[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys

2017-04-04 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From 5d9103248e510a3c64314fe59284a8420a6f3a67 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce 
---
 ipaserver/install/custodiainstance.py | 25 -
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..d60276a 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
 
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
@@ -18,6 +19,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
 
 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name):
 cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 
+def __wait_keys(self, host, timeout=300):
+ldap_uri = 'ldap://%s' % host
+principal = 'host/%s@%s' % (self.fqdn, self.realm)
+deadline = int(time.time()) + timeout
+root_logger.info("Waiting up to {} seconds to see our keys "
+ "appear on host: {}".format(timeout, host))
+
+konn = KEMLdap(ldap_uri)
+while True:
+try:
+konn.get_key(KEY_USAGE_ENC, principal)
+return
+except Exception:
+if int(time.time()) > deadline:
+raise
+time.sleep(1)
+
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 # Fecth all needed certs one by one, then combine them in a single
 # p12 file
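Review bot: `except Exception` in `__wait_keys` retries every failure until the deadline, so a non-transient error (bad LDAP URI, GSSAPI/bind failure, unreachable host) is silently retried for up to 300 seconds and only surfaces as whatever exception happened to be raised last. Narrow the `except` to the error `KEMLdap.get_key` raises when the entry is not present yet and let everything else propagate on the first attempt; logging the swallowed error at debug level on each retry would also make a stalled replica install diagnosable instead of looking like a five-minute hang.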
@@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
 prefix = data['prefix']
 certlist = data['list']
 
+# Before we attempt to fetch keys from this host, make sure our public
+# keys have been replicated there.
+self.__wait_keys(ca_host)
+
 cli = self.__CustodiaClient(server=ca_host)
 
 # Temporary nssdb
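Review bot: the wait is added only in `__get_keys`, while `import_dm_password` (the context of the previous hunk) also opens a `CustodiaClient` against `master_host_name` and fetches `dm/DMHash`; if a Custodia fetch needs this replica's public key replicated to the target first, that path is exposed to the same race and wants the same `self.__wait_keys(master_host_name)` call. Also, `timeout=300` is hard-coded with no way for the installer to tune it; a named constant or parameter would be better than a magic number.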
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
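The commit above waits, with a deadline, until the replica's own encryption public key is visible on the target host before fetching the CA keys. The following is an added example, not code from the PR or from FreeIPA, of the same bounded poll written so that only the "entry not there yet" condition is retried and any other failure propagates immediately. `wait_for_key`, `KeyNotFound`, `FakeClock` and `FakeKemLdap` are constructed stand-ins for this example (the real `KEMLdap.get_key` and its error types are not modelled); the clock and sleep are injected so the three scenarios run instantly and deterministically.

```python
"""Deadline-bounded wait for a replicated key (added example)."""
import logging
import time

log = logging.getLogger("wait_keys")


class KeyNotFound(Exception):
    """The target LDAP server has no entry for the key yet (transient)."""


class ReplicationTimeout(Exception):
    """The key did not show up before the deadline."""


def wait_for_key(lookup, principal, timeout=300,
                 clock=time.monotonic, sleep=time.sleep):
    """Poll lookup(principal) until it returns a key or the deadline passes.

    Only KeyNotFound is retried; any other exception propagates on the
    first attempt so a misconfiguration is not hidden behind the timeout.
    Returns (key, number_of_attempts)."""
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return lookup(principal), attempts
        except KeyNotFound as err:
            if clock() >= deadline:
                raise ReplicationTimeout(
                    "key for %s not visible after %d attempts (%ds)"
                    % (principal, attempts, timeout)) from err
            log.debug("attempt %d: %s; retrying in 1s", attempts, err)
            sleep(1)


class FakeClock:
    """Constructed clock: time advances only when sleep() is called."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeKemLdap:
    """Constructed stand-in for the target host's LDAP key store: the key
    becomes visible once replication 'catches up' at arrives_at seconds;
    a malformed principal is a hard error, not a transient one."""
    def __init__(self, clock, arrives_at, key=b"constructed-enc-public-key"):
        self.clock = clock
        self.arrives_at = arrives_at
        self.key = key

    def get_key(self, principal):
        if not principal.startswith("host/"):
            raise ValueError("not a host principal: %r" % principal)
        if self.clock() < self.arrives_at:
            raise KeyNotFound("no key entry for %s yet" % principal)
        return self.key


def run_scenarios():
    """Three runs: key arrives in time, key never arrives, hard failure."""
    principal = "host/replica.example.test@EXAMPLE.TEST"  # constructed
    results = {}

    clock = FakeClock()
    ldap = FakeKemLdap(clock, arrives_at=5)
    key, attempts = wait_for_key(ldap.get_key, principal, timeout=30,
                                 clock=clock, sleep=clock.sleep)
    results["replicated"] = (key, attempts, clock.now)

    clock = FakeClock()
    ldap = FakeKemLdap(clock, arrives_at=100)
    try:
        wait_for_key(ldap.get_key, principal, timeout=10,
                     clock=clock, sleep=clock.sleep)
        results["timeout"] = None
    except ReplicationTimeout as err:
        results["timeout"] = (type(err).__name__, clock.now)

    clock = FakeClock()
    ldap = FakeKemLdap(clock, arrives_at=0)
    try:
        wait_for_key(ldap.get_key, "not-a-host-principal", timeout=30,
                     clock=clock, sleep=clock.sleep)
        results["hard_error"] = None
    except ValueError as err:
        # propagated on the first attempt: no waiting at all
        results["hard_error"] = (type(err).__name__, clock.now)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point of the injected clock is that the timeout path is testable without sleeping for real, and the `ValueError` scenario shows why the retried exception type must be narrow: a hard error surfaces at t=0 instead of after the full timeout.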

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-04-04 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

simo5 commented:
"""
Never mind, they are not duplicates.
I'll fix the commit message.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263

[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys

2017-04-04 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/679
Title: #679: Make sure remote hosts have our keys

pvoborni commented:
"""
Shouldn't the ticket number be: https://pagure.io/freeipa/issue/6838 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/679#issuecomment-291553067

[Freeipa-devel] [freeipa PR#667][comment] idrange-add: properly handle empty --dom-name option

2017-04-04 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-add: properly handle empty --dom-name option

flo-renaud commented:
"""
Hi @stlaz 
I fixed the commit message.

Contrary to what I told you offline, you need to configure an AD trust with 
ipa-adtrust-install and ipa trust-add ... in order to reproduce the original 
issue. My bad...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291540393

[Freeipa-devel] [freeipa PR#667][edited] idrange-add: properly handle empty --dom-name option

2017-04-04 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/667
Author: flo-renaud
 Title: #667: idrange-add: properly handle empty --dom-name option
Action: edited

 Changed field: title
Original value:
"""
idrange-mod: properly handle empty --dom-name option
"""


[Freeipa-devel] [freeipa PR#667][edited] idrange-mod: properly handle empty --dom-name option

2017-04-04 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/667
Author: flo-renaud
 Title: #667: idrange-mod: properly handle empty --dom-name option
Action: edited

 Changed field: body
Original value:
"""
When idrange-mod is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404
"""


[Freeipa-devel] [freeipa PR#667][synchronized] idrange-mod: properly handle empty --dom-name option

2017-04-04 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/667
Author: flo-renaud
 Title: #667: idrange-mod: properly handle empty --dom-name option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/667/head:pr667
git checkout pr667
From be273e1a9a8f7f3d17029b71054091bc3d44edeb Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 28 Mar 2017 16:02:45 +0200
Subject: [PATCH] idrange-add: properly handle empty --dom-name option

When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404
---
 ipaserver/plugins/idrange.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 5b88a6b..c8ea95a 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -411,7 +411,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 
 # This needs to stay in options since there is no
 # ipanttrusteddomainname attribute in LDAP
-if 'ipanttrusteddomainname' in options:
+if options.get('ipanttrusteddomainname'):
 if is_set('ipanttrusteddomainsid'):
 raise errors.ValidationError(name='ID Range setup',
 error=_('Options dom-sid and dom-name '
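Review bot: `options.get('ipanttrusteddomainname')` treats `None` and the empty string alike, which is the intended "handle `--dom-name=` as not specified" behaviour, but the patch carries no regression test for the empty-option case, so the `ipa: ERROR: an internal error has occurred` can come back unnoticed. The neighbouring `is_set('ipanttrusteddomainsid')` check shows a helper already exists for this kind of test; using it for dom-name as well would keep the two options handled consistently, and a test invoking `idrange-add` with `--dom-name=` would pin the fix down.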

[Freeipa-devel] [freeipa PR#667][comment] idrange-mod: properly handle empty --dom-name option

2017-04-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/667
Title: #667: idrange-mod: properly handle empty --dom-name option

stlaz commented:
"""
LGTM, except you're talking about `idrange-mod` in the commit message but are 
fixing `idrange-add` (`idrange-mod` does not have the option at all).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/667#issuecomment-291523802

[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing

2017-04-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing

stlaz commented:
"""
What worries me the most is that the tests are green even though this is 
potentially a serious problem.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/677#issuecomment-291471139

[Freeipa-devel] [freeipa PR#690][opened] server-install: remove broken no-pkinit check

2017-04-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/690
Author: stlaz
 Title: #690: server-install: remove broken no-pkinit check
Action: opened

PR body:
"""
Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
our own pkinit certificate and private key.

https://pagure.io/freeipa/issue/6807
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/690/head:pr690
git checkout pr690
From 1eac866d04d804a77bded2e8768d4125f555c8a9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 4 Apr 2017 10:41:23 +0200
Subject: [PATCH] server-install: remove broken no-pkinit check

Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
our own pkinit certificate and private key.

https://pagure.io/freeipa/issue/6807
---
 ipaserver/install/server/install.py | 5 -
 1 file changed, 5 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index d7eb0bf..714b86f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -513,11 +513,6 @@ def install_check(installer):
 dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
 
 if options.pkinit_cert_files:
-if not options.no_pkinit:
-raise ScriptError("Cannot create KDC PKINIT certificate and use "
-  "provided external PKINIT certificate at the "
-  "same time. Please choose one of them.")
-
 if options.pkinit_pin is None:
 options.pkinit_pin = read_password(
 "Enter Kerberos KDC private key unlock",
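Review bot: with the `ScriptError` branch gone, nothing in this hunk enforces mutual exclusion between `pkinit_cert_files` and the installer generating its own KDC certificate; the commit message says `--no-pkinit` together with a PKINIT cert file is already rejected elsewhere, so please reference where that option validation lives, and add a test that runs `install_check` with `pkinit_cert_files` set and `no_pkinit` unset, so a reviewer can confirm the removed check was unreachable rather than the only guard.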

[Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up

2017-04-04 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/684
Title: #684: httpinstance: make sure NSS database is backed up

HonzaCholasta commented:
"""
master:

* 5f5a3b29dba7cc736ba334aefb55484baeefeb76 httpinstance: make sure NSS database 
is backed up


ipa-4-5:

* 471dfcbe1cc3f319da788add3661cb6d63e3c0f0 httpinstance: make sure NSS database 
is backed up


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/684#issuecomment-291428766

[Freeipa-devel] [freeipa PR#684][+pushed] httpinstance: make sure NSS database is backed up

2017-04-04 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/684
Title: #684: httpinstance: make sure NSS database is backed up

Label: +pushed

[Freeipa-devel] [freeipa PR#684][closed] httpinstance: make sure NSS database is backed up

2017-04-04 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/684
Author: HonzaCholasta
 Title: #684: httpinstance: make sure NSS database is backed up
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/684/head:pr684
git checkout pr684

[Freeipa-devel] [freeipa PR#689][opened] Sort SRV records by priority

2017-04-04 Thread alex-zel
   URL: https://github.com/freeipa/freeipa/pull/689
Author: alex-zel
 Title: #689: Sort SRV records by priority
Action: opened

PR body:
"""
In some cases where multiple SRV records are present, LDAP and Kerberos records 
were returned in a different order, causing replication issues in a multi-master 
environment.

## Replication:
DNS configuration (using PfSense):
```
srv-host=_kerberos._udp.example.com,server01.example.com,88,0,1
srv-host=_kerberos._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._tcp.example.com,server01.example.com,88,0,1
srv-host=_kerberos-master._udp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._tcp.example.com,server01.example.com,88,0,1
srv-host=_kpasswd._udp.example.com,server01.example.com,88,0,1
srv-host=_ldap._tcp.example.com,server01.example.com,389,0,1
srv-host=_kerberos._udp.example.com,server02.example.com,88,0,2
srv-host=_kerberos._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._tcp.example.com,server02.example.com,88,0,2
srv-host=_kerberos-master._udp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._tcp.example.com,server02.example.com,88,0,2
srv-host=_kpasswd._udp.example.com,server02.example.com,88,0,2
srv-host=_ldap._tcp.example.com,server02.example.com,389,0,2
txt-record=_kerberos.example.com,EXAMPLE.COM
```

Client installation:
Host record is added beforehand from web UI on server01.example.com ONLY.
```
/usr/sbin/ipa-client-install --force-join --principal=bind_user --password=bind_pass --hostname=`hostname -f` --unattended
```

/var/log/ipaclient-install.log:

> 2017-04-02T10:54:09Z DEBUG [IPA Discovery]
> 2017-04-02T10:54:09Z DEBUG Starting IPA discovery with domain=None, 
> servers=None, hostname=client01.example.com
> 2017-04-02T10:54:09Z DEBUG Start searching for LDAP SRV record in 
> "example.com" (domain of the hostname) and its sub-domains
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of _ldap._tcp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 389 server01.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 389 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG [Kerberos realm search]
> 2017-04-02T10:54:09Z DEBUG Search DNS for TXT record of _kerberos.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record not found: NoAnswer
> 2017-04-02T10:54:09Z DEBUG Search DNS for SRV record of 
> _kerberos._udp.example.com
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 2 88 server02.example.com.
> 2017-04-02T10:54:09Z DEBUG DNS record found: 0 1 88 server01.example.com.

Notice that the records are not in the same order. ipa-client-install did not 
return any error, and the client machine could see users, groups and netgroups, 
but users could not authenticate.
Looking at the web UI, server01.example.com shows the client is not enrolled 
and no Kerberos key is present, but server02.example.com shows the client is 
enrolled and has a key.

In cases where either server01 or server02 was returned first in IPA Discovery, 
the installation and replication went fine.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
From 283da88845c65d5cd3b4ce6b5e32c17fc3c5fb98 Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov 
Date: Tue, 4 Apr 2017 09:42:10 +0300
Subject: [PATCH] Sort SRV records by priority

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in a different order, causing replication issues in a multi-master environment.
---
 ipaclient/install/ipadiscovery.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..b30e7de 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -22,13 +22,14 @@
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns import resolver, rdatatype
 from dns.exception import DNSException
+from dns import resolver, rdatatype
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
+from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
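Review bot: `from dns import resolver, rdatatype` is moved below `from dns.exception import DNSException` for no functional reason, which only adds churn to the diff; leave it where it was. `from operator import attrgetter` is a standard-library import and belongs next to `import six` and the other stdlib imports at the top of the block, not after the project's `ipapython`/`ipaplatform` imports.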
@@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
+answers = sorted(answers, key=attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
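Review bot: sorting by `priority` alone does not change the case reported in the PR body. In the dnsmasq config there both servers have priority 0 and differ only in weight (1 vs 2), and the log lines `0 1 389 server01.example.com.` / `0 2 88 server02.example.com.` confirm it (SRV rdata prints priority, weight, port, target), so `sorted(answers, key=attrgetter('priority'))` is stable and leaves those two records in resolver order. If the goal is that the LDAP and Kerberos lookups agree, the key has to break ties deterministically, e.g. `(priority, -weight, target)`, keeping in mind that RFC 2782 says a larger weight should be preferred more often within a priority. Separately, `sorted()` turns the dnspython `Answer` into a plain list, so anything after this `try` that used attributes of the `Answer` object (such as `rrset`) would need adjusting.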
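The PR body above describes two SRV lookups for the same server set coming back in different orders, and the patch sorts the answers by priority. As an added example, not code from the PR or from FreeIPA, the block below puts three orderings side by side over records constructed from the PR's own dnsmasq configuration: the patch's priority-only sort, a fully deterministic sort that makes both lookups agree, and the RFC 2782 selection (ascending priority, weighted random within a priority). `SRV` is a namedtuple standing in for dnspython's SRV rdata with the same attribute names; `LDAP_ANSWERS`/`KRB_ANSWERS` are constructed inputs, and a `seed` replaces the real random source so the example is reproducible.

```python
"""Ordering SRV answers: priority-only vs deterministic vs RFC 2782 (added example)."""
import random
from collections import namedtuple

# Stand-in for dnspython's SRV rdata (same attribute names as what
# ipadiscovery iterates over).
SRV = namedtuple("SRV", "priority weight port target")

# Constructed from the PR body: dnsmasq srv-host=<name>,<target>,<port>,<prio>,<weight>
# gives both servers priority 0 and weights 1 and 2; the resolver returned them
# in a different order for the LDAP and Kerberos queries.
LDAP_ANSWERS = [SRV(0, 1, 389, "server01.example.com."),
                SRV(0, 2, 389, "server02.example.com.")]
KRB_ANSWERS = [SRV(0, 2, 88, "server02.example.com."),
               SRV(0, 1, 88, "server01.example.com.")]


def targets(records):
    return [r.target for r in records]


def sort_by_priority(records):
    """What the patch does. Python's sort is stable, so records that share a
    priority stay in resolver order: ties are not resolved."""
    return sorted(records, key=lambda r: r.priority)


def deterministic_order(records):
    """Priority first, then larger weight, then target name as the final
    tie-break: two lookups of the same server set always agree."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def order_rfc2782(records, seed=None):
    """RFC 2782 selection: ascending priority; within a priority, weighted
    random choice with weight-0 records placed first so they are only picked
    when the random threshold is 0."""
    rng = random.Random(seed)
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(groups):
        grp = groups[prio]
        remaining = ([r for r in grp if r.weight == 0] +
                     [r for r in grp if r.weight != 0])
        while remaining:
            total = sum(r.weight for r in remaining)
            threshold = rng.randint(0, total)  # inclusive, per the RFC
            running = 0
            for rec in remaining:
                running += rec.weight
                if running >= threshold:
                    break
            ordered.append(rec)
            remaining.remove(rec)
    return ordered


def first_choice_frequency(records, draws=500, seed=0):
    """How often each target comes out first over repeated RFC 2782 draws."""
    counts = {}
    for i in range(draws):
        first = order_rfc2782(records, seed=seed + i)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print("priority only (KRB):", targets(sort_by_priority(KRB_ANSWERS)))
    print("deterministic (LDAP):", targets(deterministic_order(LDAP_ANSWERS)))
    print("deterministic (KRB): ", targets(deterministic_order(KRB_ANSWERS)))
    print("rfc2782, one draw:   ", targets(order_rfc2782(LDAP_ANSWERS, seed=1)))
    print("rfc2782, frequency:  ", first_choice_frequency(LDAP_ANSWERS))
```

Running it shows that `sort_by_priority` returns the Kerberos answers unchanged (both records have priority 0), while `deterministic_order` gives the same first host for both lookups. The RFC 2782 ordering is what a client should use for load distribution, but by design it will not make two independent lookups agree, which is why a deterministic tie-break is the relevant comparison for the problem in the PR.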

[Freeipa-devel] [freeipa PR#687][synchronized] Add pki_pin only when needed

2017-04-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/687
Author: stlaz
 Title: #687: Add pki_pin only when needed
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/687/head:pr687
git checkout pr687
From 429f8dae4ea3b53894068d37e49ae2a5a05c29a0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 3 Apr 2017 14:08:46 +0200
Subject: [PATCH] Add pki_pin only when needed

If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.

https://pagure.io/freeipa/issue/6839
---
 ipaserver/install/cainstance.py  | 10 +++---
 ipaserver/install/krainstance.py | 10 +++---
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 2d33a97..1d44c0d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -541,9 +541,13 @@ def __spawn_instance(self):
 # CA key algorithm
 config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
 
-# generate pin which we know can be used for FIPS NSS database
-pki_pin = ipautil.ipa_generate_password()
-config.set("CA", "pki_pin", pki_pin)
+if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
+os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
+# generate pin which we know can be used for FIPS NSS database
+pki_pin = ipautil.ipa_generate_password()
+config.set("CA", "pki_pin", pki_pin)
+else:
+pki_pin = None
 
 if self.clone:
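Review bot: when both `PKI_TOMCAT_ALIAS_DIR` and `PKI_TOMCAT_PASSWORD_CONF` already exist, `pki_pin` is set to `None`, but the hunk does not show what the rest of `__spawn_instance` does with it; whatever later writes or compares the pin (the password.conf handling the commit message mentions) has to tolerate `None` explicitly, so please show or guard that path. The CA and KRA hunks are also verbatim copies of each other; a small shared helper for "pki-tomcat instance already initialised" would keep the two conditions from drifting apart.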
 
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 6fa4f0f..c39d687 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -235,9 +235,13 @@ def __spawn_instance(self):
 "KRA", "pki_share_dbuser_dn",
 str(DN(('uid', 'pkidbuser'), ('ou', 'people'), ('o', 'ipaca'
 
-# generate pin which we know can be used for FIPS NSS database
-pki_pin = ipautil.ipa_generate_password()
-config.set("KRA", "pki_pin", pki_pin)
+if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and
+os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
+# generate pin which we know can be used for FIPS NSS database
+pki_pin = ipautil.ipa_generate_password()
+config.set("KRA", "pki_pin", pki_pin)
+else:
+pki_pin = None
 
 _p12_tmpfile_handle, p12_tmpfile_name = tempfile.mkstemp(dir=paths.TMP)
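Review bot: the KRA condition tests the same pki-tomcat paths as the CA one, and the KRA is installed into the instance the CA already created, so on a host with a CA this branch will normally find both paths present and take `pki_pin = None`; if that is the intended behaviour (reuse the existing password.conf) it is worth saying so in a comment, and if a standalone case exists where the KRA must generate its own pin, it needs a test.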
 

[Freeipa-devel] [freeipa PR#684][+ack] httpinstance: make sure NSS database is backed up

2017-04-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/684
Title: #684: httpinstance: make sure NSS database is backed up

Label: +ack

[Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up

2017-04-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/684
Title: #684: httpinstance: make sure NSS database is backed up

stlaz commented:
"""
Without this patch, I encountered a different issue but with the same root 
cause. The patch fixes it, so ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/684#issuecomment-291411099

[Freeipa-devel] [freeipa PR#681][closed] Fix ipadiscovery

2017-04-04 Thread alex-zel
   URL: https://github.com/freeipa/freeipa/pull/681
Author: alex-zel
 Title: #681: Fix ipadiscovery
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/681/head:pr681
git checkout pr681

[Freeipa-devel] [freeipa PR#681][synchronized] Fix ipadiscovery

2017-04-04 Thread alex-zel
   URL: https://github.com/freeipa/freeipa/pull/681
Author: alex-zel
 Title: #681: Fix ipadiscovery
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/681/head:pr681
git checkout pr681
From 3ac30ca118685134dd38b07e4b55ecbb4c880a3a Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov 
Date: Sun, 2 Apr 2017 11:53:11 +0300
Subject: [PATCH 1/3] ipadiscovery sort SRV record by priority

Sort SRV records for LDAP/KRB based on priority.
---
 ipaclient/install/ipadiscovery.py | 22 --
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..c6fc240 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -492,7 +492,16 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 root_logger.debug("Search DNS for SRV record of %s", qname)
 
 try:
-answers = resolver.query(qname, rdatatype.SRV)
+answers = []
+			dns_answers = resolver.query(qname, rdatatype.SRV)
+			for answer in dns_answers:
+if not len(answers):
+	answers.append(answer)
+else:
+	i = 0
+	while i < len(answers) and answer.priority > answers[i].priority:
+		i += 1
+	answers.insert(i, answer)
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
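Review bot: the hand-rolled insertion sort is more code than needed and changes tie order in a surprising way: the `while` loop advances only while `answer.priority > answers[i].priority`, so a record is inserted before existing records of equal priority, i.e. equal-priority records end up in reverse resolver order. A stable `sorted(dns_answers, key=...)` is shorter, keeps ties in resolver order, and makes the `if not len(answers)` special case unnecessary (the loop already handles an empty list). The added lines also mix tab and space indentation, which the follow-up "fix indentation" commit has to undo.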
@@ -521,7 +530,16 @@ def ipadnssearchkrbrealm(self, domain=None):
 root_logger.debug("Search DNS for TXT record of %s", qname)
 
 try:
-answers = resolver.query(qname, rdatatype.TXT)
+answers = []
+			dns_answers = resolver.query(qname, rdatatype.SRV)
+			for answer in dns_answers:
+if not len(answers):
+	answers.append(answer)
+else:
+	i = 0
+	while i < len(answers) and answer.priority > answers[i].priority:
+		i += 1
+	answers.insert(i, answer)
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
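Review bot: this hunk replaces `resolver.query(qname, rdatatype.TXT)` with an SRV query in `ipadnssearchkrbrealm`, whose job is to read the `_kerberos.<domain>` TXT record that names the realm; TXT rdata has no `priority` attribute and that name carries no SRV records, so realm discovery via DNS stops working. Note that the PR #689 log above shows `DNS record not found: NoAnswer` for exactly that TXT lookup although the dnsmasq config defines the `txt-record`; worth checking whether that log was captured with this change applied. The query type here must stay `rdatatype.TXT`, and TXT answers need no sorting at all.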

From 993c99868f3e033122bfe6fc95f53c701243d3f0 Mon Sep 17 00:00:00 2001
From: Alex Zel 
Date: Sun, 2 Apr 2017 12:04:11 +0300
Subject: [PATCH 2/3] fix indentation

---
 ipaclient/install/ipadiscovery.py | 36 ++--
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index c6fc240..4f18398 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -493,15 +493,15 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = []
-			dns_answers = resolver.query(qname, rdatatype.SRV)
-			for answer in dns_answers:
-if not len(answers):
-	answers.append(answer)
-else:
-	i = 0
-	while i < len(answers) and answer.priority > answers[i].priority:
-		i += 1
-	answers.insert(i, answer)
+dns_answers = resolver.query(qname, rdatatype.SRV)
+for answer in dns_answers:
+if not len(answers):
+answers.append(answer)
+else:
+i = 0
+while i < len(answers) and answer.priority > answers[i].priority:
+i += 1
+answers.insert(i, answer)
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
@@ -531,15 +531,15 @@ def ipadnssearchkrbrealm(self, domain=None):
 
 try:
 answers = []
-			dns_answers = resolver.query(qname, rdatatype.SRV)
-			for answer in dns_answers:
-if not len(answers):
-	answers.append(answer)
-else:
-	i = 0
-	while i < len(answers) and answer.priority > answers[i].priority:
-		i += 1
-	answers.insert(i, answer)
+dns_answers = resolver.query(qname, rdatatype.SRV)
+for answer in dns_answers:
+if not len(answers):
+answers.append(answer)
+else:
+i = 0
+while i < len(answers) and answer.priority > answers[i].priority:
+i += 1
+answers.insert(i, answer)
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
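Review bot: re-indenting keeps the regression from the previous commit in place: `ipadnssearchkrbrealm` still calls `resolver.query(qname, rdatatype.SRV)` and sorts on `answer.priority` where a TXT lookup is required. The indentation fixup should be squashed into the first commit and the query type restored to `rdatatype.TXT` in the same change.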

From 73fc5dc8cf1b8c6f34ff767079aa2209b26c2aa1 Mon Sep 17 00:00:00 2001
From: Alex Zel 
Date: Tue, 4 Apr 2017 08:57:04 +0300
Subject: [PATCH 3/3] Update ipadiscovery.py

---
 ipaclient/install/ipadiscovery.py | 24 
 1 file changed, 4 insertions(+), 20 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index