[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

HonzaCholasta commented:
"""
Upgrade from 4.4.3 asks for a PKCS#12 file password and then fails:
```
  Cleanup : freeipa-server-common-4.4.3-1.fc25.noarch   14/16
  Cleanup : freeipa-client-common-4.4.3-1.fc25.noarch   15/16
  Cleanup : freeipa-common-4.4.3-1.fc25.noarch  16/16
Enter password for PKCS12 file: 
Re-enter password: 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket': 
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
  Verifying   : freeipa-client-4.4.90.dev201703010721+git5bb660e-0.fc25.x86_64  1/16
  Verifying   : freeipa-client-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch   2/16
  Verifying   : freeipa-common-4.4.90.dev201703010721+git5bb660e-0.fc25.noarch  3/16
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-283270033
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Hi @simo5 
The command must also be able to return matching entries coming from trusted 
domains, and SSSD is able to handle this part for us.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283265803

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
@stlaz Thanks. Then we'd really rather wait for 0.6.3.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283264733

[Freeipa-devel] [freeipa PR#522][edited] dogtag: remove redundant property definition

2017-02-28 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/522
Author: frasertweedale
 Title: #522: dogtag: remove redundant property definition
Action: edited

 Changed field: body
Original value:
"""
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473
"""


[Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

HonzaCholasta commented:
"""
Could we please revert to the original `IPAConfig` implementation rather than 
wrapping around `api.env`? I know I'm the one who suggested it, but I have 
given it some thought and I would rather not have to import from `ipalib` into 
`ipapython` and keep the original behavior intact.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/515#issuecomment-283260315

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

stlaz commented:
"""
@dkupka Those fixes should allow us to set up trusts again (more or less).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283261093

[Freeipa-devel] [freeipa PR#520][comment] Change README to use Markdown

2017-02-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/520
Title: #520: Change README to use Markdown

stlaz commented:
"""
https://github.com/freeipa/freeipa/pull/518 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/520#issuecomment-283261220

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

abbra commented:
"""
nsaccountlock is an operational attribute, not a normal one. I don't like it 
being created all the time. You have to request it explicitly if you want to 
show status of users, not invent a mechanism to always add it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283260530

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

dkupka commented:
"""
@puiterwijk @MartinBasti with the redirection working it's not needed. But I 
should get used to pasting links to pagure. Updated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283260762

[Freeipa-devel] [freeipa PR#511][synchronized] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/511
Author: dkupka
 Title: #511: Bump required version of gssproxy to 0.6.2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/511/head:pr511
git checkout pr511
From 4623a43e11adad1cedc22cecf45b6c02c539528f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Mon, 27 Feb 2017 09:15:13 +0100
Subject: [PATCH] Bump required version of gssproxy to 0.6.2

https://pagure.io/freeipa/issue/6698
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..f74ffed 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,8 +267,8 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
-# Require 0.6.0 for the new delegation access control features
-Requires: gssproxy >= 0.6.0
+# Require 0.6.2 for https://pagure.io/freeipa/issue/6698
+Requires: gssproxy >= 0.6.2
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
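Review bot: The new spec comment above `Requires: gssproxy >= 0.6.2` gives only a ticket URL, where the comment it replaces said in words why the minimum version was needed ("for the new delegation access control features"). Someone reading the spec file offline cannot tell what 0.6.2 fixes; add a short description next to the link. The commit message body is also just the URL and would benefit from the same one-line summary.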

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

HonzaCholasta commented:
"""
No, it's not the right approach. This is an issue in the framework and that's 
where it needs to be fixed - in the framework - rather than working around the 
issue in every plugin which hits it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283257953

[Freeipa-devel] [freeipa PR#523][opened] cert-request: minor refactors

2017-02-28 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/523
Author: frasertweedale
 Title: #523: cert-request: minor refactors
Action: opened

PR body:
"""
A couple of minor refactors done as part of GSS-API work
(https://pagure.io/freeipa/issue/5011).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/523/head:pr523
git checkout pr523
From 2d85605be3cded5025426ed61e6833fcf9975012 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 25 Jan 2017 15:51:46 +1000
Subject: [PATCH 1/2] Remove redundant principal_type argument

Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.

Part of: https://pagure.io/freeipa/issue/5011
---
 ipaserver/plugins/caacl.py |  8 +++-
 ipaserver/plugins/cert.py  | 13 +
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..ff1178a 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -151,7 +151,13 @@ def _acl_make_rule(principal_type, obj):
 return rule
 
 
-def acl_evaluate(principal_type, principal, ca_id, profile_id):
+def acl_evaluate(principal, ca_id, profile_id):
+if principal.is_user:
+principal_type = 'user'
+elif principal.is_host:
+principal_type = 'host'
+else:
+principal_type = 'service'
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
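Review bot: In the new `acl_evaluate`, the `else:` branch labels every principal that is neither a user nor a host as `'service'`, so any other kind of principal is silently evaluated against the service CA ACL rules. Since this function decides whether a certificate may be issued, consider testing for a service principal explicitly and raising for anything else, and add a docstring stating which principal kinds the function accepts.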
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 585a70e..46518d9 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -200,11 +200,9 @@ def ca_enabled_check(_api):
 if not _api.Command.ca_is_enabled()['result']:
 raise errors.NotFound(reason=_('CA is not configured'))
 
-def caacl_check(principal_type, principal, ca, profile_id):
-principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'}
-if not acl_evaluate(
-principal_type_map[principal_type],
-principal, ca, profile_id):
+
+def caacl_check(principal, ca, profile_id):
+if not acl_evaluate(principal, ca, profile_id):
 raise errors.ACIError(info=_(
 "Principal '%(principal)s' "
 "is not permitted to use CA '%(ca)s' "
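Review bot: The removed `principal_type_map[principal_type]` lookup in `caacl_check` raised `KeyError` for any type outside USER, HOST and SERVICE, so a call with a KRBTGT principal failed loudly. After this change the function accepts any principal, and correctness depends on callers keeping their `if principal_type == KRBTGT:` guard before calling it. A comment or an explicit check inside `caacl_check` stating that krbtgt principals must not reach it would keep that invariant visible.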
@@ -599,7 +597,7 @@ def execute(self, csr, all=False, raw=False, **kw):
 if principal_type == KRBTGT:
 ca_kdc_check(ldap, bind_principal.hostname)
 else:
-caacl_check(principal_type, principal, ca, profile_id)
+caacl_check(principal, ca, profile_id)
 
 try:
 csr_obj = pkcs10.load_certificate_request(csr)
@@ -756,8 +754,7 @@ def execute(self, csr, all=False, raw=False, **kw):
 if principal_type == KRBTGT:
 ca_kdc_check(ldap, alt_principal.hostname)
 else:
-caacl_check(principal_type, alt_principal, ca,
-profile_id)
+caacl_check(alt_principal, ca, profile_id)
 
 elif isinstance(gn, (x509.KRB5PrincipalName, x509.UPN)):
 if principal_type == KRBTGT:

From 4aa4ecea14827387d9e9430790d8a453a7fa9c96 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 25 Jan 2017 16:14:59 +1000
Subject: [PATCH 2/2] Extract method to map principal to princpal type

Part of: https://pagure.io/freeipa/issue/5011
---
 ipaserver/plugins/cert.py | 29 ++---
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 46518d9..b53caf4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -558,29 +558,17 @@ def execute(self, csr, all=False, raw=False, **kw):
 
 principal = kw.get('principal')
 principal_string = unicode(principal)
+principal_type = principal_to_principal_type(principal)
 
-if principal.is_user:
-principal_type = USER
-elif principal.is_host:
-principal_type = HOST
-elif principal.service_name == 'krbtgt':
-principal_type = KRBTGT
+if principal_type == KRBTGT:
 if profile_id != self.Backend.ra.KDC_PROFILE:
 raise errors.ACIError(
 info=_("krbtgt certs can use only the %s profile") % (
self.Backend.ra.KDC_PROFILE))
-else:
-principal_type = SERVICE
 
 bind_principal = kerberos.Principal(getattr(context, 'principal'))
 bind_principal_string = unicode(bind_principal)
-
-if bind_principal.is_user:
-bind_principal_type = USER
-elif bind_principal.is_host:
-
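Review bot: `principal_to_principal_type(principal)` replaces an if/elif chain whose order matters: the removed code tests `principal.service_name == 'krbtgt'` before falling back to SERVICE. The helper's body is not visible in this part of the diff; make sure it keeps that order and give it a docstring listing the four return values, because the krbtgt profile restriction that follows (`if principal_type == KRBTGT:`) depends on it.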

[Freeipa-devel] [freeipa PR#522][opened] dogtag: remove redundant property definition

2017-02-28 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/522
Author: frasertweedale
 Title: #522: dogtag: remove redundant property definition
Action: opened

PR body:
"""
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/522/head:pr522
git checkout pr522
From f9abbd4e4e950572e1256c7031ee49147826c8c0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 10 Nov 2016 19:05:21 +1000
Subject: [PATCH] dogtag: remove redundant property definition

The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473
---
 ipaserver/plugins/dogtag.py | 20 
 1 file changed, 20 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 6ff6d29..2ceadb5 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1386,26 +1386,6 @@ def raise_certificate_operation_error(self, func_name, err_msg=None, detail=None
 self.error('%s.%s(): %s', type(self).__name__, func_name, err_msg)
 raise errors.CertificateOperationError(error=err_msg)
 
-@cachedproperty
-def ca_host(self):
-"""
-:return:   host
-   as str
-
-Select our CA host.
-"""
-ldap2 = self.api.Backend.ldap2
-if host_has_service(api.env.ca_host, ldap2, "CA"):
-return api.env.ca_host
-if api.env.host != api.env.ca_host:
-if host_has_service(api.env.host, ldap2, "CA"):
-return api.env.host
-host = select_any_master(ldap2)
-if host:
-return host
-else:
-return api.env.ca_host
-
 def _request(self, url, port, **kw):
 """
 :param url: The URL to post to.
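Review bot: The removed `ca_host` is a `@cachedproperty` that falls back through `api.env.ca_host`, `api.env.host` and `select_any_master(ldap2)`; the commit message says `RestClient` defines it identically, but that definition is not shown in this diff. Please confirm the inherited version is also cached and uses the same fallback order, and name in the commit message the commit that made `RestClient` a superclass of `ra` so the claim can be checked.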

[Freeipa-devel] [freeipa PR#521][edited] Add nsaccountlock to user attributes when a new user is created

2017-02-28 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/521
Author: redhatrises
 Title: #521: Add nsaccountlock to user attributes when a new user is created
Action: edited

 Changed field: body
Original value:
"""
This adds the `nsaccountlock` attribute to a user upon account creation. This 
addresses newly created accounts; however, it does not address the issue of 
existing accounts. If `nsaccountlock` does not exist for a user, `ipa user-find 
--disabled=False` should return `Accounts disabled: False`. 

So, the question is how to deal with `nsaccountlock` missing in existing user 
accounts? I am not sure how to extend the framework to return `Accounts 
disabled: False` if `nsaccountlock` is NoneType. 

For more info, see @MartinBasti's post merge comments in #444 
"""


[Freeipa-devel] [freeipa PR#521][opened] Add nsaccountlock to user attributes when a new user is created

2017-02-28 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/521
Author: redhatrises
 Title: #521: Add nsaccountlock to user attributes when a new user is created
Action: opened

PR body:
"""
This adds the `nsaccountlock` attribute to a user upon account creation. This 
addresses newly created accounts; however, it does not address the issue of 
existing accounts. If `nsaccountlock` does not exist for a user, `ipa user-find 
--disabled=False` should return `Accounts disabled: False`. 

So, the question is how to deal with `nsaccountlock` missing in existing user 
accounts? I am not sure how to extend the framework to return `Accounts 
disabled: False` if `nsaccountlock` is NoneType. 

For more info, see @MartinBasti's post merge comments in #444 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/521/head:pr521
git checkout pr521
From a0111657d32a6429b84b7d26e2f2de579241da54 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 28 Feb 2017 13:52:07 -0700
Subject: [PATCH] Add nsaccountlock to user attributes when a new user is
 created

---
 ipaserver/plugins/baseuser.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 75cf7d8..6295f87 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -466,6 +466,7 @@ def pre_common_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
 **options):
 assert isinstance(dn, DN)
 set_krbcanonicalname(entry_attrs)
+convert_nsaccountlock(entry_attrs)
 self.obj.convert_usercertificate_pre(entry_attrs)
 
 def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
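Review bot: `convert_nsaccountlock(entry_attrs)` is added to `pre_common_callback`, whose name indicates it is shared by more than the add path, while the subject line promises the attribute only "when a new user is created". If the callback also runs for other operations, the conversion will be applied there too; either move the call to the add-specific pre-callback or state the wider effect in the commit message. The commit message has no body and no ticket link, and the patch carries no test for the new behaviour.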

[Freeipa-devel] [freeipa PR#520][opened] Change README to use Markdown

2017-02-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/520
Author: pvoborni
 Title: #520: Change README to use Markdown
Action: opened

PR body:
"""
So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.

Temporary preview on: https://pagure.io/pvoborni-test
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/520/head:pr520
git checkout pr520
From 773512bcacfac3b2847d952de81ede915eba841d Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Tue, 28 Feb 2017 19:04:03 +0100
Subject: [PATCH] Change README to use Markdown

So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.
---
 README| 92 ---
 README.md | 74 ++
 2 files changed, 74 insertions(+), 92 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at .
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  .
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   .
-
- * If you have a bug report please submit it at:
-   
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-    or join
-   us in IRC at irc://irc.freenode.net/freeipa
diff --git a/README.md b/README.md
new file mode 100644
index 000..1cbb49e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,74 @@
+FreeIPA Server
+==
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of installation and configuration tasks.
+
+FreeIPA can seamlessly integrate into an Active Directory environment via

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

simo5 commented:
"""
Why do we need to talk to SSSD to do this?
Don't we have all the needed data in LDAP already?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283115629

[Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

2017-02-28 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

tiran commented:
"""
I can add a deprecation warning after we have agreed upon a new API. What's the 
official way to get the values w/o requiring credentials?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/515#issuecomment-283111844

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread puiterwijk
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

puiterwijk commented:
"""
@MartinBasti Yeah, I know. I just figured that since it's not merged yet, we 
might as well just change it :).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283108095

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

MartinBasti commented:
"""
@puiterwijk It shouldn't be an issue with 
https://pagure.io/fedora-infrastructure/issue/5845 fixed :)
but yes since this is not acked yet commit should be updated
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283107213
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2

2017-02-28 Thread puiterwijk
  URL: https://github.com/freeipa/freeipa/pull/511
Title: #511: Bump required version of gssproxy to 0.6.2

puiterwijk commented:
"""
Perhaps it'd be an idea to update the ticket link in the code to 
https://pagure.io/freeipa/issue/6698 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/511#issuecomment-283099335

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-28 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
I pushed an alternative approach that checks for the option and raises skip in 
packages. It needs some extra workaround in the integration plugin.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-283098644

[Freeipa-devel] [freeipa PR#515][comment] Re-add ipapython.config.config for backwards compatibilty

2017-02-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/515
Title: #515: Re-add ipapython.config.config for backwards compatibilty

MartinBasti commented:
"""
IIRC we agreed that there should be a warning that this is deprecated and 
`api.env` should be used instead.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/515#issuecomment-283098177

[Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests

2017-02-28 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
From e9a2ebd82cc4a3e612d068258bece9ddf202914f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Feb 2017 08:39:54 +0100
Subject: [PATCH 1/2] Add options to run only ipaclient unittests

A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py   | 63 +-
 ipatests/setup.py  |  1 -
 ipatests/test_ipaclient/test_csrgen.py |  1 +
 ipatests/test_ipalib/test_rpc.py   |  2 ++
 ipatests/util.py   | 15 ++--
 5 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 511d7b7..6c13e23 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,17 +3,26 @@
 #
 from __future__ import print_function
 
+import fnmatch
 import os
 import pprint
+import re
 import sys
 
+import pytest
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
+import ipaplatform
+except ImportError:
+ipaplatform = None
+try:
 import ipaserver
 except ImportError:
 ipaserver = None
 
+HERE = os.path.dirname(os.path.abspath(__file__))
 
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
@@ -31,6 +40,7 @@
 'tier1: functional API tests',
 'cs_acceptance: Acceptance test suite for Dogtag Certificate Server',
 'ds_acceptance: Acceptance test suite for 389 Directory Server',
+'skip_ipaclient_unittest: Skip in ipaclient unittest mode',
 ]
 
 
@@ -46,6 +56,28 @@
 'install/share'
 ]
 
+
+SKIP_IPASERVER_PATTERNS = [
+# fnmatch patterns
+'test_cmdline/*',
+'test_install/*',
+'test_integration/*',
+'test_ipaserver/*',
+'test_webui/*',
+'test_xmlrpc/*'
+]
+
+if ipaplatform is None:
+# test depends on ipaplatform
+SKIP_IPASERVER_PATTERNS.append('test_ipaclient/test_csrgen.py')
+
+SKIP_IPASERVER_RE = re.compile(
+'(' +
+'|'.join(fnmatch.translate(pat) for pat in SKIP_IPASERVER_PATTERNS) +
+')'
+)
+
+
 INIVALUES = {
 'python_classes': ['test_', 'Test'],
 'python_files': ['test_*.py'],
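Review bot: `SKIP_IPASERVER_PATTERNS.append('test_ipaclient/test_csrgen.py')` puts an ipaplatform dependency into a list whose name says ipaserver, so the name stops describing the contents as soon as ipaplatform is missing. A neutral name, or a second list for ipaplatform-dependent tests, would keep the intent readable. It would also help to say in the `# fnmatch patterns` comment what path the compiled `SKIP_IPASERVER_RE` is matched against (relative to the `ipatests` directory, judging by the entries), since the code that applies it is not in this hunk.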
@@ -75,13 +107,27 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--ipaclient-unittests',
+help='Run ipaclient unit tests only (no RPC and ipaserver)',
+action='store_true'
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
 context=u'cli', in_server=False, in_tree=True, fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
-api.finalize()
+
+# XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has
+# been resolved.
+if ipaserver is not None:
+api.finalize()
+
 if config.option.verbose:
 print('api.env: ')
 pprint.pprint({k: api.env[k] for k in api.env})
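Review bot: the `if ipaserver is not None:` guard around `api.finalize()` keys the workaround to whether the import succeeded, not to the new `--ipaclient-unittests` option, so a full run on a machine where ipaserver fails to import gets an unfinalized API with no message. Tie the skip to the option, or at least print a note in the `config.option.verbose` branch when finalize is skipped. Minor: the option is registered under the "IPA integration tests" group although its help text says it selects unit tests.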
@@ -89,3 +135,18 @@ def 

[Freeipa-devel] [freeipa PR#519][comment] WebUI: add sizelimit:0 to cert-find

2017-02-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/519
Title: #519: WebUI: add sizelimit:0 to cert-find

pvoborni commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/519#issuecomment-283096563

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
@redhatrises IMO for new users we can always create that attribute in LDAP, 
that should limit bad behavior. I wouldn't add it to user-add, usually you 
want to create an enabled user, for disabled you can use stage-user.  I hope 
that activating a stage user creates this attribute in LDAP as well.

However, this needs a discussion about whether it is the right approach.

BTW you can open a new PR we shouldn't continue here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283096060

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-28 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
Oh my, every time I think about something nice that should work there is some 
corner case that ruins it.

I guess that one way to work around it would be to keep the `try: ... except 
ImportError` guards in the offending modules and add skip markers like 
`@pytest.mark.skipif(ipaserver is None, reason="ipaserver module unavailable")` 
or skip whole modules.

As a side note, I really wish that our test suite would be a little less... um, 
special.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-283084101

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-28 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
I'm not a big fan either. Can you come up with a better solution that does not 
result in import errors? Because the module marker or class markers still 
import the whole module. For client-only tests, ipaserver is not available. For 
Python packaging builds, neither ipaserver nor ipaplatform are available. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-283079924
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

redhatrises commented:
"""
@MartinBasti sorry for the late reply, but yes, this is a bug. If 
'nsaccountlock' doesn't exist, it should return as `Account disabled = False`. 
I know this PR is already closed, but should we add 'nsaccountlock' on `ipa 
user-add`? 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-283073133
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-28 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
I am not a big fan of mixing filename matching and markers in this PR. I feel 
that using only one of those approaches is a cleaner solution and it seems 
that marking all the tests and then running a subset using the pytest's marker 
selection API looks like the easiest road.

It seems like a daunting task but it may actually be easier given that you can 
mark whole modules[1] or even generate marker dynamically by introspecting node 
IDs during test collection[2].

You can ultimately provide an option as an alias for selecting/deselecting 
markers as needed if you like but the underlying implementation will be cleaner 
as a result.

[1] 
http://doc.pytest.org/en/latest/example/markers.html#marking-whole-classes-or-modules
[2] 
http://doc.pytest.org/en/latest/example/markers.html#automatically-adding-markers-based-on-test-names
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-283073142
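The two selection strategies debated in the PR#475 comments above (markers generated from node IDs, and the objection that markers still import the module), as an added example that is not FreeIPA's conftest.py. The `--client-only` option, the `needs_ipaserver` marker and the pattern list are hypothetical; the `collection_path` hook argument assumes pytest 7 or later, and node IDs are assumed to be relative to the directory holding this file.

```python
# conftest.py sketch (added example, not the project's code).
import fnmatch
import os

HERE = os.path.dirname(os.path.abspath(__file__))

# Constructed list, modelled on the directory names that appear in the PR.
SERVER_ONLY = ["test_ipaserver/*", "test_xmlrpc/*", "test_integration/*"]
SERVER_MARKER = "needs_ipaserver"  # hypothetical marker name


def relative_posix(path, root=HERE):
    """Path of a collected file relative to the test root, '/'-separated."""
    return os.path.relpath(str(path), root).replace(os.sep, "/")


def is_server_only(relpath):
    """True if the relative path falls under a server-only pattern."""
    return any(fnmatch.fnmatchcase(relpath, pat) for pat in SERVER_ONLY)


def marker_for_nodeid(nodeid):
    """Derive a marker from a node ID such as 'dir/test_x.py::Class::test'."""
    relpath = nodeid.split("::", 1)[0]
    return SERVER_MARKER if is_server_only(relpath) else None


def pytest_addoption(parser):
    parser.addoption(
        "--client-only", action="store_true",
        help="hypothetical option: leave out everything that needs ipaserver")


def pytest_configure(config):
    # Register the marker so strict marker checking accepts it.
    config.addinivalue_line(
        "markers", SERVER_MARKER + ": test needs the ipaserver package")


def pytest_ignore_collect(collection_path, config):
    """Filename approach: called BEFORE the file is imported.

    Returning True keeps pytest from importing the module at all, so a
    missing ipaserver package cannot raise ImportError during collection.
    """
    if not config.getoption("client_only"):
        return None  # no opinion, collect as usual
    return True if is_server_only(relative_posix(collection_path)) else None


def pytest_collection_modifyitems(config, items):
    """Marker approach: called AFTER every collected module was imported.

    `-m "not needs_ipaserver"` then deselects the items, but a module whose
    top-level imports fail never gets this far; that is the objection
    raised in the thread.
    """
    for item in items:
        name = marker_for_nodeid(item.nodeid)
        if name:
            item.add_marker(name)
```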

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
Fixed another issue with CA-less to CA-full upgrade.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-283057864

[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

2017-02-28 Thread gkaihorodova
  URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

gkaihorodova commented:
"""
Thank you for the review. Let's hope for the best.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/448#issuecomment-283057505

[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

2017-02-28 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

martbab commented:
"""
The patch looks ok, let's hope that our CI will play nice with it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/448#issuecomment-283054583

[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

2017-02-28 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

pvomacka commented:
"""
Hi @flo-renaud 
Thank you for review. 

The issue about certificates is different and here is the fix: 
https://github.com/freeipa/freeipa/pull/519 

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/400#issuecomment-283045651

[Freeipa-devel] [freeipa PR#518][comment] README to README.md

2017-02-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/518
Title: #518: README to README.md

stlaz commented:
"""
I stopped the Travis jobs so that they do not eat the resources for the 
needy.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/518#issuecomment-283035128

[Freeipa-devel] [freeipa PR#519][opened] WebUI: add sizelimit:0 to cert-find

2017-02-28 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/519
Author: pvomacka
 Title: #519: WebUI: add sizelimit:0 to cert-find
Action: opened

PR body:
"""
It was not possible to get all arbitrary certificates which were added
using {user|host|service|idview}-add-cert method. Adding sizelimit:0
to this cert-find command fixes the issue. It sets sizelimit to unlimited.

https://pagure.io/freeipa/issue/6712
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/519/head:pr519
git checkout pr519
From d6c5c24a06fd4b8174fa09de1487dcc875538148 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 28 Feb 2017 14:00:35 +0100
Subject: [PATCH] WebUI: add sizelimit:0 to cert-find

It was not possible to get all arbitrary certificates which were added
using {user|host|service|idview}-add-cert method. Adding sizelimit:0
to this cert-find command fixes the issue. It sets sizelimit to unlimited.

https://pagure.io/freeipa/issue/6712
---
 install/ui/src/freeipa/host.js| 1 +
 install/ui/src/freeipa/idviews.js | 1 +
 install/ui/src/freeipa/service.js | 1 +
 install/ui/src/freeipa/user.js| 1 +
 4 files changed, 4 insertions(+)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 87cf264..1dfe05e 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -494,6 +494,7 @@ IPA.host.details_facet = function(spec, no_init) {
 retry: false,
 options: {
 host: [ pkey ],
+sizelimit: 0,
 all: true
 }
 });
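Review bot: `sizelimit: 0` in the options block removes the result cap (the commit message says it sets the limit to unlimited), and nothing at the call site says why that is acceptable. A one-line comment would do: the query is already scoped by `host: [ pkey ]`, so the result is bounded by the certificates attached to this one host. Without it the next reader sees an unbounded search with no rationale.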
diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 1901863..25c043c 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -435,6 +435,7 @@ idviews.id_override_user_details_facet = function(spec) {
 retry: false,
 options: {
 idoverrideuser: [ pkey ],
+sizelimit: 0,
 all: true
 }
 });
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index a6607d2..2533ad0 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -475,6 +475,7 @@ IPA.service.details_facet = function(spec, no_init) {
 retry: false,
 options: {
 service: [ pkey ],
+sizelimit: 0,
 all: true
 }
 });
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 7a08151..628cf8e 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -598,6 +598,7 @@ IPA.user.details_facet = function(spec, no_init) {
 retry: false,
 options: {
 user: [ pkey ],
+sizelimit: 0,
 all: true
 }
 });
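Review bot: this is the fourth copy of the same `retry: false` / `sizelimit: 0` / `all: true` option block, differing only in the key (`host`, `idoverrideuser`, `service`, `user`). A shared helper that builds these options from the key name would keep the next change to them in one place instead of four files.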

[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

2017-02-28 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/479
Title: #479: Merge AD trust installer into composite ones

martbab commented:
"""
I have added a commit that fixes the check for missing dependencies in 
composite installers.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/479#issuecomment-283033182

[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-02-28 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From 279684608d667d31e919021f4b7ffb397c4a6fcf Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 16 Feb 2017 14:06:08 +0100
Subject: [PATCH 01/13] Refactor the code checking for missing SIDs

Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630
---
 ipaserver/install/adtrust.py | 107 ++-
 1 file changed, 64 insertions(+), 43 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 92fe031..69e9834 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -168,6 +168,69 @@ def check_for_installed_deps():
 raise ScriptError("Aborting installation.")
 
 
+def retrieve_entries_without_sid(api):
+"""
+Retrieve a list of entries without assigned SIDs.
+:returns: a list of entries or an empty list if an error occurs
+"""
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(
+"Searching for objects with missing SID with "
+"filter=%s, base_dn=%s", filter, base_dn)
+entries, _truncated = api.Backend.ldap2.find_entries(
+filter=filter, base_dn=base_dn, attrs_list=[''])
+return entries
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError) as e:
+print("Could not retrieve a list of objects that need a SID "
+  "identifier assigned:")
+print(unicode(e))
+
+return []
+
+
+def retrieve_and_ask_about_sids(api, options):
+entries = []
+if api.Backend.ldap2.isconnected():
+entries = retrieve_entries_without_sid(api)
+else:
+root_logger.debug(
+"LDAP backend not connected, can not retrieve entries "
+"with missing SID")
+
+object_count = len(entries)
+if object_count > 0:
+print("")
+print("WARNING: %d existing users or groups do not have "
+  "a SID identifier assigned." % len(entries))
+print("Installer can run a task to have ipa-sidgen "
+  "Directory Server plugin generate")
+print("the SID identifier for all these users. Please note, "
+  "the in case of a high")
+print("number of users and groups, the operation might "
+  "lead to high replication")
+print("traffic and performance degradation. Refer to "
+  "ipa-adtrust-install(1) man page")
+print("for details.")
+print("")
+if options.unattended:
+print("Unattended mode was selected, installer will "
+  "NOT run ipa-sidgen task!")
+else:
+if ipautil.user_input(
+"Do you want to run the ipa-sidgen task?",
+default=False,
+allow_empty=False):
+options.add_sids = True
+
+
 def install_check(standalone, options, api):
 global netbios_name
 global reset_netbios_name
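Review bot: in `retrieve_entries_without_sid` the `errors.DatabaseError`/`errors.NetworkError` branch prints the error and then falls through to `return []`, the same value returned when every object already has a SID, so `retrieve_and_ask_about_sids` cannot tell a failed lookup from a clean one and skips the ipa-sidgen prompt in both cases. The not-connected branch behaves the same way with only a debug log. If that is intended, say so in the docstrings (the second function has none, and it sets `options.add_sids` as a side effect); otherwise return a distinct value or let the caller see the error. Minor: the warning prints `len(entries)` although `object_count` was just computed, `filter` shadows the builtin, and the message text reads "Please note, the in case of".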
@@ -225,49 +288,7 @@ def install_check(standalone, options, api):
 options.netbios_name, options.unattended, api)
 
 if not options.add_sids:
-# The filter corresponds to ipa_sidgen_task.c LDAP search filter
-filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
-base_dn = api.env.basedn
-try:
-root_logger.debug(
-"Searching for objects with missing SID with "
-"filter=%s, base_dn=%s", filter, base_dn)
-entries, _truncated = api.Backend.ldap2.find_entries(
-filter=filter, base_dn=base_dn, attrs_list=[''])
-except errors.NotFound:
-# All objects have SIDs assigned
-pass
-except (errors.DatabaseError, errors.NetworkError) as e:
-print("Could not retrieve a list of objects that need a SID "
-  "identifier assigned:")
-print(unicode(e))
-else:
-object_count = len(entries)
-if object_count > 0:
-print("")
-print("WARNING: %d existing users or groups do not have "

[Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-02-28 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

martbab commented:
"""
Now that privilege separation was implemented I have rebased the PR and request 
a proper review of this patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/420#issuecomment-283031432

[Freeipa-devel] [freeipa PR#420][edited] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-02-28 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: edited

 Changed field: title
Original value:
"""
WIP: Allow login to WebUI using Kerberos aliases/enterprise principals
"""


[Freeipa-devel] [freeipa PR#420][synchronized] WIP: Allow login to WebUI using Kerberos aliases/enterprise principals

2017-02-28 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
 Title: #420: WIP: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/420/head:pr420
git checkout pr420
From 0061ffcdd28c86106f71f5fb20c1715593229bd4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 22 Sep 2016 09:58:47 +0200
Subject: [PATCH] Allow login to WebUI using Kerberos aliases/enterprise
 principals

The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.

https://fedorahosted.org/freeipa/ticket/6343
---
 ipalib/krb_utils.py| 14 --
 ipaserver/rpcserver.py | 50 --
 2 files changed, 16 insertions(+), 48 deletions(-)

diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index 47d24c9..471009c 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -79,20 +79,6 @@ def krb5_parse_ccache(ccache_name):
 def krb5_unparse_ccache(scheme, name):
 return '%s:%s' % (scheme.upper(), name)
 
-def krb5_format_principal_name(user, realm):
-'''
-Given a Kerberos user principal name and a Kerberos realm
-return the Kerberos V5 user principal name.
-
-:parameters:
-  user
-User principal name.
-  realm
-The Kerberos realm the user exists in.
-:returns:
-  Kerberos V5 user principal name.
-'''
-return '%s@%s' % (user, realm)
 
 def krb5_format_service_principal_name(service, host, realm):
 '''
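Review bot: `krb5_format_principal_name` is deleted from `ipalib/krb_utils.py`, and the only caller this patch shows being updated is the import dropped from `ipaserver/rpcserver.py`. Please confirm nothing else in the tree (tests, client code) still imports it, and mention the removal in the commit message, which currently describes only the rpcserver change.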
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 25f2740..983ab62 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -50,13 +50,12 @@
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
 json_encode_binary, json_decode_binary)
-from ipalib.util import normalize_name
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
 from ipalib.backend import Backend
 from ipalib.krb_utils import (
-krb5_format_principal_name,
 get_credentials_if_valid)
+from ipapython import kerberos
 from ipapython import ipautil
 from ipaplatform.paths import paths
 from ipapython.version import VERSION
@@ -872,33 +871,15 @@ def __call__(self, environ, start_response):
 return self.bad_request(environ, start_response, "no user specified")
 
 # allows login in the form user@SERVER_REALM or user@server_realm
-# FIXME: uppercasing may be removed when better handling of UPN
-#is introduced
-
-parts = normalize_name(user)
-
-if "domain" in parts:
-# username is of the form user@SERVER_REALM or user@server_realm
-
-# check whether the realm is server's realm
-# Users from other realms are not supported
-# (they do not have necessary LDAP entry, LDAP connect will fail)
-
-if parts["domain"].upper()==self.api.env.realm:
-user=parts["name"]
-else:
-return self.unauthorized(environ, start_response, '', 'denied')
-
-elif "flatname" in parts:
-# username is of the form NetBIOS\user
-return self.unauthorized(environ, start_response, '', 'denied')
-
-else:
+try:
+user_principal = kerberos.Principal(user)
+except Exception:
 # username is of the form user or of some wild form, e.g.
-# user@REALM1@REALM2 or NetBIOS1\NetBIOS2\user (see normalize_name)
+# user@REALM1@REALM2 or NetBIOS1\NetBIOS2\user
+return self.unauthorized(environ, start_response, '', 'denied')
 
-# wild form username will fail at kinit, so nothing needs to be done
-pass
+if not (user_principal.is_user or user_principal.is_enterprise):
+return self.unauthorized(environ, start_response, '', 'denied')
 
 password = query_dict.get('password', None)
 if password is not None:
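Review bot: `except Exception:` around `kerberos.Principal(user)` turns every failure, including a programming error inside the parser, into a silent 'denied'; catch the specific exception the constructor raises for a malformed name and log the rejection at debug level. The comments also need updating: the retained line "allows login in the form user@SERVER_REALM or user@server_realm" no longer matches a change whose stated purpose is to admit principals from trusted domains, and "username is of the form user or of some wild form" now sits in the branch that returns unauthorized, which reads as if a bare `user` were denied. Since the explicit comparison against `self.api.env.realm` is gone, a short comment that the realm decision is now left to the KDC would help the next reader.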
@@ -918,7 +899,7 @@ def __call__(self, environ, start_response):
 except OSError:
 pass
 try:
-self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
+self.kinit(unicode(user_principal), password, ipa_ccache_name)
 except PasswordExpired as e:
 return self.unauthorized(environ, start_response, str(e), 'password-expired')
 except InvalidSessionPassword as e:
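Review bot: `self.kinit(unicode(user_principal), password, ipa_ccache_name)` no longer passes `self.api.env.realm`, so the realm that reaches kinit now comes entirely from what `kerberos.Principal` made of the user-supplied string. Please add a test, or at least a comment, covering a bare `user` with no realm and an enterprise principal, showing what string is handed to kinit in each case.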
@@ -944,7 +925,7 @@ def __call__(self, environ, start_response):
 pass
 return result
 
-def kinit(self, user, realm, password, ccache_name):
+def kinit(self, principal, password, ccache_name):
 # get anonymous ccache as an armor for FAST to enable 

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-02-28 Thread Alexander Bokovoy

On Tue, 28 Feb 2017, Martin Babinsky wrote:

Hello list,

I have put together a draft of design page describing server-side 
implementation of user short name -> fully-qualified name 
resolution.[1]


In the end I have taken the liberty to change a few aspects of the 
design we have agreed on before and I will be glad if we can discuss 
them further.


Me and Honza have discussed the object that should hold the domain 
resolution order and given the fact that IPA domain can also be a part 
of this list, we have decided that this information is no longer bound 
to trust configuration and should be a part of the global config 
instead.


Also we have purposefully cut down the API only to a raw manipulation 
of the attribute using an option of `ipa config-mod`. The reasons for 
this are twofold:


 * the developer resources are quite scarce and it may be good to 
follow YAGNI[2] principle to implement the dumbest API now and not to 
invest into more high-level interface unless there is a demand for it


 * we can imagine that the manipulation of the domain resolution 
order is a rare operation (ideally only once all trusts are 
established), so I am not convinced that it is worth investing into 
designing higher-level API


I propose we first develop the "dumber" parts first to unblock the 
SSSD part. If we have spare cycle afterwards then we can design and 
implement more bells-and-whistles afterwards.

Looks mostly OK, but there are few comments I have:

- I do not see you mention how validation of the
 ipaDomainResolutionOrder is done. This is important to avoid hard to
 debug issues because SSSD will ignore domains it doesn't know about.

- Space separator initially caused me to look up DNS RFCs as strictly
 speaking domain names can contain any 8-bit octet (while host names
 should follow LDH rule). But then [1] does explicitly say space is not
 allowed in AD domain names.

- "If ipaDomainResolutionOrder is empty then *all* users must use fully
 qualified names." This is not correct with regards to the current
 behavior. I think we should change this to "if
 ipaDomainResolutionOrder is empty, then standard SSSD configuration
 logic applies on each client." This would make current behavior
 compatible with either empty or ipaDomainResolutionOrder value of
 a single IPA domain name.

- There are typos in the page.

[1] 
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers,-domains,-sites,-and-ous


--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
The issues should hopefully be fixed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-283028836

[Freeipa-devel] [freeipa PR#518][opened] README to README.md

2017-02-28 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/518
Author: stlaz
 Title: #518: README to README.md
Action: opened

PR body:
"""
Pagure can't cope with README very well, move to README.md in spirit of 
[SSSD#eed5bc53](https://pagure.io/SSSD/sssd/c/eed5bc53a0c823276523d32e76bc1c264db3837e?branch=master)
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/518/head:pr518
git checkout pr518
From 851f56ec424d134f3ad3cdc5106925758cb533a8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 28 Feb 2017 13:16:24 +0100
Subject: [PATCH 1/2] Deprecate README, add README.md

To make it easier to display the contents of README on the Pagure
homepage, this patch converts the README contents to README.md.
---
 README| 92 ---
 README.md | 77 
 2 files changed, 77 insertions(+), 92 deletions(-)
 delete mode 100644 README
 create mode 100644 README.md

diff --git a/README b/README
deleted file mode 100644
index ad5b081..000
--- a/README
+++ /dev/null
@@ -1,92 +0,0 @@
-
-   IPA Server
-
-  Overview
-  
-
-  FreeIPA allows Linux administrators to centrally manage identity,
-  authentication and access control aspects of Linux and UNIX systems
-  by providing simple to install and use command line and web based
-  managment tools.
-  FreeIPA is built on top of well known Open Source components and standard
-  protocols with a very strong focus on ease of management and automation
-  of installation and configuration tasks.
-  FreeIPA can seamlessly integrate into an Active Directory environment via
-  cross-realm Kerberos trust or user synchronization.
-
-  Benefits
-  
-
-  FreeIPA:
-  * Allows all your users to access all the machines with the same credentials
-and security settings
-  * Allows users to access personal files transparently from any machine in
-an authenticated and secure way
-  * Uses an advanced grouping mechanism to restrict network access to services
-and files only to specific users
-  * Allows central management of security mechanisms like passwords,
-SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
-  * Enables delegation of selected administrative tasks to other power users
-  * Integrates into Active Directory environments
-
-  Components
-  --
-
-  The FreeIPA project provides unified installation and management
-  tools for the following components:
-
-  * LDAP Server - based on the 389 project (LDAP)
-http://directory.fedoraproject.org/wiki/Main_Page
-
-  * KDC - based on MIT Kerberos implementation
-http://k5wiki.kerberos.org/wiki/Main_Page
-
-  * PKI based on Dogtag project
-http://pki.fedoraproject.org/wiki/PKI_Main_Page
-
-  * Samba libraries for Active Directory integration
-http://www.samba.org/
-
-  * DNS Server based on BIND and the Bind-DynDB-LDAP plugin
-https://www.isc.org/software/bind
-https://fedorahosted.org/bind-dyndb-ldap
-
-
-  Project Website
-  ---
-
-  Releases, announcements and other information can be found on the IPA
-  server project page at .
-
-  Documentation
-  -
-
-  The most up-to-date documentation can be found at
-  .
-
-  Quick Start
-  ---
-
-  To get started quickly, start here:
-  
-
-  Licensing
-  -
-
-  Please see the file called COPYING.
-
-  Contacts
-  
-
- * If you want to be informed about new code releases, bug fixes,
-   security fixes, general news and information about the IPA server
-   subscribe to the freeipa-announce mailing list at
-   .
-
- * If you have a bug report please submit it at:
-   
-
- * If you want to participate in actively developing IPA please
-   subscribe to the freeipa-devel mailing list at
-    or join
-   us in IRC at irc://irc.freenode.net/freeipa
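Review bot: the subject line says "Deprecate README", but this hunk deletes the file outright (`deleted file mode 100644`); "Replace README with README.md" would describe what the patch does. If anything else in the tree refers to `README` by name, that update belongs in this series as well.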
diff --git a/README.md b/README.md
new file mode 100644
index 000..af643d0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,77 @@
+# IPA Server
+
+## Overview
+
+FreeIPA allows Linux administrators to centrally manage identity,
+authentication and access control aspects of Linux and UNIX systems
+by providing simple to install and use command line and web based
+managment tools.
+FreeIPA is built on top of well known Open Source components and standard
+protocols with a very strong focus on ease of management and automation
+of installation and configuration tasks.
+FreeIPA can seamlessly integrate into an Active Directory environment via
+cross-realm Kerberos trust or user synchronization.
+
+## Benefits
+
+FreeIPA:
+* Allows all 
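Review bot: "managment" in the Overview paragraph is carried over unchanged from the old README; fix the spelling while the text is being moved. Also, `FreeIPA:` is followed directly by the first `*` item with no blank line between them; some Markdown renderers fold such a list into the preceding paragraph, so add an empty line before the list.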

[Freeipa-devel] Please review: V4/AD user short names design draft

2017-02-28 Thread Martin Babinsky

Hello list,

I have put together a draft of design page describing server-side 
implementation of user short name -> fully-qualified name resolution.[1]


In the end I have taken the liberty to change a few aspects of the 
design we have agreed on before and I will be glad if we can discuss 
them further.


Me and Honza have discussed the object that should hold the domain 
resolution order and given the fact that IPA domain can also be a part 
of this list, we have decided that this information is no longer bound 
to trust configuration and should be a part of the global config instead.


Also we have purposefully cut down the API only to a raw manipulation of 
the attribute using an option of `ipa config-mod`. The reasons for this 
are twofold:


  * the developer resources are quite scarce and it may be good to 
follow YAGNI[2] principle to implement the dumbest API now and not to 
invest into more high-level interface unless there is a demand for it


  * we can imagine that the manipulation of the domain resolution order 
is a rare operation (ideally only once all trusts are established), so I 
am not convinced that it is worth investing into designing higher-level API


I propose we first develop the "dumber" parts first to unblock the SSSD 
part. If we have spare cycle afterwards then we can design and implement 
more bells-and-whistles afterwards.


[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it

--
Martin^3 Babinsky



Re: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Petr Vobornik

On 02/28/2017 12:48 PM, Martin Basti wrote:



On 28.02.2017 12:38, Lukas Slebodnik wrote:

On (28/02/17 12:17), Martin Basti wrote:


On 28.02.2017 12:03, Petr Vobornik wrote:

On 02/28/2017 12:00 PM, Petr Vobornik wrote:

On 02/27/2017 12:46 PM, Petr Vobornik wrote:

Hello list,

today and tomorrow a migration of FreeIPA issue tracker[1] and git
repo
will take place.

It is due to FedoraHosted sunset [2]. Both will be migrated to
pagure.io
[3].

During this migration it won't be possible to add new tickets and
comments to Trac or Pagure.

[1] https://fedorahosted.org/freeipa/
[2]
https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/

[3] https://pagure.io/

Thank you for understanding,

Issue tracker and git repo were migrated. They can be used now.

https://pagure.io/freeipa

Additional steps will follow
- redirection of old URLs to new
- sync with github


Also we need to setup rights for the repo.

I've created group 'freeipa'. My proposal is to add all people who had
git commit rights to the group. Set the group to have 'commit' right on
'freeipa' pagure project.

Former admins can be added as admins to the project directly.

Martin2 is working on setting up sync with Git Hub:
- https://pagure.io/fedora-infrastructure/issue/5844


and

https://pagure.io/fedora-infrastructure/issue/5845

Please do NOT push to old repository, for users of ipatool change your
repositories to pagure and would be good to postpone pushing until
mirroring
to github is enabled.


The best is to ask on fedora-infrastructure to chown the git repo on
fedorahosted, so no one can push changes there.

LS


Petr1 has a reason why it cannot be done, something with copr IIRC



It's something different. My solution was remove people from gitfreeipa 
group so they won't be able to push but that would also remove the 
rights to add packages to our COPR repository.


But IMO, until the sync with github is working, we should allow to push 
to fedora hosted, but only in a 'sync' way: pull from pagure, push to 
fedorahosted


--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.



Re: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Martin Basti



On 28.02.2017 12:38, Lukas Slebodnik wrote:

On (28/02/17 12:17), Martin Basti wrote:


On 28.02.2017 12:03, Petr Vobornik wrote:

On 02/28/2017 12:00 PM, Petr Vobornik wrote:

On 02/27/2017 12:46 PM, Petr Vobornik wrote:

Hello list,

today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
will take place.

It is due to FedoraHosted sunset [2]. Both will be migrated to
pagure.io
[3].

During this migration it won't be possible to add new tickets and
comments to Trac or Pagure.

[1] https://fedorahosted.org/freeipa/
[2]
https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
[3] https://pagure.io/

Thank you for understanding,

Issue tracker and git repo were migrated. They can be used now.

https://pagure.io/freeipa

Additional steps will follow
- redirection of old URLs to new
- sync with github


Also we need to setup rights for the repo.

I've created group 'freeipa'. My proposal is to add all people who had
git commit rights to the group. Set the group to have 'commit' right on
'freeipa' pagure project.

Former admins can be added as admins to the project directly.

Martin2 is working on setting up sync with Git Hub:
- https://pagure.io/fedora-infrastructure/issue/5844


and

https://pagure.io/fedora-infrastructure/issue/5845

Please do NOT push to old repository, for users of ipatool change your
repositories to pagure and would be good to postpone pushing until mirroring
to github is enabled.


The best is to ask on fedora-infrastructure to chown the git repo on
fedorahosted, so no one can push changes there.

LS


Petr1 has a reason why it cannot be done, something with copr IIRC



Re: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Lukas Slebodnik
On (28/02/17 12:17), Martin Basti wrote:
>
>
>On 28.02.2017 12:03, Petr Vobornik wrote:
>> On 02/28/2017 12:00 PM, Petr Vobornik wrote:
>> > On 02/27/2017 12:46 PM, Petr Vobornik wrote:
>> > > Hello list,
>> > > 
>> > > today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
>> > > will take place.
>> > > 
>> > > It is due to FedoraHosted sunset [2]. Both will be migrated to
>> > > pagure.io
>> > > [3].
>> > > 
>> > > During this migration it won't be possible to add new tickets and
>> > > comments to Trac or Pagure.
>> > > 
>> > > [1] https://fedorahosted.org/freeipa/
>> > > [2]
>> > > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
>> > > [3] https://pagure.io/
>> > > 
>> > > Thank you for understanding,
>> > 
>> > Issue tracker and git repo were migrated. They can be used now.
>> > 
>> > https://pagure.io/freeipa
>> > 
>> > Additional steps will follow
>> > - redirection of old URLs to new
>> > - sync with github
>> > 
>> 
>> Also we need to setup rights for the repo.
>> 
>> I've created group 'freeipa'. My proposal is to add all people who had
>> git commit rights to the group. Set the group to have 'commit' right on
>> 'freeipa' pagure project.
>> 
>> Former admins can be added as admins to the project directly.
>> 
>> Martin2 is working on setting up sync with Git Hub:
>> - https://pagure.io/fedora-infrastructure/issue/5844
>> 
>
>and
>
>https://pagure.io/fedora-infrastructure/issue/5845
>
>Please do NOT push to old repository, for users of ipatool change your
>repositories to pagure and would be good to postpone pushing until mirroring
>to github is enabled.
>
The best is to ask on fedora-infrastructure to chown the git repo on
fedorahosted, so no one can push changes there.

LS



Re: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Martin Basti



On 28.02.2017 12:03, Petr Vobornik wrote:

On 02/28/2017 12:00 PM, Petr Vobornik wrote:

On 02/27/2017 12:46 PM, Petr Vobornik wrote:

Hello list,

today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
will take place.

It is due to FedoraHosted sunset [2]. Both will be migrated to 
pagure.io

[3].

During this migration it won't be possible to add new tickets and
comments to Trac or Pagure.

[1] https://fedorahosted.org/freeipa/
[2]
https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
[3] https://pagure.io/

Thank you for understanding,


Issue tracker and git repo were migrated. They can be used now.

https://pagure.io/freeipa

Additional steps will follow
- redirection of old URLs to new
- sync with github



Also we need to setup rights for the repo.

I've created group 'freeipa'. My proposal is to add all people who had 
git commit rights to the group. Set the group to have 'commit' right 
on 'freeipa' pagure project.


Former admins can be added as admins to the project directly.

Martin2 is working on setting up sync with Git Hub:
- https://pagure.io/fedora-infrastructure/issue/5844



and

https://pagure.io/fedora-infrastructure/issue/5845

Please do NOT push to old repository, for users of ipatool change your 
repositories to pagure and would be good to postpone pushing until 
mirroring to github is enabled.


Martin^2



[Freeipa-devel] [freeipa PR#517][opened] [WIP] Use Custodia 0.3 features

2017-02-28 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
Action: opened

PR body:
"""
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.

Signed-off-by: Christian Heimes 

PR depends on new custodia release.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From 43ecc712f398c3d777ee7d8029b527a7fe43405a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 13 -
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am|  1 +
 install/tools/ipa-custodia   |  6 ++
 ipaserver/secrets/service.py | 30 ++
 ipasetup.py.in   |  1 +
 6 files changed, 48 insertions(+), 8 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5c835ca..5400df9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -148,7 +148,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd-notify and ipaserver.secrets.service
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
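
Review bot: The new comment "# 0.3: sd-notify and ipaserver.secrets.service" reads as if ipaserver.secrets.service were a Custodia 0.3 feature, but the diffstat shows ipaserver/secrets/service.py being created by this same patch. Name the Custodia 0.3 API that the new module depends on instead, so the reason for the ">= 0.3" floor is clear when the spec file is read on its own. The same comment is repeated in the python3-custodia hunk.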
@@ -184,7 +185,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd-notify and ipaserver.secrets.service
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -361,7 +363,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -608,7 +610,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia >= 0.3
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
@@ -657,7 +659,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia >= 0.3
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1110,6 +1112,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify
+ExecStart=@libexecdir@/ipa/ipa-custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
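
Review bot: ExecStart still passes @IPA_SYSCONF_DIR@/custodia/custodia.conf explicitly, while the commit message says the new wrapper comes with the correct default for IPA's config file. Either drop the argument and rely on the wrapper's default, or note why both are kept, so the path is defined in one place. With Type=notify the unit also stays in "activating" until the service reports readiness, so this line depends on the "custodia >= 0.3" Requires from freeipa.spec.in being satisfied wherever the unit is installed.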
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index f2c2ce2..493e5ff 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -32,6 +32,7 @@ dist_sbin_SCRIPTS =		\
 
 appdir = $(libexecdir)/ipa/
 dist_app_SCRIPTS =		\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..5deeeff
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from ipaserver.secrets.service import main
+
+if __name__ == '__main__':
+main()
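
Review bot: The shebang hard-codes /usr/bin/python2, while freeipa.spec.in in the same patch raises the version floor for both python-custodia and python3-custodia. State whether the service is meant to run on Python 2 only for now, or take the interpreter from the build configuration. The script also discards whatever main() returns; if main() returns a status code, call sys.exit(main()) so a failed start reaches systemd as a non-zero exit.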
diff --git a/ipaserver/secrets/service.py b/ipaserver/secrets/service.py
new file mode 100644
index 000..f51c46a
--- /dev/null
+++ 

Re: [Freeipa-devel] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Petr Vobornik

On 02/27/2017 12:46 PM, Petr Vobornik wrote:

Hello list,

today and tomorrow a migration of FreeIPA issue tracker[1] and git repo
will take place.

It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io
[3].

During this migration it won't be possible to add new tickets and
comments to Trac or Pagure.

[1] https://fedorahosted.org/freeipa/
[2] https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/
[3] https://pagure.io/

Thank you for understanding,


Issue tracker and git repo were migrated. They can be used now.

https://pagure.io/freeipa

Additional steps will follow
- redirection of old URLs to new
- sync with github

--
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat, Inc.



[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

abbra commented:
"""
One thing I don't like is that SELinux policy requirements aren't mentioned. To 
allow ipaapi user to talk to SSSD dbus interface, you have to have a policy 
that allows this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-283003886

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
Note: this PR is work in progress. It requires PR#398 Support for Certificate 
Identity Mapping and sssd patches not pushed yet.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-282993240

[Freeipa-devel] [freeipa PR#516][opened] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
 Title: #516: IdM Server: list all Employees with matching Smart Card
Action: opened

PR body:
"""
Implement a new IPA command allowing to retrieve the list of users matching the 
provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA domain 
and from trusted domains. This requires sssd-dbus package to be installed on 
IPA server.

https://fedorahosted.org/freeipa/ticket/6646
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516
From 05f93e155e44aeb00d7af67f02af4e1d5a96bda8 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH 1/2] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  14 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  23 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   2 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 -
 ipaserver/plugins/certmap.py   | 391 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 ++
 15 files changed, 862 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a36d460 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: 
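
Review bot: The two new read ACIs, "System: Read Certmap Configuration" and "System: Read Certmap Rules", grant compare, read and search to userdn ldap:///all, which is any authenticated bind, and the rules ACI covers ipacertmapmaprule and ipacertmapmatchrule. If that breadth is intended (for instance because clients need to read the rules), say so in the commit message or on the design page; otherwise scope the read permission with a groupdn the way the add, modify and delete ACIs in this hunk are scoped.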

[Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache

2017-02-28 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

tiran commented:
"""
@dkupka Makes sense, I dropped the temporary buffer and replaced the file 
locking logic with tempfile + os.rename.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/488#issuecomment-282991714
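
The approach described in the comment above (a temporary file plus os.rename in place of file locking, with all zip members read at once) can be sketched as follows. This is an added example, not code from the PR or from FreeIPA; the function names, the namespace names, the cache layout and the sample data are assumptions made for illustration.

```python
import json
import os
import tempfile
import zipfile

NAMESPACES = ('classes', 'commands', 'topics')  # assumed namespace names


def write_cache_atomic(cache_dir, fingerprint, members):
    """Publish a schema zip so readers see the old or the new file, never a partial one."""
    final_path = os.path.join(cache_dir, fingerprint)
    # Create the temp file next to the target: rename is atomic only within
    # one filesystem. mkstemp() also creates it with mode 0600.
    fd, tmp_path = tempfile.mkstemp(prefix=fingerprint + '.', dir=cache_dir)
    try:
        with os.fdopen(fd, 'wb') as f:
            with zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) as zf:
                for name in sorted(members):
                    zf.writestr(name, json.dumps(members[name]))
            f.flush()
            os.fsync(f.fileno())  # data is on disk before the rename publishes it
        os.rename(tmp_path, final_path)  # POSIX: replaces final_path atomically
    except BaseException:
        # Never leave a half-written temp file behind in the cache directory.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return final_path


def load_cache(cache_dir, fingerprint, namespaces=NAMESPACES):
    """Open the zip once and keep every known member as raw bytes."""
    raw = {ns: {} for ns in namespaces}
    help_raw = None
    with zipfile.ZipFile(os.path.join(cache_dir, fingerprint), 'r') as zf:
        for name in zf.namelist():
            ns, _slash, key = name.partition('/')
            if ns in raw:
                raw[ns][key] = zf.read(name)
            elif name == '_help':
                help_raw = zf.read(name)
    return raw, help_raw


def read_member(raw, namespace, member):
    """Decode JSON on first access and cache the decoded value."""
    value = raw[namespace][member]
    if isinstance(value, bytes):
        value = raw[namespace][member] = json.loads(value.decode('utf-8'))
    return value


def demo():
    """A reader that opened the old file keeps a consistent view across an update."""
    cache_dir = tempfile.mkdtemp()
    fingerprint = 'deadbeef'  # constructed sample value
    write_cache_atomic(cache_dir, fingerprint, {
        'commands/ping/1': {'doc': 'v1'}, '_help': {'commands': {}}})
    # Reader that opened the cache before the update happened.
    old_reader = open(os.path.join(cache_dir, fingerprint), 'rb')
    write_cache_atomic(cache_dir, fingerprint, {
        'commands/ping/1': {'doc': 'v2'}, '_help': {'commands': {}}})
    with zipfile.ZipFile(old_reader) as zf:
        old = json.loads(zf.read('commands/ping/1').decode('utf-8'))
    old_reader.close()
    raw, _help_raw = load_cache(cache_dir, fingerprint)
    new = read_member(raw, 'commands', 'ping/1')
    return old, new, sorted(os.listdir(cache_dir))


if __name__ == '__main__':
    print(demo())
```

The old reader still sees the complete first version because the rename swaps the directory entry rather than rewriting the file in place, which is why no shared or exclusive lock is needed.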

[Freeipa-devel] [freeipa PR#488][synchronized] Speed up client schema cache

2017-02-28 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/488
Author: tiran
 Title: #488: Speed up client schema cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/488/head:pr488
git checkout pr488
From d3c4393c7c97c6084435a6b072cf9dc553bdf4dd Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 20 Feb 2017 20:09:13 +0100
Subject: [PATCH 1/2] Speed up client schema cache

It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m13.608s
user    0m10.316s
sys     0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m9.330s
user    0m7.635s
sys     0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes 
---
 ipaclient/remote_plugins/schema.py | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 15c03f4..13bdee4 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -458,11 +458,15 @@ def _read_schema(self, fingerprint):
 with self._open(fingerprint, 'rb') as f:
 self._file.write(f.read())
 
+# It's more efficient to read zip file members at once than to open
+# the zip file a couple of times, see #6690.
 with zipfile.ZipFile(self._file, 'r') as schema:
 for name in schema.namelist():
 ns, _slash, key = name.partition('/')
 if ns in self.namespaces:
-self._dict[ns][key] = None
+self._dict[ns][key] = schema.read(name)
+elif name == '_help':
+self._help = schema.read(name)
 
 def __getitem__(self, key):
 try:
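
Review bot: The new comment in _read_schema cites the ticket as a bare "#6690", which on a GitHub pull request reads as a PR number. The commit message uses https://fedorahosted.org/freeipa/ticket/6690, so spell the ticket reference out in the code comment as well.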
@@ -520,16 +524,12 @@ def _write_schema(self, fingerprint):
 f.truncate(0)
 f.write(self._file.read())
 
-def _read(self, path):
-with zipfile.ZipFile(self._file, 'r') as zf:
-return json.loads(zf.read(path).decode('utf-8'))
-
 def read_namespace_member(self, namespace, member):
 value = self._dict[namespace][member]
 
-if value is None:
-path = '{}/{}'.format(namespace, member)
-value = self._dict[namespace][member] = self._read(path)
+if isinstance(value, bytes):
+value = json.loads(value.decode('utf-8'))
+self._dict[namespace][member] = value
 
 return value
 
@@ -537,8 +537,8 @@ def iter_namespace(self, namespace):
 return iter(self._dict[namespace])
 
 def get_help(self, namespace, member):
-if not self._help:
-self._help = self._read('_help')
+if isinstance(self._help, bytes):
+self._help = json.loads(self._help.decode('utf-8'))
 
 return self._help[namespace][member]
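
Review bot: In get_help, the isinstance check no longer covers a cache file that has no "_help" member. The old "if not self._help" guard loaded the member on demand, so a missing member failed inside _read; now self._help stays None and "self._help[namespace][member]" raises a TypeError instead. Handle the None case explicitly so callers see the same kind of error as before.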
 

From 98f596083e1469915f5fd78b9a01164b5beb9d19 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 10:38:07 +0100
Subject: [PATCH 2/2] Drop in-memory copy of schema zip file

The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.

File locking has been replaced with a temporary file and atomic rename.

Signed-off-by: Christian Heimes 
---
 ipaclient/remote_plugins/schema.py | 49 ++
 1 file changed, 18 insertions(+), 31 deletions(-)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 13bdee4..0cdce9d 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -3,13 +3,11 @@
 #
 
 import collections
-import contextlib
 import errno
-import fcntl
-import io
 import json
 import os
 import sys
+import tempfile
 import types
 import zipfile
 
@@ -374,7 +372,6 @@ def __init__(self, client, fingerprint=None):
 self._dict = {}
 self._namespaces = {}
 self._help = None
-self._file = six.BytesIO()
 
 for ns in self.namespaces:
 self._dict[ns] = {}
@@ -404,21 +401,6 @@ def __init__(self, client, fingerprint=None):
 self.fingerprint = fingerprint
 self.ttl = ttl
 
-@contextlib.contextmanager
-def _open(self, filename, mode):
-path = os.path.join(self._DIR, filename)
-
-with io.open(path, mode) as f:
-if mode.startswith('r'):
-fcntl.flock(f, fcntl.LOCK_SH)
-else:
-fcntl.flock(f, fcntl.LOCK_EX)
-
-try:
-yield f
-finally:
-fcntl.flock(f, 
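
Review bot: Dropping the flock-based _open is only safe if every writer goes through the temporary file and rename path. The _write_schema context in patch 1/2 still shows an in-place "f.truncate(0)" followed by "f.write(...)", so confirm this patch removes that, and that the temporary file is created inside self._DIR so the rename stays on one filesystem and remains atomic.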

[Freeipa-devel] [freeipa PR#400][comment] WebUI: Certificate Mapping

2017-02-28 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/400
Title: #400: WebUI: Certificate Mapping

flo-renaud commented:
"""
Hi @pvomacka 
Thank you for the updated PR.
I probably wrongly advised you to replace 'usercertificate' with 'certificate' 
in one extra place where it was not needed, because now the "Certificates" 
field of the user details page does not display any more the full certificates. 
My bad...
Apart from that, everything works as expected. Thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/400#issuecomment-282989454

[Freeipa-devel] [freeipa PR#488][comment] Speed up client schema cache

2017-02-28 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/488
Title: #488: Speed up client schema cache

dkupka commented:
"""
@tiran Currently the file is first copied into BytesIO and then all reading is 
done from it. Your modification IMO supersedes the need for the BytesIO copy 
because everything is read into memory at once. Could you remove it?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/488#issuecomment-282983152

[Freeipa-devel] [freeipa PR#434][closed] csrgen: Automate full cert request flow

2017-02-28 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
 Title: #434: csrgen: Automate full cert request flow
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434

[Freeipa-devel] [freeipa PR#434][+ack] csrgen: Automate full cert request flow

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

Label: +ack

[Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/39a5d9c5aae77687f67d9be02457733bdfb99ead
https://fedorahosted.org/freeipa/changeset/4350dcdea22fd2284836315d0ae7d38733a7620e
https://fedorahosted.org/freeipa/changeset/ada91c20588046bb147fc701718d3da4d2c080ca
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/434#issuecomment-282980759

[Freeipa-devel] [freeipa PR#434][+pushed] csrgen: Automate full cert request flow

2017-02-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

Label: +pushed