Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile
On 27/11/14 00:50, Gabe Alford wrote:
> Hello,
>
> Wondering if I could get a review. Updated patch attached.
>
> Thanks,
>
> Gabe
>
> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/4700
>>
>> Thanks,
>>
>> Gabe

Hello, sorry for the late response.

We pushed this ticket to the backlog, as it would be part of the build system refactoring. The app_PYTHON statement is not used anymore in IPA; the better solution is to remove it instead of keeping dead code up-to-date.

Martin^2

--
Martin Basti

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0287] Re-initialize NSS database after otptoken plugin tests
On 11/26/2014 01:10 PM, Petr Viktorin wrote: On 11/21/2014 11:47 AM, Tomas Babej wrote: Hi, OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 Note for reviewers: Requires Petr^3's pytest patchset, which I am pushing right now. Thank you! ACK, pushed to master: 792ff0c0c40ddd1583c6789c8f34382c050d3e92 Also sending rebased version for 4-1 branch. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 48c79d08668712a33f1803d9a23065e16b179d82 Mon Sep 17 00:00:00 2001 From: Tomas Babej tba...@redhat.com Date: Thu, 20 Nov 2014 18:37:57 +0100 Subject: [PATCH] Re-initialize NSS database after otptoken plugin tests OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure NSS db is re-initalized in the teardown method. https://fedorahosted.org/freeipa/ticket/4748 --- ipalib/x509.py | 31 - ipatests/test_ipaserver/test_otptoken_import.py | 5 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index 88ea415bf2b27760ac478d5d415356d30f6852f8..a87dbf4130c60b1b1daf8bbb2ffb81c208f2529c 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py 
@@ -89,19 +89,12 @@ def strip_header(pem): return pem -def load_certificate(data, datatype=PEM, dbdir=None): +def initialize_nss_database(dbdir=None): -Given a base64-encoded certificate, with or without the -header/footer, return a request object. - -Returns a nss.Certificate type +Initializes NSS database, if not initialized yet. Uses a proper database +directory (.ipa/alias or HTTPD_ALIAS_DIR), depending on the value of +api.env.in_tree. -if type(data) in (tuple, list): -data = data[0] - -if (datatype == PEM): -data = strip_header(data) -data = base64.b64decode(data) if not nss.nss_is_initialized(): if dbdir is None: @@ -116,6 +109,22 @@ def load_certificate(data, datatype=PEM, dbdir=None): else: nss.nss_init(dbdir) +def load_certificate(data, datatype=PEM, dbdir=None): + +Given a base64-encoded certificate, with or without the +header/footer, return a request object. + +Returns a nss.Certificate type + +if type(data) in (tuple, list): +data = data[0] + +if (datatype == PEM): +data = strip_header(data) +data = base64.b64decode(data) + +initialize_nss_database(dbdir=dbdir) + return nss.Certificate(buffer(data)) def load_certificate_from_file(filename, dbdir=None): diff --git a/ipatests/test_ipaserver/test_otptoken_import.py b/ipatests/test_ipaserver/test_otptoken_import.py index 7ee0754da567087eec2e494ce076fff32c6ae14c..9e463466cd133fc2174d1f713b044c99f49a30bb 100644 --- a/ipatests/test_ipaserver/test_otptoken_import.py +++ b/ipatests/test_ipaserver/test_otptoken_import.py 
@@ -21,12 +21,17 @@ import os import sys import nose from nss import nss +from ipalib.x509 import initialize_nss_database from ipaserver.install.ipa_otptoken_import import PSKCDocument, ValidationError basename = os.path.join(os.path.dirname(__file__), data) class test_otptoken_import(object): + +def tearDown(self): +initialize_nss_database() + def test_figure3(self): doc = PSKCDocument(os.path.join(basename, pskc-figure3.xml)) assert doc.keyname is None -- 1.9.3
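Review bot: `initialize_nss_database` in the first x509.py hunk only calls `nss.nss_init` when `nss.nss_is_initialized()` is false, so calling it while NSS is already open on some other database is a no-op; the docstring ("if not initialized yet") should spell out that precondition, and the `dbdir` parameter, which bypasses the `api.env.in_tree` choice between `.ipa/alias` and `HTTPD_ALIAS_DIR`, is not documented at all. Suggest adding a `:param dbdir:` line and a sentence saying that a caller who wants a real re-initialization has to shut NSS down first.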
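Review bot: `tearDown` in the test hunk calls `initialize_nss_database()` with no arguments, which, per the x509.py hunk, does nothing unless NSS is currently shut down, so the fix depends on the OTP import code having closed NSS before the next test runs. Either add a one-line comment in `tearDown` stating that, or guard the call with `if nss.nss_is_initialized(): nss.nss_shutdown()` (the `nss` module is already imported in this file) so the database really is re-initialized with the proper directory, which is what the commit message promises.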
[Freeipa-devel] [PATCH 0173] Throw zonemgr error message before installation proceeds
Ticket: https://fedorahosted.org/freeipa/ticket/4771 Patch attached. -- Martin Basti From 66cafd74e9cf69630f882e6a23e1ebab11b0c096 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Thu, 27 Nov 2014 14:16:23 +0100 Subject: [PATCH] Throw zonemgr error message before installation proceeds Ticket: https://fedorahosted.org/freeipa/ticket/4771 --- ipalib/parameters.py | 35 +-- ipalib/util.py | 45 + 2 files changed, 50 insertions(+), 30 deletions(-) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 0cf14a4cd2900459ccd5d6d52912960c642223aa..7fa55fd6a6854ffa97da211ca5ef04b7ad974dc4 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -112,7 +112,7 @@ from errors import ConversionError, RequirementError, ValidationError from errors import PasswordMismatch, Base64DecodeError from constants import TYPE_ERROR, CALLABLE_ERROR, LDAP_GENERALIZED_TIME_FORMAT from text import Gettext, FixMe -from util import json_serialize +from util import json_serialize, validate_idna_domain from ipapython.dn import DN from ipapython.dnsutil import DNSName import dns.name 
@@ -1950,36 +1950,11 @@ class DNSNameParam(Param): error = None try: -domain_name = DNSName(value) -except dns.name.BadEscape: -error = _('invalid escape code in domain name') -except dns.name.EmptyLabel: -error = _('empty DNS label') -except dns.name.NameTooLong: -error = _('domain name cannot be longer than 255 characters') -except dns.name.LabelTooLong: -error = _('DNS label cannot be longer than 63 characters') -except dns.exception.SyntaxError: -error = _('invalid domain name') -else: -#compare if IDN normalized and original domain match -#there is N:1 mapping between unicode and IDNA names -#user should use normalized names to avoid mistakes -labels = re.split(u'[.\uff0e\u3002\uff61]', value, flags=re.UNICODE) -try: -map(lambda label: label.encode(ascii), labels) -except UnicodeError: -# IDNA -is_nonnorm = any(encodings.idna.nameprep(x) != x for x in labels) -if is_nonnorm: -error = _(domain name '%(domain)s' should be normalized to - : %(normalized)s) % { - 'domain': value, - 'normalized': '.'.join([encodings.idna.nameprep(x) for x in labels])} -if error: +validate_idna_domain(value) +except ValueError as e: raise ConversionError(name=self.get_param_name(), index=index, - error=error) -value = domain_name + error=unicode(e)) +value = DNSName(value) if self.only_absolute and not value.is_absolute(): value = value.make_absolute() diff --git a/ipalib/util.py b/ipalib/util.py index 7a283106d70ba6a3e25cc7129d57b44b80876882..2c17d80a0427a5c7e45a6a0b64fa1f4d39fffa8a 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -28,6 +28,7 @@ import socket import re import decimal import dns +import encodings import netaddr from types import NoneType from weakref import WeakKeyDictionary @@ -277,6 +278,7 @@ def validate_zonemgr(zonemgr): def validate_zonemgr_str(zonemgr): zonemgr = normalize_zonemgr(zonemgr) +validate_idna_domain(zonemgr) zonemgr = DNSName(zonemgr) return validate_zonemgr(zonemgr) 
@@ -589,3 +591,46 @@ def validate_dnssec_forwarder(ip_addr): return False return True + + +def validate_idna_domain(value): + +Validate if value is valid IDNA domain. + +If domain is not valid, raises ValueError +:param value: +:return: + +error = None + +try: +DNSName(value) +except dns.name.BadEscape: +error = _('invalid escape code in domain name') +except dns.name.EmptyLabel: +error = _('empty DNS label') +except dns.name.NameTooLong: +error = _('domain name cannot be longer than 255 characters') +except dns.name.LabelTooLong: +error = _('DNS label cannot be longer than 63 characters') +except dns.exception.SyntaxError: +error = _('invalid domain name') +else: +#compare if IDN normalized and original domain match +#there is N:1 mapping between unicode and IDNA names +#user should use normalized names to avoid mistakes +labels = re.split(u'[.\uff0e\u3002\uff61]', value, flags=re.UNICODE) +try: +map(lambda label: label.encode(ascii), labels) +except UnicodeError: +# IDNA +
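Review bot: in the `DNSNameParam` hunk of parameters.py the value is now parsed twice: `validate_idna_domain(value)` constructs a `DNSName` internally, and the following line `value = DNSName(value)` builds it again. Have the validator return the parsed `DNSName` (or accept an already-parsed name) so the dns.name exception-to-message mapping lives in one place and the parameter conversion does a single parse.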
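Review bot: `validate_zonemgr_str` in the first util.py hunk now raises `ValueError` out of `validate_idna_domain` in addition to whatever `DNSName` and `validate_zonemgr` raise, and the hunk does not show the callers that the commit message targets (the installer's zonemgr option handling). Confirm that each caller catches `ValueError` and prints the translated message, otherwise the early error this patch intends to produce arrives as a traceback; a docstring line on `validate_zonemgr_str` naming the new exception would help the next reader.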
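Review bot: the `validate_idna_domain` docstring in the last util.py hunk carries empty `:param value:` and `:return:` placeholders; fill them in (`value` is the domain name as a unicode string, the function returns nothing and raises `ValueError` with a translated message) or drop them. The `map(lambda label: ...)` call over `labels` is used only for the side effect of raising `UnicodeError`; a plain `for` loop that calls `encode` on each label makes that intent explicit and does not rely on `map` being eager. The copy of the hunk here ends right after the `# IDNA` comment, so the normalization check and the point where `error` is raised are not reviewed.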
[Freeipa-devel] [PATCH 0168] Better workaround to get status of CA during upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4676 Replaces current workaround. Should go to 4.1.3. Patch attached. -- Martin Basti From aceecd06d3174101dd1f7d63f2b22eb1d1447fa1 Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 18 Nov 2014 19:49:15 +0100 Subject: [PATCH] Using wget to get status of CA This is just workaround Ticket: https://fedorahosted.org/freeipa/ticket/4676 --- install/tools/ipa-upgradeconfig | 4 ipaplatform/redhat/services.py | 28 +++- ipapython/dogtag.py | 18 +++--- 3 files changed, 38 insertions(+), 12 deletions(-) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 02bfe3a79f83e65f428fe2220d940eb39fdbd928..b81a474b2bb14f1582dabd649400c13f7ce6d369 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1473,10 +1473,6 @@ def main(): ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) except ipautil.CalledProcessError, e: root_logger.error(Failed to restart %s: %s, ca.service_name, e) -# FIXME https://fedorahosted.org/freeipa/ticket/4676 -# workaround -except RuntimeError as e: -root_logger.warning(str(e)) set_sssd_domain_option('ipa_server_mode', 'True') diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index 58ffebc48477193c7203161d2578b3040862b4e6..a2ff10824edde8832c48613dcc456092441b3097 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -24,6 +24,7 @@ Contains Red Hat OS family-specific service class implementations. import os import time +import xml.dom.minidom from ipaplatform.tasks import tasks from ipaplatform.base import services as base_services 
@@ -185,7 +186,32 @@ class RedHatCAService(RedHatService): op_timeout = time.time() + timeout while time.time() op_timeout: try: -status = dogtag.ca_status(use_proxy=use_proxy) +# FIXME https://fedorahosted.org/freeipa/ticket/4716 +# workaround +# +# status = dogtag.ca_status(use_proxy=use_proxy) +# +port = 8443 +if use_proxy: +port = 443 + +url = https://%(host)s:%(port)s%(path)s % { +host: api.env.ca_host, +port: port, +path: /ca/admin/ca/getStatus, +} + +args = [ +paths.BIN_WGET, +'-S', '-O', '-', +'--timeout=30', +url +] + +stdout, stderr, returncode = ipautil.run(args) + +status = dogtag._parse_ca_status(stdout) +# end of workaround except Exception: status = 'check interrupted' root_logger.debug('The CA status is: %s' % status) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 14824b99431e85dd73613befd72e500d370cfe2c..d03e596146e1ef4f65f616792d90ac2d869c9db4 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -191,6 +191,16 @@ def get_ca_certchain(ca_host=None, dogtag_constants=None): return chain +def _parse_ca_status(body): +doc = xml.dom.minidom.parseString(body) +try: +item_node = doc.getElementsByTagName(XMLResponse)[0] +item_node = item_node.getElementsByTagName(Status)[0] +return item_node.childNodes[0].data +except IndexError: +raise error_from_xml(doc, _(Retrieving CA status failed: %s)) + + def ca_status(ca_host=None, use_proxy=True): Return the status of the CA, and the httpd proxy in front of it 
@@ -214,13 +224,7 @@ def ca_status(ca_host=None, use_proxy=True): elif status != 200: raise errors.RemoteRetrieveError( reason=_(Retrieving CA status failed: %s) % reason) -doc = xml.dom.minidom.parseString(body) -try: -item_node = doc.getElementsByTagName(XMLResponse)[0] -item_node = item_node.getElementsByTagName(Status)[0] -return item_node.childNodes[0].data -except IndexError: -raise error_from_xml(doc, _(Retrieving CA status failed: %s)) +return _parse_ca_status(body) def https_request(host, port, url, secdir, password, nickname, **kw): -- 1.8.3.1
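Review bot: the `# FIXME` comment added in the `RedHatCAService` hunk of services.py points at ticket 4716, while the commit message and the mail reference ticket 4676; one of the two is wrong. In the same hunk, `import xml.dom.minidom` is added to services.py but nothing in that file uses it after the change (the XML parsing moved to `dogtag._parse_ca_status`), and the new code references `api`, `paths` and `ipautil` without their imports appearing in the diff, so confirm they are already imported there. Finally, the wget invocation passes no `--ca-certificate`, so it relies on the IPA CA being present in the system trust store, and every failure mode (TLS verification, the 30 s timeout, a non-zero exit if `ipautil.run` is left at its default of raising on error) collapses into the generic `status = 'check interrupted'` of the surrounding `except Exception`; logging the caught exception at debug level there would make a failing CA status check diagnosable during upgrade.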
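Review bot: `_parse_ca_status` in the dogtag.py hunk is named as module-private but is now called across modules from `ipaplatform.redhat.services`; either drop the leading underscore or give it a docstring stating that it is the shared parser for the CA `getStatus` XML response and that it raises via `error_from_xml` when the `XMLResponse`/`Status` elements are missing. A body that is not well-formed XML makes `parseString` raise `xml.parsers.expat.ExpatError`, which the `except IndexError` does not cover; mapping that case onto the same `RemoteRetrieveError` path would keep the error reporting consistent for both callers.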
[Freeipa-devel] [PATCH] 790 webui: fix service unprovisioning
A missed part of the field refactoring meant that a service could not be unprovisioned.

https://fedorahosted.org/freeipa/ticket/4770

For regression tests I've opened a ticket: https://fedorahosted.org/freeipa/ticket/4772

--
Petr Vobornik

From 0a1ef3e4d4ec6d758a736774d34362d203e5dfba Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 27 Nov 2014 12:47:42 +0100 Subject: [PATCH] webui: fix service unprovisioning Missed part of field refactoring caused that service could not be unprovisioned. https://fedorahosted.org/freeipa/ticket/4770 --- install/ui/src/freeipa/service.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js index 3e47981bdbda9cd076eab75da0f5133503af6f3d..94842a912c77a55acad9d2f0881f3ad23915f700 100644 --- a/install/ui/src/freeipa/service.js +++ b/install/ui/src/freeipa/service.js @@ -467,7 +467,7 @@ IPA.service.unprovision_dialog = function(spec) { that.unprovision = function() { var principal_f = that.facet.fields.get_field('krbprincipalname'); -var pkey = principal_f.values[0]; +var pkey = principal_f.get_value()[0]; rpc.command({ entity: that.entity.name, -- 1.9.3
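Review bot: `principal_f.get_value()[0]` in the service.js hunk indexes the first element without checking that the array is non-empty, exactly as the `values[0]` it replaces did; if the field can ever be empty, `rpc.command` is sent with an undefined primary key instead of failing early. Since ticket 4772 was opened for regression tests, a test that exercises `unprovision_dialog` through `get_value()` (the field API after the refactoring) is what would catch this class of breakage next time.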
Re: [Freeipa-devel] [PATCH 0307] Send DNS NOTIFY message after any modification to the zone
On 11/26/2014 01:46 PM, Martin Basti wrote:
> On 07/11/14 15:34, Petr Spacek wrote:
>> Hello,
>>
>> Send DNS NOTIFY message after any modification to the zone.
>>
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/144
>
> Works for me. But don't push it before Tomas checks the code please.
>
> Martin^2

ACK. Works for me...

Regards,
--
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience
PGP: 1D9F3C2D
Red Hat Inc. http://cz.redhat.com
Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile
On 27.11.2014 11:00, Martin Basti wrote:
> On 27/11/14 00:50, Gabe Alford wrote:
>> Hello,
>>
>> Wondering if I could get a review. Updated patch attached.
>>
>> Thanks,
>>
>> Gabe
>>
>> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/4700
>>>
>>> Thanks,
>>>
>>> Gabe
>
> Hello, sorry for the late response.
>
> We pushed this ticket to the backlog, as it would be part of the build system refactoring. The app_PYTHON statement is not used anymore in IPA; the better solution is to remove it instead of keeping dead code up-to-date.

Just to clarify: it can be pushed if it works; there is no need to postpone accepting a patch if the patch seems okay and doesn't break anything.

Martin, please keep in mind that contributions are welcome at any time. Milestones in Trac reflect our view of priorities, but they don't prevent us from accepting correct patches from contributors at any time, no matter which priority is stated in Trac (or even if there is no ticket for it ...).

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile
On 11/27/2014 04:12 PM, Petr Spacek wrote:
> On 27.11.2014 11:00, Martin Basti wrote:
>> On 27/11/14 00:50, Gabe Alford wrote:
>>> Hello,
>>>
>>> Wondering if I could get a review. Updated patch attached.
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/4700
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>
>> Hello, sorry for the late response.
>>
>> We pushed this ticket to the backlog, as it would be part of the build system refactoring. The app_PYTHON statement is not used anymore in IPA; the better solution is to remove it instead of keeping dead code up-to-date.
>
> Just to clarify: it can be pushed if it works; there is no need to postpone accepting a patch if the patch seems okay and doesn't break anything.
>
> Martin, please keep in mind that contributions are welcome at any time. Milestones in Trac reflect our view of priorities, but they don't prevent us from accepting correct patches from contributors at any time, no matter which priority is stated in Trac (or even if there is no ticket for it ...).

This is not a problem of prioritization, and the Trac tickets do not indeed prevent accepting contributions to current FreeIPA branches (well, of course, a big refactoring would not fit a stabilization release etc.).

However, AFAIU, in this case Gabe tried to bring an unused autotools option up to date, for which, as Martin correctly stated, the better solution is to remove it instead of keeping dead code up-to-date. So in this light, the patch does not break anything, but it is not the best move forward either, as it would promote redundant work in maintaining an unused autotools variable.

Martin
Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile
Thanks guys. Sounds like it would be better to submit a patch that removes app_PYTHON if it is considered dead code.

Gabe

On Thursday, November 27, 2014, Petr Spacek <pspa...@redhat.com> wrote:
> On 27.11.2014 11:00, Martin Basti wrote:
>> On 27/11/14 00:50, Gabe Alford wrote:
>>> Hello,
>>>
>>> Wondering if I could get a review. Updated patch attached.
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/4700
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>
>> Hello, sorry for the late response.
>>
>> We pushed this ticket to the backlog, as it would be part of the build system refactoring. The app_PYTHON statement is not used anymore in IPA; the better solution is to remove it instead of keeping dead code up-to-date.
>
> Just to clarify: it can be pushed if it works; there is no need to postpone accepting a patch if the patch seems okay and doesn't break anything.
>
> Martin, please keep in mind that contributions are welcome at any time. Milestones in Trac reflect our view of priorities, but they don't prevent us from accepting correct patches from contributors at any time, no matter which priority is stated in Trac (or even if there is no ticket for it ...).
>
> --
> Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0036] Add missing python files to Makefile
Exactly, this was the message from Martin :-) I did not test it myself, but removing all app_PYTHON should be benign given we use Python setup.py packaging.

On 11/27/2014 04:27 PM, Gabe Alford wrote:
> Thanks guys. Sounds like it would be better to submit a patch that removes app_PYTHON if it is considered dead code.
>
> Gabe
>
> On Thursday, November 27, 2014, Petr Spacek <pspa...@redhat.com> wrote:
>> On 27.11.2014 11:00, Martin Basti wrote:
>>> On 27/11/14 00:50, Gabe Alford wrote:
>>>> Hello,
>>>>
>>>> Wondering if I could get a review. Updated patch attached.
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>>>
>>>> On Tue, Nov 11, 2014 at 7:21 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>>>> Hello,
>>>>>
>>>>> Fix for https://fedorahosted.org/freeipa/ticket/4700
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Gabe
>>>
>>> Hello, sorry for the late response.
>>>
>>> We pushed this ticket to the backlog, as it would be part of the build system refactoring. The app_PYTHON statement is not used anymore in IPA; the better solution is to remove it instead of keeping dead code up-to-date.
>>
>> Just to clarify: it can be pushed if it works; there is no need to postpone accepting a patch if the patch seems okay and doesn't break anything.
>>
>> Martin, please keep in mind that contributions are welcome at any time. Milestones in Trac reflect our view of priorities, but they don't prevent us from accepting correct patches from contributors at any time, no matter which priority is stated in Trac (or even if there is no ticket for it ...).
>>
>> --
>> Petr^2 Spacek
[Freeipa-devel] [PATCH] 791 fix indentation in ipa-restore page
--
Petr Vobornik

From 67c0d657975dad37cd8393903b7f4b8006696a06 Mon Sep 17 00:00:00 2001 From: Petr Vobornik pvobo...@redhat.com Date: Thu, 27 Nov 2014 17:08:12 +0100 Subject: [PATCH] fix indentation in ipa-restore page --- install/tools/man/ipa-restore.1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/install/tools/man/ipa-restore.1 b/install/tools/man/ipa-restore.1 index 31734b259524e4b07312a4009184e725aafc3728..d758490615cca4bf15530ed7781fa798b4da0e68 100644 --- a/install/tools/man/ipa-restore.1 +++ b/install/tools/man/ipa-restore.1 @@ -57,6 +57,7 @@ If you have older masters you should consider re\-creating them rather than tryi .TP \fB\-p\fR, \fB\-\-password\fR=\fIPASSWORD\fR The Directory Manager password. +.TP \fB\-\-data\fR Restore the data only. The default is to restore everything in the backup. .TP @@ -70,11 +71,11 @@ Exclude the IPA service log files in the backup (if they were backed up). Applic Perform the restore on\-line. Requires the \-\-data option. .TP \fB\-\-instance\fR=\fIINSTANCE\fR -The backend to restore within an instance or instances. -.TP Restore only the databases in this 389\-ds instance. The default is to restore all found (at most this is the IPA REALM instance and the PKI\-IPA instance). .TP \fB\-\-backend\fR=\fIBACKEND\fR +The backend to restore within an instance or instances. +.TP \fB\-\-v\fR, \fB\-\-verbose\fR Print debugging information .TP -- 1.9.3
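Review bot: the unchanged context line `\fB\-\-v\fR, \fB\-\-verbose\fR` immediately below the moved `--backend` text in the second hunk still renders the short option as `--v`; since this patch is already correcting this page's option layout, change it to `\fB\-v\fR` in the same commit (assuming ipa-restore accepts `-v`, which the man page should be checked against). The moved lines themselves look right: the description that sat under `--instance` now follows `\fB\-\-backend\fR`, and `--data` gets the `.TP` it was missing in the first hunk.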
Re: [Freeipa-devel] [PATCH 0307] Send DNS NOTIFY message after any modification to the zone
On 27.11.2014 15:56, Tomas Hozza wrote:
> On 11/26/2014 01:46 PM, Martin Basti wrote:
>> On 07/11/14 15:34, Petr Spacek wrote:
>>> Hello,
>>>
>>> Send DNS NOTIFY message after any modification to the zone.
>>>
>>> https://fedorahosted.org/bind-dyndb-ldap/ticket/144
>>
>> Works for me. But don't push it before Tomas checks the code please.
>>
>> Martin^2
>
> ACK. Works for me...

Pushed to master: 7dd6ba6c70273fef0ffd34b265e6f1a1b6988a26

--
Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0287] Re-initialize NSS database after otptoken plugin tests
On 11/27/2014 12:56 PM, Tomas Babej wrote:
> On 11/26/2014 01:10 PM, Petr Viktorin wrote:
>> On 11/21/2014 11:47 AM, Tomas Babej wrote:
>>> Hi,
>>>
>>> OTP token tests do not properly reinitialize the NSS db, thus making subsequent xmlrpc tests fail on SSL cert validation. Make sure the NSS db is re-initialized in the teardown method.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4748
>>>
>>> Note for reviewers: Requires Petr^3's pytest patchset, which I am pushing right now.
>>
>> Thank you! ACK, pushed to master: 792ff0c0c40ddd1583c6789c8f34382c050d3e92
>
> Also sending rebased version for 4-1 branch.

ACK

Pushed to ipa-4-1: 7215f7e2215b485daac7dc5d54478752b682181b

--
Petr Vobornik
[Freeipa-devel] Announcing FreeIPA 4.1.2
The FreeIPA team would like to announce the FreeIPA v4.1.2 security release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository [https://copr.fedoraproject.org/coprs/mkosek/freeipa/].

== Highlights in 4.1.2 ==

=== Bug fixes ===
* CVE-2014-7850: ensure that user input is properly escaped to prevent XSS attacks [https://fedorahosted.org/freeipa/ticket/4742] [http://www.freeipa.org/page/CVE-2014-7850]
* harden mod_nss config on update to use TLSv1.0, TLSv1.1, TLSv1.2
* fixed getkeytab operation [https://fedorahosted.org/freeipa/ticket/4718] [https://fedorahosted.org/freeipa/ticket/4728]
* backup and restore fixes related to certificate restore and SELinux context
* static code analysis fixes
* various small fixes

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in a special environment (e.g. FedUp) which does not allow running the LDAP server during the upgrade process, the upgrade scripts need to be run manually after the first boot:

# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

Also note that the performance improvements require an extended set of indexes to be configured. The RPM update for an IPA server with an excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully, but new features will not be available on old servers, and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Detailed Changelog since 4.1.1 ==

=== Alexander Bokovoy (2) ===
* Update slapi-nis dependency to pull 0.54.1
* AD trust: improve trust validation

=== David Kupka (6) ===
* Remove unneeded internal methods. Move code to public methods.
* Remove service file even if it isn't link.
* Produce better error in group-add command.
* Fix --{user,group}-ignore-attribute in migration plugin.
* ipa-restore: Check if directory is provided + better errors.
* Fix error message for nonexistent members and add tests.

=== Gabe Alford (1) ===
* ipa-server-install Directory Manager help incorrect

=== Jan Cholasta (15) ===
* Fix CA certificate backup and restore
* Update Requires on pki-ca to 10.2.1-0.1
* Fix wrong expiration date on renewed IPA CA certificates
* Restore file extended attributes and SELinux context in ipa-restore
* Use correct service name in cainstance.backup_config
* Stop tracking certificates before restoring them in ipa-restore
* Remove redefinition of LOG from ipa-otp-lasttoken
* Unload P11_Helper object's library when it is finalized in ipap11helper
* Fix Kerberos error handling in ipa-sam
* Fix unchecked return value in ipa-kdb
* Fix unchecked return values in ipa-winsync
* Fix unchecked return value in ipa-join
* Fix unchecked return value in krb5 common utils
* Fix memory leak in GetKeytabControl asn1 code
* Add TLS 1.2 to the protocol list in mod_nss config

=== Martin Bašti (12) ===
* Fix: DNS installer adds invalid zonemgr email
* Fix: DNS policy upgrade raises assertion error
* Fix upgrade referint plugin
* Upgrade: fix trusts objectclass violation
* Fix named working directory permissions
* Fix: zonemgr must be unicode value
* Fix warning message should not contain CLI commands
* Show warning instead of error if CA did not start
* Raise right exception if domain name is not valid
* Fix pk11helper module compiler warnings
* Fix: read_ip_addresses should return ipaddr object
* Fix detection of encoding in zonemgr option

=== Martin Košek (1) ===
* Lower pki-ca requires to 10.1.2

=== Nathaniel McCallum (3) ===
* Improve otptoken help messages
* Ensure users exist when assigning tokens to them
* Enable QR code display by default in otptoken-add

=== Petr Viktorin (5) ===
* ipa-restore: Don't crash if AD trust is not installed
* ipaplatform: Use the dirsrv service, not target
* Do not restore SELinux settings that were not backed up
* Add additional backup restore checks
* copy_schema_to_ca: Fallback to old import location for ipaplatform.services

=== Petr Voborník (9) ===
* ranges: prohibit setting