[Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-04 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/736
Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.

felipevolpone commented:
"""
I hope it's fine now
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/736#issuecomment-299296983
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-04 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From b1077cf41709f9ac9c28181e71a8ff07daf87d15 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 4 May 2017 17:11:31 -0300
Subject: [PATCH] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 31 +++---
 ipatests/test_xmlrpc/test_cert_plugin.py | 37 
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 9f90107..3a9747d 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -705,7 +705,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+csr_emails = [attr.value for attr in email_addrs]
+if not _emails_are_valid(csr_emails,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
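Review bot: the new condition in this hunk rejects a CSR whose subject has no emailAddress whenever the principal has no mail attribute. _emails_are_valid (added further down in this patch) returns False as soon as principal_emails is empty, so `not _emails_are_valid([], [])` is True and ValidationError is raised, whereas the removed set-difference check passed in that case. Suggest testing `if csr_emails and not _emails_are_valid(...)` here, or returning True from the helper when csr_emails is empty before looking at principal_emails.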
@@ -791,8 +793,10 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if principal_obj and gn.value not in principal_obj.get(
-'mail', []):
+gn_value = (gn.value if isinstance(gn.value, list)
+ else [gn.value])
+if not _emails_are_valid(gn_value,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
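Review bot: the removed condition started with `if principal_obj and ...`, while the new call reads principal_obj.get('mail', []) unconditionally, so a principal_obj of None would raise AttributeError on this branch instead of skipping the check. Keep the guard (`if principal_obj and not _emails_are_valid(...)`) or explain why principal_obj can no longer be None here. The isinstance(gn.value, list) wrapper also looks unnecessary, since the old code already treated gn.value as a single address.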
@@ -860,6 +864,27 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(csr_emails, principal_emails):
+"""
+Checks if any email address from certificate does not
+appear in ldap entry, comparing the domain part case-insensitively.
+"""
+
+if not any(principal_emails):
+return False
+
+def lower_domain(email):
+email_splited = email.split('@', 1)
+email_splited[1] = email_splited[1].lower()
+
+return '@'.join(email_splited)
+
+principal_emails_lower = set(map(lower_domain, principal_emails))
+csr_emails_lower = set(map(lower_domain, csr_emails))
+
+return csr_emails_lower.issubset(principal_emails_lower)
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
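Review bot: lower_domain indexes email_splited[1] without checking that the split produced two parts, so an address with no '@' raises IndexError out of _emails_are_valid instead of returning False and reaching the ValidationError in the callers. Guard it, for example by leaving the address unchanged when '@' is absent, and rename email_splited to email_split. The docstring also reads as the negation of what the function returns, which is True when every CSR address is present in the LDAP entry.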
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 0b8277b..8039b9b 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -253,6 +253,43 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_email_are_valid(self):
+"""
+Verify the different scenarios when checking if any email addr
+from DN or SAN extension does not appear in ldap entry.
+"""
+
+from ipaserver.plugins.cert import _emails_are_valid
+from collections import namedtuple
+NameAttr = namedtuple('NameAttr', 'value')
+
+subject_addrs = [NameAttr(u'a...@email.com')]
+result = _emails_are_valid(subject_addrs, [], [u'a...@email.com'])
+assert True is result, result
+
+san_addrs = [NameAttr(u'a...@email.com'),
+ NameAttr(u'anot...@email.com')]
+result = _emails_are_valid([], san_addrs, [u'a...@email.com'])
+assert True is result, result
+
+result = _emails_are_valid([], [], [u'a...@email.com'])
+assert False is result, result
+
+subject_addrs = [NameAttr(u'a...@email.com')]
+san_addrs = [NameAttr(u'a...@email.com')]
+result = _emails_are_valid(subject_addrs, san_addrs, [])
+assert False is result, result
+
+subject_addrs = [NameAttr(u'invalidEmailAddress')]
+san_addrs = [NameAttr(u'va...@email.com')]
+result = _emails_are_valid(subject_addrs, san_addrs, 
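Review bot: every call in this test passes three arguments (subject addresses, SAN addresses, principal mails) and wraps the addresses in NameAttr, but _emails_are_valid as added to ipaserver/plugins/cert.py in this same patch takes two arguments, csr_emails and principal_emails, and calls email.split on plain strings. As posted, the first call would fail with TypeError. Update the test to the two-argument signature with plain unicode strings, and add a case with a mixed-case domain, since that is the behaviour the commit message says is being fixed.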

[Freeipa-devel] [freeipa PR#764][opened] Basic uninstaller for the CA

2017-05-04 Thread rcritten
   URL: https://github.com/freeipa/freeipa/pull/764
Author: rcritten
 Title: #764: Basic uninstaller for the CA
Action: opened

PR body:
"""
This in response to watching users flounder with repeated failed replica 
installations and ipa-ca-install attempts that require a complete uninstall. 
Review it with whatever priority you desire.

This is meant ONLY to be able to re-try an installation if the
CA cloning fails for some reason. It is not intended to be used
to remove the CA as a service on a given master.

This is to avoid having to stand up a whole new master just
because the CA installation failed.

https://pagure.io/freeipa/issue/6595
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/764/head:pr764
git checkout pr764
From da470e73eb3100777e983cc31a3566390e66efc2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 4 May 2017 14:45:49 -0400
Subject: [PATCH] Basic uninstaller for the CA

This is meant ONLY to be able to re-try an installation if the
CA cloning fails for some reason. It is not intended to be used
to remove the CA as a service on a given master.

This is to avoid having to stand up a whole new master just
because the CA installation failed.

https://pagure.io/freeipa/issue/6595
---
 install/tools/ipa-ca-install| 72 -
 ipaserver/install/cainstance.py | 10 --
 2 files changed, 79 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..97e9959 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -24,6 +24,7 @@ import shutil
 import tempfile
 
 from ipalib.install.kinit import kinit_keytab
+from ipapython.dn import DN
 from ipapython import ipautil
 
 from ipaserver.install import installutils
@@ -31,12 +32,14 @@ from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
 from ipaserver.install import cainstance, service
+from ipaserver.install import krainstance
 from ipapython import version
-from ipalib import api
+from ipalib import api, errors
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipaplatform.paths import paths
+from ipaplatform import services
 
 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
 REPLICA_INFO_TOP_DIR = None
@@ -44,6 +47,8 @@ REPLICA_INFO_TOP_DIR = None
 def parse_options():
 usage = "%prog [options] REPLICA_FILE"
 parser = IPAOptionParser(usage=usage, version=version.VERSION)
+parser.add_option("--uninstall", dest="uninstall", action="store_true",
+  default=False, help="uninstall the CA")
 parser.add_option("-d", "--debug", dest="debug", action="store_true",
   default=False, help="gather extra debugging information")
 parser.add_option("-p", "--password", dest="password", sensitive=True,
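Review bot: the help string for --uninstall, "uninstall the CA", promises more than the commit message allows, which says this is only for retrying after a failed CA clone and not for removing the CA as a service on a master. Put that restriction in the help text so it shows up in --help.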
@@ -254,6 +259,67 @@ def install(safe_options, options, filename):
 pass
 
 
+def uninstall(options):
+# Uninstaller meant only for blown replica installations.
+
+# Does NOT remove replication agreements or the ipaca backend.
+
+ca_instance = cainstance.CAInstance(api.env.realm)
+
+if not cainstance.is_ca_installed_locally():
+ca_instance.print_msg(
+"CA does not appear to be installed on this host."
+)
+
+kra = krainstance.KRAInstance(api.env.realm)
+if kra.is_installed():
+sys.exit("Cannot deal with KRA at this time.")
+
+if options.unattended:
+ca_instance.print_msg(
+"Ignoring unattended uninstall request.\n"
+)
+ca_instance.print_msg(
+"This is for failed installs only, do not use otherwise."
+)
+if not ipautil.user_input("Are you sure you want to continue with the "
+  "uninstall procedure?", False):
+ca_instance.print_msg("Aborting uninstall operation.")
+sys.exit(0)
+
+# Note that I'm completely ignoring the replication agreement so it
+# doesn't matter what domain level this is. This is based on the
+# (bad) assumption that this is only being executed to fix a blown
+# install and not to remove the CA as a component.
+
+# TODO: Figure out what is going on with serial # ranges
+
+ca_instance.print_msg("Shutting down CA")
+ca_instance.stop_instance()
+
+try:
+ca.uninstall()
+except Exception as e:
+root_logger.debug("CA uninstall failed with %s", e)
+
+# certmonger is stopped as a side-effect of unintalling the CA
+cmonger = services.knownservices.certmonger
+cmonger.start()
+
+ca_instance.print_msg("Removing CA from list of services")
+dn = DN(('cn', 'CA'), ('cn', api.env.host), ('cn', 'masters'),
+ 
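Review bot: at the top of uninstall(), the `if not cainstance.is_ca_installed_locally():` branch only prints a message and then falls through, so the function goes on to stop the instance and call ca.uninstall() on a host it has just reported as having no CA. Exit there, or add a comment if falling through is intended for half-installed hosts. Further down, `except Exception as e:` logs the ca.uninstall() failure at debug level only and continues to "Removing CA from list of services"; log it at error level and stop, so the directory entry is not removed while the local uninstall failed. Typo in the comment: "unintalling".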

[Freeipa-devel] [freeipa PR#763][edited] Dogtag fail

2017-05-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/763
Author: stlaz
 Title: #763: Dogtag fail
Action: edited

 Changed field: title
Original value:
"""
Dogtag fail
"""


[Freeipa-devel] [freeipa PR#763][opened] Dogtag fail

2017-05-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/763
Author: stlaz
 Title: #763: Dogtag fail
Action: opened

PR body:
"""
**Make CA/KRA fail when they don't start**

Since all the services throw exceptions when we're unable to
start/restart them, CA/KRA should not be an exception to it.

**Fix wrong message on Dogtag instances stop**

https://pagure.io/freeipa/issue/6766
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/763/head:pr763
git checkout pr763
From c3ab7b00b28bd349119371a214a3a3a22ab4c133 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 4 May 2017 14:58:46 +0200
Subject: [PATCH 1/2] Make CA/KRA fail when they don't start

Since all the services throw exceptions when we're unable to
start/restart them, CA/KRA should not be an exception to it.

https://pagure.io/freeipa/issue/6766
---
 ipaserver/install/dogtaginstance.py | 16 ++--
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 356358a..f79031b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -156,22 +156,10 @@ def clean_pkispawn_files(self):
   ignore_errors=True)
 
 def restart_instance(self):
-try:
-self.restart('pki-tomcat')
-except Exception:
-self.log.debug(traceback.format_exc())
-self.log.critical(
-"Failed to restart the Dogtag instance."
-"See the installation log for details.")
+self.restart('pki-tomcat')
 
 def start_instance(self):
-try:
-self.start('pki-tomcat')
-except Exception:
-self.log.debug(traceback.format_exc())
-self.log.critical(
-"Failed to restart the Dogtag instance."
-"See the installation log for details.")
+self.start('pki-tomcat')
 
 def stop_instance(self):
 try:
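Review bot: with the try/except removed from restart_instance and start_instance, stop_instance directly below still opens with `try:` and only logs on failure, so the three methods now behave differently on error. Either make stop_instance raise as well or say in the commit message why stopping stays best-effort. Callers of start_instance and restart_instance that relied on these never raising should be checked, since the critical "See the installation log for details." message is no longer emitted here.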

From fd1b004ea772fff154199f79a2750eaf45fab14e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 4 May 2017 15:00:33 +0200
Subject: [PATCH 2/2] Fix wrong message on Dogtag instances stop

https://pagure.io/freeipa/issue/6766
---
 ipaserver/install/dogtaginstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index f79031b..831d996 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -167,7 +167,7 @@ def stop_instance(self):
 except Exception:
 self.log.debug(traceback.format_exc())
 self.log.critical(
-"Failed to restart the Dogtag instance."
+"Failed to stop the Dogtag instance."
 "See the installation log for details.")
 
 def enable_client_auth_to_db(self, config):
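Review bot: the two adjacent string literals in this self.log.critical call are concatenated with no separator, so the corrected message is emitted as "Failed to stop the Dogtag instance.See the installation log for details."; add a trailing space to the first literal while touching this line.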

[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host

2017-05-04 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/761
Author: felipevolpone
 Title: #761: Fixing adding authenticator indicators to host
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/761/head:pr761
git checkout pr761
From ac19e97b02c65a4728239a134e5d2bc39a08672f Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 4 May 2017 09:51:07 -0300
Subject: [PATCH] Fixing adding authenticator indicators to host

The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911
---
 ipaserver/plugins/host.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index dcadd54..15bd25d 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -920,7 +920,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = _entry_attrs['objectclass']
-if 'ieee802device' not in obj_classes:
+if 'ieee802device' not in [item.lower() for item in obj_classes]:
 obj_classes.append('ieee802device')
 entry_attrs['objectclass'] = obj_classes
 
@@ -940,7 +940,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
-if 'ipasshhost' not in obj_classes:
+if 'ipasshhost' not in [item.lower() for item in obj_classes]:
 obj_classes.append('ipasshhost')
 
 update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
@@ -949,14 +949,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
+if 'krbticketpolicyaux' not in [item.lower() for item in
+entry_attrs['objectclass']]:
 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
 if 'krbprincipalauthind' in entry_attrs:
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
+if 'krbprincipalaux' not in [item.lower() for item in
+ entry_attrs['objectclass']]:
 entry_attrs['objectclass'].append('krbprincipalaux')
 
 add_sshpubkey_to_attrs_pre(self.context, attrs_list)
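Review bot: the expression `[item.lower() for item in ...]` is now written out four times in pre_callback (here for krbticketpolicyaux and krbprincipalaux, in the earlier hunks for ieee802device and ipasshhost), and the two wrapped occurrences in this hunk use different continuation indents. Pull it into one small helper that takes the objectclass list and the class name and use it at each site. The commit message mentions only krbprincipalaux; list all four checks the patch changes.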

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-04 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

pvoborni commented:
"""
I'd fix it on all places in host-mod:
```
  885  raise errors.ACIError(info=msg)
  886  obj_classes = entry_attrs_old['objectclass']
  887: if 'krbprincipalaux' not in obj_classes:
  888  obj_classes.append('krbprincipalaux')
  889  entry_attrs['objectclass'] = obj_classes
  ...
  921  _entry_attrs = ldap.get_entry(dn, ['objectclass'])
  922  obj_classes = _entry_attrs['objectclass']
  923: if 'ieee802device' not in obj_classes:
  924  obj_classes.append('ieee802device')
  925  entry_attrs['objectclass'] = obj_classes
  ...
  941  _entry_attrs = ldap.get_entry(dn, ['objectclass'])
  942  obj_classes = entry_attrs['objectclass'] = 
_entry_attrs['objectclass']
  943: if 'ipasshhost' not in obj_classes:
  944  obj_classes.append('ipasshhost')
```

so that the plugin would be consistent. Rest of framework can be fixed other 
time.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-299172235

[Freeipa-devel] [freeipa PR#753][closed] Check CA status: add HTTP timeout

2017-05-04 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/753
Author: MartinBasti
 Title: #753: Check CA status: add HTTP timeout
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/753/head:pr753
git checkout pr753

[Freeipa-devel] [freeipa PR#753][comment] Check CA status: add HTTP timeout

2017-05-04 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/753
Title: #753: Check CA status: add HTTP timeout

MartinBasti commented:
"""
master:

* 20f7689079328aeef42b62a359b303f531db5666 http_request: add timeout option
* 05984f171b0b41681254c95380a0598e4208a201 ca_status: add HTTP timeout 30 
seconds


ipa-4-5:

* 48bb3cb69c000cea3f28bd5b44072d0fe9caa7a2 http_request: add timeout option
* 68ce9aa2addb6048333e723f771132f5da7dd38f ca_status: add HTTP timeout 30 
seconds


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/753#issuecomment-299167248

[Freeipa-devel] [freeipa PR#753][+pushed] Check CA status: add HTTP timeout

2017-05-04 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/753
Title: #753: Check CA status: add HTTP timeout

Label: +pushed

[Freeipa-devel] [freeipa PR#753][+ack] Check CA status: add HTTP timeout

2017-05-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/753
Title: #753: Check CA status: add HTTP timeout

Label: +ack

[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-05-04 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From de75aafdb0de58e57d452b1bc6b69d60d56dfd50 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Make jinja2 an optional dependency and csrgen an optional plugin
* Make otptoken_yubikey an optional plugin

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  3 +--
 tox.ini   |  4 ++--
 4 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
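Review bot: only `import jinja2` sits inside the try, while the `else:` branch imports ipaclient.csrgen and ipaclient.csrgen_ffi unguarded. The new csrgen extra in ipaclient/setup.py lists cffi as well as jinja2, so with jinja2 present and cffi missing, an ImportError raised by the else-branch imports would propagate instead of becoming SkipPluginModule. Move the two ipaclient imports inside the try, or probe cffi as well, and make the reason string name both packages.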
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 0140fd5..ac947e7 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -50,11 +50,9 @@
 ],
 },
 install_requires=[
-"cffi",
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
 "qrcode",
 "six",
 ],
@@ -66,6 +64,7 @@
 extras_require={
 "install": ["ipaplatform"],
 "otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
diff --git a/tox.ini b/tox.ini
index ccface9..931b125 100644
--- a/tox.ini
+++ b/tox.ini
@@ -13,7 +13,7 @@ changedir={envdir}
 setenv=
 HOME={envtmpdir}
 deps=
-ipaclient
+ipaclient[csrgen]
 ipatests
 commands=
 {envbindir}/ipa --help
@@ -22,7 +22,7 @@ commands=
 [testenv:pylint2]
 basepython=python2.7
 deps=
-ipaclient[otptoken_yubikey]
+ipaclient[csrgen,otptoken_yubikey]
 pylint
 commands=
 {envpython} -m pylint \

[Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages

2017-05-04 Thread olivergs
  URL: https://github.com/freeipa/freeipa/pull/756
Title: #756: Added plugins directory to paclient subpackages

olivergs commented:
"""
I also opened this https://bugzilla.redhat.com/show_bug.cgi?id=1446744
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/756#issuecomment-299146326

[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos

2017-05-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/716
Title: #716: Fix minor typos

stlaz commented:
"""
Except for the one change I pointed out, this is all OK with me. The only thing 
I am not sure is whether we can go changing the doc texts in 
`ipaclient/remote_plugins/2_*/*.py` since these are kept for backward 
compatibility but I hope someone can clear this out for me.
If you could possibly remove the change at the line I noted, I will ACK this as 
soon as we can be sure about those changes in the `remote_plugins/` directory.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/716#issuecomment-299122208

[Freeipa-devel] [freeipa PR#762][opened] fix managed-entries printing IPA not installed

2017-05-04 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/762
Author: stlaz
 Title: #762: fix managed-entries printing IPA not installed
Action: opened

PR body:
"""
ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.

https://pagure.io/freeipa/issue/6928
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/762/head:pr762
git checkout pr762
From 85deb5f7323fbeb490ae3d2195811b80a1844ad8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 4 May 2017 09:42:36 +0200
Subject: [PATCH] fix managed-entries printing IPA not installed

ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.

https://pagure.io/freeipa/issue/6928
---
 install/tools/ipa-managed-entries | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 731dcc3..4aceee5 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -20,6 +20,7 @@
 
 from __future__ import print_function
 
+import os
 import re
 import sys
 from optparse import OptionParser  # pylint: disable=deprecated-module
@@ -193,4 +194,6 @@ def main():
 return retval
 
 if __name__ == '__main__':
+if not os.geteuid() == 0:
+sys.exit("\nMust be run as root\n")
 installutils.run_script(main, operation_name='ipa-managed-entries')
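Review bot: `if not os.geteuid() == 0:` in the `__main__` block reads more clearly as `if os.geteuid() != 0:`. The check also runs before installutils.run_script, so this exit bypasses whatever logging and exit handling run_script applies to main(); consider doing the check inside main() instead, and drop the leading and trailing \n from the message.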

[Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages

2017-05-04 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/756
Title: #756: Added plugins directory to paclient subpackages

MartinBasti commented:
"""
Opened issue: https://pagure.io/freeipa/issue/6927
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/756#issuecomment-299116620

[Freeipa-devel] [freeipa PR#726][comment] Add check for directory name

2017-05-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/726
Title: #726: Add check for directory name

stlaz commented:
"""
Obviously we can't push this until the tests pass.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/726#issuecomment-299112001

[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password

2017-05-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

stlaz commented:
"""
There will be no more sys.exits. This patchset shall not be ACKed until all 
have been removed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/757#issuecomment-29913

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-04 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

stlaz commented:
"""
```
* Module ipaserver.plugins.host

ipaserver/plugins/host.py:887: [C0303(trailing-whitespace), ] Trailing 
whitespace)
```
\+ wrong author in the commit
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-299104113