Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes to make the YaST modules work #48

Closed
wants to merge 4 commits into from
Closed

Fixes to make the YaST modules work #48

wants to merge 4 commits into from

Conversation

pzirnik
Copy link

@pzirnik pzirnik commented Feb 26, 2019

  • add pkcs12 password to dialog
  • fix dialog from fully qualified "domain name" to "host name"
  • add info text to dialog that root dn does not append suffix per default
  • make pk12util use the password to extract the certificate
  • install CA certificate to system trust ring
  • create ldap client configuration that commandline ldap tools work
  • get server certificate nickname and create valid ldif to use the certificate
  • comment out debug printout of kdb5_ldap_util command
  • use directory server hostname in ldap request in kerberos setup not fqdn
  • move creation of krb5.conf and kdc.conf prior trying to use kdb5_ldap_util

pzirnik and others added 4 commits February 26, 2019 11:30
@pzirnik
Fixes to make the YaST modules work
9ab209c 
- add pkcs12 password to dialog
- fix dialog from fully qualified "domain name" to "host name"
- add info text to dialog that root dn does not append suffix per default
- make pk12util use the password to extract the certificate
- install CA certificate to system trust ring
- create ldap client configuration that commandline ldap tools work
- get server certificate nickname and create valid ldif to use the certificate
- comment out debug printout of kdb5_ldap_util command
- use directory server hostname in ldap request in kerberos setup not fqdn
- move creation of krb5.conf and kdc.conf prior trying to use kdb5_ldap_util
More fixes to make YaST Module work
6cc6dc8 
- fix install missing krb5-plugin-kdb-ldap
- fix enable dirsrv service
- fix enable kdc service
- fix enable kadmin service
@pzirnik
- enabe dirsrv.target and create links that krb5kdc.service and kadmi…
743b7ff 
…n.servide can use After=dirsrv.target
@pzirnik
- fix enable of services and targets
5720706
@hcderaad hcderaad mentioned this pull request Mar 28, 2019
Merged
@Firstyear
Copy link
Collaborator

Firstyear commented Mar 29, 2019
edited
Loading

I think that #49 is going to replace/conflict with most of this due to the changes in how TLS is enabled in 389-ds due to upstream changes.

389-ds is becoming "more opinionated" and the name of the cert should actually be Server-Cert. So. I think allowing this name as a flexible option is actually going to be a conflict in the future.

Perhaps a better direction for us to take, is to have the yast module accept the cert and key as PEM files, then we create the pkcs12 with the correct naming schemes for import. Given that cert management is difficult to painful at the best of times, especially with pkcs12 files, this would certainly help users have an easier time with 389-ds setups.

EDIT: Upstream plans to have their CLI tools take PEM files to transform and insert into the cert db, so perhaps once those are implemented we can take advantage of those?

@hcderaad
Copy link

I think that #49 is going to replace/conflict with most of this due to the changes in how TLS is enabled in 389-ds due to upstream changes.

389-ds is becoming "more opinionated" and the name of the cert should actually be Server-Cert. So. I think allowing this name as a flexible option is actually going to be a conflict in the future.

Perhaps a better direction for us to take, is to have the yast module accept the cert and key as PEM files, then we create the pkcs12 with the correct naming schemes for import. Given that cert management is difficult to painful at the best of times, especially with pkcs12 files, this would certainly help users have an easier time with 389-ds setups.

EDIT: Upstream plans to have their CLI tools take PEM files to transform and insert into the cert db, so perhaps once those are implemented we can take advantage of those?

Aligning with upstream sounds like the best approach. As little conversions as possible will increase the reliability and predictability of using this module. That was the original aim for this PR anyway AFAIK.

@Firstyear
Copy link
Collaborator

Sounds good. Thanks for the PR, and I hope we can use some of your work in the future :)

@hcderaad
Copy link

hcderaad commented Apr 2, 2019

Sounds good. Thanks for the PR, and I hope we can use some of your work in the future :)

The kudos for that PR belong to @pzirnik who has imho made a great effort in also resolving some krb server related issues. As the #49 do not address krb related issues, @jreidinger could perhaps check if some of the changes from this PR (#48) might be reusable to fix some of the krb setup problems?

@jreidinger
Copy link
Member

@hcderaad well, I am not maintainer of this module and neither yast team. it used to be maintained by Howard and I think that now @Firstyear maintains it, or am I wrong?

@Firstyear
Copy link
Collaborator

@hcderaad I think that some of the changes here are still applicable, so let's rework it to make it work in light of #49.

I think that "technically" I'm the "official" maintainer now, as I'm hired by SUSE Labs to work on 389 Directory Server, which by virtue means I inherit this code too. But I'd appreciate all the help I can get here please! Thanks,

@pzirnik
Copy link
Author

pzirnik commented Apr 3, 2019 via email

@Firstyear
Copy link
Collaborator

@pzirnik Sounds great to me, I look forward to seeing the reworked PR. Also happy to discuss any ideas or questions you have. Thanks!

@hcderaad
Copy link

@hcderaad I think that some of the changes here are still applicable, so let's rework it to make it work in light of #49.

I think that "technically" I'm the "official" maintainer now, as I'm hired by SUSE Labs to work on 389 Directory Server, which by virtue means I inherit this code too. But I'd appreciate all the help I can get here please! Thanks,

@Firstyear Excellent news, welcome on board :-) Very much looking forward to some improvements on this component. If there is anything to test, please drop me a line!

@pzirnik
Copy link
Author

pzirnik commented Jun 26, 2019

I prepared a patchset to fix the SLE-15-GA branch both for ldap and kerberos.
Let me know if i should open a pull request for SLE-15-GA. I will open a bug to have this fixed for SLE-15-GA as we have a L3 case.
I can not create a patchset for the kerberos related fixes for MASTER as i do not know on what ds389 server package this depends .... on SLE-15 i get error file not found "/usr/sbin/dscreate"

@dgdavid
Copy link
Member

dgdavid commented Aug 9, 2021

@Firstyear,

Hope everything is going well :)

I'm reviewing old and open PRs in YaST modules (both, maintained by us and by other teams, like this) and just wondering if it is time for closing this PR or instead you plan to continue moving it forward.

Thanks!

@Firstyear
Copy link
Collaborator

I think we can close this as we agreed we'd make a reworked pr if needed. :)

@Firstyear Firstyear closed this Aug 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pzirnik @Firstyear @hcderaad @jreidinger @dgdavid