date:20161006

  URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on 
delete

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6b3f4984296f3caff8f29490eae3ed1dca64b8c3
https://fedorahosted.org/freeipa/changeset/2b8163ab5dfcf28a9eba319ef685046ae9d8b5e8
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/358e50b2e194d3ae3d0e8c22c774a24ab84d8be1
https://fedorahosted.org/freeipa/changeset/810c38efce6a3911b39e29b7aac010e467ef25a7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/108#issuecomment-252031461
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#108][+pushed] Bump pki min version and add commentary about sub-CA revocation on delete

  URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on 
delete

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#108][closed] Bump pki min version and add commentary about sub-CA revocation on delete

   URL: https://github.com/freeipa/freeipa/pull/108
Author: frasertweedale
 Title: #108: Bump pki min version and add commentary about sub-CA revocation 
on delete
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/108/head:pr108
git checkout pr108
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#115][closed] Don't show traceback when ipa config file is not an absolute path

   URL: https://github.com/freeipa/freeipa/pull/115
Author: tomaskrizek
 Title: #115: Don't show traceback when ipa config file is not an absolute path
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/115/head:pr115
git checkout pr115
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path

  URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d7a2dfddbc2dc9ae4cea7d65e56d61a6a4d2b928
https://fedorahosted.org/freeipa/changeset/0dea726466b5971cf74b9e8b7e33af0618e5842c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/115#issuecomment-252030530
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#123][comment] Tests: Remove silent deleting and creating entries by tracker

  URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/74e52e86867372365d1d63561f7d1ff961b89ee0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/123#issuecomment-252029305
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#123][+pushed] Tests: Remove silent deleting and creating entries by tracker

  URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
Yeah, and I forgot to write:

11)
There should be an information in webUI, that secrets can be added/retrieved to 
vault only by using vault-archive and vault-retrieve from CLI
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-252018655
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
1)
I created shared vault, but I cannot see it in 'Shared Vaults', it is show only 
in 'My Vaults'
i.e. it was created ad user vault according CLI

2)
'My Vaults' I expected that it will show all vaults created by me, but it is 
not true, it shows only my user vaults. Can we set name to more explicit, like 
'My User Vaults' or is it too much and only I'm dumb?

3)
I broke it, I cannot add vault, adder dialog just show and instantly disappears

Steps to reproduce:
a. click on add vault
b. click on vault user, mark empty line (dont click)
c. press ESC (dialog should disappear)
d. click on add Vault again, it should not work
e. dialog suddenly shows when you click on My Vaults

No errors in browser console. What could cause this?

4) 
Can you please add tests for this?

5) Nitpick
If you add vault from Service vault, then predefined value should be service 
vault in adder dialog.
Same for shared vault

6)
Missing 'type' column in my vaults

7)
For symmetric vault, there is 'salt' shown in CLI, and I can change this in 
CLI. IMO this should be supported in webUI too

8)
For asymetric vault, public key is show in CLI, and user can also change this 
public key, IMO this should work in webUI too.

9)
I would like to see big fat warning in adder dialog that content of 'standard' 
vaults can be seen by users with higher privileges (admins). This is the reason 
why we set symmetric vault as default in CLI. But because in webUI the standard 
vault is the only one vault that can be added, we should inform users to use 
rather CLI and create symmetric vault

* IMO we should add this warning into CLI too

10)
Vaultconfig-show shows transport certificate, should we shown this in webUI as 
well?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-252016356
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-06 Thread Sumit Bose

On Thu, Oct 06, 2016 at 10:33:48AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > Hi,
> > 
> > 
> 
> Wow, this is really great.

Hi Rob,

thank you for the feedback.

> 
> I think I'd pre-plan to support different configuration per issuer subject,
> with one named default. It shouldn't be a lot more work and will
> future-proof things for you, particularly in how the rules are stored in
> LDAP.
> 
> I worry a bit about matching without comparing the certificate for the case
> where you don't examine issuer.
> 

Do I understand it correctly that you are looking for rules which will
always and only match for certificate from a given issuer? E.g. if all
matching rules will have the  set like

CN=ca,DC=abd,DC=comclientAuth
CN=ca,DC=def,DC=commsScLogin

certificates from the abc issue must have clientAuth set to be valid for
authentication and certificates from issuer def must have msScLogin set.
But you are right, if one rule does not have issuer set like

CN=ca,DC=abd,DC=comclientAuth
msScLogin

then a certificate from issuer abc which does not have clientAuth set
but msScLogin would be accepted as well.

Do you think it would help to make  a required field but allow
that the lazy admin can just enter a '*' to match any issuer?

> You may want to have an option to require that the presented cert match the
> one stored in LDAP (off by default). I realize that you specifically mention
> this can be problematic, but it can also be quite useful. It can be used,
> for example, to disable a login by removing the certificate from the user's
> entry. It also ensures that some carefully crafted certificate doesn't allow
> a bad actor to map to a user account.

This happens when no mapping rule is given. Then SSSD will fall
back to search/map the user with the whole certificate. And if the
certificate is removed from the LDAP entry of the user Smartcard
authentication will fail as soon as the user entry in the cache of SSSD
is expired.

bye,
Sumit

> 
> rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2016-10-06 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvoborni commented:
"""
For other optional UIs like CA/Trusts or DNS, Web UI checks on UI start if the 
component is installed by batch command with:

```JavaScript
{method: "env", params: [[], {}]}
{method: "dns_is_enabled", params: [[], {}]}
{method: "trustconfig_show", params: [[], {}]}
{method: "domainlevel_get", params: [[], {}]}
{method: "ca_is_enabled", params: [[], {}]}
```
For KRA, it can add  kra_is_enabled command.

Traditionally, UI is hidden if component is not installed. 



"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-251997063
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#143][opened] Issue6386 nss dir

2016-10-06 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/143
Author: tiran
 Title: #143: Issue6386 nss dir
Action: opened

PR body:
"""
See https://fedorahosted.org/freeipa/ticket/6386

* use api.env.nss_dir in all ipaclient plugins
* set api.env.nss_dir to confdir/nssdb
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/143/head:pr143
git checkout pr143
From bcef90d4a65f74f3ab34dabcbcffd7fcce05dcfb Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 6 Oct 2016 16:24:43 +0200
Subject: [PATCH 1/2] Use api.env.nss_dir instead of paths.IPA_NSSDB_DIR

ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.

Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes 
---
 ipaclient/ipa_certupdate.py   | 2 +-
 ipaclient/plugins/otptoken.py | 3 +--
 ipaclient/plugins/vault.py| 7 ++-
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/ipaclient/ipa_certupdate.py b/ipaclient/ipa_certupdate.py
index 2c6b94f..550bbb6 100644
--- a/ipaclient/ipa_certupdate.py
+++ b/ipaclient/ipa_certupdate.py
@@ -108,7 +108,7 @@ def run(self):
 def update_client(self, certs):
 self.update_file(paths.IPA_CA_CRT, certs)
 
-ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ipa_db = certdb.NSSDatabase(api.env.nss_dir)
 
 # Remove old IPA certs from /etc/ipa/nssdb
 for nickname in ('IPA CA', 'External CA cert'):
diff --git a/ipaclient/plugins/otptoken.py b/ipaclient/plugins/otptoken.py
index dd4a718..885a612 100644
--- a/ipaclient/plugins/otptoken.py
+++ b/ipaclient/plugins/otptoken.py
@@ -25,7 +25,6 @@
 from ipalib.messages import add_message, ResultFormattingError
 from ipalib.plugable import Registry
 from ipalib.frontend import Local
-from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.nsslib import NSSConnection
 from ipapython.version import API_VERSION
@@ -174,7 +173,7 @@ def forward(self, *args, **kwargs):
 
 # Sync the token.
 # pylint: disable=E1101
-handler = HTTPSHandler(dbdir=paths.IPA_NSSDB_DIR,
+handler = HTTPSHandler(dbdir=api.env.nss_dir,
tls_version_min=api.env.tls_version_min,
tls_version_max=api.env.tls_version_max)
 rsp = urllib.request.build_opener(handler).open(sync_uri, query)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index b8b4f29..c099e9e 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -43,7 +43,6 @@
 from ipalib import Bytes, Flag, Str
 from ipalib.plugable import Registry
 from ipalib import _
-from ipaplatform.paths import paths
 
 
 def validated_read(argname, filename, mode='r', encoding=None):
@@ -752,8 +751,7 @@ def forward(self, *args, **options):
 error=_('Invalid vault type'))
 
 # initialize NSS database
-current_dbdir = paths.IPA_NSSDB_DIR
-nss.nss_init(current_dbdir)
+nss.nss_init(api.env.nss_dir)
 
 # retrieve transport certificate
 config = self.api.Command.vaultconfig_show()['result']
@@ -912,8 +910,7 @@ def forward(self, *args, **options):
 vault_type = vault['ipavaulttype'][0]
 
 # initialize NSS database
-current_dbdir = paths.IPA_NSSDB_DIR
-nss.nss_init(current_dbdir)
+nss.nss_init(api.env.nss_dir)
 
 # retrieve transport certificate
 config = self.api.Command.vaultconfig_show()['result']

From 3739cb80b036fb72378a2115ec00cee32559fb96 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 6 Oct 2016 16:42:37 +0200
Subject: [PATCH 2/2] Set nss_dir to confdir/nssdb

Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes 
---
 ipalib/config.py| 4 
 ipalib/constants.py | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index eb6c3ae..a3064da 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -531,6 +531,10 @@ def _finalize_core(self, **defaults):
 self._merge_from_file(self.conf)
 self._merge_from_file(self.conf_default)
 
+# Set nss_dir to nssdb directory in confdir
+if 'nss_dir' not in self:
+self.nss_dir = self._join('confdir', 'nssdb')
+
 # Determine if in_server:
 if 'in_server' not in self:
 self.in_server = (self.context == 'server')
diff --git a/ipalib/constants.py b/ipalib/constants.py
index c423117..3ef5ddf 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -133,7 +133,7 @@
 
 ('rpc_protocol', 'jsonrpc'),
 
-('nss_dir', paths.IPA_NSSDB_DIR),
+('nss_dir', paths.IPA_NSSDB_DIR),  # Set to confdir/nssdb in _finalize_core()
 
 # Define an inclusive range of SSL/TLS version support
 ('tls_version_min',

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-06 Thread Rob Crittenden

Sumit Bose wrote:

Hi,

I've started to write a SSSD design page about enhancing the current
mapping of certificates to users and how to select/match a suitable
certificate if multiple certificates are on a Smartcard.

My currently thoughts and idea and be found at
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about concerns,
alternatives and missing use-cases/user-stories.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
*
http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===
Mapping
Currently it is required that a certificate used for authentication is either
stored in the LDAP user entry or in a matching override. This might not always
be applicable and other ways are needed to relate a user with a certificate.

Matching
Even if SSSD will support multiple certificates on a Smartcard in the context
of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict
(or relax) the current certificate selection in certain environments.

=== Use cases ===
Mapping
In some environments it might not be possible or would cause unwanted effort to
add certificates to the LDAP entry of the users to allow Smartcard based
authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

Matching
A user might have multiple certificate on a Smartcard which are suitable for
authentication. But on some host in the environment only certificates from a
specific CA (while all other CAs are trusted as well) or with some special
extension should be valid for login.

=== Overview of the solution ===
To match a certificate a language/syntax has to be defined which allows to
reference items from the certificate and compare the values with the expected
data. To map the certificates to a user the language/syntax should allow to
relate certificate items with LDAP attributes so that the value(s) from the
certificate item can be used in a LDAP search filter.

=== Implementation details ===
Matching
The pkinit plugin of MIT Kerberos must find a suitable certificate from a
Smartcard as well and has defined the following syntax (see the
pkinit_cert_match section of the krb5.conf man page or
http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for
details). The main components are

* regular-expression
* regular-expression
* regular-expression
* extended-key-usage-list
* key-usage-list

and can be grouped together with a prefixed '&&' (and) or '`||`' (or) operator
('&&' is the default). If multiple rules are given they are iterated with the order in
the config file as long as a rule matches exactly one certificate.

'''Question: MIT Kerberos use case-sensitive matching and POSIX Extended
Regular Expression syntax, shall we do the same?'''

While and are (imo) already quite flexible I can see some
potential extensions for the other components.

and in MIT Kerberos only accept certain string values related to
some allowed values in those field as defined in https://www.ietf.org/rfc/rfc3280.txt . The
selection is basically determined by what is supported on server side of the pkinit plugin
of MIT Kerberos. Since we plan to extend pkinit and support local authentication without
pkinit as well I would suggest to allow OID strings for those components as well (the
comparison is done on the OID level nonetheless).

The component in MIT Kerberos only checks the otherName SAN component for the
id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the
szOID_NT_PRINCIPAL_NAME OID as mentioned in https://support.microsoft.com/en-us/kb/287547.
While this is sufficient for the default pkinit user case of MIT Kerberos I would suggest
to extend this component by allowing to specific an OID with

Mapping
Since different certificates, e.g. issued by different CAs, might have
different mapping rule, a matching rule must be added if there are more than 1
mapping rule. A single mapping rule without a matching rule might be used as
default/catch-all rule in this case.

If multiple rules matches the derived LDAP filter components can be grouped with the
or-operator "|".

A mapping rule can use a similar syntax like the matching rule where the LDAP
attribute can be added with a ':', e.g.
*
*

Currently I see no usage for , and in mapping rules because they
do not contain any user-specific data. If at some point we will have personal CAs we might consider to
add based mappings.

'''Question, do we need search-and-replace at all (or at this stage)? Most of the
interesting values from the SAN should be directly map-able to LDAP attributes. And
processing the string representation of might be tricky as discussed
below.

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
I'm not sure if this is done on purpose, but Vault section is shown there even 
I have no KRA installed in topology, and I'm getting error

```
An error has occurred (IPA Error 3000: InvocationError)

KRA service is not enabled
```

It is not nice, IMO some placeholder pointing to ipa-kra-install could be better
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-251978110
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#132][synchronized] Draft for a new setup.py (WIP)

2016-10-06 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/132
Author: tiran
 Title: #132: Draft for a new setup.py (WIP)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/132/head:pr132
git checkout pr132
From 0e2692dc1b26d57f9bd6809c9c2c44282d8d5f28 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 4 Oct 2016 13:23:22 +0200
Subject: [PATCH] Draft for a new setup.py

Signed-off-by: Christian Heimes 
---
 .gitignore  |  10 +--
 MANIFEST.in |   3 +-
 Makefile|  25 +++---
 client/man/Makefile.am  |   3 +-
 client/man/ipa.1| 204 
 ipa.1   | 204 
 ipaclient/setup.py  |  38 +
 ipaclient/setup.py.in   |  81 ---
 ipalib/Makefile |   2 +-
 ipalib/setup.py |  32 
 ipalib/setup.py.in  |  71 -
 ipaplatform/setup.py|  36 +
 ipaplatform/setup.py.in |  79 ---
 ipapython/Makefile  |   2 +-
 ipapython/setup.py  |  35 +
 ipapython/setup.py.in   |  79 ---
 ipasetup.py.in  |  71 +
 ipatests/setup.py   |  54 +
 ipatests/setup.py.in|  97 ---
 setup.py|  51 +---
 20 files changed, 496 insertions(+), 681 deletions(-)
 create mode 100644 client/man/ipa.1
 delete mode 100644 ipa.1
 create mode 100644 ipaclient/setup.py
 delete mode 100644 ipaclient/setup.py.in
 create mode 100644 ipalib/setup.py
 delete mode 100644 ipalib/setup.py.in
 create mode 100644 ipaplatform/setup.py
 delete mode 100644 ipaplatform/setup.py.in
 create mode 100755 ipapython/setup.py
 delete mode 100755 ipapython/setup.py.in
 create mode 100644 ipasetup.py.in
 create mode 100644 ipatests/setup.py
 delete mode 100644 ipatests/setup.py.in

diff --git a/.gitignore b/.gitignore
index 61054de..0e63640 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,6 +41,9 @@ freeipa2-dev-doc
 /dist/
 /RELEASE
 /rpmbuild/
+# Build
+ipasetup.py
+*.egg-info
 
 # Subdirectories
 /daemons/ipa-otpd/ipa-otpd
@@ -64,19 +67,12 @@ freeipa2-dev-doc
 /client/ipa-join
 /client/ipa-rmkeytab
 
-/ipatests/setup.py
-
-/ipaclient/setup.py
-
-/ipalib/setup.py
 !/ipalib/Makefile
 
-/ipapython/setup.py
 /ipapython/version.py
 !/ipapython/Makefile
 
 /ipaplatform/__init__.py
-/ipaplatform/setup.py
 /ipaplatform/tasks.py
 /ipaplatform/services.py
 /ipaplatform/paths.py
diff --git a/MANIFEST.in b/MANIFEST.in
index dd76e10..f34cc7e 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,2 +1 @@
-include COPYING TODO lite-server.py
-include tests/*/*.py
+include COPYING lite-server.py
diff --git a/Makefile b/Makefile
index 6324308..794226c 100644
--- a/Makefile
+++ b/Makefile
@@ -161,23 +161,25 @@ test:
 release-update:
 	if [ ! -e RELEASE ]; then echo 0 > RELEASE; fi
 
-version-update: release-update
+.PHONY: ipasetup
+ipasetup:
+	sed -e s/__VERSION__/$(IPA_VERSION)/ ipasetup.py.in \
+		> ipasetup.py
+	$(PYTHON) setup.py egg_info
+	for directory in ipaclient ipalib ipaplatform ipapython ipatests; do \
+	pushd $${directory} ; \
+	cp ../ipasetup.py . ; \
+	$(PYTHON) setup.py egg_info ; \
+	popd ; \
+	done
+
+version-update: release-update ipasetup
 	sed -e s/__VERSION__/$(IPA_VERSION)/ -e s/__RELEASE__/$(IPA_RPM_RELEASE)/ \
 		freeipa.spec.in > freeipa.spec
 	sed -e s/__VERSION__/$(IPA_VERSION)/ version.m4.in \
 		> version.m4
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/setup.py.in \
-		> ipapython/setup.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipaplatform/setup.py.in \
-		> ipaplatform/setup.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipalib/setup.py.in \
-		> ipalib/setup.py
 	sed -e s/__VERSION__/$(IPA_VERSION)/ ipapython/version.py.in \
 		> ipapython/version.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipatests/setup.py.in \
-		> ipatests/setup.py
-	sed -e s/__VERSION__/$(IPA_VERSION)/ ipaclient/setup.py.in \
-		> ipaclient/setup.py
 	sed -e s/__NUM_VERSION__/$(IPA_NUM_VERSION)/ install/ui/src/libs/loader.js.in \
 		> install/ui/src/libs/loader.js
 	sed -i -e "s:__API_VERSION__:$(IPA_API_VERSION_MAJOR).$(IPA_API_VERSION_MINOR):" install/ui/src/libs/loader.js
@@ -301,6 +303,7 @@ clean: version-update
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
+	find . -name 'ipasetup.py' -or -name 'ipasetup.py[co]' | xargs rm -f
 	rm -f *~
 
 distclean: version-update
diff --git a/client/man/Makefile.am b/client/man/Makefile.am
index 9d8a9c0..1f067ab 100644
--- a/client/man/Makefile.am
+++ b/client/man/Makefile.am
@@ -10,7 +10,8 @@ man1_MANS = \
 		ipa-client-install.1	\
 		ipa-client-automount.1	\
 		ipa-certupdate.1	\
-		ipa-join.1
+		ipa-join.1		\
+		ipa.1
 
 man5_MANS =\
 		default.conf.5
diff --git a/client/man/ipa.1 b/client/man/ipa.1
new file mode 100644

[Freeipa-devel] [freeipa PR#132][comment] Draft for a new setup.py (WIP)

2016-10-06 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/132
Title: #132: Draft for a new setup.py (WIP)

tiran commented:
"""
@mbasti-rh I have removed more hacks and made each setup.py even simpler.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/132#issuecomment-251963879
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
Hi alichbox, 
I agree with steps you are proposing, it does make sense. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251962169
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support

   URL: https://github.com/freeipa/freeipa/pull/134
Author: pspacek
 Title: #134: DNS URI support
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/134/head:pr134
git checkout pr134
From a35fe8f72d3c905d6338bce8a7f682b8f3e228e7 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 28 Sep 2016 15:20:43 +0200
Subject: [PATCH 1/3] DNS: Support URI resource record type

https://fedorahosted.org/freeipa/ticket/6344
---
 ACI.txt |  4 +-
 API.txt | 19 +--
 install/share/60ipadns.ldif |  3 +-
 install/share/dns.ldif  |  2 +-
 install/ui/src/freeipa/dns.js   | 15 +-
 install/updates/40-dns.update   |  3 +-
 ipaserver/plugins/dns.py| 50 --
 ipatests/test_xmlrpc/test_dns_plugin.py | 89 +
 8 files changed, 172 insertions(+), 13 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index fddd598..0b47489 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn:

Re: [Freeipa-devel] 4.4.2 release notes draft

2016-10-06 Thread Petr Vobornik

On 10/05/2016 06:40 PM, Petr Vobornik wrote:
> Hi,
> 
> we planned to release 4.4.2 Today. I'd postpone it to tomorrow morning
> so you have time to read the RN page.
> 
> Almost completely auto-generated release notes page:
> http://www.freeipa.org/page/Releases/4.4.2
> 
> Please help to to highlight important bug fixes.
> 
> Notes:
> - the only manual part is "Known Issues section"
> - the script for generating RN will be shared
> 

The release will be postponed because of regression introduced in 4.4.2:
- https://fedorahosted.org/freeipa/ticket/6385

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#142][comment] CheckedIPAddress: Implement (g|s)etstate and to ensure proper (un)pickling

  URL: https://github.com/freeipa/freeipa/pull/142
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper 
(un)pickling

mbasti-rh commented:
"""
IMO here (__init__ of CheckedIPAddress) is missing self._net = addr._net  it 
may cause issues
```
 if isinstance(addr, CheckedIPAddress):
 self.prefixlen = addr.prefixlen
 return
```

and self._net should be handled in parent class
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/142#issuecomment-251949631
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support

   URL: https://github.com/freeipa/freeipa/pull/134
Author: pspacek
 Title: #134: DNS URI support
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/134/head:pr134
git checkout pr134
From 4b7b8cc128e6a1b1f7485550c65974ff9b952cdf Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 28 Sep 2016 15:20:43 +0200
Subject: [PATCH 1/3] DNS: Support URI resource record type

https://fedorahosted.org/freeipa/ticket/6344
---
 ACI.txt |  4 +-
 API.txt | 19 +--
 install/share/60ipadns.ldif |  3 +-
 install/share/dns.ldif  |  2 +-
 install/ui/src/freeipa/dns.js   | 15 +-
 ipaserver/plugins/dns.py| 50 --
 ipatests/test_xmlrpc/test_dns_plugin.py | 89 +
 7 files changed, 170 insertions(+), 12 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index fddd598..0b47489 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record ||

[Freeipa-devel] [freeipa PR#134][comment] DNS URI support

  URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

pspacek commented:
"""
I was playing with an idea of automatic escaping but it cannot be done with 
current record format: There is no way to distinguish alredy escaped text from 
a text which needs escaping. This totally breaks web UI edit workflow because 
it reads text from LDAP, fills text field with it and then double-escapes it 
during save.

For this reason I've given up attempts to automatically escape things, which is 
no different from e.g. TXT records. Call it consistency if you want ;-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/134#issuecomment-251949022
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support

   URL: https://github.com/freeipa/freeipa/pull/134
Author: pspacek
 Title: #134: DNS URI support
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/134/head:pr134
git checkout pr134
From f0a86bd9885128a169834fcf9085dbc23727c1bf Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 28 Sep 2016 15:20:43 +0200
Subject: [PATCH 1/3] DNS: Support URI resource record type

https://fedorahosted.org/freeipa/ticket/6344
---
 ACI.txt |  4 +-
 API.txt | 19 +--
 install/share/60ipadns.ldif |  3 +-
 install/share/dns.ldif  |  2 +-
 install/ui/src/freeipa/dns.js   | 15 +-
 ipaserver/plugins/dns.py| 51 +--
 ipatests/test_xmlrpc/test_dns_plugin.py | 89 +
 7 files changed, 171 insertions(+), 12 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index fddd598..0b47489 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record ||

[Freeipa-devel] [freeipa PR#142][opened] CheckedIPAddress: Implement (g|s)etstate and to ensure proper (un)pickling

2016-10-06 Thread dkupka

   URL: https://github.com/freeipa/freeipa/pull/142
Author: dkupka
 Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper 
(un)pickling
Action: opened

PR body:
"""
Missing attributes in instance created by pickle.load cause AttributeError in
second part of ipa-server-install --external-ca.

https://fedorahosted.org/freeipa/ticket/6385
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/142/head:pr142
git checkout pr142
From 3f096edf847af84077fc0e04fd16437678afaf2f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 6 Oct 2016 13:31:52 +0200
Subject: [PATCH] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure
 proper (un)pickling

Missing attributes in instance created by pickle.load cause AttributeError in
second part of ipa-server-install --external-ca.

https://fedorahosted.org/freeipa/ticket/6385
---
 ipapython/ipautil.py | 25 +
 1 file changed, 25 insertions(+)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 41544a1..f8badb0 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -205,6 +205,31 @@ def __init__(self, addr, match_local=False, parse_netmask=True,
 
 self.prefixlen = self._net.prefixlen
 
+def __getstate__(self):
+state = {
+'_net': self._net,
+'prefixlen': self.prefixlen
+}
+try:
+state['super_state'] = super(CheckedIPAddress, self).__getstate__()
+except AttributeError:
+# none of base classes implements custom pickling
+pass
+
+return state
+
+def __setstate__(self, state):
+try:
+super_state = state.pop('super_state')
+except KeyError:
+# no state saved for base classes
+pass
+else:
+super(CheckedIPAddress, self).__setstate__(super_state)
+
+self._net = state['_net']
+self.prefixlen = state['prefixlen']
+
 def is_network_addr(self):
 return self == self._net.network
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#133][comment] Tests: print what was expected from exceptions and callables in xmlrpc_tests

  URL: https://github.com/freeipa/freeipa/pull/133
Title: #133: Tests: print what was expected from exceptions and callables in 
xmlrpc_tests

mbasti-rh commented:
"""
Please set proper patch author, otherwise LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/133#issuecomment-251944193
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#134][synchronized] DNS URI support

   URL: https://github.com/freeipa/freeipa/pull/134
Author: pspacek
 Title: #134: DNS URI support
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/134/head:pr134
git checkout pr134
From f0a86bd9885128a169834fcf9085dbc23727c1bf Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 28 Sep 2016 15:20:43 +0200
Subject: [PATCH 1/3] DNS: Support URI resource record type

https://fedorahosted.org/freeipa/ticket/6344
---
 ACI.txt |  4 +-
 API.txt | 19 +--
 install/share/60ipadns.ldif |  3 +-
 install/share/dns.ldif  |  2 +-
 install/ui/src/freeipa/dns.js   | 15 +-
 ipaserver/plugins/dns.py| 51 +--
 ipatests/test_xmlrpc/test_dns_plugin.py | 89 +
 7 files changed, 171 insertions(+), 12 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index fddd598..0b47489 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -73,13 +73,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsdefaultttl || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnstemplateattribute || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord || urirecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example;)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read DNSSEC metadata";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example;)(version 3.0;acl "permission:System: Remove DNS Entries";allow (delete) groupdn = "ldap:///cn=System: Remove DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record ||

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

mirielka commented:
"""
Ok, I will do it like Ales proposed and will sync this PR when new tests are 
ready.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251934592
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

2016-10-06 Thread alichbox

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

alichbox commented:
"""
Ok, I would vote for the new tests and when we have them merged we can safely 
delete this part of code that is not relevant anymore. The reason we would 
leave the current (not relevant tests) here is to not loose the information 
that we need to cover that part.
So my proposal: 1) leave these tests here as they are; 2) write new test suite; 
3) delete the old tests; Does it make sense?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251933994
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#141][opened] Tests: Fix failing test_ipalib/test_parameters

   URL: https://github.com/freeipa/freeipa/pull/141
Author: mirielka
 Title: #141: Tests: Fix failing test_ipalib/test_parameters
Action: opened

PR body:
"""
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.

Partially fixes https://fedorahosted.org/freeipa/ticket/6292
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/141/head:pr141
git checkout pr141
From a6f076cac03e3672399abccf0639b0d6035147b6 Mon Sep 17 00:00:00 2001
From: Lenka Doudova 
Date: Thu, 6 Oct 2016 10:54:07 +0200
Subject: [PATCH] Tests: Fix failing test_ipalib/test_parameters

Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.

Partially fixes https://fedorahosted.org/freeipa/ticket/6292
---
 ipalib/parameters.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 77a6136..32ff9a8 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -473,7 +473,7 @@ def __init__(self, name, *rules, **kw):
 CALLABLE_ERROR % (key, value, type(value))
 )
 kw[key] = value
-else:
+elif key not in ('required', 'multivalue'):
 kw.pop(key, None)
 
 # We keep these values to use in __repr__():
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#123][comment] Tests: Remove silent deleting and creating entries by tracker

2016-10-06 Thread apophys

  URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

apophys commented:
"""
Looks good, thanks.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/123#issuecomment-251931803
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#123][+ack] Tests: Remove silent deleting and creating entries by tracker

2016-10-06 Thread apophys

  URL: https://github.com/freeipa/freeipa/pull/123
Title: #123: Tests: Remove silent deleting and creating entries by tracker

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#134][comment] DNS URI support

  URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

mbasti-rh commented:
"""
I was able to add an invalid URI record
```
[root@vm-058-017 ~]# ipa dnsrecord-add test.zone. --uri-rec='0 0 trolo"lo'
Record name: test2
  Record name: test2
  URI record: 0 0 "trolo"lo"

[root@vm-058-017 ~]# dig +short test2.test.zone. URI
[root@vm-058-017 ~]# 

journalctl output
failed to parse RR entry:  resource record DN 
'idnsname=test2,idnsname=test.zone.,cn=dns,dc=blabla' data '0 0 "trolo"lo"': 
extra input text
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/134#issuecomment-251930458
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-06 Thread Sumit Bose

Hi,

I've started to write a SSSD design page about enhancing the current
mapping of certificates to users and how to select/match a suitable
certificate if multiple certificates are on a Smartcard.

My currently thoughts and idea and be found at
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about concerns,
alternatives and missing use-cases/user-stories.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
 * http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===
 Mapping 
Currently it is required that a certificate used for authentication is either 
stored in the LDAP user entry or in a matching override. This might not always 
be applicable and other ways are needed to relate a user with a certificate.

 Matching 
Even if SSSD will support multiple certificates on a Smartcard in the context 
of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict 
(or relax) the current certificate selection in certain environments. 

=== Use cases ===
 Mapping 
In some environments it might not be possible or would cause unwanted effort to 
add certificates to the LDAP entry of the users to allow Smartcard based 
authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

 Matching 
A user might have multiple certificate on a Smartcard which are suitable for 
authentication. But on some host in the environment only certificates from a 
specific CA (while all other CAs are trusted as well) or with some special 
extension should be valid for login.

=== Overview of the solution ===
To match a certificate a language/syntax has to be defined which allows to 
reference items from the certificate and compare the values with the expected 
data. To map the certificates to a user the language/syntax should allow to 
relate certificate items with LDAP attributes so that the value(s) from the 
certificate item can be used in a LDAP search filter.


=== Implementation details ===
 Matching 
The pkinit plugin of MIT Kerberos must find a suitable certificate from a 
Smartcard as well and has defined the following syntax (see the 
pkinit_cert_match section of the krb5.conf man page or 
http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for 
details). The main components are

* regular-expression
* regular-expression
* regular-expression
* extended-key-usage-list
* key-usage-list

and can be grouped together with a prefixed '&&' (and) or '`||`' (or) operator 
('&&' is the default). If multiple rules are given they are iterated with the 
order in the config file as long as a rule matches exactly one certificate.

'''Question: MIT Kerberos use case-sensitive matching and POSIX Extended 
Regular Expression syntax, shall we do the same?'''

While  and  are (imo) already quite flexible I can see some 
potential extensions for the other components.

 and  in MIT Kerberos only accept certain string values related to 
some allowed values in those field as defined in 
https://www.ietf.org/rfc/rfc3280.txt . The selection is basically determined by 
what is supported on server side of the pkinit plugin of MIT Kerberos. Since we 
plan to extend pkinit and support local authentication without pkinit as well I 
would suggest to allow OID strings for those components as well (the comparison 
is done on the OID level nonetheless).

The  component in MIT Kerberos only checks the otherName SAN component for 
the id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the 
szOID_NT_PRINCIPAL_NAME OID as mentioned in 
https://support.microsoft.com/en-us/kb/287547. While this is sufficient for the 
default pkinit user case of MIT Kerberos I would suggest to extend this 
component by allowing to specific an OID with 

 Mapping 
Since different certificates, e.g. issued by different CAs, might have 
different mapping rule, a matching rule must be added if there are more than 1 
mapping rule. A single mapping rule without a matching rule might be used as 
default/catch-all rule in this case.

If multiple rules matches the derived LDAP filter components can be grouped 
with the or-operator "|".

A mapping rule can use a similar syntax like the matching rule where the LDAP 
attribute can be added with a ':', e.g.
* 
* 

Currently I see no usage for ,  and  in mapping rules because 
they do not contain any user-specific data. If at some point we will have 
personal CAs we might consider to add  based mappings.


'''Question, do we need search-and-replace at all (or at this stage)? Most of 
the interesting values from the SAN should be directly map-able to LDAP 
attributes. And processing the string representation of  might be 
tricky as discussed below. Nevertheless the following

[Freeipa-devel] [freeipa PR#134][comment] DNS URI support

  URL: https://github.com/freeipa/freeipa/pull/134
Title: #134: DNS URI support

mbasti-rh commented:
"""
NACK, please see inline comments
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/134#issuecomment-251916849
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#108][+ack] Bump pki min version and add commentary about sub-CA revocation on delete

  URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on 
delete

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#115][+ack] Don't show traceback when ipa config file is not an absolute path

  URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#138][comment] Fix ipa-cacert-manage man page

2016-10-06 Thread flo-renaud

  URL: https://github.com/freeipa/freeipa/pull/138
Title: #138: Fix ipa-cacert-manage man page

flo-renaud commented:
"""
Hi,
thanks for your comment. Yes, the IDM guide is currently being updated to 
describe this requirement. See 
[lastSuccessfulBuild](http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide%20(html-single)/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#manual-cert-install).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/138#issuecomment-251902783
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#132][comment] Draft for a new setup.py (WIP)

  URL: https://github.com/freeipa/freeipa/pull/132
Title: #132: Draft for a new setup.py (WIP)

mbasti-rh commented:
"""
This WIP works for me, I like that we get rid of setup.py.in files.

I'm looking forward to final version

Please fix PEP8 reported error and my inline comments
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/132#issuecomment-251904240
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#138][comment] Fix ipa-cacert-manage man page

2016-10-06 Thread flo-renaud

  URL: https://github.com/freeipa/freeipa/pull/138
Title: #138: Fix ipa-cacert-manage man page

flo-renaud commented:
"""
Hi,
thanks for your comment. Yes, the IDM guide is currently being updated to 
describe this requirement. See 
[lastSuccessfulBuild](http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide%20(html-single)/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#manual-cert-install).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/138#issuecomment-251902783
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#135][comment] Pylint: remove unused variables

  URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d9375881460d63cdd696bb0705da0ac205db9870
https://fedorahosted.org/freeipa/changeset/135047d03c1780d682998369aaa531585b39a069
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/135#issuecomment-251902017
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#135][+pushed] Pylint: remove unused variables

  URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#135][closed] Pylint: remove unused variables

   URL: https://github.com/freeipa/freeipa/pull/135
Author: mbasti-rh
 Title: #135: Pylint: remove unused variables
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/135/head:pr135
git checkout pr135
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#125][closed] Add iSecStore.span

   URL: https://github.com/freeipa/freeipa/pull/125
Author: tiran
 Title: #125: Add iSecStore.span
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/125/head:pr125
git checkout pr125
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#125][+pushed] Add iSecStore.span

  URL: https://github.com/freeipa/freeipa/pull/125
Title: #125: Add iSecStore.span

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#128][+pushed] Properly handle LDAP socket closures in ipa-otpd

  URL: https://github.com/freeipa/freeipa/pull/128
Title: #128: Properly handle LDAP socket closures in ipa-otpd

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#128][closed] Properly handle LDAP socket closures in ipa-otpd

   URL: https://github.com/freeipa/freeipa/pull/128
Author: npmccallum
 Title: #128: Properly handle LDAP socket closures in ipa-otpd
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/128/head:pr128
git checkout pr128
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#138][comment] Fix ipa-cacert-manage man page

  URL: https://github.com/freeipa/freeipa/pull/138
Title: #138: Fix ipa-cacert-manage man page

mbasti-rh commented:
"""
Is this written in IdM guide, if not IMO it would be nice to open doc bug in BZ 
and add this info there as well
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/138#issuecomment-251898208
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#135][comment] Pylint: remove unused variables

2016-10-06 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

stlaz commented:
"""
A refactoring ticket needs opening for the issues with find_entries mentioned 
here. Tests seem to pass, so ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/135#issuecomment-251896732
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#135][+ack] Pylint: remove unused variables

2016-10-06 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/135
Title: #135: Pylint: remove unused variables

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

2016-10-06 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, 
xmlrpc_uri, ldap_uri

stlaz commented:
"""
NACK, please see the review comment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/113#issuecomment-251895399
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139
From bb58c35a0707e89e0518f6f950f61af9021566d5 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 09:54:24 +0200
Subject: [PATCH 01/10] Additional option to add and del operations can be set

By setting the property 'additional_add_del_field' to the name of one of
the fields which are on current details page, we choose field which value
will be added to  *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 7579bb0..d44f8c8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) {
 
 var that = IPA.table_widget(spec);
 
+/**
+ * The value should be name of the field, which will be added to *_add_*,
+ * *_del_* commands as option: {fieldname: fieldvalue}.
+ *
+ * @property {String} fieldname
+ */
+that.additional_add_del_field = spec.additional_add_del_field;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) {
 });
 command.set_option(that.other_entity.name, values);
 
+that.join_additional_option(command);
+
 command.execute();
 };
 
+that.join_additional_option = function(command) {
+var add_opt = that.additional_add_del_field;
+if (add_opt && typeof add_opt === 'string') {
+var opt_field = that.entity.facet.get_field(add_opt);
+var value;
+if (opt_field) value = opt_field.get_value()[0];
+
+command.set_option(add_opt, value);
+}
+};
+
 that.show_remove_dialog = function() {
 
 var selected_values = that.get_selected_values();
@@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) {
 });
 
 command.set_option(that.other_entity.name, values);
+that.join_additional_option(command);
 
 command.execute();
 };

From a571d178aaff29e1c8aa4982827ccb0b6ab019f9 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 10:09:20 +0200
Subject: [PATCH 02/10] Allow to set another other_entity name

Association table's add, del commands needs as option list of cn of
other_entity, which is added or deleted. There is a case (currently in vaults)
that the name of option is different than the name of other_entity.
In this situation we can set 'other_option_name' and put there the option name.
This option name will be used instead of 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index d44f8c8..63beeb8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -429,6 +429,17 @@ IPA.association_table_widget = function (spec) {
  */
 that.additional_add_del_field = spec.additional_add_del_field;
 
+/**
+ * Can be used in situations when the *_add_member command needs entity
+ * as a parameter, but parameter has different name than entity.
+ * i.e. vault_add_member --services=[values] ... this needs values from service
+ * entity, but option is called services, that we can set by setting
+ * this option in spec to other_option_name: 'services'
+ *
+ * @property other_option_name {String}
+ */
+that.other_option_name = spec.other_option_name;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -683,9 +694,9 @@ IPA.association_table_widget = function (spec) {
 on_success: on_success,
 on_error: on_error
 });
-command.set_option(that.other_entity.name, values);
 
 that.join_additional_option(command);
+that.handle_entity_option(command, values);
 
 command.execute();
 };
@@ -701,6 +712,14 @@ IPA.association_table_widget = function (spec) {
 }
 };
 
+that.handle_entity_option = function(command, values) {
+var option_name = that.other_option_name;
+if (!option_name) {
+option_name = that.other_entity.name;
+}
+

Re: [Freeipa-devel] [PATCH] 0097 Add options to write lightweight CA cert or chain to file

2016-10-06 Thread Jan Cholasta


On 23.9.2016 05:29, Fraser Tweedale wrote:

Bump for review.

Rebased patches attached (there was a trivial conflict in imports).

Thanks,
Fraser

On Tue, Sep 06, 2016 at 02:05:06AM +1000, Fraser Tweedale wrote:

On Fri, Aug 26, 2016 at 10:28:58AM +0200, Jan Cholasta wrote:

On 19.8.2016 13:11, Fraser Tweedale wrote:

Bump for review.

On Wed, Aug 17, 2016 at 12:09:39AM +1000, Fraser Tweedale wrote:

On Tue, Aug 16, 2016 at 08:10:08AM +0200, Jan Cholasta wrote:

On 16.8.2016 07:24, Fraser Tweedale wrote:

On Mon, Aug 15, 2016 at 08:19:33AM +0200, Jan Cholasta wrote:

On 9.8.2016 16:47, Fraser Tweedale wrote:

On Mon, Aug 08, 2016 at 10:49:27AM +0200, Jan Cholasta wrote:

On 8.8.2016 09:06, Fraser Tweedale wrote:

On Mon, Aug 08, 2016 at 08:54:05AM +0200, Jan Cholasta wrote:

Hi,

On 8.8.2016 06:34, Fraser Tweedale wrote:

Please review the attached patch with adds --certificate-out and
--certificate-chain-out options to `ca-show' command.

Note that --certificate-chain-out currently writes a bogus file due
to a bug in Dogtag that will be fixed in this week's build.

https://fedorahosted.org/freeipa/ticket/6178


1) The client-side *-out options should be defined on the client side, not
on the server side.


Will option defined on client side be propagated to, and observable
in the ipaserver plugin?  The ipaserver plugin needs to observe that
*-out has been requested and executes additional command(s) on that
basis.


Is there a reason not to *always* return the certs?


We hit Dogtag to retrieve them.


I don't think that's an issue in a -show command.


cert_show is invoked by other commands (cert_find*, cert_show,
cert_request, cert_status, ca_del) but these all hit Dogtag anyway
so I suppose that's fine.  I'll return the cert *and* the chain in
separate attributes, unconditionally.







2) I don't think there should be additional information included in summary
(and it definitely should not be multi-line). I would rather inform the user
via an error message when unable to write the files.


I was just following the pattern of other commands that write certs,
profile config, etc.  Apart from consistency with other commands I
agree that there is no need to have it.  So I will remove it.


If you think there is an actual value in informing the user about
successfully writing the files, please use ipalib.messages for the job.


3) IMO a better format for the certificate chain than PKCS#7 would be
concatenated PEM, as that's the most commonly used format in IPA (in
installers, there are no cert chains in API commands ATM).


Sure, but the main use case isn't IPA.  Other apps require PKCS #7
or concatenated PEMs, but sometimes they must be concatenated
forward, and othertimes backwards.  There is no one size fits all.


True, which is exactly why I think we should at least be self-consistent and
use concatenated PEM (and multi-value DER over the wire).


Dogtag returns a PKCS7 (either DER or PEM, according to HTTP Accept
header).

If we want list-of-PEMs between server and client we have to convert
on the server.  Do we have a good way of doing this without exec'ing
`openssl pkcs7' on the server?  Is it acceptable to exec 'openssl'
to do the conversion on the server?  python-nss does not have PKCS7
functions and I am not keen on adding a pyasn1 PKCS7 parser just for
the sake of pushing bits as list-of-PEMs.


I'm afraid we can't avoid conversion to/from PKCS#7 one way or the other.
For example, if we added a call to retrieve external CA chain using certs
from cn=certificates,cn=ipa,cn=etc, we would have to convert the result to
PKCS#7 if it was our cert chain format of choice.

What we can avoid though is executing "openssl pkcs7" to do the conversion -
we can use an approach similar to our DNSSEC code and use python-cffi to
call libcrypto's PKCS#7 conversion routines instead.


I had a look at the OpenSSL API for parsing PKCS #7; now I prefer to
exec `openssl' to do the job :)

I will transmit DER-encoded PKCS #7 object on the wire; we cannot
used multi-valued DER attribute because order is important.   Client
will convert to PEMs.


Well, my point was not to send PKCS#7 over the wire, so that clients
(including 3rd party clients) do not have to convert from PKCS#7 themselves.

In fact we can use multi-valued DER - whatever you send over the wire from
the server will be received in the exact same order by the client. Even if
it wasn't, you can easily restore the order by matching issuer and subject
names of the certificates.



Should have new patch on list this afternoon.

Thanks,
Fraser



FWIW, man pages and code suggest that PKCS #7 is accepted in
installer, etc.


True, but that's a relatively new feature (since 4.1) and the installer
internally executes "openssl pkcs7" to convert PKCS #7 to list of certs :-)




We can add an option to control the format later, but for now,
Dogtag returns a PKCS #7 (PEM or DER) so let's go with that.  Worst
case is an admin has to invoke `openssl pkcs7' and concat

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
Yes, that's true and I understand that these tests depend on previous actions. 

What I actually wanted to say is that I think that we should rather rewrite 
these tests right now instead of just removing them. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251891416
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

mirielka commented:
"""
Hi, I discussed this with Rob who authored the tests and he said that these 
tests were there just as a kind of checking that no extra revoked certificates 
get in. Tests are cca 4 years old, revoked certificates do get in e.g. due to 
changes in Dogtag (they can be created by other tests and can't be deleted) and 
cert tests fail. Creating new tests as you described (create cert, revoke it 
and check it's in the database with correct info) could be separate task, since 
these tests didn't do such think, they just checked what's already in 
regardless of how it got there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251887928
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#140][comment] Tests: Remove invalid certplugin tests

  URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Remove invalid certplugin tests

pvomacka commented:
"""
I think that it is not good idea to remove tests, because we are lowering 
coverage. Therefore NACK. 

Could we rather rewrite these tests? For example issue certain certificates, 
revoke them and then test whether there are revoked certs with correct 
revocation reason. I think that our Tracker could help with it. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/140#issuecomment-251886076
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#140][opened] Tests: Remove invalid certplugin tests