[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-01-24 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

frasertweedale commented:
"""
@martbab the paste looks like gobbledygook; it's gzipped.

We will see it in action soon enough :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-275016649
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread frozencemetery
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

frozencemetery commented:
"""
There was talk of exporting a minor dal version but I think upstream explicitly 
doesn't want it.

freeipa.spec.in should be modified if I understand correctly; otherwise this 
looks good.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274919521

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

pvoborni commented:
"""
Maybe the lite-server approach is great and other people would appreciate that. 
I shouldn't be the one to judge it.  

What about demonstrating it to the rest of the team and showing the value? 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274869463

[Freeipa-devel] [freeipa PR#347][+ack] Improvements in {get|set}_directive functions

2017-01-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

Label: +ack

[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

2017-01-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

tomaskrizek commented:
"""
I wasn't able to find any more issues with the quoting of certificate names. 
The directive quoting seems to work properly now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-274867155

[Freeipa-devel] [freeipa PR#337][synchronized] Client-side CSR autogeneration (take 2)

2017-01-24 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/337
Author: LiptonB
 Title: #337: Client-side CSR autogeneration (take 2)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/337/head:pr337
git checkout pr337
From 4ead459036761600c43c414cb91a21c591ad906a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/8] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 configure.ac   |   1 +
 freeipa.spec.in|   9 +
 install/share/Makefile.am  |   1 +
 install/share/csr/templates/ipa_macros.tmpl|  42 +++
 install/share/csrgen/Makefile.am   |  27 ++
 install/share/csrgen/templates/certutil_base.tmpl  |  14 +
 install/share/csrgen/templates/openssl_base.tmpl   |  35 +++
 install/share/csrgen/templates/openssl_macros.tmpl |  29 ++
 ipaclient/csrgen.py| 320 +
 ipaclient/plugins/csrgen.py| 116 
 ipalib/errors.py   |  28 ++
 ipaplatform/base/paths.py  |   1 +
 12 files changed, 623 insertions(+)
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csrgen/Makefile.am
 create mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen.py
 create mode 100644 ipaclient/plugins/csrgen.py

diff --git a/configure.ac b/configure.ac
index e8a4701..01fc81e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -530,6 +530,7 @@ AC_CONFIG_FILES([
 install/share/Makefile
 install/share/advise/Makefile
 install/share/advise/legacy/Makefile
+install/share/csrgen/Makefile
 install/share/profiles/Makefile
 install/share/schema.d/Makefile
 install/ui/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c4420a0..8396105 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -147,6 +147,7 @@ BuildRequires:  python-sssdconfig
 BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
+BuildRequires:  python2-jinja2
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
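Review bot: `BuildRequires:  python2-jinja2` is added just above the `%if 0%{?with_python3}` block but not inside it; since the new jinja2 consumer lives in ipaclient/csrgen.py, which the Python 3 build also packages, a matching `BuildRequires:  python3-jinja2` inside that block (and a `Requires: python3-jinja2` for the py3 client subpackage, mirroring the `Requires: python2-jinja2` in the next hunk) is needed, or the patch should state why only the Python 2 build needs it.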
@@ -602,6 +603,7 @@ Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
+Requires: python2-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -1208,6 +1210,13 @@ fi
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
 %{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/csrgen
+%dir %{_usr}/share/ipa/csrgen/templates
+%{_usr}/share/ipa/csrgen/templates/*.tmpl
+%dir %{_usr}/share/ipa/csrgen/profiles
+%{_usr}/share/ipa/csrgen/profiles/*.json
+%dir %{_usr}/share/ipa/csrgen/rules
+%{_usr}/share/ipa/csrgen/rules/*.json
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
 %{_usr}/share/ipa/html/ffconfig_page.js
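Review bot: the %files hunk globs `%{_usr}/share/ipa/csrgen/profiles/*.json` and `%{_usr}/share/ipa/csrgen/rules/*.json`, but this patch creates only `install/share/csrgen/templates/` (see the diffstat and the new csrgen/Makefile.am); rpmbuild fails on a %files glob that matches nothing, so at this commit the package does not build. If the profiles and rules arrive in later patches of the series, move these five lines to the patch that adds them.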
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 10de84d..715912d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
 
 SUBDIRS =  \
 	advise\
+	csrgen\
 	profiles			\
 	schema.d			\
 	$(NULL)
diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
new file mode 100644
index 000..e790d4e
--- /dev/null
+++ b/install/share/csr/templates/ipa_macros.tmpl
@@ -0,0 +1,42 @@
+{% set rendersyntax = {} %}
+
+{% set renderdata = {} %}
+
+{# Wrapper for syntax rules. We render the contents of the rule into a
+variable, so that if we find that none of the contained data rules rendered we
+can suppress the whole syntax rule. That is, a syntax rule is rendered either
+if no data rules are specified (unusual) or if at least one of the data rules
+rendered successfully. #}
+{% macro syntaxrule() -%}
+{% do rendersyntax.update(none=true, any=false) -%}
+{% set contents -%}
+{{ caller() -}}
+{% endset -%}
+{% if rendersyntax['none'] or rendersyntax['any'] -%}
+{{ contents -}}
+{% endif -%}
+{% endmacro %}
+
+{# Wrapper for data rules. A data rule is rendered only when all of the data
+fields it contains have data available. #}
+{% macro datarule() -%}
+{% do rendersyntax.update(none=false) -%}
+{% do renderdata.update(all=true) -%}
+{% set contents -%}
+{{ caller() -}}
+{% 
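Review bot: this file is created at install/share/csr/templates/ipa_macros.tmpl, whereas the other templates, the configure.ac entry and the `%{_usr}/share/ipa/csrgen/templates/*.tmpl` packaging line all use install/share/csrgen/; as written the macro file is neither built by install/share/csrgen/Makefile.am nor shipped, so it should move to install/share/csrgen/templates/. Also, the `{% do rendersyntax.update(...) %}` statements only work when the jinja2 Environment is created with the `jinja2.ext.do` extension enabled; a comment at the top of the template (or next to the Environment construction in ipaclient/csrgen.py) would save the next reader a confusing TemplateSyntaxError.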

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-24 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

LiptonB commented:
"""
@HonzaCholasta, I think we're on the same page, then. I removed the dogtag 
profile and the validation from the `profile_id` parameter, and rebased the PR 
against master.

For the `cert-request --autogenerate` functionality, I will think about where 
in the CSR profile to store a link to the IPA profile to use.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-274837474

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-24 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
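Review bot: `enable()` and `disable()` are the only public methods added here without a docstring, while `make_enable_command`, `check_enable` and the surrounding `update`/`check_update` all carry one; add e.g. `"""Helper function to enable the entry and check the result"""`, matching the wording of `create()` in the previous hunk.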

From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 
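Review bot: `certmaprule_optional_params` lists `'ipaassociateddomain'`, but `certmaprule_create_params` and `certmaprule_update_params` above use the key `u'associateddomain'` (the attribute is also named `associateddomain` in the ACI.txt changes of this PR); any test that iterates over the optional parameters to drop or look up that key will silently never match it, so the entry should read `'associateddomain'`. Minor: `'changed arbitrary maching rule'` in the update data is missing a `t`.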

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-24 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

stlaz commented:
"""
Removed the ACK label since this is not yet reviewed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-274833994

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-24 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From b758cf15199a42a707c1028a29ec4772d24589eb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/4] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt   |  16 +-
 API.txt   | 154 +
 VERSION.m4|   4 +-
 install/share/73certmap.ldif  |  17 ++
 install/share/Makefile.am |   1 +
 install/updates/73-certmap.update |  27 +++
 install/updates/Makefile.am   |   1 +
 ipalib/constants.py   |   2 +
 ipaserver/install/dsinstance.py   |   1 +
 ipaserver/plugins/baseuser.py |  11 +-
 ipaserver/plugins/certmap.py  | 345 ++
 ipaserver/plugins/user.py | 173 ++-
 12 files changed, 745 insertions(+), 7 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..ec2eeca 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
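Review bot: the two read ACIs differ in scope: `permission:System: Read Certmap Configuration` grants compare/read/search to `userdn = "ldap:///all"`, while `permission:System: Read Certmap Rules` is restricted to members of its permission group. The rules are what SSSD on enrolled hosts consumes (the test data in this PR describes them as "defined and consumed by SSSD"), so confirm that host principals receive the Read Certmap Rules permission by default, and document in the commit message why the configuration entry is world-readable but the rules are not.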
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalkey || passwordhistory || 

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

tiran commented:
"""
I put some effort into the dev server because I find it very useful during 
development. The werkzeug WSGI adds some useful features, e.g. auto-reloader 
and through-the-web debugger (soon). I can maintain a copy of the dev server 
for me personally but I'd rather have a copy in the source tree. It doesn't 
have to be ```/lite-server.py```. How about ```contrib/dev-server```?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274834789

[Freeipa-devel] [freeipa PR#395][-ack] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-24 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

Label: -ack

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, with this latest push I can install servers and replicas both with CA and 
CA-less.
I cannot reproduce the failure @HonzaCholasta sees, so from my side I am done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274832504

[Freeipa-devel] [freeipa PR#10][closed] Client-side CSR autogeneration

2017-01-24 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/10
Author: LiptonB
 Title: #10: Client-side CSR autogeneration
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
No, no minor DAL version. That's why I had to resort to structure member checks 
in autoconf.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274827207

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-24 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

pvoborni commented:
"""
When I was still developing server-side then I used lsyncd to rsync files from 
my local laptop working git repo to their location on vm in a lab. 

So the process for me was just:
* change file
* restart httpd
* test

Lite server covers only API changes. The solution above also covered installs and 
updates (to some extent). So it was much more usable, because API changes are 
only a small part of FreeIPA development.

For Web UI, there is the older /install/ui/util/sync.sh which does a similar thing.

Build system refactoring enabled the use of the `make install` method:

```
$ mkdir /tmp/vm
$ sshfs -o transform_symlinks root@:/ /tmp/vm
$ make install DESTDIR=/tmp/vm
```
This covers all use cases. So it might be better to talk about whether we should 
rather promote this method with e.g. a containerized IPA instance. 

I.e. before we ACK or NACK this PR, I'd rather have a conversation about what the 
issue is and what the right solution is, and how we can make the whole process 
better. And then update http://www.freeipa.org/page/Contribute/Code, which is 
rather obsolete and doesn't describe any method.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274826574

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
I checked and can't find it ... facepalm

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274826331

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
Doesn't kdb.h also export a MINOR version to test against ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274823821

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
@simo5 spec dependencies are separate from the code -- the spec will not help 
on Debian, for example.
We need both the spec dependencies and the proper checks in the code.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274810069

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
Also, I know you can use ifdefs to avoid copying large parts of the 
structure initialization, but I would prefer 3 separate full inits based only on 
ifdefs on the DAL version numbers.
In pseudo:
if v5:
  vtable = { ... }
elif v6.0:
  vtable = { ... }
elif v6.1:
  vtable = { ... }
else:
  error!

Those tables cannot change, so using ifdefs in them can only risk introducing 
bugs in one of the versions rather than help reduce code duplication.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274808126

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

simo5 commented:
"""
abbra, we should also change how spec deps work.
I asked @rharwood to add a provides that is the DAL version number.
We should stop having a dep on the krb5 major version number and instead have a 
dependency on this provide.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274806881

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-24 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

rcritten commented:
"""
Right, and IMHO that development process is inefficient and prone to error. 
Rather than copying bits around and doing full installs over and over you can 
run the server in-tree and have vastly improved debugging available. 

Certainly a "final" test of a full server install loop is necessary but for 
initial development and testing the lite-server is far easier and efficient. At 
one time the tests were also run almost exclusively in-tree (which was faster 
at the time).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274803025

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2017-01-24 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d84edc43e55c2f7c30614a4a5268aeb58e33a087
https://fedorahosted.org/freeipa/changeset/85834abad655c6aed54c0253bc194ece81d78774
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-274794236

[Freeipa-devel] [freeipa PR#359][+pushed] dogtag: search past the first 100 certificates

2017-01-24 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

Label: +pushed

[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

MartinBasti commented:
"""
Rebased, ready to be reviewed 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/393#issuecomment-274790391

[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 7916e9756da15bbeb06256101b8316c5e8dc9f80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 16:54:25 +0100
Subject: [PATCH 01/15] py3: session.py decode server name to str

This fix is temporary because Memcache will be removed soon, so it is
more of a workaround than a fix.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 85deb15..020dcc1 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -828,7 +828,7 @@ def get_server_statistics(self):
 result = {}
 stats = self.mc.get_stats()
 for server in stats:
-match = self.mc_server_stat_name_re.search(server[0])
+match = self.mc_server_stat_name_re.search(server[0].decode())
 if match:
 name = match.group(1)
 result[name] = server[1]
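Review bot: `server[0].decode()` relies on the interpreter's default codec: on Python 3 that is UTF-8, but on Python 2 `str.decode()` with no argument uses the ASCII default encoding, so the same line behaves differently under the two interpreters this code still supports. Pass the codec explicitly (`.decode('utf-8')`, as the rpcserver patch in this series does) so the behaviour is identical on both.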

From be4ab4f89262f33d71b4bf29937deef09e2527e8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:13:52 +0100
Subject: [PATCH 02/15] py3: rpcserver: decode input because json requires
 string

The json library parses strings, so the input must be decoded.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1da4ec4..7f800ac 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -195,7 +195,7 @@ def read_input(environ):
 length = int(environ.get('CONTENT_LENGTH'))
 except (ValueError, TypeError):
 return
-return environ['wsgi.input'].read(length)
+return environ['wsgi.input'].read(length).decode('utf-8')
 
 
 def params_2_args_options(params):
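Review bot: `.decode('utf-8')` means a request body that is not valid UTF-8 now raises `UnicodeDecodeError` out of `read_input`; the `except (ValueError, TypeError)` just above guards only the `CONTENT_LENGTH` parsing, not the read. Either wrap the decode in the same handler (`UnicodeDecodeError` is a `ValueError` subclass) and return None like the bad-length path does, or make sure the caller turns it into a proper JSON-RPC error response instead of an unhandled 500 for any client that sends a malformed body.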

From 11c15490e6ee911d386b94282300a2435b60e822 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:15:49 +0100
Subject: [PATCH 03/15] Py3: Fix undefined variable

Variable 'e' has only local scope in the except block in Py3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 7f800ac..306d085 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -404,7 +404,7 @@ def wsgi_execute(self, environ):
   type(self).__name__,
   principal,
   name,
-  type(e).__name__)
+  type(error).__name__)
 
 version = options.get('version', VERSION_WITHOUT_CAPABILITIES)
 return self.marshal(result, error, _id, version)

From 2a8cd79a2291300d26470af2cd27dd197271a632 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:24:16 +0100
Subject: [PATCH 04/15] py3: session: fix r/w ccache data

ccache contains binary data, so it should be read and written in binary
mode

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 020dcc1..0f3a9ad 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -21,6 +21,7 @@
 import os
 import re
 import time
+import io
 
 # pylint: disable=import-error
 from six.moves.urllib.parse import urlparse
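Review bot: style, `import io` is appended after `import time` in the stdlib import block; keep that block alphabetical (`io` before `os`) so it matches the ordering used in the rest of the file.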
@@ -1228,9 +1229,8 @@ def load_ccache_data(ccache_name):
 scheme, name = krb5_parse_ccache(ccache_name)
 if scheme == 'FILE':
 root_logger.debug('reading ccache data from file "%s"', name)
-src = open(name)
-ccache_data = src.read()
-src.close()
+with io.open(name, "rb") as src:
+ccache_data = src.read()
 return ccache_data
 else:
 raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)
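Review bot: the `with io.open(name, "rb")` rewrite is the right fix for a binary ccache, but the unchanged `raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)` in the trailing context passes the values as extra exception arguments instead of formatting them, so the message is never interpolated; while this function is being touched, change it to `ValueError('ccache scheme "%s" unsupported (%s)' % (scheme, ccache_name))`. The `raise ValueError('ccache scheme "%s" unsupported', scheme)` in `bind_ipa_ccache` below has the same problem.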
@@ -1239,9 +1239,8 @@ def bind_ipa_ccache(ccache_data, scheme='FILE'):
 if scheme == 'FILE':
 name = _get_krbccache_pathname()
 root_logger.debug('storing ccache data into file "%s"', name)
-dst = open(name, 'w')
-dst.write(ccache_data)
-dst.close()
+with io.open(name, 'wb') as dst:
+dst.write(ccache_data)
 else:
 raise ValueError('ccache scheme "%s" unsupported', scheme)
 
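Review bot: `io.open(name, 'wb')` in `bind_ipa_ccache` creates the ccache file with the default mode (0666 masked by the umask), and that file holds Kerberos credentials. Since the line is being rewritten anyway, create it with an explicit owner-only mode, for example `fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with io.open(fd, 'wb') as dst:`, so the permissions do not depend on the caller's umask.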

From 36f849e2c876c6418db99d8cf72b54026d32a18f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 12 Jan 2017 18:50:56 +0100
Subject: [PATCH 05/15] py3: WSGI executioners must return bytes in list

WSGI prints a TypeError into the error log when IPA doesn't return bytes in
a list as the result


[Freeipa-devel] [freeipa PR#382][+pushed] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#382][comment] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

MartinBasti commented:
"""
Fixed upstream
master:
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/382#issuecomment-274790051

[Freeipa-devel] [freeipa PR#382][closed] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/382
Author: MartinBasti
 Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382

[Freeipa-devel] [freeipa PR#382][+ack] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-24 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/382
Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

Label: +ack

[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 79df0fa37b859ff78e38221efc81b7863b00329a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 01/31] py3: create_cert_db: write to file in a compatible way

Py3 expects bytes to be written using os.write. Instead of that, using the
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 
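Review bot: this commit is not bisectable on Python 2: `ipa_generate_password()` still returns a byte `str` until the next commit in the series changes its accumulator to `u''`, and the text-mode `io.open(pwd_file, 'w')` introduced here rejects `str` on Python 2 with `TypeError: must be unicode, not str`. Either squash the `u''` change into this commit or reorder the two. Separately, the old `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` created the NSS password file with mode 0777 masked by the umask and `io.open` now uses 0666 masked; since the file holds the NSS database password, prefer `fd = os.open(pwd_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `with io.open(fd, 'w') as f:` so it is owner-only regardless of the umask.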

From 1ec0ddc6803235a96603cda8b7982856b243bdad Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 10 Jan 2017 13:45:11 +0100
Subject: [PATCH 02/31] py3: service.py: replace mkstemp by NamedTemporaryFile

NamedTemporaryFile can be used in a more pythonic way and the file can be
opened in text mode, which is required with PY3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 7 ---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
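Review bot: `password = u''` changes the return type of `ipa_generate_password()` to unicode on Python 2 as well as 3, which is what the text-mode `io.open` writes in this series need; say so in the commit message, because any Python 2 caller that concatenates the result with a non-ASCII byte string will now hit implicit ASCII decoding.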
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..fbe3f23 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -208,9 +208,10 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 args += ["-H", ldap_uri]
 
 if dm_password:
-[pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
-os.close(pw_fd)
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as pw_file:
+pw_file.write(dm_password)
+pw_name = pw_file.name
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root
 elif os.getegid() != 0:
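Review bot: `NamedTemporaryFile(mode='w', delete=False)` creates the file with 0600 permissions, an improvement for a file holding the Directory Manager password, but with `delete=False` nothing in this hunk removes `pw_name` after ldapmodify runs; make sure the caller unlinks it in a `finally:` (the old `mkstemp` code had the same obligation), otherwise the DM password is left behind in the temp directory. Also, `mode='w'` without `encoding=` relies on the locale codec, which can be ASCII on Python 3 under a C locale; passing `encoding='utf-8'` keeps a non-ASCII `dm_password` from raising UnicodeEncodeError here.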

From 1a171af5e114a7cb20dac3eb83ccd54e9dbe264c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 03/31] py3: open temporary ldif file in text mode

The ldif parser uses the file in text mode, so we have to open it in text
mode in py3

Also, values passed to the parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 5a28026..ceb7bf3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -587,14 +587,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin
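Review bot: the text-mode `NamedTemporaryFile(mode='w', ...)` and the `open(dse_filename, "r")` in context both depend on the locale encoding; ipa-server-install often runs from a minimal environment where that is ASCII on Python 3, so pass `encoding='utf-8'` to both (dse.ldif is ASCII/base64 in practice, but an explicit codec keeps the upgrade path from failing on a stray non-ASCII value). `[b'5']` is consistent with `ModifyLDIF` taking bytes values, but it reads oddly next to a text-mode output stream; a one-line comment explaining why values are bytes while the file is text would help the next reader.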

From 131da939e38bded1ffb991062b7581c7a3b498e7 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:01:29 +0100
Subject: [PATCH 04/31] 

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2017-01-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

tomaskrizek commented:
"""
We examined the WebUI side and it behaves as expected - the size limit is 
respected when viewing certificates.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-274779025

[Freeipa-devel] [freeipa PR#359][+ack] dogtag: search past the first 100 certificates

2017-01-24 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

Label: +ack

[Freeipa-devel] [freeipa PR#336][synchronized] [py3] pki: add missing dependency pki-base[-python3]

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/336
Author: MartinBasti
 Title: #336: [py3] pki: add missing dependency pki-base[-python3]
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336
From c533c75f709a12f60d72493aeca805fc1e8a949d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Dec 2016 12:28:25 +0100
Subject: [PATCH 1/2] [py3]pki: add missing dependency pki-base[-python3]

FreeIPA server modules require the pki module

https://fedorahosted.org/freeipa/ticket/4985
---
 freeipa.spec.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a7e05f3..8e3753a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -173,8 +173,7 @@ BuildRequires:  python3-qrcode-core >= 5.0.0
 BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
-# 10.2.1: crypto.NSSCryptoProvider(password_file)
-BuildRequires:  pki-base-python3 >= 10.2.1
+BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
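Review bot: this hunk drops the `>= 10.2.1` lower bound, and the comment explaining why it existed (`crypto.NSSCryptoProvider(password_file)`), from the python3 pki BuildRequires, while the python2 `Requires` added later in this same patch keeps a `>= 10.3.5-6` bound. If the server code still relies on that API, keep a minimum version on `pki-base-python3` too; an unversioned dependency lets the build succeed against an older pki whose python3 bindings lack it.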
@@ -303,6 +302,7 @@ Requires: dbus-python
 Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
+Requires: pki-base >= 10.3.5-6
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -332,6 +332,7 @@ Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: rpm-libs
+Requires: pki-base-python3
 
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,

From 44a7db234a82437bd4271c48626310b5879dff8d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 15 Dec 2016 17:20:35 +0100
Subject: [PATCH 2/2] pki-base: use pki-base-python2 as dependency

pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.

Source: chei...@redhat.com

https://fedorahosted.org/freeipa/ticket/4985
---
 freeipa.spec.in | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8e3753a..615efe6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -137,8 +137,7 @@ BuildRequires:  python-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python-yubico
 # pki Python package
-# 10.2.1: crypto.NSSCryptoProvider(password_file)
-BuildRequires:  pki-base >= 10.2.1
+BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
@@ -302,7 +301,7 @@ Requires: dbus-python
 Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
-Requires: pki-base >= 10.3.5-6
+Requires: pki-base-python2
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
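Review bot: after this hunk both ipaserver subpackages depend on an unversioned `pki-base-python{2,3}`, so the `>= 10.3.5-6` bound that patch 1/2 introduced two hunks earlier is gone again. If a particular pki release is required for the API the server uses, keep `pki-base-python2 >= <version>` here so the requirement stays documented in the spec rather than only in the commit history.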
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#401][+ack] [4.4] Wait until http principal entry is replicated to replica

2017-01-24 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/401
Title: #401: [4.4] Wait until http principal entry is replicated to replica

Label: +ack

[Freeipa-devel] [freeipa PR#401][comment] [4.4] Wait until http principal entry is replicated to replica

2017-01-24 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/401
Title: #401: [4.4] Wait until http principal entry is replicated to replica

stlaz commented:
"""
Seems to work in the problematic ca-less environment, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/401#issuecomment-274774373

[Freeipa-devel] [freeipa PR#408][comment] ipaldap: properly escape raw binary values in LDAP filters

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/408
Title: #408: ipaldap: properly escape raw binary values in LDAP filters

MartinBasti commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/408#issuecomment-274770016

[Freeipa-devel] [freeipa PR#408][+pushed] ipaldap: properly escape raw binary values in LDAP filters

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/408
Title: #408: ipaldap: properly escape raw binary values in LDAP filters

Label: +pushed

[Freeipa-devel] [freeipa PR#408][+ack] ipaldap: properly escape raw binary values in LDAP filters

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/408
Title: #408: ipaldap: properly escape raw binary values in LDAP filters

Label: +ack

[Freeipa-devel] [freeipa PR#408][comment] ipaldap: properly escape raw binary values in LDAP filters

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/408
Title: #408: ipaldap: properly escape raw binary values in LDAP filters

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/84a9611cb885f04c72cd657c3a3e7bc4aff39d93
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/408#issuecomment-274770296

[Freeipa-devel] [freeipa PR#408][closed] ipaldap: properly escape raw binary values in LDAP filters

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/408
Author: HonzaCholasta
 Title: #408: ipaldap: properly escape raw binary values in LDAP filters
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/408/head:pr408
git checkout pr408

[Freeipa-devel] [freeipa PR#382][synchronized] [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)

2017-01-24 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/382
Author: MartinBasti
 Title: #382: [Py3] ipa-server-install fixes (working NTP, DS, CA install steps)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382

[Freeipa-devel] [freeipa PR#412][opened] Define template version in certmap.conf

2017-01-24 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/412
Author: flo-renaud
 Title: #412: Define template version in certmap.conf
Action: opened

PR body:
"""
A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the
definition of VERSION 2 in certmap.conf.template.

ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.

The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).

The fix also logs an error when a template file is not versioned.

https://fedorahosted.org/freeipa/ticket/6354
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/412/head:pr412
git checkout pr412
From 087a4fde9d25ea3d1a3f6156c9ce6e0c411de0dd Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 23 Jan 2017 18:06:53 +0100
Subject: [PATCH] Define template version in certmap.conf

A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the
definition of VERSION 2 in certmap.conf.template.

ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.

The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).

The fix also logs an error when a template file is not versioned.

https://fedorahosted.org/freeipa/ticket/6354
---
 install/share/certmap.conf.template | 4 
 ipaserver/install/server/upgrade.py | 5 -
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/install/share/certmap.conf.template b/install/share/certmap.conf.template
index d59b095..bf4f4d0 100644
--- a/install/share/certmap.conf.template
+++ b/install/share/certmap.conf.template
@@ -1,3 +1,7 @@
+# VERSION 3 - DO NOT REMOVE THIS LINE
+#
+# This file is managed by IPA and will be overwritten on upgrades.
+#
 #
 # This file configures how a certificate is mapped to an LDAP entry.  See the
 # documentation for more information on this file.
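Review bot: the template goes to `VERSION 3` although the PR body says the definition that was lost was `VERSION 2`; that is presumably deliberate, so that servers whose certmap.conf still carries `VERSION 2` are treated as older and rewritten with the `$ISSUER_DN` form, but the commit message should say so explicitly, otherwise the jump looks like a typo to the next person comparing the two files.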
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 068db21..50b09d5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -156,6 +156,9 @@ def upgrade_file(sub_dict, filename, template, add=False):
 if new < 0:
 root_logger.error("%s not found." % template)
 
+if new == 0:
+root_logger.error("Template %s is not versioned." % template)
+
 if old == 0:
 # The original file does not have a VERSION entry. This means it's now
 # managed by IPA, but previously was not.
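Review bot: the new `if new == 0:` only logs and then falls through, exactly like the `new < 0` case above it, so `upgrade_file` carries on with `new == 0`, and with `old == 0` it reaches the same branch the PR body describes as skipping the backup it announces. An unversioned template is a packaging bug, so raising (or returning early) here is more honest than an error log followed by the same behaviour; at minimum make the two checks an `if`/`elif` chain and use lazy logging (`root_logger.error("Template %s is not versioned.", template)`) rather than `%` formatting inside the call.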
@@ -1562,7 +1565,7 @@ def upgrade_configuration():
 
 subject_base = find_subject_base()
 if subject_base:
-sub_dict['SUBJECT_BASE'] = subject_base
+sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base
 
 ca = cainstance.CAInstance(
 api.env.realm, certs.NSS_DIR, host_name=api.env.host)
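Review bot: `sub_dict['ISSUER_DN'] = 'CN=Certificate Authority,' + subject_base` bakes the default CA subject into the upgrade path, while the template moved to `$ISSUER_DN` precisely so that the issuer is not assumed; on a server whose CA subject does not follow that convention the regenerated certmap.conf would never match and certificate-to-entry mapping would silently stop working after upgrade. Prefer reading the issuer DN from the installed CA certificate (the `cainstance.CAInstance(...)` created just below may be a place to obtain it) and fall back to the hardcoded form only when that is unavailable.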

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

abbra commented:
"""
Thanks for the suggestions. I've updated the configure check to explicitly warn 
when both .free_principal and .free_principal_e_data are missing. DAL version 5 
had .free_principal and we do not support any other DAL versions yet, so this 
should be enough.

I also merged definitions of the kdb_function_table for both DAL versions by 
adding corresponding initializers in the right places wrapped with the 
#ifdef-s. I think it will be better than the current duplication, considering 
we need to support three different API variations.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274754127

[Freeipa-devel] [freeipa PR#410][synchronized] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410
From a6c00131fa4fce1c93954e6f13cf21f45f45a3f4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had a complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing the e_data structure.
See details at krb5/krb5#596

Restructure the KDB driver code to provide this callback in case
we are built against a DAL version that supports it. For DAL versions
prior to 6.0, use this callback in the free_principal callback to
tidy the code.

https://fedorahosted.org/freeipa/ticket/6619
---
 configure.ac | 21 
 daemons/ipa-kdb/ipa_kdb.c| 46 
 daemons/ipa-kdb/ipa_kdb.h|  2 ++
 daemons/ipa-kdb/ipa_kdb_principals.c | 42 ++--
 4 files changed, 62 insertions(+), 49 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6cd3a89..e2f71d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,27 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+	-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for OpenLDAP SDK
 dnl ---
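Review bot: the combined `if test ... -a ...` is dead code: its second variable is spelled `ac_cv_member_kdb_vftable_free_principal_e_data` (`vftable`) while AC_CHECK_MEMBER caches its result as `ac_cv_member_kdb_vftabl_free_principal_e_data` (`vftabl`, matching the struct name used in the `ac_cv_member_kdb_vftabl_free_principal` test right before it), so the comparison is always `"x" = "xno"` and the memory-leak warning can never fire. Fix the spelling, and compare against `yes` with `!=` so an unset or unexpected cache value is not treated as "member present". Also, the `[[#include ]]` argument of both AC_CHECK_MEMBER calls shows no header name in the hunk as rendered here; make sure it actually reads `#include <kdb.h>`.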
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353f..4784d0a 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,10 +625,14 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
-#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 5) || (KRB5_KDB_DAL_MAJOR_VERSION == 6)
 kdb_vftabl kdb_function_table = {
 .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+#ifdef HAVE_KDB_FREEPRINCIPAL_EDATA
+.min_ver = 1,
+#else
 .min_ver = 0,
+#endif
 .init_library = ipadb_init_library,
 .fini_library = ipadb_fini_library,
 .init_module = ipadb_init_module,
@@ -636,7 +640,11 @@ kdb_vftabl kdb_function_table = {
 .create = ipadb_create,
 .get_age = ipadb_get_age,
 .get_principal = ipadb_get_principal,
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+/* The order is important, DAL version 6 removed
+ * the free_principal callback */
 .free_principal = ipadb_free_principal,
+#endif
 .put_principal = ipadb_put_principal,
 .delete_principal = ipadb_delete_principal,
 .iterate = ipadb_iterate,
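Review bot: `#if KRB5_KDB_DAL_MAJOR_VERSION == 5` around `.free_principal` re-derives what configure already determined as `HAVE_KDB_FREEPRINCIPAL`; use that feature macro here, as the previous hunk does with `HAVE_KDB_FREEPRINCIPAL_EDATA`, so a future DAL that brings the member back works without another version special-case. The comment `The order is important` is misleading with designated initializers (the position of `.free_principal = ...` in the list does not matter in C99); say instead that the member does not exist in DAL 6 and the initializer must be compiled out.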
@@ -655,36 +663,12 @@ kdb_vftabl kdb_function_table = {
 .check_transited_realms = ipadb_check_transited_realms,
 .check_policy_as = ipadb_check_policy_as,
 .audit_as_req = ipadb_audit_as_req,
-.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
-};
-
-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6
-kdb_vftabl kdb_function_table = {
-.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
-.min_ver = 0,
-.init_library = ipadb_init_library,
-.fini_library = ipadb_fini_library,
-.init_module = ipadb_init_module,
-.fini_module = ipadb_fini_module,
-.create = ipadb_create,
-.get_age = ipadb_get_age,
-.get_principal = ipadb_get_principal,
-.put_principal = ipadb_put_principal,
-.delete_principal = ipadb_delete_principal,
-.iterate = ipadb_iterate,
-.create_policy = ipadb_create_pwd_policy,
-.get_policy = ipadb_get_pwd_policy,
-.put_policy = ipadb_put_pwd_policy,
-.iter_policy = ipadb_iterate_pwd_policy,
-.delete_policy = ipadb_delete_pwd_policy,
-.fetch_master_key = ipadb_fetch_master_key,
-.store_master_key_list = 
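Review bot: the DAL 5 table's final entry, `.check_allowed_to_delegate = ipadb_check_allowed_to_delegate`, is deleted here together with its `};` and the whole duplicate DAL 6 table, but the tail of the merged table is cut off in this archive copy, so confirm that the entry and the closing brace survive in the unified table and that the merged block still ends in the same `#else`/error handling for unsupported major versions that the old `#if 5 / #elif 6` split had. Collapsing the two near-identical tables into one is otherwise the right fix; it removes the place where the two copies could silently drift apart.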

[Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/353
Title: #353: [RFE] Pwdpolicy

martbab commented:
"""
LGTM, but the PR needs some more love since it breaks CI.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/353#issuecomment-274750406
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

martbab commented:
"""
LGTM, it would be nice if you could temporarily sneak in some breaking commit 
so that we can see what the paste looks like.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-274747924

[Freeipa-devel] [freeipa PR#411][comment] Remove deprecated ipa-upgradeconfig command

2017-01-24 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/411
Title: #411: Remove deprecated ipa-upgradeconfig command

Akasurde commented:
"""
@martbab Thanks for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/411#issuecomment-274746405

[Freeipa-devel] [freeipa PR#406][comment] _resolve_records: fix assert, nameserver_ip can be none

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/406
Title: #406: _resolve_records: fix assert, nameserver_ip can be none

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ccea23138ba6e9b54c08d472341ddbd64ffc45df
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/406#issuecomment-274745599

[Freeipa-devel] [freeipa PR#406][+pushed] _resolve_records: fix assert, nameserver_ip can be none

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/406
Title: #406: _resolve_records: fix assert, nameserver_ip can be none

Label: +pushed

[Freeipa-devel] [freeipa PR#406][closed] _resolve_records: fix assert, nameserver_ip can be none

2017-01-24 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/406
Author: MartinBasti
 Title: #406: _resolve_records: fix assert, nameserver_ip can be none
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/406/head:pr406
git checkout pr406

[Freeipa-devel] [freeipa PR#406][+ack] _resolve_records: fix assert, nameserver_ip can be none

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/406
Title: #406: _resolve_records: fix assert, nameserver_ip can be none

Label: +ack

[Freeipa-devel] [freeipa PR#196][+rejected] ipatests: unresolvable nested netgroups

2017-01-24 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

Label: +rejected

[Freeipa-devel] [freeipa PR#411][closed] Remove deprecated ipa-upgradeconfig command

2017-01-24 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/411
Author: Akasurde
 Title: #411: Remove deprecated ipa-upgradeconfig command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/411/head:pr411
git checkout pr411

[Freeipa-devel] [freeipa PR#411][comment] Remove deprecated ipa-upgradeconfig command

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/411
Title: #411: Remove deprecated ipa-upgradeconfig command

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c56e02b3c5257edbfd3709848ca7eda07e271e38
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/411#issuecomment-274744170

[Freeipa-devel] [freeipa PR#411][+pushed] Remove deprecated ipa-upgradeconfig command

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/411
Title: #411: Remove deprecated ipa-upgradeconfig command

Label: +pushed

[Freeipa-devel] [freeipa PR#411][+ack] Remove deprecated ipa-upgradeconfig command

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/411
Title: #411: Remove deprecated ipa-upgradeconfig command

Label: +ack

[Freeipa-devel] [freeipa PR#410][comment] ipa-kdb: support KDB DAL version 6.1

2017-01-24 Thread sumit-bose
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

sumit-bose commented:
"""
Are there any plans for how to handle 6.0? Should configure at least show a warning 
if KRB5_KDB_DAL_MAJOR_VERSION == 6 but no free e_data callback was found?

Should the .min_ver in the kdb_function_table be set to '1' if there is a free 
e_data callback?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/410#issuecomment-274743181
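The DAL 6.0 versus 6.1 question above comes down to who owns the memory a KDB driver hangs off a principal entry. The following is an added example, not FreeIPA or MIT krb5 code: a self-contained mock in which `mock_vftabl`, `mock_entry`, `mock_get_principal` and `leaked_after_lookups` are stand-ins for `kdb_vftabl`, `krb5_db_entry` and the `ipadb_*` functions (all names assumed for illustration). The KDC side cannot call `free()` on driver-allocated `e_data` because it does not know which allocator the driver used, so without a `free_principal_e_data` callback every lookup leaves one driver block behind; with a 6.1-style callback the driver reclaims it.

```c
/* Added example, not FreeIPA or MIT krb5 code: a self-contained mock of
 * the ownership problem behind the KDB DAL's free_principal (DAL 5) and
 * free_principal_e_data (DAL 6.1) callbacks. The struct and function
 * names are assumed stand-ins for kdb_vftabl and the ipadb_* functions;
 * only the ownership logic is what the example is about. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 256

/* Registry of blocks the mock driver handed out and has not freed.
 * A non-zero count after the KDC is done with a principal is a leak. */
static void *driver_live[MAX_LIVE];
static int driver_live_count = 0;

static void *driver_alloc(size_t n)
{
    if (driver_live_count >= MAX_LIVE)
        return NULL;
    void *p = calloc(1, n);
    if (p)
        driver_live[driver_live_count++] = p;
    return p;
}

static void driver_free(void *p)
{
    for (int i = 0; i < driver_live_count; i++) {
        if (driver_live[i] == p) {
            driver_live[i] = driver_live[--driver_live_count];
            free(p);
            return;
        }
    }
}

/* fini_module analogue: release whatever the KDC never handed back. */
static void driver_fini(void)
{
    while (driver_live_count > 0)
        free(driver_live[--driver_live_count]);
}

/* Principal entry carrying driver-private data (e_data in krb5). */
struct mock_entry {
    const char *name;
    void *e_data;   /* allocated by the driver, opaque to the KDC */
};

/* Mock vtable: DAL 6.0 has no free_principal_e_data, DAL 6.1 does. */
struct mock_vftabl {
    int maj_ver;
    int min_ver;
    void (*free_principal_e_data)(void *e_data);  /* NULL when absent */
};

/* Driver's get_principal: e_data comes from the driver's own allocator. */
static int mock_get_principal(const char *name, struct mock_entry *out)
{
    out->name = name;
    out->e_data = driver_alloc(64);
    return out->e_data ? 0 : -1;
}

/* Driver's DAL 6.1 callback. */
static void mock_free_principal_e_data(void *e_data)
{
    driver_free(e_data);
}

/* KDC side: it must not free() e_data itself, so without a callback
 * the driver's block is simply left behind after each lookup. */
static int kdc_lookup_and_release(const struct mock_vftabl *vt, const char *name)
{
    struct mock_entry ent;
    if (mock_get_principal(name, &ent) != 0)
        return -1;
    /* ... the KDC uses ent here ... */
    if (vt->maj_ver == 6 && vt->min_ver >= 1 && vt->free_principal_e_data)
        vt->free_principal_e_data(ent.e_data);
    return 0;
}

/* Run n lookups against a DAL 6.0 (with_free_cb == 0) or DAL 6.1
 * (with_free_cb != 0) vtable; return how many driver blocks were still
 * live afterwards, or -1 if the driver ran out of registry slots. */
int leaked_after_lookups(int with_free_cb, int n)
{
    struct mock_vftabl vt = {
        .maj_ver = 6,
        .min_ver = with_free_cb ? 1 : 0,
        .free_principal_e_data = with_free_cb ? mock_free_principal_e_data : NULL,
    };
    driver_fini();
    for (int i = 0; i < n; i++) {
        if (kdc_lookup_and_release(&vt, "host/kdc.example.test") != 0) {
            driver_fini();
            return -1;
        }
    }
    int leaked = driver_live_count;
    driver_fini();
    return leaked;
}

int main(void)
{
    printf("DAL 6.0, no callback: %d blocks leaked after 100 lookups\n",
           leaked_after_lookups(0, 100));
    printf("DAL 6.1, callback:    %d blocks leaked after 100 lookups\n",
           leaked_after_lookups(1, 100));
    return 0;
}
```

The registry stands in for whatever accounting a real driver would need at `fini_module` time; the point is that only the side that allocated `e_data` can release it, which is why a driver built against DAL 6.0 has no correct way to avoid the leak and why the configure-time warning in the patch matters.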

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-24 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, replica install still fails for me in the same way as before.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274741477

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-24 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

HonzaCholasta commented:
"""
@LiptonB, I think certificate profiles and CSR generation profiles / templates 
*should* be associated, but not by sharing the same logical `certprofile` 
object, as it creates an unwarranted dependency on Dogtag. Instead CSR 
templates should be represented by their own dedicated objects separate from 
`certprofile` objects, which can contain a reference to the default CSR 
template object. This way it will be possible to extend `cert-request` as you 
described, but it will also be possible to generate a CSR and submit it to an 
external CA, even in CA-less IPA deployment.

As for `userCert`, removing just the dogtag profile but keeping the CSR 
template is exactly what I meant.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-274740750

[Freeipa-devel] [freeipa PR#196][closed] ipatests: unresolvable nested netgroups

2017-01-24 Thread apophys
   URL: https://github.com/freeipa/freeipa/pull/196
Author: apophys
 Title: #196: ipatests: unresolvable nested netgroups
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/196/head:pr196
git checkout pr196

[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

2017-01-24 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

apophys commented:
"""
Yes.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/196#issuecomment-274738684

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-24 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

martbab commented:
"""
@rcritten AFAIK most of us develop plugins locally, then build RPMs which we 
sync to a VM, install IPA server and use ipa-run-tests to test the new plugin. 
I personally used lite-server only once or twice when I started out with my 
contribution.

We had some discussion earlier in which we concluded that lite-server is not 
used anymore and should be removed (this is probably what @pvoborni is 
referring to). If you can provide compelling arguments against this decision 
then we can reconsider. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274738523