URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
Title: #837: ca-add: fix permission issue
Action: opened
PR body:
"""
The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs. Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.
To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag. If the CA creation in Dogtag succeeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag. If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.
This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted. But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails. Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.
Fixes: https://pagure.io/freeipa/issue/6609
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837
URL: https://github.com/freeipa/freeipa/pull/894
Author: felipevolpone
Title: #894: Fixing ipa-replica-install --setup-kra if it's the first KRA in topology
Action: opened
PR body:
"""
I'm trying to fix the ticket, but I'm not quite sure of how to do it. Until now, I removed the exception and called the api in kra to install it. However, I'm getting an exception:
```
bash-4.3$ sudo python /usr/sbin/ipa-replica-install -r DOM-116.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM --setup-kra --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Timed out trying to obtain keys.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
from /var/log/ipareplica-install.log
```
2017-06-23T18:38:44Z DEBUG stderr=
2017-06-23T18:38:44Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG Created connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG raw: hostgroup_show(u'ipaservers', rights=True, all=True, version=u'2.228')
2017-06-23T18:38:44Z DEBUG hostgroup_show(u'ipaservers', rights=True, all=True, raw=False, version=u'2.228', no_members=False)
2017-06-23T18:38:44Z DEBUG flushing ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com from SchemaCache
2017-06-23T18:38:44Z DEBUG retrieving schema for SchemaCache url=ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f73c6769f38>
2017-06-23T18:38:44Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG Created connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG flushing ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com from SchemaCache
2017-06-23T18:38:44Z DEBUG retrieving schema for SchemaCache url=ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f73c6769c20>
2017-06-23T18:38:44Z DEBUG No IPA DNS servers, skipping forward/reverse resolution check
2017-06-23T18:38:44Z DEBUG Initializing principal host/vm-058-064.abc.idm.lab.eng.brq.redhat.com(a)DOM-116.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM using keytab /etc/krb5.keytab
2017-06-23T18:38:44Z DEBUG using ccache /tmp/krbcc9omA2g/ccache
2017-06-23T18:38:44Z DEBUG Attempt 1/1: success
2017-06-23T18:38:44Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-06-23T18:38:44Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-06-23T18:38:44Z INFO Waiting up to 300 seconds to see our keys appear on host: None
2017-06-23T18:38:45Z DEBUG Transient error getting keys: '{'desc': "Can't contact LDAP server"}'
2017-06-23T18:43:45Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:43:45Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 375, in validate
for _nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 636, in _configure
next(validator)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
for _nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 613, in main
replica_promote_check(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1270, in promote_check
raise ScriptError(e)
2017-06-23T18:43:45Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Timed out trying to obtain keys.
2017-06-23T18:43:45Z ERROR Timed out trying to obtain keys.
2017-06-23T18:43:45Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
There is a high chance that I'm getting the wrong path here, so if there is someone able to help me (pointing to some docs or explaining more details of it), it would be great.
Ticket https://pagure.io/freeipa/issue/7008
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/894/head:pr894
git checkout pr894
URL: https://github.com/freeipa/freeipa/pull/884
Author: npmccallum
Title: #884: ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace
Action: opened
PR body:
"""
For some unknown reason, when I wrote the ipa-otptoken-import script
I used bad input data which had the PBKDF2 parameters in the wrong
XML namespace. I have corrected this input data to match RFC 6030.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/884/head:pr884
git checkout pr884
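As an added illustration of the namespace point in #884 (not code from the PR or from ipa-otptoken-import), the following parser accepts `PBKDF2-params` only when it is qualified with the PKCS#5 namespace that RFC 6030 uses, and rejects the xenc11-qualified variant instead of guessing. The container fragment is constructed after the RFC 6030 section 6.2 example; the omitted PRF is taken as PKCS#5's default HMAC-SHA1.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs as used in the RFC 6030 (PSKC) examples.
NS = {
    "xenc11": "http://www.w3.org/2009/xmlenc11#",
    "pkcs5": "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#",
}
PBKDF2_URI = NS["pkcs5"] + "pbkdf2"

# Constructed container fragment modelled on the RFC 6030 section 6.2 example.
GOOD = """<pskc:KeyContainer Version="1.0"
  xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc"
  xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
  xmlns:pkcs5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#">
 <pskc:EncryptionKey><xenc11:DerivedKey>
  <xenc11:KeyDerivationMethod
    Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
   <pkcs5:PBKDF2-params>
    <Salt><Specified>Ej7/PEpyEpw=</Specified></Salt>
    <IterationCount>1000</IterationCount>
    <KeyLength>16</KeyLength>
   </pkcs5:PBKDF2-params>
  </xenc11:KeyDerivationMethod>
 </xenc11:DerivedKey></pskc:EncryptionKey>
</pskc:KeyContainer>"""
# The same fragment with PBKDF2-params wrongly placed in the xenc11 namespace.
BAD = GOOD.replace("pkcs5:PBKDF2-params", "xenc11:PBKDF2-params")

def load_pbkdf2_params(xml_text):
    """Return (salt, iterations, key_length) from the container's DerivedKey."""
    kdm = ET.fromstring(xml_text).find(".//xenc11:KeyDerivationMethod", NS)
    if kdm is None or kdm.get("Algorithm") != PBKDF2_URI:
        raise ValueError("no PBKDF2 key derivation method in container")
    # Only the pkcs5-qualified element is accepted; PBKDF2-params in any
    # other namespace is reported as malformed instead of being guessed at.
    params = kdm.find("pkcs5:PBKDF2-params", NS)
    if params is None:
        raise ValueError("PBKDF2-params missing or not in the pkcs5 namespace")
    # The child elements are unqualified, as in the RFC example.
    salt = base64.b64decode(params.findtext("Salt/Specified"))
    iterations = int(params.findtext("IterationCount"))
    return salt, iterations, int(params.findtext("KeyLength"))

def derive_key(xml_text, password):
    """Derive the key-wrapping key; no PRF given, so PKCS#5's default HMAC-SHA1."""
    salt, iterations, key_length = load_pbkdf2_params(xml_text)
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_length)
```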
URL: https://github.com/freeipa/freeipa/pull/877
Author: seriv
Title: #877: LDAP ObjectClasses are case-insensitive
Action: opened
PR body:
"""
In IPA servers of previous versions, new users were created with objectClass capitalizations like 'posixAccount'.
They should be treated as matching 'posixaccount'.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/877/head:pr877
git checkout pr877
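An added illustration of the comparison #877 describes (not code from the PR): an entry stored by an older server carries `posixAccount`, so a byte-exact membership test misses it, while a comparison that follows LDAP's case-insensitive matching for objectClass values (and for attribute type names) finds it. The entry is constructed.

```python
# Constructed entry as an older IPA server would have stored it.
OLD_USER = {
    "dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "objectClass": ["top", "person", "inetOrgPerson", "posixAccount"],
    "uid": ["alice"],
}

def naive_has_objectclass(entry, oc):
    """Byte-exact check: misses 'posixAccount' when asked for 'posixaccount'."""
    return oc in entry.get("objectclass", [])

def get_attr(entry, name):
    """Fetch an attribute's values; LDAP attribute type names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []

def has_objectclass(entry, oc):
    """objectClass values are compared case-insensitively, as LDAP does."""
    return oc.lower() in (v.lower() for v in get_attr(entry, "objectclass"))

def missing_objectclasses(entry, required):
    """Object classes that would still have to be added to the entry."""
    return [oc for oc in required if not has_objectclass(entry, oc)]
```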
URL: https://github.com/freeipa/freeipa/pull/880
Author: felipevolpone
Title: #880: Changing how commands handle errors when they can't connect to the IPA server
Action: opened
PR body:
"""
The commands that connect to the IPA server can raise a `NetworkError` with the message ``ipa: ERROR: can't connect to `http://localhost:8888/ipa/json': [Errno 111] Connection refused``. Instead of that, this changes the error message to be more user-friendly.
I've used the `GenericError` because it inherits from `PublicError` and does not have a default message. So I do not have to change the `run` method in `ipalib/cli.py` to handle a different exception/case.
Ticket: https://pagure.io/freeipa/issue/6261
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/880/head:pr880
git checkout pr880
URL: https://github.com/freeipa/freeipa/pull/878
Author: stlaz
Title: #878: [experimental] Make certificate an object
Action: opened
PR body:
"""
This is a WIP patchset (you can tell it's WIP by the lack of the commit
messages) which implements certificates as objects. This should
very much simplify the way certificates are processed in the whole
project and is a first part of this effort. This makes us not care about
the certificate format (=> no encoding/decoding) until we really need
to write it somewhere.
In the second part of this effort, there should be a Certificate parameter
to the framework which should further improve the format-agnostic
behavior.
This is a part of Python 3 effort which showed that it's necessary to
improve how certificates are worked with.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/878/head:pr878
git checkout pr878
URL: https://github.com/freeipa/freeipa/pull/809
Author: frasertweedale
Title: #809: Support specifying external CA template (preliminary refactors)
Action: opened
PR body:
"""
This PR contains a couple of refactorings, as groundwork for
upcoming support for specifying the external CA profile/template
during install / ca-install / cacert-manage renew / etc.
https://pagure.io/freeipa/issue/6858
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/809/head:pr809
git checkout pr809