[Freeipa-devel] [freeipa PR#774][+ack] Remove pkinit-anonymous command

2017-05-23 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/774
Title: #774: Remove pkinit-anonymous command

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#774][comment] Remove pkinit-anonymous command

2017-05-23 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/774
Title: #774: Remove pkinit-anonymous command

martbab commented:
"""
master:

* 24099d0f806103d8ec57d69fc97e9b4ae061bfdd Remove pkinit-anonymous command
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/774#issuecomment-303448710


[Freeipa-devel] [freeipa PR#774][closed] Remove pkinit-anonymous command

2017-05-23 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/774
Author: stlaz
 Title: #774: Remove pkinit-anonymous command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/774/head:pr774
git checkout pr774


[Freeipa-devel] [freeipa PR#774][+pushed] Remove pkinit-anonymous command

2017-05-23 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/774
Title: #774: Remove pkinit-anonymous command

Label: +pushed


[Freeipa-devel] [freeipa PR#774][comment] Remove pkinit-anonymous command

2017-05-23 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/774
Title: #774: Remove pkinit-anonymous command

martbab commented:
"""
ipa-4-5 needs a separate PR due to merge conflicts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/774#issuecomment-303449122


[Freeipa-devel] [freeipa PR#790][synchronized] RFC: API for reporting PKINIT status

2017-05-24 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/790
Author: martbab
 Title: #790: RFC: API for reporting PKINIT status
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/790/head:pr790
git checkout pr790
From 4f6876c27d467bfe1fc49ba960d1e2282335e946 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 11 May 2017 15:55:53 +0200
Subject: [PATCH 1/6] Allow for multivalued server attributes

In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order to not break Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937
---
 ipaserver/plugins/serverroles.py|   4 +-
 ipaserver/servroles.py  | 109 +++-
 ipatests/test_ipaserver/test_serverroles.py |  10 +--
 3 files changed, 79 insertions(+), 44 deletions(-)

diff --git a/ipaserver/plugins/serverroles.py b/ipaserver/plugins/serverroles.py
index e22eadd7b1..e81635c331 100644
--- a/ipaserver/plugins/serverroles.py
+++ b/ipaserver/plugins/serverroles.py
@@ -136,9 +136,7 @@ def config_retrieve(self, servrole):
 
 for name, attr in assoc_attributes.items():
 attr_value = attr.get(self.api)
-
-if attr_value is not None:
-result.update({name: attr_value})
+result.update({name: attr_value})
 
 return result
 
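Review bot: dropping the `if attr_value is not None` guard in config_retrieve means any server attribute whose get() still returns None will now show up in the result as a None value; this is only safe if every attribute class's get() returns a list after the vectorization (the servroles.py hunk of this same patch turns one bare `return` into `return []`). Please confirm all get() implementations were converted, and decide whether an empty list should be reported or omitted, since unset attributes were previously left out of the result entirely.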
diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
index cf4551..84fed1046b 100644
--- a/ipaserver/servroles.py
+++ b/ipaserver/servroles.py
@@ -277,29 +277,33 @@ def get(self, api_instance):
 try:
 entries = ldap2.get_entries(search_base, filter=search_filter)
 except errors.EmptyResult:
-return
+return []
 
-master_cn = entries[0].dn[1]['cn']
+master_cns = {e.dn[1]['cn'] for e in entries}
 
 associated_role_providers = set(
 self._get_assoc_role_providers(api_instance))
 
-if master_cn not in associated_role_providers:
+if not master_cns.issubset(associated_role_providers):
 raise errors.ValidationError(
 name=self.name,
 error=_("all masters must have %(role)s role enabled" %
 {'role': self.associated_role.name})
 )
 
-return master_cn
+return sorted(master_cns)
 
-def _get_master_dn(self, api_instance, server):
-return DN(('cn', server), api_instance.env.container_masters,
-  api_instance.env.basedn)
+def _get_master_dns(self, api_instance, servers):
+return [
+DN(('cn', server), api_instance.env.container_masters,
+   api_instance.env.basedn) for server in servers]
+
+def _get_masters_service_entries(self, ldap, master_dns):
+service_dns = [
+DN(('cn', self.associated_service_name), master_dn) for master_dn
+in master_dns]
 
-def _get_masters_service_entry(self, ldap, master_dn):
-service_dn = DN(('cn', self.associated_service_name), master_dn)
-return ldap.get_entry(service_dn)
+return [ldap.get_entry(service_dn) for service_dn in service_dns]
 
 def _add_attribute_to_svc_entry(self, ldap, service_entry):
 """
@@ -341,65 +345,98 @@ def _get_assoc_role_providers(self, api_instance):
 r[u'server_server'] for r in self.associated_role.status(
 api_instance) if r[u'status'] == ENABLED]
 
-def _remove(self, api_instance, master):
+def _remove(self, api_instance, masters):
 """
-remove attribute from the master
+remove attribute from one or more masters
 
 :param api_instance: API instance
-:param master: master FQDN
+:param master: list or iterable containing master FQDNs
 """
 
 ldap = api_instance.Backend.ldap2
 
-master_dn = self._get_master_dn(api_instance, master)
-service_entry = self._get_masters_service_entry(ldap, master_dn)
-self._remove_attribute_from_svc_entry(ldap, service_entry)
+master_dns = self._get_master_dns(api_instance, masters)
+service_entries = self._get_masters_service_entries(ldap, master_dns)
+
+for service_entry in service_entries:
+self._remove_attribute_from_svc_entry(ldap, service_entry)
 
-def _add(self, api_instance, master):
+def _add(self, api_instance, masters):
 """
 add attribute to the master
 :param api_instance: API instance
-:param master: master FQDN
+:param master: iterable containing master FQDNs
 
 :raises: * errors.ValidationError if the associated role is not enabled
on the master
 """
 
-
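Review bot: the docstrings of _remove and _add were not updated with the parameter rename: both still say `:param master:` while the signatures now take `masters`, and _add's summary still reads "add attribute to the master". Rename the docstring parameters to `masters` and pluralize both summaries so the generated API documentation matches the code.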

[Freeipa-devel] [freeipa PR#811][+ack] [4.5] Remove pkinit-anonymous command

2017-05-24 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command

Label: +ack


[Freeipa-devel] [freeipa PR#811][closed] [4.5] Remove pkinit-anonymous command

2017-05-24 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/811
Author: stlaz
 Title: #811: [4.5] Remove pkinit-anonymous command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/811/head:pr811
git checkout pr811


[Freeipa-devel] [freeipa PR#811][comment] [4.5] Remove pkinit-anonymous command

2017-05-24 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command

martbab commented:
"""
ipa-4-5:

* 4e878c3dc6f72cae4e7b4cb2ef45f2f4e91ac287 Remove pkinit-anonymous command
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/811#issuecomment-303772501


[Freeipa-devel] [freeipa PR#811][+pushed] [4.5] Remove pkinit-anonymous command

2017-05-24 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/811
Title: #811: [4.5] Remove pkinit-anonymous command

Label: +pushed


[Freeipa-devel] [freeipa PR#804][closed] krb5: make sure KDC certificate is readable

2017-05-25 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/804
Author: abbra
 Title: #804: krb5: make sure KDC certificate is readable
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/804/head:pr804
git checkout pr804


[Freeipa-devel] [freeipa PR#804][comment] krb5: make sure KDC certificate is readable

2017-05-25 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

martbab commented:
"""
master:

* 9c3fad9cef7785a65c795f1b4fc3f94e50af9db2 krb5: make sure KDC certificate is readable

ipa-4-5:

* db7967061b9b7d001c923ce3da9d6c6036627253 krb5: make sure KDC certificate is readable
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/804#issuecomment-303998000


[Freeipa-devel] [freeipa PR#804][+pushed] krb5: make sure KDC certificate is readable

2017-05-25 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/804
Title: #804: krb5: make sure KDC certificate is readable

Label: +pushed


[Freeipa-devel] [freeipa PR#816][opened] only stop/disable simple service if it is installed

2017-05-25 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/816
Author: martbab
 Title: #816: only stop/disable simple service if it is installed
Action: opened

PR body:
"""
The SimpleServiceInstance uninstaller assumed that the service to
uninstall was always present on the system. This may not be valid in
some cases (e.g. containerized deployments) and thus we need to change
the service state only when we know that the unit file exists.

https://pagure.io/freeipa/issue/6977
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/816/head:pr816
git checkout pr816
From dca1ca780be369544d1886ff489301eaee48a317 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 23 May 2017 16:35:01 +0200
Subject: [PATCH] only stop/disable simple service if it is installed

The SimpleServiceInstance uninstaller assumed that the service to
uninstall was always present on the system. This may not be valid in
some cases (e.g. containerized deployments) and thus we need to change
the service state only when we know that the unit file exists.

https://pagure.io/freeipa/issue/6977
---
 ipaserver/install/service.py | 19 +++
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 1aa49ed25b..0523e914aa 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -674,18 +674,21 @@ def __enable(self):
 else:
 self.ldap_enable(self.gensvc_name, self.fqdn, None, self.suffix)
 
+def is_installed(self):
+return self.service.is_installed()
+
 def uninstall(self):
 if self.is_configured():
 self.print_msg("Unconfiguring %s" % self.service_name)
 
-self.stop()
-self.disable()
-
 running = self.restore_state("running")
 enabled = self.restore_state("enabled")
 
-# restore the original state of service
-if running:
-self.start()
-if enabled:
-self.enable()
+if self.is_installed():
+self.stop()
+self.disable()
+
+if running:
+self.start()
+if enabled:
+self.enable()
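Review bot: when is_installed() returns False the saved "running"/"enabled" state is still consumed by restore_state but nothing is logged, so an uninstall on a host without the unit file silently skips stop/disable/start/enable; add a debug message in that branch so the reason is visible in the uninstall log. The new is_installed() method also lacks a docstring, unlike the surrounding methods.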


[Freeipa-devel] [freeipa PR#796][+ack] Move selinux booleans to ipaplatform

2017-05-25 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform

Label: +ack


[Freeipa-devel] [freeipa PR#796][comment] Move selinux booleans to ipaplatform

2017-05-25 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform

martbab commented:
"""
master:

* 1a6de32c9e74493ca677353a0c7f14aa45977b6b httpd: move SELinux settings to constants
* 663f227a5cd8ee4eb2b365d2765b330a9aa60685 adtrust: move SELinux settings to constants
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/796#issuecomment-304204580


[Freeipa-devel] [freeipa PR#796][closed] Move selinux booleans to ipaplatform

2017-05-25 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/796
Author: MartinBasti
 Title: #796: Move selinux booleans to ipaplatform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/796/head:pr796
git checkout pr796


[Freeipa-devel] [freeipa PR#796][+pushed] Move selinux booleans to ipaplatform

2017-05-25 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/796
Title: #796: Move selinux booleans to ipaplatform

Label: +pushed


[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

martbab commented:
"""
@HonzaCholasta thanks for looking at the API, anyone for functional review?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/790#issuecomment-304218253


[Freeipa-devel] [freeipa PR#819][+ack] [ipa-4-5] Change python-cryptography to python2-cryptography

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography

Label: +ack


[Freeipa-devel] [freeipa PR#819][closed] [ipa-4-5] Change python-cryptography to python2-cryptography

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/819
Author: pvomacka
 Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/819/head:pr819
git checkout pr819


[Freeipa-devel] [freeipa PR#819][comment] [ipa-4-5] Change python-cryptography to python2-cryptography

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography

martbab commented:
"""
ipa-4-5:

* 14ff94a0d481051613338a512260b6a473671538 Change python-cryptography to python2-cryptography
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/819#issuecomment-304242752


[Freeipa-devel] [freeipa PR#819][+pushed] [ipa-4-5] Change python-cryptography to python2-cryptography

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/819
Title: #819: [ipa-4-5] Change python-cryptography to python2-cryptography

Label: +pushed


[Freeipa-devel] [freeipa PR#820][opened] Amend some regressions in backup/restore tests

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/820
Author: martbab
 Title: #820: Amend some regressions in backup/restore tests
Action: opened

PR body:
"""
After investigating the backup_restore test failures in CI I found out that
most of them were caused by recently introduced changes in 4.5 development and
are quite easy to fix.

The last one, however, is caused by some bug in Vault and may not be as easy as
it seems.

https://pagure.io/freeipa/issue/6956
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/820/head:pr820
git checkout pr820
From 131208291ececfec78ae8b0bba2fe7330a61b1a3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 25 May 2017 14:02:10 +0200
Subject: [PATCH 1/2] test_backup_restore: do not fail on missing
 KrbLastSuccessfulAuth

Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 833baed366..2899434b9d 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -58,7 +58,7 @@ def check_admin_in_ldap(host):
 assert entry.dn == user_dn
 assert entry['uid'] == ['admin']
 
-del entry['krbLastSuccessfulAuth']
+entry.pop('krbLastSuccessfulAuth', None)
 
 return entry
 
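Review bot: the commit message names the attribute 'KrbLastSuccessfulAuth' while the code uses 'krbLastSuccessfulAuth'; LDAP attribute types are case-insensitive, so `entry.pop('krbLastSuccessfulAuth', None)` behaves correctly either way, but use one spelling in message and code so the two can be grepped together.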

From 7b6cc89621e81ca10ed4370480729168e9ae8691 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:39:35 +0200
Subject: [PATCH 2/2] Do not delete DS and PKI users during backup/restore
 tests

Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 2899434b9d..a90d9fbc53 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -165,9 +165,6 @@ def test_full_backup_and_restore_with_removed_users(self):
  '--uninstall',
  '-U'])
 
-self.master.run_command(['userdel', constants.DS_USER])
-self.master.run_command(['userdel', constants.PKI_USER])
-
 homedir = os.path.join(self.master.config.test_dir,
'testuser_homedir')
 self.master.run_command(['useradd', 'ipatest_user1',
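Review bot: with both `constants.DS_USER` and `constants.PKI_USER` uses removed, the `from ipaplatform.constants import constants` import in this file is most likely unused now and will be flagged by pylint (unused-import) in CI; drop the import in the same commit if nothing else in the module references it.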


[Freeipa-devel] [freeipa PR#701][comment] ipa help doesn't always work

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/701
Title: #701: ipa help doesn't always work

martbab commented:
"""
@neffs please fix pylint error reported in Travis CI:

```console
* Module ipaclient.remote_plugins.schema

ipaclient/remote_plugins/schema.py:519: [E1101(no-member), Schema.get_help] Instance of 'dict' has no 'decode' member)

make: *** [pylint] Error 2

Makefile:1175: recipe for target 'pylint' failed
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/701#issuecomment-304254492


[Freeipa-devel] [freeipa PR#802][comment] Improve cert messages some more + do that for KDC certs as well

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/802
Title: #802: Improve cert messages some more + do that for KDC certs as well

martbab commented:
"""
I would personally prefer to leave the output as is (be it verbose) rather than 
spending time on trying to devise some fancy-pants output parsing code that 
would pull in additional bugs and inconsistencies.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/802#issuecomment-304261563


[Freeipa-devel] [freeipa PR#820][synchronized] Amend some regressions in backup/restore tests

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/820
Author: martbab
 Title: #820: Amend some regressions in backup/restore tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/820/head:pr820
git checkout pr820
From 131208291ececfec78ae8b0bba2fe7330a61b1a3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 25 May 2017 14:02:10 +0200
Subject: [PATCH 1/2] test_backup_restore: do not fail on missing
 KrbLastSuccessfulAuth

Since FreeIPA 4.5.1 now sets 'Disable last successful auth' option by
default (see https://pagure.io/freeipa/issue/5313), the
'KrbLastSuccessfulAuth' may not always be present on the user entry. The
restored entry checker in backup/restore suite should consider this.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 833baed366..2899434b9d 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -58,7 +58,7 @@ def check_admin_in_ldap(host):
 assert entry.dn == user_dn
 assert entry['uid'] == ['admin']
 
-del entry['krbLastSuccessfulAuth']
+entry.pop('krbLastSuccessfulAuth', None)
 
 return entry
 

From e9ca893c5b5785c0e00a0373b43b1a5db3cf1237 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:39:35 +0200
Subject: [PATCH 2/2] Do not delete DS and PKI users during backup/restore
 tests

Since the creation of DS and PKI users is now handled by RPMs and not at
runtime in FreeIPA 4.5.x, we should no longer remove them during
backup/restore tests.

https://pagure.io/freeipa/issue/6956
---
 ipatests/test_integration/test_backup_and_restore.py | 4 
 1 file changed, 4 deletions(-)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index 2899434b9d..bb648d71b7 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -23,7 +23,6 @@
 import re
 import contextlib
 
-from ipaplatform.constants import constants
 from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
@@ -165,9 +164,6 @@ def test_full_backup_and_restore_with_removed_users(self):
  '--uninstall',
  '-U'])
 
-self.master.run_command(['userdel', constants.DS_USER])
-self.master.run_command(['userdel', constants.PKI_USER])
-
 homedir = os.path.join(self.master.config.test_dir,
'testuser_homedir')
 self.master.run_command(['useradd', 'ipatest_user1',
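Review bot: after the userdel calls are removed, test_full_backup_and_restore_with_removed_users no longer removes the DS and PKI users, so the method name shown in the hunk header no longer describes what the test exercises; rename it or adjust its docstring so it reflects the remaining scenario.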


[Freeipa-devel] [freeipa PR#821][opened] fix incorrect suffix handling in topology checks

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
 Title: #821: fix incorrect suffix handling in topology checks
Action: opened

PR body:
"""
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
the value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return an empty list
instead so as not to break calling cod attribute, the code that tries to
retrieve the value for further computations passes None and causes
unhandled internal errors. We should return an empty list instead.

https://pagure.io/freeipa/issue/6965
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
From 7543b48870f1046067fd8adf4106bb72c6b688dc Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
the value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return an empty list
instead so as not to break calling cod attribute, the code that tries to
retrieve the value for further computations passes None and causes
unhandled internal errors. We should return an empty list instead.

https://pagure.io/freeipa/issue/6965
---
 ipaserver/topology.py | 7 ++-
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/ipaserver/topology.py b/ipaserver/topology.py
index 385da29a66..7da68552f5 100644
--- a/ipaserver/topology.py
+++ b/ipaserver/topology.py
@@ -74,11 +74,8 @@ def map_masters_to_suffixes(masters):
 masters_to_suffix = {}
 
 for master in masters:
-try:
-managed_suffixes = master.get(
-'iparepltopomanagedsuffix_topologysuffix')
-except KeyError:
-continue
+managed_suffixes = master.get(
+'iparepltopomanagedsuffix_topologysuffix', [])
 
 for suffix_name in managed_suffixes:
 try:
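Review bot: no regression test accompanies this fix (the diffstat touches only ipaserver/topology.py); add a unit test with a master entry lacking `iparepltopomanagedsuffix_topologysuffix` so the None propagation this commit fixes cannot come back. The removed `try/except KeyError` was never reachable, because `.get()` returns None instead of raising, which is why the old code failed later in `for suffix_name in managed_suffixes` rather than skipping the master; the new default of `[]` is the right fix.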


[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

martbab commented:
"""
Well the command is intended to be used either by administrators or by hosts 
themselves so I have no problem with unprivileged users not seeing anything. We 
can fix it in a separate PR if the need arises anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/790#issuecomment-304291965


[Freeipa-devel] [freeipa PR#790][+pushed] RFC: API for reporting PKINIT status

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

Label: +pushed


[Freeipa-devel] [freeipa PR#790][comment] RFC: API for reporting PKINIT status

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/790
Title: #790: RFC: API for reporting PKINIT status

martbab commented:
"""
ipa-4-5:

* c4aa3a17694b1ad8f9c60c98a95d217c01fc736c Allow for multivalued server attributes
* 753f8cf3aff07d22b35005b973e8518665d1fe6f Refactor the role/attribute member reporting code
* fbccb748a1c85b7ed67946ba7a11a960b839bcc9 Add an attribute reporting client PKINIT-capable servers
* 733cef9d5b0ae8312789371689939902d257 Add the list of PKINIT servers as a virtual attribute to global config
* 6b815aae7174693b4952f2c60e7201d99e7b9684 Add `pkinit-status` command
* 4fa29a33765cb5d6ce86846f37766e5d3322f25f test_serverroles: Get rid of MockLDAP and use ldap2 instead

master:

* bddb90f38a3505a2768862d2f814c5e749a7dcde Allow for multivalued server attributes
* cac7e49daa04e838650548cc9162b8f117dc55b3 Refactor the role/attribute member reporting code
* d8bb23ac389929f28c584602e592b821e4c6ef9a Add an attribute reporting client PKINIT-capable servers
* f80553208e8d9f3df422f5be8e1cafa511e1b2c4 Add the list of PKINIT servers as a virtual attribute to global config
* 99352731b4b4bdcedfe6668ce71c1d67720ac4af Add `pkinit-status` command
* 58fd229a1dbb3f00a591de9417f36197141e26d7 test_serverroles: Get rid of MockLDAP and use ldap2 instead
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/790#issuecomment-304292760


[Freeipa-devel] [freeipa PR#790][closed] RFC: API for reporting PKINIT status

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/790
Author: martbab
 Title: #790: RFC: API for reporting PKINIT status
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/790/head:pr790
git checkout pr790


[Freeipa-devel] [freeipa PR#816][+pushed] only stop/disable simple service if it is installed

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed

Label: +pushed


[Freeipa-devel] [freeipa PR#816][comment] only stop/disable simple service if it is installed

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/816
Title: #816: only stop/disable simple service if it is installed

martbab commented:
"""
ipa-4-5:

* 6114150de20a7d8371c7383f619cd0fefe339cbf only stop/disable simple service if it is installed

master:

* 8b6f8ed7d47542b9bd8b7453a8a0e202ed1db97d only stop/disable simple service if it is installed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/816#issuecomment-304293870


[Freeipa-devel] [freeipa PR#816][closed] only stop/disable simple service if it is installed

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/816
Author: martbab
 Title: #816: only stop/disable simple service if it is installed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/816/head:pr816
git checkout pr816
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#812][comment] [WIP] Refactoring cert-find to use API call directly instead of using

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/812
Title: #812: [WIP] Refactoring cert-find to use API call directly instead of 
using

martbab commented:
"""
Remember that you have to use 'exact=False' in the filter to perform substring 
search for krbPrincipalName given the fact that (except for services) the 
principal is constructed from primary key by appending realm (and prepending 
`host/` in the case of hosts). This, however, opens a range of possibilities 
for a new bug to creep in (considering 'tuser' is the owner but we have 'tuser1' 
and 'tuser2' in LDAP, what will your search filter return?).

That's why I think this is not a correct solution given we currently reference 
owners by primary keys and not by principals (krbPrincipalName != primary key 
in most cases except services without krbCanonicalName attribute). I am more 
inclined to @HonzaCholasta's solution as it seems cleaner to me. An alternative 
is to report principals as cert owners, which will break the API, however.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/812#issuecomment-304304587
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
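The over-matching described in the comment above, as an added example that is not FreeIPA's own code: a substring assertion on krbPrincipalName built from the bare primary key pulls in 'tuser1', 'tuser2' and even the host 'tuser.example.test', while an equality match on the principal reconstructed from the key (pkey@REALM, host/pkey@REALM, or the service's own key) returns only the owner. The modelling of FreeIPA's `exact=False` as an RFC 4515 `(attr=*value*)` substring filter, the realm EXAMPLE.TEST, the sample entries and the case-sensitive comparison are all assumptions made for this example.

```python
"""Added example, not FreeIPA code: why a substring match on krbPrincipalName
over-matches when cert owners are referenced by primary key, and what an
exact match on a principal rebuilt from that key returns instead.

Assumptions (not from the PR): `exact=False` is modelled as an RFC 4515
substring assertion (attr=*value*), the realm is EXAMPLE.TEST, and
krbPrincipalName values are compared case-sensitively.
"""
import re

REALM = "EXAMPLE.TEST"
BASE = "cn=accounts,dc=example,dc=test"

# Constructed sample entries standing in for ldap2 search results.
SAMPLE_ENTRIES = [
    {"dn": "uid=tuser,cn=users," + BASE, "krbPrincipalName": ["tuser@EXAMPLE.TEST"]},
    {"dn": "uid=tuser1,cn=users," + BASE, "krbPrincipalName": ["tuser1@EXAMPLE.TEST"]},
    {"dn": "uid=tuser2,cn=users," + BASE, "krbPrincipalName": ["tuser2@EXAMPLE.TEST"]},
    {"dn": "fqdn=tuser.example.test,cn=computers," + BASE,
     "krbPrincipalName": ["host/tuser.example.test@EXAMPLE.TEST"]},
    {"dn": "krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services," + BASE,
     "krbPrincipalName": ["HTTP/web.example.test@EXAMPLE.TEST",
                          "HTTP/alias.example.test@EXAMPLE.TEST"],
     "krbCanonicalName": ["HTTP/web.example.test@EXAMPLE.TEST"]},
]

_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9;-]*)=(?P<pattern>.*)\)$")


def escape_filter_value(value):
    """RFC 4515 escaping: caller-supplied text can never add wildcards or parens."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def make_filter(attr, value, exact=True):
    """(attr=value) for exact=True, (attr=*value*) for exact=False."""
    escaped = escape_filter_value(value)
    return "(%s=%s)" % (attr, escaped if exact else "*%s*" % escaped)


def _segments(pattern):
    """Split an escaped assertion value into literal pieces between '*' wildcards."""
    segs, cur, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            segs.append("".join(cur))
            cur = []
        elif ch == "\\":  # \xx hex escape -> literal character
            cur.append(chr(int(pattern[i + 1:i + 3], 16)))
            i += 2
        else:
            cur.append(ch)
        i += 1
    segs.append("".join(cur))
    return segs


def _value_matches(value, segs):
    """Evaluate an equality (one segment) or substring (several) assertion."""
    if len(segs) == 1:
        return value == segs[0]
    if not (value.startswith(segs[0]) and value.endswith(segs[-1])):
        return False
    pos, end = len(segs[0]), len(value) - len(segs[-1])
    for seg in segs[1:-1]:  # middle pieces must appear in order, between the ends
        idx = value.find(seg, pos, end)
        if idx < 0:
            return False
        pos = idx + len(seg)
    return pos <= end


def search(entries, flt):
    """Return DNs of entries having a value of attr that matches (attr=pattern)."""
    m = _FILTER_RE.match(flt)
    if not m:
        raise ValueError("unsupported filter: %s" % flt)
    attr, segs = m.group("attr"), _segments(m.group("pattern"))
    return [e["dn"] for e in entries
            if any(_value_matches(v, segs) for v in e.get(attr, []))]


def principal_for_owner(owner_type, pkey, realm):
    """Rebuild the principal from the primary key as the comment describes:
    pkey@REALM for users, host/pkey@REALM for hosts; a service key already
    is a principal."""
    if owner_type == "user":
        return "%s@%s" % (pkey, realm)
    if owner_type == "host":
        return "host/%s@%s" % (pkey, realm)
    if owner_type == "service":
        return pkey
    raise ValueError("unknown owner type: %s" % owner_type)


def find_owner_entries(entries, owner_type, pkey, realm, exact=True):
    """exact=False: substring search on the bare key (over-matches);
    exact=True: equality match on the reconstructed principal."""
    if exact:
        flt = make_filter("krbPrincipalName", principal_for_owner(owner_type, pkey, realm))
    else:
        flt = make_filter("krbPrincipalName", pkey, exact=False)
    return search(entries, flt)


if __name__ == "__main__":
    for exact in (False, True):
        hits = find_owner_entries(SAMPLE_ENTRIES, "user", "tuser", REALM, exact=exact)
        print("exact=%s -> %s" % (exact, hits))
```

The escaping step is there because the owner key comes from the caller of cert-find; without it a key containing `*` or `)` would change the shape of the filter rather than being looked up literally.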


[Freeipa-devel] [freeipa PR#817][+pushed] [py3] Change ConfigParser to RawConfigParser

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/817
Title: #817: [py3] Change ConfigParser to RawConfigParser

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#817][closed] [py3] Change ConfigParser to RawConfigParser

2017-05-26 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/817
Author: stlaz
 Title: #817: [py3] Change ConfigParser to RawConfigParser
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/817/head:pr817
git checkout pr817
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#817][comment] [py3] Change ConfigParser to RawConfigParser

2017-05-26 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/817
Title: #817: [py3] Change ConfigParser to RawConfigParser

martbab commented:
"""
master:

* 35675ca2bbe9c044f115764a2daac45f7468be00 Change ConfigParser to 
RawConfigParser


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/817#issuecomment-304306864
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks

2017-05-29 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks

martbab commented:
"""
@pvoborni it shouldn't but given how our framework sometimes (mis)-behaves the 
possibility is there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/821#issuecomment-304643335
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#821][synchronized] fix incorrect suffix handling in topology checks

2017-05-30 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
 Title: #821: fix incorrect suffix handling in topology checks
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
From 25bb509404d8111fd761ec3074e558a725c7dadd Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 26 May 2017 12:23:51 +0200
Subject: [PATCH] fix incorrect suffix handling in topology checks

When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
the value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling code attribute, the code that tries to
retrieve the value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965
---
 ipaserver/topology.py | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/topology.py b/ipaserver/topology.py
index 385da29a66..2b6b083547 100644
--- a/ipaserver/topology.py
+++ b/ipaserver/topology.py
@@ -72,12 +72,15 @@ def get_topology_connection_errors(graph):
 
 def map_masters_to_suffixes(masters):
 masters_to_suffix = {}
+managed_suffix_attr = 'iparepltopomanagedsuffix_topologysuffix'
 
 for master in masters:
-try:
-managed_suffixes = master.get(
-'iparepltopomanagedsuffix_topologysuffix')
-except KeyError:
+if managed_suffix_attr not in master:
+continue
+
+managed_suffixes = master[managed_suffix_attr]
+
+if managed_suffixes is None:
 continue
 
 for suffix_name in managed_suffixes:
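Review bot: the two new guards (`if managed_suffix_attr not in master` and `if managed_suffixes is None`) can be collapsed into a single lookup, `managed_suffixes = master.get(managed_suffix_attr) or []`, which also covers an empty value and keeps the loop body flat; the removed `try/except KeyError` never fired because a `.get()` lookup does not raise, so a one-line comment explaining why the `None` case exists (partially removed master entries, per the commit message) would help the next reader. The commit message body also repeats its first paragraph inside the second ("...calling cod attribute, the code that tries to retrieve tha value...") and should be cleaned up before push.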
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#797][+ack] ipa-replica-conncheck: handle ssh not installed

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#797][closed] ipa-replica-conncheck: handle ssh not installed

2017-05-30 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/797
Author: flo-renaud
 Title: #797: ipa-replica-conncheck: handle ssh not installed
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/797/head:pr797
git checkout pr797
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#797][+pushed] ipa-replica-conncheck: handle ssh not installed

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#797][comment] ipa-replica-conncheck: handle ssh not installed

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/797
Title: #797: ipa-replica-conncheck: handle ssh not installed

martbab commented:
"""
ipa-4-5:

* bacccb70a2e91efa22ee19aec9cca75bac94bd95 ipa-replica-conncheck: handle ssh 
not installed


master:

* f960450820c13284b52b4c5f420f0f1191a45619 ipa-replica-conncheck: handle ssh 
not installed


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/797#issuecomment-304832646
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#801][+ack] httpinstance: wait until the service entry is replicated

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#801][comment] httpinstance: wait until the service entry is replicated

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated

martbab commented:
"""
master:

* ab71cd5a1693c221950bdfa9ffdfb99b9c317004 httpinstance: wait until the service 
entry is replicated


ipa-4-5:

* 9871bc08f8b8f51e2a05c4dfa18d844f9c141b8d httpinstance: wait until the service 
entry is replicated


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/801#issuecomment-304843404
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#801][closed] httpinstance: wait until the service entry is replicated

2017-05-30 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/801
Author: HonzaCholasta
 Title: #801: httpinstance: wait until the service entry is replicated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/801/head:pr801
git checkout pr801
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#801][+pushed] httpinstance: wait until the service entry is replicated

2017-05-30 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/801
Title: #801: httpinstance: wait until the service entry is replicated

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#830][+pushed] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#830][comment] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/830
Title: #830: custodia dep: require explictly python2 version

martbab commented:
"""
master:

* a90a113b66fca620b04635442b135a5136ece7ba custodia dep: require explictly 
python2 version


ipa-4-5:

* 444107a00bf995aca62aba74ea02b52e577ab791 custodia dep: require explictly 
python2 version


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/830#issuecomment-305122168
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#830][closed] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/830
Author: MartinBasti
 Title: #830: custodia dep: require explictly python2 version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/830/head:pr830
git checkout pr830
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#831][closed] [4.4] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/831
Author: MartinBasti
 Title: #831: [4.4] custodia dep: require explictly python2 version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/831/head:pr831
git checkout pr831
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#831][comment] [4.4] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/831
Title: #831: [4.4] custodia dep: require explictly python2 version

martbab commented:
"""
ipa-4-4:

* a1276d550a1a5f28e1214ceb53cbe460428baef1 custodia dep: require explictly 
python2 version


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/831#issuecomment-305122558
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#831][+pushed] [4.4] custodia dep: require explictly python2 version

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/831
Title: #831: [4.4] custodia dep: require explictly python2 version

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/832
Title: #832: Add remote_plugins subdirectories to RPM

martbab commented:
"""
ipa-4-5:

* 359e3f261705976229bace2d0a22546670181603 Add remote_plugins subdirectories to 
RPM


master:

* 71adc8cd3ff6d6e54f332e94bfda3ed59396de90 Add remote_plugins subdirectories to 
RPM


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/832#issuecomment-305123104
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#832][comment] Add remote_plugins subdirectories to RPM

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/832
Title: #832: Add remote_plugins subdirectories to RPM

martbab commented:
"""
@MartinBasti please make a separate PR for ipa-4-4 branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/832#issuecomment-305122966
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#832][+pushed] Add remote_plugins subdirectories to RPM

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/832
Title: #832: Add remote_plugins subdirectories to RPM

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#832][closed] Add remote_plugins subdirectories to RPM

2017-05-31 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/832
Author: MartinBasti
 Title: #832: Add remote_plugins subdirectories to RPM
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/832/head:pr832
git checkout pr832
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#835][+ack] kdc.key should not be visible to all

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/835
Title: #835: kdc.key should not be visible to all

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#835][comment] kdc.key should not be visible to all

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/835
Title: #835: kdc.key should not be visible to all

martbab commented:
"""
master:

* 3b6892783ee6ed6dac9c4f328cc89ae030ce10a7 kdc.key should not be visible to all


ipa-4-5:

* 37be8e9ac3b46d6d31199227216b5a5a8d5d5614 kdc.key should not be visible to all


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/835#issuecomment-305239546
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#835][closed] kdc.key should not be visible to all

2017-05-31 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/835
Author: stlaz
 Title: #835: kdc.key should not be visible to all
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/835/head:pr835
git checkout pr835
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#835][+pushed] kdc.key should not be visible to all

2017-05-31 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/835
Title: #835: kdc.key should not be visible to all

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check

2017-06-02 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

martbab commented:
"""
How did we resolve the issue of tracking nssocsp status in sysupgrade state? 
Shouldn't we record this so that we know it was disabled by our 
installer/upgrader?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/847#issuecomment-305804717
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#851][+pushed] ipa-kdb: add pkinit authentication indicator in case of a successful certauth

2017-06-05 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/851
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a 
successful certauth

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#851][comment] ipa-kdb: add pkinit authentication indicator in case of a successful certauth

2017-06-05 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/851
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a 
successful certauth

martbab commented:
"""
master:

* e8a7e2e38ad7cea2964305247430e964d2b785b1 ipa-kdb: add pkinit authentication 
indicator in case of a successful certauth


ipa-4-5:

* ca02cea8dfd63290e4821833fc2ac7d457290e9f ipa-kdb: add pkinit authentication 
indicator in case of a successful certauth


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/851#issuecomment-306237025
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#851][closed] ipa-kdb: add pkinit authentication indicator in case of a successful certauth

2017-06-05 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
 Title: #851: ipa-kdb: add pkinit authentication indicator in case of a 
successful certauth
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/851/head:pr851
git checkout pr851
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#821][+pushed] fix incorrect suffix handling in topology checks

2017-06-05 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#821][comment] fix incorrect suffix handling in topology checks

2017-06-05 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/821
Title: #821: fix incorrect suffix handling in topology checks

martbab commented:
"""
ipa-4-5:

* d651a9877d0e2f9dd1b057630508b488678bb86e fix incorrect suffix handling in 
topology checks


master:

* 8ef4888af77f8e6fd8324297d26287b575b18163 fix incorrect suffix handling in 
topology checks


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/821#issuecomment-306237609
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#821][closed] fix incorrect suffix handling in topology checks

2017-06-05 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/821
Author: martbab
 Title: #821: fix incorrect suffix handling in topology checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/821/head:pr821
git checkout pr821
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#852][+ack] pkinit manage: introduce ipa-pkinit-manage

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#852][comment] pkinit manage: introduce ipa-pkinit-manage

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage

martbab commented:
"""
ipa-4-5:

* 1b62e5aac9d9668604e82879c020bff310fa549f server certinstall: update KDC 
master entry
* c072135340bc8e75f621e2b9163b1347b9eb528f pkinit manage: introduce 
ipa-pkinit-manage
* cb9353d6e0fbc0912dd20bf29e3835a7740d1af6 server upgrade: do not enable PKINIT 
by default


master:

* e131905f3e0fe9179c5f4a09da4e7a204012603a server certinstall: update KDC 
master entry
* 92276c1e8809f3ff6b59bd6124869f816627bac7 pkinit manage: introduce 
ipa-pkinit-manage
* 0772ef20b39b11950fddc913a350534988294c89 server upgrade: do not enable PKINIT 
by default


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/852#issuecomment-306458799
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#852][+pushed] pkinit manage: introduce ipa-pkinit-manage

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/852
Title: #852: pkinit manage: introduce ipa-pkinit-manage

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#852][closed] pkinit manage: introduce ipa-pkinit-manage

2017-06-06 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/852
Author: HonzaCholasta
 Title: #852: pkinit manage: introduce ipa-pkinit-manage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/852/head:pr852
git checkout pr852
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#847][+ack] Turn off OCSP check

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

Label: +ack
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#847][+pushed] Turn off OCSP check

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

Label: +pushed
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#847][comment] Turn off OCSP check

2017-06-06 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/847
Title: #847: Turn off OCSP check

martbab commented:
"""
ipa-4-5:

* 51b361f475b3e25ace982873beb05cafcba95808 Turn off OCSP check


master:

* 566361e63d4a670460df3dbb28b9d19f38eaea2d Turn off OCSP check


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/847#issuecomment-306459491
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#847][closed] Turn off OCSP check

2017-06-06 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/847
Author: pvomacka
 Title: #847: Turn off OCSP check
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/847/head:pr847
git checkout pr847
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#854][opened] RFC: server-side smart card auth advise plugin

2017-06-06 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: RFC: server-side smart card auth advise plugin
Action: opened

PR body:
"""
This advise plugin generates a script which configures all the components
required for successful processing of smart card auth requests on IPA server.

I could split it into sub-advises and call them from the combined advise but
that would require some further refactoring of advise plugin framework. Let me
know if you would prefer this way instead.

https://pagure.io/freeipa/issue/6982
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
From 7761b0c4dd29d07a4431a55da7343f77e6cb0d49 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 5 Jun 2017 16:59:25 +0200
Subject: [PATCH 1/2] Extend the advice printing code by some useful
 abstractions

The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/base.py | 34 --
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 40dabd0426..72ac7b092f 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -94,8 +94,38 @@ def debug(self, line):
 if self.options.verbose:
 self.comment('DEBUG: ' + line)
 
-def command(self, line):
-self.content.append(line)
+def command(self, line, indent_spaces=0):
+self.content.append(
+'{}{}'.format(self._format_indent(indent_spaces), line))
+
+def _format_indent(self, num_spaces):
+return ' ' * num_spaces
+
+def echo_error(self, error_message, indent_spaces=0):
+self.command(
+'{}echo "{}" >&2'.format(
+self._format_indent(indent_spaces), error_message))
+
+def exit_on_failed_command(self, command_to_run,
+   error_message_lines, indent_spaces=0):
+self.command(command_to_run, indent_spaces=indent_spaces)
+self.exit_on_predicate(
+'"$?" -ne "0"', error_message_lines, indent_spaces=indent_spaces)
+
+def exit_on_predicate(self, predicate, error_message_lines,
+  indent_spaces=0):
+if_command = 'if [ {} ]'.format(predicate)
+self.command(if_command, indent_spaces=indent_spaces)
+self.command('then', indent_spaces=indent_spaces)
+
+indented_block_spaces = indent_spaces + 2
+
+for error_message_line in error_message_lines:
+self.echo_error(
+error_message_line, indent_spaces=indented_block_spaces)
+
+self.command('exit 1', indent_spaces=indented_block_spaces)
+self.command('fi', indent_spaces=indent_spaces)
 
 
 class Advice(Plugin):
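Review bot: `echo_error` drops `error_message` into a double-quoted shell word without escaping, so a message containing `"`, `$` or a backtick will either break the generated script or be expanded by the shell when an administrator runs it as root; quote the message before emitting `echo "..." >&2` (for instance with `pipes.quote` on Python 2 / `shlex.quote` on Python 3, or by escaping `\`, `"` and `$`). Minor: `echo_error` builds the indent itself and then calls `self.command(...)` with the default `indent_spaces=0`, whereas `exit_on_failed_command` passes `indent_spaces=indent_spaces` through; using the latter form in `echo_error` too keeps indentation on one code path.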

From 63c3389d2ba7a819b5ffe5e235ebaf2edc59e19b Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 2 Jun 2017 18:36:29 +0200
Subject: [PATCH 2/2] Prepare an advise plugin for server-side smart card auth
 configuration

The plugin will contain topics for configuring Smart Card authentication
on FreeIPA server.

https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/plugins/smart_card_auth.py | 147 
 1 file changed, 147 insertions(+)
 create mode 100644 ipaserver/advise/plugins/smart_card_auth.py

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
new file mode 100644
index 00..7e388a75b7
--- /dev/null
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -0,0 +1,147 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib.plugable import Registry
+from ipaplatform.paths import paths
+from ipaserver.advise.base import Advice
+from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
+
+register = Registry()
+
+
+@register()
+class config_server_for_smart_card_auth(Advice):
+"""
+Configures smart card authentication via Kerberos (PKINIT) and for WebUI
+"""
+
+description = ("Instructions for enabling Smart Card authentication on "
+   "FreeIPA server. Includes Apache configuration, enabling "
+   "PKINIT on KDC and configuring WebUI to accept Smart Card "
+   "auth requests")
+
+nss_conf = paths.HTTPD_NSS_CONF
+nss_ocsp_directive = 'NSSOCSP'
+nss_nickname_directive = 'NSSNickname'
+
+def get_info(self):
+self.check_ccache_not_empty()
+self.check_hostname_is_in_masters()
+self.resolve_ipaca_records()
+self.enable_nss_ocsp()
+self.mark_httpd_cert_as_trusted()
+self.restart_httpd()
+self.record_httpd_ocsp_status()
+self.check_and_enable_pkinit()
+self.enable_ok_to_auth_as_delegate_on_http_principal()
+
+def check_ccache_not_empty(self):
+self.lo
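Review bot: `get_info` goes straight from `check_ccache_not_empty` to steps that rewrite the httpd NSS configuration (`enable_nss_ocsp`, `mark_httpd_cert_as_trusted`) and restart httpd, but nothing emitted first verifies that the generated script is running as root, so a non-root run fails part-way through with whatever error the first privileged command happens to produce. Emit an EUID check as the very first step, e.g. `self.log.exit_on_predicate('"$(id -u)" -ne "0"', ["This script has to be run as root user"])`, before any of the modifying steps.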

[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin

2017-06-07 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin

martbab commented:
"""
Support for non-RPM platforms would require some more additions to the base 
Advice code to handle this systematically, or alternatively we may just test 
for the presence of the required command and fail with instructions to install 
the missing package using platform-specific means.

While we may want to migrate to `mod_ssl` in the future, there will be much 
more work to do regarding switching TLS modules, so the advise can be ported as 
a part of this effort.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-306714152
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
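The comment above proposes testing for the presence of a required command and failing with an install hint instead of assuming an RPM-based platform. The block below is an added example, not FreeIPA's advise code: a stand-alone generator (the names `ShellSnippet`, `exit_on_missing_command` and `build_precheck_script` are this example's own) that emits such an `if ... then ... fi` block, quotes the error text with `shlex.quote` so that `$`, double quotes or backticks in a hint cannot alter the generated script, and then runs the result under `/bin/sh` to show both the passing and the failing path. The tool names used as input are constructed for the demonstration.

```python
"""Emit a shell pre-check that aborts when a required tool is missing.

Added example, not FreeIPA code: ShellSnippet and its methods are this
example's own names, loosely modelled on an if/then/fi emitting helper.
"""
import shlex
import subprocess


class ShellSnippet:
    """Accumulates lines of a POSIX sh script with explicit indentation."""

    def __init__(self):
        self.lines = []

    def command(self, line, indent=0):
        self.lines.append(" " * indent + line)

    def commands_on_condition(self, condition, body, indent=0):
        """Emit `if <condition>` / `then` / body / `fi`, body indented by 2."""
        self.command("if {}".format(condition), indent)
        self.command("then", indent)
        for line in body:
            self.command(line, indent + 2)
        self.command("fi", indent)

    def exit_on_condition(self, condition, messages, indent=0):
        # shlex.quote() turns each message into a single-quoted literal, so
        # `$PATH`, double quotes or backticks in it are printed, not expanded.
        body = ["echo {} >&2".format(shlex.quote(m)) for m in messages]
        body.append("exit 1")
        self.commands_on_condition(condition, body, indent)

    def exit_on_missing_command(self, name, install_hint, indent=0):
        # `command -v` is POSIX and succeeds only if `name` resolves to an
        # executable or builtin; `!` makes the if-branch the failure path.
        condition = "! command -v {} >/dev/null 2>&1".format(shlex.quote(name))
        self.exit_on_condition(
            condition,
            ["{} is required but not installed".format(name), install_hint],
            indent,
        )

    def render(self):
        return "\n".join(self.lines) + "\n"


def build_precheck_script(required_commands):
    """Script checking every tool in `required_commands` ({name: hint})."""
    snippet = ShellSnippet()
    snippet.command("#!/bin/sh")
    for name, hint in required_commands.items():
        snippet.exit_on_missing_command(name, hint)
    snippet.command('echo "all required tools present"')
    return snippet.render()


def run_script(script):
    """Run the generated text under /bin/sh; return (exit status, stderr)."""
    proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True)
    return proc.returncode, proc.stderr


if __name__ == "__main__":
    # Constructed inputs: "sh" is always present, the second name is not.
    print(run_script(build_precheck_script({"sh": "install a POSIX shell"})))
    failing = build_precheck_script({
        "no-such-tool-xyz": 'install it with your package manager ("$PATH" was searched)'})
    print(failing)
    print(run_script(failing))
```

`command -v` rather than `which` keeps the generated snippet portable across the platforms the comment worries about, and because every hint goes through `shlex.quote`, the platform-specific install instruction can contain shell metacharacters without further care from the advise author.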


[Freeipa-devel] [freeipa PR#854][comment] RFC: server-side smart card auth advise plugin

2017-06-07 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: RFC: server-side smart card auth advise plugin

martbab commented:
"""
@flo thanks for your input, I will rework the PR tomorrow.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-306811993


[Freeipa-devel] [freeipa PR#854][edited] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: server-side and client-side advises for configuring smart card auth
Action: edited

 Changed field: title
Original value:
"""
RFC: server-side smart card auth advise plugin
"""



[Freeipa-devel] [freeipa PR#854][synchronized] RFC: server-side smart card auth advise plugin

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: RFC: server-side smart card auth advise plugin
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/854/head:pr854
git checkout pr854
From 70298a7285cb84d28172a059dfe23917c074e4c2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 5 Jun 2017 16:59:25 +0200
Subject: [PATCH 1/3] Extend the advice printing code by some useful
 abstractions

The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/base.py | 53 ++--
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
index 40dabd0426..7b23adc115 100644
--- a/ipaserver/advise/base.py
+++ b/ipaserver/advise/base.py
@@ -94,8 +94,57 @@ def debug(self, line):
 if self.options.verbose:
 self.comment('DEBUG: ' + line)
 
-def command(self, line):
-self.content.append(line)
+def command(self, line, indent_spaces=0):
+self.content.append(
+'{}{}'.format(self._format_indent(indent_spaces), line))
+
+def _format_indent(self, num_spaces):
+return ' ' * num_spaces
+
+def echo_error(self, error_message, indent_spaces=0):
+self.command(
+self._format_error(error_message, indent_spaces=indent_spaces))
+
+def _format_error(self, error_message, indent_spaces=0):
+return '{}echo "{}" >&2'.format(
+self._format_indent(indent_spaces), error_message)
+
+def exit_on_failed_command(self, command_to_run,
+   error_message_lines, indent_spaces=0):
+self.command(command_to_run, indent_spaces=indent_spaces)
+self.exit_on_predicate(
+'"$?" -ne "0"', error_message_lines, indent_spaces=indent_spaces)
+
+def exit_on_nonroot_euid(self):
+self.exit_on_predicate(
+'"$(id -u)" -ne "0"',
+["This script has to be run as root user"]
+)
+
+def exit_on_predicate(self, predicate, error_message_lines,
+  indent_spaces=0):
+commands_to_run = [
+self._format_error(error_message_line, indent_spaces=indent_spaces)
+for error_message_line in error_message_lines]
+
+commands_to_run.append('exit 1')
+self.commands_on_predicate(
+predicate,
+commands_to_run,
+indent_spaces=indent_spaces)
+
+def commands_on_predicate(self, predicate, commands_to_run,
+  indent_spaces=0):
+if_command = 'if [ {} ]'.format(predicate)
+self.command(if_command, indent_spaces=indent_spaces)
+self.command('then', indent_spaces=indent_spaces)
+
+indented_block_spaces = indent_spaces + 2
+
+for command_to_run in commands_to_run:
+self.command(command_to_run, indent_spaces=indented_block_spaces)
+
+self.command('fi', indent_spaces=indent_spaces)
 
 
 class Advice(Plugin):
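Review bot: in `exit_on_predicate` the error lines are indented twice. `self._format_error(error_message_line, indent_spaces=indent_spaces)` already prefixes `indent_spaces` spaces, and `commands_on_predicate` then passes each line through `self.command(command_to_run, indent_spaces=indented_block_spaces)`, which prefixes `indent_spaces + 2` more; the `exit 1` appended afterwards gets only `indent_spaces + 2`, so for any non-zero `indent_spaces` the `echo` lines and the `exit 1` inside the same `then` block land at different depths. Build the list with `self._format_error(error_message_line)` (indent 0) and let `commands_on_predicate` apply the block indent, or drop the `indent_spaces` parameter from `_format_error` entirely and have `echo_error` pass it to `self.command()` instead. Separately, `'{}echo "{}" >&2'` interpolates the message into double quotes unescaped, so a message containing `"`, `$` or a backtick changes the meaning of the generated line; single-quoting the message (escaping embedded single quotes) is the safer default.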

From 6de3a19dd2fe43909b5b38bd4688da3eed339e4e Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 2 Jun 2017 18:36:29 +0200
Subject: [PATCH 2/3] Prepare an advise plugin for server-side smart card auth
 configuration

The plugin will contain topics for configuring Smart Card authentication
on FreeIPA server.

https://pagure.io/freeipa/issue/6982
---
 ipaserver/advise/plugins/smart_card_auth.py | 166 
 1 file changed, 166 insertions(+)
 create mode 100644 ipaserver/advise/plugins/smart_card_auth.py

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
new file mode 100644
index 00..55fe996d7e
--- /dev/null
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -0,0 +1,166 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib.plugable import Registry
+from ipaplatform.paths import paths
+from ipaserver.advise.base import Advice
+from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
+
+register = Registry()
+
+
+@register()
+class config_server_for_smart_card_auth(Advice):
+"""
+Configures smart card authentication via Kerberos (PKINIT) and for WebUI
+"""
+
+description = ("Instructions for enabling Smart Card authentication on "
+   " a single FreeIPA server. Includes Apache configuration, "
+   "enabling PKINIT on KDC and configuring WebUI to accept "
+   "Smart Card auth requests. To enable the feature in the "
+   "whole topology you have to run the script on each master")
+
+nss_conf = paths.HTTPD_NSS_CONF
+nss_ocsp_directive = 'NSSOCSP'
+nss_nickname_directive = 'NSSNickname'
+
+def get_info(self):
+self.log.exit_
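Review bot: the implicit string concatenation in `description` produces a doubled space: `"... Smart Card authentication on "` followed by `" a single FreeIPA server. ..."` renders as `on  a single`; drop the leading space of the second fragment. While here, `nss_conf = paths.HTTPD_NSS_CONF` and the `NSS_OCSP_ENABLED` import tie this plugin to httpd running mod_nss, which the thread says is deliberate until a mod_ssl port happens; a one-line comment next to `nss_conf` saying so would save the next reader a trip to the mailing list.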

[Freeipa-devel] [freeipa PR#854][edited] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/854
Author: martbab
 Title: #854: server-side and client-side advises for configuring smart card auth
Action: edited

 Changed field: body
Original value:
"""
This advise plugin generates a script which configures all the components
required for successful processing of smart card auth requests on IPA server.

I could split it into sub-advises and call them from the combined advise but
that would require some further refactoring of advise plugin framework. Let me
know if you would prefer this way instead.

https://pagure.io/freeipa/issue/6982
"""



[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo @abbra I have rebased the PR and also included a recipe for client 
configuration for the sake of completeness.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307326811


[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@abbra thanks for the review. Is `pam_pkcs11` removal necessary for the client? Also, 
what option does the recipe need to pass to `authconfig` to properly configure 
smart card auth? Isn't it enough to configure SSSD?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307352108


[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
That section[1] only instructs you to configure `pam_cert_auth=true` in the SSSD 
`pam` section, which is already done on both server and client, see the 
`enable_pam_auth_in_sssd` method. Am I missing something?

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/idm-smart-cards.html
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447
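The comment above points at `pam_cert_auth=true` in SSSD's `[pam]` section as the one SSSD-side change the documentation asks for. As an added example (not FreeIPA's own code, which goes through its SSSDConfig wrapper and preserves comments, unlike `configparser`), the block below applies that setting idempotently to a constructed `sssd.conf`, creates the `[pam]` section if it is absent, and also makes sure the `pam` responder is listed in `[sssd] services`, since the option is read by that responder. The domain name, server name and the sample file are made up for the demonstration.

```python
"""Turn on certificate/smart card authentication in an sssd.conf.

Added example, not FreeIPA's code. configparser drops comments, so a real
deployment would use SSSD's own config API; the sample below is constructed.
"""
import configparser
import io

# Constructed sample; the domain and server names are fictitious.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, ssh, sudo
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa.example.test
cache_credentials = True

[nss]
homedir_substring = /home
"""


def _parse(text):
    # interpolation=None: sssd values may legitimately contain '%'
    # (krb5 ccache templates); optionxform=str keeps option names as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def enable_pam_cert_auth(conf_text):
    """Return conf_text with [pam] pam_cert_auth = True (idempotent).

    Also appends 'pam' to [sssd] services when it is missing: the option is
    honoured by the pam responder, so that responder has to be enabled.
    """
    cp = _parse(conf_text)
    if not cp.has_section("pam"):
        cp.add_section("pam")
    cp.set("pam", "pam_cert_auth", "True")

    if cp.has_option("sssd", "services"):
        services = [s.strip() for s in cp.get("sssd", "services").split(",")
                    if s.strip()]
        if "pam" not in services:
            services.append("pam")
            cp.set("sssd", "services", ", ".join(services))

    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def pam_cert_auth_enabled(conf_text):
    """The check an advise script would run before and after editing."""
    cp = _parse(conf_text)
    return cp.getboolean("pam", "pam_cert_auth", fallback=False)


def pam_responder_listed(conf_text):
    cp = _parse(conf_text)
    services = cp.get("sssd", "services", fallback="")
    return "pam" in [s.strip() for s in services.split(",")]


if __name__ == "__main__":
    updated = enable_pam_cert_auth(SAMPLE_SSSD_CONF)
    print(updated)
    print(pam_cert_auth_enabled(SAMPLE_SSSD_CONF), pam_cert_auth_enabled(updated))
```

Running the edit twice yields byte-identical output, which is the property a generated configuration script needs so that re-running it on an already configured host is harmless.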


[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499


[Freeipa-devel] [freeipa PR#838][+pushed] Explicitly ask for py2 dependencies in py2 packages

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/838
Title: #838: Explicitly ask for py2 dependencies in py2 packages

Label: +pushed


[Freeipa-devel] [freeipa PR#838][comment] Explicitly ask for py2 dependencies in py2 packages

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/838
Title: #838: Explicitly ask for py2 dependencies in py2 packages

martbab commented:
"""
master:

* a2147de6e2eb217163d6f106d3220c7b1e7570b5 Explicitly ask for py2 dependencies in py2 packages


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/838#issuecomment-307405964


[Freeipa-devel] [freeipa PR#838][closed] Explicitly ask for py2 dependencies in py2 packages

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/838
Author: MartinBasti
 Title: #838: Explicitly ask for py2 dependencies in py2 packages
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/838/head:pr838
git checkout pr838


[Freeipa-devel] [freeipa PR#840][+pushed] Add Role 'Enrollment Administrator'

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'

Label: +pushed


[Freeipa-devel] [freeipa PR#840][comment] Add Role 'Enrollment Administrator'

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/840
Title: #840: Add Role 'Enrollment Administrator'

martbab commented:
"""
master:

* 468eb3c712140399ed2ec346ff4356bffd590e09 Add Role 'Enrollment Administrator'


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/840#issuecomment-307407213


[Freeipa-devel] [freeipa PR#840][closed] Add Role 'Enrollment Administrator'

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/840
Author: Tiboris
 Title: #840: Add Role 'Enrollment Administrator'
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/840/head:pr840
git checkout pr840


[Freeipa-devel] [freeipa PR#849][comment] session_storage: Correctly handle string/byte types

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types

martbab commented:
"""
master:

* d665224a85610cccbe7d291e9ed41d2ce7e5b61c session_storage: Correctly handle string/byte types


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/849#issuecomment-307413021


[Freeipa-devel] [freeipa PR#849][closed] session_storage: Correctly handle string/byte types

2017-06-09 Thread martbab via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/849
Author: stlaz
 Title: #849: session_storage: Correctly handle string/byte types
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/849/head:pr849
git checkout pr849


[Freeipa-devel] [freeipa PR#849][+pushed] session_storage: Correctly handle string/byte types

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/849
Title: #849: session_storage: Correctly handle string/byte types

Label: +pushed


[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
@flo regarding enabling Smart Card login (add PKCS#11 module, configure SSSD 
and such), do we really need to set this up on the server? I do not expect 
somebody logging in directly to the machine hosting a FreeIPA server using a 
smart card reader.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307424330


[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth

2017-06-09 Thread martbab via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
Also I get the following error when running authconfig:

```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. 
Authentication process might not work correctly.
```

It is understandable, since I have removed the pam_pkcs11 package as per the 
documentation, but it still puzzles me.

It may be that I have an old version of authconfig, as I am developing this on 
F25 where I have authconfig-6.2.10-14.fc25.x86_64.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676

