On 08/05/2013 02:57 PM, Alexander Bokovoy wrote:
> On Fri, 02 Aug 2013, Ana Krivokapic wrote:
>> On 08/01/2013 04:13 PM, Alexander Bokovoy wrote:
>>> Hi!
>>>
>>> On Thu, 01 Aug 2013, Ana Krivokapic wrote:
>>>> Hello,
>>
>> Thanks Alexander for the quick review!
>>
>>>>
>>>> This patch adds ipa-advise plugins to help configure legacy clients for 
>>>> access
>>>> to trusted domain resources. For more details, please read the commit 
>>>> message.
>>>> Plugins are currently named "config-redhat-sssd-before-1-9" and
>>>> "config-generic-sssd-before-1-9"; suggestions for better names are welcome.
>>>>
>>>> Plugin content heavily inspired by
>>>> https://fedoraproject.org/wiki/QA:Testcase_freeipa_use_legacy_sssd_to_give_access_to_trusted_domain_users.
>>>>
>>>>
>>> I think it is a good start. Comments inline.
>>>
>>>> https://fedorahosted.org/freeipa/ticket/3671
>>>> ---
>>>> install/share/Makefile.am                  |   2 +
>>>> install/share/pam.conf.template            |  22 ++++++
>>>> install/share/sssd.conf.template           |  12 +++
>>> I would imagine we would have multiple plugins that need their own
>>> templates for pam.conf/sssd.conf. What about introducing
>>>  to avoid conflicts?
>>>
>>> In this case you use the same templates for both plugins so you might
>>> have <name> as 'legacy', for example.
>>>
>>> Another way is to have plugin name in the template, e.g.
>>> legacy.sssd.conf.template.
>>
>> Done. I opted for the install/share/advise/<name>/*.template option. The 
>> changes
>> are in the updated patch 52.
>>
>>>
>>>> +class config_redhat_sssd_before_1_9(Advice):
>>>> +    """
>>>> +    Legacy client configuration for Red Hat based platforms.
>>>> +    """
>>>> +
>>>> +    description = ('Instructions for configuring a system with an old
>>>> version '
>>>> +                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
>>>> +                   'instructions is targeted for platforms that include '
>>>> +                   'the authconfig utility, which are all Red Hat based '
>>>> +                   'platforms.')
>>> You need to check that Schema Compatibility plugin is configured to
>>> serve trusted domain users and groups.
>>>
>>> We have two trees:
>>> dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
>>> dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>>
>>> In both of the trees there should be
>>>    schema-compat-lookup-sssd: <user|group>
>>>
>>> attribute, with the value according to the tree (i.e. user for
>>> cn=users).
>>>
>>> If not, then suggest to run 'ipa-adtrust-install --enable-compat=true' on 
>>> the
>>> IPA server.
>>
>> Done. I added a new API command 'compat-is-enabled' (similar to
>> 'adtrust-is-enabled') to facilitate checking whether the Schema Compatibility
>> plugin is configured. 'compat-is-enabled' is called from the ipa-advise 
>> plugin
>> and the suggestion to run 'ipa-adtrust-install --enable-compat' is printed as
>> the first piece of advice, when appropriate.
>>
>> Patch 54 adds the new API command 'compat-is-enabled', while patch 53 is a 
>> small
>> fix which enables IPA API commands to be run from the ipa-advise plugins.
>>
>>>
>>>> +
>>>> +    def get_info(self):
>>>> +        self.log.comment('Install the sssd and authconfig packages via 
>>>> yum')
>>>> +        self.log.command('yum install -y sssd authconfig\n')
>>> You are using 'wget' below, it might make sense to add it into the above
>>> line too.
>>
>> Fixed in patch 52.
>>
>>>
>>>> +
>>>> +        self.log.comment('Download the CA certificate of the IPA server')
>>>> +        self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
>>>> +        self.log.command('wget http://%s/ipa/config/ca.crt -O '
>>>> +                         '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
>>>> +
>>>> +        self.log.comment('Generate hashes for the openldap library')
>>>> +        self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
>>>> +
>>>> +        self.log.comment('Use the authconfig to configure nsswitch.conf '
>>>> +                         'and the PAM stack')
>>>> +        self.log.command('authconfig --updateall --enablesssd '
>>>> +                         '--enablesssdauth\n')
>>>> +
>>>> +        self.log.comment('Configure SSSD')
>>>> +        self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
>>>> +                         '%s\nEOF' % generate_sssd_conf())
>>>> +        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
>>>> +
>>>> +        self.log.comment('Start SSSD')
>>>> +        self.log.command('service sssd start')
>>> Would it make sense to also add instructions to restore SELinux context
>>> (if needed)? I'm not sure, just throwing the idea for consideration.
>>
>> I am not sure about this either so I will wait for more opinions about this.
>>
>>>
>>> Same comments go for the second plugin.
>>>
>>
>> I also refactored the plugin a bit (added a new base class to avoid code
>> duplication).
>>
>> Updated patches are attached. Patch 52 depends on patches 53 and 54.
> One small comment:
>
> I've refactored slapi-nis code to make it more generic and references to
> sssd in the configuration options went away, so please change this part
> too:
>
>> +        attr = users_entry.get('schema-compat-lookup-sssd')
> to +        attr = users_entry.get('schema-compat-lookup-nsswitch')
>
>> +        if not attr or 'user' not in attr:
>> +            return dict(result=False)
>> +
>> +        try:
>> +            groups_entry = ldap.get_entry(groups_dn)
>> +        except errors.NotFound:
>> +            return dict(result=False)
>> +
>> +        attr = groups_entry.get('schema-compat-lookup-sssd')
> same here.
>
> It needs my patch 0112 too -- it changes ipa-adtrust-install to write
> proper configuration options to slapi-nis configs.

Done.

Also, references to both relevant tickets
https://fedorahosted.org/freeipa/ticket/3671 and
https://fedorahosted.org/freeipa/ticket/3672 added to commit messages.

Updated patches attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From a2092d3a73a6dba016c64e82a299a7686ecbd6bb Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Thu, 1 Aug 2013 14:12:39 +0200
Subject: [PATCH] Add ipa-advise plugins for legacy clients

Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
 freeipa.spec.in                                |   3 +
 install/configure.ac                           |   2 +
 install/share/Makefile.am                      |   4 +
 install/share/advise/Makefile.am               |  17 ++++
 install/share/advise/legacy/Makefile.am        |  15 +++
 install/share/advise/legacy/pam.conf.template  |  22 ++++
 install/share/advise/legacy/sssd.conf.template |  12 +++
 ipaserver/advise/plugins/legacy_clients.py     | 134 +++++++++++++++++++++++++
 8 files changed, 209 insertions(+)
 create mode 100644 install/share/advise/Makefile.am
 create mode 100644 install/share/advise/legacy/Makefile.am
 create mode 100644 install/share/advise/legacy/pam.conf.template
 create mode 100644 install/share/advise/legacy/sssd.conf.template
 create mode 100644 ipaserver/advise/plugins/legacy_clients.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0afcdae86ee2b9a7b603df3d3bdb1499916ecd0c..d4f90c7d8dceab61095e477d5daaec1cfe4eebec 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -630,6 +630,9 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
+%dir %{_usr}/share/ipa/advise
+%dir %{_usr}/share/ipa/advise/legacy
+%{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/ffextension
 %{_usr}/share/ipa/ffextension/bootstrap.js
 %{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index fca4c6991db63de17c47aa8d86e1d910ac09d47e..29254e6edfb9874ead9b37cc2d310a86fbfa0060 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -85,6 +85,8 @@ AC_CONFIG_FILES([
     html/Makefile
     migration/Makefile
     share/Makefile
+    share/advise/Makefile
+    share/advise/legacy/Makefile
     ui/Makefile
     ui/src/Makefile
     ui/src/libs/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 1e56d2c530375c371cd5e66b4e83d2c13bc86e77..5fff55bd1281d232858df679e7dfd9f84e4545ec 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -1,5 +1,9 @@
 NULL =
 
+SUBDIRS =  				\
+	advise				\
+	$(NULL)
+
 appdir = $(IPA_DATA_DIR)
 app_DATA =				\
 	05rfc2247.ldif			\
diff --git a/install/share/advise/Makefile.am b/install/share/advise/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..877f91ce8926e002582fad859da1b604e623ed38
--- /dev/null
+++ b/install/share/advise/Makefile.am
@@ -0,0 +1,17 @@
+NULL =
+
+SUBDIRS =  				\
+	legacy				\
+	$(NULL)
+
+appdir = $(IPA_DATA_DIR)/advise
+app_DATA =				\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_DATA)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/share/advise/legacy/Makefile.am b/install/share/advise/legacy/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..73cd2718c343b2f3382a92f0ec8b19fb29a15c58
--- /dev/null
+++ b/install/share/advise/legacy/Makefile.am
@@ -0,0 +1,15 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/advise/legacy
+app_DATA =				\
+	sssd.conf.template		\
+	pam.conf.template		\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_DATA)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/share/advise/legacy/pam.conf.template b/install/share/advise/legacy/pam.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..bdd91821eb6d8259d7f03a6eac78fc264b0cafa8
--- /dev/null
+++ b/install/share/advise/legacy/pam.conf.template
@@ -0,0 +1,22 @@
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_sss.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_sss.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_sss.so
diff --git a/install/share/advise/legacy/sssd.conf.template b/install/share/advise/legacy/sssd.conf.template
new file mode 100644
index 0000000000000000000000000000000000000000..764e853a42edd913d0a8138202b1fdd055ff2ff4
--- /dev/null
+++ b/install/share/advise/legacy/sssd.conf.template
@@ -0,0 +1,12 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = default
+re_expression = (?P<name>.+)
+
+[domain/default]
+cache_credentials = True
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://$IPA_SERVER_HOSTNAME
+ldap_search_base = cn=compat,$BASE_DN
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
new file mode 100644
index 0000000000000000000000000000000000000000..3edcceeb226f03e5bdfbd169bd5eeb3c0459d412
--- /dev/null
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -0,0 +1,134 @@
+# Authors: Ana Krivokapic <akriv...@redhat.com>
+#
+# Copyright (C) 2013  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+import os
+
+from ipalib import api
+from ipalib.frontend import Advice
+from ipapython.ipautil import template_file, SHARE_DIR
+
+
+class config_base_sssd_before_1_9(Advice):
+    def check_compat_plugin(self):
+        compat_is_enabled = api.Command['compat_is_enabled']()['result']
+        if not compat_is_enabled:
+            self.log.comment(
+                'Schema Compatibility plugin has not been configured '
+                'on this server. To configure it, run '
+                '"ipa-adtrust-install --enable-compat"'
+            )
+
+    def configure_and_start_sssd(self):
+        sub_dict = dict(
+            IPA_SERVER_HOSTNAME=api.env.host,
+            BASE_DN=','. join(['dc=%s' % c for c in api.env.domain.split('.')])
+        )
+        template = os.path.join(
+            SHARE_DIR,
+            'advise',
+            'legacy',
+            'sssd.conf.template'
+        )
+        sssd_conf = template_file(template, sub_dict)
+
+        self.log.comment('Configure SSSD')
+        self.log.command('cat > /etc/sssd/sssd.conf << EOF \n'
+                         '%s\nEOF' % sssd_conf)
+        self.log.command('chmod 0600 /etc/sssd/sssd.conf\n')
+
+        self.log.comment('Start SSSD')
+        self.log.command('service sssd start')
+
+
+class config_redhat_sssd_before_1_9(config_base_sssd_before_1_9):
+    """
+    Legacy client configuration for Red Hat based platforms.
+    """
+    description = ('Instructions for configuring a system with an old version '
+                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+                   'instructions is targeted for platforms that include '
+                   'the authconfig utility, which are all Red Hat based '
+                   'platforms.')
+
+    def get_info(self):
+        self.check_compat_plugin()
+
+        self.log.comment('Install sssd, authconfig and wget via yum')
+        self.log.command('yum install -y sssd authconfig wget\n')
+
+        self.log.comment('Download the CA certificate of the IPA server')
+        self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
+        self.log.command('wget http://%s/ipa/config/ca.crt -O '
+                         '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
+
+        self.log.comment('Generate hashes for the openldap library')
+        self.log.command('cacertdir_rehash /etc/openldap/cacerts/\n')
+
+        self.log.comment('Use the authconfig to configure nsswitch.conf '
+                         'and the PAM stack')
+        self.log.command('authconfig --updateall --enablesssd '
+                         '--enablesssdauth\n')
+
+        self.configure_and_start_sssd()
+
+
+api.register(config_redhat_sssd_before_1_9)
+
+
+class config_generic_sssd_before_1_9(config_base_sssd_before_1_9):
+    """
+    Legacy client configuration for non Red Hat based platforms.
+    """
+    description = ('Instructions for configuring a system with an old version '
+                   'of SSSD (1.5-1.8) as a FreeIPA client. This set of '
+                   'instructions is targeted for platforms that do not '
+                   'include the authconfig utility.')
+
+    def get_info(self):
+        self.check_compat_plugin()
+
+        with open(os.path.join(
+                SHARE_DIR,
+                'advise',
+                'legacy',
+                'pam.conf.template')) as fd:
+            pam_conf = fd.read()
+
+        self.log.comment('Install sssd using your system\'s package manager. '
+                         'E.g:')
+        self.log.command('apt-get -y install sssd\n')
+
+        self.log.comment('Configure nsswitch.conf. Append sss to the lines '
+                         'beginning with passwd and group. ')
+        self.log.command('grep "^passwd.*sss" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^passwd/s|$| sss|\' /etc/nsswitch.conf ; fi')
+        self.log.command('grep "^group.*sss" /etc/nsswitch.conf')
+        self.log.command('if [ $? -ne 0 ] ; then sed -i '
+                         '\'/^group/s|$| sss|\' /etc/nsswitch.conf ; fi\n')
+
+        self.log.comment('Configure PAM. Configuring the PAM stack differs on '
+                         'particular distributions. The resulting PAM stack '
+                         'should look like this:')
+        self.log.command('cat > /etc/pam.conf << EOF \n'
+                         '%s\nEOF\n' % pam_conf)
+
+        self.configure_and_start_sssd()
+
+
+api.register(config_generic_sssd_before_1_9)
-- 
1.8.1.4

From 3447f8ab93f7168e9b1fd542db580ac92299d5a5 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Fri, 2 Aug 2013 16:14:27 +0200
Subject: [PATCH] Add new command compat-is-enabled

Add a new API command 'compat-is-enabled' which can be used to determine
whether Schema Compatibility plugin is configured to serve trusted domain
users and groups. The new command is not visible in IPA CLI.

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
 API.txt                 |  4 ++++
 VERSION                 |  2 +-
 ipalib/plugins/trust.py | 44 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index 50834ef6b4d02dba2ee4014e00fbbb003728101b..2048057fc256793be85c2fb8fec0bcbf2992d9f4 100644
--- a/API.txt
+++ b/API.txt
@@ -490,6 +490,10 @@ command: cert_status
 arg: Str('request_id')
 option: Str('version?', exclude='webui')
 output: Output('result', None, None)
+command: compat_is_enabled
+args: 0,1,1
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: config_mod
 args: 0,24,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
diff --git a/VERSION b/VERSION
index c1f80834dda41f3698979d0a9f7323ff43e14ae7..313d5f96ffdf025a3e97aa405d432fdae64d0d20 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=62
+IPA_API_VERSION_MINOR=63
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index b19a27ecabb62abdfbc3c7927a8f78e83ad6821d..8790dcd2a5d026c728c6468d5fb7c50f58d0908b 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -990,3 +990,47 @@ def execute(self, *keys, **options):
         return dict(result=True)
 
 api.register(adtrust_is_enabled)
+
+
+class compat_is_enabled(Command):
+    NO_CLI = True
+
+    __doc__ = _('Determine whether Schema Compatibility plugin is configured '
+                'to serve trusted domain users and groups')
+
+    def execute(self, *keys, **options):
+        ldap = self.api.Backend.ldap2
+        users_dn = DN(
+            ('cn', 'users'),
+            ('cn', 'Schema Compatibility'),
+            ('cn', 'plugins'),
+            ('cn', 'config')
+        )
+        groups_dn = DN(
+            ('cn', 'groups'),
+            ('cn', 'Schema Compatibility'),
+            ('cn', 'plugins'),
+            ('cn', 'config')
+        )
+
+        try:
+            users_entry = ldap.get_entry(users_dn)
+        except errors.NotFound:
+            return dict(result=False)
+
+        attr = users_entry.get('schema-compat-lookup-nsswitch')
+        if not attr or 'user' not in attr:
+            return dict(result=False)
+
+        try:
+            groups_entry = ldap.get_entry(groups_dn)
+        except errors.NotFound:
+            return dict(result=False)
+
+        attr = groups_entry.get('schema-compat-lookup-nsswitch')
+        if not attr or 'group' not in attr:
+            return dict(result=False)
+
+        return dict(result=True)
+
+api.register(compat_is_enabled)
-- 
1.8.1.4

From db47e40f8acf402f06e5149682ed4944d1262c7b Mon Sep 17 00:00:00 2001
From: Ana Krivokapic <akriv...@redhat.com>
Date: Fri, 2 Aug 2013 16:11:16 +0200
Subject: [PATCH] Enable running API commands in ipa-advise plugins

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
---
 ipalib/rpc.py            | 4 ++--
 ipaserver/advise/base.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 36daa8393108cf53052f0dfac9cb0eb84ba4bb54..81e7aa35fdf780b3dcd850cfcc3ba5285d71e461 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -621,7 +621,7 @@ def create_connection(self, ccache=None, verbose=False, fallback=True,
                     kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
-            self.log.info('trying %s' % url)
+            self.log.debug('trying %s' % url)
             setattr(context, 'request_url', url)
             serverproxy = ServerProxy(url, **kw)
             if len(urls) == 1:
@@ -697,7 +697,7 @@ def forward(self, name, *args, **kw):
                 '%s.forward(): %r not in api.Command' % (self.name, name)
             )
         server = getattr(context, 'request_url', None)
-        self.info("Forwarding '%s' to server '%s'", name, server)
+        self.debug("Forwarding '%s' to server '%s'", name, server)
         command = getattr(self.conn, name)
         params = [args, kw]
         try:
diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 4b6ee96f86465c85a9a24c578f20c355473a59b6..58d5738d569384f70decca63750b1a450e80668c 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -150,7 +150,9 @@ def print_advice(self, keyword):
         advice.set_options(self.options)
 
         # Print out the actual advice
+        api.Backend.xmlclient.connect()
         advice.get_info()
+        api.Backend.xmlclient.disconnect()
         for line in advice.log.content:
             print line
 
-- 
1.8.1.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to