[Freeipa-devel] [freeipa PR#1544][opened] [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used
URL: https://github.com/freeipa/freeipa/pull/1544
Author: tiran
Title: #1544: [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used
Action: opened

PR body:
"""
Manual backport of PR #1537

The certauth plugin is configured in /etc/krb5.conf independently from the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261

Reviewed-By: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1544/head:pr1544
git checkout pr1544

From 8b8947831f394bedcb6fc2344166e623e937b707 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261

Reviewed-By: Christian Heimes
--- daemons/ipa-kdb/ipa_kdb.c | 1 + daemons/ipa-kdb/ipa_kdb.h | 2 ++ daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index c0f1e276ca..d547eb01b6 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext, if (!ipactx) { return ENOMEM; } +ipactx->magic = IPA_CONTEXT_MAGIC; /* only check for unsupported 'temporary' value for now */ for (i = 0; db_args != NULL && db_args[i] != NULL; i++) { diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index 72573a61ad..cffe330baa 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -101,7 +101,9 @@ struct ipadb_global_config { bool disable_preauth_for_spns; }; +#define IPA_CONTEXT_MAGIC 0x0c027ea7 struct ipadb_context { +int magic; char *uri; char *base; char *realm; diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index 66c2d08cbb..432379b333 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext, krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin."); ipactx = ipadb_get_context(kcontext); -if (ipactx == NULL) { +if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) { return KRB5_KDB_DBNOTINITED; } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
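Review bot: in the ipa_kdb.h hunk, `int magic;` works as a discriminator only while it stays the first member of struct ipadb_context, and nothing in the header says so. Add a comment on the field stating that it must remain first because ipa_get_init_data() reads it before the context is known to belong to the IPA DAL driver, and consider declaring it `uint32_t` so that 0x0c027ea7 has a fixed width on every platform.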
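Review bot: in the ipa_kdb_certauth.c hunk, the new `ipactx->magic != IPA_CONTEXT_MAGIC` branch returns KRB5_KDB_DBNOTINITED without logging anything, right after "Initializing IPA certauth plugin." was written at LOG_INFO. An administrator who enabled the certauth plugin in /etc/krb5.conf without the IPA DAL driver gets no hint from this function why the plugin is inactive; add a krb5_klog_syslog() call in that branch that names the missing IPA database module.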
[Freeipa-devel] [freeipa PR#1543][opened] [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used
URL: https://github.com/freeipa/freeipa/pull/1543
Author: tiran
Title: #1543: [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used
Action: opened

PR body:
"""
This PR was opened automatically because PR #1537 was pushed to master and backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1543/head:pr1543
git checkout pr1543

From 470358fa03797dd5b89811bd4ae9fbe60b0281b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
--- daemons/ipa-kdb/ipa_kdb.c | 1 + daemons/ipa-kdb/ipa_kdb.h | 2 ++ daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index b11153eccd..222900ae7a 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c @@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext, if (!ipactx) { return ENOMEM; } +ipactx->magic = IPA_CONTEXT_MAGIC; /* only check for unsupported 'temporary' value for now */ for (i = 0; db_args != NULL && db_args[i] != NULL; i++) { diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index be2f457522..d187d969f5 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -101,7 +101,9 @@ struct ipadb_global_config { bool disable_preauth_for_spns; }; +#define IPA_CONTEXT_MAGIC 0x0c027ea7 struct ipadb_context { +int magic; char *uri; char *base; char *realm; diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index 35e5e7d086..82589f2f92 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext, krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin."); ipactx = ipadb_get_context(kcontext); -if (ipactx == NULL) { +if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) { return KRB5_KDB_DBNOTINITED; } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
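Review bot: in ipadb_init_module(), `ipactx->magic = IPA_CONTEXT_MAGIC;` is set straight after allocation, before the db_args loop and the rest of initialisation, and the patch (4 insertions across three files) never clears it again. A context that fails later in init, or one that has been freed, would still carry a valid magic; set the field to 0 on the error and teardown paths, or assign the magic only once initialisation has succeeded, so that the check in ipa_get_init_data() means "properly initialized" as the commit message says.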
[Freeipa-devel] [freeipa PR#1537][closed] ipa-kdb: use magic value to check if ipadb is used
URL: https://github.com/freeipa/freeipa/pull/1537
Author: sumit-bose
Title: #1537: ipa-kdb: use magic value to check if ipadb is used
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1537/head:pr1537
git checkout pr1537
[Freeipa-devel] [freeipa PR#1540][closed] [Backport][ipa-4-6] ipa_tests: test subca key replication
URL: https://github.com/freeipa/freeipa/pull/1540
Author: tiran
Title: #1540: [Backport][ipa-4-6] ipa_tests: test subca key replication
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1540/head:pr1540
git checkout pr1540
[Freeipa-devel] [freeipa PR#1542][opened] [Backport][ipa-4-6] Bump SELinux policy for DNSSEC
URL: https://github.com/freeipa/freeipa/pull/1542
Author: tiran
Title: #1542: [Backport][ipa-4-6] Bump SELinux policy for DNSSEC
Action: opened

PR body:
"""
This PR was opened automatically because PR #1509 was pushed to master and backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1542/head:pr1542
git checkout pr1542

From 149bd1442e9511686e7136cdddc731b838e3c791 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 6 Feb 2018 08:53:54 +0100
Subject: [PATCH] Bump SELinux policy for DNSSEC

selinux-policy-3.13.1-283.24 fixes an AVC with OpenDNSSEC ods-signer.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1537971
See: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes
--- freeipa.spec.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 7f4f93c70d..45bf53c09e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -57,7 +57,8 @@ %global python_netaddr_version 0.7.16 # Require 4.7.0 which brings Python 3 bindings %global samba_version 2:4.7.0 -%global selinux_policy_version 3.13.1-158.4 +# DNSSEC AVC violation, RHBZ#1537971 +%global selinux_policy_version 3.13.1-283.24 %global slapi_nis_version 0.56.1 # Use python3-pyldap to be compatible with old python3-pyldap 2.x and new
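Review bot: the new `%global selinux_policy_version 3.13.1-283.24` raises the minimum selinux-policy for an ipa-4-6 backport from 3.13.1-158.4, so confirm that every distribution release still built from ipa-4-6 ships at least 3.13.1-283.24, otherwise the package cannot be installed there. The `# DNSSEC AVC violation, RHBZ#1537971` comment is helpful; the pagure issue from the commit message could sit next to it so the reason for the floor stays visible in the spec file.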
[Freeipa-devel] [freeipa PR#1509][closed] Bump SELinux policy for DNSSEC
URL: https://github.com/freeipa/freeipa/pull/1509
Author: tiran
Title: #1509: Bump SELinux policy for DNSSEC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1509/head:pr1509
git checkout pr1509
[Freeipa-devel] [freeipa PR#1541][opened] [Backport][ipa-4-6] ipa-server-upgrade now checks custodia server keys
URL: https://github.com/freeipa/freeipa/pull/1541
Author: tiran
Title: #1541: [Backport][ipa-4-6] ipa-server-upgrade now checks custodia server keys
Action: opened

PR body:
"""
This PR was opened automatically because PR #1507 was pushed to master and backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1541/head:pr1541
git checkout pr1541

From e257bfccba15efd8fffa7aeb187a4b3ca9f9745d Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 31 Jan 2018 09:57:26 +0100
Subject: [PATCH] ipa-server-upgrade now checks custodia server keys

The ipa-server-upgrade command now checks for presence of ipa-custodia's config and server keys. In case any of the files is missing, it re-creates both files.

Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does not auto-detect broken or mismatching keys yet.

Signed-off-by: Christian Heimes
--- ipaserver/install/custodiainstance.py | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 748f84763a..9bc1b2f41d 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -92,7 +92,17 @@ def __gen_keys(self): keystore.generate_server_keys() def upgrade_instance(self): -if not sysupgrade.get_upgrade_state("custodia", "installed"): +installed = sysupgrade.get_upgrade_state("custodia", "installed") +if installed: +if (not os.path.isfile(self.server_keys) +or not os.path.isfile(self.config_file)): +logger.warning( +"Custodia server keys or config are missing, forcing " +"reinstallation of ipa-custodia." +) +installed = False + +if not installed: logger.info("Custodia service is being configured") self.create_instance() else:
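Review bot: in upgrade_instance(), the warning "Custodia server keys or config are missing" does not say which of self.server_keys and self.config_file was absent, although the commit message states that both files are re-created in either case. Log the missing path(s) and say explicitly when existing server keys are about to be regenerated because only the config was missing, since that is the case an administrator most needs to find in the upgrade log. os.path.isfile() also accepts an empty or truncated file; the commit message already notes that broken keys are not detected, and a short comment at the check would keep that limitation visible in the code.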
[Freeipa-devel] [freeipa PR#1507][closed] ipa-server-upgrade now checks custodia server keys
URL: https://github.com/freeipa/freeipa/pull/1507
Author: tiran
Title: #1507: ipa-server-upgrade now checks custodia server keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1507/head:pr1507
git checkout pr1507
[Freeipa-devel] Re: FreeIPA development good practices
Felipe Barreto via FreeIPA-devel wrote:
> Hi flo,
>
> that sounds great. Thank you for doing it.
>
> I would like to add just one more topic:
> - The use of "make fastlint" to check pep8 issues

+1. Looks great to me, thanks for taking the lead on this.

rob

>
> On 02/07/2018 02:52 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
>> Hi all,
>>
>> in order to promote good development practices, I would like to write
>> a wiki page stating FreeIPA expectations and helping contributors to
>> remain on track (or extend the Contribute/Code wiki page).
>>
>> The topics include a description explaining our use of the tools (such
>> as github, pagure etc), but also general development habits that
>> everyone should enforce.
>>
>> A draft is available below for your comments/suggestions.
>>
>> Thanks,
>> Flo
[Freeipa-devel] [freeipa PR#1539][closed] [Backport][ipa-4-6] Python 3 support for DNSSEC
URL: https://github.com/freeipa/freeipa/pull/1539
Author: tiran
Title: #1539: [Backport][ipa-4-6] Python 3 support for DNSSEC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1539/head:pr1539
git checkout pr1539
[Freeipa-devel] [freeipa PR#1540][opened] [Backport][ipa-4-6] ipa_tests: test subca key replication
URL: https://github.com/freeipa/freeipa/pull/1540
Author: tiran
Title: #1540: [Backport][ipa-4-6] ipa_tests: test subca key replication
Action: opened

PR body:
"""
This PR was opened automatically because PR #1516 was pushed to master and backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1540/head:pr1540
git checkout pr1540

From 5e892c2be26a7e9a9d7401a1f89031ed5820 Mon Sep 17 00:00:00 2001
From: Michal Reznik
Date: Thu, 1 Feb 2018 13:17:48 +0100
Subject: [PATCH] ipa_tests: test subca key replication

Test if key replication is not failing.

https://pagure.io/freeipa/issue/7387
--- .../test_integration/test_replica_promotion.py | 49 -- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 4629d1ff05..67b596209f 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -10,9 +10,9 @@ from ipatests.pytest_plugins.integration import tasks from ipatests.pytest_plugins.integration.tasks import ( assert_error, replicas_cleanup) -from ipalib.constants import DOMAIN_LEVEL_0 -from ipalib.constants import DOMAIN_LEVEL_1 -from ipalib.constants import DOMAIN_SUFFIX_NAME +from ipalib.constants import ( +DOMAIN_LEVEL_0, DOMAIN_LEVEL_1, DOMAIN_SUFFIX_NAME, IPA_CA_NICKNAME) +from ipaplatform.paths import paths class ReplicaPromotionBase(IntegrationTest):
@@ -527,3 +527,46 @@ def test_replica_install_with_existing_entry(self): master.run_command(arg) tasks.install_replica(master, replica) + + +class TestSubCAkeyReplication(IntegrationTest): +""" +Test if subca key replication is not failing. +""" +topology = 'line' +num_replicas = 1 + +SUBCA = 'test_subca' +SUBCA_CN = 'cn=' + SUBCA + +PKI_DEBUG_PATH = '/var/log/pki/pki-tomcat/ca/debug' + +ERR_MESS = 'Caught exception during cert/key import' + +def test_sub_ca_key_replication(self): +master = self.master +replica = self.replicas[0] + +result = master.run_command(['ipa', 'ca-add', self.SUBCA, '--subject', + self.SUBCA_CN]) + +uuid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' +auth_id_re = re.compile('Authority ID: ({})'.format(uuid), +re.IGNORECASE) +auth_id = "".join(re.findall(auth_id_re, result.stdout_text)) + +cert_nick = '{} {}'.format(IPA_CA_NICKNAME, auth_id) + +# give replication some time +time.sleep(30) + +replica.run_command(['ipa-certupdate']) +replica.run_command(['ipa', 'ca-show', self.SUBCA]) + +tasks.run_certutil(replica, ['-L', '-n', cert_nick], + paths.PKI_TOMCAT_ALIAS_DIR) + +pki_debug_log = replica.get_file_contents(self.PKI_DEBUG_PATH, + encoding='utf-8') +# check for cert/key import error message +assert self.ERR_MESS not in pki_debug_log ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
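Review bot: the import hunk adds IPA_CA_NICKNAME and paths, but the new test also calls re.compile(), re.findall() and time.sleep(), and this patch adds neither `import re` nor `import time`. Confirm both modules are already imported at the top of test_replica_promotion.py, otherwise the test fails with a NameError before it checks anything.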
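Review bot: in test_sub_ca_key_replication, `auth_id = "".join(re.findall(auth_id_re, result.stdout_text))` yields an empty string when no Authority ID is printed and a concatenation when several match, so cert_nick is silently wrong and the failure only surfaces later in the certutil call. Assert that exactly one ID was found before building cert_nick. The fixed `time.sleep(30)` is a second source of flakiness; polling `ipa ca-show` on the replica with a timeout would make the wait for replication explicit.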
[Freeipa-devel] Re: FreeIPA development good practices
On Wed, Feb 7, 2018 at 5:52 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
> Hi all,
>
> in order to promote good development practices, I would like to write a wiki
> page stating FreeIPA expectations and helping contributors to remain on
> track (or extend the Contribute/Code wiki page).
>
> The topics include a description explaining our use of the tools (such as
> github, pagure etc), but also general development habits that everyone
> should enforce.
>
> A draft is available below for your comments/suggestions.
>

Hi Flo,

good stuff.

Btw when I was reviewing https://www.freeipa.org/page/Contribute/Code today, it reminded me that we already have some basis there. E.g. https://www.freeipa.org/page/Coding_Best_Practices but this page is quite specific to only some project aspects and lacks more general ideas.

--
Petr Vobornik
[Freeipa-devel] Re: Handling of postponed/abandoned efforts
On 02/07/2018 02:48 PM, Petr Vobornik via FreeIPA-devel wrote:

Hi all,

you could see that I and Christian closed some old postponed PRs.

I was thinking how to keep track of such closed efforts in case we would like to return to some.

An Idea I have is a postponed page on FreeIPA wiki. https://www.freeipa.org/page/Postponed

Which is also added to Roadmap to be discoverable: https://www.freeipa.org/page/Roadmap

I'm not sure with one thing. Usually, we close pr with rejected label. But if we close postponed PR with only "we don't have time" reason, we might want to keep postponed label there so that it can be easily found (query: is:pr is:closed label:postponed ).

Do you see value in the page or the practice?

I would go with the practice, a page in wiki doesn't seem so easy to maintain as a GH label. We could use the label postponed and leave a comment as you mentioned.

Thank you
[Freeipa-devel] Re: Handling of postponed/abandoned efforts
- Original Message -
> From: "Petr Vobornik via FreeIPA-devel"
> To: "Discussion of the development of FreeIPA"
> Cc: "Petr Vobornik"
> Sent: Wednesday, February 7, 2018 10:48:14 AM
> Subject: [Freeipa-devel] Handling of postponed/abandoned efforts
>
> Hi all,
>
> you could see that I and Christian closed some old postponed PRs.
>
> I was thinking how to keep track of such closed efforts in case we
> would like to return to some.
>
> An Idea I have is a postponed page on FreeIPA wiki.
> https://www.freeipa.org/page/Postponed
>
> Which is also added to Roadmap to be discoverable:
> https://www.freeipa.org/page/Roadmap
>
> I'm not sure with one thing. Usually, we close pr with rejected label.
> But if we close postponed PR with only "we don't have time" reason, we
> might want to keep postponed label there so that it can be easily
> found (query: is:pr is:closed label:postponed ).
>
>
> Do you see value in the page or the practice?

Would you also triage that page occasionally and decide to keep or completely close PRs? Would you have some age cutoff? I'd say after some period in time it's unlikely to ever be completed. After 5 years the PR gets tossed. I'm just thinking you may end up with a lot of stuff there you'll never have time to do.

>
> Thank you
> --
> Petr Vobornik
[Freeipa-devel] FreeIPA development good practices
Hi all,

in order to promote good development practices, I would like to write a wiki page stating FreeIPA expectations and helping contributors to remain on track (or extend the Contribute/Code wiki page).

The topics include a description explaining our use of the tools (such as github, pagure etc), but also general development habits that everyone should enforce.

A draft is available below for your comments/suggestions.

Thanks,
Flo

Developing for FreeIPA

1 Opening an issue

* FreeIPA is using pagure.io to track its upstream issues (either corresponding to bugs or requests for enhancements): https://pagure.io/freeipa/issues
* Bugs against released Fedora version can be logged in Bugzilla (https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora=freeipa) with the freeipa component.
* Bugs against released Red Hat Enterprise Linux versions of Identity Management product can be logged in Bugzilla (https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207=ipa) with the ipa component.

When opening an issue, please refer to https://www.freeipa.org/page/Troubleshooting#Reporting_bugs advice in order to include the relevant information. The page for new issue (https://pagure.io/freeipa/new_issue) will display a template guiding you.

2 Working on an issue

When you start working on a pagure.io ticket,
* assign the ticket to yourself by clicking on the "Take" button, in order to avoid multiple developers working on the same issues.
* follow the Contribute/Code guidelines (https://www.freeipa.org/page/Contribute/Code).
* create a corresponding test for each ticket

As soon as your code is ready for review:
* create a Pull Request (PR) following https://www.freeipa.org/page/Pull_request_on_Github
* update the pagure.io ticket: click on "Edit metadata" and edit the on_review field with the link to the PR

The PR will trigger only a subset of the tests. Please keep in mind that, due to resource limitations, all the tests from the source tree will not be executed. We expect you to check if the PR-CI tests are indeed testing your fix. If some parts of your code are not executed by the PR-CI, then you need to:
* check if there are tests in ipatests/ which validate your fix
* run these tests using the instructions in https://www.freeipa.org/page/Testing
* list these tests in your PR
* mention which commands or scenarios should be thoroughly checked by the reviewer
* describe the manual tests that you have run

A good habit is also to try to reproduce the issue first: build a scenario that consistently shows the issue, then implement the fix, and re-run the same scenario to make sure that the fix is correct.

Once the review is in progress, please remember that the fix is still under your responsibility as long as no ACK has been given. This means that you should answer to questions or requests for modifications and update your PR by taking into account all the comments.

If the PR does not progress for a while, you can assign the review to a developer by setting an Assignee (in the PR page, click on Assignees and pick a reviewer).

3 Reviewing a PR

When you start reviewing a PR, add your name to the Assignees list in order to avoid duplication of effort.

The reviewer responsibilities include the following steps:
* check that the PR-CI was successful (otherwise comment the PR asking for a fix, for instance because lint failed ...)
* check that the PR includes a corresponding test and that the test scenario exhibits the issue
* build with the patch
* install and run
* try to consider how you would have fixed the issue and compare with the proposed fix if a different strategy was picked
* try to consider the potential regressions (for instance if a method is modified, identify which parts of the code are using this method, and check whether they are tested)
* if the PR-CI does not validate the fix, check if there are existing tests that are relevant and launch them, or perform a manual verification.

Remember that a reviewer also has a teaching or guiding role: suggest enhancements or point to existing portions of code that could be reused, promote good practices and always assume good intent. The PR submitter may be new to FreeIPA or even new to python development and is certainly willing to improve and learn from others.

In the review comments, list the checks that you manually did or the scenario that you tested. Make objective and argumented comments (avoid "I don't like that..." but rather explain "this should not be done this way because...") and suggest improvements or alternate strategies when you request a change.

Finally, when you are OK with the fix, give the ACK label to the PR so that the fix can be pushed by one of the FreeIPA members.
[Freeipa-devel] Re: Discussion: Removing special characters from host-add random one-time-password generation
John Larson via FreeIPA-devel wrote:
> I recently experienced an issue where special characters in the "ipa
> host-add" operation were interpreted by bash in an unattended
> provisioning script. In checking the log after the provisioning failure,
> I saw the password was considered incorrect by the server.
>
> I never had this issue before 4.5.0 was released because prior to that,
> a smaller subset of special characters were allowed and any special
> character that needed to be escaped was removed. Upon further
> inspection, I discovered that the script I was using to provision my
> servers did not have the password quoted properly. I was able to modify
> that and the issue was resolved.
>
> Would it be better to exclude all special characters in the random
> password generation for host-add moving forward? When the special
> character set was expanded in 4.5.0, this could cause issues for people
> who were operating under the assumption that troublesome special
> characters were excluded.
>
> Here are some references for consideration.
>
> This is the original bug and the fix from 2012. This "fix" was removed
> in 4.5.0 and all special characters are now valid:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=827392
>
> Here is my pull request that will remove special characters from random
> OTP generation moving forward:
>
> https://github.com/freeipa/freeipa/pull/1505
>
> Do you think it should be left to the user to properly quote variables
> or remove the possibility of the issue by removing special characters
> for the host-add operation? Do you think that, since the whole array
> of special characters was opened up in 4.5.0, that this can be perceived
> as a "regression"?

I consider it a regression in that we used to specifically not return a set of characters and now it is possible. Certainly any consumers of that data should do proper quoting but if they bothered to look they would have seen that we excluded characters which made the shell blow up.

I think passing in special=None for a host OTP is sufficient given the entropy of the password shouldn't change (the string just gets a bit longer).

rob
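The trade-off discussed in this thread, as an added example that is not FreeIPA's code: it computes how much longer an alphanumeric-only password must be to keep the same entropy, and shows a constructed OTP with special characters arriving altered when the command line is not quoted. The `enroll-host --otp` command, the 128-bit target and the sample OTP are assumptions made for the illustration; Python's shlex models only POSIX quoting and backslash handling, not `$`, `;` or `&`.

```python
import math
import secrets
import shlex
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, none special to a shell
WITH_SPECIAL = ALNUM + string.punctuation      # 94 symbols, includes ' " \ $ ; &

# Constructed sample OTP (not real output) with a backslash and single quotes.
SAMPLE_SPECIAL_OTP = "T7\\q'w'K2"


def length_for_entropy(bits, alphabet):
    """Shortest length at which a uniformly random string has >= bits of entropy."""
    return math.ceil(bits / math.log2(len(set(alphabet))))


def generate_otp(bits=128, alphabet=ALNUM):
    """Random password of the requested strength, drawn with a CSPRNG."""
    length = length_for_entropy(bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def received_password(otp, quote):
    """Return the --otp value a program would receive from a shell command line.

    'enroll-host' is a hypothetical command used only for this illustration.
    Returns None when the line does not even parse (unbalanced quote).
    """
    arg = shlex.quote(otp) if quote else otp
    try:
        words = shlex.split("enroll-host --otp " + arg)
    except ValueError:
        return None
    return words[2] if len(words) == 3 else None


if __name__ == "__main__":
    for name, alphabet in (("alphanumeric", ALNUM), ("with special", WITH_SPECIAL)):
        n = length_for_entropy(128, alphabet)
        print(f"{name:13s} {len(alphabet):3d} symbols -> {n} characters for 128 bits")
    print("unquoted:", received_password(SAMPLE_SPECIAL_OTP, quote=False))
    print("quoted:  ", received_password(SAMPLE_SPECIAL_OTP, quote=True))
    otp = generate_otp()
    print("alnum OTP survives unquoted:", received_password(otp, quote=False) == otp)
```
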
[Freeipa-devel] [freeipa PR#310][closed] WIP: CLI testing
URL: https://github.com/freeipa/freeipa/pull/310
Author: mirielka
Title: #310: WIP: CLI testing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/310/head:pr310
git checkout pr310
[Freeipa-devel] [freeipa PR#1538][opened] Replace hard-coded paths with path constants
URL: https://github.com/freeipa/freeipa/pull/1538
Author: tiran
Title: #1538: Replace hard-coded paths with path constants
Action: opened

PR body:
"""
Several run() calls used hard-coded paths rather than pre-defined paths from ipaplatform.paths. The patch fixes all places that I was able to find with a simple search.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1538/head:pr1538
git checkout pr1538

From f63e2dc563f836fb856cbf39842968ee9f443785 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 7 Feb 2018 17:18:07 +0100
Subject: [PATCH] Replace hard-coded paths with path constants

Several run() calls used hard-coded paths rather than pre-defined paths from ipaplatform.paths. The patch fixes all places that I was able to find with a simple search.

Signed-off-by: Christian Heimes
--- client/ipa-client-automount| 2 +- install/tools/ipa-adtrust-install | 2 +- install/tools/ipa-ca-install | 2 +- install/tools/ipa-dns-install | 2 +- ipaclient/install/client.py| 6 +++--- ipaplatform/base/paths.py | 4 ipapython/kernel_keyring.py| 24 +++--- ipaserver/install/adtrustinstance.py | 6 -- ipaserver/install/installutils.py | 17 ++- ipaserver/install/ipa_backup.py| 4 ++-- ipaserver/install/ipa_restore.py | 4 ++-- ipatests/pytest_plugins/integration/__init__.py| 3 ++- ipatests/test_integration/test_caless.py | 2 +- .../test_xmlrpc/test_caacl_profile_enforcement.py | 3 ++- ipatests/test_xmlrpc/test_cert_plugin.py | 2 +- 15 files changed, 54 insertions(+), 29 deletions(-) diff --git a/client/ipa-client-automount b/client/ipa-client-automount index ee55d655c9..6c2816c410 100755 --- a/client/ipa-client-automount +++ b/client/ipa-client-automount
@@ -92,7 +92,7 @@ def wait_for_sssd(): time.sleep(1) while n < 10 and not found: try: -ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm]) +ipautil.run([paths.GETENT, "passwd", "admin@%s" % api.env.realm]) found = True except Exception: time.sleep(1) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index d4e5d4c09c..6e0c60a042 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -110,7 +110,7 @@ def read_admin_password(admin_name): def ensure_admin_kinit(admin_name, admin_password): try: -ipautil.run(['kinit', admin_name], stdin=admin_password+'\n') +ipautil.run([paths.KINIT, admin_name], stdin=admin_password+'\n') except ipautil.CalledProcessError: print("There was error to automatically re-kinit your admin user " "ticket.") diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 812dcb235e..212c432a1d 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -341,7 +341,7 @@ def main(): install(safe_options, options, filename) # execute ipactl to refresh services status -ipautil.run(['ipactl', 'start', '--ignore-service-failures'], +ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'], raiseonerr=False) api.Backend.ldap2.disconnect() diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install index a7f136b16a..0e527b2e83 100755 --- a/install/tools/ipa-dns-install +++ b/install/tools/ipa-dns-install @@ -150,7 +150,7 @@ def main(): dns_installer.install(True, False, options) # execute ipactl to refresh services status -ipautil.run(['ipactl', 'start', '--ignore-service-failures'], +ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'], raiseonerr=False) api.Backend.ldap2.disconnect() diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 5173d90bfe..2c7f2d3163 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -2576,7 +2576,7 @@ def _install(options): subject_base = DN(subject_base) if options.principal is not None: -run(["kdestroy"], raiseonerr=False, env=env) +run([paths.KDESTROY], raiseonerr=False, env=env) # Obtain the TGT. We do it with the temporary krb5.conf, so that # only the KDC we're installing under is contacted. @@ -2911,7 +2911,7 @@ def _install(options): # Particulary, SSSD might take longer than 6-8 seconds. while n < 10 and not found: try: -ipautil.run(["getent", "passwd", user]) +
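Review bot: In the wait_for_sssd hunk of client/ipa-client-automount, ipautil.run([paths.GETENT, ...]) still sits under a bare "except Exception", so a wrong or missing paths.GETENT on some platform is retried until the loop gives up and then looks the same as "user not resolvable yet". The value of this patch is that the binary is pinned to a known absolute path instead of a PATH lookup, so a bad path should be loud: catch only ipautil.CalledProcessError here (the type already used in ensure_admin_kinit) and let an execution failure propagate.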
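Review bot: In the ipa-ca-install hunk (and the identical one in ipa-dns-install), the call ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'], raiseonerr=False) does not inspect the result, so a non-zero exit from ipactl goes unreported. Keeping the failure non-fatal is fine, but since the line is being touched anyway, keep the returned result and log a warning when the service refresh did not succeed.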
[Freeipa-devel] [freeipa PR#1537][opened] ipa-kdb: use magic value to check if ipadb is used
URL: https://github.com/freeipa/freeipa/pull/1537 Author: sumit-bose Title: #1537: ipa-kdb: use magic value to check if ipadb is used Action: opened PR body: """ The certauth plugin is configured in /etc/krb5.conf independently form the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized. Resolves https://pagure.io/freeipa/issue/7261 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1537/head:pr1537 git checkout pr1537 From 86347cdaec7bb67335251d9ea3c718533584590a Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Wed, 7 Feb 2018 17:10:08 +0100 Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used The certauth plugin is configured in /etc/krb5.conf independently form the database module. As a result the IPA certauth plugin can be added to the configuration without the IPA DAL driver. Since the IPA certauth plugin depends on the presence of the IPA DAL driver this patch adds a magic value at the beginning of struct ipadb_context which can be checked to see if the IPA DAL driver is properly initialized. Resolves https://pagure.io/freeipa/issue/7261 --- daemons/ipa-kdb/ipa_kdb.c | 1 + daemons/ipa-kdb/ipa_kdb.h | 2 ++ daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c index b11153eccd..222900ae7a 100644 --- a/daemons/ipa-kdb/ipa_kdb.c +++ b/daemons/ipa-kdb/ipa_kdb.c 
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext, if (!ipactx) { return ENOMEM; } +ipactx->magic = IPA_CONTEXT_MAGIC; /* only check for unsupported 'temporary' value for now */ for (i = 0; db_args != NULL && db_args[i] != NULL; i++) { diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h index be2f457522..d187d969f5 100644 --- a/daemons/ipa-kdb/ipa_kdb.h +++ b/daemons/ipa-kdb/ipa_kdb.h @@ -101,7 +101,9 @@ struct ipadb_global_config { bool disable_preauth_for_spns; }; +#define IPA_CONTEXT_MAGIC 0x0c027ea7 struct ipadb_context { +int magic; char *uri; char *base; char *realm; diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c index 35e5e7d086..82589f2f92 100644 --- a/daemons/ipa-kdb/ipa_kdb_certauth.c +++ b/daemons/ipa-kdb/ipa_kdb_certauth.c @@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext, krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin."); ipactx = ipadb_get_context(kcontext); -if (ipactx == NULL) { +if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) { return KRB5_KDB_DBNOTINITED; } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
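Review bot: In ipadb_init_module the magic is written immediately after the allocation check, before the db_args loop and the rest of the setup run, so a context counts as IPA's from that point on even if a later step fails. The commit message describes the check as proof that the driver is "properly initialized"; either set ipactx->magic as the last step of a successful init, or make sure every error path and the module teardown clear it before the structure is freed.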
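Review bot: In struct ipadb_context the new member only works as a type tag while it stays the first field, but nothing in ipa_kdb.h says so. Add a comment above "int magic;" stating that it must remain first and that the certauth plugin compares it against IPA_CONTEXT_MAGIC, and consider uint32_t so the width of the tag is fixed on every platform.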
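Review bot: In ipa_get_init_data the new condition returns KRB5_KDB_DBNOTINITED for both a NULL context and a context with the wrong magic, without logging which one occurred. The wrong-magic case means certauth was enabled in krb5.conf without the IPA DAL driver, which is a misconfiguration that deserves its own krb5_klog_syslog line so an administrator can tell it apart from a database that is simply not up. Note also that ipactx->magic reads the first sizeof(int) bytes of whatever the active driver stored, so the check assumes any foreign context is at least that large.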
[Freeipa-devel] [freeipa PR#1533][closed] [Backport][ipa-4-6] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1533
Author: flo-renaud
Title: #1533: [Backport][ipa-4-6] ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1533/head:pr1533
git checkout pr1533
[Freeipa-devel] [freeipa PR#1532][closed] [Backport][ipa-4-5] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1532
Author: flo-renaud
Title: #1532: [Backport][ipa-4-5] ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1532/head:pr1532
git checkout pr1532
[Freeipa-devel] [freeipa PR#1527][closed] [Backport][ipa-4-5] Fix replica_promotion-domlevel0 test failures
URL: https://github.com/freeipa/freeipa/pull/1527
Author: tiran
Title: #1527: [Backport][ipa-4-5] Fix replica_promotion-domlevel0 test failures
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1527/head:pr1527
git checkout pr1527
[Freeipa-devel] [freeipa PR#1534][closed] [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall
URL: https://github.com/freeipa/freeipa/pull/1534
Author: tiran
Title: #1534: [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1534/head:pr1534
git checkout pr1534
[Freeipa-devel] [freeipa PR#1536][opened] Fix multiple uninstallation of server
URL: https://github.com/freeipa/freeipa/pull/1536 Author: tiran Title: #1536: Fix multiple uninstallation of server Action: opened PR body: """ "ipa-server-install --uninstall" no longer fails with error message "'Env' object has no attribute 'basedn'" when executed on a system that has no freeIPA server installation. Fixes: https://pagure.io/freeipa/issue/7063 Signed-off-by: Christian Heimes""" To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1536/head:pr1536 git checkout pr1536 From 8026c6d8e1803d2e8f3e5ee0dd54a696a421e9d1 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 7 Feb 2018 14:22:06 +0100 Subject: [PATCH] Fix multiple uninstallation of server "ipa-server-install --uninstall" no longer fails with error message "'Env' object has no attribute 'basedn'" when executed on a system that has no freeIPA server installation. Fixes: https://pagure.io/freeipa/issue/7063 Signed-off-by: Christian Heimes --- ipalib/config.py | 10 ++ ipaserver/secrets/kem.py | 20 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index 4ee10d2a80..52b032a25a 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -576,6 +576,16 @@ def _finalize_core(self, **defaults): if 'log' not in self: self.log = self._join('logdir', '%s.log' % self.context) +# Workaround for ipa-server-install --uninstall. When no config file +# is available, we set realm, domain, and basedn to RFC 2606 reserved +# suffix to suppress attribute errors during uninstallation. +if (self.in_server and self.context == 'installer' and +not getattr(self, 'config_loaded', False)): +if 'realm' not in self: +self.realm = 'UNCONFIGURED.INVALID' +if 'domain' not in self: +self.domain = self.realm.lower() + if 'basedn' not in self and 'domain' in self: self.basedn = DN(*(('dc', dc) for dc in self.domain.split('.'))) 
diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index 5521c4772b..ad932b6b68 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -207,12 +207,15 @@ class IPAKEMKeys(KEMKeysStore): def __init__(self, config=None, ipaconf=paths.IPA_DEFAULT_CONF): super(IPAKEMKeys, self).__init__(config) conf = ConfigParser() -conf.read(ipaconf) -self.host = conf.get('global', 'host') -self.realm = conf.get('global', 'realm') +self.host = None +self.realm = None self.ldap_uri = config.get('ldap_uri', None) -if self.ldap_uri is None: -self.ldap_uri = conf.get('global', 'ldap_uri', raw=True) +if conf.read(ipaconf): +self.host = conf.get('global', 'host') +self.realm = conf.get('global', 'realm') +if self.ldap_uri is None: +self.ldap_uri = conf.get('global', 'ldap_uri', raw=True) + self._server_keys = None def find_key(self, kid, usage): @@ -259,9 +262,10 @@ def remove_keys(self, servicename): """ self.remove_server_keys_file() principal = '%s/%s@%s' % (servicename, self.host, self.realm) -ldapconn = KEMLdap(self.ldap_uri) -ldapconn.del_key(KEY_USAGE_SIG, principal) -ldapconn.del_key(KEY_USAGE_ENC, principal) +if self.ldap_uri is not None: +ldapconn = KEMLdap(self.ldap_uri) +ldapconn.del_key(KEY_USAGE_SIG, principal) +ldapconn.del_key(KEY_USAGE_ENC, principal) @property def server_keys(self): ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
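Review bot: In _finalize_core the workaround is gated on in_server, context == 'installer' and a missing config_loaded flag, which holds for any installer run without a config file, not only for --uninstall. An install that reaches this code before realm is set would silently get UNCONFIGURED.INVALID and a basedn derived from it. Narrow the condition to the uninstall path, or document why the placeholder cannot leak into a real installation; the comment also says basedn is set here, while the code sets only realm and domain and relies on the existing fallback below it.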
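Review bot: In IPAKEMKeys.__init__ the signature keeps config=None, yet self.ldap_uri = config.get('ldap_uri', None) still runs unconditionally, so calling the constructor with the default raises AttributeError before the new conf.read(ipaconf) guard is reached. If the goal is to survive an unconfigured host, guard the config lookup as well, and add a comment that host and realm stay None when the file cannot be read so callers know to check them.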
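Review bot: In remove_keys the principal is still formatted before the new ldap_uri check, so on an unconfigured host it becomes "servicename/None@None", and the LDAP key deletion is then skipped without any log entry. Move the principal construction inside the "if self.ldap_uri is not None" block and log that removal of the keys from LDAP was skipped, so that an uninstall which could not reach the directory is visible in the logs.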
[Freeipa-devel] [freeipa PR#1535][opened] [WIP] Deprecate NTP
URL: https://github.com/freeipa/freeipa/pull/1535 Author: Tiboris Title: #1535: [WIP] Deprecate NTP Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1535/head:pr1535 git checkout pr1535 From 6ceb7bf604777a0069e1fc871d154bcef5a1519d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?=Date: Fri, 2 Feb 2018 13:16:29 +0100 Subject: [PATCH] [WIP] Deprecate NTP --- freeipa.spec.in | 11 --- ipaclient/install/client.py | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index be2cb869a5..24793eceb8 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -322,7 +322,6 @@ Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} -Requires: ntp Requires: httpd >= 2.4.6-31 %if 0%{with_python3} Requires(preun): python3 @@ -579,7 +578,6 @@ Requires: python2-ldap >= %{python2_ldap_version} Requires: python2-sssdconfig %endif Requires: cyrus-sasl-gssapi%{?_isa} -Requires: ntp Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl @@ -1269,15 +1267,6 @@ if [ $1 -gt 1 ] ; then fi fi -if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then -if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then -sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew -mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd - -/bin/systemctl condrestart ntpd.service 2>&1 || : -fi -fi - if [ $restore -ge 2 ]; then %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 5173d90bfe..543697c460 100644 --- a/ipaclient/install/client.py 
+++ b/ipaclient/install/client.py @@ -3442,7 +3442,7 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface, ntp_servers = enroll_only(ntp_servers) no_ntp = knob( -None, +None, True, description="do not configure ntp", cli_names=[None, '-N'], ) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
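Review bot: In freeipa.spec.in both "Requires: ntp" lines are dropped while the client.py hunk of the same patch still shows the ntp_servers and no_ntp knobs in ClientInstallInterface, so the installer keeps an NTP code path whose package is no longer guaranteed to be installed. The removed scriptlet also stripped "-u ntp:ntp" from /etc/sysconfig/ntpd on upgrade; the commit message is empty and should say why that cleanup is no longer needed for hosts upgrading from older releases.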
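Review bot: In the no_ntp knob the change to "None, True," adds True as the second positional argument, which reads as making "do not configure ntp" the default, but the description is unchanged and -N remains the only CLI name. If that is the intent, the option as shown can no longer change anything and there is no visible way to ask for NTP configuration; update the description to mark the option as deprecated, or add the opposite switch, and explain the new default in the commit message.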
[Freeipa-devel] [freeipa PR#1534][opened] [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall
URL: https://github.com/freeipa/freeipa/pull/1534 Author: tiran Title: #1534: [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall Action: opened PR body: """ This PR was opened automatically because PR #1459 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1534/head:pr1534 git checkout pr1534 From be54239bfc51913216c2f362c911308731900667 Mon Sep 17 00:00:00 2001 From: Felipe BarretoDate: Fri, 26 Jan 2018 14:31:14 -0200 Subject: [PATCH] Make IntegrationTest fail if an error happened during uninstall Before this change, if the uninstall process fails, the test would not fail, due to the raiseonerr=False. It's necessary to remove the uninstall call in CALessBase because in TestIntegration there is another uninstall call. So, without the raiseonerr=False, it would make the uninstall process fail, since the master is already uninstalled. https://pagure.io/freeipa/issue/7357 --- ipatests/pytest_plugins/integration/tasks.py | 2 +- ipatests/test_integration/test_caless.py | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py index a6fdca39e6..d9ba187d92 100644 --- a/ipatests/pytest_plugins/integration/tasks.py +++ b/ipatests/pytest_plugins/integration/tasks.py @@ -710,7 +710,7 @@ def uninstall_master(host, ignore_topology_disconnect=True, if ignore_last_of_role and host_domain_level != DOMAIN_LEVEL_0: uninstall_cmd.append('--ignore-last-of-role') -host.run_command(uninstall_cmd, raiseonerr=False) +host.run_command(uninstall_cmd) host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'], raiseonerr=False) host.run_command(['rm', '-rf', diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 76f40292fd..09973dd1f8 100644 
--- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -159,8 +159,6 @@ def install(cls, mh): def uninstall(cls, mh): # Remove the NSS database shutil.rmtree(cls.cert_dir) -for host in cls.get_all_hosts(): -tasks.uninstall_master(host) super(CALessBase, cls).uninstall(mh) @classmethod ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
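Review bot: In uninstall_master, dropping raiseonerr=False means a failed uninstall_cmd now raises before the pkidestroy and rm -rf cleanup calls that follow it, so the host is left in a dirty state for the next test on top of the reported failure. Run the uninstall inside try/finally with the cleanup commands in the finally block, so the test still fails but the leftover CA instance and files are removed.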
[Freeipa-devel] [freeipa PR#1459][closed] Make IntegrationTest fail if an error happened during uninstall
URL: https://github.com/freeipa/freeipa/pull/1459
Author: felipevolpone
Title: #1459: Make IntegrationTest fail if an error happened during uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1459/head:pr1459
git checkout pr1459
[Freeipa-devel] Contribute/Code wiki page updated
Hi all,

I've updated the Contribute/Code wiki page to reflect reality: https://www.freeipa.org/index.php?title=Contribute%2FCode=revision=15186=15023

Main changes:
- removal of contribution process through sending emails with a patch. We have not received such a contribution for a very long time. It makes the page unnecessarily long and we require CI checks to pass so pull request is a must. If somebody sends it via email then we will deal with it, but no need to advertise it.
- replacement of mentions and link to Trac with Pagure
- updated review process that it requires to pass CI checks
- updated devel mailing list link

--
Petr Vobornik
Associate Manager, Engineering, Identity Management
Red Hat
[Freeipa-devel] [freeipa PR#1532][opened] [Backport][ipa-4-5] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1532 Author: flo-renaud Title: #1532: [Backport][ipa-4-5] ipa-advise for smartcards updated Action: opened PR body: """ This PR was opened automatically because PR #1469 was pushed to master and backport to ipa-4-5 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1532/head:pr1532 git checkout pr1532 From fe1a5462e619b27ad194e7eebdf0e9fd51ee50b7 Mon Sep 17 00:00:00 2001 From: amitkumaDate: Tue, 16 Jan 2018 15:56:25 +0530 Subject: [PATCH] ipa-advise for smartcards updated .. authconfig --enablesmartcard --smartcardmodule=sssd --updateall Advise is updated to: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall Resolves: https://pagure.io/freeipa/issue/7358 --- ipaserver/advise/plugins/smart_card_auth.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index fb328f29ca..109e9ba381 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self): def run_authconfig_to_configure_smart_card_auth(self): self.log.exit_on_failed_command( -'authconfig --enablesmartcard --smartcardmodule=sssd --updateall', + 'authconfig --enablesssd --enablesssdauth --enablesmartcard ' + '--smartcardmodule=sssd --smartcardaction=1 --updateall', [ 'Failed to configure Smart Card authentication in SSSD' ] ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
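Review bot: In run_authconfig_to_configure_smart_card_auth the new command passes --smartcardaction=1 as a bare number, and neither the code nor the commit message says which card-removal action that value selects or why the advice needs it. Add a short comment above the command string naming the action, since administrators will copy this line onto clients and the choice affects what happens to a session when the card is pulled.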
[Freeipa-devel] [freeipa PR#1533][opened] [Backport][ipa-4-6] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1533 Author: flo-renaud Title: #1533: [Backport][ipa-4-6] ipa-advise for smartcards updated Action: opened PR body: """ This PR was opened automatically because PR #1469 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1533/head:pr1533 git checkout pr1533 From 79cc5781760e4980677f98ab1108be6955463d9f Mon Sep 17 00:00:00 2001 From: amitkumaDate: Tue, 16 Jan 2018 15:56:25 +0530 Subject: [PATCH] ipa-advise for smartcards updated .. authconfig --enablesmartcard --smartcardmodule=sssd --updateall Advise is updated to: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall Resolves: https://pagure.io/freeipa/issue/7358 --- ipaserver/advise/plugins/smart_card_auth.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index fb328f29ca..109e9ba381 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py @@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self): def run_authconfig_to_configure_smart_card_auth(self): self.log.exit_on_failed_command( -'authconfig --enablesmartcard --smartcardmodule=sssd --updateall', + 'authconfig --enablesssd --enablesssdauth --enablesmartcard ' + '--smartcardmodule=sssd --smartcardaction=1 --updateall', [ 'Failed to configure Smart Card authentication in SSSD' ] ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
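Review bot: The new command adds --enablesssd and --enablesssdauth, which switch the host's general identity and authentication setup to SSSD, but the failure text passed to exit_on_failed_command still reads only "Failed to configure Smart Card authentication in SSSD". Say in the advice output that the command also enables SSSD for user lookup and authentication, and give the reason in the commit message, which currently shows just the old and new command lines.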
[Freeipa-devel] [freeipa PR#1469][closed] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1469
Author: amitkumar50
Title: #1469: ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1469/head:pr1469
git checkout pr1469
[Freeipa-devel] [freeipa PR#1420][closed] Fix python-ldap byte warnings
URL: https://github.com/freeipa/freeipa/pull/1420
Author: tiran
Title: #1420: Fix python-ldap byte warnings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1420/head:pr1420
git checkout pr1420
[Freeipa-devel] [freeipa PR#927][closed] WebUI: Cockpit integration
URL: https://github.com/freeipa/freeipa/pull/927
Author: pvomacka
Title: #927: WebUI: Cockpit integration
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/927/head:pr927
git checkout pr927
[Freeipa-devel] [freeipa PR#1458][closed] Prepare migration of mod_nss NSSDB to sql format
URL: https://github.com/freeipa/freeipa/pull/1458
Author: tiran
Title: #1458: Prepare migration of mod_nss NSSDB to sql format
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1458/head:pr1458
git checkout pr1458
[Freeipa-devel] [freeipa PR#1339][closed] Bump 389-ds-base to 1.3.7.8-1
URL: https://github.com/freeipa/freeipa/pull/1339
Author: stlaz
Title: #1339: Bump 389-ds-base to 1.3.7.8-1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1339/head:pr1339
git checkout pr1339