Re: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10

2016-01-26 Thread Martin Babinsky

On 01/25/2016 08:56 AM, Alexander Bokovoy wrote:

On Mon, 25 Jan 2016, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that this is a 4.2-specific fix.

Honza

--
Jan Cholasta



From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 25 Jan 2016 08:48:42 +0100
Subject: [PATCH] CA install: explicitly set dogtag_version to 10

When installing new CA master, explicitly set the dogtag_version option to
10 in api.bootstrap() to prevent failures in code which expects the value
to be 10 rather than the default value of 9.

https://fedorahosted.org/freeipa/ticket/5611
---
install/tools/ipa-ca-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d..e8ccaef 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -162,7 +162,7 @@ def install_master(safe_options, options):

# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
-api.bootstrap(in_server=True, ra_plugin='dogtag')
+api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10)
api.finalize()

dm_password = options.password
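
Review bot: The comment above the api.bootstrap() call still describes only the ra_plugin override, while the call now also forces dogtag_version=10. Extend the comment to say that dogtag_version is overridden too and why (per the commit message, the default is 9 and later code expects 10), so the hard-coded 10 is not mistaken for a leftover.
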
--

ACK.



Not so fast, I have this patch applied on top of ipa-4-2 and it does not 
fix the crash described in the ticket.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 543] CA install: explicitly set dogtag_version to 10

2016-01-26 Thread Martin Babinsky

On 01/26/2016 10:14 AM, Martin Babinsky wrote:

On 01/25/2016 08:56 AM, Alexander Bokovoy wrote:

On Mon, 25 Jan 2016, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Note that this is a 4.2-specific fix.

Honza

--
Jan Cholasta



From c2a0684c64538166809883a235bd131518b6e78f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 25 Jan 2016 08:48:42 +0100
Subject: [PATCH] CA install: explicitly set dogtag_version to 10

When installing new CA master, explicitly set the dogtag_version option to
10 in api.bootstrap() to prevent failures in code which expects the value
to be 10 rather than the default value of 9.

https://fedorahosted.org/freeipa/ticket/5611
---
install/tools/ipa-ca-install | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d..e8ccaef 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -162,7 +162,7 @@ def install_master(safe_options, options):

# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
-api.bootstrap(in_server=True, ra_plugin='dogtag')
+api.bootstrap(in_server=True, ra_plugin='dogtag',
dogtag_version=10)
api.finalize()

dm_password = options.password
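
Review bot: Passing dogtag_version=10 to api.bootstrap() only helps code that reads the value from this api object. The session quoted further down in this message shows dogtag.configured_constants() returning Dogtag9Constants when called without an argument and Dogtag10Constants when called as dogtag.configured_constants(api), so please check that the configured_constants() calls reached from install_master() pass api; otherwise the override on the changed line has no effect for them.
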
--

ACK.



Not so fast, I have this patch applied on top of ipa-4-2 and it does not
fix the crash described in the ticket.



See the end of CA install log (http://fpaste.org/314777/14537999/), it 
seems that despite setting dogtag version to 10 in API initialization, 
CA instance still thinks it needs to work with version 9.


It seems that dogtag.configured_constants() function is to blame:

"""
In [4]: from ipalib import api

In [5]: api.bootstrap(dogtag_version=10)

In [6]: api.finalize()

In [7]: dogtag.configured_constants()
Out[7]: ipapython.dogtag.Dogtag9Constants

In [8]: dogtag.configured_constants(api)
Out[8]: ipapython.dogtag.Dogtag10Constants
"""

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master

2016-01-26 Thread Martin Babinsky

https://fedorahosted.org/freeipa/ticket/5636

--
Martin^3 Babinsky
From 93952405192c16a573d8066265523e73318d5844 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 26 Jan 2016 13:02:44 +0100
Subject: [PATCH] fix standalone installation of externally signed CA on IPA
 master

https://fedorahosted.org/freeipa/ticket/5636
---
 ipaserver/install/ca.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 84cbf423246534259cd6b7a8cca25caa16e5594f..d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -46,7 +46,8 @@ def install_check(standalone, replica_config, options):
 return
 
 if standalone:
-if cainstance.is_ca_installed_locally():
+if (not options.external_cert_files and
+cainstance.is_ca_installed_locally()):
 sys.exit("CA is already installed on this host.")
 elif api.Command.ca_is_enabled()['result']:
 sys.exit(
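
Review bot: In the new condition, a set options.external_cert_files makes the first branch false, so control falls through to the elif and the outcome then depends on api.Command.ca_is_enabled()['result']. Please confirm that this is the intended check for the externally signed CA case and add a short comment saying why external_cert_files bypasses the is_ca_installed_locally() guard; the commit message carries only the ticket URL.
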
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 540] cert renewal: import all external CA certs on IPA CA cert renewal

2016-01-26 Thread Martin Babinsky

On 01/25/2016 08:19 AM, Jan Cholasta wrote:

On 22.1.2016 12:28, Jan Cholasta wrote:

On 22.1.2016 10:34, Martin Babinsky wrote:

On 01/21/2016 10:27 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes
.

Honza




ACK


Self-NACK. Doesn't work with external CA install.



Updated patches attached.


ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check

2016-01-26 Thread Jan Cholasta

On 21.1.2016 14:10, Martin Basti wrote:



On 20.01.2016 10:52, Fraser Tweedale wrote:

On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote:

On 01/20/2016 08:45 AM, Fraser Tweedale wrote:

The attached patch removes a workaround introduced as part of
https://fedorahosted.org/freeipa/ticket/4676.

Alternatively, if we want to keep the "workaround" I will submit a
different patch that removes unused code and FIXME comments :)

Cheers,
Fraser

You may also want to check FreeIPA spec file, if there is now no
extra curl
dependency. I would leave it up to Martin Basti, to confirm that the
original
issue cannot appear again. It was a nightmare to troubleshoot, as I
heard :)


Good pickup on the curl dependency; indeed it is no longer needed.
Updated patch attached.

Thank you, patch works for me. However, I'm not sure where the original
error was located, it looked like something in _httplib_request doesn't
work properly with SSL. Your patch uses _httplib_request without TLS so
it should work.

I would like to push this patch only to master, as the issue before
wasn't regularly reproducible, and I will keep eye on it.

Also I will remove the ticket #4676 from description, because ticket has
been closed in 4.1 Milestone.

ACK with keeping eyes on it

Pushed to master: fd7ea2c9395651d5bce41cc603557fea107f65a7


Please don't introduce additional patches to tickets closed in released 
milestones. You should open a new ticket for the additional change so 
that it can be properly triaged and you don't have to guess where it 
should be pushed.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0130] disable RA plugins when promoting a replica from CA-less master

2016-01-26 Thread Jan Cholasta

On 21.1.2016 15:04, Martin Babinsky wrote:

On 01/21/2016 02:51 PM, Jan Cholasta wrote:

On 21.1.2016 14:45, Martin Babinsky wrote:

On 01/21/2016 02:21 PM, Petr Vobornik wrote:

On 01/21/2016 01:53 PM, Martin Babinsky wrote:

this patch ensures that promoted replicas in CA-less topology have
correct settings in their default.conf.

I couldn't find any ticket for this issue, should I file one so that
this patch can land in 4-3 branch?



yes


New ticket here: https://fedorahosted.org/freeipa/ticket/5626

I have also attached the ticket URL to the commit message.


Why so much code for such a simple change? Please keep the style
consistent with the code in install.install() and
replicainstall.install().



It did not occur to me as much code, the logic was equivalent to the
stuff other installers do but bit more concise.

But attaching updated patch in common style anyway.


Thanks, ACK.

Pushed to:
master: 7dae5c09d5a6bf084661511bef4811223da64252
ipa-4-3: b63505ef765768b7cbcfc84983c249269ab8b788

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0407] make lint: migration to config file and pylint plugin due pylint 1.5.2

2016-01-26 Thread Martin Basti



On 20.01.2016 14:38, Jan Cholasta wrote:

Hi,

On 19.1.2016 13:43, Martin Basti wrote:

New pylint version will break our custom make-lint script again,
attached patch migrates make-lint to:
* config file
* pylint plugin
which are supported by pylint and should not have regular compatibility
issues

to test new approach run ./make-lint2

Advantages:
* compatibility with pylint
* works on both pylint-1.4.3-3.fc23.noarch and 
pylint-1.5.2-1.fc24.noarch

* pylint plugin works in different way than the previous custom checker.
Missing ("dynamic") attributes are added to abstract syntax tree instead
of ignoring them and all their sub-members. This makes check better,
pylint can detect more typos in tests configurations, api, env, etc..

Disadvantages:
* any new attribute in api, test config, etc.. must be added to
definition of missing members (pylint plugin) - this should not happen
too often


1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py" and 
"rm -rf pylint_plugins/", no need for this redundant directory structure.


2) Rename pylintrc to freeipa.pylintrc so you have to always specify 
it explicitly with --rcfile.


3) Use the load-plugins directive in freeipa.pylintrc to load the 
plugins rather than --load-plugins.


4) Instead of running pylint twice, run it only once with both normal 
and Python 3 checks enabled:


[MESSAGE CONTROL]
enable=all,python3
disable=...,no-absolute-import




Q:
* make-lint: should it be just bash script or rather python script?


IMO neither, it should be a make target (make lint).


* add dynamic detection of python files to be checked


You can use "find . -type f -executable ! -path \*/.\* ! -name \*.py\* 
-exec grep -lsm1 '^#!.*\bpython' \{\} \;".



* should I keep the current options from original make-lint?


No, but allow pylint options to be overridable (make lint 
PYLINTFLAGS="--disable=python3")



* several false positive errors I haven't been able to fix in plugin
yet, in worst case they can be locally disabled:


Disable them locally.

Honza


Updated patch attached.

Please note that make-lint script has been removed, to execute lint 
check use 'make lint'
From ebb80f64dd1450886de709da014fc86c2a5b159c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 15 Jan 2016 16:58:38 +0100
Subject: [PATCH] make lint: use config file and plugin for pylint

Our custom implementation of pylint checker is often broken by
incompatible change on pylint side. Using supported solutions (config
file, pylint plugins) should avoid this issue.

The plugin adds missing (dynamic) member to classes in abstract syntax
tree generated for pylint, instead of just ignoring missing members and
all sub-members. This should improve pylint detection of typos and
missing members in api. env and test config.

make-lint python script has been removed, to run pylint execute 'make
lint'

https://fedorahosted.org/freeipa/ticket/5615
---
 Makefile                                |  13 +-
 ipalib/plugins/vault.py                 |   4 +-
 ipatests/test_ipapython/test_ipautil.py |   2 +
 make-lint                               | 351 ---
 pylint_plugins.py                       | 209 
 pylintrc                                | 406 
 6 files changed, 629 insertions(+), 356 deletions(-)
 delete mode 100755 make-lint
 create mode 100644 pylint_plugins.py
 create mode 100644 pylintrc

diff --git a/Makefile b/Makefile
index 7b9f95a1d06fdd73f7c1c9f1edb7fb694aaf8579..8eb1305bd23909a6f1d6a0b3f55c7d336af0d4a9 100644
--- a/Makefile
+++ b/Makefile
@@ -53,7 +53,9 @@ LIBDIR ?= /usr/lib
 
 DEVELOPER_MODE ?= 0
 ifneq ($(DEVELOPER_MODE),0)
-LINT_OPTIONS=--no-fail
+LINT_IGNORE_FAIL=true
+else
+LINT_IGNORE_FAIL=false
 endif
 
 PYTHON ?= $(shell rpm -E %__python || echo /usr/bin/python2)
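
Review bot: LINT_IGNORE_FAIL holds the name of a shell command (true or false) rather than an option string, which is not obvious at the point of assignment. Add a one-line comment saying it is meant to be used as the right-hand side of "||" in the lint recipe, and that DEVELOPER_MODE no longer passes --no-fail.
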
@@ -124,8 +126,13 @@ client-dirs:
 	fi
 
 lint: bootstrap-autogen
-	./make-lint $(LINT_OPTIONS)
-	$(MAKE) -C install/po validate-src-strings
+	FILES=`find . \
+		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
+		-name \*.py -print -o \
+		-type f \! -path '*/.*' \! -name '*~' -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
+	echo "Pylint is running, please wait ..."; \
+	PYTHONPATH=. pylint --rcfile=pylintrc $(PYLINTFLAGS) $$FILES || $(LINT_IGNORE_FAIL)
+	$(MAKE) -C install/po validate-src-strings || $(LINT_IGNORE_FAIL)
 
 
 test:
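
Review bot: The "|| $(LINT_IGNORE_FAIL)" appended to the validate-src-strings line changes behaviour beyond the pylint migration: in developer mode a failing string validation is now ignored, whereas the removed line ran it without any such guard. Drop the guard there or state the change in the commit message. In the find expression, "\! -path '*/.*'" is attached only to the last -o branch, so the package-directory and "-name \*.py" branches still pick up files under hidden directories, and $$FILES is expanded unquoted, so a path containing whitespace would be split into several arguments.
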
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 4d8419e75770dc4c8b856560cf6c1613a132f8c0..f67dee3dd34e49d8c23475327afac281741f3aa7 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -1651,7 +1651,7 @@ class vault_archive(PKQuery, Local):
 session_key = slot.key_gen(mechanism, None, key_length)
 
 # wrap session key with transport certificate
-public_key = nss_transport_cert.subject_public_key_info.public_key
+public_key = nss_transport_cert.subject_public_key_info.public_key  # pylint: 

Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Petr Spacek
On 26.1.2016 14:02, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/5634
> 
> Patch attached.

It works for me in API, CLI, and Web UI. The warning is shown as expected.

Interestingly, Web UI behaves strangely when search limit is hit. This needs
more investigation because it happens even without this patch :-)

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Martin Basti



On 26.01.2016 14:55, Petr Spacek wrote:

On 26.1.2016 14:02, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5634

Patch attached.

It works for me in API, CLI, and Web UI. The warning is shown as expected.

Interestingly, Web UI behaves strangely when search limit is hit. This needs
more investigation because it happens even without this patch :-)

I found a different bug there, webUI passes sizelimit: 0 (unlimited), but
this value is not passed to some searches inside BaseldapSearch which
raise error, I will file a ticket and provide details there




Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Gabe Alford
On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti  wrote:

>
>
> On 26.01.2016 14:55, Petr Spacek wrote:
>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>>> https://fedorahosted.org/freeipa/ticket/5634
>>>
>>> Patch attached.
>>>
>> It works for me in API, CLI, and Web UI. The warning is shown as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is hit. This
>> needs
>> more investigation because it happens even without this patch :-)
>>
>> I found a different bug there, webUI passes sizelimit: 0 (unlimited), but
> this value is not passed to some searches inside BaseldapSearch which
> raise error, I will file a ticket and provide details there


Works for me as well. However, it would be nice to have what ipasearchlimit
is limited to in the error message as well. So something like:

"Search result has been truncated, the current search limit is set to 10.
Please increase the search limit."

Does this also address https://fedorahosted.org/freeipa/ticket/4022?

Gabe

Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Martin Basti



On 26.01.2016 15:00, Gabe Alford wrote:
On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:




On 26.01.2016 14:55, Petr Spacek wrote:

On 26.1.2016 14:02, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5634

Patch attached.

It works for me in API, CLI, and Web UI. The warning is shown
as expected.

Interestingly, Web UI behaves strangely when search limit is
hit. This needs
more investigation because it happens even without this patch :-)

I found a different bug there, webUI passes sizelimit: 0
(unlimited), but this value is not passed to some searches inside
BaseldapSearch which raise error, I will file a ticket and provide
details there


Works for me as well. However, it would be nice to have what 
ipasearchlimit is limited to in the error message as well. So 
something like:

thanks for testing.



"Search result has been truncated, the current search limit is set to 
10. Please increase the search limit."
Well this is not so easy to achieve in framework, I prefer not to add 
number there, it requires bigger change in framework or an extra ldap 
search.


Does this also address https://fedorahosted.org/freeipa/ticket/4022?

It should.

Gabe



Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Petr Spacek
On 26.1.2016 15:06, Martin Basti wrote:
> 
> 
> On 26.01.2016 15:00, Gabe Alford wrote:
>> On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:
>>
>>
>>
>> On 26.01.2016 14:55, Petr Spacek wrote:
>>
>> On 26.1.2016 14:02, Martin Basti wrote:
>>
>> https://fedorahosted.org/freeipa/ticket/5634
>>
>> Patch attached.
>>
>> It works for me in API, CLI, and Web UI. The warning is shown
>> as expected.
>>
>> Interestingly, Web UI behaves strangely when search limit is
>> hit. This needs
>> more investigation because it happens even without this patch :-)
>>
>> I found a different bug there, webUI passes sizelimit: 0
>> (unlimited), but this value is not passed to some searches inside
>> BaseldapSearch which raise error, I will file a ticket and provide
>> details there
>>
>>
>> Works for me as well. However, it would be nice to have what ipasearchlimit
>> is limited to in the error message as well. So something like:
> thanks for testing.
> 
>>
>> "Search result has been truncated, the current search limit is set to 10.
>> Please increase the search limit."
> Well this is not so easy to achieve in framework, I prefer not to add number
> there, it requires bigger change in framework or an extra ldap search.
>>
>> Does this also address https://fedorahosted.org/freeipa/ticket/4022?
> It should.

Maybe we can use some generic phrase like:
"Search result has been truncated to configured search limit."
and avoid advice like 'increase search limit' which may not be possible to do,
e.g. because user does not have permission to do that etc.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Martin Basti



On 26.01.2016 15:17, Petr Spacek wrote:

On 26.1.2016 15:06, Martin Basti wrote:


On 26.01.2016 15:00, Gabe Alford wrote:

On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:



 On 26.01.2016 14:55, Petr Spacek wrote:

 On 26.1.2016 14:02, Martin Basti wrote:

 https://fedorahosted.org/freeipa/ticket/5634

 Patch attached.

 It works for me in API, CLI, and Web UI. The warning is shown
 as expected.

 Interestingly, Web UI behaves strangely when search limit is
 hit. This needs
 more investigation because it happens even without this patch :-)

 I found a different bug there, webUI passes sizelimit: 0
 (unlimited), but this value is not passed to some searches inside
 BaseldapSearch which raise error, I will file a ticket and provide
 details there


Works for me as well. However, it would be nice to have what ipasearchlimit
is limited to in the error message as well. So something like:

thanks for testing.


"Search result has been truncated, the current search limit is set to 10.
Please increase the search limit."

Well this is not so easy to achieve in framework, I prefer not to add number
there, it requires bigger change in framework or an extra ldap search.

Does this also address https://fedorahosted.org/freeipa/ticket/4022?

It should.

Maybe we can use some generic phrase like:
"Search result has been truncated to configured search limit."
and avoid advice like 'increase search limit' which may not be possible to do,
e.g. because user does not have permission to do that etc.


Updated patch attached.
From 56f80feb7a4b4fb33f0c04e9dd718cdcb212199f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 26 Jan 2016 13:47:56 +0100
Subject: [PATCH] Warn user when ipa *-find reach limit

Truncated entries were silently ignored, now a user receives warning.

https://fedorahosted.org/freeipa/ticket/5634
---
 ipalib/messages.py | 10 ++
 ipalib/plugins/baseldap.py |  8 +++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index 078e13f596f448601a74d0241801bc9ee858548f..e43584b108eda0055419f605c4c0c1893ec9a6d0 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -331,6 +331,16 @@ class ExternalCommandOutput(PublicMessage):
 format = _("%(line)s")
 
 
+class SearchResultTruncated(PublicMessage):
+"""
+**13017** Results of LDAP search has been truncated
+"""
+
+errno = 13017
+type = "warning"
+format = _("Search result has been truncated to configured search limit.")
+
+
 def iter_messages(variables, base):
 """Return a tuple with all subclasses
 """
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 5f7b7fba1dbf782cfcbffadce55d1610122cb72c..03a255ca1303091f8a9f08f6ae1d0f76281937a0 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -35,6 +35,7 @@ from ipalib import output
 from ipalib.text import _
 from ipalib.util import json_serialize, validate_hostname
 from ipalib.capabilities import client_has_capability
+from ipalib.messages import add_message, SearchResultTruncated
 from ipapython.dn import DN
 from ipapython.version import API_VERSION
 
@@ -2101,12 +2102,17 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):
 entries[i] = entry_to_dict(e, **options)
 entries[i]['dn'] = e.dn
 
-return dict(
+result = dict(
 result=entries,
 count=len(entries),
 truncated=truncated,
 )
 
+if truncated:
+add_message(options['version'], result, SearchResultTruncated())
+
+return result
+
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
 assert isinstance(base_dn, DN)
 return (filters, base_dn, scope)
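
Review bot: add_message() is called with options['version'], which raises KeyError if this path is ever reached without 'version' in options. Either confirm that version is always filled in before this method runs or handle its absence explicitly. A test asserting that the warning is present when truncated is true and absent otherwise would also fit this change.
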
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Gabe Alford
On Tue, Jan 26, 2016 at 7:33 AM, Martin Basti  wrote:

>
>
> On 26.01.2016 15:17, Petr Spacek wrote:
>
>> On 26.1.2016 15:06, Martin Basti wrote:
>>
>>>
>>> On 26.01.2016 15:00, Gabe Alford wrote:
>>>
 On Tue, Jan 26, 2016 at 6:56 AM, Martin Basti wrote:



  On 26.01.2016 14:55, Petr Spacek wrote:

  On 26.1.2016 14:02, Martin Basti wrote:

  https://fedorahosted.org/freeipa/ticket/5634

  Patch attached.

  It works for me in API, CLI, and Web UI. The warning is shown
  as expected.

  Interestingly, Web UI behaves strangely when search limit is
  hit. This needs
  more investigation because it happens even without this patch
 :-)

  I found a different bug there, webUI passes sizelimit: 0
  (unlimited), but this value is not passed to some searches inside
  BaseldapSearch which raise error, I will file a ticket and provide
  details there


 Works for me as well. However, it would be nice to have what
 ipasearchlimit
 is limited to in the error message as well. So something like:

>>> thanks for testing.
>>>
>>> "Search result has been truncated, the current search limit is set to 10.
 Please increase the search limit."

>>> Well this is not so easy to achieve in framework, I prefer not to add
>>> number
>>> there, it requires bigger change in framework or an extra ldap search.
>>>
 Does this also address https://fedorahosted.org/freeipa/ticket/4022?

>>> It should.
>>>
>> Maybe we can use some generic phrase like:
>> "Search result has been truncated to configured search limit."
>> and avoid advice like 'increase search limit' which may not be possible
>> to do,
>> e.g. because user does not have permission to do that etc.
>>
>
Sounds good.



> Updated patch attached.
>

Ack from me.

[Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result

2016-01-26 Thread Tomas Babej
Hi,

The ldap_result operation can time out, returning a NULL result,
which in turn causes the parsing operation to crash.

https://fedorahosted.org/freeipa/ticket/5642

Tomas
From 3b4482cdd5494890a220bfd935874fa84677524c Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Tue, 26 Jan 2016 17:32:29 +0100
Subject: [PATCH] ipa-getkeytab: Handle the possibility of not obtaining a
 result

The ldap_result operation can time out, returning a NULL result,
which in turn causes the parsing operation to crash.

https://fedorahosted.org/freeipa/ticket/5642
---
 ipa-client/ipa-getkeytab.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 3592d9970412e91fa62b6ca8310a9511c4235656..d4925865393ea19705d5d9ae09847966402fd8f0 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -275,6 +275,10 @@ static int ipa_ldap_extended_op(LDAP *ld, const char *reqoid,
 fprintf(stderr, _("Failed to get result: %s\n"), ldap_err2string(ret));
 goto done;
 }
+else if (res == NULL) {
+fprintf(stderr, _("Timeout exceeded."));
+goto done;
+}
 
 ret = ldap_parse_extended_result(ld, res, , , 0);
 if (ret != LDAP_SUCCESS) {
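
Review bot: The new "else if (res == NULL)" branch jumps to done without assigning an error value to ret. This branch is reached only when the preceding error check on ret did not fire, so if the code after the done label returns ret, a timeout can be reported to the caller as success; set ret to an explicit error code before the goto. The message "Timeout exceeded." also lacks the trailing "\n" that the "Failed to get result: %s\n" line above it has.
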
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0399] ipa-getkeytab: Handle the possibility of not obtaining a result

2016-01-26 Thread Simo Sorce
On Tue, 2016-01-26 at 17:48 +0100, Tomas Babej wrote:
> Hi,
> 
> The ldap_result operation can time out, returning a NULL result,
> which in turn causes the parsing operation to crash.
> 
> https://fedorahosted.org/freeipa/ticket/5642
> 
> Tomas

LGTM

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0003] Refactor test_replace

2016-01-26 Thread Milan Kubík

On 01/12/2016 03:04 PM, Milan Kubík wrote:

On 12/04/2015 11:29 AM, Filip Škola wrote:

On Fri, 4 Dec 2015 10:08:40 +0100
Milan Kubík  wrote:


On 12/04/2015 10:04 AM, Filip Škola wrote:

Hi,

sending rather short one this time.

F.

NACK, UserTracker is implemented in
ipatests.test_xmlrpc.tracker.user_plugin.


Ah, sorry for this.


F.

Hi,
the tests do not work. Similar problems to test_attr. There are some 
problems with the expected and actual results. NACK.


Problems were caused by missing dependency (patch). The code looks good. 
ACK.


--
Milan Kubik


Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

2016-01-26 Thread Milan Kubík

On 01/12/2016 03:03 PM, Milan Kubík wrote:

On 12/07/2015 01:25 PM, Filip Škola wrote:

Now the tier marker has got lost somewhere on the way... which is
corrected in this patch.

/me apologizes for the noise

F.

On Mon, 7 Dec 2015 13:00:41 +0100
Filip Škola  wrote:


Self-NACK, resubmitting with the last commit which includes
UserTracker from the right location...

F.

On Fri, 4 Dec 2015 16:24:16 +0100
Filip Škola  wrote:


Hi,

sending a new version of test_attr.

F.
Hello, the patch doesn't work. The tests fail on mismatches in
expected and actual result.

NACK.


My mistake, the code just needed earlier patch. ACK.

--
Milan Kubik


Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

2016-01-26 Thread Milan Kubík

On 01/25/2016 11:11 AM, Filip Skola wrote:


- Original Message -

On 01/15/2016 03:38 PM, Filip Skola wrote:

Hi,

sending rebased patch.

F.

- Original Message -

Hello,

sorry for delays. The patch no longer applies to master. Rebase it,
please.

Milan

- Original Message -
From: "Filip Škola" 
To: "Milan Kubík" 
Cc: freeipa-devel@redhat.com
Sent: Wednesday, 9 December, 2015 7:01:02 PM
Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

On Mon, 7 Dec 2015 17:49:18 +0100
Milan Kubík  wrote:


On 12/03/2015 08:15 PM, Filip Škola wrote:

On Mon, 30 Nov 2015 17:18:30 +0100
Milan Kubík  wrote:


On 11/23/2015 04:42 PM, Filip Škola wrote:

Sending updated patch.

F.

On Mon, 23 Nov 2015 14:59:34 +0100
Filip Škola  wrote:


Found couple of issues (broke some dependencies).

NACK

F.

On Fri, 20 Nov 2015 13:56:36 +0100
Filip Škola  wrote:


Another one.

F.

Hi, the tests look good. Few remarks, though.

1. Please, use the shortest copyright notice in new modules.

#
# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
#

2. The tests `test_group_remove_group_from_protected_group` and
`test_group_full_set_of_objectclass_not_available_post_detach`
were not ported. Please, include them in the patch.

Also, for less hassle, please rebase your patches on top of
freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
Which changes the location of tracker implementations and prevents
circular imports.

Thanks.


Hi,

these cases are there, in corresponding classes. They are marked
with the original comments. (However I can move them to separate
class if desirable.)

The copyright notice is changed. Also included a few changes in the
test with user without private group.

Filip

NACK

linter:
* Module tracker.group_plugin
ipatests/test_xmlrpc/tracker/group_plugin.py:257:
[E0102(function-redefined), GroupTracker.check_remove_member] method
already defined line 253)

Probably a leftover after the rebase made on top of my patch. Please
fix it. You can check your changes by make-lint script before
sending them.

Thanks


Hi,

I learned to use make-lint!

Thanks,
F.


Hello,

NACK, pylint doesn't seem to like the way the fixtures are imported
(pytest does a lot of runtime magic) [1].
One possible solution would be [2]. Though, I don't think this would be
a good idea in our environment. I suggest to create the fixtures on per
module basis.


[1]: http://fpaste.org/311949/53118942/
[2]:
https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects

--
Milan Kubik



Hi,

the fixtures were copied into corresponding module. Please note that this patch 
has a dependence on my patch 0001 (user plugin).

Filip

Linter:
* Module ipatests.test_xmlrpc.tracker.group_plugin
W:100,26: Calling a dict.iter*() method (dict-iter-method)

please use dict.items

--
Milan Kubik


Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs

2016-01-26 Thread Martin Basti



On 25.01.2016 16:41, Stanislav Laznicka wrote:

Hi,

Worked those comments into the code. Also added a bit different info 
message in clean_ruv with ca=True (ipa-replica-manage:430).


Also adding steps to reproduce:
1. Create a master and some replica (3 replicas is a good solution - 1 
with CA, 1 without, 1 to be dangling (with CA))

2. Change domain level to 0 and ipactl restart
3. Remove the "dangling-to-be" replica from masters.ipa.etc and from 
both ipaca and domain subtrees in mapping tree.config

4. Try to remove the dangling ruvs with the command

Cheers,
Standa


On 01/22/2016 01:22 PM, Martin Basti wrote:

Hello,

I have a few comments

PATCH Automatically detect and remove dangling RUVs

1)
+# get the Directory Manager password
+if options.dirman_passwd:
+dirman_passwd = options.dirman_passwd
+else:
+dirman_passwd = installutils.read_password('Directory Manager',
+confirm=False, validate=False, retry=False)
+if dirman_passwd is None:
+sys.exit('Directory Manager password is required')
+
+options.dirman_passwd = dirman_passwd

IMO you need only else branch here

if not options.dirman_passwd:
    dirman_passwd = installutils.read_password('Directory Manager',
        confirm=False, validate=False, retry=False)
    if dirman_passwd is None:
        sys.exit('Directory Manager password is required')
    options.dirman_passwd = dirman_passwd


2)
We should use new formatting in new code (more times in code)

+sys.exit(
+"Failed to get data from '%s' while trying to list 
replicas: %s" %

+(host, e)
+)

sys.exit(
    "Failed to get data from '{host}' while trying to list replicas: {e}".format(
        host=host, e=e
    )
)

3)
+# get all masters
+masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ipautil.realm_to_suffix(realm))

IMO you should use constants:
 masters_dn = DN(api.env.container_masters, api.env.basedn)

4)
+# Get realm string for config tree
+s = realm.split('.')
+s = ['dc={dc},'.format(dc=x.lower()) for x in s]
+realm_config = DN(('cn', ''.join(s)[0:-1]))

Can be api.env.basedn used instead of this block of code?

5)
+masters = [x.single_value['cn'] for x in masters]

+for master in masters:

is there any reason why not iterate over the keys in info dict?

for master_name, master_data/values/whatever in info.items():
   master_data['online'] = True

Looks better than: info[master]['online'] = True

6)
I asked python gurus, for empty lists and dicts, please use [] and {} 
instead of list() and dict()

It is preferred and faster.

7)
+if(info[master]['ca']):
+entry = conn.get_entry(csreplica_dn)
+csruv = (master, 
entry.single_value.get('nsDS5ReplicaID'))

+if csruv not in csruvs:
+csruvs.append(csruv)

I don't like too much adding tuples into list and then doing search 
there, but it is as designed


However can you use set() instead of list when the purpose of 
variable is only testing existence?


related to:
csruvs
ruvs
offlines
clean_list
cleaned

8)
conn in finally block may be undefined

9)
unused local variables

clean_list
entry on line 570

10)
optional, comment what keys mean in info structure




Hello,

1)
I accept your silence as the following code cannot use anything from api.env
+# Get realm string for config tree
+s = realm.split('.')
+s = ['dc={dc},'.format(dc=x.lower()) for x in s]
+realm_config = DN(('cn', ''.join(s)[0:-1]))

but then please use:
s = ['dc={dc}'.format(dc=x.lower()) for x in s]
realm_config = DN(('cn', ','.join(s)))

But I still think that api.env.basedn can be used, because it contains 
the same format as you need

realm_config = DN(('cn', api.env.basedn))

2) nitpick
ca_dn = DN(('cn', 'ca'), DN(master.dn))

AFAIK can be just

ca_dn = DN(('cn', 'ca'), master.dn)

3) uber nitpick
This is PEP8 valid, but somehow inconsistent with the rest of code and 
it hit my eyes


print('\t\tid: {id}, hostname: {host}'
.format(id=csruv[1], host=csruv[0])
)

we use in code

print(
   something1,
   something2
)

or

print(something1,
something2)

Otherwise LGTM

[Freeipa-devel] [PATCH] webui: 949 crash nicely if sessionStorage is not available

2016-01-26 Thread Petr Vobornik

https://fedorahosted.org/freeipa/ticket/5643
--
Petr Vobornik
From 006be0e198b79fd07dd413afcb05f0cf8f7cb57d Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Tue, 26 Jan 2016 18:55:06 +0100
Subject: [PATCH] webui: crash nicely if sessionStorage is not available

https://fedorahosted.org/freeipa/ticket/5643
---
 install/ui/src/freeipa/Application_controller.js | 17 +++--
 install/ui/src/freeipa/app_container.js  |  8 
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 69b9cd1c3c5873e10729f808ca3ec27688a1ecf2..5c040e4a05a140a1842f7265c036cd0eae962a35 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -257,15 +257,20 @@ define([
 'class': 'error-details'
 }).appendTo(error_container);
 
-details.append($('', { text: 'Web UI got in unrecoverable state during "' + error.phase + '" phase' }));
+details.append($('', { text: 'Web UI got in unrecoverable state during "' + error.phase + '" phase.' }));
 if (error.name) window.console.error(error.name);
 if (error.results) {
-var msg = error.results.message;
-var stack = error.results.stack.toString();
-window.console.error(stack);
 details.append('Technical details:');
-details.append($('', { text: error.results.message }));
-details.append($('').append($('', { text: stack })));
+var msg = error.results.message;
+if (msg) {
+window.console.error(msg);
+details.append($('', { text: msg }));
+}
+if (error.results.stack) {
+var stack = error.results.stack.toString();
+window.console.error(stack);
+details.append($('').append($('', { text: stack })));
+}
 }
 },
 
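Review bot: 'Technical details:' is still appended unconditionally inside `if (error.results)`, so a results object with neither `message` nor `stack` renders the heading with nothing under it. Consider appending the heading only when `msg || error.results.stack` is truthy. The new guard around `error.results.stack.toString()` is needed, since the rejection added in app_container.js carries only `message`.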
diff --git a/install/ui/src/freeipa/app_container.js b/install/ui/src/freeipa/app_container.js
index 0a49307e31f4875724ee430f32c9483a23c6b51e..1194fd14263a1b6f1a5a0a2fa4bc605f344ef417 100644
--- a/install/ui/src/freeipa/app_container.js
+++ b/install/ui/src/freeipa/app_container.js
@@ -63,6 +63,14 @@ define([
 
 phases.on('init', lang.hitch(this, function() {
 var deferred = new Deferred();
+if (!window.sessionStorage) {
+deferred.reject({
+message: "Web UI requires sessionStorage enabled. " +
+ "This might be caused by too strict browser " +
+ "configuration."
+});
+return deferred.promise;
+}
 if (window.sessionStorage.getItem('logout')) {
 window.sessionStorage.removeItem('logout');
 var login_facet = reg.facet.get('login');
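Review bot: the `!window.sessionStorage` test only covers browsers that return null or undefined for the property; when storage is blocked by cookie or site-data settings, some browsers throw a SecurityError on the property access itself, so the exception would escape before `deferred.reject` runs. Wrapping the access in try/catch and rejecting from the catch branch would cover both cases with the same message.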
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] webui: 949 crash nicely if sessionStorage is not available

2016-01-26 Thread Tomas Babej
ACK

On 01/26/2016 06:57 PM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/5643
> 
> 



Re: [Freeipa-devel] [PATCH 0003] Refactor test_replace

2016-01-26 Thread Martin Basti



On 26.01.2016 18:37, Milan Kubík wrote:

On 01/12/2016 03:04 PM, Milan Kubík wrote:

On 12/04/2015 11:29 AM, Filip Škola wrote:

On Fri, 4 Dec 2015 10:08:40 +0100
Milan Kubík  wrote:


On 12/04/2015 10:04 AM, Filip Škola wrote:

Hi,

sending rather short one this time.

F.

NACK, UserTracker is implemented in
ipatests.test_xmlrpc.tracker.user_plugin.


Ah, sorry for this.


F.

Hi,
the tests do not work. Similar problems to test_attr. There are some 
problems with the expected and actual results. NACK.


Problems were caused by missing dependency (patch). The code looks 
good. ACK.



Pushed to:
master: 9ba5bf03a89816ef33f7d0b8dab14aa2e01deaaa
ipa-4-3: 66c7ecd8c6b42fe17aa5d5410f67baf8371eba25


Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

2016-01-26 Thread Martin Basti



On 26.01.2016 18:38, Milan Kubík wrote:

On 01/12/2016 03:03 PM, Milan Kubík wrote:

On 12/07/2015 01:25 PM, Filip Škola wrote:

Now the tier marker has got lost somewhere on the way... which is
corrected in this patch.

/me apologizes for the noise

F.

On Mon, 7 Dec 2015 13:00:41 +0100
Filip Škola  wrote:


Self-NACK, resubmitting with the last commit which includes
UserTracker from the right location...

F.

On Fri, 4 Dec 2015 16:24:16 +0100
Filip Škola  wrote:


Hi,

sending a new version of test_attr.

F.
Hello, the patch doesn't work. The tests fail on mismatches in 
expected and actual result.

NACK.


My mistake, the code just needed earlier patch. ACK.


Pushed to:
master: ec75b01f17e759f3a1bba2d8bb63e09d65fec051
ipa-4-3: 0b04242e3478eab45121893db676cbe3829edb7c


Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker

2016-01-26 Thread Milan Kubík

On 01/18/2016 02:26 PM, Filip Skola wrote:

Hi,

this should be fixed in this patch.

F.

- Original Message -

On 01/15/2016 03:37 PM, Filip Skola wrote:

Hi,

sending rebased patch.

F.

- Original Message -

Hi,

the patch no longer applies to master. Please rebase it.

Thanks,
Milan

- Original Message -
From: "Filip Skola" 
To: freeipa-devel@redhat.com
Cc: "Milan Kubík" , "Aleš Mareček"

Sent: Tuesday, 22 December, 2015 11:56:15 AM
Subject: [PATCH 0005] Refactor test_nesting, create HostGroupTracker

Hi,

another patch from refactoring-test_xmlrpc series.

Filip


NACK, something seems to be missing in the patch


* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
ipatests/test_xmlrpc/tracker/hostgroup_plugin.py:222: [E1101(no-member),
HostGroupTracker.check_add_member_negative] Instance of
'HostGroupTracker' has no 'adds' member)

--
Milan Kubik



The same as with patch 0002:
* Module ipatests.test_xmlrpc.tracker.hostgroup_plugin
W:142,26: Calling a dict.iter*() method (dict-iter-method)

Please use dict.items method.

--
Milan Kubik


[Freeipa-devel] [PATCH 0409] Warn user when ipa *-find reach search limit

2016-01-26 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5634

Patch attached.
From c3ff150ac9787608f0bb7b27802a499a05084b49 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 26 Jan 2016 13:47:56 +0100
Subject: [PATCH] Warn user when ipa *-find reach limit

Truncated entries were silently ignored, now a user receives warning.

https://fedorahosted.org/freeipa/ticket/5634
---
 ipalib/messages.py | 10 ++
 ipalib/plugins/baseldap.py |  8 +++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ipalib/messages.py b/ipalib/messages.py
index 078e13f596f448601a74d0241801bc9ee858548f..bc39b0e17270fdd2f1de356ae024f51c1511b3c1 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -331,6 +331,16 @@ class ExternalCommandOutput(PublicMessage):
 format = _("%(line)s")
 
 
+class SearchResultTruncated(PublicMessage):
+"""
+**13017** Results of LDAP search has been truncated
+"""
+
+errno = 13017
+type = "warning"
+format = _("Search result has been truncated, please increase search limit")
+
+
 def iter_messages(variables, base):
 """Return a tuple with all subclasses
 """
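Review bot: the user-facing text in `format` says "please increase search limit" without saying which limit was hit or how to raise it; a search can be cut short by the size limit or by the time limit, so naming both (for example the --sizelimit and --timelimit options of the find command) would make the warning actionable. The docstring should also read "Results of LDAP search have been truncated".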
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 5f7b7fba1dbf782cfcbffadce55d1610122cb72c..03a255ca1303091f8a9f08f6ae1d0f76281937a0 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -35,6 +35,7 @@ from ipalib import output
 from ipalib.text import _
 from ipalib.util import json_serialize, validate_hostname
 from ipalib.capabilities import client_has_capability
+from ipalib.messages import add_message, SearchResultTruncated
 from ipapython.dn import DN
 from ipapython.version import API_VERSION
 
@@ -2101,12 +2102,17 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):
 entries[i] = entry_to_dict(e, **options)
 entries[i]['dn'] = e.dn
 
-return dict(
+result = dict(
 result=entries,
 count=len(entries),
 truncated=truncated,
 )
 
+if truncated:
+add_message(options['version'], result, SearchResultTruncated())
+
+return result
+
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
 assert isinstance(base_dn, DN)
 return (filters, base_dn, scope)
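Review bot: `options['version']` is indexed directly and only on the `truncated` branch, so if any caller reaches this code without `version` in `options`, the KeyError shows up only when a search happens to hit a limit. Please confirm `version` is always populated here or use a lookup that cannot raise, and add a test that forces a truncated search and checks that the warning is present in the result; the diffstat lists no test change.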
-- 
2.5.0


Re: [Freeipa-devel] [PATCH 0131] fix standalone installation of externally signed CA on IPA master

2016-01-26 Thread Martin Babinsky

On 01/26/2016 01:06 PM, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5636



This also happens on ipa-4-3/master but the offending check was moved 
around. Attaching patch for 4-3/master branches.


--
Martin^3 Babinsky
From 84f2114aee0f59634d3e0f41e655bec9313fd0f5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 26 Jan 2016 13:41:37 +0100
Subject: [PATCH] fix standalone installation of externally signed CA on IPA
 master

https://fedorahosted.org/freeipa/ticket/5636
---
 install/tools/ipa-ca-install | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 83cf98ec6a34093c826470e06ad448e6033bc682..1bc5def03bf687a1e4f9fb38a54363b5429c8fc4 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -276,7 +276,8 @@ def main():
 if not dsinstance.DsInstance().is_configured():
 sys.exit("IPA server is not configured on this system.\n")
 
-if cainstance.is_ca_installed_locally():
+if (not options.external_cert_files and
+cainstance.is_ca_installed_locally()):
 sys.exit("CA is already installed on this host.")
 
 standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
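Review bot: with `not options.external_cert_files and` in front, the "CA is already installed on this host." guard is skipped for every invocation that passes external cert files, not only for the second step of an external-CA install that is still in progress. If the intent is to let that second step through, a short comment saying so would help, and it is worth checking that a host with a fully installed CA still gets a clear error further down when external cert files are supplied. The commit message has only the ticket link, so the reasoning is not recorded in the patch.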
-- 
2.5.0
