[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs

2016-11-21 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

tomaskrizek commented:
"""
I agree. We need to re-add `self.dm_password` to `nolog_list`, just like it was 
before I removed it 
[here](https://github.com/freeipa/freeipa/commit/9340a1417acf120fed3e9ffbe9d658d3456743a1#diff-36dfe273a301d6b5ea2bbcf89c7cd661L167)

There is no reason to change it. I originally removed the line, because I 
thought I could remove `dm_password` from `DogtagInstance` altogether, but 
that turned out not to be the case.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/231#issuecomment-262171995
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
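
The comment above is about keeping the Directory Manager password on a `nolog_list` so it never reaches the installation log. As an added example (not FreeIPA code and not part of the PR), this sketch masks listed secrets at the log formatter, so command lines and exception text are both covered; `nolog_list` is the name used in the comment, while the tool name, option and password value are constructed placeholders.

```python
import io
import logging
import shlex

MASK = "XXXXXXXX"


def redact(text, nolog_list):
    """Mask every occurrence of each secret, in shell-quoted and raw form."""
    # Longest secrets first, so a secret that contains another is masked whole.
    for secret in sorted(filter(None, nolog_list), key=len, reverse=True):
        # shlex.quote() can rewrite the value (embedded quotes), so the quoted
        # form is masked before the raw one.
        for form in (shlex.quote(secret), secret):
            text = text.replace(form, MASK)
    return text


class NologFormatter(logging.Formatter):
    """Formatter that masks secrets in the final text, traceback included."""

    def __init__(self, fmt, nolog_list):
        super().__init__(fmt)
        self.nolog_list = tuple(nolog_list)

    def format(self, record):
        return redact(super().format(record), self.nolog_list)


def capture_install_log(dm_password, nolog_list):
    """Run a constructed installer step and return what reached the log."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(
        NologFormatter("%(levelname)s %(message)s", nolog_list))
    log = logging.getLogger("demo.install.%d" % id(stream))
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)

    # Hypothetical command line: tool name and option are placeholders.
    args = ["spawn-tool", "--ds-password", dm_password]
    log.debug("Starting external process: %s",
              " ".join(shlex.quote(a) for a in args))
    try:
        # A failing step whose error text repeats the secret.
        raise RuntimeError("bind with password %s failed" % dm_password)
    except RuntimeError:
        log.exception("step failed")

    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    password = "Constructed'Pw 1"  # constructed sample value
    print("--- without nolog_list ---")
    print(capture_install_log(password, nolog_list=()))
    print("--- with nolog_list ---")
    print(capture_install_log(password, nolog_list=(password,)))
```
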

[Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

jcholast commented:
"""
Also LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/244#issuecomment-262162424

[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

jcholast commented:
"""
The original code is broken by design IMO. The API object is used only to get 
the configured service startup timeout and to guess our DS instance name. None 
of this is platform specific, so I would prefer if we removed this from 
`ipaplatform` altogether instead of "just" fixing the import issue.

Anyway, given that the current plan is to make `ipaclient` _not_ depend on 
`ipaplatform`, is this change still necessary?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-262161616

[Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

tiran commented:
"""
setuptools' version parser does not support slicing. I need to find another 
solution for `verify_client_version()`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/254#issuecomment-262022304

[Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/223
Title: #223: LDAP refactoring: remove admin_conn

mbasti-rh commented:
"""
LGTM and Works for me, but I have to make sure that things I wrote inline 
won't happen
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/223#issuecomment-262019068

[Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/223
Title: #223: LDAP refactoring: remove admin_conn

mbasti-rh commented:
"""
LGTM and Works for me, but I have to make sure that things I wrote inline 
didn't happen
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/223#issuecomment-262019068

[Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

martbab commented:
"""
It seems that your changes broke IPA upgrade:

```
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
ipa : ERROR Upgrade failed with 'SetuptoolsVersion' object has no attribute 'version'
  [error] RuntimeError: 'SetuptoolsVersion' object has no attribute 'version'
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Update failed: 'SetuptoolsVersion' object has no attribute 'version'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
11-21 18:49 ipadocker.cli ERROR Command ipa-server-install -U --domain ipa.test --realm IPA.TEST -p Secret123 -a Secret123 --setup-dns --auto-forwarders failed (exit code 1)
```
Traceback in ipaserver-install.log:

```
# tail -n 50  /var/log/ipaserver-install.log 
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 510, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 471, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 468, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 705, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 481, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 510, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 568, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 565, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 500, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 471, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 468, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for _nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 575, in main
    master_install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 851, in install
    ds.apply_updates()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 693, in apply_updates
    raise RuntimeError("Update failed: %s" % e)

2016-11-21T17:49:45Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Update failed: 'SetuptoolsVersion' object has no attribute 'version'
2016-11-21T17:49:45Z ERROR Update failed: 'SetuptoolsVersion' object has no attribute 'version'
2016-11-21T17:49:45Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/254#issuecomment-262018483

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

mbasti-rh commented:
"""
I found some changes in versions of dependencies I don't like, because there is 
no explanation why it is needed and it is out of sync between specfile and 
setup.py 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-262015124

[Freeipa-devel] [freeipa PR#249][+pushed] Remove references to ds_newinst.pl

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/249
Title: #249: Remove references to ds_newinst.pl

Label: +pushed

[Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

mbasti-rh commented:
"""
Can you finish this PR? It can be tested and possibly merged
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/244#issuecomment-261997481

[Freeipa-devel] [freeipa PR#249][closed] Remove references to ds_newinst.pl

2016-11-21 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/249
Author: frasertweedale
 Title: #249: Remove references to ds_newinst.pl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/249/head:pr249
git checkout pr249

[Freeipa-devel] [freeipa PR#249][comment] Remove references to ds_newinst.pl

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/249
Title: #249: Remove references to ds_newinst.pl

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/687ebd18a1927cd6dcbb6cb884b979096c8a44aa
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/249#issuecomment-262000279

[Freeipa-devel] [freeipa PR#212][+pushed] KRA: don't add KRA container when KRA replica

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica

Label: +pushed

[Freeipa-devel] [freeipa PR#212][closed] KRA: don't add KRA container when KRA replica

2016-11-21 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/212
Author: mbasti-rh
 Title: #212: KRA: don't add KRA container when KRA replica
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/212/head:pr212
git checkout pr212

[Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/61094a2a20f5cacdb7c87940d0db8d8593a87505
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/212#issuecomment-261998716

[Freeipa-devel] [freeipa PR#256][comment] Pylint: whitelist packages with extension modules

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/256
Title: #256: Pylint: whitelist packages with extension modules

mbasti-rh commented:
"""
LGTM, I'll test it tomorrow
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/256#issuecomment-261997895

[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

mbasti-rh commented:
"""
LGTM, except the inline comment I made, I'll test it tomorrow
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-261995638

[Freeipa-devel] [freeipa PR#259][comment] Minor fixes for IPAVersion class

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/259
Title: #259: Minor fixes for IPAVersion class

mbasti-rh commented:
"""
LGTM, I'll test tomorrow
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/259#issuecomment-261995775

[Freeipa-devel] [freeipa PR#261][+rejected] upgrade: do not set HTTP and DS principals explicitly

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/261
Title: #261: upgrade: do not set HTTP and DS principals explicitly

Label: +rejected

[Freeipa-devel] [freeipa PR#260][closed] Build: fix path in ipa-ods-exporter.socket unit file

2016-11-21 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/260
Author: pspacek
 Title: #260: Build: fix path in ipa-ods-exporter.socket unit file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/260/head:pr260
git checkout pr260

[Freeipa-devel] [freeipa PR#251][+rejected] Add rebuild rule for template files

2016-11-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/251
Title: #251: Add rebuild rule for template files

Label: +rejected

[Freeipa-devel] [freeipa PR#251][comment] Add rebuild rule for template files

2016-11-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/251
Title: #251: Add rebuild rule for template files

pspacek commented:
"""
I'm going to provide a proper fix as agreed at the meeting today.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/251#issuecomment-261987023

[Freeipa-devel] [freeipa PR#262][closed] upgrade: do not explicitly set principal for services

2016-11-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/262
Author: tomaskrizek
 Title: #262: upgrade: do not explicitly set principal for services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/262/head:pr262
git checkout pr262

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 21.11.2016 15:25, Jan Cholasta wrote:

On 21.11.2016 15:07, Christian Heimes wrote:

On 2016-11-21 14:44, Petr Spacek wrote:

3.3 ipaplatform auto-configuration

I'm not sure if guessing platform from ID_LIKE is really a good
idea. It
might work fine for centos -> rhel, but in general we can't really
assume it will always work, as the platforms listed in ID_LIKE
might not
be similar enough to the one in ID. I would rather add an ipaplatform
subpackage for every supported platform (including CentOS) than depend
on error-prone guesswork.


Can you show me a real-world example for your statement that ID_LIKE is
error-prone?

Your proposal doesn't scale. There are tons of Debian spins with their
own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
Do you want to maintain an exhaustive list of all Debian and Ubuntu
variants?


Can we agree that it would be much better to get rid of platform
dependency in
client libraries and be done with this philosophical debate?


+1



Yes, that would be my preferable solution, too. But it's a lot of work
and I don't have any spare time to work on a redesign of ipaplatform /
ipalib. Who is going to do it?


I'm going to look into this.



Christian





--
Jan Cholasta



[Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/262
Title: #262: upgrade: do not explicitly set principal for services

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2793cdc8593c40d8318ec3685408ade6bf9a5320
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/262#issuecomment-261964850

[Freeipa-devel] [freeipa PR#262][+ack] upgrade: do not explicitly set principal for services

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/262
Title: #262: upgrade: do not explicitly set principal for services

Label: +ack

[Freeipa-devel] [freeipa PR#261][comment] upgrade: do not set HTTP and DS principals explicitly

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/261
Title: #261: upgrade: do not set HTTP and DS principals explicitly

martbab commented:
"""
Closing this as duplicate of https://github.com/freeipa/freeipa/pull/262
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/261#issuecomment-261964093

[Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/262
Title: #262: upgrade: do not explicitly set principal for services

martbab commented:
"""
Heh, I have opened https://github.com/freeipa/freeipa/pull/262 for this same 
issue recently. Since you assigned yourself to the ticket and filled all 
required fields you win this race :).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/262#issuecomment-261956701

[Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn

2016-11-21 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/223
Author: tomaskrizek
 Title: #223: LDAP refactoring: remove admin_conn
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/223/head:pr223
git checkout pr223
From bedcc0dcc2e51164cb02a97c4ef6942d6cf6bbbd Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 9 Nov 2016 12:53:14 +0100
Subject: [PATCH 1/2] services: replace admin_conn with api.Backend.ldap2

Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-adtrust-install|  6 +--
 ipaserver/install/adtrustinstance.py | 79 +---
 ipaserver/install/bindinstance.py| 10 ++--
 ipaserver/install/cainstance.py  | 22 -
 ipaserver/install/dnskeysyncinstance.py  |  6 +--
 ipaserver/install/dogtaginstance.py  | 16 +++
 ipaserver/install/dsinstance.py  | 18 
 ipaserver/install/httpinstance.py|  9 ++--
 ipaserver/install/kra.py |  7 +--
 ipaserver/install/krbinstance.py | 13 +++---
 ipaserver/install/odsexporterinstance.py |  4 +-
 ipaserver/install/opendnssecinstance.py  |  6 +--
 ipaserver/install/service.py | 44 --
 13 files changed, 120 insertions(+), 120 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8eed519..8b75d5c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -411,7 +411,7 @@ def main():
 try:
 # Search only masters which have support for domain levels
 # because only these masters will have SSSD recent enough to support AD trust agents
-entries_m, _truncated = smb.admin_conn.find_entries(
+entries_m, _truncated = api.Backend.ldap2.find_entries(
 filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
 base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
 except errors.NotFound:
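Review bot: the `find_entries` call on the changed line in `main()` now needs `api.Backend.ldap2` to be connected by the time this `try` block runs, and the only exception handled after it is `errors.NotFound`. The commit message describes `admin_conn` as an alias for the same backend, so this should be equivalent, but please confirm the connection is established before this point, or say in the commit message where it is made.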
@@ -421,7 +421,7 @@ def main():
print(unicode(e))
 
 try:
-   entries_a, _truncated = smb.admin_conn.find_entries(
+   entries_a, _truncated = api.Backend.ldap2.find_entries(
filter="", base_dn=agents_dn, attrs_list=['member'],
scope=ldap.SCOPE_BASE)
 except errors.NotFound:
@@ -470,7 +470,7 @@ def main():
 # Add the CIFS and host principals to the 'adtrust agents' group
 # as 389-ds only operates with GroupOfNames, we have to use
 # the principal's proper dn as defined in self.cifs_agent
-service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
+service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member",
 [x[1] for x in new_agents])
 print("""
 WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
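Review bot: `service.add_principals_to_group` on the changed line still takes the connection as its first argument, and after this patch the caller passes the global `api.Backend.ldap2`. If every caller ends up passing that same object, consider dropping the parameter in a follow-up so the helper reads the backend itself; if it is kept on purpose, a short note in the commit message would help.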
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index cab5a72..632052a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -200,7 +200,7 @@ def __add_admin_sids(self):
 admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
 self.suffix)
 try:
-dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
+dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
 except errors.NotFound:
 self.print_msg("Samba domain object not found")
 return
@@ -211,13 +211,13 @@ def __add_admin_sids(self):
 return
 
 try:
-admin_entry = self.admin_conn.get_entry(admin_dn)
+admin_entry = api.Backend.ldap2.get_entry(admin_dn)
 except errors.NotFound:
 self.print_msg("IPA admin object not found")
 return
 
 try:
-admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
+admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn)
 except errors.NotFound:
 self.print_msg("IPA admin group object not found")
 return
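Review bot: style point on the `get_entry` calls in `__add_admin_sids`: this hunk and the one before it spell out `api.Backend.ldap2` for each of the three lookups. A local `conn = api.Backend.ldap2` at the top of the method would keep these lines short and leave a single place to change if the connection source moves again.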
@@ -226,9 +226,10 @@ def __add_admin_sids(self):
 self.print_msg("Admin SID already set, nothing to do")
 else:
 try:
-self.admin_conn.modify_s(admin_dn, \
-[(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
- (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
+api.Backend.ldap2.modify_s(
+admin_dn,
+[(ldap.MOD_ADD, "objectclass", self.OBJC_USER),
+

[Freeipa-devel] [freeipa PR#262][opened] upgrade: do not explicitly set principal for services

2016-11-21 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/262
Author: tomaskrizek
 Title: #262: upgrade: do not explicitly set principal for services
Action: opened

PR body:
"""
After installer refactoring, principal is a property of service.

https://fedorahosted.org/freeipa/ticket/6500
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/262/head:pr262
git checkout pr262
From cc05ba167fe6cea47da7f48ab1d50033c8a8d58b Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 21 Nov 2016 10:37:22 +0100
Subject: [PATCH] upgrade: do not explicitly set principal for services

After installer refactoring, principal is a property of service.

https://fedorahosted.org/freeipa/ticket/6500
---
 ipaserver/install/server/upgrade.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5f61015..d93b908 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1589,7 +1589,6 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.fqdn = fqdn
 http.realm = api.env.realm
-http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
 
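Review bot: the commit message does not say what goes wrong when the `http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)` assignment is left in place. Since the stated reason is that principal is now a property of the service, please add the symptom (whether the assignment raises or is silently ignored) so it is clear whether this is a cleanup or a fix for a failing upgrade.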
@@ -1612,7 +1611,6 @@ def upgrade_configuration():
 ds.fqdn = fqdn
 ds.realm = api.env.realm
 ds.suffix = ipautil.realm_to_suffix(api.env.realm)
-ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
 
 ds_enable_sidgen_extdom_plugins(ds)
 
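Review bot: with the `ds.principal` line removed, the value comes entirely from the service property, while `ds.fqdn` and `ds.realm` are still assigned by hand just above. Please confirm the property builds the same `ldap/<fqdn>@<realm>` string from those two attributes before `ds_enable_sidgen_extdom_plugins(ds)` runs; the diffstat shows only `upgrade.py` touched, so nothing in this patch exercises that.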

[Freeipa-devel] [freeipa PR#262][comment] upgrade: do not explicitly set principal for services

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/262
Title: #262: upgrade: do not explicitly set principal for services

martbab commented:
"""
Heh, I have opened PR#261 for this same issue recently. Since you assigned 
yourself to the ticket and filled all required fields you win this race :).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/262#issuecomment-261956701

[Freeipa-devel] [freeipa PR#223][comment] LDAP refactoring: remove admin_conn

2016-11-21 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/223
Title: #223: LDAP refactoring: remove admin_conn

tomaskrizek commented:
"""
Depends on #262 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/223#issuecomment-261956124

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 21.11.2016 14:15, Christian Heimes wrote:

On 2016-11-21 13:31, Jan Cholasta wrote:

Hi,

On 11.11.2016 15:25, Christian Heimes wrote:

Hello,

I have released the first version of a new design document. It describes
how I'm going to improve integration of FreeIPA's client libraries
(ipalib, ipapython, ipaclient, ipaplatform) for third party developers.

http://www.freeipa.org/page/V4/Integration_Improvements


3.1 API for local configuration directory

"Both approaches have some disadvantages. A user must repeat the -e
option in every call to ipa or create a shell alias. It's both tedious
and error-prone."

This is pretty subjective. I don't think it's error-prone at all, since
it is explicit and you always know what confdir value will be used in
the ipa command just by looking at its arguments, as opposed to the
environment variable, which makes the configuration implicit and
depending on *sane* environment and is equivalent to preferring global
variables to function arguments in Python code.


It's not implicit. The env var has to be set explicitly just like you
have to use -e confdir explicitly in every call.


Yes, you need to set it explicitly, but then it is implicitly inherited 
by the command. And just like with global variables, you might have a 
hard time tracking down where it was set and why if you didn't set it 
yourself, especially if you are a casual user and not a developer like us.





That being said, this whole section is filled with one-sided "facts" and
simply ignores everything else, which might lead the reader to believe
that the environment variable is something required, while it is in fact
just a nice-to-have convenience feature. A good design should include
both sides of an argument, even if you don't agree with one.

BTW, shell alias works perfectly fine in your virtualenv example above
in the design.


No, it does not work perfectly fine. By default shell aliases are
limited to interactive shells.


Last time I checked virtualenv provided an interactive shell.


My proposal also works with Python
subprocess module, a C program with execve(), Makefile, Ansible local
command, non-interactive shell script...


... which are all more or less write-once, so the env variable provides 
very little benefit over the command line option.





3.2.1 Build and runtime requirements

How are we going to detect and report missing runtime dependencies?
Currently if they are not installed, the code will fail at random places
during execution with an often cryptic error message. I think this is
unacceptable, and since there is no way specify external dependencies
using setuptools (right?), it needs to be done in our code during
package import (or other suitable place).


Instead of detecting missing dependencies, we document requirements and
treat users as adults.


We do all kinds of runtime checks in our commands - are you saying we 
should just remove them all, because the users are adults?



Runtime checks are a performance issue. Since
wheels don't execute code at installation time, we can't check for
missing dependencies during installation.


In other words, we will provide broken packages in PyPI, at least 
compared to our downstream packages. Is this really the normal thing to 
do for PyPI packages with external dependencies?





3.3 ipaplatform auto-configuration

I'm not sure if guessing platform from ID_LIKE is really a good idea. It
might work fine for centos -> rhel, but in general we can't really
assume it will always work, as the platforms listed in ID_LIKE might not
be similar enough to the one in ID. I would rather add an ipaplatform
subpackage for every supported platform (including CentOS) than depend
on error-prone guesswork.


Can you show me a real-world example for your statement that ID_LIKE is
error-prone?

Your proposal doesn't scale. There are tons of Debian spins with their
own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
Do you want to maintain an exhaustive list of all Debian and Ubuntu
variants?


Yes, I'm aware of that, I was hoping we could find some sort of compromise.



Christian




--
Jan Cholasta



Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 21.11.2016 15:07, Christian Heimes wrote:

> On 2016-11-21 14:44, Petr Spacek wrote:
>>>> 3.3 ipaplatform auto-configuration
>>>>
>>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>>>> might work fine for centos -> rhel, but in general we can't really
>>>> assume it will always work, as the platforms listed in ID_LIKE might not
>>>> be similar enough to the one in ID. I would rather add an ipaplatform
>>>> subpackage for every supported platform (including CentOS) than depend
>>>> on error-prone guesswork.
>>>
>>> Can you show me a real-world example for your statement that ID_LIKE is
>>> error-prone?
>>>
>>> Your proposal doesn't scale. There are tons of Debian spins with their
>>> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
>>> Do you want to maintain an exhaustive list of all Debian and Ubuntu
>>> variants?
>>
>> Can we agree that it would be much better to get rid of platform dependency in
>> client libraries and be done with this philosophical debate?

+1

> Yes, that would be my preferable solution, too. But it's a lot of work
> and I don't have any spare time to work on a redesign of ipaplatform /
> ipalib. Who is going to do it?
>
> Christian


--
Jan Cholasta



Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Christian Heimes
On 2016-11-21 14:44, Petr Spacek wrote:
>>> 3.3 ipaplatform auto-configuration
>>>
>>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>>> might work fine for centos -> rhel, but in general we can't really
>>> assume it will always work, as the platforms listed in ID_LIKE might not
>>> be similar enough to the one in ID. I would rather add an ipaplatform
>>> subpackage for every supported platform (including CentOS) than depend
>>> on error-prone guesswork.
>>
>> Can you show me a real-world example for your statement that ID_LIKE is
>> error-prone?
>>
>> Your proposal doesn't scale. There are tons of Debian spins with their
>> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
>> Do you want to maintain an exhaustive list of all Debian and Ubuntu
>> variants?
> 
> Can we agree that it would be much better to get rid of platform dependency in
> client libraries and be done with this philosophical debate?

Yes, that would be my preferable solution, too. But it's a lot of work
and I don't have any spare time to work on a redesign of ipaplatform /
ipalib. Who is going to do it?

Christian





[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

martbab commented:
"""
Well that is what I was pointing at, by adding both DM and admin passwords to 
the parent method's default `nolog_list`, you are future-proofing the code 
because all spawn-instance calls will be safe. But maybe I am missing something.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/231#issuecomment-261943789
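
The future-proofing argument in the comment above, as an added example that is not FreeIPA's code: the parent method appends both passwords to whatever `nolog_list` the caller passes, so a subclass that passes nothing is still covered. The class names, the `spawn-tool` command and its flags are hypothetical; the passwords are constructed sample values.

```python
REDACTED = "XXXXXXXX"


def redact(text, secrets):
    """Mask every non-empty secret in text.

    Longest secrets go first: if one password is a prefix of another,
    masking the short one first would leave the rest of the long one
    readable in the log.
    """
    for secret in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


class BaseInstance:
    """Hypothetical stand-in for an installer base class."""

    def __init__(self, dm_password, admin_password=None):
        self.dm_password = dm_password
        self.admin_password = admin_password
        self.log_lines = []  # stands in for the installation log

    def spawn_instance(self, args, nolog_list=()):
        # Defaults are appended here, in the parent: a caller can extend
        # the list but cannot forget or drop the two passwords.
        nolog = tuple(nolog_list) + (self.dm_password, self.admin_password)
        line = redact("Starting external process: " + " ".join(args), nolog)
        self.log_lines.append(line)
        return line


class CALike(BaseInstance):
    def configure(self):
        # This caller passes no nolog_list at all.
        return self.spawn_instance(
            ["spawn-tool", "--ds-password", self.dm_password])


class KRALike(BaseInstance):
    def configure(self, token):
        # This caller adds its own secret; the defaults still apply.
        return self.spawn_instance(
            ["spawn-tool", "--ds-password", self.dm_password,
             "--admin-password", self.admin_password, "--token", token],
            nolog_list=(token,))


if __name__ == "__main__":
    print(CALike("Secret123", "Secret123admin").configure())
    print(KRALike("Secret123", "Secret123admin").configure("tok-9f2"))
```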

[Freeipa-devel] [freeipa PR#191][+pushed] Exclude testing ipa.pot file from zanata

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/191
Title: #191: Exclude testing ipa.pot file from zanata

Label: +pushed

[Freeipa-devel] [freeipa PR#191][closed] Exclude testing ipa.pot file from zanata

2016-11-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/191
Author: mbasti-rh
 Title: #191: Exclude testing ipa.pot file from zanata
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/191/head:pr191
git checkout pr191

[Freeipa-devel] [freeipa PR#191][comment] Exclude testing ipa.pot file from zanata

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/191
Title: #191: Exclude testing ipa.pot file from zanata

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ad32bf147ed6996c0967bb8e8cfb803113ceaf5f
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/76d4368ff9885a1e92bac2df75fefd49e7657c0d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/191#issuecomment-261942763

[Freeipa-devel] [freeipa PR#191][+ack] Exclude testing ipa.pot file from zanata

2016-11-21 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/191
Title: #191: Exclude testing ipa.pot file from zanata

Label: +ack

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Petr Spacek
On 21.11.2016 14:15, Christian Heimes wrote:
> On 2016-11-21 13:31, Jan Cholasta wrote:
>> Hi,
>>
>> On 11.11.2016 15:25, Christian Heimes wrote:
>>> Hello,
>>>
>>> I have released the first version of a new design document. It describes
>>> how I'm going to improve integration of FreeIPA's client libraries
>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>
>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>
>> 3.1 API for local configuration directory
>>
>> "Both approaches have some disadvantages. A user must repeat the -e
>> option in every call to ipa or create a shell alias. It's both tedious
>> and error-prone."
>>
>> This is pretty subjective. I don't think it's error-prone at all, since
>> it is explicit and you always know what confdir value will be used in
>> the ipa command just by looking at its arguments, as opposed to the
>> environment variable, which makes the configuration implicit and
>> depending on *sane* environment and is equivalent to preferring global
>> variables to function arguments in Python code.
> 
> It's not implicit. The env var has to be set explicitly just like you
> have to use -e confdir explicitly in every call.
> 
>> That being said, this whole section is filled with one-sided "facts" and
>> simply ignores everything else, which might lead the reader to believe
>> that the environment variable is something required, while it is in fact
>> just a nice-to-have convenience feature. A good design should include
>> both sides of an argument, even if you don't agree with one.
>>
>> BTW, shell alias works perfectly fine in your virtualenv example above
>> in the design.
> 
> No, it does not work perfectly fine. By default shell aliases are
> limited to interactive shells. My proposal also works with Python
> subprocess module, a C program with execve(), Makefile, Ansible local
> command, non-interactive shell script...
> 
>> 3.2.1 Build and runtime requirements
>>
>> How are we going to detect and report missing runtime dependencies?
>> Currently if they are not installed, the code will fail at random places
>> during execution with an often cryptic error message. I think this is
>> unacceptable, and since there is no way to specify external dependencies
>> using setuptools (right?), it needs to be done in our code during
>> package import (or other suitable place).
> 
> Instead of detecting missing dependencies, we document requirements and
> treat users as adults. Runtime checks are a performance issue. Since
> wheels don't execute code at installation time, we can't check for
> missing dependencies during installation.
> 
>> 3.3 ipaplatform auto-configuration
>>
>> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
>> might work fine for centos -> rhel, but in general we can't really
>> assume it will always work, as the platforms listed in ID_LIKE might not
>> be similar enough to the one in ID. I would rather add an ipaplatform
>> subpackage for every supported platform (including CentOS) than depend
>> on error-prone guesswork.
> 
> Can you show me a real-world example for your statement that ID_LIKE is
> error-prone?
> 
> Your proposal doesn't scale. There are tons of Debian spins with their
> own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
> Do you want to maintain an exhaustive list of all Debian and Ubuntu
> variants?

Can we agree that it would be much better to get rid of platform dependency in
client libraries and be done with this philosophical debate?

-- 
Petr^2 Spacek



[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2016-11-21 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

apophys commented:
"""
I think in this case we can go with keyword arguments only. Most of the uses of 
the tracker in the tests do it already. What I will need in the case of keyword 
arguments is an explicit check for some non-empty unicode string for the 
required attributes in the __init__ method.

All of this applies to `StageUserTracker` in #210 as well
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-261940072

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Christian Heimes
On 2016-11-21 13:31, Jan Cholasta wrote:
> Hi,
> 
> On 11.11.2016 15:25, Christian Heimes wrote:
>> Hello,
>>
>> I have released the first version of a new design document. It describes
>> how I'm going to improve integration of FreeIPA's client libraries
>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>
>> http://www.freeipa.org/page/V4/Integration_Improvements
> 
> 3.1 API for local configuration directory
> 
> "Both approaches have some disadvantages. A user must repeat the -e
> option in every call to ipa or create a shell alias. It's both tedious
> and error-prone."
> 
> This is pretty subjective. I don't think it's error-prone at all, since
> it is explicit and you always know what confdir value will be used in
> the ipa command just by looking at its arguments, as opposed to the
> environment variable, which makes the configuration implicit and
> depending on *sane* environment and is equivalent to preferring global
> variables to function arguments in Python code.

It's not implicit. The env var has to be set explicitly just like you
have to use -e confdir explicitly in every call.

> That being said, this whole section is filled with one-sided "facts" and
> simply ignores everything else, which might lead the reader to believe
> that the environment variable is something required, while it is in fact
> just a nice-to-have convenience feature. A good design should include
> both sides of an argument, even if you don't agree with one.
> 
> BTW, shell alias works perfectly fine in your virtualenv example above
> in the design.

No, it does not work perfectly fine. By default shell aliases are
limited to interactive shells. My proposal also works with Python
subprocess module, a C program with execve(), Makefile, Ansible local
command, non-interactive shell script...

> 3.2.1 Build and runtime requirements
> 
> How are we going to detect and report missing runtime dependencies?
> Currently if they are not installed, the code will fail at random places
> during execution with an often cryptic error message. I think this is
> unacceptable, and since there is no way to specify external dependencies
> using setuptools (right?), it needs to be done in our code during
> package import (or other suitable place).

Instead of detecting missing dependencies, we document requirements and
treat users as adults. Runtime checks are a performance issue. Since
wheels don't execute code at installation time, we can't check for
missing dependencies during installation.

> 3.3 ipaplatform auto-configuration
> 
> I'm not sure if guessing platform from ID_LIKE is really a good idea. It
> might work fine for centos -> rhel, but in general we can't really
> assume it will always work, as the platforms listed in ID_LIKE might not
> be similar enough to the one in ID. I would rather add an ipaplatform
> subpackage for every supported platform (including CentOS) than depend
> on error-prone guesswork.

Can you show me a real-world example for your statement that ID_LIKE is
error-prone?

Your proposal doesn't scale. There are tons of Debian spins with their
own ID. For example my Raspberry Pi has ID=raspbian and ID_LIKE=debian.
Do you want to maintain an exhaustive list of all Debian and Ubuntu
variants?

Christian




[Freeipa-devel] [freeipa PR#261][opened] upgrade: do not set HTTP and DS principals explicitly

2016-11-21 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/261
Author: martbab
 Title: #261: upgrade: do not set HTTP and DS principals explicitly
Action: opened

PR body:
"""
In ipa-server-upgrade, HTTP and DS principals are explicitly constructed from
realm, fqdn, and service prefix. This is neither required nor desirable,
since the principal is now a read-only property which constructs the principal
name in the same way.

https://fedorahosted.org/freeipa/ticket/6500
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/261/head:pr261
git checkout pr261
From a4657323da629ced2d083c132a521ca707a43955 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 21 Nov 2016 13:52:57 +0100
Subject: [PATCH] upgrade: do not set HTTP and DS principals explicitly

In ipa-server-upgrade, HTTP and DS principals are explicitly constructed from
realm, fqdn, and service prefix. This is neither required nor desirable,
since the principal is now a read-only property which constructs the principal
name in the same way.

https://fedorahosted.org/freeipa/ticket/6500
---
 ipaserver/install/server/upgrade.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5f61015..d93b908 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1589,7 +1589,6 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.fqdn = fqdn
 http.realm = api.env.realm
-http.principal = "HTTP/%s@%s" % (http.fqdn, http.realm)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
 
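Review bot: with the explicit assignment gone, http.principal in upgrade_configuration() depends entirely on the http.fqdn and http.realm assignments kept just above the removed line, so those two lines are no longer optional setup. The commit message says the read-only property builds the name from realm, fqdn and service prefix; a one-line comment next to http.fqdn = fqdn saying the property relies on it would stop a later cleanup from dropping the assignments as redundant.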
@@ -1612,7 +1611,6 @@ def upgrade_configuration():
 ds.fqdn = fqdn
 ds.realm = api.env.realm
 ds.suffix = ipautil.realm_to_suffix(api.env.realm)
-ds.principal = "ldap/%s@%s" % (ds.fqdn, ds.realm)
 
 ds_enable_sidgen_extdom_plugins(ds)
 
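Review bot: the removed ds.principal line used a lower-case "ldap/" prefix while the removed HTTP line used upper-case "HTTP/", so the commit message's claim that the property constructs the name "in the same way" has to hold per service, including case. Please confirm that the DS instance's service prefix yields exactly ldap/<fqdn>@<realm>, since a differently cased prefix is a different Kerberos principal, and consider asserting both values in an upgrade test.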

[Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system

2016-11-21 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/238
Title: #238: Build system refactoring phase 8: update translation system

pspacek commented:
"""
@tiran You are right, I forgot to remove the `config.rpath` when 
`AM_GNU_GETTEXT_VERSION` macro was introduced. This version fixes this problem 
by removing `config.rpath` from Git.

@lslebodn We can do this change in some later PR. I do not want to mix it with 
translation system changes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/238#issuecomment-261927883

[Freeipa-devel] [freeipa PR#260][+ack] Build: fix path in ipa-ods-exporter.socket unit file

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/260
Title: #260: Build: fix path in ipa-ods-exporter.socket unit file

Label: +ack

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

Hi,

On 11.11.2016 15:25, Christian Heimes wrote:

> Hello,
>
> I have released the first version of a new design document. It describes
> how I'm going to improve integration of FreeIPA's client libraries
> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>
> http://www.freeipa.org/page/V4/Integration_Improvements


3.1 API for local configuration directory

"Both approaches have some disadvantages. A user must repeat the -e 
option in every call to ipa or create a shell alias. It's both tedious 
and error-prone."


This is pretty subjective. I don't think it's error-prone at all, since 
it is explicit and you always know what confdir value will be used in 
the ipa command just by looking at its arguments, as opposed to the 
environment variable, which makes the configuration implicit and 
depending on *sane* environment and is equivalent to preferring global 
variables to function arguments in Python code.


That being said, this whole section is filled with one-sided "facts" and 
simply ignores everything else, which might lead the reader to believe 
that the environment variable is something required, while it is in fact 
just a nice-to-have convenience feature. A good design should include 
both sides of an argument, even if you don't agree with one.


BTW, shell alias works perfectly fine in your virtualenv example above 
in the design.



3.2.1 Build and runtime requirements

How are we going to detect and report missing runtime dependencies? 
Currently if they are not installed, the code will fail at random places 
during execution with an often cryptic error message. I think this is 
unacceptable, and since there is no way to specify external dependencies
using setuptools (right?), it needs to be done in our code during 
package import (or other suitable place).



3.3 ipaplatform auto-configuration

I'm not sure if guessing platform from ID_LIKE is really a good idea. It 
might work fine for centos -> rhel, but in general we can't really 
assume it will always work, as the platforms listed in ID_LIKE might not 
be similar enough to the one in ID. I would rather add an ipaplatform 
subpackage for every supported platform (including CentOS) than depend 
on error-prone guesswork.



Honza

--
Jan Cholasta



[Freeipa-devel] [freeipa PR#260][opened] Build: fix path in ipa-ods-exporter.socket unit file

2016-11-21 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/260
Author: pspacek
 Title: #260: Build: fix path in ipa-ods-exporter.socket unit file
Action: opened

PR body:
"""
This fixes regression caused by incorrect
daemons/dnssec/ipa-ods-exporter.socket.in path template introduced
in commit 312e780041fc9025ca3c189e6c9fcb54c7340714.

https://fedorahosted.org/freeipa/ticket/6495
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/260/head:pr260
git checkout pr260
From 01297ca51491f7f2e85a111b3e8bc96c52f2e825 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 21 Nov 2016 12:20:08 +0100
Subject: [PATCH] Build: fix path in ipa-ods-exporter.socket unit file

This fixes regression caused by incorrect
daemons/dnssec/ipa-ods-exporter.socket.in path template introduced
in commit 312e780041fc9025ca3c189e6c9fcb54c7340714.

https://fedorahosted.org/freeipa/ticket/6495
---
 daemons/dnssec/ipa-ods-exporter.socket.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/dnssec/ipa-ods-exporter.socket.in b/daemons/dnssec/ipa-ods-exporter.socket.in
index ffc6994..ec58da9 100644
--- a/daemons/dnssec/ipa-ods-exporter.socket.in
+++ b/daemons/dnssec/ipa-ods-exporter.socket.in
@@ -1,5 +1,5 @@
 [Socket]
-ListenStream=@localstatedir@/opendnssec/engine.sock
+ListenStream=@localstatedir@/run/opendnssec/engine.sock
 
 [Install]
 WantedBy=sockets.target
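Review bot: the corrected ListenStream line spells the runtime directory as a literal run/ under @localstatedir@, which ties the unit file to that layout. If the build already provides a substitution for the runtime state directory, using it here would be more robust than the literal. The commit message only says the earlier template was incorrect, so it would also help to name the component that expects engine.sock at this path, so the two can be kept in step.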

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Christian Heimes
On 2016-11-21 11:38, Jan Cholasta wrote:
> On 21.11.2016 11:04, Christian Heimes wrote:
>> On 2016-11-21 10:46, Jan Cholasta wrote:
>>> On 21.11.2016 10:32, Christian Heimes wrote:
>>>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>>>
>>>>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have released the first version of a new design document. It
>>>>>>>> describes
>>>>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party
>>>>>>>> developers.
>>>>>>>>
>>>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Christian
>>>>>>>
>>>>>>> Hello, I have a few questions:
>>>>>>>
>>>>>>> 1) dynamic platform files
>>>>>>>
>>>>>>> Currently all RHEL/fedora-derived platforms work with the same
>>>>>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>>>>>> platform files, do you want to keep mappings between platforms and
>>>>>>> platform file? What about distributions that have in /etc/release
>>>>>>> just mess?
>>>>>>
>>>>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>>>>> involved. If a distribution has no /etc/os-release or a messed up
>>>>>> /etc/os-release, then it needs to be fixed by the distribution.
>>>>>> It's a
>>>>>> common standard and all relevant distributions support this standard.
>>>>>>
>>>>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>>>>
>>>>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>>>>
>>>>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>>>>> -> ipaplatform.rhel
>>>>>>
>>>>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>>>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>>>>
>>>>> There is more to ipaplatform than /etc/os-release offers. How do you
>>>>> differentiate between e.g. "Debian with SysV init" and "Debian with
>>>>> systemd"?
>>>>
>>>> Timo,
>>>>
>>>> do you support FreeIPA on Debian variants with SysV init?
>>>
>>> This is not an issue of what is supported now, but rather what is
>>> supportable in the future. Even if Debian with SysV init is not
>>> supported ATM, someone might want to add support for it in the future,
>>> and the design should not prevent them from doing so.
>>
>> My proposal does not prevent sysv init support. In fact it makes it even
>> easier to support it. In case Debian SysV Init does not have a distinct
>> ID in /etc/os-release, I can easily add some additional check like
>>
>> if (platform == 'debian' and
>>         os.path.realpath('/sbin/init') != '/usr/lib/systemd/systemd'):
>>     platform = 'debian_sysvinit'
> 
> I didn't mean to say it does prevent it, just that it should be noted in
> the design page.

I have updated http://www.freeipa.org/page/V4/Integration_Improvements#Scope

Christian
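
The ID / ID_LIKE resolution and the extra init check discussed in this thread, as an added example that is not FreeIPA's code. It generalises the quoted cases to any os-release content and reports whether the match came from `ID` or from the `ID_LIKE` fallback, so the fallback is visible to the caller. The `SUPPORTED_PLATFORMS` tuple, the function names and the sample file contents are assumptions made for the example.

```python
import os
import shlex

# Assumption: platform modules that exist under ipaplatform. The thread names
# rhel and fedora, and debian as planned; the tuple itself is illustrative.
SUPPORTED_PLATFORMS = ("rhel", "fedora", "debian")
SYSTEMD_PATH = "/usr/lib/systemd/systemd"


class UnsupportedPlatform(Exception):
    """Neither ID nor any ID_LIKE entry names a supported platform."""


def parse_os_release(text):
    """Parse os-release content (shell-style KEY=value lines) into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)  # strips '...' and "..." quoting
        except ValueError:
            continue  # unbalanced quote: ignore the line instead of guessing
        fields[key.strip()] = parts[0] if parts else ""
    return fields


def resolve_platform(fields, supported=SUPPORTED_PLATFORMS):
    """Return (platform, source); source is "ID" or "ID_LIKE".

    ID wins; ID_LIKE entries are tried in the order listed. Only names in
    `supported` are ever returned, so the file's content cannot steer the
    caller into importing an arbitrary module name.
    """
    candidates = [("ID", fields.get("ID", ""))]
    candidates += [("ID_LIKE", n) for n in fields.get("ID_LIKE", "").split()]
    for source, name in candidates:
        if name in supported:
            return name, source
    raise UnsupportedPlatform(
        "ID=%r ID_LIKE=%r" % (fields.get("ID"), fields.get("ID_LIKE"))
    )


def refine_for_init(platform, init_path=None):
    """The additional check from the thread: Debian without systemd as init."""
    if init_path is None:
        init_path = os.path.realpath("/sbin/init")
    if platform == "debian" and init_path != SYSTEMD_PATH:
        return "debian_sysvinit"
    return platform


# Constructed sample inputs mirroring the ID / ID_LIKE values quoted above.
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\n'
RASPBIAN = "# constructed sample\nID=raspbian\nID_LIKE=debian\n"
FEDORA = "ID=fedora\n"

if __name__ == "__main__":
    for sample in (CENTOS, RASPBIAN, FEDORA):
        platform, source = resolve_platform(parse_os_release(sample))
        print(platform, "matched via", source)
```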





Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 21.11.2016 11:04, Christian Heimes wrote:

> On 2016-11-21 10:46, Jan Cholasta wrote:
>> On 21.11.2016 10:32, Christian Heimes wrote:
>>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>>
>>>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I have released the first version of a new design document. It
>>>>>>> describes
>>>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party
>>>>>>> developers.
>>>>>>>
>>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>>
>>>>>>> Regards,
>>>>>>> Christian
>>>>>>
>>>>>> Hello, I have a few questions:
>>>>>>
>>>>>> 1) dynamic platform files
>>>>>>
>>>>>> Currently all RHEL/fedora-derived platforms work with the same
>>>>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>>>>> platform files, do you want to keep mappings between platforms and
>>>>>> platform file? What about distributions that have in /etc/release
>>>>>> just mess?
>>>>>
>>>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>>>> involved. If a distribution has no /etc/os-release or a messed up
>>>>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>>>>> common standard and all relevant distributions support this standard.
>>>>>
>>>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>>>
>>>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>>>
>>>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>>>> -> ipaplatform.rhel
>>>>>
>>>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>>>
>>>> There is more to ipaplatform than /etc/os-release offers. How do you
>>>> differentiate between e.g. "Debian with SysV init" and "Debian with
>>>> systemd"?
>>>
>>> Timo,
>>>
>>> do you support FreeIPA on Debian variants with SysV init?
>>
>> This is not an issue of what is supported now, but rather what is
>> supportable in the future. Even if Debian with SysV init is not
>> supported ATM, someone might want to add support for it in the future,
>> and the design should not prevent them from doing so.
>
> My proposal does not prevent sysv init support. In fact it makes it even
> easier to support it. In case Debian SysV Init does not have a distinct
> ID in /etc/os-release, I can easily add some additional check like
>
> if (platform == 'debian' and
>         os.path.realpath('/sbin/init') != '/usr/lib/systemd/systemd'):
>     platform = 'debian_sysvinit'


I didn't mean to say it does prevent it, just that it should be noted in 
the design page.


--
Jan Cholasta



[Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with pkg_resource.parse_version

2016-11-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
 Title: #254: Replace LooseVersion with pkg_resource.parse_version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/254/head:pr254
git checkout pr254
From 19d679da287222ff5d700a2aa789be15db7e059e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 21 Nov 2016 10:24:17 +0100
Subject: [PATCH] Replace LooseVersion with pkg_resources.parse_version

pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.

https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity.

ipaserver.install.krbinstance parses package version. I changed the module
to use tasks.parse_ipa_version().

Signed-off-by: Christian Heimes 
---
 ipaclient/remote_plugins/compat.py | 13 ++---
 ipalib/capabilities.py |  6 +++---
 ipalib/frontend.py | 16 +---
 ipalib/plugable.py |  7 +++
 ipaserver/install/krbinstance.py   |  6 +++---
 ipaserver/install/server/replicainstall.py | 10 +-
 6 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/ipaclient/remote_plugins/compat.py b/ipaclient/remote_plugins/compat.py
index 984eecd..20304fb 100644
--- a/ipaclient/remote_plugins/compat.py
+++ b/ipaclient/remote_plugins/compat.py
@@ -2,12 +2,12 @@
 # Copyright (C) 2016  FreeIPA Contributors see COPYING for license
 #
 
-from distutils.version import LooseVersion
 import importlib
 import os
 import re
 import sys
 
+from pkg_resources import parse_version
 import six
 
 from ipaclient.frontend import ClientCommand, ClientMethod
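Review bot: the new top-level import of parse_version from pkg_resources in compat.py makes setuptools a runtime requirement of the client package rather than only a build-time one, since pkg_resources is shipped by setuptools. The diffstat lists no packaging files, so please declare the dependency wherever the runtime requirements of ipaclient and ipalib are listed; otherwise the import fails on a minimal install.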
@@ -58,7 +58,7 @@ def get_package(server_info, client):
 server_info['version'] = server_version
 server_info.update_validity()
 
-server_version = LooseVersion(server_version)
+server_version = parse_version(server_version)
 
 package_names = {}
 base_name = __name__.rpartition('.')[0]
@@ -66,15 +66,14 @@ def get_package(server_info, client):
 for name in os.listdir(base_dir):
 package_dir = os.path.join(base_dir, name)
 if name.startswith('2_') and os.path.isdir(package_dir):
-package_version = name.replace('_', '.')
+package_version = parse_version(name.replace('_', '.'))
 package_names[package_version] = '{}.{}'.format(base_name, name)
 
 package_version = None
-for version in sorted(package_names, key=LooseVersion):
-if (package_version is None or
-LooseVersion(package_version) < LooseVersion(version)):
+for version in sorted(package_names):
+if package_version is None or package_version < version:
 package_version = version
-if LooseVersion(version) >= server_version:
+if version >= server_version:
 break
 
 package_name = package_names[package_version]
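Review bot: In the directory scan, `parse_version(name.replace('_', '.'))` is applied to every directory whose name starts with `2_`, with no check that the rest of the name is numeric, so how a stray name such as `2_foo` is ordered (or whether it is rejected) is left to pkg_resources rather than decided here. Consider matching the name against a strict pattern before parsing it; `re` is already imported in this module. Separately, once the keys are iterated through `sorted(package_names)`, the `package_version < version` test is always true for unique keys, so the condition can be dropped and the loop reduced to assign, then break.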
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
index 7ddaea2..7c1ab39 100644
--- a/ipalib/capabilities.py
+++ b/ipalib/capabilities.py
@@ -25,7 +25,7 @@
 versions they were introduced in.
 """
 
-from distutils import version
+from pkg_resources import parse_version
 
 VERSION_WITHOUT_CAPABILITIES = u'2.51'
 
@@ -64,6 +64,6 @@ def client_has_capability(client_version, capability):
 :param client_version: The API version string reported by the client
 """
 
-version_tuple = version.LooseVersion(client_version)
+version = parse_version(client_version)
 
-return version_tuple >= version.LooseVersion(capabilities[capability])
+return version >= parse_version(capabilities[capability])
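Review bot: `client_version` in `client_has_capability()` is the string reported by the client, and after this change it goes straight into `parse_version` with no guard for a value that is not a well-formed version. Please state in the docstring what happens for a malformed string (capability denied, or an error raised to the caller) and add a test for that case, so the comparison fails closed instead of depending on how pkg_resources treats such input.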
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index c94d174..d581a51 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -20,9 +20,7 @@
 """
 Base classes for all front-end plugins.
 """
-
-from distutils import version
-
+from pkg_resources import parse_version
 import six
 
 from ipapython.version import API_VERSION
@@ -770,16 +768,20 @@ def verify_client_version(self, client_version):
 If the client minor version is less than or equal to the server
 then let the request proceed.
 """
-server_ver = version.LooseVersion(API_VERSION)
-ver = version.LooseVersion(client_version)
+server_ver = parse_version(API_VERSION)
+ver = parse_version(client_version)
 if len(ver.version) < 2:
-raise VersionError(cver=ver.version, sver=server_ver.version, server= self.env.xmlrpc_uri)
+raise VersionError(cver=ver.version,
+   sver=server_ver.version,
+   server=self.env.xmlrpc_uri)
 client_major = ver.version[0]
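Review bot: `len(ver.version)`, `ver.version[0]` and `server_ver.version` in `verify_client_version()` are still written against LooseVersion's `.version` component list, but `ver` and `server_ver` now come from `parse_version`, whose result is not documented to expose a `.version` attribute. As written this looks like it raises AttributeError instead of reaching the VersionError branch. Derive the major and minor numbers from the parsed object's public interface or from the string itself, and cover the short-version case with a test.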
 
  

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Christian Heimes
On 2016-11-21 10:46, Jan Cholasta wrote:
> On 21.11.2016 10:32, Christian Heimes wrote:
>> On 2016-11-21 10:26, Jan Cholasta wrote:
>>> On 11.11.2016 18:28, Christian Heimes wrote:
>>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have released the first version of a new design document. It
>>>>>> describes
>>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party
>>>>>> developers.
>>>>>>
>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>
>>>>>> Regards,
>>>>>> Christian
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Hello, I have a few questions:
>>>>>
>>>>> 1) dynamic platform files
>>>>>
>>>>> Currently all RHEL/fedora-derived platforms work with the same
>>>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>>>> platform files, do you want to keep mappings between platforms and
>>>>> platform file? What about distributions that have in /etc/release
>>>>> just mess?
>>>>
>>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>>> involved. If a distribution has no /etc/os-release or a messed up
>>>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>>>> common standard and all relevant distributions support this standard.
>>>>
>>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>>
>>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>>
>>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>>> -> ipaplatform.rhel
>>>>
>>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>>
>>> There is more to ipaplatform than /etc/os-release offers. How do you
>>> differentiate between e.g. "Debian with SysV init" and "Debian with
>>> systemd"?
>>
>> Timo,
>>
>> do you support FreeIPA on Debian variants with SysV init?
> 
> This is not an issue of what is supported now, but rather what is
> supportable in the future. Even if Debian with SysV init is not
> supported ATM, someone might want to add support for it in the future,
> and the design should not prevent them from doing so.

My proposal does not prevent sysv init support. In fact it makes it even
easier to support it. In case Debian SysV Init does not have a distinct
ID in /etc/os-release, I can easily add some additional check like

    if (platform == 'debian' and
            os.path.realpath('/sbin/init') != '/usr/lib/systemd/systemd'):
        platform = 'debian_sysvinit'

Christian
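
The ID / ID_LIKE lookup and the extra init check discussed in this message, as an added example that is not part of the original message and not FreeIPA code. The function names, the `KNOWN_PLATFORMS` allow-list and the sample os-release texts are assumptions made for illustration; the point of the allow-list is that a value read from a file is never turned into a module name unless it is one of the expected ones.

```python
import shlex

# Assumption for this example: the platform modules that exist.
KNOWN_PLATFORMS = ("rhel", "fedora", "debian")
# Path quoted in the message above.
SYSTEMD_INIT = "/usr/lib/systemd/systemd"

# Constructed sample inputs (not copied from real systems).
RHEL = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\n'
CENTOS = 'NAME="CentOS Linux"\nID="centos"\nID_LIKE="rhel fedora"\n'
RASPBIAN = "# constructed sample\nID=raspbian\nID_LIKE=debian\n"
HOSTILE = "ID=../../tmp/x\nID_LIKE=\n"


def parse_os_release(text):
    """Parse os-release(5) text into a dict; malformed lines are skipped."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            parts = shlex.split(value)  # strips shell-style quoting
        except ValueError:              # unbalanced quote: ignore the line
            continue
        info[key.strip()] = parts[0] if parts else ""
    return info


def candidate_ids(info):
    """ID first, then each ID_LIKE entry in the order the file lists them."""
    ids = [info.get("ID", "")] + info.get("ID_LIKE", "").split()
    return [ident for ident in ids if ident]


def resolve_platform(info, init_realpath=None, known=KNOWN_PLATFORMS):
    """Return the first candidate that is on the allow-list.

    init_realpath is what os.path.realpath('/sbin/init') returned on the
    host; it is a parameter so the logic can be exercised offline.
    """
    for ident in candidate_ids(info):
        if ident in known:
            platform = ident
            break
    else:
        raise LookupError(
            "no supported platform among %r" % (candidate_ids(info),))
    if (platform == "debian" and init_realpath is not None
            and init_realpath != SYSTEMD_INIT):
        platform = "debian_sysvinit"
    return platform


def module_name(info, init_realpath=None):
    """Module to import, built only from an allow-listed identifier."""
    return "ipaplatform." + resolve_platform(info, init_realpath)


if __name__ == "__main__":
    for label, text in (("rhel", RHEL), ("centos", CENTOS),
                        ("raspbian", RASPBIAN)):
        print(label, "->", module_name(parse_os_release(text)))
```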




Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Timo Aaltonen
On 21.11.2016 11:32, Christian Heimes wrote:
> On 2016-11-21 10:26, Jan Cholasta wrote:
>> On 11.11.2016 18:28, Christian Heimes wrote:
>>> On 2016-11-11 17:46, Martin Basti wrote:


>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> I have released the first version of a new design document. It
>>>>> describes
>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>>>
>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>
>>>>> Regards,
>>>>> Christian
>>>>>
>>>>>
>>>>>
>>>>
>>>> Hello, I have a few questions:
>>>>
>>>> 1) dynamic platform files
>>>>
>>>> Currently all RHEL/fedora-derived platforms work with the same
>>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>>> platform files, do you want to keep mappings between platforms and
>>>> platform file? What about distributions that have in /etc/release
>>>> just mess?
>>>
>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>> involved. If a distribution has no /etc/os-release or a messed up
>>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>>> common standard and all relevant distributions support this standard.
>>>
>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>
>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>
>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>> -> ipaplatform.rhel
>>>
>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>
>> There is more to ipaplatform than /etc/os-release offers. How do you
>> differentiate between e.g. "Debian with SysV init" and "Debian with
>> systemd"?
> 
> Timo,
> 
> do you support FreeIPA on Debian variants with SysV init?

No, it shouldn't be possible to run it with SysV either because at least
389 depends on systemd and doesn't ship sysvinit scripts.


-- 
t




[Freeipa-devel] [freeipa PR#223][synchronized] LDAP refactoring: remove admin_conn

2016-11-21 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/223
Author: tomaskrizek
 Title: #223: LDAP refactoring: remove admin_conn
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/223/head:pr223
git checkout pr223
From bedcc0dcc2e51164cb02a97c4ef6942d6cf6bbbd Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 9 Nov 2016 12:53:14 +0100
Subject: [PATCH 1/3] services: replace admin_conn with api.Backend.ldap2

Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.

https://fedorahosted.org/freeipa/ticket/6461
---
 install/tools/ipa-adtrust-install|  6 +--
 ipaserver/install/adtrustinstance.py | 79 +---
 ipaserver/install/bindinstance.py| 10 ++--
 ipaserver/install/cainstance.py  | 22 -
 ipaserver/install/dnskeysyncinstance.py  |  6 +--
 ipaserver/install/dogtaginstance.py  | 16 +++
 ipaserver/install/dsinstance.py  | 18 
 ipaserver/install/httpinstance.py|  9 ++--
 ipaserver/install/kra.py |  7 +--
 ipaserver/install/krbinstance.py | 13 +++---
 ipaserver/install/odsexporterinstance.py |  4 +-
 ipaserver/install/opendnssecinstance.py  |  6 +--
 ipaserver/install/service.py | 44 --
 13 files changed, 120 insertions(+), 120 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8eed519..8b75d5c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -411,7 +411,7 @@ def main():
 try:
 # Search only masters which have support for domain levels
 # because only these masters will have SSSD recent enough to support AD trust agents
-entries_m, _truncated = smb.admin_conn.find_entries(
+entries_m, _truncated = api.Backend.ldap2.find_entries(
 filter="(&(objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*))",
 base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
 except errors.NotFound:
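Review bot: This `find_entries` call in `main()` used to take its connection from the `smb` instance and now uses the global `api.Backend.ldap2`, so it silently depends on that backend already being connected at this point in the tool. The commit message says `admin_conn` is only an alias, which covers the instance methods; for the script, please confirm where the connection is established before this block, or check `api.Backend.ldap2.isconnected()` and fail with a clear message. The same applies to the two further call sites in `main()` below.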
@@ -421,7 +421,7 @@ def main():
print(unicode(e))
 
 try:
-   entries_a, _truncated = smb.admin_conn.find_entries(
+   entries_a, _truncated = api.Backend.ldap2.find_entries(
filter="", base_dn=agents_dn, attrs_list=['member'],
scope=ldap.SCOPE_BASE)
 except errors.NotFound:
@@ -470,7 +470,7 @@ def main():
 # Add the CIFS and host principals to the 'adtrust agents' group
 # as 389-ds only operates with GroupOfNames, we have to use
 # the principal's proper dn as defined in self.cifs_agent
-service.add_principals_to_group(smb.admin_conn, agents_dn, "member",
+service.add_principals_to_group(api.Backend.ldap2, agents_dn, "member",
 [x[1] for x in new_agents])
 print("""
 WARNING: you MUST restart (e.g. ipactl restart) the following IPA masters in order
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index cab5a72..632052a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -200,7 +200,7 @@ def __add_admin_sids(self):
 admin_group_dn = DN(('cn', 'admins'), api.env.container_group,
 self.suffix)
 try:
-dom_entry = self.admin_conn.get_entry(self.smb_dom_dn)
+dom_entry = api.Backend.ldap2.get_entry(self.smb_dom_dn)
 except errors.NotFound:
 self.print_msg("Samba domain object not found")
 return
@@ -211,13 +211,13 @@ def __add_admin_sids(self):
 return
 
 try:
-admin_entry = self.admin_conn.get_entry(admin_dn)
+admin_entry = api.Backend.ldap2.get_entry(admin_dn)
 except errors.NotFound:
 self.print_msg("IPA admin object not found")
 return
 
 try:
-admin_group_entry = self.admin_conn.get_entry(admin_group_dn)
+admin_group_entry = api.Backend.ldap2.get_entry(admin_group_dn)
 except errors.NotFound:
 self.print_msg("IPA admin group object not found")
 return
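Review bot: Readability point for `__add_admin_sids()`: after the replacement the method spells out `api.Backend.ldap2` for the two `get_entry` calls here, for the one in the hunk above and again for `modify_s` below. Binding it once at the top of the method, e.g. `conn = api.Backend.ldap2`, keeps the lines short and makes it obvious that all four operations use the same connection.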
@@ -226,9 +226,10 @@ def __add_admin_sids(self):
 self.print_msg("Admin SID already set, nothing to do")
 else:
 try:
-self.admin_conn.modify_s(admin_dn, \
-[(ldap.MOD_ADD, "objectclass", self.OBJC_USER), \
- (ldap.MOD_ADD, self.ATTR_SID, dom_sid + "-500")])
+api.Backend.ldap2.modify_s(
+admin_dn,
+[(ldap.MOD_ADD, "objectclass", self.OBJC_USER),
+

[Freeipa-devel] [freeipa PR#212][+ack] KRA: don't add KRA container when KRA replica

2016-11-21 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica

Label: +ack

[Freeipa-devel] [freeipa PR#212][comment] KRA: don't add KRA container when KRA replica

2016-11-21 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/212
Title: #212: KRA: don't add KRA container when KRA replica

stlaz commented:
"""
ACK, works on both DLs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/212#issuecomment-261890178

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 21.11.2016 10:32, Christian Heimes wrote:

> On 2016-11-21 10:26, Jan Cholasta wrote:
>> On 11.11.2016 18:28, Christian Heimes wrote:
>>> On 2016-11-11 17:46, Martin Basti wrote:
>>>>
>>>>
>>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> I have released the first version of a new design document. It
>>>>> describes
>>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>>>
>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>
>>>>> Regards,
>>>>> Christian
>>>>>
>>>>
>>>> Hello, I have a few questions:
>>>>
>>>> 1) dynamic platform files
>>>>
>>>> Currently all RHEL/fedora-derived platforms work with the same
>>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>>> platform files, do you want to keep mappings between platforms and
>>>> platform file? What about distributions that have in /etc/release
>>>> just mess?
>>>
>>> I don't use /etc/releases but /etc/os-release. There is no mapping
>>> involved. If a distribution has no /etc/os-release or a messed up
>>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>>> common standard and all relevant distributions support this standard.
>>>
>>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>>
>>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>>
>>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>>> -> ipaplatform.rhel
>>>
>>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>>> ID_LIKE=debian -> error, soon ipaplatform.debian
>>
>> There is more to ipaplatform than /etc/os-release offers. How do you
>> differentiate between e.g. "Debian with SysV init" and "Debian with
>> systemd"?
>
> Timo,
>
> do you support FreeIPA on Debian variants with SysV init?


This is not an issue of what is supported now, but rather what is 
supportable in the future. Even if Debian with SysV init is not 
supported ATM, someone might want to add support for it in the future, 
and the design should not prevent them from doing so.


--
Jan Cholasta



[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

tiran commented:
"""
thx @mbasti-rh . I took care of it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-261889771

[Freeipa-devel] [freeipa PR#258][synchronized] Break ipaplatform / ipalib import cycle of hell

2016-11-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/258
Author: tiran
 Title: #258: Break ipaplatform / ipalib import cycle of hell
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/258/head:pr258
git checkout pr258
From 1896b0da9c6a1eb748232898686c68977fb753ed Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 18 Nov 2016 15:42:23 +0100
Subject: [PATCH] Break ipaplatform / ipalib import cycle of hell

Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes 
---
 ipaclient/install/client.py|  8 
 ipaclient/ntpconf.py   | 11 ++-
 ipaplatform/base/services.py   | 22 +++---
 ipaplatform/fedora/services.py | 10 +-
 ipaplatform/redhat/services.py | 29 ++---
 ipaplatform/redhat/tasks.py|  4 ++--
 ipaplatform/rhel/services.py   | 10 +-
 ipaserver/install/adtrustinstance.py   |  6 +++---
 ipaserver/install/bindinstance.py  |  2 +-
 ipaserver/install/dns.py   |  2 +-
 ipaserver/install/httpinstance.py  |  4 ++--
 ipaserver/install/installutils.py  |  2 +-
 ipaserver/install/ipa_restore.py   |  2 +-
 ipaserver/install/opendnssecinstance.py|  2 +-
 ipaserver/install/server/replicainstall.py |  2 +-
 ipaserver/install/server/upgrade.py| 10 +-
 ipaserver/install/service.py   |  2 +-
 ipaserver/install/upgradeinstance.py   |  3 ++-
 ipaserver/plugins/dns.py   |  2 +-
 ipaserver/plugins/server.py|  2 +-
 20 files changed, 72 insertions(+), 63 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index b24a989..d18d8bb 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2822,7 +2822,7 @@ def _install(options):
 root_logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
 
 if options.sssd:
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 try:
 sssd.restart()
 except CalledProcessError:
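Review bot: `services.service('sssd', api)` passes the new argument positionally, and nothing in the visible part of the patch documents what the second parameter of `services.service()` must be. Please pass it by keyword and describe the parameter in the function's docstring, so a reader of `_install()` does not have to open ipaplatform to learn what is expected. The same applies to the three identical call sites in `uninstall()` below.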
@@ -3139,7 +3139,7 @@ def uninstall(options):
 
 root_logger.info(
 "IPA domain removed from current one, restarting SSSD service")
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 try:
 sssd.restart()
 except CalledProcessError:
@@ -3153,7 +3153,7 @@ def uninstall(options):
 "Other domains than IPA domain found, IPA domain was removed "
 "from /etc/sssd/sssd.conf.")
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 try:
 sssd.restart()
 except CalledProcessError:
@@ -3172,7 +3172,7 @@ def uninstall(options):
 "Redundant SSSD configuration file "
 "/etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted")
 
-sssd = services.service('sssd')
+sssd = services.service('sssd', api)
 try:
 sssd.stop()
 except CalledProcessError:
diff --git a/ipaclient/ntpconf.py b/ipaclient/ntpconf.py
index 9a7db65..c78f807 100644
--- a/ipaclient/ntpconf.py
+++ b/ipaclient/ntpconf.py
@@ -16,11 +16,12 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 #
+import os
+import shutil
 
+from ipalib import api
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
-import shutil
-import os
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
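Review bot: `from ipalib import api` at module level means the helpers in ntpconf.py hand the process-wide API object to `services.service()`, so a caller that works with its own API instance cannot supply it. If the aim of the change is to make the dependency explicit, consider letting `check_timedate_services()`, `force_ntpd()` and `restore_forced_ntpd()` take the api object as a parameter. The move of `import os` and `import shutil` is unrelated cleanup and would be easier to review as a separate commit.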
@@ -189,7 +190,7 @@ def check_timedate_services():
 if service == 'ntpd':
 continue
 # Make sure that the service is not enabled
-instance = services.service(service)
+instance = services.service(service, api)
 if instance.is_enabled() or instance.is_running():
 raise NTPConflictingService(conflicting_service=instance.service_name)
 
@@ -201,7 +202,7 @@ def force_ntpd(statestore):
 for service in services.timedate_services:
 if service == 'ntpd':
 continue
-instance = services.service(service)
+instance = services.service(service, api)
 enabled = instance.is_enabled()
 running = instance.is_running()
 
@@ -224,7 +225,7 @@ def restore_forced_ntpd(statestore):
 if service == 'ntpd':
 continue
 if statestore.has_state(service):
-

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Christian Heimes
On 2016-11-21 10:26, Jan Cholasta wrote:
> On 11.11.2016 18:28, Christian Heimes wrote:
>> On 2016-11-11 17:46, Martin Basti wrote:
>>>
>>>
>>> On 11.11.2016 15:25, Christian Heimes wrote:
>>>> Hello,
>>>>
>>>> I have released the first version of a new design document. It
>>>> describes
>>>> how I'm going to improve integration of FreeIPA's client libraries
>>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>>
>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>
>>>> Regards,
>>>> Christian



>>>
>>> Hello, I have a few questions:
>>>
>>> 1) dynamic platform files
>>>
>>> Currently all RHEL/fedora-derived platforms work with the same
>>> rhel/fedora packages. How do you want to achieve this with dynamic
>>> platform files, do you want to keep mappings between platforms and
>>> platform file? What about distributions that have in /etc/release
>>> just mess?
>>
>> I don't use /etc/releases but /etc/os-release. There is no mapping
>> involved. If a distribution has no /etc/os-release or a messed up
>> /etc/os-release, then it needs to be fixed by the distribution. It's a
>> common standard and all relevant distributions support this standard.
>>
>> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>>
>> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>>
>> CentOS has ID=centos and ID_LIKE="rhel fedora"
>> -> ipaplatform.rhel
>>
>> Even my Raspberry has an /etc/os-release with ID=raspbian and
>> ID_LIKE=debian -> error, soon ipaplatform.debian
> 
> There is more to ipaplatform than /etc/os-release offers. How do you
> differentiate between e.g. "Debian with SysV init" and "Debian with
> systemd"?

Timo,

do you support FreeIPA on Debian variants with SysV init?

Christian





[Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

tiran commented:
"""
Back to  ```parse_version```!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/254#issuecomment-261886678

[Freeipa-devel] [freeipa PR#254][edited] Replace LooseVersion with pkg_resource.parse_version

2016-11-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
 Title: #254: Replace LooseVersion with pkg_resource.parse_version
Action: edited

 Changed field: title
Original value:
"""
Replace LooseVersion with parse_ipa_version()
"""


[Freeipa-devel] [freeipa PR#254][synchronized] Replace LooseVersion with parse_ipa_version()

2016-11-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/254
Author: tiran
 Title: #254: Replace LooseVersion with parse_ipa_version()
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/254/head:pr254
git checkout pr254
From afd3511aae0d7489dad69b9520fc7384f71b6f52 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 21 Nov 2016 10:24:17 +0100
Subject: [PATCH] Replace LooseVersion with pkg_resources.parse_version

pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.

https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity.

ipaserver.install.krbinstance parses package version. I changed the module
to use tasks.parse_ipa_version().

Signed-off-by: Christian Heimes 
---
 ipaclient/remote_plugins/compat.py | 13 ++---
 ipalib/capabilities.py |  6 +++---
 ipalib/frontend.py | 16 +---
 ipalib/plugable.py |  7 +++
 ipaserver/install/krbinstance.py   |  6 +++---
 ipaserver/install/server/replicainstall.py | 10 +-
 6 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/ipaclient/remote_plugins/compat.py b/ipaclient/remote_plugins/compat.py
index 984eecd..20304fb 100644
--- a/ipaclient/remote_plugins/compat.py
+++ b/ipaclient/remote_plugins/compat.py
@@ -2,12 +2,12 @@
 # Copyright (C) 2016  FreeIPA Contributors see COPYING for license
 #
 
-from distutils.version import LooseVersion
 import importlib
 import os
 import re
 import sys
 
+from pkg_resources import parse_version
 import six
 
 from ipaclient.frontend import ClientCommand, ClientMethod
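Review bot: The new `from pkg_resources import parse_version` makes setuptools a runtime import of the client plugin loader, yet the diffstat touches only the six Python modules and no packaging metadata. Please declare the dependency where the packages' requirements are listed, and say in the commit message that pkg_resources is now needed at run time and not only at build time.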
@@ -58,7 +58,7 @@ def get_package(server_info, client):
 server_info['version'] = server_version
 server_info.update_validity()
 
-server_version = LooseVersion(server_version)
+server_version = parse_version(server_version)
 
 package_names = {}
 base_name = __name__.rpartition('.')[0]
@@ -66,15 +66,14 @@ def get_package(server_info, client):
 for name in os.listdir(base_dir):
 package_dir = os.path.join(base_dir, name)
 if name.startswith('2_') and os.path.isdir(package_dir):
-package_version = name.replace('_', '.')
+package_version = parse_version(name.replace('_', '.'))
 package_names[package_version] = '{}.{}'.format(base_name, name)
 
 package_version = None
-for version in sorted(package_names, key=LooseVersion):
-if (package_version is None or
-LooseVersion(package_version) < LooseVersion(version)):
+for version in sorted(package_names):
+if package_version is None or package_version < version:
 package_version = version
-if LooseVersion(version) >= server_version:
+if version >= server_version:
 break
 
 package_name = package_names[package_version]
diff --git a/ipalib/capabilities.py b/ipalib/capabilities.py
index 7ddaea2..7c1ab39 100644
--- a/ipalib/capabilities.py
+++ b/ipalib/capabilities.py
@@ -25,7 +25,7 @@
 versions they were introduced in.
 """
 
-from distutils import version
+from pkg_resources import parse_version
 
 VERSION_WITHOUT_CAPABILITIES = u'2.51'
 
@@ -64,6 +64,6 @@ def client_has_capability(client_version, capability):
 :param client_version: The API version string reported by the client
 """
 
-version_tuple = version.LooseVersion(client_version)
+version = parse_version(client_version)
 
-return version_tuple >= version.LooseVersion(capabilities[capability])
+return version >= parse_version(capabilities[capability])
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index c94d174..0815427 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -20,9 +20,7 @@
 """
 Base classes for all front-end plugins.
 """
-
-from distutils import version
-
+from pkg_resources import parse_version
 import six
 
 from ipapython.version import API_VERSION
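Review bot: Style point on the import block: the hunk removes both blank lines around the old `distutils` import, so `from pkg_resources import parse_version` now follows the closing `"""` of the module docstring directly. Keep one blank line between the docstring and the first import.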
@@ -770,16 +768,20 @@ def verify_client_version(self, client_version):
 If the client minor version is less than or equal to the server
 then let the request proceed.
 """
-server_ver = version.LooseVersion(API_VERSION)
-ver = version.LooseVersion(client_version)
+server_ver = parse_version(API_VERSION)
+ver = parse_version(client_version)
 if len(ver.version) < 2:
-raise VersionError(cver=ver.version, sver=server_ver.version, server= self.env.xmlrpc_uri)
+raise VersionError(cver=ver.version,
+   sver=server_ver.version,
+   server= self.env.xmlrpc_uri)
 client_major = ver.version[0]
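Review bot: In the re-wrapped `VersionError(...)` call the last keyword is still written `server= self.env.xmlrpc_uri`, with a space after the `=`. Since the line is being reformatted anyway, make it `server=self.env.xmlrpc_uri` to match the two keywords above it.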
 
 

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Jan Cholasta

On 11.11.2016 18:28, Christian Heimes wrote:

> On 2016-11-11 17:46, Martin Basti wrote:
>>
>>
>> On 11.11.2016 15:25, Christian Heimes wrote:
>>> Hello,
>>>
>>> I have released the first version of a new design document. It describes
>>> how I'm going to improve integration of FreeIPA's client libraries
>>> (ipalib, ipapython, ipaclient, ipaplatform) for third party developers.
>>>
>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>
>>> Regards,
>>> Christian
>>>
>>
>> Hello, I have a few questions:
>>
>> 1) dynamic platform files
>>
>> Currently all RHEL/fedora-derived platforms work with the same
>> rhel/fedora packages. How do you want to achieve this with dynamic
>> platform files, do you want to keep mappings between platforms and
>> platform file? What about distributions that have in /etc/release just mess?
>
> I don't use /etc/releases but /etc/os-release. There is no mapping
> involved. If a distribution has no /etc/os-release or a messed up
> /etc/os-release, then it needs to be fixed by the distribution. It's a
> common standard and all relevant distributions support this standard.
>
> RHEL has ID=rhel and no ID_LIKE -> ipaplatform.rhel
>
> Fedora has ID=fedora and no ID_LIKE -> ipaplatform.fedora
>
> CentOS has ID=centos and ID_LIKE="rhel fedora"
> -> ipaplatform.rhel
>
> Even my Raspberry has an /etc/os-release with ID=raspbian and
> ID_LIKE=debian -> error, soon ipaplatform.debian

There is more to ipaplatform than /etc/os-release offers. How do you
differentiate between e.g. "Debian with SysV init" and "Debian with
systemd"?

>> 2) if I understand correctly, you want to separate client installer code
>> and client CLI code. In past we had freeipa-admintools but it was
>> removed because it was really tightly bounded to installed client. Do
>> you want to revive it and make it independent?
>
> My proposal does not affect distribution packaging (rpm, deb) at all. It
> is purely about Python packaging.
>
> The client installer and client CLI code are already separated. The
> Python wheels will only contain what 'python setup.py bdist_wheel' spits
> out for ipaclient, ipalib, ipaplatform and ipapython. The 'ipa' CLI is
> part of the ipaclient Python package.
>
>> 3) why instead of environ variable we cannot have specified paths with
>> priority where IPA config can be located?
>> For example:
>> 1) ./.ipa.conf
>> 2) ~/.ipa.conf
>> 3) /etc/ipa/default.conf  <-- as last resort
>
> For Ansible, testing etc. I need an arbitrary amount of config
> *directories* and full control. I don't like the idea that the current
> working directory affects how commands work. It has too many security
> implications, e.g. we have to verify that the file belongs to the
> current user. The check must be TOCTOU safe, too. Env vars are easier to
> control, more secure and less fragile.
>
> Christian






--
Jan Cholasta
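
What the quoted reply above means by an ownership check that is "TOCTOU safe", as an added example that is not part of the thread and not FreeIPA code. The function names, the exception class and the rule that group- or world-writable files are refused are assumptions made for illustration; the racy variant is shown only for contrast.

```python
import os
import stat


class UnsafeConfigError(Exception):
    """The config file failed the ownership or permission check."""


def read_config_racy(path, uid):
    """Check-then-use, for contrast: do not use.

    os.stat() and open() each resolve `path` on their own, so the file
    that was checked and the file that is read can differ if the path
    is replaced in between.
    """
    st = os.stat(path)
    if st.st_uid != uid:
        raise UnsafeConfigError("not owned by uid %d" % uid)
    with open(path, encoding="utf-8") as f:
        return f.read()


def read_owned_config(path, uid=None):
    """Open once, then check and read through the same file descriptor.

    O_NOFOLLOW refuses a symlink as the final path component (it does
    not protect the parent directories); O_NONBLOCK keeps open() from
    hanging if the path is a FIFO, which the S_ISREG test then rejects.
    """
    if uid is None:
        uid = os.geteuid()
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as e:
        raise UnsafeConfigError("cannot open %s: %s" % (path, e.strerror))
    try:
        st = os.fstat(fd)  # describes the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeConfigError("%s is not a regular file" % path)
        if st.st_uid != uid:
            raise UnsafeConfigError("%s is not owned by uid %d" % (path, uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeConfigError("%s is writable by group or others" % path)
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks).decode("utf-8")
    finally:
        os.close(fd)


if __name__ == "__main__":
    import tempfile

    # Constructed sample config, written to a private temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "default.conf")
        with open(conf, "w") as f:
            f.write("[global]\nrealm = EXAMPLE.TEST\n")
        os.chmod(conf, 0o600)
        print(read_owned_config(conf))
```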



[Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

jcholast commented:
"""
Reopened 6490.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/247#issuecomment-261881844

[Freeipa-devel] [freeipa PR#259][comment] Minor fixes for IPAVersion class

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/259
Title: #259: Minor fixes for IPAVersion class

tiran commented:
"""
I pulled the fix from PR #254
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/259#issuecomment-261881543

[Freeipa-devel] [freeipa PR#259][opened] Minor fixes for IPAVersion class

2016-11-21 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/259
Author: tiran
 Title: #259: Minor fixes for IPAVersion class
Action: opened

PR body:
"""
Py3: classes with __eq__ must provide __hash__ function or set __hash__
to None.
Comparison functions like __eq__ must signal unsupported types by
returning NotImplemented. Python turns this into a proper TypeError.
Make the version member read-only and cache _bytes representation.

https://fedorahosted.org/freeipa/ticket/6473

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/259/head:pr259
git checkout pr259
From d9d55de476d0a0ca152f7825b7e4f921b5461728 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 18 Nov 2016 12:24:09 +0100
Subject: [PATCH] Minor fixes for IPAVersion class

Py3: classes with __eq__ must provide __hash__ function or set __hash__
to None.
Comparison functions like __eq__ must signal unsupported types by
returning NotImplemented. Python turns this into a proper TypeError.
Make the version member read-only and cache _bytes representation.

https://fedorahosted.org/freeipa/ticket/6473

Signed-off-by: Christian Heimes 
---
 ipaplatform/redhat/tasks.py | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index dbe005a..5d627be 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -83,20 +83,26 @@ def selinux_enabled():
 class IPAVersion(object):
 
 def __init__(self, version):
-self.version = version
+self._version = version
+self._bytes = version.encode('utf-8')
 
 @property
-def _bytes(self):
-return self.version.encode('utf-8')
+def version(self):
+return self._version
 
 def __eq__(self, other):
-assert isinstance(other, IPAVersion)
+if not isinstance(other, IPAVersion):
+return NotImplemented
 return _librpm.rpmvercmp(self._bytes, other._bytes) == 0
 
 def __lt__(self, other):
-assert isinstance(other, IPAVersion)
+if not isinstance(other, IPAVersion):
+return NotImplemented
 return _librpm.rpmvercmp(self._bytes, other._bytes) < 0
 
+def __hash__(self):
+return hash(self._version)
+
 
 class RedHatTaskNamespace(BaseTaskNamespace):
 
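Review bot: The added `__hash__` returns `hash(self._version)`, while `__eq__` decides equality with `_librpm.rpmvercmp(self._bytes, other._bytes) == 0`, so hashing and equality are not derived from the same notion of identity. Whenever rpmvercmp returns 0 for two different strings (it ignores leading zeros in numeric segments, so "4.4.01" and "4.4.1" compare equal), the two objects are equal yet hash differently, which breaks the rule that a == b implies hash(a) == hash(b) and makes set membership and dict lookups on IPAVersion unreliable. Either set `__hash__ = None`, which the commit message already names as an option, or hash a normalized form that matches what rpmvercmp compares. Separately, `_bytes` is now computed in `__init__` via `version.encode('utf-8')`, so a non-string argument fails at construction rather than at first comparison; a short docstring stating the expected type would make that explicit.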

[Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

tiran commented:
"""
@jcholast Please open a ticket.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/247#issuecomment-261879797

[Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/247
Title: #247: Add 'ipa local-env' subcommand

jcholast commented:
"""
Sorry, but this is wrong. `ipa env` is supposed to return local settings unless 
run with `--server`. Why was it not fixed instead of adding a new redundant 
command?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/247#issuecomment-261878779

[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, 
xmlrpc_uri, ldap_uri

jcholast commented:
"""
Actually it should be created from domain name, which is the primary identifier 
of an IPA domain, not from realm name.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/113#issuecomment-261875920

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-11-21 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

mbasti-rh commented:
"""
@jcholast I know, but it doesn't fill `metavar` with choices. I don't know when 
we will migrate to argparse, so I think until then we can extend it to show 
choices with optparse too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-261874595

[Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN

2016-11-21 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/245
Title: #245: Allow full customisability of IPA CA subject DN

tiran commented:
"""
@frasertweedale I don't have a clue, either. Let's ignore the message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/245#issuecomment-261874375

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-11-21 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

jcholast commented:
"""
@mbasti-rh: `knob()` already handles choices, it's the built-in `optparse` 
module which does not display them. Once the installer code is migrated to 
`argparse`, this problem will go away.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-261873288