>>>>>> 1) On upgrade, why is the lightweight CA container created twice - once in >>>>>>>> 41-subca.update, once using ensure_entry() call? It should be done only >>>>>>>> once. >>>>>>>> >>>>>>> I'll remove 41-subca.update; the routine in cainstance is the one >>>>>>> that's needed. >>>>>>> >>>>>>>> 2) In ca_del, every CA specified in args[0] should be deleted, not just the >>>>>>>> first one. >>>>>>>> >>>>>>>> 3) Do not use NonFatalError, issue a warning instead: >>>>>>>> >>>>>>>> self.add_message(MyNewWarningClass(name=...)) >>>>>>>> >>>>>>>> 4) Can it actually happen that ca_show does not return ipacaid? I guess not, >>>>>>>> so you should be able to remove the check altogether and don't bother with >>>>>>>> the warning. >>>>>>>> >>>>>>> ipacaid is mandatory now, so I'll remove the check. >>>>>>> >>>>>>>> >>>>>>>> Patch 0060-0062: LGTM >>>>>>>> >>>>>>> Yippee \o/ >>>>>>> >>>>>>>> >>>>>>>> Patch 0063: >>>>>>>> >>>>>>>> Could you please define the CA param as follows: >>>>>>>> >>>>>>>> Str('cacn?', >>>>>>>> cli_name='ca', >>>>>>>> query=True, >>>>>>>> label=_("CA"), >>>>>>>> doc=_("CA to use"), >>>>>>>> ), >>>>>>>> >>>>>>>> ? >>>>>>>> >>>>>>>> This is for consistency with framework-generated parent key params, which >>>>>>>> unfortunately we cannot leverage in cert_request currently. >>>>>>>> >>>>>>> No problemo. 
>>>>>>> >>>>>>>> >>>>>>>> Patch 0064: >>>>>>>> >>>>>>>> 1) See my comment for patch 0063, it applies here as well. >>>>>>>> >>>>>>>> 2) The --issuer option should not be included in cert_show - show commands >>>>>>>> are supposed to retrieve an object given primary key(s), and the primary key >>>>>>>> of CA objects is just their cn. >>>>>>>> >>>>>>> The --issuer argument is because primary key for a cert is really >>>>>>> (issuer, serial). So it shows the cert _with_ that issuer (and >>>>>>> serial), not the cert _for_ that issuer. >>>>> >>>>> Correct, but in IPA the issuer is represented by the CA object, so in IPA >>>>> the primary key for a certificate is actually (CA name, serial). >>>>> >>>>> Certificate lookup by issuer name and serial is actually a search operation, >>>>> analogous to how CA lookup by subject name is also a search operation, so >>>>> it should be done by cert-find. >>>>> >>>> OK, I will remove the --issuer option for cert-find. >>>> >>>>>>> >>>>>>>> 3) In find commands, the options form a filter, so instead of raising >>>>>>>> MutuallyExclusiveError in cert-find, return an empty result, as with any >>>>>>>> other unmatched filter. >>>>>>>> >>>>>>> Here, --issuer and --ca are two different ways to specify the >>>>>>> issuer. --issuer lets you give the issuer DN straight up; --ca >>>>>>> takes the name of an IPA CA object and looks up its issuer DN. >>>>>>> (Thus it makes no sense to give both options at once). >>>>> >>>>> That's one way to look at it, but it's true only if you assume that >>>>> cert-find can only search certificates in Dogtag. This will very soon become >>>>> untrue, as we will allow cert-find to also search certificates anywhere in >>>>> LDAP (the server part of ticket #5381). There, the difference between the >>>>> options would be that with --ca you search for certificates issued by the >>>>> specified managed CA, but with --issuer you search for certificates with the >>>>> given issuer name, be it managed CA or not. 
>>>>> >>>> --ca is just a "shorthand" for --issuer - it merely looks up subject >>>> DN of the specified CA, and uses that as the issuer option. >>>> >>>>> For now, IMO the correct behavior should be that if both are specified and >>>>> the issuer name of the specified CA does not match the specified issuer >>>>> name, empty result is returned, otherwise carry on with the search in >>>>> Dogtag. >>>>> >>>> If I allow both, the behaviour will then be: >>>> >>>> specify issuer DN only) >>>> search using given issuer DN >>>> specify CA only) >>>> search using subject DN of specified CA. If no such CA, error. >>>> specify issuer DN and CA) >>>> search using given issuer DN, and ensure that result (if any) >>>> matches subject DN of specified CA. If no such CA, error. >>>> >>>> I'm happy to implement this if you confirm that you think it's the >>>> correct behaviour. >>> >>> Looks correct to me. >>> >> Thanks; updated patches attached. Martin, this patch should also >> fix the upgrade issue. >> >> Cheers, >> Fraser >> > Another rebase to fix conflicts in VERSION file. No other changes. Thanks. The remaining cert commands (status, revoke, remove-hold) should also have the cacn option consistent with cert-show. This can be added in further patch, though. I think it would make sense if the cn argument in ca commands was optional, with the default being 'ipa'. This can also be done later. So LGTM. If Martin agrees, we can push this patch set. -- Jan Cholasta From lslebodn at redhat.com Mon Jun 13 07:33:32 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 13 Jun 2016 09:33:32 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> References: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> Message-ID: <20160613073331.GA3591@10.4.128.1> On (09/06/16 12:32), Martin Basti wrote: > > >On 07.06.2016 12:51, Martin Babinsky wrote: >> On 06/01/2016 05:10 PM, Martin Basti wrote: >> > Patch attached. >> > >> ACK >> >Pushed to ipa-4-3: 22fcf65cd1b674b21496b677818a8c75adcd70a6 > I am not sure, but it's very likely that this patch broke the build in the ipa-4-3 branch. //snip /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h '/home/user/workspace/freeipa/rpmbuild/BUILDROOT/freeipa-4.3.1-20160611121012Zjenkins7git262054a.fc24.x86_64.' make[4]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' make[3]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' make[3]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' make[4]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' make[4]: Nothing to be done for 'install-exec-am'. make[4]: Nothing to be done for 'install-data-am'. 
make[4]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' make[3]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' make[2]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' cd install/po && make install || exit 1; make[2]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' Merging ipa.pot into bn_IN.po .......................................................................................................................................................................................................................................................................................................................... done. Creating bn_IN.mo Merging ipa.pot into de.po .......................................................................................................................................................................................................................................................................................................................... done. Creating de.mo de.po:1056: 'msgid' and 'msgstr' entries do not both begin with '\n' de.po:12101: 'msgid' and 'msgstr' entries do not both begin with '\n' /usr/bin/msgfmt: found 4 fatal errors Makefile:88: recipe for target 'de.mo' failed make[2]: *** [de.mo] Error 1 make[2]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' Makefile:115: recipe for target 'client-install' failed make[1]: *** [client-install] Error 1 make[1]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1' error: Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) Makefile:258: recipe for target 'rpms' failed make: *** [rpms] Error 1 Build step 'Execute shell' marked build as failure LS From pspacek at redhat.com Mon Jun 13 07:56:55 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Jun 2016 09:56:55 +0200 Subject: [Freeipa-devel] [PATCH 0413-0416] Support fake_mname option in per-server configuration in LDAP In-Reply-To: <4d3bdecd-9222-8040-58fa-87a6ad58af47@redhat.com> References: <4d3bdecd-9222-8040-58fa-87a6ad58af47@redhat.com> Message-ID: <98d386ec-9dbb-de60-cf5d-68902afd6812@redhat.com> On 11.6.2016 20:36, Petr Spacek wrote: > Hello, > > Support fake_mname option in per-server configuration in LDAP. > > https://fedorahosted.org/bind-dyndb-ldap/ticket/162 > > > Patch set contains necessary infrastructure changes so the configuration is > read before zone loading starts. This version fixes a crash which could be triggered by a failure in the second syncrepl session. (I.e. config sync succeeded but data sync failed.) -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0413-2-Do-not-log-connection-to-the-LDAP-server-was-lost-on.patch Type: text/x-patch Size: 1135 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0414-2-Refactor-LDAP-SyncRepl-connection-handling-to-make-i.patch Type: text/x-patch Size: 9257 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0415-2-Read-configuration-from-LDAP-first-to-guarantee-its-.patch Type: text/x-patch Size: 15248 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0416-2-Support-fake_mname-option-in-per-server-configuratio.patch Type: text/x-patch Size: 1914 bytes Desc: not available URL: From lkrispen at redhat.com Mon Jun 13 08:04:21 2016 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Mon, 13 Jun 2016 10:04:21 +0200 Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host In-Reply-To: <575AE325.6030605@redhat.com> References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com> <575AE325.6030605@redhat.com> Message-ID: <575E6905.8020204@redhat.com> revised patch (v2) attached: changed log level; fixed order of statements in freeing host list On 06/10/2016 05:56 PM, Ludwig Krispenz wrote: > > On 06/10/2016 05:41 PM, thierry bordaz wrote: >> >> >> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote: >>> >>> On 06/10/2016 04:44 PM, thierry bordaz wrote: >>>> Hi Ludwig, >>>> >>>> I agree with you there is no path to add a host with an empty hostname. >>>> Your fix looks valid but I would prefer a log in FATAL rather than in PLUGIN. >>> yes, of course that was my intention, copy paste :-) >>>> >>>> Also I wonder if a reason of empty hostname could be a >>>> slapi_ch_free on it but with the host remaining in the list. >>>> Looking at >>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852, >>>> I wonder if the two lines 852 and 853 could lead to this situation. >>> but this frees the complete replica structure tconf and in the >>> caller tconf is set to null, so should never be used again. >> >> Yes you are right, it cannot lead to an empty hostname in tconf. >> However I think it can leak because host will be set to 0 at the end >> of the first iteration. > yes, line 852 and 853 should be switched >> >> Another possibility is that in >> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449| >> ipa_topo_util_init_hosts, 'cn' has an empty value. newhost is not >> null but empty, so we may create an empty hostname. 
>> | >>>> >>>> thanks >>>> thierry >>>> >>>> >>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote: >>>>> Hi, >>>>> the attached patch will prevent the crash reported in ticket #5928. >>>>> >>>>> So far I do not understand how this situation can occur, there is >>>>> no reproducer yet. I do not really like this fix as it hides a >>>>> probable corrupted data structure and would prefer to find the >>>>> root cause. >>>>> >>>>> But please review it, so we can commit it if there is no progress >>>>> on the root cause. >>>>> >>>>> Ludwig >>>>> >>>> >>> >> > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-lkrispen-0023-v2-avoid-crash-in-topology-plugin-when-host-list-con.patch Type: text/x-patch Size: 1907 bytes Desc: not available URL: From pvoborni at redhat.com Mon Jun 13 08:15:00 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 13 Jun 2016 10:15:00 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <6ff1556f-965c-e78b-c0ed-1e0fbf2cedb4@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <6ff1556f-965c-e78b-c0ed-1e0fbf2cedb4@redhat.com> Message-ID: On 06/10/2016 06:31 PM, Stanislav Laznicka wrote: > On 06/08/2016 02:06 PM, Florence Blanc-Renaud wrote: >> On 06/08/2016 10:07 AM, Petr Spacek wrote: >>> On 7.6.2016 15:11, Stanislav Laznicka wrote: >>>> Hello, >>>> >>>> Thank you for your patch. As the thin-client patches were pushed in the >>>> meantime, the patch won't apply. Could you please send a rebased version? >>>> >>>> Also, I have a few comments on the patch: >>>> >>>> 1) I think that the commit message should be rather a brief conclusion to the >>>> changes made in the commit. This could help for faster orientation in the >>>> changes that were made to a certain part of code should you be searching for a >>>> bug introduced by a commit. Should some more info be required, it can be added >>>> to the ticket. Could you therefore shorten the commit message? >>> (My personal opinion, no golden standard.) >>> >>> Honestly I disagree with Standa. Yes, the commit message seems to be a bit >>> long but *tickets* are not the best place to put *technical* information into. >>> >>> Tickets are a planning tool but keep in mind that Trac may/will vanish one day >>> and all we will have will be the (Git?) repo. >>> >>> I would recommend putting the comment about expected input format into code >>> comments somewhere around batch command definition. >>> >>> This would reduce commit message (roughly, the text needs to be adapted) to >>> part starting 'The code did not check the format of ' ... which is perfectly >>> reasonable description of the change. 
>>> >>> IMHO. >>> Petr^2 Spacek >>> >>> >>>> 2) Please do not add the tickets to comments in the code. You can use git >>>> blame -L or git log -L to see in which commits the changes were introduced to >>>> a certain part of a file; these commits should include the ticket number if >>>> more info is needed. >>>> >>>> Standa >>>> >>>> >>>> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>>>> Hi all, >>>>> >>>>> the following patch checks the format of parameters passed to a method >>>>> called through the batch command. I picked the ConversionError for invalid >>>>> parameters format but this choice can be discussed if you have better >>>>> suggestions... >>>>> >>>>> Fixes: https://fedorahosted.org/freeipa/ticket/5810 >>>>> -- >>>>> Florence Blanc-Renaud >>>>> Identity Management Team, Red Hat >>>>> >>>>> >>>> >>>> >> Hi, >> >> please find an updated patch version with a less verbose commit msg. I also >> removed the reference to ticket # in the code. >> >> Flo. >> >> > Hello, > > Thank you for your updated patch. I have just one small issue that maybe exceeds > the scope of this ticket. If the check for dictionary instance in list: > > + if not isinstance(arg, dict): > + raise errors.ConversionError( > + name='methods', > + error=_(u'must contain dict objects')) > > fails at a further member of the list, by raising an exception, you will lose > information about execution of all the previous commands but these were already > executed. This hasn't seemed to be an issue until now so I wonder if it is a > problem or not. Right, this is something that we will need to address but not in the scope of this ticket and probably not in the 4.4 release. > > So far, batch commands have only been utilized in the WebUI so I am adding Petr > for opinions on how to handle this properly so that WebUI could react to it > should it ever happen (although AFAIK this should never happen for batch > commands called from the UI). 
Web UI doesn't care because it sends it correctly :) The bug is trying to use the batch command while talking directly to the API, e.g. for performance reasons. > > Standa > -- Petr Vobornik

From pvomacka at redhat.com Mon Jun 13 08:48:47 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 13 Jun 2016 10:48:47 +0200 Subject: [Freeipa-devel] [PATCH] 0048-50: webui: extend topology graph functionality Message-ID: <7269e62e-a2bb-4082-5248-c580403a0719@redhat.com>
Hello, please review the attached patches, which extend the topology graph functionality. The first two add the possibility to create an agreement using the mouse, and the third one adds an 'Autogenerated' placeholder. 0047,48: https://fedorahosted.org/freeipa/ticket/5648 0050: https://fedorahosted.org/freeipa/ticket/5867 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0048-Add-creating-a-segment-using-mouse.patch Type: text/x-patch Size: 18630 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0049-Add-listener-which-opens-add-segment-dialog.patch Type: text/x-patch Size: 7266 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0050-Add-placeholder-to-add-segment-dialog.patch Type: text/x-patch Size: 2409 bytes Desc: not available URL:

From mbasti at redhat.com Mon Jun 13 09:48:04 2016
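The batch-command thread above (Florence Blanc-Renaud's format check and Stanislav Laznicka's remark that a malformed later entry discards the results of commands that already ran) describes the problem but not an execution order that avoids it. The following is an added example, not FreeIPA's batch plugin and not part of any message in this thread; the `ConversionError` class, the `REGISTRY` of commands, the `CALLS` log and the `[args, options]` parameter shape are assumptions of the example. It validates the whole `methods` list before running anything, so a malformed entry is rejected with nothing executed, and records a failing command's error in its own result slot instead of raising out of the loop:

```python
# Added example, not FreeIPA code: validate a whole batch request before
# executing any of its entries. ConversionError, REGISTRY, CALLS and the
# [args, options] parameter shape are assumptions of this example.


class ConversionError(ValueError):
    """Stands in for ipalib.errors.ConversionError (assumption)."""

    def __init__(self, name, error):
        super().__init__(f"invalid '{name}': {error}")
        self.name = name
        self.error = error


CALLS = []  # records every command that actually ran, so partial execution is visible


def echo(*args, **options):
    CALLS.append(("echo", args, options))
    return {"args": list(args), "options": options}


def fail(*args, **options):
    CALLS.append(("fail", args, options))
    raise RuntimeError("simulated command failure")


REGISTRY = {"echo": echo, "fail": fail}  # hypothetical command table


def validate_batch(methods):
    """Reject the request on the first malformed entry, before anything runs."""
    if not isinstance(methods, list):
        raise ConversionError("methods", "must be a list")
    for idx, entry in enumerate(methods):
        where = f"entry {idx}"
        if not isinstance(entry, dict):
            raise ConversionError("methods", f"{where}: must contain dict objects")
        method = entry.get("method")
        if not isinstance(method, str) or method not in REGISTRY:
            raise ConversionError("methods", f"{where}: unknown or missing 'method'")
        params = entry.get("params", [[], {}])
        # Expected shape: [positional argument list, keyword option dict]
        if (not isinstance(params, list) or len(params) != 2
                or not isinstance(params[0], list)
                or not isinstance(params[1], dict)
                or not all(isinstance(key, str) for key in params[1])):
            raise ConversionError("methods", f"{where}: 'params' must be [list, dict]")


def run_batch(methods):
    """Validate everything first; then run each entry and keep every result."""
    validate_batch(methods)
    results = []
    for entry in methods:
        args, options = entry.get("params", [[], {}])
        try:
            result = REGISTRY[entry["method"]](*args, **options)
            results.append({"error": None, "result": result})
        except Exception as exc:
            # A failing command is reported in its own slot; the batch continues
            # and the results of the commands before it are not lost.
            results.append({"error": f"{type(exc).__name__}: {exc}", "result": None})
    return results
```

The `CALLS` list exists only so that a caller can confirm nothing ran when validation fails; a real server would not keep it.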
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 11:48:04 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: <20160613073331.GA3591@10.4.128.1> References: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> <20160613073331.GA3591@10.4.128.1> Message-ID: <5dbb5c58-38d7-103e-3d78-9ace2f8d5b66@redhat.com> On 13.06.2016 09:33, Lukas Slebodnik wrote: > On (09/06/16 12:32), Martin Basti wrote: >> >> On 07.06.2016 12:51, Martin Babinsky wrote: >>> On 06/01/2016 05:10 PM, Martin Basti wrote: >>>> Patch attached. >>>> >>> ACK >>> >> Pushed to ipa-4-3: 22fcf65cd1b674b21496b677818a8c75adcd70a6 >> > I am not sure but it's very likely that this patch broke build > in ipa-4-3 branch. > > //snip > /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h '/home/user/workspace/freeipa/rpmbuild/BUILDROOT/freeipa-4.3.1-20160611121012Zjenkins7git262054a.fc24.x86_64.' > make[4]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' > make[3]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' > make[3]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' > make[4]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' > make[4]: Nothing to be done for 'install-exec-am'. > make[4]: Nothing to be done for 'install-data-am'. 
> make[4]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' > make[3]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' > make[2]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' > cd install/po && make install || exit 1; > make[2]: Entering directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' > Merging ipa.pot into bn_IN.po > .......................................................................................................................................................................................................................................................................................................................... done. > Creating bn_IN.mo > Merging ipa.pot into de.po > .......................................................................................................................................................................................................................................................................................................................... done. 
> Creating de.mo > de.po:1056: 'msgid' and 'msgstr' entries do not both begin with '\n' > de.po:12101: 'msgid' and 'msgstr' entries do not both begin with '\n' > /usr/bin/msgfmt: found 4 fatal errors > Makefile:88: recipe for target 'de.mo' failed > make[2]: *** [de.mo] Error 1 > make[2]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' > Makefile:115: recipe for target 'client-install' failed > make[1]: *** [client-install] Error 1 > make[1]: Leaving directory '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1' > error: Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) > > > RPM build errors: > Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) > Makefile:258: recipe for target 'rpms' failed > make: *** [rpms] Error 1 > Build step 'Execute shell' marked build as failure > > LS
Thank you for reporting this. Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4.3-mbasti-0502-Translations-update-ipa-4-3-translations.patch Type: text/x-patch Size: 39514 bytes Desc: not available URL:

From pvomacka at redhat.com Mon Jun 13 10:00:04 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 13 Jun 2016 12:00:04 +0200 Subject: [Freeipa-devel] [PATCH] 0051: webui: correct jslint warning Message-ID: <23e9c41b-d20d-5701-43f8-27d39937d9af@redhat.com>
Hello, I forgot to run jslint during the last review and there was one warning, so this patch fixes it. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0051-Correct-a-jslint-warning.patch Type: text/x-patch Size: 975 bytes Desc: not available URL:

From pvomacka at redhat.com Mon Jun 13 10:20:39 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 13 Jun 2016 12:20:39 +0200 Subject: [Freeipa-devel] [PATCH] 0051: webui: correct jslint warning In-Reply-To: <23e9c41b-d20d-5701-43f8-27d39937d9af@redhat.com> References: <23e9c41b-d20d-5701-43f8-27d39937d9af@redhat.com> Message-ID: <99fea8d1-2e64-f73c-9363-43acb888e4f1@redhat.com> On 06/13/2016 12:00 PM, Pavel Vomacka wrote: > Hello, > > I forgot to run jslint during the last review and there was one > warning, so this patch fixes it. > > -- > Pavel^3 Vomacka > > Added ticket to the commit message. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0051-Correct-a-jslint-warning.patch Type: text/x-patch Size: 1021 bytes Desc: not available URL: From mbabinsk at redhat.com Mon Jun 13 10:25:51 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 13 Jun 2016 12:25:51 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: <5dbb5c58-38d7-103e-3d78-9ace2f8d5b66@redhat.com> References: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> <20160613073331.GA3591@10.4.128.1> <5dbb5c58-38d7-103e-3d78-9ace2f8d5b66@redhat.com> Message-ID: On 06/13/2016 11:48 AM, Martin Basti wrote: > > > On 13.06.2016 09:33, Lukas Slebodnik wrote: >> On (09/06/16 12:32), Martin Basti wrote: >>> >>> On 07.06.2016 12:51, Martin Babinsky wrote: >>>> On 06/01/2016 05:10 PM, Martin Basti wrote: >>>>> Patch attached. >>>>> >>>> ACK >>>> >>> Pushed to ipa-4-3: 22fcf65cd1b674b21496b677818a8c75adcd70a6 >>> >> I am not sure but it's very likely that this patch broke build >> in ipa-4-3 branch. >> >> //snip >> /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h >> GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h >> '/home/user/workspace/freeipa/rpmbuild/BUILDROOT/freeipa-4.3.1-20160611121012Zjenkins7git262054a.fc24.x86_64.' >> >> make[4]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' >> make[3]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' >> make[3]: Entering directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >> make[4]: Entering directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >> make[4]: Nothing to be done for 'install-exec-am'. >> make[4]: Nothing to be done for 'install-data-am'. 
>> make[4]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >> make[3]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >> make[2]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >> cd install/po && make install || exit 1; >> make[2]: Entering directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' >> Merging ipa.pot into bn_IN.po >> .......................................................................................................................................................................................................................................................................................................................... >> done. >> Creating bn_IN.mo >> Merging ipa.pot into de.po >> .......................................................................................................................................................................................................................................................................................................................... >> done. 
>> Creating de.mo >> de.po:1056: 'msgid' and 'msgstr' entries do not both begin with '\n' >> de.po:12101: 'msgid' and 'msgstr' entries do not both begin with '\n' >> /usr/bin/msgfmt: found 4 fatal errors >> Makefile:88: recipe for target 'de.mo' failed >> make[2]: *** [de.mo] Error 1 >> make[2]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' >> Makefile:115: recipe for target 'client-install' failed >> make[1]: *** [client-install] Error 1 >> make[1]: Leaving directory >> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1' >> error: Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) >> >> >> RPM build errors: >> Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) >> Makefile:258: recipe for target 'rpms' failed >> make: *** [rpms] Error 1 >> Build step 'Execute shell' marked build as failure >> >> LS > > > Thank you for reporting this > > Patch attached > > This patch fixes build of 4-3 branch for me. ACK. -- Martin^3 Babinsky From mbasti at redhat.com Mon Jun 13 10:33:41 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 12:33:41 +0200 Subject: [Freeipa-devel] [PATCH 0492] Translations: update ipa-4-3 translations In-Reply-To: References: <360280f1-4e72-7dd0-a6b9-7aba6f274cb6@redhat.com> <236e4cce-d7e6-1729-f41c-0c526ee744d5@redhat.com> <20160613073331.GA3591@10.4.128.1> <5dbb5c58-38d7-103e-3d78-9ace2f8d5b66@redhat.com> Message-ID: On 13.06.2016 12:25, Martin Babinsky wrote: > On 06/13/2016 11:48 AM, Martin Basti wrote: >> >> >> On 13.06.2016 09:33, Lukas Slebodnik wrote: >>> On (09/06/16 12:32), Martin Basti wrote: >>>> >>>> On 07.06.2016 12:51, Martin Babinsky wrote: >>>>> On 06/01/2016 05:10 PM, Martin Basti wrote: >>>>>> Patch attached. >>>>>> >>>>> ACK >>>>> >>>> Pushed to ipa-4-3: 22fcf65cd1b674b21496b677818a8c75adcd70a6 >>>> >>> I am not sure but it's very likely that this patch broke build >>> in ipa-4-3 branch. >>> >>> //snip >>> /usr/bin/install -c -m 644 Int32.h GetKeytabControl.h GKNewKeys.h >>> GKCurrentKeys.h GKReply.h KrbKey.h TypeValuePair.h >>> '/home/user/workspace/freeipa/rpmbuild/BUILDROOT/freeipa-4.3.1-20160611121012Zjenkins7git262054a.fc24.x86_64.' >>> >>> >>> make[4]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' >>> make[3]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1/asn1c' >>> make[3]: Entering directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >>> make[4]: Entering directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >>> make[4]: Nothing to be done for 'install-exec-am'. >>> make[4]: Nothing to be done for 'install-data-am'. 
>>> make[4]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >>> make[3]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >>> make[2]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/asn1' >>> cd install/po && make install || exit 1; >>> make[2]: Entering directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' >>> Merging ipa.pot into bn_IN.po >>> .......................................................................................................................................................................................................................................................................................................................... >>> >>> done. >>> Creating bn_IN.mo >>> Merging ipa.pot into de.po >>> .......................................................................................................................................................................................................................................................................................................................... >>> >>> done. 
>>> Creating de.mo >>> de.po:1056: 'msgid' and 'msgstr' entries do not both begin with '\n' >>> de.po:12101: 'msgid' and 'msgstr' entries do not both begin with '\n' >>> /usr/bin/msgfmt: found 4 fatal errors >>> Makefile:88: recipe for target 'de.mo' failed >>> make[2]: *** [de.mo] Error 1 >>> make[2]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1/install/po' >>> Makefile:115: recipe for target 'client-install' failed >>> make[1]: *** [client-install] Error 1 >>> make[1]: Leaving directory >>> '/home/user/workspace/freeipa/rpmbuild/BUILD/freeipa-4.3.1' >>> error: Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) >>> >>> >>> RPM build errors: >>> Bad exit status from /var/tmp/rpm-tmp.YUcPEp (%install) >>> Makefile:258: recipe for target 'rpms' failed >>> make: *** [rpms] Error 1 >>> Build step 'Execute shell' marked build as failure >>> >>> LS >> >> >> Thank you for reporting this >> >> Patch attached >> >> > > This patch fixes build of 4-3 branch for me. > > ACK. > Pushed to ipa-4-3: e6eff13e0884c91d0e1516e1eeff5c2bbf28475c From mbabinsk at redhat.com Mon Jun 13 10:48:18 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 13 Jun 2016 12:48:18 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> Message-ID: <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> On 06/13/2016 08:59 AM, Jan Cholasta wrote: > On 13.6.2016 08:38, Fraser Tweedale wrote: >> On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote: >>> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: >>>> On 9.6.2016 11:10, Fraser Tweedale wrote: >>>>> On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: >>>>>> On 9.6.2016 08:44, Fraser Tweedale wrote: >>>>>>> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >>>>>>>> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>>>>>>>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>>>>>>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>>>>>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>>>>>>>> Hi team, >>>>>>>>>>>> >>>>>>>>>>>> This patchset implements the 'ca' plugin for creating and >>>>>>>>>>>> managing >>>>>>>>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>>>>>>>> 'cert-request' command to support multiple CAs. 
>>>>>>>>>>>> >>>>>>>>>>>> A brief overview of the patches: >>>>>>>>>>>> >>>>>>>>>>>> 0059 >>>>>>>>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>>>>>>>> Dogtag REST API wrapper >>>>>>>>>>>> 0060 >>>>>>>>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>>>>>>>> 0061 >>>>>>>>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>>>>>>>> 0062 >>>>>>>>>>>> Update ra.request_certificate() to support specifying >>>>>>>>>>>> target CA >>>>>>>>>>>> 0063 >>>>>>>>>>>> Add '--ca' option to 'cert-request' command >>>>>>>>>>>> 0064 >>>>>>>>>>>> Add '--issuer' option to 'cert-find' command >>>>>>>>>>>> >>>>>>>>>>>> These patches depend on other pending patches: >>>>>>>>>>>> >>>>>>>>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>>>>>>>> >>>>>>>>>>>> Signing key replication depends on unmerged Dogtag patches. >>>>>>>>>>>> Builds >>>>>>>>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>>>>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>>>>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>>>>>>>> >>>>>>>>>>>> Some parts of the design are not implemented in the current >>>>>>>>>>>> patchset, including: >>>>>>>>>>>> >>>>>>>>>>>> - local parent CA (ipaca object) references >>>>>>>>>>>> - sub-CA certificate renewal >>>>>>>>>>>> - 'cert-show' command '--ca=NAME' option >>>>>>>>>>>> - certmonger support for specifying CA >>>>>>>>>>>> - revocation of deleted CAs >>>>>>>>>>>> >>>>>>>>>>>> I look forward to your reviews! >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Fraser >>>>>>>>>>>> >>>>>>>>>>> Rebased and updated patches attached. 
>>>>>>>>>>> >>>>>>>>>>> Substantive changes: >>>>>>>>>>> >>>>>>>>>>> - add required attributes for issuer DN and subject DN >>>>>>>>>>> - prevent rename of IPA CA >>>>>>>>>>> - when adding IPA CA entry, contact Dogtag to learn authority >>>>>>>>>>> id, >>>>>>>>>>> issuer DN and subject DN >>>>>>>>>>> - add 'read_ca' method to Dogtag interface >>>>>>>>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>>>>>>>> >>>>>>>>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>>>>>>>> option to cert-show and cert-find. >>>>>>>>> >>>>>>>>> Patch 0059: >>>>>>>>> >>>>>>>>> 1) On upgrade, why is the lightweight CA container created >>>>>>>>> twice - once in >>>>>>>>> 41-subca.update, once using ensure_entry() call? It should be >>>>>>>>> done only >>>>>>>>> once. >>>>>>>>> >>>>>>>> I'll remove 41-subca.update; the routine in cainstance is the one >>>>>>>> that's needed. >>>>>>>> >>>>>>>>> 2) In ca_del, every CA specified in args[0] should be deleted, >>>>>>>>> not just the >>>>>>>>> first one. >>>>>>>>> >>>>>>>>> 3) Do not use NonFatalError, issue a warning instead: >>>>>>>>> >>>>>>>>> self.add_message(MyNewWarningClass(name=...)) >>>>>>>>> >>>>>>>>> 4) Can it actually happen that ca_show does not return ipacaid? >>>>>>>>> I guess not, >>>>>>>>> so you should be able to remove the check altogether and don't >>>>>>>>> bother with >>>>>>>>> the warning. >>>>>>>>> >>>>>>>> ipacaid is mandatory now, so I'll remove the check. >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0060-0062: LGTM >>>>>>>>> >>>>>>>> Yippee \o/ >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0063: >>>>>>>>> >>>>>>>>> Could you please define the CA param as follows: >>>>>>>>> >>>>>>>>> Str('cacn?', >>>>>>>>> cli_name='ca', >>>>>>>>> query=True, >>>>>>>>> label=_("CA"), >>>>>>>>> doc=_("CA to use"), >>>>>>>>> ), >>>>>>>>> >>>>>>>>> ? 
>>>>>>>>> >>>>>>>>> This is for consistency with framework-generated parent key >>>>>>>>> params, which >>>>>>>>> unfortunately we cannot leverage in cert_request currently. >>>>>>>>> >>>>>>>> No problemo. >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0064: >>>>>>>>> >>>>>>>>> 1) See my comment for patch 0063, it applies here as well. >>>>>>>>> >>>>>>>>> 2) The --issuer option should not be included in cert_show - >>>>>>>>> show commands >>>>>>>>> are supposed to retrieve an object given primary key(s), and >>>>>>>>> the primary key >>>>>>>>> of CA objects is just their cn. >>>>>>>>> >>>>>>>> The --issuer argument is because the primary key for a cert is really >>>>>>>> (issuer, serial). So it shows the cert _with_ that issuer (and >>>>>>>> serial), not the cert _for_ that issuer. >>>>>> >>>>>> Correct, but in IPA the issuer is represented by the CA object, so >>>>>> in IPA >>>>>> the primary key for a certificate is actually (CA name, serial). >>>>>> >>>>>> Certificate lookup by issuer name and serial is actually a search >>>>>> operation, >>>>>> analogous to how CA lookup by subject name is also a search >>>>>> operation, so >>>>>> it should be done by cert-find. >>>>>> >>>>> OK, I will remove the --issuer option for cert-find. >>>>> >>>>>>>> >>>>>>>>> 3) In find commands, the options form a filter, so instead of >>>>>>>>> raising >>>>>>>>> MutuallyExclusiveError in cert-find, return an empty result, as >>>>>>>>> with any >>>>>>>>> other unmatched filter. >>>>>>>>> >>>>>>>> Here, --issuer and --ca are two different ways to specify the >>>>>>>> issuer. --issuer lets you give the issuer DN straight up; --ca >>>>>>>> takes the name of an IPA CA object and looks up its issuer DN. >>>>>>>> (Thus it makes no sense to give both options at once). >>>>>> >>>>>> That's one way to look at it, but it's true only if you assume that >>>>>> cert-find can only search certificates in Dogtag.
This will very >>>>>> soon become >>>>>> untrue, as we will allow cert-find to also search certificates >>>>>> anywhere in >>>>>> LDAP (the server part of ticket #5381). There, the difference >>>>>> between the >>>>>> options would be that with --ca you search for certificates issued >>>>>> by the >>>>>> specified managed CA, but with --issuer you search for >>>>>> certificates with the >>>>>> given issuer name, be it a managed CA or not. >>>>>> >>>>> --ca is just a "shorthand" for --issuer - it merely looks up the subject >>>>> DN of the specified CA, and uses that as the issuer option. >>>>> >>>>>> For now, IMO the correct behavior should be that if both are >>>>>> specified and >>>>>> the issuer name of the specified CA does not match the specified >>>>>> issuer >>>>>> name, an empty result is returned, otherwise carry on with the search in >>>>>> Dogtag. >>>>>> >>>>> If I allow both, the behaviour will then be: >>>>> >>>>> specify issuer DN only) >>>>> search using given issuer DN >>>>> specify CA only) >>>>> search using subject DN of specified CA. If no such CA, error. >>>>> specify issuer DN and CA) >>>>> search using given issuer DN, and ensure that result (if any) >>>>> matches subject DN of specified CA. If no such CA, error. >>>>> >>>>> I'm happy to implement this if you confirm that you think it's the >>>>> correct behaviour. >>>> >>>> Looks correct to me. >>>> >>> Thanks; updated patches attached. Martin, this patch should also >>> fix the upgrade issue. >>> >>> Cheers, >>> Fraser >>> >> Another rebase to fix conflicts in the VERSION file. No other changes. > > Thanks. > > The remaining cert commands (status, revoke, remove-hold) should also > have the cacn option consistent with cert-show. This can be added in a > further patch, though. > > I think it would make sense if the cn argument in ca commands was > optional, with the default being 'ipa'. This can also be done later. > > So LGTM. If Martin agrees, we can push this patch set.
>
Hi Fraser, during functional review I found the following issues:

1.) If I create a CAACL rule tied to a specific sub-CA, let's say for user certificate issuance:
"""
ipa caacl-show user_cert_issuance
Enabled: TRUE
User category: all
CAs: user_sub_ca
Profiles: caIPAuserCert
ACL name: user_cert_issuance
"""
I can still happily request a certificate for a user using the root CA:
"""
ipa cert-request cert.csr --principal jdoe --ca ipa
Certificate: MIID9j.../Ov8mkjFA==
Subject: CN=jdoe,O=IPA.TEST
Issuer: CN=Certificate Authority,O=IPA.TEST
...
"""
Should this not be denied by the CA-ACL rule? The default IPA CAACL rule is like this:
"""
ipa caacl-show hosts_services_caIPAserviceCert
Enabled: TRUE
Host category: all
Service category: all
Profiles: caIPAserviceCert
ACL name: hosts_services_caIPAserviceCert
"""
so the default rule should not allow users to request certs at all.

2.) The '--chain' option in cert-show/cert-request is not implemented, but this was probably a deliberate decision. We should however at least open a ticket about this and add it later.

3.)
I cannot issue a user certificate on a replica with a configured CA:
"""
[root at replica1 ~]# ipa cert-request cert.csr --ca user_sub_ca --principal jrogan
ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not found: bc953851-1f24-4e16-9847-9ee5bbe6dd0e)
[root at replica1 ~]# ipa ca-find user_sub_ca
------------
1 CA matched
------------
Name: user_sub_ca
Description: CA for issuing user certificates
Authority ID: bc953851-1f24-4e16-9847-9ee5bbe6dd0e
Subject DN: CN=User Cert Sub-CA,O=IPA.TEST
Issuer DN: CN=Certificate Authority,O=IPA.TEST
----------------------------
Number of entries returned 1
----------------------------
[root at replica1 ~]# ipa cert-request cert.csr --ca user_sub_ca --principal jrogan
ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not found: bc953851-1f24-4e16-9847-9ee5bbe6dd0e)
"""
The LDAP entry is there, but it seems like the sub-CA was not replicated at the dogtag backend. This occurs regardless of whether the master was freshly installed or upgraded from the 4.3.1 release. -- Martin^3 Babinsky

From mbasti at redhat.com Mon Jun 13 11:50:02 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 13:50:02 +0200 Subject: [Freeipa-devel] [PATCH] 0051: webui: correct jslint warning In-Reply-To: <99fea8d1-2e64-f73c-9363-43acb888e4f1@redhat.com> References: <23e9c41b-d20d-5701-43f8-27d39937d9af@redhat.com> <99fea8d1-2e64-f73c-9363-43acb888e4f1@redhat.com> Message-ID:
On 13.06.2016 12:20, Pavel Vomacka wrote: > > > > On 06/13/2016 12:00 PM, Pavel Vomacka wrote: >> Hello, >> >> I forgot to run jslint during the last review and there was one >> warning, so this patch fixes it. >> >> -- >> Pavel^3 Vomacka >> >> > Added ticket to the commit message. > > > >
It would be nice to have jslint covered by make lint; can you enable this check there? Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL:

From mbasti at redhat.com Mon Jun 13 11:53:33 2016
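Martin Babinsky's first functional-review finding above (a CA ACL bound to `user_sub_ca` not preventing a request against the `ipa` CA) is about how CA ACL matching should behave once the CA is one of the rule's dimensions. The following is an added example of that matching as a standalone model, not the `caacl` plugin's code and not part of any message in this thread. It assumes a rule matches only when the principal, the profile and the CA all match, and that nothing is allowed unless some enabled rule matches; the `CAACL` and `Principal` classes, and the `ipa` CA listed on the default rule, are assumptions of the example:

```python
# Added example, not FreeIPA code: a default-deny model of CA ACL matching
# over three dimensions (principal, profile, CA). The classes and the 'ipa'
# CA on the default rule are assumptions of this example.
from dataclasses import dataclass

KINDS = ("user", "host", "service")


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str  # one of KINDS

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"unknown principal kind: {self.kind!r}")


@dataclass(frozen=True)
class CAACL:
    name: str
    enabled: bool = True
    # "category: all" flags and explicit members, one pair per principal kind
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()
    # profiles and CAs the rule covers; an empty set with the flag False matches nothing
    profile_category_all: bool = False
    profiles: frozenset = frozenset()
    ca_category_all: bool = False
    cas: frozenset = frozenset()


def rule_matches(rule, principal, profile, ca):
    """True only if the rule is enabled and matches principal, profile and CA."""
    if not rule.enabled:
        return False
    by_kind = {
        "user": (rule.user_category_all, rule.users),
        "host": (rule.host_category_all, rule.hosts),
        "service": (rule.service_category_all, rule.services),
    }
    category_all, members = by_kind[principal.kind]
    return ((category_all or principal.name in members)
            and (rule.profile_category_all or profile in rule.profiles)
            and (rule.ca_category_all or ca in rule.cas))


def cert_request_allowed(rules, principal, profile, ca):
    """Default deny: at least one enabled rule must match all three dimensions."""
    return any(rule_matches(rule, principal, profile, ca) for rule in rules)


# Constructed rules mirroring the two caacl-show outputs quoted in the review.
# Listing the 'ipa' CA on the default rule is an assumption of this model.
DEFAULT_RULE = CAACL(
    "hosts_services_caIPAserviceCert",
    host_category_all=True, service_category_all=True,
    profiles=frozenset({"caIPAserviceCert"}), cas=frozenset({"ipa"}),
)
USER_RULE = CAACL(
    "user_cert_issuance",
    user_category_all=True,
    profiles=frozenset({"caIPAuserCert"}), cas=frozenset({"user_sub_ca"}),
)
RULES = (DEFAULT_RULE, USER_RULE)
```

With these two rules, `jdoe` requesting `caIPAuserCert` from `user_sub_ca` is allowed, the same request against `ipa` is denied because no rule lists that CA for users, and hosts keep their `caIPAserviceCert` access on `ipa` only. A disabled rule contributes nothing, however broad its categories.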
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 13:53:33 +0200 Subject: [Freeipa-devel] [PATCH] 0051: webui: correct jslint warning In-Reply-To: References: <23e9c41b-d20d-5701-43f8-27d39937d9af@redhat.com> <99fea8d1-2e64-f73c-9363-43acb888e4f1@redhat.com> Message-ID:
On 13.06.2016 13:50, Martin Basti wrote: > > > > On 13.06.2016 12:20, Pavel Vomacka wrote: >> >> >> >> On 06/13/2016 12:00 PM, Pavel Vomacka wrote: >>> Hello, >>> >>> I forgot to run jslint during the last review and there was one >>> warning, so this patch fixes it. >>> >>> -- >>> Pavel^3 Vomacka >>> >>> >> Added ticket to the commit message. >> >> >> >> > > It would be nice to have jslint covered by make lint; can you enable this > check there? > > Martin^2 > >
jslint can be added later. ACK. Pushed to master: 3bac6de49e49d702e07a4ef3e85013e3cbd2e82b -------------- next part -------------- An HTML attachment was scrubbed... URL:

From mbasti at redhat.com Mon Jun 13 11:58:56 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 13:58:56 +0200 Subject: [Freeipa-devel] [PATCH 0491] Fix: Local variable s_indent might be referenced before defined In-Reply-To: <4ad10b83-c29b-abee-5716-20a721a3a502@redhat.com> References: <4ad10b83-c29b-abee-5716-20a721a3a502@redhat.com> Message-ID: <6381b79e-675e-64d5-57bc-dd4d072141d5@redhat.com>
On 01.06.2016 16:13, Martin Babinsky wrote: > On 06/01/2016 03:59 PM, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5921 >> >> Patch attached. >> >> >> > ACK >
Pushed to master: 493ae1e5028c6ce8a0888146ee3de6c798caa55f

From jcholast at redhat.com Mon Jun 13 12:17:14 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 13 Jun 2016 14:17:14 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 In-Reply-To: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> References: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> Message-ID:
On 10.6.2016 10:57, Martin Basti wrote: > > > On 10.06.2016 06:17, Jan Cholasta wrote: >> On 9.6.2016 20:57, Martin Basti wrote: >>> Py3 support was enabled prematurely; the attached patches remove python3 >>> from /usr/bin/ipa >>> >>> >>> Notes: >>> >>> * ipa 4.3.x won't have py3 enabled >>> >>> * master (ipa 4.4+) will have py3 disabled temporarily >> >> NACK. You reverted this bit wrong: >> >> -%if 0%{?with_python3} >> -Requires: python3-ipaclient = %{version}-%{release} >> -%else >> Requires: python2-ipaclient = %{version}-%{release} >> -%endif >> +Requires: %{name}-client-common = %{version}-%{release} >> +Requires: python2-ipalib = %{version}-%{release} >> > > Shame on me, > > updated patch attached.
LGTM. -- Jan Cholasta

From ofayans at redhat.com Mon Jun 13 12:42:28 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 13 Jun 2016 14:42:28 +0200 Subject: [Freeipa-devel] [Test][Patch-0043-0045] DNSSec key rotation test Message-ID: <575EAA34.2000501@redhat.com>
Hi guys, Here is a test for the dnssec key rotation mechanism. The full set of commands works perfectly when run manually (even in the mode of a full copy-paste from the test). However, when run automatically, the test always fails as `dig +rrcomments test.here DS` does not display the zone keytag. I tried to decrease the default key TTL values with no success. Could anyone take a look at this (after 4.4 is released, of course)? -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0043-Added-dnssec-specific-constants.patch Type: text/x-patch Size: 1363 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0044-Added-a-method-updating-dnssec-defaults.patch Type: text/x-patch Size: 1552 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0045-Automated-dnssec-key-rotation-test.patch Type: text/x-patch Size: 3653 bytes Desc: not available URL:

From frenaud at redhat.com Mon Jun 13 12:46:55 2016 From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Mon, 13 Jun 2016 14:46:55 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> Message-ID:
On 06/07/2016 10:14 AM, Stanislav Laznicka wrote: > https://fedorahosted.org/freeipa/ticket/5775 > > >
LGTM, ACK -------------- next part -------------- An HTML attachment was scrubbed... URL:

From mbabinsk at redhat.com Mon Jun 13 12:51:56 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 13 Jun 2016 14:51:56 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> Message-ID: On 06/07/2016 10:14 AM, Stanislav Laznicka wrote: > https://fedorahosted.org/freeipa/ticket/5775 > > > Umm, wouldn't it be better to augment the `Service.start()/restart()` methods themselves with parameters that will suppress exception raising and log an error instead of copy-pasting try: ... except: blocks? -- Martin^3 Babinsky From mbasti at redhat.com Mon Jun 13 12:57:50 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 14:57:50 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513] DNS locations Message-ID: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> Patches attached. https://fedorahosted.org/freeipa/ticket/2008 Missing parts: dns-server config, some warnings from design, some corner, cleanup of old unused location records cases, this will be covered in future patches -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0503-DNS-Locations-add-index-for-ipalocation-attribute.patch Type: text/x-patch Size: 1662 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0504-DNS-Locations-fix-location-del.patch Type: text/x-patch Size: 1021 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0505-DNS-Locations-add-idnsTemplateObject-objectclass.patch Type: text/x-patch Size: 3849 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0506-DNS-Locations-DNS-data-management.patch Type: text/x-patch Size: 16610 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0507-DNS-Locations-permission-allow-to-read-status-of-ser.patch Type: text/x-patch Size: 2829 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0508-DNS-Locations-add-ACI-for-template-attribute.patch Type: text/x-patch Size: 8605 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0509-DNS-Locations-command-dns-update-system-records.patch Type: text/x-patch Size: 10768 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0510-DNS-Locations-use-dns_update_service_records-in-inst.patch Type: text/x-patch Size: 11681 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0511-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch Type: text/x-patch Size: 4112 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0512-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch Type: text/x-patch Size: 3575 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0513-DNS-Locations-server-mod-add-automatic-records-updat.patch Type: text/x-patch Size: 1958 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 13 13:06:50 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 15:06:50 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513] DNS locations In-Reply-To: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> Message-ID: <77e037c5-4a2e-5517-13dc-3b2e6451d581@redhat.com> On 13.06.2016 14:57, Martin Basti wrote: > Patches attached. > > https://fedorahosted.org/freeipa/ticket/2008 > > > Missing parts: dns-server config, some warnings from design, some > corner, cleanup of old unused location records cases, this will be > covered in future patches > It should be 'corner cases' > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Mon Jun 13 13:17:21 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 13 Jun 2016 23:17:21 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> References: <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> Message-ID: <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> On Mon, Jun 13, 2016 at 12:48:18PM +0200, Martin Babinsky wrote: > On 06/13/2016 08:59 AM, Jan Cholasta wrote: > > On 13.6.2016 08:38, Fraser Tweedale wrote: > > > On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote: > > > > On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: > > > > > On 9.6.2016 11:10, Fraser Tweedale wrote: > > > > > > On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: > > > > > > > On 9.6.2016 08:44, Fraser Tweedale wrote: > > > > > > > > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: > > > > > > > > > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: > > > > > > > > > > On 8.6.2016 05:15, Fraser Tweedale wrote: > > > > > > > > > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > > > > > > > > > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > > > > > > > > > > > > Hi team, > > > > > > > > > > > > > > > > > > > > > > > > > > This patchset implements the 'ca' plugin for creating and > > > > > > > > > > > > > managing > > > > > > > > > > > > > lightweight sub-CAs, and updates the 'caacl' plugin and > > > > > > > > > > > > > 'cert-request' command to support multiple CAs. 
> > > > > > > > > > > > > > > > > > > > > > > > > > A brief overview of the patches: > > > > > > > > > > > > > > > > > > > > > > > > > > 0059 > > > > > > > > > > > > > 'ca' plugin, associated schema changes and container objects, > > > > > > > > > > > > > Dogtag REST API wrapper > > > > > > > > > > > > > 0060 > > > > > > > > > > > > > Add CA entry for the IPA CA on install/upgrade > > > > > > > > > > > > > 0061 > > > > > > > > > > > > > Update 'caacl' plugin with CA support (including enforcement) > > > > > > > > > > > > > 0062 > > > > > > > > > > > > > Update ra.request_certificate() to support specifying > > > > > > > > > > > > > target CA > > > > > > > > > > > > > 0063 > > > > > > > > > > > > > Add '--ca' option to 'cert-request' command > > > > > > > > > > > > > 0064 > > > > > > > > > > > > > Add '--issuer' option to 'cert-find' command > > > > > > > > > > > > > > > > > > > > > > > > > > These patches depend on other pending patches: > > > > > > > > > > > > > > > > > > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > > > > > > > > > > > > > > > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. 
> > > > > > > > > > > > > Builds > > > > > > > > > > > > > of Dogtag with the required patches, and of FreeIPA with all > > > > > > > > > > > > > completed sub-CAs work, should be available from my COPR soon: > > > > > > > > > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > > > > > > > > > > > > > > > > > > > > > > > Some parts of the design are not implemented in the current > > > > > > > > > > > > > patchset, including: > > > > > > > > > > > > > > > > > > > > > > > > > > - local parent CA (ipaca object) references > > > > > > > > > > > > > - sub-CA certificate renewal > > > > > > > > > > > > > - 'cert-show' command '--ca=NAME' option > > > > > > > > > > > > > - certmonger support for specifying CA > > > > > > > > > > > > > - revocation of deleted CAs > > > > > > > > > > > > > > > > > > > > > > > > > > I look forward to your reviews! > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > Fraser > > > > > > > > > > > > > > > > > > > > > > > > > Rebased and updated patches attached. > > > > > > > > > > > > > > > > > > > > > > > > Substantive changes: > > > > > > > > > > > > > > > > > > > > > > > > - add required attributes for issuer DN and subject DN > > > > > > > > > > > > - prevent rename of IPA CA > > > > > > > > > > > > - when adding IPA CA entry, contact Dogtag to learn authority > > > > > > > > > > > > id, > > > > > > > > > > > > issuer DN and subject DN > > > > > > > > > > > > - add 'read_ca' method to Dogtag interface > > > > > > > > > > > > - tighten ACIs to prevent modification of ipacaid attribute > > > > > > > > > > > > > > > > > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca > > > > > > > > > > > option to cert-show and cert-find. 
> > > > > > > > > > > > > > > > > > > > Patch 0059: > > > > > > > > > > > > > > > > > > > > 1) On upgrade, why is the lightweight CA container created > > > > > > > > > > twice - once in > > > > > > > > > > 41-subca.update, once using ensure_entry() call? It should be > > > > > > > > > > done only > > > > > > > > > > once. > > > > > > > > > > > > > > > > > > > I'll remove 41-subca.update; the routine in cainstance is the one > > > > > > > > > that's needed. > > > > > > > > > > > > > > > > > > > 2) In ca_del, every CA specified in args[0] should be deleted, > > > > > > > > > > not just the > > > > > > > > > > first one. > > > > > > > > > > > > > > > > > > > > 3) Do not use NonFatalError, issue a warning instead: > > > > > > > > > > > > > > > > > > > > self.add_message(MyNewWarningClass(name=...)) > > > > > > > > > > > > > > > > > > > > 4) Can it actually happen that ca_show does not return ipacaid? > > > > > > > > > > I guess not, > > > > > > > > > > so you should be able to remove the check altogether and don't > > > > > > > > > > bother with > > > > > > > > > > the warning. > > > > > > > > > > > > > > > > > > > ipacaid is mandatory now, so I'll remove the check. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0060-0062: LGTM > > > > > > > > > > > > > > > > > > > Yippee \o/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0063: > > > > > > > > > > > > > > > > > > > > Could you please define the CA param as follows: > > > > > > > > > > > > > > > > > > > > Str('cacn?', > > > > > > > > > > cli_name='ca', > > > > > > > > > > query=True, > > > > > > > > > > label=_("CA"), > > > > > > > > > > doc=_("CA to use"), > > > > > > > > > > ), > > > > > > > > > > > > > > > > > > > > ? > > > > > > > > > > > > > > > > > > > > This is for consistency with framework-generated parent key > > > > > > > > > > params, which > > > > > > > > > > unfortunately we cannot leverage in cert_request currently. > > > > > > > > > > > > > > > > > > > No problemo. 
> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0064: > > > > > > > > > > > > > > > > > > > > 1) See my comment for patch 0063, it applies here as well. > > > > > > > > > > > > > > > > > > > > 2) The --issuer option should not be included in cert_show - > > > > > > > > > > show commands > > > > > > > > > > are supposed to retrieve an object given primary key(s), and > > > > > > > > > > the primary key > > > > > > > > > > of CA objects is just their cn. > > > > > > > > > > > > > > > > > > > The --issuer argument is because primary key for a cert is really > > > > > > > > > (issuer, serial). So it shows the cert _with_ that issuer (and > > > > > > > > > serial), not the cert _for_ that issuer. > > > > > > > > > > > > > > Correct, but in IPA the issuer is represented by the CA object, so > > > > > > > in IPA > > > > > > > the primary key for a certificate is actually (CA name, serial). > > > > > > > > > > > > > > Certificate lookup by issuer name and serial is actually a search > > > > > > > operation, > > > > > > > analogous to how CA lookup by subject name is also a search > > > > > > > operation, so > > > > > > > it should be done by cert-find. > > > > > > > > > > > > > OK, I will remove the --issuer option for cert-find. > > > > > > > > > > > > > > > > > > > > > > > > > 3) In find commands, the options form a filter, so instead of > > > > > > > > > > raising > > > > > > > > > > MutuallyExclusiveError in cert-find, return an empty result, as > > > > > > > > > > with any > > > > > > > > > > other unmatched filter. > > > > > > > > > > > > > > > > > > > Here, --issuer and --ca are two different ways to specify the > > > > > > > > > issuer. --issuer lets you give the issuer DN straight up; --ca > > > > > > > > > takes the name of an IPA CA object and looks up its issuer DN. > > > > > > > > > (Thus it makes no sense to give both options at once). 
> > > > > > > > > > > > > > > That's one way to look at it, but it's true only if you assume that > > > > > > > cert-find can only search certificates in Dogtag. This will very > > > > > > > soon become > > > > > > > untrue, as we will allow cert-find to also search certificates > > > > > > > anywhere in > > > > > > > LDAP (the server part of ticket #5381). There, the difference > > > > > > > between the > > > > > > > options would be that with --ca you search for certificates issued > > > > > > > by the > > > > > > > specified managed CA, but with --issuer you search for > > > > > > > certificates with the > > > > > > > given issuer name, be it managed CA or not. > > > > > > > > > > > > > --ca is just a "shorthand" for --issuer - it merely looks up subject > > > > > > DN of the specified CA, and uses that as the issuer option. > > > > > > > > > > > > > For now, IMO the correct behavior should be that if both are > > > > > > > specified and > > > > > > > the issuer name of the specified CA does not match the specified > > > > > > > issuer > > > > > > > name, empty result is returned, otherwise carry on with the search in > > > > > > > Dogtag. > > > > > > > > > > > > > If I allow both, the behaviour will then be: > > > > > > > > > > > > specify issuer DN only) > > > > > > search using given issuer DN > > > > > > specify CA only) > > > > > > search using subject DN of specified CA. If no such CA, error. > > > > > > specify issuer DN and CA) > > > > > > search using given issuer DN, and ensure that result (if any) > > > > > > matches subject DN of specified CA. If no such CA, error. > > > > > > > > > > > > I'm happy to implement this if you confirm that you think it's the > > > > > > correct behaviour. > > > > > > > > > > Looks correct to me. > > > > > > > > > Thanks; updated patches attached. Martin, this patch should also > > > > fix the upgrade issue. > > > > > > > > Cheers, > > > > Fraser > > > > > > > Another rebase to fix conflicts in VERSION file. 
No other changes. > > > > Thanks. > > > > The remaining cert commands (status, revoke, remove-hold) should also > > have the cacn option consistent with cert-show. This can be added in > > further patch, though. > > > > I think it would make sense if the cn argument in ca commands was > > optional, with the default being 'ipa'. This can also be done later. > > > > So LGTM. If Martin agrees, we can push this patch set. > > > > Hi Fraser, > > during functional review I found the following issues: > > 1.) > > If I create a CAACL rule tied to a specific sub-CA let's say for user > certificate issuance: > > """ > ipa caacl-show user_cert_issuance > Enabled: TRUE > User category: all > CAs: user_sub_ca > Profiles: caIPAuserCert > ACL name: user_cert_issuance > > """ > > I can still happily request certificate for a user using root-CA: > > """ > ipa cert-request cert.csr --principal jdoe --ca ipa > Certificate: MIID9j.../Ov8mkjFA== > Subject: CN=jdoe,O=IPA.TEST > Issuer: CN=Certificate Authority,O=IPA.TEST > ... > """ > > should not this be denied by CA-ACL rule? > > The default IPA CAACL rule is like this: > > """ > ipa caacl-show hosts_services_caIPAserviceCert > Enabled: TRUE > Host category: all > Service category: all > Profiles: caIPAserviceCert > ACL name: hosts_services_caIPAserviceCert > > """ > > so the default rule should not allow users to request certs at all. > Yes, these should be denied. Looking into it. > 2.) > > The '--chain' option in cert-show/cert-request is not implemented, but this > was probably a deliberate decision. We should however at least open a ticket > about this and add it later. > Yes, it will be added in a later patch. > 3.) 
> > I cannot issue a user certificate on a replica with configured CA: > > """ > [root at replica1 ~]# ipa cert-request cert.csr --ca user_sub_ca --principal > jrogan > ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not > found: bc953851-1f24-4e16-9847-9ee5bbe6dd0e) > [root at replica1 ~]# ipa ca-find user_sub_ca > ------------ > 1 CA matched > ------------ > Name: user_sub_ca > Description: CA for issuing user certificates > Authority ID: bc953851-1f24-4e16-9847-9ee5bbe6dd0e > Subject DN: CN=User Cert Sub-CA,O=IPA.TEST > Issuer DN: CN=Certificate Authority,O=IPA.TEST > ---------------------------- > Number of entries returned 1 > ---------------------------- > [root at replica1 ~]# ipa cert-request cert.csr --ca user_sub_ca --principal > jrogan > ipa: ERROR: Certificate operation cannot be completed: FAILURE (CA not > found: bc953851-1f24-4e16-9847-9ee5bbe6dd0e) > """ > > The LDAP entry is there, but it seems like the sub-CA was not replicated at > the dogtag backend. This occurs regardless of whether the master was freshly > installed or upgraded from 4.3.1 release. > Can you please tell me the version of Dogtag packages on each of the machines? Could you please also provide /var/log/pki/pki-tomcat/ca/debug from the replica? Cheers, Fraser From ftweedal at redhat.com Mon Jun 13 13:32:08 2016 
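The cert-find filter semantics agreed in the thread above (--issuer as a raw issuer DN, --ca as shorthand for the subject DN of a managed CA, an empty result rather than an error when both are given and disagree), as an added stand-alone model that is not FreeIPA code; the CA table, certificate table and the simplified DN normalisation are constructed for this example.

```python
# Added example, not FreeIPA code: a stand-alone model of the cert-find
# issuer filter (--issuer vs --ca) as discussed in the thread above.
# The CA table, certificate table and DN normalisation are constructed here.
from typing import Dict, List, Optional, Tuple


class NotFound(Exception):
    """The named IPA CA object does not exist (the 'If no such CA, error' case)."""


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation for comparison.

    Compares RDN types and values case-insensitively and ignores whitespace
    around separators. Real DN matching is attribute-type aware; this is only
    enough to show that issuer comparison must not be a plain string compare.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


# Constructed sample data; the CA names and DNs follow the thread (IPA.TEST).
CAS: Dict[str, str] = {
    "ipa": "CN=Certificate Authority,O=IPA.TEST",
    "user_sub_ca": "CN=User Cert Sub-CA,O=IPA.TEST",
}

# (issuer DN, serial, subject DN); the last entry was not issued by an IPA CA,
# the case that matters once cert-find also searches certificates in LDAP.
CERTS: List[Tuple[str, int, str]] = [
    ("CN=Certificate Authority,O=IPA.TEST", 7, "CN=jdoe,O=IPA.TEST"),
    ("CN=User Cert Sub-CA,O=IPA.TEST", 3, "CN=jrogan,O=IPA.TEST"),
    ("CN=External CA,O=EXAMPLE", 99, "CN=ext,O=EXAMPLE"),
]


def cert_find(issuer: Optional[str] = None,
              ca: Optional[str] = None) -> List[Tuple[str, int, str]]:
    """Return the certificates matching the issuer filter.

    issuer only -> filter on that issuer DN
    ca only     -> filter on the subject DN of the named CA; NotFound if absent
    both        -> filter on the issuer DN, but return an empty result (not
                   MutuallyExclusiveError) when the CA's subject DN does not
                   match it, like any other unmatched find filter
    neither     -> no issuer filter at all
    """
    if ca is not None:
        if ca not in CAS:
            raise NotFound(f"{ca}: CA not found")
        ca_subject = CAS[ca]
        if issuer is None:
            # --ca is shorthand for --issuer <subject DN of that CA>
            issuer = ca_subject
        elif normalize_dn(issuer) != normalize_dn(ca_subject):
            return []
    if issuer is None:
        return list(CERTS)
    want = normalize_dn(issuer)
    return [c for c in CERTS if normalize_dn(c[0]) == want]
```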
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 13 Jun 2016 23:32:08 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> References: <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> On Mon, Jun 13, 2016 at 11:17:21PM +1000, Fraser Tweedale wrote: > On Mon, Jun 13, 2016 at 12:48:18PM +0200, Martin Babinsky wrote: > > On 06/13/2016 08:59 AM, Jan Cholasta wrote: > > > On 13.6.2016 08:38, Fraser Tweedale wrote: > > > > On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote: > > > > > On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: > > > > > > On 9.6.2016 11:10, Fraser Tweedale wrote: > > > > > > > On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: > > > > > > > > On 9.6.2016 08:44, Fraser Tweedale wrote: > > > > > > > > > On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: > > > > > > > > > > On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: > > > > > > > > > > > On 8.6.2016 05:15, Fraser Tweedale wrote: > > > > > > > > > > > > On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: > > > > > > > > > > > > > On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: > > > > > > > > > > > > > > Hi team, > > > > > > > > > > > > > > > > > > > > > > > > > > > > This patchset implements the 'ca' plugin for creating and > > > > > > > > > > > > > > managing > > > > > > > > > > > > > > lightweight sub-CAs, and updates the 'caacl' plugin and > > > > > > > > > > > > > > 
'cert-request' command to support multiple CAs. > > > > > > > > > > > > > > > > > > > > > > > > > > > > A brief overview of the patches: > > > > > > > > > > > > > > > > > > > > > > > > > > > > 0059 > > > > > > > > > > > > > > 'ca' plugin, associated schema changes and container objects, > > > > > > > > > > > > > > Dogtag REST API wrapper > > > > > > > > > > > > > > 0060 > > > > > > > > > > > > > > Add CA entry for the IPA CA on install/upgrade > > > > > > > > > > > > > > 0061 > > > > > > > > > > > > > > Update 'caacl' plugin with CA support (including enforcement) > > > > > > > > > > > > > > 0062 > > > > > > > > > > > > > > Update ra.request_certificate() to support specifying > > > > > > > > > > > > > > target CA > > > > > > > > > > > > > > 0063 > > > > > > > > > > > > > > Add '--ca' option to 'cert-request' command > > > > > > > > > > > > > > 0064 > > > > > > > > > > > > > > Add '--issuer' option to 'cert-find' command > > > > > > > > > > > > > > > > > > > > > > > > > > > > These patches depend on other pending patches: > > > > > > > > > > > > > > > > > > > > > > > > > > > > 0051, 0052, 0053, 0054, 0055, 0056 > > > > > > > > > > > > > > > > > > > > > > > > > > > > Signing key replication depends on unmerged Dogtag patches. 
> > > > > > > > > > > > > > Builds > > > > > > > > > > > > > > of Dogtag with the required patches, and of FreeIPA with all > > > > > > > > > > > > > > completed sub-CAs work, should be available from my COPR soon: > > > > > > > > > > > > > > https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > Some parts of the design are not implemented in the current > > > > > > > > > > > > > > patchset, including: > > > > > > > > > > > > > > > > > > > > > > > > > > > > - local parent CA (ipaca object) references > > > > > > > > > > > > > > - sub-CA certificate renewal > > > > > > > > > > > > > > - 'cert-show' command '--ca=NAME' option > > > > > > > > > > > > > > - certmonger support for specifying CA > > > > > > > > > > > > > > - revocation of deleted CAs > > > > > > > > > > > > > > > > > > > > > > > > > > > > I look forward to your reviews! > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Fraser > > > > > > > > > > > > > > > > > > > > > > > > > > > Rebased and updated patches attached. > > > > > > > > > > > > > > > > > > > > > > > > > > Substantive changes: > > > > > > > > > > > > > > > > > > > > > > > > > > - add required attributes for issuer DN and subject DN > > > > > > > > > > > > > - prevent rename of IPA CA > > > > > > > > > > > > > - when adding IPA CA entry, contact Dogtag to learn authority > > > > > > > > > > > > > id, > > > > > > > > > > > > > issuer DN and subject DN > > > > > > > > > > > > > - add 'read_ca' method to Dogtag interface > > > > > > > > > > > > > - tighten ACIs to prevent modification of ipacaid attribute > > > > > > > > > > > > > > > > > > > > > > > > > Updated patch 0064-3; adds --issuer option to cert-show and --ca > > > > > > > > > > > > option to cert-show and cert-find. 
> > > > > > > > > > > > > > > > > > > > > > Patch 0059: > > > > > > > > > > > > > > > > > > > > > > 1) On upgrade, why is the lightweight CA container created > > > > > > > > > > > twice - once in > > > > > > > > > > > 41-subca.update, once using ensure_entry() call? It should be > > > > > > > > > > > done only > > > > > > > > > > > once. > > > > > > > > > > > > > > > > > > > > > I'll remove 41-subca.update; the routine in cainstance is the one > > > > > > > > > > that's needed. > > > > > > > > > > > > > > > > > > > > > 2) In ca_del, every CA specified in args[0] should be deleted, > > > > > > > > > > > not just the > > > > > > > > > > > first one. > > > > > > > > > > > > > > > > > > > > > > 3) Do not use NonFatalError, issue a warning instead: > > > > > > > > > > > > > > > > > > > > > > self.add_message(MyNewWarningClass(name=...)) > > > > > > > > > > > > > > > > > > > > > > 4) Can it actually happen that ca_show does not return ipacaid? > > > > > > > > > > > I guess not, > > > > > > > > > > > so you should be able to remove the check altogether and don't > > > > > > > > > > > bother with > > > > > > > > > > > the warning. > > > > > > > > > > > > > > > > > > > > > ipacaid is mandatory now, so I'll remove the check. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0060-0062: LGTM > > > > > > > > > > > > > > > > > > > > > Yippee \o/ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0063: > > > > > > > > > > > > > > > > > > > > > > Could you please define the CA param as follows: > > > > > > > > > > > > > > > > > > > > > > Str('cacn?', > > > > > > > > > > > cli_name='ca', > > > > > > > > > > > query=True, > > > > > > > > > > > label=_("CA"), > > > > > > > > > > > doc=_("CA to use"), > > > > > > > > > > > ), > > > > > > > > > > > > > > > > > > > > > > ? 
> > > > > > > > > > > > > > > > > > > > > > This is for consistency with framework-generated parent key > > > > > > > > > > > params, which > > > > > > > > > > > unfortunately we cannot leverage in cert_request currently. > > > > > > > > > > > > > > > > > > > > > No problemo. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Patch 0064: > > > > > > > > > > > > > > > > > > > > > > 1) See my comment for patch 0063, it applies here as well. > > > > > > > > > > > > > > > > > > > > > > 2) The --issuer option should not be included in cert_show - > > > > > > > > > > > show commands > > > > > > > > > > > are supposed to retrieve an object given primary key(s), and > > > > > > > > > > > the primary key > > > > > > > > > > > of CA objects is just their cn. > > > > > > > > > > > > > > > > > > > > > The --issuer argument is because primary key for a cert is really > > > > > > > > > > (issuer, serial). So it shows the cert _with_ that issuer (and > > > > > > > > > > serial), not the cert _for_ that issuer. > > > > > > > > > > > > > > > > Correct, but in IPA the issuer is represented by the CA object, so > > > > > > > > in IPA > > > > > > > > the primary key for a certificate is actually (CA name, serial). > > > > > > > > > > > > > > > > Certificate lookup by issuer name and serial is actually a search > > > > > > > > operation, > > > > > > > > analogous to how CA lookup by subject name is also a search > > > > > > > > operation, so > > > > > > > > it should be done by cert-find. > > > > > > > > > > > > > > > OK, I will remove the --issuer option for cert-find. > > > > > > > > > > > > > > > > > > > > > > > > > > > > 3) In find commands, the options form a filter, so instead of > > > > > > > > > > > raising > > > > > > > > > > > MutuallyExclusiveError in cert-find, return an empty result, as > > > > > > > > > > > with any > > > > > > > > > > > other unmatched filter. 
> > > > > > > > > > > > > > > > > > > > > > Here, --issuer and --ca are two different ways to specify the > > > > > > > > > > issuer. --issuer lets you give the issuer DN straight up; --ca > > > > > > > > > > takes the name of an IPA CA object and looks up its issuer DN. > > > > > > > > > > (Thus it makes no sense to give both options at once). > > > > > > > > > > > > > > > > That's one way to look at it, but it's true only if you assume that > > > > > > > > cert-find can only search certificates in Dogtag. This will very > > > > > > > > soon become > > > > > > > > untrue, as we will allow cert-find to also search certificates > > > > > > > > anywhere in > > > > > > > > LDAP (the server part of ticket #5381). There, the difference > > > > > > > > between the > > > > > > > > options would be that with --ca you search for certificates issued > > > > > > > > by the > > > > > > > > specified managed CA, but with --issuer you search for > > > > > > > > certificates with the > > > > > > > > given issuer name, be it managed CA or not. > > > > > > > > > > > > > > > --ca is just a "shorthand" for --issuer - it merely looks up subject > > > > > > > DN of the specified CA, and uses that as the issuer option. > > > > > > > > > > > > > > > For now, IMO the correct behavior should be that if both are > > > > > > > > specified and > > > > > > > > the issuer name of the specified CA does not match the specified > > > > > > > > issuer > > > > > > > > name, empty result is returned, otherwise carry on with the search in > > > > > > > > Dogtag. > > > > > > > > > > > > > > > If I allow both, the behaviour will then be: > > > > > > > > > > > > > > specify issuer DN only) > > > > > > > search using given issuer DN > > > > > > > specify CA only) > > > > > > > search using subject DN of specified CA. If no such CA, error. > > > > > > > specify issuer DN and CA) > > > > > > > search using given issuer DN, and ensure that result (if any) > > > > > > > matches subject DN of specified CA. 
If no such CA, error. > > > > > > > > > > > > > > I'm happy to implement this if you confirm that you think it's the > > > > > > > correct behaviour. > > > > > > > > > > > > Looks correct to me. > > > > > > > > > > > Thanks; updated patches attached. Martin, this patch should also > > > > > fix the upgrade issue. > > > > > > > > > > Cheers, > > > > > Fraser > > > > > > > > > Another rebase to fix conflicts in VERSION file. No other changes. > > > > > > Thanks. > > > > > > The remaining cert commands (status, revoke, remove-hold) should also > > > have the cacn option consistent with cert-show. This can be added in > > > further patch, though. > > > > > > I think it would make sense if the cn argument in ca commands was > > > optional, with the default being 'ipa'. This can also be done later. > > > > > > So LGTM. If Martin agrees, we can push this patch set. > > > > > > > Hi Fraser, > > > > during functional review I found the following issues: > > > > 1.) > > > > If I create a CAACL rule tied to a specific sub-CA let's say for user > > certificate issuance: > > > > """ > > ipa caacl-show user_cert_issuance > > Enabled: TRUE > > User category: all > > CAs: user_sub_ca > > Profiles: caIPAuserCert > > ACL name: user_cert_issuance > > > > """ > > > > I can still happily request certificate for a user using root-CA: > > > > """ > > ipa cert-request cert.csr --principal jdoe --ca ipa > > Certificate: MIID9j.../Ov8mkjFA== > > Subject: CN=jdoe,O=IPA.TEST > > Issuer: CN=Certificate Authority,O=IPA.TEST > > ... > > """ > > > > should not this be denied by CA-ACL rule? > > > > The default IPA CAACL rule is like this: > > > > """ > > ipa caacl-show hosts_services_caIPAserviceCert > > Enabled: TRUE > > Host category: all > > Service category: all > > Profiles: caIPAserviceCert > > ACL name: hosts_services_caIPAserviceCert > > > > """ > > > > so the default rule should not allow users to request certs at all. > > > Yes, these should be denied. Looking into it. 
> Were you using 'admin' account to request the cert? admin has permission 'Request Certificate ignoring CA ACLs' via the 'Certificate Manager' privilege. If so, please try again with less privileges (e.g. self-service as jdoe). From tbordaz at redhat.com Mon Jun 13 13:54:27 2016 
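The CA ACL behaviour under discussion above (a rule scoped to one sub-CA and one profile, the default hosts/services rule, and the 'Request Certificate ignoring CA ACLs' permission that lets a Certificate Manager bypass the rules), as an added stand-alone model that is not FreeIPA code. Rules, principals and the CA membership of the default rule are constructed here; "category: all" for CAs and profiles is left out of the model.

```python
# Added example, not FreeIPA code: a stand-alone model of CA ACL evaluation
# for cert-request, including the bypass permission held by admin through the
# Certificate Manager privilege. All rules and principals are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List

BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass(frozen=True)
class Principal:
    kind: str                                  # "user", "host" or "service"
    name: str
    permissions: FrozenSet[str] = frozenset()  # permissions of the requester


@dataclass(frozen=True)
class CAACL:
    name: str
    enabled: bool = True
    user_category_all: bool = False
    host_category_all: bool = False
    service_category_all: bool = False
    users: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    cas: FrozenSet[str] = frozenset()        # IPA CA names the rule covers
    profiles: FrozenSet[str] = frozenset()   # profile IDs the rule covers

    def matches_principal(self, p: Principal) -> bool:
        if p.kind == "user":
            return self.user_category_all or p.name in self.users
        if p.kind == "host":
            return self.host_category_all or p.name in self.hosts
        if p.kind == "service":
            return self.service_category_all or p.name in self.services
        return False

    def matches(self, subject: Principal, ca: str, profile: str) -> bool:
        # Every dimension of the rule must match: subject, CA and profile.
        return (self.enabled and self.matches_principal(subject)
                and ca in self.cas and profile in self.profiles)


def cert_request_allowed(acls: List[CAACL], requester: Principal,
                         subject: Principal, ca: str, profile: str) -> bool:
    """True if `requester` may have `ca` issue a `profile` cert for `subject`.

    The bypass permission is checked first: a requester holding it (admin via
    the Certificate Manager privilege) is never subject to CA ACLs, so a
    denial has to be verified with an unprivileged requester such as
    self-service by the user.
    """
    if BYPASS_PERMISSION in requester.permissions:
        return True
    return any(acl.matches(subject, ca, profile) for acl in acls)


# Constructed rules mirroring the thread. That the default rule covers the
# CA named "ipa" is an assumption of this example.
ACLS = [
    CAACL("user_cert_issuance", user_category_all=True,
          cas=frozenset({"user_sub_ca"}),
          profiles=frozenset({"caIPAuserCert"})),
    CAACL("hosts_services_caIPAserviceCert", host_category_all=True,
          service_category_all=True, cas=frozenset({"ipa"}),
          profiles=frozenset({"caIPAserviceCert"})),
]

JDOE = Principal("user", "jdoe")
ADMIN = Principal("user", "admin", frozenset({BYPASS_PERMISSION}))
HOST = Principal("host", "replica1.ipa.test")
```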
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 13 Jun 2016 15:54:27 +0200 Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host In-Reply-To: <575E6905.8020204@redhat.com> References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com> <575AE325.6030605@redhat.com> <575E6905.8020204@redhat.com> Message-ID: <575EBB13.1080204@redhat.com> The fix is good for me. ACK thanks thierry On 06/13/2016 10:04 AM, Ludwig Krispenz wrote: > revised patch (v2) attached: > changed log level > fixed order of statements in freeing host list > > On 06/10/2016 05:56 PM, Ludwig Krispenz wrote: >> >> On 06/10/2016 05:41 PM, thierry bordaz wrote: >>> >>> >>> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote: >>>> >>>> On 06/10/2016 04:44 PM, thierry bordaz wrote: >>>>> Hi Ludwig, >>>>> >>>>> I agree with you there is no path to add a host with an empty >>>>> hostname. >>>>> Your fix looks valid but I would prefer a log in FATAL rather than in >>>>> PLUGIN. >>>> yes, of course that was my intention, copy paste :-) >>>>> >>>>> Also I wonder if a reason of empty hostname could be a >>>>> slapi_ch_free on it but with the host remaining in the list. >>>>> Looking at >>>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852, >>>>> I wonder if the two lines 852 and 853 could lead to this situation. >>>> but this frees the complete replica structure tconf and in the >>>> caller tconf is set to null, so should never be used again. >>> >>> Yes you are right, it cannot lead to an empty hostname in tconf. >>> However I think it can leak because host will be set to 0 at the end >>> of the first iteration. 
>> yes, line 852 and 853 should be switched >>> >>> An other possibility is that in >>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449| >>> ipa_topo_util_init_hosts, 'cn' has an empty value. newhost is not >>> null but empty, so we may create an empty hostname. >>> | >>>>> >>>>> thanks >>>>> thierry >>>>> >>>>> >>>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote: >>>>>> Hi, >>>>>> the attached patch will prevent the crash reported in ticket #5928. >>>>>> >>>>>> So far I do not understand how this situation can occur, there is >>>>>> no reproducer yet. I do not really like this fix as it hides a >>>>>> probable corrupted data structure and would prefer to find the >>>>>> root cause. >>>>>> >>>>>> But please review it, so we can commit it if there is no progress >>>>>> on the root cause. >>>>>> >>>>>> Ludwig >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> -- >>>> Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, >>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander >>> >> >> -- >> Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, >> Commercial register: Amtsgericht Muenchen, HRB 153243, >> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander >> >> > > -- > Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Mon Jun 13 14:11:03 2016 
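The two failure modes debated in the thread above, an entry with an empty name reaching the host list and the order in which the host list and its containing replica structure are freed, in a small stand-alone C sketch. This is an added example for the archive, not the topology plugin's code: the `topo_host` and `topo_replica` structures and the `topo_*` function names are invented for the illustration and are not taken from topology_cfg.c or topology_util.c, and the hostnames are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the plugin's host list and replica config;
 * the names are made up for this example, not the plugin's own. */
struct topo_host {
    char *hostname;
    struct topo_host *next;
};

struct topo_replica {
    char *name;
    struct topo_host *hosts;
};

struct topo_replica *topo_new_replica(const char *name)
{
    struct topo_replica *r = calloc(1, sizeof(*r));
    if (r == NULL)
        return NULL;
    r->name = strdup(name);
    if (r->name == NULL) {
        free(r);
        return NULL;
    }
    return r;
}

/* Adds a host. A NULL or empty name (the "cn has an empty value" case from
 * the thread) is rejected here, where the entry would enter the list, not
 * discovered later by code that assumes every hostname is non-empty.
 * Returns 0 on success, -1 otherwise; the list is unchanged on failure. */
int topo_add_host(struct topo_replica *r, const char *name)
{
    if (r == NULL || name == NULL || name[0] == '\0') {
        fprintf(stderr, "topo_add_host: refusing empty hostname for replica '%s'\n",
                r != NULL ? r->name : "(null)");
        return -1;
    }
    struct topo_host *h = calloc(1, sizeof(*h));
    if (h == NULL)
        return -1;
    h->hostname = strdup(name);
    if (h->hostname == NULL) {
        free(h);
        return -1;
    }
    h->next = r->hosts;
    r->hosts = h;
    return 0;
}

size_t topo_count_hosts(const struct topo_replica *r)
{
    size_t n = 0;
    for (const struct topo_host *h = r->hosts; h != NULL; h = h->next)
        n++;
    return n;
}

/* 1 if any entry carries an empty hostname (the corrupted state the crash
 * fix guards against), else 0. */
int topo_has_empty_hostname(const struct topo_replica *r)
{
    for (const struct topo_host *h = r->hosts; h != NULL; h = h->next)
        if (h->hostname == NULL || h->hostname[0] == '\0')
            return 1;
    return 0;
}

/* Releases every host first and the container last, reading each 'next'
 * before its node is freed. Freeing the container before the walk touches
 * freed memory; clearing the list head before the walk leaks the nodes.
 * Returns the number of hosts released so the caller can verify the count. */
size_t topo_free_replica(struct topo_replica *r)
{
    size_t freed = 0;
    if (r == NULL)
        return 0;
    struct topo_host *h = r->hosts;
    while (h != NULL) {
        struct topo_host *next = h->next;
        free(h->hostname);
        free(h);
        freed++;
        h = next;
    }
    r->hosts = NULL;
    free(r->name);
    free(r);   /* r dangles from here; the caller must drop its copy */
    return freed;
}

/* Self-check with constructed hostnames: 1 when every expectation holds. */
int topo_selftest(void)
{
    struct topo_replica *r = topo_new_replica("replica-a");
    if (r == NULL)
        return 0;
    int ok = topo_add_host(r, "ipa1.example.test") == 0
          && topo_add_host(r, "") == -1        /* rejected, list unchanged */
          && topo_add_host(r, NULL) == -1
          && topo_add_host(r, "ipa2.example.test") == 0
          && topo_count_hosts(r) == 2
          && topo_has_empty_hostname(r) == 0;
    size_t freed = topo_free_replica(r);
    return ok && freed == 2;
}

int main(void)
{
    int ok = topo_selftest();
    printf("host list self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Built with a sanitizer (for instance `-fsanitize=address`), swapping the `free(r)` above the loop, or setting `r->hosts = NULL` before walking it, is reported immediately as a use-after-free or a leak, which is the kind of check that would have caught the ordering problem at lines 852 and 853 discussed in the thread.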
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 13 Jun 2016 16:11:03 +0200
Subject: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
Message-ID: <575EBEF7.9010201@redhat.com>

This is the fix for https://fedorahosted.org/freeipa/ticket/5944

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-sure-ipapwd_extop-takes-precedence-over-passwd_.patch
Type: text/x-patch
Size: 1300 bytes
Desc: not available
URL:

From mbasti at redhat.com Mon Jun 13 14:25:52 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 13 Jun 2016 16:25:52 +0200
Subject: [Freeipa-devel] [PATCH 0023] topology plugins sigsev when adding a managed host
In-Reply-To: <575EBB13.1080204@redhat.com>
References: <575A9819.3030803@redhat.com> <575AD239.2080101@redhat.com> <575ADB5A.6060900@redhat.com> <575ADFA8.5010306@redhat.com> <575AE325.6030605@redhat.com> <575E6905.8020204@redhat.com> <575EBB13.1080204@redhat.com>
Message-ID: <6ab9275e-6cc0-45f2-10e4-4ced8c7bed73@redhat.com>

On 13.06.2016 15:54, thierry bordaz wrote:
>
> The fix is good for me. ACK
>
> thanks
> thierry
> On 06/13/2016 10:04 AM, Ludwig Krispenz wrote:
>> revised patch (v2) attached:
>> changed log level
>> fixed order of statements in freeing host list
>>
>> On 06/10/2016 05:56 PM, Ludwig Krispenz wrote:
>>>
>>> On 06/10/2016 05:41 PM, thierry bordaz wrote:
>>>>
>>>> On 06/10/2016 05:23 PM, Ludwig Krispenz wrote:
>>>>>
>>>>> On 06/10/2016 04:44 PM, thierry bordaz wrote:
>>>>>> Hi Ludwig,
>>>>>>
>>>>>> I agree with you there is no path to add a host with an empty
>>>>>> hostname.
>>>>>> Your fix looks valid but I would prefer a log in FATAL rather than in
>>>>>> PLUGIN.
>>>>> yes, of course that was my intention, copy paste :-)
>>>>>>
>>>>>> Also I wonder if a reason of empty hostname could be a
>>>>>> slapi_ch_free on it but with the host remaining in the list.
>>>>>> Looking at
>>>>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_cfg.c#n852,
>>>>>> I wonder if the two lines 852 and 853 could lead to this situation.
>>>>> but this frees the complete replica structure tconf and in the
>>>>> caller tconf is set to null, so should never be used again.
>>>>
>>>> Yes you are right, it cannot lead to an empty hostname in tconf.
>>>> However I think it can leak because host will be set to 0 at the
>>>> end of the first iteration.
>>> yes, line 852 and 853 should be switched
>>>>
>>>> Another possibility is that in
>>>> https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-slapi-plugins/topology/topology_util.c#n1449
>>>> ipa_topo_util_init_hosts, 'cn' has an empty value. newhost is not
>>>> null but empty, so we may create an empty hostname.
>>>>>>
>>>>>> thanks
>>>>>> thierry
>>>>>>
>>>>>> On 06/10/2016 12:36 PM, Ludwig Krispenz wrote:
>>>>>>> Hi,
>>>>>>> the attached patch will prevent the crash reported in ticket #5928.
>>>>>>>
>>>>>>> So far I do not understand how this situation can occur, there
>>>>>>> is no reproducer yet. I do not really like this fix as it hides
>>>>>>> a probable corrupted data structure and would prefer to find the
>>>>>>> root cause.
>>>>>>>
>>>>>>> But please review it, so we can commit it if there is no
>>>>>>> progress on the root cause.
>>>>>>>
>>>>>>> Ludwig
>>>>>>>
>
Pushed to master: 0b11b36bf215a351050280ab0b329ceda7a9dccf

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tbordaz at redhat.com Mon Jun 13 14:35:53 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 13 Jun 2016 16:35:53 +0200
Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
Message-ID: <575EC4C9.7070901@redhat.com>

Hello,

In order to support the update of the password (and krbkey) of an entry in the compat tree, it requires that:

1. DS (https://fedorahosted.org/389/ticket/48880) --> already fixed
   It should support registration of pre/post extended operation and call them upon extended operation
2. slapi-nis (https://fedorahosted.org/freeipa/ticket/5955) --> under development
   registers a pre-extop that catches the password change and translates the requested DN, if it is mapped, into the real DN
3. ipapwd_extop (https://fedorahosted.org/freeipa/ticket/5946) --> this review
   Uses a target_DN set by the pre-extop callback, instead of the one defined in the LDAP ber req

So this review is about the 3rd item.

thanks
thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ipapwd_extop-should-use-TARGET_DN-defined-by-a-pre-e.patch
Type: text/x-patch
Size: 2909 bytes
Desc: not available
URL:

From mbabinsk at redhat.com Mon Jun 13 14:35:54 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 13 Jun 2016 16:35:54 +0200
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
In-Reply-To: <20160613133208.GT4744@dhcp-40-8.bne.redhat.com>
References: <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com>
Message-ID: <30a07efd-579d-9252-9aec-558bf656390f@redhat.com>

On 06/13/2016 03:32 PM, Fraser Tweedale wrote:
> On Mon, Jun 13, 2016 at 11:17:21PM +1000, Fraser Tweedale wrote:
>> On Mon, Jun 13, 2016 at 12:48:18PM +0200, Martin Babinsky wrote:
>>> On 06/13/2016 08:59 AM, Jan Cholasta wrote:
>>>> On 13.6.2016 08:38, Fraser Tweedale wrote:
>>>>> On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote:
>>>>>> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote:
>>>>>>> On 9.6.2016 11:10, Fraser Tweedale wrote:
>>>>>>>> On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote:
>>>>>>>>> On 9.6.2016 08:44, Fraser Tweedale wrote:
>>>>>>>>>> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote:
>>>>>>>>>>> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote:
>>>>>>>>>>>> On 8.6.2016 05:15, Fraser Tweedale wrote:
>>>>>>>>>>>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote:
>>>>>>>>>>>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote:
>>>>>>>>>>>>>>> Hi team,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This patchset implements the 'ca' plugin for creating and
>>>>>>>>>>>>>>> managing lightweight sub-CAs, and updates the 'caacl' plugin
>>>>>>>>>>>>>>> and 'cert-request' command to support multiple CAs.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> A brief overview of the patches:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 0059
>>>>>>>>>>>>>>>   'ca' plugin, associated schema changes and container objects,
>>>>>>>>>>>>>>>   Dogtag REST API wrapper
>>>>>>>>>>>>>>> 0060
>>>>>>>>>>>>>>>   Add CA entry for the IPA CA on install/upgrade
>>>>>>>>>>>>>>> 0061
>>>>>>>>>>>>>>>   Update 'caacl' plugin with CA support (including enforcement)
>>>>>>>>>>>>>>> 0062
>>>>>>>>>>>>>>>   Update ra.request_certificate() to support specifying
>>>>>>>>>>>>>>>   target CA
>>>>>>>>>>>>>>> 0063
>>>>>>>>>>>>>>>   Add '--ca' option to 'cert-request' command
>>>>>>>>>>>>>>> 0064
>>>>>>>>>>>>>>>   Add '--issuer' option to 'cert-find' command
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> These patches depend on other pending patches:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 0051, 0052, 0053, 0054, 0055, 0056
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Signing key replication depends on unmerged Dogtag patches.
>>>>>>>>>>>>>>> Builds of Dogtag with the required patches, and of FreeIPA with
>>>>>>>>>>>>>>> all completed sub-CAs work, should be available from my COPR
>>>>>>>>>>>>>>> soon: https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Some parts of the design are not implemented in the current
>>>>>>>>>>>>>>> patchset, including:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> - local parent CA (ipaca object) references
>>>>>>>>>>>>>>> - sub-CA certificate renewal
>>>>>>>>>>>>>>> - 'cert-show' command '--ca=NAME' option
>>>>>>>>>>>>>>> - certmonger support for specifying CA
>>>>>>>>>>>>>>> - revocation of deleted CAs
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I look forward to your reviews!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>> Fraser
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rebased and updated patches attached.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Substantive changes:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - add required attributes for issuer DN and subject DN
>>>>>>>>>>>>>> - prevent rename of IPA CA
>>>>>>>>>>>>>> - when adding IPA CA entry, contact Dogtag to learn authority id,
>>>>>>>>>>>>>>   issuer DN and subject DN
>>>>>>>>>>>>>> - add 'read_ca' method to Dogtag interface
>>>>>>>>>>>>>> - tighten ACIs to prevent modification of ipacaid attribute
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca
>>>>>>>>>>>>> option to cert-show and cert-find.
>>>>>>>>>>>>
>>>>>>>>>>>> Patch 0059:
>>>>>>>>>>>>
>>>>>>>>>>>> 1) On upgrade, why is the lightweight CA container created
>>>>>>>>>>>> twice - once in 41-subca.update, once using ensure_entry() call?
>>>>>>>>>>>> It should be done only once.
>>>>>>>>>>>>
>>>>>>>>>>> I'll remove 41-subca.update; the routine in cainstance is the one
>>>>>>>>>>> that's needed.
>>>>>>>>>>>
>>>>>>>>>>>> 2) In ca_del, every CA specified in args[0] should be deleted,
>>>>>>>>>>>> not just the first one.
>>>>>>>>>>>>
>>>>>>>>>>>> 3) Do not use NonFatalError, issue a warning instead:
>>>>>>>>>>>>
>>>>>>>>>>>>     self.add_message(MyNewWarningClass(name=...))
>>>>>>>>>>>>
>>>>>>>>>>>> 4) Can it actually happen that ca_show does not return ipacaid?
>>>>>>>>>>>> I guess not, so you should be able to remove the check altogether
>>>>>>>>>>>> and don't bother with the warning.
>>>>>>>>>>>>
>>>>>>>>>>> ipacaid is mandatory now, so I'll remove the check.
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Patch 0060-0062: LGTM
>>>>>>>>>>>>
>>>>>>>>>>> Yippee \o/
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Patch 0063:
>>>>>>>>>>>>
>>>>>>>>>>>> Could you please define the CA param as follows:
>>>>>>>>>>>>
>>>>>>>>>>>>     Str('cacn?',
>>>>>>>>>>>>         cli_name='ca',
>>>>>>>>>>>>         query=True,
>>>>>>>>>>>>         label=_("CA"),
>>>>>>>>>>>>         doc=_("CA to use"),
>>>>>>>>>>>>     ),
>>>>>>>>>>>>
>>>>>>>>>>>> ?
>>>>>>>>>>>>
>>>>>>>>>>>> This is for consistency with framework-generated parent key
>>>>>>>>>>>> params, which unfortunately we cannot leverage in cert_request
>>>>>>>>>>>> currently.
>>>>>>>>>>>>
>>>>>>>>>>> No problemo.
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Patch 0064:
>>>>>>>>>>>>
>>>>>>>>>>>> 1) See my comment for patch 0063, it applies here as well.
>>>>>>>>>>>>
>>>>>>>>>>>> 2) The --issuer option should not be included in cert_show -
>>>>>>>>>>>> show commands are supposed to retrieve an object given primary
>>>>>>>>>>>> key(s), and the primary key of CA objects is just their cn.
>>>>>>>>>>>>
>>>>>>>>>>> The --issuer argument is because primary key for a cert is really
>>>>>>>>>>> (issuer, serial). So it shows the cert _with_ that issuer (and
>>>>>>>>>>> serial), not the cert _for_ that issuer.
>>>>>>>>>
>>>>>>>>> Correct, but in IPA the issuer is represented by the CA object, so
>>>>>>>>> in IPA the primary key for a certificate is actually (CA name, serial).
>>>>>>>>>
>>>>>>>>> Certificate lookup by issuer name and serial is actually a search
>>>>>>>>> operation, analogous to how CA lookup by subject name is also a
>>>>>>>>> search operation, so it should be done by cert-find.
>>>>>>>>>
>>>>>>>> OK, I will remove the --issuer option for cert-find.
>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> 3) In find commands, the options form a filter, so instead of
>>>>>>>>>>>> raising MutuallyExclusiveError in cert-find, return an empty
>>>>>>>>>>>> result, as with any other unmatched filter.
>>>>>>>>>>>>
>>>>>>>>>>> Here, --issuer and --ca are two different ways to specify the
>>>>>>>>>>> issuer. --issuer lets you give the issuer DN straight up; --ca
>>>>>>>>>>> takes the name of an IPA CA object and looks up its issuer DN.
>>>>>>>>>>> (Thus it makes no sense to give both options at once).
>>>>>>>>>
>>>>>>>>> That's one way to look at it, but it's true only if you assume that
>>>>>>>>> cert-find can only search certificates in Dogtag. This will very
>>>>>>>>> soon become untrue, as we will allow cert-find to also search
>>>>>>>>> certificates anywhere in LDAP (the server part of ticket #5381).
>>>>>>>>> There, the difference between the options would be that with --ca
>>>>>>>>> you search for certificates issued by the specified managed CA, but
>>>>>>>>> with --issuer you search for certificates with the given issuer
>>>>>>>>> name, be it managed CA or not.
>>>>>>>>>
>>>>>>>> --ca is just a "shorthand" for --issuer - it merely looks up subject
>>>>>>>> DN of the specified CA, and uses that as the issuer option.
>>>>>>>>
>>>>>>>>> For now, IMO the correct behavior should be that if both are
>>>>>>>>> specified and the issuer name of the specified CA does not match
>>>>>>>>> the specified issuer name, empty result is returned, otherwise
>>>>>>>>> carry on with the search in Dogtag.
>>>>>>>>>
>>>>>>>> If I allow both, the behaviour will then be:
>>>>>>>>
>>>>>>>> specify issuer DN only)
>>>>>>>>   search using given issuer DN
>>>>>>>> specify CA only)
>>>>>>>>   search using subject DN of specified CA. If no such CA, error.
>>>>>>>> specify issuer DN and CA)
>>>>>>>>   search using given issuer DN, and ensure that result (if any)
>>>>>>>>   matches subject DN of specified CA. If no such CA, error.
>>>>>>>>
>>>>>>>> I'm happy to implement this if you confirm that you think it's the
>>>>>>>> correct behaviour.
>>>>>>>
>>>>>>> Looks correct to me.
>>>>>>>
>>>>>> Thanks; updated patches attached. Martin, this patch should also
>>>>>> fix the upgrade issue.
>>>>>>
>>>>>> Cheers,
>>>>>> Fraser
>>>>>>
>>>>> Another rebase to fix conflicts in VERSION file. No other changes.
>>>>
>>>> Thanks.
>>>>
>>>> The remaining cert commands (status, revoke, remove-hold) should also
>>>> have the cacn option consistent with cert-show. This can be added in
>>>> further patch, though.
>>>>
>>>> I think it would make sense if the cn argument in ca commands was
>>>> optional, with the default being 'ipa'. This can also be done later.
>>>>
>>>> So LGTM. If Martin agrees, we can push this patch set.
>>>>
>>>
>>> Hi Fraser,
>>>
>>> during functional review I found the following issues:
>>>
>>> 1.)
>>>
>>> If I create a CAACL rule tied to a specific sub-CA, let's say for user
>>> certificate issuance:
>>>
>>> """
>>> ipa caacl-show user_cert_issuance
>>>   Enabled: TRUE
>>>   User category: all
>>>   CAs: user_sub_ca
>>>   Profiles: caIPAuserCert
>>>   ACL name: user_cert_issuance
>>> """
>>>
>>> I can still happily request certificate for a user using root-CA:
>>>
>>> """
>>> ipa cert-request cert.csr --principal jdoe --ca ipa
>>>   Certificate: MIID9j.../Ov8mkjFA==
>>>   Subject: CN=jdoe,O=IPA.TEST
>>>   Issuer: CN=Certificate Authority,O=IPA.TEST
>>>   ...
>>> """
>>>
>>> should this not be denied by CA-ACL rule?
>>>
>>> The default IPA CAACL rule is like this:
>>>
>>> """
>>> ipa caacl-show hosts_services_caIPAserviceCert
>>>   Enabled: TRUE
>>>   Host category: all
>>>   Service category: all
>>>   Profiles: caIPAserviceCert
>>>   ACL name: hosts_services_caIPAserviceCert
>>> """
>>>
>>> so the default rule should not allow users to request certs at all.
>>>
>> Yes, these should be denied. Looking into it.
>>
> Were you using 'admin' account to request the cert? admin has
> permission 'Request Certificate ignoring CA ACLs' via the
> 'Certificate Manager' privilege.
>
> If so, please try again with fewer privileges (e.g. self-service as
> jdoe).
>
You were right, when I was requesting certs as the user principals
themselves everything worked as expected.

Regarding sub-CAs not present on replica, both machines run the
following version of dogtag CA:

pki-ca-10.3.2-3.fc24.noarch

Here are the last 256 lines of the debug log:
http://paste.fedoraproject.org/378512/65828332

--
Martin^3 Babinsky

-------------- next part --------------
[13/Jun/2016:14:21:54][localhost-startStop-1]: ============================================
[13/Jun/2016:14:21:54][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[13/Jun/2016:14:21:54][localhost-startStop-1]: ============================================
[13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path?
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: done init id=debug [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initialized debug [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initSubsystem id=log [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: ready to init id=log [13/Jun/2016:14:21:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) [13/Jun/2016:14:21:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) [13/Jun/2016:14:21:54][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: done init id=log [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initialized log [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initSubsystem id=jss [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: ready to init id=jss [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: done init id=jss [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initialized jss [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs [13/Jun/2016:14:21:54][localhost-startStop-1]: CMSEngine: ready to init id=dbs [13/Jun/2016:14:21:54][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=false [13/Jun/2016:14:21:55][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem) [13/Jun/2016:14:21:55][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:21:55][localhost-startStop-1]: DBSubsystem: Ignore EPropertyNotDefined during pre-op: Property internaldb.ldapconn.port 
missing value [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: done init id=dbs [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: initialized dbs [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: initSubsystem id=usrgrp [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: ready to init id=usrgrp [13/Jun/2016:14:21:55][localhost-startStop-1]: Creating LdapBoundConnFactor(UGSubsystem) [13/Jun/2016:14:21:55][localhost-startStop-1]: LdapBoundConnFactory: init Property internaldb.ldapconn.port missing value at com.netscape.cmscore.base.PropConfigStore.getInteger(PropConfigStore.java:452) at com.netscape.cmscore.ldapconn.LdapConnInfo.init(LdapConnInfo.java:55) at com.netscape.cmscore.ldapconn.LdapConnInfo.(LdapConnInfo.java:45) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:123) at com.netscape.cmscore.usrgrp.UGSubsystem.init(UGSubsystem.java:141) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1166) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1072) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:568) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:122) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1226) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1151) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1038) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4997) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:585) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1794) at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) [13/Jun/2016:14:21:55][localhost-startStop-1]: UGSubsystem.init(): Swallow exception in pre-op mode [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: cert not found:auditSigningCert cert-pki-tomcat [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: done init id=usrgrp [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: initialized usrgrp [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: initSubsystem id=registry [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: ready to init id=registry [13/Jun/2016:14:21:55][localhost-startStop-1]: RegistrySubsystem: start init [13/Jun/2016:14:21:55][localhost-startStop-1]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Authority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:21:55][localhost-startStop-1]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate Authority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile [13/Jun/2016:14:21:55][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate 
1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 4 class=SunJSSE version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0 [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: debug startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: debug startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: log startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: entering LogSubsystem.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: log startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: jss startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: jss startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: dbs startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: dbs 
startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: usrgrp startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: usrgrp startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: registry startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: RegistrySubsystem: startup [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: registry startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: oidmap startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: oidmap startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: X500Name startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: X500Name startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: request startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: request startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: ca startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CertificateAuthority.startup(): Do not start CA in pre-op mode [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: ca startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: profile startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: LDAPProfileSubsystem: startup [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: profile startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: selftests startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: SelfTestSubsystem.startup(): Do not run selftests in pre-op mode [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: selftests startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: CrossCertPair startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: CrossCertPair startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: stats startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: stats startup done 
[13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: auths startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: auths startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: authz startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: authz startup done [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: jobsScheduler startup start [13/Jun/2016:14:21:55][localhost-startStop-1]: CMSEngine: jobsScheduler startup done [13/Jun/2016:14:21:55][http-bio-8443-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [13/Jun/2016:14:21:55][http-bio-8443-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus [13/Jun/2016:14:21:55][http-bio-8443-exec-1]: CMSServlet: caGetStatus start to service. [13/Jun/2016:14:21:55][http-bio-8443-exec-1]: CMSServlet: curDate=Mon Jun 13 14:21:55 UTC 2016 id=caGetStatus time=30 [13/Jun/2016:14:21:56][http-bio-8443-exec-3]: SessionContextInterceptor: SystemConfigResource.configure() [13/Jun/2016:14:21:56][http-bio-8443-exec-3]: SessionContextInterceptor: Not authenticated. 
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: SystemConfigResource.configure()
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: mapping: default
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: loading /usr/share/pki/ca/conf/auth-method.properties
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: checking /var/lib/pki/pki-tomcat/ca/conf/auth-method.properties
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: required auth methods: [*]
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: AuthMethodInterceptor: anonymous access allowed
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: ACLInterceptor: SystemConfigResource.configure()
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: ACLInterceptor.filter: no authorization required
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: ACLInterceptor: No ACL mapping; authz not required.
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: SignedAuditEventFactory: create() message created for eventType=AUTHZ_SUCCESS
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: MessageFormatInterceptor: SystemConfigResource.configure()
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: MessageFormatInterceptor: content-type: application/json
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: MessageFormatInterceptor: accept: [application/json]
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: MessageFormatInterceptor: request format: application/json
[13/Jun/2016:14:21:56][http-bio-8443-exec-3]: MessageFormatInterceptor: response format: application/json
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: SystemConfigService: configure()
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: SystemConfigService: request: ConfigurationRequest [pin=XXXX, token=Internal Key Storage Token, tokenPassword=XXXX, securityDomainType=existingdomain, securityDomainUri=https://master1.ipa.test:443, securityDomainName=null, securityDomainUser=admin-replica1.ipa.test, securityDomainPassword=XXXX, isClone=true, cloneUri=https://master1.ipa.test:443, subsystemName=CA replica1.ipa.test 8443, p12File=/tmp/ca.p12, p12Password=XXXX, hierarchy=root, dsHost=replica1.ipa.test, dsPort=389, baseDN=o=ipaca, bindDN=cn=Directory Manager, bindpwd=XXXX, database=ipaca, secureConn=false, removeData=true, replicateSchema=false, masterReplicationPort=389, cloneReplicationPort=389, replicationSecurity=TLS, systemCertsImported=false, systemCerts=[com.netscape.certsrv.system.SystemCertData@22b1036c], issuingCA=https://master1.ipa.test:443, backupKeys=true, backupPassword=XXXX, backupFile=/etc/pki/pki-tomcat/alias/ca_backup_keys.p12, adminUID=null, adminPassword=XXXX, adminEmail=null, adminCertRequest=null, adminCertRequestType=null, adminSubjectDN=null, adminName=null, adminProfileID=null, adminCert=null, importAdminCert=false, generateServerCert=true, external=false, standAlone=false, stepTwo=false, authdbBaseDN=null, authdbHost=null, authdbPort=null, authdbSecureConn=null, caUri=null, kraUri=null, tksUri=null, enableServerSideKeyGen=null, importSharedSecret=null, generateSubsystemCert=null, sharedDB=false, sharedDBUserDN=null, createNewDB=false, setupReplication=False, subordinateSecurityDomainName=null, reindexData=True]
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: === Token Authentication ===
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: === Security Domain Configuration ===
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: Joining existing security domain
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: Resolving security domain URL https://master1.ipa.test:443
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: Getting security domain cert chain
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getCertChain
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: Getting install token
[13/Jun/2016:14:21:57][http-bio-8443-exec-3]: Getting install token
[13/Jun/2016:14:22:00][http-bio-8443-exec-3]: Getting domain XML
[13/Jun/2016:14:22:00][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info
[13/Jun/2016:14:22:00][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getDomainXML
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: status: 0
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: domain info: IPAmaster1.ipa.test80443443443443FALSECA master1.ipa.test 8443TRUE100000
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: len is 1
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: hostname:
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: admin_port: <443>
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: === Subsystem Configuration ===
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: SystemConfigService: validate clone URI: https://master1.ipa.test:443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: SystemConfigService: import certificate chain from master
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: Searching for SecureAdminPort in CA hosts
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: host: master1.ipa.test
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: SecurePort port: 443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: SecureAdminPort port found: 443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils.importCertChain()
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getCertChain
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: SystemConfigService: get configuration entries from master
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange start host=master1.ipa.test adminPort=443 eePort=443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/admin/ca/updateNumberRange
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: content from admin interface =0999000110000000
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange(): status=0
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange start host=master1.ipa.test adminPort=443 eePort=443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/admin/ca/updateNumberRange
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: content from admin interface =0fff000110000000
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange(): status=0
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange start host=master1.ipa.test adminPort=443 eePort=443
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/admin/ca/updateNumberRange
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: content from admin interface =096100
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateNumberRange(): status=0
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: updateConfigEntries start
[13/Jun/2016:14:22:02][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/admin/ca/getConfigEntries
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]: updateConfigEntries: status=0
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]: SystemConfigService: restore certificates from P12 file
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]: Importing PKCS #12 data
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]: - Safe #0:
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:   - Bag #0: certificate
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Nickname: ocspSigningCert cert-pki-ca
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Serial number: 2
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Status: valid
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:   - Bag #1: certificate
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Nickname: caSigningCert cert-pki-ca
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Serial number: 1
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Status: valid
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:   - Bag #2: certificate
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Nickname: subsystemCert cert-pki-ca
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Serial number: 4
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Status: valid
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:   - Bag #3: certificate
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Nickname: auditSigningCert cert-pki-ca
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Serial number: 5
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:     Status: valid
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]: - Safe #1:
[13/Jun/2016:14:22:03][http-bio-8443-exec-3]:   - Bag #0: key
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:     Subject DN: CN=OCSP Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:   - Bag #1: key
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:     Subject DN: CN=CA Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:   - Bag #2: key
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:     Subject DN: CN=Certificate Authority,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:   - Bag #3: key
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]:     Subject DN: CN=CA Audit,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: ConfigurationUtils.importKeyCert()
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Deleting existing certificates:
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate caSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Certificate nickname caSigningCert cert-pki-ca not found
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate ocspSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Certificate nickname ocspSigningCert cert-pki-ca not found
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate subsystemCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Certificate nickname subsystemCert cert-pki-ca not found
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate auditSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Certificate nickname auditSigningCert cert-pki-ca not found
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Importing new keys:
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Key: CN=OCSP Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Find cert with subject DN CN=OCSP Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 2
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Key: CN=CA Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Find cert with subject DN CN=CA Subsystem,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 4
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Key: CN=Certificate Authority,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Find cert with subject DN CN=Certificate Authority,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 1
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Key: CN=CA Audit,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Find cert with subject DN CN=CA Audit,O=IPA.TEST
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 5
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Importing new certificates:
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate: ocspSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: CA signing cert: false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 2
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate: caSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: CA signing cert: true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 1
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate: subsystemCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: CA signing cert: false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 4
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: - Certificate: auditSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: CA signing cert: false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Imported cert 5
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: SystemConfigService: verify certificates
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: ConfigurationUtils.verifySystemCertificates(): checking certificate caSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: ConfigurationUtils.verifySystemCertificates(): checking certificate ocspSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: ConfigurationUtils.verifySystemCertificates(): checking certificate subsystemCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: ConfigurationUtils.verifySystemCertificates(): checking certificate auditSigningCert cert-pki-ca
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: === Hierarchy Configuration ===
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: === Database Configuration ===
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init()
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: password not in memory
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: getPasswordFromStore: try to get it from password store
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: getPasswordFromStore: about to get from passwored store: internaldb
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: getPasswordFromStore: password store available
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: getPasswordFromStore: password found for prompt in password store
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: increasing minimum connections by 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: new total available connections 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: new number of connections 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: masterConn is connected: true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: getConn: conn is connected true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: getConn: mNumConns now 2
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.usn.ldif
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/usn.ldif
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/usn.ldif
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils)
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init()
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: increasing minimum connections by 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: new total available connections 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: new number of connections 3
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: masterConn is connected: true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: getConn: conn is connected true
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: getConn: mNumConns now 2
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.schema.ldif
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/schema.ldif
[13/Jun/2016:14:22:04][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/schema.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/database.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/database.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.index_ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/index.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/index.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: populateIndexes(): start
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.index_task_ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/indextasks.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/indextasks.ldif
[13/Jun/2016:14:22:52][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589770,cn=index,cn=tasks,cn=config
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: DBSubsystem: init() mEnableSerialMgmt=true
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(DBSubsystem)
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init()
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is true
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown true
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: registered: false
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority init
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(CertificateAuthority)
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init()
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt.
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown false
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Cert Repot inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CRL Repot inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Replica Repot inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority:initSigUnit: ca cert found
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: converted to x509CertImpl
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got private key from cert
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got public key from cert
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: got signing algorithm RSASignatureWithSHA256Digest
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA signing unit inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: cachainNum= 0
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: in init - got CA chain from JSS.
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: ca.ocsp_signing Signing Unit nickname ocspSigningCert cert-pki-ca
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got token Internal Key Storage Token by name
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Found cert by nickname: 'ocspSigningCert cert-pki-ca' with serial number: 2
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: converted to x509CertImpl
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got private key from cert
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Got public key from cert
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: got signing algorithm RSASignatureWithSHA256Digest
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Separate OCSP signing unit inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: in init - got OCSP chain from JSS.
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA First signing algorithm is SHA1withRSA
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: in init - got CA name CN=Certificate Authority,O=IPA.TEST
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority init: initRequestQueue
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: selected policy processor = classic
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: GenericPolicyProcessor::init begins
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is DISABLED
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA policy inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA service inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA notifier inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CA pending notifier inited
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: RequestRepository: constructor2.
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: CertificateAuthority.init(): Abort in pre-op mode
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapAnonConnFactory(PasswdUserDBAuthentication)
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum number of connections by 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total number of connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AuthSubsystem: initializing authentication manager AgentCertAuth
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AuthSubsystem: initializing authentication manager SSLclientCertAuth
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AuthSubsystem: initializing authentication manager TokenAuth
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AuthSubsystem: initializing authentication manager flatFileAuth
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: Splitting String: UID on commas
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: countTokens:1
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: token 0 = UID
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: Splitting String: PWD on commas
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: countTokens:1
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: token 0 = PWD
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: unionOfStrings: 0,0 = UID
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: unionOfStrings: 1,0 = PWD
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: mFilename = /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: mKeyAttributes = UID
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: mAuthAttrs = PWD
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: stringArrays[0][0] = UID
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: stringArrays[1][0] = PWD
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: FlatFileAuth: Read entries from password file - /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AuthSubsystem: initializing authentication manager raCertAuth [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Found authz manager plugin BasicAclAuthz [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AAclAuthz: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: GroupAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: UserAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: UserOrigReqAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Found authz manager plugin DirAclAuthz [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: AAclAuthz: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: GroupAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: UserAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: UserOrigReqAccessEvaluator: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(DirAclAuthz) [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt. 
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: DirAclAuthz: about to ldap search aclResources [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: masterConn is connected: true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: conn is connected true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: mNumConns now 2 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: returnConn: mNumConns now 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(UGSubsystem) [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache 
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt. [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: populateDBManager(): start [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating LdapBoundConnFactor(ConfigurationUtils) [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt. 
[13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: masterConn is connected: true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: conn is connected true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: mNumConns now 2 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS: param=preop.internaldb.manager_ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/server/conf/manager.ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/manager.ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS(): LDAP Errors in importing /var/lib/pki/pki-tomcat/ca/conf/manager.ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LDAPUtil:importLDIF: exception in modifying entry o=ipaca:netscape.ldap.LDAPException: error result (20) [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: populateVLVIndexes(): start [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Creating 
LdapBoundConnFactor(ConfigurationUtils) [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory: init [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init begins [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: prompt is internaldb [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: try getting from memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: got password from memory [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init: password found for prompt. [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: password ok: store in memory cache [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: LdapAuthInfo: init ends [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: makeConnection: errorIfDown false [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: Established LDAP connection using basic authentication to host replica1.ipa.test port 389 as cn=Directory Manager [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 389, secure connection, false, authentication type 1 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: increasing minimum connections by 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new total available connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: new number of connections 3 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: masterConn is connected: true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: conn is connected true [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: getConn: mNumConns now 2 [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS: 
param=preop.internaldb.post_ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlv.ldif [13/Jun/2016:14:22:54][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlv.ldif [13/Jun/2016:14:22:55][http-bio-8443-exec-3]: importLDIFS(): ldif file = /usr/share/pki/ca/conf/vlvtasks.ldif [13/Jun/2016:14:22:55][http-bio-8443-exec-3]: importLDIFS(): ldif file copy to /var/lib/pki/pki-tomcat/ca/conf/vlvtasks.ldif [13/Jun/2016:14:22:55][http-bio-8443-exec-3]: Checking wait_dn cn=index1160589769, cn=index, cn=tasks, cn=config [13/Jun/2016:14:22:57][http-bio-8443-exec-3]: SystemConfigService:processCerts(): san_server_cert not found for tag sslserver [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: configCert: caType is local [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: configCert: caType is remote (revised) [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: ConfigurationUtils: updateConfig() for certTag sslserver [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: updateConfig() done [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: configCert: remote CA [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: CertRequestPanel: got public key [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: CertRequestPanel: got private key [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: ConfigurationUtils: For this Cloned CA, always use its Master CA to generate the 'sslserver' certificate to avoid any changes which may have been made to the X500Name directory string encoding order. 
[13/Jun/2016:14:22:58][http-bio-8443-exec-3]: ConfigurationUtils: injectSAN=false [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: CertUtil: content: {xmlOutput=[true], cert_request_type=[pkcs10], profileId=[caInternalAuthServerCert], cert_request=[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], requestor_name=[CA-replica1.ipa.test-8443], sessionID=[1876710413997685118]} [13/Jun/2016:14:22:58][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/ee/ca/profileSubmit [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: CertUtil: status: 0 [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: CertUtil: cert: 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 [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: getting public key for certificate sslserver [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: getting private key for certificate sslserver [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: private key ID: -5b887f24bcc76ff5f868b61035afbec3ce094e09 [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: generating generic extensions [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: ConfigurationUtils: createGenericExtensions: begins [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: generating PKCS #10 request [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: generateCertRequest: storing cert request [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: Processing 'sslserver' certificate: [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: handleCerts(): for cert tag 'sslserver' using cert type 'remote' [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: handleCerts(): process remote...import cert [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: deleteCert: nickname=Server-Cert cert-pki-ca [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: deleteCert: cert deleted successfully [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: handleCerts(): certchains length=2 [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: 
handleCerts(): import certificate successfully, certTag=sslserver [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: Processed 'sslserver' certificate. [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: === Backup Keys === [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: backupKeys(): start [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: === Admin Configuration === [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: === Finalization === [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: Updating existing security domain [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA... [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info [13/Jun/2016:14:22:59][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getDomainXML [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: ConfigurationUtils: status: 0 [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: ConfigurationUtils: domain info: IPAmaster1.ipa.test80443443443443FALSECA master1.ipa.test 8443TRUE100000 [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: Cloning a domain master [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: Update security domain using admin interface [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML start hostname=master1.ipa.test port=443 [13/Jun/2016:14:23:01][http-bio-8443-exec-3]: ConfigurationUtils: POST https://master1.ipa.test:443/ca/admin/ca/updateDomainXML [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: updateDomainXML: status=0 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: updateSecurityDomain(): Dump contents of updated Security Domain . . . 
[13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getDomainXML [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: status: 0 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: domain info: IPAmaster1.ipa.test80443443443443FALSECA master1.ipa.test 8443TRUEreplica1.ipa.test80443443443443TRUECA replica1.ipa.test 8443TRUE200000 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: masterConn is connected: true [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: getConn: conn is connected true [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: getConn: mNumConns now 2 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: setupDBUser(): user already exists: pkidbuser [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: isSDHostDomainMaster(): Getting domain.xml from CA... [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: getting domain info [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: GET https://master1.ipa.test:443/ca/admin/ca/getDomainXML [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: status: 0 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: ConfigurationUtils: domain info: IPAmaster1.ipa.test80443443443443FALSECA master1.ipa.test 8443TRUEreplica1.ipa.test80443443443443TRUECA replica1.ipa.test 8443TRUE200000 [13/Jun/2016:14:23:02][http-bio-8443-exec-3]: CAInstallerService:disableCRLCachingAndGenerationForClone entering. 
[13/Jun/2016:14:23:02][http-bio-8443-exec-3]: CAInstallerService:disableCRLCachingAndGenerationForClone: masterHost: master1.ipa.test masterPort: 443 [13/Jun/2016:14:23:12][localhost-startStop-1]: ============================================ [13/Jun/2016:14:23:12][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED ======= [13/Jun/2016:14:23:12][localhost-startStop-1]: ============================================ [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=debug [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized debug [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=log [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=log [13/Jun/2016:14:23:12][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) [13/Jun/2016:14:23:12][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) [13/Jun/2016:14:23:12][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=log [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized log [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=jss [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=jss [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=jss [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized jss [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=dbs [13/Jun/2016:14:23:12][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true [13/Jun/2016:14:23:12][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem) [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init ends [13/Jun/2016:14:23:12][localhost-startStop-1]: init: before makeConnection errorIfDown is true 
[13/Jun/2016:14:23:12][localhost-startStop-1]: makeConnection: errorIfDown true [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:12][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:12][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:12][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:12][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:12][localhost-startStop-1]: new number of connections 3 [13/Jun/2016:14:23:12][localhost-startStop-1]: registered: false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=dbs [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized dbs [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=usrgrp [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=usrgrp [13/Jun/2016:14:23:12][localhost-startStop-1]: Creating LdapBoundConnFactor(UGSubsystem) [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init ends [13/Jun/2016:14:23:12][localhost-startStop-1]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:23:12][localhost-startStop-1]: makeConnection: errorIfDown false [13/Jun/2016:14:23:12][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:12][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:12][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:12][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:12][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:12][localhost-startStop-1]: new number of connections 3 
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=usrgrp [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized usrgrp [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=registry [13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=registry [13/Jun/2016:14:23:12][localhost-startStop-1]: RegistrySubsystem: start init [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Authority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate Authority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profile caUserCertEnrollImpl User Certificate Enrollment Profile Certificate Authority User Certificate Enrollment Profile com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault 
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy genericExtDefaultImpl Generic Extension Generic Extension com.netscape.cms.profile.def.GenericExtDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy randomizedValidityDefaultImpl Randomized Validity Default Randomized Validity Default com.netscape.cms.profile.def.RandomizedValidityDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy authorityKeyIdentifierExtDefaultImpl Authority Key Identifier Extension Default Authority Key Identifier Extension Default com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy basicConstraintsExtDefaultImpl Basic Constraints Extension Default Basic Constraints Extension Default com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy keyUsageExtDefaultImpl Key Usage 
Extension Default Key Usage Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OCSP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy issuerAltNameExtDefaultImpl Issuer Alternative Name Extension Default Issuer Alternative Name Extension Default com.netscape.cms.profile.def.IssuerAltNameExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy userKeyDefaultImpl User Supplied Key Default User Supplied Key Default com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy authInfoAccessExtDefaultImpl Authority Info Access Extension Default Authority Info Access Extension Default com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy freshestCRLExtDefaultImpl Freshest CRL Extension Default Freshest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNameDefault nsTokenUserKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin defaultPolicy authzRealmDefaultImpl Authz Realm Default Authz Realm Default com.netscape.cms.profile.def.AuthzRealmDefault
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy noConstraintImpl No Constraint No Constraint com.netscape.cms.profile.constraint.NoConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy subjectNameConstraintImpl Subject Name Constraint Subject Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy uniqueSubjectNameConstraintImpl Unique Subject Name Constraint Unique Subject Name Constraint com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy userSubjectNameConstraintImpl User Subject Name Constraint User Subject Name Constraint com.netscape.cms.profile.constraint.UserSubjectNameConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy validityConstraintImpl Validity Constraint Validity Constraint com.netscape.cms.profile.constraint.ValidityConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy keyUsageExtConstraintImpl Key Usage Extension Constraint Key Usage Extension Constraint com.netscape.cms.profile.constraint.KeyUsageExtConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy nsCertTypeExtConstraintImpl Netscape Certificate Type Extension Constraint Netscape Certificate Type Extension Constraint com.netscape.cms.profile.constraint.NSCertTypeExtConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy extendedKeyUsageExtConstraintImpl Extended Key Usage Extension Constraint Extended Key Usage Extension Constraint com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy keyConstraintImpl Key Constraint Key Constraint com.netscape.cms.profile.constraint.KeyConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy basicConstraintsExtConstraintImpl Basic Constraints Extension Constraint Basic Constraints Extension Constraint com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy extensionConstraintImpl Extension Constraint Extension Constraint com.netscape.cms.profile.constraint.ExtensionConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy signingAlgConstraintImpl Signing Algorithm Constraint Signing Algorithm Constraint com.netscape.cms.profile.constraint.SigningAlgConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy uniqueKeyConstraintImpl Unique Public Key Constraint Unique Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy renewGracePeriodConstraintImpl Renewal Grace Period Constraint Renewal Grace Period Constraint com.netscape.cms.profile.constraint.RenewGracePeriodConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin constraintPolicy authzRealmConstraintImpl Authz Realm Constraint Authz Realm Constraint com.netscape.cms.profile.constraint.AuthzRealmConstraint
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput cmcCertReqInputImpl CMC Certificate Request Input CMC Certificate Request Input com.netscape.cms.profile.input.CMCCertReqInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput certReqInputImpl Certificate Request Input Certificate Request Input com.netscape.cms.profile.input.CertReqInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput keyGenInputImpl Key Generation Input Key Generation Input com.netscape.cms.profile.input.KeyGenInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput encKeyGenInputImpl Encryption Key Generation Input Encryption Key Generation Input com.netscape.cms.profile.input.EncryptionKeyGenInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput signKeyGenInputImpl Encryption Key Generation Input Encryption Key Generation Input com.netscape.cms.profile.input.SigningKeyGenInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput dualKeyGenInputImpl Dual Key Generation Input Dual Key Generation Input com.netscape.cms.profile.input.DualKeyGenInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput subjectNameInputImpl Subject Name Input Subject Name Input com.netscape.cms.profile.input.SubjectNameInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput submitterInfoInputImpl Submitter Information Input Submitter Information Input com.netscape.cms.profile.input.SubmitterInfoInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput genericInputImpl Generic Input Generic Input com.netscape.cms.profile.input.GenericInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput fileSigningInputImpl File Signing Input File Signing Input com.netscape.cms.profile.input.FileSigningInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput imageInputImpl Image Input Image Input com.netscape.cms.profile.input.ImageInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput subjectDNInputImpl Subject DN Input Subject DN Input com.netscape.cms.profile.input.SubjectDNInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl com.netscape.cms.profile.input.nsNKeyCertReqInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl com.netscape.cms.profile.input.nsHKeyCertReqInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput serialNumRenewInputImpl Certificate Renewal Request Serial Number Input Certificate Renewal Request Serial Number Input com.netscape.cms.profile.input.SerialNumRenewInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileInput subjectAltNameExtInputImpl SAN Input SAN Input com.netscape.cms.profile.input.SubjectAltNameExtInput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileOutput certOutputImpl Certificate Output Certificate Output com.netscape.cms.profile.output.CertOutput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileOutput cmmfOutputImpl CMMF Response Output CMMF Response Output com.netscape.cms.profile.output.CMMFOutput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileOutput pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.profile.output.PKCS7Output
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileOutput nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netscape.cms.profile.output.nsNKeyOutput
[13/Jun/2016:14:23:12][localhost-startStop-1]: added plugin profileUpdater subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=registry
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized registry
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=oidmap
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=oidmap
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=oidmap
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized oidmap
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=X500Name
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=X500Name
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=X500Name
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized X500Name
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=request
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=request
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=request
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized request
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority init
[13/Jun/2016:14:23:12][localhost-startStop-1]: Creating LdapBoundConnFactor(CertificateAuthority)
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:12][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:12][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:12][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:12][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: Cert Repot inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: CRL Repot inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: Replica Repot inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority:initSigUnit: ca cert found
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[13/Jun/2016:14:23:12][localhost-startStop-1]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got token Internal Key Storage Token by name
[13/Jun/2016:14:23:12][localhost-startStop-1]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1
[13/Jun/2016:14:23:12][localhost-startStop-1]: converted to x509CertImpl
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got private key from cert
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got public key from cert
[13/Jun/2016:14:23:12][localhost-startStop-1]: got signing algorithm RSASignatureWithSHA256Digest
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA signing unit inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: cachainNum= 0
[13/Jun/2016:14:23:12][localhost-startStop-1]: in init - got CA chain from JSS.
[13/Jun/2016:14:23:12][localhost-startStop-1]: ca.ocsp_signing Signing Unit nickname ocspSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got token Internal Key Storage Token by name
[13/Jun/2016:14:23:12][localhost-startStop-1]: Found cert by nickname: 'ocspSigningCert cert-pki-ca' with serial number: 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: converted to x509CertImpl
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got private key from cert
[13/Jun/2016:14:23:12][localhost-startStop-1]: Got public key from cert
[13/Jun/2016:14:23:12][localhost-startStop-1]: got signing algorithm RSASignatureWithSHA256Digest
[13/Jun/2016:14:23:12][localhost-startStop-1]: Separate OCSP signing unit inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: in init - got OCSP chain from JSS.
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA First signing algorithm is SHA1withRSA
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj
[13/Jun/2016:14:23:12][localhost-startStop-1]: in init - got CA name CN=Certificate Authority,O=IPA.TEST
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority init: initRequestQueue
[13/Jun/2016:14:23:12][localhost-startStop-1]: selected policy processor = classic
[13/Jun/2016:14:23:12][localhost-startStop-1]: GenericPolicyProcessor::init begins
[13/Jun/2016:14:23:12][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is DISABLED
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA policy inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA service inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA notifier inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: CA pending notifier inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: RequestRepository: constructor2.
[13/Jun/2016:14:23:12][localhost-startStop-1]: In setCertStatusUpdateInterval 0
[13/Jun/2016:14:23:12][localhost-startStop-1]: In setCertStatusUpdateInterval interval = 0
[13/Jun/2016:14:23:12][localhost-startStop-1]: In setCertStatusUpdateInterval 600
[13/Jun/2016:14:23:12][localhost-startStop-1]: In setSerialNumberUpdateInterval scheduling serial number update every 600 seconds.
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: About to start updateSerialNumbers
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Starting updateSerialNumbers (entered lock)
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false mCounter=null
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: masterConn is connected: true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: conn is connected true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateFactory Type : X.509
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateFactory Provider : SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: getSerialNumber()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: getSerialNumber serial=1
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository:setSerialNumber 2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: in InitCache
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: Instance of Certificate Repository.
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: minSerial:fff0001 maxSerial: 10000000
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: nextMinSerial: nextMaxSerial:
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: increment:10000000 lowWaterMark: 2000000
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: in getLastSerialNumberInRange: low 268369921 high 268435456
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: masterConn is connected: true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: conn is connected true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Releasing ldap connection
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:;
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false mMinRandomBitLength=4 CollisionRecovery=3,10
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: getLastSerialNumberInRange modeChange=false enableRsnAtConfig=false mForceModeChange=false mode=
[13/Jun/2016:14:23:12][localhost-startStop-1]: PublisherProcessor: startup()
[13/Jun/2016:14:23:12][localhost-startStop-1]: No LdapPublishing enabled
[13/Jun/2016:14:23:12][localhost-startStop-1]: PublisherProcessor: startup: Publishing Queue Enabled: true Priority Level: 0 Maximum Number of Threads: 3 Page Size: 40
[13/Jun/2016:14:23:12][localhost-startStop-1]: setPublishingQueue: Publishing Queue Enabled: true Priority Level: 0 Maximum Number of Threads: 3 Page Size: 40
[13/Jun/2016:14:23:12][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:12][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:12][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: RequestRepository: getPublishingStatus mBaseDN: ou=ca,ou=requests,o=ipaca status: -1
[13/Jun/2016:14:23:12][localhost-startStop-1]: Publishing inited
[13/Jun/2016:14:23:12][localhost-startStop-1]: initializing crl issue point MasterCRL
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: masterConn is connected: true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: conn is connected true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In findCertRecordsInList with Jumpto 268435456
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (certStatus=*) attrs: null pageSize -5 startFrom 09268435456
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList.getSize()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: searching for entry 09268435456
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList.getEntries()
[13/Jun/2016:14:23:12][localhost-startStop-1]: CRL Page Size: 100
[13/Jun/2016:14:23:12][localhost-startStop-1]: getTimeListSize: ListSize=1
[13/Jun/2016:14:23:12][localhost-startStop-1]: CRLIssuingPoint:initConfig: mUnexpectedExceptionWaitTime set to 1800000
[13/Jun/2016:14:23:12][localhost-startStop-1]: CRLIssuingPoint:initConfig: mUnexpectedExceptionLoopMax set to 10
[13/Jun/2016:14:23:12][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:12][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:12][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][authorityMonitor]: authorityMonitor: starting.
[13/Jun/2016:14:23:12][authorityMonitor]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][authorityMonitor]: masterConn is connected: true
[13/Jun/2016:14:23:12][authorityMonitor]: getConn: conn is connected true
[13/Jun/2016:14:23:12][authorityMonitor]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][authorityMonitor]: authorityMonitor: Processed change controls.
[13/Jun/2016:14:23:12][authorityMonitor]: authorityMonitor: immediate result
[13/Jun/2016:14:23:12][authorityMonitor]: readAuthority: new entryUSN = 96
[13/Jun/2016:14:23:12][authorityMonitor]: authorityMonitor: Processed change controls.
[13/Jun/2016:14:23:12][authorityMonitor]: authorityMonitor: immediate result
[13/Jun/2016:14:23:12][authorityMonitor]: readAuthority: new entryUSN = 96
[13/Jun/2016:14:23:12][authorityMonitor]: CertificateAuthority init
[13/Jun/2016:14:23:12][authorityMonitor]: CertificateAuthority:initSigUnit: ca cert found
[13/Jun/2016:14:23:12][authorityMonitor]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj
[13/Jun/2016:14:23:12][authorityMonitor]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca f4f46dea-04aa-48b5-8707-72fe87eac6a1
[13/Jun/2016:14:23:12][authorityMonitor]: Got token Internal Key Storage Token by name
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: entries: 6
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: top: 9
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: size: 15
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastSerialNumberInRange: recList size 15
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastSerialNumberInRange: ltSize 15
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: retrieving entry #0
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: reverse direction getting index 5
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: serialno 15
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: retrieving entry #1
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: reverse direction getting index 4
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: serialno 14
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: retrieving entry #2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: reverse direction getting index 3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: serialno 13
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: retrieving entry #3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: reverse direction getting index 2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: serialno 12
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBVirtualList: retrieving entry #4
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: reverse direction getting index 1
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: serialno 11
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository:getLastCertRecordSerialNo: returning 268369920
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Repository: mLastSerialNo: 268369920
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: masterConn is connected: true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: conn is connected true
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Releasing ldap connection
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:;
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: updateCounter CertificateRepositoryMode =
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: updateCounter modeChange=false
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: CertificateRepository: UpdateCounter mEnableRandomSerialNumbers=false mCounter=-1
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Starting cert checkRanges
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Server not completely started. Returning ..
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Starting request checkRanges
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: Server not completely started. Returning ..
[13/Jun/2016:14:23:12][SerialNumberUpdateTask]: updateSerialNumbers done
[13/Jun/2016:14:23:12][authorityMonitor]: SigningUnit init: debug Certificate object not found
[13/Jun/2016:14:23:12][authorityMonitor]: CA signing key and cert not (yet) present in NSSDB
[13/Jun/2016:14:23:12][authorityMonitor]: Starting KeyRetrieverRunner thread
[13/Jun/2016:14:23:12][authorityMonitor]: Updating certificate in NSSDB; new serial number: 11
[13/Jun/2016:14:23:12][authorityMonitor]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][authorityMonitor]: masterConn is connected: true
[13/Jun/2016:14:23:12][authorityMonitor]: getConn: conn is connected true
[13/Jun/2016:14:23:12][authorityMonitor]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][authorityMonitor]: returnConn: mNumConns now 3
Failed to update certificate
        at com.netscape.ca.CertificateAuthority.checkForNewerCert(CertificateAuthority.java:653)
        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:534)
        at com.netscape.ca.CertificateAuthority.<init>(CertificateAuthority.java:372)
        at com.netscape.ca.CertificateAuthority.readAuthority(CertificateAuthority.java:3238)
        at com.netscape.ca.CertificateAuthority.run(CertificateAuthority.java:3110)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.mozilla.jss.crypto.NoSuchItemOnTokenException
        at org.mozilla.jss.pkcs11.PK11Store.deleteCert(Native Method)
        at com.netscape.ca.CertificateAuthority.checkForNewerCert(CertificateAuthority.java:639)
        ... 5 more
[13/Jun/2016:14:23:12][authorityMonitor]: Error initialising lightweight CA: Failed to update certificate
[13/Jun/2016:14:23:12][localhost-startStop-1]: CertificateAuthority: finished init of host authority
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: done init id=ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initialized ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine::initSubsystem ca Java subsytem about to calculate serverCertNickname.
[13/Jun/2016:14:23:12][localhost-startStop-1]: Subsystem ca init sslserver: tokenName:Internal Key Storage Token nickName:Server-Cert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: initSubsystem id=profile
[13/Jun/2016:14:23:12][localhost-startStop-1]: CMSEngine: ready to init id=profile
[13/Jun/2016:14:23:12][localhost-startStop-1]: LDAPProfileSubsystem: start init
[13/Jun/2016:14:23:12][localhost-startStop-1]: Creating LdapBoundConnFactor(LDAPProfileSubsystem)
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:12][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:12][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:12][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:12][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:12][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Unable to read key retriever class from CS.cfg: Property features.authority.keyRetrieverClass missing value
[13/Jun/2016:14:23:12][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Retrying in 10 seconds
[13/Jun/2016:14:23:12][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:12][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:12][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:12][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:12][profileChangeMonitor]: Profile change monitor: starting.
[13/Jun/2016:14:23:12][profileChangeMonitor]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:12][profileChangeMonitor]: masterConn is connected: true
[13/Jun/2016:14:23:12][profileChangeMonitor]: getConn: conn is connected true
[13/Jun/2016:14:23:12][profileChangeMonitor]: getConn: mNumConns now 2
[13/Jun/2016:14:23:12][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:12][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:12][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:12][profileChangeMonitor]: Start Profile Creation - caUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:12][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: 
loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caECUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: 
loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caECUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caUserSMIMEcapCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.GenericExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caUserSMIMEcapCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caDualCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caDualCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caECDualCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caECDualCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change 
monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - AdminCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - AdminCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caSignedLogCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caSignedLogCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTPSCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTPSCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caRARouterCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caRARouterCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caRouterCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caRouterCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caServerCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caSubsystemCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caSubsystemCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caOtherCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caOtherCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CAValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caCACert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caCrossSignedCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CAValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caCrossSignedCACert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caInstallCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caInstallCACert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caRACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caRACert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caOCSPCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.OCSPNoCheckExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caOCSPCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caStorageCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caStorageCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTransportCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTransportCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caDirPinUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caDirPinUserCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caDirUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthTokenSubjectNameDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caDirUserCert
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caECDirUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthTokenSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NoDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caECDirUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caAgentServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caAgentServerCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caAgentFileSigning caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caAgentFileSigning [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caCMCUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caCMCUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caFullCMCUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caFullCMCUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caSimpleCMCUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caSimpleCMCUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenDeviceKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class 
com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenDeviceKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserEncryptionKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class 
com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenUserEncryptionKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserSigningKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: 
Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenUserSigningKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTempTokenDeviceKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: 
loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTempTokenDeviceKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTempTokenUserEncryptionKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserEncryptionKeyRenewal caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenUserEncryptionKeyRenewal [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserAuthKeyRenewal caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenUserAuthKeyRenewal [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caJarSigningCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NSCertTypeExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: 
loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caJarSigningCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caIPAserviceCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caEncUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caEncUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caEncECUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caEncECUserCert [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserDelegateAuthKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - 
caTokenUserDelegateAuthKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caTokenUserDelegateSigningKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:13][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault 
[13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caTokenUserDelegateSigningKeyEnrollment [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: WARNING attempt to add duplicate Policy userExtensionDefaultImpl:noConstraintImpl Contact System Administrator. [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: WARNING attempt to add duplicate Policy userExtensionDefaultImpl:noConstraintImpl Contact System Administrator. [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - IECUserRoles [13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:13][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:13][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:13][profileChangeMonitor]: Start Profile Creation - caIPAuserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault [13/Jun/2016:14:23:13][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:13][profileChangeMonitor]: Done Profile Creation - caIPAuserCert [13/Jun/2016:14:23:13][localhost-startStop-1]: LDAPProfileSubsystem: finished init [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: done init id=profile [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initialized profile [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initSubsystem id=selftests [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: ready to init id=selftests [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): ENTERING . . . 
[13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test logger parameters [13/Jun/2016:14:23:13][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/selftests.log) [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test plugins [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test plugin parameters [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): loading on demand self tests [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): loading startup self tests [13/Jun/2016:14:23:13][localhost-startStop-1]: SelfTestSubsystem::init(): EXITING. [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: done init id=selftests [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initialized selftests [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initSubsystem id=CrossCertPair [13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: ready to init id=CrossCertPair [13/Jun/2016:14:23:13][localhost-startStop-1]: Creating LdapBoundConnFactor(CrossCertPairSubsystem) [13/Jun/2016:14:23:13][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:13][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:13][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:13][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:13][localhost-startStop-1]: LdapAuthInfo: init ends 
[13/Jun/2016:14:23:13][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:13][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:13][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:13][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:13][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:13][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:13][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:13][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:13][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: done init id=CrossCertPair
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initialized CrossCertPair
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initSubsystem id=stats
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: ready to init id=stats
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: done init id=stats
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initialized stats
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: initSubsystem id=auths
[13/Jun/2016:14:23:13][localhost-startStop-1]: CMSEngine: ready to init id=auths
[13/Jun/2016:14:23:13][localhost-startStop-1]: Creating LdapAnonConnFactory(PasswdUserDBAuthentication)
[13/Jun/2016:14:23:13][localhost-startStop-1]: increasing minimum number of connections by 3
[13/Jun/2016:14:23:13][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:14][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:15][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:15][localhost-startStop-1]: new total number of connections 3
[13/Jun/2016:14:23:15][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:15][localhost-startStop-1]: AuthSubsystem: initializing authentication manager AgentCertAuth
[13/Jun/2016:14:23:15][localhost-startStop-1]: AuthSubsystem: initializing authentication manager SSLclientCertAuth
[13/Jun/2016:14:23:15][localhost-startStop-1]: AuthSubsystem: initializing authentication manager TokenAuth
[13/Jun/2016:14:23:15][localhost-startStop-1]: AuthSubsystem: initializing authentication manager flatFileAuth
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: Splitting String: UID on commas
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: countTokens:1
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: token 0 = UID
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: Splitting String: PWD on commas
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: countTokens:1
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: token 0 = PWD
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: unionOfStrings: 0,0 = UID
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: unionOfStrings: 1,0 = PWD
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: mFilename = /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: mKeyAttributes = UID
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: mAuthAttrs = PWD
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: stringArrays[0][0] = UID
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: stringArrays[1][0] = PWD
[13/Jun/2016:14:23:15][localhost-startStop-1]: FlatFileAuth: Read entries from password file - /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
[13/Jun/2016:14:23:15][localhost-startStop-1]: AuthSubsystem: initializing authentication manager raCertAuth
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: done init id=auths
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: initialized auths
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: initSubsystem id=authz
[13/Jun/2016:14:23:15][localhost-startStop-1]: CMSEngine: ready to init id=authz
[13/Jun/2016:14:23:15][localhost-startStop-1]: Found authz manager plugin BasicAclAuthz
[13/Jun/2016:14:23:15][localhost-startStop-1]: AAclAuthz: init begins
[13/Jun/2016:14:23:15][localhost-startStop-1]: GroupAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: UserAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: UserOrigReqAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: Found authz manager plugin DirAclAuthz
[13/Jun/2016:14:23:15][localhost-startStop-1]: AAclAuthz: init begins
[13/Jun/2016:14:23:15][localhost-startStop-1]: GroupAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: UserAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: UserOrigReqAccessEvaluator: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: Creating LdapBoundConnFactor(DirAclAuthz)
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:15][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:15][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:15][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:16][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:16][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: DirAclAuthz: about to ldap search aclResources
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: done init id=authz
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: initialized authz
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: initSubsystem id=jobsScheduler
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: ready to init id=jobsScheduler
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: done init id=jobsScheduler
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: initialized jobsScheduler
[13/Jun/2016:14:23:16][localhost-startStop-1]: Java version=1.8.0_92
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 0 class=Mozilla-JSS version 4.2.6
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 1 class=SUN version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 2 class=SunRsaSign version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 3 class=SunEC version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 4 class=SunJSSE version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0
[13/Jun/2016:14:23:16][localhost-startStop-1]: Creating LdapBoundConnFactor(LDAPSecurityDomainSessionTable)
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:16][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:16][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:16][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:16][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:16][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:16][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: debug startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: debug startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: log startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: entering LogSubsystem.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: LogFile: entering LogFile.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: LogFile: entering LogFile.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: LogFile: entering LogFile.startup()
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: log startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: jss startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: jss startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: dbs startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: dbs startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: usrgrp startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: usrgrp startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: registry startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: RegistrySubsystem: startup
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: registry startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: oidmap startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: oidmap startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: X500Name startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: X500Name startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: request startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: request startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: ca startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertificateIssuedListener: template file directory: /var/lib/pki/pki-tomcat/ca/emails/
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertificateIssuedListener: Reject file path: /var/lib/pki/pki-tomcat/ca/emails/certRequestRejected.html
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertificateRevokedListener: template file directory: /var/lib/pki/pki-tomcat/ca/emails/
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertificateRevokedListener: Reject file path: /var/lib/pki/pki-tomcat/ca/emails/certRequestRejected.html
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestInQuListener: agentport = 443
[13/Jun/2016:14:23:16][localhost-startStop-1]: PublishProcessor::publishCACert
[13/Jun/2016:14:23:16][localhost-startStop-1]: No rule can be found for publishing: cacert
[13/Jun/2016:14:23:16][localhost-startStop-1]: published ca cert
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: ca startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: profile startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: LDAPProfileSubsystem: startup
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: profile startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: selftests startup start
[13/Jun/2016:14:23:16][Timer-0]: SessionTimer: run()
[13/Jun/2016:14:23:16][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds()
[13/Jun/2016:14:23:16][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca
[13/Jun/2016:14:23:16][Timer-0]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][Timer-0]: masterConn is connected: true
[13/Jun/2016:14:23:16][Timer-0]: getConn: conn is connected true
[13/Jun/2016:14:23:16][Timer-0]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][Timer-0]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][Timer-0]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][Timer-0]: masterConn is connected: true
[13/Jun/2016:14:23:16][Timer-0]: getConn: conn is connected true
[13/Jun/2016:14:23:16][Timer-0]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][Timer-0]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][RequestRecoverThread]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][RequestRecoverThread]: masterConn is connected: true
[13/Jun/2016:14:23:16][RequestRecoverThread]: getConn: conn is connected true
[13/Jun/2016:14:23:16][RequestRecoverThread]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: SelfTestSubsystem: running CAPresence
[13/Jun/2016:14:23:16][localhost-startStop-1]: SelfTestSubsystem: running SystemCertsVerification
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByTag(signing)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(caSigningCert cert-pki-ca, SSLCA)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(caSigningCert cert-pki-ca, true, SSLCA)
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[13/Jun/2016:14:23:16][RequestRecoverThread]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByTag(ocsp_signing)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(ocspSigningCert cert-pki-ca, StatusResponder)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(ocspSigningCert cert-pki-ca, true, StatusResponder)
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByTag(sslserver)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer)
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByTag(subsystem)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(subsystemCert cert-pki-ca, SSLClient)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(subsystemCert cert-pki-ca, true, SSLClient)
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca, ObjectSigner)
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(auditSigningCert cert-pki-ca, true, ObjectSigner)
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[13/Jun/2016:14:23:16][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=SELFTESTS_EXECUTION
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: selftests startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: CrossCertPair startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: CrossCertPair startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: stats startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: stats startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: auths startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: auths startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: authz startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: authz startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: jobsScheduler startup start
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: jobsScheduler startup done
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: checking request serial number ranges for the CA
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: getSerialNumber()
[13/Jun/2016:14:23:16][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: getSerialNumber serial=0
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: in InitCache
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: Instance of Request Repository or CRLRepository.
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: minSerial:9990001 maxSerial: 10000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: nextMinSerial: nextMaxSerial:
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: increment:10000000 lowWaterMark: 2000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestRepository: in getLastSerialNumberInRange: min 9990001 max 10000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue@4475ff7f
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: getLastRequestId: low 9990001 high 10000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 10000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 0810000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList.getSize()
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: searching for entry 0810000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList.getEntries()
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: entries: 6
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: top: 9
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: size: 15
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: getLastRequestId: size 15
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: getSizeBeforeJumpTo: 15
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: retrieving entry #0
[13/Jun/2016:14:23:16][localhost-startStop-1]: reverse direction getting index 5
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: curReqId: 15
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: retrieving entry #1
[13/Jun/2016:14:23:16][localhost-startStop-1]: reverse direction getting index 4
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: curReqId: 14
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: retrieving entry #2
[13/Jun/2016:14:23:16][localhost-startStop-1]: reverse direction getting index 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: curReqId: 13
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: retrieving entry #3
[13/Jun/2016:14:23:16][localhost-startStop-1]: reverse direction getting index 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: curReqId: 12
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBVirtualList: retrieving entry #4
[13/Jun/2016:14:23:16][localhost-startStop-1]: reverse direction getting index 1
[13/Jun/2016:14:23:16][localhost-startStop-1]: RequestQueue: curReqId: 11
[13/Jun/2016:14:23:16][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: returning 9990000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Repository: mLastSerialNo: 9990000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Serial numbers left in range: 10000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Last Serial Number: 9990000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Serial Numbers available: 10000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Low water mark reached. Requesting next range
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 10000001 - 20000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Releasing ldap connection
[13/Jun/2016:14:23:16][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: nNextMinSerialNo has been set to 10000001
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBSubsystem: Setting next min requests number: 10000001
[13/Jun/2016:14:23:16][localhost-startStop-1]: DBSubsystem: Setting next max requests number: 20000000
[13/Jun/2016:14:23:16][localhost-startStop-1]: Checking for a range conflict
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:16][localhost-startStop-1]: Releasing ldap connection
[13/Jun/2016:14:23:16][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:16][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges
[13/Jun/2016:14:23:16][localhost-startStop-1]: Serial numbers left in range: 65536
[13/Jun/2016:14:23:16][localhost-startStop-1]: Last Serial Number: 268369920
[13/Jun/2016:14:23:16][localhost-startStop-1]: Serial Numbers available: 65536
[13/Jun/2016:14:23:16][localhost-startStop-1]: Low water mark reached. Requesting next range
[13/Jun/2016:14:23:16][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:16][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:16][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:17][localhost-startStop-1]: DBSubsystem: getNextRange Next range has been added: 10000001 - 20000000
[13/Jun/2016:14:23:17][localhost-startStop-1]: Releasing ldap connection
[13/Jun/2016:14:23:17][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:17][localhost-startStop-1]: nNextMinSerialNo has been set to 10000001
[13/Jun/2016:14:23:17][localhost-startStop-1]: DBSubsystem: Setting next min certs number: 10000001
[13/Jun/2016:14:23:17][localhost-startStop-1]: DBSubsystem: Setting next max certs number: 20000000
[13/Jun/2016:14:23:17][localhost-startStop-1]: Checking for a range conflict
[13/Jun/2016:14:23:17][localhost-startStop-1]: In LdapBoundConnFactory::getConn()
[13/Jun/2016:14:23:17][localhost-startStop-1]: masterConn is connected: true
[13/Jun/2016:14:23:17][localhost-startStop-1]: getConn: conn is connected true
[13/Jun/2016:14:23:17][localhost-startStop-1]: getConn: mNumConns now 2
[13/Jun/2016:14:23:17][localhost-startStop-1]: Releasing ldap connection
[13/Jun/2016:14:23:17][localhost-startStop-1]: returnConn: mNumConns now 3
[13/Jun/2016:14:23:17][http-nio-8080-exec-1]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}.
[13/Jun/2016:14:23:17][http-nio-8080-exec-1]: CMSServlet:service() uri = /ca/admin/ca/getStatus
[13/Jun/2016:14:23:17][http-nio-8080-exec-1]: CMSServlet: caGetStatus start to service.
[13/Jun/2016:14:23:17][http-nio-8080-exec-1]: CMSServlet: curDate=Mon Jun 13 14:23:17 UTC 2016 id=caGetStatus time=38
[13/Jun/2016:14:23:17][http-nio-8080-exec-3]: according to ccMode, authorization for servlet: caGetCertChain is LDAP based, not XML {1}, use default authz mgr: {2}.
[13/Jun/2016:14:23:17][http-nio-8080-exec-3]: CMSServlet:service() uri = /ca/ee/ca/getCertChain
[13/Jun/2016:14:23:17][http-nio-8080-exec-3]: CMSServlet: caGetCertChain start to service.
[13/Jun/2016:14:23:17][http-nio-8080-exec-3]: CMSServlet: curDate=Mon Jun 13 14:23:17 UTC 2016 id=caGetCertChain time=12
[13/Jun/2016:14:23:22][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Unable to read key retriever class from CS.cfg: Property features.authority.keyRetrieverClass missing value
[13/Jun/2016:14:23:22][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Retrying in 15 seconds
[13/Jun/2016:14:23:42][localhost-startStop-1]: ============================================
[13/Jun/2016:14:23:42][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[13/Jun/2016:14:23:42][localhost-startStop-1]: ============================================
[13/Jun/2016:14:23:42][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:42][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:42][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:42][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=debug
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized debug
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=log
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=log
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=log
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized log
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=jss
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=jss
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized jss
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=dbs
[13/Jun/2016:14:23:43][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:43][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[13/Jun/2016:14:23:43][localhost-startStop-1]: makeConnection: errorIfDown true
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:43][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:43][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:43][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: registered: false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=dbs
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized dbs
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=usrgrp
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=usrgrp
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating LdapBoundConnFactor(UGSubsystem)
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:43][localhost-startStop-1]: init: before makeConnection errorIfDown is false
[13/Jun/2016:14:23:43][localhost-startStop-1]: makeConnection: errorIfDown false
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: SSL handshake happened
[13/Jun/2016:14:23:43][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636
[13/Jun/2016:14:23:43][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2
[13/Jun/2016:14:23:43][localhost-startStop-1]: increasing minimum connections by 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: new total available connections 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: new number of connections 3
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=usrgrp
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized usrgrp
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=registry
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=registry
[13/Jun/2016:14:23:43][localhost-startStop-1]: RegistrySubsystem: start init
[13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profile caEnrollImpl Generic Certificate Enrollment Profile Certificate Authority Generic Certificate Enrollment Profile com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profile caCACertEnrollImpl CA Certificate Enrollment Profile Certificate Authority CA Certificate Enrollment Profile com.netscape.cms.profile.common.CACertCAEnrollProfile
[13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profile caServerCertEnrollImpl Server Certificate Enrollment Profile Certificate Authority Server Certificate Enrollment Profile com.netscape.cms.profile.common.ServerCertCAEnrollProfile
[13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profile caUserCertEnrollImpl User Certificate Enrollment Profile Certificate Authority
User Certificate Enrollment Profile com.netscape.cms.profile.common.UserCertCAEnrollProfile [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy noDefaultImpl No Default No Default com.netscape.cms.profile.def.NoDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy genericExtDefaultImpl Generic Extension Generic Extension com.netscape.cms.profile.def.GenericExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy autoAssignDefaultImpl Auto Request Assignment Default Auto Request Assignment Default com.netscape.cms.profile.def.AutoAssignDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy subjectNameDefaultImpl Subject Name Default Subject Name Default com.netscape.cms.profile.def.SubjectNameDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy validityDefaultImpl Validity Default Validty Default com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy randomizedValidityDefaultImpl Randomized Validity Default Randomized Validity Default com.netscape.cms.profile.def.RandomizedValidityDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy caValidityDefaultImpl CA Certificate Validity Default CA Certificate Validty Default com.netscape.cms.profile.def.CAValidityDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy subjectKeyIdentifierExtDefaultImpl Subject Key Identifier Default Subject Key Identifier Default com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy authorityKeyIdentifierExtDefaultImpl Authority Key Identifier Extension Default Authority Key Identifier Extension Default com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy 
basicConstraintsExtDefaultImpl Basic Constraints Extension Default Basic Constraints Extension Default com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy keyUsageExtDefaultImpl Key Usage Extension Default Key Usage Extension Default com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy nsCertTypeExtDefaultImpl Netscape Certificate Type Extension Default Netscape Certificate Type Extension Default com.netscape.cms.profile.def.NSCertTypeExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy extendedKeyUsageExtDefaultImpl Extended Key Usage Extension Default Extended Key Usage Extension Default com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy ocspNoCheckExtDefaultImpl OCSP No Check Extension Default OCSP No Check Extension Default com.netscape.cms.profile.def.OCSPNoCheckExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy issuerAltNameExtDefaultImpl Issuer Alternative Name Extension Default Issuer Alternative Name Extension Default com.netscape.cms.profile.def.IssuerAltNameExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy subjectAltNameExtDefaultImpl Subject Alternative Name Extension Default Subject Alternative Name Extension Default com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy userSubjectNameDefaultImpl User Supplied Subject Name Default User Supplied Subject Name Default com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy signingAlgDefaultImpl Signing Algorithm Default Signing Algorithm Default com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added 
plugin defaultPolicy userKeyDefaultImpl User Supplied Key Default User Supplied Key Default com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy userValidityDefaultImpl User Supplied Validity Default User Supplied Validity Default com.netscape.cms.profile.def.UserValidityDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy userExtensionDefaultImpl User Supplied Extension Default User Supplied Extension Default com.netscape.cms.profile.def.UserExtensionDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy userSigningAlgDefaultImpl User Supplied Signing Alg Default User Supplied Signing Alg Default com.netscape.cms.profile.def.UserSigningAlgDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy authTokenSubjectNameDefaultImpl Token Supplied Subject Name Default Token Supplied Subject Name Default com.netscape.cms.profile.def.AuthTokenSubjectNameDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy subjectInfoAccessExtDefaultImpl Subject Info Access Extension Default Subject Info Access Extension Default com.netscape.cms.profile.def.SubjectInfoAccessExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy authInfoAccessExtDefaultImpl Authority Info Access Extension Default Authority Info Access Extension Default com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy nscCommentExtDefaultImpl Netscape Comment Extension Default Netscape Comment Extension Default com.netscape.cms.profile.def.NSCCommentExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy freshestCRLExtDefaultImpl Freshest CRL Extension Default Freshest CRL Extension Default com.netscape.cms.profile.def.FreshestCRLExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy 
crlDistributionPointsExtDefaultImpl CRL Distribution Points Extension Default CRL Distribution Points Extension Default com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy policyConstraintsExtDefaultImpl Policy Constraints Extension Default Policy Constraints Extension Default com.netscape.cms.profile.def.PolicyConstraintsExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy policyMappingsExtDefaultImpl Policy Mappings Extension Default Policy Mappings Extension Default com.netscape.cms.profile.def.PolicyMappingsExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy nameConstraintsExtDefaultImpl Name Constraints Extension Default Name Constraints Extension Default com.netscape.cms.profile.def.NameConstraintsExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy certificateVersionDefaultImpl Certificate Version Default Certificate Version Default com.netscape.cms.profile.def.CertificateVersionDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy certificatePoliciesExtDefaultImpl Certificate Policies Extension Default Certificate Policies Extension Default com.netscape.cms.profile.def.CertificatePoliciesExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy subjectDirAttributesExtDefaultImpl Subject Directory Attributes Extension Default Subject Directory Attributes Extension Default com.netscape.cms.profile.def.SubjectDirAttributesExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy privateKeyPeriodExtDefaultImpl Private Key Period Ext Default Private Key Period Ext Default com.netscape.cms.profile.def.PrivateKeyUsagePeriodExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy inhibitAnyPolicyExtDefaultImpl Inhibit Any-Policy Extension Default Inhibit Any-Policy Extension 
Default com.netscape.cms.profile.def.InhibitAnyPolicyExtDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy imageDefaultImpl Image Default Image Default com.netscape.cms.profile.def.ImageDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy nsTokenDeviceKeySubjectNameDefaultImpl nsTokenDeviceKeySubjectNameDefault nsTokenDeviceKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenDeviceKeySubjectNameDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy nsTokenUserKeySubjectNameDefaultImpl nsTokenUserKeySubjectNameDefault nsTokenUserKeySubjectNameDefaultImpl com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin defaultPolicy authzRealmDefaultImpl Authz Realm Default Authz Realm Default com.netscape.cms.profile.def.AuthzRealmDefault [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy noConstraintImpl No Constraint No Constraint com.netscape.cms.profile.constraint.NoConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy subjectNameConstraintImpl Subject Name Constraint Subject Name Constraint com.netscape.cms.profile.constraint.SubjectNameConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy uniqueSubjectNameConstraintImpl Unique Subject Name Constraint Unique Subject Name Constraint com.netscape.cms.profile.constraint.UniqueSubjectNameConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy userSubjectNameConstraintImpl User Subject Name Constraint User Subject Name Constraint com.netscape.cms.profile.constraint.UserSubjectNameConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy validityConstraintImpl Validity Constraint Validity Constraint com.netscape.cms.profile.constraint.ValidityConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin 
constraintPolicy keyUsageExtConstraintImpl Key Usage Extension Constraint Key Usage Extension Constraint com.netscape.cms.profile.constraint.KeyUsageExtConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy nsCertTypeExtConstraintImpl Netscape Certificate Type Extension Constraint Netscape Certificate Type Extension Constraint com.netscape.cms.profile.constraint.NSCertTypeExtConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy extendedKeyUsageExtConstraintImpl Extended Key Usage Extension Constraint Extended Key Usage Extension Constraint com.netscape.cms.profile.constraint.ExtendedKeyUsageExtConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy keyConstraintImpl Key Constraint Key Constraint com.netscape.cms.profile.constraint.KeyConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy basicConstraintsExtConstraintImpl Basic Constraints Extension Constraint Basic Constraints Extension Constraint com.netscape.cms.profile.constraint.BasicConstraintsExtConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy extensionConstraintImpl Extension Constraint Extension Constraint com.netscape.cms.profile.constraint.ExtensionConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy signingAlgConstraintImpl Signing Algorithm Constraint Signing Algorithm Constraint com.netscape.cms.profile.constraint.SigningAlgConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy uniqueKeyConstraintImpl Unique Public Key Constraint Unique Public Key Constraint com.netscape.cms.profile.constraint.UniqueKeyConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy renewGracePeriodConstraintImpl Renewal Grace Period Constraint Renewal Grace Period Constraint com.netscape.cms.profile.constraint.RenewGracePeriodConstraint 
[13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin constraintPolicy authzRealmConstraintImpl Authz Realm Constraint Authz Realm Constraint com.netscape.cms.profile.constraint.AuthzRealmConstraint [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput cmcCertReqInputImpl CMC Certificate Request Input CMC Certificate Request Input com.netscape.cms.profile.input.CMCCertReqInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput certReqInputImpl Certificate Request Input Certificate Request Input com.netscape.cms.profile.input.CertReqInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput keyGenInputImpl Key Generation Input Key Generation Input com.netscape.cms.profile.input.KeyGenInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput encKeyGenInputImpl Encryption Key Generation Input Encryption Key Generation Input com.netscape.cms.profile.input.EncryptionKeyGenInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput signKeyGenInputImpl Encryption Key Generation Input Encryption Key Generation Input com.netscape.cms.profile.input.SigningKeyGenInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput dualKeyGenInputImpl Dual Key Generation Input Dual Key Generation Input com.netscape.cms.profile.input.DualKeyGenInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput subjectNameInputImpl Subject Name Input Subject Name Input com.netscape.cms.profile.input.SubjectNameInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput submitterInfoInputImpl Submitter Information Input Submitter Information Input com.netscape.cms.profile.input.SubmitterInfoInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput genericInputImpl Generic Input Generic Input com.netscape.cms.profile.input.GenericInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput 
fileSigningInputImpl File Signing Input File Signing Input com.netscape.cms.profile.input.FileSigningInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput imageInputImpl Image Input Image Input com.netscape.cms.profile.input.ImageInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput subjectDNInputImpl Subject DN Input Subject DN Input com.netscape.cms.profile.input.SubjectDNInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl nsNKeyCertReqInputImpl com.netscape.cms.profile.input.nsNKeyCertReqInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl nsHKeyCertReqInputImpl com.netscape.cms.profile.input.nsHKeyCertReqInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput serialNumRenewInputImpl Certificate Renewal Request Serial Number Input Certificate Renewal Request Serial Number Input com.netscape.cms.profile.input.SerialNumRenewInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileInput subjectAltNameExtInputImpl SAN Input SAN Input com.netscape.cms.profile.input.SubjectAltNameExtInput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileOutput certOutputImpl Certificate Output Certificate Output com.netscape.cms.profile.output.CertOutput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileOutput cmmfOutputImpl CMMF Response Output CMMF Response Output com.netscape.cms.profile.output.CMMFOutput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileOutput pkcs7OutputImpl PKCS7 Output PKCS7 Output com.netscape.cms.profile.output.PKCS7Output [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileOutput nsNKeyOutputImpl nsNKeyOutputImpl nsNKeyOutputImpl com.netscape.cms.profile.output.nsNKeyOutput [13/Jun/2016:14:23:43][localhost-startStop-1]: added plugin profileUpdater 
subsystemGroupUpdaterImpl Updater for Subsystem Group Updater for Subsystem Group com.netscape.cms.profile.updater.SubsystemGroupUpdater [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=registry [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized registry [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=oidmap [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=oidmap [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=oidmap [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized oidmap [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=X500Name [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=X500Name [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=X500Name [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized X500Name [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=request [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=request [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=request [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized request [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateAuthority init [13/Jun/2016:14:23:43][localhost-startStop-1]: Creating LdapBoundConnFactor(CertificateAuthority) [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init ends [13/Jun/2016:14:23:43][localhost-startStop-1]: init: before makeConnection 
errorIfDown is false [13/Jun/2016:14:23:43][localhost-startStop-1]: makeConnection: errorIfDown false [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:43][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:43][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:43][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: new number of connections 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: Cert Repot inited [13/Jun/2016:14:23:43][localhost-startStop-1]: CRL Repot inited [13/Jun/2016:14:23:43][localhost-startStop-1]: Replica Repot inited [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateAuthority:initSigUnit: ca cert found [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateAuthority: initSigUnit 1- setting mIssuerObj and mSubjectObj [13/Jun/2016:14:23:43][localhost-startStop-1]: ca.signing Signing Unit nickname caSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: Got token Internal Key Storage Token by name [13/Jun/2016:14:23:43][localhost-startStop-1]: Found cert by nickname: 'caSigningCert cert-pki-ca' with serial number: 1 [13/Jun/2016:14:23:43][localhost-startStop-1]: converted to x509CertImpl [13/Jun/2016:14:23:43][localhost-startStop-1]: Got private key from cert [13/Jun/2016:14:23:43][localhost-startStop-1]: Got public key from cert [13/Jun/2016:14:23:43][localhost-startStop-1]: got signing algorithm RSASignatureWithSHA256Digest [13/Jun/2016:14:23:43][localhost-startStop-1]: CA signing unit inited [13/Jun/2016:14:23:43][localhost-startStop-1]: 
cachainNum= 0 [13/Jun/2016:14:23:43][localhost-startStop-1]: in init - got CA chain from JSS. [13/Jun/2016:14:23:43][localhost-startStop-1]: ca.ocsp_signing Signing Unit nickname ocspSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: Got token Internal Key Storage Token by name [13/Jun/2016:14:23:43][localhost-startStop-1]: Found cert by nickname: 'ocspSigningCert cert-pki-ca' with serial number: 2 [13/Jun/2016:14:23:43][localhost-startStop-1]: converted to x509CertImpl [13/Jun/2016:14:23:43][localhost-startStop-1]: Got private key from cert [13/Jun/2016:14:23:43][localhost-startStop-1]: Got public key from cert [13/Jun/2016:14:23:43][localhost-startStop-1]: got signing algorithm RSASignatureWithSHA256Digest [13/Jun/2016:14:23:43][localhost-startStop-1]: Separate OCSP signing unit inited [13/Jun/2016:14:23:43][localhost-startStop-1]: in init - got OCSP chain from JSS. [13/Jun/2016:14:23:43][localhost-startStop-1]: CA First signing algorithm is SHA1withRSA [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateAuthority: initSigUnit - setting mIssuerObj and mSubjectObj [13/Jun/2016:14:23:43][localhost-startStop-1]: in init - got CA name CN=Certificate Authority,O=IPA.TEST [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateAuthority init: initRequestQueue [13/Jun/2016:14:23:43][localhost-startStop-1]: selected policy processor = classic [13/Jun/2016:14:23:43][localhost-startStop-1]: GenericPolicyProcessor::init begins [13/Jun/2016:14:23:43][localhost-startStop-1]: GenericPolicyProcessor::init Certificate Policy Framework (deprecated) is DISABLED [13/Jun/2016:14:23:43][localhost-startStop-1]: CA policy inited [13/Jun/2016:14:23:43][localhost-startStop-1]: CA service inited [13/Jun/2016:14:23:43][localhost-startStop-1]: CA notifier inited [13/Jun/2016:14:23:43][localhost-startStop-1]: CA pending notifier inited [13/Jun/2016:14:23:43][localhost-startStop-1]: RequestRepository: constructor2. 
[13/Jun/2016:14:23:43][localhost-startStop-1]: In setCertStatusUpdateInterval 0 [13/Jun/2016:14:23:43][localhost-startStop-1]: In setCertStatusUpdateInterval interval = 0 [13/Jun/2016:14:23:43][localhost-startStop-1]: In setCertStatusUpdateInterval 600 [13/Jun/2016:14:23:43][localhost-startStop-1]: In setSerialNumberUpdateInterval scheduling serial number update every 600 seconds. [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateFactory Type : X.509 [13/Jun/2016:14:23:43][localhost-startStop-1]: CertificateFactory Provider : SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration) [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: About to start updateSerialNumbers [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Starting updateSerialNumbers (entered lock) [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false mCounter=null [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: masterConn is connected: true [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: getConn: conn is connected true [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: getConn: mNumConns now 2 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: getSerialNumber() [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: getSerialNumber serial=1 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository:setSerialNumber 2 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: in InitCache [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: Instance of Certificate Repository. 
[13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: minSerial:fff0001 maxSerial: 10000000 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: nextMinSerial: 10000001 nextMaxSerial: 20000000 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Repository: increment:10000000 lowWaterMark: 2000000 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: CertificateRepository: in getLastSerialNumberInRange: low 268369921 high 268435456 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: masterConn is connected: true [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: getConn: conn is connected true [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: getConn: mNumConns now 2 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: Releasing ldap connection [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:; [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers=false mMinRandomBitLength=4 CollisionRecovery=3,10 [13/Jun/2016:14:23:43][SerialNumberUpdateTask]: CertificateRepository: getLastSerialNumberInRange modeChange=false enableRsnAtConfig=false mForceModeChange=false mode= [13/Jun/2016:14:23:43][localhost-startStop-1]: PublisherProcessor: startup() [13/Jun/2016:14:23:43][localhost-startStop-1]: No LdapPublishing enabled [13/Jun/2016:14:23:43][localhost-startStop-1]: PublisherProcessor: startup: Publishing Queue Enabled: true Priority Level: 0 Maximum Number of Threads: 3 Page Size: 40 [13/Jun/2016:14:23:43][localhost-startStop-1]: setPublishingQueue: Publishing Queue Enabled: true Priority Level: 0 Maximum Number of Threads: 3 Page Size: 40 [13/Jun/2016:14:23:43][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:43][localhost-startStop-1]: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caRARouterCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caRouterCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caRouterCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caServerCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caSubsystemCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caSubsystemCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caOtherCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caOtherCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CAValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caCACert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caCrossSignedCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CAValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caCrossSignedCACert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInstallCACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault 
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInstallCACert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caRACert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caRACert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caOCSPCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.OCSPNoCheckExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caOCSPCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caStorageCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caAdminCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthServerCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthServerCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthTransportCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthTransportCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthDRMstorageCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthDRMstorageCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthSubsystemCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthSubsystemCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthOCSPCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault 
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.OCSPNoCheckExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthOCSPCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caInternalAuthAuditSigningCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caInternalAuthAuditSigningCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - DomainController caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading 
default class com.netscape.cms.profile.def.GenericExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - DomainController [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caDualRAuserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caDualRAuserCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. 
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caRAagentCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2 [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: 
BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null [13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init [13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caRAagentCert [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls. [13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result [13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96 [13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caRAserverCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault [13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: 
nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caRAserverCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caUUIDdeviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caUUIDdeviceCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caSSLClientSelfRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caSSLClientSelfRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caDirUserRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caDirUserRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caManualRenewal caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caManualRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenMSLoginEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.nsTokenUserKeySubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenMSLoginEnrollment
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenUserSigningKeyRenewal caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenUserSigningKeyRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenUserEncryptionKeyRenewal caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenUserEncryptionKeyRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenUserAuthKeyRenewal caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenUserAuthKeyRenewal
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caJarSigningCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.NSCertTypeExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caJarSigningCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caIPAserviceCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caIPAserviceCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caEncUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caEncUserCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caEncECUserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caEncECUserCert
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenUserDelegateAuthKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenUserDelegateAuthKeyEnrollment
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caTokenUserDelegateSigningKeyEnrollment caUserCertEnrollImpl com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.UserCertCAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserSubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectAltNameExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_type=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: SubjectAltNameExtDefault: Upgrading old_pattern=null
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.BasicConstraintsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caTokenUserDelegateSigningKeyEnrollment
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - IECUserRoles caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: WARNING attempt to add duplicate Policy userExtensionDefaultImpl:noConstraintImpl Contact System Administrator.
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: WARNING attempt to add duplicate Policy userExtensionDefaultImpl:noConstraintImpl Contact System Administrator.
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - IECUserRoles
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: Processed change controls.
[13/Jun/2016:14:23:43][profileChangeMonitor]: Profile change monitor: immediate result
[13/Jun/2016:14:23:43][profileChangeMonitor]: readProfile: new entryUSN = 96
[13/Jun/2016:14:23:43][profileChangeMonitor]: Start Profile Creation - caIPAuserCert caEnrollImpl com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: LDAPProfileSubsystem: initing com.netscape.cms.profile.common.CAEnrollProfile
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: start init
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectNameDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ValidityDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserKeyDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: KeyConstraint.init ecNames: nistp256,nistp384,nistp521,sect163k1,nistk163,sect163r1,sect163r2,nistb163,sect193r1,sect193r2,sect233k1,nistk233,sect233r1,nistb233,sect239k1,sect283k1,nistk283,sect283r1,nistb283,sect409k1,nistk409,sect409r1,nistb409,sect571k1,nistk571,sect571r1,nistb571,secp160k1,secp160r1,secp160r2,secp192k1,secp192r1,nistp192,secp224k1,secp224r1,nistp224,secp256k1,secp256r1,secp384r1,secp521r1,prime192v1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.AuthInfoAccessExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.KeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SigningAlgDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.CRLDistributionPointsExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.SubjectKeyIdentifierExtDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: loading default class com.netscape.cms.profile.def.UserExtensionDefault
[13/Jun/2016:14:23:43][profileChangeMonitor]: BasicProfile: done init
[13/Jun/2016:14:23:43][profileChangeMonitor]: Done Profile Creation - caIPAuserCert
[13/Jun/2016:14:23:43][localhost-startStop-1]: LDAPProfileSubsystem: finished init
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=profile
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized profile
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=selftests
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=selftests
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): ENTERING . . .
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test logger parameters
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/selftests.log)
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test plugins
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): loading self test plugin parameters
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): loading on demand self tests
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): loading startup self tests
[13/Jun/2016:14:23:43][localhost-startStop-1]: SelfTestSubsystem::init(): EXITING.
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=selftests
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized selftests
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=CrossCertPair
[13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=CrossCertPair
[13/Jun/2016:14:23:43][localhost-startStop-1]: Creating LdapBoundConnFactor(CrossCertPairSubsystem)
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory: init
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init()
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init begins
[13/Jun/2016:14:23:43][localhost-startStop-1]: LdapAuthInfo: init ends
[13/Jun/2016:14:23:43][localhost-startStop-1]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:23:43][localhost-startStop-1]: makeConnection: errorIfDown false [13/Jun/2016:14:23:43][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:43][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:43][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:43][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: new number of connections 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=CrossCertPair [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized CrossCertPair [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=stats [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=stats [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: done init id=stats [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initialized stats [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: initSubsystem id=auths [13/Jun/2016:14:23:43][localhost-startStop-1]: CMSEngine: ready to init id=auths [13/Jun/2016:14:23:43][localhost-startStop-1]: Creating LdapAnonConnFactory(PasswdUserDBAuthentication) [13/Jun/2016:14:23:43][localhost-startStop-1]: increasing minimum number of connections by 3 [13/Jun/2016:14:23:43][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:44][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:45][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:45][localhost-startStop-1]: new total number of connections 3 [13/Jun/2016:14:23:45][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager AgentCertAuth [13/Jun/2016:14:23:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager SSLclientCertAuth [13/Jun/2016:14:23:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager TokenAuth [13/Jun/2016:14:23:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager flatFileAuth [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: Splitting String: UID on commas [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: countTokens:1 [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: token 0 = UID [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: Splitting String: PWD on commas [13/Jun/2016:14:23:45][localhost-startStop-1]: 
FlatFileAuth: countTokens:1 [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: token 0 = PWD [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: unionOfStrings: 0,0 = UID [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: unionOfStrings: 1,0 = PWD [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: mFilename = /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: mKeyAttributes = UID [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: mAuthAttrs = PWD [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: stringArrays[0][0] = UID [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: stringArrays[1][0] = PWD [13/Jun/2016:14:23:45][localhost-startStop-1]: FlatFileAuth: Read entries from password file - /var/lib/pki/pki-tomcat/conf/ca/flatfile.txt [13/Jun/2016:14:23:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager raCertAuth [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: done init id=auths [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: initialized auths [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: initSubsystem id=authz [13/Jun/2016:14:23:45][localhost-startStop-1]: CMSEngine: ready to init id=authz [13/Jun/2016:14:23:45][localhost-startStop-1]: Found authz manager plugin BasicAclAuthz [13/Jun/2016:14:23:45][localhost-startStop-1]: AAclAuthz: init begins [13/Jun/2016:14:23:45][localhost-startStop-1]: GroupAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: UserAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: UserOrigReqAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: Found authz manager plugin DirAclAuthz [13/Jun/2016:14:23:45][localhost-startStop-1]: AAclAuthz: init begins [13/Jun/2016:14:23:45][localhost-startStop-1]: GroupAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: UserAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: UserOrigReqAccessEvaluator: init [13/Jun/2016:14:23:45][localhost-startStop-1]: Creating LdapBoundConnFactor(DirAclAuthz) [13/Jun/2016:14:23:45][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:45][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:45][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:45][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:45][localhost-startStop-1]: LdapAuthInfo: init ends [13/Jun/2016:14:23:45][localhost-startStop-1]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:23:45][localhost-startStop-1]: makeConnection: errorIfDown false 
[13/Jun/2016:14:23:45][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:46][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:46][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: new number of connections 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: DirAclAuthz: about to ldap search aclResources [13/Jun/2016:14:23:46][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][localhost-startStop-1]: masterConn is connected: true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: conn is connected true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: done init id=authz [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: initialized authz [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: initSubsystem id=jobsScheduler [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: ready to init id=jobsScheduler [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: done init id=jobsScheduler [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: initialized jobsScheduler [13/Jun/2016:14:23:46][localhost-startStop-1]: Java version=1.8.0_92 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 0 class=Mozilla-JSS version 4.2.6 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 1 class=SUN version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 2 class=SunRsaSign version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 3 class=SunEC version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 4 class=SunJSSE version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 5 class=SunJCE version 1.8 
[13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 6 class=SunJGSS version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 7 class=SunSASL version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 8 class=XMLDSig version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 9 class=SunPCSC version 1.8 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: Java Security Provider 10 class=CMS version 1.0 [13/Jun/2016:14:23:46][localhost-startStop-1]: Creating LdapBoundConnFactor(LDAPSecurityDomainSessionTable) [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapBoundConnFactory: init [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapAuthInfo: init() [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapAuthInfo: init begins [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapAuthInfo: init ends [13/Jun/2016:14:23:46][localhost-startStop-1]: init: before makeConnection errorIfDown is false [13/Jun/2016:14:23:46][localhost-startStop-1]: makeConnection: errorIfDown false [13/Jun/2016:14:23:46][localhost-startStop-1]: LdapJssSSLSocket set client auth cert nicknamesubsystemCert cert-pki-ca [13/Jun/2016:14:23:46][localhost-startStop-1]: SSL handshake happened [13/Jun/2016:14:23:46][localhost-startStop-1]: Established LDAP connection with SSL client auth to replica1.ipa.test:636 [13/Jun/2016:14:23:46][localhost-startStop-1]: initializing with mininum 3 and maximum 15 connections to host replica1.ipa.test port 636, secure connection, true, authentication type 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: increasing minimum connections by 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: new total available connections 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: new number of connections 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: debug 
startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: debug startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: log startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: entering LogSubsystem.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: about to call inst=Transactions in LogSubsystem.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: about to call inst=SignedAudit in LogSubsystem.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: about to call inst=System in LogSubsystem.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: LogFile: entering LogFile.startup() [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: log startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: jss startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: jss startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: dbs startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: dbs startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: usrgrp startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: usrgrp startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: registry startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: RegistrySubsystem: startup [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: registry startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: oidmap startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: oidmap startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: X500Name startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: X500Name startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: request startup start 
[13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: request startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: ca startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CertificateIssuedListener: template file directory: /var/lib/pki/pki-tomcat/ca/emails/ [13/Jun/2016:14:23:46][localhost-startStop-1]: CertificateIssuedListener: Reject file path: /var/lib/pki/pki-tomcat/ca/emails/certRequestRejected.html [13/Jun/2016:14:23:46][localhost-startStop-1]: CertificateRevokedListener: template file directory: /var/lib/pki/pki-tomcat/ca/emails/ [13/Jun/2016:14:23:46][localhost-startStop-1]: CertificateRevokedListener: Reject file path: /var/lib/pki/pki-tomcat/ca/emails/certRequestRejected.html [13/Jun/2016:14:23:46][Timer-0]: SessionTimer: run() [13/Jun/2016:14:23:46][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [13/Jun/2016:14:23:46][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [13/Jun/2016:14:23:46][Timer-0]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][RequestRecoverThread]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:23:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:23:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][Timer-0]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][Timer-0]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:23:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:23:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][Timer-0]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][RequestRecoverThread]: masterConn is connected: true [13/Jun/2016:14:23:46][RequestRecoverThread]: getConn: conn is connected true [13/Jun/2016:14:23:46][RequestRecoverThread]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestInQuListener: agentport = 443 
[13/Jun/2016:14:23:46][localhost-startStop-1]: PublishProcessor::publishCACert [13/Jun/2016:14:23:46][localhost-startStop-1]: No rule can be found for publishing: cacert [13/Jun/2016:14:23:46][localhost-startStop-1]: published ca cert [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: ca startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: profile startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: LDAPProfileSubsystem: startup [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: profile startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: selftests startup start [13/Jun/2016:14:23:46][RequestRecoverThread]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: SelfTestSubsystem: running CAPresence [13/Jun/2016:14:23:46][localhost-startStop-1]: SelfTestSubsystem: running SystemCertsVerification [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=signing [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(signing) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(caSigningCert cert-pki-ca, SSLCA) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(caSigningCert cert-pki-ca, true, SSLCA) [13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=ocsp_signing [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(ocsp_signing) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(ocspSigningCert cert-pki-ca, StatusResponder) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(ocspSigningCert cert-pki-ca, true, StatusResponder) 
[13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=sslserver [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(sslserver) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-ca, SSLServer) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-ca, true, SSLServer) [13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=subsystem [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(subsystem) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(subsystemCert cert-pki-ca, SSLClient) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(subsystemCert cert-pki-ca, true, SSLClient) [13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCerts() cert tag=audit_signing [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(audit_signing) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(auditSigningCert cert-pki-ca, ObjectSigner) [13/Jun/2016:14:23:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(auditSigningCert cert-pki-ca, true, ObjectSigner) [13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION 
[13/Jun/2016:14:23:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=SELFTESTS_EXECUTION [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: selftests startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: CrossCertPair startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: CrossCertPair startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: stats startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: stats startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: auths startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: auths startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: authz startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: authz startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: jobsScheduler startup start [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: jobsScheduler startup done [13/Jun/2016:14:23:46][localhost-startStop-1]: CMSEngine: checking request serial number ranges for the CA [13/Jun/2016:14:23:46][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][localhost-startStop-1]: masterConn is connected: true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: conn is connected true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: getSerialNumber() [13/Jun/2016:14:23:46][localhost-startStop-1]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: getSerialNumber serial=0 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: in InitCache [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: Instance of Request Repository or CRLRepository. 
[13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: minSerial:9990001 maxSerial: 10000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: nextMinSerial: 10000001 nextMaxSerial: 20000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: increment:10000000 lowWaterMark: 2000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestRepository: in getLastSerialNumberInRange: min 9990001 max 10000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestRepository: mRequestQueue com.netscape.cmscore.request.RequestQueue at 142fcc2d [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestRepository: about to call mRequestQueue.getLastRequestIdInRange [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: getLastRequestId: low 9990001 high 10000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: getLastRequestId: filter (requeststate=*) fromId 10000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][localhost-startStop-1]: masterConn is connected: true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: conn is connected true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: mNumConns now 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: In DBVirtualList filter attrs startFrom sortKey pageSize filter: (requeststate=*) attrs: null pageSize -5 startFrom 0810000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList.getSize() [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: searching for entry 0810000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList.getEntries() [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: entries: 6 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: top: 9 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: size: 15 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: getLastRequestId: size 15 
[13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: getSizeBeforeJumpTo: 15 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: retrieving entry #0 [13/Jun/2016:14:23:46][localhost-startStop-1]: reverse direction getting index 5 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: curReqId: 15 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: retrieving entry #1 [13/Jun/2016:14:23:46][localhost-startStop-1]: reverse direction getting index 4 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: curReqId: 14 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: retrieving entry #2 [13/Jun/2016:14:23:46][localhost-startStop-1]: reverse direction getting index 3 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: curReqId: 13 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: retrieving entry #3 [13/Jun/2016:14:23:46][localhost-startStop-1]: reverse direction getting index 2 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: curReqId: 12 [13/Jun/2016:14:23:46][localhost-startStop-1]: DBVirtualList: retrieving entry #4 [13/Jun/2016:14:23:46][localhost-startStop-1]: reverse direction getting index 1 [13/Jun/2016:14:23:46][localhost-startStop-1]: RequestQueue: curReqId: 11 [13/Jun/2016:14:23:46][localhost-startStop-1]: CertificateRepository:getLastCertRecordSerialNo: returning 9990000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Repository: mLastSerialNo: 9990000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Serial numbers left in range: 10000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Last Serial Number: 9990000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Serial Numbers in next range: 10000000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Serial Numbers available: 10010000 [13/Jun/2016:14:23:46][localhost-startStop-1]: Checking for a range conflict [13/Jun/2016:14:23:46][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:46][localhost-startStop-1]: 
masterConn is connected: true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: conn is connected true [13/Jun/2016:14:23:46][localhost-startStop-1]: getConn: mNumConns now 2 [13/Jun/2016:14:23:47][localhost-startStop-1]: Releasing ldap connection [13/Jun/2016:14:23:47][localhost-startStop-1]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:47][localhost-startStop-1]: CMSEngine: checking certificate serial number ranges [13/Jun/2016:14:23:47][localhost-startStop-1]: Serial numbers left in range: 65536 [13/Jun/2016:14:23:47][localhost-startStop-1]: Last Serial Number: 268369920 [13/Jun/2016:14:23:47][localhost-startStop-1]: Serial Numbers in next range: 268435456 [13/Jun/2016:14:23:47][localhost-startStop-1]: Serial Numbers available: 268500992 [13/Jun/2016:14:23:47][localhost-startStop-1]: Checking for a range conflict [13/Jun/2016:14:23:47][localhost-startStop-1]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:23:47][localhost-startStop-1]: masterConn is connected: true [13/Jun/2016:14:23:47][localhost-startStop-1]: getConn: conn is connected true [13/Jun/2016:14:23:47][localhost-startStop-1]: getConn: mNumConns now 2 [13/Jun/2016:14:23:47][localhost-startStop-1]: Releasing ldap connection [13/Jun/2016:14:23:47][localhost-startStop-1]: returnConn: mNumConns now 3 [13/Jun/2016:14:23:47][http-nio-8080-exec-2]: according to ccMode, authorization for servlet: caGetStatus is LDAP based, not XML {1}, use default authz mgr: {2}. [13/Jun/2016:14:23:47][http-nio-8080-exec-2]: CMSServlet:service() uri = /ca/admin/ca/getStatus [13/Jun/2016:14:23:47][http-nio-8080-exec-2]: CMSServlet: caGetStatus start to service. 
[13/Jun/2016:14:23:47][http-nio-8080-exec-2]: CMSServlet: curDate=Mon Jun 13 14:23:47 UTC 2016 id=caGetStatus time=49 [13/Jun/2016:14:23:48][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Importing key and cert [13/Jun/2016:14:23:49][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Reinitialising SigningUnit [13/Jun/2016:14:23:49][KeyRetrieverRunner-f4f46dea-04aa-48b5-8707-72fe87eac6a1]: Authority was deleted; returning. [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}. [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caProfileSubmitSSLClient is LDAP based, not XML {1}, use default authz mgr: {2}. [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet:service() uri = /ca/eeca/ca/profileSubmitSSLClient [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet::service() param name='xml' value='true' [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet::service() param name='profileId' value='caIPAuserCert' [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet::service() param name='authorityId' value='f4f46dea-04aa-48b5-8707-72fe87eac6a1' [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet::service() param name='cert_request' value='-----BEGIN CERTIFICATE REQUEST----- MIICVjCCAT4CAQAwETEPMA0GA1UEAwwGanJvZ2FuMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAnaucECRiBLm52b38HNISAgSsRIHSNTTQVSFN+QfTCGrw t012gSaafT+YDIfc0c+EnCBnKJtcvB7+wP6ctr2jq8R5dvZhSffsFVfoDJHWgGCm vsc3cxnSxF7RcAfGcVTxBsGr6MyQzlVtjSp0qzfzFvlpxYsF+0nY36JsY6my/eg1 YVCnGdL3Vinis1j8aZ0x/zupYGBSNH47epV4bpDwH/wYLAgAbc4rfinXa04iltXJ 9SIAtDmrIJed0oiyImM9p6a4G1WUCoVJBrRgnHXWZUC78iA/XNdOkrQiKvHvaCNP W9UUZQxh0zxvrSNYQIC2NnhKlAXvX/unHcfYXIqrYQIDAQABoAAwDQYJKoZIhvcN AQELBQADggEBAFsIwkM9R1Tvuqy5SKDnJ9skrl76UVOd4BcNmzoAltHkFdtyU7OE 
rXLgrf9k3AqVMmCJic3MH0JzArlnJGRoToZub6qlnu504zOVAcXzbIVZ1Txu+Ald ZOxIxIBkaz38wL00A6O1cG+EGlwlnI5E0mASVsZifJrTTKxKbcKFWAdcznogoRRi 3XOB+0bW8uC2m5pZGw4bBMZcmKoGRHuv6DV9w+RX6CyzZAAZoHvWk7J96cpkQpVL f56eCb4JySyG0YJ4Y6D21MQczJIkerOrnPf5iitiVzLK+oaojPjwuGpsBm7LvvCS s/+efkHN3EouRz/E9EagYCfXg5TrMnlgyGE= -----END CERTIFICATE REQUEST-----' [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet::service() param name='cert_request_type' value='pkcs10' [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet: caProfileSubmitSSLClient start to service. [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: xmlOutput true [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: ProfileSubmitServlet: isRenewal false [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: according to ccMode, authorization for servlet: caProfileSubmit is LDAP based, not XML {1}, use default authz mgr: {2}. [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: ProfileSubmitServlet: profile: caIPAuserCert CA not found: f4f46dea-04aa-48b5-8707-72fe87eac6a1 at com.netscape.cms.servlet.profile.ProfileSubmitServlet.processEnrollment(ProfileSubmitServlet.java:239) at com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(ProfileSubmitServlet.java:128) at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:514) at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:173) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:286) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:286) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:283) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:318) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:258) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:190) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:186) at java.security.AccessController.doPrivileged(Native Method) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522) at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: ProfileSubmitServlet: error in processing request: CA not found: f4f46dea-04aa-48b5-8707-72fe87eac6a1 [13/Jun/2016:14:27:16][ajp-nio-127.0.0.1-8009-exec-1]: CMSServlet: curDate=Mon Jun 13 14:27:16 UTC 2016 id=caProfileSubmitSSLClient time=23 [13/Jun/2016:14:28:46][Timer-0]: SessionTimer: run() [13/Jun/2016:14:28:46][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [13/Jun/2016:14:28:46][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [13/Jun/2016:14:28:46][Timer-0]: 
In LdapBoundConnFactory::getConn() [13/Jun/2016:14:28:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:28:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:28:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:28:46][Timer-0]: returnConn: mNumConns now 3 [13/Jun/2016:14:28:46][Timer-0]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:28:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:28:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:28:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:28:46][Timer-0]: returnConn: mNumConns now 3 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: About to start updateSerialNumbers [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Starting updateSerialNumbers (entered lock) [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false mCounter=-1 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: masterConn is connected: true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: conn is connected true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: mNumConns now 2 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Releasing ldap connection [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: returnConn: mNumConns now 3 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: DBSubsystem: getEntryAttribute: dn=ou=certificateRepository, ou=ca, o=ipaca attr=description:; [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: CertificateRepository: updateCounter mEnableRandomSerialNumbers=false [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: CertificateRepository: updateCounter CertificateRepositoryMode = [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: CertificateRepository: updateCounter modeChange=false [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: CertificateRepository: UpdateCounter mEnableRandomSerialNumbers=false mCounter=-1 
[13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Starting cert checkRanges [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial numbers left in range: 65536 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Last Serial Number: 268369920 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial Numbers in next range: 268435456 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial Numbers available: 268500992 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Checking for a range conflict [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: masterConn is connected: true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: conn is connected true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: mNumConns now 2 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Releasing ldap connection [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: returnConn: mNumConns now 3 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Starting request checkRanges [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial numbers left in range: 10000 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Last Serial Number: 9990000 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial Numbers in next range: 10000000 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Serial Numbers available: 10010000 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Checking for a range conflict [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: masterConn is connected: true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: conn is connected true [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: getConn: mNumConns now 2 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: Releasing ldap connection [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: returnConn: mNumConns now 3 [13/Jun/2016:14:33:43][SerialNumberUpdateTask]: updateSerialNumbers done 
[13/Jun/2016:14:33:46][Timer-0]: SessionTimer: run() [13/Jun/2016:14:33:46][Timer-0]: LDAPSecurityDomainSessionTable: getSessionIds() [13/Jun/2016:14:33:46][Timer-0]: LDAPSecurityDomainSessionTable: searching ou=sessions,ou=Security Domain,o=ipaca [13/Jun/2016:14:33:46][Timer-0]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:33:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:33:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:33:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:33:46][Timer-0]: returnConn: mNumConns now 3 [13/Jun/2016:14:33:46][Timer-0]: In LdapBoundConnFactory::getConn() [13/Jun/2016:14:33:46][Timer-0]: masterConn is connected: true [13/Jun/2016:14:33:46][Timer-0]: getConn: conn is connected true [13/Jun/2016:14:33:46][Timer-0]: getConn: mNumConns now 2 [13/Jun/2016:14:33:46][Timer-0]: returnConn: mNumConns now 3 From pspacek at redhat.com Mon Jun 13 14:51:11 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 13 Jun 2016 16:51:11 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513] DNS locations In-Reply-To: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> Message-ID: On 13.6.2016 14:57, Martin Basti wrote: > Patches attached. > > https://fedorahosted.org/freeipa/ticket/2008 > > > Missing parts: dns-server config, some warnings from design, some corner, > cleanup of old unused location records cases, this will be covered in future > patches > freeipa-mbasti-0506-DNS-Locations-DNS-data-management.patch > > > From f8eb14afe97111e58a8e5bce401a7ab8620888a6 Mon Sep 17 00:00:00 2001 
> From: Martin Basti > Date: Wed, 8 Jun 2016 17:53:58 +0200 > Subject: [PATCH 04/11] DNS Locations: DNS data management > > Adding module that allows to work with IPA DNS system records: > * getting system records > * updating system records > * work with DNS locations > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ipalib/dns.py | 2 + > ipalib/dns_data_management.py | 395 ++++++++++++++++++++++++++++++++++++++++++ > ipaserver/plugins/dns.py | 1 + > 3 files changed, 398 insertions(+) > create mode 100644 ipalib/dns_data_management.py > > diff --git a/ipalib/dns.py b/ipalib/dns.py > index 54a4c24a08c974d8e905e4630d91d2381c39778d..55e45a094e5b4171962abdc3f81e1647107ef96d 100644 > --- a/ipalib/dns.py > +++ b/ipalib/dns.py > @@ -18,6 +18,8 @@ > # You should have received a copy of the GNU General Public License > # along with this program. If not, see . > > +from __future__ import absolute_import > + > import re > > from ipalib import errors > diff --git a/ipalib/dns_data_management.py b/ipalib/dns_data_management.py > new file mode 100644 > index 0000000000000000000000000000000000000000..939978d980c4c1292dd516245457795fc116d401 > --- /dev/null > +++ b/ipalib/dns_data_management.py 
> @@ -0,0 +1,395 @@ > +# > +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license > +# > + > +from __future__ import absolute_import > + > +from collections import defaultdict > +from dns import ( > + rdataclass, > + rdatatype, > + zone, > +) > +from dns.rdtypes.IN.SRV import SRV > +from dns.rdtypes.ANY.TXT import TXT > + > +from ipalib import errors > +from ipalib.dns import record_name_format > +from ipapython.dnsutil import DNSName, resolve_rrsets > + > +IPA_DEFAULT_MASTER_SRV_REC = ( > + # srv record name, port > + (DNSName(u'_ldap._tcp'), 389), > + (DNSName(u'_kerberos._tcp'), 88), > + (DNSName(u'_kerberos._udp'), 88), > + (DNSName(u'_kerberos-master._tcp'), 88), > + (DNSName(u'_kerberos-master._udp'), 88), > + (DNSName(u'_kpasswd._tcp'), 464), > + (DNSName(u'_kpasswd._udp'), 464), > +) > + > +IPA_DEFAULT_ADTRUST_SRV_REC = ( > + # srv record name, port > + (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389), > + (DNSName(u'_ldap._tcp.dc._msdcs'), 389), > + (DNSName(u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs'), 88), > + (DNSName(u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs'), 88), > + (DNSName(u'_kerberos._tcp.dc._msdcs'), 88), > + (DNSName(u'_kerberos._udp.dc._msdcs'), 88), > +) > + > + > +class IPADomainIsNotManagedByIPAError(Exception): > + pass > + > + > +class IPASystemRecords(object): > + > + # fixme do it configurable > + PRIORITY_HIGH = 0 > + PRIORITY_LOW = 50 > + > + def __init__(self, api_instance): > + self.api_instance = api_instance > + self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute() > + self.servers_data = {} > + self.__init_data() > + > + def reload_data(self): > + """ > + After any change made to IPA servers, this method must be called to > + update data in the object, otherwise invalid records may be > + created/updated > + """ > + self.__init_data() > + > + def __get_server_attrs(self, hostname): > + """ > + Returns weight, location, and intersection of its 
roles and allowed > + roles > + :param hostname: server hostname > + :param allowed_roles: *set* of server roles that are allowed, if None > + all roles will be used > + :return: (weight, location, intersection of roles and allowed roles) There is no param allowed_roles :-) > + """ > + server_result = self.api_instance.Command.server_show(hostname)['result'] > + weight = int(server_result.get('ipalocationweight', [u'100'])[0]) > + location = server_result.get('ipalocation_location', [None])[0] > + roles = set(server_result.get('enabled_role_servrole', ())) > + > + return weight, location, roles > + > + def __init_data(self): > + self.servers_data = {} > + > + servers_result = self.api_instance.Command.server_find( > + pkey_only=True)['result'] > + servers = [s['cn'][0] for s in servers_result] > + for s in servers: > + weight, location, roles = self.__get_server_attrs(s) > + self.servers_data[s] = { > + 'weight': weight, > + 'location': location, > + 'roles': roles, > + } > + > + def __get_srv_records( > + self, zone_obj, hostname, rname_port_map, > + weight=100, priority=0, location=None > + ): > + assert isinstance(hostname, DNSName) > + assert isinstance(priority, int) > + assert isinstance(weight, int) > + > + if location: > + suffix = ( > + location + DNSName('_locations') + self.domain_abs > + ) > + else: > + suffix = self.domain_abs > + > + for name, port in rname_port_map: > + rd = SRV( > + rdataclass.IN, rdatatype.SRV, > + priority, > + weight, > + port, > + hostname.make_absolute() > + ) > + > + r_name = name.derelativize(suffix) > + > + rdataset = zone_obj.get_rdataset( > + r_name, rdatatype.SRV, create=True) > + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config > + > + def __get_ca_records_from_hostname(self, zone_obj, hostname): Name __get is misleading because it does not return a new object - it in fact modifies one one of its arguments. I would rather start the name with __add_... 
> + assert isinstance(hostname, DNSName) and hostname.is_absolute() > + r_name = DNSName('ipa-ca') + self.domain_abs > + rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.AAAA)) > + for rrset in rrsets: > + for rd in rrset: > + rdataset = zone_obj.get_rdataset( > + r_name, rd.rdtype, create=True) > + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config > + > + def __get_kerberos_txt_rec(self, zone_obj): The same as above. > + # FIXME: with external DNS, this should generate records for all > + # realmdomains > + r_name = DNSName('_kerberos') + self.domain_abs > + rd = TXT(rdataclass.IN, rdatatype.TXT, [self.api_instance.env.realm]) > + rdataset = zone_obj.get_rdataset( > + r_name, rdatatype.TXT, create=True > + ) > + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config > + > + def _get_base_dns_records_for_server( The same as above. > + self, zone_obj, hostname, roles=None, include_master_role=True, > + include_kerberos_realm=True, > + ): > + server = self.servers_data[hostname] > + if roles: > + eff_roles = server['roles'] & set(roles) > + else: > + eff_roles = server['roles'] > + hostname_abs = DNSName(hostname).make_absolute() > + > + if include_kerberos_realm: > + self.__get_kerberos_txt_rec(zone_obj) > + > + # get master records > + if include_master_role: > + self.__get_srv_records( > + zone_obj, > + hostname_abs, > + IPA_DEFAULT_MASTER_SRV_REC, > + weight=server['weight'] > + ) > + > + if 'CA server' in eff_roles: > + self.__get_ca_records_from_hostname(zone_obj, hostname_abs) > + > + if 'AD trust controller' in eff_roles: > + self.__get_srv_records( > + zone_obj, > + hostname_abs, > + IPA_DEFAULT_ADTRUST_SRV_REC, > + weight=server['weight'] > + ) > + > + def _get_location_dns_records_for_server( > + self, zone_obj, hostname, locations, > + roles=None, include_master_role=True): > + """ > + Function returns list of DNS records for server with proper locations > + mappings In fact it returns zone. 
> + :param api_instance: instance of API > + :param hostname: server hostname > + :return: dict with keys as record name, and list of rrsets as values > + """ > + server = self.servers_data[hostname] > + if roles: > + eff_roles = server['roles'] & roles > + else: > + eff_roles = server['roles'] > + hostname_abs = DNSName(hostname).make_absolute() > + > + # generate locations specific records > + for location in locations: > + if location == self.servers_data[hostname]['location']: > + priority = self.PRIORITY_HIGH > + else: > + priority = self.PRIORITY_LOW > + > + if include_master_role: > + self.__get_srv_records( > + zone_obj, > + hostname_abs, > + IPA_DEFAULT_MASTER_SRV_REC, > + weight=server['weight'], > + priority=priority, > + location=location > + ) > + > + if 'AD trust controller' in eff_roles: > + self.__get_srv_records( > + zone_obj, > + hostname_abs, > + IPA_DEFAULT_ADTRUST_SRV_REC, > + weight=server['weight'], > + priority=priority, > + location=location > + ) > + > + return zone_obj > + > + def __prepare_records_update_dict(self, node): > + update_dict = defaultdict(list) > + for rdataset in node.rdatasets: AFAIK "rdataset in node" would be better and would not touch internals of node. 
> + for rdata in rdataset: > + option_name = (record_name_format % rdatatype.to_text( > + rdata.rdtype).lower()) > + update_dict[option_name].append(rdata.to_text()) > + return update_dict > + > + def __update_dns_records( > + self, record_name, nodes, set_cname_template=True > + ): > + update_dict = self.__prepare_records_update_dict(nodes) > + cname_template = { > + 'addattr': [u'objectclass=idnsTemplateObject'], > + 'setattr': [ > + u'idnsTemplateAttribute;cnamerecord=%s' > + u'.\{substitutionvariable_ipalocation\}._locations' % > + record_name.relativize(self.domain_abs) > + ] > + } > + try: > + if set_cname_template: > + # only srv records should have configured cname templates > + update_dict.update(cname_template) > + self.api_instance.Command.dnsrecord_mod( > + self.domain_abs, record_name, > + **update_dict > + ) > + except errors.NotFound: > + # because internal API magic, addattr and setattr doesn't work with > + # dnsrecord-add well, use dnsrecord-mod instead later > + update_dict.pop('addattr', None) > + update_dict.pop('setattr', None) > + > + self.api_instance.Command.dnsrecord_add( > + self.domain_abs, record_name, **update_dict) > + > + if set_cname_template: > + try: > + self.api_instance.Command.dnsrecord_add( This ^^^ should be dnsrecord_mod. 
> + self.domain_abs, > + record_name, **cname_template) > + except errors.EmptyModlist: > + pass > + except errors.EmptyModlist: > + pass > + > + def get_base_records( > + self, servers=None, roles=None, include_master_role=True, > + include_kerberos_realm=True > + ): > + """ > + Generate IPA service records for specific servers and roles > + :param servers: list of server which will be used in records, > + if None all IPA servers will be used > + :param roles: roles for which DNS records will be generated, > + if None all roles will be used > + :param include_master_role: generate records required by IPA master > + role > + :return: dns.zone.Zone object that contains base DNS records > + """ > + > + zone_obj = zone.Zone(self.domain_abs, relativize=False) > + if servers is None: > + servers = self.servers_data.keys() > + > + for server in servers: > + self._get_base_dns_records_for_server(zone_obj, server, > + roles=roles, include_master_role=include_master_role, > + include_kerberos_realm=include_kerberos_realm > + ) > + return zone_obj > + > + def get_locations_records( > + self, servers=None, roles=None, include_master_role=True): > + """ > + Generate IPA location records for specific servers and roles. 
> + :param servers: list of server which will be used in records, > + if None all IPA servers will be used > + :param roles: roles for which DNS records will be generated, > + if None all roles will be used > + :param include_master_role: generate records required by IPA master > + role > + :return: dns.zone.Zone object that contains location DNS records > + """ > + zone_obj = zone.Zone(self.domain_abs, relativize=False) > + if servers is None: > + servers_result = self.api_instance.Command.server_find( > + pkey_only=True)['result'] > + servers = [s['cn'][0] for s in servers_result] > + > + locations_result = self.api_instance.Command.location_find()['result'] > + locations = [l['idnsname'][0] for l in locations_result] > + > + for server in servers: > + self._get_location_dns_records_for_server( > + zone_obj, server, > + locations, roles=roles, > + include_master_role=include_master_role) > + return zone_obj > + > + def update_base_records(self): > + """ > + Update base DNS records for IPA services > + :return: [(record_name, node), ...], [(record_name, node, error), ...] 
> + where the first list contains successfully updated records, and the > + second list contains failed updates with particular exceptions > + """ > + fail = [] > + success = [] > + names_requiring_cname_templates = set( > + rec[0].derelativize(self.domain_abs) for rec in ( > + IPA_DEFAULT_MASTER_SRV_REC + > + IPA_DEFAULT_ADTRUST_SRV_REC > + ) > + ) > + > + base_zone = self.get_base_records() > + for record_name, node in base_zone.items(): > + set_cname_template = record_name in names_requiring_cname_templates > + try: > + self.__update_dns_records( > + record_name, node, set_cname_template) > + except errors.PublicError as e: > + fail.append((record_name, node, e)) > + else: > + success.append((record_name, node)) > + return success, fail > + > + def update_locations_records(self): > + """ > + Update locations DNS records for IPA services > + :return: [(record_name, node), ...], [(record_name, node, error), ...] > + where the first list contains successfully updated records, and the > + second list contains failed updates with particular exceptions > + """ > + fail = [] > + success = [] > + > + location_zone = self.get_locations_records() > + for record_name, nodes in location_zone.items(): > + try: > + self.__update_dns_records( > + record_name, nodes, > + set_cname_template=False) > + except errors.PublicError as e: > + fail.append((record_name, nodes, e)) > + else: > + success.append((record_name, nodes)) > + return success, fail I think that methods update_base_records() and update_locations_records() can be unified because they are basically the same. Condition "record_name in names_requiring_cname_templates" should evaluate to False for all location records (I hope :-) so you can save some code and just pass result of get_base_records()/get_locations_records() into the common function. > freeipa-mbasti-0507-DNS-Locations-permission-allow-to-read-status-of-ser.patch > > > From 6fb4de027ac56e32047c55d8690af078951c8c35 Mon Sep 17 00:00:00 2001 
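Review bot: `_get_location_dns_records_for_server` computes `eff_roles = server['roles'] & roles`, whereas `_get_base_dns_records_for_server` a few lines above writes `server['roles'] & set(roles)`. `get_locations_records()` hands `roles` through unchanged from its caller, so a list or tuple (the natural thing to pass for "roles for which DNS records will be generated") raises TypeError on the `&`. Wrap it in `set()` here as well, or normalize `roles` once at the top of `get_base_records()`/`get_locations_records()` so the private helpers can assume a set.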
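Review bot: `__get_ca_records_from_hostname` builds the `ipa-ca` A/AAAA rdata from a live lookup, `rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.AAAA))`, and writes whatever comes back into the zone with no check. Two consequences: a server whose name does not resolve at update time silently disappears from `ipa-ca` (an empty result produces no rdataset and no entry in the `fail` list), and because the lookup runs inside `get_base_records()`, before the `try`/`except errors.PublicError` loop in `update_base_records()`, a resolver exception aborts the whole update instead of being reported as one failed record. Treat an empty or failed resolution as a failure for that name, and consider taking the addresses from the host's own IPA records when the zone is IPA-managed, falling back to resolution only otherwise, so the published CA address set does not depend on what the local resolver answered.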
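Review bot: `get_locations_records()` runs `server_find(pkey_only=True)` again to build the server list, while `get_base_records()` uses `self.servers_data.keys()`. The per-server weight, location and roles are only present for servers collected in `__init_data()`, so a server that appeared after the object was constructed raises KeyError on `self.servers_data[hostname]` in `_get_location_dns_records_for_server`. Use `self.servers_data.keys()` in both places; that also matches the contract stated in the `reload_data()` docstring.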
> From: Martin Basti > Date: Sat, 11 Jun 2016 17:49:00 +0200 > Subject: [PATCH 05/11] DNS Locations: permission: allow to read status of > services > > New permission was added: "System: Read Status of Services on IPA Servers" > This permission is needed for detection which records should be created > on which servers. > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ACI.txt | 2 ++ > ipaserver/plugins/server.py | 5 +++++ > 2 files changed, 7 insertions(+) > > diff --git a/ACI.txt b/ACI.txt > index 6f691f2a7b01f834006e3c796c14c256ee87faa6..62665c04f5c27ece0cec588d93f763db5f8cb054 100644 > --- a/ACI.txt > +++ b/ACI.txt 
> @@ -228,6 +228,8 @@ dn: cn=usermap,cn=selinux,dc=ipa,dc=example > aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User > Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example > aci: (targetattr = "cn || createtimestamp || entryusn || ipalocation || ipalocationweight || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationMember)")(version 3.0;acl "permission:System: Read Locations of IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Locations of IPA > Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";) > +dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example > +aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationMember)")(version 3.0;acl "permission:System: Read Status of Services on IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Status of Services on IPA How is "(targetfilter = (objectclass=ipaLocationMember)" going to work with non-upgraded servers? Correct me if I'm wrong but I guess that CentOS 6 replicas will not have ipaLocationMember object class. Does it mean that the command ran on CentOS 7 will not see and generate records for CentOS 6 replicas? > Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=services,cn=accounts,dc=ipa,dc=example > aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";) > dn: cn=services,cn=accounts,dc=ipa,dc=example > diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py > index a2c2752d94913eda0636cd5a360921eb002282d3..eb40b97ad22b95a2054b6280140e48973b1ec229 100644 > --- a/ipaserver/plugins/server.py 
> +++ b/ipaserver/plugins/server.py > @@ -75,6 +75,11 @@ class server(LDAPObject): > }, > 'default_privileges': {'DNS Administrators'}, > }, > + 'System: Read Status of Services on IPA Servers': { > + 'ipapermright': {'read', 'search', 'compare'}, > + 'ipapermdefaultattr': {'objectclass', 'cn', 'ipaconfigstring'}, > + 'default_privileges': {'DNS Administrators'}, > + } Interesting, where is the (targetfilter = (objectclass=ipaLocationMember) ? How it gets to ACI.txt? > } > > takes_params = ( > -- 2.5.5 > freeipa-mbasti-0509-DNS-Locations-command-dns-update-system-records.patch > > > From 3dd971a197f5106cd021135056a15eb9c7521948 Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Fri, 10 Jun 2016 17:03:25 +0200 > Subject: [PATCH 07/11] DNS Locations: command dns-update-system-records > > command dns-update-system-records updates/fixes DNS records for IPA > services: > * updating A, AAAA records for CA > * updating SRV records for LDAP, kerberos and AD trust > * updating TXT record in _kerberos with proper realm > * updating dns locations if used > > https://fedorahosted.org/freeipa/ticket/2008 > --- > API.txt | 10 ++++ > VERSION | 4 +- > ipaclient/plugins/dns.py | 26 +++++++++- > ipalib/dns_data_management.py | 24 ++++++++- > ipaserver/plugins/dns.py | 112 ++++++++++++++++++++++++++++++++++++++++++ > 5 files changed, 172 insertions(+), 4 deletions(-) > > diff --git a/API.txt b/API.txt > index 68ce3560d17c1fb6b6c50a91b5bf6ba810204922..c9268493a4c74a0a1557fc2930f618d1916c184d 100644 > --- a/API.txt > +++ b/API.txt 
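Review bot: the new ACI on `cn=masters,cn=ipa,cn=etc` grants read of `ipaconfigstring`, but, like the existing "Read Locations of IPA Servers" ACI above it, it carries `(targetfilter = "(objectclass=ipaLocationMember)")`, which matches the server entries themselves. If the service status this permission exists for is read from the per-service subentries beneath each server entry (where `ipaConfigString: enabledService` lives), those subentries do not carry `ipaLocationMember` and remain unreadable under this permission. The filter does not appear in the `managed_permissions` entry in server.py, so it is presumably inherited from the object's default filter objectclasses; either override it for this permission or verify on a fresh install that a member of "DNS Administrators" actually sees `enabled_role_servrole` in `server-show`, since `dns-update-system-records` decides which records to create from exactly that attribute.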
> @@ -961,6 +961,16 @@ option: Str('version?') > output: Output('result', type=[]) > output: Output('summary', type=[, ]) > output: PrimaryKey('value') > +command: dns_update_system_records > +args: 0,2,6 > +option: Flag('dry_run', autofill=True, default=False) > +option: Str('version?') > +output: Output('failed_ipa_records', type=[, ]) > +output: Output('failed_location_records', type=[, ]) > +output: Output('ipa_records', type=[, ]) > +output: Output('location_records', type=[, ]) > +output: Output('summary', type=[, ]) > +output: Output('value', type=[]) > command: dnsconfig_mod > args: 0,11,3 > option: Str('addattr*', cli_name='addattr') > diff --git a/VERSION b/VERSION > index 7c3e46a98607f3b94a0c98406ed13aa278440875..c39e800ce9dadc7ba7f9fbe08f870903271a9031 100644 > --- a/VERSION > +++ b/VERSION > @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 > # # > ######################################################## > IPA_API_VERSION_MAJOR=2 > -IPA_API_VERSION_MINOR=180 > -# Last change: mbabink - Server Roles: provide an API for setting CA renewal master > +IPA_API_VERSION_MINOR=181 > +# Last change: mbasti - added command dns-update-system-records > diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py > index 4defb7c33d301c60c78b22aa6d71c9da19650ec3..b784c04116bec0bfcc37e83f2e0bcf42b011a40c 100644 > --- a/ipaclient/plugins/dns.py > +++ b/ipaclient/plugins/dns.py > @@ -22,7 +22,7 @@ from __future__ import print_function > > import six > > -from ipaclient.frontend import MethodOverride > +from ipaclient.frontend import MethodOverride, CommandOverride > from ipalib import errors > from ipalib.dns import (get_record_rrtype, > has_cli_options, 
> @@ -342,3 +342,27 @@ class dnsforwardzone_mod(MethodOverride): > _("Server will check DNS forwarder(s).")) > self.Backend.textui.print_plain( > _("This may take some time, please wait ...")) > + > + > + at register(override=True) > +class dns_update_system_records(CommandOverride): > + def output_for_cli(self, textui, output, *args, **options): > + failures = {'failed_ipa_records', 'failed_location_records'} > + for key in ( > + 'ipa_records', 'failed_ipa_records', > + 'location_records', 'failed_location_records' > + ): > + if output.get(key): > + textui.print_line(self.output[key].doc) > + if key in sorted(failures, key=lambda x: x[0]): > + for val, err in output[key]: > + textui.print_indented( > + u'{val} ({err})'.format(val=val, err=err), > + indent=1 > + ) > + else: > + for val in sorted(output[key]): > + textui.print_indented(val, indent=1) > + textui.print_line(u'') > + textui.print_summary(output['summary']) > + return int(not output['value']) > diff --git a/ipalib/dns_data_management.py b/ipalib/dns_data_management.py > index 939978d980c4c1292dd516245457795fc116d401..0d0466c18dea9830cfcfa89441d632f48bff3910 100644 > --- a/ipalib/dns_data_management.py > +++ b/ipalib/dns_data_management.py > @@ -4,6 +4,8 @@ > > from __future__ import absolute_import > > +import six > + > from collections import defaultdict > from dns import ( > rdataclass, > @@ -17,6 +19,10 @@ from ipalib import errors > from ipalib.dns import record_name_format > from ipapython.dnsutil import DNSName, resolve_rrsets > > +if six.PY3: > + unicode=str > + > + > IPA_DEFAULT_MASTER_SRV_REC = ( > # srv record name, port > (DNSName(u'_ldap._tcp'), 389), > @@ -229,7 +235,7 @@ class IPASystemRecords(object): > for rdata in rdataset: > option_name = (record_name_format % rdatatype.to_text( > rdata.rdtype).lower()) > - update_dict[option_name].append(rdata.to_text()) > + update_dict[option_name].append(unicode(rdata.to_text())) > return update_dict > > def __update_dns_records( 
> @@ -393,3 +399,19 @@ class IPASystemRecords(object): > self.update_base_records(), > self.update_locations_records() > ) > + > + @classmethod > + def records_list_from_node(cls, name, node): > + records = [] > + for dataset in node: nitpick: variable names are inconsistent with the rest, you have used rdataset in the code above > + for rd in dataset: > + records.append( > + u'{name} {ttl} {rdclass} {rdtype} {rdata}'.format( > + name=name.ToASCII(), > + ttl=dataset.ttl, > + rdclass=rdataclass.to_text(rd.rdclass), > + rdtype=rdatatype.to_text(rd.rdtype), > + rdata=rd.to_text() > + ) > + ) > + return records > diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py > index c0cd27713b20efe03f2707cfbddac344db74a085..130b1f26817a0f255150a0903dc924476c6e9549 100644 > --- a/ipaserver/plugins/dns.py > +++ b/ipaserver/plugins/dns.py > @@ -40,6 +40,10 @@ from ipalib.dns import (get_record_rrtype, > from ipalib.request import context > from ipalib import api, errors, output > from ipalib import Command > +from ipalib.dns_data_management import ( > + IPASystemRecords, > + IPADomainIsNotManagedByIPAError, > +) > from ipalib.capabilities import ( > VERSION_WITHOUT_CAPABILITIES, > client_has_capability) 
> @@ -4429,3 +4433,111 @@ class dnsforwardzone_add_permission(DNSZoneBase_add_permission): > @register() > class dnsforwardzone_remove_permission(DNSZoneBase_remove_permission): > __doc__ = _('Remove a permission for per-forward zone access delegation.') > + > + > + at register() > +class dns_update_system_records(Command): > + __doc__ = _('Update location and IPA server DNS records') > + > + has_output = ( > + output.summary, > + output.Output( > + 'ipa_records', (list, tuple), > + _('IPA DNS records') > + ), > + output.Output( > + 'failed_ipa_records', (list, tuple), > + _('Failed to update IPA DNS records') > + ), > + output.Output( > + 'location_records', (list, tuple), > + _('IPA location records') > + ), > + output.Output( > + 'failed_location_records', (list, tuple), > + _('Failed to update IPA location records') > + ), > + output.Output( > + 'value', bool, > + _('Result of the command'), ['no_display'] > + ) > + ) > + > + takes_options = ( > + Flag( > + 'dry_run', > + label=_('Dry run'), > + doc=_('Do not update recors only return expected records') > + ) > + ) > + > + def execute(self, *args, **options): > + > + def output_to_list(iterable): > + rec_list = [] > + for name, node in iterable: > + rec_list.extend(IPASystemRecords.records_list_from_node( > + name, node)) > + return rec_list > + > + def output_to_list_with_failed(iterable): > + err_rec_list = [] > + for name, node, error in iterable: > + err_rec_list.extend([ > + (v, unicode(error)) for v in > + IPASystemRecords.records_list_from_node(name, node) > + ]) > + return err_rec_list > + > + result = { > + 'summary': None, > + 'ipa_records': [], > + 'failed_ipa_records': [], > + 'location_records': [], > + 'failed_location_records': [], > + 'value': True, > + } > + > + system_records = IPASystemRecords(self.api) > + > + if options.get('dry_run'): > + result['ipa_records'] = output_to_list( > + system_records.get_base_records().items()) > + result['location_records'] = output_to_list( > + 
system_records.get_locations_records().items()) > + result['summary'] = unicode(_(u'List of IPA system DNS records.')) > + else: > + try: > + ( > + (success_base, failed_base), > + (success_loc, failed_loc), > + ) = system_records.update_dns_records() > + except IPADomainIsNotManagedByIPAError: > + result['value'] = False > + result['summary'] = unicode(_( > + u'IPA does not manage IPA domain zone itself (or IPA DNS ' > + u'subsystem is not installed), please add ' > + u'records to your DNS server manually' > + )) > + result['ipa_records'] = output_to_list( > + system_records.get_base_records().items()) > + else: > + result['ipa_records'] = output_to_list(success_base) > + result['failed_ipa_records'] = output_to_list_with_failed( > + failed_base) > + result['location_records'] = output_to_list(success_loc) > + result['failed_location_records'] = output_to_list_with_failed( > + failed_loc > + ) > + if failed_base or failed_loc: > + result['value'] = False > + result['summary'] = unicode(_( > + u"Not all IPA system DNS records were updated, please " > + u"update records or fix the failures and re-run " Did you mean "update the record manually or re-run"...? > + u"the update of records again")) > + else: > + result['summary'] = unicode(_( > + u'IPA system DNS records has been sucessfully updated' > + )) > + > + return result > -- 2.5.5 > > > freeipa-mbasti-0510-DNS-Locations-use-dns_update_service_records-in-inst.patch > > > From a38e1bac3c1f3a5f3c476bbd125ecf4431e87b26 Mon Sep 17 00:00:00 2001 
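Review bot: in the dns.py hunk adding dns_update_system_records, `takes_options = ( Flag('dry_run', ...) )` has no trailing comma, so it evaluates to the Flag object itself rather than a one-element tuple; write `takes_options = (Flag('dry_run', ...),)`. In the same hunk, "recors" in the Flag doc and "sucessfully" in the final summary are typos in user-visible strings, and that summary should read "records have been successfully updated".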
> From: Martin Basti > Date: Sun, 12 Jun 2016 18:05:48 +0200 > Subject: [PATCH 08/11] DNS Locations: use dns_update_service_records in > installers > > use the dns_update_system_records command to set proper DNS records > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/tools/ipa-csreplica-manage | 2 +- > install/tools/ipa-replica-manage | 1 - > ipaserver/install/bindinstance.py | 99 ++++++------------------------------- > ipaserver/install/ca.py | 2 +- > ipaserver/install/dns.py | 3 ++ > ipaserver/install/server/upgrade.py | 7 +-- > 6 files changed, 23 insertions(+), 91 deletions(-) > > diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage > index f271863b8f8a6addf630bf8d570adf039db64d89..a0a61b54013315c85c9c04c1746cd6d005b119d2 100755 > --- a/install/tools/ipa-csreplica-manage > +++ b/install/tools/ipa-csreplica-manage > @@ -286,7 +286,7 @@ def del_master(realm, hostname, options): > if bindinstance.dns_container_exists(options.host, api.env.basedn, > dm_password=options.dirman_passwd): > bind = bindinstance.BindInstance() > - bind.remove_ipa_ca_dns_records(hostname, realm.lower()) > + bind.update_system_records() > except Exception as e: > print("Failed to cleanup %s DNS entries: %s" % (hostname, e)) > print("You may need to manually remove them from the tree") > diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage > index 095cca68890cd0f6c4cba9faa2395ffa3b980fc0..5a546e33c3bb741b45503580d3602d6be12f1fa5 100755 > --- a/install/tools/ipa-replica-manage > +++ b/install/tools/ipa-replica-manage 
> @@ -898,7 +898,6 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options): > dm_password=options.dirman_passwd): > bind = bindinstance.BindInstance() > bind.remove_master_dns_records(hostname, realm, realm.lower()) > - bind.remove_ipa_ca_dns_records(hostname, realm.lower()) Shouldn't you replace both lines with a call to bind.update_system_records()? > bind.remove_server_ns_records(hostname) > > keysyncd = dnskeysyncinstance.DNSKeySyncInstance() > diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py > index 78e75359266bbefe7954242b98922272fb0c9194..e33da070147e39431a3982897f659d3ff7036896 100644 > --- a/ipaserver/install/bindinstance.py > +++ b/ipaserver/install/bindinstance.py > @@ -692,7 +692,6 @@ class BindInstance(service.Service): > self.step("setting up records for other masters", self.__add_others) > # all zones must be created before this step > self.step("adding NS record to the zones", self.__add_self_ns) > - self.step("setting up CA record", self.__add_ipa_ca_record) > > self.step("setting up kerberos principal", self.__setup_principal) > self.step("setting up named.conf", self.__setup_named_conf) > @@ -858,15 +857,7 @@ class BindInstance(service.Service): > else: > host_in_rr = normalize_zone(fqdn) > > - srv_records = ( > - ("_ldap._tcp", "0 100 389 %s" % host_in_rr), > - ("_kerberos._tcp", "0 100 88 %s" % host_in_rr), > - ("_kerberos._udp", "0 100 88 %s" % host_in_rr), > - ("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr), > - ("_kerberos-master._udp", "0 100 88 %s" % host_in_rr), > - ("_kpasswd._tcp", "0 100 464 %s" % host_in_rr), > - ("_kpasswd._udp", "0 100 464 %s" % host_in_rr), > - ) > + srv_records = () > if self.ntp: > srv_records += ( > ("_ntp._udp", "0 100 123 %s" % host_in_rr), This deserves FIXME because we have to fix it as soon as NTP role is merged.
> @@ -942,36 +933,6 @@ class BindInstance(service.Service): > # there is a CNAME record in ipa-ca, we can't add A/AAAA records > pass > > - def __add_ipa_ca_record(self): > - self.__add_ipa_ca_records(self.fqdn, self.ip_addresses, > - self.ca_configured) > - > - if self.first_instance: > - ldap = self.api.Backend.ldap2 > - try: > - entries = ldap.get_entries( > - DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), > - self.api.env.basedn), > - ldap.SCOPE_SUBTREE, '(&(objectClass=ipaConfigObject)(cn=CA))', > - ['dn']) > - except errors.NotFound: > - root_logger.debug('No server with CA found') > - entries = [] > - > - for entry in entries: > - fqdn = entry.dn[1]['cn'] > - if fqdn == self.fqdn: > - continue > - > - host, zone = fqdn.split('.', 1) > - if dns_zone_exists(zone, self.api): > - addrs = get_fwd_rr(zone, host, api=self.api) > - else: > - addrs = dnsutil.resolve_ip_addresses(fqdn) > - # hack, will go away with locations > - addrs = [str(addr) for addr in addrs] > - > - self.__add_ipa_ca_records(fqdn, addrs, True) > > def __setup_principal(self): > dns_principal = "DNS/" + self.fqdn + "@" + self.realm 
> @@ -1088,28 +1049,15 @@ class BindInstance(service.Service): > self.zonemgr = 'hostmaster.%s' % self.domain > > self.__add_self() > - self.__add_ipa_ca_record() > + self.update_system_records() > > - def add_ipa_ca_dns_records(self, fqdn, domain_name, ca_configured=True): > - host, zone = fqdn.split(".", 1) > - if dns_zone_exists(zone, self.api): > - addrs = get_fwd_rr(zone, host, api=self.api) > - else: > - addrs = dnsutil.resolve_ip_addresses(fqdn) > - # hack, will go away with locations > - addrs = [str(addr) for addr in addrs] > - > - self.domain = domain_name > - > - self.__add_ipa_ca_records(fqdn, addrs, ca_configured) > - > - def convert_ipa_ca_cnames(self, domain_name): > + def remove_ipa_ca_cnames(self, domain_name): > # get ipa-ca CNAMEs > cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api) > if not cnames: > return > > - root_logger.info('Converting IPA CA CNAME records to A/AAAA records') > + root_logger.info('Removing IPA CA CNAME records') > > # create CNAME to FQDN mapping > cname_fqdn = {} 
> @@ -1136,34 +1084,21 @@ class BindInstance(service.Service): > fqdn = cname_fqdn[cname] > if fqdn not in masters: > root_logger.warning( > - "Cannot convert IPA CA CNAME records to A/AAAA records, " > - "please convert them manually if necessary") > + "Cannot remove IPA CA CNAME please remove them manually " > + "if necessary") > return > > # delete all CNAMEs > for cname in cnames: > del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api) > > - # add A/AAAA records > - for cname in cnames: > - fqdn = cname_fqdn[cname] > - self.add_ipa_ca_dns_records(fqdn, domain_name, None) > - > def remove_master_dns_records(self, fqdn, realm_name, domain_name): > host, zone = fqdn.split(".", 1) > self.host = host > self.fqdn = fqdn > self.domain = domain_name > - suffix = ipautil.realm_to_suffix(realm_name) > > resource_records = ( > - ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr), > - ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), > - ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr), > - ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), > - ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr), > - ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr), > - ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr), > ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr), > ) 
> > @@ -1179,18 +1114,7 @@ class BindInstance(service.Service): > record = get_reverse_record_name(rzone, rdata) > del_rr(rzone, record, "PTR", normalize_zone(fqdn), > api=self.api) > - > - def remove_ipa_ca_dns_records(self, fqdn, domain_name): > - host, zone = fqdn.split(".", 1) > - if dns_zone_exists(zone, self.api): > - addrs = get_fwd_rr(zone, host, api=self.api) > - else: > - addrs = dnsutil.resolve_ip_addresses(fqdn) > - # hack, will go away with locations > - addrs = [str(addr) for addr in addrs] > - > - for addr in addrs: > - del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api) > + self.update_system_records() > > def remove_server_ns_records(self, fqdn): > """ > @@ -1224,6 +1148,15 @@ class BindInstance(service.Service): > root_logger.debug("record %s in zone %s", record, zone) > del_ns_rr(zone, record, ns_rdata, api=self.api) > > + def update_system_records(self): > + self.print_msg("Updating DNS system records") > + result = self.api.Command.dns_update_system_records() > + if not result['value']: > + root_logger.error("Update of following records failed") > + for attr in ('failed_ipa_records', 'failed_location_records'): > + for record, error in result.get(attr, []): > + root_logger.error("%s (%s)", record, error) > + > def check_global_configuration(self): > """ > Check global DNS configuration in LDAP server and inform user when it > diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py > index ac72c76883fda00e2f258a9ecfe9925722041fe9..bce804ac1c4e3eaf8dd08bed894ad45ea2d73ae1 100644 > --- a/ipaserver/install/ca.py > +++ b/ipaserver/install/ca.py > @@ -253,7 +253,7 @@ def install_step_1(standalone, replica_config, options): > # Install CA DNS records > if bindinstance.dns_container_exists(host_name, basedn, dm_password): > bind = bindinstance.BindInstance(dm_password=dm_password) > - bind.add_ipa_ca_dns_records(host_name, domain_name) > + bind.update_system_records() > > > def uninstall(): 
> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py > index 0fb869a7bab5b38f0a543b74220b2bb74888357f..2ea11739e07c73132bddee01309af618532e9815 100644 > --- a/ipaserver/install/dns.py > +++ b/ipaserver/install/dns.py > @@ -359,6 +359,9 @@ def install(standalone, replica, options, api=api): > dnskeysyncd.start_dnskeysyncd() > bind.start_named() > > + # this must be done when bind is started and operational > + bind.update_system_records() > + We need to investigate if this short delay is enough or if we need active waiting for BIND to come up. Will it work if first master is going to configure first zone and its host name is not resolvable? We have to test this. > if standalone: > print("==============================================================================") > print("Setup complete") > diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py > index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..c757813a07045295d2a6175795dbdc7f93369d36 100644 > --- a/ipaserver/install/server/upgrade.py > +++ b/ipaserver/install/server/upgrade.py > @@ -1094,12 +1094,9 @@ def add_ca_dns_records(): > > bind = bindinstance.BindInstance() > > - bind.convert_ipa_ca_cnames(api.env.domain) > + bind.remove_ipa_ca_cnames(api.env.domain) > > - # DNS is enabled, so let bindinstance find out if CA is enabled > - # and let it add the record in that case > - bind.add_ipa_ca_dns_records(api.env.host, api.env.domain, > - ca_configured=None) > + bind.update_system_records() > > sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) > > -- 2.5.5 > > > freeipa-mbasti-0511-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch > > > From e72248311a047f10f16c79b150df5e496aedeb01 Mon Sep 17 00:00:00 2001 
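Review bot: in the ipa-csreplica-manage hunk, replacing `bind.remove_ipa_ca_dns_records(hostname, realm.lower())` with `bind.update_system_records()` turns an explicit deletion into a regeneration: the removed method deleted the host's ipa-ca A/AAAA records (see the `del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api)` loop removed further down in bindinstance.py), while dns_update_system_records only reports what it updated. Please confirm that the update also prunes stale ipa-ca records for the master being deleted, otherwise clients keep resolving ipa-ca to a CA that no longer exists, and state that guarantee in the docstring of update_system_records().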
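Review bot: in the @@ -1224 hunk of bindinstance.py, update_system_records() logs "Update of following records failed" and then iterates failed_ipa_records and failed_location_records, but dns_update_system_records also returns value=False with both lists empty when it catches IPADomainIsNotManagedByIPAError; in that case the installer logs the header line and nothing else. Log result['summary'] as well, e.g. `root_logger.error("%s", result['summary'])`, before listing the failed records.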
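Review bot: in the @@ -1136 hunk of bindinstance.py, removing `suffix = ipautil.realm_to_suffix(realm_name)` leaves `realm_name` unused in the visible body of remove_master_dns_records(); either drop the parameter (and update the ipa-replica-manage caller accordingly) or keep the computation if something below the hunk still needs it.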
> From: Martin Basti > Date: Mon, 13 Jun 2016 12:09:27 +0200 > Subject: [PATCH 09/11] DNS Locations: adtrustinstance simplify dns management > > The path how to get IPA domain in code was somehow obfuscated, this > patch simplifies and make clear what happened there with domain name. > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/tools/ipa-adtrust-install | 2 +- > ipaserver/install/adtrustinstance.py | 14 ++++++-------- > 2 files changed, 7 insertions(+), 9 deletions(-) > > diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install > index 36caa5c2d429c6cf107df03e82aa80e15d8efe01..5babcdb7cb169e4a944acca55739064e0464d41e 100755 > --- a/install/tools/ipa-adtrust-install > +++ b/install/tools/ipa-adtrust-install > @@ -387,7 +387,7 @@ def main(): > smb = adtrustinstance.ADTRUSTInstance(fstore) > smb.realm = api.env.realm > smb.autobind = ipaldap.AUTOBIND_ENABLED > - smb.setup(api.env.host, api.env.realm, api.env.domain, > + smb.setup(api.env.host, api.env.realm, > netbios_name, reset_netbios_name, > options.rid_base, options.secondary_rid_base, > options.no_msdcs, options.add_sids, > diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py > index fb88e5596b649c49939913389bb78dc79e905322..a5c68604c5e97a6c6959147bb8c687d82176edee 100644 > --- a/ipaserver/install/adtrustinstance.py > +++ b/ipaserver/install/adtrustinstance.py > @@ -135,7 +135,6 @@ class ADTRUSTInstance(service.Service): > self.fqdn = None > self.host_netbios_name = None > self.realm = None > - self.domain_name = None > > service.Service.__init__(self, "smb", service_desc="CIFS", > dm_password=None, ldapi=True) 
> @@ -162,7 +161,6 @@ class ADTRUSTInstance(service.Service): > self.fqdn = self.fqdn or api.env.host > self.host_netbios_name = make_netbios_name(self.fqdn) > self.realm = self.realm or api.env.realm > - self.domain_name = self.domain_name or api.env.domain > > self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm > self.suffix = ipautil.realm_to_suffix(self.realm) > @@ -177,7 +175,7 @@ class ADTRUSTInstance(service.Service): > ('cn', 'etc'), > self.suffix) > > - self.smb_dom_dn = DN(('cn', self.domain_name), > + self.smb_dom_dn = DN(('cn', api.env.domain), > api.env.container_cifsdomains, > self.suffix) > > @@ -426,7 +424,7 @@ class ADTRUSTInstance(service.Service): > self.smb_dom_dn, > { > 'objectclass': [self.OBJC_DOMAIN, "nsContainer"], > - 'cn': [self.domain_name], > + 'cn': [api.env.domain], > self.ATTR_FLAT_NAME: [self.netbios_name], > self.ATTR_SID: [self.__gen_sid_string()], > self.ATTR_GUID: [str(uuid.uuid4())], > @@ -581,7 +579,7 @@ class ADTRUSTInstance(service.Service): > their values are used. Otherwise default values are used. > """ > > - zone = self.domain_name > + zone = api.env.domain > host_in_rr = normalize_zone(self.fqdn) > > priority = 0 > @@ -787,12 +785,12 @@ class ADTRUSTInstance(service.Service): > LDAPI_SOCKET = self.ldapi_socket, > FQDN = self.fqdn) > > - def setup(self, fqdn, realm_name, domain_name, netbios_name, > + def setup(self, fqdn, realm_name, netbios_name, > reset_netbios_name, rid_base, secondary_rid_base, > - no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False): > + no_msdcs=False, add_sids=False, smbd_user="samba", > + enable_compat=False): > self.fqdn = fqdn > self.realm = realm_name > - self.domain_name = domain_name > self.netbios_name = netbios_name > self.reset_netbios_name = reset_netbios_name > self.rid_base = rid_base > -- 2.5.5 > > > freeipa-mbasti-0512-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch > > > From 606e0f3808883709a8734d7121ee1581050b9b8d Mon Sep 17 00:00:00 2001 
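Review bot: the adtrustinstance.py hunk removes the positional `domain_name` parameter from `ADTRUSTInstance.setup()`, and the diffstat shows only ipa-adtrust-install being updated; any other caller that still passes `domain_name` positionally would not fail loudly but would shift `netbios_name`, `reset_netbios_name` and the RID bases by one argument. Please check for other setup() callers (replica and upgrade paths) and consider passing the remaining parameters by keyword at the call sites.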
> From: Martin Basti > Date: Mon, 13 Jun 2016 12:28:58 +0200 > Subject: [PATCH 10/11] DNS Locations: use automatic records update in > ipa-adtrust-install > > DNS records for adtrust is added by call dns_update_system_records > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ipaserver/install/adtrustinstance.py | 45 +++++++++--------------------------- > 1 file changed, 11 insertions(+), 34 deletions(-) > > diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py > index a5c68604c5e97a6c6959147bb8c687d82176edee..51d5f4f1c4b23ad418544939ee6182bc80dd517b 100644 > --- a/ipaserver/install/adtrustinstance.py > +++ b/ipaserver/install/adtrustinstance.py > @@ -32,10 +32,10 @@ import six > > from ipaserver.install import service > from ipaserver.install import installutils > -from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ > - dns_zone_exists > +from ipaserver.install.bindinstance import dns_zone_exists Is dns_zone_exists still used in adtrustinstance? Why? > from ipaserver.install.replication import wait_for_task > from ipalib import errors, api > +from ipalib.dns_data_management import IPASystemRecords > from ipalib.util import normalize_zone > from ipapython.dn import DN > from ipapython import sysrestore > @@ -580,17 +580,6 @@ class ADTRUSTInstance(service.Service): > """ > > zone = api.env.domain > - host_in_rr = normalize_zone(self.fqdn) > - > - priority = 0 > - > - ipa_srv_rec = ( > - ("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389), > - ("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88), > - ("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88), > - ) > - win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs", > - ".dc._msdcs") > > err_msg = None 
> > @@ -610,27 +599,15 @@ class ADTRUSTInstance(service.Service): > self.print_msg(err_msg) > self.print_msg("Add the following service records to your DNS " \ > "server for DNS zone %s: " % zone) > - for suff in win_srv_suffix: > - for srv in ipa_srv_rec: > - self.print_msg("%s%s IN SRV %s" % (srv[0], suff, " ".join(srv[1]))) > - self.print_msg("") > - return > - > - for (srv, rdata, port) in ipa_srv_rec: > - cifs_rdata = list() > - for fqdn in self.cifs_hosts: > - cifs_srv = self.srv_rec(fqdn, port, priority) > - cifs_rdata.append(cifs_srv) > - cifs_rdata.extend(rdata) > - > - for suff in win_srv_suffix: > - win_srv = srv+suff > - win_rdata = get_rr(zone, win_srv, "SRV") > - if win_rdata: > - for rec in win_rdata: > - del_rr(zone, win_srv, "SRV", rec) > - for rec in cifs_rdata: > - add_rr(zone, win_srv, "SRV", rec) > + system_records = IPASystemRecords(api) > + adtrust_recors = system_records.get_base_records( > + [self.fqdn], ["AD trust controller"], > + include_master_role=False, include_kerberos_realm=False) > + for r_name, node in adtrust_recors.items(): > + for rec in IPASystemRecords.records_list_from_node(r_name, node): > + self.print_msg(rec) > + else: > + api.Command.dns_update_system_records() > > def __configure_selinux_for_smbd(self): > try: > -- 2.5.5 > > > freeipa-mbasti-0513-DNS-Locations-server-mod-add-automatic-records-updat.patch > > > From cd2f01d1df07b338ca31fdadd9e053979cb3e67b Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Mon, 13 Jun 2016 13:32:25 +0200 > Subject: [PATCH 11/11] DNS Locations: server-mod: add automatic records update > > For any location or server weight change is required to update records > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ipalib/messages.py | 10 ++++++++++ > ipaserver/plugins/server.py | 8 ++++++++ > 2 files changed, 18 insertions(+) > > diff --git a/ipalib/messages.py b/ipalib/messages.py > index e863bdd495b55921c9e487794f5c9573a6166038..fcb86b38561d0f4a269b459080b81b6e9b58b93e 100644 
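Review bot: in the @@ -610 hunk of adtrustinstance.py, the `else:` branch discards the return value of `api.Command.dns_update_system_records()`; unlike BindInstance.update_system_records() it never inspects result['value'] or the failed_*_records lists, so a partial or failed update of the _msdcs SRV records goes unreported during ipa-adtrust-install. Check `result['value']` and print the failed records with self.print_msg(). Also `adtrust_recors` is misspelled (`adtrust_records`).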
> --- a/ipalib/messages.py > +++ b/ipalib/messages.py > @@ -395,6 +395,16 @@ class DNSForwardPolicyConflictWithEmptyZone(PublicMessage): > ) > > > +class SystemDNSRecordsUpdateFailed(PublicMessage): > + errno = 13022 > + type = "warning" > + format = _( > + "Automatic update of DNS system records failed with error: %(emsg)s. " > + "Please re-run update of system records manually to get list of " > + "missing records." > + ) > + > + > def iter_messages(variables, base): > """Return a tuple with all subclasses > """ > diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py > index eb40b97ad22b95a2054b6280140e48973b1ec229..23901e3daf36312d38a51d1b0964644793065c1d 100644 > --- a/ipaserver/plugins/server.py > +++ b/ipaserver/plugins/server.py > @@ -232,6 +232,14 @@ class server_mod(LDAPUpdate): > assert isinstance(dn, DN) > self.obj.convert_location(entry_attrs, **options) > self.obj.get_enabled_roles(entry_attrs) > + > + if 'ipalocation' or 'ipalocationweight' in entry_attrs: > + result = self.api.Command.dns_update_system_records() > + if not result.get('value'): > + self.add_message(messages.SystemDNSRecordsUpdateFailed( > + emsg=result.get('summary', _("Unknown error")) > + )) > + > return dn > > > -- 2.5.5 Besides nits above it seems good. I will test it tomorrow when you send next version of patches. -- Petr^2 Spacek From abokovoy at redhat.com Mon Jun 13 14:57:21 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 13 Jun 2016 17:57:21 +0300 Subject: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <575EBEF7.9010201@redhat.com> References: <575EBEF7.9010201@redhat.com> Message-ID: <20160613145721.eed3myq5kqe3pvcb@redhat.com> On Mon, 13 Jun 2016, thierry bordaz wrote: >This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >>From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 
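Review bot: in the server.py hunk, `if 'ipalocation' or 'ipalocationweight' in entry_attrs:` is always true, because the non-empty string 'ipalocation' is truthy on its own and only the second operand is tested for membership; every server-mod call would therefore trigger a DNS system records update. Write `if 'ipalocation' in entry_attrs or 'ipalocationweight' in entry_attrs:`.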
>From: Thierry Bordaz >Date: Wed, 8 Jun 2016 14:03:42 +0200 >Subject: [PATCH] Make sure ipapwd_extop takes precedence over > passwd_modify_extop > >DS core server provides a default plugin (passwd_modify_extop) to handle >1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) > >IPA delivers ipa_pwd_extop plugin that should take precedence over >the default DS plugin (passwd_modify_extop) >--- > install/updates/10-ipapwd.update | 9 +++++++++ > 1 file changed, 9 insertions(+) > create mode 100644 install/updates/10-ipapwd.update > >diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update >new file mode 100644 >index 0000000..d9bffa2 >--- /dev/null >+++ b/install/updates/10-ipapwd.update >@@ -0,0 +1,9 @@ >+dn: cn=ipa_pwd_extop,cn=plugins,cn=config >+# DS core server provides a default plugin (passwd_modify_extop) to handle >+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) >+# the pluginprecedence of the passwd_modify_extop is 50 (default value) >+# >+# IPA delivers ipa_pwd_extop plugin to handle that extended op >+# we need to make sure ipa_pwd_extop is called and so to set a lower >+# precedence value >+add:nsslapd-pluginprecedence: 49 Here is the problem: slapi-nis is 49 as well and it should be before ipa_pwd_extop. You need to update install/share/schema_compat.uldif and install/updates/10-schema_compat.update to get slapi-nis before ipa_pwd_extop. You also need to make sure we depend on the updated 389-ds-base package version. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Jun 13 15:06:51 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 13 Jun 2016 18:06:51 +0300 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <575EC4C9.7070901@redhat.com> References: <575EC4C9.7070901@redhat.com> Message-ID: <20160613150651.qppi3qwlajuscxbg@redhat.com> On Mon, 13 Jun 2016, thierry bordaz wrote: 
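Review bot: the 10-ipapwd.update hunk uses `add:nsslapd-pluginprecedence: 49`; on an instance whose ipa_pwd_extop entry already carries an explicit precedence value, `add:` appends a second value instead of replacing the existing one, and for a single-valued attribute the modify is then rejected. `only:nsslapd-pluginprecedence: 49` sets the value regardless of what is there and keeps the update idempotent across repeated runs of ipa-server-upgrade.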
>>From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 >From: Thierry Bordaz >Date: Fri, 10 Jun 2016 15:34:40 +0200 >Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop > plugin > >ipapwd_extop allows to update the password on a specific entry, identified by its DN. >It can be usefull to support virtual DN in the extop so that update of a virtual entry >would land into the proper real entry. > >If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value >of TARGET_DN, instead of using the original one (in the ber req) > >https://fedorahosted.org/freeipa/ticket/5946 >--- > .../ipa-pwd-extop/ipa_pwd_extop.c | 33 ++++++++++++++++------ > 1 file changed, 25 insertions(+), 8 deletions(-) > >diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >index 440e221..10fff30 100644 >--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) > char *attrlist[] = {"*", "passwordHistory", NULL }; > struct ipapwd_data pwdata; > int is_krb, is_smb, is_ipant; >- char *principal = NULL; >+ char *principal = NULL; > Slapi_PBlock *chpwop_pb = NULL; >+ Slapi_DN *target_sdn = NULL; >+ char *target_dn = NULL; > > /* Get the ber value of the extended operation */ > slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
>@@ -327,13 +329,28 @@ parse_req_done: > } > } > >- /* Determine the target DN for this operation */ >- /* Did they give us a DN ? */ >- if (dn == NULL || *dn == '\0') { >- /* Get the DN from the bind identity on this connection */ >- dn = slapi_ch_strdup(bindDN); >- LOG_TRACE("Missing userIdentity in request, " >- "using the bind DN instead.\n"); >+ /* Determine the target DN for this operation */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >+ target_dn = slapi_sdn_get_ndn(target_sdn); >+ if (target_dn) { can you please use the same style for writing comparisons as the file is already using? if (!(target_dn == NULL || *target_dn == '\0')) { ... } >+ /* At this point if SLAPI_TARGET_SDN was set that means >+ * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >+ * So take this one rather that the raw one that is in the ber >+ */ >+ LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); >+ slapi_ch_free_string(&dn); >+ dn = slapi_ch_strdup(target_dn); >+ slapi_sdn_free(&target_sdn); >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >+ } else { >+ /* Did they give us a DN ? */ >+ if (dn == NULL || *dn == '\0') { >+ /* Get the DN from the bind identity on this connection */ >+ dn = slapi_ch_strdup(bindDN); >+ LOG_TRACE("Missing userIdentity in request, " >+ "using the bind DN instead.\n"); >+ } >+ LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); > } > > if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { >-- >2.5.0 > -- / Alexander Bokovoy From tbordaz at redhat.com Mon Jun 13 15:36:25 2016
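Review bot: in the @@ -207 hunk, `char *target_dn` receives the result of `slapi_sdn_get_ndn()`, which returns `const char *`; declare it `const char *target_dn = NULL;` so the qualifier is not discarded (the value is only read and then copied with slapi_ch_strdup()). The `char *principal = NULL;` line is a whitespace-only change that does not belong in this patch.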
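Review bot: in the @@ -327 hunk, `target_sdn` starts out NULL and, per the comment, is only set when a SLAPI_PLUGIN_PRE_EXTOP_FN plugin provides it, yet it is handed to `slapi_sdn_get_ndn()` before any NULL check; guard the lookup with `if (target_sdn != NULL)` and only then apply the empty-string test Alexander asked for, rather than relying on the callee tolerating a NULL SDN. Two further points in the same hunk: `slapi_sdn_free(&target_sdn)` assumes the pre-extop plugin transferred ownership of that Slapi_DN to ipa_pwd_extop, which the comment should say to avoid a later double free; and because `dn` is replaced before it is stored as SLAPI_ORIGINAL_TARGET, whatever downstream code reads that slot (including access control) now sees the real entry's DN rather than the virtual DN the client named, so the comment should state that the bound identity must be authorised on the real entry.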
From: tbordaz at redhat.com (thierry bordaz) Date: Mon, 13 Jun 2016 17:36:25 +0200 Subject: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <20160613145721.eed3myq5kqe3pvcb@redhat.com> References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> Message-ID: <575ED2F9.6010107@redhat.com> On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: > On Mon, 13 Jun 2016, thierry bordaz wrote: >> This is the fix for https://fedorahosted.org/freeipa/ticket/5944 > >>> From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001 >> From: Thierry Bordaz >> Date: Wed, 8 Jun 2016 14:03:42 +0200 >> Subject: [PATCH] Make sure ipapwd_extop takes precedence over >> passwd_modify_extop >> >> DS core server provides a default plugin (passwd_modify_extop) to handle >> 1.3.6.1.4.1.4203.1.11.1 extended op >> (https://www.ietf.org/rfc/rfc3062.txt) >> >> IPA delivers ipa_pwd_extop plugin that should take precedence over >> the default DS plugin (passwd_modify_extop) >> --- >> install/updates/10-ipapwd.update | 9 +++++++++ >> 1 file changed, 9 insertions(+) >> create mode 100644 install/updates/10-ipapwd.update >> >> diff --git a/install/updates/10-ipapwd.update >> b/install/updates/10-ipapwd.update >> new file mode 100644 >> index 0000000..d9bffa2 >> --- /dev/null >> +++ b/install/updates/10-ipapwd.update 
>> @@ -0,0 +1,9 @@ >> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config >> +# DS core server provides a default plugin (passwd_modify_extop) to >> handle >> +# 1.3.6.1.4.1.4203.1.11.1 extended op >> (https://www.ietf.org/rfc/rfc3062.txt) >> +# the pluginprecedence of the passwd_modify_extop is 50 (default value) >> +# >> +# IPA delivers ipa_pwd_extop plugin to handle that extended op >> +# we need to make sure ipa_pwd_extop is called and so to set a lower >> +# precedence value >> +add:nsslapd-pluginprecedence: 49 > Here is the problem: slapi-nis is 49 as well and it should be before > ipa_pwd_extop. > > You need to update install/share/schema_compat.uldif and > install/updates/10-schema_compat.update to get slapi-nis before > ipa_pwd_extop. ipapwd_plugin registers extendedop callback but slapi-nis does not. So I do not think they will "fight" for precedence. Even if slapi-nis register perextendedop they will be on different lists and it should not create any issue. Now I understand that slapi-nis must run with a precedence that should be lower than most of the others plugins. Currently it is 49, are you ok with a value like 40 ? > You also need to make sure we depend on the updated 389-ds-base package > version. Good ! Now with this dependency we should wait for 389-ds 1.3.5.5 to be available, I will resend the review when it will be available. thanks for the review thierry From mharmsen at redhat.com Mon Jun 13 15:53:56 2016 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 13 Jun 2016 09:53:56 -0600 Subject: [Freeipa-devel] Updated External EPEL CentOS 7 COPR builds are now available . . . Message-ID: <575ED714.5060100@redhat.com> An updated external EPEL CentOS 7 COPR repo is now available which contains Dogtag 10.3.2 builds: * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.2/repo/epel-7/group_pki-10.3.2-epel-7.repo [group_pki-10.3.2] name=Copr repo for 10.3.2 owned by @pki baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.2/epel-7-$basearch/ skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.2/pubkey.gpg enabled=1 enabled_metadata=1 -- Matt From mbasti at redhat.com Mon Jun 13 15:56:57 2016
From: mbasti at redhat.com (Martin Basti) Date: Mon, 13 Jun 2016 17:56:57 +0200 Subject: [Freeipa-devel] [PATCHES 0146-0152] Server Roles v2 In-Reply-To: <821ddea0-22b9-ad2e-7334-dffbab36d20d@redhat.com> References: <86eaf32c-e97a-b80b-27e5-d069399c100d@redhat.com> <42089226-da61-3838-6ab2-2e9f3a216949@redhat.com> <024930d7-b156-a2f3-06a4-09cd79869d7f@redhat.com> <55dac7f8-6f18-77e7-35dc-56c0882f3906@redhat.com> <9310f244-5a4a-e075-651c-d449445ec0d6@redhat.com> <821ddea0-22b9-ad2e-7334-dffbab36d20d@redhat.com> Message-ID: <3252bb54-92b4-c8cf-f6c0-38e2d5a199b5@redhat.com> On 13.06.2016 07:26, Jan Cholasta wrote: > On 12.6.2016 17:29, Martin Babinsky wrote: >> On 06/10/2016 05:42 PM, Martin Babinsky wrote: >>> On 06/10/2016 02:22 PM, Jan Cholasta wrote: >>>> On 9.6.2016 17:06, Martin Babinsky wrote: >>>>> On 06/09/2016 03:54 PM, Petr Vobornik wrote: >>>>>> On 06/09/2016 01:02 PM, Martin Babinsky wrote: >>>>>>> On 06/07/2016 07:01 PM, Pavel Vomacka wrote: >>>>>>>> >>>>>>>> >>>>>>>> On 06/07/2016 12:07 PM, Martin Babinsky wrote: >>>>>>>>> On 06/03/2016 05:25 PM, Martin Babinsky wrote: >>>>>>>>>> I am sending rebased patches implementing >>>>>>>>>> http://www.freeipa.org/page/V4/Server_Roles >>>>>>>>>> >>>>>>>>>> I hope the patches work since I have had a lot of fun rebasing >>>>>>>>>> them on >>>>>>>>>> top of thin client and DNS locations effort. >>>>>>>>>> >>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5181 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> Sending updated patches according to Jan's interactive review. >>>>>>>>> >>>>>>>>> Since the name of attributes returned by API commands and >>>>>>>>> signature of >>>>>>>>> `server-role-find` have changed, a small update in WebUI >>>>>>>>> patches is >>>>>>>>> required. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> NACK, why did you remove sizelimit from server_role_find >>>>>>>> command's? Is >>>>>>>> it possible to return it back? It breaks WebUI. 
>>>>>>> >>>>>>> Indeed, this was caused by changing the base class of the command. >>>>>>> It is >>>>>>> fixed in updated patches. >>>>>>> >>>>>> >>>>>> NACK >>>>>> >>>>>> Option timelimit? of command server_role_find in ipalib, not in API >>>>>> file: >>>>>> Int('timelimit?', autofill=False) >>>>>> Option sizelimit? of command server_role_find in ipalib, not in API >>>>>> file: >>>>>> Int('sizelimit?', autofill=False) >>>>>> >>>>>> There are one or more changes to the API. >>>>>> Either undo the API changes or update API.txt and increment the >>>>>> major >>>>>> version in VERSION. >>>>>> Makefile:159: recipe for target 'version-update' failed >>>>>> make: *** [version-update] Error 1 >>>>>> >>>>> >>>>> Oops, seems like a missed API.txt update. >>>>> >>>>> Fixed. >>>> >>>> "ipa server-role-find" does not return the "IPA master" role for my >>>> server ("ipa-server-role $HOSTNAME 'IPA master'" does). >>>> >>> This is intentional since we discussed during the design phase[1] that >>> "IPA master" role should be implicit and not shown to the user in >>> server-show and server-role-find operation. This however does not >>> preclude you to query its status manually if you know the role name. >>> >>> [1] http://www.freeipa.org/page/V4/Server_Roles#Server_Roles > > OK. There should be an option to get everything, though (can be added > later, I guess). > >>> >>>> I would rather skip the option altogether rather than hide it: >>>> >>>> + # we do not want to test negative membership for roles >>>> + # hide it from CLI >>>> + elif option.name == 'no_servrole': >>>> + option = option.clone(flags={'no_option'}) >>>> >>> So something like: >>> >>> elif option.name == 'no_servrole': >>> continue >>> >>> should do the trick? > > Correct. > >>>> The patches need a rebase (VERSION). >>>> >>>> Otherwise LGTM. >>>> >>> >>> Ok I will send fixed patches ASAP. >>> >> >> Attaching rebased patches. 'no_servrole' option is now skipped and does >> not show in the API. > > Good. ACK. 
> Functional tests: ACK

pushed to master:
* 7e2bef0b9f36a90902784be9363cbcb5ba4221b4 Server Roles: definitions of server roles and attributes
* d07b7e0f6fe62eb10edcc7d3a4e884e5c8fd1d29 Server Roles: Backend plugin to query roles and attributes
* 40d8dded7fc1e71621516da9197c736057c0b6e4 Test suite for `serverroles` backend
* 80cbddaa37241e5c762edb656e4c658e652c87ef Server Roles: public API for server roles
* b9aa31191b3067aced1432daa06d18b4382cd77f Server Roles: make server-{show,find} utilize role information
* 5f7086e7183f0fcfece2bdd5be3d1ea17384717b Server Roles: make *config-show consume relevant roles/attributes
* 21def4fde0b09a256fad3231a9042219f707fc8a Server Roles: provide an API for setting CA renewal master

From abokovoy at redhat.com Mon Jun 13 16:01:31 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 13 Jun 2016 19:01:31 +0300
Subject: [Freeipa-devel] [PATCH] 0019 ipapwd_extop should take precedence over default DS plugin
In-Reply-To: <575ED2F9.6010107@redhat.com>
References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> <575ED2F9.6010107@redhat.com>
Message-ID: <20160613160131.mqhy2aatb3rz3gn7@redhat.com>

On Mon, 13 Jun 2016, thierry bordaz wrote:
>
>
>On 06/13/2016 04:57 PM, Alexander Bokovoy wrote:
>>On Mon, 13 Jun 2016, thierry bordaz wrote:
>>>This is the fix for https://fedorahosted.org/freeipa/ticket/5944
>>
>>>>From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 2001
>>>From: Thierry Bordaz >>>Date: Wed, 8 Jun 2016 14:03:42 +0200 >>>Subject: [PATCH] Make sure ipapwd_extop takes precedence over >>>passwd_modify_extop >>> >>>DS core server provides a default plugin (passwd_modify_extop) to handle >>>1.3.6.1.4.1.4203.1.11.1 extended op >>>(https://www.ietf.org/rfc/rfc3062.txt) >>> >>>IPA delivers ipa_pwd_extop plugin that should take precedence over >>>the default DS plugin (passwd_modify_extop) >>>--- >>>install/updates/10-ipapwd.update | 9 +++++++++ >>>1 file changed, 9 insertions(+) >>>create mode 100644 install/updates/10-ipapwd.update >>> >>>diff --git a/install/updates/10-ipapwd.update >>>b/install/updates/10-ipapwd.update >>>new file mode 100644 >>>index 0000000..d9bffa2 >>>--- /dev/null >>>+++ b/install/updates/10-ipapwd.update 
>>>@@ -0,0 +1,9 @@ >>>+dn: cn=ipa_pwd_extop,cn=plugins,cn=config >>>+# DS core server provides a default plugin (passwd_modify_extop) >>>to handle >>>+# 1.3.6.1.4.1.4203.1.11.1 extended op >>>(https://www.ietf.org/rfc/rfc3062.txt) >>>+# the pluginprecedence of the passwd_modify_extop is 50 (default value) >>>+# >>>+# IPA delivers ipa_pwd_extop plugin to handle that extended op >>>+# we need to make sure ipa_pwd_extop is called and so to set a lower >>>+# precedence value >>>+add:nsslapd-pluginprecedence: 49 >>Here is the problem: slapi-nis is 49 as well and it should be before >>ipa_pwd_extop. >> >>You need to update install/share/schema_compat.uldif and >>install/updates/10-schema_compat.update to get slapi-nis before >>ipa_pwd_extop. >ipapwd_plugin registers extendedop callback but slapi-nis does not. So >I do not think they will "fight" for precedence. >Even if slapi-nis register perextendedop they will be on different >lists and it should not create any issue. > >Now I understand that slapi-nis must run with a precedence that should >be lower than most of the others plugins. Currently it is 49, are you >ok with a value like 40 ? I'm OK with 40, yes. The precedence applies to all callbacks, not just to preextendedop, so a BIND callback would be affected too. >>You also need to make sure we depend on the updated 389-ds-base package >>version. > >Good ! >Now with this dependency we should wait for 389-ds 1.3.5.5 to be >available, I will resend the review when it will be available. Yep, thanks. -- / Alexander Bokovoy From mbasti at redhat.com Mon Jun 13 16:05:45 2016 
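Review bot: The `+add:nsslapd-pluginprecedence: 49` line in the 10-ipapwd.update hunk uses `add:`, which appends a value; nsslapd-pluginprecedence is single-valued, so on an instance where the attribute is already present with a different value the update would try to add a second value rather than replace it. `only:nsslapd-pluginprecedence: 49` states the intended end state and stays idempotent across re-runs of the updater. Two further points from the visible lines: the diffstat lists only the new `install/updates/10-ipapwd.update` (create mode 100644) with no matching entry in `install/updates/Makefile.am`, so the file would not be installed; and since 49 is the value slapi-nis already uses, whatever value is finally chosen should be recorded in the comment block next to the "default value is 50" remark so the relative ordering is documented in the file itself.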
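The update-file syntax and the precedence ordering argued over above, as an added example that is not FreeIPA's own code: a small parser for the `directive:attribute: value` form of IPA update files, applied to a constructed copy of the proposed 10-ipapwd.update, plus a check that the chosen value keeps ipa_pwd_extop ahead of passwd_modify_extop (default 50) and behind slapi-nis (the 40 agreed in the thread). The directive set and the single-valued attribute list are assumptions of this example.

```python
"""Parser and precedence check for IPA LDAP update files.

Added example, not FreeIPA's code.  It models the ipa-ldap-updater line
format ("dn:" starts an entry, then "directive:attribute: value"), applies
it to the 10-ipapwd.update text proposed in the thread, and checks the
plugin ordering the discussion settled on.
"""
import re
from collections import OrderedDict

# Directives of the update-file format this example understands (assumption).
DIRECTIVES = {"add", "addifnew", "addifexist", "default", "only",
              "onlyifexist", "remove", "replace"}

# 389-ds runs plugins in ascending nsslapd-pluginprecedence order; 50 is the
# default when the attribute is absent (value quoted in the thread).
DEFAULT_PRECEDENCE = 50

# Attributes that hold a single value only (assumption documented here).
SINGLE_VALUED = {"nsslapd-pluginprecedence"}

_ENTRY_LINE = re.compile(r"^(?P<directive>[a-z]+):(?P<attr>[^:]+):\s*(?P<value>.*)$")


def parse_update(text, suffix="dc=ipa,dc=example"):
    """Return an OrderedDict {dn: [(directive, attribute, value), ...]}.

    Blank lines and '#' comments are ignored; $SUFFIX is substituted in DNs
    and values.  Malformed lines raise ValueError instead of being skipped.
    """
    entries = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn:"):
            current = line[3:].strip().replace("$SUFFIX", suffix)
            entries.setdefault(current, [])
            continue
        match = _ENTRY_LINE.match(line)
        if current is None or match is None:
            raise ValueError("malformed update line: %r" % raw)
        directive = match.group("directive")
        if directive not in DIRECTIVES:
            raise ValueError("unknown directive %r" % directive)
        entries[current].append((directive,
                                 match.group("attr").strip().lower(),
                                 match.group("value").strip().replace("$SUFFIX", suffix)))
    return entries


# Constructed copy of the install/updates/10-ipapwd.update from the patch.
IPAPWD_UPDATE = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
# DS core server provides a default plugin (passwd_modify_extop) to handle
# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)
# the pluginprecedence of the passwd_modify_extop is 50 (default value)
add:nsslapd-pluginprecedence: 49
"""


def precedence_from_update(entries, plugin_cn):
    """Precedence value the update file sets for cn=<plugin_cn>, or None."""
    dn = "cn=%s,cn=plugins,cn=config" % plugin_cn
    for _directive, attr, value in entries.get(dn, []):
        if attr == "nsslapd-pluginprecedence":
            return int(value)
    return None


def single_valued_add_conflicts(entries):
    """(dn, attribute) pairs where 'add:' targets a single-valued attribute.

    Where the attribute already exists with another value this would try to
    add a second value; 'only:' expresses the intended end state instead.
    """
    return [(dn, attr) for dn, ops in entries.items()
            for directive, attr, _value in ops
            if directive == "add" and attr in SINGLE_VALUED]


def check_ordering(precedences):
    """Return a list of problems for {plugin: precedence-or-None}.

    Rules from the thread: ipa_pwd_extop must run before passwd_modify_extop
    and slapi-nis must run before ipa_pwd_extop.  Equal values are flagged
    because precedence then no longer defines the relative order.
    """
    def prec(name):
        value = precedences.get(name)
        return DEFAULT_PRECEDENCE if value is None else value

    problems = []
    for first, second in (("ipa_pwd_extop", "passwd_modify_extop"),
                          ("slapi-nis", "ipa_pwd_extop")):
        if prec(first) >= prec(second):
            problems.append("%s (%d) does not run before %s (%d)"
                            % (first, prec(first), second, prec(second)))
    return problems
```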
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 13 Jun 2016 18:05:45 +0200
Subject: [Freeipa-devel] [PATCH 0103-4] installer: Fix single command replica install with --setup-dns
In-Reply-To: <15e27dc9-e70c-1225-e57b-c89f86043171@redhat.com>
References: <15e27dc9-e70c-1225-e57b-c89f86043171@redhat.com>
Message-ID:

On 09.06.2016 16:16, Martin Babinsky wrote:
> On 06/09/2016 08:16 AM, David Kupka wrote:
>> Should go into master, ipa-4-3 and ipa-4-2.
>>
>> https://fedorahosted.org/freeipa/ticket/5945
> Works for me, ACK
>

Pushed to master:
* 54318d1a2c5133fc3a735872b7edc3cfacb032f9 installer: positional_arguments must be tuple or list of strings
* 9f48c396497bd3e07045838d23afbb0d051dc136 installer: index() raises ValueError

ipa-4-3:
* 160379bd21bcda62cd70eab83cbc6c7ed56e9bda installer: positional_arguments must be tuple or list of strings
* 2909be8246c7781a3e9a26fd00e9e4044b0f334d installer: index() raises ValueError

ipa-4-2:
* 48aa3beab5267d3277b84ac9eae8bf30ddce653e installer: positional_arguments must be tuple or list of strings
* 46802c8afb9bedef23103537806ab21bae9f871c installer: index() raises ValueError

From ftweedal at redhat.com Mon Jun 13 16:19:27 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Jun 2016 02:19:27 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> References: <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> Message-ID: <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote: > > > > > > > > Hi Fraser, > > > > > > > > during functional review I found the following issues: > > > > > > > > 1.) > > > > > > > > If I create a CAACL rule tied to a specific sub-CA let's say for user > > > > certificate issuance: > > > > > > > > """ > > > > ipa caacl-show user_cert_issuance > > > > Enabled: TRUE > > > > User category: all > > > > CAs: user_sub_ca > > > > Profiles: caIPAuserCert > > > > ACL name: user_cert_issuance > > > > > > > > """ > > > > > > > > I can still happily request certificate for a user using root-CA: > > > > > > > > """ > > > > ipa cert-request cert.csr --principal jdoe --ca ipa > > > > Certificate: MIID9j.../Ov8mkjFA== > > > > Subject: CN=jdoe,O=IPA.TEST > > > > Issuer: CN=Certificate Authority,O=IPA.TEST > > > > ... > > > > """ > > > > > > > > should not this be denied by CA-ACL rule? 
> > > > > > > > The default IPA CAACL rule is like this: > > > > > > > > """ > > > > ipa caacl-show hosts_services_caIPAserviceCert > > > > Enabled: TRUE > > > > Host category: all > > > > Service category: all > > > > Profiles: caIPAserviceCert > > > > ACL name: hosts_services_caIPAserviceCert > > > > > > > > """ > > > > > > > > so the default rule should not allow users to request certs at all. > > > > > > > Yes, these should be denied. Looking into it. > > > > > Were you using 'admin' account to request the cert? admin has > > permission 'Request Certificate ignoring CA ACLs' via the > > 'Certificate Manager' privilege. > > > > If so, please try again with less privileges (e.g. self-service as > > jdoe). > > > > You were right when I was requesting certs as user principals themselves > everything worked as expected. > > Regarding usb-CAs not present on replica, both machines run the following > version of dogtag CA: > > pki-ca-10.3.2-3.fc24.noarch > > Here are the last 256 lines of the debug log: > > http://paste.fedoraproject.org/378512/65828332 > Thanks for that. It seems there are two issues. The first one is: Unable to read key retriever class from CS.cfg: Property features.authority.keyRetrieverClass missing value This happens only on replica, until the first restart of Dogtag after installation. I have attached a patch to fix it. The second issue is: Failed to update certificate This needs to be fixed in Dogtag, however, the error is not triggered if the key retrieval succeeds when the replica first observes the addition of a new CA. The attached patch does help in this regard, so apply it and I hope it will see you through the rest of the functional testing of my patches... I hope. Thank you for testing! Cheers, Fraser -------------- next part -------------- From 0eb877bd715033538b0cf3ef724d62c6b20d273f Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Tue, 14 Jun 2016 01:22:41 +1000 Subject: [PATCH] replica-install: configure key retriever before starting Dogtag After installing a replica, Dogtag's Lightweight CA key retrieval fails until Dogtag is restarted, because the already-running instance doesn't pick up the changes to CS.cfg. Configure the key retriever before the instance is started. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c7f3116f62ce1158a04af23f29439c4a1d1a102f..8dfb71528d2dc020e05ccd7ff42199218a1c0839 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1344,6 +1344,8 @@ class CAInstance(DogtagInstance): self.enable_pkix) self.step("set up client auth to db", self.__client_auth_to_db) self.step("destroying installation admin user", self.teardown_admin) + self.step("Configure lightweight CA key retrieval", + self.setup_lightweight_ca_key_retrieval) self.step("starting instance", self.start_instance) self.step("importing CA chain to RA certificate database", @@ -1362,8 +1364,6 @@ class CAInstance(DogtagInstance): self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) - self.step("Configure lightweight CA key retrieval", - self.setup_lightweight_ca_key_retrieval) self.step("enabling CA instance", self.__enable_instance) -- 2.5.5 From pvomacka at redhat.com Mon Jun 13 17:48:58 2016 
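Review bot: Moving the "Configure lightweight CA key retrieval" step ahead of "starting instance" in cainstance.py means setup_lightweight_ca_key_retrieval now runs while Dogtag is stopped; the commit message says the step edits CS.cfg, which is consistent with that, but the hunk shows only the reordering, so please confirm the method does nothing that needs a running CA (REST calls, writes through the CA's own LDAP connection) and that the same ordering holds on the non-replica install path. Style nit: the step label keeps an initial capital while its neighbours (`set up client auth to db`, `starting instance`) are lowercase; `configuring lightweight CA key retrieval` would match.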
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 13 Jun 2016 19:48:58 +0200
Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs
In-Reply-To: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com>
References: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com>
Message-ID:

On 06/13/2016 06:55 AM, Fraser Tweedale wrote:
> On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote:
>> Hello,
>>
>> please review these new patches which add WebUI for Sub-CAs.
>>
>> https://fedorahosted.org/freeipa/ticket/5939
>>
> Hi Pavel, I have reviewed the functionality of the patches.
> Functionality is good - a few minor comments below.

Hello, thank you for the review.

> Patch 45:
>
> 1) In the main `Certificate Authorities' table, `Subject DN' is
> showing the DN of the IPA object, instead of the Subject DN.

Fixed.

> 2) In the `Certificate Authorities' detail table, there is an
> unlabelled row showing the DN of the IPA object. IMO we do not need
> to show this value at all.

The field has been removed.

> Patch 46:
>
> 3) I see a FIXME in certificate.js. The behaviour (default to IPA
> CA / 'ipa') is OK. Alternatively, you could allow the user to not
> specify a CA (this will allow the default - currently 'ipa' - to be
> controlled by server).

The FIXME comment has been removed.

> Patch 47:
>
> 4) For backwards compatibility, a CA ACL without any specified CAs
> (and not cacat=all) implies the 'ipa' CA. It would be good to
> indicate this in the UI somehow, or include a notice to explain.

I added a tooltip next to the checkbox on the adder dialog and also a note above the table with CAs in the CA ACL details view.

> Cheers,
> Fraser

--
Pavel^3 Vomacka

Attachment: freeipa-pvomacka-0045-2-Add-new-webui-plugin-ca.patch (text/x-patch, 4050 bytes)
Attachment: freeipa-pvomacka-0046-2-Extend-certificate-entity-page.patch (text/x-patch, 7772 bytes)
Attachment: freeipa-pvomacka-0047-2-Extend-caacl-entity.patch (text/x-patch, 8428 bytes)

From ftweedal at redhat.com Tue Jun 14 02:55:39 2016
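The CA ACL behaviour worked through in the two threads above, as an added example rather than FreeIPA's implementation: a simplified decision model for cert-request that covers the 'Request Certificate ignoring CA ACLs' bypass (which explains why admin's request against the root CA went through while jdoe's self-service request was denied) and the backwards-compatibility rule from Fraser's comment 4 that an ACL listing no CAs, and not cacat=all, implies the 'ipa' CA. The CAACL and Principal structures are illustrative assumptions; the two rules and the principal names come from the caacl-show output quoted in the thread.

```python
"""Simplified CA ACL decision model for cert-request.

Added example, not FreeIPA's implementation.  CAACL and Principal are
illustrative structures; the semantics follow the thread: a category of
'all' matches everything, an ACL that lists no CAs and is not cacat=all
implies the 'ipa' CA, and a requestor holding the permission
'Request Certificate ignoring CA ACLs' bypasses the ACL check entirely.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

IPA_CA_CN = "ipa"  # name of the IPA root CA (IPA_CA_CN in the plugin patch)
BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass(frozen=True)
class CAACL:
    name: str
    enabled: bool = True
    cacat: Optional[str] = None          # 'all' or None
    cas: FrozenSet[str] = frozenset()
    profilecat: Optional[str] = None
    profiles: FrozenSet[str] = frozenset()
    usercat: Optional[str] = None
    users: FrozenSet[str] = frozenset()
    hostcat: Optional[str] = None
    hosts: FrozenSet[str] = frozenset()
    servicecat: Optional[str] = None
    services: FrozenSet[str] = frozenset()

    def effective_cas(self) -> Optional[FrozenSet[str]]:
        """CAs this ACL covers; None means any CA (cacat=all)."""
        if self.cacat == "all":
            return None
        # backwards compatibility: no CA members means the IPA CA only
        return self.cas or frozenset({IPA_CA_CN})


@dataclass(frozen=True)
class Principal:
    kind: str                  # 'user', 'host' or 'service'
    name: str
    permissions: FrozenSet[str] = frozenset()


def acl_matches(acl: CAACL, subject: Principal, ca: str, profile: str) -> bool:
    """True if this ACL permits issuing `profile` from `ca` to `subject`."""
    if not acl.enabled:
        return False
    cas = acl.effective_cas()
    if cas is not None and ca not in cas:
        return False
    if acl.profilecat != "all" and profile not in acl.profiles:
        return False
    category, members = {
        "user": (acl.usercat, acl.users),
        "host": (acl.hostcat, acl.hosts),
        "service": (acl.servicecat, acl.services),
    }[subject.kind]
    return category == "all" or subject.name in members


def cert_request_allowed(acls, requestor: Principal, subject: Principal,
                         ca: str, profile: str) -> Tuple[bool, str]:
    """Decide a cert-request; returns (allowed, reason) suitable for audit logs."""
    if BYPASS_PERMISSION in requestor.permissions:
        return True, "requestor holds '%s'" % BYPASS_PERMISSION
    for acl in acls:
        if acl_matches(acl, subject, ca, profile):
            return True, "matched CA ACL '%s'" % acl.name
    return False, "no CA ACL permits %s from CA '%s' for %s" % (profile, ca, subject.name)


# Constructed rules mirroring the two caacl-show outputs quoted in the thread.
USER_ACL = CAACL("user_cert_issuance", usercat="all",
                 cas=frozenset({"user_sub_ca"}), profiles=frozenset({"caIPAuserCert"}))
DEFAULT_ACL = CAACL("hosts_services_caIPAserviceCert", hostcat="all", servicecat="all",
                    profiles=frozenset({"caIPAserviceCert"}))
ACLS = (USER_ACL, DEFAULT_ACL)

# Constructed principals: admin carries the bypass via 'Certificate Manager'.
ADMIN = Principal("user", "admin", frozenset({BYPASS_PERMISSION}))
JDOE = Principal("user", "jdoe")
WEBHOST = Principal("host", "web.ipa.test")

if __name__ == "__main__":
    for who, subj, ca, prof in ((ADMIN, JDOE, "ipa", "caIPAuserCert"),
                                (JDOE, JDOE, "ipa", "caIPAuserCert"),
                                (JDOE, JDOE, "user_sub_ca", "caIPAuserCert"),
                                (WEBHOST, WEBHOST, "ipa", "caIPAserviceCert"),
                                (WEBHOST, WEBHOST, "user_sub_ca", "caIPAserviceCert")):
        print(who.name, subj.name, ca, prof, cert_request_allowed(ACLS, who, subj, ca, prof))
```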
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 14 Jun 2016 12:55:39 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> References: <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160614025539.GX4744@dhcp-40-8.bne.redhat.com> On Tue, Jun 14, 2016 at 02:19:27AM +1000, Fraser Tweedale wrote: > On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote: > > > > > > > > > > Hi Fraser, > > > > > > > > > > during functional review I found the following issues: > > > > > > > > > > 1.) > > > > > > > > > > If I create a CAACL rule tied to a specific sub-CA let's say for user > > > > > certificate issuance: > > > > > > > > > > """ > > > > > ipa caacl-show user_cert_issuance > > > > > Enabled: TRUE > > > > > User category: all > > > > > CAs: user_sub_ca > > > > > Profiles: caIPAuserCert > > > > > ACL name: user_cert_issuance > > > > > > > > > > """ > > > > > > > > > > I can still happily request certificate for a user using root-CA: > > > > > > > > > > """ > > > > > ipa cert-request cert.csr --principal jdoe --ca ipa > > > > > Certificate: MIID9j.../Ov8mkjFA== > > > > > Subject: CN=jdoe,O=IPA.TEST > > > > > Issuer: CN=Certificate Authority,O=IPA.TEST > > > > > ... > > > > > """ > > > > > > > > > > should not this be denied by CA-ACL rule? 
> > > > > > > > > > The default IPA CAACL rule is like this: > > > > > > > > > > """ > > > > > ipa caacl-show hosts_services_caIPAserviceCert > > > > > Enabled: TRUE > > > > > Host category: all > > > > > Service category: all > > > > > Profiles: caIPAserviceCert > > > > > ACL name: hosts_services_caIPAserviceCert > > > > > > > > > > """ > > > > > > > > > > so the default rule should not allow users to request certs at all. > > > > > > > > > Yes, these should be denied. Looking into it. > > > > > > > Were you using 'admin' account to request the cert? admin has > > > permission 'Request Certificate ignoring CA ACLs' via the > > > 'Certificate Manager' privilege. > > > > > > If so, please try again with less privileges (e.g. self-service as > > > jdoe). > > > > > > > You were right when I was requesting certs as user principals themselves > > everything worked as expected. > > > > Regarding usb-CAs not present on replica, both machines run the following > > version of dogtag CA: > > > > pki-ca-10.3.2-3.fc24.noarch > > > > Here are the last 256 lines of the debug log: > > > > http://paste.fedoraproject.org/378512/65828332 > > > Thanks for that. It seems there are two issues. The first one is: > > Unable to read key retriever class from CS.cfg: Property > features.authority.keyRetrieverClass missing value > > This happens only on replica, until the first restart of Dogtag > after installation. I have attached a patch to fix it. > > The second issue is: > > Failed to update certificate > > > This needs to be fixed in Dogtag, however, the error is not > triggered if the key retrieval succeeds when the replica first > observes the addition of a new CA. The attached patch does help in > this regard, so apply it and I hope it will see you through the rest > of the functional testing of my patches... I hope. > > Thank you for testing! > > Cheers, > Fraser > Rebased patches attached (VERSION conflicts; no other changes). -------------- next part -------------- 
From efef047bec394c0a881a641f518ea41757ca66eb Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 14 May 2015 01:46:06 -0400 Subject: [PATCH 59/63] Add 'ca' plugin This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ACI.txt | 8 ++ API.txt | 64 +++++++++ VERSION | 4 +- install/conf/ipa-pki-proxy.conf | 4 +- install/share/60certificate-profiles.ldif | 4 + install/share/bootstrap-template.ldif | 6 + install/updates/41-lightweight-cas.update | 4 + install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipaserver/install/cainstance.py | 7 + ipaserver/install/server/upgrade.py | 16 ++- ipaserver/plugins/ca.py | 217 ++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 54 +++++++- 13 files changed, 385 insertions(+), 6 deletions(-) create mode 100644 install/updates/41-lightweight-cas.update create mode 100644 ipaserver/plugins/ca.py diff --git a/ACI.txt b/ACI.txt index 6f691f2a7b01f834006e3c796c14c256ee87faa6..a26e2dd4bcf7c75b93d2f11cfd470beb17b18873 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=automount,dc=ipa,dc=example aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow (write) groupdn = "ldap:///cn=System: Modify CA,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=cas,cn=ca,dc=ipa,dc=example +aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacaid || ipacaissuerdn || ipacasubjectdn || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow (compare,read,search) userdn = "ldap:///all";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example 
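Review bot: The `System: Read CAs` ACI in the ACI.txt hunk grants compare/read/search on ipaca entries, including ipacaid and ipacaissuerdn, to `userdn = "ldap:///all"`, i.e. every authenticated bind, while the Add, Delete and Modify CA permissions in the same hunk are group-scoped; if Dogtag authority IDs of sub-CAs are not meant to be visible to every principal, scope the read permission to a group as well, otherwise note in the plugin doc that CA metadata is readable by all. The `System: Modify CA` ACI limits writes to `cn || description`, which is consistent with the `no_update` flags on ipacaid, ipacasubjectdn and ipacaissuerdn in ca.py; since cn is writable, a rename via `ca_mod --rename` leaves the Dogtag authority (ipacaid) untouched, which is worth a sentence in the doc.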
diff --git a/API.txt b/API.txt index 68ce3560d17c1fb6b6c50a91b5bf6ba810204922..155299223311dab169a4dead6397ba41d8d863cc 100644 --- a/API.txt +++ b/API.txt 
@@ -450,12 +450,76 @@ arg: Any('methods*') option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) +command: ca_add +args: 1,7,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('description?', cli_name='desc') +option: DNParam('ipacasubjectdn', cli_name='subject') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_del +args: 1,2,3 +arg: Str('cn+', cli_name='name') +option: Flag('continue', autofill=True, cli_name='continue', default=False) +option: Str('version?') +output: Output('result', type=[]) +output: Output('summary', type=[, ]) +output: ListOfPrimaryKeys('value') +command: ca_find +args: 1,11,4 +arg: Str('criteria?') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cn?', autofill=False, cli_name='name') +option: Str('description?', autofill=False, cli_name='desc') +option: Str('ipacaid?', autofill=False, cli_name='id') +option: DNParam('ipacaissuerdn?', autofill=False, cli_name='issuer') +option: DNParam('ipacasubjectdn?', autofill=False, cli_name='subject') +option: Flag('pkey_only?', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Int('sizelimit?', autofill=False) +option: Int('timelimit?', autofill=False) +option: Str('version?') +output: Output('count', type=[]) +output: ListOfEntries('result') +output: Output('summary', type=[, ]) +output: Output('truncated', type=[]) command: ca_is_enabled args: 0,1,3 option: Str('version?') output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: ca_mod +args: 1,9,3 +arg: Str('cn', cli_name='name') +option: Str('addattr*', cli_name='addattr') 
+option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('delattr*', cli_name='delattr') +option: Str('description?', autofill=False, cli_name='desc') +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('rename?', cli_name='rename') +option: Flag('rights', autofill=True, default=False) +option: Str('setattr*', cli_name='setattr') +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') +command: ca_show +args: 1,4,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Flag('rights', autofill=True, default=False) +option: Str('version?') +output: Entry('result') +output: Output('summary', type=[, ]) +output: PrimaryKey('value') command: caacl_add args: 1,12,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 7c3e46a98607f3b94a0c98406ed13aa278440875..990f647af3dc486a2d0d1632444e845acb6e3d18 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=180 -# Last change: mbabink - Server Roles: provide an API for setting CA renewal master +IPA_API_VERSION_MINOR=181 +# Last change: ftweedal - add lightweight CAs plugin diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 4b5b6f727105610e01bab033d93b03932008463f..545f21253ec8895397e43a3c9637956e94f40293 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -1,4 +1,4 @@ -# VERSION 8 - DO NOT REMOVE THIS LINE +# VERSION 9 - DO NOT REMOVE THIS LINE ProxyRequests Off @@ -27,7 +27,7 @@ ProxyRequests Off # matches for CA REST API - + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient optional ProxyPassMatch ajp://localhost:$DOGTAG_PORT 
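Review bot: In the ipa-pki-proxy.conf hunk the directive that follows `# matches for CA REST API` has been lost in the archived text (only `- +` survives), so the widening of proxy access to the Dogtag lightweight CA REST API that the commit message describes cannot be reviewed from here; please make sure the pattern admits only the authorities endpoints intended and that `NSSVerifyClient optional` is what those endpoints need, since the block exports client certificate data to the backend. The `# VERSION 9` bump is present. In API.txt, `ca_add` takes `ipacasubjectdn` as a required option and `ca_mod` omits it entirely, consistent with `no_update`; add a line to the plugin doc saying the subject DN is fixed at creation so callers do not try `ca-mod --subject`.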
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif index 798c3a3b0e3ff2148a1ec8c2d4aed6522f4735e3..a87fe667d56768419dacf57103e347e88c945e2a 100644 --- a/install/share/60certificate-profiles.ldif +++ b/install/share/60certificate-profiles.ldif 
@@ -4,5 +4,9 @@ attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.6 NAME 'ipaCaId' DESC 'Dogtag Authority ID' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.7 NAME 'ipaCaIssuerDN' DESC 'Issuer DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) +attributeTypes: (2.16.840.1.113730.3.8.21.1.8 NAME 'ipaCaSubjectDN' DESC 'Subject DN' SUP distinguishedName X-ORIGIN 'IPA v4.4 Lightweight CAs' ) objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' ) objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.21.2.3 NAME 'ipaCa' SUP top STRUCTURAL MUST ( cn $ ipaCaId $ ipaCaSubjectDN $ ipaCaIssuerDN ) MAY 
description X-ORIGIN 'IPA v4.4 Lightweight CAs' ) diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index f6ab35495ad7e9377404eb7a6b0bca26906f5421..da12ddf0ca887e8305402048ceed5d5b28816164 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -476,3 +476,9 @@ changetype: add objectClass: nsContainer objectClass: top cn: caacls + +dn: cn=cas,cn=ca,$SUFFIX +changetype: add +objectClass: nsContainer +objectClass: top +cn: cas diff --git a/install/updates/41-lightweight-cas.update b/install/updates/41-lightweight-cas.update new file mode 100644 index 0000000000000000000000000000000000000000..72313e2ab12ab520eb12ade404fb5b6dd55a9d71 --- /dev/null +++ b/install/updates/41-lightweight-cas.update @@ -0,0 +1,4 @@ +dn: cn=cas,cn=ca,$SUFFIX +default: objectClass: nsContainer +default: objectClass: top +default: cn: cas diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index fde69175caaee296577b8b990084e6f7619a8620..455fd209d171888dc94a7f708dc5fa1743f62bf4 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -39,6 +39,7 @@ app_DATA = \ 40-otp.update \ 40-vault.update \ 41-caacl.update \ + 41-lightweight-cas.update \ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ diff --git a/ipalib/constants.py b/ipalib/constants.py index 97dff1d805a4f77469882103ab63cdb0fa55a024..05ba1adbbf215680c9c23963fc8c90c4bfca4ce8 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -122,6 +122,7 @@ DEFAULT_CONFIG = ( ('container_topology', DN(('cn', 'topology'), ('cn', 'ipa'), ('cn', 'etc'))), ('container_caacl', DN(('cn', 'caacls'), ('cn', 'ca'))), ('container_locations', DN(('cn', 'locations'), ('cn', 'etc'))), + ('container_ca', DN(('cn', 'cas'), ('cn', 'ca'))), # Ports, hosts, and URIs: ('xmlrpc_uri', 'http://localhost:8888/ipa/xml'), 
@@ -265,3 +266,4 @@ REPL_AGMT_STRIP_ATTRS = ('modifiersName', DOMAIN_SUFFIX_NAME = 'domain' CA_SUFFIX_NAME = 'ca' PKI_GSSAPI_SERVICE_NAME = 'dogtag' +IPA_CA_CN = u'ipa' diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index becb0b1728746bb2c432d08e92425ceb95bb261a..3e2576d058733c9859f4c5b003afdacf26408348 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1629,6 +1629,13 @@ def ensure_ldap_profiles_container(): ou=['certificateProfiles'], ) +def ensure_lightweight_cas_container(): + ensure_entry( + DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), + objectclass=['top', 'organizationalUnit'], + ou=['authorities'], + ) + def ensure_entry(dn, **attrs): server_id = installutils.realm_to_serverid(api.env.realm) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..81a49e8afa049aeaaf9abd2199f21e721eef2a20 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -345,6 +345,16 @@ def ca_import_included_profiles(ca): return cainstance.import_included_profiles() +def ca_ensure_lightweight_cas_container(ca): + root_logger.info('[Ensuring Lightweight CAs container exists in Dogtag database]') + + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + return cainstance.ensure_lightweight_cas_container() + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1438,7 +1448,10 @@ def ca_upgrade_schema(ca): root_logger.info('CA is not configured') return False - schema_files=['/usr/share/pki/server/conf/schema-certProfile.ldif'] + schema_files=[ + '/usr/share/pki/server/conf/schema-certProfile.ldif', + '/usr/share/pki/server/conf/schema-authority.ldif', + ] try: modified = schemaupdate.update_schema(schema_files, ldapi=True) except Exception as e: 
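Review bot: `ca_ensure_lightweight_cas_container` in upgrade.py returns the result of `cainstance.ensure_lightweight_cas_container()`, but the call added to `upgrade_configuration` discards it; if the boolean is meant to drive a later CA restart (as the surrounding upgrade steps do for their return values), the call site should capture it, otherwise the return can be dropped for clarity. Ordering: the container is created under `ou=authorities,ou=ca,o=ipaca` after the CA restart, and `ca_upgrade_schema` now also loads `schema-authority.ldif`; the organizationalUnit entry itself needs no new schema, but please confirm `ca_upgrade_schema` runs before Dogtag first writes authority entries beneath it on an upgraded server.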
@@ -1698,6 +1711,7 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) + ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py new file mode 100644 index 0000000000000000000000000000000000000000..ee98f0a2a9dc469d67676a3123d82ce519ba6d59 --- /dev/null +++ b/ipaserver/plugins/ca.py 
@@ -0,0 +1,217 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ipalib import api, errors, DNParam, Str +from ipalib.constants import IPA_CA_CN +from ipalib.plugable import Registry +from ipaserver.plugins.baseldap import ( + LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, + LDAPUpdate, LDAPRetrieve) +from ipaserver.plugins.cert import ca_enabled_check +from ipalib import _, ngettext + + +__doc__ = _(""" +Manage Certificate Authorities + +Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance +of X.509 certificates. + +EXAMPLES: + + Create new CA, subordinate to the IPA CA. + + ipa ca-add puppet --desc "Puppet" \\ + --subject "CN=Puppet CA,O=EXAMPLE.COM" + +""") + + +register = Registry() + + + at register() +class ca(LDAPObject): + """ + Lightweight CA Object + """ + container_dn = api.env.container_ca + object_name = _('Certificate Authority') + object_name_plural = _('Certificate Authorities') + object_class = ['ipaca'] + permission_filter_objectclasses = ['ipaca'] + default_attributes = [ + 'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn', + ] + rdn_attribute = 'cn' + rdn_is_primary_key = True + label = _('Certificate Authorities') + label_singular = _('Certificate Authority') + + takes_params = ( + Str('cn', + primary_key=True, + cli_name='name', + label=_('Name'), + doc=_('Name for referencing the CA'), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('Description of the purpose of the CA'), + ), + Str('ipacaid', + cli_name='id', + label=_('Authority ID'), + doc=_('Dogtag Authority ID'), + flags=['no_create', 'no_update'], + ), + DNParam('ipacasubjectdn', + cli_name='subject', + label=_('Subject DN'), + doc=_('Subject Distinguished Name'), + flags=['no_update'], + ), + DNParam('ipacaissuerdn', + cli_name='issuer', + label=_('Issuer DN'), + doc=_('Issuer Distinguished Name'), + flags=['no_create', 'no_update'], + ), + ) + + permission_filter_objectclasses 
= ['ipaca'] + managed_permissions = { + 'System: Read CAs': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + 'ipacaid', + 'ipacaissuerdn', + 'ipacasubjectdn', + 'objectclass', + }, + }, + 'System: Add CA': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Add CA";allow (add) groupdn = "ldap:///cn=Add CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Delete CA': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete CA";allow (delete) groupdn = "ldap:///cn=Delete CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + 'System: Modify CA': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': { + 'cn', + 'description', + }, + 'replaces': [ + '(targetattr = "cn || description")(target = "ldap:///cn=*,cn=cas,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify CA";allow (write) groupdn = "ldap:///cn=Modify CA,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'CA Administrator'}, + }, + } + + + at register() +class ca_find(LDAPSearch): + __doc__ = _("Search for CAs.") + msg_summary = ngettext( + '%(count)d CA matched', '%(count)d CAs matched', 0 + ) + + def execute(self, *keys, **options): + ca_enabled_check() + return super(ca_find, self).execute(*keys, **options) + + + at register() +class ca_show(LDAPRetrieve): + __doc__ = _("Display the properties of a CA.") + + def execute(self, *args, **kwargs): + ca_enabled_check() + return super(ca_show, self).execute(*args, **kwargs) + + + at register() +class ca_add(LDAPCreate): + __doc__ = _("Create a CA.") + msg_summary = _('Created CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options): + 
ca_enabled_check() + if not ldap.can_add(dn[1:]): + raise errors.ACIError( + info=_("Insufficient 'add' privilege for entry '%s'.") % dn) + + # check for name collision before creating CA in Dogtag + try: + api.Object.ca.get_dn_if_exists(keys[-1]) + self.obj.handle_duplicate_entry(*keys) + except errors.NotFound: + pass + + # Create the CA in Dogtag. + with self.api.Backend.ra_lightweight_ca as ca_api: + resp = ca_api.create_ca(options['ipacasubjectdn']) + entry['ipacaid'] = [resp['id']] + entry['ipacaissuerdn'] = [resp['issuerDN']] + + # In the event that the issued certificate's subject DN + # differs from what was requested, record the actual DN. + # + entry['ipacasubjectdn'] = [resp['dn']] + return dn + + + at register() +class ca_del(LDAPDelete): + __doc__ = _('Delete a CA.') + + msg_summary = _('Deleted CA "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + ca_enabled_check() + + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=_("IPA CA cannot be deleted")) + + ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + ca_api.delete_ca(ca_id) + + return dn + + + at register() +class ca_mod(LDAPUpdate): + __doc__ = _("Modify CA configuration.") + msg_summary = _('Modified CA "%(value)s"') + + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + ca_enabled_check() + + if 'rename' in options or 'cn' in entry_attrs: + if keys[0] == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=keys[0], + reason=u'IPA CA cannot be renamed') + + return dn diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c4dc4e8c3ea55a0e1b67870dfb8eee45af..20349b05f02c6e186275a822a487eb4733d75c7d 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py 
@@ -2073,7 +2073,10 @@ class RestClient(Backend): headers = headers or {} headers['Cookie'] = self.cookie - resource = os.path.join('/ca/rest', self.path, path) + if path is not None: + resource = os.path.join('/ca/rest', self.path, path) + else: + resource = os.path.join('/ca/rest', self.path) # perform main request status, resp_headers, resp_body = dogtag.https_request( @@ -2147,3 +2150,52 @@ class ra_certprofile(RestClient): Delete the profile from Dogtag """ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'}) + + + at register() +class ra_lightweight_ca(RestClient): + """ + Lightweight CA management backend plugin. + """ + path = 'authorities' + + def create_ca(self, dn): + """Create CA with the given DN. + + New CA is issued by IPA CA. Nested sub-CAs and unrelated + root CAs are not yet supported. + + Return the (parsed) JSON response from server. + + """ + + assert isinstance(dn, DN) + status, resp_headers, resp_body = self._ssldo( + 'POST', None, + headers={ + 'Content-type': 'application/json', + 'Accept': 'application/json', + }, + body=json.dumps({"parentID": "host-authority", "dn": unicode(dn)}), + ) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def read_ca(self, ca_id): + status, resp_headers, resp_body = self._ssldo( + 'GET', ca_id, headers={'Accept': 'application/json'}) + try: + return json.loads(resp_body) + except: + raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON")) + + def disable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/disable', + headers={'Accept': 'application/json'}, + ) + + def delete_ca(self, ca_id): + self._ssldo('DELETE', ca_id) -- 2.5.5 -------------- next part -------------- From b70618b7e80185d5d3db18f7d9b203bbdb89652c Mon Sep 17 00:00:00 2001 
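Review bot: the bare `except:` in `ra_lightweight_ca.create_ca` and `read_ca` catches everything, including KeyboardInterrupt and SystemExit, and reports it as "Response from CA was not valid JSON"; catch `ValueError` from `json.loads` instead. In the same two methods the `status` returned by `_ssldo` is never inspected, so if `_ssldo` does not already raise on a non-2xx response, a failure with a non-JSON error body surfaces as a JSON parse error rather than as the CA's own error; either check `status` or drop the unused variable. Minor: `delete_ca` is the only method that omits the `Accept: application/json` header.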
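Review bot: in `ca_add.pre_callback` the Dogtag authority is created before the LDAP entry is written, and in `ca_del.pre_callback` the authority is disabled and deleted before the LDAP entry is removed, so a failure of the subsequent LDAP operation leaves FreeIPA and Dogtag disagreeing about which CAs exist: an orphaned authority that can still sign certificates, or a stale `ipaca` entry whose `ipacaid` no longer resolves. For `ca_add`, the authority ID is needed to populate the entry, so the practical fix is to delete the authority again if the LDAP add fails (e.g. from `exc_callback` or `post_callback`); for `ca_del`, disable in `pre_callback` and move `delete_ca` to `post_callback` so the Dogtag side is only torn down once the entry is gone. Also `dn[1:]` in the `can_add` check is the parent container; a short comment saying that is intended (rather than the entry DN) would help the next reader.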
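Review bot: `permission_filter_objectclasses = ['ipaca']` is assigned twice in class `ca` (once among the class attributes, again just before `managed_permissions`); drop one. The `ProtectedEntryError` reason in `ca_mod` (`u'IPA CA cannot be renamed'`) is not wrapped in `_()` while the equivalent message in `ca_del` is; both should be translatable.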
From: Fraser Tweedale Date: Fri, 6 May 2016 12:07:29 +1000 Subject: [PATCH 60/63] Add IPA CA entry on install / upgrade In addition to user-created lightweight CAs, CA ACLs need to be able to refer to the "main" CA. Add an entry for the IPA CA on installation and upgrade. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 37 +++++++++++++++++++++++++++++++++++++ ipaserver/install/server/upgrade.py | 1 + 2 files changed, 38 insertions(+) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3e2576d058733c9859f4c5b003afdacf26408348..c7f3116f62ce1158a04af23f29439c4a1d1a102f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -433,6 +433,7 @@ class CAInstance(DogtagInstance): self.step("importing IPA certificate profiles", import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) + self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) self.step("updating IPA configuration", update_ipa_conf) self.start_creation(runtime=210) 
@@ -1900,6 +1901,42 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): "(it is probably already enabled)") +def ensure_ipa_authority_entry(): + """Add the IPA CA ipaCa object if missing.""" + + # find out authority id, issuer DN and subject DN of IPA CA + # + api.Backend.ra_lightweight_ca._read_password() + api.Backend.ra_lightweight_ca.override_port = 8443 + with api.Backend.ra_lightweight_ca as lwca: + data = lwca.read_ca('host-authority') + attrs = dict( + ipacaid=data['id'], + ipacaissuerdn=data['issuerDN'], + ipacasubjectdn=data['dn'], + ) + api.Backend.ra_lightweight_ca.override_port = None + + is_already_connected = api.Backend.ldap2.isconnected() + if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: + root_logger.error("Cannot connect to LDAP to add CA: %s", e) + return + + ensure_entry( + DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), + objectclass=['top', 'ipaca'], + cn=[ipalib.constants.IPA_CA_CN], + description=['IPA CA'], + **attrs + ) + + if not is_already_connected: + api.Backend.ldap2.disconnect() + + def ensure_default_caacl(): """Add the default CA ACL if missing.""" is_already_connected = api.Backend.ldap2.isconnected() diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 81a49e8afa049aeaaf9abd2199f21e721eef2a20..cd9b7c4a8aba6e346bd5277328223a5a0b2a83f4 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1724,6 +1724,7 @@ def upgrade_configuration(): if ca.is_configured(): cainstance.repair_profile_caIPAserviceCert() ca.setup_lightweight_ca_key_retrieval() + cainstance.ensure_ipa_authority_entry() set_sssd_domain_option('ipa_server_mode', 'True') -- 2.5.5 -------------- next part -------------- From 739f19f08bc43c10e155767ae1e61e30f33ce8a7 Mon Sep 17 00:00:00 2001 
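Review bot: in `ensure_ipa_authority_entry`, `override_port` is set to 8443 and reset to `None` only on the success path; if `read_ca('host-authority')` raises (Dogtag not yet answering, bad JSON), the backend stays pointed at 8443 for the rest of the process. Wrap the `with` block in `try`/`finally`. The function also reaches into the backend's private `_read_password()`; if the password must be loaded before first use, that belongs in the backend's public entry point (for instance its `__enter__`) rather than at every call site. Finally, an LDAP connection failure is logged and swallowed (`return`), so the install step "adding 'ipa' CA entry" reports success while no entry exists; since `cert_request` in this series resolves `IPA_CA_CN` through `ca_show` and the CA ACL rules default to that same name, a missing entry breaks certificate issuance for the host authority, so letting the error propagate during installation is safer than a silent skip.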
From: Fraser Tweedale Date: Fri, 6 May 2016 10:36:22 +1000 Subject: [PATCH 61/63] Update 'caacl' plugin to support lightweight CAs For backwards compatibility, an ACL that has no CAs and no CA category allows access to the IPA CA (host authority) only. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 31 ++++++++++++-- VERSION | 4 +- ipaserver/plugins/caacl.py | 100 ++++++++++++++++++++++++++++++--------------- ipaserver/plugins/cert.py | 5 ++- 4 files changed, 99 insertions(+), 41 deletions(-) diff --git a/API.txt b/API.txt index 155299223311dab169a4dead6397ba41d8d863cc..3d0174a7dc605be137794de89cd523ab7e2bdef0 100644 --- a/API.txt +++ b/API.txt @@ -521,12 +521,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_add -args: 1,12,3 +args: 1,13,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('description?', cli_name='desc') option: StrEnum('hostcategory?', cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?') option: Flag('no_members', autofill=True, default=False) @@ -538,6 +539,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_add_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_add_host args: 1,6,3 arg: Str('cn', cli_name='name') 
@@ -607,12 +619,13 @@ output: Output('result', type=[]) output: Output('summary', type=[, ]) output: PrimaryKey('value') command: caacl_find -args: 1,14,4 +args: 1,15,4 arg: Str('criteria?') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('cn?', autofill=False, cli_name='name') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=True) @@ -628,13 +641,14 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: caacl_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) option: Str('delattr*', cli_name='delattr') option: Str('description?', autofill=False, cli_name='desc') option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all']) +option: StrEnum('ipacacategory?', autofill=False, cli_name='cacat', values=[u'all']) option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all']) option: Bool('ipaenabledflag?', autofill=False) option: Flag('no_members', autofill=True, default=False) 
@@ -647,6 +661,17 @@ option: Str('version?') output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') +command: caacl_remove_ca +args: 1,5,3 +arg: Str('cn', cli_name='name') +option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('ca*', alwaysask=True, cli_name='cas') +option: Flag('no_members', autofill=True, default=False) +option: Flag('raw', autofill=True, cli_name='raw', default=False) +option: Str('version?') +output: Output('completed', type=[]) +output: Output('failed', type=[]) +output: Entry('result') command: caacl_remove_host args: 1,6,3 arg: Str('cn', cli_name='name') diff --git a/VERSION b/VERSION index 990f647af3dc486a2d0d1632444e845acb6e3d18..a4b24076f6a7fc8f514d703559ed618aba3a1f65 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=181 -# Last change: ftweedal - add lightweight CAs plugin +IPA_API_VERSION_MINOR=182 +# Last change: ftweedal - update caacl plugin for lightweight CAs diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py index 60eeb5a334acb7822549ff3530b6ec191f5e5abb..a543a1de780ae7abde342e51f6106271fcb21a9e 100644 --- a/ipaserver/plugins/caacl.py +++ b/ipaserver/plugins/caacl.py @@ -6,6 +6,7 @@ import pyhbac from ipalib import api, errors, output from ipalib import Bool, Str, StrEnum +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery, 
@@ -32,14 +33,16 @@ and followed by a sequence of letters, digits or underscore ("_"). EXAMPLES: Create a CA ACL "test" that grants all users access to the - "UserCert" profile: - ipa caacl-add test --usercat=all + "UserCert" profile on all CAs: + ipa caacl-add test --usercat=all --cacat=all ipa caacl-add-profile test --certprofiles UserCert Display the properties of a named CA ACL: ipa caacl-show test - Create a CA ACL to let user "alice" use the "DNP3" profile: + Create a CA ACL to let user "alice" use the "DNP3" profile on "DNP3-CA": + ipa caacl-add alice_dnp3 + ipa caacl-add-ca alice_dnp3 --cas DNP3-CA ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 ipa caacl-add-user alice_dnp3 --user=alice @@ -53,12 +56,12 @@ EXAMPLES: register = Registry() -def _acl_make_request(principal_type, principal, ca_ref, profile_id): +def _acl_make_request(principal_type, principal, ca_id, profile_id): """Construct HBAC request for the given principal, CA and profile""" service, name, realm = split_any_principal(principal) req = pyhbac.HbacRequest() - req.targethost.name = ca_ref + req.targethost.name = ca_id req.service.name = profile_id if principal_type == 'user': req.user.name = name @@ -90,12 +93,12 @@ def _acl_make_rule(principal_type, obj): rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) - # Hardcoded until caacl plugin arrives - rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': - # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} - #else: - # rule.targethosts.names = obj.get('ipacaaclcaref', []) + if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': + rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} + else: + # For compatibility with pre-lightweight-CAs CA ACLs, + # no CA members implies the host authority (only) + rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj 
@@ -120,8 +123,8 @@ def _acl_make_rule(principal_type, obj): return rule -def acl_evaluate(principal_type, principal, ca_ref, profile_id): - req = _acl_make_request(principal_type, principal, ca_ref, profile_id) +def acl_evaluate(principal_type, principal, ca_id, profile_id): + req = _acl_make_request(principal_type, principal, ca_id, profile_id) acls = api.Command.caacl_find(no_members=False)['result'] rules = [_acl_make_rule(principal_type, obj) for obj in acls] return req.evaluate(rules) == pyhbac.HBAC_EVAL_ALLOW @@ -151,6 +154,7 @@ class caacl(LDAPObject): 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'memberservice': ['service'], + 'ipamemberca': ['ca'], 'ipamembercertprofile': ['certprofile'], } managed_permissions = { @@ -226,13 +230,12 @@ class caacl(LDAPObject): label=_('Enabled'), flags=['no_option'], ), - # Commented until subca plugin arrives - #StrEnum('ipacacategory?', - # cli_name='cacat', - # label=_('CA category'), - # doc=_('CA category the ACL applies to'), - # values=(u'all', ), - #), + StrEnum('ipacacategory?', + cli_name='cacat', + label=_('CA category'), + doc=_('CA category the ACL applies to'), + values=(u'all', ), + ), StrEnum('ipacertprofilecategory?', cli_name='profilecat', label=_('Profile category'), @@ -257,11 +260,10 @@ class caacl(LDAPObject): doc=_('Service category the ACL applies to'), values=(u'all', ), ), - # Commented until subca plugin arrives - #Str('ipamemberca_subca?', - # label=_('CAs'), - # flags=['no_create', 'no_update', 'no_search'], - #), + Str('ipamemberca_ca?', + label=_('CAs'), + flags=['no_create', 'no_update', 'no_search'], + ), Str('ipamembercertprofile_certprofile?', label=_('Profiles'), flags=['no_create', 'no_update', 'no_search'], 
@@ -330,11 +332,10 @@ class caacl_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - # Commented until subca plugin arrives - #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: - # raise errors.MutuallyExclusiveError(reason=_( - # "CA category cannot be set to 'all' " - # "while there are allowed CAs")) + if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + "CA category cannot be set to 'all' " + "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( @@ -523,10 +524,9 @@ caacl_output_params = global_output_params + ( Str('ipamembercertprofile', label=_('Failed profiles'), ), - # Commented until caacl plugin arrives - #Str('ipamemberca', - # label=_('Failed CAs'), - #), + Str('ipamemberca', + label=_('Failed CAs'), + ), ) 
@@ -560,3 +560,35 @@ class caacl_remove_profile(LDAPRemoveMember): member_attributes = ['ipamembercertprofile'] member_count_out = (_('%i profile removed.'), _('%i profiles removed.')) + + + at register() +class caacl_add_ca(LDAPAddMember): + __doc__ = _('Add CAs to a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA added.'), _('%i CAs added.')) + + def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) + try: + entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) + dn = entry_attrs.dn + except errors.NotFound: + self.obj.handle_not_found(*keys) + if is_all(entry_attrs, 'ipacacategory'): + raise errors.MutuallyExclusiveError(reason=_( + "CAs cannot be added when CA category='all'")) + return dn + + + at register() +class caacl_remove_ca(LDAPRemoveMember): + __doc__ = _('Remove CAs from a CA ACL.') + + has_output_params = caacl_output_params + + member_attributes = ['ipamemberca'] + member_count_out = (_('%i CA removed.'), _('%i CAs removed.')) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index cbb5382fb5217d92c65d4b215b497958a31e978c..ef53608ece00ca6951ddeab08e0915a596116fcf 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -29,6 +29,7 @@ from ipalib import errors from ipalib import pkcs10 from ipalib import x509 from ipalib import ngettext +from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from .virtual import VirtualCommand from .baseldap import pkey_to_value @@ -236,7 +237,7 @@ def caacl_check(principal_type, principal_string, ca, profile_id): "with profile '%(profile_id)s' for certificate issuance." ) % dict( principal=principal_string, - ca=ca or '.', + ca=ca, profile_id=profile_id ) ) 
@@ -320,7 +321,7 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = '.' # top-level CA hardcoded until subca plugin implemented + ca = IPA_CA_CN # hardcoded until --ca option implemented """ Access control is partially handled by the ACI titled -- 2.5.5 -------------- next part -------------- From 7f2dd0354a94878a9f69a79ac954b8ef893d1bbf Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:26:17 +1000 Subject: [PATCH 62/63] Add CA argument to ra.request_certificate Add the optional 'ca_id' argument to ra.request_certificate(), for passing an Authority ID to Dogtag. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- checks/check-ra.py | 2 +- ipaserver/plugins/cert.py | 2 +- ipaserver/plugins/dogtag.py | 21 +++++++++++++-------- ipaserver/plugins/rabase.py | 4 +++- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/checks/check-ra.py b/checks/check-ra.py index bc9cc215b02451f0e75ac3987c4f2c60668227ce..6942804a4f98259b1c6c892f8c3aa4fd2dae2ecf 100755 --- a/checks/check-ra.py +++ b/checks/check-ra.py @@ -90,7 +90,7 @@ def assert_equal(trial, reference): api.log.info('******** Testing ra.request_certificate() ********') -request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE) +request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE, None) if verbose: print("request_result=\n%s" % request_result) assert_equal(request_result, {'subject' : subject, diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ef53608ece00ca6951ddeab08e0915a596116fcf..8fccb76292b685033f8ebda347b51a4eb599d2bc 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
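Review bot: the parameter renamed from `ca_ref` to `ca_id` in `_acl_make_request` and `acl_evaluate` carries the CA entry's `cn` (`cert_request` passes `ca = IPA_CA_CN`, and `_acl_make_rule` fills `targethosts.names` from `ipamemberca_ca`), not the Dogtag authority ID that this series stores in `ipacaid`. With both identifiers now in play the name invites a mix-up; `ca_name` or `ca_cn` says what it holds.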
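Review bot: the compatibility default in `_acl_make_rule`, `obj.get('ipamemberca_ca', [IPA_CA_CN])`, is a security-relevant semantic that only the commit message states: an ACL with no CA members and no CA category applies to the host authority only, whereas `ipacacategory=all` applies to every lightweight CA, including ones created after the ACL. The plugin docstring shows `--cacat=all` in its first example without saying this, so an admin following it widens the existing "all users, UserCert profile" rule to every sub-CA. Spell the default out in the `caacl` docstring and in the `doc` of `ipacacategory`.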
@@ -499,7 +499,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, request_type=request_type) + csr, profile_id, None, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 20349b05f02c6e186275a822a487eb4733d75c7d..43aab92ffe6bba42d21135eb4f87cbde635f86e0 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1554,10 +1554,12 @@ class ra(rabase.rabase): return cmd_result - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ :param csr: The certificate signing request. :param profile_id: The profile to use for the request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). Submit certificate signing request. @@ -1586,13 +1588,16 @@ class ra(rabase.rabase): self.debug('%s.request_certificate()', type(self).__name__) # Call CMS - http_status, http_headers, http_body = \ - self._sslget('/ca/eeca/ca/profileSubmitSSLClient', - self.env.ca_ee_port, - profileId=profile_id, - cert_request_type=request_type, - cert_request=csr, - xml='true') + kw = dict( + profileId=profile_id, + cert_request_type=request_type, + cert_request=csr, + xml='true') + if ca_id: + kw['authorityId'] = ca_id + + http_status, http_headers, http_body = self._sslget( + '/ca/eeca/ca/profileSubmitSSLClient', self.env.ca_ee_port, **kw) # Parse and handle errors if http_status != 200: self.raise_certificate_operation_error('request_certificate', diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py index 949f3c37e4b1fac38199d056d8b8a43a81f2926f..736c166982c60e07c0dff50aa41dc304ea427a00 100644 
--- a/ipaserver/plugins/rabase.py +++ b/ipaserver/plugins/rabase.py @@ -65,12 +65,14 @@ class rabase(Backend): """ raise errors.NotImplementedError(name='%s.get_certificate' % self.name) - def request_certificate(self, csr, profile_id, request_type='pkcs10'): + def request_certificate( + self, csr, profile_id, ca_id, request_type='pkcs10'): """ Submit certificate signing request. :param csr: The certificate signing request. :param profile_id: Profile to use for this request. + :param ca_id: The Authority ID to send request to. ``None`` is allowed. :param request_type: The request type (defaults to ``'pkcs10'``). """ raise errors.NotImplementedError(name='%s.request_certificate' % self.name) -- 2.5.5 -------------- next part -------------- From 9e6be40e2a55bce49bea380839ea81d1ebdc4c45 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 6 May 2016 13:43:41 +1000 Subject: [PATCH 63/63] Update cert-request to allow specifying CA Add the '--ca' option to the 'ipa cert-request' command, for specifying the CA to which to direct the request. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 3 ++- VERSION | 4 ++-- ipaserver/plugins/cert.py | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/API.txt b/API.txt index 3d0174a7dc605be137794de89cd523ab7e2bdef0..c3fa78c0dc6f23464fbfdfb640365b7a08a69751 100644 --- a/API.txt +++ b/API.txt @@ -758,9 +758,10 @@ arg: Str('serial_number') option: Str('version?') output: Output('result') command: cert_request -args: 1,5,1 +args: 1,6,1 arg: File('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) +option: Str('cacn?', cli_name='ca') option: Str('principal') option: Str('profile_id?') option: Str('request_type', autofill=True, default=u'pkcs10') diff --git a/VERSION b/VERSION index a4b24076f6a7fc8f514d703559ed618aba3a1f65..b84b4a9ec0cff31107bdd4c33abf5535310a7500 100644 --- a/VERSION +++ b/VERSION 
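Review bot: `request_certificate` gains `ca_id` as a required positional parameter placed before the keyword `request_type`, so every caller and every `rabase` subclass must change in lockstep (only `check-ra.py` and `cert.py` are touched here). Giving it a default, `ca_id=None`, keeps existing two-argument calls working and matches the docstring's "``None`` is allowed". The docstring should also say what `None` means: `authorityId` is omitted from the `profileSubmitSSLClient` query and the request goes to the host authority, which is what the `if ca_id:` branch implements; note that the truthiness test treats an empty string the same way.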
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=182 -# Last change: ftweedal - update caacl plugin for lightweight CAs +IPA_API_VERSION_MINOR=183 +# Last change: ftweedal - add --ca option to cert-request diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 8fccb76292b685033f8ebda347b51a4eb599d2bc..63a051fabdcd89d430128d3f06f44f17b9e09a27 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -274,7 +274,13 @@ class cert_request(VirtualCommand): Str('profile_id?', validate_profile_id, label=_("Profile ID"), doc=_("Certificate Profile to use"), - ) + ), + Str('cacn?', + cli_name='ca', + query=True, + label=_("CA"), + doc=_("CA to use"), + ), ) has_output_params = ( @@ -321,7 +327,13 @@ class cert_request(VirtualCommand): add = kw.get('add') request_type = kw.get('request_type') profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE) - ca = IPA_CA_CN # hardcoded until --ca option implemented + + # Check that requested authority exists (done before CA ACL + # enforcement so that user gets better error message if + # referencing nonexistant CA) and look up authority ID. + # + ca = kw.get('cacn', IPA_CA_CN) + ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0] """ Access control is partially handled by the ACI titled @@ -499,7 +511,7 @@ class cert_request(VirtualCommand): # Request the certificate result = self.Backend.ra.request_certificate( - csr, profile_id, None, request_type=request_type) + csr, profile_id, ca_id, request_type=request_type) cert = x509.load_certificate(result['certificate']) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) -- 2.5.5 -------------- next part -------------- From cc52affcd179d3bb43b5d083c6f52fcd851304bb Mon Sep 17 00:00:00 2001 
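Review bot: `cert_request` now resolves `cacn` via `api.Command.ca_show(...)` and forwards the `ipacaid` to `request_certificate`, but nothing checks that the returned certificate was actually issued by the CA that was requested; `result['issuer']` is already computed from the parsed certificate, so comparing it with the CA entry's `ipacasubjectdn` and raising (or at least logging) on a mismatch would catch any case where the certificate came from a different authority than the one the CA ACL check was performed for. Minor: "nonexistant" in the new comment should be "nonexistent".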
From: Fraser Tweedale Date: Tue, 10 May 2016 13:56:40 +1000 Subject: [PATCH] Add issuer options to cert-show and cert-find Add options to cert-show and cert-find for specifying the issuer as a DN, or a CA name. Also add the issuer DN to the output of cert-find. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- API.txt | 7 +++++-- VERSION | 4 ++-- ipaserver/plugins/cert.py | 47 +++++++++++++++++++++++++++++++++++++++++++++ ipaserver/plugins/dogtag.py | 9 +++++++++ 4 files changed, 63 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index c3fa78c0dc6f23464fbfdfb640365b7a08a69751..741c64365df35cd4b2c90b2e368faa75860180bf 100644 --- a/API.txt +++ b/API.txt @@ -730,11 +730,13 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_find -args: 0,17,4 +args: 0,19,4 option: Flag('all', autofill=True, cli_name='all', default=False) +option: Str('cacn?', autofill=False, cli_name='ca') option: Flag('exactly?', autofill=True, default=False) option: Str('issuedon_from?', autofill=False) option: Str('issuedon_to?', autofill=False) +option: Str('issuer?', autofill=False) option: Int('max_serial_number?', autofill=False) option: Int('min_serial_number?', autofill=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -774,8 +776,9 @@ option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') command: cert_show -args: 1,2,1 +args: 1,3,1 arg: Str('serial_number') +option: Str('cacn?', autofill=False, cli_name='ca') option: Str('out?') option: Str('version?') output: Output('result') diff --git a/VERSION b/VERSION index b84b4a9ec0cff31107bdd4c33abf5535310a7500..1f8e8ed14e50f77aae404fa98085ad135d7354b5 100644 --- a/VERSION +++ b/VERSION 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=183 -# Last change: ftweedal - add --ca option to cert-request +IPA_API_VERSION_MINOR=184 +# Last change: ftweedal - add issuer options to cert-show and cert-find diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63a051fabdcd89d430128d3f06f44f17b9e09a27..171d08b9df6537e1e0422e461c56e6a170fb820d 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -610,6 +610,13 @@ class cert_show(VirtualCommand): ) takes_options = ( + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), Str('out?', label=_('Output filename'), doc=_('File to store the certificate in.'), @@ -631,8 +638,24 @@ class cert_show(VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) + issuer_dn = None + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] + + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we check the cert after). + # result=self.Backend.ra.get_certificate(serial_number) cert = x509.load_certificate(result['certificate']) + + if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + # DN of cert differs from what we requested + raise errors.NotFound( + reason=_("Certificate with serial number %(serial)s " + "issued by CA '%(ca)s' not found") + % dict(serial=serial_number, ca=options['cacn'])) + result['subject'] = unicode(cert.subject) result['issuer'] = unicode(cert.issuer) result['valid_not_before'] = unicode(cert.valid_not_before_str) 
@@ -734,6 +757,18 @@ class cert_find(Command): doc=_('Subject'), autofill=False, ), + Str('cacn?', + cli_name='ca', + query=True, + label=_('Issuing CA'), + doc=_('Name of issing CA'), + autofill=False, + ), + Str('issuer?', + label=_('Issuer'), + doc=_('Issuer DN'), + autofill=False, + ), Int('revocation_reason?', label=_('Reason'), doc=_('Reason for revoking the certificate (0-10). Type ' @@ -818,6 +853,18 @@ class cert_find(Command): def execute(self, **options): ca_enabled_check() + + if 'cacn' in options: + ca_obj = api.Command.ca_show(options['cacn'])['result'] + ca_sdn = unicode(ca_obj['ipacasubjectdn'][0]) + if 'issuer' in options: + if DN(ca_sdn) != DN(options['issuer']): + # client has provided both 'ca' and 'issuer' but + # issuer DNs don't match; result must be empty + return dict(result=[], count=0, truncated=False) + else: + options['issuer'] = ca_sdn + ret = dict( result=self.Backend.ra.find(options) ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 43aab92ffe6bba42d21135eb4f87cbde635f86e0..919ecfeaca6c3ca41040152157e5d275f230704a 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1809,6 +1809,10 @@ class ra(rabase.rabase): node.text = options['subject'] booloptions['subjectInUse'] = True + if 'issuer' in options: + node = etree.SubElement(page, 'issuerDN') + node.text = options['issuer'] + if 'revocation_reason' in options: node = etree.SubElement(page, 'revocationReason') node.text = unicode(options['revocation_reason']) @@ -1897,6 +1901,11 @@ class ra(rabase.rabase): dn = cert.xpath('SubjectDN') if len(dn) == 1: response_request['subject'] = unicode(dn[0].text) + + issuer_dn = cert.xpath('IssuerDN') + if len(dn) == 1: + response_request['issuer'] = unicode(issuer_dn[0].text) + status = cert.xpath('Status') if len(status) == 1: response_request['status'] = unicode(status[0].text) -- 2.5.5 -------------- next part -------------- 
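Review bot: the option help text `doc=_('Name of issing CA')` is misspelled ('issing') in both the cert_show hunk (@@ -610,6 +610,13 @@) and the cert_find takes_options hunk (@@ -734,6 +757,18 @@); this is user-visible, translatable help, so fix it to 'Name of issuing CA' before the string lands in the message catalog.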
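Review bot: in the cert_find execute() hunk (@@ -818,6 +853,18 @@) the new `issuer` option is a plain Str but is fed to `DN(options['issuer'])` when --ca is also given, so a malformed DN from the client surfaces as an unhandled ValueError (internal error) rather than a validation error; when --ca is not given the raw string is passed straight through to Dogtag as the `issuerDN` element (dogtag.py hunk @@ -1809,6 +1809,10 @@). Declare it as a DNParam, as the CA subject DN already is, so the framework validates it, and pass `unicode(DN(...))` so the value Dogtag compares does not depend on the caller's spacing or attribute case.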
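Review bot: in the response-parsing hunk of ipaserver/plugins/dogtag.py (@@ -1897,6 +1901,11 @@) the length check after `issuer_dn = cert.xpath('IssuerDN')` tests the wrong list: `if len(dn) == 1:` still refers to the preceding SubjectDN result, so `issuer_dn[0]` is evaluated whenever a SubjectDN was present and raises IndexError on any entry that carries a SubjectDN but no IssuerDN. It should read `if len(issuer_dn) == 1:`.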
From 74f22815e3590bd237c6d1c1548760dd58793c27 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 14 Jun 2016 01:22:41 +1000 Subject: [PATCH] replica-install: configure key retriever before starting Dogtag After installing a replica, Dogtag's Lightweight CA key retrieval fails until Dogtag is restarted, because the already-running instance doesn't pick up the changes to CS.cfg. Configure the key retriever before the instance is started. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c7f3116f62ce1158a04af23f29439c4a1d1a102f..8dfb71528d2dc020e05ccd7ff42199218a1c0839 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1344,6 +1344,8 @@ class CAInstance(DogtagInstance): self.enable_pkix) self.step("set up client auth to db", self.__client_auth_to_db) self.step("destroying installation admin user", self.teardown_admin) + self.step("Configure lightweight CA key retrieval", + self.setup_lightweight_ca_key_retrieval) self.step("starting instance", self.start_instance) self.step("importing CA chain to RA certificate database", @@ -1362,8 +1364,6 @@ class CAInstance(DogtagInstance): self.step("updating IPA configuration", update_ipa_conf) self.step("Restart HTTP server to pick up changes", self.__restart_http_instance) - self.step("Configure lightweight CA key retrieval", - self.setup_lightweight_ca_key_retrieval) self.step("enabling CA instance", self.__enable_instance) -- 2.5.5 From ftweedal at redhat.com Tue Jun 14 03:22:10 2016 
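Review bot: the step moved up in this hunk keeps the description 'Configure lightweight CA key retrieval' while the neighbouring steps use lowercase gerund form ('starting instance', 'importing CA chain to RA certificate database'); use 'configuring lightweight CA key retrieval' so installer progress output stays uniform. More importantly, setup_lightweight_ca_key_retrieval now runs before 'starting instance' and before 'updating IPA configuration' instead of after both; nothing in the hunk shows whether it depends on the instance being up or on the updated ipa configuration, so please confirm that and state it in the commit message.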
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 14 Jun 2016 13:22:10 +1000
Subject: [Freeipa-devel] [Testplan review] Sub CAs
In-Reply-To: <20160613011130.GJ4744@dhcp-40-8.bne.redhat.com>
References: <20160613011130.GJ4744@dhcp-40-8.bne.redhat.com>
Message-ID: <20160614032210.GY4744@dhcp-40-8.bne.redhat.com>

On Mon, Jun 13, 2016 at 11:11:30AM +1000, Fraser Tweedale wrote:
> On Fri, Jun 10, 2016 at 05:58:02PM +0200, Milan Kubík wrote:
> > Hi Fraser and list,
> >
> > I've written a (minimal) draft [1] of the test plan for the Sub CAs feature
> > and I also have several questions.
> >
> > Could you please take a look at it?
> >
> > Questions:
> >
> > As described in the last (currently) test case, should it be possible to
> > specify both the CA and certificate profile in cert-request call?
> > This way one could use (at least) two ACLs (one affiliated with CA, one with
> > a profile). Are there such use cases?
> >
> You can specify both CA and profile in cert-request call. CA ACLs
> encompass both of these. (Implementation-wise, we use the HBAC
> machinery; CA is the "host" and profile is the "service").
>
> > Related to this, what happens when CA ACL has specific CA and profile
> > category (all)?
> >
> If an ACL has profilecat=all and cacat=all, it will match if the
> subject principal's name or groups match one of the name or groups
> in the ACL rule.
>
> > Applicable to other combinations as well. The ACL category semantics is
> > a bit unclear for me here.
> >
> > Is there any validation of the CA's DN (syntax)?
> >
> Yes; the subject DN is a DNParam (checked by IPA framework). Dogtag
> also checks it and CA creation will fail if it is invalid OR if
> there is already a CA with that DN.
>
> > How would you approach testing of the Sub CA certificate renewal and key
> > replication
> >
> Renewal is not yet implemented, so ask me later :)
>
> Key replication: if you create a CA on one replica, there are a
> couple ways to check.
>
> 1) After a short delay, a key and cert with the CA's Authority ID
> appear in the CA replica's NSSDB (/etc/pki/pki-tomcat/alias)
>
> 2) After a short delay, hit the Dogtag REST API (
> GET /ca/rest/authorities/) or invoke the `pki' command to see if
> the CA is "ready to sign", e.g.:
>
> # pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert \
> -P https -p 8443 ca-authority-show 24de435e-3b3b-4248-b187-fc719e579983
> Authority DN: CN=smime
> ID: 24de435e-3b3b-4248-b187-fc719e579983
> Parent ID: 8568c666-00d6-435c-9446-1014c6ce1215
> Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201606091248
> Serial no: 15
> Enabled: true
> Ready to sign: true <--- key replication completed
>
> > (I do not know if this is covered at the respective component's level or
> > not)?
> >
> >
> > [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
> >
> > Thanks
> >
> Thank you; I will review the rest of the test plan shortly.
>
> Cheers,
> Fraser
>
Hi Milan,

I've reviewed the full test plan now. Additional feedback follows.

Test case: Sub CA manipulation
------------------------------

Consider adding tests for:

- Adding or renaming CA with conflicting name (cn); should fail
- Adding CA with non-conflicting name (cn) but conflicting subject DN;
  should fail
- Manipulation of 'ipacaid', 'ipacaissuerdn' and 'ipacasubjectdn'
  attributes via --setattr, --addattr, --delattr options. All of these
  attributes should be read-only so these operations should fail.

Test case: Show Sub CA certificate
----------------------------------

The ``--ca`` argument here is for specifying the issuer of the cert you
wish to retrieve; it is not for retrieving the cert of the named CA.
An appropriate test here would be: after a cert is issued from a sub-CA
(named test-subca), that cert can be retrieved by executing::

    ipa cert-show --ca=test-subca $SERIAL

Also note that chain retrieval is not yet implemented, but the same
usage will apply when retrieving the chain.
Test case: Request certificate with Sub CA unrelated to used certificate profile
--------------------------------------------------------------------------------

This section needs rework. Hopefully my answers in the previous mail
clarified the CA ACL situation, but let me know if I did not do a good
job of explaining :)

I don't think we need to specifically mention profiles in this test
case; profiles lie on a different "axis" of the HBAC machinery that is
used to enforce CA ACLs.

Tests we want here will include:

- ACL with cacategory=all allows any CA to be used
- ACL with cacategory UNSET and NO CAs allows 'ipa' CA to be used, but
  not other CAs.
- ACL with specific CA(s) set allows those CAs to be used, rejects
  others.

Note that when executing these tests, a user that has the "Request
certificate ignoring CA ACLs" permission must not be used. 'admin' has
this permission by default via the 'CA Administrator' privilege.

-----

That's all I have for now. Thanks for your work, Milan.

Cheers,
Fraser

From ftweedal at redhat.com Tue Jun 14 04:42:12 2016
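The CA ACL cases from the review above, written up as an added reference model that a test plan can use as its oracle. This is example code, not FreeIPA's caacl plugin: it models user and group members only (host and service members are left out as an assumption), uses a boolean on the principal to stand in for the "Request certificate ignoring CA ACLs" permission, and the principal, group, CA and profile names ('alice', 'certusers', 'test-subca', 'caIPAserviceCert') are made up.

```python
"""Reference model of CA ACL evaluation for the Sub CA test plan (added example).

Semantics encoded here, as described in the thread:
  * a rule matches a cert-request when the requesting principal, the
    target CA and the requested profile all match (CA and profile are
    independent axes, like host and service in HBAC);
  * cacategory == 'all' matches any CA; a rule with no CAs and no
    cacategory implies the default 'ipa' CA (backwards compatibility);
  * profilecategory == 'all' matches any profile;
  * a principal holding "Request certificate ignoring CA ACLs" bypasses
    the rules entirely, so it must not be the test subject.
"""

DEFAULT_CA = "ipa"


class CAACL:
    """One CA ACL rule, modelled on user/group members only (assumption)."""

    def __init__(self, name, users=(), groups=(), usercategory=None,
                 cas=(), cacategory=None, profiles=(), profilecategory=None):
        self.name = name
        self.users = frozenset(users)
        self.groups = frozenset(groups)
        self.usercategory = usercategory
        self.cas = frozenset(cas)
        self.cacategory = cacategory
        self.profiles = frozenset(profiles)
        self.profilecategory = profilecategory


class Principal:
    """Requesting principal; ignore_ca_acls stands in for holding the
    "Request certificate ignoring CA ACLs" permission (assumption)."""

    def __init__(self, name, groups=(), ignore_ca_acls=False):
        self.name = name
        self.groups = frozenset(groups)
        self.ignore_ca_acls = ignore_ca_acls


def principal_matches(rule, principal):
    if rule.usercategory == "all":
        return True
    return principal.name in rule.users or bool(principal.groups & rule.groups)


def ca_matches(rule, ca):
    if rule.cacategory == "all":
        return True
    if not rule.cas:
        # Pre-sub-CA rule that names no CA: applies to the IPA CA only.
        return ca == DEFAULT_CA
    return ca in rule.cas


def profile_matches(rule, profile):
    if rule.profilecategory == "all":
        return True
    return profile in rule.profiles


def rule_matches(rule, principal, ca, profile):
    return (principal_matches(rule, principal)
            and ca_matches(rule, ca)
            and profile_matches(rule, profile))


def request_allowed(rules, principal, ca, profile):
    """Oracle for cert-request: (allowed, names of the rules that matched)."""
    if principal.ignore_ca_acls:
        return True, ["<permission: Request certificate ignoring CA ACLs>"]
    hits = [r.name for r in rules if rule_matches(r, principal, ca, profile)]
    return bool(hits), hits


def expected_outcomes():
    """Expected results for the ACL cases listed in the review (names made up)."""
    alice = Principal("alice", groups={"certusers"})
    admin = Principal("admin", ignore_ca_acls=True)
    profile = "caIPAserviceCert"
    any_ca = CAACL("any-ca", groups={"certusers"},
                   cacategory="all", profilecategory="all")
    legacy = CAACL("legacy", groups={"certusers"}, profilecategory="all")
    subca_only = CAACL("subca-only", users={"alice"},
                       cas={"test-subca"}, profiles={profile})
    return {
        "cacategory=all: test-subca": request_allowed([any_ca], alice, "test-subca", profile)[0],
        "no CAs, no cacategory: ipa": request_allowed([legacy], alice, "ipa", profile)[0],
        "no CAs, no cacategory: test-subca": request_allowed([legacy], alice, "test-subca", profile)[0],
        "specific CA: test-subca": request_allowed([subca_only], alice, "test-subca", profile)[0],
        "specific CA: ipa": request_allowed([subca_only], alice, "ipa", profile)[0],
        "specific CA, other profile": request_allowed([subca_only], alice, "test-subca", "caOther")[0],
        "admin with no rules at all": request_allowed([], admin, "test-subca", profile)[0],
    }
```

Each entry of `expected_outcomes()` is the result a real cert-request run should reproduce against a server configured the same way; the last entry shows why 'admin' is unusable as the test subject, since it is allowed with no rules present at all.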
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 14 Jun 2016 14:42:12 +1000
Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs
In-Reply-To:
References: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com>
Message-ID: <20160614044212.GZ4744@dhcp-40-8.bne.redhat.com>

On Mon, Jun 13, 2016 at 07:48:58PM +0200, Pavel Vomacka wrote:
> On 06/13/2016 06:55 AM, Fraser Tweedale wrote:
> > On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote:
> > > Hello,
> > >
> > > please review these new patches which add WebUI for Sub-CAs.
> > >
> > > https://fedorahosted.org/freeipa/ticket/5939
> > >
> > Hi Pavel, I have reviewed the functionality of the patches.
> > Functionality is good - a few minor comments below.
> Hello, thank you for review.
> > Patch 45:
> >
> > 1) In the main `Certificate Authorities' table, `Subject DN' is
> > showing the DN of the IPA object, instead of the Subject DN.
> Fixed.
> >
> > 2) In the `Certificate Authorities' detail table, there is an
> > unlabelled row showing the DN of the IPA object. IMO we do not need
> > to show this value at all.
> The field removed.
> > Patch 46:
> >
> > 3) I see a FIXME in certificate.js. The behaviour (default to IPA
> > CA / 'ipa') is OK. Alternatively, you could allow the user to not
> > specify a CA (this will allow the default - currently 'ipa' - to be
> > controlled by server).
> FIXME comment removed.
> >
> > Patch 47:
> >
> > 4) For backwards compatibility, a CA ACL without any specified CAs
> > (and not cacat=all) implies the 'ipa' CA. It would be good to
> > indicate this in the UI somehow, or include a notice to explain.
> I added tooltip next to the checkbox on adder dialog and also note above the
> table with CAs in CA ACL details view.
>
The message has a small typo: "specificed" should be "specified"
(the typo occurs in both places).

Once this is fixed, ACK.

Thanks,
Fraser

From slaznick at redhat.com Tue Jun 14 06:04:47 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Tue, 14 Jun 2016 08:04:47 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <6ff1556f-965c-e78b-c0ed-1e0fbf2cedb4@redhat.com> Message-ID: <5af51c50-7760-9824-227c-779a51bd7a89@redhat.com> On 06/13/2016 10:15 AM, Petr Vobornik wrote: > On 06/10/2016 06:31 PM, Stanislav Laznicka wrote: >> On 06/08/2016 02:06 PM, Florence Blanc-Renaud wrote: >>> On 06/08/2016 10:07 AM, Petr Spacek wrote: >>>> On 7.6.2016 15:11, Stanislav Laznicka wrote: >>>>> Hello, >>>>> >>>>> Thank you for your patch. As the thin-client patches were pushed in the >>>>> meantime, the patch won't apply. Could you please send a rebased version? >>>>> >>>>> Also, I have a few comments to the patch: >>>>> >>>>> 1) I think that the commit message should be rather a brief conclusion to the >>>>> changes made in the commit. This could help for faster orientation in the >>>>> changes that were made to a certain part of code should you be searching for a >>>>> bug introduced by a commit. Should some more info be required, it can be added >>>>> to the ticket. Could you therefore shorten the commit message? >>>> (My personal opinion, no golden standard.) >>>> >>>> Honestly I disagree with Standa. Yes, the commit message seems to be a bit >>>> long but *tickets* are not the best place to put *technical* information into. >>>> >>>> Tickets are planning tool but keep in mind that Trac may/will vanish one day >>>> and all we will have will be (Git?) repo. >>>> >>>> I would recommend putting the comment about expected input format into code >>>> comments somewhere around batch command definition. 
>>>> >>>> This would reduce commit message (roughly, the text needs to be adapted) to >>>> part starting 'The code did not check the format of ' ... which is perfectly >>>> reasonable description of the change. >>>> >>>> IMHO. >>>> Petr^2 Spacek >>>> >>>> >>>>> 2) Please do not add the tickets to comments in the code. You can use git >>>>> blame -L or git log -L to see in which commits were the changes introduced to >>>>> a certain part of a file, these commits should include the ticket number if >>>>> more info is needed. >>>>> >>>>> Standa >>>>> >>>>> >>>>> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>>>>> Hi all, >>>>>> >>>>>> the following patch checks the format of parameters passed to a method >>>>>> called through the batch command. I picked the ConversionError for invalid >>>>>> parameters format but this choice can be discussed if you have better >>>>>> suggestions... >>>>>> >>>>>> Fixes:https://fedorahosted.org/freeipa/ticket/5810 >>>>>> -- >>>>>> Florence Blanc-Renaud >>>>>> Identity Management Team, Red Hat >>>>>> >>>>>> >>>>> >>> Hi, >>> >>> please find an updated patch version with a less verbose commit msg. I also >>> removed the reference to ticket # in the code. >>> >>> Flo. >>> >>> >> Hello, >> >> Thank you for your updated patch. I have just one small issue that maybe exceeds >> the scope of this ticket. If the check for dictionary instance in list: >> >> + if not isinstance(arg, dict): >> + raise errors.ConversionError( >> + name='methods', >> + error=_(u'must contain dict objects')) >> >> fails at a further member of the list, by raising an exception, you will lose >> information about execution of all the previous commands but these were already >> executed. This hasn't seemed to be an issue until now so I wonder if it is a >> problem or not. > Right, this is something that we will need to address but not in scope > of this ticket and probably not 4.4 release.
> >> So far, batch commands have only been utilized in the WebUI so I am adding Petr >> for opinions on how to handle this properly so that WebUI could react to it >> should it ever happen (although AFAIK this should never happen for batch >> commands called from the UI). > Web UI doesn't care because it sends it correctly :) The bug is trying > to use batch command while talking directly to API - e.g. because of > performance reasons. > Thank you for the explanation. ACK, then. From slaznick at redhat.com Tue Jun 14 07:25:36 2016 From: slaznick at redhat.com (Stanislav Laznicka) Date: Tue, 14 Jun 2016 09:25:36 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> Message-ID: <9f809d24-a845-9de1-7592-7053512b671b@redhat.com> On 06/13/2016 02:51 PM, Martin Babinsky wrote: > On 06/07/2016 10:14 AM, Stanislav Laznicka wrote: >> https://fedorahosted.org/freeipa/ticket/5775 >> >> >> > Umm, wouldn't it be better to augment the `Service.start()/restart()` > methods themselves with parameters that will suppress exception > raising and log an error instead of copy-pasting try: ... except: blocks? > A good point. SystemdService start()/restart() methods will need augmenting as well (signerd service) but I suppose that's about it for this issue. I'll send a patch updated accordingly. From mbasti at redhat.com Tue Jun 14 07:27:03 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Jun 2016 09:27:03 +0200 Subject: [Freeipa-devel] [PATCH] 0003 batch command can be used to trigger internal errors on server In-Reply-To: <5af51c50-7760-9824-227c-779a51bd7a89@redhat.com> References: <6b54d58e-58c5-02a7-d6fb-6f370ab14770@redhat.com> <78f47f8f-5ec5-b5a4-6c55-fdaf05f10d97@redhat.com> <9f140515-4d2c-b13c-afc0-18da0ab1dc76@redhat.com> <6ff1556f-965c-e78b-c0ed-1e0fbf2cedb4@redhat.com> <5af51c50-7760-9824-227c-779a51bd7a89@redhat.com> Message-ID: On 14.06.2016 08:04, Stanislav Laznicka wrote: > On 06/13/2016 10:15 AM, Petr Vobornik wrote: >> On 06/10/2016 06:31 PM, Stanislav Laznicka wrote: >>> On 06/08/2016 02:06 PM, Florence Blanc-Renaud wrote: >>>> On 06/08/2016 10:07 AM, Petr Spacek wrote: >>>>> On 7.6.2016 15:11, Stanislav Laznicka wrote: >>>>>> Hello, >>>>>> >>>>>> Thank you for your patch. As the thin-client patches were pushed >>>>>> in the >>>>>> meantime, the patch won't apply. Could you please send a rebased >>>>>> version? >>>>>> >>>>>> Also, I have a few comments to the patch: >>>>>> >>>>>> 1) I think that the commit message should be rather a brief >>>>>> conclusion to the >>>>>> changes made in the commit. This could help for faster >>>>>> orientation in the >>>>>> changes that were made to a certain part of code should you be >>>>>> searching for a >>>>>> bug introduced by a commit. Should some more info be required, it >>>>>> can be added >>>>>> to the ticket. Could you therefore shorten the commit message? >>>>> (My personal opinion, no golden standard.) >>>>> >>>>> Honestly I disagree with Standa. Yes, the commit message seems to >>>>> be a bit >>>>> long but *tickets* are not the best place to put *technical* >>>>> information into. >>>>> >>>>> Tickets are planning tool but keep in mind that Trac may/will >>>>> vanish one day >>>>> and all we will have will be (Git?) repo. 
>>>>> >>>>> I would recommend putting the comment about expected input format >>>>> into code >>>>> comments somewhere around batch command definition. >>>>> >>>>> This would reduce commit message (roughly, the text needs to be >>>>> adapted) to >>>>> part starting 'The code did not check the format of ' ... which is >>>>> perfectly >>>>> reasonable description of the change. >>>>> >>>>> IMHO. >>>>> Petr^2 Spacek >>>>> >>>>> >>>>>> 2) Please do not add the tickets to comments in the code. You can >>>>>> use git >>>>>> blame -L or git log -L to see in which commits were the changes >>>>>> introduced to >>>>>> a certain part of a file, these commits should include the ticket >>>>>> number if >>>>>> more info is needed. >>>>>> >>>>>> Standa >>>>>> >>>>>> >>>>>> On 05/27/2016 03:53 PM, Florence Blanc-Renaud wrote: >>>>>>> Hi all, >>>>>>> >>>>>>> the following patch checks the format of parameters passed to a >>>>>>> method >>>>>>> called through the batch command. I picked the ConversionError >>>>>>> for invalid >>>>>>> parameters format but this choice can be discussed if you have >>>>>>> better >>>>>>> suggestions... >>>>>>> >>>>>>> Fixes:https://fedorahosted.org/freeipa/ticket/5810 >>>>>>> -- >>>>>>> Florence Blanc-Renaud >>>>>>> Identity Management Team, Red Hat >>>>>>> >>>>>>> >>>>>> >>>> Hi, >>>> >>>> please find an updated patch version with a less verbose commit >>>> msg. I also >>>> removed the reference to ticket # in the code. >>>> >>>> Flo. >>>> >>>> >>> Hello, >>> >>> Thank you for your updated patch. I have just one small issue that >>> maybe exceeds >>> the scope of this ticket. If the check for dictionary instance in list: >>> >>> + if not isinstance(arg, dict): >>> + raise errors.ConversionError( >>> + name='methods', >>> + error=_(u'must contain dict objects')) >>> >>> fails at a further member of the list, by raising an exception, you >>> will lose >>> information about execution of all the previous commands but these >>> were already >>> executed. 
This hasn't seemed to be an issue until now so I wonder if >>> it is a >>> problem or not. >> Right, this is something that we will need to address but not in scope >> of this ticket and probably not 4.4 release. >> >>> So far, batch commands have only been utilized in the WebUI so I am >>> adding Petr >>> for opinions on how to handle this properly so that WebUI could >>> react to it >>> should it ever happen (although AFAIK this should never happen for >>> batch >>> commands called from the UI). >> Web UI doesn't care because it sends it correctly :) The bug is trying >> to use batch command while talking directly to API - e.g. because of >> performance reasons. >> > Thank you for the explanation. ACK, then. >
Pushed to master: 2c7ec27ad94a5a369c7d8a45dcef66a18479900b

From mbasti at redhat.com Tue Jun 14 08:14:33 2016
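The two-phase handling that Stanislav's comment on the batch thread points at, as an added example (not the project's batch plugin): validate every entry of `methods` before executing any of them, so a malformed item later in the list can never be reported only after earlier items have already run, and turn per-command failures into per-entry error results so earlier results survive. It assumes the wire layout the thread refers to, each entry being `{'method': name, 'params': [args, options]}`; the error classes, the command registry and the `user_show` stand-in are constructed for the example.

```python
"""Validate-then-execute handling of a batch request (added example)."""


class ConversionError(ValueError):
    """Stand-in for ipalib.errors.ConversionError (assumption)."""

    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


class CommandError(KeyError):
    """Stand-in for ipalib.errors.CommandError: unknown command name."""


def validate_batch_methods(methods):
    """Reject malformed batch input before anything has executed."""
    if not isinstance(methods, (list, tuple)):
        raise ConversionError("methods", "must be a list")
    for index, arg in enumerate(methods):
        where = "item %d" % index
        if not isinstance(arg, dict):
            raise ConversionError("methods", "%s: must contain dict objects" % where)
        if not isinstance(arg.get("method"), str) or not arg["method"]:
            raise ConversionError("methods", "%s: 'method' must be a non-empty string" % where)
        params = arg.get("params", [[], {}])
        if (not isinstance(params, (list, tuple)) or len(params) != 2
                or not isinstance(params[0], (list, tuple))
                or not isinstance(params[1], dict)):
            raise ConversionError("methods", "%s: 'params' must be [args, options]" % where)
        if any(not isinstance(key, str) for key in params[1]):
            raise ConversionError("methods", "%s: option names must be strings" % where)
    return methods


def run_batch(methods, registry):
    """Execute a batch; failures of one command become that entry's result."""
    validate_batch_methods(methods)      # whole list checked up front
    results = []
    for arg in methods:
        name = arg["method"]
        args, options = arg.get("params", [[], {}])
        try:
            if name not in registry:
                raise CommandError(name)
            results.append({"method": name, "result": registry[name](*args, **options)})
        except Exception as exc:         # one failing command must not abort the batch
            results.append({"method": name, "error": str(exc),
                            "error_name": type(exc).__name__})
    return {"count": len(results), "results": results}


# Constructed stand-in for api.Command with a single, fake user directory.
def _user_show(uid, **options):
    users = {"alice": {"uid": "alice", "mail": "alice@example.test"}}
    if uid not in users:
        raise KeyError("%s: user not found" % uid)
    return users[uid]


REGISTRY = {"user_show": _user_show}


def demo_good_batch():
    """Well-formed batch: a hit, a miss and an unknown command, all reported."""
    return run_batch([
        {"method": "user_show", "params": [["alice"], {}]},
        {"method": "user_show", "params": [["bob"], {}]},
        {"method": "no_such_command", "params": [[], {}]},
    ], REGISTRY)


def demo_malformed_batch():
    """Second item is a bare string: rejected before the first item runs."""
    calls = []

    def counting_user_show(uid, **options):
        calls.append(uid)
        return _user_show(uid, **options)

    try:
        run_batch([{"method": "user_show", "params": [["alice"], {}]}, "user_show"],
                  {"user_show": counting_user_show})
    except ConversionError as exc:
        return {"error": exc.error, "executed": len(calls)}
    return {"error": None, "executed": len(calls)}
```

With validation hoisted out of the execution loop, a caller talking to the API directly gets a single ConversionError for bad input and no partially executed batch; once the list is accepted, every entry gets its own result or error object.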
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Jun 2016 10:14:33 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 In-Reply-To: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> References: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> Message-ID: On 10.06.2016 10:57, Martin Basti wrote: > > > On 10.06.2016 06:17, Jan Cholasta wrote: >> On 9.6.2016 20:57, Martin Basti wrote: >>> Py3 support was enabled prematurely, attached patches remove python3 >>> from /usr/bin/ipa >>> >>> >>> Notes: >>> >>> * ipa 4.3.x won't have enabled py3 >>> >>> * master (ipa 4.4+) will have disabled py3 temporarily >> >> NACK. you reverted this bit wrong: >> >> -%if 0%{?with_python3} >> -Requires: python3-ipaclient = %{version}-%{release} >> -%else >> Requires: python2-ipaclient = %{version}-%{release} >> -%endif >> +Requires: %{name}-client-common = %{version}-%{release} >> +Requires: python2-ipalib = %{version}-%{release} >> > > Shame on me, > > updated patch attached > > self NACK, even with reverted patch, /usr/bin/ipa still has python3 configured; it's magic, something is still putting python3 into ipa -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvomacka at redhat.com Tue Jun 14 08:17:17 2016
From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 14 Jun 2016 10:17:17 +0200 Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs In-Reply-To: <20160614044212.GZ4744@dhcp-40-8.bne.redhat.com> References: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com> <20160614044212.GZ4744@dhcp-40-8.bne.redhat.com> Message-ID: <873f84c1-a81e-3f69-2902-91f4759e2a49@redhat.com> On 06/14/2016 06:42 AM, Fraser Tweedale wrote: > On Mon, Jun 13, 2016 at 07:48:58PM +0200, Pavel Vomacka wrote: >> >> On 06/13/2016 06:55 AM, Fraser Tweedale wrote: >>> On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> please review these new patches which add WebUI for Sub-CAs. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5939 >>>> >>> Hi Pavel, I have reviewed the functionality of the patches. >>> Functionality is good - a few minor comments below. >> Hello, thank you for review. >>> Patch 45: >>> >>> 1) In the main `Certificate Authorities' table, `Subject DN' is >>> showing the DN of the IPA object, instead of the Subject DN. >> Fixed. >>> 2) In the `Certificate Authorities' detail table, there is an >>> unlabelled row showing the DN of the IPA object. IMO we do not need >>> to show this value at all. >> The field removed. >>> Patch 46: >>> >>> 3) I see a FIXME in certificate.js. The behaviour (default to IPA >>> CA / 'ipa') is OK. Alternatively, you could allow the user to not >>> specify a CA (this will allow the default - currently 'ipa' - to be >>> controlled by server). >> FIXME comment removed. >>> Patch 47: >>> >>> 4) For backwards compatibility, a CA ACL without any specified CAs >>> (and not cacat=all) implies the 'ipa' CA. It would be good to >>> indicate this in the UI somehow, or include a notice to explain. >> I added tooltip next to the checkbox on adder dialog and also note above the >> table with CAs in CA ACL details view. >> > The message has a small typo: "specificed" should be "specified" > (the typo occurs in both places).
> > Once this is fixed, ACK. Updated patches attached. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0045-2-Add-new-webui-plugin-ca.patch Type: text/x-patch Size: 4050 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0046-2-Extend-certificate-entity-page.patch Type: text/x-patch Size: 7772 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0047-3-Extend-caacl-entity.patch Type: text/x-patch Size: 8426 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 14 09:44:54 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 14 Jun 2016 11:44:54 +0200 Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate In-Reply-To: References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> Message-ID: On 21.4.2016 09:11, Jan Cholasta wrote: > On 6.4.2016 15:46, Pavel Vomacka wrote: >> >> >> On 03/16/2016 01:50 PM, Jan Cholasta wrote: >>> Hi, >>> >>> the attached patches implement the server-side part of >>> . >>> >>> Honza >>> >> Hi, >> >> thank you for the patches. I tested them and they work well. But I would >> like to ask you whether would be possible to extend the response of >> 'basecert_find' method and probably also 'basecert_show' response. I >> think of these information: >> >> 1) information whether the certificate is issued by our CA or not. > > You can check for that by comparing the issuer name of the certificate > to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base > from config-show. > >> >> 2) this probably wouldn't be possible (as we discussed), but I rather >> write it too - the information about revocation reason. The same as the >> 'cert_show' provides. > > Added --check-revocation flag to request this information. Currently it > works only on certificates issued by our CA. > >> >> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns > > Added, also included SHA-256. > >> >> Thank you again. > > Updated patches attached. Updated and rebased patches attached. Requires Fraser's sub-CA patches. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-551.2-ldap-fix-handling-of-binary-data-in-search-filters.patch Type: text/x-patch Size: 1201 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-552.2-cert-add-object-plugin.patch Type: text/x-patch Size: 30439 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-623-cert-add-owner-information.patch Type: text/x-patch Size: 18007 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-624-cert-allow-search-by-certificate.patch Type: text/x-patch Size: 7684 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 14 09:56:07 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Jun 2016 11:56:07 +0200 Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3 In-Reply-To: References: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> Message-ID: <5bf0de2d-5412-ce1e-1c88-1a9e1902c7b8@redhat.com> On 14.06.2016 10:14, Martin Basti wrote: > > > > On 10.06.2016 10:57, Martin Basti wrote: >> >> >> On 10.06.2016 06:17, Jan Cholasta wrote: >>> On 9.6.2016 20:57, Martin Basti wrote: >>>> Py3 support was enabled prematurely, attached patches remove python3 >>>> from /usr/bin/ipa >>>> >>>> >>>> Notes: >>>> >>>> * ipa 4.3.x won't have enabled py3 >>>> >>>> * master (ipa 4.4+) will have disabled py3 temporarily >>> >>> NACK. you reverted this bit wrong: >>> >>> -%if 0%{?with_python3} >>> -Requires: python3-ipaclient = %{version}-%{release} >>> -%else >>> Requires: python2-ipaclient = %{version}-%{release} >>> -%endif >>> +Requires: %{name}-client-common = %{version}-%{release} >>> +Requires: python2-ipalib = %{version}-%{release} >>> >> >> Shame on me, >> >> updated patch attached >> >> > > self NACK, even with reverted patch, /usr/bin/ipa still has python3 > configured; it's magic, something is still putting python3 into ipa > > Extra patch was added > > now it should work Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0514-Use-python2-for-ipa-cli.patch Type: text/x-patch Size: 1030 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4.3-mbasti-0501-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2149 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: freeipa-master-mbasti-0501.2-Revert-Switch-usr-bin-ipa-to-Python-3.patch Type: text/x-patch Size: 2135 bytes Desc: not available URL: From tbordaz at redhat.com Tue Jun 14 10:34:40 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Tue, 14 Jun 2016 12:34:40 +0200 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <20160613150651.qppi3qwlajuscxbg@redhat.com> References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> Message-ID: <575FDDC0.70105@redhat.com> On 06/13/2016 05:06 PM, Alexander Bokovoy wrote: > On Mon, 13 Jun 2016, thierry bordaz wrote: >>> From fff11869d8cf3dfe98471e018c10926fc23b13da Mon Sep 17 00:00:00 2001 >> From: Thierry Bordaz >> Date: Fri, 10 Jun 2016 15:34:40 +0200 >> Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a >> pre-extop >> plugin >> >> ipapwd_extop allows to update the password on a specific entry, >> identified by its DN. >> It can be useful to support virtual DN in the extop so that update >> of a virtual entry >> would land into the proper real entry. >> >> If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with >> the value >> of TARGET_DN, instead of using the original one (in the ber req) >> >> https://fedorahosted.org/freeipa/ticket/5946 >> --- >> .../ipa-pwd-extop/ipa_pwd_extop.c | 33 >> ++++++++++++++++------ >> 1 file changed, 25 insertions(+), 8 deletions(-) >> >> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> index 440e221..10fff30 100644 >> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>> @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, >> struct ipapwd_krbcfg *krbcfg) >> char *attrlist[] = {"*", "passwordHistory", NULL }; >> struct ipapwd_data pwdata; >> int is_krb, is_smb, is_ipant; >> - char *principal = NULL; >> + char *principal = NULL; >> Slapi_PBlock *chpwop_pb = NULL; >> + Slapi_DN *target_sdn = NULL; >> + char *target_dn = NULL; >> >> /* Get the ber value of the extended operation */ >> slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
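Review bot: `char *target_dn = NULL;` should be declared `const char *target_dn`, since it only ever receives the return value of slapi_sdn_get_ndn() (a const pointer) in the following hunk and is never written through; as declared, the assignment discards the qualifier. The re-indented `char *principal = NULL;` line is a whitespace-only change to an unrelated declaration and should be dropped from this patch.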
>> @@ -327,13 +329,28 @@ parse_req_done: >> } >> } >> >> - /* Determine the target DN for this operation */ >> - /* Did they give us a DN ? */ >> - if (dn == NULL || *dn == '\0') { >> - /* Get the DN from the bind identity on this connection */ >> - dn = slapi_ch_strdup(bindDN); >> - LOG_TRACE("Missing userIdentity in request, " >> - "using the bind DN instead.\n"); >> + /* Determine the target DN for this operation */ >> + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >> + target_dn = slapi_sdn_get_ndn(target_sdn); >> + if (target_dn) { > can you please use the same style for writing comparisons as the file > using already? > if (!(target_dn == NULL || *target_dn == '\0')) { ... } > >> + /* At this point if SLAPI_TARGET_SDN was set that means >> + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >> + * So take this one rather that the raw one that is in the ber >> + */ >> + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : >> "", target_dn); >> + slapi_ch_free_string(&dn); >> + dn = slapi_ch_strdup(target_dn); >> + slapi_sdn_free(&target_sdn); >> + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >> + } else { >> + /* Did they give us a DN ? */ >> + if (dn == NULL || *dn == '\0') { >> + /* Get the DN from the bind identity on this connection */ >> + dn = slapi_ch_strdup(bindDN); >> + LOG_TRACE("Missing userIdentity in request, " >> + "using the bind DN instead.\n"); >> + } >> + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >> } >> >> if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { >> -- >> 2.5.0 >> > > Changing the comparison style -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-ipapwd_extop-should-use-TARGET_DN-defined-by-a-pre-e.patch Type: text/x-patch Size: 3068 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 14 10:54:03 2016 
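Review bot: `slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn)` is immediately followed by `target_dn = slapi_sdn_get_ndn(target_sdn)` with no check that the pblock returned a non-NULL SDN; when no pre-extop plugin has set SLAPI_TARGET_SDN, which is the common case for this client-reachable extended operation, target_sdn stays NULL and is passed to slapi_sdn_get_ndn() before the `if (target_dn)` test ever runs. Unless that API is documented to accept NULL, guard it: `if (target_sdn != NULL) { target_dn = slapi_sdn_get_ndn(target_sdn); }`. The translated branch also frees the SDN and clears SLAPI_TARGET_SDN in the pblock; a comment should state that the pre-extop plugin hands over ownership, otherwise the plugin that allocated it may free it a second time.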
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 12:54:03 +0200
Subject: [Freeipa-devel] [PATCH 0494] Bump required version of pki-ca and pki-kra due bug in parsing '%' in DM password
Message-ID: <402d2f2c-a48c-28ee-1432-60d381ce268b@redhat.com>

On 02.06.2016 09:26, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5690
>
> Patch attached
>

You can ignore this patch, dogtag version has been bumped by a different patch
-------------- next part --------------
An HTML attachment was scrubbed...
From mbabinsk at redhat.com Tue Jun 14 11:05:02 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 14 Jun 2016 13:05:02 +0200
Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3
In-Reply-To: <5bf0de2d-5412-ce1e-1c88-1a9e1902c7b8@redhat.com>
References: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> <5bf0de2d-5412-ce1e-1c88-1a9e1902c7b8@redhat.com>

On 06/14/2016 11:56 AM, Martin Basti wrote:
> On 14.06.2016 10:14, Martin Basti wrote:
>> On 10.06.2016 10:57, Martin Basti wrote:
>>> On 10.06.2016 06:17, Jan Cholasta wrote:
>>>> On 9.6.2016 20:57, Martin Basti wrote:
>>>>> Py3 support was enabled prematurely, attached patches remove python3
>>>>> from /usr/bin/ipa
>>>>>
>>>>> Notes:
>>>>>
>>>>> * ipa 4.3.x won't have enabled py3
>>>>>
>>>>> * master (ipa 4.4+) will have disabled py3 temporarily
>>>>
>>>> NACK. you reverted this bit wrong:
>>>>
>>>> -%if 0%{?with_python3}
>>>> -Requires: python3-ipaclient = %{version}-%{release}
>>>> -%else
>>>>  Requires: python2-ipaclient = %{version}-%{release}
>>>> -%endif
>>>> +Requires: %{name}-client-common = %{version}-%{release}
>>>> +Requires: python2-ipalib = %{version}-%{release}
>>>>
>>>
>>> Shame on me,
>>>
>>> updated patch attached
>>>
>>
>> self NACK, even with reverted patch, /usr/bin/ipa has still configured
>> python3, it's a magic something is still putting python3 into ipa
>>
>
> Extra patch was added
>
> now it should work
>
> Martin^2
>

Thanks, ACK.

-- 
Martin^3 Babinsky
From mbasti at redhat.com Tue Jun 14 11:12:50 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 13:12:50 +0200
Subject: [Freeipa-devel] [PATCH 0501] Revert: switch /usr/bin/ipa to python3
References: <8f7eb533-c773-422b-5958-6829afb248ab@redhat.com> <5bf0de2d-5412-ce1e-1c88-1a9e1902c7b8@redhat.com>
Message-ID: <9cbe6893-adcf-0d3c-2018-5254eadddc03@redhat.com>

On 14.06.2016 13:05, Martin Babinsky wrote:
> On 06/14/2016 11:56 AM, Martin Basti wrote:
>> On 14.06.2016 10:14, Martin Basti wrote:
>>> On 10.06.2016 10:57, Martin Basti wrote:
>>>> On 10.06.2016 06:17, Jan Cholasta wrote:
>>>>> On 9.6.2016 20:57, Martin Basti wrote:
>>>>>> Py3 support was enabled prematurely, attached patches remove
>>>>>> python3 from /usr/bin/ipa
>>>>>>
>>>>>> Notes:
>>>>>>
>>>>>> * ipa 4.3.x won't have enabled py3
>>>>>>
>>>>>> * master (ipa 4.4+) will have disabled py3 temporarily
>>>>>
>>>>> NACK. you reverted this bit wrong:
>>>>>
>>>>> -%if 0%{?with_python3}
>>>>> -Requires: python3-ipaclient = %{version}-%{release}
>>>>> -%else
>>>>>  Requires: python2-ipaclient = %{version}-%{release}
>>>>> -%endif
>>>>> +Requires: %{name}-client-common = %{version}-%{release}
>>>>> +Requires: python2-ipalib = %{version}-%{release}
>>>>>
>>>>
>>>> Shame on me,
>>>>
>>>> updated patch attached
>>>>
>>>
>>> self NACK, even with reverted patch, /usr/bin/ipa has still configured
>>> python3, it's a magic something is still putting python3 into ipa
>>>
>>
>> Extra patch was added
>>
>> now it should work
>>
>> Martin^2
>>
> Thanks, ACK.
>

master:
* ee08f3e237cb3668c06307aad74e47eb20080474 Revert "Switch /usr/bin/ipa to Python 3"
* 5760cc918247746a4e55adc118bdbd9ffb01b78f Use python2 for ipa cli

ipa-4-3:
* b3024fb879a6b841822df1e15fe1c6218c87a4bb Revert "Switch /usr/bin/ipa to Python 3"
* 64f078b8b21314000ddf7e95c441570254e249f7 Use python2 for ipa cli
From abokovoy at redhat.com Tue Jun 14 11:25:13 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jun 2016 14:25:13 +0300
Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree
In-Reply-To: <575FDDC0.70105@redhat.com>
References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> <575FDDC0.70105@redhat.com>
Message-ID: <20160614112513.dhe7g27vljk7uvx6@redhat.com>

On Tue, 14 Jun 2016, thierry bordaz wrote:
>From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001
>From: Thierry Bordaz
>Date: Fri, 10 Jun 2016 15:34:40 +0200
>Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop
> plugin
>
>ipapwd_extop allows to update the password on a specific entry, identified by its DN.
>It can be useful to support virtual DN in the extop so that update of a virtual entry
>would land into the proper real entry.
>
>If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
>of TARGET_DN, instead of using the original one (in the ber req)
>
>https://fedorahosted.org/freeipa/ticket/5946
>---
> .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +++++++++++++++++-----
> 1 file changed, 28 insertions(+), 8 deletions(-)
>
>diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>index 440e221..3c2c44f 100644
>--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
>@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) > char *attrlist[] = {"*", "passwordHistory", NULL }; > struct ipapwd_data pwdata; > int is_krb, is_smb, is_ipant; >- char *principal = NULL; >+ char *principal = NULL; > Slapi_PBlock *chpwop_pb = NULL; >+ Slapi_DN *target_sdn = NULL; >+ char *target_dn = NULL; > > /* Get the ber value of the extended operation */ > slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value);
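Review bot: the `>- char *principal = NULL;` / `>+ char *principal = NULL;` whitespace-only change is still present in this version of the hunk; please drop it so the patch is limited to the SLAPI_TARGET_SDN change. `target_dn` should be declared `const char *`, matching the return type of `slapi_sdn_get_ndn()` that is its only source.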
>@@ -327,14 +329,32 @@ parse_req_done: > } > } > >- /* Determine the target DN for this operation */ >- /* Did they give us a DN ? */ >- if (dn == NULL || *dn == '\0') { >- /* Get the DN from the bind identity on this connection */ >- dn = slapi_ch_strdup(bindDN); >- LOG_TRACE("Missing userIdentity in request, " >- "using the bind DN instead.\n"); >+ /* Determine the target DN for this operation */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >+ if (target_sdn != NULL) { >+ /* If there is a TARGET_DN we are consuming it */ >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >+ target_dn = slapi_sdn_get_ndn(target_sdn); > } >+ if (target_dn == NULL || *target_dn == '\0') { >+ /* Did they give us a DN ? */ >+ if (dn == NULL || *dn == '\0') { >+ /* Get the DN from the bind identity on this connection */ >+ dn = slapi_ch_strdup(bindDN); >+ LOG_TRACE("Missing userIdentity in request, " >+ "using the bind DN instead.\n"); >+ } >+ LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >+ } else { >+ /* At this point if SLAPI_TARGET_SDN was set that means >+ * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >+ * So take this one rather that the raw one that is in the ber >+ */ >+ LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); >+ slapi_ch_free_string(&dn); >+ dn = slapi_ch_strdup(target_dn); >+ } >+ slapi_sdn_free(&target_sdn); Looks good now. ACK for the patch, the testing will come once slapi-nis patches will be available. Thanks. -- / Alexander Bokovoy From blipton at redhat.com Tue Jun 14 12:27:09 2016 
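Review bot: the trace `LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : "")` is also emitted when `dn` was empty and has just been replaced by `bindDN`, so the "(from ber)" label is wrong on that path; log the fallback case separately or drop the qualifier. In the same branch, a non-NULL `target_sdn` whose normalized DN is empty is silently treated as if no pre-extop plugin had set a target; since a plugin deliberately set SLAPI_TARGET_SDN, log that the translated DN was empty before falling back. Minor: "rather that the raw one" in the new comment should read "rather than".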
From: blipton at redhat.com (Ben Lipton)
Date: Tue, 14 Jun 2016 08:27:09 -0400
Subject: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

Hello all,

I have written up a design proposal for making certificate requests easier to
generate when using alternate certificate profiles:
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation.
The use case for this is described in https://fedorahosted.org/freeipa/ticket/4899.

I will be working on implementing this design over the next couple of months.
If you have the time and interest, please take a look and share any comments
or concerns that you have.

Thanks!
Ben
From pspacek at redhat.com Tue Jun 14 12:57:55 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jun 2016 14:57:55 +0200
Subject: [Freeipa-devel] bind-dyndb-ldap 10.0 development status (related to FreeIPA 4.4)
In-Reply-To: <32d1d163-d716-ba00-3cb1-7ebd2388430a@redhat.com>
References: <32d1d163-d716-ba00-3cb1-7ebd2388430a@redhat.com>

On 11.6.2016 21:22, Petr Spacek wrote:
> Hello,
>
> bind-dyndb-ldap 10.0 alpha 1 is available for testing (finally).
>
> AFAIK it implements all the critical functionality for FreeIPA 4.4, namely
> RecordGenerator & default TTL support necessary for FreeIPA DNS locations.
>
>
> Limitations
> ===========
> BIND has to be reloaded ("rndc reload" at least) after each change in server's
> config or zone's default TTL.
>
> In case of FreeIPA it means that server-mod command which touches server's DNS
> location has to be followed by "rndc reload" on the affected replica.
>
>
> Outlook
> =======
> I'm looking for a solution for quite a while now but it is an asynchronous
> parallel event hell.
>
> We will probably end up with big hammer like "reconnect to LDAP and re-parse
> everything". Most likely it will be error prone and racy (think about DNS
> updates in the middle of re-synchronization) but any fine-grained approaches
> seem to be even more fragile and even racier. Yuck.

Detailed analysis revealed that even 'reconnect to LDAP and re-parse
everything' hammer is unreliable and we do not have enough time to fix it.
Fixing it would require major refactoring of bind-dyndb-ldap internals.

Following alternative was considered, too:
Extend ipa-dnskeysyncd (daemon in Python) to trigger named restart when
particular attributes in LDAP are modified.

Unfortunately automatic restart could easily cause global DNS failure if e.g.
a script was used to modify locations on multiple IPA servers.

The main problem is that bind-dyndb-ldap start (and also shutdown) takes some
time if the LDAP database is not empty.
During that time requests are either not answered at all or are being
answered with NXDOMAIN answer.

For database with 3 DNS zones, 1 small (primary IPA domain) and 2 filled with
64k A records (1 record / name) it takes ~ 20 seconds to load the data and
60 seconds to shutdown the BIND. I.e. one restart means ~ 80 seconds of outage.

Plan
====
For this reason Petr Vobornik and I decided against automatic restart.
Next version of FreeIPA will issue a warning that admin has to manually
restart named on affected servers.

Comments are welcome.

Petr^2 Spacek

> Implemented designs
> ===================
> - https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
> - https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
>
> Fixed tickets
> =============
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/126
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/162
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/70
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/164
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/165
> - https://fedorahosted.org/bind-dyndb-ldap/ticket/146
>
> COPR packages
> =============
> https://copr.fedorainfracloud.org/coprs/pspacek/bind-dyndb-ldap/build/339004/
>
> SRPM
> ====
> https://pspacek.fedorapeople.org/bind-dyndb-ldap/bind-dyndb-ldap-10.0-0.1alpha.fc23.src.rpm
>
> Git branch
> ==========
> https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4
>
> Git commit
> ==========
> 6722382b2344fd5acd6ba9fa858c139c16e3de99
>
>
> Enjoy.
>

-- 
Petr^2 Spacek
From mbabinsk at redhat.com Tue Jun 14 13:21:24 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 14 Jun 2016 15:21:24 +0200
Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs
In-Reply-To: <20160614025539.GX4744@dhcp-40-8.bne.redhat.com>
References: <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> <20160614025539.GX4744@dhcp-40-8.bne.redhat.com>
Message-ID: <48810984-37b5-7940-198f-f1845ccfe87d@redhat.com>

On 06/14/2016 04:55 AM, Fraser Tweedale wrote:
> On Tue, Jun 14, 2016 at 02:19:27AM +1000, Fraser Tweedale wrote:
>> On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote:
>>>>>> Hi Fraser,
>>>>>>
>>>>>> during functional review I found the following issues:
>>>>>>
>>>>>> 1.)
>>>>>>
>>>>>> If I create a CAACL rule tied to a specific sub-CA, let's say for user
>>>>>> certificate issuance:
>>>>>>
>>>>>> """
>>>>>> ipa caacl-show user_cert_issuance
>>>>>> Enabled: TRUE
>>>>>> User category: all
>>>>>> CAs: user_sub_ca
>>>>>> Profiles: caIPAuserCert
>>>>>> ACL name: user_cert_issuance
>>>>>> """
>>>>>>
>>>>>> I can still happily request certificate for a user using root-CA:
>>>>>>
>>>>>> """
>>>>>> ipa cert-request cert.csr --principal jdoe --ca ipa
>>>>>> Certificate: MIID9j.../Ov8mkjFA==
>>>>>> Subject: CN=jdoe,O=IPA.TEST
>>>>>> Issuer: CN=Certificate Authority,O=IPA.TEST
>>>>>> ...
>>>>>> """
>>>>>>
>>>>>> should not this be denied by CA-ACL rule?
>>>>>>
>>>>>> The default IPA CAACL rule is like this:
>>>>>>
>>>>>> """
>>>>>> ipa caacl-show hosts_services_caIPAserviceCert
>>>>>> Enabled: TRUE
>>>>>> Host category: all
>>>>>> Service category: all
>>>>>> Profiles: caIPAserviceCert
>>>>>> ACL name: hosts_services_caIPAserviceCert
>>>>>> """
>>>>>>
>>>>>> so the default rule should not allow users to request certs at all.
>>>>>>
>>>>> Yes, these should be denied. Looking into it.
>>>>>
>>>> Were you using 'admin' account to request the cert? admin has
>>>> permission 'Request Certificate ignoring CA ACLs' via the
>>>> 'Certificate Manager' privilege.
>>>>
>>>> If so, please try again with less privileges (e.g. self-service as
>>>> jdoe).
>>>>
>>>
>>> You were right, when I was requesting certs as user principals themselves
>>> everything worked as expected.
>>>
>>> Regarding sub-CAs not present on replica, both machines run the following
>>> version of dogtag CA:
>>>
>>> pki-ca-10.3.2-3.fc24.noarch
>>>
>>> Here are the last 256 lines of the debug log:
>>>
>>> http://paste.fedoraproject.org/378512/65828332
>>>
>> Thanks for that. It seems there are two issues. The first one is:
>>
>> Unable to read key retriever class from CS.cfg: Property
>> features.authority.keyRetrieverClass missing value
>>
>> This happens only on replica, until the first restart of Dogtag
>> after installation. I have attached a patch to fix it.
>>
>> The second issue is:
>>
>> Failed to update certificate
>>
>> This needs to be fixed in Dogtag, however, the error is not
>> triggered if the key retrieval succeeds when the replica first
>> observes the addition of a new CA. The attached patch does help in
>> this regard, so apply it and I hope it will see you through the rest
>> of the functional testing of my patches... I hope.
>>
>> Thank you for testing!
>>
>> Cheers,
>> Fraser
>>
> Rebased patches attached (VERSION conflicts; no other changes).
>

Thanks Fraser, the certificate issuance by sub-CA now works also on replica,
but I must first restart PKI for it to pick up stuff from master CA. If I set
up a replica first and then create a sub-CA on master, Dogtag picks this up
and uses the new sub-CA and its key for signing without restart.

This seems to be pure Dogtag issue, however, and I concluded that IPA side
works ok. If no one objects then I would give functional ACK to your patches
and document/track the Dogtag issue in a separate ticket.

-- 
Martin^3 Babinsky
From Nikolai.Kondrashov at redhat.com Tue Jun 14 13:40:03 2016
From: Nikolai.Kondrashov at redhat.com (Nikolai Kondrashov)
Date: Tue, 14 Jun 2016 16:40:03 +0300
Subject: [Freeipa-devel] Using JSON for tlog config files

Hi everyone,

Although this was mentioned several times before, I'd like to bring additional
attention to the idea of using config files written in JSON for tlog, because
there were some concerns over that being appropriate.

Tlog is a terminal I/O recording package [1], with primary purpose of sending
the recordings as JSON-formatted log messages to ElasticSearch. For the purpose
of reading what it wrote, it links with json-c.

At this moment both of tlog programs (tlog-rec and tlog-play) expect their
global configuration to be in JSON, with comments allowed. See the default
configurations attached. Plus, tlog-rec accepts an environment variable,
containing the whole, or a part of the configuration to (partially) override
the global one. That is also in JSON. Tlog uses the same json-c to parse all
of these. Internally, tlog uses json-c structures to pass around and merge the
configurations.

The question is, should the global tlog configuration, located in
/etc/tlog/tlog-rec.conf and /etc/tlog/tlog-play.conf, be in JSON, or should it
be something else?

The cons I heard so far:

* Administrators don't expect to find JSON in /etc.
* JSON is a fragile format.

The pros I'd like to present:

* Administrators setting up tlog are expected to also be familiar with
  ElasticSearch, which tlog targets as the storage. ElasticSearch speaks JSON
  exclusively and is configured using either YAML or JSON. So, the
  administrators should be largely familiar with it.
* Although JSON uses explicit and rigid syntax, such as quoting and prohibited
  trailing commas, it is still easy to read, and its specification is succinct
  and easy to learn: http://json.org/
* Tlog is already linked with json-c, to read what it wrote, and reusing it for
  configuration reading avoids adding another dependency.
Overall, I consider the present situation a good compromise between
smaller/simpler code and reduced dependencies vs. familiarity and ease of
editing and reading for administrators.

The alternatives presented so far are YAML and INI. I'll list each of their
pros and cons, as I see them.

YAML

Pros

* Has a subset of syntax (sufficient for our purposes), which is easy to read
  and write, doesn't require quoting, not critical to commas and other
  separators.
* Has official specification.

Cons

* Requires additional dependency to be used in tlog.
* Only one implementation in C.
* Uses significant whitespace, which is easier to overlook than explicit
  syntax.
* *Sometimes* requires quoting to enforce value type, which is easy to
  overlook. E.g. an all-digits string requires quoting, otherwise it is
  considered a number.
* Although well-defined, specification is long and complicated:
  http://www.yaml.org/spec/1.2/spec.html
  This makes it hard to fully understand the language and be proficient at it.
* In an attempt to make the language as human-readable as possible, made it
  actually harder for humans to write, in some cases.
* Has too many features, complicating parsers, leading to harder to use APIs,
  and more bugs.

INI

Pros

* Familiar, already used by sister projects: SSSD, Kerberos, Samba, etc.
* Light, simple syntax

Cons

* Requires additional dependency to be used in tlog.
* No official specification, lots of variance in the field:
  https://en.wikipedia.org/wiki/INI_file#Varying_features
  This requires explicit description of the actually used syntax in the
  program manuals. I.e. it cannot simply link to a specification.
  Administrators have to discover which flavor to use. This will become worse
  if we'll implement storing (a subset of) tlog-rec configuration in LDAP
  verbatim, as suggested so far, because the documentation for the format will
  be less discoverable for the person editing the directory.
* Cannot be written without newlines, in a single line.
  This will make overriding configuration with an environment variable in
  tlog-rec harder to use. I.e. the environment variable value will have to
  contain newlines, or instead refer to a file containing the configuration.
* No escaping for special characters, multiline value support is patchy (not
  present at all in dinglibs). This will limit the ways to specify the
  recording notice presented to the users at the start of tlog-rec.

Your own pros/cons, and suggestions for other formats to use are welcome!

Thank you for your attention.
Nick

[1]: https://github.com/Scribery/tlog
-------------- next part --------------
//
// Tlog-play system-wide configuration. See tlog-play.conf(5) for details.
// This file uses JSON format with both C and C++ comments allowed.
//
{
    // The type of "log reader" to use for retrieving log messages. The chosen
    // reader needs to be configured using its own dedicated parameters.
    //
    "reader" : "file",

    // File reader parameters
    "file": {
        // The "file" reader log file path.
        //
        "path" : ""
    },

    // ElasticSearch reader parameters
    "es": {
        // The base URL to request ElasticSearch through. Should not
        // contain the query (?...) or fragment (#...) parts.
        //
        "baseurl" : "",

        // The query string to send to ElasticSearch
        //
        "query" : ""
    }
}
-------------- next part --------------
//
// Tlog-rec system-wide configuration. See tlog-rec.conf(5) for details.
// This file uses JSON format with both C and C++ comments allowed.
//
{
    // The path to the shell executable that should be spawned.
    //
    "shell" : "/bin/bash",

    // A message which will be printed before starting
    // recording and the user shell. Can be used to warn
    // the user that the session is recorded.
    //
    "notice" : "\nATTENTION! Your session is being recorded!\n\n",

    // The data which does not exceed maximum payload
    // stays in memory and is not logged until this number of
    // seconds elapses.
    //
    "latency" : 10,

    // Maximum encoded data (payload) size per message, bytes.
    // As soon as payload exceeds this number of bytes,
    // it is formatted into a message and logged.
    //
    "payload" : 2048,

    // Logged data set parameters
    "log": {
        // If specified as true, user input is logged.
        //
        "input" : true,

        // If specified as true, terminal output is logged.
        //
        "output" : true,

        // If specified as true, terminal window size changes are logged.
        //
        "window" : true
    },

    // The type of "log writer" to use for logging. The writer needs
    // to be configured using its dedicated parameters.
    //
    "writer" : "syslog",

    // File writer parameters
    "file": {
        // The "file" writer log file path.
        //
        "path" : ""
    },

    // Syslog writer parameters
    "syslog": {
        // Syslog facility the "syslog" writer should use for the messages.
        //
        "facility" : "authpriv",

        // Syslog priority the "syslog" writer should use for the messages.
        //
        "priority" : "info"
    }
}
From mbabinsk at redhat.com Tue Jun 14 14:19:19 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 14 Jun 2016 16:19:19 +0200
Subject: [Freeipa-devel] [IMPORTANT] regression in 389-ds-base-1.3.5.5-1.fc24 breaks replica install
Message-ID: <344c4927-3f11-f7ec-fc72-c3b3c2f5d432@redhat.com>

Hi list,

389-ds-base-1.3.5.5-1.fc24 package in Fedora updates-testing repo contains a
fix for https://fedorahosted.org/389/ticket/48755 which most likely breaks
FreeIPA replica installation during total update.

Please downgrade this package (and 389-ds-base-libs) to the latest working
version (389-ds-base-1.3.5.4-1.fc24.x86_64).

If you already encountered the issue, give negative karma to the build here:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-5c965fe227

-- 
Martin^3 Babinsky
From mbasti at redhat.com Tue Jun 14 14:27:22 2016
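Returning to the tlog configuration thread above: the mechanism Nikolai describes (a JSON config file in which C and C++ comments are allowed, plus a JSON fragment from an environment variable merged over it) is small enough to show end to end. The following is an added example, not tlog's own code (tlog does this with json-c); the function names and the constructed config excerpt are assumptions, and the comment stripper is written so that a "//" inside the quoted "notice" string survives.

```python
"""Added example: parse a tlog-style JSON config with comments and apply a
JSON override fragment, as the tlog-rec environment variable does.
Not tlog code; tlog uses json-c. Function names are assumptions."""
import json
from typing import Any, Dict


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string literals intact.

    Python's json module rejects comments, so they are removed first. The
    scanner tracks string state and backslash escapes so that comment
    markers inside quoted values (e.g. a notice containing "//") survive.
    Newlines ending a // comment are kept so line structure is preserved.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:       # copy the escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j            # stop before the newline
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            if j == -1:
                raise ValueError("unterminated /* comment in config")
            i = j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def merge_config(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Deep-merge override into a copy of base: nested objects are merged
    key by key, any other value in override replaces the base value."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_config(merged[key], value)
        else:
            merged[key] = value
    return merged


def load_config(global_text: str, env_override: str = "") -> Dict[str, Any]:
    """Parse the system-wide config, then overlay an optional JSON override
    (the partial-override-via-environment behaviour described in the mail)."""
    config = json.loads(strip_json_comments(global_text))
    if not isinstance(config, dict):
        raise ValueError("top-level config must be a JSON object")
    if env_override.strip():
        override = json.loads(strip_json_comments(env_override))
        if not isinstance(override, dict):
            raise ValueError("override must be a JSON object")
        config = merge_config(config, override)
    return config


# Constructed excerpt modelled on the tlog-rec.conf attached to the mail.
SAMPLE_GLOBAL = '''
// Tlog-rec system-wide configuration (constructed excerpt).
{
    "shell" : "/bin/bash",
    // The notice deliberately contains "//" to exercise the stripper.
    "notice" : "\\nATTENTION! Your session is being recorded! // see policy\\n",
    "latency" : 10,
    /* Logged data set parameters */
    "log": { "input" : true, "output" : true, "window" : true },
    "writer" : "syslog"
}
'''

# Constructed override fragment, as tlog-rec would take from its environment.
SAMPLE_OVERRIDE = '{"latency": 5, "log": {"input": false}}'

if __name__ == "__main__":
    print(json.dumps(load_config(SAMPLE_GLOBAL, SAMPLE_OVERRIDE), indent=2))
```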
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 16:27:22 +0200
Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks
References: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com> <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com> <57567014.3080808@redhat.com>

On 09.06.2016 12:42, Stanislav Laznicka wrote:
> On 06/07/2016 08:56 AM, thierry bordaz wrote:
>> On 06/06/2016 07:23 PM, Martin Basti wrote:
>>> On 03.06.2016 13:38, Stanislav Laznicka wrote:
>>>> Hello,
>>>>
>>>> The attached patch implements solution to
>>>> https://fedorahosted.org/freeipa/ticket/5914. The patch is rather
>>>> hacky as nsslapd-db-locks requires to be modified when DS is not
>>>> running although I accept proposals for better solution.
>>>>
>>>> Standa
>>>>
>>> LGTM and works for me, but I want ack from thierry because of the value
>>>
>>> * value set by this patch is 100K, it is okay or should be rather
>>> 50K as is mentioned in the ticket
>>> * should be upgrade for this change, or should be this done only for
>>> new installations? (patch solves new installations only and I don't
>>> think that we should change it by upgrade, users may have already
>>> tuned DS)
>>>
>>> Martin^2
>> Hello,
>>
>> This value also depends of the data. For example adding groups with
>> 10K members spikes the dblock consumption up to 40K because of
>> membership computation during the update.
>> The size of the entries can also contribute if for example we have
>> several entries per page or they are too large and fit on several pages.
>>
>> IMHO we should support out of the box groups with 10K, so
>> 'nsslapd-db-locks: 50000' looks good to me.
>> However it could be documented why it can consume so much lock and how
>> to tune it.
>>
>> thanks
>> thierry
>>
> Thank you, Thierry. Reduced the 100k locks to 50k locks in the patch
> (attached).

ACK, I will push it later
From mbasti at redhat.com Tue Jun 14 14:29:56 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 16:29:56 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com>
Message-ID: <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com>

On 08.06.2016 14:17, Stanislav Laznicka wrote:
> On 06/07/2016 10:42 AM, Martin Basti wrote:
>> On 07.06.2016 10:43, Jan Cholasta wrote:
>>> On 7.6.2016 10:22, Martin Basti wrote:
>>>> On 07.06.2016 09:07, Jan Cholasta wrote:
>>>>> On 6.6.2016 18:29, Martin Basti wrote:
>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>>>>>>
>>>>>>>> NACK
>>>>>>>>
>>>>>>>> please remove it from LDAPAddReverseMember too, it contains the
>>>>>>>> same code
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>
>>>>>>> Please see the modified patch.
>>>>>>>
>>>>>>> Standa
>>>>>>>
>>>>>> ACK
>>>>>>
>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc
>>>>>
>>>>> I think the attrs_list was supposed to be passed to the
>>>>> ldap.get_entry() call rather than removed, which would fix that every
>>>>> reverse member command always acts like --all was specified.
>>>>>
>>>> I'm really afraid, what can happen if we put attr_list into get_entry()
>>>> instead of '*', because this code were there for 4 years and I don't
>>>> feel happy enough to change it now, what we may break.
>>>>
>>>> Should I revert this commit then and postpone the ticket?
>>>
>>> It's a bug and should be fixed. The fix is easy so I see no point in
>>> postponing it. I see no reason to be really afraid, I'm pretty sure
>>> that removing the objectclass attribute (which is invisible in the
>>> CLI anyway) from the output of all the 4 commands that use this code
>>> won't break anything.
>>>
>>
>> Ok
> It seems that tests expect objectClass to be always returned in
> derived methods. Is that expected behavior? If so, please see the
> attached patch. I wonder if the keys of the passed options should make
> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)?

I still don't think that we should use that attrs list, because
according to git history, attrs_list was really used only with code that
was removed, and as you can see Standa had to add an extra objectclass
attribute there

My 2c
Martin^2
From jcholast at redhat.com Tue Jun 14 14:37:08 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jun 2016 16:37:08 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com>

On 14.6.2016 16:29, Martin Basti wrote:
> On 08.06.2016 14:17, Stanislav Laznicka wrote:
>> On 06/07/2016 10:42 AM, Martin Basti wrote:
>>> On 07.06.2016 10:43, Jan Cholasta wrote:
>>>> On 7.6.2016 10:22, Martin Basti wrote:
>>>>> On 07.06.2016 09:07, Jan Cholasta wrote:
>>>>>> On 6.6.2016 18:29, Martin Basti wrote:
>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>>>>>>>
>>>>>>>>> NACK
>>>>>>>>>
>>>>>>>>> please remove it from LDAPAddReverseMember too, it contains the
>>>>>>>>> same code
>>>>>>>>>
>>>>>>>>> Martin^2
>>>>>>>>
>>>>>>>> Please see the modified patch.
>>>>>>>>
>>>>>>>> Standa
>>>>>>>>
>>>>>>> ACK
>>>>>>>
>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc
>>>>>>
>>>>>> I think the attrs_list was supposed to be passed to the
>>>>>> ldap.get_entry() call rather than removed, which would fix that every
>>>>>> reverse member command always acts like --all was specified.
>>>>>>
>>>>> I'm really afraid, what can happen if we put attr_list into get_entry()
>>>>> instead of '*', because this code were there for 4 years and I don't
>>>>> feel happy enough to change it now, what we may break.
>>>>>
>>>>> Should I revert this commit then and postpone the ticket?
>>>>
>>>> It's a bug and should be fixed. The fix is easy so I see no point in
>>>> postponing it. I see no reason to be really afraid, I'm pretty sure
>>>> that removing the objectclass attribute (which is invisible in the
>>>> CLI anyway) from the output of all the 4 commands that use this code
>>>> won't break anything.
>>>>
>>>
>>> Ok
>> It seems that tests expect objectClass to be always returned in
>> derived methods. Is that expected behavior? If so, please see the
>> attached patch. I wonder if the keys of the passed options should make
>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)?
>
> I still don't think that we should use that attrs list, because
> according git history, attrs_list was really used only with code that
> was removed, and as you can see Standa had add extra objectclass
> attribute there

So the assumption here is that if it's in git history, it's not a bug?

The extra object class should *not* be included by default.

(Also I don't see any reason to have this split into 2 patches.)

>
> My 2c
> Martin^2

-- 
Jan Cholasta
From mbasti at redhat.com Tue Jun 14 14:35:19 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 16:35:19 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com>
Message-ID: <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com>

On 14.06.2016 16:37, Jan Cholasta wrote:
> On 14.6.2016 16:29, Martin Basti wrote:
>> On 08.06.2016 14:17, Stanislav Laznicka wrote:
>>> On 06/07/2016 10:42 AM, Martin Basti wrote:
>>>> On 07.06.2016 10:43, Jan Cholasta wrote:
>>>>> On 7.6.2016 10:22, Martin Basti wrote:
>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote:
>>>>>>> On 6.6.2016 18:29, Martin Basti wrote:
>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>>>>>>>>
>>>>>>>>>> NACK
>>>>>>>>>>
>>>>>>>>>> please remove it from LDAPAddReverseMember too, it contains the
>>>>>>>>>> same code
>>>>>>>>>>
>>>>>>>>>> Martin^2
>>>>>>>>>
>>>>>>>>> Please see the modified patch.
>>>>>>>>>
>>>>>>>>> Standa
>>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc
>>>>>>>
>>>>>>> I think the attrs_list was supposed to be passed to the
>>>>>>> ldap.get_entry() call rather than removed, which would fix that
>>>>>>> every reverse member command always acts like --all was specified.
>>>>>>>
>>>>>> I'm really afraid of what can happen if we put attr_list into
>>>>>> get_entry()
>>>>>> instead of '*', because this code was there for 4 years and I don't
>>>>>> feel happy enough to change it now, what we may break.
>>>>>>
>>>>>> Should I revert this commit then and postpone the ticket?
>>>>>
>>>>> It's a bug and should be fixed. The fix is easy so I see no point in
>>>>> postponing it. I see no reason to be really afraid, I'm pretty sure
>>>>> that removing the objectclass attribute (which is invisible in the
>>>>> CLI anyway) from the output of all the 4 commands that use this code
>>>>> won't break anything.
>>>>>
>>>>
>>>> Ok
>>> It seems that tests expect objectClass to be always returned in
>>> derived methods. Is that expected behavior? If so, please see the
>>> attached patch. I wonder if the keys of the passed options should make
>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)?
>>
>> I still don't think that we should use that attrs list, because
>> according to git history, attrs_list was really used only with code that
>> was removed, and as you can see Standa had added an extra objectclass
>> attribute there
>
> So the assumption here is that if it's in git history, it's not a bug?
>
> The extra object class should *not* be included by default.
>
> (Also I don't see any reason to have this split into 2 patches.)
>
The first one is a revert of the patch that removes attr_list, and was pushed.
>>
>> My 2c
>> Martin^2
>
>

From jcholast at redhat.com Tue Jun 14 14:40:29 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 14 Jun 2016 16:40:29 +0200
Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember
In-Reply-To: <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com>
References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com> <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com>
Message-ID: <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com>

On 14.6.2016 16:35, Martin Basti wrote:
>
>
> On 14.06.2016 16:37, Jan Cholasta wrote:
>> On 14.6.2016 16:29, Martin Basti wrote:
>>>
>>>
>>> On 08.06.2016 14:17, Stanislav Laznicka wrote:
>>>> On 06/07/2016 10:42 AM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 07.06.2016 10:43, Jan Cholasta wrote:
>>>>>> On 7.6.2016 10:22, Martin Basti wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote:
>>>>>>>> On 6.6.2016 18:29, Martin Basti wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote:
>>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote:
>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> NACK
>>>>>>>>>>>
>>>>>>>>>>> please remove it from LDAPAddReverseMember too, it contains the
>>>>>>>>>>> same
>>>>>>>>>>> code
>>>>>>>>>>>
>>>>>>>>>>> Martin^2
>>>>>>>>>>
>>>>>>>>>> Please see the modified patch.
>>>>>>>>>>
>>>>>>>>>> Standa
>>>>>>>>>>
>>>>>>>>> ACK
>>>>>>>>>
>>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc
>>>>>>>>
>>>>>>>> I think the attrs_list was supposed to be passed to the
>>>>>>>> ldap.get_entry() call rather than removed, which would fix that
>>>>>>>> every
>>>>>>>> reverse member command always acts like --all was specified.
>>>>>>>>
>>>>>>> I'm really afraid of what can happen if we put attr_list into
>>>>>>> get_entry()
>>>>>>> instead of '*', because this code was there for 4 years and I don't
>>>>>>> feel happy enough to change it now, what we may break.
>>>>>>>
>>>>>>> Should I revert this commit then and postpone the ticket?
>>>>>>
>>>>>> It's a bug and should be fixed. The fix is easy so I see no point in
>>>>>> postponing it. I see no reason to be really afraid, I'm pretty sure
>>>>>> that removing the objectclass attribute (which is invisible in the
>>>>>> CLI anyway) from the output of all the 4 commands that use this code
>>>>>> won't break anything.
>>>>>>
>>>>>
>>>>> Ok
>>>> It seems that tests expect objectClass to be always returned in
>>>> derived methods. Is that expected behavior? If so, please see the
>>>> attached patch. I wonder if the keys of the passed options should make
>>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)?
>>>
>>> I still don't think that we should use that attrs list, because
>>> according to git history, attrs_list was really used only with code that
>>> was removed, and as you can see Standa had added an extra objectclass
>>> attribute there
>>
>> So the assumption here is that if it's in git history, it's not a bug?
>>
>> The extra object class should *not* be included by default.
>>
>> (Also I don't see any reason to have this split into 2 patches.)
>>
> The first one is a revert of the patch that removes attr_list, and was pushed.

That does not make it any more special than any other commit.
>
>>>
>>> My 2c
>>> Martin^2
>>
>>
>

--
Jan Cholasta

From abokovoy at redhat.com Tue Jun 14 14:45:26 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 14 Jun 2016 17:45:26 +0300
Subject: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter
In-Reply-To: <20160607164046.kgntyvj54bvubrce@redhat.com>
References: <20160607164046.kgntyvj54bvubrce@redhat.com>
Message-ID: <20160614144526.4ktq5ji4r5y4arfw@redhat.com>

On Tue, 07 Jun 2016, Alexander Bokovoy wrote:
> Hi,
>
> `ipa trust-find' command should only show trusted forest root domains
>
> The child domains should be visible via
>
> ipa trustdomain-find forest.root
>
> The difference between forest root (or external domain) and child
> domains is that the root domain gets the ipaIDObject class to allow assigning a
> POSIX ID to the object. This POSIX ID is used by Samba when an Active
> Directory domain controller connects as a forest trusted domain object.
>
> Child domains can only talk to IPA via the forest root domain, thus they
> don't need a POSIX ID for their TDOs. This allows us a way to
> differentiate objects for the purpose of the 'trust-find' /
> 'trustdomain-find' commands.
>
> Fixes https://fedorahosted.org/freeipa/ticket/5942
>
This patch needs review.

--
/ Alexander Bokovoy

From mbasti at redhat.com Tue Jun 14 15:06:23 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 17:06:23 +0200
Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role
In-Reply-To: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com>
References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com>
Message-ID: <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com>

On 12.06.2016 17:37, Martin Babinsky wrote:
> These two patches turn oft-neglected ntp service into a full fledged
> role whose status can be queried centrally. They should also enable
> generation of location-specific _ntp._udp records.
>
> Please note that NTP is LDAP-enabled by additional call after DS
> instance is configured. I was not feeling confident by swapping NTP
> and DS configuration steps as I was afraid it will break things. If
> not, I will happily update the patch accordingly.
>
> https://fedorahosted.org/freeipa/ticket/5815
> https://fedorahosted.org/freeipa/ticket/5826
>
>
>
Hello, I have a few comments:

Patch: 159
1)
+ if ntp.is_configured():
+ ntp.ldap_enable('NTP', fqdn, None, base_dn)
+ ntp.enable()

All ipa services are in disabled state, ipactl starts them according to
configuration in LDAP
IMO it should be something like:
ntp.disable()
if running:
    ntp.start()

2)
could you upgrade NTP only once in upgrade.py? Use sysupgrade state

3)
+ 'NTP': ('ntpd', 42),
I prefer 45, it is easier to put any service before NTP if needed
without huge renumbering


Patch 160: LGTM

Martin^2

From pspacek at redhat.com Tue Jun 14 15:07:03 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 14 Jun 2016 17:07:03 +0200
Subject: [Freeipa-devel] [PATCH 0424-0426] Fix subtle bugs in event processing
Message-ID: <7f60c256-c9a6-ab9d-ca16-aaa3a3113f60@redhat.com>

Hello,

these three bugs were found accidentally while analyzing requirements for
https://fedorahosted.org/bind-dyndb-ldap/ticket/125

All three should go to master before the release because they were the source of
subtle bugs.

--
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0424-Rework-hack-for-synchronous-event-processing-to-make.patch
Type: text/x-patch
Size: 8319 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0425-Avoid-redundant-sync_task_add-calls.patch
Type: text/x-patch
Size: 1568 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0426-Make-task-selection-in-syncrepl_update-deterministic.patch
Type: text/x-patch
Size: 1836 bytes
Desc: not available
URL:

From slaznick at redhat.com Tue Jun 14 15:26:09 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Tue, 14 Jun 2016 17:26:09 +0200
Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started
In-Reply-To: <9f809d24-a845-9de1-7592-7053512b671b@redhat.com>
References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> <9f809d24-a845-9de1-7592-7053512b671b@redhat.com>
Message-ID:

On 06/14/2016 09:25 AM, Stanislav Laznicka wrote:
> On 06/13/2016 02:51 PM, Martin Babinsky wrote:
>> On 06/07/2016 10:14 AM, Stanislav Laznicka wrote:
>>> https://fedorahosted.org/freeipa/ticket/5775
>>>
>>>
>>>
>> Umm, wouldn't it be better to augment the `Service.start()/restart()`
>> methods themselves with parameters that will suppress exception
>> raising and log an error instead of copy-pasting try: ... except:
>> blocks?
>>
> A good point. SystemdService start()/restart() methods will need
> augmenting as well (signerd service) but I suppose that's about it for
> this issue. I'll send a patch updated accordingly.
>
Actually, adding an argument to SystemdService's start()/restart()
methods turned out to be a very, very bad idea for this purpose (it would
end up with way worse copy-paste than the original patch). Attached is
probably the most minimal solution.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0043-1-Uninstaller-won-t-fail-if-service-can-t-be-started.patch
Type: text/x-patch
Size: 6177 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Jun 14 16:28:15 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Jun 2016 18:28:15 +0200
Subject: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles
In-Reply-To: <23d76534-e7bf-99d2-67b5-a7246646938c@redhat.com>
References: <31a8b97f-5bd8-49bd-36b9-ff9a45d4e639@redhat.com> <6c5ee253-49b1-5f24-00a1-15feb77728e4@redhat.com> <5d97b475-c08a-951c-8064-f7c6030ff5bf@redhat.com> <23d76534-e7bf-99d2-67b5-a7246646938c@redhat.com>
Message-ID: <381c3f6f-6ceb-df80-bca7-5ce37a35bd9b@redhat.com>

On 06/09/2016 05:39 PM, Pavel Vomacka wrote:
>
>
> On 06/08/2016 04:09 PM, Petr Vobornik wrote:
>> On 06/05/2016 07:22 PM, Pavel Vomacka wrote:
>>>
>>> On 06/03/2016 03:10 PM, Petr Vobornik wrote:
>>>> On 06/02/2016 01:40 PM, Pavel Vomacka wrote:
>>>>> Hello,
>>>>>
>>>>> please review my patches which add webui for server roles.
>>>>>
>>>> Did not test yet. I'm waiting for rebase of backend.
>>>>
>>>> Patch 36: ACK (assuming it works when ^^ is available)
>>>>
>>>> Patch 37:
>>>>
>>>> 1. typo: 'overriden' - twice
>>> Fixed.
>>>> 2. 'create_column_link' is a bad name for the method. The method
>>>> doesn't
>>>> create a column link. It is a link's click handler. So the name should
>>>> be e.g. on_column_link_click
>>> Yes, this is better. Fixed.
>>>> Patch 38:
>>>>
>>>> 1. in serverroles_nested_search_facet wouldn't it be better to override
>>>> only get_refresh_command_options and maybe get_refresh_command_args
>>>> instead of full create_refresh_command?
>>>>
>>> Fixed.
>>>
>>> Attached the whole patchset with edited patches.
>>>
>>> --
>>> Pavel^3 Vomacka
>> 1. Following line breaks navigation:
>> that.on_column_link_click(value, entity);
>> it should be:
>> return that.on_column_link_click(value, entity);
>>
> Attached patches are rebased and updated according to new Server Role
> patches.

ACK for all 4 patches.
pushed to master:
* 95c61c6a0b7d97a9f78fc5b83f38ce2b43cbebc4 Association table can be read only
* 72fe7e3294fd2f0acdab161180609e9868c4a943 Extend table facet
* 1eb57600185f96e61d0894148a5f50870173c7cd Add server roles on topology page
* 31faf1c21d5635edfa9da23005a1942452a0248c Search facet can be without search field

--
Petr Vobornik

From pvoborni at redhat.com Tue Jun 14 16:30:14 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Jun 2016 18:30:14 +0200
Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs
In-Reply-To: <873f84c1-a81e-3f69-2902-91f4759e2a49@redhat.com>
References: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com> <20160614044212.GZ4744@dhcp-40-8.bne.redhat.com> <873f84c1-a81e-3f69-2902-91f4759e2a49@redhat.com>
Message-ID:

On 06/14/2016 10:17 AM, Pavel Vomacka wrote:
>
>
> On 06/14/2016 06:42 AM, Fraser Tweedale wrote:
>> On Mon, Jun 13, 2016 at 07:48:58PM +0200, Pavel Vomacka wrote:
>>>
>>> On 06/13/2016 06:55 AM, Fraser Tweedale wrote:
>>>> On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote:
>>>>> Hello,
>>>>>
>>>>> please review these new patches which add WebUI for Sub-CAs.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5939
>>>>>
>>>> Hi Pavel, I have reviewed the functionality of the patches.
>>>> Functionality is good - a few minor comments below.
>>> Hello, thank you for the review.
>>>> Patch 45:
>>>>
>>>> 1) In the main `Certificate Authorities' table, `Subject DN' is
>>>> showing the DN of the IPA object, instead of the Subject DN.
>>> Fixed.
>>>> 2) In the `Certificate Authorities' detail table, there is an
>>>> unlabelled row showing the DN of the IPA object. IMO we do not need
>>>> to show this value at all.
>>> The field was removed.
>>>> Patch 46:
>>>>
>>>> 3) I see a FIXME in certificate.js. The behaviour (default to IPA
>>>> CA / 'ipa') is OK. Alternatively, you could allow the user to not
>>>> specify a CA (this will allow the default - currently 'ipa' - to be
>>>> controlled by server).
>>> FIXME comment removed.
>>>> Patch 47:
>>>>
>>>> 4) For backwards compatibility, a CA ACL without any specified CAs
>>>> (and not cacat=all) implies the 'ipa' CA. It would be good to
>>>> indicate this in the UI somehow, or include a notice to explain.
>>> I added a tooltip next to the checkbox on the adder dialog and also a note
>>> above the
>>> table with CAs in the CA ACL details view.
>>>
>> The message has a small typo: "specificed" should be "specified"
>> (the typo occurs in both places).
>>
>> Once this is fixed, ACK.
> Updated patches attached.

Also ACK from Web UI internals perspective.

Patch 0045-2: ACK
Patch 0046-2: ACK, could be split into two patches but don't bother...
Patch 0047-3: ACK

--
Petr Vobornik

From pvoborni at redhat.com Tue Jun 14 16:36:16 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 14 Jun 2016 18:36:16 +0200
Subject: [Freeipa-devel] [PATCH] 0031 webui: add ability to review certificate request dialog
In-Reply-To: <57206966.8030302@redhat.com>
References: <57206966.8030302@redhat.com>
Message-ID: <68283521-8583-7d42-4a95-7827508f14a0@redhat.com>

On 04/27/2016 09:25 AM, Pavel Vomacka wrote:
> Hi
>
> please review the attached patch.
>
> Fixes this ticket: https://fedorahosted.org/freeipa/ticket/5652
>
> --
> Pavel^3 Vomacka
>
>

ACK

master:
* 8135651abb857fbe489a1de8aacad3747d7d5cc9 Add ability to review cert request dialog

--
Petr Vobornik

From mbabinsk at redhat.com Tue Jun 14 16:58:18 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 14 Jun 2016 18:58:18 +0200
Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role
In-Reply-To: <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com>
References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com>
Message-ID: <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com>

On 06/14/2016 05:06 PM, Martin Basti wrote:
>
>
> On 12.06.2016 17:37, Martin Babinsky wrote:
>> These two patches turn oft-neglected ntp service into a full fledged
>> role whose status can be queried centrally. They should also enable
>> generation of location-specific _ntp._udp records.
>>
>> Please note that NTP is LDAP-enabled by additional call after DS
>> instance is configured. I was not feeling confident by swapping NTP
>> and DS configuration steps as I was afraid it will break things. If
>> not, I will happily update the patch accordingly.
>>
>> https://fedorahosted.org/freeipa/ticket/5815
>> https://fedorahosted.org/freeipa/ticket/5826
>>
>>
>>
> Hello, I have a few comments:
>
> Patch: 159
> 1)
> + if ntp.is_configured():
> + ntp.ldap_enable('NTP', fqdn, None, base_dn)
> + ntp.enable()
>
> All ipa services are in disabled state, ipactl starts them according to
> configuration in LDAP
> IMO it should be something like:
> ntp.disable()
> if running:
>     ntp.start()
>
> 2)
> could you upgrade NTP only once in upgrade.py? Use sysupgrade state
>
> 3)
> + 'NTP': ('ntpd', 42),
> I prefer 45, it is easier to put any service before NTP if needed
> without huge renumbering
>
>
> Patch 160: LGTM
>
> Martin^2
>
>
Right, attaching updated patches.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0159.1-Add-NTP-to-the-list-of-services-stored-in-IPA-master.patch
Type: text/x-patch
Size: 5655 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0160.1-Introduce-NTP-server-role.patch
Type: text/x-patch
Size: 2329 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Jun 14 17:28:03 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 14 Jun 2016 19:28:03 +0200
Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role
In-Reply-To: <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com>
References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com> <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com>
Message-ID: <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com>

On 14.06.2016 18:58, Martin Babinsky wrote:
> On 06/14/2016 05:06 PM, Martin Basti wrote:
>>
>>
>> On 12.06.2016 17:37, Martin Babinsky wrote:
>>> These two patches turn oft-neglected ntp service into a full fledged
>>> role whose status can be queried centrally. They should also enable
>>> generation of location-specific _ntp._udp records.
>>>
>>> Please note that NTP is LDAP-enabled by additional call after DS
>>> instance is configured. I was not feeling confident by swapping NTP
>>> and DS configuration steps as I was afraid it will break things. If
>>> not, I will happily update the patch accordingly.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5815
>>> https://fedorahosted.org/freeipa/ticket/5826
>>>
>>>
>>>
>> Hello, I have a few comments:
>>
>> Patch: 159
>> 1)
>> + if ntp.is_configured():
>> + ntp.ldap_enable('NTP', fqdn, None, base_dn)
>> + ntp.enable()
>>
>> All ipa services are in disabled state, ipactl starts them according to
>> configuration in LDAP
>> IMO it should be something like:
>> ntp.disable()
>> if running:
>>     ntp.start()
>>
>> 2)
>> could you upgrade NTP only once in upgrade.py? Use sysupgrade state
>>
>> 3)
>> + 'NTP': ('ntpd', 42),
>> I prefer 45, it is easier to put any service before NTP if needed
>> without huge renumbering
>>
>>
>> Patch 160: LGTM
>>
>> Martin^2
>>
>>
>
> Right, attaching updated patches.
>
Patches are good, but I'm curious if there is any chance for NTP to be able to
synchronize time before replication on replica install.
If no, IMO better is to move NTP service configuration after dirserver to be able to configure LDAP entry directly. But if there is not time for this, I'm fine with opening ticket and fixing it later. Martin^2 From mbasti at redhat.com Tue Jun 14 18:32:37 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 14 Jun 2016 20:32:37 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations In-Reply-To: References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> Message-ID: On 13.06.2016 16:51, Petr Spacek wrote: > On 13.6.2016 14:57, Martin Basti wrote: >> Patches attached. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> >> >> Missing parts: dns-server config, some warnings from design, some corner, >> cleanup of old unused location records cases, this will be covered in future >> patches > > >> freeipa-mbasti-0506-DNS-Locations-DNS-data-management.patch >> >> >> From f8eb14afe97111e58a8e5bce401a7ab8620888a6 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 8 Jun 2016 17:53:58 +0200 >> Subject: [PATCH 04/11] DNS Locations: DNS data management >> >> Adding module that allows to work with IPA DNS system records: >> * getting system records >> * updating system records >> * work with DNS locations >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ipalib/dns.py | 2 + >> ipalib/dns_data_management.py | 395 ++++++++++++++++++++++++++++++++++++++++++ >> ipaserver/plugins/dns.py | 1 + >> 3 files changed, 398 insertions(+) >> create mode 100644 ipalib/dns_data_management.py >> >> diff --git a/ipalib/dns.py b/ipalib/dns.py >> index 54a4c24a08c974d8e905e4630d91d2381c39778d..55e45a094e5b4171962abdc3f81e1647107ef96d 100644 >> --- a/ipalib/dns.py >> +++ b/ipalib/dns.py >> @@ -18,6 +18,8 @@ >> # You should have received a copy of the GNU General Public License >> # along with this program. If not, see . >> >> +from __future__ import absolute_import >> + >> import re >> >> from ipalib import errors 
>> diff --git a/ipalib/dns_data_management.py b/ipalib/dns_data_management.py >> new file mode 100644 >> index 0000000000000000000000000000000000000000..939978d980c4c1292dd516245457795fc116d401 >> --- /dev/null >> +++ b/ipalib/dns_data_management.py 
>> @@ -0,0 +1,395 @@ >> +# >> +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license >> +# >> + >> +from __future__ import absolute_import >> + >> +from collections import defaultdict >> +from dns import ( >> + rdataclass, >> + rdatatype, >> + zone, >> +) >> +from dns.rdtypes.IN.SRV import SRV >> +from dns.rdtypes.ANY.TXT import TXT >> + >> +from ipalib import errors >> +from ipalib.dns import record_name_format >> +from ipapython.dnsutil import DNSName, resolve_rrsets >> + >> +IPA_DEFAULT_MASTER_SRV_REC = ( >> + # srv record name, port >> + (DNSName(u'_ldap._tcp'), 389), >> + (DNSName(u'_kerberos._tcp'), 88), >> + (DNSName(u'_kerberos._udp'), 88), >> + (DNSName(u'_kerberos-master._tcp'), 88), >> + (DNSName(u'_kerberos-master._udp'), 88), >> + (DNSName(u'_kpasswd._tcp'), 464), >> + (DNSName(u'_kpasswd._udp'), 464), >> +) >> + >> +IPA_DEFAULT_ADTRUST_SRV_REC = ( >> + # srv record name, port >> + (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389), >> + (DNSName(u'_ldap._tcp.dc._msdcs'), 389), >> + (DNSName(u'_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs'), 88), >> + (DNSName(u'_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs'), 88), >> + (DNSName(u'_kerberos._tcp.dc._msdcs'), 88), >> + (DNSName(u'_kerberos._udp.dc._msdcs'), 88), >> +) >> + >> + >> +class IPADomainIsNotManagedByIPAError(Exception): >> + pass >> + >> + >> +class IPASystemRecords(object): >> + >> + # fixme do it configurable >> + PRIORITY_HIGH = 0 >> + PRIORITY_LOW = 50 >> + >> + def __init__(self, api_instance): >> + self.api_instance = api_instance >> + self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute() >> + self.servers_data = {} >> + self.__init_data() >> + >> + def reload_data(self): >> + """ >> + After any change made to IPA servers, this method must be called to >> + update data in the object, otherwise invalid records may be >> + created/updated >> + """ >> + self.__init_data() >> + >> + def __get_server_attrs(self, hostname): 
>> + """ >> + Returns weight, location, and intersection of its roles and allowed >> + roles >> + :param hostname: server hostname >> + :param allowed_roles: *set* of server roles that are allowed, if None >> + all roles will be used >> + :return: (weight, location, intersection of roles and allowed roles) > There is no param allowed_roles :-) Removed, it was forgotten comment from very first version > > >> + """ >> + server_result = self.api_instance.Command.server_show(hostname)['result'] >> + weight = int(server_result.get('ipalocationweight', [u'100'])[0]) >> + location = server_result.get('ipalocation_location', [None])[0] >> + roles = set(server_result.get('enabled_role_servrole', ())) >> + >> + return weight, location, roles >> + >> + def __init_data(self): >> + self.servers_data = {} >> + >> + servers_result = self.api_instance.Command.server_find( >> + pkey_only=True)['result'] >> + servers = [s['cn'][0] for s in servers_result] >> + for s in servers: >> + weight, location, roles = self.__get_server_attrs(s) >> + self.servers_data[s] = { >> + 'weight': weight, >> + 'location': location, >> + 'roles': roles, >> + } >> + >> + def __get_srv_records( >> + self, zone_obj, hostname, rname_port_map, >> + weight=100, priority=0, location=None >> + ): >> + assert isinstance(hostname, DNSName) >> + assert isinstance(priority, int) >> + assert isinstance(weight, int) >> + >> + if location: >> + suffix = ( >> + location + DNSName('_locations') + self.domain_abs >> + ) >> + else: >> + suffix = self.domain_abs >> + >> + for name, port in rname_port_map: >> + rd = SRV( >> + rdataclass.IN, rdatatype.SRV, >> + priority, >> + weight, >> + port, >> + hostname.make_absolute() >> + ) >> + >> + r_name = name.derelativize(suffix) >> + >> + rdataset = zone_obj.get_rdataset( >> + r_name, rdatatype.SRV, create=True) >> + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config >> + >> + def __get_ca_records_from_hostname(self, zone_obj, hostname): > Name __get is misleading because 
it does not return a new object - it in fact > modifies one one of its arguments. I would rather start the name with __add_... Done >> + assert isinstance(hostname, DNSName) and hostname.is_absolute() >> + r_name = DNSName('ipa-ca') + self.domain_abs >> + rrsets = resolve_rrsets(hostname, (rdatatype.A, rdatatype.AAAA)) >> + for rrset in rrsets: >> + for rd in rrset: >> + rdataset = zone_obj.get_rdataset( >> + r_name, rd.rdtype, create=True) >> + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config >> + >> + def __get_kerberos_txt_rec(self, zone_obj): > The same as above. done > > >> + # FIXME: with external DNS, this should generate records for all >> + # realmdomains >> + r_name = DNSName('_kerberos') + self.domain_abs >> + rd = TXT(rdataclass.IN, rdatatype.TXT, [self.api_instance.env.realm]) >> + rdataset = zone_obj.get_rdataset( >> + r_name, rdatatype.TXT, create=True >> + ) >> + rdataset.add(rd, ttl=86400) # FIXME: use TTL from config >> + >> + def _get_base_dns_records_for_server( > The same as above. 
done >> + self, zone_obj, hostname, roles=None, include_master_role=True, >> + include_kerberos_realm=True, >> + ): >> + server = self.servers_data[hostname] >> + if roles: >> + eff_roles = server['roles'] & set(roles) >> + else: >> + eff_roles = server['roles'] >> + hostname_abs = DNSName(hostname).make_absolute() >> + >> + if include_kerberos_realm: >> + self.__get_kerberos_txt_rec(zone_obj) >> + >> + # get master records >> + if include_master_role: >> + self.__get_srv_records( >> + zone_obj, >> + hostname_abs, >> + IPA_DEFAULT_MASTER_SRV_REC, >> + weight=server['weight'] >> + ) >> + >> + if 'CA server' in eff_roles: >> + self.__get_ca_records_from_hostname(zone_obj, hostname_abs) >> + >> + if 'AD trust controller' in eff_roles: >> + self.__get_srv_records( >> + zone_obj, >> + hostname_abs, >> + IPA_DEFAULT_ADTRUST_SRV_REC, >> + weight=server['weight'] >> + ) >> + >> + def _get_location_dns_records_for_server( >> + self, zone_obj, hostname, locations, >> + roles=None, include_master_role=True): >> + """ >> + Function returns list of DNS records for server with proper locations >> + mappings > In fact it returns zone. 
removed comment >> + :param api_instance: instance of API >> + :param hostname: server hostname >> + :return: dict with keys as record name, and list of rrsets as values >> + """ >> + server = self.servers_data[hostname] >> + if roles: >> + eff_roles = server['roles'] & roles >> + else: >> + eff_roles = server['roles'] >> + hostname_abs = DNSName(hostname).make_absolute() >> + >> + # generate locations specific records >> + for location in locations: >> + if location == self.servers_data[hostname]['location']: >> + priority = self.PRIORITY_HIGH >> + else: >> + priority = self.PRIORITY_LOW >> + >> + if include_master_role: >> + self.__get_srv_records( >> + zone_obj, >> + hostname_abs, >> + IPA_DEFAULT_MASTER_SRV_REC, >> + weight=server['weight'], >> + priority=priority, >> + location=location >> + ) >> + >> + if 'AD trust controller' in eff_roles: >> + self.__get_srv_records( >> + zone_obj, >> + hostname_abs, >> + IPA_DEFAULT_ADTRUST_SRV_REC, >> + weight=server['weight'], >> + priority=priority, >> + location=location >> + ) >> + >> + return zone_obj >> + >> + def __prepare_records_update_dict(self, node): >> + update_dict = defaultdict(list) >> + for rdataset in node.rdatasets: > AFAIK "rdataset in node" would be better and would not touch internals of node. 
done >> + for rdata in rdataset: >> + option_name = (record_name_format % rdatatype.to_text( >> + rdata.rdtype).lower()) >> + update_dict[option_name].append(rdata.to_text()) >> + return update_dict >> + >> + def __update_dns_records( >> + self, record_name, nodes, set_cname_template=True >> + ): >> + update_dict = self.__prepare_records_update_dict(nodes) >> + cname_template = { >> + 'addattr': [u'objectclass=idnsTemplateObject'], >> + 'setattr': [ >> + u'idnsTemplateAttribute;cnamerecord=%s' >> + u'.\{substitutionvariable_ipalocation\}._locations' % >> + record_name.relativize(self.domain_abs) >> + ] >> + } >> + try: >> + if set_cname_template: >> + # only srv records should have configured cname templates >> + update_dict.update(cname_template) >> + self.api_instance.Command.dnsrecord_mod( >> + self.domain_abs, record_name, >> + **update_dict >> + ) >> + except errors.NotFound: >> + # because internal API magic, addattr and setattr doesn't work with >> + # dnsrecord-add well, use dnsrecord-mod instead later >> + update_dict.pop('addattr', None) >> + update_dict.pop('setattr', None) >> + >> + self.api_instance.Command.dnsrecord_add( >> + self.domain_abs, record_name, **update_dict) >> + >> + if set_cname_template: >> + try: >> + self.api_instance.Command.dnsrecord_add( > This ^^^ should be dnsrecord_mod. 
Nice catch, thanks > > >> + self.domain_abs, >> + record_name, **cname_template) >> + except errors.EmptyModlist: >> + pass >> + except errors.EmptyModlist: >> + pass >> + >> + def get_base_records( >> + self, servers=None, roles=None, include_master_role=True, >> + include_kerberos_realm=True >> + ): >> + """ >> + Generate IPA service records for specific servers and roles >> + :param servers: list of server which will be used in records, >> + if None all IPA servers will be used >> + :param roles: roles for which DNS records will be generated, >> + if None all roles will be used >> + :param include_master_role: generate records required by IPA master >> + role >> + :return: dns.zone.Zone object that contains base DNS records >> + """ >> + >> + zone_obj = zone.Zone(self.domain_abs, relativize=False) >> + if servers is None: >> + servers = self.servers_data.keys() >> + >> + for server in servers: >> + self._get_base_dns_records_for_server(zone_obj, server, >> + roles=roles, include_master_role=include_master_role, >> + include_kerberos_realm=include_kerberos_realm >> + ) >> + return zone_obj >> + >> + def get_locations_records( >> + self, servers=None, roles=None, include_master_role=True): >> + """ >> + Generate IPA location records for specific servers and roles. 
>> + :param servers: list of server which will be used in records, >> + if None all IPA servers will be used >> + :param roles: roles for which DNS records will be generated, >> + if None all roles will be used >> + :param include_master_role: generate records required by IPA master >> + role >> + :return: dns.zone.Zone object that contains location DNS records >> + """ >> + zone_obj = zone.Zone(self.domain_abs, relativize=False) >> + if servers is None: >> + servers_result = self.api_instance.Command.server_find( >> + pkey_only=True)['result'] >> + servers = [s['cn'][0] for s in servers_result] >> + >> + locations_result = self.api_instance.Command.location_find()['result'] >> + locations = [l['idnsname'][0] for l in locations_result] >> + >> + for server in servers: >> + self._get_location_dns_records_for_server( >> + zone_obj, server, >> + locations, roles=roles, >> + include_master_role=include_master_role) >> + return zone_obj >> + >> + def update_base_records(self): >> + """ >> + Update base DNS records for IPA services >> + :return: [(record_name, node), ...], [(record_name, node, error), ...] 
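Review bot: the `get_base_records` docstring documents `servers`, `roles` and `include_master_role` but not the new `include_kerberos_realm` argument; add a `:param include_kerberos_realm:` line. The two generators also pick their default server list differently: `get_base_records` falls back to `self.servers_data.keys()` while `get_locations_records` issues a fresh `server_find(pkey_only=True)`, so within one `update_dns_records()` run the base zone and the location zone can be built from different server sets; use a single source for both. Minor: `[l['idnsname'][0] for l in locations_result]` uses `l` as a variable name, which is easy to misread as `1`.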
>> + where the first list contains successfully updated records, and the >> + second list contains failed updates with particular exceptions >> + """ >> + fail = [] >> + success = [] >> + names_requiring_cname_templates = set( >> + rec[0].derelativize(self.domain_abs) for rec in ( >> + IPA_DEFAULT_MASTER_SRV_REC + >> + IPA_DEFAULT_ADTRUST_SRV_REC >> + ) >> + ) >> + >> + base_zone = self.get_base_records() >> + for record_name, node in base_zone.items(): >> + set_cname_template = record_name in names_requiring_cname_templates >> + try: >> + self.__update_dns_records( >> + record_name, node, set_cname_template) >> + except errors.PublicError as e: >> + fail.append((record_name, node, e)) >> + else: >> + success.append((record_name, node)) >> + return success, fail >> + >> + def update_locations_records(self): >> + """ >> + Update locations DNS records for IPA services >> + :return: [(record_name, node), ...], [(record_name, node, error), ...] >> + where the first list contains successfully updated records, and the >> + second list contains failed updates with particular exceptions >> + """ >> + fail = [] >> + success = [] >> + >> + location_zone = self.get_locations_records() >> + for record_name, nodes in location_zone.items(): >> + try: >> + self.__update_dns_records( >> + record_name, nodes, >> + set_cname_template=False) >> + except errors.PublicError as e: >> + fail.append((record_name, nodes, e)) >> + else: >> + success.append((record_name, nodes)) >> + return success, fail > I think that methods update_base_records() and update_locations_records() can > be unified because they are basically the same. Condition "record_name in > names_requiring_cname_templates" should evaluate to False for all location > records (I hope :-) so you can save some code and just pass result of > get_base_records()/get_locations_records() into the common function. 
Well, there is much more than just 'names_requiring_cname_templates', I would like to stick with this for now > > >> freeipa-mbasti-0507-DNS-Locations-permission-allow-to-read-status-of-ser.patch >> >> >> From 6fb4de027ac56e32047c55d8690af078951c8c35 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Sat, 11 Jun 2016 17:49:00 +0200 >> Subject: [PATCH 05/11] DNS Locations: permission: allow to read status of >> services >> >> New permission was added: "System: Read Status of Services on IPA Servers" >> This permission is needed for detection which records should be created >> on which servers. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ACI.txt | 2 ++ >> ipaserver/plugins/server.py | 5 +++++ >> 2 files changed, 7 insertions(+) >> >> diff --git a/ACI.txt b/ACI.txt >> index 6f691f2a7b01f834006e3c796c14c256ee87faa6..62665c04f5c27ece0cec588d93f763db5f8cb054 100644 >> --- a/ACI.txt >> +++ b/ACI.txt 
>> @@ -228,6 +228,8 @@ dn: cn=usermap,cn=selinux,dc=ipa,dc=example >> aci: (targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Remove SELinux User Maps";allow (delete) groupdn = "ldap:///cn=System: Remove SELinux User >> Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example >> aci: (targetattr = "cn || createtimestamp || entryusn || ipalocation || ipalocationweight || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationMember)")(version 3.0;acl "permission:System: Read Locations of IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Locations of IPA >> Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> +dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example >> +aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaLocationMember)")(version 3.0;acl "permission:System: Read Status of Services on IPA Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Status of Services on IPA > How is "(targetfilter = (objectclass=ipaLocationMember)" going to work with > non-upgraded servers? > > Correct me if I'm wrong but I guess that CentOS 6 replicas will not have > ipaLocationMember object class. Does it mean that the command ran on CentOS 7 > will not see and generate records for CentOS 6 replicas? > Thank you nice catch. That objectlass is totally wrong and should not be there. It should be ipaConfigObject >> Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=services,cn=accounts,dc=ipa,dc=example >> aci: (targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Add Services";allow (add) groupdn = "ldap:///cn=System: Add Services,cn=permissions,cn=pbac,dc=ipa,dc=example";) >> dn: cn=services,cn=accounts,dc=ipa,dc=example 
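Review bot: the new ACI's `targetfilter = "(objectclass=ipaLocationMember)"` is copied from the 'Read Locations of IPA Servers' entry just above it, but the attribute it exposes, `ipaconfigstring`, lives on the per-service `ipaConfigObject` entries beneath each server entry, not on the `ipaLocationMember` server entry itself, so as written the permission grants nothing the record generator can use; as agreed in the thread the filter should be `(objectclass=ipaConfigObject)`. Keep the permission anchored at `cn=masters,cn=ipa,cn=etc` so it covers those child entries, and keep the attribute list to `objectclass`, `cn` and `ipaconfigstring` plus the operational attributes, since `ipaconfigstring` is what records which services are enabled on which server.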
>> diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py >> index a2c2752d94913eda0636cd5a360921eb002282d3..eb40b97ad22b95a2054b6280140e48973b1ec229 100644 >> --- a/ipaserver/plugins/server.py >> +++ b/ipaserver/plugins/server.py >> @@ -75,6 +75,11 @@ class server(LDAPObject): >> }, >> 'default_privileges': {'DNS Administrators'}, >> }, >> + 'System: Read Status of Services on IPA Servers': { >> + 'ipapermright': {'read', 'search', 'compare'}, >> + 'ipapermdefaultattr': {'objectclass', 'cn', 'ipaconfigstring'}, >> + 'default_privileges': {'DNS Administrators'}, >> + } > Interesting, where is the (targetfilter = (objectclass=ipaLocationMember) ? > How it gets to ACI.txt? fixed, same as above >> } >> >> takes_params = ( >> -- 2.5.5 > >> freeipa-mbasti-0509-DNS-Locations-command-dns-update-system-records.patch >> >> >> From 3dd971a197f5106cd021135056a15eb9c7521948 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Fri, 10 Jun 2016 17:03:25 +0200 >> Subject: [PATCH 07/11] DNS Locations: command dns-update-system-records >> >> command dns-update-system-records updates/fixes DNS records for IPA >> services: >> * updating A, AAAA records for CA >> * updating SRV records for LDAP, kerberos and AD trust >> * updating TXT record in _kerberos with proper realm >> * updating dns locations if used >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> API.txt | 10 ++++ >> VERSION | 4 +- >> ipaclient/plugins/dns.py | 26 +++++++++- >> ipalib/dns_data_management.py | 24 ++++++++- >> ipaserver/plugins/dns.py | 112 ++++++++++++++++++++++++++++++++++++++++++ >> 5 files changed, 172 insertions(+), 4 deletions(-) >> >> diff --git a/API.txt b/API.txt >> index 68ce3560d17c1fb6b6c50a91b5bf6ba810204922..c9268493a4c74a0a1557fc2930f618d1916c184d 100644 >> --- a/API.txt >> +++ b/API.txt 
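Review bot: the managed permission added in `ipaserver/plugins/server.py` carries no `ipapermtargetfilter`, so the framework derives the filter from the `server` object's own object class, which is how `(objectclass=ipaLocationMember)` ended up in ACI.txt. To reach the `ipaConfigObject` child entries that hold `ipaconfigstring` the permission needs an explicit filter, e.g. `'ipapermtargetfilter': ['(objectclass=ipaConfigObject)']`, and ACI.txt must be regenerated from that so the two hunks stay consistent. Style: the new dict entry lacks the trailing comma its neighbours have.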
>> @@ -961,6 +961,16 @@ option: Str('version?') >> output: Output('result', type=[]) >> output: Output('summary', type=[, ]) >> output: PrimaryKey('value') >> +command: dns_update_system_records >> +args: 0,2,6 >> +option: Flag('dry_run', autofill=True, default=False) >> +option: Str('version?') >> +output: Output('failed_ipa_records', type=[, ]) >> +output: Output('failed_location_records', type=[, ]) >> +output: Output('ipa_records', type=[, ]) >> +output: Output('location_records', type=[, ]) >> +output: Output('summary', type=[, ]) >> +output: Output('value', type=[]) >> command: dnsconfig_mod >> args: 0,11,3 >> option: Str('addattr*', cli_name='addattr') >> diff --git a/VERSION b/VERSION >> index 7c3e46a98607f3b94a0c98406ed13aa278440875..c39e800ce9dadc7ba7f9fbe08f870903271a9031 100644 >> --- a/VERSION >> +++ b/VERSION >> @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 >> # # >> ######################################################## >> IPA_API_VERSION_MAJOR=2 >> -IPA_API_VERSION_MINOR=180 >> -# Last change: mbabink - Server Roles: provide an API for setting CA renewal master >> +IPA_API_VERSION_MINOR=181 >> +# Last change: mbasti - added command dns-update-system-records >> diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py >> index 4defb7c33d301c60c78b22aa6d71c9da19650ec3..b784c04116bec0bfcc37e83f2e0bcf42b011a40c 100644 >> --- a/ipaclient/plugins/dns.py >> +++ b/ipaclient/plugins/dns.py >> @@ -22,7 +22,7 @@ from __future__ import print_function >> >> import six >> >> -from ipaclient.frontend import MethodOverride >> +from ipaclient.frontend import MethodOverride, CommandOverride >> from ipalib import errors >> from ipalib.dns import (get_record_rrtype, >> has_cli_options, 
>> @@ -342,3 +342,27 @@ class dnsforwardzone_mod(MethodOverride): >> _("Server will check DNS forwarder(s).")) >> self.Backend.textui.print_plain( >> _("This may take some time, please wait ...")) >> + >> + >> + at register(override=True) >> +class dns_update_system_records(CommandOverride): >> + def output_for_cli(self, textui, output, *args, **options): >> + failures = {'failed_ipa_records', 'failed_location_records'} >> + for key in ( >> + 'ipa_records', 'failed_ipa_records', >> + 'location_records', 'failed_location_records' >> + ): >> + if output.get(key): >> + textui.print_line(self.output[key].doc) >> + if key in sorted(failures, key=lambda x: x[0]): >> + for val, err in output[key]: >> + textui.print_indented( >> + u'{val} ({err})'.format(val=val, err=err), >> + indent=1 >> + ) >> + else: >> + for val in sorted(output[key]): >> + textui.print_indented(val, indent=1) >> + textui.print_line(u'') >> + textui.print_summary(output['summary']) >> + return int(not output['value']) >> diff --git a/ipalib/dns_data_management.py b/ipalib/dns_data_management.py >> index 939978d980c4c1292dd516245457795fc116d401..0d0466c18dea9830cfcfa89441d632f48bff3910 100644 >> --- a/ipalib/dns_data_management.py >> +++ b/ipalib/dns_data_management.py >> @@ -4,6 +4,8 @@ >> >> from __future__ import absolute_import >> >> +import six >> + >> from collections import defaultdict >> from dns import ( >> rdataclass, >> @@ -17,6 +19,10 @@ from ipalib import errors >> from ipalib.dns import record_name_format >> from ipapython.dnsutil import DNSName, resolve_rrsets >> >> +if six.PY3: >> + unicode=str >> + >> + >> IPA_DEFAULT_MASTER_SRV_REC = ( >> # srv record name, port >> (DNSName(u'_ldap._tcp'), 389), 
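Review bot: in `dns_update_system_records.output_for_cli`, `if key in sorted(failures, key=lambda x: x[0]):` sorts the `failures` set by each key's first character only to perform a membership test, which is wasteful and misleading; `if key in failures:` is what is meant. In the `ipalib/dns_data_management.py` hunk the compatibility shim `unicode=str` should be written `unicode = str` to match the surrounding style.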
>> @@ -229,7 +235,7 @@ class IPASystemRecords(object): >> for rdata in rdataset: >> option_name = (record_name_format % rdatatype.to_text( >> rdata.rdtype).lower()) >> - update_dict[option_name].append(rdata.to_text()) >> + update_dict[option_name].append(unicode(rdata.to_text())) >> return update_dict >> >> def __update_dns_records( >> @@ -393,3 +399,19 @@ class IPASystemRecords(object): >> self.update_base_records(), >> self.update_locations_records() >> ) >> + >> + @classmethod >> + def records_list_from_node(cls, name, node): >> + records = [] >> + for dataset in node: > nitpick: variable names are inconsistent with the rest, you have used rdataset > in the code above done >> + for rd in dataset: >> + records.append( >> + u'{name} {ttl} {rdclass} {rdtype} {rdata}'.format( >> + name=name.ToASCII(), >> + ttl=dataset.ttl, >> + rdclass=rdataclass.to_text(rd.rdclass), >> + rdtype=rdatatype.to_text(rd.rdtype), >> + rdata=rd.to_text() >> + ) >> + ) >> + return records >> diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py >> index c0cd27713b20efe03f2707cfbddac344db74a085..130b1f26817a0f255150a0903dc924476c6e9549 100644 >> --- a/ipaserver/plugins/dns.py >> +++ b/ipaserver/plugins/dns.py >> @@ -40,6 +40,10 @@ from ipalib.dns import (get_record_rrtype, >> from ipalib.request import context >> from ipalib import api, errors, output >> from ipalib import Command >> +from ipalib.dns_data_management import ( >> + IPASystemRecords, >> + IPADomainIsNotManagedByIPAError, >> +) >> from ipalib.capabilities import ( >> VERSION_WITHOUT_CAPABILITIES, >> client_has_capability) 
>> @@ -4429,3 +4433,111 @@ class dnsforwardzone_add_permission(DNSZoneBase_add_permission): >> @register() >> class dnsforwardzone_remove_permission(DNSZoneBase_remove_permission): >> __doc__ = _('Remove a permission for per-forward zone access delegation.') >> + >> + >> + at register() >> +class dns_update_system_records(Command): >> + __doc__ = _('Update location and IPA server DNS records') >> + >> + has_output = ( >> + output.summary, >> + output.Output( >> + 'ipa_records', (list, tuple), >> + _('IPA DNS records') >> + ), >> + output.Output( >> + 'failed_ipa_records', (list, tuple), >> + _('Failed to update IPA DNS records') >> + ), >> + output.Output( >> + 'location_records', (list, tuple), >> + _('IPA location records') >> + ), >> + output.Output( >> + 'failed_location_records', (list, tuple), >> + _('Failed to update IPA location records') >> + ), >> + output.Output( >> + 'value', bool, >> + _('Result of the command'), ['no_display'] >> + ) >> + ) >> + >> + takes_options = ( >> + Flag( >> + 'dry_run', >> + label=_('Dry run'), >> + doc=_('Do not update recors only return expected records') >> + ) >> + ) >> + >> + def execute(self, *args, **options): >> + >> + def output_to_list(iterable): >> + rec_list = [] >> + for name, node in iterable: >> + rec_list.extend(IPASystemRecords.records_list_from_node( >> + name, node)) >> + return rec_list >> + >> + def output_to_list_with_failed(iterable): >> + err_rec_list = [] >> + for name, node, error in iterable: >> + err_rec_list.extend([ >> + (v, unicode(error)) for v in >> + IPASystemRecords.records_list_from_node(name, node) >> + ]) >> + return err_rec_list >> + >> + result = { >> + 'summary': None, >> + 'ipa_records': [], >> + 'failed_ipa_records': [], >> + 'location_records': [], >> + 'failed_location_records': [], >> + 'value': True, >> + } >> + >> + system_records = IPASystemRecords(self.api) >> + >> + if options.get('dry_run'): >> + result['ipa_records'] = output_to_list( >> + 
system_records.get_base_records().items()) >> + result['location_records'] = output_to_list( >> + system_records.get_locations_records().items()) >> + result['summary'] = unicode(_(u'List of IPA system DNS records.')) >> + else: >> + try: >> + ( >> + (success_base, failed_base), >> + (success_loc, failed_loc), >> + ) = system_records.update_dns_records() >> + except IPADomainIsNotManagedByIPAError: >> + result['value'] = False >> + result['summary'] = unicode(_( >> + u'IPA does not manage IPA domain zone itself (or IPA DNS ' >> + u'subsystem is not installed), please add ' >> + u'records to your DNS server manually' >> + )) >> + result['ipa_records'] = output_to_list( >> + system_records.get_base_records().items()) >> + else: >> + result['ipa_records'] = output_to_list(success_base) >> + result['failed_ipa_records'] = output_to_list_with_failed( >> + failed_base) >> + result['location_records'] = output_to_list(success_loc) >> + result['failed_location_records'] = output_to_list_with_failed( >> + failed_loc >> + ) >> + if failed_base or failed_loc: >> + result['value'] = False >> + result['summary'] = unicode(_( >> + u"Not all IPA system DNS records were updated, please " >> + u"update records or fix the failures and re-run " > Did you mean "update the record manually or re-run"...? > forgot how to write, fixed >> + u"the update of records again")) >> + else: >> + result['summary'] = unicode(_( >> + u'IPA system DNS records has been sucessfully updated' >> + )) >> + >> + return result >> -- 2.5.5 >> >> >> freeipa-mbasti-0510-DNS-Locations-use-dns_update_service_records-in-inst.patch >> >> >> From a38e1bac3c1f3a5f3c476bbd125ecf4431e87b26 Mon Sep 17 00:00:00 2001 
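Review bot: `takes_options = ( Flag( ... ) )` has no trailing comma, so it evaluates to a bare `Flag` object rather than a one-element tuple; this only works if the framework special-cases a lone Param, and every other command in the plugin uses a tuple, so add the comma. The option doc has a typo and is missing punctuation (`Do not update recors only return expected records` should read `Do not update records, only return expected records`), and the success summary `IPA system DNS records has been sucessfully updated` should read `have been successfully updated`. Also verify that `ipaserver/plugins/dns.py` already defines the `unicode` name under Python 3, since this hunk calls `unicode(error)` and `unicode(_(...))` but the `if six.PY3: unicode = str` shim was added only to `ipalib/dns_data_management.py`.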
>> From: Martin Basti >> Date: Sun, 12 Jun 2016 18:05:48 +0200 >> Subject: [PATCH 08/11] DNS Locations: use dns_update_service_records in >> installers >> >> use the dns_update_system_records command to set proper DNS records >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/tools/ipa-csreplica-manage | 2 +- >> install/tools/ipa-replica-manage | 1 - >> ipaserver/install/bindinstance.py | 99 ++++++------------------------------- >> ipaserver/install/ca.py | 2 +- >> ipaserver/install/dns.py | 3 ++ >> ipaserver/install/server/upgrade.py | 7 +-- >> 6 files changed, 23 insertions(+), 91 deletions(-) >> >> diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage >> index f271863b8f8a6addf630bf8d570adf039db64d89..a0a61b54013315c85c9c04c1746cd6d005b119d2 100755 >> --- a/install/tools/ipa-csreplica-manage >> +++ b/install/tools/ipa-csreplica-manage >> @@ -286,7 +286,7 @@ def del_master(realm, hostname, options): >> if bindinstance.dns_container_exists(options.host, api.env.basedn, >> dm_password=options.dirman_passwd): >> bind = bindinstance.BindInstance() >> - bind.remove_ipa_ca_dns_records(hostname, realm.lower()) >> + bind.update_system_records() >> except Exception as e: >> print("Failed to cleanup %s DNS entries: %s" % (hostname, e)) >> print("You may need to manually remove them from the tree") >> diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage >> index 095cca68890cd0f6c4cba9faa2395ffa3b980fc0..5a546e33c3bb741b45503580d3602d6be12f1fa5 100755 >> --- a/install/tools/ipa-replica-manage >> +++ b/install/tools/ipa-replica-manage 
>> @@ -898,7 +898,6 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options): >> dm_password=options.dirman_passwd): >> bind = bindinstance.BindInstance() >> bind.remove_master_dns_records(hostname, realm, realm.lower()) >> - bind.remove_ipa_ca_dns_records(hostname, realm.lower()) > Shoudn't you replace both lines with call to bind.update_system_records()? Nope, remove_master_dns_records does much more > >> bind.remove_server_ns_records(hostname) >> >> keysyncd = dnskeysyncinstance.DNSKeySyncInstance() >> diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py >> index 78e75359266bbefe7954242b98922272fb0c9194..e33da070147e39431a3982897f659d3ff7036896 100644 >> --- a/ipaserver/install/bindinstance.py >> +++ b/ipaserver/install/bindinstance.py >> @@ -692,7 +692,6 @@ class BindInstance(service.Service): >> self.step("setting up records for other masters", self.__add_others) >> # all zones must be created before this step >> self.step("adding NS record to the zones", self.__add_self_ns) >> - self.step("setting up CA record", self.__add_ipa_ca_record) >> >> self.step("setting up kerberos principal", self.__setup_principal) >> self.step("setting up named.conf", self.__setup_named_conf) 
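Review bot: in `ipa-csreplica-manage` `del_master`, the explicit `remove_ipa_ca_dns_records(hostname, ...)` call becomes `bind.update_system_records()`, which regenerates the records from the server and service state stored in LDAP rather than from the `hostname` argument; it therefore only drops the removed host's CA records if that host's `cn=CA` service entry under `cn=masters` has already been deleted at the point this runs. Please confirm the ordering in `del_master`, otherwise the stale CA A/AAAA records survive the removal.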
>> @@ -858,15 +857,7 @@ class BindInstance(service.Service): >> else: >> host_in_rr = normalize_zone(fqdn) >> >> - srv_records = ( >> - ("_ldap._tcp", "0 100 389 %s" % host_in_rr), >> - ("_kerberos._tcp", "0 100 88 %s" % host_in_rr), >> - ("_kerberos._udp", "0 100 88 %s" % host_in_rr), >> - ("_kerberos-master._tcp", "0 100 88 %s" % host_in_rr), >> - ("_kerberos-master._udp", "0 100 88 %s" % host_in_rr), >> - ("_kpasswd._tcp", "0 100 464 %s" % host_in_rr), >> - ("_kpasswd._udp", "0 100 464 %s" % host_in_rr), >> - ) >> + srv_records = () >> if self.ntp: >> srv_records += ( >> ("_ntp._udp", "0 100 123 %s" % host_in_rr), > This deserves FIXME becaise we have to fix it as soon as NTP role is merged. Uneeded, I will do NTP ASAP (tomorrow), so no fixme required > > >> @@ -942,36 +933,6 @@ class BindInstance(service.Service): >> # there is a CNAME record in ipa-ca, we can't add A/AAAA records >> pass >> >> - def __add_ipa_ca_record(self): >> - self.__add_ipa_ca_records(self.fqdn, self.ip_addresses, >> - self.ca_configured) >> - >> - if self.first_instance: >> - ldap = self.api.Backend.ldap2 >> - try: >> - entries = ldap.get_entries( >> - DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), >> - self.api.env.basedn), >> - ldap.SCOPE_SUBTREE, '(&(objectClass=ipaConfigObject)(cn=CA))', >> - ['dn']) >> - except errors.NotFound: >> - root_logger.debug('No server with CA found') >> - entries = [] >> - >> - for entry in entries: >> - fqdn = entry.dn[1]['cn'] >> - if fqdn == self.fqdn: >> - continue >> - >> - host, zone = fqdn.split('.', 1) >> - if dns_zone_exists(zone, self.api): >> - addrs = get_fwd_rr(zone, host, api=self.api) >> - else: >> - addrs = dnsutil.resolve_ip_addresses(fqdn) >> - # hack, will go away with locations >> - addrs = [str(addr) for addr in addrs] >> - >> - self.__add_ipa_ca_records(fqdn, addrs, True) >> >> def __setup_principal(self): >> dns_principal = "DNS/" + self.fqdn + "@" + self.realm 
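Review bot: removing `__add_ipa_ca_record` here, and `add_ipa_ca_dns_records` in the following hunks, leaves `__add_ipa_ca_records` (the plural method ending with `# there is a CNAME record in ipa-ca, we can't add A/AAAA records` / `pass` in the context above) without any visible caller. If nothing else uses it, delete it together with the helpers it pulled in for this path (`get_fwd_rr`, `dnsutil.resolve_ip_addresses`, the `cn=masters` lookup via `DN`), so the superseded CA-record logic does not linger next to the new generator.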
>> @@ -1088,28 +1049,15 @@ class BindInstance(service.Service): >> self.zonemgr = 'hostmaster.%s' % self.domain >> >> self.__add_self() >> - self.__add_ipa_ca_record() >> + self.update_system_records() >> >> - def add_ipa_ca_dns_records(self, fqdn, domain_name, ca_configured=True): >> - host, zone = fqdn.split(".", 1) >> - if dns_zone_exists(zone, self.api): >> - addrs = get_fwd_rr(zone, host, api=self.api) >> - else: >> - addrs = dnsutil.resolve_ip_addresses(fqdn) >> - # hack, will go away with locations >> - addrs = [str(addr) for addr in addrs] >> - >> - self.domain = domain_name >> - >> - self.__add_ipa_ca_records(fqdn, addrs, ca_configured) >> - >> - def convert_ipa_ca_cnames(self, domain_name): >> + def remove_ipa_ca_cnames(self, domain_name): >> # get ipa-ca CNAMEs >> cnames = get_rr(domain_name, IPA_CA_RECORD, "CNAME", api=self.api) >> if not cnames: >> return >> >> - root_logger.info('Converting IPA CA CNAME records to A/AAAA records') >> + root_logger.info('Removing IPA CA CNAME records') >> >> # create CNAME to FQDN mapping >> cname_fqdn = {} 
>> @@ -1136,34 +1084,21 @@ class BindInstance(service.Service): >> fqdn = cname_fqdn[cname] >> if fqdn not in masters: >> root_logger.warning( >> - "Cannot convert IPA CA CNAME records to A/AAAA records, " >> - "please convert them manually if necessary") >> + "Cannot remove IPA CA CNAME please remove them manually " >> + "if necessary") >> return >> >> # delete all CNAMEs >> for cname in cnames: >> del_rr(domain_name, IPA_CA_RECORD, "CNAME", cname, api=self.api) >> >> - # add A/AAAA records >> - for cname in cnames: >> - fqdn = cname_fqdn[cname] >> - self.add_ipa_ca_dns_records(fqdn, domain_name, None) >> - >> def remove_master_dns_records(self, fqdn, realm_name, domain_name): >> host, zone = fqdn.split(".", 1) >> self.host = host >> self.fqdn = fqdn >> self.domain = domain_name >> - suffix = ipautil.realm_to_suffix(realm_name) >> >> resource_records = ( >> - ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr), >> - ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), >> - ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr), >> - ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr), >> - ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr), >> - ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr), >> - ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr), >> ("_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr), >> ) 
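Review bot: `remove_master_dns_records` drops `suffix = ipautil.realm_to_suffix(realm_name)`, which appears to have been the only use of `realm_name` in the method; if so, the parameter (and the `realm` argument passed from `ipa-replica-manage`) is now dead and should be removed or its remaining purpose documented. In `remove_ipa_ca_cnames` the new warning `"Cannot remove IPA CA CNAME please remove them manually if necessary"` needs a noun and a comma: `"Cannot remove IPA CA CNAME records, please remove them manually if necessary"`.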
>> >> @@ -1179,18 +1114,7 @@ class BindInstance(service.Service): >> record = get_reverse_record_name(rzone, rdata) >> del_rr(rzone, record, "PTR", normalize_zone(fqdn), >> api=self.api) >> - >> - def remove_ipa_ca_dns_records(self, fqdn, domain_name): >> - host, zone = fqdn.split(".", 1) >> - if dns_zone_exists(zone, self.api): >> - addrs = get_fwd_rr(zone, host, api=self.api) >> - else: >> - addrs = dnsutil.resolve_ip_addresses(fqdn) >> - # hack, will go away with locations >> - addrs = [str(addr) for addr in addrs] >> - >> - for addr in addrs: >> - del_fwd_rr(domain_name, IPA_CA_RECORD, addr, api=self.api) >> + self.update_system_records() >> >> def remove_server_ns_records(self, fqdn): >> """ >> @@ -1224,6 +1148,15 @@ class BindInstance(service.Service): >> root_logger.debug("record %s in zone %s", record, zone) >> del_ns_rr(zone, record, ns_rdata, api=self.api) >> >> + def update_system_records(self): >> + self.print_msg("Updating DNS system records") >> + result = self.api.Command.dns_update_system_records() >> + if not result['value']: >> + root_logger.error("Update of following records failed") >> + for attr in ('failed_ipa_records', 'failed_location_records'): >> + for record, error in result.get(attr, []): >> + root_logger.error("%s (%s)", record, error) >> + >> def check_global_configuration(self): >> """ >> Check global DNS configuration in LDAP server and inform user when it >> diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py >> index ac72c76883fda00e2f258a9ecfe9925722041fe9..bce804ac1c4e3eaf8dd08bed894ad45ea2d73ae1 100644 >> --- a/ipaserver/install/ca.py >> +++ b/ipaserver/install/ca.py 
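Review bot: `BindInstance.update_system_records` logs `Update of following records failed` whenever `result['value']` is false, but the server command in the previous patch also returns `value: False` with empty `failed_*` lists when the IPA domain is not managed by IPA; in that case the installer logs a failure headline followed by nothing, and the `result['summary']` text that tells the admin to add the records manually is never shown. Log `result['summary']` in the failure branch and print the per-record list only when it is non-empty.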
>> @@ -253,7 +253,7 @@ def install_step_1(standalone, replica_config, options): >> # Install CA DNS records >> if bindinstance.dns_container_exists(host_name, basedn, dm_password): >> bind = bindinstance.BindInstance(dm_password=dm_password) >> - bind.add_ipa_ca_dns_records(host_name, domain_name) >> + bind.update_system_records() >> >> >> def uninstall(): >> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >> index 0fb869a7bab5b38f0a543b74220b2bb74888357f..2ea11739e07c73132bddee01309af618532e9815 100644 >> --- a/ipaserver/install/dns.py >> +++ b/ipaserver/install/dns.py >> @@ -359,6 +359,9 @@ def install(standalone, replica, options, api=api): >> dnskeysyncd.start_dnskeysyncd() >> bind.start_named() >> >> + # this must be done when bind is started and operational >> + bind.update_system_records() >> + > We need to investigate if this short delay is enough or if we need active > waiting for BIND to come up. > > Will it work if first master is going to configure first zone and its host > name is not resolvable? We have to test this. Noted, I will cover it in additional patches > > >> if standalone: >> print("==============================================================================") >> print("Setup complete") >> diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py >> index cd2ad2e112fde7e13b584cb550af4bcf65e781ad..c757813a07045295d2a6175795dbdc7f93369d36 100644 >> --- a/ipaserver/install/server/upgrade.py >> +++ b/ipaserver/install/server/upgrade.py 
>> @@ -1094,12 +1094,9 @@ def add_ca_dns_records(): >> >> bind = bindinstance.BindInstance() >> >> - bind.convert_ipa_ca_cnames(api.env.domain) >> + bind.remove_ipa_ca_cnames(api.env.domain) >> >> - # DNS is enabled, so let bindinstance find out if CA is enabled >> - # and let it add the record in that case >> - bind.add_ipa_ca_dns_records(api.env.host, api.env.domain, >> - ca_configured=None) >> + bind.update_system_records() >> >> sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True) >> >> -- 2.5.5 >> >> >> freeipa-mbasti-0511-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch >> >> >> From e72248311a047f10f16c79b150df5e496aedeb01 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Mon, 13 Jun 2016 12:09:27 +0200 >> Subject: [PATCH 09/11] DNS Locations: adtrustinstance simplify dns management >> >> The path how to get IPA domain in code was somehow obfuscated, this >> patch simplifies and make clear what happened there with domain name. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/tools/ipa-adtrust-install | 2 +- >> ipaserver/install/adtrustinstance.py | 14 ++++++-------- >> 2 files changed, 7 insertions(+), 9 deletions(-) >> >> diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install >> index 36caa5c2d429c6cf107df03e82aa80e15d8efe01..5babcdb7cb169e4a944acca55739064e0464d41e 100755 >> --- a/install/tools/ipa-adtrust-install >> +++ b/install/tools/ipa-adtrust-install >> @@ -387,7 +387,7 @@ def main(): >> smb = adtrustinstance.ADTRUSTInstance(fstore) >> smb.realm = api.env.realm >> smb.autobind = ipaldap.AUTOBIND_ENABLED >> - smb.setup(api.env.host, api.env.realm, api.env.domain, >> + smb.setup(api.env.host, api.env.realm, >> netbios_name, reset_netbios_name, >> options.rid_base, options.secondary_rid_base, >> options.no_msdcs, options.add_sids, 
>> diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py >> index fb88e5596b649c49939913389bb78dc79e905322..a5c68604c5e97a6c6959147bb8c687d82176edee 100644 >> --- a/ipaserver/install/adtrustinstance.py >> +++ b/ipaserver/install/adtrustinstance.py >> @@ -135,7 +135,6 @@ class ADTRUSTInstance(service.Service): >> self.fqdn = None >> self.host_netbios_name = None >> self.realm = None >> - self.domain_name = None >> >> service.Service.__init__(self, "smb", service_desc="CIFS", >> dm_password=None, ldapi=True) >> @@ -162,7 +161,6 @@ class ADTRUSTInstance(service.Service): >> self.fqdn = self.fqdn or api.env.host >> self.host_netbios_name = make_netbios_name(self.fqdn) >> self.realm = self.realm or api.env.realm >> - self.domain_name = self.domain_name or api.env.domain >> >> self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm >> self.suffix = ipautil.realm_to_suffix(self.realm) >> @@ -177,7 +175,7 @@ class ADTRUSTInstance(service.Service): >> ('cn', 'etc'), >> self.suffix) >> >> - self.smb_dom_dn = DN(('cn', self.domain_name), >> + self.smb_dom_dn = DN(('cn', api.env.domain), >> api.env.container_cifsdomains, >> self.suffix) >> >> @@ -426,7 +424,7 @@ class ADTRUSTInstance(service.Service): >> self.smb_dom_dn, >> { >> 'objectclass': [self.OBJC_DOMAIN, "nsContainer"], >> - 'cn': [self.domain_name], >> + 'cn': [api.env.domain], >> self.ATTR_FLAT_NAME: [self.netbios_name], >> self.ATTR_SID: [self.__gen_sid_string()], >> self.ATTR_GUID: [str(uuid.uuid4())], >> @@ -581,7 +579,7 @@ class ADTRUSTInstance(service.Service): >> their values are used. Otherwise default values are used. >> """ >> >> - zone = self.domain_name >> + zone = api.env.domain >> host_in_rr = normalize_zone(self.fqdn) >> >> priority = 0 
>> @@ -787,12 +785,12 @@ class ADTRUSTInstance(service.Service): >> LDAPI_SOCKET = self.ldapi_socket, >> FQDN = self.fqdn) >> >> - def setup(self, fqdn, realm_name, domain_name, netbios_name, >> + def setup(self, fqdn, realm_name, netbios_name, >> reset_netbios_name, rid_base, secondary_rid_base, >> - no_msdcs=False, add_sids=False, smbd_user="samba", enable_compat=False): >> + no_msdcs=False, add_sids=False, smbd_user="samba", >> + enable_compat=False): >> self.fqdn = fqdn >> self.realm = realm_name >> - self.domain_name = domain_name >> self.netbios_name = netbios_name >> self.reset_netbios_name = reset_netbios_name >> self.rid_base = rid_base >> -- 2.5.5 >> >> >> freeipa-mbasti-0512-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch >> >> >> From 606e0f3808883709a8734d7121ee1581050b9b8d Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Mon, 13 Jun 2016 12:28:58 +0200 >> Subject: [PATCH 10/11] DNS Locations: use automatic records update in >> ipa-adtrust-install >> >> DNS records for adtrust is added by call dns_update_system_records >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ipaserver/install/adtrustinstance.py | 45 +++++++++--------------------------- >> 1 file changed, 11 insertions(+), 34 deletions(-) >> >> diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py >> index a5c68604c5e97a6c6959147bb8c687d82176edee..51d5f4f1c4b23ad418544939ee6182bc80dd517b 100644 >> --- a/ipaserver/install/adtrustinstance.py >> +++ b/ipaserver/install/adtrustinstance.py 
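Review bot: `ADTRUSTInstance.setup` loses the positional `domain_name` parameter and `install/tools/ipa-adtrust-install` is updated to match, but because the remaining arguments (`netbios_name`, `reset_netbios_name`, `rid_base`, `secondary_rid_base`, ...) are passed positionally, any other caller not updated in this patch will have every argument shifted by one without a TypeError. Grep for other `setup(` call sites on `ADTRUSTInstance`, and consider keyword arguments at the call site so a future mismatch fails loudly.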
>> @@ -32,10 +32,10 @@ import six >> >> from ipaserver.install import service >> from ipaserver.install import installutils >> -from ipaserver.install.bindinstance import get_rr, add_rr, del_rr, \ >> - dns_zone_exists >> +from ipaserver.install.bindinstance import dns_zone_exists > Is dns_zone_exists still used in adtrustinstance? Why? To keep consistency with error message, and to distinguish between states when only to list records is required VS records should be updated manually and print errors >> from ipaserver.install.replication import wait_for_task >> from ipalib import errors, api >> +from ipalib.dns_data_management import IPASystemRecords >> from ipalib.util import normalize_zone >> from ipapython.dn import DN >> from ipapython import sysrestore >> @@ -580,17 +580,6 @@ class ADTRUSTInstance(service.Service): >> """ >> >> zone = api.env.domain >> - host_in_rr = normalize_zone(self.fqdn) >> - >> - priority = 0 >> - >> - ipa_srv_rec = ( >> - ("_ldap._tcp", [self.srv_rec(host_in_rr, 389, priority)], 389), >> - ("_kerberos._tcp", [self.srv_rec(host_in_rr, 88, priority)], 88), >> - ("_kerberos._udp", [self.srv_rec(host_in_rr, 88, priority)], 88), >> - ) >> - win_srv_suffix = (".Default-First-Site-Name._sites.dc._msdcs", >> - ".dc._msdcs") >> >> err_msg = None 
>> >> @@ -610,27 +599,15 @@ class ADTRUSTInstance(service.Service): >> self.print_msg(err_msg) >> self.print_msg("Add the following service records to your DNS " \ >> "server for DNS zone %s: " % zone) >> - for suff in win_srv_suffix: >> - for srv in ipa_srv_rec: >> - self.print_msg("%s%s IN SRV %s" % (srv[0], suff, " ".join(srv[1]))) >> - self.print_msg("") >> - return >> - >> - for (srv, rdata, port) in ipa_srv_rec: >> - cifs_rdata = list() >> - for fqdn in self.cifs_hosts: >> - cifs_srv = self.srv_rec(fqdn, port, priority) >> - cifs_rdata.append(cifs_srv) >> - cifs_rdata.extend(rdata) >> - >> - for suff in win_srv_suffix: >> - win_srv = srv+suff >> - win_rdata = get_rr(zone, win_srv, "SRV") >> - if win_rdata: >> - for rec in win_rdata: >> - del_rr(zone, win_srv, "SRV", rec) >> - for rec in cifs_rdata: >> - add_rr(zone, win_srv, "SRV", rec) >> + system_records = IPASystemRecords(api) >> + adtrust_recors = system_records.get_base_records( >> + [self.fqdn], ["AD trust controller"], >> + include_master_role=False, include_kerberos_realm=False) >> + for r_name, node in adtrust_recors.items(): >> + for rec in IPASystemRecords.records_list_from_node(r_name, node): >> + self.print_msg(rec) >> + else: >> + api.Command.dns_update_system_records() >> >> def __configure_selinux_for_smbd(self): >> try: >> -- 2.5.5 >> >> >> freeipa-mbasti-0513-DNS-Locations-server-mod-add-automatic-records-updat.patch >> >> >> From cd2f01d1df07b338ca31fdadd9e053979cb3e67b Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Mon, 13 Jun 2016 13:32:25 +0200 >> Subject: [PATCH 11/11] DNS Locations: server-mod: add automatic records update >> >> For any location or server weight change is required to update records >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ipalib/messages.py | 10 ++++++++++ >> ipaserver/plugins/server.py | 8 ++++++++ >> 2 files changed, 18 insertions(+) 
>> >> diff --git a/ipalib/messages.py b/ipalib/messages.py >> index e863bdd495b55921c9e487794f5c9573a6166038..fcb86b38561d0f4a269b459080b81b6e9b58b93e 100644 >> --- a/ipalib/messages.py >> +++ b/ipalib/messages.py >> @@ -395,6 +395,16 @@ class DNSForwardPolicyConflictWithEmptyZone(PublicMessage): >> ) >> >> >> +class SystemDNSRecordsUpdateFailed(PublicMessage): >> + errno = 13022 >> + type = "warning" >> + format = _( >> + "Automatic update of DNS system records failed with error: %(emsg)s. " >> + "Please re-run update of system records manually to get list of " >> + "missing records." >> + ) >> + >> + >> def iter_messages(variables, base): >> """Return a tuple with all subclasses >> """ >> diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py >> index eb40b97ad22b95a2054b6280140e48973b1ec229..23901e3daf36312d38a51d1b0964644793065c1d 100644 >> --- a/ipaserver/plugins/server.py >> +++ b/ipaserver/plugins/server.py 
>> @@ -232,6 +232,14 @@ class server_mod(LDAPUpdate): >> assert isinstance(dn, DN) >> self.obj.convert_location(entry_attrs, **options) >> self.obj.get_enabled_roles(entry_attrs) >> + >> + if 'ipalocation' or 'ipalocationweight' in entry_attrs: >> + result = self.api.Command.dns_update_system_records() >> + if not result.get('value'): >> + self.add_message(messages.SystemDNSRecordsUpdateFailed( >> + emsg=result.get('summary', _("Unknown error")) >> + )) >> + >> return dn >> >> >> -- 2.5.5 > > Besides nits above it seems good. I will test it tomorrow when you send next > version of patches. > Hydra patching: Updated patches attached + new patches for dnsserver-* commands attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0503.2-DNS-Locations-add-index-for-ipalocation-attribute.patch Type: text/x-patch Size: 1662 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0504.2-DNS-Locations-fix-location-del.patch Type: text/x-patch Size: 1021 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0505.2-DNS-Locations-add-idnsTemplateObject-objectclass.patch Type: text/x-patch Size: 3849 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0506.2-DNS-Locations-DNS-data-management.patch Type: text/x-patch Size: 15962 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0507.2-DNS-Locations-permission-allow-to-read-status-of-ser.patch Type: text/x-patch Size: 3707 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
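Review bot: in the ADTRUSTInstance.setup() hunk at the top of the quoted series, dropping the `domain_name` positional parameter (and the `self.domain_name = domain_name` assignment) shifts every positional argument that follows `realm_name`; confirm that all callers of setup() are updated in the same patch and that nothing else in adtrustinstance.py still reads `self.domain_name`, otherwise the call sites will silently bind `netbios_name` to the old `domain_name` slot.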
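Review bot: in the import hunk of adtrustinstance.py (patch 0512), `normalize_zone` stays imported although its only visible use, `host_in_rr = normalize_zone(self.fqdn)`, is deleted further down in the same patch; drop the import if there is no other caller, so the module does not keep a dead dependency on ipalib.util for this purpose.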
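Review bot: in the hunk that replaces the manual SRV handling in adtrustinstance.py (patch 0512), `adtrust_recors` is misspelled and should be `adtrust_records`, and because the early `return` after printing the records is removed, the `else:` that calls `api.Command.dns_update_system_records()` must hang off the `if err_msg:` branch and not off the inner `for` loop; with a for/else the update would run right after listing the records in the very case where the zone cannot be updated.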
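Review bot: in the messages.py hunk (patch 0513), `SystemDNSRecordsUpdateFailed` tells the administrator to "re-run update of system records manually" without naming the command; include the command (the `dns_update_system_records` command this series adds) in the format string so the warning is actionable on its own.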
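Review bot: in the server_mod hunk, `if 'ipalocation' or 'ipalocationweight' in entry_attrs:` is always true, because the non-empty string `'ipalocation'` is truthy on its own and only `'ipalocationweight'` is actually tested against `entry_attrs`; write `if 'ipalocation' in entry_attrs or 'ipalocationweight' in entry_attrs:`. As written, dns_update_system_records() runs on every server-mod call, including ones that touch neither attribute.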
Name: freeipa-mbasti-0508.2-DNS-Locations-add-ACI-for-template-attribute.patch Type: text/x-patch Size: 8605 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0509.2-DNS-Locations-command-dns-update-system-records.patch Type: text/x-patch Size: 10753 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0510.2-DNS-Locations-use-dns_update_service_records-in-inst.patch Type: text/x-patch Size: 11681 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0511.2-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch Type: text/x-patch Size: 4112 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0512.2-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch Type: text/x-patch Size: 3575 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0513.2-DNS-Locations-server-mod-add-automatic-records-updat.patch Type: text/x-patch Size: 1958 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0515.1-DNS-Locations-dnsservers-add-required-objectclasses.patch Type: text/x-patch Size: 4547 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0516.1-DNS-Locations-dnsserver-commands.patch Type: text/x-patch Size: 24369 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbasti-0517.1-DNS-Locations-dnsserver-put-server_id-option-into-na.patch Type: text/x-patch Size: 7373 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0518.1-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch Type: text/x-patch Size: 3434 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0519.1-DNS-Locations-dnsserver-remove-config-when-replica-i.patch Type: text/x-patch Size: 1275 bytes Desc: not available URL: From pvomacka at redhat.com Tue Jun 14 19:41:43 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 14 Jun 2016 21:41:43 +0200 Subject: [Freeipa-devel] [PATCH] 0018-0030, 52 webui: add support for more certificates In-Reply-To: References: <571F520B.2000501@redhat.com> <571F58E7.1070703@redhat.com> <571F79E2.2000106@redhat.com> Message-ID: On 05/13/2016 06:56 PM, Petr Vobornik wrote: > On 04/26/2016 04:23 PM, Pavel Vomacka wrote: >> Self-NACK for patches 0027, 28, 29, 30 - used incorrect policy. I also attach >> all patches which were not changed - it is easier to get the whole patchset. >> >> On 04/26/2016 02:02 PM, Pavel Vomacka wrote: >>> I forgot to mention that my patches require patches from : >>> https://www.redhat.com/archives/freeipa-devel/2016-April/msg00209.html >>> >>> >>> On 04/26/2016 01:33 PM, Pavel Vomacka wrote: >>>> Hello, >>>> >>>> the attached patches add support for more certificates and the ability to add and >>>> remove certificates. Fixes these two tickets: >>>> https://fedorahosted.org/freeipa/ticket/5108 >>>> https://fedorahosted.org/freeipa/ticket/5381 >>>> >>>> These patches add the ability to view, get, download, revoke, restore and delete >>>> each certificate directly from the user/host/service details page. There is also a >>>> button for adding new certificates. >>>> >>>> There is one known issue, that after the page save action is performed some data >>>> disappear (including certificates). This issue has a ticket already: >>>> https://fedorahosted.org/freeipa/ticket/5776 >>>> >>>> -- >>>> Pavel^3 Vomacka >>>> > Great stuff, a couple of comments below. > > We can discuss some items in person. Not everything needs to be done. > > I didn't run it, just reading the code. > > Patch 0018: > > 1. Nit pick: When a value should be boolean, then the following method won't > make sure that dropdown_menu won't be e.g. an object. > + that.dropdown_menu = spec.dropdown_menu || false; > > I would prefer: > + that.dropdown_menu = !!spec.dropdown_menu; > > Which retypes it to boolean. 
If default should be true (not this case) then: > that.dropdown_menu = spec.dropdown_menu !== undefined ? > !!spec.dropdown_menu : true; > > Also the interface is very specific. It says that the child widget will > have a dropdown menu. What if the actions won't be in a dropdown menu but, > e.g., some overlay menu. > > Imho the interface should be: > > that.custom_actions = !!spec.custom_actions; > > Then the child object would define, e.g.: > > action_object get_custom_actions() > > Interface of action_object would be e.g.: > get_items() > set_items(items) > enable_item(name) > disable_item(name) > > Dropdown menu would have to define these methods. > > Patch 0019: > > 1. Shouldn't disable_item or enable_item automatically rerender the items? > > 2. The rerender, used in later patches. Imo it should do only: > > if (this.ul_node) { > construct.empty(this.ul_node); > this._render_items(this.items); > } > > Or just re-render the one item. > $( "li[data-name=" + item.name +"]", this.ul_node ).replaceWith( > this._render_item(item)); > > 3. in future for loops write: > for (var i=0, l=this.items.length; i<l; i++) > instead of > for (var i=0; i<this.items.length; i++) > > It's defensive style when you don't know if computing length is O(1) or > O(n) or how big n is. In this instance it probably doesn't matter. > > Patch 0020: > > 1. Working widget inherits from IPA.widget so why do you redefine > 'name', 'facet', 'entity' > > 2. why do you introduce 'base_cls' and 'other_cls' when there are > 'base_css_class' and 'css_class'? > > 3. typo in comment 'opaciti' > > 4. We can ignore IE < 9, I'm not sure if you avoid using some features > because of IE9. > > 5. _normalize_bg_color_css could be moved to util.js But I wonder if we > need it. rgba is supported in 95% of browsers and definitely in all > supported by IPA (chrome, firefox). > > Patch 0021: > > 1. The original code is not great - RPC code should be agnostic to the > display layer. 
Ideally it would not call methods like > IPA.hide_activity_icon(); and IPA.display_activity_icon(); > > I would rather avoid adding more of such things there and would refactor > now, when it is easy. > > IMO the rpc class could use the Evented mixin and have: > 4 local events: start, end, success, error > 2 global topics: rpc-start, rpc-end > > Local events will be new - they will replace notify_activity_start and > notify_activity_end. For convenience, the spec object could accept > handlers in a similar fashion as now. The handlers would be registered to > the events. > > Global topics would replace the current IPA.hide_activity_icon(); and > IPA.display_activity_icon(); > > The App class would subscribe to the global events and do stuff (hide|show) > accordingly. Example of such a subscription: > topic.subscribe('phase-error', lang.hitch(this, this.on_phase_error)); > > Then hide_activity_icon could be something like notify_global with > default true which can be suppressed by setting it to false. > > What do you think? > > Patch 0022: > > 1. Leftover line: > var sn = record[i].serial_number; > > Patch 0023: > > 1. move the css code from ipa.css to layout.less? > > 2. Did you mean "display: table"? > display: cert-table; > > 3. Why are create_layout, create_row and create_cell private methods of > create_content? It would make sense to create a table dialog mixin > (similar to the confirm mixin) and use the same code in all cert dialogs (if > applicable). > > 4. 'table-head' class is used in every cell. Why is it called 'head' when > it is in fact in all cells? > > Patch 0024: > > Will require changes described in patch 21 (rpc). > > 1. should the methods rather have params: serial_number and > revocation_reason, instead of certificate (maybe ok) and dialog (not ok)? > That way it would be more general/reusable. > > Patch 0025: ACK > > Patch 0026: > > 1. Add link uses exactly the same code as in multivalued_widget. 
The code > should be moved to a method: create_add_link(container) and then reused. > new_row would be overridden and it would call open_addcert_dialog or > open_addcert_dialog renamed to new_row. > > 2. it can have a spec default: > spec.dropdown_menu = spec.dropdown_menu !== undefined ? > spec.dropdown_menu : true; > > And then it doesn't have to be defined in patches 28, 29, 30. > > > Patch 0027: > > 1. Why is the download action name a 'that.data_url' ? > > 2. the dropdown_menu -> custom_actions change > > 3. "that.certificate &&" is not required, it will always be true > that.certificate = $.extend({}, certificate); > > if (that.certificate && that.certificate.revoked !== 'undefined') { > that.get_cert_revoke_status(); > } > > 4. update_link is a weird name for a method which updates data in a table > > 5. "that.update_link = function(r)", "r" shouldn't be there > > 6. The following doesn't look future proof: > """ > that.get_cert_revoke_status = function() { > // Double check whether the certificate is issued by our CA. > var issuer = 'CN=' + that.ipa_issuer_commonname + ',' + > that.ipa_issuer_subjbase; > if (that.certificate.issuer !== issuer) return; > """ > Would check it with Fraser > > 7. in handle_revocation_reason, useless call: > var dd_menu = that.get_dropdown_menu(); > > 8. in compose_dialog_title, there is a check for `cert.subject`; if true > it sets `cn`, `o`. But if false then the values are `undefined` which > are then used in the r.replace calls. Is it intended? > > Patch 0028: > Looks OK, "dropdown_menu: true" doesn't have to be there as mentioned > earlier > > Will test later. > > Patch 0029: > > 1. What about extending value_state_evaluator with adapter and param > property. So that it would use the standard adapter by default and every > child could use its own? IMO other parts of the UI could use it as well. > The reason why it doesn't use an adapter already is that adapters were > introduced later. 
> > It would simplify both definitions + the definitions in patch 30. > > Patch 0030: > > Same as patch 0029. Thank you for the review. I fixed everything, only the rpc code isn't changed. I will do it later in a separate patch. These patches require jcholast's patches 551.2, 552.2, 623, 624 (which require ftweedal's Sub-CA patches) and WebUI patches for Sub-CAs (because of download functionality). Edited and rebased patches are attached. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0018-2-Add-support-for-custom-menu-in-multivalued-widget.patch Type: text/x-patch Size: 4759 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0019-2-Extends-functionality-of-DropdownWidget.patch Type: text/x-patch Size: 2149 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0020-2-Add-working-widget.patch Type: text/x-patch Size: 3236 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0021-2-Add-ability-to-turn-off-activity-icon.patch Type: text/x-patch Size: 3385 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0022-2-Add-Object-adapter.patch Type: text/x-patch Size: 2275 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0023-2-Refactored-certificate-view-and-remove-hold-dialog.patch Type: text/x-patch Size: 15981 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pvomacka-0024-2-Changed-the-way-how-to-handle-remove-hold-and-revoke.patch Type: text/x-patch Size: 4884 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0025-2-Remove-old-useless-actions-get-and-view.patch Type: text/x-patch Size: 1158 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0026-2-Add-widget-for-showing-multiple-certificates.patch Type: text/x-patch Size: 11403 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0027-3-Add-certificate-widget.patch Type: text/x-patch Size: 17600 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0028-3-Add-new-certificates-widget-to-the-user-details-page.patch Type: text/x-patch Size: 2411 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0029-3-Add-new-certificates-widget-to-the-host-details-page.patch Type: text/x-patch Size: 5709 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0030-3-Add-new-certificates-widget-to-the-service-details-p.patch Type: text/x-patch Size: 3537 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0052-Updated-certificates-table.patch Type: text/x-patch Size: 1546 bytes Desc: not available URL: From simo at redhat.com Tue Jun 14 21:25:12 2016 
From: simo at redhat.com (Simo Sorce) Date: Tue, 14 Jun 2016 17:25:12 -0400 Subject: [Freeipa-devel] Using JSON for tlog config files In-Reply-To: References: Message-ID: <1465939512.9981.2.camel@redhat.com> On Tue, 2016-06-14 at 16:40 +0300, Nikolai Kondrashov wrote: > Hi everyone, > > Although this was mentioned several times before, I'd like to bring additional > attention to the idea of using config files written in JSON for tlog, because > there were some concerns over that being appropriate. What was the reasoning behind this questioning ? In order to understand whether json is appropriate I need to ask who do you think will be the primary user of the configuration file. - Is it going to be mainly sysadmins manually setting things up ? - Is this going to be something that may need to be templated and delivered via things like puppet ansible ? - Is it going to be a file generated by some other program (like sssd or similar) based on rules stored in a central system ? The answer to these questions will help understanding what format is better suited. Simo. > Tlog is a terminal I/O recording package [1], with primary purpose of sending > the recordings as JSON-formatted log messages to ElasticSearch. For the > purpose of reading what it wrote, it links with json-c. > > At this moment both of tlog programs (tlog-rec and tlog-play) expect their > global configuration to be in JSON, with comments allowed. See the default > configurations attached. Plus, tlog-rec accepts an environment variable, > containing the whole, or a part of the configuration to (partially) override > the global one. That is also in JSON. Tlog uses the same json-c to parse all > of these. Internally, tlog uses json-c structures to pass around and merge the > configurations. > > The question is, should the global tlog configuration, located in > /etc/tlog/tlog-rec.conf and /etc/tlog/tlog-play.conf, be in JSON, or should it > be something else? 
> > The cons I heard so far: > > * Administrators don't expect to find JSON in /etc. > * JSON is a fragile format. > > The pros I'd like to present: > > * Administrators setting up tlog are expected to also be familiar with > ElasticSearch, which tlog targets as the storage. ElasticSearch speaks > JSON exclusively and is configured using either YAML or JSON. So, the > administrators should be largely familiar with it. > > * Although JSON uses explicit and rigid syntax, such as quoting and > prohibited trailing commas, it is still easy to read, and its > specification is succinct and easy to learn: http://json.org/ > > * Tlog is already linked with json-c, to read what it wrote, and > reusing it for configuration reading avoids adding another dependency. > > Overall, I consider the present situation a good compromise between > smaller/simpler code and reduced dependencies vs. familiarity and ease of > editing and reading for administrators. > > The alternatives presented so far are YAML and INI. I'll list each of their > pros and cons, as I see them. > > YAML > > Pros > > * Has a subset of syntax (sufficient for our purposes), which is easy to > read and write, doesn't require quoting, not critical to commas and > other separators. > * Has an official specification. > > Cons > > * Requires an additional dependency to be used in tlog. > * Only one implementation in C. > * Uses significant whitespace, which is easier to overlook than explicit > syntax. > * *Sometimes* requires quoting to enforce value type, which is easy to > overlook. E.g. an all-digits string requires quoting, otherwise it is > considered a number. > * Although well-defined, the specification is long and complicated: > http://www.yaml.org/spec/1.2/spec.html This makes it hard to fully > understand the language and be proficient at it. > * In an attempt to make the language as human-readable as possible, made > it actually harder for humans to write, in some cases. 
> * Has too many features, complicating parsers, leading to harder to use > APIs, and more bugs. > > INI > > Pros > > * Familiar, already used by sister projects: SSSD, Kerberos, Samba, etc. > * Light, simple syntax > > Cons > > * Requires additional dependency to be used in tlog. > * No official specification, lots of variance in the field: > https://en.wikipedia.org/wiki/INI_file#Varying_features > This requires explicit description of the actually used syntax in > the program manuals. I.e. it cannot simply link to a specification. > Administrators have to discover which flavor to use. This will become > worse if we'll implement storing (a subset of) tlog-rec configuration > in LDAP verbatim, as suggested so far, because the documentation for the > format will be less discoverable for the person editing the directory. > * Cannot be written without newlines, in a single line. This will make > overriding configuration with an environment variable in tlog-rec harder > to use. I.e. the environment variable value will have to contain > newlines, or instead refer to a file containing the configuration. > * No escaping for special characters, multiline value support is patchy > (not present at all in dinglibs). This will limit the ways to specify > the recording notice presented to the users at the start of tlog-rec. > > > Your own pros/cons, and suggestions for other formats to use are welcome! > Thank you for your attention. > > Nick > > [1]: https://github.com/Scribery/tlog -- Simo Sorce * Red Hat, Inc * New York From ftweedal at redhat.com Wed Jun 15 02:02:59 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 15 Jun 2016 12:02:59 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <48810984-37b5-7940-198f-f1845ccfe87d@redhat.com> References: <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> <20160614025539.GX4744@dhcp-40-8.bne.redhat.com> <48810984-37b5-7940-198f-f1845ccfe87d@redhat.com> Message-ID: <20160615020259.GD4744@dhcp-40-8.bne.redhat.com> On Tue, Jun 14, 2016 at 03:21:24PM +0200, Martin Babinsky wrote: > On 06/14/2016 04:55 AM, Fraser Tweedale wrote: > > On Tue, Jun 14, 2016 at 02:19:27AM +1000, Fraser Tweedale wrote: > > > On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote: > > > > > > > > > > > > > > Hi Fraser, > > > > > > > > > > > > > > during functional review I found the following issues: > > > > > > > > > > > > > > 1.) > > > > > > > > > > > > > > If I create a CAACL rule tied to a specific sub-CA let's say for user > > > > > > > certificate issuance: > > > > > > > > > > > > > > """ > > > > > > > ipa caacl-show user_cert_issuance > > > > > > > Enabled: TRUE > > > > > > > User category: all > > > > > > > CAs: user_sub_ca > > > > > > > Profiles: caIPAuserCert > > > > > > > ACL name: user_cert_issuance > > > > > > > > > > > > > > """ > > > > > > > > > > > > > > I can still happily request certificate for a user using root-CA: > > > > > > > > > > > > > > """ > > > > > > > ipa cert-request cert.csr --principal jdoe --ca ipa > > > > > > > Certificate: MIID9j.../Ov8mkjFA== > > > > > > > Subject: CN=jdoe,O=IPA.TEST > > > > > > > Issuer: CN=Certificate Authority,O=IPA.TEST > > > > > > > ... 
> > > > > > > """ > > > > > > > > > > > > > > should not this be denied by CA-ACL rule? > > > > > > > > > > > > > > The default IPA CAACL rule is like this: > > > > > > > > > > > > > > """ > > > > > > > ipa caacl-show hosts_services_caIPAserviceCert > > > > > > > Enabled: TRUE > > > > > > > Host category: all > > > > > > > Service category: all > > > > > > > Profiles: caIPAserviceCert > > > > > > > ACL name: hosts_services_caIPAserviceCert > > > > > > > > > > > > > > """ > > > > > > > > > > > > > > so the default rule should not allow users to request certs at all. > > > > > > > > > > > > > Yes, these should be denied. Looking into it. > > > > > > > > > > > Were you using the 'admin' account to request the cert? admin has > > > > > the permission 'Request Certificate ignoring CA ACLs' via the > > > > > 'Certificate Manager' privilege. > > > > > > > > > > If so, please try again with fewer privileges (e.g. self-service as > > > > > jdoe). > > > > > > > > > > > > > You were right; when I was requesting certs as the user principals themselves > > > > everything worked as expected. > > > > > > > > Regarding sub-CAs not present on the replica, both machines run the following > > > > version of dogtag CA: > > > > > > > > pki-ca-10.3.2-3.fc24.noarch > > > > > > > > Here are the last 256 lines of the debug log: > > > > > > > > http://paste.fedoraproject.org/378512/65828332 > > > > > > > Thanks for that. It seems there are two issues. The first one is: > > > > > > Unable to read key retriever class from CS.cfg: Property > > > features.authority.keyRetrieverClass missing value > > > > > > This happens only on the replica, until the first restart of Dogtag > > > after installation. I have attached a patch to fix it. > > > > > > The second issue is: > > > > > > Failed to update certificate > > > > > > > > > This needs to be fixed in Dogtag, however, the error is not > > > triggered if the key retrieval succeeds when the replica first > > > observes the addition of a new CA. 
The attached patch does help in > > > this regard, so apply it and I hope it will see you through the rest > > > of the functional testing of my patches... I hope. > > > > > > Thank you for testing! > > > > > > Cheers, > > > Fraser > > > > > Rebased patches attached (VERSION conflicts; no other changes). > > > > Thanks Fraser, > > the certificate issuance by sub-CA now also works on the replica, but I must > first restart PKI for it to pick up stuff from the master CA. > > If I set up a replica first and then create a sub-CA on the master, Dogtag picks > this up and uses the new sub-CA and its key for signing without a restart. > > This seems to be a pure Dogtag issue, however, and I concluded that the IPA side > works ok. > > If no one objects then I would give functional ACK to your patches and > document/track the Dogtag issue in a separate ticket. > Thanks Martin, The Dogtag ticket is https://fedorahosted.org/pki/ticket/2359. The fix is merged and will go out in 10.3.3 this week or early next week. Cheers, Fraser From jcholast at redhat.com Wed Jun 15 05:30:26 2016 
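Added example, mine rather than FreeIPA's own code: a simplified model of the CA ACL decision Martin and Fraser work through above, reproducing why jdoe's request against the root CA `ipa` is denied, why the same request against `user_sub_ca` is allowed, and why the test as admin succeeded anyway. It assumes the default host/service ACL covers the root CA `ipa` (the quoted listing shows no CAs line), and the host principal name is constructed.

```python
"""Simplified model of FreeIPA CA ACL evaluation (constructed for illustration;
this is not FreeIPA's implementation)."""
from dataclasses import dataclass, field

# Permission named in the thread; holders bypass CA ACL evaluation.
IGNORE_CAACL_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass
class CAACL:
    """One CA ACL rule: which principals may use which profiles on which CAs."""
    name: str
    profiles: frozenset
    cas: frozenset
    enabled: bool = True
    # Principal kinds ("user", "host", "service") whose category is "all".
    categories_all: frozenset = frozenset()
    # Explicit members per principal kind, e.g. {"user": {"jdoe"}}.
    members: dict = field(default_factory=dict)

    def matches(self, principal, kind, ca, profile):
        """True if this rule permits `principal` to use `profile` on `ca`."""
        if not self.enabled:
            return False
        in_category = kind in self.categories_all
        in_members = principal in self.members.get(kind, set())
        if not (in_category or in_members):
            return False
        return ca in self.cas and profile in self.profiles


def is_request_allowed(principal, kind, ca, profile, acls,
                       permissions=frozenset()):
    """Decide a cert-request; returns (allowed, reason).

    The bypass permission is checked first: that is why the reviewer's test
    as 'admin' (Certificate Manager privilege) succeeded against the root CA
    although no ACL permits users there.
    """
    if IGNORE_CAACL_PERMISSION in permissions:
        return True, "bypass: principal holds '%s'" % IGNORE_CAACL_PERMISSION
    for acl in acls:
        if acl.matches(principal, kind, ca, profile):
            return True, "allowed by CA ACL '%s'" % acl.name
    return False, "no CA ACL allows %s '%s' to use profile %s on CA %s" % (
        kind, principal, profile, ca)


# The two rules quoted from `ipa caacl-show` in the thread.
USER_CERT_ISSUANCE = CAACL(
    name="user_cert_issuance",
    profiles=frozenset({"caIPAuserCert"}),
    cas=frozenset({"user_sub_ca"}),
    categories_all=frozenset({"user"}),
)
# Assumption: the default rule is taken to cover the root CA "ipa"; the
# listing quoted in the thread shows no CAs line for it.
HOSTS_SERVICES_DEFAULT = CAACL(
    name="hosts_services_caIPAserviceCert",
    profiles=frozenset({"caIPAserviceCert"}),
    cas=frozenset({"ipa"}),
    categories_all=frozenset({"host", "service"}),
)
ACLS = (USER_CERT_ISSUANCE, HOSTS_SERVICES_DEFAULT)


def demo():
    """Replay the requests discussed in the thread; returns the verdicts."""
    cases = [
        # (principal, kind, --ca, profile, permissions); host name is constructed
        ("jdoe", "user", "ipa", "caIPAuserCert", frozenset()),
        ("jdoe", "user", "user_sub_ca", "caIPAuserCert", frozenset()),
        ("admin", "user", "ipa", "caIPAuserCert",
         frozenset({IGNORE_CAACL_PERMISSION})),
        ("host/web.ipa.test", "host", "ipa", "caIPAserviceCert", frozenset()),
    ]
    verdicts = []
    for principal, kind, ca, profile, perms in cases:
        allowed, reason = is_request_allowed(
            principal, kind, ca, profile, ACLS, perms)
        verdicts.append(allowed)
        print("%-18s --ca %-12s %-17s -> %s (%s)" % (
            principal, ca, profile, "ALLOW" if allowed else "DENY", reason))
    return verdicts


if __name__ == "__main__":
    demo()
```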
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 15 Jun 2016 07:30:26 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <20160615020259.GD4744@dhcp-40-8.bne.redhat.com> References: <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> <20160614025539.GX4744@dhcp-40-8.bne.redhat.com> <48810984-37b5-7940-198f-f1845ccfe87d@redhat.com> <20160615020259.GD4744@dhcp-40-8.bne.redhat.com> Message-ID: On 15.6.2016 04:02, Fraser Tweedale wrote: > On Tue, Jun 14, 2016 at 03:21:24PM +0200, Martin Babinsky wrote: >> On 06/14/2016 04:55 AM, Fraser Tweedale wrote: >>> On Tue, Jun 14, 2016 at 02:19:27AM +1000, Fraser Tweedale wrote: >>>> On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote: >>>>>>>> >>>>>>>> Hi Fraser, >>>>>>>> >>>>>>>> during functional review I found the following issues: >>>>>>>> >>>>>>>> 1.) >>>>>>>> >>>>>>>> If I create a CAACL rule tied to a specific sub-CA let's say for user >>>>>>>> certificate issuance: >>>>>>>> >>>>>>>> """ >>>>>>>> ipa caacl-show user_cert_issuance >>>>>>>> Enabled: TRUE >>>>>>>> User category: all >>>>>>>> CAs: user_sub_ca >>>>>>>> Profiles: caIPAuserCert >>>>>>>> ACL name: user_cert_issuance >>>>>>>> >>>>>>>> """ >>>>>>>> >>>>>>>> I can still happily request certificate for a user using root-CA: >>>>>>>> >>>>>>>> """ >>>>>>>> ipa cert-request cert.csr --principal jdoe --ca ipa >>>>>>>> Certificate: MIID9j.../Ov8mkjFA== >>>>>>>> Subject: CN=jdoe,O=IPA.TEST >>>>>>>> Issuer: CN=Certificate Authority,O=IPA.TEST >>>>>>>> ... >>>>>>>> """ >>>>>>>> >>>>>>>> should not this be denied by CA-ACL rule? 
>>>>>>>> >>>>>>>> The default IPA CAACL rule is like this: >>>>>>>> >>>>>>>> """ >>>>>>>> ipa caacl-show hosts_services_caIPAserviceCert >>>>>>>> Enabled: TRUE >>>>>>>> Host category: all >>>>>>>> Service category: all >>>>>>>> Profiles: caIPAserviceCert >>>>>>>> ACL name: hosts_services_caIPAserviceCert >>>>>>>> >>>>>>>> """ >>>>>>>> >>>>>>>> so the default rule should not allow users to request certs at all. >>>>>>>> >>>>>>> Yes, these should be denied. Looking into it. >>>>>>> >>>>>> Were you using the 'admin' account to request the cert? admin has >>>>>> the permission 'Request Certificate ignoring CA ACLs' via the >>>>>> 'Certificate Manager' privilege. >>>>>> >>>>>> If so, please try again with fewer privileges (e.g. self-service as >>>>>> jdoe). >>>>>> >>>>> >>>>> You were right; when I was requesting certs as the user principals themselves >>>>> everything worked as expected. >>>>> >>>>> Regarding sub-CAs not present on the replica, both machines run the following >>>>> version of dogtag CA: >>>>> >>>>> pki-ca-10.3.2-3.fc24.noarch >>>>> >>>>> Here are the last 256 lines of the debug log: >>>>> >>>>> http://paste.fedoraproject.org/378512/65828332 >>>>> >>>> Thanks for that. It seems there are two issues. The first one is: >>>> >>>> Unable to read key retriever class from CS.cfg: Property >>>> features.authority.keyRetrieverClass missing value >>>> >>>> This happens only on the replica, until the first restart of Dogtag >>>> after installation. I have attached a patch to fix it. >>>> >>>> The second issue is: >>>> >>>> Failed to update certificate >>>> >>>> >>>> This needs to be fixed in Dogtag, however, the error is not >>>> triggered if the key retrieval succeeds when the replica first >>>> observes the addition of a new CA. The attached patch does help in >>>> this regard, so apply it and I hope it will see you through the rest >>>> of the functional testing of my patches... I hope. >>>> >>>> Thank you for testing! 
>>>> >>>> Cheers, >>>> Fraser >>>> >>> Rebased patches attached (VERSION conflicts; no other changes). >>> >> >> Thanks Fraser, >> >> the certificate issuance by sub-CA now works also on replica but I must >> first restart PKI for it to pick up stuff from master CA. >> >> If I set up a replica first and then create a sub-CA on master Dogtag picks >> this up and uses the new sub-CA and its key for signing without restart. >> >> This seems to be pure Dogtag issue, however and I concluded that IPA side >> works ok. >> >> If no one objects then I would give functional ACK to your patches and >> document/track the Dogtag issue in a separate ticket. Pushed to master: f0915e61986f545ad9b282fa90a4b1d0538829c5 >> > Thanks Martin, > > The Dogtag ticket is https://fedorahosted.org/pki/ticket/2359. Fix > is merged and will go out in 10.3.3 this week or early next week. Once released, please send a patch bumping the minimum version in our spec file. I'm leaving https://fedorahosted.org/freeipa/ticket/4559 open until the patch is merged. -- Jan Cholasta From ftweedal at redhat.com Wed Jun 15 06:28:36 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 15 Jun 2016 16:28:36 +1000 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: References: <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> <545d059b-df73-e7d1-9305-d69390321a68@redhat.com> <20160613131721.GS4744@dhcp-40-8.bne.redhat.com> <20160613133208.GT4744@dhcp-40-8.bne.redhat.com> <30a07efd-579d-9252-9aec-558bf656390f@redhat.com> <20160613161927.GU4744@dhcp-40-8.bne.redhat.com> <20160614025539.GX4744@dhcp-40-8.bne.redhat.com> <48810984-37b5-7940-198f-f1845ccfe87d@redhat.com> <20160615020259.GD4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160615062836.GE4744@dhcp-40-8.bne.redhat.com> On Wed, Jun 15, 2016 at 07:30:26AM +0200, Jan Cholasta wrote: > On 15.6.2016 04:02, Fraser Tweedale wrote: > > On Tue, Jun 14, 2016 at 03:21:24PM +0200, Martin Babinsky wrote: > > > On 06/14/2016 04:55 AM, Fraser Tweedale wrote: > > > > On Tue, Jun 14, 2016 at 02:19:27AM +1000, Fraser Tweedale wrote: > > > > > On Mon, Jun 13, 2016 at 04:35:54PM +0200, Martin Babinsky wrote: > > > > > > > > > > > > > > > > > > Hi Fraser, > > > > > > > > > > > > > > > > > > during functional review I found the following issues: > > > > > > > > > > > > > > > > > > 1.) 
> > > > > > > > > > > > > > > > > > If I create a CAACL rule tied to a specific sub-CA let's say for user > > > > > > > > > certificate issuance: > > > > > > > > > > > > > > > > > > """ > > > > > > > > > ipa caacl-show user_cert_issuance > > > > > > > > > Enabled: TRUE > > > > > > > > > User category: all > > > > > > > > > CAs: user_sub_ca > > > > > > > > > Profiles: caIPAuserCert > > > > > > > > > ACL name: user_cert_issuance > > > > > > > > > > > > > > > > > > """ > > > > > > > > > > > > > > > > > > I can still happily request certificate for a user using root-CA: > > > > > > > > > > > > > > > > > > """ > > > > > > > > > ipa cert-request cert.csr --principal jdoe --ca ipa > > > > > > > > > Certificate: MIID9j.../Ov8mkjFA== > > > > > > > > > Subject: CN=jdoe,O=IPA.TEST > > > > > > > > > Issuer: CN=Certificate Authority,O=IPA.TEST > > > > > > > > > ... > > > > > > > > > """ > > > > > > > > > > > > > > > > > > should not this be denied by CA-ACL rule? > > > > > > > > > > > > > > > > > > The default IPA CAACL rule is like this: > > > > > > > > > > > > > > > > > > """ > > > > > > > > > ipa caacl-show hosts_services_caIPAserviceCert > > > > > > > > > Enabled: TRUE > > > > > > > > > Host category: all > > > > > > > > > Service category: all > > > > > > > > > Profiles: caIPAserviceCert > > > > > > > > > ACL name: hosts_services_caIPAserviceCert > > > > > > > > > > > > > > > > > > """ > > > > > > > > > > > > > > > > > > so the default rule should not allow users to request certs at all. > > > > > > > > > > > > > > > > > Yes, these should be denied. Looking into it. > > > > > > > > > > > > > > > Were you using 'admin' account to request the cert? admin has > > > > > > > permission 'Request Certificate ignoring CA ACLs' via the > > > > > > > 'Certificate Manager' privilege. > > > > > > > > > > > > > > If so, please try again with less privileges (e.g. self-service as > > > > > > > jdoe). 
> > > > > > > > > > > > > > > > > > > You were right, when I was requesting certs as user principals themselves > > > > > > everything worked as expected. > > > > > > > > > > > > Regarding sub-CAs not present on replica, both machines run the following > > > > > > version of dogtag CA: > > > > > > > > > > > > pki-ca-10.3.2-3.fc24.noarch > > > > > > > > > > > > Here are the last 256 lines of the debug log: > > > > > > > > > > > > http://paste.fedoraproject.org/378512/65828332 > > > > > > > > > > > Thanks for that. It seems there are two issues. The first one is: > > > > > > > > > > Unable to read key retriever class from CS.cfg: Property > > > > > features.authority.keyRetrieverClass missing value > > > > > > > > > > This happens only on replica, until the first restart of Dogtag > > > > > after installation. I have attached a patch to fix it. > > > > > > > > > > The second issue is: > > > > > > > > > > Failed to update certificate > > > > > > > > > > > > > > > This needs to be fixed in Dogtag, however, the error is not > > > > > triggered if the key retrieval succeeds when the replica first > > > > > observes the addition of a new CA. The attached patch does help in > > > > > this regard, so apply it and I hope it will see you through the rest > > > > > of the functional testing of my patches... I hope. > > > > > > > > > > Thank you for testing! > > > > > > > > > > Cheers, > > > > > Fraser > > > > > > > > > Rebased patches attached (VERSION conflicts; no other changes). > > > > > > > > > > Thanks Fraser, > > > > > > the certificate issuance by sub-CA now works also on replica but I must > > > first restart PKI for it to pick up stuff from master CA. > > > > > > If I set up a replica first and then create a sub-CA on master Dogtag picks > > > this up and uses the new sub-CA and its key for signing without restart. > > > > > > This seems to be pure Dogtag issue, however and I concluded that IPA side > > > works ok. 
> > > > > > If no one objects then I would give functional ACK to your patches and > > > document/track the Dogtag issue in a separate ticket. > > Pushed to master: f0915e61986f545ad9b282fa90a4b1d0538829c5 > > > > > > Thanks Martin, > > > > The Dogtag ticket is https://fedorahosted.org/pki/ticket/2359. Fix > > is merged and will go out in 10.3.3 this week or early next week. > > Once released, please send a patch bumping the minimum version in our spec > file. I'm leaving https://fedorahosted.org/freeipa/ticket/4559 open until > the patch is merged. > Thanks; I've made note of this on the tracking etherpad: http://idm.etherpad.corp.redhat.com/rhel73-cert-mgmt-progress Design page has also been updated to clarify some command args, etc, and add Certmonger details. From mbabinsk at redhat.com Wed Jun 15 07:02:00 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Jun 2016 09:02:00 +0200 Subject: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter In-Reply-To: <20160614144526.4ktq5ji4r5y4arfw@redhat.com> References: <20160607164046.kgntyvj54bvubrce@redhat.com> <20160614144526.4ktq5ji4r5y4arfw@redhat.com> Message-ID: <70af3139-ca1c-cd10-d10b-1726ba1ee89b@redhat.com> On 06/14/2016 04:45 PM, Alexander Bokovoy wrote: > On Tue, 07 Jun 2016, Alexander Bokovoy wrote: >> Hi, >> >> `ipa trust-find' command should only show trusted forest root domains >> >> The child domains should be visible via >> >> ipa trustdomain-find forest.root >> >> The difference between forest root (or external domain) and child >> domains is that root domain gets ipaIDObject class to allow assigning a >> POSIX ID to the object. This POSIX ID is used by Samba when an Active >> Directory domain controller connects as forest trusted domain object. >> >> Child domains can only talk to IPA via forest root domain, thus they >> don't need POSIX ID for their TDOs. This allows us a way to >> differentiate objects for the purpose of 'trust-find' / >> 'trustdomain-find' commands. >> >> Fixes https://fedorahosted.org/freeipa/ticket/5942 >> > This patch needs review. > ACK. -- Martin^3 Babinsky From pvoborni at redhat.com Wed Jun 15 07:55:50 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 15 Jun 2016 09:55:50 +0200 Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role In-Reply-To: <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com> References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com> <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com> <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com> Message-ID: On 06/14/2016 07:28 PM, Martin Basti wrote: > > > On 14.06.2016 18:58, Martin Babinsky wrote: >> On 06/14/2016 05:06 PM, Martin Basti wrote: >>> >>> >>> On 12.06.2016 17:37, Martin Babinsky wrote: >>>> These two patches turn oft-neglected ntp service into a full fledged >>>> role whose status can be queried centrally. They should also enable >>>> generation of location-specific _ntp._udp records. >>>> >>>> Please note that NTP is LDAP-enabled by additional call after DS >>>> instance is configured. I was not feeling confident by swapping NTP >>>> and DS configuration steps as I was afraid it will break things. If >>>> not, I will happily update the patch accordingly. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5815 >>>> https://fedorahosted.org/freeipa/ticket/5826 >>>> >>>> >>>> >>> Hello, I have a few comments: >>> >>> Patch: 159 >>> 1) >>> + if ntp.is_configured(): >>> + ntp.ldap_enable('NTP', fqdn, None, base_dn) >>> + ntp.enable() >>> >>> All ipa services are in disabled state, ipactl starts them according >>> configuration in LDAP >>> IMO it should be something like: >>> ntp.disable() >>> if running: >>> ntp.start() >>> >>> 2) >>> could you upgrade NTP only once in upgrade.py? Use sysupgrade state >>> >>> 3) >>> + 'NTP': ('ntpd', 42), >>> I prefer 45, it is easier to put any service before NTP if needed >>> without huge renumbering >>> >>> >>> Patch 160: LGTM >>> >>> Martin^2 >>> >>> >> >> Right, attaching updated patches. 
>> > > Patches are good, but I'm curious if there is any chance for NTP to be > able synchronize time before replication on replica install. If no, IMO > better is to move NTP service configuration after dirserver to be able > to configure LDAP entry directly. > But if there is not time for this, I'm fine with opening ticket and > fixing it later. > > Martin^2 Isn't it already done during Client part of replica installation? -- Petr Vobornik From mbasti at redhat.com Wed Jun 15 07:57:11 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 09:57:11 +0200 Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role In-Reply-To: References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com> <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com> <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com> Message-ID: <355e2dca-d0d9-280c-c1fc-e5f3a15c6131@redhat.com> On 15.06.2016 09:55, Petr Vobornik wrote: > On 06/14/2016 07:28 PM, Martin Basti wrote: >> >> On 14.06.2016 18:58, Martin Babinsky wrote: >>> On 06/14/2016 05:06 PM, Martin Basti wrote: >>>> >>>> On 12.06.2016 17:37, Martin Babinsky wrote: >>>>> These two patches turn oft-neglected ntp service into a full fledged >>>>> role whose status can be queried centrally. They should also enable >>>>> generation of location-specific _ntp._udp records. >>>>> >>>>> Please note that NTP is LDAP-enabled by additional call after DS >>>>> instance is configured. I was not feeling confident by swapping NTP >>>>> and DS configuration steps as I was afraid it will break things. If >>>>> not, I will happily update the patch accordingly. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5815 >>>>> https://fedorahosted.org/freeipa/ticket/5826 >>>>> >>>>> >>>>> >>>> Hello, I have a few comments: >>>> >>>> Patch: 159 >>>> 1) >>>> + if ntp.is_configured(): >>>> + ntp.ldap_enable('NTP', fqdn, None, base_dn) >>>> + ntp.enable() >>>> >>>> All ipa services are in disabled state, ipactl starts them according >>>> configuration in LDAP >>>> IMO it should be something like: >>>> ntp.disable() >>>> if running: >>>> ntp.start() >>>> >>>> 2) >>>> could you upgrade NTP only once in upgrade.py? Use sysupgrade state >>>> >>>> 3) >>>> + 'NTP': ('ntpd', 42), >>>> I prefer 45, it is easier to put any service before NTP if needed >>>> without huge renumbering >>>> >>>> >>>> Patch 160: LGTM >>>> >>>> Martin^2 >>>> >>>> >>> Right, attaching updated patches. 
>>> >> Patches are good, but I'm curious if there is any chance for NTP to be >> able synchronize time before replication on replica install. If no, IMO >> better is to move NTP service configuration after dirserver to be able >> to configure LDAP entry directly. >> But if there is not time for this, I'm fine with opening ticket and >> fixing it later. >> >> Martin^2 > Isn't it already done during Client part of replica installation? > With domain level 1 yes, with domain level 0, no. From mbasti at redhat.com Wed Jun 15 08:01:52 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 10:01:52 +0200 Subject: [Freeipa-devel] [PATCH] 0045-47: webui: Sub-CAs In-Reply-To: References: <20160613045542.GL4744@dhcp-40-8.bne.redhat.com> <20160614044212.GZ4744@dhcp-40-8.bne.redhat.com> <873f84c1-a81e-3f69-2902-91f4759e2a49@redhat.com> Message-ID: <9038e86e-5f31-201a-70ff-b7fea76f6f58@redhat.com> On 14.06.2016 18:30, Petr Vobornik wrote: > On 06/14/2016 10:17 AM, Pavel Vomacka wrote: >> >> On 06/14/2016 06:42 AM, Fraser Tweedale wrote: >>> On Mon, Jun 13, 2016 at 07:48:58PM +0200, Pavel Vomacka wrote: >>>> On 06/13/2016 06:55 AM, Fraser Tweedale wrote: >>>>> On Fri, Jun 10, 2016 at 04:34:33PM +0200, Pavel Vomacka wrote: >>>>>> Hello, >>>>>> >>>>>> please review these new patches which add WebUI for Sub-CAs. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5939 >>>>>> >>>>> Hi Pavel, I have reviewed the functionality of the patches. >>>>> Functionality is good - a few minor comments below. >>>> Hello, thank you for review. >>>>> Patch 45: >>>>> >>>>> 1) In the main `Certificate Authorities' table, `Subject DN' is >>>>> showing the DN of the IPA object, instead of the Subject DN. >>>> Fixed. >>>>> 2) In the `Certificate Authorities' detail table, there is an >>>>> unlabelled row showing the DN of the IPA object. IMO we do not need >>>>> to show this value at all. >>>> The field removed. >>>>> Patch 46: >>>>> >>>>> 3) I see a FIXME in certificate.js. The behaviour (default to IPA >>>>> CA / 'ipa') is OK. Alternatively, you could allow the user to not >>>>> specify a CA (this will allow the default - currently 'ipa' - to be >>>>> controlled by server). >>>> FIXME comment removed. >>>>> Patch 47: >>>>> >>>>> 4) For backwards compatibility, a CA ACL without any specified CAs >>>>> (and not cacat=all) implies the 'ipa' CA. It would be good to >>>>> indicate this in the UI somehow, or include a notice to explain. 
>>>> I added tooltip next to the checkbox on adder dialog and also note >>>> above the >>>> table with CAs in CA ACL details view. >>>> >>> The message has a small typo: "specificed" should be "specified" >>> (the typo occurs in both places). >>> >>> Once this is fixed, ACK. >> Updated patches attached. > Also ACK from Web UI internals perspective. > > Patch 0045-2: ACK > > Patch 0046-2: ACK, could be split into two patches but don't bother... > > Patch 0047-3: ACK sub-CA patches were pushed, we can push this. Pushed to master: * 6e78169e3bc71c5ff3824e91cce8a0d6d9580d7a Add new webui plugin - ca * f4dd2446cd8b2c2a814c7bcb95415eb186b0a70f Extend certificate entity page * 5e5df4abf037161d9c9d9fd5e6051f861dff4bd1 Extend caacl entity From mbasti at redhat.com Wed Jun 15 08:05:27 2016 
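Two CA ACL behaviours come up in the threads above: the "Request Certificate ignoring CA ACLs" permission (held by admin through the 'Certificate Manager' privilege) bypasses CA ACL evaluation, which is why Martin's first test as admin succeeded, and Fraser's backwards-compatibility rule that an ACL naming no CAs (and not cacat=all) implies the 'ipa' CA. The following is an added illustration of both rules, not FreeIPA's own code; the class and function names are assumptions, and the rules, CA names and principals are constructed to mirror the `ipa caacl-show` output quoted in the thread.

```python
# Added example (not FreeIPA's own code): a simplified model of CA ACL
# evaluation as described in the thread. Names are constructed for this
# illustration; FreeIPA's real implementation lives in its cert/caacl plugins.
from dataclasses import dataclass, field
from typing import Optional, Set

IPA_CA = "ipa"  # the IPA root CA, selected with `--ca ipa`
# Permission granted by the 'Certificate Manager' privilege (and thus to admin).
BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"


@dataclass
class CAACL:
    """One CA ACL: who may request, from which CAs, with which profiles."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    ca_category: Optional[str] = None        # "all" (cacat=all) or None
    cas: Set[str] = field(default_factory=set)
    profile_category: Optional[str] = None   # "all" or None
    profiles: Set[str] = field(default_factory=set)

    def allows_principal(self, kind: str, name: str) -> bool:
        category, members = {
            "user": (self.user_category, self.users),
            "host": (self.host_category, self.hosts),
            "service": (self.service_category, self.services),
        }[kind]
        return category == "all" or name in members

    def allows_ca(self, ca: str) -> bool:
        if self.ca_category == "all":
            return True
        # Backwards compatibility: an ACL that lists no CAs and is not
        # cacat=all implies the 'ipa' CA.
        effective = self.cas or {IPA_CA}
        return ca in effective

    def allows_profile(self, profile: str) -> bool:
        return self.profile_category == "all" or profile in self.profiles

    def permits(self, kind: str, name: str, ca: str, profile: str) -> bool:
        return (self.enabled
                and self.allows_principal(kind, name)
                and self.allows_ca(ca)
                and self.allows_profile(profile))


def is_request_allowed(acls, requester_permissions, kind, name, ca, profile) -> bool:
    """Allow when the requester holds the bypass permission, else when any ACL permits."""
    if BYPASS_PERMISSION in requester_permissions:
        return True
    return any(acl.permits(kind, name, ca, profile) for acl in acls)


# Constructed rules mirroring the two ACLs shown in the thread.
DEFAULT_ACL = CAACL(
    name="hosts_services_caIPAserviceCert",
    host_category="all", service_category="all",
    profiles={"caIPAserviceCert"},        # no CAs listed -> implies 'ipa'
)
USER_ACL = CAACL(
    name="user_cert_issuance",
    user_category="all",
    cas={"user_sub_ca"}, profiles={"caIPAuserCert"},
)
ACLS = [DEFAULT_ACL, USER_ACL]
ADMIN_PERMISSIONS = {BYPASS_PERMISSION}
SELF_SERVICE_PERMISSIONS = set()   # jdoe requesting for themselves


if __name__ == "__main__":
    # The case from the thread: jdoe requesting from the root CA with --ca ipa.
    print(is_request_allowed(ACLS, SELF_SERVICE_PERMISSIONS,
                             "user", "jdoe", IPA_CA, "caIPAuserCert"))  # False
    print(is_request_allowed(ACLS, ADMIN_PERMISSIONS,
                             "user", "jdoe", IPA_CA, "caIPAuserCert"))  # True
```

Running it reproduces the thread: the same request is denied for a self-service user and allowed for admin, while a host requesting `caIPAserviceCert` from `ipa` still succeeds under the default rule only because of the implied-'ipa' compatibility behaviour.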
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 10:05:27 +0200 Subject: [Freeipa-devel] [PATCH] 0206 adtrust optimize forest root LDAP filter In-Reply-To: <70af3139-ca1c-cd10-d10b-1726ba1ee89b@redhat.com> References: <20160607164046.kgntyvj54bvubrce@redhat.com> <20160614144526.4ktq5ji4r5y4arfw@redhat.com> <70af3139-ca1c-cd10-d10b-1726ba1ee89b@redhat.com> Message-ID: On 15.06.2016 09:02, Martin Babinsky wrote: > On 06/14/2016 04:45 PM, Alexander Bokovoy wrote: >> On Tue, 07 Jun 2016, Alexander Bokovoy wrote: >>> Hi, >>> >>> `ipa trust-find' command should only show trusted forest root domains >>> >>> The child domains should be visible via >>> >>> ipa trustdomain-find forest.root >>> >>> The difference between forest root (or external domain) and child >>> domains is that root domain gets ipaIDObject class to allow assigning a >>> POSIX ID to the object. This POSIX ID is used by Samba when an Active >>> Directory domain controller connects as forest trusted domain object. >>> >>> Child domains can only talk to IPA via forest root domain, thus they >>> don't need POSIX ID for their TDOs. This allows us a way to >>> differentiate objects for the purpose of 'trust-find' / >>> 'trustdomain-find' commands. >>> >>> Fixes https://fedorahosted.org/freeipa/ticket/5942 >>> >> This patch needs review. >> > > ACK. > Pushed to master: 905db92e61c2e56f8cce723e9c9d28e7968eccc4 From pspacek at redhat.com Wed Jun 15 08:11:09 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 10:11:09 +0200 Subject: [Freeipa-devel] Another batch of Python 3 patches In-Reply-To: <951715715.48843327.1462459517282.JavaMail.zimbra@redhat.com> References: <951715715.48843327.1462459517282.JavaMail.zimbra@redhat.com> Message-ID: > master: > * f753ad322dfdd81907a309827bddfcb1e47917a7 test_xmlrpc: Use absolute imports > * 6406c7a5935e9fb9cd41af49f67d6200021b3574 xmlrpc_test: Rename exception instance before working with it > * 890f83b0bbd5ec03397e817ed1282fa66efab7da radiusproxy plugin: Use str(error) rather than error.message > * 095d0cb7afc3d404829d87bc894d8691be2228ef xmlrpc_test: Expect bytes rather than strings for binary attributes > * baaa041b8a272e43c99f00f69fc645a2e92216db ipalib.rpc: Send base64-encoded data as string under Python 3 > * 14aba1c7c16e3b4e6375305990fffbd86cefbfdd range plugin tests: Use bytes with MockLDAP under Python 3 > * bdee89001455825bfe2c7e820c6b2d651f1f45eb radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret > * 6ddf0d657f70eb03d17af2e63eb52d6ef33305be certprofile plugin: Use binary mode for file with binary data > * 20a6a42567f0fa21945f02aa58420c31bc0c9127 test_add_remove_cert_cmd: Use bytes for base64.b64encode() > > ipa-4-3: > * 5750c3ece9359ca5a1c9ddbbf727eb63862709ce test_xmlrpc: Use absolute imports > * ba3d77253a54e862249476e3d289ebf01f1a9f9a xmlrpc_test: Rename exception instance before working with it > * a514ebdc81548f37e5fedb7bb43ca7ddab473af8 radiusproxy plugin: Use str(error) rather than error.message > * 4c68bd671a89f3ddda0c09f9abffe0e1b87098cb xmlrpc_test: Expect bytes rather than strings for binary attributes > * 72fb2674117ee8c3c1cafa17512e524ea437f966 ipalib.rpc: Send base64-encoded data as string under Python 3 > * 8f637bc9b1343979a0ead7346a5b0d771f133420 range plugin tests: Use bytes with MockLDAP under Python 3 > * aa052a0976ce3ab643fd54a10bc5428711dd9b61 radiusproxy plugin tests: Expect bytes, not text, for 
ipatokenradiussecret > * ffb8fcc20848b570bff7a7776ad08d23ac882ff5 certprofile plugin: Use binary mode for file with binary data > * c009ea8a7622a567de2101d8577955942e67a44d test_add_remove_cert_cmd: Use bytes for base64.b64encode() I just found out one other nit: $ ipa help topics prints some commands as b'command' instead of plain command: $ ipa help topics automount b'automember' Auto Membership Rule. b'automount' Automount -- Petr^2 Spacek From jcholast at redhat.com Wed Jun 15 08:30:52 2016 
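The `b'automember'` output Petr reports is the classic Python 3 porting symptom: `str()` applied to a bytes value renders its repr instead of decoding it. The following is an added illustration of the bug beside its fix, not FreeIPA's own `ipa help` code; the function names and the sample topic list are constructed for this example.

```python
# Added example (not FreeIPA's own code): rendering a topic listing from names
# that may arrive as bytes or str. Under Python 3, str(b'automember') yields
# "b'automember'", which is the output reported in the thread.

def topic_name(name) -> str:
    """Return a text topic name from either bytes or str, decoding rather
    than stringifying bytes."""
    if isinstance(name, bytes):
        return name.decode("utf-8")
    if isinstance(name, str):
        return name
    raise TypeError(f"topic name must be bytes or str, got {type(name).__name__}")


def format_topics(topics, decode: bool = True):
    """Render (name, summary) pairs as a help listing.

    decode=False reproduces the broken behaviour (plain str() on the name);
    decode=True applies topic_name() so bytes names print cleanly.
    """
    lines = []
    for name, summary in topics:
        shown = topic_name(name) if decode else str(name)
        lines.append(f"{shown:<16}{summary}")
    return lines


# Constructed sample: names as bytes (the pre-port case) and as str.
SAMPLE_TOPICS = [
    (b"automember", "Auto Membership Rule."),
    (b"automount", "Automount"),
    ("cert", "Certificate operations (constructed summary)"),
]

if __name__ == "__main__":
    print("\n".join(format_topics(SAMPLE_TOPICS, decode=False)))  # shows b'...'
    print("\n".join(format_topics(SAMPLE_TOPICS)))                # clean names
```

The `TypeError` branch matters in a port: silently stringifying an unexpected type is how the `b'...'` prefix reached users in the first place, so the helper refuses anything that is neither bytes nor text.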
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 15 Jun 2016 10:30:52 +0200 Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del In-Reply-To: <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> Message-ID: <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> Hi, On 12.6.2016 17:31, Martin Babinsky wrote: > On 06/09/2016 08:12 PM, Martin Babinsky wrote: >> These patches expand `server_del` to a full fledged IPA master killer in >> domain level 1. >> >> Due to 'server uninstallation removed master from topology' use case, >> the individual steps are not in the same order as in the original code >> to facilitate self-removal from topology without introducing an array of >> permissions for master to remove itself. >> >> I had no opportunity to test out the CI test suite because of technical >> problems so it would be nice if our upstream QE could give it a spin and >> report errors. >> >> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >> https://fedorahosted.org/freeipa/ticket/5181 >> >> >> > Attaching rebased patches and bumping for review. > > Please note that they depend on 'Server Roles v2' patchset. Patch 0153: Should be an ipaserver module, unless it is required on clients as well, in which case it should be an ipalib module. Patch 0154: LGTM Patch 0155: In LDAPDelete subclasses, the primary key argument is multivalue, so I'm guessing your post_callback won't work correctly. Also, since this is *server*-del, s/master/server/ where applicable. Patch 0156: LGTM Patch 0157: This looks suspicious: + result = server_del_cmd(hostname, version=api_version, **options) Version is automatically filled in in Command.__call__(), why do you add it manually here? Patch 0158: LGTM Honza -- Jan Cholasta From abokovoy at redhat.com Wed Jun 15 08:45:41 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 15 Jun 2016 11:45:41 +0300 Subject: [Freeipa-devel] Another batch of Python 3 patches In-Reply-To: References: <951715715.48843327.1462459517282.JavaMail.zimbra@redhat.com> Message-ID: <20160615084541.3ljkwjvhttsufzks@redhat.com> On Wed, 15 Jun 2016, Petr Spacek wrote: >> master: >> * f753ad322dfdd81907a309827bddfcb1e47917a7 test_xmlrpc: Use absolute imports >> * 6406c7a5935e9fb9cd41af49f67d6200021b3574 xmlrpc_test: Rename exception instance before working with it >> * 890f83b0bbd5ec03397e817ed1282fa66efab7da radiusproxy plugin: Use str(error) rather than error.message >> * 095d0cb7afc3d404829d87bc894d8691be2228ef xmlrpc_test: Expect bytes rather than strings for binary attributes >> * baaa041b8a272e43c99f00f69fc645a2e92216db ipalib.rpc: Send base64-encoded data as string under Python 3 >> * 14aba1c7c16e3b4e6375305990fffbd86cefbfdd range plugin tests: Use bytes with MockLDAP under Python 3 >> * bdee89001455825bfe2c7e820c6b2d651f1f45eb radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret >> * 6ddf0d657f70eb03d17af2e63eb52d6ef33305be certprofile plugin: Use binary mode for file with binary data >> * 20a6a42567f0fa21945f02aa58420c31bc0c9127 test_add_remove_cert_cmd: Use bytes for base64.b64encode() >> >> ipa-4-3: >> * 5750c3ece9359ca5a1c9ddbbf727eb63862709ce test_xmlrpc: Use absolute imports >> * ba3d77253a54e862249476e3d289ebf01f1a9f9a xmlrpc_test: Rename exception instance before working with it >> * a514ebdc81548f37e5fedb7bb43ca7ddab473af8 radiusproxy plugin: Use str(error) rather than error.message >> * 4c68bd671a89f3ddda0c09f9abffe0e1b87098cb xmlrpc_test: Expect bytes rather than strings for binary attributes >> * 72fb2674117ee8c3c1cafa17512e524ea437f966 ipalib.rpc: Send base64-encoded data as string under Python 3 >> * 8f637bc9b1343979a0ead7346a5b0d771f133420 range plugin tests: Use bytes with MockLDAP under Python 3 >> * aa052a0976ce3ab643fd54a10bc5428711dd9b61 radiusproxy plugin 
tests: Expect bytes, not text, for ipatokenradiussecret >> * ffb8fcc20848b570bff7a7776ad08d23ac882ff5 certprofile plugin: Use binary mode for file with binary data >> * c009ea8a7622a567de2101d8577955942e67a44d test_add_remove_cert_cmd: Use bytes for base64.b64encode() > > >I just found out one other nit: >$ ipa help topics >prints some commands as b'command' instead of plain command: > >$ ipa help topics >automount >b'automember' Auto Membership Rule. >b'automount' Automount These were the ones (and more) I reported in https://fedorahosted.org/freeipa/ticket/5940 -- / Alexander Bokovoy From akasurde at redhat.com Wed Jun 15 09:13:02 2016 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 15 Jun 2016 14:43:02 +0530 Subject: [Freeipa-devel] [freeipa-devel][PATCH] Added missing translation to automount.py method Message-ID: <57611C1E.8090000@redhat.com> Hi All, Please review the attached patch. Fixes: https://fedorahosted.org/freeipa/ticket/5920 -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-akasurde-0016-Added-missing-translation-to-automount.py-method.patch Type: text/x-patch Size: 2598 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 15 10:33:27 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 15 Jun 2016 12:33:27 +0200 Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate In-Reply-To: References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> Message-ID: <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com> On 14.6.2016 11:44, Jan Cholasta wrote: > On 21.4.2016 09:11, Jan Cholasta wrote: >> On 6.4.2016 15:46, Pavel Vomacka wrote: >>> >>> >>> On 03/16/2016 01:50 PM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> the attached patches implement the server-side part of >>>> . >>>> >>>> Honza >>>> >>> Hi, >>> >>> thank you for the patches. I tested them and they work well. But I would >>> like to ask you whether would be possible to extend the response of >>> 'basecert_find' method and probably also 'basecert_show' response. I >>> think of these information: >>> >>> 1) information whether the certificate is issued by our CA or not. >> >> You can check for that by comparing the issuer name of the certificate >> to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base >> from config-show. >> >>> >>> 2) this probably wouldn't be possible (as we discussed), but I rather >>> write it too - the information about revocation reason. The same as the >>> 'cert_show' provides. >> >> Added --check-revocation flag to request this information. Currently it >> works only on certificates issued by our CA. >> >>> >>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns >> >> Added, also included SHA-256. >> >>> >>> Thank you again. >> >> Updated patches attached. > > Updated and rebased patches attached. Requires Fraser's sub-CA patches. Attaching updated patch 623, which fixes these issues found by David: . -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-623.1-cert-add-owner-information.patch Type: text/x-patch Size: 18058 bytes Desc: not available URL: From pspacek at redhat.com Wed Jun 15 11:29:41 2016 
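Jan's reply above gives the recipe a client can use to tell IPA-issued certificates from foreign ones (compare the issuer name with `CN=Certificate Authority,$SUBJECT_BASE`, where the subject base comes from `config-show`) and lists the fingerprints the extended output carries (MD5, SHA-1 and the added SHA-256). The following is an added illustration of both, not FreeIPA's own code: the DN comparison is deliberately minimal (it handles backslash-escaped commas and case-insensitive matching, not the full RFC 4514 escaping rules), and the DER bytes fed to the fingerprint function are a constructed stand-in, not a real certificate.

```python
# Added example (not FreeIPA's own code): IPA-CA issuer check and certificate
# fingerprints as described in the thread. Function names are assumptions;
# SAMPLE_DER is constructed stand-in data, not a real certificate.
import hashlib


def parse_dn(dn: str):
    """Split an RFC 4514 string DN into normalised (attribute, value) pairs.

    Backslash-escaped characters (e.g. '\\,') are unescaped; attribute types
    and values are lower-cased and stripped so that 'cn=x, o=y' equals
    'CN=X,O=Y'. A production matcher would also handle hex escapes and
    multi-valued RDNs; this is enough for the IPA CA issuer comparison.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, keep literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def ipa_ca_issuer_dn(subject_base: str) -> str:
    """Issuer DN of the IPA CA for a given subject base (from config-show)."""
    return "CN=Certificate Authority," + subject_base


def issued_by_ipa_ca(issuer_dn: str, subject_base: str) -> bool:
    """True when the certificate's issuer is the IPA CA of this deployment."""
    return parse_dn(issuer_dn) == parse_dn(ipa_ca_issuer_dn(subject_base))


def fingerprints(der: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 digests of the DER encoding, colon-separated hex."""
    out = {}
    for algo in ("md5", "sha1", "sha256"):
        hexdigest = hashlib.new(algo, der).hexdigest().upper()
        out[algo] = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return out


# Constructed stand-in for DER bytes; a real check would pass the certificate's
# DER encoding here.
SAMPLE_DER = b"abc"

if __name__ == "__main__":
    print(issued_by_ipa_ca("CN=Certificate Authority,O=IPA.TEST", "O=IPA.TEST"))  # True
    print(issued_by_ipa_ca("CN=jdoe,O=IPA.TEST", "O=IPA.TEST"))                   # False
    for algo, fp in fingerprints(SAMPLE_DER).items():
        print(algo, fp)
```

Comparing parsed DNs rather than raw strings avoids false negatives when the client's certificate library prints the issuer with different spacing or case than the string assembled from `config-show`.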
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 13:29:41 +0200 Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role In-Reply-To: <355e2dca-d0d9-280c-c1fc-e5f3a15c6131@redhat.com> References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com> <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com> <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com> <355e2dca-d0d9-280c-c1fc-e5f3a15c6131@redhat.com> Message-ID: <5f4b7b5b-96a3-d8f7-d19c-44e5c4099ac6@redhat.com> On 15.6.2016 09:57, Martin Basti wrote: > > > On 15.06.2016 09:55, Petr Vobornik wrote: >> On 06/14/2016 07:28 PM, Martin Basti wrote: >>> >>> On 14.06.2016 18:58, Martin Babinsky wrote: >>>> On 06/14/2016 05:06 PM, Martin Basti wrote: >>>>> >>>>> On 12.06.2016 17:37, Martin Babinsky wrote: >>>>>> These two patches turn oft-neglected ntp service into a full fledged >>>>>> role whose status can be queried centrally. They should also enable >>>>>> generation of location-specific _ntp._udp records. >>>>>> >>>>>> Please note that NTP is LDAP-enabled by additional call after DS >>>>>> instance is configured. I was not feeling confident by swapping NTP >>>>>> and DS configuration steps as I was afraid it will break things. If >>>>>> not, I will happily update the patch accordingly. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5815 >>>>>> https://fedorahosted.org/freeipa/ticket/5826 >>>>>> >>>>>> >>>>>> >>>>> Hello, I have a few comments: >>>>> >>>>> Patch: 159 >>>>> 1) >>>>> + if ntp.is_configured(): >>>>> + ntp.ldap_enable('NTP', fqdn, None, base_dn) >>>>> + ntp.enable() >>>>> >>>>> All ipa services are in disabled state, ipactl starts them according >>>>> configuration in LDAP >>>>> IMO it should be something like: >>>>> ntp.disable() >>>>> if running: >>>>> ntp.start() >>>>> >>>>> 2) >>>>> could you upgrade NTP only once in upgrade.py? 
Use sysupgrade state >>>>> >>>>> 3) >>>>> + 'NTP': ('ntpd', 42), >>>>> I prefer 45, it is easier to put any service before NTP if needed >>>>> without huge renumbering >>>>> >>>>> >>>>> Patch 160: LGTM >>>>> >>>>> Martin^2 >>>>> >>>>> >>>> Right, attaching updated patches. >>>> >>> Patches are good, but I'm curious if there is any chance for NTP to be >>> able synchronize time before replication on replica install. If no, IMO >>> better is to move NTP service configuration after dirserver to be able >>> to configure LDAP entry directly. >>> But if there is not time for this, I'm fine with opening ticket and >>> fixing it later. >>> >>> Martin^2 >> Isn't it already done during Client part of replica installation? >> > With domain level 1 yes, with domain level 0, no. ACK to current version of the patch. Please keep the order as it is (NTP first) because it ensures proper time sync even on domain level 0. -- Petr^2 Spacek From Nikolai.Kondrashov at redhat.com Wed Jun 15 11:29:54 2016 
From: Nikolai.Kondrashov at redhat.com (Nikolai Kondrashov) Date: Wed, 15 Jun 2016 14:29:54 +0300 Subject: [Freeipa-devel] Using JSON for tlog config files In-Reply-To: <1465939512.9981.2.camel@redhat.com> References: <1465939512.9981.2.camel@redhat.com> Message-ID: <2a9fb06a-fca1-02fb-d355-bbf4a0b2a85f@redhat.com> Hi Simo, On 06/15/2016 12:25 AM, Simo Sorce wrote: > On Tue, 2016-06-14 at 16:40 +0300, Nikolai Kondrashov wrote: >> Although this was mentioned several times before, I'd like to bring additional >> attention to the idea of using config files written in JSON for tlog, because >> there were some concerns over that being appropriate. > > What was the reasoning behind this questioning ? The concern that JSON in those files might be inconvenient for administrators. > In order to understand whether json is appropriate I need to ask who do > you think will be the primary user of the configuration file. > - Is it going to be mainly sysadmins manually setting things up ? At first, yes. Later minimally, because we plan to implement central control of most (if not all) of the parameters. The suggestions so far were to have the same JSON simply stored in HBAC-bound LDAP entries verbatim. Although, I'm not sure if that would be best. > - Is this going to be something that may need to be templated and > delivered via things like puppet ansible ? I didn't plan specifically for that. I expect the chances of that are about the same as for any other config file. > - Is it going to be a file generated by some other program (like sssd or > similar) based on rules stored in a central system ? I'd like to avoid requiring any program controlling tlog to write any files. That's why I implemented passing the whole or part of the configuration via an environment variable value, overriding the global config. However, yes, that value is expected to be the same JSON at the moment. > The answer to these questions will help understanding what format is > better suited. Thanks, Simo! 
Nick

From dkupka at redhat.com Wed Jun 15 11:33:26 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 15 Jun 2016 13:33:26 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
Message-ID: <97dd554c-b1e1-c4f7-9f08-ab2b95c66cee@redhat.com>

On 04/28/2016 02:45 PM, Jan Cholasta wrote:
> Hi,
>
> I have pushed my thin client WIP branch to GitHub:
> .
>
> All commits up to "ipalib: use relative imports for cross-plugin
> imports" should be good for review. The rest is subject to change
> (WARNING: I will force push into this branch).
>
> Honza
>

Hello!

Next batch:

schema: exclude local commands
frontend: call `execute` rather than `forward` in Local
dns, passwd: fix output validation error
misc: fix CLI output of `env` and `plugins` commands
ipalib: replace Any with Dict
schema: generate client-side commands on demand
plugable: initialize plugins on demand
plugable: allow plugins to be non-classes

There is a known regression that arguments with dynamic defaults are not
filled automatically. This will be fixed soon.

Otherwise works for me, ACK.

--
David Kupka

From mkosek at redhat.com Wed Jun 15 11:41:13 2016
From: mkosek at redhat.com (Martin Kosek) Date: Wed, 15 Jun 2016 13:41:13 +0200 Subject: [Freeipa-devel] Using JSON for tlog config files In-Reply-To: <2a9fb06a-fca1-02fb-d355-bbf4a0b2a85f@redhat.com> References: <1465939512.9981.2.camel@redhat.com> <2a9fb06a-fca1-02fb-d355-bbf4a0b2a85f@redhat.com> Message-ID: <1dad4aa3-6535-bbd5-2122-f32a5f919b31@redhat.com> Removing the secondary list from this discussion. On 06/15/2016 01:29 PM, Nikolai Kondrashov wrote: > Hi Simo, > > On 06/15/2016 12:25 AM, Simo Sorce wrote: >> On Tue, 2016-06-14 at 16:40 +0300, Nikolai Kondrashov wrote: >>> Although this was mentioned several times before, I'd like to bring additional >>> attention to the idea of using config files written in JSON for tlog, because >>> there were some concerns over that being appropriate. >> >> What was the reasoning behind this questioning ? > > The concern that JSON in those files might be inconvenient for administrators. > >> In order to understand whether json is appropriate I need to ask who do >> you think will be the primary user of the configuration file. >> - Is it going to be mainly sysadmins manually setting things up ? > > At first, yes. Later minimally, because we plan to implement central control > of most (if not all) of the parameters. Yes, but AFAIK, tlog will still also exist as standalone component and could be configured without integration with FreeIPA. This means admins main configuration file would still be the config file. > The suggestions so far were to have > the same JSON simply stored in HBAC-bound LDAP entries verbatim. Although, I'm > not sure if that would be best. > >> - Is this going to be something that may need to be templated and >> delivered via things like puppet ansible ? > > I didn't plan specifically for that. I expect the chances of that are about > the same as for any other config file. 
> >> - Is it going to be a file generated by some other program (like sssd or >> similar) based on rules stored in a central system ? > > I'd like to avoid requiring any program controlling tlog to write any files. > That's why I implemented passing the whole or part of the configuration via an > environment variable value, overriding the global config. However, yes, that > value is expected to be the same JSON at the moment. > >> The answer to these questions will help understanding what format is >> better suited. > > Thanks, Simo! > > Nick > From Nikolai.Kondrashov at redhat.com Wed Jun 15 11:52:49 2016 
From: Nikolai.Kondrashov at redhat.com (Nikolai Kondrashov) Date: Wed, 15 Jun 2016 14:52:49 +0300 Subject: [Freeipa-devel] Using JSON for tlog config files In-Reply-To: <1dad4aa3-6535-bbd5-2122-f32a5f919b31@redhat.com> References: <1465939512.9981.2.camel@redhat.com> <2a9fb06a-fca1-02fb-d355-bbf4a0b2a85f@redhat.com> <1dad4aa3-6535-bbd5-2122-f32a5f919b31@redhat.com> Message-ID: <1844c7ce-3a36-a9d0-995e-6e0d331b37d0@redhat.com> On 06/15/2016 02:41 PM, Martin Kosek wrote: > Removing the secondary list from this discussion. > > On 06/15/2016 01:29 PM, Nikolai Kondrashov wrote: >> Hi Simo, >> >> On 06/15/2016 12:25 AM, Simo Sorce wrote: >>> On Tue, 2016-06-14 at 16:40 +0300, Nikolai Kondrashov wrote: >>>> Although this was mentioned several times before, I'd like to bring additional >>>> attention to the idea of using config files written in JSON for tlog, because >>>> there were some concerns over that being appropriate. >>> >>> What was the reasoning behind this questioning ? >> >> The concern that JSON in those files might be inconvenient for administrators. >> >>> In order to understand whether json is appropriate I need to ask who do >>> you think will be the primary user of the configuration file. >>> - Is it going to be mainly sysadmins manually setting things up ? >> >> At first, yes. Later minimally, because we plan to implement central control >> of most (if not all) of the parameters. > > Yes, but AFAIK, tlog will still also exist as standalone component and could be > configured without integration with FreeIPA. This means admins main > configuration file would still be the config file. Yes, that's true. It wouldn't make much sense for small setups to use tlog, though, because it implies ElasticSearch. At least Ansible or something like that will need to be used for bigger setups, if not FreeIPA/SSSD, but yes, in that case it will still be JSON. Nick From mbasti at redhat.com Wed Jun 15 11:53:31 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jun 2016 13:53:31 +0200
Subject: [Freeipa-devel] [PATCH 0159-0160] emancipate IPA NTP service into role
In-Reply-To: <5f4b7b5b-96a3-d8f7-d19c-44e5c4099ac6@redhat.com>
References: <14080ab2-cde7-f8bf-9737-382cf70b0c9c@redhat.com> <4182078d-f894-a0ef-bfea-5a839ecafc72@redhat.com> <018f2832-a744-dab6-2154-858e4fb32c76@redhat.com> <54041158-63c1-726e-fd7c-a4303b6993eb@redhat.com> <355e2dca-d0d9-280c-c1fc-e5f3a15c6131@redhat.com> <5f4b7b5b-96a3-d8f7-d19c-44e5c4099ac6@redhat.com>
Message-ID:

On 15.06.2016 13:29, Petr Spacek wrote:
> On 15.6.2016 09:57, Martin Basti wrote:
>>
>> On 15.06.2016 09:55, Petr Vobornik wrote:
>>> On 06/14/2016 07:28 PM, Martin Basti wrote:
>>>> On 14.06.2016 18:58, Martin Babinsky wrote:
>>>>> On 06/14/2016 05:06 PM, Martin Basti wrote:
>>>>>> On 12.06.2016 17:37, Martin Babinsky wrote:
>>>>>>> These two patches turn the oft-neglected ntp service into a full-fledged
>>>>>>> role whose status can be queried centrally. They should also enable
>>>>>>> generation of location-specific _ntp._udp records.
>>>>>>>
>>>>>>> Please note that NTP is LDAP-enabled by an additional call after the DS
>>>>>>> instance is configured. I was not feeling confident about swapping the NTP
>>>>>>> and DS configuration steps as I was afraid it will break things. If
>>>>>>> not, I will happily update the patch accordingly.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5815
>>>>>>> https://fedorahosted.org/freeipa/ticket/5826
>>>>>>>
>>>>>> Hello, I have a few comments:
>>>>>>
>>>>>> Patch: 159
>>>>>> 1)
>>>>>> +        if ntp.is_configured():
>>>>>> +            ntp.ldap_enable('NTP', fqdn, None, base_dn)
>>>>>> +            ntp.enable()
>>>>>>
>>>>>> All IPA services are in the disabled state; ipactl starts them according
>>>>>> to the configuration in LDAP.
>>>>>> IMO it should be something like:
>>>>>>     ntp.disable()
>>>>>>     if running:
>>>>>>         ntp.start()
>>>>>>
>>>>>> 2)
>>>>>> Could you upgrade NTP only once in upgrade.py? Use sysupgrade state.
>>>>>>
>>>>>> 3)
>>>>>> +    'NTP': ('ntpd', 42),
>>>>>> I prefer 45; it is easier to put any service before NTP if needed
>>>>>> without huge renumbering.
>>>>>>
>>>>>> Patch 160: LGTM
>>>>>>
>>>>>> Martin^2
>>>>>>
>>>>> Right, attaching updated patches.
>>>>>
>>>> Patches are good, but I'm curious if there is any chance for NTP to be
>>>> able to synchronize time before replication on replica install. If not, IMO
>>>> it is better to move the NTP service configuration after dirserver to be able
>>>> to configure the LDAP entry directly.
>>>> But if there is no time for this, I'm fine with opening a ticket and
>>>> fixing it later.
>>>>
>>>> Martin^2
>>> Isn't it already done during the client part of replica installation?
>>>
>> With domain level 1 yes, with domain level 0, no.
> ACK to current version of the patch.
>
> Please keep the order as it is (NTP first) because it ensures proper time sync
> even on domain level 0.
>

master:
* 567f00a59c53aca760336aea95423368ac621032 Add NTP to the list of services stored in IPA masters LDAP subtree
* 3e6af238bb695572e462ff49a3096ab0e2e85bc5 Introduce "NTP server" role

From dkupka at redhat.com Wed Jun 15 11:56:06 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 15 Jun 2016 13:56:06 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <97dd554c-b1e1-c4f7-9f08-ab2b95c66cee@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <97dd554c-b1e1-c4f7-9f08-ab2b95c66cee@redhat.com>
Message-ID:

On 06/15/2016 01:33 PM, David Kupka wrote:
> On 04/28/2016 02:45 PM, Jan Cholasta wrote:
>> Hi,
>>
>> I have pushed my thin client WIP branch to GitHub:
>> .
>>
>> All commits up to "ipalib: use relative imports for cross-plugin
>> imports" should be good for review. The rest is subject to change
>> (WARNING: I will force push into this branch).
>>
>> Honza
>>
>
> Hello!
>
> Next batch:
>
> schema: exclude local commands
> frontend: call `execute` rather than `forward` in Local
> dns, passwd: fix output validation error
> misc: fix CLI output of `env` and `plugins` commands
> ipalib: replace Any with Dict
> schema: generate client-side commands on demand
> plugable: initialize plugins on demand
> plugable: allow plugins to be non-classes
>
> There is a known regression that arguments with dynamic defaults are not
> filled automatically. This will be fixed soon.
>
> Otherwise works for me, ACK.
>

Fix for dynamic defaults regression is:

schema: fix client-side dynamic defaults

Works for me, ACK.

--
David Kupka

From jcholast at redhat.com Wed Jun 15 12:04:39 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 15 Jun 2016 14:04:39 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To:
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <97dd554c-b1e1-c4f7-9f08-ab2b95c66cee@redhat.com>
Message-ID: <2b17dcdc-d3ae-ea19-b0fb-55385ed9b21b@redhat.com>

On 15.6.2016 13:56, David Kupka wrote:
> On 06/15/2016 01:33 PM, David Kupka wrote:
>> On 04/28/2016 02:45 PM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> I have pushed my thin client WIP branch to GitHub:
>>> .
>>>
>>> All commits up to "ipalib: use relative imports for cross-plugin
>>> imports" should be good for review. The rest is subject to change
>>> (WARNING: I will force push into this branch).
>>>
>>> Honza
>>>
>>
>> Hello!
>>
>> Next batch:
>>
>> schema: exclude local commands
>> frontend: call `execute` rather than `forward` in Local
>> dns, passwd: fix output validation error
>> misc: fix CLI output of `env` and `plugins` commands
>> ipalib: replace Any with Dict
>> schema: generate client-side commands on demand
>> plugable: initialize plugins on demand
>> plugable: allow plugins to be non-classes
>>
>> There is a known regression that arguments with dynamic defaults are not
>> filled automatically. This will be fixed soon.
>>
>> Otherwise works for me, ACK.
>>
>
> Fix for dynamic defaults regression is:
>
> schema: fix client-side dynamic defaults
>
> Works for me, ACK.

Pushed to master: d26e42ffb065cc524c63d65d87c2a2b5d943c54a

Attaching the patches for reference.

--
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-625-plugable-allow-plugins-to-be-non-classes.patch
Name: freeipa-jcholast-626-plugable-initialize-plugins-on-demand.patch
Name: freeipa-jcholast-627-schema-generate-client-side-commands-on-demand.patch
Name: freeipa-jcholast-628-batch-schema-use-Dict-instead-of-Any.patch
Name: freeipa-jcholast-629-misc-fix-empty-CLI-output-of-env-and-plugins-command.patch
Name: freeipa-jcholast-630-dns-passwd-fix-outputs-of-dns_resolve-and-passwd-com.patch
Name: freeipa-jcholast-631-frontend-call-execute-rather-than-forward-in-Local.patch
Name: freeipa-jcholast-632-schema-exclude-local-commands.patch
Name: freeipa-jcholast-633-schema-fix-client-side-dynamic-defaults.patch

From pspacek at redhat.com Wed Jun 15 12:03:09 2016
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 14:03:09 +0200 Subject: [Freeipa-devel] Using JSON for tlog config files In-Reply-To: <1844c7ce-3a36-a9d0-995e-6e0d331b37d0@redhat.com> References: <1465939512.9981.2.camel@redhat.com> <2a9fb06a-fca1-02fb-d355-bbf4a0b2a85f@redhat.com> <1dad4aa3-6535-bbd5-2122-f32a5f919b31@redhat.com> <1844c7ce-3a36-a9d0-995e-6e0d331b37d0@redhat.com> Message-ID: <807f08ea-fbcc-712b-acc8-19e71132c5e6@redhat.com> On 15.6.2016 13:52, Nikolai Kondrashov wrote: > On 06/15/2016 02:41 PM, Martin Kosek wrote: >> Removing the secondary list from this discussion. >> >> On 06/15/2016 01:29 PM, Nikolai Kondrashov wrote: >>> Hi Simo, >>> >>> On 06/15/2016 12:25 AM, Simo Sorce wrote: >>>> On Tue, 2016-06-14 at 16:40 +0300, Nikolai Kondrashov wrote: >>>>> Although this was mentioned several times before, I'd like to bring >>>>> additional >>>>> attention to the idea of using config files written in JSON for tlog, >>>>> because >>>>> there were some concerns over that being appropriate. >>>> >>>> What was the reasoning behind this questioning ? >>> >>> The concern that JSON in those files might be inconvenient for administrators. >>> >>>> In order to understand whether json is appropriate I need to ask who do >>>> you think will be the primary user of the configuration file. >>>> - Is it going to be mainly sysadmins manually setting things up ? >>> >>> At first, yes. Later minimally, because we plan to implement central control >>> of most (if not all) of the parameters. >> >> Yes, but AFAIK, tlog will still also exist as standalone component and could be >> configured without integration with FreeIPA. This means admins main >> configuration file would still be the config file. > > Yes, that's true. > > It wouldn't make much sense for small setups to use tlog, though, because it > implies ElasticSearch. 
At least Ansible or something like that will need to be > used for bigger setups, if not FreeIPA/SSSD, but yes, in that case it will > still be JSON. I would say that properly indented JSON with extensive comments and examples is good enough. -- Petr^2 Spacek From ftweedal at redhat.com Wed Jun 15 12:18:21 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 15 Jun 2016 22:18:21 +1000 Subject: [Freeipa-devel] [PATCH] 0068 upgrade: do not try to start CA if not configured Message-ID: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5958. The regression was introduced in fix for https://fedorahosted.org/freeipa/ticket/5868. Thanks, Fraser -------------- next part -------------- From 9c6c1e2fb18f87b9e7e64756fd69e10b5949fb82 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 15 Jun 2016 22:12:52 +1000 Subject: [PATCH] upgrade: do not try to start CA if not configured The upgrade script always attempts to start the CA, even on instances where the CA is not configured. Add guards. Fixes: https://fedorahosted.org/freeipa/ticket/5958 --- ipaserver/install/server/upgrade.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0c5f32d954bb236b11eb3cfcda95e66c0c7913d5..044e36494df95f6624ce639ad6fda68025078aea 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1552,10 +1552,11 @@ def upgrade_configuration(): ) upgrade_pki(ca, fstore) - # several upgrade steps require running CA + # several upgrade steps require running CA. If CA is configured, # always run ca.start() because we need to wait until CA is really ready # by checking status using http - ca.start('pki-tomcat') + if ca.is_configured(): + ca.start('pki-tomcat') certmonger_service = services.knownservices.certmonger if ca.is_configured() and not certmonger_service.is_running(): 
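Review bot: the edited comment in this hunk now reads "several upgrade steps require running CA. If CA is configured, always run ca.start() because we need to wait until CA is really ready by checking status using http", which is no longer a sentence and still says "always" about a call that has just been made conditional; suggest "# several upgrade steps require a running CA; if one is configured, call ca.start() and wait until the CA is really ready by checking its status over http". Also `ca.is_configured()` is now evaluated in two consecutive statements (the new guard and the unchanged `if ca.is_configured() and not certmonger_service.is_running():`); binding it once, e.g. `ca_configured = ca.is_configured()`, and reusing it in both places (and in the second hunk) would avoid the repeated check and make the upgrade flow easier to follow.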
@@ -1736,10 +1737,11 @@ def upgrade_configuration(): elif not ds_running and ds.is_running(): ds.stop(ds_serverid) - if ca_running and not ca.is_running(): - ca.start('pki-tomcat') - elif not ca_running and ca.is_running(): - ca.stop('pki-tomcat') + if ca.is_configured(): + if ca_running and not ca.is_running(): + ca.start('pki-tomcat') + elif not ca_running and ca.is_running(): + ca.stop('pki-tomcat') def upgrade_check(options): -- 2.5.5 From mbabinsk at redhat.com Wed Jun 15 12:30:49 2016 
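Review bot: the nested guard correctly skips the start/stop restore on a CA-less instance, but `ca_running` is captured earlier in upgrade_configuration() (outside this hunk); if that capture calls `ca.is_running()` unconditionally on a host with no CA it has the same failure mode this patch fixes, so that site should get the same `ca.is_configured()` guard, or the configured state should be bound once and reused in all three places. Since the commit message describes this as a regression of the ticket 5868 fix, a test covering upgrade on a server without a CA (or at least a note on how it was verified) would help keep it from regressing again.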
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Jun 2016 14:30:49 +0200 Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del In-Reply-To: <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> Message-ID: <480d72ef-7daa-4b40-8ca2-22ea86ed7a06@redhat.com> On 06/15/2016 10:30 AM, Jan Cholasta wrote: > Hi, > > On 12.6.2016 17:31, Martin Babinsky wrote: >> On 06/09/2016 08:12 PM, Martin Babinsky wrote: >>> These patches expand `server_del` to a full fledged IPA master killer in >>> domain level 1. >>> >>> Due to 'server uninstallation removed master from topology' use case, >>> the individual steps are not in the same order as in the original code >>> to facilitate self-removal from topology without introducing an array of >>> permissions for master to remove itself. >>> >>> I had no opportunity to test out the CI test suite because of technical >>> problems so it would be nice if our upstream QE could give it a spin and >>> report errors. >>> >>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>> https://fedorahosted.org/freeipa/ticket/5181 >>> >>> >>> >> Attaching rebased patches and bumping for review. >> >> Please note that they depend on 'Server Roles v2' patchset. > > Patch 0153: > > Should be an ipaserver module, unless it is required on clients as well, > in which case it should be an ipalib module. > > > Patch 0154: LGTM > > > Patch 0155: > > In LDAPDelete subclasses, the primary key argument is multivalue, so I'm > guessing your post_callback won't work correctly. > > Also, since this is *server*-del, s/master/server/ where applicable. 
> > > Patch 0156: LGTM > > > Patch 0157: > > This looks suspicious: > > + result = server_del_cmd(hostname, version=api_version, **options) > > Version is automatically filled in in Command.__call__(), why do you add > it manually here? > Because this uses server API which calls command's `execute` directly so it does not pass version automatically. So you get version mismatch warning every time this function is called. > > Patch 0158: LGTM > > > Honza > -- Martin^3 Babinsky From dkupka at redhat.com Wed Jun 15 12:36:34 2016 From: dkupka at redhat.com (David Kupka) Date: Wed, 15 Jun 2016 14:36:34 +0200 Subject: [Freeipa-devel] [PATCH] Schema caching for thin client Message-ID: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> Hello! Schema caching for thin client is available here: https://github.com/dkupka/freeipa/commits/schema_cache Comments and reviews welcome. Enjoy! -- David Kupka From mbasti at redhat.com Wed Jun 15 12:52:20 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jun 2016 14:52:20 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations
In-Reply-To:
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com>
Message-ID: <233cecb3-085c-9622-3090-da8046048d80@redhat.com>

Hydra patching: Updated patches attached + new patches for dnsserver-* commands attached

> > Updated+rebased patches after Honza's interactive review

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
Name: freeipa-mbasti-0504.3-DNS-Locations-fix-location-del.patch
Name: freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
Name: freeipa-mbasti-0506.3-DNS-Locations-DNS-data-management.patch
Name: freeipa-mbasti-0507.3-DNS-Locations-permission-allow-to-read-status-of-ser.patch
Name: freeipa-mbasti-0508.3-DNS-Locations-add-ACI-for-template-attribute.patch
Name: freeipa-mbasti-0509.3-DNS-Locations-command-dns-update-system-records.patch
Name: freeipa-mbasti-0510.3-DNS-Locations-use-dns_update_service_records-in-inst.patch
Name: freeipa-mbasti-0511.3-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch
Name: freeipa-mbasti-0512.3-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch
Name: freeipa-mbasti-0513.3-DNS-Locations-server-mod-add-automatic-records-updat.patch
Name: freeipa-mbasti-0515.3-DNS-Locations-dnsservers-add-required-objectclasses.patch
Name: freeipa-mbasti-0516.3-DNS-Locations-dnsserver-commands.patch
Name: freeipa-mbasti-0517.3-DNS-Locations-dnsserver-put-server_id-option-into-na.patch
Name: freeipa-mbasti-0518.3-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch
Name: freeipa-mbasti-0519.3-DNS-Locations-dnsserver-remove-config-when-replica-i.patch

From mbabinsk at redhat.com Wed Jun 15 13:29:54 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 15 Jun 2016 15:29:54 +0200 Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del In-Reply-To: <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> Message-ID: <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com> On 06/15/2016 10:30 AM, Jan Cholasta wrote: > Hi, > > On 12.6.2016 17:31, Martin Babinsky wrote: >> On 06/09/2016 08:12 PM, Martin Babinsky wrote: >>> These patches expand `server_del` to a full fledged IPA master killer in >>> domain level 1. >>> >>> Due to 'server uninstallation removed master from topology' use case, >>> the individual steps are not in the same order as in the original code >>> to facilitate self-removal from topology without introducing an array of >>> permissions for master to remove itself. >>> >>> I had no opportunity to test out the CI test suite because of technical >>> problems so it would be nice if our upstream QE could give it a spin and >>> report errors. >>> >>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>> https://fedorahosted.org/freeipa/ticket/5181 >>> >>> >>> >> Attaching rebased patches and bumping for review. >> >> Please note that they depend on 'Server Roles v2' patchset. > > Patch 0153: > > Should be an ipaserver module, unless it is required on clients as well, > in which case it should be an ipalib module. > > > Patch 0154: LGTM > > > Patch 0155: > > In LDAPDelete subclasses, the primary key argument is multivalue, so I'm > guessing your post_callback won't work correctly. > > Also, since this is *server*-del, s/master/server/ where applicable. 
>
>
> Patch 0156: LGTM
>
>
> Patch 0157:
>
> This looks suspicious:
>
> + result = server_del_cmd(hostname, version=api_version, **options)
>
> Version is automatically filled in in Command.__call__(), why do you add
> it manually here?
>
>
> Patch 0158: LGTM
>
>
> Honza
>

Attaching updated patches.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0153-3-ipaserver-module-for-working-with-managed-topology.patch
Name: freeipa-mbabinsk-0154-3-delegate-removal-of-master-DNS-record-and-replica-ke.patch
Name: freeipa-mbabinsk-0155-3-server-del-perform-full-master-removal-in-managed-to.patch
Name: freeipa-mbabinsk-0156-3-CI-test-suite-for-server-del.patch
Name: freeipa-mbabinsk-0157-3-ipa-replica-manage-use-server_del-when-removing-doma.patch
Name: freeipa-mbabinsk-0158-3-remove-the-master-from-managed-topology-during-unins.patch

From mbasti at redhat.com Wed Jun 15 13:45:16 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 15 Jun 2016 15:45:16 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations
In-Reply-To: <233cecb3-085c-9622-3090-da8046048d80@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com>
Message-ID: <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com>

On 15.06.2016 14:52, Martin Basti wrote:
>
> Hydra patching: Updated patches attached + new patches for dnsserver-*
> commands attached
>>
>>
> Updated+rebased patches after Honza's interactive review
>
>

Minor nitpick fixed

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
Name: freeipa-mbasti-0504.3-DNS-Locations-fix-location-del.patch
Name: freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
Name: freeipa-mbasti-0506.3-DNS-Locations-DNS-data-management.patch
Name: freeipa-mbasti-0507.3-DNS-Locations-permission-allow-to-read-status-of-ser.patch
Name: freeipa-mbasti-0508.3-DNS-Locations-add-ACI-for-template-attribute.patch
Name: freeipa-mbasti-0509.3-DNS-Locations-command-dns-update-system-records.patch
Name: freeipa-mbasti-0510.3-DNS-Locations-use-dns_update_service_records-in-inst.patch
Name: freeipa-mbasti-0511.3-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch
Name: freeipa-mbasti-0512.3-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch
Name: freeipa-mbasti-0513.3-DNS-Locations-server-mod-add-automatic-records-updat.patch
Name: freeipa-mbasti-0515.3-DNS-Locations-dnsservers-add-required-objectclasses.patch
Name: freeipa-mbasti-0516.3-DNS-Locations-dnsserver-commands.patch
Name: freeipa-mbasti-0517.3-DNS-Locations-dnsserver-put-server_id-option-into-na.patch Type: text/x-patch Size: 7373 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0518.3-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch Type: text/x-patch Size: 3303 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0519.3-DNS-Locations-dnsserver-remove-config-when-replica-i.patch Type: text/x-patch Size: 1275 bytes Desc: not available URL: From pvomacka at redhat.com Wed Jun 15 13:49:46 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Wed, 15 Jun 2016 15:49:46 +0200 Subject: [Freeipa-devel] [PATCH] 0053: webui: allow to set weight of server without location Message-ID: Hello, I've found a small bug in locations in WebUI. It is not allowed to set weight of a server with no location (i.e. adding new server). Attached patch allows that. https://fedorahosted.org/freeipa/ticket/5905 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0053-Allow-to-set-weight-of-a-server-without-location.patch Type: text/x-patch Size: 1233 bytes Desc: not available URL: From tbordaz at redhat.com Wed Jun 15 13:50:52 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 15 Jun 2016 15:50:52 +0200 Subject: [Freeipa-devel] provisioning and RetroCL/Content_Sync Message-ID: <57615D3C.10407@redhat.com>
Hello,

The subject of provisioning was discussed in https://www.redhat.com/archives/freeipa-devel/2016-May/msg00065.html. The documentation of the provisioning procedure is still going on, but reviewing it I have a doubt about RetroCL/Content_Sync.

Provisioning will be done with strong recommendations/constraints:

  * The provisioned instance should not be accessed by LDAP clients during provisioning.
  * The IPA deployment should contain only one server (the one used for provisioning) in order to prevent replication latency.

During provisioning, disabling RetroCL/Content_Sync gives a ~10% improvement (reducing the number of ADDs).

The drawback of disabling RetroCL/Content_Sync is that the provisioned instance will not be able to send provisioned entries through syncRepl. Now, considering that the provisioned instance is unique in the topology and will do a full init of the replicas, I think SyncRepl is useless, and so we can disable RetroCL/Content_Sync during provisioning.

Does anyone see a problem if those plugins are disabled during provisioning?

thanks
thierry

From mbasti at redhat.com Wed Jun 15 13:59:15 2016
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 15:59:15 +0200 Subject: [Freeipa-devel] [freeipa-devel][PATCH] Added missing translation to automount.py method In-Reply-To: <57611C1E.8090000@redhat.com> References: <57611C1E.8090000@redhat.com> Message-ID: <25ad2f38-ede8-bcf9-b554-6b07803e2981@redhat.com> On 15.06.2016 11:13, Abhijeet Kasurde wrote: > Hi All, > > Please review the attached patch. > > Fixes: https://fedorahosted.org/freeipa/ticket/5920 > > > Thank you for the patch, Please follow this page for howto create internationalized strings: http://www.freeipa.org/page/Python_Coding_Style#Python_Internationalized_.28i18n.29_Strings you must use named subsitution, because translators may need to know what should be there, or they may change the order of words depending on translated language Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Wed Jun 15 14:24:27 2016 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 15 Jun 2016 16:24:27 +0200 Subject: [Freeipa-devel] provisioning and RetroCL/Content_Sync In-Reply-To: <57615D3C.10407@redhat.com> References: <57615D3C.10407@redhat.com> Message-ID: <5761651B.4050307@redhat.com> On 06/15/2016 03:50 PM, thierry bordaz wrote: > Hello, > > The subject of provisioning was discussed > https://www.redhat.com/archives/freeipa-devel/2016-May/msg00065.html. > The documentation of the provisioning procedure is still going on > but reviewing it I have a doubt about RetroCL/Content_Sync. > > Provisioning will be done with high recommendations/constraints: > > * The provisioned instance should not be accessed by ldap client > during provisioning. > * The IPA deployment should contain only one server (the one > used for provisioning) in order to prevent replication latency > > During provisioning, disabling RetroCL/Content_Sync gives a ~10% > improvements (reducing the #ADD). > > The drawback of disabling RetroCL/Content_Sync is that the > provisioned instance will not be able to send provisioned entries > through syncRepl. > Now considering that the provisioned instance is unique in the > topology and will do full init of replicas, I think SyncRepl is > useless and then we can disable RetroCL/Content_Sync during > provisioning. > If the server was running before you do the provisioning there might be existing sync repl clients which have a cookie, if you disable rcl and sync repl for a while and they do a refresh later with that cookie, they will miss changes. At the moment I don't see a way to check that this cookie is invalid and a total refresh has to be done > > Anyone is seeing a problem if those plugins are disabled during > provisioning ? 
> > thanks > thierry > > > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- An HTML attachment was scrubbed... URL: From akasurde at redhat.com Wed Jun 15 14:26:46 2016 From: akasurde at redhat.com (Abhijeet Kasurde) Date: Wed, 15 Jun 2016 19:56:46 +0530 Subject: [Freeipa-devel] [freeipa-devel][PATCH] Added missing translation to automount.py method In-Reply-To: <25ad2f38-ede8-bcf9-b554-6b07803e2981@redhat.com> References: <57611C1E.8090000@redhat.com> <25ad2f38-ede8-bcf9-b554-6b07803e2981@redhat.com> Message-ID: <576165A6.9050801@redhat.com> On 06/15/2016 07:29 PM, Martin Basti wrote: > > > > On 15.06.2016 11:13, Abhijeet Kasurde wrote: >> Hi All, >> >> Please review the attached patch. >> >> Fixes: https://fedorahosted.org/freeipa/ticket/5920 >> >> >> > > Thank you for the patch, > > Please follow this page for howto create internationalized strings: > http://www.freeipa.org/page/Python_Coding_Style#Python_Internationalized_.28i18n.29_Strings > > you must use named subsitution, because translators may need to know > what should be there, or they may change the order of words depending > on translated language > > Martin^2 Thanks Martin for suggestion. I will implement this in current patch and re-submit it for code review. -- Thanks, Abhijeet Kasurde IRC: akasurde http://akasurde.github.io -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Wed Jun 15 14:41:15 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 16:41:15 +0200 Subject: [Freeipa-devel] [PATCH] 0068 upgrade: do not try to start CA if not configured In-Reply-To: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> References: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> Message-ID: <5aeff21b-1386-1d2a-bd8b-3c5d843133e5@redhat.com> On 15.6.2016 14:18, Fraser Tweedale wrote: > Attached patch fixes https://fedorahosted.org/freeipa/ticket/5958. > The regression was introduced in fix for > https://fedorahosted.org/freeipa/ticket/5868. It works for me, ACK. -- Petr^2 Spacek From mbasti at redhat.com Wed Jun 15 15:17:56 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 17:17:56 +0200 Subject: [Freeipa-devel] [PATCH] 0068 upgrade: do not try to start CA if not configured In-Reply-To: <5aeff21b-1386-1d2a-bd8b-3c5d843133e5@redhat.com> References: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> <5aeff21b-1386-1d2a-bd8b-3c5d843133e5@redhat.com> Message-ID: <0b5b1dfa-feaf-ffbc-a056-2777286e5963@redhat.com> On 15.06.2016 16:41, Petr Spacek wrote: > On 15.6.2016 14:18, Fraser Tweedale wrote: >> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5958. >> The regression was introduced in fix for >> https://fedorahosted.org/freeipa/ticket/5868. > It works for me, ACK. > Pushed to master: 01795fca831ca5ce59a56755d261cb3100d6c3d4 From mbasti at redhat.com Wed Jun 15 15:19:28 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 17:19:28 +0200 Subject: [Freeipa-devel] [PATCH] 0068 upgrade: do not try to start CA if not configured In-Reply-To: <0b5b1dfa-feaf-ffbc-a056-2777286e5963@redhat.com> References: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> <5aeff21b-1386-1d2a-bd8b-3c5d843133e5@redhat.com> <0b5b1dfa-feaf-ffbc-a056-2777286e5963@redhat.com> Message-ID: <1fce6bf5-5616-836f-f86c-2722cfec4801@redhat.com> On 15.06.2016 17:17, Martin Basti wrote: > > > On 15.06.2016 16:41, Petr Spacek wrote: >> On 15.6.2016 14:18, Fraser Tweedale wrote: >>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5958. >>> The regression was introduced in fix for >>> https://fedorahosted.org/freeipa/ticket/5868. >> It works for me, ACK. >> > Pushed to master: 01795fca831ca5ce59a56755d261cb3100d6c3d4 > If commit that causes regression was pushed to 4.3.2, shouldn't go this to 4.3.2 too? From tbordaz at redhat.com Wed Jun 15 15:19:39 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 15 Jun 2016 17:19:39 +0200 Subject: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry Message-ID: <5761720B.7040904@redhat.com>
Hello,

This patch is for https://fedorahosted.org/freeipa/ticket/5955

This is the last patch related to "IdM user password change support for legacy client compat tree":

  * It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880)
  * PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd (review by Alexander)
  * this PATCH 0021

This patch is not the final one because I had to locally define SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr. The define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5

A test case is:

create a user 'tb1'

# step 1 verify that there is no passwd/krbkeys
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 2 verify that tb1 has a password/krbkeys
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 3 verify that tb1 has different passwd/krbkeys than in step 2
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 4 verify that tb1 has different passwd/krbkeys than in step 3
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

# step 5 verify that tb1 has different passwd/krbkeys than in step 4
ldappasswd -D "cn=directory manager" -w xxx "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy
ldapsearch -LLL -D "cn=directory manager" -w xxx -b "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey

thanks
thierry

Attached patch (text/x-patch): 0001-slapi-nis-should-allow-password-update-on-a-virtual-.patch (10377 bytes)

From mbasti at redhat.com Wed Jun 15 15:21:37 2016
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 17:21:37 +0200 Subject: [Freeipa-devel] [PATCH] 0068 upgrade: do not try to start CA if not configured In-Reply-To: <1fce6bf5-5616-836f-f86c-2722cfec4801@redhat.com> References: <20160615121821.GG4744@dhcp-40-8.bne.redhat.com> <5aeff21b-1386-1d2a-bd8b-3c5d843133e5@redhat.com> <0b5b1dfa-feaf-ffbc-a056-2777286e5963@redhat.com> <1fce6bf5-5616-836f-f86c-2722cfec4801@redhat.com> Message-ID: <7fa05ef6-a10b-b01e-4627-94d3fb633222@redhat.com>
On 15.06.2016 17:19, Martin Basti wrote:
> On 15.06.2016 17:17, Martin Basti wrote:
>> On 15.06.2016 16:41, Petr Spacek wrote:
>>> On 15.6.2016 14:18, Fraser Tweedale wrote:
>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5958.
>>>> The regression was introduced in fix for
>>>> https://fedorahosted.org/freeipa/ticket/5868.
>>> It works for me, ACK.
>>>
>> Pushed to master: 01795fca831ca5ce59a56755d261cb3100d6c3d4
>>
> If commit that causes regression was pushed to 4.3.2, shouldn't go
> this to 4.3.2 too?
>
Should, pushed to ipa-4-3:
* 7514b8b6df46b57ec9353a02d071347c931ea387 upgrade: do not try to start CA if not configured

From pspacek at redhat.com Wed Jun 15 15:24:47 2016
From: pspacek at redhat.com (Petr Spacek) Date: Wed, 15 Jun 2016 17:24:47 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations In-Reply-To: <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> Message-ID: <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> On 15.6.2016 15:45, Martin Basti wrote: > > > On 15.06.2016 14:52, Martin Basti wrote: >> >> Hydra patching: Updated patches attached + new patches for dnsserver-* >> commands attached >>> >>> >> Updated+rebased patches after Honza's interactive review >> >> > Minor nitpick fixed > > > freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch ACK freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch ACK I will get to the rest later on. -- Petr^2 Spacek From mbasti at redhat.com Wed Jun 15 15:26:32 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 17:26:32 +0200 Subject: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry In-Reply-To: <5761720B.7040904@redhat.com> References: <5761720B.7040904@redhat.com> Message-ID: <9797353e-4782-7094-5804-628d87c3d1a2@redhat.com> On 15.06.2016 17:19, thierry bordaz wrote: > Hello, > > This patch is for https://fedorahosted.org/freeipa/ticket/5955 Please put this link to commit message > > This is the last patch related "IdM user password change support for > legacy client compat tree" > > * It requires DS > 1.3.5.5 (https://fedorahosted.org/389/ticket/48880) > Please bump version in freeipa.spec.in and put DS srpms to @freeipa/freeipa-master if new DS is not at least in updates testing > * > > > > * PATCH 0020 https://fedorahosted.org/freeipa/ticket/5946 ipapwd > (review by Alexander) > * this PATCH 0021 > > This patch is not the final one because I had to locally define > SLAPI_PLUGIN_PRE_EXTOP_FN in order to build on copr. 
> The define SLAPI_PLUGIN_PRE_EXTOP_FN comes with DS > 1.3.5.5 > > A test case is: > > create a user 'tb1' > > # step 1 verify that there is no passwd/krbkeys > ldapsearch -LLL -D "cn=directory manager" -w xxx -b > "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey > > > # step 2 verify that tb1 has a password/krbkeys > ldappasswd -D "cn=directory manager" -w xxx > "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy > ldapsearch -LLL -D "cn=directory manager" -w xxx -b > "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey > > # step 3 verify that tb1 has different passwd/krbkeys than in step 2 > ldappasswd -D "cn=directory manager" -w xxx > "uid=tb1,cn=users,cn=*accounts*,SUFFIX" -s yyy > ldapsearch -LLL -D "cn=directory manager" -w xxx -b > "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey > > > # step 4 verify that tb1 has different passwd/krbkeys than in step 3 > ldappasswd -D "cn=directory manager" -w xxx > "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy > ldapsearch -LLL -D "cn=directory manager" -w xxx -b > "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey > > # step 5 verify that tb1 has different passwd/krbkeys than in step 4 > ldappasswd -D "cn=directory manager" -w xxx > "uid=tb1,cn=users,cn=*compat*,SUFFIX" -s yyy > ldapsearch -LLL -D "cn=directory manager" -w xxx -b > "uid=tb1,cn=users,cn=accounts,SUFFIX" userPassword krbPrincipalKey > Please put these steps to reproduce into ticket, we will need this for QA. > thanks > thierry > > > Thank you, Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From abokovoy at redhat.com Wed Jun 15 15:54:56 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 15 Jun 2016 18:54:56 +0300 Subject: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry In-Reply-To: <5761720B.7040904@redhat.com> References: <5761720B.7040904@redhat.com> Message-ID: <20160615155456.prd7m3pnzijjbwkr@redhat.com> On Wed, 15 Jun 2016, thierry bordaz wrote: >>From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001 >From: Thierry Bordaz >Date: Mon, 13 Jun 2016 18:13:04 +0200 >Subject: [PATCH] slapi-nis should allow password update on a virtual entry > >During password modification ext. op (1.3.6.1.4.1.4203.1.11.1), >if the target entry is in the compat tree, slapi-nis should >remap the entry to the real entry. > >This needs to be done in a pre-op extop that calls the callback >function handling a given OID. >The password mod. callback does a reverse mapping of >extop USERID and set it in SLAPI_TARGET_SDN. >--- > configure.ac | 1 + > src/back-sch.c | 217 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > src/back-sch.h | 16 +++++ > src/plug-sch.c | 24 +++++++ > 4 files changed, 258 insertions(+) > >diff --git a/configure.ac b/configure.ac >index 5b10376..9ce6bcf 100644 >--- a/configure.ac >+++ b/configure.ac >@@ -113,6 +113,7 @@ dirsrv) > SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, > SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, > SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, >+ SLAPI_PLUGIN_PRE_EXTOP_FN, > NULL] > ,,, > [AC_INCLUDES_DEFAULT >diff --git a/src/back-sch.c b/src/back-sch.c >index 32b1d9e..f9ab812 100644 >--- a/src/back-sch.c >+++ b/src/back-sch.c >@@ -54,6 +54,8 @@ > #include "map.h" > #include "back-sch.h" > >+backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, (IFP) backend_passwdmod_extop}, >+ {NULL, NULL}}; > static void > backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e); 
> >@@ -2223,6 +2225,203 @@ done_with_lock: > return ret; > } > >+/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" >+ * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to >+ * the reverse mapping of the USERID. >+ * >+ * If it is not possible to retrieve USERID in the ber >+ * then value of SLAPI_TARGET_SDN is unchanged. >+ * >+ * Else the value of SLAPI_TARGET_SDN is freed and replaced >+ * either by the USERID or the reverse mapping of USERID (if it exists) >+ */ >+static int >+backend_passwdmod_extop(Slapi_PBlock *pb) >+{ >+ struct backend_entry_data *data; >+ struct plugin_state *state; >+ Slapi_DN *sdn = NULL; >+ char *extopdn; >+ char *ndn; >+ char *username = NULL; >+ char *group = NULL; >+ const char *entry_group = NULL; >+ char *set = NULL; >+ const char *entry_set = NULL; >+ struct berval *extop_value = NULL; >+ BerElement *ber = NULL; >+ ber_tag_t tag = 0; >+ ber_len_t len = (ber_len_t) -1; >+ >+ if (wrap_get_call_level() > 0) { >+ return 0; >+ } >+ >+ slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &state); >+ if (state->ready_to_serve == 0) { >+ /* No data to serve yet */ >+ goto free_and_return; >+ } >+ /* Retrieve the original DN from the ber request */ >+ /* Get the ber value of the extended operation */ >+ slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); >+ if (!BV_HAS_DATA(extop_value)) { >+ goto free_and_return; >+ } >+ >+ if ((ber = ber_init(extop_value)) == NULL) { >+ goto free_and_return; >+ } >+ >+ /* Format of request to parse >+ * >+ * PasswdModifyRequestValue ::= SEQUENCE { >+ * userIdentity [0] OCTET STRING OPTIONAL >+ * oldPasswd [1] OCTET STRING OPTIONAL >+ * newPasswd [2] OCTET STRING OPTIONAL } >+ * >+ * The request value field is optional. If it is >+ * provided, at least one field must be filled in. >+ */ >+ >+ /* ber parse code */ >+ if ( ber_scanf( ber, "{") == LBER_ERROR ) { >+ /* The request field wasn't provided. 
We'll >+ * now try to determine the userid and verify >+ * knowledge of the old password via other >+ * means. >+ */ >+ goto free_and_return; >+ } else { >+ tag = ber_peek_tag( ber, &len); >+ } >+ >+ /* identify userID field by tags */ >+ if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) { >+ >+ if ( ber_scanf( ber, "a", &extopdn) == LBER_ERROR ) { >+ slapi_ch_free_string(&extopdn); >+ goto free_and_return; >+ } >+ >+ slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", >+ "extopdn = %s\n", extopdn ? extopdn : "" ); >+ >+ /* Free the current target_DN */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); >+ if (sdn) { >+ const char *olddn; >+ olddn = slapi_sdn_get_ndn(sdn); >+ slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", >+ "olddn = %s (unknown expected)\n", olddn ? olddn : "" ); >+ slapi_sdn_free(&sdn); >+ } >+ >+ /* replace it with the one in the extop req*/ >+ sdn = slapi_sdn_new_dn_byref(extopdn); >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, sdn); >+ } else { >+ /* we can not retrieve the USERID */ >+ goto free_and_return; >+ } >+ >+ wrap_inc_call_level(); >+ if (map_rdlock() != 0) { >+ slapi_log_error(SLAPI_LOG_FATAL, state->plugin_desc->spd_id, >+ "backend_passwdmod_extop unable to acquire read lock\n"); >+ wrap_dec_call_level(); >+ goto free_and_return; >+ } >+ backend_locate(pb, &data, &entry_group, &entry_set); >+ if (data != NULL) { >+ /* If there is a mapping to a real entry >+ * ndn will contains its DN >+ */ >+ if (slapi_sdn_get_ndn(data->original_entry_dn)) { >+ ndn = slapi_ch_strdup(slapi_sdn_get_ndn(data->original_entry_dn)); >+ } else { >+ ndn = NULL; >+ } >+ slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", >+ "reverse mapped dn = %s\n", ndn ? ndn : "" ); >+ >+ username = slapi_entry_attr_get_charptr(data->e, "uid"); >+ group = slapi_ch_strdup(entry_group); >+ set = slapi_ch_strdup(entry_set); You don't use username/group/set anywhere, just remove them. 
>+ >+ /* the rest does not require to hold the map lock */ >+ map_unlock(); >+ wrap_dec_call_level(); >+ >+ if (ndn) { >+ /* replace the TARGET_SDN by the one found in the map >+ * This is the responsibility of the extop to free it >+ */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); >+ if (sdn != NULL) { >+ slapi_sdn_free(&sdn); >+ } >+ sdn = slapi_sdn_new_dn_byref(ndn); >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*) sdn); >+ } >+ >+ /* We are not really interested in those info, just free them */ >+ slapi_ch_free_string(&set); >+ slapi_ch_free_string(&group); >+ slapi_ch_free_string(&username); and here. >+ } else { >+ /* no mapping entry to real entry, this is fine */ >+ map_unlock(); >+ wrap_dec_call_level(); >+ } >+ >+free_and_return: >+ >+ if ( ber != NULL ){ >+ ber_free(ber, 1); >+ ber = NULL; >+ } >+ return 0; >+} >+static int >+backend_extop_cb(Slapi_PBlock *pb) >+{ >+ struct plugin_state *state; >+ int ret; >+ int i; >+ char *oid = NULL; >+ IFP fct = NULL; >+ >+ slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &state); >+ if (state->ready_to_serve == 0) { >+ /* No data to serve yet */ >+ return 0; >+ } >+ >+ /* First check this is a supported OID (for slapi-nis) */ >+ if ( slapi_pblock_get( pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0 ) >+ { >+ slapi_log_error( SLAPI_LOG_FATAL, state->plugin_desc->spd_id, "Could not get OID from request\n" ); >+ return 0; >+ } >+ >+ for (i = 0; extop_handlers[i].oid != NULL; i++) { >+ if (strcmp( oid, extop_handlers[i].oid) == 0 ) { >+ fct = extop_handlers[i].extop_fct; >+ break; >+ } >+ } >+ >+ if (fct) { >+ ret = fct(pb); >+ if (ret) { >+ slapi_log_error( SLAPI_LOG_FATAL, "backend_extop_cb", >+ "pre-extop for %s failed %d\n", oid, ret ); >+ } >+ } >+ return (ret); >+} >+ > static int > backend_compare_cb(Slapi_PBlock *pb) > { 
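Review bot: `int ret;` in backend_extop_cb is read uninitialised whenever no handler matches the OID: it is only assigned inside `if (fct) { ret = fct(pb); ... }`, yet `return (ret);` runs unconditionally, so every extended operation other than the password-modify one returns an indeterminate value from the pre-extop callback. Initialise it (`int ret = 0;`) or return 0 explicitly on the no-handler path. In backend_passwdmod_extop, `char *extopdn;` is also uninitialised and is handed to `slapi_ch_free_string(&extopdn)` on the `ber_scanf(ber, "a", &extopdn)` error path, which frees an indeterminate pointer; declare it `= NULL`. The string ownership around SLAPI_TARGET_SDN also looks wrong: both `slapi_sdn_new_dn_byref(extopdn)` and `slapi_sdn_new_dn_byref(ndn)` make the SDN reference, not own, a buffer this function allocated (via `ber_scanf "a"` and `slapi_ch_strdup`) and never frees, so `extopdn` leaks as soon as the first SDN is replaced by the mapped one and `ndn` leaks whenever the second SDN is freed; `slapi_sdn_new_dn_passin()` would hand the buffer to the SDN. Finally, the header comment says the target SDN is "freed and replaced" while the code comment says it "is the responsibility of the extop to free it"; the commit message should spell out that contract (including that the core's access check for the password change is now evaluated against the remapped real entry rather than the compat DN the client named), since it is what the 389-ds prerequisite in the cover letter provides.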
>@@ -2286,6 +2485,24 @@ backend_shutdown(struct plugin_state *state) > backend_shr_shutdown(state); > } > >+#ifndef SLAPI_PLUGIN_PRE_EXTOP_FN >+#define SLAPI_PLUGIN_PRE_EXTOP_FN 413 >+#endif >+int >+backend_init_extop(Slapi_PBlock *pb, struct plugin_state *state) >+{ >+ slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >+ "hooking up extop callbacks\n"); >+ /* Intercept extended operation requests */ >+ if (slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_EXTOP_FN, >+ backend_extop_cb) != 0) { >+ slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >+ "error hooking up pre extop callback\n"); >+ return -1; >+ } >+ return 0; >+} >+ > int > backend_init_preop(Slapi_PBlock *pb, struct plugin_state *state) > { >diff --git a/src/back-sch.h b/src/back-sch.h >index e8ec400..72ba641 100644 >--- a/src/back-sch.h >+++ b/src/back-sch.h >@@ -127,6 +127,22 @@ struct backend_search_filter_config { > void *callback_data; > }; > >+/* OIDs of the supported extended operation */ >+#define EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" >+ >+/* ber tags for the PasswdModifyRequestValue sequence */ >+#define LDAP_EXTOP_PASSMOD_TAG_USERID 0x80U >+#define LDAP_EXTOP_PASSMOD_TAG_OLDPWD 0x81U >+#define LDAP_EXTOP_PASSMOD_TAG_NEWPWD 0x82U >+ >+typedef int (*IFP)(); >+static int backend_passwdmod_extop(Slapi_PBlock *pb); >+typedef struct backend_extop_handlers { >+ char *oid; >+ IFP extop_fct; >+} backend_extop_handlers_t; >+ >+ > /* Analyzes the filter to decide what kind of NSS search is it > * Returns 0 on success, 1 on failure > * struct backend_search_filter_config is populated with information about the filter >diff --git a/src/plug-sch.c b/src/plug-sch.c >index 7af8480..00e7041 100644 >--- a/src/plug-sch.c >+++ b/src/plug-sch.c 
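Review bot: the `#ifndef SLAPI_PLUGIN_PRE_EXTOP_FN` / `#define SLAPI_PLUGIN_PRE_EXTOP_FN 413` fallback at the top of this hunk defeats the configure.ac check added by the same patch: on a directory server that predates the pre-extop hook the symbol is silently defined and `slapi_pblock_set()` is called with a parameter id that server does not know, instead of the build failing or the hook being left out. The registration just before the new one in plug-sch.c ends with `#endif`, i.e. it is guarded; guard the pre-extop registration the same way and drop the local define once the build requires the newer DS, as the cover letter says is the plan. Two smaller points in the back-sch.h part: `static int backend_passwdmod_extop(Slapi_PBlock *pb);` declared in a header gives every translation unit that includes it an unused static declaration (and a warning); it belongs in back-sch.c above `extop_handlers[]`. And `typedef int (*IFP)();` has no prototype; `typedef int (*IFP)(Slapi_PBlock *);` matches the only handler and removes the `(IFP)` cast in the table.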
>@@ -65,6 +65,7 @@ > #define PLUGIN_BETXN_POSTOP_ID PLUGIN_ID "-betxn_postop" > #define PLUGIN_POSTOP_ID PLUGIN_ID "-postop" > #define PLUGIN_INTERNAL_POSTOP_ID PLUGIN_ID "-internal-postop" >+#define PLUGIN_PRE_EXTOP_ID PLUGIN_ID "-extop-preop" > > /* the module initialization function */ > static Slapi_PluginDesc >@@ -185,6 +186,20 @@ plugin_shutdown(Slapi_PBlock *pb) > "plugin shutdown completed\n"); > return 0; > } >+static int >+schema_compat_plugin_init_extop(Slapi_PBlock *pb) >+{ >+ slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_03); >+ slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, &plugin_description); >+ slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, global_plugin_state); >+ if (backend_init_extop(pb, global_plugin_state) == -1) { >+ slapi_log_error(SLAPI_LOG_PLUGIN, >+ global_plugin_state->plugin_desc->spd_id, >+ "error registering extop hooks\n"); >+ return -1; >+ } >+ return 0; >+} > > static int > schema_compat_plugin_init_preop(Slapi_PBlock *pb) >@@ -343,6 +358,15 @@ schema_compat_plugin_init(Slapi_PBlock *pb) > return -1; > } > #endif >+ if (slapi_register_plugin("preextendedop", TRUE, >+ "schema_compat_plugin_init_extop", >+ schema_compat_plugin_init_extop, >+ PLUGIN_PRE_EXTOP_ID, NULL, >+ state->plugin_identity) != 0) { >+ slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >+ "error registering extop plugin\n"); >+ return -1; >+ } > slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, > "registered plugin hooks\n"); > global_plugin_state = NULL; >-- >2.5.0 > -- / Alexander Bokovoy From mbasti at redhat.com Wed Jun 15 16:12:33 2016 
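The password-modify extended operation that the slapi-nis patch above intercepts carries its target in a BER-encoded PasswdModifyRequestValue (RFC 3062), and the plugin decides what to do from the first tag it finds in that value. The following is an added example written for this page, not code from slapi-nis, FreeIPA or 389-ds: it encodes and decodes that value using the three context-specific tags the patch defines (0x80, 0x81, 0x82), then applies a stand-in for the plugin's decision, remapping a compat-tree DN to the real entry and leaving the target alone when no userIdentity is present. The suffix dc=example,dc=com, the user uid=tb1 and the one-entry COMPAT_MAP dictionary are constructed for the example; the real plugin resolves the mapping through its own map lookup (backend_locate), not a table.

```python
"""RFC 3062 PasswdModifyRequestValue encoder/decoder plus a stand-in for the
slapi-nis pre-extop decision (added example; not slapi-nis, FreeIPA or
389-ds code)."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# Context-specific tags [0], [1], [2] from the ASN.1 quoted in the patch.
TAG_USERID, TAG_OLDPWD, TAG_NEWPWD = 0x80, 0x81, 0x82
TAG_SEQUENCE = 0x30


def _ber_len(n):
    """Definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """Build PasswdModifyRequestValue ::= SEQUENCE { [0] [1] [2] }, all OPTIONAL."""
    inner = b""
    for tag, val in ((TAG_USERID, user_identity), (TAG_OLDPWD, old_passwd),
                     (TAG_NEWPWD, new_passwd)):
        if val is not None:
            inner += _tlv(tag, val.encode("utf-8") if isinstance(val, str) else val)
    return _tlv(TAG_SEQUENCE, inner)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify(value):
    """Parse the request value into a dict; raises ValueError on malformed input."""
    tag, inner, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("PasswdModifyRequestValue must be a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(inner):
        tag, val, pos = _read_tlv(inner, pos)
        if tag == TAG_USERID:
            fields["userIdentity"] = val.decode("utf-8")
        elif tag == TAG_OLDPWD:
            fields["oldPasswd"] = val
        elif tag == TAG_NEWPWD:
            fields["newPasswd"] = val
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return fields


def normalize_dn(dn):
    """Just enough DN normalisation for a dictionary lookup."""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed sample: one compat-tree entry and the real entry behind it.
SUFFIX = "dc=example,dc=com"
COMPAT_MAP = {
    normalize_dn("uid=tb1,cn=users,cn=compat," + SUFFIX):
        normalize_dn("uid=tb1,cn=users,cn=accounts," + SUFFIX),
}


def resolve_target_dn(value, bind_dn, compat_map):
    """Which entry should the password change land on?

    Mirrors the pre-extop decision: an empty value, or one without
    userIdentity, leaves the target alone (RFC 3062 then means the bound
    user); a compat-tree DN is remapped to the real entry; any other DN is
    passed through untouched."""
    if not value:
        return normalize_dn(bind_dn)
    fields = decode_passwd_modify(value)
    if "userIdentity" not in fields:
        return normalize_dn(bind_dn)
    requested = normalize_dn(fields["userIdentity"])
    return compat_map.get(requested, requested)
```

Like the plugin, resolve_target_dn() produces a new target but never rewrites the encoded value itself, so the userIdentity on the wire still names the compat entry; that is why the cover letter lists a newer 389-ds (ticket 48880) as a prerequisite for the remapped target to be honoured.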
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 18:12:33 +0200 Subject: [Freeipa-devel] [PATCH 0033] Fix CA being presented as running even if it weren't In-Reply-To: <7f19fdcf-84d1-4af8-91bd-5fefc22daf86@redhat.com> References: <4967dac0-c475-17da-45b5-399da32e545c@redhat.com> <651ee173-8f3d-b01f-7bf5-9d1f67dab451@redhat.com> <07c4d154-954f-eee0-127c-3574ceab7435@redhat.com> <654f3bb1-384d-e914-c7fc-67647558b0d0@redhat.com> <7f19fdcf-84d1-4af8-91bd-5fefc22daf86@redhat.com> Message-ID: <622238e9-5438-63c0-b46f-f59a73b16e82@redhat.com> On 02.06.2016 19:21, Martin Basti wrote: > > > On 31.05.2016 16:32, Stanislav Laznicka wrote: >> On 05/31/2016 11:40 AM, Stanislav Laznicka wrote: >>> On 05/31/2016 10:22 AM, Stanislav Laznicka wrote: >>>> On 05/30/2016 12:54 PM, Jan Cholasta wrote: >>>>> On 30.5.2016 12:36, Martin Basti wrote: >>>>>> >>>>>> >>>>>> On 26.05.2016 19:31, Stanislav Laznicka wrote: >>>>>>> >>>>>>> Self NACK. I should not post patches when tired, sorry. Minor >>>>>>> fix is >>>>>>> attached. >>>>>>> >>>>>>> >>>>>>> On 05/26/2016 07:21 PM, Stanislav Laznicka wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> Please, see the attached patch. Fixes >>>>>>>> https://fedorahosted.org/freeipa/ticket/5898 >>>>>>>> >>>>>>>> Standa >>>>>>>> >>>>>>> >>>>>> >>>>>> LGTM, if nobody is against this, I will push it in 2 days >>>>> >>>>> NACK, please add `wait` argument and call >>>>> self.wait_until_running(), same as in start() and restart(). >>>>> >>>> A pretty good point, please see the modified patch. >>> Self.NACK - can't add 'wait' agrument to service.Service.is_running >>> this easy. >>> >> Should be fixed now. > > > works for me, can be pushed if Honza agree > > Martin^2 > ACK Pushed to master: fb4e19713d509a0a14acb7eee37f5fee7a9fb375 From mbasti at redhat.com Wed Jun 15 16:15:34 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 15 Jun 2016 18:15:34 +0200 Subject: [Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks In-Reply-To: References: <76bd71c5-80b6-7201-aa50-96ed14ad2080@redhat.com> <56f6f4b0-156b-44eb-9b92-afed58699dce@redhat.com> <57567014.3080808@redhat.com> Message-ID: On 14.06.2016 16:27, Martin Basti wrote: > > > On 09.06.2016 12:42, Stanislav Laznicka wrote: >> On 06/07/2016 08:56 AM, thierry bordaz wrote: >>> >>> >>> On 06/06/2016 07:23 PM, Martin Basti wrote: >>>> >>>> >>>> >>>> On 03.06.2016 13:38, Stanislav Laznicka wrote: >>>>> Hello, >>>>> >>>>> The attached patch implements solution to >>>>> https://fedorahosted.org/freeipa/ticket/5914. The patch is rather >>>>> hacky as nsslapd-db-locks requires to be modified when DS is not >>>>> running although I accept proposals for better solution. >>>>> >>>>> Standa >>>>> >>>> LGTM and works for me, but I want ack from thierry because of the >>>> value >>>> >>>> * value set by this patch is 100K, it is okay or should be rather >>>> 50K as is mentioned in the ticket >>>> * should be upgrade for this change, or should be this done only >>>> for new installations? (patch solves new installations only and I >>>> don't think that we should change it by upgrade, users may have >>>> already tuned DS) >>>> >>>> Martin^2 >>> Hello, >>> >>> This value also depends of the data. For example adding groups with >>> 10K members spikes the dblock consumption up to 40K because of >>> membership computation during the update. >>> The size of the entries can also contribute if for example we have >>> several entries per page or they are too large and fit on several >>> pages. >>> >>> IMHO we should support out of the box groups with 10K, so >>> 'nsslapd-db-locks: 50000' looks good to me. >>> However it could be documented why it can consum so much lock and >>> how to tune it. >>> >>> thanks >>> thierry >>> >> Thank you, Thierry. Reduced the 100k locks to 50k locks in the patch >> (attached). 
> > ACK, I will push it later > Pushed to master: 8e3b7b24c1bec5b7e2519e7c9466e3c336f9a409 From tbordaz at redhat.com Wed Jun 15 16:42:39 2016 From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 15 Jun 2016 18:42:39 +0200 Subject: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry In-Reply-To: <20160615155456.prd7m3pnzijjbwkr@redhat.com> References: <5761720B.7040904@redhat.com> <20160615155456.prd7m3pnzijjbwkr@redhat.com> Message-ID: <5761857F.7000904@redhat.com> Thanks Alexander for the review. You are right I forgot to remove those lines during the cleanup. thanks thierry On 06/15/2016 05:54 PM, Alexander Bokovoy wrote: > On Wed, 15 Jun 2016, thierry bordaz wrote: >>> From 6cd06b9004f8ab72e13c26742d11ee31d30bbc79 Mon Sep 17 00:00:00 2001 >> From: Thierry Bordaz >> Date: Mon, 13 Jun 2016 18:13:04 +0200 >> Subject: [PATCH] slapi-nis should allow password update on a virtual >> entry >> >> During password modification ext. op (1.3.6.1.4.1.4203.1.11.1), >> if the target entry is in the compat tree, slapi-nis should >> remap the entry to the real entry. >> >> This needs to be done in a pre-op extop that calls the callback >> function handling a given OID. >> The password mod. callback does a reverse mapping of >> extop USERID and set it in SLAPI_TARGET_SDN. >> --- >> configure.ac | 1 + >> src/back-sch.c | 217 >> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> src/back-sch.h | 16 +++++ >> src/plug-sch.c | 24 +++++++ >> 4 files changed, 258 insertions(+) >> >> diff --git a/configure.ac b/configure.ac >> index 5b10376..9ce6bcf 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -113,6 +113,7 @@ dirsrv) >> SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN, >> SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN, >> SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN, >> + SLAPI_PLUGIN_PRE_EXTOP_FN, >> NULL] >> ,,, >> [AC_INCLUDES_DEFAULT >> diff --git a/src/back-sch.c b/src/back-sch.c >> index 32b1d9e..f9ab812 100644 >> --- a/src/back-sch.c 
>> +++ b/src/back-sch.c >> @@ -54,6 +54,8 @@ >> #include "map.h" >> #include "back-sch.h" >> >> +backend_extop_handlers_t extop_handlers[] = {{EXTOP_PASSWD_OID, >> (IFP) backend_passwdmod_extop}, + {NULL, NULL}}; >> static void >> backend_entries_to_return_push(struct backend_search_cbdata *cbdata, >> Slapi_Entry *e); 
>> >> @@ -2223,6 +2225,203 @@ done_with_lock: >> return ret; >> } >> >> +/* This callback handles EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" >> + * If the extop defines a USERID, it sets SLAPI_TARGET_SDN to >> + * the reverse mapping of the USERID. >> + * >> + * If it is not possible to retrieve USERID in the ber >> + * then value of SLAPI_TARGET_SDN is unchanged. >> + * >> + * Else the value of SLAPI_TARGET_SDN is freed and replaced >> + * either by the USERID or the reverse mapping of USERID (if it exists) >> + */ >> +static int >> +backend_passwdmod_extop(Slapi_PBlock *pb) >> +{ >> + struct backend_entry_data *data; >> + struct plugin_state *state; >> + Slapi_DN *sdn = NULL; >> + char *extopdn; >> + char *ndn; >> + char *username = NULL; >> + char *group = NULL; >> + const char *entry_group = NULL; >> + char *set = NULL; >> + const char *entry_set = NULL; >> + struct berval *extop_value = NULL; >> + BerElement *ber = NULL; >> + ber_tag_t tag = 0; >> + ber_len_t len = (ber_len_t) -1; >> + >> + if (wrap_get_call_level() > 0) { >> + return 0; >> + } >> + >> + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &state); >> + if (state->ready_to_serve == 0) { >> + /* No data to serve yet */ >> + goto free_and_return; >> + } >> + /* Retrieve the original DN from the ber request */ >> + /* Get the ber value of the extended operation */ >> + slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); >> + if (!BV_HAS_DATA(extop_value)) { >> + goto free_and_return; >> + } >> + >> + if ((ber = ber_init(extop_value)) == NULL) { >> + goto free_and_return; >> + } >> + + /* Format of request to parse >> + * >> + * PasswdModifyRequestValue ::= SEQUENCE { >> + * userIdentity [0] OCTET STRING OPTIONAL >> + * oldPasswd [1] OCTET STRING OPTIONAL >> + * newPasswd [2] OCTET STRING OPTIONAL } >> + * >> + * The request value field is optional. If it is >> + * provided, at least one field must be filled in. 
>> + */ >> + >> + /* ber parse code */ >> + if ( ber_scanf( ber, "{") == LBER_ERROR ) { >> + /* The request field wasn't provided. We'll >> + * now try to determine the userid and verify >> + * knowledge of the old password via other >> + * means. >> + */ >> + goto free_and_return; >> + } else { >> + tag = ber_peek_tag( ber, &len); >> + } >> + >> + /* identify userID field by tags */ >> + if (tag == LDAP_EXTOP_PASSMOD_TAG_USERID ) { >> + >> + if ( ber_scanf( ber, "a", &extopdn) == LBER_ERROR ) { >> + slapi_ch_free_string(&extopdn); >> + goto free_and_return; >> + } >> + >> + slapi_log_error(SLAPI_LOG_PLUGIN, >> "backend_passwdmod_extop", >> + "extopdn = %s\n", extopdn ? extopdn : "" ); >> + >> + /* Free the current target_DN */ >> + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); >> + if (sdn) { >> + const char *olddn; >> + olddn = slapi_sdn_get_ndn(sdn); >> + slapi_log_error(SLAPI_LOG_PLUGIN, >> "backend_passwdmod_extop", >> + "olddn = %s (unknown expected)\n", >> olddn ? olddn : "" ); >> + slapi_sdn_free(&sdn); >> + } >> + >> + /* replace it with the one in the extop req*/ >> + sdn = slapi_sdn_new_dn_byref(extopdn); >> + slapi_pblock_set(pb, SLAPI_TARGET_SDN, sdn); >> + } else { >> + /* we can not retrieve the USERID */ >> + goto free_and_return; >> + } >> + >> + wrap_inc_call_level(); >> + if (map_rdlock() != 0) { >> + slapi_log_error(SLAPI_LOG_FATAL, state->plugin_desc->spd_id, >> + "backend_passwdmod_extop unable to acquire read >> lock\n"); >> + wrap_dec_call_level(); >> + goto free_and_return; >> + } >> + backend_locate(pb, &data, &entry_group, &entry_set); >> + if (data != NULL) { >> + /* If there is a mapping to a real entry >> + * ndn will contains its DN >> + */ >> + if (slapi_sdn_get_ndn(data->original_entry_dn)) { >> + ndn = >> slapi_ch_strdup(slapi_sdn_get_ndn(data->original_entry_dn)); >> + } else { >> + ndn = NULL; >> + } >> + slapi_log_error(SLAPI_LOG_PLUGIN, "backend_passwdmod_extop", >> + "reverse mapped dn = %s\n", ndn ? 
ndn : "" ); >> + >> + username = slapi_entry_attr_get_charptr(data->e, "uid"); >> + group = slapi_ch_strdup(entry_group); >> + set = slapi_ch_strdup(entry_set); > You don't use username/group/set anywhere, just remove them. > >> + >> + /* the rest does not require to hold the map lock */ >> + map_unlock(); >> + wrap_dec_call_level(); >> + >> + if (ndn) { >> + /* replace the TARGET_SDN by the one found in the map >> + * This is the responsibility of the extop to free it >> + */ >> + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); >> + if (sdn != NULL) { >> + slapi_sdn_free(&sdn); >> + } >> + sdn = slapi_sdn_new_dn_byref(ndn); >> + slapi_pblock_set(pb, SLAPI_TARGET_SDN, (void*) sdn); >> + } >> + >> + /* We are not really interested in those info, just free >> them */ >> + slapi_ch_free_string(&set); >> + slapi_ch_free_string(&group); >> + slapi_ch_free_string(&username); > and here. > >> + } else { >> + /* no mapping entry to real entry, this is fine */ >> + map_unlock(); >> + wrap_dec_call_level(); >> + } >> + >> +free_and_return: >> + >> + if ( ber != NULL ){ >> + ber_free(ber, 1); >> + ber = NULL; >> + } >> + return 0; >> +} >> +static int >> +backend_extop_cb(Slapi_PBlock *pb) >> +{ >> + struct plugin_state *state; >> + int ret; >> + int i; >> + char *oid = NULL; >> + IFP fct = NULL; >> + >> + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &state); >> + if (state->ready_to_serve == 0) { >> + /* No data to serve yet */ >> + return 0; >> + } >> + >> + /* First check this is a supported OID (for slapi-nis) */ >> + if ( slapi_pblock_get( pb, SLAPI_EXT_OP_REQ_OID, &oid ) != 0 ) >> + { >> + slapi_log_error( SLAPI_LOG_FATAL, >> state->plugin_desc->spd_id, "Could not get OID from request\n" ); >> + return 0; >> + } >> + >> + for (i = 0; extop_handlers[i].oid != NULL; i++) { >> + if (strcmp( oid, extop_handlers[i].oid) == 0 ) { >> + fct = extop_handlers[i].extop_fct; >> + break; >> + } >> + } >> + >> + if (fct) { >> + ret = fct(pb); >> + if (ret) { >> + slapi_log_error( 
SLAPI_LOG_FATAL, "backend_extop_cb", >> + "pre-extop for %s failed %d\n", oid, ret ); >> + } >> + } >> + return (ret); >> +} >> + >> static int >> backend_compare_cb(Slapi_PBlock *pb) >> { >> @@ -2286,6 +2485,24 @@ backend_shutdown(struct plugin_state *state) >> backend_shr_shutdown(state); >> } >> >> +#ifndef SLAPI_PLUGIN_PRE_EXTOP_FN >> +#define SLAPI_PLUGIN_PRE_EXTOP_FN 413 >> +#endif >> +int >> +backend_init_extop(Slapi_PBlock *pb, struct plugin_state *state) >> +{ >> + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >> + "hooking up extop callbacks\n"); >> + /* Intercept extended operation requests */ >> + if (slapi_pblock_set(pb, SLAPI_PLUGIN_PRE_EXTOP_FN, >> + backend_extop_cb) != 0) { >> + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >> + "error hooking up pre extop callback\n"); >> + return -1; >> + } >> + return 0; >> +} >> + >> int >> backend_init_preop(Slapi_PBlock *pb, struct plugin_state *state) >> { >> diff --git a/src/back-sch.h b/src/back-sch.h >> index e8ec400..72ba641 100644 >> --- a/src/back-sch.h >> +++ b/src/back-sch.h >> @@ -127,6 +127,22 @@ struct backend_search_filter_config { >> void *callback_data; >> }; >> >> +/* OIDs of the supported extended operation */ >> +#define EXTOP_PASSWD_OID "1.3.6.1.4.1.4203.1.11.1" >> + >> +/* ber tags for the PasswdModifyRequestValue sequence */ >> +#define LDAP_EXTOP_PASSMOD_TAG_USERID 0x80U >> +#define LDAP_EXTOP_PASSMOD_TAG_OLDPWD 0x81U >> +#define LDAP_EXTOP_PASSMOD_TAG_NEWPWD 0x82U >> + >> +typedef int (*IFP)(); >> +static int backend_passwdmod_extop(Slapi_PBlock *pb); >> +typedef struct backend_extop_handlers { >> + char *oid; >> + IFP extop_fct; >> +} backend_extop_handlers_t; >> + >> + >> /* Analyzes the filter to decide what kind of NSS search is it >> * Returns 0 on success, 1 on failure >> * struct backend_search_filter_config is populated with information >> about the filter >> diff --git a/src/plug-sch.c b/src/plug-sch.c >> index 7af8480..00e7041 100644 
>> --- a/src/plug-sch.c >> +++ b/src/plug-sch.c >> @@ -65,6 +65,7 @@ >> #define PLUGIN_BETXN_POSTOP_ID PLUGIN_ID "-betxn_postop" >> #define PLUGIN_POSTOP_ID PLUGIN_ID "-postop" >> #define PLUGIN_INTERNAL_POSTOP_ID PLUGIN_ID "-internal-postop" >> +#define PLUGIN_PRE_EXTOP_ID PLUGIN_ID "-extop-preop" >> >> /* the module initialization function */ >> static Slapi_PluginDesc >> @@ -185,6 +186,20 @@ plugin_shutdown(Slapi_PBlock *pb) >> "plugin shutdown completed\n"); >> return 0; >> } >> +static int >> +schema_compat_plugin_init_extop(Slapi_PBlock *pb) >> +{ >> + slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, >> SLAPI_PLUGIN_VERSION_03); >> + slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, >> &plugin_description); >> + slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, global_plugin_state); >> + if (backend_init_extop(pb, global_plugin_state) == -1) { >> + slapi_log_error(SLAPI_LOG_PLUGIN, >> + global_plugin_state->plugin_desc->spd_id, >> + "error registering extop hooks\n"); >> + return -1; >> + } >> + return 0; >> +} >> >> static int >> schema_compat_plugin_init_preop(Slapi_PBlock *pb) >> @@ -343,6 +358,15 @@ schema_compat_plugin_init(Slapi_PBlock *pb) >> return -1; >> } >> #endif >> + if (slapi_register_plugin("preextendedop", TRUE, >> + "schema_compat_plugin_init_extop", >> + schema_compat_plugin_init_extop, >> + PLUGIN_PRE_EXTOP_ID, NULL, >> + state->plugin_identity) != 0) { >> + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >> + "error registering extop plugin\n"); >> + return -1; >> + } >> slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, >> "registered plugin hooks\n"); >> global_plugin_state = NULL; >> -- >> 2.5.0 >> > > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-slapi-nis-should-allow-password-update-on-a-virtual-.patch Type: text/x-patch Size: 10044 bytes Desc: not available URL: From pvoborni at redhat.com Wed Jun 15 18:15:59 2016 
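Review bot: `extop_handlers[]` in the src/back-sch.c @@ -54,6 hunk is defined with external linkage and as a mutable array, although only `backend_extop_cb` in the same file walks it; declare it `static const backend_extop_handlers_t extop_handlers[]` so the OID-to-handler mapping cannot be modified or redefined from another translation unit, and drop the `(IFP)` cast on `backend_passwdmod_extop` once `IFP` carries the real `Slapi_PBlock *` signature, so the compiler checks the handler's prototype instead of hiding it.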
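Review bot: `ret` in `backend_extop_cb` (src/back-sch.c @@ -2223,6 hunk) is returned uninitialized whenever no handler matches the request OID: it is declared `int ret;` and assigned only inside `if (fct) { ret = fct(pb); ... }`, yet `return (ret);` runs on every path, so an unsupported extended operation hands the server an indeterminate value. Initialise it (`int ret = 0;`) or return 0 explicitly when `fct` is NULL. In the same hunk, `backend_passwdmod_extop` obtains `extopdn` from `ber_scanf(ber, "a", &extopdn)`, stores it with `slapi_sdn_new_dn_byref(extopdn)` and never frees it on the success path, and later does the same with the `slapi_ch_strdup`'d `ndn`; since the comment says the extop is responsible for freeing the SDN, either use `slapi_sdn_new_dn_passin()` so the SDN owns and releases the string, or state explicitly who frees `extopdn` and `ndn`.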
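Review bot: the fallback `#define SLAPI_PLUGIN_PRE_EXTOP_FN 413` in the src/back-sch.c @@ -2286,6 hunk hard-codes a pblock parameter id that the configure.ac hunk already probes for; if the installed slapi-plugin.h does not define the symbol, hooking id 413 blindly registers the callback under whatever that id means in that server version. Either drop the fallback and let configure fail when the symbol is missing, or keep the constant in one place with a comment naming the 389 DS header it was copied from.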
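Review bot: the src/back-sch.h hunk declares `static int backend_passwdmod_extop(Slapi_PBlock *pb);` in a header, so every file including back-sch.h (plug-sch.c among them) receives a file-local declaration it never defines, which compilers report as declared but unused; move that forward declaration into back-sch.c above the `extop_handlers` table. The header also gains no prototype for the new `backend_init_extop()` that plug-sch.c calls, so unless it is declared somewhere not shown here the call depends on an implicit declaration; add `int backend_init_extop(Slapi_PBlock *pb, struct plugin_state *state);` next to the existing `backend_init_preop` prototype. Finally, `typedef int (*IFP)();` with empty parentheses disables argument checking for the handlers; `typedef int (*IFP)(Slapi_PBlock *pb);` matches the only handler in the table.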
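Review bot: style point on the src/plug-sch.c @@ -185,6 hunk: `schema_compat_plugin_init_extop` starts directly on the line after the closing brace of `plugin_shutdown` with no separating blank line, unlike `schema_compat_plugin_init_preop` below it; and the three `slapi_pblock_set()` calls discard their return values while `backend_init_extop()` in the same series checks its own, so the version/description/private setup could fail silently. Add the blank line and treat a non-zero return from `slapi_pblock_set()` the same way `backend_init_extop()` does.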
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 15 Jun 2016 20:15:59 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com>
Message-ID: <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com>

On 06/15/2016 02:36 PM, David Kupka wrote:
> Hello!
> Schema caching for thin client is available here:
>
> https://github.com/dkupka/freeipa/commits/schema_cache
>
> Comments and reviews welcome.
>
> Enjoy!

Not doing a proper review. I'll test by using it. But:

1. lint fails

Pylint is running, please wait ...
************* Module ipaclient.remote_plugins.schema_cache
ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin), _refresh_schema] unicode built-in referenced)
Makefile:137: recipe for target 'lint' failed
make: *** [lint] Error 1

I.e., you miss:

import six

if six.PY3:
    unicode = str

--
Petr Vobornik

From yurchor at ukr.net Wed Jun 15 18:57:05 2016
From: yurchor at ukr.net (Yuri Chornoivan)
Date: Wed, 15 Jun 2016 21:57:05 +0300
Subject: [Freeipa-devel] [PATCH] Fix minor typos
Message-ID:

Hi,

There are several minor typos in the new portion of FreeIPA code (see the patch attached).

Thanks for fixing them.

Best regards,
Yuri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-minor-typos.patch
Type: application/octet-stream
Size: 2755 bytes
Desc: not available
URL:

From pspacek at redhat.com Thu Jun 16 03:16:01 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 05:16:01 +0200
Subject: [Freeipa-devel] [PATCH] Fix minor typos
In-Reply-To:
References:
Message-ID: <7a146328-3891-f43c-9749-e0b074eaa202@redhat.com>

On 15.6.2016 20:57, Yuri Chornoivan wrote:
> Hi,
>
> There are several minor typos in the new portion of FreeIPA code (see the
> patch attached).
>
> Thanks for fixing them.

Thank *you* for fixing them!

ACK

--
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 16 04:55:47 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 06:55:47 +0200
Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation
Message-ID:

Hello,

TL;DR version:
Upgrade to 389-ds-base-1.3.5.6-1.fc24.

I was facing weird filter/ACI evaluation with 389 DS
389-ds-base-1.3.5.4-1.fc24.x86_64. Here is the full story (written before I
realized that DS is the old one ...):


Test
====
First, let's try an LDAP search with an OR filter consisting of 5 components:

[16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
[16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
[16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND
[16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1

It returns 1 entry - the idnsServerConfigObject object.


Now let us re-try a shortened filter containing only 4 OR components. I would
expect to get fewer entries but that is not the case:

[16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2
[16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES
[16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
[16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
[16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 nentries=11 etime=0

Huh? Now we got 11 entries.


When I do the first search as Directory Manager it returns all 12 matching
entries (which is the expected number, at least according to my match-by-eye
algorithm :-)).


Schema
======
idnsServerId attribute definition contains an equality specification:
( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )


Indices
=======
The attribute itself is not indexed but that should not hurt I guess.

Mere addition of an equality index to the attribute did not help.

Reindexing using
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks
did not help either.


ACI
===
Relevant ACIs are:
(targetattr = "createtimestamp || entryusn || idnsforwarders || idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable || modifytimestamp || objectclass")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Read DNS Servers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";)

(targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || idnssubstitutionvariable")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";)


BIND DN
krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel
is member of
cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel
which is member of
cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel

so we should be all good.


Now I was totally confused and was looking for a bug in bind-dyndb-ldap until I
realized that DS is returning weird results... Upgrading to
389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that.

This would be a blocker for FreeIPA 4.4 because the old version totally breaks
bind-dyndb-ldap.

--
Petr^2 Spacek

From akasurde at redhat.com Thu Jun 16 06:31:01 2016
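The inconsistency Petr describes (a 5-component OR filter returning 1 entry while a 4-component subset of it returns 11) can be caught mechanically from the access log, so an administrator does not have to spot it by eye. The script below is an added example and not part of the thread, FreeIPA or 389 DS. It pairs each SRCH with its RESULT, remembers the bind DN per connection from the final successful BIND result, and reports any two searches from the same bind DN, base and scope where a filter whose top-level OR components strictly include another's returned fewer entries; a correctly evaluating server can never produce that, so a hit points at the server's filter or ACI evaluation rather than at the client. The regexes only cover the access-log fields visible above, the RFC 4515 filter parser is a minimal one written for this example, and the embedded log excerpt is copied from the message above (the archive prints "@" in the principal name as " at ").

```python
"""Flag non-monotonic OR-filter results in a 389 DS access log.
Added example, not FreeIPA or 389 DS code: a wider OR filter returning
fewer entries than a strict subset of its components, for the same bind DN,
base and scope, is something a correct server never does."""
import re

# Log lines copied from the report above (conn=119/120), trimmed to the final
# BIND result and the SRCH/RESULT pairs. The archive shows "@" as " at ".
ACCESS_LOG = """\
[16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
[16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
[16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
[16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
[16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 nentries=11 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ RESULT err=0 tag=97 nentries=0 etime=\d+ dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
DONE_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=101 nentries=(\d+)')
ITEM_RE = re.compile(r'^([A-Za-z0-9.;-]+)(>=|<=|~=|=)(.*)$')


def parse_filter(text):
    """RFC 4515 filter -> nested tuples: ('|' / '&' / '!', children) or
    ('item', attr, op, value). Attribute names are lower-cased, as LDAP
    compares them case-insensitively; assertion values are kept as written."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect('(')
        if pos < len(text) and text[pos] in '&|!':   # '!' parsed as a one-child list
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == '(':
                children.append(node())
            expect(')')
            return (op, tuple(children))
        end = text.find(')', pos)
        m = ITEM_RE.match(text[pos:end]) if end >= 0 else None
        if not m:
            raise ValueError("bad filter item at %d in %r" % (pos, text))
        pos = end + 1
        return ('item', m.group(1).lower(), m.group(2), m.group(3))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return tree


def or_components(tree):
    """Top-level disjuncts: children of an outer OR, else the filter itself."""
    return frozenset(tree[1]) if tree[0] == '|' else frozenset([tree])


def parse_access_log(log):
    """Completed searches as dicts: conn, op, binddn, base, scope, filter, nentries."""
    binddn, pending, searches = {}, {}, []   # binddn: conn -> DN of last successful bind
    for line in log.splitlines():
        if (m := BIND_RE.search(line)):
            binddn[int(m.group(1))] = m.group(2)
        elif (m := SRCH_RE.search(line)):
            conn, op = int(m.group(1)), int(m.group(2))
            pending[(conn, op)] = {'conn': conn, 'op': op, 'binddn': binddn.get(conn, ''),
                                   'base': m.group(3).lower(), 'scope': int(m.group(4)),
                                   'filter': parse_filter(m.group(5))}
        elif (m := DONE_RE.search(line)):
            rec = pending.pop((int(m.group(1)), int(m.group(2))), None)
            if rec is not None and m.group(3) == '0':   # ignore failed searches
                rec['nentries'] = int(m.group(4))
                searches.append(rec)
    return searches


def find_anomalies(searches):
    """((conn, op) wider, (conn, op) narrower, n_wider, n_narrower) for each pair
    where the wider OR filter returned fewer entries than a strict subset of its
    components. Only searches sharing bind DN, base and scope are compared,
    because ACIs and scope legitimately change the count otherwise."""
    hits = []
    for wide in searches:
        for narrow in searches:
            if narrow is wide or any(wide[k] != narrow[k] for k in ('binddn', 'base', 'scope')):
                continue
            if (or_components(narrow['filter']) < or_components(wide['filter'])
                    and wide['nentries'] < narrow['nentries']):
                hits.append(((wide['conn'], wide['op']), (narrow['conn'], narrow['op']),
                             wide['nentries'], narrow['nentries']))
    return hits


if __name__ == '__main__':
    for wide, narrow, n_wide, n_narrow in find_anomalies(parse_access_log(ACCESS_LOG)):
        print("conn=%d op=%d returned %d entries, but its OR-subset conn=%d op=%d returned %d"
              % (wide + (n_wide,) + narrow + (n_narrow,)))
```

Run against a full access log, the bind-DN grouping matters: the same two filters issued by Directory Manager and by the DNS service principal would differ in count for legitimate ACI reasons, and the check must not flag that. Only a drop in the count for the wider filter within one identity is evidence of the kind of server defect the thread describes.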
From: akasurde at redhat.com (Abhijeet Kasurde)
Date: Thu, 16 Jun 2016 12:01:01 +0530
Subject: [Freeipa-devel] [freeipa-devel][PATCH] Added missing translation to automount.py method
In-Reply-To: <576165A6.9050801@redhat.com>
References: <57611C1E.8090000@redhat.com> <25ad2f38-ede8-bcf9-b554-6b07803e2981@redhat.com> <576165A6.9050801@redhat.com>
Message-ID: <576247A5.2060800@redhat.com>

Hi All,

Please review the updated patch.

On 06/15/2016 07:56 PM, Abhijeet Kasurde wrote:
>
> On 06/15/2016 07:29 PM, Martin Basti wrote:
>>
>> On 15.06.2016 11:13, Abhijeet Kasurde wrote:
>>> Hi All,
>>>
>>> Please review the attached patch.
>>>
>>> Fixes: https://fedorahosted.org/freeipa/ticket/5920
>>>
>>
>> Thank you for the patch,
>>
>> Please follow this page for how to create internationalized strings:
>> http://www.freeipa.org/page/Python_Coding_Style#Python_Internationalized_.28i18n.29_Strings
>>
>> You must use named substitution, because translators may need to know
>> what should be there, or they may change the order of words depending
>> on the translated language.
>>
>> Martin^2
>
> Thanks Martin for the suggestion. I will implement this in the current patch
> and re-submit it for code review.
>
> --
> Thanks,
> Abhijeet Kasurde
>
> IRC: akasurde
> http://akasurde.github.io

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-akasurde-0016-1-Added-missing-translation-to-automount.py-method.patch
Type: text/x-patch
Size: 2808 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 16 06:47:58 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 08:47:58 +0200
Subject: [Freeipa-devel] [PATCH] Fix minor typos
In-Reply-To: <7a146328-3891-f43c-9749-e0b074eaa202@redhat.com>
References: <7a146328-3891-f43c-9749-e0b074eaa202@redhat.com>
Message-ID: <99eb63e0-f076-1fdf-eff4-29e0c5489771@redhat.com>

On 16.06.2016 05:16, Petr Spacek wrote:
> On 15.6.2016 20:57, Yuri Chornoivan wrote:
>> Hi,
>>
>> There are several minor typos in the new portion of FreeIPA code (see the
>> patch attached).
>>
>> Thanks for fixing them.
> Thank *you* for fixing them!
>
> ACK
>

Pushed to master: dd6645afa92d456b483747769cf72b2457113e21

From mbasti at redhat.com Thu Jun 16 06:58:36 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 08:58:36 +0200
Subject: [Freeipa-devel] [freeipa-devel][PATCH] Added missing translation to automount.py method
In-Reply-To: <576247A5.2060800@redhat.com>
References: <57611C1E.8090000@redhat.com> <25ad2f38-ede8-bcf9-b554-6b07803e2981@redhat.com> <576165A6.9050801@redhat.com> <576247A5.2060800@redhat.com>
Message-ID:

On 16.06.2016 08:31, Abhijeet Kasurde wrote:
> Hi All,
>
> Please review the updated patch.
>
> On 06/15/2016 07:56 PM, Abhijeet Kasurde wrote:
>>
>> On 06/15/2016 07:29 PM, Martin Basti wrote:
>>>
>>> On 15.06.2016 11:13, Abhijeet Kasurde wrote:
>>>> Hi All,
>>>>
>>>> Please review the attached patch.
>>>>
>>>> Fixes: https://fedorahosted.org/freeipa/ticket/5920
>>>>
>>>
>>> Thank you for the patch,
>>>
>>> Please follow this page for how to create internationalized strings:
>>> http://www.freeipa.org/page/Python_Coding_Style#Python_Internationalized_.28i18n.29_Strings
>>>
>>> You must use named substitution, because translators may need to know
>>> what should be there, or they may change the order of words
>>> depending on the translated language.
>>>
>>> Martin^2
>>
>> Thanks Martin for the suggestion. I will implement this in the current patch
>> and re-submit it for code review.
>>
>> --
>> Thanks,
>> Abhijeet Kasurde
>>
>> IRC: akasurde
>> http://akasurde.github.io
>
> --
> Thanks,
> Abhijeet Kasurde
>
> IRC: akasurde
> http://akasurde.github.io

Thank you!

ACK

Pushed to master: 6873ac5b0370562c314ada931416c110fc51c1b2

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dkupka at redhat.com Thu Jun 16 07:12:50 2016
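Martin's review point in the thread above (use named substitution in translatable strings because translators may reorder the words) is easiest to see with a translation that actually swaps the word order. The snippet below is an added example and not FreeIPA code: the messages, the catalogue dictionary standing in for a gettext catalogue, and the `_()` lookup are all constructed here, and the automount-flavoured wording (map, location) is only an illustration of the kind of message the patch touched. It also includes a small reviewer-side check that lists positional `%` conversions in a msgid, the thing a coding-style review would look for.

```python
"""Why translatable strings need named substitution (added example; the
messages and the catalogue are constructed here, not taken from FreeIPA).
A dict stands in for a gettext catalogue and _() looks a msgid up in it.
The translations swap the two placeholders, as real translations often do."""
import re

# Constructed catalogue: msgid -> "translation" that reorders the words.
CATALOG = {
    # named placeholders survive reordering
    "map %(map)s not found in location %(location)s":
        "location %(location)s has no map %(map)s",
    # positional placeholders are filled in call-site order regardless of
    # what the translator meant, so the result is silently wrong
    "map %s not found in location %s":
        "location %s has no map %s",
}


def _(msgid):
    """Minimal stand-in for the gettext-style lookup used in plugins."""
    return CATALOG.get(msgid, msgid)


def named_message(map_name, location):
    """Named substitution: each value lands where the translation put it."""
    return _("map %(map)s not found in location %(location)s") % {
        "map": map_name, "location": location}


def positional_message(map_name, location):
    """Positional substitution: values follow the call-site order, not the text."""
    return _("map %s not found in location %s") % (map_name, location)


# Reviewer's check: a % conversion not immediately followed by "(name)" is
# positional. Literal "%%" is removed first so it does not count.
POSITIONAL_RE = re.compile(r'%(?!\()[-#0 +]*\d*(?:\.\d+)?[diouxXeEfFgGcrs]')


def positional_placeholders(msgid):
    """Return the positional %-conversions found in a translatable string."""
    return POSITIONAL_RE.findall(msgid.replace('%%', ''))
```

With the constructed translation, `named_message("auto.home", "default")` yields "location default has no map auto.home", while `positional_message` with the same arguments yields "location auto.home has no map default", i.e. the map and the location have traded places without any error being raised.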
From: dkupka at redhat.com (David Kupka)
Date: Thu, 16 Jun 2016 09:12:50 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com>
Message-ID:

On 06/15/2016 08:15 PM, Petr Vobornik wrote:
> On 06/15/2016 02:36 PM, David Kupka wrote:
>> Hello!
>> Schema caching for thin client is available here:
>>
>> https://github.com/dkupka/freeipa/commits/schema_cache
>>
>> Comments and reviews welcome.
>>
>> Enjoy!
>
> Not doing a proper review. I'll test by using it. But:
>
> 1. lint fails
>
> Pylint is running, please wait ...
> ************* Module ipaclient.remote_plugins.schema_cache
> ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin), _refresh_schema] unicode built-in referenced)
> Makefile:137: recipe for target 'lint' failed
> make: *** [lint] Error 1
>
> I.e., you miss:
>
> import six
>
> if six.PY3:
>     unicode = str
>

Thanks for the catch, fixed version force-pushed.

--
David Kupka

From pspacek at redhat.com Thu Jun 16 07:19:25 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 09:19:25 +0200
Subject: [Freeipa-devel] [PATCH 0413-0416] Support fake_mname option in per-server configuration in LDAP
In-Reply-To: <98d386ec-9dbb-de60-cf5d-68902afd6812@redhat.com>
References: <4d3bdecd-9222-8040-58fa-87a6ad58af47@redhat.com> <98d386ec-9dbb-de60-cf5d-68902afd6812@redhat.com>
Message-ID:

On 13.6.2016 09:56, Petr Spacek wrote:
> On 11.6.2016 20:36, Petr Spacek wrote:
>> Hello,
>>
>> Support fake_mname option in per-server configuration in LDAP.
>>
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/162
>>
>> Patch set contains necessary infrastructure changes so the configuration is
>> read before zone loading starts.
>
> This version fixes a crash which could be triggered by a failure in the second
> syncrepl session.
>
> (I.e. config sync succeeded but data sync failed.)

This version fixes another crash, triggered by an empty set of zones in LDAP.

I've force-pushed this version to branch
https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4 .

--
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 16 07:20:03 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 09:20:03 +0200
Subject: [Freeipa-devel] [PATCH 0413-0416] Support fake_mname option in per-server configuration in LDAP
In-Reply-To:
References: <4d3bdecd-9222-8040-58fa-87a6ad58af47@redhat.com> <98d386ec-9dbb-de60-cf5d-68902afd6812@redhat.com>
Message-ID: <90c17c03-aa48-21e2-73c0-ab008c565902@redhat.com>

On 16.6.2016 09:19, Petr Spacek wrote:
> On 13.6.2016 09:56, Petr Spacek wrote:
>> On 11.6.2016 20:36, Petr Spacek wrote:
>>> Hello,
>>>
>>> Support fake_mname option in per-server configuration in LDAP.
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/162
>>>
>>> Patch set contains necessary infrastructure changes so the configuration is
>>> read before zone loading starts.
>>
>> This version fixes a crash which could be triggered by a failure in the second
>> syncrepl session.
>>
>> (I.e. config sync succeeded but data sync failed.)
>
> This version fixes another crash, triggered by an empty set of zones in LDAP.
>
> I've force-pushed this version to branch
> https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4 .

And here are the patches :-D

--
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0413-3-Do-not-log-connection-to-the-LDAP-server-was-lost-on.patch
Type: text/x-patch
Size: 1135 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0414-3-Refactor-LDAP-SyncRepl-connection-handling-to-make-i.patch
Type: text/x-patch
Size: 9257 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0415-3-Read-configuration-from-LDAP-first-to-guarantee-its-.patch
Type: text/x-patch
Size: 15427 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0416-3-Support-fake_mname-option-in-per-server-configuratio.patch
Type: text/x-patch
Size: 1914 bytes
Desc: not available
URL:

From slaznick at redhat.com Thu Jun 16 08:16:41 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 16 Jun 2016 10:16:41 +0200
Subject: [Freeipa-devel] [PATCH 0047] Fix uninitialized variables in replicainstall
Message-ID: <2ef0fd8b-dfb0-02eb-9a2c-b3fffd8c1c7e@redhat.com>

Hello,

There was a possible use of uninitialized variables in replicainstall.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0047-Fix-unitialized-variables-in-replicainstall.patch
Type: text/x-patch
Size: 1690 bytes
Desc: not available
URL:

From ofayans at redhat.com Thu Jun 16 08:29:02 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 16 Jun 2016 10:29:02 +0200
Subject: [Freeipa-devel] [Patch-0046] Increased certmonger timeout to address ticket N 5758
Message-ID: <5762634E.4090207@redhat.com>

With this change the certmonger timeout issue is no longer observed in abcd lab.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0046-Increased-certmonger-timeout.patch
Type: text/x-patch
Size: 964 bytes
Desc: not available
URL:

From tbordaz at redhat.com Thu Jun 16 08:47:28 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 16 Jun 2016 10:47:28 +0200
Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation
In-Reply-To:
References:
Message-ID: <576267A0.1080001@redhat.com>

On 06/16/2016 06:55 AM, Petr Spacek wrote:
> Hello,
>
> TL;DR version:
> Upgrade to 389-ds-base-1.3.5.6-1.fc24.
>
> I was facing weird filter/ACI evaluation with 389 DS
> 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is the full story (written before I
> realized that DS is the old one ...):
>
>
> Test
> ====
> First, let's try an LDAP search with an OR filter consisting of 5 components:
>
> [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
> [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
> [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND
> [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1
>
> It returns 1 entry - the idnsServerConfigObject object.

Hi Petr,

In fact it is difficult to justify and identify which fix fixes this issue (I suspect https://fedorahosted.org/389/ticket/48275 but it is not clear why it participates).

In 1.3.5.6-1, it returns 11 entries. How many of them are idnsServerConfigObject?

thanks
thierry

>
>
>
> Now let us re-try a shortened filter containing only 4 OR components. I would
> expect to get fewer entries but that is not the case:
>
> [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2
> [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES
> [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel"
> [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH base="cn=dns,dc=toplevel" scope=2 filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" attrs="objectClass"
> [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 nentries=11 etime=0
>
> Huh? Now we got 11 entries.
>
>
> When I do the first search as Directory Manager it returns all 12 matching
> entries (which is the expected number, at least according to my match-by-eye
> algorithm :-)).
>
>
> Schema
> ======
> idnsServerId attribute definition contains an equality specification:
> ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v4.4' )
>
>
> Indices
> =======
> The attribute itself is not indexed but that should not hurt I guess.
>
> Mere addition of an equality index to the attribute did not help.
>
> Reindexing using
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks
> did not help either.
>
>
>
> ACI
> ===
> Relevant ACIs are:
> (targetattr = "createtimestamp || entryusn || idnsforwarders || idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable || modifytimestamp || objectclass")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Read DNS Servers Configuration";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";)
>
> (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || idnssubstitutionvariable")(targetfilter = "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";)
>
>
> BIND DN
> krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel
> is member of
> cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel
> which is member of
> cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel
>
> so we should be all good.
>
>
>
> Now I was totally confused and was looking for a bug in bind-dyndb-ldap until I
> realized that DS is returning weird results... Upgrading to
> 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that.
>
> This would be a blocker for FreeIPA 4.4 because the old version totally breaks
> bind-dyndb-ldap.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Thu Jun 16 08:50:07 2016
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 16 Jun 2016 10:50:07 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: <576267A0.1080001@redhat.com> References: <576267A0.1080001@redhat.com> Message-ID: On 16.6.2016 10:47, thierry bordaz wrote: > On 06/16/2016 06:55 AM, Petr Spacek wrote: >> Hello, >> >> TL;DR version: >> Upgrade to 389-ds-base-1.3.5.6-1.fc24. >> >> I was facing weird filter/ACI evaluation with 389 DS >> 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I >> realized that DS is old one ...): >> >> >> Test >> ==== >> First, let's try LDAP search with OR filter consisting of 5 components: >> >> [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 >> nentries=0 etime=0 >> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >> >> [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH >> base="cn=dns,dc=toplevel" scope=2 >> filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >> >> attrs="objectClass" >> [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND >> [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 >> >> It returns 1 entry - the idnsServerConfigObject object. > Hi Petr, > > In fact it is difficult to justify and identify which fix fixes this issue (I > suspect https://fedorahosted.org/389/ticket/48275 but not clear why it > participates). > > in 1.3.5.6-1, it returns 11 entries. How many of them are > idnsServerConfigObject ? thanks theirry Exactly one. Petr^2 Spacek >> Now let us re-try shortened filter containing only 4 OR components. 
I would >> expect to get less entries but that is not the case: >> >> [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection >> from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2 >> [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES >> [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 >> nentries=0 etime=0, SASL bind in progress >> [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 >> nentries=0 etime=0, SASL bind in progress >> [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 >> nentries=0 etime=0 >> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >> >> [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH >> base="cn=dns,dc=toplevel" scope=2 >> filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >> >> attrs="objectClass" >> [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 >> nentries=11 etime=0 >> >> Huh? Now we got 11 entries. >> >> >> When I do the first search as Directory Manager it returns all 12 matching >> entries (which is expected number, at least according to my match-by-eye >> algorithm :-)). 
>> >> >> Schema >> ====== >> idnsServerId attribute definition contains an equality specification: >> ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' >> EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE >> X-ORIGIN 'IPA v4.4' ) >> >> >> Indices >> ======= >> The attribute itself is not indexed but that should not hurt I guess. >> >> Mere addition of equality index to the attribute did not help. >> >> Reindexing using >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks >> >> did not help either. >> >> >> >> ACI >> === >> Relevant ACIs are: >> (targetattr = "createtimestamp || entryusn || idnsforwarders || >> idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable >> || modifytimestamp || objectclass")(targetfilter = >> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >> Read DNS Servers Configuration";allow (compare,read,search) groupdn = >> "ldap:///cn=System: Read DNS Servers >> Configuration,cn=permissions,cn=pbac,dc=toplevel";) >> >> (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || >> idnssubstitutionvariable")(targetfilter = >> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >> Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: >> Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) >> >> >> BIND DN >> krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel >> >> is member of >> cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel >> which is member of >> cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel >> >> so we should be all good. >> >> >> >> Now was totally confused and was looking for a bug in bind-dyndb-ldap until I >> realized that DS is returning weird results... 
Upgrade to >> 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. >> >> This would be a blocker for FreeIPA 4.4 because the old version totally breaks >> bind-dyndb-ldap. From lkrispen at redhat.com Thu Jun 16 08:54:57 2016 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 16 Jun 2016 10:54:57 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: References: Message-ID: <57626961.9060104@redhat.com> On 06/16/2016 06:55 AM, Petr Spacek wrote: > Hello, > > TL;DR version: > Upgrade to 389-ds-base-1.3.5.6-1.fc24. > > I was facing weird filter/ACI evaluation with 389 DS > 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I > realized that DS is old one ...): > > > Test > ==== > First, let's try LDAP search with OR filter consisting of 5 components: > > [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" > [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH > base="cn=dns,dc=toplevel" scope=2 > filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" you don't have 5 OR components, you have only 2, the second one is an AND with 4 components, > attrs="objectClass" > [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 > nentries=1 etime=0 > [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND > [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 > > It returns 1 entry - the idnsServerConfigObject object. > > > > Now let us re-try shortened filter containing only 4 OR components. 
I would > expect to get less entries but that is not the case: > > [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection > from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2 > [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES > [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" > [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH > base="cn=dns,dc=toplevel" scope=2 > filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" > attrs="objectClass" > [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 > nentries=11 etime=0 > > Huh? Now we got 11 entries. > > > When I do the first search as Directory Manager it returns all 12 matching > entries (which is expected number, at least according to my match-by-eye > algorithm :-)). > > > Schema > ====== > idnsServerId attribute definition contains an equality specification: > ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' > EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE > X-ORIGIN 'IPA v4.4' ) > > > Indices > ======= > The attribute itself is not indexed but that should not hurt I guess. 
> > Mere addition of equality index to the attribute did not help. > > Reindexing using > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks > did not help either. > > > > ACI > === > Relevant ACIs are: > (targetattr = "createtimestamp || entryusn || idnsforwarders || > idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable > || modifytimestamp || objectclass")(targetfilter = > "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: > Read DNS Servers Configuration";allow (compare,read,search) groupdn = > "ldap:///cn=System: Read DNS Servers > Configuration,cn=permissions,cn=pbac,dc=toplevel";) > > (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || > idnssubstitutionvariable")(targetfilter = > "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: > Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: > Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) > > > BIND DN > krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel > is member of > cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel > which is member of > cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel > > so we should be all good. > > > > Now was totally confused and was looking for a bug in bind-dyndb-ldap until I > realized that DS is returning weird results... Upgrade to > 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. > > This would be a blocker for FreeIPA 4.4 because the old version totally breaks > bind-dyndb-ldap. > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From tbordaz at redhat.com Thu Jun 16 08:59:10 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 16 Jun 2016 10:59:10 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: References: <576267A0.1080001@redhat.com> Message-ID: <57626A5E.3040904@redhat.com> On 06/16/2016 10:50 AM, Petr Spacek wrote: > On 16.6.2016 10:47, thierry bordaz wrote: >> On 06/16/2016 06:55 AM, Petr Spacek wrote: >>> Hello, >>> >>> TL;DR version: >>> Upgrade to 389-ds-base-1.3.5.6-1.fc24. >>> >>> I was facing weird filter/ACI evaluation with 389 DS >>> 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I >>> realized that DS is old one ...): >>> >>> >>> Test >>> ==== >>> First, let's try LDAP search with OR filter consisting of 5 components: >>> >>> [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >>> >>> [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH >>> base="cn=dns,dc=toplevel" scope=2 >>> filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >>> >>> attrs="objectClass" >>> [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND >>> [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 >>> >>> It returns 1 entry - the idnsServerConfigObject object. >> Hi Petr, >> >> In fact it is difficult to justify and identify which fix fixes this issue (I >> suspect https://fedorahosted.org/389/ticket/48275 but not clear why it >> participates). >> >> in 1.3.5.6-1, it returns 11 entries. How many of them are >> idnsServerConfigObject ? thanks theirry > Exactly one. 
So "permission:System:Read DNS Servers Configuration" should grant read/search rights only for this one. There should be others ACI that grant you the access to the 10 others. You may turn on ACI logging ("nsslapd-errorlog-level: 262272") to identify which ACIs granted you this read/search access. thanks thierry > > Petr^2 Spacek > >>> Now let us re-try shortened filter containing only 4 OR components. I would >>> expect to get less entries but that is not the case: >>> >>> [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection >>> from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2 >>> [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES >>> [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 >>> nentries=0 etime=0, SASL bind in progress >>> [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 >>> nentries=0 etime=0, SASL bind in progress >>> [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >>> >>> [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH >>> base="cn=dns,dc=toplevel" scope=2 >>> filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >>> >>> attrs="objectClass" >>> [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 >>> nentries=11 etime=0 >>> >>> Huh? Now we got 11 entries. 
>>> >>> >>> When I do the first search as Directory Manager it returns all 12 matching >>> entries (which is expected number, at least according to my match-by-eye >>> algorithm :-)). >>> >>> >>> Schema >>> ====== >>> idnsServerId attribute definition contains an equality specification: >>> ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' >>> EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE >>> X-ORIGIN 'IPA v4.4' ) >>> >>> >>> Indices >>> ======= >>> The attribute itself is not indexed but that should not hurt I guess. >>> >>> Mere addition of equality index to the attribute did not help. >>> >>> Reindexing using >>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks >>> >>> did not help either. >>> >>> >>> >>> ACI >>> === >>> Relevant ACIs are: >>> (targetattr = "createtimestamp || entryusn || idnsforwarders || >>> idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable >>> || modifytimestamp || objectclass")(targetfilter = >>> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >>> Read DNS Servers Configuration";allow (compare,read,search) groupdn = >>> "ldap:///cn=System: Read DNS Servers >>> Configuration,cn=permissions,cn=pbac,dc=toplevel";) >>> >>> (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || >>> idnssubstitutionvariable")(targetfilter = >>> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >>> Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: >>> Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) >>> >>> >>> BIND DN >>> krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel >>> >>> is member of >>> cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel >>> which is member of >>> cn=System: Read DNS 
Servers Configuration,cn=permissions,cn=pbac,dc=toplevel >>> >>> so we should be all good. >>> >>> >>> >>> Now was totally confused and was looking for a bug in bind-dyndb-ldap until I >>> realized that DS is returning weird results... Upgrade to >>> 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. >>> >>> This would be a blocker for FreeIPA 4.4 because the old version totally breaks >>> bind-dyndb-ldap. From lkrispen at redhat.com Thu Jun 16 09:23:22 2016 
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 16 Jun 2016 11:23:22 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: References: Message-ID: <5762700A.7000302@redhat.com> On 06/16/2016 06:55 AM, Petr Spacek wrote: > Hello, > > TL;DR version: > Upgrade to 389-ds-base-1.3.5.6-1.fc24. > > I was facing weird filter/ACI evaluation with 389 DS > 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I > realized that DS is old one ...): > > > Test > ==== > First, let's try LDAP search with OR filter consisting of 5 components: > > [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" > [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH > base="cn=dns,dc=toplevel" scope=2 > filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" > attrs="objectClass" > [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 > nentries=1 etime=0 > [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND > [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 > > It returns 1 entry - the idnsServerConfigObject object. > > > > Now let us re-try shortened filter containing only 4 OR components. 
I would > expect to get less entries but that is not the case: > > [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection > from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2 > [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES > [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 > nentries=0 etime=0, SASL bind in progress > [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl > version=3 mech=GSSAPI > [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 > nentries=0 etime=0 > dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" > [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH > base="cn=dns,dc=toplevel" scope=2 > filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" > attrs="objectClass" > [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 > nentries=11 etime=0 > > Huh? Now we got 11 entries. > > > When I do the first search as Directory Manager it returns all 12 matching > entries (which is expected number, at least according to my match-by-eye > algorithm :-)). > > > Schema > ====== > idnsServerId attribute definition contains an equality specification: > ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' > EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE > X-ORIGIN 'IPA v4.4' ) > > > Indices > ======= > The attribute itself is not indexed but that should not hurt I guess. 
> > Mere addition of equality index to the attribute did not help. > > Reindexing using > https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks > did not help either. > > > > ACI > === > Relevant ACIs are: > (targetattr = "createtimestamp || entryusn || idnsforwarders || > idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable > || modifytimestamp || objectclass")(targetfilter = > "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: > Read DNS Servers Configuration";allow (compare,read,search) groupdn = > "ldap:///cn=System: Read DNS Servers > Configuration,cn=permissions,cn=pbac,dc=toplevel";) > > (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || > idnssubstitutionvariable")(targetfilter = > "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: > Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: > Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) > > > BIND DN > krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel > is member of > cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel > which is member of > cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel > > so we should be all good. > > > > Now was totally confused and was looking for a bug in bind-dyndb-ldap until I > realized that DS is returning weird results... Upgrade to > 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. I'm still not sure that I get your 5 and 4 OR filter searches, as in the example you provided there was also an AND involved, but there is a fix in 1.3.5.6. which makes a difference: 48275 Before we requested that in an OR filter the user has to have access to ALL attributes matched, so if you don't get results with 5 components, you could get results with 4. 
This was known, but much complained about. With the fix for 48275 we only request access to attributes contributing to the result set, components with attributes without access are ignored in building the result set. This could explain different behaviour of 1.3.5.4 and .6. If you still think there are inconsistencies in 1.3.5.6 I would like to check it > > This would be a blocker for FreeIPA 4.4 because the old version totally breaks > bind-dyndb-ldap. > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From lkrispen at redhat.com Thu Jun 16 09:34:20 2016
From: lkrispen at redhat.com (Ludwig Krispenz) Date: Thu, 16 Jun 2016 11:34:20 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: <5762700A.7000302@redhat.com> References: <5762700A.7000302@redhat.com> Message-ID: <5762729C.6060605@redhat.com> On 06/16/2016 11:23 AM, Ludwig Krispenz wrote: > > On 06/16/2016 06:55 AM, Petr Spacek wrote: >> Hello, >> >> TL;DR version: >> Upgrade to 389-ds-base-1.3.5.6-1.fc24. >> >> I was facing weird filter/ACI evaluation with 389 DS >> 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I >> realized that DS is old one ...): >> >> >> Test >> ==== >> First, let's try LDAP search with OR filter consisting of 5 components: >> >> [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 >> nentries=0 etime=0 >> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >> >> [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH >> base="cn=dns,dc=toplevel" scope=2 >> filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >> >> attrs="objectClass" >> [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 >> tag=101 >> nentries=1 etime=0 >> [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND >> [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 >> >> It returns 1 entry - the idnsServerConfigObject object. >> >> >> >> Now let us re-try shortened filter containing only 4 OR components. 
I >> would >> expect to get less entries but that is not the case: >> >> [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL >> connection >> from 2620:52:0:224e:21a:4aff:fe23:12d2 to >> 2620:52:0:224e:21a:4aff:fe23:12d2 >> [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES >> [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" >> method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 >> tag=97 >> nentries=0 etime=0, SASL bind in progress >> [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" >> method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 >> tag=97 >> nentries=0 etime=0, SASL bind in progress >> [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" >> method=sasl >> version=3 mech=GSSAPI >> [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 >> nentries=0 etime=0 >> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >> >> [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH >> base="cn=dns,dc=toplevel" scope=2 >> filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >> >> attrs="objectClass" >> [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 >> tag=101 >> nentries=11 etime=0 >> >> Huh? Now we got 11 entries. >> >> >> When I do the first search as Directory Manager it returns all 12 >> matching >> entries (which is expected number, at least according to my match-by-eye >> algorithm :-)). 
>> >> >> Schema >> ====== >> idnsServerId attribute definition contains an equality specification: >> ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server >> identifier' >> EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 >> SINGLE-VALUE >> X-ORIGIN 'IPA v4.4' ) >> >> >> Indices >> ======= >> The attribute itself is not indexed but that should not hurt I guess. >> >> Mere addition of equality index to the attribute did not help. >> >> Reindexing using >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks >> >> did not help either. >> >> >> >> ACI >> === >> Relevant ACIs are: >> (targetattr = "createtimestamp || entryusn || idnsforwarders || >> idnsforwardpolicy || idnsserverid || idnssoamname || >> idnssubstitutionvariable >> || modifytimestamp || objectclass")(targetfilter = >> "(objectclass=idnsServerConfigObject)")(version 3.0;acl >> "permission:System: >> Read DNS Servers Configuration";allow (compare,read,search) groupdn = >> "ldap:///cn=System: Read DNS Servers >> Configuration,cn=permissions,cn=pbac,dc=toplevel";) >> >> (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || >> idnssubstitutionvariable")(targetfilter = >> "(objectclass=idnsServerConfigObject)")(version 3.0;acl >> "permission:System: >> Modify DNS Servers Configuration";allow (write) groupdn = >> "ldap:///cn=System: >> Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) >> >> >> BIND DN >> krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel >> >> is member of >> cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel >> which is member of >> cn=System: Read DNS Servers >> Configuration,cn=permissions,cn=pbac,dc=toplevel >> >> so we should be all good. 
>> >> >> >> Now was totally confused and was looking for a bug in bind-dyndb-ldap >> until I >> realized that DS is returning weird results... Upgrade to >> 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. > I'm still not sure that I get your 5 and 4 OR filter searches, as in > the example you provided there was also an AND involved, but there is > a fix in 1.3.5.6. which makes a difference: 48275 sorry, I now got it, I missed a closing ")" for the AND :-( but I think now it makes sense: for the first search, access to the idnsServerId attribute is only granted to the idnsServerConfigObject object and only this is returned because for the other entries with other objectclasses we don't have access to it and we did require it. With the fix (rfe) this is handled in a more client-friendly way > > Before we requested that in an OR filter the user has to have access > to ALL attributes matched, so if you don't get results with 5 > components, you could get results with 4. This was known, but much > complained about. With the fix for 48275 we only request access to > attributes contributing to the result set, components with attributes > without access are ignored in building the result set. > This could explain different behaviour of 1.3.5.4 and .6 > If you still think there are inconsistencies in 1.3.5.6 I would like > to check it >> >> This would be a blocker for FreeIPA 4.4 because the old version >> totally breaks >> bind-dyndb-ldap. >> > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
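The evaluation rule Ludwig describes in the two messages above (before 48275: the client needs search rights, per entry, on every attribute named anywhere in the filter; after 48275: components on attributes the client cannot search simply do not contribute) is easy to misread, so here is an added, runnable model of it. This is illustration code written for this archive page, not 389 DS or FreeIPA code. The directory under cn=dns,dc=toplevel is constructed (12 entries with made-up DNs; the server config object sits under an assumed cn=servers container). The first ACI is the "System: Read DNS Servers Configuration" ACI quoted in the thread; the second is an assumed stand-in for the FreeIPA ACIs that let a DNS server read zones and records; the bound identity is assumed to satisfy the groupdn of both. Treating an inaccessible component as the three-valued RFC 4511 "Undefined" is a modelling choice for the post-fix rule, not a description of 389 DS internals. On this data the pre-fix rule reproduces the thread's pattern, 1 entry for the full filter and 11 for the shortened one; the post-fix rule returns 12, whereas the thread reports 11 under 1.3.5.6, the difference being ACIs on the real server that the thread does not show.

```python
"""Model of how 389 DS applies ACIs while evaluating a search filter, before and
after ticket 48275.  Added illustration for this thread, not 389 DS or FreeIPA
code: entries, DNs, the second ACI and group memberships are constructed."""
import re

UNDEF = None  # RFC 4511 "Undefined": an entry with this result is never returned


def parse_filter(s):
    """RFC 4515 parser limited to &, |, ! and equality components."""
    node, rest = _parse(s.strip())
    if rest:
        raise ValueError(f"trailing data: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if s[:1] in ("&", "|", "!"):  # compound: (op child child ...)
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")") or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad compound near {s!r}")
        return (op, kids), s[1:]
    m = re.match(r"([A-Za-z0-9.;-]+)=([^)]*)\)", s)  # attr=value), lowercased
    if not m:
        raise ValueError(f"bad component at {s!r}")
    return ("=", m.group(1).lower(), m.group(2).lower()), s[m.end():]


def filter_attrs(node):
    """Attribute types named anywhere in the filter."""
    return {node[1]} if node[0] == "=" else set().union(*map(filter_attrs, node[1]))


def evaluate(entry, node, can_search=None):
    """Three-valued evaluation; with can_search, a component on an attribute the
    client may not search is UNDEF (no match, and no match through (!...) either)."""
    op = node[0]
    if op == "=":
        if can_search is not None and not can_search(entry, node[1]):
            return UNDEF
        return node[2] in entry.get(node[1], set())
    res = [evaluate(entry, k, can_search) for k in node[1]]
    if op == "!":
        return UNDEF if res[0] is UNDEF else not res[0]
    if op == "&":
        return False if False in res else (UNDEF if UNDEF in res else True)
    return True if True in res else (UNDEF if UNDEF in res else False)


def grants_search(entry, attr, acis):
    """Some ACI (each assumed to name a group the client is in) lists attr and
    has a targetfilter that matches the entry."""
    return any(attr in a["targetattr"] and evaluate(entry, parse_filter(a["targetfilter"])) is True
               for a in acis)


def search(entries, filt, acis=None, legacy=False):
    """DNs returned.  acis=None: Directory Manager, no ACI check.  legacy=True: the
    pre-48275 rule (search rights needed on every attribute the filter names, per
    entry).  legacy=False: the 48275 rule (unsearchable components are UNDEF)."""
    node, dns = parse_filter(filt), []
    for e in entries:
        if acis is None:
            ok = evaluate(e, node) is True
        elif legacy:
            ok = evaluate(e, node) is True and all(grants_search(e, a, acis) for a in filter_attrs(node))
        else:
            ok = evaluate(e, node, lambda ent, a: grants_search(ent, a, acis)) is True
        if ok:
            dns.append(e["dn"])
    return dns


def entry(dn, oc, **attrs):  # values lowercased: caseIgnoreMatch, as in the schema
    return {"dn": dn, "objectclass": {oc.lower()}, **{k.lower(): {v.lower()} for k, v in attrs.items()}}


SERVER = "vm-046.abc.idm.lab.eng.brq.redhat.com"
ENTRIES = [entry("cn=dns,dc=toplevel", "idnsConfigObject"),  # constructed, 12 entries in total
           entry(f"idnsServerId={SERVER},cn=servers,cn=dns,dc=toplevel", "idnsServerConfigObject",
                 idnsServerId=SERVER),
           entry("idnsname=example.test.,cn=dns,dc=toplevel", "idnsZone"),
           entry("idnsname=10.in-addr.arpa.,cn=dns,dc=toplevel", "idnsZone"),
           entry("idnsname=corp.test.,cn=dns,dc=toplevel", "idnsForwardZone")] + [
           entry(f"idnsname=host{i},idnsname=example.test.,cn=dns,dc=toplevel", "idnsRecord")
           for i in range(7)]
ACIS = [  # the thread's "System: Read DNS Servers Configuration" ACI ...
    {"targetfilter": "(objectclass=idnsServerConfigObject)",
     "targetattr": {"createtimestamp", "entryusn", "idnsforwarders", "idnsforwardpolicy", "idnsserverid",
                    "idnssoamname", "idnssubstitutionvariable", "modifytimestamp", "objectclass"}},
    # ... plus an assumed stand-in for the other FreeIPA ACIs that let a DNS server
    # read zones and records (shape assumed, not copied from FreeIPA)
    {"targetfilter": "(|(objectclass=idnsConfigObject)(objectclass=idnsZone)"
                     "(objectclass=idnsForwardZone)(objectclass=idnsRecord))",
     "targetattr": {"objectclass", "idnsname"}}]
FULL = ("(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)"
        f"(idnsServerId={SERVER}))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))")
SHORT = "(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))"


def demo():
    """Entry counts for the thread's two searches under each evaluation rule."""
    return {"dirman full": len(search(ENTRIES, FULL)),
            "1.3.5.4 full": len(search(ENTRIES, FULL, ACIS, legacy=True)),
            "1.3.5.4 short": len(search(ENTRIES, SHORT, ACIS, legacy=True)),
            "1.3.5.6 full": len(search(ENTRIES, FULL, ACIS))}
```

demo() returns the four counts (12, 1, 11, 12 on this data). The Undefined treatment matters for negation: a shortcut that treated an inaccessible component as plain false would make (!(idnsServerId=...)) match every entry the client may not inspect, i.e. return entries through a filter component the client has no right to evaluate, while with Undefined such a search returns none of them.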
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 16 Jun 2016 11:47:32 +0200 Subject: [Freeipa-devel] beware of 389-ds-base-1.3.5.4-1.fc24.x86_64: weird filter/ACI evaluation In-Reply-To: <5762729C.6060605@redhat.com> References: <5762700A.7000302@redhat.com> <5762729C.6060605@redhat.com> Message-ID: <15087250-2bd1-29e8-8416-b7bf70921d20@redhat.com> On 16.6.2016 11:34, Ludwig Krispenz wrote: > > On 06/16/2016 11:23 AM, Ludwig Krispenz wrote: >> >> On 06/16/2016 06:55 AM, Petr Spacek wrote: >>> Hello, >>> >>> TL;DR version: >>> Upgrade to 389-ds-base-1.3.5.6-1.fc24. >>> >>> I was facing weird filter/ACI evaluation with 389 DS >>> 389-ds-base-1.3.5.4-1.fc24.x86_64. Here is full story (written before I >>> realized that DS is old one ...): >>> >>> >>> Test >>> ==== >>> First, let's try LDAP search with OR filter consisting of 5 components: >>> >>> [16/Jun/2016:06:05:18.145159021 +0200] conn=119 op=2 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >>> >>> [16/Jun/2016:06:05:18.145920002 +0200] conn=119 op=3 SRCH >>> base="cn=dns,dc=toplevel" scope=2 >>> filter="(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >>> >>> attrs="objectClass" >>> [16/Jun/2016:06:05:18.149821586 +0200] conn=119 op=3 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [16/Jun/2016:06:05:18.150433307 +0200] conn=119 op=4 UNBIND >>> [16/Jun/2016:06:05:18.150459102 +0200] conn=119 op=4 fd=108 closed - U1 >>> >>> It returns 1 entry - the idnsServerConfigObject object. >>> >>> >>> >>> Now let us re-try shortened filter containing only 4 OR components. 
I would >>> expect to get less entries but that is not the case: >>> >>> [16/Jun/2016:06:05:21.007494823 +0200] conn=120 fd=108 slot=108 SSL connection >>> from 2620:52:0:224e:21a:4aff:fe23:12d2 to 2620:52:0:224e:21a:4aff:fe23:12d2 >>> [16/Jun/2016:06:05:21.022115576 +0200] conn=120 TLS1.2 128-bit AES >>> [16/Jun/2016:06:05:21.029902095 +0200] conn=120 op=0 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.042047525 +0200] conn=120 op=0 RESULT err=14 tag=97 >>> nentries=0 etime=0, SASL bind in progress >>> [16/Jun/2016:06:05:21.043007851 +0200] conn=120 op=1 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.044811757 +0200] conn=120 op=1 RESULT err=14 tag=97 >>> nentries=0 etime=0, SASL bind in progress >>> [16/Jun/2016:06:05:21.045183711 +0200] conn=120 op=2 BIND dn="" method=sasl >>> version=3 mech=GSSAPI >>> [16/Jun/2016:06:05:21.046395695 +0200] conn=120 op=2 RESULT err=0 tag=97 >>> nentries=0 etime=0 >>> dn="krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel" >>> >>> [16/Jun/2016:06:05:21.046947437 +0200] conn=120 op=3 SRCH >>> base="cn=dns,dc=toplevel" scope=2 >>> filter="(|(objectClass=idnsConfigObject)(objectClass=idnsZone)(objectClass=idnsForwardZone)(objectClass=idnsRecord))" >>> >>> attrs="objectClass" >>> [16/Jun/2016:06:05:21.052008250 +0200] conn=120 op=3 RESULT err=0 tag=101 >>> nentries=11 etime=0 >>> >>> Huh? Now we got 11 entries. >>> >>> >>> When I do the first search as Directory Manager it returns all 12 matching >>> entries (which is expected number, at least according to my match-by-eye >>> algorithm :-)). 
>>> >>> >>> Schema >>> ====== >>> idnsServerId attribute definition contains an equality specification: >>> ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' >>> EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE >>> X-ORIGIN 'IPA v4.4' ) >>> >>> >>> Indices >>> ======= >>> The attribute itself is not indexed but that should not hurt I guess. >>> >>> Mere addition of equality index to the attribute did not help. >>> >>> Reindexing using >>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/applying-indexes.html#index-cn-tasks >>> >>> did not help either. >>> >>> >>> >>> ACI >>> === >>> Relevant ACIs are: >>> (targetattr = "createtimestamp || entryusn || idnsforwarders || >>> idnsforwardpolicy || idnsserverid || idnssoamname || idnssubstitutionvariable >>> || modifytimestamp || objectclass")(targetfilter = >>> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >>> Read DNS Servers Configuration";allow (compare,read,search) groupdn = >>> "ldap:///cn=System: Read DNS Servers >>> Configuration,cn=permissions,cn=pbac,dc=toplevel";) >>> >>> (targetattr = "idnsforwarders || idnsforwardpolicy || idnssoamname || >>> idnssubstitutionvariable")(targetfilter = >>> "(objectclass=idnsServerConfigObject)")(version 3.0;acl "permission:System: >>> Modify DNS Servers Configuration";allow (write) groupdn = "ldap:///cn=System: >>> Modify DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel";) >>> >>> >>> BIND DN >>> krbprincipalname=dns/vm-046.abc.idm.lab.eng.brq.redhat.com at dom-046.abc.idm.lab.eng.brq.redhat.com,cn=services,cn=accounts,dc=toplevel >>> >>> is member of >>> cn=DNS Servers,cn=privileges,cn=pbac,dc=toplevel >>> which is member of >>> cn=System: Read DNS Servers Configuration,cn=permissions,cn=pbac,dc=toplevel >>> >>> so we should be all good. 
>>> >>> >>> >>> Now was totally confused and was looking for a bug in bind-dyndb-ldap until I >>> realized that DS is returning weird results... Upgrade to >>> 389-ds-base-1.3.5.6-1.fc24.x86_64 fixed that. >> I'm still not sure that I get your 5 and 4 OR filter searches, as in the >> example you provided there was also an AND involved, but there is a fix in >> 1.3.5.6. which makes a difference: 48275 > sorry, I now got it, I missed a closing ")" for teh AND :-( > > but I think now it makes sense: for the first search, access to the > idnsServerId attribute is only granted to the idnsServerConfigObject object > and only this is returned because for teh other entries with other > objectclasses we don't have access to it and we did require it. > With the fix (rfe) this is handled more client friendly Okay, so we need to bump Requries: in FreeIPA to newer DS to make sure it actually works. I will send a patch. Thank you for your time guys! Petr^2 Spacek >> >> Before we requested that in an OR filter the user has to have access to ALL >> attributes matched, so if you don't get results with 5 components, you could >> get results with 4. This was known, but much complained about. With the fix >> for 48275 we only request access to attributes contributing to the result >> set, components with attributes without access are ignored in bulding the >> result set. >> This could explain different behaviour of 1.3.5.4 and .6 >> If you still think there are inconsistencies in 1.3.5.6 I would like to >> check it >>> >>> This would be a blocker for FreeIPA 4.4 because the old version totally breaks >>> bind-dyndb-ldap. From pspacek at redhat.com Thu Jun 16 10:00:23 2016 
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 12:00:23 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6

Hello,

Require 389-ds-base >= 1.3.5.6

Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html

https://fedorahosted.org/freeipa/ticket/2008

--
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0133-Require-389-ds-base-1.3.5.6.patch Type: text/x-patch Size: 1697 bytes

From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 16 Jun 2016 12:06:23 +0200
Subject: [Freeipa-devel] [PATCH] 0056 webui: Counterpart of dnsserver-{find, show, mod}
Message-ID: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>

Hello,

please review the attached patch.

https://fedorahosted.org/freeipa/ticket/5905

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0056-DNS-Servers-Web-UI-part.patch Type: text/x-patch Size: 3968 bytes

From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 16 Jun 2016 12:09:11 +0200
Subject: [Freeipa-devel] [PATCH] 0056 webui: Counterpart of dnsserver-{find, show, mod}
In-Reply-To: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>
References: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>

On 06/16/2016 12:06 PM, Pavel Vomacka wrote:
> Hello,
>
> please review the attached patch.
>
> https://fedorahosted.org/freeipa/ticket/5905
>
Fixed commit message

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0056-2-DNS-Servers-Web-UI-part.patch Type: text/x-patch Size: 3899 bytes

From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 16 Jun 2016 12:12:23 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
Message-ID: <57627B87.1090501@redhat.com>

On 06/16/2016 12:00 PM, Petr Spacek wrote:
> Hello,
>
> Require 389-ds-base >= 1.3.5.6
>
> Old DS handles LDAP filters incorrectly
no. Old DS handles filters strictly as documented in the admin guide,
requiring access rights to each attribute used in the search filter. This was
known and applications had to adapt, in your case there would have had to be
two searches, one with the (&()()) filter and one with (|()()()()).

This was improved in the latest version and components without access are
ignored in filter evaluation to avoid the problems you did run into.

otherwise your fix is ok

Ludwig
> and breaks bind-dyndb-ldap.
> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>
> https://fedorahosted.org/freeipa/ticket/2008
>
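The two evaluation policies Ludwig describes, as an added simulation in Python (not 389-ds-base or FreeIPA code): the entries, the per-attribute ACI model and the resulting counts are constructed to mirror the searches quoted earlier in this thread, and the filters are the ones from the access log.

```python
# Added example, not 389-ds-base code: simulate ACI-aware LDAP filter
# evaluation before and after the 48275 change discussed in this thread.

# Filters copied from the access log quoted in the thread.
FILTER_5 = ("(|(objectClass=idnsConfigObject)"
            "(&(objectClass=idnsServerConfigObject)"
            "(idnsServerId=vm-046.abc.idm.lab.eng.brq.redhat.com))"
            "(objectClass=idnsZone)(objectClass=idnsForwardZone)"
            "(objectClass=idnsRecord))")
FILTER_4 = ("(|(objectClass=idnsConfigObject)(objectClass=idnsZone)"
            "(objectClass=idnsForwardZone)(objectClass=idnsRecord))")

# Constructed sample tree: 12 entries under cn=dns, the number the thread
# reports for a Directory Manager search. Values are lower-cased because
# the attributes involved use caseIgnoreMatch.
ENTRIES = (
    [{"objectclass": {"idnsserverconfigobject"},
      "idnsserverid": {"vm-046.abc.idm.lab.eng.brq.redhat.com"}}]
    + [{"objectclass": {"idnsconfigobject"}}]
    + [{"objectclass": {"idnszone", "idnsrecord"}} for _ in range(2)]
    + [{"objectclass": {"idnsforwardzone"}}]
    + [{"objectclass": {"idnsrecord"}} for _ in range(7)]
)


def dns_principal_can_read(entry, attr):
    """Constructed ACI model for the dns/... service principal: objectClass
    is readable everywhere, idnsServerId only on the server config object
    (the 'Read DNS Servers Configuration' ACI quoted in the thread)."""
    if attr == "objectclass":
        return True
    if attr == "idnsserverid":
        return "idnsserverconfigobject" in entry["objectclass"]
    return False


def parse_filter(text):
    """Minimal RFC 4515 parser for the subset used here: equality, & and |.
    Returns ("eq", attr, value) or (op, [children]), op in {"and", "or"}."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = "and" if text[pos] == "&" else "or"
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("eq", attr.lower(), value.lower())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def filter_attrs(node):
    """All attribute types referenced anywhere in the filter."""
    if node[0] == "eq":
        return {node[1]}
    return set().union(*(filter_attrs(child) for child in node[1]))


def evaluate(node, entry, can_read):
    """New behaviour (1.3.5.6, ticket 48275): a component whose attribute the
    bound user cannot read simply does not match; other OR branches still can."""
    if node[0] == "eq":
        _, attr, value = node
        return can_read(entry, attr) and value in entry.get(attr, set())
    results = [evaluate(child, entry, can_read) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)


def search(filter_text, entries, can_read, strict):
    """Return how many entries the search returns.

    strict=True models 389-ds-base < 1.3.5.6: per entry, the bound user needs
    read access to every attribute used in the filter or the entry is hidden,
    even if an accessible OR branch matched it."""
    tree = parse_filter(filter_text)
    needed = filter_attrs(tree)
    hits = 0
    for entry in entries:
        if strict and not all(can_read(entry, a) for a in needed):
            continue
        if evaluate(tree, entry, can_read):
            hits += 1
    return hits


if __name__ == "__main__":
    for name, f in (("5 components", FILTER_5), ("4 components", FILTER_4)):
        print(name, "old DS:", search(f, ENTRIES, dns_principal_can_read, True),
              "new DS:", search(f, ENTRIES, dns_principal_can_read, False),
              "Directory Manager:", search(f, ENTRIES, lambda e, a: True, True))
```

With the constructed tree the old policy yields 1 entry for the 5-component filter and 11 for the 4-component one, while the new policy and Directory Manager both yield 12, which is the pattern Petr observed.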
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 12:09:40 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations
In-Reply-To: <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com>
Message-ID: <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com>

On 15.6.2016 17:24, Petr Spacek wrote:
> On 15.6.2016 15:45, Martin Basti wrote:
>>
>> On 15.06.2016 14:52, Martin Basti wrote:
>>>
>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>> commands attached
>>>
>>> Updated+rebased patches after Honza's interactive review
>>>
>> Minor nitpick fixed
>>
> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
> ACK
>
> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
> ACK
>
> I will get to the rest later on.

Problems I found (could be solved in separate patches if you wish):

1. NACK
# ipa dns-update-system-records --dry-run
ipa: ERROR: an internal error has occurred
ValueError: dns_update_system_records.validate_output(): unexpected keys
['summary'] in { ...

2. NACK
Command ipa dns-update-system-records does not work with the DNS Administrators
privilege when some record is missing:

ipa: WARNING: Update of system record
'_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 100 464
vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
access: Insufficient 'write' privilege to the 'objectClass' attribute of entry
'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.

3. NACK
IPA server upgrade does not create idnsServerConfigObjects in cn=dns
In fact the upgrade does not even add the object class into the schema.

These need to be fixed before we can proceed.

--
Petr^2 Spacek

From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 12:14:27 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
In-Reply-To: <57627B87.1090501@redhat.com>
References: <57627B87.1090501@redhat.com>
Message-ID: <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com>

On 16.6.2016 12:12, Ludwig Krispenz wrote:
>
> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>> Hello,
>>
>> Require 389-ds-base >= 1.3.5.6
>>
>> Old DS handles LDAP filters incorrectly
> no. Old DS handles filters strictly as documented in the admin guide,
> requiring access rights to each attribute used in the search filter. This was
> known and applications had to adapt, in your case there would have had to be
> two searches, one with the (&()()) filter and one with (|()()()()).

You know, it is quite hard to adapt when your application relies on one SyncRepl
session ...

Anyway, feel free to send a patch with a rephrased commit message if you wish, I'm
okay with superseding my patch with yours.

Petr^2 Spacek

> This was improved in the latest version and components without access are
> ignored in filter evaluation to avoid the problems you did run into.
>
> otherwise your fix is ok
>
> Ludwig
>> and breaks bind-dyndb-ldap.
>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>
>> https://fedorahosted.org/freeipa/ticket/2008
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 16 Jun 2016 12:21:28 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
In-Reply-To: <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com>
References: <57627B87.1090501@redhat.com> <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com>
Message-ID: <57627DA8.1060100@redhat.com>

On 06/16/2016 12:14 PM, Petr Spacek wrote:
> On 16.6.2016 12:12, Ludwig Krispenz wrote:
>> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Require 389-ds-base >= 1.3.5.6
>>>
>>> Old DS handles LDAP filters incorrectly
>> no. Old DS handles filters strictly as documented in the admin guide,
>> requiring access rights to each attribute used in the search filter. This was
>> known and applications had to adapt, in your case there would have had to be
>> two searches, one with the (&()()) filter and one with (|()()()()).
> You know, it is quite hard to adapt when your application relies on one SyncRepl
> session ...
>
> Anyway, feel free to send a patch with a rephrased commit message if you wish, I'm
> okay with superseding my patch with yours.
no, it's fine, only sometimes I need to defend DS a bit
>
> Petr^2 Spacek
>
>> This was improved in the latest version and components without access are
>> ignored in filter evaluation to avoid the problems you did run into.
>>
>> otherwise your fix is ok
>>
>> Ludwig
>>> and breaks bind-dyndb-ldap.
>>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>>
>>> https://fedorahosted.org/freeipa/ticket/2008

From: tbordaz at redhat.com (thierry bordaz)
Date: Thu, 16 Jun 2016 12:18:50 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
In-Reply-To: <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com>
References: <57627B87.1090501@redhat.com> <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com>
Message-ID: <57627D0A.3040901@redhat.com>

On 06/16/2016 12:14 PM, Petr Spacek wrote:
> On 16.6.2016 12:12, Ludwig Krispenz wrote:
>> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Require 389-ds-base >= 1.3.5.6
>>>
>>> Old DS handles LDAP filters incorrectly
>> no. Old DS handles filters strictly as documented in the admin guide,
>> requiring access rights to each attribute used in the search filter. This was
>> known and applications had to adapt, in your case there would have had to be
>> two searches, one with the (&()()) filter and one with (|()()()()).
> You know, it is quite hard to adapt when your application relies on one SyncRepl
> session ...
>
> Anyway, feel free to send a patch with a rephrased commit message if you wish, I'm
> okay with superseding my patch with yours.
Note that https://fedorahosted.org/freeipa/ticket/5944 (patch 0019 still
under review) has the same requirement on DS >=1.3.5.5. So the requirement
>=1.3.5.6 makes me happy.

thanks
thierry
>
> Petr^2 Spacek
>
>> This was improved in the latest version and components without access are
>> ignored in filter evaluation to avoid the problems you did run into.
>>
>> otherwise your fix is ok
>>
>> Ludwig
>>> and breaks bind-dyndb-ldap.
>>> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>>
>>> https://fedorahosted.org/freeipa/ticket/2008
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 12:45:17 +0200
Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del
In-Reply-To: <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com>
References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com>
Message-ID: <4462a7b3-bcad-c063-6527-732d785bcf2a@redhat.com>

On 15.06.2016 15:29, Martin Babinsky wrote:
> On 06/15/2016 10:30 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 12.6.2016 17:31, Martin Babinsky wrote:
>>> On 06/09/2016 08:12 PM, Martin Babinsky wrote:
>>>> These patches expand `server_del` to a full fledged IPA master
>>>> killer in domain level 1.
>>>>
>>>> Due to the 'server uninstallation removed master from topology' use case,
>>>> the individual steps are not in the same order as in the original code
>>>> to facilitate self-removal from topology without introducing an
>>>> array of permissions for a master to remove itself.
>>>>
>>>> I had no opportunity to test out the CI test suite because of
>>>> technical problems so it would be nice if our upstream QE could give it a
>>>> spin and report errors.
>>>>
>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>
>>> Attaching rebased patches and bumping for review.
>>>
>>> Please note that they depend on the 'Server Roles v2' patchset.
>>
>> Patch 0153:
>>
>> Should be an ipaserver module, unless it is required on clients as well,
>> in which case it should be an ipalib module.
>>
>>
>> Patch 0154: LGTM
>>
>>
>> Patch 0155:
>>
>> In LDAPDelete subclasses, the primary key argument is multivalue, so I'm
>> guessing your post_callback won't work correctly.
>>
>> Also, since this is *server*-del, s/master/server/ where applicable.
>>
>>
>> Patch 0156: LGTM
>>
>>
>> Patch 0157:
>>
>> This looks suspicious:
>>
>> +        result = server_del_cmd(hostname, version=api_version, **options)
>>
>> Version is automatically filled in in Command.__call__(), why do you add
>> it manually here?
>>
>>
>> Patch 0158: LGTM
>>
>>
>> Honza
>>
>
> Attaching updated patches.
>

Hello, I have a few comments:

1)
you reused ID numbers for your messages

+class ServerRemovalInfo(PublicMessage):
...
+    errno = 13020

+class ServerRemovalWarning(PublicMessage):
...
+    errno = 13021

class FailedToRemoveHostDNSRecords(PublicMessage):
...
    errno = 13020

class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
...
    errno = 13021

2)
+    def _check_topology_connectivity(self, topology_connectivity, master_cn):
+        try:
+            topology_connectivity.check_current_state()
+        except ValueError as e:
+            raise errors.ServerRemovalError(reason=_(str(e)))
+
+        try:
+            topology_connectivity.check_state_after_removal(master_cn)
+        except ValueError as e:
+            raise errors.ServerRemovalError(reason=_(str(e)))

* _(str(e)): gettext cannot be used this way
* str(e): you don't need to convert the exception to a string, this is done
automatically in the exception

3)
gettext again

+            self.add_message(
+                messages.ServerRemovalWarning(
+                    message=_(msg)
+                )
+            )

4)
+                messages.ServerRemovalWarning(
+                    message=_("Failed to clean memberPrincipal {principal}"
+                              " from s4u2proxy entry {dn}: {err}".format(
+                                  principal=member_principal,
+                                  dn=dn,
+                                  err=e))))

+                messages.ServerRemovalWarning(
+                    message=_("Failed to clean up DNA hostname entries for "
+                              "{master}: {err}".format(
+                                  master=master, err=e))))

several more times

I'm not sure if this will work, for safety I would prefer to change it to
dictionary substitution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668226

It looks like it was fixed in gettext 18.3, some distributions still have
the older one

I have to test more how gettext works with the new python format strings

5)
+    def interactive_prompt_callback(self, kw):
+        self.api.Backend.textui.print_plain(
+            _("Removing {server} from replication topology, "
+              "please wait...".format(server=', '.join(kw['cn']))))

Will this work? IMO this should be on the client side

From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 13:38:01 +0200
Subject: [Freeipa-devel] [PATCH] 0056 webui: Counterpart of dnsserver-{find, show, mod}
References: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>

On 16.6.2016 12:09, Pavel Vomacka wrote:
>
>
> On 06/16/2016 12:06 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> please review the attached patch.
>>
>> https://fedorahosted.org/freeipa/ticket/5905
>>
> Fixed commit message

LGTM from the user's perspective but I did not review the code.

--
Petr^2 Spacek
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 13:57:02 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations
In-Reply-To: <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com>
Message-ID: <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com>

On 16.06.2016 12:09, Petr Spacek wrote:
> On 15.6.2016 17:24, Petr Spacek wrote:
>> On 15.6.2016 15:45, Martin Basti wrote:
>>>
>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>
>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>> commands attached
>>>>
>>>> Updated+rebased patches after Honza's interactive review
>>>>
>>> Minor nitpick fixed
>>>
>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>> ACK
>>
>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>> ACK
>>
>> I will get to the rest later on.
>
> Problems I found (could be solved in separate patches if you wish):
>
> 1. NACK
> # ipa dns-update-system-records --dry-run
> ipa: ERROR: an internal error has occurred
> ValueError: dns_update_system_records.validate_output(): unexpected keys
> ['summary'] in { ...
Fixed
>
> 2. NACK
> Command ipa dns-update-system-records does not work with the DNS Administrators
> privilege when some record is missing:
>
> ipa: WARNING: Update of system record
> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 100 464
> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
> access: Insufficient 'write' privilege to the 'objectClass' attribute of entry
> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
Fixed (I hope)
> 3. NACK
> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
> In fact the upgrade does not even add the object class into the schema.
>
Fixed
> These need to be fixed before we can proceed.
>
Updated patches attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0503.4-DNS-Locations-add-index-for-ipalocation-attribute.patch Type: text/x-patch Size: 1662 bytes
Name: freeipa-mbasti-0504.4-DNS-Locations-fix-location-del.patch Type: text/x-patch Size: 1021 bytes
Name: freeipa-mbasti-0505.4-DNS-Locations-add-idnsTemplateObject-objectclass.patch Type: text/x-patch Size: 3849 bytes
Name: freeipa-mbasti-0506.4-DNS-Locations-DNS-data-management.patch Type: text/x-patch Size: 15980 bytes
Name: freeipa-mbasti-0507.4-DNS-Locations-permission-allow-to-read-status-of-ser.patch Type: text/x-patch Size: 3707 bytes
Name: freeipa-mbasti-0508.4-DNS-Locations-add-ACI-for-template-attribute.patch Type: text/x-patch Size: 9190 bytes
Name: freeipa-mbasti-0509.4-DNS-Locations-command-dns-update-system-records.patch Type: text/x-patch Size: 10811 bytes
Name: freeipa-mbasti-0510.4-DNS-Locations-use-dns_update_service_records-in-inst.patch Type: text/x-patch Size: 12501 bytes
Name: freeipa-mbasti-0511.4-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch Type: text/x-patch Size: 4112 bytes
Name: freeipa-mbasti-0512.4-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch Type: text/x-patch Size: 3528 bytes
Name: freeipa-mbasti-0513.4-DNS-Locations-server-mod-add-automatic-records-updat.patch Type: text/x-patch Size: 1947 bytes
Name: freeipa-mbasti-0515.4-DNS-Locations-dnsservers-add-required-objectclasses.patch Type: text/x-patch Size: 4547 bytes
Name: freeipa-mbasti-0516.4-DNS-Locations-dnsserver-commands.patch Type: text/x-patch Size: 25083 bytes
Name: freeipa-mbasti-0517.4-DNS-Locations-dnsserver-put-server_id-option-into-na.patch Type: text/x-patch Size: 7389 bytes
Name: freeipa-mbasti-0518.4-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch Type: text/x-patch Size: 3303 bytes
Name: freeipa-mbasti-0519.4-DNS-Locations-dnsserver-remove-config-when-replica-i.patch Type: text/x-patch Size: 1275 bytes
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 16 Jun 2016 15:02:49 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
In-Reply-To: <57627DA8.1060100@redhat.com>
References: <57627B87.1090501@redhat.com> <9fbb14fd-9d92-a034-4714-a913d77c22e5@redhat.com> <57627DA8.1060100@redhat.com>

On 16.06.2016 12:21, Ludwig Krispenz wrote:
>
> On 06/16/2016 12:14 PM, Petr Spacek wrote:
>> On 16.6.2016 12:12, Ludwig Krispenz wrote:
>>> On 06/16/2016 12:00 PM, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> Require 389-ds-base >= 1.3.5.6
>>>>
>>>> Old DS handles LDAP filters incorrectly
>>> no. Old DS handles filters strictly as documented in the admin guide,
>>> requiring access rights to each attribute used in the search filter.
>>> This was known and applications had to adapt, in your case there would have
>>> had to be two searches, one with the (&()()) filter and one with (|()()()()).
>> You know, it is quite hard to adapt when your application relies on one
>> SyncRepl session ...
>>
>> Anyway, feel free to send a patch with a rephrased commit message if you
>> wish, I'm okay with superseding my patch with yours.
> no, it's fine, only sometimes I need to defend DS a bit
>>
>> Petr^2 Spacek
>>
>>> This was improved in the latest version and components without access are
>>> ignored in filter evaluation to avoid the problems you did run into.
>>>
>>> otherwise your fix is ok
>>>
>>> Ludwig
>>>> and breaks bind-dyndb-ldap.
>>>> See
>>>> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2008
>
ACK

Pushed to master: 85d083c36651b15457af75e009f83bc6bb8114b0

From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 16 Jun 2016 15:23:21 +0200
Subject: [Freeipa-devel] [PATCH 0014-0016][Tests] Authentication indicators
Message-ID: <766fd34a-b83b-1105-57d0-bd51420720a7@redhat.com>

Hi,

attached are tests for authentication indicators.

Please note:
1. the newly created service tracker is not exactly complete, the list of
unimplemented methods is in the doc. These methods can be filled in when the
existing declarative tests are refactored.
2. patch 0015 depends on 0014, so it should not be pushed without it.

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0014-Tests-Tracker-class-for-services.patch Type: text/x-patch Size: 7242 bytes
Name: freeipa-ldoudova-0015-Tests-Authentication-indicators-xmlrpc-tests.patch Type: text/x-patch Size: 2806 bytes
Name: freeipa-ldoudova-0016-Tests-Authentication-indicators-integration-tests.patch Type: text/x-patch Size: 3216 bytes

From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 16 Jun 2016 15:55:23 +0200
Subject: [Freeipa-devel] [PATCH] 497 Update Developers in Contributors.txt
Message-ID: <7811a181-a031-67b8-6a04-69b51b11b388@redhat.com>

Since we are close to the 4.4 release, let's add the latest contributors.
(master branch should be enough).

--
Martin Kosek
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-497-update-developers-in-contributors.txt.patch Type: text/x-patch Size: 1459 bytes
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 16 Jun 2016 15:58:32 +0200
Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6
Message-ID: <20160616135831.GC22874@10.4.128.1>

On (16/06/16 12:00), Petr Spacek wrote:
>Hello,
>
>Require 389-ds-base >= 1.3.5.6
>
>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>
>https://fedorahosted.org/freeipa/ticket/2008
>
>--
>Petr^2 Spacek

>From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001
>From: Petr Spacek
>Date: Thu, 16 Jun 2016 11:58:56 +0200
>Subject: [PATCH] Require 389-ds-base >= 1.3.5.6
>
>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html
>
>https://fedorahosted.org/freeipa/ticket/2008
>---
> freeipa.spec.in | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/freeipa.spec.in b/freeipa.spec.in
>index d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f 100644
>--- a/freeipa.spec.in
>+++ b/freeipa.spec.in
>@@ -42,7 +42,7 @@ Source0: freeipa-%{version}.tar.gz
> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
>
> %if ! %{ONLY_CLIENT}
>-BuildRequires: 389-ds-base-devel >= 1.3.5
>+BuildRequires: 389-ds-base-devel >= 1.3.5.6

I know that the patch was pushed and it fixed your problem,
but I am a little bit curious why you needed to change the
version in BuildRequires?

If I understand correctly, FreeIPA compiles well with 1.3.5.
The only problem was at runtime.

LS
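Review bot: the hunk at `@@ -42,7 +42,7 @@` raises BuildRequires on 389-ds-base-devel to 1.3.5.6 although the commit message describes only a runtime change in filter evaluation (the point Lukas raises); unless the build consumes something new from the devel headers, keep `BuildRequires: 389-ds-base-devel >= 1.3.5` and bump only the runtime Requires. The diffstat reports 3 insertions and 3 deletions but only this one-line hunk is quoted, so the runtime Requires changes the patch is meant to carry cannot be checked here.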
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 16 Jun 2016 15:59:56 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519] DNS locations
In-Reply-To: <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com>

On 16.6.2016 13:57, Martin Basti wrote:
>
>
> On 16.06.2016 12:09, Petr Spacek wrote:
>> On 15.6.2016 17:24, Petr Spacek wrote:
>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>
>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>
>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>>> commands attached
>>>>>
>>>>> Updated+rebased patches after Honza's interactive review
>>>>>
>>>> Minor nitpick fixed
>>>>
>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>> ACK
>>>
>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>> ACK
>>>
>>> I will get to the rest later on.
>>
>> Problems I found (could be solved in separate patches if you wish):
>>
>> 1. NACK
>> # ipa dns-update-system-records --dry-run
>> ipa: ERROR: an internal error has occurred
>> ValueError: dns_update_system_records.validate_output(): unexpected keys
>> ['summary'] in { ...
> Fixed
>>
>> 2. NACK
>> Command ipa dns-update-system-records does not work with the DNS Administrators
>> privilege when some record is missing:
>>
>> ipa: WARNING: Update of system record
>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 100 464
>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
>> access: Insufficient 'write' privilege to the 'objectClass' attribute of entry
>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>
> Fixed (I hope)
>> 3. NACK
>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>> In fact the upgrade does not even add the object class into the schema.
>>
> Fixed
>> These need to be fixed before we can proceed.
>>
> Updated patches attached

4. NACK
ipa-ca-install does not add A/AAAA records for the new CA.

5. NACK
ipa-replica-manage del does not delete SRV records from the remaining master

# ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
WARNING: yacc table file version is out of date
Checking connectivity in topology suffix 'domain'
Checking connectivity in topology suffix 'ca'
Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid 'idnsserverid': must be Unicode text
You may need to manually remove them from the tree
Checking for deleted segments in suffix 'domain'
Agreements deleted
Checking for deleted segments in suffix 'ca'
Agreements deleted
Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
You may need to manually remove them from the tree

Manual execution of ipa dns-update-system-records fixes that.

Besides the NACKs above one more thing is missing:
The following config options are not migrated from named.conf to the LDAP object:
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade

This can go to a separate patch set if you wish (at the very end).

--
Petr^2 Spacek
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 16 Jun 2016 16:02:15 +0200 Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6 In-Reply-To: <20160616135831.GC22874@10.4.128.1> References: <20160616135831.GC22874@10.4.128.1> Message-ID: On 16.6.2016 15:58, Lukas Slebodnik wrote: > On (16/06/16 12:00), Petr Spacek wrote: >> Hello, >> >> Require 389-ds-base >= 1.3.5.6 >> >> Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap. >> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html >> >> https://fedorahosted.org/freeipa/ticket/2008 >> >> -- >> Petr^2 Spacek > >>From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001 >> From: Petr Spacek >> Date: Thu, 16 Jun 2016 11:58:56 +0200 >> Subject: [PATCH] Require 389-ds-base >= 1.3.5.6 >> >> Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap. >> See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> freeipa.spec.in | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -42,7 +42,7 @@ Source0: freeipa-%{version}.tar.gz >> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >> >> %if ! %{ONLY_CLIENT} >> -BuildRequires: 389-ds-base-devel >= 1.3.5 >> +BuildRequires: 389-ds-base-devel >= 1.3.5.6 > I know that patch was pushed and it fixed your problem. > but I am little bit curious why did you need to change > version in BuildRequires? > > If I understand correctly FreeIPA complies well with 1.3.5. > The only problem was at runtime. Right, I did not bother to test it. Feel free to submit correcting patch. -- Petr^2 Spacek From tbordaz at redhat.com Thu Jun 16 14:30:36 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Thu, 16 Jun 2016 16:30:36 +0200 Subject: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <20160613160131.mqhy2aatb3rz3gn7@redhat.com> References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> <575ED2F9.6010107@redhat.com> <20160613160131.mqhy2aatb3rz3gn7@redhat.com> Message-ID: <5762B80C.5040009@redhat.com> The version DS 1.3.5.6 is now available. Here is the second version of the patch taking into account lower precedence for Schema Compat On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: > On Mon, 13 Jun 2016, thierry bordaz wrote: >> >> >> On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: >>> On Mon, 13 Jun 2016, thierry bordaz wrote: >>>> This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >>> >>>>> From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 00:00:00 >>>>> 2001 >>>> From: Thierry Bordaz >>>> Date: Wed, 8 Jun 2016 14:03:42 +0200 >>>> Subject: [PATCH] Make sure ipapwd_extop takes precedence over >>>> passwd_modify_extop >>>> >>>> DS core server provides a default plugin (passwd_modify_extop) to >>>> handle >>>> 1.3.6.1.4.1.4203.1.11.1 extended op >>>> (https://www.ietf.org/rfc/rfc3062.txt) >>>> >>>> IPA delivers ipa_pwd_extop plugin that should take precedence over >>>> the default DS plugin (passwd_modify_extop) >>>> --- >>>> install/updates/10-ipapwd.update | 9 +++++++++ >>>> 1 file changed, 9 insertions(+) >>>> create mode 100644 install/updates/10-ipapwd.update >>>> >>>> diff --git a/install/updates/10-ipapwd.update >>>> b/install/updates/10-ipapwd.update >>>> new file mode 100644 >>>> index 0000000..d9bffa2 >>>> --- /dev/null >>>> +++ b/install/updates/10-ipapwd.update 
>>>> @@ -0,0 +1,9 @@ >>>> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config >>>> +# DS core server provides a default plugin (passwd_modify_extop) >>>> to handle >>>> +# 1.3.6.1.4.1.4203.1.11.1 extended op >>>> (https://www.ietf.org/rfc/rfc3062.txt) >>>> +# the pluginprecedence of the passwd_modify_extop is 50 (default >>>> value) >>>> +# >>>> +# IPA delivers ipa_pwd_extop plugin to handle that extended op >>>> +# we need to make sure ipa_pwd_extop is called and so to set a lower >>>> +# precedence value >>>> +add:nsslapd-pluginprecedence: 49 >>> Here is the problem: slapi-nis is 49 as well and it should be before >>> ipa_pwd_extop. >>> >>> You need to update install/share/schema_compat.uldif and >>> install/updates/10-schema_compat.update to get slapi-nis before >>> ipa_pwd_extop. >> ipapwd_plugin registers extendedop callback but slapi-nis does not. >> So I do not think they will "fight" for precedence. >> Even if slapi-nis register perextendedop they will be on different >> lists and it should not create any issue. >> >> Now I understand that slapi-nis must run with a precedence that >> should be lower than most of the others plugins. Currently it is 49, >> are you ok with a value like 40 ? > I'm OK with 40, yes. The precedence applies to all callbacks, not just > to preextendedop, so a BIND callback would be affected too. > >>> You also need to make sure we depend on the updated 389-ds-base package >>> version. >> >> Good ! >> Now with this dependency we should wait for 389-ds 1.3.5.5 to be >> available, I will resend the review when it will be available. > Yep, thanks. > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Make-sure-ipapwd_extop-takes-precedence-over-passwd_.patch Type: text/x-patch Size: 2764 bytes Desc: not available URL: From ofayans at redhat.com Thu Jun 16 14:46:53 2016 
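The ordering question in this thread (ipa_pwd_extop must run before the core passwd_modify_extop at its default 50, while slapi-nis already sits on 49) can be checked mechanically against a dump of cn=plugins,cn=config. The following is an added example, not FreeIPA or 389-ds code: the LDIF sample is constructed (the DN used for the core password-modify plugin is illustrative only), and the reader is deliberately minimal. It reports every nsslapd-pluginprecedence value shared by more than one plugin, because a tie gives no ordering guarantee, and offers a strict "runs before" check for the invariant the reviewers want.

```python
"""Check 389-ds plugin precedence values for ties.

Added example, not FreeIPA or 389-ds code: reads an LDIF dump of
cn=plugins,cn=config and reports plugins that share a precedence value.
Lower nsslapd-pluginprecedence runs first; a plugin without the attribute
uses the server default of 50.
"""
from collections import defaultdict

DEFAULT_PRECEDENCE = 50  # 389-ds default when the attribute is absent

# Constructed sample dump. The first two entries mirror the thread
# (Schema Compatibility and ipa_pwd_extop both at 49); the third stands in
# for the core password-modify plugin and its DN is illustrative only.
# The cn=users subentry and cn=config show what the filter must skip.
SAMPLE_LDIF = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
cn: Schema Compatibility
nsslapd-pluginid: schema-compat-plugin
nsslapd-pluginprecedence: 49

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
nsslapd-pluginprecedence: 49

dn: cn=passwd_modify_extop,cn=plugins,cn=config
cn: passwd_modify_extop
nsslapd-pluginid: passwd_modify_extop

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
cn: users

dn: cn=config
cn: config
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute: [values]} per entry.

    Handles blank-line entry separators and leading-space continuation
    lines; base64 ("::") and URL (":<") values are not needed here.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]      # folded continuation line
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def plugin_precedences(text):
    """Map plugin cn -> effective precedence for direct children of cn=plugins,cn=config."""
    result = {}
    for entry in parse_ldif(text):
        parts = entry.get("dn", [""])[0].lower().split(",")
        if len(parts) != 3 or parts[1:] != ["cn=plugins", "cn=config"]:
            continue                                # subentry or unrelated entry
        name = entry["cn"][0]
        value = entry.get("nsslapd-pluginprecedence", [str(DEFAULT_PRECEDENCE)])[0]
        result[name] = int(value)
    return result


def find_ties(precedences):
    """{precedence: sorted plugin names} for every value used by more than one plugin."""
    by_value = defaultdict(list)
    for name, value in precedences.items():
        by_value[value].append(name)
    return {v: sorted(names) for v, names in by_value.items() if len(names) > 1}


def runs_before(precedences, first, second):
    """True only when `first` has a strictly lower value; a tie is no guarantee."""
    return precedences[first] < precedences[second]


if __name__ == "__main__":
    prec = plugin_precedences(SAMPLE_LDIF)
    for value, names in sorted(find_ties(prec).items()):
        print("precedence %d shared by: %s" % (value, ", ".join(names)))
```

Against the sample it reports the 49 tie between Schema Compatibility and ipa_pwd_extop; lowering the compat plugin to 40, as the second version of the patch does, clears it and makes `runs_before` hold for compat before ipa_pwd_extop before the default plugin. A real dump can be produced with ldapsearch against cn=plugins,cn=config requesting cn and nsslapd-pluginprecedence.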
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 16 Jun 2016 16:46:53 +0200
Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
Message-ID: <5762BBDD.4010502@redhat.com>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0047-Automated-clean-ruv-subcommand-test.patch
Type: text/x-patch
Size: 3595 bytes
Desc: not available
URL:

From slaznick at redhat.com Thu Jun 16 15:33:54 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 16 Jun 2016 17:33:54 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
Message-ID: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com>

Hello,

This patch removes most sys.exits() from installer modules and scripts and
replaces them with ScriptError. I only left sys.exits at places where the user
decides yes/no on continuation of the script.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0048-Remove-sys.exit-from-install-modules-and-scripts.patch
Type: text/x-patch
Size: 49613 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 16 20:14:35 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 16 Jun 2016 22:14:35 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations In-Reply-To: References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> Message-ID: <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> On 16.06.2016 15:59, Petr Spacek wrote: > On 16.6.2016 13:57, Martin Basti wrote: >> >> On 16.06.2016 12:09, Petr Spacek wrote: >>> On 15.6.2016 17:24, Petr Spacek wrote: >>>> On 15.6.2016 15:45, Martin Basti wrote: >>>>> On 15.06.2016 14:52, Martin Basti wrote: >>>>>> >>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* >>>>>> commands attached >>>>>> Updated+rebased patches after Honza's interactive review >>>>>> >>>>>> >>>>> Minor nitpick fixed >>>>> >>>>> >>>>> >>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch >>>> ACK >>>> >>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch >>>> ACK >>>> >>>> >>>> I will get to the rest later on. >>> Problems I found (could be solved in separate patches if you wish): >>> >>> 1. NACK >>> # ipa dns-update-system-records --dry-run >>> ipa: ERROR: an internal error has occurred >>> ValueError: dns_update_system_records.validate_output(): unexpected keys >>> ['summary'] in { ... >> Fixed >>> 2. NACK >>> Command ipa dns-update-system-records does not work with DNS Administrators >>> privilege when some record is missing: >>> >>> ipa: WARNING: Update of system record >>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 100 464 >>> vm-046.abc.idm.lab.eng.brq.redhat.com.' 
failed with error: Insufficient
>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of entry
>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>>
>> Fixed (I hope)
>>> 3. NACK
>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>>> In fact the upgrade does not even add the object class into schema.
>>>
>> Fixed
>>> These need to be fixed before we can proceed.
>>>
>> Updated patches attached
> 4. NACK
> ipa-ca-install does not add A/AAAA records for the new CA.

This should work, the code is in the right place. Maybe it is a race condition.

... 2 hours later ...

I found that this is broken since 4.3.0, I will fix it separately
https://fedorahosted.org/freeipa/ticket/5966

Anyway I found a bug in replicainstall (fixed) because of copy&paste everywhere

>
> 5. NACK
> ipa-replica-manage del does not delete SRV records from the
> remaining master
>
> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
> WARNING: yacc table file version is out of date
> Checking connectivity in topology suffix 'domain'
> Checking connectivity in topology suffix 'ca'
> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid
> 'idnsserverid': must be Unicode text
> You may need to manually remove them from the tree
> Checking for deleted segments in suffix 'domain'
> Agreements deleted
> Checking for deleted segments in suffix 'ca'
> Agreements deleted
> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries:
> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
> You may need to manually remove them from the tree

Fixed

>
> Manual execution of ipa dns-update-system-records fixes that.
>
>
>
> Besides NACKs above one more thing is missing:
> Following config options are not migrated from named.conf to LDAP object:
>
> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>
> This can go to a separate patch set if you wish (at the very end).
I will leave this for later, bind-dyndb-ldap will continue working with local
configuration as before, patches are of course welcome.

Updated patches attached, + hydra patching

Martin^2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0503.5-DNS-Locations-add-index-for-ipalocation-attribute.patch
Type: text/x-patch
Size: 1662 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0504.5-DNS-Locations-fix-location-del.patch
Type: text/x-patch
Size: 1021 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0505.5-DNS-Locations-add-idnsTemplateObject-objectclass.patch
Type: text/x-patch
Size: 3849 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0506.5-DNS-Locations-DNS-data-management.patch
Type: text/x-patch
Size: 15980 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0507.5-DNS-Locations-permission-allow-to-read-status-of-ser.patch
Type: text/x-patch
Size: 3707 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0508.5-DNS-Locations-add-ACI-for-template-attribute.patch
Type: text/x-patch
Size: 9190 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0509.5-DNS-Locations-command-dns-update-system-records.patch
Type: text/x-patch
Size: 10811 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0510.5-DNS-Locations-use-dns_update_service_records-in-inst.patch
Type: text/x-patch
Size: 15115 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0511.5-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch
Type: text/x-patch
Size: 4112 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0512.5-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch
Type: text/x-patch
Size: 3528 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0513.5-DNS-Locations-server-mod-add-automatic-records-updat.patch
Type: text/x-patch
Size: 1947 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0515.5-DNS-Locations-dnsservers-add-required-objectclasses.patch
Type: text/x-patch
Size: 4547 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0516.5-DNS-Locations-dnsserver-commands.patch
Type: text/x-patch
Size: 25083 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0517.5-DNS-Locations-dnsserver-put-server_id-option-into-na.patch
Type: text/x-patch
Size: 7389 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0518.5-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch
Type: text/x-patch
Size: 3301 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0519.5-DNS-Locations-dnsserver-remove-config-when-replica-i.patch
Type: text/x-patch
Size: 1705 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0520.1-DNS-Locations-set-proper-substitution-variable.patch
Type: text/x-patch
Size: 1349 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0521.1-DNS-Locations-require-to-restart-named-pkcs11-affter.patch
Type: text/x-patch
Size: 2126 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0522.1-DNS-Locations-show-warning-if-there-is-no-DNS-server.patch
Type: text/x-patch
Size: 4396 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0523.1-DNS-Locations-prevent-to-remove-used-locations.patch
Type: text/x-patch
Size: 1781 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0524.1-DNS-Locations-do-not-generate-location-records-for-u.patch
Type: text/x-patch
Size: 2323 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0525.1-DNS-Locations-location-del-remove-location-record.patch
Type: text/x-patch
Size: 3633 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0526.1-DNS-Locations-Rename-ipalocationweight-to-ipaservice.patch
Type: text/x-patch
Size: 17868 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0527.1-DNS-Locations-generate-NTP-records.patch Type: text/x-patch Size: 4223 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0528.1-upgrade-don-t-fail-if-zone-does-not-exists-in-in-fin.patch Type: text/x-patch Size: 1154 bytes Desc: not available URL: From abokovoy at redhat.com Thu Jun 16 20:28:24 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Jun 2016 23:28:24 +0300 Subject: [Freeipa-devel] [PATCH 0133] Require 389-ds-base >= 1.3.5.6 In-Reply-To: <20160616135831.GC22874@10.4.128.1> References: <20160616135831.GC22874@10.4.128.1> Message-ID: <20160616202824.g4aud7rtqzwlnzo3@redhat.com> On Thu, 16 Jun 2016, Lukas Slebodnik wrote: >On (16/06/16 12:00), Petr Spacek wrote: >>Hello, >> >>Require 389-ds-base >= 1.3.5.6 >> >>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap. >>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html >> >>https://fedorahosted.org/freeipa/ticket/2008 >> >>-- >>Petr^2 Spacek > >>From 6cadda4044cf2ea85c84e04937455ab7726207e1 Mon Sep 17 00:00:00 2001 >>From: Petr Spacek >>Date: Thu, 16 Jun 2016 11:58:56 +0200 >>Subject: [PATCH] Require 389-ds-base >= 1.3.5.6 >> >>Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap. >>See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html >> >>https://fedorahosted.org/freeipa/ticket/2008 >>--- >> freeipa.spec.in | 6 +++--- >> 1 file changed, 3 insertions(+), 3 deletions(-) >> >>diff --git a/freeipa.spec.in b/freeipa.spec.in >>index d0f6888b47dbc6bcb7dcaf271d71900d67f97a2b..0d5c745d5306cd7141c573454bd1c1e6a78c7e7f 100644 >>--- a/freeipa.spec.in >>+++ b/freeipa.spec.in 
>>@@ -42,7 +42,7 @@ Source0: freeipa-%{version}.tar.gz >> BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >> >> %if ! %{ONLY_CLIENT} >>-BuildRequires: 389-ds-base-devel >= 1.3.5 >>+BuildRequires: 389-ds-base-devel >= 1.3.5.6 >I know that patch was pushed and it fixed your problem. >but I am little bit curious why did you need to change >version in BuildRequires? > >If I understand correctly FreeIPA complies well with 1.3.5. >The only problem was at runtime. We actually need 1.3.5.6 for slapi-nis and pwd extop plugins to build as we are using all new pre-extop operation callback. -- / Alexander Bokovoy From abokovoy at redhat.com Thu Jun 16 20:29:03 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Thu, 16 Jun 2016 23:29:03 +0300 Subject: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <5762B80C.5040009@redhat.com> References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> <575ED2F9.6010107@redhat.com> <20160613160131.mqhy2aatb3rz3gn7@redhat.com> <5762B80C.5040009@redhat.com> Message-ID: <20160616202903.7xallvxuo3mpdvcd@redhat.com> On Thu, 16 Jun 2016, thierry bordaz wrote: >The version DS 1.3.5.6 is now available. Here is the second version of >the patch taking into account lower precedence for Schema Compat > > > >On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: >>On Mon, 13 Jun 2016, thierry bordaz wrote: >>> >>> >>>On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: >>>>On Mon, 13 Jun 2016, thierry bordaz wrote: >>>>>This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >>>> >>>>>>From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 >>>>>>00:00:00 2001 
>>>>>From: Thierry Bordaz >>>>>Date: Wed, 8 Jun 2016 14:03:42 +0200 >>>>>Subject: [PATCH] Make sure ipapwd_extop takes precedence over >>>>>passwd_modify_extop >>>>> >>>>>DS core server provides a default plugin (passwd_modify_extop) >>>>>to handle >>>>>1.3.6.1.4.1.4203.1.11.1 extended op >>>>>(https://www.ietf.org/rfc/rfc3062.txt) >>>>> >>>>>IPA delivers ipa_pwd_extop plugin that should take precedence over >>>>>the default DS plugin (passwd_modify_extop) >>>>>--- >>>>>install/updates/10-ipapwd.update | 9 +++++++++ >>>>>1 file changed, 9 insertions(+) >>>>>create mode 100644 install/updates/10-ipapwd.update >>>>> >>>>>diff --git a/install/updates/10-ipapwd.update >>>>>b/install/updates/10-ipapwd.update >>>>>new file mode 100644 >>>>>index 0000000..d9bffa2 >>>>>--- /dev/null >>>>>+++ b/install/updates/10-ipapwd.update 
>>>>>@@ -0,0 +1,9 @@ >>>>>+dn: cn=ipa_pwd_extop,cn=plugins,cn=config >>>>>+# DS core server provides a default plugin >>>>>(passwd_modify_extop) to handle >>>>>+# 1.3.6.1.4.1.4203.1.11.1 extended op >>>>>(https://www.ietf.org/rfc/rfc3062.txt) >>>>>+# the pluginprecedence of the passwd_modify_extop is 50 >>>>>(default value) >>>>>+# >>>>>+# IPA delivers ipa_pwd_extop plugin to handle that extended op >>>>>+# we need to make sure ipa_pwd_extop is called and so to set a lower >>>>>+# precedence value >>>>>+add:nsslapd-pluginprecedence: 49 >>>>Here is the problem: slapi-nis is 49 as well and it should be before >>>>ipa_pwd_extop. >>>> >>>>You need to update install/share/schema_compat.uldif and >>>>install/updates/10-schema_compat.update to get slapi-nis before >>>>ipa_pwd_extop. >>>ipapwd_plugin registers extendedop callback but slapi-nis does >>>not. So I do not think they will "fight" for precedence. >>>Even if slapi-nis register perextendedop they will be on different >>>lists and it should not create any issue. >>> >>>Now I understand that slapi-nis must run with a precedence that >>>should be lower than most of the others plugins. Currently it is >>>49, are you ok with a value like 40 ? >>I'm OK with 40, yes. The precedence applies to all callbacks, not just >>to preextendedop, so a BIND callback would be affected too. >> >>>>You also need to make sure we depend on the updated 389-ds-base package >>>>version. >>> >>>Good ! >>>Now with this dependency we should wait for 389-ds 1.3.5.5 to be >>>available, I will resend the review when it will be available. >>Yep, thanks. >> > >From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 
>From: Thierry Bordaz >Date: Thu, 16 Jun 2016 16:28:03 +0200 >Subject: [PATCH] Make sure ipapwd_extop takes precedence over > passwd_modify_extop > >DS core server provides a default plugin (passwd_modify_extop) to handle >1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) > >IPA delivers ipa_pwd_extop plugin that should take precedence over >the default DS plugin (passwd_modify_extop) > >In addition make sure that slapi-nis has a low precedence >--- > install/share/schema_compat.uldif | 2 +- > install/updates/10-ipapwd.update | 9 +++++++++ > install/updates/10-schema_compat.update | 2 +- > 3 files changed, 11 insertions(+), 2 deletions(-) > create mode 100644 install/updates/10-ipapwd.update > >diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif >index a3d412f..66f8ea1 100644 >--- a/install/share/schema_compat.uldif >+++ b/install/share/schema_compat.uldif >@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin > # We need to run schema-compat pre-bind callback before > # other IPA pre-bind callbacks to make sure bind DN is > # rewritten to the original entry if needed >-default:nsslapd-pluginprecedence: 49 >+default:nsslapd-pluginprecedence: 40 > default:nsslapd-pluginversion: 0.8 > default:nsslapd-pluginbetxn: on > default:nsslapd-pluginvendor: redhat.com >diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update >new file mode 100644 >index 0000000..d9bffa2 >--- /dev/null >+++ b/install/updates/10-ipapwd.update 
>@@ -0,0 +1,9 @@ >+dn: cn=ipa_pwd_extop,cn=plugins,cn=config >+# DS core server provides a default plugin (passwd_modify_extop) to handle >+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) >+# the pluginprecedence of the passwd_modify_extop is 50 (default value) >+# >+# IPA delivers ipa_pwd_extop plugin to handle that extended op >+# we need to make sure ipa_pwd_extop is called and so to set a lower >+# precedence value >+add:nsslapd-pluginprecedence: 49 >diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update >index 2d257a3..e4c257d 100644 >--- a/install/updates/10-schema_compat.update >+++ b/install/updates/10-schema_compat.update >@@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config > # We need to run schema-compat pre-bind callback before > # other IPA pre-bind callbacks to make sure bind DN is > # rewritten to the original entry if needed >-add:nsslapd-pluginprecedence: 49 >+add:nsslapd-pluginprecedence: 40 > > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config > add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") >-- >2.5.0 > ACK -- / Alexander Bokovoy From blipton at redhat.com Thu Jun 16 22:06:20 2016 
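Review bot: the comment block in the new 10-ipapwd.update justifies 49 only relative to passwd_modify_extop's default of 50, while this same patch lowers Schema Compatibility from 49 to 40 precisely so it keeps running ahead of ipa_pwd_extop; a one-line note in the update file, and a sentence in the commit message beyond "make sure that slapi-nis has a low precedence", stating that 40 (schema-compat) < 49 (ipa_pwd_extop) < 50 (passwd_modify_extop) is the intended order would stop a later edit from reintroducing the tie the first version had.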
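Review bot: in the 10-schema_compat.update hunk, `add:nsslapd-pluginprecedence: 40` is applied on upgrade to an entry that already carries 49 from the previous version of this very line (`-add:nsslapd-pluginprecedence: 49`), so what an existing server ends up with depends on how the updater treats an `add:` of a different value on an attribute meant to hold one value; use the updater's form that sets the attribute to exactly the new value (its `only:` directive, or `replace:nsslapd-pluginprecedence:49::40`) so upgraded and freshly installed servers agree. The schema_compat.uldif hunk is fine as is, since `default:` only takes effect when the entry is created.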
From: blipton at redhat.com (Ben Lipton) Date: Thu, 16 Jun 2016 18:06:20 -0400 Subject: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation In-Reply-To: References: Message-ID: On 06/14/2016 08:27 AM, Ben Lipton wrote: > Hello all, > > I have written up a design proposal for making certificate requests > easier to generate when using alternate certificate profiles: > http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. > The use case for this is described in > https://fedorahosted.org/freeipa/ticket/4899. I will be working on > implementing this design over the next couple of months. If you have > the time and interest, please take a look and share any comments or > concerns that you have. > > Thanks! > > Ben > Just a quick update to say that I've created a new document that covers the proposed schema additions in a more descriptive way (with diagrams!) I'm very new to developing with LDAP, so some more experienced eyes on the proposal would be very helpful, even if you don't have time to absorb the full design. Please take a look at http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema if you have a chance. Thanks, Ben From ftweedal at redhat.com Fri Jun 17 04:55:26 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Jun 2016 14:55:26 +1000 Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True Message-ID: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968 Thanks, Fraser -------------- next part -------------- From 47ddd811f37fc026c296dd6c2fd44be606ba5a75 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 17 Jun 2016 14:18:05 +1000 Subject: [PATCH] renew_ca_cert: bootstrap api with in_server=True renew_ca_cert is failing because it cannot access the 'config' plugin. Bootstrap with in_server=True to remedy. Fixes: https://fedorahosted.org/freeipa/ticket/5968 --- install/restart_scripts/renew_ca_cert | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index bfb726cddf1b747f01512a85408fd479427ced44..dc0f1117b366e3fdcf6d00f0e6d928e2e32b8f2b 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -38,7 +38,7 @@ from ipaplatform.paths import paths def _main(): nickname = sys.argv[1] - api.bootstrap(context='restart') + api.bootstrap(in_server=True, context='restart') api.finalize() dogtag_service = services.knownservices['pki_tomcatd'] -- 2.5.5 From pspacek at redhat.com Fri Jun 17 05:45:19 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 17 Jun 2016 07:45:19 +0200 Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules In-Reply-To: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> Message-ID: On 16.6.2016 17:33, Stanislav Laznicka wrote: > Hello, > > This patch removes most sys.exits() from installer modules and scripts and > replaces them with ScriptError. I only left sys.exits at places where the user > decides yes/no on continuation of the script. I wonder if yes/no should be replaced with KeyboardInterrupt or some other exception, too... -- Petr^2 Spacek From jcholast at redhat.com Fri Jun 17 06:35:45 2016 
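Review bot: the change is limited to install/restart_scripts/renew_ca_cert, but the failure it fixes (the 'config' plugin not being available) comes from bootstrapping the API with `api.bootstrap(context='restart')` and no `in_server=True`; any sibling script under install/restart_scripts using the same call would fail the same way the next time it runs, so apply `in_server=True` to all restart scripts in this patch rather than waiting for each one to break on its own renewal cycle.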
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 17 Jun 2016 08:35:45 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com>
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com>
Message-ID: <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com>

Hi,

On 17.6.2016 06:55, Fraser Tweedale wrote:
> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968

This should be fixed for all the restart scripts, not just renew_ca_cert.

>
> Thanks,
> Fraser

Honza

--
Jan Cholasta

From slaznick at redhat.com Fri Jun 17 06:43:11 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 17 Jun 2016 08:43:11 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
In-Reply-To:
References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com>
Message-ID: <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com>

On 06/17/2016 07:45 AM, Petr Spacek wrote:
> On 16.6.2016 17:33, Stanislav Laznicka wrote:
>> Hello,
>>
>> This patch removes most sys.exits() from installer modules and scripts and
>> replaces them with ScriptError. I only left sys.exits at places where the user
>> decides yes/no on continuation of the script.
> I wonder if yes/no should be replaced with KeyboardInterrupt or some other
> exception, too...
>
I'm not sure, it seems more clear to just really exit if the user desires it
and it's what we say we'll do (with possible cleanup beforehand). Do you think
we could benefit somehow by raising an exception here?

From pspacek at redhat.com Fri Jun 17 06:46:33 2016
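The pattern this thread is about (installer code raises, and only the command-line entry point exits) is small enough to show whole. The following is an added example, not the FreeIPA installer's code: ScriptError is a local stand-in with the same shape as ipalib's (a message plus an exit status, rval), the hostname check and the "continue?" prompt are constructed stand-ins for installer steps, and treating a "no" answer as an exception that exits with status 0 is one possible answer to the open yes/no question above, not what the patch does. What it demonstrates is why an exception is the better vehicle: the steps stay importable and testable, and cleanup of partially applied work happens in exactly one place.

```python
"""Installer steps that raise instead of calling sys.exit().

Added example, not FreeIPA's installer code. Library-level steps raise an
error carrying a message and an exit status; only the command-line entry
point turns that into a process exit, which keeps the steps importable and
testable and gives one place for cleanup.
"""
import re
import sys


class ScriptError(Exception):
    """Stand-in with the same shape as ipalib's ScriptError: msg and rval."""

    def __init__(self, msg="", rval=1):
        super().__init__(msg)
        self.msg = msg
        self.rval = rval


class UserAbort(ScriptError):
    """Raised when the user answers 'no' at a continue? prompt.

    Exit status 0 for a deliberate abort is this example's choice, not
    something the patch under review does.
    """

    def __init__(self):
        super().__init__("Installation aborted by user.", rval=0)


# Constructed check, lower-case only: one or more labels followed by a TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def check_hostname(hostname):
    """Installer step: validate the FQDN and raise instead of print-and-exit."""
    if not HOSTNAME_RE.match(hostname):
        raise ScriptError(
            "Invalid hostname '%s', must be a fully qualified domain name"
            % hostname)
    return hostname


def confirm_continue(ask):
    """Prompt step: `ask(question)` returns True/False; declining raises."""
    if not ask("Continue to configure the system with these values? [no]: "):
        raise UserAbort()


def install(hostname, ask, undo):
    """Constructed installer: each state-changing step registers an undo
    action so a later failure can roll it back."""
    check_hostname(hostname)
    undo.append("remove temporary configuration")    # constructed action
    confirm_continue(ask)
    undo.append("restore previous service state")    # constructed action
    return "installed %s" % hostname


def run(hostname, ask, err=None):
    """Entry point: the only place that maps exceptions to an exit status.

    Returns (exit_status, undo_actions_run) so it can be tested without
    the process exiting.
    """
    err = err if err is not None else sys.stderr
    undo = []
    try:
        install(hostname, ask, undo)
    except (ScriptError, KeyboardInterrupt) as e:
        for action in reversed(undo):                # roll back in reverse order
            print("cleanup: %s" % action, file=err)
        if isinstance(e, ScriptError):
            msg, rval = e.msg, e.rval
        else:
            msg, rval = "Installation cancelled.", 1
        if msg:
            print(msg, file=err)
        return rval, len(undo)
    return 0, 0


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else ""
    status, _ = run(host, lambda q: input(q).strip().lower().startswith("y"))
    sys.exit(status)
```

With sys.exit() buried in a step, the caller could only intervene by catching SystemExit; here a bad hostname fails before anything is registered for undo, while a "no" at the prompt rolls back the one action taken so far and still exits cleanly.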
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 17 Jun 2016 08:46:33 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations In-Reply-To: <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> Message-ID: <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> On 16.6.2016 22:14, Martin Basti wrote: > > > On 16.06.2016 15:59, Petr Spacek wrote: >> On 16.6.2016 13:57, Martin Basti wrote: >>> >>> On 16.06.2016 12:09, Petr Spacek wrote: >>>> On 15.6.2016 17:24, Petr Spacek wrote: >>>>> On 15.6.2016 15:45, Martin Basti wrote: >>>>>> On 15.06.2016 14:52, Martin Basti wrote: >>>>>>> >>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* >>>>>>> commands attached >>>>>>> Updated+rebased patches after Honza's interactive review >>>>>>> >>>>>>> >>>>>> Minor nitpick fixed >>>>>> >>>>>> >>>>>> >>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch >>>>> >>>>> ACK >>>>> >>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch >>>>> ACK >>>>> >>>>> >>>>> I will get to the rest later on. >>>> Problems I found (could be solved in separate patches if you wish): >>>> >>>> 1. NACK >>>> # ipa dns-update-system-records --dry-run >>>> ipa: ERROR: an internal error has occurred >>>> ValueError: dns_update_system_records.validate_output(): unexpected keys >>>> ['summary'] in { ... >>> Fixed >>>> 2. NACK >>>> Command ipa dns-update-system-records does not work with DNS Administrators >>>> privilege when some record is missing: >>>> >>>> ipa: WARNING: Update of system record >>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 
86400 IN SRV 0 100 464 >>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient >>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of >>>> entry >>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'. >>>> >>>> >>> Fixed (I hope) >>>> 3. NACK >>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns >>>> In fact the upgrade does not even add the object class into schema. >>>> >>> Fixed >>>> These needs to be fixed before we can proceed. >>>> >>> Updated patches attached >> 4. NACK >> ipa-ca-install does not add A/AAAA records for the new CA. > This should work, code is on the right place. Maybe it is a race condition. > > ... 2 hours later ... > > I found that this is broken since 4.3.0, I will fix it separately > https://fedorahosted.org/freeipa/ticket/5966 > > Anyway I found bug in replicainstall (fixed) because copy&paste everywhere > >> >> 5. NACK >> ipa-replica-manage del does not delete SRV records from the >> remaining master >> >> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com >> WARNING: yacc table file version is out of date >> Checking connectivity in topology suffix 'domain' >> Checking connectivity in topology suffix 'ca' >> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid >> 'idnsserverid': must be Unicode text >> You may need to manually remove them from the tree >> Checking for deleted segments in suffix 'domain' >> Agreements deleted >> Checking for deleted segments in suffix 'ca' >> Agreements deleted >> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: >> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found >> You may need to manually remove them from the tree > Fixed >> >> Manual execution of ipa dns-update-system-records fixes that. 
>>
>>
>>
>> Besides NACKs above one more thing is missing:
>> Following config options are not migrated from named.conf to LDAP object:
>>
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>>
>>
>> This can go to a separate patch set if you wish (at the very end).
> I will leave this for later, bind-dyndb-ldap will continue working with local
> configuration as before, patches are of course welcome.
>
> Updated patches attached, + hydra patching

6. NACK

# ipa server-show $(hostname)
Managed suffixes: domain, ca
Min domain level: 0
Max domain level: 1
Location: l1
Enabled server roles: CA server, DNS server, NTP server
Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
[root at vm-046 review]# ipa server-mod $(hostname) --location=l2
ipa: ERROR: no modifications to be performed

--
Petr^2 Spacek

From pspacek at redhat.com Fri Jun 17 06:48:34 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Jun 2016 08:48:34 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
In-Reply-To: <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com>
References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com>
Message-ID: <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com>

On 17.6.2016 08:43, Stanislav Laznicka wrote:
> On 06/17/2016 07:45 AM, Petr Spacek wrote:
>> On 16.6.2016 17:33, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> This patch removes most sys.exits() from installer modules and scripts and
>>> replaces them with ScriptError. I only left sys.exits at places where the user
>>> decides yes/no on continuation of the script.
>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other
>> exception, too...
>>
> I'm not sure, it seems more clear to just really exit if the user desires it
> and it's what we say we'll do (with possible cleanup beforehand). Do you think
> we could benefit somehow by raising an exception here?

I'm just thinking out loud.

It seemed to me that it is easier to share cleanup on one except block instead
of having if (interrupt): cleanup; if (interrupt2): same_cleanup;

etc.

Again, just wondering out loud.

--
Petr^2 Spacek

From ftweedal at redhat.com Fri Jun 17 06:53:09 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Jun 2016 16:53:09 +1000 Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True In-Reply-To: <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> Message-ID: <20160617065309.GO4744@dhcp-40-8.bne.redhat.com> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote: > Hi, > > On 17.6.2016 06:55, Fraser Tweedale wrote: > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968 > > This should be fixed for all the restart scripts, not just renew_ca_cert. > Updated patch attached. -------------- next part -------------- From dac1e3e748fc5b9b3d48aa1dc2050d5f9a505773 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 Jun 2016 14:18:05 +1000 Subject: [PATCH] restart scripts: bootstrap api with in_server=True renew_ca_cert fails because it cannot access the 'config' plugin. Bootstrap all the restart scripts to avoid such issues. Fixes: https://fedorahosted.org/freeipa/ticket/5968 --- install/restart_scripts/renew_ca_cert | 2 +- install/restart_scripts/renew_ra_cert | 2 +- install/restart_scripts/restart_dirsrv | 2 +- install/restart_scripts/stop_pkicad | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index bfb726cddf1b747f01512a85408fd479427ced44..dc0f1117b366e3fdcf6d00f0e6d928e2e32b8f2b 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -38,7 +38,7 @@ from ipaplatform.paths import paths def _main(): nickname = sys.argv[1] - api.bootstrap(context='restart') + api.bootstrap(in_server=True, context='restart') api.finalize() dogtag_service = services.knownservices['pki_tomcatd'] 
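Review bot: nothing at the call site in the renew_ca_cert hunk says why a certmonger restart script needs `api.bootstrap(in_server=True, context='restart')`; the commit message gives the reason (the 'config' plugin is not reachable without it) only for renew_ca_cert, so a one-line comment above the bootstrap call would keep that rationale next to the code. The same applies to the identical hunks in renew_ra_cert, restart_dirsrv and stop_pkicad that follow.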
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 9b5e231b526432bec3e6d187a674042a27b94b57..17a7af9b079ea6d91fc60fac2bcc65d8ec7d8bc0 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -37,7 +37,7 @@ from ipaplatform.paths import paths def _main(): nickname = 'ipaCert' - api.bootstrap(context='restart') + api.bootstrap(in_server=True, context='restart') api.finalize() tmpdir = tempfile.mkdtemp(prefix="tmp-") diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv index 856729b5cd8dcfe7885a6ccf64aa847e6379102c..a8e78184f9a6f595a11440fbddae3c41933bb29b 100644 --- a/install/restart_scripts/restart_dirsrv +++ b/install/restart_scripts/restart_dirsrv @@ -33,7 +33,7 @@ def _main(): except IndexError: instance = "" - api.bootstrap(context='restart') + api.bootstrap(in_server=True, context='restart') api.finalize() syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance) diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad index 30b99eeff80b42aedbada583df37f9fddb076aec..ae07dcd588a54bbb1328b289c9218d2053f32c0b 100644 --- a/install/restart_scripts/stop_pkicad +++ b/install/restart_scripts/stop_pkicad @@ -27,7 +27,7 @@ from ipaserver.install import certs def main(): - api.bootstrap(context='restart') + api.bootstrap(in_server=True, context='restart') api.finalize() dogtag_service = services.knownservices['pki_tomcatd'] -- 2.5.5 From ftweedal at redhat.com Fri Jun 17 06:59:51 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Jun 2016 16:59:51 +1000 Subject: [Freeipa-devel] [PATCH] 0070..0071 Fix replica installation from IPA v4.2 Message-ID: <20160617065950.GQ4744@dhcp-40-8.bne.redhat.com> The attached patches fix https://fedorahosted.org/freeipa/ticket/5963 Thanks Milan for reporting. Cheers, Fraser -------------- next part -------------- 
From aef64476fef6e3a850d7a4375dbbff098a9439ba Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 Jun 2016 10:57:32 +1000 Subject: [PATCH 70/71] Split CA replica installation steps for domain level 0 Installation from replica file is broken because lightweight CA replication setup is attempted before Kerberos is set up. To fix the issue, explicitly execute step 1 before Kerberos setup, and step 2 afterwards. Part of: https://fedorahosted.org/freeipa/ticket/5963 --- ipaserver/install/server/replicainstall.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f597880471eb3710ebc7163f771d4e6dc9f1e3d6..39d528b3e21ce858a9d5334a3884560dea9ca675 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -798,12 +798,17 @@ def install(installer): if ca_enabled: options.ra_p12 = config.dir + "/ra.p12" - ca.install(False, config, options) + ca.install_step_0(False, config, options) krb = install_krb(config, setup_pkinit=not options.no_pkinit) http = install_http(config, auto_redirect=not options.no_ui_redirect, ca_is_configured=ca_enabled) + if config.setup_ca: + # Done after install_krb() because lightweight CA key + # retrieval setup needs to create kerberos principal. + ca.install_step_1(False, config, options) + otpd = otpdinstance.OtpdInstance() otpd.create_instance('OTPD', config.host_name, config.dirman_password, ipautil.realm_to_suffix(config.realm_name)) -- 2.5.5 -------------- next part -------------- From 128ef9ebf89699f34e5420f567aac7ea1d07d547 Mon Sep 17 00:00:00 2001 
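Review bot: in the replicainstall.py hunk the two halves of the split CA installation are guarded by different conditions: `ca.install_step_0(False, config, options)` runs under `if ca_enabled:` while the new `ca.install_step_1(False, config, options)` runs under `if config.setup_ca:`. Unless those two flags are guaranteed to agree at this point, step 1 can run for a replica whose step 0 was skipped, or be skipped after step 0 ran. Suggest using one condition for both blocks, or a comment stating why they must differ.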
From: Fraser Tweedale Date: Fri, 17 Jun 2016 14:31:08 +1000 Subject: [PATCH 71/71] Fix migration from pre-lightweight CAs master Some container objects are not added when migrating from a pre-lightweight CAs master, causing replica installation to fail. Make sure that the containers exist and add an explanatory comment. Fixes: https://fedorahosted.org/freeipa/ticket/5963 --- ipaserver/install/cainstance.py | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8dfb71528d2dc020e05ccd7ff42199218a1c0839..e8b505cf04ffd784c21da2be3899cf3681210b0f 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -420,6 +420,8 @@ class CAInstance(DogtagInstance): self.step("authorizing RA to modify profiles", configure_profiles_acl) self.step("authorizing RA to manage lightweight CAs", configure_lightweight_ca_acls) + self.step("Ensure lightweight CAs container exists", + ensure_lightweight_cas_container) self.step("configure certmonger for renewals", self.configure_certmonger_renewal) self.step("configure certificate renewals", self.configure_renewal) if not self.clone: @@ -1344,6 +1346,8 @@ class CAInstance(DogtagInstance): self.enable_pkix) self.step("set up client auth to db", self.__client_auth_to_db) self.step("destroying installation admin user", self.teardown_admin) + self.step("Ensure lightweight CAs container exists", + ensure_lightweight_cas_container) self.step("Configure lightweight CA key retrieval", self.setup_lightweight_ca_key_retrieval) self.step("starting instance", self.start_instance) 
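Review bot: the step added in this hunk (and in the earlier step list) calls `ensure_lightweight_cas_container`, which no hunk in the patch defines, so confirm it already exists in cainstance.py before merging. Also the new step name "Ensure lightweight CAs container exists" is capitalized while the surrounding step names are lowercase ("set up client auth to db", "destroying installation admin user"); suggest `self.step("ensure lightweight CAs container exists", ensure_lightweight_cas_container)` for consistency.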
@@ -1414,6 +1418,18 @@ class CAInstance(DogtagInstance): pent = pwd.getpwnam(constants.PKI_USER) root_logger.info('Creating Custodia keys') + custodia_basedn = DN( + ('cn', 'custodia'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) + ensure_entry( + custodia_basedn, + objectclass=['top', 'nsContainer'], + cn=['custodia'], + ) + ensure_entry( + DN(('cn', 'dogtag'), custodia_basedn), + objectclass=['top', 'nsContainer'], + cn=['dogtag'], + ) keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') keystore = IPAKEMKeys({'server_keys': keyfile}) keystore.generate_keys(service) @@ -1902,7 +1918,15 @@ def _create_dogtag_profile(profile_id, profile_data, overwrite): def ensure_ipa_authority_entry(): - """Add the IPA CA ipaCa object if missing.""" + """Add the IPA CA ipaCa object if missing. + + This requires the "host authority" authority entry to have been + created, which Dogtag will do automatically upon startup, if the + ou=authorities,ou=ca,o=ipaca container exists. Therefore, the + ``ensure_lightweight_cas_container`` function must be executed, + and Dogtag restarted, before executing this function. + + """ # find out authority id, issuer DN and subject DN of IPA CA # @@ -1926,6 +1950,11 @@ def ensure_ipa_authority_entry(): return ensure_entry( + DN(api.env.container_ca, api.env.basedn), + objectclass=['top', 'nsContainer'], + cn=['cas'], + ) + ensure_entry( DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca, api.env.basedn), objectclass=['top', 'ipaca'], cn=[ipalib.constants.IPA_CA_CN], -- 2.5.5 From slaznick at redhat.com Fri Jun 17 07:14:11 2016 
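Review bot: in the last hunk the container is addressed as `DN(api.env.container_ca, api.env.basedn)` but its naming attribute is hardcoded as `cn=['cas']`; if `api.env.container_ca` is ever configured as anything other than `cn=cas`, the entry's RDN and its cn value will disagree and the add will fail or leave an inconsistent entry. Derive the cn from the leading RDN of that DN instead of repeating the literal, so the two cannot drift apart.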
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 17 Jun 2016 09:14:11 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com> <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com> <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com> Message-ID: <3a8c2f35-6be5-81ff-431f-39f2bad39ce2@redhat.com> On 06/14/2016 04:40 PM, Jan Cholasta wrote: > On 14.6.2016 16:35, Martin Basti wrote: >> On 14.06.2016 16:37, Jan Cholasta wrote: >>> On 14.6.2016 16:29, Martin Basti wrote: >>>> On 08.06.2016 14:17, Stanislav Laznicka wrote: >>>>> On 06/07/2016 10:42 AM, Martin Basti wrote: >>>>>> On 07.06.2016 10:43, Jan Cholasta wrote: >>>>>>> On 7.6.2016 10:22, Martin Basti wrote: >>>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote: >>>>>>>>> On 6.6.2016 18:29, Martin Basti wrote: >>>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>>>>>>>> >>>>>>>>>>>> NACK >>>>>>>>>>>> >>>>>>>>>>>> please remove it from LDAPAddReverseMember too, it contains >>>>>>>>>>>> the >>>>>>>>>>>> same >>>>>>>>>>>> code >>>>>>>>>>>> >>>>>>>>>>>> Martin^2 >>>>>>>>>>> >>>>>>>>>>> Please see the modified patch. 
>>>>>>>>>>> >>>>>>>>>>> Standa >>>>>>>>>>> >>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>>>>>>>> >>>>>>>>> I think the attrs_list was supposed to be passed to the >>>>>>>>> ldap.get_entry() call rather than removed, which would fix that >>>>>>>>> every >>>>>>>>> reverse member command always acts like --all was specified. >>>>>>>>> >>>>>>>> I'm really afraid, what can happen if we put attr_list into >>>>>>>> get_entry() >>>>>>>> instead of '*', because this code were there for 4 years and I >>>>>>>> don't >>>>>>>> feel happy enough to change it now, what we may break. >>>>>>>> >>>>>>>> Should I revert this commit then and postpone the ticket? >>>>>>> >>>>>>> It's a bug and should be fixed. The fix is easy so I see no >>>>>>> point in >>>>>>> postponing it. I see no reason to be really afraid, I'm pretty sure >>>>>>> that removing the objectclass attribute (which is invisible in the >>>>>>> CLI anyway) from the output of all the 4 commands that use this >>>>>>> code >>>>>>> won't break anything. >>>>>>> >>>>>> >>>>>> Ok >>>>> It seems that tests expect objectClass to be always returned in >>>>> derived methods. Is that expected behavior? If so, please see the >>>>> attached patch. I wonder if the keys of the passed options should >>>>> make >>>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)? >>>> >>>> I still don't think that we should use that attrs list, because >>>> according git history, attrs_list was really used only with code that >>>> was removed, and as you can see Standa had add extra objectclass >>>> attribute there >>> >>> So the assumption here is that if it's in git history, it's not a bug? >>> >>> The extra object class should *not* be included by default. >>> >>> (Also I don't see any reason to have this split into 2 patches.) >>> Right. 
I added the objectclass so that it behaves similar to what the other commands do and so that it does not break tests but it can be removed and tests could be fixed. The question here is - do we want it in 4.4, then? If so can we be sure it won't break anything (although we know that it's broken as it is, and it's been like that for the past 4 years)? Currently, the LDAP*ReverseMember are used in adding/removing permissions/privileges to privileges/roles so I think we don't want it to go bad - but could it? From slaznick at redhat.com Fri Jun 17 07:24:40 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 17 Jun 2016 09:24:40 +0200 Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules In-Reply-To: <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> Message-ID: <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> On 06/17/2016 08:48 AM, Petr Spacek wrote: > On 17.6.2016 08:43, Stanislav Laznicka wrote: >> On 06/17/2016 07:45 AM, Petr Spacek wrote: >>> On 16.6.2016 17:33, Stanislav Laznicka wrote: >>>> Hello, >>>> >>>> This patch removes most sys.exits() from installer modules and scripts and >>>> replaces them with ScriptError. I only left sys.exits at places where the user >>>> decides yes/no on continuation of the script. >>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other >>> exception, too... >>> >> I'm not sure, it seems more clear to just really exit if the user desires it >> and it's what we say we'll do (with possible cleanup beforehand). Do you think >> we could benefit somehow by raising an exception here? > I'm just thinking out loud. > > It seemed to me that it is easier to share cleanup on one except block instead > of having if (interrupt): cleanup; if (interrupt2): same_cleanup; > > etc. > > Again, just wondering out loud. > If the cleanup is the same, or similar it might be more beneficial to have it in a function where you could pass what was set up already and therefore needs cleanup. But that's just an opinion coming from thinking out loud as well. I went through the code to see if there's much cleanup after these user actions and it seems that usually there's nothing much if anything. However, thinking in advance may save us much trouble in the future, of course. From ftweedal at redhat.com Fri Jun 17 07:34:27 2016 
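The shared-cleanup idea from this exchange (one except block instead of sys.exit() scattered through the modules, with the user's "no" at a yes/no prompt modelled as an exception that carries what was set up), as an added example that is not from any post in the thread or from FreeIPA's code. ScriptError here is a stand-in with an assumed message-plus-exit-status shape; UserAbort, the step names and the cleanup bookkeeping are constructed for the example.

```python
import sys


class ScriptError(Exception):
    """Stand-in for ipapython's ScriptError (assumed shape: message + exit status)."""

    def __init__(self, msg, rval=1):
        super().__init__(msg)
        self.rval = rval


class UserAbort(ScriptError):
    """Hypothetical: the user answered 'no' at a continue? prompt.

    Raising this instead of calling sys.exit() at the prompt lets the one
    except block in run_install() handle both failures and user aborts.
    Exit status 0, because declining to continue is not an error.
    """

    def __init__(self, msg="installation aborted by user"):
        super().__init__(msg, rval=0)


def step_with_sys_exit(log):
    """The pattern being removed: a deep helper that exits the process itself.

    SystemExit unwinds straight through the installer, so cleanup that lives
    in the caller never runs and the exit path is hidden inside the helper.
    """
    log.append("done:helper")
    sys.exit("fatal: helper failed")


def cleanup(done, log):
    """Undo the steps that completed, newest first.

    'done' is the list of what was actually set up, i.e. the "pass what was
    set up already" idea from the thread; untouched steps are not undone.
    """
    for name in reversed(done):
        log.append("cleanup:" + name)


def run_install(steps, continue_answer, log):
    """Run (name, callable) steps; return the status the caller gives sys.exit().

    A step named "prompt" models the yes/no question; the answer is passed in
    so the example runs without a terminal. Every abort, whether a ScriptError
    from a step or a 'no' from the user, goes through the single except block,
    which cleans up exactly the steps that completed and nothing else.
    """
    done = []
    try:
        for name, func in steps:
            if name == "prompt":
                if not continue_answer:
                    raise UserAbort()
                continue
            func()
            done.append(name)
            log.append("done:" + name)
    except ScriptError as e:
        cleanup(done, log)
        log.append("exit:%d:%s" % (e.rval, e))
        return e.rval
    return 0


def sample_steps(fail_at=None):
    """Constructed step list: three setup steps with the prompt after the first.

    'fail_at' names the step that should raise ScriptError, or None.
    """

    def make(name):
        def step():
            if name == fail_at:
                raise ScriptError("%s failed" % name)
        return step

    return [
        ("configure_dirsrv", make("configure_dirsrv")),
        ("prompt", None),
        ("configure_krb", make("configure_krb")),
        ("configure_http", make("configure_http")),
    ]


if __name__ == "__main__":
    events = []
    status = run_install(sample_steps(fail_at="configure_http"), True, events)
    print("\n".join(events))
    sys.exit(status)
```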
From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 17 Jun 2016 17:34:27 +1000 Subject: [Freeipa-devel] [DESIGN] Lightweight CA renewal In-Reply-To: References: <20160506060158.GZ1237@dhcp-40-8.bne.redhat.com> Message-ID: <20160617073427.GR4744@dhcp-40-8.bne.redhat.com> On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: > Hi, > > On 6.5.2016 08:01, Fraser Tweedale wrote: > > Hullo all, > > > > FreeIPA Lightweight CAs implementation is progressing well. The > > remaining big unknown in the design is how to do renewal. I have > > put my ideas into the design page[1] and would appreciate any and > > all feedback! > > > > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal > > > > Some brief commentary on the options: > > > > I intend to implement approach (1) as a baseline. Apart from > > implementing machinery in Dogtag to actually perform the renewal - > > which is required for all the approaches - it's not much work and > > gets us over the "lightweight CAs can be renewed easily" line, even > > if it is a manual process. > > > > For automatic renewal, I am leaning towards approach (2). Dogtag > > owns the lightweight CAs so I think it makes sense to give Dogtag > > the ability to renew them automatically (if configured to do so), > > without relying on external tools i.e. Certmonger. But as you will > > see from the outlines, each approach has its upside and downside. > > I would prefer (3), as I would very much like to avoid duplicating > certmonger's functionality in Dogtag. > > Some comments on the disadvantages: > > * "Proliferation of Certmonger tracking requests; one for each > FreeIPA-managed lightweight CA." > > I don't think this is an actual issue, as it's purely cosmetic. > > * "Either lightweight CA creation is restricted to the renewal master, or > the renewal master must observe the creation of new lightweight CAs and > start tracking their certificate." 
> > IMO this doesn't have to be done automatically in the initial > implementation. You could extend ipa-certupdate to set up certmonger for > lightweight CAs and have admins run it manually on masters after adding a > new lightweight CA. They will have to run it anyway to get the new > lightweight CA certificate installed in the system, so it should be fine to > do it this way. > I have updated the renew_ca_cert post-save script to perform the database update necessary for CA replicas to pick up the new cert. What remains is the command to tell certmonger to track the CA. You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a better fit, e.g.: ipa-cacert-manage track It would look up the necessary info (basically just the CA-ID) and set up the certmonger tracking. It could be an error to run the command on other than the renewal master. An untrack command could also be provided. Thoughts? > * "Development of new Certmonger renewal helpers solely for lightweight CA > renewal." > > It would be easier to extend the existing helpers. I don't think there > is anything preventing them from being used for lighweight CAs, except not > conveying the CA name, which should be easy to implement. > > > I would also avoid starting with (1), I don't believe it adds any real > value. IMHO the first thing that should be done is implement lightweight CA > support in certmonger (add new 'request' / 'start-tracking' option for CA > name, store it in tracking requests, pass it to CA helpers in a new > environment variable). > > > Honza > > -- > Jan Cholasta From ofayans at redhat.com Fri Jun 17 07:43:19 2016 
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 17 Jun 2016 09:43:19 +0200
Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
In-Reply-To: <5762BBDD.4010502@redhat.com>
References: <5762BBDD.4010502@redhat.com>
Message-ID: <5763AA17.60207@redhat.com>

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:
>
>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0047.1-Automated-clean-ruv-subcommand-test.patch
Type: text/x-patch
Size: 3565 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0048-Automated-ipa-replica-manage-del-tests.patch
Type: text/x-patch
Size: 3353 bytes

From pvoborni at redhat.com Fri Jun 17 07:51:09 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 17 Jun 2016 09:51:09 +0200 Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules In-Reply-To: <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> Message-ID: <5763ABED.9010102@redhat.com> On 17.6.2016 09:24, Stanislav Laznicka wrote: > On 06/17/2016 08:48 AM, Petr Spacek wrote: >> On 17.6.2016 08:43, Stanislav Laznicka wrote: >>> On 06/17/2016 07:45 AM, Petr Spacek wrote: >>>> On 16.6.2016 17:33, Stanislav Laznicka wrote: >>>>> Hello, >>>>> >>>>> This patch removes most sys.exits() from installer modules and >>>>> scripts and >>>>> replaces them with ScriptError. I only left sys.exits at places >>>>> where the user >>>>> decides yes/no on continuation of the script. >>>> I wonder if yes/no should be replaced with KeyboardInterrupt or some >>>> other >>>> exception, too... >>>> >>> I'm not sure, it seems more clear to just really exit if the user >>> desires it >>> and it's what we say we'll do (with possible cleanup beforehand). Do >>> you think >>> we could benefit somehow by raising an exception here? >> I'm just thinking out loud. >> >> It seemed to me that it is easier to share cleanup on one except block >> instead >> of having if (interrupt): cleanup; if (interrupt2): same_cleanup; >> >> etc. >> >> Again, just wondering out loud. >> > If the cleanup is the same, or similar it might be more beneficial to > have it in a function where you could pass what was set up already and > therefore needs cleanup. But that's just an opinion coming from thinking > out loud as well. I went through the code to see if there's much cleanup > after these user actions and it seems that usually there's nothing much > if anything. 
> However, thinking in advance may save us much trouble in
> the future, of course.
>

Btw the original scope of the ticket is to replace sys.exit calls ONLY
in installer modules. Please don't waste time with debugging other use
cases before 4.4 is out.

--
Petr Vobornik

From pspacek at redhat.com Fri Jun 17 08:17:54 2016
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 17 Jun 2016 10:17:54 +0200 Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules In-Reply-To: <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> Message-ID: On 17.6.2016 09:24, Stanislav Laznicka wrote: > On 06/17/2016 08:48 AM, Petr Spacek wrote: >> On 17.6.2016 08:43, Stanislav Laznicka wrote: >>> On 06/17/2016 07:45 AM, Petr Spacek wrote: >>>> On 16.6.2016 17:33, Stanislav Laznicka wrote: >>>>> Hello, >>>>> >>>>> This patch removes most sys.exits() from installer modules and scripts and >>>>> replaces them with ScriptError. I only left sys.exits at places where the >>>>> user >>>>> decides yes/no on continuation of the script. >>>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other >>>> exception, too... >>>> >>> I'm not sure, it seems more clear to just really exit if the user desires it >>> and it's what we say we'll do (with possible cleanup beforehand). Do you think >>> we could benefit somehow by raising an exception here? >> I'm just thinking out loud. >> >> It seemed to me that it is easier to share cleanup on one except block instead >> of having if (interrupt): cleanup; if (interrupt2): same_cleanup; >> >> etc. >> >> Again, just wondering out loud. >> > If the cleanup is the same, or similar it might be more beneficial to have it > in a function where you could pass what was set up already and therefore needs > cleanup. But that's just an opinion coming from thinking out loud as well. I > went through the code to see if there's much cleanup after these user actions > and it seems that usually there's nothing much if anything. However, thinking > in advance may save us much trouble in the future, of course. 
In that case I'm perfectly fine with leaving some exits as they are.

--
Petr^2 Spacek

From mkosek at redhat.com Fri Jun 17 08:33:43 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 17 Jun 2016 10:33:43 +0200
Subject: [Freeipa-devel] I plan to delete my FreeIPA COPR repos
In-Reply-To:
References:
Message-ID: <643eed39-3aea-b6d2-373f-f6808ebca1cd@redhat.com>

On 05/13/2016 01:43 PM, Martin Kosek wrote:
> Hi all,
>
> When we were starting building FreeIPA in the Fedora COPR service [1], the
> service did not support the organizations as it can do now and we did the
> official repos in my personal name space [2] as I was the common denominator
> for the project at the time.
>
> However, since that time, COPR support supports organizations, we created the
> FreeIPA organization [3] and do the official builds there. FreeIPA should have
> all currently supported repos, usually around 4.3 and master FreeIPA versions.
>
> Now, is anyone still using any of my FreeIPA related repos? Can I delete them
> so that it does not confuse people about what is the official repo? Comparing
> what I see in FreeIPA organization repos and personal repos, the FreeIPA
> organization miss FreeIPA 4.0 and 4.1 versions, but I think these can be safely
> removed.
>
> So my current plan is to delete all my personal FreeIPA repos unless I hear any
> blocker. So please holler if you depend on some of my repos.
>
> [1] https://copr.fedorainfracloud.org
> [2] https://copr.fedorainfracloud.org/coprs/mkosek/
> [3] https://copr.fedorainfracloud.org/groups/g/freeipa/coprs/

I heard no concerns, my personal previously official COPR repos were deleted.

https://copr.fedorainfracloud.org/groups/g/freeipa/coprs/
for the win!

Martin

From mbasti at redhat.com Fri Jun 17 08:35:04 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jun 2016 10:35:04 +0200 Subject: [Freeipa-devel] I plan to delete my FreeIPA COPR repos In-Reply-To: <643eed39-3aea-b6d2-373f-f6808ebca1cd@redhat.com> References: <643eed39-3aea-b6d2-373f-f6808ebca1cd@redhat.com> Message-ID: <8ad92bc6-36b2-ab58-8f60-d6444b52b6c7@redhat.com> On 17.06.2016 10:33, Martin Kosek wrote: > On 05/13/2016 01:43 PM, Martin Kosek wrote: >> Hi all, >> >> When we were starting building FreeIPA in the Fedora COPR service [1], the >> service did not support the organizations as it can do now and we did the >> official repos in my personal name space [2] as I was the common denominator >> for the project at the time. >> >> However, since that time, COPR support supports organizations, we created the >> FreeIPA organization [3] and do the official builds there. FreeIPA should have >> all currently supported repos, usually around 4.3 and master FreeIPA versions. >> >> Now, is anyone still using any of my FreeIPA related repos? Can I delete them >> so that it does not confuse people about what is the official repo? Comparing >> what I see in FreeIPA organization repos and personal repos, the FreeIPA >> organization miss FreeIPA 4.0 and 4.1 versions, but I think these can be safely >> removed. >> >> So my current plan is to delete all my personal FreeIPA repos unless I hear any >> blocker. So please holler if you depend on some of my repos. >> >> [1] https://copr.fedorainfracloud.org >> [2] https://copr.fedorainfracloud.org/coprs/mkosek/ >> [3] https://copr.fedorainfracloud.org/groups/g/freeipa/coprs/ > I heard no concerns, my personal previously official COPR repos were deleted. > > https://copr.fedorainfracloud.org/groups/g/freeipa/coprs/ > for the win! > > Martin > +1 From ofayans at redhat.com Fri Jun 17 09:18:43 2016 
From: ofayans at redhat.com (Oleg Fayans)
Date: Fri, 17 Jun 2016 11:18:43 +0200
Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
In-Reply-To: <5763AA17.60207@redhat.com>
References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com>
Message-ID: <5763C073.5020503@redhat.com>

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:
> Fixed a bug in the previous patch, automated 2 more testcases from
> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>
> On 06/16/2016 04:46 PM, Oleg Fayans wrote:
>>
>>
>>
>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0048.1-Automated-ipa-replica-manage-del-tests.patch
Type: text/x-patch
Size: 4769 bytes

From slaznick at redhat.com Fri Jun 17 10:12:45 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 17 Jun 2016 12:12:45 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
In-Reply-To: <5763ABED.9010102@redhat.com>
References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> <5763ABED.9010102@redhat.com>
Message-ID:

On 06/17/2016 09:51 AM, Petr Vobornik wrote:
> On 17.6.2016 09:24, Stanislav Laznicka wrote:
>> On 06/17/2016 08:48 AM, Petr Spacek wrote:
>>> On 17.6.2016 08:43, Stanislav Laznicka wrote:
>>>> On 06/17/2016 07:45 AM, Petr Spacek wrote:
>>>>> On 16.6.2016 17:33, Stanislav Laznicka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> This patch removes most sys.exits() from installer modules and scripts and replaces them with ScriptError. I only left sys.exits at places where the user decides yes/no on continuation of the script.
>>>>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other exception, too...
>>>>>
>>>> I'm not sure, it seems more clear to just really exit if the user desires it and it's what we say we'll do (with possible cleanup beforehand). Do you think we could benefit somehow by raising an exception here?
>>> I'm just thinking out loud.
>>>
>>> It seemed to me that it is easier to share cleanup on one except block instead of having if (interrupt): cleanup; if (interrupt2): same_cleanup; etc.
>>>
>>> Again, just wondering out loud.
>>>
>> If the cleanup is the same, or similar, it might be more beneficial to have it in a function where you could pass what was set up already and therefore needs cleanup. But that's just an opinion coming from thinking out loud as well. I went through the code to see if there's much cleanup after these user actions and it seems that usually there's nothing much, if anything. However, thinking in advance may save us much trouble in the future, of course.
>>
> Btw the original scope of the ticket is to replace sys.exit calls ONLY in installer modules. Please don't waste time with debugging other use cases before 4.4 is out.
>
I might have gotten carried away a bit. Would you suggest keeping the sys.exits replaced only in the ipaserver/install/server/replicainstall.py and ipaserver/install/server/install.py modules, which are the installer modules managed by AdminTool? I considered the modules in ipaserver/install/ to also be installer modules, as they are heavily used during installation and the sys.exits there mainly occur in functions called from install()/install_check() methods. The *-install scripts were perhaps really obviously over the scope.

I'll keep the sys.exit replaces that won't make it here on the side, we may want to do them later.

From mbasti at redhat.com Fri Jun 17 10:25:01 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 12:25:01 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations
In-Reply-To: <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com>
Message-ID: <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com>

On 17.06.2016 08:46, Petr Spacek wrote:
> On 16.6.2016 22:14, Martin Basti wrote:
>>
>> On 16.06.2016 15:59, Petr Spacek wrote:
>>> On 16.6.2016 13:57, Martin Basti wrote:
>>>> On 16.06.2016 12:09, Petr Spacek wrote:
>>>>> On 15.6.2016 17:24, Petr Spacek wrote:
>>>>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>>>>
>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* commands attached
>>>>>>>> Updated+rebased patches after Honza's interactive review
>>>>>>>>
>>>>>>> Minor nitpick fixed
>>>>>>>
>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>>>>>
>>>>>> ACK
>>>>>>
>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>>>>> ACK
>>>>>>
>>>>>> I will get to the rest later on.
>>>>> Problems I found (could be solved in separate patches if you wish):
>>>>>
>>>>> 1. NACK
>>>>> # ipa dns-update-system-records --dry-run
>>>>> ipa: ERROR: an internal error has occurred
>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys ['summary'] in { ...
>>>> Fixed
>>>>> 2. NACK
>>>>> Command ipa dns-update-system-records does not work with DNS Administrators privilege when some record is missing:
>>>>>
>>>>> ipa: WARNING: Update of system record '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 100 464 vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient access: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>>>>
>>>> Fixed (I hope)
>>>>> 3. NACK
>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>>>>> In fact the upgrade does not even add the object class into schema.
>>>>>
>>>> Fixed
>>>>> These need to be fixed before we can proceed.
>>>>>
>>>> Updated patches attached
>>> 4. NACK
>>> ipa-ca-install does not add A/AAAA records for the new CA.
>> This should work, the code is in the right place. Maybe it is a race condition.
>>
>> ... 2 hours later ...
>>
>> I found that this is broken since 4.3.0, I will fix it separately
>> https://fedorahosted.org/freeipa/ticket/5966
>>
>> Anyway I found a bug in replicainstall (fixed) because copy&paste everywhere
>>
>>> 5. NACK
>>> ipa-replica-manage del does not delete SRV records from the remaining master
>>>
>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
>>> WARNING: yacc table file version is out of date
>>> Checking connectivity in topology suffix 'domain'
>>> Checking connectivity in topology suffix 'ca'
>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid 'idnsserverid': must be Unicode text
>>> You may need to manually remove them from the tree
>>> Checking for deleted segments in suffix 'domain'
>>> Agreements deleted
>>> Checking for deleted segments in suffix 'ca'
>>> Agreements deleted
>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
>>> You may need to manually remove them from the tree
>> Fixed
>>> Manual execution of ipa dns-update-system-records fixes that.
>>>
>>> Besides NACKs above one more thing is missing:
>>> Following config options are not migrated from named.conf to LDAP object:
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>>>
>>> This can go to a separate patch set if you wish (at the very end).
>> I will leave this for later, bind-dyndb-ldap will continue working with local configuration as before, patches are of course welcome.
>>
>> Updated patches attached, + hydra patching
> 6. NACK
> # ipa server-show $(hostname)
>   Managed suffixes: domain, ca
>   Min domain level: 0
>   Max domain level: 1
>   Location: l1
>   Enabled server roles: CA server, DNS server, NTP server
>   Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>
> [root at vm-046 review]# ipa server-mod $(hostname) --location=l2
> ipa: ERROR: no modifications to be performed
>
Updated patches attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0503.6-DNS-Locations-add-index-for-ipalocation-attribute.patch (text/x-patch, 1662 bytes)
Name: freeipa-mbasti-0504.6-DNS-Locations-fix-location-del.patch (text/x-patch, 1021 bytes)
Name: freeipa-mbasti-0505.6-DNS-Locations-add-idnsTemplateObject-objectclass.patch (text/x-patch, 3849 bytes)
Name: freeipa-mbasti-0506.6-DNS-Locations-DNS-data-management.patch (text/x-patch, 15980 bytes)
Name: freeipa-mbasti-0507.6-DNS-Locations-permission-allow-to-read-status-of-ser.patch (text/x-patch, 3707 bytes)
Name: freeipa-mbasti-0508.6-DNS-Locations-add-ACI-for-template-attribute.patch (text/x-patch, 9190 bytes)
Name: freeipa-mbasti-0509.6-DNS-Locations-command-dns-update-system-records.patch (text/x-patch, 10811 bytes)
Name: freeipa-mbasti-0510.6-DNS-Locations-use-dns_update_service_records-in-inst.patch (text/x-patch, 15115 bytes)
Name: freeipa-mbasti-0511.6-DNS-Locations-adtrustinstance-simplify-dns-managemen.patch (text/x-patch, 4112 bytes)
Name: freeipa-mbasti-0512.6-DNS-Locations-use-automatic-records-update-in-ipa-ad.patch (text/x-patch, 3528 bytes)
Name: freeipa-mbasti-0513.6-DNS-Locations-server-mod-add-automatic-records-updat.patch (text/x-patch, 1990 bytes)
Name: freeipa-mbasti-0515.6-DNS-Locations-dnsservers-add-required-objectclasses.patch (text/x-patch, 4547 bytes)
Name: freeipa-mbasti-0516.6-DNS-Locations-dnsserver-commands.patch (text/x-patch, 24114 bytes)
Name: freeipa-mbasti-0517.6-DNS-Locations-dnsserver-put-server_id-option-into-na.patch (text/x-patch, 7389 bytes)
Name: freeipa-mbasti-0518.6-DNS-Locations-dnsserver-use-the-newer-config-way-in-.patch (text/x-patch, 3301 bytes)
Name: freeipa-mbasti-0519.6-DNS-Locations-dnsserver-remove-config-when-replica-i.patch (text/x-patch, 1705 bytes)
Name: freeipa-mbasti-0520.2-DNS-Locations-set-proper-substitution-variable.patch (text/x-patch, 1634 bytes)
Name: freeipa-mbasti-0521.2-DNS-Locations-require-to-restart-named-pkcs11-affter.patch (text/x-patch, 2280 bytes)
Name: freeipa-mbasti-0522.2-DNS-Locations-show-warning-if-there-is-no-DNS-server.patch (text/x-patch, 4005 bytes)
Name: freeipa-mbasti-0523.2-DNS-Locations-prevent-to-remove-used-locations.patch (text/x-patch, 1781 bytes)
Name: freeipa-mbasti-0524.2-DNS-Locations-do-not-generate-location-records-for-u.patch (text/x-patch, 2323 bytes)
Name: freeipa-mbasti-0525.2-DNS-Locations-location-del-remove-location-record.patch (text/x-patch, 3633 bytes)
Name: freeipa-mbasti-0526.2-DNS-Locations-Rename-ipalocationweight-to-ipaservice.patch (text/x-patch, 17835 bytes)
Name: freeipa-mbasti-0527.2-DNS-Locations-generate-NTP-records.patch (text/x-patch, 4223 bytes)
Name: freeipa-mbasti-0528.2-upgrade-don-t-fail-if-zone-does-not-exists-in-in-fin.patch (text/x-patch, 1154 bytes)

From pvoborni at redhat.com Fri Jun 17 11:01:38 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jun 2016 13:01:38 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
In-Reply-To:
References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> <5763ABED.9010102@redhat.com>
Message-ID: <5763D892.20605@redhat.com>

On 17.6.2016 12:12, Stanislav Laznicka wrote:
> On 06/17/2016 09:51 AM, Petr Vobornik wrote:
>> On 17.6.2016 09:24, Stanislav Laznicka wrote:
>>> On 06/17/2016 08:48 AM, Petr Spacek wrote:
>>>> On 17.6.2016 08:43, Stanislav Laznicka wrote:
>>>>> On 06/17/2016 07:45 AM, Petr Spacek wrote:
>>>>>> On 16.6.2016 17:33, Stanislav Laznicka wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> This patch removes most sys.exits() from installer modules and scripts and replaces them with ScriptError. I only left sys.exits at places where the user decides yes/no on continuation of the script.
>>>>>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other exception, too...
>>>>>>
>>>>> I'm not sure, it seems more clear to just really exit if the user desires it and it's what we say we'll do (with possible cleanup beforehand). Do you think we could benefit somehow by raising an exception here?
>>>> I'm just thinking out loud.
>>>>
>>>> It seemed to me that it is easier to share cleanup on one except block instead of having if (interrupt): cleanup; if (interrupt2): same_cleanup; etc.
>>>>
>>>> Again, just wondering out loud.
>>>>
>>> If the cleanup is the same, or similar, it might be more beneficial to have it in a function where you could pass what was set up already and therefore needs cleanup. But that's just an opinion coming from thinking out loud as well. I went through the code to see if there's much cleanup after these user actions and it seems that usually there's nothing much, if anything. However, thinking in advance may save us much trouble in the future, of course.
>>>
>> Btw the original scope of the ticket is to replace sys.exit calls ONLY in installer modules. Please don't waste time with debugging other use cases before 4.4 is out.
>>
> I might have gotten carried away a bit. Would you suggest keeping the sys.exits replaced only in the ipaserver/install/server/replicainstall.py and ipaserver/install/server/install.py modules, which are the installer modules managed by AdminTool? I considered the modules in ipaserver/install/ to also be installer modules, as they are heavily used during installation and the sys.exits there mainly occur in functions called from install()/install_check() methods. The *-install scripts were perhaps really obviously over the scope.

Yes, modules:
 ipaserver/install/bindinstance.py          |  2 +-
 ipaserver/install/ca.py                    | 19 +++---
 ipaserver/install/cainstance.py            |  5 +-
 ipaserver/install/dns.py                   |  5 +-
 ipaserver/install/dsinstance.py            |  3 +-
 ipaserver/install/installutils.py          | 16 +++---
 ipaserver/install/ipa_ldap_updater.py      |  2 +-
 ipaserver/install/krainstance.py           |  3 +-
 ipaserver/install/replication.py           | 10 ++--
 ipaserver/install/server/install.py        | 64 +++++++++++----------
 ipaserver/install/server/replicainstall.py | 92

not modules:
 install/tools/ipa-adtrust-install | 17 +++---
 install/tools/ipa-ca-install      | 23 ++++---
 install/tools/ipa-compat-manage   | 11 ++--
 install/tools/ipa-dns-install     |  3 +-

>
> I'll keep the sys.exit replaces that won't make it here on the side, we may want to do them later.

I'm a bit worried that the patch might change some behavior. Maybe I'm wrong.

-- 
Petr Vobornik

From slaznick at redhat.com Fri Jun 17 11:56:08 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 17 Jun 2016 13:56:08 +0200
Subject: [Freeipa-devel] [PATCH 0048] Remove sys.exit() from installer modules
In-Reply-To: <5763D892.20605@redhat.com>
References: <91e234f8-554f-7efd-a399-d51db521a2fe@redhat.com> <9e9d6098-cbe2-3455-47c0-a21d1aea8ae5@redhat.com> <28420a22-04ad-b04c-4c25-bd9a71f9051f@redhat.com> <9171d38e-da4f-0693-1f53-767dc4dfe219@redhat.com> <5763ABED.9010102@redhat.com> <5763D892.20605@redhat.com>
Message-ID: <3b048d9c-03c8-1675-0a3f-20e4b8e293c2@redhat.com>

On 06/17/2016 01:01 PM, Petr Vobornik wrote:
> On 17.6.2016 12:12, Stanislav Laznicka wrote:
>> On 06/17/2016 09:51 AM, Petr Vobornik wrote:
>>> On 17.6.2016 09:24, Stanislav Laznicka wrote:
>>>> On 06/17/2016 08:48 AM, Petr Spacek wrote:
>>>>> On 17.6.2016 08:43, Stanislav Laznicka wrote:
>>>>>> On 06/17/2016 07:45 AM, Petr Spacek wrote:
>>>>>>> On 16.6.2016 17:33, Stanislav Laznicka wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> This patch removes most sys.exits() from installer modules and scripts and replaces them with ScriptError. I only left sys.exits at places where the user decides yes/no on continuation of the script.
>>>>>>> I wonder if yes/no should be replaced with KeyboardInterrupt or some other exception, too...
>>>>>>>
>>>>>> I'm not sure, it seems more clear to just really exit if the user desires it and it's what we say we'll do (with possible cleanup beforehand). Do you think we could benefit somehow by raising an exception here?
>>>>> I'm just thinking out loud.
>>>>>
>>>>> It seemed to me that it is easier to share cleanup on one except block instead of having if (interrupt): cleanup; if (interrupt2): same_cleanup; etc.
>>>>>
>>>>> Again, just wondering out loud.
>>>>>
>>>> If the cleanup is the same, or similar, it might be more beneficial to have it in a function where you could pass what was set up already and therefore needs cleanup. But that's just an opinion coming from thinking out loud as well. I went through the code to see if there's much cleanup after these user actions and it seems that usually there's nothing much, if anything. However, thinking in advance may save us much trouble in the future, of course.
>>>>
>>> Btw the original scope of the ticket is to replace sys.exit calls ONLY in installer modules. Please don't waste time with debugging other use cases before 4.4 is out.
>>>
>> I might have gotten carried away a bit. Would you suggest keeping the sys.exits replaced only in the ipaserver/install/server/replicainstall.py and ipaserver/install/server/install.py modules, which are the installer modules managed by AdminTool? I considered the modules in ipaserver/install/ to also be installer modules, as they are heavily used during installation and the sys.exits there mainly occur in functions called from install()/install_check() methods. The *-install scripts were perhaps really obviously over the scope.
> Yes, modules:
>  ipaserver/install/bindinstance.py          |  2 +-
>  ipaserver/install/ca.py                    | 19 +++---
>  ipaserver/install/cainstance.py            |  5 +-
>  ipaserver/install/dns.py                   |  5 +-
>  ipaserver/install/dsinstance.py            |  3 +-
>  ipaserver/install/installutils.py          | 16 +++---
>  ipaserver/install/ipa_ldap_updater.py      |  2 +-
>  ipaserver/install/krainstance.py           |  3 +-
>  ipaserver/install/replication.py           | 10 ++--
>  ipaserver/install/server/install.py        | 64 +++++++++++----------
>  ipaserver/install/server/replicainstall.py | 92
>
> not modules:
>  install/tools/ipa-adtrust-install | 17 +++---
>  install/tools/ipa-ca-install      | 23 ++++---
>  install/tools/ipa-compat-manage   | 11 ++--
>  install/tools/ipa-dns-install     |  3 +-
>
>> I'll keep the sys.exit replaces that won't make it here on the side, we may want to do them later.
> I'm a bit worried that the patch might change some behavior. Maybe I'm wrong.
>
Attached is the patch with the correct modules with sys.exits replaced. I double-checked the changes and I believe the behavior shouldn't really change.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0048-2-Remove-sys.exit-from-install-modules-and-scripts.patch
Type: text/x-patch
Size: 39881 bytes

From msehnout at redhat.com Fri Jun 17 11:58:06 2016
From: msehnout at redhat.com (Martin Sehnoutka)
Date: Fri, 17 Jun 2016 07:58:06 -0400 (EDT)
Subject: [Freeipa-devel] bind-dyndb-ldap reviews
In-Reply-To:
References:
Message-ID: <528640880.56449601.1466164686395.JavaMail.zimbra@redhat.com>

ACK

Martin Sehnoutka

----- Original Message -----
From: "Petr Spacek"
To: msehnout at redhat.com
Sent: Wednesday, June 15, 2016 4:25:15 PM
Subject: bind-dyndb-ldap reviews

Hello,

please review patches mentioned below. Do not hesitate to contact me whenever you have a question or anything is unclear.

Project home page:
https://fedorahosted.org/bind-dyndb-ldap/

README file in Git:
http://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README

Design pages for new features:
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator

Notes regarding current state:
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00395.html

Patches waiting for review on the mailing list:
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00203.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00205.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00329.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00207.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00343.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00331.html
https://www.redhat.com/archives/freeipa-devel/2016-June/msg00332.html

Git repo with all patches:
https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4

COPR build:
https://copr.fedorainfracloud.org/coprs/pspacek/bind-dyndb-ldap/build/342711/

Lab user guide:
https://mojo.redhat.com/docs/DOC-1005343

Thank you very much for your time.

-- 
Petr^2 Spacek

From jcholast at redhat.com Fri Jun 17 13:21:07 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Fri, 17 Jun 2016 15:21:07 +0200
Subject: [Freeipa-devel] [DESIGN] Lightweight CA renewal
In-Reply-To: <20160617073427.GR4744@dhcp-40-8.bne.redhat.com>
References: <20160506060158.GZ1237@dhcp-40-8.bne.redhat.com> <20160617073427.GR4744@dhcp-40-8.bne.redhat.com>
Message-ID:

On 17.6.2016 09:34, Fraser Tweedale wrote:
> On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 6.5.2016 08:01, Fraser Tweedale wrote:
>>> Hullo all,
>>>
>>> FreeIPA Lightweight CAs implementation is progressing well. The remaining big unknown in the design is how to do renewal. I have put my ideas into the design page[1] and would appreciate any and all feedback!
>>>
>>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal
>>>
>>> Some brief commentary on the options:
>>>
>>> I intend to implement approach (1) as a baseline. Apart from implementing machinery in Dogtag to actually perform the renewal - which is required for all the approaches - it's not much work and gets us over the "lightweight CAs can be renewed easily" line, even if it is a manual process.
>>>
>>> For automatic renewal, I am leaning towards approach (2). Dogtag owns the lightweight CAs so I think it makes sense to give Dogtag the ability to renew them automatically (if configured to do so), without relying on external tools i.e. Certmonger. But as you will see from the outlines, each approach has its upside and downside.
>>
>> I would prefer (3), as I would very much like to avoid duplicating certmonger's functionality in Dogtag.
>>
>> Some comments on the disadvantages:
>>
>> * "Proliferation of Certmonger tracking requests; one for each FreeIPA-managed lightweight CA."
>>
>> I don't think this is an actual issue, as it's purely cosmetic.
>>
>> * "Either lightweight CA creation is restricted to the renewal master, or the renewal master must observe the creation of new lightweight CAs and start tracking their certificate."
>>
>> IMO this doesn't have to be done automatically in the initial implementation. You could extend ipa-certupdate to set up certmonger for lightweight CAs and have admins run it manually on masters after adding a new lightweight CA. They will have to run it anyway to get the new lightweight CA certificate installed in the system, so it should be fine to do it this way.
>>
> I have updated the renew_ca_cert post-save script to perform the database update necessary for CA replicas to pick up the new cert. What remains is the command to tell certmonger to track the CA.
>
> You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a better fit, e.g.:
>
>     ipa-cacert-manage track
>
> It would look up the necessary info (basically just the CA-ID) and set up the certmonger tracking.

No. ipa-cacert-manage updates global configuration in LDAP, whereas ipa-certupdate applies the global configuration on the local system. Updating certmonger configuration is the latter, hence it should be done in ipa-certupdate.

Also, I don't think we should expose (un)tracking certificates by CA ID to users, as all our CA certificates should always be tracked.

>
> It could be an error to run the command on other than the renewal master.

Note that the main CA certificate is tracked on all CA servers, not just the renewal master, otherwise it wouldn't get updated on the other CA servers after renewal. I would think the same needs to be done for lightweight CA certificates, unless there is a different mechanism for distributing the certificates to other CA masters, in which case I would prefer if the mechanism was also used for the main CA certificate.

>
> An untrack command could also be provided.
>
> Thoughts?
>
>> * "Development of new Certmonger renewal helpers solely for lightweight CA renewal."
>>
>> It would be easier to extend the existing helpers. I don't think there is anything preventing them from being used for lightweight CAs, except not conveying the CA name, which should be easy to implement.
>>
>>
>> I would also avoid starting with (1), I don't believe it adds any real value. IMHO the first thing that should be done is implement lightweight CA support in certmonger (add new 'request' / 'start-tracking' option for CA name, store it in tracking requests, pass it to CA helpers in a new environment variable).
>>
>>
>> Honza
>>
>> --
>> Jan Cholasta

-- 
Jan Cholasta

From pspacek at redhat.com Fri Jun 17 13:17:58 2016
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 17 Jun 2016 15:17:58 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations In-Reply-To: <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> Message-ID: <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com> On 17.6.2016 12:25, Martin Basti wrote: > > > On 17.06.2016 08:46, Petr Spacek wrote: >> On 16.6.2016 22:14, Martin Basti wrote: >>> >>> On 16.06.2016 15:59, Petr Spacek wrote: >>>> On 16.6.2016 13:57, Martin Basti wrote: >>>>> On 16.06.2016 12:09, Petr Spacek wrote: >>>>>> On 15.6.2016 17:24, Petr Spacek wrote: >>>>>>> On 15.6.2016 15:45, Martin Basti wrote: >>>>>>>> On 15.06.2016 14:52, Martin Basti wrote: >>>>>>>>> >>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* >>>>>>>>> commands attached >>>>>>>>> Updated+rebased patches after Honza's interactive review >>>>>>>>> >>>>>>>>> >>>>>>>> Minor nitpick fixed >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch >>>>>>> >>>>>>> >>>>>>> ACK >>>>>>> >>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch >>>>>>> >>>>>>> ACK >>>>>>> >>>>>>> >>>>>>> I will get to the rest later on. >>>>>> Problems I found (could be solved in separate patches if you wish): >>>>>> >>>>>> 1. 
NACK >>>>>> # ipa dns-update-system-records --dry-run >>>>>> ipa: ERROR: an internal error has occurred >>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys >>>>>> ['summary'] in { ... >>>>> Fixed >>>>>> 2. NACK >>>>>> Command ipa dns-update-system-records does not work with DNS Administrators >>>>>> privilege when some record is missing: >>>>>> >>>>>> ipa: WARNING: Update of system record >>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 >>>>>> 100 464 >>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient >>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of >>>>>> entry >>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'. >>>>>> >>>>>> >>>>>> >>>>> Fixed (I hope) >>>>>> 3. NACK >>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns >>>>>> In fact the upgrade does not even add the object class into schema. >>>>>> >>>>> Fixed >>>>>> These needs to be fixed before we can proceed. >>>>>> >>>>> Updated patches attached >>>> 4. NACK >>>> ipa-ca-install does not add A/AAAA records for the new CA. >>> This should work, code is on the right place. Maybe it is a race condition. >>> >>> ... 2 hours later ... >>> >>> I found that this is broken since 4.3.0, I will fix it separately >>> https://fedorahosted.org/freeipa/ticket/5966 >>> >>> Anyway I found bug in replicainstall (fixed) because copy&paste everywhere >>> >>>> 5. 
NACK >>>> ipa-replica-manage del does not delete SRV records from the >>>> remaining master >>>> >>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com >>>> WARNING: yacc table file version is out of date >>>> Checking connectivity in topology suffix 'domain' >>>> Checking connectivity in topology suffix 'ca' >>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid >>>> 'idnsserverid': must be Unicode text >>>> You may need to manually remove them from the tree >>>> Checking for deleted segments in suffix 'domain' >>>> Agreements deleted >>>> Checking for deleted segments in suffix 'ca' >>>> Agreements deleted >>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: >>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found >>>> You may need to manually remove them from the tree >>> Fixed >>>> Manual execution of ipa dns-update-system-records fixes that. >>>> >>>> >>>> >>>> Besides NACKs above one more thing is missing: >>>> Following config options are not migrated from named.conf to LDAP object: >>>> >>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade >>>> >>>> >>>> >>>> This can go to a separate patch set if you wish (at the very end). >>> I will leave this for later, bind-dyndb-ldap will continue working with local >>> configuration as before, patches are of course welcome. >>> >>> Updated patches attached, + hydra patching >> 6. NACK >> # ipa server-show $(hostname) >> Managed suffixes: domain, ca >> Min domain level: 0 >> Max domain level: 1 >> Location: l1 >> Enabled server roles: CA server, DNS server, NTP server >> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com >> >> [root at vm-046 review]# ipa server-mod $(hostname) --location=l2 >> ipa: ERROR: no modifications to be performed >> > Updated patches attached ACK up to patch 519. 
7th NACK to the rest:

It fails while attempting to add non-DNS to a location:

# ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com
Managed suffixes: domain
Min domain level: 0
Max domain level: 1
Location: l1
Enabled server roles:
Server name: vm-046.abc.idm.lab.eng.brq.redhat.com

# ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2
ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found

-- 
Petr^2 Spacek

From mbasti at redhat.com Fri Jun 17 13:27:15 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 15:27:15 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations
In-Reply-To: <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com>

On 17.06.2016 15:17, Petr Spacek wrote:
> On 17.6.2016 12:25, Martin Basti wrote:
>>
>> On 17.06.2016 08:46, Petr Spacek wrote:
>>> On 16.6.2016 22:14, Martin Basti wrote:
>>>> On 16.06.2016 15:59, Petr Spacek wrote:
>>>>> On 16.6.2016 13:57, Martin Basti wrote:
>>>>>> On 16.06.2016 12:09, Petr Spacek wrote:
>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote:
>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>>>>>>>> commands attached
>>>>>>>>>> Updated+rebased patches after Honza's interactive review
>>>>>>>>>>
>>>>>>>>> Minor nitpick fixed
>>>>>>>>>
>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> I will get to the rest later on.
>>>>>>> Problems I found (could be solved in separate patches if you wish):
>>>>>>>
>>>>>>> 1. NACK
>>>>>>> # ipa dns-update-system-records --dry-run
>>>>>>> ipa: ERROR: an internal error has occurred
>>>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys
>>>>>>> ['summary'] in { ...
>>>>>> Fixed
>>>>>>> 2. NACK
>>>>>>> Command ipa dns-update-system-records does not work with DNS Administrators
>>>>>>> privilege when some record is missing:
>>>>>>>
>>>>>>> ipa: WARNING: Update of system record
>>>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0
>>>>>>> 100 464
>>>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient
>>>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of
>>>>>>> entry
>>>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'.
>>>>>>>
>>>>>> Fixed (I hope)
>>>>>>> 3. NACK
>>>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns
>>>>>>> In fact the upgrade does not even add the object class into schema.
>>>>>>>
>>>>>> Fixed
>>>>>>> These need to be fixed before we can proceed.
>>>>>>>
>>>>>> Updated patches attached
>>>>> 4. NACK
>>>>> ipa-ca-install does not add A/AAAA records for the new CA.
>>>> This should work, the code is in the right place. Maybe it is a race condition.
>>>>
>>>> ... 2 hours later ...
>>>>
>>>> I found that this is broken since 4.3.0, I will fix it separately
>>>> https://fedorahosted.org/freeipa/ticket/5966
>>>>
>>>> Anyway I found a bug in replicainstall (fixed) because of copy&paste everywhere
>>>>
>>>>> 5. NACK
>>>>> ipa-replica-manage del does not delete SRV records from the
>>>>> remaining master
>>>>>
>>>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com
>>>>> WARNING: yacc table file version is out of date
>>>>> Checking connectivity in topology suffix 'domain'
>>>>> Checking connectivity in topology suffix 'ca'
>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid
>>>>> 'idnsserverid': must be Unicode text
>>>>> You may need to manually remove them from the tree
>>>>> Checking for deleted segments in suffix 'domain'
>>>>> Agreements deleted
>>>>> Checking for deleted segments in suffix 'ca'
>>>>> Agreements deleted
>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries:
>>>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found
>>>>> You may need to manually remove them from the tree
>>>> Fixed
>>>>> Manual execution of ipa dns-update-system-records fixes that.
>>>>>
>>>>> Besides the NACKs above one more thing is missing:
>>>>> The following config options are not migrated from named.conf to the LDAP object:
>>>>>
>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade
>>>>>
>>>>> This can go to a separate patch set if you wish (at the very end).
>>>> I will leave this for later, bind-dyndb-ldap will continue working with local
>>>> configuration as before, patches are of course welcome.
>>>>
>>>> Updated patches attached, + hydra patching
>>> 6. NACK
>>> # ipa server-show $(hostname)
>>> Managed suffixes: domain, ca
>>> Min domain level: 0
>>> Max domain level: 1
>>> Location: l1
>>> Enabled server roles: CA server, DNS server, NTP server
>>> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>>>
>>> [root@vm-046 review]# ipa server-mod $(hostname) --location=l2
>>> ipa: ERROR: no modifications to be performed
>>>
>> Updated patches attached
> ACK up to patch 519.
master:
* 0f5cca0e45481520d25b20b48f939b2581f4d27b DNS Locations: add index for ipalocation attribute
* d7671ee66786b674454b7b58c9558e0c7c853cd5 DNS Locations: fix location-del
* 745a2e6471b27faabeb5479b9d2845b18606d8b0 DNS Locations: add idnsTemplateObject objectclass
* 87c23ba029df9227384b3f5e2028f3f0e429e9ab DNS Locations: DNS data management
* 394b094fc22ef67742824ec03d4e851a2876fd81 DNS Locations: permission: allow to read status of services
* cf634a4ff8a100589f99e57c51b2c4591853e88a DNS Locations: add ACI for template attribute
* e23159596e1851f156461d00b9f9f99dc698e12b DNS Locations: command dns-update-system-records
* 45a93265740fdfc14e6ee8785f844f8d34508fc4 DNS Locations: use dns_update_service_records in installers
* a5a6ceafcd3418a6242bbf948d825f2b61c95f23 DNS Locations: adtrustinstance simplify dns management
* a7e463948db5870d264f59954c9a2e9b5b59e1dd DNS Locations: use automatic records update in ipa-adtrust-install
* 4076e8e4e50d527f613536138cd851cd068cd2d9 DNS Locations: server-mod: add automatic records update
* 88a0952f26f9d1e2ee9d02126b27f3075dbad46a DNS Locations: dnsservers: add required objectclasses
* 2157ea0e6d0d762bdc71022ddd55045406c4b300 DNS Locations: dnsserver-* commands
* 52590d6fa581e3b53e2c9350dc307a1f360c40a3 DNS Locations: dnsserver: put server_id option into named.conf
* 08265f1e92bd91d9e4ba3285b953ff9ccd79040b DNS Locations: dnsserver: use the newer config way in installer
* d70e52b61b35f42ca2d34ef05310fd2c18c882ce DNS Locations: dnsserver: remove config when replica is removed

>
> 7th NACK to the rest:
Actually it is just the 2nd NACK, because patches 520+ have just a 2nd revision ;-)
>
> It fails while attempting to add non-DNS to a location:
>
> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com
> Managed suffixes: domain
> Min domain level: 0
> Max domain level: 1
> Location: l1
> Enabled server roles:
> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>
> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2
> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found
>
Will send a fix soon...

Martin^2

From mbabinsk at redhat.com Fri Jun 17 13:56:05 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Jun 2016 15:56:05 +0200
Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del
In-Reply-To: <4462a7b3-bcad-c063-6527-732d785bcf2a@redhat.com>
References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com> <4462a7b3-bcad-c063-6527-732d785bcf2a@redhat.com>
Message-ID: <50606cf0-4ec4-fc3e-0eb4-e4157f120550@redhat.com>

On 06/16/2016 12:45 PM, Martin Basti wrote:
>
> On 15.06.2016 15:29, Martin Babinsky wrote:
>> On 06/15/2016 10:30 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 12.6.2016 17:31, Martin Babinsky wrote:
>>>> On 06/09/2016 08:12 PM, Martin Babinsky wrote:
>>>>> These patches expand `server_del` to a full-fledged IPA master
>>>>> killer in domain level 1.
>>>>>
>>>>> Due to the 'server uninstallation removed master from topology' use case,
>>>>> the individual steps are not in the same order as in the original code
>>>>> to facilitate self-removal from topology without introducing an
>>>>> array of permissions for the master to remove itself.
>>>>>
>>>>> I had no opportunity to test out the CI test suite because of
>>>>> technical problems so it would be nice if our upstream QE could give it a
>>>>> spin and report errors.
>>>>>
>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>
>>>> Attaching rebased patches and bumping for review.
>>>>
>>>> Please note that they depend on the 'Server Roles v2' patchset.
>>>
>>> Patch 0153:
>>>
>>> Should be an ipaserver module, unless it is required on clients as well,
>>> in which case it should be an ipalib module.
>>>
>>> Patch 0154: LGTM
>>>
>>> Patch 0155:
>>>
>>> In LDAPDelete subclasses, the primary key argument is multivalue, so I'm
>>> guessing your post_callback won't work correctly.
>>>
>>> Also, since this is *server*-del, s/master/server/ where applicable.
>>>
>>> Patch 0156: LGTM
>>>
>>> Patch 0157:
>>>
>>> This looks suspicious:
>>>
>>> +    result = server_del_cmd(hostname, version=api_version, **options)
>>>
>>> Version is automatically filled in in Command.__call__(), why do you add
>>> it manually here?
>>>
>>> Patch 0158: LGTM
>>>
>>> Honza
>>>
>>
>> Attaching updated patches.
>>
>
> Hello, I have a few comments:
>
> 1)
> you reused ID numbers for your messages
>
> +class ServerRemovalInfo(PublicMessage):
> ...
> +    errno = 13020
>
> +class ServerRemovalWarning(PublicMessage):
> ...
> +    errno = 13021
>
>
> class FailedToRemoveHostDNSRecords(PublicMessage):
> ...
>     errno = 13020
>
>
> class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
> ...
>     errno = 13021
>
> 2)
> +    def _check_topology_connectivity(self, topology_connectivity, master_cn):
> +        try:
> +            topology_connectivity.check_current_state()
> +        except ValueError as e:
> +            raise errors.ServerRemovalError(reason=_(str(e)))
> +
> +        try:
> +            topology_connectivity.check_state_after_removal(master_cn)
> +        except ValueError as e:
> +            raise errors.ServerRemovalError(reason=_(str(e)))
>
> * _(str(e)): gettext cannot be used this way
> * str(e): you don't need to convert the exception to a string, this is done
> automatically in the exception
>
>
> 3) gettext again
> +        self.add_message(
> +            messages.ServerRemovalWarning(
> +                message=_(msg)
> +            )
> +        )
>
>
> 4)
> +            messages.ServerRemovalWarning(
> +                message=_("Failed to clean memberPrincipal {principal}"
> +                          " from s4u2proxy entry {dn}: {err}".format(
> +                              principal=member_principal,
> +                              dn=dn,
> +                              err=e))))
>
> +            messages.ServerRemovalWarning(
> +                message=_("Failed to clean up DNA hostname entries for "
> +                          "{master}: {err}".format(
> +                              master=master, err=e))))
>
> several more times
>
> I'm not sure if this will work, for safety I would prefer to change it
> to dictionary substitution
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668226
> It looks like it was fixed in gettext 18.3, some distributions still
> have the older one
>
> I have to test more how gettext works with the new python format strings
>
> 5)
> +    def interactive_prompt_callback(self, kw):
> +        self.api.Backend.textui.print_plain(
> +            _("Removing {server} from replication topology, "
> +              "please wait...".format(server=', '.join(kw['cn']))))
>
> Will this work? IMO this should be on the client side
>
>
Updated and rebased patches attached.

-- 
Martin^3 Babinsky

Attachment: freeipa-mbabinsk-0153-4-ipaserver-module-for-working-with-managed-topology.patch (text/x-patch, 9954 bytes)
Attachment: freeipa-mbabinsk-0154-4-delegate-removal-of-master-DNS-record-and-replica-ke.patch (text/x-patch, 2983 bytes)
Attachment: freeipa-mbabinsk-0155-4-server-del-perform-full-master-removal-in-managed-to.patch (text/x-patch, 22324 bytes)
Attachment: freeipa-mbabinsk-0156-4-CI-test-suite-for-server-del.patch (text/x-patch, 16669 bytes)
Attachment: freeipa-mbabinsk-0157-4-ipa-replica-manage-use-server_del-when-removing-doma.patch (text/x-patch, 12944 bytes)
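Martin Basti's points 2 to 4 in the review quoted above (calling `_()` on an already formatted string or on a runtime-built `str(e)`) can be reproduced without a compiled catalog. This is an added example, not code from the patches under review; `DictTranslations`, its `CATALOG` and the `[xx]` pseudo-translations are constructed stand-ins for a real gettext .mo file, and the hostname is made up.

```python
import gettext

# Constructed stand-in for a compiled .mo catalog (a real deployment would
# load one with gettext.translation()). The keys are the literal msgids that
# xgettext extracts from the source; the values are made-up pseudo
# translations prefixed with [xx] so that a successful lookup is visible.
CATALOG = {
    "Failed to clean up DNA hostname entries for {master}: {err}":
        "[xx] DNA hostname cleanup failed for {master}: {err}",
    "Failed to clean up DNA hostname entries for %(master)s: %(err)s":
        "[xx] DNA hostname cleanup failed for %(master)s: %(err)s",
}


class DictTranslations(gettext.NullTranslations):
    """Translation object backed by the in-memory CATALOG (constructed)."""

    def gettext(self, message):
        # Unknown msgids fall through untranslated, exactly as gettext does.
        return CATALOG.get(message, message)


_ = DictTranslations().gettext


def format_then_translate(master, err):
    # Pattern from the reviewed patch: .format() runs before _(), so gettext
    # is asked for a msgid that already contains runtime values. No catalog
    # can contain that string, so the message silently stays untranslated.
    return _("Failed to clean up DNA hostname entries for {master}: {err}"
             .format(master=master, err=err))


def translate_then_format(master, err):
    # Translate the literal msgid first, then substitute the values.
    return _("Failed to clean up DNA hostname entries for {master}: {err}"
             ).format(master=master, err=err)


def translate_then_percent(master, err):
    # Dictionary substitution, as suggested in the review: the same ordering,
    # but with placeholders that older xgettext versions also recognise.
    return _("Failed to clean up DNA hostname entries for %(master)s: %(err)s"
             ) % {"master": master, "err": err}


def translate_exception(exc):
    # _(str(e)): the text is only known at runtime, so xgettext never
    # extracts it and no catalog can hold it; gettext returns it unchanged.
    return _(str(exc))


def is_translated(text):
    """True when the catalog lookup actually hit (constructed [xx] marker)."""
    return text.startswith("[xx] ")


if __name__ == "__main__":
    host, err = "vm-046.example.test", "timeout"
    for fn in (format_then_translate, translate_then_format,
               translate_then_percent):
        out = fn(host, err)
        print("%-24s translated=%-5s %s" % (fn.__name__, is_translated(out), out))
```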
Attachment: freeipa-mbabinsk-0158-4-remove-the-master-from-managed-topology-during-unins.patch (text/x-patch, 10643 bytes)

From mbabinsk at redhat.com Fri Jun 17 14:18:36 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Jun 2016 16:18:36 +0200
Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del
In-Reply-To: <50606cf0-4ec4-fc3e-0eb4-e4157f120550@redhat.com>
References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com> <4462a7b3-bcad-c063-6527-732d785bcf2a@redhat.com> <50606cf0-4ec4-fc3e-0eb4-e4157f120550@redhat.com>
Message-ID: <4c39b89b-8a9e-563f-16c3-8bcac3a8e5e5@redhat.com>

On 06/17/2016 03:56 PM, Martin Babinsky wrote:
> On 06/16/2016 12:45 PM, Martin Basti wrote:
>>
>> On 15.06.2016 15:29, Martin Babinsky wrote:
>>> On 06/15/2016 10:30 AM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 12.6.2016 17:31, Martin Babinsky wrote:
>>>>> On 06/09/2016 08:12 PM, Martin Babinsky wrote:
>>>>>> These patches expand `server_del` to a full-fledged IPA master
>>>>>> killer in domain level 1.
>>>>>>
>>>>>> Due to the 'server uninstallation removed master from topology' use case,
>>>>>> the individual steps are not in the same order as in the original code
>>>>>> to facilitate self-removal from topology without introducing an
>>>>>> array of permissions for the master to remove itself.
>>>>>>
>>>>>> I had no opportunity to test out the CI test suite because of
>>>>>> technical problems so it would be nice if our upstream QE could give it a
>>>>>> spin and report errors.
>>>>>>
>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4
>>>>>> https://fedorahosted.org/freeipa/ticket/5181
>>>>>>
>>>>> Attaching rebased patches and bumping for review.
>>>>>
>>>>> Please note that they depend on the 'Server Roles v2' patchset.
>>>>
>>>> Patch 0153:
>>>>
>>>> Should be an ipaserver module, unless it is required on clients as
>>>> well, in which case it should be an ipalib module.
>>>>
>>>> Patch 0154: LGTM
>>>>
>>>> Patch 0155:
>>>>
>>>> In LDAPDelete subclasses, the primary key argument is multivalue, so
>>>> I'm guessing your post_callback won't work correctly.
>>>>
>>>> Also, since this is *server*-del, s/master/server/ where applicable.
>>>>
>>>> Patch 0156: LGTM
>>>>
>>>> Patch 0157:
>>>>
>>>> This looks suspicious:
>>>>
>>>> +    result = server_del_cmd(hostname, version=api_version, **options)
>>>>
>>>> Version is automatically filled in in Command.__call__(), why do you
>>>> add it manually here?
>>>>
>>>> Patch 0158: LGTM
>>>>
>>>> Honza
>>>>
>>>
>>> Attaching updated patches.
>>>
>>
>> Hello, I have a few comments:
>>
>> 1)
>> you reused ID numbers for your messages
>>
>> +class ServerRemovalInfo(PublicMessage):
>> ...
>> +    errno = 13020
>>
>> +class ServerRemovalWarning(PublicMessage):
>> ...
>> +    errno = 13021
>>
>>
>> class FailedToRemoveHostDNSRecords(PublicMessage):
>> ...
>>     errno = 13020
>>
>>
>> class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
>> ...
>>     errno = 13021
>>
>> 2)
>> +    def _check_topology_connectivity(self, topology_connectivity, master_cn):
>> +        try:
>> +            topology_connectivity.check_current_state()
>> +        except ValueError as e:
>> +            raise errors.ServerRemovalError(reason=_(str(e)))
>> +
>> +        try:
>> +            topology_connectivity.check_state_after_removal(master_cn)
>> +        except ValueError as e:
>> +            raise errors.ServerRemovalError(reason=_(str(e)))
>>
>> * _(str(e)): gettext cannot be used this way
>> * str(e): you don't need to convert the exception to a string, this is done
>> automatically in the exception
>>
>>
>> 3) gettext again
>> +        self.add_message(
>> +            messages.ServerRemovalWarning(
>> +                message=_(msg)
>> +            )
>> +        )
>>
>>
>> 4)
>> +            messages.ServerRemovalWarning(
>> +                message=_("Failed to clean memberPrincipal {principal}"
>> +                          " from s4u2proxy entry {dn}: {err}".format(
>> +                              principal=member_principal,
>> +                              dn=dn,
>> +                              err=e))))
>>
>> +            messages.ServerRemovalWarning(
>> +                message=_("Failed to clean up DNA hostname entries for "
>> +                          "{master}: {err}".format(
>> +                              master=master, err=e))))
>>
>> several more times
>>
>> I'm not sure if this will work, for safety I would prefer to change it
>> to dictionary substitution
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668226
>> It looks like it was fixed in gettext 18.3, some distributions still
>> have the older one
>>
>> I have to test more how gettext works with the new python format strings
>>
>> 5)
>> +    def interactive_prompt_callback(self, kw):
>> +        self.api.Backend.textui.print_plain(
>> +            _("Removing {server} from replication topology, "
>> +              "please wait...".format(server=', '.join(kw['cn']))))
>>
>> Will this work? IMO this should be on the client side
>>
>>
> Updated and rebased patches attached.
>
>

I made an error during the rebase of patch 153. Re-sending the whole batch with the correct one.

-- 
Martin^3 Babinsky
Attachment: freeipa-mbabinsk-0153-5-ipaserver-module-for-working-with-managed-topology.patch (text/x-patch, 10033 bytes)
Attachment: freeipa-mbabinsk-0154-4-delegate-removal-of-master-DNS-record-and-replica-ke.patch (text/x-patch, 2983 bytes)
Attachment: freeipa-mbabinsk-0155-4-server-del-perform-full-master-removal-in-managed-to.patch (text/x-patch, 22324 bytes)
Attachment: freeipa-mbabinsk-0156-4-CI-test-suite-for-server-del.patch (text/x-patch, 16669 bytes)
Attachment: freeipa-mbabinsk-0157-4-ipa-replica-manage-use-server_del-when-removing-doma.patch (text/x-patch, 12944 bytes)
Attachment: freeipa-mbabinsk-0158-4-remove-the-master-from-managed-topology-during-unins.patch (text/x-patch, 10643 bytes)

From mbabinsk at redhat.com Fri Jun 17 14:21:24 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 17 Jun 2016 16:21:24 +0200
Subject: [Freeipa-devel] [PATCH 0161] Fix listing of enabled roles in `server-find`
Message-ID: <90bdd0ff-4321-9e50-c1f2-46c2f06027b7@redhat.com>

There is an issue with outputting enabled roles in server-find regarding our lovely `--raw`, `--all` and `--no-member` options. This quick patch fixes that.

-- 
Martin^3 Babinsky

Attachment: freeipa-mbabinsk-0161-Fix-listing-of-enabled-roles-in-server-find.patch (text/x-patch, 1215 bytes)

From pvoborni at redhat.com Fri Jun 17 14:30:52 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Fri, 17 Jun 2016 16:30:52 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To: <20160617065309.GO4744@dhcp-40-8.bne.redhat.com>
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> <20160617065309.GO4744@dhcp-40-8.bne.redhat.com>
Message-ID: <5764099C.1020403@redhat.com>

On 17.6.2016 08:53, Fraser Tweedale wrote:
> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>
>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>
> Updated patch attached.
>

I'm not sure if the following is related to thin client or other work, but it should be looked at. Feel free to open a different ticket for it.

I was doing some testing yesterday and this was in audit:

time->Thu Jun 16 22:11:32 2016
type=AVC msg=audit(1466107892.404:662): avc: denied { write } for pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" ino=183080 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file permissive=0

I did not investigate further, but couldn't it be caused by initializing the api with api.bootstrap(in_server=True.. which then initializes the session plugin which then initializes MemcacheSessionManager? A similar issue could be in other usages.

-- 
Petr Vobornik

From dkupka at redhat.com Fri Jun 17 14:31:31 2016
From: dkupka at redhat.com (David Kupka)
Date: Fri, 17 Jun 2016 16:31:31 +0200
Subject: [Freeipa-devel] [PATCH 0105] Remove unused locking "context manager"
Message-ID: <5053a01d-3102-b0ff-4273-599e226ac276@redhat.com>

Just dropping a tiny piece of no longer used code.

-- 
David Kupka

Attachment: freeipa-ipa42-dkupka-0105.0-Remove-unused-locking-context-manager.patch (text/x-patch, 1370 bytes)
Attachment: freeipa-master,ipa43-dkupka-0105.0-Remove-unused-locking-context-manager.patch (text/x-patch, 1382 bytes)

From mbasti at redhat.com Fri Jun 17 15:05:44 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 17:05:44 +0200
Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations
In-Reply-To: <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com>
References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com>

On 17.06.2016 15:17, Petr Spacek wrote:
> On 17.6.2016 12:25, Martin Basti wrote:
>>
>> On 17.06.2016 08:46, Petr Spacek wrote:
>>> On 16.6.2016 22:14, Martin Basti wrote:
>>>> On 16.06.2016 15:59, Petr Spacek wrote:
>>>>> On 16.6.2016 13:57, Martin Basti wrote:
>>>>>> On 16.06.2016 12:09, Petr Spacek wrote:
>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote:
>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote:
>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote:
>>>>>>>>>>
>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-*
>>>>>>>>>> commands attached
>>>>>>>>>> Updated+rebased patches after Honza's interactive review
>>>>>>>>>>
>>>>>>>>> Minor nitpick fixed
>>>>>>>>>
>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch
>>>>>>>>
>>>>>>>> ACK
>>>>>>>>
>>>>>>>> I will get to the rest later on.
>>>>>>> Problems I found (could be solved in separate patches if you wish):
>>>>>>>
>>>>>>> 1.
>
> 7th NACK to the rest:
>
> It fails while attempting to add non-DNS to a location:
>
> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com
> Managed suffixes: domain
> Min domain level: 0
> Max domain level: 1
> Location: l1
> Enabled server roles:
> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com
>
> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2
> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found
>
Updated patches attached + 2 extra hydra patches :)

Attachment: freeipa-mbasti-0520.3-DNS-Locations-set-proper-substitution-variable.patch (text/x-patch, 1740 bytes)
Attachment: freeipa-mbasti-0521.3-DNS-Locations-require-to-restart-named-pkcs11-affter.patch (text/x-patch, 2283 bytes)
Attachment: freeipa-mbasti-0522.3-DNS-Locations-show-warning-if-there-is-no-DNS-server.patch (text/x-patch, 4005 bytes)
Attachment: freeipa-mbasti-0523.3-DNS-Locations-prevent-to-remove-used-locations.patch (text/x-patch, 1781 bytes)
Attachment: freeipa-mbasti-0524.3-DNS-Locations-do-not-generate-location-records-for-u.patch (text/x-patch, 2323 bytes)
Attachment: freeipa-mbasti-0525.3-DNS-Locations-location-del-remove-location-record.patch (text/x-patch, 3633 bytes)
Attachment: freeipa-mbasti-0526.3-DNS-Locations-Rename-ipalocationweight-to-ipaservice.patch (text/x-patch, 17838 bytes)
Attachment: freeipa-mbasti-0527.3-DNS-Locations-generate-NTP-records.patch (text/x-patch, 4223 bytes)
Attachment: freeipa-mbasti-0528.3-upgrade-don-t-fail-if-zone-does-not-exists-in-in-fin.patch (text/x-patch, 1154 bytes)
Attachment: freeipa-mbasti-0529.1-DNS-Location-add-list-of-roles-and-DNS-servers-to-lo.patch (text/x-patch, 3795 bytes)
Attachment: freeipa-mbasti-0530.1-DNS-Locations-dnsserver-print-specific-error-when-DN.patch (text/x-patch, 1379 bytes)

From mbasti at redhat.com Fri Jun 17 15:32:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 17:32:30 +0200
Subject: [Freeipa-devel] [PATCH] 0005 Always qualify requests for admin in ipa-replica-conncheck
References: <03e2c4d9-54b3-c3ac-537a-e6c9069af409@redhat.com> <69456999-093e-1d4a-5ff7-6f5cd13e1712@redhat.com>
Message-ID: <7e3f13bf-35f3-134f-db6d-802f5d4277b4@redhat.com>

On 07.06.2016 17:25, Florence Blanc-Renaud wrote:
> On 06/06/2016 07:18 PM, Martin Basti wrote:
>>
>> On 02.06.2016 14:58, Florence Blanc-Renaud wrote:
>>>
>>> Hi,
>>>
>>> this patch modifies ipa-replica-conncheck when it performs the SSH
>>> connection to the master, so that the username is always fully
>>> qualified.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5812
>>> --
>>> Florence Blanc-Renaud
>>> Identity Management Team, Red Hat
>>>
>>
>> LGTM, but because of the current issues with replica install in the master
>> branch, I couldn't test it and I would like to be sure that
>> ipa-replica-install using NTP will work too
>>
>> Just a little nitpick, for better readability, 'command' should be on a
>> new line
>> -            '%s@%s' % (self.user, self.addr), command
>> +            '-o User=%s' % self.user,
>> +            '%s' % self.addr, command
>>
>> Martin^2
>
> Hi Martin,
>
> thanks for the review. I am attaching a new patch with your
> suggestion. Just for my record, what would be the command-line options
> to test the scenario you're referring to?
>
> Flo.
>
ACK

Pushed to master: 4a7345e44804cf14f664814a2ab60f7a43ffa4ee

From pspacek at redhat.com Fri Jun 17 15:44:13 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Fri, 17 Jun 2016 17:44:13 +0200
Subject: [Freeipa-devel] bind-dyndb-ldap reviews
In-Reply-To: <528640880.56449601.1466164686395.JavaMail.zimbra@redhat.com>
References: <528640880.56449601.1466164686395.JavaMail.zimbra@redhat.com>
Message-ID: <79a9ae8c-68f2-2fe9-dbc2-e44401c2e341@redhat.com>

On 17.6.2016 13:58, Martin Sehnoutka wrote:
> ACK

Thanks, pushed to master:

75d1dbabc3893deac89d36d56c9ff86d88ed3b55 Make task selection in syncrepl_update() deterministic.
431b8c47b4c6a27a933c842ed875cb5155f968fb Avoid redundant sync_task_add() calls.
62b19b4d423164e4a0dfb00a13358611c86ed789 Rework hack for synchronous event processing to make it reliable.
ca9551ac12d597867870332f667ee872eacd5749 Remove misleading zonemgr check from task selection mechanism.
c24cae2626ca36909022a05d361996584ac82493 Remove unused inst->local_settings("base") lookup from ldap_sync_search_entry.
cfde79fec8f6fc14b10fabed6280777b4a0de525 Support default TTL configuration at zone level: dNSdefaultTTL attribute.
b1d31eeacd438950dfde38e55a284dfbc119bce8 Optimize idnsTemplateAttribute processing.
3780a448e403ac525de322901c09cec83d49bfbc Detect unsupported combination of idnsTemplateObject with other object classes.
0c7560b921805581b6a98e72c8bb0fa3672c82d8 Support dynamic record generation using idnsTemplateAttribute.
73ef87f498839ea264b93513f6539618c3419376 Revive str.c:str_cat_char_len function from git history.
adb38c70803401b8b7c28e4ff08696d5bb0ae67c Refactor ldap_parse_rrentry to make settings system available to it.
3d3fbc6ef1fdba2e9184379ce28aefaadcbb03b5 Read idnsSubstitutionVariable;ipalocation variable from server's config in LDAP.
aa9bed122a59064c9d0885e1f7401863335f6af2 Support fake_mname option in per-server configuration in LDAP.
97e9d93cb0e7d0f72fe130c6bfa6a886bc609928 Read configuration from LDAP first to guarantee its availability.
112f50a6d9d746753bb793437975fb895c1f0606 Refactor LDAP SyncRepl connection handling to make it reusable.
a47a591225593243c89da7df1cf2a58cffc37653 Do not log "connection to the LDAP server was lost" on forced reconnects.
9864fadfeecd6b13d7c98bd752b78fce039224c4 Fix interaction between root zone and global forwarders.
ad9bb03a45f84b523ba5721998698c5f905f34d7 Parse idnsServerConfigObject and use its values for forwarder configuration.
6cc8e7264cdf46242c8be06d7d6ed7519ac26e78 Add LDAP schema for per-server config in LDAP.
5dd20013d1fd1ce964485b279f78c50ce7bbb416 Add server_ldap_settings layer to tree of setting objects.
fdfb1a635824fe45bd7a8deb52442fc8cfad891d Do not apply forwarding configuration for disabled master zones.
759f3d97329faf08447cc3195b29cb87c95c4e56 Untangle forwarder configuration from LDAP code.
ee433742457950c138127e90fdbb7f614a3b43a9 Settings: Expose API for setting_unset and setting_find to other modules.
6c40c6067340e845eccebb73793f43574d698997 Settings: Support enum description->value mapping.
6a1e2512668e59f434e86cddc3f9320557723e1d Separate BIND config utilities from ACL parsing.
f0de8168979520541eeb3186227bd4a4470e91e5 Fix in destroy_ldap_instance() caused by uninitialized MetaLDAP.
f5b1da78950dc6a28934b2778f5a6853ba37019f Initialize empty zone iterator to avoid potential crashes.

Petr^2 Spacek

> Martin Sehnoutka
>
> ----- Original Message -----
> From: "Petr Spacek"
> To: msehnout at redhat.com
> Sent: Wednesday, June 15, 2016 4:25:15 PM
> Subject: bind-dyndb-ldap reviews
>
> Hello,
>
> please review the patches mentioned below.
>
> Do not hesitate to contact me whenever you have a question or anything is unclear.
>
> Project home page:
> https://fedorahosted.org/bind-dyndb-ldap/
>
> README file in Git:
> http://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
>
> Design pages for new features:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator
>
> Notes regarding current state:
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00395.html
>
> Patches waiting for review on the mailing list:
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00203.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00205.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00329.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00207.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00343.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00331.html
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00332.html
>
> Git repo with all patches:
> https://github.com/pspacek/bind-dyndb-ldap/tree/server_config_in_ldap4
>
> COPR build:
> https://copr.fedorainfracloud.org/coprs/pspacek/bind-dyndb-ldap/build/342711/
>
> Lab user guide:
> https://mojo.redhat.com/docs/DOC-1005343
>
> Thank you very much for your time.

From pspacek at redhat.com Fri Jun 17 16:00:05 2016
From: pspacek at redhat.com (Petr Spacek) Date: Fri, 17 Jun 2016 18:00:05 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations In-Reply-To: References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com> Message-ID: <81d06737-2eaf-a8ad-894d-1d98790ff151@redhat.com> On 17.6.2016 17:05, Martin Basti wrote: > > > On 17.06.2016 15:17, Petr Spacek wrote: >> On 17.6.2016 12:25, Martin Basti wrote: >>> >>> On 17.06.2016 08:46, Petr Spacek wrote: >>>> On 16.6.2016 22:14, Martin Basti wrote: >>>>> On 16.06.2016 15:59, Petr Spacek wrote: >>>>>> On 16.6.2016 13:57, Martin Basti wrote: >>>>>>> On 16.06.2016 12:09, Petr Spacek wrote: >>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote: >>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote: >>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote: >>>>>>>>>>> >>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* >>>>>>>>>>> commands attached >>>>>>>>>>> Updated+rebased patches after Honza's interactive review >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> Minor nitpick fixed >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> ACK >>>>>>>>> >>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch >>>>>>>>> >>>>>>>>> >>>>>>>>> ACK >>>>>>>>> >>>>>>>>> >>>>>>>>> I will get to the rest later on. >>>>>>>> Problems I found (could be solved in separate patches if you wish): >>>>>>>> >>>>>>>> 1. 
NACK >>>>>>>> # ipa dns-update-system-records --dry-run >>>>>>>> ipa: ERROR: an internal error has occurred >>>>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys >>>>>>>> ['summary'] in { ... >>>>>>> Fixed >>>>>>>> 2. NACK >>>>>>>> Command ipa dns-update-system-records does not work with DNS >>>>>>>> Administrators >>>>>>>> privilege when some record is missing: >>>>>>>> >>>>>>>> ipa: WARNING: Update of system record >>>>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 >>>>>>>> 100 464 >>>>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient >>>>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of >>>>>>>> entry >>>>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Fixed (I hope) >>>>>>>> 3. NACK >>>>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns >>>>>>>> In fact the upgrade does not even add the object class into schema. >>>>>>>> >>>>>>> Fixed >>>>>>>> These needs to be fixed before we can proceed. >>>>>>>> >>>>>>> Updated patches attached >>>>>> 4. NACK >>>>>> ipa-ca-install does not add A/AAAA records for the new CA. >>>>> This should work, code is on the right place. Maybe it is a race condition. >>>>> >>>>> ... 2 hours later ... >>>>> >>>>> I found that this is broken since 4.3.0, I will fix it separately >>>>> https://fedorahosted.org/freeipa/ticket/5966 >>>>> >>>>> Anyway I found bug in replicainstall (fixed) because copy&paste everywhere >>>>> >>>>>> 5. 
NACK >>>>>> ipa-replica-manage del does not delete SRV records from the >>>>>> remaining master >>>>>> >>>>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com >>>>>> WARNING: yacc table file version is out of date >>>>>> Checking connectivity in topology suffix 'domain' >>>>>> Checking connectivity in topology suffix 'ca' >>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid >>>>>> 'idnsserverid': must be Unicode text >>>>>> You may need to manually remove them from the tree >>>>>> Checking for deleted segments in suffix 'domain' >>>>>> Agreements deleted >>>>>> Checking for deleted segments in suffix 'ca' >>>>>> Agreements deleted >>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: >>>>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found >>>>>> You may need to manually remove them from the tree >>>>> Fixed >>>>>> Manual execution of ipa dns-update-system-records fixes that. >>>>>> >>>>>> >>>>>> >>>>>> Besides NACKs above one more thing is missing: >>>>>> Following config options are not migrated from named.conf to LDAP object: >>>>>> >>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> This can go to a separate patch set if you wish (at the very end). >>>>> I will leave this for later, bind-dyndb-ldap will continue working with >>>>> local >>>>> configuration as before, patches are of course welcome. >>>>> >>>>> Updated patches attached, + hydra patching >>>> 6. NACK >>>> # ipa server-show $(hostname) >>>> Managed suffixes: domain, ca >>>> Min domain level: 0 >>>> Max domain level: 1 >>>> Location: l1 >>>> Enabled server roles: CA server, DNS server, NTP server >>>> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com >>>> >>>> [root at vm-046 review]# ipa server-mod $(hostname) --location=l2 >>>> ipa: ERROR: no modifications to be performed >>>> >>> Updated patches attached >> ACK up to patch 519. 
>> >> 7th NACK to the rest: >> >> It fails while attempting to add non-DNS to a location: >> >> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com >> Managed suffixes: domain >> Min domain level: 0 >> Max domain level: 1 >> Location: l1 >> Enabled server roles: >> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com >> >> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2 >> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found >> > > Updated patches attached + 2 extra hydra patches :) ACK with full force! -- Petr^2 Spacek From mbasti at redhat.com Fri Jun 17 16:10:24 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jun 2016 18:10:24 +0200 Subject: [Freeipa-devel] [PATCH 0503-0513, 0515-0519, 0520-0528] DNS locations In-Reply-To: <81d06737-2eaf-a8ad-894d-1d98790ff151@redhat.com> References: <5603ea2b-4fa5-dec5-b7ec-d68518443418@redhat.com> <233cecb3-085c-9622-3090-da8046048d80@redhat.com> <8cc28c03-81ca-21c6-da1c-ec2ea724fb4e@redhat.com> <04019696-063a-f2c6-d69e-6de3a1d097a1@redhat.com> <69969227-8705-7d5c-6a19-c705aeea9d61@redhat.com> <11f7beec-1a7f-b301-ee91-e18089d502dd@redhat.com> <9d36c98f-1897-2ba1-fcf3-9ae31ced75c2@redhat.com> <2c8f3538-f32e-adf8-0a01-7c96a74235d2@redhat.com> <2ef0f0d5-c6bc-a9c7-bd5d-4c0f065b5e86@redhat.com> <69c42073-5e7c-1de0-731c-57ad52dadc65@redhat.com> <81d06737-2eaf-a8ad-894d-1d98790ff151@redhat.com> Message-ID: On 17.06.2016 18:00, Petr Spacek wrote: > On 17.6.2016 17:05, Martin Basti wrote: >> >> On 17.06.2016 15:17, Petr Spacek wrote: >>> On 17.6.2016 12:25, Martin Basti wrote: >>>> On 17.06.2016 08:46, Petr Spacek wrote: >>>>> On 16.6.2016 22:14, Martin Basti wrote: >>>>>> On 16.06.2016 15:59, Petr Spacek wrote: >>>>>>> On 16.6.2016 13:57, Martin Basti wrote: >>>>>>>> On 16.06.2016 12:09, Petr Spacek wrote: >>>>>>>>> On 15.6.2016 17:24, Petr Spacek wrote: >>>>>>>>>> On 15.6.2016 15:45, Martin Basti wrote: >>>>>>>>>>> On 15.06.2016 14:52, Martin Basti wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hydra patching: Updated patches attached + new patches for dnsserver-* >>>>>>>>>>>> commands attached >>>>>>>>>>>> Updated+rebased patches after Honza's interactive review >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> Minor nitpick fixed >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> freeipa-mbasti-0503.3-DNS-Locations-add-index-for-ipalocation-attribute.patch >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>>> freeipa-mbasti-0505.3-DNS-Locations-add-idnsTemplateObject-objectclass.patch >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ACK >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I will get to the rest later on. 
>>>>>>>>> Problems I found (could be solved in separate patches if you wish): >>>>>>>>> >>>>>>>>> 1. NACK >>>>>>>>> # ipa dns-update-system-records --dry-run >>>>>>>>> ipa: ERROR: an internal error has occurred >>>>>>>>> ValueError: dns_update_system_records.validate_output(): unexpected keys >>>>>>>>> ['summary'] in { ... >>>>>>>> Fixed >>>>>>>>> 2. NACK >>>>>>>>> Command ipa dns-update-system-records does not work with DNS >>>>>>>>> Administrators >>>>>>>>> privilege when some record is missing: >>>>>>>>> >>>>>>>>> ipa: WARNING: Update of system record >>>>>>>>> '_kpasswd._tcp.dom-046.abc.idm.lab.eng.brq.redhat.com. 86400 IN SRV 0 >>>>>>>>> 100 464 >>>>>>>>> vm-046.abc.idm.lab.eng.brq.redhat.com.' failed with error: Insufficient >>>>>>>>> access: Insufficient 'write' privilege to the 'objectClass' attribute of >>>>>>>>> entry >>>>>>>>> 'idnsname=_kpasswd._tcp,idnsname=dom-046.abc.idm.lab.eng.brq.redhat.com.,cn=dns,dc=suffix'. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> Fixed (I hope) >>>>>>>>> 3. NACK >>>>>>>>> IPA server upgrade does not create idnsServerConfigObjects in cn=dns >>>>>>>>> In fact the upgrade does not even add the object class into schema. >>>>>>>>> >>>>>>>> Fixed >>>>>>>>> These needs to be fixed before we can proceed. >>>>>>>>> >>>>>>>> Updated patches attached >>>>>>> 4. NACK >>>>>>> ipa-ca-install does not add A/AAAA records for the new CA. >>>>>> This should work, code is on the right place. Maybe it is a race condition. >>>>>> >>>>>> ... 2 hours later ... >>>>>> >>>>>> I found that this is broken since 4.3.0, I will fix it separately >>>>>> https://fedorahosted.org/freeipa/ticket/5966 >>>>>> >>>>>> Anyway I found bug in replicainstall (fixed) because copy&paste everywhere >>>>>> >>>>>>> 5. 
NACK >>>>>>> ipa-replica-manage del does not delete SRV records from the >>>>>>> remaining master >>>>>>> >>>>>>> # ipa-replica-manage del vm-046.abc.idm.lab.eng.brq.redhat.com >>>>>>> WARNING: yacc table file version is out of date >>>>>>> Checking connectivity in topology suffix 'domain' >>>>>>> Checking connectivity in topology suffix 'ca' >>>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com entries: invalid >>>>>>> 'idnsserverid': must be Unicode text >>>>>>> You may need to manually remove them from the tree >>>>>>> Checking for deleted segments in suffix 'domain' >>>>>>> Agreements deleted >>>>>>> Checking for deleted segments in suffix 'ca' >>>>>>> Agreements deleted >>>>>>> Failed to cleanup vm-046.abc.idm.lab.eng.brq.redhat.com DNS entries: >>>>>>> abc.idm.lab.eng.brq.redhat.com.: DNS zone not found >>>>>>> You may need to manually remove them from the tree >>>>>> Fixed >>>>>>> Manual execution of ipa dns-update-system-records fixes that. >>>>>>> >>>>>>> >>>>>>> >>>>>>> Besides NACKs above one more thing is missing: >>>>>>> Following config options are not migrated from named.conf to LDAP object: >>>>>>> >>>>>>> https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP#Upgrade >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> This can go to a separate patch set if you wish (at the very end). >>>>>> I will leave this for later, bind-dyndb-ldap will continue working with >>>>>> local >>>>>> configuration as before, patches are of course welcome. >>>>>> >>>>>> Updated patches attached, + hydra patching >>>>> 6. 
NACK >>>>> # ipa server-show $(hostname) >>>>> Managed suffixes: domain, ca >>>>> Min domain level: 0 >>>>> Max domain level: 1 >>>>> Location: l1 >>>>> Enabled server roles: CA server, DNS server, NTP server >>>>> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com >>>>> >>>>> [root at vm-046 review]# ipa server-mod $(hostname) --location=l2 >>>>> ipa: ERROR: no modifications to be performed >>>>> >>>> Updated patches attached >>> ACK up to patch 519. >>> >>> 7th NACK to the rest: >>> >>> It fails while attempting to add non-DNS to a location: >>> >>> # ipa server-show vm-046.abc.idm.lab.eng.brq.redhat.com >>> Managed suffixes: domain >>> Min domain level: 0 >>> Max domain level: 1 >>> Location: l1 >>> Enabled server roles: >>> Server name: vm-046.abc.idm.lab.eng.brq.redhat.com >>> >>> # ipa server-mod vm-046.abc.idm.lab.eng.brq.redhat.com --location l2 >>> ipa: ERROR: vm-046.abc.idm.lab.eng.brq.redhat.com: DNS server not found >>> >> Updated patches attached + 2 extra hydra patches :) > ACK with full force! 
>
pushed to master:
* ef12cad30b3fc867b3b09abe6521c168dbc3ceaf DNS Locations: set proper substitution variable
* 1997733cdf60bbd5fee8a5286d567580fa4e0198 DNS Locations: require to restart named-pkcs11 affter location change
* 8dde1201ed9b0ca839ffe7421be7efd04b666e11 DNS Locations: show warning if there is no DNS servers in location
* b2931210eb794e52eac4b0e295fcbdfc5bb07f87 DNS Locations: prevent to remove used locations
* bbf8227e3fd678d4bd6659a12055ba3dbe1c8230 DNS Locations: do not generate location records for unused locations
* 3c50e42036427d7c5e36828f24bd3c180e18a677 DNS Locations: location-del: remove location record
* 4155eb7b13b20605886ba79c02c232f83a7b439c DNS Locations: Rename ipalocationweight to ipaserviceweight
* 313e63e3e4ba1aa3dd2ae5de54f6d277329fffee DNS Locations: generate NTP records
* 88ac58a1ce0641e65bcc7934020f85ef39d8e82b upgrade: don't fail if zone does not exists in in find
* e82ce439c4c8a4d2f5b4ef384158de93de1644cc DNS Location: add list of roles and DNS servers to location-show
* 8253727de1f823bb6c06d4687019e64dab825ec3 DNS Locations: dnsserver: print specific error when DNS is not installed

From mbasti at redhat.com Fri Jun 17 16:28:31 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 18:28:31 +0200
Subject: [Freeipa-devel] [PATCH 0105] Remove unused locking "context manager"
In-Reply-To: <5053a01d-3102-b0ff-4273-599e226ac276@redhat.com>
References: <5053a01d-3102-b0ff-4273-599e226ac276@redhat.com>
Message-ID: <62de7e49-45f7-3363-fc23-5a24bfdbb7d0@redhat.com>

On 17.06.2016 16:31, David Kupka wrote:
> Just dropping a tiny piece of no longer used code.

ACK

Pushed to master: 45bb2ad045654c020fe6ac4e77ed2741cd35d717

Only master; feel free to open tickets if a backport is needed.

From mbasti at redhat.com Fri Jun 17 16:57:03 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 17 Jun 2016 18:57:03 +0200 Subject: [Freeipa-devel] [PATCH 0153-0158] move ipa-replica-manage del functionality into server-del In-Reply-To: <4c39b89b-8a9e-563f-16c3-8bcac3a8e5e5@redhat.com> References: <78f324f8-cfcb-dd4c-92d1-ba3ee2b2b400@redhat.com> <158045fb-80d3-bea1-4048-74bc66601dbb@redhat.com> <44313b4e-744e-b408-85be-f4941d364da3@redhat.com> <07067481-f228-4a92-64a3-7569bf66c7cf@redhat.com> <4462a7b3-bcad-c063-6527-732d785bcf2a@redhat.com> <50606cf0-4ec4-fc3e-0eb4-e4157f120550@redhat.com> <4c39b89b-8a9e-563f-16c3-8bcac3a8e5e5@redhat.com> Message-ID: <220fd50e-6008-a386-a8d7-8973367e09b9@redhat.com> On 17.06.2016 16:18, Martin Babinsky wrote: > On 06/17/2016 03:56 PM, Martin Babinsky wrote: >> On 06/16/2016 12:45 PM, Martin Basti wrote: >>> >>> >>> On 15.06.2016 15:29, Martin Babinsky wrote: >>>> On 06/15/2016 10:30 AM, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> On 12.6.2016 17:31, Martin Babinsky wrote: >>>>>> On 06/09/2016 08:12 PM, Martin Babinsky wrote: >>>>>>> These patches expand `server_del` to a full fledged IPA master >>>>>>> killer in >>>>>>> domain level 1. >>>>>>> >>>>>>> Due to 'server uninstallation removed master from topology' use >>>>>>> case, >>>>>>> the individual steps are not in the same order as in the original >>>>>>> code >>>>>>> to facilitate self-removal from topology without introducing an >>>>>>> array of >>>>>>> permissions for master to remove itself. >>>>>>> >>>>>>> I had no opportunity to test out the CI test suite because of >>>>>>> technical >>>>>>> problems so it would be nice if our upstream QE could give it a >>>>>>> spin and >>>>>>> report errors. >>>>>>> >>>>>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 >>>>>>> https://fedorahosted.org/freeipa/ticket/5181 >>>>>>> >>>>>>> >>>>>>> >>>>>> Attaching rebased patches and bumping for review. >>>>>> >>>>>> Please note that they depend on 'Server Roles v2' patchset. 
>>>>> >>>>> Patch 0153: >>>>> >>>>> Should be an ipaserver module, unless it is required on clients as >>>>> well, >>>>> in which case it should be an ipalib module. >>>>> >>>>> >>>>> Patch 0154: LGTM >>>>> >>>>> >>>>> Patch 0155: >>>>> >>>>> In LDAPDelete subclasses, the primary key argument is multivalue, so >>>>> I'm >>>>> guessing your post_callback won't work correctly. >>>>> >>>>> Also, since this is *server*-del, s/master/server/ where applicable. >>>>> >>>>> >>>>> Patch 0156: LGTM >>>>> >>>>> >>>>> Patch 0157: >>>>> >>>>> This looks suspicious: >>>>> >>>>> + result = server_del_cmd(hostname, version=api_version, >>>>> **options) >>>>> >>>>> Version is automatically filled in in Command.__call__(), why do you >>>>> add >>>>> it manually here? >>>>> >>>>> >>>>> Patch 0158: LGTM >>>>> >>>>> >>>>> Honza >>>>> >>>> >>>> Attaching updated patches. >>>> >>>> >>>> >>> >>> Hello, I have a few comments: >>> >>> 1) >>> you reused ID numbers for the your messages >>> >>> +class ServerRemovalInfo(PublicMessage): >>> ... >>> + errno = 13020 >>> >>> +class ServerRemovalWarning(PublicMessage): >>> ... >>> + errno = 13021 >>> >>> >>> class FailedToRemoveHostDNSRecords(PublicMessage): >>> ... >>> errno = 13020 >>> >>> >>> class DNSForwardPolicyConflictWithEmptyZone(PublicMessage): >>> ... 
>>> errno = 13021
>>>
>>> 2)
>>> + def _check_topology_connectivity(self, topology_connectivity,
>>> master_cn):
>>> + try:
>>> + topology_connectivity.check_current_state()
>>> + except ValueError as e:
>>> + raise errors.ServerRemovalError(reason=_(str(e)))
>>> +
>>> + try:
>>> + topology_connectivity.check_state_after_removal(master_cn)
>>> + except ValueError as e:
>>> + raise errors.ServerRemovalError(reason=_(str(e)))
>>>
>>> * _(str(e)): gettext cannot be used in this way
>>> * str(e): you don't need to convert the exception to a string, this is done
>>> automatically in the exception
>>>
>>> 3) gettext again
>>> + self.add_message(
>>> + messages.ServerRemovalWarning(
>>> + message=_(msg)
>>> + )
>>> + )
>>>
>>> 4)
>>> + messages.ServerRemovalWarning(
>>> + message=_("Failed to clean memberPrincipal {principal}"
>>> + " from s4u2proxy entry {dn}: {err}".format(
>>> + principal=member_principal,
>>> + dn=dn,
>>> + err=e))))
>>>
>>> + messages.ServerRemovalWarning(
>>> + message=_("Failed to clean up DNA hostname entries for "
>>> + "{master}: {err}".format(
>>> + master=master, err=e))))
>>>
>>> several more times
>>>
>>> I'm not sure if this will work, for safety I would prefer to change it
>>> to dictionary substitution
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668226
>>> It looks like it was fixed in gettext 18.3, some distributions still
>>> have the older one
>>>
>>> I have to test more how gettext works with the new python format
>>> strings
>>>
>>> 5)
>>> + def interactive_prompt_callback(self, kw):
>>> + self.api.Backend.textui.print_plain(
>>> + _("Removing {server} from replication topology, "
>>> + "please wait...".format(server=', '.join(kw['cn']))))
>>>
>>> Will this work? IMO this should be on the client side
>>>
>> Updated and rebased patches attached.
>>
> I made an error during rebase of patch 153. Re-sending the whole batch
> with the correct one.
>
ACK, rebased and pushed to master:
* d8ae2b4055284de8c1baf76819d6611978f83cc6 ipaserver module for working with managed topology
* db882ae8d6eba768e08be9317e386f8ab3c8fcf7 delegate removal of master DNS record and replica keys to separate functions
* a6eb87bd68295e15ea19f5cb274cffbef5954d04 server-del: perform full master removal in managed topology
* 081941a5b9c9ac8832c465b857032e474bb9b09f CI test suite for `server-del`
* 47decc9b843b1b1d292511bcc8a24f8ac85745c0 ipa-replica-manage: use `server_del` when removing domain level 1 replica
* 31ffe1a12922b5118c847cbd6ac1ca9ea232ef94 remove the master from managed topology during uninstallation

From mbasti at redhat.com Fri Jun 17 17:00:45 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 17 Jun 2016 19:00:45 +0200
Subject: [Freeipa-devel] [PATCH 0161] Fix listing of enabled roles in `server-find`
In-Reply-To: <90bdd0ff-4321-9e50-c1f2-46c2f06027b7@redhat.com>
References: <90bdd0ff-4321-9e50-c1f2-46c2f06027b7@redhat.com>
Message-ID:

On 17.06.2016 16:21, Martin Babinsky wrote:
> There is an issue with outputting enabled roles in server-find
> regarding our lovely `--raw`, `--all` and `--no-member` options.
>
> This quick patch fixes that.

ACK

Added ticket to commit message: https://fedorahosted.org/freeipa/ticket/5181

Pushed to master: a540c909a7f63e7b0c19207eec69bd5914cb186e

From ftweedal at redhat.com Sat Jun 18 00:38:03 2016
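The gettext points raised in the server-del review above (the `_(str(e))` in point 2, `_(msg)` in point 3 and `_("...{master}...".format(...))` in point 4, plus the reused errno values in point 1) are easy to get wrong silently: the code runs, it just never translates. The following is an added example, not FreeIPA code and not part of the original thread; it uses an in-memory catalog standing in for a compiled .mo file, and the message text, the four message classes and their errno values are constructed here to mirror the review. It shows why formatting before the `_()` call defeats the catalog lookup, and adds the uniqueness check for message numbers that a test suite would want.

```python
import gettext


class DictTranslations(gettext.NullTranslations):
    """Stand-in for a compiled .mo catalog: an in-memory msgid -> msgstr map.
    Constructed for this example; real code installs a GNUTranslations object."""

    def __init__(self, catalog):
        gettext.NullTranslations.__init__(self)
        self._catalog = catalog

    def gettext(self, message):
        # Exact-match lookup on the msgid, which is all a real catalog does too.
        return self._catalog.get(message, message)


# Constructed catalog with one pseudo-German entry. The msgid is the
# *unformatted* template, which is what xgettext extracts from _("...") calls.
CATALOG = {
    "Failed to clean up DNA hostname entries for {master}: {err}":
        "[de] DNA-Eintraege fuer {master} nicht bereinigt: {err}",
}
_ = DictTranslations(CATALOG).gettext


def format_then_translate(master, err):
    """The pattern flagged in the review: .format() runs before _(), so the
    catalog is asked for 'Failed ... for ipa1.example.test: timeout', which
    is not a msgid. The lookup silently falls through to the English text."""
    return _("Failed to clean up DNA hostname entries for {master}: {err}".format(
        master=master, err=err))


def translate_then_format(master, err):
    """The fix: translate the literal msgid, then interpolate into the
    translation. A %(named)s dictionary substitution works the same way;
    what matters is that _() sees the template, not the expanded string."""
    return _("Failed to clean up DNA hostname entries for {master}: {err}").format(
        master=master, err=err)


def translate_exception_text(exc):
    """_(str(e)) from point 2: the exception text is produced at run time and
    is never extracted into a catalog, so _() is always a no-op here."""
    return _(str(exc))


# Point 1 of the review: message classes must not share an errno. These four
# classes are constructed to reproduce the clash (real FreeIPA has many more).
class PublicMessage(object):
    errno = None


class ServerRemovalInfo(PublicMessage):
    errno = 13020


class ServerRemovalWarning(PublicMessage):
    errno = 13021


class FailedToRemoveHostDNSRecords(PublicMessage):
    errno = 13020


class DNSForwardPolicyConflictWithEmptyZone(PublicMessage):
    errno = 13021


def _all_subclasses(cls):
    found = []
    for sub in cls.__subclasses__():
        found.append(sub)
        found.extend(_all_subclasses(sub))
    return found


def duplicate_errnos(base=PublicMessage):
    """Map every errno used by more than one message class to the class names
    sharing it; an empty dict means the numbering is unique. Suitable as a
    unit-test guard so a reused number is caught before it ships."""
    by_errno = {}
    for cls in _all_subclasses(base):
        if cls.errno is None:
            continue
        by_errno.setdefault(cls.errno, []).append(cls.__name__)
    return dict((n, sorted(names)) for n, names in by_errno.items()
                if len(names) > 1)


if __name__ == "__main__":
    print(format_then_translate("ipa1.example.test", "timeout"))
    print(translate_then_format("ipa1.example.test", "timeout"))
    print(duplicate_errnos())
```

Running the block prints the untranslated English line first, the pseudo-German line second, and `{13020: [...], 13021: [...]}` for the two reused numbers. The same ordering applies to the point-5 prompt: build the argument list, call `_()` on the literal, then format.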
From: ftweedal at redhat.com (Fraser Tweedale) Date: Sat, 18 Jun 2016 10:38:03 +1000 Subject: [Freeipa-devel] [DESIGN] Lightweight CA renewal In-Reply-To: References: <20160506060158.GZ1237@dhcp-40-8.bne.redhat.com> <20160617073427.GR4744@dhcp-40-8.bne.redhat.com> Message-ID: <20160618003803.GB4200@dhcp-40-8.bne.redhat.com> On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote: > On 17.6.2016 09:34, Fraser Tweedale wrote: > > On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: > > > Hi, > > > > > > On 6.5.2016 08:01, Fraser Tweedale wrote: > > > > Hullo all, > > > > > > > > FreeIPA Lightweight CAs implementation is progressing well. The > > > > remaining big unknown in the design is how to do renewal. I have > > > > put my ideas into the design page[1] and would appreciate any and > > > > all feedback! > > > > > > > > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal > > > > > > > > Some brief commentary on the options: > > > > > > > > I intend to implement approach (1) as a baseline. Apart from > > > > implementing machinery in Dogtag to actually perform the renewal - > > > > which is required for all the approaches - it's not much work and > > > > gets us over the "lightweight CAs can be renewed easily" line, even > > > > if it is a manual process. > > > > > > > > For automatic renewal, I am leaning towards approach (2). Dogtag > > > > owns the lightweight CAs so I think it makes sense to give Dogtag > > > > the ability to renew them automatically (if configured to do so), > > > > without relying on external tools i.e. Certmonger. But as you will > > > > see from the outlines, each approach has its upside and downside. > > > > > > I would prefer (3), as I would very much like to avoid duplicating > > > certmonger's functionality in Dogtag. > > > > > > Some comments on the disadvantages: > > > > > > * "Proliferation of Certmonger tracking requests; one for each > > > FreeIPA-managed lightweight CA." 
> > > > > > I don't think this is an actual issue, as it's purely cosmetic. > > > > > > * "Either lightweight CA creation is restricted to the renewal master, or > > > the renewal master must observe the creation of new lightweight CAs and > > > start tracking their certificate." > > > > > > IMO this doesn't have to be done automatically in the initial > > > implementation. You could extend ipa-certupdate to set up certmonger for > > > lightweight CAs and have admins run it manually on masters after adding a > > > new lightweight CA. They will have to run it anyway to get the new > > > lightweight CA certificate installed in the system, so it should be fine to > > > do it this way. > > > > > I have updated the renew_ca_cert post-save script to perform the > > database update necessary for CA replicas to pick up the new cert. > > What remains is the command to tell certmonger to track the CA. > > > > You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a > > better fit, e.g.: > > > > ipa-cacert-manage track > > > > It would look up the necessary info (basically just the CA-ID) and > > set up the certmonger tracking. > > No. ipa-cacert-manage updates global configuration in LDAP, whereas > ipa-certupdate applies the global configuration on the local system. > Updating certmonger configuration is the latter, hence it should be done in > ipa-certupdate. > > Also, I don't think we should expose (un)tracking certificates by CA ID to > users, as all our CA certificates should always be tracked. > OK, so ipa-certupdate just gets run without arguments on a CA master, and it ensures that all CA certificates are tracked by Certmonger. Makes sense to me. Thanks for the clarifications. > > > > It could be an error to run the command on other than the renewal > > master. > > Note that the main CA certificate is tracked on all CA servers, not just the > renewal master, otherwise it wouldn't get updated on the other CA servers > after renewal. 
> I would think the same needs to be done for lightweight CA
> certificates, unless there is a different mechanism for distributing the
> certificates to other CA masters, in which case I would prefer if the
> mechanism was also used for the main CA certificate.
>
There is a different mechanism that causes other CA masters to update
their NSSDBs with the new certificate. After the renewal is performed,
the authoritySerial attribute is updated in the authority's entry in
Dogtag's database; other CA replicas notice the update and install the
new cert in their own NSSDBs without requiring a restart (thus, we only
need to track LWCA certs on the renewal master).

The mechanism is available on versions of Dogtag that support
lightweight CAs, with the ou=authorities container existing in Dogtag's
database. It should work for the main CA, but I have not tested this
yet.

> >
> > An untrack command could also be provided.
> >
> > Thoughts?
> >
> > > * "Development of new Certmonger renewal helpers solely for lightweight CA
> > > renewal."
> > >
> > > It would be easier to extend the existing helpers. I don't think there
> > > is anything preventing them from being used for lightweight CAs, except not
> > > conveying the CA name, which should be easy to implement.
> > >
> > >
> > > I would also avoid starting with (1), I don't believe it adds any real
> > > value. IMHO the first thing that should be done is implement lightweight CA
> > > support in certmonger (add new 'request' / 'start-tracking' option for CA
> > > name, store it in tracking requests, pass it to CA helpers in a new
> > > environment variable).
> > >
> > >
> > > Honza
> > >
> > > --
> > > Jan Cholasta
> >
>
> --
> Jan Cholasta

From yurchor at ukr.net Sun Jun 19 08:08:16 2016
From: yurchor at ukr.net (Yuri Chornoivan)
Date: Sun, 19 Jun 2016 11:08:16 +0300
Subject: [Freeipa-devel] [PATCH] Fix minor typos
Message-ID:

Hi,

Just a fix for two minor typos:

recors -> records
recieve -> receive

Thanks for fixing these typos.

Best regards,
Yuri

Attachment: 0001-Fix-minor-typos.patch (application/octet-stream, 3188 bytes)

From jcholast at redhat.com Mon Jun 20 07:54:11 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Jun 2016 09:54:11 +0200
Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate
In-Reply-To: <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com>
References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com>

On 15.6.2016 12:33, Jan Cholasta wrote:
> On 14.6.2016 11:44, Jan Cholasta wrote:
>> On 21.4.2016 09:11, Jan Cholasta wrote:
>>> On 6.4.2016 15:46, Pavel Vomacka wrote:
>>>>
>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> the attached patches implement the server-side part of .
>>>>>
>>>>> Honza
>>>>>
>>>> Hi,
>>>>
>>>> thank you for the patches. I tested them and they work well. But I would like to ask you whether it would be possible to extend the response of the 'basecert_find' method and probably also the 'basecert_show' response. I think of this information:
>>>>
>>>> 1) information whether the certificate is issued by our CA or not.
>>>
>>> You can check for that by comparing the issuer name of the certificate to "CN=Certificate Authority,$SUBJECT_BASE". You can get the subject base from config-show.
>>>
>>>> 2) this probably wouldn't be possible (as we discussed), but I rather write it too - the information about the revocation reason. The same as 'cert_show' provides.
>>>
>>> Added --check-revocation flag to request this information. Currently it works only on certificates issued by our CA.
>>>
>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns
>>>
>>> Added, also included SHA-256.
>>>
>>>> Thank you again.
>>>
>>> Updated patches attached.
>>
>> Updated and rebased patches attached. Requires Fraser's sub-CA patches.
>
> Attaching updated patch 623, which fixes these issues found by David: .

Updated and rebased patches attached.
--
Jan Cholasta

[Attachment: freeipa-jcholast-551.2-ldap-fix-handling-of-binary-data-in-search-filters.patch (text/x-patch, 1201 bytes)]
[Attachment: freeipa-jcholast-552.3-cert-add-object-plugin.patch (text/x-patch, 30431 bytes)]
[Attachment: freeipa-jcholast-623.2-cert-add-owner-information.patch (text/x-patch, 17913 bytes)]
[Attachment: freeipa-jcholast-624.1-cert-allow-search-by-certificate.patch (text/x-patch, 7683 bytes)]

From: ldoudova at redhat.com (Lenka Doudova)
Date: Mon, 20 Jun 2016 10:35:50 +0200
Subject: [Freeipa-devel] [PATCH 0017][Tests] Fix failing ipatests/test_ipalib/test_errors.py
Message-ID: <897924a1-d9d2-2032-e676-e8f58864f184@redhat.com>

Hi,

attaching a patch to fix the failing test in ipatests/test_ipalib/test_errors.py. Failures were caused by comparing unicode and non-unicode strings, hence I modified the responsible non-unicode strings to unicode.

Lenka

[Attachment: freeipa-ldoudova-0017-Tests-Fix-failing-ipatests-test_ipalib-test_errors.patch (text/x-patch, 2038 bytes)]

From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Mon, 20 Jun 2016 12:00:09 +0200 Subject: [Freeipa-devel] [PATCH] pylint fixes In-Reply-To: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> Message-ID: <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> On 06/09/2016 05:10 PM, Petr Spacek wrote: > Hello, > > I've received a bunch of pylint fixes produced by upstream contributor who is > not subscribed to the list so I'm resending them here. > > All credit goes to B?rta Jan<55042barta at sstebrno.eu>. > > Flo, if you have time for it I think that it could be a good exercise which > will lead you to various dark corners in IPA :-) > > Petr^2 Spacek > > > -------- Forwarded Message -------- > Date: Fri, 3 Jun 2016 14:57:16 +0200 > From: B?rta Jan<55042barta at sstebrno.eu> > To:pspacek at redhat.com ___- In the patch 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index aebd907..ca2e10f 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -149,11 +149,7 @@ def host_service_active(host, service): res = host.run_command(['systemctl', 'is-active', '--quiet', service], raiseonerr=False) - if res.returncode == 0: - return True - else: - return False - + return res.returncode should be instead: return res.returncode *== 0* (otherwise the return type is an int and not a boolean). In the same file: @@ -295,11 +291,7 @@ def master_authoritative_for_client_domain(master, client): zone = ".".join(client.hostname.split('.')[1:]) result = master.run_command(["ipa", "dnszone-show", zone], raiseonerr=False) - if result.returncode == 0: - return True - else: - return False - + result.returncode == 0 should be instead: *return* result.returncode == 0 (otherwise there is no return statement) 
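Review bot: in the host_service_active hunk, `return res.returncode` does more than change the return type that Flo's comment points out: `systemctl is-active` exits 0 for an active unit, so the case that used to `return True` now yields a falsy 0 and every inactive unit yields a truthy non-zero status, inverting the helper for any caller that tests it as a boolean. `return res.returncode == 0` keeps both the type and the meaning, and a test asserting `is True` / `is False` for both exit statuses would catch this class of simplifiable-if rewrite.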
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 197814c..36b6ba5 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): # Return command result cmd_result = {} - if parse_result.get('revoked') == 'yes': - cmd_result['revoked'] = True - else: - cmd_result['revoked'] = False - - return cmd_result + cmd_result['revoked'] = parse_result.get('revoked') Should be instead: cmd_result['revoked'] = parse_result.get('revoked') *== 'yes'* (otherwise the type is a string and not a boolean) _- in the patch 00__04-pylint-fix-unneeded-not.patch_ @@ -632,7 +632,7 @@ class host_add(LDAPCreate): options['ip_address'], check_forward=True, check_reverse=check_reverse) - if not options.get('force', False) and not 'ip_address' in options: + if options.get('force', False) and 'ip_address' not in options: Should be instead: if *not* options.get('force', False) and 'ip_address' not in options: because of operators precedence I will review patches 0005 to 0010 later today. Flo. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvomacka at redhat.com Mon Jun 20 10:47:40 2016 
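Review bot: the dogtag.py hunk also deletes `return cmd_result` without adding a replacement, so the method now returns None in every case, on top of the string-vs-boolean problem noted for `cmd_result['revoked'] = parse_result.get('revoked')`. For a caller that only tests the flag's truthiness, the string 'no' would read as revoked and a missing key as not revoked, so the corrected line `cmd_result['revoked'] = parse_result.get('revoked') == 'yes'` still needs to be followed by `return cmd_result`.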
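The four rewrites Flo flags, as an added example that is not part of the reviewed patches or of FreeIPA: each sits beside its original and the semantics-preserving form, and a small checker runs them over constructed inputs to show exactly where the boolean meaning changed (the Dogtag method around the third hunk is not visible, so `revoked_status_*` stands in for that fragment).

```python
# Added example, not code from the reviewed patches or from FreeIPA. It puts the
# four rewrites flagged in Flo's review beside the original and the form that
# keeps the original boolean meaning, with a checker to run over constructed
# inputs. Names mirror the hunks; the Dogtag method around the third hunk is
# not visible, so revoked_status_* is a stand-in for that fragment.
from collections import namedtuple

# Stand-in for the object host.run_command() returns; only returncode is used.
CmdResult = namedtuple("CmdResult", "returncode")

# --- tasks.py: host_service_active and master_authoritative_for_client_domain
# share the same original shape, so one function stands for both.
def returncode_is_zero_original(res):
    if res.returncode == 0:
        return True
    else:
        return False

def service_active_patched(res):
    # As submitted: `systemctl is-active` exits 0 for an active unit, so the
    # active case is now falsy and every inactive unit is truthy (inverted).
    return res.returncode

def authoritative_patched(result):
    result.returncode == 0  # bare expression: the function returns None

def returncode_is_zero_fixed(res):
    return res.returncode == 0

# --- dogtag.py: building the 'revoked' flag from the parsed CA answer ------
def revoked_status_original(parse_result):
    cmd_result = {}
    if parse_result.get('revoked') == 'yes':
        cmd_result['revoked'] = True
    else:
        cmd_result['revoked'] = False
    return cmd_result

def revoked_status_patched(parse_result):
    cmd_result = {}
    # As submitted: 'revoked' is the raw string ('yes', 'no' or None), and
    # the hunk drops the return statement as well.
    cmd_result['revoked'] = parse_result.get('revoked')

def revoked_status_fixed(parse_result):
    cmd_result = {}
    cmd_result['revoked'] = parse_result.get('revoked') == 'yes'
    return cmd_result

# --- host_add: the guard touched by the unneeded-not fix -------------------
def needs_ip_original(options):
    return not options.get('force', False) and not 'ip_address' in options

def needs_ip_patched(options):
    # As submitted: the leading `not` went missing, so the guard fires in the
    # opposite `force` case.
    return options.get('force', False) and 'ip_address' not in options

def needs_ip_fixed(options):
    return not options.get('force', False) and 'ip_address' not in options

def semantics_preserved(original, candidate, inputs):
    """True only if candidate returns a value equal to, and of the same type
    as, original's for every input (so 0 vs False and 'no' vs True fail)."""
    for inp in inputs:
        want, got = original(inp), candidate(inp)
        if type(want) is not type(got) or want != got:
            return False
    return True

# Constructed inputs: systemctl exit statuses, parsed CA answers, host_add options.
EXIT_STATUSES = [CmdResult(0), CmdResult(3)]
CA_ANSWERS = [{'revoked': 'yes'}, {'revoked': 'no'}, {}]
HOST_ADD_OPTIONS = [{}, {'force': True}, {'ip_address': '192.0.2.7'},
                    {'force': True, 'ip_address': '192.0.2.7'}]

REVIEW = {
    'host_service_active': (returncode_is_zero_original, service_active_patched,
                            returncode_is_zero_fixed, EXIT_STATUSES),
    'master_authoritative': (returncode_is_zero_original, authoritative_patched,
                             returncode_is_zero_fixed, EXIT_STATUSES),
    'revoked_flag': (revoked_status_original, revoked_status_patched,
                     revoked_status_fixed, CA_ANSWERS),
    'host_add_guard': (needs_ip_original, needs_ip_patched,
                       needs_ip_fixed, HOST_ADD_OPTIONS),
}

def review_verdicts():
    """Map each hunk name to (patched_preserves_meaning, fixed_preserves_meaning)."""
    return {name: (semantics_preserved(orig, patched, inputs),
                   semantics_preserved(orig, fixed, inputs))
            for name, (orig, patched, fixed, inputs) in REVIEW.items()}
```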
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 20 Jun 2016 12:47:40 +0200
Subject: [Freeipa-devel] [PATCH] 0048-50: webui: extend topology graph functionality
In-Reply-To: <7269e62e-a2bb-4082-5248-c580403a0719@redhat.com>
References: <7269e62e-a2bb-4082-5248-c580403a0719@redhat.com>
Message-ID: <53f0d0d6-73a9-076c-5a5f-920b5ee36623@redhat.com>

On 06/13/2016 10:48 AM, Pavel Vomacka wrote:
> Hello,
>
> please review the attached patches which extend topology graph functionality. The first two add the possibility to create an agreement using the mouse and the third one adds an 'Autogenerated' placeholder.
>
> 0047,48: https://fedorahosted.org/freeipa/ticket/5648
>
> 0050: https://fedorahosted.org/freeipa/ticket/5867
>
> --
> Pavel^3 Vomacka
>

Updated patch 48 attached. Added FontAwesome to the css style of the plus icon and set a lower stabilization timeout.

--
Pavel^3 Vomacka

[Attachment: freeipa-pvomacka-0048-2-Add-creating-a-segment-using-mouse.patch (text/x-patch, 18664 bytes)]

From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jun 2016 13:44:56 +0200
Subject: [Freeipa-devel] [PATCH 0531] Fix undefined variable in replica install
Message-ID: <6a731832-b5fd-c94f-362a-ea6e8d53dcad@redhat.com>

Patch attached.

https://fedorahosted.org/freeipa/ticket/5975

[Attachment: freeipa-mbasti-0531-Fix-undefined-ipaconf-in-replica-promotion.patch (text/x-patch, 1641 bytes)]

From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jun 2016 13:50:27 +0200
Subject: [Freeipa-devel] [PATCH] Fix minor typos
Message-ID: <7e894faf-353b-8ca5-e30e-65ae40fbedb6@redhat.com>

On 19.06.2016 10:08, Yuri Chornoivan wrote:
> Hi,
>
> Just a fix for two minor typos:
>
> recors -> records
> recieve -> receive
>
> Thanks for fixing these typos.
>
> Best regards,
> Yuri
>

Thanks!

ACK

master:
* a95e0777ac64cc8edad152f189be5347117785ef Fix minor typos

From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jun 2016 13:57:10 +0200
Subject: [Freeipa-devel] [PATCH 0531] Fix undefined variable in replica install
In-Reply-To: <6a731832-b5fd-c94f-362a-ea6e8d53dcad@redhat.com>
References: <6a731832-b5fd-c94f-362a-ea6e8d53dcad@redhat.com>
Message-ID: <16176f1c-c7db-05cd-77cc-5e0ed83142ff@redhat.com>

On 20.06.2016 13:44, Martin Basti wrote:
> Patch attached.
>
> https://fedorahosted.org/freeipa/ticket/5975
>

Discard this, Honza sent the patch independently because it was related to the thin client.

From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 20 Jun 2016 14:35:32 +0200
Subject: [Freeipa-devel] [PATCH 0134] DNS: Fix realm domains integration with DNS zone add
Message-ID: <65045a2a-df9a-9b50-4753-0d0ef728e8fc@redhat.com>

Hello,

DNS: Fix realm domains integration with DNS zone add.

Realmdomains integration into DNS commands pre-dates the split of DNS forward zones and DNS master zones into two distinct commands. There was a forgotten condition in the dnszone_add command which caused omission of DNS master zones with non-empty forwarders from the realmdomain list.

https://fedorahosted.org/freeipa/ticket/5980

--
Petr^2 Spacek

[Attachment: freeipa-pspacek-0134-DNS-Fix-realm-domains-integration-with-DNS-zone-add.patch (text/x-patch, 1392 bytes)]

From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 20 Jun 2016 14:37:20 +0200
Subject: [Freeipa-devel] [PATCH] 0018-0030, 52 webui: add support for more certificates
References: <571F520B.2000501@redhat.com> <571F58E7.1070703@redhat.com> <571F79E2.2000106@redhat.com>

On 06/14/2016 09:41 PM, Pavel Vomacka wrote:
>
> On 05/13/2016 06:56 PM, Petr Vobornik wrote:
>> On 04/26/2016 04:23 PM, Pavel Vomacka wrote:
>>> Self-NACK for patches 0027, 28, 29, 30 - used incorrect policy. I also attach all patches which were not changed - it is easier to get the whole patchset.
>>>
>>> On 04/26/2016 02:02 PM, Pavel Vomacka wrote:
>>>> I forgot to mention that my patches require patches from:
>>>> https://www.redhat.com/archives/freeipa-devel/2016-April/msg00209.html
>>>>
>>>> On 04/26/2016 01:33 PM, Pavel Vomacka wrote:
>>>>> Hello,
>>>>>
>>>>> the attached patches add support for more certificates and the ability to add and remove certificates. Fixes these two tickets:
>>>>> https://fedorahosted.org/freeipa/ticket/5108
>>>>> https://fedorahosted.org/freeipa/ticket/5381
>>>>>
>>>>> These patches add the ability to view, get, download, revoke, restore and delete each certificate directly from the user/host/service details page. There is also a button for adding new certificates.
>>>>>
>>>>> There is one known issue, that after the page save action is performed some data disappear (including certificates). This issue has a ticket already:
>>>>> https://fedorahosted.org/freeipa/ticket/5776
>>>>>
>>>>> --
>>>>> Pavel^3 Vomacka
>>>>>
>> Great stuff, a couple of comments below.
>>
>> We can discuss some items in person. Not everything needs to be done.
>>
>> I didn't run it, just reading the code.
>>
>> Patch 0018:
>>
>> 1. Nit pick: When a value should be boolean, then the following method won't make sure that dropdown_menu won't be e.g. an object.
>>   + that.dropdown_menu = spec.dropdown_menu || false;
>>
>> I would prefer:
>>   + that.dropdown_menu = !!spec.dropdown_menu;
>>
>> Which retypes it to boolean. If the default should be true (not this case) then:
>>   that.dropdown_menu = spec.dropdown_menu !== undefined ? !!spec.dropdown_menu : true;
>>
>> Also the interface is very specific. It says that the child widget will have a dropdown menu. What if the actions won't be in a dropdown menu but, e.g., some overlay menu.
>>
>> Imho the interface should be:
>>
>>   that.custom_actions = !!spec.custom_actions;
>>
>> Then the child object would have to define, e.g.:
>>
>>   action_object get_custom_actions()
>>
>> Interface of action_object would be e.g.:
>>   get_items()
>>   set_items(items)
>>   enable_item(name)
>>   disable_item(name)
>>
>> Dropdown menu would have to define these methods.
>>
>> Patch 0019:
>>
>> 1. Shouldn't disable_item or enable_item automatically rerender the items?
>>
>> 2. The rerender, used in later patches. Imo it should do only:
>>
>>   if (this.ul_node) {
>>       construct.empty(this.ul_node);
>>       this._render_items(this.items);
>>   }
>>
>> Or just re-render the one item.
>>   $( "li[data-name=" + item.name +"]", this.ul_node ).replaceWith( this._render_item(item));
>>
>> 3. in future for loops write:
>>   for (var i=0, l=this.items.length; i
>> instead of
>>   for (var i=0; i
>>
>> It's a defensive style when you don't know if computing length is O(1) or O(n) or how big n is. In this instance it probably doesn't matter.
>>
>> Patch 0020:
>>
>> 1. Working widgets inherit from IPA.widget so why do you redefine 'name', 'facet', 'entity'?
>>
>> 2. why do you introduce 'base_cls' and 'other_cls' when there are 'base_css_class' and 'css_class'?
>>
>> 3. typo in comment 'opaciti'
>>
>> 4. We can ignore IE < 9, I'm not sure if you avoid using some features because of IE9.
>>
>> 5. _normalize_bg_color_css could be moved to util.js. But I wonder if we need it. rgba is supported in 95% of browsers and definitely in all supported by IPA (chrome, firefox).
>>
>> Patch 0021:
>>
>> 1. The original code is not great - RPC code should be agnostic to the display layer. Ideally it would not call methods like IPA.hide_activity_icon(); and IPA.display_activity_icon();
>>
>> I would rather avoid adding more of such things there and would refactor now, when it is easy.
>>
>> IMO the rpc class could use the Evented mixin and have:
>>   4 local events: start, end, success, error
>>   2 global topics: rpc-start, rpc-end
>>
>> Local events will be new - they will replace notify_activity_start and notify_activity_end. For convenience, the spec object could accept handlers in a similar fashion as now. The handlers would be registered to the events.
>>
>> Global topics would replace the current IPA.hide_activity_icon(); and IPA.display_activity_icon();
>>
>> The App class would subscribe to the global events and do stuff (hide|show) accordingly. Example of such a subscription:
>>   topic.subscribe('phase-error', lang.hitch(this, this.on_phase_error));
>>
>> Then hide_activity_icon could be something like notify_global with default true which can be suppressed by setting it to false.
>>
>> What do you think?
>>
>> Patch 0022:
>>
>> 1. Leftover line:
>>   var sn = record[i].serial_number;
>>
>> Patch 0023:
>>
>> 1. move the css code from ipa.css to layout.less?
>>
>> 2. Did you mean "display: table"?
>>   display: cert-table;
>>
>> 3. Why are create_layout, create_row and create_cell private methods of create_content? It would make sense to create a table dialog mixin (similar to the confirm mixin) and use the same code in all cert dialogs (if applicable).
>>
>> 4. The 'table-head' class is used in every cell. Why is it called 'head' when it is in fact in all cells?
>>
>> Patch 0024:
>>
>> Will require changes described in patch 21 (rpc).
>>
>> 1. should the methods rather have the params serial_number and revocation_reason, instead of certificate (maybe ok) and dialog (not ok)? That way it would be more general/reusable.
>>
>> Patch 0025: ACK
>>
>> Patch 0026:
>>
>> 1. Add link uses exactly the same code as in multivalued_widget. The code should be moved to a method create_add_link(container) and then reused. new_row would be overridden and it would call open_addcert_dialog, or open_addcert_dialog renamed to new_row.
>>
>> 2. it can have a spec default:
>>   spec.dropdown_menu = spec.dropdown_menu !== undefined ? true : spec.dropdown_menu;
>>
>> And then it doesn't have to be defined in patches 28, 29, 30.
>>
>> Patch 0027:
>>
>> 1. Why is the download action name a 'that.data_url'?
>>
>> 2. the dropdown_menu -> custom_actions change
>>
>> 3. "that.certificate &&" is not required, it will always be true
>>   that.certificate = $.extend({}, certificate);
>>
>>   if (that.certificate && that.certificate.revoked !== 'undefined') {
>>       that.get_cert_revoke_status();
>>   }
>>
>> 4. update_link is a weird name for a method which updates data in a table
>>
>> 5. "that.update_link = function(r)", "r" shouldn't be there
>>
>> 6. The following doesn't look future proof:
>>   """
>>   that.get_cert_revoke_status = function() {
>>       // Double check whether the certificate is issued by our CA.
>>       var issuer = 'CN=' + that.ipa_issuer_commonname + ',' + that.ipa_issuer_subjbase;
>>       if (that.certificate.issuer !== issuer) return;
>>   """
>> Would check it with Fraser
>>
>> 7. in handle_revocation_reason, useless call:
>>   var dd_menu = that.get_dropdown_menu();
>>
>> 8. in compose_dialog_title, there is a check for `cert.subject`; if true it sets `cn`, `o`. But if false then the values are `undefined` which are then used in the r.replace calls. Is it intended?
>>
>> Patch 0028:
>> Looks OK, "dropdown_menu: true" doesn't have to be there as mentioned earlier
>>
>> Will test later.
>>
>> Patch 0029:
>>
>> 1. What about extending value_state_evaluator with adapter and param properties? So that it would use the standard adapter by default and every child could use its own. IMO other parts of the UI could use it as well. The reason why it doesn't use an adapter already is that adapters were introduced later.
>>
>> It would simplify both definitions + the definitions in patch 30.
>>
>> Patch 0030:
>>
>> Same as patch 0029.
> Thank you for the review. I fixed everything, only the rpc code isn't changed. I will do it later in a separate patch.
>
> These patches require jcholast's patches 551.2, 552.2, 623, 624 (which require ftweedal's Sub-CA patches) and the WebUI patches for Sub-CAs (because of the download functionality).
>
> Edited and rebased patches are attached.
>
> --
> Pavel^3 Vomacka
>

I moved a big part of the certs_widget code to the more general custom_command_multivalued_widget. This change will be useful in future. Updated patches attached.

It would be nice to apply patch 57 between patches 25 and 26, but it should be possible to apply it on the top.

--
Pavel^3 Vomacka

[Attachment: freeipa-pvomacka-0026-3-Add-widget-for-showing-multiple-certificates.patch (text/x-patch, 9137 bytes)]
[Attachment: freeipa-pvomacka-0027-4-Add-certificate-widget.patch (text/x-patch, 17447 bytes)]
[Attachment: freeipa-pvomacka-0052-2-Updated-certificates-table.patch (text/x-patch, 1546 bytes)]
[Attachment: freeipa-pvomacka-0057-Add-new-custom-command-multivalued-widget.patch (text/x-patch, 8820 bytes)]

From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Jun 2016 15:31:44 +0200
Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate
References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com>
Message-ID: <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com>

On 20.6.2016 09:54, Jan Cholasta wrote:
> On 15.6.2016 12:33, Jan Cholasta wrote:
>> On 14.6.2016 11:44, Jan Cholasta wrote:
>>> On 21.4.2016 09:11, Jan Cholasta wrote:
>>>> On 6.4.2016 15:46, Pavel Vomacka wrote:
>>>>>
>>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the attached patches implement the server-side part of .
>>>>>>
>>>>>> Honza
>>>>>>
>>>>> Hi,
>>>>>
>>>>> thank you for the patches. I tested them and they work well. But I would like to ask you whether it would be possible to extend the response of the 'basecert_find' method and probably also the 'basecert_show' response. I think of this information:
>>>>>
>>>>> 1) information whether the certificate is issued by our CA or not.
>>>>
>>>> You can check for that by comparing the issuer name of the certificate to "CN=Certificate Authority,$SUBJECT_BASE". You can get the subject base from config-show.
>>>>
>>>>> 2) this probably wouldn't be possible (as we discussed), but I rather write it too - the information about the revocation reason. The same as 'cert_show' provides.
>>>>
>>>> Added --check-revocation flag to request this information. Currently it works only on certificates issued by our CA.
>>>>
>>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns
>>>>
>>>> Added, also included SHA-256.
>>>>
>>>>> Thank you again.
>>>>
>>>> Updated patches attached.
>>>
>>> Updated and rebased patches attached. Requires Fraser's sub-CA patches.
>>
>> Attaching updated patch 623, which fixes these issues found by David: .
>
> Updated and rebased patches attached.

Attaching updated patches 552 and 623, which fix the --sizelimit option.

--
Jan Cholasta

[Attachment: freeipa-jcholast-552.4-cert-add-object-plugin.patch (text/x-patch, 30450 bytes)]
[Attachment: freeipa-jcholast-623.3-cert-add-owner-information.patch (text/x-patch, 18045 bytes)]

From: mbabinsk at redhat.com (Martin Babinsky)
Date: Mon, 20 Jun 2016 15:35:23 +0200
Subject: [Freeipa-devel] [PATCH 0162] Do not update result of *-config-show with empty server attributes

https://fedorahosted.org/freeipa/ticket/5960

--
Martin^3 Babinsky

[Attachment: freeipa-mbabinsk-0162-Do-not-update-result-of-config-show-with-empty-serve.patch (text/x-patch, 1347 bytes)]

From: dkupka at redhat.com (David Kupka)
Date: Mon, 20 Jun 2016 16:13:02 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>

On 28/04/16 14:45, Jan Cholasta wrote:
> Hi,
>
> I have pushed my thin client WIP branch to GitHub: .
>
> All commits up to "ipalib: use relative imports for cross-plugin imports" should be good for review. The rest is subject to change (WARNING: I will force push into this branch).
>
> Honza
>

Hello!

Patches:
replica install: fix thin client regression
schema: remove `no_cli` from command schema
schema: remove redundant information
schema: merge command args and options
schema: remove output_params
schema: add object class schema
permission: handle ipapermright deprecated CLI alias on the client
passwd: handle sort order of passwd argument on the client
misc: skip `count` and `total` output in env.output_for_cli
dns: do not rely on custom param fields in record attributes
automember: add object plugin for automember_rebuild
frontend: do not crash on missing output in output_for_cli
frontend: skip `value` output in output_for_cli
frontend: don't copy command arguments to output params
makeaci, makeapi: use in-server API

works for me, ACK.

Note: There is one known issue in automember output, will be fixed later.

--
David Kupka

From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 20 Jun 2016 16:42:11 +0200
Subject: [Freeipa-devel] [WIP] Thin client
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
Message-ID: <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com>

On 20.6.2016 16:13, David Kupka wrote:
> On 28/04/16 14:45, Jan Cholasta wrote:
>> Hi,
>>
>> I have pushed my thin client WIP branch to GitHub: .
>>
>> All commits up to "ipalib: use relative imports for cross-plugin imports" should be good for review. The rest is subject to change (WARNING: I will force push into this branch).
>>
>> Honza
>>
>
> Hello!
>
> Patches:
> replica install: fix thin client regression
> schema: remove `no_cli` from command schema
> schema: remove redundant information
> schema: merge command args and options
> schema: remove output_params
> schema: add object class schema
> permission: handle ipapermright deprecated CLI alias on the client
> passwd: handle sort order of passwd argument on the client
> misc: skip `count` and `total` output in env.output_for_cli
> dns: do not rely on custom param fields in record attributes
> automember: add object plugin for automember_rebuild
> frontend: do not crash on missing output in output_for_cli
> frontend: skip `value` output in output_for_cli
> frontend: don't copy command arguments to output params
> makeaci, makeapi: use in-server API
>
> works for me, ACK.

Pushed to master: 8cc8b6fb1023fa4aeafac0df01cfacff4ebf537a

Note that I haven't pushed "replica install: fix thin client regression" yet, I would like Martin to review it first.

Attaching the patches for reference.

>
> Note: There is one known issue in automember output, will be fixed later.

--
Jan Cholasta

[Attachment: freeipa-jcholast-634-makeaci-makeapi-use-in-server-API.patch (text/x-patch, 11121 bytes)]
[Attachment: freeipa-jcholast-635-frontend-don-t-copy-command-arguments-to-output-para.patch (text/x-patch, 10841 bytes)]
[Attachment: freeipa-jcholast-636-frontend-skip-value-output-in-output_for_cli.patch (text/x-patch, 970 bytes)]
[Attachment: freeipa-jcholast-637-frontend-do-not-crash-on-missing-output-in-output_fo.patch (text/x-patch, 853 bytes)]
[Attachment: freeipa-jcholast-638-automember-add-object-plugin-for-automember_rebuild.patch (text/x-patch, 1862 bytes)]
[Attachment: freeipa-jcholast-639-dns-do-not-rely-on-custom-param-fields-in-record-att.patch (text/x-patch, 9842 bytes)]
[Attachment: freeipa-jcholast-640-misc-skip-count-and-total-output-in-env.output_for_c.patch (text/x-patch, 1049 bytes)]
[Attachment: freeipa-jcholast-641-passwd-handle-sort-order-of-passwd-argument-on-the-c.patch (text/x-patch, 1516 bytes)]
[Attachment: freeipa-jcholast-642-permission-handle-ipapermright-deprecated-CLI-alias-.patch (text/x-patch, 4776 bytes)]
[Attachment: freeipa-jcholast-643-schema-add-object-class-schema.patch (text/x-patch, 20620 bytes)]
[Attachment: freeipa-jcholast-644-schema-remove-output_params.patch (text/x-patch, 8588 bytes)]
[Attachment: freeipa-jcholast-645-schema-merge-command-args-and-options.patch (text/x-patch, 4136 bytes)]
[Attachment: freeipa-jcholast-646-schema-remove-redundant-information.patch (text/x-patch, 8759 bytes)]
[Attachment: freeipa-jcholast-647-schema-remove-no_cli-from-command-schema.patch (text/x-patch, 3325 bytes)]

From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 20 Jun 2016 16:57:32 +0200
Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone

Hello,

DNS: Warn about restart when default TTL setting DNS is changed

bind-dyndb-ldap 10.0 has to be restarted after each change to default TTL.

https://fedorahosted.org/freeipa/ticket/2956

DNS: Support default TTL setting for master DNS zones

https://fedorahosted.org/freeipa/ticket/2956

--
Petr^2 Spacek

[Attachment: freeipa-pspacek-0135-DNS-Support-default-TTL-setting-for-master-DNS-zones.patch (text/x-patch, 12304 bytes)]
[Attachment: freeipa-pspacek-0136-DNS-Warn-about-restart-when-default-TTL-setting-DNS-.patch (text/x-patch, 2052 bytes)]

From: mbasti at redhat.com (Martin Basti)
Date: Mon, 20 Jun 2016 18:05:12 +0200
Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone
Message-ID: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com>

On 20.06.2016 16:57, Petr Spacek wrote:
> Hello,
>
> DNS: Warn about restart when default TTL setting DNS is changed
>
> bind-dyndb-ldap 10.0 has to be restarted after each change to default TTL.
>
> https://fedorahosted.org/freeipa/ticket/2956
>
> DNS: Support default TTL setting for master DNS zones
>
> https://fedorahosted.org/freeipa/ticket/2956
>

Thank you for the patches, but I have a few comments

TTL patch:
1) VERSION - please put a short note why the API was incremented
2) 60ipadns.ldif - please keep attr definitions ordered by OID
3) You missed the ACI for updating

Warning patch: LGTM

From: pspacek at redhat.com (Petr Spacek) Date: Mon, 20 Jun 2016 18:28:46 +0200 Subject: [Freeipa-devel] [PATCH 0137] DNS Locations: make ipa-ca record generation more robus Message-ID: Hello, DNS Locations: make ipa-ca record generation more robust __add_ca_records_from_hostname() now skips over DNS exceptions and retries resolution until timeout of 120 seconds is reached. Luckily current logic fails safe: In cases where resolution failed for all the CA servers, the resulting zone object will not contain ipa-ca record at all and the update logic will skip update for this name. I.e. the original values in ipa-ca record set will be left in place. https://fedorahosted.org/freeipa/ticket/2008 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0137-DNS-Locations-make-ipa-ca-record-generation-more-rob.patch Type: text/x-patch Size: 2495 bytes Desc: not available URL: From pspacek at redhat.com Mon Jun 20 16:32:40 2016 
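The retry-and-fail-safe behaviour described in the patch message above, as an added example that is not FreeIPA's own code: each CA host is retried until a shared 120 s deadline (assumption: one budget per pass, not per host), and when no CA host resolves the ipa-ca name is left out of the zone object entirely, rather than emitted as an empty set, so the updater skips the name and the existing records survive. The resolver, the clock and the updater's merge semantics are constructed stand-ins.

```python
from typing import Callable, Dict, List, Optional

RESOLVE_TIMEOUT = 120.0  # seconds, the retry budget named in the patch message


class DNSLookupFailure(Exception):
    """Stand-in for the resolver's DNS exception (constructed for this example)."""


def add_ca_records(ca_hosts: List[str],
                   resolve: Callable[[str], List[str]],
                   now: Callable[[], float],
                   timeout: float = RESOLVE_TIMEOUT) -> Optional[List[str]]:
    """Collect addresses for the ipa-ca name from the CA servers' host names.

    resolve(host) returns addresses or raises DNSLookupFailure; now() is an
    injected monotonic clock. A failing host is retried until the shared
    deadline passes (assumption: one budget for the whole pass); after that
    every remaining host gets a single attempt. Returns None, not [], when
    no CA host resolved, so the caller can leave the name out of the zone.
    """
    deadline = now() + timeout
    addrs: List[str] = []
    for host in ca_hosts:
        while True:
            try:
                addrs.extend(resolve(host))
                break
            except DNSLookupFailure:
                # A real implementation would sleep between attempts; the
                # injected clock keeps this example instantaneous.
                if now() >= deadline:
                    break  # give up on this host, continue with the others
    return sorted(set(addrs)) or None


def build_zone(ca_hosts: List[str],
               resolve: Callable[[str], List[str]],
               now: Callable[[], float]) -> Dict[str, List[str]]:
    """Build the desired record sets; ipa-ca is omitted when nothing resolved."""
    zone: Dict[str, List[str]] = {}
    addrs = add_ca_records(ca_hosts, resolve, now)
    if addrs is not None:
        zone["ipa-ca"] = addrs
    return zone


def apply_update(current: Dict[str, List[str]],
                 desired: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Fail-safe update: names absent from `desired` are not touched at all.

    Assumed updater semantics: a name present with an empty set is deleted,
    a present non-empty set replaces the old one, an absent name is skipped.
    """
    updated = dict(current)
    for name, rrset in desired.items():
        if rrset:
            updated[name] = rrset
        else:
            updated.pop(name, None)
    return updated


class FakeClock:
    """Deterministic clock: every reading advances one second."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        self.t += 1.0
        return self.t


def make_resolver(fail_first: Dict[str, int], answers: Dict[str, List[str]]):
    """Constructed resolver: a host fails its first N lookups, then answers;
    a host with no answer always fails. Returns (resolve, call_counts)."""
    calls: Dict[str, int] = {}

    def resolve(host: str) -> List[str]:
        calls[host] = calls.get(host, 0) + 1
        if calls[host] <= fail_first.get(host, 0) or host not in answers:
            raise DNSLookupFailure(host)
        return list(answers[host])

    return resolve, calls
```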
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 20 Jun 2016 18:32:40 +0200 Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone In-Reply-To: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com> References: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com> Message-ID: On 20.6.2016 18:05, Martin Basti wrote: > > > On 20.06.2016 16:57, Petr Spacek wrote: >> Hello, >> >> DNS: Warn about restart when default TTL setting DNS is changed >> >> bind-dyndb-ldap 10.0 has to be restarted after each change to default >> TTL. >> >> https://fedorahosted.org/freeipa/ticket/2956 >> >> DNS: Support default TTL setting for master DNS zones >> >> https://fedorahosted.org/freeipa/ticket/2956 >> >> >> > Thank you for patches, but I have a few comments > > TTL patch: > 1) > VERSION - please put short note why API was incremented > > 2) > 60ipadns.ldif - please keep ordered attr definitions by OID > > 3) > You missed ACI for updating > > Warning patch: LGTM Thank you very much for review! Here is revised version. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0135-2-DNS-Support-default-TTL-setting-for-master-DNS-zones.patch Type: text/x-patch Size: 13380 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0136-2-DNS-Warn-about-restart-when-default-TTL-setting-DNS-.patch Type: text/x-patch Size: 2052 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 20 16:48:16 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 18:48:16 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com> Message-ID: <0a5e8dbf-4f18-c396-eb10-39873fb7b09e@redhat.com> On 20.06.2016 16:42, Jan Cholasta wrote: > On 20.6.2016 16:13, David Kupka wrote: >> On 28/04/16 14:45, Jan Cholasta wrote: >>> Hi, >>> >>> I have pushed my thin client WIP branch to GitHub: >>> . >>> >>> All commits up to "ipalib: use relative imports for cross-plugin >>> imports" should be good for review. The rest is subject to change >>> (WARNING: I will force push into this branch). >>> >>> Honza >>> >> >> Hello! >> >> Patches: >> replica install: fix thin client regression >> schema: remove `no_cli` from command schema >> schema: remove redundant information >> schema: merge command args and options >> schema: remove output_params >> schema: add object class schema >> permission: handle ipapermright deprecated CLI alias on the client >> passwd: handle sort order of passwd argument on the client >> misc: skip `count` and `total` output in env.output_for_cli >> dns: do not rely on custom param fields in record attributes >> automember: add object plugin for automember_rebuild >> frontend: do not crash on missing output in output_for_cli >> frontend: skip `value` output in output_for_cli >> frontend: don't copy command arguments to output params >> makeaci, makeapi: use in-server API >> >> work for me, ACK. > > Pushed to master: 8cc8b6fb1023fa4aeafac0df01cfacff4ebf537a > > Note that I haven't pushed "replica install: fix thin client > regression" yet, I would like Martin to review it first. ACK pushed to master: * 91d6d87ca76e3aa27d5f87fd4f0b70f1d4fe4e72 replica install: fix thin client regression > > Attaching the patches for reference. 
> >> >> Note: There is one one known issue in automember output, will be fixed >> later. > > -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-0000.0-replica-install-fix-thin-client-regression.patch Type: text/x-patch Size: 3580 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 20 16:52:54 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 18:52:54 +0200 Subject: [Freeipa-devel] [PATCH 0532] Fix possibly undefined variable Message-ID: <65698bcb-d35b-55cb-42b4-5d66e9d74898@redhat.com> Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0532-Fix-possibly-undefined-variable-in-ipa_smb_conf_exis.patch Type: text/x-patch Size: 896 bytes Desc: not available URL: From pvomacka at redhat.com Mon Jun 20 16:54:14 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 20 Jun 2016 18:54:14 +0200 Subject: [Freeipa-devel] [PATCH] 0058 WebUI: certificate widget on ID override user page Message-ID: <8d5edba0-0b80-8ccf-6d71-13f977c4b94b@redhat.com> Hello, please review attached patch. https://fedorahosted.org/freeipa/ticket/5926 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0058-Add-certificate-widget-to-ID-override-user-details-p.patch Type: text/x-patch Size: 6747 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 20 17:03:44 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:03:44 +0200 Subject: [Freeipa-devel] [PATCH 0134] DNS: Fix realm domains integration with DNS zone add In-Reply-To: <65045a2a-df9a-9b50-4753-0d0ef728e8fc@redhat.com> References: <65045a2a-df9a-9b50-4753-0d0ef728e8fc@redhat.com> Message-ID: <7db988d5-1374-3152-98e7-6a27d228e1df@redhat.com> On 20.06.2016 14:35, Petr Spacek wrote: > Hello, > > DNS: Fix realm domains integration with DNS zone add. > > Realmdomains integration into DNS commands pre-dates split of DNS forward zones > and DNS master zones into two distinct commands. > > There was an forgotten condition in dnszone_add command which caused omission > of DNS master zones with non-empty forwarders from realmdomain list. > > https://fedorahosted.org/freeipa/ticket/5980 > > > ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 20 17:06:13 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:06:13 +0200 Subject: [Freeipa-devel] [PATCH] pylint fixes In-Reply-To: <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> Message-ID: On 20.06.2016 12:00, Florence Blanc-Renaud wrote: > On 06/09/2016 05:10 PM, Petr Spacek wrote: >> Hello, >> >> I've received a bunch of pylint fixes produced by upstream contributor who is >> not subscribed to the list so I'm resending them here. >> >> All credit goes to B?rta Jan<55042barta at sstebrno.eu>. >> >> Flo, if you have time for it I think that it could be a good exercise which >> will lead you to various dark corners in IPA :-) >> >> Petr^2 Spacek >> >> >> -------- Forwarded Message -------- >> Date: Fri, 3 Jun 2016 14:57:16 +0200 >> From: B?rta Jan<55042barta at sstebrno.eu> >> To:pspacek at redhat.com > ___- In the patch > 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ 
> > diff --git a/ipatests/test_integration/tasks.py > b/ipatests/test_integration/tasks.py > index aebd907..ca2e10f 100644 > --- a/ipatests/test_integration/tasks.py > +++ b/ipatests/test_integration/tasks.py > @@ -149,11 +149,7 @@ def host_service_active(host, service): > res = host.run_command(['systemctl', 'is-active', '--quiet', > service], > raiseonerr=False) > > - if res.returncode == 0: > - return True > - else: > - return False > - > + return res.returncode > > should be instead: return res.returncode *== 0* (otherwise the return > type is an int and not a boolean). > > In the same file: > @@ -295,11 +291,7 @@ def > master_authoritative_for_client_domain(master, client): > zone = ".".join(client.hostname.split('.')[1:]) > result = master.run_command(["ipa", "dnszone-show", zone], > raiseonerr=False) > - if result.returncode == 0: > - return True > - else: > - return False > - > + result.returncode == 0 > > should be instead: *return* result.returncode == 0 (otherwise there is > no return statement) > > diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py > index 197814c..36b6ba5 100644 > --- a/ipaserver/plugins/dogtag.py > +++ b/ipaserver/plugins/dogtag.py > @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): > # Return command result > cmd_result = {} > > - if parse_result.get('revoked') == 'yes': > - cmd_result['revoked'] = True > - else: > - cmd_result['revoked'] = False > - > - return cmd_result > + cmd_result['revoked'] = parse_result.get('revoked') > > Should be instead: cmd_result['revoked'] = parse_result.get('revoked') > *== 'yes'* (otherwise the type is a string and not a boolean) > > _- in the patch 00__04-pylint-fix-unneeded-not.patch_ 
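Review bot: in the tasks.py host_service_active hunk of patch 0002, `+ return res.returncode` does more than change the return type, it inverts the truth value: `systemctl is-active` exits 0 for an active service, so callers testing the result get False exactly when the service is active and a truthy non-zero code when it is not. Keep the comparison: `return res.returncode == 0`.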
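Review bot: in the tasks.py master_authoritative_for_client_domain hunk of patch 0002, `+ result.returncode == 0` is a bare expression statement, so the function falls off the end and returns None; every caller will then treat the master as not authoritative for the client domain. It needs `return result.returncode == 0`.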
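Review bot: the dogtag.py hunk of patch 0002 drops two things, not one: besides `cmd_result['revoked']` becoming the raw string from `parse_result.get('revoked')` (or None) instead of a bool, the `- return cmd_result` line is removed without replacement, so the method now returns None to its caller. Restore the return and keep the comparison: `cmd_result['revoked'] = parse_result.get('revoked') == 'yes'` followed by `return cmd_result`.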
> > @@ -632,7 +632,7 @@ class host_add(LDAPCreate): > options['ip_address'], > check_forward=True, > check_reverse=check_reverse) > - if not options.get('force', False) and not 'ip_address' in > options: > + if options.get('force', False) and 'ip_address' not in options: > > Should be instead: if *not* options.get('force', False) and > 'ip_address' not in options: > because of operators precedence > > I will review patches 0005 to 0010 later today. > Flo. > > How about patches 1, and 3? Because patches are independent, we can separately ACK them and push them. Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 20 17:08:17 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:08:17 +0200 Subject: [Freeipa-devel] [PATCH] pylint fixes In-Reply-To: References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> Message-ID: <9fb20d03-4559-8ad2-1e95-4c1da386ae06@redhat.com> On 20.06.2016 19:06, Martin Basti wrote: > > > > On 20.06.2016 12:00, Florence Blanc-Renaud wrote: >> On 06/09/2016 05:10 PM, Petr Spacek wrote: >>> Hello, >>> >>> I've received a bunch of pylint fixes produced by upstream contributor who is >>> not subscribed to the list so I'm resending them here. >>> >>> All credit goes to B?rta Jan<55042barta at sstebrno.eu>. >>> >>> Flo, if you have time for it I think that it could be a good exercise which >>> will lead you to various dark corners in IPA :-) >>> >>> Petr^2 Spacek >>> >>> >>> -------- Forwarded Message -------- >>> Date: Fri, 3 Jun 2016 14:57:16 +0200 >>> From: B?rta Jan<55042barta at sstebrno.eu> >>> To:pspacek at redhat.com >> ___- In the patch >> 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ >> >> diff --git a/ipatests/test_integration/tasks.py >> b/ipatests/test_integration/tasks.py >> index aebd907..ca2e10f 100644 >> --- a/ipatests/test_integration/tasks.py 
>> +++ b/ipatests/test_integration/tasks.py >> @@ -149,11 +149,7 @@ def host_service_active(host, service): >> res = host.run_command(['systemctl', 'is-active', '--quiet', >> service], >> raiseonerr=False) >> >> - if res.returncode == 0: >> - return True >> - else: >> - return False >> - >> + return res.returncode >> >> should be instead: return res.returncode *== 0* (otherwise the return >> type is an int and not a boolean). >> >> In the same file: >> @@ -295,11 +291,7 @@ def >> master_authoritative_for_client_domain(master, client): >> zone = ".".join(client.hostname.split('.')[1:]) >> result = master.run_command(["ipa", "dnszone-show", zone], >> raiseonerr=False) >> - if result.returncode == 0: >> - return True >> - else: >> - return False >> - >> + result.returncode == 0 >> >> should be instead: *return* result.returncode == 0 (otherwise there >> is no return statement) >> >> diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py >> index 197814c..36b6ba5 100644 >> --- a/ipaserver/plugins/dogtag.py >> +++ b/ipaserver/plugins/dogtag.py >> @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): >> # Return command result >> cmd_result = {} >> >> - if parse_result.get('revoked') == 'yes': >> - cmd_result['revoked'] = True >> - else: >> - cmd_result['revoked'] = False >> - >> - return cmd_result >> + cmd_result['revoked'] = parse_result.get('revoked') >> >> Should be instead: cmd_result['revoked'] = >> parse_result.get('revoked') *== 'yes'* (otherwise the type is a >> string and not a boolean) >> >> _- in the patch 00__04-pylint-fix-unneeded-not.patch_ 
>> >> @@ -632,7 +632,7 @@ class host_add(LDAPCreate): >> options['ip_address'], >> check_forward=True, >> check_reverse=check_reverse) >> - if not options.get('force', False) and not 'ip_address' in >> options: >> + if options.get('force', False) and 'ip_address' not in options: >> >> Should be instead: if *not* options.get('force', False) and >> 'ip_address' not in options: >> because of operators precedence >> >> I will review patches 0005 to 0010 later today. >> Flo. >> >> > > How about patches 1, and 3? Because patches are independent, we can > separately ACK them and push them. > > Martin^2 > > Sorry, I just noticed that there is no patch 1 :) -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 20 17:10:19 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:10:19 +0200 Subject: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <20160616202903.7xallvxuo3mpdvcd@redhat.com> References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> <575ED2F9.6010107@redhat.com> <20160613160131.mqhy2aatb3rz3gn7@redhat.com> <5762B80C.5040009@redhat.com> <20160616202903.7xallvxuo3mpdvcd@redhat.com> Message-ID: On 16.06.2016 22:29, Alexander Bokovoy wrote: > On Thu, 16 Jun 2016, thierry bordaz wrote: >> The version DS 1.3.5.6 is now available. Here is the second version >> of the patch taking into account lower precedence for Schema Compat >> >> >> >> On 06/13/2016 06:01 PM, Alexander Bokovoy wrote: >>> On Mon, 13 Jun 2016, thierry bordaz wrote: >>>> >>>> >>>> On 06/13/2016 04:57 PM, Alexander Bokovoy wrote: >>>>> On Mon, 13 Jun 2016, thierry bordaz wrote: >>>>>> This is the fix for https://fedorahosted.org/freeipa/ticket/5944 >>>>> >>>>>>> From 2838fbfc7a22b9bc0c1c4dfaf3660d1ac7099461 Mon Sep 17 >>>>>>> 00:00:00 2001 
>>>>>> From: Thierry Bordaz >>>>>> Date: Wed, 8 Jun 2016 14:03:42 +0200 >>>>>> Subject: [PATCH] Make sure ipapwd_extop takes precedence over >>>>>> passwd_modify_extop >>>>>> >>>>>> DS core server provides a default plugin (passwd_modify_extop) to >>>>>> handle >>>>>> 1.3.6.1.4.1.4203.1.11.1 extended op >>>>>> (https://www.ietf.org/rfc/rfc3062.txt) >>>>>> >>>>>> IPA delivers ipa_pwd_extop plugin that should take precedence over >>>>>> the default DS plugin (passwd_modify_extop) >>>>>> --- >>>>>> install/updates/10-ipapwd.update | 9 +++++++++ >>>>>> 1 file changed, 9 insertions(+) >>>>>> create mode 100644 install/updates/10-ipapwd.update >>>>>> >>>>>> diff --git a/install/updates/10-ipapwd.update >>>>>> b/install/updates/10-ipapwd.update >>>>>> new file mode 100644 >>>>>> index 0000000..d9bffa2 >>>>>> --- /dev/null >>>>>> +++ b/install/updates/10-ipapwd.update 
>>>>>> @@ -0,0 +1,9 @@ >>>>>> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config >>>>>> +# DS core server provides a default plugin (passwd_modify_extop) >>>>>> to handle >>>>>> +# 1.3.6.1.4.1.4203.1.11.1 extended op >>>>>> (https://www.ietf.org/rfc/rfc3062.txt) >>>>>> +# the pluginprecedence of the passwd_modify_extop is 50 (default >>>>>> value) >>>>>> +# >>>>>> +# IPA delivers ipa_pwd_extop plugin to handle that extended op >>>>>> +# we need to make sure ipa_pwd_extop is called and so to set a >>>>>> lower >>>>>> +# precedence value >>>>>> +add:nsslapd-pluginprecedence: 49 >>>>> Here is the problem: slapi-nis is 49 as well and it should be before >>>>> ipa_pwd_extop. >>>>> >>>>> You need to update install/share/schema_compat.uldif and >>>>> install/updates/10-schema_compat.update to get slapi-nis before >>>>> ipa_pwd_extop. >>>> ipapwd_plugin registers extendedop callback but slapi-nis does not. >>>> So I do not think they will "fight" for precedence. >>>> Even if slapi-nis register perextendedop they will be on different >>>> lists and it should not create any issue. >>>> >>>> Now I understand that slapi-nis must run with a precedence that >>>> should be lower than most of the others plugins. Currently it is >>>> 49, are you ok with a value like 40 ? >>> I'm OK with 40, yes. The precedence applies to all callbacks, not just >>> to preextendedop, so a BIND callback would be affected too. >>> >>>>> You also need to make sure we depend on the updated 389-ds-base >>>>> package >>>>> version. >>>> >>>> Good ! >>>> Now with this dependency we should wait for 389-ds 1.3.5.5 to be >>>> available, I will resend the review when it will be available. >>> Yep, thanks. >>> >> > >> From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 
>> From: Thierry Bordaz >> Date: Thu, 16 Jun 2016 16:28:03 +0200 >> Subject: [PATCH] Make sure ipapwd_extop takes precedence over >> passwd_modify_extop >> >> DS core server provides a default plugin (passwd_modify_extop) to handle >> 1.3.6.1.4.1.4203.1.11.1 extended op >> (https://www.ietf.org/rfc/rfc3062.txt) >> >> IPA delivers ipa_pwd_extop plugin that should take precedence over >> the default DS plugin (passwd_modify_extop) >> >> In addition make sure that slapi-nis has a low precedence >> --- >> install/share/schema_compat.uldif | 2 +- >> install/updates/10-ipapwd.update | 9 +++++++++ >> install/updates/10-schema_compat.update | 2 +- >> 3 files changed, 11 insertions(+), 2 deletions(-) >> create mode 100644 install/updates/10-ipapwd.update >> >> diff --git a/install/share/schema_compat.uldif >> b/install/share/schema_compat.uldif >> index a3d412f..66f8ea1 100644 >> --- a/install/share/schema_compat.uldif >> +++ b/install/share/schema_compat.uldif >> @@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin >> # We need to run schema-compat pre-bind callback before >> # other IPA pre-bind callbacks to make sure bind DN is >> # rewritten to the original entry if needed >> -default:nsslapd-pluginprecedence: 49 >> +default:nsslapd-pluginprecedence: 40 >> default:nsslapd-pluginversion: 0.8 >> default:nsslapd-pluginbetxn: on >> default:nsslapd-pluginvendor: redhat.com >> diff --git a/install/updates/10-ipapwd.update >> b/install/updates/10-ipapwd.update >> new file mode 100644 >> index 0000000..d9bffa2 >> --- /dev/null >> +++ b/install/updates/10-ipapwd.update 
>> @@ -0,0 +1,9 @@ >> +dn: cn=ipa_pwd_extop,cn=plugins,cn=config >> +# DS core server provides a default plugin (passwd_modify_extop) to >> handle >> +# 1.3.6.1.4.1.4203.1.11.1 extended op >> (https://www.ietf.org/rfc/rfc3062.txt) >> +# the pluginprecedence of the passwd_modify_extop is 50 (default value) >> +# >> +# IPA delivers ipa_pwd_extop plugin to handle that extended op >> +# we need to make sure ipa_pwd_extop is called and so to set a lower >> +# precedence value >> +add:nsslapd-pluginprecedence: 49 >> diff --git a/install/updates/10-schema_compat.update >> b/install/updates/10-schema_compat.update >> index 2d257a3..e4c257d 100644 >> --- a/install/updates/10-schema_compat.update >> +++ b/install/updates/10-schema_compat.update >> @@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config >> # We need to run schema-compat pre-bind callback before >> # other IPA pre-bind callbacks to make sure bind DN is >> # rewritten to the original entry if needed >> -add:nsslapd-pluginprecedence: 49 >> +add:nsslapd-pluginprecedence: 40 >> >> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config >> add:schema-compat-entry-attribute: >> %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") >> -- >> 2.5.0 >> > ACK > Pushed to: master: 8192e2f8c19acbc0c20903b54707cb42aec6e778 ipa-4-3: cabcd81396d4fe4b214b0b830c0beab1350f7a14 From mbasti at redhat.com Mon Jun 20 17:15:52 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:15:52 +0200 Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone In-Reply-To: References: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com> Message-ID: On 20.06.2016 18:32, Petr Spacek wrote: > On 20.6.2016 18:05, Martin Basti wrote: >> >> On 20.06.2016 16:57, Petr Spacek wrote: >>> Hello, >>> >>> DNS: Warn about restart when default TTL setting DNS is changed >>> >>> bind-dyndb-ldap 10.0 has to be restarted after each change to default >>> TTL. >>> >>> https://fedorahosted.org/freeipa/ticket/2956 >>> >>> DNS: Support default TTL setting for master DNS zones >>> >>> https://fedorahosted.org/freeipa/ticket/2956 >>> >>> >>> >> Thank you for patches, but I have a few comments >> >> TTL patch: >> 1) >> VERSION - please put short note why API was incremented >> >> 2) >> 60ipadns.ldif - please keep ordered attr definitions by OID >> >> 3) >> You missed ACI for updating >> >> Warning patch: LGTM > Thank you very much for review! > > Here is revised version. > I cannot apply patches on current master, even with git am -3 Martin^2 From mbasti at redhat.com Mon Jun 20 17:34:02 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:34:02 +0200 Subject: [Freeipa-devel] [PATCH 0533] Server-del: fix system records removal Message-ID: <019eea02-4a5c-e196-667e-eefe9aaba149@redhat.com> Patch attached. Services must be removed before records are updated -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0533-Server-del-fix-system-records-removal.patch Type: text/x-patch Size: 1303 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 20 17:39:19 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:39:19 +0200 Subject: [Freeipa-devel] [Patch-0046] Increased certmonger timeout to address ticket N 5758 In-Reply-To: <5762634E.4090207@redhat.com> References: <5762634E.4090207@redhat.com> Message-ID: On 16.06.2016 10:29, Oleg Fayans wrote: > With this change the certmonger timeout issue is no longer observed in > abcd lab. > > > ACK Pushed to: master: 0ba9e72057bd372a7cf8ee51d1521ec5d11069d5 ipa-4-3: 084340b1c513c874e259378c0e24008c8f0237ed -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 20 17:56:10 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 19:56:10 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <0a5e8dbf-4f18-c396-eb10-39873fb7b09e@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com> <0a5e8dbf-4f18-c396-eb10-39873fb7b09e@redhat.com> Message-ID: On 20.06.2016 18:48, Martin Basti wrote: > > > On 20.06.2016 16:42, Jan Cholasta wrote: >> On 20.6.2016 16:13, David Kupka wrote: >>> On 28/04/16 14:45, Jan Cholasta wrote: >>>> Hi, >>>> >>>> I have pushed my thin client WIP branch to GitHub: >>>> . >>>> >>>> All commits up to "ipalib: use relative imports for cross-plugin >>>> imports" should be good for review. The rest is subject to change >>>> (WARNING: I will force push into this branch). >>>> >>>> Honza >>>> >>> >>> Hello! >>> >>> Patches: >>> replica install: fix thin client regression >>> schema: remove `no_cli` from command schema >>> schema: remove redundant information >>> schema: merge command args and options >>> schema: remove output_params >>> schema: add object class schema >>> permission: handle ipapermright deprecated CLI alias on the client >>> passwd: handle sort order of passwd argument on the client >>> misc: skip `count` and `total` output in env.output_for_cli >>> dns: do not rely on custom param fields in record attributes >>> automember: add object plugin for automember_rebuild >>> frontend: do not crash on missing output in output_for_cli >>> frontend: skip `value` output in output_for_cli >>> frontend: don't copy command arguments to output params >>> makeaci, makeapi: use in-server API >>> >>> work for me, ACK. >> >> Pushed to master: 8cc8b6fb1023fa4aeafac0df01cfacff4ebf537a >> >> Note that I haven't pushed "replica install: fix thin client >> regression" yet, I would like Martin to review it first. 
> > ACK > > pushed to master: > * 91d6d87ca76e3aa27d5f87fd4f0b70f1d4fe4e72 replica install: fix thin > client regression > >> >> Attaching the patches for reference. >> >>> >>> Note: There is one one known issue in automember output, will be fixed >>> later. >> >> > > > Guys, I suspect that one of previously pushed patches breaks following command on the client side # ipa dns-update-system-records ipa: ERROR: KeyError: 'ipa_records' Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run sys.exit(api.Backend.cli.run(argv)) File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1111, in run rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options) File "/usr/lib/python2.7/site-packages/ipaclient/plugins/dns.py", line 367, in output_for_cli textui.print_indented(u'{}:'.format(labels[key]), indent=1) KeyError: 'ipa_records' ipa: ERROR: an internal error has occurred -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Mon Jun 20 18:04:50 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 20:04:50 +0200 Subject: [Freeipa-devel] [PATCH 0137] DNS Locations: make ipa-ca record generation more robus In-Reply-To: References: Message-ID: On 20.06.2016 18:28, Petr Spacek wrote: > Hello, > > DNS Locations: make ipa-ca record generation more robust > > __add_ca_records_from_hostname() now skips over DNS exceptions and > retries resolution until timeout of 120 seconds is reached. > > Luckily current logic fails safe: In cases where resolution failed for > all the CA servers, the resulting zone object will not contain ipa-ca > record at all and the update logic will skip update for this name. > I.e. the original values in ipa-ca record set will be left in place. > > https://fedorahosted.org/freeipa/ticket/2008 > ACK master: * b6bab8d4e0d6f4715ef353b6944c85c5e88d44ab DNS Locations: make ipa-ca record generation more robust From abokovoy at redhat.com Mon Jun 20 18:24:23 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Jun 2016 21:24:23 +0300 Subject: [Freeipa-devel] [PATCH] 0019 - 2 ipapwd_extop should take precedence over default DS plugin In-Reply-To: <5762B80C.5040009@redhat.com> References: <575EBEF7.9010201@redhat.com> <20160613145721.eed3myq5kqe3pvcb@redhat.com> <575ED2F9.6010107@redhat.com> <20160613160131.mqhy2aatb3rz3gn7@redhat.com> <5762B80C.5040009@redhat.com> Message-ID: <20160620182423.uo4alotxpmgnpkz6@redhat.com> On Thu, 16 Jun 2016, thierry bordaz wrote: >From 81af4f17deca1814851429a054804b5bc9f63491 Mon Sep 17 00:00:00 2001 
>From: Thierry Bordaz >Date: Thu, 16 Jun 2016 16:28:03 +0200 >Subject: [PATCH] Make sure ipapwd_extop takes precedence over > passwd_modify_extop > >DS core server provides a default plugin (passwd_modify_extop) to handle >1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) > >IPA delivers ipa_pwd_extop plugin that should take precedence over >the default DS plugin (passwd_modify_extop) > >In addition make sure that slapi-nis has a low precedence >--- > install/share/schema_compat.uldif | 2 +- > install/updates/10-ipapwd.update | 9 +++++++++ > install/updates/10-schema_compat.update | 2 +- > 3 files changed, 11 insertions(+), 2 deletions(-) > create mode 100644 install/updates/10-ipapwd.update > >diff --git a/install/share/schema_compat.uldif b/install/share/schema_compat.uldif >index a3d412f..66f8ea1 100644 >--- a/install/share/schema_compat.uldif >+++ b/install/share/schema_compat.uldif >@@ -16,7 +16,7 @@ default:nsslapd-pluginid: schema-compat-plugin > # We need to run schema-compat pre-bind callback before > # other IPA pre-bind callbacks to make sure bind DN is > # rewritten to the original entry if needed >-default:nsslapd-pluginprecedence: 49 >+default:nsslapd-pluginprecedence: 40 > default:nsslapd-pluginversion: 0.8 > default:nsslapd-pluginbetxn: on > default:nsslapd-pluginvendor: redhat.com >diff --git a/install/updates/10-ipapwd.update b/install/updates/10-ipapwd.update >new file mode 100644 >index 0000000..d9bffa2 >--- /dev/null >+++ b/install/updates/10-ipapwd.update 
>@@ -0,0 +1,9 @@ >+dn: cn=ipa_pwd_extop,cn=plugins,cn=config >+# DS core server provides a default plugin (passwd_modify_extop) to handle >+# 1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt) >+# the pluginprecedence of the passwd_modify_extop is 50 (default value) >+# >+# IPA delivers ipa_pwd_extop plugin to handle that extended op >+# we need to make sure ipa_pwd_extop is called and so to set a lower >+# precedence value >+add:nsslapd-pluginprecedence: 49 >diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update >index 2d257a3..e4c257d 100644 >--- a/install/updates/10-schema_compat.update >+++ b/install/updates/10-schema_compat.update >@@ -74,7 +74,7 @@ dn: cn=Schema Compatibility,cn=plugins,cn=config > # We need to run schema-compat pre-bind callback before > # other IPA pre-bind callbacks to make sure bind DN is > # rewritten to the original entry if needed >-add:nsslapd-pluginprecedence: 49 >+add:nsslapd-pluginprecedence: 40 > > dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config > add:schema-compat-entry-attribute: %ifeq("ipauniqueid","%{ipauniqueid}","objectclass=ipaOverrideTarget","") >-- >2.5.0 > ACK. A build override with 389-ds-base 1.3.5.6-1.fc24 is also created. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Jun 20 18:27:07 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Jun 2016 21:27:07 +0300 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <575FDDC0.70105@redhat.com> References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> <575FDDC0.70105@redhat.com> Message-ID: <20160620182707.ay7lmfjixlbcrzbx@redhat.com> On Tue, 14 Jun 2016, thierry bordaz wrote: >From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 
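Review bot: the schema_compat.uldif hunk lowers the Schema Compatibility precedence from 49 to 40, but the comment above `default:nsslapd-pluginprecedence: 40` still explains only the pre-bind ordering; since precedence applies to every callback of the plugin, the comment should also state that the value must stay below ipa_pwd_extop's 49 so the pre-extop callback that rewrites the target DN runs first. Nothing else enforces the 40 < 49 < 50 (default) ordering, so document it where the number is set.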
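Review bot: the new install/updates/10-ipapwd.update file is created by the patch, but the diffstat shows no change to install/updates/Makefile.am, so unless it is added to the installed update files ipa-ldap-updater will never apply it and ipa_pwd_extop keeps the default precedence. The earlier review also asked for a dependency on the fixed 389-ds-base, and this revision touches no freeipa.spec.in, so that Requires bump is still missing.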
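Review bot: in the 10-schema_compat.update hunk, `+add:nsslapd-pluginprecedence: 40` replaces a line that previously added 49, so a server that already ran the old update carries 49 and `add:` will try to append 40 next to it; if the attribute is single-valued the update fails, and if it is not, the plugin ends up with two precedence values. Use the updater's replace form (`replace:nsslapd-pluginprecedence:49::40`) or `only:` so the upgrade path actually moves existing servers from 49 to 40.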
>From: Thierry Bordaz >Date: Fri, 10 Jun 2016 15:34:40 +0200 >Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop > plugin > >ipapwd_extop allows to update the password on a specific entry, identified by its DN. >It can be usefull to support virtual DN in the extop so that update of a virtual entry >would land into the proper real entry. > >If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value >of TARGET_DN, instead of using the original one (in the ber req) > >https://fedorahosted.org/freeipa/ticket/5946 >--- > .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +++++++++++++++++----- > 1 file changed, 28 insertions(+), 8 deletions(-) > >diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >index 440e221..3c2c44f 100644 >--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) > char *attrlist[] = {"*", "passwordHistory", NULL }; > struct ipapwd_data pwdata; > int is_krb, is_smb, is_ipant; >- char *principal = NULL; >+ char *principal = NULL; > Slapi_PBlock *chpwop_pb = NULL; >+ Slapi_DN *target_sdn = NULL; >+ char *target_dn = NULL; > > /* Get the ber value of the extended operation */ > slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
>@@ -327,14 +329,32 @@ parse_req_done: > } > } > >- /* Determine the target DN for this operation */ >- /* Did they give us a DN ? */ >- if (dn == NULL || *dn == '\0') { >- /* Get the DN from the bind identity on this connection */ >- dn = slapi_ch_strdup(bindDN); >- LOG_TRACE("Missing userIdentity in request, " >- "using the bind DN instead.\n"); >+ /* Determine the target DN for this operation */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >+ if (target_sdn != NULL) { >+ /* If there is a TARGET_DN we are consuming it */ >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >+ target_dn = slapi_sdn_get_ndn(target_sdn); > } >+ if (target_dn == NULL || *target_dn == '\0') { >+ /* Did they give us a DN ? */ >+ if (dn == NULL || *dn == '\0') { >+ /* Get the DN from the bind identity on this connection */ >+ dn = slapi_ch_strdup(bindDN); >+ LOG_TRACE("Missing userIdentity in request, " >+ "using the bind DN instead.\n"); >+ } >+ LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >+ } else { >+ /* At this point if SLAPI_TARGET_SDN was set that means >+ * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >+ * So take this one rather that the raw one that is in the ber >+ */ >+ LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); >+ slapi_ch_free_string(&dn); >+ dn = slapi_ch_strdup(target_dn); >+ } >+ slapi_sdn_free(&target_sdn); > > if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { > LOG_FATAL("slapi_pblock_set failed!\n"); >-- >2.5.0 > ACK. A build with slapi-nis 0.56.0-2.fc24 that includes pre-extop callback is available in Fedora -- https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 so you can test against it. I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 for this. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Jun 20 18:28:35 2016 
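Review bot: `target_dn` in the @@ -207 hunk is declared `char *`, but it receives the return value of `slapi_sdn_get_ndn()`, which is `const char *`; declare it `const char *target_dn = NULL;` so the qualifier is not discarded (it is only read and passed to `slapi_ch_strdup`, so const is correct). The `-    char *principal = NULL;` / `+    char *principal = NULL;` pair in the same hunk is a whitespace-only change unrelated to the fix and could be dropped.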
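Review bot: the ownership contract for SLAPI_TARGET_SDN in the @@ -327 hunk is implicit: clearing the pblock slot and then calling `slapi_sdn_free(&target_sdn)` assumes the pre-extop plugin (slapi-nis here) allocated the Slapi_DN and hands it over for the consumer to free. Say so in the `/* If there is a TARGET_DN we are consuming it */` comment, because a pre-extop plugin that keeps its own reference would be left with a dangling pointer. When a pre-extop plugin sets an empty DN the code silently falls back to the ber/bind DN path; a trace line naming the chosen DN there would help debugging. Typo in the comment: `rather that the raw one` should read `rather than`.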
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Jun 2016 21:28:35 +0300 Subject: [Freeipa-devel] [PATCH] 0021 slapi-nis should allow password update on a virtual entry In-Reply-To: <5761857F.7000904@redhat.com> References: <5761720B.7040904@redhat.com> <20160615155456.prd7m3pnzijjbwkr@redhat.com> <5761857F.7000904@redhat.com> Message-ID: <20160620182835.hnhoikfrlxo2rgqk@redhat.com> On Wed, 15 Jun 2016, thierry bordaz wrote: >Thanks Alexander for the review. >You are right I forgot to remove those lines during the cleanup. ACK -- I've committed this patch to slapi-nis and released 0.56.0 version. https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 -- / Alexander Bokovoy From abokovoy at redhat.com Mon Jun 20 18:31:49 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 20 Jun 2016 21:31:49 +0300 Subject: [Freeipa-devel] [PATCH 0532] Fix possibly undefined variable In-Reply-To: <65698bcb-d35b-55cb-42b4-5d66e9d74898@redhat.com> References: <65698bcb-d35b-55cb-42b4-5d66e9d74898@redhat.com> Message-ID: <20160620183149.pgipxwb3z2srjdh7@redhat.com> On Mon, 20 Jun 2016, Martin Basti wrote: >Patch attached. > >From a073b44587a5b34c4f1de5742d54e7c547cd5821 Mon Sep 17 00:00:00 2001 >From: Martin Basti >Date: Mon, 20 Jun 2016 12:48:38 +0200 >Subject: [PATCH] Fix possibly undefined variable in ipa_smb_conf_exists() > >There was missing else statement what may result in undefined conf_fd >variable. >--- > ipaserver/install/adtrustinstance.py | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py >index 94474122125a59d7da8b05a13dcd6c0f20568855..6ab15df27216580d440ce72386113d6872c046b2 100644 >--- a/ipaserver/install/adtrustinstance.py >+++ b/ipaserver/install/adtrustinstance.py 
>@@ -81,6 +81,8 @@ def ipa_smb_conf_exists(): > except IOError as err: > if err.errno == errno.ENOENT: > return False >+ else: >+ raise > > lines = conf_fd.readlines() > conf_fd.close() >-- >2.5.5 > ACK, thanks! -- / Alexander Bokovoy From pvomacka at redhat.com Mon Jun 20 18:48:43 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 20 Jun 2016 20:48:43 +0200 Subject: [Freeipa-devel] [PATCH] 0059: webui: make 'Actions' strings translatable Message-ID: <328f412b-dabf-d479-293f-ccb9981a229d@redhat.com> Hello, please review attached patch. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0059-Make-Actions-string-translatable.patch Type: text/x-patch Size: 2179 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 20 18:50:14 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 20 Jun 2016 20:50:14 +0200 Subject: [Freeipa-devel] [PATCH 0532] Fix possibly undefined variable In-Reply-To: <20160620183149.pgipxwb3z2srjdh7@redhat.com> References: <65698bcb-d35b-55cb-42b4-5d66e9d74898@redhat.com> <20160620183149.pgipxwb3z2srjdh7@redhat.com> Message-ID: <04c08237-28e9-36e5-dd9d-0cba07fee3d0@redhat.com> On 20.06.2016 20:31, Alexander Bokovoy wrote: > On Mon, 20 Jun 2016, Martin Basti wrote: >> Patch attached. >> > >> From a073b44587a5b34c4f1de5742d54e7c547cd5821 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Mon, 20 Jun 2016 12:48:38 +0200 >> Subject: [PATCH] Fix possibly undefined variable in >> ipa_smb_conf_exists() >> >> There was missing else statement what may result in undefined conf_fd >> variable. >> --- >> ipaserver/install/adtrustinstance.py | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/ipaserver/install/adtrustinstance.py >> b/ipaserver/install/adtrustinstance.py >> index >> 94474122125a59d7da8b05a13dcd6c0f20568855..6ab15df27216580d440ce72386113d6872c046b2 >> 100644 >> --- a/ipaserver/install/adtrustinstance.py 
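Review bot: the added `else: raise` re-raises every IOError other than ENOENT, so `conf_fd` can no longer be referenced unbound below; since the `if` branch returns, a bare `raise` at the same indentation as the `if` would be equivalent, but the explicit `else` reads fine. The `conf_fd.readlines()` / `conf_fd.close()` context lines are still not exception-safe (a failing `readlines()` leaks the descriptor); a `with open(...)` block would close the file on every path.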
>> +++ b/ipaserver/install/adtrustinstance.py >> @@ -81,6 +81,8 @@ def ipa_smb_conf_exists(): >> except IOError as err: >> if err.errno == errno.ENOENT: >> return False >> + else: >> + raise >> >> lines = conf_fd.readlines() >> conf_fd.close() >> -- >> 2.5.5 >> > ACK, thanks! > Thanks pushed to master master: * fe689e9938d6bcddd848f70b2f719253c55c09d7 Fix possibly undefined variable in ipa_smb_conf_exists() From jcholast at redhat.com Tue Jun 21 05:19:19 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jun 2016 07:19:19 +0200 Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate In-Reply-To: <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com> References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com> <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com> Message-ID: On 20.6.2016 15:31, Jan Cholasta wrote: > On 20.6.2016 09:54, Jan Cholasta wrote: >> On 15.6.2016 12:33, Jan Cholasta wrote: >>> On 14.6.2016 11:44, Jan Cholasta wrote: >>>> On 21.4.2016 09:11, Jan Cholasta wrote: >>>>> On 6.4.2016 15:46, Pavel Vomacka wrote: >>>>>> >>>>>> >>>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote: >>>>>>> Hi, >>>>>>> >>>>>>> the attached patches implement the server-side part of >>>>>>> . >>>>>>> >>>>>>> Honza >>>>>>> >>>>>> Hi, >>>>>> >>>>>> thank you for the patches. I tested them and they work well. But I >>>>>> would >>>>>> like to ask you whether would be possible to extend the response of >>>>>> 'basecert_find' method and probably also 'basecert_show' response. I >>>>>> think of these information: >>>>>> >>>>>> 1) information whether the certificate is issued by our CA or not. >>>>> >>>>> You can check for that by comparing the issuer name of the certificate >>>>> to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base >>>>> from config-show. >>>>> >>>>>> >>>>>> 2) this probably wouldn't be possible (as we discussed), but I rather >>>>>> write it too - the information about revocation reason. The same as >>>>>> the >>>>>> 'cert_show' provides. >>>>> >>>>> Added --check-revocation flag to request this information. >>>>> Currently it >>>>> works only on certificates issued by our CA. >>>>> >>>>>> >>>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns >>>>> >>>>> Added, also included SHA-256. >>>>> >>>>>> >>>>>> Thank you again. >>>>> >>>>> Updated patches attached. 
>>>> >>>> Updated and rebased patches attached. Requires Fraser's sub-CA patches. >>> >>> Attaching updated patch 623, which fixes these issues found by David: >>> . >> >> Updated and rebased patches attached. > > Attaching updated patches 552 and 623, which fix the --sizelimit option. Updated and rebased patches attached. The --revocation-reason option now works as expected. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-551.3-ldap-fix-handling-of-binary-data-in-search-filters.patch Type: text/x-patch Size: 1201 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-552.5-cert-add-object-plugin.patch Type: text/x-patch Size: 30485 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-623.4-cert-add-owner-information.patch Type: text/x-patch Size: 18093 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-624.2-cert-allow-search-by-certificate.patch Type: text/x-patch Size: 7576 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 21 05:29:22 2016 
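Jan's reply above suggests deciding whether a certificate was issued by the IPA CA by comparing its issuer name with "CN=Certificate Authority,$SUBJECT_BASE" (subject base as reported by config-show), and adding MD5/SHA-1/SHA-256 fingerprints to the output. The following Python is an added example, not code from this thread or from FreeIPA: it performs a simplified DN comparison (assumed normalization: lower-cased attribute types, case-insensitive trimmed values, only backslash-escaped commas honoured) and renders the fingerprints as colon-separated hex, which is an assumed presentation rather than the exact format the cert plugin emits. The sample subject base and issuer names are constructed.

```python
import hashlib
import re

# Constructed sample values (not taken from the page): the subject base an
# admin would read from `ipa config-show`, and two issuer names as a cert
# plugin might report them.
SUBJECT_BASE = "O=EXAMPLE.TEST"
IPA_ISSUER = "CN=Certificate Authority,O=EXAMPLE.TEST"
EXTERNAL_ISSUER = "CN=Some Public CA,O=Example Corp,C=US"

# Split on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def normalize_dn(dn):
    """Return a canonical list of (type, value) pairs for loose DN comparison.

    Assumption (not IPA's own DN handling): attribute types are lower-cased,
    values are trimmed and compared case-insensitively, and only
    backslash-escaped commas are unescaped.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(),
                     value.strip().replace('\\,', ',').lower()))
    return rdns


def is_issued_by_ipa_ca(issuer, subject_base):
    """True if `issuer` names the IPA CA, i.e. CN=Certificate Authority
    under the deployment's subject base (the check Jan describes)."""
    expected = "CN=Certificate Authority," + subject_base
    return normalize_dn(issuer) == normalize_dn(expected)


def fingerprints(der_bytes):
    """MD5, SHA-1 and SHA-256 fingerprints of a DER-encoded certificate,
    rendered as upper-case colon-separated hex pairs (assumed format)."""
    out = {}
    for name in ("md5", "sha1", "sha256"):
        digest = hashlib.new(name, der_bytes).hexdigest().upper()
        out[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


if __name__ == "__main__":
    for issuer in (IPA_ISSUER, EXTERNAL_ISSUER):
        print(issuer, "->", "IPA CA" if is_issued_by_ipa_ca(issuer, SUBJECT_BASE)
              else "external CA")
    # b"abc" stands in for DER bytes; a real caller passes the certificate.
    for algo, fp in sorted(fingerprints(b"abc").items()):
        print(algo, fp)
```

The DN comparison deliberately ignores case and whitespace because the issuer string a client receives may be rendered differently from the subject base stored in config, while a byte-for-byte comparison would report a false "external CA".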
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jun 2016 07:29:22 +0200 Subject: [Freeipa-devel] [DESIGN] Lightweight CA renewal In-Reply-To: <20160618003803.GB4200@dhcp-40-8.bne.redhat.com> References: <20160506060158.GZ1237@dhcp-40-8.bne.redhat.com> <20160617073427.GR4744@dhcp-40-8.bne.redhat.com> <20160618003803.GB4200@dhcp-40-8.bne.redhat.com> Message-ID: <9406ecb2-8727-370e-6a7a-d0f22b3d7499@redhat.com> On 18.6.2016 02:38, Fraser Tweedale wrote: > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote: >> On 17.6.2016 09:34, Fraser Tweedale wrote: >>> On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 6.5.2016 08:01, Fraser Tweedale wrote: >>>>> Hullo all, >>>>> >>>>> FreeIPA Lightweight CAs implementation is progressing well. The >>>>> remaining big unknown in the design is how to do renewal. I have >>>>> put my ideas into the design page[1] and would appreciate any and >>>>> all feedback! >>>>> >>>>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal >>>>> >>>>> Some brief commentary on the options: >>>>> >>>>> I intend to implement approach (1) as a baseline. Apart from >>>>> implementing machinery in Dogtag to actually perform the renewal - >>>>> which is required for all the approaches - it's not much work and >>>>> gets us over the "lightweight CAs can be renewed easily" line, even >>>>> if it is a manual process. >>>>> >>>>> For automatic renewal, I am leaning towards approach (2). Dogtag >>>>> owns the lightweight CAs so I think it makes sense to give Dogtag >>>>> the ability to renew them automatically (if configured to do so), >>>>> without relying on external tools i.e. Certmonger. But as you will >>>>> see from the outlines, each approach has its upside and downside. >>>> >>>> I would prefer (3), as I would very much like to avoid duplicating >>>> certmonger's functionality in Dogtag. 
>>>> >>>> Some comments on the disadvantages: >>>> >>>> * "Proliferation of Certmonger tracking requests; one for each >>>> FreeIPA-managed lightweight CA." >>>> >>>> I don't think this is an actual issue, as it's purely cosmetic. >>>> >>>> * "Either lightweight CA creation is restricted to the renewal master, or >>>> the renewal master must observe the creation of new lightweight CAs and >>>> start tracking their certificate." >>>> >>>> IMO this doesn't have to be done automatically in the initial >>>> implementation. You could extend ipa-certupdate to set up certmonger for >>>> lightweight CAs and have admins run it manually on masters after adding a >>>> new lightweight CA. They will have to run it anyway to get the new >>>> lightweight CA certificate installed in the system, so it should be fine to >>>> do it this way. >>>> >>> I have updated the renew_ca_cert post-save script to perform the >>> database update necessary for CA replicas to pick up the new cert. >>> What remains is the command to tell certmonger to track the CA. >>> >>> You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a >>> better fit, e.g.: >>> >>> ipa-cacert-manage track >>> >>> It would look up the necessary info (basically just the CA-ID) and >>> set up the certmonger tracking. >> >> No. ipa-cacert-manage updates global configuration in LDAP, whereas >> ipa-certupdate applies the global configuration on the local system. >> Updating certmonger configuration is the latter, hence it should be done in >> ipa-certupdate. >> >> Also, I don't think we should expose (un)tracking certificates by CA ID to >> users, as all our CA certificates should always be tracked. >> > OK, so ipa-certupdate just gets run without arguments on a CA > master, and it ensures that all CA certificates are tracked by > Certmonger. Right. > > Makes sense to me. Thanks for the clarifications. > >>> >>> It could be an error to run the command on other than the renewal >>> master. 
>> >> Note that the main CA certificate is tracked on all CA servers, not just the >> renewal master, otherwise it wouldn't get updated on the other CA servers >> after renewal. I would think the same needs to be done for lightweight CA >> certificates, unless there is a different mechanism for distributing the >> certificates to other CA masters, in which case I would prefer if the >> mechanism was also used for the main CA certificate. >> > There is a different mechanism that causes other CA masters to > update their NSSDBs with the new certificate. After the renewal is > performed, the authoritySerial attribute is updated in the > authority's entry in Dogtag's database; other CA replicas > notice the update and install the new cert in their own NSSDBs > without requiring restart (thus, we only need to track LWCA certs on > the renewal master). > > The mechanism is available on versions of Dogtag that support > lightweight CAs, with the ou=authorities container existing in > Dogtag's database. It should work for the main CA, but I have not > tested this yet. Sounds great! I hope it works, I would very much like to get rid of our thing now that Dogtag handles it. > >>> >>> An untrack command could also be provided. >>> >>> Thoughts? >>> >>>> * "Development of new Certmonger renewal helpers solely for lightweight CA >>>> renewal." >>>> >>>> It would be easier to extend the existing helpers. I don't think there >>>> is anything preventing them from being used for lightweight CAs, except not >>>> conveying the CA name, which should be easy to implement. >>>> >>>> >>>> I would also avoid starting with (1), I don't believe it adds any real >>>> value. IMHO the first thing that should be done is implement lightweight CA >>>> support in certmonger (add new 'request' / 'start-tracking' option for CA >>>> name, store it in tracking requests, pass it to CA helpers in a new >>>> environment variable).
>>>> >>>> >>>> Honza >>>> >>>> -- >>>> Jan Cholasta >> >> >> -- >> Jan Cholasta -- Jan Cholasta From jcholast at redhat.com Tue Jun 21 05:53:20 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jun 2016 07:53:20 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com> <0a5e8dbf-4f18-c396-eb10-39873fb7b09e@redhat.com> Message-ID: On 20.6.2016 19:56, Martin Basti wrote: > > > On 20.06.2016 18:48, Martin Basti wrote: >> >> >> On 20.06.2016 16:42, Jan Cholasta wrote: >>> On 20.6.2016 16:13, David Kupka wrote: >>>> On 28/04/16 14:45, Jan Cholasta wrote: >>>>> Hi, >>>>> >>>>> I have pushed my thin client WIP branch to GitHub: >>>>> . >>>>> >>>>> All commits up to "ipalib: use relative imports for cross-plugin >>>>> imports" should be good for review. The rest is subject to change >>>>> (WARNING: I will force push into this branch). >>>>> >>>>> Honza >>>>> >>>> >>>> Hello! >>>> >>>> Patches: >>>> replica install: fix thin client regression >>>> schema: remove `no_cli` from command schema >>>> schema: remove redundant information >>>> schema: merge command args and options >>>> schema: remove output_params >>>> schema: add object class schema >>>> permission: handle ipapermright deprecated CLI alias on the client >>>> passwd: handle sort order of passwd argument on the client >>>> misc: skip `count` and `total` output in env.output_for_cli >>>> dns: do not rely on custom param fields in record attributes >>>> automember: add object plugin for automember_rebuild >>>> frontend: do not crash on missing output in output_for_cli >>>> frontend: skip `value` output in output_for_cli >>>> frontend: don't copy command arguments to output params >>>> makeaci, makeapi: use in-server API >>>> >>>> work for me, ACK. >>> >>> Pushed to master: 8cc8b6fb1023fa4aeafac0df01cfacff4ebf537a >>> >>> Note that I haven't pushed "replica install: fix thin client >>> regression" yet, I would like Martin to review it first. 
>> >> ACK >> >> pushed to master: >> * 91d6d87ca76e3aa27d5f87fd4f0b70f1d4fe4e72 replica install: fix thin >> client regression >> >>> >>> Attaching the patches for reference. >>> >>>> >>>> Note: There is one one known issue in automember output, will be fixed >>>> later. >>> >>> >> >> >> > Guys, I suspect that one of previously pushed patches breaks following > command on the client side > > # ipa dns-update-system-records > ipa: ERROR: KeyError: 'ipa_records' > Traceback (most recent call last): > File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, in run > sys.exit(api.Backend.cli.run(argv)) > File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1111, in run > rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, > **options) > File "/usr/lib/python2.7/site-packages/ipaclient/plugins/dns.py", line > 367, in output_for_cli > textui.print_indented(u'{}:'.format(labels[key]), indent=1) > KeyError: 'ipa_records' > ipa: ERROR: an internal error has occurred Sorry. Fixed. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-649-dns-fix-dns_update_system_records-to-work-with-thin-.patch Type: text/x-patch Size: 3963 bytes Desc: not available URL: From ftweedal at redhat.com Tue Jun 21 05:55:00 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 21 Jun 2016 15:55:00 +1000 Subject: [Freeipa-devel] [DESIGN] Lightweight CA renewal In-Reply-To: <9406ecb2-8727-370e-6a7a-d0f22b3d7499@redhat.com> References: <20160506060158.GZ1237@dhcp-40-8.bne.redhat.com> <20160617073427.GR4744@dhcp-40-8.bne.redhat.com> <20160618003803.GB4200@dhcp-40-8.bne.redhat.com> <9406ecb2-8727-370e-6a7a-d0f22b3d7499@redhat.com> Message-ID: <20160621055500.GC4200@dhcp-40-8.bne.redhat.com> On Tue, Jun 21, 2016 at 07:29:22AM +0200, Jan Cholasta wrote: > On 18.6.2016 02:38, Fraser Tweedale wrote: > > On Fri, Jun 17, 2016 at 03:21:07PM +0200, Jan Cholasta wrote: > > > On 17.6.2016 09:34, Fraser Tweedale wrote: > > > > On Mon, May 09, 2016 at 09:35:06AM +0200, Jan Cholasta wrote: > > > > > Hi, > > > > > > > > > > On 6.5.2016 08:01, Fraser Tweedale wrote: > > > > > > Hullo all, > > > > > > > > > > > > FreeIPA Lightweight CAs implementation is progressing well. The > > > > > > remaining big unknown in the design is how to do renewal. I have > > > > > > put my ideas into the design page[1] and would appreciate any and > > > > > > all feedback! > > > > > > > > > > > > [1] http://www.freeipa.org/page/V4/Sub-CAs#Renewal > > > > > > > > > > > > Some brief commentary on the options: > > > > > > > > > > > > I intend to implement approach (1) as a baseline. Apart from > > > > > > implementing machinery in Dogtag to actually perform the renewal - > > > > > > which is required for all the approaches - it's not much work and > > > > > > gets us over the "lightweight CAs can be renewed easily" line, even > > > > > > if it is a manual process. > > > > > > > > > > > > For automatic renewal, I am leaning towards approach (2). Dogtag > > > > > > owns the lightweight CAs so I think it makes sense to give Dogtag > > > > > > the ability to renew them automatically (if configured to do so), > > > > > > without relying on external tools i.e. Certmonger. 
But as you will > > > > > > see from the outlines, each approach has its upside and downside. > > > > > > > > > > I would prefer (3), as I would very much like to avoid duplicating > > > > > certmonger's functionality in Dogtag. > > > > > > > > > > Some comments on the disadvantages: > > > > > > > > > > * "Proliferation of Certmonger tracking requests; one for each > > > > > FreeIPA-managed lightweight CA." > > > > > > > > > > I don't think this is an actual issue, as it's purely cosmetic. > > > > > > > > > > * "Either lightweight CA creation is restricted to the renewal master, or > > > > > the renewal master must observe the creation of new lightweight CAs and > > > > > start tracking their certificate." > > > > > > > > > > IMO this doesn't have to be done automatically in the initial > > > > > implementation. You could extend ipa-certupdate to set up certmonger for > > > > > lightweight CAs and have admins run it manually on masters after adding a > > > > > new lightweight CA. They will have to run it anyway to get the new > > > > > lightweight CA certificate installed in the system, so it should be fine to > > > > > do it this way. > > > > > > > > > I have updated the renew_ca_cert post-save script to perform the > > > > database update necessary for CA replicas to pick up the new cert. > > > > What remains is the command to tell certmonger to track the CA. > > > > > > > > You mentioned ipa-certupdate but perhaps ipa-cacert-manage is a > > > > better fit, e.g.: > > > > > > > > ipa-cacert-manage track > > > > > > > > It would look up the necessary info (basically just the CA-ID) and > > > > set up the certmonger tracking. > > > > > > No. ipa-cacert-manage updates global configuration in LDAP, whereas > > > ipa-certupdate applies the global configuration on the local system. > > > Updating certmonger configuration is the latter, hence it should be done in > > > ipa-certupdate. 
> > > > > > Also, I don't think we should expose (un)tracking certificates by CA ID to > > > users, as all our CA certificates should always be tracked. > > > > > OK, so ipa-certupdate just gets run without arguments on a CA > > master, and it ensures that all CA certificates are tracked by > > Certmonger. > > Right. > > > > > Makes sense to me. Thanks for the clarifications. > > > > > > > > > > It could be an error to run the command on other than the renewal > > > > master. > > > > > > Note that the main CA certificate is tracked on all CA servers, not just the > > > renewal master, otherwise it wouldn't get updated on the other CA servers > > > after renewal. I would think the same needs to be done for lightweight CA > > > certificates, unless there is a different mechanism for distributing the > > > certificates to other CA masters, in which case I would prefer if the > > > mechanism was also used for the main CA certificate. > > > > > There is a different mechanism that causes other CA masters to > > update their NSSDBs with the new certificate. After the renewal is > > performed, the authoritySerial attribute is updated in the > > authority's entry in Dogtag's database; other CA replicas > > notice the update and install the new cert in their own NSSDBs > > without requiring restart (thus, we only need to track LWCA certs on > > the renewal master). > > > > The mechanism is available on versions of Dogtag that support > > lightweight CAs, with the ou=authorities container existing in > > Dogtag's database. It should work for the main CA, but I have not > > tested this yet. > > Sounds great! I hope it works, I would very much like to get rid of our > thing now that Dogtag handles it. > I'll need to check a few things, because the current renewal hook updates certificate values in CS.cfg for the main CA signing and subsystem certs. Therefore, the patches (I'm about to send them) preserve existing behaviour for the main CA cert.
It will be easy to change to the new mechanism for the main CA cert once I make sure that everything will work. Cheers, Fraser > > > > > > > > > > An untrack command could also be provided. > > > > > > > > Thoughts? > > > > > > > > > * "Development of new Certmonger renewal helpers solely for lightweight CA > > > > > renewal." > > > > > > > > > > It would be easier to extend the existing helpers. I don't think there > > > > > is anything preventing them from being used for lightweight CAs, except not > > > > > conveying the CA name, which should be easy to implement. > > > > > > > > > > > > > > > I would also avoid starting with (1), I don't believe it adds any real > > > > > value. IMHO the first thing that should be done is implement lightweight CA > > > > > support in certmonger (add new 'request' / 'start-tracking' option for CA > > > > > name, store it in tracking requests, pass it to CA helpers in a new > > > > > environment variable). > > > > > > > > > > > > > > > Honza > > > > > > > > > > -- > > > > > Jan Cholasta > > > > > > > > > -- > > > Jan Cholasta > > > -- > Jan Cholasta From ftweedal at redhat.com Tue Jun 21 06:24:16 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 21 Jun 2016 16:24:16 +1000 Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal Message-ID: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> The attached patches add lightweight CA renewal. There are two substantive aspects: 1. The renew_ca_cert updates the serial number in the lightweight CA's entry in the Dogtag database. This causes CA clones to observe the renewal and update the certs in their own NSSDBs. 2. The ipa-certupdate command adds Certmonger tracking requests for lightweight CAs (on the renewal master only). Correct behaviour also depends on my patch 0069 (in-server API for renew_ca_cert script). Cheers, Fraser -------------- next part -------------- From c2333f0dbe0560a67059030e1a04eb96a52c20d8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Fri, 17 Jun 2016 10:05:49 +1000 Subject: [PATCH 72/75] ipaldap: turn LDAP filter utility functions into class methods The LDAP filter utilities do not use any instance attributes, so collectively turn them into class methods to promote reuse. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipapython/ipaldap.py | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 410ddae2c484f060abf2bbf3e897549a26b0ebc9..67a3c82f03bd89299ce12a35112e9cfda35d6fe6 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -1153,7 +1153,8 @@ class LDAPClient(object): # entry_attrs = {u'firstName': u'Pavel', u'lastName': u'Zuna'} # f = ldap2.make_filter(entry_attrs, rules=ldap2.MATCH_ALL) - def combine_filters(self, filters, rules='|'): + @classmethod + def combine_filters(cls, filters, rules='|'): """ Combine filters into one for ldap2.find_entries. @@ -1164,9 +1165,9 @@ class LDAPClient(object): assert isinstance(filters, (list, tuple)) filters = [f for f in filters if f] - if filters and rules == self.MATCH_NONE: # unary operator - return '(%s%s)' % (self.MATCH_NONE, - self.combine_filters(filters, self.MATCH_ANY)) + if filters and rules == cls.MATCH_NONE: # unary operator + return '(%s%s)' % (cls.MATCH_NONE, + cls.combine_filters(filters, cls.MATCH_ANY)) if len(filters) > 1: flt = '(%s' % rules @@ -1180,8 +1181,9 @@ class LDAPClient(object): flt = '%s)' % flt return flt + @classmethod def make_filter_from_attr( - self, attr, value, rules='|', exact=True, + cls, attr, value, rules='|', exact=True, leading_wildcard=True, trailing_wildcard=True): """ Make filter for ldap2.find_entries from attribute. 
@@ -1198,18 +1200,18 @@ class LDAPClient(object): False - forbid trailing filter wildcard when exact=False """ if isinstance(value, (list, tuple)): - if rules == self.MATCH_NONE: - make_filter_rules = self.MATCH_ANY + if rules == cls.MATCH_NONE: + make_filter_rules = cls.MATCH_ANY else: make_filter_rules = rules flts = [ - self.make_filter_from_attr( + cls.make_filter_from_attr( attr, v, exact=exact, leading_wildcard=leading_wildcard, trailing_wildcard=trailing_wildcard) for v in value ] - return self.combine_filters(flts, rules) + return cls.combine_filters(flts, rules) elif value is not None: value = ldap.filter.escape_filter_chars(value_to_utf8(value)) if not exact: @@ -1219,13 +1221,14 @@ class LDAPClient(object): if trailing_wildcard: template = template + '*' value = template % value - if rules == self.MATCH_NONE: + if rules == cls.MATCH_NONE: return '(!(%s=%s))' % (attr, value) return '(%s=%s)' % (attr, value) return '' + @classmethod def make_filter( - self, entry_attrs, attrs_list=None, rules='|', exact=True, + cls, entry_attrs, attrs_list=None, rules='|', exact=True, leading_wildcard=True, trailing_wildcard=True): """ Make filter for ldap2.find_entries from entry attributes. @@ -1247,15 +1250,15 @@ class LDAPClient(object): ldap2.MATCH_ALL - match entries that match all attributes ldap2.MATCH_ANY - match entries that match any of attribute """ - if rules == self.MATCH_NONE: - make_filter_rules = self.MATCH_ANY + if rules == cls.MATCH_NONE: + make_filter_rules = cls.MATCH_ANY else: make_filter_rules = rules flts = [] if attrs_list is None: for (k, v) in entry_attrs.items(): flts.append( - self.make_filter_from_attr( + cls.make_filter_from_attr( k, v, make_filter_rules, exact, leading_wildcard, trailing_wildcard) ) 
@@ -1264,11 +1267,11 @@ class LDAPClient(object): value = entry_attrs.get(a, None) if value is not None: flts.append( - self.make_filter_from_attr( + cls.make_filter_from_attr( a, value, make_filter_rules, exact, leading_wildcard, trailing_wildcard) ) - return self.combine_filters(flts, rules) + return cls.combine_filters(flts, rules) def get_entries(self, base_dn, scope=ldap.SCOPE_SUBTREE, filter=None, attrs_list=None, **kwargs): -- 2.5.5 -------------- next part -------------- From 7bc9cdbf661dc5cc62d0676f5489269c7c78e6d2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 17 Jun 2016 13:33:26 +1000 Subject: [PATCH 73/75] Skip CS.cfg update if cert nickname not known After CA certificate renewal, the ``renew_ca_cert`` helper updates certificate data in CS.cfg. An unrecognised nickname will raise ``KeyError``. To allow the helper to be used for arbitrary certificates (e.g. lightweight CAs), do not fail if the nickname is unrecognised - just skip the update. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/install/cainstance.py | 5 +++-- ipaserver/install/dogtaginstance.py | 7 +++---- ipaserver/install/krainstance.py | 5 +++-- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8dfb71528d2dc020e05ccd7ff42199218a1c0839..2ef568605e3148b30a9a62cf66e7202412910740 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1240,8 +1240,9 @@ class CAInstance(DogtagInstance): except Exception as e: syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e) - DogtagInstance.update_cert_cs_cfg( - nickname, cert, directives, paths.CA_CS_CFG_PATH) + if nickname in directives: + DogtagInstance.update_cert_cs_cfg( + directives[nickname], cert, paths.CA_CS_CFG_PATH) def __create_ds_db(self): ''' 
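Review bot: turning `combine_filters` into a classmethod in the @@ -1153 hunk of patch 72 only works if `MATCH_NONE`, `MATCH_ANY` and `MATCH_ALL` are class attributes of LDAPClient rather than set in `__init__`; the hunk does not show their definitions, so confirm that (and that no subclass sets them per instance) before relying on `cls.MATCH_NONE`. The usage comment above the hunk and the docstrings still describe the helpers as `ldap2.make_filter` / `ldap2.find_entries`; since the point of the change is that they are now callable as `LDAPClient.make_filter(...)` without a connection, say so in the docstring.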
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 9f094d83404d8d59c871cadca325a8b8a5a0c0bc..b65628277d9e361a3ab5674dfd2689e258b1887b 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -370,21 +370,20 @@ class DogtagInstance(service.Service): cmonger.stop() @staticmethod - def update_cert_cs_cfg(nickname, cert, directives, cs_cfg): + def update_cert_cs_cfg(directive, cert, cs_cfg): """ When renewing a Dogtag subsystem certificate the configuration file needs to get the new certificate as well. - nickname is one of the known nicknames. + ``directive`` is the directive to update in CS.cfg cert is a DER-encoded certificate. - directives is the list of directives to be updated for the subsystem cs_cfg is the path to the CS.cfg file """ with stopped_service('pki-tomcatd', 'pki-tomcat'): installutils.set_directive( cs_cfg, - directives[nickname], + directive, base64.b64encode(cert), quotes=False, separator='=') diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 67ad6544c16734a0f0a9fcb1355499daeec48642..dc44726887916c7216564679c6ea8e9902177b64 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -348,8 +348,9 @@ class KRAInstance(DogtagInstance): 'subsystemCert cert-pki-kra': 'kra.subsystem.cert', 'Server-Cert cert-pki-ca': 'kra.sslserver.cert'} - DogtagInstance.update_cert_cs_cfg( - nickname, cert, directives, paths.KRA_CS_CFG_PATH) + if nickname in directives: + DogtagInstance.update_cert_cs_cfg( + directives[nickname], cert, paths.KRA_CS_CFG_PATH) def __enable_instance(self): self.ldap_enable('KRA', self.fqdn, None, self.suffix) -- 2.5.5 -------------- next part -------------- From d6088f223caca532e524355f82dbe05b27f91e02 Mon Sep 17 00:00:00 2001 
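Review bot: `if nickname in directives:` in the cainstance.py hunk of patch 73 (and the identical guard in the krainstance.py hunk) silently skips the CS.cfg update for an unknown nickname; log the skip (syslog is already used a few lines above for the backup failure) so that an unexpected nickname for a core subsystem certificate is visible instead of being quietly ignored, which is the failure mode the commit message is trading `KeyError` for.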
From: Fraser Tweedale Date: Fri, 17 Jun 2016 15:11:08 +1000 Subject: [PATCH 74/75] Update lightweight CA serial after renewal For CA replicas to pick up renewed lightweight CA signing certificates, the authoritySerial attribute can be updated with the new serial number. Update the renew_ca_cert script, which is executed by Certmonger after writing a renewed CA certificate to the NSSDB, to update the authoritySerial attribute if the certificate belongs to a lightweight CA. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- install/restart_scripts/renew_ca_cert | 1 + ipaserver/install/cainstance.py | 89 ++++++++++++++++++++++++++++------- 2 files changed, 72 insertions(+), 18 deletions(-) diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert index dc0f1117b366e3fdcf6d00f0e6d928e2e32b8f2b..186fb34f65ebce1aff9c852ff03e392c2324e28a 100644 --- a/install/restart_scripts/renew_ca_cert +++ b/install/restart_scripts/renew_ca_cert @@ -78,6 +78,7 @@ def _main(): ca.update_cert_config(nickname, cert) if ca.is_renewal_master(): cainstance.update_people_entry(cert) + cainstance.update_authority_entry(cert) if nickname == 'auditSigningCert cert-pki-ca': # Fix trust on the audit cert diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 2ef568605e3148b30a9a62cf66e7202412910740..ffdabcee32547214a3d7ae9575cb9deac5938781 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -1544,17 +1544,31 @@ def backup_config(): "Dogtag must be stopped when creating backup of %s" % path) shutil.copy(path, path + '.ipabkp') -def update_people_entry(dercert): +def __update_entry_from_cert(make_filter, make_entry, dercert): """ - Update the userCerticate for an entry in the dogtag ou=People. This - is needed when a certificate is renewed. + Given a certificate and functions to make a filter based on the + cert, and make a new entry based on the cert, update database + accordingly. - dercert: An X509.3 certificate in DER format + ``make_filter`` + function that takes a certificate in DER format and + returns an LDAP search filter - Logging is done via syslog + ``make_entry`` + function that takes a certificate in DER format and an + LDAP entry, and returns the new state of the LDAP entry. + Return the input unchanged to skip an entry. + + ``dercert`` + An X509.3 certificate in DER format + + Logging is done via syslog. + + Return ``True`` if all updates were successful (zero updates is + vacuously successful) otherwise ``False``. - Returns True or False """ + base_dn = DN(('o', 'ipaca')) serial_number = x509.get_serial_number(dercert, datatype=x509.DER) subject = x509.get_subject(dercert, datatype=x509.DER) @@ -1571,14 +1585,7 @@ def update_people_entry(dercert): conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) conn.connect(autobind=True) - db_filter = conn.combine_filters( - [ - conn.make_filter({'objectClass': 'inetOrgPerson'}), - conn.make_filter( - {'description': ';%s;%s' % (issuer, subject)}, - exact=False, trailing_wildcard=False), - ], - conn.MATCH_ALL) + db_filter = make_filter(dercert) try: entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter) except errors.NotFound: 
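Review bot: `__update_entry_from_cert` in this cainstance.py hunk (@@ -1544) is a module-level function, where a double leading underscore has no effect (name mangling applies only to names used inside a class body) and would break the call if the helper is ever referenced from a method of a class in this module, since the name would be mangled to `_ClassName__update_entry_from_cert`. A single underscore, `_update_entry_from_cert`, is the conventional module-private spelling. Also, `serial_number` and `subject` are still computed right after `base_dn = DN(('o', 'ipaca'))`, but the statements that consumed them in this function (the old combined filter and the `description` update) move into the callbacks; if nothing else in the function still uses them, drop them.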
@@ -1591,10 +1598,7 @@ def update_people_entry(dercert): syslog.LOG_NOTICE, 'Updating entry %s' % str(entry.dn)) try: - entry['usercertificate'].append(dercert) - entry['description'] = '2;%d;%s;%s' % ( - serial_number, issuer, subject) - + entry = make_entry(dercert, entry) conn.update_entry(entry) except errors.EmptyModlist: pass 
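Review bot: the "Return the input unchanged to skip an entry" contract promised in the new helper's docstring is only implemented implicitly in this hunk (@@ -1591): an unchanged entry still goes through `conn.update_entry(entry)` and becomes a no-op only because `errors.EmptyModlist` is caught and ignored, while the `'Updating entry %s'` NOTICE just above has already been logged for it. Either compare the entry before and after `make_entry(dercert, entry)` and skip the update explicitly (logging "skipping" rather than "updating"), or at least add a comment at `except errors.EmptyModlist: pass` saying that this is the skip path, so the next reader does not "fix" it.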
@@ -1624,6 +1628,55 @@ def update_people_entry(dercert): return True + +def update_people_entry(dercert): + """ + Update the userCerticate for an entry in the dogtag ou=People. This + is needed when a certificate is renewed. + """ + def make_filter(dercert): + subject = x509.get_subject(dercert, datatype=x509.DER) + issuer = x509.get_issuer(dercert, datatype=x509.DER) + return ldap2.ldap2.combine_filters( + [ + ldap2.ldap2.make_filter({'objectClass': 'inetOrgPerson'}), + ldap2.ldap2.make_filter( + {'description': ';%s;%s' % (issuer, subject)}, + exact=False, trailing_wildcard=False), + ], + ldap2.ldap2.MATCH_ALL) + + def make_entry(dercert, entry): + serial_number = x509.get_serial_number(dercert, datatype=x509.DER) + subject = x509.get_subject(dercert, datatype=x509.DER) + issuer = x509.get_issuer(dercert, datatype=x509.DER) + entry['usercertificate'].append(dercert) + entry['description'] = '2;%d;%s;%s' % (serial_number, issuer, subject) + return entry + + return __update_entry_from_cert(make_filter, make_entry, dercert) + + +def update_authority_entry(dercert): + """ + Find the authority entry for the given cert, and update the + serial number to match the given cert. + """ + def make_filter(dercert): + subject = x509.get_subject(dercert, datatype=x509.DER) + return ldap2.ldap2.make_filter( + dict(objectclass='authority', authoritydn=subject), + rules=ldap2.ldap2.MATCH_ALL, + ) + + def make_entry(dercert, entry): + serial_number = x509.get_serial_number(dercert, datatype=x509.DER) + entry['authoritySerial'] = serial_number + return entry + + return __update_entry_from_cert(make_filter, make_entry, dercert) + + def ensure_ldap_profiles_container(): ensure_entry( DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), -- 2.5.5 -------------- next part -------------- From c27e67c513e5c85ff877febb24c9bc73e962f7e8 Mon Sep 17 00:00:00 2001 
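Review bot: the renew_ca_cert hunk (@@ -78) discards the boolean that `cainstance.update_authority_entry(cert)` returns (per its helper's docstring, True only when every update succeeded), exactly as the existing `update_people_entry(cert)` call already does, so a failed `authoritySerial` update on the renewal master is logged to syslog by the helper but does not change the outcome of the Certmonger post-command, and replicas keep the old serial without anyone noticing. Consider capturing both results, calling both helpers unconditionally, and propagating a failure into the script's exit status.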
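Review bot: two small things in the cainstance.py hunk (@@ -1624). The docstring re-added for `update_people_entry` still says "userCerticate"; fix it to "userCertificate" while the text is being moved. And in both `update_people_entry` and `update_authority_entry` the nested `make_filter(dercert)` and `make_entry(dercert, entry)` take a `dercert` parameter that shadows the enclosing function's `dercert` (pylint's redefined-outer-name, which the list is currently cleaning up elsewhere); since the helper's documented signature requires the parameter, rename it (e.g. `cert`) so the shadowing is visibly intentional.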
From: Fraser Tweedale Date: Tue, 21 Jun 2016 15:01:41 +1000 Subject: [PATCH 75/75] ipa-certupdate: track lightweight CA certs on renewal master Enhance the ipa-certupdate program to add Certmonger tracking requests for lightweight CA certificates. This operation is performed on the renewal master only, because Dogtag clones observe renewals and update their NSSDBs on their own. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaclient/ipa_certupdate.py | 52 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 48 insertions(+), 4 deletions(-) diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index b9572196c0eab3b35aa62790eed4ce8a21e3c130..b8f4f788e3ff87da8cdebce56cf18dda13a622d5 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py @@ -29,7 +29,10 @@ from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509, certstore +from ipalib.constants import IPA_CA_CN +IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' +RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' class CertUpdate(admintool.AdminTool): command_name = 'ipa-certupdate' @@ -76,18 +79,29 @@ class CertUpdate(admintool.AdminTool): version=u'2.0', ) ca_enabled = result['result']['enable_ra'] - api.Backend.rpcclient.disconnect() ldap.do_sasl_gssapi_bind() certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) + + # find lightweight CAs (on renewal master only) + lwcas = [] + config = api.Command.config_show()['result'] + if api.env.host in config.get('ca_renewal_master_server', []): + for ca_obj in api.Command.ca_find()['result']: + if IPA_CA_CN not in ca_obj['cn']: + lwcas.append(ca_obj) + + api.Backend.rpcclient.disconnect() finally: shutil.rmtree(tmpdir) server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): self.update_server(certs) + for entry in lwcas: + self.server_track_lightweight_ca(entry) self.update_client(certs) 
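Review bot: in the ipa_certupdate.py hunk (@@ -76), `api.Command.ca_find()` is called with no `sizelimit`, so on a renewal master with more lightweight CAs than the configured search size limit the result list, and therefore the set of certificates that end up tracked, would be silently truncated; if `ca_find` accepts the usual LDAPSearch `sizelimit` option, pass `sizelimit=0` here. Separately, `lwcas = []` is initialised inside the `try:` block after the `certstore.get_ca_certs(...)` call but consumed after the `finally:`; moving the initialisation above the `try:` keeps `for entry in lwcas:` safe if an exception handler is ever added to that block.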
@@ -122,11 +136,10 @@ class CertUpdate(admintool.AdminTool): if services.knownservices.httpd.is_running(): services.knownservices.httpd.restart() - nickname = 'caSigningCert cert-pki-ca' criteria = { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, - 'cert-nickname': nickname, - 'ca-name': 'dogtag-ipa-ca-renew-agent', + 'cert-nickname': IPA_CA_NICKNAME, + 'ca-name': RENEWAL_CA_NAME } request_id = certmonger.get_request_id(criteria) if request_id is not None: @@ -152,6 +165,37 @@ class CertUpdate(admintool.AdminTool): self.update_file(paths.CA_CRT, certs) + def server_track_lightweight_ca(self, entry): + nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0]) + criteria = { + 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, + 'cert-nickname': nickname, + 'ca-name': RENEWAL_CA_NAME, + } + request_id = certmonger.get_request_id(criteria) + if request_id is None: + try: + certmonger.dogtag_start_tracking( + secdir=paths.PKI_TOMCAT_ALIAS_DIR, + pin=certmonger.get_pin('internal'), + pinfile=None, + nickname=nickname, + ca=RENEWAL_CA_NAME, + pre_command='stop_pkicad', + post_command='renew_ca_cert "%s"' % nickname, + ) + self.log.debug( + 'Lightweight CA renewal: ' + 'added tracking request for "%s"', nickname) + except RuntimeError as e: + self.log.error( + 'Lightweight CA renewal: Certmonger failed to ' + 'start tracking certificate: %s', e) + else: + self.log.debug( + 'Lightweight CA renewal: ' + 'already tracking certificate "%s"', nickname) + def update_file(self, filename, certs, mode=0o444): certs = (c[0] for c in certs if c[2] is not False) try: -- 2.5.5 From slaznick at redhat.com Tue Jun 21 06:25:49 2016 
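Review bot: `server_track_lightweight_ca` in the ipa_certupdate.py hunk (@@ -152) catches `RuntimeError` from `certmonger.dogtag_start_tracking`, logs it with `self.log.error` and returns normally, so ipa-certupdate still finishes with a successful exit status even though the lightweight CA certificate it was asked to track is left untracked, which is the very condition this patch is meant to remove. Have the method return True/False and let the caller's `for entry in lwcas:` loop count failures, then exit non-zero (or at least print a closing warning) when any tracking request could not be created, so an operator running the tool by hand or from automation notices.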
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Tue, 21 Jun 2016 08:25:49 +0200
Subject: [Freeipa-devel] [PATCH 0047] Fix uninitialized variables in replicainstall
In-Reply-To: <2ef0fd8b-dfb0-02eb-9a2c-b3fffd8c1c7e@redhat.com>
References: <2ef0fd8b-dfb0-02eb-9a2c-b3fffd8c1c7e@redhat.com>
Message-ID:

On 06/16/2016 10:16 AM, Stanislav Laznicka wrote:
> Hello,
>
> There was a possible use of uninitialized variables in replicainstall.
>
>
Discard the patch, Martin sent the same patch yesterday but Honza seems to have already taken care of it.

From jcholast at redhat.com Tue Jun 21 06:31:26 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2016 08:31:26 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To: <5764099C.1020403@redhat.com>
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> <20160617065309.GO4744@dhcp-40-8.bne.redhat.com> <5764099C.1020403@redhat.com>
Message-ID:

On 17.6.2016 16:30, Petr Vobornik wrote:
> On 17.6.2016 08:53, Fraser Tweedale wrote:
>> On Fri, Jun 17, 2016 at 08:35:45AM +0200, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 17.6.2016 06:55, Fraser Tweedale wrote:
>>>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5968
>>>
>>> This should be fixed for all the restart scripts, not just renew_ca_cert.
>>>
>> Updated patch attached.

Thanks, ACK.

Pushed to master: 3edf13cd8ab541908d7e2011a54e31edf1844ea2

>>
>
> I'm not sure if following is related to thin client or other work, but
> it should be looked at. Feel free to open different ticket for it.
>
> I was doing some testing yesterday and this was in audit:
>
> time->Thu Jun 16 22:11:32 2016
> type=AVC msg=audit(1466107892.404:662): avc: denied { write } for pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" ino=183080 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file permissive=0
>
> I did not investigate further, but couldn't it be caused by initializing
> api with api.bootstrap(in_server=True.. which then initializes session
> plugin which then initializes MemcacheSessionManager?
>
> Similar issue could be in other usages.

AFAIK this is triggered by importing ipalib.session and can happen even with client API.

-- 
Jan Cholasta

From dkupka at redhat.com Tue Jun 21 06:34:27 2016
From: dkupka at redhat.com (David Kupka)
Date: Tue, 21 Jun 2016 08:34:27 +0200
Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate
In-Reply-To:
References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com> <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com>
Message-ID: <26ee170a-67ef-a0e3-ad98-03bccc4bb1ea@redhat.com>

On 21/06/16 07:19, Jan Cholasta wrote:
> On 20.6.2016 15:31, Jan Cholasta wrote:
>> On 20.6.2016 09:54, Jan Cholasta wrote:
>>> On 15.6.2016 12:33, Jan Cholasta wrote:
>>>> On 14.6.2016 11:44, Jan Cholasta wrote:
>>>>> On 21.4.2016 09:11, Jan Cholasta wrote:
>>>>>> On 6.4.2016 15:46, Pavel Vomacka wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the attached patches implement the server-side part of
>>>>>>>> .
>>>>>>>>
>>>>>>>> Honza
>>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> thank you for the patches. I tested them and they work well. But I
>>>>>>> would like to ask you whether it would be possible to extend the
>>>>>>> response of 'basecert_find' method and probably also 'basecert_show'
>>>>>>> response. I think of this information:
>>>>>>>
>>>>>>> 1) information whether the certificate is issued by our CA or not.
>>>>>>
>>>>>> You can check for that by comparing the issuer name of the certificate
>>>>>> to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base
>>>>>> from config-show.
>>>>>>
>>>>>>>
>>>>>>> 2) this probably wouldn't be possible (as we discussed), but I rather
>>>>>>> write it too - the information about revocation reason. The same as
>>>>>>> the 'cert_show' provides.
>>>>>>
>>>>>> Added --check-revocation flag to request this information. Currently it
>>>>>> works only on certificates issued by our CA.
>>>>>>
>>>>>>>
>>>>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns
>>>>>>
>>>>>> Added, also included SHA-256.
>>>>>>
>>>>>>>
>>>>>>> Thank you again.
>>>>>>
>>>>>> Updated patches attached.
>>>>>
>>>>> Updated and rebased patches attached. Requires Fraser's sub-CA patches.
>>>>
>>>> Attaching updated patch 623, which fixes these issues found by David:
>>>> .
>>>
>>> Updated and rebased patches attached.
>>
>> Attaching updated patches 552 and 623, which fix the --sizelimit option.
>
> Updated and rebased patches attached. The --revocation-reason option now
> works as expected.
>
>
>
Hello!

Thanks for patch set. Code looks good to me and works as expected. Pavel will test it with WebUI and then we can hopefully push it.

-- 
David Kupka

From frenaud at redhat.com Tue Jun 21 06:38:17 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Tue, 21 Jun 2016 08:38:17 +0200
Subject: [Freeipa-devel] [PATCH] pylint fixes
In-Reply-To: <9fb20d03-4559-8ad2-1e95-4c1da386ae06@redhat.com>
References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> <9fb20d03-4559-8ad2-1e95-4c1da386ae06@redhat.com>
Message-ID: <7bf2dcab-0a71-abc6-2062-aa291fd82278@redhat.com>

On 06/20/2016 07:08 PM, Martin Basti wrote:
>
>
> On 20.06.2016 19:06, Martin Basti wrote:
>>
>>
>>
>> On 20.06.2016 12:00, Florence Blanc-Renaud wrote:
>>> On 06/09/2016 05:10 PM, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> I've received a bunch of pylint fixes produced by upstream contributor who is
>>>> not subscribed to the list so I'm resending them here.
>>>>
>>>> All credit goes to Bárta Jan <55042barta at sstebrno.eu>.
>>>>
>>>> Flo, if you have time for it I think that it could be a good exercise which
>>>> will lead you to various dark corners in IPA :-)
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Date: Fri, 3 Jun 2016 14:57:16 +0200
>>>> From: B?rta Jan <55042barta at sstebrno.eu> >>>> To: pspacek at redhat.com >>> ___- In the patch >>> 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ >>> >>> diff --git a/ipatests/test_integration/tasks.py >>> b/ipatests/test_integration/tasks.py >>> index aebd907..ca2e10f 100644 >>> --- a/ipatests/test_integration/tasks.py >>> +++ b/ipatests/test_integration/tasks.py >>> @@ -149,11 +149,7 @@ def host_service_active(host, service): >>> res = host.run_command(['systemctl', 'is-active', '--quiet', >>> service], >>> raiseonerr=False) >>> >>> - if res.returncode == 0: >>> - return True >>> - else: >>> - return False >>> - >>> + return res.returncode >>> >>> should be instead: return res.returncode *== 0* (otherwise the return >>> type is an int and not a boolean). >>> >>> In the same file: >>> @@ -295,11 +291,7 @@ def >>> master_authoritative_for_client_domain(master, client): >>> zone = ".".join(client.hostname.split('.')[1:]) >>> result = master.run_command(["ipa", "dnszone-show", zone], >>> raiseonerr=False) >>> - if result.returncode == 0: >>> - return True >>> - else: >>> - return False >>> - >>> + result.returncode == 0 >>> >>> should be instead: *return* result.returncode == 0 (otherwise there >>> is no return statement) >>> >>> diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py >>> index 197814c..36b6ba5 100644 >>> --- a/ipaserver/plugins/dogtag.py >>> +++ b/ipaserver/plugins/dogtag.py >>> @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): >>> # Return command result >>> cmd_result = {} >>> >>> - if parse_result.get('revoked') == 'yes': >>> - cmd_result['revoked'] = True >>> - else: >>> - cmd_result['revoked'] = False >>> - >>> - return cmd_result >>> + cmd_result['revoked'] = parse_result.get('revoked') >>> >>> Should be instead: cmd_result['revoked'] = >>> parse_result.get('revoked') *== 'yes'* (otherwise the type is a >>> string and not a boolean) >>> >>> _- in the patch 00__04-pylint-fix-unneeded-not.patch_ 
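Review bot: besides the boolean-vs-string problem Flo points out, the dogtag.py hunk (@@ -1689) in 0002-pylint-fix-simplifiable-if-statement-warnings.patch also deletes `return cmd_result` (it is the last `-` line of the removed block) and the only `+` line is the assignment, so unless a return statement survives in the unquoted trailing context, the method now returns None to every caller. The replacement needs two lines: `cmd_result['revoked'] = parse_result.get('revoked') == 'yes'` followed by `return cmd_result`.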
>>> >>> @@ -632,7 +632,7 @@ class host_add(LDAPCreate): >>> options['ip_address'], >>> check_forward=True, >>> check_reverse=check_reverse) >>> - if not options.get('force', False) and not 'ip_address' in >>> options: >>> + if options.get('force', False) and 'ip_address' not in options: >>> >>> Should be instead: if *not* options.get('force', False) and >>> 'ip_address' not in options: >>> because of operators precedence >>> >>> I will review patches 0005 to 0010 later today. >>> Flo. >>> >>> >> >> How about patches 1, and 3? Because patches are independent, we can >> separately ACK them and push them. >> >> Martin^2 >> >> > > Sorry, I just noticed that there is no patch 1 :) > > Patch 0003 is OK, ACK for this one. Flo. From pvoborni at redhat.com Tue Jun 21 07:35:14 2016 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Jun 2016 09:35:14 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To:
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> <20160617065309.GO4744@dhcp-40-8.bne.redhat.com> <5764099C.1020403@redhat.com>
Message-ID: <6b589665-b224-493a-7125-a94cbcae9734@redhat.com>

On 06/21/2016 08:31 AM, Jan Cholasta wrote:
> On 17.6.2016 16:30, Petr Vobornik wrote:
>>
>> I'm not sure if following is related to thin client or other work, but
>> it should be looked at. Feel free to open different ticket for it.
>>
>> I was doing some testing yesterday and this was in audit:
>>
>> time->Thu Jun 16 22:11:32 2016
>> type=AVC msg=audit(1466107892.404:662): avc: denied { write } for pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" ino=183080 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file permissive=0
>>
>> I did not investigate further, but couldn't it be caused by initializing
>> api with api.bootstrap(in_server=True.. which then initializes session
>> plugin which then initializes MemcacheSessionManager?
>>
>> Similar issue could be in other usages.
>
> AFAIK this is triggered by importing ipalib.session and can happen even
> with client API.
>
True, but it would have to be explicit, which won't probably happen.

In ipaserver/plugins/session.py it is done automatically:

    if api.env.in_server:
        from ipalib.session import session_mgr

-- 
Petr Vobornik

From jcholast at redhat.com Tue Jun 21 07:40:33 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2016 09:40:33 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To: <6b589665-b224-493a-7125-a94cbcae9734@redhat.com>
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> <20160617065309.GO4744@dhcp-40-8.bne.redhat.com> <5764099C.1020403@redhat.com> <6b589665-b224-493a-7125-a94cbcae9734@redhat.com>
Message-ID: <3ac150e0-79c8-8efd-831a-618d0f7edad3@redhat.com>

On 21.6.2016 09:35, Petr Vobornik wrote:
> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>> On 17.6.2016 16:30, Petr Vobornik wrote:
>>>
>>> I'm not sure if following is related to thin client or other work, but
>>> it should be looked at. Feel free to open different ticket for it.
>>>
>>> I was doing some testing yesterday and this was in audit:
>>>
>>> time->Thu Jun 16 22:11:32 2016
>>> type=AVC msg=audit(1466107892.404:662): avc: denied { write } for pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" ino=183080 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file permissive=0
>>>
>>> I did not investigate further, but couldn't it be caused by initializing
>>> api with api.bootstrap(in_server=True.. which then initializes session
>>> plugin which then initializes MemcacheSessionManager?
>>>
>>> Similar issue could be in other usages.
>>
>> AFAIK this is triggered by importing ipalib.session and can happen even
>> with client API.
>>
>
> True, but it would have to be explicit, which won't probably happen.
>
> In ipaserver/plugins/session.py it is done automatically:
>
>     if api.env.in_server:
>         from ipalib.session import session_mgr

IMHO that doesn't really matter, it should be fixed not to connect on import, because that's just plain wrong.

-- 
Jan Cholasta

From pvomacka at redhat.com Tue Jun 21 07:40:47 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 21 Jun 2016 09:40:47 +0200
Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate
In-Reply-To: <26ee170a-67ef-a0e3-ad98-03bccc4bb1ea@redhat.com>
References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com> <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com> <26ee170a-67ef-a0e3-ad98-03bccc4bb1ea@redhat.com>
Message-ID:

On 06/21/2016 08:34 AM, David Kupka wrote:
> On 21/06/16 07:19, Jan Cholasta wrote:
>> On 20.6.2016 15:31, Jan Cholasta wrote:
>>> On 20.6.2016 09:54, Jan Cholasta wrote:
>>>> On 15.6.2016 12:33, Jan Cholasta wrote:
>>>>> On 14.6.2016 11:44, Jan Cholasta wrote:
>>>>>> On 21.4.2016 09:11, Jan Cholasta wrote:
>>>>>>> On 6.4.2016 15:46, Pavel Vomacka wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the attached patches implement the server-side part of
>>>>>>>>> .
>>>>>>>>>
>>>>>>>>> Honza
>>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> thank you for the patches. I tested them and they work well. But I
>>>>>>>> would like to ask you whether it would be possible to extend the
>>>>>>>> response of 'basecert_find' method and probably also 'basecert_show'
>>>>>>>> response. I think of this information:
>>>>>>>>
>>>>>>>> 1) information whether the certificate is issued by our CA or not.
>>>>>>>
>>>>>>> You can check for that by comparing the issuer name of the certificate
>>>>>>> to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base
>>>>>>> from config-show.
>>>>>>>
>>>>>>>>
>>>>>>>> 2) this probably wouldn't be possible (as we discussed), but I rather
>>>>>>>> write it too - the information about revocation reason. The same as
>>>>>>>> the 'cert_show' provides.
>>>>>>>
>>>>>>> Added --check-revocation flag to request this information. Currently it
>>>>>>> works only on certificates issued by our CA.
>>>>>>>
>>>>>>>>
>>>>>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns
>>>>>>>
>>>>>>> Added, also included SHA-256.
>>>>>>>
>>>>>>>>
>>>>>>>> Thank you again.
>>>>>>>
>>>>>>> Updated patches attached.
>>>>>>
>>>>>> Updated and rebased patches attached. Requires Fraser's sub-CA patches.
>>>>>
>>>>> Attaching updated patch 623, which fixes these issues found by David:
>>>>> .
>>>>
>>>> Updated and rebased patches attached.
>>>
>>> Attaching updated patches 552 and 623, which fix the --sizelimit option.
>>
>> Updated and rebased patches attached. The --revocation-reason option now
>> works as expected.
>>
>>
>>
> Hello!
>
> Thanks for patch set. Code looks good to me and works as expected.
> Pavel will test it with WebUI and then we can hopefully push it.
>
Hello,

Thank you for patches. Works as expected also in WebUI, so we can push it.

-- 
Pavel^3 Vomacka

From jcholast at redhat.com Tue Jun 21 07:45:51 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2016 09:45:51 +0200
Subject: [Freeipa-devel] [PATCHES 551-552, 623-624] cert: add owner information, allow search by certificate
In-Reply-To:
References: <56E956B0.9000804@redhat.com> <57051322.8090706@redhat.com> <6e3eb7fe-020a-215d-4345-620ffea891de@redhat.com> <47a044af-454d-68df-e4d1-c84cef49e16b@redhat.com> <26ee170a-67ef-a0e3-ad98-03bccc4bb1ea@redhat.com>
Message-ID:

On 21.6.2016 09:40, Pavel Vomacka wrote:
>
>
> On 06/21/2016 08:34 AM, David Kupka wrote:
>> On 21/06/16 07:19, Jan Cholasta wrote:
>>> On 20.6.2016 15:31, Jan Cholasta wrote:
>>>> On 20.6.2016 09:54, Jan Cholasta wrote:
>>>>> On 15.6.2016 12:33, Jan Cholasta wrote:
>>>>>> On 14.6.2016 11:44, Jan Cholasta wrote:
>>>>>>> On 21.4.2016 09:11, Jan Cholasta wrote:
>>>>>>>> On 6.4.2016 15:46, Pavel Vomacka wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 03/16/2016 01:50 PM, Jan Cholasta wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the attached patches implement the server-side part of
>>>>>>>>>> .
>>>>>>>>>>
>>>>>>>>>> Honza
>>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> thank you for the patches. I tested them and they work well. But I
>>>>>>>>> would like to ask you whether it would be possible to extend the
>>>>>>>>> response of 'basecert_find' method and probably also 'basecert_show'
>>>>>>>>> response. I think of this information:
>>>>>>>>>
>>>>>>>>> 1) information whether the certificate is issued by our CA or not.
>>>>>>>>
>>>>>>>> You can check for that by comparing the issuer name of the certificate
>>>>>>>> to "CN=Certificate Authority,$SUBJECT_BASE". You can get subject base
>>>>>>>> from config-show.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2) this probably wouldn't be possible (as we discussed), but I rather
>>>>>>>>> write it too - the information about revocation reason. The same as
>>>>>>>>> the 'cert_show' provides.
>>>>>>>>
>>>>>>>> Added --check-revocation flag to request this information. Currently it
>>>>>>>> works only on certificates issued by our CA.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> 3) MD5 and SHA1 fingerprints as the 'cert_show' method returns
>>>>>>>>
>>>>>>>> Added, also included SHA-256.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank you again.
>>>>>>>>
>>>>>>>> Updated patches attached.
>>>>>>>
>>>>>>> Updated and rebased patches attached. Requires Fraser's sub-CA patches.
>>>>>>
>>>>>> Attaching updated patch 623, which fixes these issues found by David:
>>>>>> .
>>>>>
>>>>> Updated and rebased patches attached.
>>>>
>>>> Attaching updated patches 552 and 623, which fix the --sizelimit option.
>>>
>>> Updated and rebased patches attached. The --revocation-reason option now
>>> works as expected.
>>>
>>>
>>>
>> Hello!
>>
>> Thanks for patch set. Code looks good to me and works as expected.
>> Pavel will test it with WebUI and then we can hopefully push it.
>>
> Hello,
>
> Thank you for patches. Works as expected also in WebUI, so we can push it.

The word you are looking for is "ACK" ;-)

Thanks, pushed to master: b00dbca98fee86f0c7584f1f37db376db9a57566

-- 
Jan Cholasta

From pvoborni at redhat.com Tue Jun 21 07:50:30 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Jun 2016 09:50:30 +0200
Subject: [Freeipa-devel] [PATCH] 0069 renew_ca_cert: bootstrap api with in_server=True
In-Reply-To: <3ac150e0-79c8-8efd-831a-618d0f7edad3@redhat.com>
References: <20160617045526.GN4744@dhcp-40-8.bne.redhat.com> <1642ce52-a6f3-1d23-7108-9e3a6043da85@redhat.com> <20160617065309.GO4744@dhcp-40-8.bne.redhat.com> <5764099C.1020403@redhat.com> <6b589665-b224-493a-7125-a94cbcae9734@redhat.com> <3ac150e0-79c8-8efd-831a-618d0f7edad3@redhat.com>
Message-ID: <2c16a39f-611f-3d70-358d-5fec0ecb20cd@redhat.com>

On 06/21/2016 09:40 AM, Jan Cholasta wrote:
> On 21.6.2016 09:35, Petr Vobornik wrote:
>> On 06/21/2016 08:31 AM, Jan Cholasta wrote:
>>> On 17.6.2016 16:30, Petr Vobornik wrote:
>>>>
>>>> I'm not sure if following is related to thin client or other work, but
>>>> it should be looked at. Feel free to open different ticket for it.
>>>>
>>>> I was doing some testing yesterday and this was in audit:
>>>>
>>>> time->Thu Jun 16 22:11:32 2016
>>>> type=AVC msg=audit(1466107892.404:662): avc: denied { write } for pid=26289 comm="dogtag-ipa-ca-r" name="ipa_memcached" dev="tmpfs" ino=183080 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:memcached_var_run_t:s0 tclass=sock_file permissive=0
>>>>
>>>> I did not investigate further, but couldn't it be caused by initializing
>>>> api with api.bootstrap(in_server=True.. which then initializes session
>>>> plugin which then initializes MemcacheSessionManager?
>>>>
>>>> Similar issue could be in other usages.
>>>
>>> AFAIK this is triggered by importing ipalib.session and can happen even
>>> with client API.
>>>
>>
>> True, but it would have to be explicit, which won't probably happen.
>>
>> In ipaserver/plugins/session.py it is done automatically:
>>
>>     if api.env.in_server:
>>         from ipalib.session import session_mgr
>
> IMHO that doesn't really matter, it should be fixed not to connect on
> import, because that's just plain wrong.
>
True, new ticket: https://fedorahosted.org/freeipa/ticket/5988

-- 
Petr Vobornik

From pspacek at redhat.com Tue Jun 21 08:00:04 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Jun 2016 10:00:04 +0200
Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone
In-Reply-To:
References: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com>
Message-ID: <945b3ce6-1b32-025e-1119-2c8d00824068@redhat.com>

On 20.6.2016 19:15, Martin Basti wrote:
>
>
> On 20.06.2016 18:32, Petr Spacek wrote:
>> On 20.6.2016 18:05, Martin Basti wrote:
>>>
>>> On 20.06.2016 16:57, Petr Spacek wrote:
>>>> Hello,
>>>>
>>>> DNS: Warn about restart when default TTL setting DNS is changed
>>>>
>>>> bind-dyndb-ldap 10.0 has to be restarted after each change to default TTL.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2956
>>>>
>>>> DNS: Support default TTL setting for master DNS zones
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/2956
>>>>
>>>>
>>>>
>>> Thank you for patches, but I have a few comments
>>>
>>> TTL patch:
>>> 1)
>>> VERSION - please put short note why API was incremented
>>>
>>> 2)
>>> 60ipadns.ldif - please keep attr definitions ordered by OID
>>>
>>> 3)
>>> You missed ACI for updating
>>>
>>> Warning patch: LGTM
>> Thank you very much for review!
>>
>> Here is revised version.
>>
>
> I cannot apply patches on current master, even with git am -3

I do not know what the problem could be, there was only a "standard" conflict on VERSION.

Anyway, here are the patches rebased to current master.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0135-3-DNS-Support-default-TTL-setting-for-master-DNS-zones.patch
Type: text/x-patch
Size: 13354 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0136-3-DNS-Warn-about-restart-when-default-TTL-setting-DNS-.patch
Type: text/x-patch
Size: 2052 bytes
Desc: not available
URL:

From ldoudova at redhat.com Tue Jun 21 08:21:44 2016
From: ldoudova at redhat.com (Lenka Doudova) Date: Tue, 21 Jun 2016 10:21:44 +0200 Subject: [Freeipa-devel] [PATCH 0018][Tests] Fix some of the failing tests in test_ipalib/test_frontend.py Message-ID: <84901af3-4f60-b145-41f0-9558bbbb1e48@redhat.com> Hi, attaching patch with fix for a few failing tests in ipatests/test_ipalib/test_frontend.py. Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0018-Tests-Fix-failing-tests-in-ipatests-test_ipalib-test.patch Type: text/x-patch Size: 3850 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 21 08:48:44 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 10:48:44 +0200 Subject: [Freeipa-devel] [PATCH 0534] Updated translations for future IPA 4.4 Message-ID: Exported from zanata. Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0534-Updated-IPA-translations.patch Type: text/x-patch Size: 1134119 bytes Desc: not available URL: From frenaud at redhat.com Tue Jun 21 09:03:08 2016 
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Tue, 21 Jun 2016 11:03:08 +0200 Subject: [Freeipa-devel] Questions re. 3rd party certificates Message-ID: <86208383-7f9a-efa8-6b4b-f94af2b25c53@redhat.com>
Hi,
I am working on the following issues and I have questions re. 3rd party certificates:
- https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger
- https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs
First I would like to validate that my scenario is the correct one: FreeIPA installed with an embedded CA. The customer now wants to use a different certificate for httpd and dirsrv, signed by a 3rd party CA. The steps to achieve this are:
1. run "ipa-cacert-manage install -t C,, " to install the 3rd party CA certificate. This step puts the CA certificate in the LDAP entry cn=certificates,cn=ipa,cn=etc,dc=...
2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it into /etc/ipa/nssdb, /etc/dirsrv/slapd-xxx and /etc/httpd/alias. Note that this command does not put the CA cert into /etc/pki/pki-tomcat/alias, is this expected? I had to perform this manually (otherwise tomcat won't restart later).
3. run "ipa-server-certinstall -d -w key.pem cert.pem". This command should stop tracking the previous cert, install the new one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w is used), and track the new one only if signed by IPA CA. It also updates the attribute nssslpersonalityssl of the entry cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).
After those steps, I noticed that
- the entries krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain... and krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain...
are not updated: their attribute userCertificate still contains the old certificate. Did I miss a manual step? Is it an issue? - the new certificate nickname is not "Server-Cert" any more but rather the full subject (even if --cert-name was supplied to ipa-server-certinstall). Can this cause issues? Thanks for any input, Flo. From mbabinsk at redhat.com Tue Jun 21 09:39:12 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 21 Jun 2016 11:39:12 +0200 Subject: [Freeipa-devel] [PATCH 0534] Updated translations for future IPA 4.4 In-Reply-To: References: Message-ID: <6d197da8-cbc6-ca77-239e-23bc6fb980e8@redhat.com> On 06/21/2016 10:48 AM, Martin Basti wrote: > Exported from zanata. Patch attached. > I found no problem when building from master branch with the updated translations. ACK. -- Martin^3 Babinsky From ftweedal at redhat.com Tue Jun 21 09:51:36 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 21 Jun 2016 19:51:36 +1000 Subject: [Freeipa-devel] [PATCH] 0076 Require Dogtag >= 10.3.3 Message-ID: <20160621095136.GG4200@dhcp-40-8.bne.redhat.com> Dogtag 10.3.3, which fixes a lightweight CA initialisation bug, should land in updates-testing soon[1]. Pursuant to [2], this patch bumps minimum required Dogtag version to 10.3.3. [1] https://bodhi.fedoraproject.org/updates/?packages=pki-core [2] https://www.redhat.com/archives/freeipa-devel/2016-June/msg00417.html Thanks, Fraser -------------- next part -------------- From bdb3f40f89a70803b3b1b3069b8dce7cff4390f2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 21 Jun 2016 19:42:53 +1000 Subject: [PATCH] Require Dogtag >= 10.3.3 Dogtag 10.3.3 fixes a lightweight CA initialisation issue that caused existing lightweight CAs to not be initialised on CA replicas on first run (see https://fedorahosted.org/pki/ticket/2359). Part of: https://fedorahosted.org/freeipa/ticket/4559 --- freeipa.spec.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..d31ddfaf78a455f4e4d65724bbbe23461e1336e0 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -94,7 +94,7 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.2 +BuildRequires: pki-base >= 10.3.3 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 @@ -155,8 +155,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= 0.55-1 -Requires: pki-ca >= 10.3.2 -Requires: pki-kra >= 10.3.2 +Requires: pki-ca >= 10.3.3 +Requires: pki-kra >= 10.3.3 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip -- 2.5.5 From pspacek at redhat.com Tue Jun 21 09:55:26 2016 
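Review bot: the first hunk (@@ -94,7 +94,7 @@, BuildRequires: pki-base >= 10.3.3) makes the package unbuildable until pki-core 10.3.3 is actually in the build roots, and the cover letter says the update is still only expected in updates-testing; since the fix described in the commit message is a runtime replica-initialisation problem rather than anything the build consumes, either justify moving the build-time minimum in the commit message or sequence the push after the Dogtag update has landed.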
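Review bot: the second hunk (@@ -155,8 +155,8 @@) raises Requires for pki-ca and pki-kra together, but the commit message only justifies the CA side (lightweight CA initialisation on CA replicas, pki ticket 2359); either say in the commit message that the two are kept in lockstep on purpose, or limit the bump to pki-ca. Note also that only the BuildRequires on pki-base is touched in this diff; if the spec carries a runtime Requires on pki-base elsewhere it is not visible here and should be checked for consistency with 10.3.3.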
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 21 Jun 2016 11:55:26 +0200 Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone In-Reply-To: <945b3ce6-1b32-025e-1119-2c8d00824068@redhat.com> References: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com> <945b3ce6-1b32-025e-1119-2c8d00824068@redhat.com> Message-ID: <4ca5478e-574a-7875-a86a-6254ee8d8f97@redhat.com> On 21.6.2016 10:00, Petr Spacek wrote: > On 20.6.2016 19:15, Martin Basti wrote: >> >> >> On 20.06.2016 18:32, Petr Spacek wrote: >>> On 20.6.2016 18:05, Martin Basti wrote: >>>> >>>> On 20.06.2016 16:57, Petr Spacek wrote: >>>>> Hello, >>>>> >>>>> DNS: Warn about restart when default TTL setting DNS is changed >>>>> >>>>> bind-dyndb-ldap 10.0 has to be restarted after each change to default >>>>> TTL. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2956 >>>>> >>>>> DNS: Support default TTL setting for master DNS zones >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2956 >>>>> >>>>> >>>>> >>>> Thank you for patches, but I have a few comments >>>> >>>> TTL patch: >>>> 1) >>>> VERSION - please put short note why API was incremented >>>> >>>> 2) >>>> 60ipadns.ldif - please keep ordered attr definitions by OID >>>> >>>> 3) >>>> You missed ACI for updating >>>> >>>> Warning patch: LGTM >>> Thank you very much for review! >>> >>> Here is revised version. >>> >> >> I cannot apply patches on current master, even with git am -3 > > I do not what could be problem, there was only "standard" conflict on VERSION. > > Anyway, there are patches rebased to current master. ... and now with results from makeaci :-) -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pspacek-0135-4-DNS-Support-default-TTL-setting-for-master-DNS-zones.patch Type: text/x-patch Size: 16171 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0136-4-DNS-Warn-about-restart-when-default-TTL-setting-DNS-.patch Type: text/x-patch Size: 2052 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 21 10:33:15 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jun 2016 12:33:15 +0200 Subject: [Freeipa-devel] Questions re. 3rd party certificates In-Reply-To: <86208383-7f9a-efa8-6b4b-f94af2b25c53@redhat.com> References: <86208383-7f9a-efa8-6b4b-f94af2b25c53@redhat.com> Message-ID: <721bca3a-d337-93a9-a2f2-b3c3da5ac5ca@redhat.com> Hi, On 21.6.2016 11:03, Florence Blanc-Renaud wrote: > Hi, > > I am working on the following issues and I have questions re. 3rd party > certificates: > - https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall > tracks the 3rd party cert it installs with certmonger > - https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall > does not accept certs signed by 3rd party CAs > > First I would like to validate that my scenario is the correct one: > FreeIPA installed with an embedded CA. The customer now wants to use a > different certificate for httpd and dirsrv, signed by a 3rd party CA. > The steps to achieve this are: > 1. run "ipa-cacert-manage install -t C,, " to install the > 3rd party CA certificate. This step puts the CA certificate in the LDAP > entry cn=certificates,cn=ipa,cn=etc,dc=... Right. > > 2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it > into /etc/ipa/nssdb /etc/dirsrv/sldapd-xxx and /etc/httpd/alias > Note that this command does not put the CA cert into > /etc/pki/pki-tomcat/alias, is this expected? I had to perform this > manually (otherwise tomcat won't restart later). ipa-certupdate is supposed to update /etc/pki/pki-tomcat/alias. Here is the relevant code: > > 3. run "ipa-server-certinstall -d -w key.pem cert.pem" > This commands should stop tracking the previous cert, install the new > one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w > is used), and track the new one only if signed by IPA CA. 
It also > updates the attribute nssslpersonalityssl of the entry > cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the > dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd). Right. > > After those steps, I noticed that > - the entries > krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain... > and > krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain... > are not updated: their attribute userCertificate still contains the old > certificate. > Did I miss a manual step? Is it an issue? AFAIK ipa-server-certinstall never updated these entries. It's probably not an issue, but it would be nice to update them, for consistency. > > - the new certificate nickname is not "Server-Cert" any more but rather > the full subject (even if --cert-name was supplied to > ipa-server-certinstall). > Can this cause issues? Actually, the full subject name is used only if the originating PKCS#12 file does not have a nickname for the server certificate. The --cert-name is used to select a single server certificate from the PKCS#12 file in case there are multiple; it is not supposed to change the nickname. It could cause an issue if someone assumed that the nickname is always "Server-Cert", but I don't think that there currently is code that does. > > Thanks for any input, > Flo. > Honza -- Jan Cholasta From pspacek at redhat.com Tue Jun 21 10:30:00 2016
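The three-step procedure Florence lays out above, plus the two gaps she and Honza identify (ipa-certupdate may leave /etc/pki/pki-tomcat/alias without the new CA, and ipa-server-certinstall never refreshes userCertificate on the HTTP/ and ldap/ service entries), as an added shell example. It is not part of this thread and not FreeIPA's own code. Assumptions not taken from the thread: arguments are REALM KEY.pem CERT.pem CA.pem [NICKNAME]; certutil (nss-tools), openssl and the ipa CLI are on PATH and an admin Kerberos ticket is held; the nickname "ThirdPartyCA" is a placeholder; the 389-ds instance directory is derived from the realm by replacing dots with dashes; `ipa service-show --raw --all` is assumed to print the certificate as a `usercertificate:` line holding base64 DER.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: drive the three-step 3rd-party
# certificate procedure from the thread and verify the result afterwards.
# Assumptions (not from the thread): args are REALM KEY.pem CERT.pem CA.pem
# [NICK]; certutil, openssl and the ipa CLI are on PATH; admin ticket held.
set -eu

# FreeIPA names the 389-ds instance after the realm with dots replaced
# by dashes: EXAMPLE.COM -> /etc/dirsrv/slapd-EXAMPLE-COM
dirsrv_instance_dir() {
    printf '/etc/dirsrv/slapd-%s\n' "$(printf '%s' "$1" | tr . -)"
}

# Every NSS database that must hold the external CA. pki-tomcat's db is
# listed on purpose: the thread reports ipa-certupdate leaving it out,
# which makes Dogtag fail to restart later.
nssdbs_for_realm() {
    printf '%s\n' /etc/ipa/nssdb "$(dirsrv_instance_dir "$1")" \
        /etc/httpd/alias /etc/pki/pki-tomcat/alias
}

# Exit status 0 when NSS db $1 contains a certificate with nickname $2.
nssdb_has_nick() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# Import the CA (trusted to issue server certs, "CT,C,C") wherever missing.
ensure_ca_everywhere() {
    realm=$1 nick=$2 cafile=$3
    for db in $(nssdbs_for_realm "$realm"); do
        if nssdb_has_nick "$db" "$nick"; then
            echo "ok:  $nick present in $db"
        else
            echo "fix: importing $nick into $db"
            certutil -A -d "$db" -n "$nick" -t "CT,C,C" -a -i "$cafile"
        fi
    done
}

# SHA-256 fingerprint of certificate file $1; $2 is PEM or DER.
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# ipa-server-certinstall does not refresh userCertificate on the HTTP/
# and ldap/ service entries, so compare what LDAP holds (first value of
# the hypothetical --raw "usercertificate:" line) with what was installed.
check_service_cert() {
    principal=$1 certfile=$2
    tmp=$(mktemp)
    ipa service-show "$principal" --raw --all \
        | awk '/^ *usercertificate:/ { print $2; exit }' | base64 -d > "$tmp"
    if [ "$(fingerprint "$tmp" DER)" = "$(fingerprint "$certfile" PEM)" ]; then
        echo "ok:  $principal userCertificate matches $certfile"
    else
        echo "WARN: $principal userCertificate is stale; refresh it with"
        echo "      ipa service-mod $principal --certificate=<base64 DER>"
    fi
    rm -f "$tmp"
}

install_third_party_certs() {
    realm=$1 key=$2 cert=$3 cafile=$4 nick=${5:-ThirdPartyCA}
    host=$(hostname -f)
    # 1. publish the external CA into cn=certificates,cn=ipa,cn=etc
    ipa-cacert-manage install -n "$nick" -t C,, "$cafile"
    # 2. pull it into the local NSS databases, then verify and repair
    ipa-certupdate
    ensure_ca_everywhere "$realm" "$nick" "$cafile"
    # 3. replace the dirsrv (-d) and httpd (-w) server certificates
    ipa-server-certinstall -d -w "$key" "$cert"
    check_service_cert "HTTP/$host@$realm" "$cert"
    check_service_cert "ldap/$host@$realm" "$cert"
}

# Only act when called with arguments; sourcing the file just defines helpers.
if [ $# -ge 4 ]; then
    install_third_party_certs "$@"
fi
```

Run it as root on the master after `kinit admin`, e.g. `sh install-3rdparty-certs.sh EXAMPLE.COM key.pem cert.pem ca.pem`. The verification loop is the point: it turns the two surprises from the thread into explicit "fix" and "WARN" lines instead of letting them surface as a Dogtag restart failure or a silently stale LDAP entry.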
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 21 Jun 2016 12:30:00 +0200 Subject: [Freeipa-devel] [PATCH 0427-0431] Release bind-dyndb-ldap 10.0 Message-ID: <8a28c7a8-379a-15fd-592c-438bea92cd64@redhat.com> Hello, pushed to master: 3d9e6072e6b212b7fa1b54be40bbc1e56941b400 Bump NVR to 10.0. be88f6a9f34c5b1ee0021d9cf0a0e4b4d5ce43ba Update NEWS for upcoming 10.0 release. d0530e6197ef36664e94ee8938b14d83145cfa8a Docs: Descibe record template (idnsTemplateObject). ee1239f79ddfa53619a8901de942ef44127ea67f Docs: Describe per-server configuration object (idnsServerConfigObject). 28b015625068287f19d432bc58ac85da559976f0 Docs: Describe global configuration object (idnsConfigObject). -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0427-Docs-Describe-global-configuration-object-idnsConfig.patch Type: text/x-patch Size: 1192 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0428-Docs-Describe-per-server-configuration-object-idnsSe.patch Type: text/x-patch Size: 1860 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0429-Docs-Descibe-record-template-idnsTemplateObject.patch Type: text/x-patch Size: 2797 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0430-Update-NEWS-for-upcoming-10.0-release.patch Type: text/x-patch Size: 2202 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pspacek-0431-Bump-NVR-to-10.0.patch Type: text/x-patch Size: 1149 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 21 10:34:12 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 12:34:12 +0200 Subject: [Freeipa-devel] [PATCH] 0059: webui: make 'Actions' strings translatable In-Reply-To: <328f412b-dabf-d479-293f-ccb9981a229d@redhat.com> References: <328f412b-dabf-d479-293f-ccb9981a229d@redhat.com> Message-ID: On 20.06.2016 20:48, Pavel Vomacka wrote: > Hello, > > please review attached patch. > > -- > > Pavel^3 Vomacka > > > Functional ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 21 10:41:58 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 12:41:58 +0200 Subject: [Freeipa-devel] [PATCH 0135-0136] DNS: Warn about restart when default TTL setting DNS is change DNS: Support default TTL setting for master DNS zone In-Reply-To: <4ca5478e-574a-7875-a86a-6254ee8d8f97@redhat.com> References: <19acf673-9f07-1b95-b725-714121a5eb9e@redhat.com> <945b3ce6-1b32-025e-1119-2c8d00824068@redhat.com> <4ca5478e-574a-7875-a86a-6254ee8d8f97@redhat.com> Message-ID: <2a3ba4ac-77b4-e959-6fba-588f6d54bdf7@redhat.com> On 21.06.2016 11:55, Petr Spacek wrote: > On 21.6.2016 10:00, Petr Spacek wrote: >> On 20.6.2016 19:15, Martin Basti wrote: >>> >>> On 20.06.2016 18:32, Petr Spacek wrote: >>>> On 20.6.2016 18:05, Martin Basti wrote: >>>>> On 20.06.2016 16:57, Petr Spacek wrote: >>>>>> Hello, >>>>>> >>>>>> DNS: Warn about restart when default TTL setting DNS is changed >>>>>> >>>>>> bind-dyndb-ldap 10.0 has to be restarted after each change to default >>>>>> TTL. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2956 >>>>>> >>>>>> DNS: Support default TTL setting for master DNS zones >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2956 >>>>>> >>>>>> >>>>>> >>>>> Thank you for patches, but I have a few comments >>>>> >>>>> TTL patch: >>>>> 1) >>>>> VERSION - please put short note why API was incremented >>>>> >>>>> 2) >>>>> 60ipadns.ldif - please keep ordered attr definitions by OID >>>>> >>>>> 3) >>>>> You missed ACI for updating >>>>> >>>>> Warning patch: LGTM >>>> Thank you very much for review! >>>> >>>> Here is revised version. >>>> >>> I cannot apply patches on current master, even with git am -3 >> I do not what could be problem, there was only "standard" conflict on VERSION. >> >> Anyway, there are patches rebased to current master. > ... 
and now with results from makeaci :-) > ACK master: * eefdcc6b076e4305a14f231865636d46e4f16cf5 DNS: Support default TTL setting for master DNS zones * f2974b8d965c14247d8a9d03e0df3b5183e20d76 DNS: Warn about restart when default TTL setting DNS is changed From mbasti at redhat.com Tue Jun 21 10:48:47 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 12:48:47 +0200 Subject: [Freeipa-devel] [PATCH 0534] Updated translations for future IPA 4.4 In-Reply-To: <6d197da8-cbc6-ca77-239e-23bc6fb980e8@redhat.com> References: <6d197da8-cbc6-ca77-239e-23bc6fb980e8@redhat.com> Message-ID: <407f8aac-0dcd-ecd8-dbe4-24a7e6a0138f@redhat.com> On 21.06.2016 11:39, Martin Babinsky wrote: > On 06/21/2016 10:48 AM, Martin Basti wrote: >> Exported from zanata. Patch attached. >> > > I found no problem when building from master branch with the updated > translations. > > ACK. > Pushed to master: 0787af8d5a1a75e25f73cc632c4c7ebdd212ad02 From pvomacka at redhat.com Tue Jun 21 10:57:01 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 21 Jun 2016 12:57:01 +0200 Subject: [Freeipa-devel] [PATCH 0162] Do not update result of *-config-show with empty server attributes In-Reply-To: References: Message-ID: <4b6358e0-c8f7-8f2f-ae00-862f40937eb9@redhat.com> On 06/20/2016 03:35 PM, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5960 > > > Hello, thank you for the patch, it works for me. But I didn't do the code review. -- Pavel^3 Vomacka -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 21 11:03:53 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:03:53 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <3649d210-196e-993c-5b5b-aa7a8ef280d4@redhat.com> <0a5e8dbf-4f18-c396-eb10-39873fb7b09e@redhat.com> Message-ID: On 21.06.2016 07:53, Jan Cholasta wrote: > On 20.6.2016 19:56, Martin Basti wrote: >> >> >> On 20.06.2016 18:48, Martin Basti wrote: >>> >>> >>> On 20.06.2016 16:42, Jan Cholasta wrote: >>>> On 20.6.2016 16:13, David Kupka wrote: >>>>> On 28/04/16 14:45, Jan Cholasta wrote: >>>>>> Hi, >>>>>> >>>>>> I have pushed my thin client WIP branch to GitHub: >>>>>> . >>>>>> >>>>>> All commits up to "ipalib: use relative imports for cross-plugin >>>>>> imports" should be good for review. The rest is subject to change >>>>>> (WARNING: I will force push into this branch). >>>>>> >>>>>> Honza >>>>>> >>>>> >>>>> Hello! >>>>> >>>>> Patches: >>>>> replica install: fix thin client regression >>>>> schema: remove `no_cli` from command schema >>>>> schema: remove redundant information >>>>> schema: merge command args and options >>>>> schema: remove output_params >>>>> schema: add object class schema >>>>> permission: handle ipapermright deprecated CLI alias on the client >>>>> passwd: handle sort order of passwd argument on the client >>>>> misc: skip `count` and `total` output in env.output_for_cli >>>>> dns: do not rely on custom param fields in record attributes >>>>> automember: add object plugin for automember_rebuild >>>>> frontend: do not crash on missing output in output_for_cli >>>>> frontend: skip `value` output in output_for_cli >>>>> frontend: don't copy command arguments to output params >>>>> makeaci, makeapi: use in-server API >>>>> >>>>> work for me, ACK. >>>> >>>> Pushed to master: 8cc8b6fb1023fa4aeafac0df01cfacff4ebf537a >>>> >>>> Note that I haven't pushed "replica install: fix thin client >>>> regression" yet, I would like Martin to review it first. 
>>> >>> ACK >>> >>> pushed to master: >>> * 91d6d87ca76e3aa27d5f87fd4f0b70f1d4fe4e72 replica install: fix thin >>> client regression >>> >>>> >>>> Attaching the patches for reference. >>>> >>>>> >>>>> Note: There is one one known issue in automember output, will be >>>>> fixed >>>>> later. >>>> >>>> >>> >>> >>> >> Guys, I suspect that one of previously pushed patches breaks following >> command on the client side >> >> # ipa dns-update-system-records >> ipa: ERROR: KeyError: 'ipa_records' >> Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1346, >> in run >> sys.exit(api.Backend.cli.run(argv)) >> File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1111, >> in run >> rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, >> **options) >> File "/usr/lib/python2.7/site-packages/ipaclient/plugins/dns.py", line >> 367, in output_for_cli >> textui.print_indented(u'{}:'.format(labels[key]), indent=1) >> KeyError: 'ipa_records' >> ipa: ERROR: an internal error has occurred > > Sorry. Fixed. > ACK Pushed to master: 894be1bd50905b86d87244d0ede3f266e9737b9a From mbasti at redhat.com Tue Jun 21 11:07:54 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:07:54 +0200 Subject: [Freeipa-devel] [PATCH 0162] Do not update result of *-config-show with empty server attributes In-Reply-To: <4b6358e0-c8f7-8f2f-ae00-862f40937eb9@redhat.com> References: <4b6358e0-c8f7-8f2f-ae00-862f40937eb9@redhat.com> Message-ID: On 21.06.2016 12:57, Pavel Vomacka wrote: > > > > On 06/20/2016 03:35 PM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/5960 >> >> >> > Hello, > > thank you for the patch, it works for me. But I didn't do the code > review. > > -- > Pavel^3 Vomacka > > code ACK Pushed to master: 702ab0008b3c781f34e62925b2dbb6f49b49a571 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Tue Jun 21 11:09:50 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Jun 2016 13:09:50 +0200 Subject: [Freeipa-devel] [PATCH] 0059: webui: make 'Actions' strings translatable In-Reply-To: References: <328f412b-dabf-d479-293f-ccb9981a229d@redhat.com> Message-ID: <5c9bde92-bc6a-c4c7-5366-3a012927c90c@redhat.com> On 06/21/2016 12:34 PM, Martin Basti wrote: > > > On 20.06.2016 20:48, Pavel Vomacka wrote: >> Hello, >> >> please review attached patch. >> >> -- >> >> Pavel^3 Vomacka >> >> >> > Functional ACK > > Code ACK -- Petr Vobornik From pvomacka at redhat.com Tue Jun 21 11:12:25 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 21 Jun 2016 13:12:25 +0200 Subject: [Freeipa-devel] [PATCH] 0054-55: WebUI: extend DNS and trust config pages Message-ID: Hello, please review attached patches - they extend DNS and trust config pages. https://fedorahosted.org/freeipa/ticket/5906 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0054-Extend-DNS-config-page.patch Type: text/x-patch Size: 1276 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0055-Extend-trust-config-page.patch Type: text/x-patch Size: 1318 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 21 11:14:18 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:14:18 +0200 Subject: [Freeipa-devel] [PATCH] 0059: webui: make 'Actions' strings translatable In-Reply-To: <5c9bde92-bc6a-c4c7-5366-3a012927c90c@redhat.com> References: <328f412b-dabf-d479-293f-ccb9981a229d@redhat.com> <5c9bde92-bc6a-c4c7-5366-3a012927c90c@redhat.com> Message-ID: <1b7ced22-d1e9-3501-28ce-52b67da97b44@redhat.com> On 21.06.2016 13:09, Petr Vobornik wrote: > On 06/21/2016 12:34 PM, Martin Basti wrote: >> >> On 20.06.2016 20:48, Pavel Vomacka wrote: >>> Hello, >>> >>> please review attached patch. >>> >>> -- >>> >>> Pavel^3 Vomacka >>> >>> >>> >> Functional ACK >> >> > Code ACK Pushed to master: 13e0d2e4d1c0da055644d87f1b8a9465b2ef6dfa From mbasti at redhat.com Tue Jun 21 11:39:24 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:39:24 +0200 Subject: [Freeipa-devel] [PATCH] 0054-55: WebUI: extend DNS and trust config pages In-Reply-To: References: Message-ID: <2e0bea96-ffe1-d20f-bd2a-dfd6162dfe8b@redhat.com> On 21.06.2016 13:12, Pavel Vomacka wrote: > Hello, > > please review attached patches - they extend DNS and trust config pages. > > https://fedorahosted.org/freeipa/ticket/5906 > > -- > Pavel^3 Vomacka > > ACK master: * a7f937e82cd8fdfa457ef9ae7de227d7e2502c3b Extend DNS config page * fac0c7b26002156e4154dc2bc5b198fccdaf71e0 Extend trust config page -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 21 11:49:45 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:49:45 +0200 Subject: [Freeipa-devel] [PATCH 0134] DNS: Fix realm domains integration with DNS zone add In-Reply-To: <7db988d5-1374-3152-98e7-6a27d228e1df@redhat.com> References: <65045a2a-df9a-9b50-4753-0d0ef728e8fc@redhat.com> <7db988d5-1374-3152-98e7-6a27d228e1df@redhat.com> Message-ID: <691b8f35-ec2c-a769-8928-403ad9183d90@redhat.com> On 20.06.2016 19:03, Martin Basti wrote: > > > > On 20.06.2016 14:35, Petr Spacek wrote: >> Hello, >> >> DNS: Fix realm domains integration with DNS zone add. >> >> Realmdomains integration into DNS commands pre-dates the split of DNS forward zones >> and DNS master zones into two distinct commands. >> >> There was a forgotten condition in the dnszone_add command which caused omission >> of DNS master zones with non-empty forwarders from the realmdomain list. >> >> https://fedorahosted.org/freeipa/ticket/5980 >> >> >> > ACK > > master: * 22f4045f72daf182c44ce574291c0d8a7733713b DNS: Fix realm domains integration with DNS zone add. ipa-4-3: * 043737e35f58b6cf08f17eb78c28ee7527a8fc27 DNS: Fix realm domains integration with DNS zone add. ipa-4-2: * 8d57d3b6083f874bbeac8ac65d67bdca2c8c1c2a DNS: Fix realm domains integration with DNS zone add. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Tue Jun 21 11:51:57 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 13:51:57 +0200 Subject: [Freeipa-devel] [PATCH] pylint fixes In-Reply-To: <7bf2dcab-0a71-abc6-2062-aa291fd82278@redhat.com> References: <495588b7-9e02-942d-81fd-01e852f07e6c@redhat.com> <623d1af4-7e4c-63ce-d6d3-3874a6ef87cd@redhat.com> <9fb20d03-4559-8ad2-1e95-4c1da386ae06@redhat.com> <7bf2dcab-0a71-abc6-2062-aa291fd82278@redhat.com> Message-ID: <6b1ff078-f1dd-c5d3-607b-2e2e84b9d878@redhat.com> On 21.06.2016 08:38, Florence Blanc-Renaud wrote: > On 06/20/2016 07:08 PM, Martin Basti wrote: >> >> >> On 20.06.2016 19:06, Martin Basti wrote: >>> >>> >>> >>> On 20.06.2016 12:00, Florence Blanc-Renaud wrote: >>>> On 06/09/2016 05:10 PM, Petr Spacek wrote: >>>>> Hello, >>>>> >>>>> I've received a bunch of pylint fixes produced by upstream >>>>> contributor who is >>>>> not subscribed to the list so I'm resending them here. >>>>> >>>>> All credit goes to B?rta Jan <55042barta at sstebrno.eu>. >>>>> >>>>> Flo, if you have time for it I think that it could be a good >>>>> exercise which >>>>> will lead you to various dark corners in IPA :-) >>>>> >>>>> Petr^2 Spacek >>>>> >>>>> >>>>> -------- Forwarded Message -------- >>>>> Date: Fri, 3 Jun 2016 14:57:16 +0200 >>>>> From: B?rta Jan <55042barta at sstebrno.eu> >>>>> To: pspacek at redhat.com >>>> ___- In the patch >>>> 0002-pylint-fix-simplifiable-if-statement-warnings.patch:_ >>>> >>>> diff --git a/ipatests/test_integration/tasks.py >>>> b/ipatests/test_integration/tasks.py >>>> index aebd907..ca2e10f 100644 >>>> --- a/ipatests/test_integration/tasks.py >>>> +++ b/ipatests/test_integration/tasks.py 
>>>> @@ -149,11 +149,7 @@ def host_service_active(host, service): >>>> res = host.run_command(['systemctl', 'is-active', '--quiet', >>>> service], >>>> raiseonerr=False) >>>> >>>> - if res.returncode == 0: >>>> - return True >>>> - else: >>>> - return False >>>> - >>>> + return res.returncode >>>> >>>> should be instead: return res.returncode *== 0* (otherwise the return >>>> type is an int and not a boolean). >>>> >>>> In the same file: >>>> @@ -295,11 +291,7 @@ def >>>> master_authoritative_for_client_domain(master, client): >>>> zone = ".".join(client.hostname.split('.')[1:]) >>>> result = master.run_command(["ipa", "dnszone-show", zone], >>>> raiseonerr=False) >>>> - if result.returncode == 0: >>>> - return True >>>> - else: >>>> - return False >>>> - >>>> + result.returncode == 0 >>>> >>>> should be instead: *return* result.returncode == 0 (otherwise there >>>> is no return statement) >>>> >>>> diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py >>>> index 197814c..36b6ba5 100644 >>>> --- a/ipaserver/plugins/dogtag.py >>>> +++ b/ipaserver/plugins/dogtag.py >>>> @@ -1689,12 +1689,7 @@ class ra(rabase.rabase): >>>> # Return command result >>>> cmd_result = {} >>>> >>>> - if parse_result.get('revoked') == 'yes': >>>> - cmd_result['revoked'] = True >>>> - else: >>>> - cmd_result['revoked'] = False >>>> - >>>> - return cmd_result >>>> + cmd_result['revoked'] = parse_result.get('revoked') >>>> >>>> Should be instead: cmd_result['revoked'] = >>>> parse_result.get('revoked') *== 'yes'* (otherwise the type is a >>>> string and not a boolean) >>>> >>>> _- in the patch 00__04-pylint-fix-unneeded-not.patch_ 
>>>> >>>> @@ -632,7 +632,7 @@ class host_add(LDAPCreate): >>>> options['ip_address'], >>>> check_forward=True, >>>> check_reverse=check_reverse) >>>> - if not options.get('force', False) and not 'ip_address' in >>>> options: >>>> + if options.get('force', False) and 'ip_address' not in >>>> options: >>>> >>>> Should be instead: if *not* options.get('force', False) and >>>> 'ip_address' not in options: >>>> because of operators precedence >>>> >>>> I will review patches 0005 to 0010 later today. >>>> Flo. >>>> >>>> >>> >>> How about patches 1, and 3? Because patches are independent, we can >>> separately ACK them and push them. >>> >>> Martin^2 >>> >>> >> >> Sorry, I just noticed that there is no patch 1 :) >> >> > Patch 0003 is OK, ACK for this one. > Flo. > Patch 0003: Pushed to master: 94909d21dbf033cbe34089782c430ec25b9ad0bc From pvoborni at redhat.com Tue Jun 21 12:16:33 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Jun 2016 14:16:33 +0200 Subject: [Freeipa-devel] [PATCH] 0048-50: webui: extend topology graph functionality In-Reply-To: <7269e62e-a2bb-4082-5248-c580403a0719@redhat.com> References: <7269e62e-a2bb-4082-5248-c580403a0719@redhat.com> Message-ID: On 06/13/2016 10:48 AM, Pavel Vomacka wrote: > Hello, > > please review attached patches which extend topology graph > functionality. First two add possibility to create agreement using mouse > and the third one adds 'Autogenerated' placeholder. > > 0047,48: https://fedorahosted.org/freeipa/ticket/5648 > > 0050: https://fedorahosted.org/freeipa/ticket/5867 > > -- > > Pavel^3 Vomacka > ACK master: * be235cedf88ee69430abea44ad1eca4bc5817d7b Add creating a segment using mouse * ab52b33c71d62524b9d46a66a22ec0440d23ff38 Add listener which opens add segment dialog * f85c347f4d2f50d49e77373a56c55f3e2b4bc473 Add placeholder to add segment dialog -- Petr Vobornik From jcholast at redhat.com Tue Jun 21 13:11:41 2016 
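Review bot: in the ipatests/test_integration/tasks.py host_service_active hunk of patch 0002, `return res.returncode` inverts the function's truth value, not just its type: `systemctl is-active` exits 0 for an active service, so a running service now yields a falsy result and a stopped one a truthy non-zero code; the simplification pylint is after is `return res.returncode == 0`.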
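Review bot: in the master_authoritative_for_client_domain hunk of the same file, the replacement line `result.returncode == 0` is a bare expression with no `return`, so the function always falls off the end and returns None; every caller will conclude the master is never authoritative for the client's domain. It must read `return result.returncode == 0`.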
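Review bot: in the ipaserver/plugins/dogtag.py hunk, storing `parse_result.get('revoked')` unchanged turns the `revoked` result field from a bool into the raw string ('yes', 'no' or None); the string 'no' is truthy, so any caller that tests `if result['revoked']` would treat a valid certificate as revoked, and a missing key would surface as None instead of False. Keep the comparison: `cmd_result['revoked'] = parse_result.get('revoked') == 'yes'`.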
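Review bot: the host_add hunk in patch 0004 drops the leading `not` and so inverts the condition: whatever the branch guards now runs only when `--force` is passed and is skipped when it is not, the opposite of the original. pylint's complaint is only about `not 'ip_address' in options`; the correct rewrite is `if not options.get('force', False) and 'ip_address' not in options:`.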
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 21 Jun 2016 15:11:41 +0200 Subject: [Freeipa-devel] [PATCH] Schema caching for thin client In-Reply-To: References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> Message-ID: <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com> On 16.6.2016 09:12, David Kupka wrote: > On 06/15/2016 08:15 PM, Petr Vobornik wrote: >> On 06/15/2016 02:36 PM, David Kupka wrote: >>> Hello! >>> Schema caching for thin client is available here: >>> >>> https://github.com/dkupka/freeipa/commits/schema_cache >>> >>> Comments and reviews welcome. >>> >>> Enjoy! >> >> Not doing proper review. I'll test by using it. But: >> >> 1. lint fails >> >> Pylint is running, please wait ... >> ************* Module ipaclient.remote_plugins.schema_cache >> ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin), >> _refresh_schema] unicode built-in referenced) >> Makefile:137: recipe for target 'lint' failed >> make: *** [lint] Error 1 >> >> I.e, you miss: >> >> import six >> >> if six.PY3: >> unicode = str >> > > Thanks for the catch, fixed version force-pushed. ACK on the server part, i.e. the first 3 commits: 0cd99a7 schema: Cache schema in api instance b9a58c4 schema: Add known_fingerprints option to schema command f6f4e53 schema: Add fingerprint and TTL Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a -- Jan Cholasta From ldoudova at redhat.com Tue Jun 21 13:39:10 2016 
From: ldoudova at redhat.com (Lenka Doudova)
Date: Tue, 21 Jun 2016 15:39:10 +0200
Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests
Message-ID: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com>

Hi,

attaching patch for failing location tests (ipatests/test_xmlrpc/test_location_plugin.py).

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0019-Tests-Fix-for-failing-location-tests.patch
Type: text/x-patch
Size: 10331 bytes
Desc: not available
URL:

From pvomacka at redhat.com Tue Jun 21 13:50:10 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Tue, 21 Jun 2016 15:50:10 +0200
Subject: [Freeipa-devel] [PATCH] 0060: webui: Add dnsdefaultttl field on DNS Zone config page
Message-ID:

Hello,

please review the attached patch.

It is counterpart of: https://fedorahosted.org/freeipa/ticket/2956

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0060-Add-DNS-default-TTL-field.patch
Type: text/x-patch
Size: 923 bytes
Desc: not available
URL:

From pspacek at redhat.com Tue Jun 21 13:56:44 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Jun 2016 15:56:44 +0200
Subject: [Freeipa-devel] [PATCH] 0060: webui: Add dnsdefaultttl field on DNS Zone config page
In-Reply-To:
References:
Message-ID:

On 21.6.2016 15:50, Pavel Vomacka wrote:
> Hello,
>
> please review the attached patch.
>
> It is counterpart of: https://fedorahosted.org/freeipa/ticket/2956

ACK

--
Petr^2 Spacek

From mbasti at redhat.com Tue Jun 21 14:12:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:12:21 +0200
Subject: [Freeipa-devel] [PATCH] 0060: webui: Add dnsdefaultttl field on DNS Zone config page
In-Reply-To:
References:
Message-ID:

On 21.06.2016 15:56, Petr Spacek wrote:
> On 21.6.2016 15:50, Pavel Vomacka wrote:
>> Hello,
>>
>> please review the attached patch.
>>
>> It is counterpart of: https://fedorahosted.org/freeipa/ticket/2956
> ACK
>

Pushed to master: 75d2f9fe06f9f7c8d9f1b882b631fed739d35c75

From jcholast at redhat.com Tue Jun 21 14:24:56 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2016 16:24:56 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com>
Message-ID: <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com>

On 21.6.2016 15:11, Jan Cholasta wrote:
> On 16.6.2016 09:12, David Kupka wrote:
>> On 06/15/2016 08:15 PM, Petr Vobornik wrote:
>>> On 06/15/2016 02:36 PM, David Kupka wrote:
>>>> Hello!
>>>> Schema caching for thin client is available here:
>>>>
>>>> https://github.com/dkupka/freeipa/commits/schema_cache
>>>>
>>>> Comments and reviews welcome.
>>>>
>>>> Enjoy!
>>>
>>> Not doing proper review. I'll test by using it. But:
>>>
>>> 1. lint fails
>>>
>>> Pylint is running, please wait ...
>>> ************* Module ipaclient.remote_plugins.schema_cache
>>> ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin),
>>> _refresh_schema] unicode built-in referenced)
>>> Makefile:137: recipe for target 'lint' failed
>>> make: *** [lint] Error 1
>>>
>>> I.e, you miss:
>>>
>>> import six
>>>
>>> if six.PY3:
>>>     unicode = str
>>>
>>
>> Thanks for the catch, fixed version force-pushed.
>
> ACK on the server part, i.e. the first 3 commits:
>
> 0cd99a7 schema: Cache schema in api instance
> b9a58c4 schema: Add known_fingerprints option to schema command
> f6f4e53 schema: Add fingerprint and TTL
>
> Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a

ACK on this commit:

7fc7941 schema: return fingerprint as unicode text

Pushed to master: a5f48476adfd9971a1756bd5ad3cb7c9e2afef22

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 21 14:27:30 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:27:30 +0200
Subject: [Freeipa-devel] [PATCH 0535] Replica promotion: check if IPA domain is the right one
Message-ID: <96b03330-4aee-e53b-22f6-8a8f98e15507@redhat.com>

https://fedorahosted.org/freeipa/ticket/5976

Client must have properly set domain to allow replica install

Patch attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0535-Replica-promotion-use-the-correct-IPA-domain-for-rep.patch
Type: text/x-patch
Size: 2870 bytes
Desc: not available
URL:

From pvoborni at redhat.com Tue Jun 21 14:31:50 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Jun 2016 16:31:50 +0200
Subject: [Freeipa-devel] [PATCH] 0053: webui: allow to set weight of server without location
In-Reply-To:
References:
Message-ID:

On 06/15/2016 03:49 PM, Pavel Vomacka wrote:
> Hello,
>
> I've found a small bug in locations in WebUI. It is not allowed to set
> weight of a server with no location (i.e. adding new server). Attached
> patch allows that.
>
> https://fedorahosted.org/freeipa/ticket/5905
>
> --
> Pavel^3 Vomacka
>

I had to rebase because of 4155eb7b13b20605886ba79c02c232f83a7b439c

ACK

master:
https://fedorahosted.org/freeipa/changeset/68c748c2b68b82ef5989f00dcda3d8d5a77b7bb6

--
Petr Vobornik

From mbasti at redhat.com Tue Jun 21 14:33:37 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:33:37 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com> <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com>
Message-ID: <475bdc05-7908-9d93-303a-5146869e0918@redhat.com>

On 21.06.2016 16:24, Jan Cholasta wrote:
> On 21.6.2016 15:11, Jan Cholasta wrote:
>> On 16.6.2016 09:12, David Kupka wrote:
>>> On 06/15/2016 08:15 PM, Petr Vobornik wrote:
>>>> On 06/15/2016 02:36 PM, David Kupka wrote:
>>>>> Hello!
>>>>> Schema caching for thin client is available here:
>>>>>
>>>>> https://github.com/dkupka/freeipa/commits/schema_cache
>>>>>
>>>>> Comments and reviews welcome.
>>>>>
>>>>> Enjoy!
>>>>
>>>> Not doing proper review. I'll test by using it. But:
>>>>
>>>> 1. lint fails
>>>>
>>>> Pylint is running, please wait ...
>>>> ************* Module ipaclient.remote_plugins.schema_cache
>>>> ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin),
>>>> _refresh_schema] unicode built-in referenced)
>>>> Makefile:137: recipe for target 'lint' failed
>>>> make: *** [lint] Error 1
>>>>
>>>> I.e, you miss:
>>>>
>>>> import six
>>>>
>>>> if six.PY3:
>>>>     unicode = str
>>>>
>>>
>>> Thanks for the catch, fixed version force-pushed.
>>
>> ACK on the server part, i.e. the first 3 commits:
>>
>> 0cd99a7 schema: Cache schema in api instance
>> b9a58c4 schema: Add known_fingerprints option to schema command
>> f6f4e53 schema: Add fingerprint and TTL
>>
>> Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a
>
> ACK on this commit:
>
> 7fc7941 schema: return fingerprint as unicode text
>
> Pushed to master: a5f48476adfd9971a1756bd5ad3cb7c9e2afef22
>

Is it okay to keep just the last 4 bytes from SHA1? How big is the possibility of a conflict?

Martin^2

From mbasti at redhat.com Tue Jun 21 14:35:15 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:35:15 +0200
Subject: [Freeipa-devel] [PATCH] 497 Update Developers in Contributors.txt
In-Reply-To: <7811a181-a031-67b8-6a04-69b51b11b388@redhat.com>
References: <7811a181-a031-67b8-6a04-69b51b11b388@redhat.com>
Message-ID:

On 16.06.2016 15:55, Martin Kosek wrote:
> Since we are close to 4.4 release, let's add the latest contributors. (master
> branch should be enough).
>
>

ACK

Pushed to master: 858b74e66b529f4b7ff1c791e6101445b1d18174

From mbasti at redhat.com Tue Jun 21 14:39:10 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:39:10 +0200
Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started
In-Reply-To:
References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> <9f809d24-a845-9de1-7592-7053512b671b@redhat.com>
Message-ID: <1a670c65-4ad8-bcd9-e7b3-86ab0077e287@redhat.com>

On 14.06.2016 17:26, Stanislav Laznicka wrote:
> - signerd_service.start()
> + try:
> + signerd_service.start()
> + except Exception as e:
> + root_logger.error("Unable to start '{svcname}': {err}"
> + .format(svcname=signerd_service.service_name,
> + err=e))

why is signerd so special?

Martin^2

From pvoborni at redhat.com Tue Jun 21 14:44:20 2016
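Review bot: the try/except added around `signerd_service.start()` catches bare `Exception`, so every failure of that start (not only the "service cannot be started" case the patch subject names) is reduced to one error-level log line and the uninstaller continues; it should be narrowed to the exception the service helper raises for a failed start so that unrelated errors still surface. Since only this one start() call is wrapped while the surrounding service starts are not, the commit message or a comment should also say why signerd alone is treated this way, which is the question Martin raises.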
From: pvoborni at redhat.com (Petr Vobornik)
Date: Tue, 21 Jun 2016 16:44:20 +0200
Subject: [Freeipa-devel] [PATCH] 0056 webui: Counterpart of dnsserver-{find, show, mod}
In-Reply-To:
References: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>
Message-ID:

On 06/16/2016 01:38 PM, Petr Spacek wrote:
> On 16.6.2016 12:09, Pavel Vomacka wrote:
>>
>> On 06/16/2016 12:06 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> please review attached patch.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5905
>>>
>> Fixed commit message
>
> LGTM from user's perspective but I did not review the code.
>

Code looks OK, applies well, but I did not test yet.

So if Petr's LGTM is functional test ACK, then ACK from me.

--
Petr Vobornik

From jcholast at redhat.com Tue Jun 21 14:51:38 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 21 Jun 2016 16:51:38 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <475bdc05-7908-9d93-303a-5146869e0918@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com> <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com> <475bdc05-7908-9d93-303a-5146869e0918@redhat.com>
Message-ID:

On 21.6.2016 16:33, Martin Basti wrote:
>
> On 21.06.2016 16:24, Jan Cholasta wrote:
>> On 21.6.2016 15:11, Jan Cholasta wrote:
>>> On 16.6.2016 09:12, David Kupka wrote:
>>>> On 06/15/2016 08:15 PM, Petr Vobornik wrote:
>>>>> On 06/15/2016 02:36 PM, David Kupka wrote:
>>>>>> Hello!
>>>>>> Schema caching for thin client is available here:
>>>>>>
>>>>>> https://github.com/dkupka/freeipa/commits/schema_cache
>>>>>>
>>>>>> Comments and reviews welcome.
>>>>>>
>>>>>> Enjoy!
>>>>>
>>>>> Not doing proper review. I'll test by using it. But:
>>>>>
>>>>> 1. lint fails
>>>>>
>>>>> Pylint is running, please wait ...
>>>>> ************* Module ipaclient.remote_plugins.schema_cache
>>>>> ipaclient/remote_plugins/schema_cache.py:283: [W1612(unicode-builtin),
>>>>> _refresh_schema] unicode built-in referenced)
>>>>> Makefile:137: recipe for target 'lint' failed
>>>>> make: *** [lint] Error 1
>>>>>
>>>>> I.e, you miss:
>>>>>
>>>>> import six
>>>>>
>>>>> if six.PY3:
>>>>>     unicode = str
>>>>>
>>>>
>>>> Thanks for the catch, fixed version force-pushed.
>>>
>>> ACK on the server part, i.e. the first 3 commits:
>>>
>>> 0cd99a7 schema: Cache schema in api instance
>>> b9a58c4 schema: Add known_fingerprints option to schema command
>>> f6f4e53 schema: Add fingerprint and TTL
>>>
>>> Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a
>>
>> ACK on this commit:
>>
>> 7fc7941 schema: return fingerprint as unicode text
>>
>> Pushed to master: a5f48476adfd9971a1756bd5ad3cb7c9e2afef22
>>
>
> Is it okay to keep just the last 4 bytes from SHA1? How big is the possibility of a
> conflict?

2.3283064365386963e-10

Git uses 3.5 bytes for short commit IDs by default. So far, there are only 4 conflicts in freeipa git:

$ git log --oneline | grep -E '^[0-9a-z]{8,}'
c6c84fae Py3: replace tab with space
b194b850 Fix remove while iterating in suppress_netgroup_memberof.
58a3b1d0 85: Added ReadOnly._lock() method to make class easier to use; updated subclasses and unit tests
bc524460 Fix build issues by combining patches submitted by Michael Gregg and Karl MacMillan Remove #!/usr/bin/python from many files to quiet rpmlint

So IMO 4 bytes is good enough for our API schema fingerprints.

Even if 4 bytes turn out not to be good enough, we can increase the length at any time without breaking clients, because clients don't care about fingerprint specifics.

--
Jan Cholasta

From mbasti at redhat.com Tue Jun 21 14:49:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:49:21 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To:
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com> <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com> <475bdc05-7908-9d93-303a-5146869e0918@redhat.com>
Message-ID: <8c777221-f39b-370e-2038-3eac431da36c@redhat.com>

On 21.06.2016 16:51, Jan Cholasta wrote:
> On 21.6.2016 16:33, Martin Basti wrote:
>>
>> On 21.06.2016 16:24, Jan Cholasta wrote:
>>> On 21.6.2016 15:11, Jan Cholasta wrote:
>>>> On 16.6.2016 09:12, David Kupka wrote:
>>>>> On 06/15/2016 08:15 PM, Petr Vobornik wrote:
>>>>>> On 06/15/2016 02:36 PM, David Kupka wrote:
>>>>>>> Hello!
>>>>>>> Schema caching for thin client is available here:
>>>>>>>
>>>>>>> https://github.com/dkupka/freeipa/commits/schema_cache
>>>>>>>
>>>>>>> Comments and reviews welcome.
>>>>>>>
>>>>>>> Enjoy!
>>>>>>
>>>>>> Not doing proper review. I'll test by using it. But:
>>>>>>
>>>>>> 1. lint fails
>>>>>>
>>>>>> Pylint is running, please wait ...
>>>>>> ************* Module ipaclient.remote_plugins.schema_cache
>>>>>> ipaclient/remote_plugins/schema_cache.py:283:
>>>>>> [W1612(unicode-builtin),
>>>>>> _refresh_schema] unicode built-in referenced)
>>>>>> Makefile:137: recipe for target 'lint' failed
>>>>>> make: *** [lint] Error 1
>>>>>>
>>>>>> I.e, you miss:
>>>>>>
>>>>>> import six
>>>>>>
>>>>>> if six.PY3:
>>>>>>     unicode = str
>>>>>>
>>>>>
>>>>> Thanks for the catch, fixed version force-pushed.
>>>>
>>>> ACK on the server part, i.e. the first 3 commits:
>>>>
>>>> 0cd99a7 schema: Cache schema in api instance
>>>> b9a58c4 schema: Add known_fingerprints option to schema command
>>>> f6f4e53 schema: Add fingerprint and TTL
>>>>
>>>> Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a
>>>
>>> ACK on this commit:
>>>
>>> 7fc7941 schema: return fingerprint as unicode text
>>>
>>> Pushed to master: a5f48476adfd9971a1756bd5ad3cb7c9e2afef22
>>>
>>
>> Is it okay to keep just the last 4 bytes from SHA1? How big is the possibility of a
>> conflict?
>
> 2.3283064365386963e-10
>
> Git uses 3.5 bytes for short commit IDs by default. So far, there are
> only 4 conflicts in freeipa git:
>
> $ git log --oneline | grep -E '^[0-9a-z]{8,}'
> c6c84fae Py3: replace tab with space
> b194b850 Fix remove while iterating in suppress_netgroup_memberof.
> 58a3b1d0 85: Added ReadOnly._lock() method to make class easier to
> use; updated subclasses and unit tests
> bc524460 Fix build issues by combining patches submitted by Michael
> Gregg and Karl MacMillan Remove #!/usr/bin/python from many files to
> quiet rpmlint
>
> So IMO 4 bytes is good enough for our API schema fingerprints.
>
> Even if 4 bytes turn out not to be good enough, we can increase the
> length at any time without breaking clients, because clients don't
> care about fingerprint specifics.
>

Okay

From mbasti at redhat.com Tue Jun 21 14:56:24 2016
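Worked numbers for the fingerprint-length question in the schema caching thread above, as an added example that is not FreeIPA code: it reproduces the 2^-32 per-pair figure and goes beyond it to the birthday bound over many cached schema versions, the smallest fingerprint length that keeps that bound under a target, and the git-style check for ids that need more than 7 hex characters. The fingerprint being the last 4 bytes of SHA-1 follows the thread; the schema blobs and commit ids are constructed.

```python
"""Collision odds for a truncated SHA-1 schema fingerprint.

Added example, not FreeIPA code. As in the thread, the fingerprint is the
last `nbytes` bytes of SHA-1 over the serialized schema.
"""
import hashlib


def schema_fingerprint(schema: bytes, nbytes: int = 4) -> str:
    """Hex fingerprint: the last `nbytes` bytes of SHA-1(schema)."""
    return hashlib.sha1(schema).digest()[-nbytes:].hex()


def pairwise_collision_probability(nbytes: int) -> float:
    """P(two independent schemas share a fingerprint) = 2^-(8*nbytes).

    For nbytes=4 this is the 2.3283064365386963e-10 quoted in the thread.
    """
    return 2.0 ** (-8 * nbytes)


def birthday_collision_probability(n_versions: int, nbytes: int) -> float:
    """P(at least one clash among n_versions distinct schemas), exact product.

    This, not the per-pair figure, is what matters once a client may hold
    fingerprints of many schema versions (one per server/API release).
    """
    space = 2 ** (8 * nbytes)
    if n_versions > space:
        return 1.0  # pigeonhole: more versions than fingerprints
    p_no_clash = 1.0
    for k in range(n_versions):
        p_no_clash *= (space - k) / space
    return 1.0 - p_no_clash


def min_fingerprint_bytes(n_versions: int, max_probability: float) -> int:
    """Smallest length whose birthday bound for n_versions is <= max_probability.

    Mirrors the thread's fallback: the length can be raised later without
    breaking clients, so size it from the number of versions expected.
    """
    nbytes = 1
    while birthday_collision_probability(n_versions, nbytes) > max_probability:
        nbytes += 1
    return nbytes


def ambiguous_short_ids(hexdigests, short_len: int = 7):
    """Digests whose default `short_len`-char prefix is shared with another.

    These are exactly the ids that `git log --oneline` prints longer than
    7 characters, i.e. what the thread's grep for '^[0-9a-z]{8,}' found.
    """
    by_prefix = {}
    for digest in hexdigests:
        by_prefix.setdefault(digest[:short_len], []).append(digest)
    return sorted(d for group in by_prefix.values() if len(group) > 1 for d in group)


# Constructed sample ids (not real freeipa commits); the first two share
# their 7-character prefix and would be disambiguated with 8 characters.
SAMPLE_COMMIT_IDS = [
    "c0ffee1a" + "0" * 32,
    "c0ffee1b" + "1" * 32,
    "1234567" + "a" * 33,
    "89abcde" + "f" * 33,
]

# Constructed stand-ins for two serialized schema versions.
SCHEMA_V1 = b'{"version": "v1", "commands": ["user_add", "user_show"]}'
SCHEMA_V2 = b'{"version": "v2", "commands": ["user_add", "user_show", "ca_add"]}'

if __name__ == "__main__":
    print("v1 fingerprint:", schema_fingerprint(SCHEMA_V1))
    print("v2 fingerprint:", schema_fingerprint(SCHEMA_V2))
    print("per pair, 4 bytes:", pairwise_collision_probability(4))
    print("1000 versions, 4 bytes:", birthday_collision_probability(1000, 4))
    print("bytes for 1000 versions at 1e-6:", min_fingerprint_bytes(1000, 1e-6))
    print("ids needing 8+ chars:", ambiguous_short_ids(SAMPLE_COMMIT_IDS))
```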
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 16:56:24 +0200
Subject: [Freeipa-devel] [PATCH] 0056 webui: Counterpart of dnsserver-{find, show, mod}
In-Reply-To:
References: <24df01da-06c1-bd86-c430-3d0a2483105b@redhat.com>
Message-ID: <73190d43-8767-b003-b15f-faa94bc170c2@redhat.com>

On 21.06.2016 16:44, Petr Vobornik wrote:
> On 06/16/2016 01:38 PM, Petr Spacek wrote:
>> On 16.6.2016 12:09, Pavel Vomacka wrote:
>>>
>>> On 06/16/2016 12:06 PM, Pavel Vomacka wrote:
>>>> Hello,
>>>>
>>>> please review attached patch.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5905
>>>>
>>> Fixed commit message
>>
>> LGTM from user's perspective but I did not review the code.
>>
> Code looks OK, applies well, but I did not test yet.
>
> So if Petr's LGTM is functional test ACK, then ACK from me.
>

Pushed to master: cc6a3325d497286620cada12dca22fe5e5cf15e7

From mkubik at redhat.com Tue Jun 21 15:01:35 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 21 Jun 2016 17:01:35 +0200
Subject: [Freeipa-devel] [patch 0038-0040] Sub CA test patches
Message-ID: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com>

Hi Fraser and list,

I have made changes to the test plan on the wiki [1] according to the information in the "[Testplan review] Sub CAs" thread.

I also implemented the tests in the test plan:

patch 0038 - CATracker and CA CRUD test
patch 0039 - extension to CA ACL test
patch 0040 - functional test with ACLs and certificate profile, reusing my previous S/MIME based tests. This patch also tests for the cert-request behavior when profile ID or CA cn are omitted.

The tests ATM do not verify the Issuer name in the certificate itself, just from the ipa entry of the certificate.

Fraser, could you please verify my reasoning behind the test cases for cert-request in the patch 40?

[1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan

Cheers

--
Milan Kubik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0038-ipatests-Tracker-implementation-for-Sub-CA-feature.patch
Type: text/x-patch
Size: 11931 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0039-ipatests-Extend-CAACL-suite-to-cover-Sub-CA-members.patch
Type: text/x-patch
Size: 6442 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkubik-0040-ipatests-Test-Sub-CA-with-CAACL-and-certificate-prof.patch
Type: text/x-patch
Size: 6341 bytes
Desc: not available
URL:

From pspacek at redhat.com Tue Jun 21 15:08:35 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 21 Jun 2016 17:08:35 +0200
Subject: [Freeipa-devel] [PATCH 0535] Replica promotion: check if IPA domain is the right one
In-Reply-To: <96b03330-4aee-e53b-22f6-8a8f98e15507@redhat.com>
References: <96b03330-4aee-e53b-22f6-8a8f98e15507@redhat.com>
Message-ID: <8d035ed7-1614-de03-1fa2-d38dd9c4a7dc@redhat.com>

On 21.6.2016 16:27, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5976
>
> Client must have properly set domain to allow replica install
>
> Patch attached.

ACK

The CRITICAL message is awesome :-)

--
Petr^2 Spacek

From mbasti at redhat.com Tue Jun 21 15:10:47 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 17:10:47 +0200
Subject: [Freeipa-devel] [PATCH 0535] Replica promotion: check if IPA domain is the right one
In-Reply-To: <8d035ed7-1614-de03-1fa2-d38dd9c4a7dc@redhat.com>
References: <96b03330-4aee-e53b-22f6-8a8f98e15507@redhat.com> <8d035ed7-1614-de03-1fa2-d38dd9c4a7dc@redhat.com>
Message-ID: <555c3161-53e5-6d1a-bec0-d6ae3a17b620@redhat.com>

On 21.06.2016 17:08, Petr Spacek wrote:
> On 21.6.2016 16:27, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5976
>>
>> Client must have properly set domain to allow replica install
>>
>> Patch attached.
>
> ACK
>
> The CRITICAL message is awesome :-)
>

master:
* 9ae98420e94ea2973ecc21be0a984eac855a2a14 Replica promotion: use the correct IPA domain for replica

ipa-4-3:
* 290e6c08c9eccb585e8b0b760115a0d442e72787 Replica promotion: use the correct IPA domain for replica

From mbasti at redhat.com Tue Jun 21 16:57:54 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 21 Jun 2016 18:57:54 +0200
Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests
In-Reply-To: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com>
References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com>
Message-ID: <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com>

On 21.06.2016 15:39, Lenka Doudova wrote:
> Hi,
>
> attaching patch for failing location tests
> (ipatests/test_xmlrpc/test_location_plugin.py).
>
> Lenka
>

Hello,

1)
+ expected_updates={u'ipalocation_location': [location.idnsname_obj],
+ u'enabled_role_servrole': (
+ u'CA server', u'DNS server', u'NTP server')},

This depends on services installed on the server, so a server without DNS will cause test failures. We probably should skip the test if DNS isn't installed. Without DNS installed you get many more different warnings.

2)
+ def update(self, updates, expected_updates=None, messages=None):
....
+ self.messages = messages

Why is this needed? I'm puzzled by this. It is defined outside __init__, which is wrong, and it is never used.

From pvoborni at redhat.com Tue Jun 21 17:56:20 2016
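Review bot: the `expected_updates` fragment in point 1 hard-codes `u'enabled_role_servrole': (u'CA server', u'DNS server', u'NTP server')`, so the assertion encodes one particular server layout rather than the behaviour under test; instead of the literal tuple, either skip the test when the DNS server role is not installed (as Martin suggests) or build the expected tuple from the roles the test server actually reports, so the same test passes on CA-less or DNS-less installs. For point 2, the `self.messages = messages` assignment in `update()` should be dropped unless a later assertion consumes it; if it is needed, initialise it in `__init__` so the tracker's attribute set does not depend on which method has been called.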
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 21 Jun 2016 19:56:20 +0200 Subject: [Freeipa-devel] Announcing FreeIPA 4.4.0 alpha1 Message-ID: == FreeIPA 4.4.0 Alpha 1 === The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release! A tarball can be downloaded from http://www.freeipa.org/page/Downloads == Highlights in 4.4.0 Alpha 1 == Enhancements: * Improved Topology Management * Added Overview of IPA server roles: * Added support certificates for AD users: * Added support of UPN for trusted domains * Added support for Kerberos Authentication Indicators * Added DNS Location Mechanism * Several performance improvements * Refactored IPA command line tool * Added support for Sub-CAs == Detailed Changelog since 4.3.1 == Abhijeet Kasurde (12): Added kpasswd_server directive in client krb5.conf Fixed login error message box in LoginScreen page Added fix for notifying user about Kerberos principal expiration in WebUI Added description related to 'status' in ipactl man page Added warning to user for Internet Explorer Added fix for notifying user about locked user account in WebUI Updated ipa command man page Fix added to ipa-compat-manage command line help Removed custom implementation of CalledProcessError Replaced find_hostname with api.env.host Added exception handling for mal-formatted XML Parsing Added missing translation to automount.py method Alexander Bokovoy (11): slapi-nis: update configuration to allow external members of IPA groups extdom: do not fail to process error case when no request is specified otptoken: support Python 3 for the qr code trusts: Add support for an external trust to Active Directory domain adtrust: remove nttrustpartner parameter adtrust: remove nttrustpartner parameter adtrust: support GSSAPI authentication to LDAP as Active Directory user adtrust: support UPNs for trusted domain users webui: show UPN suffixes in trust properties webui: support external flag to trust-add adtrust: optimize forest root LDAP filter 
Christian Heimes (3): Require Dogtag 10.2.6-13 to fix KRA uninstall Modernize mod_nss's cipher suites Move user/group constants for PKI and DS into ipaplatform David Kupka (28): installer: Propagate option values from components instead of copying them. installer: Fix logic of reading option values from cache. ipa-dns-install: Do not check for zone overlap when DNS installed. ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options installer: Change reverse zones question to better reflect reality. Fix: Use unattended parameter instead of options.unattended CI: Add '2-connected' topology generator. CI: Add simple replication test in 2-connected topology. CI: Add test for 2-connected topology generator. CI: Fix pep8 errors in 2-connected topology generator CI: add empty topology test for 2-connected topology generator CI: Add double circle topology. CI: Add replication test utilizing double-circle topology. CI: Add test for double-circle topology generator. CI: Make double circle topology python3 compatible upgrade: Match whole pre/post command not just basename. dsinstance: add start_tracking_certificates method httpinstance: add start_tracking_certificates method Look up HTTPD_USER's UID and GID during installation. test: test_cli: Do not expect defaults in kwargs. man: Decribe ipa-client-install workaround for broken D-Bus enviroment. 
installer: positional_arguments must be tuple or list of strings installer: index() raises ValueError Remove unused locking "context manager" schema: Add fingerprint and TTL schema: Add known_fingerprints option to schema command schema: Cache schema in api instance schema: return fingerprint as unicode text Filip Skola (9): Refactor test_user_plugin, use UserTracker for tests Refactor test_replace Refactor test_attr Refactor test_sudocmd_plugin Refactor test_sudocmdgroup_plugin Refactor test_group_plugin, use GroupTracker for tests Refactor test_nesting, create HostGroupTracker Refactor test_hostgroup_plugin Refactor test_automember_plugin, create AutomemberTracker Florence Blanc-Renaud (5): Add missing CA options to the manpage for ipa-replica-install Add the culprit line when a configuration file has an incorrect format add context to exception on LdapEntry decode error batch command can be used to trigger internal errors on server Always qualify requests for admin in ipa-replica-conncheck Fraser Tweedale (22): Do not decode HTTP reason phrase from Dogtag Remove workaround for CA running check caacl: correctly handle full user principal name Prevent replica install from overwriting cert profiles Detect and repair incorrect caIPAserviceCert config Remove service and host cert issuer validation Allow CustodiaClient to be used by arbitrary principals Load server plugins in certmonger renewal helper Add ACIs for Dogtag custodia client Optionally add service name to Custodia key DNs Setup lightweight CA key retrieval on install/upgrade Authorise CA Agent to manage lightweight CAs Add custodia store for lightweight CA key replication Add 'ca' plugin Add IPA CA entry on install / upgrade Update 'caacl' plugin to support lightweight CAs Add CA argument to ra.request_certificate Update cert-request to allow specifying CA Add issuer options to cert-show and cert-find replica-install: configure key retriever before starting Dogtag upgrade: do not try to start CA if not 
configured restart scripts: bootstrap api with in_server=True Gabe Alford (1): ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' Jakub Hrozek (1): sudo: Fix a typo in the --help output of sudocmdgroup James Groffen (1): Set close button type attribute to 'button'. Jan Barta (1): pylint: fix: multiple-statements Jan Cholasta (112): ipautil: remove unused import causing cyclic import in tests ipalib: assume version 2.0 when skip_version_check is enabled ipapython: remove default_encoding_utf8 ipapython: port p11helper C code to Python ipapython: use python-cryptography instead of libcrypto in p11helper spec file: package python-ipalib as noarch cert renewal: import all external CA certs on IPA CA cert renewal replica install: validate DS and HTTP server certificates replica promotion: fix AVC denials in remote connection check cacert install: fix trust chain validation client: stop using /etc/pki/nssdb ipalib: provide per-call command context ipalib: add convenient Command method for adding messages certdb: never use the -r option of certutil spec file: bump minimum required pki-core version build: fix client-only build makeapi: use the same formatting for `int` and `long` values replica install: do not set CA renewal master flag rpc: do not crash when unable to parse JSON parameters: remove unused ConversionError and ValidationError arguments rpc: include structured error information in responses frontend: re-raise remote RequirementError using CLI name in CLI frontend: remove the unused Command.soft_validate method frontend: perform argument value validation only on server batch: do not crash when no argument is specified ipalib: make optional positional command arguments actually optional frontend: do not forward unspecified positional arguments to server user: do not assume the preserve flags have value in user_del frontend: do not forward argument defaults to server makeapi: optimize API.txt ipalib: remove the unused `csv` argument of Param 
makeaci: load additional plugins using API.add_module plugable: replace API.import_plugins with new API.add_package ipalib, ipaserver: migrate all plugins to Registry-based registration ipalib, ipaserver: fix incorrect API.register calls in docstrings plugable: remove the unused deprecated API.register method plugable: switch API to Registry-based plugin discovery frontend: merge baseldap.CallbackRegistry into Command frontend: move the interactive_prompt callback type to Command automount: do not inherit automountlocation_import from LDAPQuery dns: move code called on client to the module level dns: do not rely on server data structures in code called on client otptoken: fix import of DN otptoken_yubikey: fix otptoken_add_yubikey arguments vault: move client-side code to the module level vault: copy arguments of client commands from server counterparts ipalib: use relative imports for cross-plugin imports frontend: allow commands to have an argument named `name` cli: make optional positional command arguments actually optional dns: fix dnsrecord interactive mode ipaclient: introduce ipaclient.plugins ipalib: move client-side plugins to ipaclient help, makeapi: allow setting command topic explicitly help, makeapi: specify module topic by name help, makeapi: do not use hardcoded plugin package name plugable: turn Plugin attributes into properties plugable: simplify API plugin initialization code plugable: remember overriden plugins in API frontend: turn Method attributes into properties ipaclient: add client-side command override class dns: move code shared by client and server to separate module ipalib: split off client-side plugin code into ipaclient parameters: introduce cli_metavar keyword argument parameters: introduce no_convert keyword argument ipalib: replace DeprecatedParam with `deprecated` Param argument ipalib: introduce API schema plugins rpc: respect API config in RPCClient.create_connection rpc: allow overriding NSS DB directory in API config rpc: 
specify connection options in API config rpc: optimize JSON-RPC response handling rpc: do not validate command name in RPCClient.forward client install: finalize API after CA certs are available ipactl: use server API ipalib: move File command arguments to ipaclient misc: hide the unused --all option of `env` and `plugins` in CLI ipaclient: implement thin client ipalib: move server-side plugins to ipaserver frontend: do not check API minor version of the client schema: do not validate unrequested params in command_defaults replica install: use remote server API to create service entries schema: fix topic command output schema: fix typo spec file: require correct packages to get API plugins plugable: allow plugins to be non-classes plugable: initialize plugins on demand schema: generate client-side commands on demand batch, schema: use Dict instead of Any misc: fix empty CLI output of `env` and `plugins` commands dns, passwd: fix outputs of `dns_resolve` and `passwd` commands frontend: call `execute` rather than `forward` in Local schema: exclude local commands schema: fix client-side dynamic defaults makeaci, makeapi: use in-server API frontend: don't copy command arguments to output params frontend: skip `value` output in output_for_cli frontend: do not crash on missing output in output_for_cli automember: add object plugin for automember_rebuild dns: do not rely on custom param fields in record attributes misc: skip `count` and `total` output in env.output_for_cli passwd: handle sort order of passwd argument on the client permission: handle ipapermright deprecated CLI alias on the client schema: add object class schema schema: remove output_params schema: merge command args and options schema: remove redundant information schema: remove `no_cli` from command schema replica install: fix thin client regression ldap: fix handling of binary data in search filters cert: add object plugin cert: add owner information cert: allow search by certificate dns: fix 
dns_update_system_records to work with thin client Jérôme Fenal (1): Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French. Lenka Doudova (5): WebUI tests: fix failing of tests due to unclicable label WebUI test: ID views WebUI: Test creating user without private group Test fix: Cleanup for host certificate Test: Maximum username length higher than 255 cannot be set Ludwig Krispenz (2): prevent moving of topology entries out of managed scope by modrdn operations v2 - avoid crash in topology plugin when host list contains host with no hostname Lukáš Slebodník (6): extdom: Remove unused macro IPA-SAM: Fix build with samba 4.4 CONFIGURE: Replace obsolete macros ipa-sam: Do not redefine LDAP_PAGE_SIZE SPEC: Remove unused build dependency on libwbclient BUILD: Remove detection of libcheck Martin Babinsky (44): raise more descriptive Backend connection-related exceptions harden domain level 1 topology connectivity checks ipalib/x509.py: revert deletion of ipalib api import prevent crash of CA-less server upgrade due to absent certmonger use FFI call to rpmvercmp function for version comparison tests for package version comparison fix Py3 incompatible exception instantiation in replica install code ipa-csreplica-manage: remove extraneous ldap2 connection IPA upgrade: move replication ACIs to the mapping tree entry uninstallation: more robust check for master removal from topology correctly set LDAP bind related attributes when setting up replication disable RA plugins when promoting a replica from CA-less master fix standalone installation of externally signed CA on IPA master reset ldap.conf to point to newly installer replica after promotion always start certmonger during IPA server configuration upgrade upgrade: unconditional import of certificate profiles into LDAP CI tests: use old schema when testing hostmask-based sudo rules use LDAPS during standalone CA/KRA subsystem deployment 
test_cert_plugin: use only first part of the hostname to construct short name only search for Kerberos SRV records when autodiscovery was requested spec: add conflict with bind-chroot to freeipa-server-dns spec: require python-cryptography newer than 0.9 ipa-replica-manage: print traceback on unexpected error when in verbose mode otptoken-add: improve the robustness of QR code printing differentiate between limit types when LDAP search exceeds configured limits specify type of exceeded limit when warning about truncated search results replica-prepare: do not add PTR records if there is no IPA managed reverse zone Server Roles: definitions of server roles and attributes Server Roles: Backend plugin to query roles and attributes Test suite for `serverroles` backend Server Roles: public API for server roles Server Roles: make server-{show,find} utilize role information Server Roles: make *config-show consume relevant roles/attributes Server Roles: provide an API for setting CA renewal master Add NTP to the list of services stored in IPA masters LDAP subtree Introduce "NTP server" role ipaserver module for working with managed topology delegate removal of master DNS record and replica keys to separate functions server-del: perform full master removal in managed topology CI test suite for `server-del` ipa-replica-manage: use `server_del` when removing domain level 1 replica remove the master from managed topology during uninstallation Fix listing of enabled roles in `server-find` Do not update result of *-config-show with empty server attributes Martin Bašti (147): Fix DNS tests: dns-resolve returns warning Remove unused code in server installer related to KRA Fix version comparison Fix: replace mkdir with chmod Use module variables for timedate_services Remove empty test file Remove unused imports Remove wildcard imports Enable multiple warnings checks in Pylint Enable pylint lost exception check Enable pylint duplicated-key check Enable pylint trailing-whitespace 
check Enable pylint missing-final-newline check Enable pylint unused-format-string-key check Enable pylint expression-not-assigned check Enable pylint empty-docstring check Enable pylint unnecessary-pass check update_uniqueness plugin: fix referenced before assigment error Allow to used mixed case for sysrestore Upgrade: Fix upgrade of NIS Server configuration DNSSEC test: fix adding zones with --skip-overlap-check DNSSEC CI: add missing ldns-utils dependency Enable pylint unpacking-non-sequence check Enable pylint unbalanced-tuple-unpacking check CI test: fix regression in task.install_kra Warn about potential loss of CA, KRA, DNSSEC during uninstall Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter Exclude o=ipaca subtree from Retro Changelog (syncrepl) Fix DNSSEC test: add glue record Warn user when ipa *-find reach limit DNSSEC CI: fix zone delegations make lint: use config file and plugin for pylint Upgrade: log to ipaupgrade.log when IPA server is not installed Disable new pylint checks Py3: do not use dict.iteritems() upgrade: fix config of sidgen and extdom plugins trusts: use ipaNTTrustPartner attribute to detect trust entries Warn user if trust is broken fix upgrade: wait for proper DS socket after DS restart Revert "test: Temporarily increase timeout in vault test." 
Remove duplicated except Pylint: add missing attributes of errors to definitions fix permission: Read Replication Agreements Make PTR records check optional for IPA installation Fix connections to DS during installation pylint: supress false positive no-member errors CI: allow customized DS install test to work with domain levels fix suspicious except statements Remove unused arguments from update_ssh_keys method Configure 389ds with "default" cipher suite krb5conf: use 'true' instead of 'yes' for forwardable option stageuser-activate: Normalize manager value Remove redundant parameters from CS.cfg in dogtaginstance Use platform path constant for SSSD log dir Fix broken trust warnings spec: Add missing dependencies to python*-ipalib package client: enable ChallengeResponseAuthentication in sshd_config pylint: remove bare except Pylint: fix definition of global variables Pylint: enable pointless-except check Pylint: enable reimported check Pylint: use list comprehension instead of iteration Pylint: import max one module per line Pylint: remove unnecessary-semicolon Pylint: enable invalid-name check SPEC: do not run upgrade when ipa server is not installed Fix: catch Exception instead of more specific exception types Fix stageuser-activate - managers test Add missing pre_common_callback to stageuser_add host_del: fix removal of host records host_del: replace dns-record find command with show host_del: remove unneeded dnszone-show command call host_del: split removing A/AAAA and PTR records to separate functions host_del: remove only A, AAAA, SSHFP, PTR records host_del: update help for --updatedns option host-del --updatedns: print warnings instead of error Use netifaces module instead of 'ip' command Limit max username length to 255 in config-mod Increase API version for 'ipamaxusernamelength' attribute change Configure httpd service from installer instead of directly from RPM Performace: don't download password attributes in host/user-find Do not do extra search 
for ipasshpubkey to generate fingerprints Always set hostname Remove deprecated hostname restoration from Fedora18 Remove unused hostname variables Log errors from backup_and_replace hostname to logger Tasks: raise NotImplementedError for not implemented methods fix stageuser tests (removal of has_keytab and has_password from find) make: fail when ACI.txt or API.txt differs from values in source code ipactl: advertise --ignore-service-failure option Remove unused variable and finally block in SchemaCache Fix referenced before assigment variables in except statements Upgrade: always start CA Remove unused variables in automount plugin fix pylint false positive errors Translations: remove deprecated locale configuration Make option --no-members public in CLI Performance: Find commands: do not process members by default Test: fix failing host_test Fix: replace incorrect no_cli with no_option flag Fix: topologysuffix_find doesn't have no_members option DNS Locations: Always create DNS related privileges DNS Locations: add new attributes and objectclasses DNS Locations: location-* commands DNS Locations: API tests Allow to use non-Str attributes as keys for members DNS Locations: extend server-* command with locations DNS Location: location-show: return list of servers in location DNS Locations: when removing location remove it from servers first DNS Locations: extend tests with server-* commands Upgrade mod_wsgi socket-timeout on existing installation Exclude unneeded dirs and files from pylint check Fix resolve_rrsets: RRSet is not hashable Revert "adtrust: remove nttrustpartner parameter" Fix: Local variable s_indent might be referenced before defined Revert "Switch /usr/bin/ipa to Python 3" Use python2 for ipa cli DNS Locations: add index for ipalocation attribute DNS Locations: fix location-del DNS Locations: add idnsTemplateObject objectclass DNS Locations: DNS data management DNS Locations: permission: allow to read status of services DNS Locations: add ACI for 
template attribute DNS Locations: command dns-update-system-records DNS Locations: use dns_update_service_records in installers DNS Locations: adtrustinstance simplify dns management DNS Locations: use automatic records update in ipa-adtrust-install DNS Locations: server-mod: add automatic records update DNS Locations: dnsservers: add required objectclasses DNS Locations: dnsserver-* commands DNS Locations: dnsserver: put server_id option into named.conf DNS Locations: dnsserver: use the newer config way in installer DNS Locations: dnsserver: remove config when replica is removed DNS Locations: set proper substitution variable DNS Locations: require to restart named-pkcs11 affter location change DNS Locations: show warning if there is no DNS servers in location DNS Locations: prevent to remove used locations DNS Locations: do not generate location records for unused locations DNS Locations: location-del: remove location record DNS Locations: Rename ipalocationweight to ipaserviceweight DNS Locations: generate NTP records upgrade: don't fail if zone does not exists in in find DNS Location: add list of roles and DNS servers to location-show DNS Locations: dnsserver: print specific error when DNS is not installed Fix possibly undefined variable in ipa_smb_conf_exists() Updated IPA translations Replica promotion: use the correct IPA domain for replica Martin Košek (1): Update Developers in Contributors.txt Matt Rogers (1): ipa_kdb: add krbPrincipalAuthInd handling Michael Simacek (1): Fix bytes/string handling in rpc Milan Kubík (11): ipatests: replace the test-example.com domain in tests ipatests: Roll back the forwarder config after a test case ipatests: Fix configuration problems in dns tests ipatests: Make the A record for hosts in topology conditional ipatests: fix the install of external ca ipatests: Add missing certificate profile fixture ipatests: extend permission plugin test with new expected output spec file: rename the python-polib dependency name to 
python2-polib ipatests: fix for change_principal context manager ipatests: Add test case for requesting a certificate with full principal. spec: Add python-sssdconfig dependency for python-ipatests package Nathaniel McCallum (7): Don't error when find_base() fails if a base is not required Rename syncreq.[ch] to otpctrl.[ch] Ensure that ipa-otpd bind auths validate an OTP Return password-only preauth if passwords are allowed Enable authentication indicators for OTP and RADIUS Migrate from #ifndef guards to #pragma once Enable service authentication indicator management Oleg Fayans (26): CI tests: Enabled automatic creation of reverse zone during master installation CI tests: Added domain realm as a parameter to master installation in integration tests Fixed install_ca and install_kra under domain level 0 fixed an issue with master installation not creating reverse zone Enabled recreation of test directory in apply_common_fixes function Updated connect/disconnect replica to work with both domainlevels Removed --ip-address option from replica installation Removed messing around with resolv.conf Integration tests for replica promotion feature Enabled setting domain level explicitly in test class Removed a constantly failing call to prepare_host Made apply_common_fixes call at replica installation independent on domain_level Workaround for ticket 5627 Added copyright info to replica promotion tests rewrite a misprocessed teardown_method method as a custom decorator Reverted changes in mh fixture causing some tests to fail Fixed a bug with prepare_host failing upon existing ipatests folder Added a kdestroy call to clean ccache at master/client uninstallation Added 5 more tests to Replica Promotion testsuite Fixed a failure in legacy_client tests Add test if replica is working after domain upgrade Improve reporting of failed tests in topology test suite Bugfixes in managed topology tests A workaround for ticket N 5348 Added necessary A record for the replica to root zone 
Increased certmonger timeout Patrice Duc-Jacquet (2): Incorrect message when KRA already installed Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h". Pavel Vomacka (41): Add tool tips for Revert, Refresh, Undo, and Undo All Add support for the 'user' url parameter for the reset_password.html Add validation to Issue new certificate dialog Add pan and zoom functionality to the topology graph Nodes stay fixed after initial animation. Add field for group id in user add dialog Resize topology graph canvas according to window size Add X-Frame-Options and frame-ancestors options Add activate option to stage user details page Add 'skip overlap check' checkbox into add zone dialog Add 'skip overlap check' checkbox to the add dns forward zone dialog Add option to show OTP when adding host Update the delete dialog on details user page Add ability to stage multiple users Add option to stage user from details page Change lang.hitch to javascript bind method Change 'Restore' to 'Remove Hold' Extend the certificate request dialog Auth Indicators WebUI part Fix bad searching of reverse DNS zone Add adapter attribute for choosing record DNS Locations: WebUI part Add lists of hosts allowed to create or retrieve keytabs Correct a jslint warning Association table can be read only Extend table facet Add server roles on topology page Search facet can be without search field Add ability to review cert request dialog Add new webui plugin - ca Extend certificate entity page Extend caacl entity Make Actions string translatable Extend DNS config page Extend trust config page Add creating a segment using mouse Add listener which opens add segment dialog Add placeholder to add segment dialog Add DNS default TTL field Allow to set weight of a server without location DNS Servers: Web UI part Peter Lacko (1): Ping module tests. 
Petr Viktorin (46): Package ipapython, ipalib, ipaplatform, ipatests for Python 3 Use explicit truncating division Don't index exceptions directly Use print_function future definition wherever print() is used Alias "unicode" to "str" under Python 3 Avoid builtins that were removed in Python 3 dnsutil: Rename __nonzero__ to __bool__ Remove deprecated contrib/RHEL4 make-lint: Allow running pylint --py3k to detect Python3 issues Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) test_parameters: Ignore specific error message ipaldap, ldapupdate: Encoding fixes for Python 3 ipautil.run, kernel_keyring: Encoding fixes for Python 3 tests: Use absolute imports ipautil: Use mode 'w+' in write_tmp_file test_util: str/bytes check fixes for Python 3 p11helper: Port to Python 3 cli: Don't encode/decode for stdin/stdout on Python 3 Package python3-ipaclient Move get_ipa_basedn from ipautil to ipadiscovery ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn() ipapython.sysrestore: Use str methods instead of functions from the string module ipalib.x809: Accept bytes for make_pem dns plugin: Fix zone normalization under Python 3 sysrestore: Iterate over a list of dict keys test_xmlrpc: Use absolute imports xmlrpc_test: Rename exception instance before working with it radiusproxy plugin: Use str(error) rather than error.message xmlrpc_test: Expect bytes rather than strings for binary attributes ipalib.rpc: Send base64-encoded data as string under Python 3 range plugin tests: Use bytes with MockLDAP under Python 3 radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret certprofile plugin: Use binary mode for file with binary data test_add_remove_cert_cmd: Use bytes for base64.b64encode() Switch /usr/bin/ipa to Python 3 Fix remaining relative import and enable Pylint check ipalib.cli: Improve reporting of binary values in the CLI test_cert_plugin: Encode 'certificate' for comparison with 'usercertificate' ipaldap: Keep 
attribute names as text, not bytes ipapython.secrets.kem: Use ConfigParser from six.moves test_topology_plugin: Don't rely on order of an attribute's values test_rpcserver: Expect updated error message under Python 3 ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison test_ipaserver.test_ldap: Use bytestrings for raw LDAP values ipaldap: Convert dict items to list before iterating test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView Petr Voborník (16): Bump 4.4 development version to 4.3.90 webui: add examples to network address validator error message webui: pwpolicy cospriority field was marked as required spec: do not require arch specific ipalib package from noarch packages webui: dislay server suffixes in server search page stop installer when setup-ds.pl fail webui: crash nicely if sessionStorage is not available webui: remove moot error from webui build webui: use API call ca_is_enabled instead of enable_ra env variable. webui: fixed showing of success message after password change on login advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins cookie parser: do not fail on cookie with empty value fix incorrect name of ipa-winsync-migrate command in help webui: fail nicely if cookies are disabled ipa-client-install: fix typo in nslcd service name Become IPA 4.4.0 Alpha 1 Petr Špaček (51): dns: Handle SERVFAIL in check if domain already exists. 
DNSSEC: Improve error reporting from ipa-ods-exporter DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP DNSSEC: Make sure that current key state in LDAP matches key state in BIND DNSSEC: remove obsolete TODO note DNSSEC: add debug mode to ldapkeydb.py DNSSEC: logging improvements in ipa-ods-exporter DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP DNSSEC: ipa-ods-exporter: add ldap-cleanup command DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal DNSSEC: Log debug messages at log level DEBUG Fix --auto-reverse option in --unattended mode. Fix dns_is_enabled() API command to throw exceptions as appropriate Fix DNS zone overlap check to allow ipa-replica-install to work Fix ipa-adtrust-install to always generate SRV records with FQDNs Fix URL for reporting bugs in strings Pylint: enable parallelism Makefile: replace perl with sed Remove function ipapython.ipautil.host_exists() Extend installers with --forward-policy option Move automatic empty zone list into ipapython.dnsutil and make it reusable Add assert_absolute_dnsname() helper to ipapython.dnsutil Move function is_auto_empty_zone() into ipapython.dnsutil Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone() Add function ipapython.dnsutil.inside_auto_empty_zone() Auto-detect default value for --forward-policy option in installers ipa-nis-manage: Replace text references to compat plugin with NIS ipa-nis-manage: mention return code 3 in man page DNS: Fix upgrade - master to forward zone transformation DNS installer: accept --auto-forwarders option in unattended mode Remove unused file install/share/fedora-ds.init.patch Batch command: avoid accessing potentially undefined context.principal pylint: replace Refactor category with individual check names ipa-nis-manage: add status option DNS: Warn if forwarding policy conflicts with automatic empty zones Move 
check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil Use root_logger for verify_host_resolvable() Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil Add ipaDNSVersion option to dnsconfig* commands and use new attribute DNS upgrade: separate backup logic to make it reusable Add function ipapython.dnsutil.related_to_auto_empty_zone() DNS upgrade: change forwarding policy to = only for conflicting forward zones DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used Require 389-ds-base >= 1.3.5.6 DNS Locations: make ipa-ca record generation more robust DNS: Support default TTL setting for master DNS zones DNS: Warn about restart when default TTL setting DNS is changed DNS: Fix realm domains integration with DNS zone add. Simo Sorce (6): Use only AES enctypes by default Always verify we have a valid ldap context. Improve keytab code to select the right principal. Convert ipa-sam to use the new getkeytab control Allow admins to disable preauth for SPNs. 
Allow to specify Kerberos authz data type per user Stanislav Laznicka (21): Listing and cleaning RUV extended for CA suffix Automatically detect and remove dangling RUVs Cosmetic changes to the code Fixes minor issues replica-manage: fail nicely when DM psswd required ipa-replica-manage refactoring abort-clean/list/clean-ruv now work for both suffixes Moved password check from clean_dangling_ruv Fix to clean-dangling-ruv for single CA topologies Added pyusb as a dependency Added some attributes to Modify Users permission Deprecated the domain-level option in ipa-server-install Increased mod_wsgi socket-timeout Added = mapping to krb5.conf Decreased timeout for IO blocking for DS fixes premature sys.exit in ipa-replica-manage del Remove dangling RUVs even if replicas are offline Added krb5.conf.d/ to included dirs in krb5.conf Removed dead code from LDAP{Remove,Add}ReverseMember Fixes CA always being presented as running Increase nsslapd-db-locks to 50000 Sumit Bose (3): ipa-kdb: get_authz_data_types() make sure entry can be NULL ipa-kdb: map_groups() consider all results extdom: add certificate request Thierry Bordaz (3): configure DNA plugin shared config entries to allow connection with GSSAPI DS deadlock when memberof scopes topology plugin updates Make sure ipapwd_extop takes precedence over passwd_modify_extop Thorsten Scherf (1): Fixed typo in service-add Timo Aaltonen (6): Use HTTPD_USER in dogtaginstance.py Move freeipa certmonger helpers to libexecdir. ipa_restore: Import only FQDN from ipalib.constants ipaplatform: Move remaining user/group constants to ipaplatform.constants. Use ODS_USER/ODS_GROUP in opendnssec_conf.template Fix kdc.conf.template to use ipaplatform.paths. Tomáš 
Babej (10): py3: Remove py3 incompatible exception handling logger: Use warning instead of warn Loggger: Use warning instead of warn - dns plugin ipa-getkeytab: Handle the possibility of not obtaining a result ipa-adtrust-install: Allow dash in the NETBIOS name spec: Bump required sssd version to 1.13.3-5 adtrustinstance: Make sure smb.conf exists l10n: Remove Transifex configuration ipalib: Fix user certificate docstrings idviews: Add user certificate attribute to user ID overrides Yuri Chornoivan (3): Fix minor typo Fix minor typos Fix minor typos -- Petr Vobornik From mbasti at redhat.com Tue Jun 21 17:58:10 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 21 Jun 2016 19:58:10 +0200 Subject: [Freeipa-devel] [Test][Patch-0043-0045] DNSSec key rotation test In-Reply-To: <575EAA34.2000501@redhat.com> References: <575EAA34.2000501@redhat.com> Message-ID: <37ac5574-89c2-273c-c8b4-59cc7d3501d6@redhat.com> On 13.06.2016 14:42, Oleg Fayans wrote: > Hi guys, > > Here is a test for the dnssec key rotation mechanism. > The full set of commands works perfectly when run manually (even in the > mode of a full copy-pasting from the test). However, when run > automatically, the test always fails as `dig +rrcomments test.here DS` > does not display the zone keytag. I tried to decrease default key TTL values > with no success. Could anyone take a look into this (after 4.4 is > released, of course)? > > > > Patch 0043: NACK 1) + DNSSEC_KSK_LIFETIME = 'P2Y' + DNSSEC_ZSK_LIFETIME = 'P90D' Why is this needed? This is not used in code, so you have no guarantee that if we change default values this will still work. If you want to use this, you need to use these values in installers too, otherwise it can be in patch 44 2) + DNSSEC_KASP_TEMPLATE = '/usr/share/ipa/opendnssec_kasp.template' This is a precedent; for templates other parts of IPA just use os.path.join(USR_SHARE_IPA_DIR, 'opendnssec_kasp.template'), but if you want we may keep this. Patch 0044: NACK 1) You should raise an error if values haven't been replaced (when I tried sed, it returned 0 even if nothing was replaced). Without this check it will be a lot of fun to detect why tests failed in case we change the default config of DNSSEC (which is possible in the distant future). Maybe this http://stackoverflow.com/questions/15965073/return-code-of-sed-for-no-match or do grep before 2) I'm not sure if just changing these two values is enough, there are multiple timeouts, and I'm afraid it may delay key rotation and you will not be able to test it. This should be discussed. 
Patch 0045: NACK 1) PEP8 2 lines required ), ("Zone %s is not signed (master)" % example3_test_zone) +class TestDNSSECRotation(IntegrationTest): + num_replicas = 0 2) the rest of the testsuite/code uses 'absolute' or 'relative', not 'reduced'. I prefer to use absolute + testzone = "myexample.test." + testzone_reduced = "myexample.test" 3) Why is the sleep here? + def test_dnssec_rotation(self): + time.sleep(850) + self.master.run_command(['ipa', 'dnszone-add', + '--dnssec=true', self.testzone]) 4) I really prefer to parse lines using a regexp (as an extra method), and get the particular parts in a list of dicts [{domain: 'example_com', key_type:'KSK', next_trans: '2015-06-08 12:33:00 (retire)', state:'active'},] + assert(text.count('ready') == 1), ( + "Zone must have 1 ready key, found %i" % text.count('ready')) + ksk_keytag = ods_output.stdout_text.split('\n')[2].split(' ')[-1] 5) + self.master.run_command("dig %s DNSKEY > dnskey.txt" % self.testzone) + result0 = self.master.run_command(['dnssec-dsfromkey', '-f', + 'dnskey.txt', '-2', self.testzone]) + dsrec = " ".join(result0.stdout_text.split(' ')[3:]).strip() + self.master.run_command( + "ipa dnsrecord-add test. %s --ns-rec=%s. --ds-rec='%s'" % ( + self.testzone, self.master.hostname, dsrec + ) + ) This is done using python in test_chain_of_trust, please extract that part into a function and use it in both tests 6) + self.master.run_command(['ipa', 'dnszone-add', '--dnssec=true', + 'test.']) Use a variable for 'test.' 
please 7) + result1 = self.master.run_command(['dig', '+rrcomments', + self.testzone, 'DS']) + assert(ksk_keytag in result1.stdout_text), ( + "Failed to find zone's ksk keytag in the command output") Use the function ans = resolve_with_dnssec(nameserver, self.testzone, log, rtype="DS") ans.rrset contains all DS records, you can iterate over it ans.rrset.items[0].key_tag will return the keytag for a DS record (just an example, count with multiple DS records) 8) + assert(text2.count('ready') == 2), ( + "Zone must have 2 keys in ready state, found %i" % + text2.count(self.testzone_reduced)) explicitly test which key has which state, because you will have multiple keys there (continue reading :-) ) 9) + self.master.run_command(['ipa', 'dnszone-add', '--dnssec=true', + 'test.']) + restart_named([self.master]) + dsrec = " ".join(result0.stdout_text.split(' ')[3:]).strip() + self.master.run_command( + "ipa dnsrecord-add test. %s --ns-rec=%s. --ds-rec='%s'" % ( + self.testzone, self.master.hostname, dsrec + ) + ) + + result1 = self.master.run_command(['dig', '+rrcomments', + self.testzone, 'DS']) Give the named service time to process the newly added zone and records, maybe the wait_until_signed function may help 10) + # activate rotation + result2 = self.master.run_command( + "export SOFTHSM2_CONF=%s ; %s key ds-seen --zone %s --keytag %s" % + (paths.DNSSEC_SOFTHSM2_CONF, paths.ODS_KSMUTIL, + self.testzone, ksk_keytag)) Nope, this is not a key rotation, you just enabled the KSK key (the current bind-dyndb-ldap implementation uses the key even without activation) 11) I'm missing the part where key rotation is tested for the ZSK key. I expected some sleep for '15M' and then a new check if the new key is in the opendnssec database, if the new key is used in RRSIG records, and if DNSKEY was updated 12) I'm missing the part where key rotation is tested for the KSK key. I expected to see 3 rotations of the ZSK key, and then one KSK key rotation, with the new ds-seen procedure Martin^2 -------------- next part -------------- An HTML attachment was 
scrubbed... URL: From npmccallum at redhat.com Tue Jun 21 18:25:49 2016 From: npmccallum at redhat.com (Nathaniel McCallum) Date: Tue, 21 Jun 2016 14:25:49 -0400 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects Message-ID: <1466533549.17252.2.camel@redhat.com> https://fedorahosted.org/freeipa/ticket/433 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0096-Add-authentication-indicators-support-to-Host-object.patch Type: text/x-patch Size: 2397 bytes Desc: not available URL: From ldoudova at redhat.com Wed Jun 22 05:37:46 2016 
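Added example, not code from the patch under review or from FreeIPA itself, illustrating two of the points in Martin's review of the DNSSEC key rotation test earlier on this page (the [Test][Patch-0043-0045] thread): parsing the key-list output into a list of dicts with a regexp instead of indexing split lines, and checking a zone's KSK against the DS record set at the parent by key tag, algorithm and digest rather than grepping dig output for the tag string. The `ods-ksmutil key list` sample text, the public key bytes and every function name below are constructed for this example; the key tag and DS digest computations follow RFC 4034 (appendix B and section 5.1.4), which is what `dnssec-dsfromkey -2` implements for SHA-256. In a real IPA integration test the DS rrset would come from resolve_with_dnssec(..., rtype="DS") as the review suggests, and the DNSKEY from the zone itself.

```python
# Added example (not FreeIPA code): check that the KSK that OpenDNSSEC reports
# for a zone is the one the parent zone's DS record set actually commits to.
import hashlib
import re
import struct

# Constructed sample in the shape of `ods-ksmutil key list` output; the real
# tool may print additional columns (e.g. with --verbose).
SAMPLE_KEY_LIST = """\
Keys:
Zone:                           Keytype:      State:    Date of next transition:
myexample.test                  KSK           ready     2016-06-21 10:00:00 (active)
myexample.test                  ZSK           active    2016-06-21 09:15:00 (retire)
myexample.test                  ZSK           publish   2016-06-21 09:15:00 (ready)
"""

KEY_LINE = re.compile(
    r"^(?P<domain>\S+)\s+(?P<key_type>KSK|ZSK)\s+(?P<state>\S+)\s+(?P<next_trans>.+?)\s*$")


def parse_key_list(text):
    """Turn key-list output into [{'domain', 'key_type', 'state', 'next_trans'}, ...]."""
    matches = (KEY_LINE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def keys_in_state(keys, zone, key_type, state):
    """Select the parsed keys of one zone by type and OpenDNSSEC state."""
    zone = zone.rstrip(".").lower()
    return [k for k in keys
            if k["domain"].rstrip(".").lower() == zone
            and k["key_type"] == key_type and k["state"] == state]


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 appendix B key tag (valid for all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest over owner || DNSKEY RDATA; type 1 is SHA-1, type 2 is SHA-256."""
    algo = {1: "sha1", 2: "sha256"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2):
    """The DS record `dnssec-dsfromkey -2` would derive from a DNSKEY, as a dict."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type,
            "digest": ds_digest(owner, rdata, digest_type).hex().upper()}


def parse_ds_rdata(text):
    """Parse '<tag> <alg> <dtype> <hex digest>' as passed to `ipa dnsrecord-add --ds-rec=`."""
    tag, alg, dtype, *digest = text.split()
    return {"key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype),
            "digest": "".join(digest).upper()}


def ds_matches_dnskey(ds_records, owner, rdata):
    """True if some DS record commits to this DNSKEY (tag, algorithm and digest all match)."""
    tag, alg = key_tag(rdata), rdata[3]
    for ds in ds_records:
        if ds["key_tag"] != tag or ds["algorithm"] != alg:
            continue
        if ds["digest"].upper() == ds_digest(owner, rdata, ds["digest_type"]).hex().upper():
            return True
    return False


if __name__ == "__main__":
    # Constructed RSA-looking public key bytes; a real key comes from `dig <zone> DNSKEY`.
    pubkey = b"\x03\x01\x00\x01" + bytes(range(32))
    ksk = dnskey_rdata(257, 3, 8, pubkey)
    ds_at_parent = [make_ds("myexample.test.", ksk)]
    print(keys_in_state(parse_key_list(SAMPLE_KEY_LIST), "myexample.test.", "KSK", "ready"))
    print(key_tag(ksk), ds_matches_dnskey(ds_at_parent, "myexample.test.", ksk))
```

A DS whose tag merely appears somewhere in dig's output is not proof that the parent points at this key: key tags are 16-bit and collide, so the check requires the algorithm and the digest to match as well, and it lower-cases the owner name before hashing because the DS digest is defined over the canonical form.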
From: ldoudova at redhat.com (Lenka Doudova) Date: Wed, 22 Jun 2016 07:37:46 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> Message-ID: <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> On 06/21/2016 06:57 PM, Martin Basti wrote: > > > > On 21.06.2016 15:39, Lenka Doudova wrote: >> Hi, >> >> attaching patch for failing location tests >> (ipatests/test_xmlrpc/test_location_plugin.py). >> >> Lenka >> >> >> > > Hello, > > 1) > + expected_updates={u'ipalocation_location': > [location.idnsname_obj], > + u'enabled_role_servrole': ( > + u'CA server', u'DNS server', u'NTP > server')}, > > This depends on the services installed on the server, so a server without DNS > will cause test failures. We probably should skip the test if DNS isn't > installed. > Without DNS installed you get many different warnings > > > 2) > + def update(self, updates, expected_updates=None, messages=None): > .... > + self.messages = messages > > Why is this needed? I'm puzzled by this > > It is defined outside __init__, which is wrong, and it is never used. > Hi, thanks for the review. ad 1: will fix ad 2: the 'messages' key is indeed used, because this key is returned every time a server is attached to/removed from a location. If the 'messages' is not supplied to the result comparison, the test fails (see https://paste.fedoraproject.org/382936/65732411/ for the result of the test without the applied patch). Lenka -------------- next part -------------- An HTML attachment was scrubbed... URL: From mharmsen at redhat.com Wed Jun 22 06:13:45 2016 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 22 Jun 2016 00:13:45 -0600 Subject: [Freeipa-devel] Updated External EPEL CentOS 7 COPR builds are now available . . . Message-ID: <576A2C99.60409@redhat.com> An updated external EPEL CentOS 7 COPR repo is now available which contains Dogtag 10.3.3 builds: * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo [group_pki-10.3.3] name=Copr repo for 10.3.3 owned by @pki baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/ skip_if_unavailable=True gpgcheck=1 gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg enabled=1 enabled_metadata=1 -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jun 22 06:33:03 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jun 2016 08:33:03 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> Message-ID: <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> On 22.06.2016 07:37, Lenka Doudova wrote: > > > > On 06/21/2016 06:57 PM, Martin Basti wrote: >> >> >> >> On 21.06.2016 15:39, Lenka Doudova wrote: >>> Hi, >>> >>> attaching patch for failing location tests >>> (ipatests/test_xmlrpc/test_location_plugin.py). >>> >>> Lenka >>> >>> >>> >> >> Hello, >> >> 1) >> + expected_updates={u'ipalocation_location': >> [location.idnsname_obj], >> + u'enabled_role_servrole': ( >> + u'CA server', u'DNS server', u'NTP >> server')}, >> >> This depends on services installed on server, so server without DNS >> will cause test failures. We probably should skip test id DNS isn't >> installed. >> Without DNS installed you get much more different warnings >> >> >> 2) >> + def update(self, updates, expected_updates=None, messages=None): >> .... >> + self.messages = messages >> >> Why is this needed? I'm puzzled by this >> >> It is defined outside __init__ what is wrong and it is never used. >> > Hi, thanks for review. > ad 1: will fix > ad 2: the 'messages' key is indeed used, because this key is returned > every time a server is attached to/removed from a location. If the > 'messages' is not supplied to the result comparison, the test fails > (see https://paste.fedoraproject.org/382936/65732411/ for result of > test without applied patch). > > Lenka Please point me to the line where ServerTracker.messages is used, I still don't see it. 
In your fpaste, removed self.messages in that context is TestLocationsServer.messages not ServerTracker.messages Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbabinsk at redhat.com Wed Jun 22 07:46:09 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jun 2016 09:46:09 +0200 Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization In-Reply-To: <5612745A.2090805@redhat.com> References: <5612745A.2090805@redhat.com> Message-ID: <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> On 10/05/2015 03:00 PM, Martin Babinsky wrote: > These patches implement the plumbing required to properly support > canonicalization of Kerberos principals ( > https://fedorahosted.org/freeipa/ticket/3864). > > Setting multiple principal aliases on hosts/services is beyond the scope > of this patchset and should be done after these patches are pushed. > > I will try to send some tests for the patches later this week. > > Please review the hell out of them. > > > Long time no see. I am attaching rebased infrastructure patches which were reviewed and tested by David a year ago :). Now that all related DS bugs were fixed and the patches still work as expected, we may push them so that the plumbing for further work (API for alias handling etc.) is in place. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0069-2-perform-case-insensitive-principal-search-when-canon.patch Type: text/x-patch Size: 2329 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0070-2-mark-ipaKrbPrincipalAlias-attribute-as-deprecated-in.patch Type: text/x-patch Size: 1389 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0071-2-add-case-insensitive-matching-rule-to-krbprincipalna.patch Type: text/x-patch Size: 1630 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-mbabinsk-0072-2-add-krbCanonicalName-to-attributes-watched-by-MODRDN.patch Type: text/x-patch Size: 1189 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0073-2-ipa-kdb-set-krbCanonicalName-when-creating-new-princ.patch Type: text/x-patch Size: 1503 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0074-2-ipa-enrollment-set-krbCanonicalName-attribute-on-enr.patch Type: text/x-patch Size: 1961 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0075-2-IPA-API-set-krbcanonicalname-instead-of-ipakrbprinci.patch Type: text/x-patch Size: 5229 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0076-2-set-krbcanonicalname-on-host-entry-during-krbinstanc.patch Type: text/x-patch Size: 1096 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0077-2-account-for-added-krbcanonicalname-attribute-during-.patch Type: text/x-patch Size: 9675 bytes Desc: not available URL: From mbasti at redhat.com Wed Jun 22 09:57:38 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jun 2016 11:57:38 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> Message-ID: <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> On 09.06.2016 21:02, Martin Basti wrote: > > > On 09.06.2016 14:45, Martin Basti wrote: >> >> >> On 09.06.2016 14:42, Martin Basti wrote: >>> >>> >>> On 09.06.2016 14:38, Lukas Slebodnik wrote: >>>> On (09/06/16 14:29), Martin Basti wrote: >>>>> On 09.06.2016 14:22, Alexander Bokovoy wrote: >>>>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >>>>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>>>>>>> Hi, >>>>>>>> >>>>>>>> this patch allows the extom plugin to lookup users by >>>>>>>> certificate which >>>>>>>> is needed in the case where a IPA client wants to lookup an AD >>>>>>>> user who >>>>>>>> has the certificate stored in AD. To make this work the related >>>>>>>> patches >>>>>>>> I just send to sssd-devel are needed as well. >>>>>>>> >>>>>>>> Currently the patches miss the change in the required version >>>>>>>> of SSSD. >>>>>>>> since the SSSD patches are not committed. But the patches are >>>>>>>> needed to >>>>>>>> fully test the SSSD patches. I will send a new version with the >>>>>>>> needed >>>>>>>> changes to the minimal SSSD version when the SSSD patches are >>>>>>>> committed. >>>>>>>> >>>>>>>> bye, >>>>>>>> Sumit >>>>>>> The patch works fine (tested together with the corresponding SSSD >>>>>>> patches), so ACK from me. 
The code also looks good to me, but >>>>>>> I'm not >>>>>>> sure if reviewing an IPA patch requires something more (CI? >>>>>>> Coverity?) >>>>>> ACK from me as well, I forgot to send email about it, though I >>>>>> reviewed >>>>>> this patch a week ago. >>>>>> >>>>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >>>>> >>>> It's very likey that this commit will break build of >>>> freeipa-master. I didn't try. >>>> >>>> Because it uses new function sss_nss_getnamebycert >>>> from the library libsss_nss_idmap which is not in fedora. >>>> It was pushed to sssd master just today. >>>> >>>> LS >>> >>> If this is true, can you/somebody provide the SRPM of SSSD with the >>> required functionality please? We may need to add it to >>> @freeipa/freeipa-master copr and bump required version of SSSD. >>> >>> Martin^2 >>> >> >> Yes, you were right, master build is broken. >> Martin^2 >> > > SSSD master build has been added to @freeipa/freeipa-master copr as a > workaround (to unblock automatic testing an developers) > > Please bump version in specfile accordingly (I don't know in which > version of SSSD will be required function) > > Martin^2 > Bumping SSSD version in requires and buildrequires Patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0536-Bump-SSSD-requires.patch Type: text/x-patch Size: 1121 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jun 22 13:13:56 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jun 2016 15:13:56 +0200 Subject: [Freeipa-devel] [PATCH 0163] server-del: handle missing server attributes when checking for last of role Message-ID: <8fd7768a-198d-9873-bcc4-00ccdb43ffce@redhat.com> https://fedorahosted.org/freeipa/ticket/5960 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0163-server-del-handle-missing-server-attributes-when-che.patch Type: text/x-patch Size: 1187 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jun 22 13:29:57 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jun 2016 15:29:57 +0200 Subject: [Freeipa-devel] [PATCH 0163] server-del: handle missing server attributes when checking for last of role In-Reply-To: <8fd7768a-198d-9873-bcc4-00ccdb43ffce@redhat.com> References: <8fd7768a-198d-9873-bcc4-00ccdb43ffce@redhat.com> Message-ID: <1a19213d-159f-709a-143a-603a2cfc27d9@redhat.com> On 06/22/2016 03:13 PM, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5960 > > > self-NACK, this check needs some more hardening. -- Martin^3 Babinsky From mbabinsk at redhat.com Wed Jun 22 13:47:58 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jun 2016 15:47:58 +0200 Subject: [Freeipa-devel] [PATCH 0163] server-del: handle missing server attributes when checking for last of role In-Reply-To: <1a19213d-159f-709a-143a-603a2cfc27d9@redhat.com> References: <8fd7768a-198d-9873-bcc4-00ccdb43ffce@redhat.com> <1a19213d-159f-709a-143a-603a2cfc27d9@redhat.com> Message-ID: On 06/22/2016 03:29 PM, Martin Babinsky wrote: > On 06/22/2016 03:13 PM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/5960 >> >> >> > > self-NACK, this check needs some more hardening. > This patch should fix the issue in more thorough way. -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0163-2-server-del-harden-check-for-last-roles.patch Type: text/x-patch Size: 4729 bytes Desc: not available URL: From slaznick at redhat.com Wed Jun 22 14:22:46 2016 From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 22 Jun 2016 16:22:46 +0200 Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install Message-ID: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> Hello, Please see the patch attached that fixes the issue from https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a while to create as I thought something was wrong with the SshExec class which actually was where the password was required. The fact is that should rpcclient connection fail for some other reason and the control would fall back to SSH, this will still be broken and needs fixing. I will create a ticket for that. Standa -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0049-Fix-to-ipa-ca-install-asking-for-host-principal-pass.patch Type: text/x-patch Size: 1536 bytes Desc: not available URL: From ldoudova at redhat.com Wed Jun 22 14:37:37 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Wed, 22 Jun 2016 16:37:37 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> Message-ID: <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> On 06/22/2016 08:33 AM, Martin Basti wrote: > > > > On 22.06.2016 07:37, Lenka Doudova wrote: >> >> >> >> On 06/21/2016 06:57 PM, Martin Basti wrote: >>> >>> >>> >>> On 21.06.2016 15:39, Lenka Doudova wrote: >>>> Hi, >>>> >>>> attaching patch for failing location tests >>>> (ipatests/test_xmlrpc/test_location_plugin.py). >>>> >>>> Lenka >>>> >>>> >>>> >>> >>> Hello, >>> >>> 1) >>> + expected_updates={u'ipalocation_location': >>> [location.idnsname_obj], >>> + u'enabled_role_servrole': ( >>> + u'CA server', u'DNS server', >>> u'NTP server')}, >>> >>> This depends on services installed on server, so server without DNS >>> will cause test failures. We probably should skip test id DNS isn't >>> installed. >>> Without DNS installed you get much more different warnings >>> >>> >>> 2) >>> + def update(self, updates, expected_updates=None, messages=None): >>> .... >>> + self.messages = messages >>> >>> Why is this needed? I'm puzzled by this >>> >>> It is defined outside __init__ what is wrong and it is never used. >>> >> Hi, thanks for review. >> ad 1: will fix >> ad 2: the 'messages' key is indeed used, because this key is returned >> every time a server is attached to/removed from a location. If the >> 'messages' is not supplied to the result comparison, the test fails >> (see https://paste.fedoraproject.org/382936/65732411/ for result of >> test without applied patch). >> >> Lenka > > Please point me to the line where ServerTracker.messages is used, I > still don't see it. 
In your fpaste, removed self.messages in that > context is TestLocationsServer.messages not ServerTracker.messages > > Martin^2 Ah, right you are, my good sir. I fixed both issues, hopefully will be fine now. Fixed patch attached. Lenka -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0019.2-Tests-Fix-for-failing-location-tests.patch Type: text/x-patch Size: 12239 bytes Desc: not available URL: From ldoudova at redhat.com Wed Jun 22 15:11:19 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Wed, 22 Jun 2016 17:11:19 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> Message-ID: <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> On 06/22/2016 04:37 PM, Lenka Doudova wrote: > > > > On 06/22/2016 08:33 AM, Martin Basti wrote: >> >> >> >> On 22.06.2016 07:37, Lenka Doudova wrote: >>> >>> >>> >>> On 06/21/2016 06:57 PM, Martin Basti wrote: >>>> >>>> >>>> >>>> On 21.06.2016 15:39, Lenka Doudova wrote: >>>>> Hi, >>>>> >>>>> attaching patch for failing location tests >>>>> (ipatests/test_xmlrpc/test_location_plugin.py). >>>>> >>>>> Lenka >>>>> >>>>> >>>>> >>>> >>>> Hello, >>>> >>>> 1) >>>> + expected_updates={u'ipalocation_location': >>>> [location.idnsname_obj], >>>> + u'enabled_role_servrole': ( >>>> + u'CA server', u'DNS server', >>>> u'NTP server')}, >>>> >>>> This depends on services installed on server, so server without DNS >>>> will cause test failures. We probably should skip test id DNS isn't >>>> installed. >>>> Without DNS installed you get much more different warnings >>>> >>>> >>>> 2) >>>> + def update(self, updates, expected_updates=None, messages=None): >>>> .... >>>> + self.messages = messages >>>> >>>> Why is this needed? I'm puzzled by this >>>> >>>> It is defined outside __init__ what is wrong and it is never used. >>>> >>> Hi, thanks for review. >>> ad 1: will fix >>> ad 2: the 'messages' key is indeed used, because this key is >>> returned every time a server is attached to/removed from a location. 
>>> If the 'messages' is not supplied to the result comparison, the test >>> fails (see https://paste.fedoraproject.org/382936/65732411/ for >>> result of test without applied patch). >>> >>> Lenka >> >> Please point me to the line where ServerTracker.messages is used, I >> still don't see it. In your fpaste, removed self.messages in that >> context is TestLocationsServer.messages not ServerTracker.messages >> >> Martin^2 > > Ah, right you are, my good sir. I fixed both issues, hopefully will be > fine now. Fixed patch attached. > Lenka > > Self NACK, will provide some more changes tomorrow. Lenka -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jun 22 15:28:29 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jun 2016 17:28:29 +0200 Subject: [Freeipa-devel] [PATCH 0163] server-del: handle missing server attributes when checking for last of role In-Reply-To: References: <8fd7768a-198d-9873-bcc4-00ccdb43ffce@redhat.com> <1a19213d-159f-709a-143a-603a2cfc27d9@redhat.com> Message-ID: On 22.06.2016 15:47, Martin Babinsky wrote: > On 06/22/2016 03:29 PM, Martin Babinsky wrote: >> On 06/22/2016 03:13 PM, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/5960 >>> >>> >>> >> >> self-NACK, this check needs some more hardening. >> > > This patch should fix the issue in more thorough way. > > > ACK master: * be3ad1ed7a34e90c7107380bb2939f737306ba77 server-del: harden check for last roles -------------- next part -------------- An HTML attachment was scrubbed... URL: From tbordaz at redhat.com Wed Jun 22 15:30:32 2016 
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 22 Jun 2016 17:30:32 +0200 Subject: [Freeipa-devel] [PATCH] 0022 Topology plugins sigsev/heap corruption when adding a managed host Message-ID: <576AAF18.2020003@redhat.com> https://fedorahosted.org/freeipa/ticket/5977 -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Topology-plugins-sigsev-heap-corruption-when-adding-.patch Type: text/x-patch Size: 1418 bytes Desc: not available URL: From lkrispen at redhat.com Wed Jun 22 15:39:44 2016 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Wed, 22 Jun 2016 17:39:44 +0200 Subject: [Freeipa-devel] [PATCH] 0022 Topology plugins sigsev/heap corruption when adding a managed host In-Reply-To: <576AAF18.2020003@redhat.com> References: <576AAF18.2020003@redhat.com> Message-ID: <576AB140.30204@redhat.com> ACK. good catch, the fix is correct and hopefully fixes the heap corruption issues On 06/22/2016 05:30 PM, thierry bordaz wrote: > https://fedorahosted.org/freeipa/ticket/5977 > > > > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Wed Jun 22 15:45:18 2016 
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jun 2016 17:45:18 +0200 Subject: [Freeipa-devel] [PATCH 0046] Don't fail in find/show methods if userCertificate is invalid In-Reply-To: References: <8c12bab1-a48f-8815-5132-276d91537e2f@redhat.com> <57596665.9070308@redhat.com> <6ec8d501-ee36-4943-791a-fdc31072fc30@redhat.com> <608ca29e-db49-7948-9c06-35bebc733ab1@redhat.com> <20160609140447.GC4744@dhcp-40-8.bne.redhat.com> <57597DEE.4010704@redhat.com> Message-ID: <4e250838-513f-80c5-1e4e-5c7d6b362a23@redhat.com> On 10.06.2016 13:25, Stanislav Laznicka wrote: > On 06/09/2016 04:32 PM, Rob Crittenden wrote: >> Fraser Tweedale wrote: >>> On Thu, Jun 09, 2016 at 03:07:34PM +0200, Martin Basti wrote: >>>> On 09.06.2016 15:03, Martin Basti wrote: >>>>> On 09.06.2016 15:02, Stanislav Laznicka wrote: >>>>>> On 06/09/2016 02:51 PM, Rob Crittenden wrote: >>>>>>> Stanislav Laznicka wrote: >>>>>>>> Hello, >>>>>>>> >>>>>>>> Please see the attached patch of >>>>>>>> https://fedorahosted.org/freeipa/ticket/5797. >>>>>>>> >>>>>>>> Standa >>>>>>>> >>>>>>> Just wondering out loud but should usercertificate be excluded >>>>>>> from the output if it is unparsable? Is there any value in >>>>>>> showing that a bogus value is in there? >>>>>>> >>>>>>> rob >>>>>> I think it is a good pointer that something has gone wrong with the >>>>>> certificate. Another way would be to print 'Invalid certificate' >>>>>> instead of it similar to what Apache LDAP Browser does. >>>>> We can return a warning message that something with certificates is >>>>> broken. >>>>> >>>>> Martin^2 >>>>> >>>> And you should log it at error log level, because it is error >>>> >>> Is the data from LDAP actually invalid? It should not be possible >>> to store data that is not a syntactically valid X.509 cert in the >>> userCertificate attribute (if it is, we should file a ticket against >>> 389). >>> >>> Is there a full traceback for the original error of #5797? 
What is >>> the datum that is the immediate cause of the error and what happens >>> to it between the database and the function that throws? >>> >>> Could it be a python3 bytes/str problem originating in >>> x509.normalize_certificate? >>> >>> Cheers, >>> Fraser >>> >> >> A cert can get in several different ways. IPA sure tries hard not to >> allow bad certs but I guess they can happen: >> >> $ ldapmodify -Y GSSAPI >> SASL/GSSAPI authentication started >> SASL username: admin at GREYOAK.COM >> SASL SSF: 56 >> SASL data security layer installed. >> dn: >> krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com >> changetype: modify >> add: usercertificate >> usercertificate: foo >> >> modifying entry >> "krbprincipalname=cert/slithy.greyoak.com at GREYOAK.COM,cn=services,cn=accounts,dc=greyoak,dc=com" > < .. snip .. > > That is exactly how I was reproducing this issue. > > Added is the patch that adds error message and logs properly. ACK master: * 9a8c5c9dfd10ab1c0bb66b5f25bf815a43d45f2a host/service-show/find shouldn't fail on invalid certificate From mbasti at redhat.com Wed Jun 22 15:52:46 2016 
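The thread above settles on returning a warning and logging at error level instead of failing host/service-show/find when a userCertificate value is not a valid certificate (Rob's ldapmodify shows how a literal "foo" ends up in the attribute). The following is an added example written for this page, not FreeIPA's own x509.normalize_certificate or the pushed patch: it checks only the outer DER SEQUENCE framing (tag, length encoding, total size) as a cheap stand-in for full X.509 parsing, and the logger name, function names and the constructed sample values are assumptions.

```python
"""Tolerate malformed userCertificate values when rendering an LDAP entry.

Added example (not FreeIPA code). A value that is not a DER certificate
neither aborts the whole show/find nor is returned as if it were valid:
it produces a warning, is logged at error level, and the remaining
values are still returned.
"""
import base64
import binascii
import logging
from typing import List, Tuple

logger = logging.getLogger("usercertificate")  # assumed logger name


def der_sequence_length(data: bytes) -> int:
    """Return the total encoded length of a DER SEQUENCE, or raise ValueError.

    Every X.509 Certificate is a DER SEQUENCE, so validating the outer TLV
    rejects junk such as b'foo' without a full ASN.1 parser. This is a
    structural check only; a real deployment would parse the whole cert.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    length = int.from_bytes(data[2:2 + n], "big")
    # DER requires the minimal length encoding
    if (n == 1 and length < 0x80) or (n > 1 and data[2] == 0):
        raise ValueError("non-minimal DER length")
    return 2 + n + length


def normalize_certificate(value) -> bytes:
    """Accept raw DER bytes or base64 text; return DER or raise ValueError."""
    if isinstance(value, str):
        try:
            value = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as e:
            raise ValueError(f"not base64: {e}") from e
    if not isinstance(value, bytes):
        raise ValueError(f"unsupported type {type(value).__name__}")
    if der_sequence_length(value) != len(value):
        raise ValueError("DER length does not match value size")
    return value


def normalize_entry_certificates(dn: str, values: List) -> Tuple[List[bytes], List[str]]:
    """Normalize all userCertificate values of one entry.

    Returns (valid_certs, warnings). Bad values are skipped and logged at
    error level instead of raising, so host-show/service-find keep working.
    """
    valid, warnings = [], []
    for i, v in enumerate(values):
        try:
            valid.append(normalize_certificate(v))
        except ValueError as e:
            msg = f"{dn}: userCertificate value #{i} is invalid ({e})"
            logger.error(msg)
            warnings.append(msg)
    return valid, warnings


if __name__ == "__main__":
    # Constructed sample: one structurally valid SEQUENCE, one raw junk value
    # (what 'usercertificate: foo' stores), one junk value as text.
    certs, warns = normalize_entry_certificates(
        "cn=example", [b"\x30\x03\x02\x01\x01", b"foo", "foo"])
    print(len(certs), "valid value(s);", len(warns), "warning(s)")
    for w in warns:
        print(" ", w)
```

The two-list return shape is the point: the caller can render the valid certificates, attach the warnings to the command result as messages, and never loses the rest of the entry because one attribute value is garbage.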
From: mbasti at redhat.com (Martin Basti) Date: Wed, 22 Jun 2016 17:52:46 +0200 Subject: [Freeipa-devel] [PATCH] 0022 Topology plugins sigsev/heap corruption when adding a managed host In-Reply-To: <576AB140.30204@redhat.com> References: <576AAF18.2020003@redhat.com> <576AB140.30204@redhat.com> Message-ID: <2f916028-8dba-177d-44fe-6b6be9854993@redhat.com> On 22.06.2016 17:39, Ludwig Krispenz wrote: > ACK. > > good catch, the fix is correct and hopefully fixes the heap corruption > issues > > On 06/22/2016 05:30 PM, thierry bordaz wrote: >> https://fedorahosted.org/freeipa/ticket/5977 >> >> >> >> > > -- > Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander > > Pushed to master: a76d4402a6bf68245801f6b65d0569c47aad88c6 -------------- next part -------------- An HTML attachment was scrubbed... URL: From simo at redhat.com Wed Jun 22 16:26:59 2016 
From: simo at redhat.com (Simo Sorce) Date: Wed, 22 Jun 2016 12:26:59 -0400 Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization In-Reply-To: <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> References: <5612745A.2090805@redhat.com> <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> Message-ID: <1466612819.9981.133.camel@redhat.com> On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote: > On 10/05/2015 03:00 PM, Martin Babinsky wrote: > > These patches implement the plumbing required to properly support > > canonicalization of Kerberos principals ( > > https://fedorahosted.org/freeipa/ticket/3864). > > > > Setting multiple principal aliases on hosts/services is beyond the scope > > of this patchset and should be done after these patches are pushed. > > > > I will try to send some tests for the patches later this week. > > > > Please review the hell out of them. > > > > > > > > Long time no see. > > I am attaching rebased infrastructure patches which were reviewed and > tested by David a year ago :). Now that all related DS bugs were fixed > and the patches still work as expected, we may push them so that the > plumbing for further work (API for alias handling etc.) is in place. > If the patches were all reviewed and tested I say push them. Simo. -- Simo Sorce * Red Hat, Inc * New York From mbabinsk at redhat.com Wed Jun 22 16:36:04 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Wed, 22 Jun 2016 18:36:04 +0200 Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization In-Reply-To: <1466612819.9981.133.camel@redhat.com> References: <5612745A.2090805@redhat.com> <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> <1466612819.9981.133.camel@redhat.com> Message-ID: On 06/22/2016 06:26 PM, Simo Sorce wrote: > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote: >> On 10/05/2015 03:00 PM, Martin Babinsky wrote: >>> These patches implement the plumbing required to properly support >>> canonicalization of Kerberos principals ( >>> https://fedorahosted.org/freeipa/ticket/3864). >>> >>> Setting multiple principal aliases on hosts/services is beyond the scope >>> of this patchset and should be done after these patches are pushed. >>> >>> I will try to send some tests for the patches later this week. >>> >>> Please review the hell out of them. >>> >>> >>> >> >> Long time no see. >> >> I am attaching rebased infrastructure patches which were reviewed and >> tested by David a year ago :). Now that all related DS bugs were fixed >> and the patches still work as expected, we may push them so that the >> plumbing for further work (API for alias handling etc.) is in place. >> > > If the patches were all reviewed and tested I say push them. > > Simo. 
>

There is one problem remaining, however, that when a user is kinit'ing for the first time using his alias and has to change password, the operation fails:

"""
[root at master1 ~]# kinit -C talias
Password for talias at IPA.TEST:
kinit: KDC reply did not match expectations while getting initial credentials
"""

This is the related snippet from KDC log:

"""
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: talias at IPA.TEST for krbtgt/IPA.TEST at IPA.TEST, Password has expired
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias at IPA.TEST for kadmin/changepw at IPA.TEST, Additional pre-authentication required
Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, talias at IPA.TEST for kadmin/changepw at IPA.TEST
Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
"""

Here is the same command repeated with captured libkrb5 trace: https://paste.fedoraproject.org/383358/14666131

If I use kinit with the canonical principal everything works as expected, even with '-C' and '-E' options. Subsequent kinits using canonicalization work as expected.

Frankly I have no idea why this happens and I do not know how much this error blocks us. We may need to investigate this before pizza orders arrive.

-- Martin^3 Babinsky

From tbordaz at redhat.com Wed Jun 22 16:47:12 2016
From: tbordaz at redhat.com (thierry bordaz) Date: Wed, 22 Jun 2016 18:47:12 +0200 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <20160620182707.ay7lmfjixlbcrzbx@redhat.com> References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> <575FDDC0.70105@redhat.com> <20160620182707.ay7lmfjixlbcrzbx@redhat.com> Message-ID: <576AC110.90307@redhat.com> On 06/20/2016 08:27 PM, Alexander Bokovoy wrote: > On Tue, 14 Jun 2016, thierry bordaz wrote: >> From ac6c0617f618fc609df93dc18ec25255484b533d Mon Sep 17 00:00:00 2001 >> From: Thierry Bordaz >> Date: Fri, 10 Jun 2016 15:34:40 +0200 >> Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a >> pre-extop >> plugin >> >> ipapwd_extop allows to update the password on a specific entry, >> identified by its DN. >> It can be usefull to support virtual DN in the extop so that update >> of a virtual entry >> would land into the proper real entry. >> >> If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with >> the value >> of TARGET_DN, instead of using the original one (in the ber req) >> >> https://fedorahosted.org/freeipa/ticket/5946 >> --- >> .../ipa-pwd-extop/ipa_pwd_extop.c | 36 >> +++++++++++++++++----- >> 1 file changed, 28 insertions(+), 8 deletions(-) >> >> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> index 440e221..3c2c44f 100644 >> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c 
>> @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, >> struct ipapwd_krbcfg *krbcfg) >> char *attrlist[] = {"*", "passwordHistory", NULL }; >> struct ipapwd_data pwdata; >> int is_krb, is_smb, is_ipant; >> - char *principal = NULL; >> + char *principal = NULL; >> Slapi_PBlock *chpwop_pb = NULL; >> + Slapi_DN *target_sdn = NULL; >> + char *target_dn = NULL; >> >> /* Get the ber value of the extended operation */ >> slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
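Review bot: `target_dn` is declared here as `char *target_dn = NULL;`, but in the following hunk it receives the return value of `slapi_sdn_get_ndn()`, which is `const char *`, so the declaration should be `const char *target_dn = NULL;` to avoid discarding the qualifier (the value is only ever read and passed to `slapi_ch_strdup()`). The `- char *principal = NULL;` / `+ char *principal = NULL;` pair is a whitespace-only change unrelated to the fix and is better dropped to keep the diff focused.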
>> @@ -327,14 +329,32 @@ parse_req_done: >> } >> } >> >> - /* Determine the target DN for this operation */ >> - /* Did they give us a DN ? */ >> - if (dn == NULL || *dn == '\0') { >> - /* Get the DN from the bind identity on this connection */ >> - dn = slapi_ch_strdup(bindDN); >> - LOG_TRACE("Missing userIdentity in request, " >> - "using the bind DN instead.\n"); >> + /* Determine the target DN for this operation */ >> + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >> + if (target_sdn != NULL) { >> + /* If there is a TARGET_DN we are consuming it */ >> + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >> + target_dn = slapi_sdn_get_ndn(target_sdn); >> } >> + if (target_dn == NULL || *target_dn == '\0') { >> + /* Did they give us a DN ? */ >> + if (dn == NULL || *dn == '\0') { >> + /* Get the DN from the bind identity on this connection */ >> + dn = slapi_ch_strdup(bindDN); >> + LOG_TRACE("Missing userIdentity in request, " >> + "using the bind DN instead.\n"); >> + } >> + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >> + } else { >> + /* At this point if SLAPI_TARGET_SDN was set that means >> + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >> + * So take this one rather that the raw one that is in the ber >> + */ >> + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : >> "", target_dn); >> + slapi_ch_free_string(&dn); >> + dn = slapi_ch_strdup(target_dn); >> + } >> + slapi_sdn_free(&target_sdn); >> >> if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { >> LOG_FATAL("slapi_pblock_set failed!\n"); >> -- >> 2.5.0 >> > ACK. A build with slapi-nis 0.56.0-2.fc24 that includes pre-extop > callback is available in Fedora -- > https://bodhi.fedoraproject.org/updates/slapi-nis-0.56.0-2.fc24 so you > can test against it. > > I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 > for this. > Testing with slapi-nis 0.56.0-2, successful update of password from compat tree users. 
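Review bot: the ownership contract for `SLAPI_TARGET_SDN` should be stated next to the `slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL);` ... `slapi_sdn_free(&target_sdn);` pair in the second hunk: the extop frees an SDN that a `SLAPI_PLUGIN_PRE_EXTOP_FN` plugin allocated, which is only correct if that plugin hands over ownership and never frees it itself, so a comment (and a sentence in the commit message) would save the next reader from a double-free hunt. Related: `target_dn` points into `target_sdn`'s storage, so the `dn = slapi_ch_strdup(target_dn);` must stay before `slapi_sdn_free(&target_sdn);` as it does now; a short comment there would keep a future reordering from turning it into a use-after-free.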
-------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-ipapwd_extop-should-use-TARGET_DN-defined-by-a-pre-e.patch Type: text/x-patch Size: 3703 bytes Desc: not available URL: From simo at redhat.com Wed Jun 22 16:56:51 2016 
From: simo at redhat.com (Simo Sorce) Date: Wed, 22 Jun 2016 12:56:51 -0400 Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization In-Reply-To: References: <5612745A.2090805@redhat.com> <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> <1466612819.9981.133.camel@redhat.com> Message-ID: <1466614611.9981.135.camel@redhat.com> On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote: > On 06/22/2016 06:26 PM, Simo Sorce wrote: > > On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote: > >> On 10/05/2015 03:00 PM, Martin Babinsky wrote: > >>> These patches implement the plumbing required to properly support > >>> canonicalization of Kerberos principals ( > >>> https://fedorahosted.org/freeipa/ticket/3864). > >>> > >>> Setting multiple principal aliases on hosts/services is beyond the scope > >>> of this patchset and should be done after these patches are pushed. > >>> > >>> I will try to send some tests for the patches later this week. > >>> > >>> Please review the hell out of them. > >>> > >>> > >>> > >> > >> Long time no see. > >> > >> I am attaching rebased infrastructure patches which were reviewed and > >> tested by David a year ago :). Now that all related DS bugs were fixed > >> and the patches still work as expected, we may push them so that the > >> plumbing for further work (API for alias handling etc.) is in place. > >> > > > > If the patches were all reviewed and tested I say push them. > > > > Simo. 
> > > > There is one problem remaining, however, that when a user is kinit'ing > for the first time using his alias and has to change password, the > operation fails: > > """ > [root at master1 ~]# kinit -C talias > Password for talias at IPA.TEST: > kinit: KDC reply did not match expectations while getting initial > credentials > > """ > > This is the related snippet from KDC log: > > """ > Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes > {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: > talias at IPA.TEST for krbtgt/IPA.TEST at IPA.TEST, Password has expired > Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12 > Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes > {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias at IPA.TEST > for kadmin/changepw at IPA.TEST, Additional pre-authentication required > Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12 > Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes > {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes > {rep=18 tkt=18 ses=18}, talias at IPA.TEST for kadmin/changepw at IPA.TEST > Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12 > > """ > > Here is the same command repeated with captured libkrb5 trace: > https://paste.fedoraproject.org/383358/14666131 > > If I use kinit with the canonical principal everything works as > expected, even with '-C' and '-E' options. Subsequent kinits using > canonicalization work as expected. > > Frankly I have no idea why this happens and I do not know how much this > error blocks us. We may need to investigate this before pizza orders arrive. I guess the password changing code is making a request without canonicalization flags set for the kpasswd service.
As you can see the kpasswd case is special because we are making an AS REQ (not a TGS req) directly for that service, and that request needs to use canonicalization as well; it probably isn't. Simo. -- Simo Sorce * Red Hat, Inc * New York From abokovoy at redhat.com Wed Jun 22 17:02:30 2016 From: abokovoy at redhat.com (Alexander Bokovoy) Date: Wed, 22 Jun 2016 20:02:30 +0300 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <576AC110.90307@redhat.com> References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> <575FDDC0.70105@redhat.com> <20160620182707.ay7lmfjixlbcrzbx@redhat.com> <576AC110.90307@redhat.com> Message-ID: <20160622170230.ms7hatqvewwwclgq@redhat.com> On Wed, 22 Jun 2016, thierry bordaz wrote: >>I think FreeIPA also needs to raise dependency to slapi-nis >= 0.56.0 >>for this. >> > >Testing with slapi-nis 0.56.0-2, successful update of password from >compat tree users. Great, ACK! > > > >From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001 >From: Thierry Bordaz >Date: Fri, 10 Jun 2016 15:34:40 +0200 >Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a pre-extop > plugin > >ipapwd_extop allows updating the password on a specific entry, identified by its DN. >It can be useful to support virtual DN in the extop so that an update of a virtual entry >would land into the proper real entry. > >If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value >of TARGET_DN, instead of using the original one (in the ber req) >There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955) > >https://fedorahosted.org/freeipa/ticket/5946 >--- > .../ipa-pwd-extop/ipa_pwd_extop.c | 36 +++++++++++++++++----- > freeipa.spec.in | 2 +- > 2 files changed, 29 insertions(+), 9 deletions(-)
> >diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >index 440e221..3c2c44f 100644 >--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >@@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) > char *attrlist[] = {"*", "passwordHistory", NULL }; > struct ipapwd_data pwdata; > int is_krb, is_smb, is_ipant; >- char *principal = NULL; >+ char *principal = NULL; > Slapi_PBlock *chpwop_pb = NULL; >+ Slapi_DN *target_sdn = NULL; >+ char *target_dn = NULL; > > /* Get the ber value of the extended operation */ > slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
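Review bot: the `- char *principal = NULL;` / `+ char *principal = NULL;` pair in this hunk is a whitespace-only change; drop it so the hunk contains only the two new declarations. Also, `target_dn` is declared as a writable `char *` although it only ever borrows the normalized DN returned by `slapi_sdn_get_ndn(target_sdn)` and is copied with `slapi_ch_strdup` before use; `const char *target_dn = NULL;` would document that this function does not own it and prevent an accidental `slapi_ch_free_string(&target_dn)` later.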
>@@ -327,14 +329,32 @@ parse_req_done: > } > } > >- /* Determine the target DN for this operation */ >- /* Did they give us a DN ? */ >- if (dn == NULL || *dn == '\0') { >- /* Get the DN from the bind identity on this connection */ >- dn = slapi_ch_strdup(bindDN); >- LOG_TRACE("Missing userIdentity in request, " >- "using the bind DN instead.\n"); >+ /* Determine the target DN for this operation */ >+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >+ if (target_sdn != NULL) { >+ /* If there is a TARGET_DN we are consuming it */ >+ slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >+ target_dn = slapi_sdn_get_ndn(target_sdn); > } >+ if (target_dn == NULL || *target_dn == '\0') { >+ /* Did they give us a DN ? */ >+ if (dn == NULL || *dn == '\0') { >+ /* Get the DN from the bind identity on this connection */ >+ dn = slapi_ch_strdup(bindDN); >+ LOG_TRACE("Missing userIdentity in request, " >+ "using the bind DN instead.\n"); >+ } >+ LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >+ } else { >+ /* At this point if SLAPI_TARGET_SDN was set that means >+ * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >+ * So take this one rather that the raw one that is in the ber >+ */ >+ LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : "", target_dn); >+ slapi_ch_free_string(&dn); >+ dn = slapi_ch_strdup(target_dn); >+ } >+ slapi_sdn_free(&target_sdn); > > if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { > LOG_FATAL("slapi_pblock_set failed!\n"); >diff --git a/freeipa.spec.in b/freeipa.spec.in >index 0d5c745..84a1d65 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in 
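Review bot: the else branch replaces the DN parsed from the BER request with `target_dn` whenever a non-empty SLAPI_TARGET_SDN is present in the pblock, and the only justification is the comment's assumption that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin put it there; the code cannot tell who set it, so the comment and the commit message should state that the substituted DN is stored as SLAPI_ORIGINAL_TARGET and is subject to the same authorization as a caller-supplied DN, which is what makes the redirection safe to review. The ordering `dn = slapi_ch_strdup(target_dn);` before `slapi_sdn_free(&target_sdn);` is correct and must stay that way, since `target_dn` points into the SDN being freed. Typo in the new comment: "rather that the raw one" should read "rather than the raw one".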
>@@ -154,7 +154,7 @@ Requires(pre): systemd-units > Requires(post): systemd-units > Requires: selinux-policy >= %{selinux_policy_version} > Requires(post): selinux-policy-base >= %{selinux_policy_version} >-Requires: slapi-nis >= 0.55-1 >+Requires: slapi-nis >= 0.56.0 > Requires: pki-ca >= 10.3.2 > Requires: pki-kra >= 10.3.2 > Requires(preun): python systemd-units >-- >2.5.0 > -- / Alexander Bokovoy From frenaud at redhat.com Wed Jun 22 19:29:14 2016 From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Wed, 22 Jun 2016 21:29:14 +0200 Subject: [Freeipa-devel] [PATCH] 0007 Fix ipa-server-certinstall with certs signed by 3rd-party CA Message-ID: <264af0c4-f182-78fb-2c32-2195fe09874b@redhat.com> Hi, This patch fixes ipa-server-certinstall when used with 3rd-party certs. The scenario is the following: - install the server with an embedded CA - use ipa-cacert-manage to install a 3rd party CA - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and /etc/dirsrv/slapd-XXX) - use ipa-server-certinstall to replace the Directory/Apache server certificates with a cert signed by the 3rd party CA. Note that I had to run ipa-certupdate after putting selinux mode to permissive (otherwise the cert does not get into /etc/pki/pki-tomcat/alias) and a bz has been opened against selinux-policy to solve this issue. https://fedorahosted.org/freeipa/ticket/4785 https://fedorahosted.org/freeipa/ticket/4786 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0007-Fix-ipa-server-certinstall-with-certs-signed-by-3rd-.patch Type: text/x-patch Size: 3432 bytes Desc: not available URL: From lslebodn at redhat.com Wed Jun 22 21:20:39 2016 
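The certinstall scenario above relies on ipa-certupdate having placed the third-party CA certificate, with CA trust, into every NSS database listed; the SELinux denial Florence mentions is exactly the case where one of them is silently skipped. The script below is an added example, not FreeIPA's code nor the patch under discussion: it checks each database with certutil and reports which ones lack the CA or carry it without CA trust flags. The nickname "Example Corp Root CA" and SAMPLE_LISTING are constructed placeholders.

```shell
#!/bin/sh
# Added example; not part of the freeipa-devel thread or of FreeIPA itself.
# Checks that a third-party CA certificate is present, and trusted as a CA,
# in every NSS database that ipa-certupdate is expected to populate.
# Assumptions: certutil (nss-tools) is on PATH; the CA was imported under a
# known nickname. "Example Corp Root CA" below is a constructed placeholder.

# The fixed-path databases named in the thread; the 389-ds instance
# directory (/etc/dirsrv/slapd-<INSTANCE>) is globbed at run time.
IPA_NSSDBS="/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias"

# nss_listing_has_trusted_ca LISTING NICKNAME
#   LISTING is the text printed by `certutil -L -d <dir>`.
#   Exit status: 0 = present with "C" in the SSL trust column (trusted CA),
#                2 = present but without CA trust, 1 = not present.
nss_listing_has_trusted_ca() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            flags = $NF                      # e.g. "CT,C,C" or "u,u,u"
            sub(/[ \t]+[^ \t]+$/, "", $0)    # drop the trust column
            sub(/[ \t]+$/, "", $0)           # and trailing padding -> nickname
            if ($0 == nick) {
                found = 1
                split(flags, f, ",")
                if (f[1] ~ /C/) trusted = 1  # SSL column carries the CA flag
            }
        }
        END { exit (found ? (trusted ? 0 : 2) : 1) }'
}

# check_nssdb DIR NICKNAME: run certutil on a real database and print a verdict.
check_nssdb() {
    if [ ! -r "$1/cert8.db" ] && [ ! -r "$1/cert9.db" ]; then
        printf 'SKIP      %s (no NSS database there)\n' "$1"
        return 1
    fi
    rc=0
    nss_listing_has_trusted_ca "$(certutil -L -d "$1" 2>/dev/null)" "$2" || rc=$?
    case $rc in
        0) printf 'OK        %s\n' "$1" ;;
        2) printf 'UNTRUSTED %s (certificate present, no CA trust flag)\n' "$1" ;;
        *) printf 'MISSING   %s\n' "$1" ;;
    esac
    return $rc
}

# check_all_nssdbs NICKNAME: iterate every database; non-zero if any check fails.
check_all_nssdbs() {
    failed=0
    for dir in $IPA_NSSDBS /etc/dirsrv/slapd-*; do
        [ -d "$dir" ] || continue
        check_nssdb "$dir" "$1" || failed=1
    done
    return $failed
}

# Constructed sample in `certutil -L` format, so the parser can be exercised
# without touching a real database.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.TEST IPA CA                                              CT,C,C
Example Corp Root CA                                         CT,C,C
Server-Cert                                                  u,u,u'

# Run with "--live [NICKNAME]" to inspect the databases of this host.
if [ "${1:-}" = "--live" ]; then
    check_all_nssdbs "${2:-Example Corp Root CA}"
fi
```

A server certificate such as "Server-Cert" above carries "u,u,u" and is reported as present but untrusted, which is the distinction worth checking after a CA swap: a cert that landed in the database without the "C" flag will not validate the new server certificates.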
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Wed, 22 Jun 2016 23:20:39 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> Message-ID: <20160622212039.GA5410@10.4.128.1> On (22/06/16 11:57), Martin Basti wrote: > > >On 09.06.2016 21:02, Martin Basti wrote: >> >> >> On 09.06.2016 14:45, Martin Basti wrote: >> > >> > >> > On 09.06.2016 14:42, Martin Basti wrote: >> > > >> > > >> > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> > > > On (09/06/16 14:29), Martin Basti wrote: >> > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >> > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > > > > > > Hi, >> > > > > > > > >> > > > > > > > this patch allows the extom plugin to lookup >> > > > > > > > users by certificate which >> > > > > > > > is needed in the case where a IPA client >> > > > > > > > wants to lookup an AD user who >> > > > > > > > has the certificate stored in AD. To make >> > > > > > > > this work the related patches >> > > > > > > > I just send to sssd-devel are needed as well. >> > > > > > > > >> > > > > > > > Currently the patches miss the change in the >> > > > > > > > required version of SSSD. >> > > > > > > > since the SSSD patches are not committed. But >> > > > > > > > the patches are needed to >> > > > > > > > fully test the SSSD patches. 
I will send a >> > > > > > > > new version with the needed >> > > > > > > > changes to the minimal SSSD version when the SSSD patches are >> > > > > > > > committed. >> > > > > > > > >> > > > > > > > bye, >> > > > > > > > Sumit >> > > > > > > The patch works fine (tested together with the corresponding SSSD >> > > > > > > patches), so ACK from me. The code also looks >> > > > > > > good to me, but I'm not >> > > > > > > sure if reviewing an IPA patch requires something >> > > > > > > more (CI? Coverity?) >> > > > > > ACK from me as well, I forgot to send email about it, >> > > > > > though I reviewed >> > > > > > this patch a week ago. >> > > > > > >> > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > > > > >> > > > It's very likely that this commit will break build of >> > > > freeipa-master. I didn't try. >> > > > >> > > > Because it uses new function sss_nss_getnamebycert >> > > > from the library libsss_nss_idmap which is not in fedora. >> > > > It was pushed to sssd master just today. >> > > > >> > > > LS >> > > >> > > If this is true, can you/somebody provide the SRPM of SSSD with >> > > the required functionality please? We may need to add it to >> > > @freeipa/freeipa-master copr and bump required version of SSSD. >> > > >> > > Martin^2 >> > > >> > >> > Yes, you were right, master build is broken. >> > Martin^2 >> > >> >> SSSD master build has been added to @freeipa/freeipa-master copr as a >> workaround (to unblock automatic testing and developers) >> >> Please bump version in specfile accordingly (I don't know in which >> version of SSSD the required function will be) >> >> Martin^2 >> >Bumping SSSD version in requires and buildrequires >Patch attached >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 00:00:00 2001
>From: Martin Basti >Date: Wed, 22 Jun 2016 10:49:39 +0200 >Subject: [PATCH] Bump SSSD requires > >https://fedorahosted.org/freeipa/ticket/4955 >--- > freeipa.spec.in | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/freeipa.spec.in b/freeipa.spec.in >index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 100644 >--- a/freeipa.spec.in >+++ b/freeipa.spec.in >@@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a > BuildRequires: python-qrcode-core >= 5.0.0 > BuildRequires: python-dns >= 1.11.1 > BuildRequires: libsss_idmap-devel >-BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >+BuildRequires: libsss_nss_idmap-devel >= 1.14.0 > BuildRequires: java-headless > BuildRequires: rhino > BuildRequires: libverto-devel >@@ -327,7 +327,7 @@ Requires: pam_krb5 > Requires: curl > Requires: libcurl >= 7.21.7-2 > Requires: xmlrpc-c >= 1.27.4 >-Requires: sssd >= 1.13.3-5 >+Requires: sssd >= 1.14.0 NACK A) It's not explained in commit message why you need to bump Requires for sssd. IIRC, you need just new libsss_nss_idmap-devel. B) You forgot add detection for newer version of libsss_nss_idmap at configure time Hint: * daemons/configure.ac * https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification LS From ldoudova at redhat.com Thu Jun 23 04:32:12 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 23 Jun 2016 06:32:12 +0200 Subject: [Freeipa-devel] [PATCH 0014-0016][Tests] Authentication indicators In-Reply-To: <766fd34a-b83b-1105-57d0-bd51420720a7@redhat.com> References: <766fd34a-b83b-1105-57d0-bd51420720a7@redhat.com> Message-ID: Bump for review. Thanks. On 06/16/2016 03:23 PM, Lenka Doudova wrote: > Hi, > > attached are tests for authentication indicators. Please note: > > 1. newly created service tracker is not exactly complete, list of > unimplemented methods is in doc. These methods can be filled in when > existing declarative tests are refactored. > > 2. patch 0015 depends on 0014, so it should not be pushed without it. > > > Lenka > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ldoudova at redhat.com Thu Jun 23 04:55:20 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 23 Jun 2016 06:55:20 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> Message-ID: <0a5ec8ab-6ec0-ee67-9fb0-4536705cf254@redhat.com> On 06/22/2016 05:11 PM, Lenka Doudova wrote: > > > > On 06/22/2016 04:37 PM, Lenka Doudova wrote: >> >> >> >> On 06/22/2016 08:33 AM, Martin Basti wrote: >>> >>> >>> >>> On 22.06.2016 07:37, Lenka Doudova wrote: >>>> >>>> >>>> >>>> On 06/21/2016 06:57 PM, Martin Basti wrote: >>>>> >>>>> >>>>> >>>>> On 21.06.2016 15:39, Lenka Doudova wrote: >>>>>> Hi, >>>>>> >>>>>> attaching patch for failing location tests >>>>>> (ipatests/test_xmlrpc/test_location_plugin.py). >>>>>> >>>>>> Lenka >>>>>> >>>>>> >>>>>> >>>>> >>>>> Hello, >>>>> >>>>> 1) >>>>> + expected_updates={u'ipalocation_location': >>>>> [location.idnsname_obj], >>>>> + u'enabled_role_servrole': ( >>>>> + u'CA server', u'DNS server', >>>>> u'NTP server')}, >>>>> >>>>> This depends on services installed on server, so server without >>>>> DNS will cause test failures. We probably should skip test id DNS >>>>> isn't installed. >>>>> Without DNS installed you get much more different warnings >>>>> >>>>> >>>>> 2) >>>>> + def update(self, updates, expected_updates=None, messages=None): >>>>> .... >>>>> + self.messages = messages >>>>> >>>>> Why is this needed? I'm puzzled by this >>>>> >>>>> It is defined outside __init__ what is wrong and it is never used. >>>>> >>>> Hi, thanks for review. 
>>>> ad 1: will fix >>>> ad 2: the 'messages' key is indeed used, because this key is >>>> returned every time a server is attached to/removed from a >>>> location. If the 'messages' is not supplied to the result >>>> comparison, the test fails (see >>>> https://paste.fedoraproject.org/382936/65732411/ for result of test >>>> without applied patch). >>>> >>>> Lenka >>> >>> Please point me to the line where ServerTracker.messages is used, I >>> still don't see it. In your fpaste, removed self.messages in that >>> context is TestLocationsServer.messages not ServerTracker.messages >>> >>> Martin^2 >> >> Ah, right you are, my good sir. I fixed both issues, hopefully will >> be fine now. Fixed patch attached. >> Lenka >> >> > Self NACK, will provide some more changes tomorrow. > Lenka > > And here it goes... Lenka -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0019.3-Tests-Fix-for-failing-location-tests.patch Type: text/x-patch Size: 10731 bytes Desc: not available URL: From jcholast at redhat.com Thu Jun 23 05:37:15 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2016 07:37:15 +0200 Subject: [Freeipa-devel] [PATCH] 0004 Report missing certificate in external trust chain In-Reply-To: <6b99905c-5520-d4b2-f825-28983ee6f31d@redhat.com> References: <45575d05-92a0-bc30-d287-a547d76dd62e@redhat.com> <20160602065525.GG4744@dhcp-40-8.bne.redhat.com> <6b99905c-5520-d4b2-f825-28983ee6f31d@redhat.com> Message-ID: <38484acb-e80f-2c54-bbbd-6ba676c44122@redhat.com> On 2.6.2016 12:38, Florence Blanc-Renaud wrote: > Hi, > > thanks to Jan and Fraser for the review and the suggested error message. > Please find the updated patch attached. > > Flo. > > > On 06/02/2016 08:55 AM, Fraser Tweedale wrote: >> On Thu, Jun 02, 2016 at 07:54:31AM +0200, Jan Cholasta wrote: >>> Hi, >>> >>> On 30.5.2016 19:58, Florence Blanc-Renaud wrote: >>>> Hi all, >>>> >>>> this patch adds in the error message the missing certificate that caused >>>> ipa-server-install --external-cert-file=... to fail. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5792 >>> I think someone may confuse "issuer" with the "issuer name" field in the >>> certificate, also IMO we should use "certificate" rather than "cert" in >>> error messages, so I would rather use something like "missing certificate >>> with subject '%s'" or maybe just "missing certificate '%s'". >>> >> Let us be as specific as possible; Honza's suggestion "missing >> certificate with subject '%s'" is preferable. >> >> Cheers, >> Fraser Thanks, ACK. Pushed to master: 517964f746e004801e5e73d61f3f5e16102b7299 -- Jan Cholasta From jcholast at redhat.com Thu Jun 23 06:09:34 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2016 08:09:34 +0200 Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install In-Reply-To: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> References: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> Message-ID:

On 22.6.2016 16:22, Stanislav Laznicka wrote:
> Hello,
>
> Please see the patch attached that fixes the issue from
> https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a
> while to create as I thought something was wrong with the SshExec class
> which actually was where the password was required.

"The nss_db variable didn't go through the proper initialization"

You are going to have to be more specific, because the variable is properly initialized right here:

    with certdb.NSSDatabase(nss_dir) as nss_db:

And the nss_db.secdir attribute used in the api.bootstrap() call is properly initialized in NSSDatabase():

    def __init__(self, nssdir=None):
        if nssdir is None:
            self.secdir = tempfile.mkdtemp()
            self._is_temporary = True
        else:
            self.secdir = nssdir
            self._is_temporary = False

-- Jan Cholasta From slaznick at redhat.com Thu Jun 23 06:52:51 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 23 Jun 2016 08:52:51 +0200 Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install In-Reply-To: References: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> Message-ID: <541c5c87-6121-9ff5-1081-306fac42a123@redhat.com>

On 06/23/2016 08:09 AM, Jan Cholasta wrote:
> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>> Hello,
>>
>> Please see the patch attached that fixes the issue from
>> https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a
>> while to create as I thought something was wrong with the SshExec class
>> which actually was where the password was required.
>
> "The nss_db variable didn't go through the proper initialization"
>
> You are going to have to be more specific, because the variable is
> properly initialized right here:
>
>     with certdb.NSSDatabase(nss_dir) as nss_db:
>
> And the nss_db.secdir attribute used in the api.bootstrap() call is
> properly initialized in NSSDatabase():
>
>     def __init__(self, nssdir=None):
>         if nssdir is None:
>             self.secdir = tempfile.mkdtemp()
>             self._is_temporary = True
>         else:
>             self.secdir = nssdir
>             self._is_temporary = False
>
You're right, the commit message was rather generic. Hopefully this new one will be better.

-------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0049-2-Fix-to-ipa-ca-install-asking-for-host-principal-pass.patch Type: text/x-patch Size: 1661 bytes Desc: not available URL: From jcholast at redhat.com Thu Jun 23 07:14:28 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2016 09:14:28 +0200 Subject: [Freeipa-devel] [PATCH] 0076 Require Dogtag >= 10.3.3 In-Reply-To: <20160621095136.GG4200@dhcp-40-8.bne.redhat.com> References: <20160621095136.GG4200@dhcp-40-8.bne.redhat.com> Message-ID: <54df7cf4-ddd6-c982-7794-f148d582f371@redhat.com> On 21.6.2016 11:51, Fraser Tweedale wrote: > Dogtag 10.3.3, which fixes a lightweight CA initialisation bug, > should land in updates-testing soon[2]. Pursuant to [2], this patch > bumps minimum required Dogtag version to 10.3.3. > > [1] https://bodhi.fedoraproject.org/updates/?packages=pki-core > [2] https://www.redhat.com/archives/freeipa-devel/2016-June/msg00417.html > > Thanks, > Fraser Thanks, ACK. Pushed to master: b59e82298ca0322713bc1dd947ba7a0ae79e44ce -- Jan Cholasta From dkupka at redhat.com Thu Jun 23 07:44:15 2016 
From: dkupka at redhat.com (David Kupka) Date: Thu, 23 Jun 2016 09:44:15 +0200 Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization In-Reply-To: <1466614611.9981.135.camel@redhat.com> References: <5612745A.2090805@redhat.com> <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> <1466612819.9981.133.camel@redhat.com> <1466614611.9981.135.camel@redhat.com> Message-ID: On 22/06/16 18:56, Simo Sorce wrote: > On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote: >> On 06/22/2016 06:26 PM, Simo Sorce wrote: >>> On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote: >>>> On 10/05/2015 03:00 PM, Martin Babinsky wrote: >>>>> These patches implement the plumbing required to properly support >>>>> canonicalization of Kerberos principals ( >>>>> https://fedorahosted.org/freeipa/ticket/3864). >>>>> >>>>> Setting multiple principal aliases on hosts/services is beyond the scope >>>>> of this patchset and should be done after these patches are pushed. >>>>> >>>>> I will try to send some tests for the patches later this week. >>>>> >>>>> Please review the hell out of them. >>>>> >>>>> >>>>> >>>> >>>> Long time no see. >>>> >>>> I am attaching rebased infrastructure patches which were reviewed and >>>> tested by David a year ago :). Now that all related DS bugs were fixed >>>> and the patches still work as expected, we may push them so that the >>>> plumbing for further work (API for alias handling etc.) is in place. >>>> >>> >>> If the patches were all reviewed and tested I say push them. >>> >>> Simo. 
>>> >> >> There is one problem remaining, however, that when a user is kinit'ing >> for the first time using his alias and has to change password, the >> operation fails: >> >> """ >> [root at master1 ~]# kinit -C talias >> Password for talias at IPA.TEST: >> kinit: KDC reply did not match expectations while getting initial >> credentials >> >> """ >> >> This is the related snippet from KDC log: >> >> """ >> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes >> {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: >> talias at IPA.TEST for krbtgt/IPA.TEST at IPA.TEST, Password has expired >> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12 >> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes >> {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias at IPA.TEST >> for kadmin/changepw at IPA.TEST, Additional pre-authentication required >> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12 >> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes >> {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes >> {rep=18 tkt=18 ses=18}, talias at IPA.TEST for kadmin/changepw at IPA.TEST >> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12 >> >> """ >> >> Here is the same command repeated with captured libkrb5 trace: >> https://paste.fedoraproject.org/383358/14666131 >> >> If I use kinit with the canonical principal everything works as >> expected, even with '-C' and '-E' options. Subsequent kinits using >> canonicalization work as expected. >> >> Frankly I have no idea why this happens and I do not know how much this >> error blocks us. We may need to investigate this before pizza orders arrive. > > I guess the password changing code is making a request without > canonicalization flags set for the kpasswd service.
> As you can see the kpasswd case is special because we are making an AS > REQ (not a TGS req) directly for that service, and that request needs to > use canonicalization as well, it probably isn't. > > Simo. > > Hello! I've reviewed and tested the patches a year ago and now with current master again. The only issue I've found is the problem Martin is describing: a user cannot kinit with an alias after a password reset. Since this is not a regression I believe the patches can be pushed now, and the issue can be solved together with the rest of the missing functionality. ACK! -- David Kupka From jcholast at redhat.com Thu Jun 23 07:51:02 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 23 Jun 2016 09:51:02 +0200 Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal In-Reply-To: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> References: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> Message-ID: <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com> Hi, On 21.6.2016 08:24, Fraser Tweedale wrote: > The attached patches add lightweight CA renewal. There are two > substantive aspects: > > 1. The renew_ca_cert updates the serial number in the lightweight > CA's entry in the Dogtag database. This causes CA clones to observe > the renewal and update the certs in their own NSSDBs. > > 2. The ipa-certupdate command adds Certmonger tracking requests for > lightweight CAs (on the renewal master only). > > Correct behaviour also depends on my patch 0069 (in-server API for > renew_ca_cert script). Patch 0072-0074: LGTM Patch 0075: 1) Lightweight CA certs should be tracked by certmonger on all CA servers, not just on the renewal master. The behavior should be the same as for the main CA cert, i.e. the actual renewal is done only on the renewal master, other CA servers only update their NSS DBs (this is handled in dogtag-ipa-ca-renew-agent-submit). This is important because CA renewal master can change at any time, and without all CA certs being tracked on all CA servers, there is no guarantee the renewal would happen. 2) Since CA clones update their NSS DBs on their own, dogtag-ipa-ca-renew-agent should be updated not to put them in cn=ca_renewal,cn=ipa,cn=etc. Honza -- Jan Cholasta From enewland at redhat.com Wed Jun 22 14:10:13 2016 
From: enewland at redhat.com (Ellen Newlands) Date: Wed, 22 Jun 2016 10:10:13 -0400 Subject: [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA 4.4.0 alpha1 In-Reply-To: References: Message-ID: <01BE773B-3058-4BF1-961F-CA024E8A7E0C@redhat.com> Hello Peter and Team - Excellent news and great work behind this announcement. Congratulations! On 21 Jun 2016, at 13:56, Petr Vobornik wrote: > == FreeIPA 4.4.0 Alpha 1 === > > The FreeIPA team would like to announce FreeIPA v4.4.0 alpha1 release! > > A tarball can be downloaded from http://www.freeipa.org/page/Downloads > > == Highlights in 4.4.0 Alpha 1 == > > Enhancements: > * Improved Topology Management > > * Added Overview of IPA server roles: > > * Added support certificates for AD users: > > * Added support of UPN for trusted domains > > * Added support for Kerberos Authentication Indicators > > * Added DNS Location Mechanism > > * Several performance improvements > > * Refactored IPA command line tool > > * Added support for Sub-CAs > > == Detailed Changelog since 4.3.1 == > > Abhijeet Kasurde (12): > Added kpasswd_server directive in client krb5.conf > Fixed login error message box in LoginScreen page > Added fix for notifying user about Kerberos principal expiration > in WebUI > Added description related to 'status' in ipactl man page > Added warning to user for Internet Explorer > Added fix for notifying user about locked user account in WebUI > Updated ipa command man page > Fix added to ipa-compat-manage command line help > Removed custom implementation of CalledProcessError > Replaced find_hostname with api.env.host > Added exception handling for mal-formatted XML Parsing > Added missing translation to automount.py method > > Alexander Bokovoy (11): > slapi-nis: update configuration to allow external members of IPA > groups > extdom: do not fail to process error case when no request is specified > otptoken: support Python 3 for the qr code > trusts: Add support for an external trust to Active Directory 
domain > adtrust: remove nttrustpartner parameter > adtrust: remove nttrustpartner parameter > adtrust: support GSSAPI authentication to LDAP as Active Directory > user > adtrust: support UPNs for trusted domain users > webui: show UPN suffixes in trust properties > webui: support external flag to trust-add > adtrust: optimize forest root LDAP filter > > Christian Heimes (3): > Require Dogtag 10.2.6-13 to fix KRA uninstall > Modernize mod_nss's cipher suites > Move user/group constants for PKI and DS into ipaplatform > > David Kupka (28): > installer: Propagate option values from components instead of > copying them. > installer: Fix logic of reading option values from cache. > ipa-dns-install: Do not check for zone overlap when DNS installed. > ipa-replica-prepare: Add '--auto-reverse' and > '--allow-zone-overlap' options > installer: Change reverse zones question to better reflect reality. > Fix: Use unattended parameter instead of options.unattended > CI: Add '2-connected' topology generator. > CI: Add simple replication test in 2-connected topology. > CI: Add test for 2-connected topology generator. > CI: Fix pep8 errors in 2-connected topology generator > CI: add empty topology test for 2-connected topology generator > CI: Add double circle topology. > CI: Add replication test utilizing double-circle topology. > CI: Add test for double-circle topology generator. > CI: Make double circle topology python3 compatible > upgrade: Match whole pre/post command not just basename. > dsinstance: add start_tracking_certificates method > httpinstance: add start_tracking_certificates method > Look up HTTPD_USER's UID and GID during installation. > test: test_cli: Do not expect defaults in kwargs. > man: Decribe ipa-client-install workaround for broken D-Bus > enviroment. 
> installer: positional_arguments must be tuple or list of strings > installer: index() raises ValueError > Remove unused locking "context manager" > schema: Add fingerprint and TTL > schema: Add known_fingerprints option to schema command > schema: Cache schema in api instance > schema: return fingerprint as unicode text > > Filip Skola (9): > Refactor test_user_plugin, use UserTracker for tests > Refactor test_replace > Refactor test_attr > Refactor test_sudocmd_plugin > Refactor test_sudocmdgroup_plugin > Refactor test_group_plugin, use GroupTracker for tests > Refactor test_nesting, create HostGroupTracker > Refactor test_hostgroup_plugin > Refactor test_automember_plugin, create AutomemberTracker > > Florence Blanc-Renaud (5): > Add missing CA options to the manpage for ipa-replica-install > Add the culprit line when a configuration file has an incorrect format > add context to exception on LdapEntry decode error > batch command can be used to trigger internal errors on server > Always qualify requests for admin in ipa-replica-conncheck > > Fraser Tweedale (22): > Do not decode HTTP reason phrase from Dogtag > Remove workaround for CA running check > caacl: correctly handle full user principal name > Prevent replica install from overwriting cert profiles > Detect and repair incorrect caIPAserviceCert config > Remove service and host cert issuer validation > Allow CustodiaClient to be used by arbitrary principals > Load server plugins in certmonger renewal helper > Add ACIs for Dogtag custodia client > Optionally add service name to Custodia key DNs > Setup lightweight CA key retrieval on install/upgrade > Authorise CA Agent to manage lightweight CAs > Add custodia store for lightweight CA key replication > Add 'ca' plugin > Add IPA CA entry on install / upgrade > Update 'caacl' plugin to support lightweight CAs > Add CA argument to ra.request_certificate > Update cert-request to allow specifying CA > Add issuer options to cert-show and cert-find > 
replica-install: configure key retriever before starting Dogtag > upgrade: do not try to start CA if not configured > restart scripts: bootstrap api with in_server=True > > Gabe Alford (1): > ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind' > > Jakub Hrozek (1): > sudo: Fix a typo in the --help output of sudocmdgroup > > James Groffen (1): > Set close button type attribute to 'button'. > > Jan Barta (1): > pylint: fix: multiple-statements > > Jan Cholasta (112): > ipautil: remove unused import causing cyclic import in tests > ipalib: assume version 2.0 when skip_version_check is enabled > ipapython: remove default_encoding_utf8 > ipapython: port p11helper C code to Python > ipapython: use python-cryptography instead of libcrypto in p11helper > spec file: package python-ipalib as noarch > cert renewal: import all external CA certs on IPA CA cert renewal > replica install: validate DS and HTTP server certificates > replica promotion: fix AVC denials in remote connection check > cacert install: fix trust chain validation > client: stop using /etc/pki/nssdb > ipalib: provide per-call command context > ipalib: add convenient Command method for adding messages > certdb: never use the -r option of certutil > spec file: bump minimum required pki-core version > build: fix client-only build > makeapi: use the same formatting for `int` and `long` values > replica install: do not set CA renewal master flag > rpc: do not crash when unable to parse JSON > parameters: remove unused ConversionError and ValidationError > arguments > rpc: include structured error information in responses > frontend: re-raise remote RequirementError using CLI name in CLI > frontend: remove the unused Command.soft_validate method > frontend: perform argument value validation only on server > batch: do not crash when no argument is specified > ipalib: make optional positional command arguments actually optional > frontend: do not forward unspecified positional arguments to server 
> user: do not assume the preserve flags have value in user_del > frontend: do not forward argument defaults to server > makeapi: optimize API.txt > ipalib: remove the unused `csv` argument of Param > makeaci: load additional plugins using API.add_module > plugable: replace API.import_plugins with new API.add_package > ipalib, ipaserver: migrate all plugins to Registry-based registration > ipalib, ipaserver: fix incorrect API.register calls in docstrings > plugable: remove the unused deprecated API.register method > plugable: switch API to Registry-based plugin discovery > frontend: merge baseldap.CallbackRegistry into Command > frontend: move the interactive_prompt callback type to Command > automount: do not inherit automountlocation_import from LDAPQuery > dns: move code called on client to the module level > dns: do not rely on server data structures in code called on client > otptoken: fix import of DN > otptoken_yubikey: fix otptoken_add_yubikey arguments > vault: move client-side code to the module level > vault: copy arguments of client commands from server counterparts > ipalib: use relative imports for cross-plugin imports > frontend: allow commands to have an argument named `name` > cli: make optional positional command arguments actually optional > dns: fix dnsrecord interactive mode > ipaclient: introduce ipaclient.plugins > ipalib: move client-side plugins to ipaclient > help, makeapi: allow setting command topic explicitly > help, makeapi: specify module topic by name > help, makeapi: do not use hardcoded plugin package name > plugable: turn Plugin attributes into properties > plugable: simplify API plugin initialization code > plugable: remember overridden plugins in API > frontend: turn Method attributes into properties > ipaclient: add client-side command override class > dns: move code shared by client and server to separate module > ipalib: split off client-side plugin code into ipaclient > parameters: introduce cli_metavar keyword argument > 
parameters: introduce no_convert keyword argument > ipalib: replace DeprecatedParam with `deprecated` Param argument > ipalib: introduce API schema plugins > rpc: respect API config in RPCClient.create_connection > rpc: allow overriding NSS DB directory in API config > rpc: specify connection options in API config > rpc: optimize JSON-RPC response handling > rpc: do not validate command name in RPCClient.forward > client install: finalize API after CA certs are available > ipactl: use server API > ipalib: move File command arguments to ipaclient > misc: hide the unused --all option of `env` and `plugins` in CLI > ipaclient: implement thin client > ipalib: move server-side plugins to ipaserver > frontend: do not check API minor version of the client > schema: do not validate unrequested params in command_defaults > replica install: use remote server API to create service entries > schema: fix topic command output > schema: fix typo > spec file: require correct packages to get API plugins > plugable: allow plugins to be non-classes > plugable: initialize plugins on demand > schema: generate client-side commands on demand > batch, schema: use Dict instead of Any > misc: fix empty CLI output of `env` and `plugins` commands > dns, passwd: fix outputs of `dns_resolve` and `passwd` commands > frontend: call `execute` rather than `forward` in Local > schema: exclude local commands > schema: fix client-side dynamic defaults > makeaci, makeapi: use in-server API > frontend: don't copy command arguments to output params > frontend: skip `value` output in output_for_cli > frontend: do not crash on missing output in output_for_cli > automember: add object plugin for automember_rebuild > dns: do not rely on custom param fields in record attributes > misc: skip `count` and `total` output in env.output_for_cli > passwd: handle sort order of passwd argument on the client > permission: handle ipapermright deprecated CLI alias on the client > schema: add object class schema > schema: 
remove output_params > schema: merge command args and options > schema: remove redundant information > schema: remove `no_cli` from command schema > replica install: fix thin client regression > ldap: fix handling of binary data in search filters > cert: add object plugin > cert: add owner information > cert: allow search by certificate > dns: fix dns_update_system_records to work with thin client > > Jérôme Fenal (1): > Fix the man page part for shorter sentences, to avoid dual > understanding, and punctuation, all spotted while translating to French. > > Lenka Doudova (5): > WebUI tests: fix failing of tests due to unclickable label > WebUI test: ID views > WebUI: Test creating user without private group > Test fix: Cleanup for host certificate > Test: Maximum username length higher than 255 cannot be set > > Ludwig Krispenz (2): > prevent moving of topology entries out of managed scope by modrdn > operations > v2 - avoid crash in topology plugin when host list contains host > with no hostname > > Lukáš 
Slebodník (6): > extdom: Remove unused macro > IPA-SAM: Fix build with samba 4.4 > CONFIGURE: Replace obsolete macros > ipa-sam: Do not redefine LDAP_PAGE_SIZE > SPEC: Remove unused build dependency on libwbclient > BUILD: Remove detection of libcheck > > Martin Babinsky (44): > raise more descriptive Backend connection-related exceptions > harden domain level 1 topology connectivity checks > ipalib/x509.py: revert deletion of ipalib api import > prevent crash of CA-less server upgrade due to absent certmonger > use FFI call to rpmvercmp function for version comparison > tests for package version comparison > fix Py3 incompatible exception instantiation in replica install code > ipa-csreplica-manage: remove extraneous ldap2 connection > IPA upgrade: move replication ACIs to the mapping tree entry > uninstallation: more robust check for master removal from topology > correctly set LDAP bind related attributes when setting up replication > disable RA plugins when promoting a replica from CA-less master > fix standalone installation of externally signed CA on IPA master > reset ldap.conf to point to newly installed replica after promotion > always start certmonger during IPA server configuration upgrade > upgrade: unconditional import of certificate profiles into LDAP > CI tests: use old schema when testing hostmask-based sudo rules > use LDAPS during standalone CA/KRA subsystem deployment > test_cert_plugin: use only first part of the hostname to construct > short name > only search for Kerberos SRV records when autodiscovery was requested > spec: add conflict with bind-chroot to freeipa-server-dns > spec: require python-cryptography newer than 0.9 > ipa-replica-manage: print traceback on unexpected error when in > verbose mode > otptoken-add: improve the robustness of QR code printing > differentiate between limit types when LDAP search exceeds > configured limits > specify type of exceeded limit when warning about truncated search > results > replica-prepare: do 
not add PTR records if there is no IPA managed > reverse zone > Server Roles: definitions of server roles and attributes > Server Roles: Backend plugin to query roles and attributes > Test suite for `serverroles` backend > Server Roles: public API for server roles > Server Roles: make server-{show,find} utilize role information > Server Roles: make *config-show consume relevant roles/attributes > Server Roles: provide an API for setting CA renewal master > Add NTP to the list of services stored in IPA masters LDAP subtree > Introduce "NTP server" role > ipaserver module for working with managed topology > delegate removal of master DNS record and replica keys to separate > functions > server-del: perform full master removal in managed topology > CI test suite for `server-del` > ipa-replica-manage: use `server_del` when removing domain level 1 > replica > remove the master from managed topology during uninstallation > Fix listing of enabled roles in `server-find` > Do not update result of *-config-show with empty server attributes > > Martin Bašti (147): > Fix DNS tests: dns-resolve returns warning > Remove unused code in server installer related to KRA > Fix version comparison > Fix: replace mkdir with chmod > Use module variables for timedate_services > Remove empty test file > Remove unused imports > Remove wildcard imports > Enable multiple warnings checks in Pylint > Enable pylint lost exception check > Enable pylint duplicated-key check > Enable pylint trailing-whitespace check > Enable pylint missing-final-newline check > Enable pylint unused-format-string-key check > Enable pylint expression-not-assigned check > Enable pylint empty-docstring check > Enable pylint unnecessary-pass check > update_uniqueness plugin: fix referenced before assignment error > Allow to use mixed case for sysrestore > Upgrade: Fix upgrade of NIS Server configuration > DNSSEC test: fix adding zones with --skip-overlap-check > DNSSEC CI: add missing ldns-utils dependency > Enable 
pylint unpacking-non-sequence check > Enable pylint unbalanced-tuple-unpacking check > CI test: fix regression in task.install_kra > Warn about potential loss of CA, KRA, DNSSEC during uninstall > Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter > Exclude o=ipaca subtree from Retro Changelog (syncrepl) > Fix DNSSEC test: add glue record > Warn user when ipa *-find reaches limit > DNSSEC CI: fix zone delegations > make lint: use config file and plugin for pylint > Upgrade: log to ipaupgrade.log when IPA server is not installed > Disable new pylint checks > Py3: do not use dict.iteritems() > upgrade: fix config of sidgen and extdom plugins > trusts: use ipaNTTrustPartner attribute to detect trust entries > Warn user if trust is broken > fix upgrade: wait for proper DS socket after DS restart > Revert "test: Temporarily increase timeout in vault test." > Remove duplicated except > Pylint: add missing attributes of errors to definitions > fix permission: Read Replication Agreements > Make PTR records check optional for IPA installation > Fix connections to DS during installation > pylint: suppress false positive no-member errors > CI: allow customized DS install test to work with domain levels > fix suspicious except statements > Remove unused arguments from update_ssh_keys method > Configure 389ds with "default" cipher suite > krb5conf: use 'true' instead of 'yes' for forwardable option > stageuser-activate: Normalize manager value > Remove redundant parameters from CS.cfg in dogtaginstance > Use platform path constant for SSSD log dir > Fix broken trust warnings > spec: Add missing dependencies to python*-ipalib package > client: enable ChallengeResponseAuthentication in sshd_config > pylint: remove bare except > Pylint: fix definition of global variables > Pylint: enable pointless-except check > Pylint: enable reimported check > Pylint: use list comprehension instead of iteration > Pylint: import max one module per line > Pylint: remove 
unnecessary-semicolon > Pylint: enable invalid-name check > SPEC: do not run upgrade when ipa server is not installed > Fix: catch Exception instead of more specific exception types > Fix stageuser-activate - managers test > Add missing pre_common_callback to stageuser_add > host_del: fix removal of host records > host_del: replace dns-record find command with show > host_del: remove unneeded dnszone-show command call > host_del: split removing A/AAAA and PTR records to separate functions > host_del: remove only A, AAAA, SSHFP, PTR records > host_del: update help for --updatedns option > host-del --updatedns: print warnings instead of error > Use netifaces module instead of 'ip' command > Limit max username length to 255 in config-mod > Increase API version for 'ipamaxusernamelength' attribute change > Configure httpd service from installer instead of directly from RPM > Performance: don't download password attributes in host/user-find > Do not do extra search for ipasshpubkey to generate fingerprints > Always set hostname > Remove deprecated hostname restoration from Fedora18 > Remove unused hostname variables > Log errors from backup_and_replace hostname to logger > Tasks: raise NotImplementedError for not implemented methods > fix stageuser tests (removal of has_keytab and has_password from find) > make: fail when ACI.txt or API.txt differs from values in source code > ipactl: advertise --ignore-service-failure option > Remove unused variable and finally block in SchemaCache > Fix referenced before assignment variables in except statements > Upgrade: always start CA > Remove unused variables in automount plugin > fix pylint false positive errors > Translations: remove deprecated locale configuration > Make option --no-members public in CLI > Performance: Find commands: do not process members by default > Test: fix failing host_test > Fix: replace incorrect no_cli with no_option flag > Fix: topologysuffix_find doesn't have no_members option > DNS Locations: Always 
create DNS related privileges > DNS Locations: add new attributes and objectclasses > DNS Locations: location-* commands > DNS Locations: API tests > Allow to use non-Str attributes as keys for members > DNS Locations: extend server-* command with locations > DNS Location: location-show: return list of servers in location > DNS Locations: when removing location remove it from servers first > DNS Locations: extend tests with server-* commands > Upgrade mod_wsgi socket-timeout on existing installation > Exclude unneeded dirs and files from pylint check > Fix resolve_rrsets: RRSet is not hashable > Revert "adtrust: remove nttrustpartner parameter" > Fix: Local variable s_indent might be referenced before defined > Revert "Switch /usr/bin/ipa to Python 3" > Use python2 for ipa cli > DNS Locations: add index for ipalocation attribute > DNS Locations: fix location-del > DNS Locations: add idnsTemplateObject objectclass > DNS Locations: DNS data management > DNS Locations: permission: allow to read status of services > DNS Locations: add ACI for template attribute > DNS Locations: command dns-update-system-records > DNS Locations: use dns_update_service_records in installers > DNS Locations: adtrustinstance simplify dns management > DNS Locations: use automatic records update in ipa-adtrust-install > DNS Locations: server-mod: add automatic records update > DNS Locations: dnsservers: add required objectclasses > DNS Locations: dnsserver-* commands > DNS Locations: dnsserver: put server_id option into named.conf > DNS Locations: dnsserver: use the newer config way in installer > DNS Locations: dnsserver: remove config when replica is removed > DNS Locations: set proper substitution variable > DNS Locations: require to restart named-pkcs11 after location change > DNS Locations: show warning if there are no DNS servers in location > DNS Locations: prevent to remove used locations > DNS Locations: do not generate location records for unused locations > DNS Locations: 
location-del: remove location record > DNS Locations: Rename ipalocationweight to ipaserviceweight > DNS Locations: generate NTP records > upgrade: don't fail if zone does not exist in find > DNS Location: add list of roles and DNS servers to location-show > DNS Locations: dnsserver: print specific error when DNS is not > installed > Fix possibly undefined variable in ipa_smb_conf_exists() > Updated IPA translations > Replica promotion: use the correct IPA domain for replica > > Martin Košek (1): > Update Developers in Contributors.txt > > Matt Rogers (1): > ipa_kdb: add krbPrincipalAuthInd handling > > Michael Simacek (1): > Fix bytes/string handling in rpc > > Milan Kubík (11): > ipatests: replace the test-example.com domain in tests > ipatests: Roll back the forwarder config after a test case > ipatests: Fix configuration problems in dns tests > ipatests: Make the A record for hosts in topology conditional > ipatests: fix the install of external ca > ipatests: Add missing certificate profile fixture > ipatests: extend permission plugin test with new expected output > spec file: rename the python-polib dependency name to python2-polib > ipatests: fix for change_principal context manager > ipatests: Add test case for requesting a certificate with full > principal. 
> spec: Add python-sssdconfig dependency for python-ipatests package > > Nathaniel McCallum (7): > Don't error when find_base() fails if a base is not required > Rename syncreq.[ch] to otpctrl.[ch] > Ensure that ipa-otpd bind auths validate an OTP > Return password-only preauth if passwords are allowed > Enable authentication indicators for OTP and RADIUS > Migrate from #ifndef guards to #pragma once > Enable service authentication indicator management > > Oleg Fayans (26): > CI tests: Enabled automatic creation of reverse zone during master > installation > CI tests: Added domain realm as a parameter to master installation > in integration tests > Fixed install_ca and install_kra under domain level 0 > fixed an issue with master installation not creating reverse zone > Enabled recreation of test directory in apply_common_fixes function > Updated connect/disconnect replica to work with both domainlevels > Removed --ip-address option from replica installation > Removed messing around with resolv.conf > Integration tests for replica promotion feature > Enabled setting domain level explicitly in test class > Removed a constantly failing call to prepare_host > Made apply_common_fixes call at replica installation independent > on domain_level > Workaround for ticket 5627 > Added copyright info to replica promotion tests > rewrite a misprocessed teardown_method method as a custom decorator > Reverted changes in mh fixture causing some tests to fail > Fixed a bug with prepare_host failing upon existing ipatests folder > Added a kdestroy call to clean ccache at master/client uninstallation > Added 5 more tests to Replica Promotion testsuite > Fixed a failure in legacy_client tests > Add test if replica is working after domain upgrade > Improve reporting of failed tests in topology test suite > Bugfixes in managed topology tests > A workaround for ticket N 5348 > Added necessary A record for the replica to root zone > Increased certmonger timeout > > Patrice Duc-Jacquet 
(2): > Incorrect message when KRA already installed > Add more information regarding where to find revocation reason in > "ipa cert_revoke -h" and "ipa cert_find -h". > > Pavel Vomacka (41): > Add tool tips for Revert, Refresh, Undo, and Undo All > Add support for the 'user' url parameter for the reset_password.html > Add validation to Issue new certificate dialog > Add pan and zoom functionality to the topology graph > Nodes stay fixed after initial animation. > Add field for group id in user add dialog > Resize topology graph canvas according to window size > Add X-Frame-Options and frame-ancestors options > Add activate option to stage user details page > Add 'skip overlap check' checkbox into add zone dialog > Add 'skip overlap check' checkbox to the add dns forward zone dialog > Add option to show OTP when adding host > Update the delete dialog on details user page > Add ability to stage multiple users > Add option to stage user from details page > Change lang.hitch to javascript bind method > Change 'Restore' to 'Remove Hold' > Extend the certificate request dialog > Auth Indicators WebUI part > Fix bad searching of reverse DNS zone > Add adapter attribute for choosing record > DNS Locations: WebUI part > Add lists of hosts allowed to create or retrieve keytabs > Correct a jslint warning > Association table can be read only > Extend table facet > Add server roles on topology page > Search facet can be without search field > Add ability to review cert request dialog > Add new webui plugin - ca > Extend certificate entity page > Extend caacl entity > Make Actions string translatable > Extend DNS config page > Extend trust config page > Add creating a segment using mouse > Add listener which opens add segment dialog > Add placeholder to add segment dialog > Add DNS default TTL field > Allow to set weight of a server without location > DNS Servers: Web UI part > > Peter Lacko (1): > Ping module tests. 
> > Petr Viktorin (46): > Package ipapython, ipalib, ipaplatform, ipatests for Python 3 > Use explicit truncating division > Don't index exceptions directly > Use print_function future definition wherever print() is used > Alias "unicode" to "str" under Python 3 > Avoid builtins that were removed in Python 3 > dnsutil: Rename __nonzero__ to __bool__ > Remove deprecated contrib/RHEL4 > make-lint: Allow running pylint --py3k to detect Python3 issues > Split ipa-client/ into ipaclient/ (Python library) and client/ (C, > scripts) > test_parameters: Ignore specific error message > ipaldap, ldapupdate: Encoding fixes for Python 3 > ipautil.run, kernel_keyring: Encoding fixes for Python 3 > tests: Use absolute imports > ipautil: Use mode 'w+' in write_tmp_file > test_util: str/bytes check fixes for Python 3 > p11helper: Port to Python 3 > cli: Don't encode/decode for stdin/stdout on Python 3 > Package python3-ipaclient > Move get_ipa_basedn from ipautil to ipadiscovery > ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn() > ipapython.sysrestore: Use str methods instead of functions from > the string module > ipalib.x809: Accept bytes for make_pem > dns plugin: Fix zone normalization under Python 3 > sysrestore: Iterate over a list of dict keys > test_xmlrpc: Use absolute imports > xmlrpc_test: Rename exception instance before working with it > radiusproxy plugin: Use str(error) rather than error.message > xmlrpc_test: Expect bytes rather than strings for binary attributes > ipalib.rpc: Send base64-encoded data as string under Python 3 > range plugin tests: Use bytes with MockLDAP under Python 3 > radiusproxy plugin tests: Expect bytes, not text, for > ipatokenradiussecret > certprofile plugin: Use binary mode for file with binary data > test_add_remove_cert_cmd: Use bytes for base64.b64encode() > Switch /usr/bin/ipa to Python 3 > Fix remaining relative import and enable Pylint check > ipalib.cli: Improve reporting of binary values in the CLI > 
test_cert_plugin: Encode 'certificate' for comparison with > 'usercertificate' > ipaldap: Keep attribute names as text, not bytes > ipapython.secrets.kem: Use ConfigParser from six.moves > test_topology_plugin: Don't rely on order of an attribute's values > test_rpcserver: Expect updated error message under Python 3 > ipaplatform.redhat: Use bytestrings when calling rpm.so for > version comparison > test_ipaserver.test_ldap: Use bytestrings for raw LDAP values > ipaldap: Convert dict items to list before iterating > test_ipaserver.test_ldap: Adjust tests to Python 3's KeyView > > Petr Voborník (16): > Bump 4.4 development version to 4.3.90 > webui: add examples to network address validator error message > webui: pwpolicy cospriority field was marked as required > spec: do not require arch specific ipalib package from noarch packages > webui: display server suffixes in server search page > stop installer when setup-ds.pl fails > webui: crash nicely if sessionStorage is not available > webui: remove moot error from webui build > webui: use API call ca_is_enabled instead of enable_ra env variable. > webui: fixed showing of success message after password change on login > advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap > plugins > cookie parser: do not fail on cookie with empty value > fix incorrect name of ipa-winsync-migrate command in help > webui: fail nicely if cookies are disabled > ipa-client-install: fix typo in nslcd service name > Become IPA 4.4.0 Alpha 1 > > Petr Špaček (51): > dns: Handle SERVFAIL in check if domain already exists. 
> DNSSEC: Improve error reporting from ipa-ods-exporter > DNSSEC: Make sure that current state in OpenDNSSEC matches key > state in LDAP > DNSSEC: Make sure that current key state in LDAP matches key state > in BIND > DNSSEC: remove obsolete TODO note > DNSSEC: add debug mode to ldapkeydb.py > DNSSEC: logging improvements in ipa-ods-exporter > DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP > DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP > DNSSEC: ipa-ods-exporter: add ldap-cleanup command > DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal > DNSSEC: Log debug messages at log level DEBUG > Fix --auto-reverse option in --unattended mode. > Fix dns_is_enabled() API command to throw exceptions as appropriate > Fix DNS zone overlap check to allow ipa-replica-install to work > Fix ipa-adtrust-install to always generate SRV records with FQDNs > Fix URL for reporting bugs in strings > Pylint: enable parallelism > Makefile: replace perl with sed > Remove function ipapython.ipautil.host_exists() > Extend installers with --forward-policy option > Move automatic empty zone list into ipapython.dnsutil and make it > reusable > Add assert_absolute_dnsname() helper to ipapython.dnsutil > Move function is_auto_empty_zone() into ipapython.dnsutil > Use shared sanity check and tests > ipapython.dnsutil.is_auto_empty_zone() > Add function ipapython.dnsutil.inside_auto_empty_zone() > Auto-detect default value for --forward-policy option in installers > ipa-nis-manage: Replace text references to compat plugin with NIS > ipa-nis-manage: mention return code 3 in man page > DNS: Fix upgrade - master to forward zone transformation > DNS installer: accept --auto-forwarders option in unattended mode > Remove unused file install/share/fedora-ds.init.patch > Batch command: avoid accessing potentially undefined context.principal > pylint: replace Refactor category with individual check names > ipa-nis-manage: add status option > DNS: 
Warn if forwarding policy conflicts with automatic empty zones > Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil > Use root_logger for verify_host_resolvable() > Move IP address resolution from ipaserver.install.installutils to > ipapython.dnsutil > Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil > Add ipaDNSVersion option to dnsconfig* commands and use new attribute > DNS upgrade: separate backup logic to make it reusable > Add function ipapython.dnsutil.related_to_auto_empty_zone() > DNS upgrade: change forwarding policy to = only for conflicting > forward zones > DNS upgrade: change global forwarding policy in LDAP to "only" if > private IPs are used > DNS upgrade: change global forwarding policy in named.conf to > "only" if private IPs are used > Require 389-ds-base >= 1.3.5.6 > DNS Locations: make ipa-ca record generation more robust > DNS: Support default TTL setting for master DNS zones > DNS: Warn about restart when default TTL setting DNS is changed > DNS: Fix realm domains integration with DNS zone add. > > Simo Sorce (6): > Use only AES enctypes by default > Always verify we have a valid ldap context. > Improve keytab code to select the right principal. > Convert ipa-sam to use the new getkeytab control > Allow admins to disable preauth for SPNs. 
> Allow to specify Kerberos authz data type per user > > Stanislav Laznicka (21): > Listing and cleaning RUV extended for CA suffix > Automatically detect and remove dangling RUVs > Cosmetic changes to the code > Fixes minor issues > replica-manage: fail nicely when DM password required > ipa-replica-manage refactoring > abort-clean/list/clean-ruv now work for both suffixes > Moved password check from clean_dangling_ruv > Fix to clean-dangling-ruv for single CA topologies > Added pyusb as a dependency > Added some attributes to Modify Users permission > Deprecated the domain-level option in ipa-server-install > Increased mod_wsgi socket-timeout > Added = mapping to krb5.conf > Decreased timeout for IO blocking for DS > fixes premature sys.exit in ipa-replica-manage del > Remove dangling RUVs even if replicas are offline > Added krb5.conf.d/ to included dirs in krb5.conf > Removed dead code from LDAP{Remove,Add}ReverseMember > Fixes CA always being presented as running > Increase nsslapd-db-locks to 50000 > > Sumit Bose (3): > ipa-kdb: get_authz_data_types() make sure entry can be NULL > ipa-kdb: map_groups() consider all results > extdom: add certificate request > > Thierry Bordaz (3): > configure DNA plugin shared config entries to allow connection > with GSSAPI > DS deadlock when memberof scopes topology plugin updates > Make sure ipapwd_extop takes precedence over passwd_modify_extop > > Thorsten Scherf (1): > Fixed typo in service-add > > Timo Aaltonen (6): > Use HTTPD_USER in dogtaginstance.py > Move freeipa certmonger helpers to libexecdir. > ipa_restore: Import only FQDN from ipalib.constants > ipaplatform: Move remaining user/group constants to > ipaplatform.constants. > Use ODS_USER/ODS_GROUP in opendnssec_conf.template > Fix kdc.conf.template to use ipaplatform.paths. > > Tomáš 
Babej (10): > py3: Remove py3 incompatible exception handling > logger: Use warning instead of warn > Loggger: Use warning instead of warn - dns plugin > ipa-getkeytab: Handle the possibility of not obtaining a result > ipa-adtrust-install: Allow dash in the NETBIOS name > spec: Bump required sssd version to 1.13.3-5 > adtrustinstance: Make sure smb.conf exists > l10n: Remove Transifex configuration > ipalib: Fix user certificate docstrings > idviews: Add user certificate attribute to user ID overrides > > Yuri Chornoivan (3): > Fix minor typo > Fix minor typos > Fix minor typos > -- > Petr Vobornik > > _______________________________________________ > Freeipa-interest mailing list > Freeipa-interest at redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-interest -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From mbasti at redhat.com Thu Jun 23 07:49:31 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 09:49:31 +0200
Subject: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization
References: <5612745A.2090805@redhat.com> <746db332-9b7c-1a1f-0e58-5dc99099eeee@redhat.com> <1466612819.9981.133.camel@redhat.com> <1466614611.9981.135.camel@redhat.com>
Message-ID: <337a6e61-004e-5ddd-b307-6034ba50dcd7@redhat.com>

On 23.06.2016 09:44, David Kupka wrote:
> On 22/06/16 18:56, Simo Sorce wrote:
>> On Wed, 2016-06-22 at 18:36 +0200, Martin Babinsky wrote:
>>> On 06/22/2016 06:26 PM, Simo Sorce wrote:
>>>> On Wed, 2016-06-22 at 09:46 +0200, Martin Babinsky wrote:
>>>>> On 10/05/2015 03:00 PM, Martin Babinsky wrote:
>>>>>> These patches implement the plumbing required to properly support
>>>>>> canonicalization of Kerberos principals
>>>>>> (https://fedorahosted.org/freeipa/ticket/3864).
>>>>>>
>>>>>> Setting multiple principal aliases on hosts/services is beyond the scope
>>>>>> of this patchset and should be done after these patches are pushed.
>>>>>>
>>>>>> I will try to send some tests for the patches later this week.
>>>>>>
>>>>>> Please review the hell out of them.
>>>>>
>>>>> Long time no see.
>>>>>
>>>>> I am attaching rebased infrastructure patches which were reviewed and
>>>>> tested by David a year ago :). Now that all related DS bugs were fixed
>>>>> and the patches still work as expected, we may push them so that the
>>>>> plumbing for further work (API for alias handling etc.) is in place.
>>>>
>>>> If the patches were all reviewed and tested I say push them.
>>>>
>>>> Simo.
>>>
>>> There is one problem remaining, however, that when a user is kinit'ing
>>> for the first time using his alias and has to change password, the
>>> operation fails:
>>>
>>> """
>>> [root@master1 ~]# kinit -C talias
>>> Password for talias@IPA.TEST:
>>> kinit: KDC reply did not match expectations while getting initial credentials
>>> """
>>>
>>> This is the related snippet from KDC log:
>>>
>>> """
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: CLIENT KEY EXPIRED: talias@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Password has expired
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: NEEDED_PREAUTH: talias@IPA.TEST for kadmin/changepw@IPA.TEST, Additional pre-authentication required
>>> Jun 22 16:29:24 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.122.100: ISSUE: authtime 1466612968, etypes {rep=18 tkt=18 ses=18}, talias@IPA.TEST for kadmin/changepw@IPA.TEST
>>> Jun 22 16:29:28 master1.ipa.test krb5kdc[31003](info): closing down fd 12
>>> """
>>>
>>> Here is the same command repeated with captured libkrb5 trace:
>>> https://paste.fedoraproject.org/383358/14666131
>>>
>>> If I use kinit with the canonical principal everything works as
>>> expected, even with '-C' and '-E' options. Subsequent kinits using
>>> canonicalization work as expected.
>>>
>>> Frankly I have no idea why this happens and I do not know how much this
>>> error blocks us. We may need to investigate this before pizza orders
>>> arrive.
>>
>> I guess the password changing code is making a request without
>> canonicalization flags set for the kpasswd service.
>> As you can see the kpasswd case is special because we are making an AS
>> REQ (not a TGS req) directly for that service, and that request needs to
>> use canonicalization as well, it probably isn't.
>>
>> Simo.
>
> Hello!
>
> I've reviewed and tested the patches a year ago and now with current
> master again. The only issue I've found is the problem Martin is
> describing. User can not kinit with alias after password reset.
> Since this is not regression I believe the patches can be pushed now
> and the issue can be solved together with the rest of missing
> functionality. ACK!

pushed to master:
* e43231456d8de954423582dbee439e330573d04b perform case-insensitive principal search when canonicalization is requested
* 5f963e1ad18fdf52d0b41e143fd12f236b2a1ce7 mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
* 229ab40dd3d21346db8cd6dc65c03285f917271b add case-insensitive matching rule to krbprincipalname index
* 3f93f805571c1b791f0c378053ae8ecf37126e7f add krbCanonicalName to attributes watched by MODRDN plugin
* 7ed7a86511ec516c2f785968050f5d0a42978ba5 ipa-kdb: set krbCanonicalName when creating new principals
* b169a72735fccb170adb5c84ec1bcc10a70e5494 ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
* 705f66f7490c64de1adc129221b31927616c485d IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
* 1bba2ed45df83684be1d50ef6e1ddb10f7a7d074 set krbcanonicalname on host entry during krbinstance configuration
* 06d945a04607dc36e25af78688b4295420489fb9 account for added krbcanonicalname attribute during xmlrpc tests

From pvomacka at redhat.com Thu Jun 23 07:57:23 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 23 Jun 2016 09:57:23 +0200
Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command
Message-ID: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com>

Hello,

please review attached patch.

Part of: https://fedorahosted.org/freeipa/ticket/5905

--
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0061-Add-button-for-dns_update_system_records-command.patch
Type: text/x-patch
Size: 4294 bytes

From mbasti at redhat.com Thu Jun 23 08:30:08 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 10:30:08 +0200
Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests
In-Reply-To: <0a5ec8ab-6ec0-ee67-9fb0-4536705cf254@redhat.com>
References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> <0a5ec8ab-6ec0-ee67-9fb0-4536705cf254@redhat.com>
Message-ID: <6f6f190e-028d-54a3-b6a2-7bbb4ef0d25d@redhat.com>

On 23.06.2016 06:55, Lenka Doudova wrote:
> On 06/22/2016 05:11 PM, Lenka Doudova wrote:
>> On 06/22/2016 04:37 PM, Lenka Doudova wrote:
>>> On 06/22/2016 08:33 AM, Martin Basti wrote:
>>>> On 22.06.2016 07:37, Lenka Doudova wrote:
>>>>> On 06/21/2016 06:57 PM, Martin Basti wrote:
>>>>>> On 21.06.2016 15:39, Lenka Doudova wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> attaching patch for failing location tests
>>>>>>> (ipatests/test_xmlrpc/test_location_plugin.py).
>>>>>>>
>>>>>>> Lenka
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> 1)
>>>>>> +            expected_updates={u'ipalocation_location':
>>>>>>                               [location.idnsname_obj],
>>>>>> +                             u'enabled_role_servrole': (
>>>>>> +                                 u'CA server', u'DNS server',
>>>>>>                                   u'NTP server')},
>>>>>>
>>>>>> This depends on services installed on server, so server without
>>>>>> DNS will cause test failures. We probably should skip test if DNS
>>>>>> isn't installed.
>>>>>> Without DNS installed you get much more different warnings
>>>>>>
>>>>>> 2)
>>>>>> +    def update(self, updates, expected_updates=None, messages=None):
>>>>>> ....
>>>>>> +        self.messages = messages
>>>>>>
>>>>>> Why is this needed? I'm puzzled by this
>>>>>>
>>>>>> It is defined outside __init__ what is wrong and it is never used.
>>>>>
>>>>> Hi, thanks for review.
>>>>> ad 1: will fix
>>>>> ad 2: the 'messages' key is indeed used, because this key is
>>>>> returned every time a server is attached to/removed from a
>>>>> location. If the 'messages' is not supplied to the result
>>>>> comparison, the test fails (see
>>>>> https://paste.fedoraproject.org/382936/65732411/ for result of
>>>>> test without applied patch).
>>>>>
>>>>> Lenka
>>>>
>>>> Please point me to the line where ServerTracker.messages is used, I
>>>> still don't see it. In your fpaste, removed self.messages in that
>>>> context is TestLocationsServer.messages not ServerTracker.messages
>>>>
>>>> Martin^2
>>>
>>> Ah, right you are, my good sir. I fixed both issues, hopefully will
>>> be fine now. Fixed patch attached.
>>> Lenka
>>
>> Self NACK, will provide some more changes tomorrow.
>> Lenka
>
> And here it goes...
>
> Lenka

This is really weird

fuzzy_servrole = Fuzzy(
    type=list,
    test=lambda other: False not in set(
        item in (u'CA server', u'DNS server', u'NTP server')
        for item in other)
    and u'DNS server' in other)

1) Why is there special case 'DNS server' in other, IMO general fuzzy
object should not enforce DNS server role

2) Several servroles related to AD trust are missing there, so if you are
doing general fuzzy object for server roles it should contain all roles

3)
I suggest something like
lambda other: all(item in {u'CA server', u'DNS server', u'NTP server', ...} for item in other)

4) during yesterday's interactive review, I suggested to use just
lambda other: True, as serveroles are tested in different test suite,
but if you fix issues above, it can stay as it is

Martin^2

From mbasti at redhat.com Thu Jun 23 10:24:28 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 12:24:28 +0200
Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
In-Reply-To: <541c5c87-6121-9ff5-1081-306fac42a123@redhat.com>
References: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> <541c5c87-6121-9ff5-1081-306fac42a123@redhat.com>
Message-ID: <3e7ad502-0370-6585-1973-4d3879ebcee8@redhat.com>

On 23.06.2016 08:52, Stanislav Laznicka wrote:
> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> Please see the patch attached that fixes the issue from
>>> https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a
>>> while to create as I thought something was wrong with the SshExec class
>>> which actually was where the password was required.
>>
>> "The nss_db variable didn't go through the proper initialization"
>>
>> You are going to have to be more specific, because the variable is
>> properly initialized right here:
>>
>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>
>> And the nss_db.secdir attribute used in the api.bootstrap() call is
>> properly initialized in NSSDatabase():
>>
>>     def __init__(self, nssdir=None):
>>         if nssdir is None:
>>             self.secdir = tempfile.mkdtemp()
>>             self._is_temporary = True
>>         else:
>>             self.secdir = nssdir
>>             self._is_temporary = False
>>
> You're right, the commit message was rather generic. Hopefully this
> new one will be better.

Works for me, if Honza agrees this can be pushed.

From jcholast at redhat.com Thu Jun 23 10:29:03 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 23 Jun 2016 12:29:03 +0200
Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
In-Reply-To: <3e7ad502-0370-6585-1973-4d3879ebcee8@redhat.com>
References: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> <541c5c87-6121-9ff5-1081-306fac42a123@redhat.com> <3e7ad502-0370-6585-1973-4d3879ebcee8@redhat.com>

On 23.6.2016 12:24, Martin Basti wrote:
> On 23.06.2016 08:52, Stanislav Laznicka wrote:
>> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>>> Hello,
>>>>
>>>> Please see the patch attached that fixes the issue from
>>>> https://fedorahosted.org/freeipa/ticket/5965. The patch took me quite a
>>>> while to create as I thought something was wrong with the SshExec class
>>>> which actually was where the password was required.
>>>
>>> "The nss_db variable didn't go through the proper initialization"
>>>
>>> You are going to have to be more specific, because the variable is
>>> properly initialized right here:
>>>
>>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>>
>>> And the nss_db.secdir attribute used in the api.bootstrap() call is
>>> properly initialized in NSSDatabase():
>>>
>>>     def __init__(self, nssdir=None):
>>>         if nssdir is None:
>>>             self.secdir = tempfile.mkdtemp()
>>>             self._is_temporary = True
>>>         else:
>>>             self.secdir = nssdir
>>>             self._is_temporary = False
>>>
>> You're right, the commit message was rather generic. Hopefully this
>> new one will be better.
>
> Works for me, if Honza agrees this can be pushed.

Okay.

--
Jan Cholasta

From mbasti at redhat.com Thu Jun 23 10:27:22 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 12:27:22 +0200
Subject: [Freeipa-devel] [PATCH 0049] Fix host principal password required in ipa-ca-install
References: <232753f8-de8c-a3cf-94a8-9752c3f80150@redhat.com> <541c5c87-6121-9ff5-1081-306fac42a123@redhat.com> <3e7ad502-0370-6585-1973-4d3879ebcee8@redhat.com>
Message-ID: <25570891-dafb-7033-2101-ef088f0052f3@redhat.com>

On 23.06.2016 12:29, Jan Cholasta wrote:
> On 23.6.2016 12:24, Martin Basti wrote:
>> On 23.06.2016 08:52, Stanislav Laznicka wrote:
>>> On 06/23/2016 08:09 AM, Jan Cholasta wrote:
>>>> On 22.6.2016 16:22, Stanislav Laznicka wrote:
>>>>> Hello,
>>>>>
>>>>> Please see the patch attached that fixes the issue from
>>>>> https://fedorahosted.org/freeipa/ticket/5965. The patch took me
>>>>> quite a while to create as I thought something was wrong with the
>>>>> SshExec class which actually was where the password was required.
>>>>
>>>> "The nss_db variable didn't go through the proper initialization"
>>>>
>>>> You are going to have to be more specific, because the variable is
>>>> properly initialized right here:
>>>>
>>>>     with certdb.NSSDatabase(nss_dir) as nss_db:
>>>>
>>>> And the nss_db.secdir attribute used in the api.bootstrap() call is
>>>> properly initialized in NSSDatabase():
>>>>
>>>>     def __init__(self, nssdir=None):
>>>>         if nssdir is None:
>>>>             self.secdir = tempfile.mkdtemp()
>>>>             self._is_temporary = True
>>>>         else:
>>>>             self.secdir = nssdir
>>>>             self._is_temporary = False
>>>>
>>> You're right, the commit message was rather generic. Hopefully this
>>> new one will be better.
>>
>> Works for me, if Honza agrees this can be pushed.
>
> Okay.

Pushed to master: 0db48e4d04b3b8377667b388b88f2fe9f57bf4a3

From pspacek at redhat.com Thu Jun 23 10:33:10 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Jun 2016 12:33:10 +0200
Subject: [Freeipa-devel] [PATCH 0533] Server-del: fix system records removal
In-Reply-To: <019eea02-4a5c-e196-667e-eefe9aaba149@redhat.com>
References: <019eea02-4a5c-e196-667e-eefe9aaba149@redhat.com>

On 20.6.2016 19:34, Martin Basti wrote:
> Patch attached.
>
> Services must be removed before records are updated

ACK

--
Petr^2 Spacek

From mbasti at redhat.com Thu Jun 23 10:39:23 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 12:39:23 +0200
Subject: [Freeipa-devel] [PATCH 0533] Server-del: fix system records removal
References: <019eea02-4a5c-e196-667e-eefe9aaba149@redhat.com>
Message-ID: <0a9e2672-1e83-40c9-424a-a83018d76f28@redhat.com>

On 23.06.2016 12:33, Petr Spacek wrote:
> On 20.6.2016 19:34, Martin Basti wrote:
>> Patch attached.
>>
>> Services must be removed before records are updated
> ACK

Pushed to master: 926462d335ea49857732f1cf2fd2a1956c5b57d8

From mbasti at redhat.com Thu Jun 23 10:44:58 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 12:44:58 +0200
Subject: [Freeipa-devel] [PATCH 0537] CA replica promotion: add proper CA DNS records
Message-ID: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com>

patch attached.

https://fedorahosted.org/freeipa/ticket/5966

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-4.3-mbasti-0537-CA-replica-promotion-add-proper-CA-DNS-records.patch
Type: text/x-patch
Size: 3973 bytes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0537-CA-replica-promotion-add-proper-CA-DNS-records.patch
Type: text/x-patch
Size: 4054 bytes

From ldoudova at redhat.com Thu Jun 23 10:55:21 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 23 Jun 2016 12:55:21 +0200
Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests
In-Reply-To: <6f6f190e-028d-54a3-b6a2-7bbb4ef0d25d@redhat.com>
References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> <0a5ec8ab-6ec0-ee67-9fb0-4536705cf254@redhat.com> <6f6f190e-028d-54a3-b6a2-7bbb4ef0d25d@redhat.com>
Message-ID: <16b90e67-b6fd-24f0-76d2-42ed5d3fc198@redhat.com>

On 06/23/2016 10:30 AM, Martin Basti wrote:
> On 23.06.2016 06:55, Lenka Doudova wrote:
>> On 06/22/2016 05:11 PM, Lenka Doudova wrote:
>>> On 06/22/2016 04:37 PM, Lenka Doudova wrote:
>>>> On 06/22/2016 08:33 AM, Martin Basti wrote:
>>>>> On 22.06.2016 07:37, Lenka Doudova wrote:
>>>>>> On 06/21/2016 06:57 PM, Martin Basti wrote:
>>>>>>> On 21.06.2016 15:39, Lenka Doudova wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> attaching patch for failing location tests
>>>>>>>> (ipatests/test_xmlrpc/test_location_plugin.py).
>>>>>>>>
>>>>>>>> Lenka
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> 1)
>>>>>>> +            expected_updates={u'ipalocation_location':
>>>>>>>                               [location.idnsname_obj],
>>>>>>> +                             u'enabled_role_servrole': (
>>>>>>> +                                 u'CA server', u'DNS server',
>>>>>>>                                   u'NTP server')},
>>>>>>>
>>>>>>> This depends on services installed on server, so server without
>>>>>>> DNS will cause test failures. We probably should skip test if
>>>>>>> DNS isn't installed.
>>>>>>> Without DNS installed you get much more different warnings
>>>>>>>
>>>>>>> 2)
>>>>>>> +    def update(self, updates, expected_updates=None,
>>>>>>>               messages=None):
>>>>>>> ....
>>>>>>> +        self.messages = messages
>>>>>>>
>>>>>>> Why is this needed? I'm puzzled by this
>>>>>>>
>>>>>>> It is defined outside __init__ what is wrong and it is never used.
>>>>>>
>>>>>> Hi, thanks for review.
>>>>>> ad 1: will fix
>>>>>> ad 2: the 'messages' key is indeed used, because this key is
>>>>>> returned every time a server is attached to/removed from a
>>>>>> location. If the 'messages' is not supplied to the result
>>>>>> comparison, the test fails (see
>>>>>> https://paste.fedoraproject.org/382936/65732411/ for result of
>>>>>> test without applied patch).
>>>>>>
>>>>>> Lenka
>>>>>
>>>>> Please point me to the line where ServerTracker.messages is used,
>>>>> I still don't see it. In your fpaste, removed self.messages in
>>>>> that context is TestLocationsServer.messages not
>>>>> ServerTracker.messages
>>>>>
>>>>> Martin^2
>>>>
>>>> Ah, right you are, my good sir. I fixed both issues, hopefully will
>>>> be fine now. Fixed patch attached.
>>>> Lenka
>>>
>>> Self NACK, will provide some more changes tomorrow.
>>> Lenka
>>
>> And here it goes...
>>
>> Lenka
>
> This is really weird
>
> fuzzy_servrole = Fuzzy(
>     type=list,
>     test=lambda other: False not in set(
>         item in (u'CA server', u'DNS server', u'NTP server')
>         for item in other)
>     and u'DNS server' in other)
>
> 1) Why is there special case 'DNS server' in other, IMO general fuzzy
> object should not enforce DNS server role
>
> 2) Several servroles related to AD trust are missing there, so if you
> are doing general fuzzy object for server roles it should contain all
> roles
>
> 3)
> I suggest something like
> lambda other: all(item in {u'CA server', u'DNS server', u'NTP server',
> ...} for item in other)
>
> 4) during yesterday's interactive review, I suggested to use just
> lambda other: True, as serveroles are tested in different test suite,
> but if you fix issues above, it can stay as it is
>
> Martin^2

Fixed according to suggestion from interactive review. Attached.

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0019.4-Tests-Fix-for-failing-location-tests.patch
Type: text/x-patch
Size: 9729 bytes

From pvoborni at redhat.com Thu Jun 23 13:17:02 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 23 Jun 2016 15:17:02 +0200
Subject: [Freeipa-devel] [PATCH] 0018-0030, 52 webui: add support for more certificates
References: <571F520B.2000501@redhat.com> <571F58E7.1070703@redhat.com> <571F79E2.2000106@redhat.com>

comments inline

On 06/20/2016 02:37 PM, Pavel Vomacka wrote:
> On 06/14/2016 09:41 PM, Pavel Vomacka wrote:
>> On 05/13/2016 06:56 PM, Petr Vobornik wrote:
>>> On 04/26/2016 04:23 PM, Pavel Vomacka wrote:
>>>> Self-NACK for patches 0027, 28, 29, 30 - used incorrect policy. I also attach
>>>> all patches which were not changed - it is easier to get the whole patchset.
>>>>
>>>> On 04/26/2016 02:02 PM, Pavel Vomacka wrote:
>>>>> I forgot to mention that my patches require patches from:
>>>>> https://www.redhat.com/archives/freeipa-devel/2016-April/msg00209.html
>>>>>
>>>>> On 04/26/2016 01:33 PM, Pavel Vomacka wrote:
>>>>>> Hello,
>>>>>>
>>>>>> the attached patches add support for more certificates and ability to add and
>>>>>> remove certificates. Fixes these two tickets:
>>>>>> https://fedorahosted.org/freeipa/ticket/5108
>>>>>> https://fedorahosted.org/freeipa/ticket/5381
>>>>>>
>>>>>> These patches add ability to view, get, download, revoke, restore and delete
>>>>>> each certificate directly from user/host/service details page. There is also
>>>>>> button for adding new certificates.
>>>>>>
>>>>>> There is one known issue, that after page save action is performed some data
>>>>>> disappear (includes certificates). This issue has a ticket already:
>>>>>> https://fedorahosted.org/freeipa/ticket/5776
>>>>>>
>>>>>> --
>>>>>> Pavel^3 Vomacka
>>>
>>> Great stuff, couple comments below.
>>>
>>> We can discuss some items in person. Not everything needs to be done.
>>>
>>> I didn't run it, just reading the code.
>>>
>>> Patch 0018:
>>>
>>> 1. Nit pick: When a value should be boolean, then following method won't
>>> make sure that dropdown_menu won't be e.g. an object.
>>> +    that.dropdown_menu = spec.dropdown_menu || false;
>>>
>>> I would prefer:
>>> +    that.dropdown_menu = !!spec.dropdown_menu;
>>>
>>> Which retypes it to boolean. If default should be true (not this case) then:
>>>     that.dropdown_menu = spec.dropdown_menu !== undefined ?
>>>         !!spec.dropdown_menu : true;
>>>
>>> Also the interface is very specific. It says that the child widget will
>>> have dropdown menu. What if the actions won't be in dropdown menu but,
>>> e.g., some overlay menu.
>>>
>>> Imho the interface should be:
>>>
>>>     that.custom_actions = !!spec.custom_actions;
>>>
>>> Then the child object would have to define, e.g.:
>>>
>>>     action_object get_custom_actions()
>>>
>>> Interface of action_object would be e.g.:
>>>     get_items()
>>>     set_items(items)
>>>     enable_item(name)
>>>     disable_item(name)
>>>
>>> Dropdown menu would have to define these methods.

It calls .render on custom actions object. But this method is not part of
the interface:
    + custom_actions.render();
IMHO it should be called internally in the widget as a result of set_items
or disable_item, enable_item call.

>>>
>>> Patch 0019:
>>>
>>> 1. Shouldn't disable_item or enable_item automatically rerender the items?
>>> Same for set and get_items.

As mentioned above. The render code in disable/enable_item should be
executed only if this.ul_node exists.

>>>
>>> 2. The rerender, used in later patches. Imo it should do only:
>>>
>>>     if (this.ul_node) {
>>>         construct.empty(this.ul_node);
>>>         this._render_items(this.items);
>>>     }
>>>
>>> Or just re-render the one item.
>>>     $( "li[data-name=" + item.name +"]", this.ul_node ).replaceWith(
>>>         this._render_item(item));
>>>
>>> 3. in future for loops write:
>>>     for (var i=0, l=this.items.length; i<l; i++)
>>> instead of
>>>     for (var i=0; i<this.items.length; i++)
>>>
>>> It's defensive style when you don't know if computing length is O(1) or
>>> O(n) or how big is n. In this instance it doesn't probably matter.
>>>
>>> Patch 0020:
>>>
>>> 1. Working widgets inherit from IPA.widget so why do you redefine
>>> 'name', 'facet', 'entity'
>>>
>>> 2. why do you introduce 'base_cls' and 'other_cls' when there are
>>> 'base_css_class' and 'css_class'?
>>>
>>> 3. typo in comment 'opaciti'
>>>
>>> 4. We can ignore IE < 9, I'm not sure if you avoid using some features
>>> because of IE9.
>>>
>>> 5. _normalize_bg_color_css could be moved to util.js But I wonder if we
>>> need it. rgba is supported in 95% of browsers and definitely in all
>>> supported by IPA (chrome, firefox).

Patch 0020-2: ACK

>>>
>>> Patch 0021:
>>>
>>> 1. The original code is not great - RPC code should be agnostic to
>>> display layer. Ideally it would not call methods like
>>> IPA.hide_activity_icon(); and IPA.display_activity_icon();
>>>
>>> I would rather avoid adding more of such things there and would refactor
>>> now, when it is easy.
>>>
>>> IMO the rpc class could use Evented mixin and have:
>>>     4 local events: start, end, success, error
>>>     2 global topics: rpc-start, rpc-end
>>>
>>> Local events will be new - will replace the notify_activity_start and
>>> notify_activity_end. For convenience, spec object could accept
>>> handlers in similar fashion as now. The handlers would be registered to
>>> the events.
>>>
>>> Global topics would replace current IPA.hide_activity_icon(); and
>>> IPA.display_activity_icon();
>>>
>>> App class would subscribe to the global events and do stuff (hide|show)
>>> accordingly. Example of such subscription:
>>>     topic.subscribe('phase-error', lang.hitch(this, this.on_phase_error));
>>>
>>> Then hide_activity_icon could be something like notify_global with
>>> default to true which can be suppressed by setting it to false.
>>>
>>> What do you think?

OK, if addressed later then ACK for 0021-2 which is the same as 0021

>>>
>>> Patch 0022:
>>>
>>> 1. Leftover line:
>>>     var sn = record[i].serial_number;

0022-2: ACK

>>>
>>> Patch 0023:
>>>
>>> 1. move the css code from ipa.css to layout.less?
>>>
>>> 2. Did you mean "display: table"?
>>>     display: cert-table;
>>>
>>> 3. Why are create_layout, create_row and create_cell private methods of
>>> create_content? It would make sense to create a table dialog mixin
>>> (similar as confirm mixin) and use the same code in all cert dialogs (if
>>> applicable).
>>>
>>> 4. 'table-head' class is used in every cell. Why is it called 'head' when
>>> it is in fact in all cells?

1. table mixin has prepared space for doc text but nothing is there

2. while at it (otherwise don't bother), remove empty line at the end of
create_cell, create_row, create_header_cell

3. When I see a content of create_content on certificate.js:316, the
following is repeated many times, it can be changed into a reusable
function.

    row = that.create_row().appendTo(table_layout);
    row.append(that
        .create_header_cell('@i18n:objects.cert.organizational_unit', ':'));
    row.append(that.create_cell(that.subject.ou, '', 'break-words'));

    create_cert_row(header, value).appendTo(table_layout);

But I don't insist on this change.

>>>
>>> Patch 0024:
>>>
>>> Will require changes described in patch 21 (rpc).
>>>
>>> 1. should the methods have rather params: serial_number and
>>> revocation_reason, instead of certificate (maybe ok) and dialog (not ok)?
>>> That way it would be more general/reusable.

1. buttons.restore should not be removed, it is still used on
stageuser.js:309:
    label: '@i18n:buttons.restore',

>>>
>>> Patch 0025: ACK

Why does the new revision not remove the IPA.cert.view_action and
IPA.cert.get_action implementation?

>>>
>>> Patch 0026:
>>>
>>> 1. Add link uses exactly the same code as in multivalued_widget. The code
>>> should be moved to method: create_add_link(container) and then reused.
>>> new_row would be overridden and it would call open_addcert_dialog or
>>> open_addcert_dialog renamed to new_row.
>>>
>>> 2. it can have a spec default:
>>>     spec.dropdown_menu = spec.dropdown_menu !== undefined ? true :
>>>         spec.dropdown_menu;
>>>
>>> And then it doesn't have to be defined in patches 28, 29, 30.

1. why is there a custom certs_field with:
    spec.adapter = spec.field_adapter || {};

field_adapter was supposed to be used only in section. In field IMHO, you
can use 'adapter' spec property directly. We can use
    f.register('certs', field.field);

Or am I missing something?

0027-4: ACK

0028-3: ACK

Patch 0029-3 and 0030-3:

If 0028 makes IPA.host.has_password_evaluator reusable, then it might be
good to rename it/move it so that it is not called "host". And then
IPA.service.has_keytab_evaluator needs to be removed.

>
> I moved big part of certs_widget code to more general
> custom_command_multivalued_widget. This change will be useful in future.
>
> Updated patches attached. It would be nice to apply patch 57 between patches 25
> and 26, but it should be possible to apply it on the top.

Patch 52-2: ACK

Patch 57: ACK

1. I wonder if `entity: that.facet.entity.name` in create_add_command will
be future-proof, but that can be improved later.

In general: I don't like the fact that cert-find commands take at least
1.2s which makes loading of user, host, service details page 6x slower than
before. From access log, it seems it (or dogtag) does too many unnecessary
things.

--
Petr Vobornik

From mkosek at redhat.com Thu Jun 23 13:22:54 2016
From: mkosek at redhat.com (Martin Kosek)
Date: Thu, 23 Jun 2016 15:22:54 +0200
Subject: [Freeipa-devel] [PATCH] 498 Update Contributors.txt
Message-ID: <38a9f232-8170-eb30-eedb-ba9fc473d878@redhat.com>

Update .mailmap to fix wrong commit author and re-generate the Developer
contributor list.

--
Martin Kosek
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-498-update-contributors.txt.patch
Type: text/x-patch
Size: 1415 bytes

From mbasti at redhat.com Thu Jun 23 13:29:51 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 23 Jun 2016 15:29:51 +0200 Subject: [Freeipa-devel] [PATCH 0019][Tests] Fix for failing location tests In-Reply-To: <16b90e67-b6fd-24f0-76d2-42ed5d3fc198@redhat.com> References: <6ff234ed-6cf3-7742-b388-d192f27e40a7@redhat.com> <5d0b933a-d96d-8dfa-a0f3-e59240618f67@redhat.com> <4ab90b76-0a95-40cd-8721-783d8908d37c@redhat.com> <33c965cf-ac80-5e8e-feae-81a48ba81fba@redhat.com> <8900bfe6-6495-aaa9-39ce-c201cb5b25a0@redhat.com> <0dc6726b-f597-ad9f-3cee-a78f96223cca@redhat.com> <0a5ec8ab-6ec0-ee67-9fb0-4536705cf254@redhat.com> <6f6f190e-028d-54a3-b6a2-7bbb4ef0d25d@redhat.com> <16b90e67-b6fd-24f0-76d2-42ed5d3fc198@redhat.com> Message-ID: <50e87188-5c5c-f906-3860-8c05a27aecf1@redhat.com> On 23.06.2016 12:55, Lenka Doudova wrote: > > > > On 06/23/2016 10:30 AM, Martin Basti wrote: >> >> >> >> On 23.06.2016 06:55, Lenka Doudova wrote: >>> >>> >>> >>> On 06/22/2016 05:11 PM, Lenka Doudova wrote: >>>> >>>> >>>> >>>> On 06/22/2016 04:37 PM, Lenka Doudova wrote: >>>>> >>>>> >>>>> >>>>> On 06/22/2016 08:33 AM, Martin Basti wrote: >>>>>> >>>>>> >>>>>> >>>>>> On 22.06.2016 07:37, Lenka Doudova wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 06/21/2016 06:57 PM, Martin Basti wrote: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 21.06.2016 15:39, Lenka Doudova wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> attaching patch for failing location tests >>>>>>>>> (ipatests/test_xmlrpc/test_location_plugin.py). >>>>>>>>> >>>>>>>>> Lenka >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> 1) >>>>>>>> + expected_updates={u'ipalocation_location': >>>>>>>> [location.idnsname_obj], >>>>>>>> + u'enabled_role_servrole': ( >>>>>>>> + u'CA server', u'DNS server', >>>>>>>> u'NTP server')}, >>>>>>>> >>>>>>>> This depends on services installed on server, so server without >>>>>>>> DNS will cause test failures. We probably should skip test id >>>>>>>> DNS isn't installed. 
>>>>>>>> Without DNS installed you get many more different warnings
>>>>>>>>
>>>>>>>> 2)
>>>>>>>> + def update(self, updates, expected_updates=None,
>>>>>>>> messages=None):
>>>>>>>> ....
>>>>>>>> + self.messages = messages
>>>>>>>>
>>>>>>>> Why is this needed? I'm puzzled by this
>>>>>>>>
>>>>>>>> It is defined outside __init__, which is wrong, and it is never used.
>>>>>>>>
>>>>>>> Hi, thanks for review.
>>>>>>> ad 1: will fix
>>>>>>> ad 2: the 'messages' key is indeed used, because this key is
>>>>>>> returned every time a server is attached to/removed from a
>>>>>>> location. If the 'messages' is not supplied to the result
>>>>>>> comparison, the test fails (see
>>>>>>> https://paste.fedoraproject.org/382936/65732411/ for result of
>>>>>>> test without applied patch).
>>>>>>>
>>>>>>> Lenka
>>>>>>
>>>>>> Please point me to the line where ServerTracker.messages is used,
>>>>>> I still don't see it. In your fpaste, removed self.messages in
>>>>>> that context is TestLocationsServer.messages not
>>>>>> ServerTracker.messages
>>>>>>
>>>>>> Martin^2
>>>>>
>>>>> Ah, right you are, my good sir. I fixed both issues, hopefully
>>>>> will be fine now. Fixed patch attached.
>>>>> Lenka
>>>>>
>>>> Self NACK, will provide some more changes tomorrow.
>>>> Lenka
>>>>
>>> And here it goes...
>>>
>>> Lenka
>>>
>> This is really weird
>>
>> fuzzy_servrole = Fuzzy(
>> type=list,
>> test=lambda other: False not in set(
>> item in (u'CA server', u'DNS server', u'NTP server')
>> for item in other)
>> and u'DNS server' in other)
>>
>> 1) Why is there special case 'DNS server' in other, IMO general fuzzy
>> object should not enforce DNS server role
>>
>> 2) Several servroles related to AD trust are missing there, so if you
>> are doing general fuzzy object for server roles it should contain
>> all roles
>>
>> 3)
>> I suggest something like
>> lambda other: all(item in {u'CA server', u'DNS server', u'NTP
>> server', ...} for item in other)
>>
>> 4) during yesterday's interactive review, I suggested to use just
>> lambda other: True, as server roles are tested in different test suite,
>> but if you fix issues above, it can stay as it is
>>
>> Martin^2
> Fixed according to suggestion from interactive review. Attached.
> Lenka

ACK

Pushed to master: eec440b2d54a8247bb25c521c8603cb203171699
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ldoudova at redhat.com Thu Jun 23 13:51:53 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 23 Jun 2016 15:51:53 +0200
Subject: [Freeipa-devel] [PATCH 0020][Tests] Make ID views test reflect new krbcanonicalname attribute
Message-ID:

Patch attached.

Lenka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0020-Tests-Make-ID-views-tests-reflect-new-krbcanonicalna.patch
Type: text/x-patch
Size: 3630 bytes
Desc: not available
URL:

From slaznick at redhat.com Thu Jun 23 14:20:48 2016
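As an added example for the servrole predicate reviewed in the location-tests thread above (not code from the patch or from ipatests), the original predicate and one written along the lines of point 3 are shown side by side, together with a minimal stand-in for Fuzzy so their effect on a result comparison can be seen. The full role set (including the AD trust roles) and the result entries are constructed for this example.

```python
# Added example, not code from the patch or from ipatests: the two versions
# of the server-role predicate discussed in the review, plus a minimal
# stand-in for ipatests' Fuzzy so a result comparison can be exercised.

# Assumption: the complete set of server roles, including the AD trust roles
# the review says were missing. The names are constructed for this example.
KNOWN_SERVER_ROLES = frozenset([
    u'CA server', u'DNS server', u'NTP server',
    u'AD trust agent', u'AD trust controller',
])


def original_servrole_test(other):
    """Predicate from the first version of the patch, as quoted in the review.

    It knows only three roles and additionally demands that 'DNS server' is
    among them, so it rejects every server installed without DNS.
    """
    return (False not in set(
        item in (u'CA server', u'DNS server', u'NTP server')
        for item in other)
        and u'DNS server' in other)


def fixed_servrole_test(other):
    """Predicate along the lines of point 3 of the review: every reported
    role must be a known role, and no particular role is required."""
    return all(item in KNOWN_SERVER_ROLES for item in other)


class Fuzzy(object):
    """Minimal stand-in for ipatests.util.Fuzzy (assumption): compares equal
    to any value of the given type for which ``test`` returns True."""

    def __init__(self, type=None, test=None):
        self.type = type
        self.test = test

    def __eq__(self, other):
        if self.type is not None and not isinstance(other, self.type):
            return False
        if self.test is not None and not self.test(other):
            return False
        return True

    def __ne__(self, other):
        return not self.__eq__(other)


def result_matches(fuzzy, result):
    """Compare a (constructed) command result entry against an expected dict
    whose servrole value is a Fuzzy, the way the tracker-based tests do."""
    return {u'enabled_role_servrole': fuzzy} == result


ORIGINAL_FUZZY = Fuzzy(type=list, test=original_servrole_test)
FIXED_FUZZY = Fuzzy(type=list, test=fixed_servrole_test)

# Constructed result entries: a server with DNS, one without DNS, an AD trust
# controller, and one reporting a role that does not exist.
SERVER_WITH_DNS = {u'enabled_role_servrole':
                   [u'CA server', u'DNS server', u'NTP server']}
SERVER_NO_DNS = {u'enabled_role_servrole': [u'CA server', u'NTP server']}
SERVER_TRUST = {u'enabled_role_servrole': [u'AD trust controller', u'CA server']}
SERVER_BOGUS = {u'enabled_role_servrole': [u'CA server', u'Bogus role']}


if __name__ == '__main__':
    for name, entry in (('with DNS', SERVER_WITH_DNS), ('no DNS', SERVER_NO_DNS),
                        ('AD trust', SERVER_TRUST), ('bogus', SERVER_BOGUS)):
        print('%-9s original=%-5s fixed=%s' % (
            name, result_matches(ORIGINAL_FUZZY, entry),
            result_matches(FIXED_FUZZY, entry)))
```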
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 23 Jun 2016 16:20:48 +0200
Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix
Message-ID: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com>

Hello,

attached are patches fixing the logic mentioned in https://fedorahosted.org/freeipa/ticket/5967.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0050-Raise-exception-on-incorrect-segment-addition.patch
Type: text/x-patch
Size: 2475 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0051-Fix-topologysuffix-verify-failing-connections.patch
Type: text/x-patch
Size: 1456 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 23 14:25:15 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 23 Jun 2016 16:25:15 +0200
Subject: [Freeipa-devel] [PATCH] 0058 WebUI: certificate widget on ID override user page
In-Reply-To: <8d5edba0-0b80-8ccf-6d71-13f977c4b94b@redhat.com>
References: <8d5edba0-0b80-8ccf-6d71-13f977c4b94b@redhat.com>
Message-ID: <60dc6971-d853-ad03-0272-77077dd251a6@redhat.com>

On 06/20/2016 06:54 PM, Pavel Vomacka wrote:
> Hello,
>
> please review attached patch.
>
> https://fedorahosted.org/freeipa/ticket/5926
>

1. I'm not sure whether to include the certificate field in the adder dialog. But if so, then it is not good that it accepts different output than a cert widget. The difference is that the cert widget is able to work also with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" values.

Otherwise it works well.

If we decide not to fix 1. in this patch then ACK. Push should wait on the other cert patches.

--
Petr Vobornik

From mbasti at redhat.com Thu Jun 23 14:34:43 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 16:34:43 +0200
Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command
In-Reply-To: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com>
References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com>
Message-ID:

On 23.06.2016 09:57, Pavel Vomacka wrote:
> Hello,
>
> please review attached patch.
>
> Part of: https://fedorahosted.org/freeipa/ticket/5905
>

Works for me
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pvoborni at redhat.com Thu Jun 23 14:38:31 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 23 Jun 2016 16:38:31 +0200
Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix
In-Reply-To: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com>
References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com>
Message-ID:

On 06/23/2016 04:20 PM, Stanislav Laznicka wrote:
> Hello,
>
> attached are patches fixing the logic mentioned in
> https://fedorahosted.org/freeipa/ticket/5967.
>

Whether a server supports the suffix can be verified in the validate_nodes call, where masters are already fetched.

--
Petr Vobornik

From mbasti at redhat.com Thu Jun 23 14:38:47 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 16:38:47 +0200
Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue
Message-ID: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com>

Patches attached.

https://fedorahosted.org/freeipa/ticket/2008
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch
Type: text/x-patch
Size: 2535 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch
Type: text/x-patch
Size: 4588 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch
Type: text/x-patch
Size: 1992 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch
Type: text/x-patch
Size: 10243 bytes
Desc: not available
URL:

From pvoborni at redhat.com Thu Jun 23 14:58:09 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 23 Jun 2016 16:58:09 +0200
Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command
In-Reply-To:
References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com>
Message-ID: <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com>

On 06/23/2016 04:34 PM, Martin Basti wrote:
>
> On 23.06.2016 09:57, Pavel Vomacka wrote:
>> Hello,
>>
>> please review attached patch.
>>
>> Part of: https://fedorahosted.org/freeipa/ticket/5905
>>
> Works for me
>

In this patch and also in some others (cert patches) the confirm message has the following structure:

To confirm your intention to $action, click the $button_name button.

In other places of the Web UI, a more human and easier structure is used:

Do you want to update DNS records?
[Update] [Cancel]

IMHO we should use it here as well. And the same for (separate patch):
remove_certificate_hold_confirmation
revoke_confirmation

Otherwise the patch is OK.

--
Petr Vobornik

From pvoborni at redhat.com Thu Jun 23 15:07:40 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 23 Jun 2016 17:07:40 +0200
Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names
Message-ID: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com>

mod_auth_gssapi > 1.4.0 implements support for unique ccache names. Without it the ccache name is derived from the principal name.

It solves a race condition in two concurrent requests of the same principal, where the first request deletes the ccache and the second tries to use it, which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install runs.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0959-mod_auth_gssapi-enable-unique-credential-caches-name.patch
Type: text/x-patch
Size: 1969 bytes
Desc: not available
URL:

From mbasti at redhat.com Thu Jun 23 15:28:00 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 23 Jun 2016 17:28:00 +0200
Subject: [Freeipa-devel] [PATCH 0542] ipa-getkeytab: increase LDAP timeout
Message-ID:

https://fedorahosted.org/freeipa/ticket/5842

Patch attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0542-Increase-ipa-getkeytab-LDAP-timeout-to-100sec.patch
Type: text/x-patch
Size: 1001 bytes
Desc: not available
URL:

From slaznick at redhat.com Thu Jun 23 15:30:31 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 23 Jun 2016 17:30:31 +0200
Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix
In-Reply-To:
References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com>
Message-ID:

On 06/23/2016 04:38 PM, Petr Vobornik wrote:
> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote:
>> Hello,
>>
>> attached are patches fixing the logic mentioned in
>> https://fedorahosted.org/freeipa/ticket/5967.
>>
> Whether a server supports the suffix can be verified in the validate_nodes call,
> where masters are already fetched.
>

Thank you for the suggestion, modified patch 50 attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0050-2-Raise-exception-on-incorrect-segment-addition.patch
Type: text/x-patch
Size: 3354 bytes
Desc: not available
URL:

From rharwood at redhat.com Thu Jun 23 15:46:04 2016
From: rharwood at redhat.com (Robbie Harwood)
Date: Thu, 23 Jun 2016 11:46:04 -0400
Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names
In-Reply-To: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com>
References: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com>
Message-ID:

Petr Vobornik writes:

> mod_auth_gssapi > 1.4.0 implements support for unique ccache names.

Excited to see this appear! Sessions are not in use so there's no need to worry about a sweeper. This looks correct to me. Thanks Petr!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL:

From pspacek at redhat.com Thu Jun 23 16:25:51 2016
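As an added example for the ccache race described in the 959 thread above (not code from mod_auth_gssapi, from the patch or from FreeIPA), a small on-disk model of the interleaving Petr describes: two requests for the same principal, where the first request removes its ccache before the second one uses its own. It contrasts a ccache name derived only from the principal with a per-request unique name; the principal, the ccache directory and the "ticket" contents are constructed for this example.

```python
# Added example, not mod_auth_gssapi's or FreeIPA's code: a model of the race
# from the 0959 thread, so the effect of per-principal versus unique ccache
# names can be checked on disk. Everything below is constructed.
import os
import shutil
import tempfile
import uuid


def ccache_name_per_principal(ccache_dir, principal):
    """Naming before the change: the file name is derived from the principal
    alone, so concurrent requests for one principal all map to the same file."""
    safe = principal.replace('/', '_').replace('@', '_')
    return os.path.join(ccache_dir, safe)


def ccache_name_unique(ccache_dir, principal):
    """Naming with unique ccache names: the principal-derived name gets a
    random per-request suffix, so concurrent requests never share a file."""
    return ccache_name_per_principal(ccache_dir, principal) + '-' + uuid.uuid4().hex


def two_concurrent_requests(ccache_dir, naming):
    """Replay the interleaving from the thread for two requests of the same
    principal: both requests obtain a ccache, request 1 finishes and removes
    its ccache, then request 2 tries to use its own.

    Returns (request2_ok, files_left_in_ccache_dir).
    """
    principal = 'host/client.example.test@EXAMPLE.TEST'  # constructed
    ticket = b'constructed ticket data'                   # stand-in for creds

    first = naming(ccache_dir, principal)
    second = naming(ccache_dir, principal)
    for path in (first, second):                  # each request writes its ccache
        with open(path, 'wb') as ccache:
            ccache.write(ticket)

    os.remove(first)                              # request 1 is done and cleans up

    request2_ok = os.path.exists(second)          # request 2 now needs its ccache
    return request2_ok, len(os.listdir(ccache_dir))


def compare_naming_schemes():
    """Run the replay under both schemes in a throw-away directory.

    Returns {'per_principal': bool, 'unique': bool}, True meaning request 2
    still found its ccache.
    """
    outcome = {}
    for label, naming in (('per_principal', ccache_name_per_principal),
                          ('unique', ccache_name_unique)):
        ccache_dir = tempfile.mkdtemp(prefix='ccache-race-')
        try:
            ok, _ = two_concurrent_requests(ccache_dir, naming)
        finally:
            shutil.rmtree(ccache_dir)
        outcome[label] = ok
    return outcome


if __name__ == '__main__':
    print(compare_naming_schemes())  # {'per_principal': False, 'unique': True}
```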
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Jun 2016 18:25:51 +0200
Subject: [Freeipa-devel] ipa-server-install and service restarts
Message-ID: <6f109279-5db1-e62e-20b8-3ddac678d6de@redhat.com>

Hello,

For the curious, here is a list of service re/starts from ipa-server-install:

It starts & restarts 29 services, most of them repeatedly. The last line probably restarts everything once again.

# grep 'systemctl.*start' /var/log/ipaserver-install.log
2016-06-23T15:56:29Z DEBUG args=/bin/systemctl start ntpd.service
2016-06-23T15:56:37Z DEBUG args=/bin/systemctl restart dirsrv@DOM.service
2016-06-23T15:56:39Z DEBUG args=/bin/systemctl restart dirsrv@DOM.service
2016-06-23T15:56:46Z DEBUG args=/bin/systemctl restart dirsrv@DOM.service
2016-06-23T15:56:48Z DEBUG args=/bin/systemctl start ntpd.service
systemctl restart pki-tomcatd@pki-tomcat.service
2016-06-23T15:58:39Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service
2016-06-23T15:58:55Z DEBUG args=/bin/systemctl restart pki-tomcatd@pki-tomcat.service
2016-06-23T15:59:13Z DEBUG args=/bin/systemctl start messagebus.service
2016-06-23T15:59:13Z DEBUG args=/bin/systemctl start certmonger.service
2016-06-23T15:59:19Z DEBUG args=/bin/systemctl restart pki-tomcatd@pki-tomcat.service
2016-06-23T15:59:55Z DEBUG args=/bin/systemctl restart dirsrv@DOM.service
2016-06-23T16:00:02Z DEBUG args=/bin/systemctl start krb5kdc.service
2016-06-23T16:00:03Z DEBUG args=/bin/systemctl restart kadmin.service
2016-06-23T16:00:06Z DEBUG args=/bin/systemctl start pki-tomcatd@pki-tomcat.service
2016-06-23T16:00:25Z DEBUG args=/bin/systemctl restart ipa_memcached.service
2016-06-23T16:00:25Z DEBUG args=/bin/systemctl restart ipa-otpd.socket
2016-06-23T16:00:29Z DEBUG args=/bin/systemctl restart ipa-custodia.service
2016-06-23T16:00:37Z DEBUG args=/bin/systemctl restart httpd.service
2016-06-23T16:00:38Z DEBUG args=/bin/systemctl start oddjobd.service
2016-06-23T16:00:40Z DEBUG args=/bin/systemctl start
dirsrv@DOM.service
2016-06-23T16:02:03Z DEBUG args=/bin/systemctl start dirsrv@DOM.service
2016-06-23T16:02:04Z DEBUG args=/bin/systemctl restart dirsrv@DOM.service
2016-06-23T16:02:10Z DEBUG args=/bin/systemctl restart krb5kdc.service
2016-06-23T16:02:10Z DEBUG args=/bin/systemctl restart pki-tomcatd@pki-tomcat.service
2016-06-23T16:02:38Z DEBUG args=/bin/systemctl restart ipa-dnskeysyncd.service
2016-06-23T16:02:38Z DEBUG args=/bin/systemctl restart named-pkcs11.service
2016-06-23T16:02:44Z DEBUG args=/bin/systemctl restart httpd.service
2016-06-23T16:03:09Z DEBUG args=/bin/systemctl restart ipa.service

--
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 23 16:26:16 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Jun 2016 18:26:16 +0200
Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue
In-Reply-To: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com>
References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com>
Message-ID: <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com>

On 23.6.2016 16:38, Martin Basti wrote:
> Patches attached.
>
> https://fedorahosted.org/freeipa/ticket/2008
>
> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch
>
> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001
> From: Martin Basti
> Date: Tue, 21 Jun 2016 18:04:13 +0200
> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records
> for unused locations"
>
> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230.
>
> After deeper investigation, we found out that empty locations are needed
> for clients, because clients may have cached records for a longer time for
> that particular location. The only way to remove a location is to remove
> it using location-del
>
> https://fedorahosted.org/freeipa/ticket/2008
> ---
> ipaserver/dns_data_management.py | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
> > diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py > index a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 100644 > --- a/ipaserver/dns_data_management.py > +++ b/ipaserver/dns_data_management.py > @@ -68,7 +68,6 @@ class IPASystemRecords(object): > self.api_instance = api_instance > self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute() > self.servers_data = {} > - self.used_locations = set() > self.__init_data() > > def reload_data(self): > @@ -92,7 +91,6 @@ class IPASystemRecords(object): > > def __init_data(self): > self.servers_data = {} > - self.used_locations = set() > > servers_result = self.api_instance.Command.server_find( > pkey_only=True)['result'] > @@ -104,8 +102,6 @@ class IPASystemRecords(object): > 'location': location, > 'roles': roles, > } > - if location: > - self.used_locations.add(location) > > def __add_srv_records( > self, zone_obj, hostname, rname_port_map, > @@ -353,12 +349,13 @@ class IPASystemRecords(object): > pkey_only=True)['result'] > servers = [s['cn'][0] for s in servers_result] > > - # generate only records for used location, records for unassigned > - # locations are useless > + locations_result = self.api_instance.Command.location_find()['result'] > + locations = [l['idnsname'][0] for l in locations_result] > + > for server in servers: > self._get_location_dns_records_for_server( > zone_obj, server, > - self.used_locations, roles=roles, > + locations, roles=roles, > include_master_role=include_master_role) > return zone_obj > > -- 2.5.5 > > > freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch > > > From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 
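Review bot: in the last hunk of dns_data_management.py, `self.api_instance.Command.location_find()` is called without `pkey_only=True` although only `l['idnsname'][0]` is used from each entry, while the `server_find` call a few lines above does pass `pkey_only=True`; use the same option here, and a more descriptive loop variable than `l` (easily misread as `1`), so that the revert does not fetch full location entries on every record regeneration.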
> From: Martin Basti > Date: Tue, 21 Jun 2016 18:17:55 +0200 > Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install > > Since DNS location mechanism is active, this option has no effect, > because records are generate dynamically. > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/tools/ipa-adtrust-install | 10 +++++++--- > ipaserver/install/adtrustinstance.py | 21 ++++++++------------- > 2 files changed, 15 insertions(+), 16 deletions(-) > > diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install > index 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c 100755 > --- a/install/tools/ipa-adtrust-install > +++ b/install/tools/ipa-adtrust-install > @@ -29,6 +29,8 @@ import ldap > > import six > > +from optparse import SUPPRESS_HELP > + > from ipaserver.install import adtrustinstance > from ipaserver.install.installutils import ( > read_password, > @@ -54,9 +56,11 @@ def parse_options(): > default=False, help="print debugging information") > parser.add_option("--netbios-name", dest="netbios_name", > help="NetBIOS name of the IPA domain") > + > + # no-msdcs has not effect, option is here just for backward compatibility > parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", > - default=False, help="Do not create DNS service records " \ > - "for Windows in managed DNS server") > + default=False, help=SUPPRESS_HELP) > + > parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, > help="Start value for mapping UIDs and GIDs to RIDs") > parser.add_option("--secondary-rid-base", dest="secondary_rid_base", > @@ -390,7 +394,7 @@ def main(): > smb.setup(api.env.host, api.env.realm, > netbios_name, reset_netbios_name, > options.rid_base, options.secondary_rid_base, > - options.no_msdcs, options.add_sids, > + options.add_sids, > enable_compat = options.enable_compat) > smb.find_local_id_range() > smb.create_instance() 
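Review bot: the comment in the `parse_options()` hunk reads `no-msdcs has not effect` (should be `has no effect`), and the now hidden option still stores `options.no_msdcs` although nothing reads it any more; since the help text is suppressed, a user passing `--no-msdcs` gets no indication that the option is ignored, so consider printing a short notice when it is set. In the `main()` hunk the call `smb.setup(..., options.rid_base, options.secondary_rid_base, options.add_sids, enable_compat = options.enable_compat)` relies on the positional order after a parameter was removed from the signature; passing `add_sids=options.add_sids` by keyword would make it robust to further signature changes.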
> diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py > index 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 100644 > --- a/ipaserver/install/adtrustinstance.py > +++ b/ipaserver/install/adtrustinstance.py > @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): > def __init__(self, fstore=None): > self.netbios_name = None > self.reset_netbios_name = None > - self.no_msdcs = None > self.add_sids = None > self.smbd_user = None > self.smb_dn_pwd = None > @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): > > err_msg = None > > - if self.no_msdcs: > - err_msg = '--no-msdcs was given, special DNS service records ' \ > - 'are not added to local DNS server' > + ret = api.Command['dns_is_enabled']() > + if not ret['result']: > + err_msg = "DNS management was not enabled at install time." > else: > - ret = api.Command['dns_is_enabled']() > - if not ret['result']: > - err_msg = "DNS management was not enabled at install time." > - else: > - if not dns_zone_exists(zone): > - err_msg = "DNS zone %s cannot be managed " \ > - "as it is not defined in IPA" % zone > + if not dns_zone_exists(zone): > + err_msg = ( > + "DNS zone %s cannot be managed as it is not defined in " > + "IPA" % zone) > > if err_msg: > self.print_msg(err_msg) > @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): > > def setup(self, fqdn, realm_name, netbios_name, > reset_netbios_name, rid_base, secondary_rid_base, > - no_msdcs=False, add_sids=False, smbd_user="samba", > + add_sids=False, smbd_user="samba", > enable_compat=False): > self.fqdn = fqdn > self.realm = realm_name 
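Review bot: in the `setup()` hunk of adtrustinstance.py the positional parameter `no_msdcs=False` is removed from between `secondary_rid_base` and `add_sids`, so any caller outside this patch that still passes the flag positionally would silently have it bound to `add_sids` (both are booleans, so no error is raised); making the remaining flags keyword-only, or at least checking every caller of `ADTRUSTInstance.setup()`, would avoid that. The restructured `err_msg` block keeps the `dns_is_enabled` and `dns_zone_exists(zone)` checks in the same order with the same messages, which is fine.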
> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): > self.reset_netbios_name = reset_netbios_name > self.rid_base = rid_base > self.secondary_rid_base = secondary_rid_base > - self.no_msdcs = no_msdcs > self.add_sids = add_sids > self.enable_compat = enable_compat > self.smbd_user = smbd_user > -- 2.5.5 > > > freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch > > > From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Wed, 22 Jun 2016 13:12:52 +0200 > Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get > information > > Because separated calls for of server-show, getting server data is quite > slow. This commit replaces several server-show with one server-find > command. There are future plans to improve speed of server-find that > will be beneficial for DNS locations. > > https://fedorahosted.org/freeipa/ticket/2008 > --- > ipaserver/dns_data_management.py | 10 ++++------ > 1 file changed, 4 insertions(+), 6 deletions(-) > > diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py > index eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 100644 > --- a/ipaserver/dns_data_management.py > +++ b/ipaserver/dns_data_management.py > @@ -78,8 +78,7 @@ class IPASystemRecords(object): > """ > self.__init_data() > > - def __get_server_attrs(self, hostname): > - server_result = self.api_instance.Command.server_show(hostname)['result'] > + def __get_server_attrs(self, server_result): > weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) > location = server_result.get('ipalocation_location', [None])[0] > roles = set(server_result.get('enabled_role_servrole', ())) 
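Review bot: in the `__get_server_attrs(self, server_result)` hunk the method no longer calls `server_show`, so `ipaserviceweight`, `ipalocation_location` and `enabled_role_servrole` now come from whatever attributes the caller's `server_find` happened to return; the defaults (`u'100'`, `None`, `()`) would silently mask a result that simply lacks those attributes and produce wrong SRV weights and locations instead of an error. A docstring stating which find options the entry must have been retrieved with, or a check that the expected keys are present, would make that contract explicit.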
> @@ -93,11 +92,10 @@ class IPASystemRecords(object): > self.servers_data = {} > > servers_result = self.api_instance.Command.server_find( > - pkey_only=True)['result'] > - servers = [s['cn'][0] for s in servers_result] > - for s in servers: > + no_members=False)['result'] > + for s in servers_result: > weight, location, roles = self.__get_server_attrs(s) > - self.servers_data[s] = { > + self.servers_data[s['cn'][0]] = { > 'weight': weight, > 'location': location, > 'roles': roles, > -- 2.5.5 > > > freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch > > > From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Thu, 23 Jun 2016 14:50:11 +0200 > Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance > > We don't need anymore: > * sample of zone file - list of all records required by IPa will be > provided > > * NTP related params - DNS records will be updated automatically, > based on LDAP values > > * CA related params - DNS records will be updated automatically based > * on LDAP values > > https://fedorahosted.org/freeipa/ticket/2008 > --- > install/share/bind.zone.db.template | 29 --------------- > ipaserver/dns_data_management.py | 9 +++++ > ipaserver/install/bindinstance.py | 58 ++++++++---------------------- > ipaserver/install/dns.py | 5 ++- > ipaserver/install/server/install.py | 8 ++--- > ipaserver/install/server/replicainstall.py | 4 +-- > 6 files changed, 30 insertions(+), 83 deletions(-) > delete mode 100644 install/share/bind.zone.db.template > > diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template > deleted file mode 100644 > index ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 > --- a/install/share/bind.zone.db.template > +++ /dev/null 
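Review bot: in the `__init_data()` hunk `pkey_only=True` is replaced by `no_members=False`, but neither the code nor the commit message says that this is what makes `ipaserviceweight`, `ipalocation_location` and `enabled_role_servrole` appear in each entry, and requesting member attributes for every server is heavier than the three attributes `__get_server_attrs` actually uses. Please add a comment next to the call giving the reason, and consider requesting only the needed attributes if the API allows it.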
> @@ -1,29 +0,0 @@ > -$$ORIGIN $DOMAIN. > -$$TTL 86400 > -@ IN SOA $DOMAIN. $ZONEMGR ( > - 01 ; serial > - 3H ; refresh > - 15M ; retry > - 1W ; expiry > - 1D ) ; minimum > - > - IN NS $HOST > -$HOST IN A $IP > -; > -; ldap servers > -_ldap._tcp IN SRV 0 100 389 $HOST > - > -;kerberos realm > -_kerberos IN TXT $REALM > - > -; kerberos servers > -_kerberos._tcp IN SRV 0 100 88 $HOST > -_kerberos._udp IN SRV 0 100 88 $HOST > -_kerberos-master._tcp IN SRV 0 100 88 $HOST > -_kerberos-master._udp IN SRV 0 100 88 $HOST > -_kpasswd._tcp IN SRV 0 100 464 $HOST > -_kpasswd._udp IN SRV 0 100 464 $HOST > -$OPTIONAL_NTP > - > -; CNAME for IPA CA replicas (used for CRL, OCSP) > -$IPA_CA_RECORD > diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py > index e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b 100644 > --- a/ipaserver/dns_data_management.py > +++ b/ipaserver/dns_data_management.py > @@ -477,3 +477,12 @@ class IPASystemRecords(object): > ) > ) > return records > + > + @classmethod > + def records_list_from_zone(cls, zone_obj, sort=True): > + records = [] > + for name, node in zone_obj.items(): > + records.extend(IPASystemRecords.records_list_from_node(name, node)) > + if sort: > + records.sort() > + return records > diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py > index 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf 100644 > --- a/ipaserver/install/bindinstance.py > +++ b/ipaserver/install/bindinstance.py 
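Review bot: in the `records_list_from_zone` hunk the new classmethod calls `IPASystemRecords.records_list_from_node(name, node)` by class name instead of `cls.records_list_from_node(name, node)`, which defeats the purpose of `@classmethod` for any subclass. Separately, the deleted bind.zone.db.template carried the SOA and NS records for the zone, while the generated record list contains only the IPA service records; the commit message should say explicitly that the zone-level records are now left to the administrator.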
> @@ -623,9 +623,9 @@ class BindInstance(service.Service): > suffix = ipautil.dn_attribute_property('_suffix') > > def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, > - forward_policy, ntp, reverse_zones, > + forward_policy, reverse_zones, > named_user=constants.NAMED_USER, zonemgr=None, > - ca_configured=None, no_dnssec_validation=False): > + no_dnssec_validation=False): > self.named_user = named_user > self.fqdn = fqdn > self.ip_addresses = ip_addresses > @@ -635,9 +635,7 @@ class BindInstance(service.Service): > self.forward_policy = forward_policy > self.host = fqdn.split(".")[0] > self.suffix = ipautil.realm_to_suffix(self.realm) > - self.ntp = ntp > self.reverse_zones = reverse_zones > - self.ca_configured = ca_configured > self.no_dnssec_validation=no_dnssec_validation > > if not zonemgr: > @@ -666,12 +664,17 @@ class BindInstance(service.Service): > def host_in_default_domain(self): > return normalize_zone(self.host_domain) == normalize_zone(self.domain) > > - def create_sample_bind_zone(self): > - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) > - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") > - os.write(bind_fd, bind_txt) > - os.close(bind_fd) > - print("Sample zone file for bind has been created in "+bind_name) > + def create_file_with_system_records(self): > + system_records = IPASystemRecords(self.api) > + text = u'\n'.join( > + IPASystemRecords.records_list_from_zone( > + system_records.get_base_records() > + ) > + ) > + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") > + os.write(fd, text) > + os.close(fd) > + print("Please add records in this file to your DNS system:", name) > > def create_instance(self): 
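Review bot: in the `create_file_with_system_records()` hunk, `text` is built with `u'\n'.join(...)` and then passed to `os.write(fd, text)`; `os.write` takes bytes, so under Python 3 this raises `TypeError` and under Python 2 it only works while every record is pure ASCII. Encode explicitly (`os.write(fd, text.encode('utf-8'))`) and terminate the last record with a newline. The `setup()` hunk also drops the positional `ntp` and `ca_configured` parameters; the callers in dns.py and install.py are updated in this patch, but since `add_master_dns_records()` changes signature in the same way, its caller in replicainstall.py should be checked for the same positional shift.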
> > @@ -761,41 +764,10 @@ class BindInstance(service.Service): > root_logger.debug("Unable to mask named (%s)", e) > > def __setup_sub_dict(self): > - if self.forwarders: > - fwds = "\n" > - for forwarder in self.forwarders: > - fwds += "\t\t%s;\n" % forwarder > - fwds += "\t" > - else: > - fwds = " " > - > - if self.ntp: > - optional_ntp = "\n;ntp server\n" > - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % self.host_in_rr > - else: > - optional_ntp = "" > - > - ipa_ca = "" > - for addr in self.ip_addresses: > - if addr.version in (4, 6): > - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( > - IPA_CA_RECORD, > - "A" if addr.version == 4 else "AAAA", > - str(addr)) > - > self.sub_dict = dict( > FQDN=self.fqdn, > - IP=[str(ip) for ip in self.ip_addresses], > - DOMAIN=self.domain, > - HOST=self.host, > - REALM=self.realm, > SERVER_ID=installutils.realm_to_serverid(self.realm), > - FORWARDERS=fwds, > - FORWARD_POLICY=self.forward_policy, > SUFFIX=self.suffix, > - OPTIONAL_NTP=optional_ntp, > - ZONEMGR=self.zonemgr, > - IPA_CA_RECORD=ipa_ca, > BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, > MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, > ROOT_KEY=paths.NAMED_ROOT_KEY, > @@ -1026,16 +998,14 @@ class BindInstance(service.Service): > ipautil.run([paths.GENERATE_RNDC_KEY]) > > def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name, > - reverse_zones, ntp=False, ca_configured=None): > + reverse_zones): > self.fqdn = fqdn > self.ip_addresses = ip_addresses > self.realm = realm_name > self.domain = domain_name > self.host = fqdn.split(".")[0] > self.suffix = ipautil.realm_to_suffix(self.realm) > - self.ntp = ntp > self.reverse_zones = reverse_zones > - self.ca_configured = ca_configured > self.first_instance = False > self.zonemgr = 'hostmaster.%s' % self.domain > > diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py > index 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 100644 > --- a/ipaserver/install/dns.py 
> +++ b/ipaserver/install/dns.py > @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): > bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, > autobind=AUTOBIND_ENABLED) > bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, > - options.forwarders, options.forward_policy, conf_ntp, > + options.forwarders, options.forward_policy, > reverse_zones, zonemgr=options.zonemgr, > - no_dnssec_validation=options.no_dnssec_validation, > - ca_configured=options.setup_ca) > + no_dnssec_validation=options.no_dnssec_validation) > > if standalone and not options.unattended: > print("") > diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py > index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 100644 > --- a/ipaserver/install/server/install.py > +++ b/ipaserver/install/server/install.py > @@ -848,17 +848,17 @@ def install(installer): > if setup_ca: > services.knownservices['pki_tomcatd'].restart('pki-tomcat') > > + api.Backend.ldap2.connect(autobind=True) > if options.setup_dns: > - api.Backend.ldap2.connect(autobind=True) > dns.install(False, False, options) > else: > # Create a BIND instance > bind = bindinstance.BindInstance(fstore, dm_password) > bind.setup(host_name, ip_addresses, realm_name, > - domain_name, (), 'first', not options.no_ntp, (), > - zonemgr=options.zonemgr, ca_configured=setup_ca, > + domain_name, (), 'first', (), > + zonemgr=options.zonemgr, > no_dnssec_validation=options.no_dnssec_validation) > - bind.create_sample_bind_zone() > + bind.create_file_with_system_records() > > # Restart httpd to pick up the new IPA configuration > service.print_msg("Restarting the web server") > diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py > index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 100644 > --- a/ipaserver/install/server/replicainstall.py 
> +++ b/ipaserver/install/server/replicainstall.py 
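Review bot: in the install.py hunk `api.Backend.ldap2.connect(autobind=True)` is moved out of the `if options.setup_dns:` branch, so it now also runs on the `else` path; that is needed because `create_file_with_system_records()` queries the API, but the commit message does not mention this behaviour change and nothing in the hunk disconnects afterwards. Please state it in the commit message. In the same hunk the call `bind.setup(host_name, ip_addresses, realm_name, domain_name, (), 'first', (), zonemgr=options.zonemgr, ...)` passes two empty tuples positionally for `forwarders` and `reverse_zones`; with `ntp` removed from between them, keyword arguments would keep the call readable and safe.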
> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): > str(ip), > config.realm_name, > config.domain_name, > - reverse_zone, > - not options.no_ntp, > - options.setup_ca) > + reverse_zone) > except errors.NotFound as e: > root_logger.debug('Replica DNS records could not be added ' > 'on master: %s', str(e)) > -- 2.5.5

While testing this patch I've found out that ipa-dns-install does not work idempotently anymore and explodes when re-run. I'm not sure what the root cause is yet.

# ipa-dns-install --forwarder 10.34.78.1
WARNING: yacc table file version is out of date

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup DNS for the FreeIPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)

NOTE: DNSSEC zone signing is not enabled by default

To accept the default shown in brackets, press the Enter key.

Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]:

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring DNS (named)
  [1/8]: generating rndc key file
  [2/8]: setting up our own record
ipa         : ERROR    DNS query for vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed out after 30.0012078285 seconds
  [error] DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
Unexpected error - see /var/log/ipaserver-install.log for details:
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds

2016-06-23T15:41:54Z DEBUG   [2/8]: setting up our own record
2016-06-23T15:41:54Z DEBUG raw: dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199')
2016-06-23T15:41:54Z DEBUG dnszone_show(, rights=False, all=False, raw=False, version=u'2.199')
2016-06-23T15:42:24Z ERROR DNS query for vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed out after 30.0012078285 seconds
2016-06-23T15:42:24Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 860, in __add_self
    self.__add_master_records(self.fqdn, self.ip_addresses)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", line 843, in __add_master_records
    verify_host_resolvable(fqdn)
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in verify_host_resolvable
    raise errors.DNSResolverError(exception=ex)
DNSResolverError: The DNS operation timed out after 30.0012078285 seconds

I was not able to test replica installation because of some weird ACI problem somewhere, replica install is failing with ACIError while adding ldap/replica principal. This is probably a regression from some other patchset.

https://fedorahosted.org/freeipa/ticket/5996

-- 
Petr^2 Spacek

From pspacek at redhat.com Thu Jun 23 16:32:02 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 23 Jun 2016 18:32:02 +0200
Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
Message-ID: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com>

Hello,

replica-install: Compare domain names as DNS names and not strings

This fixes a false positive where user inputs "example.com" and "EXAMPLE.COM" were not considered equivalent and installation was wrongly refused.

https://fedorahosted.org/freeipa/ticket/5976

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0138-replica-install-Compare-domain-names-as-DNS-names-an.patch
Type: text/x-patch
Size: 2225 bytes
Desc: not available
URL: 

From lslebodn at redhat.com Thu Jun 23 17:39:11 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Thu, 23 Jun 2016 19:39:11 +0200
Subject: [Freeipa-devel] [PATCH] 498 Update Contributors.txt
In-Reply-To: <38a9f232-8170-eb30-eedb-ba9fc473d878@redhat.com>
References: <38a9f232-8170-eb30-eedb-ba9fc473d878@redhat.com>
Message-ID: <20160623173911.GB12462@10.4.128.1>

On (23/06/16 15:22), Martin Kosek wrote:
>Update .mailmap to fix wrong commit author and re-generate
>the Developer contributor list.
>
>--
>Martin Kosek
>Manager, Software Engineering - Identity Management Team
>Red Hat, Inc.
>From 4271bdb36d111b90da3daf3f4312ec40d7db590f Mon Sep 17 00:00:00 2001
>From: Martin Kosek
>Date: Thu, 23 Jun 2016 15:19:59 +0200
>Subject: [PATCH] Update Contributors.txt
>
>Update .mailmap to fix wrong commit author and re-generate
>the Developer contributor list.
>---
> .mailmap | 1 +
> Contributors.txt | 1 +
> 2 files changed, 2 insertions(+)
>
>diff --git a/.mailmap b/.mailmap >index 422a0089cc6f7de4aaed6a446a5d090bcee3fee8..4fe0587a4550b9ca4b89501a55d96540df4c10cf 100644 >--- a/.mailmap >+++ b/.mailmap
>@@ -51,6 +51,7 @@ Sumit Bose > Thierry Bordaz > Thierry Bordaz > Thierry Bordaz >+Thierry Bordaz
I know that it's autogenerated.
But does Thierry need to be there 4 times?

It is not a NACK

LS

> Tom?? Babej > Tom?? Babej > William Jon McCann >diff --git a/Contributors.txt b/Contributors.txt >index 71be27da5ab415deb11589d5bf82d684b2d85f9a..a003a3edb5c1f291b94402f6784b70fa7bcb1298 100644 >--- a/Contributors.txt >+++ b/Contributors.txt >@@ -10,6 +10,7 @@ Developers: > Tom?? Babej > Martin Babinsky > Kyle Baker >+ Jan Barta > Martin Ba?ti > Sylvain Baubeau > Florence Blanc-Renaud >-- >2.5.5 >
>--
>Manage your subscription for the Freeipa-devel mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-devel
>Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From ftweedal at redhat.com Fri Jun 24 01:42:03 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 24 Jun 2016 11:42:03 +1000
Subject: [Freeipa-devel] [patch 0038-0040] Sub CA test patches
In-Reply-To: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com>
References: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com>
Message-ID: <20160624014203.GO4200@dhcp-40-8.bne.redhat.com>

On Tue, Jun 21, 2016 at 05:01:35PM +0200, Milan Kubík wrote:
> Hi Fraser and list,
>
> I have made changes to the test plan on the wiki [1] according to the
> information in "[Testplan review] Sub CAs" thread.
>
> I also implemented the tests in the test plan:
>
> patch 0038 - CATracker and CA CRUD test
> patch 0039 - extension to CA ACL test
> patch 0040 - functional test with ACLs and certificate profile, reusing my
> previous S/MIME based tests. This patch also tests for the cert-request
> behavior when profile ID or CA cn are omitted.
>
> The tests ATM do not verify the Issuer name in the certificate itself, just
> from the ipa entry of the certificate.
>
The approach you are using:

    assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn

is not quite as you describe (these are virtual attributes, not attributes of an actual entry); but the approach is valid.

> Fraser, could you please verify my reasoning behind the test cases for
> cert-request in the patch 40?
>
The tests look OK.

With the default CA / default profiles, is there appropriate isolation between test cases to ensure that if, e.g. some other test case adds/modifies CA ACLs such that these expected-to-fail tests now pass, that this does not affect the TestCertSignMIMEwithSubCA test case?

Thanks,
Fraser

> [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
>
> Cheers
>
> --
> Milan Kubik
>
> From 83153e3c7c4a28ba170633054b59b2d6a70807c0 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Milan=20Kub=C3=ADk?= > Date: Fri, 17 Jun 2016 12:20:55 +0200 > Subject: [PATCH 1/3] ipatests: Tracker implementation for Sub CA feature > > The patch implements Tracker subclass for CA plugin > and the basic CRUD tests for the plugin entries. > > https://fedorahosted.org/freeipa/ticket/4559 > --- > ipatests/test_xmlrpc/objectclasses.py | 5 + > ipatests/test_xmlrpc/test_ca_plugin.py | 176 ++++++++++++++++++++++++++++++ > ipatests/test_xmlrpc/tracker/ca_plugin.py | 126 +++++++++++++++++++++ > ipatests/test_xmlrpc/xmlrpc_test.py | 3 + > 4 files changed, 310 insertions(+) > create mode 100644 ipatests/test_xmlrpc/test_ca_plugin.py > create mode 100644 ipatests/test_xmlrpc/tracker/ca_plugin.py > > diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py > index 134a08803f3abca1124c4d26274d9e3fc981b941..1ea020b18f975f717eb9d9d5399d8e9fb40264cb 100644 > --- a/ipatests/test_xmlrpc/objectclasses.py > +++ b/ipatests/test_xmlrpc/objectclasses.py > @@ -222,3 +222,8 @@ caacl = [ > u'ipaassociation', > u'ipacaacl' > ] > + > +ca = [ > + u'top', > + u'ipaca', > +] > diff --git a/ipatests/test_xmlrpc/test_ca_plugin.py b/ipatests/test_xmlrpc/test_ca_plugin.py > new file mode 100644 > index 0000000000000000000000000000000000000000..a638a0c9a5a611687d4ae707f4b067bef2ef2229 > --- /dev/null > +++ b/ipatests/test_xmlrpc/test_ca_plugin.py 
> @@ -0,0 +1,176 @@ > +# > +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license > +# > + > +""" > +Test the `ipalib.plugins.ca` module. > +""" > + > +import pytest > + > +from ipalib import errors > +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, fuzzy_issuer > + > +from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker > +from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker > +from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker > + > + > + at pytest.fixture(scope='module') > +def default_profile(request): > + name = 'caIPAserviceCert' > + desc = u'Standard profile for network services' > + tracker = CertprofileTracker(name, store=True, desc=desc) > + tracker.track_create() > + return tracker > + > + > + at pytest.fixture(scope='module') > +def default_acl(request): > + name = u'hosts_services_caIPAserviceCert' > + tracker = CAACLTracker(name, service_category=u'all', host_category=u'all') > + tracker.track_create() > + tracker.attrs.update( > + {u'ipamembercertprofile_certprofile': [u'caIPAserviceCert']}) > + return tracker > + > + > + at pytest.fixture(scope='module') > +def default_ca(request): > + name = u'ipa' > + desc = u'IPA CA' > + tracker = CATracker(name, fuzzy_issuer, desc=desc) > + tracker.track_create() > + return tracker > + > + > + at pytest.fixture(scope='class') > +def crud_subca(request): > + name = u'crud-subca' > + subject = u'CN=crud subca test,O=crud testing inc' > + tracker = CATracker(name, subject) > + > + return tracker.make_fixture(request) > + > + > + at pytest.fixture(scope='class') > +def subject_conflict_subca(request): > + name = u'crud-subca-2' > + subject = u'CN=crud subca test,O=crud testing inc' > + tracker = CATracker(name, subject) > + > + return tracker.make_fixture(request) > + > + > + at pytest.mark.tier0 > +class TestDefaultCA(XMLRPC_test): > + def test_default_ca_present(self, default_ca): > + default_ca.retrieve() > + > + def 
test_default_ca_delete(self, default_ca): > + with pytest.raises(errors.ProtectedEntryError): > + default_ca.delete() > + > + > + at pytest.mark.tier1 > +class TestCAbasicCRUD(XMLRPC_test): > + > + ATTR_ERROR_MSG = u'attribute is not configurable' > + > + def test_create(self, crud_subca): > + crud_subca.create() > + > + def test_retrieve(self, crud_subca): > + crud_subca.retrieve() > + > + def test_retrieve_all(self, crud_subca): > + crud_subca.retrieve(all=True) > + > + def test_delete(self, crud_subca): > + crud_subca.delete() > + > + def test_find(self, crud_subca): > + crud_subca.ensure_exists() > + crud_subca.find() > + > + def test_modify_description(self, crud_subca): > + new_desc = u'updated CA description' > + crud_subca.update( > + dict( > + description=new_desc, > + ), > + expected_updates=dict( > + description=[new_desc] > + ) > + ) > + > + def test_modify_issuerdn(self, crud_subca): > + bogus_issuer = u'ipacaissuerdn="cn=phony issuer,o=phony industries' > + cmd = crud_subca.make_update_command( > + updates=dict(setattr=bogus_issuer) > + ) > + > + with pytest.raises(errors.ValidationError) as error: > + cmd() > + > + assert self.ATTR_ERROR_MSG in str(error.value) > + > + def test_modify_subjectdn(self, crud_subca): > + bogus_subject = u'ipacasubjectdn="cn=phony subject,o=phony industries' > + cmd = crud_subca.make_update_command( > + updates=dict(setattr=bogus_subject) > + ) > + > + with pytest.raises(errors.ValidationError) as error: > + cmd() > + > + assert self.ATTR_ERROR_MSG in str(error.value) > + > + def test_delete_subjectdn(self, crud_subca): > + cmd = crud_subca.make_update_command( > + updates=dict(delattr=u'ipacasubjectdn=%s' > + % crud_subca.ipasubjectdn) > + ) > + > + with pytest.raises(errors.ValidationError) as error: > + cmd() > + > + assert self.ATTR_ERROR_MSG in str(error.value) > + > + def test_add_bogus_subjectdn(self, crud_subca): > + bogus_subject = u'ipacasubjectdn="cn=phony subject,o=phony industries' > + cmd = 
crud_subca.make_update_command( > + updates=dict(addattr=bogus_subject) > + ) > + > + with pytest.raises(errors.ValidationError) as error: > + cmd() > + > + assert self.ATTR_ERROR_MSG in str(error.value) > + > + def test_add_bogus_issuerdn(self, crud_subca): > + bogus_issuer = u'ipacaissuerdn="cn=phony issuer,o=phony industries' > + cmd = crud_subca.make_update_command( > + updates=dict(addattr=bogus_issuer) > + ) > + > + with pytest.raises(errors.ValidationError) as error: > + cmd() > + > + assert self.ATTR_ERROR_MSG in str(error.value) > + > + def test_create_subca_with_conflicting_name(self, crud_subca): > + crud_subca.ensure_exists() > + > + cmd = crud_subca.make_create_command() > + with pytest.raises(errors.DuplicateEntry): > + cmd() > + > + @pytest.mark.xfail(reason='https://fedorahosted.org/freeipa/ticket/5981', > + strict=True) > + def test_create_subca_with_subject_conflict( > + self, crud_subca, subject_conflict_subca): > + crud_subca.ensure_exists() > + > + with pytest.raises(errors.DuplicateEntry): > + subject_conflict_subca.create() > diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py > new file mode 100644 > index 0000000000000000000000000000000000000000..7586c771c028df9343bcf7fcdd538c19c494ed1a > --- /dev/null > +++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py 
> @@ -0,0 +1,126 @@ > +# > +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license > +# > +from __future__ import absolute_import > + > +import six > + > +from ipapython.dn import DN > +from ipatests.test_xmlrpc.tracker.base import Tracker > +from ipatests.util import assert_deepequal > +from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_issuer, fuzzy_caid > +from ipatests.test_xmlrpc import objectclasses > + > + > +if six.PY3: > + unicode = str > + > + > +class CATracker(Tracker): > + """Implementation of a Tracker class for CA plugin.""" > + > + retrieve_keys = { > + 'dn', 'cn', 'ipacaid', 'ipacasubjectdn', 'ipacaissuerdn', 'description' > + } > + retrieve_all_keys = {'objectclass'} | retrieve_keys > + create_keys = retrieve_all_keys > + update_keys = retrieve_keys - {'dn'} > + > + def __init__(self, name, subject, desc=u"Test generated CA", > + default_version=None): > + super(CATracker, self).__init__(default_version=default_version) > + self.attrs = {} > + self.ipasubjectdn = subject > + self.description = desc > + > + self.dn = DN(('cn', name), > + self.api.env.container_ca, > + self.api.env.basedn) > + > + def make_create_command(self, force=True): > + """Make function that creates the plugin entry object.""" > + return self.make_command( > + 'ca_add', self.name, ipacasubjectdn=self.ipasubjectdn, > + description=self.description > + ) > + > + def check_create(self, result): > + assert_deepequal(dict( > + value=self.name, > + summary=u'Created CA "{}"'.format(self.name), > + result=dict(self.filter_attrs(self.create_keys)) > + ), result) > + > + def track_create(self): > + self.attrs = dict( > + dn=unicode(self.dn), > + cn=[self.name], > + description=[self.description], > + ipacasubjectdn=[self.ipasubjectdn], > + ipacaissuerdn=[fuzzy_issuer], > + ipacaid=[fuzzy_caid], > + objectclass=objectclasses.ca > + ) > + self.exists = True > + > + def make_delete_command(self): > + """Make function that deletes the plugin entry object.""" > + return 
self.make_command('ca_del', self.name) > + > + def check_delete(self, result): > + assert_deepequal(dict( > + value=[self.name], > + summary=u'Deleted CA "{}"'.format(self.name), > + result=dict(failed=[]) > + ), result) > + > + def make_retrieve_command(self, all=False, raw=False): > + """Make function that retrieves the entry using ${CMD}_show""" > + return self.make_command('ca_show', self.name, all=all, raw=raw) > + > + def check_retrieve(self, result, all=False, raw=False): > + """Check the plugin's `show` command result""" > + if all: > + expected = self.filter_attrs(self.retrieve_all_keys) > + else: > + expected = self.filter_attrs(self.retrieve_keys) > + > + assert_deepequal(dict( > + value=self.name, > + summary=None, > + result=expected > + ), result) > + > + def make_find_command(self, *args, **kwargs): > + """Make function that finds the entry using ${CMD}_find > + > + Note that the name (or other search terms) needs to be specified > + in arguments. > + """ > + return self.make_command('ca_find', *args, **kwargs) > + > + def check_find(self, result, all=False, raw=False): > + """Check the plugin's `find` command result""" > + if all: > + expected = self.filter_attrs(self.retrieve_all_keys) > + else: > + expected = self.filter_attrs(self.retrieve_keys) > + > + assert_deepequal(dict( > + count=1, > + truncated=False, > + summary=u'1 CA matched', > + result=[expected] > + ), result) > + > + def make_update_command(self, updates): > + """Make function that modifies the entry using ${CMD}_mod""" > + return self.make_command('ca_mod', self.name, **updates) > + > + def check_update(self, result, extra_keys=()): > + """Check the plugin's `find` command result""" > + assert_deepequal(dict( > + value=self.name, > + summary=u'Modified CA "{}"'.format(self.name), > + result=self.filter_attrs(self.update_keys | set(extra_keys)) > + ), result) 
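Review bot: the bogus attribute values in test_ca_plugin.py, e.g. `u'ipacaissuerdn="cn=phony issuer,o=phony industries'` and `u'ipacasubjectdn="cn=phony subject,o=phony industries'`, contain an unbalanced double quote; the four `test_modify_*`/`test_add_bogus_*` tests still pass only because `ca_mod` rejects the attribute as not configurable before it looks at the value, so drop the stray quote rather than leave a value that looks like a typo. Also, `default_profile` sets `name = 'caIPAserviceCert'` as a plain string while every other name in the module is a `u''` literal; use `u'caIPAserviceCert'` for consistency on Python 2.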
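Review bot: in tracker/ca_plugin.py, `check_update` carries a copy-pasted docstring ("Check the plugin's `find` command result") that should say `mod`, and `make_create_command(self, force=True)` declares a `force` parameter that the body never forwards to `ca_add`; either pass it through or drop it so the signature does not promise an option that has no effect.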
> diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py > index c3bba9abf1079469126d4423425a32c74f886895..ddfe9c17c5ca110bc5eb66dead618383b861eda9 100644 > --- a/ipatests/test_xmlrpc/xmlrpc_test.py > +++ b/ipatests/test_xmlrpc/xmlrpc_test.py > @@ -81,6 +81,9 @@ fuzzy_caacldn = Fuzzy( > '(?i)ipauniqueid=%s,cn=caacls,cn=ca,%s' % (uuid_re, api.env.basedn) > ) > > +# Matches internal CA ID > +fuzzy_caid = fuzzy_uuid > + > # Matches fuzzy ipaUniqueID DN group (RDN) > fuzzy_ipauniqueid = Fuzzy('(?i)ipauniqueid=%s' % uuid_re) > > -- > 2.9.0 > > From e81e5074c439071019fb12627ff8f0945ba2f9d1 Mon Sep 17 00:00:00 2001 > From: =?UTF-8?q?Milan=20Kub=C3=ADk?= > Date: Tue, 21 Jun 2016 13:45:54 +0200 > Subject: [PATCH 2/3] ipatests: Extend CAACL suite to cover Sub CA members > > https://fedorahosted.org/freeipa/ticket/4559 > --- > ipatests/test_xmlrpc/test_caacl_plugin.py | 26 ++++++++++++++++++++++++-- > ipatests/test_xmlrpc/tracker/caacl_plugin.py | 26 +++++++++++++++++++++----- > 2 files changed, 45 insertions(+), 7 deletions(-) > > diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py > index f20b02b295024313008be7b75bdcae2ade70b4ff..dce12e484e4fa3a57fcd54fd9ffb60419fd161a4 100644 > --- a/ipatests/test_xmlrpc/test_caacl_plugin.py > +++ b/ipatests/test_xmlrpc/test_caacl_plugin.py > @@ -14,6 +14,7 @@ from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test > from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker > from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker > from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker > +from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker > > > @pytest.fixture(scope='class') 
> @@ -48,12 +49,19 @@ def category_acl(request): > name = u'category_acl' > tracker = CAACLTracker(name, ipacertprofile_category=u'all', > user_category=u'all', service_category=u'all', > - host_category=u'all') > + host_category=u'all', ipaca_category=u'all') > > return tracker.make_fixture(request) > > > @pytest.fixture(scope='class') > +def caacl_test_ca(request): > + name = u'caacl-test-ca' > + subject = u'CN=caacl test subca,O=test industries inc.' > + return CATracker(name, subject).make_fixture(request) > + > + > + at pytest.fixture(scope='class') > def staged_user(request): > name = u'st-user' > tracker = StageUserTracker(name, u'stage', u'test') > @@ -109,7 +117,8 @@ class TestCAACLMembers(XMLRPC_test): > hostcategory=None, > servicecategory=None, > ipacertprofilecategory=None, > - usercategory=None) > + usercategory=None, > + ipacacategory=None) > category_acl.update(updates) > > def test_add_profile(self, category_acl, default_profile): > @@ -120,6 +129,15 @@ class TestCAACLMembers(XMLRPC_test): > category_acl.remove_profile(certprofile=default_profile.name) > category_acl.retrieve() > > + def test_add_ca(self, category_acl, caacl_test_ca): > + caacl_test_ca.ensure_exists() > + category_acl.add_ca(ca=caacl_test_ca.name) > + category_acl.retrieve() > + > + def test_remove_ca(self, category_acl, caacl_test_ca): > + category_acl.remove_ca(ca=caacl_test_ca.name) > + category_acl.retrieve() > + > def test_add_invalid_value_service(self, category_acl, default_profile): > res = category_acl.add_service(service=default_profile.name, track=False) > assert len(res['failed']) == 1 
> @@ -144,6 +162,10 @@ class TestCAACLMembers(XMLRPC_test): > res = category_acl.add_profile(certprofile=category_acl.name, track=False) > assert len(res['failed']) == 1 > > + def test_add_invalid_value_ca(self, category_acl): > + res = category_acl.add_ca(ca=category_acl.name, track=False) > + assert len(res['failed']) == 1 > + > def test_add_staged_user_to_acl(self, category_acl, staged_user): > res = category_acl.add_user(user=staged_user.name, track=False) > assert len(res['failed']) == 1 > diff --git a/ipatests/test_xmlrpc/tracker/caacl_plugin.py b/ipatests/test_xmlrpc/tracker/caacl_plugin.py > index afe7ee0c071b6346d9a21337d8e486ff8b2891cc..79c892d27e88b3b263915cc0bf843a1235b4836e 100644 > --- a/ipatests/test_xmlrpc/tracker/caacl_plugin.py > +++ b/ipatests/test_xmlrpc/tracker/caacl_plugin.py > @@ -35,10 +35,11 @@ class CAACLTracker(Tracker): > u'memberuser_user', u'memberuser_group', > u'memberhost_host', u'memberhost_hostgroup', > u'memberservice_service', > - u'ipamembercertprofile_certprofile'} > + u'ipamembercertprofile_certprofile', > + u'ipamemberca_ca'} > category_keys = { > u'ipacacategory', u'ipacertprofilecategory', u'usercategory', > - u'hostcategory', u'servicecategory'} > + u'hostcategory', u'servicecategory', u'ipacacategory'} > retrieve_keys = { > u'dn', u'cn', u'description', u'ipaenabledflag', > u'ipamemberca', u'ipamembercertprofile', u'memberuser', 
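Review bot: in the tracker/caacl_plugin.py `category_keys` hunk, the added `u'ipacacategory'` duplicates the entry already on the set's first line (`u'ipacacategory', u'ipacertprofilecategory', u'usercategory',`); a duplicate element in a set literal is harmless but misleading, so leave `category_keys` unchanged here and keep only the `member_keys` addition of `u'ipamemberca_ca'`.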
> @@ -51,14 +52,15 @@ class CAACLTracker(Tracker): > update_keys = create_keys - {u'dn'} > > def __init__(self, name, ipacertprofile_category=None, user_category=None, > - service_category=None, host_category=None, description=None, > - default_version=None): > + service_category=None, host_category=None, > + ipaca_category=None, description=None, default_version=None): > super(CAACLTracker, self).__init__(default_version=default_version) > > self._name = name > self.description = description > self._categories = dict( > ipacertprofilecategory=ipacertprofile_category, > + ipacacategory=ipaca_category, > usercategory=user_category, > servicecategory=service_category, > hostcategory=host_category) > @@ -200,7 +202,7 @@ class CAACLTracker(Tracker): > # implemented in standalone test > # > # The methods implemented here will be: > - # caacl_{add,remove}_{host, service, certprofile, user [, subca]} > + # caacl_{add,remove}_{host, service, certprofile, user, ca} > > def _add_acl_component(self, command_name, keys, track): > """ Add a resource into ACL rule and track it. > @@ -356,6 +358,20 @@ class CAACLTracker(Tracker): > > return self._remove_acl_component(u'caacl_remove_profile', options, track) > > + def add_ca(self, ca=None, track=True): > + options = { > + u'ipamemberca_ca': > + {u'ca': ca}} > + > + return self._add_acl_component(u'caacl_add_ca', options, track) > + > + def remove_ca(self, ca=None, track=True): > + options = { > + u'ipamemberca_ca': > + {u'ca': ca}} > + > + return self._remove_acl_component(u'caacl_remove_ca', options, track) > + > def enable(self): > command = self.make_command(u'caacl_enable', self.name) > self.attrs.update({u'ipaenabledflag': [u'TRUE']}) > -- > 2.9.0 > > From b3e43108f1822fd83c602a7eecec933889531d1b Mon Sep 17 00:00:00 2001 
> From: =?UTF-8?q?Milan=20Kub=C3=ADk?= > Date: Tue, 21 Jun 2016 15:57:58 +0200 > Subject: [PATCH 3/3] ipatests: Test Sub CA with CAACL and certificate profile > > Test the Sub CA feature by signing a CSR with custom > certificate profile. > > The test also covers 'cert-request' fallback behaviour > for missing 'cacn' and 'profile-id' options by reusing > the fixtures from the module. > > https://fedorahosted.org/freeipa/ticket/4559 > --- > .../test_xmlrpc/test_caacl_profile_enforcement.py | 110 +++++++++++++++++++++ > 1 file changed, 110 insertions(+) > > diff --git a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py > index 11c040966003e2ea86149359c8aacb953e9fdd37..a70d81d885cdf0b4c8bbbdaa7d6f69bfbd84719c 100644 > --- a/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py > +++ b/ipatests/test_xmlrpc/test_caacl_profile_enforcement.py > @@ -15,6 +15,7 @@ from ipatests.util import ( > from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test > from ipatests.test_xmlrpc.tracker.certprofile_plugin import CertprofileTracker > from ipatests.test_xmlrpc.tracker.caacl_plugin import CAACLTracker > +from ipatests.test_xmlrpc.tracker.ca_plugin import CATracker > > from ipapython.ipautil import run 
> > @@ -250,3 +251,112 @@ class TestSignWithChangedProfile(XMLRPC_test): > with pytest.raises(errors.CertificateOperationError): > api.Command.cert_request(csr, principal=smime_user, > profile_id=smime_profile.name) > + > + > + at pytest.fixture(scope='class') > +def smime_signing_ca(request): > + name = u'smime-signing-ca' > + subject = u'CN=SMIME CA,O=test industries Inc.' > + return CATracker(name, subject).make_fixture(request) > + > + > + at pytest.mark.tier1 > +class TestCertSignMIMEwithSubCA(XMLRPC_test): > + """ Test Certificate Signing with Sub CA > + > + The test covers following areas: > + > + * signing a CSR with custom certificate profile > + using a designated Sub CA > + * Verify that the Issuer of the signed certificate > + is the reqested CA > + * Verify that when not set, cert-request uses the default CA. > + This it verified by violating an ACL > + * Verify that when not set, cert-request uses the default > + certificate profile. > + > + The latter two test cases are implemented in this module > + as not to replicate the fixtures to cert plugin test module. 
> + """ > + > + def test_cert_import(self, smime_profile): > + smime_profile.ensure_exists() > + > + def test_create_acl(self, smime_acl): > + smime_acl.ensure_exists() > + > + def test_create_subca(self, smime_signing_ca): > + smime_signing_ca.ensure_exists() > + > + def test_add_profile_to_acl(self, smime_acl, smime_profile): > + smime_acl.add_profile(certprofile=smime_profile.name) > + > + def test_add_subca_to_acl(self, smime_acl, smime_signing_ca): > + smime_acl.add_ca(smime_signing_ca.name) > + > + # rewrite to trackers, prepare elsewhere > + def test_add_user_to_group(self, smime_group, smime_user): > + api.Command.group_add_member(smime_group, user=smime_user) > + > + def test_add_group_to_acl(self, smime_group, smime_acl): > + smime_acl.add_user(group=smime_group) > + > + def test_sign_smime_csr(self, smime_profile, smime_user, smime_signing_ca): > + csr = generate_user_csr(smime_user) > + with change_principal(smime_user, SMIME_USER_PW): > + api.Command.cert_request(csr, principal=smime_user, > + profile_id=smime_profile.name, > + cacn=smime_signing_ca.name) > + > + def test_sign_smime_csr_full_principal( > + self, smime_profile, smime_user, smime_signing_ca): > + csr = generate_user_csr(smime_user) > + smime_user_principal = '@'.join((smime_user, api.env.realm)) > + with change_principal(smime_user, SMIME_USER_PW): > + api.Command.cert_request(csr, principal=smime_user_principal, > + profile_id=smime_profile.name, > + cacn=smime_signing_ca.name) > + > + def test_verify_cert_issuer_dn_is_subca( > + self, smime_profile, smime_user, smime_signing_ca): > + csr = generate_user_csr(smime_user) > + smime_user_principal = '@'.join((smime_user, api.env.realm)) > + with change_principal(smime_user, SMIME_USER_PW): > + cert_info = api.Command.cert_request( > + csr, principal=smime_user_principal, > + profile_id=smime_profile.name, cacn=smime_signing_ca.name) > + > + assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn > + > + def 
test_sign_smime_csr_fallback_to_default_CA( > + self, smime_profile, smime_user, smime_signing_ca): > + """ Attempt to sign a CSR without CA specified. > + > + The request will satisfy SMIME_ACL via the profile ID, > + however not specifying the CA will fallback to the IPA CA > + for which SMIME profile isn't enabled, thus violating ACL. > + """ > + csr = generate_user_csr(smime_user) > + smime_user_principal = '@'.join((smime_user, api.env.realm)) > + > + with pytest.raises(errors.ACIError): > + with change_principal(smime_user, SMIME_USER_PW): > + api.Command.cert_request(csr, principal=smime_user_principal, > + profile_id=smime_profile.name) > + > + def test_sign_smime_csr_fallback_to_default_cert_profile( > + self, smime_profile, smime_user, smime_signing_ca): > + """ Attempt to sign a CSR without certificate profile specified. > + > + Similar to previous test case. > + By specifying only the CA to use, profile will fallback to > + the default caIPAserviceCert profile which is not enabled > + via ACL to be used with the CA, thus failing the request. > + """ > + csr = generate_user_csr(smime_user) > + smime_user_principal = '@'.join((smime_user, api.env.realm)) > + > + with pytest.raises(errors.ACIError): > + with change_principal(smime_user, SMIME_USER_PW): > + api.Command.cert_request(csr, principal=smime_user_principal, > + cacn=smime_signing_ca.name) > -- > 2.9.0 > From mkosek at redhat.com Fri Jun 24 06:24:56 2016 
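Review bot: `test_verify_cert_issuer_dn_is_subca` compares `cert_info['result']['issuer']` with `smime_signing_ca.ipasubjectdn` as raw strings; if the issuer value returned by `cert_request` is ever formatted differently from the subject string passed to `ca_add` (spacing or attribute-type case), the test fails for the wrong reason. Comparing `DN(cert_info['result']['issuer']) == DN(smime_signing_ca.ipasubjectdn)` with `ipapython.dn.DN` (already used by the tracker) makes the check independent of formatting. The class docstring also has typos: "reqested" and "This it verified" should read "requested" and "This is verified".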
From: mkosek at redhat.com (Martin Kosek)
Date: Fri, 24 Jun 2016 08:24:56 +0200
Subject: [Freeipa-devel] [PATCH] 498 Update Contributors.txt
In-Reply-To: <20160623173911.GB12462@10.4.128.1>
References: <38a9f232-8170-eb30-eedb-ba9fc473d878@redhat.com> <20160623173911.GB12462@10.4.128.1>
Message-ID: <6d01ce83-b398-2581-a68c-3cde5a1b7bd3@redhat.com>

On 06/23/2016 07:39 PM, Lukas Slebodnik wrote:
> On (23/06/16 15:22), Martin Kosek wrote:
>> Update .mailmap to fix wrong commit author and re-generate
>> the Developer contributor list.
>>
>> --
>> Martin Kosek
>> Manager, Software Engineering - Identity Management Team
>> Red Hat, Inc.
>
>>From 4271bdb36d111b90da3daf3f4312ec40d7db590f Mon Sep 17 00:00:00 2001
>> From: Martin Kosek
>> Date: Thu, 23 Jun 2016 15:19:59 +0200
>> Subject: [PATCH] Update Contributors.txt
>>
>> Update .mailmap to fix wrong commit author and re-generate
>> the Developer contributor list.
>> ---
>> .mailmap | 1 +
>> Contributors.txt | 1 +
>> 2 files changed, 2 insertions(+)
>>
>> diff --git a/.mailmap b/.mailmap >> index 422a0089cc6f7de4aaed6a446a5d090bcee3fee8..4fe0587a4550b9ca4b89501a55d96540df4c10cf 100644 >> --- a/.mailmap >> +++ b/.mailmap >> @@ -51,6 +51,7 @@ Sumit Bose >> Thierry Bordaz >> Thierry Bordaz >> Thierry Bordaz >> +Thierry Bordaz
> I know that it's autogenerated.
> But does Thierry need to be there 4 times?

This is not autogenerated, I had to add a correct author mapping for every patch that was sent and committed with a wrong author.

>
>> Tom?? Babej >> Tom?? Babej >> William Jon McCann >> diff --git a/Contributors.txt b/Contributors.txt >> index 71be27da5ab415deb11589d5bf82d684b2d85f9a..a003a3edb5c1f291b94402f6784b70fa7bcb1298 100644 >> --- a/Contributors.txt >> +++ b/Contributors.txt
>> @@ -10,6 +10,7 @@ Developers: >> Tom?? Babej >> Martin Babinsky >> Kyle Baker >> + Jan Barta >> Martin Ba?ti >> Sylvain Baubeau >> Florence Blanc-Renaud >> -- >> 2.5.5 >> > >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > From ftweedal at redhat.com Fri Jun 24 06:49:43 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 24 Jun 2016 16:49:43 +1000
Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal
In-Reply-To: <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com>
References: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com>
Message-ID: <20160624064943.GP4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 21.6.2016 08:24, Fraser Tweedale wrote:
> > The attached patches add lightweight CA renewal. There are two
> > substantive aspects:
> >
> > 1. The renew_ca_cert updates the serial number in the lightweight
> > CA's entry in the Dogtag database. This causes CA clones to observe
> > the renewal and update the certs in their own NSSDBs.
> >
> > 2. The ipa-certupdate command adds Certmonger tracking requests for
> > lightweight CAs (on the renewal master only).
> >
> > Correct behaviour also depends on my patch 0069 (in-server API for
> > renew_ca_cert script).
>
> Patch 0072-0074: LGTM
>
> Patch 0075:
>
> 1) Lightweight CA certs should be tracked by certmonger on all CA servers,
> not just on the renewal master. The behavior should be the same as for the
> main CA cert, i.e. the actual renewal is done only on the renewal master,
> other CA servers only update their NSS DBs (this is handled in
> dogtag-ipa-ca-renew-agent-submit).
>
> This is important because CA renewal master can change at any time, and
> without all CA certs being tracked on all CA servers, there is no guarantee
> the renewal would happen.
>
> 2) Since CA clones update their NSS DBs on their own,
> dogtag-ipa-ca-renew-agent should be updated not to put them in
> cn=ca_renewal,cn=ipa,cn=etc.
>
Thanks for the review, Honza.

Updated patch 0075-2 attached.

-------------- next part --------------
From 9256f36d8df206642a51964ae2f40f4905e0c0bc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Tue, 21 Jun 2016 15:01:41 +1000 Subject: [PATCH] ipa-certupdate: track lightweight CA certificates Enhance the ipa-certupdate program to add Certmonger tracking requests for lightweight CA certificates. Also update the dogtag-ipa-ca-renew-agent-submit to not store or retrieve lightweight CA certificates, because Dogtag clones observe renewals and update their NSSDBs on their own, and allow the helper to request non-self-signed certificates. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- .../certmonger/dogtag-ipa-ca-renew-agent-submit | 39 +++++++++++++--- ipaclient/ipa_certupdate.py | 52 ++++++++++++++++++++-- 2 files changed, 82 insertions(+), 9 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 3f7333c0e0bb6059e8b3791ef5230c7e5663d2eb..7ab3ec15db37894ed443aa16b7edcf85d69c8192 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -62,6 +62,24 @@ if six.PY3: unicode = str +IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' + +def get_nickname(): + csr = os.environ.get('CERTMONGER_CSR') + return pkcs10.get_friendlyname(csr) if csr else None + +def is_lightweight_ca(): + nickname = get_nickname() or '' + return nickname != IPA_CA_NICKNAME and nickname.startswith(IPA_CA_NICKNAME) + +def is_renewable(): + cert = os.environ.get('CERTMONGER_CERTIFICATE') + if not cert: + return False + else: + return x509.is_self_signed(cert) or is_lightweight_ca() + + @contextlib.contextmanager def ldap_connect(): conn = None @@ -210,6 +228,11 @@ def store_cert(): if not cert: return (REJECTED, "New certificate requests not supported") + if is_lightweight_ca(): + # Lightweight CAs are updated in Dogtag's NSSDB + # by Dogtag itself, so do not store it + return (ISSUED, cert) + dercert = x509.normalize_certificate(cert) dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
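Review bot: in the `@@ -62,6 +62,24 @@` hunk, `is_lightweight_ca()` treats any nickname that merely starts with `caSigningCert cert-pki-ca` as a lightweight CA; lightweight CA nicknames are `IPA_CA_NICKNAME` followed by a space and the CA id, so the test should be `nickname.startswith(IPA_CA_NICKNAME + ' ')`, which also makes the `nickname != IPA_CA_NICKNAME` clause redundant. `get_nickname()` returns None when `CERTMONGER_CSR` is unset and the caller papers over it with `or ''`; a CSR that carries no friendly-name attribute is a separate case, so confirm what `pkcs10.get_friendlyname()` does there and handle it explicitly rather than relying on the fallback. The early `return (ISSUED, cert)` in the `store_cert()` hunk returns the PEM exactly as certmonger handed it in, which is what the helper protocol expects, but a one-line comment saying so would save the next reader from wondering why `normalize_certificate` is skipped.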
@@ -338,6 +361,12 @@ def retrieve_cert_continuous(): if old_cert: old_cert = x509.normalize_certificate(old_cert) + if is_lightweight_ca(): + # Lightweight CAs are updated in Dogtag's NSSDB + # by Dogtag itself, so do not try to retrieve it. + # Everything is fine as is. + return (ISSUED, os.environ.get('CERTMONGER_CERTIFICATE')) + result = call_handler(retrieve_or_reuse_cert) if result[0] != ISSUED: return result @@ -393,13 +422,12 @@ def renew_ca_cert(): cert = os.environ.get('CERTMONGER_CERTIFICATE') if not cert: return (REJECTED, "New certificate requests not supported") - is_self_signed = x509.is_self_signed(cert) operation = os.environ.get('CERTMONGER_OPERATION') if operation == 'SUBMIT': state = 'retrieve' - if is_self_signed: + if is_renewable(): ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False) if ca.is_renewal_master(): state = 'request' @@ -419,10 +447,11 @@ def renew_ca_cert(): if state == 'retrieve': result = call_handler(retrieve_cert) - if result[0] == REJECTED and not is_self_signed: + if result[0] == REJECTED and not is_renewable(): syslog.syslog(syslog.LOG_ALERT, - "IPA CA certificate is about to expire, " - "use ipa-cacert-manage to renew it") + "Certificate with subject '%s' is about to expire, " + "use ipa-cacert-manage to renew it" + % (os.environ.get("CERTMONGER_REQ_SUBJECT"),)) elif state == 'request': profile = os.environ['CERTMONGER_CA_PROFILE'] os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert' diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py index b9572196c0eab3b35aa62790eed4ce8a21e3c130..e59047a2705eb8ccb98b5213c4c8771f55a29bc5 100644 --- a/ipaclient/ipa_certupdate.py +++ b/ipaclient/ipa_certupdate.py 
@@ -29,7 +29,10 @@ from ipaplatform import services from ipaplatform.paths import paths from ipaplatform.tasks import tasks from ipalib import api, errors, x509, certstore +from ipalib.constants import IPA_CA_CN +IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca' +RENEWAL_CA_NAME = 'dogtag-ipa-ca-renew-agent' class CertUpdate(admintool.AdminTool): command_name = 'ipa-certupdate' @@ -76,18 +79,27 @@ class CertUpdate(admintool.AdminTool): version=u'2.0', ) ca_enabled = result['result']['enable_ra'] - api.Backend.rpcclient.disconnect() ldap.do_sasl_gssapi_bind() certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) + + # find lightweight CAs (on renewal master only) + lwcas = [] + for ca_obj in api.Command.ca_find()['result']: + if IPA_CA_CN not in ca_obj['cn']: + lwcas.append(ca_obj) + + api.Backend.rpcclient.disconnect() finally: shutil.rmtree(tmpdir) server_fstore = sysrestore.FileStore(paths.SYSRESTORE) if server_fstore.has_files(): self.update_server(certs) + for entry in lwcas: + self.server_track_lightweight_ca(entry) self.update_client(certs) @@ -122,11 +134,10 @@ class CertUpdate(admintool.AdminTool): if services.knownservices.httpd.is_running(): services.knownservices.httpd.restart() - nickname = 'caSigningCert cert-pki-ca' criteria = { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, - 'cert-nickname': nickname, - 'ca-name': 'dogtag-ipa-ca-renew-agent', + 'cert-nickname': IPA_CA_NICKNAME, + 'ca-name': RENEWAL_CA_NAME } request_id = certmonger.get_request_id(criteria) if request_id is not None: 
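Review bot: in the `@@ -76,18 +79,27 @@` hunk the comment `# find lightweight CAs (on renewal master only)` no longer matches the code: `ca_find()` runs unconditionally and the `for entry in lwcas: self.server_track_lightweight_ca(entry)` loop runs on every host that has sysrestore files, which is the behaviour the review asked for, so drop "(on renewal master only)". More importantly, `ca_find()` is issued even when `ca_enabled` is False, and the loop then calls `server_track_lightweight_ca()` on replicas without a CA, where `paths.PKI_TOMCAT_ALIAS_DIR` and the `internal` pin do not exist, so each lightweight CA would produce a logged certmonger error on CA-less servers; guard the `ca_find()` call with `if ca_enabled:` and the tracking loop with a local-CA check (for example `cainstance.is_ca_installed_locally()`). The `criteria` refactor in the `@@ -122,11 +134,10 @@` hunk is fine as is.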
@@ -152,6 +163,39 @@ class CertUpdate(admintool.AdminTool): self.update_file(paths.CA_CRT, certs) + def server_track_lightweight_ca(self, entry): + nickname = "{} {}".format(IPA_CA_NICKNAME, entry['ipacaid'][0]) + criteria = { + 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, + 'cert-nickname': nickname, + 'ca-name': RENEWAL_CA_NAME, + } + request_id = certmonger.get_request_id(criteria) + if request_id is None: + try: + certmonger.dogtag_start_tracking( + secdir=paths.PKI_TOMCAT_ALIAS_DIR, + pin=certmonger.get_pin('internal'), + pinfile=None, + nickname=nickname, + ca=RENEWAL_CA_NAME, + pre_command='stop_pkicad', + post_command='renew_ca_cert "%s"' % nickname, + ) + request_id = certmonger.get_request_id(criteria) + certmonger.modify(request_id, profile='ipaCACertRenewal') + self.log.debug( + 'Lightweight CA renewal: ' + 'added tracking request for "%s"', nickname) + except RuntimeError as e: + self.log.error( + 'Lightweight CA renewal: Certmonger failed to ' + 'start tracking certificate: %s', e) + else: + self.log.debug( + 'Lightweight CA renewal: ' + 'already tracking certificate "%s"', nickname) + def update_file(self, filename, certs, mode=0o444): certs = (c[0] for c in certs if c[2] is not False) try: -- 2.5.5 From ftweedal at redhat.com Fri Jun 24 07:34:34 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 24 Jun 2016 17:34:34 +1000 Subject: [Freeipa-devel] [PATCH] 0077 Check for CA subject name collision before attempting creation Message-ID: <20160624073434.GQ4200@dhcp-40-8.bne.redhat.com> Hi, Attached patch fixes https://fedorahosted.org/freeipa/ticket/5981. Cheers, Fraser -------------- next part -------------- From 905bef9ca787cea6ae66e2dbe3df33a2420bbd8b Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Fri, 24 Jun 2016 17:29:51 +1000 Subject: [PATCH] Check for CA subject name collision before attempting creation Lightweight CA subject name collisions are prevented by Dogtag (response code 409 Conflict), however, we do not want to expose the Dogtag error. Perform the check in the IPA framework as well, raising DuplicateEntry on collision. Fixes: https://fedorahosted.org/freeipa/ticket/5981 --- ipaserver/plugins/ca.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index ee98f0a2a9dc469d67676a3123d82ce519ba6d59..966ae2b1bdb4bb0207dfa58f0e9c951bc930f766 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -163,6 +163,13 @@ class ca_add(LDAPCreate): except errors.NotFound: pass + # check for subject collision before creating CA in Dogtag + result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn']) + if result['count'] > 0: + raise errors.DuplicateEntry(message=_( + "Subject DN is already used by CA '%s'" + ) % result['result'][0]['cn'][0]) + # Create the CA in Dogtag. with self.api.Backend.ra_lightweight_ca as ca_api: resp = ca_api.create_ca(options['ipacasubjectdn']) -- 2.5.5 From mbabinsk at redhat.com Fri Jun 24 07:52:25 2016 
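Review bot: the new block in `ca_add` is a check-then-act: two concurrent `ca-add` calls with the same subject can both pass `ca_find(ipacasubjectdn=...)` with `count == 0` and both reach `ca_api.create_ca()`, so Dogtag's 409 Conflict remains the only real guard and whatever handles that response should stay and be mapped to the same `DuplicateEntry` message rather than being dropped because of this pre-check. Also confirm that the LDAP match on `ipacasubjectdn` agrees with how Dogtag compares subject names (DN normalisation, attribute-type case, whitespace); if the two differ, a subject that Dogtag rejects can still pass the pre-check and the raw Dogtag error the commit message wants to hide would surface anyway.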
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 24 Jun 2016 09:52:25 +0200 Subject: [Freeipa-devel] [WIP] Kerberos principal aliases pt. 2 Message-ID: Hi list, I am furiously working on tickets related to the proper support and API for managing kerberos principal aliases for hosts, users, and services[1-5]. To better track and comment on my progress, I have forked freeipa on git and created a branch for you to test and review. The link is here: https://github.com/martbab/freeipa/tree/krb5-principal-aliases Please be aware that I may force-push into the branch without warning when fixing issues we will discover during testing/review. [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases [2] https://fedorahosted.org/freeipa/ticket/3864 [3] https://fedorahosted.org/freeipa/ticket/3961 [4] https://fedorahosted.org/freeipa/ticket/1365 [5] https://fedorahosted.org/freeipa/ticket/5413 -- Martin^3 Babinsky From ldoudova at redhat.com Fri Jun 24 08:29:35 2016 From: ldoudova at redhat.com (Lenka Doudova) Date: Fri, 24 Jun 2016 10:29:35 +0200 Subject: [Freeipa-devel] [PATCH 0021][Tests] Fix failing ipatests/test_ipaserver/test_rpcserver.py Message-ID: <3ce945e1-bca5-3519-3898-c937ff8998a1@redhat.com> Hi, attaching patch for one of the failing tests. Failure caused by an assertion that was no longer valid. Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0021-Tests-Fix-ipatests-test_ipaserver-test_rpcserver.patch Type: text/x-patch Size: 967 bytes Desc: not available URL: From mkubik at redhat.com Fri Jun 24 08:34:09 2016 
From: mkubik at redhat.com (Milan Kubík) Date: Fri, 24 Jun 2016 10:34:09 +0200 Subject: [Freeipa-devel] [PATCH] 0077 Check for CA subject name collision before attempting creation In-Reply-To: <20160624073434.GQ4200@dhcp-40-8.bne.redhat.com> References: <20160624073434.GQ4200@dhcp-40-8.bne.redhat.com> Message-ID: On 06/24/2016 09:34 AM, Fraser Tweedale wrote: > Hi, > > Attached patch fixes https://fedorahosted.org/freeipa/ticket/5981. > > Cheers, > Fraser Thanks for the patch, ACK. -- Milan Kubik From mbabinsk at redhat.com Fri Jun 24 08:36:31 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 24 Jun 2016 10:36:31 +0200 Subject: [Freeipa-devel] [PATCH 0164] Fix incorrect construction of service principal during replica cleanup Message-ID: https://fedorahosted.org/freeipa/ticket/5985 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0164-Fix-incorrect-construction-of-service-principal-duri.patch Type: text/x-patch Size: 985 bytes Desc: not available URL: From pvoborni at redhat.com Fri Jun 24 09:30:55 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 24 Jun 2016 11:30:55 +0200 Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix In-Reply-To: References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com> Message-ID: On 06/23/2016 05:30 PM, Stanislav Laznicka wrote: > On 06/23/2016 04:38 PM, Petr Vobornik wrote: >> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote: >>> Hello, >>> >>> attached are patches fixing the logic mentioned in >>> https://fedorahosted.org/freeipa/ticket/5967. >>> >>> >> Whether a server supports the suffix can be verified in the validate_nodes call >> where masters are already fetched. >> > Thank you for the suggestion, modified patch 50 attached. > Maybe it's just me, but the code is hard to read. Check the attached version, to speed up the review process. I've also changed the first commit message line; it was too generic. -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0050-3-Raise-exception-on-incorrect-segment-addition.patch Type: text/x-patch Size: 1083 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0051-2-Fix-topologysuffix-verify-failing-connections.patch Type: text/x-patch Size: 3283 bytes Desc: not available URL: From mbabinsk at redhat.com Fri Jun 24 09:52:52 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Fri, 24 Jun 2016 11:52:52 +0200 Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix In-Reply-To: References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com> Message-ID: <71282847-31b2-0a10-0cf3-6694b3572b5b@redhat.com> On 06/24/2016 11:30 AM, Petr Vobornik wrote: > On 06/23/2016 05:30 PM, Stanislav Laznicka wrote: >> On 06/23/2016 04:38 PM, Petr Vobornik wrote: >>> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote: >>>> Hello, >>>> >>>> attached are patches fixing the logic mentioned in >>>> https://fedorahosted.org/freeipa/ticket/5967. >>>> >>>> >>> Whether a server supports the suffix can be verified in the validate_nodes call >>> where masters are already fetched. >>> >> Thank you for the suggestion, modified patch 50 attached. >> > > Maybe it's just me, but the code is hard to read. Check the attached > version, to speed up the review process. > > I've also changed the first commit message line; it was too generic. > > > If you intend to use that internal function in other modules, please remove the leading underscore from its name. Otherwise pylint/IDEs may complain about importing a private module member. -- Martin^3 Babinsky From mkubik at redhat.com Fri Jun 24 10:08:24 2016
From: mkubik at redhat.com (Milan Kubík) Date: Fri, 24 Jun 2016 12:08:24 +0200 Subject: [Freeipa-devel] [patch 0038-0040] Sub CA test patches In-Reply-To: <20160624014203.GO4200@dhcp-40-8.bne.redhat.com> References: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com> <20160624014203.GO4200@dhcp-40-8.bne.redhat.com> Message-ID: <0e08d68d-cc4e-3f8c-de7f-be8d21ee91f7@redhat.com> On 06/24/2016 03:42 AM, Fraser Tweedale wrote: > On Tue, Jun 21, 2016 at 05:01:35PM +0200, Milan Kubík wrote: >> Hi Fraser and list, >> >> I have made changes to the test plan on the wiki [1] according to the >> information in "[Testplan review] Sub CAs" thread. >> >> I also implemented the tests in the test plan: >> >> patch 0038 - CATracker and CA CRUD test >> patch 0039 - extension to CA ACL test >> patch 0040 - functional test with ACLs and certificate profile, reusing my >> previous S/MIME based tests. This patch also tests for the cert-request >> behavior when profile ID or CA cn are omitted. >> >> The tests ATM do not verify the Issuer name in the certificate itself, just >> from the ipa entry of the certificate. >> > The approach you are using:: > > assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn > > is not quite as you describe (these are virtual attributes, not > attributes of an actual entry); but the approach is valid. The issue then is in the wording? The other approach I could have used here is to retrieve the two certificates and compare the fields manually. Are these virtual attributes created from the certificate itself? > >> Fraser, could you please verify my reasoning behind the test cases for >> cert-request in the patch 40? >> > The tests look OK. With the default CA / default profiles, is there > appropriate isolation between test cases to ensure that if, e.g. > some other test case adds/modifies CA ACLs such that these > expected-to-fail tests now pass, that this does not affect the > TestCertSignMIMEwithSubCA test case?
> > Thanks, > Fraser The ACL, SMIME CA and S/MIME profile lifetime is constrained by the class scope enforced by pytest. The two test cases depend on the fact documented in the designs, and that is what cert-request falls back to when CA or profile ID are not provided. Unless something changes the caIPAserviceCert profile or the affiliated ACL, the test cases are safe. I will try to think more about corner cases here. >> [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan >> >> Cheers >> >> -- >> Milan Kubik >> Attaching rebased patches and removing the expected fail from one of the tests as ticket 5981 has a fix posted. -- Milan Kubik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0038-1-ipatests-Tracker-implementation-for-Sub-CA-feature.patch Type: text/x-patch Size: 11816 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0039-1-ipatests-Extend-CAACL-suite-to-cover-Sub-CA-members.patch Type: text/x-patch Size: 6442 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mkubik-0040-1-ipatests-Test-Sub-CA-with-CAACL-and-certificate-prof.patch Type: text/x-patch Size: 6341 bytes Desc: not available URL: From mbasti at redhat.com Fri Jun 24 10:25:02 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 12:25:02 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> Message-ID: <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> On 23.06.2016 18:26, Petr Spacek wrote: > On 23.6.2016 16:38, Martin Basti wrote: >> Patches attached. >> >> >> https://fedorahosted.org/freeipa/ticket/2008 >> >> >> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch
>> >> >> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Tue, 21 Jun 2016 18:04:13 +0200 >> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >> for unused locations" >> >> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >> >> After deeper investigation, we found out that empty locations are needed >> for clients, because clients may have cached records for longer time for >> that particular location. Only way how to remove location is to remove >> it using location-del >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ipaserver/dns_data_management.py | 11 ++++------- >> 1 file changed, 4 insertions(+), 7 deletions(-) >> >> diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py >> index a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 100644 >> --- a/ipaserver/dns_data_management.py >> +++ b/ipaserver/dns_data_management.py >> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >> self.api_instance = api_instance >> self.domain_abs = DNSName(self.api_instance.env.domain).make_absolute() >> self.servers_data = {} >> - self.used_locations = set() >> self.__init_data() >> >> def reload_data(self): >> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >> >> def __init_data(self): >> self.servers_data = {} >> - self.used_locations = set() >> >> servers_result = self.api_instance.Command.server_find( >> pkey_only=True)['result'] >> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >> 'location': location, >> 'roles': roles, >> } >> - if location: >> - self.used_locations.add(location) >> >> def __add_srv_records( >> self, zone_obj, hostname, rname_port_map, 
>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >> pkey_only=True)['result'] >> servers = [s['cn'][0] for s in servers_result] >> >> - # generate only records for used location, records for unassigned >> - # locations are useless >> + locations_result = self.api_instance.Command.location_find()['result'] >> + locations = [l['idnsname'][0] for l in locations_result] >> + >> for server in servers: >> self._get_location_dns_records_for_server( >> zone_obj, server, >> - self.used_locations, roles=roles, >> + locations, roles=roles, >> include_master_role=include_master_role) >> return zone_obj >> >> -- 2.5.5 >> >> >> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >> >> >> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Tue, 21 Jun 2016 18:17:55 +0200 >> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install >> >> Since DNS location mechanism is active, this option has no effect, >> because records are generate dynamically. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/tools/ipa-adtrust-install | 10 +++++++--- >> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >> 2 files changed, 15 insertions(+), 16 deletions(-) >> >> diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install >> index 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c 100755 >> --- a/install/tools/ipa-adtrust-install >> +++ b/install/tools/ipa-adtrust-install >> @@ -29,6 +29,8 @@ import ldap >> >> import six >> >> +from optparse import SUPPRESS_HELP >> + >> from ipaserver.install import adtrustinstance >> from ipaserver.install.installutils import ( >> read_password, 
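Review bot: in the `@@ -353,12 +349,13 @@` hunk of the revert, `location_find()` is called without `pkey_only=True` although only `idnsname` is read from each entry, whereas the `server_find(pkey_only=True)` call two lines above already uses it; pass `pkey_only=True` so that generating the zone does not fetch every location attribute for every location on each regeneration.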
>> @@ -54,9 +56,11 @@ def parse_options(): >> default=False, help="print debugging information") >> parser.add_option("--netbios-name", dest="netbios_name", >> help="NetBIOS name of the IPA domain") >> + >> + # no-msdcs has not effect, option is here just for backward compatibility >> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >> - default=False, help="Do not create DNS service records " \ >> - "for Windows in managed DNS server") >> + default=False, help=SUPPRESS_HELP) >> + >> parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, >> help="Start value for mapping UIDs and GIDs to RIDs") >> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", >> @@ -390,7 +394,7 @@ def main(): >> smb.setup(api.env.host, api.env.realm, >> netbios_name, reset_netbios_name, >> options.rid_base, options.secondary_rid_base, >> - options.no_msdcs, options.add_sids, >> + options.add_sids, >> enable_compat = options.enable_compat) >> smb.find_local_id_range() >> smb.create_instance() >> diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py >> index 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 100644 >> --- a/ipaserver/install/adtrustinstance.py >> +++ b/ipaserver/install/adtrustinstance.py >> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >> def __init__(self, fstore=None): >> self.netbios_name = None >> self.reset_netbios_name = None >> - self.no_msdcs = None >> self.add_sids = None >> self.smbd_user = None >> self.smb_dn_pwd = None 
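Review bot: in the `parse_options()` hunk, `--no-msdcs` is kept with `SUPPRESS_HELP` for backward compatibility, but after this patch `options.no_msdcs` is never read anywhere, so an existing automation script that passes it will silently believe the Windows service records are skipped while they are now generated from DNS locations; print a warning when the flag is given ("--no-msdcs has no effect, DNS service records are generated automatically") instead of ignoring it. The comment `# no-msdcs has not effect` should also read `has no effect`.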
>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >> >> err_msg = None >> >> - if self.no_msdcs: >> - err_msg = '--no-msdcs was given, special DNS service records ' \ >> - 'are not added to local DNS server' >> + ret = api.Command['dns_is_enabled']() >> + if not ret['result']: >> + err_msg = "DNS management was not enabled at install time." >> else: >> - ret = api.Command['dns_is_enabled']() >> - if not ret['result']: >> - err_msg = "DNS management was not enabled at install time." >> - else: >> - if not dns_zone_exists(zone): >> - err_msg = "DNS zone %s cannot be managed " \ >> - "as it is not defined in IPA" % zone >> + if not dns_zone_exists(zone): >> + err_msg = ( >> + "DNS zone %s cannot be managed as it is not defined in " >> + "IPA" % zone) >> >> if err_msg: >> self.print_msg(err_msg) >> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >> >> def setup(self, fqdn, realm_name, netbios_name, >> reset_netbios_name, rid_base, secondary_rid_base, >> - no_msdcs=False, add_sids=False, smbd_user="samba", >> + add_sids=False, smbd_user="samba", >> enable_compat=False): >> self.fqdn = fqdn >> self.realm = realm_name >> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >> self.reset_netbios_name = reset_netbios_name >> self.rid_base = rid_base >> self.secondary_rid_base = secondary_rid_base >> - self.no_msdcs = no_msdcs >> self.add_sids = add_sids >> self.enable_compat = enable_compat >> self.smbd_user = smbd_user >> -- 2.5.5 >> >> >> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >> >> >> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 
>> From: Martin Basti >> Date: Wed, 22 Jun 2016 13:12:52 +0200 >> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >> information >> >> Because of separate calls to server-show, getting server data is quite >> slow. This commit replaces several server-show calls with one server-find >> command. There are future plans to improve the speed of server-find that >> will be beneficial for DNS locations. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> ipaserver/dns_data_management.py | 10 ++++------ >> 1 file changed, 4 insertions(+), 6 deletions(-) >> >> diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py >> index eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 100644 >> --- a/ipaserver/dns_data_management.py >> +++ b/ipaserver/dns_data_management.py >> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >> """ >> self.__init_data() >> >> - def __get_server_attrs(self, hostname): >> - server_result = self.api_instance.Command.server_show(hostname)['result'] >> + def __get_server_attrs(self, server_result): >> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >> location = server_result.get('ipalocation_location', [None])[0] >> roles = set(server_result.get('enabled_role_servrole', ())) >> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >> self.servers_data = {} >> >> servers_result = self.api_instance.Command.server_find( >> - pkey_only=True)['result'] >> - servers = [s['cn'][0] for s in servers_result] >> - for s in servers: >> + no_members=False)['result'] >> + for s in servers_result: >> weight, location, roles = self.__get_server_attrs(s) >> - self.servers_data[s] = { >> + self.servers_data[s['cn'][0]] = { >> 'weight': weight, >> 'location': location, >> 'roles': roles, >> -- 2.5.5 >> >> >> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >> >> >> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001
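Review bot: in the `__init_data()` hunk of patch 3/4, `server_find(no_members=False)` replaces the per-server `server_show` calls, but a single search is subject to the default search size limit; in a deployment with more servers than the configured limit, entries beyond it would be silently missing from `servers_data` and their SRV records dropped, so pass `sizelimit=0` here. In the `__get_server_attrs` hunk the parameter renamed from `hostname` is one entry of the result list, not the result, so `server_entry` would be a clearer name than `server_result`.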
>> From: Martin Basti >> Date: Thu, 23 Jun 2016 14:50:11 +0200 >> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >> >> We don't need these anymore: >> * sample of zone file - list of all records required by IPA will be >> provided >> >> * NTP related params - DNS records will be updated automatically, >> based on LDAP values >> >> * CA related params - DNS records will be updated automatically based >> on LDAP values >> >> https://fedorahosted.org/freeipa/ticket/2008 >> --- >> install/share/bind.zone.db.template | 29 --------------- >> ipaserver/dns_data_management.py | 9 +++++ >> ipaserver/install/bindinstance.py | 58 ++++++++---------------------- >> ipaserver/install/dns.py | 5 ++- >> ipaserver/install/server/install.py | 8 ++--- >> ipaserver/install/server/replicainstall.py | 4 +-- >> 6 files changed, 30 insertions(+), 83 deletions(-) >> delete mode 100644 install/share/bind.zone.db.template >> >> diff --git a/install/share/bind.zone.db.template b/install/share/bind.zone.db.template >> deleted file mode 100644 >> index ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >> --- a/install/share/bind.zone.db.template >> +++ /dev/null >> @@ -1,29 +0,0 @@ >> -$$ORIGIN $DOMAIN. >> -$$TTL 86400 >> -@ IN SOA $DOMAIN. $ZONEMGR ( >> - 01 ; serial >> - 3H ; refresh >> - 15M ; retry >> - 1W ; expiry >> - 1D ) ; minimum >> - >> - IN NS $HOST >> -$HOST IN A $IP >> -; >> -; ldap servers >> -_ldap._tcp IN SRV 0 100 389 $HOST >> - >> -;kerberos realm >> -_kerberos IN TXT $REALM >> - >> -; kerberos servers >> -_kerberos._tcp IN SRV 0 100 88 $HOST >> -_kerberos._udp IN SRV 0 100 88 $HOST >> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >> -_kerberos-master._udp IN SRV 0 100 88 $HOST >> -_kpasswd._tcp IN SRV 0 100 464 $HOST >> -_kpasswd._udp IN SRV 0 100 464 $HOST >> -$OPTIONAL_NTP >> - >> -; CNAME for IPA CA replicas (used for CRL, OCSP) >> -$IPA_CA_RECORD
>> diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py >> index e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b 100644 >> --- a/ipaserver/dns_data_management.py >> +++ b/ipaserver/dns_data_management.py >> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >> ) >> ) >> return records >> + >> + @classmethod >> + def records_list_from_zone(cls, zone_obj, sort=True): >> + records = [] >> + for name, node in zone_obj.items(): >> + records.extend(IPASystemRecords.records_list_from_node(name, node)) >> + if sort: >> + records.sort() >> + return records >> diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py >> index 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf 100644 >> --- a/ipaserver/install/bindinstance.py >> +++ b/ipaserver/install/bindinstance.py >> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >> suffix = ipautil.dn_attribute_property('_suffix') >> >> def setup(self, fqdn, ip_addresses, realm_name, domain_name, forwarders, >> - forward_policy, ntp, reverse_zones, >> + forward_policy, reverse_zones, >> named_user=constants.NAMED_USER, zonemgr=None, >> - ca_configured=None, no_dnssec_validation=False): >> + no_dnssec_validation=False): >> self.named_user = named_user >> self.fqdn = fqdn >> self.ip_addresses = ip_addresses >> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >> self.forward_policy = forward_policy >> self.host = fqdn.split(".")[0] >> self.suffix = ipautil.realm_to_suffix(self.realm) >> - self.ntp = ntp >> self.reverse_zones = reverse_zones >> - self.ca_configured = ca_configured >> self.no_dnssec_validation=no_dnssec_validation >> >> if not zonemgr: 
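Review bot: `records_list_from_zone` is declared `@classmethod` but calls `IPASystemRecords.records_list_from_node` by the hard-coded class name instead of `cls.records_list_from_node`, which defeats the point of taking `cls`; use `cls`. In the `BindInstance.setup()` hunk, dropping the positional `ntp` parameter shifts the position of `reverse_zones`, so a caller that is not updated in the same commit will silently pass its NTP flag as the reverse-zone list; `dns.py` and `install.py` are updated later in this patch, but the `replicainstall.py` hunk is not visible above, so confirm it drops the `ntp` and `ca_configured` arguments too.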
>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >> def host_in_default_domain(self): >> return normalize_zone(self.host_domain) == normalize_zone(self.domain) >> >> - def create_sample_bind_zone(self): >> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict) >> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >> - os.write(bind_fd, bind_txt) >> - os.close(bind_fd) >> - print("Sample zone file for bind has been created in "+bind_name) >> + def create_file_with_system_records(self): >> + system_records = IPASystemRecords(self.api) >> + text = u'\n'.join( >> + IPASystemRecords.records_list_from_zone( >> + system_records.get_base_records() >> + ) >> + ) >> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >> + os.write(fd, text) >> + os.close(fd) >> + print("Please add records in this file to your DNS system:", name) >> >> def create_instance(self): 
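Review bot: in `create_file_with_system_records()`, `text` is a unicode string (`u'\n'.join(...)`) but `os.write(fd, text)` needs bytes, so this raises `TypeError` on Python 3 and, on Python 2, `UnicodeEncodeError` as soon as a record contains a non-ASCII name; write `text.encode('utf-8')` and append a trailing newline so the last record line is terminated. Also check that the module imports `print_function`, otherwise `print("...", name)` prints a tuple on Python 2; formatting the message with `%` as the replaced `create_sample_bind_zone()` did avoids the question.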
>> >> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >> root_logger.debug("Unable to mask named (%s)", e) >> >> def __setup_sub_dict(self): >> - if self.forwarders: >> - fwds = "\n" >> - for forwarder in self.forwarders: >> - fwds += "\t\t%s;\n" % forwarder >> - fwds += "\t" >> - else: >> - fwds = " " >> - >> - if self.ntp: >> - optional_ntp = "\n;ntp server\n" >> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % self.host_in_rr >> - else: >> - optional_ntp = "" >> - >> - ipa_ca = "" >> - for addr in self.ip_addresses: >> - if addr.version in (4, 6): >> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >> - IPA_CA_RECORD, >> - "A" if addr.version == 4 else "AAAA", >> - str(addr)) >> - >> self.sub_dict = dict( >> FQDN=self.fqdn, >> - IP=[str(ip) for ip in self.ip_addresses], >> - DOMAIN=self.domain, >> - HOST=self.host, >> - REALM=self.realm, >> SERVER_ID=installutils.realm_to_serverid(self.realm), >> - FORWARDERS=fwds, >> - FORWARD_POLICY=self.forward_policy, >> SUFFIX=self.suffix, >> - OPTIONAL_NTP=optional_ntp, >> - ZONEMGR=self.zonemgr, >> - IPA_CA_RECORD=ipa_ca, >> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >> ROOT_KEY=paths.NAMED_ROOT_KEY, >> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >> ipautil.run([paths.GENERATE_RNDC_KEY]) >> >> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name, >> - reverse_zones, ntp=False, ca_configured=None): >> + reverse_zones): >> self.fqdn = fqdn >> self.ip_addresses = ip_addresses >> self.realm = realm_name >> self.domain = domain_name >> self.host = fqdn.split(".")[0] >> self.suffix = ipautil.realm_to_suffix(self.realm) >> - self.ntp = ntp >> self.reverse_zones = reverse_zones >> - self.ca_configured = ca_configured >> self.first_instance = False >> self.zonemgr = 'hostmaster.%s' % self.domain 
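Review bot: the `__setup_sub_dict()` hunk removes `IP`, `DOMAIN`, `HOST`, `REALM`, `FORWARDERS`, `FORWARD_POLICY`, `OPTIONAL_NTP`, `ZONEMGR` and `IPA_CA_RECORD` from `sub_dict`, and `ipautil.template_file()` raises `KeyError` for any `$NAME` still present in a template, so grep the remaining templates under install/share for these placeholders before merging; if `IPA_CA_RECORD` was imported into bindinstance.py only for the deleted block, drop the now-unused import as well. The `add_master_dns_records()` hunk removes the `ntp` and `ca_configured` keyword parameters, which is a public-signature change, so check every caller that passes `ntp=` or `ca_configured=` (ipa-dns-install, replica and upgrade code paths), not only the ones in this patch.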
>> >> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >> index 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 100644 >> --- a/ipaserver/install/dns.py >> +++ b/ipaserver/install/dns.py >> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >> autobind=AUTOBIND_ENABLED) >> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >> - options.forwarders, options.forward_policy, conf_ntp, >> + options.forwarders, options.forward_policy, >> reverse_zones, zonemgr=options.zonemgr, >> - no_dnssec_validation=options.no_dnssec_validation, >> - ca_configured=options.setup_ca) >> + no_dnssec_validation=options.no_dnssec_validation) >> >> if standalone and not options.unattended: >> print("") >> diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py >> index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 100644 >> --- a/ipaserver/install/server/install.py >> +++ b/ipaserver/install/server/install.py >> @@ -848,17 +848,17 @@ def install(installer): >> if setup_ca: >> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >> >> + api.Backend.ldap2.connect(autobind=True) >> if options.setup_dns: >> - api.Backend.ldap2.connect(autobind=True) >> dns.install(False, False, options) >> else: >> # Create a BIND instance >> bind = bindinstance.BindInstance(fstore, dm_password) >> bind.setup(host_name, ip_addresses, realm_name, >> - domain_name, (), 'first', not options.no_ntp, (), >> - zonemgr=options.zonemgr, ca_configured=setup_ca, >> + domain_name, (), 'first', (), >> + zonemgr=options.zonemgr, >> no_dnssec_validation=options.no_dnssec_validation) >> - bind.create_sample_bind_zone() >> + bind.create_file_with_system_records() >> >> # Restart httpd to pick up the new IPA configuration >> service.print_msg("Restarting the web server") 
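Review bot: in the create_file_with_system_records hunk of bindinstance.py, `os.write(fd, text)` is handed a unicode string (`text = u'\n'.join(...)`), but os.write() takes bytes: under Python 2 this works only while every record is ASCII (a non-ASCII zone or host name raises UnicodeEncodeError on the implicit encode) and under Python 3 it is a TypeError. Encode explicitly, e.g. `os.write(fd, text.encode('utf-8'))`, and append a trailing newline so the last record line is terminated in the file the user is told to import.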
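Review bot: the __setup_sub_dict hunk removes IP, DOMAIN, HOST, REALM, FORWARDERS, FORWARD_POLICY, OPTIONAL_NTP, ZONEMGR and IPA_CA_RECORD from self.sub_dict, but the patch does not show the template(s) this dict is rendered into; any template still carrying one of those placeholders will fail at substitution time during install. Please confirm (a grep over the named templates is enough) that none of the removed keys is still referenced, or keep the keys until the templates are updated. Related: add_master_dns_records still assigns self.zonemgr, which only makes sense if something other than the old template (IPASystemRecords, presumably) consumes it now.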
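Review bot: in the server/install.py hunk, hoisting `api.Backend.ldap2.connect(autobind=True)` out of the `if options.setup_dns:` branch makes the LDAP connection unconditional, presumably because create_file_with_system_records() builds IPASystemRecords(self.api) and needs it; the commit message should say so. Also check that nothing earlier in install() has already connected ldap2 (Connectible.connect() raises if the backend is already connected in the current thread) and that the connection is disconnected on both branches before the installer returns.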
>> diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py >> index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 100644 >> --- a/ipaserver/install/server/replicainstall.py >> +++ b/ipaserver/install/server/replicainstall.py 
>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >> str(ip), >> config.realm_name, >> config.domain_name, >> - reverse_zone, >> - not options.no_ntp, >> - options.setup_ca) >> + reverse_zone) >> except errors.NotFound as e: >> root_logger.debug('Replica DNS records could not be added ' >> 'on master: %s', str(e)) >> -- 2.5.5 > While testing this patch I've found out that ipa-dns-install does not work > idempotently anymore and explodes when re-run. > > I'm not sure what is the root cause yet. > > # ipa-dns-install --forwarder 10.34.78.1 > > WARNING: yacc table file version is out of date > > The log file for this installation can be found in /var/log/ipaserver-install.log > ============================================================================== > This program will setup DNS for the FreeIPA Server. > > This includes: > * Configure DNS (bind) > * Configure SoftHSM (required by DNSSEC) > * Configure ipa-dnskeysyncd (required by DNSSEC) > > NOTE: DNSSEC zone signing is not enabled by default > > > To accept the default shown in brackets, press the Enter key. > > Checking DNS forwarders, please wait ... > Do you want to search for missing reverse zones? [yes]: > > The following operations may take some minutes to complete. > Please wait until the prompt is returned. > > Configuring DNS (named) > [1/8]: generating rndc key file > [2/8]: setting up our own record > ipa : ERROR DNS query for > vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
A failed: The DNS operation timed
> out after 30.0012078285 seconds
> [error] DNSResolverError: The DNS operation timed out after 30.0012078285
> seconds
> Unexpected error - see /var/log/ipaserver-install.log for details:
> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
>
> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record
> 2016-06-23T15:41:54Z DEBUG raw:
> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199')
> 2016-06-23T15:41:54Z DEBUG dnszone_show( abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False,
> version=u'2.199')
> 2016-06-23T15:42:24Z ERROR DNS query for
> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
> out after 30.0012078285 seconds
> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 448, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 438, in run_step
> method()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
> line 860, in __add_self
> self.__add_master_records(self.fqdn, self.ip_addresses)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
> line 843, in __add_master_records
> verify_host_resolvable(fqdn)
> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in
> verify_host_resolvable
> raise errors.DNSResolverError(exception=ex)
> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds

IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962: we changed resolving of the server hostname from gethostbyname() to pure DNS. Workaround is to set the nameserver in /etc/resolv.conf.

> I was not able to test replica installation because of some weird ACI problem
> somewhere, replica install is failing with ACIError while adding ldap/replica
> principal.
This is probably a regression from some other patchset. > > https://fedorahosted.org/freeipa/ticket/5996 > From pvomacka at redhat.com Fri Jun 24 10:40:40 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Fri, 24 Jun 2016 12:40:40 +0200 Subject: [Freeipa-devel] [PATCH] 0062, 63: webui: Add button for 'server-del' command Message-ID: <0836f330-b7fb-a541-d13a-8ea9b4711021@redhat.com> Hello, please review attached patches, they add 'Delete Server' button. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0062-Add-support-to-change-button-css-class-on-confirm-di.patch Type: text/x-patch Size: 2531 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0063-Add-button-for-server-del-command.patch Type: text/x-patch Size: 5987 bytes Desc: not available URL: From slaznick at redhat.com Fri Jun 24 10:47:21 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 24 Jun 2016 12:47:21 +0200 Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix In-Reply-To: <71282847-31b2-0a10-0cf3-6694b3572b5b@redhat.com> References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com> <71282847-31b2-0a10-0cf3-6694b3572b5b@redhat.com> Message-ID: <578f8489-b03c-43f3-8fa1-374f2a4042f9@redhat.com> On 06/24/2016 11:52 AM, Martin Babinsky wrote: > On 06/24/2016 11:30 AM, Petr Vobornik wrote: >> On 06/23/2016 05:30 PM, Stanislav Laznicka wrote: >>> On 06/23/2016 04:38 PM, Petr Vobornik wrote: >>>> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote: >>>>> Hello, >>>>> >>>>> attached are patches fixing the logic mentioned in >>>>> https://fedorahosted.org/freeipa/ticket/5967. >>>>> >>>>> >>>> Whether the server supports the suffix can be verified in the validate_nodes call >>>> where masters are already fetched. >>>> >>> Thank you for the suggestion, modified patch 50 attached. >>> >> >> Maybe it's just me, but the code is hard to read. Check the attached >> version - speeding up the review process. >> >> I've also changed the first commit message line; it was too generic. >> >> >> > > If you intend to use that internal function in other modules, please > remove the leading underscore from its name. Otherwise pylint/IDEs may > complain about the import of a private module member. > Thank you for the review/update. You went the other way around it, which indeed does seem much more readable. Not sure if you meant to change the order of the patches, which in the order 50 -> 51 would make 50 alone not work because of a missing import, but I did change the order and fixed that. I also included the objection from Martin in the patches and removed the leading underscore from the imported function. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-slaznick-0050-4-Fix-topologysuffix-verify-failing-connections.patch Type: text/x-patch Size: 2250 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0051-3-topo-segment-add-validate-that-both-masters-support-.patch Type: text/x-patch Size: 3223 bytes Desc: not available URL: From mbasti at redhat.com Fri Jun 24 10:50:12 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 12:50:12 +0200 Subject: [Freeipa-devel] [PATCH] 498 Update Contributors.txt In-Reply-To: <6d01ce83-b398-2581-a68c-3cde5a1b7bd3@redhat.com> References: <38a9f232-8170-eb30-eedb-ba9fc473d878@redhat.com> <20160623173911.GB12462@10.4.128.1> <6d01ce83-b398-2581-a68c-3cde5a1b7bd3@redhat.com> Message-ID: <41526d1b-5e98-a7b5-ef32-ea4359254ea6@redhat.com> On 24.06.2016 08:24, Martin Kosek wrote: > On 06/23/2016 07:39 PM, Lukas Slebodnik wrote: >> On (23/06/16 15:22), Martin Kosek wrote: >>> Update .mailmap to fix wrong commit author and re-generate >>> the Developer contributor list. >>> >>> -- >>> Martin Kosek >>> Manager, Software Engineering - Identity Management Team >>> Red Hat, Inc. >> >From 4271bdb36d111b90da3daf3f4312ec40d7db590f Mon Sep 17 00:00:00 2001 >>> From: Martin Kosek >>> Date: Thu, 23 Jun 2016 15:19:59 +0200 >>> Subject: [PATCH] Update Contributors.txt >>> >>> Update .mailmap to fix wrong commit author and re-generate >>> the Developer contributor list. >>> --- >>> .mailmap | 1 + >>> Contributors.txt | 1 + >>> 2 files changed, 2 insertions(+) >>> >>> diff --git a/.mailmap b/.mailmap >>> index 422a0089cc6f7de4aaed6a446a5d090bcee3fee8..4fe0587a4550b9ca4b89501a55d96540df4c10cf 100644 >>> --- a/.mailmap >>> +++ b/.mailmap 
>>> @@ -51,6 +51,7 @@ Sumit Bose >>> Thierry Bordaz >>> Thierry Bordaz >>> Thierry Bordaz >>> +Thierry Bordaz >> I know that it's autogenerated. >> But does Thierry need to be there 4 times? > This is not autogenerated, I had to add a correct author mapping for every > patch that was sent and committed with a wrong author. > >>> Tom?? Babej >>> Tom?? Babej >>> William Jon McCann >>> diff --git a/Contributors.txt b/Contributors.txt >>> index 71be27da5ab415deb11589d5bf82d684b2d85f9a..a003a3edb5c1f291b94402f6784b70fa7bcb1298 100644 >>> --- a/Contributors.txt >>> +++ b/Contributors.txt >>> @@ -10,6 +10,7 @@ Developers: >>> Tom?? Babej >>> Martin Babinsky >>> Kyle Baker >>> + Jan Barta >>> Martin Ba?ti >>> Sylvain Baubeau >>> Florence Blanc-Renaud >>> -- >>> 2.5.5 >>> >>> -- >>> Manage your subscription for the Freeipa-devel mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code ACK Pushed to master: b081023c3af8e001a16377d129f41c5a201d56be From pvoborni at redhat.com Fri Jun 24 11:33:38 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Fri, 24 Jun 2016 13:33:38 +0200 Subject: [Freeipa-devel] [PATCH 0050-0051] Topology fixes for CA suffix In-Reply-To: <578f8489-b03c-43f3-8fa1-374f2a4042f9@redhat.com> References: <2c69556f-4922-adfd-16e6-0bacb68900a3@redhat.com> <71282847-31b2-0a10-0cf3-6694b3572b5b@redhat.com> <578f8489-b03c-43f3-8fa1-374f2a4042f9@redhat.com> Message-ID: <0d54ef54-cd8d-1031-a2b5-b5ca04c41b43@redhat.com> On 06/24/2016 12:47 PM, Stanislav Laznicka wrote: > On 06/24/2016 11:52 AM, Martin Babinsky wrote: >> On 06/24/2016 11:30 AM, Petr Vobornik wrote: >>> On 06/23/2016 05:30 PM, Stanislav Laznicka wrote: >>>> On 06/23/2016 04:38 PM, Petr Vobornik wrote: >>>>> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote: >>>>>> Hello, >>>>>> >>>>>> attached are patches fixing the logic mentioned in >>>>>> https://fedorahosted.org/freeipa/ticket/5967. >>>>>> >>>>>> >>>>> Whether the server supports the suffix can be verified in the validate_nodes call >>>>> where masters are already fetched. >>>>> >>>> Thank you for the suggestion, modified patch 50 attached. >>>> >>> >>> Maybe it's just me, but the code is hard to read. Check the attached >>> version - speeding up the review process. >>> >>> I've also changed the first commit message line; it was too generic. >>> >>> >>> >> >> If you intend to use that internal function in other modules, please >> remove the leading underscore from its name. Otherwise pylint/IDEs may >> complain about the import of a private module member. >> > Thank you for the review/update. You went the other way around it, which > indeed does seem much more readable. Not sure if you meant to change the > order of the patches, which in the order 50 -> 51 would make 50 alone not > work because of a missing import, but I did change the order and fixed that. > > I also included the objection from Martin in the patches and removed the > leading underscore from the imported function. 
> ACK (after consultation with Standa, I've removed accidental removal of doc string). master: * 5b5258b01081aa9ad4bf83907941c1c2d8a47722 Fix topologysuffix-verify failing connections * 13328bc7518a9e536d26562a738b4591c0494b75 topo segment-add: validate that both masters support target suffix -- Petr Vobornik From mbasti at redhat.com Fri Jun 24 12:00:24 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 14:00:24 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160622212039.GA5410@10.4.128.1> References: <20160520192346.GH11015@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> Message-ID: <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> On 22.06.2016 23:20, Lukas Slebodnik wrote: > On (22/06/16 11:57), Martin Basti wrote: >> >> On 09.06.2016 21:02, Martin Basti wrote: >>> >>> On 09.06.2016 14:45, Martin Basti wrote: >>>> >>>> On 09.06.2016 14:42, Martin Basti wrote: >>>>> >>>>> On 09.06.2016 14:38, Lukas Slebodnik wrote: >>>>>> On (09/06/16 14:29), Martin Basti wrote: >>>>>>> On 09.06.2016 14:22, Alexander Bokovoy wrote: >>>>>>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote: >>>>>>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> this patch allows the extdom plugin to look up >>>>>>>>>> users by certificate, which >>>>>>>>>> is needed in the case where an IPA client >>>>>>>>>> wants to look up an AD user who >>>>>>>>>> has the certificate stored in AD. To make >>>>>>>>>> this work the related patches >>>>>>>>>> I just sent to sssd-devel are needed as well. >>>>>>>>>> >>>>>>>>>> Currently the patches miss the change in the >>>>>>>>>> required version of SSSD, >>>>>>>>>> since the SSSD patches are not committed. But >>>>>>>>>> the patches are needed to >>>>>>>>>> fully test the SSSD patches. I will send a >>>>>>>>>> new version with the needed >>>>>>>>>> changes to the minimal SSSD version when the SSSD patches are >>>>>>>>>> committed. 
>>>>>>>>>> >>>>>>>>>> bye, >>>>>>>>>> Sumit >>>>>>>>> The patch works fine (tested together with the corresponding SSSD >>>>>>>>> patches), so ACK from me. The code also looks >>>>>>>>> good to me, but I'm not >>>>>>>>> sure if reviewing an IPA patch requires something >>>>>>>>> more (CI? Coverity?) >>>>>>>> ACK from me as well, I forgot to send email about it, >>>>>>>> though I reviewed >>>>>>>> this patch a week ago. >>>>>>>> >>>>>>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >>>>>>> >>>>>> It's very likely that this commit will break the build of >>>>>> freeipa-master. I didn't try. >>>>>> >>>>>> Because it uses the new function sss_nss_getnamebycert >>>>>> from the library libsss_nss_idmap which is not in fedora. >>>>>> It was pushed to sssd master just today. >>>>>> >>>>>> LS >>>>> If this is true, can you/somebody provide the SRPM of SSSD with >>>>> the required functionality please? We may need to add it to >>>>> @freeipa/freeipa-master copr and bump the required version of SSSD. >>>>> >>>>> Martin^2 >>>>> >>>> Yes, you were right, master build is broken. >>>> Martin^2 >>>> >>> SSSD master build has been added to @freeipa/freeipa-master copr as a >>> workaround (to unblock automatic testing and developers) >>> >>> Please bump the version in the specfile accordingly (I don't know in which >>> version of SSSD the required function will be) >>> >>> Martin^2 >>> >> Bumping SSSD version in requires and buildrequires >> Patch attached > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 22 Jun 2016 10:49:39 +0200 >> Subject: [PATCH] Bump SSSD requires >> >> https://fedorahosted.org/freeipa/ticket/4955 >> --- >> freeipa.spec.in | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in 
>> @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> BuildRequires: python-qrcode-core >= 5.0.0 >> BuildRequires: python-dns >= 1.11.1 >> BuildRequires: libsss_idmap-devel >> -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> BuildRequires: java-headless >> BuildRequires: rhino >> BuildRequires: libverto-devel >> @@ -327,7 +327,7 @@ Requires: pam_krb5 >> Requires: curl >> Requires: libcurl >= 7.21.7-2 >> Requires: xmlrpc-c >= 1.27.4 >> -Requires: sssd >= 1.13.3-5 >> +Requires: sssd >= 1.14.0 > NACK Thank you. > > A) It's not explained in the commit message why you need to bump Requires for sssd. > IIRC, you need just the new libsss_nss_idmap-devel. I don't know actually; it would be nice if the author of the original patch could confirm whether a newer SSSD is required or not. > B) You forgot to add detection for the newer version of libsss_nss_idmap at configure > time > Hint: * daemons/configure.ac > * https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification Fixed > > LS Updated patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0536.2-Bump-libsss_nss_idmap-devel.patch Type: text/x-patch Size: 1640 bytes Desc: not available URL: From ofayans at redhat.com Fri Jun 24 12:11:57 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Fri, 24 Jun 2016 14:11:57 +0200 Subject: [Freeipa-devel] [PATCH 0021][Tests] Fix failing ipatests/test_ipaserver/test_rpcserver.py In-Reply-To: <3ce945e1-bca5-3519-3898-c937ff8998a1@redhat.com> References: <3ce945e1-bca5-3519-3898-c937ff8998a1@redhat.com> Message-ID: <576D238D.4030508@redhat.com> ACK On 06/24/2016 10:29 AM, Lenka Doudova wrote: > Hi, > > attaching patch for one of the failing tests. Failure caused by an > assertion that was no longer valid. > > Lenka > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From mbasti at redhat.com Fri Jun 24 12:23:17 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 14:23:17 +0200 Subject: [Freeipa-devel] [PATCH 0021][Tests] Fix failing ipatests/test_ipaserver/test_rpcserver.py In-Reply-To: <576D238D.4030508@redhat.com> References: <3ce945e1-bca5-3519-3898-c937ff8998a1@redhat.com> <576D238D.4030508@redhat.com> Message-ID: On 24.06.2016 14:11, Oleg Fayans wrote: > ACK > > On 06/24/2016 10:29 AM, Lenka Doudova wrote: >> Hi, >> >> attaching patch for one of the failing tests. Failure caused by an >> assertion that was no longer valid. >> >> Lenka >> >> >> Pushed to master: d64513f1ff89f49d216d229cd4f988a485f0acc4 From slaznick at redhat.com Fri Jun 24 12:24:22 2016 From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 24 Jun 2016 14:24:22 +0200 Subject: [Freeipa-devel] [PATCH 0052] Added missing nsSystemIndex attributes to .update file Message-ID: <531c9d11-b944-4183-f323-7988841bd183@redhat.com> https://fedorahosted.org/freeipa/ticket/5947 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0052-Add-missing-nsSystemIndex-attributes.patch Type: text/x-patch Size: 1124 bytes Desc: not available URL: From mbasti at redhat.com Fri Jun 24 12:59:25 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 14:59:25 +0200 Subject: [Freeipa-devel] [PATCH] 0020 Enable password change extop to apply on virtual entry like the entry in compat tree In-Reply-To: <20160622170230.ms7hatqvewwwclgq@redhat.com> References: <575EC4C9.7070901@redhat.com> <20160613150651.qppi3qwlajuscxbg@redhat.com> <575FDDC0.70105@redhat.com> <20160620182707.ay7lmfjixlbcrzbx@redhat.com> <576AC110.90307@redhat.com> <20160622170230.ms7hatqvewwwclgq@redhat.com> Message-ID: <79bcc5a5-4eba-8d01-7f0e-f58e631c6316@redhat.com> On 22.06.2016 19:02, Alexander Bokovoy wrote: > On Wed, 22 Jun 2016, thierry bordaz wrote: >>> I think FreeIPA also needs to raise the dependency on slapi-nis to >= 0.56.0 >>> for this. >>> >> >> Testing with slapi-nis 0.56.0-2, successful update of password from >> compat tree users. > > Great, ACK! Pushed to master: 1ce8d32fd6c09b0bfcb1593e2e5ad8e47eef3670 >> >> >> > >> From 034a07211de4d11c6cb998676cc5f7439af981c6 Mon Sep 17 00:00:00 2001 >> From: Thierry Bordaz >> Date: Fri, 10 Jun 2016 15:34:40 +0200 >> Subject: [PATCH] ipapwd_extop should use TARGET_DN defined by a >> pre-extop >> plugin >> >> ipapwd_extop allows updating the password on a specific entry, >> identified by its DN. >> It can be useful to support virtual DNs in the extop so that an update >> of a virtual entry >> would land in the proper real entry. >> >> If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with >> the value >> of TARGET_DN, instead of using the original one (in the ber req). >> There is a dependency on slapi-nis >= 0.56-0.1 >> (https://fedorahosted.org/freeipa/ticket/5955) >> >> https://fedorahosted.org/freeipa/ticket/5946 >> --- >> .../ipa-pwd-extop/ipa_pwd_extop.c | 36 >> +++++++++++++++++----- >> freeipa.spec.in | 2 +- >> 2 files changed, 29 insertions(+), 9 deletions(-) 
>> >> diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> index 440e221..3c2c44f 100644 >> --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c >> @@ -207,8 +207,10 @@ static int ipapwd_chpwop(Slapi_PBlock *pb, >> struct ipapwd_krbcfg *krbcfg) >> char *attrlist[] = {"*", "passwordHistory", NULL }; >> struct ipapwd_data pwdata; >> int is_krb, is_smb, is_ipant; >> - char *principal = NULL; >> + char *principal = NULL; >> Slapi_PBlock *chpwop_pb = NULL; >> + Slapi_DN *target_sdn = NULL; >> + char *target_dn = NULL; >> >> /* Get the ber value of the extended operation */ >> slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); 
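Review bot: in this hunk `target_dn` should be declared `const char *` rather than `char *`: it is assigned later from slapi_sdn_get_ndn(), which returns `const char *`, so the current declaration discards the qualifier (a compiler warning, and an invitation to write into memory owned by the Slapi_DN). The `char *principal = NULL;` removal/re-addition looks like a whitespace-only change (the two lines are identical apart from indentation) and should be dropped so the diff is limited to the functional change.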
>> @@ -327,14 +329,32 @@ parse_req_done: >> } >> } >> >> - /* Determine the target DN for this operation */ >> - /* Did they give us a DN ? */ >> - if (dn == NULL || *dn == '\0') { >> - /* Get the DN from the bind identity on this connection */ >> - dn = slapi_ch_strdup(bindDN); >> - LOG_TRACE("Missing userIdentity in request, " >> - "using the bind DN instead.\n"); >> + /* Determine the target DN for this operation */ >> + slapi_pblock_get(pb, SLAPI_TARGET_SDN, &target_sdn); >> + if (target_sdn != NULL) { >> + /* If there is a TARGET_DN we are consuming it */ >> + slapi_pblock_set(pb, SLAPI_TARGET_SDN, NULL); >> + target_dn = slapi_sdn_get_ndn(target_sdn); >> } >> + if (target_dn == NULL || *target_dn == '\0') { >> + /* Did they give us a DN ? */ >> + if (dn == NULL || *dn == '\0') { >> + /* Get the DN from the bind identity on this connection */ >> + dn = slapi_ch_strdup(bindDN); >> + LOG_TRACE("Missing userIdentity in request, " >> + "using the bind DN instead.\n"); >> + } >> + LOG_TRACE("extop dn %s (from ber)\n", dn ? dn : ""); >> + } else { >> + /* At this point if SLAPI_TARGET_SDN was set that means >> + * that a SLAPI_PLUGIN_PRE_EXTOP_FN plugin sets it >> + * So take this one rather that the raw one that is in the ber >> + */ >> + LOG_TRACE("extop dn %s was translated to %s\n", dn ? dn : >> "", target_dn); >> + slapi_ch_free_string(&dn); >> + dn = slapi_ch_strdup(target_dn); >> + } >> + slapi_sdn_free(&target_sdn); >> >> if (slapi_pblock_set( pb, SLAPI_ORIGINAL_TARGET, dn )) { >> LOG_FATAL("slapi_pblock_set failed!\n"); >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index 0d5c745..84a1d65 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in 
>> @@ -154,7 +154,7 @@ Requires(pre): systemd-units >> Requires(post): systemd-units >> Requires: selinux-policy >= %{selinux_policy_version} >> Requires(post): selinux-policy-base >= %{selinux_policy_version} >> -Requires: slapi-nis >= 0.55-1 >> +Requires: slapi-nis >= 0.56.0 >> Requires: pki-ca >= 10.3.2 >> Requires: pki-kra >= 10.3.2 >> Requires(preun): python systemd-units >> -- >> 2.5.0 >> > > From sbose at redhat.com Fri Jun 24 12:59:55 2016 
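Review bot: in the `@@ -327,14 +329,32 @@` hunk of ipa_pwd_extop.c two contracts should be spelled out in the new comment block rather than left implicit. Ownership: the code clears SLAPI_TARGET_SDN in the pblock and then calls slapi_sdn_free(&target_sdn), so the pre-extop plugin that set it (slapi-nis here) must hand over the Slapi_DN and must not free it itself, otherwise this is a double free. Authorization: the translated DN replaces whatever userIdentity the client sent, so every later decision about whether bindDN may change this password must be made against the real entry; the hunk achieves that by overwriting `dn` before SLAPI_ORIGINAL_TARGET is set, and the comment should say that this is the reason for the ordering. Minor: "rather that the raw one" in the new comment should read "rather than".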
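Review bot: the freeipa.spec.in hunk requires `slapi-nis >= 0.56.0` while the commit message says the dependency is `slapi-nis >= 0.56-0.1`; please make the two agree (the test run reported above used 0.56.0-2) so that the version actually validated is the one the package demands.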
From: sbose at redhat.com (Sumit Bose) Date: Fri, 24 Jun 2016 14:59:55 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> References: <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> Message-ID: <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: > > On (22/06/16 11:57), Martin Basti wrote: > > > > > > On 09.06.2016 21:02, Martin Basti wrote: > > > > > > > > On 09.06.2016 14:45, Martin Basti wrote: > > > > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: > > > > > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: > > > > > > > On (09/06/16 14:29), Martin Basti wrote: > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > this patch allows the extdom plugin to look up > > > > > > > > > > > users by certificate, which > > > > > > > > > > > is needed in the case where an IPA client > > > > > > > > > > > wants to look up an AD user who > > > > > > > > > > > has the certificate stored in AD. To make > > > > > > > > > > > this work the related patches > > > > > > > > > > > I just sent to sssd-devel are needed as well. 
> > > > > > > > > > > > > > > > > > > > > > Currently the patches miss the change in the > > > > > > > > > > > required version of SSSD, > > > > > > > > > > > since the SSSD patches are not committed. But > > > > > > > > > > > the patches are needed to > > > > > > > > > > > fully test the SSSD patches. I will send a > > > > > > > > > > > new version with the needed > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are > > > > > > > > > > > committed. > > > > > > > > > > > > > > > > > > > > > > bye, > > > > > > > > > > > Sumit > > > > > > > > > > The patch works fine (tested together with the corresponding SSSD > > > > > > > > > > patches), so ACK from me. The code also looks > > > > > > > > > > good to me, but I'm not > > > > > > > > > > sure if reviewing an IPA patch requires something > > > > > > > > > > more (CI? Coverity?) > > > > > > > > > ACK from me as well, I forgot to send email about it, > > > > > > > > > though I reviewed > > > > > > > > > this patch a week ago. > > > > > > > > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 > > > > > > > > > > > > > > > It's very likely that this commit will break the build of > > > > > > > freeipa-master. I didn't try. > > > > > > > > > > > > > > Because it uses the new function sss_nss_getnamebycert > > > > > > > from the library libsss_nss_idmap which is not in fedora. > > > > > > > It was pushed to sssd master just today. > > > > > > > > > > > > > > LS > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with > > > > > > the required functionality please? We may need to add it to > > > > > > @freeipa/freeipa-master copr and bump the required version of SSSD. > > > > > > > > > > > > Martin^2 > > > > > > > > > > > Yes, you were right, master build is broken. 
> > > > > Martin^2 > > > > > > > > > SSSD master build has been added to @freeipa/freeipa-master copr as a > > > > workaround (to unblock automatic testing an developers) > > > > > > > > Please bump version in specfile accordingly (I don't know in which > > > > version of SSSD will be required function) > > > > > > > > Martin^2 > > > > > > > Bumping SSSD version in requires and buildrequires > > > Patch attached > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 00:00:00 2001 > > > From: Martin Basti > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 > > > Subject: [PATCH] Bump SSSD requires > > > > > > https://fedorahosted.org/freeipa/ticket/4955 > > > --- > > > freeipa.spec.in | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 100644 > > > --- a/freeipa.spec.in > > > +++ b/freeipa.spec.in > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a > > > BuildRequires: python-qrcode-core >= 5.0.0 > > > BuildRequires: python-dns >= 1.11.1 > > > BuildRequires: libsss_idmap-devel > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 > > > BuildRequires: java-headless > > > BuildRequires: rhino > > > BuildRequires: libverto-devel 
> > > @@ -327,7 +327,7 @@ Requires: pam_krb5 > > > Requires: curl > > > Requires: libcurl >= 7.21.7-2 > > > Requires: xmlrpc-c >= 1.27.4 > > > -Requires: sssd >= 1.13.3-5 > > > +Requires: sssd >= 1.14.0 > > NACK > Thank you. > > > > A) It's not explained in the commit message why you need to bump Requires for sssd. > > IIRC, you need just the new libsss_nss_idmap-devel. > I don't know actually; it would be nice if the author of the original patch could > confirm whether a newer SSSD is required or not. Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= 1.14.0' is needed for the build because the new call sss_nss_getnamebycert() is needed to look up trusted users by certificate. At runtime 'Requires: sssd >= 1.14.0' is needed because currently libsss_nss_idmap does not have a dependency on sssd. If only libsss_nss_idmap were updated and not SSSD, sss_nss_getnamebycert() would just return a not-implemented error code because the older versions of SSSD cannot handle the request. HTH bye, Sumit > > B) You forgot to add detection for the newer version of libsss_nss_idmap at configure > > time > > Hint: * daemons/configure.ac > > * https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification > Fixed > > > > LS > > Updated patch attached. > From 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Wed, 22 Jun 2016 10:49:39 +0200 > Subject: [PATCH] Bump libsss_nss_idmap-devel > > This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 > > https://fedorahosted.org/freeipa/ticket/4955 > --- > daemons/configure.ac | 2 +- > freeipa.spec.in | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/daemons/configure.ac b/daemons/configure.ac > index 2906def285a0f6ad9553fc07cbc59f7a7f7fd426..fa5eab829cad6718f21ec3d5569ffe1b0168e518 100644 > --- a/daemons/configure.ac > +++ b/daemons/configure.ac 
> @@ -253,7 +253,7 @@ dnl -- dirsrv is needed for the extdom unit tests -- > PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) > dnl -- sss_idmap is needed by the extdom exop -- > PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) > -PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) > +PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.14.0]) > > dnl --------------------------------------------------------------------------- > dnl - Check for systemd unit directory > diff --git a/freeipa.spec.in b/freeipa.spec.in > index d31ddfaf78a455f4e4d65724bbbe23461e1336e0..e82950d7f82fb5018d893a0644dd1a5931656e2d 100644 > --- a/freeipa.spec.in > +++ b/freeipa.spec.in > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a > BuildRequires: python-qrcode-core >= 5.0.0 > BuildRequires: python-dns >= 1.11.1 > BuildRequires: libsss_idmap-devel > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 > BuildRequires: java-headless > BuildRequires: rhino > BuildRequires: libverto-devel > -- > 2.5.5 > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbasti at redhat.com Fri Jun 24 13:09:46 2016 
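Review bot: the `-Requires: sssd >= 1.13.3-5` / `+Requires: sssd >= 1.14.0` change in the `@@ -327,7 +327,7 @@` hunk of f2b394085157954768bc93a73b854778c65bfdcd is not justified by the commit message "Bump SSSD requires", which names only the ticket; the reason given later in this thread (libsss_nss_idmap carries no dependency on sssd, and sss_nss_getnamebycert() against an older daemon returns a not-implemented error) is exactly what the message should state, because a runtime Requires bump is a separate decision from the BuildRequires bump and a reader of the spec history cannot recover it otherwise.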
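Review bot: `+PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.14.0])` in the `@@ -253,7 +253,7 @@` hunk of daemons/configure.ac tests the `Version:` field of sss_nss_idmap.pc, which is independent of the RPM version that `BuildRequires` sees; the pre-release build mentioned later in this thread (libsss_nss_idmap-devel-1.14.0-1.fc24.alpha reporting 1.13.90 to pkg-config) fails this check even though it ships sss_nss_getnamebycert(). If such builds must pass, check for the symbol itself (AC_CHECK_LIB on libsss_nss_idmap) instead of, or in addition to, the version constraint, or keep the constraint and have the .pc version raised on the SSSD side.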
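Review bot: the freeipa.spec.in hunk of 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b bumps only `BuildRequires: libsss_nss_idmap-devel` and silently drops the `Requires: sssd >= 1.14.0` change from the first version; per the explanation in this thread both are needed, because an updated libsss_nss_idmap in front of an older sssd daemon makes sss_nss_getnamebycert() fail with a not-implemented error at runtime, so the runtime Requires bump should be restored, with that justification in the commit message.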
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Jun 2016 15:09:46 +0200
Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request
In-Reply-To: <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009>
References: <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009>
Message-ID: <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com>

On 24.06.2016 14:59, Sumit Bose wrote:
> On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote:
>>
>> On 22.06.2016 23:20, Lukas Slebodnik wrote:
>>> On (22/06/16 11:57), Martin Basti wrote:
>>>> On 09.06.2016 21:02, Martin Basti wrote:
>>>>> On 09.06.2016 14:45, Martin Basti wrote:
>>>>>> On 09.06.2016 14:42, Martin Basti wrote:
>>>>>>> On 09.06.2016 14:38, Lukas Slebodnik wrote:
>>>>>>>> On (09/06/16 14:29), Martin Basti wrote:
>>>>>>>>> On 09.06.2016 14:22, Alexander Bokovoy wrote:
>>>>>>>>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote:
>>>>>>>>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> this patch allows the extdom plugin to lookup users by certificate which
>>>>>>>>>>>> is needed in the case where an IPA client wants to lookup an AD user who
>>>>>>>>>>>> has the certificate stored in AD. To make this work the related patches
>>>>>>>>>>>> I just sent to sssd-devel are needed as well.
>>>>>>>>>>>>
>>>>>>>>>>>> Currently the patches miss the change in the required version of SSSD,
>>>>>>>>>>>> since the SSSD patches are not committed. But the patches are needed to
>>>>>>>>>>>> fully test the SSSD patches. I will send a new version with the needed
>>>>>>>>>>>> changes to the minimal SSSD version when the SSSD patches are
>>>>>>>>>>>> committed.
>>>>>>>>>>>>
>>>>>>>>>>>> bye,
>>>>>>>>>>>> Sumit
>>>>>>>>>>> The patch works fine (tested together with the corresponding SSSD
>>>>>>>>>>> patches), so ACK from me. The code also looks good to me, but I'm not
>>>>>>>>>>> sure if reviewing an IPA patch requires something more (CI? Coverity?)
>>>>>>>>>> ACK from me as well, I forgot to send email about it, though I reviewed
>>>>>>>>>> this patch a week ago.
>>>>>>>>>>
>>>>>>>>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8
>>>>>>>>>
>>>>>>>> It's very likely that this commit will break build of
>>>>>>>> freeipa-master. I didn't try.
>>>>>>>>
>>>>>>>> Because it uses new function sss_nss_getnamebycert
>>>>>>>> from the library libsss_nss_idmap which is not in fedora.
>>>>>>>> It was pushed to sssd master just today.
>>>>>>>>
>>>>>>>> LS
>>>>>>> If this is true, can you/somebody provide the SRPM of SSSD with
>>>>>>> the required functionality please? We may need to add it to
>>>>>>> @freeipa/freeipa-master copr and bump required version of SSSD.
>>>>>>>
>>>>>>> Martin^2
>>>>>>>
>>>>>> Yes, you were right, master build is broken.
>>>>>> Martin^2
>>>>>>
>>>>> SSSD master build has been added to @freeipa/freeipa-master copr as a
>>>>> workaround (to unblock automatic testing and developers)
>>>>>
>>>>> Please bump version in specfile accordingly (I don't know in which
>>>>> version of SSSD will be required function)
>>>>>
>>>>> Martin^2
>>>>>
>>>> Bumping SSSD version in requires and buildrequires
>>>> Patch attached
>>> >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 00:00:00 2001
>>>> From: Martin Basti >>>> Date: Wed, 22 Jun 2016 10:49:39 +0200 >>>> Subject: [PATCH] Bump SSSD requires >>>> >>>> https://fedorahosted.org/freeipa/ticket/4955 >>>> --- >>>> freeipa.spec.in | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>> index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 100644 >>>> --- a/freeipa.spec.in >>>> +++ b/freeipa.spec.in >>>> @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >>>> BuildRequires: python-qrcode-core >= 5.0.0 >>>> BuildRequires: python-dns >= 1.11.1 >>>> BuildRequires: libsss_idmap-devel >>>> -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >>>> +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >>>> BuildRequires: java-headless >>>> BuildRequires: rhino >>>> BuildRequires: libverto-devel 
>>>> @@ -327,7 +327,7 @@ Requires: pam_krb5 >>>> Requires: curl >>>> Requires: libcurl >= 7.21.7-2 >>>> Requires: xmlrpc-c >= 1.27.4 >>>> -Requires: sssd >= 1.13.3-5 >>>> +Requires: sssd >= 1.14.0 >>> NACK >> Thank you. >>> A) It's not explained in commit message why you need to bump Requires for sssd. >>> IIRC, you need just new libsss_nss_idmap-devel. >> I don't know actually, would be nice if author of the original patch can >> confirm if newer SSSD is required or not > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= > 1.14.0' is needed for the build because the new call > sss_nss_getnamebycert() is needed to look up trusted users by > certificate. > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently > libsss_nss_idmap does not have a dependency to sssd. If only the > libsss_nss_idmap would be updated and not SSSD the > sss_nss_getnamebycert() would just return a not implemented error code > because the older versions of SSSD cannot handle the request. > > HTH > > bye, > Sumit Thank you for explanation, updated patch attached. Martin^2 >>> B) You forgot add detection for newer version of libsss_nss_idmap at configure >>> time >>> Hint: * daemons/configure.ac >>> * https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification >> Fixed >>> LS >> Updated patch attached. >> From 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b Mon Sep 17 00:00:00 2001 >> From: Martin Basti >> Date: Wed, 22 Jun 2016 10:49:39 +0200 >> Subject: [PATCH] Bump libsss_nss_idmap-devel >> >> This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 >> >> https://fedorahosted.org/freeipa/ticket/4955 >> --- >> daemons/configure.ac | 2 +- >> freeipa.spec.in | 2 +- >> 2 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/daemons/configure.ac b/daemons/configure.ac >> index 2906def285a0f6ad9553fc07cbc59f7a7f7fd426..fa5eab829cad6718f21ec3d5569ffe1b0168e518 100644 >> --- a/daemons/configure.ac 
>> +++ b/daemons/configure.ac >> @@ -253,7 +253,7 @@ dnl -- dirsrv is needed for the extdom unit tests -- >> PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) >> dnl -- sss_idmap is needed by the extdom exop -- >> PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) >> -PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) >> +PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.14.0]) >> >> dnl --------------------------------------------------------------------------- >> dnl - Check for systemd unit directory >> diff --git a/freeipa.spec.in b/freeipa.spec.in >> index d31ddfaf78a455f4e4d65724bbbe23461e1336e0..e82950d7f82fb5018d893a0644dd1a5931656e2d 100644 >> --- a/freeipa.spec.in >> +++ b/freeipa.spec.in >> @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> BuildRequires: python-qrcode-core >= 5.0.0 >> BuildRequires: python-dns >= 1.11.1 >> BuildRequires: libsss_idmap-devel >> -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> BuildRequires: java-headless >> BuildRequires: rhino >> BuildRequires: libverto-devel >> -- >> 2.5.5 >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0536.3-Bump-SSSD-version-in-requires.patch Type: text/x-patch Size: 1931 bytes Desc: not available URL: From sbose at redhat.com Fri Jun 24 13:11:36 2016 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 24 Jun 2016 15:11:36 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <1466533549.17252.2.camel@redhat.com> References: <1466533549.17252.2.camel@redhat.com> Message-ID: <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: > https://fedorahosted.org/freeipa/ticket/433 The patch works for me as expected, but the API.txt update is missing in the patch. bye, Sumit > From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001 > From: Nathaniel McCallum > Date: Tue, 21 Jun 2016 14:19:03 -0400 > Subject: [PATCH] Add authentication indicators support to Host objects > > https://fedorahosted.org/freeipa/ticket/433 > --- > ipaserver/plugins/host.py | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py > index 15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d 100644 > --- a/ipaserver/plugins/host.py > +++ b/ipaserver/plugins/host.py > @@ -294,7 +294,7 @@ class host(LDAPObject): > 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', > 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', > 'managedby', 'memberofindirect', 'macaddress', > - 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', > + 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind' > ] > uuid_attribute = 'ipauniqueid' > attribute_members = { 
> @@ -529,6 +529,14 @@ class host(LDAPObject): > label=_('Assigned ID View'), > flags=['no_option'], > ), > + Str('krbprincipalauthind*', > + cli_name='auth_ind', > + label=_('Authentication Indicators'), > + doc=_("Defines a whitelist for Authentication Indicators." > + " Use 'otp' to allow OTP-based 2FA authentications." > + " Use 'radius' to allow RADIUS-based 2FA authentications." > + " Other values may be used for custom configurations."), > + ), > ) + ticket_flags_params > > def get_dn(self, *keys, **options): > @@ -910,6 +918,13 @@ class host_mod(LDAPUpdate): > if 'krbticketpolicyaux' not in entry_attrs['objectclass']: > entry_attrs['objectclass'].append('krbticketpolicyaux') > > + if 'krbprincipalauthind' in entry_attrs: > + if 'objectclass' not in entry_attrs: > + entry_attrs_old = ldap.get_entry(dn, ['objectclass']) > + entry_attrs['objectclass'] = entry_attrs_old['objectclass'] > + if 'krbprincipalaux' not in entry_attrs['objectclass']: > + entry_attrs['objectclass'].append('krbprincipalaux') > + > add_sshpubkey_to_attrs_pre(self.context, attrs_list) > > return dn > -- > 2.9.0 > From mbasti at redhat.com Fri Jun 24 13:11:59 2016 From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 15:11:59 +0200 Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names In-Reply-To: References: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com> Message-ID: On 23.06.2016 17:46, Robbie Harwood wrote: > Petr Vobornik writes: > >> mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. > Excited to see this appear! Sessions are not in use so there's no need > to worry about a sweeper. This looks correct to me. Thanks Petr! > > Is this ACK? -------------- next part -------------- An HTML attachment was scrubbed... URL: From mbasti at redhat.com Fri Jun 24 13:14:59 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 15:14:59 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> On 24.06.2016 15:11, Sumit Bose wrote: > On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >> https://fedorahosted.org/freeipa/ticket/433 > The patch works for me as expected, but the API.txt update is missing in > the patch. > > bye, > Sumit There are no updated managed permissions for krbprincipalauthind attribute in hosts.py, is this omitted on purpose? Martin^2 > >> From c7254a9dd182b34665b50c45c5ece42a3cbc56e2 Mon Sep 17 00:00:00 2001 >> From: Nathaniel McCallum >> Date: Tue, 21 Jun 2016 14:19:03 -0400 >> Subject: [PATCH] Add authentication indicators support to Host objects >> >> https://fedorahosted.org/freeipa/ticket/433 >> --- >> ipaserver/plugins/host.py | 17 ++++++++++++++++- >> 1 file changed, 16 insertions(+), 1 deletion(-) >> >> diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py >> index 15805a3d2292dcf176ec52afdd3885563eea1210..905116e9c4d12c9e35bb82a5ff2c7bd8b920e80d 100644 >> --- a/ipaserver/plugins/host.py >> +++ b/ipaserver/plugins/host.py >> @@ -294,7 +294,7 @@ class host(LDAPObject): >> 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', >> 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', >> 'managedby', 'memberofindirect', 'macaddress', >> - 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', >> + 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind' >> ] >> uuid_attribute = 'ipauniqueid' >> attribute_members = { 
>> @@ -529,6 +529,14 @@ class host(LDAPObject): >> label=_('Assigned ID View'), >> flags=['no_option'], >> ), >> + Str('krbprincipalauthind*', >> + cli_name='auth_ind', >> + label=_('Authentication Indicators'), >> + doc=_("Defines a whitelist for Authentication Indicators." >> + " Use 'otp' to allow OTP-based 2FA authentications." >> + " Use 'radius' to allow RADIUS-based 2FA authentications." >> + " Other values may be used for custom configurations."), >> + ), >> ) + ticket_flags_params >> >> def get_dn(self, *keys, **options): >> @@ -910,6 +918,13 @@ class host_mod(LDAPUpdate): >> if 'krbticketpolicyaux' not in entry_attrs['objectclass']: >> entry_attrs['objectclass'].append('krbticketpolicyaux') >> >> + if 'krbprincipalauthind' in entry_attrs: >> + if 'objectclass' not in entry_attrs: >> + entry_attrs_old = ldap.get_entry(dn, ['objectclass']) >> + entry_attrs['objectclass'] = entry_attrs_old['objectclass'] >> + if 'krbprincipalaux' not in entry_attrs['objectclass']: >> + entry_attrs['objectclass'].append('krbprincipalaux') >> + >> add_sshpubkey_to_attrs_pre(self.context, attrs_list) >> >> return dn >> -- >> 2.9.0 >> From slaznick at redhat.com Fri Jun 24 13:50:41 2016 
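Review bot: in the `@@ -294,7 +294,7 @@` hunk the new `'krbprincipalauthind'` is appended to an already full line without a trailing comma; put it on its own line with a trailing comma so the attribute list stays within the line-length limit and the next added attribute does not have to rewrite this line again.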
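Review bot: the `Str('krbprincipalauthind*', cli_name='auth_ind', ...)` parameter in the `@@ -529,6 +529,14 @@` hunk comes with neither an API.txt update nor a managed-permission entry for the attribute, both already raised in this thread; since this whitelist decides which authentication types (the doc names 'otp' and 'radius') may obtain a ticket for the host, who may read and change it should be declared explicitly alongside the parameter rather than left to whatever permissions happen to cover the host entry.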
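Review bot: the objectclass fix-up in the `@@ -910,6 +918,13 @@` hunk is added only to `host_mod`, so confirm that `host_add` with `--auth-ind` also yields an entry carrying `krbprincipalaux`, otherwise the attribute can be set on modification but not at creation; the block also repeats the check-and-append pattern of the `krbticketpolicyaux` lines just above it, so one helper that fetches the objectclass list once and appends every aux class the supplied attributes need would serve both.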
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 24 Jun 2016 15:50:41 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: <1a670c65-4ad8-bcd9-e7b3-86ab0077e287@redhat.com> References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> <9f809d24-a845-9de1-7592-7053512b671b@redhat.com> <1a670c65-4ad8-bcd9-e7b3-86ab0077e287@redhat.com> Message-ID: <0f37c673-a6b8-5562-bf0b-1725e1ae53ef@redhat.com> On 06/21/2016 04:39 PM, Martin Basti wrote: > > > On 14.06.2016 17:26, Stanislav Laznicka wrote: >> - signerd_service.start() >> + try: >> + signerd_service.start() >> + except Exception as e: >> + root_logger.error("Unable to start '{svcname}': {err}" >> + .format(svcname=signerd_service.service_name, >> + err=e)) > > why is signerd so special? > > Martin^2 > From ODSExporterInstance.uninstall(): signerd_service = services.knownservices.ods_signerd This means that signerd_service here is not an instance of the service.Service class or of its child class but is rather an instance of the RedHatService class, a child class of the services.SystemdService class. Thus it has to be treated with special care. From slaznick at redhat.com Fri Jun 24 14:03:28 2016 
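Review bot: `except Exception as e:` around `signerd_service.start()` in the quoted hunk catches every exception, not just a failed service start, so a programming error in the start path is also reduced to one log line and the uninstall continues as if the service were up; narrow the clause to the exception type the service backend raises when start fails, keep the `root_logger.error("Unable to start '{svcname}': {err}" ...)` message for that case, and let anything else propagate.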
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Fri, 24 Jun 2016 16:03:28 +0200
Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names
In-Reply-To:
References: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com>
Message-ID: <46f67e92-834e-34a5-3a38-f1699aef5076@redhat.com>

On 06/24/2016 03:11 PM, Martin Basti wrote:
> On 23.06.2016 17:46, Robbie Harwood wrote:
>> Petr Vobornik writes:
>>
>>> mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
>> Excited to see this appear! Sessions are not in use so there's no need
>> to worry about a sweeper. This looks correct to me. Thanks Petr!
>>
>>
> Is this ACK?
>
>
This seems to work for me so ACK.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Fri Jun 24 14:04:48 2016
From: mbasti at redhat.com (Martin Basti) Date: Fri, 24 Jun 2016 16:04:48 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: <0f37c673-a6b8-5562-bf0b-1725e1ae53ef@redhat.com> References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> <9f809d24-a845-9de1-7592-7053512b671b@redhat.com> <1a670c65-4ad8-bcd9-e7b3-86ab0077e287@redhat.com> <0f37c673-a6b8-5562-bf0b-1725e1ae53ef@redhat.com> Message-ID: <124f8359-5bc9-64f6-1ea9-00f572195a3b@redhat.com> On 24.06.2016 15:50, Stanislav Laznicka wrote: > On 06/21/2016 04:39 PM, Martin Basti wrote: >> >> >> On 14.06.2016 17:26, Stanislav Laznicka wrote: >>> - signerd_service.start() >>> + try: >>> + signerd_service.start() >>> + except Exception as e: >>> + root_logger.error("Unable to start '{svcname}': {err}" >>> + .format(svcname=signerd_service.service_name, >>> + err=e)) >> >> why is signerd so special? >> >> Martin^2 >> > From ODSExporterInstance.uninstall(): > > signerd_service = services.knownservices.ods_signerd > > This means that signerd_service here is not an instance of the > service.Service class or of its child class but is rather an instance > of the RedHatService class, a child class of the > services.SystemdService class. Thus it has to be treated with special > care. > Well then I prefer to put this option to systemdservice, and only pass it from service.restart() to systemdService.restart() You forgot to handle regular_named service, which is the same as ods_signerd Martin^2 From mbabinsk at redhat.com Fri Jun 24 14:07:15 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Fri, 24 Jun 2016 16:07:15 +0200
Subject: [Freeipa-devel] [PATCH 0165] IPA API: Do not force setting krbCanonicalName on newly created entries
Message-ID:

This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and
06d945a04607dc36e25af78688b4295420489fb9 responsible for
https://fedorahosted.org/freeipa/ticket/5996

This should unblock replica promotion.

--
Martin^3 Babinsky

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0165-IPA-API-Do-not-force-setting-krbCanonicalName-on-new.patch
Type: text/x-patch
Size: 15187 bytes
Desc: not available
URL:

From mbasti at redhat.com Fri Jun 24 14:13:18 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Jun 2016 16:13:18 +0200
Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names
In-Reply-To: <46f67e92-834e-34a5-3a38-f1699aef5076@redhat.com>
References: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com> <46f67e92-834e-34a5-3a38-f1699aef5076@redhat.com>
Message-ID:

On 24.06.2016 16:03, Stanislav Laznicka wrote:
> On 06/24/2016 03:11 PM, Martin Basti wrote:
>> On 23.06.2016 17:46, Robbie Harwood wrote:
>>> Petr Vobornik writes:
>>>
>>>> mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
>>> Excited to see this appear! Sessions are not in use so there's no need
>>> to worry about a sweeper. This looks correct to me. Thanks Petr!
>>>
>>>
>> Is this ACK?
>>
>>
> This seems to work for me so ACK.
>
Rebased on ipa-4-3 and pushed

master:
* fd840a9cd7974c735ab7b0f6773fd5cda8638585 mod_auth_gssapi: enable unique credential caches names
ipa-4-3:
* 59c1e6988ea56e2c04dbc065bc9780516435bd0c mod_auth_gssapi: enable unique credential caches names

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Fri Jun 24 14:27:03 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Jun 2016 16:27:03 +0200
Subject: [Freeipa-devel] [PATCH] 959 mod_auth_gssapi: enable unique credential caches names
In-Reply-To:
References: <6b31984b-c10a-f7cd-702a-5e9ba09370a9@redhat.com> <46f67e92-834e-34a5-3a38-f1699aef5076@redhat.com>
Message-ID:

On 24.06.2016 16:13, Martin Basti wrote:
>
>
>
> On 24.06.2016 16:03, Stanislav Laznicka wrote:
>> On 06/24/2016 03:11 PM, Martin Basti wrote:
>>> On 23.06.2016 17:46, Robbie Harwood wrote:
>>>> Petr Vobornik writes:
>>>>
>>>>> mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
>>>> Excited to see this appear! Sessions are not in use so there's no need
>>>> to worry about a sweeper. This looks correct to me. Thanks Petr!
>>>>
>>>>
>>> Is this ACK?
>>>
>>>
>> This seems to work for me so ACK.
>>
> Rebased on ipa-4-3 and pushed
>
> master:
> * fd840a9cd7974c735ab7b0f6773fd5cda8638585 mod_auth_gssapi: enable
> unique credential caches names
> ipa-4-3:
> * 59c1e6988ea56e2c04dbc065bc9780516435bd0c mod_auth_gssapi: enable
> unique credential caches names
>
>
and rebased on ipa-4-2 and pushed

ipa-4-2:
* 6683442bd037eaf7515585e83934c83168b0a19e mod_auth_gssapi: enable unique credential caches names

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From slaznick at redhat.com Fri Jun 24 14:34:50 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Fri, 24 Jun 2016 16:34:50 +0200 Subject: [Freeipa-devel] [PATCH 0043] Stop uninstaller from failing if a service can't be started In-Reply-To: <124f8359-5bc9-64f6-1ea9-00f572195a3b@redhat.com> References: <2173eb1e-cf4d-852c-77a5-23ffe832d0ad@redhat.com> <9f809d24-a845-9de1-7592-7053512b671b@redhat.com> <1a670c65-4ad8-bcd9-e7b3-86ab0077e287@redhat.com> <0f37c673-a6b8-5562-bf0b-1725e1ae53ef@redhat.com> <124f8359-5bc9-64f6-1ea9-00f572195a3b@redhat.com> Message-ID: On 06/24/2016 04:04 PM, Martin Basti wrote: > On 24.06.2016 15:50, Stanislav Laznicka wrote: >> On 06/21/2016 04:39 PM, Martin Basti wrote: >>> >>> >>> On 14.06.2016 17:26, Stanislav Laznicka wrote: >>>> - signerd_service.start() >>>> + try: >>>> + signerd_service.start() >>>> + except Exception as e: >>>> + root_logger.error("Unable to start '{svcname}': >>>> {err}" >>>> + .format(svcname=signerd_service.service_name, >>>> + err=e)) >>> >>> why is signerd so special? >>> >>> Martin^2 >>> >> From ODSExporterInstance.uninstall(): >> >> signerd_service = services.knownservices.ods_signerd >> >> This means that signerd_service here is not an instance of the >> service.Service class or of its child class but is rather an instance >> of the RedHatService class, a child class of the >> services.SystemdService class. Thus it has to be treated with special >> care. >> > > Well then I prefer to put this option to systemdservice, and only pass > it from service.restart() to systemdService.restart() > > You forgot to handle regular_named service, which is the same as > ods_signerd The passing of the option is not as easy as it may seem. The service.restart() method calls self.service.restart(). However, self.service is not directly of SystemdService class but rather of one of RedHat*Service classes, some of which override the SystemdService.restart() method (and call it somewhere in the process of their overridden method). 
Would you then suggest:

1) Adding the option to all the methods on the way from Service to SystemdService classes just for the sake of passing => exceptions still may occur and the suppress_errors option therefore does not do what you'd expect it to do

2) Adding the option to all the methods and treating all the possible exceptions on the way with try: .. except: .. blocks ===> veeery ugly copy-pasta.

3) Leaving it as is => some .restart() calls offer the suppress_errors option, some don't.

From mbasti at redhat.com Fri Jun 24 15:53:27 2016
From: mbasti at redhat.com (Martin Basti)
Date: Fri, 24 Jun 2016 17:53:27 +0200
Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request
In-Reply-To: <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com>
References: <20160609120203.GF3271@hendrix> <20160609122221.6lzzv4zgusc72wfx@redhat.com> <6ddc2ec2-ea1b-a78a-844b-7d6936a0a02e@redhat.com> <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com>
Message-ID: <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com>

On 24.06.2016 15:09, Martin Basti wrote:
>
>
> On 24.06.2016 14:59, Sumit Bose wrote:
>> On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote:
>>>
>>> On 22.06.2016 23:20, Lukas Slebodnik wrote:
>>>> On (22/06/16 11:57), Martin Basti wrote:
>>>>> On 09.06.2016 21:02, Martin Basti wrote:
>>>>>> On 09.06.2016 14:45, Martin Basti wrote:
>>>>>>> On 09.06.2016 14:42, Martin Basti wrote:
>>>>>>>> On 09.06.2016 14:38, Lukas Slebodnik wrote:
>>>>>>>>> On (09/06/16 14:29), Martin Basti wrote:
>>>>>>>>>> On 09.06.2016 14:22, Alexander Bokovoy wrote:
>>>>>>>>>>> On Thu, 09 Jun 2016, Jakub Hrozek wrote:
>>>>>>>>>>>> On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote:
>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>
>>>>>>>>>>>>> this patch allows the extdom plugin to lookup users by certificate which
>>>>>>>>>>>>> is needed in the case where an IPA client wants to lookup an AD user who
>>>>>>>>>>>>> has the certificate stored in AD. To make this work the related patches
>>>>>>>>>>>>> I just sent to sssd-devel are needed as well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Currently the patches miss the change in the required version of SSSD,
>>>>>>>>>>>>> since the SSSD patches are not committed. But the patches are needed to
>>>>>>>>>>>>> fully test the SSSD patches. I will send a new version with the needed
>>>>>>>>>>>>> changes to the minimal SSSD version when the SSSD patches are
>>>>>>>>>>>>> committed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> bye,
>>>>>>>>>>>>> Sumit
>>>>>>>>>>>> The patch works fine (tested together with the corresponding SSSD
>>>>>>>>>>>> patches), so ACK from me. The code also looks good to me, but I'm not
>>>>>>>>>>>> sure if reviewing an IPA patch requires something more (CI? Coverity?)
>>>>>>>>>>> ACK from me as well, I forgot to send email about it, though I reviewed
>>>>>>>>>>> this patch a week ago.
>>>>>>>>>>>
>>>>>>>>>> Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8
>>>>>>>>>>
>>>>>>>>> It's very likely that this commit will break build of
>>>>>>>>> freeipa-master. I didn't try.
>>>>>>>>>
>>>>>>>>> Because it uses new function sss_nss_getnamebycert
>>>>>>>>> from the library libsss_nss_idmap which is not in fedora.
>>>>>>>>> It was pushed to sssd master just today.
>>>>>>>>>
>>>>>>>>> LS
>>>>>>>> If this is true, can you/somebody provide the SRPM of SSSD with
>>>>>>>> the required functionality please? We may need to add it to
>>>>>>>> @freeipa/freeipa-master copr and bump required version of SSSD.
>>>>>>>>
>>>>>>>> Martin^2
>>>>>>>>
>>>>>>> Yes, you were right, master build is broken.
>>>>>>> Martin^2 >>>>>>> >>>>>> SSSD master build has been added to @freeipa/freeipa-master copr >>>>>> as a >>>>>> workaround (to unblock automatic testing an developers) >>>>>> >>>>>> Please bump version in specfile accordingly (I don't know in which >>>>>> version of SSSD will be required function) >>>>>> >>>>>> Martin^2 >>>>>> >>>>> Bumping SSSD version in requires and buildrequires >>>>> Patch attached >>>> >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 00:00:00 >>>> 2001 >>>>> From: Martin Basti >>>>> Date: Wed, 22 Jun 2016 10:49:39 +0200 >>>>> Subject: [PATCH] Bump SSSD requires >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/4955 >>>>> --- >>>>> freeipa.spec.in | 4 ++-- >>>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>>>> index >>>>> 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >>>>> 100644 >>>>> --- a/freeipa.spec.in >>>>> +++ b/freeipa.spec.in >>>>> @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >>>>> BuildRequires: python-qrcode-core >= 5.0.0 >>>>> BuildRequires: python-dns >= 1.11.1 >>>>> BuildRequires: libsss_idmap-devel >>>>> -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >>>>> +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >>>>> BuildRequires: java-headless >>>>> BuildRequires: rhino >>>>> BuildRequires: libverto-devel 
>>>>> @@ -327,7 +327,7 @@ Requires: pam_krb5 >>>>> Requires: curl >>>>> Requires: libcurl >= 7.21.7-2 >>>>> Requires: xmlrpc-c >= 1.27.4 >>>>> -Requires: sssd >= 1.13.3-5 >>>>> +Requires: sssd >= 1.14.0 >>>> NACK >>> Thank you. >>>> A) It's not explained in commit message why you need to bump >>>> Requires for sssd. >>>> IIRC, you need just new libsss_nss_idmap-devel. >>> I don't know actually, would be nice if author of the original patch >>> can >>> confirm if newer SSSD is required or not >> Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >> 1.14.0' is needed for the build because the new call >> sss_nss_getnamebycert() is needed to look up trusted users by >> certificate. >> >> At runtime 'Requires: sssd >= 1.14.0' is needed because currently >> libsss_nss_idmap does not have a dependency to sssd. If only the >> libsss_nss_idmap would be updated and not SSSD the >> sss_nss_getnamebycert() would just return a not implemented error code >> because the older versions of SSSD cannot handle the request. >> >> HTH >> >> bye, >> Sumit > Thank you for explanation, updated patch attached. > > Martin^2 Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 Is it possible that you forgot to increment this version on SSSD side, or it is my failure? Martin^2 >>>> B) You forgot add detection for newer version of libsss_nss_idmap >>>> at configure >>>> time >>>> Hint: * daemons/configure.ac >>>> * >>>> https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification >>> Fixed >>>> LS >>> Updated patch attached. >>> From 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Wed, 22 Jun 2016 10:49:39 +0200 >>> Subject: [PATCH] Bump libsss_nss_idmap-devel >>> >>> This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 >>> >>> https://fedorahosted.org/freeipa/ticket/4955 >>> --- >>> daemons/configure.ac | 2 +- >>> freeipa.spec.in | 2 +- >>> 2 files changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/daemons/configure.ac b/daemons/configure.ac >>> index >>> 2906def285a0f6ad9553fc07cbc59f7a7f7fd426..fa5eab829cad6718f21ec3d5569ffe1b0168e518 >>> 100644 >>> --- a/daemons/configure.ac >>> +++ b/daemons/configure.ac >>> @@ -253,7 +253,7 @@ dnl -- dirsrv is needed for the extdom unit >>> tests -- >>> PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) >>> dnl -- sss_idmap is needed by the extdom exop -- >>> PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) >>> -PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) >>> +PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.14.0]) >>> dnl >>> --------------------------------------------------------------------------- >>> dnl - Check for systemd unit directory >>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>> index >>> d31ddfaf78a455f4e4d65724bbbe23461e1336e0..e82950d7f82fb5018d893a0644dd1a5931656e2d >>> 100644 >>> --- a/freeipa.spec.in >>> +++ b/freeipa.spec.in 
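Review bot: `sss_nss_idmap >= 1.14.0` in the configure.ac hunk of 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b rejects the very SSSD builds that carry the function: the pre-release .pc files report 1.13.90 for the alpha and 1.13.91 for the beta, which is exactly the "Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90" failure reported later in the thread, even though the RPM is labelled libsss_nss_idmap-devel-1.14.0-1.fc24.alpha. Use `[sss_nss_idmap >= 1.13.90]` here, and use the same bound in freeipa.spec.in so configure and RPM agree on the minimum; 1.13.90 is still satisfied by the 1.14.0-labelled alpha package.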
>>> @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >>> BuildRequires: python-qrcode-core >= 5.0.0 >>> BuildRequires: python-dns >= 1.11.1 >>> BuildRequires: libsss_idmap-devel >>> -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >>> +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >>> BuildRequires: java-headless >>> BuildRequires: rhino >>> BuildRequires: libverto-devel >>> -- >>> 2.5.5 >>> >>> -- >>> Manage your subscription for the Freeipa-devel mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Fri Jun 24 16:24:59 2016 
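Review bot: this revision drops the `Requires: sssd` bump that f2b394085157954768bc93a73b854778c65bfdcd carried (the stat line now lists only daemons/configure.ac and a single spec line), so the runtime dependency stays at sssd >= 1.13.3-5. As Sumit explains in the thread, libsss_nss_idmap has no dependency on sssd, so a host can receive the new library without a new responder, and sss_nss_getnamebycert() then returns a not-implemented error at lookup time, so the extdom certificate lookup fails on such a host. Restore the Requires line with the same minimum as BuildRequires, and state in the commit message why both the library and the daemon must move.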
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 24 Jun 2016 18:24:59 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> References: <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> Message-ID: <20160624162459.GA4873@10.4.128.1> On (24/06/16 17:53), Martin Basti wrote: > > >On 24.06.2016 15:09, Martin Basti wrote: >> >> >> On 24.06.2016 14:59, Sumit Bose wrote: >> > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: >> > > >> > > On 22.06.2016 23:20, Lukas Slebodnik wrote: >> > > > On (22/06/16 11:57), Martin Basti wrote: >> > > > > On 09.06.2016 21:02, Martin Basti wrote: >> > > > > > On 09.06.2016 14:45, Martin Basti wrote: >> > > > > > > On 09.06.2016 14:42, Martin Basti wrote: >> > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: >> > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >> > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > > > > > > > > > > > Hi, >> > > > > > > > > > > > > >> > > > > > > > > > > > > this patch allows the extom plugin to lookup >> > > > > > > > > > > > > users by certificate which >> > > > > > > > > > > > > is needed in the case where a IPA client >> > > > > > > > > > > > > wants to lookup an AD user who >> > > > > > > > > > > > > has the certificate stored in AD. 
To make >> > > > > > > > > > > > > this work the related patches >> > > > > > > > > > > > > I just send to sssd-devel are needed as well. >> > > > > > > > > > > > > >> > > > > > > > > > > > > Currently the patches miss the change in the >> > > > > > > > > > > > > required version of SSSD. >> > > > > > > > > > > > > since the SSSD patches are not committed. But >> > > > > > > > > > > > > the patches are needed to >> > > > > > > > > > > > > fully test the SSSD patches. I will send a >> > > > > > > > > > > > > new version with the needed >> > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are >> > > > > > > > > > > > > committed. >> > > > > > > > > > > > > >> > > > > > > > > > > > > bye, >> > > > > > > > > > > > > Sumit >> > > > > > > > > > > > The patch works fine (tested >> > > > > > > > > > > > together with the >> > > > > > > > > > > > corresponding SSSD >> > > > > > > > > > > > patches), so ACK from me. The code also looks >> > > > > > > > > > > > good to me, but I'm not >> > > > > > > > > > > > sure if reviewing an IPA patch requires something >> > > > > > > > > > > > more (CI? Coverity?) >> > > > > > > > > > > ACK from me as well, I forgot to send email about it, >> > > > > > > > > > > though I reviewed >> > > > > > > > > > > this patch a week ago. >> > > > > > > > > > > >> > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > > > > > > > > > >> > > > > > > > > It's very likey that this commit will break build of >> > > > > > > > > freeipa-master. I didn't try. >> > > > > > > > > >> > > > > > > > > Because it uses new function sss_nss_getnamebycert >> > > > > > > > > from the library libsss_nss_idmap which is not in fedora. >> > > > > > > > > It was pushed to sssd master just today. >> > > > > > > > > >> > > > > > > > > LS >> > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with >> > > > > > > > the required functionality please? 
We may need to add it to >> > > > > > > > @freeipa/freeipa-master copr and bump required version of SSSD. >> > > > > > > > >> > > > > > > > Martin^2 >> > > > > > > > >> > > > > > > Yes, you were right, master build is broken. >> > > > > > > Martin^2 >> > > > > > > >> > > > > > SSSD master build has been added to >> > > > > > @freeipa/freeipa-master copr as a >> > > > > > workaround (to unblock automatic testing an developers) >> > > > > > >> > > > > > Please bump version in specfile accordingly (I don't know in which >> > > > > > version of SSSD will be required function) >> > > > > > >> > > > > > Martin^2 >> > > > > > >> > > > > Bumping SSSD version in requires and buildrequires >> > > > > Patch attached >> > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 >> > > > 00:00:00 2001 >> > > > > From: Martin Basti >> > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 >> > > > > Subject: [PATCH] Bump SSSD requires >> > > > > >> > > > > https://fedorahosted.org/freeipa/ticket/4955 >> > > > > --- >> > > > > freeipa.spec.in | 4 ++-- >> > > > > 1 file changed, 2 insertions(+), 2 deletions(-) >> > > > > >> > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in >> > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >> > > > > 100644 >> > > > > --- a/freeipa.spec.in >> > > > > +++ b/freeipa.spec.in >> > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> > > > > BuildRequires: python-qrcode-core >= 5.0.0 >> > > > > BuildRequires: python-dns >= 1.11.1 >> > > > > BuildRequires: libsss_idmap-devel >> > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> > > > > BuildRequires: java-headless >> > > > > BuildRequires: rhino >> > > > > BuildRequires: libverto-devel 
>> > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 >> > > > > Requires: curl >> > > > > Requires: libcurl >= 7.21.7-2 >> > > > > Requires: xmlrpc-c >= 1.27.4 >> > > > > -Requires: sssd >= 1.13.3-5 >> > > > > +Requires: sssd >= 1.14.0 >> > > > NACK >> > > Thank you. >> > > > A) It's not explained in commit message why you need to bump >> > > > Requires for sssd. >> > > > IIRC, you need just new libsss_nss_idmap-devel. >> > > I don't know actually, would be nice if author of the original >> > > patch can >> > > confirm if newer SSSD is required or not >> > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >> > 1.14.0' is needed for the build because the new call >> > sss_nss_getnamebycert() is needed to look up trusted users by >> > certificate. >> > >> > At runtime 'Requires: sssd >= 1.14.0' is needed because currently >> > libsss_nss_idmap does not have a dependency to sssd. If only the >> > libsss_nss_idmap would be updated and not SSSD the >> > sss_nss_getnamebycert() would just return a not implemented error code >> > because the older versions of SSSD cannot handle the request. >> > >> > HTH >> > >> > bye, >> > Sumit >> Thank you for explanation, updated patch attached. >> >> Martin^2 > >Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 >You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ > >libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 > >Is it possible that you forgot to increment this version on SSSD side, or it >is my failure? > No, it is how we release alpha version. beta will be 1.13.91 libsss_nss_idmap-devel-1.14.0 is just fake version changed in spec file. You might still want to wait for 1.14.0 for this patch. LS From sbose at redhat.com Fri Jun 24 16:31:09 2016 
From: sbose at redhat.com (Sumit Bose) Date: Fri, 24 Jun 2016 18:31:09 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> References: <20160609123829.GN19915@10.4.128.1> <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> Message-ID: <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> On Fri, Jun 24, 2016 at 05:53:27PM +0200, Martin Basti wrote: > > > On 24.06.2016 15:09, Martin Basti wrote: > > > > > > On 24.06.2016 14:59, Sumit Bose wrote: > > > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: > > > > > > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: > > > > > On (22/06/16 11:57), Martin Basti wrote: > > > > > > On 09.06.2016 21:02, Martin Basti wrote: > > > > > > > On 09.06.2016 14:45, Martin Basti wrote: > > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: > > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: > > > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: > > > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: > > > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: > > > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > > > > > > > > > this patch allows the extom plugin to lookup > > > > > > > > > > > > > > users by certificate which > > > > > > > > > > > > > > is needed in the case where a IPA client > > > > > > > > > > > > > > wants to lookup an AD user who > > > > > > > > > > > > > > has the certificate 
stored in AD. To make > > > > > > > > > > > > > > this work the related patches > > > > > > > > > > > > > > I just send to sssd-devel are needed as well. > > > > > > > > > > > > > > > > > > > > > > > > > > > > Currently the patches miss the change in the > > > > > > > > > > > > > > required version of SSSD. > > > > > > > > > > > > > > since the SSSD patches are not committed. But > > > > > > > > > > > > > > the patches are needed to > > > > > > > > > > > > > > fully test the SSSD patches. I will send a > > > > > > > > > > > > > > new version with the needed > > > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are > > > > > > > > > > > > > > committed. > > > > > > > > > > > > > > > > > > > > > > > > > > > > bye, > > > > > > > > > > > > > > Sumit > > > > > > > > > > > > > The patch works fine (tested > > > > > > > > > > > > > together with the > > > > > > > > > > > > > corresponding SSSD > > > > > > > > > > > > > patches), so ACK from me. The code also looks > > > > > > > > > > > > > good to me, but I'm not > > > > > > > > > > > > > sure if reviewing an IPA patch requires something > > > > > > > > > > > > > more (CI? Coverity?) > > > > > > > > > > > > ACK from me as well, I forgot to send email about it, > > > > > > > > > > > > though I reviewed > > > > > > > > > > > > this patch a week ago. > > > > > > > > > > > > > > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 > > > > > > > > > > > > > > > > > > > > > It's very likey that this commit will break build of > > > > > > > > > > freeipa-master. I didn't try. > > > > > > > > > > > > > > > > > > > > Because it uses new function sss_nss_getnamebycert > > > > > > > > > > from the library libsss_nss_idmap which is not in fedora. > > > > > > > > > > It was pushed to sssd master just today. 
> > > > > > > > > > > > > > > > > > > > LS > > > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with > > > > > > > > > the required functionality please? We may need to add it to > > > > > > > > > @freeipa/freeipa-master copr and bump required version of SSSD. > > > > > > > > > > > > > > > > > > Martin^2 > > > > > > > > > > > > > > > > > Yes, you were right, master build is broken. > > > > > > > > Martin^2 > > > > > > > > > > > > > > > SSSD master build has been added to > > > > > > > @freeipa/freeipa-master copr as a > > > > > > > workaround (to unblock automatic testing an developers) > > > > > > > > > > > > > > Please bump version in specfile accordingly (I don't know in which > > > > > > > version of SSSD will be required function) > > > > > > > > > > > > > > Martin^2 > > > > > > > > > > > > > Bumping SSSD version in requires and buildrequires > > > > > > Patch attached > > > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 > > > > > 00:00:00 2001 > > > > > > From: Martin Basti > > > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 > > > > > > Subject: [PATCH] Bump SSSD requires > > > > > > > > > > > > https://fedorahosted.org/freeipa/ticket/4955 > > > > > > --- > > > > > > freeipa.spec.in | 4 ++-- > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > > > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in > > > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 > > > > > > 100644 > > > > > > --- a/freeipa.spec.in > > > > > > +++ b/freeipa.spec.in 
> > > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a > > > > > > BuildRequires: python-qrcode-core >= 5.0.0 > > > > > > BuildRequires: python-dns >= 1.11.1 > > > > > > BuildRequires: libsss_idmap-devel > > > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 > > > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 > > > > > > BuildRequires: java-headless > > > > > > BuildRequires: rhino > > > > > > BuildRequires: libverto-devel 
> > > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 > > > > > > Requires: curl > > > > > > Requires: libcurl >= 7.21.7-2 > > > > > > Requires: xmlrpc-c >= 1.27.4 > > > > > > -Requires: sssd >= 1.13.3-5 > > > > > > +Requires: sssd >= 1.14.0 > > > > > NACK > > > > Thank you. > > > > > A) It's not explained in commit message why you need to bump > > > > > Requires for sssd. > > > > > IIRC, you need just new libsss_nss_idmap-devel. > > > > I don't know actually, would be nice if author of the original > > > > patch can > > > > confirm if newer SSSD is required or not > > > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= > > > 1.14.0' is needed for the build because the new call > > > sss_nss_getnamebycert() is needed to look up trusted users by > > > certificate. > > > > > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently > > > libsss_nss_idmap does not have a dependency to sssd. If only the > > > libsss_nss_idmap would be updated and not SSSD the > > > sss_nss_getnamebycert() would just return a not implemented error code > > > because the older versions of SSSD cannot handle the request. > > > > > > HTH > > > > > > bye, > > > Sumit > > Thank you for explanation, updated patch attached. > > > > Martin^2 > > Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 > You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ > > libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 > > Is it possible that you forgot to increment this version on SSSD side, or it > is my failure? ah sorry, since 1.14.0 is not release yet we use 1.13.9x to track the alpha and beta releases and still have incrementing version numbers. So, it might be better to use '>= 1.13.90' in the spec file instead of '1.14.0'. 
bye, Sumit > > Martin^2 > > > > > B) You forgot add detection for newer version of > > > > > libsss_nss_idmap at configure > > > > > time > > > > > Hint: * daemons/configure.ac > > > > > * https://autotools.io/pkgconfig/pkg_check_modules.html#pkgconfig.pkg_check_modules.specification > > > > Fixed > > > > > LS > > > > Updated patch attached. > > > > From 34c63f8ba5c478cd95a62bc3dffc6bfc7be3384b Mon Sep 17 00:00:00 2001 > > > > From: Martin Basti > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 > > > > Subject: [PATCH] Bump libsss_nss_idmap-devel > > > > > > > > This is required by commit aa734da49440c5d12c0f8d4566505adaeef254e8 > > > > > > > > https://fedorahosted.org/freeipa/ticket/4955 > > > > --- > > > > daemons/configure.ac | 2 +- > > > > freeipa.spec.in | 2 +- > > > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/daemons/configure.ac b/daemons/configure.ac > > > > index 2906def285a0f6ad9553fc07cbc59f7a7f7fd426..fa5eab829cad6718f21ec3d5569ffe1b0168e518 > > > > 100644 > > > > --- a/daemons/configure.ac > > > > +++ b/daemons/configure.ac > > > > @@ -253,7 +253,7 @@ dnl -- dirsrv is needed for the extdom unit > > > > tests -- > > > > PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) > > > > dnl -- sss_idmap is needed by the extdom exop -- > > > > PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) > > > > -PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap]) > > > > +PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.14.0]) > > > > dnl --------------------------------------------------------------------------- > > > > dnl - Check for systemd unit directory > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in > > > > index d31ddfaf78a455f4e4d65724bbbe23461e1336e0..e82950d7f82fb5018d893a0644dd1a5931656e2d > > > > 100644 > > > > --- a/freeipa.spec.in > > > > +++ b/freeipa.spec.in 
> > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a > > > > BuildRequires: python-qrcode-core >= 5.0.0 > > > > BuildRequires: python-dns >= 1.11.1 > > > > BuildRequires: libsss_idmap-devel > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 > > > > BuildRequires: java-headless > > > > BuildRequires: rhino > > > > BuildRequires: libverto-devel > > > > -- > > > > 2.5.5 > > > > > > > > -- > > > > Manage your subscription for the Freeipa-devel mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > > > > > > From abokovoy at redhat.com Fri Jun 24 17:00:25 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Jun 2016 20:00:25 +0300 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <3b56943e-9809-7184-8849-6c88c526cec9@redhat.com> <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> On Fri, 24 Jun 2016, Sumit Bose wrote: >On Fri, Jun 24, 2016 at 05:53:27PM +0200, Martin Basti wrote: >> >> >> On 24.06.2016 15:09, Martin Basti wrote: >> > >> > >> > On 24.06.2016 14:59, Sumit Bose wrote: >> > > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: >> > > > >> > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: >> > > > > On (22/06/16 11:57), Martin Basti wrote: >> > > > > > On 09.06.2016 21:02, Martin Basti wrote: >> > > > > > > On 09.06.2016 14:45, Martin Basti wrote: >> > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: >> > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> > > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: >> > > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >> > > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > > > > > > > > > > > > Hi, >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > this patch allows the extom plugin to lookup >> > > > > > > > > > > > > > users by certificate which >> > > > > > > > > > > > > > is needed in the case where a IPA client >> > > > > > 
> > > > > > > > wants to lookup an AD user who >> > > > > > > > > > > > > > has the certificate stored in AD. To make >> > > > > > > > > > > > > > this work the related patches >> > > > > > > > > > > > > > I just send to sssd-devel are needed as well. >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > Currently the patches miss the change in the >> > > > > > > > > > > > > > required version of SSSD. >> > > > > > > > > > > > > > since the SSSD patches are not committed. But >> > > > > > > > > > > > > > the patches are needed to >> > > > > > > > > > > > > > fully test the SSSD patches. I will send a >> > > > > > > > > > > > > > new version with the needed >> > > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are >> > > > > > > > > > > > > > committed. >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > bye, >> > > > > > > > > > > > > > Sumit >> > > > > > > > > > > > > The patch works fine (tested >> > > > > > > > > > > > > together with the >> > > > > > > > > > > > > corresponding SSSD >> > > > > > > > > > > > > patches), so ACK from me. The code also looks >> > > > > > > > > > > > > good to me, but I'm not >> > > > > > > > > > > > > sure if reviewing an IPA patch requires something >> > > > > > > > > > > > > more (CI? Coverity?) >> > > > > > > > > > > > ACK from me as well, I forgot to send email about it, >> > > > > > > > > > > > though I reviewed >> > > > > > > > > > > > this patch a week ago. >> > > > > > > > > > > > >> > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > > > > > > > > > > >> > > > > > > > > > It's very likey that this commit will break build of >> > > > > > > > > > freeipa-master. I didn't try. >> > > > > > > > > > >> > > > > > > > > > Because it uses new function sss_nss_getnamebycert >> > > > > > > > > > from the library libsss_nss_idmap which is not in fedora. >> > > > > > > > > > It was pushed to sssd master just today. 
>> > > > > > > > > > >> > > > > > > > > > LS >> > > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with >> > > > > > > > > the required functionality please? We may need to add it to >> > > > > > > > > @freeipa/freeipa-master copr and bump required version of SSSD. >> > > > > > > > > >> > > > > > > > > Martin^2 >> > > > > > > > > >> > > > > > > > Yes, you were right, master build is broken. >> > > > > > > > Martin^2 >> > > > > > > > >> > > > > > > SSSD master build has been added to >> > > > > > > @freeipa/freeipa-master copr as a >> > > > > > > workaround (to unblock automatic testing an developers) >> > > > > > > >> > > > > > > Please bump version in specfile accordingly (I don't know in which >> > > > > > > version of SSSD will be required function) >> > > > > > > >> > > > > > > Martin^2 >> > > > > > > >> > > > > > Bumping SSSD version in requires and buildrequires >> > > > > > Patch attached >> > > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 >> > > > > 00:00:00 2001 >> > > > > > From: Martin Basti >> > > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 >> > > > > > Subject: [PATCH] Bump SSSD requires >> > > > > > >> > > > > > https://fedorahosted.org/freeipa/ticket/4955 >> > > > > > --- >> > > > > > freeipa.spec.in | 4 ++-- >> > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) >> > > > > > >> > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in >> > > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >> > > > > > 100644 >> > > > > > --- a/freeipa.spec.in >> > > > > > +++ b/freeipa.spec.in 
>> > > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> > > > > > BuildRequires: python-qrcode-core >= 5.0.0 >> > > > > > BuildRequires: python-dns >= 1.11.1 >> > > > > > BuildRequires: libsss_idmap-devel >> > > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> > > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> > > > > > BuildRequires: java-headless >> > > > > > BuildRequires: rhino >> > > > > > BuildRequires: libverto-devel 
>> > > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 >> > > > > > Requires: curl >> > > > > > Requires: libcurl >= 7.21.7-2 >> > > > > > Requires: xmlrpc-c >= 1.27.4 >> > > > > > -Requires: sssd >= 1.13.3-5 >> > > > > > +Requires: sssd >= 1.14.0 >> > > > > NACK >> > > > Thank you. >> > > > > A) It's not explained in commit message why you need to bump >> > > > > Requires for sssd. >> > > > > IIRC, you need just new libsss_nss_idmap-devel. >> > > > I don't know actually, would be nice if author of the original >> > > > patch can >> > > > confirm if newer SSSD is required or not >> > > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >> > > 1.14.0' is needed for the build because the new call >> > > sss_nss_getnamebycert() is needed to look up trusted users by >> > > certificate. >> > > >> > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently >> > > libsss_nss_idmap does not have a dependency to sssd. If only the >> > > libsss_nss_idmap would be updated and not SSSD the >> > > sss_nss_getnamebycert() would just return a not implemented error code >> > > because the older versions of SSSD cannot handle the request. >> > > >> > > HTH >> > > >> > > bye, >> > > Sumit >> > Thank you for explanation, updated patch attached. >> > >> > Martin^2 >> >> Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 >> You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ >> >> libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 >> >> Is it possible that you forgot to increment this version on SSSD side, or it >> is my failure? > >ah sorry, since 1.14.0 is not release yet we use 1.13.9x to track the >alpha and beta releases and still have incrementing version numbers. So, >it might be better to use '>= 1.13.90' in the spec file instead of >'1.14.0'. +1, At this point '>= 1.13.90' should be safe. -- / Alexander Bokovoy From lslebodn at redhat.com Fri Jun 24 17:28:36 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 24 Jun 2016 19:28:36 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> References: <13066d74-9e55-0f2c-4cee-11c583ccfd13@redhat.com> <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> Message-ID: <20160624172834.GB4873@10.4.128.1> On (24/06/16 20:00), Alexander Bokovoy wrote: >On Fri, 24 Jun 2016, Sumit Bose wrote: >> On Fri, Jun 24, 2016 at 05:53:27PM +0200, Martin Basti wrote: >> > >> > >> > On 24.06.2016 15:09, Martin Basti wrote: >> > > >> > > >> > > On 24.06.2016 14:59, Sumit Bose wrote: >> > > > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: >> > > > > >> > > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: >> > > > > > On (22/06/16 11:57), Martin Basti wrote: >> > > > > > > On 09.06.2016 21:02, Martin Basti wrote: >> > > > > > > > On 09.06.2016 14:45, Martin Basti wrote: >> > > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: >> > > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> > > > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: >> > > > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >> > > > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > > > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > > > > > > > > > > > > > Hi, >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > this patch allows the extom plugin to lookup >> > > > > > > > > > > > > > > users by certificate which >> > > > > > > > > > > > > 
> > is needed in the case where a IPA client >> > > > > > > > > > > > > > > wants to lookup an AD user who >> > > > > > > > > > > > > > > has the certificate stored in AD. To make >> > > > > > > > > > > > > > > this work the related patches >> > > > > > > > > > > > > > > I just send to sssd-devel are needed as well. >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Currently the patches miss the change in the >> > > > > > > > > > > > > > > required version of SSSD. >> > > > > > > > > > > > > > > since the SSSD patches are not committed. But >> > > > > > > > > > > > > > > the patches are needed to >> > > > > > > > > > > > > > > fully test the SSSD patches. I will send a >> > > > > > > > > > > > > > > new version with the needed >> > > > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are >> > > > > > > > > > > > > > > committed. >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > bye, >> > > > > > > > > > > > > > > Sumit >> > > > > > > > > > > > > > The patch works fine (tested >> > > > > > > > > > > > > > together with the >> > > > > > > > > > > > > > corresponding SSSD >> > > > > > > > > > > > > > patches), so ACK from me. The code also looks >> > > > > > > > > > > > > > good to me, but I'm not >> > > > > > > > > > > > > > sure if reviewing an IPA patch requires something >> > > > > > > > > > > > > > more (CI? Coverity?) >> > > > > > > > > > > > > ACK from me as well, I forgot to send email about it, >> > > > > > > > > > > > > though I reviewed >> > > > > > > > > > > > > this patch a week ago. >> > > > > > > > > > > > > >> > > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > > > > > > > > > > > >> > > > > > > > > > > It's very likey that this commit will break build of >> > > > > > > > > > > freeipa-master. I didn't try. 
>> > > > > > > > > > > >> > > > > > > > > > > Because it uses new function sss_nss_getnamebycert >> > > > > > > > > > > from the library libsss_nss_idmap which is not in fedora. >> > > > > > > > > > > It was pushed to sssd master just today. >> > > > > > > > > > > >> > > > > > > > > > > LS >> > > > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with >> > > > > > > > > > the required functionality please? We may need to add it to >> > > > > > > > > > @freeipa/freeipa-master copr and bump required version of SSSD. >> > > > > > > > > > >> > > > > > > > > > Martin^2 >> > > > > > > > > > >> > > > > > > > > Yes, you were right, master build is broken. >> > > > > > > > > Martin^2 >> > > > > > > > > >> > > > > > > > SSSD master build has been added to >> > > > > > > > @freeipa/freeipa-master copr as a >> > > > > > > > workaround (to unblock automatic testing an developers) >> > > > > > > > >> > > > > > > > Please bump version in specfile accordingly (I don't know in which >> > > > > > > > version of SSSD will be required function) >> > > > > > > > >> > > > > > > > Martin^2 >> > > > > > > > >> > > > > > > Bumping SSSD version in requires and buildrequires >> > > > > > > Patch attached >> > > > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 >> > > > > > 00:00:00 2001 >> > > > > > > From: Martin Basti >> > > > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 >> > > > > > > Subject: [PATCH] Bump SSSD requires >> > > > > > > >> > > > > > > https://fedorahosted.org/freeipa/ticket/4955 >> > > > > > > --- >> > > > > > > freeipa.spec.in | 4 ++-- >> > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) >> > > > > > > >> > > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in >> > > > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >> > > > > > > 100644 >> > > > > > > --- a/freeipa.spec.in >> > > > > > > +++ b/freeipa.spec.in 
>> > > > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> > > > > > > BuildRequires: python-qrcode-core >= 5.0.0 >> > > > > > > BuildRequires: python-dns >= 1.11.1 >> > > > > > > BuildRequires: libsss_idmap-devel >> > > > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> > > > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> > > > > > > BuildRequires: java-headless >> > > > > > > BuildRequires: rhino >> > > > > > > BuildRequires: libverto-devel 
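Review bot: the new `BuildRequires: libsss_nss_idmap-devel >= 1.14.0` in this hunk pins a version that has not been released; SSSD numbers its pre-release builds 1.13.9x, so the library's own version string reports 1.13.90 and a build against the alpha package fails with "Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90". Either track the pre-release with `>= 1.13.90` or hold the patch until the 1.14.0 tarball exists, and name sss_nss_getnamebycert() in the commit message as the symbol that forces the bump.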
>> > > > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 >> > > > > > > Requires: curl >> > > > > > > Requires: libcurl >= 7.21.7-2 >> > > > > > > Requires: xmlrpc-c >= 1.27.4 >> > > > > > > -Requires: sssd >= 1.13.3-5 >> > > > > > > +Requires: sssd >= 1.14.0 >> > > > > > NACK >> > > > > Thank you. >> > > > > > A) It's not explained in commit message why you need to bump >> > > > > > Requires for sssd. >> > > > > > IIRC, you need just new libsss_nss_idmap-devel. >> > > > > I don't know actually, would be nice if author of the original >> > > > > patch can >> > > > > confirm if newer SSSD is required or not >> > > > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >> > > > 1.14.0' is needed for the build because the new call >> > > > sss_nss_getnamebycert() is needed to look up trusted users by >> > > > certificate. >> > > > >> > > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently >> > > > libsss_nss_idmap does not have a dependency to sssd. If only the >> > > > libsss_nss_idmap would be updated and not SSSD the >> > > > sss_nss_getnamebycert() would just return a not implemented error code >> > > > because the older versions of SSSD cannot handle the request. >> > > > >> > > > HTH >> > > > >> > > > bye, >> > > > Sumit >> > > Thank you for explanation, updated patch attached. >> > > >> > > Martin^2 >> > >> > Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 >> > You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ >> > >> > libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 >> > >> > Is it possible that you forgot to increment this version on SSSD side, or it >> > is my failure? >> >> ah sorry, since 1.14.0 is not release yet we use 1.13.9x to track the >> alpha and beta releases and still have incrementing version numbers. So, >> it might be better to use '>= 1.13.90' in the spec file instead of >> '1.14.0'. >+1, At this point '>= 1.13.90' should be safe. 
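Review bot: this hunk bumps the runtime `Requires: sssd` without the commit message saying why, and the reason is not obvious since the new symbol lives in libsss_nss_idmap: that library carries no dependency on the sssd daemon itself, so a host with the new library but an older sssd would get a not-implemented error from sss_nss_getnamebycert() at runtime instead of a certificate lookup. State that rationale in the commit message, and keep this version in step with the BuildRequires (1.13.90 if the pre-release numbering is used there).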
-1 I vote for official release. I cannot see a reason why this patch should be pushed immediately. 1.13.90 is just an sssd convention for alpha release and it can be confusing for others why there isn't a tarball for 1.13.90 LS From abokovoy at redhat.com Fri Jun 24 17:43:37 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Jun 2016 20:43:37 +0300 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624172834.GB4873@10.4.128.1> References: <3ae64255-7986-0a8d-7481-e6d86d87b3c9@redhat.com> <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> <20160624172834.GB4873@10.4.128.1> Message-ID: <20160624174337.alcw2u5mcxiablwt@redhat.com> On Fri, 24 Jun 2016, Lukas Slebodnik wrote: >On (24/06/16 20:00), Alexander Bokovoy wrote: >>On Fri, 24 Jun 2016, Sumit Bose wrote: >>> On Fri, Jun 24, 2016 at 05:53:27PM +0200, Martin Basti wrote: >>> > >>> > >>> > On 24.06.2016 15:09, Martin Basti wrote: >>> > > >>> > > >>> > > On 24.06.2016 14:59, Sumit Bose wrote: >>> > > > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: >>> > > > > >>> > > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: >>> > > > > > On (22/06/16 11:57), Martin Basti wrote: >>> > > > > > > On 09.06.2016 21:02, Martin Basti wrote: >>> > > > > > > > On 09.06.2016 14:45, Martin Basti wrote: >>> > > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: >>> > > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >>> > > > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: >>> > > > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >>> > > > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >>> > > > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >>> > > > > > > > > > > > > > > Hi, >>> > > > > > > > > > > > > > > >>> > > > > > > > > > > > > > > this patch allows the extdom plugin to look up >>> > > > > > > > > > > > > > 
> users by certificate which >>> > > > > > > > > > > > > > > is needed in the case where an IPA client >>> > > > > > > > > > > > > > > wants to look up an AD user who >>> > > > > > > > > > > > > > > has the certificate stored in AD. To make >>> > > > > > > > > > > > > > > this work the related patches >>> > > > > > > > > > > > > > > I just sent to sssd-devel are needed as well. >>> > > > > > > > > > > > > > > >>> > > > > > > > > > > > > > > Currently the patches miss the change in the >>> > > > > > > > > > > > > > > required version of SSSD, >>> > > > > > > > > > > > > > > since the SSSD patches are not committed. But >>> > > > > > > > > > > > > > > the patches are needed to >>> > > > > > > > > > > > > > > fully test the SSSD patches. I will send a >>> > > > > > > > > > > > > > > new version with the needed >>> > > > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are >>> > > > > > > > > > > > > > > committed. >>> > > > > > > > > > > > > > > >>> > > > > > > > > > > > > > > bye, >>> > > > > > > > > > > > > > > Sumit >>> > > > > > > > > > > > > > The patch works fine (tested >>> > > > > > > > > > > > > > together with the >>> > > > > > > > > > > > > > corresponding SSSD >>> > > > > > > > > > > > > > patches), so ACK from me. The code also looks >>> > > > > > > > > > > > > > good to me, but I'm not >>> > > > > > > > > > > > > > sure if reviewing an IPA patch requires something >>> > > > > > > > > > > > > > more (CI? Coverity?) >>> > > > > > > > > > > > > ACK from me as well, I forgot to send email about it, >>> > > > > > > > > > > > > though I reviewed >>> > > > > > > > > > > > > this patch a week ago. >>> > > > > > > > > > > > > >>> > > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >>> > > > > > > > > > > > >>> > > > > > > > > > > It's very likely that this commit will break the build of >>> > > > > > > > > > > freeipa-master. I didn't try. 
>>> > > > > > > > > > > >>> > > > > > > > > > > Because it uses the new function sss_nss_getnamebycert >>> > > > > > > > > > > from the library libsss_nss_idmap which is not in fedora. >>> > > > > > > > > > > It was pushed to sssd master just today. >>> > > > > > > > > > > >>> > > > > > > > > > > LS >>> > > > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with >>> > > > > > > > > > the required functionality please? We may need to add it to >>> > > > > > > > > > @freeipa/freeipa-master copr and bump the required version of SSSD. >>> > > > > > > > > > >>> > > > > > > > > > Martin^2 >>> > > > > > > > > > >>> > > > > > > > > Yes, you were right, master build is broken. >>> > > > > > > > > Martin^2 >>> > > > > > > > > >>> > > > > > > > SSSD master build has been added to >>> > > > > > > > @freeipa/freeipa-master copr as a >>> > > > > > > > workaround (to unblock automatic testing and developers) >>> > > > > > > > >>> > > > > > > > Please bump version in specfile accordingly (I don't know in which >>> > > > > > > > version of SSSD the required function will be) >>> > > > > > > > >>> > > > > > > > Martin^2 >>> > > > > > > > >>> > > > > > > Bumping SSSD version in requires and buildrequires >>> > > > > > > Patch attached >>> > > > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 >>> > > > > > 00:00:00 2001 >>> > > > > > > From: Martin Basti >>> > > > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 >>> > > > > > > Subject: [PATCH] Bump SSSD requires >>> > > > > > > >>> > > > > > > https://fedorahosted.org/freeipa/ticket/4955 >>> > > > > > > --- >>> > > > > > > freeipa.spec.in | 4 ++-- >>> > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) >>> > > > > > > >>> > > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in >>> > > > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >>> > > > > > > 100644 >>> > > > > > > --- a/freeipa.spec.in >>> > > > > > > +++ b/freeipa.spec.in 
>>> > > > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >>> > > > > > > BuildRequires: python-qrcode-core >= 5.0.0 >>> > > > > > > BuildRequires: python-dns >= 1.11.1 >>> > > > > > > BuildRequires: libsss_idmap-devel >>> > > > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >>> > > > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >>> > > > > > > BuildRequires: java-headless >>> > > > > > > BuildRequires: rhino >>> > > > > > > BuildRequires: libverto-devel 
>>> > > > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 >>> > > > > > > Requires: curl >>> > > > > > > Requires: libcurl >= 7.21.7-2 >>> > > > > > > Requires: xmlrpc-c >= 1.27.4 >>> > > > > > > -Requires: sssd >= 1.13.3-5 >>> > > > > > > +Requires: sssd >= 1.14.0 >>> > > > > > NACK >>> > > > > Thank you. >>> > > > > > A) It's not explained in commit message why you need to bump >>> > > > > > Requires for sssd. >>> > > > > > IIRC, you need just new libsss_nss_idmap-devel. >>> > > > > I don't know actually, would be nice if author of the original >>> > > > > patch can >>> > > > > confirm if newer SSSD is required or not >>> > > > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >>> > > > 1.14.0' is needed for the build because the new call >>> > > > sss_nss_getnamebycert() is needed to look up trusted users by >>> > > > certificate. >>> > > > >>> > > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently >>> > > > libsss_nss_idmap does not have a dependency to sssd. If only the >>> > > > libsss_nss_idmap would be updated and not SSSD the >>> > > > sss_nss_getnamebycert() would just return a not implemented error code >>> > > > because the older versions of SSSD cannot handle the request. >>> > > > >>> > > > HTH >>> > > > >>> > > > bye, >>> > > > Sumit >>> > > Thank you for explanation, updated patch attached. >>> > > >>> > > Martin^2 >>> > >>> > Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 >>> > You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ >>> > >>> > libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 >>> > >>> > Is it possible that you forgot to increment this version on SSSD side, or it >>> > is my failure? >>> >>> ah sorry, since 1.14.0 is not release yet we use 1.13.9x to track the >>> alpha and beta releases and still have incrementing version numbers. So, >>> it might be better to use '>= 1.13.90' in the spec file instead of >>> '1.14.0'. 
>>+1, At this point '>= 1.13.90' should be safe. >-1 >I vote for official release. >I cannot see a reason why this patch should be pushed immediately. >1.13.90 is just an sssd convention for alpha release and it can be confusing for >others why there isn't a tarball for 1.13.90 It would allow git master to be built against sssd git master without additional problems. It is consistency here that I'm after. -- / Alexander Bokovoy From lslebodn at redhat.com Fri Jun 24 17:55:22 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 24 Jun 2016 19:55:22 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624174337.alcw2u5mcxiablwt@redhat.com> References: <86ae3b1a-a90c-7fac-abf7-afa219b699a4@redhat.com> <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> <20160624172834.GB4873@10.4.128.1> <20160624174337.alcw2u5mcxiablwt@redhat.com> Message-ID: <20160624175521.GC4873@10.4.128.1> On (24/06/16 20:43), Alexander Bokovoy wrote: >On Fri, 24 Jun 2016, Lukas Slebodnik wrote: >> On (24/06/16 20:00), Alexander Bokovoy wrote: >> > On Fri, 24 Jun 2016, Sumit Bose wrote: >> > > On Fri, Jun 24, 2016 at 05:53:27PM +0200, Martin Basti wrote: >> > > > >> > > > >> > > > On 24.06.2016 15:09, Martin Basti wrote: >> > > > > >> > > > > >> > > > > On 24.06.2016 14:59, Sumit Bose wrote: >> > > > > > On Fri, Jun 24, 2016 at 02:00:24PM +0200, Martin Basti wrote: >> > > > > > > >> > > > > > > On 22.06.2016 23:20, Lukas Slebodnik wrote: >> > > > > > > > On (22/06/16 11:57), Martin Basti wrote: >> > > > > > > > > On 09.06.2016 21:02, Martin Basti wrote: >> > > > > > > > > > On 09.06.2016 14:45, Martin Basti wrote: >> > > > > > > > > > > On 09.06.2016 14:42, Martin Basti wrote: >> > > > > > > > > > > > On 09.06.2016 14:38, Lukas Slebodnik wrote: >> > > > > > > > > > > > > On (09/06/16 14:29), Martin Basti wrote: >> > > > > > > > > > > > > > On 09.06.2016 14:22, Alexander Bokovoy wrote: >> > > > > > > > > > > > > > > On Thu, 09 Jun 2016, Jakub Hrozek wrote: >> > > > > > > > > > > > > > > > On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: >> > > > > > > > > > > > > > > > > Hi, >> > > > > > > > > > > > > > > > > 
>> > > > > > > > > > > > > > > > > this patch allows the extdom plugin to look up >> > > > > > > > > > > > > > > > > users by certificate which >> > > > > > > > > > > > > > > > > is needed in the case where an IPA client >> > > > > > > > > > > > > > > > > wants to look up an AD user who >> > > > > > > > > > > > > > > > > has the certificate stored in AD. To make >> > > > > > > > > > > > > > > > > this work the related patches >> > > > > > > > > > > > > > > > > I just sent to sssd-devel are needed as well. >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > Currently the patches miss the change in the >> > > > > > > > > > > > > > > > > required version of SSSD, >> > > > > > > > > > > > > > > > > since the SSSD patches are not committed. But >> > > > > > > > > > > > > > > > > the patches are needed to >> > > > > > > > > > > > > > > > > fully test the SSSD patches. I will send a >> > > > > > > > > > > > > > > > > new version with the needed >> > > > > > > > > > > > > > > > > changes to the minimal SSSD version when the SSSD patches are >> > > > > > > > > > > > > > > > > committed. >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > bye, >> > > > > > > > > > > > > > > > > Sumit >> > > > > > > > > > > > > > > > The patch works fine (tested >> > > > > > > > > > > > > > > > together with the >> > > > > > > > > > > > > > > > corresponding SSSD >> > > > > > > > > > > > > > > > patches), so ACK from me. The code also looks >> > > > > > > > > > > > > > > > good to me, but I'm not >> > > > > > > > > > > > > > > > sure if reviewing an IPA patch requires something >> > > > > > > > > > > > > > > > more (CI? Coverity?) >> > > > > > > > > > > > > > > ACK from me as well, I forgot to send email about it, >> > > > > > > > > > > > > > > though I reviewed >> > > > > > > > > > > > > > > this patch a week ago. 
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Pushed to master: aa734da49440c5d12c0f8d4566505adaeef254e8 >> > > > > > > > > > > > > > >> > > > > > > > > > > > > It's very likely that this commit will break the build of >> > > > > > > > > > > > > freeipa-master. I didn't try. >> > > > > > > > > > > > > >> > > > > > > > > > > > > Because it uses the new function sss_nss_getnamebycert >> > > > > > > > > > > > > from the library libsss_nss_idmap which is not in fedora. >> > > > > > > > > > > > > It was pushed to sssd master just today. >> > > > > > > > > > > > > >> > > > > > > > > > > > > LS >> > > > > > > > > > > > If this is true, can you/somebody provide the SRPM of SSSD with >> > > > > > > > > > > > the required functionality please? We may need to add it to >> > > > > > > > > > > > @freeipa/freeipa-master copr and bump the required version of SSSD. >> > > > > > > > > > > > >> > > > > > > > > > > > Martin^2 >> > > > > > > > > > > > >> > > > > > > > > > > Yes, you were right, master build is broken. >> > > > > > > > > > > Martin^2 >> > > > > > > > > > > >> > > > > > > > > > SSSD master build has been added to >> > > > > > > > > > @freeipa/freeipa-master copr as a >> > > > > > > > > > workaround (to unblock automatic testing and developers) >> > > > > > > > > > >> > > > > > > > > > Please bump version in specfile accordingly (I don't know in which >> > > > > > > > > > version of SSSD the required function will be) >> > > > > > > > > > >> > > > > > > > > > Martin^2 >> > > > > > > > > > >> > > > > > > > > Bumping SSSD version in requires and buildrequires >> > > > > > > > > Patch attached >> > > > > > > > >From f2b394085157954768bc93a73b854778c65bfdcd Mon Sep 17 >> > > > > > > > 00:00:00 2001 
>> > > > > > > > > From: Martin Basti >> > > > > > > > > Date: Wed, 22 Jun 2016 10:49:39 +0200 >> > > > > > > > > Subject: [PATCH] Bump SSSD requires >> > > > > > > > > >> > > > > > > > > https://fedorahosted.org/freeipa/ticket/4955 >> > > > > > > > > --- >> > > > > > > > > freeipa.spec.in | 4 ++-- >> > > > > > > > > 1 file changed, 2 insertions(+), 2 deletions(-) >> > > > > > > > > >> > > > > > > > > diff --git a/freeipa.spec.in b/freeipa.spec.in >> > > > > > > > > index 0d5c745d5306cd7141c573454bd1c1e6a78c7e7f..befc7af9ee2ceefa41b1b999df4bdb1c6607bea8 >> > > > > > > > > 100644 >> > > > > > > > > --- a/freeipa.spec.in >> > > > > > > > > +++ b/freeipa.spec.in >> > > > > > > > > @@ -85,7 +85,7 @@ BuildRequires: python-pyasn1 >= 0.0.9a >> > > > > > > > > BuildRequires: python-qrcode-core >= 5.0.0 >> > > > > > > > > BuildRequires: python-dns >= 1.11.1 >> > > > > > > > > BuildRequires: libsss_idmap-devel >> > > > > > > > > -BuildRequires: libsss_nss_idmap-devel >= 1.12.2 >> > > > > > > > > +BuildRequires: libsss_nss_idmap-devel >= 1.14.0 >> > > > > > > > > BuildRequires: java-headless >> > > > > > > > > BuildRequires: rhino >> > > > > > > > > BuildRequires: libverto-devel 
>> > > > > > > > > @@ -327,7 +327,7 @@ Requires: pam_krb5 >> > > > > > > > > Requires: curl >> > > > > > > > > Requires: libcurl >= 7.21.7-2 >> > > > > > > > > Requires: xmlrpc-c >= 1.27.4 >> > > > > > > > > -Requires: sssd >= 1.13.3-5 >> > > > > > > > > +Requires: sssd >= 1.14.0 >> > > > > > > > NACK >> > > > > > > Thank you. >> > > > > > > > A) It's not explained in commit message why you need to bump >> > > > > > > > Requires for sssd. >> > > > > > > > IIRC, you need just new libsss_nss_idmap-devel. >> > > > > > > I don't know actually, would be nice if author of the original >> > > > > > > patch can >> > > > > > > confirm if newer SSSD is required or not >> > > > > > Currently both are required. 'BuildRequires: libsss_nss_idmap-devel >= >> > > > > > 1.14.0' is needed for the build because the new call >> > > > > > sss_nss_getnamebycert() is needed to look up trusted users by >> > > > > > certificate. >> > > > > > >> > > > > > At runtime 'Requires: sssd >= 1.14.0' is needed because currently >> > > > > > libsss_nss_idmap does not have a dependency to sssd. If only the >> > > > > > libsss_nss_idmap would be updated and not SSSD the >> > > > > > sss_nss_getnamebycert() would just return a not implemented error code >> > > > > > because the older versions of SSSD cannot handle the request. >> > > > > > >> > > > > > HTH >> > > > > > >> > > > > > bye, >> > > > > > Sumit >> > > > > Thank you for explanation, updated patch attached. >> > > > > >> > > > > Martin^2 >> > > > >> > > > Requested 'sss_nss_idmap >= 1.14.0' but version of sss_nss_idmap is 1.13.90 >> > > > You may find new versions of sss_nss_idmap at http://fedorahosted.org/sssd/ >> > > > >> > > > libsss_nss_idmap-devel-1.14.0-1.fc24.alpha.x86_64 >> > > > >> > > > Is it possible that you forgot to increment this version on SSSD side, or it >> > > > is my failure? 
>> > > >> > > ah sorry, since 1.14.0 is not released yet we use 1.13.9x to track the >> > > alpha and beta releases and still have incrementing version numbers. So, >> > > it might be better to use '>= 1.13.90' in the spec file instead of >> > > '1.14.0'. >> > +1, At this point '>= 1.13.90' should be safe. >> -1 >> I vote for official release. >> I cannot see a reason why this patch should be pushed immediately. >> 1.13.90 is just an sssd convention for alpha release and it can be confusing for >> others why there isn't a tarball for 1.13.90 >It would allow git master to be built against sssd git master without >additional problems. It is consistency here that I'm after. > It allows it even now and without this patch. I'm sorry, I miss the logic here. LS From abokovoy at redhat.com Fri Jun 24 18:09:08 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Fri, 24 Jun 2016 21:09:08 +0300 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624175521.GC4873@10.4.128.1> References: <20160622212039.GA5410@10.4.128.1> <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> <20160624172834.GB4873@10.4.128.1> <20160624174337.alcw2u5mcxiablwt@redhat.com> <20160624175521.GC4873@10.4.128.1> Message-ID: <20160624180908.xojks7cmx4htyz6z@redhat.com> On Fri, 24 Jun 2016, Lukas Slebodnik wrote: >>> > > ah sorry, since 1.14.0 is not released yet we use 1.13.9x to track the >>> > > alpha and beta releases and still have incrementing version numbers. So, >>> > > it might be better to use '>= 1.13.90' in the spec file instead of >>> > > '1.14.0'. >>> > +1, At this point '>= 1.13.90' should be safe. >>> -1 >>> I vote for official release. >>> I cannot see a reason why this patch should be pushed immediately. >>> 1.13.90 is just an sssd convention for alpha release and it can be confusing for >>> others why there isn't a tarball for 1.13.90 >>It would allow git master to be built against sssd git master without >>additional problems. It is consistency here that I'm after. >> >It allows it even now and without this patch. >I'm sorry, I miss the logic here. No, it does not prevent you from running with the code that does not have the needed support. 1.13.4 has no extdom certificate request support so you would need to make sure you are actually installing the correct SSSD packages manually, while changing the version to 1.13.90 would make clear we demand a specific functionality. 
It is a very small thing, of course, but helpful to those who have to deal with rebases/updates of their distribution packages and have not been following the freeipa-devel@ list in detail. At the very least the inability to find 1.13.90 in a regular place would cause questions to be asked. Of course, 1.14.0 as a requirement wouldn't necessarily be worse either, but keeping it at 1.13.90 would make freeipa work with packages from sssd git without any other changes. -- / Alexander Bokovoy From lslebodn at redhat.com Fri Jun 24 18:41:01 2016 
From: lslebodn at redhat.com (Lukas Slebodnik) Date: Fri, 24 Jun 2016 20:41:01 +0200 Subject: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request In-Reply-To: <20160624180908.xojks7cmx4htyz6z@redhat.com> References: <2912b62b-c68c-9800-b6b1-441c71ad89e9@redhat.com> <20160624125955.GF14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <3e3a6cae-594e-5c0f-8777-42e8fcf17dee@redhat.com> <09c4491d-b5cc-be69-81d0-9b54e0248470@redhat.com> <20160624163109.GB3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <20160624170025.wu5zt7s3yl2nwn5l@redhat.com> <20160624172834.GB4873@10.4.128.1> <20160624174337.alcw2u5mcxiablwt@redhat.com> <20160624175521.GC4873@10.4.128.1> <20160624180908.xojks7cmx4htyz6z@redhat.com> Message-ID: <20160624184101.GD4873@10.4.128.1> On (24/06/16 21:09), Alexander Bokovoy wrote: >On Fri, 24 Jun 2016, Lukas Slebodnik wrote: >> > > > > ah sorry, since 1.14.0 is not released yet we use 1.13.9x to track the >> > > > > alpha and beta releases and still have incrementing version numbers. So, >> > > > > it might be better to use '>= 1.13.90' in the spec file instead of >> > > > > '1.14.0'. >> > > > +1, At this point '>= 1.13.90' should be safe. >> > > -1 >> > > I vote for official release. >> > > I cannot see a reason why this patch should be pushed immediately. >> > > 1.13.90 is just an sssd convention for alpha release and it can be confusing for >> > > others why there isn't a tarball for 1.13.90 >> > It would allow git master to be built against sssd git master without >> > additional problems. It is consistency here that I'm after. >> > >> It allows it even now and without this patch. >> I'm sorry, I miss the logic here. >No, That's not true. You wrote: "It would allow git master to be built" against sssd git master" ^^^^^^^^^^^^^^ One more time. This patch will not change that because you can build freeipa git master against "sssd git master" even now. It's not my problem that freeipa requires git master of another project. 
But it does not mean that you need to officially require some weird version "1.13.90". It is really confusing. >it does not prevent you from running with the code that does not >have the needed support. 1.13.4 has no extdom certificate request support >so you would need to make sure you are actually installing the correct >SSSD packages manually while changing the version to 1.13.90 would make >clear we demand a specific functionality. Building freeipa and installing are two different things. If you need to install freeipa git master then you need to use an extra copr anyway because: A) you cannot install freeipa master in rawhide because there isn't pki-core-10.3.3-1.fc25 b) you cannot install freeipa master on fedora 24 due to lots of missing dependencies (including libsss_nss_idmap-1.14.0) If one would like to install freeipa git master rpms without copr then he/she will not be able to do it on fedora 24 without the new libsss_nss_idmap because dnf will not be able to find the dependency "libsss_nss_idmap.so.0(SSS_NSS_IDMAP_0.2.0)(64bit)" >It is a very small thing, of >course, but helpful to those who have to deal with rebases/updates of >their distribution packages and have not been following freeipa-devel@ >list in detail. At the very least the inability to find 1.13.90 in a >regular place would cause questions to be asked. > It's helpful but confusing. That's the reason why we should avoid using 1.13.90. I doubt that anyone will try to use an alpha version of sssd or freeipa on other distributions (debian, ubuntu), especially if they do not work reliably on fedora. So there's no reason for a rush. LS From ftweedal at redhat.com Mon Jun 27 00:57:34 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 27 Jun 2016 10:57:34 +1000 Subject: [Freeipa-devel] [patch 0038-0040] Sub CA test patches In-Reply-To: <0e08d68d-cc4e-3f8c-de7f-be8d21ee91f7@redhat.com> References: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com> <20160624014203.GO4200@dhcp-40-8.bne.redhat.com> <0e08d68d-cc4e-3f8c-de7f-be8d21ee91f7@redhat.com> Message-ID: <20160627005734.GR4200@dhcp-40-8.bne.redhat.com> On Fri, Jun 24, 2016 at 12:08:24PM +0200, Milan Kubík wrote: > On 06/24/2016 03:42 AM, Fraser Tweedale wrote: > > On Tue, Jun 21, 2016 at 05:01:35PM +0200, Milan Kubík wrote: > > > Hi Fraser and list, > > > > > > I have made changes to the test plan on the wiki [1] according to the > > > information in the "[Testplan review] Sub CAs" thread. > > > > > > I also implemented the tests in the test plan: > > > > > > patch 0038 - CATracker and CA CRUD test > > > patch 0039 - extension to CA ACL test > > > patch 0040 - functional test with ACLs and certificate profile, reusing my > > > previous S/MIME based tests. This patch also tests for the cert-request > > > behavior when profile ID or CA cn are omitted. > > > > > > The tests ATM do not verify the Issuer name in the certificate itself, just > > > from the ipa entry of the certificate. > > > > > The approach you are using:: > > > > assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn > > > > is not quite as you describe (these are virtual attributes, not > > attributes of an actual entry); but the approach is valid. > The issue then is in the wording? The other approach I could have used here > is to retrieve the two certificates and compare the fields manually. > Are these virtual attributes created from the certificate itself? > That's correct. > > > > > Fraser, could you please verify my reasoning behind the test cases for > > > cert-request in the patch 40? > > > > > The tests look OK. 
With the default CA / default profiles, is there > > appropriate isolation between test cases to ensure that if, e.g. > > some other test case adds/modifies CA ACLs such that these > > expected-to-fail tests now pass, that this does not affect the > > TestCertSignMIMEwithSubCA test case? > > > > Thanks, > > Fraser > > The ACL, SMIME CA and S/MIME profile lifetime is constrained by the class > scope > enforced by pytest. > The two test cases depend on the fact documented in the designs and that is > what > cert-request falls back to when CA or profile ID are not provided. > Unless something changes the caIPAserviceCert profile or the affiliated ACL, > the test cases > are safe. > If you have thought about possible interference from other tests, I am happy. Note another problematic scenario: what if a different (preceding) test adds a CA ACL that would allow the requests that you expect to fail? Just something to think about :) Thanks, Fraser > I will try to think more about corner cases here. > > > [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan > > > > > > Cheers > > > > > > -- > > > Milan Kubik > > > > Attaching rebased patches and removing the expected fail from one of the > tests as ticket 5981 has a fix posted. > > -- > Milan Kubik > From mbabinsk at redhat.com Mon Jun 27 05:56:51 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 07:56:51 +0200 Subject: [Freeipa-devel] [PATCH 0165] IPA API: Do not force setting krbCanonicalName on newly created entries In-Reply-To: References: Message-ID: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> On 06/24/2016 04:07 PM, Martin Babinsky wrote: > This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and > 06d945a04607dc36e25af78688b4295420489fb9 responsible for > https://fedorahosted.org/freeipa/ticket/5996 > > This should unblock replica promotion. > > > self-NACK, disregard this patch, it should not be necessary to revert the whole commit -- Martin^3 Babinsky From mbasti at redhat.com Mon Jun 27 06:34:11 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 08:34:11 +0200 Subject: [Freeipa-devel] DNS Locations: fix an issue found by coverity Message-ID: Shame, shame, shame on me. I forgot how to python when I was writing that originally. Patch attached. https://fedorahosted.org/freeipa/ticket/2008 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0543-DNS-Locations-server-mod-fix-if-statement.patch Type: text/x-patch Size: 1135 bytes Desc: not available URL: From ftweedal at redhat.com Mon Jun 27 06:34:55 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 27 Jun 2016 16:34:55 +1000 Subject: [Freeipa-devel] [PATCH] 0078 Fix IssuerDN presence check in cert search result Message-ID: <20160627063455.GS4200@dhcp-40-8.bne.redhat.com> Attached patch fixes a problem with the check for IssuerDN in Dogtag cert search results (found by Coverity; thanks to mbasti for bringing it to my attention). Cheers, Fraser -------------- next part -------------- From 6865c3fd0a2be19f247b0dabafc3688587af1b97 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Mon, 27 Jun 2016 16:26:24 +1000 Subject: [PATCH] Fix IssuerDN presence check in cert search result When checking for presence of IssuerDN in certificate search result, we mistakenly check for the presence of the SubjectDN field, then unsafely index into the IssuerDN field. Check the presence of IssuerDN correctly. Part of: https://fedorahosted.org/freeipa/ticket/4559 --- ipaserver/plugins/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 919ecfeaca6c3ca41040152157e5d275f230704a..aef1e888eb1b6c273c1fd12cbf4912407f8f8132 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1903,7 +1903,7 @@ class ra(rabase.rabase): response_request['subject'] = unicode(dn[0].text) issuer_dn = cert.xpath('IssuerDN') - if len(dn) == 1: + if len(issuer_dn) == 1: response_request['issuer'] = unicode(issuer_dn[0].text) status = cert.xpath('Status') -- 2.5.5 From mbasti at redhat.com Mon Jun 27 06:36:12 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 08:36:12 +0200 Subject: [Freeipa-devel] [PATCH 0544] ipa-rmkeytab, ipa-join: dont fail if gettext cannot be initialized Message-ID: https://fedorahosted.org/freeipa/ticket/5973 Patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0544-ipa-rmkeytab-ipa-join-don-t-fail-if-init-of-gettext-.patch Type: text/x-patch Size: 1475 bytes Desc: not available URL: From frenaud at redhat.com Mon Jun 27 06:38:36 2016 
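Review bot: the one-line fix is right, but the pattern that produced the bug (an xpath() lookup, a `len(x) == 1` guard, then an `x[0].text` index) appears three times in this hunk alone, for SubjectDN, IssuerDN and `status = cert.xpath('Status')`, which is exactly how a guard on `dn` ended up in front of an index into `issuer_dn`; consider folding it into a small helper that takes the element name and returns the text or None, and add a test whose search result carries no IssuerDN element so the IndexError cannot come back unnoticed.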
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Mon, 27 Jun 2016 08:38:36 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode Message-ID: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> Hi, this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client installation in a FIPS-140 mode It prevents installation of FreeIPA if the host is fips-enabled. https://fedorahosted.org/freeipa/ticket/5761 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch Type: text/x-patch Size: 3411 bytes Desc: not available URL: From pspacek at redhat.com Mon Jun 27 07:16:12 2016 From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 09:16:12 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> Message-ID: <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> On 27.6.2016 08:38, Florence Blanc-Renaud wrote: > Hi, > > this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client > installation in a FIPS-140 mode > It prevents installation of FreeIPA if the host is fips-enabled. > > https://fedorahosted.org/freeipa/ticket/5761 > > freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch > > >>From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 > From: Florence Blanc-Renaud > Date: Fri, 24 Jun 2016 16:16:22 +0200 > Subject: [PATCH] Do not allow installation in FIPS mode > > https://fedorahosted.org/freeipa/ticket/5761 > --- > client/ipa-client-install | 4 ++++ > install/tools/ipactl | 6 ++++++ > ipaserver/install/server/install.py | 5 +++++ > ipaserver/install/server/replicainstall.py | 5 +++++ > 4 files changed, 20 insertions(+) 
> > diff --git a/client/ipa-client-install b/client/ipa-client-install > index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755 > --- a/client/ipa-client-install > +++ b/client/ipa-client-install > @@ -3064,6 +3064,10 @@ def main(): > > if not os.getegid() == 0: > sys.exit("\nYou must be root to run ipa-client-install.\n") > + if os.path.exists('/proc/sys/crypto/fips_enabled'): > + with open('/proc/sys/crypto/fips_enabled', 'r') as f: Usually it is safer to call open() and catch the exception if the file does not exist. The code above has an inherent problem with race conditions between time of check (path.exists) and time of use (open). Of course it is not a problem here because this file is part of the kernel's interface but in general please use the try: open() except: form. > + if f.read().strip() != '0': > + sys.exit("Cannot install IPA client in FIPS mode") Personally I would like to see more informative messages. I would recommend something like " is not supported in FIPS mode". In my eyes it is the difference between "How do I ...? You don't!" vs "How do I ...? Sorry, we do not support that right now." Sorry for nitpicking! :-) Petr^2 Spacek > tasks.check_selinux_status() > logging_setup(options) > root_logger.debug( > diff --git a/install/tools/ipactl b/install/tools/ipactl > index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755 > --- a/install/tools/ipactl > +++ b/install/tools/ipactl
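Review bot: the new FIPS check in ipa-client-install sits before `logging_setup(options)` and `tasks.check_selinux_status()` in this hunk, so the refusal goes to stderr only and is never written to the client install log, which is where the next person asking why the install stopped will look; moving the block to just after `logging_setup(options)` keeps the root check first and gets the message logged. The try/open/except form suggested above also lets the except branch state explicitly that a missing `/proc/sys/crypto/fips_enabled` means "not FIPS", instead of leaving that decision implicit in `os.path.exists()`.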
> @@ -545,6 +545,12 @@ def main(): > elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": > raise IpactlError("Unrecognized action [" + args[0] + "]", 2) > > + if (args[0] in ('start', 'restart') and > + os.path.exists('/proc/sys/crypto/fips_enabled')): > + with open('/proc/sys/crypto/fips_enabled', 'r') as f: > + if f.read().strip() != '0': > + raise IpactlError("Cannot start IPA server in FIPS mode") > + > # check if IPA is configured at all > try: > check_IPA_configuration() > diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py > index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644 > --- a/ipaserver/install/server/install.py > +++ b/ipaserver/install/server/install.py > @@ -319,6 +319,11 @@ def install_check(installer): > external_ca_file = installer._external_ca_file > http_ca_cert = installer._ca_cert > > + if os.path.exists('/proc/sys/crypto/fips_enabled'): > + with open('/proc/sys/crypto/fips_enabled', 'r') as f: > + if f.read().strip() != '0': > + sys.exit("Cannot install IPA server in FIPS mode") > + > tasks.check_selinux_status() > > if options.master_password: > diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py > index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644 > --- a/ipaserver/install/server/replicainstall.py > +++ b/ipaserver/install/server/replicainstall.py > @@ -485,6 +485,11 @@ def install_check(installer): > options = installer > filename = installer.replica_file > > + if os.path.exists('/proc/sys/crypto/fips_enabled'): > + with open('/proc/sys/crypto/fips_enabled', 'r') as f: > + if f.read().strip() != '0': > + sys.exit("Cannot install IPA server in FIPS mode") > + > tasks.check_selinux_status() > > if is_ipa_configured(): > -- 2.7.4 From pspacek at redhat.com Mon Jun 27 07:31:59 2016 
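Review bot: in the ipactl hunk, `raise IpactlError("Cannot start IPA server in FIPS mode")` drops the exit-code argument that the neighbouring `raise IpactlError("Unrecognized action [" + args[0] + "]", 2)` passes, so the FIPS refusal exits with whatever the default is and cannot be told apart from any other failure by scripts wrapping ipactl; pass an explicit, documented status here. Limiting the check to `('start', 'restart')` is right, since an operator must still be able to `stop` or `status` a server that was started before the flag was set.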
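Review bot: the install.py hunk is the third verbatim copy of the read-and-compare block on `/proc/sys/crypto/fips_enabled` in this patch (ipa-client-install, ipactl and replicainstall.py carry the same five lines), each spelling out the path and the `!= '0'` comparison; a single helper next to `tasks.check_selinux_status()`, which this hunk already calls, would keep the logic (and the open()/except form, once adopted) in one place and let a platform that exposes the flag differently override it once.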
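Review bot: in the replicainstall.py hunk the message `"Cannot install IPA server in FIPS mode"` is the server installer's wording reused unchanged, although this `install_check(installer)` reads `installer.replica_file`; say "replica" here so the operator knows which installer refused, in line with the more informative wording requested above. Exiting with `sys.exit()` from inside `install_check()` also differs from the `IpactlError` raised in the ipactl hunk; whichever form is kept, the four call sites should agree.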
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 09:31:59 +0200 Subject: [Freeipa-devel] [PATCH 0542] ipa-getkeytab: increase LDAP timeout In-Reply-To: References: Message-ID: <927fcde3-e266-5bf6-80a4-e84d364c6c80@redhat.com> On 23.6.2016 17:28, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5842 > > > Patch attached. I do not have a reproducer, but it seems reasonable. ACK. -- Petr^2 Spacek From mbasti at redhat.com Mon Jun 27 07:34:04 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 09:34:04 +0200 Subject: [Freeipa-devel] [PATCH 0542] ipa-getkeytab: increase LDAP timeout In-Reply-To: <927fcde3-e266-5bf6-80a4-e84d364c6c80@redhat.com> References: <927fcde3-e266-5bf6-80a4-e84d364c6c80@redhat.com> Message-ID: <25279b09-d4fa-0e8b-5804-90aa6eadbb1b@redhat.com> On 27.06.2016 09:31, Petr Spacek wrote: > On 23.6.2016 17:28, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5842 >> >> >> Patch attached. > I do not have a reproducer, but it seems reasonable. ACK. > Pushed to master: deb99c11d4c0f7c5f68ed36b183f69281b2222f6 From mbabinsk at redhat.com Mon Jun 27 07:39:04 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 09:39:04 +0200 Subject: [Freeipa-devel] [PATCH 0165] keep setting ipakrbprincipal objectclass on new service entries In-Reply-To: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> References: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> Message-ID: <5086867c-d626-f882-1dfc-d71c705dae0c@redhat.com> On 06/27/2016 07:56 AM, Martin Babinsky wrote: > On 06/24/2016 04:07 PM, Martin Babinsky wrote: >> This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and >> 06d945a04607dc36e25af78688b4295420489fb9 responsible for >> https://fedorahosted.org/freeipa/ticket/5996 >> >> This should unblock replica promotion. >> >> >> > self-NACK, disregard this patch, it should not be necessary to revert > the whole commit > This version only reverts the change that actually breaks stuff. https://fedorahosted.org/freeipa/ticket/5996 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0165-2-keep-setting-ipakrbprincipal-objectclass-on-new-serv.patch Type: text/x-patch Size: 3271 bytes Desc: not available URL: From ldoudova at redhat.com Mon Jun 27 07:42:25 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Mon, 27 Jun 2016 09:42:25 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone Message-ID: Hi! With the newly created AD machines in the Brno lab, the existing trust tests fail on the 'ipa dnsforwardzone-add' command, claiming the zone is already present, as the new AD domain is dom-221.idm.lab.eng.brq.redhat.com. To prevent these failures I prepared the attached patch, which will still attempt to add the forward zone, but in case of a non-zero return code will check whether the message says that the forward zone is already configured, and lets the tests continue if it is so. Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0022-Tests-Prevent-trust-test-failures-caused-by-adding-d.patch Type: text/x-patch Size: 1781 bytes Desc: not available URL: From mbabinsk at redhat.com Mon Jun 27 07:46:22 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 09:46:22 +0200 Subject: [Freeipa-devel] [PATCH 0166] test-{service, host}-plugin: only expect krbcanonicalname when all=True Message-ID: <3ca56eae-5a4c-4cb9-cd86-73f37ee9e1d4@redhat.com> https://fedorahosted.org/freeipa/ticket/3864 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0166-test-service-host-plugin-only-expect-krbcanonicalnam.patch Type: text/x-patch Size: 3266 bytes Desc: not available URL: From pvoborni at redhat.com Mon Jun 27 08:04:03 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 27 Jun 2016 10:04:03 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: References: Message-ID: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> On 06/27/2016 09:42 AM, Lenka Doudova wrote: > Hi! > > With newly created AD machines in Brno lab, existing trust tests fail on > 'ipa dnsforwardzone-add' command claiming the zone is already present, > as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. > > To prevent these failures I prepared attached patch, that will still > attempt to add the forward zone, but in case of non-zero return code > will check the message if it says that the forward zone is already > configured, and lets the tests continue, if it is so. > > > Lenka > Current approach expects that every error of ipa dnsforward-add here will mean that the zone exists. So it might hide other issues - not very good. On the other hand it is not very robust to parse error message. Question for general audience: What do you think if IPA client's exit status would be the IPA error code instead of "1" for every error. E.g. in DuplicateEntry case it's 4002. Btw, this is not a NACK. -- Petr Vobornik From ofayans at redhat.com Mon Jun 27 08:06:23 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 27 Jun 2016 10:06:23 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides In-Reply-To: <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <575981D9.2040305@redhat.com> <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <5770DE7F.4060104@redhat.com> Hi Sumit, I've updated the testplan. (Thank you for the link to Fraser's blogpost, it was really very useful!). All the operations described were performed manually and succeeded. Could you please review it again in case I forgot something? On 06/09/2016 05:06 PM, Sumit Bose wrote: > On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote: >> Hi guys, >> >> Here is the first somewhat skeletal and pretty short version of the >> testplan. Could anyone please review it? >> >> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan > > Hi Oleg, > > 'Make sure the id view is applied to ipa master host' the IPA > masters/servers will always and only have the 'Default Trust View'. But > it is ok to use the 'Default Trust View' for testing the certificates in > the ID override. > > The 'openssl req ...' call will only generate a certificate request and > not the certificate itself. The request must still be signed by e.g. the > IPA CA. Please see the blog posts of Fraser > (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/) > and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details. > > Since you want to test certificates in overrides you should use > idoverrideuser-add-cert and idoverrideuser-remove-cert instead of > user-add-cert and user-remove-cert. > > bye, > Sumit > >> -- >> Oleg Fayans >> Quality Engineer >> FreeIPA team >> RedHat.
>> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ldoudova at redhat.com Mon Jun 27 08:10:55 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Mon, 27 Jun 2016 10:10:55 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> Message-ID: <61d2ee7a-57be-04a4-ff3e-d2c3a10727d2@redhat.com> On 06/27/2016 10:04 AM, Petr Vobornik wrote: > On 06/27/2016 09:42 AM, Lenka Doudova wrote: >> Hi! >> >> With newly created AD machines in Brno lab, existing trust tests fail on >> 'ipa dnsforwardzone-add' command claiming the zone is already present, >> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >> >> To prevent these failures I prepared attached patch, that will still >> attempt to add the forward zone, but in case of non-zero return code >> will check the message if it says that the forward zone is already >> configured, and lets the tests continue, if it is so. >> >> >> Lenka >> > > Current approach expects that every error of ipa dnsforward-add here > will mean that the zone exists. So it might hide other issues - not very > good. If I understand your comment correctly, you think that the patch would pass ANY dnsforwardzone-add error as being OK and continue, right? That's not the intended behaviour - I have an assertion there that checks that it's really the 'correct' error: assert "already exists in DNS" in result.stderr_text So any other error should still prevent continuing in the tests. > > On the other hand it is not very robust to parse error message. > > Question for general audience: What do you think if IPA client's exit > status would be the IPA error code instead of "1" for every error. E.g. > in DuplicateEntry case it's 4002. Personally I think it would be nice to have the DuplicateEntry error rather than just "1" in this case. Even for testing purposes I believe it would be better than a bunch of asserts. > > Btw, this is not a NACK.
From mbabinsk at redhat.com Mon Jun 27 08:18:24 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 10:18:24 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> Message-ID: <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> On 06/27/2016 10:04 AM, Petr Vobornik wrote: > On 06/27/2016 09:42 AM, Lenka Doudova wrote: >> Hi! >> >> With newly created AD machines in Brno lab, existing trust tests fail on >> 'ipa dnsforwardzone-add' command claiming the zone is already present, >> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >> >> To prevent these failures I prepared attached patch, that will still >> attempt to add the forward zone, but in case of non-zero return code >> will check the message if it says that the forward zone is already >> configured, and lets the tests continue, if it is so. >> >> >> Lenka >> > > > Current approach expects that every error of ipa dnsforward-add here > will mean that the zone exists. So it might hide other issues - not very > good. > > On the other hand it is not very robust to parse error message. > > Question for general audience: What do you think if IPA client's exit > status would be the IPA error code instead of "1" for every error. E.g. > in DuplicateEntry case it's 4002. > > Btw, this is not a NACK. > Well AFAIK the exit status on POSIX systems is encoded into a single byte so you cannot have a return value greater than 255. We would have to devise some mapping between our XMLRPC status codes and subprocess return codes. Some of our exceptions have defined return values outside plain '1', e.g. NotFound has a return value of 2. It would be possible to extend this concept to other common errors. -- Martin^3 Babinsky From mbabinsk at redhat.com Mon Jun 27 08:21:44 2016
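The exit-status point made in this post, as an added illustration that is not FreeIPA code: it shows why a raw IPA error code cannot be used as the process exit status and sketches the explicit mapping Martin describes. Only DuplicateEntry = 4002 and "NotFound already returns 2" come from the thread; NOT_FOUND = 4001, the other error number and the mapped values are assumed or constructed placeholders.

```python
"""Added illustration for the exit-status discussion above; not FreeIPA code.

Only DuplicateEntry = 4002 and "NotFound already exits with 2" are taken from
the thread.  NOT_FOUND = 4001 and every other number below is an assumed or
constructed placeholder, not a real FreeIPA value.
"""
import subprocess
import sys

DUPLICATE_ENTRY = 4002   # from the thread
NOT_FOUND = 4001         # assumed placeholder for the NotFound error code
OTHER_ERROR = 4258       # constructed: collides with 4002 once truncated to 8 bits

GENERIC_FAILURE = 1      # what the client returns for every error today


def truncated_exit_status(code):
    """The status a parent process sees when a child calls exit(code).

    A POSIX wait status carries only the low 8 bits, so anything above 255
    wraps around and distinct IPA error codes can collide.
    """
    return code & 0xFF


def colliding_codes(codes):
    """Group IPA error codes that become indistinguishable after truncation."""
    by_status = {}
    for code in codes:
        by_status.setdefault(truncated_exit_status(code), []).append(code)
    return [group for group in by_status.values() if len(group) > 1]


# Explicit, small mapping from IPA error code to exit status, as Martin suggests.
# NOT_FOUND -> 2 is from the thread; the other value is a constructed choice.
EXIT_STATUS_BY_ERROR = {
    NOT_FOUND: 2,
    DUPLICATE_ENTRY: 3,
}


def exit_status_for(error_code):
    """Map an IPA error code to a stable exit status, falling back to the generic 1."""
    status = EXIT_STATUS_BY_ERROR.get(error_code, GENERIC_FAILURE)
    if not 0 <= status <= 255:
        raise ValueError("exit status must fit in one byte: %r" % status)
    return status


def observed_exit_status(code):
    """Empirical check: spawn a Python child that exits with `code` and report
    what the parent actually receives."""
    proc = subprocess.run([sys.executable, "-c", "import sys; sys.exit(%d)" % code])
    return proc.returncode


if __name__ == "__main__":
    for code in (DUPLICATE_ENTRY, OTHER_ERROR):
        print("sys.exit(%d) is observed as %d" % (code, observed_exit_status(code)))
    print("colliding:", colliding_codes([NOT_FOUND, DUPLICATE_ENTRY, OTHER_ERROR]))
    print("mapped:", [exit_status_for(c) for c in (NOT_FOUND, DUPLICATE_ENTRY, OTHER_ERROR)])
```

Running the module shows both 4002 and 4258 arriving at the shell as 162, which is why a mapping table rather than the raw code is needed.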
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 10:21:44 +0200 Subject: [Freeipa-devel] DNS Locations: fix an issue found by coverity In-Reply-To: References: Message-ID: <87b84e5a-4404-8f7a-547d-99188ec5afb7@redhat.com> On 06/27/2016 08:34 AM, Martin Basti wrote: > Shame, shame, shame on me. I forgot how to python when I was writing > that originally. > > > Patch attached. > > https://fedorahosted.org/freeipa/ticket/2008 > > > ACK. -- Martin^3 Babinsky From pvoborni at redhat.com Mon Jun 27 08:23:34 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Mon, 27 Jun 2016 10:23:34 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <61d2ee7a-57be-04a4-ff3e-d2c3a10727d2@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <61d2ee7a-57be-04a4-ff3e-d2c3a10727d2@redhat.com> Message-ID: <89591cad-382b-41f0-d4c0-e448056b8e74@redhat.com> On 06/27/2016 10:10 AM, Lenka Doudova wrote: > > > On 06/27/2016 10:04 AM, Petr Vobornik wrote: >> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>> Hi! >>> >>> With newly created AD machines in Brno lab, existing trust tests fail on >>> 'ipa dnsforwardzone-add' command claiming the zone is already present, >>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>> >>> To prevent these failures I prepared attached patch, that will still >>> attempt to add the forward zone, but in case of non-zero return code >>> will check the message if it says that the forward zone is already >>> configured, and lets the tests continue, if it is so. >>> >>> >>> Lenka >>> >> >> Current approach expects that every error of ipa dnsforward-add here >> will mean that the zone exists. So it might hide other issues - not very >> good. > If I understand your comment correctly, you think that the patch would > pass ANY dnsforwardzone-add error and being OK and continue, right? > That's not intended behaviour - I have an assertion there that checks > that it's really the 'correct' error: > > assert "already exists in DNS" in result.stderr_text > > So any other error should still prevent continuing in tests. > Ah, good, I've overlooked that. -- Petr Vobornik From mbasti at redhat.com Mon Jun 27 08:23:37 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 10:23:37 +0200 Subject: [Freeipa-devel] DNS Locations: fix an issue found by coverity In-Reply-To: <87b84e5a-4404-8f7a-547d-99188ec5afb7@redhat.com> References: <87b84e5a-4404-8f7a-547d-99188ec5afb7@redhat.com> Message-ID: <2aaba6e7-f911-0733-14f2-f4964e9df237@redhat.com> On 27.06.2016 10:21, Martin Babinsky wrote: > On 06/27/2016 08:34 AM, Martin Basti wrote: >> Shame, shame, shame on me. I forgot how to python when I was writing >> that originally. >> >> >> Patch attached. >> >> https://fedorahosted.org/freeipa/ticket/2008 >> >> >> > ACK. > master: * c6f7d94d5b39c213483909de34c61016b8eba0ac DNS Locations: server-mod: fix if statement From pspacek at redhat.com Mon Jun 27 08:26:00 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 10:26:00 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> Message-ID: On 27.6.2016 10:18, Martin Babinsky wrote: > On 06/27/2016 10:04 AM, Petr Vobornik wrote: >> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>> Hi! >>> >>> With newly created AD machines in Brno lab, existing trust tests fail on >>> 'ipa dnsforwardzone-add' command claiming the zone is already present, >>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>> >>> To prevent these failures I prepared attached patch, that will still >>> attempt to add the forward zone, but in case of non-zero return code >>> will check the message if it says that the forward zone is already >>> configured, and lets the tests continue, if it is so. >>> >>> >>> Lenka >>> >> >> >> Current approach expects that every error of ipa dnsforward-add here >> will mean that the zone exists. So it might hide other issues - not very >> good. >> >> On the other hand it is not very robust to parse error message. >> >> Question for general audience: What do you think if IPA client's exit >> status would be the IPA error code instead of "1" for every error. E.g. >> in DuplicateEntry case it's 4002. >> >> Btw, this is not a NACK. >> > > Well AFAIK the exit status on POSIX systems is encoded into a single byte so > you cannot have the return value greater that 255. We would have to devise > some mapping between our XMLRPC status codes and subprocess return codes. > > Some of our exceptions have defined return values outside plain '1', e.g. > NotFound has return value of 2. It would be possible to extend this concept on > other common errors. 
Even more importantly, the forward zone is completely unnecessary because DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add. -- Petr^2 Spacek From mbabinsk at redhat.com Mon Jun 27 08:26:28 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 10:26:28 +0200 Subject: [Freeipa-devel] [PATCH 0020][Tests] Make ID views test reflect new krbcanonicalname attribute In-Reply-To: References: Message-ID: <83a969ef-94ca-be4f-da91-e83b4f91174c@redhat.com> On 06/23/2016 03:51 PM, Lenka Doudova wrote: > Patch attached. > > Lenka > > > Thanks for catching this. conditional ACK if you add https://fedorahosted.org/freeipa/ticket/3864 to the commit message. -- Martin^3 Babinsky From sbose at redhat.com Mon Jun 27 08:28:08 2016 
From: sbose at redhat.com (Sumit Bose) Date: Mon, 27 Jun 2016 10:28:08 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides In-Reply-To: <5770DE7F.4060104@redhat.com> References: <575981D9.2040305@redhat.com> <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <5770DE7F.4060104@redhat.com> Message-ID: <20160627082808.GG3346@p.Speedport_W_724V_Typ_A_05011603_00_009> On Mon, Jun 27, 2016 at 10:06:23AM +0200, Oleg Fayans wrote: > Hi Sumit, > > I've updated the testplan. (Thank you for the link to Fraser's blogpost, > it was really very useful!). All the operations described were > performed manually and succeed. Could you please review it again in case > I forgot something? Thank you, the tests are looking good. I have two comments. First, for your information, I'm not sure if the WebUI is in the scope of these tests; Pavel already sent '0058 WebUI: certificate widget on ID override user page' to the freeipa-devel list, so adding certificates to idoverrides with the WebUI should work soon as well. Second, the LDAP attribute used to store the certificates is a multi-value attribute. Adding a test where a second certificate is added to the override and removed (without deleting the other certificate) might be useful here. bye, Sumit > > > On 06/09/2016 05:06 PM, Sumit Bose wrote: > > On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote: > >> Hi guys, > >> > >> Here is the first somewhat skeletal and pretty short version of the > >> testplan. Could you please review it anyone? > >> > >> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan > > > > Hi Oleg, > > > > 'Make sure the id view is applied to ipa master host' the IPA > > masters/servers will always and only have the 'Default Trust View'. But > > it is ok to use the 'Default Trust View' for testing the certificates in > > the ID override. > > > > The 'openssl req ...' call will only generate a certificate request and > > not the certificate itself.
The request must still be signed by e.g. the > > IPA CA. Please see the blog posts of Fraser > > (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/) > > and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details. > > > > Since you want to test certificates in overrides you should use > > idoverrideuser-add-cert and idoverrideuser-remove-cert instead of > > user-add-cert and user-remove-cert. > > > > bye, > > Sumit > > > >> -- > >> Oleg Fayans > >> Quality Engineer > >> FreeIPA team > >> RedHat. > >> > >> -- > >> Manage your subscription for the Freeipa-devel mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. From pspacek at redhat.com Mon Jun 27 08:28:22 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 10:28:22 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> Message-ID: <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> On 27.6.2016 10:26, Petr Spacek wrote: > On 27.6.2016 10:18, Martin Babinsky wrote: >> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>> Hi! >>>> >>>> With newly created AD machines in Brno lab, existing trust tests fail on >>>> 'ipa dnsforwardzone-add' command claiming the zone is already present, >>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>> >>>> To prevent these failures I prepared attached patch, that will still >>>> attempt to add the forward zone, but in case of non-zero return code >>>> will check the message if it says that the forward zone is already >>>> configured, and lets the tests continue, if it is so. >>>> >>>> >>>> Lenka >>>> >>> >>> >>> Current approach expects that every error of ipa dnsforward-add here >>> will mean that the zone exists. So it might hide other issues - not very >>> good. >>> >>> On the other hand it is not very robust to parse error message. >>> >>> Question for general audience: What do you think if IPA client's exit >>> status would be the IPA error code instead of "1" for every error. E.g. >>> in DuplicateEntry case it's 4002. >>> >>> Btw, this is not a NACK. >>> >> >> Well AFAIK the exit status on POSIX systems is encoded into a single byte so >> you cannot have the return value greater that 255. We would have to devise >> some mapping between our XMLRPC status codes and subprocess return codes. >> >> Some of our exceptions have defined return values outside plain '1', e.g. >> NotFound has return value of 2. It would be possible to extend this concept on >> other common errors. 
> > Even more importantly, the forward zone is completely unnecessary because DNS > when DNS is set up properly. I would simply remove the dnsforwardzone-add. > Grr, I meant this: Even more importantly, the forward zone is completely unnecessary when DNS is set up properly. I would simply remove the dnsforwardzone-add. -- Petr^2 Spacek From mbasti at redhat.com Mon Jun 27 08:30:35 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 10:30:35 +0200 Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string In-Reply-To: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> References: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> Message-ID: <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> On 23.06.2016 18:32, Petr Spacek wrote: > Hello, > > replica-install: Compare domain names as DNS names and not strings > > This fixes a false positive where user inputs "example.com" and "EXAMPLE.COM" > were not considered equivalent and installation was wrongly refused. > > https://fedorahosted.org/freeipa/ticket/5976 > NACK, the client installer should normalize the domain name as host-add does, because it will blow up in different places; we cannot compare this part as a DNS name when other parts work with it as strings ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this client to a replica. Local domain 'ipa.example.COM' does not match IPA domain 'ipa.example.com'. Martin^2
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 10:33:15 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> Message-ID: <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> On 06/27/2016 10:28 AM, Petr Spacek wrote: > On 27.6.2016 10:26, Petr Spacek wrote: >> On 27.6.2016 10:18, Martin Babinsky wrote: >>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>> Hi! >>>>> >>>>> With newly created AD machines in Brno lab, existing trust tests fail on >>>>> 'ipa dnsforwardzone-add' command claiming the zone is already present, >>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>>> >>>>> To prevent these failures I prepared attached patch, that will still >>>>> attempt to add the forward zone, but in case of non-zero return code >>>>> will check the message if it says that the forward zone is already >>>>> configured, and lets the tests continue, if it is so. >>>>> >>>>> >>>>> Lenka >>>>> >>>> >>>> >>>> Current approach expects that every error of ipa dnsforward-add here >>>> will mean that the zone exists. So it might hide other issues - not very >>>> good. >>>> >>>> On the other hand it is not very robust to parse error message. >>>> >>>> Question for general audience: What do you think if IPA client's exit >>>> status would be the IPA error code instead of "1" for every error. E.g. >>>> in DuplicateEntry case it's 4002. >>>> >>>> Btw, this is not a NACK. >>>> >>> >>> Well AFAIK the exit status on POSIX systems is encoded into a single byte so >>> you cannot have the return value greater that 255. We would have to devise >>> some mapping between our XMLRPC status codes and subprocess return codes. 
>>> >>> Some of our exceptions have defined return values outside plain '1', e.g. >>> NotFound has return value of 2. It would be possible to extend this concept on >>> other common errors. >> >> Even more importantly, the forward zone is completely unnecessary because DNS >> when DNS is set up properly. I would simply remove the dnsforwardzone-add. >> > Grr, I meant this: > Even more importantly, the forward zone is completely unnecessary when DNS is > set up properly. I would simply remove the dnsforwardzone-add. > +1, our tests should not fiddle with the provisioned environment as much as they sometimes do. -- Martin^3 Babinsky From mbasti at redhat.com Mon Jun 27 08:51:30 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 10:51:30 +0200 Subject: [Freeipa-devel] [PATCH 0052] Added missing nsSystemIndex attributes to .update file In-Reply-To: <531c9d11-b944-4183-f323-7988841bd183@redhat.com> References: <531c9d11-b944-4183-f323-7988841bd183@redhat.com> Message-ID: On 24.06.2016 14:24, Stanislav Laznicka wrote: > https://fedorahosted.org/freeipa/ticket/5947 > > > ACK Pushed to master: e136db019210e3e373fe96fe8331976c93b166f3 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Mon Jun 27 08:56:35 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 10:56:35 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> Message-ID: <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> On 24.6.2016 12:25, Martin Basti wrote: > > > On 23.06.2016 18:26, Petr Spacek wrote: >> On 23.6.2016 16:38, Martin Basti wrote: >>> Patches attached. >>> >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> >>> >>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch >>> >>> >>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>> for unused locations" >>> >>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>> >>> After deeper investigation, we found out that empty locations are needed >>> for clients, because clients may have cached records for longer time for >>> that particular location. Only way how to remove location is to remove >>> it using location-del >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> ipaserver/dns_data_management.py | 11 ++++------- >>> 1 file changed, 4 insertions(+), 7 deletions(-) >>> >>> diff --git a/ipaserver/dns_data_management.py >>> b/ipaserver/dns_data_management.py >>> index >>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>> 100644 >>> --- a/ipaserver/dns_data_management.py >>> +++ b/ipaserver/dns_data_management.py 
>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>> self.api_instance = api_instance >>> self.domain_abs = >>> DNSName(self.api_instance.env.domain).make_absolute() >>> self.servers_data = {} >>> - self.used_locations = set() >>> self.__init_data() >>> def reload_data(self): >>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>> def __init_data(self): >>> self.servers_data = {} >>> - self.used_locations = set() >>> servers_result = self.api_instance.Command.server_find( >>> pkey_only=True)['result'] >>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>> 'location': location, >>> 'roles': roles, >>> } >>> - if location: >>> - self.used_locations.add(location) >>> def __add_srv_records( >>> self, zone_obj, hostname, rname_port_map, >>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>> pkey_only=True)['result'] >>> servers = [s['cn'][0] for s in servers_result] >>> - # generate only records for used location, records for unassigned >>> - # locations are useless >>> + locations_result = >>> self.api_instance.Command.location_find()['result'] >>> + locations = [l['idnsname'][0] for l in locations_result] >>> + >>> for server in servers: >>> self._get_location_dns_records_for_server( >>> zone_obj, server, >>> - self.used_locations, roles=roles, >>> + locations, roles=roles, >>> include_master_role=include_master_role) >>> return zone_obj >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>> >>> >>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install >>> >>> Since DNS location mechanism is active, this option has no effect, >>> because records are generate dynamically. >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/tools/ipa-adtrust-install | 10 +++++++--- >>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>> 2 files changed, 15 insertions(+), 16 deletions(-) >>> >>> diff --git a/install/tools/ipa-adtrust-install >>> b/install/tools/ipa-adtrust-install >>> index >>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>> 100755 >>> --- a/install/tools/ipa-adtrust-install >>> +++ b/install/tools/ipa-adtrust-install >>> @@ -29,6 +29,8 @@ import ldap >>> import six >>> +from optparse import SUPPRESS_HELP >>> + >>> from ipaserver.install import adtrustinstance >>> from ipaserver.install.installutils import ( >>> read_password, >>> @@ -54,9 +56,11 @@ def parse_options(): >>> default=False, help="print debugging information") >>> parser.add_option("--netbios-name", dest="netbios_name", >>> help="NetBIOS name of the IPA domain") >>> + >>> + # no-msdcs has not effect, option is here just for backward compatibility >>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>> - default=False, help="Do not create DNS service >>> records " \ >>> - "for Windows in managed DNS >>> server") >>> + default=False, help=SUPPRESS_HELP) >>> + >>> parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, >>> help="Start value for mapping UIDs and GIDs to RIDs") >>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", 
>>> @@ -390,7 +394,7 @@ def main(): >>> smb.setup(api.env.host, api.env.realm, >>> netbios_name, reset_netbios_name, >>> options.rid_base, options.secondary_rid_base, >>> - options.no_msdcs, options.add_sids, >>> + options.add_sids, >>> enable_compat = options.enable_compat) >>> smb.find_local_id_range() >>> smb.create_instance() >>> diff --git a/ipaserver/install/adtrustinstance.py >>> b/ipaserver/install/adtrustinstance.py >>> index >>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>> 100644 >>> --- a/ipaserver/install/adtrustinstance.py >>> +++ b/ipaserver/install/adtrustinstance.py >>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>> def __init__(self, fstore=None): >>> self.netbios_name = None >>> self.reset_netbios_name = None >>> - self.no_msdcs = None >>> self.add_sids = None >>> self.smbd_user = None >>> self.smb_dn_pwd = None >>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>> err_msg = None >>> - if self.no_msdcs: >>> - err_msg = '--no-msdcs was given, special DNS service records ' \ >>> - 'are not added to local DNS server' >>> + ret = api.Command['dns_is_enabled']() >>> + if not ret['result']: >>> + err_msg = "DNS management was not enabled at install time." >>> else: >>> - ret = api.Command['dns_is_enabled']() >>> - if not ret['result']: >>> - err_msg = "DNS management was not enabled at install time." >>> - else: >>> - if not dns_zone_exists(zone): >>> - err_msg = "DNS zone %s cannot be managed " \ >>> - "as it is not defined in IPA" % zone >>> + if not dns_zone_exists(zone): >>> + err_msg = ( >>> + "DNS zone %s cannot be managed as it is not defined in " >>> + "IPA" % zone) >>> if err_msg: >>> self.print_msg(err_msg) 
>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>> def setup(self, fqdn, realm_name, netbios_name, >>> reset_netbios_name, rid_base, secondary_rid_base, >>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>> + add_sids=False, smbd_user="samba", >>> enable_compat=False): >>> self.fqdn = fqdn >>> self.realm = realm_name >>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>> self.reset_netbios_name = reset_netbios_name >>> self.rid_base = rid_base >>> self.secondary_rid_base = secondary_rid_base >>> - self.no_msdcs = no_msdcs >>> self.add_sids = add_sids >>> self.enable_compat = enable_compat >>> self.smbd_user = smbd_user >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>> >>> >>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>> information >>> >>> Because separated calls for of server-show, getting server data is quite >>> slow. This commit replaces several server-show with one server-find >>> command. There are future plans to improve speed of server-find that >>> will be beneficial for DNS locations. >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> ipaserver/dns_data_management.py | 10 ++++------ >>> 1 file changed, 4 insertions(+), 6 deletions(-) >>> >>> diff --git a/ipaserver/dns_data_management.py >>> b/ipaserver/dns_data_management.py >>> index >>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>> 100644 >>> --- a/ipaserver/dns_data_management.py >>> +++ b/ipaserver/dns_data_management.py 
>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>> """ >>> self.__init_data() >>> - def __get_server_attrs(self, hostname): >>> - server_result = >>> self.api_instance.Command.server_show(hostname)['result'] >>> + def __get_server_attrs(self, server_result): >>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>> location = server_result.get('ipalocation_location', [None])[0] >>> roles = set(server_result.get('enabled_role_servrole', ())) >>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>> self.servers_data = {} >>> servers_result = self.api_instance.Command.server_find( >>> - pkey_only=True)['result'] >>> - servers = [s['cn'][0] for s in servers_result] >>> - for s in servers: >>> + no_members=False)['result'] >>> + for s in servers_result: >>> weight, location, roles = self.__get_server_attrs(s) >>> - self.servers_data[s] = { >>> + self.servers_data[s['cn'][0]] = { >>> 'weight': weight, >>> 'location': location, >>> 'roles': roles, >>> -- 2.5.5 >>> >>> >>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>> >>> >>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 
>>> From: Martin Basti >>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>> >>> We don't need anymore: >>> * sample of zone file - list of all records required by IPa will be >>> provided >>> >>> * NTP related params - DNS records will be updated automatically, >>> based on LDAP values >>> >>> * CA related params - DNS records will be updated automatically based >>> * on LDAP values >>> >>> https://fedorahosted.org/freeipa/ticket/2008 >>> --- >>> install/share/bind.zone.db.template | 29 --------------- >>> ipaserver/dns_data_management.py | 9 +++++ >>> ipaserver/install/bindinstance.py | 58 >>> ++++++++---------------------- >>> ipaserver/install/dns.py | 5 ++- >>> ipaserver/install/server/install.py | 8 ++--- >>> ipaserver/install/server/replicainstall.py | 4 +-- >>> 6 files changed, 30 insertions(+), 83 deletions(-) >>> delete mode 100644 install/share/bind.zone.db.template >>> >>> diff --git a/install/share/bind.zone.db.template >>> b/install/share/bind.zone.db.template >>> deleted file mode 100644 >>> index >>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>> >>> --- a/install/share/bind.zone.db.template >>> +++ /dev/null >>> @@ -1,29 +0,0 @@ >>> -$$ORIGIN $DOMAIN. >>> -$$TTL 86400 >>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>> - 01 ; serial >>> - 3H ; refresh >>> - 15M ; retry >>> - 1W ; expiry >>> - 1D ) ; minimum >>> - >>> - IN NS $HOST >>> -$HOST IN A $IP >>> -; >>> -; ldap servers >>> -_ldap._tcp IN SRV 0 100 389 $HOST >>> - >>> -;kerberos realm >>> -_kerberos IN TXT $REALM >>> - >>> -; kerberos servers >>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>> -_kerberos._udp IN SRV 0 100 88 $HOST >>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>> -$OPTIONAL_NTP >>> - >>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>> -$IPA_CA_RECORD 
>>> diff --git a/ipaserver/dns_data_management.py >>> b/ipaserver/dns_data_management.py >>> index >>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>> 100644 >>> --- a/ipaserver/dns_data_management.py >>> +++ b/ipaserver/dns_data_management.py >>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>> ) >>> ) >>> return records >>> + >>> + @classmethod >>> + def records_list_from_zone(cls, zone_obj, sort=True): >>> + records = [] >>> + for name, node in zone_obj.items(): >>> + records.extend(IPASystemRecords.records_list_from_node(name, >>> node)) >>> + if sort: >>> + records.sort() >>> + return records >>> diff --git a/ipaserver/install/bindinstance.py >>> b/ipaserver/install/bindinstance.py >>> index >>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>> 100644 >>> --- a/ipaserver/install/bindinstance.py >>> +++ b/ipaserver/install/bindinstance.py >>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>> suffix = ipautil.dn_attribute_property('_suffix') >>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>> forwarders, >>> - forward_policy, ntp, reverse_zones, >>> + forward_policy, reverse_zones, >>> named_user=constants.NAMED_USER, zonemgr=None, >>> - ca_configured=None, no_dnssec_validation=False): >>> + no_dnssec_validation=False): >>> self.named_user = named_user >>> self.fqdn = fqdn >>> self.ip_addresses = ip_addresses >>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>> self.forward_policy = forward_policy >>> self.host = fqdn.split(".")[0] >>> self.suffix = ipautil.realm_to_suffix(self.realm) >>> - self.ntp = ntp >>> self.reverse_zones = reverse_zones >>> - self.ca_configured = ca_configured >>> self.no_dnssec_validation=no_dnssec_validation >>> if not zonemgr: 
>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>> def host_in_default_domain(self): >>> return normalize_zone(self.host_domain) == >>> normalize_zone(self.domain) >>> - def create_sample_bind_zone(self): >>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>> "bind.zone.db.template", self.sub_dict) >>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>> - os.write(bind_fd, bind_txt) >>> - os.close(bind_fd) >>> - print("Sample zone file for bind has been created in "+bind_name) >>> + def create_file_with_system_records(self): >>> + system_records = IPASystemRecords(self.api) >>> + text = u'\n'.join( >>> + IPASystemRecords.records_list_from_zone( >>> + system_records.get_base_records() >>> + ) >>> + ) >>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>> + os.write(fd, text) >>> + os.close(fd) >>> + print("Please add records in this file to your DNS system:", name) >>> def create_instance(self): 
>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>> root_logger.debug("Unable to mask named (%s)", e) >>> def __setup_sub_dict(self): >>> - if self.forwarders: >>> - fwds = "\n" >>> - for forwarder in self.forwarders: >>> - fwds += "\t\t%s;\n" % forwarder >>> - fwds += "\t" >>> - else: >>> - fwds = " " >>> - >>> - if self.ntp: >>> - optional_ntp = "\n;ntp server\n" >>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>> self.host_in_rr >>> - else: >>> - optional_ntp = "" >>> - >>> - ipa_ca = "" >>> - for addr in self.ip_addresses: >>> - if addr.version in (4, 6): >>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>> - IPA_CA_RECORD, >>> - "A" if addr.version == 4 else "AAAA", >>> - str(addr)) >>> - >>> self.sub_dict = dict( >>> FQDN=self.fqdn, >>> - IP=[str(ip) for ip in self.ip_addresses], >>> - DOMAIN=self.domain, >>> - HOST=self.host, >>> - REALM=self.realm, >>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>> - FORWARDERS=fwds, >>> - FORWARD_POLICY=self.forward_policy, >>> SUFFIX=self.suffix, >>> - OPTIONAL_NTP=optional_ntp, >>> - ZONEMGR=self.zonemgr, >>> - IPA_CA_RECORD=ipa_ca, >>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>> ROOT_KEY=paths.NAMED_ROOT_KEY, >>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>> domain_name, >>> - reverse_zones, ntp=False, ca_configured=None): >>> + reverse_zones): >>> self.fqdn = fqdn >>> self.ip_addresses = ip_addresses >>> self.realm = realm_name >>> self.domain = domain_name >>> self.host = fqdn.split(".")[0] >>> self.suffix = ipautil.realm_to_suffix(self.realm) >>> - self.ntp = ntp >>> self.reverse_zones = reverse_zones >>> - self.ca_configured = ca_configured >>> self.first_instance = False >>> self.zonemgr = 'hostmaster.%s' % self.domain 
>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>> index >>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>> 100644 >>> --- a/ipaserver/install/dns.py >>> +++ b/ipaserver/install/dns.py >>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>> autobind=AUTOBIND_ENABLED) >>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>> - options.forwarders, options.forward_policy, conf_ntp, >>> + options.forwarders, options.forward_policy, >>> reverse_zones, zonemgr=options.zonemgr, >>> - no_dnssec_validation=options.no_dnssec_validation, >>> - ca_configured=options.setup_ca) >>> + no_dnssec_validation=options.no_dnssec_validation) >>> if standalone and not options.unattended: >>> print("") >>> diff --git a/ipaserver/install/server/install.py >>> b/ipaserver/install/server/install.py >>> index >>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>> 100644 >>> --- a/ipaserver/install/server/install.py >>> +++ b/ipaserver/install/server/install.py 
>>> @@ -848,17 +848,17 @@ def install(installer): >>> if setup_ca: >>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>> + api.Backend.ldap2.connect(autobind=True) >>> if options.setup_dns: >>> - api.Backend.ldap2.connect(autobind=True) >>> dns.install(False, False, options) >>> else: >>> # Create a BIND instance >>> bind = bindinstance.BindInstance(fstore, dm_password) >>> bind.setup(host_name, ip_addresses, realm_name, >>> - domain_name, (), 'first', not options.no_ntp, (), >>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>> + domain_name, (), 'first', (), >>> + zonemgr=options.zonemgr, >>> no_dnssec_validation=options.no_dnssec_validation) >>> - bind.create_sample_bind_zone() >>> + bind.create_file_with_system_records() >>> # Restart httpd to pick up the new IPA configuration >>> service.print_msg("Restarting the web server") >>> diff --git a/ipaserver/install/server/replicainstall.py >>> b/ipaserver/install/server/replicainstall.py >>> index >>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>> 100644 >>> --- a/ipaserver/install/server/replicainstall.py >>> +++ b/ipaserver/install/server/replicainstall.py 
>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>> str(ip), >>> config.realm_name, >>> config.domain_name, >>> - reverse_zone, >>> - not options.no_ntp, >>> - options.setup_ca) >>> + reverse_zone) >>> except errors.NotFound as e: >>> root_logger.debug('Replica DNS records could not be added ' >>> 'on master: %s', str(e)) >>> -- 2.5.5 >> While testing this patch I've found out that ipa-dns-install does not work >> idempotently anymore and explodes when re-run. >> >> I'm not sure what is the root cause yet. >> >> # ipa-dns-install --forwarder 10.34.78.1 >> >> WARNING: yacc table file version is out of date >> >> The log file for this installation can be found in >> /var/log/ipaserver-install.log >> ============================================================================== >> This program will setup DNS for the FreeIPA Server. >> >> This includes: >> * Configure DNS (bind) >> * Configure SoftHSM (required by DNSSEC) >> * Configure ipa-dnskeysyncd (required by DNSSEC) >> >> NOTE: DNSSEC zone signing is not enabled by default >> >> >> To accept the default shown in brackets, press the Enter key. >> >> Checking DNS forwarders, please wait ... >> Do you want to search for missing reverse zones? [yes]: >> >> The following operations may take some minutes to complete. >> Please wait until the prompt is returned. >> >> Configuring DNS (named) >> [1/8]: generating rndc key file >> [2/8]: setting up our own record >> ipa : ERROR DNS query for >> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
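Review bot: In patch 1/4, hunk @@ -353 of ipaserver/dns_data_management.py, `location_find()` is called without `pkey_only=True` although only `idnsname` is read from each entry, while the neighbouring `server_find(pkey_only=True)` already uses the cheaper form; `self.api_instance.Command.location_find(pkey_only=True)['result']` keeps the two calls consistent. The comprehension also uses the single-letter name `l`, which is easily confused with `1`; `loc` reads better.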
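Review bot: In patch 2/4, hunk @@ -54 of install/tools/ipa-adtrust-install, the new comment `# no-msdcs has not effect` should read `has no effect`. More importantly, the option is now accepted and silently ignored: a script that still passes `--no-msdcs` gets the Windows service records generated anyway with no indication. Since `options.no_msdcs` is still parsed, consider printing a one-line warning in `main()` when it is set so the behaviour change is visible to the operator.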
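Review bot: In patch 2/4, hunk @@ -766 of ipaserver/install/adtrustinstance.py, `no_msdcs` is removed from the middle of `setup()`'s parameter list, so any remaining caller that passes these arguments positionally would have its former `no_msdcs` value land in `add_sids` without any error. Only the call in ipa-adtrust-install (hunk @@ -390) is updated in this series; please grep for other callers of `ADTRUSTInstance.setup` and, where they exist, pass `add_sids=` and the later arguments by keyword.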
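Review bot: In patch 3/4, hunk @@ -93 of ipaserver/dns_data_management.py, `__init_data` now keeps every server entry in `self.servers_data`, but the method touched by patch 1/4 (hunk @@ -353) still issues a second `server_find(pkey_only=True)` only to build `servers = [s['cn'][0] for s in servers_result]`; iterating the keys of `self.servers_data` there removes one more round trip, which is the point of this optimization. Also `__get_server_attrs(self, server_result)` now receives a single entry rather than a command result, so a name such as `server_entry` would describe the argument better.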
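Review bot: In patch 4/4, the deletion of install/share/bind.zone.db.template is not accompanied by a change to the build rule that installs it; the NACK later in this thread shows the result, `make[5]: *** No rule to make target 'bind.zone.db.template', needed by 'all-am'`. The entry that lists the template in the install/share build files has to go in the same commit so the tree keeps building.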
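Review bot: In patch 4/4, hunk @@ -477 of ipaserver/dns_data_management.py, the new `records_list_from_zone` is a classmethod but calls `IPASystemRecords.records_list_from_node(name, node)` by class name; use `cls.records_list_from_node(name, node)` so the `cls` argument is not ignored and a subclass override is honoured.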
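Review bot: In patch 4/4, hunk @@ -666 of ipaserver/install/bindinstance.py, `create_file_with_system_records` builds `text` as a unicode string (`u'\n'.join(...)`) and hands it straight to `os.write(fd, text)`; `os.write` takes bytes, so this raises `TypeError` under Python 3 and only works on Python 2 while every record is ASCII. Write `os.write(fd, text.encode('utf-8'))`, and append a `'\n'` so the file ends with a newline. Two further checks: `print("Please add records in this file to your DNS system:", name)` with two arguments relies on `print_function` being imported in this module (otherwise Python 2 prints a tuple), whereas the replaced line used string concatenation; and `IPASystemRecords(self.api)` needs `self.api` to be set, but the caller in ipaserver/install/server/install.py (hunk @@ -848) constructs `BindInstance(fstore, dm_password)` without an `api=` argument, so confirm the constructor defaults it.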
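Review bot: In patch 4/4, hunk @@ -761 of ipaserver/install/bindinstance.py, `FORWARDERS`, `FORWARD_POLICY`, `ZONEMGR`, `IP`, `DOMAIN`, `HOST`, `REALM`, `OPTIONAL_NTP` and `IPA_CA_RECORD` are dropped from `self.sub_dict`; the zone template that used most of them is deleted in this patch, but `FORWARDERS` and `FORWARD_POLICY` were never zone-file keys. Please confirm that no remaining template substituted through `sub_dict` (named.conf and related files) still references `$FORWARDERS` or `$FORWARD_POLICY`, since a missing key would either fail or leave the placeholder in the generated file at install time rather than at review.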
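Review bot: In patch 4/4, hunk @@ -848 of ipaserver/install/server/install.py, `api.Backend.ldap2.connect(autobind=True)` moves out of the `if options.setup_dns:` branch so it runs on both paths; this is needed because `create_file_with_system_records()` now queries the API, but neither the commit message nor a comment says so. A short comment above the `connect()` call, or a sentence in the commit message, would save the next reader from reverting it as an unrelated change.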
A failed: The DNS operation timed >> out after 30.0012078285 seconds >> [error] DNSResolverError: The DNS operation timed out after 30.0012078285 >> seconds >> Unexpected error - see /var/log/ipaserver-install.log for details: >> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >> >> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record >> 2016-06-23T15:41:54Z DEBUG raw: >> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199') >> 2016-06-23T15:41:54Z DEBUG dnszone_show(> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False, >> version=u'2.199') >> 2016-06-23T15:42:24Z ERROR DNS query for >> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed >> out after 30.0012078285 seconds >> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last): >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 448, in start_creation >> run_step(full_msg, method) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line >> 438, in run_step >> method() >> File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >> line 860, in __add_self >> self.__add_master_records(self.fqdn, self.ip_addresses) >> File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >> line 843, in __add_master_records >> verify_host_resolvable(fqdn) >> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in >> verify_host_resolvable >> raise errors.DNSResolverError(exception=ex) >> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds > IMO this the same case as https://fedorahosted.org/freeipa/ticket/5962 we > changed resolving of server hostname from gethosbyname() to pure DNS > > Workaround is to set nameserver to /etc/resolv.conf >> >> >> >> I was not able to test replica installation because of some weird ACI problem >> somewhere, replica install is failing with ACIError while adding ldap/replica >> principal. 
>> This is probably a regression from some other patchset.
>>
>> https://fedorahosted.org/freeipa/ticket/5996

NACK

make[5]: *** No rule to make target 'bind.zone.db.template', needed by 'all-am'. Stop.

I'm not exactly sure how I missed this before, possibly git clean -xdf was missing ...

--
Petr^2 Spacek

From ldoudova at redhat.com Mon Jun 27 09:05:50 2016
From: ldoudova at redhat.com (Lenka Doudova) Date: Mon, 27 Jun 2016 11:05:50 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> Message-ID: <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> On 06/27/2016 10:33 AM, Martin Babinsky wrote: > On 06/27/2016 10:28 AM, Petr Spacek wrote: >> On 27.6.2016 10:26, Petr Spacek wrote: >>> On 27.6.2016 10:18, Martin Babinsky wrote: >>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>>> Hi! >>>>>> >>>>>> With newly created AD machines in Brno lab, existing trust tests >>>>>> fail on >>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already >>>>>> present, >>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>>>> >>>>>> To prevent these failures I prepared attached patch, that will still >>>>>> attempt to add the forward zone, but in case of non-zero return code >>>>>> will check the message if it says that the forward zone is already >>>>>> configured, and lets the tests continue, if it is so. >>>>>> >>>>>> >>>>>> Lenka >>>>>> >>>>> >>>>> >>>>> Current approach expects that every error of ipa dnsforward-add here >>>>> will mean that the zone exists. So it might hide other issues - >>>>> not very >>>>> good. >>>>> >>>>> On the other hand it is not very robust to parse error message. >>>>> >>>>> Question for general audience: What do you think if IPA client's exit >>>>> status would be the IPA error code instead of "1" for every error. >>>>> E.g. >>>>> in DuplicateEntry case it's 4002. >>>>> >>>>> Btw, this is not a NACK. 
>>>>> >>>> >>>> Well AFAIK the exit status on POSIX systems is encoded into a >>>> single byte so >>>> you cannot have the return value greater that 255. We would have to >>>> devise >>>> some mapping between our XMLRPC status codes and subprocess return >>>> codes. >>>> >>>> Some of our exceptions have defined return values outside plain >>>> '1', e.g. >>>> NotFound has return value of 2. It would be possible to extend this >>>> concept on >>>> other common errors. >>> >>> Even more importantly, the forward zone is completely unnecessary >>> because DNS >>> when DNS is set up properly. I would simply remove the >>> dnsforwardzone-add. >>> >> Grr, I meant this: >> Even more importantly, the forward zone is completely unnecessary >> when DNS is >> set up properly. I would simply remove the dnsforwardzone-add. >> > +1, our tests should not fiddle with the provisioned environment as > much as they sometimes do. > Well, I have nothing against removing it completely, but left it there just because with previous AD machines with "wild" domains it was necessary. Looking at the code, your suggestion would probably mean to entirely remove method configure_dns_for_trust from ipatests/test_integration/tasks.py, right? I'll have to verify this won't break anything else. Lenka From ldoudova at redhat.com Mon Jun 27 09:10:38 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Mon, 27 Jun 2016 11:10:38 +0200 Subject: [Freeipa-devel] [PATCH 0020][Tests] Make ID views test reflect new krbcanonicalname attribute In-Reply-To: <83a969ef-94ca-be4f-da91-e83b4f91174c@redhat.com> References: <83a969ef-94ca-be4f-da91-e83b4f91174c@redhat.com> Message-ID: On 06/27/2016 10:26 AM, Martin Babinsky wrote: > On 06/23/2016 03:51 PM, Lenka Doudova wrote: >> Patch attached. >> >> Lenka >> >> >> > > Thanks for catching this. > > conditional ACK if you add > https://fedorahosted.org/freeipa/ticket/3864 to the commit message. > Ah, yes. New patch with fixed commit message attached. Thanks, Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0020.2-Tests-Make-ID-views-tests-reflect-new-krbcanonicalna.patch Type: text/x-patch Size: 3675 bytes Desc: not available URL: From pspacek at redhat.com Mon Jun 27 09:20:44 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 11:20:44 +0200 Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string In-Reply-To: <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> References: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> Message-ID: On 27.6.2016 10:30, Martin Basti wrote: > > > On 23.06.2016 18:32, Petr Spacek wrote: >> Hello, >> >> replica-install: Compare domain names as DNS names and not strings >> >> This fixes false possitive where user inputs "example.com" and "EXAMPLE.COM" >> were not considered equivalent and installation was wrongly refused. >> >> https://fedorahosted.org/freeipa/ticket/5976 >> > > NACK, client installer should normalize domain name as host-add does, because > it will blow up in different places, we cannot compare this part as DNS name > when other parts works with it as strings > > ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this > client to a replica. Local domain 'ipa.example.COM' does not match IPA domain > 'ipa.example.com'. Okay, I will use the same validator as ipa-server-install and normalize it as you suggested. -- Petr^2 Spacek From mbasti at redhat.com Mon Jun 27 09:43:03 2016 
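The [PATCH 0138] exchange above is about comparing 'ipa.example.COM' with 'ipa.example.com' as DNS names, and about normalizing the value once at input, as host-add does, so that every later string comparison in the installer agrees. The block below is an added illustration of that normalize-then-compare step in plain Python with no dnspython dependency; it is not FreeIPA's validator (which lives in ipalib and is not reproduced here) and uses hypothetical helper names normalize_domain, validate_domain, is_valid_domain and domains_equal. The LDH label rule, the two-label minimum and the 253-character limit are the example's own assumptions.

```python
import re

# One DNS label as an LDH hostname label: letters, digits and hyphen, 1 to 63
# characters, no leading or trailing hyphen. Applied after lowercasing, so
# [a-z0-9] is enough. This rule is the example's assumption, not FreeIPA's.
_LABEL_RE = re.compile(r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$')


def normalize_domain(name):
    """Canonical relative form of a DNS domain name: lowercase, no trailing dot.

    DNS names are case-insensitive (RFC 4343), so 'ipa.example.COM' and
    'ipa.example.com' name the same domain; 'example.com.' is the same name
    written in absolute form.
    """
    name = name.strip().lower()
    if name.endswith('.'):
        name = name[:-1]
    return name


def validate_domain(name):
    """Return the normalized domain name or raise ValueError.

    Checks (all assumptions of this example): non-empty, at most 253
    characters, at least two labels, every label an LDH label.
    """
    normalized = normalize_domain(name)
    if not normalized:
        raise ValueError('empty domain name')
    if len(normalized) > 253:
        raise ValueError('domain name longer than 253 characters: %r' % name)
    labels = normalized.split('.')
    if len(labels) < 2:
        raise ValueError('single-label domain is not allowed: %r' % name)
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError('invalid DNS label %r in %r' % (label, name))
    return normalized


def is_valid_domain(name):
    """Boolean wrapper around validate_domain for callers that only need yes/no."""
    try:
        validate_domain(name)
    except ValueError:
        return False
    return True


def domains_equal(a, b):
    """Compare two domain names as DNS names rather than as raw strings."""
    return validate_domain(a) == validate_domain(b)


if __name__ == '__main__':
    # The pair from the error message quoted in the thread above.
    print(domains_equal('ipa.example.COM', 'ipa.example.com'))  # True
```

The useful property is where the normalization happens: run validate_domain once where the option is parsed and keep only its return value, so the comparison in replica promotion and every other site that treats the domain as a string see the same value. Comparing as DNS names in one place only, which is what the original patch did, leaves the other sites disagreeing, which is the failure Martin's error message shows. Internationalized names must be converted to their A-label (punycode) form before this check; the regex rejects anything outside ASCII LDH on purpose.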
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 11:43:03 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> Message-ID: On 27.06.2016 10:56, Petr Spacek wrote: > On 24.6.2016 12:25, Martin Basti wrote: >> >> On 23.06.2016 18:26, Petr Spacek wrote: >>> On 23.6.2016 16:38, Martin Basti wrote: >>>> Patches attached. >>>> >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> >>>> >>>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch >>>> >>>> >>>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>>> for unused locations" >>>> >>>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>>> >>>> After deeper investigation, we found out that empty locations are needed >>>> for clients, because clients may have cached records for longer time for >>>> that particular location. Only way how to remove location is to remove >>>> it using location-del >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> ipaserver/dns_data_management.py | 11 ++++------- >>>> 1 file changed, 4 insertions(+), 7 deletions(-) >>>> >>>> diff --git a/ipaserver/dns_data_management.py >>>> b/ipaserver/dns_data_management.py >>>> index >>>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>>> 100644 >>>> --- a/ipaserver/dns_data_management.py >>>> +++ b/ipaserver/dns_data_management.py 
>>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>>> self.api_instance = api_instance >>>> self.domain_abs = >>>> DNSName(self.api_instance.env.domain).make_absolute() >>>> self.servers_data = {} >>>> - self.used_locations = set() >>>> self.__init_data() >>>> def reload_data(self): >>>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>>> def __init_data(self): >>>> self.servers_data = {} >>>> - self.used_locations = set() >>>> servers_result = self.api_instance.Command.server_find( >>>> pkey_only=True)['result'] >>>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>>> 'location': location, >>>> 'roles': roles, >>>> } >>>> - if location: >>>> - self.used_locations.add(location) >>>> def __add_srv_records( >>>> self, zone_obj, hostname, rname_port_map, >>>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>>> pkey_only=True)['result'] >>>> servers = [s['cn'][0] for s in servers_result] >>>> - # generate only records for used location, records for unassigned >>>> - # locations are useless >>>> + locations_result = >>>> self.api_instance.Command.location_find()['result'] >>>> + locations = [l['idnsname'][0] for l in locations_result] >>>> + >>>> for server in servers: >>>> self._get_location_dns_records_for_server( >>>> zone_obj, server, >>>> - self.used_locations, roles=roles, >>>> + locations, roles=roles, >>>> include_master_role=include_master_role) >>>> return zone_obj >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>>> >>>> >>>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 
>>>> From: Martin Basti >>>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in adtrust-install >>>> >>>> Since DNS location mechanism is active, this option has no effect, >>>> because records are generate dynamically. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/tools/ipa-adtrust-install | 10 +++++++--- >>>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>>> 2 files changed, 15 insertions(+), 16 deletions(-) >>>> >>>> diff --git a/install/tools/ipa-adtrust-install >>>> b/install/tools/ipa-adtrust-install >>>> index >>>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>>> 100755 >>>> --- a/install/tools/ipa-adtrust-install >>>> +++ b/install/tools/ipa-adtrust-install >>>> @@ -29,6 +29,8 @@ import ldap >>>> import six >>>> +from optparse import SUPPRESS_HELP >>>> + >>>> from ipaserver.install import adtrustinstance >>>> from ipaserver.install.installutils import ( >>>> read_password, >>>> @@ -54,9 +56,11 @@ def parse_options(): >>>> default=False, help="print debugging information") >>>> parser.add_option("--netbios-name", dest="netbios_name", >>>> help="NetBIOS name of the IPA domain") >>>> + >>>> + # no-msdcs has not effect, option is here just for backward compatibility >>>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>>> - default=False, help="Do not create DNS service >>>> records " \ >>>> - "for Windows in managed DNS >>>> server") >>>> + default=False, help=SUPPRESS_HELP) >>>> + >>>> parser.add_option("--rid-base", dest="rid_base", type=int, default=1000, >>>> help="Start value for mapping UIDs and GIDs to RIDs") >>>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", 
>>>> @@ -390,7 +394,7 @@ def main(): >>>> smb.setup(api.env.host, api.env.realm, >>>> netbios_name, reset_netbios_name, >>>> options.rid_base, options.secondary_rid_base, >>>> - options.no_msdcs, options.add_sids, >>>> + options.add_sids, >>>> enable_compat = options.enable_compat) >>>> smb.find_local_id_range() >>>> smb.create_instance() >>>> diff --git a/ipaserver/install/adtrustinstance.py >>>> b/ipaserver/install/adtrustinstance.py >>>> index >>>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>>> 100644 >>>> --- a/ipaserver/install/adtrustinstance.py >>>> +++ b/ipaserver/install/adtrustinstance.py >>>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>>> def __init__(self, fstore=None): >>>> self.netbios_name = None >>>> self.reset_netbios_name = None >>>> - self.no_msdcs = None >>>> self.add_sids = None >>>> self.smbd_user = None >>>> self.smb_dn_pwd = None >>>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>>> err_msg = None >>>> - if self.no_msdcs: >>>> - err_msg = '--no-msdcs was given, special DNS service records ' \ >>>> - 'are not added to local DNS server' >>>> + ret = api.Command['dns_is_enabled']() >>>> + if not ret['result']: >>>> + err_msg = "DNS management was not enabled at install time." >>>> else: >>>> - ret = api.Command['dns_is_enabled']() >>>> - if not ret['result']: >>>> - err_msg = "DNS management was not enabled at install time." >>>> - else: >>>> - if not dns_zone_exists(zone): >>>> - err_msg = "DNS zone %s cannot be managed " \ >>>> - "as it is not defined in IPA" % zone >>>> + if not dns_zone_exists(zone): >>>> + err_msg = ( >>>> + "DNS zone %s cannot be managed as it is not defined in " >>>> + "IPA" % zone) >>>> if err_msg: >>>> self.print_msg(err_msg) 
>>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>>> def setup(self, fqdn, realm_name, netbios_name, >>>> reset_netbios_name, rid_base, secondary_rid_base, >>>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>>> + add_sids=False, smbd_user="samba", >>>> enable_compat=False): >>>> self.fqdn = fqdn >>>> self.realm = realm_name >>>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>>> self.reset_netbios_name = reset_netbios_name >>>> self.rid_base = rid_base >>>> self.secondary_rid_base = secondary_rid_base >>>> - self.no_msdcs = no_msdcs >>>> self.add_sids = add_sids >>>> self.enable_compat = enable_compat >>>> self.smbd_user = smbd_user >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>>> >>>> >>>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 >>>> From: Martin Basti >>>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>>> information >>>> >>>> Because separated calls for of server-show, getting server data is quite >>>> slow. This commit replaces several server-show with one server-find >>>> command. There are future plans to improve speed of server-find that >>>> will be beneficial for DNS locations. >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> ipaserver/dns_data_management.py | 10 ++++------ >>>> 1 file changed, 4 insertions(+), 6 deletions(-) >>>> >>>> diff --git a/ipaserver/dns_data_management.py >>>> b/ipaserver/dns_data_management.py >>>> index >>>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>>> 100644 >>>> --- a/ipaserver/dns_data_management.py >>>> +++ b/ipaserver/dns_data_management.py 
>>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>>> """ >>>> self.__init_data() >>>> - def __get_server_attrs(self, hostname): >>>> - server_result = >>>> self.api_instance.Command.server_show(hostname)['result'] >>>> + def __get_server_attrs(self, server_result): >>>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>>> location = server_result.get('ipalocation_location', [None])[0] >>>> roles = set(server_result.get('enabled_role_servrole', ())) >>>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>>> self.servers_data = {} >>>> servers_result = self.api_instance.Command.server_find( >>>> - pkey_only=True)['result'] >>>> - servers = [s['cn'][0] for s in servers_result] >>>> - for s in servers: >>>> + no_members=False)['result'] >>>> + for s in servers_result: >>>> weight, location, roles = self.__get_server_attrs(s) >>>> - self.servers_data[s] = { >>>> + self.servers_data[s['cn'][0]] = { >>>> 'weight': weight, >>>> 'location': location, >>>> 'roles': roles, >>>> -- 2.5.5 >>>> >>>> >>>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>>> >>>> >>>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 
>>>> From: Martin Basti >>>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>>> >>>> We don't need anymore: >>>> * sample of zone file - list of all records required by IPa will be >>>> provided >>>> >>>> * NTP related params - DNS records will be updated automatically, >>>> based on LDAP values >>>> >>>> * CA related params - DNS records will be updated automatically based >>>> * on LDAP values >>>> >>>> https://fedorahosted.org/freeipa/ticket/2008 >>>> --- >>>> install/share/bind.zone.db.template | 29 --------------- >>>> ipaserver/dns_data_management.py | 9 +++++ >>>> ipaserver/install/bindinstance.py | 58 >>>> ++++++++---------------------- >>>> ipaserver/install/dns.py | 5 ++- >>>> ipaserver/install/server/install.py | 8 ++--- >>>> ipaserver/install/server/replicainstall.py | 4 +-- >>>> 6 files changed, 30 insertions(+), 83 deletions(-) >>>> delete mode 100644 install/share/bind.zone.db.template >>>> >>>> diff --git a/install/share/bind.zone.db.template >>>> b/install/share/bind.zone.db.template >>>> deleted file mode 100644 >>>> index >>>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>>> >>>> --- a/install/share/bind.zone.db.template >>>> +++ /dev/null 
>>>> @@ -1,29 +0,0 @@ >>>> -$$ORIGIN $DOMAIN. >>>> -$$TTL 86400 >>>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>>> - 01 ; serial >>>> - 3H ; refresh >>>> - 15M ; retry >>>> - 1W ; expiry >>>> - 1D ) ; minimum >>>> - >>>> - IN NS $HOST >>>> -$HOST IN A $IP >>>> -; >>>> -; ldap servers >>>> -_ldap._tcp IN SRV 0 100 389 $HOST >>>> - >>>> -;kerberos realm >>>> -_kerberos IN TXT $REALM >>>> - >>>> -; kerberos servers >>>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>>> -_kerberos._udp IN SRV 0 100 88 $HOST >>>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>>> -$OPTIONAL_NTP >>>> - >>>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>>> -$IPA_CA_RECORD >>>> diff --git a/ipaserver/dns_data_management.py >>>> b/ipaserver/dns_data_management.py >>>> index >>>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>>> 100644 >>>> --- a/ipaserver/dns_data_management.py >>>> +++ b/ipaserver/dns_data_management.py >>>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>>> ) >>>> ) >>>> return records >>>> + >>>> + @classmethod >>>> + def records_list_from_zone(cls, zone_obj, sort=True): >>>> + records = [] >>>> + for name, node in zone_obj.items(): >>>> + records.extend(IPASystemRecords.records_list_from_node(name, >>>> node)) >>>> + if sort: >>>> + records.sort() >>>> + return records >>>> diff --git a/ipaserver/install/bindinstance.py >>>> b/ipaserver/install/bindinstance.py >>>> index >>>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>>> 100644 >>>> --- a/ipaserver/install/bindinstance.py >>>> +++ b/ipaserver/install/bindinstance.py 
>>>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>>> suffix = ipautil.dn_attribute_property('_suffix') >>>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>>> forwarders, >>>> - forward_policy, ntp, reverse_zones, >>>> + forward_policy, reverse_zones, >>>> named_user=constants.NAMED_USER, zonemgr=None, >>>> - ca_configured=None, no_dnssec_validation=False): >>>> + no_dnssec_validation=False): >>>> self.named_user = named_user >>>> self.fqdn = fqdn >>>> self.ip_addresses = ip_addresses >>>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>>> self.forward_policy = forward_policy >>>> self.host = fqdn.split(".")[0] >>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>> - self.ntp = ntp >>>> self.reverse_zones = reverse_zones >>>> - self.ca_configured = ca_configured >>>> self.no_dnssec_validation=no_dnssec_validation >>>> if not zonemgr: >>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>>> def host_in_default_domain(self): >>>> return normalize_zone(self.host_domain) == >>>> normalize_zone(self.domain) >>>> - def create_sample_bind_zone(self): >>>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>>> "bind.zone.db.template", self.sub_dict) >>>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>>> - os.write(bind_fd, bind_txt) >>>> - os.close(bind_fd) >>>> - print("Sample zone file for bind has been created in "+bind_name) >>>> + def create_file_with_system_records(self): >>>> + system_records = IPASystemRecords(self.api) >>>> + text = u'\n'.join( >>>> + IPASystemRecords.records_list_from_zone( >>>> + system_records.get_base_records() >>>> + ) >>>> + ) >>>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>>> + os.write(fd, text) >>>> + os.close(fd) >>>> + print("Please add records in this file to your DNS system:", name) >>>> def create_instance(self): 
>>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>>> root_logger.debug("Unable to mask named (%s)", e) >>>> def __setup_sub_dict(self): >>>> - if self.forwarders: >>>> - fwds = "\n" >>>> - for forwarder in self.forwarders: >>>> - fwds += "\t\t%s;\n" % forwarder >>>> - fwds += "\t" >>>> - else: >>>> - fwds = " " >>>> - >>>> - if self.ntp: >>>> - optional_ntp = "\n;ntp server\n" >>>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>>> self.host_in_rr >>>> - else: >>>> - optional_ntp = "" >>>> - >>>> - ipa_ca = "" >>>> - for addr in self.ip_addresses: >>>> - if addr.version in (4, 6): >>>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>>> - IPA_CA_RECORD, >>>> - "A" if addr.version == 4 else "AAAA", >>>> - str(addr)) >>>> - >>>> self.sub_dict = dict( >>>> FQDN=self.fqdn, >>>> - IP=[str(ip) for ip in self.ip_addresses], >>>> - DOMAIN=self.domain, >>>> - HOST=self.host, >>>> - REALM=self.realm, >>>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>>> - FORWARDERS=fwds, >>>> - FORWARD_POLICY=self.forward_policy, >>>> SUFFIX=self.suffix, >>>> - OPTIONAL_NTP=optional_ntp, >>>> - ZONEMGR=self.zonemgr, >>>> - IPA_CA_RECORD=ipa_ca, >>>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>>> ROOT_KEY=paths.NAMED_ROOT_KEY, >>>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>>> domain_name, >>>> - reverse_zones, ntp=False, ca_configured=None): >>>> + reverse_zones): >>>> self.fqdn = fqdn >>>> self.ip_addresses = ip_addresses >>>> self.realm = realm_name >>>> self.domain = domain_name >>>> self.host = fqdn.split(".")[0] >>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>> - self.ntp = ntp >>>> self.reverse_zones = reverse_zones >>>> - self.ca_configured = ca_configured >>>> self.first_instance = False >>>> self.zonemgr = 'hostmaster.%s' % self.domain 
>>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>>> index >>>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>>> 100644 >>>> --- a/ipaserver/install/dns.py >>>> +++ b/ipaserver/install/dns.py >>>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>>> autobind=AUTOBIND_ENABLED) >>>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>>> - options.forwarders, options.forward_policy, conf_ntp, >>>> + options.forwarders, options.forward_policy, >>>> reverse_zones, zonemgr=options.zonemgr, >>>> - no_dnssec_validation=options.no_dnssec_validation, >>>> - ca_configured=options.setup_ca) >>>> + no_dnssec_validation=options.no_dnssec_validation) >>>> if standalone and not options.unattended: >>>> print("") >>>> diff --git a/ipaserver/install/server/install.py >>>> b/ipaserver/install/server/install.py >>>> index >>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>>> 100644 >>>> --- a/ipaserver/install/server/install.py >>>> +++ b/ipaserver/install/server/install.py 
>>>> @@ -848,17 +848,17 @@ def install(installer): >>>> if setup_ca: >>>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>>> + api.Backend.ldap2.connect(autobind=True) >>>> if options.setup_dns: >>>> - api.Backend.ldap2.connect(autobind=True) >>>> dns.install(False, False, options) >>>> else: >>>> # Create a BIND instance >>>> bind = bindinstance.BindInstance(fstore, dm_password) >>>> bind.setup(host_name, ip_addresses, realm_name, >>>> - domain_name, (), 'first', not options.no_ntp, (), >>>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>>> + domain_name, (), 'first', (), >>>> + zonemgr=options.zonemgr, >>>> no_dnssec_validation=options.no_dnssec_validation) >>>> - bind.create_sample_bind_zone() >>>> + bind.create_file_with_system_records() >>>> # Restart httpd to pick up the new IPA configuration >>>> service.print_msg("Restarting the web server") >>>> diff --git a/ipaserver/install/server/replicainstall.py >>>> b/ipaserver/install/server/replicainstall.py >>>> index >>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>>> 100644 >>>> --- a/ipaserver/install/server/replicainstall.py >>>> +++ b/ipaserver/install/server/replicainstall.py 
>>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>>> str(ip), >>>> config.realm_name, >>>> config.domain_name, >>>> - reverse_zone, >>>> - not options.no_ntp, >>>> - options.setup_ca) >>>> + reverse_zone) >>>> except errors.NotFound as e: >>>> root_logger.debug('Replica DNS records could not be added ' >>>> 'on master: %s', str(e)) >>>> -- 2.5.5 >>> While testing this patch I've found out that ipa-dns-install does not work >>> idempotently anymore and explodes when re-run. >>> >>> I'm not sure what is the root cause yet. >>> >>> # ipa-dns-install --forwarder 10.34.78.1 >>> >>> WARNING: yacc table file version is out of date >>> >>> The log file for this installation can be found in >>> /var/log/ipaserver-install.log >>> ============================================================================== >>> This program will setup DNS for the FreeIPA Server. >>> >>> This includes: >>> * Configure DNS (bind) >>> * Configure SoftHSM (required by DNSSEC) >>> * Configure ipa-dnskeysyncd (required by DNSSEC) >>> >>> NOTE: DNSSEC zone signing is not enabled by default >>> >>> >>> To accept the default shown in brackets, press the Enter key. >>> >>> Checking DNS forwarders, please wait ... >>> Do you want to search for missing reverse zones? [yes]: >>> >>> The following operations may take some minutes to complete. >>> Please wait until the prompt is returned. >>> >>> Configuring DNS (named) >>> [1/8]: generating rndc key file >>> [2/8]: setting up our own record >>> ipa : ERROR DNS query for >>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
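Review bot: in the `@@ -54,9 +56,11 @@ def parse_options()` hunk of patch 2/4 (install/tools/ipa-adtrust-install), `--no-msdcs` stays accepted but is now silently ignored, so an administrator who still passes it to avoid the Windows service records gets them anyway because the location mechanism generates them dynamically; print a deprecation warning when `options.no_msdcs` is set instead of dropping it without notice. The new comment also has a typo: `has not effect` should read `has no effect`.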
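Review bot: after the `@@ -93,11 +92,10 @@ class IPASystemRecords` hunk of patch 3/4 (ipaserver/dns_data_management.py), `self.servers_data` is already keyed by every server's `cn`, yet the `@@ -353,12 +349,13 @@` hunk of patch 1/4 still issues a second `server_find(pkey_only=True)` and rebuilds `servers` from it; iterating `self.servers_data` there would remove that extra round trip, which is the stated goal of this optimization commit.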
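Review bot: in the `@@ -477,3 +477,12 @@` hunk of patch 4/4 (ipaserver/dns_data_management.py), the new `records_list_from_zone` classmethod calls `IPASystemRecords.records_list_from_node(...)` through the hard-coded class name; use `cls.records_list_from_node(name, node)` so the `cls` parameter is actually used and a subclass resolves to its own implementation.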
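Review bot: in the `@@ -666,12 +664,17 @@` hunk of patch 4/4 (ipaserver/install/bindinstance.py), `create_file_with_system_records` hands a `u''` string to `os.write(fd, text)`, but `os.write` expects bytes (a `TypeError` on Python 3); encode first, e.g. `os.write(fd, text.encode('utf-8'))`, and append a trailing newline so the last record line is terminated. The two-argument `print("Please add records in this file to your DNS system:", name)` also prints a tuple under Python 2 unless the module imports `print_function`; a single formatted string avoids that dependency.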
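Review bot: the `deleted file mode 100644` hunk for install/share/bind.zone.db.template in patch 4/4 removes the file while the automake rules that install it are untouched, so the tree no longer builds (`No rule to make target 'bind.zone.db.template', needed by 'all-am'`, the NACK later in this thread); drop the template from the share Makefile in the same patch so every commit in the series builds on its own.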
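Review bot: in the `@@ -848,17 +848,17 @@ def install(installer)` hunk of patch 4/4 (ipaserver/install/server/install.py), `api.Backend.ldap2.connect(autobind=True)` moves out of the `if options.setup_dns` branch and now runs unconditionally; that is required because `create_file_with_system_records()` queries the API through `IPASystemRecords(self.api)` even when IPA does not manage DNS, and a one-line comment saying so would keep a later cleanup from moving it back. Also confirm that `BindInstance(fstore, dm_password)` in the `else` branch really ends up with `self.api` set, since that constructor call, unlike the one in dns.py, passes no `api=` argument.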
>>> A failed: The DNS operation timed
>>> out after 30.0012078285 seconds
>>> [error] DNSResolverError: The DNS operation timed out after 30.0012078285
>>> seconds
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
>>>
>>> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record
>>> 2016-06-23T15:41:54Z DEBUG raw:
>>> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199')
>>> 2016-06-23T15:41:54Z DEBUG dnszone_show(
>>> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False,
>>> version=u'2.199')
>>> 2016-06-23T15:42:24Z ERROR DNS query for
>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed
>>> out after 30.0012078285 seconds
>>> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>> 448, in start_creation
>>>     run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
>>> 438, in run_step
>>>     method()
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>> line 860, in __add_self
>>>     self.__add_master_records(self.fqdn, self.ip_addresses)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py",
>>> line 843, in __add_master_records
>>>     verify_host_resolvable(fqdn)
>>>   File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in
>>> verify_host_resolvable
>>>     raise errors.DNSResolverError(exception=ex)
>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds
>> IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962; we
>> changed resolving of server hostname from gethostbyname() to pure DNS
>>
>> Workaround is to set nameserver in /etc/resolv.conf
>>>
>>>
>>> I was not able to test replica installation because of some weird ACI problem
>>> somewhere, replica install is failing with ACIError while adding ldap/replica
>>> principal. This is probably a regression from some other patchset.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5996
> NACK
>
> make[5]: *** No rule to make target 'bind.zone.db.template', needed by
> 'all-am'.  Stop.
>
> I'm not exactly sure how I missed this before, possibly git clean -xdf was
> missing ...
>
My bad, updated patches attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0538.2-Revert-DNS-Locations-do-not-generate-location-record.patch
Type: text/x-patch
Size: 2535 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0539.2-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch
Type: text/x-patch
Size: 4588 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0540.2-DNS-Locations-optimization-use-server-find-to-get-in.patch
Type: text/x-patch
Size: 1992 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0541.2-DNS-Locations-cleanup-of-bininstance.patch
Type: text/x-patch
Size: 10729 bytes
Desc: not available
URL:

From pspacek at redhat.com Mon Jun 27 09:48:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Jun 2016 11:48:59 +0200
Subject: [Freeipa-devel] [PATCH 0139] DNS: Fix tests for realm domains integration with DNS zone ad
Message-ID:

Hello,

DNS: Fix tests for realm domains integration with DNS zone add

We forgot to update tests after change in 22f4045f72daf182c44ce574291c0d8a7733713b.

https://fedorahosted.org/freeipa/ticket/5980

It should go to master, 4-3, and 4-2 as well (as the original change).

--
Petr^2 Spacek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pspacek-0139-DNS-Fix-tests-for-realm-domains-integration-with-DNS.patch
Type: text/x-patch
Size: 1824 bytes
Desc: not available
URL:

From pspacek at redhat.com Mon Jun 27 10:22:34 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Jun 2016 12:22:34 +0200
Subject: [Freeipa-devel] [PATCH 0544] ipa-rmkeytab, ipa-join: dont fail if gettext cannot be initialized
In-Reply-To:
References:
Message-ID: <69847ab4-2e1e-dc68-33d6-1b4b93b93246@redhat.com>

On 27.6.2016 08:36, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5973
>
> Patch attached.

ACK for this patch set.

Interestingly it does not fix
https://fedorahosted.org/freeipa/ticket/5978

On my broken IPA client it prints the following message:
# /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-046.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
Failed to load translations
realm not found

# echo $?
5

--
Petr^2 Spacek

From mbasti at redhat.com Mon Jun 27 10:35:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jun 2016 12:35:40 +0200
Subject: [Freeipa-devel] [PATCH 0544] ipa-rmkeytab, ipa-join: dont fail if gettext cannot be initialized
In-Reply-To: <69847ab4-2e1e-dc68-33d6-1b4b93b93246@redhat.com>
References: <69847ab4-2e1e-dc68-33d6-1b4b93b93246@redhat.com>
Message-ID: <9622e95f-5c37-299c-823f-2d8b66b0d0ef@redhat.com>

On 27.06.2016 12:22, Petr Spacek wrote:
> On 27.6.2016 08:36, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5973
>>
>> Patch attached.
> ACK for this patch set.
>
> Interestingly it does not fix
> https://fedorahosted.org/freeipa/ticket/5978
>
>
> On my broken IPA client it prints following message:
> # /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r
> DOM-046.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> Failed to load translations
> realm not found
>
> # echo $?
> 5
>
Maybe your client is broken too much. I tried the reproducer from the ticket and it is working; I don't have to do rm /etc/krb5.keytab anymore (tried twice).

Pushed to master: a07030f3867168969d32f0f46e792ae0697529bc

From mbasti at redhat.com Mon Jun 27 10:42:16 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jun 2016 12:42:16 +0200
Subject: [Freeipa-devel] [PATCH 0165] keep setting ipakrbprincipal objectclass on new service entries
In-Reply-To: <5086867c-d626-f882-1dfc-d71c705dae0c@redhat.com>
References: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> <5086867c-d626-f882-1dfc-d71c705dae0c@redhat.com>
Message-ID: <779707ef-4e90-909d-d072-a85fcc0ebb3b@redhat.com>

On 27.06.2016 09:39, Martin Babinsky wrote:
> On 06/27/2016 07:56 AM, Martin Babinsky wrote:
>> On 06/24/2016 04:07 PM, Martin Babinsky wrote:
>>> This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and
>>> 06d945a04607dc36e25af78688b4295420489fb9 responsible for
>>> https://fedorahosted.org/freeipa/ticket/5996
>>>
>>> This should unblock replica promotion.
>>>
>>>
>>>
>> self-NACK, disregard this patch, it should not be necessary to revert
>> the whole commit
>>
>
> This version only reverts the change that actually breaks stuff.
>
> https://fedorahosted.org/freeipa/ticket/5996
>
>

Works for me

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Mon Jun 27 11:01:55 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jun 2016 13:01:55 +0200
Subject: [Freeipa-devel] [PATCH 0164] Fix incorrect construction of service principal during replica cleanup
In-Reply-To:
References:
Message-ID:

On 24.06.2016 10:36, Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5985
>
>

ACK

Pushed to master: 9392b212719032a694ff47ae8802b46f9f58e718

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Mon Jun 27 11:02:50 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Jun 2016 13:02:50 +0200
Subject: [Freeipa-devel] [PATCH 0165] keep setting ipakrbprincipal objectclass on new service entries
In-Reply-To: <779707ef-4e90-909d-d072-a85fcc0ebb3b@redhat.com>
References: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> <5086867c-d626-f882-1dfc-d71c705dae0c@redhat.com> <779707ef-4e90-909d-d072-a85fcc0ebb3b@redhat.com>
Message-ID: <00847149-9389-7f55-14fa-a27749207dc6@redhat.com>

On 27.6.2016 12:42, Martin Basti wrote:
>
>
> On 27.06.2016 09:39, Martin Babinsky wrote:
>> On 06/27/2016 07:56 AM, Martin Babinsky wrote:
>>> On 06/24/2016 04:07 PM, Martin Babinsky wrote:
>>>> This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and
>>>> 06d945a04607dc36e25af78688b4295420489fb9 responsible for
>>>> https://fedorahosted.org/freeipa/ticket/5996
>>>>
>>>> This should unblock replica promotion.
>>>>
>>>>
>>>>
>>> self-NACK, disregard this patch, it should not be necessary to revert
>>> the whole commit
>>>
>>
>> This version only reverts the change that actually breaks stuff.
>>
>> https://fedorahosted.org/freeipa/ticket/5996
>>
>>
>
> Works for me

Worked for me too. I tried to install a replica using admin credentials against a master which was upgraded from 4.3.1 to latest master.

--
Petr^2 Spacek

From mbasti at redhat.com Mon Jun 27 11:14:17 2016
From: mbasti at redhat.com (Martin Basti)
Date: Mon, 27 Jun 2016 13:14:17 +0200
Subject: [Freeipa-devel] [PATCH] 0078 Fix IssuerDN presence check in cert search result
In-Reply-To: <20160627063455.GS4200@dhcp-40-8.bne.redhat.com>
References: <20160627063455.GS4200@dhcp-40-8.bne.redhat.com>
Message-ID:

On 27.06.2016 08:34, Fraser Tweedale wrote:
> Attached patch fixes a problem with check for IssuerDN in Dogtag
> cert search results (found by Coverity; thanks to mbasti for bringing
> to my attention).
>
> Cheers,
> Fraser
>
>

ACK

master:
* 47d33f36507d7af16daff5b9f7e4b4acfc6d963b Fix IssuerDN presence check in cert search result

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pspacek at redhat.com Mon Jun 27 11:25:51 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 27 Jun 2016 13:25:51 +0200
Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue
In-Reply-To:
References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com>
Message-ID:

On 27.6.2016 11:43, Martin Basti wrote:
>
>
> On 27.06.2016 10:56, Petr Spacek wrote:
>> On 24.6.2016 12:25, Martin Basti wrote:
>>>
>>> On 23.06.2016 18:26, Petr Spacek wrote:
>>>> On 23.6.2016 16:38, Martin Basti wrote:
>>>>> Patches attached.
>>>>>
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/2008
>>>>>
>>>>>
>>>>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch
>>>>>
>>>>>
>>>>>
>>>>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001
>>>>> From: Martin Basti >>>>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>>>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>>>> for unused locations" >>>>> >>>>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>>>> >>>>> After deeper investigation, we found out that empty locations are needed >>>>> for clients, because clients may have cached records for longer time for >>>>> that particular location. Only way how to remove location is to remove >>>>> it using location-del >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ipaserver/dns_data_management.py | 11 ++++------- >>>>> 1 file changed, 4 insertions(+), 7 deletions(-) >>>>> >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py >>>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>>>> self.api_instance = api_instance >>>>> self.domain_abs = >>>>> DNSName(self.api_instance.env.domain).make_absolute() >>>>> self.servers_data = {} >>>>> - self.used_locations = set() >>>>> self.__init_data() >>>>> def reload_data(self): >>>>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>>>> def __init_data(self): >>>>> self.servers_data = {} >>>>> - self.used_locations = set() >>>>> servers_result = self.api_instance.Command.server_find( >>>>> pkey_only=True)['result'] >>>>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>>>> 'location': location, >>>>> 'roles': roles, >>>>> } >>>>> - if location: >>>>> - self.used_locations.add(location) >>>>> def __add_srv_records( >>>>> self, zone_obj, hostname, rname_port_map, 
>>>>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>>>> pkey_only=True)['result'] >>>>> servers = [s['cn'][0] for s in servers_result] >>>>> - # generate only records for used location, records for >>>>> unassigned >>>>> - # locations are useless >>>>> + locations_result = >>>>> self.api_instance.Command.location_find()['result'] >>>>> + locations = [l['idnsname'][0] for l in locations_result] >>>>> + >>>>> for server in servers: >>>>> self._get_location_dns_records_for_server( >>>>> zone_obj, server, >>>>> - self.used_locations, roles=roles, >>>>> + locations, roles=roles, >>>>> include_master_role=include_master_role) >>>>> return zone_obj >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>>>> >>>>> >>>>> >>>>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 >>>>> From: Martin Basti >>>>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>>>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in >>>>> adtrust-install >>>>> >>>>> Since DNS location mechanism is active, this option has no effect, >>>>> because records are generate dynamically. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/tools/ipa-adtrust-install | 10 +++++++--- >>>>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>>>> 2 files changed, 15 insertions(+), 16 deletions(-) >>>>> >>>>> diff --git a/install/tools/ipa-adtrust-install >>>>> b/install/tools/ipa-adtrust-install >>>>> index >>>>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>>>> >>>>> 100755 >>>>> --- a/install/tools/ipa-adtrust-install >>>>> +++ b/install/tools/ipa-adtrust-install >>>>> @@ -29,6 +29,8 @@ import ldap >>>>> import six >>>>> +from optparse import SUPPRESS_HELP >>>>> + >>>>> from ipaserver.install import adtrustinstance >>>>> from ipaserver.install.installutils import ( >>>>> read_password, 
>>>>> @@ -54,9 +56,11 @@ def parse_options(): >>>>> default=False, help="print debugging information") >>>>> parser.add_option("--netbios-name", dest="netbios_name", >>>>> help="NetBIOS name of the IPA domain") >>>>> + >>>>> + # no-msdcs has not effect, option is here just for backward >>>>> compatibility >>>>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>>>> - default=False, help="Do not create DNS service >>>>> records " \ >>>>> - "for Windows in managed DNS >>>>> server") >>>>> + default=False, help=SUPPRESS_HELP) >>>>> + >>>>> parser.add_option("--rid-base", dest="rid_base", type=int, >>>>> default=1000, >>>>> help="Start value for mapping UIDs and GIDs to >>>>> RIDs") >>>>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", >>>>> @@ -390,7 +394,7 @@ def main(): >>>>> smb.setup(api.env.host, api.env.realm, >>>>> netbios_name, reset_netbios_name, >>>>> options.rid_base, options.secondary_rid_base, >>>>> - options.no_msdcs, options.add_sids, >>>>> + options.add_sids, >>>>> enable_compat = options.enable_compat) >>>>> smb.find_local_id_range() >>>>> smb.create_instance() >>>>> diff --git a/ipaserver/install/adtrustinstance.py >>>>> b/ipaserver/install/adtrustinstance.py >>>>> index >>>>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/adtrustinstance.py >>>>> +++ b/ipaserver/install/adtrustinstance.py >>>>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>>>> def __init__(self, fstore=None): >>>>> self.netbios_name = None >>>>> self.reset_netbios_name = None >>>>> - self.no_msdcs = None >>>>> self.add_sids = None >>>>> self.smbd_user = None >>>>> self.smb_dn_pwd = None 
>>>>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>>>> err_msg = None >>>>> - if self.no_msdcs: >>>>> - err_msg = '--no-msdcs was given, special DNS service records >>>>> ' \ >>>>> - 'are not added to local DNS server' >>>>> + ret = api.Command['dns_is_enabled']() >>>>> + if not ret['result']: >>>>> + err_msg = "DNS management was not enabled at install time." >>>>> else: >>>>> - ret = api.Command['dns_is_enabled']() >>>>> - if not ret['result']: >>>>> - err_msg = "DNS management was not enabled at install time." >>>>> - else: >>>>> - if not dns_zone_exists(zone): >>>>> - err_msg = "DNS zone %s cannot be managed " \ >>>>> - "as it is not defined in IPA" % zone >>>>> + if not dns_zone_exists(zone): >>>>> + err_msg = ( >>>>> + "DNS zone %s cannot be managed as it is not defined >>>>> in " >>>>> + "IPA" % zone) >>>>> if err_msg: >>>>> self.print_msg(err_msg) >>>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>>>> def setup(self, fqdn, realm_name, netbios_name, >>>>> reset_netbios_name, rid_base, secondary_rid_base, >>>>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>>>> + add_sids=False, smbd_user="samba", >>>>> enable_compat=False): >>>>> self.fqdn = fqdn >>>>> self.realm = realm_name >>>>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>>>> self.reset_netbios_name = reset_netbios_name >>>>> self.rid_base = rid_base >>>>> self.secondary_rid_base = secondary_rid_base >>>>> - self.no_msdcs = no_msdcs >>>>> self.add_sids = add_sids >>>>> self.enable_compat = enable_compat >>>>> self.smbd_user = smbd_user >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>>>> >>>>> >>>>> >>>>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 
>>>>> From: Martin Basti >>>>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>>>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>>>> information >>>>> >>>>> Because separated calls for of server-show, getting server data is quite >>>>> slow. This commit replaces several server-show with one server-find >>>>> command. There are future plans to improve speed of server-find that >>>>> will be beneficial for DNS locations. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ipaserver/dns_data_management.py | 10 ++++------ >>>>> 1 file changed, 4 insertions(+), 6 deletions(-) >>>>> >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py >>>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>>>> """ >>>>> self.__init_data() >>>>> - def __get_server_attrs(self, hostname): >>>>> - server_result = >>>>> self.api_instance.Command.server_show(hostname)['result'] >>>>> + def __get_server_attrs(self, server_result): >>>>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>>>> location = server_result.get('ipalocation_location', [None])[0] >>>>> roles = set(server_result.get('enabled_role_servrole', ())) 
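Review bot: In the @@ -78,8 +78,7 @@ hunk of patch 3/4, `__get_server_attrs` now takes a `server_find` entry instead of a hostname, which means it silently depends on the caller having requested the right attributes (`ipaserviceweight`, `ipalocation_location`, `enabled_role_servrole`); the `[u'100']` and `[None]` fallbacks would otherwise mask a result that simply lacks those keys. Add a docstring naming the required attributes, and note that `enabled_role_servrole` is only present when the find is run with `no_members=False`, as the next hunk does.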
>>>>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>>>> self.servers_data = {} >>>>> servers_result = self.api_instance.Command.server_find( >>>>> - pkey_only=True)['result'] >>>>> - servers = [s['cn'][0] for s in servers_result] >>>>> - for s in servers: >>>>> + no_members=False)['result'] >>>>> + for s in servers_result: >>>>> weight, location, roles = self.__get_server_attrs(s) >>>>> - self.servers_data[s] = { >>>>> + self.servers_data[s['cn'][0]] = { >>>>> 'weight': weight, >>>>> 'location': location, >>>>> 'roles': roles, >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>>>> >>>>> >>>>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 >>>>> From: Martin Basti >>>>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>>>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>>>> >>>>> We don't need anymore: >>>>> * sample of zone file - list of all records required by IPa will be >>>>> provided >>>>> >>>>> * NTP related params - DNS records will be updated automatically, >>>>> based on LDAP values >>>>> >>>>> * CA related params - DNS records will be updated automatically based >>>>> * on LDAP values >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/bind.zone.db.template | 29 --------------- >>>>> ipaserver/dns_data_management.py | 9 +++++ >>>>> ipaserver/install/bindinstance.py | 58 >>>>> ++++++++---------------------- >>>>> ipaserver/install/dns.py | 5 ++- >>>>> ipaserver/install/server/install.py | 8 ++--- >>>>> ipaserver/install/server/replicainstall.py | 4 +-- >>>>> 6 files changed, 30 insertions(+), 83 deletions(-) >>>>> delete mode 100644 install/share/bind.zone.db.template >>>>> >>>>> diff --git a/install/share/bind.zone.db.template >>>>> b/install/share/bind.zone.db.template >>>>> deleted file mode 100644 >>>>> index >>>>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>>>> 
>>>>> >>>>> --- a/install/share/bind.zone.db.template >>>>> +++ /dev/null >>>>> @@ -1,29 +0,0 @@ >>>>> -$$ORIGIN $DOMAIN. >>>>> -$$TTL 86400 >>>>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>>>> - 01 ; serial >>>>> - 3H ; refresh >>>>> - 15M ; retry >>>>> - 1W ; expiry >>>>> - 1D ) ; minimum >>>>> - >>>>> - IN NS $HOST >>>>> -$HOST IN A $IP >>>>> -; >>>>> -; ldap servers >>>>> -_ldap._tcp IN SRV 0 100 389 $HOST >>>>> - >>>>> -;kerberos realm >>>>> -_kerberos IN TXT $REALM >>>>> - >>>>> -; kerberos servers >>>>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>>>> -_kerberos._udp IN SRV 0 100 88 $HOST >>>>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>>>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>>>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>>>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>>>> -$OPTIONAL_NTP >>>>> - >>>>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>>>> -$IPA_CA_RECORD >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py >>>>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>>>> ) >>>>> ) >>>>> return records >>>>> + >>>>> + @classmethod >>>>> + def records_list_from_zone(cls, zone_obj, sort=True): >>>>> + records = [] >>>>> + for name, node in zone_obj.items(): >>>>> + records.extend(IPASystemRecords.records_list_from_node(name, >>>>> node)) >>>>> + if sort: >>>>> + records.sort() >>>>> + return records >>>>> diff --git a/ipaserver/install/bindinstance.py >>>>> b/ipaserver/install/bindinstance.py >>>>> index >>>>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/bindinstance.py >>>>> +++ b/ipaserver/install/bindinstance.py 
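Review bot: The deletion hunk for install/share/bind.zone.db.template removes the file, but no hunk in the series removes it from the build system that installs it (the Makefile.am under install/share, or wherever the template is listed as distributed data); without that, `make` fails with "No rule to make target 'bind.zone.db.template'", which is exactly the failure reported further down this thread.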
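Review bot: In the @@ -477,3 +477,12 @@ hunk of ipaserver/dns_data_management.py, `records_list_from_zone` is declared a `@classmethod` but calls `IPASystemRecords.records_list_from_node(...)` through the hard-coded class name, leaving `cls` unused and bypassing any subclass override; use `cls.records_list_from_node(name, node)`. A one-line docstring saying the return value is a list of zone-file text lines (sorted when `sort=True`) would also help, since bindinstance writes the joined result straight to a file.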
>>>>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>>>> suffix = ipautil.dn_attribute_property('_suffix') >>>>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>>>> forwarders, >>>>> - forward_policy, ntp, reverse_zones, >>>>> + forward_policy, reverse_zones, >>>>> named_user=constants.NAMED_USER, zonemgr=None, >>>>> - ca_configured=None, no_dnssec_validation=False): >>>>> + no_dnssec_validation=False): >>>>> self.named_user = named_user >>>>> self.fqdn = fqdn >>>>> self.ip_addresses = ip_addresses >>>>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>>>> self.forward_policy = forward_policy >>>>> self.host = fqdn.split(".")[0] >>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>> - self.ntp = ntp >>>>> self.reverse_zones = reverse_zones >>>>> - self.ca_configured = ca_configured >>>>> self.no_dnssec_validation=no_dnssec_validation >>>>> if not zonemgr: >>>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>>>> def host_in_default_domain(self): >>>>> return normalize_zone(self.host_domain) == >>>>> normalize_zone(self.domain) >>>>> - def create_sample_bind_zone(self): >>>>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>>>> "bind.zone.db.template", self.sub_dict) >>>>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>>>> - os.write(bind_fd, bind_txt) >>>>> - os.close(bind_fd) >>>>> - print("Sample zone file for bind has been created in "+bind_name) >>>>> + def create_file_with_system_records(self): >>>>> + system_records = IPASystemRecords(self.api) >>>>> + text = u'\n'.join( >>>>> + IPASystemRecords.records_list_from_zone( >>>>> + system_records.get_base_records() >>>>> + ) >>>>> + ) >>>>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>>>> + os.write(fd, text) >>>>> + os.close(fd) >>>>> + print("Please add records in this file to your DNS system:", name) >>>>> def create_instance(self): 
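Review bot: In the @@ -666,12 +664,17 @@ hunk of ipaserver/install/bindinstance.py, `create_file_with_system_records` passes a text string (`u'\n'.join(...)`) to `os.write`, which expects bytes: on Python 3 this raises TypeError and on Python 2 it relies on implicit ASCII encoding, so encode explicitly (`os.write(fd, text.encode('utf-8'))`) and add a trailing newline so the file ends cleanly. Two follow-ups on the same hunk: `print("Please add records in this file to your DNS system:", name)` prints a tuple on Python 2 unless the module imports `print_function` (the replaced code sidestepped this with string concatenation), and the method references `IPASystemRecords` while no import hunk for bindinstance.py is shown, so please confirm the import is part of the patch.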
>>>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>>>> root_logger.debug("Unable to mask named (%s)", e) >>>>> def __setup_sub_dict(self): >>>>> - if self.forwarders: >>>>> - fwds = "\n" >>>>> - for forwarder in self.forwarders: >>>>> - fwds += "\t\t%s;\n" % forwarder >>>>> - fwds += "\t" >>>>> - else: >>>>> - fwds = " " >>>>> - >>>>> - if self.ntp: >>>>> - optional_ntp = "\n;ntp server\n" >>>>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>>>> self.host_in_rr >>>>> - else: >>>>> - optional_ntp = "" >>>>> - >>>>> - ipa_ca = "" >>>>> - for addr in self.ip_addresses: >>>>> - if addr.version in (4, 6): >>>>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>>>> - IPA_CA_RECORD, >>>>> - "A" if addr.version == 4 else "AAAA", >>>>> - str(addr)) >>>>> - >>>>> self.sub_dict = dict( >>>>> FQDN=self.fqdn, >>>>> - IP=[str(ip) for ip in self.ip_addresses], >>>>> - DOMAIN=self.domain, >>>>> - HOST=self.host, >>>>> - REALM=self.realm, >>>>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>>>> - FORWARDERS=fwds, >>>>> - FORWARD_POLICY=self.forward_policy, >>>>> SUFFIX=self.suffix, >>>>> - OPTIONAL_NTP=optional_ntp, >>>>> - ZONEMGR=self.zonemgr, >>>>> - IPA_CA_RECORD=ipa_ca, >>>>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>>>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>>>> ROOT_KEY=paths.NAMED_ROOT_KEY, 
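Review bot: In the @@ -761,41 +764,10 @@ hunk of ipaserver/install/bindinstance.py, `IP`, `DOMAIN`, `HOST`, `REALM`, `FORWARDERS`, `FORWARD_POLICY`, `OPTIONAL_NTP`, `ZONEMGR` and `IPA_CA_RECORD` are dropped from `sub_dict`; please confirm with a grep over install/share that no remaining template (named.conf.template in particular) still references `$FORWARDERS`, `$FORWARD_POLICY`, `$DOMAIN` or `$HOST`, because a template that references a key missing from the dict fails at substitution time. If forwarders are now configured only through LDAP, the `self.forwarders` and `self.forward_policy` assignments left in `setup()` deserve a comment saying so, otherwise they look like dead state.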
>>>>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>>>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>>>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>>>> domain_name, >>>>> - reverse_zones, ntp=False, >>>>> ca_configured=None): >>>>> + reverse_zones): >>>>> self.fqdn = fqdn >>>>> self.ip_addresses = ip_addresses >>>>> self.realm = realm_name >>>>> self.domain = domain_name >>>>> self.host = fqdn.split(".")[0] >>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>> - self.ntp = ntp >>>>> self.reverse_zones = reverse_zones >>>>> - self.ca_configured = ca_configured >>>>> self.first_instance = False >>>>> self.zonemgr = 'hostmaster.%s' % self.domain >>>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>>>> index >>>>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/dns.py >>>>> +++ b/ipaserver/install/dns.py >>>>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>>>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>>>> autobind=AUTOBIND_ENABLED) >>>>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>>>> - options.forwarders, options.forward_policy, conf_ntp, >>>>> + options.forwarders, options.forward_policy, >>>>> reverse_zones, zonemgr=options.zonemgr, >>>>> - no_dnssec_validation=options.no_dnssec_validation, >>>>> - ca_configured=options.setup_ca) >>>>> + no_dnssec_validation=options.no_dnssec_validation) >>>>> if standalone and not options.unattended: >>>>> print("") >>>>> diff --git a/ipaserver/install/server/install.py >>>>> b/ipaserver/install/server/install.py >>>>> index >>>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/server/install.py >>>>> +++ b/ipaserver/install/server/install.py 
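Review bot: In the @@ -329,10 +329,9 @@ hunk of ipaserver/install/dns.py, `conf_ntp` is no longer passed to `bind.setup()`; if that was its only use inside `install()`, the assignment that computes it is now dead code and should be removed in the same patch, otherwise pylint will flag an unused variable.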
>>>>> @@ -848,17 +848,17 @@ def install(installer): >>>>> if setup_ca: >>>>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>>>> + api.Backend.ldap2.connect(autobind=True) >>>>> if options.setup_dns: >>>>> - api.Backend.ldap2.connect(autobind=True) >>>>> dns.install(False, False, options) >>>>> else: >>>>> # Create a BIND instance >>>>> bind = bindinstance.BindInstance(fstore, dm_password) >>>>> bind.setup(host_name, ip_addresses, realm_name, >>>>> - domain_name, (), 'first', not options.no_ntp, (), >>>>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>>>> + domain_name, (), 'first', (), >>>>> + zonemgr=options.zonemgr, >>>>> no_dnssec_validation=options.no_dnssec_validation) >>>>> - bind.create_sample_bind_zone() >>>>> + bind.create_file_with_system_records() >>>>> # Restart httpd to pick up the new IPA configuration >>>>> service.print_msg("Restarting the web server") >>>>> diff --git a/ipaserver/install/server/replicainstall.py >>>>> b/ipaserver/install/server/replicainstall.py >>>>> index >>>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/server/replicainstall.py >>>>> +++ b/ipaserver/install/server/replicainstall.py 
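Review bot: In the @@ -848,17 +848,17 @@ hunk of ipaserver/install/server/install.py, `api.Backend.ldap2.connect(autobind=True)` is hoisted out of the `if options.setup_dns:` branch, which is needed because the non-DNS path now calls `create_file_with_system_records()` and that queries the API; the motivation is not visible from the diff, so add a one-line comment, and check the remainder of `install()` for a second `connect()` on the same backend, which would now be reached with an already-connected backend on the non-DNS path too.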
>>>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>>>> str(ip), >>>>> config.realm_name, >>>>> config.domain_name, >>>>> - reverse_zone, >>>>> - not options.no_ntp, >>>>> - options.setup_ca) >>>>> + reverse_zone) >>>>> except errors.NotFound as e: >>>>> root_logger.debug('Replica DNS records could not be added ' >>>>> 'on master: %s', str(e)) >>>>> -- 2.5.5 >>>> While testing this patch I've found out that ipa-dns-install does not work >>>> idempotently anymore and explodes when re-run. >>>> >>>> I'm not sure what is the root cause yet. >>>> >>>> # ipa-dns-install --forwarder 10.34.78.1 >>>> >>>> WARNING: yacc table file version is out of date >>>> >>>> The log file for this installation can be found in >>>> /var/log/ipaserver-install.log >>>> ============================================================================== >>>> >>>> This program will setup DNS for the FreeIPA Server. >>>> >>>> This includes: >>>> * Configure DNS (bind) >>>> * Configure SoftHSM (required by DNSSEC) >>>> * Configure ipa-dnskeysyncd (required by DNSSEC) >>>> >>>> NOTE: DNSSEC zone signing is not enabled by default >>>> >>>> >>>> To accept the default shown in brackets, press the Enter key. >>>> >>>> Checking DNS forwarders, please wait ... >>>> Do you want to search for missing reverse zones? [yes]: >>>> >>>> The following operations may take some minutes to complete. >>>> Please wait until the prompt is returned. >>>> >>>> Configuring DNS (named) >>>> [1/8]: generating rndc key file >>>> [2/8]: setting up our own record >>>> ipa : ERROR DNS query for >>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
A failed: The DNS operation timed >>>> out after 30.0012078285 seconds >>>> [error] DNSResolverError: The DNS operation timed out after 30.0012078285 >>>> seconds >>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>> >>>> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record >>>> 2016-06-23T15:41:54Z DEBUG raw: >>>> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199') >>>> 2016-06-23T15:41:54Z DEBUG dnszone_show(>>> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False, >>>> version=u'2.199') >>>> 2016-06-23T15:42:24Z ERROR DNS query for >>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed >>>> out after 30.0012078285 seconds >>>> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last): >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 448, in start_creation >>>> run_step(full_msg, method) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 438, in run_step >>>> method() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>> line 860, in __add_self >>>> self.__add_master_records(self.fqdn, self.ip_addresses) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>> line 843, in __add_master_records >>>> verify_host_resolvable(fqdn) >>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in >>>> verify_host_resolvable >>>> raise errors.DNSResolverError(exception=ex) >>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>> IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962 we >>> changed resolving of server hostname from gethostbyname() to pure DNS >>> >>> Workaround is to set nameserver in /etc/resolv.conf >>>> >>>> >>>> I was not able to test replica installation because of some weird ACI problem 
>>>> somewhere, replica install is failing with ACIError while adding ldap/replica >>>> principal. This is probably a regression from some other patchset. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5996 >> NACK >> >> make[5]: *** No rule to make target 'bind.zone.db.template', needed by >> 'all-am'. Stop. >> >> I'm not exactly sure how I missed this before, possibly git clean -xdf was >> missing ... >> > My bad > > updated patches attached. ACK to patches 0538-0540, I will test the last patch separately. -- Petr^2 Spacek From mkubik at redhat.com Mon Jun 27 11:31:16 2016 
From: mkubik at redhat.com (Milan Kubík) Date: Mon, 27 Jun 2016 13:31:16 +0200 Subject: [Freeipa-devel] [patch 0038-0040] Sub CA test patches In-Reply-To: <20160627005734.GR4200@dhcp-40-8.bne.redhat.com> References: <072dcce1-3a76-9f26-62d7-a70e403239af@redhat.com> <20160624014203.GO4200@dhcp-40-8.bne.redhat.com> <0e08d68d-cc4e-3f8c-de7f-be8d21ee91f7@redhat.com> <20160627005734.GR4200@dhcp-40-8.bne.redhat.com> Message-ID: On 06/27/2016 02:57 AM, Fraser Tweedale wrote: > On Fri, Jun 24, 2016 at 12:08:24PM +0200, Milan Kubík wrote: >> On 06/24/2016 03:42 AM, Fraser Tweedale wrote: >>> On Tue, Jun 21, 2016 at 05:01:35PM +0200, Milan Kubík wrote: >>>> Hi Fraser and list, >>>> >>>> I have made changes to the test plan on the wiki [1] according to the >>>> information in "[Testplan review] Sub CAs" thread. >>>> >>>> I also implemented the tests in the test plan: >>>> >>>> patch 0038 - CATracker and CA CRUD test >>>> patch 0039 - extension to CA ACL test >>>> patch 0040 - functional test with ACLs and certificate profile, reusing my >>>> previous S/MIME based tests. This patch also tests for the cert-request >>>> behavior when profile ID or CA cn are omitted. >>>> >>>> The tests ATM do not verify the Issuer name in the certificate itself, just >>>> from the ipa entry of the certificate. >>>> >>> The approach you are using:: >>> >>> assert cert_info['result']['issuer'] == smime_signing_ca.ipasubjectdn >>> >>> is not quite as you describe (these are virtual attributes, not >>> attributes of an actual entry); but the approach is valid. >> The issue then is in the wording? The other approach I could have used here >> is to retrieve the two certificates and compare the fields manually. >> Are these virtual attributes created from the certificate itself? >> > That's correct. > >>>> Fraser, could you please verify my reasoning behind the test cases for >>>> cert-request in the patch 40? >>>> >>> The tests look OK. 
With the default CA / default profiles, is there >>> appropriate isolation between test cases to ensure that if, e.g. >>> some other test case adds/modifies CA ACLs such that these >>> expected-to-fail tests now pass, that this does not affect the >>> TestCertSignMIMEwithSubCA test case? >>> >>> Thanks, >>> Fraser >> The ACL, SMIME CA and S/MIME profile lifetime is constrained by the class >> scope >> enforced by pytest. >> The two test cases depend on the fact documented in the designs and that is >> what >> cert-request falls back to when CA or profile ID are not provided. >> Unless something changes the caIPAserviceCert profile or the affiliated ACL, >> the test cases >> are safe. >> > If you have thought about possible interference from other tests, I > am happy. > > Note another problematic scenario: what if a different (preceding) > test adds a CA ACL that would allow the requests that you expect to > fail? Just something to think about :) > > Thanks, > Fraser Then the failure would be a problem of the preceding test and we would need to fix it. We are dealing with test side effects in other parts of the execution already... The test is constructed in a way that isolates it (to a certain degree) by the mechanisms available in pytest. Of course I cannot make the test future-proof or guarantee that a bug in some other test will not affect the execution of other tests as they all run against one IPA instance. I do not think, however, that a potentially misbehaving test case that will interfere should prevent us from implementing this and similar test cases. If you have some specific issue that is in the patch, I'm happy to fix it. >> I will try to think more about corner cases here. >>>> [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan >>>> >>>> Cheers >>>> >>>> -- >>>> Milan Kubik >>>> >> Attaching rebased patches and removing the expected fail from one of the >> tests as ticket 5981 has a fix posted. 
>> >> -- >> Milan Kubik >> -- Milan Kubik From mbasti at redhat.com Mon Jun 27 11:36:00 2016 From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 13:36:00 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> Message-ID: <393c93c3-9662-80bf-4e02-15b575379b05@redhat.com> On 27.06.2016 13:25, Petr Spacek wrote: > On 27.6.2016 11:43, Martin Basti wrote: >> >> On 27.06.2016 10:56, Petr Spacek wrote: >>> On 24.6.2016 12:25, Martin Basti wrote: >>>> On 23.06.2016 18:26, Petr Spacek wrote: >>>>> On 23.6.2016 16:38, Martin Basti wrote: >>>>>> Patches attached. >>>>>> >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch >>>>>> >>>>>> >>>>>> >>>>>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>>>>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>>>>> for unused locations" >>>>>> >>>>>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>>>>> >>>>>> After deeper investigation, we found out that empty locations are needed >>>>>> for clients, because clients may have cached records for longer time for >>>>>> that particular location. Only way how to remove location is to remove >>>>>> it using location-del >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> ipaserver/dns_data_management.py | 11 ++++------- >>>>>> 1 file changed, 4 insertions(+), 7 deletions(-) >>>>>> 
>>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py >>>>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>>>>> self.api_instance = api_instance >>>>>> self.domain_abs = >>>>>> DNSName(self.api_instance.env.domain).make_absolute() >>>>>> self.servers_data = {} >>>>>> - self.used_locations = set() >>>>>> self.__init_data() >>>>>> def reload_data(self): >>>>>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>>>>> def __init_data(self): >>>>>> self.servers_data = {} >>>>>> - self.used_locations = set() >>>>>> servers_result = self.api_instance.Command.server_find( >>>>>> pkey_only=True)['result'] >>>>>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>>>>> 'location': location, >>>>>> 'roles': roles, >>>>>> } >>>>>> - if location: >>>>>> - self.used_locations.add(location) >>>>>> def __add_srv_records( >>>>>> self, zone_obj, hostname, rname_port_map, >>>>>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>>>>> pkey_only=True)['result'] >>>>>> servers = [s['cn'][0] for s in servers_result] >>>>>> - # generate only records for used location, records for >>>>>> unassigned >>>>>> - # locations are useless >>>>>> + locations_result = >>>>>> self.api_instance.Command.location_find()['result'] >>>>>> + locations = [l['idnsname'][0] for l in locations_result] >>>>>> + >>>>>> for server in servers: >>>>>> self._get_location_dns_records_for_server( >>>>>> zone_obj, server, >>>>>> - self.used_locations, roles=roles, >>>>>> + locations, roles=roles, >>>>>> include_master_role=include_master_role) >>>>>> return zone_obj >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>>>>> >>>>>> >>>>>> 
>>>>>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>>>>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in >>>>>> adtrust-install >>>>>> >>>>>> Since DNS location mechanism is active, this option has no effect, >>>>>> because records are generate dynamically. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> install/tools/ipa-adtrust-install | 10 +++++++--- >>>>>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>>>>> 2 files changed, 15 insertions(+), 16 deletions(-) >>>>>> >>>>>> diff --git a/install/tools/ipa-adtrust-install >>>>>> b/install/tools/ipa-adtrust-install >>>>>> index >>>>>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>>>>> >>>>>> 100755 >>>>>> --- a/install/tools/ipa-adtrust-install >>>>>> +++ b/install/tools/ipa-adtrust-install >>>>>> @@ -29,6 +29,8 @@ import ldap >>>>>> import six >>>>>> +from optparse import SUPPRESS_HELP >>>>>> + >>>>>> from ipaserver.install import adtrustinstance >>>>>> from ipaserver.install.installutils import ( >>>>>> read_password, >>>>>> @@ -54,9 +56,11 @@ def parse_options(): >>>>>> default=False, help="print debugging information") >>>>>> parser.add_option("--netbios-name", dest="netbios_name", >>>>>> help="NetBIOS name of the IPA domain") >>>>>> + >>>>>> + # no-msdcs has not effect, option is here just for backward >>>>>> compatibility >>>>>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>>>>> - default=False, help="Do not create DNS service >>>>>> records " \ >>>>>> - "for Windows in managed DNS >>>>>> server") >>>>>> + default=False, help=SUPPRESS_HELP) >>>>>> + >>>>>> parser.add_option("--rid-base", dest="rid_base", type=int, >>>>>> default=1000, >>>>>> help="Start value for mapping UIDs and GIDs to >>>>>> RIDs") >>>>>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", 
>>>>>> @@ -390,7 +394,7 @@ def main(): >>>>>> smb.setup(api.env.host, api.env.realm, >>>>>> netbios_name, reset_netbios_name, >>>>>> options.rid_base, options.secondary_rid_base, >>>>>> - options.no_msdcs, options.add_sids, >>>>>> + options.add_sids, >>>>>> enable_compat = options.enable_compat) >>>>>> smb.find_local_id_range() >>>>>> smb.create_instance() >>>>>> diff --git a/ipaserver/install/adtrustinstance.py >>>>>> b/ipaserver/install/adtrustinstance.py >>>>>> index >>>>>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/adtrustinstance.py >>>>>> +++ b/ipaserver/install/adtrustinstance.py >>>>>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>>>>> def __init__(self, fstore=None): >>>>>> self.netbios_name = None >>>>>> self.reset_netbios_name = None >>>>>> - self.no_msdcs = None >>>>>> self.add_sids = None >>>>>> self.smbd_user = None >>>>>> self.smb_dn_pwd = None >>>>>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>>>>> err_msg = None >>>>>> - if self.no_msdcs: >>>>>> - err_msg = '--no-msdcs was given, special DNS service records >>>>>> ' \ >>>>>> - 'are not added to local DNS server' >>>>>> + ret = api.Command['dns_is_enabled']() >>>>>> + if not ret['result']: >>>>>> + err_msg = "DNS management was not enabled at install time." >>>>>> else: >>>>>> - ret = api.Command['dns_is_enabled']() >>>>>> - if not ret['result']: >>>>>> - err_msg = "DNS management was not enabled at install time." >>>>>> - else: >>>>>> - if not dns_zone_exists(zone): >>>>>> - err_msg = "DNS zone %s cannot be managed " \ >>>>>> - "as it is not defined in IPA" % zone >>>>>> + if not dns_zone_exists(zone): >>>>>> + err_msg = ( >>>>>> + "DNS zone %s cannot be managed as it is not defined >>>>>> in " >>>>>> + "IPA" % zone) >>>>>> if err_msg: >>>>>> self.print_msg(err_msg) 
>>>>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>>>>> def setup(self, fqdn, realm_name, netbios_name, >>>>>> reset_netbios_name, rid_base, secondary_rid_base, >>>>>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>>>>> + add_sids=False, smbd_user="samba", >>>>>> enable_compat=False): >>>>>> self.fqdn = fqdn >>>>>> self.realm = realm_name >>>>>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>>>>> self.reset_netbios_name = reset_netbios_name >>>>>> self.rid_base = rid_base >>>>>> self.secondary_rid_base = secondary_rid_base >>>>>> - self.no_msdcs = no_msdcs >>>>>> self.add_sids = add_sids >>>>>> self.enable_compat = enable_compat >>>>>> self.smbd_user = smbd_user >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>>>>> >>>>>> >>>>>> >>>>>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>>>>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>>>>> information >>>>>> >>>>>> Because separated calls for of server-show, getting server data is quite >>>>>> slow. This commit replaces several server-show with one server-find >>>>>> command. There are future plans to improve speed of server-find that >>>>>> will be beneficial for DNS locations. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> ipaserver/dns_data_management.py | 10 ++++------ >>>>>> 1 file changed, 4 insertions(+), 6 deletions(-) >>>>>> >>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py 
>>>>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>>>>> """ >>>>>> self.__init_data() >>>>>> - def __get_server_attrs(self, hostname): >>>>>> - server_result = >>>>>> self.api_instance.Command.server_show(hostname)['result'] >>>>>> + def __get_server_attrs(self, server_result): >>>>>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>>>>> location = server_result.get('ipalocation_location', [None])[0] >>>>>> roles = set(server_result.get('enabled_role_servrole', ())) >>>>>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>>>>> self.servers_data = {} >>>>>> servers_result = self.api_instance.Command.server_find( >>>>>> - pkey_only=True)['result'] >>>>>> - servers = [s['cn'][0] for s in servers_result] >>>>>> - for s in servers: >>>>>> + no_members=False)['result'] >>>>>> + for s in servers_result: >>>>>> weight, location, roles = self.__get_server_attrs(s) >>>>>> - self.servers_data[s] = { >>>>>> + self.servers_data[s['cn'][0]] = { >>>>>> 'weight': weight, >>>>>> 'location': location, >>>>>> 'roles': roles, >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>>>>> >>>>>> >>>>>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 
>>>>>> From: Martin Basti >>>>>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>>>>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>>>>> >>>>>> We don't need anymore: >>>>>> * sample of zone file - list of all records required by IPa will be >>>>>> provided >>>>>> >>>>>> * NTP related params - DNS records will be updated automatically, >>>>>> based on LDAP values >>>>>> >>>>>> * CA related params - DNS records will be updated automatically based >>>>>> * on LDAP values >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> install/share/bind.zone.db.template | 29 --------------- >>>>>> ipaserver/dns_data_management.py | 9 +++++ >>>>>> ipaserver/install/bindinstance.py | 58 >>>>>> ++++++++---------------------- >>>>>> ipaserver/install/dns.py | 5 ++- >>>>>> ipaserver/install/server/install.py | 8 ++--- >>>>>> ipaserver/install/server/replicainstall.py | 4 +-- >>>>>> 6 files changed, 30 insertions(+), 83 deletions(-) >>>>>> delete mode 100644 install/share/bind.zone.db.template >>>>>> >>>>>> diff --git a/install/share/bind.zone.db.template >>>>>> b/install/share/bind.zone.db.template >>>>>> deleted file mode 100644 >>>>>> index >>>>>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>>>>> >>>>>> >>>>>> --- a/install/share/bind.zone.db.template >>>>>> +++ /dev/null 
>>>>>> @@ -1,29 +0,0 @@ >>>>>> -$$ORIGIN $DOMAIN. >>>>>> -$$TTL 86400 >>>>>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>>>>> - 01 ; serial >>>>>> - 3H ; refresh >>>>>> - 15M ; retry >>>>>> - 1W ; expiry >>>>>> - 1D ) ; minimum >>>>>> - >>>>>> - IN NS $HOST >>>>>> -$HOST IN A $IP >>>>>> -; >>>>>> -; ldap servers >>>>>> -_ldap._tcp IN SRV 0 100 389 $HOST >>>>>> - >>>>>> -;kerberos realm >>>>>> -_kerberos IN TXT $REALM >>>>>> - >>>>>> -; kerberos servers >>>>>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>>>>> -_kerberos._udp IN SRV 0 100 88 $HOST >>>>>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>>>>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>>>>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>>>>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>>>>> -$OPTIONAL_NTP >>>>>> - >>>>>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>>>>> -$IPA_CA_RECORD >>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py >>>>>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>>>>> ) >>>>>> ) >>>>>> return records >>>>>> + >>>>>> + @classmethod >>>>>> + def records_list_from_zone(cls, zone_obj, sort=True): >>>>>> + records = [] >>>>>> + for name, node in zone_obj.items(): >>>>>> + records.extend(IPASystemRecords.records_list_from_node(name, >>>>>> node)) >>>>>> + if sort: >>>>>> + records.sort() >>>>>> + return records >>>>>> diff --git a/ipaserver/install/bindinstance.py >>>>>> b/ipaserver/install/bindinstance.py >>>>>> index >>>>>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/bindinstance.py >>>>>> +++ b/ipaserver/install/bindinstance.py 
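Review bot: records_list_from_zone is declared a @classmethod but calls IPASystemRecords.records_list_from_node directly; use cls.records_list_from_node so a subclass can override the per-node formatting, which is the only reason to take cls. Separately, deleting install/share/bind.zone.db.template needs the matching entry in the Makefile under install/share removed as well (the "No rule to make target 'bind.zone.db.template'" error reported later in this thread is exactly that), and since the removed template carried the $OPTIONAL_NTP and $IPA_CA_RECORD entries, a test asserting that get_base_records() now produces those NTP and ipa-ca records from LDAP would make the "will be updated automatically" claim in the commit message verifiable.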
>>>>>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>>>>> suffix = ipautil.dn_attribute_property('_suffix') >>>>>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>>>>> forwarders, >>>>>> - forward_policy, ntp, reverse_zones, >>>>>> + forward_policy, reverse_zones, >>>>>> named_user=constants.NAMED_USER, zonemgr=None, >>>>>> - ca_configured=None, no_dnssec_validation=False): >>>>>> + no_dnssec_validation=False): >>>>>> self.named_user = named_user >>>>>> self.fqdn = fqdn >>>>>> self.ip_addresses = ip_addresses >>>>>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>>>>> self.forward_policy = forward_policy >>>>>> self.host = fqdn.split(".")[0] >>>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>>> - self.ntp = ntp >>>>>> self.reverse_zones = reverse_zones >>>>>> - self.ca_configured = ca_configured >>>>>> self.no_dnssec_validation=no_dnssec_validation >>>>>> if not zonemgr: >>>>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>>>>> def host_in_default_domain(self): >>>>>> return normalize_zone(self.host_domain) == >>>>>> normalize_zone(self.domain) >>>>>> - def create_sample_bind_zone(self): >>>>>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>>>>> "bind.zone.db.template", self.sub_dict) >>>>>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>>>>> - os.write(bind_fd, bind_txt) >>>>>> - os.close(bind_fd) >>>>>> - print("Sample zone file for bind has been created in "+bind_name) >>>>>> + def create_file_with_system_records(self): >>>>>> + system_records = IPASystemRecords(self.api) >>>>>> + text = u'\n'.join( >>>>>> + IPASystemRecords.records_list_from_zone( >>>>>> + system_records.get_base_records() >>>>>> + ) >>>>>> + ) >>>>>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>>>>> + os.write(fd, text) >>>>>> + os.close(fd) >>>>>> + print("Please add records in this file to your DNS system:", name) >>>>>> def create_instance(self): 
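Review bot: In create_file_with_system_records, text is a unicode string (u'\n'.join(...)) but is handed straight to os.write(fd, text); os.write takes bytes, so this only works while every record is pure ASCII and fails with a TypeError on Python 3. Encode explicitly, e.g. os.write(fd, (text + u'\n').encode('utf-8')), which also gives the file the trailing newline that zone-file tooling expects. The two-argument print("Please add records in this file to your DNS system:", name) also relies on print_function being imported in bindinstance.py; the removed create_sample_bind_zone used string concatenation, so please confirm the __future__ import is present, otherwise Python 2 prints a tuple.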
>>>>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>>>>> root_logger.debug("Unable to mask named (%s)", e) >>>>>> def __setup_sub_dict(self): >>>>>> - if self.forwarders: >>>>>> - fwds = "\n" >>>>>> - for forwarder in self.forwarders: >>>>>> - fwds += "\t\t%s;\n" % forwarder >>>>>> - fwds += "\t" >>>>>> - else: >>>>>> - fwds = " " >>>>>> - >>>>>> - if self.ntp: >>>>>> - optional_ntp = "\n;ntp server\n" >>>>>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>>>>> self.host_in_rr >>>>>> - else: >>>>>> - optional_ntp = "" >>>>>> - >>>>>> - ipa_ca = "" >>>>>> - for addr in self.ip_addresses: >>>>>> - if addr.version in (4, 6): >>>>>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>>>>> - IPA_CA_RECORD, >>>>>> - "A" if addr.version == 4 else "AAAA", >>>>>> - str(addr)) >>>>>> - >>>>>> self.sub_dict = dict( >>>>>> FQDN=self.fqdn, >>>>>> - IP=[str(ip) for ip in self.ip_addresses], >>>>>> - DOMAIN=self.domain, >>>>>> - HOST=self.host, >>>>>> - REALM=self.realm, >>>>>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>>>>> - FORWARDERS=fwds, >>>>>> - FORWARD_POLICY=self.forward_policy, >>>>>> SUFFIX=self.suffix, >>>>>> - OPTIONAL_NTP=optional_ntp, >>>>>> - ZONEMGR=self.zonemgr, >>>>>> - IPA_CA_RECORD=ipa_ca, >>>>>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>>>>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>>>>> ROOT_KEY=paths.NAMED_ROOT_KEY, 
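Review bot: Please confirm that no other template under install/share (the named.conf template in particular) still substitutes $DOMAIN, $HOST, $REALM, $IP, $FORWARDERS, $FORWARD_POLICY or $ZONEMGR: all of them are removed from sub_dict in this hunk while the diffstat deletes only bind.zone.db.template, and ipautil.template_file fails on a missing key only at install time. With fwds gone, self.forwarders and self.forward_policy are still stored by setup(); if nothing else reads them they can be dropped too.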
>>>>>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>>>>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>>>>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>>>>> domain_name, >>>>>> - reverse_zones, ntp=False, >>>>>> ca_configured=None): >>>>>> + reverse_zones): >>>>>> self.fqdn = fqdn >>>>>> self.ip_addresses = ip_addresses >>>>>> self.realm = realm_name >>>>>> self.domain = domain_name >>>>>> self.host = fqdn.split(".")[0] >>>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>>> - self.ntp = ntp >>>>>> self.reverse_zones = reverse_zones >>>>>> - self.ca_configured = ca_configured >>>>>> self.first_instance = False >>>>>> self.zonemgr = 'hostmaster.%s' % self.domain >>>>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>>>>> index >>>>>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/dns.py >>>>>> +++ b/ipaserver/install/dns.py >>>>>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>>>>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>>>>> autobind=AUTOBIND_ENABLED) >>>>>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>>>>> - options.forwarders, options.forward_policy, conf_ntp, >>>>>> + options.forwarders, options.forward_policy, >>>>>> reverse_zones, zonemgr=options.zonemgr, >>>>>> - no_dnssec_validation=options.no_dnssec_validation, >>>>>> - ca_configured=options.setup_ca) >>>>>> + no_dnssec_validation=options.no_dnssec_validation) >>>>>> if standalone and not options.unattended: >>>>>> print("") >>>>>> diff --git a/ipaserver/install/server/install.py >>>>>> b/ipaserver/install/server/install.py >>>>>> index >>>>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/server/install.py >>>>>> +++ b/ipaserver/install/server/install.py 
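Review bot: In the dns.py hunk conf_ntp is no longer passed to bind.setup(); check whether it is still computed earlier in install() and drop that as well if it has no remaining consumer. The shortened add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name, reverse_zones) matches the updated replicainstall.py caller, and an out-of-tree caller still passing ntp or ca_configured will now get a TypeError rather than a silently misbound argument, which is the right failure mode; a sentence about the signature change in the commit message would be worth adding.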
>>>>>> @@ -848,17 +848,17 @@ def install(installer): >>>>>> if setup_ca: >>>>>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>>>>> + api.Backend.ldap2.connect(autobind=True) >>>>>> if options.setup_dns: >>>>>> - api.Backend.ldap2.connect(autobind=True) >>>>>> dns.install(False, False, options) >>>>>> else: >>>>>> # Create a BIND instance >>>>>> bind = bindinstance.BindInstance(fstore, dm_password) >>>>>> bind.setup(host_name, ip_addresses, realm_name, >>>>>> - domain_name, (), 'first', not options.no_ntp, (), >>>>>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>>>>> + domain_name, (), 'first', (), >>>>>> + zonemgr=options.zonemgr, >>>>>> no_dnssec_validation=options.no_dnssec_validation) >>>>>> - bind.create_sample_bind_zone() >>>>>> + bind.create_file_with_system_records() >>>>>> # Restart httpd to pick up the new IPA configuration >>>>>> service.print_msg("Restarting the web server") >>>>>> diff --git a/ipaserver/install/server/replicainstall.py >>>>>> b/ipaserver/install/server/replicainstall.py >>>>>> index >>>>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/server/replicainstall.py >>>>>> +++ b/ipaserver/install/server/replicainstall.py 
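Review bot: Please check that nothing further down in install() calls api.Backend.ldap2.connect() again now that the connect(autobind=True) call runs unconditionally before the if options.setup_dns: branch (Connectible.connect refuses to connect twice in the same thread), and that the installer still disconnects the backend before it exits. The hoist itself is needed: the else branch now calls bind.create_file_with_system_records(), which reads server data through the API, and that branch previously ran without an API connection.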
>>>>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>>>>> str(ip), >>>>>> config.realm_name, >>>>>> config.domain_name, >>>>>> - reverse_zone, >>>>>> - not options.no_ntp, >>>>>> - options.setup_ca) >>>>>> + reverse_zone) >>>>>> except errors.NotFound as e: >>>>>> root_logger.debug('Replica DNS records could not be added ' >>>>>> 'on master: %s', str(e)) >>>>>> -- 2.5.5 >>>>> While testing this patch I've found out that ipa-dns-install does not work >>>>> idempotently anymore and explodes when re-run. >>>>> >>>>> I'm not sure what is the root cause yet. >>>>> >>>>> # ipa-dns-install --forwarder 10.34.78.1 >>>>> >>>>> WARNING: yacc table file version is out of date >>>>> >>>>> The log file for this installation can be found in >>>>> /var/log/ipaserver-install.log >>>>> ============================================================================== >>>>> >>>>> This program will setup DNS for the FreeIPA Server. >>>>> >>>>> This includes: >>>>> * Configure DNS (bind) >>>>> * Configure SoftHSM (required by DNSSEC) >>>>> * Configure ipa-dnskeysyncd (required by DNSSEC) >>>>> >>>>> NOTE: DNSSEC zone signing is not enabled by default >>>>> >>>>> >>>>> To accept the default shown in brackets, press the Enter key. >>>>> >>>>> Checking DNS forwarders, please wait ... >>>>> Do you want to search for missing reverse zones? [yes]: >>>>> >>>>> The following operations may take some minutes to complete. >>>>> Please wait until the prompt is returned. >>>>> >>>>> Configuring DNS (named) >>>>> [1/8]: generating rndc key file >>>>> [2/8]: setting up our own record >>>>> ipa : ERROR DNS query for >>>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
A failed: The DNS operation timed >>>>> out after 30.0012078285 seconds >>>>> [error] DNSResolverError: The DNS operation timed out after 30.0012078285 >>>>> seconds >>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>>> >>>>> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record >>>>> 2016-06-23T15:41:54Z DEBUG raw: >>>>> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199') >>>>> 2016-06-23T15:41:54Z DEBUG dnszone_show(>>>> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False, >>>>> version=u'2.199') >>>>> 2016-06-23T15:42:24Z ERROR DNS query for >>>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed >>>>> out after 30.0012078285 seconds >>>>> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last): >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line >>>>> 448, in start_creation >>>>> run_step(full_msg, method) >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line >>>>> 438, in run_step >>>>> method() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>>> line 860, in __add_self >>>>> self.__add_master_records(self.fqdn, self.ip_addresses) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>>> line 843, in __add_master_records >>>>> verify_host_resolvable(fqdn) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in >>>>> verify_host_resolvable >>>>> raise errors.DNSResolverError(exception=ex) >>>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>> IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962; we >>>> changed resolving of server hostname from gethostbyname() to pure DNS >>>> >>>> Workaround is to set nameserver to /etc/resolv.conf >>>>> >>>>> I was not able to test replica 
installation because of some weird ACI problem >>>>> somewhere, replica install is failing with ACIError while adding ldap/replica >>>>> principal. This is probably a regression from some other patchset. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5996 >>> NACK >>> >>> make[5]: *** No rule to make target 'bind.zone.db.template', needed by >>> 'all-am'. Stop. >>> >>> I'm not exactly sure how I missed this before, possibly git clean -xdf was >>> missing ... >>> >> My bad >> >> updated patches attached. > ACK to patches 0538-0540, I will test the last patch separately. > master: * e42f662b78d9a9d9c0ca786e69d7c203e6863462 Revert "DNS Locations: do not generate location records for unused locations" * 218734ba5ac3326daaf1097ef98217f6c86f526c DNS Locations: hide option --no-msdcs in adtrust-install * 7bf3b1d546f22eeb61dce58cb69d471f834b8aac DNS Locations: optimization: use server-find to get information From mbasti at redhat.com Mon Jun 27 11:39:53 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 13:39:53 +0200 Subject: [Freeipa-devel] [PATCH 0165] keep setting ipakrbprincipal objectclass on new service entries In-Reply-To: <00847149-9389-7f55-14fa-a27749207dc6@redhat.com> References: <3fc0a404-87e8-9a60-8dfc-085cb5bd96fc@redhat.com> <5086867c-d626-f882-1dfc-d71c705dae0c@redhat.com> <779707ef-4e90-909d-d072-a85fcc0ebb3b@redhat.com> <00847149-9389-7f55-14fa-a27749207dc6@redhat.com> Message-ID: On 27.06.2016 13:02, Petr Spacek wrote: > On 27.6.2016 12:42, Martin Basti wrote: >> >> On 27.06.2016 09:39, Martin Babinsky wrote: >>> On 06/27/2016 07:56 AM, Martin Babinsky wrote: >>>> On 06/24/2016 04:07 PM, Martin Babinsky wrote: >>>>> This patch reverts commits 705f66f7490c64de1adc129221b31927616c485 and >>>>> 06d945a04607dc36e25af78688b4295420489fb9 responsible for >>>>> https://fedorahosted.org/freeipa/ticket/5996 >>>>> >>>>> This should unblock replica promotion. >>>>> >>>>> >>>>> >>>> self-NACK, disregard this patch, it should not be necessary to revert >>>> the whole commit >>>> >>> This version only reverts the change that actually breaks stuff. >>> >>> https://fedorahosted.org/freeipa/ticket/5996 >>> >>> >>> >> Works for me > > Worked for me too, I tried to install replica using admin credentials against > master which was upgraded from 4.3.1 to latest master. > ACK Pushed to master: 7b8247a485081a6f1f5201e286ac17228f976355 From ofayans at redhat.com Mon Jun 27 11:53:22 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Mon, 27 Jun 2016 13:53:22 +0200 Subject: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964 In-Reply-To: <5763C073.5020503@redhat.com> References: <5762BBDD.4010502@redhat.com> <5763AA17.60207@redhat.com> <5763C073.5020503@redhat.com> Message-ID: <577113B2.1080904@redhat.com> Hi guys, Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature. On 06/17/2016 11:18 AM, Oleg Fayans wrote: > One more test was added to the patch-0048 > > On 06/17/2016 09:43 AM, Oleg Fayans wrote: >> Fixed a bug in the previous patch, automated 2 more testcases from >> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan >> >> On 06/16/2016 04:46 PM, Oleg Fayans wrote: >>> >>> >>> >> >> >> > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ftweedal at redhat.com Mon Jun 27 11:58:20 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 27 Jun 2016 21:58:20 +1000 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade Message-ID: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> Hi all, The attached patch fixes the OCSP URI in the Dogtag CA and system certificates (https://fedorahosted.org/freeipa/ticket/5956). It depends on a patch[1] for Dogtag which is expected to be released in v10.3.4. In the meantime, you can test with the build of v10.3.4 from my COPR[2]. [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ Cheers, Fraser -------------- next part -------------- From f1a08357deeeb0012eb1a00f13934f8a0522fc36 Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Mon, 27 Jun 2016 15:49:30 +1000 Subject: [PATCH] Set default OCSP URI on install and upgrade Dogtag has been updated to support a default OCSP URI when the profile includes AuthInfoAccess with URI method but does not specify the URI (instead of constructing one based on Dogtag's hostname and port). Add the pkispawn config to ensure that the OCSP URI is set before issuing CA and system certificates, and add the config to existing CA instances on upgrade. Fixes: https://fedorahosted.org/freeipa/ticket/5956 --- freeipa.spec.in | 6 +++--- ipaserver/install/cainstance.py | 3 +++ ipaserver/install/server/upgrade.py | 23 +++++++++++++++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index c86fc3157920f77e66f38241692c3cf45c637ebb..a4d3c067c6c2c0cf911476d950257170fa74e059 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -94,7 +94,7 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.3 +BuildRequires: pki-base >= 10.3.4 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder BuildRequires: python-kdcproxy >= 0.3 @@ -155,8 +155,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= 0.56.0 -Requires: pki-ca >= 10.3.3 -Requires: pki-kra >= 10.3.3 +Requires: pki-ca >= 10.3.4 +Requires: pki-kra >= 10.3.4 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 8dfb71528d2dc020e05ccd7ff42199218a1c0839..a575f02677112258b8cf5aed56b33898bb5fd8c0 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
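Review bot: Bumping pki-base, pki-ca and pki-kra to >= 10.3.4 in freeipa.spec.in makes master unbuildable for anyone without the COPR until that Dogtag release lands, since the cover mail says 10.3.4 is not released yet; hold the push (or split the dependency bump out) until 10.3.4 reaches the target repositories.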
@@ -463,6 +463,9 @@ class CAInstance(DogtagInstance): config.set("CA", "pki_backup_keys", "True") config.set("CA", "pki_backup_password", self.admin_password) config.set("CA", "pki_profiles_in_ldap", "True") + config.set("CA", "pki_default_ocsp_uri", + "http://{}.{}/ca/ocsp".format( + IPA_CA_RECORD, ipautil.format_netloc(api.env.domain))) # Client security database config.set("CA", "pki_client_database_dir", self.agent_db) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index b4b6243ac19c40f7216a898607d28db52822170f..3955a8cb9faf8e5c3350fc3912ea9f05a4b97719 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -356,6 +356,28 @@ def ca_ensure_lightweight_cas_container(ca): return cainstance.ensure_lightweight_cas_container() +def ca_add_default_ocsp_uri(ca): + root_logger.info('[Adding default OCSP URI configuration]') + if not ca.is_configured(): + root_logger.info('CA is not configured') + return False + + value = installutils.get_directive( + paths.CA_CS_CFG_PATH, + 'ca.defaultOcspUri', + separator='=') + if value: + return False # already set; restart not needed + + installutils.set_directive( + paths.CA_CS_CFG_PATH, + 'ca.defaultOcspUri', + 'http://ipa-ca.%s/ca/ocsp' % ipautil.format_netloc(api.env.domain), + quotes=False, + separator='=') + return True # restart needed + + def upgrade_ca_audit_cert_validity(ca): """ Update the Dogtag audit signing certificate. @@ -1725,6 +1747,7 @@ def upgrade_configuration(): ca_enable_pkix(ca), ca_configure_profiles_acl(ca), ca_configure_lightweight_ca_acls(ca), + ca_add_default_ocsp_uri(ca), ]) if ca_restart: -- 2.5.5 From mbasti at redhat.com Mon Jun 27 12:02:15 2016 
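Review bot: The install-time value for pki_default_ocsp_uri is built from the IPA_CA_RECORD constant, whereas ca_add_default_ocsp_uri in the upgrade.py hunk hard-codes 'http://ipa-ca.%s/ca/ocsp'; if the constant ever changes, fresh installs and upgraded servers would diverge silently, so build the URI in one helper (reusing IPA_CA_RECORD and ipautil.format_netloc) and call it from both places.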
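Review bot: In ca_add_default_ocsp_uri the check "if value: return False" treats a directive that is present but empty (ca.defaultOcspUri=) the same as a missing one, so an administrator who blanked the setting on purpose would have it re-added on every upgrade; test for the value get_directive returns when the key is absent (None) so an explicit empty value is left alone. Running the step on every upgrade instead of gating it with sysupgrade is fine given that it is idempotent once the directive is set, as the follow-up reply in this thread says.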
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 14:02:15 +0200 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> Message-ID: On 27.06.2016 13:58, Fraser Tweedale wrote: > Hi all, > > The attached patch fixes the OCSP URI in the Dogtag CA and system > certificates (https://fedorahosted.org/freeipa/ticket/5956). It > depends on a patch[1] for Dogtag which is expected to be released in > v10.3.4. In the meantime, you can test with the build of v10.3.4 > from my COPR[2]. > > [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html > [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > Cheers, > Fraser > > Hello, this upgrade is executed always, is it on purpose? If not please use sysupgrade and run upgrade only once Martin^2 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pspacek at redhat.com Mon Jun 27 12:02:30 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Mon, 27 Jun 2016 14:02:30 +0200 Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string In-Reply-To: References: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> Message-ID: <7797a6c8-163b-2047-bbcc-79dd2883e01b@redhat.com> On 27.6.2016 11:20, Petr Spacek wrote: > On 27.6.2016 10:30, Martin Basti wrote: >> > >> > >> > On 23.06.2016 18:32, Petr Spacek wrote: >>> >> Hello, >>> >> >>> >> replica-install: Compare domain names as DNS names and not strings >>> >> >>> >> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM" >>> >> were not considered equivalent and installation was wrongly refused. >>> >> >>> >> https://fedorahosted.org/freeipa/ticket/5976 >>> >> >> > >> > NACK, client installer should normalize domain name as host-add does, because >> > it will blow up in different places, we cannot compare this part as DNS name >> > when other parts work with it as strings >> > >> > ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this >> > client to a replica. Local domain 'ipa.example.COM' does not match IPA domain >> > 'ipa.example.com'. > Okay, I will use the same validator as ipa-server-install and normalize it as > you suggested. Here you go. I was not able to find a corner case which would break this. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0138-2-client-Share-validator-and-domain-name-normalization.patch Type: text/x-patch Size: 1588 bytes Desc: not available URL: From mbasti at redhat.com Mon Jun 27 12:03:30 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 14:03:30 +0200 Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string In-Reply-To: <7797a6c8-163b-2047-bbcc-79dd2883e01b@redhat.com> References: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> <7797a6c8-163b-2047-bbcc-79dd2883e01b@redhat.com> Message-ID: <5cbac6aa-7a72-585b-e180-ce0a49073691@redhat.com> On 27.06.2016 14:02, Petr Spacek wrote: > On 27.6.2016 11:20, Petr Spacek wrote: >> On 27.6.2016 10:30, Martin Basti wrote: >>>> >>>> On 23.06.2016 18:32, Petr Spacek wrote: >>>>>> Hello, >>>>>> >>>>>> replica-install: Compare domain names as DNS names and not strings >>>>>> >>>>>> This fixes false positive where user inputs "example.com" and "EXAMPLE.COM" >>>>>> were not considered equivalent and installation was wrongly refused. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/5976 >>>>>> >>>> NACK, client installer should normalize domain name as host-add does, because >>>> it will blow up in different places, we cannot compare this part as DNS name >>>> when other parts work with it as strings >>>> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot promote this >>>> client to a replica. Local domain 'ipa.example.COM' does not match IPA domain >>>> 'ipa.example.com'. >> Okay, I will use the same validator as ipa-server-install and normalize it as >> you suggested. > Here you go. I was not able to find a corner case which would break this. > LGTM From mbabinsk at redhat.com Mon Jun 27 12:04:16 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Mon, 27 Jun 2016 14:04:16 +0200 Subject: [Freeipa-devel] [PATCH 0167] test_serverroles: ensure that test API is initialized with correct ldap_uri Message-ID: <0ea54227-a56c-7894-20e7-a74240770926@redhat.com> Makes the test suite play nice with others during CI. https://fedorahosted.org/freeipa/ticket/6000 -- Martin^3 Babinsky -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbabinsk-0167-test_serverroles-ensure-that-test-API-is-initialized.patch Type: text/x-patch Size: 1339 bytes Desc: not available URL: From ftweedal at redhat.com Mon Jun 27 12:10:08 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 27 Jun 2016 22:10:08 +1000 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> Message-ID: <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> On Mon, Jun 27, 2016 at 02:02:15PM +0200, Martin Basti wrote: > > > On 27.06.2016 13:58, Fraser Tweedale wrote: > > Hi all, > > > > The attached patch fixes the OCSP URI in the Dogtag CA and system > > certificates (https://fedorahosted.org/freeipa/ticket/5956). It > > depends on a patch[1] for Dogtag which is expected to be released in > > v10.3.4. In the meantime, you can test with the build of v10.3.4 > > from my COPR[2]. > > > > [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html > > [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ > > > > Cheers, > > Fraser > > > > > Hello, > > this upgrade is executed always, is it on purpose? > If not please use sysupgrade and run upgrade only once > It is intentional; the directive only gets added if it is missing. I do not see any benefit in gating it with the sysupgrade mechanism. Thanks, Fraser From mbasti at redhat.com Mon Jun 27 12:22:42 2016 
From: mbasti at redhat.com (Martin Basti) Date: Mon, 27 Jun 2016 14:22:42 +0200 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> Message-ID: <645867b1-4296-29b2-c904-40ba1c61650c@redhat.com> On 27.06.2016 14:10, Fraser Tweedale wrote: > On Mon, Jun 27, 2016 at 02:02:15PM +0200, Martin Basti wrote: >> >> On 27.06.2016 13:58, Fraser Tweedale wrote: >>> Hi all, >>> >>> The attached patch fixes the OCSP URI in the Dogtag CA and system >>> certificates (https://fedorahosted.org/freeipa/ticket/5956). It >>> depends on a patch[1] for Dogtag which is expected to be released in >>> v10.3.4. In the meantime, you can test with the build of v10.3.4 >>> from my COPR[2]. >>> >>> [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html >>> [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>> >>> Cheers, >>> Fraser >>> >>> >> Hello, >> >> this upgrade is executed always, is it on purpose? >> If not please use sysupgrade and run upgrade only once >> > It is intentional; the directive only gets added if it is missing. > I do not see any benefit in gating it with the sysupgrade mechanism. > > Thanks, > Fraser Ok From dkupka at redhat.com Mon Jun 27 12:55:08 2016 
From: dkupka at redhat.com (David Kupka) Date: Mon, 27 Jun 2016 14:55:08 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> Message-ID: <16fe8df8-0ee1-c68a-f444-784d298ce289@redhat.com> On 28/04/16 14:45, Jan Cholasta wrote: > Hi, > > I have pushed my thin client WIP branch to GitHub: > . > > All commits up to "ipalib: use relative imports for cross-plugin > imports" should be good for review. The rest is subject to change > (WARNING: I will force push into this branch). > > Honza > Hello! Patch set: schema: client-side cleanup automember: fix automember to work with thin client schema: do not crash in command_defaults if argument is None schema: fix param default value handling works* for me, ACK. *) xmlrpc test for automember_plugin test started failing with automember patch. Fix for test attached. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0106.0-test-automember-Fix-expected-exception-message.patch Type: text/x-patch Size: 1449 bytes Desc: not available URL: From pvomacka at redhat.com Mon Jun 27 12:55:10 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 27 Jun 2016 14:55:10 +0200 Subject: [Freeipa-devel] [PATCH] 0018-0030, 52 webui: add support for more certificates In-Reply-To: References: <571F520B.2000501@redhat.com> <571F58E7.1070703@redhat.com> <571F79E2.2000106@redhat.com> Message-ID: <83f3f3a3-4521-1663-26e5-735060970b3a@redhat.com> On 06/23/2016 03:17 PM, Petr Vobornik wrote: > comments inline > > On 06/20/2016 02:37 PM, Pavel Vomacka wrote: >> >> On 06/14/2016 09:41 PM, Pavel Vomacka wrote: >>> >>> On 05/13/2016 06:56 PM, Petr Vobornik wrote: >>>> On 04/26/2016 04:23 PM, Pavel Vomacka wrote: >>>>> Self-NACK for patches 0027, 28, 29, 30 - used incorrect policy. I also attach >>>>> all patches which were not changed - it is easier to get the whole patchset. >>>>> >>>>> On 04/26/2016 02:02 PM, Pavel Vomacka wrote: >>>>>> I forgot to mention that my patches require patches from: >>>>>> https://www.redhat.com/archives/freeipa-devel/2016-April/msg00209.html >>>>>> >>>>>> >>>>>> On 04/26/2016 01:33 PM, Pavel Vomacka wrote: >>>>>>> Hello, >>>>>>> >>>>>>> the attached patches add support for more certificates and the ability to add and >>>>>>> remove certificates. Fixes these two tickets: >>>>>>> https://fedorahosted.org/freeipa/ticket/5108 >>>>>>> https://fedorahosted.org/freeipa/ticket/5381 >>>>>>> >>>>>>> These patches add the ability to view, get, download, revoke, restore and delete >>>>>>> each certificate directly from user/host/service details page. There is also a >>>>>>> button for adding new certificates. >>>>>>> >>>>>>> There is one known issue, that after page save action is performed some data >>>>>>> disappear (includes certificates). This issue has a ticket already: >>>>>>> https://fedorahosted.org/freeipa/ticket/5776 >>>>>>> >>>>>>> -- >>>>>>> Pavel^3 Vomacka >>>>>>> >>>> Great stuff, couple comments below. >>>> >>>> We can discuss some items in person. Not everything needs to be done. >>>> >>>> I didn't run it, just reading the code. 
>>>> >>>> Patch 0018: >>>> >>>> 1. Nit pick: When a value should be boolean, then the following method won't >>>> make sure that dropdown_menu won't be, e.g., an object. >>>> + that.dropdown_menu = spec.dropdown_menu || false; >>>> >>>> I would prefer: >>>> + that.dropdown_menu = !!spec.dropdown_menu; >>>> >>>> Which retypes it to boolean. If the default should be true (not this case) then: >>>> that.dropdown_menu = spec.dropdown_menu !== undefined ? >>>> !!spec.dropdown_menu : true; >>>> >>>> Also the interface is very specific. It says that the child widget will >>>> have a dropdown menu. What if the actions won't be in a dropdown menu but, >>>> e.g., some overlay menu? >>>> >>>> Imho the interface should be: >>>> >>>> that.custom_actions = !!spec.custom_actions; >>>> >>>> Then the child object would have to define, e.g.: >>>> >>>> action_object get_custom_actions() >>>> >>>> The interface of action_object would be e.g.: >>>> get_items() >>>> set_items(items) >>>> enable_item(name) >>>> disable_item(name) >>>> >>>> Dropdown menu would have to define these methods. > > It calls .render on the custom actions object. But this method is not part > of the interface: > + custom_actions.render(); > > IMHO it should be called internally in the widget as a result of a > set_items, disable_item or enable_item call. Fixed. >>>> Patch 0019: >>>> >>>> 1. Shouldn't disable_item or enable_item automatically rerender the items? > Same for set and get_items. As mentioned above. > > The render code in disable/enable_item should be executed only if > this.ul_node exists. > Fixed. >>>> 2. The rerender, used in later patches. Imo it should do only: >>>> >>>> if (this.ul_node) { >>>> construct.empty(this.ul_node); >>>> this._render_items(this.items); >>>> } >>>> >>>> Or just re-render the one item. >>>> $( "li[data-name=" + item.name +"]", this.ul_node ).replaceWith( >>>> this._render_item(item)); >>>> >>>> 3. 
in future for loops write: >>>> for (var i=0, l=this.items.length; i<l; i++) { >>>> instead of >>>> for (var i=0; i<this.items.length; i++) { >>>> >>>> It's a defensive style for when you don't know if computing length is O(1) or >>>> O(n) or how big n is. In this instance it probably doesn't matter. >>>> >>>> Patch 0020: >>>> >>>> 1. Working widgets inherit from IPA.widget, so why do you redefine >>>> 'name', 'facet', 'entity'? >>>> >>>> 2. why do you introduce 'base_cls' and 'other_cls' when there are >>>> 'base_css_class' and 'css_class'? >>>> >>>> 3. typo in comment 'opaciti' >>>> >>>> 4. We can ignore IE < 9, I'm not sure if you avoid using some features >>>> because of IE9. >>>> >>>> 5. _normalize_bg_color_css could be moved to util.js. But I wonder if we >>>> need it. rgba is supported in 95% of browsers and definitely in all >>>> supported by IPA (chrome, firefox). > Patch 0020-2: ACK > >>>> Patch 0021: >>>> >>>> 1. The original code is not great - RPC code should be agnostic to the >>>> display layer. Ideally it would not call methods like >>>> IPA.hide_activity_icon(); and IPA.display_activity_icon(); >>>> >>>> I would rather avoid adding more of such things there and would refactor >>>> now, when it is easy. >>>> >>>> IMO the rpc class could use the Evented mixin and have: >>>> 4 local events: start, end, success, error >>>> 2 global topics: rpc-start, rpc-end >>>> >>>> Local events will be new - they will replace notify_activity_start and >>>> notify_activity_end. For convenience, the spec object could accept >>>> handlers in a similar fashion as now. The handlers would be registered to >>>> the events. >>>> >>>> Global topics would replace the current IPA.hide_activity_icon(); and >>>> IPA.display_activity_icon(); >>>> >>>> The App class would subscribe to the global events and do stuff (hide|show) >>>> accordingly. 
Example of such a subscription: >>>> topic.subscribe('phase-error', lang.hitch(this, this.on_phase_error)); >>>> >>>> Then hide_activity_icon could be something like notify_global, with >>>> default true, which can be suppressed by setting it to false. >>>> >>>> What do you think? > OK, if addressed later then ACK for 0021-2, which is the same as 0021 > >>>> Patch 0022: >>>> >>>> 1. Leftover line: >>>> var sn = record[i].serial_number; > 0022-2: ACK > >>>> Patch 0023: >>>> >>>> 1. move the css code from ipa.css to layout.less? >>>> >>>> 2. Did you mean "display: table"? >>>> display: cert-table; >>>> >>>> 3. Why are create_layout, create_row and create_cell private methods of >>>> create_content? It would make sense to create a table dialog mixin >>>> (similar to the confirm mixin) and use the same code in all cert dialogs (if >>>> applicable). >>>> >>>> 4. The 'table-head' class is used in every cell. Why is it called 'head' when >>>> it is in fact in all cells? > 1. the table mixin has prepared space for doc text but nothing is there > 2. while at it (otherwise don't bother), remove the empty line at the end of > create_cell, create_row, create_header_cell > > 3. When I see the content of create_content on certificate.js:316, the > following is repeated many times; it can be changed into a reusable > function. > > row = that.create_row().appendTo(table_layout); > row.append(that > .create_header_cell('@i18n:objects.cert.organizational_unit', ':')); > row.append(that.create_cell(that.subject.ou, '', 'break-words')); > > create_cert_row(header, value).appendTo(table_layout); > > But I don't insist on this change. Changed. > >>>> Patch 0024: >>>> >>>> Will require changes described in patch 21 (rpc). >>>> >>>> 1. should the methods rather have the params serial_number and >>>> revocation_reason, instead of certificate (maybe ok) and dialog (not ok)? >>>> That way it would be more general/reusable. > 1. 
buttons.restore should not be removed, it is still used on > stageuser.js:309: label: '@i18n:buttons.restore', The label is put back. > >>>> Patch 0025: ACK > Why doesn't the new revision remove the IPA.cert.view_action and > IPA.cert.get_action implementation? I accidentally removed it. Put back in the new revision. > >>>> Patch 0026: >>>> >>>> 1. The Add link uses exactly the same code as in multivalued_widget. The code >>>> should be moved to a method: create_add_link(container) and then reused. >>>> new_row would be overridden and it would call open_addcert_dialog, or >>>> open_addcert_dialog renamed to new_row. >>>> >>>> 2. it can have a spec default: >>>> spec.dropdown_menu = spec.dropdown_menu === undefined ? true : >>>> spec.dropdown_menu; >>>> >>>> And then it doesn't have to be defined in patches 28, 29, 30. > 1. why is there a custom certs_field with: > spec.adapter = spec.field_adapter || {}; > > field_adapter was supposed to be used only in section. In field IMHO, > you can use the 'adapter' spec property directly. We can use > f.register('certs', field.field); > > Or am I missing something? No, you are not. Changed from field_adapter to adapter. > > 0027-4: ACK > > 0028-3: ACK Because of the change above there is a new revision of patch 0028. > > > Patch 0029-3 and 0030-3: > > If 0028 makes IPA.host.has_password_evaluator reusable, then it might be > good to rename it/move it so that it is not called "host". > > And then IPA.service.has_keytab_evaluator needs to be removed. > I guess that you meant IPA.host.has_keytab_evaluator in the first sentence too. So I hope that this is fixed. > >>> >> I moved a big part of the certs_widget code to the more general >> custom_command_multivalued_widget. This change will be useful in the future. >> >> Updated patches attached. It would be nice to apply patch 57 between patches 25 >> and 26, but it should be possible to apply it on top. > Patch 52-2: ACK > > Patch 57: ACK > > 1. 
I wonder if `entity: that.facet.entity.name` in create_add_command > will be future-proof, but that can be improved later. I'm not sure why it is not future-proof. We can discuss it later. > > > In general: I don't like the fact that the cert-find command takes at least > 1.2s, which makes loading of the user, host and service details pages 6x slower > than before. From the access log, it seems it (or dogtag) does too many > unnecessary things. Yes, that's true. I'm adding jcholast to CC; I think that he should know about it. Updated patches attached. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0018-3-Add-support-for-custom-menu-in-multivalued-widget.patch Type: text/x-patch Size: 4603 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0019-3-Extends-functionality-of-DropdownWidget.patch Type: text/x-patch Size: 2227 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0023-3-Refactored-certificate-view-and-remove-hold-dialog.patch Type: text/x-patch Size: 14593 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0024-3-Changed-the-way-how-to-handle-remove-hold-and-revoke.patch Type: text/x-patch Size: 3513 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0025-3-Remove-old-useless-actions-get-and-view.patch Type: text/x-patch Size: 3399 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0026-4-Add-widget-for-showing-multiple-certificates.patch Type: text/x-patch Size: 9868 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-pvomacka-0028-4-Add-new-certificates-widget-to-the-user-details-page.patch Type: text/x-patch Size: 2405 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0029-4-Add-new-certificates-widget-to-the-host-details-page.patch Type: text/x-patch Size: 6607 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0030-4-Add-new-certificates-widget-to-the-service-details-p.patch Type: text/x-patch Size: 3640 bytes Desc: not available URL: From redhatrises at gmail.com Mon Jun 27 13:01:32 2016 From: redhatrises at gmail.com (Gabe Alford) Date: Mon, 27 Jun 2016 07:01:32 -0600 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> Message-ID: On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud wrote: > Hi, > > this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client > installation in a FIPS-140 mode > It prevents installation of FreeIPA if the host is fips-enabled. > > https://fedorahosted.org/freeipa/ticket/5761 > Shouldn't this be about fixing FreeIPA to allow installation/operation in FIPS mode rather than disabling it? There are many environments where FIPS is required, and FreeIPA should support it. Gabe -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Mon Jun 27 13:55:20 2016 
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2016 09:55:20 -0400 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> Message-ID: <57713048.6020201@redhat.com> Petr Spacek wrote: > On 27.6.2016 08:38, Florence Blanc-Renaud wrote: >> Hi, >> >> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client >> installation in a FIPS-140 mode >> It prevents installation of FreeIPA if the host is fips-enabled. >> >> https://fedorahosted.org/freeipa/ticket/5761 >> >> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch >> >> >> >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 >> From: Florence Blanc-Renaud >> Date: Fri, 24 Jun 2016 16:16:22 +0200 >> Subject: [PATCH] Do not allow installation in FIPS mode >> >> https://fedorahosted.org/freeipa/ticket/5761 >> --- >> client/ipa-client-install | 4 ++++ >> install/tools/ipactl | 6 ++++++ >> ipaserver/install/server/install.py | 5 +++++ >> ipaserver/install/server/replicainstall.py | 5 +++++ >> 4 files changed, 20 insertions(+) >> >> diff --git a/client/ipa-client-install b/client/ipa-client-install >> index 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 100755 >> --- a/client/ipa-client-install >> +++ b/client/ipa-client-install 
>> @@ -3064,6 +3064,10 @@ def main(): >> >> if not os.getegid() == 0: >> sys.exit("\nYou must be root to run ipa-client-install.\n") >> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: > > Usually it is safer to call open() and catch exception if the file does not > exist. The code above has inherent problem with race-conditions between time > of check (path.exists) and time of use (open). > > Of course it is not a problem here because this file is part of kernel's > interface but in general please use the try: open() except: form. > >> + if f.read().strip() != '0': >> + sys.exit("Cannot install IPA client in FIPS mode") > > Personally I would like to see more informative messages. > > I would recommend something like " is not supported in FIPS mode". > > In my eyes it is difference between "How do I ...? You dont!" vs "How do I > ...? Sorry, we do not support that right now." Given that this code is duplicated 4 times I'd also move it to a function in ipapython, is_fips_enabled() or something . rob > > > Sorry for nitpicking! :-) > > Petr^2 Spacek > > > >> tasks.check_selinux_status() >> logging_setup(options) >> root_logger.debug( >> diff --git a/install/tools/ipactl b/install/tools/ipactl >> index 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 100755 >> --- a/install/tools/ipactl >> +++ b/install/tools/ipactl >> @@ -545,6 +545,12 @@ def main(): >> elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status": >> raise IpactlError("Unrecognized action [" + args[0] + "]", 2) >> >> + if (args[0] in ('start', 'restart') and >> + os.path.exists('/proc/sys/crypto/fips_enabled')): >> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >> + if f.read().strip() != '0': >> + raise IpactlError("Cannot start IPA server in FIPS mode") >> + >> # check if IPA is configured at all >> try: >> check_IPA_configuration() 
>> diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py >> index 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d 100644 >> --- a/ipaserver/install/server/install.py >> +++ b/ipaserver/install/server/install.py >> @@ -319,6 +319,11 @@ def install_check(installer): >> external_ca_file = installer._external_ca_file >> http_ca_cert = installer._ca_cert >> >> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >> + if f.read().strip() != '0': >> + sys.exit("Cannot install IPA server in FIPS mode") >> + >> tasks.check_selinux_status() >> >> if options.master_password: >> diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py >> index 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 100644 >> --- a/ipaserver/install/server/replicainstall.py >> +++ b/ipaserver/install/server/replicainstall.py >> @@ -485,6 +485,11 @@ def install_check(installer): >> options = installer >> filename = installer.replica_file >> >> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >> + if f.read().strip() != '0': >> + sys.exit("Cannot install IPA server in FIPS mode") >> + >> tasks.check_selinux_status() >> >> if is_ipa_configured(): >> -- 2.7.4 > From rcritten at redhat.com Mon Jun 27 13:57:46 2016 
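Review bot: in the ipa-client-install hunk (@@ -3064), `if os.path.exists('/proc/sys/crypto/fips_enabled'):` followed by `with open(...)` is a check-then-use pattern that buys nothing here, because the `f.read().strip() != '0'` comparison already fails closed on any content other than '0'. Open the file inside a `try:` block, treat ENOENT as "FIPS off" (a kernel without the sysctl), let other errors propagate, and keep the `!= '0'` test as the single source of truth.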
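Review bot: in the ipactl hunk (@@ -545), `raise IpactlError("Cannot start IPA server in FIPS mode")` drops the exit code that the neighbouring `raise IpactlError("Unrecognized action [" + args[0] + "]", 2)` passes; give the FIPS refusal an explicit, distinct code so callers and unit files can tell it from other failures. Gating only `'start'` and `'restart'` is the right choice: `stop` and `status` must keep working on a host switched to FIPS mode after installation.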
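Review bot: the install.py (@@ -319) and replicainstall.py (@@ -485) hunks are identical down to the message "Cannot install IPA server in FIPS mode", so a refused replica install reports itself as a refused server install. Move the five lines into one helper and have each call site pass its own component name, so the message can read "<component> is not supported in FIPS mode" as suggested above and the four copies cannot drift apart.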
From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2016 09:57:46 -0400 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> Message-ID: <577130DA.9010806@redhat.com> Gabe Alford wrote: > On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud > > wrote: > > Hi, > > this fix is a port of Bug 1131570 - Do not allow IdM > server/replica/client installation in a FIPS-140 mode > It prevents installation of FreeIPA if the host is fips-enabled. > > https://fedorahosted.org/freeipa/ticket/5761 > > > Shouldn't this be about fixing FreeIPA to allow installation/operation > in FIPS mode rather than disabling it? There are many environments where > FIPS is required, and FreeIPA should support it. This is a stop-gap measure to provide users with reasonable feedback on the current state of things. Getting FIPS working, particularly in the server, is a somewhat non-trivial task. rob From ldoudova at redhat.com Mon Jun 27 14:00:45 2016 From: ldoudova at redhat.com (Lenka Doudova) Date: Mon, 27 Jun 2016 16:00:45 +0200 Subject: [Freeipa-devel] [PATCH 0167] test_serverroles: ensure that test API is initialized with correct ldap_uri In-Reply-To: <0ea54227-a56c-7894-20e7-a74240770926@redhat.com> References: <0ea54227-a56c-7894-20e7-a74240770926@redhat.com> Message-ID: On 06/27/2016 02:04 PM, Martin Babinsky wrote: > Makes the test suite play nice with others during CI. > > https://fedorahosted.org/freeipa/ticket/6000 > ACK, thank you! Lenka From pvomacka at redhat.com Mon Jun 27 14:34:54 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 27 Jun 2016 16:34:54 +0200 Subject: [Freeipa-devel] [PATCH] 0058 WebUI: certificate widget on ID override user page In-Reply-To: <60dc6971-d853-ad03-0272-77077dd251a6@redhat.com> References: <8d5edba0-0b80-8ccf-6d71-13f977c4b94b@redhat.com> <60dc6971-d853-ad03-0272-77077dd251a6@redhat.com> Message-ID: On 06/23/2016 04:25 PM, Petr Vobornik wrote: > On 06/20/2016 06:54 PM, Pavel Vomacka wrote: >> Hello, >> >> please review the attached patch. >> >> https://fedorahosted.org/freeipa/ticket/5926 >> > 1. I'm not sure whether to include the certificate field in the adder > dialog. But if so, then it is not good that it accepts different output > than a cert widget. The difference is that the cert widget is able to work > also with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" > values. Oh, you are right, I forgot to add the custom widget which handles that. Fixed now. > > Otherwise it works well. > > If we decide not to fix 1. in this patch then ACK. > > Push should wait on the other cert patches. > Updated patch attached. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0058-2-Add-certificate-widget-to-ID-override-user-details-p.patch Type: text/x-patch Size: 7120 bytes Desc: not available URL: From jcholast at redhat.com Mon Jun 27 14:44:46 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 27 Jun 2016 16:44:46 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <16fe8df8-0ee1-c68a-f444-784d298ce289@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <16fe8df8-0ee1-c68a-f444-784d298ce289@redhat.com> Message-ID: <93e36dc7-30c1-3a6c-9304-987e279a98f8@redhat.com> On 27.6.2016 14:55, David Kupka wrote: > On 28/04/16 14:45, Jan Cholasta wrote: >> Hi, >> >> I have pushed my thin client WIP branch to GitHub: >> . >> >> All commits up to "ipalib: use relative imports for cross-plugin >> imports" should be good for review. The rest is subject to change >> (WARNING: I will force push into this branch). >> >> Honza >> > > Hello! > > Patch set: > schema: client-side cleanup > automember: fix automember to work with thin client > schema: do not crash in command_defaults if argument is None > schema: fix param default value handling > > works* for me, ACK. Thanks, pushed to master: f7cc15f0990ef2db57717a3c6a8e9db2c3dee951 Attaching the patches for reference. > > *) xmlrpc test for automember_plugin test started failing with > automember patch. Fix for test attached. LGTM -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-650-schema-fix-param-default-value-handling.patch Type: text/x-patch Size: 3922 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-651-schema-do-not-crash-in-command_defaults-if-argument-.patch Type: text/x-patch Size: 909 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-652-automember-fix-automember-to-work-with-thin-client.patch Type: text/x-patch Size: 6643 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-653-schema-client-side-code-cleanup.patch Type: text/x-patch Size: 17999 bytes Desc: not available URL: From pvomacka at redhat.com Mon Jun 27 15:48:14 2016 From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 27 Jun 2016 17:48:14 +0200 Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command In-Reply-To: <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com> References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com> <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com> Message-ID: On 06/23/2016 04:58 PM, Petr Vobornik wrote: > On 06/23/2016 04:34 PM, Martin Basti wrote: >> >> On 23.06.2016 09:57, Pavel Vomacka wrote: >>> Hello, >>> >>> please review attached patch. >>> >>> Part of: https://fedorahosted.org/freeipa/ticket/5905 >>> >>> >>> >> Works for me >> > In this patch and also in some other(cert patches) the confirm message > has following structure: > To confirm your intention to $action, click the $button_name button. > > On other places of Web UI, more human and easier structure is used: > Do you want to update DNS records? > [Update] [Cancel] > > IMHO we should use it here as well. And the same for(separate path): > remove_certificate_hold_confirmation > revoke_confirmation" > > > otherwise the patch is OK. > The patch with simplified confirm message is attached. Patch with new 'remove cert hold' and 'revoke cert' messages will be sent in separate thread. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0061-2-Add-button-for-dns_update_system_records-command.patch Type: text/x-patch Size: 4216 bytes Desc: not available URL: From pvomacka at redhat.com Mon Jun 27 15:50:20 2016 
From: pvomacka at redhat.com (Pavel Vomacka) Date: Mon, 27 Jun 2016 17:50:20 +0200 Subject: [Freeipa-devel] [PATCH] 0064: webui: simplify confirmation messages in confirmation dialogs Message-ID: <88cd8843-8e38-5c82-5908-ec9cd1f4fcfe@redhat.com> Hello, Please review attached patch which simplifies confirmation messages for 'remove cert hold' and 'restore cert' actions. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0064-Simplify-the-confirmation-messages.patch Type: text/x-patch Size: 5122 bytes Desc: not available URL: From mkubik at redhat.com Mon Jun 27 15:55:47 2016 From: mkubik at redhat.com (Milan Kubík) Date: Mon, 27 Jun 2016 17:55:47 +0200 Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR Message-ID: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> Hi all, the pki packages that are currently in the COPR repo [1] are broken. There is a conflict between pki-server and pki-base: Error: Transaction check error: file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/ Regards -- Milan Kubik -------------- next part -------------- An HTML attachment was scrubbed... URL: From blipton at redhat.com Mon Jun 27 17:14:21 2016 
From: blipton at redhat.com (Ben Lipton) Date: Mon, 27 Jun 2016 13:14:21 -0400 Subject: [Freeipa-devel] [WIP] Automatic CSR generation - first steps Message-ID: <0f176317-3fd1-f0c8-88a7-a593be092e19@redhat.com> Hi, I have implemented the core functionality of the automatic CSR generation design (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation). The code (which should be considered a work in progress) is available at https://github.com/LiptonB/freeipa/pull/2, please take a look and let me know what you think! First, a demo, then some notes: [root at ipavm ~]# ipa cert-get-requestdata --principal host/hostname.ipadom.example.com --format openssl Debug output: [req] prompt = no distinguished_name = sec0 req_extensions = exts [sec0] CN=hostname.ipadom.example.com O=IPADOM.EXAMPLE.COM [sec1] DNS=hostname.ipadom.example.com [exts] subjectAltName=@sec1 [root at ipavm ~]# ipa cert-get-requestdata --principal host/hostname.ipadom.example.com --format certutil Debug output: certutil -R -s CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN dns:hostname.ipadom.example.com Notes: - This is implemented using the four-level schema (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A). I'm very interested in comments on improving the schema or the way I interact with it in the code. - Only includes rules for one profile at the moment, and it's probably not one you'd use (it weirdly puts the FQDN in both Subject and SubjectAltName). Think of it as an example to show that extensions are supported. - Right now, transformation rules are implemented in python. Migrating them to a scheme where rules are text-based and can be added at runtime is a future goal. -------------- next part -------------- An HTML attachment was scrubbed... URL: From blipton at redhat.com Mon Jun 27 17:44:34 2016 
From: blipton at redhat.com (Ben Lipton) Date: Mon, 27 Jun 2016 13:44:34 -0400 Subject: [Freeipa-devel] [WIP] Automatic CSR generation - first steps In-Reply-To: <0f176317-3fd1-f0c8-88a7-a593be092e19@redhat.com> References: <0f176317-3fd1-f0c8-88a7-a593be092e19@redhat.com> Message-ID: <7b971146-6d1b-5a4e-c230-97de8e962842@redhat.com> My email client is playing tricks on me - https://github.com/LiptonB/freeipa/pull/2 is the correct link. On 06/27/2016 01:14 PM, Ben Lipton wrote: > Hi, > > I have implemented the core functionality of the automatic CSR > generation design > (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation). > The code (which should be considered a work in progress) is available > at https://github.com/LiptonB/freeipa/pull/2, please take a look and > let me know what you think! > > First, a demo, then some notes: > > [root at ipavm ~]# ipa cert-get-requestdata --principal > host/hostname.ipadom.example.com --format openssl > Debug output: [req] > prompt = no > distinguished_name = sec0 > req_extensions = exts > > [sec0] > CN=hostname.ipadom.example.com > O=IPADOM.EXAMPLE.COM > > [sec1] > DNS=hostname.ipadom.example.com > > [exts] > subjectAltName=@sec1 > > > [root at ipavm ~]# ipa cert-get-requestdata --principal > host/hostname.ipadom.example.com --format certutil > Debug output: certutil -R -s > CN=hostname.ipadom.example.com,O=IPADOM.EXAMPLE.COM --extSAN > dns:hostname.ipadom.example.com > > > Notes: > - This is implemented using the four-level schema > (http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema#Option_A). > I'm very interested in comments on improving the schema or the way I > interact with it in the code. > - Only includes rules for one profile at the moment, and it's probably > not one you'd use (it weirdly puts the FQDN in both Subject and > SubjectAltName). Think of it as an example to show that extensions are > supported. > - Right now, transformation rules are implemented in python. 
Migrating > them to a scheme where rules are text-based and can be added at > runtime is a future goal. -------------- next part -------------- An HTML attachment was scrubbed... URL: From lslebodn at redhat.com Mon Jun 27 18:11:17 2016 From: lslebodn at redhat.com (Lukas Slebodnik) Date: Mon, 27 Jun 2016 20:11:17 +0200 Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR In-Reply-To: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> Message-ID: <20160627181116.GE31123@10.4.128.1> On (27/06/16 17:55), Milan Kubík wrote: >Hi all, > >the pki packages that are currently in the COPR repo [1] are broken. There is >a conflict between pki-server and pki-base: > >Error: Transaction check error: > file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch > file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch > >[1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/ > I can see the same with pki-core in fedora 24 updates-testing. File a fedora bug. LS From frenaud at redhat.com Mon Jun 27 18:14:19 2016 
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Mon, 27 Jun 2016 20:14:19 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <57713048.6020201@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> Message-ID: <22be7ada-62af-2017-c479-caabb598d572@redhat.com> On 06/27/2016 03:55 PM, Rob Crittenden wrote: > Petr Spacek wrote: >> On 27.6.2016 08:38, Florence Blanc-Renaud wrote: >>> Hi, >>> >>> this fix is a port of Bug 1131570 - Do not allow IdM >>> server/replica/client >>> installation in a FIPS-140 mode >>> It prevents installation of FreeIPA if the host is fips-enabled. >>> >>> https://fedorahosted.org/freeipa/ticket/5761 >>> >>> freeipa-frenaud-0008-Do-not-allow-installation-in-FIPS-mode.patch >>> >>> >>> >From afecbb3d228cf1d6cee59da53bf7a803f030d0b1 Mon Sep 17 00:00:00 2001 >>> From: Florence Blanc-Renaud >>> Date: Fri, 24 Jun 2016 16:16:22 +0200 >>> Subject: [PATCH] Do not allow installation in FIPS mode >>> >>> https://fedorahosted.org/freeipa/ticket/5761 >>> --- >>> client/ipa-client-install | 4 ++++ >>> install/tools/ipactl | 6 ++++++ >>> ipaserver/install/server/install.py | 5 +++++ >>> ipaserver/install/server/replicainstall.py | 5 +++++ >>> 4 files changed, 20 insertions(+) >>> >>> diff --git a/client/ipa-client-install b/client/ipa-client-install >>> index >>> 0a601b63118b0a3568066495837121c65e5df04f..f80ff9c469709ea3b63902610b3b8b5c35448904 >>> 100755 >>> --- a/client/ipa-client-install >>> +++ b/client/ipa-client-install 
>>> @@ -3064,6 +3064,10 @@ def main(): >>> >>> if not os.getegid() == 0: >>> sys.exit("\nYou must be root to run ipa-client-install.\n") >>> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >>> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >> >> Usually it is safer to call open() and catch exception if the file >> does not >> exist. The code above has inherent problem with race-conditions >> between time >> of check (path.exists) and time of use (open). >> >> Of course it is not a problem here because this file is part of kernel's >> interface but in general please use the try: open() except: form. >> >>> + if f.read().strip() != '0': >>> + sys.exit("Cannot install IPA client in FIPS mode") >> >> Personally I would like to see more informative messages. >> >> I would recommend something like " is not supported in FIPS >> mode". >> >> In my eyes it is difference between "How do I ...? You dont!" vs "How >> do I >> ...? Sorry, we do not support that right now." > > Given that this code is duplicated 4 times I'd also move it to a > function in ipapython, is_fips_enabled() or something . > > rob > >> >> >> Sorry for nitpicking! :-) >> >> Petr^2 Spacek >> >> >> >>> tasks.check_selinux_status() >>> logging_setup(options) >>> root_logger.debug( >>> diff --git a/install/tools/ipactl b/install/tools/ipactl >>> index >>> 547b21d875dff7231fae8dfc10faf995b0ca230b..9c68fffe73bfdd97789907226f8765c09707d552 >>> 100755 >>> --- a/install/tools/ipactl >>> +++ b/install/tools/ipactl 
>>> @@ -545,6 +545,12 @@ def main(): >>> elif args[0] != "start" and args[0] != "stop" and args[0] != >>> "restart" and args[0] != "status": >>> raise IpactlError("Unrecognized action [" + args[0] + "]", 2) >>> >>> + if (args[0] in ('start', 'restart') and >>> + os.path.exists('/proc/sys/crypto/fips_enabled')): >>> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >>> + if f.read().strip() != '0': >>> + raise IpactlError("Cannot start IPA server in FIPS >>> mode") >>> + >>> # check if IPA is configured at all >>> try: >>> check_IPA_configuration() >>> diff --git a/ipaserver/install/server/install.py >>> b/ipaserver/install/server/install.py >>> index >>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..0c0683733ef38444a82d085f771596a9b066ef1d >>> 100644 >>> --- a/ipaserver/install/server/install.py >>> +++ b/ipaserver/install/server/install.py >>> @@ -319,6 +319,11 @@ def install_check(installer): >>> external_ca_file = installer._external_ca_file >>> http_ca_cert = installer._ca_cert >>> >>> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >>> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >>> + if f.read().strip() != '0': >>> + sys.exit("Cannot install IPA server in FIPS mode") >>> + >>> tasks.check_selinux_status() >>> >>> if options.master_password: >>> diff --git a/ipaserver/install/server/replicainstall.py >>> b/ipaserver/install/server/replicainstall.py >>> index >>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..a2946339c7aeee8529f6ecf8ec4d85c9291fd291 >>> 100644 >>> --- a/ipaserver/install/server/replicainstall.py >>> +++ b/ipaserver/install/server/replicainstall.py 
>>> @@ -485,6 +485,11 @@ def install_check(installer): >>> options = installer >>> filename = installer.replica_file >>> >>> + if os.path.exists('/proc/sys/crypto/fips_enabled'): >>> + with open('/proc/sys/crypto/fips_enabled', 'r') as f: >>> + if f.read().strip() != '0': >>> + sys.exit("Cannot install IPA server in FIPS mode") >>> + >>> tasks.check_selinux_status() >>> >>> if is_ipa_configured(): >>> -- 2.7.4 >> > Hi all, thanks for your suggestions. Updated patch attached. Flo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0008-2-Do-not-allow-installation-in-FIPS-mode.patch Type: text/x-patch Size: 5211 bytes Desc: not available URL: From rcritten at redhat.com Mon Jun 27 20:18:15 2016 From: rcritten at redhat.com (Rob Crittenden) Date: Mon, 27 Jun 2016 16:18:15 -0400 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <22be7ada-62af-2017-c479-caabb598d572@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> Message-ID: <57718A07.8000708@redhat.com> Florence Blanc-Renaud wrote: > Hi all, > > thanks for your suggestions. Updated patch attached. > Flo. > The invocation in ipactl should say server, not client. Otherwise LGTM (untested). rob From ldoudova at redhat.com Tue Jun 28 04:34:33 2016 
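Review bot: the same block (`os.path.exists('/proc/sys/crypto/fips_enabled')`, then `open()`, then compare the stripped content to `'0'`) is pasted into all four hunks (ipa-client-install, ipactl, install.py, replicainstall.py) with only the exit message differing; move it into a single helper such as `is_fips_enabled()` in ipapython that opens the file directly and catches the not-found error, so the exists/open pair and the `!= '0'` comparison are maintained in one place and the four call sites can share one wording.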
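Review bot: the install.py and replicainstall.py hunks call `sys.exit("Cannot install IPA server in FIPS mode")` from inside `install_check()`, a library function, which bypasses the calling script's logging and cleanup; raise an exception there instead (the ipactl hunk already does this with `raise IpactlError(...)`) and let the install scripts turn it into the exit status.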
From: ldoudova at redhat.com (Lenka Doudova) Date: Tue, 28 Jun 2016 06:34:33 +0200 Subject: [Freeipa-devel] [PATCH 0023][Tests] Fix frontend tests - #5987 Message-ID: <2e56ec52-1831-dc0d-bde4-6635321b9236@redhat.com> Hi, I've made a patch to fix https://fedorahosted.org/freeipa/ticket/5987. Please note that this patch must be applied on top of my patch no. 0018, which provides other fixes on the same file (and same test). Lenka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ldoudova-0023-Tests-Fix-frontend-tests.patch Type: text/x-patch Size: 1245 bytes Desc: not available URL: From jcholast at redhat.com Tue Jun 28 06:04:02 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jun 2016 08:04:02 +0200 Subject: [Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs In-Reply-To: <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> References: <20160601045104.GB4744@dhcp-40-8.bne.redhat.com> <20160607054221.GP4744@dhcp-40-8.bne.redhat.com> <20160608031541.GR4744@dhcp-40-8.bne.redhat.com> <78415ac3-0da3-d76a-afc6-4d083fdbfc1a@redhat.com> <20160608152129.GU4744@dhcp-40-8.bne.redhat.com> <20160609064448.GZ4744@dhcp-40-8.bne.redhat.com> <66e6cde6-376a-3145-179a-7a78f6cdea8b@redhat.com> <20160609091050.GA4744@dhcp-40-8.bne.redhat.com> <20160609144800.GD4744@dhcp-40-8.bne.redhat.com> <20160613063834.GQ4744@dhcp-40-8.bne.redhat.com> <05f5b503-2f10-c410-0ac7-32810e4e58ed@redhat.com> Message-ID: <92f1fcdb-9c1a-f5cb-4aaa-024ae63baf63@redhat.com> On 13.6.2016 08:59, Jan Cholasta wrote: > On 13.6.2016 08:38, Fraser Tweedale wrote: >> On Fri, Jun 10, 2016 at 12:48:00AM +1000, Fraser Tweedale wrote: >>> On Thu, Jun 09, 2016 at 12:36:35PM +0200, Jan Cholasta wrote: >>>> On 9.6.2016 11:10, Fraser Tweedale wrote: >>>>> On Thu, Jun 09, 2016 at 10:12:40AM +0200, Jan Cholasta wrote: >>>>>> On 9.6.2016 08:44, Fraser Tweedale wrote: >>>>>>> On Thu, Jun 09, 2016 at 01:21:29AM +1000, Fraser Tweedale wrote: >>>>>>>> On Wed, Jun 08, 2016 at 01:00:36PM +0200, Jan Cholasta wrote: >>>>>>>>> On 8.6.2016 05:15, Fraser Tweedale wrote: >>>>>>>>>> On Tue, Jun 07, 2016 at 03:42:22PM +1000, Fraser Tweedale wrote: >>>>>>>>>>> On Wed, Jun 01, 2016 at 02:51:04PM +1000, Fraser Tweedale wrote: >>>>>>>>>>>> Hi team, >>>>>>>>>>>> >>>>>>>>>>>> This patchset implements the 'ca' plugin for creating and >>>>>>>>>>>> managing >>>>>>>>>>>> lightweight sub-CAs, and updates the 'caacl' plugin and >>>>>>>>>>>> 'cert-request' command to support multiple CAs. 
>>>>>>>>>>>> >>>>>>>>>>>> A brief overview of the patches: >>>>>>>>>>>> >>>>>>>>>>>> 0059 >>>>>>>>>>>> 'ca' plugin, associated schema changes and container objects, >>>>>>>>>>>> Dogtag REST API wrapper >>>>>>>>>>>> 0060 >>>>>>>>>>>> Add CA entry for the IPA CA on install/upgrade >>>>>>>>>>>> 0061 >>>>>>>>>>>> Update 'caacl' plugin with CA support (including enforcement) >>>>>>>>>>>> 0062 >>>>>>>>>>>> Update ra.request_certificate() to support specifying >>>>>>>>>>>> target CA >>>>>>>>>>>> 0063 >>>>>>>>>>>> Add '--ca' option to 'cert-request' command >>>>>>>>>>>> 0064 >>>>>>>>>>>> Add '--issuer' option to 'cert-find' command >>>>>>>>>>>> >>>>>>>>>>>> These patches depend on other pending patches: >>>>>>>>>>>> >>>>>>>>>>>> 0051, 0052, 0053, 0054, 0055, 0056 >>>>>>>>>>>> >>>>>>>>>>>> Signing key replication depends on unmerged Dogtag patches. >>>>>>>>>>>> Builds >>>>>>>>>>>> of Dogtag with the required patches, and of FreeIPA with all >>>>>>>>>>>> completed sub-CAs work, should be available from my COPR soon: >>>>>>>>>>>> https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>>>>>>>> >>>>>>>>>>>> Some parts of the design are not implemented in the current >>>>>>>>>>>> patchset, including: >>>>>>>>>>>> >>>>>>>>>>>> - local parent CA (ipaca object) references >>>>>>>>>>>> - sub-CA certificate renewal >>>>>>>>>>>> - 'cert-show' command '--ca=NAME' option >>>>>>>>>>>> - certmonger support for specifying CA >>>>>>>>>>>> - revocation of deleted CAs >>>>>>>>>>>> >>>>>>>>>>>> I look forward to your reviews! >>>>>>>>>>>> >>>>>>>>>>>> Thanks, >>>>>>>>>>>> Fraser >>>>>>>>>>>> >>>>>>>>>>> Rebased and updated patches attached. 
>>>>>>>>>>> >>>>>>>>>>> Substantive changes: >>>>>>>>>>> >>>>>>>>>>> - add required attributes for issuer DN and subject DN >>>>>>>>>>> - prevent rename of IPA CA >>>>>>>>>>> - when adding IPA CA entry, contact Dogtag to learn authority >>>>>>>>>>> id, >>>>>>>>>>> issuer DN and subject DN >>>>>>>>>>> - add 'read_ca' method to Dogtag interface >>>>>>>>>>> - tighten ACIs to prevent modification of ipacaid attribute >>>>>>>>>>> >>>>>>>>>> Updated patch 0064-3; adds --issuer option to cert-show and --ca >>>>>>>>>> option to cert-show and cert-find. >>>>>>>>> >>>>>>>>> Patch 0059: >>>>>>>>> >>>>>>>>> 1) On upgrade, why is the lightweight CA container created >>>>>>>>> twice - once in >>>>>>>>> 41-subca.update, once using ensure_entry() call? It should be >>>>>>>>> done only >>>>>>>>> once. >>>>>>>>> >>>>>>>> I'll remove 41-subca.update; the routine in cainstance is the one >>>>>>>> that's needed. >>>>>>>> >>>>>>>>> 2) In ca_del, every CA specified in args[0] should be deleted, >>>>>>>>> not just the >>>>>>>>> first one. >>>>>>>>> >>>>>>>>> 3) Do not use NonFatalError, issue a warning instead: >>>>>>>>> >>>>>>>>> self.add_message(MyNewWarningClass(name=...)) >>>>>>>>> >>>>>>>>> 4) Can it actually happen that ca_show does not return ipacaid? >>>>>>>>> I guess not, >>>>>>>>> so you should be able to remove the check altogether and don't >>>>>>>>> bother with >>>>>>>>> the warning. >>>>>>>>> >>>>>>>> ipacaid is mandatory now, so I'll remove the check. >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0060-0062: LGTM >>>>>>>>> >>>>>>>> Yippee \o/ >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0063: >>>>>>>>> >>>>>>>>> Could you please define the CA param as follows: >>>>>>>>> >>>>>>>>> Str('cacn?', >>>>>>>>> cli_name='ca', >>>>>>>>> query=True, >>>>>>>>> label=_("CA"), >>>>>>>>> doc=_("CA to use"), >>>>>>>>> ), >>>>>>>>> >>>>>>>>> ? 
>>>>>>>>> >>>>>>>>> This is for consistency with framework-generated parent key >>>>>>>>> params, which >>>>>>>>> unfortunately we cannot leverage in cert_request currently. >>>>>>>>> >>>>>>>> No problemo. >>>>>>>> >>>>>>>>> >>>>>>>>> Patch 0064: >>>>>>>>> >>>>>>>>> 1) See my comment for patch 0063, it applies here as well. >>>>>>>>> >>>>>>>>> 2) The --issuer option should not be included in cert_show - >>>>>>>>> show commands >>>>>>>>> are supposed to retrieve an object given primary key(s), and >>>>>>>>> the primary key >>>>>>>>> of CA objects is just their cn. >>>>>>>>> >>>>>>>> The --issuer argument is because the primary key for a cert is really >>>>>>>> (issuer, serial). So it shows the cert _with_ that issuer (and >>>>>>>> serial), not the cert _for_ that issuer. >>>>>> >>>>>> Correct, but in IPA the issuer is represented by the CA object, so >>>>>> in IPA >>>>>> the primary key for a certificate is actually (CA name, serial). >>>>>> >>>>>> Certificate lookup by issuer name and serial is actually a search >>>>>> operation, >>>>>> analogous to how CA lookup by subject name is also a search >>>>>> operation, so >>>>>> it should be done by cert-find. >>>>>> >>>>> OK, I will remove the --issuer option for cert-find. >>>>> >>>>>>>> >>>>>>>>> 3) In find commands, the options form a filter, so instead of >>>>>>>>> raising >>>>>>>>> MutuallyExclusiveError in cert-find, return an empty result, as >>>>>>>>> with any >>>>>>>>> other unmatched filter. >>>>>>>>> >>>>>>>> Here, --issuer and --ca are two different ways to specify the >>>>>>>> issuer. --issuer lets you give the issuer DN straight up; --ca >>>>>>>> takes the name of an IPA CA object and looks up its issuer DN. >>>>>>>> (Thus it makes no sense to give both options at once). >>>>>> >>>>>> That's one way to look at it, but it's true only if you assume that >>>>>> cert-find can only search certificates in Dogtag.
This will very >>>>>> soon become >>>>>> untrue, as we will allow cert-find to also search certificates >>>>>> anywhere in >>>>>> LDAP (the server part of ticket #5381). There, the difference >>>>>> between the >>>>>> options would be that with --ca you search for certificates issued >>>>>> by the >>>>>> specified managed CA, but with --issuer you search for >>>>>> certificates with the >>>>>> given issuer name, be it managed CA or not. >>>>>> >>>>> --ca is just a "shorthand" for --issuer - it merely looks up the subject >>>>> DN of the specified CA, and uses that as the issuer option. >>>>> >>>>>> For now, IMO the correct behavior should be that if both are >>>>>> specified and >>>>>> the issuer name of the specified CA does not match the specified >>>>>> issuer >>>>>> name, an empty result is returned, otherwise carry on with the search in >>>>>> Dogtag. >>>>>> >>>>> If I allow both, the behaviour will then be: >>>>> >>>>> specify issuer DN only) >>>>> search using given issuer DN >>>>> specify CA only) >>>>> search using subject DN of specified CA. If no such CA, error. >>>>> specify issuer DN and CA) >>>>> search using given issuer DN, and ensure that result (if any) >>>>> matches subject DN of specified CA. If no such CA, error. >>>>> >>>>> I'm happy to implement this if you confirm that you think it's the >>>>> correct behaviour. >>>> >>>> Looks correct to me. >>>> >>> Thanks; updated patches attached. Martin, this patch should also >>> fix the upgrade issue. >>> >>> Cheers, >>> Fraser >>> >> Another rebase to fix conflicts in VERSION file. No other changes. > > Thanks. > > The remaining cert commands (status, revoke, remove-hold) should also > have the cacn option consistent with cert-show. This can be added in a > further patch, though. Ticket: . (Note that this should be fixed in time for 4.4, as it is a backward incompatible change.) > > I think it would make sense if the cn argument in ca commands was > optional, with the default being 'ipa'.
This can also be done later. (No ticket yet since this is a backward compatible change.) > > So LGTM. If Martin agrees, we can push this patch set. > -- Jan Cholasta From mbabinsk at redhat.com Tue Jun 28 07:04:53 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 28 Jun 2016 09:04:53 +0200 Subject: [Freeipa-devel] Fwd: Re: [PATCH 0166] test-{service, host}-plugin: only expect krbcanonicalname when all=True In-Reply-To: <3f65de81-dc6f-d234-97fe-b95a860a61d0@redhat.com> References: <3f65de81-dc6f-d234-97fe-b95a860a61d0@redhat.com> Message-ID: <009067e7-3730-b987-4858-0524ebbf8fd5@redhat.com> Bringing freeipa-devel list back to loop. -------- Forwarded Message -------- Subject: Re: [PATCH 0166] test-{service,host}-plugin: only expect krbcanonicalname when all=True Date: Tue, 28 Jun 2016 06:54:19 +0200 From: Lenka Doudova To: Martin Babinsky On 06/27/2016 09:46 AM, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/3864 > ACK. Lenka From mbasti at redhat.com Tue Jun 28 07:16:26 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 09:16:26 +0200 Subject: [Freeipa-devel] [PATCH 0167] test_serverroles: ensure that test API is initialized with correct ldap_uri In-Reply-To: References: <0ea54227-a56c-7894-20e7-a74240770926@redhat.com> Message-ID: <245a3122-d3c9-eb6f-2c40-95687ea90800@redhat.com> On 27.06.2016 16:00, Lenka Doudova wrote: > > > On 06/27/2016 02:04 PM, Martin Babinsky wrote: >> Makes the test suite play nice with others during CI. >> >> https://fedorahosted.org/freeipa/ticket/6000 >> > ACK, thank you! > > Lenka > Pushed to master: a79d45ad790d57c0f3f8db88ceae95e34267cda3 From mbasti at redhat.com Tue Jun 28 07:18:49 2016 
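The cert-find --issuer/--ca semantics that Fraser lists and Honza confirms in the lightweight sub-CAs thread above, as an added example (not code from Fraser's patches) run over constructed data. Assumed names: find_certs() stands in for cert-find, ca_subject_dn() for the ca-show lookup of a CA object's subject DN, and NotFound for ipalib's error of that name; the CA objects and certificate records are constructed here.

```python
"""Added example, not code from Fraser's patches: the cert-find --issuer/--ca
semantics agreed in the lightweight sub-CAs thread, as a small resolver over
constructed data.

Assumed names: find_certs() stands in for cert-find, ca_subject_dn() for the
ca-show lookup of an IPA CA object's subject DN, and NotFound for ipalib's
error of the same name. CA objects and certificate records are constructed.
"""


class NotFound(Exception):
    """The named IPA CA object does not exist (an error, not an empty result)."""


# Constructed IPA CA objects: cn -> subject DN of the CA certificate.
CAS = {
    'ipa': 'CN=Certificate Authority,O=EXAMPLE.TEST',
    'vpn': 'CN=VPN Sub-CA,O=EXAMPLE.TEST',
}

# Constructed certificate records; a cert is identified by (issuer DN, serial).
CERTS = [
    {'issuer': 'CN=Certificate Authority,O=EXAMPLE.TEST', 'serial': 7},
    {'issuer': 'CN=VPN Sub-CA,O=EXAMPLE.TEST', 'serial': 3},
    {'issuer': 'CN=VPN Sub-CA,O=EXAMPLE.TEST', 'serial': 4},
    {'issuer': 'CN=External CA,O=OTHER', 'serial': 42},
]


def ca_subject_dn(cacn):
    """Look up the subject DN of a managed CA; an unknown name is an error."""
    try:
        return CAS[cacn]
    except KeyError:
        raise NotFound("%s: CA not found" % cacn)


def find_certs(issuer=None, cacn=None):
    """Apply Fraser's three cases.

    issuer only:  search by the given issuer DN.
    ca only:      search by the CA's subject DN; no such CA -> NotFound.
    both:         no such CA -> NotFound; CA subject != issuer -> empty
                  result (an unmatched filter, per Honza); else search.

    DNs are compared as plain strings here; real code compares DN objects.
    """
    if cacn is not None:
        ca_dn = ca_subject_dn(cacn)
        if issuer is not None and issuer != ca_dn:
            return []
        issuer = ca_dn  # --ca is shorthand for --issuer
    return [dict(c) for c in CERTS if issuer is None or c['issuer'] == issuer]


def serials(issuer=None, cacn=None):
    """Convenience wrapper returning just the serial numbers found."""
    return [c['serial'] for c in find_certs(issuer, cacn)]


def unknown_ca_is_error(cacn):
    """True when searching with a non-existent CA raises instead of returning []."""
    try:
        find_certs(cacn=cacn)
    except NotFound:
        return True
    return False
```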
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 09:18:49 +0200 Subject: [Freeipa-devel] Fwd: Re: [PATCH 0166] test-{service, host}-plugin: only expect krbcanonicalname when all=True In-Reply-To: <009067e7-3730-b987-4858-0524ebbf8fd5@redhat.com> References: <3f65de81-dc6f-d234-97fe-b95a860a61d0@redhat.com> <009067e7-3730-b987-4858-0524ebbf8fd5@redhat.com> Message-ID: On 28.06.2016 09:04, Martin Babinsky wrote: > > Bringing freeipa-devel list back to loop. > > -------- Forwarded Message -------- > Subject: Re: [PATCH 0166] test-{service,host}-plugin: only expect > krbcanonicalname when all=True > Date: Tue, 28 Jun 2016 06:54:19 +0200 > From: Lenka Doudova > To: Martin Babinsky > > > On 06/27/2016 09:46 AM, Martin Babinsky wrote: >> https://fedorahosted.org/freeipa/ticket/3864 >> > ACK. > > Lenka > Pushed to master: d0c38d86a1f3da233da25176b4e1f267fbdc6e7f From pvoborni at redhat.com Tue Jun 28 07:24:40 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 28 Jun 2016 09:24:40 +0200 Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR In-Reply-To: <20160627181116.GE31123@10.4.128.1> References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> Message-ID: On 06/27/2016 08:11 PM, Lukas Slebodnik wrote: > On (27/06/16 17:55), Milan Kubík wrote: >> Hi all, >> >> the pki packages that are currently in the COPR repo [1] are broken. There is >> a conflict between pki-server and pki-base: >> >> Error: Transaction check error: >> file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch >> file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch >> >> [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/ >> > I can see the same with pki-core in fedora 24 updates-testing. > File a fedora bug. > > LS > Right, even though I can't reproduce, the package in freeipa-master copr should be the same as the one in updates testing. It was built from the same srpm: https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm -- Petr Vobornik From abokovoy at redhat.com Tue Jun 28 07:57:33 2016
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Tue, 28 Jun 2016 10:57:33 +0300 Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR In-Reply-To: References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> Message-ID: <20160628075733.okm72eey6fsw6pxw@redhat.com> On Tue, 28 Jun 2016, Petr Vobornik wrote: >On 06/27/2016 08:11 PM, Lukas Slebodnik wrote: >> On (27/06/16 17:55), Milan Kubík wrote: >>> Hi all, >>> >>> the pki packages that are currently in the COPR repo [1] are broken. There is >>> a conflict between pki-server and pki-base: >>> >>> Error: Transaction check error: >>> file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch >>> file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch >>> >>> [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/ >>> >> I can see the same with pki-core in fedora 24 updates-testing. >> File a fedora bug. >> >> LS >> > >Right, even though I can't reproduce, the package in freeipa-master copr >should be the same as the one in updates testing. It was built from the >same srpm: >https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm One particular issue could be that you have pki-server installed from one source and pki-base considered from a different one. For yum and dnf there is a difference where the package comes from and all subpackages of the same source package should be coming from the same repository to avoid conflicts like this because after install the package keeps its source repo mark. -- / Alexander Bokovoy From mbasti at redhat.com Tue Jun 28 08:28:00 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 10:28:00 +0200 Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR In-Reply-To: <20160628075733.okm72eey6fsw6pxw@redhat.com> References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> Message-ID: <0d667a3d-94c7-e286-25a5-63d6f031931e@redhat.com> On 28.06.2016 09:57, Alexander Bokovoy wrote: > On Tue, 28 Jun 2016, Petr Vobornik wrote: >> On 06/27/2016 08:11 PM, Lukas Slebodnik wrote: >>> On (27/06/16 17:55), Milan Kubík wrote: >>>> Hi all, >>>> >>>> the pki packages that are currently in the COPR repo [1] are >>>> broken. There is >>>> a conflict between pki-server and pki-base: >>>> >>>> Error: Transaction check error: >>>> file >>>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc >>>> from install of pki-server-10.3.3-1.fc24.noarch conflicts with file >>>> from package pki-base-10.3.3-1.fc24.noarch >>>> file >>>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo >>>> from install of pki-server-10.3.3-1.fc24.noarch conflicts with file >>>> from package pki-base-10.3.3-1.fc24.noarch >>>> >>>> [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/ >>>> >>> I can see the same with pki-core in fedora 24 updates-testing. >>> File a fedora bug. >>> >>> LS >>> >> >> Right, even though I can't reproduce, the package in freeipa-master copr >> should be the same as the one in updates testing. It was built from the >> same srpm: >> https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm >> > One particular issue could be that you have pki-server installed from > one source and pki-base considered from a different one.
For yum and dnf > there is a difference where the package comes from and all subpackages > of the same source package should be coming from the same repository to > avoid conflicts like this because after install the package keeps its > source repo mark. I will remove pki-core from the copr repo as it is not needed there. Martin^2 From slaznick at redhat.com Tue Jun 28 08:34:17 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Tue, 28 Jun 2016 10:34:17 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <3a8c2f35-6be5-81ff-431f-39f2bad39ce2@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com> <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com> <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com> <3a8c2f35-6be5-81ff-431f-39f2bad39ce2@redhat.com> Message-ID: <4f318927-fcfd-ce0e-372f-2feb2958a223@redhat.com> On 06/17/2016 09:14 AM, Stanislav Laznicka wrote: > On 06/14/2016 04:40 PM, Jan Cholasta wrote: >> On 14.6.2016 16:35, Martin Basti wrote: >>> On 14.06.2016 16:37, Jan Cholasta wrote: >>>> On 14.6.2016 16:29, Martin Basti wrote: >>>>> On 08.06.2016 14:17, Stanislav Laznicka wrote: >>>>>> On 06/07/2016 10:42 AM, Martin Basti wrote: >>>>>>> On 07.06.2016 10:43, Jan Cholasta wrote: >>>>>>>> On 7.6.2016 10:22, Martin Basti wrote: >>>>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote: >>>>>>>>>> On 6.6.2016 18:29, Martin Basti wrote: >>>>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>>>>>>>>> >>>>>>>>>>>>> NACK >>>>>>>>>>>>> >>>>>>>>>>>>> please remove it from LDAPAddReverseMember too, it >>>>>>>>>>>>> contains the >>>>>>>>>>>>> same >>>>>>>>>>>>> code >>>>>>>>>>>>> >>>>>>>>>>>>> Martin^2 >>>>>>>>>>>> >>>>>>>>>>>> Please see the modified patch. 
>>>>>>>>>>>> >>>>>>>>>>>> Standa >>>>>>>>>>>> >>>>>>>>>>> ACK >>>>>>>>>>> >>>>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>>>>>>>>> >>>>>>>>>> I think the attrs_list was supposed to be passed to the >>>>>>>>>> ldap.get_entry() call rather than removed, which would fix that >>>>>>>>>> every >>>>>>>>>> reverse member command always acts like --all was specified. >>>>>>>>>> >>>>>>>>> I'm really afraid of what can happen if we put attr_list into >>>>>>>>> get_entry() >>>>>>>>> instead of '*', because this code was there for 4 years and I >>>>>>>>> don't >>>>>>>>> feel happy enough to change it now, what we may break. >>>>>>>>> >>>>>>>>> Should I revert this commit then and postpone the ticket? >>>>>>>> >>>>>>>> It's a bug and should be fixed. The fix is easy so I see no >>>>>>>> point in >>>>>>>> postponing it. I see no reason to be really afraid, I'm pretty >>>>>>>> sure >>>>>>>> that removing the objectclass attribute (which is invisible in the >>>>>>>> CLI anyway) from the output of all the 4 commands that use this >>>>>>>> code >>>>>>>> won't break anything. >>>>>>>> >>>>>>> >>>>>>> Ok >>>>>> It seems that tests expect objectClass to be always returned in >>>>>> derived methods. Is that expected behavior? If so, please see the >>>>>> attached patch. I wonder if the keys of the passed options should >>>>>> make >>>>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)? >>>>> >>>>> I still don't think that we should use that attrs list, because >>>>> according to git history, attrs_list was really used only with code that >>>>> was removed, and as you can see Standa had to add an extra objectclass >>>>> attribute there >>>> >>>> So the assumption here is that if it's in git history, it's not a bug? >>>> >>>> The extra object class should *not* be included by default. >>>> >>>> (Also I don't see any reason to have this split into 2 patches.) >>>> > Right.
I added the objectclass so that it behaves similarly to what the > other commands do and so that it does not break tests but it can be > removed and tests could be fixed. The question here is - do we want it > in 4.4, then? If so can we be sure it won't break anything (although > we know that it's broken as it is, and it's been like that for the > past 4 years)? > > Currently, the LDAP*ReverseMember are used in adding/removing > permissions/privileges to privileges/roles so I think we don't want it > to go bad - but could it? > After discussion with Honza we agreed that the patch should not break anything while trying to fix the bug. Attached is the new patch with fixed tests. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0045-2-The-LDAP-ReverseMember-shouldn-t-imply-all-is-always.patch Type: text/x-patch Size: 6830 bytes Desc: not available URL: From ofayans at redhat.com Tue Jun 28 08:43:00 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 28 Jun 2016 10:43:00 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides In-Reply-To: <20160627082808.GG3346@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <575981D9.2040305@redhat.com> <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <5770DE7F.4060104@redhat.com> <20160627082808.GG3346@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID: <57723894.4090402@redhat.com> Hi Sumit, The testplan is updated according to your second note. The WebUI part I'll test once Pavel's patch is merged. On 06/27/2016 10:28 AM, Sumit Bose wrote: > On Mon, Jun 27, 2016 at 10:06:23AM +0200, Oleg Fayans wrote: >> Hi Sumit, >> >> I've updated the testplan. (Thank you for the link to Fraser's blogpost, >> it was really very useful!). All the operations described were >> performed manually and succeeded. Could you please review it again in case >> I forgot something? > > Thank you, the tests are looking good. > > I have two comments. First, for your information, I'm not sure if WebUI > is in the scope of these tests, Pavel already sent '0058 WebUI: > certificate widget on ID override user page' to the freeipa-devel list, > so adding certificates to idoverrides with the WebUI should work soon as > well. > > Second, the LDAP attribute used to store the certificates is a > multi-value attribute. Adding a test where a second certificate is added > to the override and removed (without deleting the other certificate) > might be useful here. > > bye, > Sumit > >> >> >> On 06/09/2016 05:06 PM, Sumit Bose wrote: >>> On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote: >>>> Hi guys, >>>> >>>> Here is the first somewhat skeletal and pretty short version of the >>>> testplan. Could anyone please review it?
>>>> >>>> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan >>> >>> Hi Oleg, >>> >>> 'Make sure the id view is applied to ipa master host' the IPA >>> masters/servers will always and only have the 'Default Trust View'. But >>> it is ok to use the 'Default Trust View' for testing the certificates in >>> the ID override. >>> >>> The 'openssl req ...' call will only generate a certificate request and >>> not the certificate itself. The request must still be signed by e.g. the >>> IPA CA. Please see the blog posts of Fraser >>> (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/) >>> and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details. >>> >>> Since you want to test certificates in overrides you should use >>> idoverrideuser-add-cert and idoverrideuser-remove-cert instead of >>> user-add-cert and user-remove-cert. >>> >>> bye, >>> Sumit >>> >>>> -- >>>> Oleg Fayans >>>> Quality Engineer >>>> FreeIPA team >>>> RedHat. >>>> >>>> -- >>>> Manage your subscription for the Freeipa-devel mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel >>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> >> -- >> Oleg Fayans >> Quality Engineer >> FreeIPA team >> RedHat. -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ofayans at redhat.com Tue Jun 28 08:45:59 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 28 Jun 2016 10:45:59 +0200 Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test Message-ID: <57723947.2090508@redhat.com> Passing test output: https://paste.fedoraproject.org/385774/71035231/ -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0049-Added-methods-to-manipulate-certs.patch Type: text/x-patch Size: 1286 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0050-Automated-test-for-certs-in-idoverrides-feature.patch Type: text/x-patch Size: 4751 bytes Desc: not available URL: From frenaud at redhat.com Tue Jun 28 08:51:25 2016 From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Tue, 28 Jun 2016 10:51:25 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <57718A07.8000708@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> Message-ID: <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com> On 06/27/2016 10:18 PM, Rob Crittenden wrote: > Florence Blanc-Renaud wrote: >> Hi all, >> >> thanks for your suggestions. Updated patch attached. >> Flo. >> > > The invocation in ipactl should say server, not client. > > Otherwise LGTM (untested). > > rob Hi all, thanks to Rob for catching the typo. Patch with updated message is attached, Flo. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-frenaud-0008-3-Do-not-allow-installation-in-FIPS-mode.patch Type: text/x-patch Size: 5211 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 28 08:51:53 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 10:51:53 +0200 Subject: [Freeipa-devel] [PATCH 0020][Tests] Make ID views test reflect new krbcanonicalname attribute In-Reply-To: References: <83a969ef-94ca-be4f-da91-e83b4f91174c@redhat.com> Message-ID: <1bb0b2b5-46a3-f21f-9b04-4b7619f8caad@redhat.com> On 27.06.2016 11:10, Lenka Doudova wrote: > > > On 06/27/2016 10:26 AM, Martin Babinsky wrote: >> On 06/23/2016 03:51 PM, Lenka Doudova wrote: >>> Patch attached. >>> >>> Lenka >>> >>> >>> >> >> Thanks for catching this. >> >> conditional ACK if you add >> https://fedorahosted.org/freeipa/ticket/3864 to the commit message. >> > Ah, yes. New patch with fixed commit message attached. > Thanks, > Lenka > > Pushed to master: 22f26cfa8e06e08795a6ad611bb7c72f003e65c4 -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbose at redhat.com Tue Jun 28 08:55:22 2016 
From: sbose at redhat.com (Sumit Bose) Date: Tue, 28 Jun 2016 10:55:22 +0200 Subject: [Freeipa-devel] [Testplan Review] Certs in ID overrides In-Reply-To: <57723894.4090402@redhat.com> References: <575981D9.2040305@redhat.com> <20160609150619.GM3302@p.Speedport_W_724V_Typ_A_05011603_00_009> <5770DE7F.4060104@redhat.com> <20160627082808.GG3346@p.Speedport_W_724V_Typ_A_05011603_00_009> <57723894.4090402@redhat.com> Message-ID: <20160628085522.GC18060@p.Speedport_W_724V_Typ_A_05011603_00_009> On Tue, Jun 28, 2016 at 10:43:00AM +0200, Oleg Fayans wrote: > Hi Sumit, > > The testplan is updated according to your second note. The WebUI part > I'll test once Pavel's patch is merged. Thank you. bye, Sumit > > On 06/27/2016 10:28 AM, Sumit Bose wrote: > > On Mon, Jun 27, 2016 at 10:06:23AM +0200, Oleg Fayans wrote: > >> Hi Sumit, > >> > >> I've updated the testplan. (Thank you for the link to Fraser's blogpost, > >> it was really very useful!). All the operations described were > >> performed manually and succeeded. Could you please review it again in case > >> I forgot something? > > > > Thank you, the tests are looking good. > > > > I have two comments. First, for your information, I'm not sure if WebUI > > is in the scope of these tests, Pavel already sent '0058 WebUI: > > certificate widget on ID override user page' to the freeipa-devel list, > > so adding certificates to idoverrides with the WebUI should work soon as > > well. > > > > Second, the LDAP attribute used to store the certificates is a > > multi-value attribute. Adding a test where a second certificate is added > > to the override and removed (without deleting the other certificate) > > might be useful here. > > > > bye, > > Sumit > > > >> > >> > >> On 06/09/2016 05:06 PM, Sumit Bose wrote: > >>> On Thu, Jun 09, 2016 at 04:48:57PM +0200, Oleg Fayans wrote: > >>>> Hi guys, > >>>> > >>>> Here is the first somewhat skeletal and pretty short version of the > >>>> testplan. Could anyone please review it?
> >>>> > >>>> http://www.freeipa.org/page/V4/Certs_in_ID_overrides/Test_Plan > >>> > >>> Hi Oleg, > >>> > >>> 'Make sure the id view is applied to ipa master host' the IPA > >>> masters/servers will always and only have the 'Default Trust View'. But > >>> it is ok to use the 'Default Trust View' for testing the certificates in > >>> the ID override. > >>> > >>> The 'openssl req ...' call will only generate a certificate request and > >>> not the certificate itself. The request must still be signed by e.g. the > >>> IPA CA. Please see the blog posts of Fraser > >>> (https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/) > >>> and Nathan (https://blog-nkinder.rhcloud.com/?p=184) for details. > >>> > >>> Since you want to test certificates in overrides you should use > >>> idoverrideuser-add-cert and idoverrideuser-remove-cert instead of > >>> user-add-cert and user-remove-cert. > >>> > >>> bye, > >>> Sumit > >>> > >>>> -- > >>>> Oleg Fayans > >>>> Quality Engineer > >>>> FreeIPA team > >>>> RedHat. > >>>> > >>>> -- > >>>> Manage your subscription for the Freeipa-devel mailing list: > >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel > >>>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > >> > >> -- > >> Oleg Fayans > >> Quality Engineer > >> FreeIPA team > >> RedHat. > > -- > Oleg Fayans > Quality Engineer > FreeIPA team > RedHat. From mbasti at redhat.com Tue Jun 28 09:05:21 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Jun 2016 11:05:21 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
In-Reply-To: <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com>
References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com>
Message-ID: <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com>

On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>> Florence Blanc-Renaud wrote:
>>> Hi all,
>>>
>>> thanks for your suggestions. Updated patch attached.
>>> Flo.
>>>
>>
>> The invocation in ipactl should say server, not client.
>>
>> Otherwise LGTM (untested).
>>
>> rob
>
> Hi all,
>
> thanks to Rob for catching the typo.
> Patch with updated message is attached,
> Flo.
>

Thank you for the patch. I have two comments:

1)
+ except Exception:
+ # Consider that the host is not fips-enabled if the file does not exist
+ pass

Exceptions should be as specific as possible, otherwise they may mask real issues. Please use 'except IOError' if you want to catch the case that the file does not exist.

2) In replicainstall.py and install.py please raise an exception (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc. sys.exit() should not be used in modules, it is hard to debug etc. It can be used only in scripts (ipa-client-install, ipa-replica-manage, etc.).

Martin^2
From dkupka at redhat.com Tue Jun 28 10:12:32 2016
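The two review points above (catch only the error you expect, and raise from library code instead of calling sys.exit()) in one stand-alone snippet. This is an added example written for this archive, not code from patch 0008 or from FreeIPA; it takes the flag-file path as a parameter (`flag_path`, an assumption made so the example can run against constructed files), since the thread does not show which file the patch reads.

```python
import errno
import os
import tempfile


class FIPSCheckError(RuntimeError):
    """Raised instead of calling sys.exit() so the caller can log and clean up."""


def is_fips_enabled(flag_path):
    """Return True if the flag file at `flag_path` contains '1'.

    A missing file means "not FIPS-enabled", which is the behaviour the
    patch wanted.  Any other OSError (permission denied, EISDIR, ...) is
    re-raised: a bare `except Exception` would have hidden those problems.
    (IOError is an alias of OSError on Python 3.)
    """
    try:
        with open(flag_path) as f:
            value = f.read().strip()
    except OSError as e:
        if e.errno == errno.ENOENT:
            return False
        raise
    return value == "1"


def check_install_allowed(flag_path):
    """Module-level guard: raise, never sys.exit(), when FIPS mode is on."""
    if is_fips_enabled(flag_path):
        raise FIPSCheckError("installation is not supported in FIPS mode")
    return True


def demo():
    """Exercise the guard on constructed inputs: a '1' flag file, a '0' flag
    file, a missing file and a directory (which must NOT look like 'missing')."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        on = os.path.join(d, "fips_on")
        off = os.path.join(d, "fips_off")
        missing = os.path.join(d, "no_such_file")
        with open(on, "w") as f:
            f.write("1\n")
        with open(off, "w") as f:
            f.write("0\n")
        results["on"] = is_fips_enabled(on)
        results["off"] = is_fips_enabled(off)
        results["missing"] = is_fips_enabled(missing)
        try:
            check_install_allowed(on)
            results["guard"] = "no error"
        except FIPSCheckError as e:
            results["guard"] = str(e)
        try:
            is_fips_enabled(d)          # opening a directory is a real error
            results["dir"] = "no error"
        except OSError as e:
            results["dir"] = e.errno    # propagated, not swallowed
    return results


if __name__ == "__main__":
    print(demo())
```

The narrowing to ENOENT is what turns "the file does not exist" into a deliberate decision; every other failure reaches the caller with its original errno, where the installer's normal error handling and logging can deal with it.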
From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Jun 2016 12:12:32 +0200 Subject: [Freeipa-devel] [PATCH 0139] DNS: Fix tests for realm domains integration with DNS zone ad In-Reply-To: References: Message-ID: <85b77783-46a1-611c-cf0b-b81f0d7fd2a9@redhat.com> On 27/06/16 11:48, Petr Spacek wrote: > Hello, > > DNS: Fix tests for realm domains integration with DNS zone add > > We forgot to update tests after change in > 22f4045f72daf182c44ce574291c0d8a7733713b. > > https://fedorahosted.org/freeipa/ticket/5980 > > > It should go to master, 4-3, and 4-2 as well (as the original change). > idnsforwarders needs to be changed on both occurrences. Fixed patch attached. Petr^2 approved the change. Attached version works as expected and the test is green again, ACK. -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0139.1-DNS-Fix-tests-for-realm-domains-integration-with-DNS.patch Type: text/x-patch Size: 2353 bytes Desc: not available URL: From ftweedal at redhat.com Tue Jun 28 10:23:35 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 28 Jun 2016 20:23:35 +1000
Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject
In-Reply-To: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com>
References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com>
Message-ID: <20160628102335.GY4200@dhcp-40-8.bne.redhat.com>

On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> Hi Fraser,
>
> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
>
> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
>
> Then I set up ACL and generated a certificate request by:
>
> $ certutil -R -d . -a -g 2048 -s
> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
>
> The resulting certificate is attached. What I pondering about is
>
> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
> ...
> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
>
> Shouldn't the subject have O=VPN in it also?
>
Hi Martin,

(Cc freeipa-devel@ ; this info may be of general interest)

The subject is determined by the certificate profile.  In the case
of caIPAserviceCert, the pattern is:

    CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O

The CN comes from the CSR, and the Organisation is the IPA
certificate subject base (as a literal string in the profile
configuration).

There are no substitution variables available to say "use such and
such from the issuer DN".  If the default pattern is not suitable,
you can define a profile with the subject DN pattern having exactly
the O=... parts of DN you want (and/or other attributes), then
associate the profile with the CA through CA ACLs.  (This approach
is not elegant and does not scale well to many CAs).

Hope that my explanation is helpful.

Cheers,
Fraser
From mbasti at redhat.com Tue Jun 28 10:31:15 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 12:31:15 +0200 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: <645867b1-4296-29b2-c904-40ba1c61650c@redhat.com> References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> <645867b1-4296-29b2-c904-40ba1c61650c@redhat.com> Message-ID: On 27.06.2016 14:22, Martin Basti wrote: > > > On 27.06.2016 14:10, Fraser Tweedale wrote: >> On Mon, Jun 27, 2016 at 02:02:15PM +0200, Martin Basti wrote: >>> >>> On 27.06.2016 13:58, Fraser Tweedale wrote: >>>> Hi all, >>>> >>>> The attached patch fixes the OCSP URI in the Dogtag CA and system >>>> certificates (https://fedorahosted.org/freeipa/ticket/5956). It >>>> depends on a patch[1] for Dogtag which is expected to be released in >>>> v10.3.4. In the meantime, you can test with the build of v10.3.4 >>>> from my COPR[2]. >>>> >>>> [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html >>>> [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>> >>>> Cheers, >>>> Fraser >>>> >>>> >>> Hello, >>> >>> this upgrade is executed always, is it on purpose? >>> If not please use sysupgrade and run upgrade only once >>> >> It is intentional; the directive only gets added if it is missing. >> I do not see any benefit in gating it with the sysupgrade mechanism. >> >> Thanks, >> Fraser > Ok > ************* Module ipaserver.install.cainstance ipaserver/install/cainstance.py:465: [E0602(undefined-variable), CAInstance.__spawn_instance] Undefined variable 'IPA_CA_RECORD') you need ipalib.constants.IPA_CA_RECORD Martin^2 From mbasti at redhat.com Tue Jun 28 10:32:36 2016 
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 12:32:36 +0200 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> <645867b1-4296-29b2-c904-40ba1c61650c@redhat.com> Message-ID: <4bfe4637-d8c5-01de-67a9-fb820478d83e@redhat.com> On 28.06.2016 12:31, Martin Basti wrote: > > > On 27.06.2016 14:22, Martin Basti wrote: >> >> >> On 27.06.2016 14:10, Fraser Tweedale wrote: >>> On Mon, Jun 27, 2016 at 02:02:15PM +0200, Martin Basti wrote: >>>> >>>> On 27.06.2016 13:58, Fraser Tweedale wrote: >>>>> Hi all, >>>>> >>>>> The attached patch fixes the OCSP URI in the Dogtag CA and system >>>>> certificates (https://fedorahosted.org/freeipa/ticket/5956). It >>>>> depends on a patch[1] for Dogtag which is expected to be released in >>>>> v10.3.4. In the meantime, you can test with the build of v10.3.4 >>>>> from my COPR[2]. >>>>> >>>>> [1] https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html >>>>> [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>> >>>>> Cheers, >>>>> Fraser >>>>> >>>>> >>>> Hello, >>>> >>>> this upgrade is executed always, is it on purpose? >>>> If not please use sysupgrade and run upgrade only once >>>> >>> It is intentional; the directive only gets added if it is missing. >>> I do not see any benefit in gating it with the sysupgrade mechanism. >>> >>> Thanks, >>> Fraser >> Ok >> > ************* Module ipaserver.install.cainstance > ipaserver/install/cainstance.py:465: [E0602(undefined-variable), > CAInstance.__spawn_instance] Undefined variable 'IPA_CA_RECORD') > > you need ipalib.constants.IPA_CA_RECORD > > Martin^2 > Ahh nevermind, this is a clash of different patches, works on master :) From dkupka at redhat.com Tue Jun 28 10:33:00 2016 
From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Jun 2016 12:33:00 +0200 Subject: [Freeipa-devel] [PATCH] API compatibility Message-ID: <9d8c0ba2-7a69-f6cf-2e5a-6e971a0105af@redhat.com> Hello! Honza has pushed first patches needed for API compatibility into his GitHub repo [1]. I have reviewed patch set adding command versioning: frontend: forward command calls using full name schema: support plugin versioning plugable: support plugin versioning plugable: use plugin class as the key in API namespaces misc: generate `plugins` result directly in the command Works as expected, ACK. [1] https://github.com/jcholast/freeipa/commits/trac-4427 -- David Kupka From mkosek at redhat.com Tue Jun 28 10:33:03 2016 
From: mkosek at redhat.com (Martin Kosek)
Date: Tue, 28 Jun 2016 12:33:03 +0200
Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject
In-Reply-To: <20160628102335.GY4200@dhcp-40-8.bne.redhat.com>
References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com>
Message-ID: <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com>

On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
>> Hi Fraser,
>>
>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
>>
>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
>>
>> Then I set up ACL and generated a certificate request by:
>>
>> $ certutil -R -d . -a -g 2048 -s
>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org'
>>
>> The resulting certificate is attached. What I pondering about is
>>
>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
>> ...
>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
>>
>> Shouldn't the subject have O=VPN in it also?
>>
> Hi Martin,
>
> (Cc freeipa-devel@ ; this info may be of general interest)
>
> The subject is determined by the certificate profile.  In the case
> of caIPAserviceCert, the pattern is:
>
> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
>
> The CN comes from the CSR, and the Organisation is the IPA
> certificate subject base (as a literal string in the profile
> configuration).
>
> There are no substitution variables available to say "use such and
> such from the issuer DN".  If the default pattern is not suitable,
> you can define a profile with the subject DN pattern having exactly
> the O=... parts of DN you want (and/or other attributes), then
> associate the profile with the CA through CA ACLs.  (This approach
> is not elegant and does not scale well to many CAs).
>
> Hope that my explanation is helpful.

The explanation is helpful, I just do not like the answer :-) What do you
think would make most sense for Sub-CA users?

I would like to see a pattern like "$$issuer.suffix$$" where the Dogtag would
fill in the non-CN part of the issuer DN, i.e. in this case:

    O=DEMO1.FREEIPA.ORG, O=VPN

which would make this profile flexible and usable in any Sub-CA.

Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and
respective Dogtag release? I am just afraid that given we release this feature
in 4.4, people would have to be very creative and duplicate a lot of certificate
profiles for different sub-CAs just to work around the Subject pattern
limitation, as you mentioned.

Martin
From jcholast at redhat.com Tue Jun 28 10:49:55 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Tue, 28 Jun 2016 12:49:55 +0200 Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject In-Reply-To: <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com> References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com> <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com> Message-ID: On 28.6.2016 12:33, Martin Kosek wrote: > On 06/28/2016 12:23 PM, Fraser Tweedale wrote: >> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote: >>> Hi Fraser, >>> >>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA: >>> >>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG >>> >>> Then I set up ACL and generated a certificate request by: >>> >>> $ certutil -R -d . -a -g 2048 -s >>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 'ipa.demo1.freeipa.org' >>> >>> The resulting certificate is attached. What I pondering about is >>> >>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority >>> ... >>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org >>> >>> Shouldn't the subject have O=VPN in it also? >>> >> Hi Martin, >> >> (Cc freeipa-devel@ ; this info may be of general interest) >> >> The subject is determined by the certificate profile. In the case >> of caIPAserviceCert, the pattern is: >> >> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O >> >> The CN comes from the CSR, and the Organisation is the IPA >> certificate subject base (as a literal string in the profile >> configuration). >> >> There are no substitution variables available to say "use such and >> such from the issuer DN". If the default pattern is not suitable, >> you can define a profile with the subject DN pattern having exactly >> the O=... parts of DN you want (and/or other attributes), then >> associate the profile with the CA through CA ACLs. (This approach >> is not elegant and does not scale well to many CAs). >> >> Hope that my explanation is helpful. 
> > The explanation is helpful, I just do not I like the answer :-) What do you > think would make most sense for Sub-CA users? > > I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would > fill the non-CN part of issuer DN, i.e. in this case: > > O=DEMO1.FREEIPA.ORG, O=VPN > > which would make this profile flexible and usable in any Sub-CA. > > Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and > respective Dogtag release? I am just afraid that given we release this feature > in 4.4, people would have to very creative and duplicate lot of certificate > profiles for different sub-CAs just to workaround the Subject patter > limitation, as you mentioned. What is the use case? The certificate is equally good with both the current and your suggested issuer name. There is no relation between issuer name and subject name in general, and AFAIK the current recommendation is to omit subject name for end-entity certificate entirely and instead rely on SAN, so why should we bother? Honza -- Jan Cholasta From mkosek at redhat.com Tue Jun 28 10:49:26 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 28 Jun 2016 12:49:26 +0200 Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject In-Reply-To: References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com> <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com> Message-ID: On 06/28/2016 12:49 PM, Jan Cholasta wrote: > On 28.6.2016 12:33, Martin Kosek wrote: >> On 06/28/2016 12:23 PM, Fraser Tweedale wrote: >>> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote: >>>> Hi Fraser, >>>> >>>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA: >>>> >>>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG >>>> >>>> Then I set up ACL and generated a certificate request by: >>>> >>>> $ certutil -R -d . -a -g 2048 -s >>>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 >>>> 'ipa.demo1.freeipa.org' >>>> >>>> The resulting certificate is attached. What I pondering about is >>>> >>>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority >>>> ... >>>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org >>>> >>>> Shouldn't the subject have O=VPN in it also? >>>> >>> Hi Martin, >>> >>> (Cc freeipa-devel@ ; this info may be of general interest) >>> >>> The subject is determined by the certificate profile. In the case >>> of caIPAserviceCert, the pattern is: >>> >>> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O >>> >>> The CN comes from the CSR, and the Organisation is the IPA >>> certificate subject base (as a literal string in the profile >>> configuration). >>> >>> There are no substitution variables available to say "use such and >>> such from the issuer DN". If the default pattern is not suitable, >>> you can define a profile with the subject DN pattern having exactly >>> the O=... parts of DN you want (and/or other attributes), then >>> associate the profile with the CA through CA ACLs. (This approach >>> is not elegant and does not scale well to many CAs). 
>>> >>> Hope that my explanation is helpful. >> >> The explanation is helpful, I just do not I like the answer :-) What do you >> think would make most sense for Sub-CA users? >> >> I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would >> fill the non-CN part of issuer DN, i.e. in this case: >> >> O=DEMO1.FREEIPA.ORG, O=VPN >> >> which would make this profile flexible and usable in any Sub-CA. > >> >> Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and >> respective Dogtag release? I am just afraid that given we release this feature >> in 4.4, people would have to very creative and duplicate lot of certificate >> profiles for different sub-CAs just to workaround the Subject patter >> limitation, as you mentioned. > > What is the use case? This is what I am trying to find out. > The certificate is equally good with both the current and > your suggested issuer name. There is no relation between issuer name and > subject name in general, and AFAIK the current recommendation is to omit > subject name for end-entity certificate entirely and instead rely on SAN, so > why should we bother? I am aware of the SAN related change, regarding hostnames. So this proposal would apparently not add that much value in this case. What about user certificates (S/MIME certs, Smart Card certs), are there cases where admin would need to get issuer to subject name? From lslebodn at redhat.com Tue Jun 28 11:03:00 2016 
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 28 Jun 2016 13:03:00 +0200
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <20160628075733.okm72eey6fsw6pxw@redhat.com>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com>
Message-ID: <20160628110300.GF21566@10.4.128.1>

On (28/06/16 10:57), Alexander Bokovoy wrote:
>On Tue, 28 Jun 2016, Petr Vobornik wrote:
>> On 06/27/2016 08:11 PM, Lukas Slebodnik wrote:
>> > On (27/06/16 17:55), Milan Kubík wrote:
>> > > Hi all,
>> > >
>> > > the pki packages that are currently in the COPR repo [1] are broken. There is
>> > > a conflict between pki-server and pki-base:
>> > >
>> > > Error: Transaction check error:
>> > >   file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>> > >   file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>> > >
>> > > [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/
>> > >
>> > I can see the same with pki-core in fedora 24 updates-testing.
>> > File a fedora bug.
>> >
>> > LS
>> >
>>
>> Right, even though I can't reproduce, the package in freeipa-master copr
>> should be the same as the one in updates testing. It was built from the
>> same srpm:
>> https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm
>One particular issue could be that you have pki-server installed from
>one source and pki-base considered from a different one. For yum and dnf
>there is a difference where the package comes from and all subpackages
>of the same source package should be coming from the same repository to
>avoid conflicts like this because after install the package keeps its
>source repo mark.
It is not a "particular issue".
It's a real packaging bug and has to be fixed.

The same files are owned by two packages even though one depends on the other.
Milan, please file a fedora bug.

[root at 5946ca9bf02b /]# rpm -q pki-server pki-base
pki-server-10.3.3-1.fc24.noarch
pki-base-10.3.3-1.fc24.noarch

[root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo

[root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo

[root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
pki-base = 10.3.3-1.fc24
pki-base-java = 10.3.3-1.fc24
pki-tools = 10.3.3-1.fc24

LS
From cheimes at redhat.com Tue Jun 28 11:07:26 2016
From: cheimes at redhat.com (Christian Heimes) Date: Tue, 28 Jun 2016 13:07:26 +0200 Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject In-Reply-To: References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com> <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com> Message-ID: <553a8e60-0b19-0132-0c8f-d845dc468502@redhat.com> On 2016-06-28 12:49, Martin Kosek wrote: > On 06/28/2016 12:49 PM, Jan Cholasta wrote: >> On 28.6.2016 12:33, Martin Kosek wrote: >>> On 06/28/2016 12:23 PM, Fraser Tweedale wrote: >>>> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote: >>>>> Hi Fraser, >>>>> >>>>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA: >>>>> >>>>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG >>>>> >>>>> Then I set up ACL and generated a certificate request by: >>>>> >>>>> $ certutil -R -d . -a -g 2048 -s >>>>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 >>>>> 'ipa.demo1.freeipa.org' >>>>> >>>>> The resulting certificate is attached. What I pondering about is >>>>> >>>>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority >>>>> ... >>>>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org >>>>> >>>>> Shouldn't the subject have O=VPN in it also? >>>>> >>>> Hi Martin, >>>> >>>> (Cc freeipa-devel@ ; this info may be of general interest) >>>> >>>> The subject is determined by the certificate profile. In the case >>>> of caIPAserviceCert, the pattern is: >>>> >>>> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O >>>> >>>> The CN comes from the CSR, and the Organisation is the IPA >>>> certificate subject base (as a literal string in the profile >>>> configuration). >>>> >>>> There are no substitution variables available to say "use such and >>>> such from the issuer DN". If the default pattern is not suitable, >>>> you can define a profile with the subject DN pattern having exactly >>>> the O=... 
>>>> parts of DN you want (and/or other attributes), then
>>>> associate the profile with the CA through CA ACLs.  (This approach
>>>> is not elegant and does not scale well to many CAs).
>>>>
>>>> Hope that my explanation is helpful.
>>>
>>> The explanation is helpful, I just do not I like the answer :-) What do you
>>> think would make most sense for Sub-CA users?
>>>
>>> I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would
>>> fill the non-CN part of issuer DN, i.e. in this case:
>>>
>>> O=DEMO1.FREEIPA.ORG, O=VPN
>>>
>>> which would make this profile flexible and usable in any Sub-CA.
>>
>>>
>>> Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and
>>> respective Dogtag release? I am just afraid that given we release this feature
>>> in 4.4, people would have to very creative and duplicate lot of certificate
>>> profiles for different sub-CAs just to workaround the Subject patter
>>> limitation, as you mentioned.
>>
>> What is the use case?
>
> This is what I am trying to find out.
>
>> The certificate is equally good with both the current and
>> your suggested issuer name. There is no relation between issuer name and
>> subject name in general, and AFAIK the current recommendation is to omit
>> subject name for end-entity certificate entirely and instead rely on SAN, so
>> why should we bother?
>
> I am aware of the SAN related change, regarding hostnames. So this proposal
> would apparently not add that much value in this case. What about user
> certificates (S/MIME certs, Smart Card certs), are there cases where admin
> would need to get issuer to subject name?

In my opinion it makes sense to have an indication of the issuer's purpose
and designation in the subject of an EE cert. Users have been complaining
about the hard-coded issuer name 'Certificate Authority' in the root CA.
They'll do the same for Sub CAs.

In my experience the subject DN is often the first string of a certificate
that users see in case of an error. Therefore we should avoid naming
conflicts, e.g. two certificates with the same subject
"O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org", one issued by
"O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority" and the other issued
by "O=DEMO1.FREEIPA.ORG, O=clientauth, CN=Certificate Authority".
Technically it's not required to have unique subjects. For users and admins
it is much nicer to have clear indicators of the intermediate CA in a
subject, too.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: 
From mkubik at redhat.com Tue Jun 28 11:11:36 2016
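The three positions in this thread (Fraser's description of the caIPAserviceCert subject pattern, Martin's proposed `$$issuer.suffix$$` variable, and Christian's naming-conflict concern) can be made concrete with a small simulation. This is an added example, not Dogtag or FreeIPA code: it re-implements the two substitution variables named in the thread as plain string replacement, treats `$$issuer.suffix$$` as the hypothetical variable Martin described, and assumes `$SUBJECT_DN_O` expands to the literal subject base "O=DEMO1.FREEIPA.ORG" from the thread. The second Sub-CA ("O=clientauth") is the constructed one from Christian's mail. Honza's point stands unchanged: clients match SAN, so this only shows the human-facing naming aspect.

```python
def parse_dn(dn):
    """Split 'CN=a, O=b, O=c' into a list of (type, value) RDNs.

    Simplification for this example: no escaping, no multi-valued RDNs.
    """
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]


def format_dn(rdns):
    return ", ".join("%s=%s" % (t, v) for t, v in rdns)


def issuer_suffix(issuer_dn):
    """Everything in the issuer DN except its CN: Martin's $$issuer.suffix$$."""
    return format_dn([(t, v) for t, v in parse_dn(issuer_dn) if t.upper() != "CN"])


def resolve_subject(pattern, csr_subject, issuer_dn, subject_dn_o):
    """Fill a subject DN pattern the way the thread describes it.

    $$request.req_subject_name.cn$$ -> CN taken from the CSR
    $SUBJECT_DN_O                   -> literal subject base from the profile config
    $$issuer.suffix$$               -> hypothetical (Martin's proposal), not in Dogtag
    """
    csr = dict((t.upper(), v) for t, v in parse_dn(csr_subject))
    values = {
        "$$request.req_subject_name.cn$$": csr.get("CN", ""),
        "$SUBJECT_DN_O": subject_dn_o,
        "$$issuer.suffix$$": issuer_suffix(issuer_dn),
    }
    out = pattern
    for var, val in values.items():
        out = out.replace(var, val)
    return out


def subject_collisions(issued):
    """Given (issuer, subject) pairs, return subjects issued by more than one CA."""
    by_subject = {}
    for issuer, subject in issued:
        by_subject.setdefault(subject, set()).add(issuer)
    return dict((s, sorted(i)) for s, i in by_subject.items() if len(i) > 1)


def demo():
    """Constructed scenario from the thread: one CSR submitted to two Sub-CAs."""
    subject_base = "O=DEMO1.FREEIPA.ORG"
    csr_subject = "CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG"
    issuers = [
        "O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority",
        "O=DEMO1.FREEIPA.ORG, O=clientauth, CN=Certificate Authority",
    ]
    patterns = {
        "current": "CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O",
        "proposed": "CN=$$request.req_subject_name.cn$$, $$issuer.suffix$$",
    }
    result = {}
    for name, pattern in patterns.items():
        issued = [(i, resolve_subject(pattern, csr_subject, i, subject_base))
                  for i in issuers]
        result[name] = {
            "subjects": [s for _, s in issued],
            "collisions": subject_collisions(issued),
        }
    return result


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["subjects"], "collisions:", list(r["collisions"]))
```

With the current pattern both Sub-CAs produce the identical subject "CN=ipa.demo1.freeipa.org, O=DEMO1.FREEIPA.ORG" (the collision Christian describes); with the proposed variable each subject carries the issuing Sub-CA's O= components and the collision disappears. The other route Fraser mentions, one profile per Sub-CA with the O= parts written as literals, gives the same output at the cost of a profile per CA.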
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 28 Jun 2016 13:11:36 +0200
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <20160628110300.GF21566@10.4.128.1>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> <20160628110300.GF21566@10.4.128.1>
Message-ID:

On 06/28/2016 01:03 PM, Lukas Slebodnik wrote:
> On (28/06/16 10:57), Alexander Bokovoy wrote:
>> On Tue, 28 Jun 2016, Petr Vobornik wrote:
>>> On 06/27/2016 08:11 PM, Lukas Slebodnik wrote:
>>>> On (27/06/16 17:55), Milan Kubík wrote:
>>>>> Hi all,
>>>>>
>>>>> the pki packages that are currently in the COPR repo [1] are broken. There is
>>>>> a conflict between pki-server and pki-base:
>>>>>
>>>>> Error: Transaction check error:
>>>>>   file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>>>>>   file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>>>>>
>>>>> [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/
>>>>>
>>>> I can see the same with pki-core in fedora 24 updates-testing.
>>>> File a fedora bug.
>>>>
>>>> LS
>>>>
>>> Right, even though I can't reproduce, the package in freeipa-master copr
>>> should be the same as the one in updates testing. It was built from the
>>> same srpm:
>>> https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm
>> One particular issue could be that you have pki-server installed from
>> one source and pki-base considered from a different one. For yum and dnf
>> there is a difference where the package comes from and all subpackages
>> of the same source package should be coming from the same repository to
>> avoid conflicts like this because after install the package keeps its
>> source repo mark.
> It is not a "particular issue".
> It's a real packaging bug and has to be fixed.
>
> The same files are owned by two packages even though one depends on the other.
> Milan, please file a fedora bug.
>
> [root at 5946ca9bf02b /]# rpm -q pki-server pki-base
> pki-server-10.3.3-1.fc24.noarch
> pki-base-10.3.3-1.fc24.noarch
>
> [root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>
> [root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>
> [root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
> pki-base = 10.3.3-1.fc24
> pki-base-java = 10.3.3-1.fc24
> pki-tools = 10.3.3-1.fc24
>
> LS

Thanks for the rpm output, Lukas.

https://bugzilla.redhat.com/show_bug.cgi?id=1350773

--
Milan Kubik
From abokovoy at redhat.com Tue Jun 28 11:20:32 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jun 2016 14:20:32 +0300
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <20160628110300.GF21566@10.4.128.1>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> <20160628110300.GF21566@10.4.128.1>
Message-ID: <20160628112032.abtb2d45pj45xzy4@redhat.com>

On Tue, 28 Jun 2016, Lukas Slebodnik wrote:
>On (28/06/16 10:57), Alexander Bokovoy wrote:
>>On Tue, 28 Jun 2016, Petr Vobornik wrote:
>>> On 06/27/2016 08:11 PM, Lukas Slebodnik wrote:
>>> > On (27/06/16 17:55), Milan Kubík wrote:
>>> > > Hi all,
>>> > >
>>> > > the pki packages that are currently in the COPR repo [1] are broken. There is
>>> > > a conflict between pki-server and pki-base:
>>> > >
>>> > > Error: Transaction check error:
>>> > > file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>>> > > file /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo from install of pki-server-10.3.3-1.fc24.noarch conflicts with file from package pki-base-10.3.3-1.fc24.noarch
>>> > >
>>> > > [1]: https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/
>>> > >
>>> > I can see the same with pki-core in fedora 24 updates-testing.
>>> > File a fedora bug.
>>> >
>>> > LS
>>> >
>>>
>>> Right, even though I can't reproduce, the package in freeipa-master copr
>>> should be the same as the one in updates testing. It was built from the
>>> same srpm:
>>> https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm
>>One particular issue could be that you have pki-server installed from
>>one source and pki-base considered from a different one. For yum and dnf
>>there is a difference where the package comes from and all subpackages
>>of the same source package should be coming from the same repository to
>>avoid conflicts like this because after install the package keeps its
>>source repo mark.
>It is not a "particular issue".
It is a particular issue -- there may be more issues with multi-repository package delivery but this particular bug of dnf/yum not allowing upgrades of packages with the same name delivered via different repositories stands out.

>It's a real packaging bug and has to be fixed.
Right.

>The same files are owned by two packages even though one depends on the other.
>Milan, please file a fedora bug.
>
>[root at 5946ca9bf02b /]# rpm -q pki-server pki-base
>pki-server-10.3.3-1.fc24.noarch
>pki-base-10.3.3-1.fc24.noarch
>
>[root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>
>[root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
This is not a real bug:
https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership

------------------------------------------------------------------------
In most cases, it should not be necessary for multiple packages to contain identical copies of the same file. However, if it is necessary, multiple packages may contain identical copies of the same file, as long as the following requirements are met:

    The packages sharing ownership of the identical files are built from a single SRPM.
OR

    The packages sharing ownership of the identical files are not in a dependency chain (e.g. if package A requires package B, they should not both contain identical files, either A or B must own the common files, but not both.)
--------------------------------------------------------------------------

The bug here is that they come from different repositories and thus from the dnf/yum point of view are built from different source packages.

>
>[root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
>pki-base = 10.3.3-1.fc24
>pki-base-java = 10.3.3-1.fc24
>pki-tools = 10.3.3-1.fc24
>
>LS
--
/ Alexander Bokovoy

From mkubik at redhat.com Tue Jun 28 11:27:17 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 28 Jun 2016 13:27:17 +0200
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <20160628112032.abtb2d45pj45xzy4@redhat.com>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> <20160628110300.GF21566@10.4.128.1> <20160628112032.abtb2d45pj45xzy4@redhat.com>
Message-ID: <1a3bb957-4ab0-0b2c-3ca7-85e41e7a4d77@redhat.com>

On 06/28/2016 01:20 PM, Alexander Bokovoy wrote:
> On Tue, 28 Jun 2016, Lukas Slebodnik wrote:
>> On (28/06/16 10:57), Alexander Bokovoy wrote:
>>> On Tue, 28 Jun 2016, Petr Vobornik wrote:
>>>> On 06/27/2016 08:11 PM, Lukas Slebodnik wrote:
>>>> > On (27/06/16 17:55), Milan Kubík wrote:
>>>> > > Hi all,
>>>> > >
>>>> > > the pki packages that are currently in the COPR repo [1] are
>>>> broken. There is
>>>> > > a conflict between pki-server and pki-base:
>>>> > >
>>>> > > Error: Transaction check error:
>>>> > > file
>>>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>>>> from install of pki-server-10.3.3-1.fc24.noarch conflicts with file
>>>> from package pki-base-10.3.3-1.fc24.noarch
>>>> > > file
>>>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>>>> from install of pki-server-10.3.3-1.fc24.noarch conflicts with file
>>>> from package pki-base-10.3.3-1.fc24.noarch
>>>> > >
>>>> > > [1]:
>>>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-master/
>>>> > >
>>>> > I can see the same with pki-core in fedora 24 updates-testing.
>>>> > File a fedora bug.
>>>> >
>>>> > LS
>>>> >
>>>>
>>>> Right, even though I can't reproduce, the package in freeipa-master
>>>> copr
>>>> should be the same as the one in updates testing. It was built from
>>>> the
>>>> same srpm:
>>>> https://kojipkgs.fedoraproject.org//packages/pki-core/10.3.3/1.fc24/src/pki-core-10.3.3-1.fc24.src.rpm
>>>>
>>> One particular issue could be that you have pki-server installed from
>>> one source and pki-base considered from a different one. For yum and
>>> dnf
>>> there is a difference where the package comes from and all subpackages
>>> of the same source package should be coming from the same repository to
>>> avoid conflicts like this because after install the package keeps its
>>> source repo mark.
>> It is not a "particular issue".
> It is a particular issue -- there may be more issues with
> multi-repository package delivery but this particular bug of dnf/yum not
> allowing upgrades of packages with the same name delivered via different
> repositories stands out.
>
>> It's a real packaging bug and has to be fixed.
> Right.
>
>> The same files are owned by two packages even though one depends on
>> the other.
>> Milan, please file a fedora bug.
>>
>> [root at 5946ca9bf02b /]# rpm -q pki-server pki-base
>> pki-server-10.3.3-1.fc24.noarch
>> pki-base-10.3.3-1.fc24.noarch
>>
>> [root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>>
>> [root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>> /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
> This is not a real bug:
> https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership
>
> ------------------------------------------------------------------------
> In most cases, it should not be necessary for multiple packages to
> contain identical copies of the same file. However, if it is necessary,
> multiple packages may contain identical copies of the same file, as long
> as the following requirements are met:
>
>     The packages sharing ownership of the identical files are built from
> a single SRPM.
> OR
>
>     The packages sharing ownership of the identical files are not in a
> dependency chain (e.g. if package A requires package B, they should not
> both contain identical files, either A or B must own the common files,
> but not both.)
> --------------------------------------------------------------------------
>
> The bug here is that they come from different repositories and thus from
> the dnf/yum point of view are built from different source packages.
>
>>
>> [root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
>> pki-base = 10.3.3-1.fc24
>> pki-base-java = 10.3.3-1.fc24
>> pki-tools = 10.3.3-1.fc24
>>
>> LS
>
The bug is exactly the violation of the second clause. pki-server requires pki-base while both own the files.

--
Milan Kubik

From jcholast at redhat.com Tue Jun 28 11:31:29 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 28 Jun 2016 13:31:29 +0200
Subject: [Freeipa-devel] [PATCH] API compatibility
In-Reply-To: <9d8c0ba2-7a69-f6cf-2e5a-6e971a0105af@redhat.com>
References: <9d8c0ba2-7a69-f6cf-2e5a-6e971a0105af@redhat.com>
Message-ID:

On 28.6.2016 12:33, David Kupka wrote:
> Hello!
>
> Honza has pushed first patches needed for API compatibility into his
> GitHub repo [1].
>
> I have reviewed patch set adding command versioning:
>
> frontend: forward command calls using full name
> schema: support plugin versioning
> plugable: support plugin versioning
> plugable: use plugin class as the key in API namespaces
> misc: generate `plugins` result directly in the command
>
> Works as expected, ACK.

Thanks, pushed to master: 5f52e0fcbfb927c3adada58e94bd10685535d2bd

Attaching the patches for reference.

>
> [1] https://github.com/jcholast/freeipa/commits/trac-4427

--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-654-misc-generate-plugins-result-directly-in-the-command.patch
Type: text/x-patch
Size: 2216 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-655-plugable-use-plugin-class-as-the-key-in-API-namespac.patch
Type: text/x-patch
Size: 12189 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-656-plugable-support-plugin-versioning.patch
Type: text/x-patch
Size: 177712 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-657-schema-support-plugin-versioning.patch
Type: text/x-patch
Size: 17841 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-658-frontend-forward-command-calls-using-full-name.patch
Type: text/x-patch
Size: 1342 bytes
Desc: not available
URL:

From ofayans at redhat.com Tue Jun 28 11:40:28 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Tue, 28 Jun 2016 13:40:28 +0200
Subject: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test
In-Reply-To: <57723947.2090508@redhat.com>
References: <57723947.2090508@redhat.com>
Message-ID: <5772622C.9000205@redhat.com>

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:
> Passing test output:
>
> https://paste.fedoraproject.org/385774/71035231/
>
>
>

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch
Type: text/x-patch
Size: 4745 bytes
Desc: not available
URL:

From abokovoy at redhat.com Tue Jun 28 11:50:17 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Tue, 28 Jun 2016 14:50:17 +0300
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <1a3bb957-4ab0-0b2c-3ca7-85e41e7a4d77@redhat.com>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> <20160628110300.GF21566@10.4.128.1> <20160628112032.abtb2d45pj45xzy4@redhat.com> <1a3bb957-4ab0-0b2c-3ca7-85e41e7a4d77@redhat.com>
Message-ID: <20160628115017.zpret2qyimpxvolt@redhat.com>

On Tue, 28 Jun 2016, Milan Kubík wrote:
>>>It's a real packaging bug and has to be fixed.
>>Right.
>>
>>>The same files are owned by two packages even though one depends on
>>>the other.
>>>Milan, please file a fedora bug.
>>>
>>>[root at 5946ca9bf02b /]# rpm -q pki-server pki-base
>>>pki-server-10.3.3-1.fc24.noarch
>>>pki-base-10.3.3-1.fc24.noarch
>>>
>>>[root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>>>
>>>[root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>>>/usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>>This is not a real bug:
>>https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership
>>
>>------------------------------------------------------------------------
>>In most cases, it should not be necessary for multiple packages to
>>contain identical copies of the same file. However, if it is necessary,
>>multiple packages may contain identical copies of the same file, as long
>>as the following requirements are met:
>>
>>    The packages sharing ownership of the identical files are built from
>>a single SRPM.
>>OR
>>
>>    The packages sharing ownership of the identical files are not in a
>>dependency chain (e.g. if package A requires package B, they should not
>>both contain identical files, either A or B must own the common files,
>>but not both.) --------------------------------------------------------------------------
>>
>>The bug here is that they come from different repositories and thus from
>>the dnf/yum point of view are built from different source packages.
>>
>>>
>>>[root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
>>>pki-base = 10.3.3-1.fc24
>>>pki-base-java = 10.3.3-1.fc24
>>>pki-tools = 10.3.3-1.fc24
>>>
>>>LS
>>
>The bug is exactly the violation of the second clause. pki-server
>requires pki-base while both own the files.
Right -- what I wanted to point out is that the conflict you get from dnf is not due to violating this policy, it is due to the files ownership coming from subpackages built from different source packages. Package policy violations are not always (not in this case) enforced by dnf/yum/rpm.

--
/ Alexander Bokovoy

From ftweedal at redhat.com Tue Jun 28 12:05:46 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 28 Jun 2016 22:05:46 +1000
Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject
In-Reply-To:
References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com> <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com>
Message-ID: <20160628120546.GZ4200@dhcp-40-8.bne.redhat.com>

On Tue, Jun 28, 2016 at 12:49:26PM +0200, Martin Kosek wrote:
> On 06/28/2016 12:49 PM, Jan Cholasta wrote:
> > On 28.6.2016 12:33, Martin Kosek wrote:
> >> On 06/28/2016 12:23 PM, Fraser Tweedale wrote:
> >>> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote:
> >>>> Hi Fraser,
> >>>>
> >>>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA:
> >>>>
> >>>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG
> >>>>
> >>>> Then I set up ACL and generated a certificate request by:
> >>>>
> >>>> $ certutil -R -d . -a -g 2048 -s
> >>>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8
> >>>> 'ipa.demo1.freeipa.org'
> >>>>
> >>>> The resulting certificate is attached. What I am pondering about is
> >>>>
> >>>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority
> >>>> ...
> >>>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org
> >>>>
> >>>> Shouldn't the subject have O=VPN in it also?
> >>>>
> >>> Hi Martin,
> >>>
> >>> (Cc freeipa-devel@ ; this info may be of general interest)
> >>>
> >>> The subject is determined by the certificate profile. In the case
> >>> of caIPAserviceCert, the pattern is:
> >>>
> >>> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
> >>>
> >>> The CN comes from the CSR, and the Organisation is the IPA
> >>> certificate subject base (as a literal string in the profile
> >>> configuration).
> >>>
> >>> There are no substitution variables available to say "use such and
> >>> such from the issuer DN". If the default pattern is not suitable,
> >>> you can define a profile with the subject DN pattern having exactly
> >>> the O=... parts of DN you want (and/or other attributes), then
> >>> associate the profile with the CA through CA ACLs. (This approach
> >>> is not elegant and does not scale well to many CAs).
> >>>
> >>> Hope that my explanation is helpful.
> >>
> >> The explanation is helpful, I just do not like the answer :-) What do you
> >> think would make most sense for Sub-CA users?
> >>
> >> I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would
> >> fill the non-CN part of issuer DN, i.e. in this case:
> >>
> >> O=DEMO1.FREEIPA.ORG, O=VPN
> >>
> >> which would make this profile flexible and usable in any Sub-CA.
> >
> >>
> >> Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and
> >> respective Dogtag release? I am just afraid that given we release this feature
> >> in 4.4, people would have to be very creative and duplicate lot of certificate
> >> profiles for different sub-CAs just to workaround the Subject pattern
> >> limitation, as you mentioned.
> >
> > What is the use case?
>
> This is what I am trying to find out.
>
> > The certificate is equally good with both the current and
> > your suggested issuer name. There is no relation between issuer name and
> > subject name in general, and AFAIK the current recommendation is to omit
> > subject name for end-entity certificate entirely and instead rely on SAN, so
> > why should we bother?
>
> I am aware of the SAN related change, regarding hostnames. So this proposal
> would apparently not add that much value in this case. What about user
> certificates (S/MIME certs, Smart Card certs), are there cases where admin
> would need to get issuer to subject name?
>
I do not think it is so important... the issuer name appears on the certificate too, and all issuers appear in the cert chain. Unless there is some particular software or a customer that expects/needs a particular relationship between Issuer DN and Subject DN... but I do not know of such a case.

I agree it would possibly be useful to have variables for info in the Issuer DN, that can be referenced in the Subject DN pattern. It probably won't fit into the v4.4 timeframe, though.

Cheers,
Fraser

From lslebodn at redhat.com Tue Jun 28 12:06:29 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 28 Jun 2016 14:06:29 +0200
Subject: [Freeipa-devel] Broken pki 10.3.3-1 packages in freeipa-master COPR
In-Reply-To: <20160628115017.zpret2qyimpxvolt@redhat.com>
References: <6be5793b-0d73-76dd-e825-c314eaa7fdd3@redhat.com> <20160627181116.GE31123@10.4.128.1> <20160628075733.okm72eey6fsw6pxw@redhat.com> <20160628110300.GF21566@10.4.128.1> <20160628112032.abtb2d45pj45xzy4@redhat.com> <1a3bb957-4ab0-0b2c-3ca7-85e41e7a4d77@redhat.com> <20160628115017.zpret2qyimpxvolt@redhat.com>
Message-ID: <20160628120628.GG21566@10.4.128.1>

On (28/06/16 14:50), Alexander Bokovoy wrote:
>On Tue, 28 Jun 2016, Milan Kubík wrote:
>> > > It's a real packaging bug and has to be fixed.
>> > Right.
>> >
>> > > The same files are owned by two packages even though one depends
>> > > on the other.
>> > > Milan, please file a fedora bug.
>> > >
>> > > [root at 5946ca9bf02b /]# rpm -q pki-server pki-base
>> > > pki-server-10.3.3-1.fc24.noarch
>> > > pki-base-10.3.3-1.fc24.noarch
>> > >
>> > > [root at 5946ca9bf02b /]# rpm -ql pki-base | grep pkiparser.py
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>> > >
>> > > [root at 5946ca9bf02b /]# rpm -ql pki-server | grep pkiparser.py
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.py
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyc
>> > > /usr/lib/python2.7/site-packages/pki/server/deployment/pkiparser.pyo
>> > This is not a real bug:
>> > https://fedoraproject.org/wiki/Packaging:Guidelines#File_and_Directory_Ownership
>> >
>> > ------------------------------------------------------------------------
>> > In most cases, it should not be necessary for multiple packages to
>> > contain identical copies of the same file. However, if it is necessary,
>> > multiple packages may contain identical copies of the same file, as long
>> > as the following requirements are met:
>> >
>> >     The packages sharing ownership of the identical files are built from
>> > a single SRPM.
>> > OR
>> >
>> >     The packages sharing ownership of the identical files are not in a
>> > dependency chain (e.g. if package A requires package B, they should not
>> > both contain identical files, either A or B must own the common files,
>> > but not both.) --------------------------------------------------------------------------
>> >
>> > The bug here is that they come from different repositories and thus from
>> > the dnf/yum point of view are built from different source packages.
>> >
>> > >
>> > > [root at 5946ca9bf02b /]# rpm -q --requires pki-server | grep pki
>> > > pki-base = 10.3.3-1.fc24
>> > > pki-base-java = 10.3.3-1.fc24
>> > > pki-tools = 10.3.3-1.fc24
>> > >
>> > > LS
>> >
>> The bug is exactly the violation of the second clause. pki-server
>> requires pki-base while both own the files.
>Right -- what I wanted to point out is that the conflict you get from dnf is
>not due to violating this policy, it is due to the files ownership
>coming from subpackages built from different source packages. Package
>policy violations are not always (not in this case) enforced by
>dnf/yum/rpm.
If there was not a violation of packaging guidelines then it would not be a problem if pki-base is from one repository and pki-server from another. It has to work because they are built from the same source.

LS

From mbasti at redhat.com Tue Jun 28 12:18:32 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Jun 2016 14:18:32 +0200
Subject: [Freeipa-devel] [PATCH 0138] replica-install: Compare domain names as DNS names and not string
In-Reply-To: <5cbac6aa-7a72-585b-e180-ce0a49073691@redhat.com>
References: <1cd85c87-b219-1412-f2b1-d5db20247628@redhat.com> <96cfb27f-2bb4-2ad2-d444-b0637d47d425@redhat.com> <7797a6c8-163b-2047-bbcc-79dd2883e01b@redhat.com> <5cbac6aa-7a72-585b-e180-ce0a49073691@redhat.com>
Message-ID:

On 27.06.2016 14:03, Martin Basti wrote:
>
>
> On 27.06.2016 14:02, Petr Spacek wrote:
>> On 27.6.2016 11:20, Petr Spacek wrote:
>>> On 27.6.2016 10:30, Martin Basti wrote:
>>>>>
>>>>> On 23.06.2016 18:32, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> replica-install: Compare domain names as DNS names and not strings
>>>>>>>
>>>>>>> This fixes false positive where user inputs "example.com" and
>>>>>>> "EXAMPLE.COM"
>>>>>>> were not considered equivalent and installation was wrongly
>>>>>>> refused.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/5976
>>>>>>>
>>>>> NACK, client installer should normalize domain name as host-add
>>>>> does, because
>>>>> it will blow up in different places, we cannot compare this part
>>>>> as DNS name
>>>>> when other parts work with it as strings
>>>>>
>>>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR Cannot
>>>>> promote this
>>>>> client to a replica. Local domain 'ipa.example.COM' does not match
>>>>> IPA domain
>>>>> 'ipa.example.com'.
>>> Okay, I will use the same validator as ipa-server-install and
>>> normalize it as
>>> you suggested.
>> Here you go. I was not able to find a corner case which would break
>> this.
>>
> LGTM
>
ACK

Pushed to:
master: 8b12ef50e1c016a5a025cf2a69271f769b585a03
ipa-4-3: 3d71c43504ea7837ea14bb9dd4a469c07337293f

From mbasti at redhat.com Tue Jun 28 12:21:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Jun 2016 14:21:40 +0200
Subject: [Freeipa-devel] [PATCH 0139] DNS: Fix tests for realm domains integration with DNS zone ad
In-Reply-To: <85b77783-46a1-611c-cf0b-b81f0d7fd2a9@redhat.com>
References: <85b77783-46a1-611c-cf0b-b81f0d7fd2a9@redhat.com>
Message-ID: <4df8ea2c-7695-1393-8971-bd77045dda87@redhat.com>

On 28.06.2016 12:12, David Kupka wrote:
> On 27/06/16 11:48, Petr Spacek wrote:
>> Hello,
>>
>> DNS: Fix tests for realm domains integration with DNS zone add
>>
>> We forgot to update tests after change in
>> 22f4045f72daf182c44ce574291c0d8a7733713b.
>>
>> https://fedorahosted.org/freeipa/ticket/5980
>>
>>
>> It should go to master, 4-3, and 4-2 as well (as the original change).
>>
>
> idnsforwarders needs to be changed on both occurrences. Fixed patch
> attached. Petr^2 approved the change. Attached version works as
> expected and the test is green again, ACK.
>
>
>
Pushed to:
master: bf91c0f938502fdd9ac6490d0781788ec99a868b
ipa-4-3: ae3b905ecb5fe3c1e2b46aeee9ed66fa03337f9b
ipa-4-2: 864cc6994b2b4abc775be88864b706e6386be3f2
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From slaznick at redhat.com Tue Jun 28 12:52:05 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Tue, 28 Jun 2016 14:52:05 +0200
Subject: [Freeipa-devel] [PATCH 0053] Fix wrong imports in copy-schema-to-ca
Message-ID:

Hello,

The attached patch fixes wrong imports in copy-schema-to-ca.py script.

https://fedorahosted.org/freeipa/ticket/6003
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-slaznick-0053-Fix-wrong-imports-in-copy-schema-to-ca.py.patch
Type: text/x-patch
Size: 2028 bytes
Desc: not available
URL:

From jcholast at redhat.com Tue Jun 28 13:04:18 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 28 Jun 2016 15:04:18 +0200
Subject: [Freeipa-devel] [PATCH] Schema caching for thin client
In-Reply-To: <8c777221-f39b-370e-2038-3eac431da36c@redhat.com>
References: <752f9367-5fef-bc1f-7c20-5d08c6d0d431@redhat.com> <6ab0a96e-a1e6-2255-f92c-0cba664d7d8a@redhat.com> <5528da40-6250-e1ed-96ad-c5dfb5fd7862@redhat.com> <5a4796d1-b5cd-d888-e45d-e5dee99fe8a4@redhat.com> <475bdc05-7908-9d93-303a-5146869e0918@redhat.com> <8c777221-f39b-370e-2038-3eac431da36c@redhat.com>
Message-ID:

On 21.6.2016 16:49, Martin Basti wrote:
>
>
> On 21.06.2016 16:51, Jan Cholasta wrote:
>> On 21.6.2016 16:33, Martin Basti wrote:
>>>
>>>
>>> On 21.06.2016 16:24, Jan Cholasta wrote:
>>>> On 21.6.2016 15:11, Jan Cholasta wrote:
>>>>> On 16.6.2016 09:12, David Kupka wrote:
>>>>>> On 06/15/2016 08:15 PM, Petr Vobornik wrote:
>>>>>>> On 06/15/2016 02:36 PM, David Kupka wrote:
>>>>>>>> Hello!
>>>>>>>> Schema caching for thin client is available here:
>>>>>>>>
>>>>>>>> https://github.com/dkupka/freeipa/commits/schema_cache
>>>>>>>>
>>>>>>>> Comments and reviews welcome.
>>>>>>>>
>>>>>>>> Enjoy!
>>>>>>>
>>>>>>> Not doing proper review. I'll test by using it. But:
>>>>>>>
>>>>>>> 1. lint fails
>>>>>>>
>>>>>>> Pylint is running, please wait ...
>>>>>>> ************* Module ipaclient.remote_plugins.schema_cache
>>>>>>> ipaclient/remote_plugins/schema_cache.py:283:
>>>>>>> [W1612(unicode-builtin),
>>>>>>> _refresh_schema] unicode built-in referenced)
>>>>>>> Makefile:137: recipe for target 'lint' failed
>>>>>>> make: *** [lint] Error 1
>>>>>>>
>>>>>>> I.e., you miss:
>>>>>>>
>>>>>>> import six
>>>>>>>
>>>>>>> if six.PY3:
>>>>>>>     unicode = str
>>>>>>>
>>>>>>
>>>>>> Thanks for the catch, fixed version force-pushed.
>>>>>
>>>>> ACK on the server part, i.e. the first 3 commits:
>>>>>
>>>>> 0cd99a7 schema: Cache schema in api instance
>>>>> b9a58c4 schema: Add known_fingerprints option to schema command
>>>>> f6f4e53 schema: Add fingerprint and TTL
>>>>>
>>>>> Pushed to master: d0e708cba240bd92a4467495caeb654eff6ae69a
>>>>
>>>> ACK on this commit:
>>>>
>>>> 7fc7941 schema: return fingerprint as unicode text
>>>>
>>>> Pushed to master: a5f48476adfd9971a1756bd5ad3cb7c9e2afef22
>>>>
>>>
>>> Is it okay to keep just the last 4 bytes from SHA1, how big is the possibility of a
>>> conflict?
>>
>> 2.3283064365386963e-10
>>
>> Git uses 3.5 bytes for short commit IDs by default. So far, there are
>> only 4 conflicts in freeipa git:
>>
>> $ git log --oneline | grep -E '^[0-9a-z]{8,}'
>> c6c84fae Py3: replace tab with space
>> b194b850 Fix remove while iterating in suppress_netgroup_memberof.
>> 58a3b1d0 85: Added ReadOnly._lock() method to make class easier to
>> use; updated subclasses and unit tests
>> bc524460 Fix build issues by combining patches submitted by Michael
>> Gregg and Karl MacMillan Remove #!/usr/bin/python from many files to
>> quiet rpmlint
>>
>> So IMO 4 bytes is good enough for our API schema fingerprints.
>>
>> Even if 4 bytes turn out not to be good enough, we can increase the
>> length at any time without breaking clients, because clients don't
>> care about fingerprint specifics.
>>
> Okay

ACK on the remaining patches:

ce74a12 schema: Caching on schema on client
bdd6ec2 env: Add 'server' variable to api.env

Pushed to master: a636842889f832e977df61dbeac4e1055e129c0f

--
Jan Cholasta

From pspacek at redhat.com Tue Jun 28 13:12:27 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Tue, 28 Jun 2016 15:12:27 +0200
Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command
In-Reply-To:
References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com> <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com>
Message-ID: <7adf7c4a-8767-1ed2-361d-320f4f05c2be@redhat.com>

On 27.6.2016 17:48, Pavel Vomacka wrote:
>
>
> On 06/23/2016 04:58 PM, Petr Vobornik wrote:
>> On 06/23/2016 04:34 PM, Martin Basti wrote:
>>>
>>> On 23.06.2016 09:57, Pavel Vomacka wrote:
>>>> Hello,
>>>>
>>>> please review attached patch.
>>>>
>>>> Part of: https://fedorahosted.org/freeipa/ticket/5905
>>>>
>>>>
>>>>
>>> Works for me
>>>
>> In this patch and also in some other(cert patches) the confirm message
>> has following structure:
>> To confirm your intention to $action, click the $button_name button.
>>
>> On other places of Web UI, more human and easier structure is used:
>> Do you want to update DNS records?
>> [Update] [Cancel]
>>
>> IMHO we should use it here as well. And the same for(separate path):
>> remove_certificate_hold_confirmation
>> revoke_confirmation"
>>
>>
>> otherwise the patch is OK.
The patch works!

Nitpick: 'Update DNS records' is too generic. The button and message should contain keyword 'system' somewhere. E.g. 'Update system DNS records'.

Feel free to push it when you add the keyword :-)

--
Petr^2 Spacek

From pspacek at redhat.com Tue Jun 28 13:22:50 2016
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 28 Jun 2016 15:22:50 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> Message-ID: <637c41ad-1bbe-b482-2764-4a56b67647d3@redhat.com> On 27.6.2016 11:43, Martin Basti wrote: > > > On 27.06.2016 10:56, Petr Spacek wrote: >> On 24.6.2016 12:25, Martin Basti wrote: >>> >>> On 23.06.2016 18:26, Petr Spacek wrote: >>>> On 23.6.2016 16:38, Martin Basti wrote: >>>>> Patches attached. >>>>> >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> >>>>> >>>>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch >>>>> >>>>> >>>>> >>>>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 >>>>> From: Martin Basti >>>>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>>>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>>>> for unused locations" >>>>> >>>>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>>>> >>>>> After deeper investigation, we found out that empty locations are needed >>>>> for clients, because clients may have cached records for longer time for >>>>> that particular location. Only way how to remove location is to remove >>>>> it using location-del >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ipaserver/dns_data_management.py | 11 ++++------- >>>>> 1 file changed, 4 insertions(+), 7 deletions(-) >>>>> >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py 
>>>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>>>> self.api_instance = api_instance >>>>> self.domain_abs = >>>>> DNSName(self.api_instance.env.domain).make_absolute() >>>>> self.servers_data = {} >>>>> - self.used_locations = set() >>>>> self.__init_data() >>>>> def reload_data(self): >>>>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>>>> def __init_data(self): >>>>> self.servers_data = {} >>>>> - self.used_locations = set() >>>>> servers_result = self.api_instance.Command.server_find( >>>>> pkey_only=True)['result'] >>>>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>>>> 'location': location, >>>>> 'roles': roles, >>>>> } >>>>> - if location: >>>>> - self.used_locations.add(location) >>>>> def __add_srv_records( >>>>> self, zone_obj, hostname, rname_port_map, >>>>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>>>> pkey_only=True)['result'] >>>>> servers = [s['cn'][0] for s in servers_result] >>>>> - # generate only records for used location, records for >>>>> unassigned >>>>> - # locations are useless >>>>> + locations_result = >>>>> self.api_instance.Command.location_find()['result'] >>>>> + locations = [l['idnsname'][0] for l in locations_result] >>>>> + >>>>> for server in servers: >>>>> self._get_location_dns_records_for_server( >>>>> zone_obj, server, >>>>> - self.used_locations, roles=roles, >>>>> + locations, roles=roles, >>>>> include_master_role=include_master_role) >>>>> return zone_obj >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>>>> >>>>> >>>>> >>>>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 
>>>>> From: Martin Basti >>>>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>>>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in >>>>> adtrust-install >>>>> >>>>> Since DNS location mechanism is active, this option has no effect, >>>>> because records are generate dynamically. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/tools/ipa-adtrust-install | 10 +++++++--- >>>>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>>>> 2 files changed, 15 insertions(+), 16 deletions(-) >>>>> >>>>> diff --git a/install/tools/ipa-adtrust-install >>>>> b/install/tools/ipa-adtrust-install >>>>> index >>>>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>>>> >>>>> 100755 >>>>> --- a/install/tools/ipa-adtrust-install >>>>> +++ b/install/tools/ipa-adtrust-install >>>>> @@ -29,6 +29,8 @@ import ldap >>>>> import six >>>>> +from optparse import SUPPRESS_HELP >>>>> + >>>>> from ipaserver.install import adtrustinstance >>>>> from ipaserver.install.installutils import ( >>>>> read_password, >>>>> @@ -54,9 +56,11 @@ def parse_options(): >>>>> default=False, help="print debugging information") >>>>> parser.add_option("--netbios-name", dest="netbios_name", >>>>> help="NetBIOS name of the IPA domain") >>>>> + >>>>> + # no-msdcs has not effect, option is here just for backward >>>>> compatibility >>>>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>>>> - default=False, help="Do not create DNS service >>>>> records " \ >>>>> - "for Windows in managed DNS >>>>> server") >>>>> + default=False, help=SUPPRESS_HELP) >>>>> + >>>>> parser.add_option("--rid-base", dest="rid_base", type=int, >>>>> default=1000, >>>>> help="Start value for mapping UIDs and GIDs to >>>>> RIDs") >>>>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", 
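Review bot: in the `@@ -54,9 +56,11 @@` hunk of install/tools/ipa-adtrust-install, `--no-msdcs` is kept for backward compatibility but is now accepted without any feedback, so an administrator who still passes it expecting the Windows SRV records to stay out of DNS gets no hint that the flag no longer does anything; suggest emitting a deprecation warning when `options.no_msdcs` is set (for instance in `main()` right before `smb.setup(...)`). The new comment should also read `has no effect` rather than `has not effect`.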
>>>>> @@ -390,7 +394,7 @@ def main(): >>>>> smb.setup(api.env.host, api.env.realm, >>>>> netbios_name, reset_netbios_name, >>>>> options.rid_base, options.secondary_rid_base, >>>>> - options.no_msdcs, options.add_sids, >>>>> + options.add_sids, >>>>> enable_compat = options.enable_compat) >>>>> smb.find_local_id_range() >>>>> smb.create_instance() >>>>> diff --git a/ipaserver/install/adtrustinstance.py >>>>> b/ipaserver/install/adtrustinstance.py >>>>> index >>>>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/adtrustinstance.py >>>>> +++ b/ipaserver/install/adtrustinstance.py >>>>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>>>> def __init__(self, fstore=None): >>>>> self.netbios_name = None >>>>> self.reset_netbios_name = None >>>>> - self.no_msdcs = None >>>>> self.add_sids = None >>>>> self.smbd_user = None >>>>> self.smb_dn_pwd = None >>>>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>>>> err_msg = None >>>>> - if self.no_msdcs: >>>>> - err_msg = '--no-msdcs was given, special DNS service records >>>>> ' \ >>>>> - 'are not added to local DNS server' >>>>> + ret = api.Command['dns_is_enabled']() >>>>> + if not ret['result']: >>>>> + err_msg = "DNS management was not enabled at install time." >>>>> else: >>>>> - ret = api.Command['dns_is_enabled']() >>>>> - if not ret['result']: >>>>> - err_msg = "DNS management was not enabled at install time." >>>>> - else: >>>>> - if not dns_zone_exists(zone): >>>>> - err_msg = "DNS zone %s cannot be managed " \ >>>>> - "as it is not defined in IPA" % zone >>>>> + if not dns_zone_exists(zone): >>>>> + err_msg = ( >>>>> + "DNS zone %s cannot be managed as it is not defined >>>>> in " >>>>> + "IPA" % zone) >>>>> if err_msg: >>>>> self.print_msg(err_msg) 
>>>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>>>> def setup(self, fqdn, realm_name, netbios_name, >>>>> reset_netbios_name, rid_base, secondary_rid_base, >>>>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>>>> + add_sids=False, smbd_user="samba", >>>>> enable_compat=False): >>>>> self.fqdn = fqdn >>>>> self.realm = realm_name >>>>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>>>> self.reset_netbios_name = reset_netbios_name >>>>> self.rid_base = rid_base >>>>> self.secondary_rid_base = secondary_rid_base >>>>> - self.no_msdcs = no_msdcs >>>>> self.add_sids = add_sids >>>>> self.enable_compat = enable_compat >>>>> self.smbd_user = smbd_user >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>>>> >>>>> >>>>> >>>>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 >>>>> From: Martin Basti >>>>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>>>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>>>> information >>>>> >>>>> Because separated calls for of server-show, getting server data is quite >>>>> slow. This commit replaces several server-show with one server-find >>>>> command. There are future plans to improve speed of server-find that >>>>> will be beneficial for DNS locations. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> ipaserver/dns_data_management.py | 10 ++++------ >>>>> 1 file changed, 4 insertions(+), 6 deletions(-) >>>>> >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py 
>>>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>>>> """ >>>>> self.__init_data() >>>>> - def __get_server_attrs(self, hostname): >>>>> - server_result = >>>>> self.api_instance.Command.server_show(hostname)['result'] >>>>> + def __get_server_attrs(self, server_result): >>>>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>>>> location = server_result.get('ipalocation_location', [None])[0] >>>>> roles = set(server_result.get('enabled_role_servrole', ())) >>>>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>>>> self.servers_data = {} >>>>> servers_result = self.api_instance.Command.server_find( >>>>> - pkey_only=True)['result'] >>>>> - servers = [s['cn'][0] for s in servers_result] >>>>> - for s in servers: >>>>> + no_members=False)['result'] >>>>> + for s in servers_result: >>>>> weight, location, roles = self.__get_server_attrs(s) >>>>> - self.servers_data[s] = { >>>>> + self.servers_data[s['cn'][0]] = { >>>>> 'weight': weight, >>>>> 'location': location, >>>>> 'roles': roles, >>>>> -- 2.5.5 >>>>> >>>>> >>>>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>>>> >>>>> >>>>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 
>>>>> From: Martin Basti >>>>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>>>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>>>> >>>>> We don't need anymore: >>>>> * sample of zone file - list of all records required by IPa will be >>>>> provided >>>>> >>>>> * NTP related params - DNS records will be updated automatically, >>>>> based on LDAP values >>>>> >>>>> * CA related params - DNS records will be updated automatically based >>>>> * on LDAP values >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>> --- >>>>> install/share/bind.zone.db.template | 29 --------------- >>>>> ipaserver/dns_data_management.py | 9 +++++ >>>>> ipaserver/install/bindinstance.py | 58 >>>>> ++++++++---------------------- >>>>> ipaserver/install/dns.py | 5 ++- >>>>> ipaserver/install/server/install.py | 8 ++--- >>>>> ipaserver/install/server/replicainstall.py | 4 +-- >>>>> 6 files changed, 30 insertions(+), 83 deletions(-) >>>>> delete mode 100644 install/share/bind.zone.db.template >>>>> >>>>> diff --git a/install/share/bind.zone.db.template >>>>> b/install/share/bind.zone.db.template >>>>> deleted file mode 100644 >>>>> index >>>>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>>>> >>>>> >>>>> --- a/install/share/bind.zone.db.template >>>>> +++ /dev/null 
>>>>> @@ -1,29 +0,0 @@ >>>>> -$$ORIGIN $DOMAIN. >>>>> -$$TTL 86400 >>>>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>>>> - 01 ; serial >>>>> - 3H ; refresh >>>>> - 15M ; retry >>>>> - 1W ; expiry >>>>> - 1D ) ; minimum >>>>> - >>>>> - IN NS $HOST >>>>> -$HOST IN A $IP >>>>> -; >>>>> -; ldap servers >>>>> -_ldap._tcp IN SRV 0 100 389 $HOST >>>>> - >>>>> -;kerberos realm >>>>> -_kerberos IN TXT $REALM >>>>> - >>>>> -; kerberos servers >>>>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>>>> -_kerberos._udp IN SRV 0 100 88 $HOST >>>>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>>>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>>>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>>>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>>>> -$OPTIONAL_NTP >>>>> - >>>>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>>>> -$IPA_CA_RECORD >>>>> diff --git a/ipaserver/dns_data_management.py >>>>> b/ipaserver/dns_data_management.py >>>>> index >>>>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>>>> >>>>> 100644 >>>>> --- a/ipaserver/dns_data_management.py >>>>> +++ b/ipaserver/dns_data_management.py >>>>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>>>> ) >>>>> ) >>>>> return records >>>>> + >>>>> + @classmethod >>>>> + def records_list_from_zone(cls, zone_obj, sort=True): >>>>> + records = [] >>>>> + for name, node in zone_obj.items(): >>>>> + records.extend(IPASystemRecords.records_list_from_node(name, >>>>> node)) >>>>> + if sort: >>>>> + records.sort() >>>>> + return records >>>>> diff --git a/ipaserver/install/bindinstance.py >>>>> b/ipaserver/install/bindinstance.py >>>>> index >>>>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/bindinstance.py >>>>> +++ b/ipaserver/install/bindinstance.py 
>>>>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>>>> suffix = ipautil.dn_attribute_property('_suffix') >>>>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>>>> forwarders, >>>>> - forward_policy, ntp, reverse_zones, >>>>> + forward_policy, reverse_zones, >>>>> named_user=constants.NAMED_USER, zonemgr=None, >>>>> - ca_configured=None, no_dnssec_validation=False): >>>>> + no_dnssec_validation=False): >>>>> self.named_user = named_user >>>>> self.fqdn = fqdn >>>>> self.ip_addresses = ip_addresses >>>>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>>>> self.forward_policy = forward_policy >>>>> self.host = fqdn.split(".")[0] >>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>> - self.ntp = ntp >>>>> self.reverse_zones = reverse_zones >>>>> - self.ca_configured = ca_configured >>>>> self.no_dnssec_validation=no_dnssec_validation >>>>> if not zonemgr: >>>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>>>> def host_in_default_domain(self): >>>>> return normalize_zone(self.host_domain) == >>>>> normalize_zone(self.domain) >>>>> - def create_sample_bind_zone(self): >>>>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>>>> "bind.zone.db.template", self.sub_dict) >>>>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>>>> - os.write(bind_fd, bind_txt) >>>>> - os.close(bind_fd) >>>>> - print("Sample zone file for bind has been created in "+bind_name) >>>>> + def create_file_with_system_records(self): >>>>> + system_records = IPASystemRecords(self.api) >>>>> + text = u'\n'.join( >>>>> + IPASystemRecords.records_list_from_zone( >>>>> + system_records.get_base_records() >>>>> + ) >>>>> + ) >>>>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>>>> + os.write(fd, text) >>>>> + os.close(fd) >>>>> + print("Please add records in this file to your DNS system:", name) >>>>> def create_instance(self): 
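Review bot: in the `@@ -666,12 +664,17 @@` hunk of ipaserver/install/bindinstance.py, `create_file_with_system_records()` builds `text` as a unicode string (`u'\n'.join(...)`) and passes it straight to `os.write(fd, text)`; on Python 3, which this code base is being kept portable to (note the `six` import in the ipa-adtrust-install patch), `os.write` accepts only bytes and raises `TypeError`. Suggest `os.write(fd, (text + u'\n').encode('utf-8'))`, which also terminates the last record line.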
>>>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>>>> root_logger.debug("Unable to mask named (%s)", e) >>>>> def __setup_sub_dict(self): >>>>> - if self.forwarders: >>>>> - fwds = "\n" >>>>> - for forwarder in self.forwarders: >>>>> - fwds += "\t\t%s;\n" % forwarder >>>>> - fwds += "\t" >>>>> - else: >>>>> - fwds = " " >>>>> - >>>>> - if self.ntp: >>>>> - optional_ntp = "\n;ntp server\n" >>>>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>>>> self.host_in_rr >>>>> - else: >>>>> - optional_ntp = "" >>>>> - >>>>> - ipa_ca = "" >>>>> - for addr in self.ip_addresses: >>>>> - if addr.version in (4, 6): >>>>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>>>> - IPA_CA_RECORD, >>>>> - "A" if addr.version == 4 else "AAAA", >>>>> - str(addr)) >>>>> - >>>>> self.sub_dict = dict( >>>>> FQDN=self.fqdn, >>>>> - IP=[str(ip) for ip in self.ip_addresses], >>>>> - DOMAIN=self.domain, >>>>> - HOST=self.host, >>>>> - REALM=self.realm, >>>>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>>>> - FORWARDERS=fwds, >>>>> - FORWARD_POLICY=self.forward_policy, >>>>> SUFFIX=self.suffix, >>>>> - OPTIONAL_NTP=optional_ntp, >>>>> - ZONEMGR=self.zonemgr, >>>>> - IPA_CA_RECORD=ipa_ca, >>>>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>>>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>>>> ROOT_KEY=paths.NAMED_ROOT_KEY, 
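Review bot: the `@@ -761,41 +764,10 @@` hunk of ipaserver/install/bindinstance.py drops `IP`, `DOMAIN`, `HOST`, `REALM`, `FORWARDERS`, `FORWARD_POLICY`, `ZONEMGR`, `OPTIONAL_NTP` and `IPA_CA_RECORD` from `self.sub_dict`, but the commit message only accounts for the zone template, the NTP parameters and the CA parameters. Please confirm that no other template still rendered from `self.sub_dict` (e.g. the named.conf template) references `$FORWARDERS`, `$FORWARD_POLICY` or `$ZONEMGR`, since a missing substitution key would only surface at install time, and list the removed keys in the commit message.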
>>>>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>>>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>>>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>>>> domain_name, >>>>> - reverse_zones, ntp=False, >>>>> ca_configured=None): >>>>> + reverse_zones): >>>>> self.fqdn = fqdn >>>>> self.ip_addresses = ip_addresses >>>>> self.realm = realm_name >>>>> self.domain = domain_name >>>>> self.host = fqdn.split(".")[0] >>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>> - self.ntp = ntp >>>>> self.reverse_zones = reverse_zones >>>>> - self.ca_configured = ca_configured >>>>> self.first_instance = False >>>>> self.zonemgr = 'hostmaster.%s' % self.domain >>>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>>>> index >>>>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/dns.py >>>>> +++ b/ipaserver/install/dns.py >>>>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>>>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>>>> autobind=AUTOBIND_ENABLED) >>>>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>>>> - options.forwarders, options.forward_policy, conf_ntp, >>>>> + options.forwarders, options.forward_policy, >>>>> reverse_zones, zonemgr=options.zonemgr, >>>>> - no_dnssec_validation=options.no_dnssec_validation, >>>>> - ca_configured=options.setup_ca) >>>>> + no_dnssec_validation=options.no_dnssec_validation) >>>>> if standalone and not options.unattended: >>>>> print("") >>>>> diff --git a/ipaserver/install/server/install.py >>>>> b/ipaserver/install/server/install.py >>>>> index >>>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/server/install.py >>>>> +++ b/ipaserver/install/server/install.py 
>>>>> @@ -848,17 +848,17 @@ def install(installer): >>>>> if setup_ca: >>>>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>>>> + api.Backend.ldap2.connect(autobind=True) >>>>> if options.setup_dns: >>>>> - api.Backend.ldap2.connect(autobind=True) >>>>> dns.install(False, False, options) >>>>> else: >>>>> # Create a BIND instance >>>>> bind = bindinstance.BindInstance(fstore, dm_password) >>>>> bind.setup(host_name, ip_addresses, realm_name, >>>>> - domain_name, (), 'first', not options.no_ntp, (), >>>>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>>>> + domain_name, (), 'first', (), >>>>> + zonemgr=options.zonemgr, >>>>> no_dnssec_validation=options.no_dnssec_validation) >>>>> - bind.create_sample_bind_zone() >>>>> + bind.create_file_with_system_records() >>>>> # Restart httpd to pick up the new IPA configuration >>>>> service.print_msg("Restarting the web server") >>>>> diff --git a/ipaserver/install/server/replicainstall.py >>>>> b/ipaserver/install/server/replicainstall.py >>>>> index >>>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>>>> >>>>> 100644 >>>>> --- a/ipaserver/install/server/replicainstall.py >>>>> +++ b/ipaserver/install/server/replicainstall.py 
>>>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>>>> str(ip), >>>>> config.realm_name, >>>>> config.domain_name, >>>>> - reverse_zone, >>>>> - not options.no_ntp, >>>>> - options.setup_ca) >>>>> + reverse_zone) >>>>> except errors.NotFound as e: >>>>> root_logger.debug('Replica DNS records could not be added ' >>>>> 'on master: %s', str(e)) >>>>> -- 2.5.5 >>>> While testing this patch I've found out that ipa-dns-install does not work >>>> idempotently anymore and explodes when re-run. >>>> >>>> I'm not sure what is the root cause yet. >>>> >>>> # ipa-dns-install --forwarder 10.34.78.1 >>>> >>>> WARNING: yacc table file version is out of date >>>> >>>> The log file for this installation can be found in >>>> /var/log/ipaserver-install.log >>>> ============================================================================== >>>> >>>> This program will setup DNS for the FreeIPA Server. >>>> >>>> This includes: >>>> * Configure DNS (bind) >>>> * Configure SoftHSM (required by DNSSEC) >>>> * Configure ipa-dnskeysyncd (required by DNSSEC) >>>> >>>> NOTE: DNSSEC zone signing is not enabled by default >>>> >>>> >>>> To accept the default shown in brackets, press the Enter key. >>>> >>>> Checking DNS forwarders, please wait ... >>>> Do you want to search for missing reverse zones? [yes]: >>>> >>>> The following operations may take some minutes to complete. >>>> Please wait until the prompt is returned. >>>> >>>> Configuring DNS (named) >>>> [1/8]: generating rndc key file >>>> [2/8]: setting up our own record >>>> ipa : ERROR DNS query for >>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
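Review bot: in the `@@ -353,12 +349,13 @@` hunk of ipaserver/dns_data_management.py (patch 1/4), `location_find()` is called with no arguments although only `idnsname` is consumed, while the `server_find` call a few lines above already passes `pkey_only=True`; suggest `self.api_instance.Command.location_find(pkey_only=True)['result']` so that each zone regeneration does not pull every attribute of every location. The loop variable `l` in `[l['idnsname'][0] for l in locations_result]` is also easy to misread as `1`; `loc` is clearer.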
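Review bot: in the `@@ -78,8 +78,7 @@` hunk of ipaserver/dns_data_management.py (patch 3/4), the parameter of `__get_server_attrs` is renamed from `hostname` to `server_result` and its meaning changes from a host name to one entry of the `server_find` result, but the method carries no docstring saying so; since the caller now passes a loop variable named just `s`, add a one-line docstring stating that a `server_find` entry (with members, i.e. `no_members=False`) is expected.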
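Review bot: in the `@@ -477,3 +477,12 @@` hunk of ipaserver/dns_data_management.py (patch 4/4), `records_list_from_zone` is declared a `@classmethod` but calls `IPASystemRecords.records_list_from_node(name, node)` instead of `cls.records_list_from_node(name, node)`, which makes the `cls` argument unused and bypasses any override in a subclass; suggest `records.extend(cls.records_list_from_node(name, node))`.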
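Review bot: in the `@@ -848,17 +848,17 @@` hunk of ipaserver/install/server/install.py, `api.Backend.ldap2.connect(autobind=True)` is hoisted out of the `if options.setup_dns:` branch so that the non-DNS branch is connected too, which `create_file_with_system_records()` needs because `IPASystemRecords(self.api)` runs `server_find` and `location_find` through the API; that dependency is not mentioned in the commit message. Please also double-check that nothing earlier in `install()` has already connected `ldap2` on the non-DNS path, since `connect()` raises when a connection for that backend already exists in the thread.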
A failed: The DNS operation timed >>>> out after 30.0012078285 seconds >>>> [error] DNSResolverError: The DNS operation timed out after 30.0012078285 >>>> seconds >>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>> >>>> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record >>>> 2016-06-23T15:41:54Z DEBUG raw: >>>> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199') >>>> 2016-06-23T15:41:54Z DEBUG dnszone_show(>>> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False, >>>> version=u'2.199') >>>> 2016-06-23T15:42:24Z ERROR DNS query for >>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed >>>> out after 30.0012078285 seconds >>>> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last): >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 448, in start_creation >>>> run_step(full_msg, method) >>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>> line >>>> 438, in run_step >>>> method() >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>> line 860, in __add_self >>>> self.__add_master_records(self.fqdn, self.ip_addresses) >>>> File >>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>> line 843, in __add_master_records >>>> verify_host_resolvable(fqdn) >>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in >>>> verify_host_resolvable >>>> raise errors.DNSResolverError(exception=ex) >>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>> IMO this is the same case as https://fedorahosted.org/freeipa/ticket/5962 where we >>> changed resolving of the server hostname from gethostbyname() to pure DNS >>> >>> Workaround is to set a nameserver in /etc/resolv.conf >>>> >>>> >>>> I was not able to test replica installation because of some weird ACI problem 
>>>> somewhere, replica install is failing with ACIError while adding ldap/replica >>>> principal. This is probably a regression from some other patchset. >>>> >>>> https://fedorahosted.org/freeipa/ticket/5996 >> NACK >> >> make[5]: *** No rule to make target 'bind.zone.db.template', needed by >> 'all-am'. Stop. >> >> I'm not exactly sure how I missed this before, possibly git clean -xdf was >> missing ... >> > My bad > > updated patches attached. ACK -- Petr^2 Spacek From mbasti at redhat.com Tue Jun 28 13:24:25 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 15:24:25 +0200 Subject: [Freeipa-devel] [PATCH 0538-0540] DNS locations: epilogue In-Reply-To: <637c41ad-1bbe-b482-2764-4a56b67647d3@redhat.com> References: <000bdb75-7d72-c0d5-5352-8a0261c2847a@redhat.com> <1b9f6343-20f9-5aeb-b452-b12a8736e9e2@redhat.com> <013df7d5-360f-455a-039b-3bfa2424846f@redhat.com> <304ae23f-4ced-3147-9561-8b277ba4ae6a@redhat.com> <637c41ad-1bbe-b482-2764-4a56b67647d3@redhat.com> Message-ID: <4ced1cec-42f1-d59c-2f04-79e5198c7ba9@redhat.com> On 28.06.2016 15:22, Petr Spacek wrote: > On 27.6.2016 11:43, Martin Basti wrote: >> >> On 27.06.2016 10:56, Petr Spacek wrote: >>> On 24.6.2016 12:25, Martin Basti wrote: >>>> On 23.06.2016 18:26, Petr Spacek wrote: >>>>> On 23.6.2016 16:38, Martin Basti wrote: >>>>>> Patches attached. >>>>>> >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0538-Revert-DNS-Locations-do-not-generate-location-record.patch >>>>>> >>>>>> >>>>>> >>>>>> From 28499422115cbfbb343033511319c7c8710e1ff5 Mon Sep 17 00:00:00 2001 
>>>>>> From: Martin Basti >>>>>> Date: Tue, 21 Jun 2016 18:04:13 +0200 >>>>>> Subject: [PATCH 1/4] Revert "DNS Locations: do not generate location records >>>>>> for unused locations" >>>>>> >>>>>> This reverts commit bbf8227e3fd678d4bd6659a12055ba3dbe1c8230. >>>>>> >>>>>> After deeper investigation, we found out that empty locations are needed >>>>>> for clients, because clients may have cached records for longer time for >>>>>> that particular location. Only way how to remove location is to remove >>>>>> it using location-del >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> ipaserver/dns_data_management.py | 11 ++++------- >>>>>> 1 file changed, 4 insertions(+), 7 deletions(-) >>>>>> >>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> a9e9c0a3856961b5494c8d3ca30ddb2e4aa5c523..eac2e7d1a5618ea92372bd81b7d12752791ef117 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py >>>>>> @@ -68,7 +68,6 @@ class IPASystemRecords(object): >>>>>> self.api_instance = api_instance >>>>>> self.domain_abs = >>>>>> DNSName(self.api_instance.env.domain).make_absolute() >>>>>> self.servers_data = {} >>>>>> - self.used_locations = set() >>>>>> self.__init_data() >>>>>> def reload_data(self): >>>>>> @@ -92,7 +91,6 @@ class IPASystemRecords(object): >>>>>> def __init_data(self): >>>>>> self.servers_data = {} >>>>>> - self.used_locations = set() >>>>>> servers_result = self.api_instance.Command.server_find( >>>>>> pkey_only=True)['result'] >>>>>> @@ -104,8 +102,6 @@ class IPASystemRecords(object): >>>>>> 'location': location, >>>>>> 'roles': roles, >>>>>> } >>>>>> - if location: >>>>>> - self.used_locations.add(location) >>>>>> def __add_srv_records( >>>>>> self, zone_obj, hostname, rname_port_map, 
>>>>>> @@ -353,12 +349,13 @@ class IPASystemRecords(object): >>>>>> pkey_only=True)['result'] >>>>>> servers = [s['cn'][0] for s in servers_result] >>>>>> - # generate only records for used location, records for >>>>>> unassigned >>>>>> - # locations are useless >>>>>> + locations_result = >>>>>> self.api_instance.Command.location_find()['result'] >>>>>> + locations = [l['idnsname'][0] for l in locations_result] >>>>>> + >>>>>> for server in servers: >>>>>> self._get_location_dns_records_for_server( >>>>>> zone_obj, server, >>>>>> - self.used_locations, roles=roles, >>>>>> + locations, roles=roles, >>>>>> include_master_role=include_master_role) >>>>>> return zone_obj >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0539-DNS-Locations-hide-option-no-msdcs-in-adtrust-instal.patch >>>>>> >>>>>> >>>>>> >>>>>> From 37cae4f05cd3c0a2c4de037402938a5437dbc072 Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Tue, 21 Jun 2016 18:17:55 +0200 >>>>>> Subject: [PATCH 2/4] DNS Locations: hide option --no-msdcs in >>>>>> adtrust-install >>>>>> >>>>>> Since DNS location mechanism is active, this option has no effect, >>>>>> because records are generate dynamically. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> install/tools/ipa-adtrust-install | 10 +++++++--- >>>>>> ipaserver/install/adtrustinstance.py | 21 ++++++++------------- >>>>>> 2 files changed, 15 insertions(+), 16 deletions(-) >>>>>> >>>>>> diff --git a/install/tools/ipa-adtrust-install >>>>>> b/install/tools/ipa-adtrust-install >>>>>> index >>>>>> 5babcdb7cb169e4a944acca55739064e0464d41e..5ba72a65d00ca683239a4ff3c5e7cfdc62c0bb6c >>>>>> >>>>>> 100755 >>>>>> --- a/install/tools/ipa-adtrust-install >>>>>> +++ b/install/tools/ipa-adtrust-install >>>>>> @@ -29,6 +29,8 @@ import ldap >>>>>> import six >>>>>> +from optparse import SUPPRESS_HELP >>>>>> + >>>>>> from ipaserver.install import adtrustinstance >>>>>> from ipaserver.install.installutils import ( >>>>>> read_password, 
>>>>>> @@ -54,9 +56,11 @@ def parse_options(): >>>>>> default=False, help="print debugging information") >>>>>> parser.add_option("--netbios-name", dest="netbios_name", >>>>>> help="NetBIOS name of the IPA domain") >>>>>> + >>>>>> + # no-msdcs has not effect, option is here just for backward >>>>>> compatibility >>>>>> parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true", >>>>>> - default=False, help="Do not create DNS service >>>>>> records " \ >>>>>> - "for Windows in managed DNS >>>>>> server") >>>>>> + default=False, help=SUPPRESS_HELP) >>>>>> + >>>>>> parser.add_option("--rid-base", dest="rid_base", type=int, >>>>>> default=1000, >>>>>> help="Start value for mapping UIDs and GIDs to >>>>>> RIDs") >>>>>> parser.add_option("--secondary-rid-base", dest="secondary_rid_base", >>>>>> @@ -390,7 +394,7 @@ def main(): >>>>>> smb.setup(api.env.host, api.env.realm, >>>>>> netbios_name, reset_netbios_name, >>>>>> options.rid_base, options.secondary_rid_base, >>>>>> - options.no_msdcs, options.add_sids, >>>>>> + options.add_sids, >>>>>> enable_compat = options.enable_compat) >>>>>> smb.find_local_id_range() >>>>>> smb.create_instance() >>>>>> diff --git a/ipaserver/install/adtrustinstance.py >>>>>> b/ipaserver/install/adtrustinstance.py >>>>>> index >>>>>> 6ab15df27216580d440ce72386113d6872c046b2..0114a33a046b863b7e901c3d6f02044f18c45f85 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/adtrustinstance.py >>>>>> +++ b/ipaserver/install/adtrustinstance.py >>>>>> @@ -124,7 +124,6 @@ class ADTRUSTInstance(service.Service): >>>>>> def __init__(self, fstore=None): >>>>>> self.netbios_name = None >>>>>> self.reset_netbios_name = None >>>>>> - self.no_msdcs = None >>>>>> self.add_sids = None >>>>>> self.smbd_user = None >>>>>> self.smb_dn_pwd = None 
>>>>>> @@ -585,17 +584,14 @@ class ADTRUSTInstance(service.Service): >>>>>> err_msg = None >>>>>> - if self.no_msdcs: >>>>>> - err_msg = '--no-msdcs was given, special DNS service records >>>>>> ' \ >>>>>> - 'are not added to local DNS server' >>>>>> + ret = api.Command['dns_is_enabled']() >>>>>> + if not ret['result']: >>>>>> + err_msg = "DNS management was not enabled at install time." >>>>>> else: >>>>>> - ret = api.Command['dns_is_enabled']() >>>>>> - if not ret['result']: >>>>>> - err_msg = "DNS management was not enabled at install time." >>>>>> - else: >>>>>> - if not dns_zone_exists(zone): >>>>>> - err_msg = "DNS zone %s cannot be managed " \ >>>>>> - "as it is not defined in IPA" % zone >>>>>> + if not dns_zone_exists(zone): >>>>>> + err_msg = ( >>>>>> + "DNS zone %s cannot be managed as it is not defined >>>>>> in " >>>>>> + "IPA" % zone) >>>>>> if err_msg: >>>>>> self.print_msg(err_msg) >>>>>> @@ -766,7 +762,7 @@ class ADTRUSTInstance(service.Service): >>>>>> def setup(self, fqdn, realm_name, netbios_name, >>>>>> reset_netbios_name, rid_base, secondary_rid_base, >>>>>> - no_msdcs=False, add_sids=False, smbd_user="samba", >>>>>> + add_sids=False, smbd_user="samba", >>>>>> enable_compat=False): >>>>>> self.fqdn = fqdn >>>>>> self.realm = realm_name >>>>>> @@ -774,7 +770,6 @@ class ADTRUSTInstance(service.Service): >>>>>> self.reset_netbios_name = reset_netbios_name >>>>>> self.rid_base = rid_base >>>>>> self.secondary_rid_base = secondary_rid_base >>>>>> - self.no_msdcs = no_msdcs >>>>>> self.add_sids = add_sids >>>>>> self.enable_compat = enable_compat >>>>>> self.smbd_user = smbd_user >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0540-DNS-Locations-optimization-use-server-find-to-get-in.patch >>>>>> >>>>>> >>>>>> >>>>>> From 86a3e48bd2494867cdf538d6902ef65cbaada1af Mon Sep 17 00:00:00 2001 
>>>>>> From: Martin Basti >>>>>> Date: Wed, 22 Jun 2016 13:12:52 +0200 >>>>>> Subject: [PATCH 3/4] DNS Locations: optimization: use server-find to get >>>>>> information >>>>>> >>>>>> Because separated calls for of server-show, getting server data is quite >>>>>> slow. This commit replaces several server-show with one server-find >>>>>> command. There are future plans to improve speed of server-find that >>>>>> will be beneficial for DNS locations. >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> ipaserver/dns_data_management.py | 10 ++++------ >>>>>> 1 file changed, 4 insertions(+), 6 deletions(-) >>>>>> >>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> eac2e7d1a5618ea92372bd81b7d12752791ef117..e7f65958fb908426ad186b327c3e8cb8f37d66f4 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py >>>>>> @@ -78,8 +78,7 @@ class IPASystemRecords(object): >>>>>> """ >>>>>> self.__init_data() >>>>>> - def __get_server_attrs(self, hostname): >>>>>> - server_result = >>>>>> self.api_instance.Command.server_show(hostname)['result'] >>>>>> + def __get_server_attrs(self, server_result): >>>>>> weight = int(server_result.get('ipaserviceweight', [u'100'])[0]) >>>>>> location = server_result.get('ipalocation_location', [None])[0] >>>>>> roles = set(server_result.get('enabled_role_servrole', ())) 
>>>>>> @@ -93,11 +92,10 @@ class IPASystemRecords(object): >>>>>> self.servers_data = {} >>>>>> servers_result = self.api_instance.Command.server_find( >>>>>> - pkey_only=True)['result'] >>>>>> - servers = [s['cn'][0] for s in servers_result] >>>>>> - for s in servers: >>>>>> + no_members=False)['result'] >>>>>> + for s in servers_result: >>>>>> weight, location, roles = self.__get_server_attrs(s) >>>>>> - self.servers_data[s] = { >>>>>> + self.servers_data[s['cn'][0]] = { >>>>>> 'weight': weight, >>>>>> 'location': location, >>>>>> 'roles': roles, >>>>>> -- 2.5.5 >>>>>> >>>>>> >>>>>> freeipa-mbasti-0541-DNS-Locations-cleanup-of-bininstance.patch >>>>>> >>>>>> >>>>>> From 6161501cc11a25b811bd56ba0244b00eaa9edbe0 Mon Sep 17 00:00:00 2001 >>>>>> From: Martin Basti >>>>>> Date: Thu, 23 Jun 2016 14:50:11 +0200 >>>>>> Subject: [PATCH 4/4] DNS Locations: cleanup of bininstance >>>>>> >>>>>> We don't need anymore: >>>>>> * sample of zone file - list of all records required by IPa will be >>>>>> provided >>>>>> >>>>>> * NTP related params - DNS records will be updated automatically, >>>>>> based on LDAP values >>>>>> >>>>>> * CA related params - DNS records will be updated automatically based >>>>>> * on LDAP values >>>>>> >>>>>> https://fedorahosted.org/freeipa/ticket/2008 >>>>>> --- >>>>>> install/share/bind.zone.db.template | 29 --------------- >>>>>> ipaserver/dns_data_management.py | 9 +++++ >>>>>> ipaserver/install/bindinstance.py | 58 >>>>>> ++++++++---------------------- >>>>>> ipaserver/install/dns.py | 5 ++- >>>>>> ipaserver/install/server/install.py | 8 ++--- >>>>>> ipaserver/install/server/replicainstall.py | 4 +-- >>>>>> 6 files changed, 30 insertions(+), 83 deletions(-) >>>>>> delete mode 100644 install/share/bind.zone.db.template >>>>>> 
>>>>>> diff --git a/install/share/bind.zone.db.template >>>>>> b/install/share/bind.zone.db.template >>>>>> deleted file mode 100644 >>>>>> index >>>>>> ec175c60825869ea9b86f7d1351a96189028b5d4..0000000000000000000000000000000000000000 >>>>>> >>>>>> >>>>>> --- a/install/share/bind.zone.db.template >>>>>> +++ /dev/null >>>>>> @@ -1,29 +0,0 @@ >>>>>> -$$ORIGIN $DOMAIN. >>>>>> -$$TTL 86400 >>>>>> -@ IN SOA $DOMAIN. $ZONEMGR ( >>>>>> - 01 ; serial >>>>>> - 3H ; refresh >>>>>> - 15M ; retry >>>>>> - 1W ; expiry >>>>>> - 1D ) ; minimum >>>>>> - >>>>>> - IN NS $HOST >>>>>> -$HOST IN A $IP >>>>>> -; >>>>>> -; ldap servers >>>>>> -_ldap._tcp IN SRV 0 100 389 $HOST >>>>>> - >>>>>> -;kerberos realm >>>>>> -_kerberos IN TXT $REALM >>>>>> - >>>>>> -; kerberos servers >>>>>> -_kerberos._tcp IN SRV 0 100 88 $HOST >>>>>> -_kerberos._udp IN SRV 0 100 88 $HOST >>>>>> -_kerberos-master._tcp IN SRV 0 100 88 $HOST >>>>>> -_kerberos-master._udp IN SRV 0 100 88 $HOST >>>>>> -_kpasswd._tcp IN SRV 0 100 464 $HOST >>>>>> -_kpasswd._udp IN SRV 0 100 464 $HOST >>>>>> -$OPTIONAL_NTP >>>>>> - >>>>>> -; CNAME for IPA CA replicas (used for CRL, OCSP) >>>>>> -$IPA_CA_RECORD >>>>>> diff --git a/ipaserver/dns_data_management.py >>>>>> b/ipaserver/dns_data_management.py >>>>>> index >>>>>> e7f65958fb908426ad186b327c3e8cb8f37d66f4..48717c7c478ea4ea62e6cdfe169fd9fe99c0880b >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/dns_data_management.py >>>>>> +++ b/ipaserver/dns_data_management.py >>>>>> @@ -477,3 +477,12 @@ class IPASystemRecords(object): >>>>>> ) >>>>>> ) >>>>>> return records >>>>>> + >>>>>> + @classmethod >>>>>> + def records_list_from_zone(cls, zone_obj, sort=True): >>>>>> + records = [] >>>>>> + for name, node in zone_obj.items(): >>>>>> + records.extend(IPASystemRecords.records_list_from_node(name, >>>>>> node)) >>>>>> + if sort: >>>>>> + records.sort() >>>>>> + return records 
>>>>>> diff --git a/ipaserver/install/bindinstance.py >>>>>> b/ipaserver/install/bindinstance.py >>>>>> index >>>>>> 08c32f4837a5b4f72b78a52002a58c888db6cc91..a63b2dfd329f7cf535c2cf6e2d83b5c86fdddacf >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/bindinstance.py >>>>>> +++ b/ipaserver/install/bindinstance.py >>>>>> @@ -623,9 +623,9 @@ class BindInstance(service.Service): >>>>>> suffix = ipautil.dn_attribute_property('_suffix') >>>>>> def setup(self, fqdn, ip_addresses, realm_name, domain_name, >>>>>> forwarders, >>>>>> - forward_policy, ntp, reverse_zones, >>>>>> + forward_policy, reverse_zones, >>>>>> named_user=constants.NAMED_USER, zonemgr=None, >>>>>> - ca_configured=None, no_dnssec_validation=False): >>>>>> + no_dnssec_validation=False): >>>>>> self.named_user = named_user >>>>>> self.fqdn = fqdn >>>>>> self.ip_addresses = ip_addresses >>>>>> @@ -635,9 +635,7 @@ class BindInstance(service.Service): >>>>>> self.forward_policy = forward_policy >>>>>> self.host = fqdn.split(".")[0] >>>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>>> - self.ntp = ntp >>>>>> self.reverse_zones = reverse_zones >>>>>> - self.ca_configured = ca_configured >>>>>> self.no_dnssec_validation=no_dnssec_validation >>>>>> if not zonemgr: 
>>>>>> @@ -666,12 +664,17 @@ class BindInstance(service.Service): >>>>>> def host_in_default_domain(self): >>>>>> return normalize_zone(self.host_domain) == >>>>>> normalize_zone(self.domain) >>>>>> - def create_sample_bind_zone(self): >>>>>> - bind_txt = ipautil.template_file(ipautil.SHARE_DIR + >>>>>> "bind.zone.db.template", self.sub_dict) >>>>>> - [bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.") >>>>>> - os.write(bind_fd, bind_txt) >>>>>> - os.close(bind_fd) >>>>>> - print("Sample zone file for bind has been created in "+bind_name) >>>>>> + def create_file_with_system_records(self): >>>>>> + system_records = IPASystemRecords(self.api) >>>>>> + text = u'\n'.join( >>>>>> + IPASystemRecords.records_list_from_zone( >>>>>> + system_records.get_base_records() >>>>>> + ) >>>>>> + ) >>>>>> + [fd, name] = tempfile.mkstemp(".db","ipa.system.records.") >>>>>> + os.write(fd, text) >>>>>> + os.close(fd) >>>>>> + print("Please add records in this file to your DNS system:", name) >>>>>> def create_instance(self): 
>>>>>> @@ -761,41 +764,10 @@ class BindInstance(service.Service): >>>>>> root_logger.debug("Unable to mask named (%s)", e) >>>>>> def __setup_sub_dict(self): >>>>>> - if self.forwarders: >>>>>> - fwds = "\n" >>>>>> - for forwarder in self.forwarders: >>>>>> - fwds += "\t\t%s;\n" % forwarder >>>>>> - fwds += "\t" >>>>>> - else: >>>>>> - fwds = " " >>>>>> - >>>>>> - if self.ntp: >>>>>> - optional_ntp = "\n;ntp server\n" >>>>>> - optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s" % >>>>>> self.host_in_rr >>>>>> - else: >>>>>> - optional_ntp = "" >>>>>> - >>>>>> - ipa_ca = "" >>>>>> - for addr in self.ip_addresses: >>>>>> - if addr.version in (4, 6): >>>>>> - ipa_ca += "%s\t\t\tIN %s\t\t\t%s\n" % ( >>>>>> - IPA_CA_RECORD, >>>>>> - "A" if addr.version == 4 else "AAAA", >>>>>> - str(addr)) >>>>>> - >>>>>> self.sub_dict = dict( >>>>>> FQDN=self.fqdn, >>>>>> - IP=[str(ip) for ip in self.ip_addresses], >>>>>> - DOMAIN=self.domain, >>>>>> - HOST=self.host, >>>>>> - REALM=self.realm, >>>>>> SERVER_ID=installutils.realm_to_serverid(self.realm), >>>>>> - FORWARDERS=fwds, >>>>>> - FORWARD_POLICY=self.forward_policy, >>>>>> SUFFIX=self.suffix, >>>>>> - OPTIONAL_NTP=optional_ntp, >>>>>> - ZONEMGR=self.zonemgr, >>>>>> - IPA_CA_RECORD=ipa_ca, >>>>>> BINDKEYS_FILE=paths.NAMED_BINDKEYS_FILE, >>>>>> MANAGED_KEYS_DIR=paths.NAMED_MANAGED_KEYS_DIR, >>>>>> ROOT_KEY=paths.NAMED_ROOT_KEY, 
>>>>>> @@ -1026,16 +998,14 @@ class BindInstance(service.Service): >>>>>> ipautil.run([paths.GENERATE_RNDC_KEY]) >>>>>> def add_master_dns_records(self, fqdn, ip_addresses, realm_name, >>>>>> domain_name, >>>>>> - reverse_zones, ntp=False, >>>>>> ca_configured=None): >>>>>> + reverse_zones): >>>>>> self.fqdn = fqdn >>>>>> self.ip_addresses = ip_addresses >>>>>> self.realm = realm_name >>>>>> self.domain = domain_name >>>>>> self.host = fqdn.split(".")[0] >>>>>> self.suffix = ipautil.realm_to_suffix(self.realm) >>>>>> - self.ntp = ntp >>>>>> self.reverse_zones = reverse_zones >>>>>> - self.ca_configured = ca_configured >>>>>> self.first_instance = False >>>>>> self.zonemgr = 'hostmaster.%s' % self.domain >>>>>> diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py >>>>>> index >>>>>> 2ea11739e07c73132bddee01309af618532e9815..44ebd39dfa7f1d947061c3b4c0347242f8502be0 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/dns.py >>>>>> +++ b/ipaserver/install/dns.py >>>>>> @@ -329,10 +329,9 @@ def install(standalone, replica, options, api=api): >>>>>> bind = bindinstance.BindInstance(fstore, ldapi=True, api=api, >>>>>> autobind=AUTOBIND_ENABLED) >>>>>> bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain, >>>>>> - options.forwarders, options.forward_policy, conf_ntp, >>>>>> + options.forwarders, options.forward_policy, >>>>>> reverse_zones, zonemgr=options.zonemgr, >>>>>> - no_dnssec_validation=options.no_dnssec_validation, >>>>>> - ca_configured=options.setup_ca) >>>>>> + no_dnssec_validation=options.no_dnssec_validation) >>>>>> if standalone and not options.unattended: >>>>>> print("") >>>>>> diff --git a/ipaserver/install/server/install.py >>>>>> b/ipaserver/install/server/install.py >>>>>> index >>>>>> 930cca7b31ca06c04ab92deff49b6a4f198c2b6e..c28c095fb3cccd4cd412c0496374050434e438a1 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/server/install.py >>>>>> +++ b/ipaserver/install/server/install.py 
>>>>>> @@ -848,17 +848,17 @@ def install(installer): >>>>>> if setup_ca: >>>>>> services.knownservices['pki_tomcatd'].restart('pki-tomcat') >>>>>> + api.Backend.ldap2.connect(autobind=True) >>>>>> if options.setup_dns: >>>>>> - api.Backend.ldap2.connect(autobind=True) >>>>>> dns.install(False, False, options) >>>>>> else: >>>>>> # Create a BIND instance >>>>>> bind = bindinstance.BindInstance(fstore, dm_password) >>>>>> bind.setup(host_name, ip_addresses, realm_name, >>>>>> - domain_name, (), 'first', not options.no_ntp, (), >>>>>> - zonemgr=options.zonemgr, ca_configured=setup_ca, >>>>>> + domain_name, (), 'first', (), >>>>>> + zonemgr=options.zonemgr, >>>>>> no_dnssec_validation=options.no_dnssec_validation) >>>>>> - bind.create_sample_bind_zone() >>>>>> + bind.create_file_with_system_records() >>>>>> # Restart httpd to pick up the new IPA configuration >>>>>> service.print_msg("Restarting the web server") >>>>>> diff --git a/ipaserver/install/server/replicainstall.py >>>>>> b/ipaserver/install/server/replicainstall.py >>>>>> index >>>>>> 52b2ea5b0691cd99c6cb566af5a15af3b2dffb14..0277d324a60b2893dda57119453dabf5df28ea10 >>>>>> >>>>>> 100644 >>>>>> --- a/ipaserver/install/server/replicainstall.py >>>>>> +++ b/ipaserver/install/server/replicainstall.py 
>>>>>> @@ -210,9 +210,7 @@ def install_dns_records(config, options, remote_api): >>>>>> str(ip), >>>>>> config.realm_name, >>>>>> config.domain_name, >>>>>> - reverse_zone, >>>>>> - not options.no_ntp, >>>>>> - options.setup_ca) >>>>>> + reverse_zone) >>>>>> except errors.NotFound as e: >>>>>> root_logger.debug('Replica DNS records could not be added ' >>>>>> 'on master: %s', str(e)) >>>>>> -- 2.5.5 >>>>> While testing this patch I've found out that ipa-dns-install does not work >>>>> idempotently anymore and explodes when re-run. >>>>> >>>>> I'm not sure what is the root cause yet. >>>>> >>>>> # ipa-dns-install --forwarder 10.34.78.1 >>>>> >>>>> WARNING: yacc table file version is out of date >>>>> >>>>> The log file for this installation can be found in >>>>> /var/log/ipaserver-install.log >>>>> ============================================================================== >>>>> >>>>> This program will setup DNS for the FreeIPA Server. >>>>> >>>>> This includes: >>>>> * Configure DNS (bind) >>>>> * Configure SoftHSM (required by DNSSEC) >>>>> * Configure ipa-dnskeysyncd (required by DNSSEC) >>>>> >>>>> NOTE: DNSSEC zone signing is not enabled by default >>>>> >>>>> >>>>> To accept the default shown in brackets, press the Enter key. >>>>> >>>>> Checking DNS forwarders, please wait ... >>>>> Do you want to search for missing reverse zones? [yes]: >>>>> >>>>> The following operations may take some minutes to complete. >>>>> Please wait until the prompt is returned. >>>>> >>>>> Configuring DNS (named) >>>>> [1/8]: generating rndc key file >>>>> [2/8]: setting up our own record >>>>> ipa : ERROR DNS query for >>>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. 
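Review bot: in the second hunk of patch 3/4 (`__init_data` in ipaserver/dns_data_management.py), `server_find(no_members=False)` is called without a `sizelimit`, so the result is subject to the default search size limit; in a topology with more masters than that limit, `servers_data` would silently omit servers and with them their SRV and location records. Pass `sizelimit=0` (and check the command's `truncated` flag) so the records are always generated from the complete server list.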
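Review bot: `records_list_from_zone` in the dns_data_management.py hunk of patch 4/4 is a `@classmethod` but calls `IPASystemRecords.records_list_from_node(name, node)` by class name; use `cls.records_list_from_node(name, node)` so the `cls` parameter it declares is actually honoured and subclasses are not bypassed.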
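Review bot: in `create_file_with_system_records` (bindinstance.py hunk at `@@ -666,12 +664,17 @@`), `text` is built with `u'\n'.join(...)` and then handed to `os.write(fd, text)`; under Python 3 `os.write` requires bytes, so this raises TypeError. Encode explicitly (`os.write(fd, text.encode('utf-8'))`) or wrap the descriptor with `os.fdopen(fd, 'w')`, and append a trailing newline so the last record is line-terminated when the file is pasted into a zone.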
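Review bot: the `__setup_sub_dict` hunk drops IP, DOMAIN, HOST, REALM, FORWARDERS, FORWARD_POLICY, OPTIONAL_NTP, ZONEMGR and IPA_CA_RECORD from `sub_dict`; confirm that no template still rendered by BindInstance references any of these keys (the named.conf template in particular), since a missing substitution key only fails at install time.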
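Review bot: in the install.py hunk, `api.Backend.ldap2.connect(autobind=True)` becomes unconditional, which is needed because `create_file_with_system_records()` runs `IPASystemRecords(self.api)` and therefore `server_find` over the API; but the `else` branch constructs `bindinstance.BindInstance(fstore, dm_password)` without `api=`, whereas dns.py passes `api=api` explicitly. Confirm that `self.api` falls back to the connected global `api` on that path, or pass it explicitly, otherwise the new records-file step would fail in the no-DNS install case.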
A failed: The DNS operation timed >>>>> out after 30.0012078285 seconds >>>>> [error] DNSResolverError: The DNS operation timed out after 30.0012078285 >>>>> seconds >>>>> Unexpected error - see /var/log/ipaserver-install.log for details: >>>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>>> >>>>> 2016-06-23T15:41:54Z DEBUG [2/8]: setting up our own record >>>>> 2016-06-23T15:41:54Z DEBUG raw: >>>>> dnszone_show(u'abc.idm.lab.eng.brq.redhat.com', version=u'2.199') >>>>> 2016-06-23T15:41:54Z DEBUG dnszone_show(>>>> abc.idm.lab.eng.brq.redhat.com.>, rights=False, all=False, raw=False, >>>>> version=u'2.199') >>>>> 2016-06-23T15:42:24Z ERROR DNS query for >>>>> vm-058-082.abc.idm.lab.eng.brq.redhat.com. A failed: The DNS operation timed >>>>> out after 30.0012078285 seconds >>>>> 2016-06-23T15:42:24Z DEBUG Traceback (most recent call last): >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line >>>>> 448, in start_creation >>>>> run_step(full_msg, method) >>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", >>>>> line >>>>> 438, in run_step >>>>> method() >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>>> line 860, in __add_self >>>>> self.__add_master_records(self.fqdn, self.ip_addresses) >>>>> File >>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/bindinstance.py", >>>>> line 843, in __add_master_records >>>>> verify_host_resolvable(fqdn) >>>>> File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 76, in >>>>> verify_host_resolvable >>>>> raise errors.DNSResolverError(exception=ex) >>>>> DNSResolverError: The DNS operation timed out after 30.0012078285 seconds >>>> IMO this the same case as https://fedorahosted.org/freeipa/ticket/5962 we >>>> changed resolving of server hostname from gethosbyname() to pure DNS >>>> >>>> Workaround is to set nameserver to /etc/resolv.conf >>>>> >>>>> I was not able to test replica 
installation because of some weird ACI problem >>>>> somewhere, replica install is failing with ACIError while adding ldap/replica >>>>> principal. This is probably a regression from some other patchset. >>>>> >>>>> https://fedorahosted.org/freeipa/ticket/5996 >>> NACK >>> >>> make[5]: *** No rule to make target 'bind.zone.db.template', needed by >>> 'all-am'. Stop. >>> >>> I'm not exactly sure how I missed this before, possibly git clean -xdf was >>> missing ... >>> >> My bad >> >> updated patches attached. > ACK > Pushed to master: 104040cf363ec50d8006474422f2c13e44266806 From mkosek at redhat.com Tue Jun 28 13:55:35 2016 
From: mkosek at redhat.com (Martin Kosek) Date: Tue, 28 Jun 2016 15:55:35 +0200 Subject: [Freeipa-devel] FreeIPA Sub-CA: certificate subject In-Reply-To: <20160628120546.GZ4200@dhcp-40-8.bne.redhat.com> References: <2f451fc3-d1fc-16ce-e585-74e69c23c80a@redhat.com> <20160628102335.GY4200@dhcp-40-8.bne.redhat.com> <79fb7338-920d-5d3f-6770-bf98a0835eae@redhat.com> <20160628120546.GZ4200@dhcp-40-8.bne.redhat.com> Message-ID: On 06/28/2016 02:05 PM, Fraser Tweedale wrote: > On Tue, Jun 28, 2016 at 12:49:26PM +0200, Martin Kosek wrote: >> On 06/28/2016 12:49 PM, Jan Cholasta wrote: >>> On 28.6.2016 12:33, Martin Kosek wrote: >>>> On 06/28/2016 12:23 PM, Fraser Tweedale wrote: >>>>> On Tue, Jun 28, 2016 at 11:00:17AM +0200, Martin Kosek wrote: >>>>>> Hi Fraser, >>>>>> >>>>>> I was testing FreeIPA Sub-CA feature and setup a Sub-CA: >>>>>> >>>>>> CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG >>>>>> >>>>>> Then I set up ACL and generated a certificate request by: >>>>>> >>>>>> $ certutil -R -d . -a -g 2048 -s >>>>>> 'CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG' -8 >>>>>> 'ipa.demo1.freeipa.org' >>>>>> >>>>>> The resulting certificate is attached. What I pondering about is >>>>>> >>>>>> Issuer: O=DEMO1.FREEIPA.ORG, O=VPN, CN=Certificate Authority >>>>>> ... >>>>>> Subject: O=DEMO1.FREEIPA.ORG, CN=ipa.demo1.freeipa.org >>>>>> >>>>>> Shouldn't the subject have O=VPN in it also? >>>>>> >>>>> Hi Martin, >>>>> >>>>> (Cc freeipa-devel@ ; this info may be of general interest) >>>>> >>>>> The subject is determined by the certificate profile. In the case >>>>> of caIPAserviceCert, the pattern is: >>>>> >>>>> CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O >>>>> >>>>> The CN comes from the CSR, and the Organisation is the IPA >>>>> certificate subject base (as a literal string in the profile >>>>> configuration). >>>>> >>>>> There are no substitution variables available to say "use such and >>>>> such from the issuer DN". 
If the default pattern is not suitable, >>>>> you can define a profile with the subject DN pattern having exactly >>>>> the O=... parts of DN you want (and/or other attributes), then >>>>> associate the profile with the CA through CA ACLs. (This approach >>>>> is not elegant and does not scale well to many CAs). >>>>> >>>>> Hope that my explanation is helpful. >>>> >>>> The explanation is helpful, I just do not I like the answer :-) What do you >>>> think would make most sense for Sub-CA users? >>>> >>>> I would like to see pattern like "$$issuer.suffix$$" where the Dogtag would >>>> fill the non-CN part of issuer DN, i.e. in this case: >>>> >>>> O=DEMO1.FREEIPA.ORG, O=VPN >>>> >>>> which would make this profile flexible and usable in any Sub-CA. >>> >>>> >>>> Should I file a ticket? Can you scope if it fits in some FreeIPA 4.4.x and >>>> respective Dogtag release? I am just afraid that given we release this feature >>>> in 4.4, people would have to very creative and duplicate lot of certificate >>>> profiles for different sub-CAs just to workaround the Subject patter >>>> limitation, as you mentioned. >>> >>> What is the use case? >> >> This is what I am trying to find out. >> >>> The certificate is equally good with both the current and >>> your suggested issuer name. There is no relation between issuer name and >>> subject name in general, and AFAIK the current recommendation is to omit >>> subject name for end-entity certificate entirely and instead rely on SAN, so >>> why should we bother? >> >> I am aware of the SAN related change, regarding hostnames. So this proposal >> would apparently not add that much value in this case. What about user >> certificates (S/MIME certs, Smart Card certs), are there cases where admin >> would need to get issuer to subject name? >> > I do not think it is so important... the issuer name appears on the > certificate too, and all issuers appear in the cert chain. 
Unless > there is some particular software or a customer that expects/needs a > particular relationship between Issuer DN and Subject DN... but I do > not know of a such a case. > > I agree it would possibly be useful to have variables for info in > the Issuer DN, that can be referenced in the Subject DN pattern. > It probably won't fit into v4.4 timeframe, though. Right. I would file that ticket when someone really requests it. Looks like no change is needed in this case, I thus consider this question successfully resolved. Martin From ofayans at redhat.com Tue Jun 28 14:01:42 2016 From: ofayans at redhat.com (Oleg Fayans) Date: Tue, 28 Jun 2016 16:01:42 +0200 Subject: [Freeipa-devel] [Test][Patch-0051] Fixed import error in replica promotion test Message-ID: <57728346.40000@redhat.com> -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-ofayans-0051-Fixed-import-error.patch Type: text/x-patch Size: 1025 bytes Desc: not available URL: From pvomacka at redhat.com Tue Jun 28 14:32:20 2016 
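The Sub-CA subject-name question above (the caIPAserviceCert pattern `CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O`, and the issuer-derived variable proposed as a possible follow-up) modelled as an added example. This is not Dogtag or FreeIPA code; `parse_dn`, `issuer_suffix` and `expand_subject` are this example's own names, and `$$issuer.suffix$$` is the hypothetical variable from the thread, not an existing Dogtag feature. It shows why the certificate Martin received carried only the O from the profile and not the O=VPN he put in the CSR.

```python
"""Toy model of how a certificate profile decides an end-entity Subject DN.

Added example for the Sub-CA discussion above; it is not Dogtag or FreeIPA
code.  It models the two facts the thread states: the CN is copied from the
CSR and the organisation part is a literal in the profile configuration, so
attributes the requester put into the CSR (O=VPN here) never reach the
issued certificate.  ``$$issuer.suffix$$`` is the variable proposed in the
thread and does not exist in Dogtag; it is included to show what it would
yield.  The function and variable names below are this example's own.
"""
import re

# Pattern as quoted in the thread for caIPAserviceCert.  $SUBJECT_DN_O is
# substituted once, when FreeIPA installs the profile; the $$...$$ tokens
# are resolved by the CA for each request.
CAIPASERVICECERT_PATTERN = "CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O"

# Hypothetical pattern using the issuer-derived variable proposed above.
PROPOSED_PATTERN = "CN=$$request.req_subject_name.cn$$, $$issuer.suffix$$"

_VARIABLE = re.compile(r"\$\$([^$]+)\$\$")


def parse_dn(dn):
    """Split a comma-separated DN into (attribute, value) pairs, in order.

    Sufficient for the unescaped DNs in this thread; production code must
    honour RFC 4514 escaping.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def format_dn(rdns):
    return ",".join("%s=%s" % (attr, value) for attr, value in rdns)


def issuer_suffix(issuer_dn):
    """The issuer DN without its leading CN: what $$issuer.suffix$$ would yield."""
    rdns = parse_dn(issuer_dn)
    if rdns and rdns[0][0] == "CN":
        rdns = rdns[1:]
    return format_dn(rdns)


def expand_subject(pattern, csr_subject, issuer_dn, subject_dn_o):
    """Apply a subject pattern the way the thread describes the CA doing it.

    $SUBJECT_DN_O becomes the literal configured at install time, then
    $$request.req_subject_name.cn$$ becomes the CN from the CSR and the
    hypothetical $$issuer.suffix$$ becomes the issuer DN minus its CN.
    Every other attribute in the CSR subject is ignored, which is the
    behaviour observed in the thread.
    """
    cns = [value for attr, value in parse_dn(csr_subject) if attr == "CN"]
    if len(cns) != 1:
        raise ValueError("CSR subject must carry exactly one CN")

    def resolve(match):
        name = match.group(1)
        if name == "request.req_subject_name.cn":
            return cns[0]
        if name == "issuer.suffix":
            return issuer_suffix(issuer_dn)
        raise KeyError("unknown profile variable %r" % name)

    installed = pattern.replace("$SUBJECT_DN_O", subject_dn_o)
    expanded = _VARIABLE.sub(resolve, installed)
    # Re-parse to normalise spacing and validate the result.
    return format_dn(parse_dn(expanded))


if __name__ == "__main__":
    csr = "CN=ipa.demo1.freeipa.org,O=VPN,O=DEMO1.FREEIPA.ORG"
    issuer = "CN=Certificate Authority,O=VPN,O=DEMO1.FREEIPA.ORG"
    for pattern in (CAIPASERVICECERT_PATTERN, PROPOSED_PATTERN):
        print(pattern, "->", expand_subject(pattern, csr, issuer, "O=DEMO1.FREEIPA.ORG"))
```

Run stand-alone it prints the DNs in LDAP order (`CN=...,O=...`); `openssl x509 -text`, as in Martin's mail, prints the same RDNs reversed. With the real pattern the CSR's `O=VPN` disappears, with the proposed pattern it comes back from the issuer, which is the whole point of the thread.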
From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 28 Jun 2016 16:32:20 +0200 Subject: [Freeipa-devel] [PATCH] 0065, 66: webui: authentication indicators on host page Message-ID: <9eaa5115-38a3-a52f-8f7a-3130edd54428@redhat.com> Hello, please review attached patches. I moved strings used by authentication indicators widget to another dict so the second patch changes strings in custom_checkbox widget on service page. https://fedorahosted.org/freeipa/ticket/5872 -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0065-Add-authentication-identificator-to-host-page.patch Type: text/x-patch Size: 5979 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0066-Change-paths-of-strings-in-auth-indicators-widget-on.patch Type: text/x-patch Size: 1621 bytes Desc: not available URL: From pspacek at redhat.com Tue Jun 28 14:35:48 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 28 Jun 2016 16:35:48 +0200 Subject: [Freeipa-devel] [PATCH 0053] Fix wrong imports in copy-schema-to-ca In-Reply-To: References: Message-ID: On 28.6.2016 14:52, Stanislav Laznicka wrote: > Hello, > > The attached patch fixes wrong imports in copy-schema-to-ca.py script. > > https://fedorahosted.org/freeipa/ticket/6003 ACK -- Petr^2 Spacek From pspacek at redhat.com Tue Jun 28 14:46:19 2016 From: pspacek at redhat.com (Petr Spacek) Date: Tue, 28 Jun 2016 16:46:19 +0200 Subject: [Freeipa-devel] [PATCH 0537] CA replica promotion: add proper CA DNS records In-Reply-To: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com> References: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com> Message-ID: On 23.6.2016 12:44, Martin Basti wrote: > patch attached. > > https://fedorahosted.org/freeipa/ticket/5966 ACK -- Petr^2 Spacek From frenaud at redhat.com Tue Jun 28 14:57:35 2016 
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Tue, 28 Jun 2016 16:57:35 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com> <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com> Message-ID: On 06/28/2016 11:05 AM, Martin Basti wrote: > > > On 28.06.2016 10:51, Florence Blanc-Renaud wrote: >> On 06/27/2016 10:18 PM, Rob Crittenden wrote: >>> Florence Blanc-Renaud wrote: >>>> Hi all, >>>> >>>> thanks for your suggestions. Updated patch attached. >>>> Flo. >>>> >>> >>> The invocation in ipactl should say server, not client. >>> >>> Otherwise LGTM (untested). >>> >>> rob >> >> Hi all, >> >> thanks to Rob for catching the typo. >> Patch with updated message is attached, >> Flo. >> >> > > Thank you for the patch I have two comments: > > 1) > + except Exception: > + # Consider that the host is not fips-enabled if the file does > not exist > + pass > > exceptions should be as much specific as possible, otherwise it may mask > real issues > please use 'except IOError' if you want catch the case that file does > not exist > > 2) > in replicainstall.py and install.py please raise exception > (RuntimeError) instead of sys.exit() to keep proper logging, cleanup, etc. > > Sys.exit() should not be used in modules, it is hard to debug etc. It > can be used only in scripts (ipa-client-install, ipa-replica-manage, etc..) > > Martin^2 Hi, hopefully converging with this updated patch :) Thanks for all the comments, I'm learning tips with each iteration. Flo. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-frenaud-0008-4-Do-not-allow-installation-in-FIPS-mode.patch Type: text/x-patch Size: 5261 bytes Desc: not available URL: From dkupka at redhat.com Tue Jun 28 14:58:05 2016 From: dkupka at redhat.com (David Kupka) Date: Tue, 28 Jun 2016 16:58:05 +0200 Subject: [Freeipa-devel] [PATCH 0107] test: cert: Reflect change in behavior in tests Message-ID: -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0107.0-test-cert-Reflect-change-in-behavior-in-tests.patch Type: text/x-patch Size: 1698 bytes Desc: not available URL: From mbasti at redhat.com Tue Jun 28 14:59:31 2016 From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 16:59:31 +0200 Subject: [Freeipa-devel] [PATCH 0537] CA replica promotion: add proper CA DNS records In-Reply-To: References: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com> Message-ID: On 28.06.2016 16:46, Petr Spacek wrote: > On 23.6.2016 12:44, Martin Basti wrote: >> patch attached. >> >> https://fedorahosted.org/freeipa/ticket/5966 > ACK > Pushed to master: 5693d195501611c6abe9dbdf1370b898ffa6b3c7 Pushed to ipa-4-3: 8502fe4883d33afab57cfc4cb4695ed8061daa7e From pvomacka at redhat.com Tue Jun 28 15:38:55 2016 
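For the "Do not allow installation in FIPS mode" review above (catch only the specific exception, raise RuntimeError from modules rather than calling sys.exit()), an added example of the shape the reviewers asked for. It is not Florence's patch and not FreeIPA code; it assumes the flag is read from the kernel's /proc/sys/crypto/fips_enabled, which the thread only calls "the file", and the function names are this example's own.

```python
"""FIPS-mode detection shaped by the review comments above.

Added example for the "Do not allow installation in FIPS mode" review; it is
not the patch under review and not FreeIPA code.  Assumptions: the flag is
read from the kernel's /proc/sys/crypto/fips_enabled (the review only speaks
of "the file"); a missing file means "not FIPS"; any other I/O failure and
any unexpected content are errors, not a silent "no".  Following the review,
only the specific missing-file error is caught and the installer-facing
check raises RuntimeError instead of calling sys.exit().
"""
import errno

FIPS_ENABLED_FILE = "/proc/sys/crypto/fips_enabled"  # assumed location


def parse_fips_flag(content):
    """Interpret the file content: the kernel writes a single '0' or '1'."""
    flag = content.strip()
    if flag == "1":
        return True
    if flag == "0":
        return False
    raise ValueError("unexpected FIPS flag content %r" % content)


def is_fips_enabled(path=FIPS_ENABLED_FILE):
    """True if the kernel reports FIPS mode, False if the flag file is absent.

    Only ENOENT is swallowed.  EACCES, EIO and friends propagate: reporting
    "not FIPS" on those would let the installer continue exactly where it
    cannot know whether it should refuse.
    """
    try:
        with open(path) as flag_file:
            content = flag_file.read()
    except (IOError, OSError) as exc:  # IOError is OSError on Python 3
        if exc.errno == errno.ENOENT:
            return False
        raise
    return parse_fips_flag(content)


def check_fips_for_install(component, detect=is_fips_enabled):
    """Refuse a server or replica install on a FIPS-enabled host.

    Raises RuntimeError rather than calling sys.exit(), so the installer's
    own exception handling still logs the failure and runs cleanup.  The
    ``detect`` callable is injectable so the refusal path can be tested.
    """
    if detect():
        raise RuntimeError(
            "Cannot install FreeIPA %s in FIPS mode: FIPS mode is not "
            "supported" % component)
    return True


if __name__ == "__main__":
    check_fips_for_install("server")
    print("FIPS mode is off; installation may proceed")
```

The narrow `except` is the security-relevant part: a bare `except Exception` would also swallow EACCES or a corrupted flag and report "not FIPS", letting the installer proceed on a host it cannot classify. Raising RuntimeError lets ipa-server-install's top-level handler log and clean up, which sys.exit() from inside a module bypasses.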
From: pvomacka at redhat.com (Pavel Vomacka) Date: Tue, 28 Jun 2016 17:38:55 +0200 Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command In-Reply-To: <7adf7c4a-8767-1ed2-361d-320f4f05c2be@redhat.com> References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com> <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com> <7adf7c4a-8767-1ed2-361d-320f4f05c2be@redhat.com> Message-ID: On 06/28/2016 03:12 PM, Petr Spacek wrote: > On 27.6.2016 17:48, Pavel Vomacka wrote: >> >> On 06/23/2016 04:58 PM, Petr Vobornik wrote: >>> On 06/23/2016 04:34 PM, Martin Basti wrote: >>>> On 23.06.2016 09:57, Pavel Vomacka wrote: >>>>> Hello, >>>>> >>>>> please review attached patch. >>>>> >>>>> Part of: https://fedorahosted.org/freeipa/ticket/5905 >>>>> >>>>> >>>>> >>>> Works for me >>>> >>> In this patch and also in some other(cert patches) the confirm message >>> has following structure: >>> To confirm your intention to $action, click the $button_name button. >>> >>> On other places of Web UI, more human and easier structure is used: >>> Do you want to update DNS records? >>> [Update] [Cancel] >>> >>> IMHO we should use it here as well. And the same for(separate path): >>> remove_certificate_hold_confirmation >>> revoke_confirmation" >>> >>> >>> otherwise the patch is OK. > The patch works! > > Nitpick: 'Update DNS records' is too generic. The button and message should > contain keyword 'system' somewhere. > > E.g. 'Update system DNS records'. Feel free to push it when you add the > keyword :-) > Thank you for review. Strings updated. -- Pavel^3 Vomacka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvomacka-0061-3-Add-button-for-dns_update_system_records-command.patch Type: text/x-patch Size: 4258 bytes Desc: not available URL: From mkubik at redhat.com Tue Jun 28 15:41:16 2016 
From: mkubik at redhat.com (Milan Kubík)
Date: Tue, 28 Jun 2016 17:41:16 +0200
Subject: [Freeipa-devel] [PATCH 0537] CA replica promotion: add proper CA DNS records
In-Reply-To:
References: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com>
Message-ID:

On 06/28/2016 04:59 PM, Martin Basti wrote:
>
>
> On 28.06.2016 16:46, Petr Spacek wrote:
>> On 23.6.2016 12:44, Martin Basti wrote:
>>> patch attached.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5966
>> ACK
>>
> Pushed to master: 5693d195501611c6abe9dbdf1370b898ffa6b3c7
> Pushed to ipa-4-3: 8502fe4883d33afab57cfc4cb4695ed8061daa7e
>
The patch doesn't pass lint on 4.3 branch.

Pylint is running, please wait ...
************* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:1632: [E0602(undefined-variable, __get_profile_config)] Undefined variable 'ipalib'
Makefile:137: recipe for target 'lint' failed

--
Milan Kubik

From pvoborni at redhat.com Tue Jun 28 15:50:51 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Tue, 28 Jun 2016 17:50:51 +0200 Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command In-Reply-To: References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com> <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com> <7adf7c4a-8767-1ed2-361d-320f4f05c2be@redhat.com> Message-ID: <9a2c5b78-c6bb-1f4d-8ea9-076bda703c3a@redhat.com> On 06/28/2016 05:38 PM, Pavel Vomacka wrote: > > > On 06/28/2016 03:12 PM, Petr Spacek wrote: >> On 27.6.2016 17:48, Pavel Vomacka wrote: >>> >>> On 06/23/2016 04:58 PM, Petr Vobornik wrote: >>>> On 06/23/2016 04:34 PM, Martin Basti wrote: >>>>> On 23.06.2016 09:57, Pavel Vomacka wrote: >>>>>> Hello, >>>>>> >>>>>> please review attached patch. >>>>>> >>>>>> Part of: https://fedorahosted.org/freeipa/ticket/5905 >>>>>> >>>>>> >>>>>> >>>>> Works for me >>>>> >>>> In this patch and also in some other(cert patches) the confirm message >>>> has following structure: >>>> To confirm your intention to $action, click the $button_name >>>> button. >>>> >>>> On other places of Web UI, more human and easier structure is used: >>>> Do you want to update DNS records? >>>> [Update] [Cancel] >>>> >>>> IMHO we should use it here as well. And the same for(separate path): >>>> remove_certificate_hold_confirmation >>>> revoke_confirmation" >>>> >>>> >>>> otherwise the patch is OK. >> The patch works! >> >> Nitpick: 'Update DNS records' is too generic. The button and message >> should >> contain keyword 'system' somewhere. >> >> E.g. 'Update system DNS records'. Feel free to push it when you add the >> keyword :-) >> > > Thank you for review. > > Strings updated. > ACK -- Petr Vobornik From mbasti at redhat.com Tue Jun 28 16:42:36 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Tue, 28 Jun 2016 18:42:36 +0200
Subject: [Freeipa-devel] [PATCH 0537] CA replica promotion: add proper CA DNS records
In-Reply-To:
References: <6e1def5f-c622-8353-cfd4-be46f30d2e2a@redhat.com>
Message-ID:

On 28.06.2016 17:41, Milan Kubík wrote:
> On 06/28/2016 04:59 PM, Martin Basti wrote:
>>
>>
>> On 28.06.2016 16:46, Petr Spacek wrote:
>>> On 23.6.2016 12:44, Martin Basti wrote:
>>>> patch attached.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5966
>>> ACK
>>>
>> Pushed to master: 5693d195501611c6abe9dbdf1370b898ffa6b3c7
>> Pushed to ipa-4-3: 8502fe4883d33afab57cfc4cb4695ed8061daa7e
>>
> The patch doesn't pass lint on 4.3 branch.
>
> Pylint is running, please wait ...
> ************* Module ipaserver.install.cainstance
> ipaserver/install/cainstance.py:1632: [E0602(undefined-variable,
> __get_profile_config)] Undefined variable 'ipalib'
> Makefile:137: recipe for target 'lint' failed
>
Fix was pushed under the one-liner rule.

Pushed to ipa-4-3: afee95a82e13732fbdb72a6c07e8241da29154d0

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0000-CA-replica-promotion-fix-forgotten-import.patch
Type: text/x-patch
Size: 886 bytes
Desc: not available
URL:

From mbasti at redhat.com Tue Jun 28 17:18:09 2016
From: mbasti at redhat.com (Martin Basti) Date: Tue, 28 Jun 2016 19:18:09 +0200 Subject: [Freeipa-devel] [PATCH] 0079 Set default OCSP URI on install and upgrade In-Reply-To: <4bfe4637-d8c5-01de-67a9-fb820478d83e@redhat.com> References: <20160627115820.GU4200@dhcp-40-8.bne.redhat.com> <20160627121008.GV4200@dhcp-40-8.bne.redhat.com> <645867b1-4296-29b2-c904-40ba1c61650c@redhat.com> <4bfe4637-d8c5-01de-67a9-fb820478d83e@redhat.com> Message-ID: <5009d344-89cd-5736-6b7a-2bdca3f47280@redhat.com> On 28.06.2016 12:32, Martin Basti wrote: > > > On 28.06.2016 12:31, Martin Basti wrote: >> >> >> On 27.06.2016 14:22, Martin Basti wrote: >>> >>> >>> On 27.06.2016 14:10, Fraser Tweedale wrote: >>>> On Mon, Jun 27, 2016 at 02:02:15PM +0200, Martin Basti wrote: >>>>> >>>>> On 27.06.2016 13:58, Fraser Tweedale wrote: >>>>>> Hi all, >>>>>> >>>>>> The attached patch fixes the OCSP URI in the Dogtag CA and system >>>>>> certificates (https://fedorahosted.org/freeipa/ticket/5956). It >>>>>> depends on a patch[1] for Dogtag which is expected to be released in >>>>>> v10.3.4. In the meantime, you can test with the build of v10.3.4 >>>>>> from my COPR[2]. >>>>>> >>>>>> [1] >>>>>> https://www.redhat.com/archives/pki-devel/2016-June/msg00138.html >>>>>> [2] https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/ >>>>>> >>>>>> Cheers, >>>>>> Fraser >>>>>> >>>>>> >>>>> Hello, >>>>> >>>>> this upgrade is executed always, is it on purpose? >>>>> If not please use sysupgrade and run upgrade only once >>>>> >>>> It is intentional; the directive only gets added if it is missing. >>>> I do not see any benefit in gating it with the sysupgrade mechanism. 
>>>> >>>> Thanks, >>>> Fraser >>> Ok >>> >> ************* Module ipaserver.install.cainstance >> ipaserver/install/cainstance.py:465: [E0602(undefined-variable), >> CAInstance.__spawn_instance] Undefined variable 'IPA_CA_RECORD') >> >> you need ipalib.constants.IPA_CA_RECORD >> >> Martin^2 >> > Ahh nevermind, this is a clash of different patches, works on master :) > ACK Pushed to master: 45daffa22fcc6c481a8302f1947a5e0ded0b3eb8 From pspacek at redhat.com Tue Jun 28 17:40:36 2016 
From: pspacek at redhat.com (Petr Spacek) Date: Tue, 28 Jun 2016 19:40:36 +0200 Subject: [Freeipa-devel] [PATCH 0140-0142] Use NSS for name->resolution in IPA installer & relax some DNS checks Message-ID: Hello, DNS: Remove unnecessary DNS check from installer Previously we were checking content of DNS before actually adding DNS records for replicas. This is causing cycle in logic and adds weird corner cases to the installer which can blow up on DNS timeout or so. The check was completely unnecessary because the installer knows IP addresses and name of the machine. Removal of the check makes the installer more reliable. https://fedorahosted.org/freeipa/ticket/5962 Use NSS for name->resolution in IPA installer This fixes scenarios where IPA server is not able to resolve own name and option --ip-address was not specified by the user. This partially reverts changes from commit dc405005f537cf278fd6ddfe6b87060bd13d9a67 https://fedorahosted.org/freeipa/ticket/5962 client-install: do not fail if DNS times out during DNS update generation https://fedorahosted.org/freeipa/ticket/5962 -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0140-client-install-do-not-fail-if-DNS-times-out-during-D.patch Type: text/x-patch Size: 1098 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0141-Use-NSS-for-name-resolution-in-IPA-installer.patch Type: text/x-patch Size: 4712 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0142-DNS-Remove-unnecessary-DNS-check-from-installer.patch Type: text/x-patch Size: 2071 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Jun 28 18:08:19 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 28 Jun 2016 20:08:19 +0200
Subject: [Freeipa-devel] [WIP] Kerberos principal aliases pt. 2
In-Reply-To:
References:
Message-ID: <7064fcdb-1005-20fb-d880-4749b468e241@redhat.com>

On 06/24/2016 09:52 AM, Martin Babinsky wrote:
> Hi list,
>
> I am furiously working on tickets related to the proper support and API
> for managing kerberos principal aliases for hosts, users, and
> services[1-5].
>
> To better track and comment on my progress, I have forked freeipa on git
> and created a branch for you to test and review. The link is here:
>
> https://github.com/martbab/freeipa/tree/krb5-principal-aliases
>
> Please be aware that I may force-push into the branch without warning
> when fixing issues we will discover during testing/review.
>
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> [2] https://fedorahosted.org/freeipa/ticket/3864
> [3] https://fedorahosted.org/freeipa/ticket/3961
> [4] https://fedorahosted.org/freeipa/ticket/1365
> [5] https://fedorahosted.org/freeipa/ticket/5413
>

Based on Jan's suggestions I have reworked the code substantially and force-pushed it into the github branch. Please review.

--
Martin^3 Babinsky

From ftweedal at redhat.com Wed Jun 29 04:08:44 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 29 Jun 2016 14:08:44 +1000
Subject: [Freeipa-devel] [PATCH] 0080 cert-find: fix 'issuer' option
Message-ID: <20160629040844.GA4200@dhcp-40-8.bne.redhat.com>

Hi,

The attached patch fixes a regression introduced by a patch for https://fedorahosted.org/freeipa/ticket/5381 (commit d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1).

Thanks,
Fraser

-------------- next part --------------
From d1a624b1dc5cea9ab648dff0890bcd3f5fd1ddf0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale Date: Wed, 29 Jun 2016 13:18:55 +1000 Subject: [PATCH] cert-find: fix 'issuer' option The 'issuer' option of cert-find was recently changed from Str to DNParam, however, 'ra.find' expects a string and throws when it receives a DN. When constructing the dict that gets passed to 'ra.find', turn DNParams into strings. Part of: https://fedorahosted.org/freeipa/ticket/5381 --- ipaserver/plugins/cert.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 564d582c77ef63e780604fd7fc55e6cc7889a351..888621fc5af634b95addc9c0ade58c76ce42edfe 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -1031,6 +1031,8 @@ class cert_find(Search, CertMethod): continue if isinstance(value, datetime.datetime): value = value.strftime(PKIDATE_FORMAT) + elif isinstance(value, DN): + value = unicode(value) ra_options[name] = value if sizelimit is not None: if sizelimit != 0: -- 2.5.5 From ftweedal at redhat.com Wed Jun 29 04:11:03 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 29 Jun 2016 14:11:03 +1000 Subject: [Freeipa-devel] [PATCH] 0081 Add --ca option to cert-revoke and cert-remove-hold Message-ID: <20160629041103.GB4200@dhcp-40-8.bne.redhat.com> Dear team, The attached patch implements the --ca option for the rest of the cert-blah commands (https://fedorahosted.org/freeipa/ticket/5999). Thanks, Fraser -------------- next part -------------- From 668b826d94237d33e34605a5517b40c17de36780 Mon Sep 17 00:00:00 2001 
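Review bot: the new branch in the cert_find hunk of patch 0080, `elif isinstance(value, DN): value = unicode(value)`, fixes the type mismatch the commit message describes, but nothing in the patch exercises it; a test that runs cert-find with --issuer and checks that the value handed to ra.find is a string would have caught the regression from ticket 5381 and will keep it from coming back. Separately, `unicode()` is Python 2 only; if this module is meant to run on Python 3 as well, `six.text_type(value)` is the portable spelling.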
From: Fraser Tweedale Date: Wed, 29 Jun 2016 13:57:53 +1000 Subject: [PATCH] Add --ca option to cert-revoke and cert-remove-hold Implement the --ca option for cert-revoke and cert-remove-hold. Defaults to the IPA CA. Raise NotFound if the cert with the given serial was not issued by the nominated CA. Also default the --ca option of cert-show to the IPA CA. Add commentary to cert-status to explain why it does not use the --ca option. Fixes: https://fedorahosted.org/freeipa/ticket/5999 --- API.txt | 10 ++++++---- ipaserver/plugins/cert.py | 47 ++++++++++++++++++++++++++++++++--------------- 2 files changed, 38 insertions(+), 19 deletions(-) diff --git a/API.txt b/API.txt index 76e58aeec4301577952f919b17a58b777771c06a..77a67cbc7a0533cf13404abd3a7d27972e2d65cc 100644 --- a/API.txt +++ b/API.txt @@ -760,8 +760,9 @@ output: ListOfEntries('result') output: Output('summary', type=[, ]) output: Output('truncated', type=[]) command: cert_remove_hold/1 -args: 1,1,1 +args: 1,2,1 arg: Int('serial_number') +option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa') option: Str('version?') output: Output('result') command: cert_request/1 @@ -769,7 +770,7 @@ args: 1,8,3 arg: Str('csr', cli_name='csr_file') option: Flag('add', autofill=True, default=False) option: Flag('all', autofill=True, cli_name='all', default=False) -option: Str('cacn?', cli_name='ca') +option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa') option: Str('principal') option: Str('profile_id?') option: Flag('raw', autofill=True, cli_name='raw', default=False) @@ -779,8 +780,9 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: cert_revoke/1 -args: 1,2,1 +args: 1,3,1 arg: Int('serial_number') +option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa') option: Int('revocation_reason', autofill=True, default=0) option: Str('version?') output: Output('result') 
@@ -788,7 +790,7 @@ command: cert_show/1 args: 1,6,3 arg: Int('serial_number') option: Flag('all', autofill=True, cli_name='all', default=False) -option: Str('cacn?', cli_name='ca') +option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa') option: Flag('no_members', autofill=True, default=False) option: Str('out?') option: Flag('raw', autofill=True, cli_name='raw', default=False) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 564d582c77ef63e780604fd7fc55e6cc7889a351..5137a1e1cff7554b3aca8a6f830199f220fcaa2b 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -321,6 +321,8 @@ class BaseCertMethod(Method): def get_options(self): yield Str('cacn?', cli_name='ca', + default=IPA_CA_CN, + autofill=True, query=True, label=_('Issuing CA'), doc=_('Name of issuing CA'), @@ -408,7 +410,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): # enforcement so that user gets better error message if # referencing nonexistant CA) and look up authority ID. # - ca = kw.get('cacn', IPA_CA_CN) + ca = kw['cacn'] ca_id = api.Command.ca_show(ca)['result']['ipacaid'][0] """ @@ -624,6 +626,8 @@ class cert_status(Retrieve, BaseCertMethod, VirtualCommand): def get_options(self): for option in super(cert_status, self).get_options(): if option.name == 'cacn': + # Dogtag requests are uniquely identified by their + # number; there is no need to distinguish by CA. continue yield option @@ -734,10 +738,8 @@ class cert_show(Retrieve, CertMethod, VirtualCommand): raise acierr hostname = get_host_from_principal(bind_principal) - issuer_dn = None - if 'cacn' in options: - ca_obj = api.Command.ca_show(options['cacn'])['result'] - issuer_dn = ca_obj['ipacasubjectdn'][0] + ca_obj = api.Command.ca_show(options['cacn'])['result'] + issuer_dn = ca_obj['ipacasubjectdn'][0] # Dogtag lightweight CAs have shared serial number domain, so # we don't tell Dogtag the issuer (but we check the cert after). 
@@ -745,7 +747,7 @@ class cert_show(Retrieve, CertMethod, VirtualCommand): result = self.Backend.ra.get_certificate(str(serial_number)) cert = x509.load_certificate(result['certificate']) - if issuer_dn is not None and DN(unicode(cert.issuer)) != DN(issuer_dn): + if DN(unicode(cert.issuer)) != DN(issuer_dn): # DN of cert differs from what we requested raise errors.NotFound( reason=_("Certificate with serial number %(serial)s " @@ -796,12 +798,16 @@ class cert_revoke(PKQuery, CertMethod, VirtualCommand): ) for option in super(cert_revoke, self).get_options(): - if option.name == 'cacn': - continue yield option def execute(self, serial_number, **kw): ca_enabled_check() + + # Make sure that the cert specified by issuer+serial exists. + # Will raise NotFound if it does not. + cert_show_options = dict(cacn=kw['cacn']) + api.Command.cert_show(unicode(serial_number), **cert_show_options) + hostname = None try: self.check_access() @@ -810,13 +816,18 @@ class cert_revoke(PKQuery, CertMethod, VirtualCommand): try: # Let cert_show() handle verifying that the subject of the # cert we're dealing with matches the hostname in the principal - result = api.Command['cert_show'](unicode(serial_number))['result'] + result = api.Command['cert_show']( + unicode(serial_number), **cert_show_options + )['result'] except errors.NotImplementedError: pass revocation_reason = kw['revocation_reason'] if revocation_reason == 7: raise errors.CertificateOperationError(error=_('7 is not a valid revocation reason')) return dict( + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we already checked that + # the given serial was issued by the named ca). result=self.Backend.ra.revoke_certificate( str(serial_number), revocation_reason=revocation_reason) ) 
@@ -837,16 +848,18 @@ class cert_remove_hold(PKQuery, CertMethod, VirtualCommand): ) operation = "certificate remove hold" - def get_options(self): - for option in super(cert_remove_hold, self).get_options(): - if option.name == 'cacn': - continue - yield option - def execute(self, serial_number, **kw): ca_enabled_check() + + # Make sure that the cert specified by issuer+serial exists. + # Will raise NotFound if it does not. + api.Command.cert_show(serial_number, cacn=kw['cacn']) + self.check_access() return dict( + # Dogtag lightweight CAs have shared serial number domain, so + # we don't tell Dogtag the issuer (but we already checked that + # the given serial was issued by the named ca). result=self.Backend.ra.take_certificate_off_hold( str(serial_number)) ) @@ -944,6 +957,10 @@ class cert_find(Search, CertMethod): if option.name == 'no_members': option = option.clone(default=True, flags=set(option.flags) | {'no_option'}) + elif option.name == 'cacn': + # make CA optional, so that user may directly + # specify Issuer DN instead + option = option.clone(default=None, autofill=None) yield option for owner in self.obj._owners(): -- 2.5.5 From ftweedal at redhat.com Wed Jun 29 05:25:39 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 29 Jun 2016 15:25:39 +1000 Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported Message-ID: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> The attached patch fixes https://fedorahosted.org/freeipa/ticket/5991. Thanks, Fraser -------------- next part -------------- From 2363a1fe3486a00c69df781cc9bd43f5916a1733 Mon Sep 17 00:00:00 2001 
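Review bot: in the cert_revoke hunk of patch 0081, `api.Command.cert_show(unicode(serial_number), **cert_show_options)` is now called unconditionally at the top of execute() and then again inside the try block as `result = api.Command['cert_show'](unicode(serial_number), **cert_show_options)['result']`, so the common path makes two round trips to the CA for the same certificate; keep the first call's result and reuse it for the hostname check. Note also that this existence check runs before cert_revoke's own `self.check_access()`, so that step relies entirely on the access check inside cert_show; the same ordering appears in the cert_remove_hold hunk (`api.Command.cert_show(serial_number, cacn=kw['cacn'])` before `self.check_access()`), where the call additionally passes `serial_number` without the `unicode()` conversion used at the other call sites. Make the call sites consistent.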
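Review bot: the cert_status hunk of patch 0081 justifies dropping `cacn` with a Dogtag-specific comment (`# Dogtag requests are uniquely identified by their number; there is no need to distinguish by CA.`); looking up the status of a certificate request is not a Dogtag concept, so baking that assumption into the public API is the wrong layer, and keeping the option consistent with the other commands would be cleaner than special-casing cert_status. Also, the API.txt hunks change the defaults of existing options (`option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')` for cert_request and cert_show) and add options to cert_revoke and cert_remove_hold, yet the diffstat lists only API.txt and ipaserver/plugins/cert.py: an API.txt change should come with the IPA_API_VERSION_MINOR bump in VERSION, and the commit message should mention that cert-request's --ca default changes too (`ca = kw['cacn']` replaces `ca = kw.get('cacn', IPA_CA_CN)`), since it only calls out cert-show.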
From: Fraser Tweedale Date: Wed, 29 Jun 2016 15:02:51 +1000 Subject: [PATCH] cert-request: better error msg when 'add' not supported cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist". Add a new error type with better error message to explain that 'add' is not supported for host or user principals. Fixes: https://fedorahosted.org/freeipa/ticket/5991 --- ipalib/errors.py | 9 +++++++++ ipaserver/plugins/cert.py | 18 +++++++++++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 10491a94211648df8bda60f3dbc9e52d19e83d10..70d17d64f53c75aabf7ae99c56bebd136230c7a3 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1396,6 +1396,15 @@ class ServerRemovalError(ExecutionError): errno = 4033 format = _('Server removal aborted: %(reason)s.') +class OperationNotSupportedForPrincipalType(ExecutionError): + """ + **4034** Raised when an operation is not supported for a principal type + """ + + errno = 4034 + format = _( + '%(operation)s is not supported for %(principal_type)s principals') + class BuiltinError(ExecutionError): """ diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 564d582c77ef63e780604fd7fc55e6cc7889a351..f9fd3ef4b1a1a5cb370fd7876a88c5ecbb69e4e2 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -145,6 +145,12 @@ http://www.ietf.org/rfc/rfc5280.txt USER, HOST, SERVICE = range(3) +PRINCIPAL_TYPE_STRING_MAP = { + USER: _('user'), + HOST: _('host'), + SERVICE: _('service'), +} + register = Registry() PKIDATE_FORMAT = '%Y-%m-%d' @@ -385,7 +391,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): ), Flag( 'add', - doc=_("automatically add the principal if it doesn't exist"), + doc=_("automatically add the principal if it doesn't exist (service princpals only)"), ), ) 
@@ -480,8 +486,14 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): elif principal_type == USER: principal_obj = api.Command['user_show'](principal_name, all=True) except errors.NotFound as e: - if principal_type == SERVICE and add: - principal_obj = api.Command['service_add'](principal_string, force=True) + if add: + if principal_type == SERVICE: + principal_obj = api.Command['service_add']( + principal_string, force=True) + else: + raise errors.OperationNotSupportedForPrincipalType( + operation="'add'", + principal_type=PRINCIPAL_TYPE_STRING_MAP[principal_type]) else: raise errors.NotFound( reason=_("The principal for this request doesn't exist.")) -- 2.5.5 From jcholast at redhat.com Wed Jun 29 06:55:41 2016 
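Review bot: the cert.py hunk of patch 0082 introduces a typo into user-visible text, `doc=_("automatically add the principal if it doesn't exist (service princpals only)")` should read "principals", and the same line runs well past 79 columns, so split it. In the cert_request hunk the new `errors.OperationNotSupportedForPrincipalType(operation="'add'", principal_type=PRINCIPAL_TYPE_STRING_MAP[principal_type])` is raised from inside `except errors.NotFound as e:`, so it is only produced when the principal is missing, which matches the commit message; a test covering that path (cert-request --add for a user and for a host principal) would document the behaviour and guard the new errno 4034 added in the ipalib/errors.py hunk.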
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 08:55:41 +0200
Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal
In-Reply-To: <20160624064943.GP4200@dhcp-40-8.bne.redhat.com>
References: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com> <20160624064943.GP4200@dhcp-40-8.bne.redhat.com>
Message-ID:

On 24.6.2016 08:49, Fraser Tweedale wrote:
> On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 21.6.2016 08:24, Fraser Tweedale wrote:
>>> The attached patches add lightweight CA renewal. There are two
>>> substantive aspects:
>>>
>>> 1. The renew_ca_cert updates the serial number in the lightweight
>>> CA's entry in the Dogtag database. This causes CA clones to observe
>>> the renewal and update the certs in their own NSSDBs.
>>>
>>> 2. The ipa-certupdate command adds Certmonger tracking requests for
>>> lightweight CAs (on the renewal master only).
>>>
>>> Correct behaviour also depends on my patch 0069 (in-server API for
>>> renew_ca_cert script).
>>
>> Patch 0072-0074: LGTM
>>
>> Patch 0075:
>>
>> 1) Lightweight CA certs should be tracked by certmonger on all CA servers,
>> not just on the renewal master. The behavior should be the same as for the
>> main CA cert, i.e. the actual renewal is done only on the renewal master,
>> other CA servers only update their NSS DBs (this is handled in
>> dogtag-ipa-ca-renew-agent-submit).
>>
>> This is important because the CA renewal master can change at any time, and
>> without all CA certs being tracked on all CA servers, there is no guarantee
>> the renewal would happen.
>>
>> 2) Since CA clones update their NSS DBs on their own,
>> dogtag-ipa-ca-renew-agent should be updated not to put them in
>> cn=ca_renewal,cn=ipa,cn=etc.
>>
> Thanks for the review, Honza. Updated patch 0075-2 attached.

Thanks, ACK.

Rebased patch 0072 and pushed to master: 0078e7a9192a940104d8f6621b33d24d814c109b

It would be nice if lightweight CAs known at replica install time were tracked without having to manually run ipa-certupdate after ipa-replica-install. Shall I file a ticket for this, or will you be able to provide a patch before Friday?

--
Jan Cholasta

From dkupka at redhat.com Wed Jun 29 07:22:31 2016
From: dkupka at redhat.com (David Kupka)
Date: Wed, 29 Jun 2016 09:22:31 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
Message-ID:

On 28/04/16 14:45, Jan Cholasta wrote:
> Hi,
>
> I have pushed my thin client WIP branch to GitHub:
> .
>
> All commits up to "ipalib: use relative imports for cross-plugin
> imports" should be good for review. The rest is subject to change
> (WARNING: I will force push into this branch).
>
> Honza
>

Hello!

Commit "schema: fix Flag arguments on the client" fixes the regression reported in https://fedorahosted.org/freeipa/ticket/6009, ACK.

--
David Kupka

From jcholast at redhat.com Wed Jun 29 07:30:17 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jun 2016 09:30:17 +0200 Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal In-Reply-To: References: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com> <20160624064943.GP4200@dhcp-40-8.bne.redhat.com> Message-ID: <66f412e4-5894-53d9-9c3e-c5691da0f105@redhat.com> On 29.6.2016 08:55, Jan Cholasta wrote: > On 24.6.2016 08:49, Fraser Tweedale wrote: >> On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote: >>> Hi, >>> >>> On 21.6.2016 08:24, Fraser Tweedale wrote: >>>> The attached patches add lightweight CA renewal. There are two >>>> substantive aspects: >>>> >>>> 1. The renew_ca_cert updates the serial number in the lightweight >>>> CA's entry in the Dogtag database. This causes CA clones to observe >>>> the renewal and update the certs in their own NSSDBs. >>>> >>>> 2. The ipa-certupdate command adds Certmonger tracking requests for >>>> lightweight CAs (on the renewal master only). >>>> >>>> Correct behaviour also depends on my patch 0069 (in-server API for >>>> renew_ca_cert script). >>> >>> Patch 0072-0074: LGTM >>> >>> Patch 0075: >>> >>> 1) Lightweight CA certs should be tracked by certmonger on all CA >>> servers, >>> not just on the renewal master. The behavior should be the same as >>> for the >>> main CA cert, i.e. the actual renewal is done only on the renewal >>> master, >>> other CA servers only update their NSS DBs (this is handled in >>> dogtag-ipa-ca-renew-agent-submit). >>> >>> This is important because CA renewal master can change at any time, and >>> without all CA certs being tracked on all CA servers, there is no >>> guarantee >>> the renewal would happen. >>> >>> 2) Since CA clones update their NSS DBs on their own, >>> dogtag-ipa-ca-renew-agent should be updated not to put them in >>> cn=ca_renewal,cn=ipa,cn=etc. >>> >> Thanks for the review, Honza. Updated patch 0075-2 attached. > > Thanks, ACK. 
>
> Rebased patch 0072 and pushed to master:
> 0078e7a9192a940104d8f6621b33d24d814c109b
>
> It would be nice if lightweight CAs known at replica install time were
> tracked without having to manually run ipa-certupdate after
> ipa-replica-install. Shall I file a ticket for this, or will you be able
> to provide a patch before Friday?

Also, the certs should be untracked on server uninstall.

--
Jan Cholasta

From jcholast at redhat.com Wed Jun 29 07:54:48 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 09:54:48 +0200
Subject: [Freeipa-devel] [PATCH] 0080 cert-find: fix 'issuer' option
In-Reply-To: <20160629040844.GA4200@dhcp-40-8.bne.redhat.com>
References: <20160629040844.GA4200@dhcp-40-8.bne.redhat.com>
Message-ID: <2cfe6dbb-f6a7-bb6c-dd31-85b38d8a5673@redhat.com>

On 29.6.2016 06:08, Fraser Tweedale wrote:
> Hi,
>
> The attached patch fixes a regression introduced by a patch
> https://fedorahosted.org/freeipa/ticket/5381 (commit
> d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1).

Thanks, ACK.

Pushed to master: 6e4e522e524f40a6b05aeb1cc4b43655ed722e36

--
Jan Cholasta

From jcholast at redhat.com Wed Jun 29 08:04:05 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 10:04:05 +0200
Subject: [Freeipa-devel] [PATCH] 0081 Add --ca option to cert-revoke and cert-remove-hold
In-Reply-To: <20160629041103.GB4200@dhcp-40-8.bne.redhat.com>
References: <20160629041103.GB4200@dhcp-40-8.bne.redhat.com>
Message-ID:

Hi,

On 29.6.2016 06:11, Fraser Tweedale wrote:
> Dear team,
>
> The attached patch implements the --ca option for the rest of the
> cert-blah commands (https://fedorahosted.org/freeipa/ticket/5999).

1) I don't think cert-status should be treated specially. The operation to check the status of a certificate request is not specific to Dogtag.

2) cert-show is called twice in cert-revoke. Can we call it just once?

Honza

--
Jan Cholasta

From slaznick at redhat.com Wed Jun 29 08:14:04 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 29 Jun 2016 10:14:04 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <4f318927-fcfd-ce0e-372f-2feb2958a223@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com> <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com> <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com> <3a8c2f35-6be5-81ff-431f-39f2bad39ce2@redhat.com> <4f318927-fcfd-ce0e-372f-2feb2958a223@redhat.com> Message-ID: <8e56a1bb-5482-19f9-cd36-0eb89141a40a@redhat.com> On 06/28/2016 10:34 AM, Stanislav Laznicka wrote: > On 06/17/2016 09:14 AM, Stanislav Laznicka wrote: >> On 06/14/2016 04:40 PM, Jan Cholasta wrote: >>> On 14.6.2016 16:35, Martin Basti wrote: >>>> On 14.06.2016 16:37, Jan Cholasta wrote: >>>>> On 14.6.2016 16:29, Martin Basti wrote: >>>>>> On 08.06.2016 14:17, Stanislav Laznicka wrote: >>>>>>> On 06/07/2016 10:42 AM, Martin Basti wrote: >>>>>>>> On 07.06.2016 10:43, Jan Cholasta wrote: >>>>>>>>> On 7.6.2016 10:22, Martin Basti wrote: >>>>>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote: >>>>>>>>>>> On 6.6.2016 18:29, Martin Basti wrote: >>>>>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>>>>>>>>>> >>>>>>>>>>>>>> NACK >>>>>>>>>>>>>> >>>>>>>>>>>>>> please remove it from LDAPAddReverseMember too, it >>>>>>>>>>>>>> contains the >>>>>>>>>>>>>> same >>>>>>>>>>>>>> code >>>>>>>>>>>>>> >>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>> >>>>>>>>>>>>> 
Please see the modified patch. >>>>>>>>>>>>> >>>>>>>>>>>>> Standa >>>>>>>>>>>>> >>>>>>>>>>>> ACK >>>>>>>>>>>> >>>>>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>>>>>>>>>> >>>>>>>>>>> I think the attrs_list was supposed to be passed to the >>>>>>>>>>> ldap.get_entry() call rather than removed, which would fix that >>>>>>>>>>> every >>>>>>>>>>> reverse member command always acts like --all was specified. >>>>>>>>>>> >>>>>>>>>> I'm really afraid, what can happen if we put attr_list into >>>>>>>>>> get_entry() >>>>>>>>>> instead of '*', because this code were there for 4 years and >>>>>>>>>> I don't >>>>>>>>>> feel happy enough to change it now, what we may break. >>>>>>>>>> >>>>>>>>>> Should I revert this commit then and postpone the ticket? >>>>>>>>> >>>>>>>>> It's a bug and should be fixed. The fix is easy so I see no >>>>>>>>> point in >>>>>>>>> postponing it. I see no reason to be really afraid, I'm pretty >>>>>>>>> sure >>>>>>>>> that removing the objectclass attribute (which is invisible in >>>>>>>>> the >>>>>>>>> CLI anyway) from the output of all the 4 commands that use >>>>>>>>> this code >>>>>>>>> won't break anything. >>>>>>>>> >>>>>>>> >>>>>>>> Ok >>>>>>> It seems that tests expect objectClass to be always returned in >>>>>>> derived methods. Is that expected behavior? If so, please see the >>>>>>> attached patch. I wonder if the keys of the passed options >>>>>>> should make >>>>>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)? >>>>>> >>>>>> I still don't think that we should use that attrs list, because >>>>>> according git history, attrs_list was really used only with code >>>>>> that >>>>>> was removed, and as you can see Standa had add extra objectclass >>>>>> attribute there >>>>> >>>>> So the assumption here is that if it's in git history, it's not a >>>>> bug? >>>>> >>>>> The extra object class should *not* be included by default. 
>>>>> >>>>> (Also I don't see any reason to have this split into 2 patches.) >>>>> >> Right. I added the objectclass so that it behaves similar to what the >> other commands do and so that it does not break tests but it can be >> removed and tests could be fixed. The question here is - do we want >> it in 4.4, then? If so can we be sure it won't break anything >> (although we know that it's broken as it is, and it's been like that >> for the past 4 years)? >> >> Currently, the LDAP*ReverseMember are used in adding/removing >> permissions/privileges to privileges/roles so I think we don't want >> it to go bad - but could it? >> > After discussion with Honza we agreed that the patch should not break > anything while trying to fix the bug. Attached is the new patch with > fixed tests. > > Hopefully last modification - attrs_list should not be updated by received options as these don't reflect the entry's actual attributes. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0045-3-The-LDAP-ReverseMember-shouldn-t-imply-all-is-always.patch Type: text/x-patch Size: 5160 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 29 08:21:05 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jun 2016 10:21:05 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> Message-ID: On 29.6.2016 09:22, David Kupka wrote: > On 28/04/16 14:45, Jan Cholasta wrote: >> Hi, >> >> I have pushed my thin client WIP branch to GitHub: >> . >> >> All commits up to "ipalib: use relative imports for cross-plugin >> imports" should be good for review. The rest is subject to change >> (WARNING: I will force push into this branch). >> >> Honza >> > > Hello! > > Commit "schema: fix Flag arguments on the client" fixes regression > reported in https://fedorahosted.org/freeipa/ticket/6009, ACK. Thanks, pushed to master: a77e21cbca05be422fe5826857cfba7e0ba6e71f Attaching the patch for reference. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-659-schema-fix-Flag-arguments-on-the-client.patch Type: text/x-patch Size: 947 bytes Desc: not available URL: From jcholast at redhat.com Wed Jun 29 08:44:52 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Wed, 29 Jun 2016 10:44:52 +0200 Subject: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember In-Reply-To: <8e56a1bb-5482-19f9-cd36-0eb89141a40a@redhat.com> References: <9fa1d762-0140-d0fb-2ade-5f86f5c375cd@redhat.com> <107e0f58-1f49-0d91-17d7-6ddaefdc5727@redhat.com> <4d9124fe-f366-d02e-2cb6-6a959eff715f@redhat.com> <11d14f48-e422-f734-bcaa-1a67bc413126@redhat.com> <28133686-a016-2dd4-1494-df517371fe33@redhat.com> <9b44cd8a-2e0b-c34f-0119-f694e1635485@redhat.com> <67b72959-049d-f48f-3f62-5f02eeb0c48b@redhat.com> <32158985-d1cd-7ae0-0695-f92f8ab67def@redhat.com> <26f68915-9aeb-f88e-07e7-611ed043e2e4@redhat.com> <2d6ab479-5e25-7b00-e726-446b9c77a93e@redhat.com> <3a8c2f35-6be5-81ff-431f-39f2bad39ce2@redhat.com> <4f318927-fcfd-ce0e-372f-2feb2958a223@redhat.com> <8e56a1bb-5482-19f9-cd36-0eb89141a40a@redhat.com> Message-ID: <9e0e078b-610e-75ea-6fec-d07ead3b73aa@redhat.com> On 29.6.2016 10:14, Stanislav Laznicka wrote: > On 06/28/2016 10:34 AM, Stanislav Laznicka wrote: >> On 06/17/2016 09:14 AM, Stanislav Laznicka wrote: >>> On 06/14/2016 04:40 PM, Jan Cholasta wrote: >>>> On 14.6.2016 16:35, Martin Basti wrote: >>>>> On 14.06.2016 16:37, Jan Cholasta wrote: >>>>>> On 14.6.2016 16:29, Martin Basti wrote: >>>>>>> On 08.06.2016 14:17, Stanislav Laznicka wrote: >>>>>>>> On 06/07/2016 10:42 AM, Martin Basti wrote: >>>>>>>>> On 07.06.2016 10:43, Jan Cholasta wrote: >>>>>>>>>> On 7.6.2016 10:22, Martin Basti wrote: >>>>>>>>>>> On 07.06.2016 09:07, Jan Cholasta wrote: >>>>>>>>>>>> On 6.6.2016 18:29, Martin Basti wrote: >>>>>>>>>>>>> On 03.06.2016 14:28, Stanislav Laznicka wrote: >>>>>>>>>>>>>> On 06/03/2016 02:19 PM, Martin Basti wrote: >>>>>>>>>>>>>>> On 03.06.2016 14:13, Stanislav Laznicka wrote: >>>>>>>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5892 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> NACK >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> please remove it from LDAPAddReverseMember too, it >>>>>>>>>>>>>>> contains 
the >>>>>>>>>>>>>>> same >>>>>>>>>>>>>>> code >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Martin^2 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Please see the modified patch. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Standa >>>>>>>>>>>>>> >>>>>>>>>>>>> ACK >>>>>>>>>>>>> >>>>>>>>>>>>> Pushed to master: c56d65b064e1e0410c03cf1206816cad4d8d86cc >>>>>>>>>>>> >>>>>>>>>>>> I think the attrs_list was supposed to be passed to the >>>>>>>>>>>> ldap.get_entry() call rather than removed, which would fix that >>>>>>>>>>>> every >>>>>>>>>>>> reverse member command always acts like --all was specified. >>>>>>>>>>>> >>>>>>>>>>> I'm really afraid, what can happen if we put attr_list into >>>>>>>>>>> get_entry() >>>>>>>>>>> instead of '*', because this code were there for 4 years and >>>>>>>>>>> I don't >>>>>>>>>>> feel happy enough to change it now, what we may break. >>>>>>>>>>> >>>>>>>>>>> Should I revert this commit then and postpone the ticket? >>>>>>>>>> >>>>>>>>>> It's a bug and should be fixed. The fix is easy so I see no >>>>>>>>>> point in >>>>>>>>>> postponing it. I see no reason to be really afraid, I'm pretty >>>>>>>>>> sure >>>>>>>>>> that removing the objectclass attribute (which is invisible in >>>>>>>>>> the >>>>>>>>>> CLI anyway) from the output of all the 4 commands that use >>>>>>>>>> this code >>>>>>>>>> won't break anything. >>>>>>>>>> >>>>>>>>> >>>>>>>>> Ok >>>>>>>> It seems that tests expect objectClass to be always returned in >>>>>>>> derived methods. Is that expected behavior? If so, please see the >>>>>>>> attached patch. I wonder if the keys of the passed options >>>>>>>> should make >>>>>>>> it to attrs_list as well (similarly to LDAPUpdate and LDAPCreate)? 
>>>>>>> >>>>>>> I still don't think that we should use that attrs list, because >>>>>>> according git history, attrs_list was really used only with code >>>>>>> that >>>>>>> was removed, and as you can see Standa had add extra objectclass >>>>>>> attribute there >>>>>> >>>>>> So the assumption here is that if it's in git history, it's not a >>>>>> bug? >>>>>> >>>>>> The extra object class should *not* be included by default. >>>>>> >>>>>> (Also I don't see any reason to have this split into 2 patches.) >>>>>> >>> Right. I added the objectclass so that it behaves similar to what the >>> other commands do and so that it does not break tests but it can be >>> removed and tests could be fixed. The question here is - do we want >>> it in 4.4, then? If so can we be sure it won't break anything >>> (although we know that it's broken as it is, and it's been like that >>> for the past 4 years)? >>> >>> Currently, the LDAP*ReverseMember are used in adding/removing >>> permissions/privileges to privileges/roles so I think we don't want >>> it to go bad - but could it? >>> >> After discussion with Honza we agreed that the patch should not break >> anything while trying to fix the bug. Attached is the new patch with >> fixed tests. >> >> > Hopefully last modification - attrs_list should not be updated by > received options as these don't reflect the entry's actual attributes. Thanks, ACK. Pushed to master: 427bbf6c0d61cf52f14a9f2606143f994340ec83 -- Jan Cholasta From ftweedal at redhat.com Wed Jun 29 08:41:31 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 29 Jun 2016 18:41:31 +1000
Subject: [Freeipa-devel] [PATCH] 0072..0075 Lightweight CA renewal
In-Reply-To: <66f412e4-5894-53d9-9c3e-c5691da0f105@redhat.com>
References: <20160621062416.GE4200@dhcp-40-8.bne.redhat.com> <3151c80a-656a-80f3-804d-e368ec513b25@redhat.com> <20160624064943.GP4200@dhcp-40-8.bne.redhat.com> <66f412e4-5894-53d9-9c3e-c5691da0f105@redhat.com>
Message-ID: <20160629084131.GE4200@dhcp-40-8.bne.redhat.com>

On Wed, Jun 29, 2016 at 09:30:17AM +0200, Jan Cholasta wrote:
> On 29.6.2016 08:55, Jan Cholasta wrote:
> > On 24.6.2016 08:49, Fraser Tweedale wrote:
> > > On Thu, Jun 23, 2016 at 09:51:02AM +0200, Jan Cholasta wrote:
> > > > Hi,
> > > >
> > > > On 21.6.2016 08:24, Fraser Tweedale wrote:
> > > > > The attached patches add lightweight CA renewal. There are two
> > > > > substantive aspects:
> > > > >
> > > > > 1. The renew_ca_cert updates the serial number in the lightweight
> > > > > CA's entry in the Dogtag database. This causes CA clones to observe
> > > > > the renewal and update the certs in their own NSSDBs.
> > > > >
> > > > > 2. The ipa-certupdate command adds Certmonger tracking requests for
> > > > > lightweight CAs (on the renewal master only).
> > > > >
> > > > > Correct behaviour also depends on my patch 0069 (in-server API for
> > > > > renew_ca_cert script).
> > > >
> > > > Patch 0072-0074: LGTM
> > > >
> > > > Patch 0075:
> > > >
> > > > 1) Lightweight CA certs should be tracked by certmonger on all CA
> > > > servers, not just on the renewal master. The behavior should be the
> > > > same as for the main CA cert, i.e. the actual renewal is done only on
> > > > the renewal master, other CA servers only update their NSS DBs (this
> > > > is handled in dogtag-ipa-ca-renew-agent-submit).
> > > >
> > > > This is important because CA renewal master can change at any time,
> > > > and without all CA certs being tracked on all CA servers, there is no
> > > > guarantee the renewal would happen.
> > > >
> > > > 2) Since CA clones update their NSS DBs on their own,
> > > > dogtag-ipa-ca-renew-agent should be updated not to put them in
> > > > cn=ca_renewal,cn=ipa,cn=etc.
> > > >
> > > Thanks for the review, Honza. Updated patch 0075-2 attached.
> >
> > Thanks, ACK.
> >
> > Rebased patch 0072 and pushed to master:
> > 0078e7a9192a940104d8f6621b33d24d814c109b
> >
> > It would be nice if lightweight CAs known at replica install time were
> > tracked without having to manually run ipa-certupdate after
> > ipa-replica-install. Shall I file a ticket for this, or will you be able
> > to provide a patch before Friday?
>
> Also, the certs should be untracked on server uninstall.
>
File the ticket, and I'll try to address by Friday anyways :)

Thanks,
Fraser

From jcholast at redhat.com Wed Jun 29 08:49:57 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 10:49:57 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <93e36dc7-30c1-3a6c-9304-987e279a98f8@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <16fe8df8-0ee1-c68a-f444-784d298ce289@redhat.com> <93e36dc7-30c1-3a6c-9304-987e279a98f8@redhat.com>
Message-ID: 

On 27.6.2016 16:44, Jan Cholasta wrote:
> On 27.6.2016 14:55, David Kupka wrote:
>> On 28/04/16 14:45, Jan Cholasta wrote:
>>> Hi,
>>>
>>> I have pushed my thin client WIP branch to GitHub:
>>> .
>>>
>>> All commits up to "ipalib: use relative imports for cross-plugin
>>> imports" should be good for review. The rest is subject to change
>>> (WARNING: I will force push into this branch).
>>>
>>> Honza
>>>
>>
>> Hello!
>>
>> Patch set:
>> schema: client-side cleanup
>> automember: fix automember to work with thin client
>> schema: do not crash in command_defaults if argument is None
>> schema: fix param default value handling
>>
>> works* for me, ACK.
>
> Thanks, pushed to master: f7cc15f0990ef2db57717a3c6a8e9db2c3dee951
>
> Attaching the patches for reference.
>
>>
>> *) xmlrpc test for automember_plugin test started failing with
>> automember patch. Fix for test attached.
>
> LGTM

ACK.

Pushed to master: 95191e1612f93823bd0e325ef9b97fa9a4d7869c

-- 
Jan Cholasta

From ftweedal at redhat.com Wed Jun 29 08:47:23 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 29 Jun 2016 18:47:23 +1000
Subject: [Freeipa-devel] [PATCH] 0081 Add --ca option to cert-revoke and cert-remove-hold
In-Reply-To: 
References: <20160629041103.GB4200@dhcp-40-8.bne.redhat.com>
Message-ID: <20160629084722.GF4200@dhcp-40-8.bne.redhat.com>

On Wed, Jun 29, 2016 at 10:04:05AM +0200, Jan Cholasta wrote:
> Hi,
>
> On 29.6.2016 06:11, Fraser Tweedale wrote:
> > Dear team,
> >
> > The attached patch implements the --ca option for the rest of the
> > cert-blah commands (https://fedorahosted.org/freeipa/ticket/5999).
>
> 1) I don't think cert-status should be treated specially. The operation to
> check status of a certificate request is not specific to Dogtag.
>
I'm happy to add the option, with the caveat that because (off the top
of my head) there is not (yet) a way in Dogtag to distinguish/filter
requests by target CA, value may go unused.

>
> 2) cert-show is called twice in cert-revoke. Can we call it just once?
>
I'll address this in next patchset.

Thanks for reviewing!
Fraser

From ofayans at redhat.com Wed Jun 29 08:56:06 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Wed, 29 Jun 2016 10:56:06 +0200
Subject: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain
Message-ID: <57738D26.50404@redhat.com>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

Attachment: freeipa-ofayans-0052-Test-for-incorrect-client-domain.patch (text/x-patch, 2384 bytes)

From frenaud at redhat.com Wed Jun 29 09:30:14 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Wed, 29 Jun 2016 11:30:14 +0200
Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported
In-Reply-To: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com>
References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com>
Message-ID: <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com>

On 06/29/2016 07:25 AM, Fraser Tweedale wrote:
> The attached patch fixes
> https://fedorahosted.org/freeipa/ticket/5991.
>
> Thanks,
> Fraser
>
>
>
Hi Fraser,

A few cosmetic comments:

PEP8 issues:
./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1
./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters)
./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters)

and there is a typo in ipaserver/plugins/cert.py
+            doc=_("automatically add the principal if it doesn't exist (service princpals only)"),
should be "princ*i*pals only"

Otherwise LGTM,
Flo

From jcholast at redhat.com Wed Jun 29 10:18:37 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 12:18:37 +0200
Subject: [Freeipa-devel] [PATCH] 0081 Add --ca option to cert-revoke and cert-remove-hold
In-Reply-To: <20160629084722.GF4200@dhcp-40-8.bne.redhat.com>
References: <20160629041103.GB4200@dhcp-40-8.bne.redhat.com> <20160629084722.GF4200@dhcp-40-8.bne.redhat.com>
Message-ID: 

On 29.6.2016 10:47, Fraser Tweedale wrote:
> On Wed, Jun 29, 2016 at 10:04:05AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 29.6.2016 06:11, Fraser Tweedale wrote:
>>> Dear team,
>>>
>>> The attached patch implements the --ca option for the rest of the
>>> cert-blah commands (https://fedorahosted.org/freeipa/ticket/5999).
>>
>> 1) I don't think cert-status should be treated specially. The operation to
>> check status of a certificate request is not specific to Dogtag.
>>
> I'm happy to add the option, with the caveat that because (off the top
> of my head) there is not (yet) a way in Dogtag to distinguish/filter
> requests by target CA, value may go unused.

IMO that's OK, since it's a safe non-destructive operation.

>
>>
>> 2) cert-show is called twice in cert-revoke. Can we call it just once?
>>
> I'll address this in next patchset.

OK.

>
> Thanks for reviewing!
> Fraser
>

-- 
Jan Cholasta

From mbasti at redhat.com Wed Jun 29 10:23:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 12:23:29 +0200
Subject: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain
In-Reply-To: <57738D26.50404@redhat.com>
References: <57738D26.50404@redhat.com>
Message-ID: 

On 29.06.2016 10:56, Oleg Fayans wrote:
>
>
Hello,

+        assert_error(result,
+                     "Failed to verify that %s is an IPA Server" %
+                     self.master.hostname)

I would expect this error there:

"Cannot promote this client to a replica. Local domain '{local}' does not
match IPA domain '{ipadomain}'. "

You should not use random REALM, in this case you don't test domains but
realms. You can leave the test with incorrect realm there, but as a
separate test case

Martin^2

From pspacek at redhat.com Wed Jun 29 10:36:22 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 12:36:22 +0200
Subject: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain
In-Reply-To: 
References: <57738D26.50404@redhat.com>
Message-ID: <9336ba45-b099-a35f-5053-8736c856ecd7@redhat.com>

On 29.6.2016 12:23, Martin Basti wrote:
>
>
> On 29.06.2016 10:56, Oleg Fayans wrote:
>>
>>
> Hello,
>
> +        assert_error(result,
> +                     "Failed to verify that %s is an IPA Server" %
> +                     self.master.hostname)
>
>
> I would expect this error there:
>
> "Cannot promote this client to a replica. Local domain '{local}' does not
> match IPA domain '{ipadomain}'. "
>
> You should not use random REALM, in this case you don't test domains but
> realms. You can leave the test with incorrect realm there, but as a
> separate test case

Even more importantly, the check is part of ipa-replica-install - and this
test is testing anything in ipa-replica-install.

-- 
Petr^2 Spacek

From mbasti at redhat.com Wed Jun 29 11:04:48 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 13:04:48 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
In-Reply-To: 
References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com> <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com>
Message-ID: <4239c1e6-349e-acdc-0df8-31a0ac09b689@redhat.com>

On 28.06.2016 16:57, Florence Blanc-Renaud wrote:
> On 06/28/2016 11:05 AM, Martin Basti wrote:
>>
>>
>> On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
>>> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>>>> Florence Blanc-Renaud wrote:
>>>>> Hi all,
>>>>>
>>>>> thanks for your suggestions. Updated patch attached.
>>>>> Flo.
>>>>>
>>>>
>>>> The invocation in ipactl should say server, not client.
>>>>
>>>> Otherwise LGTM (untested).
>>>>
>>>> rob
>>>
>>> Hi all,
>>>
>>> thanks to Rob for catching the typo.
>>> Patch with updated message is attached,
>>> Flo.
>>>
>>>
>>
>> Thank you for the patch I have two comments:
>>
>> 1)
>> +        except Exception:
>> +            # Consider that the host is not fips-enabled if the file does
>> not exist
>> +            pass
>>
>> exceptions should be as specific as possible, otherwise it may mask
>> real issues
>> please use 'except IOError' if you want to catch the case that file does
>> not exist
>>
>> 2)
>> in replicainstall.py and install.py please raise exception
>> (RuntimeError) instead of sys.exit() to keep proper logging, cleanup,
>> etc.
>>
>> Sys.exit() should not be used in modules, it is hard to debug etc. It
>> can be used only in scripts (ipa-client-install, ipa-replica-manage,
>> etc..)
>>
>> Martin^2
>
> Hi,
>
> hopefully converging with this updated patch :)
> Thanks for all the comments, I'm learning tips with each iteration.
>
> Flo.
>
I propose following changes (in attached patch).

If you agree I can squash patches and push it.

Martin^2

Attachment: freeipa-mbasti-0000-FIPS-reviewer-proposed-changes.patch (text/x-patch, 1480 bytes)

From frenaud at redhat.com Wed Jun 29 11:14:48 2016
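The two review points above (catch only the "file does not exist" error, and raise an exception instead of calling sys.exit() in a module) in working form, as an added example that is not the patch under review and not FreeIPA code. The thread only says "the file"; the path /proc/sys/crypto/fips_enabled and the names is_fips_enabled, check_fips_mode and install_with_cleanup are assumptions made here for illustration.

```python
"""Added example (not FreeIPA code): a FIPS-mode check written the way the
review asks for it.  Assumed flag file (not named in the thread):
/proc/sys/crypto/fips_enabled, which reads "1" when the kernel is in FIPS
mode.  The demo() helper builds constructed inputs in a temp dir."""
import errno
import os
import shutil
import tempfile

FIPS_FLAG_FILE = "/proc/sys/crypto/fips_enabled"  # assumed path


def is_fips_enabled(path=FIPS_FLAG_FILE):
    """True if the flag file exists and reads as '1'.

    A missing file means "not FIPS-enabled".  Any other I/O error (EACCES,
    EISDIR, EIO, ...) is re-raised: 'except IOError' narrowed to ENOENT does
    not mask real problems the way a bare 'except Exception: pass' would.
    """
    try:
        with open(path) as f:
            content = f.read()
    except IOError as e:  # on Python 3, IOError is an alias of OSError
        if e.errno == errno.ENOENT:
            return False
        raise
    return content.strip() == "1"


def check_fips_mode(component, path=FIPS_FLAG_FILE):
    """Module-level check: raise RuntimeError instead of sys.exit(), so the
    caller's logging and cleanup still run; only the script entry point
    (ipa-server-install, ipa-replica-install, ...) decides the exit code."""
    if is_fips_enabled(path):
        raise RuntimeError(
            "Installing IPA %s in FIPS mode is not supported" % component)


def install_with_cleanup(component, path=FIPS_FLAG_FILE):
    """Shows why an exception beats sys.exit(): the finally block runs and
    the error is recorded in the caller's log.  Returns the log."""
    log = []
    try:
        log.append("start")
        check_fips_mode(component, path)
        log.append("installed")
    except RuntimeError as e:
        log.append("error: %s" % e)
    finally:
        log.append("cleanup")
    return log


def demo():
    """Constructed inputs (not real hosts): '1' and '0' flag files, a missing
    file, and a directory (an I/O error that is not ENOENT)."""
    tmp = tempfile.mkdtemp()
    try:
        on = os.path.join(tmp, "fips_on")
        off = os.path.join(tmp, "fips_off")
        with open(on, "w") as f:
            f.write("1\n")
        with open(off, "w") as f:
            f.write("0\n")
        missing = os.path.join(tmp, "does_not_exist")
        results = {
            "on": is_fips_enabled(on),
            "off": is_fips_enabled(off),
            "missing": is_fips_enabled(missing),
        }
        try:
            is_fips_enabled(tmp)  # opening a directory fails with EISDIR
            results["dir"] = "masked"
        except IOError:
            results["dir"] = "propagated"
        results["log"] = install_with_cleanup("server", on)
    finally:
        shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%s: %r" % (key, value))
```

The "dir" case is the one that distinguishes the two exception handlers: with `except Exception: pass` an unreadable or malformed flag file would silently report "not FIPS-enabled" and the installer would proceed.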
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Wed, 29 Jun 2016 13:14:48 +0200
Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode
In-Reply-To: <4239c1e6-349e-acdc-0df8-31a0ac09b689@redhat.com>
References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com> <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com> <4239c1e6-349e-acdc-0df8-31a0ac09b689@redhat.com>
Message-ID: 

On 06/29/2016 01:04 PM, Martin Basti wrote:
>
>
> On 28.06.2016 16:57, Florence Blanc-Renaud wrote:
>> On 06/28/2016 11:05 AM, Martin Basti wrote:
>>>
>>>
>>> On 28.06.2016 10:51, Florence Blanc-Renaud wrote:
>>>> On 06/27/2016 10:18 PM, Rob Crittenden wrote:
>>>>> Florence Blanc-Renaud wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> thanks for your suggestions. Updated patch attached.
>>>>>> Flo.
>>>>>>
>>>>>
>>>>> The invocation in ipactl should say server, not client.
>>>>>
>>>>> Otherwise LGTM (untested).
>>>>>
>>>>> rob
>>>>
>>>> Hi all,
>>>>
>>>> thanks to Rob for catching the typo.
>>>> Patch with updated message is attached,
>>>> Flo.
>>>>
>>>>
>>>
>>> Thank you for the patch I have two comments:
>>>
>>> 1)
>>> +        except Exception:
>>> +            # Consider that the host is not fips-enabled if the file does
>>> not exist
>>> +            pass
>>>
>>> exceptions should be as specific as possible, otherwise it may mask
>>> real issues
>>> please use 'except IOError' if you want to catch the case that file does
>>> not exist
>>>
>>> 2)
>>> in replicainstall.py and install.py please raise exception
>>> (RuntimeError) instead of sys.exit() to keep proper logging, cleanup,
>>> etc.
>>>
>>> Sys.exit() should not be used in modules, it is hard to debug etc. It
>>> can be used only in scripts (ipa-client-install, ipa-replica-manage,
>>> etc..)
>>>
>>> Martin^2
>>
>> Hi,
>>
>> hopefully converging with this updated patch :)
>> Thanks for all the comments, I'm learning tips with each iteration.
>>
>> Flo.
>>
> I propose following changes (in attached patch). If you agree I can
> squash patches and push it.
>
> Martin^2

Hi Martin,

thanks for the proposal, OK for me.
Flo.

From pspacek at redhat.com Wed Jun 29 12:13:59 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 14:13:59 +0200
Subject: [Freeipa-devel] [PATCH 0107] test: cert: Reflect change in behavior in tests
In-Reply-To: 
References: 
Message-ID: <31a9f77f-b1e1-62fa-fc51-0b118749f4be@redhat.com>

On 28.6.2016 16:58, David Kupka wrote:
>
> -- 
> David Kupka
>
> freeipa-dkupka-0107.0-test-cert-Reflect-change-in-behavior-in-tests.patch
>
>
> From 4331e9a62a3cea81b548c555001a7d7ed1127574 Mon Sep 17 00:00:00 2001
> From: David Kupka 
> Date: Tue, 28 Jun 2016 10:47:10 +0200
> Subject: [PATCH] test: cert: Reflect change in behavior in tests
>
> Command cert-find with parameter sizelimit set to 0 no longer returns 0
> certificates but returns all.
>
> More precise ConversionError is returned when parameter is not
> convertible to its type.
>
> https://fedorahosted.org/freeipa/ticket/5381
> https://fedorahosted.org/freeipa/ticket/4739
> ---
>  ipatests/test_xmlrpc/test_cert_plugin.py | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
> index 1a6168da29393eb041273da3bbfa845858cdaf72..8127ef224b24a0b3a63c3d07ef72d4b53feda4be 100644
> --- a/ipatests/test_xmlrpc/test_cert_plugin.py
> +++ b/ipatests/test_xmlrpc/test_cert_plugin.py
> @@ -429,8 +429,9 @@ class test_cert_find(XMLRPC_test):
>          """
>          Search with a sizelimit of 0
>          """
> +        count_all = api.Command['cert_find']()['count']
>          res = api.Command['cert_find'](sizelimit=0)
> -        assert 'count' in res and res['count'] == 0
> +        assert 'count' in res and res['count'] == count_all
>  
>      @raises(errors.ValidationError)
>      def test_0028_find_negative_size(self):
> @@ -453,7 +454,7 @@ class test_cert_find(XMLRPC_test):
>          res = api.Command['cert_find'](subject=u'ipatestcert.%s' % api.env.domain)
>          assert 'count' in res and res['count'] >= 1
>  
> -    @raises(errors.ValidationError)
> +    @raises(errors.ConversionError)
>      def test_0031_search_on_invalid_date(self):
>          """
>          Search using invalid date format
> -- 
> 2.7.4

ACK

-- 
Petr^2 Spacek

From slaznick at redhat.com Wed Jun 29 12:17:46 2016
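Review bot: in the first hunk (@@ -429,8 +429,9 @@) the baseline `count_all = api.Command['cert_find']()['count']` comes from a call with no explicit size limit, so if a default size limit applies to that call the baseline itself can be truncated and `res['count'] == count_all` then compares the unlimited `sizelimit=0` result against a capped one. Either take the baseline from a search that is explicitly unlimited, or assert on the property that actually changed (for example that `res['count']` is greater than 0 and the result is not marked truncated), so the test does not start failing once the number of certificates crosses the default limit.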
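Review bot: in the second hunk (@@ -453,7 +454,7 @@) `@raises(errors.ConversionError)` wraps the whole of `test_0031_search_on_invalid_date`, so a ConversionError raised anywhere in the function body, not only by the invalid-date search, satisfies the test. Scoping the expectation to the single `cert_find` call with `with pytest.raises(errors.ConversionError):` would pin the error to the search itself and also make it visible that the ValidationError-to-ConversionError change is a client-visible change in the error code returned for an unparsable date.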
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Wed, 29 Jun 2016 14:17:46 +0200
Subject: [Freeipa-devel] [PATCH] 0007 Fix ipa-server-certinstall with certs signed by 3rd-party CA
In-Reply-To: <264af0c4-f182-78fb-2c32-2195fe09874b@redhat.com>
References: <264af0c4-f182-78fb-2c32-2195fe09874b@redhat.com>
Message-ID: 

On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
> The scenario is the following:
> - install the server with an embedded CA
> - use ipa-cacert-manage to install a 3rd party CA
> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS
> databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias
> and /etc/dirsrv/slapd-XXX)
> - use ipa-server-certinstall to replace the Directory/Apache server
> certificates with a cert signed by the 3rd party CA.
>
> Note that I had to run ipa-certupdate after putting selinux mode to
> permissive (otherwise the cert does not get into
> /etc/pki/pki-tomcat/alias) and a bz has been opened against
> selinux-policy to solve this issue.
>
> https://fedorahosted.org/freeipa/ticket/4785
> https://fedorahosted.org/freeipa/ticket/4786
>
>
Hello,

The patch works as expected with the selinux requirement you mentioned. I
will just add Honza for code sanity check. Therefore conditional ACK if
the code can take no further improvements.

Standa

From jcholast at redhat.com Wed Jun 29 12:25:43 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 14:25:43 +0200
Subject: [Freeipa-devel] [PATCH 660] replica install: don't allow install against a newer server
Message-ID: <65420217-632b-a9ab-bab0-b627b5f8d4c8@redhat.com>

Hi,

the attached patch fixes .

Honza

-- 
Jan Cholasta

Attachment: freeipa-jcholast-660-replica-install-don-t-allow-install-against-a-newer-.patch (text/x-patch, 2797 bytes)

From mbasti at redhat.com Wed Jun 29 12:22:24 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 14:22:24 +0200
Subject: [Freeipa-devel] [PATCH 0140-0142] Use NSS for name->resolution in IPA installer & relax some DNS checks
In-Reply-To: 
References: 
Message-ID: 

On 28.06.2016 19:40, Petr Spacek wrote:
> Hello,
>
> DNS: Remove unnecessary DNS check from installer
>
> Previously we were checking content of DNS before actually adding DNS
> records for replicas. This is causing a cycle in logic and adds weird
> corner cases to the installer which can blow up on DNS timeout or so.
>
> The check was completely unnecessary because the installer knows IP
> addresses and name of the machine. Removal of the check makes
> the installer more reliable.
>
> https://fedorahosted.org/freeipa/ticket/5962
>
> Use NSS for name->resolution in IPA installer
>
> This fixes scenarios where IPA server is not able to resolve own name
> and option --ip-address was not specified by the user.
>
> This partially reverts changes from commit
> dc405005f537cf278fd6ddfe6b87060bd13d9a67
>
> https://fedorahosted.org/freeipa/ticket/5962
>
> client-install: do not fail if DNS times out during DNS update generation
>
> https://fedorahosted.org/freeipa/ticket/5962
>
ACK

master:
* 1802f7a2258c793d11c7a9c2a4786cea42b9b058 client-install: do not fail if DNS times out during DNS update generation
* 7be50ea7150b36adf9051fc1003dd36f61d68451 Use NSS for name->resolution in IPA installer
* 954f6095fd2783e631cba042f86bec87394f9224 DNS: Remove unnecessary DNS check from installer

Patches for ipa-4-3 need rebase

From pspacek at redhat.com Wed Jun 29 12:31:00 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 14:31:00 +0200
Subject: [Freeipa-devel] [PATCH 0140-0142] Use NSS for name->resolution in IPA installer & relax some DNS checks
In-Reply-To: 
References: 
Message-ID: 

On 29.6.2016 14:22, Martin Basti wrote:
>
>
> On 28.06.2016 19:40, Petr Spacek wrote:
>> Hello,
>>
>> DNS: Remove unnecessary DNS check from installer
>>
>> Previously we were checking content of DNS before actually adding DNS
>> records for replicas. This is causing a cycle in logic and adds weird
>> corner cases to the installer which can blow up on DNS timeout or so.
>>
>> The check was completely unnecessary because the installer knows IP
>> addresses and name of the machine. Removal of the check makes
>> the installer more reliable.
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
>> Use NSS for name->resolution in IPA installer
>>
>> This fixes scenarios where IPA server is not able to resolve own name
>> and option --ip-address was not specified by the user.
>>
>> This partially reverts changes from commit
>> dc405005f537cf278fd6ddfe6b87060bd13d9a67
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
>> client-install: do not fail if DNS times out during DNS update generation
>>
>> https://fedorahosted.org/freeipa/ticket/5962
>>
> ACK
>
> master:
> * 1802f7a2258c793d11c7a9c2a4786cea42b9b058 client-install: do not fail if DNS
> times out during DNS update generation
> * 7be50ea7150b36adf9051fc1003dd36f61d68451 Use NSS for name->resolution in IPA
> installer
> * 954f6095fd2783e631cba042f86bec87394f9224 DNS: Remove unnecessary DNS check
> from installer
>
> Patches for ipa-4-3 need rebase

Here is the rebase.

-- 
Petr^2 Spacek

Attachment: freeipa-4-3-pspacek-0140-client-install-do-not-fail-if-DNS-times-out-during-D.patch (text/x-patch, 1098 bytes)
Attachment: freeipa-4-3-pspacek-0141-Use-NSS-for-name-resolution-in-IPA-installer.patch (text/x-patch, 4712 bytes)
Attachment: freeipa-4-3-pspacek-0142-DNS-Remove-unnecessary-DNS-check-from-installer.patch (text/x-patch, 2085 bytes)

From pspacek at redhat.com Wed Jun 29 12:36:29 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 14:36:29 +0200
Subject: [Freeipa-devel] [PATCH 0144] Fix `Conflicts` with ipa-python
Message-ID: <5263645c-e22b-0ec2-241e-9c995c7da7a1@redhat.com>

Hello,

Fix `Conflicts` with ipa-python

The conflicts should have constant version in it because it is related
to package split.

https://fedorahosted.org/freeipa/ticket/6004

I've tested the same change in RHEL 7.2->7.3 upgrade and it worked just
fine. Upgrade from IPA 4.3.1 to master on Fedora 24 worked just fine, too.

-- 
Petr^2 Spacek

Attachment: freeipa-pspacek-0144-Fix-Conflicts-with-ipa-python.patch (text/x-patch, 1378 bytes)

From mbasti at redhat.com Wed Jun 29 12:47:09 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 14:47:09 +0200
Subject: [Freeipa-devel] [PATCH 0140-0142] Use NSS for name->resolution in IPA installer & relax some DNS checks
In-Reply-To: 
References: 
Message-ID: <875f2a05-136e-0fd7-d8f7-c391339640c6@redhat.com>

On 29.06.2016 14:31, Petr Spacek wrote:
> On 29.6.2016 14:22, Martin Basti wrote:
>>
>> On 28.06.2016 19:40, Petr Spacek wrote:
>>> Hello,
>>>
>>> DNS: Remove unnecessary DNS check from installer
>>>
>>> Previously we were checking content of DNS before actually adding DNS
>>> records for replicas. This is causing a cycle in logic and adds weird
>>> corner cases to the installer which can blow up on DNS timeout or so.
>>>
>>> The check was completely unnecessary because the installer knows IP
>>> addresses and name of the machine. Removal of the check makes
>>> the installer more reliable.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5962
>>>
>>> Use NSS for name->resolution in IPA installer
>>>
>>> This fixes scenarios where IPA server is not able to resolve own name
>>> and option --ip-address was not specified by the user.
>>>
>>> This partially reverts changes from commit
>>> dc405005f537cf278fd6ddfe6b87060bd13d9a67
>>>
>>> https://fedorahosted.org/freeipa/ticket/5962
>>>
>>> client-install: do not fail if DNS times out during DNS update generation
>>>
>>> https://fedorahosted.org/freeipa/ticket/5962
>>>
>> ACK
>>
>> master:
>> * 1802f7a2258c793d11c7a9c2a4786cea42b9b058 client-install: do not fail if DNS
>> times out during DNS update generation
>> * 7be50ea7150b36adf9051fc1003dd36f61d68451 Use NSS for name->resolution in IPA
>> installer
>> * 954f6095fd2783e631cba042f86bec87394f9224 DNS: Remove unnecessary DNS check
>> from installer
>>
>> Patches for ipa-4-3 need rebase
> Here is the rebase.
>
ipa-4-3:
* 6dce438b7a192bf30310a0334bc302c590fa2637 client-install: do not fail if DNS times out during DNS update generation
* dc7413234361eed1a63d78c9ac932a38b53d838b Use NSS for name->resolution in IPA installer
* ced5124508a47415b3ff86159eb55b96f57bb29a DNS: Remove unnecessary DNS check from installer

From jcholast at redhat.com Wed Jun 29 12:54:26 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 14:54:26 +0200
Subject: [Freeipa-devel] [PATCH 661] backup: use in-server API in ipa-backup and ipa-restore
Message-ID: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>

Hi,

the attached patch fixes .

Honza

-- 
Jan Cholasta

Attachment: freeipa-jcholast-661-backup-use-in-server-API-in-ipa-backup-and-ipa-resto.patch (text/x-patch, 1591 bytes)

From mbasti at redhat.com Wed Jun 29 12:51:40 2016
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 14:51:40 +0200
Subject: [Freeipa-devel] [PATCH 0107] test: cert: Reflect change in behavior in tests
In-Reply-To: <31a9f77f-b1e1-62fa-fc51-0b118749f4be@redhat.com>
References: <31a9f77f-b1e1-62fa-fc51-0b118749f4be@redhat.com>
Message-ID: <9f736f74-243f-53d3-368c-1d8dc54dbdd7@redhat.com>

On 29.06.2016 14:13, Petr Spacek wrote:
> On 28.6.2016 16:58, David Kupka wrote:
>> -- 
>> David Kupka
>>
>> freeipa-dkupka-0107.0-test-cert-Reflect-change-in-behavior-in-tests.patch
>>
>>
>> From 4331e9a62a3cea81b548c555001a7d7ed1127574 Mon Sep 17 00:00:00 2001
>> From: David Kupka 
>> Date: Tue, 28 Jun 2016 10:47:10 +0200
>> Subject: [PATCH] test: cert: Reflect change in behavior in tests
>>
>> Command cert-find with parameter sizelimit set to 0 no longer returns 0
>> certificates but returns all.
>>
>> More precise ConversionError is returned when parameter is not
>> convertible to its type.
>>
>> https://fedorahosted.org/freeipa/ticket/5381
>> https://fedorahosted.org/freeipa/ticket/4739
>> ---
>>  ipatests/test_xmlrpc/test_cert_plugin.py | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
>> index 1a6168da29393eb041273da3bbfa845858cdaf72..8127ef224b24a0b3a63c3d07ef72d4b53feda4be 100644
>> --- a/ipatests/test_xmlrpc/test_cert_plugin.py
>> +++ b/ipatests/test_xmlrpc/test_cert_plugin.py
>> @@ -429,8 +429,9 @@ class test_cert_find(XMLRPC_test):
>>          """
>>          Search with a sizelimit of 0
>>          """
>> +        count_all = api.Command['cert_find']()['count']
>>          res = api.Command['cert_find'](sizelimit=0)
>> -        assert 'count' in res and res['count'] == 0
>> +        assert 'count' in res and res['count'] == count_all
>>  
>>      @raises(errors.ValidationError)
>>      def test_0028_find_negative_size(self):
>> @@ -453,7 +454,7 @@ class test_cert_find(XMLRPC_test):
>>          res = api.Command['cert_find'](subject=u'ipatestcert.%s' % api.env.domain)
>>          assert 'count' in res and res['count'] >= 1
>>  
>> -    @raises(errors.ValidationError)
>> +    @raises(errors.ConversionError)
>>      def test_0031_search_on_invalid_date(self):
>>          """
>>          Search using invalid date format
>> -- 
>> 2.7.4
> ACK
>
Pushed to master: 573819eb07ea67311004850b7726f3368bacb49b

From pvoborni at redhat.com Wed Jun 29 13:07:35 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 29 Jun 2016 15:07:35 +0200
Subject: [Freeipa-devel] [PATCH 661] backup: use in-server API in ipa-backup and ipa-restore
In-Reply-To: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>
References: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>
Message-ID: 

On 06/29/2016 02:54 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .
>
> Honza
>

Milan, could you run backup test suite with this patch? I've a feeling
that something else there might be also broken.

-- 
Petr Vobornik

From mkubik at redhat.com Wed Jun 29 13:09:47 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Wed, 29 Jun 2016 15:09:47 +0200
Subject: [Freeipa-devel] [PATCH 661] backup: use in-server API in ipa-backup and ipa-restore
In-Reply-To: 
References: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>
Message-ID: 

On 06/29/2016 03:07 PM, Petr Vobornik wrote:
> On 06/29/2016 02:54 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>>
>> Honza
>>
> Milan, could you run backup test suite with this patch? I've a feeling
> that something else there might be also broken.

Will do.

-- 
Milan Kubik

From pvoborni at redhat.com Wed Jun 29 13:42:36 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Jun 2016 15:42:36 +0200 Subject: [Freeipa-devel] [PATCH] 0018-0030, 52 webui: add support for more certificates In-Reply-To: <83f3f3a3-4521-1663-26e5-735060970b3a@redhat.com> References: <571F520B.2000501@redhat.com> <571F58E7.1070703@redhat.com> <571F79E2.2000106@redhat.com> <83f3f3a3-4521-1663-26e5-735060970b3a@redhat.com> Message-ID: <826bd856-c8da-4ab6-adae-8a00c9a97170@redhat.com> On 06/27/2016 02:55 PM, Pavel Vomacka wrote: >>>>>>>> >>>>> Great stuff, couple comments below. >>>>> >>>>> We can discuss some items in person. Not everything needs to be done. >>>>> >>>>> I didn't run it, just reading the code. >>>>> >>>>> Patch 0018: >>>>> snip >> >> It calls ,render on custom actions object. But this method is not part >> of the interface: >> + custom_actions.render(); >> >> IMHO it should be called internally in the widget as a result of >> set_items or disable_item, enable_item call. > Fixed. ACK >>>>> Patch 0019: >>>>> >>>>> 1. Shouldn't disable_item or enable_item automatically rerender the >>>>> items? >> Same for set and get_items. As mentioned above. >> >> The render code in disable/enable_item should be executed only if >> this.ul_node exists. >> > Fixed. ACK snip >>>>> >>>>> Patch 0020: >>>>> >>>>> 1. Working widgets inherits from IPA.widget so why do you redefine >>>>> 'name', 'facet', 'entity' >>>>> >>>>> 2. why to you introduce 'base_cls' and 'other_cls' when there are >>>>> 'base_css_class' and 'css_class'? >>>>> >>>>> 3. typo in comment 'opaciti' >>>>> >>>>> 4. We can ignore IE < 9, I'm not sure if you avoid using some features >>>>> because of IE9. >>>>> >>>>> 5. _normalize_bg_color_css could be moved to util.js But I wonder >>>>> if we >>>>> need it. rgba is supported in 95% of browsers and definitely in all >>>>> supported by IPA (chrome, firefox). 
>> Patch 0020-2: ACK >> >>>>> Patch 0021: >>>>> snip >> OK, if addressed later then ACK for 0021-2 which is the same as 0021 >> >>>>> Patch 0022: >>>>> >>>>> 1. Leftover line: >>>>> var sn = record[i].serial_number; >> 0022-2: ACK >> >>>>> Patch 0023: snip >> 1. table mixin has prepared space for doc text but nothing is there >> 2. while at it(otherwise don't bother), remove empty line at the end of >> create_cell, create_row, create_header_cell >> >> 3. When I see a content of create_content on certificate.js:316, >> following is repeated many times, it can be changed into a reusable >> function. >> >> row = that.create_row().appendTo(table_layout); >> row.append(that >> .create_header_cell('@i18n:objects.cert.organizational_unit', ':')); >> row.append(that.create_cell(that.subject.ou, '', >> 'break-words')); >> >> create_cert_row(header, value).appendTo(table_layout); >> >> But I don't insist on this change. > Changed. ACK >> >>>>> Patch 0024: >>>>> >>>>> Will require changes described in patch 21(rpc). >>>>> >>>>> 1. should the methods have rather params: serial_number and >>>>> revocation_reason, instead of certificate(maybe ok) and dialog(not >>>>> ok)? >>>>> That way it would be more general/reusable. >> 1. buttons.restore should not be removed, it is still used on >> stageuser.js:309: label: '@i18n:buttons.restore', > The label is returned back. ACK >> >>>>> Patch 0025: ACK >> Why the new revision newly doesn't remove IPA.cert.view_action and >> IPA.cert.get_action implementation ? > I accidentally removed it. Returned back in new revision. ACK >> >>>>> Patch 0026: >>>>> >>>>> 1. Add link use exactly the same code as in multivalued_widget. The >>>>> code >>>>> should be moved to method: create_add_link(container) and then reused. >>>>> new_row would be overridedn and it would call open_addcert_dialog or >>>>> open_addcert_dialog renamed to new_row. >>>>> >>>>> 2. it can have a spec default: >>>>> spec.dropdown_menu = spec.dropdown_menu !== undefined ? 
true : >>>>> spec.dropdown_menu; >>>>> >>>>> And then it doesn't have to be defined in patches 28, 29, 30. >> 1. why is there a custom certs_field with: >> spec.adapter = spec.field_adapter || {}; >> >> field_adapter was supposed to be used only in section. In field IMHO, >> you can use 'adapter' spec property directly. We can use >> f.register('certs', field.field); >> >> Or am I missing something? > No, you are not. Changed from field_adapter to adapter. >> ACK, but please mention additional changes in mail, it's sort of surprise to see load_revocation_reason removed. >> 0027-4: ACK >> >> 0028-3: ACK > Because of change above there is a new revision of patch 0028. 0028-4: ACK >> >> >> Patch 0029-3 and 0030-3: >> >> If 0028 makes IPA.host.has_password_evaluator reusable, then it might be >> good to rename it/move so that it is not called "host". >> >> And then IPA.service.has_keytab_evaluator needs to be removed. >> > I guess that you meant IPA.host.has_keytab_evaluator in first sentence > too. So I hope that this is fixed. >> >>>> >>> I moved big part of certs_widget code to more general >>> custom_command_multivalued_widget. This change will be useful in future. >>> 0029-4 ACK 0030-4 ACK >>> Updated patches attached. It would be nice to apply patch 57 between >>> patches 25 >>> and 26, but it should be possible to apply it on the top. >> Patch 52-2: ACK >> >> Patch 57: ACK >> >> 1. I wonder if `entity: that.facet.entity.name` in create_add_command >> will be future-proof, but that can be improved later. > I'm not sure why it is not future-proof. We can discuss it later. >> >> >> In general: I don't like the fact that cert-find commands takes at least >> 1.2s which makes loading of user,host,service details page 6x slower >> than before. From access log, it seems it(or dogtag) does too many >> unnecessary things. > Yes that's true, I'm adding jcholast to CC, I think that he should know > about it. > Updated patches attached. 
>
So all is ACKed

master:
* e3e83272c9ffaf2a09f910e754c4a0421c816fd0 Add support for custom menu in multivalued widget
* f243bd2d6564dd35ab5d506578f5d1d2ccb99b2f Extends functionality of DropdownWidget
* 3d61aca6237852908e0857f9e28ed9c7243b7a3e Add working widget
* 044d3c25de6806b68b1f1627863873ecb1a87957 Add ability to turn off activity icon
* e7a55ef30b252a616f50c58f99a538e9b090037c Add Object adapter
* 06a9a84876345135acac933aca9ada235651997e Refactored certificate view and remove hold dialog
* 260a00b81ff10dbe05d35741febfffde2e4ef1dc Changed the way how to handle remove hold and revoke actions
* 3056f349b94eb99deb665937a61204e0bfea6b78 Remove old useless actions - get and view
* 6d3622c600a82f889e77809c982d996974335e62 Add widget for showing multiple certificates
* 55a0baf1c32e1c472efe2ce81870e05abccb5a4a Add certificate widget
* 0b72571c5ab36dc0a2d93ded9a10a1b7b08d552e Add new certificates widget to the user details page
* 79ec965a967ee561fe3ad1363a64fbb06702e358 Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
* 82e69e430009d8b47e45dadd6895af1d71ecd1dd Add new certificates widget to the service details page
* 2f048224d2509cddf07532f9703aa88f4eebc9b8 Updated certificates table
* d7898ac2eb3b9d7b0e24579c9d8ea2f541f55268 Add new custom command multivalued widget

-- 
Petr Vobornik

From slaznick at redhat.com Wed Jun 29 13:52:32 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 29 Jun 2016 15:52:32 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> Message-ID: On 06/24/2016 03:14 PM, Martin Basti wrote: > > > On 24.06.2016 15:11, Sumit Bose wrote: >> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >>> https://fedorahosted.org/freeipa/ticket/433 >> The patch works for me as expected, but the API.txt update is missing in >> the patch. >> >> bye, >> Sumit > > There are no updated managed permissions for krbprincipalauthind > attribute in hosts.py, is this omitted on purpose? > Martin^2 > The attached patch adds them should these be required. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0054-Added-permissions-for-auth.-indicators-read-modify.patch Type: text/x-patch Size: 3038 bytes Desc: not available URL: From mbasti at redhat.com Wed Jun 29 13:53:16 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Wed, 29 Jun 2016 15:53:16 +0200
Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
In-Reply-To: 
References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com>
Message-ID: <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com>

On 29.06.2016 15:52, Stanislav Laznicka wrote:
> On 06/24/2016 03:14 PM, Martin Basti wrote:
>>
>>
>> On 24.06.2016 15:11, Sumit Bose wrote:
>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>>>> https://fedorahosted.org/freeipa/ticket/433
>>> The patch works for me as expected, but the API.txt update is
>>> missing in
>>> the patch.
>>>
>>> bye,
>>> Sumit
>>
>> There are no updated managed permissions for krbprincipalauthind
>> attribute in hosts.py, is this omitted on purpose?
>> Martin^2
>>
> The attached patch adds them should these be required.
>
>

Then we also need a patch for services.py, because there are missing ACIs too

Martin^2

From slaznick at redhat.com Wed Jun 29 14:02:52 2016
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 29 Jun 2016 16:02:52 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> Message-ID: <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> On 06/29/2016 03:53 PM, Martin Basti wrote: > > > On 29.06.2016 15:52, Stanislav Laznicka wrote: >> On 06/24/2016 03:14 PM, Martin Basti wrote: >>> >>> >>> On 24.06.2016 15:11, Sumit Bose wrote: >>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >>>>> https://fedorahosted.org/freeipa/ticket/433 >>>> The patch works for me as expected, but the API.txt update is >>>> missing in >>>> the patch. >>>> >>>> bye, >>>> Sumit >>> >>> There are no updated managed permissions for krbprincipalauthind >>> attribute in hosts.py, is this omitted on purpose? >>> Martin^2 >>> >> The attached patch adds them should these be required. >> >> > > Then we also needs patch for services.py, because there are missing > ACIs too > > Martin^2 It was already included but let me separate it in two patches, then. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0054-2-host-Added-permissions-for-auth.-indicators-read-mod.patch Type: text/x-patch Size: 1742 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0055-service-Added-permissions-for-auth.-indicators-read-.patch Type: text/x-patch Size: 1692 bytes Desc: not available URL: From mbabinsk at redhat.com Wed Jun 29 14:29:06 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 29 Jun 2016 16:29:06 +0200
Subject: [Freeipa-devel] Kerberos Principal Aliases Testplan review
Message-ID: <2ea79a2a-3036-cede-8fde-a9306eccc328@redhat.com>

Hi,

I have looked at the testplan[1] and have the following comments:

In general LGTM, but I miss the following test scenarios:

1.) Test principal alias removal, more specifically test that the removal of the alias equivalent to the canonical name triggers an error

2.) Test that you cannot create an enterprise principal alias whose suffix overlaps with trusted domains UPN[2]. You do not need trust for this, just a domain entry in LDAP, see `test_xmlrpc/test_range_plugin.py` and MockLDAP class for hints. Basically you should get an error when adding principal alias such as 'user\@trusted.domain.upn@REALM' regardless of the case of 'trusted.domain.upn'.

3.) test that when adding alias to an entry lacking 'krbcanonicalname' (e.g. old entry from upgrade), the existing value of 'krbprincipalname' is copied to the attribute

That is all I can currently think of off the top of my head.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases/Test_Plan
[2] http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains

-- 
Martin^3 Babinsky

From mbasti at redhat.com Wed Jun 29 14:32:37 2016
From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Jun 2016 16:32:37 +0200 Subject: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode In-Reply-To: <4239c1e6-349e-acdc-0df8-31a0ac09b689@redhat.com> References: <48520b8f-f312-08a8-a6a5-90709953d46e@redhat.com> <471d80f7-d9bd-4204-c455-adf8bb919555@redhat.com> <57713048.6020201@redhat.com> <22be7ada-62af-2017-c479-caabb598d572@redhat.com> <57718A07.8000708@redhat.com> <679fc870-a4ac-b227-5ce3-6a3a0e95cee1@redhat.com> <64bcbda3-e921-e6bc-2af8-33c219b0a3b6@redhat.com> <4239c1e6-349e-acdc-0df8-31a0ac09b689@redhat.com> Message-ID: <4166a6ec-6342-0f6f-c943-b26b2ceea595@redhat.com> On 29.06.2016 13:04, Martin Basti wrote: > > > On 28.06.2016 16:57, Florence Blanc-Renaud wrote: >> On 06/28/2016 11:05 AM, Martin Basti wrote: >>> >>> >>> On 28.06.2016 10:51, Florence Blanc-Renaud wrote: >>>> On 06/27/2016 10:18 PM, Rob Crittenden wrote: >>>>> Florence Blanc-Renaud wrote: >>>>>> Hi all, >>>>>> >>>>>> thanks for your suggestions. Updated patch attached. >>>>>> Flo. >>>>>> >>>>> >>>>> The invocation in ipactl should say server, not client. >>>>> >>>>> Otherwise LGTM (untested). >>>>> >>>>> rob >>>> >>>> Hi all, >>>> >>>> thanks to Rob for catching the typo. >>>> Patch with updated message is attached, >>>> Flo. >>>> >>>> >>> >>> Thank you for the patch I have two comments: >>> >>> 1) >>> + except Exception: >>> + # Consider that the host is not fips-enabled if the file does >>> not exist >>> + pass >>> >>> exceptions should be as much specific as possible, otherwise it may >>> mask >>> real issues >>> please use 'except IOError' if you want catch the case that file does >>> not exist >>> >>> 2) >>> in replicainstall.py and install.py please raise exception >>> (RuntimeError) instead of sys.exit() to keep proper logging, >>> cleanup, etc. >>> >>> Sys.exit() should not be used in modules, it is hard to debug etc. It >>> can be used only in scripts (ipa-client-install, ipa-replica-manage, >>> etc..) 
>>>
>>> Martin^2
>>
>> Hi,
>>
>> hopefully converging with this updated patch :)
>> Thanks for all the comments, I'm learning tips with each iteration.
>>
>> Flo.
>>
> I propose following changes (in attached patch). If you agree I can
> squash patches and push it.
>
> Martin^2
>
>

ACK

pushed to master:
* 3c40d3aa9e3d431be1e625aa91cdcbeffd0d1271 Do not allow installation in FIPS mode

ipa-4-3:
* 4ce0ff61a8e46de4a2f2dfca41610323f9569d8a Do not allow installation in FIPS mode

From pvoborni at redhat.com Wed Jun 29 14:34:30 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 29 Jun 2016 16:34:30 +0200
Subject: [Freeipa-devel] [PATCH] 0061: webui: Add support for 'dns_update_system_records' command
In-Reply-To: <9a2c5b78-c6bb-1f4d-8ea9-076bda703c3a@redhat.com>
References: <4ee39dd9-5d33-1e68-c311-8c70b6f6742c@redhat.com> <6f795abb-c2d2-0ac3-26f0-733d777eb9aa@redhat.com> <7adf7c4a-8767-1ed2-361d-320f4f05c2be@redhat.com> <9a2c5b78-c6bb-1f4d-8ea9-076bda703c3a@redhat.com>
Message-ID: <4e946117-97dc-977a-b6da-f49bfa8eabf7@redhat.com>

On 06/28/2016 05:50 PM, Petr Vobornik wrote:
> On 06/28/2016 05:38 PM, Pavel Vomacka wrote:
>>
>
> ACK
>

master:
* 31a13c9e9849eca794aa7908bc252185c4b36678 Add button for dns_update_system_records command

-- 
Petr Vobornik

From slaznick at redhat.com Wed Jun 29 14:40:21 2016
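An added example, not code from Flo's FIPS-mode patch or from FreeIPA, showing the two review points raised in the FIPS thread above side by side: the over-broad `except Exception: pass` next to a check that only treats a missing flag file as "not FIPS-enabled", and a RuntimeError in place of sys.exit() so that an installer module's logging and cleanup still run. The kernel flag path /proc/sys/crypto/fips_enabled and all function names are assumptions; the inputs are constructed temporary files.

```python
"""Added example (not FreeIPA code): FIPS-mode detection as reviewed above.

The lenient variant reproduces the shape the reviewer objected to: any error
at all (permission denied, unparsable content, ...) is silently turned into
"FIPS is off", which is the wrong default for an installer that must refuse
to run in FIPS mode.  The hardened variant catches only the missing-file case
and lets everything else surface, and the caller raises an exception instead
of calling sys.exit().
"""
import errno
import os
import tempfile

# Assumption: the kernel's FIPS flag on Linux; not taken from the patch.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


def is_fips_enabled_lenient(path=FIPS_FLAG_PATH):
    """The pattern criticised in review: every exception is swallowed."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except Exception:
        # Consider that the host is not fips-enabled if the file does not exist
        # ...but this also hides EACCES, bad content, etc.
        pass
    return False


def is_fips_enabled(path=FIPS_FLAG_PATH):
    """Hardened form: only a missing flag file means 'not enabled'."""
    try:
        with open(path) as f:
            content = f.read().strip()
    except IOError as e:
        if e.errno == errno.ENOENT:
            return False          # no flag file at all: not a FIPS kernel
        raise                     # EACCES and friends are real problems
    if content not in ("0", "1"):
        # A flag file we cannot interpret is an error, not "FIPS off".
        raise ValueError("unexpected content in %s: %r" % (path, content))
    return content == "1"


def check_installation_allowed(path=FIPS_FLAG_PATH):
    """Module-level guard: raise RuntimeError rather than sys.exit(), so the
    installer's normal error logging and cleanup still happen."""
    if is_fips_enabled(path):
        raise RuntimeError("Installation in FIPS mode is not supported")


def write_constructed_flag(content):
    """Constructed input: write a fake flag file and return its path."""
    fd, path = tempfile.mkstemp(prefix="fips_flag_")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    bad = write_constructed_flag("garbage")
    print("lenient on garbage:", is_fips_enabled_lenient(bad))   # False, silently
    try:
        is_fips_enabled(bad)
    except ValueError as e:
        print("hardened on garbage:", e)
    try:
        check_installation_allowed(write_constructed_flag("1\n"))
    except RuntimeError as e:
        print("installer guard:", e)
```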
From: slaznick at redhat.com (Stanislav Laznicka) Date: Wed, 29 Jun 2016 16:40:21 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> Message-ID: <469399a4-2d19-8d12-fd92-6ce95fa7a2c6@redhat.com> On 06/29/2016 04:02 PM, Stanislav Laznicka wrote: > On 06/29/2016 03:53 PM, Martin Basti wrote: >> >> >> On 29.06.2016 15:52, Stanislav Laznicka wrote: >>> On 06/24/2016 03:14 PM, Martin Basti wrote: >>>> >>>> >>>> On 24.06.2016 15:11, Sumit Bose wrote: >>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote: >>>>>> https://fedorahosted.org/freeipa/ticket/433 >>>>> The patch works for me as expected, but the API.txt update is >>>>> missing in >>>>> the patch. >>>>> >>>>> bye, >>>>> Sumit >>>> >>>> There are no updated managed permissions for krbprincipalauthind >>>> attribute in hosts.py, is this omitted on purpose? >>>> Martin^2 >>>> >>> The attached patch adds them should these be required. >>> >>> >> >> Then we also needs patch for services.py, because there are missing >> ACIs too >> >> Martin^2 > > It was already included but let me separate it in two patches, then. > > Good catch from Petr Vobornik - the rebuilt ACI.txt should also be included. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-slaznick-0054-3-host-Added-permissions-for-auth.-indicators-read-mod.patch Type: text/x-patch Size: 5114 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-slaznick-0055-2-service-Added-permissions-for-auth.-indicators-read-.patch
Type: text/x-patch
Size: 4209 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Wed Jun 29 14:40:33 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 29 Jun 2016 16:40:33 +0200
Subject: [Freeipa-devel] [PATCH] 0064: webui: simplify confirmation messages in confirmation dialogs
In-Reply-To: <88cd8843-8e38-5c82-5908-ec9cd1f4fcfe@redhat.com>
References: <88cd8843-8e38-5c82-5908-ec9cd1f4fcfe@redhat.com>
Message-ID: <1ae7a09c-96ce-975f-78f0-fba99abccbda@redhat.com>

On 06/27/2016 05:50 PM, Pavel Vomacka wrote:
> Hello,
>
> Please review attached patch which simplifies confirmation messages for
> 'remove cert hold' and 'restore cert' actions.
>

I'd change:
  You can select a reason from the pull-down list.
To:
  Select a reason from the pull-down list.

-- 
Petr Vobornik

From gkaihoro at redhat.com Wed Jun 29 14:43:31 2016
From: gkaihoro at redhat.com (Ganna Kaihorodova)
Date: Wed, 29 Jun 2016 10:43:31 -0400 (EDT)
Subject: [Freeipa-devel] [PATCH 0017][Tests] Fix failing ipatests/test_ipalib/test_errors.py
In-Reply-To: <897924a1-d9d2-2032-e676-e8f58864f184@redhat.com>
References: <897924a1-d9d2-2032-e676-e8f58864f184@redhat.com>
Message-ID: <345585902.8871321.1467211411437.JavaMail.zimbra@redhat.com>

Hello!

ACK

Best regards,
Ganna Kaihorodova
Associate Software Quality Engineer

----- Original Message -----
From: "Lenka Doudova" To: "freeipa-devel" Sent: Monday, June 20, 2016 10:35:50 AM Subject: [Freeipa-devel] [PATCH 0017][Tests] Fix failing ipatests/test_ipalib/test_errors.py Hi, attaching patch to fix failing test in ipatests/test_ipalib/test_errors.py. Failures were caused by comparing unicode and non-unicode strings, hence I modified responsible non-unicode strings to unicode. Lenka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From mbasti at redhat.com Wed Jun 29 14:45:34 2016 From: mbasti at redhat.com (Martin Basti) Date: Wed, 29 Jun 2016 16:45:34 +0200 Subject: [Freeipa-devel] [PATCH 0017][Tests] Fix failing ipatests/test_ipalib/test_errors.py In-Reply-To: <345585902.8871321.1467211411437.JavaMail.zimbra@redhat.com> References: <897924a1-d9d2-2032-e676-e8f58864f184@redhat.com> <345585902.8871321.1467211411437.JavaMail.zimbra@redhat.com> Message-ID: <2ff1abe9-ac5c-8264-3a7f-b8f7fb56a47d@redhat.com> On 29.06.2016 16:43, Ganna Kaihorodova wrote: > Hello! > > ACK > > Best regards, > Ganna Kaihorodova > Associate Software Quality Engineer > > > ----- Original Message ----- > From: "Lenka Doudova" > To: "freeipa-devel" > Sent: Monday, June 20, 2016 10:35:50 AM > Subject: [Freeipa-devel] [PATCH 0017][Tests] Fix failing ipatests/test_ipalib/test_errors.py > > Hi, > > attaching patch to fix failing test in > ipatests/test_ipalib/test_errors.py. Failures were caused by comparing > unicode and non-unicode strings, hence I modified responsible > non-unicode strings to unicode. > > > Lenka > > Pushed to master: f37c3af0db225538157f899d04a041af5addfa01 From pvoborni at redhat.com Wed Jun 29 14:46:42 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Jun 2016 16:46:42 +0200 Subject: [Freeipa-devel] [PATCH] 0058 WebUI: certificate widget on ID override user page In-Reply-To: References: <8d5edba0-0b80-8ccf-6d71-13f977c4b94b@redhat.com> <60dc6971-d853-ad03-0272-77077dd251a6@redhat.com> Message-ID: <133705ae-34d6-1e1c-c9fc-224af9578a0f@redhat.com> On 06/27/2016 04:34 PM, Pavel Vomacka wrote: > > > On 06/23/2016 04:25 PM, Petr Vobornik wrote: >> On 06/20/2016 06:54 PM, Pavel Vomacka wrote: >>> Hello, >>> >>> please review attached patch. >>> >>> https://fedorahosted.org/freeipa/ticket/5926 >>> >> 1. I'm not sure whether to include the certificate field in the adder >> dialog. But if so then it is not good that it accepts different output >> then a cert widget. The difference is that cert widget is able to work >> also with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" >> values. > Oh, you are right, I forgot to add custom widget which handles that. > Fixed now. >> >> Otherwise it works good. >> >> If we decided not to fix 1. in this patch then ACK. >> >> Push should wait on the other cert patches. >> > Updated patch attached. > ACK master: * aaf65e9c56c75d78d1c1f7dcefdb52dd3ddc419a Add certificate widget to ID override user details page. -- Petr Vobornik From jcholast at redhat.com Wed Jun 29 14:53:05 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Wed, 29 Jun 2016 16:53:05 +0200
Subject: [Freeipa-devel] [PATCHES 662-665] session: do not initialize session manager on import
Message-ID: 

Hi,

the attached patches fix .

Honza

-- 
Jan Cholasta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-662-session-move-the-session-module-from-ipalib-to-ipase.patch
Type: text/x-patch
Size: 106072 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-663-session-do-not-initialize-session-manager-on-import.patch
Type: text/x-patch
Size: 5344 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-664-xmlserver-initialize-RPC-server-plugins-only-in-serv.patch
Type: text/x-patch
Size: 1191 bytes
Desc: not available
URL: 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-665-makeaci-makeapi-oddjob-use-the-default-API-context.patch
Type: text/x-patch
Size: 2010 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Wed Jun 29 15:42:59 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 29 Jun 2016 17:42:59 +0200
Subject: [Freeipa-devel] [PATCH] 0062, 63: webui: Add button for 'server-del' command
In-Reply-To: <0836f330-b7fb-a541-d13a-8ea9b4711021@redhat.com>
References: <0836f330-b7fb-a541-d13a-8ea9b4711021@redhat.com>
Message-ID: <5b64fa15-ba16-3f2f-9461-d95033ea0a8c@redhat.com>

On 06/24/2016 12:40 PM, Pavel Vomacka wrote:
> Hello,
>
> please review attached patches, they add 'Delete Server' button.
>

1. there is a whitespace warning while applying patch 63.

2. It breaks expectation of no_init. Instead of

  var that = IPA.details_facet(spec);

Use

  var that = IPA.details_facet(spec, no_init);

Then rename:

  that.init_facet = function() {

to

  that.init_servers_facet = function() {

Add there at beginning:

  that.init_details_facet

3. IPA.action and IPA.delete_action have the functionality of server_delete_action built-in, including redirection to server search page which is missing in this patch.

Updated patch with the issues fixed is attached. I did not test final version of the patch because my testing env. died.

-- 
Petr Vobornik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0063-2-Add-button-for-server-del-command.patch
Type: text/x-patch
Size: 5257 bytes
Desc: not available
URL: 

From pspacek at redhat.com Wed Jun 29 15:46:44 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 17:46:44 +0200
Subject: [Freeipa-devel] [PATCH 660] replica install: don't allow install against a newer server
In-Reply-To: <65420217-632b-a9ab-bab0-b627b5f8d4c8@redhat.com>
References: <65420217-632b-a9ab-bab0-b627b5f8d4c8@redhat.com>
Message-ID: <3f0c4f71-2045-8bfa-a7d6-d6a9bd7a7a53@redhat.com>

On 29.6.2016 14:25, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .

ACK

-- 
Petr^2 Spacek

From gkaihoro at redhat.com Wed Jun 29 15:51:53 2016
From: gkaihoro at redhat.com (Ganna Kaihorodova) Date: Wed, 29 Jun 2016 11:51:53 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0018][Tests] Fix some of the failing tests in test_ipalib/test_frontend.py In-Reply-To: <84901af3-4f60-b145-41f0-9558bbbb1e48@redhat.com> References: <84901af3-4f60-b145-41f0-9558bbbb1e48@redhat.com> Message-ID: <1412334976.8937184.1467215513195.JavaMail.zimbra@redhat.com> Hello! ACK Best regards, Ganna Kaihorodova Associate Software Quality Engineer ----- Original Message ----- From: "Lenka Doudova" To: "freeipa-devel" Sent: Tuesday, June 21, 2016 10:21:44 AM Subject: [Freeipa-devel] [PATCH 0018][Tests] Fix some of the failing tests in test_ipalib/test_frontend.py Hi, attaching patch with fix for a few failing tests in ipatests/test_ipalib/test_frontend.py. Lenka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From gkaihoro at redhat.com Wed Jun 29 15:52:28 2016 From: gkaihoro at redhat.com (Ganna Kaihorodova) Date: Wed, 29 Jun 2016 11:52:28 -0400 (EDT) Subject: [Freeipa-devel] [PATCH 0023][Tests] Fix frontend tests - #5987 In-Reply-To: <2e56ec52-1831-dc0d-bde4-6635321b9236@redhat.com> References: <2e56ec52-1831-dc0d-bde4-6635321b9236@redhat.com> Message-ID: <501149030.8937392.1467215548568.JavaMail.zimbra@redhat.com> Hello! ACK Best regards, Ganna Kaihorodova Associate Software Quality Engineer ----- Original Message ----- 
From: "Lenka Doudova"
To: "freeipa-devel"
Sent: Tuesday, June 28, 2016 6:34:33 AM
Subject: [Freeipa-devel] [PATCH 0023][Tests] Fix frontend tests - #5987

Hi,

I've made a patch to fix https://fedorahosted.org/freeipa/ticket/5987. Please note that this patch must be applied on top of my patch no. 0018, which provides other fixes on the same file (and same test).

Lenka

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

From ldoudova at redhat.com Wed Jun 29 16:27:11 2016
From: ldoudova at redhat.com (Lenka Doudova)
Date: Wed, 29 Jun 2016 18:27:11 +0200
Subject: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file
Message-ID: <1c1eeea2-19f9-b4e6-bc56-204fdb888b18@redhat.com>

Hi all,

a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py produces an incorrect /etc/hosts file (solitary IPv6 address), and currently the parser is not able to resolve the issue, causing ipa-server-install to fail with a 'list index out of range' error.

Hence I'm attaching a patch to fix this issue before the parser is fixed (related ticket #6014). The fix is just a change of the regexes responsible for creating the incorrect file, so that all the lines containing the defined hostname are removed, not just specific IP/hostname/shortname strings.

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0024-Tests-Fix-integration-tests-not-to-produce-incorrect.patch
Type: text/x-patch
Size: 1662 bytes
Desc: not available
URL: 

From pvoborni at redhat.com Wed Jun 29 16:38:23 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Wed, 29 Jun 2016 18:38:23 +0200 Subject: [Freeipa-devel] [PATCH] 0065, 66: webui: authentication indicators on host page In-Reply-To: <9eaa5115-38a3-a52f-8f7a-3130edd54428@redhat.com> References: <9eaa5115-38a3-a52f-8f7a-3130edd54428@redhat.com> Message-ID: On 06/28/2016 04:32 PM, Pavel Vomacka wrote: > Hello, > > please review attached patches. I moved strings used by authentication > indicators widget to another dict so the second patch changes strings in > custom_checkbox widget on service page. > > https://fedorahosted.org/freeipa/ticket/5872 > ACK push should wait on server side. -- Petr Vobornik From ofayans at redhat.com Wed Jun 29 16:39:40 2016 
From: ofayans at redhat.com (Oleg Fayans) Date: Wed, 29 Jun 2016 18:39:40 +0200 Subject: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file In-Reply-To: <1c1eeea2-19f9-b4e6-bc56-204fdb888b18@redhat.com> References: <1c1eeea2-19f9-b4e6-bc56-204fdb888b18@redhat.com> Message-ID: <5773F9CC.9070902@redhat.com> In fact, I believe /etc/hosts file should not be touched at all. Hostname resolution is usually governed by the DNS system of the lab in which tests are running. We do not modify it when perform tests manually, so I'd rather remove this method at all. On 06/29/2016 06:27 PM, Lenka Doudova wrote: > Hi all, > > a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py > produces incorrect /etc/hosts file (solitary IPv6 address), and > currently parser is not able to resolve the issue, causing > ipa-server-install to fail with 'list index out of range' error. > > Hence I'm attaching patch to fix this issue before parser is fixed > (related ticket to it #6014). The fix is just change of regexs > responsible for creating incorrect file so that all the lines containing > defined hostname are removed, not just specific IP/hostname/shortname > strings. > > > Lenka > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From ldoudova at redhat.com Wed Jun 29 16:48:16 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Wed, 29 Jun 2016 18:48:16 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> Message-ID: On 06/27/2016 11:05 AM, Lenka Doudova wrote: > > > On 06/27/2016 10:33 AM, Martin Babinsky wrote: >> On 06/27/2016 10:28 AM, Petr Spacek wrote: >>> On 27.6.2016 10:26, Petr Spacek wrote: >>>> On 27.6.2016 10:18, Martin Babinsky wrote: >>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>>>> Hi! >>>>>>> >>>>>>> With newly created AD machines in Brno lab, existing trust tests >>>>>>> fail on >>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already >>>>>>> present, >>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>>>>> >>>>>>> To prevent these failures I prepared attached patch, that will >>>>>>> still >>>>>>> attempt to add the forward zone, but in case of non-zero return >>>>>>> code >>>>>>> will check the message if it says that the forward zone is already >>>>>>> configured, and lets the tests continue, if it is so. >>>>>>> >>>>>>> >>>>>>> Lenka >>>>>>> >>>>>> >>>>>> >>>>>> Current approach expects that every error of ipa dnsforward-add here >>>>>> will mean that the zone exists. So it might hide other issues - >>>>>> not very >>>>>> good. >>>>>> >>>>>> On the other hand it is not very robust to parse error message. >>>>>> >>>>>> Question for general audience: What do you think if IPA client's >>>>>> exit >>>>>> status would be the IPA error code instead of "1" for every >>>>>> error. E.g. >>>>>> in DuplicateEntry case it's 4002. 
>>>>>> >>>>>> Btw, this is not a NACK. >>>>>> >>>>> >>>>> Well AFAIK the exit status on POSIX systems is encoded into a >>>>> single byte so >>>>> you cannot have the return value greater that 255. We would have >>>>> to devise >>>>> some mapping between our XMLRPC status codes and subprocess return >>>>> codes. >>>>> >>>>> Some of our exceptions have defined return values outside plain >>>>> '1', e.g. >>>>> NotFound has return value of 2. It would be possible to extend >>>>> this concept on >>>>> other common errors. >>>> >>>> Even more importantly, the forward zone is completely unnecessary >>>> because DNS >>>> when DNS is set up properly. I would simply remove the >>>> dnsforwardzone-add. >>>> >>> Grr, I meant this: >>> Even more importantly, the forward zone is completely unnecessary >>> when DNS is >>> set up properly. I would simply remove the dnsforwardzone-add. >>> >> +1, our tests should not fiddle with the provisioned environment as >> much as they sometimes do. >> > Well, I have nothing against removing it completely, but left it there > just because with previous AD machines with "wild" domains it was > necessary. > Looking at the code, your suggestion would probably mean to entirely > remove method configure_dns_for_trust from > ipatests/test_integration/tasks.py, right? I'll have to verify this > won't break anything else. > > Lenka > Hi, to get back to this issue: do we really want to have the DNS configuration method removed? I mean, we no longer need it for our CI tests, with new AD VMs it works without it, but should somebody else with different setup run these tests, they could experience failures because their AD domain would not be configured in DNS by default and the test would no longer provide that configuration. It doesn't feel right to delete something we needed before but don't need anymore, in case somebody else is depending on the same configuration. But of course, I'll abide by your counsel. 
In case the call on the DNS configuration method really is removed, should I remove even its definition? It's not used anywhere else, so it would be quite logical.

Thanks,
Lenka

From pspacek at redhat.com Wed Jun 29 16:49:53 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 18:49:53 +0200
Subject: [Freeipa-devel] [PATCH 0024][Tests] Fix integration tests not to produce incorrect /etc/hosts file
In-Reply-To: <5773F9CC.9070902@redhat.com>
References: <1c1eeea2-19f9-b4e6-bc56-204fdb888b18@redhat.com> <5773F9CC.9070902@redhat.com>
Message-ID: 

On 29.6.2016 18:39, Oleg Fayans wrote:
> In fact, I believe /etc/hosts file should not be touched at all.
> Hostname resolution is usually governed by the DNS system of the lab in
> which tests are running. We do not modify it when performing tests
> manually, so I'd rather remove this method at all.

+1, it should not be needed. Let me know if it is needed for some reason and I will have a look.

Petr^2 Spacek

> On 06/29/2016 06:27 PM, Lenka Doudova wrote:
>> Hi all,
>>
>> a function 'fix_etc_hosts' in ipatests/test_integration/tasks.py
>> produces incorrect /etc/hosts file (solitary IPv6 address), and
>> currently parser is not able to resolve the issue, causing
>> ipa-server-install to fail with 'list index out of range' error.
>>
>> Hence I'm attaching patch to fix this issue before parser is fixed
>> (related ticket to it #6014). The fix is just change of regexs
>> responsible for creating incorrect file so that all the lines containing
>> defined hostname are removed, not just specific IP/hostname/shortname
>> strings.
>>
>>
>> Lenka

From pspacek at redhat.com Wed Jun 29 16:51:29 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 18:51:29 +0200
Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures caused by adding duplicate DNS forward zone
In-Reply-To:
References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com>
Message-ID: <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com>

On 29.6.2016 18:48, Lenka Doudova wrote:
>
>
> On 06/27/2016 11:05 AM, Lenka Doudova wrote:
>>
>>
>> On 06/27/2016 10:33 AM, Martin Babinsky wrote:
>>> On 06/27/2016 10:28 AM, Petr Spacek wrote:
>>>> On 27.6.2016 10:26, Petr Spacek wrote:
>>>>> On 27.6.2016 10:18, Martin Babinsky wrote:
>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote:
>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote:
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> With newly created AD machines in Brno lab, existing trust tests fail on 'ipa dnsforwardzone-add' command claiming the zone is already present, as new AD domain is dom-221.idm.lab.eng.brq.redhat.com.
>>>>>>>>
>>>>>>>> To prevent these failures I prepared attached patch, that will still attempt to add the forward zone, but in case of non-zero return code will check the message if it says that the forward zone is already configured, and lets the tests continue, if it is so.
>>>>>>>>
>>>>>>>>
>>>>>>>> Lenka
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Current approach expects that every error of ipa dnsforward-add here will mean that the zone exists. So it might hide other issues - not very good.
>>>>>>>
>>>>>>> On the other hand it is not very robust to parse error message.
>>>>>>>
>>>>>>> Question for general audience: What do you think if IPA client's exit status would be the IPA error code instead of "1" for every error. E.g. in DuplicateEntry case it's 4002.
>>>>>>>
>>>>>>> Btw, this is not a NACK.
>>>>>>>
>>>>>>
>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single byte so you cannot have the return value greater than 255. We would have to devise some mapping between our XMLRPC status codes and subprocess return codes.
>>>>>>
>>>>>> Some of our exceptions have defined return values outside plain '1', e.g. NotFound has return value of 2. It would be possible to extend this concept on other common errors.
>>>>>
>>>>> Even more importantly, the forward zone is completely unnecessary because DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>
>>>> Grr, I meant this:
>>>> Even more importantly, the forward zone is completely unnecessary when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>
>>> +1, our tests should not fiddle with the provisioned environment as much as they sometimes do.
>>>
>> Well, I have nothing against removing it completely, but left it there just because with previous AD machines with "wild" domains it was necessary.
>> Looking at the code, your suggestion would probably mean to entirely remove method configure_dns_for_trust from ipatests/test_integration/tasks.py, right? I'll have to verify this won't break anything else.
>>
>> Lenka
>>
> Hi,
>
> to get back to this issue: do we really want to have the DNS configuration method removed? I mean, we no longer need it for our CI tests, with new AD VMs it works without it, but should somebody else with different setup run these tests, they could experience failures because their AD domain would not be configured in DNS by default and the test would no longer provide that configuration. It doesn't feel right to delete something we needed before but don't need anymore, in case somebody else is depending on the same configuration. But of course, I'll abide by your counsel.
> In case the call on DNS configuration method really is removed, should I remove even its definition? It's not used anywhere else, so it would be quite logical.

Feel free to keep empty method around as a "hook" for other people. The important thing is that it should do nothing by default.

--
Petr^2 Spacek

From mkubik at redhat.com Wed Jun 29 17:06:47 2016
From: mkubik at redhat.com (Milan Kubík)
Date: Wed, 29 Jun 2016 19:06:47 +0200
Subject: [Freeipa-devel] [PATCH 661] backup: use in-server API in ipa-backup and ipa-restore
In-Reply-To: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>
References: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com>
Message-ID: <1d8269b7-0767-9add-4e7d-9eb1916c8fdd@redhat.com>

On 06/29/2016 02:54 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes .
>
> Honza
>
>

The restore works with the patch. ACK.

--
Milan Kubik

From pspacek at redhat.com Wed Jun 29 17:38:40 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 19:38:40 +0200
Subject: [Freeipa-devel] [PATCH 0145] DNS: Reinitialize DNS resolver after changing resolv.con
Message-ID: <9dfc4118-b352-ccab-5bd4-fdc9745c0d2b@redhat.com>

Hello,

DNS: Reinitialize DNS resolver after changing resolv.conf

Previously the installer did not reinitialize resolver so queries for records created using --ip-address option might not be answered. This led to incorrect results during 'Updating DNS system records' phase at the end of installation.

This is kind of hack but right now we do not have enough time to extend python-dns's interface with resolver_reinit() method.

https://fedorahosted.org/freeipa/ticket/5962

--
Petr^2 Spacek

Attachment: freeipa-pspacek-0145-DNS-Reinitialize-DNS-resolver-after-changing-resolv..patch (text/x-patch, 1768 bytes)

From pspacek at redhat.com Wed Jun 29 17:49:39 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Wed, 29 Jun 2016 19:49:39 +0200
Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures caused by adding duplicate DNS forward zone
In-Reply-To:
References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com>
Message-ID:

On 29.6.2016 18:52, Lenka Doudova wrote:
>
>
> On 06/29/2016 06:51 PM, Petr Spacek wrote:
>> On 29.6.2016 18:48, Lenka Doudova wrote:
>>>
>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote:
>>>>
>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote:
>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote:
>>>>>> On 27.6.2016 10:26, Petr Spacek wrote:
>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote:
>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote:
>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote:
>>>>>>>>>> Hi!
>>>>>>>>>>
>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests fail on 'ipa dnsforwardzone-add' command claiming the zone is already present, as new AD domain is dom-221.idm.lab.eng.brq.redhat.com.
>>>>>>>>>>
>>>>>>>>>> To prevent these failures I prepared attached patch, that will still attempt to add the forward zone, but in case of non-zero return code will check the message if it says that the forward zone is already configured, and lets the tests continue, if it is so.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Lenka
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here will mean that the zone exists. So it might hide other issues - not very good.
>>>>>>>>>
>>>>>>>>> On the other hand it is not very robust to parse error message.
>>>>>>>>>
>>>>>>>>> Question for general audience: What do you think if IPA client's exit status would be the IPA error code instead of "1" for every error. E.g. in DuplicateEntry case it's 4002.
>>>>>>>>>
>>>>>>>>> Btw, this is not a NACK.
>>>>>>>>>
>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single byte so you cannot have the return value greater than 255. We would have to devise some mapping between our XMLRPC status codes and subprocess return codes.
>>>>>>>>
>>>>>>>> Some of our exceptions have defined return values outside plain '1', e.g. NotFound has return value of 2. It would be possible to extend this concept on other common errors.
>>>>>>> Even more importantly, the forward zone is completely unnecessary because DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>
>>>>>> Grr, I meant this:
>>>>>> Even more importantly, the forward zone is completely unnecessary when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>
>>>>> +1, our tests should not fiddle with the provisioned environment as much as they sometimes do.
>>>>>
>>>> Well, I have nothing against removing it completely, but left it there just because with previous AD machines with "wild" domains it was necessary.
>>>> Looking at the code, your suggestion would probably mean to entirely remove method configure_dns_for_trust from ipatests/test_integration/tasks.py, right? I'll have to verify this won't break anything else.
>>>>
>>>> Lenka
>>>>
>>> Hi,
>>>
>>> to get back to this issue: do we really want to have the DNS configuration method removed?
>>> I mean, we no longer need it for our CI tests, with new AD VMs it works without it, but should somebody else with different setup run these tests, they could experience failures because their AD domain would not be configured in DNS by default and the test would no longer provide that configuration. It doesn't feel right to delete something we needed before but don't need anymore, in case somebody else is depending on the same configuration. But of course, I'll abide by your counsel.
>>> In case the call on DNS configuration method really is removed, should I remove even its definition? It's not used anywhere else, so it would be quite logical.
>> Feel free to keep empty method around as a "hook" for other people. The important thing is that it should do nothing by default.
>>
> So leave the method call, but erase method contents and let it just pass?

Fine with me. (List re-added.)

--
Petr^2 Spacek

From blipton at redhat.com Wed Jun 29 18:46:57 2016
From: blipton at redhat.com (Ben Lipton)
Date: Wed, 29 Jun 2016 14:46:57 -0400
Subject: [Freeipa-devel] [PATCH] 0001: Silence sshd messages during install
Message-ID:

The attached patch silences some annoying messages I've been getting when upgrading the freeipa-client package on F24:

"""
WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.
Could not load host key: /etc/ssh/ssh_host_dsa_key
"""

Since the script causing the message only looks at the return code from sshd to determine the right options to use, I thought it might be ok to discard the output. What do you think?

Ben

Attachment: freeipa-blipton-0001-Silence-sshd-messages-during-install.patch (text/x-patch, 2427 bytes)

From ftweedal at redhat.com Thu Jun 30 04:29:24 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 30 Jun 2016 14:29:24 +1000
Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported
In-Reply-To: <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com>
References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com>
Message-ID: <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com>

On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud wrote:
> On 06/29/2016 07:25 AM, Fraser Tweedale wrote:
> > The attached patch fixes
> > https://fedorahosted.org/freeipa/ticket/5991.
> >
> > Thanks,
> > Fraser
> >
> >
> >
> Hi Fraser,
>
> A few cosmetic comments:
>
> PEP8 issues:
> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1
> ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters)
> ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters)
>
> and there is a typo in ipaserver/plugins/cert.py
> + doc=_("automatically add the principal if it doesn't exist (service princpals only)"),
>
> should be "princ*i*pals only"
>
> Otherwise LGTM,
> Flo
>

Thanks for review, Flo. Updated patch attached.

Cheers,
Fraser

-------------- next part --------------
From f5e6d032d437904a7fcadecf90ec9b74a0f4348e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 29 Jun 2016 15:02:51 +1000
Subject: [PATCH] cert-request: better error msg when 'add' not supported

cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist". Add a new error type with better error message to explain that 'add' is not supported for host or user principals.

Fixes: https://fedorahosted.org/freeipa/ticket/5991
---
 ipalib/errors.py          |  9 +++++++++
 ipaserver/plugins/cert.py | 20 +++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/ipalib/errors.py b/ipalib/errors.py index 10491a94211648df8bda60f3dbc9e52d19e83d10..70d17d64f53c75aabf7ae99c56bebd136230c7a3 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1396,6 +1396,15 @@ class ServerRemovalError(ExecutionError): errno = 4033 format = _('Server removal aborted: %(reason)s.') +class OperationNotSupportedForPrincipalType(ExecutionError): + """ + **4034** Raised when an operation is not supported for a principal type + """ + + errno = 4034 + format = _( + '%(operation)s is not supported for %(principal_type)s principals') + class BuiltinError(ExecutionError): """ diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 888621fc5af634b95addc9c0ade58c76ce42edfe..9c3b3d2cd5630ce9f05efd2c8c0020ab8af284bd 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -145,6 +145,12 @@ http://www.ietf.org/rfc/rfc5280.txt USER, HOST, SERVICE = range(3) +PRINCIPAL_TYPE_STRING_MAP = { + USER: _('user'), + HOST: _('host'), + SERVICE: _('service'), +} + register = Registry() PKIDATE_FORMAT = '%Y-%m-%d' @@ -385,7 +391,9 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): ), Flag( 'add', - doc=_("automatically add the principal if it doesn't exist"), + doc=_( + "automatically add the principal if it doesn't exist " + "(service principals only)"), ), ) 
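Review bot: in the ipalib/errors.py hunk, the new OperationNotSupportedForPrincipalType format string leaves quoting of the operation name to the caller, and the cert.py hunk that follows passes operation="'add'" with the quotes embedded in the argument; putting the quotes into the format string instead, e.g. `'%(operation)s' is not supported for %(principal_type)s principals`, keeps the punctuation inside the translatable text and spares every future caller from quoting it the same way. The docstring marks the code as **4034**, so please also confirm that 4034 is still the next free number after ServerRemovalError (4033) on the branch this lands on.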
@@ -480,8 +488,14 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): elif principal_type == USER: principal_obj = api.Command['user_show'](principal_name, all=True) except errors.NotFound as e: - if principal_type == SERVICE and add: - principal_obj = api.Command['service_add'](principal_string, force=True) + if add: + if principal_type == SERVICE: + principal_obj = api.Command['service_add']( + principal_string, force=True) + else: + princtype_str = PRINCIPAL_TYPE_STRING_MAP[principal_type] + raise errors.OperationNotSupportedForPrincipalType( + operation="'add'", principal_type=princtype_str) else: raise errors.NotFound( reason=_("The principal for this request doesn't exist.")) -- 2.5.5 From ftweedal at redhat.com Thu Jun 30 04:37:01 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jun 2016 14:37:01 +1000 Subject: [Freeipa-devel] [PATCH] 0083 Fix regression on ipa-4-3 branch Message-ID: <20160630043701.GK4200@dhcp-40-8.bne.redhat.com> The attached patch fixes a regression on the ipa-4-3 branch, caused by commit 3d71c43504ea7837ea14bb9dd4a469c07337293f. Thanks, Fraser -------------- next part -------------- From 4d4c62a2c26affb82a7f2e40f36ad0de66beabf9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Jun 2016 14:30:30 +1000 Subject: [PATCH] Move normalize_hostname to where it is expected Commit 3d71c43504ea7837ea14bb9dd4a469c07337293f broke ipa-client-install by importing normalize_hostname from the wrong module. Move the function. https://fedorahosted.org/freeipa/ticket/5976 --- ipalib/plugins/host.py | 10 +--------- ipalib/util.py | 8 ++++++++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 3fe9c5f9cace71210125371b0aa891490a3dca99..0bb5a535bddfbd3032ab91e410ec6d4fa33f889f 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py 
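Review bot: in the ipaserver/plugins/cert.py hunk at @@ -480,8 +488,14 @@, the new OperationNotSupportedForPrincipalType is raised only inside the `except errors.NotFound` branch, so `add` on a host or user principal that already exists is silently accepted while the same flag on one that does not exist is rejected; if 'add' is meant to be unsupported for those principal types, check `add and principal_type != SERVICE` before the lookup so the outcome does not depend on whether the principal happens to exist, or else state in the Flag doc that the option is a no-op for existing host and user principals.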
@@ -44,7 +44,7 @@ from ipalib import x509 from ipalib import output from ipalib.request import context from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options, - convert_sshpubkey_post, validate_hostname) + convert_sshpubkey_post, validate_hostname, normalize_hostname) from ipapython.ipautil import ipa_generate_password, CheckedIPAddress from ipapython.dnsutil import DNSName from ipapython.ssh import SSHPublicKey @@ -267,14 +267,6 @@ def validate_ipaddr(ugettext, ipaddr): return None -def normalize_hostname(hostname): - """Use common fqdn form without the trailing dot""" - if hostname.endswith(u'.'): - hostname = hostname[:-1] - hostname = hostname.lower() - return hostname - - def _hostname_validator(ugettext, value): try: validate_hostname(value) diff --git a/ipalib/util.py b/ipalib/util.py index 7a991490f76694261deda995ea138f35cf73a1f6..6caf3962d354292834a6ff7bdec424f1df1975e7 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -844,3 +844,11 @@ def detect_dns_zone_realm_type(api, domain): def has_managed_topology(api): domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0) return domainlevel > DOMAIN_LEVEL_0 + + +def normalize_hostname(hostname): + """Use common fqdn form without the trailing dot""" + if hostname.endswith(u'.'): + hostname = hostname[:-1] + hostname = hostname.lower() + return hostname -- 2.5.5 From mbasti at redhat.com Thu Jun 30 07:18:06 2016 
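Review bot: in the ipalib/plugins/host.py import hunk, the continuation line `convert_sshpubkey_post, validate_hostname, normalize_hostname)` is indented to align inside the parentheses and now appears to run past 79 characters, the same E501 complaint raised on patch 0082 earlier in this thread; wrapping the imported names one per line keeps pep8 quiet.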
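Review bot: the commit message says ipa-client-install broke because 3d71c43504ea7837ea14bb9dd4a469c07337293f imported normalize_hostname from the wrong module, but the diff only moves the function into ipalib/util.py and touches no client code, so the fix relies on the client already importing it from ipalib.util; please confirm that is the case and that no remaining caller imports it from ipalib.plugins.host, since the host.py hunk removes the definition there without leaving a re-export.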
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 09:18:06 +0200
Subject: [Freeipa-devel] [PATCH 0545] cert.py: split docstring to multiple ugettext strings
Message-ID:

Make life of translators easier, there was recent change in cert.py docstring, so they have to translate the whole docstring again, so I'm splitting it to multiple parts.

Patch attached

Attachment: freeipa-mbasti-0545-cert.py-split-module-docstring-to-multiple-ugetext-s.patch (text/x-patch, 4224 bytes)

From mbasti at redhat.com Thu Jun 30 07:40:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 09:40:57 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
Message-ID: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com>

https://fedorahosted.org/freeipa/ticket/5757

Patches attached.

Attachment: freeipa-mbasti-0546-Enhance-logger-to-allow-logfiles-with-timestamps.patch (text/x-patch, 1758 bytes)
Attachment: freeipa-mbasti-0547-Use-timestamps-for-ipa-replica-conncheck-with-timest.patch (text/x-patch, 2241 bytes)

From pspacek at redhat.com Thu Jun 30 07:56:36 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 30 Jun 2016 09:56:36 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com>
Message-ID: <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com>

On 30.6.2016 09:40, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5757
>
>
> Patches attached.

I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.

Compare:

201606270954
201606290954
201606300954

with

2016-06-27-09-54
2016-06-29-09-54
2016-06-30-09-54

--
Petr^2 Spacek

From jcholast at redhat.com Thu Jun 30 08:02:20 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 10:02:20 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com>
Message-ID:

On 30.6.2016 09:56, Petr Spacek wrote:
> On 30.6.2016 09:40, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/5757

"The easiest solution would be to add timestamps to logs, or log to different logs from oddjob or from installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log)"

Actually the easiest solution would be not to log into a file when executed from oddjob.

>>
>>
>> Patches attached.
>
> I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.
>
> Compare:
>
> 201606270954
> 201606290954
> 201606300954
>
> with
>
> 2016-06-27-09-54
> 2016-06-29-09-54
> 2016-06-30-09-54
>

--
Jan Cholasta

From pspacek at redhat.com Thu Jun 30 08:06:25 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 30 Jun 2016 10:06:25 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To:
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com>
Message-ID: <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com>

On 30.6.2016 10:02, Jan Cholasta wrote:
> On 30.6.2016 09:56, Petr Spacek wrote:
>> On 30.6.2016 09:40, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5757
>
> "The easiest solution would be to add timestamps to logs, or log to different logs from oddjob or from installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log)"
>
> Actually the easiest solution would be not to log into a file when executed from oddjob.

Well, IPA is hard enough to debug even with logs. I would not make situation even worse by not logging at all :-)

>>> Patches attached.
>>
>> I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.
>>
>> Compare:
>>
>> 201606270954
>> 201606290954
>> 201606300954
>>
>> with
>>
>> 2016-06-27-09-54
>> 2016-06-29-09-54
>> 2016-06-30-09-54

From jcholast at redhat.com Thu Jun 30 08:14:42 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 10:14:42 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com>
Message-ID: <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com>

On 30.6.2016 10:06, Petr Spacek wrote:
> On 30.6.2016 10:02, Jan Cholasta wrote:
>> On 30.6.2016 09:56, Petr Spacek wrote:
>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/5757
>>
>> "The easiest solution would be to add timestamps to logs, or log to different logs from oddjob or from installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log)"
>>
>> Actually the easiest solution would be not to log into a file when executed from oddjob.
>
> Well, IPA is hard enough to debug even with logs. I would not make situation even worse by not logging at all :-)

The command logs into stderr, and both stdout and stderr are sent back to the caller of the oddjob.

Alternatively, it could log into a different file (say /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to fix this bug.

>
>>>> Patches attached.
>>>
>>> I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.
>>>
>>> Compare:
>>>
>>> 201606270954
>>> 201606290954
>>> 201606300954
>>>
>>> with
>>>
>>> 2016-06-27-09-54
>>> 2016-06-29-09-54
>>> 2016-06-30-09-54

--
Jan Cholasta

From pspacek at redhat.com Thu Jun 30 08:12:21 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 30 Jun 2016 10:12:21 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com>
Message-ID:

On 30.6.2016 10:14, Jan Cholasta wrote:
> On 30.6.2016 10:06, Petr Spacek wrote:
>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>
>>> "The easiest solution would be to add timestamps to logs, or log to different logs from oddjob or from installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log)"
>>>
>>> Actually the easiest solution would be not to log into a file when executed from oddjob.
>>
>> Well, IPA is hard enough to debug even with logs. I would not make situation even worse by not logging at all :-)
>
> The commands logs into stderr, and both stdout and stderr are sent back to the caller of the oddjob.
>
> Alternatively, it could log into a different file (say /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to fix this bug.

When we are at it, a custom logger is overkill. IMHO we should log everything to journal and be done with it ...

Petr^2 Spacek

>>>>> Patches attached.
>>>>
>>>> I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.
>>>>
>>>> Compare:
>>>>
>>>> 201606270954
>>>> 201606290954
>>>> 201606300954
>>>>
>>>> with
>>>>
>>>> 2016-06-27-09-54
>>>> 2016-06-29-09-54
>>>> 2016-06-30-09-54

--
Petr^2 Spacek

From slaznick at redhat.com Thu Jun 30 08:13:42 2016
From: slaznick at redhat.com (Stanislav Laznicka)
Date: Thu, 30 Jun 2016 10:13:42 +0200
Subject: [Freeipa-devel] [PATCH 0545] cert.py: split docstring to multiple ugettext strings
In-Reply-To:
References:
Message-ID:

On 06/30/2016 09:18 AM, Martin Basti wrote:
> Make life of translators easier, there was recent change in cert.py docstring, so they have to translate the whole docstring again, so I'm splitting it to multiple parts.
>
>
> Patch attached
>

I'm not sure whether the "See RFC 5280 for more details" should be split from the link. Also, you need to add "\n" at the end of each reason string (you're not using multiline strings there).

From jcholast at redhat.com Thu Jun 30 08:21:33 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 10:21:33 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To:
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com>
Message-ID: <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>

On 30.6.2016 10:12, Petr Spacek wrote:
> On 30.6.2016 10:14, Jan Cholasta wrote:
>> On 30.6.2016 10:06, Petr Spacek wrote:
>>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>>
>>>> "The easiest solution would be to add timestamps to logs, or log to different logs from oddjob or from installer (ipareplica-conncheck.local.log and ipareplica-conncheck.remote.log)"
>>>>
>>>> Actually the easiest solution would be not to log into a file when executed from oddjob.
>>>
>>> Well, IPA is hard enough to debug even with logs. I would not make situation even worse by not logging at all :-)
>>
>> The commands logs into stderr, and both stdout and stderr are sent back to the caller of the oddjob.
>>
>> Alternatively, it could log into a different file (say /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to fix this bug.
>
> When we are at it, a custom logger is overkill. IMHO we should log everything to journal and be done with it ...

It's not, we want to log to at least stderr ourselves. Also, it would be even harder to implement than timestamps, and time is a factor here. It would fit more into .

>
> Petr^2 Spacek
>
>>>>>> Patches attached.
>>>>>
>>>>> I would rather use timestamp format with dashes between numbers to make it easier to read and parse for humans.
>>>>>
>>>>> Compare:
>>>>>
>>>>> 201606270954
>>>>> 201606290954
>>>>> 201606300954
>>>>>
>>>>> with
>>>>>
>>>>> 2016-06-27-09-54
>>>>> 2016-06-29-09-54
>>>>> 2016-06-30-09-54
>
>

--
Jan Cholasta

From frenaud at redhat.com Thu Jun 30 08:24:26 2016
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Thu, 30 Jun 2016 10:24:26 +0200
Subject: [Freeipa-devel] [PATCH] 0009 Do not log error when removing a non-existing file
Message-ID:

Hi,

this patch fixes issue 1) of the following ticket:
Uninstallation complains about missing 'ipa.conf'

Issue 2) is not reproducible on the master, and issue 3) is handled in a separate ticket.

https://fedorahosted.org/freeipa/ticket/6012

Attachment: freeipa-frenaud-0009-Do-not-log-error-when-removing-a-non-existing-file.patch (text/x-patch, 1747 bytes)

From jcholast at redhat.com Thu Jun 30 08:32:19 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 10:32:19 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To:
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com>
Message-ID: <8685c55c-ed6f-b9c5-880d-3e06240f0c0b@redhat.com>

On 29.6.2016 10:21, Jan Cholasta wrote:
> On 29.6.2016 09:22, David Kupka wrote:
>> On 28/04/16 14:45, Jan Cholasta wrote:
>>> Hi,
>>>
>>> I have pushed my thin client WIP branch to GitHub: .
>>>
>>> All commits up to "ipalib: use relative imports for cross-plugin imports" should be good for review. The rest is subject to change (WARNING: I will force push into this branch).
>>>
>>> Honza
>>>
>>
>> Hello!
>>
>> Commit "schema: fix Flag arguments on the client" fixes regression reported in https://fedorahosted.org/freeipa/ticket/6009, ACK.
>
> Thanks, pushed to master: a77e21cbca05be422fe5826857cfba7e0ba6e71f
>
> Attaching the patch for reference.

Martin found a regression caused by this patch. The attached patch should fix it.

--
Jan Cholasta

Attachment: freeipa-jcholast-666-schema-properly-fix-Flag-arguments-on-the-client.patch (text/x-patch, 1175 bytes)

From pvomacka at redhat.com Thu Jun 30 08:39:26 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 30 Jun 2016 10:39:26 +0200
Subject: [Freeipa-devel] [PATCH] 0064: webui: simplify confirmation messages in confirmation dialogs
In-Reply-To: <1ae7a09c-96ce-975f-78f0-fba99abccbda@redhat.com>
References: <88cd8843-8e38-5c82-5908-ec9cd1f4fcfe@redhat.com> <1ae7a09c-96ce-975f-78f0-fba99abccbda@redhat.com>
Message-ID: <41f41086-8255-f130-9e75-4c03a02c159c@redhat.com>

On 06/29/2016 04:40 PM, Petr Vobornik wrote:
> On 06/27/2016 05:50 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> Please review attached patch which simplifies confirmation messages for 'remove cert hold' and 'restore cert' actions.
>>
> I'd change:
> You can select a reason from the pull-down list.
> To:
> Select a reason from the pull-down list.
>

Changed. Updated patch attached.

--
Pavel^3 Vomacka

Attachment: freeipa-pvomacka-0064-2-Simplify-the-confirmation-messages.patch (text/x-patch, 5072 bytes)

From jcholast at redhat.com Thu Jun 30 08:45:55 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 10:45:55 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <8685c55c-ed6f-b9c5-880d-3e06240f0c0b@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <8685c55c-ed6f-b9c5-880d-3e06240f0c0b@redhat.com>
Message-ID:

On 30.6.2016 10:32, Jan Cholasta wrote:
> On 29.6.2016 10:21, Jan Cholasta wrote:
>> On 29.6.2016 09:22, David Kupka wrote:
>>> On 28/04/16 14:45, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> I have pushed my thin client WIP branch to GitHub:
>>>> .
>>>>
>>>> All commits up to "ipalib: use relative imports for cross-plugin
>>>> imports" should be good for review. The rest is subject to change
>>>> (WARNING: I will force push into this branch).
>>>>
>>>> Honza
>>>>
>>>
>>> Hello!
>>>
>>> Commit "schema: fix Flag arguments on the client" fixes a regression
>>> reported in https://fedorahosted.org/freeipa/ticket/6009, ACK.
>>
>> Thanks, pushed to master: a77e21cbca05be422fe5826857cfba7e0ba6e71f
>>
>> Attaching the patch for reference.
>
> Martin found a regression caused by this patch. The attached patch
> should fix it.

Self-NACK, correct patch attached.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-666.1-schema-properly-fix-Flag-arguments-on-the-client.patch
Type: text/x-patch
Size: 1164 bytes
Desc: not available
URL:
From: dkupka at redhat.com (David Kupka)
Date: Thu, 30 Jun 2016 10:51:16 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To:
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <8685c55c-ed6f-b9c5-880d-3e06240f0c0b@redhat.com>
Message-ID: <26cb8feb-bc76-3338-7de2-fbc8e12436d3@redhat.com>

On 30/06/16 10:45, Jan Cholasta wrote:
> On 30.6.2016 10:32, Jan Cholasta wrote:
>> On 29.6.2016 10:21, Jan Cholasta wrote:
>>> On 29.6.2016 09:22, David Kupka wrote:
>>>> On 28/04/16 14:45, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> I have pushed my thin client WIP branch to GitHub:
>>>>> .
>>>>>
>>>>> All commits up to "ipalib: use relative imports for cross-plugin
>>>>> imports" should be good for review. The rest is subject to change
>>>>> (WARNING: I will force push into this branch).
>>>>>
>>>>> Honza
>>>>>
>>>>
>>>> Hello!
>>>>
>>>> Commit "schema: fix Flag arguments on the client" fixes a regression
>>>> reported in https://fedorahosted.org/freeipa/ticket/6009, ACK.
>>>
>>> Thanks, pushed to master: a77e21cbca05be422fe5826857cfba7e0ba6e71f
>>>
>>> Attaching the patch for reference.
>>
>> Martin found a regression caused by this patch. The attached patch
>> should fix it.
>
> Self-NACK, correct patch attached.
>
Works for me, ACK.

-- 
David Kupka
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 11:02:42 +0200
Subject: [Freeipa-devel] [WIP] Thin client
In-Reply-To: <26cb8feb-bc76-3338-7de2-fbc8e12436d3@redhat.com>
References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <8685c55c-ed6f-b9c5-880d-3e06240f0c0b@redhat.com> <26cb8feb-bc76-3338-7de2-fbc8e12436d3@redhat.com>
Message-ID:

On 30.6.2016 10:51, David Kupka wrote:
> On 30/06/16 10:45, Jan Cholasta wrote:
>> On 30.6.2016 10:32, Jan Cholasta wrote:
>>> On 29.6.2016 10:21, Jan Cholasta wrote:
>>>> On 29.6.2016 09:22, David Kupka wrote:
>>>>> On 28/04/16 14:45, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have pushed my thin client WIP branch to GitHub:
>>>>>> .
>>>>>>
>>>>>> All commits up to "ipalib: use relative imports for cross-plugin
>>>>>> imports" should be good for review. The rest is subject to change
>>>>>> (WARNING: I will force push into this branch).
>>>>>>
>>>>>> Honza
>>>>>>
>>>>>
>>>>> Hello!
>>>>>
>>>>> Commit "schema: fix Flag arguments on the client" fixes a regression
>>>>> reported in https://fedorahosted.org/freeipa/ticket/6009, ACK.
>>>>
>>>> Thanks, pushed to master: a77e21cbca05be422fe5826857cfba7e0ba6e71f
>>>>
>>>> Attaching the patch for reference.
>>>
>>> Martin found a regression caused by this patch. The attached patch
>>> should fix it.
>>
>> Self-NACK, correct patch attached.
>>
> Works for me, ACK.

Thanks. Pushed to master: 8d5272e68775046db450d860c173a4d531a95ff2

-- 
Jan Cholasta
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 11:04:27 +0200
Subject: [Freeipa-devel] [PATCH 661] backup: use in-server API in ipa-backup and ipa-restore
In-Reply-To: <1d8269b7-0767-9add-4e7d-9eb1916c8fdd@redhat.com>
References: <122e4bf8-577a-7ac9-3b91-73bf09b61091@redhat.com> <1d8269b7-0767-9add-4e7d-9eb1916c8fdd@redhat.com>
Message-ID: <9ab29b14-cb04-7465-2355-86804d12621f@redhat.com>

On 29.6.2016 19:06, Milan Kubík wrote:
> On 06/29/2016 02:54 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>>
>> Honza
>>
>>
>>
>
> The restore works with the patch. ACK.

Thanks. Pushed to master: ce93b091d2ffbafedc721551f437631eed0e5a86

-- 
Jan Cholasta
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 11:07:48 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com> <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>
Message-ID:

On 30.06.2016 10:21, Jan Cholasta wrote:
> On 30.6.2016 10:12, Petr Spacek wrote:
>> On 30.6.2016 10:14, Jan Cholasta wrote:
>>> On 30.6.2016 10:06, Petr Spacek wrote:
>>>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>>>
>>>>> "The easiest solution would be to add timestamps to logs, or log to different
>>>>> logs from oddjob or from installer (ipareplica-conncheck.local.log and
>>>>> ipareplica-conncheck.remote.log)"
>>>>>
>>>>> Actually the easiest solution would be not to log into a file when executed
>>>>> from oddjob.
>>>>
>>>> Well, IPA is hard enough to debug even with logs. I would not make the situation
>>>> even worse by not logging at all :-)
>>>
>>> The command logs into stderr, and both stdout and stderr are sent back to the
>>> caller of the oddjob.
>>>
>>> Alternatively, it could log into a different file (say
>>> /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to
>>> fix this bug.
>>
>> When we are at it, a custom logger is overkill. IMHO we should log everything
>> to journal and be done with it ...
>
> It's not, we want to log to at least stderr ourselves.
>
> Also, it would be even harder to implement than timestamps, and time
> is a factor here. It would fit more into
> .
>
I can add option --no-log to ipa-replica-conncheck
>>
>> Petr^2 Spacek
>>
>>>>>>> Patches attached.
>>>>>>
>>>>>> I would rather use a timestamp format with dashes between numbers to make it
>>>>>> easier to read and parse for humans.
>>>>>>
>>>>>> Compare:
>>>>>>
>>>>>> 201606270954
>>>>>> 201606290954
>>>>>> 201606300954
>>>>>>
>>>>>> with
>>>>>>
>>>>>> 2016-06-27-09-54
>>>>>> 2016-06-29-09-54
>>>>>> 2016-06-30-09-54
>>
>>
>
>
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 11:19:29 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To:
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com> <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>
Message-ID: <2eed31fa-a011-8fd0-aeaf-a85060aa0a2e@redhat.com>

On 30.6.2016 11:07, Martin Basti wrote:
>
>
> On 30.06.2016 10:21, Jan Cholasta wrote:
>> On 30.6.2016 10:12, Petr Spacek wrote:
>>> On 30.6.2016 10:14, Jan Cholasta wrote:
>>>> On 30.6.2016 10:06, Petr Spacek wrote:
>>>>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>>>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>>>>
>>>>>> "The easiest solution would be to add timestamps to logs, or log to different
>>>>>> logs from oddjob or from installer (ipareplica-conncheck.local.log and
>>>>>> ipareplica-conncheck.remote.log)"
>>>>>>
>>>>>> Actually the easiest solution would be not to log into a file when executed
>>>>>> from oddjob.
>>>>>
>>>>> Well, IPA is hard enough to debug even with logs. I would not make the situation
>>>>> even worse by not logging at all :-)
>>>>
>>>> The command logs into stderr, and both stdout and stderr are sent back to the
>>>> caller of the oddjob.
>>>>
>>>> Alternatively, it could log into a different file (say
>>>> /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to
>>>> fix this bug.
>>>
>>> When we are at it, a custom logger is overkill. IMHO we should log everything
>>> to journal and be done with it ...
>>
>> It's not, we want to log to at least stderr ourselves.
>>
>> Also, it would be even harder to implement than timestamps, and time
>> is a factor here. It would fit more into
>> .
>>
> I can add option --no-log to ipa-replica-conncheck

Works for me, but don't forget to update install/oddjob/org.freeipa.server.conncheck.

>
>>>
>>> Petr^2 Spacek
>>>
>>>>>>>> Patches attached.
>>>>>>>
>>>>>>> I would rather use a timestamp format with dashes between numbers to make it
>>>>>>> easier to read and parse for humans.
>>>>>>>
>>>>>>> Compare:
>>>>>>>
>>>>>>> 201606270954
>>>>>>> 201606290954
>>>>>>> 201606300954
>>>>>>>
>>>>>>> with
>>>>>>>
>>>>>>> 2016-06-27-09-54
>>>>>>> 2016-06-29-09-54
>>>>>>> 2016-06-30-09-54
>>>
>>>
>>
>>
>

-- 
Jan Cholasta
From: frenaud at redhat.com (Florence Blanc-Renaud)
Date: Thu, 30 Jun 2016 11:38:35 +0200
Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported
In-Reply-To: <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com>
References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com> <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com>
Message-ID:

On 06/30/2016 06:29 AM, Fraser Tweedale wrote:
> On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud wrote:
>> On 06/29/2016 07:25 AM, Fraser Tweedale wrote:
>>> The attached patch fixes
>>> https://fedorahosted.org/freeipa/ticket/5991.
>>>
>>> Thanks,
>>> Fraser
>>>
>>>
>>>
>> Hi Fraser,
>>
>> A few cosmetic comments:
>>
>> PEP8 issues:
>> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1
>> ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters)
>> ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters)
>>
>> and there is a typo in ipaserver/plugins/cert.py
>> + doc=_("automatically add the principal if it doesn't exist
>> (service princpals only)"),
>>
>> should be "princ*i*pals only"
>>
>> Otherwise LGTM,
>> Flo
>>
> Thanks for review, Flo. Updated patch attached.
>
> Cheers,
> Fraser
>
Hi Fraser,

thanks for the updated patch. There is still a pep8 error:
./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1

I am also wondering if the message is clear enough. When running the CLI it's ok because the user typed --add, but the GUI displays "'add' is not supported for user principals" and I feel "'add' option is not supported for user principals" would be more user-friendly. What do you think?

Flo.
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 30 Jun 2016 19:49:04 +1000
Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported
In-Reply-To:
References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com> <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com>
Message-ID: <20160630094904.GO4200@dhcp-40-8.bne.redhat.com>

On Thu, Jun 30, 2016 at 11:38:35AM +0200, Florence Blanc-Renaud wrote:
> On 06/30/2016 06:29 AM, Fraser Tweedale wrote:
> > On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud wrote:
> > > On 06/29/2016 07:25 AM, Fraser Tweedale wrote:
> > > > The attached patch fixes
> > > > https://fedorahosted.org/freeipa/ticket/5991.
> > > >
> > > > Thanks,
> > > > Fraser
> > > >
> > > >
> > > >
> > > Hi Fraser,
> > >
> > > A few cosmetic comments:
> > >
> > > PEP8 issues:
> > > ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1
> > > ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters)
> > > ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters)
> > >
> > > and there is a typo in ipaserver/plugins/cert.py
> > > + doc=_("automatically add the principal if it doesn't exist
> > > (service princpals only)"),
> > >
> > > should be "princ*i*pals only"
> > >
> > > Otherwise LGTM,
> > > Flo
> > >
> > Thanks for review, Flo. Updated patch attached.
> >
> > Cheers,
> > Fraser
> >
> Hi Fraser,
>
> thanks for the updated patch. There is still a pep8 error:
> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1
>
Whups!

> I am also wondering if the message is clear enough. When running the CLI
> it's ok because the user typed --add, but the GUI displays "'add' is not
> supported for user principals"
> and I feel
> "'add' option is not supported for user principals"
> would be more user-friendly. What do you think?
>
Yes, I concur that mentioning "option" is an improvement. Will cut a new patch shortly.

Thanks!
Fraser

From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 11:55:04 +0200
Subject: [Freeipa-devel] [PATCH 660] replica install: don't allow install against a newer server
In-Reply-To: <3f0c4f71-2045-8bfa-a7d6-d6a9bd7a7a53@redhat.com>
References: <65420217-632b-a9ab-bab0-b627b5f8d4c8@redhat.com> <3f0c4f71-2045-8bfa-a7d6-d6a9bd7a7a53@redhat.com>
Message-ID: <16cf7ff5-b941-f75d-d71b-9b2f149187b8@redhat.com>

On 29.6.2016 17:46, Petr Spacek wrote:
> On 29.6.2016 14:25, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patch fixes .
>
> ACK

Thanks. Pushed to master: 99339bf7892fcc1201e06e6a8105b0bb4681c4f4

-- 
Jan Cholasta
From: pspacek at redhat.com (Petr Spacek)
Date: Thu, 30 Jun 2016 12:07:44 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com> <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com>
Message-ID: <654d77dd-24c0-e822-ae67-13cf4d84b5e4@redhat.com>

On 30.6.2016 10:21, Jan Cholasta wrote:
> On 30.6.2016 10:12, Petr Spacek wrote:
>> On 30.6.2016 10:14, Jan Cholasta wrote:
>>> On 30.6.2016 10:06, Petr Spacek wrote:
>>>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>>>
>>>>> "The easiest solution would be to add timestamps to logs, or log to
>>>>> different logs from oddjob or from installer (ipareplica-conncheck.local.log and
>>>>> ipareplica-conncheck.remote.log)"
>>>>>
>>>>> Actually the easiest solution would be not to log into a file when executed
>>>>> from oddjob.
>>>>
>>>> Well, IPA is hard enough to debug even with logs. I would not make the situation
>>>> even worse by not logging at all :-)
>>>
>>> The command logs into stderr, and both stdout and stderr are sent back to the
>>> caller of the oddjob.
>>>
>>> Alternatively, it could log into a different file (say
>>> /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an overkill to
>>> fix this bug.
>>
>> When we are at it, a custom logger is overkill. IMHO we should log everything
>> to journal and be done with it ...
>
> It's not, we want to log to at least stderr ourselves.
>
> Also, it would be even harder to implement than timestamps, and time is a

Sure, we do not have time:
=> ACK for current version of the patch.

Petr^2 Spacek

> factor here. It would fit more into
> .
>
>>
>> Petr^2 Spacek
>>
>>>>>>> Patches attached.
>>>>>>
>>>>>> I would rather use a timestamp format with dashes between numbers to make it
>>>>>> easier to read and parse for humans.
>>>>>>
>>>>>> Compare:
>>>>>>
>>>>>> 201606270954
>>>>>> 201606290954
>>>>>> 201606300954
>>>>>>
>>>>>> with
>>>>>>
>>>>>> 2016-06-27-09-54
>>>>>> 2016-06-29-09-54
>>>>>> 2016-06-30-09-54
>>
>>
>
>

-- 
Petr^2 Spacek
From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 30 Jun 2016 12:32:02 +0200
Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures caused by adding duplicate DNS forward zone
In-Reply-To:
References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com>
Message-ID:

On 06/29/2016 07:49 PM, Petr Spacek wrote:
> On 29.6.2016 18:52, Lenka Doudova wrote:
>>
>> On 06/29/2016 06:51 PM, Petr Spacek wrote:
>>> On 29.6.2016 18:48, Lenka Doudova wrote:
>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote:
>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote:
>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote:
>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote:
>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote:
>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote:
>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote:
>>>>>>>>>>> Hi!
>>>>>>>>>>>
>>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests fail on
>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already present,
>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com.
>>>>>>>>>>>
>>>>>>>>>>> To prevent these failures I prepared the attached patch, that will still
>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero return code
>>>>>>>>>>> will check the message if it says that the forward zone is already
>>>>>>>>>>> configured, and lets the tests continue, if it is so.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Lenka
>>>>>>>>>>>
>>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here
>>>>>>>>>> will mean that the zone exists. So it might hide other issues - not very
>>>>>>>>>> good.
>>>>>>>>>>
>>>>>>>>>> On the other hand it is not very robust to parse error message.
>>>>>>>>>>
>>>>>>>>>> Question for general audience: What do you think if IPA client's exit
>>>>>>>>>> status would be the IPA error code instead of "1" for every error. E.g.
>>>>>>>>>> in DuplicateEntry case it's 4002.
>>>>>>>>>>
>>>>>>>>>> Btw, this is not a NACK.
>>>>>>>>>>
>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single
>>>>>>>>> byte so you cannot have the return value greater than 255. We would have to
>>>>>>>>> devise some mapping between our XMLRPC status codes and subprocess return codes.
>>>>>>>>>
>>>>>>>>> Some of our exceptions have defined return values outside plain '1', e.g.
>>>>>>>>> NotFound has return value of 2. It would be possible to extend this
>>>>>>>>> concept on other common errors.
>>>>>>>> Even more importantly, the forward zone is completely unnecessary because
>>>>>>>> DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>
>>>>>>> Grr, I meant this:
>>>>>>> Even more importantly, the forward zone is completely unnecessary when
>>>>>>> DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>
>>>>>> +1, our tests should not fiddle with the provisioned environment as much as
>>>>>> they sometimes do.
>>>>>>
>>>>> Well, I have nothing against removing it completely, but left it there just
>>>>> because with previous AD machines with "wild" domains it was necessary.
>>>>> Looking at the code, your suggestion would probably mean to entirely remove
>>>>> method configure_dns_for_trust from ipatests/test_integration/tasks.py,
>>>>> right? I'll have to verify this won't break anything else.
>>>>>
>>>>> Lenka
>>>>>
>>>> Hi,
>>>>
>>>> to get back to this issue: do we really want to have the DNS configuration
>>>> method removed? I mean, we no longer need it for our CI tests, with new AD VMs
>>>> it works without it, but should somebody else with a different setup run these
>>>> tests, they could experience failures because their AD domain would not be
>>>> configured in DNS by default and the test would no longer provide that
>>>> configuration. It doesn't feel right to delete something we needed before but
>>>> don't need anymore, in case somebody else is depending on the same
>>>> configuration. But of course, I'll abide by your counsel.
>>>> In case the call on DNS configuration method really is removed, should I
>>>> remove even its definition? It's not used anywhere else, so it would be quite
>>>> logical.
>>> Feel free to keep the empty method around as a "hook" for other people. The
>>> important thing is that it should do nothing by default.
>>>
>> So leave the method call, but erase method contents and let it just pass?
> Fine with me. (List re-added.)
>
Ah, sorry for doing the wrong reply.
Anyway, fixed patch attached. I decided to do as you suggested - the original DNS configuring function is now empty, I modified the comment to explain the significance of this strange thing. I also changed the patch title to better reflect the proposed changes.

Lenka
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0022.2-Tests-Remove-DNS-configuration-from-trust-tests.patch
Type: text/x-patch
Size: 2754 bytes
Desc: not available
URL:
From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 30 Jun 2016 12:41:49 +0200
Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures caused by adding duplicate DNS forward zone
In-Reply-To:
References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com>
Message-ID:

On 06/30/2016 12:32 PM, Lenka Doudova wrote:
>
>
> On 06/29/2016 07:49 PM, Petr Spacek wrote:
>> On 29.6.2016 18:52, Lenka Doudova wrote:
>>>
>>> On 06/29/2016 06:51 PM, Petr Spacek wrote:
>>>> On 29.6.2016 18:48, Lenka Doudova wrote:
>>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote:
>>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote:
>>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote:
>>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote:
>>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote:
>>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote:
>>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote:
>>>>>>>>>>>> Hi!
>>>>>>>>>>>>
>>>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests fail on
>>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already present,
>>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com.
>>>>>>>>>>>>
>>>>>>>>>>>> To prevent these failures I prepared the attached patch, that will still
>>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero return code
>>>>>>>>>>>> will check the message if it says that the forward zone is already
>>>>>>>>>>>> configured, and lets the tests continue, if it is so.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Lenka
>>>>>>>>>>>>
>>>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here
>>>>>>>>>>> will mean that the zone exists. So it might hide other issues - not very
>>>>>>>>>>> good.
>>>>>>>>>>>
>>>>>>>>>>> On the other hand it is not very robust to parse error message.
>>>>>>>>>>>
>>>>>>>>>>> Question for general audience: What do you think if IPA client's exit
>>>>>>>>>>> status would be the IPA error code instead of "1" for every error. E.g.
>>>>>>>>>>> in DuplicateEntry case it's 4002.
>>>>>>>>>>>
>>>>>>>>>>> Btw, this is not a NACK.
>>>>>>>>>>>
>>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single
>>>>>>>>>> byte so you cannot have the return value greater than 255. We would have to
>>>>>>>>>> devise some mapping between our XMLRPC status codes and subprocess return codes.
>>>>>>>>>>
>>>>>>>>>> Some of our exceptions have defined return values outside plain '1', e.g.
>>>>>>>>>> NotFound has return value of 2. It would be possible to extend this
>>>>>>>>>> concept on other common errors.
>>>>>>>>> Even more importantly, the forward zone is completely unnecessary because
>>>>>>>>> DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>>
>>>>>>>> Grr, I meant this:
>>>>>>>> Even more importantly, the forward zone is completely unnecessary when
>>>>>>>> DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>
>>>>>>> +1, our tests should not fiddle with the provisioned environment as much as
>>>>>>> they sometimes do.
>>>>>>>
>>>>>> Well, I have nothing against removing it completely, but left it there just
>>>>>> because with previous AD machines with "wild" domains it was necessary.
>>>>>> Looking at the code, your suggestion would probably mean to entirely remove
>>>>>> method configure_dns_for_trust from ipatests/test_integration/tasks.py,
>>>>>> right? I'll have to verify this won't break anything else.
>>>>>>
>>>>>> Lenka
>>>>>>
>>>>> Hi,
>>>>>
>>>>> to get back to this issue: do we really want to have the DNS configuration
>>>>> method removed? I mean, we no longer need it for our CI tests, with new AD VMs
>>>>> it works without it, but should somebody else with a different setup run these
>>>>> tests, they could experience failures because their AD domain would not be
>>>>> configured in DNS by default and the test would no longer provide that
>>>>> configuration. It doesn't feel right to delete something we needed before but
>>>>> don't need anymore, in case somebody else is depending on the same
>>>>> configuration. But of course, I'll abide by your counsel.
>>>>> In case the call on DNS configuration method really is removed, should I
>>>>> remove even its definition? It's not used anywhere else, so it would be quite
>>>>> logical.
>>>> Feel free to keep the empty method around as a "hook" for other people. The
>>>> important thing is that it should do nothing by default.
>>>>
>>> So leave the method call, but erase method contents and let it just pass?
>> Fine with me. (List re-added.)
>>
> Ah, sorry for doing the wrong reply.
> Anyway, fixed patch attached. I decided to do as you suggested - the
> original DNS configuring function is now empty, I modified the comment
> to explain the significance of this strange thing. I also changed the patch
> title to better reflect the proposed changes.
>
> Lenka
>
>
NACK the previous one, forgot PEP8. New patch attached.

Lenka
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0022.3-Tests-Remove-DNS-configuration-from-trust-tests.patch
Type: text/x-patch
Size: 2753 bytes
Desc: not available
URL:
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 30 Jun 2016 12:46:02 +0200
Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures caused by adding duplicate DNS forward zone
In-Reply-To:
References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com>
Message-ID: <5774F86A.1020307@redhat.com>

On 06/30/2016 12:41 PM, Lenka Doudova wrote:
>
>
> On 06/30/2016 12:32 PM, Lenka Doudova wrote:
>>
>>
>> On 06/29/2016 07:49 PM, Petr Spacek wrote:
>>> On 29.6.2016 18:52, Lenka Doudova wrote:
>>>>
>>>> On 06/29/2016 06:51 PM, Petr Spacek wrote:
>>>>> On 29.6.2016 18:48, Lenka Doudova wrote:
>>>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote:
>>>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote:
>>>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote:
>>>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote:
>>>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote:
>>>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote:
>>>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote:
>>>>>>>>>>>>> Hi!
>>>>>>>>>>>>>
>>>>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests fail on
>>>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already present,
>>>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com.
>>>>>>>>>>>>>
>>>>>>>>>>>>> To prevent these failures I prepared the attached patch, that will still
>>>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero return code
>>>>>>>>>>>>> will check the message if it says that the forward zone is already
>>>>>>>>>>>>> configured, and lets the tests continue, if it is so.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Lenka
>>>>>>>>>>>>>
>>>>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here
>>>>>>>>>>>> will mean that the zone exists. So it might hide other issues - not very
>>>>>>>>>>>> good.
>>>>>>>>>>>>
>>>>>>>>>>>> On the other hand it is not very robust to parse error message.
>>>>>>>>>>>>
>>>>>>>>>>>> Question for general audience: What do you think if IPA client's exit
>>>>>>>>>>>> status would be the IPA error code instead of "1" for every error. E.g.
>>>>>>>>>>>> in DuplicateEntry case it's 4002.
>>>>>>>>>>>>
>>>>>>>>>>>> Btw, this is not a NACK.
>>>>>>>>>>>>
>>>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single
>>>>>>>>>>> byte so you cannot have the return value greater than 255. We would have to
>>>>>>>>>>> devise some mapping between our XMLRPC status codes and subprocess return codes.
>>>>>>>>>>>
>>>>>>>>>>> Some of our exceptions have defined return values outside plain '1', e.g.
>>>>>>>>>>> NotFound has return value of 2. It would be possible to extend this
>>>>>>>>>>> concept on other common errors.
>>>>>>>>>> Even more importantly, the forward zone is completely unnecessary because
>>>>>>>>>> DNS when DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>>>
>>>>>>>>> Grr, I meant this:
>>>>>>>>> Even more importantly, the forward zone is completely unnecessary when
>>>>>>>>> DNS is set up properly. I would simply remove the dnsforwardzone-add.
>>>>>>>>>
>>>>>>>> +1, our tests should not fiddle with the provisioned environment as much as
>>>>>>>> they sometimes do.
>>>>>>>>
>>>>>>> Well, I have nothing against removing it completely, but left it there just
>>>>>>> because with previous AD machines with "wild" domains it was necessary.
>>>>>>> Looking at the code, your suggestion would probably mean to entirely remove
>>>>>>> method configure_dns_for_trust from ipatests/test_integration/tasks.py,
>>>>>>> right? I'll have to verify this won't break anything else.
>>>>>>>
>>>>>>> Lenka
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> to get back to this issue: do we really want to have the DNS configuration
>>>>>> method removed? I mean, we no longer need it for our CI tests, with new AD VMs
>>>>>> it works without it, but should somebody else with a different setup run these
>>>>>> tests, they could experience failures because their AD domain would not be
>>>>>> configured in DNS by default and the test would no longer provide that
>>>>>> configuration. It doesn't feel right to delete something we needed before but
>>>>>> don't need anymore, in case somebody else is depending on the same
>>>>>> configuration. But of course, I'll abide by your counsel.
>>>>>> In case the call on DNS configuration method really is removed, should I
>>>>>> remove even its definition? It's not used anywhere else, so it would be quite
>>>>>> logical.
>>>>> Feel free to keep the empty method around as a "hook" for other people. The
>>>>> important thing is that it should do nothing by default.
>>>>>
>>>> So leave the method call, but erase method contents and let it just pass?
>>> Fine with me. (List re-added.)
>>>
>> Ah, sorry for doing the wrong reply.
>> Anyway, fixed patch attached. I decided to do as you suggested - the
>> original DNS configuring function is now empty, I modified the comment
>> to explain the significance of this strange thing. I also changed the patch
>> title to better reflect the proposed changes.
>>
>> Lenka
>>
>>
> NACK the previous one, forgot PEP8. New patch attached.
>
> Lenka

Functional ACK

>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 30 Jun 2016 12:51:03 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com> Message-ID: On 30.6.2016 12:32, Lenka Doudova wrote: > > > On 06/29/2016 07:49 PM, Petr Spacek wrote: >> On 29.6.2016 18:52, Lenka Doudova wrote: >>> >>> On 06/29/2016 06:51 PM, Petr Spacek wrote: >>>> On 29.6.2016 18:48, Lenka Doudova wrote: >>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote: >>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote: >>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote: >>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote: >>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote: >>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>>>>>>>>> Hi! >>>>>>>>>>>> >>>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests >>>>>>>>>>>> fail on >>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already >>>>>>>>>>>> present, >>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>>>>>>>>>> >>>>>>>>>>>> To prevent these failures I prepared attached patch, that will still >>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero return code >>>>>>>>>>>> will check the message if it says that the forward zone is already >>>>>>>>>>>> configured, and lets the tests continue, if it is so. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Lenka >>>>>>>>>>>> >>>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here >>>>>>>>>>> will mean that the zone exists. 
So it might hide other issues - not >>>>>>>>>>> very >>>>>>>>>>> good. >>>>>>>>>>> >>>>>>>>>>> On the other hand it is not very robust to parse error message. >>>>>>>>>>> >>>>>>>>>>> Question for general audience: What do you think if IPA client's exit >>>>>>>>>>> status would be the IPA error code instead of "1" for every error. >>>>>>>>>>> E.g. >>>>>>>>>>> in DuplicateEntry case it's 4002. >>>>>>>>>>> >>>>>>>>>>> Btw, this is not a NACK. >>>>>>>>>>> >>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single >>>>>>>>>> byte so >>>>>>>>>> you cannot have the return value greater that 255. We would have to >>>>>>>>>> devise >>>>>>>>>> some mapping between our XMLRPC status codes and subprocess return >>>>>>>>>> codes. >>>>>>>>>> >>>>>>>>>> Some of our exceptions have defined return values outside plain '1', >>>>>>>>>> e.g. >>>>>>>>>> NotFound has return value of 2. It would be possible to extend this >>>>>>>>>> concept on >>>>>>>>>> other common errors. >>>>>>>>> Even more importantly, the forward zone is completely unnecessary >>>>>>>>> because >>>>>>>>> DNS >>>>>>>>> when DNS is set up properly. I would simply remove the >>>>>>>>> dnsforwardzone-add. >>>>>>>>> >>>>>>>> Grr, I meant this: >>>>>>>> Even more importantly, the forward zone is completely unnecessary when >>>>>>>> DNS is >>>>>>>> set up properly. I would simply remove the dnsforwardzone-add. >>>>>>>> >>>>>>> +1, our tests should not fiddle with the provisioned environment as >>>>>>> much as >>>>>>> they sometimes do. >>>>>>> >>>>>> Well, I have nothing against removing it completely, but left it there just >>>>>> because with previous AD machines with "wild" domains it was necessary. >>>>>> Looking at the code, your suggestion would probably mean to entirely remove >>>>>> method configure_dns_for_trust from ipatests/test_integration/tasks.py, >>>>>> right? I'll have to verify this won't break anything else. 
>>>>>> >>>>>> Lenka >>>>>> >>>>> Hi, >>>>> >>>>> to get back to this issue: do we really want to have the DNS configuration >>>>> method removed? I mean, we no longer need it for our CI tests, with new >>>>> AD VMs >>>>> it works without it, but should somebody else with different setup run these >>>>> tests, they could experience failures because their AD domain would not be >>>>> configured in DNS by default and the test would no longer provide that >>>>> configuration. It doesn't feel right to delete something we needed before >>>>> but >>>>> don't need anymore, in case somebody else is depending on the same >>>>> configuration. But of course, I'll abide by your counsel. >>>>> In case the call on DNS configuration method really is removed, should I >>>>> remove even it's definition? It's not used anywhere else, so it would be >>>>> quite >>>>> logical. >>>> Feel free to keep empty method around as a "hook" for other people. The >>>> important thing is that it should do nothing by default. >>>> >>> So leave the method call, but erase method contents and let it just pass? >> Fine with me. (List re-added.) >> > Ah, sorry for doing the wrong reply. > Anyway, fixed patch attached. I decided to do as you suggested - the original > DNS configuring function is now empty, I modified the comment to explain > significance of this strange thing. I also changed patch title to better > reflect proposed changes. ACK if it passes your tests. -- Petr^2 Spacek From ldoudova at redhat.com Thu Jun 30 10:58:10 2016 
From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 30 Jun 2016 12:58:10 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com> Message-ID: <318770da-e34c-ee8e-d1b6-3b9e383243a9@redhat.com> On 06/30/2016 12:51 PM, Petr Spacek wrote: > On 30.6.2016 12:32, Lenka Doudova wrote: >> >> On 06/29/2016 07:49 PM, Petr Spacek wrote: >>> On 29.6.2016 18:52, Lenka Doudova wrote: >>>> On 06/29/2016 06:51 PM, Petr Spacek wrote: >>>>> On 29.6.2016 18:48, Lenka Doudova wrote: >>>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote: >>>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote: >>>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote: >>>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote: >>>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote: >>>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>>>>>>>>>> Hi! >>>>>>>>>>>>> >>>>>>>>>>>>> With newly created AD machines in Brno lab, existing trust tests >>>>>>>>>>>>> fail on >>>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is already >>>>>>>>>>>>> present, >>>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. >>>>>>>>>>>>> >>>>>>>>>>>>> To prevent these failures I prepared attached patch, that will still >>>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero return code >>>>>>>>>>>>> will check the message if it says that the forward zone is already >>>>>>>>>>>>> configured, and lets the tests continue, if it is so. 
>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Lenka >>>>>>>>>>>>> >>>>>>>>>>>> Current approach expects that every error of ipa dnsforward-add here >>>>>>>>>>>> will mean that the zone exists. So it might hide other issues - not >>>>>>>>>>>> very >>>>>>>>>>>> good. >>>>>>>>>>>> >>>>>>>>>>>> On the other hand it is not very robust to parse error message. >>>>>>>>>>>> >>>>>>>>>>>> Question for general audience: What do you think if IPA client's exit >>>>>>>>>>>> status would be the IPA error code instead of "1" for every error. >>>>>>>>>>>> E.g. >>>>>>>>>>>> in DuplicateEntry case it's 4002. >>>>>>>>>>>> >>>>>>>>>>>> Btw, this is not a NACK. >>>>>>>>>>>> >>>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into a single >>>>>>>>>>> byte so >>>>>>>>>>> you cannot have the return value greater that 255. We would have to >>>>>>>>>>> devise >>>>>>>>>>> some mapping between our XMLRPC status codes and subprocess return >>>>>>>>>>> codes. >>>>>>>>>>> >>>>>>>>>>> Some of our exceptions have defined return values outside plain '1', >>>>>>>>>>> e.g. >>>>>>>>>>> NotFound has return value of 2. It would be possible to extend this >>>>>>>>>>> concept on >>>>>>>>>>> other common errors. >>>>>>>>>> Even more importantly, the forward zone is completely unnecessary >>>>>>>>>> because >>>>>>>>>> DNS >>>>>>>>>> when DNS is set up properly. I would simply remove the >>>>>>>>>> dnsforwardzone-add. >>>>>>>>>> >>>>>>>>> Grr, I meant this: >>>>>>>>> Even more importantly, the forward zone is completely unnecessary when >>>>>>>>> DNS is >>>>>>>>> set up properly. I would simply remove the dnsforwardzone-add. >>>>>>>>> >>>>>>>> +1, our tests should not fiddle with the provisioned environment as >>>>>>>> much as >>>>>>>> they sometimes do. >>>>>>>> >>>>>>> Well, I have nothing against removing it completely, but left it there just >>>>>>> because with previous AD machines with "wild" domains it was necessary. 
>>>>>>> Looking at the code, your suggestion would probably mean to entirely remove >>>>>>> method configure_dns_for_trust from ipatests/test_integration/tasks.py, >>>>>>> right? I'll have to verify this won't break anything else. >>>>>>> >>>>>>> Lenka >>>>>>> >>>>>> Hi, >>>>>> >>>>>> to get back to this issue: do we really want to have the DNS configuration >>>>>> method removed? I mean, we no longer need it for our CI tests, with new >>>>>> AD VMs >>>>>> it works without it, but should somebody else with different setup run these >>>>>> tests, they could experience failures because their AD domain would not be >>>>>> configured in DNS by default and the test would no longer provide that >>>>>> configuration. It doesn't feel right to delete something we needed before >>>>>> but >>>>>> don't need anymore, in case somebody else is depending on the same >>>>>> configuration. But of course, I'll abide by your counsel. >>>>>> In case the call on DNS configuration method really is removed, should I >>>>>> remove even it's definition? It's not used anywhere else, so it would be >>>>>> quite >>>>>> logical. >>>>> Feel free to keep empty method around as a "hook" for other people. The >>>>> important thing is that it should do nothing by default. >>>>> >>>> So leave the method call, but erase method contents and let it just pass? >>> Fine with me. (List re-added.) >>> >> Ah, sorry for doing the wrong reply. >> Anyway, fixed patch attached. I decided to do as you suggested - the original >> DNS configuring function is now empty, I modified the comment to explain >> significance of this strange thing. I also changed patch title to better >> reflect proposed changes. > ACK if it passes your tests. > Yes, I've had no problems running the tests since I started to use this. Thanks. From mbasti at redhat.com Thu Jun 30 11:04:22 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:04:22 +0200 Subject: [Freeipa-devel] [PATCH 0548] Fix replica install with CA Message-ID: https://fedorahosted.org/freeipa/ticket/5966 This is only for the master branch; the ipa-4-3 fix will be different (soon) Patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0548-Fix-replica-install-with-CA.patch Type: text/x-patch Size: 3286 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 30 11:08:08 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:08:08 +0200 Subject: [Freeipa-devel] [PATCH 0545] cert.py: split docstring to multiple ugettext strings In-Reply-To: References: Message-ID: <7bf3ae48-1f13-d45d-7faf-a2248508624d@redhat.com> On 30.06.2016 10:13, Stanislav Laznicka wrote: > On 06/30/2016 09:18 AM, Martin Basti wrote: >> Make life easier for translators: there was a recent change in the cert.py >> docstring, so they have to translate the whole docstring again; >> I'm splitting it into multiple parts. >> >> >> Patch attached >> > I'm not sure whether the "See RFC 5280 for more details" should be > split from the link. It doesn't matter > Also, you need to add "\n" at the end of each reason string (you're > not using multiline strings there). Fixed, patch attached -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-mbasti-0545.2-cert.py-split-module-docstring-to-multiple-ugetext-s.patch Type: text/x-patch Size: 4269 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 30 11:14:53 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:14:53 +0200 Subject: [Freeipa-devel] [PATCH 0022][Tests] Prevent trust test failures cause by adding duplicate DNS forward zone In-Reply-To: <318770da-e34c-ee8e-d1b6-3b9e383243a9@redhat.com> References: <8f0b13cb-cc6e-1e0f-e56d-d16c26c8c9a3@redhat.com> <7e0d68b1-0c98-f22a-739a-9366fd39bcbb@redhat.com> <01fb470f-6a85-6805-fc36-2137fb4d7c51@redhat.com> <38d82175-0566-8b03-327f-ea3dd8b1860b@redhat.com> <8f38d8cb-052b-a09b-856e-e8817e9a7489@redhat.com> <1a20608c-4e17-b190-5cac-db39c71e2dba@redhat.com> <318770da-e34c-ee8e-d1b6-3b9e383243a9@redhat.com> Message-ID: <7a38333f-5bbf-624f-1943-a39d23474898@redhat.com> On 30.06.2016 12:58, Lenka Doudova wrote: > > > On 06/30/2016 12:51 PM, Petr Spacek wrote: >> On 30.6.2016 12:32, Lenka Doudova wrote: >>> >>> On 06/29/2016 07:49 PM, Petr Spacek wrote: >>>> On 29.6.2016 18:52, Lenka Doudova wrote: >>>>> On 06/29/2016 06:51 PM, Petr Spacek wrote: >>>>>> On 29.6.2016 18:48, Lenka Doudova wrote: >>>>>>> On 06/27/2016 11:05 AM, Lenka Doudova wrote: >>>>>>>> On 06/27/2016 10:33 AM, Martin Babinsky wrote: >>>>>>>>> On 06/27/2016 10:28 AM, Petr Spacek wrote: >>>>>>>>>> On 27.6.2016 10:26, Petr Spacek wrote: >>>>>>>>>>> On 27.6.2016 10:18, Martin Babinsky wrote: >>>>>>>>>>>> On 06/27/2016 10:04 AM, Petr Vobornik wrote: >>>>>>>>>>>>> On 06/27/2016 09:42 AM, Lenka Doudova wrote: >>>>>>>>>>>>>> Hi! >>>>>>>>>>>>>> >>>>>>>>>>>>>> With newly created AD machines in Brno lab, existing >>>>>>>>>>>>>> trust tests >>>>>>>>>>>>>> fail on >>>>>>>>>>>>>> 'ipa dnsforwardzone-add' command claiming the zone is >>>>>>>>>>>>>> already >>>>>>>>>>>>>> present, >>>>>>>>>>>>>> as new AD domain is dom-221.idm.lab.eng.brq.redhat.com. 
>>>>>>>>>>>>>> >>>>>>>>>>>>>> To prevent these failures I prepared attached patch, that >>>>>>>>>>>>>> will still >>>>>>>>>>>>>> attempt to add the forward zone, but in case of non-zero >>>>>>>>>>>>>> return code >>>>>>>>>>>>>> will check the message if it says that the forward zone >>>>>>>>>>>>>> is already >>>>>>>>>>>>>> configured, and lets the tests continue, if it is so. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> Lenka >>>>>>>>>>>>>> >>>>>>>>>>>>> Current approach expects that every error of ipa >>>>>>>>>>>>> dnsforward-add here >>>>>>>>>>>>> will mean that the zone exists. So it might hide other >>>>>>>>>>>>> issues - not >>>>>>>>>>>>> very >>>>>>>>>>>>> good. >>>>>>>>>>>>> >>>>>>>>>>>>> On the other hand it is not very robust to parse error >>>>>>>>>>>>> message. >>>>>>>>>>>>> >>>>>>>>>>>>> Question for general audience: What do you think if IPA >>>>>>>>>>>>> client's exit >>>>>>>>>>>>> status would be the IPA error code instead of "1" for >>>>>>>>>>>>> every error. >>>>>>>>>>>>> E.g. >>>>>>>>>>>>> in DuplicateEntry case it's 4002. >>>>>>>>>>>>> >>>>>>>>>>>>> Btw, this is not a NACK. >>>>>>>>>>>>> >>>>>>>>>>>> Well AFAIK the exit status on POSIX systems is encoded into >>>>>>>>>>>> a single >>>>>>>>>>>> byte so >>>>>>>>>>>> you cannot have the return value greater that 255. We would >>>>>>>>>>>> have to >>>>>>>>>>>> devise >>>>>>>>>>>> some mapping between our XMLRPC status codes and subprocess >>>>>>>>>>>> return >>>>>>>>>>>> codes. >>>>>>>>>>>> >>>>>>>>>>>> Some of our exceptions have defined return values outside >>>>>>>>>>>> plain '1', >>>>>>>>>>>> e.g. >>>>>>>>>>>> NotFound has return value of 2. It would be possible to >>>>>>>>>>>> extend this >>>>>>>>>>>> concept on >>>>>>>>>>>> other common errors. >>>>>>>>>>> Even more importantly, the forward zone is completely >>>>>>>>>>> unnecessary >>>>>>>>>>> because >>>>>>>>>>> DNS >>>>>>>>>>> when DNS is set up properly. I would simply remove the >>>>>>>>>>> dnsforwardzone-add. 
>>>>>>>>>>> >>>>>>>>>> Grr, I meant this: >>>>>>>>>> Even more importantly, the forward zone is completely >>>>>>>>>> unnecessary when >>>>>>>>>> DNS is >>>>>>>>>> set up properly. I would simply remove the dnsforwardzone-add. >>>>>>>>>> >>>>>>>>> +1, our tests should not fiddle with the provisioned >>>>>>>>> environment as >>>>>>>>> much as >>>>>>>>> they sometimes do. >>>>>>>>> >>>>>>>> Well, I have nothing against removing it completely, but left >>>>>>>> it there just >>>>>>>> because with previous AD machines with "wild" domains it was >>>>>>>> necessary. >>>>>>>> Looking at the code, your suggestion would probably mean to >>>>>>>> entirely remove >>>>>>>> method configure_dns_for_trust from >>>>>>>> ipatests/test_integration/tasks.py, >>>>>>>> right? I'll have to verify this won't break anything else. >>>>>>>> >>>>>>>> Lenka >>>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> to get back to this issue: do we really want to have the DNS >>>>>>> configuration >>>>>>> method removed? I mean, we no longer need it for our CI tests, >>>>>>> with new >>>>>>> AD VMs >>>>>>> it works without it, but should somebody else with different >>>>>>> setup run these >>>>>>> tests, they could experience failures because their AD domain >>>>>>> would not be >>>>>>> configured in DNS by default and the test would no longer >>>>>>> provide that >>>>>>> configuration. It doesn't feel right to delete something we >>>>>>> needed before >>>>>>> but >>>>>>> don't need anymore, in case somebody else is depending on the same >>>>>>> configuration. But of course, I'll abide by your counsel. >>>>>>> In case the call on DNS configuration method really is removed, >>>>>>> should I >>>>>>> remove even it's definition? It's not used anywhere else, so it >>>>>>> would be >>>>>>> quite >>>>>>> logical. >>>>>> Feel free to keep empty method around as a "hook" for other >>>>>> people. The >>>>>> important thing is that it should do nothing by default. 
>>>>>> >>>>> So leave the method call, but erase method contents and let it >>>>> just pass? >>>> Fine with me. (List re-added.) >>>> >>> Ah, sorry for doing the wrong reply. >>> Anyway, fixed patch attached. I decided to do as you suggested - the >>> original >>> DNS configuring function is now empty, I modified the comment to >>> explain >>> significance of this strange thing. I also changed patch title to >>> better >>> reflect proposed changes. >> ACK if it passes your tests. >> > Yes, I've had no problems running the tests since I started to use this. > Thanks. > Pushed to master: 1d9e1521c59a5b43c2322892ce5cbe8cceff2790 From ftweedal at redhat.com Thu Jun 30 11:16:44 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jun 2016 21:16:44 +1000 Subject: [Freeipa-devel] [PATCH] 0085 Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3 Message-ID: <20160630111644.GR4200@dhcp-40-8.bne.redhat.com> Hullo, The attached patch fixes https://fedorahosted.org/freeipa/ticket/6011. Cheers, Fraser -------------- next part -------------- From c92ed38c0ef41814dec6ddf4a003948af5bc0beb Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 30 Jun 2016 21:01:07 +1000 Subject: [PATCH] Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3 ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority. Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart. Fixes: https://fedorahosted.org/freeipa/ticket/6011 --- ipaserver/install/cainstance.py | 14 +++++++++++--- ipaserver/install/server/upgrade.py | 2 +- 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ef69c898bcd4f9d8d7e698b04117047a33c1e45f..28f8fe156ff828fdcfafdf602fa6675a4ee84fea 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -1695,7 +1695,7 @@ def ensure_ldap_profiles_container(): ) def ensure_lightweight_cas_container(): - ensure_entry( + return ensure_entry( DN(('ou', 'authorities'), ('ou', 'ca'), ('o', 'ipaca')), objectclass=['top', 'organizationalUnit'], ou=['authorities'], @@ -1703,6 +1703,12 @@ def ensure_lightweight_cas_container(): def ensure_entry(dn, **attrs): + """Ensure an entry exists. + + If an entry with the given DN already exists, return ``False``, + otherwise add the entry and return ``True``. + + """ server_id = installutils.realm_to_serverid(api.env.realm) dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id @@ -1712,12 +1718,14 @@ def ensure_entry(dn, **attrs): try: conn.get_entry(dn) + return False except errors.NotFound: # entry doesn't exist; add it entry = conn.make_entry(dn, **attrs) conn.add_entry(entry) - - conn.disconnect() + return True + finally: + conn.disconnect() def configure_profiles_acl(): diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 3955a8cb9faf8e5c3350fc3912ea9f05a4b97719..43427178b11f63797a9537eadee836d7cf224311 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1747,6 +1747,7 @@ def upgrade_configuration(): ca_enable_pkix(ca), ca_configure_profiles_acl(ca), ca_configure_lightweight_ca_acls(ca), + ca_ensure_lightweight_cas_container(ca), ca_add_default_ocsp_uri(ca), ]) 
@@ -1758,7 +1759,6 @@ def upgrade_configuration(): except ipautil.CalledProcessError as e: root_logger.error("Failed to restart %s: %s", ca.service_name, e) - ca_ensure_lightweight_cas_container(ca) ca_enable_ldap_profile_subsystem(ca) # This step MUST be done after ca_enable_ldap_profile_subsystem and -- 2.5.5 From mbasti at redhat.com Thu Jun 30 11:16:49 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:16:49 +0200 Subject: [Freeipa-devel] [PATCH 0018][Tests] Fix some of the failing tests in test_ipalib/test_frontend.py In-Reply-To: <1412334976.8937184.1467215513195.JavaMail.zimbra@redhat.com> References: <84901af3-4f60-b145-41f0-9558bbbb1e48@redhat.com> <1412334976.8937184.1467215513195.JavaMail.zimbra@redhat.com> Message-ID: <751d8600-ee65-61c7-bcd0-3f2e8c889711@redhat.com> On 29.06.2016 17:51, Ganna Kaihorodova wrote: > Hello! > > ACK > > Best regards, > Ganna Kaihorodova > Associate Software Quality Engineer > > > ----- Original Message ----- > From: "Lenka Doudova" > To: "freeipa-devel" > Sent: Tuesday, June 21, 2016 10:21:44 AM > Subject: [Freeipa-devel] [PATCH 0018][Tests] Fix some of the failing tests in test_ipalib/test_frontend.py > > Hi, > > attaching patch with fix for a few failing tests in > ipatests/test_ipalib/test_frontend.py. > > > Lenka > > Pushed to master: 35d3a58421bc96b2a3c0352cb7d5976042f9cc03 From pspacek at redhat.com Thu Jun 30 11:18:15 2016 From: pspacek at redhat.com (Petr Spacek) Date: Thu, 30 Jun 2016 13:18:15 +0200 Subject: [Freeipa-devel] [PATCH 0548] Fix replica install with CA In-Reply-To: References: Message-ID: <240c23fc-4c58-6af4-70df-0cfd650bbf84@redhat.com> On 30.6.2016 13:04, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5966 > > This only for master branch, ipa-4-3 fix will be different (soon) > > Patch attached ACK -- Petr^2 Spacek From mbasti at redhat.com Thu Jun 30 11:18:18 2016 
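Review bot: in the ipaserver/install/cainstance.py hunk at @@ -1695, `ensure_lightweight_cas_container()` now returns the result of `ensure_entry()`, and that boolean is exactly what the upgrade.py hunk at @@ -1747 feeds into the list of CA steps, so the function deserves a docstring of its own stating that it returns True only when the container entry had to be added (mirroring the docstring this patch adds to `ensure_entry()`); without it the next reader will not know the return value is load-bearing for the restart decision.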
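Review bot: in the ipaserver/install/cainstance.py hunk at @@ -1712, the get-then-add in `ensure_entry()` is not atomic: if another writer adds the same DN between `conn.get_entry(dn)` raising NotFound and `conn.add_entry(entry)`, the add raises `errors.DuplicateEntry` and the upgrade step fails even though the entry now exists, which contradicts the "Ensure an entry exists" contract in the new docstring. Consider catching `errors.DuplicateEntry` around `conn.add_entry(entry)` and returning False in that case. Moving `conn.disconnect()` into `finally:` is the right change, since the previous code skipped the disconnect whenever `add_entry` raised.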
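Review bot: in the ipaserver/install/server/upgrade.py hunk at @@ -1747, the fix depends on `ca_ensure_lightweight_cas_container(ca)` propagating the boolean from `ensure_lightweight_cas_container()` so that the restart described in the commit message is actually triggered; the wrapper itself is not part of this diff, so please confirm it returns that value rather than dropping it, because if this list is consumed as a set of "something changed" flags, a None here would read as "nothing changed" and reproduce the original failure.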
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:18:18 +0200 Subject: [Freeipa-devel] [PATCH 0023][Tests] Fix frontend tests - #5987 In-Reply-To: <501149030.8937392.1467215548568.JavaMail.zimbra@redhat.com> References: <2e56ec52-1831-dc0d-bde4-6635321b9236@redhat.com> <501149030.8937392.1467215548568.JavaMail.zimbra@redhat.com> Message-ID: On 29.06.2016 17:52, Ganna Kaihorodova wrote: > Hello! > > ACK > > Best regards, > Ganna Kaihorodova > Associate Software Quality Engineer > > > ----- Original Message ----- > From: "Lenka Doudova" > To: "freeipa-devel" > Sent: Tuesday, June 28, 2016 6:34:33 AM > Subject: [Freeipa-devel] [PATCH 0023][Tests] Fix frontend tests - #5987 > > Hi, > > I've made patch to fix for https://fedorahosted.org/freeipa/ticket/5987. > > Please note, that this patch must be applied on top on my patch no. > 0018, which provides other fixes on the same file (and same test). > > > Lenka > > Pushed to master: 0399110240e0a064c3faae407d9d62ba07281eb9 From slaznick at redhat.com Thu Jun 30 11:20:45 2016 
From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 30 Jun 2016 13:20:45 +0200 Subject: [Freeipa-devel] [PATCH 0545] cert.py: split docstring to multiple ugettext strings In-Reply-To: <7bf3ae48-1f13-d45d-7faf-a2248508624d@redhat.com> References: <7bf3ae48-1f13-d45d-7faf-a2248508624d@redhat.com> Message-ID: <3b509c3c-3f61-b3fe-8f86-419dd058627b@redhat.com> On 06/30/2016 01:08 PM, Martin Basti wrote: > > > On 30.06.2016 10:13, Stanislav Laznicka wrote: >> On 06/30/2016 09:18 AM, Martin Basti wrote: >>> Make life easier for translators: there was a recent change in the cert.py >>> docstring, so they have to translate the whole docstring again; >>> I'm splitting it into multiple parts. >>> >>> >>> Patch attached >>> >> I'm not sure whether the "See RFC 5280 for more details" should be >> split from the link. > It doesn't matter >> Also, you need to add "\n" at the end of each reason string (you're >> not using multiline strings there). > Fixed, patch attached Looks good to me, ACK. From mbasti at redhat.com Thu Jun 30 11:20:32 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:20:32 +0200 Subject: [Freeipa-devel] [PATCH 0548] Fix replica install with CA In-Reply-To: <240c23fc-4c58-6af4-70df-0cfd650bbf84@redhat.com> References: <240c23fc-4c58-6af4-70df-0cfd650bbf84@redhat.com> Message-ID: On 30.06.2016 13:18, Petr Spacek wrote: > On 30.6.2016 13:04, Martin Basti wrote: >> https://fedorahosted.org/freeipa/ticket/5966 >> >> This is only for the master branch; the ipa-4-3 fix will be different (soon) >> >> Patch attached > ACK > Pushed to master: a155f692e7ad7807a5ea28250d1e72b3e821991e From mbasti at redhat.com Thu Jun 30 11:21:23 2016
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 13:21:23 +0200 Subject: [Freeipa-devel] [PATCH 0545] cert.py: split docstring to multiple ugettext strings In-Reply-To: <3b509c3c-3f61-b3fe-8f86-419dd058627b@redhat.com> References: <7bf3ae48-1f13-d45d-7faf-a2248508624d@redhat.com> <3b509c3c-3f61-b3fe-8f86-419dd058627b@redhat.com> Message-ID: <6d3bed5b-6f78-2f7a-e8d1-964d9d4bd7bb@redhat.com> On 30.06.2016 13:20, Stanislav Laznicka wrote: > On 06/30/2016 01:08 PM, Martin Basti wrote: >> >> >> On 30.06.2016 10:13, Stanislav Laznicka wrote: >>> On 06/30/2016 09:18 AM, Martin Basti wrote: >>>> Make life easier for translators: there was a recent change in the cert.py >>>> docstring, so they have to translate the whole docstring again; >>>> I'm splitting it into multiple parts. >>>> >>>> >>>> Patch attached >>>> >>> I'm not sure whether the "See RFC 5280 for more details" should be >>> split from the link. >> It doesn't matter >>> Also, you need to add "\n" at the end of each reason string (you're >>> not using multiline strings there). >> Fixed, patch attached > > Looks good to me, ACK. > Pushed to master: fed9d9aaa73604f6e100acbe2d3c192f4e4676e8 From ftweedal at redhat.com Thu Jun 30 11:30:43 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 30 Jun 2016 21:30:43 +1000 Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported In-Reply-To: <20160630094904.GO4200@dhcp-40-8.bne.redhat.com> References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com> <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com> <20160630094904.GO4200@dhcp-40-8.bne.redhat.com> Message-ID: <20160630113043.GS4200@dhcp-40-8.bne.redhat.com> On Thu, Jun 30, 2016 at 07:49:04PM +1000, Fraser Tweedale wrote: > On Thu, Jun 30, 2016 at 11:38:35AM +0200, Florence Blanc-Renaud wrote: > > On 06/30/2016 06:29 AM, Fraser Tweedale wrote: > > > On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud wrote: > > > > On 06/29/2016 07:25 AM, Fraser Tweedale wrote: > > > > > The attached patch fixes > > > > > https://fedorahosted.org/freeipa/ticket/5991. > > > > > > > > > > Thanks, > > > > > Fraser > > > > > > > > > > > > > > > > > > > Hi Fraser, > > > > > > > > A few cosmetic comments: > > > > > > > > PEP8 issues: > > > > ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 > > > > ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters) > > > > ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters) > > > > > > > > and there is a typo in ipaserver/plugins/cert.py > > > > + doc=_("automatically add the principal if it doesn't exist > > > > (service princpals only)"), > > > > > > > > should be "princ*i*pals only" > > > > > > > > Otherwise LGTM, > > > > Flo > > > > > > > Thanks for review, Flo. Updated patch attached. > > > > > > Cheers, > > > Fraser > > > > > Hi Fraser, > > > > thanks for updated patch. There is still a pep8 error: > > ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 > > > Whups! > > > I am also wondering if the message is clear enough. 
When running the CLI > > it's ok because the user typed --add, but the GUI displays "'add' is not > > supported for user principals" > > and I feel > > "'add' option is not supported for user principals" > > would be more user-friendly. What do you think? > > > Yes, I concur that mentioning "option" is an improvement. Will cut > a new patch shortly > > Thanks! > Fraser > Updated patch attached. Third time's the charm? ;) Cheers, Fraser -------------- next part -------------- From 99c1d5c32b19a070f5e995fce4de32dee39433c1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 29 Jun 2016 15:02:51 +1000 Subject: [PATCH] cert-request: better error msg when 'add' not supported cert-request supports adding service principals that don't exist. If add is requested for other principal types, the error message just says "the principal doesn't exist". Add a new error type with better error message to explain that 'add' is not supported for host or user principals. Fixes: https://fedorahosted.org/freeipa/ticket/5991 --- ipalib/errors.py | 10 ++++++++++ ipaserver/plugins/cert.py | 21 ++++++++++++++++++--- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/ipalib/errors.py b/ipalib/errors.py index 10491a94211648df8bda60f3dbc9e52d19e83d10..7b4f15dd60ee80719195ba1b9b85d075b10bdf4f 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -1397,6 +1397,16 @@ class ServerRemovalError(ExecutionError): format = _('Server removal aborted: %(reason)s.') +class OperationNotSupportedForPrincipalType(ExecutionError): + """ + **4034** Raised when an operation is not supported for a principal type + """ + + errno = 4034 + format = _( + '%(operation)s is not supported for %(principal_type)s principals') + + class BuiltinError(ExecutionError): """ **4100** Base class for builtin execution errors (*4100 - 4199*). diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 63351c54c134f2bd58e8eb18bb0dc3bc6a5734b3..526360bb6b777abd398ad6d5e63f040fb52ac529 100644 
--- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -145,6 +145,12 @@ http://www.ietf.org/rfc/rfc5280.txt USER, HOST, SERVICE = range(3) +PRINCIPAL_TYPE_STRING_MAP = { + USER: _('user'), + HOST: _('host'), + SERVICE: _('service'), +} + register = Registry() PKIDATE_FORMAT = '%Y-%m-%d' @@ -385,7 +391,9 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): ), Flag( 'add', - doc=_("automatically add the principal if it doesn't exist"), + doc=_( + "automatically add the principal if it doesn't exist " + "(service principals only)"), ), ) @@ -480,8 +488,15 @@ class cert_request(Create, BaseCertMethod, VirtualCommand): elif principal_type == USER: principal_obj = api.Command['user_show'](principal_name, all=True) except errors.NotFound as e: - if principal_type == SERVICE and add: - principal_obj = api.Command['service_add'](principal_string, force=True) + if add: + if principal_type == SERVICE: + principal_obj = api.Command['service_add']( + principal_string, force=True) + else: + princtype_str = PRINCIPAL_TYPE_STRING_MAP[principal_type] + raise errors.OperationNotSupportedForPrincipalType( + operation=_("'add' option"), + principal_type=princtype_str) else: raise errors.NotFound( reason=_("The principal for this request doesn't exist.")) -- 2.5.5 From pvoborni at redhat.com Thu Jun 30 11:42:09 2016 
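Review bot: in the cert.py hunk at @@ -480,8 +488,15 @@ the new OperationNotSupportedForPrincipalType is raised only inside the `except errors.NotFound` branch, so a request that passes `add` for an existing user or host principal is still accepted and the flag is silently ignored. If 'add' is meant to be service-only, reject the combination before the principal lookup, e.g. `if add and principal_type != SERVICE: raise errors.OperationNotSupportedForPrincipalType(...)`, or state in the option doc that the flag is ignored when the principal already exists. The `e` bound by the context line `except errors.NotFound as e:` is not used anywhere in the visible lines and can be dropped in the same hunk.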
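Review bot: the errors.py hunk at @@ -1397,6 +1397,16 @@ picks errno 4034 with only ServerRemovalError visible as a neighbour, so please confirm 4034 is not already assigned to another ExecutionError subclass earlier in the file. The docstring should also say who raises it and with which keys: the format string needs both `operation` and `principal_type`, and a caller that omits one fails at format time instead of producing the intended message, so a line such as "Raised by cert-request when the 'add' option is used with a host or user principal" would help the next reader.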
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 30 Jun 2016 13:42:09 +0200
Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
In-Reply-To: <469399a4-2d19-8d12-fd92-6ce95fa7a2c6@redhat.com>
References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> <469399a4-2d19-8d12-fd92-6ce95fa7a2c6@redhat.com>
Message-ID:

On 06/29/2016 04:40 PM, Stanislav Laznicka wrote:
> On 06/29/2016 04:02 PM, Stanislav Laznicka wrote:
>> On 06/29/2016 03:53 PM, Martin Basti wrote:
>>>
>>>
>>> On 29.06.2016 15:52, Stanislav Laznicka wrote:
>>>> On 06/24/2016 03:14 PM, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 24.06.2016 15:11, Sumit Bose wrote:
>>>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel McCallum wrote:
>>>>>>> https://fedorahosted.org/freeipa/ticket/433
>>>>>> The patch works for me as expected, but the API.txt update is
>>>>>> missing in
>>>>>> the patch.
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>
>>>>> There are no updated managed permissions for krbprincipalauthind
>>>>> attribute in hosts.py, is this omitted on purpose?
>>>>> Martin^2
>>>>>
>>>> The attached patch adds them should these be required.
>>>>
>>>>
>>> Then we also need a patch for services.py, because there are missing
>>> ACIs too
>>>
>>> Martin^2
>>
>> It was already included but let me separate it in two patches, then.
>>
>>
> Good catch from Petr Vobornik - the rebuilt ACI.txt should also be
> included.
>
Attaching new version of Nathaniel's patch with API.txt and VERSION updated.

ACK for 0096-2

Pushed to master
* 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication indicators support to Host objects.

The "{Service|Host} {Read|Modify} " permissions look good to me. ACK if Nathaniel agrees that it doesn't deserve its own permission for modify.
-- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-npmccallum-0096-2-Add-authentication-indicators-support-to-Host-object.patch Type: text/x-patch Size: 5702 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 30 11:43:25 2016 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 30 Jun 2016 13:43:25 +0200 Subject: [Freeipa-devel] [PATCH] 0065, 66: webui: authentication indicators on host page In-Reply-To: References: <9eaa5115-38a3-a52f-8f7a-3130edd54428@redhat.com> Message-ID: On 06/29/2016 06:38 PM, Petr Vobornik wrote: > On 06/28/2016 04:32 PM, Pavel Vomacka wrote: >> Hello, >> >> please review attached patches. I moved strings used by authentication >> indicators widget to another dict so the second patch changes strings in >> custom_checkbox widget on service page. >> >> https://fedorahosted.org/freeipa/ticket/5872 >> > > > ACK > > push should wait on server side. > master: * 55049fceb978f2e20b13800b77775377428de386 Add authentication identificator to host page * ec6925e775598602e909d7a1f226f0c1e28cb074 Change paths of strings in auth indicators widget on service page -- Petr Vobornik From mbabinsk at redhat.com Thu Jun 30 11:51:08 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Jun 2016 13:51:08 +0200 Subject: [Freeipa-devel] [PATCHES 662-665] session: do not initialize session manager on import In-Reply-To: References: Message-ID: On 06/29/2016 04:53 PM, Jan Cholasta wrote: > Hi, > > the attached patches fix . > > Honza > > > ACK. -- Martin^3 Babinsky From mbasti at redhat.com Thu Jun 30 11:54:17 2016 
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 13:54:17 +0200
Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log
In-Reply-To: <654d77dd-24c0-e822-ae67-13cf4d84b5e4@redhat.com>
References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com> <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com> <654d77dd-24c0-e822-ae67-13cf4d84b5e4@redhat.com>
Message-ID:

On 30.06.2016 12:07, Petr Spacek wrote:
> On 30.6.2016 10:21, Jan Cholasta wrote:
>> On 30.6.2016 10:12, Petr Spacek wrote:
>>> On 30.6.2016 10:14, Jan Cholasta wrote:
>>>> On 30.6.2016 10:06, Petr Spacek wrote:
>>>>> On 30.6.2016 10:02, Jan Cholasta wrote:
>>>>>> On 30.6.2016 09:56, Petr Spacek wrote:
>>>>>>> On 30.6.2016 09:40, Martin Basti wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5757
>>>>>> "The easiest solution would be to add timestamps to logs, or log to
>>>>>> different
>>>>>> logs from oddjob or from installer (ipareplica-conncheck.local.log and
>>>>>> ipareplica-conncheck.remote.log)"
>>>>>>
>>>>>> Actually the easiest solution would be not to log into a file when executed
>>>>>> from oddjob.
>>>>> Well, IPA is hard enough to debug even with logs. I would not make the situation
>>>>> even worse by not logging at all :-)
>>>> The command logs into stderr, and both stdout and stderr are sent back to the
>>>> caller of the oddjob.
>>>>
>>>> Alternatively, it could log into a different file (say
>>>> /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are overkill to
>>>> fix this bug.
>>> While we are at it, a custom logger is overkill. IMHO we should log everything
>>> to journal and be done with it ...
>> It's not, we want to log to at least stderr ourselves.
>>
>> Also, it would be even harder to implement than timestamps, and time is a
> Sure, we do not have time:
> => ACK for current version of the patch.
>
> Petr^2 Spacek
>
>> factor here. It would fit more into
>> .
>>
>>> Petr^2 Spacek
>>>
>>>>>>>> Patches attached.
>>>>>>> I would rather use a timestamp format with dashes between numbers to make it
>>>>>>> easier to read and parse for humans.
>>>>>>>
>>>>>>> Compare:
>>>>>>>
>>>>>>> 201606270954
>>>>>>> 201606290954
>>>>>>> 201606300954
>>>>>>>
>>>>>>> with
>>>>>>>
>>>>>>> 2016-06-27-09-54
>>>>>>> 2016-06-29-09-54
>>>>>>> 2016-06-30-09-54
>>>
>>
>
New patches attached

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0546-Add-option-no-log-for-ipa-replica-conncheck-script.patch
Type: text/x-patch
Size: 1435 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbasti-0547-Do-not-log-to-file-in-remote-conncheck-side.patch
Type: text/x-patch
Size: 825 bytes
Desc: not available

From pvomacka at redhat.com Thu Jun 30 11:57:34 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 30 Jun 2016 13:57:34 +0200
Subject: [Freeipa-devel] [PATCH] 0062, 63: webui: Add button for 'server-del' command
In-Reply-To: <5b64fa15-ba16-3f2f-9461-d95033ea0a8c@redhat.com>
References: <0836f330-b7fb-a541-d13a-8ea9b4711021@redhat.com> <5b64fa15-ba16-3f2f-9461-d95033ea0a8c@redhat.com>
Message-ID: <89b2a2e4-7f04-9418-67ba-24a68c4f7468@redhat.com>

On 06/29/2016 05:42 PM, Petr Vobornik wrote:
> On 06/24/2016 12:40 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> please review attached patches, they add 'Delete Server' button.
>>
> 1. there is a whitespace warning while applying patch 63.
>
> 2. It breaks expectation of no_init.
> Instead of
> var that = IPA.details_facet(spec);
> Use
> var that = IPA.details_facet(spec, no_init);
>
> Then rename:
> that.init_facet = function() {
> to
> that.init_servers_facet = function() {
>
> Add there at beginning:
> that.init_details_facet
>
>
> 3. IPA.action and IPA.delete_action have the functionality of
> server_delete_action built-in, including redirection to server search
> page which is missing in this patch.
>
> Updated patch with the issues fixed is attached.
>
> I did not test final version of the patch because my testing env. died.
Thank you, everything works well.

ACK

-- 
Pavel^3 Vomacka

From jcholast at redhat.com Thu Jun 30 12:09:44 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 30 Jun 2016 14:09:44 +0200
Subject: [Freeipa-devel] [PATCHES 662-665] session: do not initialize session manager on import
In-Reply-To:
References:
Message-ID: <6dd81030-a1f9-2b03-c7d2-577f01d20a62@redhat.com>

On 30.6.2016 13:51, Martin Babinsky wrote:
> On 06/29/2016 04:53 PM, Jan Cholasta wrote:
>> Hi,
>>
>> the attached patches fix .
>>
>> Honza
>>
>>
>>
> ACK.

Thanks.

Pushed to master: 2615103c68e68596473260064dbe84585073eb51

-- 
Jan Cholasta

From mbasti at redhat.com Thu Jun 30 12:16:57 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 14:16:57 +0200
Subject: [Freeipa-devel] [PATCH 0145] DNS: Reinitialize DNS resolver after changing resolv.con
In-Reply-To: <9dfc4118-b352-ccab-5bd4-fdc9745c0d2b@redhat.com>
References: <9dfc4118-b352-ccab-5bd4-fdc9745c0d2b@redhat.com>
Message-ID:

On 29.06.2016 19:38, Petr Spacek wrote:
> Hello,
>
> DNS: Reinitialize DNS resolver after changing resolv.conf
>
> Previously the installer did not reinitialize the resolver, so queries for
> records created using the --ip-address option might not be answered. This led
> to incorrect results during the 'Updating DNS system records' phase at the
> end of installation.
>
> This is kind of a hack but right now we do not have enough time to extend
> python-dns's interface with a resolver_reinit() method.
>
> https://fedorahosted.org/freeipa/ticket/5962
>
ACK

Pushed to master: 3b79ce005c43c6cb270175dc987eed3ba19e0f53

From pvoborni at redhat.com Thu Jun 30 12:20:24 2016
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 30 Jun 2016 14:20:24 +0200 Subject: [Freeipa-devel] [PATCH] 0064: webui: simplify confirmation messages in confirmation dialogs In-Reply-To: <41f41086-8255-f130-9e75-4c03a02c159c@redhat.com> References: <88cd8843-8e38-5c82-5908-ec9cd1f4fcfe@redhat.com> <1ae7a09c-96ce-975f-78f0-fba99abccbda@redhat.com> <41f41086-8255-f130-9e75-4c03a02c159c@redhat.com> Message-ID: <41489195-f44a-d6f0-4bb6-04c20790279e@redhat.com> On 06/30/2016 10:39 AM, Pavel Vomacka wrote: > > > On 06/29/2016 04:40 PM, Petr Vobornik wrote: >> On 06/27/2016 05:50 PM, Pavel Vomacka wrote: >>> Hello, >>> >>> Please review attached patch which simplifies confirmation messages for >>> 'remove cert hold' and 'restore cert' actions. >>> >> I'd change: >> You can select a reason from the pull-down list. >> To: >> Select a reason from the pull-down list. >> > Changed. Updated patch attached. > ACK Pushed to master: a3c7f845e019f79c2cefde0526790dec4f118b56 -- Petr Vobornik From pvoborni at redhat.com Thu Jun 30 12:23:17 2016 
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 30 Jun 2016 14:23:17 +0200
Subject: [Freeipa-devel] [PATCH] 0062, 63: webui: Add button for 'server-del' command
In-Reply-To: <89b2a2e4-7f04-9418-67ba-24a68c4f7468@redhat.com>
References: <0836f330-b7fb-a541-d13a-8ea9b4711021@redhat.com> <5b64fa15-ba16-3f2f-9461-d95033ea0a8c@redhat.com> <89b2a2e4-7f04-9418-67ba-24a68c4f7468@redhat.com>
Message-ID: <3d7004d5-3f16-8bca-18a5-2a8054f9e878@redhat.com>

On 06/30/2016 01:57 PM, Pavel Vomacka wrote:
>
>
> On 06/29/2016 05:42 PM, Petr Vobornik wrote:
>> On 06/24/2016 12:40 PM, Pavel Vomacka wrote:
>>> Hello,
>>>
>>> please review attached patches, they add 'Delete Server' button.
>>>
>> 1. there is a whitespace warning while applying patch 63.
>>
>> 2. It breaks expectation of no_init.
>> Instead of
>> var that = IPA.details_facet(spec);
>> Use
>> var that = IPA.details_facet(spec, no_init);
>>
>> Then rename:
>> that.init_facet = function() {
>> to
>> that.init_servers_facet = function() {
>>
>> Add there at beginning:
>> that.init_details_facet
>>
>>
>> 3. IPA.action and IPA.delete_action have the functionality of
>> server_delete_action built-in, including redirection to server search
>> page which is missing in this patch.
>>
>> Updated patch with the issues fixed is attached.
>>
>> I did not test final version of the patch because my testing env. died.
> Thank you, everything works well.
>
> ACK
>

master:
* e65ce4fedc8e8e4f16c8d0c56f7618a84e8e7f85 Add support to change button css class on confirm dialog
* 7f4de88ea1da11d4111a917672c0cb7ab9866c90 Add button for server-del command

-- 
Petr Vobornik

From mbasti at redhat.com Thu Jun 30 12:29:34 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 14:29:34 +0200
Subject: [Freeipa-devel] [PATCH 0053] Fix wrong imports in copy-schema-to-ca
In-Reply-To:
References:
Message-ID:

On 28.06.2016 16:35, Petr Spacek wrote:
> On 28.6.2016 14:52, Stanislav Laznicka wrote:
>> Hello,
>>
>> The attached patch fixes wrong imports in copy-schema-to-ca.py script.
>>
>> https://fedorahosted.org/freeipa/ticket/6003
> ACK
>
Pushed to master: f3858be6e353fadf0b1da1c31b908264ddd636c5

From ofayans at redhat.com Thu Jun 30 12:40:39 2016
From: ofayans at redhat.com (Oleg Fayans)
Date: Thu, 30 Jun 2016 14:40:39 +0200
Subject: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain
In-Reply-To:
References: <57738D26.50404@redhat.com>
Message-ID: <57751347.50908@redhat.com>

Hi Martin,

Attached is a new version of the patch with two test cases separated.

On 06/29/2016 12:23 PM, Martin Basti wrote:
>
>
> On 29.06.2016 10:56, Oleg Fayans wrote:
>>
>>
>
> Hello,
>
> + assert_error(result,
> + "Failed to verify that %s is an IPA Server" %
> + self.master.hostname)
>
>
> I would expect this error there:
>
> "Cannot promote this client to a replica. Local domain '{local}' does
> not match IPA domain '{ipadomain}'. "

Right, that's what this ticket is about:
https://fedorahosted.org/freeipa/ticket/6006

Once these changes are implemented, we can update this test.

>
> You should not use a random REALM, in this case you don't test domains but
> realms. You can leave the test with an incorrect realm there, but as a
> separate test case

Oh, ok. But it does not seem possible to set up a client providing only
--realm without --domain: the installer would not do it.

>
> Martin^2
>
>

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ofayans-0052.1-Test-for-incorrect-client-domain.patch
Type: text/x-patch
Size: 2503 bytes
Desc: not available

From pvomacka at redhat.com Thu Jun 30 12:48:18 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Thu, 30 Jun 2016 14:48:18 +0200
Subject: [Freeipa-devel] [PATCH] 0067-72: webui for kerberos aliases
Message-ID:

Hello,

please review these patches. First two patches fix two minor bugs in custom_command_multivalued_widget. The rest of the patches add the webui for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

-- 
Pavel^3 Vomacka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0067-Change-error-handling-of-remove-command.patch
Type: text/x-patch
Size: 1212 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0068-Set-default-confirmation-button-label-to-Remove.patch
Type: text/x-patch
Size: 1011 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0069-Add-widgets-for-kerberos-aliases.patch
Type: text/x-patch
Size: 5802 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0070-Add-widget-for-kerberos-aliases-to-user-page.patch
Type: text/x-patch
Size: 1297 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0071-Add-widget-for-kerberos-aliases-to-hosts-page.patch
Type: text/x-patch
Size: 1307 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvomacka-0072-Add-widget-for-kerberos-aliases-to-service-page.patch
Type: text/x-patch
Size: 2745 bytes
Desc: not available

From mbasti at redhat.com Thu Jun 30 12:57:29 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 14:57:29 +0200
Subject: [Freeipa-devel] [Test][patch-0052] Test for incorrect client domain
In-Reply-To: <57751347.50908@redhat.com>
References: <57738D26.50404@redhat.com> <57751347.50908@redhat.com>
Message-ID:

On 30.06.2016 14:40, Oleg Fayans wrote:
> Hi Martin,
>
> Attached is a new version of the patch with two test cases separated.
>
> On 06/29/2016 12:23 PM, Martin Basti wrote:
>>
>> On 29.06.2016 10:56, Oleg Fayans wrote:
>>>
>> Hello,
>>
>> + assert_error(result,
>> + "Failed to verify that %s is an IPA Server" %
>> + self.master.hostname)
>>
>>
>> I would expect this error there:
>>
>> "Cannot promote this client to a replica. Local domain '{local}' does
>> not match IPA domain '{ipadomain}'. "
> Right, that's what this ticket is about:
> https://fedorahosted.org/freeipa/ticket/6006
>
> Once these changes are implemented, we can update this test

Wat? You get exactly the right message from ipa-replica-install, tested, reviewed by several people.

>
>> You should not use a random REALM, in this case you don't test domains but
>> realms. You can leave the test with an incorrect realm there, but as a
>> separate test case
> Oh, ok. But it does not seem possible to set up a client providing only
> --realm without --domain: the installer would not do it.
>

Try to read again: "should not use *random* REALM". Nothing prevents you from using --realm=TEST.REALM --domain=random-blah-domain

>
>> Martin^2
>>
>>
>
>

NACK

+ domain_name = 'exxample.test'
+ realm_name = domain_name.upper()

you still use a random realm name, and you still don't test ipa-replica-install; that ticket is not related to the domain in ipa-client-install, it is related to replica promotion

Martin^2

From pvoborni at redhat.com Thu Jun 30 13:00:56 2016
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 30 Jun 2016 15:00:56 +0200
Subject: [Freeipa-devel] [PATCH] 0007 Fix ipa-server-certinstall with certs signed by 3rd-party CA
In-Reply-To:
References: <264af0c4-f182-78fb-2c32-2195fe09874b@redhat.com>
Message-ID: <8d8196fe-adf7-1201-9f5b-2ed8f83b1e45@redhat.com>

On 06/29/2016 02:17 PM, Stanislav Laznicka wrote:
> On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> This patch fixes ipa-server-certinstall when used with 3rd-party certs.
>> The scenario is the following:
>> - install the server with an embedded CA
>> - use ipa-cacert-manage to install a 3rd party CA
>> - use ipa-certupdate to put the 3rd party CA cert in the relevant NSS
>> databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and
>> /etc/dirsrv/slapd-XXX)
>> - use ipa-server-certinstall to replace the Directory/Apache server
>> certificates with a cert signed by the 3rd party CA.
>>
>> Note that I had to run ipa-certupdate after setting selinux to permissive
>> mode (otherwise the cert does not get into /etc/pki/pki-tomcat/alias) and a bz has
>> been opened against selinux-policy to solve this issue.
>>
>> https://fedorahosted.org/freeipa/ticket/4785
>> https://fedorahosted.org/freeipa/ticket/4786
>>
>>
> Hello,
>
> The patch works as expected with the selinux requirement you mentioned. I will
> just add Honza for code sanity check. Therefore conditional ACK if the code can
> take no further improvements.
>
> Standa
>
>

Pushed to master: 025cfd911bce6214ef2b4311b16c5b6df6ad173a

According to Honza, it doesn't solve all corner cases. This can be fixed in the future. Honza, please open a ticket with the corner cases when you have time.

-- 
Petr Vobornik

From frenaud at redhat.com Thu Jun 30 13:16:48 2016
From: frenaud at redhat.com (Florence Blanc-Renaud) Date: Thu, 30 Jun 2016 15:16:48 +0200 Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported In-Reply-To: <20160630113043.GS4200@dhcp-40-8.bne.redhat.com> References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com> <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com> <20160630094904.GO4200@dhcp-40-8.bne.redhat.com> <20160630113043.GS4200@dhcp-40-8.bne.redhat.com> Message-ID: On 06/30/2016 01:30 PM, Fraser Tweedale wrote: > On Thu, Jun 30, 2016 at 07:49:04PM +1000, Fraser Tweedale wrote: >> On Thu, Jun 30, 2016 at 11:38:35AM +0200, Florence Blanc-Renaud wrote: >>> On 06/30/2016 06:29 AM, Fraser Tweedale wrote: >>>> On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud wrote: >>>>> On 06/29/2016 07:25 AM, Fraser Tweedale wrote: >>>>>> The attached patch fixes >>>>>> https://fedorahosted.org/freeipa/ticket/5991. >>>>>> >>>>>> Thanks, >>>>>> Fraser >>>>>> >>>>>> >>>>>> >>>>> Hi Fraser, >>>>> >>>>> A few cosmetic comments: >>>>> >>>>> PEP8 issues: >>>>> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 >>>>> ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 characters) >>>>> ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 characters) >>>>> >>>>> and there is a typo in ipaserver/plugins/cert.py >>>>> + doc=_("automatically add the principal if it doesn't exist >>>>> (service princpals only)"), >>>>> >>>>> should be "princ*i*pals only" >>>>> >>>>> Otherwise LGTM, >>>>> Flo >>>>> >>>> Thanks for review, Flo. Updated patch attached. >>>> >>>> Cheers, >>>> Fraser >>>> >>> Hi Fraser, >>> >>> thanks for updated patch. There is still a pep8 error: >>> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 >>> >> Whups! >> >>> I am also wondering if the message is clear enough. 
When running the CLI >>> it's ok because the user typed --add, but the GUI displays "'add' is not >>> supported for user principals" >>> and I feel >>> "'add' option is not supported for user principals" >>> would be more user-friendly. What do you think? >>> >> Yes, I concur that mentioning "option" is an improvement. Will cut >> a new patch shortly >> >> Thanks! >> Fraser >> > Updated patch attached. Third time's the charm? ;) > > Cheers, > Fraser > Hi Fraser, thanks for the updated patch. Yes, 3rd time's the charm :) Ack, Flo. From slaznick at redhat.com Thu Jun 30 13:36:20 2016 From: slaznick at redhat.com (Stanislav Laznicka) Date: Thu, 30 Jun 2016 15:36:20 +0200 Subject: [Freeipa-devel] [PATCH 0144] Fix `Conflicts` with ipa-python In-Reply-To: <5263645c-e22b-0ec2-241e-9c995c7da7a1@redhat.com> References: <5263645c-e22b-0ec2-241e-9c995c7da7a1@redhat.com> Message-ID: <4d9f536c-4a38-30a4-ef19-78b4823f687e@redhat.com> On 06/29/2016 02:36 PM, Petr Spacek wrote: > Hello, > > Fix `Conflicts` with ipa-python > > The conflicts should have constant version in it because it is related > to package split. > > https://fedorahosted.org/freeipa/ticket/6004 > > > I've tested the same change in RHEL 7.2->7.3 upgrade and it worked just fine. > Upgrade from IPA 4.3.1 to master on Fedora 24 worked just fine, too. > ACK, worked for me as well. From mbasti at redhat.com Thu Jun 30 13:42:51 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 15:42:51 +0200 Subject: [Freeipa-devel] [PATCH] 0082 cert-request: better error msg when 'add' not supported In-Reply-To: References: <20160629052539.GC4200@dhcp-40-8.bne.redhat.com> <97c3f1a8-39c8-dd4b-d1a8-eba39a696057@redhat.com> <20160630042924.GJ4200@dhcp-40-8.bne.redhat.com> <20160630094904.GO4200@dhcp-40-8.bne.redhat.com> <20160630113043.GS4200@dhcp-40-8.bne.redhat.com> Message-ID: On 30.06.2016 15:16, Florence Blanc-Renaud wrote: > On 06/30/2016 01:30 PM, Fraser Tweedale wrote: >> On Thu, Jun 30, 2016 at 07:49:04PM +1000, Fraser Tweedale wrote: >>> On Thu, Jun 30, 2016 at 11:38:35AM +0200, Florence Blanc-Renaud wrote: >>>> On 06/30/2016 06:29 AM, Fraser Tweedale wrote: >>>>> On Wed, Jun 29, 2016 at 11:30:14AM +0200, Florence Blanc-Renaud >>>>> wrote: >>>>>> On 06/29/2016 07:25 AM, Fraser Tweedale wrote: >>>>>>> The attached patch fixes >>>>>>> https://fedorahosted.org/freeipa/ticket/5991. >>>>>>> >>>>>>> Thanks, >>>>>>> Fraser >>>>>>> >>>>>>> >>>>>>> >>>>>> Hi Fraser, >>>>>> >>>>>> A few cosmetic comments: >>>>>> >>>>>> PEP8 issues: >>>>>> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 >>>>>> ./ipaserver/plugins/cert.py:394:80: E501 line too long (98 > 79 >>>>>> characters) >>>>>> ./ipaserver/plugins/cert.py:496:80: E501 line too long (81 > 79 >>>>>> characters) >>>>>> >>>>>> and there is a typo in ipaserver/plugins/cert.py >>>>>> + doc=_("automatically add the principal if it doesn't >>>>>> exist >>>>>> (service princpals only)"), >>>>>> >>>>>> should be "princ*i*pals only" >>>>>> >>>>>> Otherwise LGTM, >>>>>> Flo >>>>>> >>>>> Thanks for review, Flo. Updated patch attached. >>>>> >>>>> Cheers, >>>>> Fraser >>>>> >>>> Hi Fraser, >>>> >>>> thanks for updated patch. There is still a pep8 error: >>>> ./ipalib/errors.py:1399:1: E302 expected 2 blank lines, found 1 >>>> >>> Whups! >>> >>>> I am also wondering if the message is clear enough. 
When running >>>> the CLI >>>> it's ok because the user typed --add, but the GUI displays "'add' >>>> is not >>>> supported for user principals" >>>> and I feel >>>> "'add' option is not supported for user principals" >>>> would be more user-friendly. What do you think? >>>> >>> Yes, I concur that mentioning "option" is an improvement. Will cut >>> a new patch shortly >>> >>> Thanks! >>> Fraser >>> >> Updated patch attached. Third time's the charm? ;) >> >> Cheers, >> Fraser >> > Hi Fraser, > > thanks for the updated patch. Yes, 3rd time's the charm :) > Ack, > Flo. > Pushed to master: 3fab1b63502c3206d792b7aeaa12d486612f0137 From mbasti at redhat.com Thu Jun 30 13:46:33 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 15:46:33 +0200 Subject: [Freeipa-devel] [PATCH 0144] Fix `Conflicts` with ipa-python In-Reply-To: <4d9f536c-4a38-30a4-ef19-78b4823f687e@redhat.com> References: <5263645c-e22b-0ec2-241e-9c995c7da7a1@redhat.com> <4d9f536c-4a38-30a4-ef19-78b4823f687e@redhat.com> Message-ID: <4db440fe-0a81-f001-20c2-b2166b87171b@redhat.com> On 30.06.2016 15:36, Stanislav Laznicka wrote: > On 06/29/2016 02:36 PM, Petr Spacek wrote: >> Hello, >> >> Fix `Conflicts` with ipa-python >> >> The conflicts should have constant version in it because it is related >> to package split. >> >> https://fedorahosted.org/freeipa/ticket/6004 >> >> >> I've tested the same change in RHEL 7.2->7.3 upgrade and it worked >> just fine. >> Upgrade from IPA 4.3.1 to master on Fedora 24 worked just fine, too. >> > ACK, worked for me as well. > Pushed to master: 669da991837267435a6e6563794f93c2f207c80b From ldoudova at redhat.com Thu Jun 30 13:47:40 2016 
From: ldoudova at redhat.com (Lenka Doudova)
Date: Thu, 30 Jun 2016 15:47:40 +0200
Subject: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust
Message-ID: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com>

Hi,

attaching patch with some basic coverage for the external trust feature. A bit more detailed info is in the commit message.

Since the feature requires me to run commands previously used only for forest root domains even for subdomains, I made some changes in the ipatests/test_integration/tasks.py file, so that it would enable me to reuse existing functions without copy-pasting them for one variable change.

Lenka

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-ldoudova-0025-Tests-External-trust.patch
Type: text/x-patch
Size: 12155 bytes
Desc: not available

From npmccallum at redhat.com Thu Jun 30 13:55:03 2016
From: npmccallum at redhat.com (Nathaniel McCallum)
Date: Thu, 30 Jun 2016 09:55:03 -0400
Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects
In-Reply-To:
References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> <469399a4-2d19-8d12-fd92-6ce95fa7a2c6@redhat.com>
Message-ID: <1467294903.4972.0.camel@redhat.com>

On Thu, 2016-06-30 at 13:42 +0200, Petr Vobornik wrote:
> On 06/29/2016 04:40 PM, Stanislav Laznicka wrote:
> > 
> > On 06/29/2016 04:02 PM, Stanislav Laznicka wrote:
> > > 
> > > On 06/29/2016 03:53 PM, Martin Basti wrote:
> > > > 
> > > > 
> > > > On 29.06.2016 15:52, Stanislav Laznicka wrote:
> > > > > 
> > > > > On 06/24/2016 03:14 PM, Martin Basti wrote:
> > > > > > 
> > > > > > 
> > > > > > On 24.06.2016 15:11, Sumit Bose wrote:
> > > > > > > 
> > > > > > > On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel
> > > > > > > McCallum wrote:
> > > > > > > > 
> > > > > > > > https://fedorahosted.org/freeipa/ticket/433
> > > > > > > The patch works for me as expected, but the API.txt
> > > > > > > update is
> > > > > > > missing in
> > > > > > > the patch.
> > > > > > > 
> > > > > > > bye,
> > > > > > > Sumit
> > > > > > 
> > > > > > There are no updated managed permissions for
> > > > > > krbprincipalauthind
> > > > > > attribute in hosts.py, is this omitted on purpose?
> > > > > > Martin^2
> > > > > > 
> > > > > The attached patch adds them should these be required.
> > > > > 
> > > > > 
> > > > 
> > > > Then we also need a patch for services.py, because there are
> > > > missing
> > > > ACIs too
> > > > 
> > > > Martin^2
> > > 
> > > It was already included but let me separate it in two patches,
> > > then.
> > > 
> > > 
> > Good catch from Petr Vobornik - the rebuilt ACI.txt should also be
> > included.
> > 
> 
> Attaching new version of Nathaniel's patch with API.txt and VERSION
> updated.
> 
> ACK for 0096-2
> 
> Pushed to master
> * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication
> indicators
> support to Host objects.
> 
> The "{Service|Host} {Read|Modify} " permissions look good to me.
> ACK
> if Nathaniel agrees that it doesn't deserve its own permission for
> modify.

I agree. We can add it later if someone needs it.

From mbasti at redhat.com Thu Jun 30 14:04:21 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 16:04:21 +0200
Subject: [Freeipa-devel] [PATCH] 0077 Check for CA subject name collision before attempting creation
In-Reply-To:
References: <20160624073434.GQ4200@dhcp-40-8.bne.redhat.com>
Message-ID: <040cc865-1962-9613-1e90-5458a37b9435@redhat.com>

On 24.06.2016 10:34, Milan Kubík wrote:
> On 06/24/2016 09:34 AM, Fraser Tweedale wrote:
>> Hi,
>>
>> Attached patch fixes https://fedorahosted.org/freeipa/ticket/5981.
>>
>> Cheers,
>> Fraser
> Thanks for the patch, ACK.
>
Pushed to master: 16f33ddb51523fe9a4c68e91519099991ece10a5

From mbasti at redhat.com Thu Jun 30 14:07:42 2016
From: mbasti at redhat.com (Martin Basti)
Date: Thu, 30 Jun 2016 16:07:42 +0200
Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency
In-Reply-To:
References: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com> <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com>
Message-ID:

On 06.06.2016 18:40, Petr Vobornik wrote:
> On 06/06/2016 07:28 AM, Jan Cholasta wrote:
>> Hi,
>>
>> On 3.6.2016 18:29, Petr Vobornik wrote:
>>> admintools doesn't pull python[2|3]-ipaclient by default which ends
>>> with an exception if CLI is used.
>> Please use this ticket URL:
> done, new patch version attached.
>
>
>
Honza, can this be pushed?

From ofayans at redhat.com Thu Jun 30 14:12:21 2016
From: ofayans at redhat.com (Oleg Fayans) Date: Thu, 30 Jun 2016 16:12:21 +0200 Subject: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust In-Reply-To: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> References: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> Message-ID: <577528C5.1060203@redhat.com> Hi Lenka, The changes in test_trust.py are fine. As for tasks.py: 1. I'd rename sync_time_hostname to just sync_time and 2. I would start ntpd again in the same method: it's no good to keep this thing in mind each time you call it. Besides, I would split the changes into 2 patches: one for tasks.py and the other for test_trust.py On 06/30/2016 03:47 PM, Lenka Doudova wrote: > Hi, > > attaching patch with some basic coverage for external trust feature. Bit > more detailed info in commit message. > > Since the feature requires me to run commands previously used only for > forest root domains even for subdomains, I made some changes in > ipatests/test_integration/tasks.py file, so that it would enable me to > reuse existing function without copy-pasting them for one variable change. > > > Lenka > > > -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From jcholast at redhat.com Thu Jun 30 14:20:40 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jun 2016 16:20:40 +0200 Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency In-Reply-To: References: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com> <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com> Message-ID: On 30.6.2016 16:07, Martin Basti wrote: > > > On 06.06.2016 18:40, Petr Vobornik wrote: >> On 06/06/2016 07:28 AM, Jan Cholasta wrote: >>> Hi, >>> >>> On 3.6.2016 18:29, Petr Vobornik wrote: >>>> admintools doesn't pull python[2|3]-ipaclient by default which ends >>>> with exception if CLI is used. >>> Please use this ticket URL: >> done, new patch version attached. >> >> >> > Honza, can be this pushed? Pushed where? The is no longer required, at least on master. -- Jan Cholasta From mbabinsk at redhat.com Thu Jun 30 14:17:02 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Jun 2016 16:17:02 +0200 Subject: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust In-Reply-To: <577528C5.1060203@redhat.com> References: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> <577528C5.1060203@redhat.com> Message-ID: <3b8821ea-16f1-875e-487e-642a7a615ad5@redhat.com> On 06/30/2016 04:12 PM, Oleg Fayans wrote: > Hi Lenka, > > The changes in test_trust.py are fine. > As for tasks.py: > 1. I'd rename sync_time_hostname to just sync_time and > 2. I would start ntpd again in the same method: it's no good to keep > this thing in mind each time you call it. > If you start ntpd again you may de-sync AD DC and IPA master again when there is substantial time difference between them (as is usually the case). It is best to leave ntpd stopped and even disable it afterwards. > Besides, I would split the changes into 2 patches: one for tasks.py and > other for test_trust.py > > > On 06/30/2016 03:47 PM, Lenka Doudova wrote: >> Hi, >> >> attaching patch with some basic coverage for external trust feature. Bit >> more detailed info in commit message. >> >> Since the feature requires me to run commands previously used only for >> forest root domains even for subdomains, I made some changes in >> ipatests/test_integration/tasks.py file, so that it would enable me to >> reuse existing function without copy-pasting them for one variable change. >> >> >> Lenka >> >> >> > -- Martin^3 Babinsky From ldoudova at redhat.com Thu Jun 30 14:20:02 2016
From: ldoudova at redhat.com (Lenka Doudova) Date: Thu, 30 Jun 2016 16:20:02 +0200 Subject: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust In-Reply-To: <577528C5.1060203@redhat.com> References: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> <577528C5.1060203@redhat.com> Message-ID: <12c54a36-86c3-9c20-a696-697dbaf660d0@redhat.com> On 06/30/2016 04:12 PM, Oleg Fayans wrote: > Hi Lenka, > > The changes in test_trust.py are fine. > As for tasks.py: > 1. I'd rename sync_time_hostname to just sync_time and There's already one sync_time function with different contents, it seemed nicer to create a new function than adding some "switch" into the old one, making it three times longer. > 2. I would start ntpd again in the same method: it's no good to keep > this thing in mind each time you call it. Leaving ntpd stopped is "legacy" from original function, and as I am not sure which purpose it serves, I decided to leave it as it is. > > Besides, I would split the changes into 2 patches: one for tasks.py and > other for test_trust.py No problem there, + adding ticket info into commit message, as I seem to have forgotten again. > > > On 06/30/2016 03:47 PM, Lenka Doudova wrote: >> Hi, >> >> attaching patch with some basic coverage for external trust feature. Bit >> more detailed info in commit message. >> >> Since the feature requires me to run commands previously used only for >> forest root domains even for subdomains, I made some changes in >> ipatests/test_integration/tasks.py file, so that it would enable me to >> reuse existing function without copy-pasting them for one variable change. >> >> >> Lenka >> >> >> From dkupka at redhat.com Thu Jun 30 14:25:11 2016
From: dkupka at redhat.com (David Kupka) Date: Thu, 30 Jun 2016 16:25:11 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> Message-ID: <0c2dd2d6-e8f0-8269-35f0-7c2e2e88fbd9@redhat.com> On 28/04/16 14:45, Jan Cholasta wrote: > Hi, > > I have pushed my thin client WIP branch to GitHub: > . > > All commits up to "ipalib: use relative imports for cross-plugin > imports" should be good for review. The rest is subject to change > (WARNING: I will force push into this branch). > > Honza > Hello! Patch set: server: exclude Local commands from RPC client: add placeholders for required remote plugins client: ignore override errors in command overrides plugable: add option to ignore override errors cert: fix CLI output of cert_remove_hold frontend: do not ignore client-side output params user: add object plugin for user_status server: define missing virtual attributes contains mostly fixes for some bugs discovered in thin client. Works for me, ACK. -- David Kupka From jcholast at redhat.com Thu Jun 30 14:33:07 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Thu, 30 Jun 2016 16:33:07 +0200 Subject: [Freeipa-devel] [WIP] Thin client In-Reply-To: <0c2dd2d6-e8f0-8269-35f0-7c2e2e88fbd9@redhat.com> References: <4587fed6-1e63-0fe0-3749-c9793167c77c@redhat.com> <0c2dd2d6-e8f0-8269-35f0-7c2e2e88fbd9@redhat.com> Message-ID: On 30.6.2016 16:25, David Kupka wrote: > On 28/04/16 14:45, Jan Cholasta wrote: >> Hi, >> >> I have pushed my thin client WIP branch to GitHub: >> . >> >> All commits up to "ipalib: use relative imports for cross-plugin >> imports" should be good for review. The rest is subject to change >> (WARNING: I will force push into this branch). >> >> Honza >> > > Hello! > > Patch set: > > server: exclude Local commands from RPC > client: add placeholders for required remote plugins > client: ignore override errors in command overrides > plugable: add option to ignore override errors > cert: fix CLI output of cert_remove_hold > frontend: do not ignore client-side output params > user: add object plugin for user_status > server: define missing virtual attributes > > contains mostly fixes for some bugs discovered in thin client. Works for > me, ACK. Thanks, pushed to master: 2beb72ffa4bea5e22c2ba4685a524df36d1f800c Attaching the patches for reference. -- Jan Cholasta -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-667-server-define-missing-virtual-attributes.patch Type: text/x-patch Size: 25301 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-668-user-add-object-plugin-for-user_status.patch Type: text/x-patch Size: 7163 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: freeipa-jcholast-669-frontend-do-not-ignore-client-side-output-params.patch Type: text/x-patch Size: 1415 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-670-cert-fix-CLI-output-of-cert_remove_hold.patch Type: text/x-patch Size: 2061 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-671-plugable-add-option-to-ignore-override-errors.patch Type: text/x-patch Size: 2498 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-672-client-ignore-override-errors-in-command-overrides.patch Type: text/x-patch Size: 16302 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-673-client-add-placeholders-for-required-remote-plugins.patch Type: text/x-patch Size: 6017 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-jcholast-674-server-exclude-Local-commands-from-RPC.patch Type: text/x-patch Size: 6368 bytes Desc: not available URL: From mbasti at redhat.com Thu Jun 30 14:30:54 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 16:30:54 +0200 Subject: [Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency In-Reply-To: References: <6c52b86f-26e5-c14b-18fd-7f4aebe943f9@redhat.com> <4973471a-53eb-0156-d4e1-e12c46a4063b@redhat.com> Message-ID: On 30.06.2016 16:20, Jan Cholasta wrote: > On 30.6.2016 16:07, Martin Basti wrote: >> >> >> On 06.06.2016 18:40, Petr Vobornik wrote: >>> On 06/06/2016 07:28 AM, Jan Cholasta wrote: >>>> Hi, >>>> >>>> On 3.6.2016 18:29, Petr Vobornik wrote: >>>>> admintools doesn't pull python[2|3]-ipaclient by default which ends >>>>> with exception if CLI is used. >>>> Please use this ticket URL: >>>> >>> done, new patch version attached. >>> >>> >>> >> Honza, can be this pushed? > > Pushed where? The is no longer required, at least on master. > ok From mbasti at redhat.com Thu Jun 30 14:39:12 2016 From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 16:39:12 +0200 Subject: [Freeipa-devel] [PATCH] 0083 Fix regression on ipa-4-3 branch In-Reply-To: <20160630043701.GK4200@dhcp-40-8.bne.redhat.com> References: <20160630043701.GK4200@dhcp-40-8.bne.redhat.com> Message-ID: On 30.06.2016 06:37, Fraser Tweedale wrote: > The attached patch fixes a regression on the ipa-4-3 branch, caused > by commit 3d71c43504ea7837ea14bb9dd4a469c07337293f. > > Thanks, > Fraser > > ACK, thanks Pushed to ipa-4-3: 8ce40940300e0e37191251a8a26bb8a4b5fcd604 -------------- next part -------------- An HTML attachment was scrubbed... URL: From pvoborni at redhat.com Thu Jun 30 14:45:33 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 30 Jun 2016 16:45:33 +0200 Subject: [Freeipa-devel] [PATCH 0096] Add authentication indicators support to Host objects In-Reply-To: <1467294903.4972.0.camel@redhat.com> References: <1466533549.17252.2.camel@redhat.com> <20160624131136.GH14566@p.Speedport_W_724V_Typ_A_05011603_00_009> <006914d7-90b2-02b5-0492-c6a90d908c0e@redhat.com> <01ed7b85-e132-bff7-ff2c-e9b0f1b2629d@redhat.com> <25e643d7-60a6-54e6-4406-63efb3c13b78@redhat.com> <469399a4-2d19-8d12-fd92-6ce95fa7a2c6@redhat.com> <1467294903.4972.0.camel@redhat.com> Message-ID: <9049f72f-797b-b606-00c9-8d98effd6711@redhat.com> On 06/30/2016 03:55 PM, Nathaniel McCallum wrote: > On Thu, 2016-06-30 at 13:42 +0200, Petr Vobornik wrote: >> On 06/29/2016 04:40 PM, Stanislav Laznicka wrote: >>> >>> On 06/29/2016 04:02 PM, Stanislav Laznicka wrote: >>>> >>>> On 06/29/2016 03:53 PM, Martin Basti wrote: >>>>> >>>>> >>>>> >>>>> On 29.06.2016 15:52, Stanislav Laznicka wrote: >>>>>> >>>>>> On 06/24/2016 03:14 PM, Martin Basti wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 24.06.2016 15:11, Sumit Bose wrote: >>>>>>>> >>>>>>>> On Tue, Jun 21, 2016 at 02:25:49PM -0400, Nathaniel >>>>>>>> McCallum wrote: >>>>>>>>> >>>>>>>>> https://fedorahosted.org/freeipa/ticket/433 >>>>>>>> The patch works for me as expected, but the API.txt >>>>>>>> update is >>>>>>>> missing in >>>>>>>> the patch. >>>>>>>> >>>>>>>> bye, >>>>>>>> Sumit >>>>>>> >>>>>>> There are no updated managed permissions for >>>>>>> krbprincipalauthind >>>>>>> attribute in hosts.py, is this omitted on purpose? >>>>>>> Martin^2 >>>>>>> >>>>>> The attached patch adds them should these be required. >>>>>> >>>>>> >>>>> >>>>> Then we also needs patch for services.py, because there are >>>>> missing >>>>> ACIs too >>>>> >>>>> Martin^2 >>>> >>>> It was already included but let me separate it in two patches, >>>> then. >>>> >>>> >>> Good catch from Petr Vobornik - the rebuilt ACI.txt should also be >>> included. 
>>> >> >> Attaching new version of Nathaniel's patch with API.txt and VERSION >> updated. >> >> ACK for 0096-2 >> >> Pushed to master >> * 0855b014b1edcb1632a41e380220abd7bb5e481a Add authentication >> indicators >> support to Host objects. >> >> The "{Service|Host} {Read|Modify} " permissions looks good to me. >> ACK >> if Nathaniel agrees that it doesn't deserve its own permission for >> modify. > > I agree. We can add it later if someone needs it. > pushed to master: * 97db87b383b1ae4639bdb51793354bad30adf5a9 host: Added permissions for auth. indicators read/modify * 235b19ba7f9807ecf10436d1a5b28518b4475a70 service: Added permissions for auth. indicators read/modify -- Petr Vobornik From mbabinsk at redhat.com Thu Jun 30 15:01:06 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Jun 2016 17:01:06 +0200 Subject: [Freeipa-devel] [PATCH 0025][Tests] RFE: External trust In-Reply-To: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> References: <22e9385b-24f3-5d00-be28-8087218e84ec@redhat.com> Message-ID: On 06/30/2016 03:47 PM, Lenka Doudova wrote: > Hi, > > attaching patch with some basic coverage for external trust feature. Bit > more detailed info in commit message. > > Since the feature requires me to run commands previously used only for > forest root domains even for subdomains, I made some changes in > ipatests/test_integration/tasks.py file, so that it would enable me to > reuse existing function without copy-pasting them for one variable change. > > > Lenka > > > Hi Lenka, I have a few comments: 1.) -def establish_trust_with_ad(master, ad, extra_args=()): +def establish_trust_with_ad(master, ad, extra_args=(), subdomain=False): This modification seems extremely kludgy to me. I would rather change the function signature to: -def establish_trust_with_ad(master, ad, extra_args=()): +def establish_trust_with_ad(master, ad_domain, extra_args=()): and pass the domain name itself to the function instead of doing magic inside. The same goes with `remove trust_with_ad`. You may want to fix the calls to them in existing code so that the domain is passed instead of the whole trust object. 2.) +def sync_time_hostname(host, srv_hostname): + """ + Syncs time with the remote server given by its hostname. + Please note that this function leaves ntpd stopped. + """ + host.run_command(['systemctl', 'stop', 'ntpd']) + host.run_command(['ntpdate', srv_hostname]) + + this looks like a duplicate of the function above it, why is it even needed? 3.) 
+class TestExternalTrustWithSubdomain(ADTrustBase): + """ + Test establishing external trust with subdomain + """ + + @classmethod + def install(cls, mh): + super(ADTrustBase, cls).install(mh) + cls.ad = cls.ad_domains[0].ads[0] + cls.install_adtrust() + cls.check_sid_generation() + + # Determine whether the subdomain AD is available + try: + child_ad = cls.host_by_role(cls.optional_extra_roles[0]) + cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:]) + cls.ad_subdomain_hostname = child_ad.hostname + except LookupError: + cls.ad_subdomain = None + + cls.configure_dns_and_time() Please use proper OOP practices when overriding the behavior of the base test class. For starters you could rewrite the install method like this: + @classmethod + def install(cls, mh): + # Determine whether the subdomain AD is available + try: + cls.child_ad = cls.host_by_role(cls.optional_extra_roles[0]) + cls.ad_subdomain = '.'.join(child_ad.hostname.split('.')[1:]) + cls.ad_subdomain_hostname = child_ad.hostname + except LookupError: + raise nose.SkipTest("AFAIK this will skip the whole test class") + super(ADTrustBase, cls).install(mh) with child_ad stored as class attribute, you can override `configure_dns_and_time`: + def configure_dns_and_time(cls): + tasks.configure_dns_for_trust(cls.master, cls.ad_subdomain) # no need to re-implement the function just to get to the child AD DC hostname now + tasks.sync_time(cls.master, cls.child_ad.hostname) You can then use this class as an intermediary in the hierarchy and inherit the other external/non-external trust test classes from it, since most setup method in them are just copy-pasted from this one. -- Martin^3 Babinsky From pvoborni at redhat.com Thu Jun 30 15:27:10 2016 
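Review bot: in the install() classmethod of TestExternalTrustWithSubdomain, `super(ADTrustBase, cls).install(mh)` starts the method lookup after ADTrustBase, so ADTrustBase.install itself never runs and the body has to repeat install_adtrust(), check_sid_generation() and configure_dns_and_time() by hand; if the intent is to reuse the base setup, write `super(TestExternalTrustWithSubdomain, cls).install(mh)` and override only the step that differs, and if skipping the base install is deliberate, a one-line comment should say so. In the same method the `except LookupError:` branch sets only cls.ad_subdomain = None and leaves cls.ad_subdomain_hostname undefined, yet cls.configure_dns_and_time() still runs afterwards; either skip the class when the child AD is absent or set both attributes, so that later code fails with a clear message rather than an AttributeError.

Review bot: the suggested replacement install() stores the child DC as cls.child_ad but then reads child_ad.hostname on the next line, which is a NameError as written; it should be cls.child_ad.hostname. The suggested configure_dns_and_time(cls) is invoked as cls.configure_dns_and_time() by the base class, so it needs the @classmethod decorator like the method it overrides, and `raise nose.SkipTest(...)` needs nose imported in that module.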
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 30 Jun 2016 17:27:10 +0200 Subject: [Freeipa-devel] [PATCH] 0067-72: webui for kerberos aliases In-Reply-To: References: Message-ID: On 06/30/2016 02:48 PM, Pavel Vomacka wrote: > Hello, > > please review these patches. First two patches fix two minor bugs in > custom_command_multivalued_widget. > > The rest of patches add webui for kerberos aliases. > > https://fedorahosted.org/freeipa/ticket/5927 > A preliminary review - I only read the code. Patch 0067: LGTM, btw same wrong interface is in on_error_add, but there it is not use Patch 0068: lGTM Patch 0069: 1. A nitpick, not necessarily a NACK. krb_custom_command_multivalued_widget should be named e.g. krb_principal_multivalued_widget. 2. Doc texts for the new widges are missing. This can be added later. 3. `!principal_name || principal_name === '')` is the same as `!principal_name` so var principal_name = value[0]; if (!principal_name || principal_name === '') { principal_name = {}; } could be simplified into var principal_name = value[0] || {}; but why is an object set into that.principal_name when it is later used as a text: `that.principal_text.text(that.principal_name);` Patch 0070: LGTM Patch 0071: LGTM Patch 0072: LGTM if the change of krbprincipalname to krbcanonicalname is good. -- Petr Vobornik From mbasti at redhat.com Thu Jun 30 16:05:27 2016 
From: mbasti at redhat.com (Martin Basti) Date: Thu, 30 Jun 2016 18:05:27 +0200 Subject: [Freeipa-devel] [PATCH 0548] Fix replica install with CA In-Reply-To: References: <240c23fc-4c58-6af4-70df-0cfd650bbf84@redhat.com> Message-ID: On 30.06.2016 13:20, Martin Basti wrote: > > > On 30.06.2016 13:18, Petr Spacek wrote: >> On 30.6.2016 13:04, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5966 >>> >>> This only for master branch, ipa-4-3 fix will be different (soon) >>> >>> Patch attached >> ACK >> > Pushed to master: a155f692e7ad7807a5ea28250d1e72b3e821991e > And 4.3 patch attached. -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-4-3-mbasti-0548.1-Fix-replica-install-with-CA.patch Type: text/x-patch Size: 3422 bytes Desc: not available URL: From yurchor at ukr.net Thu Jun 30 16:56:28 2016 From: yurchor at ukr.net (Yuri Chornoivan) Date: Thu, 30 Jun 2016 19:56:28 +0300 Subject: [Freeipa-devel] [PATCH] Fix minor typo Message-ID: Hi, /ipaserver/plugins/cert.py:120: Verify that a certificate is owner by a specific user: It might be Verify that a certificate is owned by a specific user: Thanks for reviewing this possible typo fix. Best regards, Yuri -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-minor-typo.patch Type: application/octet-stream Size: 799 bytes Desc: not available URL: From pvoborni at redhat.com Thu Jun 30 17:34:16 2016 
From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 30 Jun 2016 19:34:16 +0200 Subject: [Freeipa-devel] [PATCH] 961 webui: prevent infinite reload for users with krbbprincipal alias set Message-ID: Web UI has an inbuilt mechanism to reload in case response from a server contains a different principal than the one loaded during Web UI startup. see rpc.js:381 With kerberos aliases support the loaded principal could be different because krbprincipalname contained multiple values. In such case krbcanonicalname should be used - it contains the same principal as the one which will be in future API responses. part of: https://fedorahosted.org/freeipa/ticket/5927 -- Petr Vobornik -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pvoborni-0961-webui-prevent-infinite-reload-for-users-with-krbbpri.patch Type: text/x-patch Size: 1585 bytes Desc: not available URL: From mbabinsk at redhat.com Thu Jun 30 17:42:15 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Jun 2016 19:42:15 +0200 Subject: [Freeipa-devel] [PATCH 0546-0547] use timestamps for ipareplica-conncheck.log In-Reply-To: References: <99fed015-9ac8-7f87-284d-a5f08aa67c19@redhat.com> <0f7601a7-2a42-ed7b-e48a-f93812433646@redhat.com> <66bd71cf-27e3-abfa-ab32-c9b25b05bec4@redhat.com> <898c49ab-189d-4a9f-68af-72ed6761dcf0@redhat.com> <372907cb-6380-7df9-0ade-022a2ca5f629@redhat.com> <654d77dd-24c0-e822-ae67-13cf4d84b5e4@redhat.com> Message-ID: <30d0400f-c2ac-d0c7-9df4-1cf35ce03caf@redhat.com> On 06/30/2016 01:54 PM, Martin Basti wrote: > > > On 30.06.2016 12:07, Petr Spacek wrote: >> On 30.6.2016 10:21, Jan Cholasta wrote: >>> On 30.6.2016 10:12, Petr Spacek wrote: >>>> On 30.6.2016 10:14, Jan Cholasta wrote: >>>>> On 30.6.2016 10:06, Petr Spacek wrote: >>>>>> On 30.6.2016 10:02, Jan Cholasta wrote: >>>>>>> On 30.6.2016 09:56, Petr Spacek wrote: >>>>>>>> On 30.6.2016 09:40, Martin Basti wrote: >>>>>>>>> https://fedorahosted.org/freeipa/ticket/5757 >>>>>>> "The easiest solution would be to add timestamps to logs, or log to >>>>>>> different >>>>>>> logs from oddjob or from installer >>>>>>> (ipareplica-conncheck.local.log and >>>>>>> ipareplica-conncheck.remote.log)" >>>>>>> >>>>>>> Actually the easiest solution would be not to log into a file >>>>>>> when executed >>>>>>> from oddjob. >>>>>> Well, IPA is hard enough to debug even with logs. I would not make >>>>>> situation >>>>>> even worse by not logging at all :-) >>>>> The commands logs into stderr, and both stdout and stderr are sent >>>>> back to the >>>>> caller of the oddjob. >>>>> >>>>> Alternatively, it could log into a different file (say >>>>> /var/log/ipareplica-conncheck-oddjob.log). IMO timestamps are an >>>>> overkill to >>>>> fix this bug. >>>> When we are at it, a custom logger is overkill. IMHO we should log >>>> everything >>>> to journal and be done with it ... >>> It's not, we want to log to at least stderr ourselves. 
>>> >>> Also, it would be even harder to implement than timestamps, and time >>> is a >> Sure, we do not have time: >> => ACK for current version of the patch. >> >> Petr^2 Spacek >> >>> factor here. It would fit more into >>> . >>> >>>> Petr^2 Spacek >>>> >>>>>>>>> Patches attached. >>>>>>>> I would rather use timestamp format with dashes between numbers >>>>>>>> to make it >>>>>>>> easier to read and parse for humans. >>>>>>>> >>>>>>>> Compare: >>>>>>>> >>>>>>>> 201606270954 >>>>>>>> 201606290954 >>>>>>>> 201606300954 >>>>>>>> >>>>>>>> with >>>>>>>> >>>>>>>> 2016-06-27-09-54 >>>>>>>> 2016-06-29-09-54 >>>>>>>> 2016-06-30-09-54 >>>> >>> >> > > New patches attached. > > Works for me, ACK. -- Martin^3 Babinsky From mbabinsk at redhat.com Thu Jun 30 17:54:53 2016 From: mbabinsk at redhat.com (Martin Babinsky) Date: Thu, 30 Jun 2016 19:54:53 +0200 Subject: [Freeipa-devel] [PATCH] 961 webui: prevent infinite reload for users with krbbprincipal alias set In-Reply-To: References: Message-ID: On 06/30/2016 07:34 PM, Petr Vobornik wrote: > Web UI has an inbuilt mechanism to reload in case response from a server > contains a different principal than the one loaded during Web UI > startup. > > see rpc.js:381 > > With kerberos aliases support the loaded principal could be different > because krbprincipalname contained multiple values. > > In such case krbcanonicalname should be used - it contains the same > principal as the one which will be in future API responses. > > part of: https://fedorahosted.org/freeipa/ticket/5927 > This patch is the WebUI counterpart to my WIP hacks to rpcserver.py which make it possible to log in to the Web UI via an enterprise principal (e.g. use at email.com). ACK from me. -- Martin^3 Babinsky From pspacek at redhat.com Thu Jun 30 19:23:39 2016
From: pspacek at redhat.com (Petr Spacek) Date: Thu, 30 Jun 2016 21:23:39 +0200 Subject: [Freeipa-devel] [PATCH 0146] Fix internal errors in host-add and other commands caused by DNS resolutio Message-ID: <666c475c-8c59-41ef-08f7-0f0592729c4a@redhat.com> Hello, Fix internal errors in host-add and other commands caused by DNS resolution Previously resolver was returning CheckedIPAddress objects. This caused internal server errors in cases where DNS actually returned reserved IP addresses. Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses. From now on we can decide if some IP address should be accepted as-is or if it needs to be constrained to some subset of IP addresses using CheckedIPAddress class. This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710 I've split parser and checks into separate classes. Attached script CheckedIPAddressRefactoring.py uses python-hypothesis to compare results from old and new implementations. It seems that all valid inputs return the very same results. The new implementation is a bit stricter when it comes to invalid inputs (parse_netmask=False & addr=IPNetwork instance) but as far as I can tell this case could not happen in current IPA anyway. ipa-server-install, ipa-client-install, ipa-replica-install, and ipa-ca-install on replica seem to work. DNS records for ipa-ca were properly updated after replica installation. Also installation on server without A/AAAA record in DNS and subsequent ipa-dns-install worked just fine. -- Petr^2 Spacek -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pspacek-0146-Fix-internal-errors-in-host-add-and-other-commands-c.patch Type: text/x-patch Size: 13245 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: CheckedIPAddressRefactoring.py Type: text/x-python Size: 14480 bytes Desc: not available URL: From dkupka at redhat.com Thu Jun 30 19:34:37 2016 
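The parse/check split Petr describes above, as an added example that is not part of the original post and not FreeIPA's own code: the class names UnsafeIPAddress and CheckedIPAddress are reused for readability, but the implementation, the acceptance rules and the constructed DNS answers in SAMPLE_ANSWERS are this example's own assumptions. The point it demonstrates is that a resolver answer is untrusted input: the resolver only parses, and only the caller that knows what the address is for decides what to reject.

```python
"""Added example (not FreeIPA code): keep IP-address *parsing* (is it a
syntactically valid literal?) apart from *checking* (is it acceptable for
this purpose?).  A resolver that returns unchecked addresses cannot blow up
on a reserved answer; the caller applies policy and reports the rest."""
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class UnsafeIPAddress:
    """Syntax only: the text must be an IPv4 or IPv6 literal.  Nothing is
    filtered, so anything a DNS answer can contain is representable."""

    def __init__(self, text: str) -> None:
        try:
            self.addr: IPAddr = ipaddress.ip_address(text.strip())
        except ValueError as exc:
            raise ValueError("not an IP address literal: %r" % text) from exc

    def __str__(self) -> str:
        return str(self.addr)


class CheckedIPAddress(UnsafeIPAddress):
    """Policy on top of syntax: reject addresses that cannot be a real host
    address (multicast, unspecified, loopback unless asked for, link-local,
    reserved).  Private ranges are deliberately allowed (assumed policy)."""

    def __init__(self, text: str, allow_loopback: bool = False) -> None:
        super().__init__(text)
        a = self.addr
        if a.is_multicast:
            raise ValueError("%s is a multicast address" % a)
        if a.is_unspecified:
            raise ValueError("%s is the unspecified address" % a)
        if a.is_loopback and not allow_loopback:
            raise ValueError("%s is a loopback address" % a)
        if a.is_link_local:
            raise ValueError("%s is a link-local address" % a)
        if a.is_reserved:
            raise ValueError("%s is a reserved address" % a)


# Constructed stand-in for DNS answers; no network access in this example.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "ipa.example.test": [
        "192.0.2.10", "127.0.0.1", "224.0.0.1",
        "2001:db8::1", "fe80::1", "0.0.0.0",
    ],
}


def resolve(name: str, answers: Dict[str, List[str]]) -> List[UnsafeIPAddress]:
    """Resolver stand-in: returns every answer as an UnsafeIPAddress and
    passes no judgement on it (the role the mail gives the resolver)."""
    return [UnsafeIPAddress(s) for s in answers.get(name, [])]


def usable_addresses(name: str, answers: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """What a command like host-add needs: the acceptable addresses plus a
    readable reason for each rejected one, never an unhandled exception."""
    accepted: List[str] = []
    rejected: List[str] = []
    for unsafe in resolve(name, answers):
        try:
            accepted.append(str(CheckedIPAddress(str(unsafe))))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = usable_addresses("ipa.example.test", SAMPLE_ANSWERS)
    print("accepted:", ok)
    for reason in bad:
        print("rejected:", reason)
```

Design note: the resolver never raises a policy error, only CheckedIPAddress does, so a reserved or multicast answer becomes an ordinary ValueError the command can report instead of an internal error; a caller that needs a different subset (loopback for a local-only check, say) passes allow_loopback rather than loosening the parser for everyone.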
From: dkupka at redhat.com (David Kupka) Date: Thu, 30 Jun 2016 21:34:37 +0200 Subject: [Freeipa-devel] [PATCH] pwpolicy: Do not expire passwords when maxlife is set to 0 (infinity). In-Reply-To: <7d0b9a1f-95da-142c-7fa5-f9e5fbcd1ec4@redhat.com> References: <1462372560.3624.62.camel@redhat.com> <7d0b9a1f-95da-142c-7fa5-f9e5fbcd1ec4@redhat.com> Message-ID: <1777358e-8acf-fd18-6714-f705a4a48de8@redhat.com> On 04/05/16 17:22, Pavel Vomacka wrote: > > > On 05/04/2016 04:36 PM, Simo Sorce wrote: >> On Wed, 2016-05-04 at 15:39 +0200, Martin Kosek wrote: >>> On 05/02/2016 02:28 PM, David Kupka wrote: >>>> https://fedorahosted.org/freeipa/ticket/2795 >>> That patch looks suspiciously short given the struggles I saw in >>> http://www.redhat.com/archives/freeipa-devel/2015-June/msg00198.html >>> :-) >>> >>> Instead of setting to IPAPWD_END_OF_TIME, should we instead avoid >>> filling >>> "krbPasswordExpiration" attribute at all, i.e. have password *without* >>> expiration? Or is krbPasswordExpiration mandatory? >> So I looked at the MIT code, and it seem like they are coping just fine >> with a missing (ie value = 0 internally) pw_expiration attribute. >> >> So if we make our code cope with omitting any expiration if the >> attribute is missing then yes, we can mark no expiration with simply >> removing (or not setting) the krbPasswordExpiration attribute. >> The attribute itself is optional and can be omitted. >> >> I think this is a good idea, and is definitely better than inventing a a >> magic value. >> >> Simo. >> > Just a note: I tested David's patch and it actually doesn't work when > the new password policy for ipausers group is created (priority = 0, > which should be the highest priority). The maxlife and minlife values > are empty. Even if I set the new password policy maxlife and minlife to > 0 the result was that password will expire in 90 days. The patch worked > correctly when I changed value of maxlife and minlife to 0 in > 'global_policy'. 
Then the password expiration was set to 2038-01-01. > Hello! I hope I've finally found all the places in ipa-kdb and ipa-pwd-extop plugins to tickle in order to have passwords that don't expire. Updated patch attached. https://fedorahosted.org/freeipa/ticket/2795 -- David Kupka -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-dkupka-0100.1-Allow-unexpiring-passwords.patch Type: text/x-patch Size: 5696 bytes Desc: not available URL: From dkupka at redhat.com Thu Jun 30 21:17:34 2016
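Simo's point about an absent attribute versus a magic value, as an added example that is not from the thread and not FreeIPA's ipa-pwd-extop or ipa-kdb code: the sentinel 2038-01-01 is assumed from Pavel's observation, krbPasswordExpiration and its GeneralizedTime format are the standard attribute and syntax, and the helper names are this example's own. It models both encodings of "maxlife 0" and runs them through a KDC-style expiry check to show where the sentinel breaks.

```python
"""Added example (not FreeIPA code): "this password never expires" written
either as a sentinel date or by omitting krbPasswordExpiration, checked the
way a KDC would check it (missing attribute == no expiration)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

KRB_TIME_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20380101000000Z

# Sentinel the first patch version wrote for "no expiration"; the exact
# date is an assumption taken from the "2038-01-01" observation above.
IPAPWD_END_OF_TIME = datetime(2038, 1, 1, tzinfo=timezone.utc)


def at(iso: str) -> datetime:
    """Helper: naive ISO-8601 timestamp -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def expiry_attrs_with_sentinel(changed_at: datetime, maxlife_seconds: int) -> Dict[str, str]:
    """'Before': maxlife 0 is encoded as a magic far-future date, so the
    attribute is always written."""
    if maxlife_seconds == 0:
        exp = IPAPWD_END_OF_TIME
    else:
        exp = changed_at + timedelta(seconds=maxlife_seconds)
    return {"krbPasswordExpiration": exp.strftime(KRB_TIME_FMT)}


def expiry_attrs_without_attribute(changed_at: datetime, maxlife_seconds: int) -> Dict[str, str]:
    """'After': maxlife 0 writes no krbPasswordExpiration at all (the
    approach Simo argues for)."""
    if maxlife_seconds == 0:
        return {}
    exp = changed_at + timedelta(seconds=maxlife_seconds)
    return {"krbPasswordExpiration": exp.strftime(KRB_TIME_FMT)}


def password_expired(entry: Dict[str, str], now: datetime) -> bool:
    """KDC-side test.  A missing attribute means 'no expiration', which is
    how the thread describes MIT Kerberos treating pw_expiration == 0."""
    raw = entry.get("krbPasswordExpiration")
    if raw is None:
        return False
    exp = datetime.strptime(raw, KRB_TIME_FMT).replace(tzinfo=timezone.utc)
    return now >= exp


def compare_policies(changed_at: datetime, maxlife_seconds: int, checked_at: datetime) -> Tuple[bool, bool]:
    """Return (expired_with_sentinel, expired_without_attribute) for a
    password changed at `changed_at` and checked at `checked_at`."""
    with_sentinel = password_expired(
        expiry_attrs_with_sentinel(changed_at, maxlife_seconds), checked_at)
    without_attr = password_expired(
        expiry_attrs_without_attribute(changed_at, maxlife_seconds), checked_at)
    return with_sentinel, without_attr


if __name__ == "__main__":
    t0 = at("2016-06-30T12:00:00")
    print("90-day policy, day 91:", compare_policies(t0, 90 * 86400, at("2016-09-29T12:00:00")))
    print("maxlife 0, in 2020:   ", compare_policies(t0, 0, at("2020-01-01T00:00:00")))
    print("maxlife 0, mid-2038:  ", compare_policies(t0, 0, at("2038-06-01T00:00:00")))
```

The last line of the demo is the argument: with the sentinel, every "never expires" password silently starts expiring on the sentinel date, while the attribute-less encoding needs no special value and no future migration.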
From: dkupka at redhat.com (David Kupka) Date: Thu, 30 Jun 2016 23:17:34 +0200 Subject: [Freeipa-devel] [WIP] Kerberos principal aliases pt. 2 In-Reply-To: <7064fcdb-1005-20fb-d880-4749b468e241@redhat.com> References: <7064fcdb-1005-20fb-d880-4749b468e241@redhat.com> Message-ID: <043bef51-3318-2caf-46c4-aa300a501c5c@redhat.com> On 28/06/16 20:08, Martin Babinsky wrote: > On 06/24/2016 09:52 AM, Martin Babinsky wrote: >> Hi list, >> >> I am furiously working on tickets related to the proper support and API >> for managing kerberos principal aliases for hosts, users, and >> services[1-5]. >> >> To better track and comment on my progress, I have forked freeipa on git >> and created a branch for you to test and review. The link is here: >> >> https://github.com/martbab/freeipa/tree/krb5-principal-aliases >> >> Please be aware that I may force-push into the branch without warning >> when fixing issues we will discover during testing/review. >> >> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases >> [2] https://fedorahosted.org/freeipa/ticket/3864 >> [3] https://fedorahosted.org/freeipa/ticket/3961 >> [4] https://fedorahosted.org/freeipa/ticket/1365 >> [5] https://fedorahosted.org/freeipa/ticket/5413 >> > > Based on Jan's suggestions I have reworked the code substantially and > force-pushed it into the github branch. Please review. > Hello! I have gone through the code and tested the functionality in basic use cases (server-install, upgrade, replica-install, adding/removing principals, getting ticket with alias, ...). Code looks good to me and everything* seems to work smoothly. condACK, if Pavel or Petr^1 (or anyone else who tried this) don't report any issue really soon. *except for https://fedorahosted.org/freeipa/ticket/6017 -- David Kupka