[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
Server roles page is broken too, or at least it looks weird, probably server 
names are missing
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-267114366
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
NACK: DNS records page is broken
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-267106705

[Freeipa-devel] [freeipa PR#342][closed] [4.3] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
 Title: #342: [4.3] password policy: Add explicit default password policy for 
hosts and services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/342/head:pr342
git checkout pr342

[Freeipa-devel] [freeipa PR#342][comment] [4.3] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for 
hosts and services

dkupka commented:
"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/42263a5a729096135702c0b974f255a058c0cdaf
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/342#issuecomment-267095446

[Freeipa-devel] [freeipa PR#342][+pushed] [4.3] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for 
hosts and services

Label: +pushed

[Freeipa-devel] [freeipa PR#342][+ack] [4.3] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for 
hosts and services

Label: +ack

[Freeipa-devel] [freeipa PR#344][closed] [4.4] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
 Title: #344: [4.4] password policy: Add explicit default password policy for 
hosts and services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/344/head:pr344
git checkout pr344

[Freeipa-devel] [freeipa PR#344][+pushed] [4.4] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for 
hosts and services

Label: +pushed

[Freeipa-devel] [freeipa PR#344][comment] [4.4] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for 
hosts and services

dkupka commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/08e7af9f0f8acac3dcd8dde1eee53261e5d25f1f
https://fedorahosted.org/freeipa/changeset/171bc3e6853f905184584e414cefa4f7296c02ea
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/344#issuecomment-267094656

[Freeipa-devel] [freeipa PR#343][comment] [4.3] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

mbasti-rh commented:
"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/278d7cf4708f1c6ac05d5fcb21db582d9aa7bab3
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/343#issuecomment-267093601

[Freeipa-devel] [freeipa PR#343][+ack] [4.3] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

Label: +ack

[Freeipa-devel] [freeipa PR#343][closed] [4.3] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/343
Author: mbasti-rh
 Title: #343: [4.3] certprofile-mod: correctly authorise config update
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/343/head:pr343
git checkout pr343

[Freeipa-devel] [freeipa PR#343][+pushed] [4.3] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

Label: +pushed

[Freeipa-devel] [freeipa PR#340][synchronized] schema_cache: Make handling of string compatible with python3

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/340
Author: dkupka
 Title: #340: schema_cache: Make handling of string compatible with python3
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/340/head:pr340
git checkout pr340
From 2f4982ed1255ce56fb56cf23671d85ce0b28cc6b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 14 Dec 2016 17:19:52 +0100
Subject: [PATCH] schema_cache: Make handling of string compatible with python3

https://fedorahosted.org/freeipa/ticket/6559
---
 ipaclient/remote_plugins/schema.py | 22 +-
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 02364ca..15c03f4 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -6,6 +6,7 @@
 import contextlib
 import errno
 import fcntl
+import io
 import json
 import os
 import sys
@@ -373,7 +374,7 @@ def __init__(self, client, fingerprint=None):
 self._dict = {}
 self._namespaces = {}
 self._help = None
-self._file = six.StringIO()
+self._file = six.BytesIO()
 
 for ns in self.namespaces:
 self._dict[ns] = {}
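Review bot: `self._file = six.BytesIO()` in `__init__` can be `io.BytesIO()` now that this patch imports `io`. It behaves the same on Python 2 and 3 and keeps the buffer type consistent with the `io.open` call introduced further down, instead of depending on which class `six` maps the name to.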
@@ -407,7 +408,7 @@ def __init__(self, client, fingerprint=None):
 def _open(self, filename, mode):
 path = os.path.join(self._DIR, filename)
 
-with open(path, mode) as f:
+with io.open(path, mode) as f:
 if mode.startswith('r'):
 fcntl.flock(f, fcntl.LOCK_SH)
 else:
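Review bot: in `_open`, `io.open(path, mode)` runs before the `fcntl.flock` call, so a truncating write mode such as the `'wb'` that `_write_schema` passes later in this patch empties the cache file before any lock is held, and a reader that holds `LOCK_SH` at that moment can see an empty file. Consider opening the file without truncation, taking the lock, and only then truncating it.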
@@ -454,7 +455,7 @@ def _fetch(self, client, ignore_cache=False):
 
 def _read_schema(self, fingerprint):
 self._file.truncate(0)
-with self._open(fingerprint, 'r') as f:
+with self._open(fingerprint, 'rb') as f:
 self._file.write(f.read())
 
 with zipfile.ZipFile(self._file, 'r') as schema:
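Review bot: in `_read_schema`, `self._file.truncate(0)` does not move the stream position on Python 3, where `six.BytesIO` is `io.BytesIO`, so if the buffer was read or written earlier the following `self._file.write(f.read())` starts at the old offset and pads the front of the buffer with zero bytes. Add `self._file.seek(0)` before the truncate.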
@@ -504,21 +505,24 @@ def _write_schema(self, fingerprint):
 ns = value
 for member in ns:
 path = '{}/{}'.format(key, member)
-schema.writestr(path, json.dumps(ns[member]))
+schema.writestr(path,
+json.dumps(ns[member]).encode('utf-8'))
 else:
-schema.writestr(key, json.dumps(value))
+schema.writestr(key, json.dumps(value).encode('utf-8'))
 
-schema.writestr('_help',
-json.dumps(self._generate_help(self._dict)))
+schema.writestr(
+'_help',
+json.dumps(self._generate_help(self._dict)).encode('utf-8')
+)
 
 self._file.seek(0)
-with self._open(fingerprint, 'w') as f:
+with self._open(fingerprint, 'wb') as f:
 f.truncate(0)
 f.write(self._file.read())
 
 def _read(self, path):
 with zipfile.ZipFile(self._file, 'r') as zf:
-return json.loads(zf.read(path))
+return json.loads(zf.read(path).decode('utf-8'))
 
 def read_namespace_member(self, namespace, member):
 value = self._dict[namespace][member]
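Review bot: `_write_schema` now repeats `json.dumps(...).encode('utf-8')` three times and `_read` carries the matching `.decode('utf-8')`, so the encoding is spelled out in four places. A small pair of helpers for dumping to bytes and loading from bytes would keep the write and read sides from drifting apart.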

[Freeipa-devel] [freeipa PR#341][+pushed] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

Label: +pushed

[Freeipa-devel] [freeipa PR#341][comment] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fec4c32ff15a96736740cf7d2f713a21af0b227e
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/c12a52f0d78b30931713a3548b22e799d41f3622
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/341#issuecomment-267093122

[Freeipa-devel] [freeipa PR#341][closed] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/341
Author: mbasti-rh
 Title: #341: certprofile-mod: correctly authorise config update
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/341/head:pr341
git checkout pr341

[Freeipa-devel] [freeipa PR#341][+ack] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

Label: +ack

[Freeipa-devel] [freeipa PR#344][+ack] [4.4] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for 
hosts and services

Label: +ack

[Freeipa-devel] [freeipa PR#344][edited] [4.4] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
 Title: #344: [4.4] password policy: Add explicit default password policy for 
hosts and services
Action: edited

 Changed field: title
Original value:
"""
 password policy: Add explicit default password policy for hosts and services
"""


[Freeipa-devel] [freeipa PR#344][opened] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
 Title: #344:  password policy: Add explicit default password policy for hosts 
and services
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/344/head:pr344
git checkout pr344
From 2d0333dace7884e7050bb99cd682d3cc1d401482 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH 1/2] password policy: Add explicit default password policy for
 hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561
---
 install/updates/20-default_password_policy.update | 133 ++
 install/updates/Makefile.am   |   1 +
 ipaserver/install/service.py  |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 100
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: 
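Review bot: the comment above the CoS entries says `cosPriority` is intentionally set higher than the FreeIPA API allows, but neither that comment nor the template entry with `default:cosPriority: 100` states what the API limit is, so a reader cannot check the claim or notice if the limit changes later. State the maximum in the comment. The comment on the Kerberos policy container also has a typo, `sevice`.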

[Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/397f2be9dfd6475127742c0b710b37b443d97d67
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/335#issuecomment-267088796

[Freeipa-devel] [freeipa PR#335][closed] Add compatibility code to retrieve headers

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/335
Author: simo5
 Title: #335: Add compatibility code to retrieve headers
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/335/head:pr335
git checkout pr335

[Freeipa-devel] [freeipa PR#335][+pushed] Add compatibility code to retrieve headers

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

Label: +pushed

[Freeipa-devel] [freeipa PR#335][+ack] Add compatibility code to retrieve headers

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

Label: +ack

[Freeipa-devel] [freeipa PR#338][+pushed] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/338
Title: #338:  password policy: Add explicit default password policy for hosts 
and services

Label: +pushed

[Freeipa-devel] [freeipa PR#338][closed] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/338
Author: dkupka
 Title: #338:  password policy: Add explicit default password policy for hosts 
and services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/338/head:pr338
git checkout pr338

[Freeipa-devel] [freeipa PR#338][comment] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/338
Title: #338:  password policy: Add explicit default password policy for hosts 
and services

dkupka commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6f1d927467e7907fd1991f88388d96c67c9bff61
https://fedorahosted.org/freeipa/changeset/b1a20599c4f9fdcd208998694185b65460126703
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/338#issuecomment-267086391

[Freeipa-devel] [freeipa PR#342][edited] [4.3] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
 Title: #342: [4.3] password policy: Add explicit default password policy for 
hosts and services
Action: edited

 Changed field: title
Original value:
"""
password policy: Add explicit default password policy for hosts and services
"""


[Freeipa-devel] [freeipa PR#343][opened] [4.3] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/343
Author: mbasti-rh
 Title: #343: [4.3] certprofile-mod: correctly authorise config update
Action: opened

PR body:
"""
Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/343/head:pr343
git checkout pr343
From 2b5ce7bd98585a76ce745a027ea8226d34be940b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update

Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560
---
 ipalib/plugins/certprofile.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index ce56ec2..3afcb18 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -326,6 +326,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
 reason=_('Certificate profiles cannot be renamed'))
 if 'file' in options:
+# ensure operator has permission to update a certprofile
+if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+raise errors.ACIError(info=_(
+"Insufficient privilege to modify a certificate profile."))
+
 with self.api.Backend.ra_certprofile as profile_api:
 profile_api.disable_profile(keys[0])
 try:
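Review bot: the new check inside `if 'file' in options:` decides the whole authorisation on write access to one attribute, `ldap.can_write(dn, 'ipacertprofilestoreissued')`, and the comment above it does not say why that attribute stands in for permission to modify a certprofile. Extend the comment to explain the choice, and consider a test that calls certprofile-mod with `file` as an unprivileged operator and expects `errors.ACIError` before `disable_profile` is reached.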

[Freeipa-devel] [freeipa PR#339][comment] freeipa-4.4.3: update translations

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/339
Title: #339: freeipa-4.4.3: update translations

martbab commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/2a2652187eaddec5d2a9cd757cec5874597213bc
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/339#issuecomment-267084622
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#339][+pushed] freeipa-4.4.3: update translations

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/339
Title: #339: freeipa-4.4.3: update translations

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#339][closed] freeipa-4.4.3: update translations

2016-12-14 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/339
Author: mbasti-rh
 Title: #339: freeipa-4.4.3: update translations
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/339/head:pr339
git checkout pr339

[Freeipa-devel] [freeipa PR#339][+ack] freeipa-4.4.3: update translations

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/339
Title: #339: freeipa-4.4.3: update translations

Label: +ack

[Freeipa-devel] [freeipa PR#338][+ack] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/338
Title: #338:  password policy: Add explicit default password policy for hosts 
and services

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#342][opened] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
 Title: #342: password policy: Add explicit default password policy for hosts 
and services
Action: opened

PR body:
"""
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/342/head:pr342
git checkout pr342
From 3d98a72cbccb182b745c05ece6ed9802370c782b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
 hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561
---
 install/updates/20-default_password_policy.update | 133 ++
 install/updates/Makefile.am   |   1 +
 ipaserver/install/service.py  |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 100
+default:krbPwdPolicyReference: cn=Default Host Password 
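
Review bot: The comment above the CoS templates says cosPriority is "set intentionally to higher number than FreeIPA API allows", but `cosPriority: 100` is given without stating what that API limit is. Name the limit (or where it is defined) in the comment, so that a later change to the API's allowed range does not quietly let a user-defined policy rank below these defaults. Separately, "sevice" in the "kerberos policy container" comment should read "service".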

[Freeipa-devel] [freeipa PR#341][opened] certprofile-mod: correctly authorise config update

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/341
Author: mbasti-rh
 Title: #341: certprofile-mod: correctly authorise config update
Action: opened

PR body:
"""
Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/341/head:pr341
git checkout pr341
From 3b64673de8309bdd98171c4e23d1b177e855e033 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update

Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560
---
 ipaserver/plugins/certprofile.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
index f446607..2bd3311 100644
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@@ -310,6 +310,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
 reason=_('Certificate profiles cannot be renamed'))
 if 'file' in options:
+# ensure operator has permission to update a certprofile
+if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+raise errors.ACIError(info=_(
+"Insufficient privilege to modify a certificate profile."))
+
 with self.api.Backend.ra_certprofile as profile_api:
 profile_api.disable_profile(keys[0])
 try:
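
Review bot: The new check in the `if 'file' in options:` branch uses write access to a single attribute, `ipacertprofilestoreissued`, as the test for "may modify a certificate profile", and the comment does not say why that attribute stands in for the whole object. Extend the comment to explain the choice, and add a regression test that runs certprofile-mod with a profile file as an operator who lacks the permission and expects `ACIError` before any Dogtag call is made; the diffstat shows only the five added lines in certprofile.py and no test.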

[Freeipa-devel] [freeipa PR#340][opened] schema_cache: Make handling of string compatible with python3

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/340
Author: dkupka
 Title: #340: schema_cache: Make handling of string compatible with python3
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6559
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/340/head:pr340
git checkout pr340
From 0ca08b5a65c3985ed1288029042fcf15bde7e513 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 14 Dec 2016 17:19:52 +0100
Subject: [PATCH] schema_cache: Make handling of string compatible with python3

https://fedorahosted.org/freeipa/ticket/6559
---
 ipaclient/remote_plugins/schema.py | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 02364ca..7b0d2ec 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -6,6 +6,7 @@
 import contextlib
 import errno
 import fcntl
+import io
 import json
 import os
 import sys
@@ -373,7 +374,7 @@ def __init__(self, client, fingerprint=None):
 self._dict = {}
 self._namespaces = {}
 self._help = None
-self._file = six.StringIO()
+self._file = six.BytesIO()
 
 for ns in self.namespaces:
 self._dict[ns] = {}
@@ -407,7 +408,7 @@ def __init__(self, client, fingerprint=None):
 def _open(self, filename, mode):
 path = os.path.join(self._DIR, filename)
 
-with open(path, mode) as f:
+with io.open(path, mode) as f:
 if mode.startswith('r'):
 fcntl.flock(f, fcntl.LOCK_SH)
 else:
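
Review bot: `io.open(path, mode)` runs before either `fcntl.flock` call, so for a write mode the open has already truncated the file by the time the lock in the `else:` branch is taken, and a reader that takes LOCK_SH in that window sees an empty cache file. `_write_schema` calls `f.truncate(0)` itself once inside the `with` block, so since this line is being touched anyway, consider opening in a mode that does not truncate and leaving the truncation to happen under the lock.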
@@ -454,7 +455,7 @@ def _fetch(self, client, ignore_cache=False):
 
 def _read_schema(self, fingerprint):
 self._file.truncate(0)
-with self._open(fingerprint, 'r') as f:
+with self._open(fingerprint, 'rb') as f:
 self._file.write(f.read())
 
 with zipfile.ZipFile(self._file, 'r') as schema:
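
Review bot: In `_read_schema`, `self._file.truncate(0)` is not followed by `self._file.seek(0)`. With `_file` now a BytesIO, truncate() on Python 3 shrinks the buffer but leaves the stream position where it was, so if the buffer has been written or read before, `self._file.write(f.read())` starts at the old offset and the archive data ends up preceded by zero bytes. Add a `seek(0)` right after the truncate.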
@@ -504,21 +505,21 @@ def _write_schema(self, fingerprint):
 ns = value
 for member in ns:
 path = '{}/{}'.format(key, member)
-schema.writestr(path, json.dumps(ns[member]))
+schema.writestr(path, json.dumps(ns[member]).encode('utf-8'))
 else:
-schema.writestr(key, json.dumps(value))
+schema.writestr(key, json.dumps(value).encode('utf-8'))
 
 schema.writestr('_help',
-json.dumps(self._generate_help(self._dict)))
+json.dumps(self._generate_help(self._dict)).encode('utf-8'))
 
 self._file.seek(0)
-with self._open(fingerprint, 'w') as f:
+with self._open(fingerprint, 'wb') as f:
 f.truncate(0)
 f.write(self._file.read())
 
 def _read(self, path):
 with zipfile.ZipFile(self._file, 'r') as zf:
-return json.loads(zf.read(path))
+return json.loads(zf.read(path).decode('utf-8'))
 
 def read_namespace_member(self, namespace, member):
 value = self._dict[namespace][member]
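
Review bot: `_write_schema` now repeats `json.dumps(...).encode('utf-8')` at three call sites and `_read` carries the matching `.decode('utf-8')`. A pair of small module-level helpers for "dump to bytes" and "load from bytes" would keep the encoding choice in one place and shorten the `schema.writestr('_help', ...)` call.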

[Freeipa-devel] [freeipa PR#339][edited] freeipa-4.4.3: update translations

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/339
Author: mbasti-rh
 Title: #339: freeipa-4.4.3: update translations
Action: edited

 Changed field: body
Original value:
"""

"""


[Freeipa-devel] [freeipa PR#338][opened] password policy: Add explicit default password policy for hosts and services

2016-12-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/338
Author: dkupka
 Title: #338:  password policy: Add explicit default password policy for hosts 
and services
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/338/head:pr338
git checkout pr338
From 03f68b4829442ec734f04755c3426c76e3b9661d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH 1/2] password policy: Add explicit default password policy for
 hosts and services

Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.

https://fedorahosted.org/freeipa/ticket/6561
---
 install/updates/20-default_password_policy.update | 133 ++
 install/updates/Makefile.am   |   1 +
 ipaserver/install/service.py  |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 100
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: 
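
Review bot: In the hosts cosPointerDefinition, `cosAttribute: krbPwdPolicyReference default` uses the `default` qualifier, which supplies the CoS value only when the entry has no krbPwdPolicyReference of its own, while the commit message says the attribute is set "to all hosts". Say in the file comment that a reference stored on the entry itself takes precedence over this template, so the behaviour for hosts that already carry the attribute is documented.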

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

martbab commented:
"""
From Travis CI logs it looks like a correct branch was fetched this time.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-267069024

[Freeipa-devel] [freeipa PR#336][opened] [py3] pki: add missing dependency pki-base[-python3]

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/336
Author: mbasti-rh
 Title: #336: [py3] pki: add missing dependency pki-base[-python3]
Action: opened

PR body:
"""
FreeIPA server modules require the pki module

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336
From 34c9eb22938c82f20f2faa40d2c5e4ff8ac853b7 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 12:28:25 +0100
Subject: [PATCH] [py3]pki: add missing dependency pki-base[-python3]

FreeIPA server modules require the pki module

https://fedorahosted.org/freeipa/ticket/4985
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..cacab43 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -297,6 +297,7 @@ Requires: dbus-python
 Requires: python-dns >= 1.13
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
+Requires: pki-base >= 10.3.5-6
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
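
Review bot: `Requires: pki-base >= 10.3.5-6` is added without a comment saying what that release provides. Add a one-line comment above it giving the reason for the floor, and the same for the `pki-base-python3` line in the python3-ipaserver section, so the pin can be revisited later.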
@@ -326,6 +327,7 @@ Requires: python3-dbus
 Requires: python3-dns >= 1.11.1
 Requires: python3-kdcproxy >= 0.3
 Requires: rpm-libs
+Requires: pki-base-python3 >= 10.3.5-6
 
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,

[Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

mbasti-rh commented:
"""
Works for me, just waiting for travis :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/335#issuecomment-267055413

[Freeipa-devel] [freeipa PR#335][opened] Add compatibility code to retrieve headers

2016-12-14 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/335
Author: simo5
 Title: #335: Add compatibility code to retrieve headers
Action: opened

PR body:
"""
The recent fixes for getting cookies from headers broke python3.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/335/head:pr335
git checkout pr335
From a118d6f3dcd31102e0f5e5b6a0c962b811290bfb Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 14 Dec 2016 06:20:15 -0500
Subject: [PATCH] Add compatibility code to retrieve headers

Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.

https://fedorahosted.org/freeipa/ticket/6558

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index bd25e6f..921f5cb 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -729,7 +729,11 @@ def store_session_cookie(self, cookie_header):
 pass
 
 def parse_response(self, response):
-self.store_session_cookie(response.msg.getheaders('Set-Cookie'))
+if six.PY2:
+header = response.msg.getheaders('Set-Cookie')
+else:
+header = response.msg.get_all('Set-Cookie')
+self.store_session_cookie(header)
 return SSLTransport.parse_response(self, response)
 
 
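
Review bot: In the `else:` branch, `response.msg.get_all('Set-Cookie')` returns None when the response carries no Set-Cookie header, whereas the Python 2 `getheaders('Set-Cookie')` call returns an empty list. Pass a default, `get_all('Set-Cookie', [])`, or confirm that `store_session_cookie` accepts None, so both branches hand it the same type.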

[Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
 Title: #334: Py3: Fix ToASCII method
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
From e5825f44dafc4fb96965fb90d2f0442846970a71 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 10:12:05 +0100
Subject: [PATCH 1/2] Py3: Fix ToASCII method

In Py2 the to_text method returns a Py2 non-unicode string, but in Py3 the to_text method
returns a Py3 default (unicode) string. So only in Py2 do we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5935
---
 freeipa.spec.in  | 20 ++--
 ipapython/dnsutil.py |  5 -
 ipasetup.py.in   |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..73210b7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -126,8 +126,8 @@ BuildRequires:  python-memcached
 BuildRequires:  python-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python-yubico
 # pki Python package
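
Review bot: The replaced comment drops the reason for the previous floor ("1.13: python-dns URI record support"), and the new text, "PY3 support (many improvements)", is attached to the Python 2 `python-dns` BuildRequires as well. Keep the URI record note alongside the new one and name the specific 1.15 behaviour the code relies on.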
@@ -163,8 +163,8 @@ BuildRequires:  python3-memcached
 BuildRequires:  python3-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python3-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python3-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
 # 10.2.1: crypto.NSSCryptoProvider(password_file)
@@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0
 Requires: python-sssdconfig
 Requires: python-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
 Requires: python3-pyasn1
 Requires: python3-dbus
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -482,7 +482,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -504,7 +504,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -598,7 +598,7 @@ Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
 Requires: python-custodia
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -648,7 +648,7 @@ Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-custodia
 Requires: python3-requests
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyusb
 
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 16549c8..ba0f0aa 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -71,7 +71,10 @@ def __str__(self):
 
 def ToASCII(self):
 #method named by RFC 3490 and python standard library
-return self.to_text().decode('ascii')  # must be unicode string
+res = self.to_text()
+if six.PY2:
+return res.decode('ascii')  # must be unicode string in Python 2
+return res
 
 def canonicalize(self):
 return DNSName(super(DNSName, self).canonicalize())
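
Review bot: `ToASCII` now references `six.PY2`, but this is the only hunk for ipapython/dnsutil.py and it adds no `import six`. Confirm the module already imports six; if it does not, the method raises NameError on its first call.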
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 6a33fb8..c221e0d 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 1.3.1',
-'dnspython': 'dnspython >= 1.13',
+'dnspython': 'dnspython >= 1.15',
 'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == {}'.format(VERSION),
 'ipalib': 'ipalib == {}'.format(VERSION),

From d110bd8fd42e1546f8c8de2fe755b482d1b2cfdd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 12:09:34 +0100
Subject: [PATCH 2/2] zonemgr_callback: py3 fix

str and bytes cannot be concatenated in Py3

https://fedorahosted.org/freeipa/ticket/5990
---
 ipapython/dnsutil.py  | 4 +++-
 ipaserver/install/bindinstance.py | 4 ++--
 2 files 

[Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method

2016-12-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

tiran commented:
"""
I left a comment
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/334#issuecomment-267039776

[Freeipa-devel] [freeipa PR#333][synchronized] Remove named-pkcs11 workarounds from DNSSEC tests.

2016-12-14 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/333
Author: pspacek
 Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/333/head:pr333
git checkout pr333
From c433291234be6f1d51197b94bdaf8202c342b663 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 13 Dec 2016 16:43:52 +0100
Subject: [PATCH] Remove named-pkcs11 workarounds from DNSSEC tests.

As far as I can tell the tests have been passing for some time in Jenkins, so
maybe a bug in some underlying component was fixed. Let's remove the
workarounds to make the tests actually test real setups.

https://fedorahosted.org/freeipa/ticket/5348
---
 ipatests/test_integration/test_dnssec.py | 82 
 1 file changed, 82 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 56380dd..1ffa268 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -6,7 +6,6 @@
 import dns.resolver
 import dns.name
 import time
-import pytest
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
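
Review bot: `import pytest` is dropped here because the xfail test goes away, but `import time` stays in the context lines while the removed class held a `time.sleep(10)` call. Check whether `time` is still used elsewhere in the module and drop that import too if it is not.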
@@ -106,7 +105,6 @@ def test_if_zone_is_signed_master(self):
 ]
 self.master.run_command(args)
 
-tasks.restart_named(self.master, self.replicas[0])
 # test master
 assert wait_until_record_is_signed(
 self.master.ip, test_zone, self.log, timeout=100
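
Review bot: With `tasks.restart_named(self.master, self.replicas[0])` removed, `wait_until_record_is_signed(..., timeout=100)` is the only thing covering the delay before the zone is signed, and the commit message names no component or version in which the underlying bug was fixed. Record the package version the tests now assume, in the commit message or in a comment, so that a failure on an older setup is recognisable as the old bug rather than a new regression.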
@@ -127,7 +125,6 @@ def test_if_zone_is_signed_replica(self):
 ]
 self.replicas[0].run_command(args)
 
-tasks.restart_named(self.replicas[0])
 # test replica
 assert wait_until_record_is_signed(
 self.replicas[0].ip, test_zone_repl, self.log, timeout=300
@@ -173,7 +170,6 @@ def test_disable_reenable_signing_master(self):
 ]
 self.master.run_command(args)
 
-tasks.restart_named(self.master)
 # test master
 assert wait_until_record_is_signed(
 self.master.ip, test_zone, self.log, timeout=100
@@ -221,8 +217,6 @@ def test_disable_reenable_signing_replica(self):
 ]
 self.master.run_command(args)
 
-tasks.restart_named(self.master, self.replicas[0])
-
 # test master
 assert wait_until_record_is_signed(
 self.master.ip, test_zone_repl, self.log, timeout=100
@@ -238,77 +232,6 @@ def test_disable_reenable_signing_replica(self):
 assert dnskey_old != dnskey_new, "DNSKEY should be different"
 
 
-class TestZoneSigningWithoutNamedRestart(IntegrationTest):
-"""Test whether https://fedorahosted.org/freeipa/ticket/5348 is already
-fixed. If the issue is not fixed, the test will expectedly fail. When
-fixed, it will pass, which will cause the whole run to become "red"
-"""
-num_replicas = 1
-topology = 'star'
-
-@classmethod
-def install(cls, mh):
-tasks.install_master(cls.master, setup_dns=False)
-args = [
-"ipa-dns-install",
-"--dnssec-master",
-"--forwarder", cls.master.config.dns_forwarder,
-"-U",
-]
-cls.master.run_command(args)
-
-tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
-
-# backup trusted key
-tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
-tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
-
-@classmethod
-def uninstall(cls, mh):
-# restore trusted key
-tasks.restore_files(cls.master)
-tasks.restore_files(cls.replicas[0])
-
-super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh)
-
-@pytest.mark.xfail(strict=True)
-def test_sign_root_zone_no_named_restart(self):
-args = [
-"ipa", "dnszone-add", root_zone, "--dnssec", "true",
-"--skip-overlap-check",
-]
-self.master.run_command(args)
-
-# make BIND happy: add the glue record and delegate zone
-args = [
-"ipa", "dnsrecord-add", root_zone, self.master.hostname,
-"--a-rec=" + self.master.ip
-]
-self.master.run_command(args)
-args = [
-"ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname,
-"--a-rec=" + self.replicas[0].ip
-]
-self.master.run_command(args)
-
-time.sleep(10)  # sleep a bit until data are provided by bind-dyndb-ldap
-
-args = [
-"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
-"--ns-rec=" + self.master.hostname
-]
-self.master.run_command(args)
-# test master
-assert wait_until_record_is_signed(
-self.master.ip, root_zone, self.log, timeout=100
-), "Zone %s is not signed (master)" % root_zone
-
-# test replica
-assert 

[Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d841a79dc104521f736469eff7154c2f4266082b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/6ef666ed12fd73026f0f1d49faba152ae27d6082
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/313#issuecomment-267003891

[Freeipa-devel] [freeipa PR#313][+pushed] ipaclient.plugins: Use api_version from internally called commands

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands

Label: +pushed

[Freeipa-devel] [freeipa PR#313][closed] ipaclient.plugins: Use api_version from internally called commands

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/313
Author: dkupka
 Title: #313: ipaclient.plugins: Use api_version from internally called commands
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/313/head:pr313
git checkout pr313

[Freeipa-devel] [freeipa PR#329][+rejected] experiment: did pull/177 break ci?

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/329
Title: #329: experiment: did pull/177 break ci?

Label: +rejected

[Freeipa-devel] [freeipa PR#334][edited] Py3: Fix ToASCII method

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
 Title: #334: Py3: Fix ToASCII method
Action: edited

 Changed field: body
Original value:
"""
In Py2 the to_text method returns a Py2 non-unicode string, but in Py3 the to_text method
returns a Py3 default (unicode) string. So only in Py2 do we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5887
"""


[Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
 Title: #334: Py3: Fix ToASCII method
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
From e5825f44dafc4fb96965fb90d2f0442846970a71 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 10:12:05 +0100
Subject: [PATCH] Py3: Fix ToASCII method

In Py2 the to_text method returns a Py2 non-unicode string, but in Py3 the to_text method
returns a Py3 default (unicode) string. So only in Py2 do we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5935
---
 freeipa.spec.in  | 20 ++--
 ipapython/dnsutil.py |  5 -
 ipasetup.py.in   |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..73210b7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -126,8 +126,8 @@ BuildRequires:  python-memcached
 BuildRequires:  python-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python-yubico
 # pki Python package
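Review bot: the replacement comment `# 1.15: python-dns PY3 support (many improvements)` does not say which behaviour the code depends on, unlike the `URI record support` comment it replaces; name the specific dnspython change that requires 1.15. The same minimum is also raised for the Python 2 `python-dns` BuildRequires in this hunk, although the stated reason is Python 3 only, so either justify that or keep the Python 2 minimum at 1.13.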
@@ -163,8 +163,8 @@ BuildRequires:  python3-memcached
 BuildRequires:  python3-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python3-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python3-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
 # 10.2.1: crypto.NSSCryptoProvider(password_file)
@@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0
 Requires: python-sssdconfig
 Requires: python-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
 Requires: python3-pyasn1
 Requires: python3-dbus
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -482,7 +482,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -504,7 +504,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -598,7 +598,7 @@ Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
 Requires: python-custodia
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -648,7 +648,7 @@ Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-custodia
 Requires: python3-requests
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyusb
 
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 16549c8..ba0f0aa 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -71,7 +71,10 @@ def __str__(self):
 
 def ToASCII(self):
 #method named by RFC 3490 and python standard library
-return self.to_text().decode('ascii')  # must be unicode string
+res = self.to_text()
+if six.PY2:
+return res.decode('ascii')  # must be unicode string in Python 2
+return res
 
 def canonicalize(self):
 return DNSName(super(DNSName, self).canonicalize())
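Review bot: the new branch references `six.PY2`, but this hunk is the only change to ipapython/dnsutil.py and it adds no import, so it works only if the module already imports `six`; please confirm that. Branching on the value instead of the interpreter, for example `if isinstance(res, bytes): return res.decode('ascii')`, would return text whatever type `to_text()` gives back and would not need `six` here.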
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 6a33fb8..c221e0d 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 1.3.1',
-'dnspython': 'dnspython >= 1.13',
+'dnspython': 'dnspython >= 1.15',
 'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == {}'.format(VERSION),
 'ipalib': 'ipalib == {}'.format(VERSION),

[Freeipa-devel] [freeipa PR#333][comment] Remove named-pkcs11 workarounds from DNSSEC tests.

2016-12-14 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

mbasti-rh commented:
"""
Please fix the issue reported by pylint
```
* Module ipatests.test_integration.test_dnssec
ipatests/test_integration/test_dnssec.py:9: [W0611(unused-import), ] Unused 
import pytest)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/333#issuecomment-267000804

[Freeipa-devel] [freeipa PR#334][opened] Py3: Fix ToASCII method

2016-12-14 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
 Title: #334: Py3: Fix ToASCII method
Action: opened

PR body:
"""
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5887
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
From 17c866c4b170f45a414a65a2dfc3bc85dbf3281c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 10:12:05 +0100
Subject: [PATCH] Py3: Fix ToASCII method

in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.

https://fedorahosted.org/freeipa/ticket/5887
---
 freeipa.spec.in  | 20 ++--
 ipapython/dnsutil.py |  5 -
 ipasetup.py.in   |  2 +-
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..73210b7 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -126,8 +126,8 @@ BuildRequires:  python-memcached
 BuildRequires:  python-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python-yubico
 # pki Python package
@@ -163,8 +163,8 @@ BuildRequires:  python3-memcached
 BuildRequires:  python3-lxml
 # 5.0.0: QRCode.print_ascii
 BuildRequires:  python3-qrcode-core >= 5.0.0
-# 1.13: python-dns URI record support
-BuildRequires:  python3-dns >= 1.13
+# 1.15: python-dns PY3 support (many improvements)
+BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
 # 10.2.1: crypto.NSSCryptoProvider(password_file)
@@ -294,7 +294,7 @@ Requires: python-gssapi >= 1.2.0
 Requires: python-sssdconfig
 Requires: python-pyasn1
 Requires: dbus-python
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -323,7 +323,7 @@ Requires: python3-gssapi >= 1.2.0
 Requires: python3-sssdconfig
 Requires: python3-pyasn1
 Requires: python3-dbus
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: rpm-libs
 
@@ -482,7 +482,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -504,7 +504,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -598,7 +598,7 @@ Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
 Requires: python-custodia
-Requires: python-dns >= 1.13
+Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -648,7 +648,7 @@ Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-custodia
 Requires: python3-requests
-Requires: python3-dns >= 1.11.1
+Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
 Requires: python3-pyusb
 
diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 16549c8..ba0f0aa 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -71,7 +71,10 @@ def __str__(self):
 
 def ToASCII(self):
 #method named by RFC 3490 and python standard library
-return self.to_text().decode('ascii')  # must be unicode string
+res = self.to_text()
+if six.PY2:
+return res.decode('ascii')  # must be unicode string in Python 2
+return res
 
 def canonicalize(self):
 return DNSName(super(DNSName, self).canonicalize())
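Review bot: nothing in this patch tests the new Python 3 path of `ToASCII` (the diffstat lists only freeipa.spec.in, ipapython/dnsutil.py and ipasetup.py.in); a small unit test asserting that `ToASCII()` returns a text string on both Python 2 and Python 3 would guard against a regression. On the `return res` line, a short comment matching the Python 2 one would make clear that the value is expected to be unicode already.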
diff --git a/ipasetup.py.in b/ipasetup.py.in
index 6a33fb8..c221e0d 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -64,7 +64,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 PACKAGE_VERSION = {
 'cryptography': 'cryptography >= 1.3.1',
-'dnspython': 'dnspython >= 1.13',
+'dnspython': 'dnspython >= 1.15',
 'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == {}'.format(VERSION),
 'ipalib': 'ipalib == {}'.format(VERSION),
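Review bot: the `'dnspython >= 1.15'` bump here, like the spec file changes, is not mentioned in the commit message, which only describes the `to_text` decode fix; add a sentence explaining why 1.15 is now the minimum, or move the version bump into its own commit so the ToASCII fix can be backported independently.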

[Freeipa-devel] [freeipa PR#330][closed] Build: forbid builds in working directories containing white spaces

2016-12-14 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/330
Author: pspacek
 Title: #330: Build: forbid builds in working directories containing white spaces
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/330/head:pr330
git checkout pr330

[Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/19aba7c555edf065b9f2fa95142da81b92396264
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/330#issuecomment-266981513

[Freeipa-devel] [freeipa PR#330][+pushed] Build: forbid builds in working directories containing white spaces

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

Label: +pushed

[Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

martbab commented:
"""
I agree that a safeguard that fails early is sufficient for this corner-case 
unless someone proves us otherwise. PRs are welcome in that case.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/330#issuecomment-266981383

[Freeipa-devel] [freeipa PR#330][+ack] Build: forbid builds in working directories containing white spaces

2016-12-14 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

Label: +ack

Re: [Freeipa-devel] Travis CI unexpected PEP8 errors

2016-12-14 Thread Martin Babinsky

On 12/14/2016 09:00 AM, Standa Laznicka wrote:

On 12/14/2016 02:53 AM, Ben Lipton wrote:

Hi all,

I'm pretty sure this is unrelated to the CI issues discussed in other
threads recently, but they reminded me that I've been having this odd
issue.

https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most
recent run on my pull request,
https://github.com/freeipa/freeipa/pull/10. For a while now, every
time the CI runs on my PR, it fails due to several PEP8 errors that
are not detected when I run `git diff master -U0 | pep8 --diff` on my
local copy. In fact, the errors are all in files not touched by my PR,
which doesn't make much sense to me based on the behavior of `git diff`.

I noticed that the top of the travis build says:

 - Commit 1f50550
 - #10: Client-side CSR autogeneration
 - Branch master

I'm not sure what the "commit" link actually means, but that commit
seems to have nothing to do with my PR nor the current master. Could
Travis be diffing against the wrong code? Or if not, do you have any
idea what might be causing these failures?

Thanks,
Ben


Hi Ben,

I was going through the Travis CI log of and noticed what might have
caused the issue:

$ cd freeipa/freeipa
$ git fetch origin +refs/pull/109/merge:

It seems that for your pull request #10 (and for some reason for your
pull request only), Travis fetched a different (old) pull request which
it then tried to merge with current master, hence the errors. I don't
think it was testing your code at all.

I do not have an explanation for this other than it might be a Travis
bug, CCing Martin for a better answer.

Standa


Yes indeed for some reason Travis fetches completely wrong PR for tests. 
I have no idea why it does this. I have tried to restart the build with 
the same results.


We will probably have to contact Travis support for this issue. In the 
meanwhile, can you prepare a separate PR from completely new branch with 
the same commits so that we can see if it catches up this time?


--
Martin^3 Babinsky
