[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@martbab your concerns should be addressed in this revision
I also started adding upgrade code, but it is still not fully tested.
In the process I locally get 2 pylint errors about the hostname property used 
on 2 out of 3 Principal() objects in cert.py; I am sorta baffled at why that 
is, but it is late here, so I decided to push the code and see if anyone has an 
idea.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265598252
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 7bab75c3bdd59b16879c0f48f7293deb495666d9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  52 +
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  19 +
 ipaserver/plugins/cert.py|  80 +++-
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 293 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
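Review bot: the template now substitutes two variables, $KDC_CERT and $KDC_KEY, where it previously substituted one, $KDC_PEM, so every code path that renders kdc.conf.template (server install, replica install and the upgrade code the PR comment says is still being added) has to supply both, and an already installed server whose kdc.conf still reads `pkinit_identity = FILE:$KDC_PEM` keeps working only as long as that combined file stays in place. With the private key now in a file of its own, make sure whatever writes $KDC_KEY sets it 0600 and owned by the KDC user: a readable KDC PKINIT key lets its holder impersonate the KDC towards PKINIT clients.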
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
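Review bot: `desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.` and `name=IPA-RA Agent-Authenticated Server Certificate Enrollment` are carried over from the generic server-certificate profile and say nothing about PKINIT, while `profileId=KDCs_PKINIT_Certs` does; give both a matching text so an admin listing Dogtag profiles can tell what this one issues. Also, the subject constraint `CN=[^,]+,.+` accepts any CN, so nothing in the visible policies 1-5 ties a certificate from this profile to a KDC; whatever marks it as a KDC certificate for PKINIT clients must be in policies 6-11, which are cut off here, and is worth checking in the full file.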

[Freeipa-devel] [freeipa PR#320][synchronized] add missing attribute to ipaca replica during CA topology update

2016-12-07 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/320
Author: martbab
 Title: #320: add missing attribute to ipaca replica during CA topology update
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/320/head:pr320
git checkout pr320
From 96f60d0464b8956382892fc5f04bea1d5fc62b02 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 7 Dec 2016 13:47:14 +0100
Subject: [PATCH 1/2] Revert "upgrade: add replica bind DN group check interval
 to CA topology config"

This reverts commit 8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9 since it
leads to errors in upgrade of first master.

https://fedorahosted.org/freeipa/ticket/6508
---
 install/share/ca-topology.uldif | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 8fe38e7..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -12,4 +12,3 @@ default: cn: ca
 
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
-add: nsds5replicabinddngroupcheckinterval: 60
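Review bot: removing the unconditional `add:` line is the right fix here; the `onlyifexist:` directive on the previous line guards only its own attribute, so on a first master where `cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config` does not exist yet the `add:` produced the upgrade error the commit message describes. Since the attribute is now set by update_ca_topology.py instead, a one-line comment in this file saying so would stop someone from re-adding the line later.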

From 9f5df06ab38ac83da8b1cdf4fda2763828f57305 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 7 Dec 2016 14:00:09 +0100
Subject: [PATCH 2/2] add missing attribute to ipaca replica during CA topology
 update

'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.

https://fedorahosted.org/freeipa/ticket/6508
---
 ipaserver/install/plugins/update_ca_topology.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
index d76849b..f82926b 100644
--- a/ipaserver/install/plugins/update_ca_topology.py
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -2,8 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
+from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
+from ipapython.dn import DN
 from ipaserver.install import certs, cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
@@ -31,4 +33,24 @@ def execute(self, **options):
 
 ld.update([paths.CA_TOPOLOGY_ULDIF])
 
+ldap = self.api.Backend.ldap2
+
+ca_replica_dn = DN(
+('cn', 'replica'),
+('cn', 'o=ipaca'),
+('cn', 'mapping tree'),
+('cn', 'config'))
+
+check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
+default_check_interval = ['60']
+
+try:
+ca_replica_entry = ldap.get_entry(ca_replica_dn)
+except errors.NotFound:
+pass
+else:
+if check_interval_attr not in ca_replica_entry:
+ca_replica_entry[check_interval_attr] = default_check_interval
+ldap.update_entry(ca_replica_entry)
+
 return False, []
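Review bot: the `except errors.NotFound: pass` silently skips exactly the situation this change is about (no `o=ipaca` replica entry yet), and the success path is equally quiet; log a debug line in both branches (entry absent, attribute added) so an admin reading the upgrade log can tell which one happened. Two smaller points: `default_check_interval = ['60']` hardcodes the value the reverted uldif line carried, so a module-level constant with a short comment on why 60 seconds would help, and the `if check_interval_attr not in ca_replica_entry` test is what keeps `ldap.update_entry` from being called with no modification, which also deserves a comment since it is easy to drop in a later refactor.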
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#320][opened] add missing attribute to ipaca replica during CA topology update

2016-12-07 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/320
Author: martbab
 Title: #320: add missing attribute to ipaca replica during CA topology update
Action: opened

PR body:
"""
The previous fix for missing 'nsds5replicabinddngroupcheckinterval' fails when
the first CA master is being set up. The attribute addition from the update file
has to be moved to the update plugin with proper logic that determines the
presence of the o=ipaca replica entry.

https://fedorahosted.org/freeipa/ticket/6508
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/320/head:pr320
git checkout pr320
From eb099a0fbcd4738e03f1e85e3ac35416ac3eac4b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 7 Dec 2016 13:47:14 +0100
Subject: [PATCH 1/2] Revert "upgrade: add replica bind DN group check interval
 to CA topology config"

This reverts commit 8c6a10ceddb4fce9a3dd4a334e6804800b5c89f9 since it
leads to errors in upgrade of first master.

https://fedorahosted.org/freeipa/ticket/6508
---
 install/share/ca-topology.uldif | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/ca-topology.uldif b/install/share/ca-topology.uldif
index 8fe38e7..fea591b 100644
--- a/install/share/ca-topology.uldif
+++ b/install/share/ca-topology.uldif
@@ -12,4 +12,3 @@ default: cn: ca
 
 dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
 onlyifexist: nsds5replicabinddngroup: cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
-add: nsds5replicabinddngroupcheckinterval: 60

From fb073be6c7d1aab0778c3e46c192409ca6d4243f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 7 Dec 2016 14:00:09 +0100
Subject: [PATCH 2/2] add missing attribute to ipaca replica during CA topology
 update

'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.

https://fedorahosted.org/freeipa/ticket/6508
---
 ipaserver/install/plugins/update_ca_topology.py | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/ipaserver/install/plugins/update_ca_topology.py b/ipaserver/install/plugins/update_ca_topology.py
index d76849b..f82926b 100644
--- a/ipaserver/install/plugins/update_ca_topology.py
+++ b/ipaserver/install/plugins/update_ca_topology.py
@@ -2,8 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
+from ipalib import errors
 from ipalib import Registry
 from ipalib import Updater
+from ipapython.dn import DN
 from ipaserver.install import certs, cainstance
 from ipaserver.install import ldapupdate
 from ipaplatform.paths import paths
@@ -31,4 +33,24 @@ def execute(self, **options):
 
 ld.update([paths.CA_TOPOLOGY_ULDIF])
 
+ldap = self.api.Backend.ldap2
+
+ca_replica_dn = DN(
+('cn', 'replica'),
+('cn', 'o=ipaca'),
+('cn', 'mapping tree'),
+('cn', 'config'))
+
+check_interval_attr = 'nsds5replicabinddngroupcheckinterval'
+default_check_interval = ['60']
+
+try:
+ca_replica_entry = ldap.get_entry(ca_replica_dn)
+except errors.NotFound:
+pass
+else:
+if check_interval_attr not in ca_replica_entry:
+ca_replica_entry[check_interval_attr] = default_check_interval
+ldap.update_entry(ca_replica_entry)
+
 return False, []
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/292
Title: #292: Increase the timeout waiting for certificate issuance in installer

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9e3c17c6ded868b4261aa76137c703a4fb866578
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/292#issuecomment-265485148
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][+pushed] Increase the timeout waiting for certificate issuance in installer

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/292
Title: #292: Increase the timeout waiting for certificate issuance in installer

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][closed] Increase the timeout waiting for certificate issuance in installer

2016-12-07 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/292
Author: flo-renaud
 Title: #292: Increase the timeout waiting for certificate issuance in installer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/292/head:pr292
git checkout pr292
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#292][+ack] Increase the timeout waiting for certificate issuance in installer

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/292
Title: #292: Increase the timeout waiting for certificate issuance in installer

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
Ok, if Petr agrees we can go with your proposal
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265481358
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
PS: I'd rather not run both linters in parallel. We use pylint in parallel 
mode, which runs as many workers as CPU cores. ```make pylint``` already uses 
up 90-100% CPU cycles on all cores.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265480425
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
It's easily possible with my proposal, just saying:

```make pylint PYTHON=python3```
```make pylint PYTHON=python2```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265479049
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#284][+pushed] ipautil: check for open ports on all resolved IPs

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#284][comment] ipautil: check for open ports on all resolved IPs

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a24cd01304aaef77b66d0e178585c9ec8bbce9b5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/284#issuecomment-265478337
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#284][closed] ipautil: check for open ports on all resolved IPs

2016-12-07 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
 Title: #284: ipautil: check for open ports on all resolved IPs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
I had a discussion with Petr, and currently we cannot run both pylints in the build 
system, and it is not easy to add it there.

So we have to manually override pylint versions in travis tests, so I would 
stay with the current version of the commits
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265477567
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Reading Attributes from LDAP Client

2016-12-07 Thread Rob Crittenden
Chad Cravens wrote:
> Hello:
> 
> We are working with RedHat IDM and I'm trying to understand how
> Permissions and Roles are represented/stored in the LDAP Directory
> Server. What we would like to do is create roles in the web GUI and
> programmatically retrieve the Roles and Permissions, as well as who they
> are associated with, programmatically using an LDAP client (written in C).
> 
> Any guidance on how to do such a thing would be greatly appreciated, thanks!

Retrieve the role and look at the member and memberof attributes.

A member is a direct member of the role and will be (from memory) only
user or group DNs.

To see what the role can do you'll need to examine the container of the
memberof DN to know what type of thing it is (privilege or permission).

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
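To make the container check in the reply above concrete, here is an added example (my code, not Rob's or FreeIPA's) that sorts a role entry's member and memberOf DNs by the container each DN sits in, which is what tells a privilege from a permission. The suffix dc=example,dc=test and the role entry are constructed so the script runs with no directory at hand; the container locations (cn=roles,cn=accounts, cn=privileges,cn=pbac and cn=permissions,cn=pbac under the suffix) are the standard FreeIPA layout. A C client does the same walk: read the two attributes, strip the first RDN of each value and compare the rest against those containers.

```python
"""Sort a FreeIPA role's member / memberOf DNs by the container they live in.

Added example; not code from the reply above or from FreeIPA. The suffix and
the role entry are constructed so the script runs with no directory at hand.
"""

SUFFIX = "dc=example,dc=test"  # constructed; use your own IPA suffix

# Standard FreeIPA containers, lower-cased for case-insensitive DN matching.
CONTAINER_KIND = {
    f"cn=roles,cn=accounts,{SUFFIX}": "role",
    f"cn=privileges,cn=pbac,{SUFFIX}": "privilege",
    f"cn=permissions,cn=pbac,{SUFFIX}": "permission",
    f"cn=users,cn=accounts,{SUFFIX}": "user",
    f"cn=groups,cn=accounts,{SUFFIX}": "group",
}


def split_rdns(dn):
    """Split a DN on unescaped commas ('\\,' inside a value stays put)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def classify(dn):
    """Name the kind of object a DN points at from its parent container."""
    parent = ",".join(split_rdns(dn)[1:]).lower()
    return CONTAINER_KIND.get(parent, "other")


def describe_role(role_entry):
    """Group a role entry's direct members and its memberOf values by kind.

    memberOf carries both the privileges the role belongs to and, through
    nested membership, the permissions those privileges carry, so the
    container is what tells them apart.
    """
    summary = {"members": {"user": [], "group": [], "other": []},
               "privilege": [], "permission": [], "other": []}
    for dn in role_entry.get("member", []):
        kind = classify(dn)
        summary["members"][kind if kind in ("user", "group") else "other"].append(dn)
    for dn in role_entry.get("memberof", []):
        kind = classify(dn)
        summary[kind if kind in ("privilege", "permission") else "other"].append(dn)
    return summary


# Constructed role entry shaped like a decoded LDAP search result
# (python-ldap returns attribute names as the server spells them and values
# as bytes; normalise both before calling describe_role on real data).
ROLE_ENTRY = {
    "dn": f"cn=helpdesk,cn=roles,cn=accounts,{SUFFIX}",
    "member": [
        f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
        f"cn=support,cn=groups,cn=accounts,{SUFFIX}",
    ],
    "memberof": [
        f"cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,{SUFFIX}",
        f"cn=System: Change User password,cn=permissions,cn=pbac,{SUFFIX}",
        f"cn=System: Modify Users,cn=permissions,cn=pbac,{SUFFIX}",
    ],
}

if __name__ == "__main__":
    for kind, dns in describe_role(ROLE_ENTRY).items():
        print(kind, dns)
```

Against a live server the same function takes the `member` and `memberOf` values of each entry under cn=roles,cn=accounts,$SUFFIX; because DN matching is case-insensitive the lookup lower-cases the parent DN, and the splitter respects `\,` so a CN containing a comma does not break the container comparison.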


[Freeipa-devel] Reading Attributes from LDAP Client

2016-12-07 Thread Chad Cravens
Hello:

We are working with RedHat IDM and I'm trying to understand how Permissions
and Roles are represented/stored in the LDAP Directory Server. What we
would like to do is create roles in the web GUI and programmatically
retrieve the Roles and Permissions, as well as who they are associated
with, programmatically using an LDAP client (written in C).

Any guidance on how to do such a thing would be greatly appreciated, thanks!

-- 
Kindest Regards,
Chad Cravens
(843) 291-8340

Chad Cravens
(843) 291-8340
chad.crav...@ossys.com
http://www.ossys.com
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
Or we can run both pylints as long as we want py2/3 compatible versions
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265472634
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
But we build both 2/3 versions at once
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265469455
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs

2016-12-07 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
 Title: #284: ipautil: check for open ports on all resolved IPs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284
From 29b7f6c4d17911f760f0031f31edfa2881e2223d Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 29 Nov 2016 18:19:07 +0100
Subject: [PATCH] ipautil: check for open ports on all resolved IPs

When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522
---
 install/tools/ipa-replica-conncheck |  5 +++--
 ipapython/ipautil.py| 44 -
 2 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 934744d..04e23de 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -381,8 +381,9 @@ def port_check(host, port_list):
 ports_udp_warning = []  # conncheck could not verify that port is open
 for port in port_list:
 try:
-port_open = ipautil.host_port_open(host, port.port,
-port.port_type, socket_timeout=CONNECT_TIMEOUT)
+port_open = ipautil.host_port_open(
+host, port.port, port.port_type,
+socket_timeout=CONNECT_TIMEOUT, log_errors=True)
 except socket.gaierror:
 raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host)
 if port_open:
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index f85fa0d..f061e79 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -55,6 +55,12 @@
 GEN_TMP_PWD_LEN = 12  # only for OTP password that is manually retyped by user
 
 
+PROTOCOL_NAMES = {
+socket.SOCK_STREAM: 'tcp',
+socket.SOCK_DGRAM: 'udp'
+}
+
+
 class UnsafeIPAddress(netaddr.IPAddress):
 """Any valid IP address with or without netmask."""
 
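Review bot: `PROTOCOL_NAMES[socket_type]` is only looked up on the error path below and only when `log_errors` is set, so a caller passing any `socket_type` other than SOCK_STREAM or SOCK_DGRAM would turn a plain connection failure into a KeyError raised from inside the logging code; use `PROTOCOL_NAMES.get(socket_type, str(socket_type))` there, or validate `socket_type` at the top of host_port_open.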
@@ -866,15 +872,21 @@ def user_input(prompt, default = None, allow_empty = True):
 return ret
 
 
-def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):
+def host_port_open(host, port, socket_type=socket.SOCK_STREAM,
+   socket_timeout=None, log_errors=False):
+"""
+host: either hostname or IP address;
+  if hostname is provided, port MUST be open on ALL resolved IPs
+
+returns True is port is open, False otherwise
+"""
+port_open = True
+
+# port has to be open on ALL resolved IPs
 for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):
 af, socktype, proto, _canonname, sa = res
 try:
-try:
-s = socket.socket(af, socktype, proto)
-except socket.error:
-s = None
-continue
+s = socket.socket(af, socktype, proto)
 
 if socket_timeout is not None:
 s.settimeout(socket_timeout)
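Review bot: dropping the inner `try`/`except socket.error` around `s = socket.socket(af, socktype, proto)` changes two things. First, if socket creation itself fails on the first address (for example an AF_INET6 entry from getaddrinfo on a host without IPv6 support) `s` is never bound, the outer `except socket.error` swallows the error, and the `finally: if s:` then raises UnboundLocalError; initialise `s = None` before the `try`. Second, such a host now reports the port closed instead of skipping that address as the old `continue` did, which may be intended under the all-addresses rule but deserves a sentence in the docstring. The docstring also has a typo (`returns True is port is open`) and does not describe the new `log_errors` parameter.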
@@ -884,15 +896,27 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=No
 if socket_type == socket.SOCK_DGRAM:
 s.send('')
 s.recv(512)
-
-return True
 except socket.error:
-pass
+port_open = False
+
+if log_errors:
+msg = ('Failed to connect to port %(port)d %(proto)s on '
+   '%(addr)s' % dict(port=port,
+ proto=PROTOCOL_NAMES[socket_type],
+ addr=sa[0]))
+
+# Do not log udp failures as errors (to be consistent with
+# the rest of the code that checks for open ports)
+if socket_type == socket.SOCK_DGRAM:
+root_logger.warning(msg)
+else:
+root_logger.error(msg)
 finally:
 if s:
 s.close()
+s = None
 
-return False
+return port_open
 
 
 def reverse_record_exists(ip_address):
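Review bot: `socket.timeout` is a subclass of `socket.error`, so a TCP connect that simply runs out its `socket_timeout` is logged with the same `Failed to connect to port %(port)d %(proto)s on %(addr)s` text as a refused connection, and that distinction is what an admin debugging a conncheck most wants; catch it as `except socket.error as e` and append the exception text to msg. Also, because the loop no longer returns on first success, a name with several addresses now spends up to one `socket_timeout` per address before reporting False, so callers that tune CONNECT_TIMEOUT should know the budget is per address rather than per host.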
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

tiran commented:
"""
It makes more sense to follow the principle *test what you build, build what 
you test*. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265460797
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-12-07 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

jcholast commented:
"""
@Akasurde, `Knob()` already handles metavar properly, you need to work on the 
interface between the installer and `optparse` - `ipapython.install.cli`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-265447065
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-12-07 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

Akasurde commented:
"""
@jcholast @mbasti-rh I will work on modifying `Knob()` to handle metavar
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-265446264
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-07 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From 27e72f6512147a91e575b0ba0e6006cc7b185902 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  47 +---
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/plugins/cert.py|  77 +++
 ipaserver/plugins/dogtag.py  |   2 +
 17 files changed, 272 insertions(+), 63 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
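Review bot: the `desc` and `name` fields still describe a generic "IPA-RA Agent-Authenticated Server Certificate Enrollment" profile although `profileId=KDCs_PKINIT_Certs` is specific to KDC PKINIT certificates; reword them so the profile can be told apart from the server profile in profile listings. The subject name constraint `CN=[^,]+,.+` also accepts any CN; if the profile is meant only for KDC principals, tighten the pattern or leave a comment in the commit message explaining why it is kept generic.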

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
Please replace this by something sane,
```
return sha1(ipautil.ipa_generate_password()).hexdigest()
```

security by obscurity worked well in the Roman empire, but now please generate 
the password directly with 128 bits of entropy without using sha1
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
NACK

You replaced os.random() by ipa_generate_password, but ipa_generate_password 
does not generate random bytes but random printable characters (entropy--), so 
you have to recalculate a new password length accordingly or edit the 
ipa_generate_password function to generate random bytes.

Also I noticed you removed base64encoding, are you sure that places where it 
was used can handle all bytes characters (nonprintable, etc)? I would stay with 
base64 there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-265438520
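The entropy arithmetic behind the NACK above, as an added example that is not code from FreeIPA or from anyone in this thread: it computes how many printable characters are needed to carry the 128 bits that `hexlify(os.urandom(16))` carried, and generates such a password with the standard library. The 94-symbol alphabet is a constructed stand-in; the real character set of `ipa_generate_password` is not shown in the thread.

```python
import math
import secrets
import string

# Constructed stand-in alphabet (94 printable ASCII symbols, no space);
# ipa_generate_password's real character set is not shown in the thread.
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def length_for_entropy(alphabet_size, target_bits):
    """Smallest symbol count whose uniform string carries at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_replacement(n_bytes, alphabet_size=len(PRINTABLE_ALPHABET)):
    """Entropy before/after swapping hexlify(os.urandom(n)) for n printable chars.

    Before: n random bytes rendered as 2n hex digits, 8 bits per byte
            (the hex encoding adds length, not entropy).
    After:  n characters from the printable alphabet, log2(size) bits each.
    chars_needed is the pwd_len that restores the original entropy.
    """
    before = 8.0 * n_bytes
    after = entropy_bits(alphabet_size, n_bytes)
    return {
        "before_bits": before,
        "after_bits": after,
        "chars_needed": length_for_entropy(alphabet_size, before),
    }


def generate_password(length, alphabet=PRINTABLE_ALPHABET):
    """Uniform random password from `alphabet` using the OS CSPRNG.

    secrets.choice rejects bias from the modulo of a non-power-of-two
    alphabet, so every character carries the full log2(len(alphabet)) bits.
    Hashing the result (e.g. sha1) would not add entropy, only cap it.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The two os.urandom() call sites touched by the PR used 16 and 10 bytes.
    for n in (16, 10):
        print(n, compare_replacement(n))
    print(generate_password(length_for_entropy(len(PRINTABLE_ALPHABET), 128)))
```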

[Freeipa-devel] [freeipa PR#318][opened] server install: fix external CA install

2016-12-07 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/318
Author: jcholast
 Title: #318: server install: fix external CA install
Action: opened

PR body:
"""
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/318/head:pr318
git checkout pr318
From ae5f464174f3ade82336a58a860b275a464095a6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 30 Nov 2016 13:55:38 +0100
Subject: [PATCH] server install: fix external CA install

Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392
---
 ipaclient/install/client.py |   3 +
 ipalib/install/service.py   |   4 --
 ipaserver/install/ca.py |   1 -
 ipaserver/install/ipa_server_install.py |  10 ++--
 ipaserver/install/server/__init__.py| 100 +++-
 ipaserver/install/server/install.py |   3 -
 6 files changed, 54 insertions(+), 67 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0954c2b..0eec5bd 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -3571,6 +3571,9 @@ class ClientInstall(ClientInstallInterface,
 Client installer
 """
 
+replica_file = None
+dm_password = None
+
 ca_cert_files = knob(
 bases=ClientInstallInterface.ca_cert_files,
 )
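Review bot: the two new class attributes `replica_file = None` and `dm_password = None` carry no comment; they exist to mask the knobs inherited from the install interface now that the `enroll_only`/`replica_install_only` wrappers are removed in service.py, and without a one-line comment saying so the next reader will take them for dead code and remove them, which would put `--dm-password` back on the client CLI.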
diff --git a/ipalib/install/service.py b/ipalib/install/service.py
index 2544e5b..fc430fb 100644
--- a/ipalib/install/service.py
+++ b/ipalib/install/service.py
@@ -146,7 +146,6 @@ def domain_name(self, value):
 str, None,
 description="a file generated by ipa-replica-prepare",
 )
-replica_file = enroll_only(replica_file)
 replica_file = replica_install_only(replica_file)
 
 dm_password = knob(
@@ -154,8 +153,6 @@ def domain_name(self, value):
 sensitive=True,
 description="Directory Manager password (for the existing master)",
 )
-dm_password = enroll_only(dm_password)
-dm_password = replica_install_only(dm_password)
 
 
 class ServiceAdminInstallInterface(ServiceInstallInterface):
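Review bot: dropping both `enroll_only(dm_password)` and `replica_install_only(dm_password)` leaves `dm_password` as a plain knob on every installer that derives from this interface, not only replica installs; the only thing keeping it off the client installer is the `dm_password = None` override in the client.py hunk, so that coupling should be noted here (or the knob should stay wrapped and be re-declared where the server install needs it).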
@@ -175,4 +172,3 @@ class ServiceAdminInstallInterface(ServiceInstallInterface):
 sensitive=True,
 )
 admin_password = enroll_only(admin_password)
-admin_password = replica_install_only(admin_password)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index efc8c87..4f64d99 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -338,7 +338,6 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
 ['-w']),
 )
 admin_password = enroll_only(admin_password)
-admin_password = replica_install_only(admin_password)
 
 external_ca = knob(
 None,
diff --git a/ipaserver/install/ipa_server_install.py b/ipaserver/install/ipa_server_install.py
index 3b6cb81..e708040 100644
--- a/ipaserver/install/ipa_server_install.py
+++ b/ipaserver/install/ipa_server_install.py
@@ -15,16 +15,16 @@ class CompatServerMasterInstall(ServerMasterInstall):
 no_sudo = False
 request_cert = False
 
-new_dm_password = knob(
+dm_password = knob(
 # pylint: disable=no-member
-bases=ServerMasterInstall.new_dm_password,
+bases=ServerMasterInstall.dm_password,
 cli_names=['--ds-password', '-p'],
 )
 
-new_admin_password = knob(
+admin_password = knob(
 # pylint: disable=no-member
-bases=ServerMasterInstall.new_admin_password,
-cli_names=(list(ServerMasterInstall.new_admin_password.cli_names) +
+bases=ServerMasterInstall.admin_password,
+cli_names=(list(ServerMasterInstall.admin_password.cli_names) +
['-a']),
 )
 
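Review bot: renaming `new_dm_password`/`new_admin_password` to `dm_password`/`admin_password` fixes the option cache lookup described in the commit message for installs that start on this version, but a cache written by step 1 of an external CA install under the previous version still stores the `new_`-prefixed names, so step 2 after an upgrade will not find them; either accept both names when reading the cache or state in the commit message that step 1 must be rerun after upgrading.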
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index c518ec9..0237702 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -21,7 +21,6 @@
 prepares,
 prepare_only,
 replica_install_only)
-from ipalib.util import validate_domain_name
 from ipapython import ipautil
 from ipapython.dnsutil import check_zone_overlap
 from ipapython.install import typing
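Review bot: `from ipalib.util import validate_domain_name` is removed here while the rest of this file's changes are not visible on the page; please confirm the domain name validation itself moved with the knob (the `domain_name` knob is now defined once, per the commit message) rather than being dropped, since a server install that no longer validates the domain name would accept values the later steps cannot handle.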
@@ -72,22 +71,6 @@ class ServerInstallInterface(client.ClientInstallInterface,
 

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-12-07 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

jcholast commented:
"""
@mbasti-rh, I don't care as long as it's done right (i.e. without hardcoding 
`cli_metavar` in knob definitions).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-265432383

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Note: this PR also depends on and includes commits from #206
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380

[Freeipa-devel] [freeipa PR#316][closed] Fix error in permission-find post_callback search

2016-12-07 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/316
Author: stlaz
 Title: #316: Fix error in permission-find post_callback search
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/316/head:pr316
git checkout pr316

[Freeipa-devel] [freeipa PR#316][comment] Fix error in permission-find post_callback search

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/316
Title: #316: Fix error in permission-find post_callback search

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/0c044cb084780ee45860169dd5d12689cf05fa49
https://fedorahosted.org/freeipa/changeset/a77627dd8cca43bd1131a7e186de0ab159763761
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/316#issuecomment-265430295

[Freeipa-devel] [freeipa PR#316][+pushed] Fix error in permission-find post_callback search

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/316
Title: #316: Fix error in permission-find post_callback search

Label: +pushed

[Freeipa-devel] [freeipa PR#316][+ack] Fix error in permission-find post_callback search

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/316
Title: #316: Fix error in permission-find post_callback search

Label: +ack

[Freeipa-devel] [freeipa PR#317][opened] Unify password generation across FreeIPA

2016-12-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
 Title: #317: Unify password generation across FreeIPA
Action: opened

PR body:
"""
When installing FreeIPA in FIPS mode I noticed that there were often different 
ways of generating passwords in different spots raising the same issue with 
password requirements. Handling password generation at one centralized spot 
should allow us to handle any password requirements issues at this very spot.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317
From d214b72d6b2299df29540151a86671b361f16167 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:05:42 +0100
Subject: [PATCH] Unify password generation across FreeIPA

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 8 ++--
 ipaserver/install/dogtaginstance.py| 3 +--
 ipaserver/install/dsinstance.py| 5 +
 ipaserver/install/httpinstance.py  | 5 ++---
 ipaserver/install/server/replicainstall.py | 3 +--
 ipaserver/secrets/store.py | 2 +-
 6 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 45602ba..8673a48 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -25,7 +25,6 @@
 import xml.dom.minidom
 import pwd
 import base64
-from hashlib import sha1
 import fcntl
 import time
 import datetime
@@ -159,9 +158,6 @@ def set_perms(self, fname, write=False, uid=None):
 perms |= stat.S_IWUSR
 os.chmod(fname, perms)
 
-def gen_password(self):
-return sha1(ipautil.ipa_generate_password()).hexdigest()
-
 def run_certutil(self, args, stdin=None, **kwargs):
 return self.nssdb.run_certutil(args, stdin, **kwargs)
 
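Review bot: `gen_password` returned a 40-character hex SHA-1 digest, which is at most 160 bits no matter what is fed in; the replacement calls to `ipautil.ipa_generate_password()` in the hunks below use its default length, so the commit message should state what that default is and that the resulting value is not shorter in entropy than before. The noise file in particular is seed material for NSS key generation, so its length should not silently shrink.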
@@ -177,7 +173,7 @@ def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
 f = open(self.noise_fname, "w")
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password())
 self.set_perms(self.noise_fname)
 
 def create_passwd_file(self, passwd=None):
@@ -186,7 +182,7 @@ def create_passwd_file(self, passwd=None):
 if passwd is not None:
 f.write("%s\n" % passwd)
 else:
-f.write(self.gen_password())
+f.write(ipautil.ipa_generate_password())
 f.close()
 self.set_perms(self.passwd_fname)
 
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f4856c7..b2a569a 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -18,7 +18,6 @@
 #
 
 import base64
-import binascii
 import ldap
 import os
 import shutil
@@ -428,7 +427,7 @@ def __add_admin_to_group(self, group):
 
 def setup_admin(self):
 self.admin_user = "admin-%s" % self.fqdn
-self.admin_password = binascii.hexlify(os.urandom(16))
+self.admin_password = ipautil.ipa_generate_password(pwd_len=16)
 self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
 
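Review bot: `binascii.hexlify(os.urandom(16))` produced 128 bits of entropy as 32 hex characters, whereas `ipautil.ipa_generate_password(pwd_len=16)` produces 16 characters from a printable alphabet, i.e. roughly 6 to 6.6 bits per character, so the admin password drops to about 95 to 105 bits; compute `pwd_len` from the target entropy (about 20 characters for a 94-symbol alphabet, 22 for alphanumerics) instead of reusing the byte count.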
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 1be5ac7..09708dc 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -506,7 +506,7 @@ def __setup_sub_dict(self):
 idrange_size = None
 self.sub_dict = dict(FQDN=self.fqdn, SERVERID=self.serverid,
  PASSWORD=self.dm_password,
- RANDOM_PASSWORD=self.generate_random(),
+ RANDOM_PASSWORD=ipautil.ipa_generate_password(),
  SUFFIX=self.suffix,
  REALM=self.realm, USER=DS_USER,
  SERVER_ROOT=server_root, DOMAIN=self.domain,
@@ -773,9 +773,6 @@ def __host_nis_groups(self):
 def __add_enrollment_module(self):
 self._ldap_mod("enrollment-conf.ldif", self.sub_dict)
 
-def generate_random(self):
-return ipautil.ipa_generate_password()
-
 def __enable_ssl(self):
 dirname = config_dirname(self.serverid)
 dsdb = certs.CertDB(self.realm, nssdir=dirname, subject_base=self.subject_base)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 15c3107..e822b3c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,7 +19,6 @@
 
 from __future__ import print_function
 
-import binascii
 import os
 import os.path
 import pwd
@@ -314,9 +313,9 @@ def create_cert_db(self):
 ipautil.backup_file(nss_path)
 
 # Create the password file for this db
-hex_str = binascii.hexlify(os.urandom(10))
+password = ipautil.ipa_generate_password(pwd_len=10)
 f = os.open(pwd_file, 
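Review bot: same entropy regression as in dogtaginstance.py: `os.urandom(10)` gave 80 bits as 20 hex characters, while `pwd_len=10` gives 10 printable characters, roughly 60 to 66 bits; derive the length from the intended entropy rather than the former byte count. The variable is also renamed from `hex_str` to `password`, so the `os.write` that follows (cut off on this page) must be updated to match.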

[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

mbasti-rh commented:
"""
@jcholast any update? Should we reject this PR and wait for `argparse`, or fix it 
with `optparse` as well? IMO fixing it now is better for UX, we don't know when 
or if we migrate to argparse.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-265427657

[Freeipa-devel] [freeipa PR#284][comment] ipautil: check for open ports on all resolved IPs

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/284
Title: #284: ipautil: check for open ports on all resolved IPs

mbasti-rh commented:
"""
needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/284#issuecomment-265426083

[Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

mbasti-rh commented:
"""
@tjaalton just one nitpick, otherwise it looks good to me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/294#issuecomment-265425410

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

pspacek commented:
"""
@simo5 Please extend the design page with an image description which explains 
each of the steps. There are numbers and letters in the image which are not 
explained anywhere. A detailed end-to-end example of interaction could be 
useful for detailed review. Thank you!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265424963

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-07 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

martbab commented:
"""
I have a few small comments on this PR, nothing serious.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-265425006

[Freeipa-devel] [freeipa PR#312][closed] bindinstance: use data in named.conf to determine configuration status

2016-12-07 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/312
Author: martbab
 Title: #312: bindinstance: use data in named.conf to determine configuration 
status
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/312/head:pr312
git checkout pr312

[Freeipa-devel] [freeipa PR#312][comment] bindinstance: use data in named.conf to determine configuration status

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/312
Title: #312: bindinstance: use data in named.conf to determine configuration 
status

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f0e09c42b76f229486e5dea097cd2b660243
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/bf28d79afeff4575adc9ba0618b5acbf0cf51009
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/312#issuecomment-265424471

[Freeipa-devel] [freeipa PR#312][+pushed] bindinstance: use data in named.conf to determine configuration status

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/312
Title: #312: bindinstance: use data in named.conf to determine configuration 
status

Label: +pushed

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-07 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, yep, I'm aware of that - `cert-find` does the same. Not a big 
deal IMO since it has to be explicitly requested by the user. But tickets are 
certainly a good idea.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-265420461

[Freeipa-devel] [freeipa PR#316][opened] Fix error in permission-find post_callback search

2016-12-07 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/316
Author: stlaz
 Title: #316: Fix error in permission-find post_callback search
Action: opened

PR body:
"""
This pull request fixes a bug introduced when fixing a different issue in 
https://github.com/freeipa/freeipa/commit/29aa4877eec89894cc3a6e50c4b6817a713d3177
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/316/head:pr316
git checkout pr316
From 209a62febff8ae835cf6bb74c5a00e8a817078d7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 7 Dec 2016 11:51:19 +0100
Subject: [PATCH 1/2] Generalize filter generation in LDAPSearch

Make it easier to generate search filters properly
and in a unified way in any inheriting method

https://fedorahosted.org/freeipa/ticket/5640
---
 ipaserver/plugins/baseldap.py | 54 +++
 1 file changed, 34 insertions(+), 20 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 5770641..9d6bfc7 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1922,6 +1922,38 @@ def get_options(self):
 for option in self.get_member_options(attr):
 yield option
 
+def get_attr_filter(self, ldap, **options):
+"""
+Returns a MATCH_ALL filter containing all required attributes from the
+options
+"""
+search_kw = self.args_options_2_entry(**options)
+search_kw['objectclass'] = self.obj.object_class
+return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+def get_term_filter(self, ldap, term):
+"""
+Returns a filter to search for a value (term) in any of the
+search attributes of an entry.
+"""
+if self.obj.search_attributes:
+search_attrs = self.obj.search_attributes
+else:
+search_attrs = self.obj.default_attributes
+if self.obj.search_attributes_config:
+config = ldap.get_ipa_config()
+config_attrs = config.get(
+self.obj.search_attributes_config, [])
+if len(config_attrs) == 1 and (
+  isinstance(config_attrs[0], six.string_types)):
+search_attrs = config_attrs[0].split(',')
+
+search_kw = {}
+for a in search_attrs:
+search_kw[a] = term
+
+return ldap.make_filter(search_kw, exact=False)
+
 def get_member_filter(self, ldap, **options):
 filter = ''
 for attr in self.member_attributes:
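Review bot: `get_attr_filter` recomputes `self.args_options_2_entry(**options)` although `execute` already builds `search_kw` from the same options before this point (the removed lines in the next hunk show that dict being extended with `objectclass`); either pass the existing `search_kw` into the helper or delete the now-redundant computation in `execute`, so the two cannot drift apart if `execute` ever preprocesses `search_kw`. A short docstring note that `get_term_filter` consults the IPA config entry each call would also help, since that is an extra LDAP read per search.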
@@ -1981,26 +2013,8 @@ def execute(self, *args, **options):
 attrs_list.difference_update(self.obj.attribute_members)
 attrs_list = list(attrs_list)
 
-if self.obj.search_attributes:
-search_attrs = self.obj.search_attributes
-else:
-search_attrs = self.obj.default_attributes
-if self.obj.search_attributes_config:
-config = ldap.get_ipa_config()
-config_attrs = config.get(
-self.obj.search_attributes_config, [])
-if len(config_attrs) == 1 and (
-isinstance(config_attrs[0], six.string_types)):
-search_attrs = config_attrs[0].split(',')
-
-search_kw['objectclass'] = self.obj.object_class
-attr_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
-
-search_kw = {}
-for a in search_attrs:
-search_kw[a] = term
-term_filter = ldap.make_filter(search_kw, exact=False)
-
+attr_filter = self.get_attr_filter(ldap, **options)
+term_filter = self.get_term_filter(ldap, term)
 member_filter = self.get_member_filter(ldap, **options)
 
 filter = ldap.combine_filters(

From 0ffd604e30c66235af86c6bb76105ef210ceb80f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 7 Dec 2016 11:53:31 +0100
Subject: [PATCH 2/2] Fix permission-find with sizelimit set

If permission-find is fired with an argument and sizelimit set
a message about truncation will be sent along with the result
as the search in post_callback() does general search instead
of having its filter properly set.

https://fedorahosted.org/freeipa/ticket/5640
---
 ipaserver/plugins/permission.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 0bd75b0..dd2a018 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -1306,6 +1306,13 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
 filters.append(ldap.make_filter_from_attr('cn',
   options['name'],
   exact=False))
+index = tuple(self.args).index('criteria')
+try:
+term = args[index]
+   
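Review bot: `tuple(self.args).index('criteria')` sits outside the `try`, so for any command whose positional args do not include `criteria` this raises `ValueError` straight out of `post_callback` instead of reaching the except branch (cut off on this page); move the `.index()` call inside the `try` and catch `ValueError` alongside `IndexError`, or guard it with an `'criteria' in self.args` check.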

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Updated branch, hopefully lint will be happy.
While there I discovered dcerpc.py was using the HTTP keytab, after discussing 
with @abbra we decided to just remove such use for now and see later if we need 
any changes. The use was rare and in the important cases we have already a 
better option in the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-07 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast returning cert and chain in `ca_find` when `--all` is given will 
incur `n * 2` additional round-trips to Dogtag where `n` = number of 
IPA-managed CAs.  I am hesitant to do it unless/until Dogtag provides a better 
way.  Let's open tickets.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-07 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast returning cert and chain in `ca_find` when `--all` is given will 
incur `n * 2` additional round-trips to Dogtag.  I am hesitant to do it 
unless/until Dogtag provides a better way.  Let's open tickets.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-12-07 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 6cd841134829dc51b7698752897e184f9ea462c8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 23 +-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 43 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..caf0ddc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -48,7 +48,9 @@
 from ipalib import api
 from ipalib import util
 from ipalib import errors
+from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython import ipautil
 
 if six.PY3:
 unicode = str
@@ -56,7 +58,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
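Review bot: the new `PEM_REGEX` (`-BEGIN CERTIFICATE-.*?-END CERTIFICATE-`) anchors on the last dash before `BEGIN` and the first dash after `END`, so `findall` returns strings that start with `-BEGIN CERTIFICATE-----` and end with `-----END CERTIFICATE-`, each missing four dashes at both ends; the old lookaround regex returned only the base64 body, so callers that concatenated its matches were not affected. Use the full markers, `r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'`, so that `pkcs7_to_pems` really returns valid PEM blocks as its docstring says, and add a unit test on a constructed two-certificate `openssl pkcs7 -print_certs` output.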
@@ -145,6 +149,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+paths.OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-os.close(chain_fd)
-(_rdn, subject_dn) = 
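Review bot: `certlist` now holds the `list` returned by `x509.pkcs7_to_pems(data, x509.DER)` rather than openssl's text output, but the hunk is cut off at `(_rdn, subject_dn) =`, so the replacement for the removed `find('-BEGIN')` loop is not visible; the new code must iterate the list directly, and the comment `now we have all the certificates in certs, walk through it and pull out each certificate` should be updated to name `certlist` and drop the "pull out" wording, since the extraction is already done by the helper. Also check whether `tempfile` and `os` are still used elsewhere in this file once the `mkstemp` block is gone, or pylint will report them as unused imports.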

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
Sorry, I thought this PR was the priv sep one. I have fixes for this, pushing in 
a moment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265407701

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-07 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
Yes, getting there, be patient, I discovered other stuff as I fixed pylint per 
single patch :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265406741

[Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

mbasti-rh commented:
"""
Could you please fix PEP8?
```
./ipalib/rpc.py:702:80: E501 line too long (93 > 79 characters)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/206#issuecomment-265400122

[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5ecaea6bc4f49c2665597ca38fc52f4fae8a9d24
https://fedorahosted.org/freeipa/changeset/6d6fbc010ec2b607a11e0ff69c8cbdcd3c1d47d9
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/293#issuecomment-265399332

[Freeipa-devel] [freeipa PR#293][+pushed] Run out-of-tree tests in Travis CI

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

Label: +pushed

[Freeipa-devel] [freeipa PR#293][closed] Run out-of-tree tests in Travis CI

2016-12-07 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/293
Author: martbab
 Title: #293: Run out-of-tree tests in Travis CI
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/293/head:pr293
git checkout pr293

[Freeipa-devel] [freeipa PR#293][+ack] Run out-of-tree tests in Travis CI

2016-12-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

Label: +ack

[Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI

2016-12-07 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

stlaz commented:
"""
Good. I see the tests pass now and both @tiran's nitpicks and @mbasti-rh's 
comment have been resolved, so an ACK is in order.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/293#issuecomment-265398313

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-07 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Could you make `ca-find` return the cert/chain as well if (and only if) `--all` 
is specified? Do not add the `--chain` and `--certificate-out` options to it 
though. This is for consistency with `cert-find`, `host-find`, `service-find`, 
etc. Not a blocker.

Also see inline comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-07 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
I would rather have an explicit pylint version than autodetection.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-265392287
