[Freeipa-devel] ipa-4-2 branch is broken !!!

2015-11-12 Thread Martin Basti

Lint failed in current ipa-4-2 branch.

===
Errors were found during the static code check.

If you are certain that any of the reported errors are false positives, please
mark them in the source code according to the pylint documentation.
===

* Module ipatests.test_ipaserver.test_ldap
ipatests/test_ipaserver/test_ldap.py:43: [E0602(undefined-variable), test_ldap] Undefined variable 'pytest')
ipatests/test_ipaserver/test_ldap.py:154: [E0602(undefined-variable), test_LDAPEntry] Undefined variable 'pytest')

Makefile:119: recipe for target 'lint' failed

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [patch 0024] Fix missed module import in ipaserver tests

2015-11-12 Thread Milan Kubík


--
Milan Kubik

From 7dabe3f38005e1553b28b98a32578390f2bc629b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Thu, 12 Nov 2015 10:39:48 +0100
Subject: [PATCH] ipatests: Fix missed module import in ipaserver tests

---
 ipatests/test_ipaserver/test_ldap.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_ipaserver/test_ldap.py b/ipatests/test_ipaserver/test_ldap.py
index 85e578b12d3d7ae5c98e221bf4b0fdadfd0d..06c1eb4bf88d95032bde35f959b479cf462f62a9 100644
--- a/ipatests/test_ipaserver/test_ldap.py
+++ b/ipatests/test_ipaserver/test_ldap.py
@@ -28,6 +28,7 @@
 import os
 
 import nose
+import pytest
 from nose.tools import assert_raises  # pylint: disable=E0611
 import nss.nss as nss
 
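Review bot: the added `import pytest` (new line 31 of test_ldap.py) lands between `import nose` and `from nose.tools import assert_raises`, splitting the two nose imports; placing it after the `from nose.tools` line keeps related imports together. The commit message has only a subject, so a line naming the two E0602 lint errors it resolves would help anyone reading the ipa-4-2 history later.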
-- 
2.6.2


Re: [Freeipa-devel] ipa-4-2 branch is broken !!!

2015-11-12 Thread Milan Kubík

On 11/12/2015 10:35 AM, Martin Basti wrote:

> Lint failed in current ipa-4-2 branch.
>
> ===
> Errors were found during the static code check.
>
> If you are certain that any of the reported errors are false positives, please
> mark them in the source code according to the pylint documentation.
> ===
>
> * Module ipatests.test_ipaserver.test_ldap
> ipatests/test_ipaserver/test_ldap.py:43: [E0602(undefined-variable), test_ldap] Undefined variable 'pytest')
> ipatests/test_ipaserver/test_ldap.py:154: [E0602(undefined-variable), test_LDAPEntry] Undefined variable 'pytest')
>
> Makefile:119: recipe for target 'lint' failed

Fixed by patch 0024.

--
Milan Kubik



Re: [Freeipa-devel] [PATCH 0380] spec: Add Provides directives to alternative package names

2015-11-12 Thread Jan Cholasta

On 9.11.2015 13:34, Tomas Babej wrote:



On 11/09/2015 01:10 PM, Jan Cholasta wrote:

Hi,

On 9.11.2015 12:58, Tomas Babej wrote:

Hi,

this fixes:

https://fedorahosted.org/freeipa/ticket/5408


a) Don't include %{release} in the Provides, release number is
meaningless between distros.



Good point.


b) Please put the Provides near the related Conflicts and Obsoletes,
like this:

Provides: %{alt_name}-XXX = %{version}
Conflicts: %{alt_name}-XXX
Obsoletes: %{alt_name}-XXX < %{version}

Honza



Updated version attached.


Thanks, ACK.

Pushed to master: ab58ec0d50f172093e75b7834f6ed5e39992c2d9

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0095] remove an unnecessary check from IPA server uninstaller

2015-11-12 Thread Jan Cholasta

On 11.11.2015 16:32, Jan Cholasta wrote:

On 11.11.2015 16:24, Martin Babinsky wrote:

This check for a deprecated option was added in
https://fedorahosted.org/freeipa/ticket/4516 and somehow ended up in
both install_check and uninstall_check during installer refactoring.

The placement in the latter is rather pointless so this patch removes it.


ACK.


Pushed to master: d66492c15e847ffe68829e1b92cc43dbc60c4c7d

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion

2015-11-12 Thread Petr Vobornik

On 11/10/2015 05:43 PM, Martin Babinsky wrote:

On 11/04/2015 06:50 PM, Petr Vobornik wrote:

On 11/04/2015 01:30 PM, Martin Babinsky wrote:

On 10/30/2015 05:06 PM, Martin Babinsky wrote:

On 10/30/2015 03:38 PM, Petr Vobornik wrote:

On 10/30/2015 03:26 PM, Martin Babinsky wrote:

patch for https://fedorahosted.org/freeipa/ticket/5309

The ticket itself is about connectivity checks in topology suffixes, but
there is code (install/tools/ipa-replica-manage starting at line 788
after applying my patch) which monitors whether the segments pointing
to/from the deleted host are already deleted.

These checks are currently hardcoded for 'realm' prefix, should we
generalize them as well or is it a part of other effort?



Could be separate patch but yes.

Ok I have included it in the attached patch so that both of these
operations are performed for all suffixes.




Hmm, I'm thinking whether the 'check_last_link_managed' and
'check_deleted_segments' should not be called per-suffix, but should
themselves check all suffixes available. This could make the fix for
https://fedorahosted.org/freeipa/ticket/5409 also easier.



Depends if the output is reusable. If so then why not.
check_last_link_managed basically adds text to several
get_topology_connection_errors calls.


Attaching updated patch.



I'm not sure about (pseudo code):

topo_errors = ([], [])
for each suffix:
    topo_errors[0].extend(orig_errors)
    topo_errors[1].extend(new_errors)
return topo_errors

In check_deleted_segments wait_for_segment_removal is a per-suffix check
but uses topo_errors which contains errors from both suffixes. Topo
errors are used to relax the check if topology is disconnected but this
might relax it too much.


I would change the errors to per-suffix as well, e.g.:
  topo_errors = {}
  for each suffix:
      topo_errors[suffix_name] = (orig_errors, new_errors)
  return topo_errors

Otherwise it looks OK (not tested yet).
--
Petr Vobornik
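
The two shapes of `topo_errors` discussed in the message above, as an added runnable sketch that is not code from the patch or from ipa-replica-manage. The helper names, the sample topology and the rule that any connectivity error relaxes the wait for segment removal are assumptions made for the illustration.

```python
# Added illustration; helper names and sample data are hypothetical,
# not code from ipa-replica-manage.
from collections import defaultdict, deque

# Constructed topology: suffix -> (masters, segments). Removing "b" splits
# the "domain" suffix (a - b - c) but not the fully meshed "ca" suffix.
TOPOLOGY = {
    "domain": (["a", "b", "c"], [("a", "b"), ("b", "c")]),
    "ca": (["a", "b", "c"], [("a", "b"), ("a", "c"), ("b", "c")]),
}


def connection_errors(masters, segments):
    """Return the masters that cannot be reached from the first master."""
    masters = sorted(masters)
    if not masters:
        return []
    graph = defaultdict(set)
    for left, right in segments:
        # Segments touching a master that is not in the list are ignored,
        # which is how the removal of a host is modelled here.
        if left in masters and right in masters:
            graph[left].add(right)
            graph[right].add(left)
    seen = {masters[0]}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for peer in graph[node] - seen:
            seen.add(peer)
            queue.append(peer)
    return [m for m in masters if m not in seen]


def errors_for_suffix(masters, segments, host):
    """Connectivity errors of one suffix before and after removing host."""
    orig_errors = connection_errors(masters, segments)
    remaining = [m for m in masters if m != host]
    new_errors = connection_errors(remaining, segments)
    return orig_errors, new_errors


def merged_errors(topology, host):
    """First variant from the thread: one pair of lists for all suffixes."""
    topo_errors = ([], [])
    for name in sorted(topology):
        orig_errors, new_errors = errors_for_suffix(*topology[name], host)
        topo_errors[0].extend(orig_errors)
        topo_errors[1].extend(new_errors)
    return topo_errors


def per_suffix_errors(topology, host):
    """Second variant from the thread: errors keyed by suffix name."""
    return {name: errors_for_suffix(*topology[name], host) for name in topology}


def strict_wait(orig_errors, new_errors):
    """Assumed rule: insist on segment removal only if the suffix is connected."""
    return not orig_errors and not new_errors


def wait_decisions(topology, host):
    """Per suffix: (strict with merged errors, strict with its own errors)."""
    merged = merged_errors(topology, host)
    own = per_suffix_errors(topology, host)
    return {name: (strict_wait(*merged), strict_wait(*own[name]))
            for name in topology}


if __name__ == "__main__":
    for suffix, (with_merged, with_own) in sorted(wait_decisions(TOPOLOGY, "b").items()):
        print(suffix, "merged:", with_merged, "per-suffix:", with_own)
```

With the merged lists the disconnection in "domain" also relaxes the wait for "ca", although "ca" stays connected after the removal.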



Re: [Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1

2015-11-12 Thread Martin Basti



On 09.11.2015 14:37, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5424

thanks,

Gabe


Thank you for your patch, almost ACK, but I propose following changes
(patch attached) in error message.


Let me know if you agree with the change.

Martin
From eda85f8e18dda352adc01e403cd60529a257511a Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Sun, 8 Nov 2015 17:18:17 -0700
Subject: [PATCH] ipa-replica-manage del continues when host does not exist in
 domain level 1

- Raises error and stops operation unless --cleanup is specified.

https://fedorahosted.org/freeipa/ticket/5424
---
 install/tools/ipa-replica-manage | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index b9998da44dcc1f01c5eb342ee713634de0ee84ee..2de6fd7993be290fefa5c2c7d07733c39d457ed6 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -740,7 +740,13 @@ def del_master_managed(realm, hostname, options):
 try:
 api.Command.server_del(hostname_u)
 except errors.NotFound:
-print("Server entry already deleted: %s" % (hostname))
+if not options.cleanup:
+print("{hostname} does not exist.".format(hostname=hostname))
+print("Please specify an actual server or add the --cleanup "
+  "option to force clean up.")
+sys.exit(1)
+else:
+print("Server entry already deleted: %s" % (hostname))
 
 # 6. Cleanup
 try:
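Review bot: in the `except errors.NotFound` branch the two failure messages are written to stdout with `print` while the process exits with status 1; send them to stderr, for example by passing the text to `sys.exit(...)`, so callers that capture stdout do not read them as normal output. The `else:` after `sys.exit(1)` is redundant, and the branch mixes `str.format` with `%` formatting, so pick one style for both messages.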
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2015-11-12 Thread Milan Kubík

On 11/10/2015 12:13 PM, Filip Škola wrote:

Hi,

fixed.

F.

On Tue, 10 Nov 2015 10:52:45 +0100
Milan Kubík  wrote:


On 11/09/2015 04:35 PM, Filip Škola wrote:

Another patch was applied in the meantime.

Attaching an updated version.

F.

On Mon, 9 Nov 2015 13:35:02 +0100
Milan Kubík  wrote:


On 11/06/2015 11:32 AM, Filip Škola wrote:
Hi,
the patch doesn't apply.


Please fix this.

ipatests/test_xmlrpc/test_user_plugin.py:1419: [E0602(undefined-variable), TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined variable 'user1')

Also, use the version numbers for your changed patches.





Thanks for the patch. Several issues:

1. Use dict.items instead of dict.iteritems, for python3 compatibility

2. What is the purpose of TestPrepare class? The 'purge' methods do not call any ipa commands.
Tracker.make_fixture should be used to make the Tracked resources clean themselves up when they're out of scope.

3. Why reference the resources by hardcoded name if they have a fixture representation?

4. Rewrite {create,delete}_test_group to a fixture. You may want to use different scope (or not).

5. In `def atest_rename_to_invalid_login(self, user):` - use pytest.skipif decorator and provide a reason if you must, do not obfuscate method name in order not to run it.


--
Milan Kubik


Re: [Freeipa-devel] [patch 0024] Fix missed module import in ipaserver tests

2015-11-12 Thread Martin Basti



On 12.11.2015 10:55, Milan Kubík wrote:






ACK
Pushed to ipa-4-2: af076525ccc26abd7f957d801b26bfb83718b5d7


Re: [Freeipa-devel] [PATCH 0331, 0337] User plugin: allow multiple managers per user - CLI part

2015-11-12 Thread Martin Basti



On 27.10.2015 14:59, Martin Basti wrote:



On 20.10.2015 18:46, Martin Basti wrote:



On 20.10.2015 16:07, Martin Basti wrote:



On 20.10.2015 15:57, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5344

Patch attached.

Tests are failing, a fix in UserTracker has to be done (partially in
my patch 329)




SelfNACK, I forgot to add stageuser tests



Updated patch attached.

I extracted tests to the separate patch, tests do not work, I had 
issues with user and stageuser trackers.





Patch to fix issues with --addattr and managers added and attached.




The new patch 0331 is attached; patch 0337 is not needed anymore.

This patch also fixes https://fedorahosted.org/freeipa/ticket/5387
From a85d8d2d0e1ab0aabe57c560bbd7a45527f5a7f7 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 5 Nov 2015 17:11:23 +0100
Subject: [PATCH] Allow multiple managers per user - CLI part

Added commands:
* user-add-manager
* user-remove-manager
* stageuser-add-manager
* stageuser-remove-manager

Commit contains override of convert_attribute_members method in baseuser
class that ensures the managers will be returned in 'manager' attribute
due to backward compatibility instead of 'manager_user' as would be
expected.

https://fedorahosted.org/freeipa/ticket/5344

This patch also fixes: https://fedorahosted.org/freeipa/ticket/5387
---
 API.txt | 44 
 VERSION |  4 ++--
 ipalib/plugins/baseuser.py  | 55 +++--
 ipalib/plugins/stageuser.py | 22 +-
 ipalib/plugins/user.py  | 24 ++--
 5 files changed, 117 insertions(+), 32 deletions(-)

diff --git a/API.txt b/API.txt
index 873c6d54221a0c1657b5457bd9dceedb4adf06b3..0976c97213775d79da43ee382a0badbe029b7960 100644
--- a/API.txt
+++ b/API.txt
@@ -4248,6 +4248,17 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: stageuser_add_manager
+args: 1,5,3
+arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', , None)
+output: Output('failed', , None)
+output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: stageuser_del
 args: 1,2,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
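Review bot: `stageuser_add_manager` takes the managers through `Str('user*', alwaysask=True, cli_name='users', csv=True)`, while the commit message says the result entry reports them under `manager` rather than `manager_user`; document that asymmetry in the command help so callers know the input option and the output attribute are named differently. The diffstat lists no test files for the four new commands, so the tests that were split out earlier in the thread should land together with this patch or directly after it.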
@@ -4367,6 +4378,17 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: stageuser_remove_manager
+args: 1,5,3
+arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('version?', exclude='webui')
+output: Output('completed', , None)
+output: Output('failed', , None)
+output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: stageuser_show
 args: 1,5,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
@@ -5208,6 +5230,17 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: user_add_manager
+args: 1,5,3
+arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('no_members', 

Re: [Freeipa-devel] [PATCH 0344] Use absolute domain name in detection of A/AAAA records

2015-11-12 Thread Martin Basti



On 09.11.2015 08:47, Petr Spacek wrote:

On 4.11.2015 16:16, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/5421

I'm not entirely sure how this patch will interact with magic included in
ipalib/plugins/dns.py:class dns_resolve(Command).

I would like to delete the 'normalization' from at least one of these places.

Also, as you know, DNS names are not strings and should be manipulated using
python-dns so all crazy things in DNS names do not break in weird corner cases.


Updated patch attached.
From 48358ae3806ad713b93c71718919404e17525104 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 Nov 2015 16:09:21 +0100
Subject: [PATCH] Use absolute domain in detection of A/AAAA records

Python dns resolver appends configured domain to queries which may lead
to false positive answer.

Example: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421
---
 ipapython/ipautil.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4acdd1a98818bf311a8fef103e7219cc62a28ec1..2e306013bf64f56917688da7aec3d9678ec627bc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -49,6 +49,7 @@ from ipapython import ipavalidate
 from ipapython import config
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
 
 SHARE_DIR = paths.USR_SHARE_IPA_DIR
 PLUGINS_SHARE_DIR = paths.IPA_PLUGINS
@@ -911,9 +912,11 @@ def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=Non
 raise last_socket_error # pylint: disable=E0702
 
 def is_host_resolvable(fqdn):
+if not isinstance(fqdn, DNSName):
+fqdn = DNSName(fqdn)
 for rdtype in (rdatatype.A, rdatatype.):
 try:
-resolver.query(fqdn, rdtype)
+resolver.query(fqdn.make_absolute(), rdtype)
 except DNSException:
 continue
 else:
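Review bot: the `DNSName(fqdn)` conversion at the top of `is_host_resolvable` sits outside the `try`/`except DNSException` block, so a name that cannot be converted raises out of the function instead of being reported as not resolvable; handle that case explicitly or state in a docstring that invalid names raise. A short comment above `fqdn.make_absolute()` saying that it stops the resolver from appending the configured domain would keep a later cleanup from reverting the fix.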
-- 
2.4.3
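
The false positive described in the commit message above, as an added example that is not part of the original patch or of FreeIPA: a simplified offline model of a resolver that appends its configured domain to relative names. The record set, the function names and the try-as-is-first ordering for multi-label names are assumptions made for the illustration.

```python
# Added illustration: a simplified, offline model of a stub resolver that
# appends its configured domain to relative names. Not dnspython or FreeIPA code.

# Constructed sample data: the only record is one that ended up under the
# configured domain; "ipa.example.com." itself has no records at all.
RECORDS = {
    "ipa.example.com.example.com.": {"A": ["192.0.2.10"]},
}
CONFIGURED_DOMAIN = "example.com"


def names_to_try(qname, domain):
    """Return the absolute names the modelled resolver queries, in order."""
    if qname.endswith("."):
        return [qname]  # already absolute: nothing is appended
    candidates = []
    if "." in qname:
        # Assumption: multi-label relative names are tried as-is first.
        candidates.append(qname + ".")
    candidates.append("{}.{}.".format(qname, domain.rstrip(".")))
    return candidates


def resolve(qname, rdtype, records=RECORDS, domain=CONFIGURED_DOMAIN):
    """Return (answering_name, rdata) for the first candidate with data, else None."""
    for name in names_to_try(qname, domain):
        rdata = records.get(name, {}).get(rdtype)
        if rdata:
            return name, rdata
    return None


def make_absolute(fqdn):
    """Add the trailing dot that marks a DNS name as fully qualified."""
    return fqdn if fqdn.endswith(".") else fqdn + "."


def is_host_resolvable(fqdn, absolute):
    """Model of the check before (absolute=False) and after (absolute=True) the fix."""
    qname = make_absolute(fqdn) if absolute else fqdn
    return any(resolve(qname, rdtype) for rdtype in ("A", "AAAA"))


def answering_name(fqdn):
    """Name that actually produced the answer for a relative query, or None."""
    hit = resolve(fqdn, "A") or resolve(fqdn, "AAAA")
    return hit[0] if hit else None


if __name__ == "__main__":
    host = "ipa.example.com"
    print("relative query resolvable:", is_host_resolvable(host, absolute=False))
    print("answered by:", answering_name(host))
    print("absolute query resolvable:", is_host_resolvable(host, absolute=True))
```

Comparing the answering name with the name that was asked for is a cheap way to spot this class of false positive in a resolvability check.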


Re: [Freeipa-devel] [PATCH 0338] Drop configure.jar file

2015-11-12 Thread Martin Basti



On 05.11.2015 18:27, Petr Vobornik wrote:

On 10/30/2015 09:31 AM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5144

Patch attached.




configure.jar is basically a signed zip which contains 
preferences.html therefore also all references to preferences.html 
should be removed.



ssbrowser.html:

Also whole section "Automatic Configuration of older versions" should 
be removed.


and list item:
"""
Import CA certificate. Make sure you checked 
all three checkboxes.

"""
should be moved as a first item in the list in section Firefox

Thank you, updated patch attached.
From 5db38580da239a90079ddf838c92ea862f595863 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 27 Oct 2015 15:36:55 +0100
Subject: [PATCH] Drop configure.jar

Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144
---
 freeipa.spec.in|  4 --
 install/html/ssbrowser.html| 25 +
 install/share/Makefile.am  |  1 -
 install/share/preferences.html.template| 90 --
 ipaplatform/base/paths.py  |  1 -
 ipaserver/install/httpinstance.py  | 26 -
 ipaserver/install/ipa_replica_prepare.py   |  5 --
 ipaserver/install/server/replicainstall.py | 12 
 8 files changed, 3 insertions(+), 161 deletions(-)
 delete mode 100644 install/share/preferences.html.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 913f03926ef3d2bcdcfc51a6036f7c076a7fb7ef..6430b67d8ac8cd95fb2626bedd5f2c00de0b9913 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -466,13 +466,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
@@ -833,13 +831,11 @@ fi
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index b88deac900fb1d5a1a5960741512593f9b7f3b15..325c2d393067c52fade653494c1917a9af51394f 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -10,18 +10,6 @@
 $(document).ready(function() {
 var domain = '.' + (IPA_DOMAIN || 'example.com');
 $('.example-domain').text(domain);
-
-var browser = IPA.browser_config.get_browser();
-if (browser.mozilla) {
-var ff_config = $("#configurefirefox");
-var obj = $('', {
-type: 'text/html',
-'class': 'browser-config'
-});
-obj.prop('data', 'jar:/ipa/errors/configure.jar!/preferences.html');
-obj.appendTo(ff_config);
-ff_config.show();
-}
 });
 }
 
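Review bot: the removed loader fetched the archive from `/ipa/errors/configure.jar`, but none of the eight files in the diffstat is an httpd configuration file; check whether the Apache configuration still carries jar-specific handling for that path and drop it in this patch too. Also confirm that the `#configurefirefox` element and `IPA.browser_config.get_browser()` still have other users, otherwise they are dead after this removal.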
@@ -63,6 +51,9 @@
 
 
 
+Import CA certificate. Make sure you checked all three checkboxes.
+
+
 In the address bar of Firefox, type about:config to display the list of current configuration options.
 
 
@@ -77,16 +68,6 @@
  You are all set. 
 
 
-Automatic Configuration of older versions
-You can configure older versions of Firefox (up to version 14) using signed code. Use Firefox configuration page for newer versions.
-
-Import CA certificate. Make sure you checked all three checkboxes.
-
-   

Re: [Freeipa-devel] [PATCH 0332] fix user post_callback

2015-11-12 Thread Martin Basti



On 21.10.2015 11:14, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5387

Patch attached.




Fix for this ticket has been implemented in patch mbasti-0331-2

Attached patch only moves common postcallback code from user and
stageuser to parent class.
From 4a5b52301199170a194d477648350c7206357415 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 5 Nov 2015 17:06:22 +0100
Subject: [PATCH] Move common code of user and stageuser to baseuser
 postcallback

user-add and stageuser-add contain common code that can be exported to
baseuser common postcallback
---
 ipalib/plugins/baseuser.py  | 3 +++
 ipalib/plugins/stageuser.py | 4 +---
 ipalib/plugins/user.py  | 3 ---
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index b974e3fb18659e7eb6e75557e0d4db3ec1197dcd..cf0fd88d9b9ee83ee046852e0e4709362947b291 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -491,6 +491,9 @@ class baseuser_add(LDAPCreate):
 def post_common_callback(self, ldap, dn, entry_attrs, **options):
 assert isinstance(dn, DN)
 self.obj.convert_usercertificate_post(entry_attrs, **options)
+self.obj.get_password_attributes(ldap, dn, entry_attrs)
+convert_sshpubkey_post(ldap, dn, entry_attrs)
+radius_dn2pk(self.api, entry_attrs)
 
 class baseuser_del(LDAPDelete):
 """
diff --git a/ipalib/plugins/stageuser.py b/ipalib/plugins/stageuser.py
index 00fba1f8329e638a304e3f70d10b89aaf38aaebc..47c96bb715fcf8293f4ce257566ab914644fa489 100644
--- a/ipalib/plugins/stageuser.py
+++ b/ipalib/plugins/stageuser.py
@@ -389,9 +389,7 @@ class stageuser_add(baseuser_add):
 # if both randompassword and userpassword options were used
 pass
 
-self.obj.get_password_attributes(ldap, dn, entry_attrs)
-convert_sshpubkey_post(ldap, dn, entry_attrs)
-radius_dn2pk(self.api, entry_attrs)
+self.post_common_callback(ldap, dn, entry_attrs, **options)
 return dn
 
 @register()
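Review bot: the added `self.post_common_callback(ldap, dn, entry_attrs, **options)` call in `stageuser_add` also runs `convert_usercertificate_post`, which the three removed lines did not do, so unless the common callback was already invoked earlier in this method the hunk changes behaviour rather than only moving code (in `user.py` the call is already present as context). If that is intended, say so in the commit message.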
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 5c3e78b138acb89eb66a6f724019b0c1041b76ce..81a7070359253262f30e65298c42759cd055e67d 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -568,9 +568,6 @@ class user_add(baseuser_add):
 # if both randompassword and userpassword options were used
 pass
 
-self.obj.get_password_attributes(ldap, dn, entry_attrs)
-convert_sshpubkey_post(ldap, dn, entry_attrs)
-radius_dn2pk(self.api, entry_attrs)
 self.obj.get_preserved_attribute(entry_attrs, options)
 
 self.post_common_callback(ldap, dn, entry_attrs, **options)
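Review bot: moving the three calls into `post_common_callback` changes their order in `user_add`: they used to run before `self.obj.get_preserved_attribute(entry_attrs, options)` and now run after it, and after `convert_usercertificate_post`. Confirm that `get_preserved_attribute` does not depend on anything `get_password_attributes`, `convert_sshpubkey_post` or `radius_dn2pk` set or rewrite in `entry_attrs`, and mention the reordering in the commit message.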
-- 
2.4.3


Re: [Freeipa-devel] ipa-4-2 branch is broken !!!

2015-11-12 Thread Martin Basti



On 12.11.2015 11:00, Milan Kubík wrote:

> On 11/12/2015 10:35 AM, Martin Basti wrote:
>
>> Lint failed in current ipa-4-2 branch.
>>
>> ===
>> Errors were found during the static code check.
>>
>> If you are certain that any of the reported errors are false positives, please
>> mark them in the source code according to the pylint documentation.
>> ===
>>
>> * Module ipatests.test_ipaserver.test_ldap
>> ipatests/test_ipaserver/test_ldap.py:43: [E0602(undefined-variable), test_ldap] Undefined variable 'pytest')
>> ipatests/test_ipaserver/test_ldap.py:154: [E0602(undefined-variable), test_LDAPEntry] Undefined variable 'pytest')
>>
>> Makefile:119: recipe for target 'lint' failed
>
> Fixed by patch 0024.

The issue has been fixed,
thanks.


Re: [Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1

2015-11-12 Thread Gabe Alford
Yeah. That's better. Thanks, Martin. Ack.



On Thu, Nov 12, 2015 at 6:02 AM, Martin Basti  wrote:

>
>
> On 09.11.2015 14:37, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5424
>
> thanks,
>
> Gabe
>
>
> Thank you for your patch, almost ACK, but I propose following changes
> (patch attached) in error message.
>
> Let me know if you agree with the change.
>
> Martin
>

Re: [Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1

2015-11-12 Thread Martin Basti



On 12.11.2015 14:32, Gabe Alford wrote:

Yeah. That's better. Thanks, Martin. Ack.



Pushed to master: efe8f26ddf81db471bbce693dacd35f80e7615e2


On Thu, Nov 12, 2015 at 6:02 AM, Martin Basti wrote:




On 09.11.2015 14:37, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5424

thanks,

Gabe



Thank you for your patch, almost ACK, but I propose following
changes (patch attached) in error message.

Let me know if you agree with the change.

Martin





Re: [Freeipa-devel] [PATCH 0338] Drop configure.jar file

2015-11-12 Thread Martin Basti



On 12.11.2015 14:53, Petr Vobornik wrote:

On 11/12/2015 12:27 PM, Martin Basti wrote:



On 05.11.2015 18:27, Petr Vobornik wrote:

On 10/30/2015 09:31 AM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5144

Patch attached.




configure.jar is basically a signed zip which contains
preferences.html therefore also all references to preferences.html
should be removed.


ssbrowser.html:

Also whole section "Automatic Configuration of older versions" should
be removed.

and list item:
"""
Import CA certificate. Make sure you checked
all three checkboxes.
"""
should be moved as a first item in the list in section Firefox

Thank you, updated patch attached.



1. following first line should be removed as well:
 preferences_filename = paths.PREFERENCES_HTML
-if ipautil.file_exists(preferences_filename):

Which also means that PREFERENCES_HTML won't be used and can be removed.

Aaa sorry my bad, I wanted to remove it from paths, I just somehow 
forgot to do that.

Updated patch attached.
From 6322ff96273e91abd1d7f24fe84270491e7e6b60 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 27 Oct 2015 15:36:55 +0100
Subject: [PATCH] Drop configure.jar

Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144
---
 freeipa.spec.in|  4 --
 install/html/ssbrowser.html| 25 +
 install/share/Makefile.am  |  1 -
 install/share/preferences.html.template| 90 --
 ipaplatform/base/paths.py  |  2 -
 ipaserver/install/httpinstance.py  | 26 -
 ipaserver/install/ipa_replica_prepare.py   |  6 --
 ipaserver/install/server/replicainstall.py | 12 
 8 files changed, 3 insertions(+), 163 deletions(-)
 delete mode 100644 install/share/preferences.html.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c3ca3413ffc3850b849a69adbbae8476355f3c76..f605f653a84c45c6ce0d949a921cef0c7ec508ca 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -473,13 +473,11 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
@@ -840,13 +838,11 @@ fi
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index b88deac900fb1d5a1a5960741512593f9b7f3b15..325c2d393067c52fade653494c1917a9af51394f 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -10,18 +10,6 @@
 $(document).ready(function() {
 var domain = '.' + (IPA_DOMAIN || 'example.com');
 $('.example-domain').text(domain);
-
-var browser = IPA.browser_config.get_browser();
-if (browser.mozilla) {
-var ff_config = $("#configurefirefox");
-var obj = $('', {
-type: 'text/html',
-'class': 'browser-config'
-});
-obj.prop('data', 'jar:/ipa/errors/configure.jar!/preferences.html');
-obj.appendTo(ff_config);
-ff_config.show();
-}
 });
 }
 
@@ -63,6 +51,9 @@
 
 
 
+Import CA certificate. Make sure you checked all three checkboxes.
+
+
 In the address bar of Firefox, type about:config to display the 

Re: [Freeipa-devel] [PATCH 0338] Drop configure.jar file

2015-11-12 Thread Petr Vobornik

On 11/12/2015 12:27 PM, Martin Basti wrote:



On 05.11.2015 18:27, Petr Vobornik wrote:

On 10/30/2015 09:31 AM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5144

Patch attached.




configure.jar is basically a signed zip which contains
preferences.html, therefore all references to preferences.html
should be removed as well.


ssbrowser.html:

Also the whole section "Automatic Configuration of older versions" should
be removed.

And the list item:
"""
Import CA certificate. Make sure you checked
all three checkboxes.
"""
should be moved to be the first item in the list in the Firefox section.

Thank you, updated patch attached.



1. The following first line should be removed as well:
 preferences_filename = paths.PREFERENCES_HTML
-if ipautil.file_exists(preferences_filename):

Which also means that PREFERENCES_HTML won't be used and can be removed.

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion

2015-11-12 Thread Martin Babinsky

On 11/12/2015 02:04 PM, Petr Vobornik wrote:

On 11/10/2015 05:43 PM, Martin Babinsky wrote:

On 11/04/2015 06:50 PM, Petr Vobornik wrote:

On 11/04/2015 01:30 PM, Martin Babinsky wrote:

On 10/30/2015 05:06 PM, Martin Babinsky wrote:

On 10/30/2015 03:38 PM, Petr Vobornik wrote:

On 10/30/2015 03:26 PM, Martin Babinsky wrote:

patch for https://fedorahosted.org/freeipa/ticket/5309

The ticket itself is about connectivity checks in topology suffixes, but
there is code (install/tools/ipa-replica-manage, starting at line 788
after applying my patch) which monitors whether the segments pointing
to/from the deleted host are already deleted.

These checks are currently hardcoded for 'realm' prefix, should we
generalize them as well or is it a part of other effort?



Could be separate patch but yes.

Ok I have included it in the attached patch so that both of these
operations are performed for all suffixes.




Hmm, I'm thinking whether the 'check_last_link_managed' and
'check_deleted_segments' should not be called per-suffix, but should
themselves check all suffixes available. This could make the fix for
https://fedorahosted.org/freeipa/ticket/5409 also easier.



Depends if the output is reusable. If so then why not.
check_last_link_managed basically adds text to several
get_topology_connection_errors calls.


Attaching updated patch.



I'm not sure about (pseudo code):

 topo_errors = ([], [])
 for each suffix:
     topo_errors[0].extend(orig_errors)
     topo_errors[1].extend(new_errors)
 return topo_errors

In check_deleted_segments, wait_for_segment_removal is a per-suffix check
but uses topo_errors, which contains errors from both suffixes. Topo
errors are used to relax the check if the topology is disconnected, but
this might relax it too much.

I would change the errors to per-suffix as well, e.g.:
   topo_errors = {}
   for each suffix:
       topo_errors[suffix_name] = (orig_errors, new_errors)
   return topo_errors

Otherwise it looks OK (not tested yet).


I didn't realize that. I have modified the patch accordingly.

--
Martin^3 Babinsky
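
The concern discussed in the message above (a merged error tuple relaxing the per-suffix segment check too much), as an added example that is not part of the original thread or of FreeIPA's code. The topology data, all function names and the relaxation rule in relaxed() are constructed assumptions.

```python
from collections import deque

# Constructed topology (not real data): suffix -> (masters, replication segments).
TOPOLOGY = {
    "domain": ({"m1", "m2", "m3"}, [("m1", "m2"), ("m2", "m3")]),
    "ca": ({"m1", "m2", "m3"}, [("m1", "m2"), ("m2", "m3"), ("m1", "m3")]),
}

def unreachable_pairs(masters, segments):
    """Return (a, b) pairs of masters with no replication path between them."""
    adjacent = {m: set() for m in masters}
    for left, right in segments:
        if left in adjacent and right in adjacent:  # skip segments of removed hosts
            adjacent[left].add(right)
            adjacent[right].add(left)
    errors = []
    for start in sorted(masters):
        seen, queue = {start}, deque([start])
        while queue:  # breadth-first walk over replication segments
            for peer in adjacent[queue.popleft()] - seen:
                seen.add(peer)
                queue.append(peer)
        errors.extend((start, m) for m in sorted(masters - seen) if start < m)
    return errors

def errors_by_suffix(topology, hostname):
    """Per-suffix form: {suffix: (errors now, errors after deleting hostname)}."""
    result = {}
    for name, (masters, segments) in topology.items():
        if hostname not in masters:
            continue  # host is not part of this suffix, nothing to check
        result[name] = (unreachable_pairs(masters, segments),
                        unreachable_pairs(masters - {hostname}, segments))
    return result

def merged_errors(by_suffix):
    """Merged form: one (orig, new) tuple; which suffix failed is lost."""
    merged = ([], [])
    for orig_errors, new_errors in by_suffix.values():
        merged[0].extend(orig_errors)
        merged[1].extend(new_errors)
    return merged

def relaxed(errors):
    """Assumed rule: the removal wait is relaxed when either error list is non-empty."""
    return any(errors)
```

Deleting m2 disconnects only the constructed 'domain' suffix, yet the merged tuple would relax the check for 'ca' as well; keyed by suffix, 'ca' keeps the strict check.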
From f163d3f45e4d82cfd046f80d45cfccaa8aac0776 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 30 Oct 2015 13:59:03 +0100
Subject: [PATCH] check for disconnected topology and deleted agreements for
 all suffices

The code in ipa-replica-manage which checks for disconnected topology and
deleted agreements during node removal was generalized so that it now performs
these checks for all suffixes to which the node belongs.

https://fedorahosted.org/freeipa/ticket/5309
---
 install/tools/ipa-replica-manage | 246 ++-
 1 file changed, 165 insertions(+), 81 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index b9998da44dcc1f01c5eb342ee713634de0ee84ee..93c1014a49ed2c32bed22dbf80c6d925e6f3d825 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -570,46 +570,96 @@ def check_last_link(delrepl, realm, dirman_passwd, force):
 else:
 return None
 
-def check_last_link_managed(api, masters, hostname, force):
+
+def map_masters_to_suffices(masters, suffices):
+masters_to_suffix = {}
+suffix_name_to_root = {
+s['iparepltopoconfroot'][0]: s['cn'][0] for s in suffices
+}
+
+for master in masters:
+managed_suffices = master['iparepltopomanagedsuffix']
+for suffix in managed_suffices:
+suffix_name = suffix_name_to_root[suffix]
+try:
+masters_to_suffix[suffix_name].append(master)
+except KeyError:
+masters_to_suffix[suffix_name] = [master]
+
+return masters_to_suffix
+
+
+def check_hostname_in_masters(hostname, masters):
+master_cns = {m['cn'][0] for m in masters}
+return hostname in master_cns
+
+
+def check_last_link_managed(api, hostname, masters, force):
 """
 Check if 'hostname' is safe to delete.
 
 :returns: tuple with lists of current and future errors in topology
   (current_errors, new_errors)
 """
+suffices = api.Command.topologysuffix_find(u'')['result']
+suffix_to_masters = map_masters_to_suffices(masters, suffices)
+topo_errors_by_suffix = {}
+
+for suffix in suffices:
+suffix_name = suffix['cn'][0]
+suffix_members = suffix_to_masters[suffix_name]
+print("Checking connectivity in topology suffix '{}'".format(
+suffix_name))
+if not check_hostname_in_masters(hostname, suffix_members):
+print(
+"'{}' is not a part of topology suffix '{}'".format(
+hostname, suffix_name
+)
+)
+print("Not checking connectivity")
+continue
+
+segments = api.Command.topologysegment_find(
+suffix_name, sizelimit=0).get('result')
+graph = create_topology_graph(suffix_to_masters[suffix_name],