URL: https://github.com/freeipa/freeipa/pull/135
Author: mbasti-rh
 Title: #135: Pylint: remove unused variables from install modules and scripts
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/135/head:pr135
git checkout pr135
From 118ed2094efb789a0e58f24f2b8f2af0e58da1bc Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 4 Oct 2016 16:54:44 +0200
Subject: [PATCH 1/2] Pylint: remove unused variables from installers and
 scripts

---
 client/ipa-client-automount                        | 12 +++----
 client/ipa-client-install                          | 17 ++++------
 daemons/dnssec/ipa-ods-exporter                    |  6 ++--
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 10 +++---
 install/tools/ipa-adtrust-install                  | 17 +++++-----
 install/tools/ipa-replica-manage                   | 16 ++++-----
 install/tools/ipactl                               | 10 ++----
 ipaclient/ipachangeconf.py                         | 12 ++-----
 ipaclient/ipadiscovery.py                          |  4 ---
 ipapython/install/core.py                          | 12 +++----
 ipaserver/install/bindinstance.py                  |  9 +++--
 ipaserver/install/ca.py                            |  6 +---
 ipaserver/install/cainstance.py                    |  7 +---
 ipaserver/install/certs.py                         | 14 ++++----
 ipaserver/install/dns.py                           | 14 +-------
 ipaserver/install/dnskeysyncinstance.py            | 13 ++------
 ipaserver/install/dogtaginstance.py                |  5 +--
 ipaserver/install/dsinstance.py                    | 17 ++++------
 ipaserver/install/ipa_backup.py                    |  5 ---
 ipaserver/install/ipa_cacert_manage.py             |  3 --
 ipaserver/install/ipa_replica_prepare.py           | 15 +++------
 ipaserver/install/ipa_restore.py                   |  4 ---
 ipaserver/install/ipa_winsync_migrate.py           | 11 +++----
 ipaserver/install/opendnssecinstance.py            |  8 -----
 ipaserver/install/plugins/rename_managed.py        | 11 +++----
 ipaserver/install/replication.py                   | 28 ++++++++--------
 ipaserver/install/server/install.py                | 12 ++-----
 ipaserver/install/server/replicainstall.py         | 38 +++++++++-------------
 ipaserver/install/server/upgrade.py                |  5 ---
 ipaserver/install/upgradeinstance.py               |  4 +--
 30 files changed, 111 insertions(+), 234 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 91bdc88..88adb0a 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -45,8 +45,6 @@ from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 def parse_options():
     usage = "%prog [options]\n"
     parser = OptionParser(usage=usage)
@@ -81,7 +79,7 @@ def wait_for_sssd():
         try:
             ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
             found = True
-        except Exception as e:
+        except Exception:
             time.sleep(1)
             n = n + 1
 
@@ -180,7 +178,7 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
         if provider == "ipa":
             domain.add_provider('ipa', 'autofs')
             try:
-                location = domain.get_option('ipa_automount_location')
+                domain.get_option('ipa_automount_location')
                 sys.exit('An automount location is already configured')
             except SSSDConfig.NoOptionError:
                 domain.set_option('ipa_automount_location', options.location)
@@ -373,7 +371,7 @@ def main():
     if not fstore.has_files() and not os.path.exists(paths.IPA_DEFAULT_CONF):
         sys.exit('IPA client is not configured on this system.\n')
 
-    options, args = parse_options()
+    options, _args = parse_options()
 
     standard_logging_setup(
         paths.IPACLIENT_INSTALL_LOG, verbose=False, debug=options.debug,
@@ -400,7 +398,6 @@ def main():
         sys.exit('automount is already configured on this system.\n')
 
     autodiscover = False
-    servers = []
     ds = ipadiscovery.IPADiscovery()
     if not options.server:
         print("Searching for IPA server...")
@@ -437,7 +434,6 @@ def main():
         print("IPA server: DNS discovery")
         root_logger.debug('Configuring to use DNS discovery')
 
-    search_base = str(DN(('cn', options.location), api.env.container_automount, api.env.basedn))
     print("Location: %s" % options.location)
     root_logger.debug('Using automount location %s' % options.location)
 
@@ -457,7 +453,7 @@ def main():
             sys.exit('Cannot connect to the server due to ' + str(e))
         try:
             # Use the RPC directly so older servers are supported
-            result = api.Backend.rpcclient.forward(
+            api.Backend.rpcclient.forward(
                 'automountlocation_show',
                 ipautil.fsdecode(options.location),
                 version=u'2.0',
diff --git a/client/ipa-client-install b/client/ipa-client-install
index d38eaf9..da7d6b3 100755
--- a/client/ipa-client-install
+++ b/client/ipa-client-install
@@ -72,8 +72,6 @@ error was:
 """ % e, file=sys.stderr)
     sys.exit(1)
 
-# pylint: disable=unused-variable
-
 SUCCESS = 0
 CLIENT_INSTALL_ERROR = 1
 CLIENT_NOT_CONFIGURED = 2
@@ -97,7 +95,7 @@ def parse_options():
         initialized = nss.nss_is_initialized()
         try:
             cert = x509.load_certificate_from_file(value)
-        except Exception as e:
+        except Exception:
             raise OptionValueError("%s option '%s' is not a valid certificate file" % (opt, value))
         else:
             del(cert)
@@ -230,7 +228,7 @@ def parse_options():
                                           "be run with --unattended option")
     parser.add_option_group(uninstall_group)
 
-    options, args = parser.parse_args()
+    options, _args = parser.parse_args()
     safe_opts = parser.get_safe_opts(options)
 
     if (options.server and not options.domain):
@@ -383,7 +381,6 @@ def nssldap_exists():
 # helper function for uninstall
 # deletes IPA domain from sssd.conf
 def delete_ipa_domain():
-    sssd = services.service('sssd')
     try:
         sssdconfig = SSSDConfig.SSSDConfig()
         sssdconfig.import_config()
@@ -1509,7 +1506,7 @@ def configure_nisdomain(options, domain):
         try:
             result = ipautil.run([paths.BIN_NISDOMAINNAME],
                                  capture_output=True)
-        except CalledProcessError as e:
+        except CalledProcessError:
             pass
         else:
             nis_domain_name = result.output
@@ -1748,7 +1745,7 @@ def verify_dns_update(fqdn, ips):
 def get_server_connection_interface(server):
     # connect to IPA server, get all ip addresses of inteface used to connect
     for res in socket.getaddrinfo(server, 389, socket.AF_UNSPEC, socket.SOCK_STREAM):
-        (af, socktype, proto, canonname, sa) = res
+        af, socktype, proto, _canonname, sa = res
         try:
             s = socket.socket(af, socktype, proto)
         except socket.error as e:
@@ -1923,7 +1920,7 @@ def get_ca_certs_from_file(url):
     root_logger.debug("trying to retrieve CA cert from file %s", filename)
     try:
         certs = x509.load_certificate_list_from_file(filename)
-    except Exception as e:
+    except Exception:
         raise errors.NoCertificateError(entry=filename)
 
     return certs
@@ -1944,7 +1941,7 @@ def get_ca_certs_from_http(url, warn=True):
     try:
 
         result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True)
-    except CalledProcessError as e:
+    except CalledProcessError:
         raise errors.NoCertificateError(entry=url)
     stdout = result.output
 
@@ -2981,7 +2978,7 @@ def install(options, env, fstore, statestore):
     if nslcd.is_installed():
         save_state(nslcd)
 
-    retcode, conf, filename = (0, None, None)
+    retcode, conf = (0, None)
 
     if not options.no_ac:
         # Modify nsswitch/pam stack
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index bb208d2..6633249 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -41,8 +41,6 @@ from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
 from ipapython.dnssec.ldapkeydb import LdapKeyDB
 from ipapython.dnssec.localhsm import LocalHSM
 
-# pylint: disable=unused-variable
-
 DAEMONNAME = 'ipa-ods-exporter'
 PRINCIPAL = None  # not initialized yet
 WORKDIR = os.path.join(paths.VAR_OPENDNSSEC_DIR ,'tmp')
@@ -446,13 +444,13 @@ def receive_systemd_command(log):
         raise KeyError('Exactly one socket is expected.')
 
     sck = socket.fromfd(fds[0], socket.AF_UNIX, socket.SOCK_STREAM)
-    rlist, wlist, xlist = select.select([sck], [], [], 0)
+    rlist, _wlist, _xlist = select.select([sck], [], [], 0)
     if not rlist:
         log.critical('socket activation did not return socket with a command')
         sys.exit(0)
 
     log.debug('accepting new connection')
-    conn, addr = sck.accept()
+    conn, _addr = sck.accept()
     log.debug('accepted new connection %s', repr(conn))
 
     # this implements cmdhandler_handle_cmd() logic
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 329daa0..967ce6e 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -44,8 +44,6 @@ from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance, certs
 
-# pylint: disable=unused-variable
-
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
 # info on certmonger CA helper scripts.
@@ -194,7 +192,7 @@ def request_cert():
 
     rc = result.returncode
     if rc == WAIT_WITH_DELAY:
-        delay, sep, cookie = stdout.partition('\n')
+        delay, _sep, cookie = stdout.partition('\n')
         return (rc, delay, cookie)
     else:
         return (rc, stdout)
@@ -282,7 +280,7 @@ def request_and_store_cert():
         if not cookie:
             return (UNCONFIGURED, "Cookie not provided")
 
-        state, sep, cookie = cookie.partition(':')
+        state, _sep, cookie = cookie.partition(':')
         if state not in ('request', 'store'):
             return (UNCONFIGURED,
                     "Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
@@ -306,7 +304,7 @@ def request_and_store_cert():
             cert = result[1]
             cookie = None
     else:
-        cert, sep, cookie = cookie.partition(':')
+        cert, _sep, cookie = cookie.partition(':')
 
     if cookie is None:
         os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
@@ -438,7 +436,7 @@ def renew_ca_cert():
         if not cookie:
             return (UNCONFIGURED, "Cookie not provided")
 
-        state, sep, cookie = cookie.partition(':')
+        state, _sep, cookie = cookie.partition(':')
         if state not in ('retrieve', 'request'):
             return (UNCONFIGURED,
                     "Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 13c62aa..378627d 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -45,8 +45,6 @@ from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -87,7 +85,7 @@ def parse_options():
                       dest="enable_compat", default=False, action="store_true",
                       help="Enable support for trusted domains for old clients")
 
-    options, args = parser.parse_args()
+    options, _args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 
     return safe_options, options
@@ -215,7 +213,7 @@ def set_and_check_netbios_name(netbios_name, unattended):
 def ensure_admin_kinit(admin_name, admin_password):
     try:
         ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
-    except ipautil.CalledProcessError as e:
+    except ipautil.CalledProcessError:
         print("There was error to automatically re-kinit your admin user ticket.")
         return False
     return True
@@ -357,8 +355,8 @@ def main():
         try:
             root_logger.debug("Searching for objects with missing SID with "
                 "filter=%s, base_dn=%s", filter, base_dn)
-            (entries, truncated) = api.Backend.ldap2.find_entries(filter=filter,
-                base_dn=base_dn, attrs_list=[''])
+            entries, _truncated = api.Backend.ldap2.find_entries(
+                filter=filter, base_dn=base_dn, attrs_list=[''])
         except errors.NotFound:
             # All objects have SIDs assigned
             pass
@@ -413,7 +411,7 @@ def main():
         try:
             # Search only masters which have support for domain levels
             # because only these masters will have SSSD recent enough to support AD trust agents
-            (entries_m, truncated) = smb.admin_conn.find_entries(
+            entries_m, _truncated = smb.admin_conn.find_entries(
                 filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
                 base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
         except errors.NotFound:
@@ -423,8 +421,9 @@ def main():
            print(unicode(e))
 
         try:
-           (entries_a, truncated) = smb.admin_conn.find_entries(filter="",
-               base_dn=agents_dn, attrs_list=['member'], scope=ldap.SCOPE_BASE)
+           entries_a, _truncated = smb.admin_conn.find_entries(
+               filter="", base_dn=agents_dn, attrs_list=['member'],
+               scope=ldap.SCOPE_BASE)
         except errors.NotFound:
             pass
         except (errors.DatabaseError, errors.NetworkError) as e:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 6152898..d9dee9c 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -45,8 +45,6 @@ from ipaclient import ipadiscovery
 from six.moves.xmlrpc_client import MAXINT
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 # dict of command name and tuples of min/max num of args needed
 commands = {
     "list":(0, 1, "[master fqdn]", ""),
@@ -142,7 +140,7 @@ def test_connection(realm, host, nolookup=False):
         if not nolookup:
             enforce_host_existence(host)
         replman = replication.ReplicationManager(realm, host, None)
-        ents = replman.find_replication_agreements()
+        replman.find_replication_agreements()
         del replman
         return True
     except errors.ACIError:
@@ -216,7 +214,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
         if winsync_peer:
             repl = replication.ReplicationManager(realm, winsync_peer,
                                                   dirman_passwd)
-            cn, dn = repl.agreement_dn(replica)
+            _cn, dn = repl.agreement_dn(replica)
             entries = repl.conn.get_entries(
                 dn, conn.SCOPE_BASE,
                 "(objectclass=nsDSWindowsReplicationAgreement)")
@@ -308,7 +306,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
         try:
             repl2.set_readonly(readonly=True)
             repl2.force_sync(repl2.conn, replica1)
-            cn, dn = repl2.agreement_dn(repl1.conn.host)
+            _cn, dn = repl2.agreement_dn(repl1.conn.host)
             repl2.wait_for_repl_update(repl2.conn, dn, 30)
             (range_start, range_max) = repl2.get_DNA_range(repl2.conn.host)
             (next_start, next_max) = repl2.get_DNA_next_range(repl2.conn.host)
@@ -391,7 +389,9 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
             data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
             if data:
                 rid = data.group(1)
-                (scheme, netloc, path, params, query, fragment) = urlparse(data.group(2))
+                (
+                    _scheme, netloc, _path, _params, _query, _fragment
+                ) = urlparse(data.group(2))
                 servers.append((netloc, rid))
             else:
                 print("unable to decode: %s" % ruv)
@@ -1323,7 +1323,7 @@ def store_DNA_range(repl, range_start, range_max, deleted_master, realm,
         except Exception as e:
             print("Connection failed: %s" % e)
             continue
-        (next_start, next_max) = repl2.get_DNA_next_range(candidate)
+        next_start, _next_max = repl2.get_DNA_next_range(candidate)
         if next_start is None:
             try:
                 return repl2.save_DNA_next_range(range_start, range_max)
@@ -1359,7 +1359,7 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
         """
         try:
             (dna_next, dna_max) = range.split('-', 1)
-        except ValueError as e:
+        except ValueError:
             return "Invalid range, must be the form x-y"
 
         try:
diff --git a/install/tools/ipactl b/install/tools/ipactl
index d229738..42bd73e 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -39,9 +39,6 @@ from ipapython.dn import DN
 from ipaplatform import services
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
-
 MSG_HINT_IGNORE_SERVICE_FAILURE = (
     "Hint: You can use --ignore-service-failure option for forced start in "
     "case that a non-critical service failed"
@@ -89,7 +86,7 @@ def is_dirsrv_debugging_enabled():
         fd.close()
         for line in lines:
             if line.lower().startswith('nsslapd-errorlog-level'):
-                (option, value) = line.split(':')
+                _option, value = line.split(':')
                 if int(value) > 0:
                     debugging = True
 
@@ -239,7 +236,7 @@ def get_config_from_file():
         def_svc_list.append([s[1], s[0]])
 
     ordered_list = []
-    for (order, svc) in sorted(def_svc_list):
+    for _order, svc in sorted(def_svc_list):
         if svc in svc_list:
             ordered_list.append(svc)
 
@@ -286,7 +283,6 @@ def ipa_start(options):
     except Exception as e:
         raise IpactlError("Failed to start Directory Service: " + str(e))
 
-    ldap_list = []
     try:
         svc_list = get_config(dirsrv)
     except Exception as e:
@@ -540,7 +536,7 @@ def main():
         # LSB status code 4: user had insufficient privilege
         raise IpactlError("You must be root to run ipactl.", 4)
 
-    safe_options, options, args = parse_options()
+    _safe_options, options, args = parse_options()
 
     if len(args) != 1:
         # LSB status code 2: invalid or excess argument(s)
diff --git a/ipaclient/ipachangeconf.py b/ipaclient/ipachangeconf.py
index b6cbc9b..b7d8ffc 100644
--- a/ipaclient/ipachangeconf.py
+++ b/ipaclient/ipachangeconf.py
@@ -24,8 +24,6 @@
 
 import six
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -303,7 +301,7 @@ def mergeOld(self, oldopts, newopts):
 
         for o in oldopts:
             if o['type'] == "section" or o['type'] == "subsection":
-                (num, no) = self.findOpts(newopts, o['type'], o['name'])
+                _num, no = self.findOpts(newopts, o['type'], o['name'])
                 if not no:
                     opts.append(o)
                     continue
@@ -327,7 +325,7 @@ def mergeOld(self, oldopts, newopts):
                 continue
 
             if o['type'] == "option":
-                (num, no) = self.findOpts(newopts, 'option', o['name'], True)
+                _num, no = self.findOpts(newopts, 'option', o['name'], True)
                 if not no:
                     opts.append(o)
                     continue
@@ -482,9 +480,6 @@ def parse(self, f):
     #     [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}]
     # section is a section name like 'global'
     def changeConf(self, file, newopts):
-        autosection = False
-        savedsection = None
-        done = False
         output = ""
         f = None
         try:
@@ -517,9 +512,6 @@ def changeConf(self, file, newopts):
     # options is a set of dictionaries in the form:
     #     [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}]
     def newConf(self, file, options):
-        autosection = False
-        savedsection = None
-        done = False
         output = ""
         f = None
         try:
diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py
index e051bc7..2075c33 100644
--- a/ipaclient/ipadiscovery.py
+++ b/ipaclient/ipadiscovery.py
@@ -30,8 +30,6 @@
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
 REALM_NOT_FOUND = -3
@@ -376,8 +374,6 @@ def ipacheckldap(self, thost, trealm, ca_cert_path=None):
 
         lrealms = []
 
-        i = 0
-
         #now verify the server is really an IPA server
         try:
             root_logger.debug("Init LDAP connection to: %s", thost)
diff --git a/ipapython/install/core.py b/ipapython/install/core.py
index 98ee588..e94c0f2 100644
--- a/ipapython/install/core.py
+++ b/ipapython/install/core.py
@@ -19,8 +19,6 @@
 from . import util
 from .util import from_
 
-# pylint: disable=unused-variable
-
 __all__ = ['InvalidStateError', 'KnobValueError', 'Property', 'Knob',
            'Configurable', 'Group', 'Component', 'Composite']
 
@@ -207,7 +205,7 @@ def properties(cls):
 
             result = sorted(result, key=lambda r: r[0])
 
-            for order, owner_cls, name in result:
+            for _order, owner_cls, name in result:
                 yield owner_cls, name
 
     @classmethod
@@ -316,7 +314,7 @@ def validate(self):
         Run the validation part of the configurable.
         """
 
-        for nothing in self._validator():
+        for _nothing in self._validator():
             pass
 
     def _validator(self):
@@ -333,7 +331,7 @@ def execute(self):
         Run the execution part of the configurable.
         """
 
-        for nothing in self._executor():
+        for _nothing in self._executor():
             pass
 
     def _executor(self):
@@ -541,7 +539,7 @@ def components(cls):
 
             result = sorted(result, key=lambda r: r[0])
 
-            for order, owner_cls, name in result:
+            for _order, owner_cls, name in result:
                 yield owner_cls, name
 
     def __getattr__(self, name):
@@ -565,7 +563,7 @@ def _reset(self):
         super(Composite, self)._reset()
 
     def _get_components(self):
-        for owner_cls, name in self.components():
+        for _owner_cls, name in self.components():
             yield getattr(self, name)
 
     def _configure(self):
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index a04822e..350cb3c 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -60,8 +60,6 @@
                          UnresolvableRecordError)
 from ipalib.constants import CACERT
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -289,7 +287,7 @@ def find_reverse_zone(ip_address, api=api):
     while len(zone) > 0:
         if dns_zone_exists(zone, api):
             return zone
-        foo, bar, zone = zone.partition('.')
+        zone = zone.partition('.')[2]
 
     return None
 
@@ -866,7 +864,7 @@ def __add_master_records(self, fqdn, addrs):
         for addr in addrs:
             try:
                 add_fwd_rr(zone, host, addr, self.api)
-            except errors.NotFound as e:
+            except errors.NotFound:
                 pass
 
             reverse_zone = find_reverse_zone(addr, self.api)
@@ -1107,7 +1105,8 @@ def remove_server_ns_records(self, fqdn):
         attributes = ['idnsname', 'objectclass']
         dn = DN(self.api.env.container_dns, self.api.env.basedn)
 
-        entries, truncated = ldap.find_entries(attr_filter, attributes, base_dn=dn)
+        entries, _truncated = ldap.find_entries(
+            attr_filter, attributes, base_dn=dn)
 
         # remove records
         if entries:
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b23ccfd..dadc34e 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -15,8 +15,6 @@
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 
-# pylint: disable=unused-variable
-
 external_cert_file = None
 external_ca_file = None
 
@@ -94,7 +92,7 @@ def install_check(standalone, replica_config, options):
         dsdb = certs.CertDB(realm_name, nssdir=dirname, subject_base=subject_base)
 
         for db in (cadb, dsdb):
-            for nickname, trust_flags in db.list_certs():
+            for nickname, _trust_flags in db.list_certs():
                 if nickname in (certdb.get_ca_nickname(realm_name),
                                 'ipaCert',
                                 'Signing-Cert'):
@@ -121,7 +119,6 @@ def install(standalone, replica_config, options):
 
 def install_step_0(standalone, replica_config, options):
     realm_name = options.realm_name
-    domain_name = options.domain_name
     dm_password = options.dm_password
     host_name = options.host_name
     subject_base = options.subject
@@ -170,7 +167,6 @@ def install_step_0(standalone, replica_config, options):
 
 def install_step_1(standalone, replica_config, options):
     realm_name = options.realm_name
-    domain_name = options.domain_name
     dm_password = options.dm_password
     host_name = options.host_name
     subject_base = options.subject
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index dea1110..d352a1d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -81,8 +81,6 @@
 except ImportError:
     import http.client as httplib
 
-# pylint: disable=unused-variable
-
 # We need to reset the template because the CA uses the regular boot
 # information
 INF_TEMPLATE = """
@@ -1625,9 +1623,6 @@ def __update_entry_from_cert(make_filter, make_entry, dercert):
     """
 
     base_dn = DN(('o', 'ipaca'))
-    serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
-    subject = x509.get_subject(dercert, datatype=x509.DER)
-    issuer = x509.get_issuer(dercert, datatype=x509.DER)
 
     attempts = 0
     server_id = installutils.realm_to_serverid(api.env.realm)
@@ -1909,7 +1904,7 @@ def repair_profile_caIPAserviceCert():
     with api.Backend.ra_certprofile as profile_api:
         try:
             cur_config = profile_api.read_profile(profile_id).splitlines()
-        except errors.RemoteRetrieveError as e:
+        except errors.RemoteRetrieveError:
             # no profile there to check/repair
             api.Backend.ra_certprofile.override_port = None
             return
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index b55bb6c..31fd36c 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -45,8 +45,6 @@
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 # Apache needs access to this database so we need to create it
 # where apache can reach
 NSS_DIR = paths.HTTPD_ALIAS_DIR
@@ -260,7 +258,7 @@ def load_cacert(self, cacert_fname, trust_flags):
         while True:
             try:
                 (cert, st) = find_cert_from_txt(certs, st)
-                (rdn, subject_dn) = get_cert_nickname(cert)
+                _rdn, subject_dn = get_cert_nickname(cert)
                 if subject_dn == ca_dn:
                     nick = get_ca_nickname(self.realm)
                 else:
@@ -283,7 +281,7 @@ def get_cert_from_db(self, nickname, pem=True):
             if pem:
                 return cert
             else:
-                (cert, start) = find_cert_from_txt(cert, start=0)
+                cert, _start = find_cert_from_txt(cert, start=0)
                 cert = x509.strip_header(cert)
                 dercert = base64.b64decode(cert)
                 return dercert
@@ -405,7 +403,7 @@ def issue_server_cert(self, certreq_fname, cert_fname):
         result = dogtag.https_request(
             self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
             self.secdir, password, "ipaCert", **params)
-        http_status, http_headers, http_body = result
+        http_status, _http_headers, http_body = result
         root_logger.debug("CA answer: %s", http_body)
 
         if http_status != 200:
@@ -459,7 +457,7 @@ def issue_signing_cert(self, certreq_fname, cert_fname):
         result = dogtag.https_request(
             self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient",
             self.secdir, password, "ipaCert", **params)
-        http_status, http_headers, http_body = result
+        http_status, _http_headers, http_body = result
         if http_status != 200:
             raise RuntimeError("Unable to submit cert request")
 
@@ -571,11 +569,11 @@ def create_from_cacert(self, cacert_fname, passwd=None):
             newca = f.readlines()
             f.close()
             newca = "".join(newca)
-            (newca, st) = find_cert_from_txt(newca)
+            newca, _st = find_cert_from_txt(newca)
 
             cacert = self.get_cert_from_db(self.cacert_name)
             if cacert != '':
-                (cacert, st) = find_cert_from_txt(cacert)
+                cacert, _st = find_cert_from_txt(cacert)
 
             if newca == cacert:
                 return
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index efff82a..c16b963 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -30,12 +30,9 @@
 from ipaserver.install.installutils import update_hosts_file
 from ipaserver.install import bindinstance
 from ipaserver.install import dnskeysyncinstance
-from ipaserver.install import ntpinstance
 from ipaserver.install import odsexporterinstance
 from ipaserver.install import opendnssecinstance
 
-# pylint: disable=unused-variable
-
 ip_addresses = []
 reverse_zones = []
 
@@ -45,7 +42,7 @@ def _find_dnssec_enabled_zones(conn):
     dnssec_enabled_filter = conn.make_filter(search_kw)
     dn = DN('cn=dns', api.env.basedn)
     try:
-        entries, truncated = conn.find_entries(
+        entries, _truncated = conn.find_entries(
             base_dn=dn, filter=dnssec_enabled_filter, attrs_list=['idnsname'])
     except errors.NotFound:
         return []
@@ -222,8 +219,6 @@ def install_check(standalone, api, replica, options, hostname):
                                    "database (kasp.db file)")
 
             # check if replica can be the DNSSEC master
-            named = services.knownservices.named
-            ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.IPA_DNSKEYSYNCD_REPLICA]
             environment = {
                 "SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF,
@@ -316,15 +311,8 @@ def install_check(standalone, api, replica, options, hostname):
 
 
 def install(standalone, replica, options, api=api):
-    local_dnskeysyncd_dn = DN(('cn', 'DNSKeySync'), ('cn', api.env.host),
-                              ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
-                              api.env.basedn)
-    conn = api.Backend.ldap2
-
     fstore = sysrestore.FileStore(paths.SYSRESTORE)
 
-    conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()
-
     if standalone:
         # otherwise this is done by server/replica installer
         update_hosts_file(ip_addresses, api.env.host, fstore)
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 3e862b3..f397879 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -21,15 +21,12 @@
 from ipapython.dn import DN
 from ipapython import ipaldap
 from ipapython import sysrestore, ipautil
-from ipaplatform import services
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipalib import errors, api
 from ipalib.constants import CACERT
 from ipaserver.install.bindinstance import dns_container_exists
 
-# pylint: disable=unused-variable
-
 softhsm_token_label = u'ipaDNSSEC'
 softhsm_slot = 0
 replica_keylabel_template = u"dnssec-replica:%s"
@@ -117,7 +114,7 @@ def remove_replica_public_keys(self, replica_fqdn):
             'ipk11Wrap': True,
         }
         filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
-        entries, truncated = ldap.find_entries(filter=filter, base_dn=dn_base)
+        entries, _truncated = ldap.find_entries(filter=filter, base_dn=dn_base)
         for entry in entries:
             ldap.delete_entry(entry)
 
@@ -149,22 +146,18 @@ def create_instance(self, fqdn, realm_name):
         self.start_creation()
 
     def __get_named_uid(self):
-        named = services.knownservices.named
         try:
             return pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
             raise RuntimeError("Named UID not found")
 
     def __get_named_gid(self):
-        named = services.knownservices.named
         try:
             return grp.getgrnam(constants.NAMED_GROUP).gr_gid
         except KeyError:
             raise RuntimeError("Named GID not found")
 
     def __check_dnssec_status(self):
-        ods_enforcerd = services.knownservices.ods_enforcerd
-
         self.named_uid = self.__get_named_uid()
         self.named_gid = self.__get_named_gid()
 
@@ -338,7 +331,7 @@ def __setup_replica_keys(self):
                 if not priv_keys:
                     break  # we found unique id
 
-            public_key_handle, private_key_handle = p11.generate_replica_key_pair(
+            public_key_handle, _privkey_handle = p11.generate_replica_key_pair(
                     keylabel, key_id,
                     pub_cka_verify=False,
                     pub_cka_verify_recover=False,
@@ -394,7 +387,7 @@ def __setup_replica_keys(self):
                 'ipk11Wrap': True,
             }
             filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
-            entries, truncated = ldap.find_entries(filter=filter,
+            entries, _truncated = ldap.find_entries(filter=filter,
                                                    base_dn=dn_base)
             for entry in entries:
                 # don't disable wrapping for new key
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index ea80a2f..d682745 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -45,8 +45,6 @@
 from ipaserver.install.installutils import stopped_service
 from ipapython.ipa_log_manager import log_mgr
 
-# pylint: disable=unused-variable
-
 HTTPD_USER = constants.HTTPD_USER
 
 
@@ -356,7 +354,7 @@ def stop_tracking_certificates(self, stop_certmonger=True):
         services.knownservices.messagebus.start()
         cmonger.start()
 
-        nicknames = [nickname for nickname, profile in self.tracking_reqs]
+        nicknames = [nickname for nickname, _profile in self.tracking_reqs]
         if self.server_cert_name is not None:
             nicknames.append(self.server_cert_name)
 
@@ -477,7 +475,6 @@ def setup_admin(self):
 
     def __remove_admin_from_group(self, group):
         dn = DN(('cn', group), ('ou', 'groups'), ('o', 'ipaca'))
-        entry = self.admin_conn.get_entry(dn)
         mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)]
         try:
             self.admin_conn.modify_s(dn, mod)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 30e0038..aaaba07 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -52,8 +52,6 @@
 from ipaplatform import services
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 DS_USER = platformconstants.DS_USER
 DS_GROUP = platformconstants.DS_GROUP
 
@@ -186,7 +184,7 @@ def get_domain_level(api=api):
 def get_all_external_schema_files(root):
     """Get all schema files"""
     f = []
-    for path, subdirs, files in os.walk(root):
+    for path, _subdirs, files in os.walk(root):
         for name in files:
             if fnmatch.fnmatch(name, "*.ldif"):
                 f.append(os.path.join(path, name))
@@ -741,7 +739,7 @@ def configure_dirsrv_ccache(self):
             os.chown(filepath, 0, 0)
 
         replacevars = {'KRB5CCNAME': ccache}
-        old_values = ipautil.backup_config_and_replace_variables(
+        ipautil.backup_config_and_replace_variables(
             self.fstore, filepath, replacevars=replacevars)
         tasks.restore_context(filepath)
 
@@ -898,7 +896,6 @@ def add_hbac(self):
 
     def change_admin_password(self, password):
         root_logger.debug("Changing admin password")
-        dirname = config_dirname(self.serverid)
         dmpwdfile = ""
         admpwdfile = ""
 
@@ -937,7 +934,7 @@ def uninstall(self):
         enabled = self.restore_state("enabled")
 
         # Just eat this state if it exists
-        running = self.restore_state("running")
+        self.restore_state("running")
 
         try:
             self.fstore.restore_file(paths.LIMITS_CONF)
@@ -961,10 +958,8 @@ def uninstall(self):
                 root_logger.error("Failed to remove DS instance. You may "
                                   "need to remove instance data manually")
 
-        # At one time we removed this user on uninstall. That can potentially
-        # orphan files, or worse, if another useradd runs in the intermim,
-        # cause files to have a new owner.
-        user_exists = self.restore_state("user_exists")
+        # Just eat this state
+        self.restore_state("user_exists")
 
         # Make sure some upgrade-related state is removed. This could cause
         # re-installation problems.
@@ -1341,7 +1336,7 @@ def update_dna_shared_config(self, method="SASL/GSSAPI", protocol="LDAP"):
         # the failure to update the shared config entry and return
         #
         max_wait = 30
-        for i in range(0, max_wait + 1):
+        for _i in range(0, max_wait + 1):
             try:
                 entries = conn.get_entries(
                     sharedcfgdn, scope=ldap.SCOPE_ONELEVEL,
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 3c38e6f..e7fefd8 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -40,8 +40,6 @@
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 
-# pylint: disable=unused-variable
-
 """
 A test gpg can be generated like this:
 
@@ -382,7 +380,6 @@ def db2ldif(self, instance, backend, online=True):
         '''
         self.log.info('Backing up %s in %s to LDIF' % (backend, instance))
 
-        now = time.localtime()
         cn = time.strftime('export_%Y_%m_%d_%H_%M_%S')
         dn = DN(('cn', cn), ('cn', 'export'), ('cn', 'tasks'), ('cn', 'config'))
 
@@ -434,7 +431,6 @@ def db2bak(self, instance, online=True):
         If executed online create a task and wait for it to complete.
         '''
         self.log.info('Backing up %s' % instance)
-        now = time.localtime()
         cn = time.strftime('backup_%Y_%m_%d_%H_%M_%S')
         dn = DN(('cn', cn), ('cn', 'backup'), ('cn', 'tasks'), ('cn', 'config'))
 
@@ -591,7 +587,6 @@ def finalize_backup(self, data_only=False, encrypt=False, keyring=None):
         os.mkdir(backup_dir)
         os.chmod(backup_dir, 0o700)
 
-        cwd = os.getcwd()
         os.chdir(self.dir)
         args = ['tar',
                 '--xattrs',
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index e691f41..859c254 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -31,8 +31,6 @@
 from ipalib import api, errors, x509, certstore
 from ipaserver.install import certs, cainstance, installutils
 
-# pylint: disable=unused-variable
-
 
 class CACertManage(admintool.AdminTool):
     command_name = 'ipa-cacert-manage'
@@ -87,7 +85,6 @@ def validate_options(self):
             parser.error("command not provided")
 
         command = self.command = self.args[0]
-        options = self.options
 
         if command == 'renew':
             pass
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index e58f9b6..d7ab813 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -43,8 +43,6 @@
 from ipaplatform.paths import paths
 from ipalib.constants import CACERT, DOMAIN_LEVEL_0
 
-# pylint: disable=unused-variable
-
 UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
 Replica creation using '{command_name}' to generate replica file
 is supported only in {domain_level}-level IPA domain.
@@ -215,7 +213,6 @@ def ask_for_options(self):
                     "Directory Manager password required")
 
         # Try out the password & get the subject base
-        suffix = ipautil.realm_to_suffix(api.env.realm)
         try:
             conn = api.Backend.ldap2
             conn.connect(bind_dn=DN(('cn', 'directory manager')),
@@ -254,7 +251,6 @@ def ask_for_options(self):
         try:
             installutils.verify_fqdn(self.replica_fqdn, local_hostname=False)
         except installutils.BadHostError as e:
-            msg = str(e)
             if isinstance(e, installutils.HostLookupError):
                 if not options.ip_addresses:
                     if dns_container_exists(
@@ -292,7 +288,7 @@ def ask_for_options(self):
                 options.ip_addresses, options.reverse_zones, options, False,
                 True)
 
-            host, zone = self.replica_fqdn.split('.', 1)
+            _host, zone = self.replica_fqdn.split('.', 1)
             if not bindinstance.dns_zone_exists(zone, api=api):
                 self.log.error("DNS zone %s does not exist in IPA managed DNS "
                                "server. Either create DNS zone or omit "
@@ -340,7 +336,7 @@ def ask_for_options(self):
                 if options.pkinit_pin is None:
                     raise admintool.ScriptError(
                         "Kerberos KDC private key unlock password required")
-            pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = self.load_pkcs12(
+            pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = self.load_pkcs12(
                 options.pkinit_cert_files, options.pkinit_pin,
                 options.pkinit_cert_name)
             self.pkinit_pkcs12_file = pkinit_pkcs12_file
@@ -537,10 +533,10 @@ def check_dns(self, replica_fqdn):
                       dns.resolver.Timeout, dns.resolver.NoNameservers)
 
         try:
-            dns_answer = resolver.query(replica_fqdn, 'A', 'IN')
+            resolver.query(replica_fqdn, 'A', 'IN')
         except exceptions:
             try:
-                dns_answer = resolver.query(replica_fqdn, 'AAAA', 'IN')
+                resolver.query(replica_fqdn, 'AAAA', 'IN')
             except exceptions:
                 return False
         except Exception as e:
@@ -550,8 +546,6 @@ def check_dns(self, replica_fqdn):
         return True
 
     def wait_for_dns(self):
-        options = self.options
-
         # Make sure replica_fqdn has a trailing dot, so the
         # 'search' directive in /etc/resolv.conf doesn't apply
         replica_fqdn = self.replica_fqdn
@@ -601,7 +595,6 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
         :param passwd_fname: File that holds the cert DB password
         :param is_kdc: True if we're exporting KDC certs
         """
-        options = self.options
         hostname = self.replica_fqdn
         subject_base = self.subject_base
 
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 9cafa68..64ab9e4 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -51,8 +51,6 @@
 except ImportError:
     adtrustinstance = None
 
-# pylint: disable=unused-variable
-
 def recursive_chown(path, uid, gid):
     '''
     Change ownership of all files and directories in a path.
@@ -523,7 +521,6 @@ def ldif2db(self, instance, backend, online=True):
         '''
         self.log.info('Restoring from %s in %s' % (backend, instance))
 
-        now = time.localtime()
         cn = time.strftime('import_%Y_%m_%d_%H_%M_%S')
         dn = DN(('cn', cn), ('cn', 'import'), ('cn', 'tasks'), ('cn', 'config'))
 
@@ -746,7 +743,6 @@ def extract_backup(self, keyring=None):
             self.log.info('Decrypting %s' % filename)
             filename = decrypt_file(self.dir, filename, keyring)
 
-        cwd = os.getcwd()
         os.chdir(self.dir)
 
         args = ['tar',
diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index cf89366..d0653c9 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -29,8 +29,6 @@
 from ipapython.ipautil import realm_to_suffix, posixify
 from ipaserver.install import replication, installutils
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -175,7 +173,7 @@ def create_id_user_override(self, entry):
         }
 
         try:
-            result = api.Command['idoverrideuser_add'](
+            api.Command['idoverrideuser_add'](
                 DEFAULT_TRUST_VIEW_NAME,
                 user_identifier,
                 **kwargs
@@ -193,7 +191,7 @@ def find_winsync_users(self):
 
         user_filter = "(&(objectclass=ntuser)(ntUserDomainId=*))"
         user_base = DN(api.env.container_user, api.env.basedn)
-        entries, _ = self.ldap.find_entries(
+        entries, _truncated = self.ldap.find_entries(
             filter=user_filter,
             base_dn=user_base,
             paged_search=True)
@@ -262,8 +260,9 @@ def create_winsync_group(object_entry, suffix=0):
                                                         user_entry.dn)
 
         try:
-            objects, _ = self.ldap.find_entries(member_filter,
-                                                base_dn=object_container_dn)
+            objects, _truncated = self.ldap.find_entries(
+                member_filter,
+                base_dn=object_container_dn)
         except errors.EmptyResult:
             # If there's nothing to migrate, then let's get out of here
             return
diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 39ea196..28638a1 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -20,8 +20,6 @@
 from ipalib import errors, api
 from ipaserver.install import dnskeysyncinstance
 
-# pylint: disable=unused-variable
-
 KEYMASTER = u'dnssecKeyMaster'
 softhsm_slot = 0
 
@@ -126,9 +124,6 @@ def create_instance(self, fqdn, realm_name, generate_master_key=True,
         self.start_creation()
 
     def __check_dnssec_status(self):
-        named = services.knownservices.named
-        ods_enforcerd = services.knownservices.ods_enforcerd
-
         try:
             self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
         except KeyError:
@@ -289,7 +284,6 @@ def __setup_dnssec(self):
             os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
 
             # regenerate zonelist.xml
-            ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
             result = ipautil.run(cmd,
                                  runas=constants.ODS_USER,
@@ -307,7 +301,6 @@ def __setup_dnssec(self):
                 'setup'
             ]
 
-            ods_enforcerd = services.knownservices.ods_enforcerd
             ipautil.run(command, stdin="y", runas=constants.ODS_USER)
 
     def __setup_dnskeysyncd(self):
@@ -353,7 +346,6 @@ def uninstall(self):
         if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
 
             # force to export data
-            ods_enforcerd = services.knownservices.ods_enforcerd
             cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
             try:
                 self.print_msg("Exporting DNSSEC data before uninstallation")
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
index 96da85f..5db00c7 100644
--- a/ipaserver/install/plugins/rename_managed.py
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -24,8 +24,6 @@
 from ipapython import ipautil
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 register = Registry()
 
 if six.PY3:
@@ -80,16 +78,15 @@ def generate_update(self, deletes=False):
         old_definition_container = DN(('cn', 'managed entries'), ('cn', 'plugins'), ('cn', 'config'), suffix)
         new_definition_container = DN(('cn', 'Definitions'), ('cn', 'Managed Entries'), ('cn', 'etc'), suffix)
 
-        definitions_dn = DN(('cn', 'Definitions'))
         update_list = []
         restart = False
 
         # If the old entries don't exist the server has already been updated.
         try:
-            definitions_managed_entries, truncated = ldap.find_entries(
+            definitions_managed_entries, _truncated = ldap.find_entries(
                 searchfilter, ['*'], old_definition_container,
                 ldap.SCOPE_ONELEVEL)
-        except errors.NotFound as e:
+        except errors.NotFound:
             return (False, update_list)
 
         for entry in definitions_managed_entries:
@@ -99,7 +96,7 @@ def generate_update(self, deletes=False):
                 assert isinstance(old_dn, DN)
                 try:
                     entry = ldap.get_entry(old_dn, ['*'])
-                except errors.NotFound as e:
+                except errors.NotFound:
                     pass
                 else:
                     # Compute the new dn by replacing the old container with the new container
@@ -164,7 +161,7 @@ class update_managed_post_first(Updater, GenerateUpdateMixin):
 
     def execute(self, **options):
         # Never need to restart with the pre-update changes
-        (ignore, update_list) = self.generate_update(False)
+        _ignore, update_list = self.generate_update(False)
 
         return False, update_list
 
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index e9fa796..fcd0b32 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -38,8 +38,6 @@
 from ipaplatform import services
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -708,7 +706,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
             mod = [(ldap.MOD_ADD, 'nsDS5ReplicatedAttributeListTotal',
                    '(objectclass=*) $ EXCLUDE %s' % " ".join(TOTAL_EXCLUDES))]
             a_conn.modify_s(dn, mod)
-        except ldap.LDAPError as e:
+        except ldap.LDAPError:
             # Apparently there are problems set the total list
             # Probably the master is an old 389-ds server, tell the caller
             # that we will have to set the memberof fixup task
@@ -763,15 +761,15 @@ def get_replica_principal_dns(self, a, b, retries):
                 root_logger.debug('Unable to find entry for %s on %s'
                     % (filter_a, str(b)))
                 self.force_sync(a, b.host)
-                cn, dn = self.agreement_dn(b.host)
-                haserror, error_message = self.wait_for_repl_update(a, dn, 60)
+                _cn, dn = self.agreement_dn(b.host)
+                _haserror, error_message = self.wait_for_repl_update(a, dn, 60)
 
             if not b_entry:
                 root_logger.debug('Unable to find entry for %s on %s'
                     % (filter_b, str(a)))
                 self.force_sync(b, a.host)
-                cn, dn = self.agreement_dn(a.host)
-                haserror, error_message = self.wait_for_repl_update(b, dn, 60)
+                _cn, dn = self.agreement_dn(a.host)
+                _haserror, error_message = self.wait_for_repl_update(b, dn, 60)
 
             retries -= 1
 
@@ -834,10 +832,10 @@ def gssapi_update_agreements(self, a, b):
                (ldap.MOD_DELETE, "nsds5replicabinddn", None),
                (ldap.MOD_DELETE, "nsds5replicacredentials", None)]
 
-        cn, a_ag_dn = self.agreement_dn(b.host)
+        _cn, a_ag_dn = self.agreement_dn(b.host)
         a.modify_s(a_ag_dn, mod)
 
-        cn, b_ag_dn = self.agreement_dn(a.host)
+        _cn, b_ag_dn = self.agreement_dn(a.host)
         b.modify_s(b_ag_dn, mod)
 
         # Finally remove the temporary replication manager user
@@ -863,7 +861,7 @@ def delete_agreement(self, hostname, dn=None):
         better to pass the DN in directly.
         """
         if dn is None:
-            cn, dn = self.agreement_dn(hostname)
+            _cn, dn = self.agreement_dn(hostname)
         return self.conn.delete_entry(dn)
 
     def delete_referral(self, hostname):
@@ -984,7 +982,7 @@ def start_replication(self, conn, hostname=None, master=None):
         print("Starting replication, please wait until this has completed.")
         if hostname == None:
             hostname = self.conn.host
-        cn, dn = self.agreement_dn(hostname, master)
+        _cn, dn = self.agreement_dn(hostname, master)
 
         mod = [(ldap.MOD_ADD, 'nsds5BeginReplicaRefresh', 'start')]
         conn.modify_s(dn, mod)
@@ -1091,7 +1089,7 @@ def setup_winsync_replication(self,
                              repl_man_dn=ad_binddn, repl_man_passwd=ad_pwd,
                              iswinsync=True, win_subtree=ad_subtree)
         root_logger.info("Added new sync agreement, waiting for it to become ready . . .")
-        cn, dn = self.agreement_dn(ad_dc_name)
+        _cn, dn = self.agreement_dn(ad_dc_name)
         self.wait_for_repl_update(self.conn, dn, 300)
         root_logger.info("Agreement is ready, starting replication . . .")
 
@@ -1125,12 +1123,12 @@ def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
         # have all principals and their passwords and can release
         # the right tickets. We do this by force pushing all our changes
         self.force_sync(self.conn, r_hostname)
-        cn, dn = self.agreement_dn(r_hostname)
+        _cn, dn = self.agreement_dn(r_hostname)
         self.wait_for_repl_update(self.conn, dn, 300)
 
         # now in the opposite direction
         self.force_sync(r_conn, self.hostname)
-        cn, dn = self.agreement_dn(self.hostname)
+        _cn, dn = self.agreement_dn(self.hostname)
         self.wait_for_repl_update(r_conn, dn, 300)
 
         # now that directories are in sync,
@@ -1698,7 +1696,7 @@ def delete_referral(self, hostname, port):
 
     def has_ipaca(self):
         try:
-            entry = self.conn.get_entry(self.db_suffix)
+            self.conn.get_entry(self.db_suffix)
         except errors.NotFound:
             return False
         else:
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 0bc9691..22328ef 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -59,8 +59,6 @@
 
 from .common import BaseServer, BaseServerCA
 
-# pylint: disable=unused-variable
-
 SYSRESTORE_DIR_PATH = paths.SYSRESTORE
 
 
@@ -531,7 +529,7 @@ def install_check(installer):
             if options.pkinit_pin is None:
                 raise ScriptError(
                     "Kerberos KDC private key unlock password required")
-        pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+        pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = load_pkcs12(
             cert_files=options.pkinit_cert_files,
             key_password=options.pkinit_pin,
             key_nickname=options.pkinit_cert_name,
@@ -687,14 +685,9 @@ def install(installer):
     options = installer
     fstore = installer._fstore
     sstore = installer._sstore
-    dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file
-    http_pkcs12_file = installer._http_pkcs12_file
-    pkinit_pkcs12_file = installer._pkinit_pkcs12_file
     dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
     http_pkcs12_info = installer._http_pkcs12_info
     pkinit_pkcs12_info = installer._pkinit_pkcs12_info
-    external_cert_file = installer._external_cert_file
-    external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
     realm_name = options.realm_name
@@ -705,7 +698,6 @@ def install(installer):
     host_name = options.host_name
     ip_addresses = options.ip_addresses
     setup_ca = options.setup_ca
-    setup_kra = options.setup_kra
 
     # Installation has started. No IPA sysrestore items are restored in case of
     # failure to enable root cause investigation
@@ -1062,7 +1054,7 @@ def uninstall(installer):
     print("Shutting down all IPA services")
     try:
         run([paths.IPACTL, "stop"], raiseonerr=False)
-    except Exception as e:
+    except Exception:
         pass
 
     ntpinstance.NTPInstance(fstore).uninstall()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 27e9f57..7effda7 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -47,8 +47,6 @@
 
 from .common import BaseServer
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -691,9 +689,9 @@ def install_check(installer):
 
         # Check pre-existing host entry
         try:
-            entry = conn.find_entries(u'fqdn=%s' % config.host_name,
-                                      ['fqdn'], DN(api.env.container_host,
-                                                   api.env.basedn))
+            conn.find_entries(
+                u'fqdn=%s' % config.host_name, ['fqdn'],
+                DN(api.env.container_host, api.env.basedn))
         except errors.NotFound:
             pass
         else:
@@ -920,8 +918,6 @@ def install(installer):
 
 
 def ensure_enrolled(installer):
-    config = installer._config
-
     # Call client install script
     service.print_msg("Configuring client side components")
     try:
@@ -1100,7 +1096,7 @@ def promote_check(installer):
             if options.pkinit_pin is None:
                 raise ScriptError(
                     "Kerberos KDC private key unlock password required")
-        pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
+        pkinit_pkcs12_file, pkinit_pin, _pkinit_ca_cert = load_pkcs12(
             cert_files=options.pkinit_cert_files,
             key_password=options.pkinit_pin,
             key_nickname=options.pkinit_cert_name,
@@ -1201,8 +1197,8 @@ def promote_check(installer):
 
         # Check that we don't already have a replication agreement
         try:
-            (acn, adn) = replman.agreement_dn(config.host_name)
-            entry = conn.get_entry(adn, ['*'])
+            _acn, adn = replman.agreement_dn(config.host_name)
+            conn.get_entry(adn, ['*'])
         except errors.NotFound:
             pass
         else:
@@ -1235,7 +1231,7 @@ def promote_check(installer):
         dn = DN(('cn', 'replication managers'), ('cn', 'sysaccounts'),
                 ('cn', 'etc'), ipautil.realm_to_suffix(config.realm_name))
         try:
-            entry = conn.get_entry(dn)
+            conn.get_entry(dn)
         except errors.NotFound:
             msg = ("The Replication Managers group is not available in "
                    "the domain. Replica promotion requires the use of "
@@ -1374,12 +1370,8 @@ def promote(installer):
     fstore = installer._fstore
     sstore = installer._sstore
     config = installer._config
-    dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file
     dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info
-    http_pkcs12_file = installer._http_pkcs12_file
     http_pkcs12_info = installer._http_pkcs12_info
-    pkinit_pkcs12_file = installer._pkinit_pkcs12_file
-    pkinit_pkcs12_info = installer._pkinit_pkcs12_info
 
     ccache = os.environ['KRB5CCNAME']
     remote_api = installer._remote_api
@@ -1491,14 +1483,16 @@ def promote(installer):
         cainstance.export_kra_agent_pem()
         CA.fix_ra_perms()
 
-    krb = install_krb(config,
-                      setup_pkinit=not options.no_pkinit,
-                      promote=True)
+    install_krb(
+        config,
+        setup_pkinit=not options.no_pkinit,
+        promote=True)
 
-    http = install_http(config,
-                        auto_redirect=not options.no_ui_redirect,
-                        promote=True, pkcs12_info=http_pkcs12_info,
-                        ca_is_configured=installer._ca_enabled)
+    install_http(
+        config,
+        auto_redirect=not options.no_ui_redirect,
+        promote=True, pkcs12_info=http_pkcs12_info,
+        ca_is_configured=installer._ca_enabled)
 
     # Apply any LDAP updates. Needs to be done after the replica is synced-up
     service.print_msg("Applying LDAP updates")
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2893a29..4426b7f 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -49,8 +49,6 @@
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -68,7 +66,6 @@ def uninstall_ipa_kpasswd():
     """
     ipa_kpasswd = KpasswdInstance()
 
-    running = ipa_kpasswd.restore_state("running")
     enabled = not ipa_kpasswd.restore_state("enabled")
 
     if enabled is not None and not enabled:
@@ -81,7 +78,6 @@ def backup_file(filename, ext):
         raise ValueError("Absolute path required")
 
     backupfile = filename + ".bak"
-    (reldir, file) = os.path.split(filename)
 
     while os.path.exists(backupfile):
         backupfile = backupfile + "." + str(ext)
@@ -209,7 +205,6 @@ def update_dbmodules(realm, filename=paths.KRB5_CONF):
     prefix = ''
 
     root_logger.info('[Verifying that KDC configuration is using ipa-kdb backend]')
-    st = os.stat(filename)
     fd = open(filename)
 
     lines = fd.readlines()
diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 2ecbfb6..dbbef4d 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -30,8 +30,6 @@
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
 
-# pylint: disable=unused-variable
-
 DSE = 'dse.ldif'
 
 
@@ -79,7 +77,7 @@ def __init__(self, realm_name, files=[], schema_files=[]):
 
         ext = ''
         rand = random.Random()
-        for i in range(8):
+        for _i in range(8):
             h = "%02x" % rand.randint(0,255)
             ext += h
         service.Service.__init__(self, "dirsrv")

From 7e8edb08d584aee63b312f1945f6434fb92d6e4f Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 4 Oct 2016 20:02:32 +0200
Subject: [PATCH 2/2] Pylint: remove unused variables in ipaserver package

---
 ipaserver/dcerpc.py             | 43 +++++++++++------------------------------
 ipaserver/plugins/aci.py        | 10 ++++------
 ipaserver/plugins/baseldap.py   | 12 +++++-------
 ipaserver/plugins/cert.py       | 10 ++++------
 ipaserver/plugins/dns.py        | 17 ++++++++--------
 ipaserver/plugins/dogtag.py     | 27 +++++++++++++-------------
 ipaserver/plugins/idrange.py    |  6 ++----
 ipaserver/plugins/idviews.py    |  8 +++-----
 ipaserver/plugins/migration.py  |  9 +++------
 ipaserver/plugins/permission.py |  5 +----
 ipaserver/plugins/stageuser.py  | 10 ++++------
 ipaserver/plugins/trust.py      | 34 +++++++++++++++-----------------
 ipaserver/plugins/user.py       |  6 ++----
 ipaserver/rpcserver.py          |  5 +----
 14 files changed, 78 insertions(+), 124 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index fd4e6d3..bd1d8c1 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -63,8 +63,6 @@
 from ldap.filter import escape_filter_chars
 from time import sleep
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
     long = int
@@ -220,7 +218,7 @@ def is_configured(self):
             self.sid = entry_attrs[self.ATTR_SID][0]
             self.dn = entry_attrs.dn
             self.domain = self.api.env.domain
-        except errors.NotFound as e:
+        except errors.NotFound:
             return False
         return True
 
@@ -236,7 +234,7 @@ def get_trusted_domains(self):
             search_kw = {'objectClass': 'ipaNTTrustedDomain'}
             filter = self.ldap.make_filter(search_kw,
                                            rules=self.ldap.MATCH_ALL)
-            (entries, truncated) = self.ldap.find_entries(
+            entries, _truncated = self.ldap.find_entries(
                 filter=filter,
                 base_dn=cn_trust,
                 attrs_list=[self.ATTR_TRUSTED_SID,
@@ -438,7 +436,7 @@ def get_trusted_domain_object_sid(self, object_name,
         try:
             test_sid = security.dom_sid(sid)
             return unicode(test_sid)
-        except TypeError as e:
+        except TypeError:
             raise errors.ValidationError(name=_('trusted domain object'),
                                          error=_('Trusted domain did not '
                                                  'return a valid SID for '
@@ -756,7 +754,7 @@ def __search_in_dc(self, info, host, port, filter, attrs, scope,
 
         if self._admin_creds:
             (ccache_name,
-             principal) = self.kinit_as_administrator(info['dns_domain'])
+             _principal) = self.kinit_as_administrator(info['dns_domain'])
 
         if ccache_name:
             with ipautil.private_ccache(path=ccache_name):
@@ -909,9 +907,9 @@ def init_lsa_pipe(self, remote_host):
                 self._pipe = self.__gen_lsa_connection(binding)
                 if self._pipe and self._pipe.session_key:
                     break
-            except errors.ACIError as e:
+            except errors.ACIError:
                 attempts = attempts + 1
-            except RuntimeError as e:
+            except RuntimeError:
                 # When session key is not available, we just skip this binding
                 session_attempts = session_attempts + 1
 
@@ -976,7 +974,7 @@ def retrieve_anonymously(self, remote_host,
         conn.set_option(_ldap.OPT_SERVER_CONTROLS, [ExtendedDNControl()])
         search_result = None
         try:
-            (objtype, res) = conn.search_s('', _ldap.SCOPE_BASE)[0]
+            _objtype, res = conn.search_s('', _ldap.SCOPE_BASE)[0]
             search_result = res['defaultNamingContext'][0]
             self.info['dns_hostname'] = res['dnsHostName'][0]
         except _ldap.LDAPError as e:
@@ -1426,25 +1424,6 @@ def retrieve_netlogon_info_2(logon_server, domain, function_code, data):
 
 
 def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
-    trust_flags = dict(
-                NETR_TRUST_FLAG_IN_FOREST=0x00000001,
-                NETR_TRUST_FLAG_OUTBOUND=0x00000002,
-                NETR_TRUST_FLAG_TREEROOT=0x00000004,
-                NETR_TRUST_FLAG_PRIMARY=0x00000008,
-                NETR_TRUST_FLAG_NATIVE=0x00000010,
-                NETR_TRUST_FLAG_INBOUND=0x00000020,
-                NETR_TRUST_FLAG_MIT_KRB5=0x00000080,
-                NETR_TRUST_FLAG_AES=0x00000100)
-
-    trust_attributes = dict(
-                NETR_TRUST_ATTRIBUTE_NON_TRANSITIVE=0x00000001,
-                NETR_TRUST_ATTRIBUTE_UPLEVEL_ONLY=0x00000002,
-                NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN=0x00000004,
-                NETR_TRUST_ATTRIBUTE_FOREST_TRANSITIVE=0x00000008,
-                NETR_TRUST_ATTRIBUTE_CROSS_ORGANIZATION=0x00000010,
-                NETR_TRUST_ATTRIBUTE_WITHIN_FOREST=0x00000020,
-                NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL=0x00000040)
-
     def communicate(td):
         td.init_lsa_pipe(td.info['dc'])
         netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
@@ -1492,12 +1471,12 @@ def communicate(td):
         # or as passed-in user in case of a one-way trust
         domval = DomainValidator(api)
         ccache_name = None
-        principal = None
         if creds:
             domval._admin_creds = creds
-            (ccache_name, principal) = domval.kinit_as_administrator(trustdomain)
+            ccache_name, _principal = domval.kinit_as_administrator(
+                trustdomain)
         else:
-            (ccache_name, principal) = domval.kinit_as_http(trustdomain)
+            ccache_name, _principal = domval.kinit_as_http(trustdomain)
         td.creds = credentials.Credentials()
         td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
         if ccache_name:
@@ -1683,7 +1662,7 @@ def join_ad_full_credentials(self, realm, realm_server, realm_admin,
                 self.remote_domain.establish_trust(self.local_domain,
                                                    trustdom_pass,
                                                    trust_type, trust_external)
-            except TrustTopologyConflictSolved as e:
+            except TrustTopologyConflictSolved:
                 # we solved topology conflict, retry again
                 self.remote_domain.establish_trust(self.local_domain,
                                                    trustdom_pass,
diff --git a/ipaserver/plugins/aci.py b/ipaserver/plugins/aci.py
index 840652b..6d84707 100644
--- a/ipaserver/plugins/aci.py
+++ b/ipaserver/plugins/aci.py
@@ -132,8 +132,6 @@
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -293,7 +291,7 @@ def _make_aci(ldap, current, aciname, kw):
             if kw['filter'] in ('', None, u''):
                 raise errors.BadSearchFilter(info=_('empty filter'))
             try:
-                entries = ldap.find_entries(filter=kw['filter'])
+                ldap.find_entries(filter=kw['filter'])
             except errors.NotFound:
                 pass
             a.set_target_filter(kw['filter'])
@@ -334,7 +332,7 @@ def _aci_to_kw(ldap, a, test=False, pkey_only=False):
     if 'targetfilter' in a.target:
         target = a.target['targetfilter']['expression']
         if target.startswith('(memberOf=') or target.startswith('memberOf='):
-            (junk, memberof) = target.split('memberOf=', 1)
+            _junk, memberof = target.split('memberOf=', 1)
             memberof = DN(memberof)
             kw['memberof'] = memberof['cn']
         else:
@@ -394,7 +392,7 @@ def _convert_strings_to_acis(acistrs):
     for a in acistrs:
         try:
             acis.append(ACI(a))
-        except SyntaxError as e:
+        except SyntaxError:
             root_logger.warning("Failed to parse: %s" % a)
     return acis
 
@@ -946,7 +944,7 @@ def execute(self, aciname, **kw):
         aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
 
         for a in acis:
-            prefix, name = _parse_aci_name(a.name)
+            prefix, _name = _parse_aci_name(a.name)
             if _make_aci_name(prefix, kw['newname']) == a.name:
                 raise errors.DuplicateEntry()
 
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index fe47cbe..5770641 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -39,8 +39,6 @@
 from ipapython.dn import DN
 from ipapython.version import API_VERSION
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -745,7 +743,7 @@ def get_password_attributes(self, ldap, dn, entry_attrs):
         for (pwattr, attr) in self.password_attributes:
             search_filter = '(%s=*)' % pwattr
             try:
-                (entries, truncated) = ldap.find_entries(
+                ldap.find_entries(
                     search_filter, [pwattr], dn, ldap.SCOPE_BASE
                 )
                 entry_attrs[attr] = True
@@ -800,10 +798,10 @@ def __json__(self):
         attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
         attrlist = []
         # Go through the MUST first
-        for (oid, attr) in attrs[0].items():
+        for attr in attrs[0].values():
             attrlist.append(attr.names[0].lower())
         # And now the MAY
-        for (oid, attr) in attrs[1].items():
+        for attr in attrs[1].values():
             attrlist.append(attr.names[0].lower())
         json_dict['aciattrs'] = attrlist
         attrlist.sort()
@@ -846,7 +844,7 @@ def _check_limit_object_class(attributes, attrs, allow_only):
         return
     limitattrs = deepcopy(attrs)
     # Go through the MUST first
-    for (oid, attr) in attributes[0].items():
+    for attr in attributes[0].values():
         if attr.names[0].lower() in limitattrs:
             if not allow_only:
                 raise errors.ObjectclassViolation(
@@ -854,7 +852,7 @@ def _check_limit_object_class(attributes, attrs, allow_only):
                         attribute=attr.names[0].lower()))
             limitattrs.remove(attr.names[0].lower())
     # And now the MAY
-    for (oid, attr) in attributes[1].items():
+    for attr in attributes[1].values():
         if attr.names[0].lower() in limitattrs:
             if not allow_only:
                 raise errors.ObjectclassViolation(
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index f9c5d73..e65cf1f 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -53,8 +53,6 @@
 from ipapython.ipa_log_manager import root_logger
 from ipaserver.plugins.service import normalize_principal, validate_realm
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -175,7 +173,7 @@ def validate_csr(ugettext, csr):
         if csr and os.path.exists(csr):
             return
     try:
-        request = pkcs10.load_certificate_request(csr)
+        pkcs10.load_certificate_request(csr)
     except (TypeError, binascii.Error) as e:
         raise errors.Base64DecodeError(reason=str(e))
     except Exception as e:
@@ -415,11 +413,11 @@ def _parse(self, obj, full=True):
             except KeyError:
                 general_names = []
 
-            for name_type, desc, name, der_name in general_names:
+            for name_type, _desc, name, der_name in general_names:
                 try:
                     self._add_san_attribute(
                         obj, full, name_type, name, der_name)
-                except Exception as e:
+                except Exception:
                     # Invalid GeneralName (i.e. not a valid X.509 cert);
                     # don't fail but log something about it
                     root_logger.warning(
@@ -687,7 +685,7 @@ def execute(self, csr, all=False, raw=False, **kw):
                 "to the 'userCertificate' attribute of entry '%s'.") % dn)
 
         # Validate the subject alt name, if any
-        for name_type, desc, name, der_name in subjectaltname:
+        for name_type, desc, name, _der_name in subjectaltname:
             if name_type == nss.certDNSName:
                 name = unicode(name)
                 alt_principal = None
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
index e1c4e24..02fdbdf 100644
--- a/ipaserver/plugins/dns.py
+++ b/ipaserver/plugins/dns.py
@@ -85,8 +85,6 @@
     IPADomainIsNotManagedByIPAError,
 )
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -392,7 +390,7 @@ def _validate_ip6addr(ugettext, ipaddr):
 
 def _validate_ipnet(ugettext, ipnet):
     try:
-        net = netaddr.IPNetwork(ipnet)
+        netaddr.IPNetwork(ipnet)
     except (netaddr.AddrFormatError, ValueError, UnboundLocalError):
         return _('invalid IP network format')
     return None
@@ -1911,8 +1909,9 @@ def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
     """
     Adds warning message to result, if required
     """
-    authoritative_zone, truncated = \
-        _get_zone_which_makes_fw_zone_ineffective(api, fwzone)
+    (
+        authoritative_zone, _truncated
+    ) = _get_zone_which_makes_fw_zone_ineffective(api, fwzone)
     if authoritative_zone:
         # forward zone is not effective and forwarding will not work
         messages.add_message(
@@ -2639,7 +2638,7 @@ def _warning_fw_zone_is_not_effective(self, result, *keys, **options):
         not effective
         """
         zone = keys[-1]
-        affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+        affected_fw_zones, _truncated = _find_subtree_forward_zones_ldap(
             self.api, zone, child_zones_only=True)
         if not affected_fw_zones:
             return
@@ -2863,8 +2862,8 @@ class dnszone_find(DNSZoneBase_find):
     def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
         assert isinstance(base_dn, DN)
 
-        filter, base, dn = super(dnszone_find, self).pre_callback(ldap, filter,
-            attrs_list, base_dn, scope, *args, **options)
+        filter, _base, _scope = super(dnszone_find, self).pre_callback(
+            ldap, filter, attrs_list, base_dn, scope, *args, **options)
 
         if options.get('forward_only', False):
             search_kw = {}
@@ -3446,7 +3445,7 @@ def warning_if_ns_change_cause_fwzone_ineffective(self, result, *keys,
         if not record_name_absolute.is_absolute():
             record_name_absolute = record_name_absolute.derelativize(zone)
 
-        affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+        affected_fw_zones, _truncated = _find_subtree_forward_zones_ldap(
             self.api, record_name_absolute)
         if not affected_fw_zones:
             return
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index d7f8673..0bdb4da 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -259,8 +259,6 @@
     import pki.crypto as cryptoutil
     from pki.kra import KRAClient
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -1162,7 +1160,7 @@ def host_has_service(host, ldap2, service='CA'):
         }
     query_filter = ldap2.make_filter(filter_attrs, rules='&')
     try:
-        ent, trunc = ldap2.find_entries(filter=query_filter, base_dn=base_dn)
+        ent, _trunc = ldap2.find_entries(filter=query_filter, base_dn=base_dn)
         if len(ent):
             return True
     except Exception:
@@ -1186,7 +1184,7 @@ def select_any_master(ldap2, service='CA'):
          'ipaConfigString': 'enabledService',}
     query_filter = ldap2.make_filter(filter_attrs, rules='&')
     try:
-        ent, trunc = ldap2.find_entries(filter=query_filter, base_dn=base_dn)
+        ent, _trunc = ldap2.find_entries(filter=query_filter, base_dn=base_dn)
         if len(ent):
             entry = random.choice(ent)
             return entry.dn[1].value
@@ -1285,7 +1283,7 @@ def __enter__(self):
         """Log into the REST API"""
         if self.cookie is not None:
             return
-        status, resp_headers, resp_body = dogtag.https_request(
+        status, resp_headers, _resp_body = dogtag.https_request(
             self.ca_host, self.override_port or self.env.ca_agent_port,
             '/ca/rest/account/login',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
@@ -1485,11 +1483,12 @@ def check_request_status(self, request_id):
         self.debug('%s.check_request_status()', type(self).__name__)
 
         # Call CMS
-        http_status, http_headers, http_body = \
+        http_status, _http_headers, http_body = (
             self._request('/ca/ee/ca/checkRequest',
                           self.env.ca_port,
                           requestId=request_id,
                           xml='true')
+        )
 
         # Parse and handle errors
         if http_status != 200:
@@ -1570,11 +1569,12 @@ def get_certificate(self, serial_number=None):
         serial_number = int(serial_number, 0)
 
         # Call CMS
-        http_status, http_headers, http_body = \
+        http_status, _http_headers, http_body = (
             self._sslget('/ca/agent/ca/displayBySerial',
                          self.env.ca_agent_port,
                          serialNumber=str(serial_number),
                          xml='true')
+        )
 
 
         # Parse and handle errors
@@ -1654,7 +1654,7 @@ def request_certificate(
         if ca_id:
             path += '?issuer-id={}'.format(ca_id)
 
-        http_status, http_headers, http_body = self._ssldo(
+        _http_status, _http_headers, http_body = self._ssldo(
             'POST', path,
             headers={
                 'Content-Type': 'application/xml',
@@ -1728,7 +1728,7 @@ def revoke_certificate(self, serial_number, revocation_reason=0):
         serial_number = int(serial_number, 0)
 
         # Call CMS
-        http_status, http_headers, http_body = \
+        http_status, _http_headers, http_body = \
             self._sslget('/ca/agent/ca/doRevoke',
                          self.env.ca_agent_port,
                          op='revoke',
@@ -1788,11 +1788,12 @@ def take_certificate_off_hold(self, serial_number):
         serial_number = int(serial_number, 0)
 
         # Call CMS
-        http_status, http_headers, http_body = \
+        http_status, _http_headers, http_body = (
             self._sslget('/ca/agent/ca/doUnrevoke',
                          self.env.ca_agent_port,
                          serialNumber=str(serial_number),
                          xml='true')
+        )
 
         # Parse and handle errors
         if http_status != 200:
@@ -2050,7 +2051,7 @@ def read_profile(self, profile_id):
         """
         Read the profile configuration from Dogtag
         """
-        status, resp_headers, resp_body = self._ssldo(
+        _status, _resp_headers, resp_body = self._ssldo(
             'GET', profile_id + '/raw')
         return resp_body
 
@@ -2103,7 +2104,7 @@ def create_ca(self, dn):
         """
 
         assert isinstance(dn, DN)
-        status, resp_headers, resp_body = self._ssldo(
+        _status, _resp_headers, resp_body = self._ssldo(
             'POST', None,
             headers={
                 'Content-type': 'application/json',
@@ -2117,7 +2118,7 @@ def create_ca(self, dn):
             raise errors.RemoteRetrieveError(reason=_("Response from CA was not valid JSON"))
 
     def read_ca(self, ca_id):
-        status, resp_headers, resp_body = self._ssldo(
+        _status, _resp_headers, resp_body = self._ssldo(
             'GET', ca_id, headers={'Accept': 'application/json'})
         try:
             return json.loads(resp_body)
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index ba0a677..c94e677 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -26,8 +26,6 @@
 from ipalib import errors
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -312,7 +310,7 @@ def check_ids_in_modified_range(self, old_base, old_size, new_base,
                         "&")
 
         try:
-            (objects, truncated) = ldap.find_entries(filter=id_filter,
+            ldap.find_entries(filter=id_filter,
                     attrs_list=['uid', 'cn'],
                     base_dn=DN(api.env.container_accounts, api.env.basedn))
         except errors.NotFound:
@@ -555,7 +553,7 @@ def pre_callback(self, ldap, dn, *keys, **options):
                            '(ipanttrusteddomainsid=%s))' % range_sid)
 
             try:
-                (trust_domains, truncated) = ldap.find_entries(
+                trust_domains, _truncated = ldap.find_entries(
                     base_dn=DN(api.env.container_trusts, api.env.basedn),
                     filter=domain_filter)
             except errors.NotFound:
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
index 36499e3..3ee2be4 100644
--- a/ipaserver/plugins/idviews.py
+++ b/ipaserver/plugins/idviews.py
@@ -40,8 +40,6 @@
 
 from ipapython.dn import DN
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -201,7 +199,7 @@ def show_id_overrides(self, dn, entry_attrs):
             attr_name = obj_type + 'overrides'
 
             try:
-                (overrides, truncated) = ldap.find_entries(
+                overrides, _truncated = ldap.find_entries(
                     filter="objectclass=%s" % objectclass,
                     attrs_list=['ipaanchoruuid'],
                     base_dn=dn,
@@ -236,7 +234,7 @@ def enumerate_hosts(self, dn, entry_attrs):
         }
 
         try:
-            (hosts, truncated) = ldap.find_entries(
+            hosts, _truncated = ldap.find_entries(
                 filter=ldap.make_filter(filter_params, rules=ldap.MATCH_ALL),
                 attrs_list=['cn'],
                 base_dn=api.env.container_host + api.env.basedn,
@@ -626,7 +624,7 @@ def remove_ipaobject_overrides(ldap, api, dn):
     override_filter = '(ipaanchoruuid=:IPA:{0}:{1})'.format(api.env.domain,
                                                             object_uuid)
     try:
-        entries, truncated = ldap.find_entries(
+        entries, _truncated = ldap.find_entries(
             override_filter,
             base_dn=DN(api.env.container_views, api.env.basedn),
             paged_search=True
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index b1fcdea..b61ef96 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -40,8 +40,6 @@
 import datetime
 from ipaplatform.paths import paths
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -186,7 +184,6 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs
     attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect']
     attr_blacklist.extend(kwargs.get('attr_blacklist', []))
     ds_ldap = ctx['ds_ldap']
-    has_upg = ctx['has_upg']
     search_bases = kwargs.get('search_bases', None)
     valid_gids = kwargs['valid_gids']
     invalid_gids = kwargs['invalid_gids']
@@ -318,8 +315,8 @@ def _update_default_group(ldap, ctx, force):
         s = datetime.datetime.now()
         searchfilter = "(&(objectclass=posixAccount)(!(memberof=%s)))" % group_dn
         try:
-            (result, truncated) = ldap.find_entries(searchfilter,
-                [''], DN(api.env.container_user, api.env.basedn),
+            result, _truncated = ldap.find_entries(
+                searchfilter, [''], DN(api.env.container_user, api.env.basedn),
                 scope=ldap.SCOPE_SUBTREE, time_limit=-1, size_limit=-1)
         except errors.NotFound:
             api.log.debug('All users have default group set')
@@ -915,7 +912,7 @@ def execute(self, ldapuri, bindpw, **options):
 
         if not ds_base_dn:
             # retrieve base DN from remote LDAP server
-            entries, truncated = ds_ldap.find_entries(
+            entries, _truncated = ds_ldap.find_entries(
                 '', ['namingcontexts', 'defaultnamingcontext'], DN(''),
                 ds_ldap.SCOPE_BASE, size_limit=-1, time_limit=0,
             )
diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 593198b..130c99c 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -33,8 +33,6 @@
 from ipapython.dn import DN
 from ipalib.request import context
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -490,7 +488,7 @@ def postprocess_result(self, entry, options):
         if options.get('raw'):
             # Retreive the ACI from LDAP to ensure we get the real thing
             try:
-                acientry, acistring = self._get_aci_entry_and_string(entry)
+                _acientry, acistring = self._get_aci_entry_and_string(entry)
             except errors.NotFound:
                 if list(entry.get('ipapermissiontype')) == ['SYSTEM']:
                     # SYSTEM permissions don't have normal ACIs
@@ -1317,7 +1315,6 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
                 root_entry = ldap.get_entry(DN(api.env.basedn), ['aci'])
             except errors.NotFound:
                 legacy_entries = ()
-                cached_root_entry = None
             self.log.debug('potential legacy entries: %s', len(legacy_entries))
             nonlegacy_names = {e.single_value['cn'] for e in entries}
             for entry in legacy_entries:
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index 5fbd313..1da43ec 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -50,8 +50,6 @@
 from ipapython.ipautil import ipa_generate_password, GEN_TMP_PWD_LEN
 from ipalib.capabilities import client_has_capability
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -385,7 +383,6 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
-        config = ldap.get_ipa_config()
 
         # Fetch the entry again to update memberof, mep data, etc updated
         # at the end of the transaction.
@@ -639,7 +636,9 @@ def __value_2_add(self, args, options, attr, value):
 
                 # Check that this value is a Active user
                 try:
-                    entry_attrs = self._exc_wrapper(args, options, ldap.get_entry)(value, ['dn'])
+                    self._exc_wrapper(args, options, ldap.get_entry)(
+                        value, ['dn']
+                    )
                     return value
                 except errors.NotFound:
                     return u''
@@ -667,10 +666,9 @@ def execute(self, *args, **options):
         # Check it does not exist an active entry with the same RDN
         active_dn = DN(staging_dn[0], api.env.container_user, api.env.basedn)
         try:
-            test_entry_attrs = self._exc_wrapper(args, options, ldap.get_entry)(
+            self._exc_wrapper(args, options, ldap.get_entry)(
                 active_dn, ['dn']
             )
-            assert isinstance(staging_dn, DN)
             raise errors.DuplicateEntry(
                 message=_('active user with name "%(user)s" already exists') %
                 dict(user=args[-1]))
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 4ea19d9..c3f0cda 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -45,8 +45,6 @@
 from ldap import SCOPE_SUBTREE
 from time import sleep
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -228,7 +226,7 @@ def find_adtrust_masters(ldap, api):
     """
 
     try:
-        entries, truncated = ldap.find_entries(
+        entries, _truncated = ldap.find_entries(
                 "cn=ADTRUST",
                 base_dn=api.env.container_masters + api.env.basedn
         )
@@ -374,7 +372,7 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
                 domain_validator._admin_creds = creds
         # KDC might not get refreshed data at the first time,
         # retry several times
-        for retry in range(10):
+        for _retry in range(10):
             info_list = domain_validator.search_in_dc(domain,
                                                       info_filter,
                                                       None,
@@ -619,7 +617,7 @@ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
         ldap = self.api.Backend.ldap2
 
         try:
-            entries, truncated = ldap.find_entries(
+            entries, _truncated = ldap.find_entries(
                 base_dn=DN(self.api.env.container_adtrusts,
                            self.api.env.basedn),
                 scope=ldap.SCOPE_ONELEVEL,
@@ -744,18 +742,17 @@ def execute(self, *keys, **options):
             # Store the created range type, since for POSIX trusts no
             # ranges for the subdomains should be added, POSIX attributes
             # provide a global mapping across all subdomains
-            (created_range_type, _, _) = add_range(self.api, self.trustinstance,
-                                                   range_name, dom_sid,
-                                                   *keys, **options)
-        else:
-            created_range_type = old_range['result']['iparangetype'][0]
+            add_range(
+                self.api, self.trustinstance, range_name, dom_sid,
+                *keys, **options
+            )
 
         attrs_list = self.obj.default_attributes
         if options.get('all', False):
             attrs_list.append('*')
 
         trust_filter = "cn=%s" % result['value']
-        (trusts, truncated) = ldap.find_entries(
+        trusts, _truncated = ldap.find_entries(
                          base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
                          filter=trust_filter,
                          attrs_list=attrs_list)
@@ -773,8 +770,9 @@ def execute(self, *keys, **options):
                 # run the call under original user's credentials
                 res = fetch_domains_from_trust(self.api, self.trustinstance,
                                                **options)
-                domains = add_new_domains_from_trust(self.api, self.trustinstance,
-                                                     result['result'], res, **options)
+                add_new_domains_from_trust(
+                    self.api, self.trustinstance, result['result'], res,
+                    **options)
             else:
                 # One-way trust is more complex. We don't have cross-realm TGT
                 # and cannot use IPA principals to authenticate against AD.
@@ -999,7 +997,7 @@ def execute_ad(self, full_join, *keys, **options):
                         if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only':
                             instructions.append(_("Forward policy is defined for it in IPA DNS, "
                                                    "perhaps forwarder points to incorrect host?"))
-                    except (errors.NotFound, KeyError) as e:
+                    except (errors.NotFound, KeyError):
                         instructions.append(_("IPA manages DNS, please verify "
                                               "your DNS configuration and "
                                               "make sure that service records "
@@ -1383,7 +1381,7 @@ def execute(self, *keys, **options):
                 entry['name'] = [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
                 entry['type'] = [idmap_type_string(xlate[sid][pysss_nss_idmap.TYPE_KEY])]
                 result.append(entry)
-        except ValueError as e:
+        except ValueError:
             pass
 
         return dict(result=result)
@@ -1624,7 +1622,7 @@ def execute(self, *keys, **options):
                     error=_("cannot delete root domain of the trust, "
                             "use trust-del to delete the trust itself"))
             try:
-                res = self.api.Command.trustdomain_enable(keys[0], domain)
+                self.api.Command.trustdomain_enable(keys[0], domain)
             except errors.AlreadyActive:
                 pass
 
@@ -1814,7 +1812,7 @@ def execute(self, *keys, **options):
                 ldap.update_entry(trust_entry)
                 # Force MS-PAC cache re-initialization on KDC side
                 domval = ipaserver.dcerpc.DomainValidator(self.api)
-                (ccache_name, principal) = domval.kinit_as_http(keys[0])
+                domval.kinit_as_http(keys[0])
             else:
                 raise errors.AlreadyActive()
         except errors.NotFound:
@@ -1855,7 +1853,7 @@ def execute(self, *keys, **options):
                 ldap.update_entry(trust_entry)
                 # Force MS-PAC cache re-initialization on KDC side
                 domval = ipaserver.dcerpc.DomainValidator(self.api)
-                (ccache_name, principal) = domval.kinit_as_http(keys[0])
+                domval.kinit_as_http(keys[0])
             else:
                 raise errors.AlreadyInactive()
         except errors.NotFound:
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 239838d..5296093 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -69,8 +69,6 @@
 if api.env.in_server:
     from ipaserver.plugins.ldap2 import ldap2
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -858,7 +856,7 @@ def execute(self, *keys, **options):
         # First check that the user exists and is a delete one
         delete_dn = self.obj.get_either_dn(*keys, **options)
         try:
-            entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn)
+            self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn)
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
         if delete_dn.endswith(DN(self.obj.active_container_dn,
@@ -1087,7 +1085,7 @@ def execute(self, *keys, **options):
         masters = []
         # Get list of masters
         try:
-            (masters, truncated) = ldap.find_entries(
+            masters, _truncated = ldap.find_entries(
                 None, ['*'], DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
                 ldap.SCOPE_ONELEVEL
             )
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 83b54c3..c4f724a 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -64,8 +64,6 @@
 from ipapython.version import VERSION
 from ipalib.text import _
 
-# pylint: disable=unused-variable
-
 if six.PY3:
     unicode = str
 
@@ -423,7 +421,7 @@ def __call__(self, environ, start_response):
             status = HTTP_STATUS_SUCCESS
             response = self.wsgi_execute(environ)
             headers = [('Content-Type', self.content_type + '; charset=utf-8')]
-        except Exception as e:
+        except Exception:
             self.exception('WSGI %s.__call__():', self.name)
             status = HTTP_STATUS_SERVER_ERROR
             response = status
@@ -654,7 +652,6 @@ def __call__(self, environ, start_response):
         if user_ccache is None:
 
             status = HTTP_STATUS_SERVER_ERROR
-            response_headers = [('Content-Type', 'text/html; charset=utf-8')]
 
             self.log.error(
                 '%s: %s', status,
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to