Re: [Freeipa-devel] [PATCH] 442 Hide 'New Certificate' action on CA-less install
On 08/19/2013 06:57 PM, Ana Krivokapic wrote:
On 08/15/2013 04:00 PM, Petr Vobornik wrote:
This action calls cert-request command which is not available on CA-less installs. Thus this action won't be enabled and therefore there is no reason to keep it visible.
https://fedorahosted.org/freeipa/ticket/3363

ACK

Pushed to ipa-3-3 and master.
--
Petr Vobornik
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 443 Web UI integration tests: CA-less
On 08/20/2013 08:25 PM, Ana Krivokapic wrote:
On 08/15/2013 04:03 PM, Petr Vobornik wrote:
+if is_visible: +is_enabled = 'disabled' not in link.get_attribute(class).split(' ')

Nitpick: it would be better to use .split() without arguments here. Here's an example that illustrates the difference in behavior between .split() and split(' ') (e.g. if there are multiple spaces between class names):

    >>> 'class1  class2 class3     class4'.split()
    ['class1', 'class2', 'class3', 'class4']
    >>> 'class1  class2 class3     class4'.split(' ')
    ['class1', '', 'class2', 'class3', '', '', '', '', 'class4']

ACK with this change.

Fixed all occurrences (4 in total). Pushed to master and ipa-3-3.
--
Petr Vobornik
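Review bot: in the quoted `+is_enabled` line, the result of `link.get_attribute(class)` is passed to `.split(' ')` unconditionally; if the link carries no class attribute and get_attribute returns nothing for it, the call fails before the enabled check is made. Defaulting to an empty string before splitting, e.g. `(... or '').split()`, covers that case together with the whitespace point raised in the review.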
Re: [Freeipa-devel] [PATCH] 441 Add base-id, range-size and range-type options to trust-add dialog
On 08/21/2013 04:03 PM, Ana Krivokapic wrote:
On 08/19/2013 01:28 PM, Petr Vobornik wrote:
On 08/15/2013 12:33 PM, Petr Vobornik wrote:
https://fedorahosted.org/freeipa/ticket/3049

New version. This version adds option for range type auto-detection. Previous patch forced some range type.

ACK

Pushed to ipa-3-3 and master.
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 444 Web UI Integration tests: Kerberos Flags
On 08/21/2013 12:14 PM, Ana Krivokapic wrote:
On 08/16/2013 01:02 PM, Petr Vobornik wrote:
Tests according to: http://www.freeipa.org/page/V3/Kerberos_Flags
https://fedorahosted.org/freeipa/ticket/3831
Depends on patch pvoborni-443.

ACK

Pushed to ipa-3-3 and master.
--
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 445 Web UI integration tests: ID range types
On 08/21/2013 04:30 PM, Ana Krivokapic wrote:
On 08/20/2013 06:19 PM, Nathaniel McCallum wrote:
On Tue, 2013-08-20 at 15:56 +0200, Petr Vobornik wrote:
On 08/19/2013 05:33 PM, Petr Vobornik wrote:
https://fedorahosted.org/freeipa/ticket/3834

New version. Fixes usage of secondary rid for non-trust installation.

A lot of the functions have spaces between the function declaration and the first line. I don't know how strictly we follow PEP8, but I thought I'd point it out.
Nathaniel

A general rule is that we _try_ to make any new code PEP8 compliant, as well as make appropriate fixes when refactoring old code. Personally, I don't have a problem with a few blank lines. Technically, I don't think this is a PEP8 violation as blank lines are allowed inside functions. PEP8 doesn't specify anything about blank lines after function parameter list. The patch works fine and I have no objections to the code, so ACK from me.

Pushed to ipa-3-3 and master.
--
Petr Vobornik
[Freeipa-devel] Multiple CA certificates in LDAP, questions
Hi,

I'm currently investigating support for multiple CA certificates in LDAP (https://fedorahosted.org/freeipa/ticket/3259, https://fedorahosted.org/freeipa/ticket/3520). This will be useful for CA certificate renewal (https://fedorahosted.org/freeipa/ticket/3304, https://fedorahosted.org/freeipa/ticket/3737) and using certificates issued by custom CAs for IPA HTTP and directory server instances (https://fedorahosted.org/freeipa/ticket/3641).

The biggest issue is how to make IPA clients aware of CA certificate changes. One of the tickets suggests polling the LDAP server from SSSD. Would that be sufficient? Perhaps a combination of polling and detecting certificate changes when connecting to LDAP would be better?

Another issue is how to handle updating IPA systems with new CA certificate(s). On clients it is probably sufficient to store the certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places where the update needs to be done (HTTP and directory server NSS databases, KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic, so there should be a way to do this externally. The simplest thing that comes to mind is that SSSD would execute an external script to do the update when it detects changes, but I'm not sure how well that would work with SELinux in the picture. Is there a better way to do this?

Suggestions and ideas are welcome.

Honza
--
Jan Cholasta
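The change-detection step behind the polling idea above can be done by comparing SHA-256 fingerprints of the certificates published in LDAP with those in the local bundle. This is an added example, not part of the original message or of FreeIPA; the function names and the byte strings standing in for DER certificates are constructed, and the LDAP values are assumed to have been fetched over a connection already validated against the currently trusted CA.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def to_pem(der):
    """Encode DER bytes as one PEM certificate block (64-column lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END CERTIFICATE-----\n")


def fingerprints(pem_bundle):
    """Return {sha256 hex: DER bytes} for every certificate in a PEM bundle."""
    certs = {}
    for body in PEM_RE.findall(pem_bundle):
        # Whitespace inside the block is legal PEM; anything else is rejected.
        der = base64.b64decode("".join(body.split()), validate=True)
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs


def diff_ca_sets(local_pem, ldap_ders):
    """Compare the local bundle with the DER values published in LDAP.

    Returns (added, removed) as sorted fingerprint lists: 'added' are
    published but not yet trusted locally, 'removed' are trusted locally
    but no longer published.
    """
    local = set(fingerprints(local_pem))
    published = {hashlib.sha256(der).hexdigest() for der in ldap_ders}
    return sorted(published - local), sorted(local - published)


# Constructed stand-ins for DER-encoded certificates (not real certificates;
# fingerprinting only needs the raw bytes).
OLD_CA = b"constructed-old-ca-der" * 5
NEW_CA = b"constructed-new-ca-der" * 5

# Local file content (what a client would keep in its CA bundle) and the
# values a poll of LDAP returns during a rollover: old and new CA together.
LOCAL_BUNDLE = to_pem(OLD_CA)
PUBLISHED = [OLD_CA, NEW_CA]

if __name__ == "__main__":
    added, removed = diff_ca_sets(LOCAL_BUNDLE, PUBLISHED)
    print("CA certificates to install:", added)
    print("CA certificates no longer published:", removed)
```

A non-empty `added` list is the trigger for the external update step the message asks about; acting on `removed` is best left to an explicit decision rather than done automatically.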
[Freeipa-devel] [PATCH] 446 Update idrange search facet after trust creation
Adding a trust creates a range - range search facet should be marked as expired. https://fedorahosted.org/freeipa/ticket/3874 -- Petr Vobornik From 08691a0c62a1a73a2fa130b0f1737304ae080e08 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Tue, 20 Aug 2013 13:44:59 +0200 Subject: [PATCH] Update idrange search facet after trust creation Adding a trust creates a range - range search facet should be marked as expired. https://fedorahosted.org/freeipa/ticket/3874 --- install/ui/src/freeipa/trust.js | 10 ++ ipatests/test_webui/test_range.py | 2 -- ipatests/test_webui/test_trust.py | 4 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js index 53a536763a7e640c2248322c455481c2b137a05d..2653d3e67c2c5591f000e32c43a3a5878eef28fd 100644 --- a/install/ui/src/freeipa/trust.js +++ b/install/ui/src/freeipa/trust.js @@ -38,6 +38,16 @@ return { enable_test: function() { return IPA.trust_enabled; }, +policies: [ +IPA.search_facet_update_policy, +IPA.details_facet_update_policy, +{ +$factory: IPA.adder_facet_update_policy, +source_facet: 'search', +dest_entity: 'idrange', +dest_facet: 'search' +} +], facets: [ { $type: 'search', diff --git a/ipatests/test_webui/test_range.py b/ipatests/test_webui/test_range.py index 98c4098a6dba51d9b5d17c36727e3609f5c7ba36..534cd1cdd20435aebf6fa5832fac68cbf717bf31 100644 --- a/ipatests/test_webui/test_range.py +++ b/ipatests/test_webui/test_range.py @@ -67,8 +67,6 @@ class test_range(range_tasks): sid = self.get_sid() self.navigate_to_entity(ENTITY) -self.facet_button_click('refresh') -self.wait_for_request(n=2) add = self.get_add_data(pkey_ad, range_type='ipa-ad-trust', sid=sid) data = self.get_data(pkey_ad, add_data=add) diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py index 713bcfa640f3767bd1d1b987c4b795d32349cf02..c0e851f322595399142a4a63f8774b660d8046b3 100644 --- a/ipatests/test_webui/test_trust.py 
+++ b/ipatests/test_webui/test_trust.py @@ -132,8 +132,6 @@ class test_trust(trust_tasks): data = self.get_data(add_data=add) self.add_record(ENTITY, data, delete=True) self.navigate_to_entity('idrange') -self.facet_button_click('refresh') -self.wait_for_request(n=2) self.assert_record_value('Active Directory domain range', range_pkey, column) self.delete_record(range_pkey) @@ -141,8 +139,6 @@ class test_trust(trust_tasks): data = self.get_data(add_data=add) self.add_record(ENTITY, data, delete=True) self.navigate_to_entity('idrange') -self.facet_button_click('refresh') -self.wait_for_request(n=2) self.assert_record_value('Active Directory trust range with POSIX attributes', range_pkey, column) self.delete_record(range_pkey) -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
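Review bot: in the test_trust.py hunks the explicit `facet_button_click('refresh')` and `wait_for_request(n=2)` are dropped, so `assert_record_value` now runs straight after `navigate_to_entity('idrange')` and depends on that call waiting for the reload triggered by the expired facet; please confirm it does, or keep a wait, so the test is not timing-dependent. In trust.js, a one-line comment on the new `policies` array saying why the two standard policies are listed alongside the adder policy would help the next reader.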
[Freeipa-devel] [PATCH] 447 Show human-readable error name in error dialog title
Fixes RPC server's JSON encoding of exception's name. It allows to show the name in Web UI's error dialog title. -- Petr Vobornik From 6034ef0e752f6b380f60a5a5299db972b86dc932 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 22 Aug 2013 13:48:44 +0200 Subject: [PATCH] Show human-readable error name in error dialog title Fixes RPC server's JSON encoding of exception's name. It allows to show the name in Web UI's error dialog title. --- install/ui/src/freeipa/ipa.js | 3 ++- ipaserver/rpcserver.py| 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js index 8d54b66e063747fe434085cbe2afbdc7d3c605f8..0e9fdefb98cbc18cfe346c0a2daa7e7d4f70dafa 100644 --- a/install/ui/src/freeipa/ipa.js +++ b/install/ui/src/freeipa/ipa.js @@ -733,7 +733,8 @@ IPA.command = function(spec) { } else if (data.error) { // error_handler() calls IPA.hide_activity_icon() error_handler.call(this, xhr, text_status, /* error_thrown */ { -name: text.get('@i18n:errors.ipa_error', 'IPA Error')+' '+data.error.code, +name: text.get('@i18n:errors.ipa_error', 'IPA Error') + ' ' + + data.error.code + ': ' + data.error.name, code: data.error.code, message: data.error.message, data: data diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index eb9b0734ac4956cb0e65664ae1cb4004d72020de..0ec7b02d2c833086803459a5cad1bbcea9d121e2 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -516,7 +516,7 @@ class jsonserver(WSGIExecutioner, HTTP_Status): error = dict( code=error.errno, message=error.strerror, -name=error.__class__.__name__, +name=unicode(error.__class__.__name__), ) principal = getattr(context, 'principal', 'UNKNOWN') response = dict( -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
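Review bot: in the ipa.js hunk `data.error.name` is appended to the title without a check, so a response that carries no `name` (for example from a server without the rpcserver.py change) would produce a title ending in ': undefined'; append the name only when it is present. In rpcserver.py, a short comment on why `unicode()` is needed around `error.__class__.__name__` would keep the wrapper from being removed later as redundant.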
Re: [Freeipa-devel] [PATCH 0091] Perform dirsrv tuning at platform level
On 08/20/2013 06:40 PM, Nathaniel McCallum wrote:
On Mon, 2013-08-19 at 14:48 +0200, Tomas Babej wrote:
Hi,

When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms.

systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv
      set ulimit - nofile 8192 in /etc/security/limits.conf

https://fedorahosted.org/freeipa/ticket/3823

I'd prefer the use of 'with' in the RedHatDirectoryService:

    # check limits.conf
    need_limits = True
    with open("/etc/security/limits.conf") as f:
        for line in f:
            sline = line.strip()
            if not sline.startswith(DS_USER):
                continue
            if sline.find('nofile') == -1:
                continue
            # ok we already have an explicit entry for user/nofile
            need_limits = False

... and ...

    with open("/etc/sysconfig/dirsrv", "a+") as f:
        f.write('ulimit -n %s\n' % str(num))

Nathaniel

Fixed and I did some additional refactoring in the code. Attached.
--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
From dcdac193cb609e2aa24b961de7ba6d800f5880e4 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com Date: Tue, 6 Aug 2013 17:09:15 +0200 Subject: [PATCH] Perform dirsrv tuning at platform level When configuring the 389 Directory Server instance, we tune it so that number of file descriptors available to the DS is increased from the default 1024 to 8192. There are platform specific steps that need to be conducted differently on systemd compatible platforms and sysV compatible platforms. systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv set ulimit - nofile 8192 in /etc/security/limits.conf https://fedorahosted.org/freeipa/ticket/3823 --- ipapython/platform/fedora16/service.py | 30 --- ipapython/platform/redhat/service.py | 64 ipaserver/install/dsinstance.py| 67 +++--- 3 files changed, 102 insertions(+), 59 deletions(-) diff --git a/ipapython/platform/fedora16/service.py b/ipapython/platform/fedora16/service.py index bceb87cd5bb2111d5c3460ddcd9940edee5443f4..297e68332df0375d51f7bbf971a05b05339a84af 100644 --- a/ipapython/platform/fedora16/service.py +++ b/ipapython/platform/fedora16/service.py @@ -21,7 +21,7 @@ import os import time from ipapython import ipautil, dogtag -from ipapython.platform import base, redhat +from ipapython.platform import base from ipapython.platform.base import systemd from ipapython.platform.fedora16 import selinux from ipapython.ipa_log_manager import root_logger 
@@ -78,20 +78,38 @@ class Fedora16Service(systemd.SystemdService): # If we wouldn't do this, our instances will not be started as systemd would # not have any clue about instances (PKI-IPA and the domain we serve) at all. # Thus, hook into dirsrv.restart(). + + class Fedora16DirectoryService(Fedora16Service): -def enable(self, instance_name=): -super(Fedora16DirectoryService, self).enable(instance_name) + +def tune_nofile_platform(self, num=8192, fstore=None): + +Increase the number of files descriptors available to directory server +from the default 1024 to 8192. This will allow to support a greater +number of clients out of the box. + +This is a part of the implementation that is systemd-specific. + +Returns False if the setting of the nofile limit needs to be skipped. + + dirsrv_systemd = /etc/sysconfig/dirsrv.systemd + if os.path.exists(dirsrv_systemd): # We need to enable LimitNOFILE=8192 in the dirsrv@.service # Since 389-ds-base-1.2.10-0.8.a7 the configuration of the # service parameters is performed via # /etc/sysconfig/dirsrv.systemd file which is imported by systemd # into dirsrv@.service unit -replacevars = {'LimitNOFILE':'8192'} -ipautil.inifile_replace_variables(dirsrv_systemd, 'service', replacevars=replacevars) +replacevars = {'LimitNOFILE': str(num)} +ipautil.inifile_replace_variables(dirsrv_systemd, + 'service', + replacevars=replacevars) selinux.restore_context(dirsrv_systemd) -ipautil.run([/bin/systemctl, --system, daemon-reload],raiseonerr=False) +ipautil.run([/bin/systemctl, --system, daemon-reload], +raiseonerr=False) + +return True def restart(self, instance_name=, capture_output=True, wait=True): if len(instance_name) 0: diff --git
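Review bot: the docstring added to `tune_nofile_platform` in the Fedora16DirectoryService hunk says the method returns False when setting the limit needs to be skipped, but the only return visible in this body is `return True`, and the `fstore` parameter is not used in the visible part. The daemon-reload call is also run with `raiseonerr=False`, so a failed reload still reports success; log or propagate that failure, and say in the docstring what `fstore` is for on this platform.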
[Freeipa-devel] [PATCH 0092] Remove redundant shebangs
Hi, Remove redundant shebangs from files that are not used as scripts. https://fedorahosted.org/freeipa/ticket/3853 -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 43c7733ccf691bd50425f021c4ab23f11315343d Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Tue, 20 Aug 2013 13:38:29 +0200 Subject: [PATCH] Remove redundant shebangs Remove redundant shebangs from files that are not used as scripts. https://fedorahosted.org/freeipa/ticket/3853 --- ipaserver/advise/base.py | 1 - ipaserver/install/ipa_backup.py | 3 +-- ipaserver/install/ipa_ldap_updater.py| 1 - ipaserver/install/ipa_replica_prepare.py | 1 - ipaserver/install/ipa_restore.py | 3 +-- 5 files changed, 2 insertions(+), 7 deletions(-) diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py index 8350bdbccac3dc6a73c98ba93701076143326a27..92dbb4e9e30c6d624eca95609568ae62bd9ea7fe 100644 --- a/ipaserver/advise/base.py +++ b/ipaserver/advise/base.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # Authors: Tomas Babej tba...@redhat.com # # Copyright (C) 2013 Red Hat diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 8326bb0c61d517758ef5c85f633d005857994eed..12c62154e94cc89054b0b1450504eef95c0700a4 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -1,5 +1,4 @@ -#!/usr/bin/python -# Authors: Rob Crittenden rcrit...@redhat.com +# Authors: Rob Crittenden rcrit...@redhat.com # # Copyright (C) 2013 Red Hat # see file 'COPYING' for use and warranty information diff --git a/ipaserver/install/ipa_ldap_updater.py b/ipaserver/install/ipa_ldap_updater.py index 09a1962eca3023f6ebcbff6bda3b778a992e88b4..ed0f19dfafbd3c57b7637af387aed3e8505f0236 100644 --- a/ipaserver/install/ipa_ldap_updater.py +++ b/ipaserver/install/ipa_ldap_updater.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # Authors: Rob Crittenden rcrit...@redhat.com # Petr Viktorin pvikt...@redhat.com # 
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..904b8727ec686cf97572a05f3645c6fe34a2e980 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -1,4 +1,3 @@ -#!/usr/bin/python # Authors: Karl MacMillan kmacmil...@mentalrootkit.com # Petr Viktorin pvikt...@redhat.com # diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 35cc6a5180b647497cd9356f241c9d90d7535a47..2d4be57f7c9643edcee58f35b00baebbb18257f8 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -1,5 +1,4 @@ -#!/usr/bin/python -# Authors: Rob Crittenden rcrit...@redhat.com +# Authors: Rob Crittenden rcrit...@redhat.com # # Copyright (C) 2013 Red Hat # see file 'COPYING' for use and warranty information -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
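Review bot: the ipa_backup.py and ipa_restore.py hunks also remove and re-add the `# Authors: Rob Crittenden` line, which looks like a whitespace-only change that the commit message does not mention. Either drop that part so the patch only removes shebangs, as the other three files do, or note the cleanup in the commit message.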
Re: [Freeipa-devel] [PATCH] 0055 Fix tests which fail after ipa-adtrust-install
On 08/20/2013 04:14 PM, Ana Krivokapic wrote:
On 08/09/2013 05:35 PM, Tomas Babej wrote:
On 08/09/2013 04:03 PM, Ana Krivokapic wrote:
On 08/09/2013 09:39 AM, Tomas Babej wrote:
On 08/08/2013 04:09 PM, Ana Krivokapic wrote:
Hello,

This patch should fix the failing unit tests.
https://fedorahosted.org/freeipa/ticket/3852

There are two tests failing on my machine when running the tests after ipa-adtrust-install with your patch applied:

You say there are two tests failing but I only see one below.

That was just debris from trying to break your patch too much, one of my comments rendered invalid in the end :)

== FAIL: test_group[24]: group_find: Search for POSIX groups
--
Traceback (most recent call last):
[...]
AssertionError: assert_deepequal: dict keys mismatch.
test_group[24]: group_find: Search for POSIX groups
missing keys = []
extra keys = ['ipantsecurityidentifier']
expected = {'dn': ipapython.dn.DN('cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), 'cn': [u'editors'], 'objectclass': Fuzzy(None, None, function lambda at 0x3768c08), 'gidnumber': [Fuzzy('^\\d+$', type 'basestring', None)], 'ipauniqueid': [Fuzzy('^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', type 'unicode', None)], 'description': [u'Limited admins who can edit other users']}
got = {'dn': u'cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com', 'cn': (u'editors',), 'objectclass': (u'top', u'groupofnames', u'posixgroup', u'ipausergroup', u'ipaobject', u'nestedGroup', u'ipantgroupattrs'), 'ipantsecurityidentifier': (u'S-1-5-21-1457515837-642396627-3509099663-1002',), 'gidnumber': (u'180462',), 'ipauniqueid': (u'7c6e1672-0039-11e3-9567-001a4a2221fb',), 'description': (u'Limited admins who can edit other users',)}
path = ('result', 1)

I think you need to wrap the dictionary describing the editor's group entry with the
add_sid wrapper, and its objectclasses using the add_oc wrapper. [tbabej@vm-139 freeipa]$ git diff diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py index d380fe5..14c70cd 100644 --- a/ipatests/test_xmlrpc/test_group_plugin.py +++ b/ipatests/test_xmlrpc/test_group_plugin.py 
@@ -447,14 +447,15 @@ class test_group(Declarative): objectclasses.posixgroup, u'ipantgroupattrs')), 'ipauniqueid': [fuzzy_uuid], }), -{ +add_sid({ 'dn': get_group_dn('editors'), 'gidnumber': [fuzzy_digits], 'cn': [u'editors'], 'description': [u'Limited admins who can edit other users'], -'objectclass': fuzzy_set_ci(objectclasses.posixgroup), +'objectclass': fuzzy_set_ci(add_oc( +objectclasses.posixgroup, u'ipantgroupattrs')), 'ipauniqueid': [fuzzy_uuid], -}, +}), dict( dn=get_group_dn(group1), cn=[group1], These changes were sufficient for me to have the unit test suite run without errors. -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org I retested the patch and the tests are passing in my setup. The editors group definitely does not have the ipantsecurityidentifier attribute nor the ipantgroupattrs objectclass: [akrivoka@vm-181 freeipa]$ ipa group-show editors --all dn: cn=editors,cn=groups,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com Group name: editors Description: Limited admins who can edit other users GID: 197702 ipauniqueid: 91b3597e-00f3-11e3-92ae-001a4a22217b objectclass: top, groupofnames, posixgroup, ipausergroup, ipaobject, nestedGroup What I noticed though, is that if I delete and re-create the editors group (after ipa-adtrust-install has been run), it then gets the above mentioned attribute and objectclass. Maybe you did some similar manipulation in your setup, resulting in the test failing? I think it does depend on whether you have ran the ipa-sidgen task when running the ipa-adtrust-install. Do you think we can cover both cases here? -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. -- Tomas Babej Associate Software Engeneer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org Updated patch should detect the situation when ipa-sidgen task was run, and add the