Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker

2015-10-20 Thread Lenka Doudova



On 10/20/2015 06:21 PM, Martin Basti wrote:



On 20.10.2015 15:53, Martin Basti wrote:



On 19.10.2015 14:16, Martin Basti wrote:



On 19.10.2015 12:30, Martin Basti wrote:

Attribute nsaccountlock has not been processed correctly

Patch attached.




Self-NACK, more fixes required



Updated patch attached, but it still needs to be improved because tests 
in my patch 331 are still failing.




Eternal self-NACK for this patch

I'm not able to fix UserTracker; I need help from somebody with a higher-level 
view of how this tracker is supposed to work.

Follow my patch 0331


Hi, I'll take a look at it today.
Lenka
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Simo Sorce

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option in the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass
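Review bot: `options.replica` is read on the first line of the `try` block, but nothing in the visible `parse_options` defines it, so the `if` itself raises `AttributeError` before either install function runs; `getattr(options, 'replica', False)` would keep the script alive, but the real fix is to register the option or derive replica-vs-master from server state. The `finally` cleanup is sound as written: it unlinks the temporary ccache only when one was created, so credentials do not linger on disk after a failed run.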

I guess you wanted to add the '--replica' option to the CA installer, but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From 5d5de8c3e1c6d5ce24dd9860e112547bb8705612 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 20 Aug 2015 17:10:23 -0400
Subject: [PATCH] Allow ipa-ca-install to use the new promotion code

This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).

Signed-off-by: Simo Sorce 
---
 install/tools/ipa-ca-install | 132 ++-
 ipaserver/install/ca.py  |   2 -
 2 files changed, 92 insertions(+), 42 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..0a76b3dd32a7673a2bbe81c1659d38a700be13da 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
@@ -67,6 +71,8 @@ def parse_options():
   type="choice",
   choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
   help="Signing algorithm of the IPA CA certificate")
+parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+  default=None, help="User allowed to manage replicas")
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
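Review bot: `sensitive=True` on `--principal` masks the value in `safe_options`, the sanitized copy that gets logged; a principal name is not a secret the way `--password` is, and hiding it makes the debug log less useful when working out whose credentials an installation used. The help text "User allowed to manage replicas" should also say what the option is for, namely the principal whose credentials `check_creds` acquires in the next hunk.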
@@ -101,20 +107,16 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-standard_logging_setup(log_file_name, debug=options.debug)
-
-root_logger.debug('%s was invoked with argument "%s" and options: %s',
-sys.argv[0], filename, safe_options)
-root_logger.debug('IPA version %s', version.VENDOR_VERSION)
-
-if not ipautil.file_exists(filename):
-sys.exit("Replica file %s does not exist" % filename)
-
-if not dsinstance.DsInstance().is_configured():
-sys.exit("IPA server is not configured on this system.\n")
-
-api.bootstrap(in_server=True)
-api.finalize()
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > 0:
+options.promote = True
+else:
+options.promote = False
+if not ipautil.file_exists(filename):
+sys.exit("Replica file %s does not exist" % filename)
+
+# Check if we have admin creds already, otherwise acquire them
+check_creds(options, api.env.realm)
 
 # get the directory manager password
 dirman_password = options.password
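Review bot: indentation is lost in the archive, so it is not clear whether `if not ipautil.file_exists(filename)` sits inside the `else:` branch; it has to, because the promotion path described in the commit message has no replica file and passes `filename` as `None`. This hunk also removes `standard_logging_setup`, the `DsInstance().is_configured()` check and `api.bootstrap()`/`api.finalize()` from `install_replica`, yet `dsinstance.get_domain_level(api)` on the first added line needs a finalized `api`; those calls must have moved to `main()`, which is not in the visible part of the patch, so please confirm they still run before this function is entered.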
@@ -132,13 +134,36 @@ def install_replica(safe_options, options, filename):
 options.unattended:
 sys.exit('admin password required')
 
-config = create_replica_config(dirman_password, filename, options)
+if options.promote:
+config = ReplicaConfig()
+config.master_host_name = None
+config.realm_name = api.env.realm
+config

Re: [Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part

2015-10-20 Thread Martin Basti



On 20.10.2015 16:07, Martin Basti wrote:



On 20.10.2015 15:57, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5344

Patch attached.

Tests are failing, a fix in UserTracker has to be done (partially in 
my patch 329)




SelfNACK, I forgot to add stageuser tests



Updated patch attached.

I extracted the tests into a separate patch; the tests do not work, I had issues 
with the user and stageuser trackers.


From 250c5d3f2f5e47b19c628115ecd9df8a71d357dc Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 20 Oct 2015 18:39:57 +0200
Subject: [PATCH] Allow multiple managers per user - CLI part

https://fedorahosted.org/freeipa/ticket/5344
---
 API.txt| 12 ++--
 VERSION|  4 ++--
 ipalib/plugins/baseuser.py |  7 +--
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index 873c6d54221a0c1657b5457bd9dceedb4adf06b3..896df430aaa1952c0fe4af4672b78f1ad11da45e 100644
--- a/API.txt
+++ b/API.txt
@@ -4225,7 +4225,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip
 option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
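Review bot: the API.txt hunks in this patch are all the same mechanical flip of `multivalue=False` to `multivalue=True` on the `manager` option, and the diffstat shows VERSION touched, which is the API version bump this kind of change requires. The 7-line change to `ipalib/plugins/baseuser.py` is where the behaviour actually changes and it is cut off in this archive; that is the hunk to review, in particular that every supplied manager is validated the same way the single value was before.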
@@ -4285,7 +4285,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False)
-option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False)
+option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, query=True, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('not_in_group*', cli_name='not_in_groups', csv=True)
@@ -4342,7 +4342,7 @@ option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_n
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False)
@@ -5172,7 +5172,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip
 option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
@@ -5261,7 +5261,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False)
-option: Str('manager', attribute=True, autofill=Fals

[Freeipa-devel] [PATCHES] 737-742 More Python3 porting

2015-10-20 Thread Petr Viktorin
Yet another batch of py3 patches.

We're getting closer: if this was merged, my WIP branch that passes
ipapython & ipalib tests under py3 would currently be down to:
 8 files changed, 73 insertions(+), 23 deletions(-)

-- 
Petr Viktorin
From d2689e85c3f5ffcf30d3524740c45a648d134110 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 6 Oct 2015 13:54:33 +0200
Subject: [PATCH] Handle binascii.Error from base64.b64decode()

In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.

Callers should usually handle ValueError (unless they are specifically
concerned with handling base64 padding issues).

In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
  handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError

In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate

Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
---
 ipalib/parameters.py   | 2 +-
 ipalib/plugins/cert.py | 6 --
 ipaplatform/redhat/tasks.py| 2 +-
 ipapython/ssh.py   | 2 +-
 ipaserver/install/ipa_cacert_manage.py | 2 +-
 ipaserver/install/ldapupdate.py| 2 +-
 ipatests/test_pkcs10/test_pkcs10.py| 7 +++
 7 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index ef8814eeb68c4461c8ffc341a897f9322aababd3..dadd87d6a328bdb4297f9b6bd51602b24b8d300a 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1383,7 +1383,7 @@ def _convert_scalar(self, value, index=None):
 if isinstance(value, unicode):
 try:
 value = base64.b64decode(value)
-except TypeError as e:
+except (TypeError, ValueError) as e:
 raise Base64DecodeError(reason=str(e))
 return super(Bytes, self)._convert_scalar(value, index)
 
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e4593200e01addea31c8fcda981fbe1d65058c27..b4ea2feae5de9ffc020709092f79791d99472ffc 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -21,6 +21,8 @@
 
 import os
 import time
+import binascii
+
 from ipalib import Command, Str, Int, Bytes, Flag, File
 from ipalib import api
 from ipalib import errors
@@ -156,7 +158,7 @@ def validate_csr(ugettext, csr):
 return
 try:
 request = pkcs10.load_certificate_request(csr)
-except TypeError as e:
+except (TypeError, binascii.Error) as e:
 raise errors.Base64DecodeError(reason=str(e))
 except Exception as e:
 raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % e)
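Review bot: this hunk catches `binascii.Error` rather than `ValueError`, the opposite of the ssh.py hunk in the same patch and of the commit message's "callers should handle ValueError". If the narrow catch is deliberate, so that a `ValueError` raised by the PKCS#10 parser for a non-base64 reason falls through to the following `except Exception` and is reported as `CertificateOperationError` instead of `Base64DecodeError`, say so in a comment; otherwise use `(TypeError, ValueError)` like the other hunks. Either way note that on Python 2 `base64.b64decode` converts `binascii.Error` to `TypeError`, so the `binascii.Error` entry only ever matches on Python 3.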
@@ -368,7 +370,7 @@ def execute(self, csr, **kw):
 subject = pkcs10.get_subject(csr)
 extensions = pkcs10.get_extensions(csr)
 subjectaltname = pkcs10.get_subjectaltname(csr) or ()
-except (NSPRError, PyAsn1Error) as e:
+except (NSPRError, PyAsn1Error, ValueError) as e:
 raise errors.CertificateOperationError(
 error=_("Failure decoding Certificate Signing Request: %s") % e)
 
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 446e2886eedca11e66c9e7e6a3d778cd35af0cb6..94d2cb4e906965a20bcfdd55f38854005091c26f 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -210,7 +210,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 issuer = x509.get_der_issuer(cert, x509.DER)
 serial_number = x509.get_der_serial_number(cert, x509.DER)
 public_key_info = x509.get_der_public_key_info(cert, x509.DER)
-except (NSPRError, PyAsn1Error) as e:
+except (NSPRError, PyAsn1Error, ValueError) as e:
 root_logger.warning(
 "Failed to decode certificate \"%s\": %s", nickname, e)
 continue
diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index 02f577e8b3228c528d474c9468ad4b640dbf682b..a625c422c49a3b0e9082f4351fde7450a4c839d7 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -102,7 +102,7 @@ def _parse_base64(self, key):
 
 try:
 key = base64.b64decode(key)
-except (TypeError, binascii.Error):
+except (TypeError, ValueError):
 return False
 
 return self._parse_raw(key)
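Review bot: dropping `binascii.Error` from the tuple is only safe because Python 2's `base64.b64decode` converts it to `TypeError` and Python 3's is a `ValueError`; if `_parse_base64` is ever changed to call `binascii.a2b_base64` directly, Python 2 raises a bare `binascii.Error` that is neither, and a malformed key would produce a traceback instead of `return False`. Keeping all three in the tuple costs nothing.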
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index a2242fd3df383af9b8aed2aed142ea8cc8a4ef90..66cba891fad4b679ae51a4a11a094de341c24e88 100644
--- a/ipaserv
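An added example, not part of Petr's patch or of the FreeIPA code base, showing the behaviour the commit message describes: one decoder that maps Python 2's `TypeError` and Python 3's `binascii.Error`/`ValueError` to a single error class, plus the caveat a reviewer should know, that by default `b64decode` silently drops stray characters, so only bad padding ever surfaces unless `validate=True` is passed. `Base64DecodeError` and the sample inputs are constructed stand-ins, not ipalib's class or project data.

```python
import base64
import binascii


class Base64DecodeError(ValueError):
    """Uniform decode error; a constructed stand-in for ipalib's
    errors.Base64DecodeError, not the project's own class."""


def decode_base64_value(value, strict=False):
    """Decode base64 text, normalising the decoder's errors.

    Python 3's base64.b64decode raises binascii.Error (a ValueError
    subclass) on bad padding; Python 2 raised TypeError.  Catching both
    gives callers one exception type on either interpreter.  With
    strict=True, characters outside the base64 alphabet are rejected
    (validate=True); by default b64decode silently discards them.
    """
    try:
        return base64.b64decode(value, validate=strict)
    except (TypeError, ValueError) as e:
        # TypeError is kept only for callers still on Python 2.
        raise Base64DecodeError("invalid base64 value: %s" % e)


def binascii_error_is_valueerror():
    """True on Python 3, where binascii.Error subclasses ValueError,
    which is why "except ValueError" is enough there."""
    return issubclass(binascii.Error, ValueError)


def try_decode(value, strict=False):
    """Return (True, decoded_bytes) or (False, reason) without raising;
    used below to show which inputs lenient and strict modes reject."""
    try:
        return True, decode_base64_value(value, strict=strict)
    except Base64DecodeError as e:
        return False, str(e)


# Constructed sample inputs: well-formed, truncated padding, stray byte.
SAMPLES = {
    "valid": "aGVsbG8=",
    "bad_padding": "aGVsbG8",
    "stray_char": "aGVs!bG8=",
}


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "lenient:", try_decode(value),
              "strict:", try_decode(value, strict=True))
```

The "stray_char" sample decodes cleanly in lenient mode, which is the point of the caveat: input validation that relies on `b64decode` raising will not notice garbage mixed into the value unless `validate=True` is used.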

Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker

2015-10-20 Thread Martin Basti



On 20.10.2015 15:53, Martin Basti wrote:



On 19.10.2015 14:16, Martin Basti wrote:



On 19.10.2015 12:30, Martin Basti wrote:

Attribute nsaccountlock has not been processed correctly

Patch attached.




Self-NACK, more fixes required



Updated patch attached, but it still needs to be improved because tests in 
my patch 331 are still failing.




Eternal self-NACK for this patch

I'm not able to fix UserTracker; I need help from somebody with a higher-level 
view of how this tracker is supposed to work.

Follow my patch 0331

Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-20 Thread Martin Babinsky

On 10/20/2015 04:27 PM, Martin Babinsky wrote:

On 10/19/2015 04:51 PM, Martin Babinsky wrote:

On 10/19/2015 02:47 PM, Martin Basti wrote:



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
execute
 self.ask_for_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 215, in ask_for_options
 bind_pw=self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
 self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works

Martin^2


The function was leaking an opened backend connection due to incorrect
disconnect logic. Updated patch should fix this.




Reworked patch attached which uses the existing function in dsinstance.py to
check the domain level.

However, note that it may require my patch 0088 to function correctly.




Attaching updated patch.

--
Martin^3 Babinsky
From b5bcfdc951c7072a0f70d71f26e9a3ce87bbe3ce Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH 1/2] disable ipa-replica-prepare in non-zero IPA domain level

The original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when the IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to set up
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..c573428ed59147cbfe22944787726fc817284680 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{command_name}' to generate replica file
+is supported only in {min_domain_level}-level IPA domain.
+
+The current IPA domain level is {curr_domain_level} and thus the replica must
+be created by promoting an existing IPA client.
+
+To set up a replica use the following procedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install'
+*without* replica file specified
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
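Review bot: the template text reads awkwardly once formatted: "is supported only in {min_domain_level}-level IPA domain" renders as "in 0-level IPA domain"; "is supported only at IPA domain level {min_domain_level}" says the same thing clearly. The named placeholders themselves are good, they make the `format()` call self-documenting.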
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +689,13 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+command_name=self.command_name,
+min_domain_level=MIN_DOMAIN_LEVEL,
+curr_domain_level=domain_level)
+)
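Review bot: `check_domainlevel` raises `RuntimeError`, while the neighbouring check in the same class raises `admintool.ScriptError("You can't create a replica on itself")`; `ScriptError` is what the admintool framework turns into a clean error message and exit code, so use it here too, otherwise the user gets the template text wrapped in a traceback. The comparison `domain_level > MIN_DOMAIN_LEVEL` is correct for "non-zero" only as long as `MIN_DOMAIN_LEVEL` stays 0, which matches the commit message.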
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0088] fix dsinstance.py:get_domain_level function

2015-10-20 Thread Martin Basti



On 20.10.2015 12:49, Martin Babinsky wrote:
During review of Simo's patches I have found some inconsistencies 
between 'get_domain_level' function definition and its usage.


This little patch fixes them.





ACK
Pushed to master: 98bf90e4cecb38fc72a0b598a6e6a50fee284f31

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Simo Sorce

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option in the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass
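Review bot: the `try`/`finally` wraps both the replica and the master branch, which is right, but swallowing every `OSError` from `os.unlink` hides the case where the temporary ccache could not be removed; log it at debug level at least, so a credential file left behind by a failed run is noticed rather than silently kept.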

I guess you wanted to add the '--replica' option to the CA installer, but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'


Argh! Sorry,
this use was exactly one of the reasons I had to introduce the --replica 
switch; I will have to rework a bunch of code to detect if we are a 
replica or a master. I will hopefully have a revised patch in a few hours.


Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0086] disable ipa-replica prepare in non-zero domain levels

2015-10-20 Thread Martin Babinsky

On 10/19/2015 04:51 PM, Martin Babinsky wrote:

On 10/19/2015 02:47 PM, Martin Basti wrote:



On 15.10.2015 16:29, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5175




NACK

with domain level 0

ipa-replica-prepare 

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in
execute
 self.ask_for_options()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 215, in ask_for_options
 bind_pw=self.dirman_password)
   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 61,
in connect
 self.id, threading.currentThread().getName()
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: Exception: connect:
'context.ldap2_140616703529424' already exists in thread 'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
connect: 'context.ldap2_140616703529424' already exists in thread
'MainThread'
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: The
ipa-replica-prepare command failed.

without your patch it works

Martin^2


The function was leaking an opened backend connection due to incorrect
disconnect logic. Updated patch should fix this.



Reworked patch attached which uses the existing function in dsinstance.py to 
check the domain level.


However, note that it may require my patch 0088 to function correctly.

--
Martin^3 Babinsky
From ff54c17fdd39cc06e5cc0241a12edb0a22f7caac Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 15 Oct 2015 16:07:48 +0200
Subject: [PATCH] disable ipa-replica-prepare in non-zero IPA domain level

The original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when the IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to set up
replicas.

https://fedorahosted.org/freeipa/ticket/5175
---
 ipaserver/install/ipa_replica_prepare.py | 26 +-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 2b4a60e16bd23f9d4c8e0135708950a6cc40db9a..df79bdfcee71ea9675007d6f80d97f29106624bf 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -41,7 +41,21 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+from ipalib.constants import CACERT, MIN_DOMAIN_LEVEL
+
+
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
+Replica creation using '{}' to generate replica file is supported only
+in {}-level IPA domain.
+
+The current IPA domain level is {} and thus the replica must be created by
+promoting an existing IPA client.
+
+To set up a replica use the following procedure:
+1.) set up a client on the host using 'ipa-client-install'
+2.) promote the client to replica running 'ipa-replica-install' *without*
+replica file specified
+"""
 
 
 class ReplicaPrepare(admintool.AdminTool):
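Review bot: the template uses three positional `{}` placeholders, so whoever edits the message later has to count arguments in `check_domainlevel` to know which value lands where; named fields (`{command_name}`, `{min_domain_level}`, `{curr_domain_level}`) with keyword arguments to `format()` make the wording and the call self-checking.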
@@ -161,6 +175,8 @@ class ReplicaPrepare(admintool.AdminTool):
 api.bootstrap(in_server=True)
 api.finalize()
 
+self.check_domainlevel(api)
+
 if api.env.host == self.replica_fqdn:
 raise admintool.ScriptError("You can't create a replica on itself")
 
@@ -673,3 +689,11 @@ class ReplicaPrepare(admintool.AdminTool):
 '-w', dm_pwd_fd.name,
 '-o', ca_file
 ])
+
+def check_domainlevel(self, api):
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > MIN_DOMAIN_LEVEL:
+raise RuntimeError(
+UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE.format(
+self.command_name, MIN_DOMAIN_LEVEL, domain_level)
+)
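Review bot: the `api` parameter of `check_domainlevel` shadows the module-level `from ipalib import api` visible at the top of the file, and the caller passes that same global in; either drop the parameter and use the module `api` directly, as the rest of the class does, or rename it so a reader does not have to check which object is meant.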
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part

2015-10-20 Thread Martin Basti



On 20.10.2015 15:57, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5344

Patch attached.

Tests are failing, a fix in UserTracker has to be done (partially in my 
patch 329)




SelfNACK, I forgot to add stageuser tests

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-20 Thread Oleg Fayans

Verified, works as expected.

On 10/20/2015 03:33 PM, Petr Vobornik wrote:

On 10/20/2015 01:32 PM, Martin Babinsky wrote:

On 10/20/2015 01:05 PM, Petr Vobornik wrote:

On 10/20/2015 09:19 AM, Martin Babinsky wrote:

On 10/13/2015 07:04 PM, Martin Babinsky wrote:

On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands


Ooops forgot to regenerate API.txt. Attaching updated patch.




Ping for review.



The commit message is wrong; it doesn't do anything with the Web UI. Also there
is only one patch, not 1/2; otherwise ACK.


Yes, the commit message was confusing. I have rewritten it completely.
Attaching updated patch.



ACK

Pushed to master: e0d9a1b47ce6144d57345744d895b63e5b0ea413


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



[Freeipa-devel] [PATCH 0331] User plugin: allow multiple managers per user - CLI part

2015-10-20 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5344

Patch attached.

Tests are failing, a fix in UserTracker has to be done (partially in my 
patch 329)
From 48cc0be0a83a0a5e24b9753a94f3fee1a7e25bc3 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 16 Oct 2015 16:45:39 +0200
Subject: [PATCH] Allow multiple managers per user - CLI part

https://fedorahosted.org/freeipa/ticket/5344
---
 API.txt  | 12 +--
 VERSION  |  4 ++--
 ipalib/plugins/baseuser.py   |  7 +--
 ipatests/test_xmlrpc/test_user_plugin.py | 35 
 4 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/API.txt b/API.txt
index cf5446114a9ccffad8d87421b4cd75c92ff267ee..19e00516921c78531eb2101d2148bbe614581add 100644
--- a/API.txt
+++ b/API.txt
@@ -4225,7 +4225,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip
 option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
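Review bot: the diffstat lists 35 new lines in `ipatests/test_xmlrpc/test_user_plugin.py`, which the author says currently fail because of the UserTracker; the API.txt flip of `multivalue=False` to `True` on `manager` is mechanical and could be ACKed on its own, but the tests are the only thing that would catch a regression in how multiple managers are stored, so the patch should not be pushed until the tracker fix lands and they pass.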
@@ -4285,7 +4285,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False)
-option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False)
+option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, query=True, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, query=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('not_in_group*', cli_name='not_in_groups', csv=True)
@@ -4342,7 +4342,7 @@ option: DateTime('krbprincipalexpiration', attribute=True, autofill=False, cli_n
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False)
@@ -5172,7 +5172,7 @@ option: Str('krbprincipalname', attribute=True, autofill=True, cli_name='princip
 option: Str('l', attribute=True, cli_name='city', multivalue=False, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
 option: Str('mail', attribute=True, cli_name='email', multivalue=True, required=False)
-option: Str('manager', attribute=True, cli_name='manager', multivalue=False, required=False)
+option: Str('manager', attribute=True, cli_name='manager', multivalue=True, required=False)
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
@@ -5261,7 +5261,7 @@ option: Str('krbprincipalname', attribute=True, autofill=False, cli_name='princi
 option: Str('l', attribute=True, autofill=False, cli_name='city', multivalue=False, query=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, query=True, required=False)
 option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue=True, query=True, required=False)
-option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, query=True, required=False)
+option: Str('manager', attribute=True, autofill=False, cli_name='manager', multiv

Re: [Freeipa-devel] [PATCH 0329] Tests: fix user tracker

2015-10-20 Thread Martin Basti



On 19.10.2015 14:16, Martin Basti wrote:



On 19.10.2015 12:30, Martin Basti wrote:

Attribute nsaccountlock has not been processed correctly

Patch attached.




Self-NACK, more fixes required



Updated patch attached, but it still needs to improve because tests in 
my patch 331 are still failing.
From 7b1fa0d7b9ad8782d2dbb8e98becb6c016183e07 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 19 Oct 2015 12:21:07 +0200
Subject: [PATCH] Tests: Fix user tracker

---
 ipatests/test_xmlrpc/test_user_plugin.py | 42 
 1 file changed, 26 insertions(+), 16 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 18305ad02906a63baafcdf49bd2c93fa39dc4584..a7f2584e986e262ecddd669167e6a684d545d6c9 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -1649,7 +1649,7 @@ class test_denied_bind_with_expired_principal(XMLRPC_test):
 
 
 class UserTracker(Tracker):
-""" Class for host plugin like tests """
+""" Class for user plugin like tests """
 
 retrieve_keys = {
 u'uid', u'givenname', u'sn', u'homedirectory',
@@ -1671,7 +1671,7 @@ class UserTracker(Tracker):
 retrieve_preserved_keys = retrieve_keys - {u'memberof_group'}
 retrieve_preserved_all_keys = retrieve_all_keys - {u'memberof_group'}
 
-create_keys = retrieve_all_keys | {
+create_keys = (retrieve_all_keys - {u'nsaccountlock'}) | {
 u'randompassword', u'mepmanagedentry',
 u'krbextradata', u'krbpasswordexpiration', u'krblastpwdchange',
 u'krbprincipalkey', u'randompassword', u'userpassword'
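Review bot: removing u'nsaccountlock' from create_keys means check_create no longer verifies the lock state returned by user-add at all, while the retrieve, find and update checks normalize it through _fix_nsaccountlock_attr later in this patch. If user-add returns the same boolean form as the other commands, applying the same normalization in check_create keeps that coverage instead of dropping the key; if user-add really does not return it, a one-line comment here saying so would save the next reader the question.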
@@ -1680,7 +1680,8 @@ class UserTracker(Tracker):
 activate_keys = retrieve_all_keys - {u'has_keytab', u'has_password',
  u'nsaccountlock', u'sshpubkeyfp'}
 
-find_keys = retrieve_keys - {u'mepmanagedentry', u'memberof_group'}
+find_keys = retrieve_keys - {u'mepmanagedentry', u'memberof_group',
+ u'manager'}
 find_all_keys = retrieve_all_keys - {u'mepmanagedentry', u'memberof_group'}
 
 def __init__(self, name, givenname, sn, **kwargs):
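Review bot: u'manager' is dropped from find_keys but find_all_keys on the next line still includes it, so check_find(all=True) keeps comparing the manager value; if the reason is the 'manager' multivalue change in the API.txt diff above, the --all path is affected the same way. A comment explaining why manager is excluded would also help, because on its own the exclusion (split over two lines with `u'manager'}` on the continuation) looks accidental.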
@@ -1692,6 +1693,17 @@ class UserTracker(Tracker):
 
 self.kwargs = kwargs
 
+def _fix_nsaccountlock_attr(self, result):
+# small override because user-* commands returns different type
+# of nsaccountlock value than DS, but overall the value fits
+# expected result
+if u'nsaccountlock' in result:
+if result[u'nsaccountlock'] == [u'true']:
+result[u'nsaccountlock'] = True
+elif result[u'nsaccountlock'] == [u'false']:
+result[u'nsaccountlock'] = False
+
+
 def make_create_command(self, force=None):
 """ Make function that crates a user using user-add """
 return self.make_command(
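Review bot: the new helper leaves two blank lines between itself and make_create_command (the two trailing `+` lines) where the rest of the class uses one, and the comment says "commands returns" (should be "return"). Since _fix_nsaccountlock_attr mutates its argument in place and returns None, a short docstring stating that would make call sites such as `self._fix_nsaccountlock_attr(expected)` clearer. It also matches only the exact lists [u'true'] and [u'false']; any other casing, or a bare string, passes through unchanged and fails the later assert_deepequal without a hint about why.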
@@ -1768,6 +1780,8 @@ class UserTracker(Tracker):
 has_password=False,
 mepmanagedentry=[get_group_dn(self.uid)],
 memberof_group=[u'ipausers'],
+nsaccountlock=[u'false'],
+preserved=[u'false']
 )
 
 for key in self.kwargs:
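Review bot: `preserved=[u'false']` is added without a trailing comma and, unlike nsaccountlock, nothing in this patch normalizes it. check_find used to force `preserved` to True and now relies on this attrs value, so if the command reports preserved as a boolean the way it reports nsaccountlock, the comparison fails for any key set that includes it; either extend _fix_nsaccountlock_attr to cover `preserved` too, or say in a comment why the list form is the right expectation here.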
@@ -1811,14 +1825,7 @@ class UserTracker(Tracker):
 else:
 expected = self.filter_attrs(self.retrieve_keys)
 
-# small override because stageuser-find returns different type
-# of nsaccountlock value than DS, but overall the value fits
-# expected result
-if u'nsaccountlock' in expected:
-if expected[u'nsaccountlock'] == [u'true']:
-expected[u'nsaccountlock'] = True
-elif expected[u'nsaccountlock'] == [u'false']:
-expected[u'nsaccountlock'] = False
+self._fix_nsaccountlock_attr(expected)
 
 assert_deepequal(dict(
 value=self.uid,
@@ -1828,14 +1835,13 @@ class UserTracker(Tracker):
 
 def check_find(self, result, all=False, raw=False):
 """ Check 'user-find' command result """
-self.attrs[u'nsaccountlock'] = True
-self.attrs[u'preserved'] = True
-
 if all:
 expected = self.filter_attrs(self.find_all_keys)
 else:
 expected = self.filter_attrs(self.find_keys)
 
+self._fix_nsaccountlock_attr(expected)
+
 assert_deepequal(dict(
 count=1,
 truncated=False,
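Review bot: dropping the two `self.attrs[...] = True` lines changes what check_find expects for preserved users. Previously nsaccountlock and preserved were forced to True before filtering; now the tracker's own attrs (set to [u'false'] at creation earlier in this patch) are used, so any test that calls check_find on a preserved or deleted user must update the tracker's attrs first. Please confirm no existing caller relied on the old behaviour, since the assertion message will not say which of the two keys mismatched.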
@@ -1854,10 +1860,14 @@ class UserTracker(Tracker):
 
 def check_update(self, result, extra_keys=()):
 """ Check 'user-mod' command result """
+expected = self.filter_attrs(self.update_keys | set(extra_keys))
+
+self._fix_nsaccountlock_attr(expected)
+
 assert_deepequal(dict(
 value=self.uid,
 summary=u'Modified user "%s"' % self.uid,
-result=self.filter_attrs(self.update_keys | set(extra_keys))
+result=expected,
 ), result)
 
 def create_from_staged(self, stageduser):
@@ -1

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-20 Thread Petr Vobornik

On 10/20/2015 01:32 PM, Martin Babinsky wrote:

On 10/20/2015 01:05 PM, Petr Vobornik wrote:

On 10/20/2015 09:19 AM, Martin Babinsky wrote:

On 10/13/2015 07:04 PM, Martin Babinsky wrote:

On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands


Ooops forgot to regenerate API.txt. Attaching updated patch.




Ping for review.



commit message is wrong, it doesn't do anything with Web UI. Also there
is only one patch, not 1/2, otherwise ACK.


Yes the commit message was confusing. I have rewritten it completely.
Attaching updated patch.



ACK

Pushed to master: e0d9a1b47ce6144d57345744d895b63e5b0ea413
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0012-0019] CA ACL tracker and functional test

2015-10-20 Thread Martin Basti



On 20.10.2015 10:00, Milan Kubík wrote:

On 10/19/2015 01:38 PM, Martin Basti wrote:



On 16.10.2015 15:43, Milan Kubík wrote:

On 09/30/2015 02:47 PM, Martin Basti wrote:

On 09/24/2015 02:49 PM, Milan Kubík wrote:

Hi all,




an update for CA ACL tests!




I, with help from M. Babinsky, managed to find a way to change
the identity during an acceptance test run, which allows
to test CA ACLs (and perhaps other areas with some form of access
control).




This allowed me to write a test for CA ACLs and certificate
profiles that checks if the ACL/profile is being used and
enforced.


The first several tests are based on Fraser's blogpost using SMIME
profile [1].




The master and ipa-4-2 branches diverged a bit, so I had to change
two commits when rebasing to ipa-4-2 branch.




Commits should be applied in the order (including rebased patches
I sent in an earlier email):




master:


* 12 - 17




ipa-4-2:


* 18, 13 - 15, 19, 17




For convenience:


patches on top of master:
https://github.com/apophys/freeipa/tree/acl-profile-functional


patches on top of ipa-4-2:
https://github.com/apophys/freeipa/tree/acl-42






[1]:
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/



Cheers,


Milan

NACK

0)
rpm file does not contain test_xmlrpc/data directory, please modify
setup.py.in.

1)
Code contains too much TODO for my taste.

2)
Please do not use filter function, use dict comprehension.

Hi,

updated patches and the numbering mess somehow curbed. The patches 
are rebased on top of current master and ipa-4-2.


0) fixed by 0021

1) docs for tracker extended, added more test cases

2) changed


--
Milan Kubik

I have a few comments:

1)
+# TODO: rewrite these into Tracker instances
+@pytest.fixture(scope='class')
+def smime_user(request):
+api.Command.user_add(uid=u'alice', givenname=u'Alice', sn=u'SMIME',
+ userpassword=u'Change123')
+
+unlock_principal_password('alice', 'Change123', 'Secret123')
+
+def fin():
+api.Command.user_del(u'alice')
+request.addfinalizer(fin)
+
+return u'alice'
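Review bot: the finalizer is registered only after both user_add and unlock_principal_password have succeeded, so if unlock_principal_password raises (for example because the password policy rejects the new value), the 'alice' user is left behind and every later run of the class fails on user_add with an existing entry; call request.addfinalizer(fin) immediately after user_add. The fixture also mixes str and unicode literals for the same values ('alice' vs u'alice', 'Change123' vs u'Change123'); pick one form.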

I do not like the hardcoded password value; as this password is used in 
many places in the test, I suggest using a module variable

Done


2)
+class TestSignWithChangedProfile(XMLRPC_test):
+""" Test to verify that the updated profile is used."""
+pass  # import invalid profile, try to sign, expect fail

IMO something is missing here, a test maybe?


Done by using profile with constraint that CSR cannot meet.

3)
# noqa
Please remove "# noqa" comments from commits


Done.

--
Milan Kubik


NACK

1)
I still see many hardcoded passwords in the code
with change_principal(smime_user, "Secret123"):

2)
Also the 'alice' username can be extracted to a module variable instead 
of hardcoding it


3)
File alice.conf.tmpl can be generalized to be used for more users: 
replace alice in the template with {username} and in code replace this 
variable with alice; also do not forget to rename the template to something 
more general



-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-20 Thread Martin Babinsky

On 10/20/2015 01:05 PM, Petr Vobornik wrote:

On 10/20/2015 09:19 AM, Martin Babinsky wrote:

On 10/13/2015 07:04 PM, Martin Babinsky wrote:

On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands


Ooops forgot to regenerate API.txt. Attaching updated patch.




Ping for review.



commit message is wrong, it doesn't do anything with Web UI. Also there
is only one patch, not 1/2, otherwise ACK.

Yes the commit message was confusing. I have rewritten it completely. 
Attaching updated patch.


--
Martin^3 Babinsky
From e35b708c67ae83dad8f0f6d794339eff271ebefc Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 12 Oct 2015 17:49:50 +0200
Subject: [PATCH] do not ask for segment direction when running topology
 commands

https://fedorahosted.org/freeipa/ticket/5222
---
 API.txt| 2 +-
 VERSION| 4 ++--
 ipalib/plugins/topology.py | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index cf5446114a9ccffad8d87421b4cd75c92ff267ee..873c6d54221a0c1657b5457bd9dceedb4adf06b3 100644
--- a/API.txt
+++ b/API.txt
@@ -4804,7 +4804,7 @@ arg: Str('topologysuffixcn', cli_name='topologysuffix', multivalue=False, primar
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
-option: StrEnum('iparepltoposegmentdirection', attribute=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left'))
+option: StrEnum('iparepltoposegmentdirection', attribute=True, autofill=True, cli_name='direction', default=u'both', multivalue=False, required=True, values=(u'both', u'left-right', u'right-left'))
 option: Str('iparepltoposegmentleftnode', attribute=True, cli_name='leftnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True)
 option: Str('iparepltoposegmentrightnode', attribute=True, cli_name='rightnode', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9.][a-zA-Z0-9.-]{0,252}[a-zA-Z0-9.$-]?$', required=True)
 option: StrEnum('nsds5replicaenabled', attribute=True, cli_name='enabled', multivalue=False, required=False, values=(u'on', u'off'))
diff --git a/VERSION b/VERSION
index a14b89f289f7d859f381cf78a742a5a5d038d491..cdda198c6ce3148dcf785149dc3ce050782e8caa 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=156
-# Last change: pvoborni - add vault container commands
+IPA_API_VERSION_MINOR=157
+# Last change: mbabinsk - hide segment direction from topology commands
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index c6b86b5909cf5ef2c02515f7a6cbe4e987a927a9..2b82215e273d959fdb207801ed146b843460bae5 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -105,6 +105,7 @@ class topologysegment(LDAPObject):
 label=_('Connectivity'),
 values=(u'both', u'left-right', u'right-left'),
 default=u'both',
+autofill=True,
 doc=_('Direction of replication between left and right replication '
   'node'),
 flags={'no_option', 'no_update'},
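Review bot: `autofill=True` together with `default=u'both'` is what suppresses the interactive prompt, but `required=True` is kept (see the API.txt hunk above), so the parameter stays mandatory on the wire and is always filled with 'both' when omitted; a short comment on the new line saying the prompt is suppressed by autofill rather than by the existing 'no_option' flag would spare the next reader the same investigation. The flags set still carries 'no_update', so the direction cannot be changed after the segment is created; confirm that is intended now that users can no longer choose it at creation either.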
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [0089] fix class teardown in user plugin tests

2015-10-20 Thread Martin Babinsky

fixes https://fedorahosted.org/freeipa/ticket/5368

--
Martin^3 Babinsky
From a13e6204f3941efb2138bf7a4767b4115d99dbce Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 14 Oct 2015 08:59:08 +0200
Subject: [PATCH] fix class teardown in user plugin tests

https://fedorahosted.org/freeipa/ticket/5368
---
 ipatests/test_xmlrpc/test_user_plugin.py |  5 +
 ipatests/test_xmlrpc/xmlrpc_test.py  | 11 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 18305ad02906a63baafcdf49bd2c93fa39dc4584..3d7b5e6ba14e3ccb144575f52e4e503e6638037d 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -1619,6 +1619,11 @@ class test_denied_bind_with_expired_principal(XMLRPC_test):
 cls.connection = ldap.initialize('ldap://{host}'
  .format(host=api.env.host))
 
+@classmethod
+def teardown_class(cls):
+cls.failsafe_del(api.Object.user, user1)
+super(test_denied_bind_with_expired_principal, cls).teardown_class()
+
 def test_1_bind_as_test_user(self):
 self.failsafe_add(
 api.Object.user,
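Review bot: the new teardown_class deletes user1 but never releases cls.connection, which setup_class above creates with ldap.initialize(...); an unbind (cls.connection.unbind_s()) before the super() call would avoid leaking an LDAP connection across test classes. Also, user1 must be a module-level name for this to work from a classmethod; that is fine as long as the module defines it, which the visible hunk does not show.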
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 80638e2efdd9d7ff07fd89688397acb7d44654cd..a7251f695bf6cd44d0e472234a7120a800ad6543 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -195,11 +195,20 @@ class XMLRPC_test(object):
 :param pk: The primary key of the entry to be created
 :param options: Kwargs to be passed to obj.add()
 """
+self.failsafe_del(obj, pk)
+return obj.methods['add'](pk, **options)
+
+@classmethod
+def failsafe_del(cls, obj, pk):
+"""
+Delete an entry if it exists
+:param obj: An Object like api.Object.user
+:param pk: The primary key of the entry to be deleted
+"""
 try:
 obj.methods['del'](pk)
 except errors.NotFound:
 pass
-return obj.methods['add'](pk, **options)
 
 
 IGNORE = """Command %r is missing attribute %r in output entry.
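Review bot: failsafe_add now silently removes any pre-existing entry with the same pk before adding, a side effect its docstring (the `:param pk:` / `:param options:` lines just above) does not mention; add a sentence there. failsafe_del swallows only errors.NotFound and returns None, so a caller cannot tell whether anything was deleted; returning True/False would make it usable in assertions. Since it is a classmethod called from teardown_class, any other error during deletion surfaces as a teardown error rather than a test failure, which is acceptable but worth a comment.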
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-20 Thread Petr Vobornik

On 10/20/2015 09:19 AM, Martin Babinsky wrote:

On 10/13/2015 07:04 PM, Martin Babinsky wrote:

On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands


Ooops forgot to regenerate API.txt. Attaching updated patch.




Ping for review.



commit message is wrong, it doesn't do anything with Web UI. Also there 
is only one patch, not 1/2, otherwise ACK.


--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 0088] fix dsinstance.py:get_domain_level function

2015-10-20 Thread Martin Babinsky
During review of Simo's patches I have found some inconsistencies 
between 'get_domain_level' function definition and its usage.


This little patch fixes them.

--
Martin^3 Babinsky
From 745231f2cf3b3bd4c1d113052c81387e84339de0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 20 Oct 2015 10:22:36 +0200
Subject: [PATCH] fix dsinstance.py:get_domain_level function

This patch cleans up an unused parameter and fixes the return value when
'ipaDomainLevel' is found: instead of a dict we should return an integer.
---
 ipaserver/install/dsinstance.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 4c3203e447571e3beb1e7ca9b3e5dfecebb7333e..b1ad2d8902788b7bf8c5bfdbcd8a0c1b1f236998 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -165,7 +165,7 @@ def create_ds_user():
 )
 
 
-def get_domain_level(self, api=api):
+def get_domain_level(api=api):
 conn = ipaldap.IPAdmin(ldapi=True, realm=api.env.realm)
 conn.do_external_bind('root')
 
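Review bot: dropping the stray `self` parameter is right for a module-level function, but `api=api` as a default argument binds the module's api object at import time, so callers that want a different api instance must pass it explicitly; fine if that is the intent. The IPAdmin connection opened here is never released in the visible lines; wrapping the lookup in try/finally with conn.unbind() would avoid leaking an LDAPI connection on every call.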
@@ -176,7 +176,7 @@ def get_domain_level(self, api=api):
 entry = conn.get_entry(dn, ['ipaDomainLevel'])
 except errors.NotFound:
 return 0
-return {'result': int(entry.single_value['ipaDomainLevel'])}
+return int(entry.single_value['ipaDomainLevel'])
 
 
 INF_TEMPLATE = """
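Review bot: the NotFound branch returns 0, but if the entry exists without an 'ipaDomainLevel' value, `entry.single_value['ipaDomainLevel']` raises KeyError and the int() conversion is never reached; either treat a missing attribute as level 0 as well or document that the attribute is guaranteed to be present. Any caller that previously indexed the old dict with ['result'] also needs updating in the same patch, since the return type changed.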
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Martin Babinsky

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.



NACK, in patch 551 you add a test for non-existent CLI option into main 
method:


@@ -198,10 +251,20 @@ def main():
 if os.geteuid() != 0:
 sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file', None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass
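Review bot: `options.replica` is read directly while `created_ccache_file` in the same hunk is fetched defensively with getattr(options, ..., None); if the parser does not define `replica`, the direct attribute access raises AttributeError at the top of the try block before either install function runs, and the finally block then executes cleanup with nothing to clean. Either add the option to the parser or, if it is only meant to exist on some code paths, use the same getattr pattern; a missing option should fail with a usage error rather than a traceback.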

I guess you wanted to add the '--replica' option to the CA installer, but 
since it was not added to the option parser the installer explodes.


# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record

2015-10-20 Thread Oleg Fayans

Hi Martin,

On 10/20/2015 10:26 AM, Martin Basti wrote:



On 20.10.2015 10:17, Oleg Fayans wrote:



On 10/20/2015 10:10 AM, Petr Vobornik wrote:

On 10/20/2015 09:57 AM, Oleg Fayans wrote:

Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and
then try to create the host, it complains that the host does not have
corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: A
A IP Address: 192.168.122.253
   Record name: fortest
   A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.


The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that

dnsrecord-add and host-add work for me, the A record is resolvable.

Have you configured /etc/resolv.conf properly on the host (or the
NetworkManager DNS configuration)?


Yes, I did. In fact, I just upgraded the server to the latest version 
from upstream, and the issue is gone.






Other option is to add host with --ip-address option so you can skip the
dnsrecord-add call.


I know, but there must be a way to fix the host if an admin forgot to
add this option. So, ideally, I should be able to create a host, then
add a dnsrecord, then add a service. Now, obviously it's not the case:

root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@f22master:/home/ofayans]$ ipa service-add
someservice/trololo.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
  Record name: trololo
  A record: 192.168.122.200







When I then use --force to create the host anyway and then try to add a
service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a
service
to.



This error tells that the host entry does not exist.






--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record

2015-10-20 Thread Martin Basti



On 20.10.2015 10:17, Oleg Fayans wrote:



On 10/20/2015 10:10 AM, Petr Vobornik wrote:

On 10/20/2015 09:57 AM, Oleg Fayans wrote:

Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and
then try to create the host, it complains that the host does not have
corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: A
A IP Address: 192.168.122.253
   Record name: fortest
   A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.


The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that

dnsrecord-add and host-add work for me, the A record is resolvable.

Have you configured /etc/resolv.conf properly on the host (or the 
NetworkManager DNS configuration)?




Other option is to add host with --ip-address option so you can skip the
dnsrecord-add call.


I know, but there must be a way to fix the host if an admin forgot to 
add this option. So, ideally, I should be able to create a host, then 
add a dnsrecord, then add a service. Now, obviously it's not the case:


root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@f22master:/home/ofayans]$ ipa service-add 
someservice/trololo.pesen.net

ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
  Record name: trololo
  A record: 192.168.122.200







When I then use --force to create the host anyway and then try to add a
service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a 
service

to.



This error tells that the host entry does not exist.




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] freshly added service is disabled

2015-10-20 Thread Petr Vobornik

On 10/20/2015 10:12 AM, Oleg Fayans wrote:

Hi all,

While running the caless tests I've encountered a strange behavior of
the service module:
when I add a new service and then try to disable it, it says it has
already been disabled:

ofayans@f22master:~]$ ipa service-add --force
Principal: totest/trololo.pesen.net
--
Added service "totest/trololo.pesen@pesen.net"
--
   Principal: totest/trololo.pesen@pesen.net
   Managed by: trololo.pesen.net
ofayans@f22master:~]$ ipa service-disable
Principal: totest/trololo.pesen@pesen.net
ipa: ERROR: This entry is already disabled

ipa help service shows there is no service-enable subcommand. So I have
2 questions:
1. How do I enable previously disabled service?
2. Why is a freshly-created service disabled by default?



Service disable revokes the existing certificate, removes it from the 
service entry and also removes the Kerberos principal key.


When you create a new service, it contains neither a principal key nor a 
certificate, therefore there is no work to do in the disable command, 
hence the message.

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record

2015-10-20 Thread Oleg Fayans



On 10/20/2015 10:10 AM, Petr Vobornik wrote:

On 10/20/2015 09:57 AM, Oleg Fayans wrote:

Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and
then try to create the host, it complains that the host does not have
corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: A
A IP Address: 192.168.122.253
   Record name: fortest
   A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.


The check uses DNS resolution to get the info. Does it work well?

It works, I added an output of ping command to show that


Other option is to add host with --ip-address option so you can skip the
dnsrecord-add call.


I know, but there must be a way to fix the host if an admin forgot to 
add this option. So, ideally, I should be able to create a host, then 
add a dnsrecord, then add a service. Now, obviously it's not the case:


root@f22master:/home/ofayans]$ ping trololo.pesen.net
PING trololo.pesen.net (192.168.122.200) 56(84) bytes of data.
^C
--- trololo.pesen.net ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

root@f22master:/home/ofayans]$ ipa service-add someservice/trololo.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
root@f22master:/home/ofayans]$ ipa dnsrecord-show
Record name: trololo
Zone name: pesen.net.
  Record name: trololo
  A record: 192.168.122.200







When I then use --force to create the host anyway and then try to add a
service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service
to.



This error tells that the host entry does not exist.


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] freshly added service is disabled

2015-10-20 Thread Oleg Fayans

Hi all,

While running the caless tests I've encountered a strange behavior of 
the service module:
when I add a new service and then try to disable it, it says it has 
already been disabled:


ofayans@f22master:~]$ ipa service-add --force
Principal: totest/trololo.pesen.net
--
Added service "totest/trololo.pesen@pesen.net"
--
  Principal: totest/trololo.pesen@pesen.net
  Managed by: trololo.pesen.net
ofayans@f22master:~]$ ipa service-disable
Principal: totest/trololo.pesen@pesen.net
ipa: ERROR: This entry is already disabled

ipa help service shows there is no service-enable subcommand. So I have 
2 questions:

1. How do I enable previously disabled service?
2. Why is a freshly-created service disabled by default?

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Host does not have corresponding DNS A/AAAA record

2015-10-20 Thread Petr Vobornik

On 10/20/2015 09:57 AM, Oleg Fayans wrote:

Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and
then try to create the host, it complains that the host does not have
corresponding DNS A/AAAA record.

ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: A
A IP Address: 192.168.122.253
   Record name: fortest
   A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.


The check uses DNS resolution to get the info. Does it work well?

Other option is to add host with --ip-address option so you can skip the 
dnsrecord-add call.





When I then use --force to create the host anyway and then try to add a
service to this host, I get the same error:

ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service
to.



This error tells that the host entry does not exist.
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0012-0019] CA ACL tracker and functional test

2015-10-20 Thread Milan Kubík

On 10/19/2015 01:38 PM, Martin Basti wrote:

On 16.10.2015 15:43, Milan Kubík wrote:

On 09/30/2015 02:47 PM, Martin Basti wrote:

On 09/24/2015 02:49 PM, Milan Kubík wrote:

Hi all,

an update for CA ACL tests!

I, with help from M. Babinsky, managed to find a way to change
the identity during acceptance test run, which allows
to test CA ACLs (and perhaps other areas with some form of access
control).

This allowed me to write a test for CA ACLs and certificate
profiles that checks if the ACL/profile is being used and
enforced.

The first several tests are based on Fraser's blogpost using SMIME
profile [1].

The master and ipa-4-2 branches diverged a bit, so I had to change
two commits when rebasing to ipa-4-2 branch.

Commits should be applied in the order (including rebased patches
I sent in an earlier email):

master:
* 12 - 17

ipa-4-2:
* 18, 13 - 15, 19, 17

For convenience:
patches on top of master:
https://github.com/apophys/freeipa/tree/acl-profile-functional

patches on top of ipa-4-2:
https://github.com/apophys/freeipa/tree/acl-42

[1]:
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Cheers,
Milan

NACK

0)
rpm file does not contain test_xmlrpc/data directory, please modify
setup.py.in.

1)
Code contains too much todo for my taste.

2)
Please do not use filter function, use dict comprehension.

Hi,

updated patches and the numbering mess somehow curbed. The patches 
are rebased on top of current master and ipa-4-2.


0) fixed by 0021

1) docs for tracker extended, added more test cases

2) changed


--
Milan Kubik

I have a few comments:

1)
+# TODO: rewrite these into Tracker instances
+@pytest.fixture(scope='class')
+def smime_user(request):
+api.Command.user_add(uid=u'alice', givenname=u'Alice', sn=u'SMIME',
+ userpassword=u'Change123')
+
+unlock_principal_password('alice', 'Change123', 'Secret123')
+
+def fin():
+api.Command.user_del(u'alice')
+request.addfinalizer(fin)
+
+return u'alice'
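Review bot: in `smime_user`, `request.addfinalizer(fin)` is registered only after `unlock_principal_password('alice', ...)` has run, so if the unlock raises, the `alice` user created by `api.Command.user_add` is never deleted and leaks into later test classes. Move the `request.addfinalizer(fin)` call directly after `user_add`, before the unlock, so cleanup is guaranteed regardless of where the fixture fails.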

I do not like hardcoded password value, as this password is used in 
many places in the test, I suggest to use a module variable

Done


2)
+class TestSignWithChangedProfile(XMLRPC_test):
+""" Test to verify that the updated profile is used."""
+pass  # import invalid profile, try to sign, expect fail

IMO something is missing here, a test maybe?


Done by using profile with constraint that CSR cannot meet.

3)
# noqa
Please remove "# noqa" comments from commits


Done.

--
Milan Kubik

From d3599a45ecb7d3bc8e5364fde239769291672ca2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Fri, 7 Aug 2015 15:54:18 +0200
Subject: [PATCH 3/6] tests: add test to check the default ACL

Also includes basic ACL manipulation and adding
and removing members to/from the acl.

https://fedorahosted.org/freeipa/ticket/57
---
 ipatests/test_xmlrpc/test_caacl_plugin.py | 135 --
 1 file changed, 128 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_caacl_plugin.py b/ipatests/test_xmlrpc/test_caacl_plugin.py
index 6cf835b229f70797e32bcfd2309cfa7be5732f51..33268d6dde115ce040e55eaae08a7fe1299ad112 100644
--- a/ipatests/test_xmlrpc/test_caacl_plugin.py
+++ b/ipatests/test_xmlrpc/test_caacl_plugin.py
@@ -6,20 +6,20 @@
 Test the `ipalib.plugins.caacl` module.
 """
 
-import os
-
 import pytest
 
-from ipapython import ipautil
-from ipalib import errors, x509
-from ipapython.dn import DN
+from ipalib import errors
 from ipatests.test_xmlrpc.ldaptracker import Tracker
 from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_caacldn,
-  fuzzy_uuid, fuzzy_ipauniqueid,
-  raises_exact)
+  fuzzy_uuid, fuzzy_ipauniqueid)
+
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.util import assert_deepequal
 
+# reuse the fixture
+from ipatests.test_xmlrpc.test_certprofile_plugin import default_profile
+from ipatests.test_xmlrpc.test_stageuser_plugin import StageUserTracker
+
 
 class CAACLTracker(Tracker):
 """Tracker class for CA ACL LDAP object.
@@ -376,3 +376,124 @@ class CAACLTracker(Tracker):
 command = self.make_command(u'caacl_disable', self.name)
 self.attrs.update({u'ipaenabledflag': [u'FALSE']})
 command()
+
+
+@pytest.fixture(scope='class')
+def default_acl(request):
+name = u'hosts_services_caIPAserviceCert'
+tracker = CAACLTracker(name, service_category=u'all', host_category=u'all')
+tracker.track_create()
+tracker.attrs.update(
+{u'ipamembercertprofile_certprofile': [u'caIPAserviceCert']})
+return tracker
+
+
+@pytest.fixture(scope='class')
+def crud_acl(request):
+name = u'crud-acl'
+tracker = CAACLTracker(name)
+
+return tracker.make_fixture(reques
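Review bot: `default_acl` calls `tracker.track_create()` without creating anything and then writes into `tracker.attrs` directly, which relies on the `hosts_services_caIPAserviceCert` ACL already existing on the installed server and bypasses the tracker's own bookkeeping of expected attributes. State that assumption in a fixture docstring, and note that no finalizer is registered on purpose so teardown never touches the server's default ACL. The `request` parameter of `default_acl` is unused and can be dropped; `crud_acl` is cut off at `make_fixture(reques` in this copy of the patch, so its fixture wiring cannot be reviewed here.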

[Freeipa-devel] Host does not have corresponding DNS A/AAAA record

2015-10-20 Thread Oleg Fayans

Hi,

I keep hitting a strange issue: when I create a dnsrecord manually and 
then try to create the host, it complains that the host does not have 
corresponding DNS A/AAAA record.


ofayans@f22master:~]$ ipa dnsrecord-add
Record name: fortest
Zone name: pesen.net.
Please choose a type of DNS resource record to be added
The most common types for this type of zone are: A, AAAA

DNS resource record type: A
A IP Address: 192.168.122.253
  Record name: fortest
  A record: 192.168.122.253
ofayans@f22master:~]$ ipa host-add
Host name: fortest.pesen.net
ipa: ERROR: Host does not have corresponding DNS A/AAAA record
ofayans@f22master:~]$ ping fortest
PING fortest.pesen.net (192.168.122.253) 56(84) bytes of data.

When I then use --force to create the host anyway and then try to add a 
service to this host, I get the same error:


ofayans@f22master:~]$ ipa service-add
Principal: fortest/fortest.pesen.net
ipa: ERROR: The host 'fortest.pesen.net' does not exist to add a service to.



--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-20 Thread Martin Babinsky

On 10/13/2015 07:04 PM, Martin Babinsky wrote:

On 10/13/2015 06:55 PM, Martin Babinsky wrote:

mbabinsk - hide segment direction from topology commands


Ooops forgot to regenerate API.txt. Attaching updated patch.

Ping for review.

--
Martin^3 Babinsky
