[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization

2016-11-25 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/266
Title: #266: ipapython: simplify Env object initialization

pvoborni commented:
"""
I don't understand the "Nevermind this PR then.".

fixing ticket 6482 is good but fixing ticket 6408 is required even more for  
@tiran's work, right?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/266#issuecomment-262991677
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#213][edited] Build system refactoring phase 3

2016-11-25 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/213
Author: pspacek
 Title: #213: Build system refactoring phase 3
Action: edited

 Changed field: body
Original value:
"""
This monster patch-set refactors most of the build system and moves most of the 
logic from the SPEC file to the build system.

It is not yet complete, missing parts are:
- [ ] Python 3 support (fix in #272)
- [ ] Client-only build is not supported
- [x] IPA_VERSION_IS_GIT_SNAPSHOT does not work (fix in #226)

These will be sorted out later on but the review of the patch set can begin.
"""


[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality

2016-11-25 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

apophys commented:
"""
Please rebase the commits in the right order.

What will happen when the hosts in the topology have both IPv4 and IPv6 stacks 
when you disable ports for only one? Is the IPA server serving on both network 
stacks?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/200#issuecomment-262982688

[Freeipa-devel] [freeipa PR#264][closed] Python3 pylint fixes

2016-11-25 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/264
Author: tiran
 Title: #264: Python3 pylint fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/264/head:pr264
git checkout pr264

[Freeipa-devel] [freeipa PR#264][comment] Python3 pylint fixes

2016-11-25 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/264
Title: #264: Python3 pylint fixes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38e8719f728e6d54289507fe2c7f79f9272c45c0
https://fedorahosted.org/freeipa/changeset/7fef9cbec725beed62eb425449083c59416ed975
https://fedorahosted.org/freeipa/changeset/fef6f18aa27c3c5286c48dce4419db6ff9ac967b
https://fedorahosted.org/freeipa/changeset/6bbbce44733761fda1fc588397b8baddbc7f8de3
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/264#issuecomment-262977665

[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
From 93febb46330e233dcfcd7659975350d9598d79a2 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Nov 2016 13:55:14 +0100
Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until
 required

Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only an IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 135 ++--
 ipapython/ipautil.py|  71 ---
 2 files changed, 97 insertions(+), 109 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..2c3c4a4 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -33,10 +33,11 @@ import sys
 import os
 import signal
 import tempfile
+import select
 import socket
 import time
 import threading
-import errno
+import traceback
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
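Review bot: `traceback` is imported here but nothing in the visible hunks uses it; if it only backs an error-logging path in the responder thread, `root_logger.exception(...)` (or `exc_info=True`) gives the same output without the import. The file also keeps both `import socket` and `from socket import SOCK_STREAM, SOCK_DGRAM` while the new `PortResponder.PROTO` table spells the constants `socket.SOCK_STREAM`; pick one spelling.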
@@ -44,11 +45,12 @@ import gssapi
 from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
-RESPONDERS = [ ]
+RESPONDER = None
 QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
+
 class SshExec(object):
 def __init__(self, user, addr):
 self.user = user
@@ -94,6 +96,7 @@ class CheckedPort(object):
 self.port_type = port_type
 self.description = description
 
+
 BASE_PORTS = [
 CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
 CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
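Review bot: this hunk and the other blank-line-only hunks in the file (around `print_info`, `parse_options`, `logging_setup`, `sigterm_handler` and `configure_krb5_conf`) are PEP8 spacing fixes unrelated to ticket 6487; moving them into a separate commit keeps the behavioural change small enough to review on its own.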
@@ -110,6 +113,7 @@ def print_info(msg):
 if not QUIET:
 print(msg)
 
+
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -209,6 +213,7 @@ def parse_options():
 
 return safe_options, options
 
+
 def logging_setup(options):
 log_file = None
 
@@ -217,16 +222,6 @@ def logging_setup(options):
 
 standard_logging_setup(log_file, debug=options.debug)
 
-def clean_responders(responders):
-if not responders:
-return
-
-for responder in responders:
-responder.stop()
-
-for responder in responders:
-responder.join()
-responders.remove(responder)
 
 def sigterm_handler(signum, frame):
 # do what SIGINT does (raise a KeyboardInterrupt)
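Review bot: deleting `clean_responders` removes the only stop()/join() sequence in view, and the new `PortResponder` exposes just a private `_close` flag, so whatever replaces the call has to set that flag and `join()` the thread before the script exits, including the `KeyboardInterrupt` path that `sigterm_handler` raises; otherwise the listening sockets are closed only when the process dies and a re-run can hit a port still in use. The old loop also called `responders.remove(responder)` while iterating over `responders`, which skipped every other entry, so the removal fixes a latent bug worth a line in the commit message.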
@@ -234,6 +229,7 @@ def sigterm_handler(signum, frame):
 if callable(sigint_handler):
 sigint_handler(signum, frame)
 
+
 def configure_krb5_conf(realm, kdc, filename):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
@@ -281,32 +277,95 @@ def configure_krb5_conf(realm, kdc, filename):
 
 krbconf.newConf(filename, opts)
 
+
 class PortResponder(threading.Thread):
 
-def __init__(self, port, port_type, socket_timeout=1):
+PROTO = {socket.SOCK_STREAM: 'tcp',
+ socket.SOCK_DGRAM: 'udp'}
+
+def __init__(self, ports):
+"""
+ports: a list of CheckedPort
+"""
 super(PortResponder, self).__init__()
-self.port = port
-self.port_type = port_type
-self.socket_timeout = socket_timeout
-self._stop_request = False
+self.ports = ports
+self._sockets = []
+self._close = False
+self.responder_data = 'FreeIPA'
 
 def run(self):
-while not self._stop_request:
+root_logger.debug('Starting listening thread.')
+
+for port in self.ports:
+self._bind_to_port(port.port, port.port_type)
+
+while not self._close:
+ready_socks, _socks1, _socks2 = select.select(
+self._sockets, [], [], 1)
+if ready_socks:
+ready_sock = ready_socks[0]
+self._respond(ready_sock)
+
+for sock in self._sockets:
+port = sock.getsockname()[1]
+proto = PortResponder.PROTO[sock.type]
+sock.close()
+root_logger.debug('%(port)d %(proto)s: Stopped listening' %
+  dict(port=port, proto=proto))
+
+def _bind_to_port(self, port, socket_type):
+# 
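Review bot: `_bind_to_port` (cut off here) should clear `IPV6_V6ONLY` on the socket explicitly instead of relying on the commit message's assumption that one IPv6 socket serves IPv4 clients too: the kernel default is the `net.ipv6.bindv6only` sysctl, and on a host where it is 1 every IPv4 peer is refused and conncheck would report the port as blocked. Three smaller points in the same hunk: `run()` serves only `ready_socks[0]` per `select()` round, so when several ports are ready the others wait a round each (`for sock in ready_socks:` costs nothing); `responder_data = 'FreeIPA'` is a text string, which `send()` rejects on Python 3 unless `_respond` encodes it (`b'FreeIPA'`); and because `run()` is the thread body, an `OSError` from `_bind_to_port` (e.g. EADDRINUSE) would end the thread silently while `RESPONDER` stays set, so catch it and hand the failure back to the main thread.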

[Freeipa-devel] [freeipa PR#101][synchronized] Improved vault-show error message

2016-11-25 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/101
Author: stlaz
 Title: #101: Improved vault-show error message
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/101/head:pr101
git checkout pr101
From fd39db9f8263ffbfd41791fffaf4514d9ce01953 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 25 Nov 2016 15:46:29 +0100
Subject: [PATCH 1/2] Added kwargs to handle_not_found method

Adding kwargs allows invocation options to be passed to
handle_not_found() to improve 'Not found' messages.

https://fedorahosted.org/freeipa/ticket/5950
---
 ipaserver/plugins/automount.py |  2 +-
 ipaserver/plugins/baseldap.py  | 23 ---
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/ipaserver/plugins/automount.py b/ipaserver/plugins/automount.py
index c4cf2d6..a5be853 100644
--- a/ipaserver/plugins/automount.py
+++ b/ipaserver/plugins/automount.py
@@ -568,7 +568,7 @@ def get_dn(self, *keys, **kwargs):
 
 return dn
 
-def handle_not_found(self, *keys):
+def handle_not_found(self, *keys, **kwargs):
 pkey = keys[-1]
 key = pkey.split(self.rdn_separator)[0]
 info = self.rdn_separator.join(pkey.split(self.rdn_separator)[1:])
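Review bot: `handle_not_found` now accepts `**kwargs` but this override ignores them, as does the base implementation in baseldap.py below; a one-line docstring on the base method saying which option keys an override may consult (and that everything else is ignored) would keep callers from assuming every option influences the message.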
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 5770641..66b555e 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -750,7 +750,7 @@ def get_password_attributes(self, ldap, dn, entry_attrs):
 except errors.NotFound:
 entry_attrs[attr] = False
 
-def handle_not_found(self, *keys):
+def handle_not_found(self, *keys, **kwargs):
 pkey = ''
 if self.primary_key:
 pkey = keys[-1]
@@ -1013,7 +1013,7 @@ def process_attr_options(self, entry_attrs, dn, keys, options):
 dn, needldapattrs
 )
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 # Provide a nice error message when user tries to delete an
 # attribute that does not exist on the entry (and user is not
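Review bot: `**options` here forwards the command's entire invocation option set (the `execute(self, *keys, **options)` signature in the following hunks) into the error-message path; an override that formats these into the NotFound reason should pick out the specific keys that identify the lookup rather than interpolate whatever was passed, so option values only appear in an error message when they actually determined the search.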
@@ -1218,7 +1218,7 @@ def execute(self, *keys, **options):
 entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(
 entry_attrs.dn, attrs_list)
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 self.obj.get_indirect_members(entry_attrs, attrs_list)
 
@@ -1318,7 +1318,7 @@ def execute(self, *keys, **options):
 dn, attrs_list
 )
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 self.obj.get_indirect_members(entry_attrs, attrs_list)
 
@@ -1459,7 +1459,7 @@ def execute(self, *keys, **options):
 if not rdnupdate:
 raise e
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 try:
 entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(
@@ -1540,12 +1540,12 @@ def delete_subtree(base_dn):
 try:
 self._exc_wrapper(nkeys, options, ldap.delete_entry)(base_dn)
 except errors.NotFound:
-self.obj.handle_not_found(*nkeys)
+self.obj.handle_not_found(*nkeys, **options)
 
 try:
 self._exc_wrapper(nkeys, options, ldap.delete_entry)(dn)
 except errors.NotFound:
-self.obj.handle_not_found(*nkeys)
+self.obj.handle_not_found(*nkeys, **options)
 except errors.NotAllowedOnNonLeaf:
 if not self.subtree_delete:
 raise
@@ -1702,7 +1702,7 @@ def execute(self, *keys, **options):
 dn, attrs_list
 )
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 self.obj.get_indirect_members(entry_attrs, attrs_list)
 
@@ -1803,7 +1803,7 @@ def execute(self, *keys, **options):
 dn, attrs_list
 )
 except errors.NotFound:
-self.obj.handle_not_found(*keys)
+self.obj.handle_not_found(*keys, **options)
 
 self.obj.get_indirect_members(entry_attrs, attrs_list)
 
@@ -2022,7 +2022,8 @@ def execute(self, *args, **options):
 except errors.EmptyResult:
 (entries, truncated) = ([], False)
 except errors.NotFound:
-self.api.Object[self.obj.parent_object].handle_not_found(*keys)
+self.api.Object[self.obj.parent_object].handle_not_found(
+*keys, **options)
 
 for callback in 

[Freeipa-devel] [freeipa PR#101][comment] Improved vault-show error message

2016-11-25 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/101
Title: #101: Improved vault-show error message

stlaz commented:
"""
Seems like nobody objected so far.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/101#issuecomment-262971504

[Freeipa-devel] [freeipa PR#225][comment] tests: Added basic tests for certs in idoverrides

2016-11-25 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/225
Title: #225: tests: Added basic tests for certs in idoverrides

apophys commented:
"""
Please address the inline comments
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/225#issuecomment-262961820

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-25 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

pspacek commented:
"""
Oh, you are right, I was mixing `CONFIG_STATUS_DEPENDENCIES` and 
`AC_CONFIG_FILES`. Sorry!

So please let me explain the problem with `AC_CONFIG_FILES`:
`AC_CONFIG_FILES` properly substitutes variables only in Makefiles, as 
explained in [Autoconf v2.69 manual chapter 4.8.2 Installation Directory 
Variables](https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html).

Yes, we can use `AC_CONFIG_FILES` so all variables can be used for substitution, 
but in that case only a subset of all usable variables will be substituted 
correctly. I do not think that it is the right approach.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-262955693

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-11-25 Thread Jan Cholasta

Bump, Sumit, have you seen my comments? I haven't heard back from you.

On 17.10.2016 09:50, Jan Cholasta wrote:

Hi,

On 13.10.2016 18:52, Sumit Bose wrote:

On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:

On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:

Hi,

I've started to write a SSSD design page about enhancing the current
mapping of certificates to users and how to select/match a suitable
certificate if multiple certificates are on a Smartcard.

My current thoughts and ideas can be found at
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates

and for your convenience below as well.

Comments and suggestions are welcome. Please let me know about
concerns,
alternatives and missing use-cases/user-stories.

bye,
Sumit



Hi,

Rob, Fraser, Alexander, thank you for your comments. I think both the
issuer specific matching and the OID in the SUBJECT matching are good
ideas. I updated the design page accordingly. The changes can be shown
with
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=9&old_version=6


The updated version can be found below as well. Of course more
comments and
suggestions are still very welcome.



I did another update. A "Compatibility with Active Directory" section is
added which made me realize that there are use-cases for using the
issuer in the mapping as well and the sub-strings in LDAP search filters
might be useful as well.

The changes can be seen with
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=10&old_version=9


Please let me know your comments and suggestions.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
 *
http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping


=== Problem statement ===
 Mapping 
Currently it is required that a certificate used for authentication is
either stored in the LDAP user entry or in a matching override. This
might not always be applicable and other ways are needed to relate a
user with a certificate.

 Matching 
Even if SSSD will support multiple certificates on a Smartcard in the
context of https://fedorahosted.org/sssd/ticket/3050 it might be
necessary to restrict (or relax) the current certificate selection in
certain environments.

=== Use cases ===
 Mapping 
In some environments it might not be possible or would cause unwanted
effort to add certificates to the LDAP entry of the users to allow
Smartcard based authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

 Matching 
A user might have multiple certificates on a Smartcard which are
suitable for authentication. But on some hosts in the environment only
certificates from a specific CA (while all other CAs are trusted as
well) or with some special extension should be valid for login.

=== Overview of the solution ===
To match a certificate a language/syntax has to be defined which
allows referencing items from the certificate and comparing the values
with the expected data. To map the certificates to a user the
language/syntax should allow relating certificate items with LDAP
attributes so that the value(s) from the certificate item can be used
in an LDAP search filter.


Note that in some cases it might be possible to map a certificate to a
user without having to do an extra LDAP search, for example when the
certificate contains the principal name of the user. Does the design
allow this? Or is there no extra LDAP search?




=== Implementation details ===
 Matching 
The pkinit plugin of MIT Kerberos must find a suitable certificate
from a Smartcard as well and has defined the following syntax (see the
pkinit_cert_match section of the krb5.conf man page or
http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html
for details). The main components are

* <SUBJECT>regular-expression
* <ISSUER>regular-expression
* <SAN>regular-expression
* <EKU>extended-key-usage-list
* <KU>key-usage-list

and can be grouped together with a prefixed '&&' (and) or '`||`' (or)
operator ('&&' is the default). If multiple rules are given they are
iterated in the order of the config file as long as a rule matches
exactly one certificate.

'''Question: MIT Kerberos uses case-sensitive matching and POSIX
Extended Regular Expression syntax, shall we do the same?'''

While  and  are (imo) already quite flexible I can
see some potential extensions for the other components.


I don't think regular expressions are a particularly good choice for DN
matching. It is difficult to express assertions which are quite natural
for DNs (matching multi-attribute RDNs, matching the same attribute type
by different identifiers, respecting the defined matching rules of
attribute types) and at the same time it is easy to express assertions
which do not make much sense for DNs (matching substrings in attribute
names, matching across multiple syntactical 
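The pkinit_cert_match component syntax the design page borrows from MIT krb5, next to the attribute-aware RDN check Jan is asking for and the LDAP-filter step from "Overview of the solution", as an added example that is neither SSSD's nor FreeIPA's code. The certificates are constructed Python dicts rather than parsed X.509 objects so the block runs without a crypto library; the rule grammar is the documented krb5 one (`<SUBJECT>`, `<ISSUER>`, `<SAN>`, `<EKU>`, `<KU>`, optional leading `&&`/`||`); the (item, LDAP attribute) form of the mapping helper is this example's assumption, not the design's syntax.

```python
# Added example; not SSSD or FreeIPA code.  Certificates are constructed dicts:
# subject/issuer as RDN sequences (each RDN a list of (type, value) pairs, the
# way X.509 stores them), SAN strings, and EKU/KU name sets.
import re

CERT_OK = {
    "subject": [[("CN", "Alice Smith")], [("OU", "Users")], [("O", "Example Corp")]],
    "issuer": [[("CN", "Example Corp CA")], [("O", "Example Corp")]],
    "san": ["alice@EXAMPLE.COM"],
    "eku": {"clientAuth", "msScLogin"},
    "ku": {"digitalSignature"},
}
CERT_LOOKALIKE = {
    "subject": [[("CN", "Mallory")], [("O", "Example Corporation Partners")]],
    "issuer": [[("CN", "Partner CA")], [("O", "Partner")]],
    "san": ["mallory*)(uid=admin"],      # hostile SAN for the filter-escaping test
    "eku": {"clientAuth"},
    "ku": {"digitalSignature"},
}

_COMPONENT = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def dn_to_string(dn):
    """Render an RDN sequence the way a regex matcher sees it (values unescaped)."""
    return ",".join("+".join("%s=%s" % (t, v) for t, v in rdn) for rdn in dn)


def parse_rule(rule):
    """Split '[&&|||]<SUBJECT>re<EKU>a,b...' into (operator, [(item, arg), ...])."""
    op = "&&"                             # krb5 default when no prefix is given
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    parts = _COMPONENT.split(rule)        # ['', 'SUBJECT', 're', 'EKU', 'a,b']
    if parts[0].strip():
        raise ValueError("rule must start with a <COMPONENT> tag")
    return op, list(zip(parts[1::2], parts[2::2]))


def match_regex(cert, rule):
    """MIT-style matching: regexes over rendered DN strings and SAN values."""
    op, components = parse_rule(rule)
    results = []
    for item, arg in components:
        if item in ("SUBJECT", "ISSUER"):
            results.append(re.search(arg, dn_to_string(cert[item.lower()])) is not None)
        elif item == "SAN":
            results.append(any(re.search(arg, s) for s in cert["san"]))
        else:                             # EKU / KU: every listed usage must be present
            results.append(set(arg.split(",")) <= cert[item.lower()])
    return all(results) if op == "&&" else any(results)


def has_rdn(dn, attr, value):
    """Structured check: some RDN carries attr=value as a whole attribute value.

    Compared case-insensitively, as caseIgnoreMatch for CN/O/OU prescribes; a
    regex over the rendered string honours neither RDN boundaries nor the
    attribute's matching rule.
    """
    return any(t.upper() == attr.upper() and v.casefold() == value.casefold()
               for rdn in dn for t, v in rdn)


def match_structured(cert, subject=(), issuer=(), eku=(), ku=()):
    """Attribute-aware equivalent of a '&&' rule: every assertion must hold."""
    return (all(has_rdn(cert["subject"], t, v) for t, v in subject)
            and all(has_rdn(cert["issuer"], t, v) for t, v in issuer)
            and set(eku) <= cert["eku"] and set(ku) <= cert["ku"])


def ldap_filter_escape(value):
    """RFC 4515 escaping for a certificate-derived value placed in a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def map_to_filter(cert, item, ldap_attr):
    """Build '(attr=value)' for the user lookup from one certificate item.

    The (item, ldap_attr) pairing is this example's own form.  The escaping is
    the important part: with externally issued certificates the value is
    chosen by the card issuer, and an unescaped '*' or ')' rewrites the search.
    """
    value = cert["san"][0] if item == "SAN" else dn_to_string(cert[item.lower()])
    return "(%s=%s)" % (ldap_attr, ldap_filter_escape(value))
```

The regex rule `<SUBJECT>O=Example Corp` accepts the look-alike certificate because the rendered DN `CN=Mallory,O=Example Corporation Partners` contains that substring, which is the cross-RDN matching Jan describes; `has_rdn` rejects it because no RDN has the whole value `Example Corp`. The filter escaping matters for the mapping half of the design: the value copied out of the certificate lands in an LDAP search, so it has to be treated as untrusted input.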

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-25 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

tiran commented:
"""
You gave a good reason to not use ```CONFIG_STATUS_DEPENDENCIES``` and I agree 
with your reasoning. I don't see a case against ```AC_CONFIG_FILE```, though. 
```config.status``` substitution feature is more powerful than manual sed 
rules. I'm worried that we are going to run into problems in the future. It's 
surprising that some files can use all ```@VAR@``` substitutions and some only 
a limited subset.

Your patch already introduces proper dependencies for ```ipasetup.py``` and 
```version.py```. Why not introduce a build rule for these files in 
```Makefile.python.am```?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-262952627

[Freeipa-devel] [freeipa PR#252][comment] Use namespace-aware meta importer for ipaplatform

2016-11-25 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/252
Title: #252: Use namespace-aware meta importer for ipaplatform

stlaz commented:
"""
It is not AFAIK. I noted that in https://fedorahosted.org/freeipa/ticket/6474 
comment and there's also discussion about this in 
https://github.com/freeipa/freeipa/pull/271. Closing this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/252#issuecomment-262951316

[Freeipa-devel] [freeipa PR#267][reopened] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267

[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
From bc334adfffdfaa120d9c7dd6c5691d5755a442f4 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Nov 2016 13:55:14 +0100
Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until
 required

Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only an IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 135 ++--
 ipapython/ipautil.py|  71 ---
 2 files changed, 97 insertions(+), 109 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..d950793 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -33,10 +33,11 @@ import sys
 import os
 import signal
 import tempfile
+import select
 import socket
 import time
 import threading
-import errno
+import traceback
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
@@ -44,11 +45,12 @@ import gssapi
 from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
-RESPONDERS = [ ]
+RESPONDER = None
 QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
+
 class SshExec(object):
 def __init__(self, user, addr):
 self.user = user
@@ -94,6 +96,7 @@ class CheckedPort(object):
 self.port_type = port_type
 self.description = description
 
+
 BASE_PORTS = [
 CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
 CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
@@ -110,6 +113,7 @@ def print_info(msg):
 if not QUIET:
 print(msg)
 
+
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -209,6 +213,7 @@ def parse_options():
 
 return safe_options, options
 
+
 def logging_setup(options):
 log_file = None
 
@@ -217,16 +222,6 @@ def logging_setup(options):
 
 standard_logging_setup(log_file, debug=options.debug)
 
-def clean_responders(responders):
-if not responders:
-return
-
-for responder in responders:
-responder.stop()
-
-for responder in responders:
-responder.join()
-responders.remove(responder)
 
 def sigterm_handler(signum, frame):
 # do what SIGINT does (raise a KeyboardInterrupt)
@@ -234,6 +229,7 @@ def sigterm_handler(signum, frame):
 if callable(sigint_handler):
 sigint_handler(signum, frame)
 
+
 def configure_krb5_conf(realm, kdc, filename):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
@@ -281,32 +277,95 @@ def configure_krb5_conf(realm, kdc, filename):
 
 krbconf.newConf(filename, opts)
 
+
 class PortResponder(threading.Thread):
 
-def __init__(self, port, port_type, socket_timeout=1):
+PROTO = {socket.SOCK_STREAM: 'tcp',
+ socket.SOCK_DGRAM: 'udp'}
+
+def __init__(self, ports):
+"""
+ports: a list of CheckedPort
+"""
 super(PortResponder, self).__init__()
-self.port = port
-self.port_type = port_type
-self.socket_timeout = socket_timeout
-self._stop_request = False
+self.ports = ports
+self._sockets = []
+self._close = False
+self.responder_data = 'FreeIPA'
 
 def run(self):
-while not self._stop_request:
+root_logger.debug('Starting listening thread.')
+
+for port in self.ports:
+self._bind_to_port(port.port, port.port_type)
+
+while not self._close:
+ready_socks, _socks1, _socks2 = select.select(
+self._sockets, [], [], 1)
+if ready_socks:
+ready_sock = ready_socks[0]
+self._respond(ready_sock)
+
+for sock in self._sockets:
+port = sock.getsockname()[1]
+proto = PortResponder.PROTO[sock.type]
+sock.close()
+root_logger.debug('%(port)d %(proto)s: Stopped listening' %
+  dict(port=port, proto=proto))
+
+def _bind_to_port(self, port, socket_type):
+# 

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-25 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

pspacek commented:
"""
I already described problems with `AC_CONFIG_FILE` in 
https://github.com/freeipa/freeipa/pull/251#issuecomment-261470338 a week ago, 
including envisioned move from `AC_CONFIG_FILE` to `Makefile.am`.

Please propose a solution which does not have problems mentioned in 
https://github.com/freeipa/freeipa/pull/251#issuecomment-261470338 so we can 
consider it.


For the record, this sed replacement is nothing unusual. The sed replacement is 
what [Autoconf v2.69 manual chapter 4.8.2 Installation Directory 
Variables](https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Installation-Directory-Variables.html)
 recommends and is already used all over the place in the build system (init 
directory, daemons/ipa-otpd, and elsewhere).

It is a pity that you did not comment on the envisioned direction a week ago, nor 
three days ago when the first version of this PR was published.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-262948252

[Freeipa-devel] [freeipa PR#267][closed] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267

[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-25 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

tiran commented:
"""
I don't like the approach and prefer ```AC_CONFIG_FILE``` over manual sed for 
templating. You only have to add a couple of rules like 

```
# Makefile.python.am
$(top_builddir)/ipasetup.py: $(top_builddir)/config.status 
$(top_builddir)/ipasetup.py.in
$(MAKE) -C $(top_builddir) $(@F)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-262940339

[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
From cc9d298efe702241ee9f5390d262175b9d230469 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Nov 2016 13:55:14 +0100
Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until
 required

Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only an IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 132 +---
 ipapython/ipautil.py|  71 ---
 2 files changed, 94 insertions(+), 109 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..30070e6 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -33,10 +33,11 @@ import sys
 import os
 import signal
 import tempfile
+import select
 import socket
 import time
 import threading
-import errno
+import traceback
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
@@ -44,11 +45,12 @@ import gssapi
 from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
-RESPONDERS = [ ]
+RESPONDER = None
 QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
+
 class SshExec(object):
 def __init__(self, user, addr):
 self.user = user
@@ -94,6 +96,7 @@ class CheckedPort(object):
 self.port_type = port_type
 self.description = description
 
+
 BASE_PORTS = [
 CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
 CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
@@ -110,6 +113,7 @@ def print_info(msg):
 if not QUIET:
 print(msg)
 
+
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -209,6 +213,7 @@ def parse_options():
 
 return safe_options, options
 
+
 def logging_setup(options):
 log_file = None
 
@@ -217,16 +222,6 @@ def logging_setup(options):
 
 standard_logging_setup(log_file, debug=options.debug)
 
-def clean_responders(responders):
-if not responders:
-return
-
-for responder in responders:
-responder.stop()
-
-for responder in responders:
-responder.join()
-responders.remove(responder)
 
 def sigterm_handler(signum, frame):
 # do what SIGINT does (raise a KeyboardInterrupt)
@@ -234,6 +229,7 @@ def sigterm_handler(signum, frame):
 if callable(sigint_handler):
 sigint_handler(signum, frame)
 
+
 def configure_krb5_conf(realm, kdc, filename):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
@@ -281,32 +277,92 @@ def configure_krb5_conf(realm, kdc, filename):
 
 krbconf.newConf(filename, opts)
 
+
 class PortResponder(threading.Thread):
 
-def __init__(self, port, port_type, socket_timeout=1):
+PROTO = {socket.SOCK_STREAM: 'tcp',
+ socket.SOCK_DGRAM: 'udp'}
+
+def __init__(self, ports):
+"""
+ports: a list of CheckedPort
+"""
 super(PortResponder, self).__init__()
-self.port = port
-self.port_type = port_type
-self.socket_timeout = socket_timeout
-self._stop_request = False
+self.ports = ports
+self._sockets = []
+self._close = False
+self.responder_data = 'FreeIPA'
 
 def run(self):
-while not self._stop_request:
+root_logger.debug('Starting listening thread.')
+
+for port in self.ports:
+self._bind_to_port(port.port, port.port_type)
+
+while not self._close:
+ready_socks, _socks1, _socks2 = select.select(
+self._sockets, [], [], 1)
+if ready_socks:
+ready_sock = ready_socks[0]
+self._respond(ready_sock)
+
+for sock in self._sockets:
+port = sock.getsockname()[1]
+proto = PortResponder.PROTO[sock.type]
+sock.close()
+root_logger.debug('%(port)d %(proto)s: Stopped listening' %
+  dict(port=port, proto=proto))
+
+def _bind_to_port(self, port, socket_type):
+# 
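Review bot: in `run()`, the sockets opened by the `for port in self.ports` bind loop are closed only by the loop that follows `while not self._close`, so if `_bind_to_port()` raises for one port (for example because it is already in use) or `_respond()` raises inside the select loop, the thread dies with the already-bound sockets left open and nothing reports the failure to the caller. Wrap the bind and select loops in `try`/`finally` so the close loop always runs, and store the exception on the thread (the newly imported `traceback` suggests this is the plan) so the caller can report it instead of waiting on a dead responder. Also, `PortResponder.PROTO[sock.type]` breaks if `_bind_to_port()` makes the sockets non-blocking: on Linux with Python 3 before 3.7, `sock.type` then carries the `SOCK_NONBLOCK` flag and the lookup raises `KeyError`; mapping from the `CheckedPort.port_type` the thread already holds avoids that.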

[Freeipa-devel] [freeipa PR#268][+ack] Build system must regenerate file when template changes

2016-11-25 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

Label: +ack

[Freeipa-devel] [freeipa PR#268][comment] Build system must regenerate file when template changes

2016-11-25 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/268
Title: #268: Build system must regenerate file when template changes

mbasti-rh commented:
"""
works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/268#issuecomment-262939243

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-25 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

stlaz commented:
"""
@jcholast Thanks, I'll add it as a comment to that ticket so that it's more 
visible to a potential community :)
@tiran I already did the review, the conflicts are very easily resolvable 
(ntpconf was moved, two functions are moved from ipa_replica_prepare.) I can 
see where you're heading and I guess it'd be better to split the PR for the 
future, although I prefer 1 PR for 1 ticket if that is doable and it is in this 
case. Can you please rather check if it matches your use-case and bless this PR 
with functional ACK so that we can get it pushed?

edit: Removed the LGTM till the outlined necessary issues are fixed, I expect 
that to come with the rebase.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-25 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

stlaz commented:
"""
@jcholast Thanks, I'll add it as a comment to that ticket so that it's more 
visible to a potential community :) + LGTM
@tiran I already did the review, the conflicts are very easily resolvable 
(ntpconf was moved, two functions are moved from ipa_replica_prepare.) I can 
see where you're heading and I guess it'd be better to split the PR for the 
future, although I prefer 1 PR for 1 ticket if that is doable and it is in this 
case. Can you please rather check if it matches your use-case and bless this PR 
with functional ACK so that we can get it pushed?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-262936876

[Freeipa-devel] [freeipa PR#274][opened] Improve the robustness FreeIPA's i18n module and its tests

2016-11-25 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/274
Author: martbab
 Title: #274: Improve the robustness FreeIPA's i18n module and its tests
Action: opened

PR body:
"""
Prevent false positive errors reported by `ipatests/i18n.py` and
`ipatests/test_ipalib/test_text.py` when the LANGUAGE env variable is set in the
environment.

Additionally, also set LC_ALL and LC_MESSAGES during checks to further improve
the robustness.

https://fedorahosted.org/freeipa/ticket/6512
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/274/head:pr274
git checkout pr274
From 23d62a4de47d85d3c2400b1aa85d3539fae6703b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 25 Nov 2016 12:16:27 +0100
Subject: [PATCH] Improve the robustness FreeIPA's i18n module and its tests

Prevent false positive errors reported by `ipatests/i18n.py` and
`ipatests/test_ipalib/test_text.py` when the LANGUAGE env variable is set in the
environment.

Additionally, also set LC_ALL and LC_MESSAGES during checks to further improve
the robustness.

https://fedorahosted.org/freeipa/ticket/6512
---
 ipatests/i18n.py  |  5 -
 ipatests/test_ipalib/test_text.py | 34 --
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/ipatests/i18n.py b/ipatests/i18n.py
index 8c6e641..37a90dd 100755
--- a/ipatests/i18n.py
+++ b/ipatests/i18n.py
@@ -600,8 +600,11 @@ def test_translations(po_file, lang, domain, locale_dir):
 # use a dummy language not associated with any real language,
 # but the setlocale function demands the locale be a valid
 # known locale, Zambia Xhosa is a reasonable choice :)
+locale_envs = ('LANGUAGE', 'LC_ALL', 'LC_MESSAGES', 'LANG')
 
-os.environ['LANG'] = lang
+os.environ.update(
+{locale_env: lang for locale_env in locale_envs}
+)
 
 # Create a gettext translation object specifying our domain as
 # 'ipa' and the locale_dir as 'test_locale' (i.e. where to
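Review bot: `test_translations()` now overwrites `LANGUAGE`, `LC_ALL`, `LC_MESSAGES` and `LANG` in `os.environ` for the whole process, and, unlike the `setup_lang()`/`teardown_lang()` pair added to test_text.py in the same patch, nothing in this hunk saves or restores the previous values, so the override leaks into whatever runs after this check. Snapshot the four variables before `os.environ.update(...)` and restore them in a `finally` block (popping any that were unset before), the same way test_text.py does.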
diff --git a/ipatests/test_ipalib/test_text.py b/ipatests/test_ipalib/test_text.py
index d510646..3d72d2b 100644
--- a/ipatests/test_ipalib/test_text.py
+++ b/ipatests/test_ipalib/test_text.py
@@ -52,11 +52,36 @@ def test_create_translation():
 
 
 class test_TestLang(object):
+lang_env_vars = {'LC_ALL', 'LC_MESSAGES', 'LANGUAGE', 'LANG'}
+
+def setup_lang(self):
+"""
+Set all env variables used by gettext to localize translation files
+to xh_ZA
+"""
+self.lang = 'xh_ZA'
+self.saved_locale = {
+k: v for k, v in os.environ.items() if k in self.lang_env_vars}
+
+os.environ.update(
+{env_var: self.lang for env_var in self.lang_env_vars}
+)
+
+def teardown_lang(self):
+"""
+Revert the locale settings to original values. If the original env
+variable was not set before, it will be popped off os.environ
+"""
+for env_var in self.lang_env_vars:
+if env_var not in self.saved_locale:
+os.environ.pop(env_var, None)
+
+os.environ.update(self.saved_locale)
+
 def setup(self):
 self.tmp_dir = None
-self.saved_lang  = None
+self.setup_lang()
 
-self.lang = 'xh_ZA'
 self.domain = 'ipa'
 
 self.pot_basename = '%s.pot' % self.domain
@@ -64,7 +89,6 @@ def setup(self):
 self.mo_basename = '%s.mo' % self.domain
 
 self.tmp_dir = tempfile.mkdtemp()
-self.saved_lang  = os.environ['LANG']
 
 self.locale_dir = os.path.join(self.tmp_dir, 'test_locale')
 self.msg_dir = os.path.join(self.locale_dir, self.lang, 'LC_MESSAGES')
@@ -93,8 +117,7 @@ def setup(self):
 self.po_file_iterate = po_file_iterate
 
 def teardown(self):
-if self.saved_lang is not None:
-os.environ['LANG'] = self.saved_lang
+self.teardown_lang()
 
 if self.tmp_dir is not None:
 shutil.rmtree(self.tmp_dir)
@@ -107,7 +130,6 @@ def test_test_lang(self):
 # but the setlocale function demands the locale be a valid
 # known locale, Zambia Xhosa is a reasonable choice :)
 
-os.environ['LANG'] = self.lang
 
 # Create a gettext translation object specifying our domain as
 # 'ipa' and the locale_dir as 'test_locale' (i.e. where to
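Review bot: removing `os.environ['LANG'] = self.lang` leaves two consecutive blank lines inside `test_test_lang()`, between the "Zambia Xhosa" comment block and the "Create a gettext translation object" comment; drop one of them (flake8 E303) since the assignment was the only thing separating the two comments.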

[Freeipa-devel] Pytest plugins moved to Pagure

2016-11-25 Thread Petr Viktorin

Hello,

I've moved these Pytest plugins, originally developed for FreeIPA, from 
Fedorahosted to Pagure:


https://pagure.io/python-pytest-sourceorder
https://pagure.io/python-pytest-multihost
https://pagure.io/python-pytest-beakerlib

As I don't actively monitor the freeipa-devel list any more, I'd like to 
ask everyone to start any *new* conversations about the plugins in 
Pagure Issues (or Pull Requests).



Thanks for letting me use the list until now!


--
Petr Viktorin



[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-25 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
From 964243fd4020d338b156f6c8c4055404e6e8c884 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Nov 2016 13:55:14 +0100
Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until
 required

Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only an IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 134 +---
 ipapython/ipautil.py|  71 ---
 2 files changed, 94 insertions(+), 111 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 4045e41..4e970a8 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -33,10 +33,11 @@ import sys
 import os
 import signal
 import tempfile
+import select
 import socket
 import time
 import threading
-import errno
+import traceback
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
@@ -44,11 +45,12 @@ import gssapi
 from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
-RESPONDERS = [ ]
+RESPONDER = None
 QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
+
 class SshExec(object):
 def __init__(self, user, addr):
 self.user = user
@@ -94,6 +96,7 @@ class CheckedPort(object):
 self.port_type = port_type
 self.description = description
 
+
 BASE_PORTS = [
 CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
 CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
@@ -110,6 +113,7 @@ def print_info(msg):
 if not QUIET:
 print(msg)
 
+
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -209,6 +213,7 @@ def parse_options():
 
 return safe_options, options
 
+
 def logging_setup(options):
 log_file = None
 
@@ -217,16 +222,6 @@ def logging_setup(options):
 
 standard_logging_setup(log_file, debug=options.debug)
 
-def clean_responders(responders):
-if not responders:
-return
-
-for responder in responders:
-responder.stop()
-
-for responder in responders:
-responder.join()
-responders.remove(responder)
 
 def sigterm_handler(signum, frame):
 # do what SIGINT does (raise a KeyboardInterrupt)
@@ -234,6 +229,7 @@ def sigterm_handler(signum, frame):
 if callable(sigint_handler):
 sigint_handler(signum, frame)
 
+
 def configure_krb5_conf(realm, kdc, filename):
 
 krbconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")
@@ -281,32 +277,92 @@ def configure_krb5_conf(realm, kdc, filename):
 
 krbconf.newConf(filename, opts)
 
+
 class PortResponder(threading.Thread):
 
-def __init__(self, port, port_type, socket_timeout=1):
+PROTO = {socket.SOCK_STREAM: 'tcp',
+ socket.SOCK_DGRAM: 'udp'}
+
+def __init__(self, ports):
+"""
+ports: a list of CheckedPort
+"""
 super(PortResponder, self).__init__()
-self.port = port
-self.port_type = port_type
-self.socket_timeout = socket_timeout
-self._stop_request = False
+self.ports = ports
+self._sockets = []
+self._close = False
+self.responder_data = 'FreeIPA'
 
 def run(self):
-while not self._stop_request:
+root_logger.debug('Starting listening thread.')
+
+for port in self.ports:
+self._bind_to_port(port.port, port.port_type)
+
+while not self._close:
+ready_socks, _socks1, _socks2 = select.select(
+self._sockets, [], [], 1)
+if ready_socks:
+ready_sock = ready_socks[0]
+self._respond(ready_sock)
+
+for sock in self._sockets:
+port = sock.getsockname()[1]
+proto = PortResponder.PROTO[sock.type]
+sock.close()
+root_logger.debug('%(port)d %(proto)s: Stopped listening' %
+  dict(port=port, proto=proto))
+
+def _bind_to_port(self, port, socket_type):
+# 

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-25 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

jcholast commented:
"""
@stlaz, [this thread at freeipa-devel](https://www.redhat.com/archives/freeipa-devel/2016-November/msg00776.html) should answer your question.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-262918453

[Freeipa-devel] [freeipa PR#273][opened] Build: workaround bug while calling parallel make from rpmbuild

2016-11-25 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/273
Author: pspacek
 Title: #273: Build: workaround bug while calling parallel make from rpmbuild
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6418
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/273/head:pr273
git checkout pr273
From 734d949e83be8cfd7ab8cde481438ebf37848f26 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 25 Nov 2016 10:23:34 +0100
Subject: [PATCH] Build: workaround bug while calling parallel make from
 rpmbuild

https://fedorahosted.org/freeipa/ticket/6418
---
 freeipa.spec.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c683ad3..2b7694d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -692,7 +692,8 @@ export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
 %configure --with-vendor-suffix=-%{release}
-%make_build
+# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
+%make_build -Onone
 
 
 %check
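Review bot: the comment above `%make_build -Onone` only points at the bugzilla; say in the comment what the flag does (`-O` is GNU make's output-synchronization option and `-Onone` switches it off) so the next reader knows which behaviour the workaround disables and can tell when it is safe to drop. Note also that `-O` exists only in GNU make 4.0 and later; fine on Fedora, but worth keeping in mind if this spec is ever built on an older platform.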

[Freeipa-devel] [freeipa PR#269][comment] Prevent denial of replication updates during CA replica install

2016-11-25 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/269
Title: #269: Prevent denial of replication updates during CA replica install

flo-renaud commented:
"""
Hi,
thanks for the patch! Everything works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/269#issuecomment-262912639

[Freeipa-devel] [freeipa PR#222][closed] Fix ipa-replica-install when upgrade from ca-less to ca-full

2016-11-25 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/222
Author: flo-renaud
 Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/222/head:pr222
git checkout pr222

[Freeipa-devel] [freeipa PR#222][+pushed] Fix ipa-replica-install when upgrade from ca-less to ca-full

2016-11-25 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/222
Title: #222: Fix ipa-replica-install when upgrade from ca-less to ca-full

Label: +pushed

[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs

2016-11-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e617f895e70e6812836870f504af6e22a5dc7def
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/231#issuecomment-262902105

[Freeipa-devel] [freeipa PR#231][+pushed] Do not log DM password in ca/kra installation logs

2016-11-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

Label: +pushed

[Freeipa-devel] [freeipa PR#231][closed] Do not log DM password in ca/kra installation logs

2016-11-25 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/231
Author: stlaz
 Title: #231: Do not log DM password in ca/kra installation logs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/231/head:pr231
git checkout pr231

[Freeipa-devel] [freeipa PR#231][+ack] Do not log DM password in ca/kra installation logs

2016-11-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

Label: +ack

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-25 Thread Martin Basti

On 24.11.2016 20:31, Gabe Alford wrote:
On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti wrote:

On 24.11.2016 16:11, Gabe Alford wrote:

On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti wrote:

On 24.11.2016 07:06, David Kupka wrote:

On 22/11/16 23:15, Gabe Alford wrote:

I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the IPA servers and have the servers sync to the NTP source. This way if the NTP source ever gets disrupted for long periods of time (which has happened in my environment) the client time drifts with the authentication source. This is the way that AD often works and is configured.


Hello Gabe,
I agree that it's common practice to synchronize all nodes in a network with a single source in order to have the same time and save bandwidth. Also I understand that it's comfortable to let the FreeIPA installer take care of it. But I don't think FreeIPA should do it; IMO this is a job for Ansible or a similar tool. Also the problem is that in some situations the FreeIPA installer makes it worse.

Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy


Why not have NTP look at _srv_ records?


Do NTP clients support this natively? I just found some ugly hacks for chrony, i.e. an extra service that dynamically changes the config file.
But yes, this may be a way too, but dirty.


You are right. It is ugly. I wonder if we can push to make it not so ugly so that _srv_ is used for both Chrony and NTP, which IMO makes those two products better. If not, and the desire is truly to get rid of chrony/ntp configuration on the client side, what about adding Chrony and NTP configuration to ipa-advise?


And I realized that this may be applicable only if IPA is installed with integrated DNS, when IPA automatically updates the system services' DNS records. With external DNS we will bother admins to create SRV records, so it is the same as creating DHCP configuration.


We can add it to ipa-advise.

Martin^2


Now all the clients have ipa1.example.org as the only server in /etc/ntp.conf. If the first FreeIPA server becomes unreachable, all clients will be able to contact the KDC on the other server thanks to DNS autodiscovery in libkrb5 but will be unable to synchronize time.


This can be resolved by DHCP-configured NTP. When the NTP server changes, you just change the DHCPd config and the hosts' conf will be synced.
We may keep NTP configured on the IPA server side, but I'm voting for removing it from clients and documenting and endorsing that people use DHCP (anyway distros have always enabled some time synchronization, so it should naturally work even without this in small deployments).


If NTP is still configured on the IPA server, this may be less of an issue. Not everyone has/is/will be using Ansible. Also in secure environments, DHCP is not allowed/used at all.

Also NTP is somehow incompatible with containers; usually containers have time synchronized from the host, and by default the IPA client container doesn't do NTP configuration.


Isn't that what the --no-ntp option in the client is for anyway?


Let's deprecate it in 4.5.

Martin^2




On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:

On 22.11.2016 13:06, Petr Spacek wrote:

On 22.11.2016 12:15, David Kupka wrote:

Hello everyone!

Is it worth it to keep configuring NTP in FreeIPA?

In a usual environment there are no special requirements for time synchronization and the distribution default (be it ntpd, chrony or anything else) will just work. Any tampering with the configuration can't make it any better.

In environment with special requirements
(network