[Freeipa-devel] [freeipa PR#782][opened] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/782
Author: felipevolpone
 Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup
Action: opened

PR body:
"""
Improving usability of the "Add DNS Zones" popup in Web UI.

Ticket: https://pagure.io/freeipa/issue/6687
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/782/head:pr782
git checkout pr782
From 776528aec528c2169214929e892a225bb088af5d Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 11 May 2017 20:16:31 -0300
Subject: [PATCH] Improving GUI text in "Add DNS Zones" popup

---
 install/ui/src/freeipa/dns.js | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js
index 1be8513..f2b110d 100644
--- a/install/ui/src/freeipa/dns.js
+++ b/install/ui/src/freeipa/dns.js
@@ -294,6 +294,11 @@ return {
 height: 300,
 sections: [
 {
+name: 'dnszone_title',
+label: 'Select the required zone type.',
+fields: []
+},
+{
 name: 'name',
 layout: IPA.dnszone_name_section_layout,
 fields: [
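Review bot: the new 'dnszone_title' section carries only a hardcoded English label and an empty `fields: []` list; if labels in this file are localized elsewhere in the Web UI, this string should use the same mechanism, and a fieldless section used just to show a sentence reads as a workaround for a plain text widget.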
@@ -307,6 +312,7 @@ return {
 $type: 'dnszone_name',
 name: 'name_from_ip',
 radio_name: 'dnszone_name_type',
+required: false,
 validators: ['network']
 }
 ]
@@ -750,9 +756,6 @@ IPA.add_dns_zone_name_policy = function() {
 idnsname_w.input.prop('disabled', false);
 name_from_ip_w.input.prop('disabled', true);
 
-idnsname_f.set_required(true);
-name_from_ip_f.set_required(false);
-
 name_from_ip_f.reset();
 });
 
@@ -760,9 +763,6 @@ IPA.add_dns_zone_name_policy = function() {
 idnsname_w.input.prop('disabled', true);
 name_from_ip_w.input.prop('disabled', false);
 
-idnsname_f.set_required(false);
-name_from_ip_f.set_required(true);
-
 idnsname_f.reset();
 });
 };
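Review bot: with both `set_required` calls removed from each branch of `IPA.add_dns_zone_name_policy`, the required flag of `idnsname` and `name_from_ip` no longer follows the selected radio option; the earlier hunk pins `name_from_ip` to `required: false`, but nothing in this patch changes `idnsname`, so confirm that an `idnsname` field that stays required while disabled does not block form submission when the name-from-IP option is chosen.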
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#781][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-11 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/781
Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN

felipevolpone commented:
"""
Hi everyone, 

after a long long day, I did a great job deleting the branch from PR #773, then 
Github closed it.
If someone knows how to reopen it, great. Otherwise, I create a new branch and 
this new PR. 

Sorry about that :(

Notifying people that were following that thread: @stlaz @MartinBasti 
@frasertweedale @HonzaCholasta @pvoborni 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/781#issuecomment-300944178

[Freeipa-devel] [freeipa PR#781][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/781
Author: felipevolpone
 Title: #781: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: opened

PR body:
"""
The code is not "production-ready", however, I would like to know if I'm on the 
right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName 
info.

Fix: https://pagure.io/freeipa/issue/6663


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/781/head:pr781
git checkout pr781
From 0bea2f6601915dc4f194953ebfe450bef5ae70b2 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 11 May 2017 20:21:57 -0300
Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN

---
 ipaserver/plugins/cert.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..09d3dba 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,17 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
+
+has_dns_in_san_ext = False
+if ext_san:
+for gn in x509.process_othernames(ext_san.value):
+if isinstance(gn, cryptography.x509.general_name.DNSName):
+has_dns_in_san_ext = True
+
+if not ext_san or not has_dns_in_san_ext:
+print('Warning: The SAN extension '
+  'should be provided. Please, check the RFC 2818.')
+
 if not _dns_name_matches_principal(cn, principal, principal_obj):
 raise errors.ValidationError(
 name='csr',
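Review bot: `print()` inside `execute()` of a server-side plugin writes to the server process's stdout, so the warning never reaches the client that ran cert-request; the plugin's message mechanism (warnings returned with the command result) or the module logger is the right channel. Also `not ext_san or not has_dns_in_san_ext` is redundant, since `has_dns_in_san_ext` stays False whenever `ext_san` is empty, and the loop can `break` on the first `DNSName` instead of scanning every general name.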

[Freeipa-devel] [freeipa PR#773][closed] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/773/head:pr773
git checkout pr773

[Freeipa-devel] [freeipa PR#773][synchronized] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/773/head:pr773
git checkout pr773
From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Tue, 9 May 2017 17:06:55 -0300
Subject: [PATCH 1/2] warn in cert-request if CSR doesn't contain SAN

---
 ipaserver/plugins/cert.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..aa960ab 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
+
+has_dns_in_san_ext = False
+if ext_san:
+for gn in x509.process_othernames(ext_san.value):
+if isinstance(gn, cryptography.x509.general_name.DNSName):
+has_dns_in_san_ext = True
+
+if not ext_san or not has_dns_in_san_ext:
+print('Warning: The SAN extension '
+  'should be provided. Please, check the RFC 2818.')
+
+
 if not _dns_name_matches_principal(cn, principal, principal_obj):
 raise errors.ValidationError(
 name='csr',
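Review bot: the two consecutive blank lines added after the warning sit inside the `if principal_type in (SERVICE, HOST):` body and will be flagged by style checkers (flake8 E303); apart from that, this is the same print-based warning as in PR#781, with the same concern that `print()` output stays on the server side and never reaches the cert-request caller.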

From 9b60d7e904269743e0a4d19821139738db5e02e9 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 11 May 2017 19:53:56 -0300
Subject: [PATCH 2/2] Improving GUI text in "Add DNS Zone" popup.

---
 install/ui/src/freeipa/dns.js | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js
index 1be8513..f2b110d 100644
--- a/install/ui/src/freeipa/dns.js
+++ b/install/ui/src/freeipa/dns.js
@@ -294,6 +294,11 @@ return {
 height: 300,
 sections: [
 {
+name: 'dnszone_title',
+label: 'Select the required zone type.',
+fields: []
+},
+{
 name: 'name',
 layout: IPA.dnszone_name_section_layout,
 fields: [
@@ -307,6 +312,7 @@ return {
 $type: 'dnszone_name',
 name: 'name_from_ip',
 radio_name: 'dnszone_name_type',
+required: false,
 validators: ['network']
 }
 ]
@@ -750,9 +756,6 @@ IPA.add_dns_zone_name_policy = function() {
 idnsname_w.input.prop('disabled', false);
 name_from_ip_w.input.prop('disabled', true);
 
-idnsname_f.set_required(true);
-name_from_ip_f.set_required(false);
-
 name_from_ip_f.reset();
 });
 
@@ -760,9 +763,6 @@ IPA.add_dns_zone_name_policy = function() {
 idnsname_w.input.prop('disabled', true);
 name_from_ip_w.input.prop('disabled', false);
 
-idnsname_f.set_required(false);
-name_from_ip_f.set_required(true);
-
 idnsname_f.reset();
 });
 };
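Review bot: this is the same dns.js change as in PR#782 (only the commit subject differs); the concern that the required state of `idnsname` no longer follows the radio selection once the `set_required` calls are removed applies here unchanged.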

[Freeipa-devel] [freeipa PR#777][closed] ipa-kra-install manpage: document domain-level 1

2017-05-11 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/777
Author: flo-renaud
 Title: #777: ipa-kra-install manpage: document domain-level 1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/777/head:pr777
git checkout pr777

[Freeipa-devel] [freeipa PR#777][+pushed] ipa-kra-install manpage: document domain-level 1

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/777
Title: #777: ipa-kra-install manpage: document domain-level 1

Label: +pushed

[Freeipa-devel] [freeipa PR#777][comment] ipa-kra-install manpage: document domain-level 1

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/777
Title: #777: ipa-kra-install manpage: document domain-level 1

MartinBasti commented:
"""
master:

* f3e1efdcf5db5da2c3c42d3d58be172943f20bce ipa-kra-install manpage: document 
domain-level 1


ipa-4-5:

* 72d2e9e4c312576e1a62e210b4e5d9696bc70609 ipa-kra-install manpage: document 
domain-level 1


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/777#issuecomment-300818344

[Freeipa-devel] [freeipa PR#779][closed] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/779
Author: dkupka
 Title: #779: [master, 4.5] Bump version of ipa.conf file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/779/head:pr779
git checkout pr779

[Freeipa-devel] [freeipa PR#779][+pushed] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/779
Title: #779: [master, 4.5] Bump version of ipa.conf file

Label: +pushed

[Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/779
Title: #779: [master, 4.5] Bump version of ipa.conf file

MartinBasti commented:
"""
master:

* 9d32e61ba548e7e940f165c0ec8df0b4bfd210bd Bump version of ipa.conf file


ipa-4-5:

* 76e5ac59579f36f28bb247bf3173e95e57ee4af4 Bump version of ipa.conf file


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/779#issuecomment-300816972

[Freeipa-devel] [freeipa PR#765][+pushed] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

Label: +pushed

[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

MartinBasti commented:
"""
ipa-4-5:

* ecccd6cb843c44093449cc45a7d94bb14fa65513 spec file: bump python-netaddr 
Requires


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/765#issuecomment-300815982

[Freeipa-devel] [freeipa PR#765][closed] [4.5 backport] spec file: bump python-netaddr Requires

2017-05-11 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/765
Author: MartinBasti
 Title: #765: [4.5 backport] spec file: bump python-netaddr Requires
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/765/head:pr765
git checkout pr765

[Freeipa-devel] [freeipa PR#777][+ack] ipa-kra-install manpage: document domain-level 1

2017-05-11 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/777
Title: #777: ipa-kra-install manpage: document domain-level 1

Label: +ack

[Freeipa-devel] [freeipa PR#779][+ack] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/779
Title: #779: [master, 4.5] Bump version of ipa.conf file

Label: +ack

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-11 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
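Review bot: `_get_dirman_password` has no docstring, and the fact that it terminates the whole process via `sys.exit()` (on a missing password in unattended mode, on Ctrl-C, and when `read_password` returns None) is worth documenting because callers cannot handle it; the two "Directory Manager password required" exits differ only in quote style and could share one message.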
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether provided Directory Manager
is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None
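Review bot: `validate_dm_password_ldap` maps only `errors.ACIError` to the `ValueError` that `read_password` treats as a validation failure; any other exception raised by `LDAPClient()` or `simple_bind` (server unreachable, TLS problem) propagates unchanged and will abort the installer with a traceback instead of a message, so consider catching the connection-level errors and reporting them too. The function also uses `paths.IPA_CA_CRT` while the import hunk above adds only `DIRMAN_DN` and `LDAPClient`, so confirm `paths` is already imported in installutils.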

From 

[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

MartinBasti commented:
"""
We have to use `sys.exit()` in this case, because I forgot that CA still uses 
old style installer. Without `sys.exit()` it will always suggest user to 
uninstall server:

```
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
```

We don't want to uninstall server due to a typo in password
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/757#issuecomment-300811680

[Freeipa-devel] [freeipa PR#779][synchronized] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/779
Author: dkupka
 Title: #779: [master, 4.5] Bump version of ipa.conf file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/779/head:pr779
git checkout pr779
From 75891c5a98e7acecf7cb85a6d87c4f4cf788ab22 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 11 May 2017 10:17:33 +0200
Subject: [PATCH] Bump version of ipa.conf file

In commit 157831a287c64106eed4 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.

https://pagure.io/freeipa/issue/6860
---
 install/conf/ipa.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 75c122e..a7ca5ce 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 25 - DO NOT REMOVE THIS LINE
+# VERSION 26 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #

[Freeipa-devel] [freeipa PR#736][comment] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-11 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/736
Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.

felipevolpone commented:
"""
Done! Thank you Fraser :)) :+1: 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/736#issuecomment-300789100

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-11 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

felipevolpone commented:
"""
Cool :)) thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-300788709

[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/761
Author: felipevolpone
 Title: #761: Fixing adding authenticator indicators to host
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/761/head:pr761
git checkout pr761
From 9a8dacc8df9fd877df971fa79396796b1b9ae30f Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 11 May 2017 10:26:03 -0300
Subject: [PATCH] Fixing adding authenticator indicators to host

The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911
---
 ipaserver/plugins/host.py | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index dcadd54..1e1f9d8 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -884,7 +884,8 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 msg = 'Principal name already set, it is unchangeable.'
 raise errors.ACIError(info=msg)
 obj_classes = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in obj_classes:
+if 'krbprincipalaux' not in (item.lower() for item in
+ obj_classes):
 obj_classes.append('krbprincipalaux')
 entry_attrs['objectclass'] = obj_classes
 
@@ -920,7 +921,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = _entry_attrs['objectclass']
-if 'ieee802device' not in obj_classes:
+if 'ieee802device' not in (item.lower() for item in obj_classes):
 obj_classes.append('ieee802device')
 entry_attrs['objectclass'] = obj_classes
 
@@ -940,7 +941,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
-if 'ipasshhost' not in obj_classes:
+if 'ipasshhost' not in (item.lower() for item in obj_classes):
 obj_classes.append('ipasshhost')
 
 update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
@@ -949,14 +950,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
+if 'krbticketpolicyaux' not in (item.lower() for item in
+entry_attrs['objectclass']):
 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
 if 'krbprincipalauthind' in entry_attrs:
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
+if 'krbprincipalaux' not in (item.lower() for item in
+ entry_attrs['objectclass']):
 entry_attrs['objectclass'].append('krbprincipalaux')
 
 add_sshpubkey_to_attrs_pre(self.context, attrs_list)
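Review bot: the `(item.lower() for item in ...)` generator now appears five times across these hunks; a small helper (for example `has_objectclass(obj_classes, 'krbprincipalaux')`) would keep the case-insensitive comparison in one place and make the intent obvious. Also the continuation line under `'krbticketpolicyaux' not in (item.lower() for item in` is not aligned with the opening parenthesis, while the `'krbprincipalaux'` case right below it is.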

[Freeipa-devel] [freeipa PR#736][synchronized] Fixing the cert-request command comparing whole email address case-sensitively.

2017-05-11 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/736
Author: felipevolpone
 Title: #736: Fixing the cert-request command comparing whole email address 
case-sensitively.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/736/head:pr736
git checkout pr736
From 6eb1169e3eab36678a2640718a7204a72247be91 Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 11 May 2017 10:20:02 -0300
Subject: [PATCH] Fixing the cert-request comparing whole email address
 case-sensitively.

Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919
---
 ipaserver/plugins/cert.py| 27 ---
 ipatests/test_xmlrpc/test_cert_plugin.py | 23 +++
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..fbda6ca 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -798,7 +798,9 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+csr_emails = [attr.value for attr in email_addrs]
+if not _emails_are_valid(csr_emails,
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
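Review bot: the comment above this block ("fail if any email addr from DN does not appear in ldap entry") no longer describes the comparison, which now case-folds only the domain part; reword it so the asymmetry is visible, e.g. `user@EXAMPLE.COM` is accepted for an entry holding `user@example.com` while `User@example.com` is not. Extracting `attr.value` into `csr_emails` also corrects the old `set(email_addrs)` test, which compared NameAttribute objects against strings.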
@@ -884,8 +886,8 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 "match requested principal") % gn.name)
 elif isinstance(gn, cryptography.x509.general_name.RFC822Name):
 if principal_type == USER:
-if principal_obj and gn.value not in principal_obj.get(
-'mail', []):
+if not _emails_are_valid([gn.value],
+ principal_obj.get('mail', [])):
 raise errors.ValidationError(
 name='csr',
 error=_(
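Review bot: the `principal_obj and` guard from the removed lines is dropped here, so when `principal_obj` is None (a case the old condition explicitly tolerated) `principal_obj.get('mail', [])` raises AttributeError instead of the check being skipped; keep the guard, e.g. `if principal_obj and not _emails_are_valid([gn.value], principal_obj.get('mail', [])):`.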
@@ -953,6 +955,25 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 )
 
 
+def _emails_are_valid(csr_emails, principal_emails):
+"""
+Checks if any email address from certificate request does not
+appear in ldap entry, comparing the domain part case-insensitively.
+"""
+
+def lower_domain(email):
+email_splitted = email.split('@', 1)
+if len(email_splitted) > 1:
+email_splitted[1] = email_splitted[1].lower()
+
+return '@'.join(email_splitted)
+
+principal_emails_lower = set(map(lower_domain, principal_emails))
+csr_emails_lower = set(map(lower_domain, csr_emails))
+
+return csr_emails_lower.issubset(principal_emails_lower)
+
+
 def principal_to_principal_type(principal):
 if principal.is_user:
 return USER
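Review bot: the docstring of `_emails_are_valid` is inverted relative to the return value: it says the function checks whether any address "does not appear" in the entry, yet it returns True exactly when every CSR address appears (`issubset`). Suggest: "Return True if every email address from the CSR appears in the LDAP entry, comparing the domain part case-insensitively and the local part case-sensitively." Minor: `email_splitted` would read better as `parts`, and `email.split('@', 1)` silently accepts strings without an `@`, which is acceptable here only because such values then have to match the entry verbatim.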
diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 51c20b6..0de5b75 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -251,6 +251,29 @@ def test_00010_cleanup(self):
 res = api.Command['service_find'](self.service_princ)
 assert res['count'] == 0
 
+def test_00011_emails_are_valid(self):
+"""
+Verify the different scenarios when checking if any email addr
+from DN or SAN extension does not appear in ldap entry.
+"""
+
+from ipaserver.plugins.cert import _emails_are_valid
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com'])
+assert True == result, result
+
+email_addrs = [u'a...@email.com']
+result = _emails_are_valid(email_addrs, [u'a...@email.com',
+ u'anot...@email.com'])
+assert True == result, result
+
+result = _emails_are_valid([], [u'a...@email.com'])
+assert True == result, result
+
+email_addrs = [u'invalidEmailAddress']
+result = _emails_are_valid(email_addrs, [])
+assert False == result, result
+
 
 @pytest.mark.tier1
 class test_cert_find(XMLRPC_test):
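Review bot: none of the cases shown exercises the behaviour this patch introduces, since every CSR address matches the entry with identical case. Add a case where only the domain case differs (expected True), one where only the local part case differs (expected False) and one with a different domain (expected False); otherwise a regression to plain equality would pass this test unchanged. Style: `assert True == result, result` reads better as `assert result is True` / `assert result is False`, and since the helper needs no server, the test could live in a plain unit-test module rather than in an XMLRPC tier test class.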

Re: [Freeipa-devel] Moving our wiki back to password login

2017-05-11 Thread Martin Kosek
On 05/09/2017 04:29 PM, Martin Kosek wrote:
> Hello all,
> 
> As some of you noticed, FreeIPA wiki authentication via OpenID was
> broken in the last days. I suspect (but did not get a reply from Patrick, who
> is running the Fedora infra, yet) that it was caused by Fedora moving to a
> more modern authentication protocol, i.e. from OpenID to OpenID Connect
> (OIDC):
> https://fedoraproject.org/wiki/Infrastructure/Authentication
> 
> Unfortunately, I cannot make the OIDC login for our current FreeIPA
> instance available, given that our wiki runs on OpenShift v2 which uses
> PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26.
> OIDC mediawiki authentication plugin is supported from 1.27 forward.
> 
> So the wiki needs to be either:
> - migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance
> - migrated to OpenShift v3 (preferred)
> to unblock us from this situation and get to proper OIDC authentication.
> 
> However, this will need more time and preparation (which I do not even
> have right now). For now, I simply disabled OpenID authentication in our
> wiki and enabled password logins again! Anonymous account creation is
> disabled to avoid spammers. However, given that we now enforce people to
> be in a special group (editors) to fight the spammers, there is actually
> no big functionality lost in this, except having to use yet another
> password.
> 
> To summarize, if you want to access the wiki again, please use the
> password you may have had before we migrated to Fedora OpenID. If you do
> not have the password yet, you should be able to simply reset it before
> logging in and you should get an email (the mail part did not work for
> martbab this afternoon, though). In the worst case, I can reset the
> password for you, just shoot me an email.

After finally reaching Patrick, I found out that Fedora still supports
plain OpenID and it was likely just some interim error. I thus reverted
the patch for simple password login and re-enabled OpenID logins again.

Still, the current situation with the FreeIPA.org mediawiki version stays; we
will be unable to upgrade the wiki or most of its plugins until we move
to a newer OpenShift instance.

Martin



[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT

2017-05-11 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/758
Author: HonzaCholasta
 Title: #758: install: fix CA-less PKINIT
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/758/head:pr758
git checkout pr758
From fb20f2009298f8e6e79b66b028c28b7e35e5ee03 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH 01/13] certdb: add named trust flag constants

Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831
---
 install/restart_scripts/restart_httpd  |  3 ++-
 install/tools/ipa-replica-conncheck|  4 +++-
 ipaclient/install/client.py|  9 ++---
 ipapython/certdb.py|  9 +++--
 ipaserver/install/ca.py|  2 +-
 ipaserver/install/certs.py |  5 +++--
 ipaserver/install/dsinstance.py|  5 +++--
 ipaserver/install/httpinstance.py  |  5 +++--
 ipaserver/install/ipa_cacert_manage.py | 16 +++-
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py|  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)

diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82..cd7f120 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
 nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
 # Add trust flag which set certificate trusted for SSL connections.
-db.trust_root_cert(nickname, "P,,")
+db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f3..5282422 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
 data = ca_cert.public_bytes(
 serialization.Encoding.DER)
 nss_db.add_cert(
-data, str(DN(ca_cert.subject)), 'C,,')
+data,
+str(DN(ca_cert.subject)),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
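Review bot: this hunk uses `certdb.EXTERNAL_CA_TRUST_FLAGS` but the diff for ipa-replica-conncheck adds no import, unlike restart_httpd, which needed `from ipapython.certdb import ...`; confirm `certdb` is already imported in this script, and likewise in ipaclient/install/client.py, whose hunks reference `certdb.IPA_CA_TRUST_FLAGS` and `certdb.EXTERNAL_CA_TRUST_FLAGS` without a visible import change.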
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692..e78be90 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
 if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
 create_ipa_nssdb()
 
-for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-  ('External CA cert', 'C,,')):
+for nickname, trust_flags in (
+('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
 try:
 cert = sys_db.get_cert(nickname)
 except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
 tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
-tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+tmp_db.add_cert(cert,
+'CA certificate %d' % (i + 1),
+certdb.EXTERNAL_CA_TRUST_FLAGS)
 except CalledProcessError:
 raise ScriptError(
 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..38f3bf0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
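Review bot: the four constants carry no documentation of the NSS trust-flag syntax they encode; add a short comment, since a reader has to know that the three comma-separated fields are SSL, S/MIME and object signing, and that `C` marks a trusted CA, `T` a CA trusted to issue client certificates, and `P` a trusted peer certificate. That also makes the difference between `IPA_CA_TRUST_FLAGS` (`CT,C,C`) and `EXTERNAL_CA_TRUST_FLAGS` (`C,,`) self-explanatory: only the IPA CA is trusted for client-certificate issuance and for the email and object-signing purposes.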
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None,
 cert = x509.load_certificate(cert_pem)
 nickname = str(DN(cert.subject))
 data = cert.public_bytes(serialization.Encoding.DER)
-self.add_cert(data, nickname, ',,')
+self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
 if extracted_key:
 in_file = 

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-11 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props 
to @dkupka).

The "preauthentication failed" with `--no-pkinit` is expected indeed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/758#issuecomment-300767441

[Freeipa-devel] [freeipa PR#745][comment] tests: add missing dependency iptables

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/745
Title: #745: tests: add missing dependency iptables

MartinBasti commented:
"""
AFAIK nobody complains about this issue except me, and I'm fine with master only
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/745#issuecomment-300766961

[Freeipa-devel] [freeipa PR#779][comment] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/779
Title: #779: [master, 4.5] Bump version of ipa.conf file

MartinBasti commented:
"""
Please use ticket https://pagure.io/freeipa/issue/6860 in commit message
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/779#issuecomment-300763946

[Freeipa-devel] [freeipa PR#780][opened] server-del: update defaultServerList in cn=default, ou=profile, $BASE

2017-05-11 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/780
Author: flo-renaud
 Title: #780: server-del: update defaultServerList in 
cn=default,ou=profile,$BASE
Action: opened

PR body:
"""
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/780/head:pr780
git checkout pr780
From 44658742b50f39c9d20475ed0d2344b08c508f8c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 11 May 2017 11:41:23 +0200
Subject: [PATCH] server-del: update defaultServerList in
 cn=default,ou=profile,$BASE

ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943
---
 ipaserver/plugins/server.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b1ee472..04a5ff5 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -608,12 +608,12 @@ def _remove_server_principal_references(self, master):
 dn = DN(('cn', 'default'), ('ou', 'profile'), env.basedn)
 ret = conn.get_entry(dn)
 srvlist = ret.single_value.get('defaultServerList', '')
-srvlist = srvlist[0].split()
+srvlist = srvlist.split()
 if master in srvlist:
 srvlist.remove(master)
 attr = ' '.join(srvlist)
-mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)]
-conn.conn.modify_s(str(dn), mod)
+ret['defaultServerList'] = attr
+conn.update_entry(ret)
 except (errors.NotFound, ldap.NO_SUCH_ATTRIBUTE,
 ldap.TYPE_OR_VALUE_EXISTS):
 pass
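Review bot: replacing `conn.conn.modify_s` with `conn.update_entry(ret)` changes which exceptions can be raised, but the except clause still lists the raw python-ldap `ldap.NO_SUCH_ATTRIBUTE` and `ldap.TYPE_OR_VALUE_EXISTS`; `update_entry` goes through the ipaldap layer and raises ipalib errors instead, and when `master` is not in the list the entry is written back unchanged, which that layer reports as `errors.EmptyModlist`. Either move the `ret['defaultServerList'] = attr` / `conn.update_entry(ret)` lines inside the `if master in srvlist:` block or catch `errors.EmptyModlist` (the `ldap.*` entries can then go, assuming nothing else in the try block calls python-ldap directly).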

[Freeipa-devel] [freeipa PR#779][opened] [master, 4.5] Bump version of ipa.conf file

2017-05-11 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/779
Author: dkupka
 Title: #779: [master, 4.5] Bump version of ipa.conf file
Action: opened

PR body:
"""
In commit 157831a287c64106eed4 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.

https://pagure.io/freeipa/issue/6944
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/779/head:pr779
git checkout pr779
From ecc9e047484e8448b1c769903c9fdb4cdb91934e Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 11 May 2017 10:17:33 +0200
Subject: [PATCH] Bump version of ipa.conf file

In commit 157831a287c64106eed4 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.

https://pagure.io/freeipa/issue/6944
---
 install/conf/ipa.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 75c122e..a7ca5ce 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 25 - DO NOT REMOVE THIS LINE
+# VERSION 26 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #