[Freeipa-devel] [freeipa PR#2025][opened] replica install: fix --password handling

2018-06-14 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2025
Author: stlaz
 Title: #2025: replica install: fix --password handling
Action: opened

PR body:
"""
Don't specify host_password if admin_password has already been
resolved.

This fixes the case when --password and --principal
are both set in replica installation when the client is not yet
installed on the replica-to-be machine.

Fixes: https://github.com/freeipa/freeipa-container/issues/177


The `--password` option handling is way too complex for what it should be. Damn 
you, backward compatibility.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2025/head:pr2025
git checkout pr2025
From b266ec2d565a808d9a7d2a37748719c7a7bcc0c5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 14 Jun 2018 08:58:04 +0200
Subject: [PATCH] replica install: fix --password handling

Don't specify host_password if admin_password has already been
resolved.

This fixes the case when --password and --principal
are both set in replica installation when the client is not yet
installed on the replica-to-be machine.

Fixes: https://github.com/freeipa/freeipa-container/issues/177
---
 ipaserver/install/ipa_replica_install.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_install.py b/ipaserver/install/ipa_replica_install.py
index eb2f247d3c..f6512e1959 100644
--- a/ipaserver/install/ipa_replica_install.py
+++ b/ipaserver/install/ipa_replica_install.py
@@ -79,7 +79,7 @@ def host_password(self):
 admin_password = (
 super(CompatServerReplicaInstall, self).admin_password)
 if (self.replica_file is None and
-(not self.principal or admin_password)):
+not (self.principal or admin_password)):
 return self.auto_password
 
 return super(CompatServerReplicaInstall, self).host_password
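
Review bot: The rewritten condition `not (self.principal or admin_password)` in `host_password` changes two input combinations at once, and nothing in the patch pins that down. With `replica_file` unset, the old `(not self.principal or admin_password)` returned `self.auto_password` both when no principal was given and whenever an admin password had been resolved; the new form returns it only when neither is set. That matches the commit message for the `--principal` plus `--password` case, but it also flips the case of an admin password with no principal, so please confirm that is intended. Spelling it as `not self.principal and not admin_password` with a one-line comment, plus a regression test over the four combinations, would keep the next reader from reintroducing the misplaced parenthesis.
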
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/4BTKXEJWE7REUULZ4WUHE7KYPABHFBF5/


[Freeipa-devel] [freeipa PR#1976][closed] Make Python 2 build dependency optional

2018-06-11 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1976
Author: tiran
 Title: #1976: Make Python 2 build dependency optional
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1976/head:pr1976
git checkout pr1976
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/SFQBRFDJYN2X6RRSCB6JGYOQJHL2T7VI/


[Freeipa-devel] [freeipa PR#2003][closed] [Backport][ipa-4-6] Adding xfail to failing tests

2018-06-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2003
Author: stlaz
 Title: #2003: [Backport][ipa-4-6] Adding xfail to failing tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2003/head:pr2003
git checkout pr2003
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/SXL3BDAZJ7ANHBX3AX3J2MWOH2CUVRCA/


[Freeipa-devel] [freeipa PR#2002][closed] [Backport][ipa-4-6] Disable Schema Compat plugin during server upgrade

2018-06-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2002
Author: rcritten
 Title: #2002: [Backport][ipa-4-6] Disable Schema Compat plugin during server 
upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2002/head:pr2002
git checkout pr2002
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/K3BDWCMODSHCDII26472KR2ZGWE3VAOZ/


[Freeipa-devel] [freeipa PR#2003][opened] [Backport][ipa-4-6] Adding xfail to failing tests

2018-06-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/2003
Author: stlaz
 Title: #2003: [Backport][ipa-4-6] Adding xfail to failing tests
Action: opened

PR body:
"""
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2003/head:pr2003
git checkout pr2003
From 4219d1dd11e965ccd1d5f641297230ed76d02ebe Mon Sep 17 00:00:00 2001
From: Felipe Barreto 
Date: Wed, 30 May 2018 10:04:06 -0300
Subject: [PATCH] Adding xfail to failing tests

The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.

TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
---
 ipatests/test_integration/test_dnssec.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 40b4e1b356..755e10ecd8 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -5,6 +5,7 @@
 from __future__ import absolute_import
 
 import logging
+import pytest
 
 import dns.dnssec
 import dns.resolver
@@ -144,6 +145,7 @@ def test_if_zone_is_signed_replica(self):
 self.master.ip, test_zone_repl, timeout=5
 ), "DNS zone %s is not signed (master)" % test_zone
 
+@pytest.mark.xfail(reason='Ticket N 5670')
 def test_disable_reenable_signing_master(self):
 
 dnskey_old = resolve_with_dnssec(self.master.ip, test_zone,
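
Review bot: `@pytest.mark.xfail(reason='Ticket N 5670')` on `test_disable_reenable_signing_master` is a non-strict xfail unless the project sets `xfail_strict`, so the test keeps reporting green even after the underlying problem is fixed or changes shape. Consider `strict=True` so an unexpected pass is flagged and the marker gets removed, and put the full tracker URL in `reason`; 'Ticket N 5670' does not say which tracker is meant.
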
@@ -191,6 +193,7 @@ def test_disable_reenable_signing_master(self):
  rtype="DNSKEY").rrset
 assert dnskey_old != dnskey_new, "DNSKEY should be different"
 
+@pytest.mark.xfail(reason='Ticket N 5670')
 def test_disable_reenable_signing_replica(self):
 
 dnskey_old = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl,
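
Review bot: The same marker string is pasted a second time above `test_disable_reenable_signing_replica`, and a third time further down. A single module-level marker object applied to all three tests would leave one place to edit or delete when the ticket is resolved.
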
@@ -307,6 +310,7 @@ def test_sign_root_zone(self):
 self.replicas[0].ip, root_zone, timeout=300
 ), "Zone %s is not signed (replica)" % root_zone
 
+@pytest.mark.xfail(reason='Ticket N 5670')
 def test_chain_of_trust(self):
 """
 Validate signed DNS records, using our own signed root zone
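
Review bot: An unconditional xfail on `test_chain_of_trust` means a real break in validating signed records against the signed root zone would no longer turn CI red, and the commit message says the cause of the current failure is not understood. If the failure shows up as a known exception type, narrow the marker with `raises=`; otherwise record in the ticket that this test has to be re-enabled, so the marker does not become permanent.
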
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/XC4JZP4D2UFBGU737R2UG5ZA7JNKRZKB/


[Freeipa-devel] [freeipa PR#1914][closed] Fixing DNSSEC tests with restarting named

2018-06-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1914
Author: felipevolpone
 Title: #1914: Fixing DNSSEC tests with restarting named
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1914/head:pr1914
git checkout pr1914
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/R3KRMJIPY6SHICFLQ4UOSAUZEB2LTC76/


[Freeipa-devel] [freeipa PR#1959][closed] [Backport][ipa-4-6] Travis: ignore 'line break after binary operator'

2018-05-24 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1959
Author: tiran
 Title: #1959: [Backport][ipa-4-6] Travis: ignore 'line break after binary 
operator'
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1959/head:pr1959
git checkout pr1959
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/PHCLEUB3SN5NONYJ2UG5KMH2GK7J3TQZ/


[Freeipa-devel] [freeipa PR#1958][opened] Travis: ignore 'line break after binary operator'

2018-05-23 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1958
Author: stlaz
 Title: #1958: Travis: ignore 'line break after binary operator'
Action: opened

PR body:
"""
We started seeing the error `line break after binary operator` but when fixed, 
error of `line break before binary operator` appears. Ignore one of these. 
Worked for https://github.com/freeipa/freeipa/pull/1563
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1958/head:pr1958
git checkout pr1958
From 23b6c5f0a1838dac9cd93eae9d02675a83dfe185 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 23 May 2018 15:03:54 +0200
Subject: [PATCH] Travis: ignore 'line break after binary operator'

---
 .travis_run_task.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index d3a9cd5ed6..61d655088a 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -38,8 +38,9 @@ if [[ "$TASK_TO_RUN" == "lint" ]]
 then
 if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
 then
-git diff origin/$TRAVIS_BRANCH -U0 | pycodestyle --diff &> $PEP8_ERROR_LOG ||:
-fi 
+git diff origin/$TRAVIS_BRANCH -U0 | \
+pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:
+fi
 fi
 
 if [[ -n "$TESTS_TO_RUN" ]]
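
Review bot: Hard-coding `--ignore=W504` on the `pycodestyle` command line in `.travis_run_task.sh` means the Travis lint result can differ from what a contributor gets from a plain `pycodestyle` run locally. Moving the setting into the project's pycodestyle configuration would keep both in agreement. Please also check whether passing `--ignore` replaces pycodestyle's default ignore list rather than extending it, since that would switch on checks that were previously skipped. Separately, `origin/$TRAVIS_BRANCH` and `$PEP8_ERROR_LOG` on the new lines are still unquoted.
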
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/UJWD5HNG22S23JEEQVA57Z5Y5NT7IJKY/


[Freeipa-devel] [freeipa PR#1917][closed] [Backport][ipa-4-6] Allow user administrator to change user homedir

2018-05-11 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1917
Author: stlaz
 Title: #1917: [Backport][ipa-4-6] Allow user administrator to change user 
homedir
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1917/head:pr1917
git checkout pr1917


[Freeipa-devel] [freeipa PR#1918][closed] [Backport][ipa-4-5] Allow user administrator to change user homedir

2018-05-11 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1918
Author: stlaz
 Title: #1918: [Backport][ipa-4-5] Allow user administrator to change user 
homedir
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1918/head:pr1918
git checkout pr1918


[Freeipa-devel] [freeipa PR#1918][opened] [Backport][ipa-4-5] Allow user administrator to change user homedir

2018-05-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1918
Author: stlaz
 Title: #1918: [Backport][ipa-4-5] Allow user administrator to change user 
homedir
Action: opened

PR body:
"""
This PR was opened automatically because PR #1912 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1918/head:pr1918
git checkout pr1918
From c4d6c6dd184f454a7dd7cf6ceadcab08cdbc1c5d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 9 May 2018 12:26:12 +0200
Subject: [PATCH] Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427
---
 ACI.txt   |  2 +-
 ipaserver/plugins/user.py | 12 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 9c7996cc6b..b402aedd81 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -361,7 +361,7 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
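
Review bot: Adding `homedirectory` to the `targetattr` list of "permission:System: Modify Users" widens a write permission, and the commit message carries only a ticket link. `homedirectory` decides where a user's login-time files are looked up on enrolled hosts, so it is more sensitive than neighbours such as `homephone`. Please state in the commit message why it belongs in the general Modify Users permission rather than a separate one, and whether existing holders of that permission should be told about the change.
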
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 8866ac0f0a..af8d6a9900 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -304,12 +304,12 @@ class user(baseuser):
 'businesscategory', 'carlicense', 'cn', 'departmentnumber',
 'description', 'displayname', 'employeetype',
 'employeenumber', 'facsimiletelephonenumber',
-'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
-'initials', 'l', 'labeleduri', 'loginshell', 'manager', 'mail',
-'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
-'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
-'street', 'telephonenumber', 'title', 'userclass',
-'preferredlanguage',
+'gecos', 'givenname', 'homedirectory', 'homephone',
+'inetuserhttpurl', 'initials', 'l', 'labeleduri', 'loginshell',
+'manager', 'mail', 'mepmanagedentry', 'mobile', 'objectclass',
+'ou', 'pager', 'postalcode', 'roomnumber', 'secretary',
+'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title',
+'userclass', 'preferredlanguage'
 },
 'replaces': [
 '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl 
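
Review bot: The re-wrapped set ends with `'userclass', 'preferredlanguage'` and drops the trailing comma that the removed `'preferredlanguage',` line had. Keeping the comma makes the next attribute added here a one-line diff. Re-wrapping six lines to insert one name also makes this hunk harder to compare against the `ACI.txt` change.
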

[Freeipa-devel] [freeipa PR#1917][opened] [Backport][ipa-4-6] Allow user administrator to change user homedir

2018-05-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1917
Author: stlaz
 Title: #1917: [Backport][ipa-4-6] Allow user administrator to change user 
homedir
Action: opened

PR body:
"""
This PR was opened automatically because PR #1912 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1917/head:pr1917
git checkout pr1917
From 7bf144b44cd5e181ccf69bae5b7d9f0799f72926 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 9 May 2018 12:26:12 +0200
Subject: [PATCH] Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427
---
 ACI.txt   |  2 +-
 ipaserver/plugins/user.py | 12 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 185812a881..e5134a55f8 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -361,7 +361,7 @@ aci: (targetattr = "krbcanonicalname || krbprincipalname")(targetfilter = "(obje
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || departmentnumber || description || displayname || employeenumber || employeetype || facsimiletelephonenumber || gecos || givenname || homedirectory || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || mail || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
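
Review bot: This backport changes `ACI.txt` and `ipaserver/plugins/user.py` only (2 files in the diffstat), so nothing asserts that a member of "System: Modify Users" can now write `homedirectory`, or that other roles still cannot. A permission test covering both directions would protect the ipa-4-6 branch from a later edit to this `targetattr` list.
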
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index d35c8a948d..bb73a2eb10 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -307,12 +307,12 @@ class user(baseuser):
 'businesscategory', 'carlicense', 'cn', 'departmentnumber',
 'description', 'displayname', 'employeetype',
 'employeenumber', 'facsimiletelephonenumber',
-'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
-'initials', 'l', 'labeleduri', 'loginshell', 'manager', 'mail',
-'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
-'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
-'street', 'telephonenumber', 'title', 'userclass',
-'preferredlanguage',
+'gecos', 'givenname', 'homedirectory', 'homephone',
+'inetuserhttpurl', 'initials', 'l', 'labeleduri', 'loginshell',
+'manager', 'mail', 'mepmanagedentry', 'mobile', 'objectclass',
+'ou', 'pager', 'postalcode', 'roomnumber', 'secretary',
+'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title',
+'userclass', 'preferredlanguage'
 },
 'replaces': [
 '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl 
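
Review bot: `'preferredlanguage'` still sits at the end of the set after `'userclass'`, while the `ACI.txt` hunk in the same patch lists it alphabetically between `postalcode` and `roomnumber`. Since these lines are being re-wrapped anyway, sorting it into place would let the two lists be compared by eye.
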

[Freeipa-devel] [freeipa PR#1912][closed] Allow user administrator to change user homedir

2018-05-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1912
Author: stlaz
 Title: #1912: Allow user administrator to change user homedir
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1912/head:pr1912
git checkout pr1912


[Freeipa-devel] [freeipa PR#1906][closed] mod_ssl: add SSLVerifyDepth for external CA installs

2018-05-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1906
Author: stlaz
 Title: #1906: mod_ssl: add SSLVerifyDepth for external CA installs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1906/head:pr1906
git checkout pr1906


[Freeipa-devel] [freeipa PR#1912][opened] Allow user administrator to change user homedir

2018-05-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1912
Author: stlaz
 Title: #1912: Allow user administrator to change user homedir
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/7427
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1912/head:pr1912
git checkout pr1912
From d53a27ebca6d41d3edf722b22768845f85a88822 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 9 May 2018 12:26:12 +0200
Subject: [PATCH] Allow user administrator to change user homedir

https://pagure.io/freeipa/issue/7427
---
 ipaserver/plugins/user.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index d35c8a948d..bb73a2eb10 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -307,12 +307,12 @@ class user(baseuser):
 'businesscategory', 'carlicense', 'cn', 'departmentnumber',
 'description', 'displayname', 'employeetype',
 'employeenumber', 'facsimiletelephonenumber',
-'gecos', 'givenname', 'homephone', 'inetuserhttpurl',
-'initials', 'l', 'labeleduri', 'loginshell', 'manager', 'mail',
-'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
-'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
-'street', 'telephonenumber', 'title', 'userclass',
-'preferredlanguage',
+'gecos', 'givenname', 'homedirectory', 'homephone',
+'inetuserhttpurl', 'initials', 'l', 'labeleduri', 'loginshell',
+'manager', 'mail', 'mepmanagedentry', 'mobile', 'objectclass',
+'ou', 'pager', 'postalcode', 'roomnumber', 'secretary',
+'seealso', 'sn', 'st', 'street', 'telephonenumber', 'title',
+'userclass', 'preferredlanguage'
 },
 'replaces': [
 '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX;)(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
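
Review bot: The diffstat shows only `ipaserver/plugins/user.py` changing, but adding `'homedirectory'` to this managed permission's attribute set also changes the generated ACI. The ipa-4-5 and ipa-4-6 backports (PR #1918, PR #1917) both carry a matching `ACI.txt` update; this patch should too, or the reference file and the plugin will disagree on master.
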


[Freeipa-devel] [freeipa PR#1799][closed] [ipa-4-6] Make sure ipa-4-6 is tested on F27

2018-05-04 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1799
Author: stlaz
 Title: #1799: [ipa-4-6] Make sure ipa-4-6 is tested on F27
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1799/head:pr1799
git checkout pr1799


[Freeipa-devel] [freeipa PR#1906][opened] mod_ssl: add SSLVerifyDepth for external CA installs

2018-05-04 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1906
Author: stlaz
 Title: #1906: mod_ssl: add SSLVerifyDepth for external CA installs
Action: opened

PR body:
"""
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1906/head:pr1906
git checkout pr1906
From ba7302ce817a32c6dacad531d31553e04c5ad07f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 4 May 2018 12:16:33 +0200
Subject: [PATCH] mod_ssl: add SSLVerifyDepth for external CA installs

mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.

https://pagure.io/freeipa/issue/7530
---
 ipalib/constants.py   | 2 ++
 ipaserver/install/httpinstance.py | 7 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index e161d65adf..af4b2bb81a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -319,3 +319,5 @@
 )
 
 SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
+# certificate verification depth of Apache's mod_ssl (SSLVerifyDepth)
+MOD_SSL_VERIFY_DEPTH = 5
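
Review bot: `MOD_SSL_VERIFY_DEPTH = 5` is introduced with a comment that says what the constant is but not why the value is 5. The reasoning from the commit message (the default `SSLVerifyDepth` of 1 breaks replica installs when `SSLCACertificateFile` holds more than one certificate, and 5 leaves room for sub-CAs) belongs next to the value, along with a note that deeper external chains will still fail. A blank line between `SOFTHSM_DNSSEC_TOKEN_LABEL` and the new comment would also match the spacing above it.
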
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index dbbb4000ff..14e678f88d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -43,7 +43,7 @@
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api, x509
-from ipalib.constants import IPAAPI_USER
+from ipalib.constants import IPAAPI_USER, MOD_SSL_VERIFY_DEPTH
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
@@ -412,6 +412,11 @@ def configure_mod_ssl_certs(self):
 installutils.set_directive(paths.HTTPD_SSL_CONF,
'SSLCACertificateFile',
paths.IPA_CA_CRT, False)
+# set SSLVerifyDepth for external CA installations
+installutils.set_directive(paths.HTTPD_SSL_CONF,
+   'SSLVerifyDepth',
+   MOD_SSL_VERIFY_DEPTH,
+   quotes=False)
 
 def __publish_ca_cert(self):
 ca_subject = self.cert.issuer
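
Review bot: The comment reads `# set SSLVerifyDepth for external CA installations`, but the `set_directive` call in `configure_mod_ssl_certs` runs unconditionally, so every install gets the new depth. Either say so in the comment or gate the call on the external-CA case. The visible change also covers only fresh configuration; servers that are already installed would need the directive added in the upgrade path to benefit. Minor: the neighbouring call passes `False` positionally while this one uses `quotes=False`; pick one style.
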


[Freeipa-devel] [freeipa PR#1884][opened] Add absolute_import to test_authselect

2018-04-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1884
Author: stlaz
 Title: #1884: Add absolute_import to test_authselect
Action: opened

PR body:
"""
This is to keep backward compatibility with Python 2
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1884/head:pr1884
git checkout pr1884
From 20cb4f21fde220c9c124b2c4160abed1ee9612dc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 30 Apr 2018 11:02:04 +0200
Subject: [PATCH] Add absolute_import to test_authselect

This is to keep backward compatibility with Python 2
---
 ipatests/test_integration/test_authselect.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
index 8d8fb8b802..e713f87282 100644
--- a/ipatests/test_integration/test_authselect.py
+++ b/ipatests/test_integration/test_authselect.py
@@ -6,6 +6,8 @@
 Module provides tests to verify that the authselect code works.
 """
 
+from __future__ import absolute_import
+
 import pytest
 
 import ipaplatform.paths


[Freeipa-devel] [freeipa PR#1881][opened] Travis: test IPA 4.6 on F27

2018-04-30 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1881
Author: stlaz
 Title: #1881: Travis: test IPA 4.6 on F27
Action: opened

PR body:
"""
Newer versions of Fedora could cause errors in Travis tests, make
F27 be the testing platform for FreeIPA 4.6
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1881/head:pr1881
git checkout pr1881
From 57176a3271c28c8395b78ad645468ad3dfea8e61 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 30 Apr 2018 10:08:01 +0200
Subject: [PATCH] Travis: test IPA 4.6 on F27

Newer versions of Fedora could cause errors in Travis tests, make
F27 be the testing platform for FreeIPA 4.6
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 579e843bcb..e63cc52fe1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,7 @@ python:
 cache: pip
 env:
 global:
-- TEST_RUNNER_IMAGE="freeipa/freeipa-test-runner:master-latest"
+- TEST_RUNNER_IMAGE="freeipa/freeipa-test-runner:ipa-4-6_f27"
   PEP8_ERROR_LOG="pycodestyle_errors.log"
   CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
   CI_BACKLOG_SIZE=5000
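Review bot: `TEST_RUNNER_IMAGE` in the changed line still points at a mutable tag (`ipa-4-6_f27`), so the CI environment can change underneath the branch whenever that tag is pushed again. If reproducible test runs matter for the 4.6 branch, pin the image by digest (`freeipa/freeipa-test-runner@sha256:<digest>`) or document in the commit message who rebuilds the tag and when.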


[Freeipa-devel] [freeipa PR#1859][closed] Fix typo in ipa-getkeytab --help

2018-04-26 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1859
Author: stlaz
 Title: #1859: Fix typo in ipa-getkeytab --help
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1859/head:pr1859
git checkout pr1859


[Freeipa-devel] [freeipa PR#1859][opened] Fix typo in ipa-getkeytab --help

2018-04-26 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1859
Author: stlaz
 Title: #1859: Fix typo in ipa-getkeytab --help
Action: opened

PR body:
"""
Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1859/head:pr1859
git checkout pr1859
From e879f15130428e6f58eb7299011f18b0fab61f8f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 25 Apr 2018 10:48:05 +0200
Subject: [PATCH] Fix typo in ipa-getkeytab --help

Fix the typo in ipa-getkeytab -k option description by
replacing the text with the one from man
---
 client/ipa-getkeytab.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 8ffd2b0ad1..478b500b56 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -763,7 +763,8 @@ int main(int argc, const char *argv[])
   _("The principal to get a keytab for (ex: ftp/ftp.example@example.com)"),
   _("Kerberos Service Principal Name") },
 { "keytab", 'k', POPT_ARG_STRING, , 0,
-  _("File were to store the keytab information"),
+  _("The keytab file to append the new key to (will be "
+"created if it does not exist)."),
   _("Keytab File Name") },
 	{ "enctypes", 'e', POPT_ARG_STRING, _string, 0,
   _("Encryption types to request"),
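Review bot: the new `-k` description ends with a full stop and is split across two string literals, while the neighbouring descriptions in this option table ("Encryption types to request", "Kerberos Service Principal Name") are single strings without trailing punctuation; drop the period so `--help` output stays consistent. Because the msgid changes, existing translations of this string will stop matching until the catalogs are refreshed, which is worth a line in the commit message.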


[Freeipa-devel] [freeipa PR#1785][closed] Travis - use F28 for testing

2018-04-20 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1785
Author: stlaz
 Title: #1785: Travis - use F28 for testing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1785/head:pr1785
git checkout pr1785


[Freeipa-devel] [freeipa PR#1828][opened] install: configure dogtag status request timeout

2018-04-17 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1828
Author: stlaz
 Title: #1828: install: configure dogtag status request timeout
Action: opened

PR body:
"""
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.

This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them.  Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried.  Setting a shorter timeout allows the request to be
re-tried.

Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support.  It is known that a
value of 5s is too short in HSM environment.

This fix requires pki-core >= 10.6.0, which is already required by
the spec file.

Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1828/head:pr1828
git checkout pr1828
From 425221e520798cbca86c3f8c6714a095efe118fa Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 27 Feb 2018 16:29:02 +1100
Subject: [PATCH] install: configure dogtag status request timeout

Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.

This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them.  Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried.  Setting a shorter timeout allows the request to be
re-tried.

Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support.  It is known that a
value of 5s is too short in HSM environment.

This fix requires pki-core >= 10.6.0, which is already required by
the spec file.

Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud 
---
 ipaserver/install/cainstance.py | 17 +
 1 file changed, 17 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d2126a1b1e..8a11b5deca 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -496,6 +496,23 @@ def __spawn_instance(self):
 ipalib.constants.IPA_CA_RECORD,
 ipautil.format_netloc(api.env.domain)))
 
+# Configures the status request timeout, i.e. the connect/data
+# timeout on the HTTP request to get the status of Dogtag.
+#
+# This configuration is needed in "multiple IP address" scenarios
+# where this server's hostname has multiple IP addresses but the
+# HTTP server is only listening on one of them.  Without a timeout,
+# if a "wrong" IP address is tried first, it will take a long time
+# to timeout, exceeding the overall timeout hence the request will
+# not be re-tried.  Setting a shorter timeout allows the request
+# to be re-tried.
+#
+# Note that HSMs cause different behaviour so this value might
+# not be suitable for when we implement HSM support.  It is
+# known that a value of 5s is too short in HSM environment.
+#
+config.set("CA", "pki_status_request_timeout", "15")  # 15 seconds
+
 # Client security database
 config.set("CA", "pki_client_pkcs12_password", self.admin_password)
 
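Review bot: `pki_status_request_timeout` is set to a hard-coded "15" with the unit only in a trailing comment, and the comment block above it says 5s is known to be too short with an HSM without saying why 15 was chosen or whether it is expected to hold there. Move the value to a named constant (or an overridable install setting) and record the reasoning for 15 next to it, so the HSM work has one place to change. The comment block also repeats the commit message word for word and ends in an empty `#` line that can go.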


[Freeipa-devel] [freeipa PR#1799][opened] [ipa-4-6] Make sure ipa-4-6 is tested on F27

2018-04-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1799
Author: stlaz
 Title: #1799: [ipa-4-6] Make sure ipa-4-6 is tested on F27
Action: opened

PR body:
"""
ipa-4-6 is shipped last on F27, test it there.

Depends on: https://github.com/freeipa/ipa-docker-test-runner/pull/41
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1799/head:pr1799
git checkout pr1799


[Freeipa-devel] [freeipa PR#1798][opened] [Backport][ipa 4.5] replica-install: pass --ip-address to client install

2018-04-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1798
Author: stlaz
 Title: #1798: [Backport][ipa 4.5] replica-install: pass --ip-address to client install
Action: opened

PR body:
"""
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1798/head:pr1798
git checkout pr1798
From c76e712404fd51f6816befda28f16e0e0894c426 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 6 Apr 2018 09:10:20 +0200
Subject: [PATCH] replica-install: pass --ip-address to client install

In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
---
 ipaserver/install/server/replicainstall.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 16b478a54a..646e2a4746 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -946,6 +946,10 @@ def ensure_enrolled(installer):
 args.append("--mkhomedir")
 if installer.force_join:
 args.append("--force-join")
+if installer.ip_addresses:
+for ip in installer.ip_addresses:
+# installer.ip_addresses is of type [CheckedIPAddress]
+args.extend(("--ip-address", str(ip)))
 
 try:
 # Call client install script
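Review bot: the outer `if installer.ip_addresses:` only matters if the attribute can be `None`; for an empty list the `for` loop is already a no-op. Either drop the guard or say in the comment that `None` is possible, and move the `[CheckedIPAddress]` comment above the loop so it does not sit between the `for` line and its only statement.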


[Freeipa-devel] [freeipa PR#1797][opened] replica-install: pass --ip-address to client install

2018-04-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1797
Author: stlaz
 Title: #1797: replica-install: pass --ip-address to client install
Action: opened

PR body:
"""
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1797/head:pr1797
git checkout pr1797
From 2c8e20413eacb3a3bca87fc58d9bb1114afcbb21 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 6 Apr 2018 09:10:20 +0200
Subject: [PATCH] replica-install: pass --ip-address to client install

In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
---
 ipaserver/install/server/replicainstall.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 01f2c9a9d8..fa531e0e53 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -950,6 +950,10 @@ def ensure_enrolled(installer):
 args.append("--mkhomedir")
 if installer.force_join:
 args.append("--force-join")
+if installer.ip_addresses:
+for ip in installer.ip_addresses:
+# installer.ip_addresses is of type [CheckedIPAddress]
+args.extend(("--ip-address", str(ip)))
 
 try:
 # Call client install script
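Review bot: nothing in this change exercises the new `--ip-address` pass-through, and the bug it fixes (DNS records created for every interface address) is the kind that regresses silently; the diffstat shows only `replicainstall.py` touched. An integration test that installs a replica with a single `--ip-address` on a multi-homed host and asserts on the resulting DNS records would pin the behaviour.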


[Freeipa-devel] [freeipa PR#1785][opened] Travis - use F28 for testing

2018-04-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1785
Author: stlaz
 Title: #1785: Travis - use F28 for testing
Action: opened

PR body:
"""
python2 pylint fails on Fedora 28 with errors about relative imports from 
`ipaplatform` that seem to be false-positives. Use only python3 pylint for 
Travis.

The Fedora 28 test-runner container in this commit is only to show that the 
tests pass, I'll update the Fedora 28 container in DockerHub FreeIPA repo once 
we agree on this PR.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1785/head:pr1785
git checkout pr1785
From 6238a6af208af64bb31c62885ee6d765c23fa00a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 15 Sep 2017 20:57:13 +0200
Subject: [PATCH 1/2] TMP: Test this branch on f28

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index f81af742b9..ce9b8244f9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,7 +13,7 @@ python:
 cache: pip
 env:
 global:
-- TEST_RUNNER_IMAGE="freeipa/freeipa-test-runner:master-latest"
+- TEST_RUNNER_IMAGE="stlaz/freeipa-test-runner:f28"
   PEP8_ERROR_LOG="pycodestyle_errors.log"
   CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
   CI_BACKLOG_SIZE=5000
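Review bot: `TEST_RUNNER_IMAGE` now names an image in a personal Docker Hub namespace (`stlaz/freeipa-test-runner:f28`), and the subject marks the commit as TMP. This commit has to be dropped before merge, with the F28 image published under the project's `freeipa/` namespace first, so that CI for the main repository does not execute an image controlled by a single account.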

From 4e26189649c983f3c02d37214a2f20e799c865ce Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 5 Apr 2018 09:21:16 +0200
Subject: [PATCH 2/2] Do all lint targets only with python3

---
 .test_runner_config.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index 125c1ea7f7..e548843b47 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -54,8 +54,7 @@ steps:
   - sed -ri "s/mode = production/mode = development/" /etc/ipa/default.conf
   - systemctl restart httpd.service
   lint:
-  - make PYTHON=/usr/bin/python2 V=0 lint
-  - make PYTHON=/usr/bin/python3 V=0 pylint
+  - make PYTHON=/usr/bin/python3 V=0 lint
   webui_unit:
   - dnf install -y npm
   - cd ${container_working_dir}/install/ui/js/libs && make
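Review bot: after this change the `lint` step runs nothing under `/usr/bin/python2`: the removed first line was the only Python 2 lint run, and the remaining line moves Python 3 from `pylint` to the full `lint` target. The commit has no message body; it should state that Python 2 lint coverage is being given up deliberately and why, if Python 2 is still a supported target for this branch.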


[Freeipa-devel] [freeipa PR#1784][opened] replica-install: pass --ip-address to client install

2018-04-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1784
Author: stlaz
 Title: #1784: replica-install: pass --ip-address to client install
Action: opened

PR body:
"""
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1784/head:pr1784
git checkout pr1784
From 65b9204c245aa50b208a723748f1f5294852a20f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 6 Apr 2018 09:10:20 +0200
Subject: [PATCH] replica-install: pass --ip-address to client install

In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP addresses instead of just those specified.

This patch passes all the --ip-address options down to the client
installation script.

https://pagure.io/freeipa/issue/7405
---
 ipaserver/install/server/replicainstall.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 028c0e6fbd..83497ae7e2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -946,6 +946,10 @@ def ensure_enrolled(installer):
 args.append("--mkhomedir")
 if installer.force_join:
 args.append("--force-join")
+if installer.ip_addresses:
+for ip in installer.ip_addresses:
+# installer.ip_addresses is of type [CheckedIPAddress]
+args.extend(("--ip-address", str(ip)))
 
 try:
 # Call client install script
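Review bot: `str(ip)` in the added `args.extend(...)` line relies on the string form of `CheckedIPAddress` being a bare address that `ipa-client-install --ip-address` will parse; if the object can carry a prefix length or an interface scope in its string form, the client install would be handed a value it rejects. Worth confirming for IPv6 input and stating the expectation in the comment, which currently gives only the type.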


[Freeipa-devel] [freeipa PR#1731][opened] HTTPD encrypted key upgrade and backup

2018-03-23 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1731
Author: stlaz
 Title: #1731: HTTPD encrypted key upgrade and backup
Action: opened

PR body:
"""
During my recent work on HTTPD key encryption, I forgot to create the password 
to the encrypted key during upgrade and also to back it up during `ipa-backup`. 
This PR fixes that.

https://pagure.io/freeipa/issue/7421
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1731/head:pr1731
git checkout pr1731
From 209628c1343881890a69d2daa714d0de20387ee0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 23 Mar 2018 14:34:41 +0100
Subject: [PATCH 1/2] Fix upgrading of FreeIPA HTTPD

With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.

https://pagure.io/freeipa/issue/7421
---
 ipaserver/install/certs.py| 18 +-
 ipaserver/install/httpinstance.py | 13 -
 2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 50b9716453..db3080dc92 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -72,12 +72,20 @@ def install_pem_from_p12(p12_fname, p12_passwd, pem_fname):
  "-passin", "file:" + pwd.name])
 
 
-def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
+def install_key_from_p12(
+p12_fname, p12_passwd, pem_fname, out_passwd_fname=None
+):
 pwd = ipautil.write_tmp_file(p12_passwd)
-ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts",
- "-in", p12_fname, "-out", pem_fname,
- "-passin", "file:" + pwd.name],
-umask=0o077)
+args = [
+paths.OPENSSL, "pkcs12", "-nocerts",
+"-in", p12_fname, "-out", pem_fname,
+"-passin", "file:" + pwd.name]
+if out_passwd_fname is not None:
+args.extend(['-passout', 'file:{}'.format(out_passwd_fname)])
+else:
+args.append('-nodes')
+
+ipautil.run(args, umask=0o077)
 
 
 def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
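Review bot: `out_passwd_fname=None` keeps `-nodes` as the default, so any caller that forgets the new argument silently writes the private key unencrypted. Consider making the unencrypted path an explicit choice and add a docstring for the parameter. When `-passout` is used no cipher option is passed, so the key is encrypted with whatever the installed openssl defaults to; naming the cipher explicitly would make the result the same across versions.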
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 91de4071ca..521533f278 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -613,9 +613,20 @@ def migrate_to_mod_ssl(self):
 certs.install_pem_from_p12(temp.name,
pk12_password,
paths.HTTPD_CERT_FILE)
+with open(
+os.path.join(
+paths.IPA_PASSWD_DIR,
+HTTPD_PASSWD_FILE_FMT.format(host=api.env.host)
+), 'wb') as passwd_file:
+os.fchmod(passwd_file.fileno(), 0o600)
+passwd_fname = passwd_file.name
+passwd_file.write(
+ipautil.ipa_generate_password().encode('utf-8'))
+
 certs.install_key_from_p12(temp.name,
pk12_password,
-   paths.HTTPD_KEY_FILE)
+   paths.HTTPD_KEY_FILE,
+   out_passwd_fname=passwd_fname)
 
 self.backup_ssl_conf()
 self.configure_mod_ssl_certs()
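Review bot: the password file is created by `open(..., 'wb')` with umask-derived permissions and only then restricted with `os.fchmod(..., 0o600)`, which leaves a short window before the mode is tightened, and an existing file at that path is truncated and reused with its current owner. Creating it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)`, or under a 0o077 umask as `install_key_from_p12` already does for the key, closes the window; the upgrade path should also decide what happens when the file already exists.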

From 8ce895fa85a551b65b557710dc2d173ee498d0ed Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 23 Mar 2018 14:37:58 +0100
Subject: [PATCH 2/2] ipa_backup: Backup the password to HTTPD priv key

https://pagure.io/freeipa/issue/7421
---
 ipaserver/install/ipa_backup.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index f8fc2fdccf..ba56009aa0 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -29,6 +29,7 @@
 from ipaplatform.paths import paths
 from ipaplatform import services
 from ipalib import api, errors
+from ipalib.constants import HTTPD_PASSWD_FILE_FMT
 from ipapython import version
 from ipapython.ipautil import run, write_tmp_file
 from ipapython import admintool, certdb
@@ -365,6 +366,11 @@ def add_instance_specific_data(self):
 if os.path.exists(file):
 self.files.append(file)
 
+self.files.append(
+os.path.join(paths.IPA_PASSWD_DIR,
+ HTTPD_PASSWD_FILE_FMT.format(host=api.env.host))
+)
+
 self.logs.append(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % serverid)
 
 
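Review bot: the password file path is appended to `self.files` unconditionally, while the loop just above it adds entries only `if os.path.exists(file)`. On a server where the upgrade step that creates this file has not run, the backup would list a path that is not there; wrap the append in the same existence check.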


[Freeipa-devel] [freeipa PR#1730][opened] Remove py35 env from tox testing

2018-03-23 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1730
Author: stlaz
 Title: #1730: Remove py35 env from tox testing
Action: opened

PR body:
"""
Ever since fa94ef04, only Python3 versions >=3.6 are supported.
Removing py35 env from tox tests.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1730/head:pr1730
git checkout pr1730
From 3be5c5d7f1719880f9f1066fb8bbc635b1423622 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 23 Mar 2018 12:22:28 +0100
Subject: [PATCH] Remove py35 env from tox testing

Ever since fa94ef04, only Python3 versions >=3.6 are supported.
Removing py35 env from tox tests.
---
 tox.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index 2d445251b9..2e44f359cc 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,6 +1,6 @@
 [tox]
 minversion=2.3.1
-envlist=py27,py35,py36,pylint2,pylint3,pypi
+envlist=py27,py36,pylint2,pylint3,pypi
 skip_missing_interpreters=true
 skipsdist=true
 


[Freeipa-devel] [freeipa PR#1717][closed] Dogtag configs: rename deprecated options

2018-03-22 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1717
Author: stlaz
 Title: #1717: Dogtag configs: rename deprecated options
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1717/head:pr1717
git checkout pr1717


[Freeipa-devel] [freeipa PR#1717][opened] Dogtag configs: rename deprecated options

2018-03-21 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1717
Author: stlaz
 Title: #1717: Dogtag configs: rename deprecated options
Action: opened

PR body:
"""
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1717/head:pr1717
git checkout pr1717
From e55f7e6f0bf2640ed08b379635fcbcd16b9c3e51 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 21 Mar 2018 10:09:32 +0100
Subject: [PATCH] Dogtag configs: rename deprecated options

ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.
---
 ipaserver/install/cainstance.py  | 4 ++--
 ipaserver/install/krainstance.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8a11b5deca..75a37afca5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -540,7 +540,7 @@ def __spawn_instance(self):
 str(DN(('cn', 'CA Subsystem'), self.subject_base)))
 config.set("CA", "pki_ocsp_signing_subject_dn",
 str(DN(('cn', 'OCSP Subsystem'), self.subject_base)))
-config.set("CA", "pki_ssl_server_subject_dn",
+config.set("CA", "pki_sslserver_subject_dn",
 str(DN(('cn', self.fqdn), self.subject_base)))
 config.set("CA", "pki_audit_signing_subject_dn",
 str(DN(('cn', 'CA Audit'), self.subject_base)))
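Review bot: `pki_ssl_server_subject_dn` and `pki_ssl_server_nickname` are renamed to the `pki_sslserver_*` forms here and in `krainstance.py`, but the diffstat shows no change to the package's version requirements. State in the commit message which Dogtag version introduced the new names and confirm that the minimum required pki-core already understands them, since an older pkispawn could ignore the renamed keys rather than warn about them.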
@@ -551,7 +551,7 @@ def __spawn_instance(self):
 # Certificate nicknames
 config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
 config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
-config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
+config.set("CA", "pki_sslserver_nickname", "Server-Cert cert-pki-ca")
 config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
 config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
 
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 9fd78ed941..8878abbfc1 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -208,7 +208,7 @@ def __spawn_instance(self):
 # Certificate subject DNs
 config.set("KRA", "pki_subsystem_subject_dn",
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
-config.set("KRA", "pki_ssl_server_subject_dn",
+config.set("KRA", "pki_sslserver_subject_dn",
str(DN(('cn', self.fqdn), self.subject_base)))
 config.set("KRA", "pki_audit_signing_subject_dn",
str(DN(('cn', 'KRA Audit'), self.subject_base)))
@@ -224,7 +224,7 @@ def __spawn_instance(self):
 # the ca certs.
 config.set("KRA", "pki_subsystem_nickname",
"subsystemCert cert-pki-ca")
-config.set("KRA", "pki_ssl_server_nickname",
+config.set("KRA", "pki_sslserver_nickname",
"Server-Cert cert-pki-ca")
 config.set("KRA", "pki_audit_signing_nickname",
"auditSigningCert cert-pki-kra")


[Freeipa-devel] [freeipa PR#1715][closed] Fix some typos in man page

2018-03-21 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1715
Author: miz-take
 Title: #1715: Fix some typos in man page
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1715/head:pr1715
git checkout pr1715


[Freeipa-devel] [freeipa PR#1677][opened] [Backport][ipa-4-6] ipa_tests: test signing request with subca on replica

2018-03-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1677
Author: stlaz
 Title: #1677: [Backport][ipa-4-6] ipa_tests: test signing request with subca on replica
Action: opened

PR body:
"""
This PR was opened automatically because PR #1645 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1677/head:pr1677
git checkout pr1677
From 92a98c277b9904292c128ddf73b6727db1d181cf Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Mon, 26 Feb 2018 15:58:17 +0100
Subject: [PATCH] ipa_tests: test signing request with subca on replica

test to verify that replica is able to sign a certificate with
new sub CA.

https://pagure.io/freeipa/issue/7387
---
 .../test_integration/test_replica_promotion.py | 23 ++
 1 file changed, 23 insertions(+)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index c093369464..4a31828183 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -613,3 +613,26 @@ def test_sub_ca_key_replication(self):
   encoding='utf-8')
 # check for cert/key import error message
 assert self.ERR_MESS not in pki_debug_log
+
+def test_sign_with_subca_on_replica(self):
+master = self.master
+replica = self.replicas[0]
+
+TEST_KEY_FILE = '/etc/pki/tls/private/test_subca.key'
+TEST_CRT_FILE = '/etc/pki/tls/private/test_subca.crt'
+
+caacl_cmd = ['ipa', 'caacl-add-ca', 'hosts_services_caIPAserviceCert',
+ '--cas', self.SUBCA]
+master.run_command(caacl_cmd)
+
+request_cmd = [paths.IPA_GETCERT, 'request', '-w', '-k',
+   TEST_KEY_FILE, '-f', TEST_CRT_FILE, '-X', self.SUBCA]
+replica.run_command(request_cmd)
+
+status_cmd = [paths.IPA_GETCERT, 'status', '-v', '-f', TEST_CRT_FILE]
+status = replica.run_command(status_cmd)
+assert 'State MONITORING, stuck: no' in status.stdout_text
+
+ssl_cmd = ['openssl', 'x509', '-text', '-in', TEST_CRT_FILE]
+ssl = replica.run_command(ssl_cmd)
+assert 'Issuer: CN = {}'.format(self.SUBCA) in ssl.stdout_text
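Review bot: `test_sign_with_subca_on_replica` leaves state behind: the `caacl-add-ca` change on the master, the certmonger tracking request, and the key and certificate written under `/etc/pki/tls/private/` are never removed, so later tests in the class run against a modified deployment. Add cleanup (stop tracking, delete the files, remove the CA from the ACL) in a `finally` block or a fixture. The final assertion also matches openssl's human-readable text (`'Issuer: CN = {}'`), whose spacing is a formatting detail of the installed openssl; comparing the parsed issuer would be sturdier.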


[Freeipa-devel] [freeipa PR#1645][closed] ipa_tests: test signing request with subca on replica

2018-03-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1645
Author: Rezney
 Title: #1645: ipa_tests: test signing request with subca on replica
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1645/head:pr1645
git checkout pr1645


[Freeipa-devel] [freeipa PR#1668][opened] Backup HTTPD's mod_ssl config and cert-key pair

2018-03-12 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1668
Author: stlaz
 Title: #1668: Backup HTTPD's mod_ssl config and cert-key pair
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/3757
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1668/head:pr1668
git checkout pr1668
From df41810d8ce38a40a7ad4642c24ee1d9fad89879 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Mar 2018 12:30:01 +0100
Subject: [PATCH] Backup HTTPD's mod_ssl config and cert-key pair

https://pagure.io/freeipa/issue/3757
---
 ipaserver/install/ipa_backup.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 9193eb02cb..f8fc2fdccf 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -113,7 +113,6 @@ class Backup(admintool.AdminTool):
 paths.ROOT_PKI,
 paths.PKI_TOMCAT,
 paths.SYSCONFIG_PKI,
-paths.HTTPD_ALIAS_DIR,
 paths.VAR_LIB_PKI_DIR,
 paths.SYSRESTORE,
 paths.IPA_CLIENT_SYSRESTORE,
@@ -152,7 +151,9 @@ class Backup(admintool.AdminTool):
 paths.HTTPD_IPA_KDCPROXY_CONF,
 paths.HTTPD_IPA_PKI_PROXY_CONF,
 paths.HTTPD_IPA_REWRITE_CONF,
-paths.HTTPD_NSS_CONF,
+paths.HTTPD_SSL_CONF,
+paths.HTTPD_CERT_FILE,
+paths.HTTPD_KEY_FILE,
 paths.HTTPD_IPA_CONF,
 paths.SSHD_CONFIG,
 paths.SSH_CONFIG,
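Review bot: the file list in the second hunk now archives `paths.HTTPD_KEY_FILE`, so every backup carries the web server's private key as a regular file, and the commit message is only an issue link. It should say how the archive is expected to be protected and why `paths.HTTPD_ALIAS_DIR` in the first hunk can be dropped outright rather than kept for servers that have not been migrated yet.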


[Freeipa-devel] [freeipa PR#1635][opened] Encrypt httpd key stored on disk

2018-02-26 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1635
Author: stlaz
 Title: #1635: Encrypt httpd key stored on disk
Action: opened

PR body:
"""
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1635/head:pr1635
git checkout pr1635
From ff1e674278b55034801c6b41f84b7388d06258f4 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 26 Feb 2018 10:15:05 +0100
Subject: [PATCH] Encrypt httpd key stored on disk

This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decryption will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421
---
 freeipa.spec.in |  2 ++
 install/tools/Makefile.am   |  2 ++
 install/tools/ipa-httppswd.sh   |  1 +
 install/tools/ipa-pwdreader.sh  |  7 +++
 ipalib/x509.py  | 10 --
 ipaplatform/base/paths.py   |  2 ++
 ipaserver/install/httpinstance.py   | 16 ++--
 ipaserver/install/ipa_server_certinstall.py | 17 ++---
 8 files changed, 50 insertions(+), 7 deletions(-)
 create mode 12 install/tools/ipa-httppswd.sh
 create mode 100644 install/tools/ipa-pwdreader.sh

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cf35e67c81..a913c39954 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1305,6 +1305,8 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-pwdreader.sh
+%{_libexecdir}/ipa/ipa-httppswd.sh
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
 %{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 6b9a64a3d2..1e11a144de 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -37,4 +37,6 @@ dist_app_SCRIPTS =		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
+	ipa-httppswd.sh		\
+	ipa-pwdreader.sh	\
 	$(NULL)
diff --git a/install/tools/ipa-httppswd.sh b/install/tools/ipa-httppswd.sh
new file mode 12
index 00..297e031c1e
--- /dev/null
+++ b/install/tools/ipa-httppswd.sh
@@ -0,0 +1 @@
+ipa-pwdreader.sh
\ No newline at end of file
diff --git a/install/tools/ipa-pwdreader.sh b/install/tools/ipa-pwdreader.sh
new file mode 100644
index 00..e5ec8ec04d
--- /dev/null
+++ b/install/tools/ipa-pwdreader.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+HTTP_PASSWD_LOC="/var/lib/ipa/certs/httpd_passwd.txt"
+
+if [ "$(basename $0)" == "ipa-httppswd.sh" ] && \
+[ -f "$HTTP_PASSWD_LOC" ]; then
+cat "$HTTP_PASSWD_LOC"
+fi
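Review bot: The script exits 0 and prints nothing when the `basename` test fails or `$HTTP_PASSWD_LOC` is missing, so mod_ssl cannot tell an empty passphrase from a failure; add an `else` branch that writes an error to stderr and exits non-zero. `$0` inside `$(basename $0)` is unquoted and will word-split on a path containing spaces; use `"$(basename "$0")"`. The hard-coded `HTTP_PASSWD_LOC` duplicates `HTTPD_PASSWD_FILE` added to `ipaplatform/base/paths.py` in this same patch, so the two can drift apart. Since the passphrase sits in the same `/var/lib/ipa/certs/` directory as `httpd.key`, the patch should also state the ownership and mode the password file is created with.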
diff --git a/ipalib/x509.py b/ipalib/x509.py
index b49bc96622..7986ddbf5f 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -569,20 +569,26 @@ def write_certificate_list(certs, filename):
 raise errors.FileError(reason=str(e))
 
 
-def write_pem_private_key(priv_key, filename):
+def write_pem_private_key(priv_key, filename, passwd=None):
 """
 Write a private key to a file in PEM format. Will force 0x600 permissions
 on file.
 
 :param priv_key: cryptography ``PrivateKey`` object
+:param passwd: ``bytes`` representing the password to store the
+private key with
 """
+if passwd is not None:
+enc_alg = serialization.BestAvailableEncryption(passwd)
+else:
+enc_alg = serialization.NoEncryption()
 try:
 with open(filename, 'wb') as fp:
 os.fchmod(fp.fileno(), 0o600)
 fp.write(priv_key.private_bytes(
 Encoding.PEM,
 PrivateFormat.TraditionalOpenSSL,
-serialization.NoEncryption()))
+encryption_algorithm=enc_alg))
 except (IOError, OSError) as e:
 raise errors.FileError(reason=str(e))
 
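Review bot: `passwd is not None` lets an empty `bytes` value through to `serialization.BestAvailableEncryption(passwd)`, which rejects a zero-length password with `ValueError`, and that call sits above the `try`, so it will not be turned into `errors.FileError`. Validate `passwd` up front and raise a clear error for the empty case. The docstring should also say that `passwd=None` writes the key unencrypted, and its existing "0x600 permissions" wording should read `0o600` to match `os.fchmod(fp.fileno(), 0o600)`.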
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 69bf9a2f31..9d25739411 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -53,6 +53,7 @@ class BasePathNamespace(object):
 HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
 HTTPD_CERT_FILE = "/var/lib/ipa/certs/httpd.crt"
 HTTPD_KEY_FILE = "/var/lib/ipa/certs/httpd.key"
+HTTPD_PASSWD_FILE = "/var/lib/ipa/certs/httpd_passwd.txt"
 # only used on Fedora
 HTTPD_IPA_WSGI_MODULES_CONF = None
 OLD_IPA_KEYTAB = 

[Freeipa-devel] [freeipa PR#1449][closed] Switch from mod_nss to mod_ssl

2018-02-20 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1449
Author: rcritten
 Title: #1449: Switch from mod_nss to mod_ssl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1449/head:pr1449
git checkout pr1449


[Freeipa-devel] [freeipa PR#1599][closed] Fix FileStore.backup_file() not to backup same file

2018-02-19 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1599
Author: stlaz
 Title: #1599: Fix FileStore.backup_file() not to backup same file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1599/head:pr1599
git checkout pr1599


[Freeipa-devel] [freeipa PR#1599][opened] Fix FileStore.backup_file() not to backup same file

2018-02-19 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1599
Author: stlaz
 Title: #1599: Fix FileStore.backup_file() not to backup same file
Action: opened

PR body:
"""
FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.

This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1599/head:pr1599
git checkout pr1599
From 7913f7596c41800bbe1413af53853359fdab47bb Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 19 Feb 2018 09:50:41 +0100
Subject: [PATCH] Fix FileStore.backup_file() not to backup same file

FileStore.backup_file() docstring claimed not to store a
copy of the same file but the behavior of the method did not
match this description.

This commit makes the backed-up file filename derivation
deterministic by hashing its content by SHA-256, thus it
should not back up two files with the same filename and content.
---
 ipalib/install/sysrestore.py | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/ipalib/install/sysrestore.py b/ipalib/install/sysrestore.py
index b2e1a00482..446f539174 100644
--- a/ipalib/install/sysrestore.py
+++ b/ipalib/install/sysrestore.py
@@ -40,6 +40,7 @@
 
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
+from hashlib import sha256
 
 if six.PY3:
 unicode = str
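Review bot: `from hashlib import sha256` is added after the `ipaplatform` imports; it is a standard-library import and belongs in the standard-library import group at the top of the module, not after the project imports.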
@@ -111,7 +112,7 @@ def save(self):
 p.write(f)
 
 def backup_file(self, path):
-"""Create a copy of the file at @path - so long as a copy
+"""Create a copy of the file at @path - as long as an exact copy
 does not already exist - which will be restored to its
 original location by restore_files().
 """
@@ -126,11 +127,11 @@ def backup_file(self, path):
 
 _reldir, backupfile = os.path.split(path)
 
-filename = ""
-for _i in range(8):
-h = "%02x" % self.random.randint(0,255)
-filename += h
-filename += "-"+backupfile
+with open(path, 'rb') as f:
+cont_hash = sha256(f.read()).hexdigest()
+
+filename = "{hexhash}-{bcppath}".format(
+hexhash=cont_hash, bcppath=backupfile)
 
 backup_path = os.path.join(self._path, filename)
 if os.path.exists(backup_path):
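Review bot: The new name is built from the content hash and `backupfile`, which is only the basename returned by `os.path.split(path)`, so two files in different directories with the same basename and identical content now map to the same `backup_path`. The commit message covers "same filename and content" but not this case; include the directory in the derivation (for example hash the full `path` together with the content) or document what the `os.path.exists(backup_path)` branch does for it. Two smaller points: `f.read()` loads the whole file into memory, and putting an unsalted SHA-256 of the content into the file name exposes a digest of every backed-up file to anyone who can list the backup directory, which matters for short secrets such as password files.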


[Freeipa-devel] [freeipa PR#1568][closed] [Backport][ipa-4-5] - ipatest: replica install with existing entry on master

2018-02-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1568
Author: Rezney
 Title: #1568: [Backport][ipa-4-5] - ipatest: replica install with existing 
entry on master
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1568/head:pr1568
git checkout pr1568


[Freeipa-devel] [freeipa PR#1563][opened] Support the 1.4.x python installer tools in 389-ds

2018-02-12 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1563
Author: stlaz
 Title: #1563: Support the 1.4.x python installer tools in 389-ds
Action: opened

PR body:
"""
Opened on behalf of https://github.com/Firstyear
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1563/head:pr1563
git checkout pr1563
From 06c24ae5112000874cf81ca27ebbc65855377230 Mon Sep 17 00:00:00 2001
From: William Brown 
Date: Fri, 1 Dec 2017 16:33:45 +0100
Subject: [PATCH] Support the 1.4.x python installer tools in 389-ds

---
 install/share/ldapi.ldif|   4 ++
 ipaplatform/base/paths.py   |  48 +---
 ipaserver/install/dsinstance.py | 119 ++--
 3 files changed, 145 insertions(+), 26 deletions(-)

diff --git a/install/share/ldapi.ldif b/install/share/ldapi.ldif
index 607506fd16..47f3f2caa8 100644
--- a/install/share/ldapi.ldif
+++ b/install/share/ldapi.ldif
@@ -3,4 +3,8 @@ dn: cn=config
 changetype: modify
 replace: nsslapd-ldapilisten
 nsslapd-ldapilisten: on
+-
+replace: nsslapd-ldapifilepath
+nsslapd-ldapifilepath: /var/run/slapd-$SERVERID.socket
+-
 
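Review bot: The socket path `/var/run/slapd-$SERVERID.socket` added here repeats `SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"` from `ipaplatform/base/paths.py`, so a platform that overrides the constant would get an LDIF that disagrees with it. Pass the path into the template as a substitution variable derived from the constant instead of spelling it out, and say in the commit message, which currently has no body, why `nsslapd-ldapifilepath` has to be set explicitly with the 1.4.x installer.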
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 189506d897..98592fbf79 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -32,9 +32,6 @@ class BasePathNamespace(object):
 SYSTEMCTL = "/bin/systemctl"
 TAR = "/bin/tar"
 AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
-ETC_DIRSRV = "/etc/dirsrv"
-DS_KEYTAB = "/etc/dirsrv/ds.keytab"
-ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE = "/etc/dirsrv/slapd-%s"
 ETC_FEDORA_RELEASE = "/etc/fedora-release"
 GROUP = "/etc/group"
 ETC_HOSTNAME = "/etc/hostname"
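Review bot: `ETC_DIRSRV`, `DS_KEYTAB` and `ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE` are deleted from `BasePathNamespace` here, and the following hunks delete more `dirsrv` constants, with no commit message body explaining where these paths now come from. List the replacements in the commit message and check that nothing outside `ipaserver/install/dsinstance.py`, the only other Python file in the diffstat, still references the removed names, `DS_KEYTAB` in particular.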
@@ -189,13 +186,11 @@ class BasePathNamespace(object):
 BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
 BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
 BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
-USR_LIB_DIRSRV = "/usr/lib/dirsrv"
 LIB_FIREFOX = "/usr/lib/firefox"
 LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
 PAM_KRB5_SO = "/usr/lib/security/pam_krb5.so"
 LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
 BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
-USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
 LIB64_FIREFOX = "/usr/lib64/firefox"
 LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
 PAM_KRB5_SO_64 = "/usr/lib64/security/pam_krb5.so"
@@ -226,11 +221,9 @@ class BasePathNamespace(object):
 PKIDESTROY = "/usr/sbin/pkidestroy"
 PKISPAWN = "/usr/sbin/pkispawn"
 PKI = "/usr/bin/pki"
-REMOVE_DS_PL = "/usr/sbin/remove-ds.pl"
 RESTORECON = "/usr/sbin/restorecon"
 SELINUXENABLED = "/usr/sbin/selinuxenabled"
 SETSEBOOL = "/usr/sbin/setsebool"
-SETUP_DS_PL = "/usr/sbin/setup-ds.pl"
 SMBD = "/usr/sbin/smbd"
 USERADD = "/usr/sbin/useradd"
 FONTS_DIR = "/usr/share/fonts"
@@ -265,11 +258,6 @@ class BasePathNamespace(object):
 CERTMONGER_REQUESTS_DIR = "/var/lib/certmonger/requests/"
 VAR_LIB_DIRSRV = "/var/lib/dirsrv"
 DIRSRV_BOOT_LDIF = "/var/lib/dirsrv/boot.ldif"
-VAR_LIB_DIRSRV_INSTANCE_SCRIPTS_TEMPLATE = "/var/lib/dirsrv/scripts-%s"
-VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s"
-SLAPD_INSTANCE_BACKUP_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/bak/%s"
-SLAPD_INSTANCE_DB_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/db/%s"
-SLAPD_INSTANCE_LDIF_DIR_TEMPLATE = "/var/lib/dirsrv/slapd-%s/ldif"
 VAR_LIB_IPA = "/var/lib/ipa"
 IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
 SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
@@ -304,10 +292,6 @@ class BasePathNamespace(object):
 SSSD_PUBCONF_KNOWN_HOSTS = "/var/lib/sss/pubconf/known_hosts"
 SSSD_PUBCONF_KRB5_INCLUDE_D_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
 VAR_LOG_AUDIT = "/var/log/audit/audit.log"
-DIRSRV_LOCK_DIR = "/var/lock/dirsrv"
-VAR_LOG_DIRSRV_INSTANCE_TEMPLATE = "/var/log/dirsrv/slapd-%s"
-SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
-SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
 VAR_LOG_HTTPD_DIR = "/var/log/httpd"
 VAR_LOG_HTTPD_ERROR = "/var/log/httpd/error_log"
 IPABACKUP_LOG = "/var/log/ipabackup.log"
@@ -347,13 +331,8 @@ class BasePathNamespace(object):
 SVC_LIST_FILE = "/var/run/ipa/services.list"
 KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
 SLAPD_INSTANCE_SOCKET_TEMPLATE = "/var/run/slapd-%s.socket"
-ALL_SLAPD_INSTANCE_SOCKETS = "/var/run/slapd-*.socket"
 ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
 ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
-LDIF2DB = '/usr/sbin/ldif2db'
-DB2LDIF = '/usr/sbin/db2ldif'
-BAK2DB = '/usr/sbin/bak2db'
-DB2BAK = '/usr/sbin/db2bak'
 KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'
 CERTMONGER = 

[Freeipa-devel] [freeipa PR#1552][closed] Bump 389-ds-base to 1.3.7.9-1

2018-02-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1552
Author: stlaz
 Title: #1552: Bump 389-ds-base to 1.3.7.9-1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1552/head:pr1552
git checkout pr1552


[Freeipa-devel] [freeipa PR#1552][opened] Bump 389-ds-base to 1.3.7.8-1

2018-02-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1552
Author: stlaz
 Title: #1552: Bump 389-ds-base to 1.3.7.8-1
Action: opened

PR body:
"""
Bump 389-ds-version due to problems with replication and connections
not being closed.

https://pagure.io/freeipa/issue/7165
https://pagure.io/freeipa/issue/7228

Reopening, the original PR should not have been closed.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1552/head:pr1552
git checkout pr1552
From 1501ad3d984a9dce90c836234d559a501244435a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 28 Nov 2017 12:51:46 +0100
Subject: [PATCH] Bump 389-ds-base to 1.3.7.8-1

Bump 389-ds-version due to problems with replication and connections
not being closed.

https://pagure.io/freeipa/issue/7165
https://pagure.io/freeipa/issue/7228
---
 freeipa.spec.in | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7e9ad5f321..517fce7584 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -289,8 +289,9 @@ Requires: python3-pyldap >= 2.4.15
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: python-ldap >= 2.4.15
 %endif
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires: 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://pagure.io/freeipa/issue/7228
+#https://pagure.io/freeipa/issue/7165
+Requires: 389-ds-base >= 1.3.7.9-1
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
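Review bot: The new requirement is `389-ds-base >= 1.3.7.9-1`, but the patch Subject still reads "Bump 389-ds-base to 1.3.7.8-1"; update the commit subject so the log matches the spec. The replaced comment also drops the bugzilla 1488295 reference that justified the earlier minimum; keep it if that fix is still one of the reasons for the version floor.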
@@ -337,8 +338,9 @@ Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.79.5-1
-# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
-Requires(pre): 389-ds-base >= 1.3.7.6-1
+# 1.3.7.9-1: https://pagure.io/freeipa/issue/7228
+#https://pagure.io/freeipa/issue/7165
+Requires(pre): 389-ds-base >= 1.3.7.9-1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl


[Freeipa-devel] [freeipa PR#980][closed] [tests] Replica Promotion improvements

2018-02-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/980
Author: Akasurde
 Title: #980: [tests] Replica Promotion improvements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/980/head:pr980
git checkout pr980


[Freeipa-devel] [freeipa PR#1475][opened] [Backport][ipa-4-6] replica_prepare: Remove the correct NSS DB files

2018-01-16 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1475
Author: stlaz
 Title: #1475: [Backport][ipa-4-6] replica_prepare: Remove the correct NSS DB 
files
Action: opened

PR body:
"""
This PR was opened automatically because PR #1473 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1475/head:pr1475
git checkout pr1475
From 684db248e805fcd3e0919a3e0f1bf9d4a41648ee Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 16 Jan 2018 13:09:33 +0100
Subject: [PATCH] replica_prepare: Remove the correct NSS DB files

Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.

https://pagure.io/freeipa/issue/7049
---
 ipaserver/install/ipa_replica_prepare.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 6872cefec1..80578c3903 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -569,7 +569,7 @@ def export_certdb(self, fname, passwd_fname):
 installutils.remove_file(pkcs12_fname)
 installutils.remove_file(passwd_fname)
 
-for fname in (certdb.NSS_SQL_FILES + certdb.NSS_SQL_FILES):
+for fname in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES):
 self.remove_info_file(fname)
 self.remove_info_file("noise.txt")
 
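Review bot: The loop variable `fname` in `for fname in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES):` reuses the name of the `fname` parameter of `export_certdb(self, fname, passwd_fname)`, so the argument is overwritten for the rest of the method. Rename the loop variable, for example to `db_fname`, while touching this line.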


[Freeipa-devel] [freeipa PR#1471][closed] Add a helpful comment to ca.py:install_check()

2018-01-16 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1471
Author: stlaz
 Title: #1471: Add a helpful comment to ca.py:install_check()
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1471/head:pr1471
git checkout pr1471


[Freeipa-devel] [freeipa PR#1473][opened] replica_prepare: Remove the correct NSS DB files

2018-01-16 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1473
Author: stlaz
 Title: #1473: replica_prepare: Remove the correct NSS DB files
Action: opened

PR body:
"""
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1473/head:pr1473
git checkout pr1473
From ad04c321ea19b5aedd6018d54b941109ca0ecbf8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 16 Jan 2018 13:09:33 +0100
Subject: [PATCH] replica_prepare: Remove the correct NSS DB files

Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
---
 ipaserver/install/ipa_replica_prepare.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 6872cefec1..80578c3903 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -569,7 +569,7 @@ def export_certdb(self, fname, passwd_fname):
 installutils.remove_file(pkcs12_fname)
 installutils.remove_file(passwd_fname)
 
-for fname in (certdb.NSS_SQL_FILES + certdb.NSS_SQL_FILES):
+for fname in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES):
 self.remove_info_file(fname)
 self.remove_info_file("noise.txt")
 
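Review bot: The one-line fix to the `for fname in (...)` loop comes without a test, and the old line concatenated `certdb.NSS_SQL_FILES` with itself without anything noticing. Add a test asserting that none of the names in `certdb.NSS_DBM_FILES` or `certdb.NSS_SQL_FILES` remain in the info file after `export_certdb()`. This commit message also lacks the `https://pagure.io/freeipa/issue/7049` link that the ipa-4-6 backport of the same change carries.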


[Freeipa-devel] [freeipa PR#1471][opened] Add a helpful comment to ca.py:install_check()

2018-01-16 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1471
Author: stlaz
 Title: #1471: Add a helpful comment to ca.py:install_check()
Action: opened

PR body:
"""
Such a comment could have saved me ~30 seconds. Hopefully you'll find it 
useful, too.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1471/head:pr1471
git checkout pr1471
From 2f803da2687b44896f49b0588e2d6f360a143f75 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 16 Jan 2018 09:40:33 +0100
Subject: [PATCH] Add a helpful comment to ca.py:install_check()

---
 ipaserver/install/ca.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8490175adb..bef0af8972 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -217,6 +217,7 @@ def install_check(standalone, replica_config, options):
 dsdb = certs.CertDB(
 realm_name, nssdir=dirname, subject_base=options._subject_base)
 
+# Check that we can add our CA cert to DS and PKI NSS databases
 for db in (cadb, dsdb):
 if not db.exists():
 continue


[Freeipa-devel] [freeipa PR#1432][closed] test for nsslapd-ignore-time-skew param of dirsrv in replica installation

2018-01-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1432
Author: mrizwan93
 Title: #1432: test for nsslapd-ignore-time-skew param of dirsrv in replica 
installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1432/head:pr1432
git checkout pr1432


[Freeipa-devel] [freeipa PR#1424][closed] Fixing how to parse the backup dir in test_backup_and_restore

2018-01-02 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1424
Author: felipevolpone
 Title: #1424: Fixing how to parse the backup dir in test_backup_and_restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1424/head:pr1424
git checkout pr1424


[Freeipa-devel] [freeipa PR#1135][closed] [Backport][ipa-4-6] tests_py3: decode get_file_contents() result

2017-12-24 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1135
Author: stlaz
 Title: #1135: [Backport][ipa-4-6] tests_py3: decode get_file_contents() result
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1135/head:pr1135
git checkout pr1135


[Freeipa-devel] [freeipa PR#1275][closed] [Backport][ipa-4-5] manpage: ipa-replica-conncheck - fix minor typo

2017-11-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1275
Author: stlaz
 Title: #1275: [Backport][ipa-4-5] manpage: ipa-replica-conncheck - fix minor 
typo
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1275/head:pr1275
git checkout pr1275


[Freeipa-devel] [freeipa PR#1274][opened] [Backport][ipa-4-6] manpage: ipa-replica-conncheck - fix minor typo

2017-11-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1274
Author: stlaz
 Title: #1274: [Backport][ipa-4-6] manpage: ipa-replica-conncheck - fix minor 
typo
Action: opened

PR body:
"""
This PR was opened automatically because PR #1270 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1274/head:pr1274
git checkout pr1274
From e046d356c28f1d5f52e7aceea9508020e73f5d38 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 10 Nov 2017 10:24:57 +0100
Subject: [PATCH] manpage: ipa-replica-conncheck - fix minor typo

Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250
---
 install/tools/man/ipa-replica-conncheck.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
index 4fc55e8bf5..6451f3545e 100644
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -40,7 +40,7 @@ Automatically log in to master machine and execute the master machine part of th
 The Kerberos realm name for the IPA server
 .TP
 \fB\-k\fR \fIKDC\fR, \fB\-\-kdc\fR=\fIKDC\fR
-KDC server address. Defaults t \fIMASTER\fR
+KDC server address. Defaults to \fIMASTER\fR
 .TP
 \fB\-p\fR \fIPRINCIPAL\fR, \fB\-\-principal\fR=\fIPRINCIPAL\fR
 Authorized Kerberos principal to use to log in to master machine. Defaults to \fIadmin\fR


[Freeipa-devel] [freeipa PR#1275][opened] [Backport][ipa-4-5] manpage: ipa-replica-conncheck - fix minor typo

2017-11-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1275
Author: stlaz
 Title: #1275: [Backport][ipa-4-5] manpage: ipa-replica-conncheck - fix minor 
typo
Action: opened

PR body:
"""
This PR was opened automatically because PR #1270 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1275/head:pr1275
git checkout pr1275
From ec72346beffb986c1e576bde60c8d2195df4b81a Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 10 Nov 2017 10:24:57 +0100
Subject: [PATCH] manpage: ipa-replica-conncheck - fix minor typo

Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250
---
 install/tools/man/ipa-replica-conncheck.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
index 4fc55e8bf5..6451f3545e 100644
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -40,7 +40,7 @@ Automatically log in to master machine and execute the master machine part of th
 The Kerberos realm name for the IPA server
 .TP
 \fB\-k\fR \fIKDC\fR, \fB\-\-kdc\fR=\fIKDC\fR
-KDC server address. Defaults t \fIMASTER\fR
+KDC server address. Defaults to \fIMASTER\fR
 .TP
 \fB\-p\fR \fIPRINCIPAL\fR, \fB\-\-principal\fR=\fIPRINCIPAL\fR
 Authorized Kerberos principal to use to log in to master machine. Defaults to \fIadmin\fR


[Freeipa-devel] [freeipa PR#1270][closed] manpage: ipa-replica-conncheck - fix minor typo

2017-11-13 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1270
Author: Rezney
 Title: #1270: manpage: ipa-replica-conncheck - fix minor typo
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1270/head:pr1270
git checkout pr1270


[Freeipa-devel] [freeipa PR#1271][opened] [Backport][ipa-4-6] Py3: fix fetching of tar files

2017-11-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1271
Author: stlaz
 Title: #1271: [Backport][ipa-4-6] Py3: fix fetching of tar files
Action: opened

PR body:
"""
This PR was opened automatically because PR #1256 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1271/head:pr1271
git checkout pr1271
From 0eb7aa5ee4c22522a9cd7d7c83996d7240f6ece5 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 8 Nov 2017 13:43:43 +0100
Subject: [PATCH] Py3: fix fetching of tar files

pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.

https://pagure.io/freeipa/issue/7131

Signed-off-by: Christian Heimes 
---
 ipatests/pytest_plugins/integration/__init__.py | 24 +---
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/ipatests/pytest_plugins/integration/__init__.py b/ipatests/pytest_plugins/integration/__init__.py
index 62b8e71ecf..bee669b0dd 100644
--- a/ipatests/pytest_plugins/integration/__init__.py
+++ b/ipatests/pytest_plugins/integration/__init__.py
@@ -131,23 +131,25 @@ def collect_logs(name, logs_dict, logfile_dir=None, beakerlib_plugin=None):
 
 for host, logs in logs_dict.items():
 logger.info('Collecting logs from: %s', host.hostname)
-
+dirname = os.path.join(topdirname, host.hostname)
+if not os.path.isdir(dirname):
+os.makedirs(dirname)
+tarname = os.path.join(dirname, 'logs.tar.xz')
+# get temporary file name
+cmd = host.run_command(['mktemp'])
+tmpname = cmd.stdout_text.strip()
 # Tar up the logs on the remote server
 cmd = host.run_command(
-['tar', '-c',  '--ignore-failed-read', '-J', '-v'] + logs,
+['tar', 'cJvf', tmpname, '--ignore-failed-read'] + logs,
 log_stdout=False, raiseonerr=False)
 if cmd.returncode:
 logger.warning('Could not collect all requested logs')
-
+# fetch tar file
+with open(tarname, 'wb') as f:
+f.write(host.get_file_contents(tmpname))
+# delete from remote
+host.run_command(['rm', '-f', tmpname])
 # Unpack on the local side
-dirname = os.path.join(topdirname, host.hostname)
-try:
-os.makedirs(dirname)
-except OSError:
-pass
-tarname = os.path.join(dirname, 'logs.tar.xz')
-with open(tarname, 'w') as f:
-f.write(cmd.stdout_text)
 ipautil.run(['tar', 'xJvf', 'logs.tar.xz'], cwd=dirname,
 raiseonerr=False)
 os.unlink(tarname)
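Review bot: The remote temporary file from `mktemp` is only removed by `host.run_command(['rm', '-f', tmpname])` on the success path; if `host.get_file_contents(tmpname)` or the local `open(tarname, 'wb')` raises, the archive of collected logs stays on the remote host. Wrap the fetch in `try`/`finally` so the `rm` always runs. The `mktemp` call is made without `raiseonerr=False`, unlike the `tar` call below it, so decide whether a failure there should abort collection for the remaining hosts or only skip this one. The archive is also still fetched and unpacked when `cmd.returncode` is non-zero, which deserves a comment saying that a partial archive is intended.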


[Freeipa-devel] [freeipa PR#1269][closed] [Backport][ipa-4-6] Don't fail on cert_find in the UI on a CA-less installation

2017-11-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1269
Author: stlaz
 Title: #1269: [Backport][ipa-4-6] Don't fail on cert_find in the UI on a 
CA-less installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1269/head:pr1269
git checkout pr1269


[Freeipa-devel] [freeipa PR#1196][closed] Don't fail on cert_find in the UI on a CA-less installation

2017-11-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1196
Author: rcritten
 Title: #1196: Don't fail on cert_find in the UI on a CA-less installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1196/head:pr1196
git checkout pr1196


[Freeipa-devel] [freeipa PR#1269][opened] [Backport][ipa-4-6] Don't fail on cert_find in the UI on a CA-less installation

2017-11-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1269
Author: stlaz
 Title: #1269: [Backport][ipa-4-6] Don't fail on cert_find in the UI on a 
CA-less installation
Action: opened

PR body:
"""
This PR was opened automatically because PR #1196 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1269/head:pr1269
git checkout pr1269
From b08f3c5373c3f92d4ab88a16d75b4c1004ba8098 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 24 Oct 2017 15:43:08 -0400
Subject: [PATCH] Fix cert-find for CA-less installations

Change eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.

The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.

Fixes https://pagure.io/freeipa/issue/7202

Signed-off-by: Rob Crittenden 
---
 ipaserver/plugins/cert.py | 22 --
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 38314cd0c0..f40d0f9439 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1555,6 +1555,7 @@ def _ldap_search(self, all, pkey_only, no_members, **options):
 
 truncated = bool(truncated)
 
+ca_enabled = getattr(context, 'ca_enabled')
 for entry in entries:
 for attr in ('usercertificate', 'usercertificate;binary'):
 for cert in entry.get(attr, []):
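Review bot: `getattr(context, 'ca_enabled')` has no default, so `_ldap_search()` raises AttributeError whenever it runs without `execute()` having set the attribute on the same request context first. Passing `ca_enabled` in as an argument, or reading it with an explicit default, removes that hidden ordering dependency. With a constant attribute name, plain `context.ca_enabled` is also the more usual spelling.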
@@ -1563,7 +1564,12 @@ def _ldap_search(self, all, pkey_only, no_members, **options):
 obj = result[cert_key]
 except KeyError:
 obj = {'serial_number': cert.serial_number}
-if not pkey_only and all:
+if not pkey_only and (all or not ca_enabled):
+# Retrieving certificate details is now deferred
+# until after all certificates are collected.
+# For the case of CA-less we need to keep
+# the certificate because getting it again later
+# would require unnecessary LDAP searches.
 obj['certificate'] = (
 base64.b64encode(
 cert.public_bytes(x509.Encoding.DER))
@@ -1580,6 +1586,11 @@ def _ldap_search(self, all, pkey_only, no_members, **options):
 
 def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 no_members=True, timelimit=None, sizelimit=None, **options):
+# Store ca_enabled status in the context to save making the API
+# call multiple times.
+ca_enabled = self.api.Command.ca_is_enabled()['result']
+setattr(context, 'ca_enabled', ca_enabled)
+
 if 'cacn' in options:
 ca_obj = api.Command.ca_show(options['cacn'])['result']
 ca_sdn = unicode(ca_obj['ipacasubjectdn'][0])
@@ -1634,7 +1645,8 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 
 if not pkey_only:
 ca_objs = {}
-ra = self.api.Backend.ra
+if ca_enabled:
+ra = self.api.Backend.ra
 
 for key, obj in six.iteritems(result):
 if all and 'cacn' in obj:
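Review bot: In the CA-less case `ra` is now never assigned, so any use of `ra` later in this loop that is not itself guarded by `ca_enabled` fails with UnboundLocalError. Assigning `ra = None` in an else branch, or keeping every `ra` access under the same `if ca_enabled:` check, makes the invariant explicit.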
@@ -1659,6 +1671,12 @@ def execute(self, criteria=None, all=False, raw=False, pkey_only=False,
 
 if not raw:
 self.obj._parse(obj, all)
+if not ca_enabled and not all:
+# For the case of CA-less don't display the full
+# certificate unless requested. It is kept in the
+# entry from _ldap_search() so its attributes can
+# be retrieved.
+obj.pop('certificate', None)
 self.obj._fill_owners(obj)
 
 result = list(six.itervalues(result))


[Freeipa-devel] [freeipa PR#1268][closed] [Backport][ipa-4-6] ipatests: Fix interactive prompt in ca_less tests

2017-11-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1268
Author: stlaz
 Title: #1268: [Backport][ipa-4-6] ipatests: Fix interactive prompt in ca_less 
tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1268/head:pr1268
git checkout pr1268


[Freeipa-devel] [freeipa PR#1268][opened] [Backport][ipa-4-6] ipatests: Fix interactive prompt in ca_less tests

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1268
Author: stlaz
 Title: #1268: [Backport][ipa-4-6] ipatests: Fix interactive prompt in ca_less 
tests
Action: opened

PR body:
"""
This PR was opened automatically because PR #1142 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1268/head:pr1268
git checkout pr1268
From bbd10fb3e3211546fec58b1eed3b6cc728ad0d56 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Wed, 11 Oct 2017 10:41:57 +0530
Subject: [PATCH] ipatests: Fix interactive prompt in ca_less tests

This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.

Fixes: https://pagure.io/freeipa/issue/7182

Signed-off-by: Abhijeet Kasurde 
---
 ipatests/test_integration/test_caless.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index eccc9967db..ae9b193686 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -65,6 +65,9 @@ def get_install_stdin(cert_passwords=()):
 
 def get_replica_prepare_stdin(cert_passwords=()):
 lines = list(cert_passwords)  # Enter foo.p12 unlock password
+lines += [
+'yes',  # Continue [no]?
+]
 return '\n'.join(lines + [''])
 
 


[Freeipa-devel] [freeipa PR#1142][closed] ipatests: Fix interactive prompt in ca_less tests

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1142
Author: Akasurde
 Title: #1142: ipatests: Fix interactive prompt in ca_less tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1142/head:pr1142
git checkout pr1142


[Freeipa-devel] [freeipa PR#1144][closed] Ignore ACI errors when pwpolicy-del fails in group-del

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1144
Author: germanparente
 Title: #1144: Ignore ACI errors when pwpolicy-del fails in group-del
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1144/head:pr1144
git checkout pr1144


[Freeipa-devel] [freeipa PR#1011][reopened] py3: dnssec

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1011
Author: tomaskrizek
 Title: #1011: py3: dnssec
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1011/head:pr1011
git checkout pr1011


[Freeipa-devel] [freeipa PR#1238][closed] [Backport][ipa-4-6] test_forced_client: decode get_file_contents() result

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1238
Author: tomaskrizek
 Title: #1238: [Backport][ipa-4-6] test_forced_client: decode 
get_file_contents() result
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1238/head:pr1238
git checkout pr1238


[Freeipa-devel] [freeipa PR#1242][closed] [Backport][ipa-4-6] test_external_dns: add missing test cases

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1242
Author: tomaskrizek
 Title: #1242: [Backport][ipa-4-6] test_external_dns: add missing test cases
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1242/head:pr1242
git checkout pr1242


[Freeipa-devel] [freeipa PR#1237][closed] [Backport][ipa-4-6] Fix log capture when running pytests_multihosts commands

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1237
Author: tomaskrizek
 Title: #1237: [Backport][ipa-4-6] Fix log capture when running 
pytests_multihosts commands
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1237/head:pr1237
git checkout pr1237


[Freeipa-devel] [freeipa PR#1250][closed] [Backport][ipa-4-6] 389-ds-base crashed as part of ipa-server-intall in ipa-uuid

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1250
Author: stlaz
 Title: #1250: [Backport][ipa-4-6] 389-ds-base crashed as part of 
ipa-server-intall in ipa-uuid
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1250/head:pr1250
git checkout pr1250


[Freeipa-devel] [freeipa PR#1248][closed] [Backport][ipa-4-6] ipa-getkeytab man page: add more details about the -r option

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1248
Author: stlaz
 Title: #1248: [Backport][ipa-4-6] ipa-getkeytab man page: add more details 
about the -r option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1248/head:pr1248
git checkout pr1248


[Freeipa-devel] [freeipa PR#1247][closed] [Backport][ipa-4-6] CA-less integration tests minor log fixes

2017-11-09 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1247
Author: stlaz
 Title: #1247: [Backport][ipa-4-6] CA-less integration tests minor log fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1247/head:pr1247
git checkout pr1247


[Freeipa-devel] [freeipa PR#1261][opened] Bump pki-kra for python3 vaults

2017-11-08 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1261
Author: stlaz
 Title: #1261: Bump pki-kra for python3 vaults
Action: opened

PR body:
"""
Dogtag fixed vaults in the latest version of pki, bump it in our
spec.

https://pagure.io/freeipa/issue/7033
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1261/head:pr1261
git checkout pr1261


[Freeipa-devel] [freeipa PR#1252][opened] [Backport][ipa-4-6] Don't allow OTP or RADIUS in FIPS mode

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1252
Author: stlaz
 Title: #1252: [Backport][ipa-4-6] Don't allow OTP or RADIUS in FIPS mode
Action: opened

PR body:
"""
This PR was opened automatically because PR #1244 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1252/head:pr1252
git checkout pr1252
From 536812bbdb8e2589861a076c4ba9cddd6468a5b1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 7 Nov 2017 14:42:12 +0100
Subject: [PATCH] Don't allow OTP or RADIUS in FIPS mode

RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.

https://pagure.io/freeipa/issue/7168
---
 ipaserver/plugins/baseuser.py |  3 +++
 ipaserver/plugins/config.py   | 16 
 2 files changed, 19 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index ef5585822f..ea4cd90996 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -31,6 +31,7 @@
 LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
 add_missing_object_class)
 from ipaserver.plugins.service import (validate_realm, normalize_principal)
+from ipaserver.plugins.config import check_fips_auth_opts
 from ipalib.request import context
 from ipalib import _
 from ipalib.constants import PATTERN_GROUPUSER_NAME
@@ -480,6 +481,7 @@ def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
 **options):
 assert isinstance(dn, DN)
 set_krbcanonicalname(entry_attrs)
+check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
 self.obj.convert_usercertificate_pre(entry_attrs)
 
 def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -603,6 +605,7 @@ def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
 assert isinstance(dn, DN)
 add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 
+check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
 self.check_namelength(ldap, **options)
 
 self.check_mail(entry_attrs)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index ce15e6096f..c9033fa8e7 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -85,6 +85,20 @@
 
 register = Registry()
 
+
+def check_fips_auth_opts(fips_mode, **options):
+"""
+OTP and RADIUS are not allowed in FIPS mode since they use MD5
+checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+"""
+if 'ipauserauthtype' in options and fips_mode:
+if ('otp' in options['ipauserauthtype'] or
+'radius' in options['ipauserauthtype']):
+raise errors.InvocationError(
+'OTP and RADIUS authentication in FIPS is '
+'not yet supported')
+
+
 @register()
 class config(LDAPObject):
 """
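Review bot: The `in` tests in `check_fips_auth_opts()` assume `options['ipauserauthtype']` is a sequence. If the option is present with the value None (the attribute being cleared), `'otp' in None` raises TypeError in FIPS mode instead of letting the change through. Reading it as `options.get('ipauserauthtype') or ()` avoids that. The check also only sees the named option; the callers have `entry_attrs` at hand, and validating that instead would cover values that do not arrive as `ipauserauthtype` in `**options`.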
@@ -398,6 +412,8 @@ class config_mod(LDAPUpdate):
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 assert isinstance(dn, DN)
+check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+
 if 'ipadefaultprimarygroup' in entry_attrs:
 group=entry_attrs['ipadefaultprimarygroup']
 try:


[Freeipa-devel] [freeipa PR#1246][closed] [Backport][ipa-4-5] Add indexing to improve host-find performance

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1246
Author: stlaz
 Title: #1246: [Backport][ipa-4-5] Add indexing to improve host-find performance
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1246/head:pr1246
git checkout pr1246


[Freeipa-devel] [freeipa PR#1241][closed] 389-ds-base crashed as part of ipa-server-intall in ipa-uuid

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1241
Author: tbordaz
 Title: #1241: 389-ds-base crashed as part of ipa-server-intall in ipa-uuid
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1241/head:pr1241
git checkout pr1241


[Freeipa-devel] [freeipa PR#1249][opened] [Backport][ipa-4-5] ipa-getkeytab man page: add more details about the -r option

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1249
Author: stlaz
 Title: #1249: [Backport][ipa-4-5] ipa-getkeytab man page: add more details 
about the -r option
Action: opened

PR body:
"""
This PR was opened automatically because PR #1243 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1249/head:pr1249
git checkout pr1249
From e0aea2a9c8ecd458d9e15d8f98e92add68dd9eca Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 7 Nov 2017 09:31:19 +0100
Subject: [PATCH] ipa-getkeytab man page: add more details about the -r option

The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.

Fixes:
https://pagure.io/freeipa/issue/7237
---
 client/man/ipa-getkeytab.1 | 35 ++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index 08f6ec40d3..39ff0d5da8 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -44,10 +44,15 @@ provided, so the principal name is just the service
 name and hostname (ldap/foo.example.com from the
 example above).
 
+ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
+
 \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
 This renders all other keytabs for that principal invalid.
+When multiple hosts or services need to share the same key (for instance in high availability or load balancing clusters), the \fB\-r\fR option must be used to retrieve the existing key instead of generating a new one (please refer to the EXAMPLES section).
+
+Note that the user or host calling \fBipa-getkeytab\fR needs to be allowed to generate the key with \fBipa host\-allow\-create\-keytab\fR or \fBipa service\-allow\-create\-keytab\fR,
+and the user or host calling \fBipa-getkeytab \-r\fR needs to be allowed to retrieve the keytab for the host or service with \fBipa host\-allow\-retrieve\-keytab\fR or \fBipa service\-allow\-retrieve\-keytab\fR.
 
-This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
 .SH "OPTIONS"
 .TP
 \fB\-p principal\-name\fR
@@ -118,16 +123,44 @@ keytab must have access to the keys for this operation to succeed.
 Add and retrieve a keytab for the NFS service principal on
 the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
 
+.nf
# ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
+.fi
 
 Add and retrieve a keytab for the ldap service principal on
 the host foo.example.com and save it in the file /tmp/ldap.keytab.
 
+.nf
# ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
+.fi
 
 Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
 
+.nf
# ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
+.fi
+
+Add and retrieve a keytab for a clustered HTTP service deployed on client1.example.com and client2.example.com (already enrolled), using the client-frontend.example.com host name:
+
+.nf
+   # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
+   # ipa service-add HTTP/client-frontend.example.com
+   # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
+   # ipa server-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com
+.fi
+
+   On client1, generate and retrieve a new keytab for client-frontend.example.com:
+.nf
+   # kinit -k
+   # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab
+
+.fi
+   On client2, retrieve the existing keytab for client-frontend.example.com:
+.nf
+   # kinit -k
+   # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab
+.fi
+
 .SH "EXIT 
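Review bot: The clustered-service example calls `ipa server-allow-create-keytab`, which does not match the command named in the description added earlier in this patch, `ipa service\-allow\-create\-keytab`. The example line should use `service-allow-create-keytab` so that it can be copied as written. The new example lines also use bare `-` (`ipa host-add`, `ipa-getkeytab -r -p ...`) where the existing examples escape every hyphen as `\-`; the escaping should be made consistent.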

[Freeipa-devel] [freeipa PR#1247][opened] [Backport][ipa-4-6] CA-less integration tests minor log fixes

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1247
Author: stlaz
 Title: #1247: [Backport][ipa-4-6] CA-less integration tests minor log fixes
Action: opened

PR body:
"""
This PR was opened automatically because PR #1233 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1247/head:pr1247
git checkout pr1247
From ac9a39e3a65ed0116b03c09c4bbb6c9baef5c50f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 6 Nov 2017 09:07:31 +0100
Subject: [PATCH 1/2] caless tests: make debug log of certificates sensible

CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
---
 ipatests/test_integration/test_caless.py | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index ef33be2136..231cdb75e7 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -360,8 +360,8 @@ def verify_installation(self):
 logger.debug('Expected /etc/ipa/ca.crt contents:\n%s',
  expected_cacrt.decode('utf-8'))
 expected_cacrt = x509.load_unknown_x509_certificate(expected_cacrt)
-logger.debug('Expected binary CA cert:\n%r',
- expected_cacrt)
+logger.debug('Expected CA cert:\n%r',
+ expected_cacrt.public_bytes(x509.Encoding.PEM))
 for host in [self.master] + self.replicas:
 # Check the LDAP entry
 ldap = host.ldap_connect()
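Review bot: The commit message says the DER representation is logged, but the call sites in this patch pass `x509.Encoding.PEM`; one of the two should be corrected. Because the format string keeps `%r`, the PEM bytes are printed as a single escaped bytes literal. Decoding them and switching to `%s` would give a readable block in the log.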
@@ -370,7 +370,7 @@ def verify_installation(self):
   ('cn', 'etc'), host.domain.basedn))
 cert_from_ldap = entry.single_value['cACertificate']
 logger.debug('CA cert from LDAP on %s:\n%r',
- host, cert_from_ldap)
+ host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
 assert cert_from_ldap == expected_cacrt
 
 # Verify certmonger was not started
@@ -384,7 +384,7 @@ def verify_installation(self):
  host, remote_cacrt)
 cacrt = x509.load_unknown_x509_certificate(remote_cacrt)
 logger.debug('%s: Decoded /etc/ipa/ca.crt:\n%r',
- host, cacrt)
+ host, cacrt.public_bytes(x509.Encoding.PEM))
 assert expected_cacrt == cacrt
 
 

From 06497c1a5576b3893a62457210b4e90fce1bf800 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 6 Nov 2017 09:11:39 +0100
Subject: [PATCH 2/2] caless tests: decode cert bytes in debug log

Bytes would cause the logger to throw up while interpolating the
string.
---
 ipatests/test_integration/test_caless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 231cdb75e7..eccc9967db 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -381,7 +381,7 @@ def verify_installation(self):
 # Check the cert PEM file
 remote_cacrt = host.get_file_contents(paths.IPA_CA_CRT)
 logger.debug('%s:/etc/ipa/ca.crt contents:\n%s',
- host, remote_cacrt)
+ host, remote_cacrt.decode('utf-8'))
 cacrt = x509.load_unknown_x509_certificate(remote_cacrt)
 logger.debug('%s: Decoded /etc/ipa/ca.crt:\n%r',
  host, cacrt.public_bytes(x509.Encoding.PEM))
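Review bot: `remote_cacrt.decode('utf-8')` is evaluated before the logger call, so a ca.crt that is not valid UTF-8 makes the test fail with UnicodeDecodeError on the debug line, ahead of `x509.load_unknown_x509_certificate(remote_cacrt)`, which would report the real problem. Using `decode('utf-8', errors='replace')` keeps the log statement from masking it.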


[Freeipa-devel] [freeipa PR#1246][opened] [Backport][ipa-4-5] Add indexing to improve host-find performance

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1246
Author: stlaz
 Title: #1246: [Backport][ipa-4-5] Add indexing to improve host-find performance
Action: opened

PR body:
"""
This PR was opened automatically because PR #1215 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1246/head:pr1246
git checkout pr1246








  


[Freeipa-devel] [freeipa PR#1215][closed] Add indexing to improve host-find performance

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1215
Author: stlaz
 Title: #1215: Add indexing to improve host-find performance
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1215/head:pr1215
git checkout pr1215


[Freeipa-devel] [freeipa PR#1245][opened] [Backport][ipa-4-6] Add indexing to improve host-find performance

2017-11-07 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1245
Author: stlaz
 Title: #1245: [Backport][ipa-4-6] Add indexing to improve host-find performance
Action: opened

PR body:
"""
This PR was opened automatically because PR #1215 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1245/head:pr1245
git checkout pr1245
From b1d1e9f2b9be82ee3efe4deb49291ae43cf8130e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 3 Nov 2017 09:23:10 +0100
Subject: [PATCH 1/2] Add the sub operation for fqdn index config

This should improve performance of the host-find command.

https://pagure.io/freeipa/issue/6371
---
 install/share/indices.ldif| 1 +
 install/updates/20-indices.update | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index bc5f485dbd..65477e3c70 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -108,6 +108,7 @@ cn: fqdn
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: pres
+nsIndexType: sub
 
 dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
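Review bot: the new `nsIndexType: sub` on the fqdn index comes with no measurement; the commit message only says it "should improve performance". A substring index adds write and storage cost for every host entry, so please name the host-find filter this targets and the difference seen on a large tree.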
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index cb1fc6506a..c155c741a9 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -70,8 +70,9 @@ default:cn: fqdn
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq
-default:nsIndexType: pres
+only:nsIndexType: eq
+only:nsIndexType: pres
+only:nsIndexType: sub
 
 dn: cn=macAddress,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: macAddress
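Review bot: the switch from `default:nsIndexType` to `only:nsIndexType` for fqdn is not explained in the commit message. `only:` sets the attribute to exactly the listed values, so any index type an administrator added to this entry is dropped on upgrade; please say in the message that this is intended and why `default:` was not enough to deliver `sub` to existing deployments.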

From 85afc2e957f6bb020d7143da4de540d7f0597ac9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 27 Oct 2017 09:34:38 +0200
Subject: [PATCH 2/2] Add indexing to improve host-find performance

host-find command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.

https://pagure.io/freeipa/issue/6371
---
 install/share/indices.ldif| 45 +++
 install/updates/20-indices.update | 40 ++
 2 files changed, 85 insertions(+)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index 65477e3c70..e91ef01ed7 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -288,3 +288,48 @@ objectClass: nsIndex
 nsSystemIndex: false
 nsIndexType: eq
 nsIndexType: sub
+
+dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: description
+objectClass: top
+objectClass: nsindex
+nssystemindex: false
+nsindextype: eq
+nsindextype: sub
+
+dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: l
+objectClass: top
+objectClass: nsindex
+nssystemindex: false
+nsindextype: eq
+nsindextype: sub
+
+dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: nsOsVersion
+objectClass: top
+objectClass: nsindex
+nssystemindex: false
+nsindextype: eq
+nsindextype: sub
+
+dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: nsHardwarePlatform
+objectClass: top
+objectClass: nsindex
+nssystemindex: false
+nsindextype: eq
+nsindextype: sub
+
+dn: cn=nsHostLocation,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: nsHostLocation
+objectClass: top
+objectClass: nsindex
+nssystemindex: false
+nsindextype: eq
+nsindextype: sub
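Review bot: the five new entries are written in lower case (`cn=userroot`, `objectClass: nsindex`, `nssystemindex`, `nsindextype`) while the rest of the file, including the context lines of this hunk, uses `nsSystemIndex` and `nsIndexType` and the neighbouring DNs use `cn=userRoot`. The directory treats these case-insensitively, but matching the existing spelling keeps the file greppable.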
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index c155c741a9..d1704adfc2 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -268,3 +268,43 @@ default: objectClass: nsIndex
 only: nsSystemIndex: false
 only: nsIndexType: eq
 only: nsIndexType: sub
+
+dn: cn=description,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+default: cn: description
+default: objectclass: top
+default: objectclass: nsindex
+default: nssystemindex: false
+default: nsindextype: eq
+default: nsindextype: sub
+
+dn: cn=l,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+default: cn: l
+default: objectclass: top
+default: objectclass: nsindex
+default: nssystemindex: false
+default: nsindextype: eq
+default: nsindextype: sub
+
+dn: cn=nsOsVersion,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+default: cn: nsOsVersion
+default: objectclass: top
+default: objectclass: nsindex
+default: nssystemindex: false
+default: nsindextype: eq
+default: nsindextype: sub
+
+dn: cn=nsHardwarePlatform,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config
+default: cn: nsHardwarePlatform
+default: objectclass: top
+default: objectclass: nsindex
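Review bot: the new entries set `default: nsindextype`, while the entry just above in the context uses `only: nsSystemIndex` and `only: nsIndexType`, and patch 1/2 converted fqdn from `default:` to `only:`. If one of these index entries already exists with other types, `default:` leaves it untouched and the `sub` index is never added; use `only:` here as well or explain why these attributes differ.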

[Freeipa-devel] [freeipa PR#1231][closed] [Backport][ipa-4-6] Py3: fix ipa-replica-conncheck

2017-11-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1231
Author: stlaz
 Title: #1231: [Backport][ipa-4-6] Py3: fix ipa-replica-conncheck
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1231/head:pr1231
git checkout pr1231


[Freeipa-devel] [freeipa PR#1233][opened] CA-less integration tests minor log fixes

2017-11-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1233
Author: stlaz
 Title: #1233: CA-less integration tests minor log fixes
Action: opened

PR body:
"""
These changes should fix certain issues with debug logging in the CA-less 
tests, should we be able to get the debug logger working again.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1233/head:pr1233
git checkout pr1233
From bb6fe8ea12e77b41b4789d07a8a1af9461e103dd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 6 Nov 2017 09:07:31 +0100
Subject: [PATCH 1/2] caless tests: make debug log of certificates sensible

CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
---
 ipatests/test_integration/test_caless.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d32e223579..0f9dfdfce6 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -361,7 +361,7 @@ def verify_installation(self):
  expected_cacrt)
 expected_cacrt = x509.load_unknown_x509_certificate(expected_cacrt)
 logger.debug('Expected binary CA cert:\n%r',
- expected_cacrt)
+ expected_cacrt.public_bytes(x509.Encoding.DER))
 for host in [self.master] + self.replicas:
 # Check the LDAP entry
 ldap = host.ldap_connect()
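Review bot: logging `expected_cacrt.public_bytes(x509.Encoding.DER)` through `%r` produces a long escaped byte string that is hard to compare by eye between the three log lines. PEM output or a fingerprint would serve the stated goal of a sensible debug log better than raw DER.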
@@ -370,7 +370,7 @@ def verify_installation(self):
   ('cn', 'etc'), host.domain.basedn))
 cert_from_ldap = entry.single_value['cACertificate']
 logger.debug('CA cert from LDAP on %s:\n%r',
- host, cert_from_ldap)
+ host, cert_from_ldap.public_bytes(x509.Encoding.DER))
 assert cert_from_ldap == expected_cacrt
 
 # Verify certmonger was not started
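Review bot: `cert_from_ldap.public_bytes(...)` in the debug call assumes `entry.single_value['cACertificate']` is already a certificate object. If it comes back as raw bytes, the log line raises AttributeError before `assert cert_from_ldap == expected_cacrt` runs, so the test would fail in logging rather than on the comparison. Please confirm the type returned here.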
@@ -384,7 +384,7 @@ def verify_installation(self):
  host, remote_cacrt)
 cacrt = x509.load_unknown_x509_certificate(remote_cacrt)
 logger.debug('%s: Decoded /etc/ipa/ca.crt:\n%r',
- host, cacrt)
+ host, cacrt.public_bytes(x509.Encoding.DER))
 assert expected_cacrt == cacrt
 
 
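Review bot: `public_bytes(x509.Encoding.DER)` is now spelled out in three debug calls in `verify_installation`. A small local helper that formats a certificate for logging would keep the representation in one place if it changes again.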

From bfc075b251c1889a7b477e713f03433d19488b81 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 6 Nov 2017 09:11:39 +0100
Subject: [PATCH 2/2] caless tests: decode cert bytes in debug log

Bytes would cause the logger to throw up while interpolating the
string.
---
 ipatests/test_integration/test_caless.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 0f9dfdfce6..c52acf460d 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -381,7 +381,7 @@ def verify_installation(self):
 # Check the cert PEM file
 remote_cacrt = host.get_file_contents(paths.IPA_CA_CRT)
 logger.debug('%s:/etc/ipa/ca.crt contents:\n%s',
- host, remote_cacrt)
+ host, remote_cacrt.decode('utf-8'))
 cacrt = x509.load_unknown_x509_certificate(remote_cacrt)
 logger.debug('%s: Decoded /etc/ipa/ca.crt:\n%r',
  host, cacrt.public_bytes(x509.Encoding.DER))
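Review bot: `remote_cacrt.decode('utf-8')` in the debug call can raise UnicodeDecodeError before `x509.load_unknown_x509_certificate(remote_cacrt)` gets a chance to parse the file. The loader's name suggests it accepts more than one encoding, so a non-text ca.crt would now fail in logging; `decode('utf-8', errors='replace')` keeps the log line from masking the real check.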


[Freeipa-devel] [freeipa PR#1231][opened] [Backport][ipa-4-6] Py3: fix ipa-replica-conncheck

2017-11-03 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1231
Author: stlaz
 Title: #1231: [Backport][ipa-4-6] Py3: fix ipa-replica-conncheck
Action: opened

PR body:
"""
This PR was opened automatically because PR #1212 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1231/head:pr1231
git checkout pr1231
From 2aea715b079d9cff8110bd0c4e044200b1439ed5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 26 Oct 2017 16:38:11 +0200
Subject: [PATCH] Py3: fix ipa-replica-conncheck

ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. These methods expect str params in
python2 but bytes in python3.

Related to
https://pagure.io/freeipa/issue/7131
---
 install/tools/ipa-replica-conncheck | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index beca66f68a..067e47bcbf 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -290,7 +290,7 @@ class PortResponder(threading.Thread):
 self._sockets = []
 self._close = False
 self._close_lock = threading.Lock()
-self.responder_data = 'FreeIPA'
+self.responder_data = b'FreeIPA'
 self.ports_opened = False
 self.ports_open_cond = threading.Condition()
 
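Review bot: only the `responder_data` constant becomes bytes here, while the commit message talks about the `sendall()` and `sendto()` call sites, which are not in the hunk. Please check that nothing else in the script still compares or concatenates this value with a str, since that would now fail on Python 3 in a different place.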


[Freeipa-devel] [freeipa PR#1212][closed] Py3: fix ipa-replica-conncheck

2017-11-03 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1212
Author: flo-renaud
 Title: #1212: Py3: fix ipa-replica-conncheck
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1212/head:pr1212
git checkout pr1212


[Freeipa-devel] [freeipa PR#1186][opened] lint: disable no-name-in-module for py3 package

2017-10-20 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1186
Author: stlaz
 Title: #1186: lint: disable no-name-in-module for py3 package
Action: opened

PR body:
"""
pylint mistakenly reports no-name-in-module when we're deciding
whether to use the package for the given python version.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1186/head:pr1186
git checkout pr1186
From 9816442fdf0ae327a14cace14772eeb61e8d7fa0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 20 Oct 2017 15:37:35 +0200
Subject: [PATCH] lint: disable no-name-in-module for py3 package

pylint mistakenly reports no-name-in-module when we're deciding
whether to use the package for the given python version.
---
 ipalib/rpc.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 0c2f981765..5c1bec365f 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -82,12 +82,12 @@
 from xmlrpc.client import (Binary, Fault, DateTime, dumps, loads, ServerProxy,
 Transport, ProtocolError, MININT, MAXINT)
 
-# pylint: disable=import-error
+# pylint: disable=import-error, no-name-in-module
 if six.PY3:
 from http.client import RemoteDisconnected
 else:
 from httplib import BadStatusLine as RemoteDisconnected
-# pylint: enable=import-error
+# pylint: enable=import-error, no-name-in-module
 
 
 if six.PY3:
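Review bot: the widened `# pylint: disable=import-error, no-name-in-module` block also covers `from httplib import BadStatusLine as RemoteDisconnected`, so a genuine missing name on the Python 2 branch would be silenced too. An inline disable on the `from http.client import RemoteDisconnected` line would limit the suppression to the import that triggers the false positive.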


[Freeipa-devel] [freeipa PR#1182][closed] Use os.path.isfile() and isdir()

2017-10-20 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1182
Author: tiran
 Title: #1182: Use os.path.isfile() and isdir()
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1182/head:pr1182
git checkout pr1182


[Freeipa-devel] [freeipa PR#1183][opened] [Backport][ipa-4-6] Use os.path.isfile() and isdir()

2017-10-20 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1183
Author: stlaz
 Title: #1183: [Backport][ipa-4-6] Use os.path.isfile() and isdir()
Action: opened

PR body:
"""
This PR was opened automatically because PR #1182 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1183/head:pr1183
git checkout pr1183
From 8e35d54228b0e81337c57cc409f3c1573b891ec4 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 20 Oct 2017 11:10:20 +0200
Subject: [PATCH] Use os.path.isfile() and isdir()

Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes 
---
 install/tools/ipa-ca-install|  2 +-
 install/tools/ipa-dns-install   |  2 +-
 ipaclient/install/client.py | 26 -
 ipalib/plugable.py  |  2 +-
 ipaplatform/base/services.py|  4 ++--
 ipapython/ipautil.py| 20 ++-
 ipaserver/install/ca.py |  4 ++--
 ipaserver/install/cainstance.py |  2 +-
 ipaserver/install/certs.py  |  4 ++--
 ipaserver/install/dns.py|  3 ++-
 ipaserver/install/dsinstance.py |  2 +-
 ipaserver/install/installutils.py   |  4 ++--
 ipaserver/install/ipa_kra_install.py|  4 ++--
 ipaserver/install/ipa_replica_prepare.py| 10 +-
 ipaserver/install/kra.py|  2 +-
 ipaserver/install/opendnssecinstance.py |  2 +-
 ipaserver/install/server/__init__.py|  2 +-
 ipaserver/install/server/install.py |  6 +++---
 ipaserver/install/server/replicainstall.py  |  8 
 ipaserver/install/server/upgrade.py |  2 +-
 ipatests/test_install/test_updates.py   |  6 +++---
 ipatests/test_ipalib/test_text.py   |  5 ++---
 ipatests/test_ipaserver/test_ldap.py|  5 ++---
 ipatests/test_ipaserver/test_topology_plugin.py |  3 +--
 ipatests/test_pkcs10/test_pkcs10.py |  3 +--
 ipatests/test_xmlrpc/test_cert_plugin.py|  2 +-
 26 files changed, 57 insertions(+), 78 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 3bdd7634dc..e962aa13e8 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -159,7 +159,7 @@ def install_replica(safe_options, options, filename):
 else:
 if filename is None:
 sys.exit("A replica file is required")
-if not ipautil.file_exists(filename):
+if not os.path.isfile(filename):
 sys.exit("Replica file %s does not exist" % filename)
 
 if not options.promote:
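Review bot: the new `os.path.isfile(filename)` call needs `os` to be imported in ipa-ca-install, and no import is added in this hunk. Please confirm the script already imports it, otherwise this path raises NameError instead of printing the "Replica file ... does not exist" message.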
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 099d16560d..6963cb343e 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -113,7 +113,7 @@ def parse_options():
 parser.error("You must specify at least one option: "
 "--forwarder or --no-forwarders or --auto-forwarders")
 
-if options.kasp_db_file and not ipautil.file_exists(options.kasp_db_file):
+if options.kasp_db_file and not os.path.isfile(options.kasp_db_file):
 parser.error("File %s does not exist" % options.kasp_db_file)
 
 if options.dm_password:
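Review bot: with `os.path.isfile(options.kasp_db_file)` the error "File %s does not exist" is also printed when the path exists but is a directory or another non-regular file. Either adjust the message (for example "is not a file") or note in the commit message that this matches what `file_exists()` did.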
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 8d705198a9..2f89e7eaed 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -54,8 +54,6 @@
 from ipapython.install.common import step
 from ipapython.ipautil import (
 CalledProcessError,
-dir_exists,
-file_exists,
 realm_to_suffix,
 run,
 user_input,
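Review bot: dropping `dir_exists` and `file_exists` from the `ipapython.ipautil` import goes together with their removal from ipautil.py in the diffstat, which is an API change for any out-of-tree caller. Consider keeping thin deprecated aliases in ipautil for one release, or mention the removal in the commit message.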
@@ -192,7 +190,7 @@ def nssldap_exists():
 for file_type in ['mandatory', 'optional']:
 try:
 for filename in function[file_type]:
-if file_exists(filename):
+if os.path.isfile(filename):
 files_found[function['function']].append(filename)
 if file_type == 'mandatory':
 retval = True
@@ -605,7 +603,7 @@ def hardcode_ldap_server(cli_server):
 DNS Discovery didn't return a valid IPA server, hardcode a value into
 the file instead.
 """
-if not file_exists(paths.LDAP_CONF):
+if not os.path.isfile(paths.LDAP_CONF):
 return
 
 ldapconf = IPAChangeConf("IPA Installer")
@@ -859,8 +857,8 @@ def configure_sssd_conf(
 sssd_enable_service(sssdconfig, 'ifp')
 
 if (
-(options.conf_ssh and file_exists(paths.SSH_CONFIG)) or
-

[Freeipa-devel] [freeipa PR#1156][opened] p11-kit: add serial number in DER format

2017-10-16 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1156
Author: stlaz
 Title: #1156: p11-kit: add serial number in DER format
Action: opened

PR body:
"""
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1156/head:pr1156
git checkout pr1156
From fa64266d4c9fdaae359fc5e9ff3a34457c77eef2 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 16 Oct 2017 13:29:07 +0200
Subject: [PATCH] p11-kit: add serial number in DER format

This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210
---
 ipalib/x509.py  | 5 +
 ipaplatform/redhat/tasks.py | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 9f7a3c3115..576cbd1c24 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -123,6 +123,7 @@ def __init__(self, cert, backend=None):
 # some field types encode-decoding is not strongly defined
 self._subject = self.__get_der_field('subject')
 self._issuer = self.__get_der_field('issuer')
+self._serial_number = self.__get_der_field('serialNumber')
 
 def __getstate__(self):
 state = {
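Review bot: `self._serial_number` is added in `__init__`, and `__getstate__` right below builds the pickled state by hand. Please check that an unpickled certificate also ends up with `_serial_number` set, otherwise `serial_number_bytes` raises AttributeError on restored objects.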
@@ -216,6 +217,10 @@ def serial_number(self):
 return self._cert.serial_number
 
 @property
+def serial_number_bytes(self):
+return self._serial_number
+
+@property
 def version(self):
 return self._cert.version
 
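Review bot: `serial_number_bytes` has no docstring, and it sits next to `serial_number`, which returns `self._cert.serial_number`. One line saying that this property returns the DER encoding of the serialNumber field, as opposed to the integer, would stop the two from being confused again.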
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 81c9286daf..0e7810f623 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 try:
 subject = cert.subject_bytes
 issuer = cert.issuer_bytes
-serial_number = cert.serial_number
+serial_number = cert.serial_number_bytes
 public_key_info = cert.public_key_info_bytes
 except (PyAsn1Error, ValueError, CertificateError) as e:
 logger.warning(
@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 label = urllib.parse.quote(nickname)
 subject = urllib.parse.quote(subject)
 issuer = urllib.parse.quote(issuer)
-serial_number = urllib.parse.quote(str(serial_number))
+serial_number = urllib.parse.quote(serial_number)
 public_key_info = urllib.parse.quote(public_key_info)
 
 obj = ("[p11-kit-object-v1]\n"
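Review bot: the commit message says this regressed during the certificate refactoring, and the fix in `serial_number = urllib.parse.quote(serial_number)` comes without a test. A unit test that builds the p11-kit object for a known certificate and asserts on the quoted DER serial would keep it from slipping a second time.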


[Freeipa-devel] [freeipa PR#1140][closed] [Backport][ipa-4-5] travis: make tests fail if pep8 does not pass

2017-10-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1140
Author: stlaz
 Title: #1140: [Backport][ipa-4-5] travis: make tests fail if pep8 does not pass
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1140/head:pr1140
git checkout pr1140


[Freeipa-devel] [freeipa PR#1139][closed] [Backport][ipa-4-6] travis: make tests fail if pep8 does not pass

2017-10-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1139
Author: stlaz
 Title: #1139: [Backport][ipa-4-6] travis: make tests fail if pep8 does not pass
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1139/head:pr1139
git checkout pr1139


[Freeipa-devel] [freeipa PR#1140][opened] [Backport][ipa-4-5] travis: make tests fail if pep8 does not pass

2017-10-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1140
Author: stlaz
 Title: #1140: [Backport][ipa-4-5] travis: make tests fail if pep8 does not pass
Action: opened

PR body:
"""
This PR was opened automatically because PR #1122 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1140/head:pr1140
git checkout pr1140
From ada9c07aa5ee76bacc6b49ca69d28ed3cde80188 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 3 Oct 2017 12:41:45 +0200
Subject: [PATCH] travis: make tests fail if pep8 does not pass

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 7d77070936..2887b008ba 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -39,6 +39,7 @@ install:
 script:
 - mkdir -p $CI_RUNNER_LOGS_DIR
 - travis_wait 50 ./.travis_run_task.sh
+- test -z "`cat $PEP8_ERROR_LOG`"
 after_failure:
 - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG
 - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG
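Review bot: the added `test -z` check passes when `$PEP8_ERROR_LOG` does not exist, because `cat` then prints nothing to stdout and the substitution is empty. If the log is missing because the pep8 step never ran, the build stays green; `test ! -s "$PEP8_ERROR_LOG"` after an explicit existence check would separate "no errors" from "no log".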


[Freeipa-devel] [freeipa PR#1122][closed] travis: make tests fail if pep8 does not pass

2017-10-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1122
Author: stlaz
 Title: #1122: travis: make tests fail if pep8 does not pass
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1122/head:pr1122
git checkout pr1122


[Freeipa-devel] [freeipa PR#1139][opened] [Backport][ipa-4-6] travis: make tests fail if pep8 does not pass

2017-10-10 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1139
Author: stlaz
 Title: #1139: [Backport][ipa-4-6] travis: make tests fail if pep8 does not pass
Action: opened

PR body:
"""
This PR was opened automatically because PR #1122 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1139/head:pr1139
git checkout pr1139
From bfbe8d6412af0d65c86e139cc43cd097636a5d9c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 3 Oct 2017 12:41:45 +0200
Subject: [PATCH] travis: make tests fail if pep8 does not pass

---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 556232a17a..a2d942b294 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -59,6 +59,7 @@ install:
 script:
 - mkdir -p $CI_RUNNER_LOGS_DIR
 - travis_wait 50 ./.travis_run_task.sh
+- test -z "`cat $PEP8_ERROR_LOG`"
 after_failure:
 - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG
 - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG
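Review bot: in the added script line `$PEP8_ERROR_LOG` is unquoted inside the backticks, so a path containing spaces would be split into several arguments to `cat`. Quoting the variable and using `$(...)` instead of backticks makes the line robust, and the commit has an empty body that could say where the log is produced.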


[Freeipa-devel] [freeipa PR#1134][closed] [Backport][ipa-4-6] Remove the `message` attribute from exceptions

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1134
Author: stlaz
 Title: #1134: [Backport][ipa-4-6] Remove the `message` attribute from exceptions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1134/head:pr1134
git checkout pr1134


[Freeipa-devel] [freeipa PR#1130][closed] prci: bump f26 template to 0.1.5

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1130
Author: tomaskrizek
 Title: #1130: prci: bump f26 template to 0.1.5
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1130/head:pr1130
git checkout pr1130
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1135][opened] [Backport][ipa-4-6] tests_py3: decode get_file_contents() result

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1135
Author: stlaz
 Title: #1135: [Backport][ipa-4-6] tests_py3: decode get_file_contents() result
Action: opened

PR body:
"""
This PR was opened automatically because PR #1118 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1135/head:pr1135
git checkout pr1135
From f14122c6367a1ce83f51a3fc948ed6c96dc26d46 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 29 Sep 2017 07:43:30 +0200
Subject: [PATCH] tests_py3: decode get_file_contents() result

When running tests in python3 we get bytes object instead of
bytestring from get_file_contents() and when passing it to
run_command() we later fail on concatenation in shell_quote().

https://pagure.io/freeipa/issue/7131
---
 ipatests/pytest_plugins/integration/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index 9988259dc8..efefb51173 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -228,7 +228,7 @@ def restore_files(host):
 def restore_hostname(host):
 backupname = os.path.join(host.config.test_dir, 'backup_hostname')
 try:
-hostname = host.get_file_contents(backupname)
+hostname = host.get_file_contents(backupname, encoding='utf-8')
 except IOError:
 logger.debug('No hostname backed up on %s', host.hostname)
 else:
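Review bot: with `encoding='utf-8'` the call in `restore_hostname` can now raise UnicodeDecodeError, and the `try` only handles `except IOError`. A damaged `backup_hostname` file would abort the restore instead of reaching the "No hostname backed up" path; either catch the decode error too or state that the backup is always written as UTF-8.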


[Freeipa-devel] [freeipa PR#1118][closed] tests_py3: decode get_file_contents() result

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1118
Author: Rezney
 Title: #1118: tests_py3: decode get_file_contents() result
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1118/head:pr1118
git checkout pr1118


[Freeipa-devel] [freeipa PR#1134][opened] [Backport][ipa-4-6] Remove the `message` attribute from exceptions

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1134
Author: stlaz
 Title: #1134: [Backport][ipa-4-6] Remove the `message` attribute from exceptions
Action: opened

PR body:
"""
This PR was opened automatically because PR #1121 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1134/head:pr1134
git checkout pr1134
From ec7a618f914b0df60eecf947d5d523846e0f8eca Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 3 Oct 2017 12:36:21 +0200
Subject: [PATCH] Remove the `message` attribute from exceptions

This is causing python2 tests to print ugly warnings about the
deprecation of the `message` attribute in python2.6.

https://pagure.io/freeipa/issue/7131
---
 ipalib/errors.py|  2 +-
 ipalib/messages.py  |  5 -
 ipaserver/install/installutils.py   |  2 +-
 ipaserver/plugins/group.py  |  2 +-
 ipatests/test_ipalib/test_errors.py | 19 ++-
 ipatests/test_webui/test_user.py|  3 ++-
 ipatests/test_xmlrpc/test_dns_plugin.py |  4 ++--
 7 files changed, 13 insertions(+), 24 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 6aaca708a0..fb7fb4e2a9 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -369,7 +369,7 @@ class ServerCommandError(PublicError):
 For example:
 
 >>> e = CommandError(name='foobar')
->>> raise ServerCommandError(error=e.message, server='https://localhost')
+>>> raise ServerCommandError(error=str(e), server='https://localhost')
 Traceback (most recent call last):
   ...
 ServerCommandError: error on server 'https://localhost': unknown command 'foobar'
diff --git a/ipalib/messages.py b/ipalib/messages.py
index 02b0a0e102..fd458a1757 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -129,11 +129,6 @@ def to_dict(self):
 data=self.kw,
 )
 
-if six.PY3:
-@property
-def message(self):
-return str(self)
-
 
 class VersionMissing(PublicMessage):
 """
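Review bot: removing the `message` property from this class means any remaining `.message` access on these objects raises AttributeError on Python 3. The patch converts the callers it touches, but please grep the tree (and mention it in the commit message) so plugins that still read `.message` are not left behind; also check whether `six` is still used in messages.py after this block goes away.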
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 8983718950..c525f945a3 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -969,7 +969,7 @@ def handle_error(error, log_file_name=None):
 return error, 1
 
 if isinstance(error, errors.ACIError):
-return error.message, 1
+return str(error), 1
 if isinstance(error, ldap.INVALID_CREDENTIALS):
 return "Invalid password", 1
 if isinstance(error, ldap.INSUFFICIENT_ACCESS):
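Review bot: `return str(error), 1` in the ACIError branch of handle_error() is still exercised under Python 2 (the commit message is about python2 test runs), where str() yields a byte string. If ACIError text can carry translated or otherwise non-ASCII characters, confirm that str() returns cleanly there and that the caller prints the result the same way it printed `error.message`. A short comment saying why str() is used instead of the attribute would also help the next reader.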
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 1fb092d5f0..5e94272396 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -439,7 +439,7 @@ def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs)
 # using --setattr.
 if call_func.__name__ == 'update_entry':
 if isinstance(exc, errors.ObjectclassViolation):
-if 'gidNumber' in exc.message and 'posixGroup' in exc.message:
+if 'gidNumber' in str(exc) and 'posixGroup' in str(exc):
 raise errors.RequirementError(name='gidnumber')
 raise exc
 
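Review bot: the condition `'gidNumber' in str(exc) and 'posixGroup' in str(exc)` formats the exception twice and still decides control flow by substring-matching error text, which silently stops raising RequirementError if the wording of the ObjectclassViolation ever changes. Suggest binding the text once (for example `msg = str(exc)`) and adding a test that pins the expected message, so a wording change fails loudly instead of falling through to `raise exc`.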
diff --git a/ipatests/test_ipalib/test_errors.py b/ipatests/test_ipalib/test_errors.py
index 893a3e9b92..04b6e57417 100644
--- a/ipatests/test_ipalib/test_errors.py
+++ b/ipatests/test_ipalib/test_errors.py
@@ -65,7 +65,6 @@ def new(self, **kw):
 for (key, value) in kw.items():
 assert getattr(inst, key) is value
 assert str(inst) == self.klass.format % kw
-assert inst.message == str(inst)
 return inst
 
 
@@ -119,7 +118,6 @@ def test_init(self):
 assert inst.returncode == 1
 assert inst.argv == (bin_false,)
 assert str(inst) == "return code 1 from ('{}',)".format(bin_false)
-assert inst.message == str(inst)
 
 
 class test_PluginSubclassError(PrivateExceptionTester):
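Review bot: removing `assert inst.message == str(inst)` from test_init (and from the sibling tests in this file) only stops checking the attribute; the diffstat shows ipalib/errors.py changing a single docstring line, so nothing visible in this patch removes the attribute from the exception classes. If the intent is that `message` is gone, assert its absence here (for example `assert not hasattr(inst, 'message')`), or reword the subject to say that only the uses of `message` are removed.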
@@ -138,7 +136,6 @@ def test_init(self):
 assert inst.bases == ('base1', 'base2')
 assert str(inst) == \
 "'bad' not subclass of any base in ('base1', 'base2')"
-assert inst.message == str(inst)
 
 
 class test_PluginDuplicateError(PrivateExceptionTester):
@@ -155,7 +152,6 @@ def test_init(self):
 inst = self.new(plugin='my_plugin')
 assert inst.plugin == 'my_plugin'
 assert str(inst) == "'my_plugin' was already registered"
-assert inst.message == str(inst)
 
 
 class test_PluginOverrideError(PrivateExceptionTester):
@@ -174,7 +170,6 @@ def test_init(self):
 assert inst.name == 'cmd'
 assert inst.plugin == 'my_cmd'
 assert str(inst) == "unexpected override of Base.cmd with 'my_cmd'"
-assert inst.message == str(inst)
 
 
 class test_PluginMissingOverrideError(PrivateExceptionTester):
@@ 

[Freeipa-devel] [freeipa PR#1121][closed] Remove the `message` attribute from exceptions

2017-10-06 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1121
Author: stlaz
 Title: #1121: Remove the `message` attribute from exceptions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1121/head:pr1121
git checkout pr1121


[Freeipa-devel] [freeipa PR#1133][closed] [4.5] Use correct container for ipa-4-5 testing

2017-10-05 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1133
Author: stlaz
 Title: #1133: [4.5] Use correct container for ipa-4-5 testing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1133/head:pr1133
git checkout pr1133

