[Freeipa-devel] [freeipa PR#478][closed] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/478
Author: flo-renaud
 Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/478/head:pr478
git checkout pr478
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#478][+pushed] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"

Label: +pushed

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b4fa354f500bcf3ac23ee3805f2c166c6a635b92
https://fedorahosted.org/freeipa/changeset/ba8a10fbdb39cab672038e1a6dc9c7507070cdf9
https://fedorahosted.org/freeipa/changeset/97e838e10da3b42e3605d230e0b8e01b9148876f
https://fedorahosted.org/freeipa/changeset/0862e320916e0123df7e8505ba61229db0cb1e4a
https://fedorahosted.org/freeipa/changeset/6d34c2169fcd520cc726e58e01d008ae3637aad4
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-281072241

[Freeipa-devel] [freeipa PR#471][+pushed] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

Label: +pushed

[Freeipa-devel] [freeipa PR#471][closed] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

tiran commented:
"""
Or you could always clean up ```/root/.dogtag``` and remove the tmp dir when 
the var is not None.

By the way do you clean up ```/root/.dogtag``` during update?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281063403

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
The raised issues seem to have been fixed. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-281071960

[Freeipa-devel] [freeipa PR#471][+ack] Fix some privilege separation regressions

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

Label: +ack

[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py | 10 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7b..f951770 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-db.create_db(backup=True)
+db.create_db(mode=0o755, backup=True)
 os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
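Review bot: the commit message says the directory is created with mode 644, but the call passes `mode=0o755`; 0o755 is the right value for a directory that must be traversable by every local user, so the message should be corrected to match the code. With `mode=0o755` the per-file mode derived in `create_db` is `0o755 & 0o666 = 0o644`, which makes the explicit `os.chmod(..., 0o644)` calls on `cert8.db` and `key3.db` redundant; either drop them or keep them with a comment saying they are intentional.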
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf..b22c3c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 """
 dirmode = 0o750
 filemode = 0o640
+pwdfilemode = 0o640
 if mode is not None:
 dirmode = mode
 filemode = mode & 0o666
+pwdfilemode = mode & 0o660
 
 uid = -1
 gid = -1
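Review bot: the docstring whose closing `"""` opens this hunk should describe the new password-file rule: with no `mode` the password file stays 0o640, and with an explicit `mode` it gets `mode & 0o660`, so group members can still read it whenever `mode` grants group read. If the intent is that only the owner ever reads the password file, mask with 0o600 here and let callers that need group access pass `group=` explicitly.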
@@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 # Create the password file for this db
 with io.open(os.open(self.pwd_file,
  os.O_CREAT | os.O_WRONLY,
- filemode), 'w', closefd=True) as f:
+ pwdfilemode), 'w', closefd=True) as f:
 f.write(ipautil.ipa_generate_password())
 f.flush()
 
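Review bot: the mode passed to `os.open` only applies when the file is created and is further reduced by the process umask, so an already-existing password file keeps its old permissions and a strict umask can produce something tighter than `pwdfilemode`; the chmod pass later in `create_db` is what actually enforces the mode, which is worth a one-line comment here so the two places are not tuned independently.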
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 if os.path.exists(path):
 if uid != -1 or gid != -1:
 os.chown(path, uid, gid)
-os.chmod(path, filemode)
+if path == self.pwd_file:
+new_mode = pwdfilemode
+else:
+new_mode = filemode
+os.chmod(path, new_mode)
 tasks.restore_context(path)
 
 def list_certs(self):

From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 
 ipaserver/install/plugins/upload_cacrt.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
 """
 
 def execute(self, **options):
+ca_enabled = self.api.Command.ca_is_enabled()['result']
+if not ca_enabled:
+return False, []
+
 olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
 if not olddb.has_nickname('ipaCert'):
 # Nothign to do
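Review bot: the early return keys off `self.api.Command.ca_is_enabled()['result']`, but the updater docstring (its closing `"""` is in context) still does not say the migration is skipped in CA-less installs, and the bare `return False, []` deserves a comment explaining what the tuple means to the updater framework. While here, `Nothign` in the following comment line is a typo.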
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see .
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
 """
 
 def execute(self, **options):
-db = certs.CertDB(self.api.env.realm)
+db = 

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

stlaz commented:
"""
Always tend to forget about the upgrade part, will do, thanks  
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281069900

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
Note that `KRA_AGENT_PEM` will not be moved to the correct folder if KRA is not 
installed but that's fine with me.
`/bin/systemctl status  ipa_memcached.service` still shows the service as 
`running` although there's the strange line `Loaded: not-found (Reason: No such 
file or directory)`. That does not seem ok, should we stop the service as well?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-281029398

[Freeipa-devel] [freeipa PR#478][comment] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"

martbab commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/4a30e9d53475d60fb76242a098f1d969d6b19f75
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/478#issuecomment-281027818

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

MartinBasti commented:
"""
```
* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), 
CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), 
CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' 
member)
ipaserver/install/cainstance.py:831: [E1101(no-member), 
CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 
'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), 
CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 
'ra_agent_pwd' member)
* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), 
export_kra_agent_pem] Undefined variable 'tempfile')
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281060112

[Freeipa-devel] [freeipa PR#483][opened] lite-server: validate LDAP connection and cache schema

2017-02-20 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/483
Author: tiran
 Title: #483: lite-server: validate LDAP connection and cache schema
Action: opened

PR body:
"""
The LDAP schema cache makes the lite-server behave more like mod_wsgi.

See https://fedorahosted.org/freeipa/ticket/6679

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/483/head:pr483
git checkout pr483
From 210509a11067465be9a4a1bcf2d92f72d3cfb3b7 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 20 Feb 2017 11:58:17 +0100
Subject: [PATCH] lite-server: validate LDAP connection and cache schema

The LDAP schema cache makes the lite-server behave more like mod_wsgi.

See https://fedorahosted.org/freeipa/ticket/6679

Signed-off-by: Christian Heimes 
---
 contrib/lite-server.py | 34 --
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/contrib/lite-server.py b/contrib/lite-server.py
index 1df5004..9f2a813 100755
--- a/contrib/lite-server.py
+++ b/contrib/lite-server.py
@@ -51,10 +51,12 @@
 import optparse  # pylint: disable=deprecated-module
 import ssl
 import sys
+import time
 import warnings
 
 import ipalib
 from ipalib import api
+from ipalib.errors import NetworkError
 from ipalib.krb_utils import krb5_parse_ccache
 from ipalib.krb_utils import krb5_unparse_ccache
 
@@ -130,7 +132,7 @@ def loader(path):
 return loader
 
 
-def init_api():
+def init_api(ccname):
 """Initialize FreeIPA API from command line
 """
 parser = optparse.OptionParser()
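Review bot: `init_api` gains a `ccname` parameter but the docstring still only says "Initialize FreeIPA API from command line"; document that `ccname` is the credential cache used for the LDAP connection check added further down.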
@@ -167,6 +169,7 @@ def init_api():
 # workaround: AttributeError: locked: cannot set ldap2.time_limit to None
 api.env.mode = 'production'
 
+start_time = time.time()
 # pylint: disable=unused-variable
 options, args = api.bootstrap_with_global_options(parser, context='lite')
 api.env._merge(
@@ -177,6 +180,33 @@ def init_api():
 lite_pem=api.env._join('dot_ipa', 'lite.pem'),
 )
 api.finalize()
+api_time = time.time()
+api.log.info("API initialized in {:03f} sec".format(api_time - start_time))
+
+# Validate LDAP connection and pre-fetch schema
+# Pre-fetching makes the lite-server behave similar to mod_wsgi. werkzeug's
+# multi-process WSGI server forks a new process for each request while
+# mod_wsgi handles multiple request in a daemon process. Without schema
+# cache, every lite server request would download the LDAP schema and
+# distort performance profiles.
+ldap2 = api.Backend.ldap2
+try:
+if not ldap2.isconnected():
+ldap2.connect(ccache=ccname)
+except NetworkError as e:
+api.log.error("Unable to connect to LDAP: %s", e)
+api.log.error("lite-server needs a working LDAP connect. Did you "
+  "configure ldap_uri in '%s'?", api.env.conf_default)
+sys.exit(2)
+else:
+# prefetch schema
+assert ldap2.schema
+# Disconnect main process, each WSGI request handler subprocess will
+# must have its own connection.
+ldap2.disconnect()
+ldap_time = time.time()
+api.log.info("LDAP schema retrieved {:03f} sec".format(
+ldap_time - api_time))
 
 
 def redirect_ui(app):
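Review bot: `assert ldap2.schema` is used for its side effect (fetching the schema), but asserts are stripped under `python -O`, so the prefetch silently disappears in optimized runs; use a plain statement such as `schema = ldap2.schema` followed by an explicit `if schema is None:` check instead. Two smaller points: the format spec `{:03f}` means zero-padded width 3, not three decimal places (`{:.3f}` is what both log lines intend), and the comment `each WSGI request handler subprocess will must have its own connection` should read `must have`; the error text `needs a working LDAP connect` reads better as `connection`.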
@@ -209,7 +239,7 @@ def main():
 print("kinit\n", file=sys.stderr)
 sys.exit(1)
 
-init_api()
+init_api(ccname)
 
 if os.path.isfile(api.env.lite_pem):
 ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

stlaz commented:
"""
Hm, originally had this over the nsslib removal patchset but the rebase was not 
as successful as I thought, will fix the issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281061194

[Freeipa-devel] [freeipa PR#478][+ack] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-20 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/478
Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"

Label: +ack

[Freeipa-devel] [freeipa PR#482][opened] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
 Title: #482: Don't count service/host/user cert md5 fprints in FIPS
Action: opened

PR body:
"""
To be "backward compatible" we cannot remove `md5_fingerprint` so we at least 
supply the reason why it can't be counted.

https://fedorahosted.org/freeipa/ticket/5695
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/482/head:pr482
git checkout pr482
From 24550d5b26adae722c154c98949479e51d03fee7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 6 Jan 2017 09:08:52 +0100
Subject: [PATCH] Don't count service/host/user cert md5 fprints in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/plugins/cert.py   |  7 +--
 ipaserver/plugins/service.py|  9 +++--
 ipatests/test_xmlrpc/test_host_plugin.py|  6 +++---
 ipatests/test_xmlrpc/test_service_plugin.py | 18 ++
 ipatests/test_xmlrpc/xmlrpc_test.py |  6 +-
 5 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 0852197..595bed7 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -393,8 +393,11 @@ def _parse(self, obj, full=True):
 obj['valid_not_after'] = x509.format_datetime(
 cert.not_valid_after)
 if full:
-obj['md5_fingerprint'] = x509.to_hex_with_colons(
-cert.fingerprint(hashes.MD5()))
+if not self.api.env.fips_mode:
+obj['md5_fingerprint'] = x509.to_hex_with_colons(
+cert.fingerprint(hashes.MD5()))
+else:
+obj['md5_fingerprint'] = _("Not available in FIPS mode")
 obj['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
 
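Review bot: this hunk decides FIPS via `self.api.env.fips_mode` and stores the translatable `_("Not available in FIPS mode")`, while the service.py hunk in the same patch uses `tasks.is_fips_enabled()` and a different, untranslated string; pick one check and one placeholder so the two code paths cannot disagree on the same host. Also, putting a sentence into a field that otherwise carries a colon-separated hex digest forces every API consumer to special-case it; if the key must stay for compatibility, omitting it in FIPS mode is easier to detect programmatically than a message string.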
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 0c49808..a898eb6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -49,6 +49,7 @@
 from ipalib import output
 from ipapython import kerberos
 from ipapython.dn import DN
+from ipaplatform.tasks import tasks
 
 
 if six.PY3:
@@ -274,8 +275,12 @@ def set_certificate_attrs(entry_attrs):
 entry_attrs['valid_not_before'] = x509.format_datetime(
 cert.not_valid_before)
 entry_attrs['valid_not_after'] = x509.format_datetime(cert.not_valid_after)
-entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
-cert.fingerprint(hashes.MD5()))
+if not tasks.is_fips_enabled():
+entry_attrs['md5_fingerprint'] = x509.to_hex_with_colons(
+cert.fingerprint(hashes.MD5()))
+else:
+entry_attrs['md5_fingerprint'] = ('md5 fingerprints are disabled in '
+  'FIPS mode')
 entry_attrs['sha1_fingerprint'] = x509.to_hex_with_colons(
 cert.fingerprint(hashes.SHA1()))
 
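Review bot: `'md5 fingerprints are disabled in FIPS mode'` is a plain string where cert.py wraps its equivalent in `_()`, and the wording differs between the two; reuse the same translated message here so clients see one value regardless of which plugin produced the entry.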
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index d4384e1..1c082ad 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -35,8 +35,8 @@
 from ipapython.dn import DN
 from ipapython.dnsutil import DNSName
 from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test,
-fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_date, fuzzy_issuer,
-fuzzy_hex, raises_exact)
+fuzzy_uuid, fuzzy_digits, fuzzy_hash, fuzzy_md5_hash, fuzzy_date,
+fuzzy_issuer, fuzzy_hex, raises_exact)
 from ipatests.test_xmlrpc.test_user_plugin import get_group_dn
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
@@ -232,7 +232,7 @@ def test_update_simple(self, host):
 description=[u'Updated host 1'],
 usercertificate=[base64.b64decode(host_cert)],
 issuer=fuzzy_issuer,
-md5_fingerprint=fuzzy_hash,
+md5_fingerprint=fuzzy_md5_hash,
 serial_number=fuzzy_digits,
 serial_number_hex=fuzzy_hex,
 sha1_fingerprint=fuzzy_hash,
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index f3940f4..965183e 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -22,7 +22,9 @@
 """
 
 from ipalib import api, errors, x509
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+from ipatests.test_xmlrpc.xmlrpc_test import (
+Declarative, fuzzy_uuid, fuzzy_hash, fuzzy_md5_hash
+)
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
 from ipatests.test_xmlrpc import 

[Freeipa-devel] [freeipa PR#482][edited] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
 Title: #482: Don't count service/host/user cert md5 fprints in FIPS
Action: edited

 Changed field: body
Original value:
"""
To be "backward compatible" we cannot remove `md5_fingerprint` so we at least 
supply the reason why it can't be counted.

https://fedorahosted.org/freeipa/ticket/5695
"""


[Freeipa-devel] [freeipa PR#484][opened] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/484
Author: stlaz
 Title: #484: FIPS: Remove pkispawn cruft
Action: opened

PR body:
"""
`pkispawn` leaves some ugly files after its successful run. This patch:
a) makes sure the files are removed (say no to `__del__` in `DogtagInstance`)
b) prevents special requirements for DM password in FIPS as this was for some 
reason used to create an NSS database for `pkispawn`
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/484/head:pr484
git checkout pr484
From 0bad72e5d4abce6ea253c9709a5cbe64c89f96ac Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Feb 2017 16:54:43 +0100
Subject: [PATCH 1/2] Remove ra_db argument from CAInstance init

The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/ca.py |  8 +++-
 ipaserver/install/cainstance.py | 24 +---
 ipaserver/install/server/upgrade.py |  2 +-
 3 files changed, 9 insertions(+), 25 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8e92ef0..e346a2b 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -265,8 +265,7 @@ def install_step_0(standalone, replica_config, options):
 'certmap.conf', 'subject_base', str(subject_base))
 dsinstance.write_certmap_conf(realm_name, ca_subject)
 
-ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
-   host_name=host_name)
+ca = cainstance.CAInstance(realm_name, host_name=host_name)
 ca.configure_instance(host_name, dm_password, dm_password,
   subject_base=subject_base,
   ca_subject=ca_subject,
@@ -293,8 +292,7 @@ def install_step_1(standalone, replica_config, options):
 subject_base = options._subject_base
 basedn = ipautil.realm_to_suffix(realm_name)
 
-ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
-   host_name=host_name)
+ca = cainstance.CAInstance(realm_name, host_name=host_name)
 
 ca.stop('pki-tomcat')
 
@@ -356,7 +354,7 @@ def install_step_1(standalone, replica_config, options):
 
 
 def uninstall():
-ca_instance = cainstance.CAInstance(api.env.realm, paths.IPA_RADB_DIR)
+ca_instance = cainstance.CAInstance(api.env.realm)
 ca_instance.stop_tracking_certificates()
 if ca_instance.is_configured():
 ca_instance.uninstall()
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 52485b9..425b36b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -294,7 +294,7 @@ class CAInstance(DogtagInstance):
  ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
 server_cert_name = 'Server-Cert cert-pki-ca'
 
-def __init__(self, realm=None, ra_db=None, host_name=None):
+def __init__(self, realm=None, host_name=None):
 super(CAInstance, self).__init__(
 realm=realm,
 subsystem="CA",
@@ -313,11 +313,6 @@ def __init__(self, realm=None, ra_db=None, host_name=None):
 self.canickname = get_ca_nickname(realm)
 else:
 self.canickname = None
-self.ra_agent_db = ra_db
-if self.ra_agent_db is not None:
-self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
-else:
-self.ra_agent_pwd = None
 self.ra_cert = None
 self.requestId = None
 self.log = log_mgr.get_logger(self)
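Review bot: removing `self.ra_agent_db` and `self.ra_agent_pwd` here leaves readers of those attributes elsewhere in the class; the pylint output posted later in this thread flags `import_ra_cert` (line 685) and `__request_ra_certificate` (lines 831 and 834) as still using both, so those call sites need to be migrated in the same commit or the code fails at runtime.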
@@ -742,16 +737,6 @@ def __create_ca_agent(self):
 
 conn.disconnect()
 
-def __run_certutil(self, args, database=None, pwd_file=None, stdin=None,
-   **kwargs):
-if not database:
-database = self.ra_agent_db
-if not pwd_file:
-pwd_file = self.ra_agent_pwd
-new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file]
-new_args = new_args + args
-return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)
-
 def __get_ca_chain(self):
 try:
 return dogtag.get_ca_certchain(ca_host=self.fqdn)
@@ -791,7 +776,7 @@ def __import_ca_chain(self):
 else:
 nick = str(subject_dn)
 trust_flags = ',,'
-self.__run_certutil(
+certdb.run_certutil(
 ['-A', '-t', trust_flags, '-n', nick, '-a',
  '-i', chain_file.name]
 )
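Review bot: `certdb.run_certutil([...])` drops the `database` and `pwd_file` defaults that the removed `__run_certutil` helper supplied, so this call now relies entirely on `certdb` knowing the RA database path and password file itself; confirm that `certdb` is bound to an object with a `run_certutil` method in this module (its import is not in the hunk) and that it targets the same database the old helper did.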
@@ -852,7 +837,8 @@ def __request_ra_certificate(self):
 post_command='renew_ra_cert')
 
 self.requestId = str(reqId)
-result = self.__run_certutil(
+ 

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request

MartinBasti commented:
"""
Ticket is `Enumerate all available request type options in ipa cert-request 
help` but your commit doesn't enumerate all possible certtypes
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/480#issuecomment-281058427

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

tiran commented:
"""
pylint needs some attention, too.

```
* Module ipaserver.install.cainstance
ipaserver/install/cainstance.py:685: [E1101(no-member), 
CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_db' member)
ipaserver/install/cainstance.py:685: [E1101(no-member), 
CAInstance.import_ra_cert] Instance of 'CAInstance' has no 'ra_agent_pwd' 
member)
ipaserver/install/cainstance.py:831: [E1101(no-member), 
CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 
'ra_agent_db' member)
ipaserver/install/cainstance.py:834: [E1101(no-member), 
CAInstance.__request_ra_certificate] Instance of 'CAInstance' has no 
'ra_agent_pwd' member)
* Module ipaserver.install.dogtaginstance
ipaserver/install/dogtaginstance.py:78: [E0602(undefined-variable), 
export_kra_agent_pem] Undefined variable 'tempfile')
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281075216

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-20 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
We want to prevent others from having packages in PyPI with the same names as used 
for IPA. This is reasonable for protecting users from getting attacker code from PyPI 
that rewrites working modules installed from rpms. In case somebody installs 
`ipamodulefromhell` we really cannot help this user
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281056392
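The concern in the comment above is that a same-named package installed from PyPI could shadow the modules a distro delivers via rpm. A defender-side check for that, added here as an example and not part of FreeIPA or of this PR, resolves each module name through the normal import machinery and reports any whose file lives outside the directories you trust. The trusted prefixes, the `find_shadowed` helper and the module name `ipa_placeholder_example` are all assumptions of this example; the demo plants a constructed module in a temporary directory to show what a finding looks like.

```python
"""Report Python modules that resolve from outside distro-managed directories.

Example code added to illustrate the shadowing risk discussed above; it is not
FreeIPA code. Trusted prefixes are an assumption supplied by the caller.
"""
import importlib
import importlib.util
import os
import shutil
import sys
import sysconfig
import tempfile


def resolve_origin(name):
    """Return the real path of the file `name` would be imported from, or None
    for missing, built-in or frozen modules (which cannot be shadowed by pip)."""
    spec = importlib.util.find_spec(name)
    if spec is None or spec.origin in (None, "built-in", "frozen"):
        return None
    return os.path.realpath(spec.origin)


def is_under(path, prefixes):
    """True if `path` equals one of `prefixes` or lies inside one of them."""
    for prefix in prefixes:
        prefix = prefix.rstrip(os.sep)
        if path == prefix or path.startswith(prefix + os.sep):
            return True
    return False


def find_shadowed(names, trusted_prefixes):
    """Return {module_name: origin} for every name that imports from a location
    outside `trusted_prefixes`, i.e. a candidate pip-installed shadow copy."""
    trusted = [os.path.realpath(p) for p in trusted_prefixes]
    findings = {}
    for name in names:
        origin = resolve_origin(name)
        if origin is not None and not is_under(origin, trusted):
            findings[name] = origin
    return findings


def demo():
    """Constructed scenario: plant a module in a temporary directory that is
    not a trusted prefix and confirm it is reported while a stdlib module is not."""
    tmp = tempfile.mkdtemp()
    name = "ipa_placeholder_example"  # constructed name, not a real FreeIPA module
    with open(os.path.join(tmp, name + ".py"), "w") as fh:
        fh.write("# constructed stand-in for a module installed outside the distro\n")
    sys.path.insert(0, tmp)
    importlib.invalidate_caches()
    try:
        paths = sysconfig.get_paths()
        trusted = [paths["stdlib"], paths["purelib"]]  # assumed trusted locations
        return find_shadowed(["json", name], trusted)
    finally:
        sys.path.remove(tmp)
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for module, origin in sorted(demo().items()):
        print("untrusted origin for %s: %s" % (module, origin))
```

On a real host the names to check would be the distro-owned packages (for example the `ipalib`, `ipaclient` and `ipaplatform` namespaces the comment is about) and the trusted prefixes the rpm-managed site-packages directories; a non-empty result is a signal to compare the file against the package database before trusting the installation.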

[Freeipa-devel] [freeipa PR#485][opened] Fix session logout

2017-02-20 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/485
Author: simo5
 Title: #485: Fix session logout
Action: opened

PR body:
"""
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/485/head:pr485
git checkout pr485
From 85eb3103c04e6e125bdb1d09caed6a94580a7592 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 20 Feb 2017 12:38:11 -0500
Subject: [PATCH] Fix session logout

There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce 
---
 ipaserver/plugins/session.py | 2 +-
 ipaserver/rpcserver.py   | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index 8e480ed..a049cd9 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -23,6 +23,6 @@ def execute(self, *args, **options):
 else:
 delattr(context, 'ccache_name')
 
-setattr(context, 'logout_cookie', '')
+setattr(context, 'logout_cookie', 'MagBearerToken=')
 
 return dict(result=None)
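Review bot: `'MagBearerToken='` is a cookie name with an empty value; a short comment explaining that this is the form the consumer of the `IPASESSION` header expects when clearing the session cookie would help, since a reader of `session.py` alone cannot tell why the bare `''` was wrong (the commit message only says the wrong value was set).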
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index f5c520f..25f2740 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -434,6 +434,10 @@ def __call__(self, environ, start_response):
 response = status.encode('utf-8')
 headers = [('Content-Type', 'text/plain; charset=utf-8')]
 
+logout_cookie = getattr(context, 'logout_cookie', None)
+if logout_cookie is not None:
+headers.append(('IPASESSION', logout_cookie))
+
 start_response(status, headers)
 return [response]
 
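Review bot: `if logout_cookie is not None` emits the header even for an empty string, which the `if logout_cookie:` check being removed below would have suppressed; that is fine given session.py now sets a non-empty value, but say so in a comment. More importantly, please confirm that `context.logout_cookie` is cleared together with the rest of the per-request `context` (destroy_context) once the response is built; otherwise a logout handled in one request could emit `IPASESSION` on a later request served by the same process.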
@@ -639,10 +643,6 @@ def __call__(self, environ, start_response):
 
 return self.marshal(None, CCacheError())
 
-logout_cookie = getattr(context, 'logout_cookie', None)
-if logout_cookie:
-self.headers.append(('IPASESSION', logout_cookie))
-
 try:
 self.create_context(ccache=user_ccache)
 response = super(KerberosWSGIExecutioner, self).__call__(
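Review bot: the removed block appended to `self.headers`, i.e. state on the executioner instance, while the replacement above appends to a per-request `headers` list; if the executioner instance is shared between requests, the old code could also leak the logout header into another client's response, which is worth spelling out in the commit message rather than describing it only as the check being "in the wrong place".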

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

stlaz commented:
"""
All should be fixed now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281120295

[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Don't count service/host/user cert md5 fprints in FIPS

MartinBasti commented:
"""
I don't think that this is a good way to handle backward compatibility. 
With FIPS mode enabled there is no md5 backward compatibility and users should 
adapt their automation. In case the IPA API is used directly it will contain 
garbage and it may not be caught fast enough by any automation on the user 
side. We should not provide anything related to md5 under FIPS mode and let any 
possible automation using the IPA API fail early on missing values.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/482#issuecomment-281089720

[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Don't count service/host/user cert md5 fprints in FIPS

tomaskrizek commented:
"""
@rcritten Currently, the tests fail because we need #437 merged. It would be 
caught.

@MartinBasti The only other option I see is to provide `None`. We can't remove 
the md5 fingerprint from API - or can we?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/482#issuecomment-281105590

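The thread above argues about what the API should return for the md5 fingerprint under FIPS. The following is an added example (not FreeIPA code and not anyone's patch) of the option MartinBasti argues for: compute the fingerprints over the certificate's DER bytes with the standard library and leave the `md5` key out entirely under FIPS, so a consumer that indexes it fails at once instead of acting on a placeholder. The `/proc/sys/crypto/fips_enabled` probe, the `cert_fingerprints` and `require_fingerprint` names, and the byte string standing in for DER are all assumptions of the example.

```python
"""FIPS-aware certificate fingerprints (added example, not FreeIPA code)."""
import hashlib

# Digests a consumer of the API may ask for.
DIGESTS = ("sha256", "sha1", "md5")

# Linux kernel FIPS switch; an assumption of this example, not IPA's own probe.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def fips_enabled():
    """True when the kernel reports FIPS mode, False if the flag is absent."""
    try:
        with open(FIPS_FLAG) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def _colon_hex(digest):
    """Format a raw digest the way IPA prints fingerprints: AA:BB:CC:..."""
    return ":".join("{0:02X}".format(b) for b in bytearray(digest))


def cert_fingerprints(der, fips=None):
    """Return {digest_name: fingerprint} over the DER-encoded certificate.

    Under FIPS the "md5" key is absent: not None and not a placeholder, so
    automation that indexes it fails with KeyError instead of acting on junk.
    """
    if fips is None:
        fips = fips_enabled()
    result = {}
    for name in DIGESTS:
        if name == "md5" and fips:
            continue            # policy: nothing md5-related under FIPS
        try:
            h = hashlib.new(name)
        except ValueError:
            # OpenSSL in FIPS mode refuses to construct md5 even if the
            # flag file was unreadable; treat it exactly like the policy.
            continue
        h.update(der)
        result[name] = _colon_hex(h.digest())
    return result


def require_fingerprint(fps, name):
    """Consumer-side check: fail loudly when a digest is not offered."""
    if name not in fps:
        raise RuntimeError(
            "{0} fingerprint is not available (FIPS mode?)".format(name))
    return fps[name]


if __name__ == "__main__":
    # Constructed input: any byte string works, since a fingerprint is just
    # a digest over the DER bytes; this is not a real certificate.
    fake_der = b"abc"
    print(cert_fingerprints(fake_der, fips=False))
    print(cert_fingerprints(fake_der, fips=True))
```

Passing `fips=True` or `fips=False` explicitly is what a test suite wants; leaving it `None` lets the kernel decide, which is the behaviour a deployed server needs.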
[Freeipa-devel] [freeipa PR#482][comment] Don't count service/host/user cert md5 fprints in FIPS

2017-02-20 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Don't count service/host/user cert md5 fprints in FIPS

rcritten commented:
"""
In service.py the error isn't wrapped in _(). You should use the same message 
in both.

Given the different messages I'm surprised this didn't pop up as a test failure.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/482#issuecomment-281086821

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-20 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 48a5dbb8c68a13a4a95aea3fe5679ddd27639684 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  14 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  24 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 174 -
 ipaserver/plugins/certmap.py   | 391 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 ++
 15 files changed, 865 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
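Review bot: `System: Read Certmap Rules` grants read/search/compare on `ipacertmapmaprule` and `ipacertmapmatchrule` to `userdn = "ldap:///all"`, that is every authenticated bind, and `System: Modify Certmap Rules` allows writing them; since these attributes decide which certificate logs in as which user, the modify permission should not be folded into any broadly granted privilege by default, and the design page should state whether all users really need to read the rules or only the hosts that evaluate them.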
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 

Re: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split

2017-02-20 Thread Alexander Bokovoy

On Sat, 18 Feb 2017, Timo Aaltonen wrote:


Hi,

So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver,
but dcerpc.py imports python-samba which -ipaserver does not depend on.
So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad
on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that
ipa-server-install wants to import adtrustinstance and fails to run if
it's not installed.

Traceback (most recent call last):
 File "/usr/sbin/ipa-server-install", line 25, in 
   from ipaserver.install.server import Server
 File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py",
line 8, in 
   from .upgrade import upgrade_check, upgrade
 File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 49, in 
   from ipaserver.install import adtrustinstance
ImportError: cannot import name adtrustinstance


So what to do here? I can't remember exactly what problems I hit when
everything was in python-ipaserver while testing 4.3.0, but I think they
were about the samba stuff.. and don't want to test again without asking
first. Should the upgrader stuff be split?

I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib.
It only needs to read a config file and check a signature. Signature could be
moved to constants. Then ipa_smb_conf_exists() can be imported in both
upgrade tool and in adtrustinstance.

Want to make a PR?
--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#487][opened] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
   URL: https://github.com/freeipa/freeipa/pull/487
Author: npmccallum
 Title: #487: Limit request sizes to /KdcProxy
Action: opened

PR body:
"""
Related: CVE-2015-5159
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/487/head:pr487
git checkout pr487
From cdbe075de7937a1bb671816a0177b09189af7bae Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Wed, 22 Jul 2015 14:18:16 -0400
Subject: [PATCH] Limit request sizes to /KdcProxy

Related: CVE-2015-5159
---
 install/conf/ipa-kdc-proxy.conf.template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template
index 9290ceb..4b9c716 100644
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -27,4 +27,5 @@ WSGIScriptReloading Off
   Allow from all
   WSGIProcessGroup kdcproxy
   WSGIApplicationGroup kdcproxy
+  LimitRequestBody 10
 
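Review bot: `LimitRequestBody 10` is ten bytes, since the directive takes a byte count; a KDC-PROXY-MESSAGE wrapping an AS-REQ or TGS-REQ is far larger than that, so as written every request to /KdcProxy gets a 413 and the proxy stops working. If a kilobyte or megabyte figure was intended it has to be written out in bytes and sized to the largest expected TGS-REQ (a ticket carrying a large PAC can reach tens of kilobytes); and as the thread notes, kdcproxy itself has enforced a limit since the 2015 commit, so check against that before adding a second, stricter limit in httpd.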

[Freeipa-devel] [freeipa PR#487][closed] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
   URL: https://github.com/freeipa/freeipa/pull/487
Author: npmccallum
 Title: #487: Limit request sizes to /KdcProxy
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/487/head:pr487
git checkout pr487

[Freeipa-devel] [freeipa PR#487][+rejected] Limit request sizes to /KdcProxy

2017-02-20 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/487
Title: #487: Limit request sizes to /KdcProxy

Label: +rejected

[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/486
Title: #486: Migrate OTP import script to python-cryptography

tiran commented:
"""
Thanks Indiana Nathaniel, good code archaeology. The ticket aligns nicely with 
https://fedorahosted.org/freeipa/ticket/6650
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/486#issuecomment-281163303

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
  URL: https://github.com/freeipa/freeipa/pull/487
Title: #487: Limit request sizes to /KdcProxy

npmccallum commented:
"""
@tiran Indeed, I did. Thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/487#issuecomment-281163319

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread npmccallum
  URL: https://github.com/freeipa/freeipa/pull/487
Title: #487: Limit request sizes to /KdcProxy

npmccallum commented:
"""
I found this old patch on my system. I don't remember if it is relevant any 
more. Maybe @tiran knows?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/487#issuecomment-281160380

[Freeipa-devel] [freeipa PR#488][opened] Speed up client schema cache

2017-02-20 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/488
Author: tiran
 Title: #488: Speed up client schema cache
Action: opened

PR body:
"""
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

```
$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real0m13.608s
user0m10.316s
sys 0m1.121s
```

After:

```
$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real0m9.330s
user0m7.635s
sys 0m1.146s
```

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/488/head:pr488
git checkout pr488
From 26d3b966a9b36f5e0dd9f3a82422249f33f48f6e Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 20 Feb 2017 20:09:13 +0100
Subject: [PATCH] Speed up client schema cache

It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real0m13.608s
user0m10.316s
sys 0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real0m9.330s
user0m7.635s
sys 0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes 
---
 ipaclient/remote_plugins/schema.py | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index 15c03f4..13bdee4 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -458,11 +458,15 @@ def _read_schema(self, fingerprint):
 with self._open(fingerprint, 'rb') as f:
 self._file.write(f.read())
 
+# It's more efficient to read zip file members at once than to open
+# the zip file a couple of times, see #6690.
 with zipfile.ZipFile(self._file, 'r') as schema:
 for name in schema.namelist():
 ns, _slash, key = name.partition('/')
 if ns in self.namespaces:
-self._dict[ns][key] = None
+self._dict[ns][key] = schema.read(name)
+elif name == '_help':
+self._help = schema.read(name)
 
 def __getitem__(self, key):
 try:
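Review bot: every member under a known namespace is now read into memory as bytes up front, and any top-level member that is neither a namespace nor `_help` is dropped silently; a `logger.debug` listing the skipped names would make a cache written by a newer client diagnosable instead of just "missing" at lookup time.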
@@ -520,16 +524,12 @@ def _write_schema(self, fingerprint):
 f.truncate(0)
 f.write(self._file.read())
 
-def _read(self, path):
-with zipfile.ZipFile(self._file, 'r') as zf:
-return json.loads(zf.read(path).decode('utf-8'))
-
 def read_namespace_member(self, namespace, member):
 value = self._dict[namespace][member]
 
-if value is None:
-path = '{}/{}'.format(namespace, member)
-value = self._dict[namespace][member] = self._read(path)
+if isinstance(value, bytes):
+value = json.loads(value.decode('utf-8'))
+self._dict[namespace][member] = value
 
 return value
 
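Review bot: with the lazy `json.loads` here, a corrupt or truncated cache member now fails at first access, inside a command, rather than at load time; if the cache file is user-writable, it would be friendlier to catch `ValueError` and treat it as a cache miss that triggers a refetch from the server, instead of surfacing a JSON decoding error from the middle of a command.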
@@ -537,8 +537,8 @@ def iter_namespace(self, namespace):
 return iter(self._dict[namespace])
 
 def get_help(self, namespace, member):
-if not self._help:
-self._help = self._read('_help')
+if isinstance(self._help, bytes):
+self._help = json.loads(self._help.decode('utf-8'))
 
 return self._help[namespace][member]
 
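Review bot: if the cache file has no `_help` member, `self._help` is never assigned in `_read_schema`, the `isinstance(..., bytes)` check is False, and `self._help[namespace][member]` then raises a `TypeError` on whatever `_help` was initialised to; the removed `self._read('_help')` at least failed with a clear KeyError. Initialise `_help` to `b'{}'`, or raise a descriptive error here when it is neither bytes nor a dict.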

[Freeipa-devel] [freeipa PR#486][opened] Migrate OTP import script to python-cryptography

2017-02-20 Thread npmccallum
   URL: https://github.com/freeipa/freeipa/pull/486
Author: npmccallum
 Title: #486: Migrate OTP import script to python-cryptography
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/5192
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/486/head:pr486
git checkout pr486
From a42cc54f44c48aaf105d4765af797676d1802881 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Mon, 31 Aug 2015 10:46:19 -0400
Subject: [PATCH] Migrate OTP import script to python-cryptography

https://fedorahosted.org/freeipa/ticket/5192
---
 ipaserver/install/ipa_otptoken_import.py| 104 ++--
 ipatests/test_ipaserver/test_otptoken_import.py | 100 +--
 2 files changed, 80 insertions(+), 124 deletions(-)

diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 00939e0..d5ed12a 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -29,11 +29,15 @@
 from lxml import etree
 import dateutil.parser
 import dateutil.tz
-import nss.nss as nss
 import gssapi
 import six
 from six.moves import xrange
 
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf import pbkdf2
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
+
 from ipapython import admintool
 from ipalib import api, errors
 from ipaserver.plugins.ldap2 import AUTOBIND_DISABLED
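Review bot: `default_backend` is imported here, so every `Cipher(...)` and PBKDF2 constructor in the file needs `backend=default_backend()` passed explicitly; the python-cryptography release current for this tree still requires the argument, and stlaz's test run already caught two constructors without it. Check as well whether `hmac` is still needed after `derive()` goes, since the old implementation was its only user visible in this patch.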
@@ -118,13 +122,13 @@ def convertAlgorithm(value):
 "Converts encryption URI to (mech, ivlen)."
 
 return {
-"http://www.w3.org/2001/04/xmlenc#aes128-cbc":(nss.CKM_AES_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmlenc#aes192-cbc":(nss.CKM_AES_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmlenc#aes256-cbc":(nss.CKM_AES_CBC_PAD, 256),
-"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (nss.CKM_DES3_CBC_PAD, 64),
-"http://www.w3.org/2001/04/xmldsig-more#camellia128": (nss.CKM_CAMELLIA_CBC_PAD, 128),
-"http://www.w3.org/2001/04/xmldsig-more#camellia192": (nss.CKM_CAMELLIA_CBC_PAD, 192),
-"http://www.w3.org/2001/04/xmldsig-more#camellia256": (nss.CKM_CAMELLIA_CBC_PAD, 256),
+"http://www.w3.org/2001/04/xmlenc#aes128-cbc": (algorithms.AES, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmlenc#aes192-cbc": (algorithms.AES, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmlenc#aes256-cbc": (algorithms.AES, modes.CBC, 256),
+"http://www.w3.org/2001/04/xmlenc#tripledes-cbc": (algorithms.TripleDES, modes.CBC, 64),
+"http://www.w3.org/2001/04/xmldsig-more#camellia128": (algorithms.Camellia, modes.CBC, 128),
+"http://www.w3.org/2001/04/xmldsig-more#camellia192": (algorithms.Camellia, modes.CBC, 192),
+"http://www.w3.org/2001/04/xmldsig-more#camellia256": (algorithms.Camellia, modes.CBC, 256),
 
 # TODO: add support for these formats.
 # "http://www.w3.org/2001/04/xmlenc#kw-aes128": "kw-aes128",
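Review bot: the docstring still says the function returns `(mech, ivlen)` but the tuple now has three elements and the third is not an IV length: 128/192/256 track the AES and Camellia key size (the CBC IV for both is always 128 bits), while 64 for 3DES is the block size. Name the third element for what it is actually used as, and fix the docstring in the same hunk.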
@@ -134,7 +138,7 @@ def convertAlgorithm(value):
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia128": "kw-camellia128",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia192": "kw-camellia192",
 # "http://www.w3.org/2001/04/xmldsig-more#kw-camellia256": "kw-camellia256",
-}.get(value.lower(), (None, None))
+}.get(value.lower(), (None, None, None))
 
 
 def convertEncrypted(value, decryptor=None, pconv=base64.b64decode, econv=lambda x: x):
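Review bot: the fallback changed from a 2-tuple to a 3-tuple, so any caller that still unpacks `mech, ivlen = convertAlgorithm(...)` raises a `ValueError` at runtime rather than at import; grep the callers (the truncated hunk below does not show them) and make sure they unpack three values and reject `None` before instantiating the cipher.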
@@ -169,50 +173,29 @@ def __init__(self, enckey):
 if params is None:
 raise ValueError("XML file is missing PBKDF2 parameters!")
 
-self.salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode)
-self.iter = fetch(params, "./xenc11:IterationCount/text()", int)
-self.klen = fetch(params, "./xenc11:KeyLength/text()", int)
-self.hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1)
+salt = fetch(params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode)
+itrs = fetch(params, "./xenc11:IterationCount/text()", int)
+klen = fetch(params, "./xenc11:KeyLength/text()", int)
+hmod = fetch(params, "./xenc11:PRF/@Algorithm", convertHMACType, hashlib.sha1)
 
-if self.salt is None:
+if salt is None:
 raise ValueError("XML file is missing PBKDF2 salt!")
 
-if self.iter is None:
+if itrs is None:
 raise ValueError("XML file is missing PBKDF2 iteration count!")
 
-if self.klen is None:
+if klen is None:
 raise ValueError("XML file is missing PBKDF2 key length!")
 
-def derive(self, masterkey):
-mac = hmac.HMAC(masterkey, None, self.hmod)
-
-# Figure out how many blocks we will have to combine
-

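The PR above moves the PSKC import from python-nss to python-cryptography, and the hunk is cut off before the rewritten key derivation. What follows is an added example (not the PR's code and not FreeIPA's) of that step end to end: parse the xenc11 PBKDF2 parameters from a constructed PSKC fragment, derive the key, and CBC-decrypt with PKCS#7 unpadding the way xmlenc lays out IV plus ciphertext. PBKDF2 is done with the standard library's `hashlib.pbkdf2_hmac` so the result can be checked against the RFC 6070 test vectors; only `decrypt_cbc` needs python-cryptography, and it imports it lazily. The `NS`, `PRF_NAMES`, `DEFAULT_PRF` and `SAMPLE_PARAMS` names and the function names are the example's own; the namespace and algorithm URIs are the standard ones.

```python
"""PSKC PBKDF2 derivation and CBC decryption (added example, not FreeIPA code)."""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

# XML Encryption 1.1 namespace used by PSKC for PBKDF2 parameters.
NS = {"xenc11": "http://www.w3.org/2009/xmlenc11#"}

# PRF URI -> hashlib name. An unknown URI is an error, never a silent
# SHA-1 fallback: deriving with the wrong PRF "succeeds" and yields junk.
PRF_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": "sha256",
}
DEFAULT_PRF = "sha1"   # PSKC's default when the PRF element is omitted

# Constructed parameter block in the layout the import script reads
# (salt "salt", 4096 rounds, 20-byte key, HMAC-SHA1: the RFC 6070 vector).
SAMPLE_PARAMS = """
<xenc11:PBKDF2-params xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
  <xenc11:Salt><xenc11:Specified>c2FsdA==</xenc11:Specified></xenc11:Salt>
  <xenc11:IterationCount>4096</xenc11:IterationCount>
  <xenc11:KeyLength>20</xenc11:KeyLength>
  <xenc11:PRF Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
</xenc11:PBKDF2-params>
"""


def parse_pbkdf2_params(xml_text):
    """Return (salt, iterations, key_length, prf_name).

    Missing fields raise ValueError with the same wording as the import
    script; an unsupported PRF raises too, rather than being guessed.
    """
    root = ET.fromstring(xml_text.strip())
    salt = root.findtext("xenc11:Salt/xenc11:Specified", namespaces=NS)
    itrs = root.findtext("xenc11:IterationCount", namespaces=NS)
    klen = root.findtext("xenc11:KeyLength", namespaces=NS)
    prf = root.find("xenc11:PRF", NS)
    if salt is None:
        raise ValueError("XML file is missing PBKDF2 salt!")
    if itrs is None:
        raise ValueError("XML file is missing PBKDF2 iteration count!")
    if klen is None:
        raise ValueError("XML file is missing PBKDF2 key length!")
    if prf is None:
        prf_name = DEFAULT_PRF
    else:
        uri = prf.get("Algorithm", "").lower()
        if uri not in PRF_NAMES:
            raise ValueError("Unsupported PBKDF2 PRF: %s" % uri)
        prf_name = PRF_NAMES[uri]
    return base64.b64decode(salt), int(itrs), int(klen), prf_name


def derive_key(masterkey, params):
    """PBKDF2-HMAC with the parsed parameters (stdlib, FIPS-approved KDF)."""
    salt, itrs, klen, prf_name = params
    return hashlib.pbkdf2_hmac(prf_name, masterkey, salt, itrs, klen)


def derive_key_hex(masterkey, params):
    return binascii.hexlify(derive_key(masterkey, params)).decode("ascii")


def decrypt_cbc(key, iv_and_ciphertext, algorithm="aes"):
    """CBC decrypt plus PKCS#7 unpad, the python-cryptography replacement
    for nss.CKM_*_CBC_PAD. xmlenc prepends the IV to the ciphertext."""
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    algo = {"aes": algorithms.AES, "camellia": algorithms.Camellia,
            "tripledes": algorithms.TripleDES}[algorithm](key)
    bs = algo.block_size // 8            # 16 for AES/Camellia, 8 for 3DES
    iv, ct = iv_and_ciphertext[:bs], iv_and_ciphertext[bs:]
    if len(ct) == 0 or len(ct) % bs:
        raise ValueError("ciphertext is not a whole number of blocks")
    dec = Cipher(algo, modes.CBC(iv), backend=default_backend()).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(algo.block_size).unpadder()
    return unpad.update(padded) + unpad.finalize()   # raises on bad padding


if __name__ == "__main__":
    params = parse_pbkdf2_params(SAMPLE_PARAMS)
    print(params, derive_key_hex(b"password", params))
```

The `KeyLength` element is in bytes, as in RFC 6030, so it feeds `pbkdf2_hmac` unchanged; the block size, by contrast, comes from the cipher object rather than from the algorithm table, which sidesteps the ambiguity the patch's third tuple element has between key size and IV size.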
[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread npmccallum
  URL: https://github.com/freeipa/freeipa/pull/486
Title: #486: Migrate OTP import script to python-cryptography

npmccallum commented:
"""
This is an old patch I found on my system that doesn't appear to be merged.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/486#issuecomment-281159669

[Freeipa-devel] [freeipa PR#487][comment] Limit request sizes to /KdcProxy

2017-02-20 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/487
Title: #487: Limit request sizes to /KdcProxy

tiran commented:
"""
You fixed the issue in summer 2015. 
https://github.com/latchset/kdcproxy/commit/f274aa6787cb8b3ec1cc12c440a56665b7231882
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/487#issuecomment-281162623

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request

frasertweedale commented:
"""
I would like to NACK this.  We instead want to hide or remove the option, because
we only support PKCS #10 and this is unlikely to change any time soon.

There is already a ticket for that: https://fedorahosted.org/freeipa/ticket/5734
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/480#issuecomment-281209123

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

HonzaCholasta commented:
"""
Is this really the right thing to do? IMO it does not make much sense to have 
placeholders for every `ipa*` package, as it does not scale at all - nothing is 
preventing a potential attacker from registering their own `ipa*` package, which 
will confuse PyPI users all the same and will prevent us from using that name 
ourselves in the future, should we want to.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281011551

[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py | 10 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7b..f951770 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-db.create_db(backup=True)
+db.create_db(mode=0o755, backup=True)
 os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
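Review bot: the commit message says the directory is created with mode 644, but the code passes `mode=0o755`, which is the right value for a directory (644 would not be traversable); fix the message. The explicit `chmod` of `cert8.db` and `key3.db` to `0o644` makes the key database world-readable, which is acceptable only while this database holds nothing but public CA certificates; a comment saying so would stop someone later storing a client key here without revisiting the mode.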
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf..b22c3c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 """
 dirmode = 0o750
 filemode = 0o640
+pwdfilemode = 0o640
 if mode is not None:
 dirmode = mode
 filemode = mode & 0o666
+pwdfilemode = mode & 0o660
 
 uid = -1
 gid = -1
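Review bot: with `mode=0o755` this yields `pwdfilemode = 0o640`, so the NSS password file is created group-readable and only tightened to 0600 afterwards by the caller in client.py; create it with `0o600` here (widened to `0o640` only when an explicit `group` is requested) so no caller has to remember the second chmod and there is no window with a looser mode.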
@@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 # Create the password file for this db
 with io.open(os.open(self.pwd_file,
  os.O_CREAT | os.O_WRONLY,
- filemode), 'w', closefd=True) as f:
+ pwdfilemode), 'w', closefd=True) as f:
 f.write(ipautil.ipa_generate_password())
 f.flush()
 
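Review bot: the mode passed to `os.open` is masked by the umask and ignored entirely when the file already exists, and without `O_TRUNC` or `O_EXCL` an existing password file keeps its old mode and, since opening an already-open fd with `'w'` does not truncate, a shorter new password leaves the tail of the old one in place; add `os.O_TRUNC`, or unlink first and open with `os.O_EXCL`, and rely on the chmod loop below for the final mode.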
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 if os.path.exists(path):
 if uid != -1 or gid != -1:
 os.chown(path, uid, gid)
-os.chmod(path, filemode)
+if path == self.pwd_file:
+new_mode = pwdfilemode
+else:
+new_mode = filemode
+os.chmod(path, new_mode)
 tasks.restore_context(path)
 
 def list_certs(self):
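Review bot: the `if path == self.pwd_file` special case duplicates the mode selection done a few lines earlier when the file is created; a single `{path: mode}` mapping built once at the top of `create_db` (or a tiny `_mode_for(path)` helper) would keep the creation and the fix-up loop from drifting apart the next time a file gets its own mode.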

From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 
 ipaserver/install/plugins/upload_cacrt.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
 """
 
 def execute(self, **options):
+ca_enabled = self.api.Command.ca_is_enabled()['result']
+if not ca_enabled:
+return False, []
+
 olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
 if not olddb.has_nickname('ipaCert'):
 # Nothign to do
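Review bot: returning early in CA-less is right, but the stale `ipaCert` that the commit message says may be left over from a previous CA-ful install then stays in `/etc/httpd/alias` untouched; log a warning naming the entry so the admin knows to remove it. Minor: the context comment reads `Nothign` and can be fixed while touching this function.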
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see .
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
 """
 
 def execute(self, **options):
-db = certs.CertDB(self.api.env.realm)
+db = 

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

HonzaCholasta commented:
"""
@stlaz, not sure what's going on there, but not my fault, these failures happen 
even without this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-281011963

[Freeipa-devel] [freeipa PR#481][+ack] Minor typo fix in DNS install plugin

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/481
Title: #481: Minor typo fix in DNS install plugin

Label: +ack

[Freeipa-devel] [freeipa PR#486][comment] Migrate OTP import script to python-cryptography

2017-02-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/486
Title: #486: Migrate OTP import script to python-cryptography

stlaz commented:
"""
Thanks for the patch, less `nss` is always good. It seems that 
python-cryptography might have added the `backend` attribute to some 
constructors since the patch was created; our tests found two such spots, if 
you could perhaps add it there.
I personally don't care much for the pep8 errors, IMHO the code reads better 
this way.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/486#issuecomment-281268640

[Freeipa-devel] [freeipa PR#480][comment] Add request_type doc string in cert-request

2017-02-20 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/480
Title: #480: Add request_type doc string in cert-request

Akasurde commented:
"""
@frasertweedale How do you recommend hiding this option? Does removing this 
option have a detrimental effect on the `cert-request` command?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/480#issuecomment-281260868