[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-11-24 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 773304e4f3b68da29251fd0f4971aee936d93020 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 23 +-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
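Review bot: PEM_REGEX changes meaning in this hunk, from a lookaround match that returned only the base64 body between the markers to one whose matches include the BEGIN/END CERTIFICATE marker text itself. The constant is module-level, so every existing `PEM_REGEX.findall()` caller, not just the new pkcs7_to_pems, now receives full PEM blocks instead of bare bodies; check those callers (load_certificate_list, visible in the next hunk's context, is the obvious candidate) and confirm they pass the result through a loader that strips the header, otherwise they will try to base64-decode the marker lines.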
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
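Review bot: in pkcs7_to_pems the `datatype` argument is accepted silently: anything that is not PEM is handed to openssl as `-inform DER`, so a wrong constant would not be caught and would only surface as a CalledProcessError on valid input. Consider `if datatype not in (PEM, DER): raise ValueError(...)` at the top, and extend the docstring to describe `data` (the raw PKCS #7 object written unchanged to openssl's stdin) and `datatype` (`x509.PEM` or `x509.DER`), since the docstring currently documents neither parameter.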
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..a3c8e95 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -272,13 +272,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-paths.OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -290,7 +285,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
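Review bot: if `x509.pkcs7_to_pems(body)` succeeds but returns an empty list (openssl accepted the blob but found no certificates in it), the `else` branch still appends only `'\n'` to extracted_certs and sets `loaded = True`, so the file is reported as loaded although nothing was imported. Consider an `if not certs:` check that logs a warning the way the CalledProcessError branch does, so an empty PKCS #7 bundle is not silently treated as success.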
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 26755ee..a7c740d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -743,44 +743,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = 
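Review bot: the comment "now we have all the certificates in certs, walk through it and pull out each certificate" still describes the removed string-scanning loop (the `st`/`en`/`find` code deleted in this hunk); now that `certlist` is already a list of PEM strings returned by pkcs7_to_pems, update the comment to say so and name the actual variable. Also check whether `tempfile` and `os` remain used in this module once the mkstemp/os.write block goes away with the loop, so the import list does not carry dead entries.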

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-11-24 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@tomaskrizek thanks for reviewing.  Updated tests and changed the 
`--certificate-out` metavar to `FILE`. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-262872744
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Gabe Alford
On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti  wrote:

>
>
> On 24.11.2016 16:11, Gabe Alford wrote:
>
> On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti  wrote:
>
>>
>>
>> On 24.11.2016 07:06, David Kupka wrote:
>>
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>
 I would say that it is worth keeping in FreeIPA. I know myself and some
 customers use its functionality by having the clients sync to the IPA
 servers and have the servers sync to the NTP source. This way if the NTP
 source ever gets disrupted for long periods of time (which has happened
 in
 my environment) the client time drifts with the authentication source.
 This
 is the way that AD often works and is configured.

>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth. Also
>>> I understand that it's comfortable to let FreeIPA installer take care of it.
>>> But I don't think FreeIPA should do it IMO this is job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA installer
>>> makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>> redundancy
>>>
>>
> Why not have NTP look at a _srv_records?
>
>
> Do ntpclients support this natively?  I just found some ugly hacks for
> chrony, i.e extra service that is dynamically changing config file.
> But yes this may be way too, but dirty.
>
>
You are right. It is ugly. I wonder if we can push to make it not so
ugly so that _srv_ is used for both Chrony and NTP which IMO makes those
two products better. If not and the desire is truly to get rid of
chrony/ntp configuration on the client side, what about adding Chrony and
NTP configuration to ipa-advise?


>
>
>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients
>>> will be able to contact KDC on the other server thanks to DNS autodiscovery
>>> in libkrb5 but will be unable to synchronize time.
>>>
>>>
>> This can be resolved by DHCP configured NTP. When NTP server changed, you
>> just change DHCPd config and hosts conf will be synced.
>> We may keep NTP on IPA server side configured, but I'm voting for
>> removing it from clients and document+endorse people to use DHCP (anyway
>> distros have always enabled some time synchronization so it should
>> naturally work without even in small deployments)
>>
>
> If NTP is still configured on the IPA server, this may be less of an
> issue. Not everyone has/is/will be using ansible. Also in secure
> environments, DHCP
> is not allowed/used at all.
>
>
>
>> Also NTP is somehow incompatible with containers, usually containers have
>> time synchronized from host, and by default IPA client container don't do
>> NTP configuration.
>>
>
> Isn't that what the --no-ntp option in the client is for anyway?
>
>
>>
>> Let deprecate it in 4.5
>>
>> Martin^2
>>
>>
>>
>>
 On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta 
 wrote:

 On 22.11.2016 13:06, Petr Spacek wrote:
>
> On 22.11.2016 12:15, David Kupka wrote:
>>
>> Hello everyone!
>>>
>>> Is it worth to keep configuring NTP in FreeIPA?
>>>
>>> In usual environment there're no special requirements for time
>>> synchronization
>>> and the distribution default (be it ntpd, chrony or anything else)
>>> will
>>> just
>>> work. Any tampering with the configuration can't make it any better.
>>>
>>> In environment with special requirements (network disconnected from
>>> public
>>> internet, nodes disconnected from topology for longer time, ...) time
>>> synchronization must be taken care of accordingly by system
>>> administrator and
>>> FreeIPA simply can't help here.
>>>
>>> Also there are problems and weird behavior with the current FreeIPA
>>> installers:
>>>
>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the
>>> ones
>>> specified by user or resolved from DNS. If none were provided nor
>>> resolved the
>>> FreeIPA server specified/resolved during installation it used. This
>>> leads in
>>> just single server in the configuration and no time synchronization
>>> when
>>> this
>>> server is down/decommissioned.
>>>
>>> * ipa-client-install replaces the NTP configuration. If there was any
>>> parts
>>> previously edited by system administrator it's lost.
>>>
>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to
>>> /etc/ntp.conf.
>>> What's the point in doing that? These servers're already in the
>>> configuration
>>> file installed with ntp package.
>>>
>>> I have NTP-related 

[Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3

2016-11-24 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
 Title: #213: Build system refactoring phase 3
Action: edited

 Changed field: body
Original value:
"""
This monster patch-set refactors most of build system and moves most of the 
logic from SPEC file to build system.

It is not yet complete, missing parts are:
- [ ] Python 3 support
- [ ] Client-only build is not supported
- [x] IPA_VERSION_IS_GIT_SNAPSHOT does not work (fix in #226)

These will be sorted out later on but the review of the patch set can begin.
"""


[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-24 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same 
time
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From bb1ac496aeb43c19af16a8281352eb701d9ebb6d Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.

After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python2/3 distinction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 146 +---
 1 file changed, 97 insertions(+), 49 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c683ad3..b472c18 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -267,6 +267,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
@@ -684,6 +715,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
 
 
 %build
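Review bot: `cp -r` in %prep does not preserve timestamps, so every file in the copied tree gets a fresh mtime in copy order; with Autotools that can make generated files (configure, Makefile.in) look older than their sources and trigger an unwanted autoreconf/automake rerun in the second build. `cp -a` (or `cp -rp`) keeps mtimes and modes intact and is the safer choice for a build-tree clone.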
@@ -691,9 +727,32 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 %make_build
 
+%if 0%{?with_python3}
+pushd %{_builddir}/freeipa-%{version}-python3
+export PYTHON=%{__python3}
+# Workaround: make sure all shebangs are pointing to Python 3
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+%configure --with-vendor-suffix=-%{release}
+popd
+%endif # with_python3
 
 %check
 %if ! %{ONLY_CLIENT}
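Review bot: the find/grep/sed shebang rewrite is duplicated verbatim for Python 2 and Python 3, differing only in the interpreter macro; a small shell function or a %define taking the interpreter as its argument would keep the two copies in sync and make the hack easier to delete later, as the comment promises. Separately, inside the pushd block the Python 3 tree is only `%configure`d and never built (`%make_build` runs only for the Python 2 tree in this hunk); unless %install runs make in `freeipa-%{version}-python3`, no Python 3 artifacts are produced, so please confirm where that build happens.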
@@ -712,16 +771,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # (These are typically configuration files created by IPA installer.)
 # All other artifacts 

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Petr Spacek
On 24.11.2016 17:14, Martin Basti wrote:
> If NTP is still configured on the IPA server, this may be less of an issue.
> Not everyone has/is/will be using ansible. Also in secure environments, DHCP
> is not allowed/used at all.

If DHCP is not good enough for your environment then you *must not* use
standard NTP, otherwise you just broke all the security.

Standard NTP is not more secure than DHCP.

-- 
Petr^2 Spacek



[Freeipa-devel] [freeipa PR#222][comment] Fix ipa-replica-install when upgrade from ca-less to ca-full

2016-11-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/222
Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full

tomaskrizek commented:
"""
Works just like expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/222#issuecomment-262819990

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
AFAIK the build won't run pylint twice with the correct Python version. You 
could replace the configure option for pylint and the pylint command with:

```
$(PYTHON) -m pylint
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-262817204

[Freeipa-devel] [freeipa PR#272][opened] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-24 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same 
time
Action: opened

PR body:
"""
Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.

After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python2/3 distinction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From 7ab796b3801290c9ffa6f313743148e748597803 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended me to copy the whole build directory and run
configure twice, with different values for PYTHON variable.

After thinking a bit about that, it seems as cleanest approach.
Building for two versions of Python at the same time should be
temporary state so I decided not to complicate Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python2/3 distinction in the two separate builds, I added
find/grep/sed combo which replaces shebangs with system-wide Python
interpreter as necessary. This is workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 146 +---
 1 file changed, 97 insertions(+), 49 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c683ad3..65fb67c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -267,6 +267,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
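Review bot: `Requires: python-pyldap >= 2.4.15` in the python3-ipaserver package names the Python 2 build of pyldap; every other dependency in this block uses the `python3-` prefix, so this should read `python3-pyldap >= 2.4.15`, otherwise the Python 3 server package installs without an LDAP binding it can import.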
@@ -684,6 +715,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
 
 
 %build
@@ -691,9 +727,32 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 %make_build
 
+%if 

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-11-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

tomaskrizek commented:
"""
Please update the xmlrpc tests to reflect the extra certificate attributes (~12 
failed tests in `test_xmlrpc/test_ca_plugin.py`, `test_caacl_plugin.py` and 
`test_caacl_profile_enforcement.py`).

There are also a couple tests failing with ACIError:

ACIError: Insufficient access: Principal 'srv/santest-host-1...' is not 
permitted to use CA 'default-profile-subca' with profile 'caIPAserviceCert' for 
certificate issuance.

I also found the `--certificate-out` option a bit confusing. At first I thought 
I should provide the certificate name to be exported. Perhaps the help text 
could be improved to make it clear the user should provide a file name?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-262813919

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Martin Basti



On 24.11.2016 16:11, Gabe Alford wrote:
On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti wrote:




On 24.11.2016 07:06, David Kupka wrote:

On 22/11/16 23:15, Gabe Alford wrote:

I would say that it is worth keeping in FreeIPA. I know
myself and some
customers use its functionality by having the clients sync
to the IPA
servers and have the servers sync to the NTP source. This
way if the NTP
source ever gets disrupted for long periods of time (which
has happened in
my environment) the client time drifts with the
authentication source. This
is the way that AD often works and is configured.


Hello Gabe,
I agree that it's common practice to synchronize all nodes in
network with single source in order to have the same time and
save bandwidth. Also I understand that it's comfortable to let
FreeIPA installer take care of it.
But I don't think FreeIPA should do it IMO this is job for
Ansible or similar tool. Also the problem is that in some
situations FreeIPA installer makes it worse.

Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase
redundancy


Why not have NTP look at a _srv_records?


Do ntpclients support this natively?  I just found some ugly hacks for 
chrony, i.e extra service that is dynamically changing config file.

But yes this may be way too, but dirty.



Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf.
If the first FreeIPA server becomes unreachable all clients
will be able to contact KDC on the other server thanks to DNS
autodiscovery in libkrb5 but will be unable to synchronize time.


This can be resolved by DHCP configured NTP. When NTP server
changed, you just change DHCPd config and hosts conf will be synced.
We may keep NTP on IPA server side configured, but I'm voting for
removing it from clients and document+endorse people to use DHCP
(anyway distros have always enabled some time synchronization so
it should naturally work without even in small deployments)


If NTP is still configured on the IPA server, this may be less of an 
issue. Not everyone has/is/will be using ansible. Also in secure 
environments, DHCP

is not allowed/used at all.

Also NTP is somehow incompatible with containers, usually
containers have time synchronized from host, and by default IPA
client container don't do NTP configuration.


Isn't that what the --no-ntp option in the client is for anyway?


Let deprecate it in 4.5

Martin^2




On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:

On 22.11.2016 13:06, Petr Spacek wrote:

On 22.11.2016 12:15, David Kupka wrote:

Hello everyone!

Is it worth to keep configuring NTP in FreeIPA?

In usual environment there're no special
requirements for time
synchronization
and the distribution default (be it ntpd,
chrony or anything else) will
just
work. Any tampering with the configuration
can't make it any better.

In environment with special requirements
(network disconnected from
public
internet, nodes disconnected from topology for
longer time, ...) time
synchronization must be taken care of
accordingly by system
administrator and
FreeIPA simply can't help here.

Also there are problems and weird behavior
with the current FreeIPA
installers:

* ipa-client-install replaces all servers in
/etc/ntp.conf with the ones
specified by user or resolved from DNS. If
none were provided nor
resolved the
FreeIPA server specified/resolved during
installation it used. This
leads in
just single server in the configuration and no
time synchronization when
this

[Freeipa-devel] [freeipa PR#211][comment] IPA Allows Password Reuse with History value defined when admin reset…

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/211
Title: #211: IPA Allows Password Reuse with History value defined when admin 
reset…

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c223130d5f429278202aaf8bf87af53911a3b448
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/211#issuecomment-262807431

[Freeipa-devel] [freeipa PR#211][closed] IPA Allows Password Reuse with History value defined when admin reset…

2016-11-24 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/211
Author: tbordaz
 Title: #211: IPA Allows Password Reuse with History value defined when admin 
reset…
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/211/head:pr211
git checkout pr211

[Freeipa-devel] [freeipa PR#211][+ack] IPA Allows Password Reuse with History value defined when admin reset…

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/211
Title: #211: IPA Allows Password Reuse with History value defined when admin 
reset…

Label: +ack

[Freeipa-devel] [freeipa PR#252][comment] Use namespace-aware meta importer for ipaplatform

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/252
Title: #252: Use namespace-aware meta importer for ipaplatform

martbab commented:
"""
Is this PR valid given that we discussed to remove ipaplatform dependency from 
client-side modules?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/252#issuecomment-262805720

Re: [Freeipa-devel] [Freeipa-users] ipalib authentication

2016-11-24 Thread Standa Laznicka

On 11/24/2016 04:27 PM, Adam Bishop wrote:

I'm writing a bit of code using ipalib directly, I'm a little stuck on 
authentication though.

It works fine if grab a Kerberos ticket with kinit then run the code 
interactively, but I'd like to run this as a daemon which makes maintaining a 
ticket tricky.

What other options are there for authenticating to the API, avoiding calling 
external tools like curl or kinit?

Regards,

Adam Bishop

   gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk




Hello Adam,

Nice to see someone interested in FreeIPA development. For questions 
about developing FreeIPA, feel free to contact other developers at 
freeipa-devel@redhat.com (in CC). You can also create a pull request on 
GitHub (https://github.com/freeipa/freeipa) if you'd like to share your 
code with the community.


As for your question, would it be feasible to use keytabs? Sure, you 
still have to perform kinit but there's no user action required (except 
for maintaining the keytab, of course).


Standa

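As a worked illustration of the keytab approach Standa suggests, here is an added example (not code from the thread participants or from the FreeIPA project) of a daemon that authenticates to ipalib from a keytab without ever running kinit. It relies on MIT Kerberos 1.11 or newer, where libkrb5 acquires the initial TGT from the client keytab named by KRB5_CLIENT_KTNAME on its own and refreshes it before expiry, plus python-gssapi and an enrolled host whose /etc/ipa/default.conf points ipalib at the server. The keytab path and the MEMORY: ccache name are placeholders chosen for the example; the permission check is included because a keytab is a long-term key and therefore password-equivalent.

```python
"""Daemon-style ipalib login from a keytab, without an interactive kinit.

Added example; not FreeIPA project code.  Assumes MIT Kerberos >= 1.11
(libkrb5 acquires and later refreshes a TGT from the keytab named by
KRB5_CLIENT_KTNAME by itself), python-gssapi, and an enrolled host whose
/etc/ipa/default.conf points ipalib at the server.
"""
import os
import stat
import tempfile

KEYTAB = "/etc/ipa/daemon.keytab"   # placeholder path, not a FreeIPA default


def keytab_environment(keytab, ccache="MEMORY:ipalib-daemon"):
    """Return the environment the daemon should run under.

    KRB5_CLIENT_KTNAME makes libkrb5 obtain the initial TGT from the keytab
    whenever GSSAPI needs initiator credentials, and refresh it when it is
    halfway to expiry, so no kinit loop is needed.  A MEMORY: ccache keeps
    the ticket inside the process instead of in a /tmp file that outlives it.
    """
    if not os.path.isabs(keytab):
        raise ValueError("keytab must be given as an absolute path")
    return {"KRB5_CLIENT_KTNAME": keytab, "KRB5CCNAME": ccache}


def keytab_is_private(path):
    """True if path is a regular file that group and others cannot read.

    A keytab holds a long-term key, i.e. it is password-equivalent, so the
    daemon refuses to start from one that other local users can read.
    """
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo_permission_check():
    """Constructed self-check: a 0600 file passes, the same file at 0644 fails."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        private = keytab_is_private(path)
        os.chmod(path, 0o644)
        shared = keytab_is_private(path)
    finally:
        os.unlink(path)
    return private, shared   # (True, False)


def credential_principal(keytab):
    """Acquire initiator credentials from the keytab via python-gssapi and
    return the principal they belong to.  Raises gssapi.exceptions.GSSError
    if the keytab is unreadable or the KDC cannot be reached."""
    import gssapi  # imported lazily so the helpers above run without it
    store = {"client_keytab": keytab,
             "ccache": os.environ.get("KRB5CCNAME", "MEMORY:ipalib-daemon")}
    creds = gssapi.Credentials(usage="initiate", store=store)
    return str(creds.name)


def connect_ipa(keytab=KEYTAB):
    """Bootstrap ipalib as a client and open the RPC connection.

    Every api.Command call made afterwards authenticates with the keytab
    credentials that libkrb5 acquired from KRB5_CLIENT_KTNAME.
    """
    if not keytab_is_private(keytab):
        raise PermissionError("%s is readable by other users; refusing" % keytab)
    os.environ.update(keytab_environment(keytab))
    from ipalib import api  # lazy: only present on an enrolled IPA host
    api.bootstrap(context="cli", in_server=False)
    api.finalize()
    api.Backend.rpcclient.connect()
    return api


if __name__ == "__main__":
    ipa = connect_ipa()
    print("authenticated as", credential_principal(KEYTAB))
    print(ipa.Command.ping())
```

Run it as the service account that owns the keytab; because libkrb5 handles renewal from the client keytab, the process only needs to be restarted when the keytab itself is rotated.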

[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8

2016-11-24 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
 Title: #263: Backwards compatibility with setuptools 0.9.8
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
From f8e6624c172eb1678f1160dae86b7e5b809fd2ab Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 22 Nov 2016 16:08:46 +0100
Subject: [PATCH] Backwards compatibility with setuptools 0.9.8

Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 31 +--
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index fac4b25..e844279 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -50,16 +50,27 @@ class build_py(setuptools_build_py):
 return setuptools_build_py.build_module(self, module,
 module_file, package)
 
+import setuptools
+
+VERSION = '@VERSION@'
+
+SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))
+
+# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix
+# PEP 440 was introduced in setuptools 8.
+if SETUPTOOLS_VERSION < (8, 0, 0):
+VERSION = VERSION.split('+')[0]
+
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
 'dnspython': 'dnspython >= 1.11.1',
 'gssapi': 'gssapi > 1.1.2',
-'ipaclient': 'ipaclient == @VERSION@',
-'ipalib': 'ipalib == @VERSION@',
-'ipaplatform': 'ipaplatform == @VERSION@',
-'ipapython': 'ipapython == @VERSION@',
-'ipaserver': 'ipaserver == @VERSION@',
+'ipaclient': 'ipaclient == {}'.format(VERSION),
+'ipalib': 'ipalib == {}'.format(VERSION),
+'ipaplatform': 'ipaplatform == {}'.format(VERSION),
+'ipapython': 'ipapython == {}'.format(VERSION),
+'ipaserver': 'ipaserver == {}'.format(VERSION),
 'kdcproxy': 'kdcproxy >= 0.3',
 'netifaces': 'netifaces >= 0.10.4',
 'python-nss': 'python-nss >= 0.16',
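Review bot: `tuple(int(v) for v in setuptools.__version__.split("."))` raises `ValueError` on any non-numeric component (a `.dev0`, `rc1` or `post` suffix), which makes `ipasetup` fail to import on such a setuptools instead of merely taking the compatibility path. Since the module only needs ordering against `(8, 0, 0)` and `(18, 0, 0)`, compare `pkg_resources.parse_version(setuptools.__version__)` against `parse_version('8')` / `parse_version('18')`; `pkg_resources` ships with setuptools itself, so it is present on every version this targets.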
@@ -70,7 +81,7 @@ PACKAGE_VERSION = {
 
 
 common_args = dict(
-version="@VERSION@",
+version=VERSION,
 license="GPLv3",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
@@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
+# Env markers like ":python_version<'3.3'" are not supported by
+# setuptools < 18.0.
+if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
+for k in list(setup_kwargs['extras_require']):
+if k.startswith(':'):
+req = setup_kwargs.setdefault('install_requires', [])
+req.extend(setup_kwargs['extras_require'].pop(k))
+
 os.chdir(local_path)
 try:
 # BEFORE importing distutils, remove MANIFEST. distutils doesn't
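Review bot: the fallback discards the condition carried by the marker key: every entry under a `:python_version<'3.3'`-style key is appended to `install_requires` unconditionally, so a backport meant only for old interpreters becomes a hard requirement on every Python whenever setuptools is older than 18. If that is acceptable it deserves a sentence in the comment; otherwise evaluate the marker (at least the `python_version` comparison against `sys.version_info`) before calling `req.extend(...)`.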

[Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/270
Title: #270: Test: uniqueness of certificate renewal master

martbab commented:
"""
I have suggested some improvements in your code inline. Also, can we actually 
do this test as part of another test suite or is it necessary to create a new 
one?

Also the commit message does not really state the purpose clearly.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/270#issuecomment-262804317

[Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/265
Title: #265: Add main guards to a couple of Python scripts

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a8376a244758494db31341442bc2163e1807b7ac
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/265#issuecomment-262802339

[Freeipa-devel] [freeipa PR#265][closed] Add main guards to a couple of Python scripts

2016-11-24 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/265
Author: tiran
 Title: #265: Add main guards to a couple of Python scripts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/265/head:pr265
git checkout pr265

[Freeipa-devel] [freeipa PR#265][+pushed] Add main guards to a couple of Python scripts

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/265
Title: #265: Add main guards to a couple of Python scripts

Label: +pushed

[Freeipa-devel] [freeipa PR#265][+ack] Add main guards to a couple of Python scripts

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/265
Title: #265: Add main guards to a couple of Python scripts

Label: +ack

[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6409abf1a60f3548203e6607a2b157ff72af2c89
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-262801283

[Freeipa-devel] [freeipa PR#258][closed] Break ipaplatform / ipalib import cycle of hell

2016-11-24 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/258
Author: tiran
 Title: #258: Break ipaplatform / ipalib import cycle of hell
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/258/head:pr258
git checkout pr258

[Freeipa-devel] [freeipa PR#258][+pushed] Break ipaplatform / ipalib import cycle of hell

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

Label: +pushed

[Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts

2016-11-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/265
Title: #265: Add main guards to a couple of Python scripts

tiran commented:
"""
Not really. I had the patch around since 
91920e7cb48cbf143ae281c9c073df14b2c2dddf
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/265#issuecomment-262799192

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-24 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient

jcholast commented:
"""
@tiran, how granular would you prefer the PRs to be? As @stlaz pointed out, there 
isn't actually much going on in this PR besides moving stuff around.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-262798189

[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-24 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

jcholast commented:
"""
I'm OK with it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-262797665

[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/258
Title: #258: Break ipaplatform / ipalib import cycle of hell

mbasti-rh commented:
"""
ACK from me if @jcholast is not against it
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/258#issuecomment-262797034

[Freeipa-devel] [freeipa PR#264][-ack] Python3 pylint fixes

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes

Label: -ack

[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8

2016-11-24 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
 Title: #263: Backwards compatibility with setuptools 0.9.8
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
From 6fe7e95b2e6715378103506a45ef630dad0db863 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 22 Nov 2016 16:08:46 +0100
Subject: [PATCH] Backwards compatibility with setuptools 0.9.8

Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 31 +--
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index fac4b25..2f6ed96 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -50,16 +50,27 @@ class build_py(setuptools_build_py):
 return setuptools_build_py.build_module(self, module,
 module_file, package)
 
+import setuptools
+
+VERSION = '@VERSION@'
+
+SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))
+
+# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix
+# PEP 440 was introduced in setuptools 8.
+if SETUPTOOLS_VERSION < (8, 0, 0):
+VERSION = VERSION.split('+')[0]
+
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
 'dnspython': 'dnspython >= 1.11.1',
 'gssapi': 'gssapi > 1.1.2',
-'ipaclient': 'ipaclient == @VERSION@',
-'ipalib': 'ipalib == @VERSION@',
-'ipaplatform': 'ipaplatform == @VERSION@',
-'ipapython': 'ipapython == @VERSION@',
-'ipaserver': 'ipaserver == @VERSION@',
+'ipaclient': 'ipaclient == {}'.format(VERSION),
+'ipalib': 'ipalib == {}'.format(VERSION),
+'ipaplatform': 'ipaplatform == {}'.format(VERSION),
+'ipapython': 'ipapython == {}'.format(VERSION),
+'ipaserver': 'ipaserver == {}'.format(VERSION),
 'kdcproxy': 'kdcproxy >= 0.3',
 'netifaces': 'netifaces >= 0.10.4',
 'python-nss': 'python-nss >= 0.16',
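Review bot: `import setuptools` lands in the middle of the module, after the `build_py` class definition, which pylint flags as `wrong-import-position`; move it to the module's import block at the top and keep only the `VERSION` / `SETUPTOOLS_VERSION` computation here. The `int(v)` parse of `setuptools.__version__` also assumes purely numeric components, so a `.dev0` or `rc1` suffix would raise `ValueError` at import time.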
@@ -70,7 +81,7 @@ PACKAGE_VERSION = {
 
 
 common_args = dict(
-version="@VERSION@",
+version=VERSION,
 license="GPLv3",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
@@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
+# Env markers like ":python_version<'3.3'" are not supported by
+# setuptools < 18.0.
+if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
+for k in list(setup_kwargs['extras_require']):
+if k.startswith(':'):
+req = setup_kwargs.setdefault('install_requires', [])
+req.extend(setup_kwargs['extras_require'].pop(key))
+
 os.chdir(local_path)
 try:
 # BEFORE importing distutils, remove MANIFEST. distutils doesn't
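Review bot: `key` is undefined in `req.extend(setup_kwargs['extras_require'].pop(key))`; the loop variable is `k`, so this branch raises `NameError` on any setuptools older than 18.0, exactly the case it exists for, and it never executes on a current setuptools, so the test suite will not catch it. Change it to `.pop(k)`.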

[Freeipa-devel] [freeipa PR#263][-ack] Backwards compatibility with setuptools 0.9.8

2016-11-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

Label: -ack

[Freeipa-devel] [freeipa PR#254][comment] Replace LooseVersion with pkg_resource.parse_version

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2cbaf156045769b54150e4d4c3c1071f164a16fb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/254#issuecomment-262792360

[Freeipa-devel] [freeipa PR#254][+pushed] Replace LooseVersion with pkg_resource.parse_version

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

Label: +pushed

[Freeipa-devel] [freeipa PR#254][+ack] Replace LooseVersion with pkg_resource.parse_version

2016-11-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/254
Title: #254: Replace LooseVersion with pkg_resource.parse_version

Label: +ack

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient

tiran commented:
"""
The PR is too large. Please split it up in multiple small PRs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-262789735

[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

2016-11-24 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, 
xmlrpc_uri, ldap_uri

pspacek commented:
"""
Honza will take care of this as part of ipalib cleanup for the Integration 
Improvements project.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/113#issuecomment-262787493

[Freeipa-devel] [freeipa PR#268][synchronized] Build system must regenerate file when template changes

2016-11-24 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/268
Author: pspacek
 Title: #268: Build system must regenerate file when template changes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/268/head:pr268
git checkout pr268
From 51b1df22525f97e393cfa7ad63ea6e268ac0 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 22 Nov 2016 12:32:27 +0100
Subject: [PATCH 1/6] Build: properly integrate ipa-version.h.in into build
 system

AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so dependencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498
---
 configure.ac|  3 ++-
 daemons/Makefile.am | 11 +++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 8b8f556..c178b12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -372,6 +372,8 @@ AC_SUBST([NUM_VERSION], [IPA_NUM_VERSION])
 AC_SUBST(VENDOR_SUFFIX)
 AC_SUBST([VERSION], [IPA_VERSION])
 AC_SUBST([GIT_VERSION], [IPA_GIT_VERSION])
+# used by Makefile.am for files depending on templates
+AC_SUBST([CONFIG_STATUS])
 
 dnl ---
 dnl Finish
@@ -506,7 +508,6 @@ AC_CONFIG_FILES([
 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile
 daemons/ipa-slapi-plugins/ipa-range-check/Makefile
 daemons/ipa-slapi-plugins/topology/Makefile
-daemons/ipa-version.h
 freeipa.spec
 init/systemd/Makefile
 init/tmpfilesd/Makefile
diff --git a/daemons/Makefile.am b/daemons/Makefile.am
index a3d4d1d..2967917 100644
--- a/daemons/Makefile.am
+++ b/daemons/Makefile.am
@@ -12,10 +12,21 @@ if HAVE_GCC
 endif
 export AM_CFLAGS
 
+nodist_noinst_HEADERS = ipa-version.h
+noinst_HEADERS = ipa-version.h.in
+
 SUBDIRS =			\
+	.			\
 	dnssec			\
 	ipa-kdb			\
 	ipa-slapi-plugins	\
 	ipa-sam			\
 	ipa-otpd		\
 	$(NULL)
+
+ipa-version.h: ipa-version.h.in $(top_builddir)/$(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@DATA_VERSION[@]|$(DATA_VERSION)|g'	\
+		-e 's|@NUM_VERSION[@]|$(NUM_VERSION)|g'		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		$< > $@
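Review bot: the generated `ipa-version.h` is never cleaned: `nodist_noinst_HEADERS` only keeps it out of the tarball, so add `CLEANFILES = ipa-version.h` (or `DISTCLEANFILES`, since it is derived from `config.status`) to this hunk. The `sed ... $< > $@` rule also leaves a truncated `$@` behind when sed fails, which the next `make` then treats as up to date; write to `$@.tmp` and `mv` it into place on success.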

From 386b815d306c1b34df159574cd2c16991394fc26 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 22 Nov 2016 15:45:53 +0100
Subject: [PATCH 2/6] Build: properly integrate freeipa.spec.in into build
 system

AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so dependencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498
---
 Makefile.am  | 10 +-
 configure.ac |  1 -
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 07e998c..c2826ae 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,6 +30,7 @@ EXTRA_DIST = .mailmap \
 	 COPYING.openssl \
 	 contrib \
 	 doc \
+	 freeipa.spec.in \
 	 pylintrc \
 	 pytest.ini
 
@@ -45,6 +46,13 @@ clean-local:
 	rpms _rpms-body srpms _srpms-body
 RPMBUILD ?= $(abs_builddir)/rpmbuild
 TARBALL = $(PACKAGE)-$(VERSION).tar.gz
+
+freeipa.spec: freeipa.spec.in $(top_builddir)/$(CONFIG_STATUS)
+	$(AM_V_GEN)sed		\
+		-e 's|@VERSION[@]|$(VERSION)|g'			\
+		-e 's|@VENDOR_SUFFIX[@]|$(VENDOR_SUFFIX)|g'	\
+		$< > $@
+
 rpmroot:
 	mkdir -p $(RPMBUILD)/BUILD
 	mkdir -p $(RPMBUILD)/RPMS
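Review bot: `config.status` substituted every `AC_SUBST`'d variable in `freeipa.spec.in`, while the new rule substitutes only `@VERSION@` and `@VENDOR_SUFFIX@`; any other `@...@` placeholder in the template would now survive into `freeipa.spec` unnoticed until rpmbuild chokes on it. Grep the template for remaining placeholders and either add them to the sed script or make the rule fail when `@[A-Z_]*@` is still present in the output. The generated `freeipa.spec` also belongs in `CLEANFILES` now that config.status no longer owns it.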
@@ -85,7 +93,7 @@ dist-hook: $(VERSION_BAKEIN_TARGET)
 	echo "$(TARBALL)" > $(top_builddir)/.tarball_name
 	echo "$(VERSION)" > $(top_builddir)/.version
 
-_rpms-prep: dist-gzip rpmroot rpmdistdir
+_rpms-prep: dist-gzip rpmroot rpmdistdir freeipa.spec
 	cp $(top_builddir)/$$(cat $(top_builddir)/.tarball_name) $(RPMBUILD)/SOURCES/
 	rm -f $(top_builddir)/.tarball_name
 
diff --git a/configure.ac b/configure.ac
index c178b12..9666997 100644
--- a/configure.ac
+++ b/configure.ac
@@ -508,7 +508,6 @@ AC_CONFIG_FILES([
 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile
 daemons/ipa-slapi-plugins/ipa-range-check/Makefile
 daemons/ipa-slapi-plugins/topology/Makefile
-freeipa.spec
 init/systemd/Makefile
 init/tmpfilesd/Makefile
 init/Makefile

From 2a7578ccbeb0ce1c3e7d937716964e3cd1128e72 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 22 Nov 2016 16:07:32 +0100
Subject: [PATCH 3/6] Build: properly integrate loader.js into build system

AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so dependencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498
---
 Makefile.am | 8 ++--
 configure.ac| 1 -
 install/ui/src/libs/Makefile.am | 9 +
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index c2826ae..ad0ccd3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -158,11 +158,15 @@ pylint:
 	PYTHONPATH=$(top_srcdir) $(PYLINT) \
 		

[Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

mbasti-rh commented:
"""
Please add the ticket to the commit message
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/263#issuecomment-262786953

[Freeipa-devel] [freeipa PR#263][+ack] Backwards compatibility with setuptools 0.9.8

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

Label: +ack

[Freeipa-devel] [freeipa PR#264][+ack] Python3 pylint fixes

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes

Label: +ack

[Freeipa-devel] [freeipa PR#265][comment] Add main guards to a couple of Python scripts

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/265
Title: #265: Add main guards to a couple of Python scripts

mbasti-rh commented:
"""
Is this part of the PIP effort? If yes then the commit misses the ticket

otherwise ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/265#issuecomment-262776482

Re: [Freeipa-devel] client-only FreeIPA build

2016-11-24 Thread Lukas Slebodnik
On (24/11/16 10:27), Petr Spacek wrote:
>On 23.11.2016 13:53, Lukas Slebodnik wrote:
>> On (22/11/16 11:25), Rob Crittenden wrote:
>>> Lukas Slebodnik wrote:
>>>> On (22/11/16 16:29), Petr Spacek wrote:
>>>>> On 22.11.2016 16:27, Jan Cholasta wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On 22.11.2016 16:04, Petr Spacek wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> the recent changes with regard to
>>>>>>> http://www.freeipa.org/page/V4/Integration_Improvements
>>>>>>> beg a question whether we should invest into supporting client-only builds in
>>>>>>> FreeIPA build system.
>>>>>>>
>>> Note that the Integration efforts don't really apply. The client-only
>>> install is for doing client enrollment and integration can mean lots of
>>> things.
>>>
>>>>>>>
>>>>>>> Right now, FreeIPA can be built on all architectures we care about so there is
>>>>>>> no incentive to invest into client-only build - this applies to binary/RPM
>>>>>>> builds.
>>>>>>
>>>>>> Client-only build lowers the barrier for porting IPA to new platforms (porting
>>>>>> only client code is *much* easier than porting the whole thing), so I would
>>>>>> very much prefer if we kept it.
>>>>>
>>>>> Understood.
>>>>>
>>>> Agree about portability
>>>>
>>>> But upstream spec file needn't have such relics.
>>>> The upstream spec file is pure fedora specific.
>>>
>>> The upstream spec is what is used to document and verify that the
>>> client-only build actually works.
>>>
>>> I also think it is a worthy goal to maintain.
>>>
>> Maintaining is not enough. It would also be good to test it.
>> 
>> And maybe it might be much simpler to have a separate
>> spec file for the client-only build. Because too many if conditions
>> do not improve the readability of the spec file. But that's up to
>> others to decide what would be simpler.
>
>The maintenance cost you mention is the only con I can see.
>
>I think that if we decide to support it, client-only support should be part of
>the configure machinery. It would enable packagers to simply run
>./configure --disable-server && make install
>and have the client installed. It would make it easy to package it for whatever
>distro.
>
I didn't mention anything about a spec-file-only solution
for the client-only build.

But too many optional features do not improve readability
of the spec file.

We have many optional features in upstream sssd spec file.
e.g.
%configure \

   //snip

--disable-static \
--disable-rpath \
%if %{with sssd_user}
--with-sssd-user=sssd \
%endif
%{with_initscript} \
%{?with_syslog} \
%{?with_cifs_utils_plugin_option} \
%{?with_python3_option} \
%{?enable_polkit_rules_option} \
%{?enable_systemtap_opt} \
%{?experimental}

But there are also optional features which
are not covered in the upstream spec file,
otherwise the spec file would not be maintainable.

e.g. --with-samba

But as I mentioned in the previous mail it's up to you
to decide whether the client-only build should
be handled in the upstream spec file or in a separate spec file.

LS



[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

pvoborni commented:
"""
If I understand it correctly, the review is stalled for some time given that 
there is misalignment on whether this pull request is needed. As described in 
Christian's design page: 
http://www.freeipa.org/page/V4/Integration_Improvements#API_for_local_configuration_directory
there is a clear method how to do it with current code. 

**So this cannot be regarded as a blocker for the whole effort.** 

It is only a convenience method for people who would rather use an env variable 
instead of the conf dir option. 

From a maintenance perspective it is just another use case to support.  


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-262754088

[Freeipa-devel] [freeipa PR#257][comment] Don't ship install subpackages with wheels

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/257
Title: #257: Don't ship install subpackages with wheels

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/526bcea705d04895aa6b09bce996ac340783d1d0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/257#issuecomment-262745293

[Freeipa-devel] [freeipa PR#257][closed] Don't ship install subpackages with wheels

2016-11-24 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/257
Author: tiran
 Title: #257: Don't ship install subpackages with wheels
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/257/head:pr257
git checkout pr257

[Freeipa-devel] [freeipa PR#257][+ack] Don't ship install subpackages with wheels

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/257
Title: #257: Don't ship install subpackages with wheels

Label: +ack

[Freeipa-devel] [freeipa PR#257][+pushed] Don't ship install subpackages with wheels

2016-11-24 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/257
Title: #257: Don't ship install subpackages with wheels

Label: +pushed

[Freeipa-devel] [freeipa PR#270][opened] Test: uniqueness of certificate renewal master

2016-11-24 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/270
Author: ofayans
 Title: #270: Test: uniqueness of certificate renewal master
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6504
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/270/head:pr270
git checkout pr270
From f526caf5cba7ebc7907155f045981ed4daf8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 24 Nov 2016 11:14:15 +0100
Subject: [PATCH] Test: uniqueness of certificate renewal master

https://fedorahosted.org/freeipa/ticket/6504
---
 ipatests/test_integration/test_renewal_master.py | 45 
 1 file changed, 45 insertions(+)
 create mode 100644 ipatests/test_integration/test_renewal_master.py

diff --git a/ipatests/test_integration/test_renewal_master.py b/ipatests/test_integration/test_renewal_master.py
new file mode 100644
index 000..2a4d699
--- /dev/null
+++ b/ipatests/test_integration/test_renewal_master.py
@@ -0,0 +1,45 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+
+class TestRenewalMaster(IntegrationTest):
+
+topology = 'star'
+num_replicas = 1
+
+@classmethod
+def uninstall(cls, mh):
+super(TestRenewalMaster, cls).uninstall(mh)
+
+def test_replica_not_marked_as_renewal_master(self):
+"""
+https://fedorahosted.org/freeipa/ticket/5902
+"""
+master = self.master
+suffix = ",".join(["dc=%s" % i for i in master.domain.name.split('.')])
+result = master.run_command([
+"ldapsearch", "-Y", "GSSAPI", "-b",
+"cn=masters,cn=ipa,cn=etc,%s" % suffix,
+"(ipaConfigString=caRenewalMaster)"
+])
+assert("numResponses: 2" in result.stdout_text), (
+"Unexpected number of responces in"
+" the command stdout: %s" % result.stdout_text)
+assert("numEntries: 1" in result.stdout_text), (
+"Unexpected number of renewal master entries in"
+" the command stdout: %s" % result.stdout_text)
+# Test that after master uninstallation, replica overtakes the cert
+# renewal master role
+tasks.uninstall_master(master)
+result1 = self.replicas[0].run_command([
+"ldapsearch", "-Y", "GSSAPI", "-b",
+"cn=masters,cn=ipa,cn=etc,%s" % suffix,
+"(ipaConfigString=caRenewalMaster)"
+])
+assert("numEntries: 1" in result1.stdout_text), (
+"Unexpected number of renewal master entries in"
+" the command stdout: %s" % result.stdout_text)
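Review bot: the failure message of the last assertion (`assert("numEntries: 1" in result1.stdout_text)`) formats `result.stdout_text`, the output of the search that ran before `tasks.uninstall_master(master)`, so a failing post-uninstall check would report stale output; it should read `" the command stdout: %s" % result1.stdout_text`. Smaller points in the same hunk: the first message says "responces" (should be "responses"); the `uninstall` classmethod only calls `super(TestRenewalMaster, cls).uninstall(mh)`, so the override can be dropped; the docstring cites ticket 5902 while the commit message references 6504, so it is worth stating which one the test is for; and the `"numResponses: 2"` check adds little beyond `"numEntries: 1"` (ldapsearch counts the final result message as a response), while tying the test to that summary format.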
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [patch]pytest-multihost: Add external_ip parameter to specify external_ip when using openstack

2016-11-24 Thread Petr Viktorin

On 11/17/2016 02:39 PM, Niranjan wrote:

Greetings,

When using pytest multihost to connect with hosts provisioned in
openstack, it's required to have the ability for the test to use a floating
IP [external IP]. This patch adds another attribute, the external_ip parameter,
under hosts.


Hello,
The patch adds no tests (or documentation) for this functionality, so 
I'm a bit unclear about how exactly it should work. Should I attempt to 
add the tests for it?


Specifically, what should happen when 'external_ip' is not specified in
the configuration? I believe it should be either None or a copy of the
ip. With this patch, it's set to the string `None`; I think that's a bug.



--
Petr Viktorin

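The failure mode Petr describes, as an added example that is not pytest-multihost's own code: a loader that stringifies a missing optional key produces the text 'None', which is truthy and so passes an `if host.external_ip:` check, beside a loader that keeps a real None and falls back to the internal address. `HostSpec`, `load_host_buggy`, `load_host` and the sample host dicts are constructed for this illustration.

```python
"""
Added example (not pytest-multihost code): handling of a missing optional
'external_ip' key in a host description.  All names are constructed.
"""
from typing import Optional


class HostSpec:
    """Minimal host record; external_ip is the optional address used to
    reach the host from outside the provisioning network."""

    def __init__(self, name: str, ip: str, external_ip: Optional[str]) -> None:
        self.name = name
        self.ip = ip
        self.external_ip = external_ip

    def address_to_connect(self) -> str:
        # Prefer the external address when one was configured.
        return self.external_ip if self.external_ip else self.ip


def load_host_buggy(spec: dict) -> HostSpec:
    # The pattern that produces the bug: str() of a missing key yields the
    # text 'None', which is truthy, so the test would try to connect to a
    # host literally named "None".
    return HostSpec(spec["name"], spec["ip"], str(spec.get("external_ip")))


def load_host(spec: dict) -> HostSpec:
    # Correct handling: a missing or empty key stays a real None, and the
    # record falls back to the internal ip when asked for an address.
    external = spec.get("external_ip")
    if external in (None, ""):
        external = None
    return HostSpec(spec["name"], spec["ip"], external)


# Constructed host descriptions, as they would appear in a multihost config.
SAMPLE_WITH = {"name": "master.ipa.test", "ip": "192.0.2.10",
               "external_ip": "198.51.100.10"}
SAMPLE_WITHOUT = {"name": "replica.ipa.test", "ip": "192.0.2.11"}
```

With `SAMPLE_WITHOUT`, `load_host_buggy` returns a record whose `address_to_connect()` is the string "None", while `load_host` returns the internal 192.0.2.11.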


Re: [Freeipa-devel] client-only FreeIPA build

2016-11-24 Thread Petr Spacek
On 23.11.2016 13:53, Lukas Slebodnik wrote:
> On (22/11/16 11:25), Rob Crittenden wrote:
>> Lukas Slebodnik wrote:
>>> On (22/11/16 16:29), Petr Spacek wrote:
 On 22.11.2016 16:27, Jan Cholasta wrote:
> Hi,
>
> On 22.11.2016 16:04, Petr Spacek wrote:
>> Hello,
>>
>> the recent changes with regard to
>> http://www.freeipa.org/page/V4/Integration_Improvements
>> beg the question whether we should invest in supporting client-only builds
>> in the FreeIPA build system.
>>
>> Note that the Integration efforts don't really apply. The client-only
>> install is for doing client enrollment and integration can mean lots of
>> things.
>>
>>
>> Right now, FreeIPA can be built on all architectures we care about, so there
>> is no incentive to invest in a client-only build - this applies to
>> binary/RPM builds.
>
> A client-only build lowers the barrier for porting IPA to new platforms
> (porting only the client code is *much* easier than porting the whole
> thing), so I would very much prefer if we kept it.

 Understood.

>>> Agree about portability
>>>
>>> But the upstream spec file needn't have such relics.
>>> The upstream spec file is purely Fedora-specific.
>>
>> The upstream spec is what is used to document and verify that the
>> client-only build actually works.
>>
>> I also think it is a worthy goal to maintain.
>>
> Maintaining is not enough. It would also be good to test it.
> 
> And maybe it might be much simpler to have a separate
> spec file for the client-only build, because too many if conditions
> do not improve the readability of a spec file. But that's up to
> others to decide what would be simpler.

The maintenance cost you mention is the only con I can see.

I think that if we decide to support it, client-only support should be part of
the configure machinery. It would enable packagers to simply run
./configure --disable-server && make install
and have the client installed. It would make it easy to package it for whatever
distro.

Of course, the upstream spec will be a good reference for packaging, but IMHO
we should keep build & install matters separate from packaging.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Martin Basti



On 24.11.2016 07:06, David Kupka wrote:

On 22/11/16 23:15, Gabe Alford wrote:

I would say that it is worth keeping in FreeIPA. I know myself and some
customers use its functionality by having the clients sync to the IPA
servers and have the servers sync to the NTP source. This way if the NTP
source ever gets disrupted for long periods of time (which has happened in
my environment) the client time drifts with the authentication source. This
is the way that AD often works and is configured.


Hello Gabe,
I agree that it's common practice to synchronize all nodes in a network
with a single source in order to have the same time and save bandwidth.
Also I understand that it's comfortable to let the FreeIPA installer take
care of it.
But I don't think FreeIPA should do it; IMO this is a job for Ansible or a
similar tool. Also the problem is that in some situations the FreeIPA
installer makes it worse.


Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase
   redundancy


Now all the clients have ipa1.example.org as the only server in 
/etc/ntp.conf. If the first FreeIPA server becomes unreachable all 
clients will be able to contact KDC on the other server thanks to DNS 
autodiscovery in libkrb5 but will be unable to synchronize time.




This can be resolved by DHCP-configured NTP. When the NTP server changes,
you just change the DHCPd config and the hosts' config will be synced.
We may keep NTP configured on the IPA server side, but I'm voting for
removing it from clients and documenting + endorsing people to use DHCP
(anyway distros have always enabled some time synchronization so it should
naturally work even in small deployments)


Also NTP is somehow incompatible with containers; usually containers
have time synchronized from the host, and by default the IPA client container
doesn't do NTP configuration.


Let's deprecate it in 4.5

Martin^2




On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:



On 22.11.2016 13:06, Petr Spacek wrote:


On 22.11.2016 12:15, David Kupka wrote:


Hello everyone!

Is it worth it to keep configuring NTP in FreeIPA?

In a usual environment there're no special requirements for time
synchronization, and the distribution default (be it ntpd, chrony or
anything else) will just work. Any tampering with the configuration can't
make it any better.

In an environment with special requirements (network disconnected from the
public internet, nodes disconnected from the topology for a longer time, ...)
time synchronization must be taken care of accordingly by the system
administrator, and FreeIPA simply can't help here.

Also there are problems and weird behavior with the current FreeIPA
installers:

* ipa-client-install replaces all servers in /etc/ntp.conf with the ones
specified by the user or resolved from DNS. If none were provided nor
resolved, the FreeIPA server specified/resolved during installation is used.
This leads to just a single server in the configuration and no time
synchronization when this server is down/decommissioned.

* ipa-client-install replaces the NTP configuration. If there were any
parts previously edited by the system administrator, they're lost.

* ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
What's the point in doing that? These servers're already in the
configuration file installed with the ntp package.

I have NTP-related WIP patches that solve some of the issues, but in
general I would prefer to remove the whole thing together with documenting
"Please make sure that time on all FreeIPA servers and clients is
synchronized. On most distributions this was already done during system
installation."

Can we mark NTP options deprecated in 4.5 and remove them and stop
touching any time syncing service in 4.6?



Considering that the default config is just fine for normal cases, and
given how poorly integrated it is into FreeIPA, I agree with David. FreeIPA
should get out of the configuration management business.



+1

--
Jan Cholasta


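An added check, not FreeIPA code, for the failure mode David lists above, where a client ends up with one `server` line in /etc/ntp.conf and loses time synchronization when that server goes away: it parses the server/pool/peer directives of an ntpd- or chrony-style config and reports a single non-pool source, or IPA servers missing from a client that points only at IPA servers. The sample configs and host names are constructed; `time_sources`, `check_time_sync` and the regex are the example's own.

```python
"""
Added example (not FreeIPA code): flag time-sync configs that depend on a
single server, the situation left behind by the installer behaviour
described in the thread.  Sample configs below are constructed.
"""
import re
from typing import List, Tuple

# Source directives understood by both ntpd and chrony; the first token
# after the keyword is the host name, address or pool name.
SOURCE_RE = re.compile(r"^\s*(server|pool|peer)\s+(\S+)", re.IGNORECASE)


def time_sources(config_text: str) -> List[Tuple[str, str]]:
    """Return (directive, host) pairs for server/pool/peer lines,
    ignoring comments and unrelated directives."""
    sources = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = SOURCE_RE.match(line)
        if m:
            sources.append((m.group(1).lower(), m.group(2)))
    return sources


def check_time_sync(config_text: str, ipa_servers: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the config has more
    than one path to a time source."""
    sources = time_sources(config_text)
    if not sources:
        return ["no time source configured"]
    hosts = [host for _, host in sources]
    findings = []
    # A 'pool' name resolves to several hosts, so one pool line is not a
    # single point of failure; one 'server' or 'peer' line is.
    if len(sources) == 1 and sources[0][0] != "pool":
        findings.append("single time source %s; time sync stops if it is "
                        "unreachable" % hosts[0])
    # A client synced only against IPA servers should list all of them, so
    # the server it fails over to for Kerberos also serves it time.
    if all(h in ipa_servers for h in hosts):
        missing = [s for s in ipa_servers if s not in hosts]
        if missing:
            findings.append("IPA servers not listed as time sources: %s"
                            % ", ".join(missing))
    return findings


# Constructed /etc/ntp.conf as left on a client enrolled against one server.
CLIENT_CONF = """\
driftfile /var/lib/ntp/drift
# ipa-client-install wrote this single entry
server ipa1.example.org
restrict default nomodify notrap nopeer noquery
"""

# Constructed config listing both IPA servers.
RESILIENT_CONF = """\
server ipa1.example.org iburst
server ipa2.example.org iburst
"""

IPA_SERVERS = ["ipa1.example.org", "ipa2.example.org"]
```

Running `check_time_sync(CLIENT_CONF, IPA_SERVERS)` yields two findings (single source, and ipa2.example.org missing), while `RESILIENT_CONF` and a distribution default of one `pool` line yield none.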