Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Gabe Alford
On Thu, Nov 24, 2016 at 9:14 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 24.11.2016 16:11, Gabe Alford wrote:
>
> On Thu, Nov 24, 2016 at 1:29 AM, Martin Basti <mba...@redhat.com> wrote:
>
>>
>>
>> On 24.11.2016 07:06, David Kupka wrote:
>>
>>> On 22/11/16 23:15, Gabe Alford wrote:
>>>
>>>> I would say that it is worth keeping in FreeIPA. I know myself and some
>>>> customers use its functionality by having the clients sync to the IPA
>>>> servers and have the servers sync to the NTP source. This way if the NTP
>>>> source ever gets disrupted for long periods of time (which has happened
>>>> in
>>>> my environment) the client time drifts with the authentication source.
>>>> This
>>>> is the way that AD often works and is configured.
>>>>
>>>
>>> Hello Gabe,
>>> I agree that it's common practice to synchronize all nodes in network
>>> with single source in order to have the same time and save bandwidth. Also
>>> I understand that it's comfortable to let FreeIPA installer take care of it.
>>> But I don't think FreeIPA should do it. IMO this is a job for Ansible or
>>> similar tool. Also the problem is that in some situations FreeIPA installer
>>> makes it worse.
>>>
>>> Example:
>>>
>>> 1. Install FreeIPA server (ipa1.example.org)
>>> 2. Install FreeIPA client on all nodes in network
>>> 3. Install replica (ipa2.example.org) of FreeIPA server to increase
>>> redundancy
>>>
>>
> Why not have NTP look at _srv_ records?
>
>
> Do ntpclients support this natively? I just found some ugly hacks for
> chrony, i.e. an extra service that dynamically changes the config file.
> But yes, this may be a way too, but dirty.
>
>
You are right. It is ugly. I wonder if we can push to make it not so
ugly so that _srv_ is used for both Chrony and NTP which IMO makes those
two products better. If not and the desire is truly to get rid of
chrony/ntp configuration on the client side, what about adding Chrony and
NTP configuration to ipa-advise?


>
>
>> Now all the clients have ipa1.example.org as the only server in
>>> /etc/ntp.conf. If the first FreeIPA server becomes unreachable all clients
>>> will be able to contact KDC on the other server thanks to DNS autodiscovery
>>> in libkrb5 but will be unable to synchronize time.
>>>
>>>
>> This can be resolved by DHCP configured NTP. When NTP server changed, you
>> just change DHCPd config and hosts conf will be synced.
>> We may keep NTP on IPA server side configured, but I'm voting for
>> removing it from clients and document+endorse people to use DHCP (anyway
>> distros have always enabled some time synchronization so it should
>> naturally work without even in small deployments)
>>
>
> If NTP is still configured on the IPA server, this may be less of an
> issue. Not everyone has/is/will be using ansible. Also in secure
> environments, DHCP
> is not allowed/used at all.
>
>
>
>> Also NTP is somehow incompatible with containers, usually containers have
>> time synchronized from host, and by default IPA client container don't do
>> NTP configuration.
>>
>
> Isn't that what the --no-ntp option in the client is for anyway?
>
>
>>
>> Let's deprecate it in 4.5
>>
>> Martin^2
>>
>>
>>
>>
>>>> On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta <jchol...@redhat.com>
>>>> wrote:
>>>>
>>>> On 22.11.2016 13:06, Petr Spacek wrote:
>>>>>
>>>>> On 22.11.2016 12:15, David Kupka wrote:
>>>>>>
>>>>>> Hello everyone!
>>>>>>>
>>>>>>> Is it worth to keep configuring NTP in FreeIPA?
>>>>>>>
>>>>>>> In usual environment there're no special requirements for time
>>>>>>> synchronization
>>>>>>> and the distribution default (be it ntpd, chrony or anything else)
>>>>>>> will
>>>>>>> just
>>>>>>> work. Any tampering with the configuration can't make it any better.
>>>>>>>
>>>>>>> In environment with special requirements (network disconnected from
>>>>>>> public
>>>>>>> internet, nodes disconnected from topology for longer time, ...) time
>>>>>>> synchronization must be taken care of accordingly by system
>>>>>>> administrator and

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-22 Thread Gabe Alford
I would say that it is worth keeping in FreeIPA. I know myself and some
customers use its functionality by having the clients sync to the IPA
servers and have the servers sync to the NTP source. This way if the NTP
source ever gets disrupted for long periods of time (which has happened in
my environment) the client time drifts with the authentication source. This
is the way that AD often works and is configured.

On Tue, Nov 22, 2016 at 7:05 AM, Jan Cholasta wrote:

> On 22.11.2016 13:06, Petr Spacek wrote:
>
>> On 22.11.2016 12:15, David Kupka wrote:
>>
>>> Hello everyone!
>>>
>>> Is it worth to keep configuring NTP in FreeIPA?
>>>
>>> In usual environment there're no special requirements for time
>>> synchronization
>>> and the distribution default (be it ntpd, chrony or anything else) will
>>> just
>>> work. Any tampering with the configuration can't make it any better.
>>>
>>> In environment with special requirements (network disconnected from
>>> public
>>> internet, nodes disconnected from topology for longer time, ...) time
>>> synchronization must be taken care of accordingly by system
>>> administrator and
>>> FreeIPA simply can't help here.
>>>
>>> Also there are problems and weird behavior with the current FreeIPA
>>> installers:
>>>
>>> * ipa-client-install replaces all servers in /etc/ntp.conf with the ones
>>> specified by user or resolved from DNS. If none were provided nor
>>> resolved the
>>> FreeIPA server specified/resolved during installation is used. This
>>> leads in
>>> just single server in the configuration and no time synchronization when
>>> this
>>> server is down/decommissioned.
>>>
>>> * ipa-client-install replaces the NTP configuration. If there was any
>>> parts
>>> previously edited by system administrator it's lost.
>>>
>>> * ipa-server-install adds {0-4}.$PLATFORM.pool.ntp.org to /etc/ntp.conf.
>>> What's the point in doing that? These servers're already in the
>>> configuration
>>> file installed with ntp package.
>>>
>>> I have NTP-related WIP patches that solve some of the issues but in
>>> general I
>>> would prefer to remove the whole thing together with documenting "Please
>>> make
>>> sure that time on all FreeIPA servers and clients is synchronized. On
>>> most
>>> distributions this was already done during system installation."
>>>
>>> Can we mark NTP options deprecated in 4.5 and remove them and stop
>>> touching
>>> any time syncing service in 4.6?
>>>
>>
>> Considering that default config is just fine for normal cases, and given
>> how
>> poorly integrated it is into FreeIPA, I agree with David. FreeIPA should
>> get
>> out of configuration management business.
>>
>
> +1
>
> --
> Jan Cholasta
>
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
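
An added example, not part of the thread and not FreeIPA code: a check for the failure mode described above, where a client's /etc/ntp.conf is left with a single server and loses synchronization when that server goes away. The function names and both sample configurations are constructed for illustration.

```python
# Directives that name a time source in ntp.conf.
SOURCE_DIRECTIVES = ("server", "pool", "peer")

# Constructed sample: a client left with one FreeIPA server as its only source.
SINGLE_SERVER_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
# server 0.fedora.pool.ntp.org iburst
server ipa1.example.org
server 127.127.1.0   # undisciplined local clock
fudge 127.127.1.0 stratum 10
"""

# Constructed sample: several independent sources.
MULTI_SERVER_CONF = """\
server ipa1.example.org iburst
server ipa2.example.org iburst
pool 2.fedora.pool.ntp.org iburst
"""


def time_sources(conf_text):
    """Return (directive, host) for every active network time source."""
    sources = []
    for raw in conf_text.splitlines():
        # Drop comments, then split the directive from its arguments.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SOURCE_DIRECTIVES:
            continue
        # 127.127.t.u addresses are ntpd reference clock drivers (for example
        # the local clock), not servers reachable over the network.
        if fields[1].startswith("127.127."):
            continue
        sources.append((fields[0], fields[1].lower()))
    return sources


def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means no redundancy problem."""
    sources = time_sources(conf_text)
    hosts = sorted({host for _, host in sources})
    # A pool line expands to several servers, so one pool entry is not
    # treated as a single point of failure.
    uses_pool = any(directive == "pool" for directive, _ in sources)
    findings = []
    if not hosts:
        findings.append("no network time source configured")
    elif len(hosts) == 1 and not uses_pool:
        findings.append(
            "single time source %s: no synchronization if it is down "
            "or decommissioned" % hosts[0])
    return findings


if __name__ == "__main__":
    for name, text in (("single", SINGLE_SERVER_CONF),
                       ("multi", MULTI_SERVER_CONF)):
        print(name, audit_ntp_conf(text) or "ok")
```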

Re: [Freeipa-devel] [PATCH] 0008 Do not allow installation in FIPS mode

2016-06-27 Thread Gabe Alford
On Mon, Jun 27, 2016 at 12:38 AM, Florence Blanc-Renaud 
wrote:

> Hi,
>
> this fix is a port of Bug 1131570 - Do not allow IdM server/replica/client
> installation in a FIPS-140 mode
> It prevents installation of FreeIPA if the host is fips-enabled.
>
> https://fedorahosted.org/freeipa/ticket/5761
>

Shouldn't this be about fixing FreeIPA to allow installation/operation in
FIPS mode rather than disabling it? There are many environments where FIPS
is required, and FreeIPA should support it.

Gabe

Re: [Freeipa-devel] [PATCH] 0001 (update 2) provide more information for "ipa cert-revoke -h"

2016-05-17 Thread Gabe Alford
Patrice,

Can you please send rebased version of this patch?

Thanks,

Gabe

On Fri, May 6, 2016 at 6:45 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 04.05.2016 14:30, Gabe Alford wrote:
>
> On Wed, May 4, 2016 at 1:35 AM, Patrice Duc-Jacquet <patdu...@gmail.com> wrote:
>
>> Hi everyone
>>
>> this is a second update that takes into account review feedback.
>>
>> In case the proposal fix is OK what are the next steps to commit this
>> change. I'm not sure to really understand the process. Thanks and regards
>>
>
> If the fix is good, you receive an ack and a core member of the FreeIPA
> team will take your ack'ed patch and push it to the official git repository.
>
> ACK from me
>
> Gabe
>
> Pat
>>
>>
>>
>
>
>
> Hello, I agree with ACK, but I cannot apply the patch using git am -3, can
> you please send rebased version?
>
> Martin^2
>

Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

2016-05-10 Thread Gabe Alford
On Tue, May 10, 2016 at 6:47 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 10.05.2016 14:42, Gabe Alford wrote:
>
> On Tue, May 10, 2016 at 6:26 AM, Martin Basti <mba...@redhat.com> wrote:
>
>>
>>
>> On 10.05.2016 14:13, Gabe Alford wrote:
>>
>> On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:
>>
>>>
>>>
>>> On 04.05.2016 15:14, Gabe Alford wrote:
>>>
>>> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>>>
>>>> Hi Gabe,
>>>>
>>>> I am wondering, how are we handling "CalledProcessError" exception ?
>>>>
>>>
>>> I am not sure 100% what you are asking, but from what I understand, the
>>> "CalledProcessError" exception is when a process returns a non-zero exit
>>> status.
>>> However when running 'ipa-nis-manage enable', an exception is never hit
>>> even if portmap is not installed, hence portmap always being enabled.
>>>
>>> So it seems that if the process is not installed, "CalledProcessError"
>>> doesn't catch an error.
>>>
>>> Gabe
>>>
>>> Hello,
>>>
>>> portmap.enable() may raise the "CalledProcessError" in case that
>>> systemctl enable failed and we should catch this exception and handle it in
>>> the same way as it is done now. i.e catch that exception and set proper
>>> return state.
>>>
>>> Martin^2
>>>
>>
>> Shouldn't "CalledProcessError" raise an exception in this case? In my
>> testing, it doesn't seem to raise an exception when the service does not
>> even exist on the system.
>>
>> Gabe
>>
>> You are right, there is try-except-pass, so no exception can be raised
>>
>> def __enable(self, instance_name=""):
>>     try:
>>         ipautil.run([paths.SYSTEMCTL, "enable",
>>                      self.service_instance(instance_name)])
>>     except ipautil.CalledProcessError:
>>         pass
>>
>>
>> Martin
>>
>
> It is also the case for disable(), mask(), unmask(), etc. Should we update
> the exception in __enable() or is there a reason that it just passes at
> exception?
>
> Gabe
>
>
> I don't think that we should change behavior there, what I'm missing there
> is proper logging :) If you want you can create ticket for it. Leave
> try-except-pass there, changing this may affect a lot of places, and there
> is no time to fix it in 4.4 release.
>
> Martin^2
>

Sounds good. Do you also want to keep the try-except-pass in ipa-nis-manage
as well or does my patch suffice?

Gabe


>
>
>>
>>
>>>
>>>
>>>
>>>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>>>
>>>> Hello,
>>>>
>>>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>>>
>>>>
>>>> Thanks,
>>>> Abhijeet Kasurde
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
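
An added example, not part of the thread and not FreeIPA code, for the try-except-pass discussion above: when enable() swallows CalledProcessError, a caller that relies on the exception to fall back never falls back, while a caller that probes is_installed() does, and logging inside enable() records the failure without changing what callers see. `Service`, `pick_by_exception`, `pick_by_probe` and `run_demo` are hypothetical names, and a Python child process stands in for `systemctl enable`.

```python
import logging
import subprocess
import sys

log = logging.getLogger("service_demo")

# Constructed child program standing in for "systemctl enable <unit>":
# exits 0 when the unit exists, otherwise writes an error and exits 1.
CHILD = ("import sys\n"
         "if sys.argv[2] == '0':\n"
         "    sys.stderr.write('unit %s not found\\n' % sys.argv[1])\n"
         "    sys.exit(1)\n")


class Service:
    """Hypothetical stand-in for a platform service object."""

    def __init__(self, service_name, installed):
        self.service_name = service_name
        self.installed = installed

    def is_installed(self):
        return self.installed

    def enable(self):
        argv = [sys.executable, "-c", CHILD, self.service_name,
                "1" if self.installed else "0"]
        try:
            subprocess.run(argv, check=True, capture_output=True, text=True)
        except subprocess.CalledProcessError as e:
            # Same behaviour as try-except-pass (the caller never sees the
            # exception), but the failure is now recorded.
            log.warning("enable %s failed (exit %d): %s",
                        self.service_name, e.returncode, e.stderr.strip())


def pick_by_exception(portmap, rpcbind):
    """Caller that expects enable() to raise when the service is missing."""
    try:
        portmap.enable()
        return portmap.service_name
    except subprocess.CalledProcessError:
        try:
            rpcbind.enable()
            return rpcbind.service_name
        except subprocess.CalledProcessError:
            return None


def pick_by_probe(portmap, rpcbind):
    """Caller that asks which service exists before enabling it."""
    for svc in (portmap, rpcbind):
        if svc.is_installed():
            svc.enable()
            return svc.service_name
    return None


def run_demo():
    """Host with rpcbind but no portmap; returns both results and the log."""
    warnings = []
    handler = logging.Handler()
    handler.emit = lambda record: warnings.append(record.getMessage())
    log.addHandler(handler)
    try:
        by_exception = pick_by_exception(Service("portmap", False),
                                         Service("rpcbind", True))
        by_probe = pick_by_probe(Service("portmap", False),
                                 Service("rpcbind", True))
    finally:
        log.removeHandler(handler)
    return {"by_exception": by_exception, "by_probe": by_probe,
            "warnings": warnings}


if __name__ == "__main__":
    print(run_demo())
```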

Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

2016-05-10 Thread Gabe Alford
On Tue, May 10, 2016 at 6:26 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 10.05.2016 14:13, Gabe Alford wrote:
>
> On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:
>
>>
>>
>> On 04.05.2016 15:14, Gabe Alford wrote:
>>
>> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>>
>>> Hi Gabe,
>>>
>>> I am wondering, how are we handling "CalledProcessError" exception ?
>>>
>>
>> I am not sure 100% what you are asking, but from what I understand, the
>> "CalledProcessError" exception is when a process returns a non-zero exit
>> status.
>> However when running 'ipa-nis-manage enable', an exception is never hit
>> even if portmap is not installed, hence portmap always being enabled.
>>
>> So it seems that if the process is not installed, "CalledProcessError"
>> doesn't catch an error.
>>
>> Gabe
>>
>> Hello,
>>
>> portmap.enable() may raise the "CalledProcessError" in case that systemctl
>> enable failed and we should catch this exception and handle it in the same
>> way as it is done now. i.e catch that exception and set proper return state.
>>
>> Martin^2
>>
>
> Shouldn't "CalledProcessError" raise an exception in this case? In my
> testing, it doesn't seem to raise an exception when the service does not
> even exist on the system.
>
> Gabe
>
> You are right, there is try-except-pass, so no exception can be raised
>
> def __enable(self, instance_name=""):
>     try:
>         ipautil.run([paths.SYSTEMCTL, "enable",
>                      self.service_instance(instance_name)])
>     except ipautil.CalledProcessError:
>         pass
>
>
> Martin
>

It is also the case for disable(), mask(), unmask(), etc. Should we update
the exception in __enable() or is there a reason that it just passes at
exception?

Gabe


>
>
>>
>>
>>
>>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>>
>>> Hello,
>>>
>>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>>
>>> Thanks,
>>>
>>> Gabe
>>>
>>>
>>> Thanks,
>>> Abhijeet Kasurde
>>>
>>
>>
>>
>>
>>
>
>

Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

2016-05-10 Thread Gabe Alford
On Tue, May 10, 2016 at 2:00 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 04.05.2016 15:14, Gabe Alford wrote:
>
> On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com> wrote:
>
>> Hi Gabe,
>>
>> I am wondering, how are we handling "CalledProcessError" exception ?
>>
>
> I am not sure 100% what you are asking, but from what I understand, the
> "CalledProcessError" exception is when a process returns a non-zero exit
> status.
> However when running 'ipa-nis-manage enable', an exception is never hit
> even if portmap is not installed, hence portmap always being enabled.
>
> So it seems that if the process is not installed, "CalledProcessError"
> doesn't catch an error.
>
> Gabe
>
> Hello,
>
> portmap.enable() may raise the "CalledProcessError" in case that systemctl
> enable failed and we should catch this exception and handle it in the same
> way as it is done now. i.e catch that exception and set proper return state.
>
> Martin^2
>

Shouldn't "CalledProcessError" raise an exception in this case? In my
testing, it doesn't seem to raise an exception when the service does not
even exist on the system.

Gabe



>
>
>
>> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5857
>>
>> Thanks,
>>
>> Gabe
>>
>>
>> Thanks,
>> Abhijeet Kasurde
>>
>
>
>
>
>

Re: [Freeipa-devel] [PATCH 0068] Use ipareplica-ca-install.log instead of ipaserver-ca-install.log

2016-05-10 Thread Gabe Alford
Yeah. That makes sense. Let's fix it with the other logger tickets.

Gabe

On Tue, May 10, 2016 at 5:47 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 03.05.2016 15:41, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5727. Per comment #7,
> this removes ipaserver-ca-install.log and uses ipareplica-ca-install.log.
>
> Thanks,
>
> Gabe
>
>
> Well, with this patch, ipa-ca-install on ca-less master server will log
> into ipareplica-ca-install.log what is not right. This difference between
> master and replica is somehow unfortunate because those servers are equal
> and it should be logged into ipa-ca-install.log. This is part of other
> logging tickets that has been postponed I think that all tickets should be
> resolved together.
>
> I suggest to postpone this ticket and fix it together with other logger
> tickets.
>
> Do you agree?
>
> Martin^2
>

Re: [Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

2016-05-04 Thread Gabe Alford
On Tue, May 3, 2016 at 11:17 PM, Abhijeet Kasurde <akasu...@redhat.com>
wrote:

> Hi Gabe,
>
> I am wondering, how are we handling "CalledProcessError" exception ?
>

I am not sure 100% what you are asking, but from what I understand, the
"CalledProcessError" exception is when a process returns a non-zero exit
status.
However when running 'ipa-nis-manage enable', an exception is never hit
even if portmap is not installed, hence portmap always being enabled.

So it seems that if the process is not installed, "CalledProcessError"
doesn't catch an error.

Gabe


> On 05/04/2016 09:17 AM, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5857
>
> Thanks,
>
> Gabe
>
>
> Thanks,
> Abhijeet Kasurde
>

Re: [Freeipa-devel] [PATCH] 0001 (update 2) provide more information for "ipa cert-revoke -h"

2016-05-04 Thread Gabe Alford
On Wed, May 4, 2016 at 1:35 AM, Patrice Duc-Jacquet 
wrote:

> Hi everyone
>
> this is a second update that takes into account review feedback.
>
> In case the proposal fix is OK what are the next steps to commit this
> change. I'm not sure to really understand the process. Thanks and regards
>

If the fix is good, you receive an ack and a core member of the FreeIPA
team will take your ack'ed patch and push it to the official git repository.

ACK from me

Gabe

Pat
>
>
>

[Freeipa-devel] [PATCH 0069] ipa-nis-manage enable: change service name from 'portmap' to 'rpcbind'

2016-05-03 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5857

Thanks,

Gabe
From 950da9c812a162569379bd9e530977960e9ab7ca Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 3 May 2016 21:33:33 -0600
Subject: [PATCH] ipa-nis-manage enable: change service name from 'portmap' to
 'rpcbind'

https://fedorahosted.org/freeipa/ticket/5857
---
 install/tools/ipa-nis-manage | 21 ++---
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index 3aa1507b205eaa679edebda2a3705b494369abc3..948aa0046b6eeb0f68dd90390eaca6d5b6c8dba3 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -144,19 +144,18 @@ def main():
 retval = 1
 
 # Enable either the portmap or rpcbind service
-try:
-portmap = services.knownservices.portmap
+portmap = services.knownservices.portmap
+rpcbind = services.knownservices.rpcbind
+
+if portmap.is_installed():
 portmap.enable()
 servicemsg = portmap.service_name
-except ipautil.CalledProcessError as cpe:
-if cpe.returncode == 1:
-try:
-rpcbind = services.knownservices.rpcbind
-rpcbind.enable()
-servicemsg = rpcbind.service_name
-except ipautil.CalledProcessError as cpe:
-print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
-retval = 3
+elif rpcbind.is_installed():
+rpcbind.enable()
+servicemsg = rpcbind.service_name
+else:
+print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
+retval = 3
 
 # The cn=config entry for the plugin may already exist but it
 # could be turned off, handle both cases.
-- 
2.5.5


Re: [Freeipa-devel] [PATCH] 0001 provide more information for "ipa cert-revoke -h"

2016-05-03 Thread Gabe Alford
On Tue, May 3, 2016 at 9:35 AM, Patrice Duc-Jacquet <
patrice.duc.jacq...@gmail.com> wrote:

> On 05/03/2016 04:41 PM, Rob Crittenden wrote:
>
> Gabe Alford wrote:
>>
>>> Hello,
>>>
>>> Thank you for your patch as well.
>>>
>>>  >-doc=_('Reason for revoking the certificate (0-10)'),
>>>  >+doc=_('Reason for revoking the certificate (0-10). See
>>> RFC 5280 (paragraph 5.3.1) for reason details'),
>>>
>>> Rather than just specifying the RFC with the paragraph to go look up,
>>> can you either add the revocation options or say something like:
>>>
>>> +doc=_('Reason for revoking the certificate (0-10). See
>>> \'ipa help cert\' for revocation reason details.'),
>>>
>>> IMO, it is a little annoying to go look up revocation reasons when those
>>> reasons can either be added to the help output or exist already in `ipa
>>> help cert`.
>>>
>>
>> FTR I added it to the top level help because the reasons are used in
>> multiple places and didn't want to duplicate them, and adding them to a
>> specific option help would overload it big time IMHO.
>>
>> rob
>>
>> Hi everyone
> thanks for your valuable comments. I fully agree that it is not
> recommended to duplicate this information. So as Rob suggested, I should
> avoid to add this information to cert_revoke option and thus I plan to
> modify the help message as follow:
>
> doc=_('Reason for revoking the certificate (0-10). Type "ipa help cert"
> for reason details'),
>
> Do you agree with that modification? Thanks in advance and regards
>

I think the modification is fine. One nitpick that I would have is to say
"for revocation reason details."  rather than "for reason details."
Also, don't forget a period after the word "details". :)

Gabe



>
> Pat
>

Re: [Freeipa-devel] [PATCH] 0001 provide more information for "ipa cert-revoke -h"

2016-05-03 Thread Gabe Alford
Hello,

Thank you for your patch as well.

>-doc=_('Reason for revoking the certificate (0-10)'),
>+doc=_('Reason for revoking the certificate (0-10). See RFC
5280 (paragraph 5.3.1) for reason details'),

Rather than just specifying the RFC with the paragraph to go look up, can
you either add the revocation options or say something like:

+doc=_('Reason for revoking the certificate (0-10). See \'ipa
help cert\' for revocation reason details.'),

IMO, it is a little annoying to go look up revocation reasons when those
reasons can either be added to the help output or exist already in `ipa
help cert`.

Thanks,

Gabe


On Tue, May 3, 2016 at 8:13 AM, Martin Basti wrote:

>
>
> On 03.05.2016 16:01, Patrice Duc-Jacquet wrote:
>
> Hi everyone
> this is my first patch. So I may have done things not in a proper way.
> Please let me know if something is wrong in the process I followed. With
> regards
>
> Pat
>
>
> Hello,
>
> thank you for your patch. Please remove changes in .po and .pot files from
> the patch, these files are generated automatically from zanata.
>
> thank you
>
> Martin
>
>

[Freeipa-devel] [PATCH 0068] Use ipareplica-ca-install.log instead of ipaserver-ca-install.log

2016-05-03 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5727. Per comment #7, this
removes ipaserver-ca-install.log and uses ipareplica-ca-install.log.

Thanks,

Gabe
From 9f8cb593c1b207d96693879fbd8717a78421e157 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 3 May 2016 07:30:13 -0600
Subject: [PATCH] Use ipareplica-ca-install.log instead of
 ipaserver-ca-install.log

https://fedorahosted.org/freeipa/ticket/5727
---
 install/tools/ipa-ca-install | 2 +-
 ipaplatform/base/paths.py| 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1bc5def03bf687a1e4f9fb38a54363b5429c8fc4..2947009f58ba7ef96ec303e7731dc9b3fdfc8ff2 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -280,7 +280,7 @@ def main():
 cainstance.is_ca_installed_locally()):
 sys.exit("CA is already installed on this host.")
 
-standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
+standard_logging_setup(paths.IPAREPLICA_CA_INSTALL_LOG, debug=options.debug)
 root_logger.debug("%s was invoked with options: %s,%s",
   sys.argv[0], safe_options, filename)
 root_logger.debug("IPA version %s", version.VENDOR_VERSION)
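
Review bot: `standard_logging_setup(paths.IPAREPLICA_CA_INSTALL_LOG, debug=options.debug)` is not conditioned on the host's role in the lines shown, so every `ipa-ca-install` run would be written to a replica-named file. If the tool is not replica-only, a neutrally named constant would avoid sending whoever collects logs to the wrong file. The commit message should also say what becomes of an existing ipaserver-ca-install.log.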
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..6d07621b8c001a6a1bc6baa8e5bcb775136d7a62 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -304,7 +304,6 @@ class BasePathNamespace(object):
 IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
 IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
 IPARESTORE_LOG = "/var/log/iparestore.log"
-IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
 IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
 IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
 IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
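
Review bot: removing `IPASERVER_CA_INSTALL_LOG` from `BasePathNamespace` turns any remaining `paths.IPASERVER_CA_INSTALL_LOG` reference into an AttributeError at run time, and this patch only updates `install/tools/ipa-ca-install`. Confirm with a tree-wide search (platform-specific path overrides, backup and uninstall file lists) that nothing else uses the constant, and note in the commit message that hosts which already have /var/log/ipaserver-ca-install.log keep that file.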
-- 
1.8.3.1


[Freeipa-devel] Possible FreeIPA Trac Malicious Link

2016-04-25 Thread Gabe Alford
Hey all,

This is something we may need to watch for. I noticed that a possible
malicious link was added to the FreeIPA Trac start page. You can view it
here: https://fedorahosted.org/freeipa/wiki/WikiStart?action=diff=22.
I changed it back to the original text before the change. I know that the
389 Trac webpage had issues earlier this year with spam. Just an FYI.

Gabe

[Freeipa-devel] [PATCH 0067-0069] Various IPA log fixes

2016-03-10 Thread Gabe Alford
Hello,

Attached patches fix the following tickets related to IPA log files:

https://fedorahosted.org/freeipa/ticket/5724
https://fedorahosted.org/freeipa/ticket/5726
https://fedorahosted.org/freeipa/ticket/5727

Patch 0067 should be applied first, and patch 0069 applied last.

Thanks,

Gabe
From 5646ee0311e5d9195d5510eb5c20fc9dfa1cb1d7 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 10 Mar 2016 07:08:55 -0700
Subject: [PATCH 1/3] Store IPA logs in one directory - /var/log/ipa

https://fedorahosted.org/freeipa/ticket/5724
---
 freeipa.spec.in   |  2 ++
 ipaplatform/base/paths.py | 26 +-
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9e277020d70215e052ab6c905b1c6a29ae6cdd4d..a3499ea4947c6c89d3ac232ed22fb0eb7ee6bb4d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -828,6 +828,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb
+mkdir -p %{buildroot}/%{_localstatedir}/log/ipa
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
 install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
@@ -1298,6 +1299,7 @@ fi
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
 %ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
 %dir %{_usr}/share/ipa
+%dir %{_localstatedir}/log/ipa
 %dir %{_localstatedir}/lib/ipa-client
 %dir %{_localstatedir}/lib/ipa-client/sysrestore
 %{_mandir}/man5/default.conf.5.gz
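
Review bot: `%dir %{_localstatedir}/log/ipa` carries no `%attr`, and the matching `mkdir -p` in the install section sets no mode, so the new log directory gets whatever the packaging defaults give it. Installer and upgrade logs will be written under it, so set the mode and owner explicitly, for example `%attr(0700,root,root) %dir %{_localstatedir}/log/ipa`, or justify the default. The entry sits beside the ipa-client directories, so also check that the subpackage owning it is installed on every host where a server-side tool logs there.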
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index bdff4f3934f3250bdfef3f913631b98d55d759b6..76a362b1945e6c1fa6554c9859605012b89d0e88 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -294,19 +294,19 @@ class BasePathNamespace(object):
 SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/access"
 SLAPD_INSTANCE_ERROR_LOG_TEMPLATE = "/var/log/dirsrv/slapd-%s/errors"
 VAR_LOG_HTTPD_DIR = "/var/log/httpd"
-IPABACKUP_LOG = "/var/log/ipabackup.log"
-IPACLIENT_INSTALL_LOG = "/var/log/ipaclient-install.log"
-IPACLIENT_UNINSTALL_LOG = "/var/log/ipaclient-uninstall.log"
-IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipareplica-ca-install.log"
-IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
-IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
-IPARESTORE_LOG = "/var/log/iparestore.log"
-IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
-IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
-IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
-IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
-IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
-IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
+IPABACKUP_LOG = "/var/log/ipa/ipabackup.log"
+IPACLIENT_INSTALL_LOG = "/var/log/ipa/ipaclient-install.log"
+IPACLIENT_UNINSTALL_LOG = "/var/log/ipa/ipaclient-uninstall.log"
+IPAREPLICA_CA_INSTALL_LOG = "/var/log/ipa/ipareplica-ca-install.log"
+IPAREPLICA_CONNCHECK_LOG = "/var/log/ipa/ipareplica-conncheck.log"
+IPAREPLICA_INSTALL_LOG = "/var/log/ipa/ipareplica-install.log"
+IPARESTORE_LOG = "/var/log/ipa/iparestore.log"
+IPASERVER_CA_INSTALL_LOG = "/var/log/ipa/ipaserver-ca-install.log"
+IPASERVER_INSTALL_LOG = "/var/log/ipa/ipaserver-install.log"
+IPASERVER_KRA_INSTALL_LOG = "/var/log/ipa/ipaserver-kra-install.log"
+IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipa/ipaserver-kra-uninstall.log"
+IPASERVER_UNINSTALL_LOG = "/var/log/ipa/ipaserver-uninstall.log"
+IPAUPGRADE_LOG = "/var/log/ipa/ipaupgrade.log"
 KADMIND_LOG = "/var/log/kadmind.log"
 MESSAGES = "/var/log/messages"
 VAR_LOG_PKI_DIR = "/var/log/pki/"
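Review bot: The thirteen IPA*_LOG constants now point into /var/log/ipa/, but nothing in this hunk creates that directory, so every tool that opens one of these paths at startup depends on it already existing. Please make sure the packaging owns /var/log/ipa with a restrictive mode (install logs can carry sensitive detail) on client-only installs as well as servers, and update any logrotate rules, SELinux file contexts and documentation that still name the old /var/log/ipa*.log locations.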
-- 
1.8.3.1

From 6d87d26228424b3a4a25dafefdd60359b71043b2 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 10 Mar 2016 07:10:56 -0700
Subject: [PATCH 2/3] Remove unused ipareplica-ca-install.log

https://fedorahosted.org/freeipa/ticket/5727
---
 install/tools/ipa-ca-install | 2 +-
 ipaplatform/base/paths.py| 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1bc5def03bf687a1e4f9fb38a54363b5429c8fc4..cea2f0ddf392f807bd08198c1b8aa3c3e4cca4bc 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -38,7 +38,7 @@ from ipapython.config import IPAOptionParser
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipaplatform.paths import paths
 
-log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
+log_file_name = paths.IPASERVER_CA_INSTALL_LOG
 REPLICA_INFO_TOP_DIR = None
 
 def parse_options():
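Review bot: The subject calls ipareplica-ca-install.log unused, yet the removed line shows ipa-ca-install was writing to paths.IPAREPLICA_CA_INSTALL_LOG until this change. The commit message should say that ipa-ca-install now logs to IPASERVER_CA_INSTALL_LOG, and any man page or troubleshooting text that points users at ipareplica-ca-install.log needs the same update.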
diff --git a/ipaplatform/base/paths.py 

Re: [Freeipa-devel] [PATCH] 950 webui: remove moot error from webui build

2016-01-27 Thread Gabe Alford
Ack. Works as expected.

Gabe

On Wed, Jan 27, 2016 at 7:39 AM, Petr Vobornik  wrote:

> add module 'libs/d3' to a list of modules provided by third party libraries
>
> it is provided by d3 library in libs directory
>
> https://fedorahosted.org/freeipa/ticket/5641
> --
> Petr Vobornik
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Gabe Alford
On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti  wrote:

>
>
> On 26.01.2016 14:55, Petr Spacek wrote:
>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/5634
>>>
>>> Patch attached.
>>>
>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is hit. This
>> needs
>> more investigation because it happens even without this patch :-)
>>
>> I found a different bug there, webUI passes sizelimit: 0 (unlimited), but
> this value is not passed to some searches inside BaseldapSearch which
> raise an error, I will file a ticket and provide details there


Works for me as well. However, it would be nice to have what ipasearchlimit
is limited to in the error message as well. So something like:

"Search result has been truncated, the current search limit is set to 10.
Please increase the search limit."

Does this also address https://fedorahosted.org/freeipa/ticket/4022?

Gabe

Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Gabe Alford
On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 26.01.2016 15:17, Petr Spacek wrote:
>
>> On 26.1.2016 15:06, Martin Basti wrote:
>>
>>>
>>> On 26.01.2016 15:00, Gabe Alford wrote:
>>>
>>>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti <mba...@redhat.com
>>>> <mailto:mba...@redhat.com>> wrote:
>>>>
>>>>
>>>>
>>>>  On 26.01.2016 14:55, Petr Spacek wrote:
>>>>
>>>>  On 26.1.2016 14:02, Martin Basti wrote:
>>>>
>>>>  https://fedorahosted.org/freeipa/ticket/5634
>>>>
>>>>  Patch attached.
>>>>
>>>>  It works for me in API, CLI, and Web UI. The warning is shown
>>>>  as expected.
>>>>
>>>>  Interestingly, Web UI behaves strangely when search limit is
>>>>  hit. This needs
>>>>  more investigation because it happens even without this patch
>>>> :-)
>>>>
>>>>  I found a different bug there, webUI passes sizelimit: 0
>>>>  (unlimited), but this value is not passed to some searches inside
>>>>  BaseldapSearch which raise an error, I will file a ticket and provide
>>>>  details there
>>>>
>>>>
>>>> Works for me as well. However, it would be nice to have what
>>>> ipasearchlimit
>>>> is limited to in the error message as well. So something like:
>>>>
>>> thanks for testing.
>>>
>>> "Search result has been truncated, the current search limit is set to 10.
>>>> Please increase the search limit."
>>>>
>>> Well this is not so easy to achieve in framework, I prefer not to add
>>> number
>>> there, it requires bigger change in framework or an extra ldap search.
>>>
>>>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
>>>>
>>> It should.
>>>
>> Maybe we can use some generic phrase like:
>> "Search result has been truncated to configured search limit."
>> and avoid advice like 'increase search limit' which may not be possible
>> to do,
>> e.g. because user does not have permission to do that etc.
>>
>
Sounds good.



> Updated patch attached.
>

Ack from me.

Re: [Freeipa-devel] [PATCH] 942 webui: add examples to network address validator error message

2015-12-22 Thread Gabe Alford
LGTM.

Gabe

On Tue, Dec 22, 2015 at 6:06 AM, Petr Vobornik  wrote:

> https://fedorahosted.org/freeipa/ticket/5532
> --
> Petr Vobornik
>

Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed

2015-12-09 Thread Gabe Alford
Fixed. Updated patch attached.

On Wed, Dec 9, 2015 at 2:37 AM, Martin Basti <mba...@redhat.com> wrote:

> NACK
>
> Patch contains syntax error, missing brace
>
> ipaserver/install/server/replicainstall.py:850: [E0001(syntax-error), ]
> invalid syntax)
>
> Martin
>
>
> On 09.12.2015 07:08, Jan Cholasta wrote:
>
>> LGTM
>>
>> On 8.12.2015 17:04, Gabe Alford wrote:
>>
>>> Updated patch attached.
>>>
>>> On Tue, Dec 8, 2015 at 8:27 AM, Martin Basti <mba...@redhat.com
>>> <mailto:mba...@redhat.com>> wrote:
>>>
>>>
>>>
>>> On 08.12.2015 16:26, Gabe Alford wrote:
>>>
>>>> Just to confirm:
>>>>
>>>> if server is installed:
>>>>  Let's stop here and not do anything else
>>>>
>>>> if domain level 0:
>>>>  check if client installed and stop here
>>>>
>>>> Right?
>>>>
>>> yes
>>>
>>>
>>>
>>>>
>>>> On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com
>>>> <mailto:jchol...@redhat.com>> wrote:
>>>>
>>>> On 8.12.2015 16:17, Martin Basti wrote:
>>>>
>>>>
>>>>
>>>> On 08.12.2015 16:14, Jan Cholasta wrote:
>>>>
>>>> On 8.12.2015 16:09, Martin Basti wrote:
>>>>
>>>>
>>>>
>>>> On 01.12.2015 14:57, Gabe Alford wrote:
>>>>
>>>> Sorry guys, I forgot to add a meaningful
>>>> subject to this message.
>>>> Ignore the previous thread start.
>>>>
>>>> -- Forwarded message --
>>>> From: *Gabe Alford* <redhatri...@gmail.com
>>>> <mailto:redhatri...@gmail.com>
>>>> <mailto:redhatri...@gmail.com
>>>> <mailto:redhatri...@gmail.com>>>
>>>> Date: Mon, Nov 30, 2015 at 7:31 PM
>>>> Subject: [PATCH 0065]
>>>> To: freeipa-devel <freeipa-devel@redhat.com
>>>> <mailto:freeipa-devel@redhat.com>
>>>> <mailto:freeipa-devel@redhat.com
>>>> <mailto:freeipa-devel@redhat.com>>>
>>>>
>>>>
>>>> Hello,
>>>>
>>>> Patch fix for the following tickets:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5022
>>>> https://fedorahosted.org/freeipa/ticket/5320
>>>>
>>>> Thanks,
>>>>
>>>> Gabe
>>>>
>>>>
>>>>
>>>> ACK
>>>>
>>>>
>>>> NACK, you can't install a server over an already
>>>> installed client,
>>>> thus the original check is correct.
>>>>
>>>> Ahh domain level 0, right, but this check can be added
>>>> before the client
>>>> check.
>>>>
>>>>
>>>> Yes.
>>>>
>>>> With domain level 1, this check should stay there IMO.
>>>>
>>>>
>>>> Yes. It should say "IPA server is already configured" rather
>>>> than "IPA replica is already configured", though.
>>>>
>>>> --
>>>> Jan Cholasta
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
From 41af20d4ef76186f4099858e12e6e954d282f70f Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Wed, 9 Dec 2015 06:41:30 -0700
Subject: [PATCH] ipa-replica-install prints incorrect error message when
 replica is already installed

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320
---
 ipaserver/install/server/replicainstall.py | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4554166752ce4e5db2a98a8f495aa061aec963e9..1f4b133e1a11c915b229514456c8624148a741f1 100644
--- a/ipaserv

Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed

2015-12-08 Thread Gabe Alford
Just to confirm:

if server is installed:
 Let's stop here and not do anything else

if domain level 0:
 check if client installed and stop here

Right?


On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 8.12.2015 16:17, Martin Basti wrote:
>
>>
>>
>> On 08.12.2015 16:14, Jan Cholasta wrote:
>>
>>> On 8.12.2015 16:09, Martin Basti wrote:
>>>
>>>>
>>>>
>>>> On 01.12.2015 14:57, Gabe Alford wrote:
>>>>
>>>>> Sorry guys, I forgot to add a meaningful subject to this message.
>>>>> Ignore the previous thread start.
>>>>>
>>>>> -- Forwarded message --
>>>>> From: *Gabe Alford* <redhatri...@gmail.com
>>>>> <mailto:redhatri...@gmail.com>>
>>>>> Date: Mon, Nov 30, 2015 at 7:31 PM
>>>>> Subject: [PATCH 0065]
>>>>> To: freeipa-devel <freeipa-devel@redhat.com
>>>>> <mailto:freeipa-devel@redhat.com>>
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>> Patch fix for the following tickets:
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5022
>>>>> https://fedorahosted.org/freeipa/ticket/5320
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Gabe
>>>>>
>>>>>
>>>>>
>>>>> ACK
>>>>
>>>
>>> NACK, you can't install a server over an already installed client,
>>> thus the original check is correct.
>>>
>>> Ahh domain level 0, right, but this check can be added before the client
>> check.
>>
>
> Yes.
>
> With domain level 1, this check should stay there IMO.
>>
>
> Yes. It should say "IPA server is already configured" rather than "IPA
> replica is already configured", though.
>
> --
> Jan Cholasta
>

Re: [Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed

2015-12-08 Thread Gabe Alford
Updated patch attached.

On Tue, Dec 8, 2015 at 8:27 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 08.12.2015 16:26, Gabe Alford wrote:
>
> Just to confirm:
>
> if server is installed:
>  Let's stop here and not do anything else
>
> if domain level 0:
>  check if client installed and stop here
>
> Right?
>
> yes
>
>
>
>
> On Tue, Dec 8, 2015 at 8:20 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>
>> On 8.12.2015 16:17, Martin Basti wrote:
>>
>>>
>>>
>>> On 08.12.2015 16:14, Jan Cholasta wrote:
>>>
>>>> On 8.12.2015 16:09, Martin Basti wrote:
>>>>
>>>>>
>>>>>
>>>>> On 01.12.2015 14:57, Gabe Alford wrote:
>>>>>
>>>>>> Sorry guys, I forgot to add a meaningful subject to this message.
>>>>>> Ignore the previous thread start.
>>>>>>
>>>>>> -- Forwarded message --
>>>>>> From: *Gabe Alford* <redhatri...@gmail.com
>>>>>> <mailto:redhatri...@gmail.com>>
>>>>>> Date: Mon, Nov 30, 2015 at 7:31 PM
>>>>>> Subject: [PATCH 0065]
>>>>>> To: freeipa-devel <freeipa-devel@redhat.com
>>>>>> <mailto:freeipa-devel@redhat.com>>
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Patch fix for the following tickets:
>>>>>>
>>>>>> https://fedorahosted.org/freeipa/ticket/5022
>>>>>> https://fedorahosted.org/freeipa/ticket/5320
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Gabe
>>>>>>
>>>>>>
>>>>>>
>>>>>> ACK
>>>>>
>>>>
>>>> NACK, you can't install a server over an already installed client,
>>>> thus the original check is correct.
>>>>
>>>> Ahh domain level 0, right, but this check can be added before the client
>>> check.
>>>
>>
>> Yes.
>>
>> With domain level 1, this check should stay there IMO.
>>>
>>
>> Yes. It should say "IPA server is already configured" rather than "IPA
>> replica is already configured", though.
>>
>> --
>> Jan Cholasta
>>
>
>
>
From 340a1316d8a71a4a3d7246fa87d2307f34484776 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 8 Dec 2015 08:58:56 -0700
Subject: [PATCH] ipa-replica-install prints incorrect error message when
 replica is already installed

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320
---
 ipaserver/install/server/replicainstall.py | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 4554166752ce4e5db2a98a8f495aa061aec963e9..e3f061a171e48f060464ef8e32630c8ca394c0b8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -31,9 +31,8 @@ from ipaserver.install import (
 bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
 installutils, kra, krainstance, krbinstance, memcacheinstance,
 ntpinstance, otpdinstance, custodiainstance, service)
-from ipaserver.install.installutils import create_replica_config
-from ipaserver.install.installutils import ReplicaConfig
-from ipaserver.install.installutils import load_pkcs12
+from ipaserver.install.installutils import (
+create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
 import SSSDConfig
@@ -423,6 +422,11 @@ def install_check(installer):
 
 tasks.check_selinux_status()
 
+if is_ipa_configured():
+sys.exit("IPA server is already configured on this system.\n"
+ "If you want to reinstall the IPA server, please uninstall "
+ "it first using 'ipa-server-install --uninstall'.")
+
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 if client_fstore.has_files():
 sys.exit("IPA client is already configured on this system.\n"
@@ -828,6 +832,11 @@ def promote_check(installer):
 
 tasks.check_selinux_status()
 
+if is_ipa_configured():
+sys.exit("IPA server is already configured on this system.\n"
+ "If you want to reinstall the IPA server, please uninstall "
+ "it first using 'ipa-server-install --uninstall'."
+
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 if not client_fstore.has_files():
 ensure_enrolled(installer)
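Review bot: The sys.exit( call added in promote_check is never closed: its last line ends at `--uninstall'."` with no `)`, so replicainstall.py fails to parse. Add the closing parenthesis as in the install_check hunk. Since both functions now carry the same three-line message, a small shared helper would keep the two copies from drifting apart.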
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0065]

2015-12-07 Thread Gabe Alford
Bump for review.

On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford <redhatri...@gmail.com> wrote:

> Hello,
>
> Patch fix for the following tickets:
>
> https://fedorahosted.org/freeipa/ticket/5022
> https://fedorahosted.org/freeipa/ticket/5320
>
> Thanks,
>
> Gabe
>

Re: [Freeipa-devel] [PATCH 0065]

2015-12-07 Thread Gabe Alford
Yup you are right. I meant to bump the other one.

> It is on my TODO list.
Awesome.

On Mon, Dec 7, 2015 at 7:20 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 07.12.2015 14:55, Gabe Alford wrote:
>
> Bump for review.
>
> On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford <redhatri...@gmail.com>
> wrote:
>
>> Hello,
>>
>> Patch fix for the following tickets:
>>
>> https://fedorahosted.org/freeipa/ticket/5022
>> https://fedorahosted.org/freeipa/ticket/5320
>>
>> Thanks,
>>
>> Gabe
>>
>
>
>
> Hello, IIRC you said that we should ignore this in thread
> [PATCH 0065] ipa-replica-install prints incorrect error message when
> replica is already installed
>
> It is on my TODO list.
>
> Martin^2
>

Re: [Freeipa-devel] [PATCH 0066] Migrate wget references to curl

2015-12-04 Thread Gabe Alford
My bad. Copy and paste error. Updated patch attached.

Thanks,

Gabe

On Fri, Dec 4, 2015 at 12:17 PM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 01.12.2015 15:00, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5458
>
> Thanks,
>
> Gabe
>
>
> Hello,
>
> I haven't looked closer, but your patch is causing this:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [9/27]: creating RA agent certificate database
>   [10/27]: importing CA chain to RA certificate database
>   [11/27]: fixing RA database permissions
>   [12/27]: setting up signing cert profile
>   [13/27]: setting audit signing renewal to 2 years
>   [14/27]: restarting certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [15/27]: requesting RA certificate from CA
>   [16/27]: issuing RA agent certificate
>   [17/27]: adding RA agent as a trusted user
>   [18/27]: authorizing RA to modify profiles
>   [19/27]: configure certmonger for renewals
>   [20/27]: configure certificate renewals
>   [21/27]: configure RA certificate renewal
>   [22/27]: configure Server-Cert certificate renewal
>   [23/27]: Configure HTTP to proxy connections
>   [24/27]: restarting certificate server
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [25/27]: migrating certificate profiles to LDAP
>   [26/27]: importing IPA certificate profiles
>   [27/27]: adding default CA ACL
>
>
> CA is operational and ready, but IPA installer is not able to detect it
> correctly
>
> 2015-12-04T19:08:54Z DEBUG stderr=curl: option --connect-timeout 30: is
> unknown
> curl: try 'curl --help' or 'curl --manual' for more information
>
> Martin^2
>
From bbeac791988e3bc9a2dc98b9d782b397baab4ba1 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Fri, 4 Dec 2015 14:52:03 -0700
Subject: [PATCH] Migrate wget references and usage to curl

https://fedorahosted.org/freeipa/ticket/5458
---
 freeipa.spec.in|  4 ++--
 ipa-client/ipa-install/ipa-client-install  |  2 +-
 ipaplatform/base/paths.py  |  2 +-
 ipaplatform/redhat/services.py |  8 
 ipaserver/advise/plugins/legacy_clients.py | 14 +++---
 ipatests/test_integration/test_advise.py   | 10 +-
 6 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b63f363773b6ca1b0969fa56b369a94092f..0d022a915bb89245c96ab9c02e10a41b38646a9c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -262,7 +262,7 @@ Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
-Requires: wget
+Requires: curl
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.13.1
@@ -330,7 +330,7 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: wget
+Requires: curl
 Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 974dd1da8bf3f5836170ca67d2f4c298e7ec6844..20c9b05532c10b1c5789f26f87c2aebfc9a859b3 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1922,7 +1922,7 @@ def get_ca_certs_from_http(url, warn=True):
 root_logger.debug("trying to retrieve CA cert via HTTP from %s", url)
 try:
 
-stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url])
+stdout, stderr, rc = run([paths.BIN_CURL, "-o", "-", url])
 except CalledProcessError as e:
 raise errors.NoCertificateError(entry=url)
 
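Review bot: In get_ca_certs_from_http the curl call has no -f/--fail, so an HTTP error response no longer produces a non-zero exit: wget exits non-zero on a 404 or 500, while plain curl exits 0 and writes the error page to stdout. The except CalledProcessError branch then never fires for those cases and the error body is handed on as if it were the CA certificate. Pass "-f" (and "-s" to keep the progress meter out of stderr) ahead of "-o", "-", or check the HTTP status explicitly.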
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ee488f9fdef19cb409752d66775bcbee6665ba8..762a38136e6c612767705389ee667b6f2ddab397 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -179,7 +179,7 @@ class BasePathNamespace(object):
 SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
 BIN_TIMEOUT = "/usr/bi

[Freeipa-devel] [PATCH 0066] Migrate wget references to curl

2015-12-01 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5458

Thanks,

Gabe
From 490bb5aceb2c1ea3385c15bb85aea5c29c77f70b Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 1 Dec 2015 06:45:59 -0700
Subject: [PATCH] Migrate wget references and usage to curl

https://fedorahosted.org/freeipa/ticket/5458
---
 freeipa.spec.in|  4 ++--
 ipa-client/ipa-install/ipa-client-install  |  2 +-
 ipaplatform/base/paths.py  |  2 +-
 ipaplatform/redhat/services.py |  8 
 ipaserver/advise/plugins/legacy_clients.py | 14 +++---
 ipatests/test_integration/test_advise.py   | 10 +-
 6 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b63f363773b6ca1b0969fa56b369a94092f..0d022a915bb89245c96ab9c02e10a41b38646a9c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -262,7 +262,7 @@ Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
-Requires: wget
+Requires: curl
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.13.1
@@ -330,7 +330,7 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: wget
+Requires: curl
 Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 05a550b11e74db84e46a126798c4db728226865c..2437bb0bc8247a447da99e663bdf39b9fd8cfa61 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1919,7 +1919,7 @@ def get_ca_certs_from_http(url, warn=True):
 root_logger.debug("trying to retrieve CA cert via HTTP from %s", url)
 try:
 
-stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url])
+stdout, stderr, rc = run([paths.BIN_CURL, "-o", "-", url])
 except CalledProcessError as e:
 raise errors.NoCertificateError(entry=url)
 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ee488f9fdef19cb409752d66775bcbee6665ba8..762a38136e6c612767705389ee667b6f2ddab397 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -179,7 +179,7 @@ class BasePathNamespace(object):
 SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
 BIN_TIMEOUT = "/usr/bin/timeout"
 UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
-BIN_WGET = "/usr/bin/wget"
+BIN_CURL = "/usr/bin/curl"
 ZIP = "/usr/bin/zip"
 BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
 BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 0902215a56191032a1a65d0c2d05ddd5b7dab67f..7f9e85e37f8f6aac3d20874e04fe5576ed426e3c 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -213,10 +213,10 @@ class RedHatCAService(RedHatService):
 }
 
 args = [
-paths.BIN_WGET,
-'-S', '-O', '-',
-'--timeout=30',
-'--no-check-certificate',
+paths.BIN_CURL,
+'-i', '-o', '-',
+'--connect-timeout 30',
+'-k',
 url
 ]
 
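Review bot: '--connect-timeout 30' is passed as one argv element, so curl sees an option literally named "--connect-timeout 30" and rejects it; split it into '--connect-timeout', '30'. Two behaviour changes also need a decision: wget's --timeout=30 bounded DNS, connect and read time, whereas --connect-timeout only bounds the connection phase (add --max-time if a hung CA must not stall the status check), and -S sent the response headers to stderr while -i puts them into stdout ahead of the body, which whatever parses this output has to expect. -k keeps certificate verification off as --no-check-certificate did; a comment saying why that is acceptable for this status probe would help.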
diff --git a/ipaserver/advise/plugins/legacy_clients.py b/ipaserver/advise/plugins/legacy_clients.py
index e673cb45f58901ddee70a0ec6cea62531bba965b..b6e1fc5a1549787fbe2805b0297d79211ae21d77 100644
--- a/ipaserver/advise/plugins/legacy_clients.py
+++ b/ipaserver/advise/plugins/legacy_clients.py
@@ -51,13 +51,13 @@ class config_base_legacy_client(Advice):
 'cacertdir_rehash?format=txt')
 self.log.comment('Download the CA certificate of the IPA server')
 self.log.command('mkdir -p -m 755 /etc/openldap/cacerts')
-self.log.command('wget http://%s/ipa/config/ca.crt -O '
+self.log.command('curl http://%s/ipa/config/ca.crt -o '
  '/etc/openldap/cacerts/ipa.crt\n' % api.env.host)
 
 self.log.comment('Generate hashes for the openldap library')
 self.log.command('command -v cacertdir_rehash')
 self.log.command('if [ $? -ne 0 ] ; then')
-self.log.command(' wget "%s" -O cacertdir_rehash ;' % cacertdir_rehash)
+self.log.command(' curl "%s" -o cacertdir_rehash ;' % cacertdir_rehash)
 self.log.command(' chmod 755 ./cacertdir_rehash ;')
 self.log.command(' ./cacertdir_rehash /etc/openldap/cacerts/ ;')
 self.log.command('else')
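Review bot: The two generated curl commands lack -L, and unlike wget curl does not follow redirects by default. If either URL answers with a 3xx, the redirect body is what gets saved, and for cacertdir_rehash that file is then made executable and run by the lines that follow. Emit curl -L in both self.log.command strings, together with -f so that an HTTP error stops the advice script instead of leaving an error page in ipa.crt or cacertdir_rehash.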
@@ -98,7 +98,7 @@ class config_redhat_sssd_before_1_9(config_base_legacy_client):
 self.check_compat_plugin()
 
 self.log.comment('Install required packages via yum')
-self.log.command('yum install -y sssd authconfig wget openssl\n')
+self.log.command('yum install -y sssd authconfig curl openssl\n')
 
 

[Freeipa-devel] [PATCH 0065] ipa-replica-install prints incorrect error message when replica is already installed

2015-12-01 Thread Gabe Alford
Sorry guys, I forgot to add a meaningful subject to this message. Ignore
the previous thread start.

-- Forwarded message --
From: Gabe Alford <redhatri...@gmail.com>
Date: Mon, Nov 30, 2015 at 7:31 PM
Subject: [PATCH 0065]
To: freeipa-devel <freeipa-devel@redhat.com>


Hello,

Patch fix for the following tickets:

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320

Thanks,

Gabe
From 3e0a6c556a3402bbd0e15a6f113498aae27e2cf4 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Mon, 30 Nov 2015 18:42:14 -0700
Subject: [PATCH] ipa-replica-install prints incorrect error message when
 replica is already installed

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320
---
 ipaserver/install/server/replicainstall.py | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e6d96bbe62c6960ebe94c529a8dac9dd0468d734..51d4e95dd0e4174ced2f18ec278871138a9c3bc3 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -30,8 +30,8 @@ from ipaserver.install import (
 bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
 installutils, kra, krainstance, krbinstance, memcacheinstance,
 ntpinstance, otpdinstance, custodiainstance, service)
-from ipaserver.install.installutils import create_replica_config
-from ipaserver.install.installutils import ReplicaConfig
+from ipaserver.install.installutils import (
+create_replica_config, is_ipa_configured, ReplicaConfig)
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
 import SSSDConfig
@@ -405,11 +405,10 @@ def install_check(installer):
 
 tasks.check_selinux_status()
 
-client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-if client_fstore.has_files():
-sys.exit("IPA client is already configured on this system.\n"
- "Please uninstall it first before configuring the replica, "
- "using 'ipa-client-install --uninstall'.")
+if is_ipa_configured():
+sys.exit("IPA replica is already configured on this system.\n"
+ "If you want to reinstall the IPA replica, please uninstall "
+ "it first using 'ipa-server-install --uninstall'.")
 
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
 
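Review bot: Deleting the client_fstore.has_files() check from install_check removes the guard against running the replica install on a host that is already enrolled as a client, and nothing in this hunk shows is_ipa_configured() covering that case. Keep the client check and put the new is_ipa_configured() check in front of it, so an installed server gets the new message and an enrolled client still gets the old one.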
@@ -759,6 +758,11 @@ def promote_check(installer):
 
 tasks.check_selinux_status()
 
+if is_ipa_configured():
+sys.exit("IPA replica is already configured on this system.\n"
+ "If you want to reinstall the IPA replica, please uninstall "
+ "it first using 'ipa-server-install --uninstall'.")
+
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 if not client_fstore.has_files():
 sys.exit("IPA client is not configured on this system.\n"
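Review bot: The exit text added in promote_check says "IPA replica is already configured" while the command it recommends is 'ipa-server-install --uninstall'; name the installed component the same way in both halves of the message, for example "IPA server is already configured". The install_check hunk adds the identical three lines, so change both together or move the text into one shared constant.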
-- 
2.5.0


[Freeipa-devel] [PATCH 0065]

2015-11-30 Thread Gabe Alford
Hello,

Patch fix for the following tickets:

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320

Thanks,

Gabe
From 3e0a6c556a3402bbd0e15a6f113498aae27e2cf4 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Mon, 30 Nov 2015 18:42:14 -0700
Subject: [PATCH] ipa-replica-install prints incorrect error message when
 replica is already installed

https://fedorahosted.org/freeipa/ticket/5022
https://fedorahosted.org/freeipa/ticket/5320
---
 ipaserver/install/server/replicainstall.py | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index e6d96bbe62c6960ebe94c529a8dac9dd0468d734..51d4e95dd0e4174ced2f18ec278871138a9c3bc3 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -30,8 +30,8 @@ from ipaserver.install import (
 bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
 installutils, kra, krainstance, krbinstance, memcacheinstance,
 ntpinstance, otpdinstance, custodiainstance, service)
-from ipaserver.install.installutils import create_replica_config
-from ipaserver.install.installutils import ReplicaConfig
+from ipaserver.install.installutils import (
+create_replica_config, is_ipa_configured, ReplicaConfig)
 from ipaserver.install.replication import (
 ReplicationManager, replica_conn_check)
 import SSSDConfig
@@ -405,11 +405,10 @@ def install_check(installer):
 
 tasks.check_selinux_status()
 
-client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-if client_fstore.has_files():
-sys.exit("IPA client is already configured on this system.\n"
- "Please uninstall it first before configuring the replica, "
- "using 'ipa-client-install --uninstall'.")
+if is_ipa_configured():
+sys.exit("IPA replica is already configured on this system.\n"
+ "If you want to reinstall the IPA replica, please uninstall "
+ "it first using 'ipa-server-install --uninstall'.")
 
 sstore = sysrestore.StateFile(paths.SYSRESTORE)
 
@@ -759,6 +758,11 @@ def promote_check(installer):
 
 tasks.check_selinux_status()
 
+if is_ipa_configured():
+sys.exit("IPA replica is already configured on this system.\n"
+ "If you want to reinstall the IPA replica, please uninstall "
+ "it first using 'ipa-server-install --uninstall'.")
+
 client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
 if not client_fstore.has_files():
 sys.exit("IPA client is not configured on this system.\n"
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp support and restrict, mechanism to krb5

2015-11-25 Thread Gabe Alford
Bump for push. May need a rebase.

On Wed, Jul 22, 2015 at 7:49 AM, Simo Sorce  wrote:

> - Original Message -
> > From: "Christian Heimes" 
> > To: "freeipa-devel" 
> > Sent: Wednesday, July 22, 2015 9:32:59 AM
> > Subject: [Freeipa-devel] [PATCH 0015] mod_auth_gssapi: Remove ntlmssp
> support and restrict, mechanism to krb5
> >
> > By default mod_auth_gssapi allows all locally available mechanisms. If
> > the gssntlmssp package is installed, it also offers ntlmssp.  This has
> > the annoying side effect that some browser will pop up a
> > username/password request dialog if no Krb5 credentials are available.
> >
> > The patch restricts the mechanism to krb5 and removes ntlmssp and
> > iakerb support from Apache's ipa.conf.
> >
> > The new feature was added to mod_auth_gssapi 1.3.0.
> >
> > https://fedorahosted.org/freeipa/ticket/5114
>
> LGTM
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc. * New York
>

Re: [Freeipa-devel] [PATCH 0384] ipa-client-automount: Leverage IPAChangeConf to configure the idmapd

2015-11-25 Thread Gabe Alford
Ack.

Gabe

On Wed, Nov 11, 2015 at 7:22 AM, Tomas Babej  wrote:

> Hi,
>
> Simple regexp substitution caused that the domain directive fell under
> an inappropriate section, if the domain directive was not present. Hence
> the idmapd.conf file was not properly parsed.
>
> Use IPAChangeConf to put the directive in its correct place even if
> the domain directive is missing.
>
> https://fedorahosted.org/freeipa/ticket/5069
>

[Freeipa-devel] [PATCH 0064] Check if IPA is configured before attempting a winsync migration

2015-11-20 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5470

Thanks,

Gabe
From 9e9b8813d069b3a65e16ef90a602bf35feade9c9 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 20 Nov 2015 07:54:30 -0700
Subject: [PATCH] Check if IPA is configured before attempting a winsync
 migration

https://fedorahosted.org/freeipa/ticket/5470
---
 ipaserver/install/ipa_winsync_migrate.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 87e23fb3698bac0a0371a198d95994ed921ee011..6996c7fbd7954245bb5aabb5fad0d31103e3517f 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -29,7 +29,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import realm_to_suffix, posixify
 from ipapython.ipa_log_manager import log_mgr
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import replication
+from ipaserver.install import replication, installutils
 
 if six.PY3:
 unicode = str
@@ -344,6 +344,13 @@ class WinsyncMigrate(admintool.AdminTool):
 api.bootstrap(in_server=True, context='server')
 api.finalize()
 
+# Check if the IPA server is configured before attempting to migrate
+try:
+installutils.check_server_configuration()
+except RuntimeError as e:
+sys.exit(e)
+
+
 # Setup LDAP connection
 try:
 api.Backend.ldap2.connect()
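
Review bot: the new block ends with two added blank lines (the last two '+' lines) where the rest of the method separates steps with one; drop one of them. sys.exit(e) also depends on sys being imported in this module, which the import hunk above does not show, and it relies on sys.exit printing the exception object to stderr; sys.exit(str(e)) makes that intent explicit.
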
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0064] Check if IPA is configured before attempting a winsync migration

2015-11-20 Thread Gabe Alford
Thanks. Updated patch attached.


Gabe

On Fri, Nov 20, 2015 at 10:36 AM, Martin Babinsky <mbabi...@redhat.com>
wrote:

> On 11/20/2015 04:02 PM, Gabe Alford wrote:
>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5470
>>
>> Thanks,
>>
>> Gabe
>>
>>
>> Hi Gabe,
>
> patch looks good. IMHO it would be better if you moved the check before
> API initialization like so:
>
> """
> @@ -340,6 +340,12 @@ class WinsyncMigrate(admintool.AdminTool):
>  the plumbing.
>  """
>
> +# Check if the IPA server is configured before attempting to
> migrate
> +try:
> +installutils.check_server_configuration()
> +except RuntimeError as e:
> +sys.exit(e)
> +
>  # Finalize API
>  api.bootstrap(in_server=True, context='server')
>  api.finalize()
> """
>
> There's no point in initializing API if there is no server installed.
>
> --
> Martin^3 Babinsky
>
From 62c89fb0bf760bf721d15a309497635a45a98077 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Fri, 20 Nov 2015 11:06:55 -0700
Subject: [PATCH] Check if IPA is configured before attempting a winsync
 migration

https://fedorahosted.org/freeipa/ticket/5470
---
 ipaserver/install/ipa_winsync_migrate.py | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 87e23fb3698bac0a0371a198d95994ed921ee011..bbd029c81e7a093b3559e374189b79d12395b79c 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -29,7 +29,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import realm_to_suffix, posixify
 from ipapython.ipa_log_manager import log_mgr
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import replication
+from ipaserver.install import replication, installutils
 
 if six.PY3:
 unicode = str
@@ -340,6 +340,12 @@ class WinsyncMigrate(admintool.AdminTool):
 the plumbing.
 """
 
+# Check if the IPA server is configured before attempting to migrate
+try:
+installutils.check_server_configuration()
+except RuntimeError as e:
+sys.exit(e)
+
 # Finalize API
 api.bootstrap(in_server=True, context='server')
 api.finalize()
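
Review bot: with the check now ahead of api.bootstrap(), installutils.check_server_configuration() must not depend on an initialized api; worth confirming, since nothing in the visible lines shows what it reads. The failure path also leaves through a bare sys.exit(e) inside an admintool.AdminTool subclass: if the base class has its own error-reporting path (a script-error exception that gets logged), raising that would put the message in the tool's log as well as on stderr.
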
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1

2015-11-12 Thread Gabe Alford
Yeah. That's better. Thanks, Martin. Ack.



On Thu, Nov 12, 2015 at 6:02 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 09.11.2015 14:37, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5424
>
> thanks,
>
> Gabe
>
>
> Thank you for your patch, almost ACK, but I propose following changes
> (patch attached) in error message.
>
> Let me know if you agree with the change.
>
> Martin
>

Re: [Freeipa-devel] [PATCH 0064-0065] ipa-dns-install offers IP addresses from resolv.conf as default forwarder

2015-11-10 Thread Gabe Alford
Does this also fix https://fedorahosted.org/freeipa/ticket/3926?

On Tue, Nov 10, 2015 at 8:58 AM, Petr Spacek  wrote:

> Hello,
>
> Patch 64:
> ipa-dns-install offer IP addresses from resolv.conf as default forwarders
>
> In non-interactive mode option --auto-forwarders can be used to do the
> same. --forward option can be used to supply additional IP addresses.
>
> https://fedorahosted.org/freeipa/ticket/5438
>
>
> Patch 65:
> Remove global variable dns_forwarders from ipaserver.install.dns
> It seems to me that the global thingy is not necessary, so I've ripped it
> out.
>
> --
> Petr^2 Spacek
>

Re: [Freeipa-devel] [PATCH 0343] Upgrade: enable custodia service during upgrade

2015-11-09 Thread Gabe Alford
Ack.

Thanks,

Gabe

On Tue, Nov 3, 2015 at 11:18 AM, Martin Basti  wrote:

> https://fedorahosted.org/freeipa/ticket/5429
>
> Patch attached.
>

[Freeipa-devel] [PATCH 0063] ipa-replica-manage del continues when host does not exist in domain level 1

2015-11-09 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5424

thanks,

Gabe
From f2f0deee5ca743518d97efe4f01cc22c0672e87a Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Sun, 8 Nov 2015 17:18:17 -0700
Subject: [PATCH] ipa-replica-manage del continues when host does not exist in
 domain level 1

- Raises error and stops operation unless --cleanup is specified.

https://fedorahosted.org/freeipa/ticket/5424
---
 install/tools/ipa-replica-manage | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index b9998da44dcc1f01c5eb342ee713634de0ee84ee..ccd48eb635a27b5752484ce68b094c2daf7291fa 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -740,7 +740,12 @@ def del_master_managed(realm, hostname, options):
 try:
 api.Command.server_del(hostname_u)
 except errors.NotFound:
-print("Server entry already deleted: %s" % (hostname))
+if not options.cleanup:
+print("%s does not exist. Please specify an actual server or add" \
+  " the\n--cleanup option to force clean up." % (hostname))
+sys.exit(1)
+else:
+print("Server entry already deleted: %s" % (hostname))
 
 # 6. Cleanup
 try:
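
Review bot: in the "if not options.cleanup:" branch the error text goes to stdout through print() and the tool then exits with sys.exit(1); passing the message to sys.exit() sends it to stderr and sets the exit status in one call. The backslash after the first string literal is unnecessary because the literals already sit inside the parentheses of the call. The branch would also read more directly as "if options.cleanup:" for the "already deleted" case, with the error in the else.
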
-- 
2.5.0


[Freeipa-devel] [PATCH 0062] custodia: ipa-upgrade failed on replica

2015-11-04 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5374. I could reproduce it
as the Custodia update file was missing from the updates Makefile which in
turn was not being packaged into the rpms.

Thanks,

Gabe
From 871822779696ece33f36e6940ecc96fc090b7ea2 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 4 Nov 2015 19:09:58 -0700
Subject: [PATCH] custodia: ipa-upgrade failed on replica

- Add 73-custodia.update to install/updates/Makefile.am

https://fedorahosted.org/freeipa/ticket/5374
---
 install/updates/Makefile.am | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 04ddeb96de4e88d5909f13b13885d3207184e798..6c8fa11e57a7d2119f837932e72ac13b6224aca7 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -51,6 +51,7 @@ app_DATA =\
 	62-ranges.update		\
 	71-idviews.update		\
 	72-domainlevels.update		\
+	73-custodia.update		\
 	73-winsync.update		\
 	90-post_upgrade_plugins.update	\
 	$(NULL)
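
Review bot: the commit message only says that 73-custodia.update is added to Makefile.am; the reason given in the cover mail (the file was missing from the updates Makefile and so was not packaged into the rpms) belongs in the commit message too, where later readers will look for it. The new entry shares the 73- prefix with 73-winsync.update; if update files are applied in file-name order, confirm that custodia running before winsync is intended.
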
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file

2015-10-30 Thread Gabe Alford
Can do Alexander. Here is the updated patch.


Gabe

On Fri, Oct 30, 2015 at 12:56 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Thu, 29 Oct 2015, Gabe Alford wrote:
>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5418
>>
> ACK but can you please add something like this in the commit message:
>
> 
> Remove lockout policy update file because all currently supported
> FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and
> krbPwdLockoutDuration defaulting to 600.
>
> Keeping lockout policy update file prevents from creating a more strict
> policy in environments where it is subject to regulatory compliance.
> 
>
>
>> Thanks,
>>
>> Gabe
>>
>
> From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001
>> From: Gabe <redhatri...@gmail.com>
>> Date: Thu, 29 Oct 2015 20:30:35 -0600
>> Subject: [PATCH] Remove 50-lockout-policy.update file
>>
>> https://fedorahosted.org/freeipa/ticket/5418
>> ---
>> install/updates/50-lockout-policy.update | 4 
>> install/updates/Makefile.am  | 1 -
>> 2 files changed, 5 deletions(-)
>> delete mode 100644 install/updates/50-lockout-policy.update
>>
>> diff --git a/install/updates/50-lockout-policy.update
>> b/install/updates/50-lockout-policy.update
>> deleted file mode 100644
>> index
>> a5730709e2b649466118502ece1cc530c10e0b40..
>> --- a/install/updates/50-lockout-policy.update
>> +++ /dev/null
>> @@ -1,4 +0,0 @@
>> -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> -replace:krbPwdLockoutDuration:10::600
>> -replace: krbPwdMaxFailure:3::6
>> -
>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
>> index
>> 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798
>> 100644
>> --- a/install/updates/Makefile.am
>> +++ b/install/updates/Makefile.am
>> @@ -39,7 +39,6 @@ app_DATA =\
>> 45-roles.update \
>> 50-7_bit_check.update   \
>> 50-dogtag10-migration.update\
>> -   50-lockout-policy.update\
>> 50-groupuuid.update \
>> 50-hbacservice.update   \
>> 50-krbenctypes.update   \
>> --
>> 2.4.3
>>
>>
>
>
> --
> / Alexander Bokovoy
>
From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Fri, 30 Oct 2015 06:27:11 -0600
Subject: [PATCH] Remove 50-lockout-policy.update file

Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.

Keeping lockout policy update file prevents from creating a more strict policy in
environments subject to regulatory compliance

https://fedorahosted.org/freeipa/ticket/5418
---
 install/updates/50-lockout-policy.update | 4 
 install/updates/Makefile.am  | 1 -
 2 files changed, 5 deletions(-)
 delete mode 100644 install/updates/50-lockout-policy.update

diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update
deleted file mode 100644
index a5730709e2b649466118502ece1cc530c10e0b40..
--- a/install/updates/50-lockout-policy.update
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-replace:krbPwdLockoutDuration:10::600
-replace: krbPwdMaxFailure:3::6
-
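
Review bot: both removed directives are conditional replacements, krbPwdLockoutDuration:10::600 and krbPwdMaxFailure:3::6, so the file only rewrote the old values 10 and 3. The commit message says all currently supported versions already default to 6 and 600 but does not name the oldest version an upgrade can start from; add that, so it is clear that no supported upgrade path still carries the old values in cn=global_policy and depends on this file.
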
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -39,7 +39,6 @@ app_DATA =\
 	45-roles.update			\
 	50-7_bit_check.update	\
 	50-dogtag10-migration.update	\
-	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
 	50-krbenctypes.update		\
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Gabe Alford
Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect firewall requirements.
The firewall section seems a little rough, so let me know what you think it
would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek <pspa...@redhat.com> wrote:

> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
> >>>> Hello,
> >>>>
> >>>> Fix for https://fedorahosted.org/freeipa/ticket/5414
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Gabe
> >>>
> >>>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
> >>>> From: Gabe <redhatri...@gmail.com>
> >>>> Date: Thu, 29 Oct 2015 20:28:27 -0600
> >>>> Subject: [PATCH] Incomplete ports for IPA AD Trust
> >>>>
> >>>> https://fedorahosted.org/freeipa/ticket/5414
> >>>> ---
> >>>> install/tools/ipa-adtrust-install | 1 +
> >>>> 1 file changed, 1 insertion(+)
> >>>>
> >>>> diff --git a/install/tools/ipa-adtrust-install
> >>>> b/install/tools/ipa-adtrust-install
> >>>> index
> >>>>
> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> >>>>
> >>>> 100755
> >>>> --- a/install/tools/ipa-adtrust-install
> >>>> +++ b/install/tools/ipa-adtrust-install
> >>>> @@ -472,6 +472,7 @@ Setup complete
> >>>>
> >>>> You must make sure these network ports are open:
> >>>> \tTCP Ports:
> >>>> +\t  * 135: epmap
> >>>> \t  * 138: netbios-dgm
> >>>> \t  * 139: netbios-ssn
> >>>> \t  * 445: microsoft-ds
> >>> This is good but not complete. What end-point mapper does is creating a
> >>> listener based on the incoming request and access to the listener needs
> >>> to be provided as well. A listener is created currently in the range of
> >>> 1024..1300/TCP but we already have request to make this range
> >>> configurable (it is hard coded right now in Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking to add a call out hook on Samba side to call
> >>> firewall-related script that could do hole punching on demand but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install, is to add section about
> TCP/UDP
> >>> ports to the manual page and explicitly reference that one in case of
> >>> epmap line:
> >>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have the firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put current range
> >> 1024..1300/TCP to the installer now and do other changes as Samba
> evolves? I
> >> think that it is good enough as a hotfix and that we do not need to
> >> over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
>
> Thanks for clarification, I was under the impression that you wanted to
> put it
> only into the man page :-)
>
> --
> Petr^2 Spacek
>
From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Fri, 30 Oct 2015 09:11:00 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/5414
---
 install/tools/ipa-adtrust-install   |  4 
 install/tools/man/ipa-adtrust-install.1 | 25 +
 2 files changed, 29 insertions(+)

diff --git a/install/tools/ipa-adtrus

Re: [Freeipa-devel] [PATCH 0058] interactive installer does not ignore leading/trailing whitespace

2015-10-29 Thread Gabe Alford
My bad Martin^2. Here is an updated patch.

Gabe

On Thu, Oct 29, 2015 at 7:14 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 28.10.2015 02:35, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5355
>
> Thanks,
>
> Gabe
>
>
> Thank you Gabe, but patch needs more work to be complete:
>
> Bool and integer choices also need to strip whitespaces, see below:
>
> Do you want to configure DNS forwarders? [yes]:   no
> Do you want to configure DNS forwarders? [yes]:   no
> Do you want to configure DNS forwarders? [yes]:   no
> Do you want to configure DNS forwarders? [yes]: no
> No DNS forwarders configured
>
> Martin^2
>
>
From f72f14b973d91689e5d139e6cc9e7ed5e5d5a2d6 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Thu, 29 Oct 2015 07:37:36 -0600
Subject: [PATCH] interactive installer does not ignore leading/trailing
 whitespace

https://fedorahosted.org/freeipa/ticket/5355
---
 ipapython/ipautil.py | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index b6fd11338f5f55402d5e4502297866f3b0cc0534..4acdd1a98818bf311a8fef103e7219cc62a28ec1 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -763,7 +763,7 @@ def user_input(prompt, default = None, allow_empty = True):
 try:
 ret = input("%s: " % prompt)
 if allow_empty or ret.strip():
-return ret
+return ret.strip()
 except EOFError:
 if allow_empty:
 return ''
@@ -776,7 +776,7 @@ def user_input(prompt, default = None, allow_empty = True):
 if not ret and (allow_empty or default):
 return default
 elif ret.strip():
-return ret
+return ret.strip()
 except EOFError:
 return default
 
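
Review bot: "if not ret and (allow_empty or default):" still tests the unstripped string, so whitespace-only input is not treated as empty in this branch: "not ret" is false and ret.strip() is empty, so neither return is reached. The yes/no and integer branches in the following hunks strip before "if not ret:" and return the default for the same input; stripping ret once, right after it is read, in this branch as well makes all four behave the same.
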
@@ -785,6 +785,7 @@ def user_input(prompt, default = None, allow_empty = True):
 while True:
 try:
 ret = input("%s [%s]: " % (prompt, choice))
+ret = ret.strip()
 if not ret:
 return default
 elif ret.lower()[0] == "y":
@@ -798,6 +799,7 @@ def user_input(prompt, default = None, allow_empty = True):
 while True:
 try:
 ret = input("%s [%s]: " % (prompt, default))
+ret = ret.strip()
 if not ret:
 return default
 ret = int(ret)
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0059] Add Firefox options to ipa-client-install man page

2015-10-29 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5375

Thanks,

Gabe
From 4e0dba6b17f78aa7dd631780cbfe7c4bfa9edea4 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 28 Oct 2015 17:39:40 -0600
Subject: [PATCH] Add Firefox options to ipa-client-install man page

- Update --configure-firefox description in ipa-client-install

https://fedorahosted.org/freeipa/ticket/5375
---
 ipa-client/ipa-install/ipa-client-install | 2 +-
 ipa-client/man/ipa-client-install.1   | 6 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index e38a0f2f970087791b18fff3137bdb1bc9ac2470..14261e57f1fbc01ea57eb7e8160f9c8bf9d282f8 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -182,7 +182,7 @@ def parse_options():
help="Automount location")
 basic_group.add_option("--configure-firefox", dest="configure_firefox",
 action="store_true", default=False,
-help="configure Firefox")
+help="configure Firefox to use IPA domain credentials")
 basic_group.add_option("--firefox-dir", dest="firefox_dir", default=None,
 help="specify directory where Firefox is installed (for example: '/usr/lib/firefox')")
 basic_group.add_option("--ip-address", dest="ip_addresses", default=[],
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index cdcc56fee6ce82e0fe00048d52b13d27e8fe3450..494fd4952e130bbe31a717522ec3279c49904a87 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -181,6 +181,12 @@ Request certificate for the machine. The certificate will be stored in /etc/ipa/
 Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
 automount location.
 .TP
+\fB\-\-configure\-firefox\fR
+Configure Firefox to use IPA domain credentials.
+.TP
+\fB\-\-firefox\-dir\fR=\fIDIR\fR
+Specify Firefox installation directory. For example: '/usr/lib/firefox'
+.TP
 \fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
 Use \fIIP_ADDRESS\fR in DNS A/ record for this host. May be specified multiple times to add multiple DNS records.
 .TP
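
Review bot: the new --firefox-dir entry does not say how it relates to --configure-firefox. If the directory is only used when --configure-firefox is given, state that in the man page text and in the option's help string, so the two options are not read as independent.
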
-- 
2.4.3


[Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-29 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe
From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
 install/tools/ipa-adtrust-install | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete
 
 You must make sure these network ports are open:
 \tTCP Ports:
+\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
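
Review bot: the "135: epmap" line is added to the TCP list only; if the message has a UDP section below these lines, check whether epmap belongs there as well. The commit message carries just the ticket URL, so one line saying why 135 is required for the AD trust would help.
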
-- 
2.4.3


[Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file

2015-10-29 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5418

Thanks,

Gabe
From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:30:35 -0600
Subject: [PATCH] Remove 50-lockout-policy.update file

https://fedorahosted.org/freeipa/ticket/5418
---
 install/updates/50-lockout-policy.update | 4 
 install/updates/Makefile.am  | 1 -
 2 files changed, 5 deletions(-)
 delete mode 100644 install/updates/50-lockout-policy.update

diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update
deleted file mode 100644
index a5730709e2b649466118502ece1cc530c10e0b40..
--- a/install/updates/50-lockout-policy.update
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-replace:krbPwdLockoutDuration:10::600
-replace: krbPwdMaxFailure:3::6
-
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -39,7 +39,6 @@ app_DATA =\
 	45-roles.update			\
 	50-7_bit_check.update	\
 	50-dogtag10-migration.update	\
-	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
 	50-krbenctypes.update		\
-- 
2.4.3


[Freeipa-devel] [PATCH 0058] interactive installer does not ignore leading/trailing whitespace

2015-10-27 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5355

Thanks,

Gabe
From 02434fc8467bbc81313d4bda0cf0e9644c151f00 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 27 Oct 2015 19:17:43 -0600
Subject: [PATCH] interactive installer does not ignore leading/trailing
 whitespace

https://fedorahosted.org/freeipa/ticket/5355
---
 ipapython/ipautil.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index b6fd11338f5f55402d5e4502297866f3b0cc0534..34ff339800d56673f3438a3495cdf4f54d5563d3 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -763,7 +763,7 @@ def user_input(prompt, default = None, allow_empty = True):
 try:
 ret = input("%s: " % prompt)
 if allow_empty or ret.strip():
-return ret
+return ret.strip()
 except EOFError:
 if allow_empty:
 return ''
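
Review bot: in this hunk ret.strip() is evaluated twice, once in the "if allow_empty or ret.strip():" test and again in the return. Strip once when the value is read (ret = input("%s: " % prompt).strip()) and then test and return ret; the same applies to the "elif ret.strip():" branch in the next hunk.
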
@@ -776,7 +776,7 @@ def user_input(prompt, default = None, allow_empty = True):
 if not ret and (allow_empty or default):
 return default
 elif ret.strip():
-return ret
+return ret.strip()
 except EOFError:
 return default
 
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-21 Thread Gabe Alford
Thanks Martin^2. Updated patch attached.

On Wed, Oct 21, 2015 at 2:46 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 20.10.2015 05:17, Gabe Alford wrote:
>
> Bump for re-review.
>
>
> Hello,
>
> thank you for your patch, the patch LGTM, but please use print() as
> function to be python2/3 compatible
>
> Martin^2
>
>
> On Tue, Oct 13, 2015 at 7:15 AM, Gabe Alford <redhatri...@gmail.com>
> wrote:
>
>> No worries Petr. All a part of the review process.
>>
>> I have attached an updated patch that prints only a warning message.
>>
>> thanks,
>>
>> Gabe
>>
>> On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>> Hello Gabe,
>>>
>>> I would like to apologize for the confusion regarding this patch and the
>>> repeated reworking.
>>>
>>> Unfortunately Honza's position is not mentioned in the ticket so you
>>> could not
>>> know what to do, but Honza is our "installer architect" so he has final
>>> say.
>>>
>>> Petr^2 Spacek
>>>
>>> On 13.10.2015 08:31, Jan Cholasta wrote:
>>> > Hi,
>>> >
>>> > I don't think this is the correct approach. We are aiming to have
>>> idempotent
>>> > installers, which means that running uninstall on a system without IPA
>>> > installed should be a no-op. This is the current behavior, so your
>>> patch is
>>> > actually moving us back.
>>> >
>>> > The proper fix would be to *remove* the check from install (as opposed
>>> to
>>> > adding it to uninstall), but this requires the install code to be
>>> idempotent,
>>> > and we're not there yet.
>>> >
>>> > I'm OK with making this a warning, but don't make it a fatal error
>>> and/or
>>> > require --force.
>>> >
>>> > Honza
>>> >
>>> > On 12.10.2015 17:12, Gabe Alford wrote:
>>> >> Thanks, Petr. Updated patch attached.
>>> >>
>>> >> Gabe
>>> >>
>>> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>> >>
>>> >> Hello Gabe,
>>> >>
>>> >> thank you for your patch!
>>> >>
>>> >> Please note that there might be a case where detection
>>> >> is_ipa_configured() is
>>> >> broken but the user still needs to run the uninstall process to
>>> >> clean it up.
>>> >>
>>> >> Could you amend the patch to respect --force option? In that case
>>> the
>>> >> detection should be skipped.
>>> >>
>>> >> Thank you for your time!
>>> >>
>>> >> Petr^2 Spacek
>>> >>
>>> >> On 9.10.2015 19:17, Gabe Alford wrote:
>>> >>  > diff --git a/ipaserver/install/server/install.py
>>> >> b/ipaserver/install/server/install.py
>>> >>  > index
>>> >>
>>> >>
>>> 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858
>>> >>
>>> >> 100644
>>> >>  > --- a/ipaserver/install/server/install.py
>>> >>  > +++ b/ipaserver/install/server/install.py
>>> >>  > @@ -954,6 +954,12 @@ def uninstall_check(installer):
>>> >>  >
>>> >>  >  installer._installation_cleanup = False
>>> >>  >
>>> >>  > +if not is_ipa_configured():
>>> >>  > +print("IPA server is not configured on this
>>> system.\n" +
>>> >>  > +  "If you want to install the IPA server, please
>>> >> install " +
>>> >>  > +  "it using 'ipa-server-install'.")
>>> >>  > +sys.exit(1)
>>> >>  > +
>>> >>  >  fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
>>> >>  >  sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
>>>
>>
>>
>
>
>
>
From 47f82aa203e8302117d0c4c2b1bdcbf50153c021 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Wed, 21 Oct 2015 17:24:25 -0600
Subject: [PATCH] Warn if no installation found when running ipa-server-install
 --uninstall

https://fedorahosted.org/freeipa/ticket/5341
---
 ipaserver/install/server/install.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 3f8ba2027ac210cc5cc9cc706c5d39e01e6de7e4..16539892dcffb3ad0e95aab0c5a3d85f3bb44c48 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -968,6 +968,11 @@ def uninstall_check(installer):
 
 installer._installation_cleanup = False
 
+if not is_ipa_configured():
+print("WARNING:\nIPA server is not configured on this system. "
+  "If you want to install the\nIPA server, please install "
+  "it using 'ipa-server-install'.")
+
 fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
 sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
 
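Review bot: the new `if not is_ipa_configured():` branch reports the condition with a bare print(), so the warning exists only on stdout and is lost when an unattended run discards or redirects that stream. Send it to stderr or to the installer's log as well, so there is a record that uninstall was run on a host that looked unconfigured. The hand-placed "\n" after "install the" hard-wraps the sentence at one fixed width and will break oddly as soon as the wording changes; leave wrapping to output time. Since the branch does not exit and uninstall carries on, the message could also say that cleanup will still be attempted.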
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-19 Thread Gabe Alford
Bump for re-review.

On Tue, Oct 13, 2015 at 7:15 AM, Gabe Alford <redhatri...@gmail.com> wrote:

> No worries Petr. All a part of the review process.
>
> I have attached an updated patch that prints only a warning message.
>
> thanks,
>
> Gabe
>
> On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote:
>
>> Hello Gabe,
>>
>> I would like to apologize for the confusion regarding this patch and the
>> repeated reworking.
>>
>> Unfortunately Honza's position is not mentioned in the ticket so you could
>> not know what to do, but Honza is our "installer architect" so he has final
>> say.
>>
>> Petr^2 Spacek
>>
>> On 13.10.2015 08:31, Jan Cholasta wrote:
>> > Hi,
>> >
>> > I don't think this is the correct approach. We are aiming to have idempotent
>> > installers, which means that running uninstall on a system without IPA
>> > installed should be a no-op. This is the current behavior, so your patch is
>> > actually moving us back.
>> >
>> > The proper fix would be to *remove* the check from install (as opposed to
>> > adding it to uninstall), but this requires the install code to be idempotent,
>> > and we're not there yet.
>> >
>> > I'm OK with making this a warning, but don't make it a fatal error and/or
>> > require --force.
>> >
>> > Honza
>> >
>> > On 12.10.2015 17:12, Gabe Alford wrote:
>> >> Thanks, Petr. Updated patch attached.
>> >>
>> >> Gabe
>> >>
>> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com> wrote:
>> >>
>> >> Hello Gabe,
>> >>
>> >> thank you for your patch!
>> >>
>> >> Please note that there might be a case where detection is_ipa_configured() is
>> >> broken but the user still needs to run the uninstall process to clean it up.
>> >>
>> >> Could you amend the patch to respect --force option? In that case the
>> >> detection should be skipped.
>> >>
>> >> Thank you for your time!
>> >>
>> >> Petr^2 Spacek
>> >>
>> >> On 9.10.2015 19:17, Gabe Alford wrote:
>> >>  > diff --git a/ipaserver/install/server/install.py
>> >> b/ipaserver/install/server/install.py
>> >>  > index
>> >>
>> >>
>> 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858
>> >>
>> >> 100644
>> >>  > --- a/ipaserver/install/server/install.py
>> >>  > +++ b/ipaserver/install/server/install.py
>> >>  > @@ -954,6 +954,12 @@ def uninstall_check(installer):
>> >>  >
>> >>  >  installer._installation_cleanup = False
>> >>  >
>> >>  > +if not is_ipa_configured():
>> >>  > +print("IPA server is not configured on this system.\n"
>> +
>> >>  > +  "If you want to install the IPA server, please
>> >> install " +
>> >>  > +  "it using 'ipa-server-install'.")
>> >>  > +sys.exit(1)
>> >>  > +
>> >>  >  fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
>> >>  >  sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
>>
>
>

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-13 Thread Gabe Alford
No worries Petr. All a part of the review process.

I have attached an updated patch that prints only a warning message.

thanks,

Gabe

On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek <pspa...@redhat.com> wrote:

> Hello Gabe,
>
> I would like to apologize for the confusion regarding this patch and the
> repeated reworking.
>
> Unfortunately Honza's position is not mentioned in the ticket so you could
> not know what to do, but Honza is our "installer architect" so he has final
> say.
>
> Petr^2 Spacek
>
> On 13.10.2015 08:31, Jan Cholasta wrote:
> > Hi,
> >
> > I don't think this is the correct approach. We are aiming to have idempotent
> > installers, which means that running uninstall on a system without IPA
> > installed should be a no-op. This is the current behavior, so your patch is
> > actually moving us back.
> >
> > The proper fix would be to *remove* the check from install (as opposed to
> > adding it to uninstall), but this requires the install code to be idempotent,
> > and we're not there yet.
> >
> > I'm OK with making this a warning, but don't make it a fatal error and/or
> > require --force.
> >
> > Honza
> >
> > On 12.10.2015 17:12, Gabe Alford wrote:
> >> Thanks, Petr. Updated patch attached.
> >>
> >> Gabe
> >>
> >> On Mon, Oct 12, 2015 at 12:47 AM, Petr Spacek <pspa...@redhat.com> wrote:
> >>
> >> Hello Gabe,
> >>
> >> thank you for your patch!
> >>
> >> Please note that there might be a case where detection is_ipa_configured() is
> >> broken but the user still needs to run the uninstall process to clean it up.
> >>
> >> Could you amend the patch to respect --force option? In that case the
> >> detection should be skipped.
> >>
> >> Thank you for your time!
> >>
> >> Petr^2 Spacek
> >>
> >> On 9.10.2015 19:17, Gabe Alford wrote:
> >>  > diff --git a/ipaserver/install/server/install.py
> >> b/ipaserver/install/server/install.py
> >>  > index
> >>
> >>
> 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858
> >>
> >> 100644
> >>  > --- a/ipaserver/install/server/install.py
> >>  > +++ b/ipaserver/install/server/install.py
> >>  > @@ -954,6 +954,12 @@ def uninstall_check(installer):
> >>  >
> >>  >  installer._installation_cleanup = False
> >>  >
> >>  > +if not is_ipa_configured():
> >>  > +print("IPA server is not configured on this system.\n" +
> >>  > +  "If you want to install the IPA server, please
> >> install " +
> >>  > +  "it using 'ipa-server-install'.")
> >>  > +sys.exit(1)
> >>  > +
> >>  >  fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
> >>  >  sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
>
From 4d8b4b8c09c018f4a870b9f8d89d4e293e81b2cb Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 13 Oct 2015 06:59:01 -0600
Subject: [PATCH] Warn if no installation found when running ipa-server-install
 --uninstall

https://fedorahosted.org/freeipa/ticket/5341
---
 ipaserver/install/server/install.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 13a59a0e6149dc22ded4a895db02516e9360e02b..7186e82e70f86bf3f3be6e0f841daa6bcc8bf386 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -954,6 +954,12 @@ def uninstall_check(installer):
 
 installer._installation_cleanup = False
 
+if not is_ipa_configured():
+msg = ("WARNING:\nIPA server is not configured on this system."
+   "If you want to install the IPA server, please install "
+   "it using 'ipa-server-install'.")
+print textwrap.fill(msg, width=79, replace_whitespace=False)
+
 fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
 sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
 
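Review bot: `print textwrap.fill(...)` relies on `textwrap`, but the diffstat counts six insertions in this file and all six are in this hunk, so no `import textwrap` is added; unless install.py already imports it, the branch raises NameError on exactly the unconfigured hosts it is meant to warn. Two smaller points in the same lines: the adjacent literals join as "system.If you want" because the first one has no trailing space, and with replace_whitespace=False the "\n" after "WARNING:" is counted as an ordinary character, so the 79-column wrap will not fall where expected. Printing the "WARNING:" line separately and wrapping only the sentence avoids both.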
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Thanks Martin,

What about adding no_create and no_update flags?

Gabe

On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 09.10.2015 19:17, Gabe Alford wrote:
>
> Hello,
>
> This patch enables nsaccountlock in user.py cli. It is very handy to be
> able to search and find users with disabled/enabled accounts, etc. That
> said, I couldn't find why it was no_option in the first place, so I am not
> 100% sure if it breaks something or the reasoning behind no_option.
>
> Thanks,
>
> Gabe
>
>
> Hello,
>
> https://fedorahosted.org/freeipa/ticket/5366
>
> This patch allows to enable/disable user via user-mod, and we do not want
> to do this, so NACK for this patch.
> I'm not sure yet how to write it in elegant way.
>
> Martin.
>
From 706d2f533f1bfb60422e26fd02a03967d76bd3b2 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 13 Oct 2015 10:51:20 -0600
Subject: [PATCH] Enable nsaccountlock in user.py for user-find cli usage

---
 API.txt| 8 +++-
 VERSION| 2 +-
 ipalib/plugins/user.py | 3 ++-
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/API.txt b/API.txt
index 4d36a9885157de13529573b3a386b4ef39eba176..9d9cf12e0f924e9a119e85bf7d51dd4646e4a5e2 100644
--- a/API.txt
+++ b/API.txt
@@ -5147,7 +5147,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: user_add
-args: 1,45,3
+args: 1,44,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -5176,7 +5176,6 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False)
 option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
 option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False)
 option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False)
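Review bot: removing `option: Bool('nsaccountlock', ...)` from the user_add option list here, and from user_mod in the last API.txt hunk, changes the API for existing callers and not only the command line. A client that passes nsaccountlock to user_add, for example to create an account in the disabled state, was accepted before and will be rejected after this change. If that is intended, say so in the commit message and raise the API minor version; if the aim is only to keep the option off the user-add and user-mod command lines, check whether it can stay in the API for those commands.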
@@ -5269,7 +5268,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True)
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True)
 option: Str('not_in_role*', cli_name='not_in_roles', csv=True)
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True)
-option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False)
+option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False)
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False)
 option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -5296,7 +5295,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: user_mod
-args: 1,46,3
+args: 1,45,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -5324,7 +5323,6 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue
 option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
-option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, required=False)
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False)
 option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, required=False)
 option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index e1df4694f678b1fb27da7785b94dc827f0f8f207..895c9533cffd4ee1f5c9

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Updated patch attached.

On Tue, Oct 13, 2015 at 10:59 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 13.10.2015 18:53, Gabe Alford wrote:
>
> Thanks Martin,
>
> What about adding no_create and no_update flags?
>
> Gabe
>
> Yes, that may work, also please increment minor version of API and add
> ticket into commit message (https://fedorahosted.org/freeipa/ticket/5366)
>
> Thanks.
> Martin
>
>
> On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti <mba...@redhat.com> wrote:
>
>>
>>
>> On 09.10.2015 19:17, Gabe Alford wrote:
>>
>> Hello,
>>
>> This patch enables nsaccountlock in user.py cli. It is very handy to be
>> able to search and find users with disabled/enabled accounts, etc. That
>> said, I couldn't find why it was no_option in the first place, so I am not
>> 100% sure if it breaks something or the reasoning behind no_option.
>>
>> Thanks,
>>
>> Gabe
>>
>>
>> Hello,
>>
>> https://fedorahosted.org/freeipa/ticket/5366
>>
>> This patch allows to enable/disable user via user-mod, and we do not want
>> to do this, so NACK for this patch.
>> I'm not sure yet how to write it in elegant way.
>>
>> Martin.
>>
>
>
>
From 9ff0901198bcf900789d0c3a431a2a905093548e Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 13 Oct 2015 11:09:29 -0600
Subject: [PATCH] Enable nsaccountlock in user.py for user-find cli usage

https://fedorahosted.org/freeipa/ticket/5366
---
 API.txt| 8 +++-
 VERSION| 4 ++--
 ipalib/plugins/user.py | 3 ++-
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index 4d36a9885157de13529573b3a386b4ef39eba176..9d9cf12e0f924e9a119e85bf7d51dd4646e4a5e2 100644
--- a/API.txt
+++ b/API.txt
@@ -5147,7 +5147,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: user_add
-args: 1,45,3
+args: 1,44,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -5176,7 +5176,6 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False)
 option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
 option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False)
 option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False)
@@ -5269,7 +5268,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True)
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True)
 option: Str('not_in_role*', cli_name='not_in_roles', csv=True)
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True)
-option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False)
+option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False)
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False)
 option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
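Review bot: in the user_find line the CLI name becomes 'disabled' while the option remains a Bool rather than a Flag, so it takes an explicit true or false value; the option help should say that, since `--disabled` on its own reads like a switch. Please also add a test that queries both values against a set of users that includes one whose nsaccountlock has never been set, so it is clear whether such accounts are returned by the false query. A search for enabled accounts that silently omits them would mislead anyone using it for an account audit.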
@@ -5296,7 +5295,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: user_mod
-args: 1,46,3
+args: 1,45,3
 arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -5324,7 +5323,6 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue
 option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False

[Freeipa-devel] [PATCH 0058] Remove bind configuration detected question

2015-10-09 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5351

Thanks,

Gabe
From 509ea0b496fd3d2361df58b23ce6ec8fb0ac9b64 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 9 Oct 2015 11:02:06 -0600
Subject: [PATCH] Remove bind configuration detected question

https://fedorahosted.org/freeipa/ticket/5351
---
 ipaserver/install/bindinstance.py | 7 ---
 ipaserver/install/dns.py  | 4 
 2 files changed, 11 deletions(-)

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 4c4677590b7120b7f12cb014519f61673dd1d68a..1cbda7c6931c55247bb0207ae91fbbf5363ad867 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -63,13 +63,6 @@ named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;')
 named_conf_include_template = "include \"%(path)s\";\n"
 
 
-def check_inst(unattended):
-if not unattended and os.path.exists(NAMED_CONF):
-msg = "Existing BIND configuration detected, overwrite?"
-return ipautil.user_input(msg, False)
-
-return True
-
 def create_reverse():
 return ipautil.user_input("Do you want to configure the reverse zone?", True)
 
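Review bot: check_inst() is deleted from bindinstance.py, and the only call site this patch touches is the one in dns.py; the diffstat lists no other file. Please confirm with a grep that nothing else still calls bindinstance.check_inst, otherwise that path fails with AttributeError at run time instead of at review time.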
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 099e35dc331722607c8ca02cdbc7a0e66f8c4754..eb09af30b0f78f38ab1948d4dd01264f45dadf7c 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -144,10 +144,6 @@ def install_check(standalone, replica, options, hostname):
 False)):
 sys.exit("Aborted")
 
-# Check bind packages are installed
-if not bindinstance.check_inst(options.unattended):
-sys.exit("Aborting installation.")
-
 if options.disable_dnssec_master:
 _is_master()
 
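Review bot: with the `bindinstance.check_inst(options.unattended)` call gone, an interactive install no longer asks "Existing BIND configuration detected, overwrite?" before proceeding when NAMED_CONF already exists. The commit message carries only the ticket link; state there why replacing an existing configuration without confirmation is acceptable (for example, that the file is backed up and restored on uninstall), or print a notice naming the file that is about to be replaced. The removed comment "Check bind packages are installed" did not describe what the check did, so dropping it with the call is fine.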
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-09 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5341

Thanks,

Gabe
From 0400bf88987b56d1d3b7a0e665bec525fa81ed02 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 9 Oct 2015 10:48:17 -0600
Subject: [PATCH] Warn if no installation found when running ipa-server-install
 --uninstall

https://fedorahosted.org/freeipa/ticket/5341
---
 ipaserver/install/server/install.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 13a59a0e6149dc22ded4a895db02516e9360e02b..ca93e7a6fd7276d9c0d82eb6f94575730759d858 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -954,6 +954,12 @@ def uninstall_check(installer):
 
 installer._installation_cleanup = False
 
+if not is_ipa_configured():
+print("IPA server is not configured on this system.\n" +
+  "If you want to install the IPA server, please install " +
+  "it using 'ipa-server-install'.")
+sys.exit(1)
+
 fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH)
 sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH)
 
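Review bot: `sys.exit(1)` in the new branch turns uninstall on an unconfigured host into a failure, and it runs before `fstore` and `sstore` are opened, so a host where is_ipa_configured() returns False after a partial or broken install can no longer be cleaned up with this command. Print the text as a warning and let the function continue, or skip the check when the caller forces the operation. The wording also tells someone who asked to uninstall how to install; a sentence saying that no installation was found to remove fits the situation better.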
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-09 Thread Gabe Alford
Hello,

This patch enables nsaccountlock in user.py cli. It is very handy to be
able to search and find users with disabled/enabled accounts, etc. That
said, I couldn't find why it was no_option in the first place, so I am not
100% sure if it breaks something or the reasoning behind no_option.

Thanks,

Gabe
From 985f765d2e25d2ce454884cd4a9f66f9005824a7 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 9 Oct 2015 07:22:07 -0600
Subject: [PATCH] Enable nsaccountlock in user.py for cli usage

---
 API.txt| 6 +++---
 VERSION| 2 +-
 ipalib/plugins/user.py | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 4d36a9885157de13529573b3a386b4ef39eba176..b4df75bb66dab43bc9b7c249851f61efcc284e0f 100644
--- a/API.txt
+++ b/API.txt
@@ -5176,7 +5176,7 @@ option: Str('manager', attribute=True, cli_name='manager', multivalue=False, req
 option: Str('mobile', attribute=True, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('noprivate', autofill=True, cli_name='noprivate', default=False)
-option: Bool('nsaccountlock', attribute=True, cli_name='nsaccountlock', multivalue=False, required=False)
+option: Bool('nsaccountlock', attribute=True, cli_name='disabled', multivalue=False, required=False)
 option: Str('ou', attribute=True, cli_name='orgunit', multivalue=False, required=False)
 option: Str('pager', attribute=True, cli_name='pager', multivalue=True, required=False)
 option: Str('postalcode', attribute=True, cli_name='postalcode', multivalue=False, required=False)
@@ -5269,7 +5269,7 @@ option: Str('not_in_hbacrule*', cli_name='not_in_hbacrules', csv=True)
 option: Str('not_in_netgroup*', cli_name='not_in_netgroups', csv=True)
 option: Str('not_in_role*', cli_name='not_in_roles', csv=True)
 option: Str('not_in_sudorule*', cli_name='not_in_sudorules', csv=True)
-option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, query=True, required=False)
+option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, query=True, required=False)
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, query=True, required=False)
 option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -5324,7 +5324,7 @@ option: Str('mail', attribute=True, autofill=False, cli_name='email', multivalue
 option: Str('manager', attribute=True, autofill=False, cli_name='manager', multivalue=False, required=False)
 option: Str('mobile', attribute=True, autofill=False, cli_name='mobile', multivalue=True, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
-option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='nsaccountlock', multivalue=False, required=False)
+option: Bool('nsaccountlock', attribute=True, autofill=False, cli_name='disabled', multivalue=False, required=False)
 option: Str('ou', attribute=True, autofill=False, cli_name='orgunit', multivalue=False, required=False)
 option: Str('pager', attribute=True, autofill=False, cli_name='pager', multivalue=True, required=False)
 option: Str('postalcode', attribute=True, autofill=False, cli_name='postalcode', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index e1df4694f678b1fb27da7785b94dc827f0f8f207..98b64017f320d1cb5e3015476f894d1ece1d2012 100644
--- a/VERSION
+++ b/VERSION
@@ -91,4 +91,4 @@ IPA_DATA_VERSION=2010061412
 
 IPA_API_VERSION_MAJOR=2
 IPA_API_VERSION_MINOR=156
-# Last change: pvoborni - add vault container commands
+# Last change: galford - enable nssacountlock option in cli
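Review bot: IPA_API_VERSION_MINOR=156 stays as unchanged context while API.txt in this same patch changes three option lines, so only the "Last change" comment is updated; increment the minor version together with the comment. The new comment also misspells the attribute as "nssacountlock".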
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index cb47cbb4869cb978f87603817033580647cc2d17..802dc35f4321c69460fd13bc1103346ab1e30a50 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -340,8 +340,8 @@ class user(baseuser):
 
 takes_params = baseuser.takes_params + (
 Bool('nsaccountlock?',
+cli_name='disabled',
 label=_('Account disabled'),
-flags=['no_option'],
 ),
 Bool('preserved?',
 label=_('Preserved user'),
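Review bot: dropping `flags=['no_option']` from the shared `takes_params` entry exposes `--disabled` on every user command that inherits this parameter, and the API.txt hunks in this patch show the option changing in three option lists, not only the one with query=True that serves searching. That gives the create and modify commands a second way to lock or unlock an account next to the dedicated enable and disable commands. If the goal is searching by account state, limit the CLI exposure to the find command and leave the other two as they were.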
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page

2015-09-23 Thread Gabe Alford
Odd and done. Updated patch attached.

Gabe

On Wed, Sep 23, 2015 at 5:20 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 09/22/2015 03:32 PM, Gabe Alford wrote:
>
>> create mode 100644
>> install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
>>
> Hello,
>
> your patch created new patch :-)
>
> Also there were 3 white space errors, please remove them.
>
> Martin
>
From 8b2e7a7ab20a5fd5c8b6d0be05c0b30539d36cfa Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Wed, 23 Sep 2015 06:50:04 -0600
Subject: [PATCH] dnssec option missing in ipa-dns-install man page

- Add DNSSEC option ipa-replica-install man page as well

https://fedorahosted.org/freeipa/ticket/5300
---
 install/tools/man/ipa-dns-install.1 | 12 
 install/tools/man/ipa-replica-install.1 |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
 \fB\-\-no\-reverse\fR
 Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
+.TP
+\fB\-\-dnssec\-master\fR
+Setup server to be DNSSEC key master.
+.TP
+\fB\-\-disable\-dnssec\-master\fR
+Disable the DNSSEC master on this server.
+.TP
+\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
+Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
+.TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
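Review bot: the new `--no-dnssec-validation` entry only restates the option name as "Disable DNSSEC validation on this server." For a switch that turns a security check off, the man page should say what the administrator gives up (answers are accepted without their DNSSEC signatures being verified) and when disabling it is appropriate, so the option is not picked just to silence an installer error.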
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
 
 .SH "EXIT STATUS"
 0 if the command was successful
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page

2015-09-23 Thread Gabe Alford
Thanks. Updated patch attached.

On Wed, Sep 23, 2015 at 7:14 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 09/23/2015 03:12 PM, Gabe Alford wrote:
>
> Odd and done. Updated patch attached.
>
> Gabe
>
> On Wed, Sep 23, 2015 at 5:20 AM, Martin Basti <mba...@redhat.com> wrote:
>
>>
>>
>> On 09/22/2015 03:32 PM, Gabe Alford wrote:
>>
>>> create mode 100644
>>> install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
>>>
>> Hello,
>>
>> your patch created new patch :-)
>>
>> Also there were 3 white space errors, please remove them.
>>
>> Martin
>>
>
> Thank you, but there is still missing update in ipa-server-install manpage
>
> Martin
>
From a47fa4db2b8b757dbaa1e189fe9b37a0983b Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Wed, 23 Sep 2015 07:32:13 -0600
Subject: [PATCH] dnssec option missing in ipa-dns-install man page

- Add DNSSEC option ipa-replica-install and ipa-server-install man page as well

https://fedorahosted.org/freeipa/ticket/5300
---
 install/tools/man/ipa-dns-install.1 | 12 
 install/tools/man/ipa-replica-install.1 |  3 +++
 install/tools/man/ipa-server-install.1  |  3 +++
 3 files changed, 18 insertions(+)

diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
 \fB\-\-no\-reverse\fR
 Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
+.TP
+\fB\-\-dnssec\-master\fR
+Setup server to be DNSSEC key master.
+.TP
+\fB\-\-disable\-dnssec\-master\fR
+Disable the DNSSEC master on this server.
+.TP
+\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
+Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
+.TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
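Review bot: in the `--dnssec-master` entry, "Setup server" should be the verb form "Set up the server". The `--kasp-db` entry says the metadata is copied and that no new kasp.db is created, but not when the option applies; state whether it is meaningful only together with `--dnssec-master`, and give `--disable-dnssec-master` a sentence on what happens to the existing key data, since the two options read as the two halves of moving the key master to another server.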
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
 
 .SH "EXIT STATUS"
 0 if the command was successful
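Review bot: The new --no-dnssec-validation entry only restates the option name. Because the option switches off a security check, the text should say what the server stops verifying (DNSSEC signatures on the DNS answers it resolves) and that validation stays on unless the option is given, so that someone reading ipa-replica-install(1) can judge the trade-off. The same sentence is added to the other two man pages in this patch and would need the same wording change.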
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 1eaed72119a9cd2f9876d3dc3c4a662782c18a36..2e0ff803c1b185d699f6f15dfb487e455404932e 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -164,6 +164,9 @@ Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
 
 .SS "UNINSTALL OPTIONS"
 .TP
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page

2015-09-22 Thread Gabe Alford
Thanks! Added and attached updated patch.

Gabe

On Tue, Sep 22, 2015 at 1:17 AM, Martin Basti <mba...@redhat.com> wrote:

>
>
> On 09/21/2015 05:37 PM, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5300
>
> Thanks,
>
> Gabe
>
>
> Thank you!
>
> The option --no-dnssec-validation is also used in ipa-server-install and
> ipa-replica-install, so this option should be documented in multiple
> manpages.
>
> Martin
>
From 6db931c2d12060a5938d5e160f83df8c08cf6889 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 22 Sep 2015 07:28:22 -0600
Subject: [PATCH] dnssec options missing in man pages

- Add DNSSEC options to ipa-dns-install and ipa-replica-install man pages

https://fedorahosted.org/freeipa/ticket/5300
---
 ...tions-missing-in-ipa-dns-install-man-page.patch | 36 ++
 install/tools/man/ipa-dns-install.1| 12 
 install/tools/man/ipa-replica-install.1|  3 ++
 3 files changed, 51 insertions(+)
 create mode 100644 install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch

diff --git a/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
new file mode 100644
index ..d0f3d610dd1f8ef6bb1d1b6385f648cb79cd931b
--- /dev/null
+++ b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
@@ -0,0 +1,36 @@
+From e13330dfdff13101aa625e1651289304bd4d73bf Mon Sep 17 00:00:00 2001
+From: Gabe <redhatri...@gmail.com>
+Date: Mon, 21 Sep 2015 09:30:31 -0600
+Subject: [PATCH] dnssec options missing in ipa-dns-install man page
+
+https://fedorahosted.org/freeipa/ticket/5300
+---
+ install/tools/man/ipa-dns-install.1 | 12 
+ 1 file changed, 12 insertions(+)
+
+diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
+index 23427b1b15ddf21ff1aba5617adab395d2f25112..229aaedfa09cbe3c4590eca5b66e325769a7f642 100644
+--- a/install/tools/man/ipa-dns-install.1
 b/install/tools/man/ipa-dns-install.1
+@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
+ \fB\-\-no\-reverse\fR
+ Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
+ .TP
++\fB\-\-no\-dnssec\-validation\fR
++Disable DNSSEC validation on this server.
++.TP
++\fB\-\-dnssec\-master\fR
++Setup server to be DNSSEC key master.
++.TP
++\fB\-\-disable\-dnssec\-master\fR
++Disable the DNSSEC master on this server.
++.TP
++\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
++Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. 
++.TP
+ \fB\-\-zonemgr\fR
+ The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
+ .TP
+-- 
+1.8.3.1
+
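Review bot: The file created here, install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch, is the previous revision of this patch and does not belong in the source tree. It was picked up because the generated .patch file was sitting in install/tools/man when the commit was made; drop it from the commit and resend so that the diffstat lists only the man pages.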
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
 \fB\-\-no\-reverse\fR
 Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
+.TP
+\fB\-\-dnssec\-master\fR
+Setup server to be DNSSEC key master.
+.TP
+\fB\-\-disable\-dnssec\-master\fR
+Disable the DNSSEC master on this server.
+.TP
+\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
+Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
+.TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
 
 .SH "EXIT STATUS"
 0 if the command was successful
-- 
1.8.3.1


Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-21 Thread Gabe Alford
Sorry. I had fixed another mistake and had not read your comment carefully.
Updated patch attached.

Gabe

On Wed, Sep 16, 2015 at 12:23 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 15.9.2015 14:42, Gabe Alford wrote:
>
>> Yup. You are right. It was a mistake. Updated patch attached.
>>
>> On Tue, Sep 15, 2015 at 12:46 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 14.9.2015 14:58, Gabe Alford wrote:
>>
>> Sounds good to me. Updated patch attached.
>>
>> On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>>  On 14.9.2015 07:23, Jan Cholasta wrote:
>>  > IMO it does, because saying just "-1 is default" is not entirely correct and
>>  > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
>>  > is unlimited" if you think it's clearer.
>>
>>  my +1 to "0 or -1 is unlimited" variant
>>
>>  Petr^2 Spacek
>>
>>
>>   > On 10.9.2015 18:39, Gabe Alford wrote:
>>   >> Oops.. replied without the list.
>>   >>
>>   >> Reason I said -1 is because users might be confused if they enter `ipa
>>   >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
>>   >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
>>   >> Thoughts? Does "<= 0 is unlimited" make more sense?
>>   >>
>>   >> Thanks,
>>   >>
>>   >> Gabe
>>
>>
>> The doc for ipasearchtimelimit and ipasearchrecordslimit says "-1 is
>> unlimited", but both 0 and -1 is unlimited for them, and the doc for
>> timelimit and sizelimit says "-1 or 0 is unlimited", but only 0 is
>> unlimited for them. Looks like a mistake.
>>
>> --
>> Jan Cholasta
>>
>>
>>
> This hasn't changed since the previous patch and is still wrong, as -1 is
> not supported here:
>
>  Int('timelimit?',
>  label=_('Time Limit'),
> -doc=_('Time limit of search in seconds'),
> +doc=_('Time limit of search in seconds (-1 or 0 is
> unlimited)'),
>  flags=['no_display'],
>  minvalue=0,
>  autofill=False,
>  ),
>  Int('sizelimit?',
>  label=_('Size Limit'),
> -doc=_('Maximum number of entries returned'),
> +doc=_('Maximum number of entries returned (-1 or 0 is
> unlimited)'),
>  flags=['no_display'],
>  minvalue=0,
>  autofill=False,
>
> --
> Jan Cholasta
>
From 1caa56120c9f3cc09b236bef2e0aad218b94365e Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Mon, 21 Sep 2015 06:55:17 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 install/ui/test/data/ipa_init_commands.json |  6 +++---
 install/ui/test/data/ipa_init_objects.json  |  6 +++---
 install/ui/test/data/json_metadata.json |  4 ++--
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 21 +
 ipaserver/plugins/ldap2.py  |  4 ++--
 6 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)",
 "flags": [
 "nonempty&quo

[Freeipa-devel] [PATCH 0054] Update FreeIPA package description

2015-09-21 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5284

Thanks,

Gabe
From 4f46a069b799f2613dd3b7ae42bb64b998bc2c40 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Mon, 21 Sep 2015 07:56:36 -0600
Subject: [PATCH] Update FreeIPA package description

https://fedorahosted.org/freeipa/ticket/5284
---
 freeipa.spec.in | 64 +++--
 1 file changed, 35 insertions(+), 29 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 614798cc2328a45a205f5ba319e8b683596aa2aa..75cf7f33402b47f952c58efb3f8c3825fa4ecc3c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -104,10 +104,11 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 
 %description
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof).
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
 
 %if ! %{ONLY_CLIENT}
 %package server
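Review bot: In the new %description text, "Linux based clients" and "Active Directory based infrastructures" need hyphens ("Linux-based", "Active Directory-based"). The same five-line paragraph is pasted into each subpackage %description in the hunks below, so the fix has to be made in every copy; it may be simpler to keep the full paragraph only here and give the subpackages their one package-specific sentence.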
@@ -177,12 +178,12 @@ Obsoletes: %{name}-server <= 4.2.0.0
 Conflicts: nss-pam-ldapd < 0.8.4
 
 %description server
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If you are installing an IPA server you need
-to install this package (in other words, most people should NOT install
-this package).
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
 
 
 %package server-dns
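Review bot: The server %description loses the parenthetical "(in other words, most people should NOT install this package)" together with the rewording. If that guidance is being dropped on purpose, say so in the commit message, which currently carries only the subject "Update FreeIPA package description" and the ticket link; otherwise keep a sentence telling client-only installations that they do not need this package.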
@@ -277,11 +278,13 @@ Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}
 
 %description client
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If your network uses IPA for authentication,
-this package should be installed on every client machine.
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
 
 
 %package admintools
@@ -296,11 +299,12 @@ Conflicts: %{alt_name}-admintools
 Obsoletes: %{alt_name}-admintools < %{version}
 
 %description admintools
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). This package provides command-line tools for
-IPA administrators.
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This package provides command-line tools for IPA administrators.
 
 %package python
 Summary: Python libraries used by IPA
@@ -328,11 +332,12 @@ Conflicts: %{alt_name}-python
 Obsoletes: %{alt_name}-python < %{version}
 
 %description python
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If you are using IPA you need to install this
-package.
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and 

[Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page

2015-09-21 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5300

Thanks,

Gabe
From e13330dfdff13101aa625e1651289304bd4d73bf Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Mon, 21 Sep 2015 09:30:31 -0600
Subject: [PATCH] dnssec options missing in ipa-dns-install man page

https://fedorahosted.org/freeipa/ticket/5300
---
 install/tools/man/ipa-dns-install.1 | 12 
 1 file changed, 12 insertions(+)

diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 23427b1b15ddf21ff1aba5617adab395d2f25112..229aaedfa09cbe3c4590eca5b66e325769a7f642 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
 \fB\-\-no\-reverse\fR
 Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
+.TP
+\fB\-\-dnssec\-master\fR
+Setup server to be DNSSEC key master.
+.TP
+\fB\-\-disable\-dnssec\-master\fR
+Disable the DNSSEC master on this server.
+.TP
+\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
+Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. 
+.TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
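Review bot: The added --kasp-db description line ends with a trailing space after "kasp.db file."; strip it so the patch applies without whitespace warnings.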
-- 
1.8.3.1


Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-15 Thread Gabe Alford
Yup. You are right. It was a mistake. Updated patch attached.

On Tue, Sep 15, 2015 at 12:46 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 14.9.2015 14:58, Gabe Alford wrote:
>
>> Sounds good to me. Updated patch attached.
>>
>> On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> On 14.9.2015 07:23, Jan Cholasta wrote:
>> > IMO it does, because saying just "-1 is default" is not entirely correct and
>> > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
>> > is unlimited" if you think it's clearer.
>>
>> my +1 to "0 or -1 is unlimited" variant
>>
>> Petr^2 Spacek
>>
>>
>>  > On 10.9.2015 18:39, Gabe Alford wrote:
>>  >> Oops.. replied without the list.
>>  >>
>>  >> Reason I said -1 is because users might be confused if they enter `ipa
>>  >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
>>  >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
>>  >> Thoughts? Does "<= 0 is unlimited" make more sense?
>>  >>
>>  >> Thanks,
>>  >>
>>  >> Gabe
>>
>>
> The doc for ipasearchtimelimit and ipasearchrecordslimit says "-1 is
> unlimited", but both 0 and -1 is unlimited for them, and the doc for
> timelimit and sizelimit says "-1 or 0 is unlimited", but only 0 is
> unlimited for them. Looks like a mistake.
>
> --
> Jan Cholasta
>
From 0cdf762bbb6cd3a6dcbc3885104e8b4efbd1bcd7 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Tue, 15 Sep 2015 06:38:13 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 install/ui/test/data/ipa_init_commands.json |  6 +++---
 install/ui/test/data/ipa_init_objects.json  |  6 +++---
 install/ui/test/data/json_metadata.json |  4 ++--
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 21 +
 ipaserver/plugins/ldap2.py  |  4 ++--
 6 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)",
 "flags": [
 "nonempty"
 ],
@@ -2460,7 +2460,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum number of records to search (-1 is unlimited)",
+"doc": "Maximum number of records to search (-1 or 0 is unlimited)",
 "flags": [
 "nonempty"
 ],
@@ -24018,4 +24018,4 @@
 "methods": {},
 "objects": {}
 }
-}
\ No newline at end of file
+}
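Review bot: The last hunk for ipa_init_commands.json (@@ -24018,4) only adds the missing newline at end of file, which is unrelated to the limit wording tracked in ticket 4023. Either mention the whitespace fix in the commit message or leave it out, so that the diff for this fixture contains just the two doc-string changes.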
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index c8c836926d94dd4c1903aa9a62fa91c11a238e75..ca98a1a22855bfcc306e1a3ed98e398f1b4505b1 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -498,7 +498,7 @@
 {
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)",
 "flags": [],
 "label": "Sear

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-14 Thread Gabe Alford
Sounds good to me. Updated patch attached.

On Mon, Sep 14, 2015 at 1:34 AM, Petr Spacek <pspa...@redhat.com> wrote:

> On 14.9.2015 07:23, Jan Cholasta wrote:
> > IMO it does, because saying just "-1 is default" is not entirely correct and
> > "0 is default" would be confusing, as you pointed out. You might say "0 or -1
> > is unlimited" if you think it's clearer.
>
> my +1 to "0 or -1 is unlimited" variant
>
> Petr^2 Spacek
>
>
> > On 10.9.2015 18:39, Gabe Alford wrote:
> >> Oops.. replied without the list.
> >>
> >> Reason I said -1 is because users might be confused if they enter `ipa
> >> config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
> >> show -1 instead of 0. I wonder if -1 makes more sense in that regard?
> >> Thoughts? Does "<= 0 is unlimited" make more sense?
> >>
> >> Thanks,
> >>
> >> Gabe
>
>
From 99070f93a51c7e03fa9c98b3548420fc589eddc1 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Mon, 14 Sep 2015 06:56:00 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 install/ui/test/data/ipa_init_commands.json |  6 +++---
 install/ui/test/data/ipa_init_objects.json  |  6 +++---
 install/ui/test/data/json_metadata.json |  4 ++--
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 19 ---
 ipaserver/plugins/ldap2.py  |  4 ++--
 6 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..c7f717c357624489d0b7f43fdd01b5bb8b1bcd86 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)",
 "flags": [
 "nonempty"
 ],
@@ -2460,7 +2460,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum number of records to search (-1 is unlimited)",
+"doc": "Maximum number of records to search (-1 or 0 is unlimited)",
 "flags": [
 "nonempty"
 ],
@@ -24018,4 +24018,4 @@
 "methods": {},
 "objects": {}
 }
-}
\ No newline at end of file
+}
diff --git a/install/ui/test/data/ipa_init_objects.json b/install/ui/test/data/ipa_init_objects.json
index c8c836926d94dd4c1903aa9a62fa91c11a238e75..ca98a1a22855bfcc306e1a3ed98e398f1b4505b1 100644
--- a/install/ui/test/data/ipa_init_objects.json
+++ b/install/ui/test/data/ipa_init_objects.json
@@ -498,7 +498,7 @@
 {
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)",
+"doc": "Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)",
 "flags": [],
 "label": "Search time limit",
 "maxvalue": 2147483647,
@@ -510,7 +510,7 @@
 {
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum number of records to search (-1 is unlimited)",
+"doc": "Maximum number of records to search (-1 or 0 is unlimited)",
 "flags": [],
 "label": "Search size limit",
 &qu

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Gabe Alford
Makes sense. I also changed the doc string to reflect -1 as well. Updated
patch attached.

Thanks,

Gabe

On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> On 4.9.2015 14:43, Gabe Alford wrote:
>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>
>> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>> Hello,
>>
>> Updated patch attached.
>>
>> - Time limit is -1 for unlimited. I found this
>>
>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>> in reference to keeping the time limit as -1 for unlimited.
>>
>>
>> This patch does two conflicting things: it coerces time limit of
>> 0 to -1 and at the same time prohibits the user to use 0 for
>> time limit. We should do just one of these and IMHO it should be
>> the coercion of 0 to -1.
>>
>> Sure enough, testing time limit at 0 did not work for
>> unlimited as well
>> as appeared to have negative effects on IPA.
>>
>>
>> This is because the time limit read from ipa config is not
>> converted to int in ldap2.find_entries(), so the coercion does
>> not work. Fix this and 0 will work just fine.
>>
>> Also, I believe that
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>> specifies unlimited for time limit as -1. (Please correct me
>> if I am wrong.)
>>
>>
>> python-ldap is layers below our API and should not determine
>> what we use for unlimited time limit. I would prefer if we were
>> self-consistent and use 0 for both time limit and size limit.
>>
>>
>> A misunderstanding on my part as I thought it was higher up in the
>> API for some reason. Updated patch attached.
>>
>
> Thanks, this is better, but it turns out I was wrong about coercing -1 to
> 0 in config-mod: in a topology with different versions of IPA servers,
> setting the limits in LDAP to 0 on a newer server with your patch will
> break older servers without your patch:
>
> [user@old]$ ipa user-find
> --
> 1 user matched
> --
>   User login: admin
>   Last name: Administrator
>   Home directory: /home/admin
>   Login shell: /bin/bash
>   UID: 136480
>   GID: 136480
>   Account disabled: False
>   Password: True
>   Kerberos keys available: True
> 
> Number of entries returned 1
> 
>
> [user@new]$ ipa config-mod --searchtimelimit=0 --searchrecordslimit=0
> ...
>
> [user@old]$ ipa user-find
> ---
> 0 users matched
> ---
> 
> Number of entries returned 0
> 
>
> To fix this, we actually need to do the opposite and store -1 in LDAP when
> 0 is specified in config-mod options.
>
> Honza
>
> --
> Jan Cholasta
>
From 715dfae42bbe9e1ca93dee902b100672d6dafc39 Mon Sep 17 00:00:00 2001
From: Gabe <redhatri...@gmail.com>
Date: Thu, 10 Sep 2015 07:51:58 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 install/ui/test/data/ipa_init_commands.json |  4 ++--
 install/ui/test/data/ipa_init_objects.json  |  4 ++--
 install/ui/test/data/json_metadata.json |  2 +-
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 19 ---
 ipaserver/plugins/ldap2.py  |  4 ++--
 6 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..13e3cfe87549b0b58cb86db1e34a8f6e2cfbb7e8 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,7 +2446,7 @@
 "attribute": true,
 "class": "Int",
 "deprecated_cli_aliases": [],
-"doc": "Maximum amount of ti

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-10 Thread Gabe Alford
Oops.. replied without the list.

Reason I said -1 is because users might be confused if they enter `ipa
config-mod --searchtimelimit=0`, and both `ipa user-show` and the webui
show -1 instead of 0. I wonder if -1 makes more sense in that regard?
Thoughts? Does "<= 0 is unlimited" make more sense?

Thanks,

Gabe


On Thu, Sep 10, 2015 at 8:15 AM, Jan Cholasta <jchol...@redhat.com> wrote:

> I'm not sure about that, I think it should still say 0, because that's
> what we want to use as the unlimited value. If you insist on including -1
> in the docs, maybe we can say "<= 0 is unlimited"?
>
> On 10.9.2015 16:08, Gabe Alford wrote:
>
>> Makes sense. I also changed the doc string to reflect -1 as well.
>> Updated patch attached.
>>
>> Thanks,
>>
>> Gabe
>>
>> On Thu, Sep 10, 2015 at 1:41 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>> On 4.9.2015 14:43, Gabe Alford wrote:
>>
>> Bump for review.
>>
>> On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:
>>
>>  On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>>
>>  On 6.8.2015 21:43, Gabe Alford wrote:
>>
>>  Hello,
>>
>>  Updated patch attached.
>>
>>  - Time limit is -1 for unlimited. I found this
>>
>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>>  in reference to keeping the time limit as -1 for unlimited.
>>
>>
>>  This patch does two conflicting things: it coerces time limit of
>>  0 to -1 and at the same time prohibits the user to use 0 for
>>  time limit. We should do just one of these and IMHO it should be
>>  the coercion of 0 to -1.
>>
>>  Sure enough, testing time limit at 0 did not work for unlimited as well
>>  as appeared to have negative effects on IPA.
>>
>>
>>  This is because the time limit read from ipa config is not
>>  converted to int in ldap2.find_entries(), so the coercion does
>>  not work. Fix this and 0 will work just fine.
>>
>>  Also, I believe that
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>>  specifies unlimited for time limit as -1. (Please correct me
>>  if I am wrong.)
>>
>>
>>  python-ldap is layers below our API and should not determine
>>  what we use for unlimited time limit. I would prefer if we were
>>  self-consistent and use 0 for both time limit and size limit.
>>
>>
>>  A misunderstanding on my part as I thought it was higher up in the
>>  API for some reason. Updated patch attached.
>>
>>
>> Thanks, this is better, but it turns out I was wrong about coercing
>> -1 to 0 in config-mod: in a topology with different versions of IPA
>> servers, setting the limits in LDAP to 0 on a newer server with your
>> patch will break older servers without your patch:
>>
>>  [user@old]$ ipa user-find
>>  --
>>  1 user matched
>>  --
>>User login: admin
>>Last name: Administrator
>>Home directory: /home/admin
>>Login shell: /bin/bash
>>UID: 136480
>>GID: 136480
>>Account disabled: False
>>Password: True
>>Kerberos keys available: True
>>  
>>  Number of entries returned 1
>>  
>>
>>  [user@new]$ ipa config-mod --searchtimelimit=0
>> --searchrecordslimit=0
>>  ...
>>
>>  [user@old]$ ipa user-find
>>  ---
>>  0 users matched
>>  ---
>>  
>>  Number of entries returned 0
>>  
>>
>> To fix this, we actually need to do the opposite and store -1 in
>> LDAP when 0 is specified in config-mod options.
>>
>> Honza
>>
>> --
>> Jan Cholasta
>>
>>
>>
>
> --
> Jan Cholasta
>

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-09-04 Thread Gabe Alford
Bump for review.

On Wed, Aug 12, 2015 at 9:32 AM, Gabe Alford <redhatri...@gmail.com> wrote:

> On Tue, Aug 11, 2015 at 1:34 AM, Jan Cholasta <jchol...@redhat.com> wrote:
>
>> On 6.8.2015 21:43, Gabe Alford wrote:
>>
>>> Hello,
>>>
>>> Updated patch attached.
>>>
>>> - Time limit is -1 for unlimited. I found this
>>> https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html
>>> in reference to keeping the time limit as -1 for unlimited.
>>>
>>
>> This patch does two conflicting things: it coerces time limit of 0 to -1
>> and at the same time prohibits the user from using 0 for time limit. We should
>> do just one of these and IMHO it should be the coercion of 0 to -1.
>>
>> Sure enough, testing time limit at 0 did not work for unlimited as well
>>> as appeared to have negative effects on IPA.
>>>
>>
>> This is because the time limit read from ipa config is not converted to
>> int in ldap2.find_entries(), so the coercion does not work. Fix this and 0
>> will work just fine.
>>
>> Also, I believe that
>>>
>>> http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
>>> specifies unlimited for time limit as -1. (Please correct me if I am
>>> wrong.)
>>>
>>
>> python-ldap is layers below our API and should not determine what we use
>> for unlimited time limit. I would prefer if we were self-consistent and use
>> 0 for both time limit and size limit.
>>
>
> A misunderstanding on my part as I thought it was higher up in the API for
> some reason. Updated patch attached.
>
> Thanks,
>
> Gabe
>

Re: [Freeipa-devel] [PATCH 0052] Add Chromium configuration note under Chrome section in ssbrowser

2015-09-03 Thread Gabe Alford
Bump for review

On Wed, Jul 29, 2015 at 7:49 AM, Gabe Alford <redhatri...@gmail.com> wrote:

> Hello,
>
> As Chromium and Chrome are configured similarly but are configured in
> different /etc directories, this patch adds a note to the Chrome section in
> ssbrowser.html stating that.
>
> Thanks,
>
> Gabe
>

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-08-06 Thread Gabe Alford
Hello,

Updated patch attached.

- Time limit is -1 for unlimited. I found this
https://www.redhat.com/archives/freeipa-devel/2011-January/msg00330.html in
reference to keeping the time limit as -1 for unlimited.
Sure enough, testing time limit at 0 did not work for unlimited as well as
appeared to have negative effects on IPA. Also, I believe that
http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
specifies unlimited for time limit as -1. (Please correct me if I am wrong.)

- Size limit is 0 for unlimited per Jan's comment including a conversion
from -1 to 0 if -1 is entered for unlimited size limit.

Actually, 0 means unlimited for size limit, see

http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s

Thanks,

Gabe

On Tue, Aug 4, 2015 at 3:28 AM, Jan Cholasta jchol...@redhat.com wrote:

 On 31.7.2015 at 17:08, Gabe Alford wrote:

 Updated patch attached.

 Thanks,

 Gabe

 On Thu, Jul 30, 2015 at 7:15 AM, Gabe Alford redhatri...@gmail.com wrote:

 On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote:

 On 30.7.2015 at 09:23, Jan Cholasta wrote:

 Hi,

 On 29.7.2015 at 17:23, Gabe Alford wrote:

 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/4023


 Actually, 0 means unlimited for size limit, see
 
 http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
 .


 After reading the ticket I think this should be fixed the other
 way around: make 0 mean unlimited for both time and size limit
 and fix the config plugin and LDAPClient to respect that.


 Thanks for the review. Updated patch attached.


 We still need to accept -1 in config-mod for backward compatibility - when
 received, it should be converted to 0.

 --
 Jan Cholasta

From 73a7fd9f2f3fbfa703da68f1a55bb16e4627ffba Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 6 Aug 2015 13:18:06 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 API.txt | 82 ++---
 VERSION |  2 +-
 install/ui/test/data/ipa_init_commands.json |  4 +-
 install/ui/test/data/ipa_init_objects.json  |  4 +-
 install/ui/test/data/json_metadata.json |  2 +-
 ipalib/plugins/baseldap.py  |  6 +--
 ipalib/plugins/config.py|  7 ++-
 7 files changed, 56 insertions(+), 51 deletions(-)

diff --git a/API.txt b/API.txt
index 2e19d6b2f1e16cc1c89d71ed7d443145426a28e3..19c7857bee7cd7fb63c96a130b53946612f0c74e 100644
--- a/API.txt
+++ b/API.txt
@@ -273,7 +273,7 @@ option: IA5Str('automountinformation', attribute=True, autofill=False, cli_name=
 option: IA5Str('automountkey', attribute=True, autofill=False, cli_name='key', multivalue=False, query=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
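Review bot: After this hunk `timelimit?` takes `minvalue=-1` while `sizelimit?` on the line above keeps `minvalue=0`, so two search options that sit side by side have different lower bounds and neither definition says which value means unlimited. Add a doc string to each option stating its unlimited value, or settle on one value for both. The same comment applies to the identical hunks that follow in API.txt.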
@@ -337,7 +337,7 @@ option: Str('cn', attribute=True, autofill=False, cli_name='location', multivalu
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -412,7 +412,7 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -556,7 +556,7 @@ option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: StrEnum

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-07-31 Thread Gabe Alford
Updated patch attached.

Thanks,

Gabe

On Thu, Jul 30, 2015 at 7:15 AM, Gabe Alford redhatri...@gmail.com wrote:

 On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote:

 On 30.7.2015 at 09:23, Jan Cholasta wrote:

 Hi,

 On 29.7.2015 at 17:23, Gabe Alford wrote:

 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/4023


 Actually, 0 means unlimited for size limit, see
 
 http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
 .


 After reading the ticket I think this should be fixed the other way
 around: make 0 mean unlimited for both time and size limit and fix the
 config plugin and LDAPClient to respect that.


 Thanks for the review. Updated patch attached.


 --
 Jan Cholasta



From 953f5bd85ee7d1ac6fee3034fda63b9a5783b418 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 31 Jul 2015 09:06:05 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 API.txt |  4 ++--
 VERSION |  4 ++--
 install/ui/test/data/ipa_init_commands.json | 10 +-
 install/ui/test/data/ipa_init_objects.json  | 10 +-
 install/ui/test/data/json_metadata.json |  8 
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 10 +-
 7 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/API.txt b/API.txt
index 2e19d6b2f1e16cc1c89d71ed7d443145426a28e3..ef1aa080c9b4c0139dc4fe77c27f47c7b6d91226 100644
--- a/API.txt
+++ b/API.txt
@@ -778,8 +778,8 @@ option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac
 option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False)
 option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=-1, multivalue=False, required=False)
-option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
+option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=0, multivalue=False, required=False)
+option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=0, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
diff --git a/VERSION b/VERSION
index ca43f3e0c06880d355c068514134187c5edda175..f31498b39c53bd41fff20fc7a3d9de9a6bdf4397 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: galford - Change ipasearchtimelime and ipasearchrecordslimit to 0 for unlimited
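Review bot: The new `# Last change:` comment misspells the attribute as `ipasearchtimelime`; it should read `ipasearchtimelimit`, so that a search of the history for the attribute name finds this API bump.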
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..477d7cf75aabd5c23dbf91a6305bfcbb9fbf5b1b 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,13 +2446,13 @@
 attribute: true,
 class: Int,
 deprecated_cli_aliases: [],
-doc: Maximum amount of time (seconds) for a search ( 0, or -1 for unlimited),
+doc: Maximum amount of time (seconds) for a search ( 0, or 0 for unlimited),
 flags: [
 nonempty
 ],
 label: Search time limit,
 maxvalue: 2147483647,
-minvalue: -1,
+minvalue: 0,
 name: ipasearchtimelimit,
 type: int
 },
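Review bot: The doc string for `ipasearchtimelimit` ends up as `( 0, or 0 for unlimited)`, a mechanical swap of -1 for 0 that reads awkwardly and no longer tells the reader what the valid range is. State the range once, for example `Maximum amount of time (seconds) for a search (0 is unlimited)`, and keep the wording identical wherever else this doc text appears in the patch.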
@@ -2460,13 +2460,13 @@
 attribute: true,
 class: Int,
 deprecated_cli_aliases

Re: [Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-07-30 Thread Gabe Alford
On Thu, Jul 30, 2015 at 1:32 AM, Jan Cholasta jchol...@redhat.com wrote:

 On 30.7.2015 at 09:23, Jan Cholasta wrote:

 Hi,

 On 29.7.2015 at 17:23, Gabe Alford wrote:

 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/4023


 Actually, 0 means unlimited for size limit, see
 
 http://www.python-ldap.org/doc/html/ldap.html#ldap.LDAPObject.search_ext_s
 .


 After reading the ticket I think this should be fixed the other way
 around: make 0 mean unlimited for both time and size limit and fix the
 config plugin and LDAPClient to respect that.


Thanks for the review. Updated patch attached.


 --
 Jan Cholasta

From 58e95a7eebe6e333786d9bd6b798490bdae25941 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 30 Jul 2015 07:04:06 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and
 ipasesarchsizelimit for unlimited minvalue

https://fedorahosted.org/freeipa/ticket/4023
---
 API.txt |  4 ++--
 VERSION |  4 ++--
 install/ui/test/data/ipa_init_commands.json | 10 +-
 install/ui/test/data/ipa_init_objects.json  | 10 +-
 install/ui/test/data/json_metadata.json |  8 
 ipalib/plugins/baseldap.py  |  4 ++--
 ipalib/plugins/config.py| 10 +-
 7 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/API.txt b/API.txt
index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..90e52a686eb73af8af87b6065868d641e7e868ec 100644
--- a/API.txt
+++ b/API.txt
@@ -778,8 +778,8 @@ option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac
 option: Int('ipamaxusernamelength', attribute=True, autofill=False, cli_name='maxusername', minvalue=1, multivalue=False, required=False)
 option: Bool('ipamigrationenabled', attribute=True, autofill=False, cli_name='enable_migration', multivalue=False, required=False)
 option: Int('ipapwdexpadvnotify', attribute=True, autofill=False, cli_name='pwdexpnotify', minvalue=0, multivalue=False, required=False)
-option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=-1, multivalue=False, required=False)
-option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=-1, multivalue=False, required=False)
+option: Int('ipasearchrecordslimit', attribute=True, autofill=False, cli_name='searchrecordslimit', minvalue=0, multivalue=False, required=False)
+option: Int('ipasearchtimelimit', attribute=True, autofill=False, cli_name='searchtimelimit', minvalue=0, multivalue=False, required=False)
 option: Str('ipaselinuxusermapdefault', attribute=True, autofill=False, cli_name='ipaselinuxusermapdefault', multivalue=False, required=False)
 option: Str('ipaselinuxusermaporder', attribute=True, autofill=False, cli_name='ipaselinuxusermaporder', multivalue=False, required=False)
 option: StrEnum('ipauserauthtype', attribute=True, autofill=False, cli_name='user_auth_type', csv=True, multivalue=True, required=False, values=(u'password', u'radius', u'otp', u'disabled'))
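Review bot: Raising `minvalue` from -1 to 0 on `ipasearchrecordslimit` and `ipasearchtimelimit` turns -1, which these options accepted until now, into a validation error, so existing callers that pass `--searchtimelimit=-1` or `--searchrecordslimit=-1` will start failing. Keep `minvalue=-1` and normalise -1 and 0 to a single value inside the config plugin, so that old callers keep working while 0 becomes the documented way to ask for unlimited.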
diff --git a/VERSION b/VERSION
index 678d1f8a7e588d480b16441e12e4d527d9c1cd98..837ee846f330779bbaa5fa43311a74c13b013690 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=147
-# Last change: mbasti - Consolidate DNS RR in API and schema
+IPA_API_VERSION_MINOR=148
+# Last change: galford - Change ipasearchtimelime and ipasearchrecordslimit to 0 for unlimited
diff --git a/install/ui/test/data/ipa_init_commands.json b/install/ui/test/data/ipa_init_commands.json
index 743f508e2a733b766008bdd21838454ef7df8c21..477d7cf75aabd5c23dbf91a6305bfcbb9fbf5b1b 100644
--- a/install/ui/test/data/ipa_init_commands.json
+++ b/install/ui/test/data/ipa_init_commands.json
@@ -2446,13 +2446,13 @@
 attribute: true,
 class: Int,
 deprecated_cli_aliases: [],
-doc: Maximum amount of time (seconds) for a search ( 0, or -1 for unlimited),
+doc: Maximum amount of time (seconds) for a search ( 0, or 0 for unlimited),
 flags: [
 nonempty
 ],
 label: Search time limit,
 maxvalue: 2147483647,
-minvalue: -1,
+minvalue: 0,
 name: ipasearchtimelimit,
 type: int
 },
@@ -2460,13 +2460,13 @@
 attribute: true,
 class: Int,
 deprecated_cli_aliases: [],
-doc: Maximum number of records to search (-1 is unlimited),
+doc: Maximum

[Freeipa-devel] [PATH 0053] Inconsistency between ipasearchrecordslimit and --sizelimit

2015-07-29 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4023

Thanks,

Gabe
From cba4b0d90f65be7734a977cb84f96f378e1c91d0 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 29 Jul 2015 09:04:32 -0600
Subject: [PATCH] Standardize minvalue for ipasearchrecordlimit and sizelimit
 for unlimited option

https://fedorahosted.org/freeipa/ticket/4023
---
 API.txt| 164 ++---
 VERSION|   4 +-
 ipalib/plugins/baseldap.py |   8 +--
 3 files changed, 88 insertions(+), 88 deletions(-)

diff --git a/API.txt b/API.txt
index 6ab30ddab41715fdbccb4f37aa1852621bca62b4..e588fe538251e84e26358abfb507dd7fce8c597f 100644
--- a/API.txt
+++ b/API.txt
@@ -272,8 +272,8 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
 option: IA5Str('automountinformation', attribute=True, autofill=False, cli_name='info', multivalue=False, query=True, required=False)
 option: IA5Str('automountkey', attribute=True, autofill=False, cli_name='key', multivalue=False, query=True, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('sizelimit?', autofill=False, minvalue=-1)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
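Review bot: Lowering `minvalue` to -1 on `sizelimit?` and `timelimit?` leaves 0 valid as well, so each option now admits two values a caller could take to mean unlimited, and neither definition carries a doc string saying which one does. Document the meaning of -1 and of 0 on both options, or reject the one that is not meant to be used. The remaining hunks in API.txt repeat this change and need the same treatment.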
@@ -336,8 +336,8 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
 option: Str('cn', attribute=True, autofill=False, cli_name='location', multivalue=False, primary_key=True, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('sizelimit?', autofill=False, minvalue=-1)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -411,8 +411,8 @@ option: IA5Str('automountmapname', attribute=True, autofill=False, cli_name='map
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('sizelimit?', autofill=False, minvalue=-1)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -555,8 +555,8 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',))
-option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('sizelimit?', autofill=False, minvalue=-1)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',))
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
@@ -711,8 +711,8 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult
 option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
-option: Int('sizelimit?', autofill=False, minvalue=0)
-option: Int('timelimit?', autofill=False, minvalue=0)
+option: Int('sizelimit?', autofill=False, minvalue=-1)
+option: Int('timelimit?', autofill=False, minvalue=-1)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
 output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -831,8 +831,8 @@ option: Int('cospriority', attribute=True, autofill=False, 

[Freeipa-devel] [PATCH 0052] Add Chromium configuration note under Chrome section in ssbrowser

2015-07-29 Thread Gabe Alford
Hello,

As Chromium and Chrome are configured similarly but are configured in
different /etc directories, this patch adds a note to the Chrome section in
ssbrowser.html stating that.

Thanks,

Gabe
From a7fb316d3cc273531947768e6b93c656a6bad1bb Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 29 Jul 2015 07:38:15 -0600
Subject: [PATCH] Add Chromium configuration note to ssbrowser

- As Chromium and Chrome share most of the same code base but are
  configured in different locations, add a note showing the different
  configuration locations.

A part of https://fedorahosted.org/freeipa/ticket/823
---
 install/html/ssbrowser.html | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/html/ssbrowser.html b/install/html/ssbrowser.html
index 685800e16e6e77c70adf905acfca2996513d1e1d..b88deac900fb1d5a1a5960741512593f9b7f3b15 100644
--- a/install/html/ssbrowser.html
+++ b/install/html/ssbrowser.html
@@ -134,6 +134,11 @@
 /code/div
 /li
 /ol
+ol
+p
+strongNote:/strong If using Chromium, use code/etc/chromium/policies/managed//code instead of code/etc/opt/chrome/policies/managed//code for the two SPNEGO Chrome configuration steps above.
+/p
+/ol
 
 h2Internet Explorer/h2
 p
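Review bot: The added note is a `p` placed directly inside a new `ol` with no `li` around it, which is not valid list markup and is likely to render with list indentation but no item number. Drop the `ol` wrapper and keep the `p`, or move the note into an `li` of the preceding list if it is meant to read as part of those steps.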
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi

2015-07-21 Thread Gabe Alford
Hello,

   Would you mind formatting your patch following the format described
at http://www.freeipa.org/page/Contribute/Patch_Format and attach the patch
to this thread? Please attach your patch to the corresponding trac ticket
as well.

thanks,

Gabe

On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek msima...@redhat.com
wrote:

 - Original Message -
  From: Christian Heimes chei...@redhat.com
  To: freeipa-devel@redhat.com, msima...@redhat.com
  Sent: Tuesday, July 21, 2015 2:23:06 PM
  Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library
 to python-gssapi
 
  On 2015-07-21 14:02, Michael Simacek wrote:
   Hi,
  
   This is a first part of my effort to port FreeIPA from
 Python3-incompatible
   Kerberos libraries to python-gssapi. This patch should replace
   python-kerberos
   with python-gssapi (both use C GSSAPI behind the scenes).
 
def _handle_exception(self, e, service=None):
   -(major, minor) = ipautil.get_gsserror(e)
   -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
   +# kerberos library coerced error codes to signed, gssapi uses
   unsigned
   +minor = e.min_code - (1  32)
   +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 
  The unsigned to sign conversion is not correct. Although it doesn't make
  a difference here, please use the technical correct way:
 
  minor = e.min_code
  if minor & (1 << 31):
      minor -= 1 << 32
 
  or if you prefer hex:
 
  if minor & 0x80000000:
      minor -= 0x100000000
 

 Fixed, thank you. Hopefully, when FreeIPA will use python-gssapi
 everywhere, such coercions won't be needed.

 --
 Michael Simacek



 From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001
 From: Michael Simacek msima...@redhat.com
 Date: Thu, 16 Jul 2015 18:22:00 +0200
 Subject: [PATCH] Port from python-kerberos library to python-gssapi

 kerberos library doesn't support Python 3 and probably never will.
 python-gssapi library is Python 3 compatible.
 ---
  BUILD.txt|  2 +-
  freeipa.spec.in  |  2 +-
  ipalib/rpc.py| 44 +++-
  ipalib/util.py   | 14 +++---
  ipapython/ipautil.py | 17 -
  5 files changed, 32 insertions(+), 47 deletions(-)

 diff --git a/BUILD.txt b/BUILD.txt
 index 6a28beb..53012b1 100644
 --- a/BUILD.txt
 +++ b/BUILD.txt
 @@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel
 libtalloc-devel \
  libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel
 krb5-devel \
  krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \
  autoconf automake m4 libtool gettext python-devel python-ldap \
 -python-setuptools python-krbV python-nss python-netaddr python-kerberos \
 +python-setuptools python-krbV python-nss python-netaddr python-gssapi \
  python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python
 python-memcached \
  sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \
  check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \
 diff --git a/freeipa.spec.in b/freeipa.spec.in
 index fef20e1..5e10022 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -72,7 +72,7 @@ BuildRequires:  python-krbV
  BuildRequires:  python-nss
  BuildRequires:  python-cryptography
  BuildRequires:  python-netaddr
 -BuildRequires:  python-kerberos = 1.1-14
 +BuildRequires:  python-gssapi = 1.1.1
  BuildRequires:  python-rhsm
  BuildRequires:  pyOpenSSL
  BuildRequires:  pylint = 1.0
 diff --git a/ipalib/rpc.py b/ipalib/rpc.py
 index 466b49a..9e8c97d 100644
 --- a/ipalib/rpc.py
 +++ b/ipalib/rpc.py
 @@ -44,7 +44,7 @@ from urllib2 import urlparse

  from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy,
  Transport, ProtocolError, MININT, MAXINT)
 -import kerberos
 +import gssapi
  from dns import resolver, rdatatype
  from dns.exception import DNSException
  from nss.error import NSPRError
 @@ -510,24 +510,29 @@ class KerbTransport(SSLTransport):
  
  Handles Kerberos Negotiation authentication to an XML-RPC server.
  
 -flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 +flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,
 +
 [gssapi.RequirementFlag.mutual_authentication,
 +
  gssapi.RequirementFlag.out_of_sequence_detection])

  def _handle_exception(self, e, service=None):
 -(major, minor) = ipautil.get_gsserror(e)
 -if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 +# kerberos library coerced error codes to signed, gssapi uses
 unsigned
 +minor = e.min_code
 +if minor  (1  31):
 +minor -= 1  32
 +if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
  raise errors.ServiceError(service=service)
 -elif minor[1] == KRB5_FCC_NOFILE:
 +elif minor == KRB5_FCC_NOFILE:
  raise errors.NoCCacheError()
 -elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
 +elif minor == 
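
The signed/unsigned point from the review reply in this message, as an added example that is not part of the patch or of either poster's text: the patch comment says gssapi reports minor codes unsigned, while the krb5 constants are compared as signed 32-bit values. Helper names are hypothetical, and the constant's numeric value comes from MIT krb5's error table, not from this page.

```python
"""Signed vs. unsigned GSSAPI minor status codes.

Added illustration; helper names are hypothetical. The constant is the signed
value of the krb5 error named in the patch: error-table base -1765328384 plus
KDC error code 7.
"""
import struct

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328384 + 7


def to_signed32(code):
    """Reinterpret an unsigned 32-bit status code as signed (two's complement)."""
    if not 0 <= code < (1 << 32):
        raise ValueError("not an unsigned 32-bit value: %r" % (code,))
    if code & (1 << 31):      # top bit set: negative when read as signed
        code -= 1 << 32
    return code


def always_subtract(code):
    """The first version of the patch: subtract 2**32 unconditionally.
    Right for codes with the top bit set, wrong for every smaller code."""
    return code - (1 << 32)


def to_unsigned32(code):
    """Inverse mapping, for keeping the constants unsigned instead."""
    if not -(1 << 31) <= code < (1 << 31):
        raise ValueError("not a signed 32-bit value: %r" % (code,))
    return code & 0xFFFFFFFF


def struct_signed32(code):
    """Cross-check: let struct do the same reinterpretation."""
    return struct.unpack("<i", struct.pack("<I", code))[0]


def is_principal_unknown(min_code):
    """Compare an unsigned minor code with the signed constant."""
    return to_signed32(min_code) == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


if __name__ == "__main__":
    wire = to_unsigned32(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
    # Constructed inputs: the krb5 code above and a small positive code.
    for code in (wire, 13):
        print(code, to_signed32(code), always_subtract(code))
```
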

Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Gabe Alford
On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum npmccal...@redhat.com
wrote:

 I definitely see both models finding use.


+1


 - Original Message -
  Yeah, user creation requires manual intervention; an admin has to move
  the user from staging to the main user tree.
 
  It could be pretty easily modified to allow totally automated self
  sign-up though
 


Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert

2015-07-08 Thread Gabe Alford
Thanks, Martin. Updated patch attached.

I was getting a 'No newline at the end of file' in my environment, hence an
extra '\n' at the end.
Please let me know if you see the same thing.

Thanks,

Gabe

On Wed, Jul 1, 2015 at 2:54 AM, Martin Basti mba...@redhat.com wrote:

  On 01/07/15 09:05, Martin Basti wrote:

 On 30/06/15 17:31, Gabe Alford wrote:

  On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote:

   On 16/06/15 16:58, Gabe Alford wrote:

  I know you guys are busy. Bump for review.

  Thanks,

  Gabe

 On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:

   Hello,

  Fix for https://fedorahosted.org/freeipa/ticket/3809

  Thanks,

  Gabe




   I'm getting certificate on server without extra '\n' at the end.

 So certificate files are not the same.


  I assume you did a diff of the server /etc/ipa/ca.crt and the client
 /etc/ipa/ca.crt, right? Did you set up a server and then connect a client
 (just wonder what your steps were so that I can also reproduce)?


 Yes. I did that.

 I will retest it today.

  Retested and ca.cert on client has extra '\n' at the end.




 --
 Martin Basti




 --
 Martin Basti





 --
 Martin Basti


From b63860a9dd8db042f07796ea9fefc13b619b1b8b Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 8 Jul 2015 08:02:10 -0600
Subject: [PATCH] Fix client ca.crt to match the server's cert

https://fedorahosted.org/freeipa/ticket/3809
---
 ipalib/x509.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index edd73ebdc3b3732d326cd8f414bc957f1e4deb87..092d451c66801ff9311e5af4146678dd949d15cc 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -264,7 +264,7 @@ def make_pem(data):
 Convert a raw base64-encoded blob into something that looks like a PE
 file with lines split to 64 characters and proper headers.
 
-pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
+pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
 return '-BEGIN CERTIFICATE-\n' + \
 pemcert + \
 '\n-END CERTIFICATE-'
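Review bot: Only the separator between the 64-character body lines changes to `'\r\n'`; the `BEGIN CERTIFICATE` and `END CERTIFICATE` lines are still attached with `'\n'`, so make_pem() now returns text with mixed line endings. If the server's ca.crt really uses CRLF, use the same ending for the header and footer, and say in the commit message which writer the output is meant to match, since the thread describes the difference as an extra '\n' at the end of the file, not as the line separator.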
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert

2015-06-30 Thread Gabe Alford
On Tue, Jun 30, 2015 at 8:51 AM, Martin Basti mba...@redhat.com wrote:

  On 16/06/15 16:58, Gabe Alford wrote:

  I know you guys are busy. Bump for review.

  Thanks,

  Gabe

 On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com
 wrote:

   Hello,

  Fix for https://fedorahosted.org/freeipa/ticket/3809

  Thanks,

  Gabe




  I'm getting certificate on server without extra '\n' at the end.

 So certificate files are not the same.


I assume you did a diff of the server /etc/ipa/ca.crt and the client
/etc/ipa/ca.crt, right? Did you set up a server and then connect a client
(just wonder what your steps were so that I can also reproduce)?



 --
 Martin Basti



Re: [Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert

2015-06-16 Thread Gabe Alford
I know you guys are busy. Bump for review.

Thanks,

Gabe

On Tue, May 26, 2015 at 8:16 AM, Gabe Alford redhatri...@gmail.com wrote:

 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/3809

 Thanks,

 Gabe


Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-05 Thread Gabe Alford
How should
https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be
handled where the user cleared out the db cache?

On Fri, Jun 5, 2015 at 9:08 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Fri, Jun 05, 2015 at 05:03:08PM +0200, Martin Basti wrote:
  On 05/06/15 16:13, Gabe Alford wrote:
  Hello,
  
   Fix for https://fedorahosted.org/freeipa/ticket/5049
  
  Thanks,
  
  Gabe
  
  
  Thank you.
 
  I don't think we should remove all SSSD caches.
 
  SSSD can have configured several providers not just IPA.
  IMO we should remove only IPA related caches, but wait for SSSD guys for
  their opinion.

 You could use the python configAPI SSSD has to query which SSSD domains
 are active.

 But if the uninstall script removes sss from nsswitch.conf maybe it's
 enough to remove the memcache (/var/lib/sss/mc/), the persistent cache
 will not be reachable at all.


Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-05 Thread Gabe Alford
Thanks. Updated patch attached.

On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek jhro...@redhat.com wrote:

 On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote:
  How should
  https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be
  handled where the user cleared out the db cache?

 Ah, I confused that one with another issue Jan Pazdziora had, which was
 incidentally about client uninstall as well.

 In that case, you can just remove the single ldb file that corresponds
 to the domain that the client is leaving. Maybe it would be safer to mv
 the files instead of remove them, but I guess if you run --uninstall,
 you really want just to purge everything..

 btw do the ipa installer tools support multiple domains at all?


From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 5 Jun 2015 11:27:46 -0600
Subject: [PATCH] Clear SSSD caches when uninstalling the client

https://fedorahosted.org/freeipa/ticket/5049
---
 ipa-client/ipa-install/ipa-client-install | 13 +
 ipaplatform/base/paths.py |  1 +
 2 files changed, 14 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 63e3c9800791f3d29c977d63815c4291f5a235b9..a7a4e9780081559398bbbaa5b0e062dabb9e6f98 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -628,6 +628,19 @@ def uninstall(options, env):
 Failed to remove krb5/LDAP configuration: %s, str(e))
 return CLIENT_INSTALL_ERROR
 
+# Clean up the SSSD cache before SSSD service is stopped or restarted
+remove_file(paths.SSSD_MC_GROUP)
+remove_file(paths.SSSD_MC_PASSWD)
+
+ipa_domain = domain.get_option('ipa_domain')
+sssd_domain_ldb = cache_ + ipa_domain + .ldb
+sssd_ldb_file = os.path.join(paths.SSSD_DB, sssd_domain_ldb)
+remove_file(sssd_ldb_file)
+
+sssd_domain_ccache = ccache_ + ipa_domain.upper()
+sssd_ccache_file = os.path.join(paths.SSSD_DB, sssd_domain_ccache)
+remove_file(sssd_domain_ccache)
+
 # Next if-elif-elif construction deals with sssd.conf file.
 # Old pre-IPA domains are preserved due merging the old sssd.conf
 # during the installation of ipa-client but any new domains are
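
Review bot: the last added line calls remove_file(sssd_domain_ccache), which is the bare file name, so the joined path in sssd_ccache_file is computed and never used, and the ccache under paths.SSSD_DB is not the file being removed. It should read remove_file(sssd_ccache_file). The ldb and ccache names are also built from ipa_domain on the assumption that the SSSD domain section carries the same name as the IPA domain; a short comment stating that assumption, or taking the name from the sssd.conf domain that is being removed, would make the cleanup safer on hosts with several SSSD domains.
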
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ba87523b5619188f02bdad6c23d2446a2c4b0f2..8bee3e7c5862a3815987fa1bd55fa90e25b95ebc 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -289,6 +289,7 @@ class BasePathNamespace(object):
 KRA_BACKUP_KEYS_P12 = /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12
 KRACERT_P12 = /root/kracert.p12
 SAMBA_DIR = /var/lib/samba/
+SSSD_DB = /var/lib/sss/db
 SSSD_MC_GROUP = /var/lib/sss/mc/group
 SSSD_MC_PASSWD = /var/lib/sss/mc/passwd
 SSSD_PUBCONF_KNOWN_HOSTS = /var/lib/sss/pubconf/known_hosts
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0050] Fix client ca.crt to match the server's cert

2015-05-26 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/3809

Thanks,

Gabe
From b6a852f82e9335ac04fb5d9b96f31013fb2a3bdb Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 26 May 2015 08:06:12 -0600
Subject: [PATCH] Fix client ca.crt to match the server's cert

https://fedorahosted.org/freeipa/ticket/3809
---
 ipalib/x509.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index a87dbf4130c60b1b1daf8bbb2ffb81c208f2529c..5f94478194939ee2c5ac01dbeaae1edb9f4d14a0 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -264,10 +264,10 @@ def make_pem(data):
 Convert a raw base64-encoded blob into something that looks like a PE
 file with lines split to 64 characters and proper headers.
 
-pemcert = '\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
+pemcert = '\r\n'.join([data[x:x+64] for x in range(0, len(data), 64)])
 return '-BEGIN CERTIFICATE-\n' + \
 pemcert + \
-'\n-END CERTIFICATE-'
+'\n-END CERTIFICATE-\n'
 
 def normalize_certificate(rawcert):
 
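
Review bot: in make_pem the body lines are now joined with '\r\n' while the BEGIN and END lines still use '\n', so the generated PEM has mixed line endings. If the goal is a byte-for-byte match with the server's /etc/ipa/ca.crt, pick one line ending for the whole file and say in the commit message which format is being matched. The added trailing '\n' after the END line changes the output for every caller of make_pem, not only the client ca.crt path, so the other callers need checking for a doubled newline.
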
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0048] fix ipa help command output errors

2015-05-22 Thread Gabe Alford
Hello,

This should fix https://fedorahosted.org/freeipa/ticket/3584, and as
requested in the ticket, this should also fix
https://fedorahosted.org/freeipa/ticket/2284

Thanks,

Gabe
From 3d4e7b60287f30e70455facb0035fa30df913c34 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 22 May 2015 07:52:58 -0600
Subject: [PATCH] Fix ipa help command output errors

- Allow ipa help command to run when ipa-client-install is not configured
- Do not print traceback when pipe is broken

https://fedorahosted.org/freeipa/ticket/3584
https://fedorahosted.org/freeipa/ticket/2284
---
 ipalib/cli.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index fc6e2303919d4db724d97f839d9a1b71752dfc10..52529ea02c35a8119a5fb2397d7302d170e81526 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -799,7 +799,10 @@ class help(frontend.Local):
 
 def _writer(self, outfile):
 def writer(string=''):
-print  outfile, unicode(string)
+try:
+print  outfile, unicode(string)
+except IOError:
+pass
 return writer
 
 def print_topics(self, outfile):
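
Review bot: the new except IOError: pass in writer() discards every I/O error on outfile, not only the broken pipe from the ticket, so a full disk or a closed file would be ignored just as silently. Catch the exception as e, return quietly only when e.errno == errno.EPIPE, and re-raise otherwise. Since writer() is called once per output line, it may also be cleaner to handle the broken pipe once in the caller so the command stops producing output after the reader has gone away.
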
@@ -1333,7 +1336,7 @@ def run(api):
 api.register(klass)
 api.load_plugins()
 api.finalize()
-if not 'config_loaded' in api.env:
+if not 'config_loaded' in api.env and not 'help' in argv:
 raise NotConfiguredError()
 sys.exit(api.Backend.cli.run(argv))
 except KeyboardInterrupt:
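
Review bot: not 'help' in argv in the changed condition is true for any argument equal to 'help' at any position, so an unconfigured client skips NotConfiguredError whenever that word appears among the arguments of another command. Test the position where the command name is expected instead, and write the membership tests as 'config_loaded' not in api.env, which reads more clearly than not ... in.
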
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0048] fix ipa help command output errors

2015-05-22 Thread Gabe Alford
On Fri, May 22, 2015 at 9:01 AM, Martin Basti mba...@redhat.com wrote:

  On 22/05/15 16:08, Gabe Alford wrote:

  Hello,

  This should fix https://fedorahosted.org/freeipa/ticket/3584, and as
 requested in the ticket, this should also fix
 https://fedorahosted.org/freeipa/ticket/2284

  Thanks,

  Gabe


  Thank you!

 IMO your first part of fix only mask issue, not solving it.

 This could be way, but I did not test it.

 out_encoding = getattr(outfile, 'encoding', None)
 if out_encoding is None:
 out_encoding = 'utf-8'
 print  outfile,  unicode(string).encode(out_encoding)


I'm confused and maybe missing something here. If I run `ipa help dns |
bad_command`, shouldn't the command fail with only the following?

-bash: bad: command not found




 Can you split this patch into 2 separate patches for each ticket please?


Done


 Martin^2

 --
 Martin Basti


From bea5786dbf6363c6bae541c347b3dd98d7dc23bd Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 22 May 2015 09:19:03 -0600
Subject: [PATCH] Allow ipa help command to run when ipa-client-install is not
 configured

https://fedorahosted.org/freeipa/ticket/3584
---
 ipalib/cli.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index fc6e2303919d4db724d97f839d9a1b71752dfc10..398b5486339ad6930b7b11a53a2b7e6d90903371 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -1333,7 +1333,7 @@ def run(api):
 api.register(klass)
 api.load_plugins()
 api.finalize()
-if not 'config_loaded' in api.env:
+if not 'config_loaded' in api.env and not 'help' in argv:
 raise NotConfiguredError()
 sys.exit(api.Backend.cli.run(argv))
 except KeyboardInterrupt:
-- 
1.8.3.1

From 7b12c4a2818e776f48045eca51027fd5f6df6286 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 22 May 2015 09:25:08 -0600
Subject: [PATCH] Do not print traceback when pipe is broken

https://fedorahosted.org/freeipa/ticket/2284
---
 ipalib/cli.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 398b5486339ad6930b7b11a53a2b7e6d90903371..52529ea02c35a8119a5fb2397d7302d170e81526 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -799,7 +799,10 @@ class help(frontend.Local):
 
 def _writer(self, outfile):
 def writer(string=''):
-print  outfile, unicode(string)
+try:
+print  outfile, unicode(string)
+except IOError:
+pass
 return writer
 
 def print_topics(self, outfile):
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent

2015-05-05 Thread Gabe Alford
Thanks Petr. I thought I had grepped all that out. Guess I didn't do it
from the top of the tree.

Updated patch attached.

On Tue, May 5, 2015 at 5:15 AM, Petr Vobornik pvobo...@redhat.com wrote:

 On 04/30/2015 07:43 PM, Gabe Alford wrote:

 Thanks Kyle and Petr.

 Update patch attached.


 Renaming the buttons also requires to update webui integration tests in
 ipatests/test_webui, quick search:
   ipatests/test_webui/test_realmdomains.py:42,48
   ipatests/test_webui/ui_driver.py:1221,1246,1464,1483




 On Wed, Apr 29, 2015 at 7:59 AM, Kyle Baker kyba...@redhat.com wrote:


 - Original Message -

 On 04/27/2015 03:03 PM, Gabe Alford wrote:

 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/4926

 Thanks,

 Gabe


 PatternFly has new recommendations for terminology and wording [1]. I'm
 not entirely sure if the usage of 'save' here is good. PF defines 'edit'
 as the recommended term. The page doesn't say if 'save' is not
 recommended, though. Save seems to me as a confirmation of editing.


 Yes I think save would be best here based on the message given.

 Thanks for checking out the Terminology screen!


 Kyle, could you advise what is the best term for reflecting user changes
 and for confirmation of this action?

 Technical notes:
 1. it would be better to add a new string and then use it in the button
 instead of having 'Save' text for '@i18n:buttons.update' definition.

 2. String changes in internal.py should be also reflected in
 install/ui/test/data/ipa_init.json (for static web ui demo).

 3. optional: in addition to text change, buttons and related actions
 could also be renamed (same reasons as in 1). It's more proper but much
 more complicated.


 [1]

 https://www.patternfly.org/styles/terminology-and-wording/#action-labels

 --
 Petr Vobornik





 --
 Petr Vobornik

From 03863c17968a182b5e1857c0cb57ebb956576021 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 5 May 2015 06:33:27 -0600
Subject: [PATCH] Unsaved changes dialog internally inconsistent

https://fedorahosted.org/freeipa/ticket/4926
---
 install/ui/src/freeipa/details.js| 30 +++---
 install/ui/src/freeipa/dns.js|  2 +-
 install/ui/src/freeipa/ipa.js|  8 
 install/ui/test/data/ipa_init.json   |  2 ++
 install/ui/util/make-ui.sh   |  2 +-
 ipalib/plugins/internal.py   |  2 ++
 ipatests/test_webui/test_realmdomains.py |  4 ++--
 ipatests/test_webui/ui_driver.py |  8 
 8 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index 7aa4c0ef6541900d6fa5b14b16ec964b50349015..e428dc90875a1ad567a13f379aa5ca079e47b672 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -453,8 +453,8 @@ exp.facet_policies = IPA.facet_policies = function(spec) {
  * - sets name, title, label if not present
  * - adds default actions and related buttons
  *   - refresh
- *   - reset
- *   - update
+ *   - revert
+ *   - save
  * - adds dirty state evaluator
  *
  * @member details
@@ -472,21 +472,21 @@ exp.details_facet_pre_op = function(spec, context) {
 spec.actions = spec.actions || [];
 spec.actions.unshift(
 'refresh',
-'reset',
-'update');
+'revert',
+'save');
 
 spec.control_buttons = spec.control_buttons || [];
 
 if (!spec.no_update) {
 spec.control_buttons.unshift(
 {
-name: 'reset',
-label: '@i18n:buttons.reset',
+name: 'revert',
+label: '@i18n:buttons.revert',
 icon: 'fa-undo'
 },
 {
-name: 'update',
-label: '@i18n:buttons.update',
+name: 'save',
+label: '@i18n:buttons.save',
 icon: 'fa-upload'
 });
 }
@@ -1404,8 +1404,8 @@ exp.refresh_action = IPA.refresh_action = function(spec) {
 exp.reset_action = IPA.reset_action = function(spec) {
 
 spec = spec || {};
-spec.name = spec.name || 'reset';
-spec.label = spec.label || '@i18n:buttons.reset';
+spec.name = spec.name || 'revert';
+spec.label = spec.label || '@i18n:buttons.revert';
 spec.enable_cond = spec.enable_cond || ['dirty'];
 
 var that = IPA.action(spec);
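
Review bot: in this hunk the default spec.name becomes 'revert' while the factory is still exp.reset_action / IPA.reset_action (the next hunk does the same for update_action with 'save'), so the action name and the function that builds it no longer match. Either rename the factories along with the defaults or leave a comment on each one explaining that reset_action backs the 'revert' action, otherwise a later search for 'revert' will not find its implementation.
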
@@ -1426,8 +1426,8 @@ exp.reset_action = IPA.reset_action = function(spec) {
 exp.update_action = IPA.update_action = function(spec) {
 
 spec = spec || {};
-spec.name = spec.name || 'update';
-spec.label = spec.label || '@i18n:buttons.update';
+spec.name = spec.name || 'save';
+spec.label = spec.label || '@i18n:buttons.save';
 spec.needs_confirm = spec.needs_confirm !== undefined ? spec.needs_confirm : false;
 spec.enable_cond = spec.enable_cond || ['dirty'];
 
@@ -2007,8 +2007,8 @@ exp.register = function() {
 var f = reg.facet;
 
 a.register

Re: [Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent

2015-04-30 Thread Gabe Alford
Thanks Kyle and Petr.

Update patch attached.

On Wed, Apr 29, 2015 at 7:59 AM, Kyle Baker kyba...@redhat.com wrote:


 - Original Message -
  On 04/27/2015 03:03 PM, Gabe Alford wrote:
   Hello,
  
   Fix for https://fedorahosted.org/freeipa/ticket/4926
  
   Thanks,
  
   Gabe
  
 
  PatternFly has new recommendations for terminology and wording [1]. I'm
  not entirely sure if the usage of 'save' here is good. PF defines 'edit'
  as the recommended term. The page doesn't say if 'save' is not
  recommended, though. Save seems to me as a confirmation of editing.

 Yes I think save would be best here based on the message given.

 Thanks for checking out the Terminology screen!

 
  Kyle, could you advise what is the best term for reflecting user changes
  and for confirmation of this action?
 
  Technical notes:
  1. it would be better to add a new string and then use it in the button
  instead of having 'Save' text for '@i18n:buttons.update' definition.
 
  2. String changes in internal.py should be also reflected in
  install/ui/test/data/ipa_init.json (for static web ui demo).
 
  3. optional: in addition to text change, buttons and related actions
  could also be renamed (same reasons as in 1). It's more proper but much
  more complicated.
 
 
  [1]
 https://www.patternfly.org/styles/terminology-and-wording/#action-labels
  --
  Petr Vobornik
 

From 45ea1a7804b76f73a3a83b1452f83b5895614986 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 30 Apr 2015 11:39:34 -0600
Subject: [PATCH] Unsaved changes dialog internally inconsistent

https://fedorahosted.org/freeipa/ticket/4926
---
 install/ui/src/freeipa/details.js  | 30 +++---
 install/ui/src/freeipa/dns.js  |  2 +-
 install/ui/src/freeipa/ipa.js  |  8 
 install/ui/test/data/ipa_init.json |  2 ++
 ipalib/plugins/internal.py |  2 ++
 5 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index 7aa4c0ef6541900d6fa5b14b16ec964b50349015..e428dc90875a1ad567a13f379aa5ca079e47b672 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -453,8 +453,8 @@ exp.facet_policies = IPA.facet_policies = function(spec) {
  * - sets name, title, label if not present
  * - adds default actions and related buttons
  *   - refresh
- *   - reset
- *   - update
+ *   - revert
+ *   - save
  * - adds dirty state evaluator
  *
  * @member details
@@ -472,21 +472,21 @@ exp.details_facet_pre_op = function(spec, context) {
 spec.actions = spec.actions || [];
 spec.actions.unshift(
 'refresh',
-'reset',
-'update');
+'revert',
+'save');
 
 spec.control_buttons = spec.control_buttons || [];
 
 if (!spec.no_update) {
 spec.control_buttons.unshift(
 {
-name: 'reset',
-label: '@i18n:buttons.reset',
+name: 'revert',
+label: '@i18n:buttons.revert',
 icon: 'fa-undo'
 },
 {
-name: 'update',
-label: '@i18n:buttons.update',
+name: 'save',
+label: '@i18n:buttons.save',
 icon: 'fa-upload'
 });
 }
@@ -1404,8 +1404,8 @@ exp.refresh_action = IPA.refresh_action = function(spec) {
 exp.reset_action = IPA.reset_action = function(spec) {
 
 spec = spec || {};
-spec.name = spec.name || 'reset';
-spec.label = spec.label || '@i18n:buttons.reset';
+spec.name = spec.name || 'revert';
+spec.label = spec.label || '@i18n:buttons.revert';
 spec.enable_cond = spec.enable_cond || ['dirty'];
 
 var that = IPA.action(spec);
@@ -1426,8 +1426,8 @@ exp.reset_action = IPA.reset_action = function(spec) {
 exp.update_action = IPA.update_action = function(spec) {
 
 spec = spec || {};
-spec.name = spec.name || 'update';
-spec.label = spec.label || '@i18n:buttons.update';
+spec.name = spec.name || 'save';
+spec.label = spec.label || '@i18n:buttons.save';
 spec.needs_confirm = spec.needs_confirm !== undefined ? spec.needs_confirm : false;
 spec.enable_cond = spec.enable_cond || ['dirty'];
 
@@ -2007,8 +2007,8 @@ exp.register = function() {
 var f = reg.facet;
 
 a.register('refresh', exp.refresh_action);
-a.register('reset', exp.reset_action);
-a.register('update', exp.update_action);
+a.register('revert', exp.reset_action);
+a.register('save', exp.update_action);
 a.register('object', exp.object_action);
 a.register('enable', exp.enable_action);
 a.register('disable', exp.disable_action);
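
Review bot: the registry keys change from 'reset' and 'update' to 'revert' and 'save' with no alias left behind, so any facet spec or test that still asks for the old action names will no longer resolve. Search the whole tree from the top level for the old names (other modules under install/ui/src/freeipa and the web UI tests) and update them in the same patch, or register the old names as aliases for a transition period.
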
@@ -2026,4 +2026,4 @@ exp.register = function() {
 phases.on('registration', exp.register);
 
 return exp;
-});
\ No newline at end of file
+});
diff --git a/install/ui/src/freeipa/dns.js b/install/ui/src/freeipa/dns.js
index 7b66c8674a761a67025d1c4cfe3f7126b2cf9f68

[Freeipa-devel] [PATCH 0046] Remove unneeded --ip-address option in ipa-adtrust-install

2015-04-27 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4575

Thanks,

Gabe
From 6c9ac52a18df8bbce33db09c16494159258ff104 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Wed, 15 Apr 2015 09:18:58 -0600
Subject: [PATCH] Remove unneeded ip-address option in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/4575
---
 install/tools/ipa-adtrust-install   | 25 +
 install/tools/man/ipa-adtrust-install.1 |  3 ---
 ipaserver/install/adtrustinstance.py|  4 +---
 3 files changed, 2 insertions(+), 30 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 6e55bbe3e57f1c609398dc571e90cb8677d91a33..3f8f2105bcaf15bc577aeb87ca4bb0d068909b6e 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -39,8 +39,6 @@ def parse_options():
 parser = IPAOptionParser(version=version.VERSION)
 parser.add_option(-d, --debug, dest=debug, action=store_true,
   default=False, help=print debugging information)
-parser.add_option(--ip-address, dest=ip_address,
-  type=ip, ip_local=True, help=Master Server IP Address)
 parser.add_option(--netbios-name, dest=netbios_name,
   help=NetBIOS name of the IPA domain)
 parser.add_option(--no-msdcs, dest=no_msdcs, action=store_true,
@@ -291,37 +289,16 @@ def main():
 options.enable_compat = enable_compat_tree()
 
 # Check we have a public IP that is associated with the hostname
-ip = None
 try:
 hostaddr = resolve_host(api.env.host)
 if len(hostaddr)  1:
 print  sys.stderr, The server hostname resolves to more than one address:
 for addr in hostaddr:
 print  sys.stderr,   %s % addr
-
-if options.ip_address:
-if str(options.ip_address) not in hostaddr:
-print  sys.stderr, Address passed in --ip-address did not match any resolved
-print  sys.stderr, address!
-sys.exit(1)
-print Selected IP address:, str(options.ip_address)
-ip = options.ip_address
-else:
-if options.unattended:
-print  sys.stderr, Please use --ip-address option to specify the address
-sys.exit(1)
-else:
-ip = read_ip_address(api.env.host, fstore)
-else:
-ip = hostaddr and ipautil.CheckedIPAddress(hostaddr[0], match_local=True)
 except Exception, e:
-print Error: Invalid IP Address %s: %s % (ip, e)
 print Aborting installation
 sys.exit(1)
 
-ip_address = str(ip)
-root_logger.debug(will use ip_address: %s\n, ip_address)
-
 admin_password = options.admin_password
 if not (options.unattended or admin_password):
 admin_password = read_admin_password(options.admin_name)
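
Review bot: after this hunk the try block only resolves api.env.host and lists the addresses when there is more than one; nothing validates the result any more, although the comment above still says "Check we have a public IP that is associated with the hostname". The removed ipautil.CheckedIPAddress(hostaddr[0], match_local=True) call was the only check that the address is local, and an empty hostaddr now passes silently. Either keep a validation step without storing the result, or update the comment to match. The except branch also lost its "Error: ..." line, so it prints only "Aborting installation" and never uses e; print the exception so the failure can be diagnosed.
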
@@ -406,7 +383,7 @@ def main():
 smb = adtrustinstance.ADTRUSTInstance(fstore)
 smb.realm = api.env.realm
 smb.autobind = ipaldap.AUTOBIND_ENABLED
-smb.setup(api.env.host, ip_address, api.env.realm, api.env.domain,
+smb.setup(api.env.host, api.env.realm, api.env.domain,
   netbios_name, reset_netbios_name,
   options.rid_base, options.secondary_rid_base,
   options.no_msdcs, options.add_sids,
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index b0aa8ceefc34698329b2a13d3adbcb204f08b3a9..a32eefb0e2dd4334b6dc3597b3643743ead56847 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -41,9 +41,6 @@ might be affected as well.
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
-\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
-The IP address of the IPA server. If not provided then this is determined based on the hostname of the server.
-.TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined
 based on the leading component of the DNS domain name. Running
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b4d644fdbf784dd7936adc8eb085f4825cab797e..92c05f26a10c8f90bbe62ae9f6723d5e22ff3833 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -108,7 +108,6 @@ class ADTRUSTInstance(service.Service):
 FALLBACK_GROUP_NAME = u'Default SMB Group'
 
 def __init__(self, fstore=None):
-self.ip_address = None
 self.netbios_name = None
 self.reset_netbios_name = None
 self.no_msdcs = None
@@ -774,11 +773,10 @@ class ADTRUSTInstance(service.Service):
  LDAPI_SOCKET = self.ldapi_socket,
  FQDN = self.fqdn)
 
-def setup(self, fqdn, ip_address, realm_name, domain_name, netbios_name,
+ 

[Freeipa-devel] [PATCH 0047] Unsaved changes dialog inconsistent

2015-04-27 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4926

Thanks,

Gabe
From 053f7dd53e9d1acd6dec4688ab515f138d832ef4 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Mon, 27 Apr 2015 06:49:25 -0600
Subject: [PATCH] Unsaved changes dialog internally inconsistent

- Change Update button text to Save
- Change Reset button text to Revert

https://fedorahosted.org/freeipa/ticket/4926
---
 ipalib/plugins/internal.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index b85f2d077110128963e26ccf0f43e21141c46f4a..a88d0b8bf3f4632faf98e269363c6e9b523eefa1 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -218,14 +218,14 @@ class i18n_messages(Command):
 ok: _(OK),
 refresh: _(Refresh),
 remove: _(Delete),
-reset: _(Reset),
+reset: _(Revert),
 reset_password_and_login: _(Reset Password and Login),
 restore: _(Restore),
 retry: _(Retry),
 revoke: _(Revoke),
 set: _(Set),
 unapply: (Un-apply),
-update: _(Update),
+update: _(Save),
 view: _(View),
 },
 details: {
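
Review bot: the keys stay reset and update while their translated text becomes Revert and Save, so '@i18n:buttons.update' now renders a label that does not match its key. Add new revert and save entries and point the buttons at them, leaving the existing strings untouched for any other user, and mirror the change in install/ui/test/data/ipa_init.json. The commit message lists the two text changes but does not say why the keys were kept.
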
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0082] Update python-yubico dependency version

2015-04-22 Thread Gabe Alford
Ack.

Thanks,

Gabe

On Wed, Apr 22, 2015 at 1:45 PM, Nathaniel McCallum npmccal...@redhat.com
wrote:

 On Tue, 2015-03-31 at 10:25 -0400, Nathaniel McCallum wrote:
  This change enables support for all current YubiKey hardware.

 Can someone please review this patch?

 Nathaniel


Re: [Freeipa-devel] [PATCH 001] Remove recommendation from ipa-adtrust-install

2015-04-20 Thread Gabe Alford
Ack from me.

Thanks,

Gabe

On Fri, Apr 10, 2015 at 7:35 AM, Thorsten Scherf tsch...@redhat.com wrote:




Re: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install

2015-04-07 Thread Gabe Alford
Stupid me. I realized that chronyd was running which messed up my testing
and such (sorry about that). New patch attached that implements 'else'

On Tue, Apr 7, 2015 at 2:32 AM, Martin Basti mba...@redhat.com wrote:

  On 02/04/15 17:47, Gabe Alford wrote:

  On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote:

   On 30/03/15 15:25, Gabe Alford wrote:

   Hello,

  With the merging of ticket 4842
 https://fedorahosted.org/freeipa/ticket/4842, I believe that half of
 ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been
 done. This patch just adds a message that says that NTP configuration was
 skipped which I believe should finish 3092
 https://fedorahosted.org/freeipa/ticket/3092.

  Thanks,

  Gabe


   Hello, thank you for the patch.

 1)
 IMO there should be:
 if *not* options.conf_ntp


  So, if --no-ntp is not specified, print message that the client is
 skipping NTP sync?

 Yes, or did I miss something? I thought the message should be shown only if
 --no-ntp option is used.

 With your current patch:

 # ipa-client-install --no-ntp
 no ntp related output
 no INFO msg: skipping...

 # ipa-client-install
 output omitted /
 Attempting to sync time using ntpd.  Will timeout after 15 seconds
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Please check that 123 UDP port is opened.
 Skipping synchronizing time with IPA NTP server.
 output omitted /

 But in this case the client did synchronization with NTP (which failed),
 IMO the message Skipping ... should not be there.
 This message is shown even the synchronization with NTP is successful.



  2)
 wouldn't be better to use just else?


  I actually ran ipa-client-install with no options on a system where I
 used 'else', and it printed the skipping NTP sync when it should not have.
  That is why the patch does not use 'else'.

 Interesting, I expected the messages only on client installed on IPA
 server, or with using --no-ntp option




 Martin

 --
 Martin Basti



 --
 Martin Basti


From 4422cab165a648d8657be70d1deea1b0a834f183 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 7 Apr 2015 08:54:30 -0600
Subject: [PATCH] Add message for skipping NTP configuration during client
 install

https://fedorahosted.org/freeipa/ticket/3092
---
 ipa-client/ipa-install/ipa-client-install | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index e31d83dc98d411d281c9913af6cd45b41e2b51a1..1590a08600bbb1b2fd7f4c3338b5060156d7dc38 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2343,6 +2343,8 @@ def install(options, env, fstore, statestore):
 root_logger.warning(Unable to sync time with IPA NTP  +
 server, assuming the time is in sync. Please check  +
 that 123 UDP port is opened.)
+else:
+root_logger.info('Skipping synchronizing time with IPA NTP server.')
 
 if not options.unattended:
 if (options.principal is None and options.password is None and
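
Review bot: the added else: must close the outer check that decides whether NTP is configured, not the sync-result test that logs the "Unable to sync time" warning just above it; with the indentation as posted here that cannot be confirmed, so please verify with one run with --no-ntp and one without. The info message would also be more useful if it stated why the sync was skipped.
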
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install

2015-04-02 Thread Gabe Alford
On Thu, Apr 2, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote:

  On 30/03/15 15:25, Gabe Alford wrote:

   Hello,

  With the merging of ticket 4842
 https://fedorahosted.org/freeipa/ticket/4842, I believe that half of
 ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been done.
 This patch just adds a message that says that NTP configuration was skipped
 which I believe should finish 3092
 https://fedorahosted.org/freeipa/ticket/3092.

  Thanks,

  Gabe


  Hello, thank you for the patch.

 1)
 IMO there should be:
 if *not* options.conf_ntp


So, if --no-ntp is not specified, print message that the client is skipping
NTP sync?


 2)
 wouldn't be better to use just else?


I actually ran ipa-client-install with no options on a system where I used
'else', and it printed the skipping NTP sync when it should not have.
That is why the patch does not use 'else'.



 Martin

 --
 Martin Basti



[Freeipa-devel] [PATCH 0045] Add message for skipping NTP configuration during client install

2015-03-30 Thread Gabe Alford
Hello,

With the merging of ticket 4842
https://fedorahosted.org/freeipa/ticket/4842, I believe that half of
ticket 3092 https://fedorahosted.org/freeipa/ticket/3092 has been done.
This patch just adds a message that says that NTP configuration was skipped
which I believe should finish 3092
https://fedorahosted.org/freeipa/ticket/3092.

Thanks,

Gabe
From 77a8b703acb81b36b11a250660b834a72c7a2f4c Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Mon, 30 Mar 2015 07:09:05 -0600
Subject: [PATCH] Add message for skipping NTP configuration during client
 install

https://fedorahosted.org/freeipa/ticket/3092
---
 ipa-client/ipa-install/ipa-client-install | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index e31d83dc98d411d281c9913af6cd45b41e2b51a1..c021eb0ec94284aaa5fb4ed66011e6a9b5b879c4 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2344,6 +2344,9 @@ def install(options, env, fstore, statestore):
 server, assuming the time is in sync. Please check  +
 that 123 UDP port is opened.)
 
+if options.conf_ntp:
+root_logger.info('Skipping synchronizing time with IPA NTP server.')
+
 if not options.unattended:
 if (options.principal is None and options.password is None and
 options.prompt_password is False and options.keytab is None):
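Review bot: the added `if options.conf_ntp:` guard looks inverted for the text it logs. The option name reads as "configure NTP", so this branch would print 'Skipping synchronizing time with IPA NTP server.' exactly when NTP configuration is wanted; if `--no-ntp` is what clears `conf_ntp`, the test should be `if not options.conf_ntp:`. The new lines are also placed directly after the existing warning that ends 'that 123 UDP port is opened.', so it is worth confirming that a single run cannot log both that warning and the skip message.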
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master

2015-03-13 Thread Gabe Alford
On Thu, Mar 12, 2015 at 8:26 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/12/2015 02:37 PM, Gabe Alford wrote:
  Hello,
 
  Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there seems
 to
  be plenty of time, I added it to the freeipa-4-1 branch.

 Thanks Gabe! I would still suggest against moving the tickets to milestones
 yourself, all new tickets should still undergo the weekly triage so that
 all
 core developers see it and we can decide the target milestone.


Sorry about that.


 With this one, it would likely indeed end in 4.1.x, especially given you
 contributed a patch, but still...

 For the patch itself, I still think the wording is not as should be:

 - following line is not entirely true, you can create a replica also
 on servers installed with ipa-replica-install :-)
 +A replica can be created on any IPA master server installed with
 ipa\-server\-install.

 - Following line may also use some rewording:
 However if you want to create a replica as a redundant CA with an existing
 replica or master, ipa\-replica\-prepare should be run on a replica or
 master
 that contains the CA.

 Maybe we should add subsection to DESCRIPTION section, with following
 lines:


What should the .SS be called? Replica Info? PKI INFO? Preparation
Requirements?


 - A replica should only be installed on the same or higher version of IPA
 on
 the remote system.

- A replica with PKI can only be installed from replica file prepared on a
 master with PKI

Makes sense?


We will see if the coffee is working today. :)


 Martin


Re: [Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master

2015-03-13 Thread Gabe Alford
Limitations is fine with me. Updated patch attached.

On Fri, Mar 13, 2015 at 7:17 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/13/2015 02:13 PM, Gabe Alford wrote:

 On Thu, Mar 12, 2015 at 8:26 AM, Martin Kosek mko...@redhat.com wrote:

 On 03/12/2015 02:37 PM, Gabe Alford wrote:
   Hello,
  
   Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there
 seems to
   be plenty of time, I added it to the freeipa-4-1 branch.

 Thanks Gabe! I would still suggest against moving the tickets to
 milestones
 yourself, all new tickets should still undergo the weekly triage so
 that all
 core developers see it and we can decide the target milestone.


 Sorry about that.

 With this one, it would likely indeed end in 4.1.x, especially given
 you
 contributed a patch, but still...

 For the patch itself, I still think the wording is not as should be:

 - following line is not entirely true, you can create a replica also
 on servers installed with ipa-replica-install :-)
 +A replica can be created on any IPA master server installed with
 ipa\-server\-install.

 - Following line may also use some rewording:
 However if you want to create a replica as a redundant CA with an
 existing
 replica or master, ipa\-replica\-prepare should be run on a replica
 or master
 that contains the CA.

 Maybe we should add subsection to DESCRIPTION section, with following
 lines:


 What should the .SS be called? Replica Info? PKI INFO? Preparation
 Requirements?


 Limitations?




 - A replica should only be installed on the same or higher version of
 IPA on
 the remote system.

 - A replica with PKI can only be installed from replica file prepared
 on a
 master with PKI

 Makes sense?


 We will see if the coffee is working today. :)

 Martin




From 1a679b80db8b577b531a3bc825340f06e56b9886 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Fri, 13 Mar 2015 07:34:49 -0600
Subject: [PATCH] ipa-replica-prepare can only be created on the first master

- https://fedorahosted.org/freeipa/ticket/4944
---
 install/tools/man/ipa-replica-prepare.1 | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 1879d2ee88fc78fb755a702a2b2fe9a93e153b45..4c5ad3e8e49798eb33667903f2de1f35d83596c0 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -24,15 +24,17 @@ ipa\-replica\-prepare [\fIOPTION\fR]... hostname
 .SH DESCRIPTION
 Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server.
 
-A replica can only be created on an IPA server installed with ipa\-server\-install (the first server).
+A replica can be created on any IPA master or replica server.
 
 You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
 
 If IPA manages the DNS for your domain, you should either use the \fB\-\-ip\-address\fR option or add the forward and reverse records manually using IPA plugins.
 
 Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
-
+.SS LIMITATIONS
 A replica should only be installed on the same or higher version of IPA on the remote system.
+
+A replica with PKI can only be installed from a replica file prepared on a master with PKI.
 .SH OPTIONS
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
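Review bot: the replaced DESCRIPTION line now says a replica can be created on any IPA master or replica server, while the commit subject still reads "ipa-replica-prepare can only be created on the first master", so the log will state the opposite of what the man page documents; reword the subject to match. In the new `.SS LIMITATIONS` block, the carried-over sentence "on the same or higher version of IPA on the remote system" does not say which side has to be the newer one, and since it is being moved under a heading anyway this is a good moment to make it explicit.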
-- 
1.8.3.1


[Freeipa-devel] [PATCH 0044] Man pages: ipa-replica-prepare can only be created on first master

2015-03-12 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4944. Since there seems to
be plenty of time, I added it to the freeipa-4-1 branch.

Thanks,

Gabe
From 0887f4f4595e62ce4d24f1b031418e47da7586fb Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Thu, 12 Mar 2015 07:26:34 -0600
Subject: [PATCH] ipa-replica-prepare can only be created on the first master

- https://fedorahosted.org/freeipa/ticket/4944
---
 install/tools/man/ipa-replica-prepare.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1
index 1879d2ee88fc78fb755a702a2b2fe9a93e153b45..8d97c27b36b54d5ce95bd85f0d9adb4022a6ecfb 100644
--- a/install/tools/man/ipa-replica-prepare.1
+++ b/install/tools/man/ipa-replica-prepare.1
@@ -24,7 +24,7 @@ ipa\-replica\-prepare [\fIOPTION\fR]... hostname
 .SH DESCRIPTION
 Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server.
 
-A replica can only be created on an IPA server installed with ipa\-server\-install (the first server).
+A replica can be created on any IPA master server installed with ipa\-server\-install. However if you want to create a replica as a redundant CA with an existing replica or master, ipa\-replica\-prepare should be run on a replica or master that contains the CA.
 
 You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
 
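Review bot: the new sentence still restricts replica preparation to a server "installed with ipa\-server\-install", which reads as excluding servers that were themselves set up from a replica file; if any master or replica can prepare a replica file, drop that qualifier. The second added sentence ("create a replica as a redundant CA with an existing replica or master") is hard to parse and would be clearer as a separate paragraph stating that the replica file must be prepared on a server that has the CA.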
-- 
1.8.3.1


Re: [Freeipa-devel] Time-based account policies

2015-03-10 Thread Gabe Alford
On Tue, Mar 10, 2015 at 9:51 AM, Stanislav Láznička s...@seznam.cz wrote:

 On 03/10/2015 04:06 PM, Jakub Hrozek wrote:

 On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:

 This is where importing iCal is helpful because it allows you to
 outsource the task of creating such event to something else.

 Parsing event information would produce a rule definition we would store
 and SSSD would apply as HBAC rule. However, we don't need ourselves to
 provide a complex UI to define such rules. Instead, we can do a simple
 UI to create rules plus a UI to import rules defined in iCal by some
 other software. The rest is visualizing HBAC time/date rules which is
 separate from dealing with complexity of creating or importing rules.

 Additionally, for iCal-based imports we can utilize participants
 information from the iCal to automatically set up members of the rule
 (based on mail attribute).

  Ah, makes sense to me.

 With all the possibilities that iCal format offers, we would more or
 less end
 up storing iCal in HBAC rules (or our own format of iCal). I am just
 concerned
 it would make a bit complex processing on SSSD side, especially in the
 security
 sensitive piece for authorization rules.

 We may need to use libraries for processing iCal rules, like libical
 (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...

 Is that what Alexander said, though? In his reply, I see:
  Parsing event information would produce a rule definition we would
  store and SSSD would apply as HBAC rule.

 This is what kind of worried me, too. If I understand it well, this means
 you would have iCal events such as holidays (these were mentioned before),
 and you would like to generate HBAC rules based on these events. Those
 rules would, however, be different for each country (if this is still about
 holidays) and might collide among user and host groups. Therefore, you
 would have lots and lots of rules in the end, wouldn't you?

 I wonder if anyone does that. From what I've seen in AD and 389 Directory
 Server, time-based rules are being stored in a rather simple manner. I
 don't mind a more complex solution but I think such exceptions might be
 little too much. But I might have not understood the idea very well.


This is my understanding as well. If using AD as the example, there are two
ways that timebased rules are configured:
 1. Permit logon hours during specified timeframe on specified day(s)
of the week.
 2. Deny logon hours during specified timeframe on specified day(s) of
the week.

There is nothing about holidays. I think that implementing holidays and
special exemptions should be avoided.

Just my 2 cents.

Gabe


  I don't think iCal dependency is something we want in SSSD, the
 rules should be converted from iCal to SSSD format in a layer atop
 libipa_hbac..



Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise

2015-02-26 Thread Gabe Alford
Yeah. That makes more sense. Updated patch attached.

Thanks,

Gabe

On Wed, Feb 25, 2015 at 3:55 PM, Tomas Babej tba...@redhat.com wrote:

  Hi Gabe,

 sorry for not being clear. This approach will not work:

 +class TestAdvice(BaseTestInvalidAdvice,
 + BaseTestFedoraAuthconfig,
 + BaseTestFreeBSDNSSPAM,
 + BaseTestGenericNSSPAM,
 + BaseTestGenericSSSDBefore19,
 + BaseTestRedHatNSS,
 + BaseTestRedHatNSSPAM,
 + BaseTestRedHatSSSDBefore19,
 + BaseTestAdvice):
 +pass

 By combining all the base classes into one, you will not get the desired
 effect (which is to run the test_advice method for each advice_id). Let me
 explain why:

 The test runner works in the following way: it inspects any discovered
 class whose name begins with Test, and executes each of its methods whose
 name begins with test as a test case.

 If the test runner inspects the TestAdvice class, the only method
 beginning with test, which it will see, is the test_advice which was
 inherited back from BaseTestAdvice class. So we can safely conclude the
 test runner will only run 1 test case.

 Which one, you may ask? Well, since the test_advice behaviour is fully
 determined by the values of advice_id, advice_regex and raiseerr
 attributes, let's look at their values in TestAdvice class. This class does
 not define attributes with such names, so we move along the inheritance
 chain (also called MRO) - the first class from which we inherit is
 BaseTestInvalidAdvice, and this class defines all three mentioned
 attributes.

 Hence the only test that will be run is the test for invalid advice :)

 Now, how to fix this? The easiest approach would be to abandon the
 approach with the separate classes, and map each class to a test method in
 the TestAdvice class, like this (from the top of my head):

 +class TestAdvice(IntegrationTest):
 +topology = 'line'
 +
 +def test_invalid_advice(self):
 +advice_id = 'invalid-advise-param'
 +advice_regex = invalid[\s]+\'advice\'.*
 +raiseerr = False
 +# Obtain the advice from the server
 +tasks.kinit_admin(self.master)
 +result = self.master.run_command(['ipa-advise', self.advice_id],
 + raiseonerr=self.raiseerr)
 +
 +if not result.stdout_text:
 +advice = result.stderr_text
 +else:
 +advice = result.stdout_text
 +
 +assert re.search(self.advice_regex, advice, re.S)
 +
 +def test_advice_fedora_authconfig(self):
 +advice_id = 'config-fedora-authconfig'
 +advice_regex = \#\!\/bin\/sh.* \
 +   authconfig[\s]+\-\-enableldap[\s]+ \
 +   \-\-ldapserver\=.*[\s]+\-\-enablerfc2307bis[\s]+
 \
 +   \-\-enablekrb5
 +raiseonerr = True
 +# Obtain the advice from the server
 +tasks.kinit_admin(self.master)
 +result = self.master.run_command(['ipa-advise', self.advice_id],
 + raiseonerr=self.raiseerr)
 +
 +if not result.stdout_text:
 +advice = result.stderr_text
 +else:
 +advice = result.stdout_text
 +
 +assert re.search(self.advice_regex, advice, re.S)
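Review bot: both test methods assign their settings to locals (`advice_id`, `advice_regex`, `raiseerr`) and then read `self.advice_id`, `self.advice_regex` and `self.raiseerr`, which this `TestAdvice(IntegrationTest)` sketch never sets, so the `run_command` and `re.search` calls would not see the values just assigned. Use the locals directly or pass them to a shared helper; note too that `test_advice_fedora_authconfig` names its local `raiseonerr` while still passing `raiseonerr=self.raiseerr`.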

 ... the same for the remaining 6 cases

 Now, this pattern has lots of duplicated code which can be extracted to a
 helper method, I just thought it would help to be more explicit to get the
 idea across. In the end you can achieve the same level of conciseness as
 with the separate test classes. Good luck!

 HTH,

 Tomas




 On 02/25/2015 03:52 PM, Gabe Alford wrote:

  No worries about the delay. Thanks for taking the time! Updated patch
 attached.

  Thanks,

  Gabe

 On Tue, Feb 24, 2015 at 11:03 AM, Tomas Babej tba...@redhat.com wrote:

  Hi Gabe,

 sorry for the delay. Here comes the review!

  1.) All the tests fail, since the IPA master is not installed at all:

 def test_advice(self):
 # Obtain the advice from the server
tasks.kinit_admin(self.master)

 test_integration/test_advise.py:37:
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
 _ _
 test_integration/tasks.py:484: in kinit_admin
 stdin_text=host.config.admin_password)
 ../pytest_multihost/host.py:222: in run_command
 command.wait(raiseonerr=raiseonerr)
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
 _ _

 self = pytest_multihost.transport.SSHCommand object at 0x7f09c0530c90
 raiseonerr = True

 def wait(self, raiseonerr=True):
 Wait for the remote process to exit

 Raises an excption if the exit code is not 0, unless raiseonerr 
 is
 true.
 
 if self._done:
 return self.returncode

 self._end_process()

 self._done = True

 if raiseonerr and self.returncode
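
The inheritance behaviour described in the quoted review above, as an added example that is not part of the thread or of the FreeIPA test suite: it shows that a class combining several `BaseTest*` bases exposes a single `test_advice` whose attributes resolve to the first base in the MRO, and that one method per advice id restores full coverage. `fake_ipa_advise`, its sample output, `BaseTestConstructed` and the id `config-example-constructed` are assumptions made for the illustration.

```python
import re

# Constructed stand-in for `ipa-advise <id>`; the texts are sample data, not real output.
FAKE_ADVICE = {
    "config-fedora-authconfig": (
        "#!/bin/sh\n"
        "authconfig --enableldap --ldapserver=ldap.example.test "
        "--enablerfc2307bis --enablekrb5\n"
    ),
    "config-example-constructed": "#!/bin/sh\necho constructed advice\n",
}

EXERCISED = []  # advice ids that a test method actually requested


def fake_ipa_advise(advice_id, raiseonerr=True):
    """Hypothetical replacement for master.run_command(['ipa-advise', id])."""
    EXERCISED.append(advice_id)
    if advice_id in FAKE_ADVICE:
        return FAKE_ADVICE[advice_id]
    if raiseonerr:
        raise RuntimeError("ipa-advise exited with a non-zero return code")
    return "invalid 'advice': %s" % advice_id


class BaseTestAdvice(object):
    advice_id = None
    advice_regex = ""
    raiseerr = None

    def test_advice(self):
        advice = fake_ipa_advise(self.advice_id, raiseonerr=self.raiseerr)
        assert re.search(self.advice_regex, advice, re.S)


class BaseTestInvalidAdvice(BaseTestAdvice):
    advice_id = "invalid-advise-param"
    advice_regex = r"invalid[\s]+'advice'.*"
    raiseerr = False


class BaseTestFedoraAuthconfig(BaseTestAdvice):
    advice_id = "config-fedora-authconfig"
    advice_regex = r"authconfig[\s]+--enableldap[\s]+--ldapserver=.*--enablekrb5"
    raiseerr = True


class BaseTestConstructed(BaseTestAdvice):  # hypothetical third case
    advice_id = "config-example-constructed"
    advice_regex = r"constructed advice"
    raiseerr = True


# The combined class from the review: three bases, but still one test method.
class TestAdviceCombined(BaseTestInvalidAdvice, BaseTestFedoraAuthconfig,
                         BaseTestConstructed, BaseTestAdvice):
    pass


# The suggested fix: one test method per advice id, sharing a helper.
class TestAdvicePerMethod(object):
    def _check(self, advice_id, advice_regex, raiseerr):
        advice = fake_ipa_advise(advice_id, raiseonerr=raiseerr)
        assert re.search(advice_regex, advice, re.S)

    def test_invalid_advice(self):
        self._check("invalid-advise-param", r"invalid[\s]+'advice'.*", False)

    def test_advice_fedora_authconfig(self):
        self._check("config-fedora-authconfig",
                    r"authconfig[\s]+--enableldap[\s]+--ldapserver=.*--enablekrb5",
                    True)

    def test_advice_constructed(self):
        self._check("config-example-constructed", r"constructed advice", True)


def collected_tests(cls):
    """Mimic the runner: every callable attribute whose name starts with 'test'."""
    return sorted(n for n in dir(cls)
                  if n.startswith("test") and callable(getattr(cls, n)))


def defining_class(cls, attr):
    """Walk the MRO and name the first class that defines attr itself."""
    for klass in cls.__mro__:
        if attr in vars(klass):
            return klass.__name__
    return None


def run_class(cls):
    """Run every collected test on one instance; return the advice ids exercised."""
    del EXERCISED[:]
    instance = cls()
    for name in collected_tests(cls):
        getattr(instance, name)()
    return list(EXERCISED)


if __name__ == "__main__":
    print(collected_tests(TestAdviceCombined), run_class(TestAdviceCombined))
    print(collected_tests(TestAdvicePerMethod), run_class(TestAdvicePerMethod))
```
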

Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise

2015-02-25 Thread Gabe Alford
No worries about the delay. Thanks for taking the time! Updated patch
attached.

Thanks,

Gabe

On Tue, Feb 24, 2015 at 11:03 AM, Tomas Babej tba...@redhat.com wrote:

  Hi Gabe,

 sorry for the delay. Here comes the review!

1.) All the tests fail, since the IPA master is not installed at all:

 def test_advice(self):
 # Obtain the advice from the server
tasks.kinit_admin(self.master)

 test_integration/test_advise.py:37:
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
 _
 test_integration/tasks.py:484: in kinit_admin
 stdin_text=host.config.admin_password)
 ../pytest_multihost/host.py:222: in run_command
 command.wait(raiseonerr=raiseonerr)
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
 _

 self = pytest_multihost.transport.SSHCommand object at 0x7f09c0530c90
 raiseonerr = True

 def wait(self, raiseonerr=True):
 Wait for the remote process to exit

 Raises an excption if the exit code is not 0, unless raiseonerr is
 true.
 
 if self._done:
 return self.returncode

 self._end_process()

 self._done = True

 if raiseonerr and self.returncode:
 self.log.error('Exit code: %s', self.returncode)
raise subprocess.CalledProcessError(self.returncode, self.argv)
 E   CalledProcessError: Command '['kinit', 'admin']' returned 
 non-zero exit status 1


 Similarly for other tests. This is caused by the fact that you did not
 set topology in the BaseTestAdvise class, like this:

 --- a/ipatests/test_integration/test_advise.py
 +++ b/ipatests/test_integration/test_advise.py
 @@ -31,6 +31,7 @@ class BaseTestAdvise(IntegrationTest, object):
  advice_id = None
  raiseerr = None
  advice_regex = ''
 +topology = 'line'

 2.) BaseTestAdvise inherits from IntegrationTest and from object.
 Explicitly specifying object as superclass is not needed, IntegrationTest
 already inherits from it.

 3.) I think there is no good incentive to separate the test cases into
 multiple classes. Each test class adds overhead of installing and
 uninstalling IPA server, to guarantee a clean and sane environment.
 However, it seems to be an overkill for testing ipa-advise command, which
 should be read-only anyway. By squashing the tests into one test class, we
 will decrease the run time of this test more than 8-fold.

 4.) The patch adds a whitespace error.

 The test cases themselves are looking fine, and when I fixed the missing
 topology, they all passed. So this is a question of fixing the above
 issues, and we should be ready to push.

 Tomas



freeipa-rga-0039-2-ipatests-Add-tests-for-valid-and-invalid-ipa-advise.patch
Description: Binary data
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH 0042] ipa-replica-prepare should document ipv6 options

2015-02-25 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4877. I just took what was
in the ticket.

Thanks,

Gabe


freeipa-rga-0042-ipa-replica-prepare-should-document-ipv6-options.patch
Description: Binary data

Re: [Freeipa-devel] [PATCH 0039] Add test case for unsupported arg for ipa-advise

2015-02-17 Thread Gabe Alford
Hello,

I was wondering if I could get a review of this patch.

Thanks,

Gabe

On Thursday, January 29, 2015, Gabe Alford redhatri...@gmail.com wrote:

 Hello,

Here is a patch for https://fedorahosted.org/freeipa/ticket/4029 I
 added test cases for valid and invalid advice.

 Thanks,

 Gabe

 On Wed, Jan 14, 2015 at 10:23 AM, Tomas Babej tba...@redhat.com wrote:


 On 01/14/2015 06:13 PM, Gabe Alford wrote:

  On Wed, Jan 14, 2015 at 10:05 AM, Tomas Babej tba...@redhat.com wrote:


 On 01/14/2015 06:00 PM, Tomas Babej wrote:


 On 01/14/2015 05:37 PM, Tomas Babej wrote:


 On 01/14/2015 02:55 PM, Gabe Alford wrote:

   Hello,

 In looking into https://fedorahosted.org/freeipa/ticket/4029 I
 am wondering if there should be separate ipa-advise test, Yes/No? Could be
 handy in the future to test more ipa-advise output? Or should this test be
 added to the test_legacy_clients.py?

  Thanks,

  Gabe

 On Tue, Dec 2, 2014 at 9:21 PM, Gabe Alford redhatri...@gmail.com wrote:

  Hello,

 I was going to try my hand at attempting a patch for ipa-tests. However
 in wanting to test my patch, I am not sure how to run ipa-tests to check if
 it works or not. Documentation is not really clear on what needs to be done
 to start a test and run a test. This is for
 https://fedorahosted.org/freeipa/ticket/4029

  I have attached the patch that I have yet to really test with
 ipa-test. Any help on how to test the patch running ipa-tests would be
 great. Of course, if one of the reviewers looks at the patch and looks
 good, then I would be happy with that as well.

  Thanks,

 Gabe






 Hello,

 TL;DR: feel free to create a separate ipa-advise test file. Test
 requested in this ticket really does not belong to the legacy clients
 feature test.

 As for the any new tests that might come: I think tests for ipa-advise
 that are specific to that particular feature should be tested with that
 feature, more so, if they contain parts that are supposed to work
 copy-pasted. If a test, however, tests a general behaviour of ipa-advise,
 it should live in the ipa-advise namespace, hence separate test file.

 HTH,

 --
 Tomas Babej
 Associate Software Engineer | Red Hat | Identity Management
 RHCE | Brno Site | IRC: tbabej | freeipa.org


  The attached patch looks fine, although, please also test for a
 non-zero return code number.


 Upon hitting send I noticed you did not include raiseonerr=False into
 the run_command call. You need to do that, otherwise an exception will be
 raised, since ipa-advise exited with non-zero return code.

 Thanks Tomas.

  Which do you prefer: a test_advise.py or an update to the existing
 patch?


 A new test file, as I pointed out in the second email :) sorry for
 splitting.

 However, it would be the best if you could spin up a positive test as
 well (maybe listing out available advices), not just this negative one, to
 justify the overhead reinstalling IPA for testing this feature.



 --
 Tomas Babej
 Associate Software Engineer | Red Hat | Identity Management
 RHCE | Brno Site | IRC: tbabej | freeipa.org


 --
 Tomas Babej
 Associate Software Engineer | Red Hat | Identity Management
 RHCE | Brno Site | IRC: tbabej | freeipa.org



 --
 Tomas Babej
 Associate Software Engineer | Red Hat | Identity Management
 RHCE | Brno Site | IRC: tbabej | freeipa.org




Re: [Freeipa-devel] [PATCH 0041] permission-add does not prompt for ipapermright option in interactive mode

2015-02-11 Thread Gabe Alford
Oops. My mistake. Corrected patch attached.

On Wed, Feb 11, 2015 at 8:59 AM, Martin Basti mba...@redhat.com wrote:

  Sorry, alwaysask didn't work.
 It was asking for rights during permission-mod.

 I replaced alwaysask with flag ask_create.
 Sorry for late catch.

 Updated patch attached.

 PS: your name+email is missing in commit message, is it on purpose? And
 time wasn't correct in previous patch.



 On 11/02/15 15:06, Gabe Alford wrote:

 Good point. I personally was not aware of all that the API can do. Thanks
 Martin^2! Updated patch attached.

 On Tue, Feb 10, 2015 at 11:42 AM, Martin Basti mba...@redhat.com wrote:

   On 29/01/15 17:10, Gabe Alford wrote:

   Hello,

  Fix for https://fedorahosted.org/freeipa/ticket/4872

  Thanks,

 Gabe



  Thank you for your patch.

 IMO, would be better to use flag, alwaysask for ipapermright, instead of
 creating new callback:

  StrEnum(
  'ipapermright*',
  cli_name='right',
  deprecated_cli_aliases={'permissions'},
  label=_('Granted rights'),
  doc=_('Rights to grant '
'(read, search, compare, write, add, delete, all)'),
  values=(u'read', u'search', u'compare',
  u'write', u'add', u'delete', u'all'),
 +alwaysask=True,
  ),

 This change requires to generate new API.txt

 please run ./makeapi  and increment API version in VERSION file.

 Thank you in advance :-)

 Martin^2

 --
 Martin Basti




 --
 Martin Basti




freeipa-rga-0041-3-permission-add-does-not-prompt-for-ipapermright-in-i.patch
Description: Binary data

Re: [Freeipa-devel] [PATCH 0041] permission-add does not prompt for ipapermright option in interactive mode

2015-02-11 Thread Gabe Alford
Good point. I personally was not aware of all that the API can do. Thanks
Martin^2! Updated patch attached.

On Tue, Feb 10, 2015 at 11:42 AM, Martin Basti mba...@redhat.com wrote:

  On 29/01/15 17:10, Gabe Alford wrote:

  Hello,

  Fix for https://fedorahosted.org/freeipa/ticket/4872

  Thanks,

 Gabe



  Thank you for your patch.

 IMO, would be better to use flag, alwaysask for ipapermright, instead of
 creating new callback:

  StrEnum(
  'ipapermright*',
  cli_name='right',
  deprecated_cli_aliases={'permissions'},
  label=_('Granted rights'),
  doc=_('Rights to grant '
'(read, search, compare, write, add, delete, all)'),
  values=(u'read', u'search', u'compare',
  u'write', u'add', u'delete', u'all'),
 +alwaysask=True,
  ),

 This change requires to generate new API.txt

 please run ./makeapi  and increment API version in VERSION file.

 Thank you in advance :-)

 Martin^2

 --
 Martin Basti




freeipa-rga-0041-2-permission-add-does-not-prompt-for-ipapermright-in-i.patch
Description: Binary data

[Freeipa-devel] [PATCH 0042] Typos in ipa-rmkeytab

2015-02-09 Thread Gabe Alford
Hello,

   Fix for https://fedorahosted.org/freeipa/ticket/4890

Thanks,

Gabe
From 6c760974951325419414ef4d474293c1af089004 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Mon, 9 Feb 2015 20:44:31 -0700
Subject: [PATCH] Typos in ipa-rmkeytab options help and man page

https://fedorahosted.org/freeipa/ticket/4890
---
 ipa-client/ipa-rmkeytab.c | 4 ++--
 ipa-client/man/ipa-rmkeytab.1 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipa-client/ipa-rmkeytab.c b/ipa-client/ipa-rmkeytab.c
index a2a292e3d6882f4c15f2134cdb8ff73a7159492f..3687b1dc7ea0ab4484af3385bb87c5b9155e53da 100644
--- a/ipa-client/ipa-rmkeytab.c
+++ b/ipa-client/ipa-rmkeytab.c
@@ -168,10 +168,10 @@ main(int argc, const char **argv)
 { debug, 'd', POPT_ARG_NONE, debug, 0,
   _(Print debugging information), _(Debugging output) },
 { principal, 'p', POPT_ARG_STRING, principal, 0,
-  _(The principal to get a keytab for (ex: ftp/ftp.example@example.com)),
+  _(The principal to remove from the keytab (ex: ftp/ftp.example@example.com)),
   _(Kerberos Service Principal Name) },
 { keytab, 'k', POPT_ARG_STRING, keytab, 0,
-  _(File were to store the keytab information), _(Keytab File Name) },
+  _(The keytab file to remove the principcal(s) from), _(Keytab File Name) },
 { realm, 'r', POPT_ARG_STRING, realm, 0,
   _(Remove all principals in this realm), _(Realm name) },
 POPT_AUTOHELP
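Review bot: the replacement help string for the `keytab` option introduces a new misspelling, "principcal(s)", in a change whose purpose is to fix typos; it should read "The keytab file to remove the principal(s) from" so the `--help` text matches the wording the same patch puts in the man page.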
diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1
index 4f4fcee2665c105c5cdab5f964e3295bea4b7997..53f775439dbdb5a4b9dfee7fe6c7277fce10893c 100644
--- a/ipa-client/man/ipa-rmkeytab.1
+++ b/ipa-client/man/ipa-rmkeytab.1
@@ -54,7 +54,7 @@ the entry from the local keytab.
 The non\-realm part of the full principal name.
 .TP
 \fB\-k keytab\-file\fR
-The keytab file to append the principal(s) from.
+The keytab file to remove the principal(s) from.
 .TP
 \fB\-r realm\fR
 A realm to remove all principals for.
-- 
2.1.0

