Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-02-08 Thread Alexander Bokovoy

On Thu, 09 Feb 2017, Fraser Tweedale wrote:

> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> > On Wed, 08 Feb 2017, Martin Kosek wrote:
> > > Hi Fraser and the list,
> > >
> > > I recently was in a conversation about integrating OpenShift with FreeIPA. One
> > > of the gaps was around generating a wildcard certificate by FreeIPA that will
> > > be used in the default OpenShift router for applications that do not deploy own
> > > certificates [1].
> > >
> > > Is there any way that FreeIPA can generate it? I was thinking that uploading
> > > some custom certificate profile in FreeIPA may let us get such certificate...
> > > Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> > > [2]?
> > Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> > certificates from being issued:
> >
> > - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >   specified in the request
> >
> > - we validate that host object exists in IPA when the Kerberos
> >   principal is host/...
> >
> > We could lift these two limitations for 'cn=*,$suffix' but there is
> > still a need to apply proper ACLs when issuing the cert -- e.g. some
> > object has to be used for performing the access rights check. The wildcard
> > certificate does not need to be stored anywhere in the tree, but a
> > check still needs to be done.
> >
> > For example, for the Kerberos PKINIT certificate which is issued to the KDC we
> > don't store the public certificate in LDAP either, but we do two checks:
> > - a special KDC certificate profile is used to issue the cert
> > - a special hostname check is done so that only IPA masters are able to
> >   request this certificate
> >
> > For the wildcard certificate I think we could have the following:
> > - use a separate profile for the wildcard, associated with a sub-CA
> > - hardcode the CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
> >   the actual certificate ignores the requested CN.
> > - a special check to be done so that only wildcard-based subject
> >   alternative names can be added to a wildcard certificate request
> > - all Kerberos principal / hostname checks are skipped.
> > - actual ACL check is done by CA ACL.
> >
> Issuing wildcard certs is a deprecated practice[1].  I am not
> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> general) but I'd like to have a discussion with them about how
> they're currently dealing with certs and whether a different
> direction other than wildcard certs is feasible.  Martin, who should
> I reach out to?  Feel free to copy them into this discussion.
>
> [1] https://tools.ietf.org/html/rfc6125#section-7.2


While it is not recommended to issue wildcard certificates, it is far
from being a deprecated practice. In fact, almost all commercial CAs do
have wildcard certificate product in their portfolio. We also have seen
customers coming to use FreeIPA with wildcard certificates issued by
external CAs. This practice is not going to disappear. 




> If we do go ahead with wildcard cert support in FreeIPA, some of my
> initial questions are:
>
> - For the OpenShift use case, what is the "parent" domain name and
>   is it the same as the IPA domain name?  Is it a subdomain of the
>   IPA domain name?
>
> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>   cert under entire IPA domain name.
>
> - Do we need to support issuing "*.${IPA_HOSTNAME}"?  i.e. wildcard
>   certs under names of IPA host principals.

Another question would be:

- Do we need to support issuing "hostname.*.${IPA_DOMAIN}"? I.e.
 wildcard cert where a '*' character is not a leftmost label.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
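The SAN restrictions sketched in this thread (only wildcard names in the wildcard profile, '*' nowhere but the leftmost label so that "hostname.*.${IPA_DOMAIN}" is refused, and the parent kept under the IPA domain), written out as an added policy check. This is example code, not FreeIPA's; the class name, the `allow_apex_wildcard` switch covering the "*.${IPA_DOMAIN}" question, and the sample domain are my assumptions.

```python
"""Added example, not FreeIPA code: a policy check for the wildcard SAN
rules discussed in this thread.

Assumptions (mine, not the thread's): the wildcard profile accepts only
dNSName SANs, the IPA domain is known to the checker, and whether
'*.<IPA domain>' itself is allowed is a policy switch.  The shape of an
acceptable name follows RFC 6125 section 6.4.3: '*' must be the complete
leftmost label and nothing else.
"""
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r'^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$')


def _labels(name):
    """Lower-case, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip('.').split('.')


class WildcardSanPolicy(object):
    """Decides which dNSName SANs a wildcard-profile request may carry."""

    def __init__(self, ipa_domain, allow_apex_wildcard=False):
        self.domain = _labels(ipa_domain)
        # '*.<IPA domain>' would cover every host in the realm; off by default.
        self.allow_apex_wildcard = allow_apex_wildcard

    def check_san(self, dnsname):
        """Return (ok, reason) for a single requested dNSName."""
        labels = _labels(dnsname)
        if len(labels) < 2:
            return False, 'wildcard needs a parent domain'
        if labels[0] != '*':
            if '*' in labels[0]:
                # 'f*o.example' style partial wildcards are rejected
                return False, "'*' must be the complete leftmost label"
            if '*' in labels[1:]:
                # 'hostname.*.example': wildcard not in the leftmost label
                return False, "'*' is only allowed as the leftmost label"
            return False, 'this profile issues only wildcard names'
        parent = labels[1:]
        for label in parent:
            if label == '*':
                return False, 'only one wildcard label is allowed'
            if not _LABEL_RE.match(label):
                return False, 'invalid DNS label %r' % label
        # The parent must be the IPA domain itself or a subdomain of it
        # ('*.apps.ipa.example' and '*.host01.ipa.example' both qualify).
        n = len(self.domain)
        if len(parent) < n or parent[-n:] != self.domain:
            return False, '%s is outside the IPA domain' % '.'.join(parent)
        if len(parent) == n and not self.allow_apex_wildcard:
            return False, 'wildcard directly under the IPA domain is not permitted'
        return True, 'ok'

    def check_request(self, dnsnames):
        """Check every SAN of one request; all of them must pass.

        Returns (ok, [(name, ok, reason), ...]).
        """
        results = [(name,) + self.check_san(name) for name in dnsnames]
        return all(r[1] for r in results), results


if __name__ == '__main__':
    policy = WildcardSanPolicy('ipa.example')   # constructed sample domain
    for name in ('*.apps.ipa.example', '*.ipa.example',
                 'router.*.ipa.example', '*.apps.other.example'):
        print(name, policy.check_san(name))
```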


Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-02-08 Thread Martin Kosek
On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
>> On ke, 08 helmi 2017, Martin Kosek wrote:
>>> Hi Fraser and the list,
>>>
>>> I recently was in a conversation about integrating OpenShift with FreeIPA. 
>>> One
>>> of the gaps was around generating a wildcard certificate by FreeIPA that 
>>> will
>>> be used in the default OpenShift router for applications that do not deploy 
>>> own
>>> certificates [1].
>>>
>>> Is there any way that FreeIPA can generate it? I was thinking that uploading
>>> some custom certificate profile in FreeIPA may let us get such 
>>> certificate...
>>> Or is the the only way we can add it by adding a new RFE in FreeIPA, 
>>> tracked in
>>> [2]?
>> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
>> certificates to be issued:
>>
>> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>>   specified in the request
>>
>> - we validate that host object exists in IPA when the Kerberos
>>   principal is host/...
>>
>> We could lift off these two limitations for 'cn=*,$suffix' but there is
>> still a need to apply proper ACLs when issuing the cert -- e.g. some
>> object has to be used for performing access rights check. The wildcard
>> certificate does not need to be stored anywhere in the tree, but a
>> check still needs to be done.
>>
>> For example, for Kerberos PKINIT certificate which is issued to KDC we
>> don't store public certificate in LDAP either but we do two checks:
>> - a special KDC certificate profile is used to issue the cert
>> - a special hostname check is done so that only IPA masters are able to
>>   request this certificate
>>
>> For the wildcard certificate I think we could have following:
>> - use a separate profile for the wildcard, associated with a sub-CA
>> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>>   actual certificate ignores requested CN.
>> - a special check to be done so that only wildcard-based subject
>>   alternative names can be added to a wildcard certificate request
>> - all Kerberos principal / hostname checks are skipped.
>> - actual ACL check is done by CA ACL.
>>
> Issuing wildcard certs is a deprecated practice[1].  I am not
> dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> general) but I'd like to have a discussion with them about how
> they're currently dealing with certs and whether a different
> direction other than wildcard certs is feasible.  Martin, who should
> I reach out to?  Feel free to copy them into this discussion.

Right now, I am talking to a Solution Architect, i.e. someone who is building
GAed solutions, not developers. This is not something we would change
short-term anyway; this is how current OpenShift v2 or v3 behaves, despite the
RFC.

While I understand why having certificate *.lab.example.com and using it for my
lab machines is a bad idea and increases the attack vector, I do not see it
that way for OpenShift. There, applications get URL like
".myopenshift.test" and all is routed by one entity, the OpenShift
broker. So the key.cert is in one location, just serving different names that
are provisioned with OpenShift.

I can understand that issuing a new certificate for every application
provisioned by OpenShift and then renewing it complicates the design
significantly. I am trying to be creative and see if current OpenShift could
leverage the FreeIPA CA and issue the broker cert, with current profile
capabilities or with a small change.

> [1] https://tools.ietf.org/html/rfc6125#section-7.2
> 
> If we do go ahead with wildcard cert support in FreeIPA, some of my
> initial questions are:
> 
> - For the OpenShift use case, what is the "parent" domain name and
>   is it the same as the IPA domain name?  Is it a subdomain of the
>   IPA domain name?
> 
> - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
>   cert under entire IPA domain name.
> 
> - Do we need to support issuing "*.${IPA_HOSTNAME}"?  i.e. wildcard
>   certs under names of IPA host principals.

I do not know, but I can ask if it is important for you :-)

Martin



[Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

2017-02-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

HonzaCholasta commented:
"""
IMHO you got it backwards - DM password may not comply to NSS requirements for 
passwords, therefore it must not be used as a password for any NSS database 
during server install.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/443#issuecomment-278561684

[Freeipa-devel] [freeipa PR#433][synchronized] csrgen: Allow some certificate fields to be specified by the user

2017-02-08 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/433
Author: LiptonB
 Title: #433: csrgen: Allow some certificate fields to be specified by the user
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/433/head:pr433
git checkout pr433
From 96f4e25a4770bd2076390301adcee53d55086fa2 Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Thu, 28 Jul 2016 16:21:44 -0400
Subject: [PATCH 1/5] csrgen: Implement fields that prompt user for data

Allows some data to be user-specified rather than coming out of the
database. The provided data can be formatted with jinja2 rules just as
database values can.

https://fedorahosted.org/freeipa/ticket/4899
---
 install/share/csrgen/Makefile.am   |  1 +
 .../share/csrgen/rules/dataEmailUserSpecified.json | 16 ++
 ipaclient/csrgen.py| 36 --
 ipaclient/plugins/csrgen.py|  9 --
 ipatests/test_ipaclient/test_csrgen.py | 15 -
 5 files changed, 66 insertions(+), 11 deletions(-)
 create mode 100644 install/share/csrgen/rules/dataEmailUserSpecified.json

diff --git a/install/share/csrgen/Makefile.am b/install/share/csrgen/Makefile.am
index 12c62c4..ad4412e 100644
--- a/install/share/csrgen/Makefile.am
+++ b/install/share/csrgen/Makefile.am
@@ -10,6 +10,7 @@ ruledir = $(IPA_DATA_DIR)/csrgen/rules
 rule_DATA =\
 	rules/dataDNS.json		\
 	rules/dataEmail.json		\
+	rules/dataEmailUserSpecified.json	\
 	rules/dataHostCN.json		\
 	rules/dataUsernameCN.json	\
 	rules/dataSubjectBase.json	\
diff --git a/install/share/csrgen/rules/dataEmailUserSpecified.json b/install/share/csrgen/rules/dataEmailUserSpecified.json
new file mode 100644
index 000..3fb2fb1
--- /dev/null
+++ b/install/share/csrgen/rules/dataEmailUserSpecified.json
@@ -0,0 +1,16 @@
+{
+  "rules": [
+{
+  "helper": "openssl",
+  "template": "email = {{userdata.email}}"
+},
+{
+  "helper": "certutil",
+  "template": "email:{{userdata.email|quote}}"
+}
+  ],
+  "options": {
+"data_source": "userdata.email",
+"prompt": "Email address"
+  }
+}
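Review bot: the openssl template on the `"template": "email = {{userdata.email}}"` line renders the user-supplied value without the `quote` filter that the certutil template on the next rule applies, so a value containing a newline or extra `key = value` text would be copied verbatim into the generated openssl config. Apply an escaping filter to both templates, or reject values that are not a single well-formed address before rendering.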
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 96100ae..2c1c5fc 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -345,8 +345,9 @@ class CSRGenerator(object):
 def __init__(self, rule_provider):
 self.rule_provider = rule_provider
 
-def csr_script(self, principal, config, profile_id, helper):
-render_data = {'subject': principal, 'config': config}
+def csr_script(self, principal, config, userdata, profile_id, helper):
+render_data = {
+'subject': principal, 'config': config, 'userdata': userdata}
 
 formatter = self.FORMATTERS[helper]()
 rules = self.rule_provider.rules_for_profile(profile_id, helper)
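Review bot: `csr_script` gains a positional `userdata` parameter between `config` and `profile_id`, so any existing caller that passes `profile_id` positionally now binds it to `userdata`; the call-site updates belong in this change, and a default of `userdata=None` would keep older callers working. A one-line docstring saying what `userdata` is (the dict the `userdata.<name>` template variables read from) would also help.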
@@ -360,3 +361,34 @@ def csr_script(self, principal, config, profile_id, helper):
 'Template error when formatting certificate data'))
 
 return script
+
+def get_user_prompts(self, profile_id, helper):
+prompts = {}
+syntax_rules = []
+rules = self.rule_provider.rules_for_profile(profile_id, helper)
+
+for field_mapping in rules:
+for rule in field_mapping.data_rules:
+if 'prompt' in rule.options:
+try:
+var = rule.options['data_source']
+except KeyError:
+raise errors.CertificateMappingError(reason=_(
+'Certificate mapping rule %(rule)s has a prompt'
+' but no data_source set') % {'rule': rule.name})
+if var in prompts:
+raise errors.CertificateMappingError(reason=_(
+'More than one data rule in this profile prompts'
+' for the %(item)s data item') % {'item': var})
+var_parts = var.split('.')
+if len(var_parts) != 2 or var_parts[0] != 'userdata':
+raise errors.CertificateMappingError(
+reason=_(
+'Format of variable name in rule %(rule)s is'
+' incorrect. Rules that prompt for data must'
+' use a variable "userdata."') %
+{'rule': rule.name})
+
+prompts[var_parts[1]] = rule.options['prompt']
+
+return prompts
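Review bot: the duplicate check `if var in prompts:` can never fire, because `var` is the full `userdata.email` string while `prompts` is keyed by `var_parts[1]` (`email`) a few lines later; move the check after the `var.split('.')` format validation and compare `var_parts[1]`, or key `prompts` by `var`. Minor: the error text `use a variable "userdata."` reads better as `a variable of the form "userdata.<name>"`.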
diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 0669a47..d480946 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -82,6 +82,9 @@ def execute(self, *args, **options):
 if not backend.isconnected():
 backend.connect()
 
+generator = CSRGenerator(FileRuleProvider())
+prompts = 

[Freeipa-devel] [freeipa PR#434][synchronized] csrgen: Automate full cert request flow

2017-02-08 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
 Title: #434: csrgen: Automate full cert request flow
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434
From 5b4d2410d960084af766d44c112452604d0816c2 Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Mon, 22 Aug 2016 10:46:02 -0400
Subject: [PATCH 1/3] csrgen: Automate full cert request flow

Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899
---
 API.txt   |  2 +-
 ipaclient/plugins/cert.py | 83 ++-
 ipaserver/plugins/cert.py |  7 ++--
 3 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..ac38514 100644
--- a/API.txt
+++ b/API.txt
@@ -788,7 +788,7 @@ option: Flag('add', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')
 option: Principal('principal')
-option: Str('profile_id?')
+option: Str('profile_id', autofill=True, default=u'caIPAserviceCert')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('request_type', autofill=True, default=u'pkcs10')
 option: Str('version?')
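Review bot: replacing `Str('profile_id?')` with `Str('profile_id', autofill=True, default=u'caIPAserviceCert')` changes the wire contract (the server now fills in a profile whenever the client omits one), so the API version should be bumped in the same change, as the project requires for any API.txt edit. The client hunk below still fetches the default via `self.get_default_of('profile_id')`; once the server default is in place, confirm both sides agree on the same profile name.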
diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 1075972..339b1d0 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import subprocess
+import tempfile
+
+import six
+
 from ipaclient.frontend import MethodOverride
 from ipalib import errors
 from ipalib import x509
@@ -27,17 +32,93 @@
 from ipalib.plugable import Registry
 from ipalib.text import _
 
+if six.PY3:
+unicode = str
+
 register = Registry()
 
 
 @register(override=True, no_fail=True)
 class cert_request(MethodOverride):
+takes_options = (
+Str(
+'database?',
+label=_('Path to NSS database'),
+doc=_('Path to NSS database to use for private key'),
+),
+Str(
+'private_key?',
+label=_('Path to private key file'),
+doc=_('Path to PEM file containing a private key'),
+),
+)
+
 def get_args(self):
 for arg in super(cert_request, self).get_args():
 if arg.name == 'csr':
-arg = arg.clone_retype(arg.name, File)
+arg = arg.clone_retype(arg.name, File, required=False)
 yield arg
 
+def forward(self, csr=None, **options):
+database = options.pop('database', None)
+private_key = options.pop('private_key', None)
+
+if csr is None:
+if database:
+helper = u'certutil'
+helper_args = ['-d', database]
+elif private_key:
+helper = u'openssl'
+helper_args = [private_key]
+else:
+raise errors.InvocationError(
+message=u"One of 'database' or 'private_key' is required")
+
+with tempfile.NamedTemporaryFile(
+) as scriptfile, tempfile.NamedTemporaryFile() as csrfile:
+# profile_id is optional for cert_request, but not for
+# cert_get_requestdata, so pass the default explicitly when
+# necessary
+profile_id = options.get('profile_id')
+if profile_id is None:
+profile_id = self.get_default_of('profile_id')
+
+self.api.Command.cert_get_requestdata(
+profile_id=profile_id,
+principal=options.get('principal'),
+out=unicode(scriptfile.name),
+helper=helper)
+
+helper_cmd = [
+'bash', '-e', scriptfile.name, csrfile.name] + helper_args
+
+try:
+subprocess.check_output(helper_cmd)
+except subprocess.CalledProcessError as e:
+raise errors.CertificateOperationError(
+error=(
+_('Error running "%(cmd)s" to generate CSR:'
+  ' %(err)s') %
+{'cmd': ' '.join(helper_cmd), 
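Review bot: when `csr` is supplied together with `database` or `private_key`, both of the latter are `pop`ped and silently ignored; raising `errors.InvocationError` for the conflicting combination would tell the caller that the key they named was not used. Two smaller points in the same hunk: `subprocess.check_output(helper_cmd)` captures only stdout unless `stderr=subprocess.STDOUT` is passed, so whatever `%(err)s` is bound to from `CalledProcessError` will usually be empty for a failing `certutil` or `openssl` run; and the temporary script is executed with `bash -e` from a `NamedTemporaryFile`, which is fine on Linux but relies on `cert_get_requestdata` having closed the `out=` file before the helper starts.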

Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-02-08 Thread Fraser Tweedale
On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> On Wed, 08 Feb 2017, Martin Kosek wrote:
> > Hi Fraser and the list,
> > 
> > I recently was in a conversation about integrating OpenShift with FreeIPA. One
> > of the gaps was around generating a wildcard certificate by FreeIPA that will
> > be used in the default OpenShift router for applications that do not deploy own
> > certificates [1].
> > 
> > Is there any way that FreeIPA can generate it? I was thinking that uploading
> > some custom certificate profile in FreeIPA may let us get such certificate...
> > Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
> > [2]?
> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> certificates from being issued:
> 
> - we ensure subject 'cn' of the certificate matches a Kerberos principal
>   specified in the request
> 
> - we validate that host object exists in IPA when the Kerberos
>   principal is host/...
> 
> We could lift off these two limitations for 'cn=*,$suffix' but there is
> still a need to apply proper ACLs when issuing the cert -- e.g. some
> object has to be used for performing access rights check. The wildcard
> certificate does not need to be stored anywhere in the tree, but a
> check still needs to be done.
> 
> For example, for Kerberos PKINIT certificate which is issued to KDC we
> don't store public certificate in LDAP either but we do two checks:
> - a special KDC certificate profile is used to issue the cert
> - a special hostname check is done so that only IPA masters are able to
>   request this certificate
> 
> For the wildcard certificate I think we could have following:
> - use a separate profile for the wildcard, associated with a sub-CA
> - hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
>   actual certificate ignores requested CN.
> - a special check to be done so that only wildcard-based subject
>   alternative names can be added to a wildcard certificate request
> - all Kerberos principal / hostname checks are skipped.
> - actual ACL check is done by CA ACL.
> 
Issuing wildcard certs is a deprecated practice[1].  I am not
dismissing the needs of OpenShift (or PaaS/IaaS solutions in
general) but I'd like to have a discussion with them about how
they're currently dealing with certs and whether a different
direction other than wildcard certs is feasible.  Martin, who should
I reach out to?  Feel free to copy them into this discussion.

[1] https://tools.ietf.org/html/rfc6125#section-7.2

If we do go ahead with wildcard cert support in FreeIPA, some of my
initial questions are:

- For the OpenShift use case, what is the "parent" domain name and
  is it the same as the IPA domain name?  Is it a subdomain of the
  IPA domain name?

- Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
  cert under entire IPA domain name.

- Do we need to support issuing "*.${IPA_HOSTNAME}"?  i.e. wildcard
  certs under names of IPA host principals.

Cheers,
Fraser



[Freeipa-devel] [freeipa PR#370][closed] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/370
Author: frasertweedale
 Title: #370: ci: send build log to paste.fedoraproject.org
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/370/head:pr370
git checkout pr370

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

frasertweedale commented:
"""
Superseded by https://github.com/freeipa/freeipa/pull/449 ; closing.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278506829

[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property

2017-02-08 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

frasertweedale commented:
"""
Conditional ACK: just fix the typo `s/moths/months/` in the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/451#issuecomment-278503991

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-08 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 157cfa0f6b86c849e88ad543ef25e0aa97bdfd7a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   9 ++-
 configure.ac | 253 +--
 server.m4| 119 
 3 files changed, 215 insertions(+), 166 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..bc14745 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,14 @@
 ACLOCAL_AMFLAGS = -I m4
 
+if ENABLE_SERVER
+SERVER_SUBDIRS = daemons init install ipaserver
+else
+SERVER_SUBDIRS =
+endif
+
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po $(SERVER_SUBDIRS)
+
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
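Review bot: moving `daemons init install ipaserver` from the middle of `SUBDIRS` to the end changes the recursive build order (they used to be built before `$(IPACLIENT_SUBDIRS)`, now they follow `ipatests` and `po`); confirm that nothing in those directories relied on the earlier position. The commit message carries only the ticket URL; a sentence on what `--disable-server` leaves out of the build would help anyone reading `git log` later.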
diff --git a/configure.ac b/configure.ac
index 8fdc731..c5c686b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = "xpdb" ; then
-  
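Review bot: the samba block being removed assigns `LIBPDB_NAME` in the `AC_CHECK_LIB([samba-passdb], ...)` call but then tests `"x$LIB_PDB_NAME" = "xpdb"` with an extra underscore, so that fallback branch could never run; if this code is moving into `server.m4`, now is the moment to fix the spelling rather than carry the dead branch over.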

[Freeipa-devel] [freeipa PR#452][opened] [ WIP] ipa-run-tests: allow to run tests with server-api

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/452
Author: MartinBasti
 Title: #452: [ WIP] ipa-run-tests: allow to run tests with server-api
Action: opened

PR body:
"""
This allows testing server-api with ipa-run-tests. It is useful because
internal error tracebacks are printed to test output and it is handy to
use it with the python -bb option to check BytesWarnings.

- I haven't tested option parsing in pytest yet, only the code around that
allows running server_api
- This can be useful with Travis to see tracebacks directly in test output
- tests may be faster
- we should really rename test_xmlrpc to something like test_api
- I will use this for python -bb testing
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/452/head:pr452
git checkout pr452
From 5844f0ab0a63ea162b46399774cb8ec0ba845706 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 8 Feb 2017 20:03:53 +0100
Subject: [PATCH] ipa-run-tests: allow to run tests with server-api

This allows testing server-api with ipa-run-tests. It is useful because
internal error tracebacks are printed to test output and it is handy to
use it with the python -bb option to check BytesWarnings.
---
 ipatests/conftest.py| 24 +++-
 ipatests/test_xmlrpc/xmlrpc_test.py | 16 
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 6d8ba60..7e3c0e9 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -71,9 +71,31 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+def truefalse(arg):
+if arg.lower() == 'true':
+return True
+if arg.lower() == 'false':
+return False
+return arg  # triggers an error later
+
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--in-server',
+dest="ipa_in_server",
+type=truefalse,
+choices=(True, False),
+default=False,
+help="Run IPA tests with in-server API (talk directly to LDAP, avoid "
+ "http communications). Requires to run test on "
+ "installed server (default: False)"
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
-context=u'cli', in_server=False, in_tree=True, fallback=False
+context=u'cli', in_server=config.option.ipa_in_server,
+in_tree=True, fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
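Review bot: the custom `truefalse` converter combined with `choices=(True, False)` reimplements a boolean flag and depends on the `return arg  # triggers an error later` path to reject bad input; a plain `action='store_true'` on `--in-server` is simpler and fails the same way for junk values. The option is also added to the group named "IPA integration tests" although it controls the API test backend; a more specific group name would make `--help` clearer.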
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
index 67565b0..7bc4fcc 100644
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
@@ -131,8 +131,12 @@ def fuzzy_set_ci(s):
 return Fuzzy(test=lambda other: set(x.lower() for x in other) == set(y.lower() for y in s))
 
 try:
-if not api.Backend.rpcclient.isconnected():
-api.Backend.rpcclient.connect()
+if api.env.in_server:
+if not api.Backend.ldap2.isconnected():
+api.Backend.ldap2.connect()
+else:
+if not api.Backend.rpcclient.isconnected():
+api.Backend.rpcclient.connect()
 res = api.Command['user_show'](u'notfound')
 except errors.NetworkError:
 server_available = False
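Review bot: the `if api.env.in_server:` / `else:` connect block is duplicated verbatim in the `setup_class` hunk below; factor it into one helper so a future change to the in-server path is made once. Note also that `server_available = False` is set only on `errors.NetworkError`; confirm that a failing `api.Backend.ldap2.connect()` raises that same exception, otherwise the in-server run errors out instead of skipping when no server is installed.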
@@ -206,8 +210,12 @@ def setup_class(cls):
 if not server_available:
 raise nose.SkipTest('%r: Server not available: %r' %
 (cls.__module__, api.env.xmlrpc_uri))
-if not api.Backend.rpcclient.isconnected():
-api.Backend.rpcclient.connect()
+if api.env.in_server:
+if not api.Backend.ldap2.isconnected():
+api.Backend.ldap2.connect()
+else:
+if not api.Backend.rpcclient.isconnected():
+api.Backend.rpcclient.connect()
 
 @classmethod
 def teardown_class(cls):
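Review bot: the skip message in this hunk still reports `api.env.xmlrpc_uri` as the unavailable server; when `api.env.in_server` is set the connection attempted was the LDAP one through `ldap2`, so the message should name the backend that was actually tried.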

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-08 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
@tomaskrizek @lslebodn Although I don't need ```make dist```, you made me aware 
of a bug in ```Makefile.am```. automake and ```+=``` do not mix well. I moved 
the list into a new var ```SERVER_SUBDIRS```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278416196

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-08 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 1c44c2a204e7de6087abda2ac8fe2d2e729aa5b1 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   9 ++-
 configure.ac | 253 +--
 server.m4| 119 
 3 files changed, 215 insertions(+), 166 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..628625f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,14 @@
 ACLOCAL_AMFLAGS = -I m4
 
+if ENABLE_SERVER
+SERVER_SUBDIRS = daemons init install ipaserver
+else
+SERVER_SUBDIRS =
+endif
+
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib $(IPACLIENT_SUBDIRS) ipaplatform ipatests po $(SERVER_SUBDIR)
+
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
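Review bot: variable name mismatch: `SERVER_SUBDIRS` is defined under `if ENABLE_SERVER`, but `SUBDIRS` references `$(SERVER_SUBDIR)` (no trailing S), so `daemons init install ipaserver` are never built even when the server is enabled. Change it to `$(SERVER_SUBDIRS)`. Also drop the extra blank line after the `SUBDIRS` assignment, and note the `make dist` failure reported elsewhere in this thread (`No rule to make target 'distdir'` in `daemons`): with the server directories removed from `SUBDIRS` but still present in the distribution, decide whether client-only `make dist` is supported and state it in the commit message.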
diff --git a/configure.ac b/configure.ac
index 8fdc731..c5c686b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
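Review bot: the help text in the `AC_ARG_ENABLE` call has lost its column alignment (`--disable-serverDisable server support`); wrap it in `AS_HELP_STRING([--disable-server], [Disable server support])` so `./configure --help` formats it correctly. A one-line comment that the explicit `PKG_PROG_PKG_CONFIG` here replaces the `PKG_PROG_PKG_CONFIG()` removed from the samba block further down would help the next reader.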
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
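Review bot: the removed slapi-plugin block contains two inconsistent cache variable names (`ac_cv_header_dirsrv_slapi-plugin_h` and `ac_cv_header_dirsrv_slapi_plugin_h`) and two different package hints (389-ds-base-devel and fedora-ds-base-devel); if this is being moved into the new `server.m4`, carry over only the correct `ac_cv_header_dirsrv_slapi_plugin_h` test and a single error message. Likewise `KRAD_LIBS` and `krb5rundir` are `AC_SUBST`ed here; make sure `server.m4` still substitutes them, otherwise `@krb5rundir@`/`@KRAD_LIBS@` are left unexpanded in server builds. `server.m4` itself is not shown in this message, so that part cannot be reviewed here.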
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = "xpdb" ; then
-  
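Review bot: the removed samba block tests `$LIB_PDB_NAME`, although the variable set by the preceding `AC_CHECK_LIB` is `LIBPDB_NAME`, so the `xpdb` fallback branch could never have fired; when this code lands in `server.m4`, use one spelling. The hunk is cut off in this mail, so the remainder of the move cannot be reviewed here.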

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-08 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
@tiran Do you need `make dist` for anything?

I'm not aware of any plans to release client-only IPA sources, so I don't think 
it's needed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278413427

[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property

2017-02-08 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

tomaskrizek commented:
"""
Commit that removed the valid_months property: 
e736e75ce9724ae8298a5b69d093313cd6e62b60
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/451#issuecomment-278411676

[Freeipa-devel] [freeipa PR#451][synchronized] certdb: remove unused keysize property

2017-02-08 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
 Title: #451: certdb: remove unused keysize property
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451
From 6084a2c3651c54a2662f708c803e27aa8d678c64 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 18:28:25 +0100
Subject: [PATCH 1/2] certdb: remove unused keysize property

Keysize property is no longer used anywhere in the code. It was
originally introduced for the request_cert function, which was later
refactored to use a function argument instead.
---
 ipaserver/install/certs.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..e6d0ce2 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -110,7 +110,6 @@ def __init__(
 
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
-self.keysize = "1024"
 
 # We are going to set the owner of all of the cert
 # files to the owner of the containing directory
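Review bot: the `self.valid_months = "120"` assignment left in the context line is equally unused according to the second commit in this PR; squash the two one-line removals into a single commit (e.g. "certdb: remove unused keysize and valid_months properties") so the history does not carry two commits for one cleanup. Since the motivation in the PR body is the `"1024"` value, the commit message would be more useful if it named where the 2048-bit default now comes from.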

From 3877bbb1c6b99b2d639d4dc6ef68af4cd2558181 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 18:54:20 +0100
Subject: [PATCH 2/2] certdb: remove unused valid_months property

Property valid_months is no longer used anywhere in the code. It was
removed when the selfsign functionality was dropped.
---
 ipaserver/install/certs.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index e6d0ce2..d484d8a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -109,7 +109,6 @@ def __init__(
 raise RuntimeError("Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
-self.valid_months = "120"
 
 # We are going to set the owner of all of the cert
 # files to the owner of the containing directory
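Review bot: the attribute is set in `__init__` and removed here without any replacement, so a consumer anywhere else in the tree would now raise `AttributeError`; mention in the commit message how it was verified that nothing reads it (e.g. `git grep -n valid_months` over the whole repository, including templates and tests).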

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-08 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
See inline comment and issue above; otherwise LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278405529

[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property

2017-02-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

stlaz commented:
"""
If you want to remove them, you may want to check for other properties as well 
(I see `valid_months` at least).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/451#issuecomment-278403244

[Freeipa-devel] [freeipa PR#451][opened] certdb: remove unused keysize property

2017-02-08 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
 Title: #451: certdb: remove unused keysize property
Action: opened

PR body:
"""
Keysize property is no longer used anywhere in the code. It was
originally introduced for the request_cert function, which was later
refactored to use a function argument instead.

---

The value of this property caught my eye, because I don't think we should be 
using 1024-bit keys. Fortunately, I discovered this bit of code is obsolete and 
we actually use a 2048-bit key length by default.

Commit that originally introduced the property: 
158b4e8ff4704b967d4049e2a16f9b32fbb33b80
Commit that removed the usage of the property: 
9182c10b03a7841c9318ad64ae6c5deda77d93d1
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451
From 1de9bfd05dab3cc221b1f72241c71ccbd17ce4d8 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 18:28:25 +0100
Subject: [PATCH] certdb: remove unused keysize property

Keysize property is no longer used anywhere in the code. It was
originally introduced for the request_cert function, which was later
refactored to use a function argument instead.
---
 ipaserver/install/certs.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..e6d0ce2 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -110,7 +110,6 @@ def __init__(
 
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
-self.keysize = "1024"
 
 # We are going to set the owner of all of the cert
 # files to the owner of the containing directory
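Review bot: the `self.valid_months = "120"` assignment in the context line looks just as dead as `keysize` (the reviewer comment in this thread points at it too); remove it in the same commit rather than leaving a second unused attribute behind.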

[Freeipa-devel] [freeipa PR#445][synchronized] Remove is_fips_enabled checks in installers and ipactl

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
 Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445
From c32abfd848e04734f4bbca715a828ff6814b181c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 08:55:56 +0100
Subject: [PATCH] Remove is_fips_enabled checks in installers and ipactl

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipactl   |  3 ---
 ipaclient/install/client.py|  5 -
 ipaserver/install/server/install.py|  4 
 ipaserver/install/server/replicainstall.py | 13 +++--
 4 files changed, 7 insertions(+), 18 deletions(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index c34f1cb..f375a87 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -543,9 +543,6 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
-if tasks.is_fips_enabled():
-raise IpactlError("Starting IPA server in FIPS mode is not supported")
-
 # check if IPA is configured at all
 try:
 check_IPA_configuration()
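Review bot: this hunk removes a hard stop (`Starting IPA server in FIPS mode is not supported`) but the commit message gives only a ticket URL; state what now makes starting the services in FIPS mode safe, and mention that a FIPS restriction is deliberately kept for domain level 0 replicas (see the `replicainstall.py` hunk later in this patch) so the asymmetry is clearly intentional.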
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..2b01b0d 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1953,11 +1953,6 @@ def install_check(options):
 "You must be root to run ipa-client-install.",
 rval=CLIENT_INSTALL_ERROR)
 
-if tasks.is_fips_enabled():
-raise ScriptError(
-"Installing IPA client in FIPS mode is not supported",
-rval=CLIENT_INSTALL_ERROR)
-
 tasks.check_selinux_status()
 
 if is_ipa_client_installed(fstore, on_master=options.on_master):
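Review bot: with this guard gone, `install_check` no longer tells the user anything about FIPS on the client; if any client-side component still cannot operate in FIPS mode, fail here with a `ScriptError` and `rval=CLIENT_INSTALL_ERROR` as before rather than later during enrollment. If the client is fully supported now, say so in the commit message.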
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..8178d4e 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -304,10 +304,6 @@ def install_check(installer):
 external_ca_file = installer._external_ca_file
 http_ca_cert = installer._ca_cert
 
-if tasks.is_fips_enabled():
-raise RuntimeError(
-"Installing IPA server in FIPS mode is not supported")
-
 tasks.check_selinux_status()
 
 if options.master_password:
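Review bot: the fresh-server install path drops its FIPS stop while the domain-level-0 replica path keeps one (the `install_check` hunk in `replicainstall.py` below); a short comment here, or a sentence in the commit message, explaining why the server installer is FIPS-safe but the replica-file path is not would save the next reader a `git blame`.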
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..a0d6415 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -527,10 +527,6 @@ def check_remote_version(api):
 
 
 def common_check(no_ntp):
-if tasks.is_fips_enabled():
-raise RuntimeError(
-"Installing IPA server in FIPS mode is not supported")
-
 tasks.check_selinux_status()
 
 if is_ipa_configured():
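Review bot: `common_check` is called from both `install_check` and `promote_check` (both callers are visible later in this patch), so removing the FIPS check here and re-adding it only in `install_check` is the right way to limit the restriction to domain level 0; a one-line docstring on `common_check` noting that the FIPS check intentionally lives in `install_check` would stop someone from re-adding it here.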
@@ -659,7 +655,12 @@ def install_check(installer):
 filename = installer.replica_file
 installer._enrollment_performed = False
 
-# check FIPS, selinux status, http and DS ports, NTP conflicting services
+if tasks.is_fips_enabled():
+raise RuntimeError(
+"Installing IPA server in FIPS mode on domain level 0 is not "
+"supported")
+
+# check selinux status, http and DS ports, NTP conflicting services
 common_check(options.no_ntp)
 
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
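Review bot: the re-added check raises `RuntimeError`, whereas the client installer's removed check used `ScriptError` with `rval=CLIENT_INSTALL_ERROR`; consider `ScriptError` here too so the replica installer reports the condition the same way as its other pre-flight failures. The split string literal is correct (`"... is not "` carries the trailing space), and the updated comment matches the new behaviour.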
@@ -949,7 +950,7 @@ def promote_check(installer):
 installer._enrollment_performed = False
 installer._top_dir = tempfile.mkdtemp("ipa")
 
-# check FIPS, selinux status, http and DS ports, NTP conflicting services
+# check selinux status, http and DS ports, NTP conflicting services
 common_check(options.no_ntp)
 
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 06d613cbcba799b0510fd3e4b7245a94de12aa1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
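Review bot: grammar in the added paragraph: "To build only Python 2 packages on Fedora, run:" reads better than "on fedora following steps are required:". It is also worth stating that `RPMBUILD_OPTS` is passed to `rpmbuild` unquoted by the recipe, so the inner single quotes around `with_python3 0` are required, not optional.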
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
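Review bot: `$(RPMBUILD_OPTS)` is appended after a double space in the `-ba` recipe but a single space in the `-bs` recipe below; cosmetic, but keep them consistent. While touching this recipe, the context line `rm -f rm -f $(top_builddir)/.version` has a duplicated `rm -f` that predates this change and could be cleaned up in the same patch.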
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
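Review bot: `%if 0%{?with_python3:1}` is correct for honouring a caller-supplied `--define 'with_python3 0'` (it tests whether the macro is defined, not its value), but the nested `%if`/`%else`/`%endif` is easy to misread; replace the comment `# with_python3 already defined` with something like `# honour --define 'with_python3 N' passed to rpmbuild`. The single-line `%{!?ONLY_CLIENT:...}` style used two lines above does not fit here because the default depends on `%{?rhel}`, so the nesting is justified.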

From 314dee7f389defd7fe53d38a0106552322a8e213 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages.
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
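Review bot: only the two `run-tests` matrix entries set `PYTHON`; the `lint` entry does not, and `.travis_run_task.sh` (next file in this patch) no longer derives `PYTHON` from `TRAVIS_PYTHON_VERSION`, so the lint job will pass an empty `PYTHON=` into the container. Either set `PYTHON` for the `lint` entry as well or give the script a default.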
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..540c883 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="--define 'with_python3 0'"
+else
+env_opt=""
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
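Review bot: `env_opt="--define 'with_python3 0'"` embeds single quotes that then travel through `--container-environment "RPMBUILD_OPTS=$env_opt"` and into a `make` recipe; whether the quotes survive depends on how the test runner exports the variable into the container, so please verify there that `rpmbuild` receives `with_python3 0` as one argument. Since the `PYTHON=` derivation was removed, the script now relies on the caller to set `PYTHON`; a fallback such as `: "${PYTHON:=/usr/bin/python2}"` would keep it usable for matrix entries (and local runs) that do not set it.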
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment "RPMBUILD_OPTS=$env_opt" \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
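Review bot: the new `--container-environment "RPMBUILD_OPTS=$env_opt"` line is the only place the variable crosses into the container, and it is consumed by the `_rpms-body`/`_srpms-body` recipes in `Makefile.am` from the first commit; a comment naming that consumer would make the coupling discoverable.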

From 138cb93cfb1f7da5e6e50442efbbf0e40c26d9bc Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporary Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that, this temporary config file will be removed and only the
previous one will be used again.
---
 .test_runner_config_py3_temp.yaml | 61 ++
 .travis.yml   | 90 ++-
 2 files changed, 150 insertions(+), 1 

[Freeipa-devel] [freeipa PR#431][closed] py3: ldapupdate: fix logging str(bytes) issue

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/431
Author: MartinBasti
 Title: #431: py3: ldapupdate: fix logging str(bytes) issue
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/431/head:pr431
git checkout pr431

[Freeipa-devel] [freeipa PR#431][comment] py3: ldapupdate: fix logging str(bytes) issue

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/431
Title: #431: py3: ldapupdate: fix logging str(bytes) issue

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b24787a67fd8b19b9222979a963a8f28b22153ee
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/431#issuecomment-278394914

[Freeipa-devel] [freeipa PR#450][opened] Add FIPS-token password of HTTPD NSS database

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: opened

PR body:
"""
This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 57e65fe8cab8580222f690f84affe1ce14d15263 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..cc1cda5 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -43,6 +43,7 @@
 from ipalib.text import _
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
 
 # Apache needs access to this database so we need to create it
 # where apache can reach
@@ -504,7 +505,11 @@ def create_password_conf(self):
 f = open(self.pwd_conf, "w")
 f.write("internal:")
 pwdfile = open(self.passwd_fname)
-f.write(pwdfile.read())
+password = pwdfile.read()
+f.write(password)
+if tasks.is_fips_enabled():
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
 f.close()
 pwdfile.close()
 self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
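Review bot: the value read from `self.passwd_fname` is written verbatim twice; if that file ends with a newline, the first entry becomes `internal:<pw>\n`, the added `"\nNSS FIPS 140-2 Certificate DB:"` then leaves an empty line between the two entries, and the FIPS token line itself has no terminator. Strip the password once (`password = pwdfile.read().strip()`) and write each entry with its own trailing newline. Also, `open(self.pwd_conf, "w")` creates the file under the default umask and permissions are only adjusted afterwards by `set_perms`; now that two token passwords live in it, create it with a restrictive mode from the start (`os.open(..., os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) and use `with` blocks so both handles are closed on error.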

[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

martbab commented:
"""
I have quickly skimmed through the code and have one comment. Also, I have noticed 
the extreme code triplication of the test cases. I think that this warrants 
some refactoring first before adding tree-root domain tests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/448#issuecomment-278381632

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-08 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
`make dist` failed if configure was executed with `--disable-server`

```
make[3]: Leaving directory '/workdir/freeipa/po'
make[2]: Leaving directory '/workdir/freeipa/po'
 (cd daemons && make  
top_distdir=../freeipa-4.4.90.dev201702081623+git9da17b545 
distdir=../freeipa-4.4.90.dev201702081623+git9da17b545/daemons \
 am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
make[2]: Entering directory '/workdir/freeipa/daemons'
make[2]: *** No rule to make target 'distdir'.  Stop.
make[2]: Leaving directory '/workdir/freeipa/daemons'
make[1]: *** [Makefile:707: distdir] Error 1
make[1]: Leaving directory '/workdir/freeipa'
make: *** [Makefile:806: dist] Error 2
```

Do we care?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278377302

[Freeipa-devel] [freeipa PR#449][synchronized] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449
From ebac37392fef04f77927b395077684c6afa08a9b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Feb 2017 10:38:57 +0100
Subject: [PATCH] Travis CI: Upload the logs from failed jobs to transfer.sh

When a non-lint job fails, all the relevant logs from the test runner
will be gzipped and uploaded to https://transfer.sh file sharing
service. The download link will then be displayed at the very end of the
Travis build log.
---
 .test_runner_config.yaml | 10 ++
 .travis.yml  | 17 +
 2 files changed, 27 insertions(+)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index dc08d79..5597be5 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -31,6 +31,16 @@ steps:
   - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
+  - journalctl -b --no-pager > systemd_journal.log
+  - >
+  tar --ignore-failed-read -cvf ${container_working_dir}/var_log.tar
+  /var/log/dirsrv
+  /var/log/httpd
+  /var/log/ipa*-install.log
+  /var/log/krb5kdc.log
+  /var/log/pki
+  systemd_journal.log
+  - chown ${uid}:${gid} ${container_working_dir}/var_log.tar
   configure:
   - ./autogen.sh
   install_packages:
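Review bot: the archive gathers directory server, httpd, KDC and PKI logs plus the full journal, and the companion `.travis.yml` change in this patch uploads it to a public file-sharing service; review those logs (the `ipa*-install.log` files in particular) for anything secret before this is enabled, or filter them in this step. Also, `journalctl -b ... > systemd_journal.log` writes to the cleanup step's current directory while the tar archive is placed in `${container_working_dir}`, and `systemd_journal.log` is referenced relatively in the `tar` command; with `--ignore-failed-read` a mismatch would silently drop the journal, so use the same absolute path for both.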
diff --git a/.travis.yml b/.travis.yml
index 6301974..04b766b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -12,6 +12,8 @@ env:
   PEP8_ERROR_LOG="pep8_errors.log"
   CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
   CI_BACKLOG_SIZE=5000
+  CI_RUNNER_LOGS_DIR="/tmp/test-runner-logs"
+  CI_RUNNER_LOG_ARCHIVE="freeipa-ci-pr-${TRAVIS_PULL_REQUEST}-job-${TRAVIS_JOB_NUMBER}.tar.gz"
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
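Review bot: `CI_RUNNER_LOG_ARCHIVE` embeds `${TRAVIS_PULL_REQUEST}`, which Travis sets to the literal string `false` for non-PR builds, giving names like `freeipa-ci-pr-false-job-N.tar.gz`; fall back to the branch or commit for that case. `CI_RUNNER_LOGS_DIR` is defined here and created in the `script` section, but nothing in this patch ever uses it; either drop it or move the archive there.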
@@ -31,7 +33,22 @@ install:
   git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1
 
 script:
+- mkdir -p $CI_RUNNER_LOGS_DIR
 - travis_wait 50 ./.travis_run_task.sh
 after_failure:
 - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG
 - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG
+- >
+  echo "Archiving CI logs";
+  if [[ "$TASK_TO_RUN" != "lint" ]]; then
+  tar --ignore-failed-read -uvf var_log.tar $CI_RESULTS_LOG $PEP8_ERROR_LOG;
+  gzip var_log.tar;
+  mv var_log.tar.gz $CI_RUNNER_LOG_ARCHIVE;
+
+  transfer_url=$(
+curl --upload-file \
+./$CI_RUNNER_LOG_ARCHIVE \
+https://transfer.sh/${CI_RUNNER_LOG_ARCHIVE}) &&
+echo "Download log archive from ${transfer_url}" ||
+echo "Failed to upload log archive!";
+   fi
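Review bot: the archive is uploaded to transfer.sh, where anyone who sees the URL printed in the (public) Travis log can download it, so this block must only ever see logs that are safe to publish. `tar --ignore-failed-read -uvf var_log.tar ...` assumes the archive produced by the container cleanup step is in the current directory; if it is not, the result is either a `tar` error or an archive containing only the two CI logs with no hint that the server logs are missing, and the `||` branch only reports a `curl` failure. Add an explicit `[ -f var_log.tar ]` check before the block. Minor: the closing `fi` is indented one space more than its `if`.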

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-08 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 85cd763e945167db48a675fead0d1bcf29c57440 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env

The fips_mode variable, indicating whether the machine is running in
FIPS-enabled mode, was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
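Review bot: `except ImportError` around `from ipaplatform.tasks import tasks` also swallows an `ImportError` raised from inside `ipaplatform` itself (a missing dependency of the platform module), so a broken server installation would silently report no FIPS information. If the intent is only to tolerate a client without `ipaplatform`, log the fallback at debug level so the silent path is visible, and say in the commit message which installations are expected to take it.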
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
 
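Review bot: `fips_mode` is set only when `tasks` is importable, so `api.env.fips_mode` does not exist at all on installations without `ipaplatform`, and every consumer will need `getattr(api.env, 'fips_mode', False)`. Setting `self.fips_mode = False` in an `else` branch (or adding a default to `DEFAULT_CONFIG`) gives callers a stable attribute and would also let the `test_config` assertion changed in the next commit stay strict.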

From d16b76a1d17cacd2ad5025232ad777e372dc8fad Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode

Test for Env object assumes it cannot contain any other keys
than specified in DEFAULT_CONFIG. This does not apply to the fips_mode.
The Env object has to contain all the keys from DEFAULT_CONFIG, but
can also contain extra keys.
---
 ipatests/test_ipalib/test_config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..095f188 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -563,7 +563,7 @@ def test_finalize_core(self):
 # Test using DEFAULT_CONFIG:
 defaults = dict(constants.DEFAULT_CONFIG)
 (o, home) = self.finalize_core(None, **defaults)
-assert list(o) == sorted(defaults)
+assert set(o).issuperset(set(defaults))
 for (key, value) in defaults.items():
 if value is object:
 continue
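Review bot: replacing the equality with `issuperset` means any unexpected extra key in `Env` now passes silently, which removes the regression protection the old assertion gave. Prefer `assert set(o) - set(defaults) <= {'fips_mode'}` so only the intended extra key is tolerated, and keep a `list(o) == sorted(o)` check if the old assertion was also guarding the iteration order.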

From 43474741544f7c7b08a810a2a954531fea4d7dca Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..ad43aa2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -509,6 +509,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
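Review bot: docstring grammar: "if the checks fails" should be "if the check fails". `:param api:` is described as "remote API", but the argument is the local `api` object used to build the JSON-RPC client (`rpc.jsonclient(api)`) and whose `env.version` is compared against the remote one; describe it as the local API instance.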
@@ -521,7 +528,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
 
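Review bot: the two literals in the `ScriptError` message concatenate to "higher version (...) thanthe local version (...)" because the first literal has no trailing space; add the space while this line is being touched. Also confirm that `ScriptError` is imported in this module, since no import hunk is part of this patch.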

From 9fc17b6da5f6a2448e85a9ba2cf23c14d45fb4d4 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ad43aa2..4a8b9d6 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -508,29 +509,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
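Review bot: the hunk is cut off right after `@contextlib.contextmanager`, so the body of the new context manager cannot be reviewed from this message. Whatever follows should `yield` the finalized client from inside a `try`/`finally` so that any cleanup the client needs still runs when the caller's block raises; otherwise the refactor only changes the call shape, not the failure behaviour.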

[Freeipa-devel] [freeipa PR#448][opened] Tests: Basic coverage with tree root domain

2017-02-08 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/448
Author: gkaihorodova
 Title: #448: Tests: Basic coverage with tree root domain
Action: opened

PR body:
"""
Tests: Basic coverage with tree root domain
Extend existing legacy client tests to cover test cases with tree root domain.
https://fedorahosted.org/freeipa/ticket/6489
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/448/head:pr448
git checkout pr448
From ce9226930972e058b4007e126fb4f47c8a7e09f0 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 8 Feb 2017 11:38:08 +0100
Subject: [PATCH] Tests: Basic coverage with tree root domain

Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489
---
 ipatests/test_integration/test_legacy_clients.py | 100 +++
 1 file changed, 100 insertions(+)

diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 8bd680a..56c6b19 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -58,6 +58,8 @@ class BaseTestLegacyClient(object):
 testuser_gid_regex = None
 subdomain_testuser_uid_regex = None
 subdomain_testuser_gid_regex = None
+treedomain_testuser_uid_regex = None
+treedomain_testuser_gid_regex = None
 
 # To allow custom validation dependent on the trust type
 posix_trust = False
@@ -326,6 +328,91 @@ def test_login_disabled_subdomain_ad_user(self):
 
 assert result.returncode != 0
 
+def test_getent_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available.')
+
+self.clear_sssd_caches()
+testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+result = self.legacy_client.run_command(['getent', 'passwd', testuser])
+
+testuser_regex = "treetestuser@%s:\*:%s:%s:"\
+ "TreeTest User:%s:"\
+ "/bin/sh"\
+ % (re.escape(self.ad_treedomain),
+ self.treedomain_testuser_uid_regex,
+ self.treedomain_testuser_gid_regex,
+ self.homedir_template.format(
+ username='treetestuser',
+ domain=re.escape(self.ad_treedomain))
+ )
+
+assert re.search(testuser_regex, result.stdout_text)
+
+def test_getent_treedomain_ad_group(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available')
+
+self.clear_sssd_caches()
+testgroup = 'treetestgroup@{0}'.format(self.ad_treedomain)
+result = self.legacy_client.run_command(['getent', 'group', testgroup])
+
+testgroup_stdout = "{0}:\*:{1}:".format(testgroup,
+ self.treedomain_testuser_gid_regex)
+
+assert re.search(testgroup_stdout, result.stdout_text)
+
+def test_id_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available')
+
+self.clear_sssd_caches()
+
+testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+testgroup = 'treetestgroup@{0}'.format(self.ad_treedomain)
+
+result = self.legacy_client.run_command(['id', testuser])
+
+# Only for POSIX trust testing does the testuser belong to the
+# testgroup
+
+group_name = '\({}\)'.format(testgroup) if self.posix_trust else ''
+
+uid_regex = "uid={0}\({1}\)".format(self.treedomain_testuser_uid_regex,
+testuser)
+
+gid_regex = "gid={0}{1}".format(self.treedomain_testuser_gid_regex,
+group_name)
+
+group_regex = "groups={0}{1}".format(self.treedomain_testuser_gid_regex,
+  group_name)
+
+assert re.search(uid_regex, result.stdout_text)
+assert re.search(gid_regex, result.stdout_text)
+assert re.search(group_regex, result.stdout_text)
+
+def test_login_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available.')
+
+if not self.master.transport.file_exists('/usr/bin/sshpass'):
+raise nose.SkipTest('Package sshpass not available on %s'
+%self.master.hostname)
+
+testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+result = self.master.run_command(
+'sshpass -p %s '
+'ssh '
+'-o StrictHostKeyChecking=no '
+'-l admin '
+'%s '
+'"echo test"' %
+ (self.legacy_client.config.admin_password,
+ self.legacy_client.external_hostname))
+
+  
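Review bot: the regex patterns in `test_getent_treedomain_ad_user`, `test_getent_treedomain_ad_group` and `test_id_treedomain_ad_user` use `\*`, `\(` and `\)` inside plain string literals; make them raw strings (`r"treetestuser@%s:\*:%s:%s:"`, `r"{0}:\*:{1}:"`, `r'\({}\)'`) so the backslashes are unambiguous regex escapes rather than invalid string escapes. The skip messages differ only by a trailing period ("is not available." vs "is not available"); pick one. The hunk is truncated after the `sshpass` call in `test_login_treedomain_ad_user`, so the rest of that test could not be reviewed here.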

[Freeipa-devel] [freeipa PR#431][+ack] py3: ldapupdate: fix logging str(bytes) issue

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/431
Title: #431: py3: ldapupdate: fix logging str(bytes) issue

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#447][comment] AD trust installer modularization: prelude

2017-02-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/447
Title: #447: AD trust installer modularization: prelude

abbra commented:
"""
LGTM -- I haven't run the code but read through it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/447#issuecomment-278370312
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 06d613cbcba799b0510fd3e4b7245a94de12aa1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
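Review bot: wording: "To build only python2 packages on fedora following steps are required:" reads better as "To build only Python 2 packages on Fedora, run:". It would also help to add one sentence saying that this works because the spec now honours a `with_python3` macro passed via `--define`, which is the point of the freeipa.spec.in change in this patch.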
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
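Review bot: appending `$(RPMBUILD_OPTS)` unquoted is what lets `--define 'with_python3 0'` reach rpmbuild as two shell words, which is intended, but a one-line comment above the rule saying that values with spaces must carry their own shell quoting would save the next person a surprise. The unchanged context line `rm -f rm -f $(top_builddir)/.version` repeats `rm -f`; worth fixing while you are touching this rule (the same line appears in `_srpms-body`).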
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
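Review bot: `%if 0%{?with_python3:1}` is correct (it tests whether the macro is defined, not its value) but the idiom is obscure, and the `# with_python3 already defined` branch is otherwise empty; expand the comment to say "honour with_python3 when passed via rpmbuild --define" so the intent survives. The `%else` branch keeps the existing RHEL/Fedora defaulting untouched, so the change is safe for the normal build.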

From 27cf7f47de77db640a8c17f99cf482469b34f090 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..3637692 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="--define 'with_python3 0'"
+else
+env_opt=""
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
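Review bot: removing `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` leaves `$PYTHON` unset for any matrix entry that does not define it. In the accompanying `.travis.yml` hunk only the two `run-tests` entries set `PYTHON=/usr/bin/python2`; the `lint` entry sets nothing, so that job will now pass an empty `PYTHON=` into the container and `env_opt` will take the empty branch. Either set `PYTHON` for the lint entry too or keep a default with `PYTHON="${PYTHON:-/usr/bin/python${TRAVIS_PYTHON_VERSION}}"`.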
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment "RPMBUILD_OPTS=\"$env_opt\"" \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
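Review bot: `--container-environment "RPMBUILD_OPTS=\"$env_opt\""` puts literal double quotes into the variable's value, so inside the container `RPMBUILD_OPTS` is `"--define 'with_python3 0'"` including the `"` characters. Because make substitutes `$(RPMBUILD_OPTS)` into the recipe text before the shell parses it, those double quotes make the whole thing one word and the inner single quotes then reach rpmbuild literally as part of the macro definition. Drop the inner `\"...\"` and pass `"RPMBUILD_OPTS=$env_opt"` so the shell sees `--define 'with_python3 0'` and splits it into the two arguments rpmbuild expects.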

From 04f2f3763249850a529180f92cb1295ba89f515e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that, this temporary config file will be removed and only the
previous one will be used again
---
 .test_runner_config_py3_temp.yaml | 61 ++
 .travis.yml   | 90 ++-
 2 files changed, 150 

[Freeipa-devel] [freeipa PR#444][synchronized] Allow nsaccountlock to be searched in user-find and user-show commands

2017-02-08 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444
From 7d05370406628ddc6dfaffeb81b8df31b72ea255 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 8 Feb 2017 08:30:02 -0700
Subject: [PATCH] Allow nsaccountlock to be searched in user-find and user-show
 commands

This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-show` and `ipa user-find` commands without
breaking API compatibility.
---
 ipaserver/plugins/user.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 1ef71d2..0194f1b 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -780,6 +780,14 @@ class user_find(baseuser_find):
 ),
 )
 
+def get_options(self):
+for option in super(user_find, self).get_options():
+if option.name == 'nsaccountlock':
+flags = set(option.flags)
+flags.remove('no_option')
+option = option.clone(flags=flags)
+yield option
+
 def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
 assert isinstance(base_dn, DN)
 self.pre_common_callback(ldap, filter, attrs_list, base_dn, scope,
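Review bot: `flags.remove('no_option')` raises `KeyError` if the inherited `nsaccountlock` option ever stops carrying the `no_option` flag; `flags.discard('no_option')` expresses the intent without that failure mode. The same eight lines are repeated verbatim in `user_show.get_options` below; a small helper on the shared base class (or a module-level function taking the option) would keep the two copies in sync.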
@@ -830,6 +838,14 @@ class user_show(baseuser_show):
 ),
 )
 
+def get_options(self):
+for option in super(user_show, self).get_options():
+if option.name == 'nsaccountlock':
+flags = set(option.flags)
+flags.remove('no_option')
+option = option.clone(flags=flags)
+yield option
+
 def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
 dn = self.obj.get_either_dn(*keys, **options)
 self.pre_common_callback(ldap, dn, attrs_list, *keys, **options)

[Freeipa-devel] [freeipa PR#447][opened] AD trust installer modularization: prelude

2017-02-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/447
Author: martbab
 Title: #447: AD trust installer modularization: prelude
Action: opened

PR body:
"""
This PR is more of a preparatory work for modularization of AD trust installer
code. The code was formatted to conform with PEP-8, explicit exit statements
were replaced with exceptions and minor pylint issues were fixed.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/447/head:pr447
git checkout pr447
From b0588f7dd7b35e5158e8d583c0ff91b11fac11bf Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 3 Feb 2017 10:33:49 +0100
Subject: [PATCH 1/3] ipa-adtrust-install: format the code for PEP-8 compliance

https://fedorahosted.org/freeipa/ticket/6629
---
 install/tools/ipa-adtrust-install | 225 --
 1 file changed, 144 insertions(+), 81 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 8d927f1..b76efb7 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -51,6 +51,7 @@ if six.PY3:
 
 log_file_name = paths.IPASERVER_INSTALL_LOG
 
+
 def parse_options():
 parser = IPAOptionParser(version=version.VERSION)
 parser.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -66,10 +67,12 @@ def parse_options():
   help="Start value for mapping UIDs and GIDs to RIDs")
 parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
   type=int, default=1,
-  help="Start value of the secondary range for mapping " \
+  help="Start value of the secondary range for mapping "
"UIDs and GIDs to RIDs")
-parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
-  default=False, help="unattended installation never prompts the user")
+parser.add_option("-U", "--unattended", dest="unattended",
+  action="store_true",
+  default=False,
+  help="unattended installation never prompts the user")
 parser.add_option("-a", "--admin-password",
   sensitive=True, dest="admin_password",
   help="admin user kerberos password")
@@ -77,25 +80,29 @@ def parse_options():
   sensitive=True, dest="admin_name", default='admin',
   help="admin user principal")
 parser.add_option("--add-sids", dest="add_sids", action="store_true",
-  default=False, help="Add SIDs for existing users and" \
+  default=False, help="Add SIDs for existing users and"
   " groups as the final step")
 parser.add_option("--add-agents", dest="add_agents", action="store_true",
-  default=False, help="Add IPA masters to a list of hosts allowed to serve" \
-  "information about users from trusted forests")
+  default=False,
+  help="Add IPA masters to a list of hosts allowed to "
+  "serve information about users from trusted forests")
 parser.add_option("--enable-compat",
   dest="enable_compat", default=False, action="store_true",
-  help="Enable support for trusted domains for old clients")
+  help="Enable support for trusted domains for old "
+   "clients")
 
 options, _args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
 
 return safe_options, options
 
+
 def netbios_name_error(name):
 print("\nIllegal NetBIOS name [%s].\n" % name)
 print("Up to 15 characters and only uppercase ASCII letters, digits "
   "and dashes are allowed. Empty string is not allowed.")
 
+
 def read_netbios_name(netbios_default):
 netbios_name = ""
 
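Review bot: the `--add-agents` help text is not only reformatted: the old literals `"... allowed to serve" \` and `"information about ..."` had no space between them, so the option used to render "serveinformation". Since this is a user-visible string change hidden inside a PEP-8 commit, mention it in the commit message.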
@@ -108,7 +115,8 @@ def read_netbios_name(netbios_default):
 if not netbios_default:
 netbios_default = "EXAMPLE"
 while True:
-netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
+netbios_name = ipautil.user_input(
+"NetBIOS domain name", netbios_default, allow_empty=False)
 print("")
 if adtrustinstance.check_netbios_name(netbios_name):
 break
@@ -117,13 +125,17 @@ def read_netbios_name(netbios_default):
 
 return netbios_name
 
+
 def read_admin_password(admin_name):
-print("Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name))
-print("This user is a regular system account used for IPA server administration.")
+print("Configuring cross-realm trusts for IPA server requires password "
+  "for user '%s'." % (admin_name))
+

[Freeipa-devel] [freeipa PR#443][synchronized] Stronger check for DM password during server install

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
 Title: #443: Stronger check for DM password during server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443
From 70d790cc12020a852e1c67c72bb434770ed5cd16 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Dec 2016 16:58:27 +0100
Subject: [PATCH] Stronger check for DM password during server install

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/install.py | 21 +
 1 file changed, 21 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..2b0893e 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -54,6 +54,22 @@
 SYSRESTORE_DIR_PATH = paths.SYSRESTORE
 
 
+def check_password_fips_nssdb_compatible(password):
+"""
+Check whether the given password can be used for NSSDB setup in FIPS mode
+"""
+gotnumeric = any(c.isdigit() for c in password[:-1])
+gotupper = any(c.isupper() for c in password[1:])
+gotlower = any(c.islower() for c in password)
+gotspecial = not password.isalnum()
+classes = sum([gotnumeric, gotupper, gotlower, gotspecial])
+if classes < 3:
+raise ValueError("Password must contain at least one character "
+ "from each of three out of these four character "
+ "classes: numeric, uppercase letters, lowercase "
+ "letters and special symbols.")
+
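Review bot: the slices `password[:-1]` for digits and `password[1:]` for uppercase are deliberate (NSS in FIPS mode does not count a leading uppercase letter or a trailing digit toward the character classes), but nothing in the function says so; add a comment, and make the error message mention the rule. Otherwise a user entering e.g. `Secret12` is told the password lacks three classes it visibly contains: the only uppercase letter is first and is ignored, so `classes` comes out as 2.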
+
 def validate_dm_password(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
@@ -78,6 +94,11 @@ def validate_dm_password(password):
 if password.strip() != password:
 raise ValueError('Password must not start or end with whitespace.')
 
+# DM password is used somewhere during install to set up an NSS database
+# therefore it must comply to NSS in FIPS password requirements
+if tasks.is_fips_enabled():
+check_password_fips_nssdb_compatible(password)
+
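Review bot: the comment "is used somewhere during install to set up an NSS database" is vague; name the step and the NSS database that receives the Directory Manager password, so the next person can tell whether this check is still needed when that step changes. Since PR#445 on this list removes the blanket FIPS refusal from the installers, this validation is what makes a FIPS install fail early with a usable message instead of failing inside NSS.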
 
 def validate_admin_password(password):
 if len(password) < 8:

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 06d613cbcba799b0510fd3e4b7245a94de12aa1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
 
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From 95d57e6580a466693ff737006e9336b671bec95c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..90bc039 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="\"RPMBUILD_OPTS=--define 'with_python3 0'\""
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
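Review bot: `--container-environment $env_opt` expands `$env_opt` unquoted, so the shell word-splits `"RPMBUILD_OPTS=--define 'with_python3 0'"` into `"RPMBUILD_OPTS=--define`, `'with_python3` and `0'"`; the escaped quotes in the assignment are literal characters, not re-parsed shell quoting. Set `env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"` (no inner `\"`) in the previous hunk and pass it here as `--container-environment "$env_opt"`, which also keeps the empty `RPMBUILD_OPTS=` branch working.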

From 23ade9c30793ef61ddecef2c39e254eb87e71d77 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that, this temporary config file will be removed and only the
previous one will be used again
---
 .test_runner_config_py3_temp.yaml | 61 ++
 .travis.yml   | 90 ++-
 2 files changed, 150 

[Freeipa-devel] [freeipa PR#446][edited] No NSS database passwords in ipa-client-install

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: edited

 Changed field: body
Original value:
"""
With this patchset, ipa-client-install should not ask for an NSS database password.

Prerequisite:
https://github.com/freeipa/freeipa/pull/367
"""


[Freeipa-devel] [freeipa PR#446][edited] Certdb passwd

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: Certdb passwd
Action: edited

 Changed field: title
Original value:
"""
Certdb passwd
"""


[Freeipa-devel] [freeipa PR#445][opened] Remove is_fips_enabled checks in installers and ipactl

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/445
Author: stlaz
 Title: #445: Remove is_fips_enabled checks in installers and ipactl
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/445/head:pr445
git checkout pr445
From 2895c109a64fe3f10ef762ed60671d361c9d085d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 08:55:56 +0100
Subject: [PATCH] Remove is_fips_enabled checks in installers and ipactl

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipactl   |  3 ---
 ipaclient/install/client.py|  5 -
 ipaserver/install/server/install.py|  4 
 ipaserver/install/server/replicainstall.py | 11 ++-
 4 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipactl b/install/tools/ipactl
index c34f1cb..f375a87 100755
--- a/install/tools/ipactl
+++ b/install/tools/ipactl
@@ -543,9 +543,6 @@ def main():
 elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
 raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
-if tasks.is_fips_enabled():
-raise IpactlError("Starting IPA server in FIPS mode is not supported")
-
 # check if IPA is configured at all
 try:
 check_IPA_configuration()
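Review bot: with this check gone, `ipactl start` on a FIPS host proceeds unconditionally, which is right only if the rest of the stack now runs in FIPS mode; the commit message is just the ticket link, so please state that FIPS is now supported at runtime and which component checks remain (the replica-file path below still refuses), rather than only that checks were removed.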
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..2b01b0d 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1953,11 +1953,6 @@ def install_check(options):
 "You must be root to run ipa-client-install.",
 rval=CLIENT_INSTALL_ERROR)
 
-if tasks.is_fips_enabled():
-raise ScriptError(
-"Installing IPA client in FIPS mode is not supported",
-rval=CLIENT_INSTALL_ERROR)
-
 tasks.check_selinux_status()
 
 if is_ipa_client_installed(fstore, on_master=options.on_master):
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..8178d4e 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -304,10 +304,6 @@ def install_check(installer):
 external_ca_file = installer._external_ca_file
 http_ca_cert = installer._ca_cert
 
-if tasks.is_fips_enabled():
-raise RuntimeError(
-"Installing IPA server in FIPS mode is not supported")
-
 tasks.check_selinux_status()
 
 if options.master_password:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..bb17878 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -527,10 +527,6 @@ def check_remote_version(api):
 
 
 def common_check(no_ntp):
-if tasks.is_fips_enabled():
-raise RuntimeError(
-"Installing IPA server in FIPS mode is not supported")
-
 tasks.check_selinux_status()
 
 if is_ipa_configured():
@@ -659,7 +655,12 @@ def install_check(installer):
 filename = installer.replica_file
 installer._enrollment_performed = False
 
-# check FIPS, selinux status, http and DS ports, NTP conflicting services
+if tasks.is_fips_enabled():
+raise RuntimeError(
+"Installing IPA server in FIPS mode on domain level 0 is not "
+"supported")
+
+# check selinux status, http and DS ports, NTP conflicting services
 common_check(options.no_ntp)
 
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
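Review bot: the new check raises `RuntimeError`, while the equivalent client-side check removed in this same patch used `ScriptError(..., rval=...)`; for a user-facing precondition in the installer, `ScriptError` gives a clean exit status and message instead of a traceback, and matches the direction of the `check_remote_version` change posted earlier on this list. The "domain level 0" wording is good since the message is now specific to the replica-file path.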

[Freeipa-devel] [freeipa PR#444][opened] Allow nsaccountlock to be searched in user-find and user-show commands

2017-02-08 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find and user-show commands
Action: opened

PR body:
"""
This patch provides the ability to search and find users who are 
enabled/disabled in `ipa user-show` and `ipa user-find` commands without 
breaking API compatibility.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444
From 18e84015160f911049aa9451651bcf2a8c167204 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 8 Feb 2017 08:06:00 -0700
Subject: [PATCH] Allow nsaccountlock to be searched in user-find and user-show
 commands

This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-show` and `ipa user-find` commands without
breaking API compatibility.
---
 ipaserver/plugins/user.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 1ef71d2..f7ac3ef 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -780,6 +780,14 @@ class user_find(baseuser_find):
 ),
 )
 
+def get_options(self):
+for option in super(user_find, self).get_options():
+if options.name == 'nsaccountlock':
+flags = set(option.flags)
+flags.remove('no_option')
+option = option.clone(flags=flags)
+yield option
+
 def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
 assert isinstance(base_dn, DN)
 self.pre_common_callback(ldap, filter, attrs_list, base_dn, scope,
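Review bot: `if options.name == 'nsaccountlock':` refers to `options`, which is not defined in `get_options`; the loop variable is `option`, so this raises `NameError` as soon as the command's options are enumerated. The same typo is in `user_show.get_options` in the next hunk. (The synchronized revision of this PR earlier on this page has `option.name`, so it looks like this was already caught.)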
@@ -830,6 +838,14 @@ class user_show(baseuser_show):
 ),
 )
 
+def get_options(self):
+for option in super(user_show, self).get_options():
+if options.name == 'nsaccountlock':
+flags = set(option.flags)
+flags.remove('no_option')
+option = option.clone(flags=flags)
+yield option
+
 def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
 dn = self.obj.get_either_dn(*keys, **options)
 self.pre_common_callback(ldap, dn, attrs_list, *keys, **options)

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From 06d613cbcba799b0510fd3e4b7245a94de12aa1e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 14:56:39 +0100
Subject: [PATCH 1/3] Build: allow to build only py2 rpms for fedora

This is more or less for testing purposes of py2/py3 compatibility
---
 BUILD.txt   | 5 +
 Makefile.am | 4 ++--
 freeipa.spec.in | 4 
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/BUILD.txt b/BUILD.txt
index 620adc3..9b5ff1d 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -30,6 +30,11 @@ It may be possible to do a simple make install but this has not been
 well-tested. Additional work is done in pre/post install scripts in the ipa
 spec file.
 
+To build only python2 packages on fedora following steps are required:
+$ autoreconf -i
+$ ./configure
+$ make rpms RPMBUILD_OPTS="--define 'with_python3 0'"
+
 Developing plugins
 --
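Review bot: the new BUILD.txt sentence reads awkwardly; suggest `To build only the python2 packages on Fedora, run:` followed by the three commands. It would also help to state that `RPMBUILD_OPTS` is passed straight through to `rpmbuild`, so any other `--define` can be supplied the same way.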
 
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..0ad50e4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -106,7 +106,7 @@ rpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _rpms-body
 
 _rpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -ba $(top_builddir)/$(PACKAGE).spec  $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/RPMS/*/*$$(cat $(top_builddir)/.version)*.rpm $(top_builddir)/dist/rpms/
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
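Review bot: the `-ba` line in `_rpms-body` now has two spaces before `$(RPMBUILD_OPTS)` while the `-bs` line in the next hunk uses one; make the two consistent. The unchanged `rm -f rm -f $(top_builddir)/.version` in the context passes a literal `rm` and a second `-f` as arguments; harmless thanks to `-f`, but worth cleaning up while these targets are being touched.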
@@ -115,7 +115,7 @@ srpms: $(VERSION_UPDATE_TARGET)
 	$(MAKE) _srpms-body
 
 _srpms-body: _rpms-prep
-	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec
+	rpmbuild --define "_topdir $(RPMBUILD)" -bs $(top_builddir)/$(PACKAGE).spec $(RPMBUILD_OPTS)
 	cp $(RPMBUILD)/SRPMS/*$$(cat $(top_builddir)/.version)*.src.rpm $(top_builddir)/dist/srpms/
 	rm -f rm -f $(top_builddir)/.version
 
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 27a979c..7e77b32 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -2,11 +2,15 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?with_python3:1}
+# with_python3 already defined
+%else
 %if 0%{?rhel}
 %global with_python3 0
 %else
 %global with_python3 1
 %endif
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1

From 7c5f2fe33ad20259dfe082a5a291c6d0ace8dfe4 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 17:23:54 +0100
Subject: [PATCH 2/3] Travis: build only py2 packages for py2 testing

We will be testing both py2 and py3 packages; the first step is to use only py2
builds for testing py2 packages
---
 .travis.yml |  2 ++
 .travis_run_task.sh | 10 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 6301974..402c3ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,8 +15,10 @@ env:
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_xmlrpc/test_[a-k]*.py"
 - TASK_TO_RUN="run-tests"
+  PYTHON=/usr/bin/python2
   TESTS_TO_RUN="test_cmdline
 test_install
 test_ipalib
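Review bot: `PYTHON=/usr/bin/python2` is added only to the two `run-tests` matrix entries, but the next hunk removes the `PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"` default from `.travis_run_task.sh`, so the `lint` entry now runs with `PYTHON` unset and `--container-environment "PYTHON=$PYTHON"` passes an empty value into the container. Either set `PYTHON` for the `lint` entry as well or keep a fallback in the script.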
diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 7d050b0..da0b88f 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -4,10 +4,17 @@
 #
 # NOTE: this script is intended to run in Travis CI only
 
-PYTHON="/usr/bin/python${TRAVIS_PYTHON_VERSION}"
 test_set=""
 developer_mode_opt="--developer-mode"
 
+if [[ $PYTHON == "/usr/bin/python2" ]]
+then
+env_opt="'RPMBUILD_OPTS=--define \'with_python3 0\''"
+else
+env_opt="RPMBUILD_OPTS="
+fi
+
+
 function truncate_log_to_test_failures() {
 # chop off everything in the CI_RESULTS_LOG preceding pytest error output
 # if there are pytest errors in the log
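Review bot: the quoting in `env_opt="'RPMBUILD_OPTS=--define \'with_python3 0\''"` does not do what it looks like: inside double quotes bash keeps `\'` literally, so `env_opt` ends up containing the outer single quotes and the backslashes verbatim, and once it is expanded unquoted (`--container-environment $env_opt` in the next hunk) it is split into three separate words. Suggest `env_opt="RPMBUILD_OPTS=--define 'with_python3 0'"` and passing it as `"$env_opt"`. Also, with the `PYTHON=...` default removed there is no fallback when the matrix entry does not export the variable; the `[[ $PYTHON == "/usr/bin/python2" ]]` test then silently takes the `else` branch.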
@@ -43,6 +50,7 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 -c $TEST_RUNNER_CONFIG \
 $developer_mode_opt \
 --container-environment "PYTHON=$PYTHON" \
+--container-environment $env_opt \
 --container-image $TEST_RUNNER_IMAGE \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
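Review bot: `--container-environment $env_opt` is unquoted, so the value assigned in the previous hunk (which contains a space between `--define` and `'with_python3 0'`) is word-split into several arguments before `ipa-docker-test-runner` sees it. Quote it as `"$env_opt"`, matching the quoted `"PYTHON=$PYTHON"` on the line above.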

From 97c17b98fc7922f721f70dc4f5f2ccda56623983 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that, this temporary config file will be removed and only the
previous one will be used again
---
 .test_runner_config_py3_temp.yaml | 61 ++
 .travis.yml   | 90 ++-
 2 files changed, 150 

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

pvoborni commented:
"""
I've added acceptance criteria and user story to the related FreeIPA ticket.

I miss a "how to use" part - a specific example. This should be in the FreeIPA.org
wiki, e.g. in the design page (the rest of the design page can be the copied user story and
empty), but the "how to use" section with both auth methods is a critical part.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-278354671

[Freeipa-devel] [freeipa PR#426][+pushed] DNSSEC: forwarders validation improvement

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

Label: +pushed

[Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/387a1513bb9dc0dc546753bfaa8a59aae8f30b83
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/426#issuecomment-278351747

[Freeipa-devel] [freeipa PR#426][closed] DNSSEC: forwarders validation improvement

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/426
Author: MartinBasti
 Title: #426: DNSSEC: forwarders validation improvement
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/426/head:pr426
git checkout pr426

[Freeipa-devel] [freeipa PR#439][synchronized] [WIP] [Py3] testing both py2/py3 in travis

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/439
Author: MartinBasti
 Title: #439: [WIP] [Py3] testing both py2/py3 in travis
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/439/head:pr439
git checkout pr439
From aa180046761cbd7b5ca5c2a213d08d2aa443e4b9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 18:29:08 +0100
Subject: [PATCH 3/3] Travis: enable temporal Py3 testing

This test config is temporary until all plugins are migrated to py3.
After that, this temporary config file will be removed and only the
previous one will be used again
---
 .test_runner_config_py3_temp.yaml | 61 ++
 .travis.yml   | 91 ++-
 2 files changed, 151 

[Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

2017-02-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

pvoborni commented:
"""
Function check_password_fips_nssdb_compatible looks like a great candidate for
a unit test.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/443#issuecomment-278350912

[Freeipa-devel] [freeipa PR#426][+ack] DNSSEC: forwarders validation improvement

2017-02-08 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

Label: +ack

[Freeipa-devel] [freeipa PR#440][comment] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d38540acd614bcaa489023401fc8db7c02cd3892
https://fedorahosted.org/freeipa/changeset/6bb5af7bea21d44b4e5ee20cfaa2f76b12ea0929
https://fedorahosted.org/freeipa/changeset/a5ccdc16cbcec433ef061dfe65515e32c3021ea2
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/440#issuecomment-278346715

[Freeipa-devel] [freeipa PR#440][closed] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/440
Author: MartinBasti
 Title: #440: [Py3] fix various issues in tests related to BytesWarning
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/440/head:pr440
git checkout pr440

[Freeipa-devel] [freeipa PR#440][+pushed] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

Label: +pushed

[Freeipa-devel] [freeipa PR#440][comment] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

MartinBasti commented:
"""
The last commit has wrong ticket
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/440#issuecomment-278346559

[Freeipa-devel] [freeipa PR#440][synchronized] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/440
Author: MartinBasti
 Title: #440: [Py3] fix various issues in tests related to BytesWarning
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/440/head:pr440
git checkout pr440
From 2196847478d8cb9b7a6f69db3b20b26360ffe7f1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Feb 2017 15:48:19 +0100
Subject: [PATCH 1/3] py3: DN: fix BytesWarning

Use repr() instead of str() for bytes; it has the same effect, but it
is the proper way to print bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/dn.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dn.py b/ipapython/dn.py
index 2f7655d..4e8c22b 100644
--- a/ipapython/dn.py
+++ b/ipapython/dn.py
@@ -452,7 +452,7 @@ def _adjust_indices(start, end, length):
 
 def _normalize_ava_input(val):
 if six.PY3 and isinstance(val, bytes):
-raise TypeError('expected str, got bytes: %s' % val)
+raise TypeError('expected str, got bytes: %r' % val)
 elif not isinstance(val, six.string_types):
 val = val_encode(six.text_type(val))
 elif six.PY2 and isinstance(val, unicode):

From 3f5564741e3eb1927ee34f5c9834d41c6282142d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Feb 2017 16:51:21 +0100
Subject: [PATCH 2/3] py3: get_memberofindirect: fix ByteWarnings

DN must be converted to bytes as other variables and lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py  | 6 --
 ipaserver/plugins/baseldap.py | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 497b947..4de8a21 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -379,8 +379,10 @@ def _set_raw(self, name, value):
 name, value.__class__.__name__, value))
 for (i, item) in enumerate(value):
 if not isinstance(item, bytes):
-raise TypeError("%s[%d] value must be str, got %s object %r" % (
-name, i, item.__class__.__name__, item))
+raise TypeError(
+"%s[%d] value must be bytes, got %s object %r" % (
+name, i, item.__class__.__name__, item)
+)
 
 name = self._add_attr_name(name)
 
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index e7bf43c..94c8547 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -722,7 +722,7 @@ def get_memberofindirect(self, entry):
 direct = set()
 indirect = set(entry.raw.get('memberof', []))
 for group_entry in result:
-dn = str(group_entry.dn)
+dn = str(group_entry.dn).encode('utf-8')
 if dn in indirect:
 indirect.remove(dn)
 direct.add(dn)
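Review bot: `str(group_entry.dn).encode('utf-8')` behaves differently on the two interpreters: on Python 3 it turns the text DN into bytes as intended, but on Python 2 `str()` already returns a byte string and `.encode()` on it performs an implicit ASCII decode first, so a DN containing any non-ASCII byte would raise UnicodeDecodeError there. Something like `six.text_type(group_entry.dn).encode('utf-8')` (or whichever form `entry.raw['memberof']` actually stores) gives the same bytes on both.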

From a34e9db9711e8e63a35655b50a2e8fd875018746 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 7 Feb 2017 13:37:56 +0100
Subject: [PATCH 3/3] py3: test_ipaserver: fix BytesWarnings

https://fedorahosted.org/freeipa/ticket/4985
---
 ipatests/test_ipaserver/test_rpcserver.py | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_ipaserver/test_rpcserver.py b/ipatests/test_ipaserver/test_rpcserver.py
index 6cc2472..7ee94d3 100644
--- a/ipatests/test_ipaserver/test_rpcserver.py
+++ b/ipatests/test_ipaserver/test_rpcserver.py
@@ -62,7 +62,7 @@ def test_not_found():
 url = '/ipa/foo/stuff'
 assert_equal(
 f.not_found(None, s, url, None),
-[t % dict(url='/ipa/foo/stuff')]
+[(t % dict(url='/ipa/foo/stuff')).encode('utf-8')]
 )
 assert s.status == '404 Not Found'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
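Review bot: the `(t % dict(...)).encode('utf-8')` wrapping added here is repeated in all four hunks of this file; a small helper such as `def _rendered(t, **kw): return [(t % kw).encode('utf-8')]` used in each `assert_equal` would keep the assertions readable and keep the encoding decision in one place.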
@@ -72,7 +72,9 @@ def test_not_found():
 url ='' + 'do_bad_stuff();'
 assert_equal(
 f.not_found(None, s, url, None),
-[t % dict(url='nbsp;scriptdo_bad_stuff();/script')]
+[(t % dict(
+url='nbsp;scriptdo_bad_stuff();/script')
+).encode('utf-8')]
 )
 assert s.status == '404 Not Found'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
@@ -86,7 +88,7 @@ def test_bad_request():
 
 assert_equal(
 f.bad_request(None, s, 'illegal request'),
-[t % dict(message='illegal request')]
+[(t % dict(message='illegal request')).encode('utf-8')]
 )
 assert s.status == '400 Bad Request'
 assert s.headers == [('Content-Type', 'text/html; charset=utf-8')]
@@ -100,7 +102,7 @@ def test_internal_error():
 
 assert_equal(
 f.internal_error(None, s, 'request failed'),
-[t % dict(message='request failed')]
+[(t % dict(message='request failed')).encode('utf-8')]
 )
 assert s.status == '500 Internal Server Error'
   

[Freeipa-devel] [freeipa PR#428][synchronized] [Py3] ipa-server-install

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/428
Author: MartinBasti
 Title: #428: [Py3] ipa-server-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/428/head:pr428
git checkout pr428
From 4d367dfa6e02858132f62e5695714939310c1637 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 17:00:42 +0100
Subject: [PATCH 01/11] py3: modify_s: attribute name must be str not bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 37d23d7..3df82b3 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -727,7 +727,7 @@ def modify_s(self, dn, modlist):
 # FIXME: for backwards compatibility only
 assert isinstance(dn, DN)
 dn = str(dn)
-modlist = [(a, self.encode(b), self.encode(c)) for a, b, c in modlist]
+modlist = [(a, b, self.encode(c)) for a, b, c in modlist]
 return self.conn.modify_s(dn, modlist)
 
 @property

From 9a045ddb67760192766923cd5a597227d5a4edda Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 17:33:44 +0100
Subject: [PATCH 02/11] py3: configparser: use raw keyword

configparser.get() changed in python3 and `raw` is now a keyword attribute.

Also it must be set to True, otherwise InterpolationSyntaxError is raised

'''
InterpolationSyntaxError: '%' must be followed by '%' or '(', found:
'%2fvar%2frun%2fslapd-EXAMPLE-COM.socket'
'''

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/kem.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 143caaf..3577975 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -181,7 +181,7 @@ def __init__(self, config=None, ipaconf=paths.IPA_DEFAULT_CONF):
 self.realm = conf.get('global', 'realm')
 self.ldap_uri = config.get('ldap_uri', None)
 if self.ldap_uri is None:
-self.ldap_uri = conf.get('global', 'ldap_uri', None)
+self.ldap_uri = conf.get('global', 'ldap_uri', raw=True)
 self._server_keys = None
 
 def find_key(self, kid, usage):
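Review bot: the dropped third positional argument `None` was not a default value: in the Python 2 `ConfigParser.get(section, option, raw, vars)` signature it was `raw` (which is why interpolation was attempted and `%2f` blew up), and Python 3's `get()` accepts no positional default at all. The new `conf.get('global', 'ldap_uri', raw=True)` therefore raises `NoOptionError` when `ldap_uri` is missing from `ipa.conf` instead of leaving `self.ldap_uri` as `None`; if that fallback is wanted, pass `fallback=None` (py3) or catch `NoOptionError`. `raw=True` itself is the right fix for the interpolation error.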

From 7dcd8723ef638c23b7d22a0f36cf242cc8aef71c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 18:10:37 +0100
Subject: [PATCH 03/11] py3: custodia: basedn must be unicode

basedn in custodia-related modules has type bytes, which causes issues in
Py3 when strings are concatenated with bytes

```
malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'"
```

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/secrets/common.py b/ipaserver/secrets/common.py
index 2b906b6..f3dc320 100644
--- a/ipaserver/secrets/common.py
+++ b/ipaserver/secrets/common.py
@@ -23,7 +23,7 @@ def basedn(self):
 if self._basedn is None:
 conn = self.connect()
 r = conn.search_s('', ldap.SCOPE_BASE)
-self._basedn = r[0][1]['defaultnamingcontext'][0]
+self._basedn = r[0][1]['defaultnamingcontext'][0].decode('utf-8')
 return self._basedn
 
 def connect(self):

From b07246ffe79a5dd00a9ab02c7f6ae23260e4cecd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 18:11:42 +0100
Subject: [PATCH 04/11] py3: kem.py: user bytes with ldap values

python ldap requires bytes as values

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/kem.py | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 3577975..5d784b7 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -130,13 +130,13 @@ def set_key(self, usage, principal, key):
 service_rdn = ('cn', servicename) if servicename != 'host' else DN()
 dn = str(DN(('cn', name), service_rdn, self.keysbase))
 try:
-mods = [('objectClass', ['nsContainer',
- 'ipaKeyPolicy',
- 'ipaPublicKeyObject',
- 'groupOfPrincipals']),
-('cn', name),
-('ipaKeyUsage', RFC5280_USAGE_MAP[usage]),
-('memberPrincipal', principal),
+mods = [('objectClass', [b'nsContainer',
+ b'ipaKeyPolicy',
+ b'ipaPublicKeyObject',
+ b'groupOfPrincipals']),
+('cn', name.encode('utf-8')),
+('ipaKeyUsage', RFC5280_USAGE_MAP[usage].encode('utf-8')),
+('memberPrincipal', 

[Freeipa-devel] [freeipa PR#443][opened] Stronger check for DM password during server install

2017-02-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
 Title: #443: Stronger check for DM password during server install
Action: opened

PR body:
"""
The DM password is used as an NSS database password during server installation,
therefore it must comply with the NSS database password requirements in FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443
From 05a7a6c92a8360bd33e843619e789003735abc3f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Dec 2016 16:58:27 +0100
Subject: [PATCH] Stronger check for DM password during server install

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/install.py | 21 +
 1 file changed, 21 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index ef943f7..9ecbd01 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -54,6 +54,22 @@
 SYSRESTORE_DIR_PATH = paths.SYSRESTORE
 
 
+def check_password_fips_nssdb_compatible(password):
+"""
+Check whether the given password can be used for NSSDB setup in FIPS mode
+"""
+gotnumeric = any(c.isdigit() for c in password[:-1])
+gotupper = any(c.isupper() for c in password[1:])
+gotlower = any(c.islower() for c in password)
+gotspecial = password.isalnum()
+classes = sum([gotnumeric, gotupper, gotlower, gotspecial])
+if classes < 3:
+raise ValueError("Password must contain at least one character "
+ "from each of three out of these four character "
+ "classes: numeric, uppercase letters, lowercase "
+ "letters and special symbols.")
+
+
 def validate_dm_password(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
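Review bot: `gotspecial = password.isalnum()` in `check_password_fips_nssdb_compatible` is inverted: `str.isalnum()` is True exactly when the password contains no special character, so an all-alphanumeric password gets credit for the special-symbol class while a password that does contain a symbol does not. It should be `gotspecial = not password.isalnum()`. The `[:-1]` and `[1:]` slices on the numeric and uppercase checks look deliberate (a trailing digit or a leading capital not counting towards its class) but deserve a one-line comment saying so, and the function is self-contained enough that a unit test with a few passwords on each side of the boundary would have caught the inversion.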
@@ -78,6 +94,11 @@ def validate_dm_password(password):
 if password.strip() != password:
 raise ValueError('Password must not start or end with whitespace.')
 
+# DM password is used somewhere during install to set up an NSS database
+# therefore it must comply to NSS in FIPS password requirements
+if tasks.is_fips_enabled():
+check_password_fips_nssdb_compatible(password)
+
 
 def validate_admin_password(password):
 if len(password) < 8:
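Review bot: `tasks.is_fips_enabled()` is used in `validate_dm_password` but no import of `tasks` appears in the hunk; make sure the module already imports it (not visible in this context). In the new comment, "comply to" should be "comply with", and "somewhere during install" would be more useful if it named the step that creates the NSS database, since that is what justifies rejecting otherwise acceptable DM passwords on FIPS systems.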

[Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
From 2a54c73bb54b63cb966998db8a01b4224264af25 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 13:42:19 +0100
Subject: [PATCH 1/2] DNS: dns-update-system-record can create nsupdate file

Added option --out  creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585
---
 ipaclient/plugins/dns.py | 74 
 1 file changed, 68 insertions(+), 6 deletions(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..b3021ba 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -35,6 +35,7 @@
 from ipalib.parameters import Bool, Str
 from ipalib.plugable import Registry
 from ipalib import _, ngettext
+from ipalib import util
 from ipapython.dnsutil import DNSName
 
 if six.PY3:
@@ -417,6 +418,63 @@ def interactive_prompt_callback(self, kw):
 
 @register(override=True, no_fail=True)
 class dns_update_system_records(MethodOverride):
+record_groups = ('ipa_records', 'location_records')
+
+def get_options(self):
+for option in super(dns_update_system_records, self).get_options():
+yield option
+yield Str(
+'out?',
+include='cli',
+doc=_('file to store DNS records in nsupdate format')
+)
+
+def _standard_output(self, textui, result, labels):
+"""Print output in standard format common across the other plugins"""
+for key in self.record_groups:
+if result.get(key):
+textui.print_indented(u'{}:'.format(labels[key]), indent=1)
+for val in sorted(result[key]):
+textui.print_indented(val, indent=2)
+textui.print_line(u'')
+
+def _nsupdate_output_file(self, file, result, labels):
+"""Store data in nsupdate format in file"""
+def parse_rname_rtype(record):
+"""Get rname and rtype from textual representation of record"""
+l = record.split(' ', 4)
+return l[0], l[3]
+
+already_removed = set()
+for key in self.record_groups:
+if key in result:
+file.write("; {}\n".format(labels[key]))  # comment
+for val in sorted(result[key]):
+# delete old first
+r_name_type = parse_rname_rtype(val)
+if r_name_type not in already_removed:
+# remove it only once
+already_removed.add(r_name_type)
+file.write("update delete {rname} {rtype}\n".format(
+rname=r_name_type[0], rtype=r_name_type[1]
+))
+# add new
+file.write("update add {}\n".format(val))
+file.write("send\n\n")
+
+def forward(self, *keys, **options):
+# pop `out` before sending to server as it is only client side option
+out = options.pop('out', None)
+if out:
+util.check_writable_file(out)
+
+res = super(dns_update_system_records, self).forward(*keys, **options)
+
+if out:
+options['out'] = out
+
+return res
+
 def output_for_cli(self, textui, output, *args, **options):
 output_super = copy.deepcopy(output)
 super_res = output_super.get('result', {})
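Review bot: in `forward()`, the `options['out'] = out` after the `super()` call appears to have no effect on the caller: `**options` gives this method its own dict, so re-inserting the key is invisible to whoever later calls `output_for_cli`; if `output_for_cli` receives `out`, it is because the CLI passes its own kwargs, so this reassignment can be dropped or its intent documented. Smaller points in the same hunk: `parse_rname_rtype` assumes the `name ttl class type rdata` layout and raises IndexError on anything shorter, so a comment or a guard would help; `l` as a variable name is flagged by pep8 (E741); and the `file` parameter of `_nsupdate_output_file` shadows the builtin.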
@@ -431,11 +489,15 @@ def output_for_cli(self, textui, output, *args, **options):
 }
 
 result = output.get('result', {})
-for key in ('ipa_records', 'location_records'):
-if result.get(key):
-textui.print_indented(u'{}:'.format(labels[key]), indent=1)
-for val in sorted(result[key]):
-textui.print_indented(val, indent=2)
-textui.print_line(u'')
+
+self._standard_output(textui, result, labels)
+
+out = options.get('out')  # output to file
+if out:
+try:
+with open(out, "w") as f:
+self._nsupdate_output_file(f, result, labels)
+except (OSError, IOError) as e:
+raise errors.FileError(reason=unicode(e))
 
 return int(not output['value'])
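Review bot: `open(out, "w")` silently truncates an existing file and runs even when `result` carries no records, producing an nsupdate file that contains only a `send`; consider skipping the write (or warning) when there is nothing to emit. `errors` and `unicode` are also used here without appearing in the hunk; the `if six.PY3:` context in the first hunk suggests `unicode` is aliased at module level, but it is worth double-checking that `errors` is imported in this module.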

From c772fac83753ca5db4fa4fb5a6cdb80cb128bc05 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 30 Jan 2017 21:18:46 +0100
Subject: [PATCH 2/2] Test: DNS nsupdate from dns-update-system-records

Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585

[Freeipa-devel] [freeipa PR#426][comment] DNSSEC: forwarders validation improvement

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/426
Title: #426: DNSSEC: forwarders validation improvement

MartinBasti commented:
"""
I was thinking about it and I disagree. Checking forwards zone behaves 
differently than check for global forwarders. The validate 
`_dnssec_zone_forwarder_step2` is called against an IPA DNS server, so there 
shouldn't be that issue as we know how bind is supposed to work.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/426#issuecomment-278326644
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#424][+pushed] Tests: fix wait_for_replication task

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task

Label: +pushed

[Freeipa-devel] [freeipa PR#424][comment] Tests: fix wait_for_replication task

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ad1a5551d5ec716dc745f39e82d38cc634229cb0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/424#issuecomment-278325879

[Freeipa-devel] [freeipa PR#424][closed] Tests: fix wait_for_replication task

2017-02-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/424
Author: MartinBasti
 Title: #424: Tests: fix wait_for_replication task
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/424/head:pr424
git checkout pr424

[Freeipa-devel] [freeipa PR#442][synchronized] Add option to run tests in-tree and out-of-tree mode

2017-02-08 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
 Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442
From b000b01d92cab834c808d0c6792d76cd4389893b Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 8 Feb 2017 13:29:38 +0100
Subject: [PATCH] Add option to run tests in-tree and out-of-tree mode

By default ipa-run-tests and pytest auto-detect the presence of
../ipasetup.py.in and run tests in-tree mode when the file exists. The
option can be overridden with ipa-run-tests --in-tree=true/false.

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 6d8ba60..df8d919 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,6 +3,8 @@
 #
 from __future__ import print_function
 
+import os
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
@@ -11,6 +13,9 @@
 ipaserver = None
 
 
+HERE = os.path.dirname(os.path.abspath(__file__))
+
+
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
 'ipatests.pytest_plugins.beakerlib',
@@ -71,9 +76,30 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+def truefalse(arg):
+if arg.lower() == 'true':
+return True
+if arg.lower() == 'false':
+return False
+return arg  # triggers an error later
+
+in_tree = os.path.isfile(os.path.join(HERE, os.pardir, 'ipasetup.py.in'))
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--in-tree',
+dest="ipa_in_tree",
+type=truefalse,
+choices=(True, False),
+default=in_tree,
+help="Run IPA tests in-tree (default: auto-detect ../ipasetup.py.in)"
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
-context=u'cli', in_server=False, in_tree=True, fallback=False
+context=u'cli', in_server=False, in_tree=config.option.ipa_in_tree,
+fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
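Review bot: `truefalse` returns the raw string for anything other than `true`/`false` and relies on `choices=(True, False)` to reject it. That works, but the message the user then sees is argparse's "invalid choice: 'yes' (choose from True, False)", which does not match the documented `--in-tree=true/false` spelling. Raising `argparse.ArgumentTypeError("expected true or false")` from `truefalse` gives a clearer message and makes `choices` unnecessary.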

[Freeipa-devel] [freeipa PR#442][opened] Add option to run tests in-tree and out-of-tree mode

2017-02-08 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
 Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: opened

PR body:
"""
By default ipa-run-tests and pytest auto-detect the presence of
../ipasetup.py.in and run tests in-tree mode when the file exists. The
option can be overridden with ipa-run-tests --in-tree=true/false.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442
From a6df4c03ddcde95d57879238be3a0e239fe19cd0 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 8 Feb 2017 13:29:38 +0100
Subject: [PATCH] Add option to run tests in-tree and out-of-tree mode

By default ipa-run-tests and pytest auto-detect the presence of
../ipasetup.py.in and run tests in-tree mode when the file exists. The
option can be overridden with ipa-run-tests --in-tree=true/false.

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py | 26 +-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 6d8ba60..70947f7 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -11,6 +11,9 @@
 ipaserver = None
 
 
+HERE = os.path.dirname(os.path.abspath(__file__))
+
+
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
 'ipatests.pytest_plugins.beakerlib',
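Review bot: `HERE = os.path.dirname(os.path.abspath(__file__))` uses `os`, but this revision of the patch adds no `import os` (the diff starts at the `ipaserver = None` hunk and the diffstat counts 25 insertions); unless `ipatests/conftest.py` at 6d8ba60 already imports it, collection fails with a NameError. The synchronized revision of this PR adds the import at the top of the file.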
@@ -71,9 +74,30 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+def truefalse(arg):
+if arg.lower() == 'true':
+return True
+if arg.lower() == 'false':
+return False
+return arg  # triggers an error later
+
+in_tree = os.path.isfile(os.path.join(HERE, os.pardir, 'ipasetup.py.in'))
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--in-tree',
+dest="ipa_in_tree",
+type=truefalse,
+choices=(True, False),
+default=in_tree,
+help="Run IPA tests in-tree (default: auto-detect ../ipasetup.py.in)"
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
-context=u'cli', in_server=False, in_tree=True, fallback=False
+context=u'cli', in_server=False, in_tree=config.option.ipa_in_tree,
+fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)

[Freeipa-devel] [freeipa PR#440][+ack] [Py3] fix various issues in tests related to BytesWarning

2017-02-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/440
Title: #440: [Py3] fix various issues in tests related to BytesWarning

Label: +ack

[Freeipa-devel] [freeipa PR#424][comment] Tests: fix wait_for_replication task

2017-02-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task

MartinBasti commented:
"""
bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/424#issuecomment-278315718

[Freeipa-devel] [freeipa PR#424][+ack] Tests: fix wait_for_replication task

2017-02-08 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/424
Title: #424: Tests: fix wait_for_replication task

Label: +ack

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

martbab commented:
"""
@HonzaCholasta ok in that case I will archive: `/var/log/httpd`, 
`/var/log/dirsrv/`, `/var/log/pki/pki-tomcat`, `ipaserver/client-install.log` 
and a dump from systemd journal. Should be enough.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278304161

[Freeipa-devel] [freeipa PR#441][opened] Print test env information

2017-02-08 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/441
Author: tiran
 Title: #441: Print test env information
Action: opened

PR body:
"""
Print api.env, uname, euid/egid, cwd and Python version when tests are
run with -v (e.g. ipa-run-tests -v).

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/441/head:pr441
git checkout pr441
From 96636f6c81e68785c2a2a2f39fca1706e686e6ae Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 8 Feb 2017 12:29:33 +0100
Subject: [PATCH] Print test env information

Print api.env, uname, euid/egid, cwd and Python version when tests are
run with -v (e.g. ipa-run-tests -v).

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 6d8ba60..511d7b7 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,6 +3,10 @@
 #
 from __future__ import print_function
 
+import os
+import pprint
+import sys
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
@@ -78,3 +82,10 @@ def pytest_cmdline_main(config):
 for klass in cli_plugins:
 api.add_plugin(klass)
 api.finalize()
+if config.option.verbose:
+print('api.env: ')
+pprint.pprint({k: api.env[k] for k in api.env})
+print("uname: {}".format(os.uname()))
+print("euid: {}, egid: {}".format(os.geteuid(), os.getegid()))
+print("working dir: {}".format(os.path.abspath(os.getcwd(
+print('sys.version: {}'.format(sys.version))
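Review bot: the `working dir` line is missing its closing parentheses as shown (`os.path.abspath(os.getcwd(`), which is a SyntaxError; it should read `print("working dir: {}".format(os.path.abspath(os.getcwd())))`. Separately, `pprint.pprint({k: api.env[k] for k in api.env})` dumps every configured value at `-v`; since the same series of PRs is discussing uploading CI logs to a public paste service, it is worth checking that nothing in `api.env` is sensitive in a given deployment before it lands in those logs, or filtering the keys printed.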

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

HonzaCholasta commented:
"""
@martbab, I would rather not include irrelevant stuff, it's just noise.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278291898

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

frasertweedale commented:
"""
:+1: sounds good.  Take what's there and run with it :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278291532

[Freeipa-devel] [freeipa PR#437][comment] FIPS: replica install check

2017-02-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/437
Title: #437: FIPS: replica install check

stlaz commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/437#issuecomment-278279899

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-08 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From f6c35fff584e2d980b693c4de8f1fc96f34e5805 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/4] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py| 8 
 ipalib/constants.py | 1 +
 2 files changed, 9 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
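Review bot: when `ipaplatform` cannot be imported, `fips_mode` is never assigned in `_bootstrap`, while `constants.py` now declares it as a regular env variable; code that reads `api.env.fips_mode` in that situation gets an undefined attribute rather than a value, and the replica-install check this series builds on top of it has nothing defined to test. Set an explicit default in the `tasks is None` branch (for example `self.fips_mode = False`, with a comment that the platform could not be queried) so the variable is always present.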
 
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..10433e1 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -215,6 +215,7 @@
 ('script', object),  # sys.argv[0]
 ('bin', object),  # The directory containing the script
 ('home', object),  # $HOME
+('fips_mode', object),  # FIPS-mode of the server
 
 # Vars set in Env._bootstrap():
 ('in_tree', object),  # Whether or not running in-tree (bool)

From cc1411d4cb3c81c2fe5c9180c1646872c96c5c37 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/4] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..c766f4b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -509,6 +509,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
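Review bot: in the new docstring, "if the checks fails" should read "if the check fails"; it would also help to say what "remote API" means here (the `api` object pointed at the remote master whose version is compared against `api.env.version`).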
 
@@ -521,7 +528,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
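Review bot: the two string literals in the `ScriptError` message are joined by implicit concatenation with no separating space, so the message reads "...of higher version (x) thanthe local version (y)"; add a trailing space after "than" in the first literal.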
 

From 7c305086c8e48d3370f94fd138caab2ec1060b16 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 3/4] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index c766f4b..352641f 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -508,29 +509,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
 """
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
 
-:param api: remote API
-
-:raises: ``ScriptError`` if the checks fails
+:param api: api to initiate the RPC client
 """
 client = rpc.jsonclient(api)
 client.finalize()
-
 client.connect()
+
 try:
-env = client.forward(u'env', u'version')['result']
+yield client
 finally:
 client.disconnect()
 
+
+def check_remote_version(client, local_version):
+"""
+Verify remote server's version is not higher than this server's version
+
+:param client: RPC 

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

HonzaCholasta commented:
"""
Right, I suggested https://transfer.sh, because uploading a file there is as 
easy as:
```bash
curl --upload-file ./file https://transfer.sh/file
```
BTW I would not limit ourselves to the few logs @martbab suggested, but upload 
as much as possible: `/var/log/ipa*`, `/var/log/httpd`, `/var/log/dirsrv`, 
`/var/log/pki/pki-tomcat`, `journalctl` dump for all of our services, ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278273110

[Freeipa-devel] [freeipa PR#370][comment] ci: send build log to paste.fedoraproject.org

2017-02-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

martbab commented:
"""
We were discussing your PR with @HonzaCholasta yesterday and he suggested that 
we could pack the test runner log, HTTP and dirsrv logs and server installer 
log into an archive and upload it to https://transfer.sh/ a very lightweight 
file hosting site. What do you think?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/370#issuecomment-278263943

Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-02-08 Thread Alexander Bokovoy

On Wed, 08 Feb 2017, Martin Kosek wrote:

Hi Fraser and the list,

I recently was in a conversation about integrating OpenShift with FreeIPA. One
of the gaps was around generating a wildcard certificate by FreeIPA that will
be used in the default OpenShift router for applications that do not deploy own
certificates [1].

Is there any way that FreeIPA can generate it? I was thinking that uploading
some custom certificate profile in FreeIPA may let us get such certificate...
Or is the only way we can add it by adding a new RFE in FreeIPA, tracked in
[2]?

Yes, we need a new RFE. There are checks in IPA that prevent wildcard
certificates from being issued:

- we ensure subject 'cn' of the certificate matches a Kerberos principal
  specified in the request

- we validate that host object exists in IPA when the Kerberos
  principal is host/...

We could lift off these two limitations for 'cn=*,$suffix' but there is
still a need to apply proper ACLs when issuing the cert -- e.g. some
object has to be used for performing access rights check. The wildcard
certificate does not need to be stored anywhere in the tree, but a
check still needs to be done.

For example, for Kerberos PKINIT certificate which is issued to KDC we
don't store public certificate in LDAP either but we do two checks:
- a special KDC certificate profile is used to issue the cert
- a special hostname check is done so that only IPA masters are able to
  request this certificate

For the wildcard certificate I think we could have following:
- use a separate profile for the wildcard, associated with a sub-CA
- hardcode CN default in the profile to always be 'CN=*, O=$SUB_CA_SUBJECT' so that
  actual certificate ignores requested CN.
- a special check to be done so that only wildcard-based subject
  alternative names can be added to a wildcard certificate request
- all Kerberos principal / hostname checks are skipped.
- actual ACL check is done by CA ACL.

--
/ Alexander Bokovoy
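The checks Alexander lists for a wildcard profile (CN hard-coded by the profile so the requested CN is ignored, only wildcard-based SANs accepted, no Kerberos principal or host-object lookup) written out as a stand-alone policy function. This is an added example, not FreeIPA code and not code from the thread; `PROFILE_CN`, the function names and the sample suffix `apps.example.com` are assumptions made for the illustration.

```python
"""Policy check for a wildcard certificate profile (added illustration).

Models the checks proposed in the thread: the requested CN is ignored
because the profile hard-codes it, every SAN must be a single-label
wildcard directly under an allowed suffix, and no Kerberos principal or
host-object lookup takes place.  Not FreeIPA code; PROFILE_CN, the
function names and the sample suffixes are assumptions.
"""
import re

# The profile's hard-coded subject; the O= part would come from the sub-CA
# subject in a real profile and is only a placeholder here.
PROFILE_CN = "CN=*, O=$SUB_CA_SUBJECT"

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace and root dot."""
    return name.strip().rstrip(".").lower()


def is_wildcard_san(name, allowed_suffixes):
    """True iff ``name`` is exactly ``*.<suffix>`` for an allowed suffix.

    Rejects a bare ``*``, nested wildcards (``*.*.x``), partial-label
    wildcards (``foo*.x``), plain host names, and wildcards for a parent
    or child of an allowed suffix (``*.example.com`` or
    ``*.foo.apps.example.com`` when only ``apps.example.com`` is allowed).
    """
    name = normalize(name)
    if not name.startswith("*."):
        return False
    rest = name[2:]
    if not rest or "*" in rest:
        return False
    if not all(_LABEL.match(label) for label in rest.split(".")):
        return False
    return any(rest == normalize(s) for s in allowed_suffixes)


def check_wildcard_request(requested_cn, san_dnsnames, allowed_suffixes):
    """Apply the wildcard-profile policy to one certificate request.

    Returns a dict with ``ok`` (issue or refuse), ``cn`` (what the profile
    actually puts in the subject, whatever ``requested_cn`` said),
    ``ignored_cn``, and the ``accepted`` and ``rejected`` SANs.  A request
    is refused when it carries any non-wildcard SAN or no SAN at all, so a
    CSR cannot carry a concrete host name into a certificate whose ACL
    check never looked at a host object.
    """
    accepted, rejected = [], []
    for name in san_dnsnames:
        bucket = accepted if is_wildcard_san(name, allowed_suffixes) else rejected
        bucket.append(name)
    return {
        "ok": bool(accepted) and not rejected,
        "cn": PROFILE_CN,
        "ignored_cn": requested_cn,
        "accepted": accepted,
        "rejected": rejected,
    }


if __name__ == "__main__":
    # Constructed sample: the OpenShift router case from the thread, then a
    # request that tries to add a concrete host name next to the wildcard.
    policy = ["apps.example.com"]
    print(check_wildcard_request("router.example.com",
                                 ["*.apps.example.com"], policy))
    print(check_wildcard_request("router.example.com",
                                 ["*.apps.example.com", "www.example.com"],
                                 policy))
```

The suffix comparison is deliberately exact: `*.foo.apps.example.com` is refused even though `apps.example.com` is allowed. Accepting deeper wildcards would widen what a single profile can issue and should be an explicit policy decision, mirrored in the CA ACL that Alexander proposes as the actual access check.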



[Freeipa-devel] [freeipa PR#428][synchronized] [WIP] [Py3] ipa-server-install

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/428
Author: MartinBasti
 Title: #428: [WIP] [Py3] ipa-server-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/428/head:pr428
git checkout pr428
From 4d367dfa6e02858132f62e5695714939310c1637 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 17:00:42 +0100
Subject: [PATCH 01/11] py3: modify_s: attribute name must be str not bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 37d23d7..3df82b3 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -727,7 +727,7 @@ def modify_s(self, dn, modlist):
 # FIXME: for backwards compatibility only
 assert isinstance(dn, DN)
 dn = str(dn)
-modlist = [(a, self.encode(b), self.encode(c)) for a, b, c in modlist]
+modlist = [(a, b, self.encode(c)) for a, b, c in modlist]
 return self.conn.modify_s(dn, modlist)
 
 @property
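Review bot: with `b` (the attribute name in python-ldap's `(mod_op, mod_type, mod_vals)` triple) now passed through unchanged, a caller that still hands in a bytes attribute name on Py3 fails inside python-ldap instead of at this boundary; an `assert isinstance(b, str)` beside the existing `assert isinstance(dn, DN)` would make the new contract from the commit message explicit and give a clearer traceback.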

From 9a045ddb67760192766923cd5a597227d5a4edda Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 17:33:44 +0100
Subject: [PATCH 02/11] py3: configparser: use raw keyword

configparser.get() changed in python3 and `raw` is now a keyword attribute.

Also it must be set to True, otherwise InterpolationSyntaxError is raised

'''
InterpolationSyntaxError: '%' must be followed by '%' or '(', found:
'%2fvar%2frun%2fslapd-EXAMPLE-COM.socket'
'''

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/kem.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 143caaf..3577975 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -181,7 +181,7 @@ def __init__(self, config=None, ipaconf=paths.IPA_DEFAULT_CONF):
 self.realm = conf.get('global', 'realm')
 self.ldap_uri = config.get('ldap_uri', None)
 if self.ldap_uri is None:
-self.ldap_uri = conf.get('global', 'ldap_uri', None)
+self.ldap_uri = conf.get('global', 'ldap_uri', raw=True)
 self._server_keys = None
 
 def find_key(self, kid, usage):
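Review bot: `raw=True` is a behavioural change as well as a Py3 fix: on Py2 the old third positional argument `None` was the (falsy) `raw` flag, so `%`-interpolation was active for `ldap_uri`, whereas now it is disabled on both versions. That is what the commit message wants for a URI containing `%2f` escapes, but a short inline comment saying why `raw=True` is required here will stop a later clean-up from removing it.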

From 7dcd8723ef638c23b7d22a0f36cf242cc8aef71c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 18:10:37 +0100
Subject: [PATCH 03/11] py3: custodia: basedn must be unicode

basedn in custodia related modules has type bytes, that causes issues in
Py3 when strings were concatenated with bytes

```
malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'"
```

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/common.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/secrets/common.py b/ipaserver/secrets/common.py
index 2b906b6..f3dc320 100644
--- a/ipaserver/secrets/common.py
+++ b/ipaserver/secrets/common.py
@@ -23,7 +23,7 @@ def basedn(self):
 if self._basedn is None:
 conn = self.connect()
 r = conn.search_s('', ldap.SCOPE_BASE)
-self._basedn = r[0][1]['defaultnamingcontext'][0]
+self._basedn = r[0][1]['defaultnamingcontext'][0].decode('utf-8')
 return self._basedn
 
 def connect(self):

From b07246ffe79a5dd00a9ab02c7f6ae23260e4cecd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 18:11:42 +0100
Subject: [PATCH 04/11] py3: kem.py: use bytes with ldap values

python ldap requires bytes as values

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/secrets/kem.py | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 3577975..5d784b7 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -130,13 +130,13 @@ def set_key(self, usage, principal, key):
 service_rdn = ('cn', servicename) if servicename != 'host' else DN()
 dn = str(DN(('cn', name), service_rdn, self.keysbase))
 try:
-mods = [('objectClass', ['nsContainer',
- 'ipaKeyPolicy',
- 'ipaPublicKeyObject',
- 'groupOfPrincipals']),
-('cn', name),
-('ipaKeyUsage', RFC5280_USAGE_MAP[usage]),
-('memberPrincipal', principal),
+mods = [('objectClass', [b'nsContainer',
+ b'ipaKeyPolicy',
+ b'ipaPublicKeyObject',
+ b'groupOfPrincipals']),
+('cn', name.encode('utf-8')),
+('ipaKeyUsage', RFC5280_USAGE_MAP[usage].encode('utf-8')),
+('memberPrincipal', 

[Freeipa-devel] [freeipa PR#428][edited] [WIP] [Py3] ipa-server-install

2017-02-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/428
Author: MartinBasti
 Title: #428: [WIP] [Py3] ipa-server-install
Action: edited

 Changed field: title
Original value:
"""
[WIP] [Py3] ipa-server-install
"""
