[Freeipa-devel] [freeipa PR#405][opened] ipa-restore must stop tracking PKINIT cert in the preparation phase

2017-01-19 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/405
Author: flo-renaud
 Title: #405: ipa-restore must stop tracking PKINIT cert in the preparation phase
Action: opened

PR body:
"""
ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).

Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/405/head:pr405
git checkout pr405
From 121388c4d8f7ce3fd6ba172904bd30564268db58 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 20 Jan 2017 08:33:22 +0100
Subject: [PATCH] ipa-restore must stop tracking PKINIT cert in the preparation
 phase

ipa-restore calls certmonger to stop tracking the PKI certs, HTTP and DS certs.
It must also stop tracking the newly introduced PKINIT cert (stored in
/var/kerberos/krb5kdc/kdc.crt).

Otherwise the restore operation ends up with PKINIT cert tracked twice and
uninstallation fails.

https://fedorahosted.org/freeipa/ticket/6570
---
 ipaserver/install/ipa_restore.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 2fae215..89cf9e6 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -41,7 +41,7 @@
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
get_cs_replication_manager)
 from ipaserver.install import installutils
-from ipaserver.install import dsinstance, httpinstance, cainstance
+from ipaserver.install import dsinstance, httpinstance, cainstance, krbinstance
 from ipapython import ipaldap
 import ipapython.errors
 from ipaplatform.constants import constants
@@ -821,6 +821,8 @@ def cert_restore_prepare(self):
 # When IPA is not installed, DS NSS DB does not exist
 pass
 
+krbinstance.KrbInstance().stop_tracking_certs()
+
 for basename in ('cert8.db', 'key3.db', 'secmod.db', 'pwdfile.txt'):
 filename = os.path.join(paths.IPA_NSSDB_DIR, basename)
 try:
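Review bot: the new `krbinstance.KrbInstance().stop_tracking_certs()` call is unguarded, unlike the DS NSS DB step just above it, which is wrapped in a try/except with the comment "When IPA is not installed, DS NSS DB does not exist". cert_restore_prepare() runs before the backup is put back, on a host where the KDC may not be installed or where /var/kerberos/krb5kdc/kdc.crt is not tracked at all, so if stop_tracking_certs() raises in that situation the whole restore aborts; either confirm it is a no-op when certmonger has no matching request, or wrap it the same way the DS case is wrapped.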
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Here's what I did
```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
status: CA_UNREACHABLE
ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
CA: IPA
issuer: 
subject: 
expires: unknown
pre-save command: 
post-save command: 
track: yes
auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```
Here's the full replica install log: http://pastebin.com/kwj8nFcC
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634

[Freeipa-devel] [freeipa PR#403][synchronized] Add new ipa passwd-generate command

2017-01-19 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/403
Author: redhatrises
 Title: #403: Add new ipa passwd-generate command
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/403/head:pr403
git checkout pr403
From a7157c8f83ca544664431a05e3db8171fa9fa27e Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 19 Jan 2017 21:04:57 -0700
Subject: [PATCH] Add new ipa passwd-generate command

Adds a new `ipa passwd-generate` command that can create complex
passwords using the refactored ipa_generate_password function. This is
useful for deriving secure passwords for system/service accounts rather
than relying on system administrators to come up with their own form of
password.
---
 API.txt | 11 +++
 VERSION.m4  |  4 +--
 ipaserver/plugins/passwd.py | 75 -
 3 files changed, 87 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..f0ec2ae 100644
--- a/API.txt
+++ b/API.txt
@@ -3461,6 +3461,16 @@ option: Str('version?')
 output: Output('result', type=[])
 output: Output('summary', type=[, ])
 output: Output('value', type=[])
+command: passwd_generate/1
+args: 0,7,1
+option: Int('digits?', autofill=True, default=1)
+option: Int('entropy?', autofill=True, default=0)
+option: Int('length?', autofill=True, default=8)
+option: Int('lowercase?', autofill=True, default=1)
+option: Int('special?', autofill=True, default=1)
+option: Int('uppercase?', autofill=True, default=1)
+option: Str('version?')
+output: Output('summary', type=[, ])
 command: permission_add/1
 args: 1,21,3
 arg: Str('cn', cli_name='name')
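Review bot: the defaults registered here, `entropy?` with default=0 and `length?` with default=8, are far below the entropy_bits=256 default that ipa_generate_password itself carries (see its signature in the ipautil.py hunk later in this digest), even though the commit message presents this command as the way to derive secure passwords for system/service accounts. Consider defaulting entropy to the function's own value, or at least documenting what entropy 0 means, so that a bare `ipa passwd-generate` does not hand out an 8-character password.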
@@ -6546,6 +6556,7 @@ default: param/1
 default: param_find/1
 default: param_show/1
 default: passwd/1
+default: passwd_generate/1
 default: permission/1
 default: permission_add/1
 default: permission_add_member/1
diff --git a/VERSION.m4 b/VERSION.m4
index 36929ee..c4fd931 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 217)
-# Last change: Add options to write lightweight CA cert or chain to file
+define(IPA_API_VERSION_MINOR, 218)
+# Last change: Add new command line option to generate a password
 
 
 
diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
index 8cac145..35322b8 100644
--- a/ipaserver/plugins/passwd.py
+++ b/ipaserver/plugins/passwd.py
@@ -21,7 +21,7 @@
 
 from ipalib import api, errors, krb_utils
 from ipalib import Command
-from ipalib import Password
+from ipalib import Password, Int
 from ipalib import _
 from ipalib import output
 from ipalib.parameters import Principal
@@ -29,6 +29,7 @@
 from ipalib.request import context
 from ipapython import kerberos
 from ipapython.dn import DN
+from ipapython.ipautil import ipa_generate_password
 from ipaserver.plugins.baseuser import normalize_user_principal
 from ipaserver.plugins.service import validate_realm
 
@@ -147,3 +148,75 @@ def execute(self, principal, password, current_password, **options):
 result=True,
 value=principal,
 )
+
+
+@register()
+class passwd_generate(Command):
+__doc__ = _("Autogenerate a password.")
+
+takes_options = (
+Int('uppercase',
+label=_('Uppercase'),
+doc=_('Number of uppercase characters'),
+default=1,
+autofill=True,
+required=False,
+),
+Int('lowercase',
+label=_('Lowercase'),
+doc=_('Number of lowercase characters'),
+default=1,
+autofill=True,
+required=False,
+),
+Int('digits',
+label=_('Digits'),
+doc=_('Number of digits'),
+default=1,
+autofill=True,
+required=False,
+),
+Int('special',
+label=_('Special characters'),
+doc=_('Number of special characters'),
+default=1,
+autofill=True,
+required=False,
+),
+Int('length',
+label=_('Length'),
+doc=_('Password Length'),
+default=8,
+autofill=True,
+required=False,
+),
+Int('entropy',
+label=_('Entropy'),
+doc=_('Number of entropy bits'),
+default=0,
+autofill=True,
+required=False,
+),
+)
+
+has_output = (
+output.summary,
+)
+
+def execute(self, *keys, **options):
+pwd_length = options.get('length')
+entropy = options.get('entropy')
+ucase = options.get('uppercase')
+lcase = options.get('lowercase')
+   
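Review bot: none of the six Int options carries a minvalue, so a negative count such as --uppercase=-1 passes parameter validation and is handed to ipa_generate_password unchanged; add minvalue=0 to the four count options and minvalue=1 to length. Separately, has_output is only output.summary, so the generated password can only be returned embedded in a human-readable summary string rather than as a structured result value that API clients can consume directly; an output.Output('result') would be the usual shape. The rest of execute() is cut off in this mail, so its return value could not be reviewed.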

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I cannot get a replica install to fail like you did, can you post some logs?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

MartinBasti commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-273845743

[Freeipa-devel] [freeipa PR#376][comment] client install: correctly report all failures

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/376
Title: #376: client install: correctly report all failures

stlaz commented:
"""
I suspect we are suffering the same "always return 0" error as we've already 
got reported in other installers, right?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/376#issuecomment-273838624

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fa7aaef1de2c97ac9d24925ca9adb25c7151055f
https://fedorahosted.org/freeipa/changeset/91c050b4e093802d8c6b510a22d6e435faba965f
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-273827674

[Freeipa-devel] [freeipa PR#181][closed] Tests : User Tracker creation of user with minimal values

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
 Title: #181: Tests : User Tracker creation of user with minimal values
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181

[Freeipa-devel] [freeipa PR#181][+pushed] Tests : User Tracker creation of user with minimal values

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

Label: +pushed

[Freeipa-devel] [freeipa PR#210][+pushed] Tests: Stage User Tracker implementation

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

Label: +pushed

[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a336de630e9d1ef95a507cc3ee9200c001ab9193
https://fedorahosted.org/freeipa/changeset/c391f6ba58a61e046e49e1b4526b62d7ce250301
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/210#issuecomment-273826976

[Freeipa-devel] [freeipa PR#210][closed] Tests: Stage User Tracker implementation

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
 Title: #210: Tests: Stage User Tracker implementation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210

[Freeipa-devel] [freeipa PR#404][edited] tests: Add LDAP URI to ldappasswd explicitly

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/404
Author: dkupka
 Title: #404: tests: Add LDAP URI to ldappasswd explicitly
Action: edited

 Changed field: title
Original value:
"""
tests: Add LDAP URI to ldappasswd explicitelly
"""


[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e04b75cb9e71fb2b9faa49aea7f2244b01fddbcb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/373#issuecomment-273811327

[Freeipa-devel] [freeipa PR#373][+pushed] ipaplatform: Add Debian platform module.

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

Label: +pushed

[Freeipa-devel] [freeipa PR#373][closed] ipaplatform: Add Debian platform module.

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/373
Author: tjaalton
 Title: #373: ipaplatform: Add Debian platform module.
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/373/head:pr373
git checkout pr373

[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 3fe24269ceebe72c97b2a181e1c522e4968e4d5b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/31] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 
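Review bot: neither the old os.open(pwd_file, os.O_CREAT | os.O_RDWR) nor the new io.open(pwd_file, 'w') sets an explicit file mode, so the file holding the NSS database password is created with whatever the process umask happens to allow. Since this is a secret, create it with an explicit 0600, e.g. os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600) followed by os.fdopen(fd, 'w'), rather than relying on umask. Also, io.open(..., 'w') opens in text mode with the locale's default encoding and, on Python 2, only accepts unicode; pass encoding='utf-8' explicitly, which also lines up with the u'' change to ipa_generate_password in the next patch.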

From bce5b4bd3de2c2d98c53695294a661d2c6b2a95f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/31] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
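Review bot: delete=False leaves a file containing the Directory Manager password on disk after the with block ends, and nothing in this hunk removes pw_name; make sure the caller unlinks it in a finally clause once ldapmodify has finished, so that a failure in between does not leave the password behind in the temp directory. NamedTemporaryFile creates the file with mode 0600, as mkstemp did, so the permission side of the change is unchanged.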

From bd2df6b979d88d407e455047076f78e932a43f1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/31] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text
mode in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5a28026..ceb7bf3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -587,14 +587,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
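Review bot: mode='w' without an explicit encoding writes the new dse.ldif using the locale's preferred encoding, which under a C/POSIX locale on the Python 3 of the day is ASCII and would raise UnicodeEncodeError on any non-ASCII value coming from the admin-supplied config_ldif; pass encoding='utf-8' here and when opening input_file so both sides of ModifyLDIF agree. The [b'5'] change also means ModifyLDIF now receives bytes values while writing to a text-mode file, which is worth a unit test covering a non-ASCII value.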

From d34f4dd4a9ec63ee2129e62bcb1d0b26d6db3aca Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:01:29 +0100
Subject: [PATCH 04/31] 

[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

MartinBasti commented:
"""
@tiran we found the issue that causes random test fails, @HonzaCholasta will 
provide PR with fix, that should be pushed before these commits
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/393#issuecomment-273805191

[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

stlaz commented:
"""
The patch seems fine, I could have some nitpicks but nothing really important. 
ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/373#issuecomment-273803873

[Freeipa-devel] [freeipa PR#373][+ack] ipaplatform: Add Debian platform module.

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

Label: +ack

[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

stlaz commented:
"""
@tiran I would like to test this in a Vagrant box before pushing it
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/373#issuecomment-273796530

[Freeipa-devel] [freeipa PR#373][comment] ipaplatform: Add Debian platform module.

2017-01-19 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/373
Title: #373: ipaplatform: Add Debian platform module.

tiran commented:
"""
@stlaz the patch looks fine to me now. I can't comment on the path values, 
though. Do you like to see additional modifications?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/373#issuecomment-273781036

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages

2017-01-19 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add placeholder and IPA commands packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 297f9612fc366084f02e8d7229cc488bb24d9dcd Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 9 Jan 2017 11:02:25 +0100
Subject: [PATCH] Packaging: Add placeholder and IPA commands packages

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore|   7 ++
 Makefile.am   |   5 +-
 Makefile.python.am|  34 +--
 Makefile.pythonbuild.am   |  32 +++
 configure.ac  |   4 +
 packaging/Makefile.am |  11 +++
 packaging/freeipa/Makefile.am |   1 +
 packaging/freeipa/README.txt  |   2 +
 packaging/freeipa/setup.cfg   |   6 ++
 packaging/freeipa/setup.py|  36 +++
 packaging/ipa/Makefile.am |   1 +
 packaging/ipa/README.txt  |   2 +
 packaging/ipa/setup.cfg   |   6 ++
 packaging/ipa/setup.py|  36 +++
 packaging/ipacommands/MANIFEST.in |  25 +
 packaging/ipacommands/Makefile.am |  72 ++
 packaging/ipacommands/setup.cfg   |   5 +
 packaging/ipacommands/setup.py| 194 ++
 18 files changed, 446 insertions(+), 33 deletions(-)
 create mode 100644 Makefile.pythonbuild.am
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py
 create mode 100644 packaging/ipacommands/MANIFEST.in
 create mode 100644 packaging/ipacommands/Makefile.am
 create mode 100644 packaging/ipacommands/setup.cfg
 create mode 100644 packaging/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 04553fd..249f158 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,3 +112,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/packaging/ipacommands/COPYING
+/packaging/ipacommands/Contributors.txt
+/packaging/ipacommands/asn1
+/packaging/ipacommands/client
+/packaging/ipacommands/ipasetup.py
+/packaging/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..e25cea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..96b0050 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,22 +1,6 @@
-pkgname = $(shell basename "$(abs_srcdir)")
-pkgpythondir = $(pythondir)/$(pkgname)
-
-if VERBOSE_MAKE
-VERBOSITY="--verbose"
-else
-VERBOSITY="--quiet"
-endif !VERBOSE_MAKE
+include $(top_srcdir)/Makefile.pythonbuild.am
 
-# hack to handle back-in-the-hierarchy depedency on ipasetup.py
-.PHONY: $(top_builddir)/ipasetup.py
-$(top_builddir)/ipasetup.py:
-	(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
-
-all-local: $(top_builddir)/ipasetup.py
-	cd $(srcdir); $(PYTHON) setup.py \
-		$(VERBOSITY) \
-		build \
-		--build-base "$(abs_builddir)/build"
+pkgpythondir = $(pythondir)/$(pkgname)
 
 install-exec-local: $(top_builddir)/ipasetup.py
 	$(PYTHON) $(srcdir)/setup.py \
@@ -31,14 +15,6 @@ uninstall-local:
 	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
-clean-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) "$(srcdir)/setup.py" clean --all
-	rm -rf "$(srcdir)/build" "$(srcdir)/dist" 

[Freeipa-devel] [freeipa PR#404][comment] tests: Add LDAP URI to ldappasswd explicitelly

2017-01-19 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/404
Title: #404: tests: Add LDAP URI to ldappasswd explicitelly

tiran commented:
"""
`ipatests/test_integration/util.py` calls ldappasswd without `-H` 
option, too. Related to the issue at hand, `ipaserver/install/service.py` 
has a similar issue with ldapmodify.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/404#issuecomment-273774110

[Freeipa-devel] [freeipa PR#382][synchronized] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-19 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/382
Author: MartinBasti
 Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382
From 3fe24269ceebe72c97b2a181e1c522e4968e4d5b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/16] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 
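Review bot: the NSS database password file is still created with whatever mode the umask allows, both in the removed `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` (no mode argument) and in the new `io.open(pwd_file, 'w')`; since this file holds the key-database password, create it restrictively, e.g. `fd = os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)` followed by `with io.open(fd, 'w') as f:`, or chmod it to 0o600 before writing. Text mode without an explicit encoding also depends on the locale; ipa_generate_password() output is ASCII so it works today, but `encoding='utf-8'` would make the assumption explicit.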

From bce5b4bd3de2c2d98c53695294a661d2c6b2a95f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/16] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way, and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
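Review bot: changing the accumulator to `u''` changes the return type of ipa_generate_password() to unicode on Python 2 as well, so every caller that still writes the result with os.write() or compares it against a byte string needs the same treatment that create_cert_db() gets in the previous patch; a grep for the remaining callers and a note on the return type in the docstring would make the change self-contained.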
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
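Review bot: with `delete=False` the temporary file holding the Directory Manager password outlives the with block, exactly as the mkstemp version did, so the later removal of pw_name (not in this hunk) must still be reached on every path, preferably in a finally clause; otherwise a failed ldapmodify leaves the DM password in /tmp. Permissions are unchanged, since NamedTemporaryFile creates the file 0600 like mkstemp. Consider `mode='w', encoding='utf-8'` as well: without it, a non-ASCII DM password under a C/POSIX locale raises UnicodeEncodeError on write under Python 3.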

From bd2df6b979d88d407e455047076f78e932a43f1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/16] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text
mode in py3

Also, values passed to the parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5a28026..ceb7bf3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -587,14 +587,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
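Review bot: the built-in value becomes `[b'5']` because replace_value() now expects bytes, but the admin-supplied path that starts at `if self.config_ldif:` lies outside this hunk; check that the values it feeds into the parser are converted to bytes as well, otherwise the user-supplied LDIF would fail under Python 3 while the built-in modification succeeds. The temporary file is also opened with the locale default encoding; LDIF output is base64-encoded where non-ASCII, so that is safe, but an explicit encoding would document the assumption.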

From d34f4dd4a9ec63ee2129e62bcb1d0b26d6db3aca Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-01-19 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 64ff3f9db5211ccd3c5124a5eadaf29084370534 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   6 +-
 configure.ac | 251 +--
 server.m4| 119 
 3 files changed, 211 insertions(+), 165 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..24d31c8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,11 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po
+
+if ENABLE_SERVER
+SUBDIRS += daemons init install ipaserver
+endif
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
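Review bot: ipatests remains unconditionally in SUBDIRS while ipaserver moves under `if ENABLE_SERVER`; confirm that the test package builds and its modules import without ipaserver present in a client-only tree, otherwise gate ipatests on ENABLE_SERVER as well.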
diff --git a/configure.ac b/configure.ac
index 6cd3a89..744bcee 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
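Review bot: the help text in `+[  --disable-serverDisable server support],` has lost the column alignment that `./configure --help` expects; use `AS_HELP_STRING([--disable-server], [Disable server support])` and let autoconf format it. The bad-value message also names `--disable-server` although a bad value can only arrive via `--enable-server=...`, so `--enable-server` reads better there.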
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = "xpdb" ; then
-  AC_CHECK_LIB([$LIBPDB_NAME],
-   
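Review bot: in the removed Samba block, `if test "x$LIB_PDB_NAME" = "xpdb"` tests a variable that is never assigned (the assignments above use LIBPDB_NAME), so the fallback AC_CHECK_LIB for the older pdb library name never ran; if this block is moved into server.m4 verbatim, fix the variable name there.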

[Freeipa-devel] [freeipa PR#372][+rejected] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

Label: +rejected

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-19 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can confirm that the ldapi error occurs every other install. I can 
also confirm that it does not occur during the initial server install on a 
clean machine, so I agree it can be fixed later.

* CA-less install is still broken. To reproduce the bug, make sure to delete 
all certificates from `/etc/httpd/alias` before running the install, otherwise 
[ticket 4639](https://fedorahosted.org/freeipa/ticket/4639) will hide the bug. 
I use:
  ```bash
  certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | 
xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
  ```

* Replica install fails when `/var/lib/ipa/radb` does not exist prior to 
running the install:
  ```
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
  ```

* `/var/lib/ipa/radb` should be removed on uninstall.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-273737162

[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-19 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

tiran commented:
"""
I have opened ticket https://fedorahosted.org/freeipa/ticket/6624 to track the 
matter.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/382#issuecomment-273735484

[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-19 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

MartinBasti commented:
"""
I left json_decode() only in places where external JSON requests are coming 
in; all other internal usages of JSON should be in utf-8 encoding.

Other requests are out of scope of this PR and should be resolved in separate 
tickets/PRs
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/382#issuecomment-273733412

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-01-19 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 65b1b0695ee17e88fab9d6fc0821a6b247b11669 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 184 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  17 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   9 +
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 +-
 ipaserver/plugins/certmap.py   | 357 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 843 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
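Review bot: the two read ACIs use `userdn = "ldap:///all"`, which grants every authenticated bind (including enrolled hosts' keytab principals, which is what SSSD needs for certmap lookups) read access to the mapping and matching rules while excluding anonymous binds; if that is the intent, state it in the design page, since the rule contents reveal which issuers and subject patterns are trusted for certificate login. Also, Modify Certmap Configuration covers only ipacertmappromptusername while Read covers cn as well; that is consistent, just confirm no other configuration attribute is meant to be admin-writable.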
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: 

[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-19 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

tiran commented:
"""
Let's reiterate. It's obviously wrong to assume that request data such as JSON 
are encoded as UTF-8. It can be just any encoding. Outside the Western world, 
JSON and XML are often encoded as UTF-16.

That doesn't mean we have to support other encodings than UTF-8 right now. It's 
fine to restrict requests and responses to UTF-8 as the only supported encoding. 
The check should be performed early in the WSGI layer. A client can send 
the request type as part of the content type. The framework should check for 
the presence of an encoding hint and refuse encodings that are 
```encoding.lower() not in {'utf8', 'utf-8'}```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/382#issuecomment-273730248
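The WSGI-layer check tiran describes above, as an added example that is not FreeIPA code and not part of the PR: it parses the charset parameter of Content-Type, refuses anything other than UTF-8 with a 415, and decodes the body strictly as UTF-8 so that the json module's own UTF-16/UTF-32 autodetection cannot bypass the restriction. All function names and the sample requests are hypothetical.

```python
import io
import json

# Only UTF-8 is accepted, matching the check quoted in the comment above.
ALLOWED_CHARSETS = {'utf8', 'utf-8'}


def parse_content_type(header):
    """Split 'application/json; charset="UTF-8"' into (media_type, params)."""
    if not header:
        return '', {}
    parts = [p.strip() for p in header.split(';')]
    params = {}
    for part in parts[1:]:
        if '=' in part:
            name, value = part.split('=', 1)
            params[name.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def request_charset_ok(environ):
    """True when the request has no charset hint or an acceptable one."""
    _, params = parse_content_type(environ.get('CONTENT_TYPE', ''))
    charset = params.get('charset')
    return charset is None or charset.lower() in ALLOWED_CHARSETS


def _reply(start_response, status, body, ctype='text/plain; charset=utf-8'):
    start_response(status, [('Content-Type', ctype),
                            ('Content-Length', str(len(body)))])
    return [body]


def utf8_only_middleware(app):
    """WSGI middleware: refuse requests that declare a non-UTF-8 charset."""
    def wrapper(environ, start_response):
        if not request_charset_ok(environ):
            return _reply(start_response, '415 Unsupported Media Type',
                          b'unsupported request charset; use UTF-8\n')
        return app(environ, start_response)
    return wrapper


def json_echo_app(environ, start_response):
    """Hypothetical inner app: decode strictly as UTF-8, echo sorted keys."""
    raw = environ['wsgi.input'].read(int(environ.get('CONTENT_LENGTH') or 0))
    try:
        # json.loads(bytes) would autodetect UTF-16/32 and silently accept
        # them; decoding explicitly enforces the UTF-8-only contract.
        data = json.loads(raw.decode('utf-8'))
    except (UnicodeDecodeError, ValueError):
        return _reply(start_response, '400 Bad Request',
                      b'request body is not valid UTF-8 JSON\n')
    return _reply(start_response, '200 OK',
                  json.dumps(sorted(data)).encode('utf-8'),
                  'application/json; charset=utf-8')


def make_environ(content_type, body):
    """Constructed minimal WSGI environ for a POST carrying `body`."""
    return {'REQUEST_METHOD': 'POST', 'CONTENT_TYPE': content_type,
            'CONTENT_LENGTH': str(len(body)), 'wsgi.input': io.BytesIO(body)}


def call_wsgi(app, environ):
    """Run one request through a WSGI app; return (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status

    body = b''.join(app(environ, start_response))
    return captured['status'], body


if __name__ == '__main__':
    app = utf8_only_middleware(json_echo_app)
    request = json.dumps({'method': 'user_find', 'params': [[], {}]})
    # Declared UTF-16: refused (415) before the body is read.
    print(call_wsgi(app, make_environ('application/json; charset=utf-16',
                                      request.encode('utf-16'))))
    # No hint but a UTF-16 body (starts with BOM 0xFF 0xFE): 400, not parsed.
    print(call_wsgi(app, make_environ('application/json',
                                      request.encode('utf-16'))))
    # Declared and encoded as UTF-8: passes through.
    print(call_wsgi(app, make_environ('application/json; charset="UTF-8"',
                                      request.encode('utf-8'))))
```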

[Freeipa-devel] [freeipa PR#404][opened] tests: Add LDAP URI to ldappasswd explicitly

2017-01-19 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/404
Author: dkupka
 Title: #404: tests: Add LDAP URI to ldappasswd explicitly
Action: opened

PR body:
"""
Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/404/head:pr404
git checkout pr404
From 7cc4014b13e3e8eb7266b395f78e17a50e4d124f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitly

Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 
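Review bot: adding `'-H', api.env.ldap_uri` fixes the implicit-host problem, but the call still passes oldpw and newpw as argv arguments and then hands the list to run(), which logs the full command line unless told otherwise; if run here is ipautil.run, pass `nolog=(oldpw, newpw)` so the credentials do not end up in the test log. Also, with `-x` simple bind the old password crosses the wire in the clear whenever api.env.ldap_uri is a plain ldap:// URI, so the test should rely on an ldapi:// or ldaps:// URI or add `-Z` for STARTTLS.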

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-01-19 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

stlaz commented:
"""
- I think we may need to discuss the support at the Monday meeting; generally I 
think SSL 3.0 and TLS 1.0 should not be supported, but there might be trouble 
with connectivity to legacy IPA servers
- Yes, although in that case we would have to fail instead of falling back to 
"reasonable defaults", as Env object attribute values cannot be changed once set
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-273717304