Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Jan Cholasta

On 30.11.2016 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints are the only external measure we
>>> have. There is close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and a better discovery of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is
> dropped and managed by the OS or other administrators.
>
> What implication does this have for configuring NTP server on masters?
> Would that be stopped as well? What about existing installs?

I think there should be no implication, the server is a completely
different thing.

The only thing I would maybe do is to detect if there is an existing NTP
server configuration and if there is, do not touch it.

> I don't believe there is a precedence for removing a service from IPA.
>
> rob




--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Simo Sorce
On Wed, 2016-11-30 at 16:57 +0100, David Kupka wrote:
> Upgrades to 4.x will revert configuration if done by FreeIPA.

Why would you revert a perfectly valid configuration?
I can understand that you want to stop managing the server, but I do not
see why you should un-configure it.

> I think it's actually that simple. The only hard part is reaching the 
> agreement.

I still think we need to offer the NTP option even if not on by default,
so on upgrade we would have to keep maintaining it.

Keep in mind that NTP is extremely important, still, in virtualized
environment and PoC environment where you must assure, with your own
means, that clocks are synchronized. Testing environments are often very
broken, reason why we also offer a DNS server.
And a testing environment generally gives you the first impression, so if
it breaks horribly (as it does when clocks are not in sync) then people
just stop caring and do not move to production.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
+1 for my trick

Since I disabled the import warnings for samba bindings in fef6f18aa, pylint is 
passing under Python 3, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-263954366

[Freeipa-devel] [freeipa PR#290][closed] Require python-cryptography >= 1.3.1

2016-11-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
 Title: #290: Require python-cryptography >= 1.3.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290

[Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/289982e02fa6bef700fe2c1900ddbed864876faa
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/290#issuecomment-263922200

[Freeipa-devel] [freeipa PR#290][+ack] Require python-cryptography >= 1.3.1

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

Label: +ack

[Freeipa-devel] [freeipa PR#290][+pushed] Require python-cryptography >= 1.3.1

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

Label: +pushed

[Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0

2016-11-30 Thread frozencemetery
  URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

frozencemetery commented:
"""
We (the python-gssapi team) do not believe that is correct.  This problem with 
enum34 is fixed in the latest 1.1.z release (1.1.4).

We also do have CI that runs on every commit, so every released version should 
be stable, though 1.2.0 is also a great version.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/289#issuecomment-263917633

[Freeipa-devel] [bind-dyndb-ldap PR#1][comment] Port bind-dyndb-ldap to BIND 9.11

2016-11-30 Thread pspacek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Title: #1: Port bind-dyndb-ldap to BIND 9.11

pspacek commented:
"""
Pushed to master:

2649ef1da1cbfc1203337665c4e589e1fe75f04b BIND 9.11: Remove #if blocks for older 
BIND versions.
8178f3cf856829c081a663a2e3f4d77ecc2db6b1 BIND 9.11: Add wrapper for new DB API 
method nodefullname.
da9bc9b157a5ddc9a70147bf8df94e2bebb05c07 BIND 9.11: Port to new dyndb API.
08da3390cfc0985abdc0f791115f0f595e915df6 BIND 9.11: use new public header 
isc/errno.h instead of private isc/errno2result.h
4424cc349142dc7501eabaf352cf2ce59c34d7cb Fix error handling in 
syncrepl_update() to avoid hung mctx.
c3bfe1a62ac4f8a73207bf4e80d64a4a3a58d9e4 Remove obsolete options: cache_ttl, 
psearch, serial_autoincrement, zone_refresh.
e7cb75353d1b8fec6f063e4edaf5ead5b784e10d Use ISC configuration parser for dyndb 
section.
7c8d8e553932ad1ce05d6fb8b4e845d4fdf7d6c2 Print configuration grammar when a 
configuration error is detected.
189c1850582bac964877764e7f0828d083a1d384 Migrate README to Markdown syntax: 
create README.md
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/1#issuecomment-263915947

[Freeipa-devel] [bind-dyndb-ldap PR#1][closed] Port bind-dyndb-ldap to BIND 9.11

2016-11-30 Thread pspacek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/1
Author: pspacek
 Title: #1: Port bind-dyndb-ldap to BIND 9.11
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/1/head:pr1
git checkout pr1

[Freeipa-devel] [freeipa PR#290][synchronized] Require python-cryptography >= 1.3.1

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
 Title: #290: Require python-cryptography >= 1.3.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290
From fa40d5247dbc742ac7fe8a4d42b37d8df4004710 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 30 Nov 2016 11:10:36 +0100
Subject: [PATCH] Require python-cryptography >= 1.3.1

python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.

Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in | 12 ++--
 ipasetup.py.in  |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index bdf510f..15c3e68 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -113,8 +113,8 @@ BuildRequires:  python-cffi
 %if 0%{?with_lint}
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
-# 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python-cryptography >= 0.6
+# 1.3: oldest PyPI version that still compiles with recent OpenSSL
+BuildRequires:  python-cryptography >= 1.3.1
 BuildRequires:  python-gssapi >= 1.2.0
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
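
Review bot: The new comment in this hunk reads "# 1.3: oldest PyPI version that still compiles with recent OpenSSL", but the constraint directly below it is ">= 1.3.1" and the commit message names 1.3.1 as the oldest well tested version. Make the comment say 1.3.1 so the stated floor and the enforced floor agree. The removed comment also recorded which APIs set the earlier 0.6 floor (serialization.load_pem_private_key, load_pem_public_key); keeping that line alongside the new one preserves the reason the dependency exists at all.
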
@@ -510,7 +510,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 0.9
+Requires: python-cryptography >= 1.3.1
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -559,7 +559,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
-Requires: python3-cryptography
+Requires: python3-cryptography >= 1.3.1
 Requires: python3-netaddr
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
@@ -633,7 +633,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
-Requires: python2-cryptography
+Requires: python2-cryptography >= 1.3.1
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
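
Review bot: This hunk pins "python2-cryptography", while the Python 2 runtime requirement in the -510 hunk is spelled "python-cryptography". Both names predate the patch, but since every cryptography requirement is being touched here, settle on one spelling for the Python 2 package so the 1.3.1 floor is expressed against the same package name throughout the spec.
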
@@ -667,7 +667,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
-Requires: python3-cryptography
+Requires: python3-cryptography >= 1.3.1
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 08c9178..2200e4b 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -52,7 +52,7 @@ class build_py(setuptools_build_py):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 0.9',
+'cryptography': 'cryptography >= 1.3.1',
 'dnspython': 'dnspython >= 1.13',
 'gssapi': 'gssapi > 1.2.0',
 'ipaclient': 'ipaclient == @VERSION@',
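
Review bot: The context line "'gssapi': 'gssapi > 1.2.0'" directly below the changed entry excludes 1.2.0 itself, while freeipa.spec.in in this same patch shows "BuildRequires:  python-gssapi >= 1.2.0". The commit message states that the policy is to keep requirements in sync, so the operator here should be ">=" (in this patch or a follow-up); as written, a PyPI install rejects a version the RPM accepts.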

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread David Kupka

On 30/11/16 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints are the only external measure we
>>> have. There is close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and a better discovery of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is
> dropped and managed by the OS or other administrators.
>
> What implication does this have for configuring NTP server on masters?
> Would that be stopped as well? What about existing installs?
>
> I don't believe there is a precedence for removing a service from IPA.
>
> rob



Well, everything was done for the first time at some point in history.

I would prefer removing it from server too.

I imagine it this way:
0. We agree that NTP as FreeIPA service will be dropped in 4.x
1. We add big fat warning to nearest release (currently 4.5) that 
FreeIPA will stop supporting NTP as its service on server and client and 
if NTP was configured by FreeIPA (we can tell from sysrestore) upgrade 
will revert those changes.
2. New installations of 4.x will not configure NTP on server nor client. 
Upgrades to 4.x will revert configuration if done by FreeIPA.


I think it's actually that simple. The only hard part is reaching the 
agreement.


While I understand that the value of FreeIPA is entirely in taking care 
of non-trivial services and orchestrating them in a way most comfortable 
for the administrator I think configuring NTP is:

 * reasonably easy (<5 lines on client, <10 lines on server),
 * unnecessary in most cases (distributions defaults or 
DHCP+NetworkManager just work)

and so not worth keeping in FreeIPA.

--
David Kupka



[Freeipa-devel] [freeipa PR#284][+ack] ipautil: check for open ports on all resolved IPs

2016-11-30 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs

Label: +ack

[Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs

2016-11-30 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
 Title: #284: ipautil: check for open ports on all resolved IPs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
From d85861c7b24d7e1bf21ed55d9cb9d7add1580e2f Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 29 Nov 2016 18:19:07 +0100
Subject: [PATCH] ipautil: check for open ports on all resolved IPs

When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
---
 install/tools/ipa-replica-conncheck |  5 +++--
 ipapython/ipautil.py| 44 -
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 544116e..9a30385 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -315,8 +315,9 @@ def port_check(host, port_list):
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
 try:
-port_open = ipautil.host_port_open(host, port.port,
-port.port_type, socket_timeout=CONNECT_TIMEOUT)
+port_open = ipautil.host_port_open(
+host, port.port, port.port_type,
+socket_timeout=CONNECT_TIMEOUT, log_errors=True)
 except socket.gaierror:
 raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 if port_open:
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 1c95a81..73056e5 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -55,6 +55,12 @@
 GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 
 
+PROTOCOL_NAMES = {
+socket.SOCK_STREAM: 'tcp',
+socket.SOCK_DGRAM: 'udp'
+}
+
+
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
 
@@ -866,15 +872,21 @@ def user_input(prompt, default = None, allow_empty = True):
 return ret
 
 
-def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
+   socket_timeout=None, log_errors=False):
+"""
+host: either hostname or IP address;
+  if hostname is provided, port MUST be open on ALL resolved IPs
+
+returns True is port is open, False otherwise
+"""
+port_open = True
+
+# port has to be open on ALL resolved IPs
 for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
 af, socktype, proto, _canonname, sa = res
 try:
-try:
-s = socket.socket(af, socktype, proto)
-except socket.error:
-s = None
-continue
+s = socket.socket(af, socktype, proto)
 
 if socket_timeout is not None:
 s.settimeout(socket_timeout)
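
Review bot: With the inner try/except removed in this hunk, "s" is never bound if "socket.socket(af, socktype, proto)" raises on the first resolved address, yet the "finally" clause in the next hunk still evaluates "if s:", so the function fails with an unbound-name error instead of reporting the port as closed. Assign "s = None" before the "try" on every iteration. The new docstring also has a typo: "returns True is port is open" should read "returns True if port is open".
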
@@ -884,15 +896,27 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No
 if socket_type == socket.SOCK_DGRAM:
 s.send('')
 s.recv(512)
-
-return True
 except socket.error:
-pass
+port_open = False
+
+if log_errors:
+msg = ('Failed to connect to port %(port)d %(proto)s on '
+   '%(addr)s' % dict(port=port,
+ proto=PROTOCOL_NAMES[socket_type],
+ addr=sa[0]))
+
+# Do not log udp failures as errors (to be consistent with
+# the rest of the code that checks for open ports)
+if socket_type == socket.SOCK_DGRAM:
+root_logger.warning(msg)
+else:
+root_logger.error(msg)
 finally:
 if s:
 s.close()
+s = None
 
-return False
+return port_open
 
 def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
 host = None   # all available interfaces
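
Review bot: The failure path indexes "PROTOCOL_NAMES[socket_type]" inside the "except socket.error" handler, so a caller passing any socket type other than SOCK_STREAM or SOCK_DGRAM gets a KeyError raised from the handler rather than a False result; use "PROTOCOL_NAMES.get(socket_type, socket_type)" or build the message outside the handler. Separately, dropping the early "return True" means every resolved address is now probed, so a host with several unreachable addresses waits up to one socket_timeout per address; state that in the docstring so callers size CONNECT_TIMEOUT accordingly.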

[Freeipa-devel] [freeipa PR#287][+pushed] Wheel bundles fixes

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

Label: +pushed

[Freeipa-devel] [freeipa PR#287][closed] Wheel bundles fixes

2016-11-30 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/287
Author: tiran
 Title: #287: Wheel bundles fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/287/head:pr287
git checkout pr287

[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/235f68524767c1eb2e12fb6d1d9f6a520414c583
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/287#issuecomment-263907173

[Freeipa-devel] [freeipa PR#285][+pushed] Check the result of cert request in replica installer

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

Label: +pushed

[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
 Title: #263: Backwards compatibility with setuptools 0.9.8
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
From 5ed592d08488a50990992616e9728f1b530d391d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 22 Nov 2016 16:08:46 +0100
Subject: [PATCH] Backwards compatibility with setuptools 0.9.8

Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 31 +--
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index 08c9178..8e1dc21 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -50,16 +50,27 @@ class build_py(setuptools_build_py):
 return setuptools_build_py.build_module(self, module,
 module_file, package)
 
+import setuptools
+
+VERSION = '@VERSION@'
+
+SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))
+
+# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix
+# PEP 440 was introduced in setuptools 8.
+if SETUPTOOLS_VERSION < (8, 0, 0):
+VERSION = VERSION.split('+')[0]
+
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
 'dnspython': 'dnspython >= 1.13',
 'gssapi': 'gssapi > 1.2.0',
-'ipaclient': 'ipaclient == @VERSION@',
-'ipalib': 'ipalib == @VERSION@',
-'ipaplatform': 'ipaplatform == @VERSION@',
-'ipapython': 'ipapython == @VERSION@',
-'ipaserver': 'ipaserver == @VERSION@',
+'ipaclient': 'ipaclient == {}'.format(VERSION),
+'ipalib': 'ipalib == {}'.format(VERSION),
+'ipaplatform': 'ipaplatform == {}'.format(VERSION),
+'ipapython': 'ipapython == {}'.format(VERSION),
+'ipaserver': 'ipaserver == {}'.format(VERSION),
 'kdcproxy': 'kdcproxy >= 0.3',
 'netifaces': 'netifaces >= 0.10.4',
 'pyldap': 'pyldap >= 2.4.15',
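
Review bot: "SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))" raises ValueError at import time for any setuptools version string with a non-numeric component (pre-release, post or dev segments), which would break every setup.py that imports this module. Parse only the leading numeric components, or treat an unparsable version as new enough. The "import setuptools" also lands mid-file after the build_py class; move it up with the other imports.
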
@@ -70,7 +81,7 @@ PACKAGE_VERSION = {
 
 
 common_args = dict(
-version="@VERSION@",
+version=VERSION,
 license="GPLv3",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
@@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
+# Env markers like ":python_version<'3.3'" are not supported by
+# setuptools < 18.0.
+if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
+for k in list(setup_kwargs['extras_require']):
+if k.startswith(':'):
+req = setup_kwargs.setdefault('install_requires', [])
+req.extend(setup_kwargs['extras_require'].pop(k))
+
 os.chdir(local_path)
 try:
 # BEFORE importing distutils, remove MANIFEST. distutils doesn't
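
Review bot: Popping a key such as ":python_version<'3.3'" and extending "install_requires" with its requirements discards the marker, so on setuptools < 18.0 those packages become unconditional dependencies on every Python version. If that is the intended trade-off, say so in the comment; otherwise evaluate the condition here (for example against sys.version_info) before extending the list. Keys of the form "name:marker" are also not matched by "k.startswith(':')" and would still reach the old setuptools unchanged.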

[Freeipa-devel] [freeipa PR#285][closed] Check the result of cert request in replica installer

2016-11-30 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
 Title: #285: Check the result of cert request in replica installer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285

[Freeipa-devel] [freeipa PR#267][synchronized] ipa-replica-conncheck: do not close listening ports until required

2016-11-30 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/267
Author: tomaskrizek
 Title: #267: ipa-replica-conncheck: do not close listening ports until required
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/267/head:pr267
git checkout pr267
From 97d7ba26117cad07ebd7bd56bcf6efb4a479c492 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 23 Nov 2016 13:55:14 +0100
Subject: [PATCH] ipa-replica-conncheck: do not close listening ports until
 required

Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487
---
 install/tools/ipa-replica-conncheck | 151 +++-
 ipapython/ipautil.py|  71 -
 2 files changed, 113 insertions(+), 109 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 544116e..2413754 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -31,14 +31,16 @@ from ipaserver.install import installutils
 from optparse import OptionGroup, OptionValueError
 # pylint: enable=deprecated-module
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
+import copy
 import sys
 import os
 import signal
 import tempfile
+import select
 import socket
 import time
 import threading
-import errno
+import traceback
 from socket import SOCK_STREAM, SOCK_DGRAM
 import distutils.spawn
 from ipaplatform.paths import paths
@@ -46,11 +48,12 @@ import gssapi
 from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
-RESPONDERS = [ ]
+RESPONDER = None
 QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
+
 class SshExec(object):
 def __init__(self, user, addr):
 self.user = user
@@ -96,6 +99,7 @@ class CheckedPort(object):
 self.port_type = port_type
 self.description = description
 
+
 BASE_PORTS = [
 CheckedPort(389, SOCK_STREAM, "Directory Service: Unsecure port"),
 CheckedPort(636, SOCK_STREAM, "Directory Service: Secure port"),
@@ -112,6 +116,7 @@ def print_info(msg):
 if not QUIET:
 print(msg)
 
+
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -211,6 +216,7 @@ def parse_options():
 
 return safe_options, options
 
+
 def logging_setup(options):
 log_file = None
 
@@ -219,16 +225,6 @@ def logging_setup(options):
 
 standard_logging_setup(log_file, debug=options.debug)
 
-def clean_responders(responders):
-if not responders:
-return
-
-for responder in responders:
-responder.stop()
-
-for responder in responders:
-responder.join()
-responders.remove(responder)
 
 def sigterm_handler(signum, frame):
 # do what SIGINT does (raise a KeyboardInterrupt)
@@ -236,6 +232,7 @@ def sigterm_handler(signum, frame):
 if callable(sigint_handler):
 sigint_handler(signum, frame)
 
+
 def configure_krb5_conf(realm, kdc, filename):
 
 krbconf = ipaclient.install.ipachangeconf.IPAChangeConf("IPA Installer")
@@ -283,32 +280,107 @@ def configure_krb5_conf(realm, kdc, filename):
 
 krbconf.newConf(filename, opts)
 
+
 class PortResponder(threading.Thread):
 
-def __init__(self, port, port_type, socket_timeout=1):
+PROTO = {socket.SOCK_STREAM: 'tcp',
+ socket.SOCK_DGRAM: 'udp'}
+
+def __init__(self, ports):
+"""
+ports: a list of CheckedPort
+"""
 super(PortResponder, self).__init__()
-self.port = port
-self.port_type = port_type
-self.socket_timeout = socket_timeout
-self._stop_request = False
+# copy ports to avoid the need to synchronize it between threads
+self.ports = copy.deepcopy(ports)
+self._sockets = []
+self._close = False
+self._close_lock = threading.Lock()
+self.responder_data = 'FreeIPA'
+self.ports_open = threading.Condition()
 
 def run(self):
-while not self._stop_request:
+root_logger.debug('Starting listening thread.')
+
+for port in self.ports:
+self._bind_to_port(port.port, port.port_type)
+with self.ports_open:
+root_logger.debug('Ports opened, notify original thread')
+self.ports_open.notify()
+
+while not self._is_closing():
+

[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dbb98765d73519289ee22f3de1a5ccde140f6f5d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/285#issuecomment-263904080

[Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

martbab commented:
"""
Please rebase this PR and add ticket to the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/263#issuecomment-263903379

[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tomaskrizek commented:
"""
I wasn't able to fully test this since there is an issue with building 
`bdist_wheel`. But since ipaplatform dependency has been removed, it seems to 
be all right.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/287#issuecomment-263903162

[Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

mbasti-rh commented:
"""
needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/267#issuecomment-263903284

[Freeipa-devel] [freeipa PR#287][+ack] Wheel bundles fixes

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

Label: +ack

[Freeipa-devel] [freeipa PR#289][+pushed] Require python-gssapi >= 1.2.0

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

Label: +pushed

[Freeipa-devel] [freeipa PR#200][+pushed] Test: basic kerberos over http functionality

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

Label: +pushed

[Freeipa-devel] [freeipa PR#200][comment] Test: basic kerberos over http functionality

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/200
Title: #200: Test: basic kerberos over http functionality

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7fd46e42a9f5b4676415910b800e0340f77dc88
https://fedorahosted.org/freeipa/changeset/503d0929e9265dfc0c6c28ac49146b72a0a7edea
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/200#issuecomment-263902720

[Freeipa-devel] [freeipa PR#290][comment] Require python-cryptography >= 1.3.1

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/290
Title: #290: Require python-cryptography >= 1.3.1

martbab commented:
"""
Please rebase the PR so we can do clean merge, it should be simple conflict 
resolution.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/290#issuecomment-263902430

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Alexander Bokovoy

On Wed, 30 Nov 2016, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints is the only external measure we
>>> have. There are close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and a better discover of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is
> dropped and managed by the OS or other administrators.
>
> What implication does this have for configuring NTP server on masters?
> Would that be stopped as well? What about existing installs?

Here is the problem: in Kerberos realm services must have time
synchronized with KDC. The patches from StefW which added ability to
record a time skew between the Kerberos client and KDC do not apply to
Kerberos client - Kerberos service communication.

Given that IPA clients can host Kerberos services (at the very least,
SSH is such a service), this practically means they need to have a time
source that is synchronized with the KDC(s) they are talking to.

To me this means we should not really remove NTP configuration but
instead expand ntpd support to cover chronyd as well.

> I don't believe there is a precedence for removing a service from IPA.

Neither do I.

--
/ Alexander Bokovoy

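
A simplified model of the point made in the message above, as an added example that is not part of the original post or of FreeIPA: a client can compensate for its own offset from the KDC, but a service still compares the authenticator timestamp with its own local clock. The `Host` class, the drift values and the 300-second tolerance (MIT krb5's default `clockskew`) are assumptions of this example.

```python
"""Toy model of Kerberos timestamp checks (added example, not FreeIPA code)."""
from dataclasses import dataclass

# Assumption: 300 s tolerance, the default "clockskew" in MIT krb5.
CLOCKSKEW = 300


@dataclass
class Host:
    name: str
    drift: float             # constructed: seconds this clock is ahead of true time
    kdc_offset: float = 0.0  # correction a client learned from the KDC

    def now(self, true_time):
        """Local wall-clock reading of this host."""
        return true_time + self.drift


def learn_kdc_offset(client, kdc, true_time):
    """Client records (KDC time - own time); this is the client-to-KDC
    skew compensation the thread refers to."""
    client.kdc_offset = kdc.now(true_time) - client.now(true_time)
    return client.kdc_offset


def make_authenticator(client, true_time):
    """Timestamp the client places in a request, after applying the offset."""
    return client.now(true_time) + client.kdc_offset


def accepts(receiver, authenticator_time, true_time, clockskew=CLOCKSKEW):
    """KDC or service: accept only if the timestamp is within the tolerance
    of the receiver's OWN clock. The receiver has no offset to apply."""
    return abs(receiver.now(true_time) - authenticator_time) <= clockskew


def scenario(client_drift, service_drift, true_time=1480521600.0):
    """Run one exchange; true_time is a constructed epoch value."""
    kdc = Host("kdc", 0.0)
    client = Host("client", client_drift)
    service = Host("ssh-service", service_drift)
    learn_kdc_offset(client, kdc, true_time)
    ts = make_authenticator(client, true_time)
    return {
        "kdc_accepts": accepts(kdc, ts, true_time),
        "service_accepts": accepts(service, ts, true_time),
        "service_skew": service.now(true_time) - ts,
    }


if __name__ == "__main__":
    cases = {
        "client 15 min fast, service synced": (900, 0),
        "client synced, service 15 min fast": (0, 900),
        # One unsynchronised machine acting as both client and service host.
        "client and service both 15 min fast": (900, 900),
    }
    for label, (c, s) in cases.items():
        print(label, scenario(c, s))
```

In the third case the offset correction makes the client agree with the KDC, which is exactly what puts its timestamps outside the tolerance of the service running on an equally drifted host.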


[Freeipa-devel] [freeipa PR#289][comment] Require python-gssapi >= 1.2.0

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8559791e0d520f4a3503e35d1975ac31448b1390
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/289#issuecomment-263901279

[Freeipa-devel] [freeipa PR#289][closed] Require python-gssapi >= 1.2.0

2016-11-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/289
Author: tiran
 Title: #289: Require python-gssapi >= 1.2.0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/289/head:pr289
git checkout pr289

[Freeipa-devel] [freeipa PR#289][+ack] Require python-gssapi >= 1.2.0

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/289
Title: #289: Require python-gssapi >= 1.2.0

Label: +ack

[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tiran commented:
"""
@tomaskrizek thanks! I rebased the PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/287#issuecomment-263898074

[Freeipa-devel] [freeipa PR#287][synchronized] Wheel bundles fixes

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/287
Author: tiran
 Title: #287: Wheel bundles fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/287/head:pr287
git checkout pr287
From 34f9b60a625852cf2566a758136aca9e291e2b09 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 30 Nov 2016 10:19:18 +0100
Subject: [PATCH] Wheel bundles fixes

* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes 
---
 Makefile.am| 4 ++--
 ipaclient/setup.py | 2 +-
 ipalib/setup.py| 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index f9922bb..a7c74b0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
-IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po
+IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
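Review bot: Nothing at the definition of IPACLIENT_SUBDIRS says that, per the commit message, this list is what wheel_bundle packages, so the reason ipaplatform moved out of it is invisible in the Makefile. A one-line comment above the variable stating that these are the bundled packages and that ipaplatform is deliberately built only through SUBDIRS would keep someone from adding it back. The move also changes the SUBDIRS order (ipaplatform is now visited after ipapython), so it is worth confirming that nothing in the recursive build relied on the old order.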
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 0183aaf..c413fc5 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,7 +54,7 @@
 "six",
 ],
 extras_require={
-"ipaclient.install": ["ipaplatform"],
+"install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
 }
 )
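Review bot: Renaming the extra from "ipaclient.install" to "install" in extras_require breaks anyone who already installs ipaclient[ipaclient.install]: pip only warns about an extra it does not know and carries on, so ipaplatform would quietly stop being pulled in. Mention the rename in the commit message or release notes, or keep the old key as an alias for one release.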
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 4be3eb1..36b06fc 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -48,6 +48,6 @@
 "wheel",
 ],
 extras_require={
-"ipalib.install": ["ipaplatform"],
+"install": ["ipaplatform"],
 },
 )
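Review bot: The "install" extra in this hunk still requires ipaplatform, while the same commit stops wheel_bundle from shipping it, so installing ipalib[install] from a bundle now needs ipaplatform from some other source. State in the commit message, or in a comment next to extras_require, where ipaplatform is expected to come from so that the resulting install failure is not a surprise.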

[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tomaskrizek commented:
"""
PR needs a rebase to fix `extra_requires` -> `extras_require` typo.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/287#issuecomment-263896997

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread Rob Crittenden
David Kupka wrote:
> On 29/11/16 18:10, Alexander Bokovoy wrote:
>> Still, bug reports and users' complaints is the only external measure we
>> have. There are close to nothing in complaints about NTP functionality,
>> other than requests to support chronyd and a better discover of existing
>> NTP setups. I don't think that requires dramatic action like removal of
>> NTP support at all.
>>
> 
> As Petr already pointed out, since Fedora 16 chronyd is enabled by
> default and ipa-client-install doesn't configure time synchronization
> when chronyd is enabled.
> 
> I believe that majority of users haven't used '--force-ntpd' and since
> it still worked they haven't filed any ticket.
> 
> IMO in this case no bug reports means no users rather than no bugs or
> requests.
> 
> Unfortunately, this is just my guess and AFAIK we don't have any data
> from users showing how they use FreeIPA.

For argument's sake, let's say NTP configuration in the client is
dropped and managed by the OS or other administrators.

What implication does this have for configuring NTP server on masters?
Would that be stopped as well? What about existing installs?

I don't believe there is a precedence for removing a service from IPA.

rob



[Freeipa-devel] [freeipa PR#267][+ack] ipa-replica-conncheck: do not close listening ports until required

2016-11-30 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

Label: +ack

[Freeipa-devel] [freeipa PR#263][+ack] Backwards compatibility with setuptools 0.9.8

2016-11-30 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

Label: +ack

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-30 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

pvoborni commented:
"""
If I understand Christian right, it is not a disagreement about something which 
needs to be done, but rather a proposal to address the rest of the scripts later 
in another pull request, so that we can push this PR to unblock subsequent reviews.

Is it correct? If so, can we proceed with checking if the current code is OK and 
finish the rest in another PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263891701

[Freeipa-devel] [freeipa PR#283][closed] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/283
Author: martbab
 Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/283/head:pr283
git checkout pr283

[Freeipa-devel] [freeipa PR#283][+pushed] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/283
Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install

Label: +pushed

[Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/283
Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install

martbab commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9
https://fedorahosted.org/freeipa/changeset/9502ee5fb84edf40422bd0bc38949b03e4171f4d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/283#issuecomment-263890231

[Freeipa-devel] [freeipa PR#283][comment] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-30 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/283
Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install

flo-renaud commented:
"""
Hi,
the patch works as expected. Thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/283#issuecomment-263888532
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#283][+ack] [ipa-4-4] Prevent denial of replication updates during CA replica install

2016-11-30 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/283
Title: #283: [ipa-4-4] Prevent denial of replication updates during CA replica install

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs

2016-11-30 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
 Title: #284: ipautil: check for open ports on all resolved IPs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
From b8f099f0c9f8141df8d8aec28e0cf939b8d3a555 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 29 Nov 2016 18:19:07 +0100
Subject: [PATCH] ipautil: check for open ports on all resolved IPs

When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
---
 install/tools/ipa-replica-conncheck |  5 +++--
 ipapython/ipautil.py| 44 -
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 544116e..9a30385 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -315,8 +315,9 @@ def port_check(host, port_list):
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
 try:
-port_open = ipautil.host_port_open(host, port.port,
-port.port_type, socket_timeout=CONNECT_TIMEOUT)
+port_open = ipautil.host_port_open(
+host, port.port, port.port_type,
+socket_timeout=CONNECT_TIMEOUT, log_errors=True)
 except socket.gaierror:
 raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 if port_open:
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 1c95a81..24a42e9 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -55,6 +55,12 @@
 GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 
 
+PROTOCOL_NAMES = {
+socket.SOCK_STREAM: 'tcp',
+socket.SOCK_DGRAM: 'udp'
+}
+
+
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
 
@@ -866,15 +872,21 @@ def user_input(prompt, default = None, allow_empty = True):
 return ret
 
 
-def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
+   socket_timeout=None, log_errors=False):
+"""
+host: either hostname or IP address;
+  if hostname is provided, port MUST be open on ALL resolved IPs
+
+returns True is port is open, False otherwise
+"""
+port_open = True
+
+# port has to be open on ALL resolved IPs
 for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
 af, socktype, proto, _canonname, sa = res
 try:
-try:
-s = socket.socket(af, socktype, proto)
-except socket.error:
-s = None
-continue
+s = socket.socket(af, socktype, proto)
 
 if socket_timeout is not None:
 s.settimeout(socket_timeout)
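Review bot: In host_port_open, s is no longer bound when socket.socket() itself raises: the inner try/except that set s = None is removed and nothing initialises s before the loop, so a socket.error from socket.socket() on the first resolved address reaches the "if s:" test in the finally block with s undefined. Set s = None at the top of each loop iteration. Two smaller points in the same hunk: an address family for which the local host cannot create a socket used to be skipped with continue and now counts as "port closed", which changes the result on hosts lacking that family; and the docstring reads "returns True is port is open" where "if" is meant.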
@@ -884,15 +896,27 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No
 if socket_type == socket.SOCK_DGRAM:
 s.send('')
 s.recv(512)
-
-return True
 except socket.error:
-pass
+port_open = False
+
+if log_errors:
+msg = ('Failed to connect to port %(port)d %(proto)s on '
+   '%(addr)s' % dict(port=port,
+ proto=PROTOCOL_NAMES[socket_type],
+ addr=sa[0]))
+
+# Do not log udp failures as errors (to be consistent with
+# the rest of the code that checks for open ports)
+if socket_type == socket.SOCK_DGRAM:
+root_logger.debug(msg)
+else:
+root_logger.error(msg)
 finally:
 if s:
 s.close()
+s = None
 
-return False
+return port_open
 
 def bind_port_responder(port, socket_type=socket.SOCK_STREAM, socket_timeout=None, responder_data=None):
 host = None   # all available interfaces
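Review bot: PROTOCOL_NAMES[socket_type] in the new except branch raises KeyError for any socket type other than SOCK_STREAM and SOCK_DGRAM, and because it runs inside the error handler it would replace the connection failure with an unrelated traceback. Use PROTOCOL_NAMES.get(socket_type, socket_type) or validate socket_type on entry. Also, a UDP failure is logged only through root_logger.debug yet still sets port_open = False, so a caller passing log_errors=True can receive False with nothing logged at error level; a short comment saying this is intended would help.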

[Freeipa-devel] [freeipa PR#285][+ack] Check the result of cert request in replica installer

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#263][synchronized] Backwards compatibility with setuptools 0.9.8

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
 Title: #263: Backwards compatibility with setuptools 0.9.8
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263
From c29798777108b598c3fde58bd3315e13d9036f31 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 22 Nov 2016 16:08:46 +0100
Subject: [PATCH] Backwards compatibility with setuptools 0.9.8

Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 31 +--
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index 0d11135..629a911 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -50,16 +50,27 @@ class build_py(setuptools_build_py):
 return setuptools_build_py.build_module(self, module,
 module_file, package)
 
+import setuptools
+
+VERSION = '@VERSION@'
+
+SETUPTOOLS_VERSION = tuple(int(v) for v in setuptools.__version__.split("."))
+
+# backwards compatibility with setuptools 0.9.8, split off +gitHASH suffix
+# PEP 440 was introduced in setuptools 8.
+if SETUPTOOLS_VERSION < (8, 0, 0):
+VERSION = VERSION.split('+')[0]
+
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
 'dnspython': 'dnspython >= 1.13',
 'gssapi': 'gssapi > 1.1.2',
-'ipaclient': 'ipaclient == @VERSION@',
-'ipalib': 'ipalib == @VERSION@',
-'ipaplatform': 'ipaplatform == @VERSION@',
-'ipapython': 'ipapython == @VERSION@',
-'ipaserver': 'ipaserver == @VERSION@',
+'ipaclient': 'ipaclient == {}'.format(VERSION),
+'ipalib': 'ipalib == {}'.format(VERSION),
+'ipaplatform': 'ipaplatform == {}'.format(VERSION),
+'ipapython': 'ipapython == {}'.format(VERSION),
+'ipaserver': 'ipaserver == {}'.format(VERSION),
 'kdcproxy': 'kdcproxy >= 0.3',
 'netifaces': 'netifaces >= 0.10.4',
 'pyldap': 'pyldap >= 2.4.15',
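Review bot: The SETUPTOOLS_VERSION line calls int() on every dot-separated part of setuptools.__version__, which raises ValueError as soon as a component is not purely numeric (for example a ".post1" or dev suffix), and that would break every setup.py that imports ipasetup. Parse only the leading numeric components, or compare with pkg_resources.parse_version, and treat an unparsable version as a recent one. Smaller points: import setuptools sits in the middle of the module rather than with the other imports, and once the +git suffix is stripped the "ipalib == VERSION" style pins no longer distinguish git snapshots on old setuptools, which deserves a word in the comment.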
@@ -70,7 +81,7 @@ PACKAGE_VERSION = {
 
 
 common_args = dict(
-version="@VERSION@",
+version=VERSION,
 license="GPLv3",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
@@ -126,6 +137,14 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
+# Env markers like ":python_version<'3.3'" are not supported by
+# setuptools < 18.0.
+if 'extras_require' in setup_kwargs and SETUPTOOLS_VERSION < (18, 0, 0):
+for k in list(setup_kwargs['extras_require']):
+if k.startswith(':'):
+req = setup_kwargs.setdefault('install_requires', [])
+req.extend(setup_kwargs['extras_require'].pop(k))
+
 os.chdir(local_path)
 try:
 # BEFORE importing distutils, remove MANIFEST. distutils doesn't
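Review bot: The fallback for setuptools < 18.0 moves every ":marker" entry of extras_require into install_requires unconditionally, so a requirement meant only for a case such as python_version<'3.3' becomes mandatory on every interpreter. Evaluate the marker for the cases the project actually uses (for instance against sys.version_info) before extending install_requires. The loop also only catches keys that start with ":"; a key of the form "extra:marker" would still reach old setuptools untouched.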

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
@martbab The wheel bundle and packages need some documentation. I have started 
some docs but they are not finished..
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263875159

[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
LGTM

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/285#issuecomment-263870742

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-30 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
@mbasti-rh @jcholast @tiran 
If you want I can replace the `--with-pytlint` option with `--enable-pylint` 
option (without parameters) and use cheimes's trick with `$(PYTHON) -m pylint` 
so the Pylint always follows the Python version you used for particular build. 
Up to you.

(Just keep in mind that build needs to be done under Python 2 till samba-python 
bindings are ported to Python 3.)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-263868961
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-30 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
Fixed. Now `with_pylint` section contains nested section `with_python3`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-263868364

[Freeipa-devel] [freeipa PR#291][+pushed] replica install: track the RA agent certificate again

2016-11-30 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/291
Title: #291: replica install: track the RA agent certificate again

Label: +pushed

[Freeipa-devel] [freeipa PR#291][comment] replica install: track the RA agent certificate again

2016-11-30 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/291
Title: #291: replica install: track the RA agent certificate again

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/4221266562778806f02748fee2dfbd814261f2b4
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/291#issuecomment-263867421

[Freeipa-devel] [freeipa PR#291][closed] replica install: track the RA agent certificate again

2016-11-30 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/291
Author: jcholast
 Title: #291: replica install: track the RA agent certificate again
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/291/head:pr291
git checkout pr291

[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer

2016-11-30 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

flo-renaud commented:
"""
Thanks for the suggestion. I added certmonger's request status in the exception 
message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/285#issuecomment-263865840

[Freeipa-devel] [freeipa PR#285][synchronized] Check the result of cert request in replica installer

2016-11-30 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/285
Author: flo-renaud
 Title: #285: Check the result of cert request in replica installer
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/285/head:pr285
git checkout pr285
From 8bbca8a93bc713d64d43692689ab827106527019 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 29 Nov 2016 21:15:29 +0100
Subject: [PATCH] Check the result of cert request in replica installer

When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.

Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:

  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORCertificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERRORThe ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

https://fedorahosted.org/freeipa/ticket/6514
---
 ipalib/install/certmonger.py |  3 ++-
 ipaserver/install/certs.py   | 12 +---
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 6f0948a..3ea900b 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -312,9 +312,10 @@ def request_and_wait_for_cert(
 state = wait_for_request(reqId, timeout=60)
 ca_error = get_request_value(reqId, 'ca-error')
 if state != 'MONITORING' or ca_error:
-raise RuntimeError("Certificate issuance failed")
+raise RuntimeError("Certificate issuance failed ({})".format(state))
 return reqId
 
+
 def request_cert(
 nssdb, nickname, subject, principal, passwd_fname=None,
 dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
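Review bot: The new message in request_and_wait_for_cert reports only state, but the condition also fires when state is MONITORING and ca_error is set, in which case the text would read "Certificate issuance failed (MONITORING)" and hide the actual cause. Include ca_error in the message when it is non-empty.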
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index ab2379b..45602ba 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -647,13 +647,11 @@ def export_pem_cert(self, nickname, location):
 def request_service_cert(self, nickname, principal, host, pwdconf=False):
 if pwdconf:
 self.create_password_conf()
-reqid = certmonger.request_cert(nssdb=self.secdir,
-nickname=nickname,
-principal=principal,
-subject=host,
-passwd_fname=self.passwd_fname)
-# Now wait for the cert to appear. Check three times then abort
-certmonger.wait_for_request(reqid, timeout=60)
+certmonger.request_and_wait_for_cert(nssdb=self.secdir,
+ nickname=nickname,
+ principal=principal,
+ subject=host,
+ passwd_fname=self.passwd_fname)
 
 
 class _CrossProcessLock(object):
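Review bot: request_service_cert now raises RuntimeError on a failed request where it previously returned normally, and nothing on the method documents that. Add a docstring line saying so, and check that callers which clean up after a partial install are prepared for the exception. The request id returned by request_and_wait_for_cert is dropped here, which is fine only if no caller needs it.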

[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-11-30 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From f7beaa42acb6ebba8ff71326144510e0fc631606 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH 1/2] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended that I copy the whole build directory and run
configure twice, with different values for the PYTHON variable.

After thinking a bit about that, it seems to be the cleanest approach.
Building for two versions of Python at the same time should be a
temporary state, so I decided not to complicate the Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python 2/3 distinction in the two separate builds, I added a
find/grep/sed combo which replaces shebangs with the system-wide Python
interpreter as necessary. This is a workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 148 +---
 1 file changed, 97 insertions(+), 51 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6847bed..bf9c788 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -267,6 +267,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
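Review bot: The `%description -n python3-ipaserver` text is a verbatim copy of the server description, ending with "If you are installing an IPA server, you need to install this package", which does not tell the user that this subpackage carries the Python 3 libraries. Reword it to say what the package contains and when it is needed. The `Requires:` list should also be checked against the Python 2 counterpart so that the two subpackages do not drift apart while both are shipped.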
@@ -684,6 +715,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
 
 
 %build
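Review bot: The `cp -r` line in `%prep` is not safe to re-run: if `%{_builddir}/freeipa-%{version}-python3` is left over from an earlier build, `cp -r` copies the tree into it as a subdirectory instead of replacing it. Remove the target first (as `%setup` does for the main tree) and consider `cp -a` so that file timestamps and modes are preserved for the second configure run.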
@@ -691,10 +727,33 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
 %make_build -Onone
 
+%if 0%{?with_python3}
+pushd %{_builddir}/freeipa-%{version}-python3
+export PYTHON=%{__python3}
+# Workaround: make sure all shebangs are pointing to Python 3
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+%configure --with-vendor-suffix=-%{release}
+popd
+%endif # with_python3
 
 %check
 %if ! %{ONLY_CLIENT}
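Review bot: In the `with_python3` block of `%build`, the copied tree gets `%configure` but no `%make_build`, unlike the Python 2 tree just above. If the Python 3 build is deliberately deferred to `%install`, say so in a comment; otherwise the build step is missing. The find/grep/sed shebang rewrite is also duplicated verbatim for both interpreters, so a single spec macro that takes the interpreter path would keep the two copies from diverging, and `find` should be given an explicit `.` start directory.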
@@ -713,16 +772,25 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # 

[Freeipa-devel] [freeipa PR#291][+ack] replica install: track the RA agent certificate again

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/291
Title: #291: replica install: track the RA agent certificate again

Label: +ack

[Freeipa-devel] [freeipa PR#255][closed] Adjustments for setup requirements

2016-11-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
 Title: #255: Adjustments for setup requirements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ed9645b2ac58fd4664810f05970ea258c7948420
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263862693

[Freeipa-devel] [freeipa PR#255][+pushed] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

Label: +pushed

[Freeipa-devel] [freeipa PR#255][+ack] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

Label: +ack

[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

tiran commented:
"""
- [X] ```daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file```
- [X] ```daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None)  # no logging to file```
- [X] ```daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file```
- [ ] ```doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None)```
- [ ] ```doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)```
- [X] ```install/restart_scripts/renew_ra_cert:39: api.bootstrap(in_server=True, context='restart')```
- [X] ```install/tools/ipa-adtrust-install:269:api.bootstrap(**cfg)```
- [X] ```install/tools/ipa-ca-install:262:api.bootstrap(in_server=True, ra_plugin='dogtag')```
- [ ] ```install/tools/ipa-compat-manage:105:api.bootstrap(context='cli', in_server=True, debug=options.debug)```
- [ ] ```install/tools/ipa-csreplica-manage:418:api.bootstrap(**api_env)```
- [X] ```install/tools/ipa-dns-install:139:api.bootstrap(**cfg)```
- [ ] ```install/tools/ipa-managed-entries:75:api.bootstrap(context='cli', debug=options.debug)```
- [X] ```install/tools/ipa-nis-manage:118:api.bootstrap(context='cli', debug=options.debug, in_server=True)```
- [X] ```install/tools/ipa-replica-manage:1512:api.bootstrap(**api_env)```
- [ ] ```ipaserver/dnssec/ldapkeydb.py:417: ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file```
- [ ] ```ipaserver/advise/base.py:238:api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/advise/base.py:240: advise_api.bootstrap(in_server=False, context='cli')```
- [ ] ```ipaserver/install/ipa_cacert_manage.py:99: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_kra_install.py:80: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True)```
- [ ] ```ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_ldap.py:114: myapi.bootstrap(context='cli', in_server=True)```
- [ ] ```ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri)```
- [ ] ```lite-server.py:130:(options, args) = api.bootstrap_with_global_options(parser, context='lite')```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/280#issuecomment-263861585

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Installing python-wheel worked, thanks. I have discovered some other missing 
dependencies in a minimal Docker container. I will investigate them some more and 
open a ticket. I think there is no need to add python-wheel to BuildRequires 
now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263860989

[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

tomaskrizek commented:
"""
Functional ACK. If it's possible, it would be nice to have a bit more info in 
the error msg as @mbasti-rh pointed out.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/285#issuecomment-263859423

[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
Thanks
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/286#issuecomment-263859193

[Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/288
Title: #288: Fix missing translation string

mbasti-rh commented:
"""
Hello, could you please remove `fix miss translation in Chinese` and `Delete 
zh_CN.po` from this PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/288#issuecomment-263858753

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
The bdist_wheel command requires the Python wheel package installed in the 
system. Since setup.py no longer contains ```setup_requires=["wheel"]```, the 
dependency is no longer resolved automatically by setuptools.

Does it make sense to include the dependency in freeipa.spec as a build 
requirement? Technically it's not a build requirement for RPMs.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263857749

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
Thank you.

It seems that 'bdist_wheel' target is broken in your PR:

```
# make bdist_wheel 
mkdir -p ./dist/wheels
for dir in ipaclient ipalib ipaplatform ipapython; do \
make  -C ${dir} bdist_wheel || exit 1; \
done
make[1]: Entering directory '/freeipa/ipaclient'
(cd .. && make  ipasetup.py)
make[2]: Entering directory '/freeipa'
sed \
-e 's|@VERSION[@]|4.4.90.dev201611301151+git785f924|g'  
\
ipasetup.py.in > ipasetup.py
make[2]: Leaving directory '/freeipa'
rm -rf ../dist/wheels/ipaclient*.whl
/usr/bin/python "./setup.py" bdist_wheel --dist-dir=../dist/wheels
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: invalid command 'bdist_wheel'
Makefile:586: recipe for target 'bdist_wheel' failed
make[1]: *** [bdist_wheel] Error 1
make[1]: Leaving directory '/freeipa/ipaclient'
Makefile:1172: recipe for target 'bdist_wheel' failed
make: *** [bdist_wheel] Error 1
```

Do I need some of your other pull requests to build wheels, or is this a genuine 
issue?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263856069

[Freeipa-devel] [freeipa PR#291][opened] replica install: track the RA agent certificate again

2016-11-30 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/291
Author: jcholast
 Title: #291: replica install: track the RA agent certificate again
Action: opened

PR body:
"""
During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top
of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.

Put the call back so that the certificate is tracked after replica install.

https://fedorahosted.org/freeipa/ticket/6392
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/291/head:pr291
git checkout pr291
From 0de63c3588c09bde309a409ba57fd7778663850a Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 30 Nov 2016 12:25:24 +0100
Subject: [PATCH] replica install: track the RA agent certificate again

During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top
of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.

Put the call back so that the certificate is tracked after replica install.

https://fedorahosted.org/freeipa/ticket/6392
---
 ipaserver/install/cainstance.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 1aa6b8d..6b2b272 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -647,7 +647,7 @@ def enable_pkix(self):
'NSS_ENABLE_PKIX_VERIFY', '1',
quotes=False, separator='=')
 
-def import_ra_cert(self, rafile, configure_renewal=True):
+def import_ra_cert(self, rafile):
 """
 Cloned RAs will use the same RA agent cert as the master so we
 need to import from a PKCS#12 file.
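Review bot: Dropping the `configure_renewal=True` parameter from `import_ra_cert` changes the method's signature, so any caller that still passes `configure_renewal=` will fail with a TypeError. The diffstat touches only cainstance.py and no caller update is visible, so please confirm that no caller passes that keyword, or keep accepting it for compatibility.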
@@ -663,11 +663,15 @@ def import_ra_cert(self, rafile, configure_renewal=True):
 finally:
 os.remove(agent_name)
 
+self.configure_agent_renewal()
+
 def __import_ra_key(self):
 custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn,
  realm=self.realm)
 custodia.import_ra_key(self.master_host)
 
+self.configure_agent_renewal()
+
 def __create_ca_agent(self):
 """
 Create CA agent, assign a certificate, and add the user to
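Review bot: `self.configure_agent_renewal()` is now called from both `import_ra_cert` and `__import_ra_key`; if a single replica install can go through both paths, tracking is requested twice, so confirm that `configure_agent_renewal()` is idempotent. Since the commit message says the call was lost in a rebase, a regression test asserting that the RA agent certificate is tracked by certmonger after replica install would keep that from happening again.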

[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values

2016-11-30 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
 Title: #181: Tests : User Tracker creation of user with minimal values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181
From 65608285943b7c0a43dfc9e28a81e23ff58bdabc Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Mon, 24 Oct 2016 11:27:01 +0200
Subject: [PATCH] User Tracker: creation of user with minimal values

Fix provides the possibility to create a user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide a
check for a non-empty unicode string for attributes required in the init method

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/tracker/user_plugin.py | 40 +
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 4485fd9..669b9bb 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -62,22 +62,40 @@ class UserTracker(KerberosAliasMixin, Tracker):
 
 primary_keys = {u'uid', u'dn'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+ in the init method """
+
+if not isinstance(givenname, (str, unicode)) and len(givenname) > 0:
+raise ValueError("No name provided: %s" % givenname)
+if not isinstance(sn, (str, unicode)) and len(sn) > 0:
+raise ValueError("No name provided: %s" % sn)
+
 super(UserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn)
 
 self.kwargs = kwargs
 
-def make_create_command(self):
-""" Make function that crates a user using user-add """
-return self.make_command(
-'user_add', self.uid,
-givenname=self.givenname,
-sn=self.sn, **self.kwargs
-)
+def make_create_command(self, force=None):
+
+""" Make function that creates a user using user-add
+with all set of attributes and with minimal values,
+where uid is not specified """
+
+if self.uid is not None:
+return self.make_command(
+'user_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'user_add', givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self, no_preserve=True, preserve=False):
 """ Make function that deletes a user using user-del """
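Review bot: The validation added to `__init__` does not do what its docstring says. `not isinstance(givenname, (str, unicode)) and len(givenname) > 0` lets an empty string through (the `isinstance` half is true, so the whole condition is false) and raises TypeError from `len(None)` when the new `givenname=None` default is used. It should read `if not (isinstance(givenname, (str, unicode)) and len(givenname) > 0)`, and likewise for `sn`. Separately, `self.uid = unicode(name)` turns the default `None` into the string u'None', so `if self.uid is not None` in `make_create_command` is always true and the new `else` branch is unreachable; keep `None` as it is and build `self.dn` only when a uid is known. The new `force=None` argument is unused.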

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-11-30 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 074d38a611ee4d4edc2afa857563cf0e09527115 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 23 +-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
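Review bot: Changing `PEM_REGEX` from a lookbehind/lookahead pattern to a plain match changes what every existing user of the constant gets back: matches now include the BEGIN/END marker text instead of only the body between the markers. Any code that feeds `PEM_REGEX` matches to a base64 decoder will break, so either audit those call sites in this patch or leave `PEM_REGEX` alone and add a separate pattern for `pkcs7_to_pems`.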
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
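Review bot: In `pkcs7_to_pems`, the expression `"PEM" if datatype == PEM else "DER"` silently treats any unexpected `datatype` value as DER; reject values other than `PEM` and `DER` explicitly. The docstring should also say that an empty list is returned when openssl succeeds but prints no certificates, since callers have to handle that case. Whether `result.output` is text or bytes matters for `PEM_REGEX.findall` under Python 3 (the module already special-cases `six.PY3`), so state the expected type of `data` and of the returned strings.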
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 5344e37..9b989ef 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -237,13 +237,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
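Review bot: The new `certs = x509.pkcs7_to_pems(body)` call relies on `x509` already being imported in certdb.py; the diffstat for this file (9 changed lines) is fully accounted for by the two hunks shown, so no import is added here. Please confirm that the import exists, and drop the `OPENSSL` import if the removed `args` list was its last user. Note also that an empty result from `pkcs7_to_pems` is not an error, so the `else:` branch in the next hunk will still set `loaded = True` for input that contained no certificates.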
@@ -255,7 +250,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 505232c..a3751d1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -745,44 +745,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = 

[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation

2016-11-30 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
 Title: #210: Tests: Stage User Tracker implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210
From 1a9ff854ae85667fc95cab8fc3a7a1ee6cfd2d94 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 2 Nov 2016 15:02:30 +0100
Subject: [PATCH 1/2] Tests: Stage User Tracker implementation

Fix provides the possibility of creating a stage user with minimal values,
with uid not specified, and a check for a non-empty unicode string
for attributes requested in the init method

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 36 ++--
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 82d7e06..10caff2 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -61,23 +61,43 @@ class StageUserTracker(Tracker):
 find_keys = retrieve_keys - {u'has_keytab', u'has_password'}
 find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not isinstance(givenname, (str, unicode)) and len(givenname) > 0:
+raise ValueError("No name provided: %s" % givenname)
+if not isinstance(sn, (str, unicode)) and len(sn) > 0:
+raise ValueError("No name provided: %s" % givenname)
+
 super(StageUserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(
 ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
 
 self.kwargs = kwargs
 
 def make_create_command(self, options=None):
-""" Make function that creates a staged user using stageuser-add """
+""" Make function that creates a staged user using stageuser-add
+with all set of attributes and with minimal values,
+where uid is not specified  """
+
 if options is not None:
 self.kwargs = options
-return self.make_command('stageuser_add', self.uid,
- givenname=self.givenname,
- sn=self.sn, **self.kwargs)
+if self.uid is not None:
+return self.make_command(
+'stageuser_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'stageuser_add',
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self):
 """ Make function that deletes a staged user using stageuser-del """
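Review bot: The two checks added to `StageUserTracker.__init__` are inverted: `not isinstance(givenname, (str, unicode)) and len(givenname) > 0` accepts an empty string and raises TypeError from `len(None)` for the new `None` defaults; the intended test is `not (isinstance(...) and len(...) > 0)`. The second `raise ValueError("No name provided: %s" % givenname)` is a copy-paste slip and should report `sn`. Also, `self.uid = unicode(name)` converts the default `None` to u'None', so `if self.uid is not None` in `make_create_command` can never be false and the branch that omits the uid is dead code, while `self.dn` is built from the literal uid 'None'.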

From f82f208b0030edb7c605a1da3a41adf62bf82323 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 30 Nov 2016 11:27:34 +0100
Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values

Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 4a859e8..95cb26a 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -85,6 +85,11 @@ def stageduser(request):
 return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='class')
+def stageduser_min(request):
+tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin')
+return tracker.make_fixture(request)
+
 @pytest.fixture(scope='class', params=options_ok, ids=options_ids)
 def stageduser2(request):
 tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param)
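Review bot: The new `stageduser_min` fixture is followed by a single blank line before the next `@pytest.fixture`, while the surrounding module-level definitions are separated by two; add the second blank line. A short docstring stating that this tracker is created without a uid would also help, since the fixture name alone does not say which values are minimal.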
@@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser):
 
 @pytest.mark.tier1
 class TestStagedUser(XMLRPC_test):
+def test_create_with_min_values(self, stageduser_min):
+""" Create user with uid not specified """
+stageduser_min.ensure_missing()
+command = stageduser_min.make_create_command()
+command()
+
 def test_create_duplicate(self, stageduser):
 stageduser.ensure_exists()
 command = stageduser.make_create_command()
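Review bot: `test_create_with_min_values` calls `command()` and discards the result, so it passes as long as no exception is raised and never checks that a uid was generated by the server. With patch 1/2 as posted, the tracker stores `unicode(None)` as the uid, so the command is actually sent with uid u'None' and the case "uid is not specified" is not exercised. Assert on the returned entry, and add cleanup for the user that is created.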

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

tiran commented:
"""
I opened PR #289 and #290.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263840863
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
From 3805dfba1dc222f3cd6cc6299bfe97c70e3e8bae Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 28 Nov 2016 16:24:33 +0100
Subject: [PATCH 1/2] Set explicit confdir option for global contexts

Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes 
---
 client/ipa-client-automount |  1 +
 install/certmonger/dogtag-ipa-ca-renew-agent-submit |  2 +-
 install/migration/migration.py  |  3 ++-
 install/oddjob/com.redhat.idm.trust-fetch-domains   |  4 +++-
 install/restart_scripts/renew_ca_cert   |  2 +-
 install/restart_scripts/restart_dirsrv  |  3 ++-
 install/restart_scripts/stop_pkicad |  3 ++-
 install/share/copy-schema-to-ca.py  |  2 +-
 install/share/wsgi.py   |  6 --
 install/tools/ipa-httpd-kdcproxy|  3 ++-
 install/tools/ipa-replica-conncheck |  4 +++-
 install/tools/ipactl|  5 -
 ipaclient/install/client.py |  1 +
 ipaclient/install/ipa_certupdate.py |  2 +-
 ipaserver/install/ipa_backup.py |  2 +-
 ipaserver/install/ipa_ldap_updater.py   |  2 +-
 ipaserver/install/ipa_restore.py|  1 +
 ipaserver/install/ipa_server_upgrade.py |  2 +-
 ipaserver/install/ipa_winsync_migrate.py|  3 ++-
 ipaserver/install/ldapupdate.py |  4 +++-
 ipaserver/install/server/install.py |  2 ++
 ipaserver/install/server/replicainstall.py  | 19 +--
 22 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 0dd15b3..18914bd 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -384,6 +384,7 @@ def main():
 
 cfg = dict(
 context='cli_installer',
+confdir=paths.ETC_IPA,
 in_server=False,
 debug=options.debug,
 verbose=0,
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7389a5e..2e137ad 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -494,7 +494,7 @@ def main():
 'ipaCACertRenewal': renew_ca_cert,
 }
 
-api.bootstrap(in_server=True, context='renew')
+api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
 api.finalize()
 api.Backend.ldap2.connect()
 
diff --git a/install/migration/migration.py b/install/migration/migration.py
index 4743279..73e4777 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -24,6 +24,7 @@
 import errno
 from wsgiref.util import request_uri
 
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -72,7 +73,7 @@ def application(environ, start_response):
 
 # API object only for configuration, finalize() not needed
 api = create_api(mode=None)
-api.bootstrap(context='server', in_server=True)
+api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
 try:
 bind(api.env.ldap_uri, api.env.basedn,
  form_data['username'].value, form_data['password'].value)
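Review bot: confdir=paths.ETC_IPA has to be repeated by hand at every api.bootstrap() call for a global-state context (context='server' here, context='renew' and 'cli_installer' in the earlier hunks), and nothing visible in these hunks stops a later script from bootstrapping one of those contexts without it. The commit message says these contexts do not support confdir overrides, so consider enforcing that in one place, for example by having bootstrap refuse or ignore an override for the listed context names, rather than relying on each call site to remember the argument. Minor: this call puts confdir between context and in_server while the renew call appends it last; pick one order.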
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index a0d8a31..e5c2e8c 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipaplatform.constants import constants
+from ipaplatform.paths import paths
 import sys
 import os
 import pwd
@@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
+api.bootstrap(in_server=True, debug=env.debug, log=None,
+  context='server', 

[Freeipa-devel] [freeipa PR#255][synchronized] Adjustments for setup requirements

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/255
Author: tiran
 Title: #255: Adjustments for setup requirements
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/255/head:pr255
git checkout pr255
From 785f924cab5eab2473aeef4ea57e0a31f5f0b222 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 17 Nov 2016 16:43:17 +0100
Subject: [PATCH] Adjustments for setup requirements

* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runnable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 ipaclient/setup.py   |  7 +++
 ipalib/setup.py  |  1 +
 ipaplatform/setup.py |  3 ---
 ipapython/setup.py   |  4 +---
 ipaserver/setup.py   |  2 +-
 ipasetup.py.in   |  4 ++--
 ipatests/setup.py| 18 +-
 7 files changed, 17 insertions(+), 22 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index fb6ed0d..0183aaf 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -48,13 +48,12 @@
 "ipalib",
 "ipapython",
 "python-nss",
+"python-yubico",
+"pyusb",
 "qrcode",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
-extra_requires={
+extras_require={
 "ipaclient.install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
 }
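Review bot: once extra_requires is corrected to extras_require, the "otptoken_yubikey" extra starts to take effect, but it still lists "yubico" and "usb", which do not match the "python-yubico" and "pyusb" names this same hunk adds to install_requires (or the 'python-yubico' key added in ipasetup.py.in). Either rename the extra's entries to the same distribution names or drop the extra, since both packages are now unconditional requirements and the extra no longer selects anything.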
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 85932fc..4be3eb1 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -40,6 +40,7 @@
 "ipapython",
 "netaddr",
 "pyasn1",
+"pyasn1-modules",
 "python-nss",
 "six",
 ],
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index b28ac8c..9c47da7 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -47,7 +47,4 @@
 "python-nss",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index c413ffa..86e4131 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -51,10 +51,8 @@
 "requests",
 "six",
 ],
-setup_requires=[
-"wheel",
-],
 extras_require={
 ":python_version<'3'": ["enum34"],
+"install": ["dbus-python"],  # for certmonger
 },
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 3635832..528b901 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -56,9 +56,9 @@
 "ipapython",
 "lxml",
 "netaddr",
-"memcache",
 "pyasn1",
 "pyldap",
+"python-memcached",
 "python-nss",
 "six",
 # not available on PyPI
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..0d11135 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -62,10 +62,10 @@ PACKAGE_VERSION = {
 'ipaserver': 'ipaserver == @VERSION@',
 'kdcproxy': 'kdcproxy >= 0.3',
 'netifaces': 'netifaces >= 0.10.4',
-'python-nss': 'python-nss >= 0.16',
 'pyldap': 'pyldap >= 2.4.15',
+'python-nss': 'python-nss >= 0.16',
+'python-yubico': 'python-yubico >= 1.2.3',
 'qrcode': 'qrcode >= 5.0',
-# 'yubico': 'yubico >= 1.2.3',
 }
 
 
diff --git a/ipatests/setup.py b/ipatests/setup.py
index 26f0124..2b592cd 100644
--- a/ipatests/setup.py
+++ b/ipatests/setup.py
@@ -59,24 +59,24 @@
 },
 install_requires=[
 "cryptography",
-"dbus-python",
 "dnspython",
-"dogtag-pki",
+"gssapi",
 "ipaclient",
 "ipalib",
 "ipaplatform",
 "ipapython",
-"ipaserver",
 "nose",
+"polib",
 "pyldap",
 "pytest",
-"python-gssapi",
+"pytest_multihost",
 "python-nss",
-"selenium",
 "six",
-"yaml",
-],
-setup_requires=[
-"wheel",
 ],
+extras_require={
+"integration": ["dbus-python", "pyyaml", "ipaserver"],
+"ipaserver": ["ipaserver"],
+"webui": ["selenium", "pyyaml", "ipaserver"],
+"xmlrpc": ["ipaserver"],
+}
 )
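Review bot: the new extras_require block defines "ipaserver" and "xmlrpc" with the identical list ["ipaserver"]; keep one name or add a comment saying why both are needed. In install_requires, "pytest_multihost" is spelled with an underscore while the other multi-word name in the list ("python-nss") uses a hyphen; use one spelling so the name matches however the requirement is looked up elsewhere.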

[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation

2016-11-30 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
 Title: #210: Tests: Stage User Tracker implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210
From 1a9ff854ae85667fc95cab8fc3a7a1ee6cfd2d94 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 2 Nov 2016 15:02:30 +0100
Subject: [PATCH] Tests: Stage User Tracker implementation

Fix provides the possibility of creating a stage user with minimal values,
with uid not specified, and checks for a non-empty unicode string
for the attributes requested in the init method

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 36 ++--
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 82d7e06..10caff2 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -61,23 +61,43 @@ class StageUserTracker(Tracker):
 find_keys = retrieve_keys - {u'has_keytab', u'has_password'}
 find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not isinstance(givenname, (str, unicode)) and len(givenname) > 0:
+raise ValueError("No name provided: %s" % givenname)
+if not isinstance(sn, (str, unicode)) and len(sn) > 0:
+raise ValueError("No name provided: %s" % givenname)
+
 super(StageUserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(
 ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
 
 self.kwargs = kwargs
 
 def make_create_command(self, options=None):
-""" Make function that creates a staged user using stageuser-add """
+""" Make function that creates a staged user using stageuser-add
+with all set of attributes and with minimal values,
+where uid is not specified  """
+
 if options is not None:
 self.kwargs = options
-return self.make_command('stageuser_add', self.uid,
- givenname=self.givenname,
- sn=self.sn, **self.kwargs)
+if self.uid is not None:
+return self.make_command(
+'stageuser_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'stageuser_add',
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self):
 """ Make function that deletes a staged user using stageuser-del """
-- 
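Review bot: the two new guards in __init__ are inverted. "not isinstance(givenname, (str, unicode)) and len(givenname) > 0" is true only for a non-string that has a non-zero length, so an empty string passes the check, and the new default givenname=None fails with a TypeError from len(None) instead of the intended ValueError. Write the test as "if not (isinstance(givenname, (str, unicode)) and givenname):", and make the sn branch report sn rather than givenname in its message. Separately, self.uid = unicode(name) turns name=None into u'None', so the "if self.uid is not None" test in make_create_command is always true, the uid-less stageuser_add branch is unreachable, and self.dn is built for a uid of "None". Keep None as None, convert only real values, and decide what self.dn should be when no uid is given.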

[Freeipa-devel] [freeipa PR#290][opened] Require python-cryptography >= 1.3.1

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/290
Author: tiran
 Title: #290: Require python-cryptography >= 1.3.1
Action: opened

PR body:
"""
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.

Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/290/head:pr290
git checkout pr290
From fb4700e12572d8fbf8ac6019d5c2ac0d0dcdd22c Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 30 Nov 2016 11:10:36 +0100
Subject: [PATCH] Require python-cryptography >= 1.3.1

python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.

Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in | 12 ++--
 ipasetup.py.in  |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6847bed..ae08d0c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -113,8 +113,8 @@ BuildRequires:  python-cffi
 %if 0%{?with_lint}
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
-# 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python-cryptography >= 0.6
+# 1.3: oldest PyPI version that still compiles with recent OpenSSL
+BuildRequires:  python-cryptography >= 1.3.1
 BuildRequires:  python-gssapi
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
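Review bot: the replacement comment on the BuildRequires line says "1.3" while the constraint below it is >= 1.3.1. State 1.3.1 in the comment together with the reason given in the commit message (oldest version well tested with FreeIPA, versions below 1.3 no longer compile with recent OpenSSL), so whoever raises the floor next can see what it was based on.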
@@ -510,7 +510,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 0.9
+Requires: python-cryptography >= 1.3.1
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -559,7 +559,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
-Requires: python3-cryptography
+Requires: python3-cryptography >= 1.3.1
 Requires: python3-netaddr
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
@@ -633,7 +633,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
-Requires: python2-cryptography
+Requires: python2-cryptography >= 1.3.1
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -667,7 +667,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
-Requires: python3-cryptography
+Requires: python3-cryptography >= 1.3.1
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..2220b97 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -52,7 +52,7 @@ class build_py(setuptools_build_py):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 0.9',
+'cryptography': 'cryptography >= 1.3.1',
 'dnspython': 'dnspython >= 1.13',
 'gssapi': 'gssapi > 1.1.2',
 'ipaclient': 'ipaclient == @VERSION@',

[Freeipa-devel] [freeipa PR#289][opened] Require python-gssapi >= 1.2.0

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/289
Author: tiran
 Title: #289: Require python-gssapi >= 1.2.0
Action: opened

PR body:
"""
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's known to work.

Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/289/head:pr289
git checkout pr289
From 28d4a1f245bb53c842d112bf1cf5b574cc1fa2bc Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 30 Nov 2016 11:01:57 +0100
Subject: [PATCH] Require python-gssapi >= 1.2.0

The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's known to work.

Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in | 12 ++--
 ipasetup.py.in  |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6847bed..bdf510f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -115,7 +115,7 @@ BuildRequires:  samba-python
 BuildRequires:  python-setuptools
 # 0.6: serialization.load_pem_private_key, load_pem_public_key
 BuildRequires:  python-cryptography >= 0.6
-BuildRequires:  python-gssapi
+BuildRequires:  python-gssapi >= 1.2.0
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
 BuildRequires:  python2-polib
@@ -187,7 +187,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2.0
 Requires: acl
 Requires: memcached
 Requires: python-memcached
@@ -250,7 +250,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
 Requires: python-ldap >= 2.4.15
 Requires: python-lxml
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2.0
 Requires: python-sssdconfig
 Requires: python-pyasn1
 Requires: dbus-python
@@ -374,7 +374,7 @@ Requires: certmonger >= 0.78
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2.0
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
@@ -505,7 +505,7 @@ Provides: python2-ipapython = %{version}-%{release}
 Provides: python2-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python2-ipaplatform}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python-gssapi >= 1.1.2
+Requires: python-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
@@ -554,7 +554,7 @@ Provides: python3-ipapython = %{version}-%{release}
 Provides: python3-ipaplatform = %{version}-%{release}
 %{?python_provide:%python_provide python3-ipaplatform}
 Requires: %{name}-common = %{version}-%{release}
-Requires: python3-gssapi >= 1.1.2
+Requires: python3-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 1db4857..7d326c8 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -54,7 +54,7 @@ class build_py(setuptools_build_py):
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 0.9',
 'dnspython': 'dnspython >= 1.13',
-'gssapi': 'gssapi > 1.1.2',
+'gssapi': 'gssapi > 1.2.0',
 'ipaclient': 'ipaclient == @VERSION@',
 'ipalib': 'ipalib == @VERSION@',
 'ipaplatform': 'ipaplatform == @VERSION@',
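Review bot: the new pin 'gssapi > 1.2.0' keeps the strict > operator, so PyPI installs exclude 1.2.0 itself, which is the version the subject line and commit message name as the tested minimum, while every freeipa.spec.in line in this patch uses >= 1.2.0. Change it to 'gssapi >= 1.2.0' so the two requirement sets stay in sync, as the commit message intends.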

[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

2016-11-30 Thread shanyin
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

shanyin commented:
"""
Ok, I have just sent a PR. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/286#issuecomment-263831788

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-30 Thread David Kupka

On 29/11/16 18:10, Alexander Bokovoy wrote:

On Tue, 29 Nov 2016, Petr Spacek wrote:

On 29.11.2016 16:02, Rob Crittenden wrote:

Petr Spacek wrote:

On 29.11.2016 09:11, Jan Cholasta wrote:

On 28.11.2016 20:57, Rob Crittenden wrote:

David Kupka wrote:

On 22/11/16 23:15, Gabe Alford wrote:

I would say that it is worth keeping in FreeIPA. I know myself and some
customers use its functionality by having the clients sync to the IPA
servers and have the servers sync to the NTP source. This way if the NTP
source ever gets disrupted for long periods of time (which has happened
in my environment) the client time drifts with the authentication source.
This is the way that AD often works and is configured.


Hello Gabe,
I agree that it's common practice to synchronize all nodes in network
with single source in order to have the same time and save bandwidth.
Also I understand that it's comfortable to let FreeIPA installer take
care of it.
But I don't think FreeIPA should do it. IMO this is job for Ansible or
similar tool. Also the problem is that in some situations FreeIPA
installer makes it worse.

Example:

1. Install FreeIPA server (ipa1.example.org)
2. Install FreeIPA client on all nodes in network
3. Install replica (ipa2.example.org) of FreeIPA server to increase redundancy

Now all the clients have ipa1.example.org as the only server in
/etc/ntp.conf. If the first FreeIPA server becomes unreachable all
clients will be able to contact KDC on the other server thanks to DNS
autodiscovery in libkrb5 but will be unable to synchronize time.


Remember that the goal of IPA was to herd together a bunch of software
to make hard things easier. This included dealing with the 5-minute
Kerberos window so ntp was configured on the client and server (which is
less of an issue now).

When making changes you have to ask yourself who are you making this
easier for: you or the user.

Yes, getting NTP right is hard, but does it meet the 80/20 rule in terms
of success? I'd think so. I

If someone wants to configure it using Ansible they can use the
--no-ntp. If they want to use different time servers they can pass in
--ntp-server. But by default IMHO it should do something sane to give a
good experience.


I think to do something sane is exactly the point of this, and the sanest
thing we can do is to not touch NTP configuration at all:

  * if the NTP configuration obtained via DHCP works, we can't make it any
    better by touching it, only worse,
  * if the default NTP configuration shipped with the distribution works, we
    again can't make it any better by touching it,
  * if we are running inside container, time is synchronized by other means
    and we should not touch NTP configuration at all,
  * if neither the default NTP configuration nor the NTP configuration
    obtained via DHCP works and we are not running inside container, we may
    attempt to fix the configuration, but it will not be permanent and will
    work only for this specific host.

I think the first 3 points cover 99% of real-life deployments, and yet we
are optimized towards the remaining 1%, with the potential of breaking the
configuration for the 99%. This is far from sane IMHO.


+1 for Honza's point.

Current NTP code works only for initial setup and silently breaks
synchronization later on. Most importantly it breaks synchronization as
soon as admin removes old replicas and replaces them with new ones - there
is no mechanism to update the records in the client configuration (and SRV
discovery is not supported by clients).

I.e. when admin decommissions replicas which were around at the time of
client installation, the NTP on client will silently break. This would not
happen if you did not touch it.

(This also implicitly means that IPA-configured NTP is broken on all
clients in topologies which were completely migrated from RHEL 6 to RHEL 7.)

Either DHCP or default distro config would solve the problem better.


That's fair but where are the huge pile of bugs, tickets and user
e-mails complaining about time? Or has nobody noticed yet?


Hard to say. There might be multiple reasons for this. E.g.

- Starting with Fedora 16, there is Chronyd installed by default. IPA client
installer does not configure Chronyd by default so there is nothing to break.

- DHCP integration still modifies IPA-generated ntp.conf.

- Users who care might use configuration management tool.

Still, bug reports and users' complaints are the only external measure we
have. There is close to nothing in complaints about NTP functionality,
other than requests to support chronyd and a better discovery of existing
NTP setups. I don't think that requires dramatic action like removal of
NTP support at all.



As Petr already pointed out, since Fedora 16 chronyd is enabled by 
default and ipa-client-install doesn't configure time synchronization 
when chronyd is enabled.


I believe that majority of users haven't used '--force-ntpd' and since 
it still worked they haven't filed any ticket.


IMO in 

[Freeipa-devel] [freeipa PR#280][synchronized] Set explicit confdir option for global contexts

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/280
Author: tiran
 Title: #280: Set explicit confdir option for global contexts
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/280/head:pr280
git checkout pr280
From 86ddbbe5f69519b07f24d825507cff84f86407d9 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 28 Nov 2016 16:24:33 +0100
Subject: [PATCH 1/2] Set explicit confdir option for global contexts

Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes 
---
 client/ipa-client-automount |  1 +
 install/certmonger/dogtag-ipa-ca-renew-agent-submit |  2 +-
 install/migration/migration.py  |  3 ++-
 install/oddjob/com.redhat.idm.trust-fetch-domains   |  4 +++-
 install/restart_scripts/renew_ca_cert   |  2 +-
 install/restart_scripts/restart_dirsrv  |  3 ++-
 install/restart_scripts/stop_pkicad |  3 ++-
 install/share/copy-schema-to-ca.py  |  2 +-
 install/share/wsgi.py   |  6 --
 install/tools/ipa-httpd-kdcproxy|  3 ++-
 install/tools/ipa-replica-conncheck |  4 +++-
 install/tools/ipactl|  5 -
 ipaclient/install/client.py |  1 +
 ipaclient/install/ipa_certupdate.py |  2 +-
 ipaserver/install/ipa_backup.py |  2 +-
 ipaserver/install/ipa_ldap_updater.py   |  2 +-
 ipaserver/install/ipa_restore.py|  1 +
 ipaserver/install/ipa_server_upgrade.py |  2 +-
 ipaserver/install/ipa_winsync_migrate.py|  3 ++-
 ipaserver/install/ldapupdate.py |  4 +++-
 ipaserver/install/server/install.py |  2 ++
 ipaserver/install/server/replicainstall.py  | 19 +--
 22 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index 0dd15b3..18914bd 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -384,6 +384,7 @@ def main():
 
 cfg = dict(
 context='cli_installer',
+confdir=paths.ETC_IPA,
 in_server=False,
 debug=options.debug,
 verbose=0,
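Review bot: the added confdir=paths.ETC_IPA entry in cfg uses the name paths, but this file's part of the patch adds no import (the diffstat counts a single added line for client/ipa-client-automount), whereas migration.py and com.redhat.idm.trust-fetch-domains each gain "from ipaplatform.paths import paths" in the same patch. Confirm the script already imports paths at module level; otherwise main() fails with a NameError before the API is bootstrapped.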
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7389a5e..2e137ad 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -494,7 +494,7 @@ def main():
 'ipaCACertRenewal': renew_ca_cert,
 }
 
-api.bootstrap(in_server=True, context='renew')
+api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
 api.finalize()
 api.Backend.ldap2.connect()
 
diff --git a/install/migration/migration.py b/install/migration/migration.py
index 4743279..73e4777 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -24,6 +24,7 @@
 import errno
 from wsgiref.util import request_uri
 
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 from ipapython import ipaldap
@@ -72,7 +73,7 @@ def application(environ, start_response):
 
 # API object only for configuration, finalize() not needed
 api = create_api(mode=None)
-api.bootstrap(context='server', in_server=True)
+api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
 try:
 bind(api.env.ldap_uri, api.env.basedn,
  form_data['username'].value, form_data['password'].value)
diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains
index a0d8a31..e5c2e8c 100755
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@@ -8,6 +8,7 @@ from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
 from ipaplatform.constants import constants
+from ipaplatform.paths import paths
 import sys
 import os
 import pwd
@@ -95,7 +96,8 @@ env._bootstrap(debug=options.debug, log=None)
 env._finalize_core(**dict(DEFAULT_CONFIG))
 
 # Initialize the API with the proper debug level
-api.bootstrap(in_server=True, debug=env.debug, log=None, context='server')
+api.bootstrap(in_server=True, debug=env.debug, log=None,
+  context='server', 

[Freeipa-devel] [freeipa PR#285][comment] Check the result of cert request in replica installer

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/285
Title: #285: Check the result of cert request in replica installer

mbasti-rh commented:
"""
Can we add the cert state to the error message? `raise RuntimeError("Certificate issuance failed")` is not very detailed in `request_and_wait_for_cert`.

Something like:
```
"Certificate issuance failed (CA_UNREACHABLE)"
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/285#issuecomment-263825114

[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

2016-11-30 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tomaskrizek commented:
"""
@frasertweedale Oh, I didn't realize the DN in SAN matches the LDAP DN, while 
the Subject DN does not.

In that case, this PR makes sense to me as is. I also don't see the need to 
validate Subject DN and SAN DN differently, since they use different 
representation (subject is a more generic identifier, as @tiran pointed out; 
while SAN DN should be the unique LDAP DN identifier).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/228#issuecomment-263550747

[Freeipa-devel] [freeipa PR#287][comment] Wheel bundles fixes

2016-11-30 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/287
Title: #287: Wheel bundles fixes

tiran commented:
"""
Fixup for #271
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/287#issuecomment-263823717

[Freeipa-devel] [freeipa PR#287][opened] Wheel bundles fixes

2016-11-30 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/287
Author: tiran
 Title: #287: Wheel bundles fixes
Action: opened

PR body:
"""
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/287/head:pr287
git checkout pr287
From 2d79fd4050539cc4c2d095cf37320b55b7a62313 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 30 Nov 2016 10:19:18 +0100
Subject: [PATCH] Wheel bundles fixes

* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
  subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes 
---
 Makefile.am| 4 ++--
 ipaclient/setup.py | 2 +-
 ipalib/setup.py| 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index f9922bb..a7c74b0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
-IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po
+IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index fb6ed0d..cd7a2c5 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -55,7 +55,7 @@
 "wheel",
 ],
 extra_requires={
-"ipaclient.install": ["ipaplatform"],
+"install": ["ipaplatform"],
 "otptoken_yubikey": ["yubico", "usb"]
 }
 )
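Review bot: the renamed "install" extra sits in a dict passed as extra_requires=, visible in the context line just above the change, whereas the ipalib/setup.py hunk in this same patch uses extras_require=. Unless the misspelled keyword is handled elsewhere, setuptools does not treat it as the extras table and "pip install ipaclient[install]" will not pull in ipaplatform. Fix the keyword in this patch or state that it depends on the change that does.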
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 85932fc..1dc5214 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -47,6 +47,6 @@
 "wheel",
 ],
 extras_require={
-"ipalib.install": ["ipaplatform"],
+"install": ["ipaplatform"],
 },
 )
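Review bot: Renaming the extra from `ipalib.install` to `install` (and from `ipaclient.install` in the previous file) is visible to anyone who installs with the old name: a requirements file or packaging script that still asks for `ipalib[ipalib.install]` will no longer pull in ipaplatform. Search the tree (spec files, requirements, docs) for the old extra names before merging and update them in this commit.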

[Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging

2016-11-30 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/276
Author: tomaskrizek
 Title: #276: replica-conncheck: improve error msg + logging
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/276/head:pr276
git checkout pr276
From d46e1a38bb65e20439a6772fbba08df7c4fcef11 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 25 Nov 2016 17:23:29 +0100
Subject: [PATCH 1/2] replica-conncheck: improve error message during
 replicainstall

Replica conncheck may fail for other reasons than network
misconfiguration. For example, an incorrect admin password might be
provided. Since conncheck is run as a separate script in quiet mode,
no insightful error message can be displayed.

https://fedorahosted.org/freeipa/ticket/6497
---
 ipaserver/install/replication.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index ba35c49..35066c2 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -105,7 +105,7 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
 if result.returncode != 0:
 raise ScriptError(
 "Connection check failed!"
-"\nPlease fix your network settings according to error messages above."
+"\nSee /var/log/ipareplica-conncheck.log for more information."
 "\nIf the check results are not valid it can be skipped with --skip-conncheck parameter.")
 else:
 print("Connection check OK")
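Review bot: The new message hard-codes `/var/log/ipareplica-conncheck.log` inside the `raise ScriptError(` string, while the conncheck script in patch 2/2 takes the location from `paths.IPAREPLICA_CONNCHECK_LOG`; format that constant into the message so the two cannot drift apart. The script only sets a log file when `os.getegid() == 0 and options.log_to_file`, so confirm that replica_conn_check always invokes it that way, or the message points at a file that was never written.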

From 91b20a812cf699f9fedb1be63006369f58e4e0e6 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Fri, 25 Nov 2016 17:27:16 +0100
Subject: [PATCH 2/2] replica-conncheck: improve message logging

Make sure all messages displayed on screen to the user can be found
in the log as well. The messages are also logged if the script is run
in quiet mode.

https://fedorahosted.org/freeipa/ticket/6497
---
 install/tools/ipa-replica-conncheck | 98 +++--
 1 file changed, 51 insertions(+), 47 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 7ec1ef8..083aa07 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -47,7 +47,6 @@ from cryptography.hazmat.primitives import serialization
 
 CONNECT_TIMEOUT = 5
 RESPONDERS = [ ]
-QUIET = False
 CCACHE_FILE = None
 KRB5_CONFIG = None
 
@@ -60,7 +59,7 @@ class SshExec(object):
 def __call__(self, command, verbose=False):
 # Bail if ssh is not installed
 if self.cmd is None:
-print("WARNING: ssh not installed, skipping ssh test")
+root_logger.warning("WARNING: ssh not installed, skipping ssh test")
 return ('', '', 0)
 
 tmpf = tempfile.NamedTemporaryFile()
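Review bot: In `root_logger.warning("WARNING: ssh not installed, skipping ssh test")` the literal `WARNING:` prefix duplicates the log level in any handler whose format includes the level name. Drop the prefix from the message, or if it is kept for the `'%(message)s'` console format set in logging_setup, say so in a comment.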
@@ -108,10 +107,6 @@ BASE_PORTS = [
  ]
 
 
-def print_info(msg):
-if not QUIET:
-print(msg)
-
 def parse_options():
 def ca_cert_file_callback(option, opt, value, parser):
 if not os.path.exists(value):
@@ -205,10 +200,6 @@ def parse_options():
 if not options.hostname:
 options.hostname = socket.getfqdn()
 
-if options.quiet:
-global QUIET
-QUIET = True
-
 return safe_options, options
 
 def logging_setup(options):
@@ -217,7 +208,8 @@ def logging_setup(options):
 if os.getegid() == 0 and options.log_to_file:
 log_file = paths.IPAREPLICA_CONNCHECK_LOG
 
-standard_logging_setup(log_file, debug=options.debug)
+standard_logging_setup(log_file, verbose=(not options.quiet),
+   debug=options.debug, console_format='%(message)s')
 
 def clean_responders(responders):
 if not responders:
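Review bot: With `verbose=(not options.quiet)` a quiet run reduces console output, but `log_file` is only set when `os.getegid() == 0 and options.log_to_file`; in any other case a quiet run has no file to log to, which does not match the commit message's statement that messages are logged in quiet mode. Document that limitation in the commit message or the option help, or warn when --quiet is used without a log file.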
@@ -328,13 +320,14 @@ def port_check(host, port_list):
 else:
 ports_failed.append(port)
 result = "FAILED"
-print_info("   %s (%d): %s" % (port.description, port.port, result))
+root_logger.info("   %s (%d): %s" % (port.description, port.port, result))
 
 if ports_udp_warning:
-print("The following UDP ports could not be verified as open: %s" \
-% ", ".join(str(port.port) for port in ports_udp_warning))
-print("This can happen if they are already bound to an application")
-print("and ipa-replica-conncheck cannot attach own UDP responder.")
+root_logger.warning(
+("The following UDP ports could not be verified as open: %s\n"
+ "This can happen if they are already bound to an application\n"
+ "and ipa-replica-conncheck cannot attach own UDP responder.")
+% ", ".join(str(port.port) for port in ports_udp_warning))
 
 if ports_failed:
 msg_ports = []
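Review bot: The UDP warning used plain `print()` before, so it was shown even with QUIET set, while the per-port lines went through `print_info()`; now both go through the logger, so check that the warning level still reaches the console when `verbose` is false, or state that hiding it in quiet mode is intended. Minor: pass the values as logger arguments, `root_logger.info("   %s (%d): %s", port.description, port.port, result)`, instead of pre-formatting with `%`.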
@@ -362,29 +355,34 @@ def main():
   "PKI-CA: Directory Service port"))
 
 if 

[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
This:
```
-label='Group search fields',
 +label=_('Group search fields'),
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/286#issuecomment-263819271

[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

2016-11-30 Thread shanyin
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

shanyin commented:
"""
Ok, it was already translated in zanata. But what did you mean when you said 
"what I meant was to send fixing of missing translations strings as separated 
PR" in #174?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/286#issuecomment-263817736

[Freeipa-devel] [freeipa PR#286][+rejected] fix miss translation in Chinese

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

Label: +rejected

[Freeipa-devel] [freeipa PR#286][closed] fix miss translation in Chinese

2016-11-30 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/286
Author: shanyin
 Title: #286: fix miss translation in Chinese
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/286/head:pr286
git checkout pr286

[Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
We automatically add translations to IPA from zanata before releasing. If it is 
translated in zanata it will appear in next release.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/286#issuecomment-263815960

[Freeipa-devel] [freeipa PR#275][comment] Enhance __repr__ method of Principal

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38cc40ddb5bf965801500bb4f66fd965b12e3c88
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/275#issuecomment-263814999

[Freeipa-devel] [freeipa PR#275][closed] Enhance __repr__ method of Principal

2016-11-30 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/275
Author: martbab
 Title: #275: Enhance __repr__ method of Principal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/275/head:pr275
git checkout pr275

[Freeipa-devel] [freeipa PR#275][+pushed] Enhance __repr__ method of Principal

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/275
Title: #275: Enhance __repr__ method of Principal

Label: +pushed

[Freeipa-devel] [freeipa PR#255][comment] Adjustments for setup requirements

2016-11-30 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/255
Title: #255: Adjustments for setup requirements

martbab commented:
"""
As I said, if 0.9 breaks your PyPI work feel free to bump it but please split 
the version bumps into a separate commit on top of ipasetup fixes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/255#issuecomment-263813183

[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-30 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/271
Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient

mbasti-rh commented:
"""
master:

9117a5d5a6ae7b3b97407e46f81a06c387974d7f paths: remove DEV_NULL
8e5d2c7014ff6371a3b306e666c301aea1f7a488 custodiainstance: automatic restart on 
config file update
a1f260d021bf5d018e634438fde6b7c81ebbbcef ipapython: move dnssec, p11helper and 
secrets to ipaserver
26c46a447f82b4cf37a5076b72cf6328857d5f35 ipapython: move certmonger and 
sysrestore to ipalib.install
f919ab4ee0ec26d77ee6978e75de5daba4073402 certdb: use a temporary file to pass 
password to pk12util
d6b755e3fcaf32158f4ee36d45e3344b4a03fbc2 ipautil: remove SHARE_DIR and 
PLUGIN_SHARE_DIR
7b966e8577fdb56f069cf26a6ab4d6c77b8743b9 ipautil: remove get_domain_name()
d911f493482d29829199cce2f91f88a9b53369e1 ipautil: remove the timeout argument 
of run()
75b70e3f0d52a9c98f443d3fc2f7cef92bdc7b1a ipautil: move is_fips_enabled() to 
ipaplatform.tasks
7d5c680ace7ccea3b0f7f1471cf8dbc07b3da5a1 ipautil: move kinit functions to 
ipalib.install
6e50fae9ec6dea35e12a65dbc46228a1e6276e07 ipautil: move file encryption 
functions to installutils
528012fe8a8976961203021ef36353b7a4c3b8a8 ipapython: remove hard dependency on 
ipaplatform
a2c58889735c794cd1e93331c755b6f9ba273773 ipalib: move certstore to the install 
subpackage
977050c66bccd7b8cf468c115d73250505a01034 constants: remove CACERT
d43b57d2ce8552ed4977dcc33667b4226feb ipalib: remove hard dependency on 
ipapython
70c3cd7f482bee7d5ad12062daa7ad6181a29094 ipaclient: move install modules to the 
install subpackage
a260fd8058d757b631dd4eb39ee8a58b91cf2efb ipaclient: remove hard dependency on 
ipaplatform
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/271#issuecomment-263810669

[Freeipa-devel] [freeipa PR#271][closed] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient

2016-11-30 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/271
Author: jcholast
 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and 
ipaclient
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/271/head:pr271
git checkout pr271
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

  1   2   >