[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer

2017-01-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

HonzaCholasta commented:
"""
Works for me, although you should probably keep the changes to `ipa-ca-install` 
from the original patch (using the `argparse` format, of course).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/209#issuecomment-270061547
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
* Dogtag certificates and RA certificate renewal is broken:
  ```
  ca-error: Server at "https://vm-226.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca/profileProcess; replied: 1: You did not provide a valid certificate for this operation
  ```
  This is because certmonger's `/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit` expects an `ipaCert` in `/etc/httpd/alias`.

* CA-less server install fails:
  ```
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
  ```
  2017-01-03T05:21:43Z DEBUG Starting external process
  2017-01-03T05:21:43Z DEBUG args=/usr/bin/certutil -d /var/lib/ipa/radb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
  2017-01-03T05:21:43Z DEBUG Process finished, return code=255
  2017-01-03T05:21:43Z DEBUG stdout=
  2017-01-03T05:21:43Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
  : PR_FILE_NOT_FOUND_ERROR: File not found
  ```
  If I work around the above, it fails further down with:
  ```
  trying https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json
  Forwarding 'schema' to json server 'https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json'
  No valid Negotiate header in server response
  The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    Configuration of client side components failed!
  ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
  ```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-270059781

[Freeipa-devel] [freeipa PR#362][comment] Clarify meaning of --domain and --realm in installers

2017-01-02 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/362
Title: #362: Clarify meaning of --domain and --realm in installers

frasertweedale commented:
"""
All of my comments from #352 were addressed.

@stlaz you were the only other person to review #352 and request changes, so I assume you have addressed those too, in which case: ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/362#issuecomment-270050075

[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology

2017-01-02 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/355
Author: frasertweedale
 Title: #355: Set up DS TLS on replica in CA-less topology
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/355/head:pr355
git checkout pr355
From d1ff655281116b0a74f5a1c5c491c3f2247317a4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 20 Dec 2016 23:29:22 +1000
Subject: [PATCH 1/2] Set up DS TLS on replica in CA-less topology

Fixes: https://fedorahosted.org/freeipa/ticket/6226
---
 ipaserver/install/dsinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index bcfcb05..2ac1041 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
-if self.ca_is_configured:
+if self.pkcs12_info:
+self.step("configuring ssl for ds instance", self.__enable_ssl)
+else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
 
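Review bot: the new `else:` branch drops the `self.ca_is_configured` guard that the removed `if self.ca_is_configured:` line provided, so a promoted replica with no `pkcs12_info` now always runs `self.step("retrieving DS Certificate", self.__get_ds_cert)`, whether or not a CA is actually available to issue the certificate. Consider `elif self.ca_is_configured:` (or an explicit check that exactly one of the two holds) so a replica that has neither a PKCS#12 bundle nor a CA fails with a clear message instead of deep inside `__get_ds_cert`.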

From 7e347d7641a29f9e94251adc97c15a8bcee70230 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 3 Jan 2017 12:04:20 +1000
Subject: [PATCH 2/2] dsinstance: minor string fixes

Fixes: https://fedorahosted.org/freeipa/ticket/6586
---
 ipaserver/install/dsinstance.py | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2ac1041..a0fdc4a 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -278,7 +278,7 @@ def __common_setup(self, enable_ssl=False):
 self.step("creating indices", self.__create_indices)
 self.step("enabling referential integrity plugin", self.__add_referint_module)
 if enable_ssl:
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 self.step("configuring certmap.conf", self.__certmap_conf)
 self.step("configure new location for managed entries", self.__repoint_managed_entries)
 self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
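Review bot: the step label "configuring TLS for DS instance" is now spelled out verbatim at three call sites in this file (`__common_setup` here, `enable_ssl` and `create_replica` in the following hunks); a single module-level constant would keep the wording from drifting again, which is exactly what this patch is correcting. The label is also user-visible installer output, so any test fixture or log scraping that matches the old "configuring ssl for ds instance" needs the same update.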
@@ -351,7 +351,7 @@ def create_instance(self, realm_name, fqdn, domain_name,
 def enable_ssl(self):
 self.steps = []
 
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 self.step("restarting directory server", self.__restart_instance)
 self.step("adding CA certificate entry", self.__upload_ca_cert)
 
@@ -391,7 +391,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
 if self.pkcs12_info:
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
@@ -559,9 +559,9 @@ def __create_instance(self):
 root_logger.debug("calling setup-ds.pl")
 try:
 ipautil.run(args)
-root_logger.debug("completed creating ds instance")
+root_logger.debug("completed creating DS instance")
 except ipautil.CalledProcessError as e:
-raise RuntimeError("failed to create ds instance %s" % e)
+raise RuntimeError("failed to create DS instance %s" % e)
 
 # check for open port 389 from now on
 self.open_ports.append(389)
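Review bot: the `RuntimeError("failed to create DS instance %s" % e)` text runs the message straight into the wrapped `CalledProcessError` output with no separator ("failed to create DS instance Command '...' returned ..."); while this line is being touched, `"failed to create DS instance: %s"` reads better in the install log.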
@@ -1024,7 +1024,8 @@ def uninstall(self):
 try:
 services.knownservices.dirsrv.restart(ds_instance, wait=False)
 except Exception as e:
-root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
+root_logger.error(
+'Unable to restart DS instance %s: %s', ds_instance, e)
 
 def stop_tracking_certificates(self, serverid=None):
 if serverid is None:

[Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology

2017-01-02 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/355
Author: frasertweedale
 Title: #355: Set up DS TLS on replica in CA-less topology
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/355/head:pr355
git checkout pr355
From d1ff655281116b0a74f5a1c5c491c3f2247317a4 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 20 Dec 2016 23:29:22 +1000
Subject: [PATCH 1/2] Set up DS TLS on replica in CA-less topology

Fixes: https://fedorahosted.org/freeipa/ticket/6226
---
 ipaserver/install/dsinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index bcfcb05..2ac1041 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -390,7 +390,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
-if self.ca_is_configured:
+if self.pkcs12_info:
+self.step("configuring ssl for ds instance", self.__enable_ssl)
+else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
 
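Review bot: this hunk introduces the line `self.step("configuring ssl for ds instance", self.__enable_ssl)` in `create_replica`, and the very next patch in the same series rewrites that same line to "configuring TLS for DS instance"; squashing the wording fix for this one line into patch 1 would keep patch 2 purely cosmetic and avoid adding a string only to change it again one commit later.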

From 4780278fd3006187ca809f60b5f397c8d2dd6187 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 3 Jan 2017 12:04:20 +1000
Subject: [PATCH 2/2] dsinstance: minor string fixes

Fixes: https://fedorahosted.org/freeipa/ticket/6586
---
 ipaserver/install/dsinstance.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 2ac1041..5b0d91c 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -278,7 +278,7 @@ def __common_setup(self, enable_ssl=False):
 self.step("creating indices", self.__create_indices)
 self.step("enabling referential integrity plugin", self.__add_referint_module)
 if enable_ssl:
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 self.step("configuring certmap.conf", self.__certmap_conf)
 self.step("configure new location for managed entries", self.__repoint_managed_entries)
 self.step("configure dirsrv ccache", self.configure_dirsrv_ccache)
@@ -351,7 +351,7 @@ def create_instance(self, realm_name, fqdn, domain_name,
 def enable_ssl(self):
 self.steps = []
 
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 self.step("restarting directory server", self.__restart_instance)
 self.step("adding CA certificate entry", self.__upload_ca_cert)
 
@@ -391,7 +391,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 self.step("creating DS keytab", self._request_service_keytab)
 if self.promote:
 if self.pkcs12_info:
-self.step("configuring ssl for ds instance", self.__enable_ssl)
+self.step("configuring TLS for DS instance", self.__enable_ssl)
 else:
 self.step("retrieving DS Certificate", self.__get_ds_cert)
 self.step("restarting directory server", self.__restart_instance)
@@ -559,9 +559,9 @@ def __create_instance(self):
 root_logger.debug("calling setup-ds.pl")
 try:
 ipautil.run(args)
-root_logger.debug("completed creating ds instance")
+root_logger.debug("completed creating DS instance")
 except ipautil.CalledProcessError as e:
-raise RuntimeError("failed to create ds instance %s" % e)
+raise RuntimeError("failed to create DS instance %s" % e)
 
 # check for open port 389 from now on
 self.open_ports.append(389)
@@ -1024,7 +1024,7 @@ def uninstall(self):
 try:
 services.knownservices.dirsrv.restart(ds_instance, wait=False)
 except Exception as e:
-root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
+root_logger.error('Unable to restart DS instance %s: %s', ds_instance, e)
 
 def stop_tracking_certificates(self, serverid=None):
 if serverid is None:
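Review bot: the replacement line `root_logger.error('Unable to restart DS instance %s: %s', ds_instance, e)` is about 73 characters before any indentation, so inside the `except` block of `uninstall()` it will run past 79 columns and trip pycodestyle; since the only change is `ds` to `DS`, wrap the arguments onto a continuation line while touching it.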

[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:

2017-01-02 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/361
Title: #361: This PR implements a number of improvements for our Travis CI:

martbab commented:
"""
Bump for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/361#issuecomment-269991386

[Freeipa-devel] [freeipa PR#362][synchronized] Clarify meaning of --domain and --realm in installers

2017-01-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/362
Author: stlaz
 Title: #362: Clarify meaning of --domain and --realm in installers
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/362/head:pr362
git checkout pr362
From c3232015baf2f519bd887f2f70082e031a1a31cd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 2 Jan 2017 13:22:07 +0100
Subject: [PATCH] Clarify meaning of --domain and --realm in installers

Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574
---
 client/man/ipa-client-install.1 | 31 ++---
 install/tools/man/ipa-dns-install.1 | 27 --
 install/tools/man/ipa-replica-install.1 | 38 ++
 install/tools/man/ipa-server-install.1  | 41 +
 ipalib/install/service.py   |  6 +++--
 5 files changed, 64 insertions(+), 79 deletions(-)

diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 9ae0b8b..319952c 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -1,22 +1,7 @@
 .\" A man page for ipa-client-install
-.\" Copyright (C) 2008 Red Hat, Inc.
+.\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
 .\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation, either version 3 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-.\" General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program.  If not, see .
-.\"
-.\" Author: Rob Crittenden 
-.\"
-.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-client\-install \- Configure an IPA client
 .SH "SYNOPSIS"
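Review bot: besides the `.TH` date bump, this hunk deletes the GPL notice and the `Author: Rob Crittenden` line from the man page header in favour of a pointer to COPYING; that is a licensing and attribution change unrelated to the `--domain`/`--realm` wording the commit message describes, and should either be mentioned in the message or split into its own commit so it can be reviewed on its own. Also the new `.TH` date "Dec 19 2016" predates the commit date (Mon, 2 Jan 2017).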
@@ -84,13 +69,21 @@ Consequences of the re\-enrollment on the host entry:
 .SS "BASIC OPTIONS"
 .TP
 \fB\-\-domain\fR=\fIDOMAIN\fR
-Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased name of an IPA Kerberos realm name.
+
+When no \-\-server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+
+The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value.
 .TP
 \fB\-\-server\fR=\fISERVER\fR
 Set the FQDN of the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
+
+Under normal circumstances, this option is not needed as the list of servers is retrieved from the primary IPA DNS domain.
 .TP
 \fB\-\-realm\fR=\fIREALM_NAME\fR
-Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
+The Kerberos realm of an existing IPA deployment. Usually it is an upper-cased name of the primary DNS domain used by the IPA installation.
+
+Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
 .TP
 \fB\-\-fixed\-primary\fR
 Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf.
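Review bot: in the new `--domain` paragraph, "Usually the name is a lower-cased name of an IPA Kerberos realm name" doubles up "name"; "Usually it is the lower-cased form of the IPA Kerberos realm name" says the same thing and mirrors the shape of the new `--realm` sentence ("Usually it is an upper-cased name of the primary DNS domain"). The default stated for `--domain`, "the domain part of the hostname", should also be checked against what `ipalib/install/service.py` (listed in the diffstat but not shown in this excerpt) actually uses, so the man page and the code do not diverge on the first day.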
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index ad937cc..3ae9f6d 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -1,20 +1,5 @@
 .\" A man page for ipa-dns-install
-.\" Copyright (C) 2010 Red Hat, Inc.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General 

[Freeipa-devel] [freeipa PR#362][opened] Clarify meaning of --domain and --realm in installers

2017-01-02 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/362
Author: stlaz
 Title: #362: Clarify meaning of --domain and --realm in installers
Action: opened

PR body:
"""
This is my take on original https://github.com/freeipa/freeipa/pull/352. I hope 
I fixed all the mentioned issues + I added some missing articles.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/362/head:pr362
git checkout pr362
From 0c30326cdef516131540b755d689034ebf2d33ac Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 2 Jan 2017 13:22:07 +0100
Subject: [PATCH] Clarify meaning of --domain and --realm in installers

Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574
---
 client/man/ipa-client-install.1 | 31 ++---
 install/tools/man/ipa-dns-install.1 | 27 --
 install/tools/man/ipa-replica-install.1 | 38 ++
 install/tools/man/ipa-server-install.1  | 41 +
 ipalib/install/service.py   |  6 +++--
 5 files changed, 64 insertions(+), 79 deletions(-)

diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 9ae0b8b..319952c 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -1,22 +1,7 @@
 .\" A man page for ipa-client-install
-.\" Copyright (C) 2008 Red Hat, Inc.
+.\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
 .\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation, either version 3 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-.\" General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program.  If not, see .
-.\"
-.\" Author: Rob Crittenden 
-.\"
-.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-client-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-client\-install \- Configure an IPA client
 .SH "SYNOPSIS"
@@ -84,13 +69,21 @@ Consequences of the re\-enrollment on the host entry:
 .SS "BASIC OPTIONS"
 .TP
 \fB\-\-domain\fR=\fIDOMAIN\fR
-Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased name of an IPA Kerberos realm name.
+
+When no \-\-server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+
+The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value.
 .TP
 \fB\-\-server\fR=\fISERVER\fR
 Set the FQDN of the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
+
+Under normal circumstances, this option is not needed as the list of servers is retrieved from the primary IPA DNS domain.
 .TP
 \fB\-\-realm\fR=\fIREALM_NAME\fR
-Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
+The Kerberos realm of an existing IPA deployment. Usually it is an upper-cased name of the primary DNS domain used by the IPA installation.
+
+Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
 .TP
 \fB\-\-fixed\-primary\fR
 Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf.
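Review bot: the added paragraphs inside the `.TP` entries for `--domain`, `--server` and `--realm` are separated by empty source lines; man page convention (man-pages(7)) prefers an explicit `.PP`, `.IP` or `.sp` request over blank lines, since a blank line is a request for vertical space that some lint tools warn about. The indented continuation happens to render correctly under `.TP`, but `.IP` keeps the hanging indent explicit.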
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index ad937cc..3ae9f6d 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -1,20 +1,5 @@
 .\" A man page for ipa-dns-install

[Freeipa-devel] [freeipa PR#350][comment] spec file: revert to the previous Release tag

2017-01-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/eb1f05d598d821f8e7eb5b8cfe606f570052f263
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/350#issuecomment-269958484

[Freeipa-devel] [freeipa PR#350][closed] spec file: revert to the previous Release tag

2017-01-02 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/350
Author: HonzaCholasta
 Title: #350: spec file: revert to the previous Release tag
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/350/head:pr350
git checkout pr350

[Freeipa-devel] [freeipa PR#350][+pushed] spec file: revert to the previous Release tag

2017-01-02 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag

Label: +pushed

[Freeipa-devel] [freeipa PR#350][+ack] spec file: revert to the previous Release tag

2017-01-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag

Label: +ack

[Freeipa-devel] [freeipa PR#350][comment] spec file: revert to the previous Release tag

2017-01-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/350
Title: #350: spec file: revert to the previous Release tag

stlaz commented:
"""
I also appreciate the dist information, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/350#issuecomment-269950104

[Freeipa-devel] [freeipa PR#209][synchronized] Enumerate available options in IPA installer

2017-01-02 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/209
Author: Akasurde
 Title: #209: Enumerate available options in IPA installer
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/209/head:pr209
git checkout pr209
From ce8e4174f4af7d092158bf589c69cd747ce5061c Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Wed, 2 Nov 2016 16:36:17 +0530
Subject: [PATCH] Enumerate available options in IPA installer

Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options

Fixes https://fedorahosted.org/freeipa/ticket/5435

Signed-off-by: Abhijeet Kasurde 
---
 ipapython/install/cli.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipapython/install/cli.py b/ipapython/install/cli.py
index b6f872e..441c875 100644
--- a/ipapython/install/cli.py
+++ b/ipapython/install/cli.py
@@ -179,6 +179,8 @@ def add_options(cls, parser, positional=False):
 elif issubclass(knob_scalar_type, enum.Enum):
 kwargs['type'] = 'choice'
 kwargs['choices'] = [i.value for i in knob_scalar_type]
+kwargs['metavar'] = "{{{0}}}".format(
+",".join(kwargs['choices']))
 else:
 kwargs['nargs'] = 1
 kwargs['callback_args'] = (knob_scalar_type,)
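Review bot: `",".join(kwargs['choices'])` assumes every enum value is a `str`; an `enum.Enum` whose members carry int values would raise `TypeError` on this new line where the previous code only built the `choices` list, so `",".join(str(c) for c in kwargs['choices'])` is the safer form. Separately, the commit message says the fix covers the "IPA server installer and IPA CA installer help options", but the diff touches only `ipapython/install/cli.py`; either the `ipa-ca-install` change is missing from this revision or the message should be narrowed.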

[Freeipa-devel] [freeipa PR#298][+rejected] ipaldap: handle binary encoding option transparently

2017-01-02 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/298
Title: #298: ipaldap: handle binary encoding option transparently

Label: +rejected

Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2017-01-02 Thread Jan Cholasta

On 18.10.2016 07:34, Jan Cholasta wrote:
> On 17.10.2016 16:50, Rob Crittenden wrote:
>> Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 13.10.2016 18:52, Sumit Bose wrote:
>>>> = Issuer specific matching =
>>>> Although the MIT Kerberos rules allow to select the issuer of a
>>>> certificate there are use cases where a more specific selection is
>>>> needed. E.g. if there are some default matching rules for all issuers
>>>> and some other issuer specific rules where the default rules should
>>>> not apply. To make this possible with the above scheme the default
>>>> rules must have an  clause which matches all but the issuer
>>>> with the specific rules. Writing regular-expressions to not match a
>>>> specific string or a list of strings is at least error-prone if not
>>>> impossible.
>>>>
>>>> To make it easier to define issuer specific rules and default rules at
>>>> the same time an optional issuer string can be added to the rule to
>>>> indicate that for the given issuer only those rules should be
>>>> considered. Given the use-case I think it is acceptable to require
>>>> that the full issuer must be specified here in LDAP order (see below)
>>>> and case-sensitive matching is used.
>>>
>>> This could also be solved by adding priority to rules - if two rules
>>> match, the one with higher priority (the issuer specific rule) is
>>> preferred over the one with lower priority (the default rule). IMO this
>>> is better than an optional issuer string as it offers greater
>>> flexibility.
>>
>> The use cases I've seen haven't had to do with priority, though that
>> would be a nice enhancement, but with only allowing certificates issued
>> by a specific CA to be allowed (this is pretty common in web servers).
>> Being able to say "only do the matching on certificates issued by foo"
>> is valuable.
>
> Sure, I'm not suggesting that matching by issuer should be removed, only
> that rule precedence should not be determined by the issuer field setting.

Bump. Sumit, what is your opinion on this?

--
Jan Cholasta
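The two ways of scoping a matching rule to a certificate issuer that the quoted exchange contrasts (Sumit's optional issuer string that makes the default rules not apply for that issuer, and Jan's rule priority) are spelled out side by side in the following added Python example. It is not part of the thread and not SSSD or FreeIPA code: the `Rule` fields, the two selection functions, and the sample rules and certificates are all assumptions made for illustration.

```python
"""Added illustration for the issuer-scoping discussion above.

Neither the rule format nor the selection functions come from SSSD or
FreeIPA; the Rule fields, the two selection strategies, the sample rules
and the sample certificates are all assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    subject_regex: str             # pattern searched for in the certificate subject
    issuer: Optional[str] = None   # exact, case-sensitive issuer DN; None = default rule
    priority: int = 0              # used only by the priority strategy; higher wins


def rule_matches(rule: Rule, cert: Dict[str, str]) -> bool:
    """A rule matches when its issuer (if it has one) equals the certificate
    issuer verbatim and its subject pattern is found in the subject."""
    if rule.issuer is not None and rule.issuer != cert["issuer"]:
        return False
    return re.search(rule.subject_regex, cert["subject"]) is not None


def select_issuer_scoped(rules: List[Rule], cert: Dict[str, str]) -> List[str]:
    """Optional-issuer-string proposal: if any rule names this certificate's
    issuer, only those rules are consulted and the default rules are ignored."""
    specific = [r for r in rules if r.issuer == cert["issuer"]]
    candidates = specific if specific else [r for r in rules if r.issuer is None]
    return [r.name for r in candidates if rule_matches(r, cert)]


def select_by_priority(rules: List[Rule], cert: Dict[str, str]) -> List[str]:
    """Priority proposal: every rule is consulted; among those that match,
    only the ones sharing the highest priority are returned."""
    hits = [r for r in rules if rule_matches(r, cert)]
    if not hits:
        return []
    best = max(r.priority for r in hits)
    return [r.name for r in hits if r.priority == best]


# Constructed sample data (assumed names, not taken from any deployment).
RULES = [
    Rule("any-employee", r"OU=Employees"),                        # default rule
    Rule("contractor-ca", r"^CN=contractor-",                     # issuer-specific rule
         issuer="CN=Contractor CA,O=Example", priority=10),
]

CORP_CERT = {"issuer": "CN=Corporate CA,O=Example",
             "subject": "CN=alice,OU=Employees,O=Example"}
CONTRACTOR_CERT = {"issuer": "CN=Contractor CA,O=Example",
                   "subject": "CN=contractor-eve,O=Example"}
# A certificate from the contractor CA whose subject only the default rule would match:
CONTRACTOR_EMPLOYEE_CERT = {"issuer": "CN=Contractor CA,O=Example",
                            "subject": "CN=bob,OU=Employees,O=Example"}


if __name__ == "__main__":
    for label, cert in [("corporate", CORP_CERT),
                        ("contractor", CONTRACTOR_CERT),
                        ("contractor/employee", CONTRACTOR_EMPLOYEE_CERT)]:
        print(f"{label:20} issuer-scoped={select_issuer_scoped(RULES, cert)} "
              f"priority={select_by_priority(RULES, cert)}")
```

The third certificate is where the two proposals diverge: under the issuer-string scheme the contractor CA's own rule set replaces the defaults, so a certificate from that CA which its specific rule does not match maps to nothing, which is the "only do the matching on certificates issued by foo" behaviour Rob describes; under the priority scheme the default rule still applies to it, and suppressing the defaults for one issuer would again need an explicit negative match in the default rule.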



Re: [Freeipa-devel] Certificate Identity Mapping

2017-01-02 Thread Jan Cholasta

On 16.12.2016 09:34, Florence Blanc-Renaud wrote:
> On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> I have started a feature description for the Certificate Identity
>> Mapping at the following location:
>> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>>
>> This is a first step, focusing on the interface we would like to
>> provide. It still contains open questions, some of which are linked to
>> the corresponding design on SSSD side:
>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>>
>> Comments, concerns and suggestions are welcome. Thanks!
>>
>> Flo.
>
> Hi,
>
> the design page for Certificate Identity Mapping [1] has been updated
> with a schema proposal and an example of configuration data.
>
> Please share your comments, concerns, suggestions before January 7, so
> that we can finalize the API and start the implementation.
> Thanks,
> Flo.

1) I'm not a fan of host-mod --certmapping-prompt-username. IMO it would
be better to base this on group membership, which would allow automember
to be used.

A possible solution would be to introduce a CoS-based policy object,
similar to pwpolicy, but for hosts:

certmappolicy-mod [HOSTGROUP] --prompt-username=Boolean
certmappolicy-add HOSTGROUP --prompt-username=Boolean
certmappolicy-del HOSTGROUP

HOSTGROUP can be omitted in certmappolicy-mod, in which case the default
policy is modified. This would allow removing --prompt-username and
--enable-local-prompt-policy from certmappingconfig.

2) Nitpick: could we please rename certmapping* to certmap*? Not only
would it be quicker to type in the command line, but also named
consistently with selinuxusermap.



--
Jan Cholasta
