[Freeipa-devel] [freeipa PR#404][comment] tests: Add LDAP URI to ldappasswd explicitly

2017-01-25 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/404
Title: #404: tests: Add LDAP URI to ldappasswd explicitly

dkupka commented:
"""
@tiran Nice catch, I've added it to ipaserver/install/service.py, too, but I 
would rather not extend this outside of tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/404#issuecomment-275153569
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
With this last rebase I can install again both ca and ca-less without issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#404][synchronized] tests: Add LDAP URI to ldappasswd explicitly

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/404
Author: dkupka
 Title: #404: tests: Add LDAP URI to ldappasswd explicitly
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/404/head:pr404
git checkout pr404
From d530c8ba1c86dc7e33fad04ad20c03617dd2fce9 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitly

Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/test_integration/util.py | 3 ++-
 ipatests/util.py  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py
index 179f672..181e675 100644
--- a/ipatests/test_integration/util.py
+++ b/ipatests/test_integration/util.py
@@ -21,6 +21,7 @@
 import re
 
 from ipaplatform.paths import paths
+from ipalib import api
 from ipalib.constants import DEFAULT_CONFIG
 
 def run_repeatedly(host, command, assert_zero_rc=True, test=None,
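Review bot: `api.env.ldap_uri` is a derived value that only exists after `api.bootstrap()`/`api.finalize()` has run; importing the global `api` object into the integration helpers therefore makes `ldappasswd_user_change` depend on the test harness having bootstrapped the api first, otherwise the attribute lookup raises AttributeError. Please confirm the integration conftest does that, or bootstrap lazily inside the helper.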
@@ -86,5 +87,5 @@ def ldappasswd_user_change(user, oldpw, newpw, master):
 userdn = "uid={},{},{}".format(user, container_user, basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 master.run_command(args)
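Review bot: `api.env.ldap_uri` is taken from the api instance of the process running the test, but the command is executed on `master` via `master.run_command`. In a multi-host integration run those are different machines, so the URI may name the controller rather than the master, or be an `ldapi://` socket path that does not exist on the remote host. Derive the URI from the `master` host object (its hostname, ideally as `ldaps://`) instead of the local environment.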
diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 
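Review bot: `-x` makes this a simple bind, so `oldpw` travels in the clear unless the pinned URI is `ldapi://` or `ldaps://`; with a plain `ldap://host` URI both the old and the new password would now be sent over the wire. Making the URI explicit is the right move, but consider asserting the scheme in the helper or adding `-Z` when it is `ldap://`. Separately, `-w`, `-a` and `-s` expose both passwords to every local user via the process list; `ldappasswd` accepts `-y`, `-t` and `-T` to read them from files, which is cheap to do even in a test helper.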
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#404][synchronized] tests: Add LDAP URI to ldappasswd explicitly

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/404
Author: dkupka
 Title: #404: tests: Add LDAP URI to ldappasswd explicitly
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/404/head:pr404
git checkout pr404
From ed601611bb132ce399548051257cb7185ad237e5 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH] tests: Add LDAP URI to ldappasswd explicitly

Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/test_integration/util.py | 2 +-
 ipatests/util.py  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py
index 179f672..ea5c820 100644
--- a/ipatests/test_integration/util.py
+++ b/ipatests/test_integration/util.py
@@ -86,5 +86,5 @@ def ldappasswd_user_change(user, oldpw, newpw, master):
 userdn = "uid={},{},{}".format(user, container_user, basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 master.run_command(args)
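Review bot: this revision drops the `from ipalib import api` import that d530c8b added to `ipatests/test_integration/util.py`, yet the hunk still references `api.env.ldap_uri`. Unless the module already imports `api` (the context shown in the earlier revision only has `paths` and `DEFAULT_CONFIG`), this is a NameError the first time the helper runs; pyflakes/pylint should flag it. If the goal was to stop depending on the local api here, take the URI from the `master` host object instead.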
diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From 29767acc613c28711db5383c5a3b266f69316188 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
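Review bot: `enable()` and `disable()` run the command and check its result but never update the tracker's expected state, whereas `create()` calls `self.track_create()` before issuing the command. After `tracker.disable()` a later `retrieve()`/`check_retrieve` still compares against the pre-disable attributes, so the test either fails spuriously or silently checks the wrong state. Add `track_enable`/`track_disable` hooks (or update the expected attrs inside `check_enable`/`check_disable`) so the tracker mirrors the entry.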

From 7cf43ea8033694b9c20625cb3015c2cb8755fef2 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 
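Review bot: `certmaprule_optional_params` lists `'ipaassociateddomain'`, but both parameter dictionaries above use `associateddomain` (as does the certmap ACI in the server patch). Whatever loop consumes this tuple will look up a key that is never set, so the associateddomain case is not actually exercised; align the name. Minor: `'changed arbitrary maching rule'` should read "matching".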

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/4] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 184 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  17 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   9 +
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 +-
 ipaserver/plugins/certmap.py   | 357 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 843 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: 

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-25 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tomaskrizek commented:
"""
**ACK** for z-stream with the patched PKI.

Waiting for the PKI release and bump of `Requires` to ack and merge upstream.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-275066963
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-25 Thread Tomas Krizek
On 01/25/2017 12:46 PM, Tomas Krizek wrote:
> On 01/13/2017 05:44 PM, Petr Vobornik wrote:
>> On 01/13/2017 03:49 PM, Rob Crittenden wrote:
>>> Tomas Krizek wrote:
>>>> On 01/12/2017 04:17 PM, Rob Crittenden wrote:
>>>>> Tomas Krizek wrote:
>>>>>> On 12/19/2016 04:41 PM, Standa Laznicka wrote:
>>>>>>> On 12/19/2016 03:07 PM, John Dennis wrote:
>>>>>>>> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
>>>>>>>>> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>>>>>>>>>> Standa Laznicka wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>>>>>>>>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>>>>>>>>>
>>>>>>>>>>> Tomáš and I are still investigating which of all the things will need to
>>>>>>>>>>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
>>>>>>>>>>> to install and run a patched FreeIPA server and client and connect them
>>>>>>>>>>> together.
>>>>>>>>>>>
>>>>>>>>>>> There are some issues with NSS when trying to create an HTTPS request
>>>>>>>>>>> (apparently, NSS requires an NSS database password to set up an SSL
>>>>>>>>>>> connection). I am actually thinking of removing NSSConnection from the
>>>>>>>>>>> client altogether.
>>>>>>>>>> Can you expand on this a bit? NSS should only need a pin when it needs
>>>>>>>>>> access to a private key. What connection(s) are you talking about, and
>>>>>>>>>> what would you replace NSSConnection with?
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>> Hello Rob,
>>>>>>>>>
>>>>>>>>> Thank you for this excellent question; in order to cut the email short I
>>>>>>>>> seem to have omitted quite a bit of information.
>>>>>>>>>
>>>>>>>>> One of the very first problems I had with FreeIPA with FIPS was that NSS
>>>>>>>>> was always asking for a password/pin. I was discussing this with the NSS
>>>>>>>>> guys on their IRC chat last week and it turns out that NSS tries to
>>>>>>>>> create a private key every time you want to use it as a backend for an
>>>>>>>>> SSL connection on FIPS. I still don't think this is quite right so I may
>>>>>>>>> open a bugzilla for that.
>>>>>>>> I don't understand, I thought the case you were having problems with
>>>>>>>> was the FreeIPA client, not the server. I assume when you use the
>>>>>>>> term "backend" you mean server, and yes when NSS is in server mode it
>>>>>>>> will access keys. So isn't the problem that NSS is not being
>>>>>>>> initialized correctly so that it recognizes it is in client mode and
>>>>>>>> not server mode?
>>>>>>>>
>>>>>>> What I meant was "a client backend for an SSL connection" - we're
>>>>>>> using the NSS implementation of SSL (via python-nss) for HTTPS connections
>>>>>>> from client to server during which we're getting a CA cert from an NSS
>>>>>>> database but this eventually leads to a password prompt.
>>>>>>>>> Anyway, the guys suggested to me that we could try to create the database
>>>>>>>>> with an empty password and everything will work. I don't quite like
>>>>>>>>> that either, but it's at least something if you don't want the `ipa`
>>>>>>>>> command to always bug you for a password you have no way of knowing if
>>>>>>>>> you're just a regular user.
>>>>>>>>>
>>>>>>>>> What I think would be a better way to go is to use
>>>>>>>>> httplib.HTTPSConnection. We have the needed certificates in
>>>>>>>>> /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion
>>>>>>>>> with Honza this morning and it seems that with this approach we may get
>>>>>>>>> rid of the NSSConnection class altogether (although I still need to
>>>>>>>>> check a few spots) and start the process of moving away from NSS which
>>>>>>>>> was discussed some year ago in an internal mailing list (for some
>>>>>>>>> reason).
>>>>>>>>>
>>>>>>>>> Will be happy to hear thoughts on this,
>>>>>>>>> Standa
>>>>>>>> I'm not a big fan of NSS, it has its issues. As the author of the
>>>>>>>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>>>>>>>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>>>>>>>> has its own issues too. If you remove NSS you're also removing the
>>>>>>>> option to support smart cards, HSMs etc. Perhaps before removing
>>>>>>>> functionality it would be good to assess what the requirements are.
>>>>>>>>
>>>>>>> I'm sorry I generalized too much, the original topic was moving away
>>>>>>> from python-nss (of which I am even more sorry as you're the author).
>>>>>>>
>>>>>> We could use some ideas on how to handle replica installations in FIPS.
>>>>>>
>>>>>> We might use some flag in LDAP to indicate that a topology is
>>>>>> FIPS-enabled. It seems like a good idea to force all servers in a
>>>>>> FIPS-enabled topology to also be FIPS-enabled. At the start of replica
>>>>>> installation, a check could be performed to verify the FIPS topology
>>>>>> status is the same as the current system's FIPS 

[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1

2017-01-25 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 7916e9756da15bbeb06256101b8316c5e8dc9f80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 16:54:25 +0100
Subject: [PATCH 01/15] py3: session.py decode server name to str

This fix is temporary because Memcache will be removed soon, so it is
more a workaround than a fix

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 85deb15..020dcc1 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -828,7 +828,7 @@ def get_server_statistics(self):
 result = {}
 stats = self.mc.get_stats()
 for server in stats:
-match = self.mc_server_stat_name_re.search(server[0])
+match = self.mc_server_stat_name_re.search(server[0].decode())
 if match:
 name = match.group(1)
 result[name] = server[1]

From be4ab4f89262f33d71b4bf29937deef09e2527e8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:13:52 +0100
Subject: [PATCH 02/15] py3: rpcserver: decode input because json requires
 string

The json library parses strings, so the input must be decoded

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1da4ec4..7f800ac 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -195,7 +195,7 @@ def read_input(environ):
 length = int(environ.get('CONTENT_LENGTH'))
 except (ValueError, TypeError):
 return
-return environ['wsgi.input'].read(length)
+return environ['wsgi.input'].read(length).decode('utf-8')
 
 
 def params_2_args_options(params):
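Review bot: decoding the body here affects every executioner that goes through `read_input`, not only the JSON one, so please verify the XML-RPC unmarshalling path is happy with `str`. More importantly the body is attacker-controlled: a request whose body is not valid UTF-8 now raises `UnicodeDecodeError` inside `read_input`, before the error marshalling in `wsgi_execute` gets a chance to run, which is likely to surface as an unhandled exception (500 plus a traceback in the error log) rather than the clean JSON error a malformed request would otherwise produce. Catch the decode error and return the same bad-request response as a JSON parse failure, or move the decode next to the parse step where the exception is already handled.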

From 11c15490e6ee911d386b94282300a2435b60e822 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:15:49 +0100
Subject: [PATCH 03/15] Py3: Fix undefined variable

Variable 'e' has only local scope in except block in Py3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 7f800ac..306d085 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -404,7 +404,7 @@ def wsgi_execute(self, environ):
   type(self).__name__,
   principal,
   name,
-  type(e).__name__)
+  type(error).__name__)
 
 version = options.get('version', VERSION_WITHOUT_CAPABILITIES)
 return self.marshal(result, error, _id, version)

From 2a8cd79a2291300d26470af2cd27dd197271a632 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:24:16 +0100
Subject: [PATCH 04/15] py3: session: fix r/w ccache data

ccache contains binary data, so it should be read and written in binary
mode

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 020dcc1..0f3a9ad 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -21,6 +21,7 @@
 import os
 import re
 import time
+import io
 
 # pylint: disable=import-error
 from six.moves.urllib.parse import urlparse
@@ -1228,9 +1229,8 @@ def load_ccache_data(ccache_name):
 scheme, name = krb5_parse_ccache(ccache_name)
 if scheme == 'FILE':
 root_logger.debug('reading ccache data from file "%s"', name)
-src = open(name)
-ccache_data = src.read()
-src.close()
+with io.open(name, "rb") as src:
+ccache_data = src.read()
 return ccache_data
 else:
 raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)
@@ -1239,9 +1239,8 @@ def bind_ipa_ccache(ccache_data, scheme='FILE'):
 if scheme == 'FILE':
 name = _get_krbccache_pathname()
 root_logger.debug('storing ccache data into file "%s"', name)
-dst = open(name, 'w')
-dst.write(ccache_data)
-dst.close()
+with io.open(name, 'wb') as dst:
+dst.write(ccache_data)
 else:
 raise ValueError('ccache scheme "%s" unsupported', scheme)
 
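Review bot: `io.open(name, 'wb')` creates the ccache file with whatever the process umask allows, and what is written is a Kerberos credential cache. If `_get_krbccache_pathname()` can point into a directory other users can list, create the file with `os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrap the descriptor in `io.open(fd, 'wb')` so it is never readable by others, even briefly. Binary mode itself is the right fix; just also check that the callers of `load_ccache_data` now store and compare `bytes`, since the value type kept in the session store changes from text to bytes.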

From 36f849e2c876c6418db99d8cf72b54026d32a18f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 12 Jan 2017 18:50:56 +0100
Subject: [PATCH 05/15] py3: WSGI executioners must return bytes in list

WSGI prints a TypeError into the error log when IPA doesn't return bytes in
a list as the result


[Freeipa-devel] [freeipa PR#413][synchronized] Complete stageuser API

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413
From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitly

Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
 
 

From b7c90dfdabfc6229cbe6d33efe326bcca5873958 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 18 Jan 2017 13:24:29 +0100
Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert

Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt| 24 
 ipaserver/plugins/baseuser.py  | 36 +++-
 ipaserver/plugins/stageuser.py | 14 ++
 ipaserver/plugins/user.py  | 42 +-
 4 files changed, 78 insertions(+), 38 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..182daa8 100644
--- a/API.txt
+++ b/API.txt
@@ -4751,6 +4751,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: stageuser_add_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[, ])
+output: PrimaryKey('value')
 command: stageuser_add_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -4882,6 +4893,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: stageuser_remove_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[, ])
+output: PrimaryKey('value')
 command: stageuser_remove_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6661,10 +6683,12 @@ default: sidgen_was_run/1
 default: stageuser/1
 default: stageuser_activate/1
 default: stageuser_add/1
+default: stageuser_add_cert/1
 default: stageuser_add_manager/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
+default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
 default: stageuser_show/1
 default: sudocmd/1
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 85ad417..75cf7d8 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@
 from .baseldap import (
 DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
 LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
-LDAPRemoveMember)
+LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption)
 from ipaserver.plugins.service import (
validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
@@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
 return dn
+
+
+class baseuser_add_cert(LDAPAddAttributeViaOption):
+attribute = 'usercertificate'
+
+def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+ **options):
+self.obj.convert_usercertificate_pre(entry_attrs)
+
+return dn
+
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+assert isinstance(dn, DN)
+
+self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+return dn
+
+
+class 
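Review bot: `pre_callback` only runs `convert_usercertificate_pre`, which normalises the encoding; `validate_certificate` is imported from the service plugin in the context above but is not applied here, so the certificate is only checked if the `usercertificate` parameter on the object already carries that validator. Please confirm it does, since this path is now reachable for stage users via `stageuser-add-cert`, and also confirm that the permission gating `stageuser-add-cert` is the one you intend (moving the command to `baseuser` makes it available on a container with different ACIs than active users). Minor: `post_callback` asserts `isinstance(dn, DN)` while `pre_callback` does not; keep both or drop both.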

[Freeipa-devel] [freeipa PR#347][+pushed] Improvements in {get|set}_directive functions

2017-01-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

2017-01-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e1ed8b5eff40331ba532d37f3fb08814d8a55b77
https://fedorahosted.org/freeipa/changeset/517d43e78b8d8ea0b796a6ff6a379236eaae21df
https://fedorahosted.org/freeipa/changeset/2831b30e9a9de947481c058d8d32e174f951b1c0
https://fedorahosted.org/freeipa/changeset/86f4a93fb3aeb6742acab5abaa1c17b525ea4223
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-275115080
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#347][closed] Improvements in {get|set}_directive functions

2017-01-25 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
 Title: #347: Improvements in {get|set}_directive functions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#353][comment] [RFE] Pwdpolicy

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/353
Title: #353: [RFE] Pwdpolicy

simo5 commented:
"""
I found two subtle bugs that cause the install failure, with the rebased 
patches install completes correctly for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/353#issuecomment-275106444

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, reproduced. It is not clear to me how yet, but at some point ca.crt gets 
zeroed out and that's why the ldap command fails; investigating.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642

[Freeipa-devel] [freeipa PR#353][synchronized] [RFE] Pwdpolicy

2017-01-25 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/353
Author: simo5
 Title: #353: [RFE] Pwdpolicy
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/353/head:pr353
git checkout pr353
From a7213592a0b643a63dbdc8bff5bae08f30448b7b Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 16 Dec 2016 07:12:45 -0500
Subject: [PATCH 1/2] Add code to retrieve results from multiple bases

Internally performs multiple searches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce 
---
 daemons/ipa-kdb/ipa_kdb.h|  10 
 daemons/ipa-kdb/ipa_kdb_common.c | 103 +++
 2 files changed, 113 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409..e1f46c6 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -174,6 +174,16 @@ int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
 int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
  LDAPDerefRes **results);
 
+struct ipadb_multires;
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r);
+void ipadb_multires_free(struct ipadb_multires *r);
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r);
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any);
+
 /* PRINCIPALS FUNCTIONS */
 krb5_error_code ipadb_get_principal(krb5_context kcontext,
 krb5_const_principal search_for,
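Review bot: the new declarations carry no comment on ownership or on the meaning of the `any` flag; add a short comment above `ipadb_multibase_search` stating that on success `*res` must be released with `ipadb_multires_free`, that `ipadb_multires_next_entry` iterates over the entries of all collected result messages, and that `any` stops searching after the first base that yields entries (as the `if (any) break;` in ipa_kdb_common.c does).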
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 7438f35..5995efe 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -610,3 +610,106 @@ int ipadb_ldap_deref_results(LDAP *lcontext, LDAPMessage *le,
 ldap_controls_free(ctrls);
 return ret;
 }
+
+struct ipadb_multires {
+LDAP *lcontext;
+LDAPMessage **res;
+LDAPMessage *next;
+ssize_t cursor;
+ssize_t count;
+};
+
+krb5_error_code ipadb_multires_init(LDAP *lcontext, struct ipadb_multires **r)
+{
+*r = malloc(sizeof(struct ipadb_multires));
+if (!*r) return ENOMEM;
+(*r)->lcontext = lcontext;
+(*r)->res = NULL;
+(*r)->next = NULL;
+(*r)->cursor = -1;
+(*r)->count = 0;
+
+return 0;
+}
+
+void ipadb_multires_free(struct ipadb_multires *r)
+{
+for (int i = 0; i < r->count; i++) {
+ldap_msgfree(r->res[i]);
+}
+free(r);
+}
+
+LDAPMessage *ipadb_multires_next_entry(struct ipadb_multires *r)
+{
+if (r->count == 0) return NULL;
+
+if (r->next) {
+r->next = ldap_next_entry(r->lcontext, r->next);
+}
+if (r->next == NULL) {
+if (r->cursor >= r->count - 1) {
+return NULL;
+}
+r->cursor++;
+r->next = ldap_first_entry(r->lcontext, r->res[r->cursor]);
+}
+
+return r->next;
+}
+
+krb5_error_code ipadb_multibase_search(struct ipadb_context *ipactx,
+   char **basedns, int scope,
+   char *filter, char **attrs,
+   struct ipadb_multires **res,
+   bool any)
+{
+int ret;
+
+ret = ipadb_multires_init(ipactx->lcontext, res);
+if (ret != 0) return ret;
+
+ret = ipadb_check_connection(ipactx);
+if (ret != 0)
+return ipadb_simple_ldap_to_kerr(ret);
+
+for (int b = 0; basedns[b]; b++) {
+LDAPMessage *r;
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+_timeout, LDAP_NO_LIMIT, );
+
+/* first test if we need to retry to connect */
+if (ret != 0 &&
+ipadb_need_retry(ipactx, ret)) {
+ldap_msgfree(r);
+ret = ldap_search_ext_s(ipactx->lcontext, basedns[b], scope,
+filter, attrs, 0, NULL, NULL,
+_timeout, LDAP_NO_LIMIT, );
+}
+
+if (ret != 0) break;
+
+if (ldap_count_entries(ipactx->lcontext, r) > 0) {
+void *tmp = realloc((*res)->res, (((*res)->count + 1) *
+sizeof(LDAPMessage *)));
+if (tmp == NULL) {
+ret = ENOMEM;
+break;
+}
+(*res)->res = tmp;
+(*res)->res[(*res)->count] = r;
+(*res)->count++;
+
+if (any) break;
+}
+}
+
+if (ret != 0) {
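Review bot: `ipadb_multires_free` releases each message in `r->res` but never frees the `r->res` array itself, which `ipadb_multibase_search` grows with `realloc`; add `free(r->res);` before `free(r)`. In the same hunk the search result `r` is leaked when `ldap_count_entries` returns 0 and when the `realloc` fails (only the retry path calls `ldap_msgfree`), and `*res` is leaked when `ipadb_check_connection` fails, because `ipadb_multires_init` has already allocated it; either move the init after the connection check or free `*res` on that return. If `ipadb_check_connection` or the retry path reconnects and replaces `ipactx->lcontext`, the handle copied into `(*res)->lcontext` at init time becomes stale, so capturing `ipactx->lcontext` after the connection is known to be good would be safer. Finally, `LDAPMessage *r;` is uninitialised before the first `ldap_search_ext_s`; initialising it to NULL keeps the `ldap_msgfree(r)` in the retry branch safe if the failed call did not set it.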
+  

[Freeipa-devel] [freeipa PR#347][synchronized] Improvements in {get|set}_directive functions

2017-01-25 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
 Title: #347: Improvements in {get|set}_directive functions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
From 245fbdca0a1cc4223e9fc204abc86710502a693c Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 16 Dec 2016 12:14:20 +0100
Subject: [PATCH 1/4] Fix the installutils.set_directive docstring

Add missing parameter descriptions and fix incorrect indentation

https://fedorahosted.org/freeipa/ticket/6460
---
 ipaserver/install/installutils.py | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 0d8a574..7f96eb2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -388,11 +388,14 @@ def set_directive(filename, directive, value, quotes=True, separator=' ',
 
 This has only been tested with nss.conf
 
-   :param directive: directive name
-   :param value: value of the directive
-   :param quotes: whether to quote `value` in `quote_char`. If true, then
-the `quote_char` are first escaped to avoid unparseable directives
-   :param quote_char: the character used for quoting `value`
+:param filename: input filename
+:param directive: directive name
+:param value: value of the directive
+:param quotes: whether to quote `value` in `quote_char`. If true, then
+the `quote_char` are first escaped to avoid unparseable directives.
+:param separator: character serving as separator between directive and
+value
+:param quote_char: the character used for quoting `value`
 """
 
 def format_directive(directive, value, separator, quotes, quote_char):
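Review bot: small grammar point in the rewritten docstring: "the `quote_char` are first escaped" should read "is first escaped", and the new `separator` entry could state its default (`' '`, visible in the signature) so callers editing nss.conf know what is used when they omit it.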

From 66284ffef287addaf85d8bd45ba1f30e72b5965b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 16 Dec 2016 13:34:57 +0100
Subject: [PATCH 2/4] installutils: improve directive value parsing in
 `get_directive`

`get_directive` value parsing was improved in order to bring its logic
more in-line to changes in `set_directive`: a specified quoting
character is now unquoted and stripped from the retrieved value. The
function will now also error out when a malformed directive is
encountered.

https://fedorahosted.org/freeipa/ticket/6460
---
 ipaserver/install/installutils.py | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 7f96eb2..4f93372 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -436,16 +436,31 @@ def format_directive(directive, value, separator, quotes, quote_char):
 fd.close()
 os.chown(filename, st.st_uid, st.st_gid) # reset perms
 
+
 def get_directive(filename, directive, separator=' '):
 """
 A rather inefficient way to get a configuration directive.
+
+:param filename: input filename
+:param directive: directive name
+:param separator: separator between directive and value
+:param quote_char: the characters that are used in this particular config
+file to quote values. This character will be stripped and unescaped
+from the raw value.
+
+:returns: The (unquoted) value if the directive was found, None otherwise
 """
 fd = open(filename, "r")
 for line in fd:
 if line.lstrip().startswith(directive):
 line = line.strip()
-result = line.split(separator, 1)[1]
-result = result.strip('"')
+
+(directive, sep, value) = line.partition(separator)
+if not sep or not value:
+raise ValueError("Malformed directive: {}".format(line))
+
+result = value.strip().strip(quote_char)
+result = ipautil.unescape_seq(quote_char, result)[0]
 result = result.strip(' ')
 fd.close()
 return result
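Review bot: `quote_char` is used in the body (`value.strip().strip(quote_char)` and `ipautil.unescape_seq(quote_char, result)`) and documented in the docstring, but the signature is still `def get_directive(filename, directive, separator=' '):`, so the function raises `NameError` as soon as a matching line is found; add `quote_char='"'` to the signature to keep the previous behaviour of stripping double quotes. Also, `(directive, sep, value) = line.partition(separator)` rebinds the `directive` parameter inside the loop; a different name avoids confusion if the loop is later changed not to return on the first match. The `startswith(directive)` test is pre-existing, but it matches any directive whose name merely begins with the requested one; checking that the text after the name is the separator would avoid returning a different directive's value.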

From 6b62a01843f9f01be1ae09e6880e384e50700f06 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 10 Jan 2017 17:15:33 +0100
Subject: [PATCH 3/4] Delegate directive value quoting/unquoting to separate
 functions

Separate functions were added to installutils module to quote/unquote a
string in arbitrary characters.

`installutils.get/set_directive` functions will use them to enclose
the directive values in double quotes/strip the double quotes from
retrieved values to maintain the original behavior.

These functions can be used also for custom quoting/unquoting of
retrieved values when desired.

https://fedorahosted.org/freeipa/ticket/6460
---
 ipaserver/install/installutils.py | 70 ---
 1 file changed, 43 insertions(+), 27 deletions(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 

[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

2017-01-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

martbab commented:
"""
Thanks, let's hope that all this code will be replaced by some proper 
configuration parsing mechanism in the future.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-275099477

[Freeipa-devel] [freeipa PR#413][synchronized] Complete stageuser API

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413
From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitly

Tests should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
 user, api.env.container_user, api.env.basedn)
 
 args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-'-s', newpw, '-x']
+'-s', newpw, '-x', '-H', api.env.ldap_uri]
 return run(args)
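Review bot: passing `-H api.env.ldap_uri` makes the helper follow the configured server, but with `-x` the bind is a plain simple bind, so if `api.env.ldap_uri` is an `ldap://` URI the old password travels in clear text unless TLS is negotiated; consider adding `-ZZ` for `ldap://` URIs or asserting that the scheme is `ldapi://` or `ldaps://`. The `-w`, `-a` and `-s` arguments also place both passwords on the command line, where other local users can read them from the process list; ldappasswd accepts `-y`, `-t` and `-T` to read them from files instead.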
 
 

From edb52e84f3d1c59d7057855de50f795755ce9a44 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 18 Jan 2017 13:24:29 +0100
Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert

Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt| 24 
 ipaserver/plugins/baseuser.py  | 36 +++-
 ipaserver/plugins/stageuser.py | 14 ++
 ipaserver/plugins/user.py  | 38 --
 4 files changed, 77 insertions(+), 35 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..182daa8 100644
--- a/API.txt
+++ b/API.txt
@@ -4751,6 +4751,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: stageuser_add_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[, ])
+output: PrimaryKey('value')
 command: stageuser_add_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -4882,6 +4893,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: stageuser_remove_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[, ])
+output: PrimaryKey('value')
 command: stageuser_remove_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6661,10 +6683,12 @@ default: sidgen_was_run/1
 default: stageuser/1
 default: stageuser_activate/1
 default: stageuser_add/1
+default: stageuser_add_cert/1
 default: stageuser_add_manager/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
+default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
 default: stageuser_show/1
 default: sudocmd/1
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 85ad417..75cf7d8 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@
 from .baseldap import (
 DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
 LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
-LDAPRemoveMember)
+LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption)
 from ipaserver.plugins.service import (
validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
@@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
 return dn
+
+
+class baseuser_add_cert(LDAPAddAttributeViaOption):
+attribute = 'usercertificate'
+
+def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+ **options):
+self.obj.convert_usercertificate_pre(entry_attrs)
+
+return dn
+
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+assert isinstance(dn, DN)
+
+self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+return dn
+
+
+class 

[Freeipa-devel] [freeipa PR#401][closed] [4.4] Wait until http principal entry is replicated to replica

2017-01-25 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/401
Author: MartinBasti
 Title: #401: [4.4] Wait until http principal entry is replicated to replica
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/401/head:pr401
git checkout pr401

[Freeipa-devel] [freeipa PR#401][comment] [4.4] Wait until http principal entry is replicated to replica

2017-01-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/401
Title: #401: [4.4] Wait until http principal entry is replicated to replica

martbab commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/3d0a0728766aed7245427b9eaf210e31fd40e440
https://fedorahosted.org/freeipa/changeset/5bddcdb47b40baeae7379e00e8d87297ed3f1cd4
https://fedorahosted.org/freeipa/changeset/74020d07dbf14202f696a0c8521829abc735d4c7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/401#issuecomment-275098857

[Freeipa-devel] [freeipa PR#401][+pushed] [4.4] Wait until http principal entry is replicated to replica

2017-01-25 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/401
Title: #401: [4.4] Wait until http principal entry is replicated to replica

Label: +pushed

[Freeipa-devel] [freeipa PR#393][synchronized] [Py3] allow to run wsgi - part1

2017-01-25 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/393
Author: MartinBasti
 Title: #393: [Py3] allow to run wsgi - part1
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/393/head:pr393
git checkout pr393
From 7916e9756da15bbeb06256101b8316c5e8dc9f80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 16:54:25 +0100
Subject: [PATCH 01/15] py3: session.py decode server name to str

This fix is temporary because Memcache will be removed soon, so it is
more a workaround than a fix

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 85deb15..020dcc1 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -828,7 +828,7 @@ def get_server_statistics(self):
 result = {}
 stats = self.mc.get_stats()
 for server in stats:
-match = self.mc_server_stat_name_re.search(server[0])
+match = self.mc_server_stat_name_re.search(server[0].decode())
 if match:
 name = match.group(1)
 result[name] = server[1]
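Review bot: `server[0].decode()` relies on the default encoding; the companion change in rpcserver.py uses `.decode('utf-8')` explicitly, so use the same here for consistency. On Python 2 `str.decode()` yields `unicode`, which `re.search` accepts, so the line stays py2-safe.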

From be4ab4f89262f33d71b4bf29937deef09e2527e8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:13:52 +0100
Subject: [PATCH 02/15] py3: rpcserver: decode input because json requires
 string

The json library parses strings, so the input must be decoded

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1da4ec4..7f800ac 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -195,7 +195,7 @@ def read_input(environ):
 length = int(environ.get('CONTENT_LENGTH'))
 except (ValueError, TypeError):
 return
-return environ['wsgi.input'].read(length)
+return environ['wsgi.input'].read(length).decode('utf-8')
 
 
 def params_2_args_options(params):
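Review bot: `.decode('utf-8')` on the raw body means a request whose body is not valid UTF-8 now raises `UnicodeDecodeError` out of `read_input` instead of being reported as malformed input, so the caller should catch it and return the same JSON error it returns for unparsable requests. `UnicodeDecodeError` is a subclass of `ValueError`, so if the bare `return` above is the intended response for bad input, the `.read(length).decode('utf-8')` can simply move inside the existing `try` block.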

From 11c15490e6ee911d386b94282300a2435b60e822 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:15:49 +0100
Subject: [PATCH 03/15] Py3: Fix undefined variable

Variable 'e' has only local scope in except block in Py3

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/rpcserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 7f800ac..306d085 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -404,7 +404,7 @@ def wsgi_execute(self, environ):
   type(self).__name__,
   principal,
   name,
-  type(e).__name__)
+  type(error).__name__)
 
 version = options.get('version', VERSION_WITHOUT_CAPABILITIES)
 return self.marshal(result, error, _id, version)

From 2a8cd79a2291300d26470af2cd27dd197271a632 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Jan 2017 17:24:16 +0100
Subject: [PATCH 04/15] py3: session: fix r/w ccache data

ccache contains binary data, so it should be read and written in binary
mode

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/session.py | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/ipaserver/session.py b/ipaserver/session.py
index 020dcc1..0f3a9ad 100644
--- a/ipaserver/session.py
+++ b/ipaserver/session.py
@@ -21,6 +21,7 @@
 import os
 import re
 import time
+import io
 
 # pylint: disable=import-error
 from six.moves.urllib.parse import urlparse
@@ -1228,9 +1229,8 @@ def load_ccache_data(ccache_name):
 scheme, name = krb5_parse_ccache(ccache_name)
 if scheme == 'FILE':
 root_logger.debug('reading ccache data from file "%s"', name)
-src = open(name)
-ccache_data = src.read()
-src.close()
+with io.open(name, "rb") as src:
+ccache_data = src.read()
 return ccache_data
 else:
 raise ValueError('ccache scheme "%s" unsupported (%s)', scheme, ccache_name)
@@ -1239,9 +1239,8 @@ def bind_ipa_ccache(ccache_data, scheme='FILE'):
 if scheme == 'FILE':
 name = _get_krbccache_pathname()
 root_logger.debug('storing ccache data into file "%s"', name)
-dst = open(name, 'w')
-dst.write(ccache_data)
-dst.close()
+with io.open(name, 'wb') as dst:
+dst.write(ccache_data)
 else:
 raise ValueError('ccache scheme "%s" unsupported', scheme)
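Review bot: `io.open(name, 'wb')` creates the ccache file subject to the process umask, and what is written is Kerberos credentials; creating it with `os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `os.fdopen(fd, 'wb')` would keep it owner-readable only (the permissions issue is pre-existing, but this hunk is the natural place to fix it). The `ValueError('ccache scheme "%s" unsupported', scheme)` calls in both hunks pass format arguments that are never interpolated; use `%` or `.format` so the message actually names the scheme.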
 

From 36f849e2c876c6418db99d8cf72b54026d32a18f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 12 Jan 2017 18:50:56 +0100
Subject: [PATCH 05/15] py3: WSGI executioners must return bytes in list

WSGI prints a TypeError into the error log when IPA doesn't return a list
of bytes as the result


[Freeipa-devel] [freeipa PR#413][opened] Complete stageuser API

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6623
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413

Re: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question

2017-01-25 Thread Tomas Krizek


On 01/13/2017 05:44 PM, Petr Vobornik wrote:
> On 01/13/2017 03:49 PM, Rob Crittenden wrote:
>> Tomas Krizek wrote:
>>> On 01/12/2017 04:17 PM, Rob Crittenden wrote:
 Tomas Krizek wrote:
> On 12/19/2016 04:41 PM, Standa Laznicka wrote:
>> On 12/19/2016 03:07 PM, John Dennis wrote:
>>> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
 On 12/16/2016 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> I started a design page for FreeIPA on FIPS-enabled systems:
>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>
>> Tomáš and I are still investigating which of all the things will need to
>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I
>> managed
>> to install and run patched FreeIPA server and client and connect them
>> together.
>>
>> There are some issues with NSS when trying to create an HTTPS request
>> (apparently, NSS requires an NSS database password to set up an SSL
>> connection). I am actually thinking of removing NSSConnection from
>> the
>> client altogether.
> Can you expand on this a bit? NSS should only need a pin when it needs
> access to a private key. What connection(s) are you talking about, and
> what would you replace NSSConnection with?
>
> rob
 Hello Rob,

 Thank you for this excellent question, in order to cut the email
 short I
 seem to have omitted quite a bit of information.

 One of the very first problems I had with FreeIPA with FIPS was that
 NSS
 was always asking for password/pin. I was discussing this with the NSS
 guys on their IRC chat last week and it turns out that NSS tries to
 create a private key every time you want to use it as a backend for an
 SSL connection on FIPS. I still don't think this is quite right so I
 may
 open a bugzilla for that.
>>> I don't understand, I thought the case you were having problems with
>>> was the FreeIPA client, not the server. I assume when you use the
>>> term "backend" you mean server, and yes when NSS is in server mode it
>>> will access to keys. So isn't the problem NSS is not being
>>> initialized correctly so that it recognizes it is in client mode and
>>> not server mode?
>>>
>> What I meant was "a client backend for an SSL connection" - we're
>> using NSS implementation of SSL (via python-nss) for HTTPS connections
>> from client to server during which we're getting a CA cert from an NSS
>> database but this eventually leads to a password prompt.
 Anyway, the guys suggested to me that we could try to create the database
 with an empty password and everything will work. I don't quite like
 that, too, but it's at least something if you don't want the `ipa`
 command to always bug you for a password you have no way of knowing if
 you're
 just a regular user.

 What I think would be a better way to go is to use
 httplib.HTTPSConnection. We have the needed certificates in
 /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion
 with Honza this morning and it seems that with this approach we may get
 rid of the NSSConnection class altogether (although I still need to
 check a few spots) and start the process of moving away from NSS which
 was discussed some year ago in an internal mailing list (for some
 reason).

 Will be happy to hear thoughts on this,
 Standa
>>> I'm not a big fan of NSS; it has its issues. As the author of the
>>> Python binding I'm quite aware of all the nasty behaviors NSS has and
>>> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
>>> has its own issues too. If you remove NSS you're also removing the
>>> option to support smart cards, HSMs, etc. Perhaps before removing
>>> functionality it would be good to assess what the requirements are.
>>>
>> I'm sorry I generalized too much, the original topic was moving away
>> from python-nss (of which I am even more sorry as you're the author).
>>
> We could use some ideas on how to handle replica installations in FIPS.
>
> We might use some flag in LDAP to indicate that a topology is
> FIPS-enabled. It seems like a good idea to force all servers in
> FIPS-enabled topology to also be FIPS-enabled. At the start of replica
> installation, a check could be performed to verify the FIPS topology
> status is the same as the current system's FIPS status. However, this
> proposal has a flaw. It is possible to simply install a FIPS-enabled
> replica and then turn FIPS off. This would result in non-FIPS systems
> being part of a FIPS-enabled 

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-25 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
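Review bot: make_enable_command() and make_disable_command() are added as unconditional NotImplementedError stubs, mirroring make_update_command() above them, but nothing tells a tracker author that they are optional: a tracker for an object that has no *-enable/*-disable commands still inherits them and only fails at call time. Consider stating in the two docstrings that only trackers for objects with enable/disable commands need to override them, so the `self._override_me_msg` failure is not mistaken for a missing mandatory method.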
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
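Review bot: enable() and disable() run the command and hand the result to check_enable()/check_disable(), but unlike create() in the previous hunk, which calls self.track_create() before issuing the command, they never update the tracker's recorded state. A later retrieve() or find() that compares against the tracked attributes would still expect the pre-toggle value of whatever flag the command changes. Consider adding track_enable()/track_disable() hooks called before `result = command()`, or documenting that subclasses must update the expected attributes inside check_enable()/check_disable().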

From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 107 
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 279 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..9343f9a
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,107 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import itertools
+import pytest
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+def 
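Review bot: certmaprule_optional_params lists 'ipaassociateddomain' while certmaprule_create_params and certmaprule_update_params both use the key u'associateddomain'; if the optional-parameter tuple is used to derive test variants from the create dict, that entry will never match an existing key and the corresponding case silently tests nothing. One of the two spellings should be corrected. Also, the update value u'changed arbitrary maching rule' has a typo ('matching'); harmless for the test, but worth fixing while touching the file.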

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-25 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tomaskrizek commented:
"""
**ACK** for z-stream with the patched PKI.

Waiting for the PKI release and bump of `Requires` to ack and merge upstream.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-275066963
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-25 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

pvoborni commented:
"""
Yes, but in a different patch please. PKI with the fix has not been released yet, so 
it should not block review of this patch. We can leave the ticket open until it 
is bumped.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-275065152
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-25 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

tomaskrizek commented:
"""
Since the bug is completely fixed on the PKI side, shouldn't we bump the 
`Requires` to require the fixed version of PKI?

Installation in an IPv6-only environment will not work without the updated PKI, 
since 127.0.0.1 was used as a default before 
[3a49b9b3738befc03914b0a96aad61f9650fb935](https://git.fedorahosted.org/cgit/pki.git/commit/?id=3a49b9b3738befc03914b0a96aad61f9650fb935).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-275062210
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-25 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, it turns out the request fails not on the replica, but on the initial 
master, so it's actually `ipa-server-install` which is broken - if you install 
server from current master and replica from this PR it works fine. Steps to 
reproduce:
```
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com -r ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
...
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla
```

Note that you won't actually be able to do the above, as the 
`ipa-server-install` step will fail with:
```
Restarting the KDC
Please add records in this file to your DNS system: 
/tmp/ipa.system.records.xLK2pI.db
Unable to set admin password Command '/usr/bin/ldappasswd -h 
vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y 
/var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP 
uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'
 returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA 
server
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to 
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
This does not happen with current master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-275044170
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code