[Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split
Hi, So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver, but dcerpc.py imports python-samba which -ipaserver does not depend on. So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that ipa-server-install wants to import adtrustinstance and fails to run if it's not installed. Traceback (most recent call last): File "/usr/sbin/ipa-server-install", line 25, in from ipaserver.install.server import Server File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py", line 8, in from .upgrade import upgrade_check, upgrade File "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py", line 49, in from ipaserver.install import adtrustinstance ImportError: cannot import name adtrustinstance So what to do here? I can't remember exactly what problems I hit when everything was in python-ipaserver while testing 4.3.0, but I think they were about the samba stuff.. and don't want to test again without asking first. Should the upgrader stuff be split? -- t -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Title: #403: Add new ipa passwd-generate command redhatrises commented: """ Thanks @abbra The command would have been `ipa passwd-generate --user user1` without piping any commands to it and would have kept the initial password as well as only run as an IPA admin. I also had forgotten about using `--random`. Will look at `ipa-advise` at some point in the future. Closing this PR for now. """ See the full comment at https://github.com/freeipa/freeipa/pull/403#issuecomment-280749987 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#403][closed] Add new ipa passwd-generate command
URL: https://github.com/freeipa/freeipa/pull/403 Author: redhatrises Title: #403: Add new ipa passwd-generate command Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/403/head:pr403 git checkout pr403 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb
URL: https://github.com/freeipa/freeipa/pull/453 Author: tiran Title: #453: Cleanup certdb Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/453/head:pr453 git checkout pr453 From 29e1c390fe8e998aabbdd89a72da08cbf0ee4a25 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 9 Feb 2017 14:55:45 +0100 Subject: [PATCH] Cleanup certdb * use with statement to open/close files * prefer fchmod/fchown when a file descriptor is available * set permission before data is written to file * remove chdir() hack with proper cwd argument to ipautil.run() Do not ever change the working directory of a program. It's a really bad idea. Just consider what is going to happen if two threads or two different parts of a process decide to own control over the working directory? Signed-off-by: Christian Heimes --- ipaserver/install/certs.py | 147 - 1 file changed, 65 insertions(+), 82 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index bca2504..c3543b3 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -96,10 +96,6 @@ def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None, self.host_name = host_name self.ca_subject = ca_subject self.subject_base = subject_base -try: -self.cwd = os.getcwd() -except OSError as e: -raise RuntimeError("Unable to determine the current directory: %s" % str(e)) self.cacert_name = get_ca_nickname(self.realm) @@ -142,10 +138,8 @@ def passwd_fname(self): def __del__(self): if self.reqdir is not None: shutil.rmtree(self.reqdir, ignore_errors=True) -try: -os.chdir(self.cwd) -except OSError: -pass +self.reqdir = None +self.nssdb.close() def setup_cert_request(self): """ @@ -162,23 +156,21 @@ def setup_cert_request(self): self.certreq_fname = self.reqdir + "/tmpcertreq" self.certder_fname = self.reqdir + "/tmpcert.der" -# When certutil makes a request it creates a file in the cwd, make -# sure we are in a unique place when this happens -os.chdir(self.reqdir) - -def set_perms(self, fname, write=False, uid=None): -if uid: -pent = pwd.getpwnam(uid) -os.chown(fname, pent.pw_uid, pent.pw_gid) -else: -os.chown(fname, self.uid, self.gid) +def set_perms(self, fname, write=False): perms = stat.S_IRUSR if write: perms |= stat.S_IWUSR -os.chmod(fname, perms) +if hasattr(fname, 'fileno'): +os.fchown(fname.fileno(), self.uid, self.gid) +os.fchmod(fname.fileno(), perms) +else: +os.chown(fname, self.uid, self.gid) +os.chmod(fname, perms) def run_certutil(self, args, stdin=None, **kwargs): -return self.nssdb.run_certutil(args, stdin, **kwargs) +# When certutil makes a request it creates a file in the cwd, make +# sure we are in a unique place when this happens +return self.nssdb.run_certutil(args, stdin, cwd=self.reqdir, **kwargs) def run_signtool(self, args, stdin=None): with open(self.passwd_fname, "r") as f: @@ -186,24 +178,23 @@ def run_signtool(self, args, stdin=None): new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password] new_args = new_args + args -ipautil.run(new_args, stdin) +ipautil.run(new_args, stdin, cwd=self.reqdir) def create_noise_file(self): if ipautil.file_exists(self.noise_fname): os.remove(self.noise_fname) -f = open(self.noise_fname, "w") -f.write(ipautil.ipa_generate_password()) -self.set_perms(self.noise_fname) +with open(self.noise_fname, "w") as f: +self.set_perms(f) +f.write(ipautil.ipa_generate_password()) def create_passwd_file(self, passwd=None): ipautil.backup_file(self.passwd_fname) -f = open(self.passwd_fname, "w") -if passwd is not None: -f.write("%s\n" % passwd) -else: -f.write(ipautil.ipa_generate_password()) -f.close() -self.set_perms(self.passwd_fname) +with open(self.passwd_fname, "w") as f: +self.set_perms(f) +if passwd is not None: +f.write("%s\n" % passwd) +else: +f.write(ipautil.ipa_generate_password()) def create_certdbs(self): self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode, @@ -241,20 +232,21 @@ def export_ca_cert(self, nickname, create_pkcs12=False): # export the CA cert for use with other apps ipautil.backup_file(cacert_fname) root_nicknames =
[Freeipa-devel] [freeipa PR#442][closed] Add option to run tests in-tree and out-of-tree mode
URL: https://github.com/freeipa/freeipa/pull/442 Author: tiran Title: #442: Add option to run tests in-tree and out-of-tree mode Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/442/head:pr442 git checkout pr442 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#442][comment] Add option to run tests in-tree and out-of-tree mode
URL: https://github.com/freeipa/freeipa/pull/442 Title: #442: Add option to run tests in-tree and out-of-tree mode tiran commented: """ Not useful or relevant any more. """ See the full comment at https://github.com/freeipa/freeipa/pull/442#issuecomment-280708021 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#442][+rejected] Add option to run tests in-tree and out-of-tree mode
URL: https://github.com/freeipa/freeipa/pull/442 Title: #442: Add option to run tests in-tree and out-of-tree mode Label: +rejected -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#479][opened] Merge AD trust installer into composite ones
URL: https://github.com/freeipa/freeipa/pull/479 Author: martbab Title: #479: Merge AD trust installer into composite ones Action: opened PR body: """ This PR implements setup of Samba/Winbind as a part of server/replica install. I will update installation tests in a separate PR in order not to inflate an already sizeable amount of code touched in this one. I also updated man pages of ipa-server/replica-install, but since the entries are a bit chatty, it may be a good idea to write a more terse option descriptions and provide a link to `ipa-adtrust-install` for more thorough explanation. The commits from https://github.com/freeipa/freeipa/pull/457 are on the bottom of the branch in order to provide working AD trust installer in cases where admin password is not provided. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/479/head:pr479 git checkout pr479 From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Fri, 3 Feb 2017 17:14:20 +0100 Subject: [PATCH 01/15] allow for more flexibility when requesting service keytab The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/service.py | 41 ++--- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index b9d1ffc..80bb4bb 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -540,22 +540,35 @@ def _add_service_principal(self): except errors.DuplicateEntry: pass +def clean_previous_keytab(self, keytab=None): +if keytab is None: +keytab = self.keytab + +self.fstore.backup_file(keytab) +try: +os.unlink(keytab) +except OSError: +pass + +def set_keytab_owner(self, keytab=None, owner=None): +if keytab is None: +keytab = self.keytab +if owner is None: +owner = self.service_user + +pent = pwd.getpwnam(owner) +os.chown(keytab, pent.pw_uid, pent.pw_gid) + def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): """ -backup and remove old service keytab (if present) and fetch a new one -using ipa-getkeytab. This assumes that the service principal is already -created in LDAP. By default GSSAPI authentication is used unless: +retrieve service keytab using ipa-getkeytab. This assumes that the +service principal is already created in LDAP. By default GSSAPI +authentication is used unless: * LDAPI socket is used and effective process UID is 0, then autobind is used by EXTERNAL SASL mech * self.dm_password is not none, then DM credentials are used to fetch keytab """ -self.fstore.backup_file(keytab) -try: -os.unlink(keytab) -except OSError: -pass - args = [paths.IPA_GETKEYTAB, '-k', keytab, '-p', principal, @@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): ipautil.run(args, nolog=nolog) def _request_service_keytab(self): -if any(attr is None for attr in (self.principal, self.keytab, - self.service_user)): +if any(attr is None for attr in (self.principal, self.keytab)): raise NotImplementedError( "service must have defined principal " -"name, keytab, and username") +"name and keytab") self._add_service_principal() +self.clean_previous_keytab() self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) - -pent = pwd.getpwnam(self.keytab_user) -os.chown(self.keytab, pent.pw_uid, pent.pw_gid) +self.set_keytab_owner() class SimpleServiceInstance(Service): From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 17 Feb 2017 14:31:55 +0100 Subject: [PATCH 02/15] Make request_service_keytab into a public method a cosmetic change: we had private method comprising of calls to public ones, which did not make much sense in our case https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/dsinstance.py | 6 +++--- ipaserver/install/httpinstance.py | 2 +- ipaserver/install/service.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 9172b65..bf80ae0 100644 ---
[Freeipa-devel] [freeipa PR#368][+pushed] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#368][closed] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Author: pvomacka Title: #368: WebUI: fix incorrect behavior of ESC button on combobox Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/368/head:pr368 git checkout pr368 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1a96e7f9e737941480436269668ccde0a50395f9 https://fedorahosted.org/freeipa/changeset/6c6c68df544ac1046741d91dfdc59ef8d96b863c """ See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280703637 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Author: tiran Title: #472: Packaging: Add placeholder packages Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/472/head:pr472 git checkout pr472 From 61f40dcc205710cf04dcfe9dab7b68d7acfa04e2 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Thu, 16 Feb 2017 15:27:49 +0100 Subject: [PATCH 1/3] Packaging: Add placeholder packages The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. Signed-off-by: Christian Heimes --- Makefile.am | 4 +++- Makefile.python.am| 21 + configure.ac | 3 +++ packaging/Makefile.am | 10 ++ packaging/freeipa/Makefile.am | 3 +++ packaging/freeipa/README.txt | 2 ++ packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 23 +++ packaging/ipa/Makefile.am | 3 +++ packaging/ipa/README.txt | 2 ++ packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 23 +++ 12 files changed, 97 insertions(+), 9 deletions(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py diff --git a/Makefile.am b/Makefile.am index 30ad9bb..a6faa11 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ @@ -206,6 +206,8 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/Makefile.python.am b/Makefile.python.am index 665893f..9c34fe3 100644 --- a/Makefile.python.am +++ b/Makefile.python.am @@ -1,5 +1,6 @@ pkgname = $(shell basename "$(abs_srcdir)") pkgpythondir = $(pythondir)/$(pkgname) +pkginstall = true if VERBOSE_MAKE VERBOSITY="--verbose" @@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py --build-base "$(abs_builddir)/build" install-exec-local: $(top_builddir)/ipasetup.py - $(PYTHON) $(srcdir)/setup.py \ - $(VERBOSITY) \ - install \ - --prefix "$(DESTDIR)$(prefix)" \ - --single-version-externally-managed \ - --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ - --optimize 1 + if [ "x$(pkginstall)" = "xtrue" ]; then \ + $(PYTHON) $(srcdir)/setup.py \ + $(VERBOSITY) \ + install \ + --prefix "$(DESTDIR)$(prefix)" \ + --single-version-externally-managed \ + --record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \ + --optimize 1; \ + fi uninstall-local: - cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf + if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \ + cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \ + fi rm -rf "$(DESTDIR)$(pkgpythondir)" clean-local: $(top_builddir)/ipasetup.py diff --git a/configure.ac b/configure.ac index 44dc11b..f48ba14 100644 --- a/configure.ac +++ b/configure.ac @@ -577,6 +577,9 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..5725ed9 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,10 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..15d86ce --- /dev/null +++ b/packaging/freeipa/Makefile.am @@ -0,0 +1,3 @@ +include $(top_srcdir)/Makefile.python.am + +pkginstall = false diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt new file mode 100644 index 000..b58448f --- /dev/null +++ b/packaging/freeipa/README.txt
[Freeipa-devel] [freeipa PR#368][+ack] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox pvoborni commented: """ ACK given that Martin did functional testing """ See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280700948 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages tiran commented: """ At the moment wheels are not required for RPM building. python-wheel is not available on RHEL, but I can work around it. Should the RPM spec file only contain dependencies for RPM packaging or also dependencies for general development and general packaging? I can create placeholder modules for ipaserver, ipaplatform and ipatests, too. It's going to be a bit more tricky. Let's see... """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280690085 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#478][opened] [4.4] Do not configure PKI ajp redirection to use "::1"
URL: https://github.com/freeipa/freeipa/pull/478 Author: flo-renaud Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1" Action: opened PR body: """ When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/478/head:pr478 git checkout pr478 From bd406539f48eb9ab9bc84413dcbdddae8422c412 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Fri, 17 Feb 2017 15:59:57 +0100 Subject: [PATCH] [4.4] Do not configure PKI ajp redirection to use "::1" When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 --- freeipa.spec.in | 4 ++-- ipaserver/install/cainstance.py | 4 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 8a8e3a5..8081a93 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -161,8 +161,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= %{slapi_nis_version} -Requires: pki-ca >= 10.3.5-6 -Requires: pki-kra >= 10.3.5-6 +Requires: pki-ca >= 10.3.5-11 +Requires: pki-kra >= 10.3.5-11 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index c8c7c28..6bf5917 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -578,10 +578,6 @@ def __spawn_instance(self): config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name) config.set("CA", "pki_external_step_two", "True") -# PKI IPv6 Configuration -config.add_section("Tomcat") -config.set("Tomcat", "pki_ajp_host", "::1") - # Generate configuration file with open(cfg_file, "wb") as f: config.write(f) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server tiran commented: """ Thanks for your contribution. I added your patch to my PR. On my system I ran into a minor issue. Some C99 types like ```uint8_t``` were not defined and I had to include ```stdint.h```. By the way I'm just going to ignore your snidely and snarky comment. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280687364 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457 Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab martbab commented: """ I have added some commits to cope with changes made during privliege spearation work """ See the full comment at https://github.com/freeipa/freeipa/pull/457#issuecomment-280681170 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ I'm not an expert about how PyPI is working, but shouldn't be there also placeholder packages for: - ipaserver - ipaplatform - ipatests How about [free]ipa-server and friends, can a bad person use this for an attack when somebody uses `pip install freeipa-server` ? """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280682669 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Author: tiran Title: #364: Client-only builds with --disable-server Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/364/head:pr364 git checkout pr364 From f8714aa599a216a3eb4a2a93f464f512516570a7 Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Tue, 3 Jan 2017 14:32:05 +0100 Subject: [PATCH 1/3] Client-only builds with --disable-server https://fedorahosted.org/freeipa/ticket/6517 --- Makefile.am | 9 +++- configure.ac | 159 +-- server.m4| 131 3 files changed, 172 insertions(+), 127 deletions(-) create mode 100644 server.m4 diff --git a/Makefile.am b/Makefile.am index 30ad9bb..b12a77e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,14 @@ ACLOCAL_AMFLAGS = -I m4 +if ENABLE_SERVER +SERVER_SUBDIRS = daemons init install ipaserver +else +SERVER_SUBDIRS = +endif IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib po \ + $(IPACLIENT_SUBDIRS) ipaplatform ipatests $(SERVER_SUBDIRS) + MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ diff --git a/configure.ac b/configure.ac index 44dc11b..6192e4b 100644 --- a/configure.ac +++ b/configure.ac @@ -24,6 +24,17 @@ LT_INIT AC_HEADER_STDC +PKG_PROG_PKG_CONFIG + +AC_ARG_ENABLE([server], +[ --disable-serverDisable server support], +[case "${enableval}" in + yes) enable_server=true ;; + no) enable_server=false ;; + *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;; +esac],[enable_server=true]) +AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue]) + AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) dnl --- @@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr]) PKG_CHECK_MODULES([NSS], [nss]) dnl --- -dnl - Check for DS slapi plugin -dnl --- - -# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h -SAVE_CPPFLAGS=$CPPFLAGS -CPPFLAGS=$NSPR_CFLAGS -AC_CHECK_HEADER(dirsrv/slapi-plugin.h) -if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -AC_CHECK_HEADER(dirsrv/repl-session-plugin.h) -if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)]) -fi -CPPFLAGS=$SAVE_CPPFLAGS - -if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then - AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)]) -fi - -dnl --- dnl - Check for KRB5 dnl --- PKG_CHECK_MODULES([KRB5], [krb5]) -AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) -KRAD_LIBS="-lkrad" -krb5rundir="${localstatedir}/run/krb5kdc" -AC_SUBST(KRAD_LIBS) -AC_SUBST(krb5rundir) AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])]) AC_CHECK_MEMBER( @@ -105,11 +89,6 @@ dnl --- PKG_CHECK_MODULES([CRYPTO], [libcrypto]) dnl --- -dnl - Check for UUID library -dnl --- -PKG_CHECK_MODULES([UUID], [uuid]) - -dnl --- dnl - Check for Python dnl --- @@ -122,69 +101,6 @@ if test "x$PYTHON" = "x" ; then fi dnl --- -dnl Check for ndr_krb5pac and other samba libraries -dnl --- - -PKG_PROG_PKG_CONFIG() -PKG_CHECK_MODULES([TALLOC], [talloc]) -PKG_CHECK_MODULES([TEVENT], [tevent]) -PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac]) -PKG_CHECK_MODULES([NDRNBT], [ndr_nbt]) -PKG_CHECK_MODULES([NDR], [ndr]) -PKG_CHECK_MODULES([SAMBAUTIL], [samba-util]) -SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba" -AC_SUBST(SAMBA40EXTRA_LIBPATH) - -bck_cflags="$CFLAGS" -CFLAGS="$NDRPAC_CFLAGS" -AC_CHECK_MEMBER( -[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid], -
[Freeipa-devel] [freeipa PR#457][synchronized] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
URL: https://github.com/freeipa/freeipa/pull/457 Author: martbab Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/457/head:pr457 git checkout pr457 From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Fri, 3 Feb 2017 17:14:20 +0100 Subject: [PATCH 1/4] allow for more flexibility when requesting service keytab The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/service.py | 41 ++--- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index b9d1ffc..80bb4bb 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -540,22 +540,35 @@ def _add_service_principal(self): except errors.DuplicateEntry: pass +def clean_previous_keytab(self, keytab=None): +if keytab is None: +keytab = self.keytab + +self.fstore.backup_file(keytab) +try: +os.unlink(keytab) +except OSError: +pass + +def set_keytab_owner(self, keytab=None, owner=None): +if keytab is None: +keytab = self.keytab +if owner is None: +owner = self.service_user + +pent = pwd.getpwnam(owner) +os.chown(keytab, pent.pw_uid, pent.pw_gid) + def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): """ -backup and remove old service keytab (if present) and fetch a new one -using ipa-getkeytab. This assumes that the service principal is already -created in LDAP. By default GSSAPI authentication is used unless: +retrieve service keytab using ipa-getkeytab. This assumes that the +service principal is already created in LDAP. By default GSSAPI +authentication is used unless: * LDAPI socket is used and effective process UID is 0, then autobind is used by EXTERNAL SASL mech * self.dm_password is not none, then DM credentials are used to fetch keytab """ -self.fstore.backup_file(keytab) -try: -os.unlink(keytab) -except OSError: -pass - args = [paths.IPA_GETKEYTAB, '-k', keytab, '-p', principal, @@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False): ipautil.run(args, nolog=nolog) def _request_service_keytab(self): -if any(attr is None for attr in (self.principal, self.keytab, - self.service_user)): +if any(attr is None for attr in (self.principal, self.keytab)): raise NotImplementedError( "service must have defined principal " -"name, keytab, and username") +"name and keytab") self._add_service_principal() +self.clean_previous_keytab() self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) - -pent = pwd.getpwnam(self.keytab_user) -os.chown(self.keytab, pent.pw_uid, pent.pw_gid) +self.set_keytab_owner() class SimpleServiceInstance(Service): From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 17 Feb 2017 14:31:55 +0100 Subject: [PATCH 2/4] Make request_service_keytab into a public method a cosmetic change: we had private method comprising of calls to public ones, which did not make much sense in our case https://fedorahosted.org/freeipa/ticket/6638 --- ipaserver/install/dsinstance.py | 6 +++--- ipaserver/install/httpinstance.py | 2 +- ipaserver/install/service.py | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 9172b65..bf80ae0 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -393,7 +393,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn, self.__common_setup(enable_ssl=(not self.promote)) self.step("restarting directory server", self.__restart_instance) -self.step("creating DS keytab", self._request_service_keytab) +self.step("creating DS keytab", self.request_service_keytab) if self.promote: if self.pkcs12_info: self.step("configuring TLS for DS instance", self.__enable_ssl) @@ -1221,8 +1221,8 @@ def __set_domain_level(self): if self.domainlevel is not
[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages
URL: https://github.com/freeipa/freeipa/pull/472 Title: #472: Packaging: Add placeholder packages MartinBasti commented: """ Shouldn't we have build dependency on `python[3]-wheel` without it `bdist_wheel` target is not working """ See the full comment at https://github.com/freeipa/freeipa/pull/472#issuecomment-280679788 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ It looks like @tiran does not want to move this PR forward. So here is a link to patch which does not misuse client-only build and add configure time option to install ipatests. https://paste.fedoraproject.org/paste/~u7iDljnMTvinxmLFoc25V5M1UNdIGYhyRLivL9gydE=/ As part of this work I found out that 4 dependencies can be simply moved to server only build: `libuuid`, `DIRSRV`, `libsss_idmap`, `libsss_nss_idmap`. Result => Client only build require less C-dependencies. LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280675665 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox MartinBasti commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280669975 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468 From 7a8212217891ad2f9453b82d136cf30ad0b0dd74 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Wed, 15 Feb 2017 04:44:59 -0500 Subject: [PATCH] Remove non-sensical kdestroy on https stop This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce --- install/share/ipa-httpd.conf.template | 2 +- ipaplatform/base/paths.py | 1 + ipaplatform/debian/paths.py | 1 - ipaplatform/redhat/tasks.py | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index 8822066..39bcfcc 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] +Environment=KRB5CCNAME=$KRB5CC_HTTPD Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY -ExecStopPost=$POST diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 8db9e61..9993c38 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -351,5 +351,6 @@ class BasePathNamespace(object): IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d' GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' +KRB5CC_HTTPD = '/tmp/krb5cc-httpd' path_namespace = BasePathNamespace diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py index 5cbe9b8..ad0e13c 100644 --- a/ipaplatform/debian/paths.py +++ b/ipaplatform/debian/paths.py @@ -89,7 +89,6 @@ class DebianPathNamespace(BasePathNamespace): VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec" OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db" IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache" -KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache" IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock" IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log' diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 5bddd14..123595e 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self): dict( KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, -POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) +KRB5CC_HTTPD=paths.KRB5CC_HTTPD, ) ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468 From 4cec7509d7601c155e8182ad9cfdb4eecfc33c70 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Wed, 15 Feb 2017 04:44:59 -0500 Subject: [PATCH] Remove non-sensical kdestroy on https stop This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce --- install/share/ipa-httpd.conf.template | 2 +- ipaplatform/base/paths.py | 1 + ipaplatform/redhat/tasks.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index 8822066..39bcfcc 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] +Environment=KRB5CCNAME=$KRB5CC_HTTPD Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY -ExecStopPost=$POST diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 8db9e61..9993c38 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -351,5 +351,6 @@ class BasePathNamespace(object): IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d' GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' +KRB5CC_HTTPD = '/tmp/krb5cc-httpd' path_namespace = BasePathNamespace diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 5bddd14..123595e 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self): dict( KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, -POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) +KRB5CC_HTTPD=paths.KRB5CC_HTTPD, ) ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d05d1115e409962fee3576a4bfc5cecfacef4fd3 """ See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280661655 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][+pushed] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][closed] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Author: npmccallum Title: #477: Use RemoveOnStop to cleanup systemd sockets Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/477/head:pr477 git checkout pr477 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#469][+rejected] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket Label: +rejected -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][+ack] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets tiran commented: """ RemoveonStop was added in systemd-214. Let me figure which version is on RHEL. """ See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280660280 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket npmccallum commented: """ This PR can be closed. """ See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280660092 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets tiran commented: """ RemoveonStop was added in systemd-214. Let me figure which version is on RHEL. """ See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280660280 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Title: #477: Use RemoveOnStop to cleanup systemd sockets npmccallum commented: """ This PR supersedes PR #469. """ See the full comment at https://github.com/freeipa/freeipa/pull/477#issuecomment-280659813 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#477][opened] Use RemoveOnStop to cleanup systemd sockets
URL: https://github.com/freeipa/freeipa/pull/477 Author: npmccallum Title: #477: Use RemoveOnStop to cleanup systemd sockets Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/477/head:pr477 git checkout pr477 From cc7763c8456c28b79222920d304d41d264f3b6ca Mon Sep 17 00:00:00 2001 From: Nathaniel McCallumDate: Fri, 17 Feb 2017 09:10:14 -0500 Subject: [PATCH] Use RemoveOnStop to cleanup systemd sockets --- daemons/ipa-otpd/ipa-otpd.socket.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in index ce3596d..e98a73f 100644 --- a/daemons/ipa-otpd/ipa-otpd.socket.in +++ b/daemons/ipa-otpd/ipa-otpd.socket.in @@ -3,7 +3,7 @@ Description=ipa-otpd socket [Socket] ListenStream=@krb5rundir@/DEFAULT.socket -ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket +RemoveOnStop=true SocketMode=0600 Accept=true -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions
URL: https://github.com/freeipa/freeipa/pull/471 Title: #471: Fix some privilege separation regressions tiran commented: """ @HonzaCholasta, we got merge conflicts. """ See the full comment at https://github.com/freeipa/freeipa/pull/471#issuecomment-280659419 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket npmccallum commented: """ We shouldn't use either. We should use RemoveOnStop= now. """ See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280657734 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket simo5 commented: """ @tiran I do not know, @npmccallum may know. """ See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280656899 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" MartinBasti commented: """ Please create a backport PR for IPA 4.4.x """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-280656391 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/eaa87c75b9f57500265b2dc9480b996b2b92e1e3 """ See the full comment at https://github.com/freeipa/freeipa/pull/395#issuecomment-280656272 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][closed] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Author: flo-renaud Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/395/head:pr395 git checkout pr395 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][+pushed] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468 From f12cd62b561891c428ce0540c45e7a1ca71784a3 Mon Sep 17 00:00:00 2001 From: Simo SorceDate: Wed, 15 Feb 2017 04:44:59 -0500 Subject: [PATCH] Remove non-sensical kdestroy on https stop This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce --- install/share/ipa-httpd.conf.template | 2 +- ipaplatform/redhat/tasks.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index 8822066..17106f1 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] +Environment=KRB5CCNAME=/tmp/krb5-httpd Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY -ExecStopPost=$POST diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 5bddd14..a5f0077 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -458,7 +458,6 @@ def configure_httpd_service_ipa_conf(self): dict( KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, -POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) ) ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#395][+ack] Configure PKI ajp redirection to use "localhost" instead of "::1"
URL: https://github.com/freeipa/freeipa/pull/395 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1" Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop simo5 commented: """ Uhm I just tried setting KRB5CCNAME=/tmp/krb5_httpd in my install and ... I found out we do not actually generate an httpd ccache, so why are we trying to destroy the ccache again ? Anyway, I am going to add this Environment line to the unit file just in case, so that we can address the issue if we ever need a ccache. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280655007 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop simo5 commented: """ I guess we can simply set KRB5CCNAME=/tmp/krb5_httpd in the unit file and we should be ok then. @martbab or @mbasti, can you try that ? If it solves your scenario we can change this PR to replace the POST with that Env in the unit file. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280653150 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#454][closed] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454 Author: martbab Title: #454: Move AD trust installation code to a separate module Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/454/head:pr454 git checkout pr454 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#454][+pushed] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454 Title: #454: Move AD trust installation code to a separate module Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454 Title: #454: Move AD trust installation code to a separate module MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/98bf0cc9663ac281247ac8d9ee8488e3ab8102eb """ See the full comment at https://github.com/freeipa/freeipa/pull/454#issuecomment-280637842 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#454][+ack] Move AD trust installation code to a separate module
URL: https://github.com/freeipa/freeipa/pull/454 Title: #454: Move AD trust installation code to a separate module Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox
URL: https://github.com/freeipa/freeipa/pull/368 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox pvoborni commented: """ Code LGTM, but I did not tests the behavior, so cannot give ACK now. """ See the full comment at https://github.com/freeipa/freeipa/pull/368#issuecomment-280628318 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed
URL: https://github.com/freeipa/freeipa/pull/470 Title: #470: WebUI: Size limit warning on details pages fixed pvoborni commented: """ Would it be better to suppress the warning and use sensible size limit. I.e. the entity select doesn't need to show all entries. I'm afraid that it might have negative performance impact. """ See the full comment at https://github.com/freeipa/freeipa/pull/470#issuecomment-280627755 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#25][closed] Added install check before executing ipa-* command
URL: https://github.com/freeipa/freeipa/pull/25 Author: Akasurde Title: #25: Added install check before executing ipa-* command Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/25/head:pr25 git checkout pr25 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#476][opened] vault: cache the transport certificate on client
URL: https://github.com/freeipa/freeipa/pull/476 Author: HonzaCholasta Title: #476: vault: cache the transport certificate on client Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6652 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/476/head:pr476 git checkout pr476 From 0c51e0a6ab0cb4e08a8720f6eb45ba8b244682af Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Fri, 17 Feb 2017 11:25:17 +0100 Subject: [PATCH] vault: cache the transport certificate on client https://fedorahosted.org/freeipa/ticket/6652 --- ipaclient/plugins/vault.py | 173 --- ipaclient/remote_plugins/__init__.py | 3 +- ipaclient/remote_plugins/schema.py | 12 +-- ipalib/constants.py | 14 +++ 4 files changed, 158 insertions(+), 44 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 9efb1f1..52ffbd8 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -20,15 +20,17 @@ from __future__ import print_function import base64 +import errno import getpass import io import json import os import sys +import tempfile from cryptography.fernet import Fernet, InvalidToken from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.serialization import load_pem_public_key,\ @@ -37,12 +39,21 @@ import nss.nss as nss from ipaclient.frontend import MethodOverride +from ipalib import x509 +from ipalib.constants import USER_CACHE_PATH from ipalib.frontend import Local, Method, Object from ipalib.util import classproperty from ipalib import api, errors from ipalib import Bytes, Flag, Str from ipalib.plugable import Registry from ipalib import _ +from ipapython.dnsutil import DNSName +from ipapython.ipa_log_manager import log_mgr + +logger = log_mgr.get_logger(__name__) + +TRANSPORT_CERT_CACHE_PATH = ( +os.path.join(USER_CACHE_PATH, 'ipa', 'kra-transport-certs')) def validated_read(argname, filename, mode='r', encoding=None): @@ -169,6 +180,58 @@ def decrypt(data, symmetric_key=None, private_key=None): message=_('Invalid credentials')) +def get_cached_transport_cert(domain): +basename = DNSName(domain).ToASCII() + '.pem' +filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename) + +try: +try: +return x509.load_certificate_from_file(filename) +except EnvironmentError as e: +if e.errno != errno.ENOENT: +raise +except Exception as e: +logger.warning("Failed to load %s: %s", filename, e) + +raise KeyError(domain) + + +def set_cached_transport_cert(domain, cert): +basename = DNSName(domain).ToASCII() + '.pem' +filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename) + +try: +data = cert.public_bytes(serialization.Encoding.PEM) +try: +os.makedirs(TRANSPORT_CERT_CACHE_PATH) +except EnvironmentError as e: +if e.errno != errno.EEXIST: +raise +with tempfile.NamedTemporaryFile(dir=TRANSPORT_CERT_CACHE_PATH, + delete=False) as f: +f.write(data) +os.rename(f.name, filename) +except Exception as e: +logger.warning("Failed to save %s: %s", filename, e) + + +def del_cached_transport_cert(domain): +basename = DNSName(domain).ToASCII() + '.pem' +filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename) + +try: +try: +os.remove(filename) +return +except EnvironmentError as e: +if e.errno != errno.ENOENT: +raise +except Exception as e: +logger.warning("Failed to remove %s: %s", filename, e) + +raise KeyError(domain) + + @register(no_fail=True) class _fake_vault(Object): name = 'vault' @@ -765,27 +828,12 @@ def forward(self, *args, **options): # initialize NSS database nss.nss_init(api.env.nss_dir) -# retrieve transport certificate -config = self.api.Command.vaultconfig_show()['result'] -transport_cert_der = config['transport_cert'] -nss_transport_cert = nss.Certificate(transport_cert_der) - # generate session key mechanism = nss.CKM_DES3_CBC_PAD slot = nss.get_best_slot(mechanism) key_length = slot.get_best_key_length(mechanism) session_key = slot.key_gen(mechanism, None, key_length) -# wrap session key with transport certificate -# pylint: disable=no-member -public_key = nss_transport_cert.subject_public_key_info.public_key -#
[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install Akasurde commented: """ @MartinBasti Thanks for your comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624790 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install Akasurde commented: """ @stlaz Thanks for your comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624689 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c913f810715705c560ae8bd05a33084785f59583 """ See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624523 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][+pushed] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][closed] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Author: Akasurde Title: #421: Update warning message for replica install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/421/head:pr421 git checkout pr421 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install stlaz commented: """ Wonderful, thank you for your patch. """ See the full comment at https://github.com/freeipa/freeipa/pull/421#issuecomment-280624285 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][+ack] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Title: #421: Update warning message for replica install Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Author: Akasurde Title: #421: Update warning message for replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/421/head:pr421 git checkout pr421 From d0a8a4404159ca92970a3e03b92c65512854c3a1 Mon Sep 17 00:00:00 2001 From: Abhijeet KasurdeDate: Mon, 30 Jan 2017 19:22:12 +0530 Subject: [PATCH] Update warning message for replica install New warning message in replica install describes more about "insufficient privilege" error Fixes https://fedorahosted.org/freeipa/ticket/6352 Signed-off-by: Abhijeet Kasurde --- ipaserver/install/server/replicainstall.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 0d3a69f..84e86a9 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1245,7 +1245,11 @@ def promote_check(installer): except errors.ACIError: root_logger.debug(traceback.format_exc()) -raise ScriptError("\nInsufficient privileges to promote the server.") +raise ScriptError("\nInsufficient privileges to promote the server." + "\nPossible issues:" + "\n- A user has insufficient privileges" + "\n- This client has insufficient privileges " + "to become an IPA replica") except errors.LDAPError: root_logger.debug(traceback.format_exc()) raise ScriptError("\nUnable to connect to LDAP server %s" % -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][+pushed] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/53c8e9a53f026d83d5328896d1ea0cf72690cf24 """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280623004 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][closed] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Author: MartinBasti Title: #429: [py3] ipactl restart: log httplib failues as debug Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/429/head:pr429 git checkout pr429 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop tiran commented: """ That's my point. Why is the ccache file not stored in ```PrivateTmp```? The ccache can be removed at any time. It doesn't have to be retained. ```PrivateTmp``` solves the issue for us. We just have to figure out how to combine ```tmpfiles.d``` with ```PrivateTmp``` to create ```/var/run/apache``` in private temp. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280621569 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server lslebodn commented: """ On (17/02/17 01:12), Petr Vobornik wrote: >I still fail to see why we should care about `make dist` with `configure >--disable-server` this is not a combination of options which should be used >together, there is no point in it except theoretical exercise. > `make dist` works >> then I will need to send PR to fix client-only build and it will not install >> ipatests with --disable-server. > >Why? The main problem with `client-only` build and `ipatests` is that there are not test for it. * all integration test assume that server will be installed first and not that server is already available somewhere. * unit test should be run as part of build (e.g. `make check`) So there is not any reason to install `ipatests` for client only build. Client only build was tested just in downstream :-( LS """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280621474 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop abbra commented: """ @tiran we do use PrivateTmp already. This is not about PrivateTmp, though, because we don't store credentials caches in a private tmp. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280618508 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop tiran commented: """ How about we use systemd PrivateTmp for temporary files? It is not only more secure but it also automatically removes all temporary files when the service is stopped: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp= """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280617436 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket tiran commented: """ Would you rather use ```/usr/bin/rm -f``` to only ignore missing files but propagate permission errors? I'm not sure why unlink was used in favor of rm. @simo5 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280604757 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Title: #468: Remove non-sensical kdestroy on https stop abbra commented: """ Yes, when namespaced /tmp is used, unit file does not have any view into that. """ See the full comment at https://github.com/freeipa/freeipa/pull/468#issuecomment-280604409 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests
URL: https://github.com/freeipa/freeipa/pull/475 Author: tiran Title: #475: Add options to run only ipaclient unittests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/475/head:pr475 git checkout pr475 From e9a2ebd82cc4a3e612d068258bece9ddf202914f Mon Sep 17 00:00:00 2001 From: Christian HeimesDate: Fri, 17 Feb 2017 08:39:54 +0100 Subject: [PATCH] Add options to run only ipaclient unittests A new option for ipa-run-tests makes the test runner ignore subdirectories or skips tests that depend on the ipaserver package or on a running framework for RPC integration tests. The new option enables testing of client-only builds. $ ipatests/ipa-run-tests --ipaclient-unittests ... platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1 rootdir: /home/heimes/redhat, inifile: tox.ini plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1 collected 451 items test_util.py util.py .. test_ipaclient/test_csrgen.py ..... test_ipalib/test_aci.py ... test_ipalib/test_backend.py test_ipalib/test_base.py ... test_ipalib/test_capabilities.py . test_ipalib/test_cli.py ... test_ipalib/test_config.py ... test_ipalib/test_crud.py ... test_ipalib/test_errors.py ... test_ipalib/test_frontend.py test_ipalib/test_messages.py test_ipalib/test_output.py ... test_ipalib/test_parameters.py . test_ipalib/test_plugable.py test_ipalib/test_rpc.py .. test_ipalib/test_text.py . test_ipalib/test_x509.py ... test_ipapython/test_cookie.py test_ipapython/test_dn.py ... test_ipapython/test_ipautil.py .. test_ipapython/test_ipavalidate.py .. test_ipapython/test_kerberos.py .. test_ipapython/test_keyring.py .. test_ipapython/test_ssh.py ... test_pkcs10/test_pkcs10.py . https://fedorahosted.org/freeipa/ticket/6517 Signed-off-by: Christian Heimes --- ipatests/conftest.py | 63 +- ipatests/setup.py | 1 - ipatests/test_ipaclient/test_csrgen.py | 1 + ipatests/test_ipalib/test_rpc.py | 2 ++ ipatests/util.py | 15 ++-- 5 files changed, 78 insertions(+), 4 deletions(-) diff --git a/ipatests/conftest.py b/ipatests/conftest.py index 511d7b7..6c13e23 100644 --- a/ipatests/conftest.py +++ b/ipatests/conftest.py @@ -3,17 +3,26 @@ # from __future__ import print_function +import fnmatch import os import pprint +import re import sys +import pytest + from ipalib import api from ipalib.cli import cli_plugins try: +import ipaplatform +except ImportError: +ipaplatform = None +try: import ipaserver except ImportError: ipaserver = None +HERE = os.path.dirname(os.path.abspath(__file__)) pytest_plugins = [ 'ipatests.pytest_plugins.additional_config', @@ -31,6 +40,7 @@ 'tier1: functional API tests', 'cs_acceptance: Acceptance test suite for Dogtag Certificate Server', 'ds_acceptance: Acceptance test suite for 389 Directory Server', +'skip_ipaclient_unittest: Skip in ipaclient unittest mode', ] @@ -46,6 +56,28 @@ 'install/share' ] + +SKIP_IPASERVER_PATTERNS = [ +# fnmatch patterns +'test_cmdline/*', +'test_install/*', +'test_integration/*', +'test_ipaserver/*', +'test_webui/*', +'test_xmlrpc/*' +] + +if ipaplatform is None: +# test depends on ipaplatform +SKIP_IPASERVER_PATTERNS.append('test_ipaclient/test_csrgen.py') + +SKIP_IPASERVER_RE = re.compile( +'(' + +'|'.join(fnmatch.translate(pat) for pat in SKIP_IPASERVER_PATTERNS) + +')' +) + + INIVALUES = { 'python_classes': ['test_', 'Test'], 'python_files': ['test_*.py'], @@ -75,13 +107,27 @@ def pytest_configure(config): config.option.doctestmodules = True +def pytest_addoption(parser): +group = parser.getgroup("IPA integration tests") +group.addoption( +'--ipaclient-unittests', +help='Run ipaclient unit tests only (no RPC and ipaserver)', +action='store_true' +) + + def pytest_cmdline_main(config): api.bootstrap( context=u'cli', in_server=False, in_tree=True, fallback=False ) for klass in cli_plugins: api.add_plugin(klass) -api.finalize() + +# XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has +# been resolved. +if ipaserver is not None: +api.finalize() + if config.option.verbose: print('api.env: ') pprint.pprint({k: api.env[k] for k in api.env}) @@ -89,3 +135,18 @@ def
[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug stlaz commented: """ Thanks, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280602243 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][+ack] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug MartinBasti commented: """ Ticket corrected, commit msg ammended """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280601652 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][synchronized] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Author: MartinBasti Title: #429: [py3] ipactl restart: log httplib failues as debug Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/429/head:pr429 git checkout pr429 From 06181a8276edfdaf64402a29faf0cb26fda269bd Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 31 Jan 2017 22:51:31 +0100 Subject: [PATCH] ipactl restart: log httplib failues as debug There are several excerptions ConnectionRefusedError raised before ipactl is able to connect to dogtag after restart. These exception should be logged on debug level until timeout is reached. https://fedorahosted.org/freeipa/ticket/6674 --- ipapython/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 01fc5cb..b171754 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -209,7 +209,7 @@ def _httplib_request( http_body = res.read() conn.close() except Exception as e: -root_logger.exception("httplib request failed:") +root_logger.debug("httplib request failed:", exc_info=True) raise NetworkError(uri=uri, error=str(e)) root_logger.debug('response status %d',http_status) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install
URL: https://github.com/freeipa/freeipa/pull/421 Author: Akasurde Title: #421: Update warning message for replica install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/421/head:pr421 git checkout pr421 From b3508ec22b69df42ad78298a8a2e85a0a845ff69 Mon Sep 17 00:00:00 2001 From: Abhijeet KasurdeDate: Mon, 30 Jan 2017 19:22:12 +0530 Subject: [PATCH] Update warning message for replica install New warning message in replica install describes more about "insufficient privilege" error Fixes https://fedorahosted.org/freeipa/ticket/6352 Signed-off-by: Abhijeet Kasurde --- ipaserver/install/server/replicainstall.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 0d3a69f..9b9bc05 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1245,7 +1245,11 @@ def promote_check(installer): except errors.ACIError: root_logger.debug(traceback.format_exc()) -raise ScriptError("\nInsufficient privileges to promote the server.") +raise ScriptError("\nInsufficient privileges to promote the server." + "\nPossible issues:" + "\n- A user has insufficient privileges" + "\n- This Client has insufficient privileges " + "to become an IPA replica") except errors.LDAPError: root_logger.debug(traceback.format_exc()) raise ScriptError("\nUnable to connect to LDAP server %s" % -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug
URL: https://github.com/freeipa/freeipa/pull/429 Title: #429: [py3] ipactl restart: log httplib failues as debug stlaz commented: """ I don't see what this has to do with Py3. The issue is the same on Py2. Swap the ticket for the one of @tiran and I'll ack this. If this gets triaged for 4.4 as well we can backport it later. """ See the full comment at https://github.com/freeipa/freeipa/pull/429#issuecomment-280600572 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b3c41f21e51e5389d95b5486dcdfdc3f9a8b0424 """ See the full comment at https://github.com/freeipa/freeipa/pull/394#issuecomment-280599222 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#394][closed] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Author: Akasurde Title: #394: Add fix for ipa plugins command Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/394/head:pr394 git checkout pr394 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#394][+pushed] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#394][+ack] Add fix for ipa plugins command
URL: https://github.com/freeipa/freeipa/pull/394 Title: #394: Add fix for ipa plugins command Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Author: stlaz Title: #464: Bump required python-cryptography version Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/464/head:pr464 git checkout pr464 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/66867319d903f7693a535471d3b81716a258ce9d """ See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280597487 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][comment] Add password file to certutil calls in ipapython.certdb module
URL: https://github.com/freeipa/freeipa/pull/446 Title: #446: Add password file to certutil calls in ipapython.certdb module MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ca457eb5ce12291f555f1bf771114d6d7d191987 https://fedorahosted.org/freeipa/changeset/b20b0489ea06931bfa7d46bdbd6623bc3f09219b """ See the full comment at https://github.com/freeipa/freeipa/pull/446#issuecomment-280597237 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][+pushed] Add password file to certutil calls in ipapython.certdb module
URL: https://github.com/freeipa/freeipa/pull/446 Title: #446: Add password file to certutil calls in ipapython.certdb module Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#446][closed] Add password file to certutil calls in ipapython.certdb module
URL: https://github.com/freeipa/freeipa/pull/446 Author: stlaz Title: #446: Add password file to certutil calls in ipapython.certdb module Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/446/head:pr446 git checkout pr446 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server pvoborni commented: """ I still fail to see why we should care about `make dist` with `configure --disable-server` this is not a combination of options which should be used together, there is no point in it except theoretical exercise. > then I will need to send PR to fix client-only build and it will not install > ipatests with --disable-server. Why? """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-280596786 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Title: #464: Bump required python-cryptography version stlaz commented: """ @martbab Sure, done. """ See the full comment at https://github.com/freeipa/freeipa/pull/464#issuecomment-280596751 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version
URL: https://github.com/freeipa/freeipa/pull/464 Author: stlaz Title: #464: Bump required python-cryptography version Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/464/head:pr464 git checkout pr464 From 0f2477c98be82817736dbfe6cb94ecc0cf7a423f Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Thu, 16 Feb 2017 16:14:24 +0100 Subject: [PATCH] Bump python-cryptography version in ipasetup.py.in When bumping version of python-cryptography in freeipa.spec.in, ipasetup.py.in was forgotten about. https://fedorahosted.org/freeipa/ticket/6631 --- ipasetup.py.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipasetup.py.in b/ipasetup.py.in index c221e0d..915f0ed 100644 --- a/ipasetup.py.in +++ b/ipasetup.py.in @@ -63,7 +63,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0): PACKAGE_VERSION = { -'cryptography': 'cryptography >= 1.3.1', +'cryptography': 'cryptography >= 1.4', 'dnspython': 'dnspython >= 1.15', 'gssapi': 'gssapi >= 1.2.0', 'ipaclient': 'ipaclient == {}'.format(VERSION), -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465 Title: #465: Tests: search for disabled users MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/79b3fbf97d66adb1f5c960e5473b90f85cbe145a """ See the full comment at https://github.com/freeipa/freeipa/pull/465#issuecomment-280595632 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#465][+pushed] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465 Title: #465: Tests: search for disabled users Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#465][closed] Tests: search for disabled users
URL: https://github.com/freeipa/freeipa/pull/465 Author: MartinBasti Title: #465: Tests: search for disabled users Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/465/head:pr465 git checkout pr465 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#396][+pushed] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396 Title: #396: Explicitly remove support of SSLv2 Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396 Title: #396: Explicitly remove support of SSLv2 MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ac6f573a3014aa09811ca1559d470afe75eadbec """ See the full comment at https://github.com/freeipa/freeipa/pull/396#issuecomment-280595283 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#474][comment] Update man page of ipa-server-install
URL: https://github.com/freeipa/freeipa/pull/474 Title: #474: Update man page of ipa-server-install Akasurde commented: """ @martbab @stlaz Thanks for review """ See the full comment at https://github.com/freeipa/freeipa/pull/474#issuecomment-280595269 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#396][closed] Explicitly remove support of SSLv2
URL: https://github.com/freeipa/freeipa/pull/396 Author: stlaz Title: #396: Explicitly remove support of SSLv2 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/396/head:pr396 git checkout pr396 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches
URL: https://github.com/freeipa/freeipa/pull/473 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches MartinBasti commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c https://fedorahosted.org/freeipa/changeset/d0642bfa55e9c24429675f623bc0e35824bc9fb0 """ See the full comment at https://github.com/freeipa/freeipa/pull/473#issuecomment-280593308 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code