[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 7 commits: Respect LDFLAGS settings defined by user
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Wed Mar 1 17:28:31 GMT 2023
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger
Commits:
a303c31d by Azamat H. Hackimov at 2022-10-17T10:18:25+03:00
Respect LDFLAGS settings defined by user
Don't wipe LDFLAGS defined by user by setting LDFLAGS env variable.
If variable is empty, it will be correctly updated by += assignemnt.
- - - - -
7f23913b by Joachim Philipp at 2022-11-23T18:20:01+01:00
Translated using Weblate (German)
Currently translated at 52.8% (250 of 473 strings)
Co-authored-by: Joachim Philipp <joachim.philipp at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/de/
Translation: certmonger/master
- - - - -
14d65afb by Temuri Doghonadze at 2022-11-23T18:20:01+01:00
Translated using Weblate (Georgian)
Currently translated at 24.5% (116 of 473 strings)
Translated using Weblate (Georgian)
Currently translated at 24.1% (114 of 473 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ka/
Translation: certmonger/master
- - - - -
ad946028 by Sergey Kazorin at 2022-11-23T18:20:01+01:00
Translated using Weblate (Russian)
Currently translated at 100.0% (473 of 473 strings)
Co-authored-by: Sergey Kazorin <kazorin at basealt.ru>
Translate-URL: https://translate.fedoraproject.org/projects/certmonger/master/ru/
Translation: certmonger/master
- - - - -
3301bf42 by Rob Crittenden at 2022-11-30T13:06:16-05:00
Revert "Translated using Weblate (Russian)"
There is a problem in one of the formatted translations:
ru.po:1804: number of format specifications in 'msgid' and 'msgstr'
does not match
/usr/bin/msgfmt: found 1 fatal error
This reverts commit ad946028773246af44e4660d5bd2504602eefab4.
- - - - -
7c754902 by Rob Crittenden at 2022-11-30T13:22:07-05:00
Switch to CA user when saving NSS certificates
A new parameter was added, nss-user, which indicates
the user to become via setuid/setgid when saving
certificates in NSS. This is necessary when using
SoftHSM as a PKCS#11 device to keep the filesystem
permissions correct.
Also tweak cleaning up duplicate certificates. certmonger
makes an effort to remove any duplicates, those with
duplicated nicknames with different certs, etc.
It didn't handle those with tokens though in NSS. A
certificate in a token will have a mirrored entry in the
database to store trust information. This was being
seen as a "duplicate" and certmogner was removing it, thus
removing the trust.
Fixes: https://pagure.io/certmonger/issue/243
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
476dc28e by Rob Crittenden at 2022-11-30T13:55:29-05:00
Tag 0.79.17
- - - - -
13 changed files:
- certmonger.spec
- configure.ac
- po/de.po
- po/ka.po
- src/Makefile.am
- src/certsave-n.c
- src/getcert.c
- src/store-files.c
- src/store-int.h
- src/tdbus.h
- src/tdbush.c
- tests/028-dbus/expected.out
- tests/028-dbus/expected.out.nodsa
Changes:
=====================================
certmonger.spec
=====================================
@@ -27,7 +27,7 @@
%bcond_with xmlrpc
Name: certmonger
-Version: 0.79.16
+Version: 0.79.17
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
@@ -265,6 +265,13 @@ exit 0
%endif
%changelog
+* Wed Nov 30 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.17-1
+- update to 0.79.17
+ - Respect LDFLAGS settings defined by user
+ - Switch to CA user when saving NSS certificates
+ - Translated using Weblate (German)
+ - Translated using Weblate (Georgian)
+
* Thu Aug 25 2022 Rob Crittenden <rcritten at redhat.com> - 0.79.16-1
- update to 0.79.16
- Add a PEM validity checker and validate SCEP CA files
=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(certmonger,0.79.16)
+AC_INIT(certmonger,0.79.17)
AM_INIT_AUTOMAKE([foreign subdir-objects])
AC_CONFIG_MACRO_DIR(m4)
AM_MAINTAINER_MODE([disable])
=====================================
po/de.po
=====================================
@@ -8,21 +8,22 @@
# Mario Blättermann <mario.blaettermann at gmail.com>, 2011
# Nalin Dahyabhai <nalin at fedoraproject.org>, 2011
# Roman Spirgi <bigant at fedoraproject.org>, 2012-2013
+# Joachim Philipp <joachim.philipp at gmail.com>, 2022.
msgid ""
msgstr ""
"Project-Id-Version: certmonger 0.78.6\n"
"Report-Msgid-Bugs-To: certmonger-devel at lists.fedorahosted.org\n"
"POT-Creation-Date: 2017-02-26 02:20-0500\n"
-"PO-Revision-Date: 2015-01-05 05:53-0500\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata at zanata.org>\n"
-"Language-Team: German (http://www.transifex.com/projects/p/certmonger/"
-"language/de/)\n"
+"PO-Revision-Date: 2022-04-21 10:17+0000\n"
+"Last-Translator: Joachim Philipp <joachim.philipp at gmail.com>\n"
+"Language-Team: German <https://translate.fedoraproject.org/projects/"
+"certmonger/master/de/>\n"
"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.6\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.11.2\n"
#: src/casave.c:322 src/casave.c:361 src/dogtag.c:233 src/dogtag.c:238
#: src/dogtag.c:256 src/dogtag.c:261 src/getcert.c:291
@@ -37,14 +38,16 @@ msgstr ""
"Rechnername der Zertifizierungsstelle (CA) konnte nicht ermittelt werden.\n"
#: src/certmaster.c:153 src/dogtag.c:521 src/ipa.c:796
-#, fuzzy, c-format
+#, c-format
msgid "Unable to read signing request from file \"%s\".\n"
-msgstr "Signaturanfrage konnte nicht gelesen werden.\n"
+msgstr "Signaturanfrage von Datei \"%s\" konnte nicht gelesen werden.\n"
#: src/certmaster.c:156 src/dogtag.c:524 src/ipa.c:799
-#, fuzzy, c-format
+#, c-format
msgid "Unable to read signing request from environment variable \"%s\".\n"
-msgstr "Signaturanfrage konnte nicht gelesen werden.\n"
+msgstr ""
+"Signaturanfrage der Environment Variablen \"%s\" konnte nicht gelesen werden."
+"\n"
#: src/certmaster.c:184
#, c-format
@@ -69,22 +72,24 @@ msgstr "Server-Fehler.\n"
#: src/dogtag.c:226
#, c-format
msgid "Profile params (-O) must be in the form of param=value.\n"
-msgstr ""
+msgstr "Profilparameter (-O) müssen die Form param=value haben.\n"
#: src/dogtag.c:249
#, c-format
msgid "Submit params (-o) must be in the form of param=value.\n"
-msgstr ""
+msgstr "Übertragung der Parameter (-o) muss die Form param=value haben.\n"
#: src/dogtag.c:408 src/dogtag.c:413 src/dogtag.c:442
-#, fuzzy, c-format
+#, c-format
msgid "No agent credentials specified, and no default known.\n"
-msgstr "Keine Agent-URL (-T) angegeben, Standarwert nicht gesetzt.\n"
+msgstr ""
+"Keine Anmeldeinformationen des Agenten angegeben, kein Standardwert gesetzt."
+"\n"
#: src/dogtag.c:418
#, c-format
msgid "Requested renewal, but no serial number provided.\n"
-msgstr ""
+msgstr "Aktualisierung wurde angefordert, aber keine Seriennummer angegeben.\n"
#: src/dogtag.c:422
#, c-format
@@ -104,7 +109,7 @@ msgstr "Kein Profil/ Vorlage (-T) angegeben, Standarwert nicht gesetzt.\n"
#: src/dogtag.c:452
#, c-format
msgid "Error shutting down NSS.\n"
-msgstr ""
+msgstr "Fehler beim Beenden von NSS.\n"
#: src/dogtag.c:487 src/dogtag.c:777
#, c-format
@@ -115,6 +120,8 @@ msgstr "Interner Fehler: Unbekannter Status.\n"
#, c-format
msgid "No agent credentials (-n) given, but they are needed.\n"
msgstr ""
+"Keine Anmeldeinformationen des Agenten (-n) vorhanden, sie werden aber "
+"benötigt.\n"
#: src/dogtag.c:757 src/scep.c:619
#, c-format
@@ -133,59 +140,59 @@ msgstr "Interner Fehler: Keine Antwort an \"%s?%s\".\n"
#: src/getcert.c:61 src/main.c:84 src/main.c:86
msgid "COMMAND"
-msgstr ""
+msgstr "BEFEHL"
#: src/getcert.c:62
msgid "DIRECTORY"
-msgstr ""
+msgstr "VERZEICHNIS"
#: src/getcert.c:63 src/getcert.c:70
msgid "LIST"
-msgstr ""
+msgstr "LISTE"
#: src/getcert.c:64 src/getcert.c:68
msgid "ADDRESS"
-msgstr ""
+msgstr "ADRESSE"
#: src/getcert.c:65 src/main.c:87
msgid "FILENAME"
-msgstr ""
+msgstr "DATEINAME"
#: src/getcert.c:66
msgid "HOSTNAME"
-msgstr ""
+msgstr "HOSTNAME"
#: src/getcert.c:67
msgid "ID"
-msgstr ""
+msgstr "ID"
#: src/getcert.c:69
msgid "BITS"
-msgstr ""
+msgstr "BITS"
#: src/getcert.c:71
msgid "MODE"
-msgstr ""
+msgstr "MODUS"
#: src/getcert.c:72
msgid "NAME"
-msgstr ""
+msgstr "NAME"
#: src/getcert.c:73
msgid "PRINCIPAL"
-msgstr ""
+msgstr "HAUPT"
#: src/getcert.c:74
msgid "SUBJECT"
-msgstr ""
+msgstr "THEMA"
#: src/getcert.c:75
msgid "URL"
-msgstr ""
+msgstr "URL"
#: src/getcert.c:76
msgid "USERNAME[:GROUPNAME]"
-msgstr ""
+msgstr "BENUTZERNAME[:GRUPPENNAME]"
#: src/getcert.c:115
#, c-format
@@ -204,7 +211,7 @@ msgstr ""
#: src/getcert.c:142
#, c-format
msgid "Path \"%s\": insufficient permissions.\n"
-msgstr ""
+msgstr "Pfad \"%s\": nicht ausreichende Berechtigungen.\n"
#: src/getcert.c:148
#, c-format
@@ -224,22 +231,22 @@ msgstr "Pfad »%s« ist keine reguläre Datei.\n"
#: src/getcert.c:340
#, c-format
msgid "No system bus running.\n"
-msgstr ""
+msgstr "Kein System Bus läuft.\n"
#: src/getcert.c:341
#, c-format
msgid "Running as UID 0.\n"
-msgstr ""
+msgstr "Läuft als UID 0.\n"
#: src/getcert.c:342
#, c-format
msgid "Launching temporary dedicated service daemon.\n"
-msgstr ""
+msgstr "Starte temporär zugewiesenen service daemon.\n"
#: src/getcert.c:371
#, c-format
msgid "Error connecting to D-Bus.\n"
-msgstr ""
+msgstr "Fehler beim Verbinden zum D-Bus.\n"
#: src/getcert.c:372 src/tdbusm.c:2166
#, c-format
@@ -254,56 +261,52 @@ msgstr "Fehler beim Erstellen der D-Bus-Anfragemeldung.\n"
#: src/getcert.c:393
#, c-format
msgid "missing argument for %s"
-msgstr ""
+msgstr "Fehlendes Argument für %s"
#: src/getcert.c:398
-#, fuzzy
msgid "missing argument"
-msgstr "Optionale Parameter:\n"
+msgstr "Fehlendes Argument"
#: src/getcert.c:401
-#, fuzzy, c-format
+#, c-format
msgid "unrecognized option %s"
-msgstr "%s: Unbekannter Befehl.\n"
+msgstr "Unbekannte Option %s"
#: src/getcert.c:406
-#, fuzzy
msgid "unrecognized option"
-msgstr "%s: Unbekannter Befehl.\n"
+msgstr "Unbekannte Option"
#: src/getcert.c:409
msgid "aliases nested too deeply"
-msgstr ""
+msgstr "Aliase zu tief verschachtelt"
#: src/getcert.c:412
msgid "bad parameter quoting"
-msgstr ""
+msgstr "schlechte Parameterangabe"
#: src/getcert.c:418
msgid "invalid numeric value"
-msgstr ""
+msgstr "Ungültiger numerischer Wert"
#: src/getcert.c:421
msgid "number too large or too small"
-msgstr ""
+msgstr "Nummer zu groß oder zu klein"
#: src/getcert.c:424
msgid "bad operation"
-msgstr ""
+msgstr "Ungültige Operation"
#: src/getcert.c:427
-#, fuzzy
msgid "internal error"
-msgstr "Ein interner Fehler ist aufgetreten."
+msgstr "Interner Fehler"
#: src/getcert.c:430
-#, fuzzy
msgid "out of memory"
-msgstr "Ungenügend Speicher.\n"
+msgstr "Nicht genügend Speicher"
#: src/getcert.c:434
msgid "error in popt configuration file"
-msgstr ""
+msgstr "Fehler in popt Konfigurationsdatei"
#: src/getcert.c:477
#, c-format
@@ -333,90 +336,90 @@ msgstr "Keine Antwort vom %s-Dienst erhalten.\n"
#: src/getcert.c:699 src/getcert.c:3978
#, c-format
msgid "State %s, stuck: %s.\n"
-msgstr ""
+msgstr "Status %s, hängt: %s.\n"
#: src/getcert.c:768 src/getcert.c:1846 src/getcert.c:2500 src/getcert.c:3100
#: src/getcert.c:3354 src/getcert.c:3875
msgid "NSS database for key and cert"
-msgstr ""
+msgstr "NSS Datenbank für Schlüssel und Zertifikat"
#: src/getcert.c:769 src/getcert.c:1847 src/getcert.c:2501 src/getcert.c:3101
#: src/getcert.c:3355 src/getcert.c:3876
msgid "nickname for NSS-based storage (only valid with -d)"
-msgstr ""
+msgstr "Kurzname für NSS-basierte Speicherung (nur gültig mit -d)"
#: src/getcert.c:770 src/getcert.c:1848 src/getcert.c:2502 src/getcert.c:3102
#: src/getcert.c:3356 src/getcert.c:3877
msgid "optional token name for NSS-based storage (only valid with -d)"
-msgstr ""
+msgstr "Optionaler Token-Name für NSS-basierte Speicherung (nur gültig mit -d)"
#: src/getcert.c:771
msgid "PEM file for private key"
-msgstr ""
+msgstr "PEM Datei für privaten Schlüssel"
#: src/getcert.c:772
msgid "PEM file for certificate (only valid with -k)"
-msgstr ""
+msgstr "PEM-Datei für Zertifikat (nur gültig mit -k)"
#: src/getcert.c:773 src/getcert.c:1851 src/getcert.c:2508
msgid "file which holds the private key encryption PIN"
-msgstr ""
+msgstr "Datei, die die PIN zum Verschlüsseln des privaten Schlüssels enthält"
#: src/getcert.c:774 src/getcert.c:1852 src/getcert.c:2509
msgid "private key encryption PIN"
-msgstr ""
+msgstr "PIN zur Verschlüsselung des privaten Schlüssels"
#: src/getcert.c:775 src/getcert.c:1853 src/getcert.c:2510
msgid "owner information for private key"
-msgstr ""
+msgstr "Eigentümerinformationen für privaten Schlüssel"
#: src/getcert.c:776 src/getcert.c:1854 src/getcert.c:2511
msgid "file permissions for private key"
-msgstr ""
+msgstr "Dateiberechtigungen für privaten Schlüssel"
#: src/getcert.c:777 src/getcert.c:1855 src/getcert.c:2512
msgid "owner information for certificate"
-msgstr ""
+msgstr "Eigentümerinformationen für Zertifikat"
#: src/getcert.c:778 src/getcert.c:1856 src/getcert.c:2513
msgid "file permissions for certificate"
-msgstr ""
+msgstr "Dateiberechtigungen für Zertifikat"
#: src/getcert.c:779 src/getcert.c:1857 src/getcert.c:2514
msgid "NSS database in which to store the CA's certificates"
-msgstr ""
+msgstr "NSS Datenbank, in der die CA-Zertifikate gespeichert werden"
#: src/getcert.c:780 src/getcert.c:1858 src/getcert.c:2515
msgid "file in which to store the CA's certificates"
-msgstr ""
+msgstr "Datei in der die CA-Zertifikate gespeichert werden"
#: src/getcert.c:781 src/getcert.c:1859 src/getcert.c:2516
msgid "command to run before saving the certificate"
-msgstr ""
+msgstr "Auszuführender Befehl vor dem Speichern des Zertifikats"
#: src/getcert.c:782 src/getcert.c:1860 src/getcert.c:2517
msgid "command to run after saving the certificate"
-msgstr ""
+msgstr "Auszuführender Befehl nach dem Speichern des Zertifikats"
#: src/getcert.c:783
msgid "nickname to assign to the request"
-msgstr ""
+msgstr "Zugewiesener Kurzname für diese Abfrage"
#: src/getcert.c:784
msgid "type of key to be generated if one is not already in place"
-msgstr ""
+msgstr "Zu erstellender Schlüsseltyp, falls keiner vorhanden ist"
#: src/getcert.c:785
msgid "size of key to be generated if one is not already in place"
-msgstr ""
+msgstr "Größe des zu generierenden Schlüssels, falls noch keiner vorhanden ist"
#: src/getcert.c:786 src/getcert.c:1863
msgid "attempt to renew the certificate when expiration nears (default)"
-msgstr ""
+msgstr "versuchen, kurz vor Ablauf das Zertifikat zu erneuern (Standard)"
#: src/getcert.c:787 src/getcert.c:1864
msgid "don't attempt to renew the certificate when expiration nears"
-msgstr ""
+msgstr "nicht versuchen, kurz vor Ablauf das Zertifikat zu erneuern (Standard)"
#: src/getcert.c:789 src/getcert.c:1866
msgid "use the specified CA configuration rather than the default"
=====================================
po/ka.po
=====================================
@@ -7,7 +7,7 @@ msgstr ""
"Project-Id-Version: certmonger 0.79\n"
"Report-Msgid-Bugs-To: certmonger-devel at lists.fedorahosted.org\n"
"POT-Creation-Date: 2017-02-26 02:20-0500\n"
-"PO-Revision-Date: 2022-03-15 14:16+0000\n"
+"PO-Revision-Date: 2022-11-23 17:20+0000\n"
"Last-Translator: Temuri Doghonadze <temuri.doghonadze at gmail.com>\n"
"Language-Team: Georgian <https://translate.fedoraproject.org/projects/"
"certmonger/master/ka/>\n"
@@ -16,7 +16,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.11.2\n"
+"X-Generator: Weblate 4.14.2\n"
#: src/casave.c:322 src/casave.c:361 src/dogtag.c:233 src/dogtag.c:238
#: src/dogtag.c:256 src/dogtag.c:261 src/getcert.c:291
@@ -210,7 +210,7 @@ msgstr "ბილიკი \"%s\":%s.\n"
#: src/getcert.c:194
#, c-format
msgid "Path \"%s\" is not a regular file.\n"
-msgstr ""
+msgstr "ბილიკი \"%s\" ჩვეულებრივი ფაილი არაა.\n"
#: src/getcert.c:340
#, c-format
@@ -274,7 +274,7 @@ msgstr "არასწორი რიცხვითი მნიშვნე
#: src/getcert.c:421
msgid "number too large or too small"
-msgstr ""
+msgstr "რიცხვი მეტისმეტად დიდი ან მეტისმეტად პატარაა"
#: src/getcert.c:424
msgid "bad operation"
@@ -824,7 +824,7 @@ msgid ",pin set"
msgstr ", პინი დაყენებულია"
#: src/getcert.c:3666
-#, c-format, fuzzy
+#, c-format
msgid ",pinfile='%s'"
msgstr ",pinfile='%s'"
@@ -844,7 +844,7 @@ msgid "\tsigning request thumbprint (SHA1): %s\n"
msgstr ""
#: src/getcert.c:3715
-#, c-format, fuzzy
+#, c-format
msgid "\tCA: %s\n"
msgstr "\tCA: %s\n"
@@ -872,7 +872,6 @@ msgid "\temail: "
msgstr "\tელ-ფოსტა: "
#: src/getcert.c:3742
-#, fuzzy
msgid "\tdns: "
msgstr "\tdns: "
@@ -890,7 +889,6 @@ msgid "\tkey usage: %s\n"
msgstr "\tგასაღების გამოყენება: %s\n"
#: src/getcert.c:3779
-#, fuzzy
msgid "\teku: "
msgstr "\teku: "
@@ -961,7 +959,7 @@ msgid "list only the specified CA configuration"
msgstr ""
#: src/getcert.c:4104
-#, c-format, fuzzy
+#, c-format
msgid "CA '%s':\n"
msgstr "CA '%s':\n"
=====================================
src/Makefile.am
=====================================
@@ -1,7 +1,6 @@
AM_CFLAGS = $(TALLOC_CFLAGS) $(TEVENT_CFLAGS) $(DBUS_CFLAGS) $(KRB5_CFLAGS) \
$(XMLRPC_CFLAGS) $(IDN_CFLAGS) $(UUID_CFLAGS) $(LDAP_CFLAGS) \
$(POPT_CFLAGS)
-LDFLAGS =
if PIE
CFLAGS += -fPIC
LDFLAGS += -fPIC -pie
=====================================
src/certsave-n.c
=====================================
@@ -24,6 +24,8 @@
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
#include <nss.h>
#include <nssb64.h>
@@ -83,6 +85,20 @@ add_privkey_to_list(SECKEYPrivateKey **list, SECKEYPrivateKey *key)
return list;
}
+/* Return a nickname minus the token */
+static char *
+cm_get_nickname(char *data)
+{
+ char *p = NULL;
+
+ if (strchr(data, ':') != NULL) {
+ p = strrchr(data, ':') + 1;
+ } else {
+ p = data;
+ }
+ return p;
+}
+
static int
cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
void *userdata)
@@ -123,6 +139,62 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
}
/* Open the database. */
+ if (entry->cm_nss_user != NULL) {
+ struct passwd *pwd;
+ struct group *grp;
+ char *user, *group = NULL;
+ uid_t uid;
+ gid_t gid;
+
+ user = strdup(entry->cm_nss_user);
+ group = strchr(user, ':');
+ if (group != NULL) {
+ *group++ = '\0';
+ if (strlen(group) == 0) {
+ group = NULL;
+ }
+ }
+
+ errno = 0;
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ cm_log(0, "Error looking up user \"%s\", "
+ "not setting identity: %s.\n",
+ user, strerror(errno));
+ free(user);
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+ }
+ uid = pwd->pw_uid;
+ gid = pwd->pw_gid;
+ if (group != NULL) {
+ grp = getgrnam(group);
+ if (grp == NULL) {
+ cm_log(0, "Error looking up group \"%s\", "
+ "not setting identity.\n",
+ group);
+ free(user);
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+ }
+ gid = grp->gr_gid;
+ }
+ free(user);
+
+ cm_log(1, "Switching to %s %d:%d\n", pwd->pw_name, uid, gid);
+
+ if (initgroups(pwd->pw_name, gid) == -1) {
+ cm_log(0, "initgroups error (%s: %d): %s\n", pwd->pw_name, gid, strerror(errno));
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+ }
+ if (setgid(gid) == -1) {
+ cm_log(0, "setgid error (%d): %s\n", gid, strerror(errno));
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+ }
+ if (setuid(uid) == -1) {
+ cm_log(0, "setuid error (%d): %s\n", uid, strerror(errno));
+ _exit(CM_CERTSAVE_STATUS_INTERNAL_ERROR);
+ }
+ }
+
settings = userdata;
readwrite = settings->readwrite;
errno = 0;
@@ -407,7 +479,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
if ((!SECITEM_ItemsAreEqual(&subject,
&node->cert->derSubject)) &&
(sle->slot == node->cert->slot)) {
- cm_log(3, "Found a "
+ cm_log(3, "1 Found a "
"certificate "
"with the same "
"nickname but "
@@ -454,22 +526,27 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
if ((node->cert->nickname != NULL) &&
- (strcmp(entry->cm_cert_nickname,
- node->cert->nickname) != 0) &&
+ (strcmp(cm_get_nickname(entry->cm_cert_nickname),
+ cm_get_nickname(node->cert->nickname)) != 0) &&
(sle->slot == node->cert->slot))
{
i++;
- cm_log(3, "Found a "
+ cm_log(3, "2 Found a "
"certificate with a "
"different nickname but "
"the same subject, "
"removing certificate "
- "\"%s\" with subject "
- "\"%s\".\n",
+ "\"%s\" vs \"%s\" with subject "
+ "\"%s\" in slot \"%s\" vs "
+ "\"%s\".\n",
node->cert->nickname,
+ entry->cm_cert_nickname,
node->cert->subjectName ?
node->cert->subjectName :
- "");
+ "",
+ PK11_GetTokenName(sle->slot),
+ PK11_GetTokenName(node->cert->slot)
+ );
/* Get a handle for this
* certificate's private key,
* in case we need to remove
@@ -573,8 +650,9 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT(node)) {
if (!SECITEM_ItemsAreEqual(item,
- &node->cert->derCert)) {
- cm_log(3, "Found a "
+ &node->cert->derCert) &&
+ (sle->slot == node->cert->slot)) {
+ cm_log(3, "3 Found a "
"certificate "
"with the same "
"nickname and "
=====================================
src/getcert.c
=====================================
@@ -754,8 +754,9 @@ request(const char *argv0, int argc, const char **argv)
char **principal = NULL, **dns = NULL, **email = NULL, **ipaddr = NULL;
char *key_owner = NULL, *key_perms = NULL;
char *cert_owner = NULL, *cert_perms = NULL;
- struct cm_tdbusm_dict param[51];
- const struct cm_tdbusm_dict *params[50];
+ char *nss_user = NULL;
+ struct cm_tdbusm_dict param[52];
+ const struct cm_tdbusm_dict *params[51];
DBusMessage *req, *rep;
int waitreq = 0, timeout = -1;
int is_ca = 0, path_length = -1;
@@ -779,6 +780,7 @@ request(const char *argv0, int argc, const char **argv)
{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+ {"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -929,6 +931,9 @@ request(const char *argv0, int argc, const char **argv)
case 'X':
issuer = talloc_strdup(globals.tctx, poptarg);
break;
+ case 'Z':
+ nss_user = talloc_strdup(globals.tctx, poptarg);
+ break;
case 'N':
subject = talloc_strdup(globals.tctx, poptarg);
break;
@@ -1276,6 +1281,13 @@ request(const char *argv0, int argc, const char **argv)
params[i] = ¶m[i];
i++;
}
+ if (nss_user != NULL) {
+ param[i].key = CM_DBUS_PROP_NSS_USER;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = nss_user;
+ params[i] = ¶m[i];
+ i++;
+ }
if (keytype != NULL) {
param[i].key = "KEY_TYPE";
param[i].value_type = cm_tdbusm_dict_s;
@@ -1572,6 +1584,7 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
char *keyfile, char *certfile,
char *key_owner, char *cert_owner,
char *key_perms, char *cert_perms,
+ char *nss_user,
char *pin, char *pinfile,
char *cpass, char *cpassfile,
char *ca, char *profile, char *issuer,
@@ -1585,8 +1598,8 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
{
DBusMessage *req, *rep;
int i;
- struct cm_tdbusm_dict param[31];
- const struct cm_tdbusm_dict *params[31];
+ struct cm_tdbusm_dict param[32];
+ const struct cm_tdbusm_dict *params[32];
dbus_bool_t b;
const char *capath;
char *p;
@@ -1643,6 +1656,13 @@ add_basic_request(enum cm_tdbus_type bus, char *id,
params[i] = ¶m[i];
i++;
}
+ if (nss_user != NULL) {
+ param[i].key = CM_DBUS_PROP_NSS_USER;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = nss_user;
+ params[i] = ¶m[i];
+ i++;
+ }
} else
if (certfile != NULL) {
if (keyfile != NULL) {
@@ -1848,8 +1868,8 @@ set_tracking(const char *argv0, const char *category,
enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
DBusMessage *req, *rep;
const char *request, *capath;
- struct cm_tdbusm_dict param[28];
- const struct cm_tdbusm_dict *params[29];
+ struct cm_tdbusm_dict param[29];
+ const struct cm_tdbusm_dict *params[30];
char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
char **anchor_dbs = NULL, **anchor_files = NULL;
char *id = NULL, *new_id = NULL, *new_request;
@@ -1858,6 +1878,7 @@ set_tracking(const char *argv0, const char *category,
char *ms_template_spec = NULL;
char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
char *key_owner = NULL, *key_perms = NULL;
+ char *nss_user = NULL;
char *cert_owner = NULL, *cert_perms = NULL;
dbus_bool_t b;
char *p;
@@ -1885,6 +1906,7 @@ set_tracking(const char *argv0, const char *category,
{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+ {"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -2009,6 +2031,9 @@ set_tracking(const char *argv0, const char *category,
case 'X':
issuer = talloc_strdup(globals.tctx, poptarg);
break;
+ case 'Z':
+ nss_user = talloc_strdup(globals.tctx, poptarg);
+ break;
case 'i':
id = talloc_strdup(globals.tctx, poptarg);
break;
@@ -2289,6 +2314,13 @@ set_tracking(const char *argv0, const char *category,
params[i] = ¶m[i];
i++;
}
+ if (nss_user != NULL) {
+ param[i].key = CM_DBUS_PROP_NSS_USER;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = nss_user;
+ params[i] = ¶m[i];
+ i++;
+ }
if (pin != NULL) {
param[i].key = "KEY_PIN";
param[i].value_type = cm_tdbusm_dict_s;
@@ -2441,6 +2473,7 @@ set_tracking(const char *argv0, const char *category,
keyfile, certfile,
key_owner, cert_owner,
key_perms, cert_perms,
+ nss_user,
pin, pinfile,
cpass, cpassfile,
ca, profile, issuer,
@@ -2513,8 +2546,8 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
DBusMessage *req, *rep;
const char *request;
char *capath;
- struct cm_tdbusm_dict param[31];
- const struct cm_tdbusm_dict *params[32];
+ struct cm_tdbusm_dict param[32];
+ const struct cm_tdbusm_dict *params[33];
char *dbdir = NULL, *token = NULL, *nickname = NULL, *certfile = NULL;
char **anchor_dbs = NULL, **anchor_files = NULL;
char *pin = NULL, *pinfile = NULL, *cpass = NULL, *cpassfile = NULL;
@@ -2525,6 +2558,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
char *ms_template_spec = NULL;
char *key_owner = NULL, *key_perms = NULL;
char *cert_owner = NULL, *cert_perms = NULL;
+ char *nss_user = NULL;
char *keytype = NULL;
int keysize = 0;
dbus_bool_t b;
@@ -2552,6 +2586,7 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
{"key-perms", 'm', POPT_ARG_STRING, NULL, 'm', _("file permissions for private key"), HELP_TYPE_MODE},
{"cert-owner", 'O', POPT_ARG_STRING, NULL, 'O', _("owner information for certificate"), HELP_TYPE_USER},
{"cert-perms", 'M', POPT_ARG_STRING, NULL, 'M', _("file permissions for certificate"), HELP_TYPE_MODE},
+ {"nss-user", 'Z', POPT_ARG_STRING, NULL, 'Z', _("user to save NSS private and public keys as"), HELP_TYPE_USER},
{"ca-dbdir", 'a', POPT_ARG_STRING, NULL, 'a', _("NSS database in which to store the CA's certificates"), HELP_TYPE_DIRECTORY},
{"ca-file", 'F', POPT_ARG_STRING, NULL, 'F', _("file in which to store the CA's certificates"), HELP_TYPE_FILENAME},
{"before-command", 'B', POPT_ARG_STRING, NULL, 'B', _("command to run before saving the certificate"), HELP_TYPE_COMMAND},
@@ -2645,6 +2680,9 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
case 'X':
issuer = talloc_strdup(globals.tctx, poptarg);
break;
+ case 'Z':
+ nss_user = talloc_strdup(globals.tctx, poptarg);
+ break;
case 'i':
id = talloc_strdup(globals.tctx, poptarg);
break;
@@ -2885,6 +2923,13 @@ rekey_or_resubmit(const char *argv0, const char *category, int argc,
params[i] = ¶m[i];
i++;
}
+ if (nss_user != NULL) {
+ param[i].key = CM_DBUS_PROP_NSS_USER;
+ param[i].value_type = cm_tdbusm_dict_s;
+ param[i].value.s = nss_user;
+ params[i] = ¶m[i];
+ i++;
+ }
if (keytype != NULL) {
param[i].key = "KEY_TYPE";
param[i].value_type = cm_tdbusm_dict_s;
@@ -5008,6 +5053,8 @@ help(const char *twopartcmd, const char *category)
N_(" owner information for certificate\n"),
N_(" -M MODE, --cert-perms=MODE\n"),
N_(" file permissions for certificate\n"),
+ N_(" -Z USER, --nss-user=USER\n"),
+ N_(" User to switch to during NSS save operations\n"),
NULL,
};
const char *start_tracking_help[] = {
@@ -5096,6 +5143,8 @@ help(const char *twopartcmd, const char *category)
N_(" owner information for certificate\n"),
N_(" -M MODE, --cert-perms=MODE\n"),
N_(" file permissions for certificate\n"),
+ N_(" -Z USER, --nss-user=USER\n"),
+ N_(" User to switch to during NSS save operations\n"),
NULL,
};
const char *stop_tracking_help[] = {
@@ -5204,6 +5253,8 @@ help(const char *twopartcmd, const char *category)
N_(" owner information for certificate\n"),
N_(" -M MODE, --cert-perms=MODE\n"),
N_(" file permissions for certificate\n"),
+ N_(" -Z USER, --nss-user=USER\n"),
+ N_(" User to switch to during NSS save operations\n"),
NULL,
};
const char *rekey_help[] = {
=====================================
src/store-files.c
=====================================
@@ -101,6 +101,8 @@ enum cm_store_file_field {
cm_store_entry_field_cert_owner,
cm_store_entry_field_cert_perms,
+ cm_store_entry_field_nss_user,
+
cm_store_entry_field_cert_issuer_der,
cm_store_entry_field_cert_issuer,
cm_store_entry_field_cert_serial,
@@ -276,6 +278,8 @@ static struct cm_store_file_field_list {
{cm_store_entry_field_cert_owner, "cert_owner"},
{cm_store_entry_field_cert_perms, "cert_perms"},
+ {cm_store_entry_field_nss_user, "nss_user"},
+
{cm_store_entry_field_cert_issuer_der, "cert_issuer_der"},
{cm_store_entry_field_cert_issuer, "cert_issuer"},
{cm_store_entry_field_cert_serial, "cert_serial"},
@@ -1022,6 +1026,9 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
ret->cm_key_issued_count = atoi(p);
talloc_free(p);
break;
+ case cm_store_entry_field_nss_user:
+ ret->cm_nss_user = free_if_empty(p);
+ break;
case cm_store_entry_field_cert_storage_type:
if (strcasecmp(p, "FILE") == 0) {
ret->cm_cert_storage_type =
@@ -1420,6 +1427,7 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
case cm_store_entry_field_key_requested_count:
case cm_store_entry_field_key_next_requested_count:
case cm_store_entry_field_key_issued_count:
+ case cm_store_entry_field_nss_user:
case cm_store_entry_field_cert_storage_type:
case cm_store_entry_field_cert_storage_location:
case cm_store_entry_field_cert_token:
@@ -2042,6 +2050,9 @@ cm_store_entry_write(FILE *fp, struct cm_store_entry *entry)
cm_store_file_write_int(fp, cm_store_entry_field_cert_no_ocsp_check,
entry->cm_cert_no_ocsp_check ? 1 : 0);
+ cm_store_file_write_str(fp, cm_store_entry_field_nss_user,
+ entry->cm_nss_user);
+
cm_store_file_write_str(fp, cm_store_entry_field_last_need_notify_check,
cm_store_timestamp_from_time(entry->cm_last_need_notify_check,
timestamp));
@@ -2280,6 +2291,7 @@ cm_store_entry_save(struct cm_store_entry *entry)
if (cm_store_entry_write(fp, entry) == 0) {
fclose(fp);
dest = (const char *) entry->cm_store_private;
+ cm_log(0, "Wrote to %s\n", dest);
if (rename(path, dest) != 0) {
cm_log(0, "Error renaming \"%s\" to \"%s\": "
"%s.\n", path, dest, strerror(errno));
@@ -2797,6 +2809,8 @@ cm_store_entry_dup(void *parent, struct cm_store_entry *entry)
ret->cm_key_next_requested_count = entry->cm_key_next_requested_count;
ret->cm_key_issued_count = entry->cm_key_issued_count;
+ ret->cm_nss_user = cm_store_maybe_strdup(ret, entry->cm_nss_user);
+
ret->cm_cert_storage_type = entry->cm_cert_storage_type;
ret->cm_cert_storage_location = cm_store_maybe_strdup(ret, entry->cm_cert_storage_location);
ret->cm_cert_token = cm_store_maybe_strdup(ret, entry->cm_cert_token);
=====================================
src/store-int.h
=====================================
@@ -61,6 +61,7 @@ struct cm_store_entry {
char *cm_key_pin_file;
char *cm_key_owner;
mode_t cm_key_perms;
+ char *cm_nss_user;
/* Cached plain public key (used for computing subject and authority key IDs) */
char *cm_key_pubkey, *cm_key_next_pubkey;
/* Cached public key info (used in signing requests when using NSS) */
=====================================
src/tdbus.h
=====================================
@@ -81,6 +81,7 @@
#define CM_DBUS_PROP_KEY_PERMS "key-perms"
#define CM_DBUS_PROP_KEY_TYPE "key-type"
#define CM_DBUS_PROP_KEY_SIZE "key-size"
+#define CM_DBUS_PROP_NSS_USER "nss-user"
#define CM_DBUS_PROP_MONITORING "monitoring"
#define CM_DBUS_PROP_NOTIFICATION_TYPE "notification-type"
#define CM_DBUS_PROP_NOTIFICATION_SYSLOG_PRIORITY "notification-syslog-priority"
=====================================
src/tdbush.c
=====================================
@@ -412,6 +412,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
enum cm_cert_storage_type cert_storage;
char *cert_location, *cert_nickname, *cert_token;
char *cert_owner, *key_owner;
+ char *nss_user;
mode_t cert_perms, key_perms;
char *path, *pre_command, *post_command;
char **root_cert_nssdbs, **root_cert_files;
@@ -1265,6 +1266,15 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
} else {
key_perms = 0;
}
+ param = cm_tdbusm_find_dict_entry(d,
+ CM_DBUS_PROP_NSS_USER,
+ cm_tdbusm_dict_s);
+ if (param != NULL) {
+ nss_user = param->value.s;
+ cm_log(1, "Setting CM_DBUS_PROP_NSS_USER to %s\n", nss_user);
+ } else {
+ nss_user = NULL;
+ }
/* Okay, we can go ahead and add the entry. */
new_entry = cm_store_entry_new(parent);
if (new_entry == NULL) {
@@ -1374,6 +1384,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg,
new_entry->cm_cert_token = maybe_strdup(new_entry, cert_token);
new_entry->cm_cert_owner = maybe_strdup(new_entry, cert_owner);
new_entry->cm_cert_perms = cert_perms;
+ new_entry->cm_nss_user = maybe_strdup(new_entry, nss_user);
new_entry->cm_root_cert_store_nssdbs = maybe_strdupv(new_entry, root_cert_nssdbs);
new_entry->cm_root_cert_store_files = maybe_strdupv(new_entry, root_cert_files);
@@ -3290,6 +3301,14 @@ request_modify(DBusConnection *conn, DBusMessage *msg,
propname[n_propname++] = CM_DBUS_PROP_KEY_PERMS;
}
} else
+ if ((param->value_type == cm_tdbusm_dict_s) &&
+ (strcasecmp(param->key, CM_DBUS_PROP_NSS_USER) == 0)) {
+ entry->cm_nss_user = talloc_strdup(entry, param->value.s);
+ cm_log(1, "Param CM_DBUS_PROP_NSS_USER to %s\n", entry->cm_nss_user);
+ if (n_propname + 2 < sizeof(propname) / sizeof(propname[0])) {
+ propname[n_propname++] = CM_DBUS_PROP_NSS_USER;
+ }
+ } else
if ((param->value_type == cm_tdbusm_dict_b) &&
((strcasecmp(param->key, "RENEW") == 0) ||
(strcasecmp(param->key, CM_DBUS_PROP_AUTORENEW) == 0))) {
@@ -7217,6 +7236,15 @@ cm_tdbush_iface_request(void)
offsetof(struct cm_store_entry, cm_cert_profile),
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL),
+ make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_NSS_USER,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+ cm_tdbush_property_char_p,
+ offsetof(struct cm_store_entry, cm_nss_user),
+ NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
+ NULL),
make_interface_item(cm_tdbush_interface_property,
make_property(CM_DBUS_PROP_ROOT_CERT_FILES,
cm_tdbush_property_strings,
@@ -7396,7 +7424,7 @@ cm_tdbush_iface_request(void)
make_interface_item(cm_tdbush_interface_signal,
make_signal(CM_DBUS_SIGNAL_REQUEST_CERT_SAVED,
NULL),
- NULL)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
+ NULL))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))));
}
return ret;
}
=====================================
tests/028-dbus/expected.out
=====================================
@@ -380,6 +380,7 @@ OK
</method>
<property name="ca" type="o" access="read"/>
<property name="ca-profile" type="s" access="read"/>
+ <property name="nss-user" type="s" access="readwrite"/>
<property name="root-cert-files" type="as" access="read"/>
<property name="root-other-cert-files" type="as" access="read"/>
<property name="other-cert-files" type="as" access="read"/>
=====================================
tests/028-dbus/expected.out.nodsa
=====================================
@@ -380,6 +380,7 @@ OK
</method>
<property name="ca" type="o" access="read"/>
<property name="ca-profile" type="s" access="read"/>
+ <property name="nss-user" type="s" access="readwrite"/>
<property name="root-cert-files" type="as" access="read"/>
<property name="root-other-cert-files" type="as" access="read"/>
<property name="other-cert-files" type="as" access="read"/>
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/efa89d77282cb02c0b67b4fea316a6e3ec9c0956...476dc28ebb92625b6c2cd276205be3bb15013ca2
--
View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/efa89d77282cb02c0b67b4fea316a6e3ec9c0956...476dc28ebb92625b6c2cd276205be3bb15013ca2
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20230301/1a59f3b4/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list