URL: https://github.com/freeipa/freeipa/pull/3039
Author: tiran
Title: #3039: Add temporary directory manager
Action: opened
PR body:
"""
The temporary directory manager simplifies the handling of temporary
files that are shared with other processes or kept throughout the
lifetime of the current process. It should only be used in case
tempfile.NamedTemporaryFile is not up for the task.
The manager creates a new temporary directory for each user. The
directory and all its files are accessible by the target user and the
root group ($uid:root / 0o770 / 0o660) to avoid DAC override capability.
The temporary directory is automatically removed on process exit.
Related: https://pagure.io/freeipa/issue/7911
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3039/head:pr3039
git checkout pr3039
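As an illustration of the layout the PR describes (one directory per user, $uid:root ownership, 0o770 on the directory and 0o660 on its files, removal at process exit), here is an added example that is not FreeIPA's own code. Names such as `TempDirManager`, `mkdir` and `create` are assumptions; ownership is only changed when the process runs as root, otherwise the caller's uid and gid are kept.

```python
import atexit
import os
import pwd
import shutil
import tempfile

class TempDirManager:
    def __init__(self, base=None):
        self.base = base
        self._dirs = {}
        atexit.register(self.cleanup)  # remove every directory on process exit

    def _owner(self, user):
        # chown only when running as root; otherwise keep the caller's ownership
        if user is None or os.geteuid() != 0:
            return None
        return pwd.getpwnam(user).pw_uid, 0  # $uid:root

    def mkdir(self, user=None):
        if user not in self._dirs:
            path = tempfile.mkdtemp(prefix="ipa-%s-" % (user or "self"), dir=self.base)
            if self._owner(user):
                os.chown(path, *self._owner(user))
            os.chmod(path, 0o770)  # mkdtemp gives 0o700; open it to the root group
            self._dirs[user] = path
        return self._dirs[user]

    def create(self, name, user=None):
        # O_EXCL|O_NOFOLLOW: refuse a pre-planted file or symlink of the same name
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(os.path.join(self.mkdir(user), name), flags, 0o660)
        os.fchmod(fd, 0o660)  # apply the mode regardless of the umask
        if self._owner(user):
            os.fchown(fd, *self._owner(user))
        return os.fdopen(fd, "w")

    def cleanup(self):
        for path in self._dirs.values():
            shutil.rmtree(path, ignore_errors=True)
        self._dirs.clear()

def demo():
    """Return (directory mode, file mode, directory still exists after cleanup)."""
    mode = lambda p: os.stat(p).st_mode & 0o777
    mgr = TempDirManager()
    d = mgr.mkdir()
    mgr.create("token.txt").close()
    modes = (mode(d), mode(os.path.join(d, "token.txt")))
    mgr.cleanup()
    return modes + (os.path.exists(d),)
```

Because the group is root rather than a shared service group, a root-owned helper can read the files through ordinary group permissions without needing CAP_DAC_OVERRIDE.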
URL: https://github.com/freeipa/freeipa/pull/3102
Author: tiran
Title: #3102: Workaround for AJP to bind on IPv6 localhost
Action: opened
PR body:
"""
Tomcat's AJP connector binds to IPv4 localhost only. This causes issues
with IPv6-only environments. The installer now detects if localhost6 is
available and working, then configures Dogtag's Tomcat to use
localhost6.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3102/head:pr3102
git checkout pr3102
URL: https://github.com/freeipa/freeipa/pull/2331
Author: mrizwan93
Title: #2331: Installation of replica against a specific server
Action: opened
PR body:
"""
Test to check replica install against a specific server. It uses master and
replica1 without CA and with the custodia service stopped. Then it tries to
install replica2 from replica1 so that replica2 will fetch secrets from
master, as the custodia service is not running on replica1.
related ticket: https://pagure.io/freeipa/issue/7566
Signed-off-by: Mohammad Rizwan Yusuf <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2331/head:pr2331
git checkout pr2331
URL: https://github.com/freeipa/freeipa/pull/3483
Author: frasertweedale
Title: #3483: Support AES wrapping in LWCA key replication
Action: opened
PR body:
"""
The PR enhances the NSSWrappedCertDB custodia store to accept an optional
symmetric encryption algorithm OID to use for encrypting the key. Also update
the ipa-pki-retrieve-key program to request AES wrapping.
For backwards compatibility when older servers request a key, default to 3DES
(which is what the older server supports).
For backwards compatibility when retrieving a key from an older server, try AES
first, and on HTTP 404 retry without the algorithm OID.
This change depends on Dogtag PR https://github.com/dogtagpki/pki/pull/232, and
a new Dogtag release containing the change (so that we can bump the dep min
bound in FreeIPA).
Changes:
```
4afb3c3fa (Fraser Tweedale, 21 hours ago)
ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that specifies
that AES encryption should be used. Fall back to a simple request (which
will use default export algorithm) if the server returns 404. The 404
indicates that either:
- It is an old server that does not support extra key arguments
- It is a new server but the key does not exist, in which case the
fallback request will also fail with 404.
Fixes: https://pagure.io/freeipa/issue/8020
c5d150a39 (Fraser Tweedale, 8 days ago)
NSSWrappedCertDB: accept optional symmetric algorithm
Add support for specifying the desired symmetric encryption algorithm for
exporting wrapped key (for LWCA key replication). If not specified,
defaults to DES-EDE3-CBC for backwards compatibility.
Client-side changes will occur in a subsequent commit.
Part of: https://pagure.io/freeipa/issue/8020
86ba401cc (Fraser Tweedale, 8 days ago)
IPASecStore: support extra key arguments
To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal support
for AES. Whereas we currently request a key with the path:
/keys/ca_wrapped/<nickname>
and whereas paths with > 3 components are unsupported, add support for
handlers to signal that they support extra arguments (defaulting to False),
those arguments being conveyed as additional path components, e.g.:
# 2.16.840.1.101.3.4.1.2 = aes128-cbc
/keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2
This commit only adds the Custodia support for extra handler arguments.
Work to support LWCA key replication with AES wrapping will continue in
subsequent commits.
Part of: https://pagure.io/freeipa/issue/8020
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3483/head:pr3483
git checkout pr3483
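The two halves of the compatibility scheme described above (server handlers that opt in to extra path components, and a client that requests the AES OID first and retries without it on 404) as an added example; this is not the Custodia or ipa-pki-retrieve-key code. `NotFound` stands in for HTTP 404, the two in-memory "servers", the key store and the nickname are constructed for the demonstration, and the `extra_args` attribute is an assumed way of expressing the handler flag the commit message mentions.

```python
AES128_CBC_OID = "2.16.840.1.101.3.4.1.2"  # aes128-cbc, as quoted in the PR
DES_EDE3_CBC = "DES-EDE3-CBC"              # legacy default named in the PR

class NotFound(Exception): pass  # stands in for an HTTP 404 from the server

def dispatch(handlers, path):
    """Server side: route /keys/<store>/<name>[/<extra>...] to a handler."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3 or parts[0] != "keys" or parts[1] not in handlers:
        raise NotFound(path)
    handler = handlers[parts[1]]
    # without the opt-in, >3 path components is a 404, exactly like an old server
    if len(parts) > 3 and not getattr(handler, "extra_args", False):
        raise NotFound(path)
    return handler(*parts[2:])

def retrieve_key(fetch, nickname, oid=AES128_CBC_OID):
    """Client side: ask for AES wrapping first, retry without the OID on 404."""
    base = "/keys/ca_wrapped/%s" % nickname
    try:
        return fetch(base + "/" + oid)
    except NotFound:
        # old server, or key missing on a new server (the retry then 404s too)
        return fetch(base)

# Constructed key store and two in-memory "servers" for the demonstration
KEYS = {"ca-example-nick": b"wrapped-key-bytes"}

def new_handler(nickname, oid=None):
    if nickname not in KEYS:
        raise NotFound(nickname)
    return (oid or DES_EDE3_CBC, KEYS[nickname])
new_handler.extra_args = True  # signals support for extra path components

def old_handler(nickname):
    if nickname not in KEYS:
        raise NotFound(nickname)
    return (DES_EDE3_CBC, KEYS[nickname])

NEW_SERVER, OLD_SERVER = {"ca_wrapped": new_handler}, {"ca_wrapped": old_handler}

def retrieve_from(server, nickname):
    return retrieve_key(lambda path: dispatch(server, path), nickname)

def key_missing(server, nickname):
    try:
        retrieve_from(server, nickname)
        return False
    except NotFound:
        return True
```

The one ambiguity the commit message calls out is visible here: a 404 on the first request cannot tell an old server from a missing key, so the client always pays for the second round trip before reporting the key as absent.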
URL: https://github.com/freeipa/freeipa/pull/3416
Author: mulatinho
Title: #3416: Issue #7987 - Fix python3 shebang scripts
Action: opened
PR body:
"""
Hi guys, it is my first contribution to the project. It seems that the ipa python scripts were using the -E flag and @cheimes suggested that the -I flag would be a better alternative. I saw that this was part of the 4.8 version milestone and made the change. Hope everything is OK :)
All the scripts now are using this shebang:
```
#!/usr/bin/python3 -I
```
I am testing the scripts, but until now everything is OK.
Related: https://pagure.io/freeipa/issue/7987
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3416/head:pr3416
git checkout pr3416
URL: https://github.com/freeipa/freeipa/pull/3602
Author: wladich
Title: #3602: ipatests: add tests for cached_auth_timeout in sssd.conf
Action: opened
PR body:
"""
The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain
Related to: https://bugzilla.redhat.com/1685581
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3602/head:pr3602
git checkout pr3602
URL: https://github.com/freeipa/freeipa/pull/3563
Author: serg-cymbaluk
Title: #3563: WebUI: Make 'Unlock' option available only on locked user page
Action: opened
PR body:
"""
The implementation includes checking the password policy for the selected user.
The 'Unlock' option is available only in case the user has reached the limit of login failures.
Ticket: https://pagure.io/freeipa/issue/5062
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3563/head:pr3563
git checkout pr3563
URL: https://github.com/freeipa/freeipa/pull/3572
Author: abbra
Title: #3572: [Backport][ipa-4-8] Fix ca_initialize_hsm_state
Action: opened
PR body:
"""
This PR was opened automatically because PR #3567 was pushed to master and a backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3572/head:pr3572
git checkout pr3572