[Freeipa-devel] [freeipa PR#156][synchronized] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Author: jcholast
Title: #156: cert: add revocation reason back to cert-find output
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/156/head:pr156
git checkout pr156

From 94c1a5b30136c51bdd518132d33148b862b4d68c Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 12 Oct 2016 12:58:46 +0200
Subject: [PATCH] cert: add revocation reason back to cert-find output

In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were accidentally removed from cert-find output.

In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and `revoked` were added back. Add back `revocation_reason` as well.

Also, do not include `revoked` with --raw, as it's a virtual attribute.

https://fedorahosted.org/freeipa/ticket/6269

--- ipaserver/plugins/cert.py | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index e65cf1f..d13974e 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -1231,16 +1231,17 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): obj = {'serial_number': serial_number} else: obj = ra_obj -obj['issuer'] = issuer -obj['subject'] = DN(ra_obj['subject']) -obj['revoked'] = ( -ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) - if all: -ra_obj = ra.get_certificate(str(serial_number)) -if not raw: +obj.update(ra.get_certificate(str(serial_number))) + +if not raw: +obj['issuer'] = issuer +obj['subject'] = DN(ra_obj['subject']) +obj['revoked'] = ( +ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) +if all: obj['certificate'] = ( -ra_obj['certificate'].replace('\r\n', '')) +obj['certificate'].replace('\r\n', '')) self.obj._parse(obj) obj['cacn'] = ca_obj['cn'][0] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
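Review bot: As far as the flattened hunk shows, the new `if not raw:` block now guards `obj['issuer']` and `obj['subject']` as well as `obj['revoked']`, but the commit message only justifies dropping `revoked` from --raw output as a virtual attribute. Please confirm that issuer and subject still reach raw results through `ra_obj` (or through `obj.update(ra.get_certificate(...))` with --all), or state in the commit message that they are intentionally omitted too. Also note that `obj['certificate'].replace('\r\n', '')` now relies on the earlier `obj.update(...)` call having supplied the key, so the two `if all:` checks must stay in step.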
[Freeipa-devel] [bind-dyndb-ldap PR#2][opened] fix ldif syntax and add idnsTemplateAttribute
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2 Author: stutiredboy Title: #2: fix ldif syntax and add idnsTemplateAttribute Action: opened PR body: """ schema.ldif lost some white space in the line end. schema.ldif lost the idnsTemplateAttribute definitition """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/2/head:pr2 git checkout pr2 From 43820dc2450046cda9deb2cf7450e5dfdc92ec76 Mon Sep 17 00:00:00 2001 From: rootDate: Tue, 11 Oct 2016 17:21:07 +0800 Subject: [PATCH 1/2] fix ldif syntax and add idnsTemplateAttribute --- doc/schema.ldif | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/schema.ldif b/doc/schema.ldif index 8fdc99f..ee20f02 100644 --- a/doc/schema.ldif +++ b/doc/schema.ldif @@ -362,9 +362,16 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY caseIgnoreMatch + EQUALITY caseIgnoreMatch SINGLE-VALUE ) # +olcattributeTypes: ( 2.16.840.1.113730.3.8.5.29 + NAME 'idnsTemplateAttribute' + DESC 'Template attribute for dynamic attribute generation' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + X-ORIGIN 'IPA v4.4' ) +# attributeTypes: ( 2.16.840.1.113730.3.8.5.30 NAME 'idnsSubstitutionVariable' DESC 'User defined variable for DNS plugin' @@ -426,6 +433,6 @@ objectClasses: ( 2.16.840.1.113730.3.8.6.6 objectClasses: ( 2.16.840.1.113730.3.8.6.5 NAME 'idnsTemplateObject' DESC 'Template object for dynamic DNS attribute generation' - SUP top + SUP top AUXILIARY MUST ( idnsTemplateAttribute ) ) From 196e0bce0985a5cd6fcacf80e9565d502ee99147 Mon Sep 17 00:00:00 2001 From: tiredboy Date: Thu, 13 Oct 2016 10:39:29 +0800 Subject: [PATCH 2/2] fix the attribute name for dnsTemplateAttribute --- doc/schema.ldif | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/schema.ldif b/doc/schema.ldif index ee20f02..77c5b0e 100644 --- a/doc/schema.ldif +++ b/doc/schema.ldif @@ -365,7 +365,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.31 EQUALITY caseIgnoreMatch SINGLE-VALUE ) # -olcattributeTypes: ( 2.16.840.1.113730.3.8.5.29 +attributeTypes: ( 2.16.840.1.113730.3.8.5.29 NAME 'idnsTemplateAttribute' DESC 'Template attribute for dynamic attribute generation' EQUALITY caseIgnoreIA5Match -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
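Review bot: In patch 1/2 the definition added at OID 2.16.840.1.113730.3.8.5.29 is introduced as `olcattributeTypes:` while the neighbouring definitions in doc/schema.ldif use `attributeTypes:`, and patch 2/2 exists only to correct that prefix. Squash 2/2 into 1/2 so that no commit in the history carries the mismatched prefix, and fix the 2/2 subject, which names `dnsTemplateAttribute` where the schema attribute is `idnsTemplateAttribute`. Patch 1/2 is also authored as `root`; please reset the author so it matches 2/2.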
Re: [Freeipa-devel] Heimdal Kerberos support for client
Petr Spacek wrote:
> Hello list, I just noticed that client/configure.ac contains some checks to detect and support Heimdal Kerberos libraries. Was it tested? Does it work? Can I drop it? :-)

Wow, that's some old code. Only Simo would know if it was ever tested or ever worked.

I suppose since theoretically the client can be built separately theoretically it might do the right thing in some cases.

Seems like enough of a corner case to me that I'd remove it, given it is likely untested these last 9 years or so. I'll give Simo the final say though.

rob
[Freeipa-devel] Heimdal Kerberos support for client
Hello list,

I just noticed that client/configure.ac contains some checks to detect and support Heimdal Kerberos libraries.

Was it tested? Does it work? Can I drop it? :-)

-- Petr^2 Spacek
[Freeipa-devel] links to docs in the messages from code
Hello FreeIPA developers,

looking at freeipa-users mailing list, a lot of questions could be answered by just quick glance to the docs.

I wonder if we should add links to the HTML version of docs on access.redhat.com to the messages generated by the code.

If we really want, we can make these platform-specific, but I would not even bother with it. Fedora & CentOS & RHEL users end up on the very same page, only the way how they find it is different (mailing list vs. Google vs. paid support).

Examples:

a) Installation without DNS could end up with message like this:
Do not forget to finish post-installation steps listed on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns

b) Failed connection check could print link to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

c) Failed DNS check could mention link
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs

d) Failed attempt to find AD DC could print a link to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

etc.

What do you think about this?

-- Petr^2 Spacek
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158
Title: #158: WebUI: update Patternfly and Bootstrap

pvoborni commented:
"""
I don't think the patternfly package can be included in Fedora as is. It internally bundles several packages, some of them already packaged (jquery, fontawesome-fonts, OpenSans-fonts). Additionally the package puts files in a non-standard place.

Some info about Fedora packaging:
* https://fedoraproject.org/wiki/Packaging:JavaScript
* https://fedoraproject.org/wiki/Packaging:Web_Assets
"""

See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-253276778
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158
Title: #158: WebUI: update Patternfly and Bootstrap

redhatrises commented:
"""
> @redhatrises Thank you for the comment and the link. I agree that it would be
> really nice, but unfortunately there is no PatternFly package in Fedora.

@pvomacka you're right. I should have checked. They do exist in the Patternfly Copr repos: https://copr.fedorainfracloud.org/coprs/patternfly/

Not sure if those can be used or a request needs to be made to include those RPMs into Fedora?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-253272562
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158
Title: #158: WebUI: update Patternfly and Bootstrap

pvomacka commented:
"""
@redhatrises Thank you for the comment and the link. I agree that it would be really nice, but unfortunately there is no PatternFly package in Fedora. Anyway, I would be happy to do a review of a PatternFly package.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-253262288
[Freeipa-devel] [freeipa PR#157][comment] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

mzidek-rh commented:
"""
Forgot to add a comment. I updated the patch according to jcholast's comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/157#issuecomment-253261173
[Freeipa-devel] [freeipa PR#156][comment] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

pvomacka commented:
"""
I found one difference in output of cert-find command before and after this patch, it behaves differently only with --raw option. In output of the command without your commit there is following line:
revoked: True
With your changes this line is missing.

Tried using this command (the same behaviour is in API):
ipa cert-find --user='test_user' --raw (--all)

Would it be possible to keep there also this information?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/156#issuecomment-253252364
[Freeipa-devel] Building refactoring branches in copr
Hello everyone,

as we already agreed we will have branches for our refactoring efforts somewhere and we will build them in copr so they can be easily consumed by CI and also everyone else willing to test them.

I already put together simple script that pulls new patches, makes srpm and submits it to copr build system. In order to avoid everyone else inventing the same wheel I can add all the refactoring branches, create copr repos and run the script with cron.

If you would like me to take care about your refactoring branch just send me its location and consider it done.

-- David Kupka
[Freeipa-devel] [freeipa PR#157][synchronized] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157 Author: mzidek-rh Title: #157: git: Add commit template Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/157/head:pr157 git checkout pr157 From 6780d0fd78a53a5b9d38c4a9f37bfbb3e7e5a6b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?=Date: Wed, 12 Oct 2016 13:28:18 +0200 Subject: [PATCH] git: Add commit template In order to use the commit template, run the following command: git config commit.template .git-commit-template --- .git-commit-template | 8 1 file changed, 8 insertions(+) create mode 100644 .git-commit-template diff --git a/.git-commit-template b/.git-commit-template new file mode 100644 index 000..67f5f41 --- /dev/null +++ b/.git-commit-template @@ -0,0 +1,8 @@ +# Try to keep the subject line within 52 chars | +# Also please try to not exceed 72 characters of length for the body --| + +component: Subject + +Explanation + +https://fedorahosted.org/freeipa/ticket/ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
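Review bot: The setup step (`git config commit.template .git-commit-template`) is recorded only in the commit message, so a contributor who finds `.git-commit-template` in the tree has no hint how to enable it; add the command as a `#` comment at the top of the template or to the contributor documentation. The last template line, `https://fedorahosted.org/freeipa/ticket/`, is not a comment either, so a commit without a ticket keeps a dangling URL unless the author deletes it; a commented hint line would be safer.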
[Freeipa-devel] [freeipa PR#159][opened] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Author: jcholast
Title: #159: spec file: clean up BuildRequires
Action: opened

PR body:
"""
Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose, python-paste, python-sssdconfig and systemd-python BuildRequires.

Remove unused custodia, java-headless, m4, policycoreutils, python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires.

Correct versioned BuildRequires and provide explanatory comments.

**spec file: do not include BuildRequires for lint by default**

Lint is never executed from rpmbuild, so the BuildRequires for lint are purely informational. Include them only if %with_lint RPM macro is specified.

**pylint: enable the import-error check**

Check for import errors with pylint to make sure new python package dependencies are not overlooked.

**ipaserver: remove ipalib import from setup.py**

Instead of importing ipalib to get IPA version string, create setup.py from a template and have the version string automatically filled in. This makes it possible to build the ipaserver package without having to have ipalib dependencies installed.

**makeapi, makeaci: do not fail on missing imports**

Add import hook to makeapi and makeaci which makes them ignore import errors in modules in our source tree and instead print a warning. This makes it possible to build IPA without having to have most of our runtime dependencies installed.

**client: remove unused libcurl build dependency**

**pwpolicy: do not run klist on import**

On pwpolicy module import, "klist -V" is run to determine if the installed krb5 version supports account lockout (>= 1.8). Remove the check, as we require a krb5 version which does support account lockout (1.12).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/159/head:pr159
git checkout pr159

From 506b3e9324bf0497162405594f8bc316b723f7ad Mon Sep 17 00:00:00 2001 
From: Jan Cholasta
Date: Wed, 12 Oct 2016 13:20:32 +0200
Subject: [PATCH 1/7] spec file: clean up BuildRequires

Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose, python-paste, python-sssdconfig and systemd-python BuildRequires.

Remove unused custodia, java-headless, m4, policycoreutils, python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires.

Correct versioned BuildRequires and provide explanatory comments.

--- freeipa.spec.in | 125 +--- 1 file changed, 75 insertions(+), 50 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e5e1292..c44929b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -43,82 +43,107 @@ URL:http://www.freeipa.org/ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -%if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.5.6 -BuildRequires: svrcore-devel -BuildRequires: policycoreutils >= 2.1.12-5 -BuildRequires: systemd-units -BuildRequires: samba-devel >= %{samba_version} -BuildRequires: samba-python -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -%endif # ONLY_CLIENT -BuildRequires: nspr-devel -BuildRequires: nss-devel -BuildRequires: openssl-devel BuildRequires: openldap-devel -BuildRequires: krb5-devel >= 1.13 -BuildRequires: krb5-workstation -BuildRequires: libuuid-devel -BuildRequires: libcurl-devel >= 7.21.7-2 +# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) +BuildRequires: krb5-devel >= 1.12 +BuildRequires: libcurl-devel +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel BuildRequires: autoconf BuildRequires: automake -BuildRequires: m4 BuildRequires: libtool BuildRequires: gettext BuildRequires: python-devel +%if 0%{?with_python3} +BuildRequires: python3-devel +%endif # with_python3 +# %{_unitdir}, %{_tmpfilesdir} +BuildRequires: systemd +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! 
%{ONLY_CLIENT} +# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005) +BuildRequires: 389-ds-base-devel >= 1.3.3.9 +BuildRequires: svrcore-devel +%if 0%{?rhel} +BuildRequires: samba-devel >= 4.0.0 +%else +BuildRequires: samba-devel >= 2:4.0.0 +%endif +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openssl-devel +BuildRequires: libuuid-devel BuildRequires: python-ldap -BuildRequires: python-setuptools -BuildRequires: python-nss -BuildRequires: python-cryptography >= 0.9 BuildRequires: python-netaddr -BuildRequires: python-gssapi >= 1.1.2 -BuildRequires: python-rhsm -BuildRequires: pyOpenSSL -BuildRequires: pylint >= 1.0 -# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 -BuildRequires: python2-polib -BuildRequires:
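Review bot: `nspr-devel`, `nss-devel`, `openssl-devel` and `libuuid-devel` are re-added after `%if ! %{ONLY_CLIENT}`, so they become server-only build dependencies, yet the commit message lists only added, removed and version-corrected BuildRequires and does not mention this move. Please confirm the client-only build does not need them and record the change in the commit message. The `samba-devel` requirement also replaces `%{samba_version}` with literal `4.0.0` / `2:4.0.0` values; a short comment explaining the epoch difference between the `%{?rhel}` branches would match the explanatory comments added for krb5-devel and 389-ds-base-devel.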
Re: [Freeipa-devel] Feature branches for sub-team efforts
On Wed, 12 Oct 2016, David Kupka wrote:
On 11/10/16 16:27, Alexander Bokovoy wrote:
On Tue, 11 Oct 2016, Petr Vobornik wrote:
On 10/11/2016 03:50 PM, Alexander Bokovoy wrote:
On Tue, 11 Oct 2016, Petr Vobornik wrote:

Hi List,

we discussed locally a proposal about creating a feature branch for each sub-team effort in our main git. Currently it would be for the 4 ongoing refactoring efforts + Simo's work

Why? It will allow each developer to create a pull request against the feature branch and thus it will enable iterative development by multiple devs without affecting other sub-teams.

When the feature(refactoring) is finished, the branch would be rebased on master and merged there.

Note: rebases can be done as needed - e.g. when other subteam finishes its work.

Concerns:
1. Upstream git repo would be full of such branches.
- This can be mitigated by deleting the feature branches when they are released or merged(up to discussion)

Don't put them in the upstream git repo. Let people decide where they want to have them -- all Fedora contributors have access to fedorapeople.org git hosting and there is github one button click ('Clone') away from the github mirror. It is not a problem to keep a separate git branch published this way.

It is not a matter of making the code public. That can be done easily as you write. Other alternative is own branch in GitHub fork.

Maybe I misunderstand you -- if you just want people to propose merge requests on github with pre-defined names, then that's just fine.

Basically it's all about review.

Example use case: More than 1 devs are working on a same big effort. This effort will probably consists of 10s of commits. The big effort is divided into smaller ones which can be implemented and reviewed separately. In our previous mode, the sub task would be merged to master it is reviewed and ACKed. But now we cannot do that. We want to merge the whole big task at once when it is finished and tested.

One dev could probably have a branch on personal fork of FreeIPA on GitHub which would work as the feature branch. Other team members would create pull requests against it. In such case we would lose mail notifications and would have to extend our tooling because ipatool can use only one upstream on push.

So I still think this is not a problem. If people can agree which git repo clone will be primary one and submit merge requests against it, then there is no problem in having that git repo's branch to be submitted as the pull request against the main git repo. This way you'll get all the changes seen at the pull request sync time.

From my POV, when we create the refactoring branches in upstream we get this for free:
* our minimal but convenient CI (lint + build on each PR)
* mail notifications
* tooling (ipatool pr-push XYZ -b refactoring-xyz just works)

When creating them elsewhere we get:
* confusion (no team-wide notifications, each effort in other fork)
* manual rebasing and pushing

This is rehashing of what Petr wrote already. And I understand the benefits of it.

However, I don't like one part of the proposal: removing branches from upstream when feature is merged. This is heavily against accountability -- we should never remove anything from the primary git tree. Also, this churn of branches creates a lot of issues in terms of maintaining internal git datastore as you'll need to clean it from time to time.

At this point I don't really see how benefits could outweigh the negatives in the longer term. Thousands of projects are working with separate git trees and do pull requests without negative of having to keep all the temporary feature branches in the main git tree. Why can't we?

So I think it's best to create the branches in upstream repo. I don't care about names and also I don't care what happens with them after the effort is done.

-- David Kupka

-- / Alexander Bokovoy
Re: [Freeipa-devel] Feature branches for sub-team efforts
On 11/10/16 16:27, Alexander Bokovoy wrote:
On Tue, 11 Oct 2016, Petr Vobornik wrote:
On 10/11/2016 03:50 PM, Alexander Bokovoy wrote:
On Tue, 11 Oct 2016, Petr Vobornik wrote:

Hi List,

we discussed locally a proposal about creating a feature branch for each sub-team effort in our main git. Currently it would be for the 4 ongoing refactoring efforts + Simo's work

Why? It will allow each developer to create a pull request against the feature branch and thus it will enable iterative development by multiple devs without affecting other sub-teams.

When the feature(refactoring) is finished, the branch would be rebased on master and merged there.

Note: rebases can be done as needed - e.g. when other subteam finishes its work.

Concerns:
1. Upstream git repo would be full of such branches.
- This can be mitigated by deleting the feature branches when they are released or merged(up to discussion)

Don't put them in the upstream git repo. Let people decide where they want to have them -- all Fedora contributors have access to fedorapeople.org git hosting and there is github one button click ('Clone') away from the github mirror. It is not a problem to keep a separate git branch published this way.

It is not a matter of making the code public. That can be done easily as you write. Other alternative is own branch in GitHub fork.

Maybe I misunderstand you -- if you just want people to propose merge requests on github with pre-defined names, then that's just fine.

Basically it's all about review.

Example use case: More than 1 devs are working on a same big effort. This effort will probably consists of 10s of commits. The big effort is divided into smaller ones which can be implemented and reviewed separately. In our previous mode, the sub task would be merged to master it is reviewed and ACKed. But now we cannot do that. We want to merge the whole big task at once when it is finished and tested.

One dev could probably have a branch on personal fork of FreeIPA on GitHub which would work as the feature branch. Other team members would create pull requests against it. In such case we would lose mail notifications and would have to extend our tooling because ipatool can use only one upstream on push.

So I still think this is not a problem. If people can agree which git repo clone will be primary one and submit merge requests against it, then there is no problem in having that git repo's branch to be submitted as the pull request against the main git repo. This way you'll get all the changes seen at the pull request sync time.

From my POV, when we create the refactoring branches in upstream we get this for free:
* our minimal but convenient CI (lint + build on each PR)
* mail notifications
* tooling (ipatool pr-push XYZ -b refactoring-xyz just works)

When creating them elsewhere we get:
* confusion (no team-wide notifications, each effort in other fork)
* manual rebasing and pushing

So I think it's best to create the branches in upstream repo. I don't care about names and also I don't care what happens with them after the effort is done.

-- David Kupka
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
1) Can you just turn off dirsrv on replica instead of doing iptables magic?

2) NACK
No more eval() ever in code, use 'getattr', 'get' or whatever in the object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how does this feature work. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all replica's RUVs. If we clean replica's RUVs on master without uninstalling the replica, the replica's RUVs get recreated on master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from master.

The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand

On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin, Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin, Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys, Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.
On 06/17/2016 11:18 AM, Oleg Fayans wrote: One more test was added to the patch-0048 On 06/17/2016 09:43 AM, Oleg Fayans wrote: Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan On 06/16/2016 04:46 PM, Oleg Fayans wrote: IIUC, this will turn off the machine completely, how is cleanup done then. AFAIK our tests cannot turn on machine again and run cleanup, so you will not be able to run more tests on the same topology without manual cleanup and manual start. +replica = self.replicas[0] +replica.run_command(['poweroff']) IMO would be better to just call 'ipactl stop' instead of 'poweroff' Agreed! Fixed. Martin^2 *Automated ipa-replica-manage del tests* 1) +replica.run_command(['ipactl', 'stop']) +time.sleep(3) Why do you need sleep here? Removed, it was left from the old "poweroff" approach 2) +ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname) +replica_ruvs = ruvid_re.findall(result.stdout_text) +master.run_command(['ipa-replica-manage', 'clean-ruv', 'f', +'-p', master.config.dirman_password, +replica_ruvs[0]]) Because you are using re.findall(), without any match you will receive IndexError here replica_ruvs[0]. IMO it deserves assert before Implemented the assert which checks that the output contains enough replica RUVs 3) assert(replica.hostname in result1.stdout_text) I think that this is error prone. What if there is just error 'could not connect to replica ', or something similar. instead of listing/cleaning/whatever operation was executed. I think that it should be more specific regexp than just finding a replica name substring (Yes In IPA we dont always print error so stderr) I'm not sure, but probably there might be cases when non critical error happen and exist status is still 0 Agree. Implemented a regex-based search 4) +replica.run_command(['poweroff']) +time.sleep(3) There should not be poweroff, probably sleep could be removed too. 
Gone * Automated clean-ruv subcommand test* 1) PEP8, 2 new lines expected ./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0 ./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters) Fixed 2) I dont like doing assert just with count of occurences of substring in STDOUT, would be possible to improve this somehow? Maybe, but frankly, I don't see how. In this case we are making sure that both simple and CA-specific RUVs of a replica are displayed. The format of the output is strict: Replica Update Vectors: replica1_hostname:389: RUV_id replica2_hostname:389: RUV_id Certificate Server Replica Update Vectors: replica1_hostname:389: RUV_id replica2_hostname:389: RUV_id If we do not see 2 occurrences of the replica hostname than definitely something went wrong 3) I'm not sure if clean-ruv is instant operations or there is some magic happening in background (we have abort-clean-ruv). Maybe some sleep should be there, but this needs investigation. +assert(replica.hostname in
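The review points raised in this thread (look the host up with getattr instead of eval(), and match RUV lines precisely instead of testing for a hostname substring or indexing re.findall() results) can be sketched as follows. This is an added example, not code from the patches under review; the sample output, the section keys `domain`/`ca` and the attribute names `master`/`replica` are assumptions.

```python
import re

# Constructed sample, shaped like the list-ruv output described in the thread:
# two sections, each holding "<hostname>:389: <RUV id>" lines.
SAMPLE_LIST_RUV = (
    "Replica Update Vectors:\n"
    "\tmaster.example.test:389: 4\n"
    "\treplica1.example.test:389: 7\n"
    "Certificate Server Replica Update Vectors:\n"
    "\tmaster.example.test:389: 6\n"
    "\treplica1.example.test:389: 9\n"
)

# Constructed failure output that still mentions the replica's hostname; a
# plain "hostname in stdout" check would wrongly pass on it.
SAMPLE_ERROR = "unable to connect to replica1.example.test:389: timed out\n"

SECTIONS = {
    "Replica Update Vectors:": "domain",
    "Certificate Server Replica Update Vectors:": "ca",
}
RUV_LINE = re.compile(r"^\s*(?P<host>[^\s:]+):389:\s*(?P<ruv>\d+)\s*$")


def parse_ruvs(text):
    """Return {'domain': {host: ruv_id}, 'ca': {host: ruv_id}}."""
    found = {name: {} for name in SECTIONS.values()}
    current = None
    for line in text.splitlines():
        header = line.strip()
        if header in SECTIONS:
            current = SECTIONS[header]
            continue
        match = RUV_LINE.match(line)
        # Only count well-formed RUV lines that sit under a known header.
        if match and current is not None:
            found[current][match.group("host")] = int(match.group("ruv"))
    return found


def replica_ruv_ids(text, hostname):
    """Return the replica's RUV id per section, or fail with a clear message.

    Raising here replaces the bare replica_ruvs[0] lookup that would end in
    an IndexError when nothing matched.
    """
    ruvs = parse_ruvs(text)
    missing = sorted(n for n, hosts in ruvs.items() if hostname not in hosts)
    if missing:
        raise AssertionError(
            "no RUV for %s in section(s): %s" % (hostname, ", ".join(missing)))
    return {name: hosts[hostname] for name, hosts in ruvs.items()}


# Hypothetical attribute names a test helper may be asked to resolve.
ALLOWED_HOST_ATTRS = frozenset({"master", "replica"})


def resolve_host(test_obj, host_attr):
    """getattr-based replacement for eval("args[0].%s" % host).

    The name is checked against an allowlist, so the string can never be
    evaluated as an expression or reach arbitrary attributes.
    """
    if host_attr not in ALLOWED_HOST_ATTRS:
        raise ValueError("unexpected host attribute: %r" % (host_attr,))
    return getattr(test_obj, host_attr)


if __name__ == "__main__":
    print(replica_ruv_ids(SAMPLE_LIST_RUV, "replica1.example.test"))
```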
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158
Title: #158: WebUI: update Patternfly and Bootstrap

redhatrises commented:
"""
@pvomacka should this use the patternfly RPM rather than having the code copied here as well? See https://www.redhat.com/archives/patternfly/2014-July/msg00017.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-253200408
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
Hi Martin,

After extensive discussion with Ludwig, I finally got a clue on how this feature works. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all of the replica's RUVs. If we clean the replica's RUVs on the master without uninstalling the replica, the replica's RUVs get recreated on the master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from the master.

The testcases were updated, see [1] and [2].
The updated versions of the patches are attached.

[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand

On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:
Hi Martin, Thanks for the review! Both patches were updated.
On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:
Hi Martin, Thanks for the review!
On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:
Hi guys, Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.
On 06/17/2016 11:18 AM, Oleg Fayans wrote:
One more test was added to the patch-0048
On 06/17/2016 09:43 AM, Oleg Fayans wrote:
Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
On 06/16/2016 04:46 PM, Oleg Fayans wrote:

IIUC, this will turn off the machine completely, how is cleanup done then? AFAIK our tests cannot turn on the machine again and run cleanup, so you will not be able to run more tests on the same topology without manual cleanup and manual start.
+replica = self.replicas[0] +replica.run_command(['poweroff']) IMO would be better to just call 'ipactl stop' instead of 'poweroff' Agreed! Fixed. Martin^2 *Automated ipa-replica-manage del tests* 1) +replica.run_command(['ipactl', 'stop']) +time.sleep(3) Why do you need sleep here? Removed, it was left from the old "poweroff" approach 2) +ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname) +replica_ruvs = ruvid_re.findall(result.stdout_text) +master.run_command(['ipa-replica-manage', 'clean-ruv', 'f', +'-p', master.config.dirman_password, +replica_ruvs[0]]) Because you are using re.findall(), without any match you will receive IndexError here replica_ruvs[0]. IMO it deserves assert before Implemented the assert which checks that the output contains enough replica RUVs 3) assert(replica.hostname in result1.stdout_text) I think that this is error prone. What if there is just error 'could not connect to replica ', or something similar. instead of listing/cleaning/whatever operation was executed. I think that it should be more specific regexp than just finding a replica name substring (Yes In IPA we dont always print error so stderr) I'm not sure, but probably there might be cases when non critical error happen and exist status is still 0 Agree. Implemented a regex-based search 4) +replica.run_command(['poweroff']) +time.sleep(3) There should not be poweroff, probably sleep could be removed too. Gone * Automated clean-ruv subcommand test* 1) PEP8, 2 new lines expected ./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0 ./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters) Fixed 2) I dont like doing assert just with count of occurences of substring in STDOUT, would be possible to improve this somehow? Maybe, but frankly, I don't see how. In this case we are making sure that both simple and CA-specific RUVs of a replica are displayed. 
The format of the output is strict: Replica Update Vectors: replica1_hostname:389: RUV_id replica2_hostname:389: RUV_id Certificate Server Replica Update Vectors: replica1_hostname:389: RUV_id replica2_hostname:389: RUV_id If we do not see 2 occurrences of the replica hostname than definitely something went wrong 3) I'm not sure if clean-ruv is instant operations or there is some magic happening in background (we have abort-clean-ruv). Maybe some sleep should be there, but this needs investigation. +assert(replica.hostname in result2.stdout_text), ( +"The wrong RUV was deleted") +result3 = master.run_command(['ipa-replica-manage', 'list-ruv', + '-p', master.config.dirman_password]) +assert(result3.stdout_text.count(replica.hostname) == 1), ( +"CA RUV of the
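Review bot: in `ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)` the hostname is interpolated into the pattern unescaped, so every dot in it matches any character, and `\d` sits in a non-raw string literal; build the pattern from a raw string with `re.escape(replica.hostname)`. In the same `run_command` call the `'f'` argument after `'clean-ruv'` has no leading dash, unlike `'-p'`; if the force option is intended it should read `'-f'`.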
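The stricter check asked for in point 2 of the thread above can be done by parsing the `list-ruv` output into its two sections instead of counting hostname substrings. This is an added example, not part of the patch or of FreeIPA's test suite; the function names, the `.ipa.test` hostnames and the error line are constructed, and the output layout is the one quoted in the thread.

```python
import re

# Section headers, as quoted in the thread above.
DOMAIN_HEADER = "Replica Update Vectors:"
CA_HEADER = "Certificate Server Replica Update Vectors:"

# One RUV entry: "<hostname>:<port>: <RUV_id>", e.g. "replica1.ipa.test:389: 5".
RUV_ENTRY = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s+(?P<ruv>\d+)\s*$"
)


def parse_list_ruv(stdout_text):
    """Return {section header: {hostname: [RUV ids]}} for list-ruv output.

    Lines that are neither a known header nor a well-formed RUV entry
    (error messages, blank lines) are ignored, so a hostname that only
    shows up inside an error string never counts as a listed RUV.
    """
    sections = {DOMAIN_HEADER: {}, CA_HEADER: {}}
    current = None
    for line in stdout_text.splitlines():
        header = line.strip()
        if header in sections:
            current = header
            continue
        entry = RUV_ENTRY.match(line)
        if entry is None or current is None:
            continue
        host_ruvs = sections[current].setdefault(entry.group("host"), [])
        host_ruvs.append(int(entry.group("ruv")))
    return sections


def replica_ruvs(stdout_text, hostname):
    """Return (domain RUV ids, CA RUV ids) listed for exactly `hostname`."""
    parsed = parse_list_ruv(stdout_text)
    return (
        parsed[DOMAIN_HEADER].get(hostname, []),
        parsed[CA_HEADER].get(hostname, []),
    )


# Constructed sample outputs (not captured from a real deployment).
OUTPUT_BOTH = """\
Replica Update Vectors:
    master.ipa.test:389: 4
    replica1.ipa.test:389: 5
Certificate Server Replica Update Vectors:
    master.ipa.test:389: 6
    replica1.ipa.test:389: 7
"""

OUTPUT_CA_CLEANED = """\
Replica Update Vectors:
    master.ipa.test:389: 4
    replica1.ipa.test:389: 5
Certificate Server Replica Update Vectors:
    master.ipa.test:389: 6
"""

# The hostname appears once, but only inside an error message.
OUTPUT_ERROR = "unable to list RUVs: cannot connect to replica1.ipa.test\n"

# The hostname appears once, but only as a substring of another host.
OUTPUT_LOOKALIKE = """\
Replica Update Vectors:
    master.ipa.test:389: 4
    old-replica1.ipa.test:389: 9
Certificate Server Replica Update Vectors:
    master.ipa.test:389: 6
"""

if __name__ == "__main__":
    host = "replica1.ipa.test"
    for name, text in [
        ("both", OUTPUT_BOTH),
        ("ca cleaned", OUTPUT_CA_CLEANED),
        ("error", OUTPUT_ERROR),
        ("lookalike", OUTPUT_LOOKALIKE),
    ]:
        print(name, "substring count:", text.count(host),
              "parsed:", replica_ruvs(text, host))
```

The last two samples both satisfy a `count(hostname) == 1` assertion although no RUV of the replica is listed, which is the false positive the section-aware check avoids.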
[Freeipa-devel] [freeipa PR#157][comment] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

mzidek-rh commented:
"""
Sure, that was a copy paste mistake in itself :) . Patch updated.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/157#issuecomment-253193300
[Freeipa-devel] [freeipa PR#157][synchronized] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157 Author: mzidek-rh Title: #157: git: Add commit template Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/157/head:pr157 git checkout pr157 From 3e6b55ffc271c08f66b19a8b3fcfbc430a570a84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?=Date: Wed, 12 Oct 2016 13:28:18 +0200 Subject: [PATCH] git: Add commit template In order to use the commit template, run the following command: git config commit.template .git-commit-template --- .git-commit-template | 9 + 1 file changed, 9 insertions(+) create mode 100644 .git-commit-template diff --git a/.git-commit-template b/.git-commit-template new file mode 100644 index 000..a5818a3 --- /dev/null +++ b/.git-commit-template @@ -0,0 +1,9 @@ +COMPONENT: Subject + +Explanation + +Resolves: +https://fedorahosted.org/freeipa/ticket/ + +# Try to keep the subject line within 52 chars | +# Also please try to not exceed 72 characters of length for the body --| -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
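Review bot: the placeholder lines in the new `.git-commit-template` (`COMPONENT: Subject`, `Explanation`, `Resolves:` and the bare `https://fedorahosted.org/freeipa/ticket/` prefix) are not `#` comments, so any of them a contributor forgets to overwrite ends up in the commit message, for example a ticket URL with no number; consider making the guidance `#` comment lines like the two length hints at the bottom. The `git config commit.template .git-commit-template` step is documented only in this commit message, so it is worth repeating as a comment in the template itself or in the contributor documentation.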
[Freeipa-devel] [freeipa PR#157][comment] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

martbab commented:
"""
Could you please change the link in the template to: https://fedorahosted.org/freeipa/ticket/ just to avoid copy-paste errors when filling in ticket No.?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/157#issuecomment-253191997
[Freeipa-devel] [freeipa PR#157][comment] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

mzidek-rh commented:
"""
This is the same commit template we use in SSSD. Maybe it will be helpful for FreeIPA too.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/157#issuecomment-253190654
[Freeipa-devel] [freeipa PR#157][opened] git: Add commit template
URL: https://github.com/freeipa/freeipa/pull/157 Author: mzidek-rh Title: #157: git: Add commit template Action: opened PR body: """ In order to use the commit template, run the following command: git config commit.template .git-commit-template """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/157/head:pr157 git checkout pr157 From a9a889b57b2df63629a3e3a3ddb5cca7d2ed1c46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?=Date: Wed, 12 Oct 2016 13:28:18 +0200 Subject: [PATCH] git: Add commit template In order to use the commit template, run the following command: git config commit.template .git-commit-template --- .git-commit-template | 9 + 1 file changed, 9 insertions(+) create mode 100644 .git-commit-template diff --git a/.git-commit-template b/.git-commit-template new file mode 100644 index 000..8648238 --- /dev/null +++ b/.git-commit-template @@ -0,0 +1,9 @@ +COMPONENT: Subject + +Explanation + +Resolves: +https://fedorahosted.org/sssd/ticket/ + +# Try to keep the subject line within 52 chars | +# Also please try to not exceed 72 characters of length for the body --| -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
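Review bot: the `Resolves:` line in the new `.git-commit-template` is followed by `https://fedorahosted.org/sssd/ticket/`, which is the SSSD tracker path, while the template is being added to the FreeIPA repository; it should point at `https://fedorahosted.org/freeipa/ticket/` so that a pasted ticket number resolves to a FreeIPA ticket.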
[Freeipa-devel] [freeipa PR#156][opened] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156 Author: jcholast Title: #156: cert: add revocation reason back to cert-find output Action: opened PR body: """ In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were accidentally removed from cert-find output. In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and `revoked` were added back. Add back `revocation_reason` as well. https://fedorahosted.org/freeipa/ticket/6269 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/156/head:pr156 git checkout pr156 From 149d5ea68acf1bb003e3dbc3bcac6d9f2e4b4e7e Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Wed, 12 Oct 2016 12:58:46 +0200 Subject: [PATCH] cert: add revocation reason back to cert-find output In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were accidentally removed from cert-find output. In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and `revoked` were added back. Add back `revocation_reason` as well. https://fedorahosted.org/freeipa/ticket/6269 --- ipaserver/plugins/cert.py | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index e65cf1f..d13974e 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py 
@@ -1231,16 +1231,17 @@ def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options): obj = {'serial_number': serial_number} else: obj = ra_obj -obj['issuer'] = issuer -obj['subject'] = DN(ra_obj['subject']) -obj['revoked'] = ( -ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) - if all: -ra_obj = ra.get_certificate(str(serial_number)) -if not raw: +obj.update(ra.get_certificate(str(serial_number))) + +if not raw: +obj['issuer'] = issuer +obj['subject'] = DN(ra_obj['subject']) +obj['revoked'] = ( +ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) +if all: obj['certificate'] = ( -ra_obj['certificate'].replace('\r\n', '')) +obj['certificate'].replace('\r\n', '')) self.obj._parse(obj) obj['cacn'] = ca_obj['cn'][0] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
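Review bot: the commit message only mentions `revocation_reason`, but the hunk in `_ca_search` also moves the `issuer`, `subject` and `revoked` assignments under the new `if not raw:` branch, which changes what `--raw` returns; please state that in the message. Note also that after `obj = ra_obj` the added `obj.update(ra.get_certificate(str(serial_number)))` modifies `ra_obj` in place, while the following lines still read `ra_obj['subject']` and `ra_obj['status']`; reading both from `obj`, or copying with `obj = dict(ra_obj)`, would make it clear which data is meant.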
[Freeipa-devel] [freeipa PR#155][synchronized] Build system cleanup
URL: https://github.com/freeipa/freeipa/pull/155 Author: pspacek Title: #155: Build system cleanup Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/155/head:pr155 git checkout pr155 From e641d9cf9b9e596bd335f89080eaf79d019fee73 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Wed, 12 Oct 2016 10:52:43 +0200 Subject: [PATCH 1/7] Build: add missing KRB5_LIBS to daemons/ipa-otpd It was working accidentally because krb5 libs are part of OPENLDAP_LIBS. --- daemons/ipa-otpd/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..946b882 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -1,5 +1,5 @@ -AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ +AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@ +AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ @KRB5_LIBS@ noinst_HEADERS = internal.h libexec_PROGRAMS = ipa-otpd From f6feb2765f66ad3cf64849a2b508229e2802c23b Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 12 Oct 2016 10:57:57 +0200 Subject: [PATCH 2/7] Build: modernize Kerberos library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. libkrad does not have package config file so we keep the old way here. --- daemons/configure.ac | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 5c5a104..1d0209d 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -54,15 +54,11 @@ dnl --- dnl - Check for KRB5 dnl --- -AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([krb5.h not found])]) +PKG_CHECK_MODULES([KRB5], [krb5], [], [AC_MSG_ERROR([libkrb5 not found])]) AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krb5, main, [], [AC_MSG_ERROR([libkrb5 not found])]) -AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto]) AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) -KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err" KRAD_LIBS="-lkrad" krb5rundir="${localstatedir}/run/krb5kdc" -AC_SUBST(KRB5_LIBS) AC_SUBST(KRAD_LIBS) AC_SUBST(krb5rundir) From 2d7bb09e5a161cba81881b9be375b801bb280d48 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 12 Oct 2016 10:58:22 +0200 Subject: [PATCH 3/7] Build: modernize UUID library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. --- daemons/configure.ac | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 1d0209d..34773f9 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -135,10 +135,7 @@ AC_SUBST(SSL_LIBS) dnl --- dnl - Check for UUID library dnl --- -AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([uuid/uuid.h not found])]) - -AC_CHECK_LIB(uuid, uuid_generate_time, [UUID_LIBS="-luuid"]) -AC_SUBST(UUID_LIBS) +PKG_CHECK_MODULES([UUID], [uuid], [], [AC_MSG_ERROR([libuuid not found])]) dnl --- dnl - Check for Python From 2855f61fda02c9ba00d1ebcbfd1c1cb7b1e5a3f0 Mon Sep 17 00:00:00 2001 
From: Petr Spacek Date: Wed, 12 Oct 2016 11:01:02 +0200 Subject: [PATCH 4/7] Build: modernize crypto library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. --- daemons/configure.ac| 9 ++--- daemons/ipa-sam/Makefile.am | 3 ++- daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 4 ++-- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 34773f9..958f01c 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -125,12 +125,7 @@ AC_SUBST(LDAP_LIBS) dnl --- dnl - Check for OpenSSL Crypto library dnl ---
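Review bot: patch 1/7 adds `@KRB5_CFLAGS@` to `AM_CFLAGS` in `daemons/ipa-otpd/Makefile.am`, but the `configure.ac` lines visible in 2/7 show only `KRB5_LIBS` being set and `AC_SUBST`ed before `PKG_CHECK_MODULES([KRB5], ...)` is introduced; unless `KRB5_CFLAGS` is substituted elsewhere, the tree at 1/7 has an unexpanded `@KRB5_CFLAGS@`, so either swap the two patches or add the CFLAGS in 2/7 to keep the series bisectable. Separately, the libraries are appended to `AM_LDFLAGS`, which puts them before the object files on the link line; library flags normally belong in `ipa_otpd_LDADD`.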
[Freeipa-devel] [freeipa PR#154][+pushed] [ipa-4-4] Rebase: Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/154
Title: #154: [ipa-4-4] Rebase: Tests: Fix cert revocation tests
Label: +pushed
[Freeipa-devel] [freeipa PR#154][closed] [ipa-4-4] Rebase: Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/154
Author: mirielka
Title: #154: [ipa-4-4] Rebase: Tests: Fix cert revocation tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/154/head:pr154
git checkout pr154
[Freeipa-devel] [freeipa PR#154][comment] [ipa-4-4] Rebase: Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/154
Title: #154: [ipa-4-4] Rebase: Tests: Fix cert revocation tests

mbasti-rh commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/afabdd365a35e0e454997ff021152422bcbcf785
https://fedorahosted.org/freeipa/changeset/c8cdc6a9e6cf68f67d2e8df5aa7b22e13c26
"""

See the full comment at https://github.com/freeipa/freeipa/pull/154#issuecomment-253180869
[Freeipa-devel] [freeipa PR#154][+ack] [ipa-4-4] Rebase: Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/154
Title: #154: [ipa-4-4] Rebase: Tests: Fix cert revocation tests
Label: +ack
Re: [Freeipa-devel] HBAC for AD users Active Directory trust setup
On Wed, 12 Oct 2016, rajat gupta wrote:
> Hi,
>
> thank you for answering.
>
> In this case I need to create multiple groups on the AD side, like user1 has only "server1.example.com" and "server2.example.com" access and some other user has some other server access. Then only my HBAC rule will be implemented for a particular group, and every time I need to add a user on the AD side to a particular group if I want to give some other server access to the user. And I don't want to do it like this.

It is up to you what you want to implement. The means are all there. But read my responses on the freeipa-users@ to understand why we implemented it this way.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] HBAC for AD users Active Directory trust setup
Hi,

thank you for answering.

In this case I need to create multiple groups on the AD side, like user1 has only "server1.example.com" and "server2.example.com" access and some other user has some other server access. Then only my HBAC rule will be implemented for a particular group, and every time I need to add a user on the AD side to a particular group if I want to give some other server access to the user. And I don't want to do it like this.

On Wed, Oct 12, 2016 at 11:05 AM, Alexander Bokovoy wrote:

> On Wed, 12 Oct 2016, rajat gupta wrote:
>
>> Hi,
>>
>> Normally HBAC for AD users should be done through an external group.
>>
> You should use freeipa-users@ mailing list for these questions.
>
> And start with documentation:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html
>
>> So for example if we have 500+ users on AD and only 100 users are
>> administrators and they have Linux server access.
>>
>> I want to set the HBAC and sudo rules for users. So users have correct
>> server access and sudo rights and I am using the *Active Directory
>> trust setup*
>>
>> In this case I need to add all of the 100 users in FreeIPA as external
>> group.
>>
>> for example :- user1 user name in AD
>>
>> *user1-external* external group in IPA for trusted domain users
>> *user1 :- *POSIX group for external
>>
> No, you don't need to do that. All you need to do is to create a group
> on AD side where your users to access Linux systems would be added and
> then add that group to the external group on IPA side.
>
>> Do we have a document for implementing the HBAC and Sudo Rules for external
>> group?
>>
> See above documentation and discussions on freeipa-users@ mailing list.
>
> --
> / Alexander Bokovoy
>

--
*Rajat Gupta *
[Freeipa-devel] [freeipa PR#155][opened] Build system cleanup
URL: https://github.com/freeipa/freeipa/pull/155 Author: pspacek Title: #155: Build system cleanup Action: opened PR body: """ This is first step in build system refactoring effort. This patch set contains cleanup patches for daemons/configure.ac. After the cleanup, the file will be "promoted" to top-level configure.ac and merged with other configure.ac files in subdirectories. I did not touch other configure.ac files on purpose as these mostly duplicate daemons/configure.ac and will be simply dropped later on. From functional perspective, there should not be any visible changes. FreeIPA should build as before, using the same horrible Makefile. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/155/head:pr155 git checkout pr155 From e641d9cf9b9e596bd335f89080eaf79d019fee73 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Wed, 12 Oct 2016 10:52:43 +0200 Subject: [PATCH 1/6] Build: add missing KRB5_LIBS to daemons/ipa-otpd It was working accidentally because krb5 libs are part of OPENLDAP_LIBS. --- daemons/ipa-otpd/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..946b882 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -1,5 +1,5 @@ -AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ +AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ @KRB5_CFLAGS@ +AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ @KRB5_LIBS@ noinst_HEADERS = internal.h libexec_PROGRAMS = ipa-otpd From f6feb2765f66ad3cf64849a2b508229e2802c23b Mon Sep 17 00:00:00 2001 
From: Petr Spacek Date: Wed, 12 Oct 2016 10:57:57 +0200 Subject: [PATCH 2/6] Build: modernize Kerberos library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. libkrad does not have package config file so we keep the old way here. --- daemons/configure.ac | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 5c5a104..1d0209d 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac @@ -54,15 +54,11 @@ dnl --- dnl - Check for KRB5 dnl --- -AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([krb5.h not found])]) +PKG_CHECK_MODULES([KRB5], [krb5], [], [AC_MSG_ERROR([libkrb5 not found])]) AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krb5, main, [], [AC_MSG_ERROR([libkrb5 not found])]) -AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto]) AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) -KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err" KRAD_LIBS="-lkrad" krb5rundir="${localstatedir}/run/krb5kdc" -AC_SUBST(KRB5_LIBS) AC_SUBST(KRAD_LIBS) AC_SUBST(krb5rundir) From 2d7bb09e5a161cba81881b9be375b801bb280d48 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 12 Oct 2016 10:58:22 +0200 Subject: [PATCH 3/6] Build: modernize UUID library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. --- daemons/configure.ac | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/daemons/configure.ac b/daemons/configure.ac index 1d0209d..34773f9 100644 --- a/daemons/configure.ac +++ b/daemons/configure.ac 
@@ -135,10 +135,7 @@ AC_SUBST(SSL_LIBS) dnl --- dnl - Check for UUID library dnl --- -AC_CHECK_HEADERS(uuid/uuid.h,,[AC_MSG_ERROR([uuid/uuid.h not found])]) - -AC_CHECK_LIB(uuid, uuid_generate_time, [UUID_LIBS="-luuid"]) -AC_SUBST(UUID_LIBS) +PKG_CHECK_MODULES([UUID], [uuid], [], [AC_MSG_ERROR([libuuid not found])]) dnl --- dnl - Check for Python From 2855f61fda02c9ba00d1ebcbfd1c1cb7b1e5a3f0 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 12 Oct 2016 11:01:02 +0200 Subject: [PATCH 4/6] Build: modernize crypto library detection Use package config instead of checking headers. Package config is faster because it does not invoke compiler and guarantees proper linking flags because these are provided by package maintainer instead of hardcoded into build system. --- daemons/configure.ac| 9 ++---
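Review bot: in patch 2/6 the `daemons/configure.ac` hunk drops `KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"` together with the `k5crypto`/`crypto` fallback and relies on whatever `krb5.pc` reports; please confirm that every target consuming `@KRB5_LIBS@` that calls k5crypto or com_err functions directly still links, or say in the commit message that this was checked. The custom `AC_MSG_ERROR([libkrb5 not found])` in the fourth argument of `PKG_CHECK_MODULES` (and the matching `libuuid not found` in 3/6) also replaces the macro's default failure text, which is more detailed; leaving that argument empty keeps the better diagnostic.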
[Freeipa-devel] [freeipa PR#153][closed] [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
URL: https://github.com/freeipa/freeipa/pull/153
Author: martbab
Title: #153: [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/153/head:pr153
git checkout pr153
[Freeipa-devel] [freeipa PR#153][comment] [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
URL: https://github.com/freeipa/freeipa/pull/153
Title: #153: [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1

mbasti-rh commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/2b2fc1abf1844b807e50b99f0912fa10d9169eca
"""

See the full comment at https://github.com/freeipa/freeipa/pull/153#issuecomment-253161249
[Freeipa-devel] [freeipa PR#153][+pushed] [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
URL: https://github.com/freeipa/freeipa/pull/153
Title: #153: [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
Label: +pushed
[Freeipa-devel] [freeipa PR#153][+ack] [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
URL: https://github.com/freeipa/freeipa/pull/153
Title: #153: [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
Label: +ack
Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package
On 10.10.2016 10:28, Martin Basti wrote:
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6
>
> Please set karma accordingly
>
> Traceback:
>
> ...
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", line 426, in update_dns_records
>     self.update_base_records(),
>   File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", line 377, in update_base_records
>     base_zone = self.get_base_records()
>   File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", line 328, in get_base_records
>     include_kerberos_realm=include_kerberos_realm
>   File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", line 179, in _add_base_dns_records_for_server
>     self.__add_kerberos_txt_rec(zone_obj)
>   File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", line 165, in __add_kerberos_txt_rec
>     rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
>   File "/usr/lib/python2.7/site-packages/dns/rdataset.py", line 129, in add
>     super(Rdataset, self).add(rd)
>   File "/usr/lib/python2.7/site-packages/dns/set.py", line 49, in add
>     if item not in self.items:
>   File "/usr/lib/python2.7/site-packages/dns/rdata.py", line 217, in __eq__
>     return self._cmp(other) == 0
>   File "/usr/lib/python2.7/site-packages/dns/rdata.py", line 203, in _cmp
>     our = self.to_digestable(dns.name.root)
>   File "/usr/lib/python2.7/site-packages/dns/rdata.py", line 174, in to_digestable
>     self.to_wire(f, None, origin)
>   File "/usr/lib/python2.7/site-packages/dns/rdtypes/txtbase.py", line 75, in to_wire
>     file.write(s)
>
> 2016-10-10T04:44:05Z DEBUG The ipa-replica-install command failed, exception: TypeError: 'unicode' does not have the buffer interface
> 2016-10-10T04:44:05Z ERROR 'unicode' does not have the buffer interface
>
> I'll investigate if IPA is using it wrong or there is a new error introduced in python-dns

For archaeologists: Fix https://github.com/freeipa/freeipa/pull/150 was merged.

--
Petr^2 Spacek
Re: [Freeipa-devel] HBAC for AD users Active Directory trust setup
On Wed, 12 Oct 2016, rajat gupta wrote:
> Hi,
>
> Normally HBAC for AD users should be done through an external group.

You should use freeipa-users@ mailing list for these questions.

And start with documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html

> So for example if we have 500+ users on AD and only 100 users are administrators and they have Linux server access.
>
> I want to set the HBAC and sudo rules for users. So users have correct server access and sudo rights and I am using the *Active Directory trust setup*
>
> In this case I need to add all of the 100 users in FreeIPA as external group.
>
> for example :- user1 user name in AD
>
> *user1-external* external group in IPA for trusted domain users
> *user1 :- *POSIX group for external

No, you don't need to do that. All you need to do is to create a group on AD side where your users to access Linux systems would be added and then add that group to the external group on IPA side.

> Do we have a document for implementing the HBAC and Sudo Rules for external group?

See above documentation and discussions on freeipa-users@ mailing list.

--
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#154][opened] [ipa-4-4] Rebase: Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/154 Author: mirielka Title: #154: [ipa-4-4] Rebase: Tests: Fix cert revocation tests Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/154/head:pr154 git checkout pr154 From e6558c65188d1fa5003de24e29e64ea6be0f2bfb Mon Sep 17 00:00:00 2001 From: Lenka DoudovaDate: Thu, 6 Oct 2016 08:51:03 +0200 Subject: [PATCH 1/2] Tests: Remove invalid certplugin tests A bunch of certplugin tests were testing number of revoked certificates with various revocation reasons. Since existence of revoked certificates often depends on other parts of IdM than IPA, it is not really valid to check their presence unless creation of revoked certificate is intentionally tested. https://fedorahosted.org/freeipa/ticket/6349 --- ipatests/test_xmlrpc/test_cert_plugin.py | 75 +--- 1 file changed, 1 insertion(+), 74 deletions(-) diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 2598e0b..70cef5d 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py 
@@ -296,80 +296,7 @@ def test_0006_find_this_short_host_exact(self): res = api.Command['cert_find'](subject=self.short, exactly=True) assert 'count' in res and res['count'] == 0 -def test_0007_find_revocation_reason_0(self): -""" -Find all certificates with revocation reason 0 -""" -res = api.Command['cert_find'](revocation_reason=0) -assert 'count' in res and res['count'] == 0 - -def test_0008_find_revocation_reason_1(self): -""" -Find all certificates with revocation reason 1 -""" -res = api.Command['cert_find'](revocation_reason=1) -assert 'count' in res and res['count'] == 0 - -def test_0009_find_revocation_reason_2(self): -""" -Find all certificates with revocation reason 2 -""" -res = api.Command['cert_find'](revocation_reason=2) -assert 'count' in res and res['count'] == 0 - -def test_0010_find_revocation_reason_3(self): -""" -Find all certificates with revocation reason 3 -""" -res = api.Command['cert_find'](revocation_reason=3) -assert 'count' in res and res['count'] == 0 - -def test_0011_find_revocation_reason_4(self): -""" -Find all certificates with revocation reason 4 - -There is no way to know in advance how many revoked certificates -we'll have but in the context of make-test we'll have at least one. 
-""" -res = api.Command['cert_find'](revocation_reason=4) -assert 'count' in res and res['count'] >= 1 - -def test_0012_find_revocation_reason_5(self): -""" -Find all certificates with revocation reason 5 -""" -res = api.Command['cert_find'](revocation_reason=5) -assert 'count' in res and res['count'] == 0 - -def test_0013_find_revocation_reason_6(self): -""" -Find all certificates with revocation reason 6 -""" -res = api.Command['cert_find'](revocation_reason=6) -assert 'count' in res and res['count'] == 0 - -# There is no revocation reason #7 - -def test_0014_find_revocation_reason_8(self): -""" -Find all certificates with revocation reason 8 -""" -res = api.Command['cert_find'](revocation_reason=8) -assert 'count' in res and res['count'] == 0 - -def test_0015_find_revocation_reason_9(self): -""" -Find all certificates with revocation reason 9 -""" -res = api.Command['cert_find'](revocation_reason=9) -assert 'count' in res and res['count'] == 0 - -def test_0016_find_revocation_reason_10(self): -""" -Find all certificates with revocation reason 10 -""" -res = api.Command['cert_find'](revocation_reason=10) -assert 'count' in res and res['count'] == 0 +# tests 0007 to 0016 removed def test_0017_find_by_issuedon(self): """ From a9050a73d0d76917b689f27670455855cca9f6c8 Mon Sep 17 00:00:00 2001 From: Lenka Doudova Date: Tue, 11 Oct 2016 11:33:16 +0200 Subject: [PATCH 2/2] Tests: Certificate revocation Providing tests for certificate revocation to replace deleted tests from test_cert_find. https://fedorahosted.org/freeipa/ticket/6349 --- ipatests/test_xmlrpc/test_cert_plugin.py | 80 ++-- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py index 70cef5d..02750c0 100644 --- a/ipatests/test_xmlrpc/test_cert_plugin.py +++ b/ipatests/test_xmlrpc/test_cert_plugin.py @@ -78,12 +78,11 @@ def is_db_configured(): # running as the lite-server.
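Review bot: The added placeholder `+# tests 0007 to 0016 removed` in the `@@ -296,80 +296,7 @@` hunk of patch 1/2 records history that git already keeps, and it leaves a numbering gap between `test_0006_find_this_short_host_exact` and `test_0017_find_by_issuedon` with no reason given in the file. Either drop the comment or make it say why, for example that counts of revoked certificates depend on state outside the test, as the commit message explains. With this hunk applied, nothing visible here still calls `cert_find` with `revocation_reason`, so the replacement tests in patch 2/2 should revoke a certificate with a known reason themselves and then assert that `cert_find(revocation_reason=...)` returns it, rather than relying on pre-existing state as the removed `test_0011` did with `res['count'] >= 1`.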
[Freeipa-devel] [freeipa PR#153][opened] [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1
URL: https://github.com/freeipa/freeipa/pull/153 Author: martbab Title: #153: [ipa-4-4 only] disable warnings reported by pylint-1.6.4-1 Action: opened PR body: """ Pylint shipped in Fedora 25 reports 'trailing-newlines' and 'consider-iterating-dictionary' warnings which break FreeIPA builds. On ipa-4-4 branch it is safer to just disable these warnings so as to not mess with code considered stable https://fedorahosted.org/freeipa/ticket/6391 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/153/head:pr153 git checkout pr153 From e59b7670bbd468107d6a7e90c593aa5b974a3bc3 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Wed, 12 Oct 2016 10:52:46 +0200 Subject: [PATCH] disable warnings reported by pylint-1.6.4-1 Pylint shipped in Fedora 25 reports 'trailing-newlines' and 'consider-iterating-dictionary' warnings which break FreeIPA builds. On ipa-4-4 branch it is safer to just disable these warnings so as to not mess with code considered stable https://fedorahosted.org/freeipa/ticket/6391 --- pylintrc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pylintrc b/pylintrc index bb9c636..085e62a 100644 --- a/pylintrc +++ b/pylintrc @@ -87,7 +87,9 @@ disable= misplaced-comparison-constant, unneeded-not, not-a-mapping, -singleton-comparison +singleton-comparison, +trailing-newlines, +consider-iterating-dictionary [REPORTS] -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
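Review bot: The two entries appended to the `disable=` list in `pylintrc` carry no in-file explanation, so once merged they are indistinguishable from deliberate long-term suppressions. A short comment above the `disable=` option naming pylint-1.6.4-1 and ticket 6391 would make it clear that `trailing-newlines` and `consider-iterating-dictionary` were switched off only to keep ipa-4-4 building. The suppression is also global, so new code landing on this branch will not be checked for either warning.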
[Freeipa-devel] HBAC for AD users Active Directory trust setup
Hi,

Normally HBAC for AD users should be done through an external group.

So for example if we have 500+ users on AD and only 100 users are administrators and they have Linux server access. I want to set the HBAC and sudo rules for users. So users have correct server access and sudo rights and I am using the *Active Directory trust setup*.

In this case I need to add all of the 100 users in FreeIPA as external group.

for example :-
user1 user name in AD
*user1-external* external group in IPA for trusted domain users
*user1 :- *POSIX group for external

Do we have a document for implementing the HBAC and Sudo Rules for external group? Or is there any other best way to implement the HBAC and Sudo Rules on AD users?

--
*Rajat Gupta*
[Freeipa-devel] [freeipa PR#137][+pushed] Test: disabled wrong client domain tests for domlevel 0
URL: https://github.com/freeipa/freeipa/pull/137
Title: #137: Test: disabled wrong client domain tests for domlevel 0
Label: +pushed
[Freeipa-devel] [freeipa PR#137][closed] Test: disabled wrong client domain tests for domlevel 0
URL: https://github.com/freeipa/freeipa/pull/137
Author: ofayans
Title: #137: Test: disabled wrong client domain tests for domlevel 0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/137/head:pr137
git checkout pr137
[Freeipa-devel] [freeipa PR#137][comment] Test: disabled wrong client domain tests for domlevel 0
URL: https://github.com/freeipa/freeipa/pull/137
Title: #137: Test: disabled wrong client domain tests for domlevel 0

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8b0faa25d1c47f605bc6c91933469bb2370276c1
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/1a27d3037fa6fbbddcdfb08fe41690bf534e6f7b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/137#issuecomment-253156632
[Freeipa-devel] [freeipa PR#140][closed] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Author: mirielka
Title: #140: Tests: Fix cert revocation tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/140/head:pr140
git checkout pr140
[Freeipa-devel] [freeipa PR#140][+pushed] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Fix cert revocation tests
Label: +pushed
[Freeipa-devel] [freeipa PR#140][comment] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Fix cert revocation tests

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c9c92e3a7f4961d91e0395daf17f5aeb34c20178
https://fedorahosted.org/freeipa/changeset/8f04d1a793b8ff01804bc03eac9b7aaa4f7a7f78
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-253154795
[Freeipa-devel] [freeipa PR#140][comment] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Fix cert revocation tests

mbasti-rh commented:
"""
`Tests: Certificate revocation` doesn't apply to ipa-4-4 branch, please open separate PR against IPA 4.4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-253154655
[Freeipa-devel] [freeipa PR#142][comment] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fb85230e25bd37a2a02a9d90793f337aad40a037
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/1b6ba5283e4980da7bd5f1d98b5518062a4c61ad
"""

See the full comment at https://github.com/freeipa/freeipa/pull/142#issuecomment-253154169
[Freeipa-devel] [freeipa PR#142][closed] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142
Author: dkupka
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/142/head:pr142
git checkout pr142
[Freeipa-devel] [freeipa PR#142][+pushed] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
Label: +pushed
[Freeipa-devel] [freeipa PR#152][+pushed] Fix warnings reported by pylint in rawhide
URL: https://github.com/freeipa/freeipa/pull/152
Title: #152: Fix warnings reported by pylint in rawhide
Label: +pushed
[Freeipa-devel] [freeipa PR#152][closed] Fix warnings reported by pylint in rawhide
URL: https://github.com/freeipa/freeipa/pull/152
Author: martbab
Title: #152: Fix warnings reported by pylint in rawhide
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/152/head:pr152
git checkout pr152
[Freeipa-devel] [freeipa PR#152][comment] Fix warnings reported by pylint in rawhide
URL: https://github.com/freeipa/freeipa/pull/152
Title: #152: Fix warnings reported by pylint in rawhide

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/29829cc55a6be697abf881ea7867ef834bb66be7
https://fedorahosted.org/freeipa/changeset/71f642f75132fe30b40062ce5abc8558a275b9bb
"""

See the full comment at https://github.com/freeipa/freeipa/pull/152#issuecomment-253153404
[Freeipa-devel] [freeipa PR#142][+ack] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142
Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
Label: +ack
[Freeipa-devel] [freeipa PR#140][comment] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Fix cert revocation tests

pvomacka commented:
"""
Works correctly. ACK
"""

See the full comment at https://github.com/freeipa/freeipa/pull/140#issuecomment-253139511
[Freeipa-devel] [freeipa PR#140][+ack] Tests: Fix cert revocation tests
URL: https://github.com/freeipa/freeipa/pull/140
Title: #140: Tests: Fix cert revocation tests
Label: +ack
[Freeipa-devel] [freeipa PR#152][+ack] Fix warnings reported by pylint in rawhide
URL: https://github.com/freeipa/freeipa/pull/152
Title: #152: Fix warnings reported by pylint in rawhide
Label: +ack
[Freeipa-devel] [freeipa PR#142][synchronized] CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling
URL: https://github.com/freeipa/freeipa/pull/142 Author: dkupka Title: #142: CheckedIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/142/head:pr142 git checkout pr142 From b2d757c0656f1883125f7ed42d9763031b7f8acb Mon Sep 17 00:00:00 2001 From: David KupkaDate: Thu, 6 Oct 2016 13:31:52 +0200 Subject: [PATCH] UnsafeIPAddress: Implement __(g|s)etstate__ and to ensure proper (un)pickling Missing attributes in instance created by pickle.load cause AttributeError in second part of ipa-server-install --external-ca. https://fedorahosted.org/freeipa/ticket/6385 --- ipapython/ipautil.py | 22 ++ 1 file changed, 22 insertions(+) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 41544a1..6aeb7f9 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -127,6 +127,17 @@ def __init__(self, addr): super(UnsafeIPAddress, self).__init__(addr, flags=self.netaddr_ip_flags) +def __getstate__(self): +state = { +'_net': self._net, +'super_state': super(UnsafeIPAddress, self).__getstate__(), +} +return state + +def __setstate__(self, state): +super(UnsafeIPAddress, self).__setstate__(state['super_state']) +self._net = state['_net'] + class CheckedIPAddress(UnsafeIPAddress): """IPv4 or IPv6 address with additional constraints. 
@@ -205,6 +216,17 @@ def __init__(self, addr, match_local=False, parse_netmask=True, self.prefixlen = self._net.prefixlen +def __getstate__(self): +state = { +'prefixlen': self.prefixlen, +'super_state': super(CheckedIPAddress, self).__getstate__(), +} +return state + +def __setstate__(self, state): +super(CheckedIPAddress, self).__setstate__(state['super_state']) +self.prefixlen = state['prefixlen'] + def is_network_addr(self): return self == self._net.network -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
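Review bot: `__setstate__` in the `UnsafeIPAddress` hunk (`@@ -127,6 +127,17 @@`) indexes `state['super_state']` and `state['_net']` unconditionally, so it only accepts pickles written by the new `__getstate__`. The commit message says the pickle is read back in the second part of `ipa-server-install --external-ca`; if the first part ran before this change was installed, the stored state has the parent class's layout and unpickling will raise instead of restoring the address. Consider detecting that case (for example, when `state` is not a dict) and handling it explicitly with a clear error, and describe the state format in a docstring on `__getstate__`.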
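Review bot: `prefixlen` is pickled separately in the `CheckedIPAddress` hunk (`@@ -205,6 +216,17 @@`) even though the context line `self.prefixlen = self._net.prefixlen` shows it is derived from `_net`, which the parent's state already carries. Storing both lets the two disagree after unpickling; `__setstate__` could call the parent and then set `self.prefixlen = self._net.prefixlen` instead. The patch also adds no test: a round trip through `pickle.dumps` and `pickle.loads` asserting that `_net` and `prefixlen` survive would cover the regression described in ticket 6385.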