[Freeipa-devel] [freeipa PR#161][opened] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Author: mbasti-rh
Title: #161: CI: workaround: wait for dogtag before replica-prepare
Action: opened

PR body:
"""
In domain level 0 ipa-replica-prepare fails because dogtag is not ready so soon after final restart during installation (tests are too fast). Wait 30 seconds before ipa-replica-prepare is executed, to make sure that dogtag is ready.

Remove this workaround when ticket is fixed.

https://fedorahosted.org/freeipa/ticket/6274
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/161/head:pr161
git checkout pr161

From e2c870121db5b3569f344a8079ddf9c6700f44a4 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 13 Oct 2016 17:12:23 +0200
Subject: [PATCH] CI: workaround: wait for dogtag before replica-prepare

In domain level 0 ipa-replica-prepare fails because dogtag is not ready so soon after final restart during installation (tests are too fast). Wait 30 seconds before ipa-replica-prepare is executed, to make sure that dogtag is ready.

Remove this workaround when ticket is fixed.

https://fedorahosted.org/freeipa/ticket/6274
---
 ipatests/test_integration/tasks.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7c96227..0b460b9 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -370,6 +370,9 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False, args.extend(extra_args) if domain_level == DOMAIN_LEVEL_0: +# workaround #6274 - remove when fixed +time.sleep(30) # wait until dogtag wakes up + # prepare the replica file on master and put it to replica, AKA "old way" replica_prepare(master, replica) replica_filename = get_replica_filename(replica) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
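Review bot: the added `time.sleep(30)` is a fixed delay rather than a readiness check, so it can still lose the race against dogtag's restart on a slow host while wasting the full 30 seconds on a fast one; polling the CA until it responds, with a bounded timeout that fails the test loudly, would be a more robust stand-in until ticket 6274 is fixed. The hunk context also does not show that `time` is imported in tasks.py, so please confirm the import is present, and consider putting the ticket URL in the `# workaround #6274` comment so the removal condition is easy to find later.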
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
I think that you forgot to squash commits. Patch 47 doesn't apply.

On 13.10.2016 14:01, Oleg Fayans wrote:
Hi Martin,

Thanks for the review. With disabling directory server it works as well, thanks for the hint. Also I moved the cleanup logic to the test itself for the sake of simplicity. Patch-0048 was not changed.

On 10/12/2016 02:35 PM, Martin Basti wrote:
1) Can you just turn off dirsrv on replica instead of doing iptables magic?

2) NACK
No more eval() ever in code, use 'getattr', 'get' or whatever in the object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:
Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how this feature works. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all replica's RUVs. If we clean replica's RUVs on master without uninstalling the replica, the replica's RUVs get recreated on master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from master.

The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand

On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:
Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:
Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:
Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release?
They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:
One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:
Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:
IIUC, this will turn off the machine completely, how is cleanup done then. AFAIK our tests cannot turn on machine again and run cleanup, so you will not be able to run more tests on the same topology without manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'

Agreed! Fixed.

Martin^2

*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?

Removed, it was left from the old "poweroff" approach

2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive IndexError here replica_ruvs[0]. IMO it deserves assert before

Implemented the assert which checks that the output contains enough replica RUVs

3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not connect to replica ', or something similar, instead of listing/cleaning/whatever operation was executed. I think that it should be more specific regexp than just finding a replica name substring (Yes, in IPA we don't always print errors to stderr). I'm not sure, but probably there might be cases when non critical error happen and exit status is still 0

Agree.
Implemented a regex-based search

4)
+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.

Gone

*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters)

Fixed

2) I don't like doing assert just with count of occurrences of substring in STDOUT, would be possible to improve this somehow?

Maybe, but frankly, I don't see how. In this case we are making sure that both simple and CA-specific RUVs of a replica are displayed. The format of the output is strict:

Replica Update Vectors:
    replica1_hostname:389: RUV_id
    replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
    replica1_hostname:389:
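The two parsing problems raised in this review (a `findall()` followed by `[0]` raising IndexError when nothing matched, and a bare substring or occurrence-count check that an error line such as "could not connect to replica ..." could satisfy) both go away if the `list-ruv` output is parsed section by section with an anchored per-line pattern. The following is an added example written for this page, not code from the patches under review or from the FreeIPA test suite; the sample output is constructed to follow the two-section format quoted above, and the hostnames and RUV ids are invented.

```python
import re

# Constructed sample of `ipa-replica-manage list-ruv` output, shaped like the
# format quoted in the review: two sections, one "host:389: id" line per RUV.
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tmaster.ipa.test:389: 4
\treplica1.ipa.test:389: 7
Certificate Server Replica Update Vectors:
\tmaster.ipa.test:389: 96
\treplica1.ipa.test:389: 97
"""

# Constructed output after a successful clean-ruv: the replica is gone from
# both the plain and the CA section.
SAMPLE_AFTER_CLEAN = """\
Replica Update Vectors:
\tmaster.ipa.test:389: 4
Certificate Server Replica Update Vectors:
\tmaster.ipa.test:389: 96
"""

SECTION_HEADERS = {
    "Replica Update Vectors:": "plain",
    "Certificate Server Replica Update Vectors:": "ca",
}

# Anchored pattern: the whole line must be "<host>:389: <digits>". Matching
# line by line (instead of findall() with ".*" over the whole blob) means an
# error message mentioning the hostname cannot pass as a RUV entry.
RUV_LINE_RE = re.compile(r"^\s*(?P<host>[A-Za-z0-9.-]+):389:\s*(?P<id>\d+)\s*$")


def parse_list_ruv(stdout):
    """Parse list-ruv output into {"plain": {host: id}, "ca": {host: id}}.

    Any line that is neither a known section header nor a well-formed RUV
    line raises ValueError, so unexpected output fails loudly instead of
    being silently ignored.
    """
    ruvs = {"plain": {}, "ca": {}}
    section = None
    for line in stdout.splitlines():
        if not line.strip():
            continue
        if line.strip() in SECTION_HEADERS:
            section = SECTION_HEADERS[line.strip()]
            continue
        m = RUV_LINE_RE.match(line)
        if section is None or m is None:
            raise ValueError("unexpected list-ruv line: %r" % line)
        ruvs[section][m.group("host")] = int(m.group("id"))
    return ruvs


def ruvs_for_host(stdout, hostname):
    """Return (plain_ruv_id, ca_ruv_id) for hostname.

    Raises LookupError naming the missing section instead of letting the
    caller hit an IndexError on an empty findall() result.
    """
    ruvs = parse_list_ruv(stdout)
    missing = [kind for kind in ("plain", "ca") if hostname not in ruvs[kind]]
    if missing:
        raise LookupError("no %s RUV for %s in list-ruv output"
                          % (" or ".join(missing), hostname))
    return ruvs["plain"][hostname], ruvs["ca"][hostname]


def host_fully_cleaned(stdout, hostname):
    """True when neither section still lists hostname (post clean-ruv check)."""
    ruvs = parse_list_ruv(stdout)
    return hostname not in ruvs["plain"] and hostname not in ruvs["ca"]


if __name__ == "__main__":
    print(ruvs_for_host(SAMPLE_LIST_RUV, "replica1.ipa.test"))
    print(host_fully_cleaned(SAMPLE_AFTER_CLEAN, "replica1.ipa.test"))
```

In a test, `ruvs_for_host()` gives the ids to pass to `clean-ruv` and `host_fully_cleaned()` is the assertion afterwards; both fail with a message that says what was wrong with the output, which is the property the reviewer asked for.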
Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation
Thank you, this was a really helpful clarification of your point. Comments below. Once again, I'm sorry I missed the email for so long.

Ben

On 09/05/2016 06:52 AM, Jan Cholasta wrote:
On 27.8.2016 22:40, Ben Lipton wrote:
On 08/25/2016 04:11 PM, Rob Crittenden wrote:
Ben Lipton wrote:
On 08/23/2016 03:54 AM, Jan Cholasta wrote:
On 8.8.2016 22:23, Ben Lipton wrote:
On 07/25/2016 07:45 AM, Jan Cholasta wrote:
On 25.7.2016 13:11, Alexander Bokovoy wrote:
On Mon, 25 Jul 2016, Jan Cholasta wrote:
On 20.7.2016 16:05, Ben Lipton wrote:
Hi,

Thanks very much for the feedback! Some responses below; I hope you'll let me know what you think of my reasoning.

On 07/20/2016 04:20 AM, Jan Cholasta wrote:
Hi,

On 17.6.2016 00:06, Ben Lipton wrote:
On 06/14/2016 08:27 AM, Ben Lipton wrote:
Hello all,

I have written up a design proposal for making certificate requests easier to generate when using alternate certificate profiles: http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation. The use case for this is described in https://fedorahosted.org/freeipa/ticket/4899. I will be working on implementing this design over the next couple of months. If you have the time and interest, please take a look and share any comments or concerns that you have.

Thanks!
Ben

Just a quick update to say that I've created a new document that covers the proposed schema additions in a more descriptive way (with diagrams!) I'm very new to developing with LDAP, so some more experienced eyes on the proposal would be very helpful, even if you don't have time to absorb the full design. Please take a look at http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema if you have a chance.

I finally had a chance to take a look at this, here are some comments:

1) I don't like how transformation rules are tied to a particular helper and have to be duplicated for each of them.
They should be generic and work with any helper, as helpers are just an implementation detail and their resulting data is the same. In fact, I think I would prefer if the CSR was generated using python-cryptography's CertificateSigningRequestBuilder [1] rather than openssl or certutil or any other command line tool.

There are lots of tools that users might want to use to manage their private keys, so I don't know if we can assume that whatever library we prefer will actually be able to access the private key to sign a CSR, which is why I thought it would be useful to support more than one.

python-cryptography has the notion of backends, which allow it to support multiple crypto implementations. Upstream it currently supports only OpenSSL [2], but some work has been done on PKCS#11 backend [3], which provides support for HSMs and soft-tokens (like NSS databases). Alternatively, for NSS databases (and other "simple" cases), you can generate the private key with python-cryptography using the default backend, export it to a file and import the file to the target database, so you don't actually need the PKCS#11 backend for them. So, the only thing that's currently lacking is HSM support, but given that we don't support HSMs in IPA nor in certmonger, I don't think it's an issue for now.

The purpose of the mapping rule is to tie together the transformation rules that produce the same data into an object that's implementation-agnostic, so that profiles referencing those rules are automatically compatible with all the helper options.

They are implementation-agnostic, as long as you consider `openssl` and `certutil` the only implementations :-) But I don't think this solution scales well to other possible implementations. Anyway, my main grudge is that the transformation rules shouldn't really be stored on and processed by the server. The server should know the *what* (mapping rules), but not the *how* (transformation rules).
The *how* is an implementation detail and does not change in time, so there's no benefit in handling it on the server. It should be handled exclusively on the client, which I believe would also make the whole thing more robust (it would not be possible for a bug on the server to break all the clients).

This is a good point. However, for the scope of Ben's project can we limit it by openssl and certutil support? Otherwise Ben wouldn't be able to complete the project in time.

I'm fine with that, but I don't think it's up to me :-)

This is turning out to be a common (and, I think, reasonable) reaction to the proposal. It is rather complex, and I worry that it will be difficult to configure. On the other hand, there is some hidden complexity to enabling a simpler config format, as well. One of the goals of the project as it was presented to me was to allow the creation of profiles that add certificate extensions *that FreeIPA doesn't yet know about*. With the current proposal, one only has to add a rule generating text that the helper will
[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

mbasti-rh commented:
"""
Ticket https://fedorahosted.org/freeipa/ticket/5725 is in already closed milestone, please create a new one (I suppose you want backport to 4.4.3)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/160#issuecomment-253559347
[Freeipa-devel] [freeipa PR#161][comment] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/91b51e702f1e105329ebea29c633d94516cd673c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/161#issuecomment-253551844
[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

martbab commented:
"""
I think that issue reported in https://fedorahosted.org/freeipa/ticket/3230 is orthogonal to uninstaller returning 0 on error. I fail to see why we are even discussing this ticket in this context.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/160#issuecomment-253553642
[Freeipa-devel] [freeipa PR#155][+ack] Build system cleanup
URL: https://github.com/freeipa/freeipa/pull/155
Title: #155: Build system cleanup
Label: +ack
[Freeipa-devel] [freeipa PR#155][comment] Build system cleanup
URL: https://github.com/freeipa/freeipa/pull/155
Title: #155: Build system cleanup

mbasti-rh commented:
"""
Works for me,
Not pushing yet to give time to others to disagree
"""

See the full comment at https://github.com/freeipa/freeipa/pull/155#issuecomment-253555492
Re: [Freeipa-devel] Heimdal Kerberos support for client
On 12.10.2016 20:22, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hello list,
>>
>> I just noticed that client/configure.ac contains some checks to detect and
>> support Heimdal Kerberos libraries.
>>
>> Was it tested? Does it work? Can I drop it? :-)
>>
>
> Wow, that's some old code.
>
> Only Simo would know if it was ever tested or ever worked.
>
> I suppose since theoretically the client can be built separately theoretically
> it might do the right thing in some cases.
>
> Seems like enough of a corner case to me that I'd remove it, given it is
> likely untested these last 9 years or so.

Simo told me on IRC that we could remove it. According to Alexander, Ubuntu is building IPA packages against MIT Kerberos so it should be okay.

-- 
Petr^2 Spacek
[Freeipa-devel] [freeipa PR#161][+pushed] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare
Label: +pushed
[Freeipa-devel] [freeipa PR#161][closed] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Author: mbasti-rh
Title: #161: CI: workaround: wait for dogtag before replica-prepare
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/161/head:pr161
git checkout pr161
[Freeipa-devel] [freeipa PR#161][+ack] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare
Label: +ack
[Freeipa-devel] [freeipa PR#136][synchronized] Fix KRA install tests
URL: https://github.com/freeipa/freeipa/pull/136 Author: mbasti-rh Title: #136: Fix KRA install tests Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/136/head:pr136 git checkout pr136 From 4bc794329399344cd2218f71c408d096b2fc2f93 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Tue, 4 Oct 2016 23:08:19 +0200 Subject: [PATCH 1/3] CI: extend replication layouts tests with KRA KRA should be tested with warious replication topologies as well, mainly in domain level 0 https://fedorahosted.org/freeipa/ticket/6088 --- ipatests/test_integration/tasks.py | 18 ++-- .../test_integration/test_replication_layouts.py | 48 ++ 2 files changed, 63 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index 0b460b9..ef5078b 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -994,12 +994,20 @@ def double_circle_topo(master, replicas, site_size=6): def install_topo(topo, master, replicas, clients, domain_level=None, - skip_master=False, setup_replica_cas=True): + skip_master=False, setup_replica_cas=True, + setup_replica_kras=False): """Install IPA servers and clients in the given topology""" +if setup_replica_kras and not setup_replica_cas: +raise ValueError("Option 'setup_replica_kras' requires " + "'setup_replica_cas' set to True") replicas = list(replicas) installed = {master} if not skip_master: -install_master(master, domain_level=domain_level) +install_master( +master, +domain_level=domain_level, +setup_kra=setup_replica_kras +) add_a_records_for_hosts_in_master_domain(master) 
@@ -1009,7 +1017,11 @@ def install_topo(topo, master, replicas, clients, domain_level=None, connect_replica(parent, child) else: log.info('Installing replica %s from %s' % (parent, child)) -install_replica(parent, child, setup_ca=setup_replica_cas) +install_replica( +parent, child, +setup_ca=setup_replica_cas, +setup_kra=setup_replica_kras +) installed.add(child) install_clients([master] + replicas, clients) diff --git a/ipatests/test_integration/test_replication_layouts.py b/ipatests/test_integration/test_replication_layouts.py index c178815..53cae7d 100644 --- a/ipatests/test_integration/test_replication_layouts.py +++ b/ipatests/test_integration/test_replication_layouts.py @@ -52,6 +52,16 @@ def test_line_topology_with_ca(self): self.replication_is_working() +class TestLineTopologyWithCAKRA(LayoutsBaseTest): + +num_replicas = 3 + +def test_line_topology_with_ca_kra(self): +tasks.install_topo('line', self.master, self.replicas, [], + setup_replica_cas=True, setup_replica_kras=True) +self.replication_is_working() + + class TestStarTopologyWithoutCA(LayoutsBaseTest): num_replicas = 3 @@ -72,6 +82,16 @@ def test_star_topology_with_ca(self): self.replication_is_working() +class TestStarTopologyWithCAKRA(LayoutsBaseTest): + +num_replicas = 3 + +def test_star_topology_with_ca_kra(self): +tasks.install_topo('star', self.master, self.replicas, [], + setup_replica_cas=True, setup_replica_kras=True) +self.replication_is_working() + + class TestCompleteTopologyWithoutCA(LayoutsBaseTest): num_replicas = 3 
@@ -92,6 +112,16 @@ def test_complete_topology_with_ca(self): self.replication_is_working() +class TestCompleteTopologyWithCAKRA(LayoutsBaseTest): + +num_replicas = 3 + +def test_complete_topology_with_ca_kra(self): +tasks.install_topo('complete', self.master, self.replicas, [], + setup_replica_cas=True, setup_replica_kras=True) +self.replication_is_working() + + @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') class Test2ConnectedTopologyWithoutCA(LayoutsBaseTest): @@ -112,6 +142,15 @@ def test_2_connected_topology_with_ca(self): self.replication_is_working() +class Test2ConnectedTopologyWithCAKRA(LayoutsBaseTest): +num_replicas = 33 + +def test_2_connected_topology_with_ca_kra(self): +tasks.install_topo('2-connected', self.master, self.replicas, [], + setup_replica_cas=True, setup_replica_kras=True) +self.replication_is_working() + + @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design') class TestDoubleCircleTopologyWithoutCA(LayoutsBaseTest): @@ -130,3 +169,12
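Review bot: in the first tasks.py hunk (`@@ -994,12 +994,20 @@`), the new `ValueError` guard correctly rejects `setup_replica_kras` without `setup_replica_cas`, but `install_master(master, domain_level=domain_level, setup_kra=setup_replica_kras)` ties the master's KRA to the replicas' flag, so a topology with a KRA only on the master (or only on replicas) cannot be expressed; either add a separate master-side parameter or document in the docstring that `setup_replica_kras` also controls the master. The hunk context does not show `install_master`'s signature, so please confirm it accepts a `setup_kra` keyword.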
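Review bot: in the second tasks.py hunk (`@@ -1009,7 +1017,11 @@`), `install_replica(parent, child, setup_ca=..., setup_kra=...)` likewise assumes `install_replica` takes `setup_kra`, which the context does not show. While touching these lines, the unchanged `log.info('Installing replica %s from %s' % (parent, child))` has its arguments the wrong way round: given `install_replica(master, replica, ...)` in the PR#161 hunk above, `parent` is the master and `child` the replica being installed, so the message should read "Installing replica %s from %s" % (child, parent).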
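Review bot: in the `Test2ConnectedTopologyWithCAKRA` hunk (`@@ -112,6 +142,15 @@`), `num_replicas = 33` looks like a typo for `3`: every other new `*WithCAKRA` class in this patch uses `num_replicas = 3`, and 33 replicas would not match the sibling 2-connected tests. This class is also the only one added without a blank line between the `class` line and `num_replicas`. Finally, the visible `@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, ...)` decorators sit on the `Test2ConnectedTopologyWithoutCA` and `TestDoubleCircleTopologyWithoutCA` classes; since the commit message says KRA should be tested mainly in domain level 0, please confirm whether the 2-connected and double-circle KRA variants work at DOMAIN_LEVEL_0 or need the same skip.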
Re: [Freeipa-devel] Heimdal Kerberos support for client
On 13.10.2016 18:56, Petr Spacek wrote:
> On 12.10.2016 20:22, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> Hello list,
>>>
>>> I just noticed that client/configure.ac contains some checks to detect and
>>> support Heimdal Kerberos libraries.
>>>
>>> Was it tested? Does it work? Can I drop it? :-)
>>>
>>
>> Wow, that's some old code.
>>
>> Only Simo would know if it was ever tested or ever worked.
>>
>> I suppose since theoretically the client can be built separately
>> theoretically
>> it might do the right thing in some cases.
>>
>> Seems like enough of a corner case to me that I'd remove it, given it is
>> likely untested these last 9 years or so.
>
> Simo told me on IRC that we could remove it. According to Alexander, Ubuntu is
> building IPA packages against MIT Kerberos so it should be okay.

Yes, everything I've touched uses MIT on Debian/Ubuntu.

-- 
t
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:
> On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
> > Hi,
> >
> > I've started to write a SSSD design page about enhancing the current
> > mapping of certificates to users and how to select/match a suitable
> > certificate if multiple certificates are on a Smartcard.
> >
> > My current thoughts and ideas can be found at
> > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > and for your convenience below as well.
> >
> > Comments and suggestions are welcome. Please let me know about concerns,
> > alternatives and missing use-cases/user-stories.
> >
> > bye,
> > Sumit
> >
>
> Hi,
>
> Rob, Fraser, Alexander, thank you for your comments. I think both the
> issuer specific matching and the OID in the SUBJECT matching are good
> ideas. I updated the design page accordingly. The changes can be shown
> with
> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=9_version=6
>
> The updated version can be found below as well. Of course more comments and
> suggestions are still very welcome.
>

I did another update. A "Compatibility with Active Directory" section is added which made me realize that there are use-cases for using the issuer in the mapping as well and the sub-strings in LDAP search filters might be useful as well. The changes can be seen with https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=10_version=9

Please let me know your comments and suggestions.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
 * http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===

Mapping

Currently it is required that a certificate used for authentication is either stored in the LDAP user entry or in a matching override. This might not always be applicable and other ways are needed to relate a user with a certificate.
Matching

Even if SSSD will support multiple certificates on a Smartcard in the context of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict (or relax) the current certificate selection in certain environments.

=== Use cases ===

Mapping

In some environments it might not be possible or would cause unwanted effort to add certificates to the LDAP entry of the users to allow Smartcard based authentication. Reasons might be:
 * Certificates/Smartcards are issued externally
 * LDAP schema extension is not possible or not allowed

Matching

A user might have multiple certificates on a Smartcard which are suitable for authentication. But on some host in the environment only certificates from a specific CA (while all other CAs are trusted as well) or with some special extension should be valid for login.

=== Overview of the solution ===

To match a certificate a language/syntax has to be defined which allows to reference items from the certificate and compare the values with the expected data.

To map the certificates to a user the language/syntax should allow to relate certificate items with LDAP attributes so that the value(s) from the certificate item can be used in a LDAP search filter.

=== Implementation details ===

Matching

The pkinit plugin of MIT Kerberos must find a suitable certificate from a Smartcard as well and has defined the following syntax (see the pkinit_cert_match section of the krb5.conf man page or http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for details). The main components are
 * regular-expression
 * regular-expression
 * regular-expression
 * extended-key-usage-list
 * key-usage-list
and can be grouped together with a prefixed '&&' (and) or '`||`' (or) operator ('&&' is the default). If multiple rules are given they are iterated with the order in the config file as long as a rule matches exactly one certificate.
'''Question: MIT Kerberos uses case-sensitive matching and POSIX Extended Regular Expression syntax, shall we do the same?'''

While and are (imo) already quite flexible I can see some potential extensions for the other components.

and in MIT Kerberos only accept certain string values related to some allowed values in those field as defined in https://www.ietf.org/rfc/rfc3280.txt . The selection is basically determined by what is supported on server side of the pkinit plugin of MIT Kerberos. Since we plan to extend pkinit and support local authentication without pkinit as well I would suggest to allow OID strings for those components as well (the comparison is done on the OID level nonetheless).

The component in MIT Kerberos only checks the otherName SAN component for the id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME OID as mentioned in https://support.microsoft.com/en-us/kb/287547. While this is sufficient for the default pkinit user case
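To make the matching and mapping parts of the design concrete, here is an added example (my own illustration for this page, not code from SSSD, MIT Kerberos or the design document) of a small evaluator for pkinit_cert_match-style rules, followed by the mapping step that turns certificate items into an LDAP search filter. The component tags (SUBJECT, ISSUER, SAN, EKU, KU), the leading `&&`/`||` operator with `&&` as default, and the "iterate rules in config order until one matches exactly one certificate" behaviour follow the description above; the certificate records, rule strings and LDAP attribute names are constructed for the example. The filter builder escapes values per RFC 4515, which matters because the values come from a certificate and must not be able to change the structure of the filter. It goes slightly beyond the text in that the mapping step also handles list-valued items (several SANs).

```python
import re

# Certificates reduced to the items the matching language refers to. All
# values are constructed for this example; a real implementation would fill
# them from the parsed X.509 certificate.
CERTS = [
    {   # 0: PKINIT-capable login certificate
        "subject": "CN=alice,OU=Staff,O=Example Corp",
        "issuer": "CN=Example Corp CA,O=Example Corp",
        "san": ["alice@EXAMPLE.TEST"],
        "eku": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4"],   # clientAuth, id-pkinit-KPClientAuth
        "ku": ["digitalSignature"],
    },
    {   # 1: document-signing certificate on the same card
        "subject": "CN=alice,OU=Staff,O=Example Corp",
        "issuer": "CN=Example Corp CA,O=Example Corp",
        "san": [],
        "eku": ["1.3.6.1.4.1.311.10.3.12"],                 # msDocumentSigning
        "ku": ["digitalSignature", "nonRepudiation"],
    },
    {   # 2: admin certificate issued by a different CA
        "subject": "CN=alice (admin),OU=Admins,O=Example Corp",
        "issuer": "CN=Example Corp Admin CA,O=Example Corp",
        "san": ["alice/admin@EXAMPLE.TEST"],
        "eku": ["1.3.6.1.5.5.7.3.2"],
        "ku": ["digitalSignature"],
    },
]

# One rule = optional leading "&&" (default) or "||" operator, then one or
# more <FIELD>value components. SUBJECT/ISSUER/SAN carry a regular
# expression, EKU/KU a comma-separated list of OIDs or key-usage names.
# In this toy grammar a value may not itself contain "<".
COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")


def parse_rule(rule):
    """Split a rule into its operator and [(field, value), ...] components."""
    rule = rule.strip()
    op = "&&"
    if rule.startswith("||") or rule.startswith("&&"):
        op, rule = rule[:2], rule[2:]
    comps = [(field.lower(), value) for field, value in COMPONENT_RE.findall(rule)]
    if not comps:
        raise ValueError("rule has no components: %r" % rule)
    return op, comps


def component_matches(cert, field, value):
    """Evaluate one <FIELD>value component against a certificate record."""
    if field in ("subject", "issuer"):
        return re.search(value, cert[field]) is not None
    if field == "san":
        return any(re.search(value, name) for name in cert["san"])
    # eku / ku: every listed usage must be present in the certificate
    wanted = [item.strip() for item in value.split(",") if item.strip()]
    return all(item in cert[field] for item in wanted)


def rule_matches(rule, cert):
    op, comps = parse_rule(rule)
    results = [component_matches(cert, field, value) for field, value in comps]
    return any(results) if op == "||" else all(results)


def select_certificate(rules, certs):
    """Apply rules in configuration order; the first rule matching exactly one
    certificate decides. Returns the index into certs, or None if no rule is
    decisive (zero or several matches each time)."""
    for rule in rules:
        hits = [i for i, cert in enumerate(certs) if rule_matches(rule, cert)]
        if len(hits) == 1:
            return hits[0]
    return None


def ldap_filter_escape(value):
    """RFC 4515 escaping: a certificate-controlled string cannot inject
    parentheses, wildcards or backslashes into the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def mapping_filter(cert, attr_by_item):
    """Build the LDAP search filter that maps this certificate to a user.
    attr_by_item maps a certificate item to the LDAP attribute holding the
    same value (attribute names are the caller's, hypothetical here).
    Several values of one item are OR-ed; different items are AND-ed."""
    clauses = []
    for item, attr in attr_by_item.items():
        values = cert[item] if isinstance(cert[item], list) else [cert[item]]
        alts = ["(%s=%s)" % (attr, ldap_filter_escape(v)) for v in values]
        if not alts:
            raise ValueError("certificate has no %s value to map" % item)
        clauses.append(alts[0] if len(alts) == 1 else "(|%s)" % "".join(alts))
    return clauses[0] if len(clauses) == 1 else "(&%s)" % "".join(clauses)


if __name__ == "__main__":
    rules = ["<SUBJECT>CN=alice", "<EKU>1.3.6.1.5.2.3.4"]
    chosen = select_certificate(rules, CERTS)
    print("selected certificate index:", chosen)
    print(mapping_filter(CERTS[chosen], {"issuer": "certIssuerDN", "san": "krbPrincipalName"}))
```

The first rule in the `__main__` block matches all three certificates and is therefore skipped; the second one is decisive. The escaping test below shows why the filter must not be built with plain string formatting: a subject containing `*)(uid=admin` would otherwise turn the lookup into a wildcard search.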
Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package
On 13.10.2016 19:49, Petr Vobornik wrote:
On 10/12/2016 11:11 AM, Petr Spacek wrote:
On 10.10.2016 10:28, Martin Basti wrote:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6

Please set karma accordingly

Traceback:

...

2016-10-10T04:44:05Z DEBUG The ipa-replica-install command failed, exception: TypeError: 'unicode' does not have the buffer interface
2016-10-10T04:44:05Z ERROR 'unicode' does not have the buffer interface

I'll investigate if IPA is using it wrong or there is a new error introduced in python-dns

For archaeologists:
Fix https://github.com/freeipa/freeipa/pull/150 was merged.

We've pushed PR 150 to 4.4 and master. 4.4.2 release fixes f25 and f26 but F24 has 4.3 branch. Is it correct to assume that 4.3 is also affected? If so, then we need either to backport the patch to 4.3 and fix Fedora directly or completely block the python-dns update on f24.

4.3 shouldn't be affected, because the code that has been failing is only in 4.4+ in DNS Locations related feature

Martin^2
Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package
On 10/12/2016 11:11 AM, Petr Spacek wrote:
> On 10.10.2016 10:28, Martin Basti wrote:
>> https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6
>>
>>
>> Please set karma accordingly
>>
>>
>> Traceback:
>>
>> ...
>>
>> 2016-10-10T04:44:05Z DEBUG The ipa-replica-install command failed, exception:
>> TypeError: 'unicode' does not have the buffer interface
>> 2016-10-10T04:44:05Z ERROR 'unicode' does not have the buffer interface
>>
>>
>> I'll investigate if IPA is using it wrong or there is a new error introduced in
>> python-dns
>
> For archaeologists:
> Fix
> https://github.com/freeipa/freeipa/pull/150
> was merged.
>

We've pushed PR 150 to 4.4 and master. 4.4.2 release fixes f25 and f26 but F24 has 4.3 branch. Is it correct to assume that 4.3 is also affected? If so, then we need either to backport the patch to 4.3 and fix Fedora directly or completely block the python-dns update on f24.

-- 
Petr Vobornik
[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6c53765ac1746ea3cb82554775a37fe43af062e8
https://fedorahosted.org/freeipa/changeset/6c09d6f8788b5436d6c9a5af4cc079a843f00e33
"""

See the full comment at https://github.com/freeipa/freeipa/pull/127#issuecomment-253605497
[Freeipa-devel] [freeipa PR#127][closed] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
[Freeipa-devel] [freeipa PR#127][+pushed] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Label: +pushed
[Freeipa-devel] [freeipa PR#156][+pushed] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output
Label: +pushed
[Freeipa-devel] [freeipa PR#156][closed] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Author: jcholast
Title: #156: cert: add revocation reason back to cert-find output
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/156/head:pr156
git checkout pr156
[Freeipa-devel] [freeipa PR#156][comment] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/16dad1c3cb09acee946bc5b2409447279a8bc0de
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/30b478113e0dd7993f491c1582003567e9b20d13
"""

See the full comment at https://github.com/freeipa/freeipa/pull/156#issuecomment-253607864
[Freeipa-devel] [freeipa PR#161][comment] CI: workaround: wait for dogtag before replica-prepare
URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

mbasti-rh commented:
"""
It looks like 30 seconds is not enough: the majority of ipa-replica-prepare runs passed, but I had a few tests where it is still failing (randomly).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/161#issuecomment-253611853
[Freeipa-devel] [freeipa PR#127][+ack] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Label: +ack
[Freeipa-devel] [freeipa PR#136][edited] Fix KRA install tests
URL: https://github.com/freeipa/freeipa/pull/136
Author: mbasti-rh
Title: #136: Fix KRA install tests
Action: edited

Changed field: body

Original value:
"""
- in the test_installation test suite, KRA-related tests were duplicated; this PR removes them
- in the test_installation test suite with domain level 0, some KRA tests must be skipped because they do not work under domain level 0 by design
- because in previous commits I decreased the number of replicas in test_installation, I added KRA tests to the replication_layout test suite to test how KRA install works with more replicas and various layouts (needed mainly for domain level 0)

https://fedorahosted.org/freeipa/ticket/6088
"""
[Freeipa-devel] [freeipa PR#162][opened] Certificate processing refactoring
URL: https://github.com/freeipa/freeipa/pull/162 Author: frasertweedale Title: #162: Certificate processing refactoring Action: opened PR body: """ This PR contains ready-for-review/test commits that: - support converting python-cryptography Name type to DN - avoid the need to parse friendlyName from CSR and remove the code that does that - convert `ipalib.pkcs10` to use python-cryptography instead of NSS for processing CSRs. - eliminate our use of the nss.data_to_hex function - switch `ipalib.x509` to use ASN.1 specifications provided by *pyasn1-modules* library, and remove our hand-rolled definitions. It was discussed to target subteam staging branches for the ongoing refactoring work but it does not seem that these were created yet. I can retarget the PR after the cert refactoring branch gets created. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/162/head:pr162 git checkout pr162 From 7b22e9d9ed300e4abf7a5679b7f7d0014976c80e Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Mon, 10 Oct 2016 16:08:52 +1000 Subject: [PATCH 1/5] dn: support conversion from python-cryptography Name The upcoming change to using python-cryptography for certificate process will require a way to convert ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``. Update the ``DN`` constructor to accept a ``Name``. Part of: https://fedorahosted.org/freeipa/ticket/6398 --- ipapython/dn.py| 43 -- ipatests/test_ipapython/test_dn.py | 23 ++-- 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 3ee35c6..682e0ca 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -422,6 +422,7 @@ import sys import functools +import cryptography.x509 from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR import six 
@@ -976,6 +977,8 @@ class DN(object): to yield one or more RDN's which will be appended in order to the DN. The parsing recognizes the DN syntax escaping rules. +* A single ``cryptography.x509.name.Name`` object. + * A RDN object, the RDN will copied respecting the constructors keyword configuration parameters and appended in order. @@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value): rdns = [[ava]] elif isinstance(value, RDN): rdns = [value.to_openldap()] +elif isinstance(value, cryptography.x509.name.Name): +rdns = list(reversed([ +[get_ava( +_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), +ava.value)] +for ava in value +])) else: -raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" % -type(value)) +raise TypeError( +"must be str, unicode, tuple, Name, RDN or DN, got %s instead" +% type(value)) return rdns def _rdns_from_sequence(self, seq): 
@@ -1407,3 +1418,31 @@ def rindex(self, pattern, start=None, end=None): if i == -1: raise ValueError("pattern not found") return i + + +_ATTR_NAME_BY_OID = { +cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', +cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', +cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', +cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', +cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', +cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', +cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', +cryptography.x509.oid.NameOID.SURNAME: 'SN', +cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', +cryptography.x509.oid.NameOID.TITLE: 'title', +cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', +cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', +cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', +cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', +cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', +cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: +'incorporationCountry', +cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: +'incorporationLocality', +cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: +'incorporationState', +cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', +cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', +cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', +} diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a96bd33..3ca3b57 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py @@ -2,6 +2,7 @@ import unittest import pytest +from
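Review bot: in the `_rdns_from_value` hunk, `for ava in value` iterates the `Name` one `NameAttribute` at a time and wraps each in its own single-element list, so a multi-valued RDN in a certificate subject (`CN=a+OU=b`) would be split into two separate RDNs instead of one RDN with two AVAs; if that is acceptable for the subjects IPA handles, say so in a comment, otherwise the RDN grouping of the `Name` needs to be preserved. The `reversed(...)` is right (python-cryptography keeps the `Name` in RFC 5280 order, root first, while `DN` uses LDAP order, leaf first), but it deserves a one-line comment too, as does the `ava.oid.dotted_string` fallback, which yields a dotted-decimal attribute type (valid RFC 4514 syntax, but it will not compare equal to a DN that spells the same attribute by name).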
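Review bot: in the `_ATTR_NAME_BY_OID` hunk, `E` for `EMAIL_ADDRESS` is the NSS/OpenSSL abbreviation rather than an LDAP attribute name (`emailAddress`), presumably kept so that DNs built from a `Name` match the strings the NSS-based code produced; state that in a comment above the table so nobody "normalizes" it later, and add a test that the `DN` built from a certificate's `Name` equals the `DN` parsed from the same certificate's NSS subject string, which is what the rest of the refactoring will rely on.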
[Freeipa-devel] [freeipa PR#163][opened] Do not create Object Signing certificate
URL: https://github.com/freeipa/freeipa/pull/163 Author: frasertweedale Title: #163: Do not create Object Signing certificate Action: opened PR body: """ The Object Signing certificate created during server installation was used only for signing the (recently removed) Firefox extension, so there's no need to create that certificate any more. Fixes: https://fedorahosted.org/freeipa/ticket/6399 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/163/head:pr163 git checkout pr163 From 0db6f91d8b7398d676b39176f0c962f87e15ac5e Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Fri, 14 Oct 2016 13:20:16 +1000 Subject: [PATCH] Do not create Object Signing certificate The Object Signing certificate created during server installation was used only for signing the (recently removed) Firefox extension, so there's no need to create that certificate any more. Fixes: https://fedorahosted.org/freeipa/ticket/6399 --- install/ui/test/data/cert_find.json| 8 +--- ipaserver/install/ca.py| 6 ++ ipaserver/install/httpinstance.py | 1 - ipaserver/install/server/replicainstall.py | 1 - 4 files changed, 3 insertions(+), 13 deletions(-) diff --git a/install/ui/test/data/cert_find.json b/install/ui/test/data/cert_find.json index 6c059bd..4b2fb6d 100644 --- a/install/ui/test/data/cert_find.json +++ b/install/ui/test/data/cert_find.json @@ -57,15 +57,9 @@ "serial_number_hex": "0x9", "status": "VALID", "subject": "CN=dev.example.com,O=EXAMPLE.COM" -}, -{ -"serial_number": 10, -"serial_number_hex": "0xA", -"status": "VALID", -"subject": "CN=Object Signing Cert,O=EXAMPLE.COM" } ], "summary": "10 certificates matched", "truncated": false } -} \ No newline at end of file +} diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index dadc34e..ac04b64 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py 
@@ -94,8 +94,7 @@ def install_check(standalone, replica_config, options): for db in (cadb, dsdb): for nickname, _trust_flags in db.list_certs(): if nickname in (certdb.get_ca_nickname(realm_name), -'ipaCert', -'Signing-Cert'): +'ipaCert'): raise ScriptError( "Certificate with nickname %s is present in %s, " "cannot continue." % (nickname, db.secdir)) @@ -105,8 +104,7 @@ def install_check(standalone, replica_config, options): continue subject = DN(str(x509.get_subject(cert))) if subject in (DN('CN=Certificate Authority', subject_base), - DN('CN=IPA RA', subject_base), - DN('CN=Object Signing Cert', subject_base)): + DN('CN=IPA RA', subject_base)): raise ScriptError( "Certificate with subject %s is present in %s, " "cannot continue." % (subject, db.secdir)) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 60d62c0..a49280a 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -347,7 +347,6 @@ def __setup_ssl(self): ca_db) db.track_server_cert(self.cert_nickname, self.principal, db.passwd_fname, 'restart_httpd') -db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) self.add_cert_to_service() # Fix the database permissions diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 6c9f598..27d4dbb 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -96,7 +96,6 @@ def install_http_certs(config, fstore, remote_api): subject = DN(('O', config.realm_name)) db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject) db.request_service_cert('Server-Cert', principal, config.host_name, True) -# FIXME: need Signing-Cert too ? def install_replica_ds(config, options, ca_is_configured, remote_api, -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
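Review bot: in the install/ui/test/data/cert_find.json hunk, the entry with serial 10 (the Object Signing Cert) is removed but `"summary": "10 certificates matched"` two lines below is left untouched, so the fixture now claims one more match than it contains; update the summary so UI tests do not run against an inconsistent response.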
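Review bot: in the httpinstance.py hunk, dropping the `db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)` call leaves `CertDB.create_signing_cert` with no caller visible in this patch; if nothing else uses it, remove it in the same PR. Existing servers keep a `Signing-Cert` in the httpd NSS database that the `install_check` hunk in ca.py no longer checks for, so either an upgrade step that removes the stale certificate or a note that it is intentionally left in place should accompany the change.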
[Freeipa-devel] [freeipa PR#162][synchronized] Certificate processing refactoring
URL: https://github.com/freeipa/freeipa/pull/162 Author: frasertweedale Title: #162: Certificate processing refactoring Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/162/head:pr162 git checkout pr162 From 7b22e9d9ed300e4abf7a5679b7f7d0014976c80e Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Mon, 10 Oct 2016 16:08:52 +1000 Subject: [PATCH 1/5] dn: support conversion from python-cryptography Name The upcoming change to using python-cryptography for certificate process will require a way to convert ``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``. Update the ``DN`` constructor to accept a ``Name``. Part of: https://fedorahosted.org/freeipa/ticket/6398 --- ipapython/dn.py| 43 -- ipatests/test_ipapython/test_dn.py | 23 ++-- 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/ipapython/dn.py b/ipapython/dn.py index 3ee35c6..682e0ca 100644 --- a/ipapython/dn.py +++ b/ipapython/dn.py @@ -422,6 +422,7 @@ import sys import functools +import cryptography.x509 from ldap.dn import str2dn, dn2str from ldap import DECODING_ERROR import six @@ -976,6 +977,8 @@ class DN(object): to yield one or more RDN's which will be appended in order to the DN. The parsing recognizes the DN syntax escaping rules. +* A single ``cryptography.x509.name.Name`` object. + * A RDN object, the RDN will copied respecting the constructors keyword configuration parameters and appended in order. 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value): rdns = [[ava]] elif isinstance(value, RDN): rdns = [value.to_openldap()] +elif isinstance(value, cryptography.x509.name.Name): +rdns = list(reversed([ +[get_ava( +_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string), +ava.value)] +for ava in value +])) else: -raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" % -type(value)) +raise TypeError( +"must be str, unicode, tuple, Name, RDN or DN, got %s instead" +% type(value)) return rdns def _rdns_from_sequence(self, seq): 
@@ -1407,3 +1418,31 @@ def rindex(self, pattern, start=None, end=None): if i == -1: raise ValueError("pattern not found") return i + + +_ATTR_NAME_BY_OID = { +cryptography.x509.oid.NameOID.COMMON_NAME: 'CN', +cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C', +cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L', +cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST', +cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O', +cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU', +cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber', +cryptography.x509.oid.NameOID.SURNAME: 'SN', +cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName', +cryptography.x509.oid.NameOID.TITLE: 'title', +cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier', +cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier', +cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym', +cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC', +cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E', +cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME: +'incorporationCountry', +cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME: +'incorporationLocality', +cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME: +'incorporationState', +cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory', +cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET', +cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID', +} diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py index a96bd33..3ca3b57 100644 --- a/ipatests/test_ipapython/test_dn.py +++ b/ipatests/test_ipapython/test_dn.py @@ -2,6 +2,7 @@ import unittest import pytest +from cryptography import x509 import six from ipapython.dn import DN, RDN, AVA 
@@ -621,7 +622,7 @@ class TestDN(unittest.TestCase): def setUp(self): # ava1 must sort before ava2 self.attr1= 'cn' -self.value1 = 'Bob' +self.value1 = u'Bob' self.str_ava1 = '%s=%s' % (self.attr1, self.value1) self.ava1 = AVA(self.attr1, self.value1) @@ -629,7 +630,7 @@ def setUp(self): self.rdn1 = RDN((self.attr1, self.value1)) self.attr2= 'ou' -self.value2 = 'people' +self.value2 = u'people' self.str_ava2 = '%s=%s' % (self.attr2, self.value2) self.ava2 = AVA(self.attr2,
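Review bot: in the `setUp` hunk of test_dn.py, changing `self.value1`/`self.value2` to unicode literals makes every existing test run with text values, which is what python-cryptography hands back, but on Python 2 it also means no fixture still exercises the byte `str` input that `_rdns_from_value` continues to accept (its `TypeError` still lists `str`); keep one `str` case, or parametrize over both, so the old input type stays covered.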
[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

frasertweedale commented:
"""
I think this change has caused SELinux errors when starting the daemon. (I had to `setenforce 0` to get the installer to complete).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/127#issuecomment-253699714
[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

pspacek commented:
"""
@mbasti-rh, the white-space at the end of the line is required here because the first space at the beginning of the line will be consumed by the LDIF parser.

I agree that root should not be the author of the commit :-)
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253430924
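As an added example (not code from bind-dyndb-ldap or from anyone in this thread), here is the RFC 2849 unfolding rule the comment above relies on, applied to a fragment constructed from the PR#2 doc/schema.ldif hunk: with single-space continuation lines, a missing trailing space glues `caseIgnoreMatch` and `SINGLE-VALUE` into one token, and a small lint catches that before the schema is loaded.

```python
"""LDIF line folding (RFC 2849) and why a trailing space can be significant.

Added example, not code from bind-dyndb-ldap. The schema fragments below are
constructed from the doc/schema.ldif hunk in PR#2: continuation lines start
with exactly one space, so every folded line must end with a space to keep
the next token separate.
"""
import re


def unfold_ldif(text):
    """Join folded LDIF lines into logical lines.

    RFC 2849: a physical line that begins with a single space continues the
    previous line. The parser strips that one space and appends the rest
    verbatim, so nothing separates the two halves unless the text itself does.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # the fold space is consumed here
        else:
            logical.append(raw)
    return logical


_WORD = re.compile(r"\w")


def find_glued_tokens(text):
    """Heuristic lint for token-per-line schema files such as doc/schema.ldif.

    Returns 1-based physical line numbers of continuation lines whose fold
    would fuse a word character at the end of the previous line with a word
    character at the start of this one, i.e. the previous line lost its
    trailing space. A fold in the middle of a long base64 value would also be
    reported, so use it only on files that fold at token boundaries.
    """
    problems = []
    lines = text.splitlines()
    for i in range(1, len(lines)):
        prev, cur = lines[i - 1], lines[i]
        if not cur.startswith(" ") or prev.startswith("#"):
            continue
        rest = cur[1:]
        if prev and rest and _WORD.match(prev[-1]) and _WORD.match(rest[0]):
            problems.append(i + 1)
    return problems


def schema_tokens(text):
    """Whitespace-separated tokens of the first logical line, as a schema
    parser would see them after unfolding."""
    return unfold_ldif(text)[0].split()


# Constructed from the PR#2 hunk. Every folded line ends with a space;
# BROKEN is missing it on the EQUALITY line, FIXED has it.
BROKEN = (
    "attributeTypes: ( 2.16.840.1.113730.3.8.5.31 \n"
    " NAME 'idnsServerId' \n"
    " DESC 'DNS server identifier' \n"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 \n"
    " EQUALITY caseIgnoreMatch\n"
    " SINGLE-VALUE )\n"
)
FIXED = BROKEN.replace(" EQUALITY caseIgnoreMatch\n",
                       " EQUALITY caseIgnoreMatch \n")

if __name__ == "__main__":
    print(unfold_ldif(BROKEN)[0])   # ... EQUALITY caseIgnoreMatchSINGLE-VALUE )
    print(unfold_ldif(FIXED)[0])    # ... EQUALITY caseIgnoreMatch SINGLE-VALUE )
    print("glued lines in BROKEN:", find_glued_tokens(BROKEN))   # [6]
    print("glued lines in FIXED:", find_glued_tokens(FIXED))     # []
```

Running `find_glued_tokens` over the whole schema file in CI would flag exactly the kind of whitespace loss this PR had to fix.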
Re: [Freeipa-devel] links to docs in the messages from code
On 10/13/2016 08:54 AM, Martin Basti wrote:
> On 12.10.2016 19:56, Petr Spacek wrote:
>> Hello FreeIPA developers,
>>
>> looking at the freeipa-users mailing list, a lot of questions could be answered by just a quick glance at the docs.
>>
>> I wonder if we should add links to the HTML version of the docs on access.redhat.com to the messages generated by the code.
>>
>> If we really want, we can make these platform-specific, but I would not even bother with it. Fedora & CentOS & RHEL users end up on the very same page, only the way they find it is different (mailing list vs. Google vs. paid support).
>>
>> Examples:
>>
>> a) Installation without DNS could end up with a message like this:
>> Do not forget to finish post-installation steps listed on
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns
>>
>> b) Failed connection check could print a link to
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
>>
>> c) Failed DNS check could mention the link
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs
>>
>> d) Failed attempt to find AD DC could print a link to:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>>
>> etc.
>>
>> What do you think about this?
>
> I'm afraid that those links can change over time, so we have to check them regularly, otherwise we may end up with links pointing to nowhere.
>
> I'm not too excited about this idea.
>
> Martin^2

I think that we probably could check these links automatically; the only thing which would be necessary is to store these links in some format which can be easily parsed. We could use Emender and modify its TestLinks [1].
This test now consumes .xml files, but it should not be hard to change it to a different format.

[1] https://github.com/emender/emender-fedora/blob/master/test/TestLinks.lua

--
Pavel^3 Vomacka
[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

stutiredboy commented:
"""
So sorry for the root committer, but the white space is needed by the OpenLDAP LDIF parser.

I have fixed the ugly pull request. :-)

Thanks.
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253458793
[Freeipa-devel] [freeipa PR#160][comment] Reverted the essertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the essertion for replica uninstall returncode

martbab commented:
"""
Please mention either the git commit (f7764cda6824a2fe73abe11f6daa28758a185319) that fixed this behavior, or put the link to the closed ticket (https://fedorahosted.org/freeipa/ticket/5725) that addressed this. Everything is recorded in our git history and/or tracking system, so 'apparently addressed' really has no place in our commit messages.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/160#issuecomment-253432003
[Freeipa-devel] [freeipa PR#160][synchronized] Reverted the essertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160 Author: ofayans Title: #160: Reverted the essertion for replica uninstall returncode Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/160/head:pr160 git checkout pr160 From b4259eae202d352ebe548c6c316c0ea534ab959e Mon Sep 17 00:00:00 2001 From: Oleg FayansDate: Thu, 13 Oct 2016 08:46:35 +0200 Subject: [PATCH] Reverted the essertion for replica uninstall returncode As the issue with ipa installer always returning 0 returncode was addressed, the test needs to be made aware of this change. https://fedorahosted.org/freeipa/ticket/5725 --- ipatests/test_integration/test_replica_promotion.py | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 58f0fa5..0e93356 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self): result = self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U'], raiseonerr=False) -# Due to ticket 3230 server installation/uninstallation always returns -# 0 unless an uncaught exception occurs. Once this issue is properly -# addressed, please care to change expected return code in the -# following assert from 0 to something else. assert_error(result, "Removal of '%s' leads to disconnected" - " topology" % self.replicas[0].hostname, 0) + " topology" % self.replicas[0].hostname, 1) self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect']) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
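Review bot: in the `test_replica_uninstallation_prohibited` hunk, the four-line comment explaining why the expected return code was 0 is deleted but nothing explains the new literal `1`; since the commit message says the installer's exit status was fixed under ticket 5725, replace the removed comment with a one-liner (or a named constant) stating that `ipa-server-install --uninstall` now exits 1 when it refuses to disconnect the topology, so the next reader does not have to dig through history the way the old comment asked them to.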
[Freeipa-devel] [freeipa PR#160][comment] Reverted the essertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the essertion for replica uninstall returncode

ofayans commented:
"""
Fair point. Fixed. Should we also update the initial (3230) issue?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/160#issuecomment-253453106
Re: [Freeipa-devel] links to docs in the messages from code
On 12.10.2016 19:56, Petr Spacek wrote:
> Hello FreeIPA developers,
>
> looking at the freeipa-users mailing list, a lot of questions could be answered by just a quick glance at the docs.
>
> I wonder if we should add links to the HTML version of the docs on access.redhat.com to the messages generated by the code.
>
> If we really want, we can make these platform-specific, but I would not even bother with it. Fedora & CentOS & RHEL users end up on the very same page, only the way they find it is different (mailing list vs. Google vs. paid support).
>
> Examples:
>
> a) Installation without DNS could end up with a message like this:
> Do not forget to finish post-installation steps listed on
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns
>
> b) Failed connection check could print a link to
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
>
> c) Failed DNS check could mention the link
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs
>
> d) Failed attempt to find AD DC could print a link to:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>
> etc.
>
> What do you think about this?

I'm afraid that those links can change over time, so we have to check them regularly, otherwise we may end up with links pointing to nowhere.

I'm not too excited about this idea.

Martin^2
[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

mbasti-rh commented:
"""
Hello, I wrote inline comments. Please set the proper author name in the commit (no root please).
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253430426
[Freeipa-devel] [freeipa PR#156][comment] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

pvomacka commented:
"""
Ah, OK, then it works correctly. ACK
"""

See the full comment at https://github.com/freeipa/freeipa/pull/156#issuecomment-253441752
[Freeipa-devel] [freeipa PR#156][+ack] cert: add revocation reason back to cert-find output
URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output
Label: +ack
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires

pspacek commented:
"""
Interestingly, the CI failed with the following errors:

* Module ipatests.test_xmlrpc.test_automount_plugin
ipatests/test_xmlrpc/test_automount_plugin.py:34: [E0401(import-error), ] Unable to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_hbactest_plugin
ipatests/test_xmlrpc/test_hbactest_plugin.py:27: [E0401(import-error), ] Unable to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_pwpolicy_plugin
ipatests/test_xmlrpc/test_pwpolicy_plugin.py:24: [E0401(import-error), ] Unable to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_external_members
ipatests/test_xmlrpc/test_external_members.py:24: [E0401(import-error), ] Unable to import 'nose')

* Module lite-server
lite-server.py:36: [E0401(import-error), ] Unable to import 'paste')
lite-server.py:37: [E0401(import-error), ] Unable to import 'paste.gzipper')
lite-server.py:38: [E0401(import-error), ] Unable to import 'paste.urlmap')

* Module ipa-ods-exporter
daemons/dnssec/ipa-ods-exporter:29: [E0401(import-error), ] Unable to import 'systemd.daemon')
daemons/dnssec/ipa-ods-exporter:30: [E0401(import-error), ] Unable to import 'systemd.journal')

Weren't you too eager in pruning BuildRequires? :-)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-253445874
[Freeipa-devel] [bind-dyndb-ldap PR#2][synchronized] fix ldif syntax and add idnsTemplateAttribute
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2 Author: stutiredboy Title: #2: fix ldif syntax and add idnsTemplateAttribute Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/2/head:pr2 git checkout pr2 From 7a808ffd0126967b56ff16cf2c5d0eb7b43c66d2 Mon Sep 17 00:00:00 2001 From: stutiredboyDate: Thu, 13 Oct 2016 17:05:10 +0800 Subject: [PATCH] add 'idnsTemplateAttribute' and ldif format fix --- doc/schema.ldif | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/schema.ldif b/doc/schema.ldif index 8fdc99f..77c5b0e 100644 --- a/doc/schema.ldif +++ b/doc/schema.ldif @@ -362,9 +362,16 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.31 NAME 'idnsServerId' DESC 'DNS server identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY caseIgnoreMatch + EQUALITY caseIgnoreMatch SINGLE-VALUE ) # +attributeTypes: ( 2.16.840.1.113730.3.8.5.29 + NAME 'idnsTemplateAttribute' + DESC 'Template attribute for dynamic attribute generation' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + X-ORIGIN 'IPA v4.4' ) +# attributeTypes: ( 2.16.840.1.113730.3.8.5.30 NAME 'idnsSubstitutionVariable' DESC 'User defined variable for DNS plugin' @@ -426,6 +433,6 @@ objectClasses: ( 2.16.840.1.113730.3.8.6.6 objectClasses: ( 2.16.840.1.113730.3.8.6.5 NAME 'idnsTemplateObject' DESC 'Template object for dynamic DNS attribute generation' - SUP top + SUP top AUXILIARY MUST ( idnsTemplateAttribute ) ) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
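Review bot: in the idnsServerId hunk the only change is a trailing space after `EQUALITY caseIgnoreMatch`, which is invisible in review and is exactly what editors and whitespace-stripping git hooks remove; since the file depends on it (the single fold space on the next line is consumed by the LDIF parser, as the thread discusses), add a comment at the top of doc/schema.ldif stating that trailing spaces on continued lines are significant, so the next cleanup does not reintroduce the bug.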
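Review bot: in the new idnsTemplateAttribute hunk, the OID 2.16.840.1.113730.3.8.5.29 and `X-ORIGIN 'IPA v4.4'` suggest the definition was copied from FreeIPA's schema; say so in the commit message and confirm that the OID, the syntax (1.3.6.1.4.1.1466.115.121.1.26, IA5 String) and the `caseIgnoreIA5Match` rule are identical to FreeIPA's copy, because `idnsTemplateObject` in the second hunk lists this attribute as MUST and the two schemas have to agree on it.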
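Review bot: in the idnsTemplateObject hunk, appending `AUXILIARY` to `SUP top` changes the class kind from the default STRUCTURAL to AUXILIARY, which is a semantic change (the class can now be attached to existing entries next to their structural class), not only the "ldif format fix" the commit subject describes; call that out explicitly in the commit message.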
[Freeipa-devel] [freeipa PR#160][opened] Reverted the essertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160 Author: ofayans Title: #160: Reverted the essertion for replica uninstall returncode Action: opened PR body: """ As the issue with ipa installer always returning 0 returncode is apparently addressed, the test needs to be made aware of this change. https://fedorahosted.org/freeipa/ticket/3230 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/160/head:pr160 git checkout pr160 From 1b339b81679126c45c2af8887c74df35f89808ed Mon Sep 17 00:00:00 2001 From: Oleg FayansDate: Thu, 13 Oct 2016 08:46:35 +0200 Subject: [PATCH] Reverted the essertion for replica uninstall returncode As the issue with ipa installer always returning 0 returncode is apparently addressed, the test needs to be made aware of this change. https://fedorahosted.org/freeipa/ticket/3230 --- ipatests/test_integration/test_replica_promotion.py | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 58f0fa5..0e93356 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py 
@@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self): result = self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U'], raiseonerr=False) -# Due to ticket 3230 server installation/uninstallation always returns -# 0 unless an uncaught exception occurs. Once this issue is properly -# addressed, please care to change expected return code in the -# following assert from 0 to something else. assert_error(result, "Removal of '%s' leads to disconnected" - " topology" % self.replicas[0].hostname, 0) + " topology" % self.replicas[0].hostname, 1) self.replicas[0].run_command(['ipa-server-install', '--uninstall', '-U', '--ignore-topology-disconnect'])
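Review bot: the expected return code in the assert_error call changes from 0 to 1 and the four-line comment explaining the old value is deleted without a replacement; keep a one-line comment tying the 1 to ticket 3230 being fixed, and confirm that ipa-server-install --uninstall exits with status 1 specifically for the disconnected-topology refusal rather than some other non-zero code, otherwise the test will start failing for the wrong reason.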
Re: [Freeipa-devel] links to docs in the messages from code
On 13.10.2016 08:54, Martin Basti wrote:
>
>
> On 12.10.2016 19:56, Petr Spacek wrote:
>> Hello FreeIPA developers,
>>
>> looking at the freeipa-users mailing list, a lot of questions could be
>> answered by just a quick glance at the docs.
>>
>> I wonder if we should add links to the HTML version of the docs on
>> access.redhat.com to the messages generated by the code.
>>
>> If we really want, we can make these platform-specific, but I would not even
>> bother with it. Fedora & CentOS & RHEL users end up on the very same page,
>> only the way they find it is different (mailing list vs. Google vs. paid
>> support).
>>
>>
>> Examples:
>>
>> a) Installation without DNS could end up with a message like this:
>> Do not forget to finish post-installation steps listed on
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns
>>
>> b) Failed connection check could print a link to
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
>>
>> c) Failed DNS check could mention a link
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs
>>
>> d) Failed attempt to find AD DC could print a link to:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>>
>> etc.
>>
>> What do you think about this?
>>
>
> I'm afraid that those links can change over time, so we have to check them
> regularly, otherwise we may end up with links pointing to nowhere.

This check can be easily automated. AFAIK the docs team already has tools like this.

> I'm not excited too much with this idea.

Okay then.

I'm open to any other idea to alleviate the problem with ever-repeating questions on the freeipa-users list. Do you have one?

-- 
Petr^2 Spacek
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159 Title: #159: spec file: clean up BuildRequires mbasti-rh commented: """ Please update BUILD.txt with how to run pylint with build, probably freeipa.org should be updated as well """ See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-253483810
[Freeipa-devel] [freeipa PR#159][synchronized] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159 Author: jcholast Title: #159: spec file: clean up BuildRequires Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/159/head:pr159 git checkout pr159 From 506b3e9324bf0497162405594f8bc316b723f7ad Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 12 Oct 2016 13:20:32 +0200 Subject: [PATCH 1/7] spec file: clean up BuildRequires Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose, python-paste, python-sssdconfig and systemd-python BuildRequires. Remove unused custodia, java-headless, m4, policycoreutils, python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires. Correct versioned BuildRequires and provide explanatory comments. --- freeipa.spec.in | 125 +--- 1 file changed, 75 insertions(+), 50 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e5e1292..c44929b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in
@@ -43,82 +43,107 @@ URL:http://www.freeipa.org/ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -%if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.5.6 -BuildRequires: svrcore-devel -BuildRequires: policycoreutils >= 2.1.12-5 -BuildRequires: systemd-units -BuildRequires: samba-devel >= %{samba_version} -BuildRequires: samba-python -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -%endif # ONLY_CLIENT -BuildRequires: nspr-devel -BuildRequires: nss-devel -BuildRequires: openssl-devel BuildRequires: openldap-devel -BuildRequires: krb5-devel >= 1.13 -BuildRequires: krb5-workstation -BuildRequires: libuuid-devel -BuildRequires: libcurl-devel >= 7.21.7-2 +# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) +BuildRequires: krb5-devel >= 1.12 +BuildRequires: libcurl-devel +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel BuildRequires: autoconf BuildRequires: automake -BuildRequires: m4 BuildRequires: libtool BuildRequires: gettext BuildRequires: python-devel +%if 0%{?with_python3} +BuildRequires: python3-devel +%endif # with_python3 +# %{_unitdir}, %{_tmpfilesdir} +BuildRequires: systemd +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! 
%{ONLY_CLIENT} +# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005) +BuildRequires: 389-ds-base-devel >= 1.3.3.9 +BuildRequires: svrcore-devel +%if 0%{?rhel} +BuildRequires: samba-devel >= 4.0.0 +%else +BuildRequires: samba-devel >= 2:4.0.0 +%endif +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openssl-devel +BuildRequires: libuuid-devel BuildRequires: python-ldap -BuildRequires: python-setuptools -BuildRequires: python-nss -BuildRequires: python-cryptography >= 0.9 BuildRequires: python-netaddr -BuildRequires: python-gssapi >= 1.1.2 -BuildRequires: python-rhsm -BuildRequires: pyOpenSSL -BuildRequires: pylint >= 1.0 -# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 -BuildRequires: python2-polib -BuildRequires: python-libipa_hbac -BuildRequires: python-memcached -BuildRequires: python-lxml -BuildRequires: python-pyasn1 >= 0.0.9a -BuildRequires: python-qrcode-core >= 5.0.0 -BuildRequires: python-dns >= 1.11.1 +BuildRequires: python-gssapi +BuildRequires: python-dns BuildRequires: libsss_idmap-devel +# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897) BuildRequires: libsss_nss_idmap-devel >= 1.14.0 -BuildRequires: java-headless -BuildRequires: jsl BuildRequires: rhino BuildRequires: libverto-devel -BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy -BuildRequires: python-yubico >= 1.2.3 -BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.3-3 -BuildRequires: python-pytest-multihost >= 0.5 -BuildRequires: python-pytest-sourceorder -BuildRequires: python-kdcproxy >= 0.3 BuildRequires: python-six -BuildRequires: python-jwcrypto -BuildRequires: custodia -BuildRequires: libini_config-devel >= 1.2.0 +BuildRequires: python-netifaces +%endif # ONLY_CLIENT + +# +# Build dependencies for makeapi/makeaci +# +BuildRequires: krb5-workstation +BuildRequires: python-setuptools +BuildRequires: 
python-nss +# 0.6: serialization.load_pem_private_key, load_pem_public_key +BuildRequires: python-cryptography >= 0.6 +BuildRequires: python-libipa_hbac +BuildRequires: python-memcached +BuildRequires: python-lxml +BuildRequires: python-pyasn1 +# pki Python package +BuildRequires: pki-base BuildRequires: dbus-python -BuildRequires: python-netifaces >= 0.10.4 BuildRequires: python-libsss_nss_idmap +BuildRequires:
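Review bot: the hunk drops BuildRequires on pylint >= 1.0, python-pytest-multihost, python-pytest-sourceorder, python2-polib (together with its bugzilla 1096506 workaround comment), python-jwcrypto, python-yubico and python-qrcode-core, none of which are in the commit message's list of removed packages (custodia, java-headless, m4, policycoreutils, python-kdcproxy, python-rhsm, pyOpenSSL, systemd-units); since the visible part of the hunk is cut off at the final `+BuildRequires:`, state in the message whether these move to a later patch of the 7-patch series or are intentionally gone, because losing pylint as a build dependency changes how lint runs at build time (the earlier comment on this PR already asks for BUILD.txt to document that). Separately, `BuildRequires: samba-devel >= %{samba_version}` becomes hard-coded `4.0.0` / `2:4.0.0` under a `%if 0%{?rhel}` conditional: if the samba_version macro is still defined elsewhere in the spec it is now dead, and the epoch difference deserves an explanatory comment like the other versioned entries got.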
[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127 Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension mbasti-rh commented: """ Hello @tjaalton, I cannot apply second commit, it needs rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/127#issuecomment-253487937
Re: [Freeipa-devel] FleetCommander integration
On Tue, Sep 06, 2016 at 01:18:14PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
> FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
>
> You can read the design page:
> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki

Hi Alexander,

if I understand it correctly each profile has a priority which is used by
FleetCommander on the client side to order the different profiles if for a
given user and host multiple rules match. To make this work smoothly each
priority value should be only assigned once to avoid a tie. Are you planning
to use the uniqueness plugin on the priority value or are there other ways to
solve ties reliably in FleetCommander?

bye,
Sumit

>
> The design was mostly figured out in discussions with Alberto, Fabiano,
> Nathaniel, and Jakub, so we are more or less on the common ground here
> between SSSD and FleetCommander. You can send pull requests to me on
> github to update the design. ;)
>
> You can cut a tarball using
> git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
> --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
> freeipa-desktop-profile-0.0.1
>
> And then build the package with
> rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz
>
> When installed, the package does not run ipa-server-upgrade by itself,
> yet. So you need to run ipa-server-upgrade manually. Once run,
> deskprofile/deskprofilerule topics would become available and can be
> used for testing purposes. For Fedora 24 one can use FreeIPA 4.4.1 from
> COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.
>
> UI plugin is not ready yet and is disabled in the spec file as it breaks
> loading the whole UI.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-devel] FleetCommander integration
On Thu, 13 Oct 2016, Sumit Bose wrote:
> On Tue, Sep 06, 2016 at 01:18:14PM +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
>> FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
>>
>> You can read the design page:
>> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>
> Hi Alexander,
>
> if I understand it correctly each profile has a priority which is used by
> FleetCommander on the client side to order the different profiles if for a
> given user and host multiple rules match. To make this work smoothly each
> priority value should be only assigned once to avoid a tie. Are you planning
> to use the uniqueness plugin on the priority value or are there other ways to
> solve ties reliably in FleetCommander?

I'm not planning to make priorities unique. Do we really need that?

My idea was to make sure we provide clear sorting logic: the profilename.json file name is built using the profile RDN and is prefixed by the priority of the profile rule using leading zeros. To ease handling of the files, SSSD may transform the RDN value by removing certain characters used by the shell for globbing purposes and by replacing spaces with underscores.

Since the name of the file is only used to ensure ordering of the profiles when merging them, a lexicographical sort of names should be enough.

Example: For a profile rule 'Minimal Desktop For Guests' stored as cn=Minimal desktop for guests,cn=rules,cn=desktop-profile,$SUFFIX with a priority 100, SSSD would use the file name '000100_Minimal_desktop_for_guests.json'.

Given that you would not be able to have the exact same RDN value in two different profiles, using a lexicographical sort gives you an explicit ordering scheme.

-- 
/ Alexander Bokovoy
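The file-naming scheme described in the reply above, as an added example that is not code from the freeipa-desktop-profile project or from SSSD: a zero-padded priority prefix, shell glob characters stripped from the RDN value, spaces replaced with underscores, then a plain lexicographic sort. The six-digit width and the exact set of stripped characters are assumptions taken from the '000100_...' example, and the DN splitting is a simplification that ignores escaped commas.

```python
# Assumptions (the design only gives the '000100_...' example):
PRIORITY_WIDTH = 6                  # zero-padded digits in the filename prefix
GLOB_CHARS = frozenset('*?[]{}')    # shell globbing characters to strip


def sanitize_rdn_value(value):
    """Strip shell glob characters and turn spaces into underscores."""
    cleaned = ''.join(ch for ch in value if ch not in GLOB_CHARS)
    return cleaned.replace(' ', '_')


def rdn_value(dn):
    """Return the value of the first RDN of a DN such as
    cn=Minimal desktop for guests,cn=rules,cn=desktop-profile,$SUFFIX.
    Simplification: a comma escaped inside the RDN value is not handled."""
    first_rdn = dn.split(',', 1)[0]
    attr, sep, value = first_rdn.partition('=')
    if not sep or not attr.strip():
        raise ValueError('not an attribute=value RDN: %r' % first_rdn)
    return value


def profile_filename(dn, priority, width=PRIORITY_WIDTH):
    """Build '<priority padded to width>_<sanitized rdn>.json'.
    width=0 produces the unpadded form, used below to show why padding matters."""
    if priority < 0 or (width and priority >= 10 ** width):
        raise ValueError('priority %d does not fit in %d digits' % (priority, width))
    return '%0*d_%s.json' % (width, priority, sanitize_rdn_value(rdn_value(dn)))


def merge_order(rules, width=PRIORITY_WIDTH):
    """Order in which a client would merge the profiles: a plain lexicographic
    sort of the generated file names, exactly as the design proposes.
    rules is an iterable of (dn, priority) pairs."""
    return sorted(profile_filename(dn, prio, width) for dn, prio in rules)


# Constructed sample rules: two share priority 100 (the tie case raised in
# the thread, resolved by the RDN), one has priority 99.
SUFFIX = 'dc=example,dc=test'
RULES = [
    ('cn=Minimal desktop for guests,cn=rules,cn=desktop-profile,' + SUFFIX, 100),
    ('cn=Developers [beta],cn=rules,cn=desktop-profile,' + SUFFIX, 100),
    ('cn=Kiosk,cn=rules,cn=desktop-profile,' + SUFFIX, 99),
]

if __name__ == '__main__':
    for name in merge_order(RULES):
        print(name)
    # Without the zero padding the sort is wrong: '100_...' sorts before '99_...'.
    print(merge_order(RULES, width=0))
```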
[Freeipa-devel] [freeipa PR#160][edited] Reverted the assertion for replica uninstall returncode
URL: https://github.com/freeipa/freeipa/pull/160 Author: ofayans Title: #160: Reverted the assertion for replica uninstall returncode Action: edited Changed field: title Original value: """ Reverted the essertion for replica uninstall returncode """
[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 From 219aadd8aede7c0a06a59d62804ad3d55382910f Mon Sep 17 00:00:00 2001 From: Timo AaltonenDate: Fri, 30 Sep 2016 01:00:02 +0300 Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa This is more consistent with the other daemons. --- daemons/ipa-otpd/Makefile.am | 3 ++- daemons/ipa-otpd/ipa-o...@.service.in | 2 +- freeipa.spec.in | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..d2e1679 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h -libexec_PROGRAMS = ipa-otpd +appdir = $(libexecdir)/ipa/ +app_PROGRAMS = ipa-otpd dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in index b85d5a1..92afb40 100644 --- a/daemons/ipa-otpd/ipa-o...@.service.in +++ b/daemons/ipa-otpd/ipa-o...@.service.in @@ -3,7 +3,7 @@ Description=ipa-otpd service [Service] EnvironmentFile=@sysconfdir@/ipa/default.conf -ExecStart=@libexecdir@/ipa-otpd $ldap_uri +ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri StandardInput=socket StandardOutput=socket StandardError=syslog diff --git a/freeipa.spec.in b/freeipa.spec.in index e5e1292..260d58c 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1058,13 +1058,13 @@ fi %{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf From 0231023bd028a8ba1bce74aeb0ebbf8d22790b3b Mon Sep 17 00:00:00 2001 
From: Timo Aaltonen Date: Tue, 29 Mar 2016 21:33:15 +0300 Subject: [PATCH 2/2] Purge obsolete firefox extension --- freeipa.spec.in| 12 -- install/Makefile.am| 1 - install/configure.ac | 5 - install/ffextension/Makefile.am| 23 --- install/ffextension/bootstrap.js | 88 - install/ffextension/chrome.manifest| 4 - install/ffextension/chrome/Makefile.am | 19 -- install/ffextension/chrome/content/Makefile.am | 17 -- install/ffextension/chrome/content/kerberosauth.js | 197 - .../chrome/content/kerberosauth_overlay.xul| 9 - install/ffextension/install.rdf| 26 --- install/ffextension/locale/Makefile.am | 19 -- install/ffextension/locale/en-US/Makefile.am | 16 -- .../locale/en-US/kerberosauth.properties | 4 - install/share/Makefile.am | 1 - install/share/krb.js.template | 2 - ipaplatform/base/paths.py | 4 - ipaserver/install/httpinstance.py | 42 + ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py| 11 -- 20 files changed, 2 insertions(+), 502 deletions(-) delete mode 100644 install/ffextension/Makefile.am delete mode 100644 install/ffextension/bootstrap.js delete mode 100644 install/ffextension/chrome.manifest delete mode 100644 install/ffextension/chrome/Makefile.am delete mode 100644 install/ffextension/chrome/content/Makefile.am delete mode 100644 install/ffextension/chrome/content/kerberosauth.js delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul delete mode 100644 install/ffextension/install.rdf delete mode 100644 install/ffextension/locale/Makefile.am delete mode 100644 install/ffextension/locale/en-US/Makefile.am delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties delete mode 100644 install/share/krb.js.template diff --git a/freeipa.spec.in b/freeipa.spec.in index 260d58c..49e20f6 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.5-6 Requires: pki-kra >= 10.3.5-6 Requires(preun): python systemd-units
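Review bot: in the Makefile.am hunk of the first patch, `appdir = $(libexecdir)/ipa/` carries a trailing slash that produces doubled slashes in the install path; drop it. Since the binary moves from %{_libexecdir}/ipa-otpd to %{_libexecdir}/ipa/ipa-otpd (service file and spec %files hunks agree), check that the SELinux policy labelling ipa-otpd does not key on the old location, otherwise the socket-activated daemon may start with the wrong context after upgrade.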
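Review bot: for the second patch only the diffstat and the start of the first spec hunk are visible here, but the stat shows 11 lines removed from ipaserver/install/server/upgrade.py; if that is the upgrade step that removed the extension files from already-installed servers, existing deployments will keep the obsolete ffextension files after this change, so confirm that an upgrade step still cleans them up before purging the code that did it.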
[Freeipa-devel] [freeipa PR#159][synchronized] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159 Author: jcholast Title: #159: spec file: clean up BuildRequires Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/159/head:pr159 git checkout pr159 From 506b3e9324bf0497162405594f8bc316b723f7ad Mon Sep 17 00:00:00 2001 From: Jan CholastaDate: Wed, 12 Oct 2016 13:20:32 +0200 Subject: [PATCH 1/7] spec file: clean up BuildRequires Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose, python-paste, python-sssdconfig and systemd-python BuildRequires. Remove unused custodia, java-headless, m4, policycoreutils, python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires. Correct versioned BuildRequires and provide explanatory comments. --- freeipa.spec.in | 125 +--- 1 file changed, 75 insertions(+), 50 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index e5e1292..c44929b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -43,82 +43,107 @@ URL:http://www.freeipa.org/ Source0:freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -%if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.5.6 -BuildRequires: svrcore-devel -BuildRequires: policycoreutils >= 2.1.12-5 -BuildRequires: systemd-units -BuildRequires: samba-devel >= %{samba_version} -BuildRequires: samba-python -BuildRequires: libtalloc-devel -BuildRequires: libtevent-devel -%endif # ONLY_CLIENT -BuildRequires: nspr-devel -BuildRequires: nss-devel -BuildRequires: openssl-devel BuildRequires: openldap-devel -BuildRequires: krb5-devel >= 1.13 -BuildRequires: krb5-workstation -BuildRequires: libuuid-devel -BuildRequires: libcurl-devel >= 7.21.7-2 +# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) +BuildRequires: krb5-devel >= 1.12 +BuildRequires: libcurl-devel +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel BuildRequires: autoconf BuildRequires: automake -BuildRequires: m4 BuildRequires: libtool BuildRequires: gettext BuildRequires: python-devel +%if 0%{?with_python3} +BuildRequires: python3-devel +%endif # with_python3 +# %{_unitdir}, %{_tmpfilesdir} +BuildRequires: systemd +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! 
%{ONLY_CLIENT} +# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005) +BuildRequires: 389-ds-base-devel >= 1.3.3.9 +BuildRequires: svrcore-devel +%if 0%{?rhel} +BuildRequires: samba-devel >= 4.0.0 +%else +BuildRequires: samba-devel >= 2:4.0.0 +%endif +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openssl-devel +BuildRequires: libuuid-devel BuildRequires: python-ldap -BuildRequires: python-setuptools -BuildRequires: python-nss -BuildRequires: python-cryptography >= 0.9 BuildRequires: python-netaddr -BuildRequires: python-gssapi >= 1.1.2 -BuildRequires: python-rhsm -BuildRequires: pyOpenSSL -BuildRequires: pylint >= 1.0 -# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506 -BuildRequires: python2-polib -BuildRequires: python-libipa_hbac -BuildRequires: python-memcached -BuildRequires: python-lxml -BuildRequires: python-pyasn1 >= 0.0.9a -BuildRequires: python-qrcode-core >= 5.0.0 -BuildRequires: python-dns >= 1.11.1 +BuildRequires: python-gssapi +BuildRequires: python-dns BuildRequires: libsss_idmap-devel +# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897) BuildRequires: libsss_nss_idmap-devel >= 1.14.0 -BuildRequires: java-headless -BuildRequires: jsl BuildRequires: rhino BuildRequires: libverto-devel -BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: python-lesscpy -BuildRequires: python-yubico >= 1.2.3 -BuildRequires: openssl-devel -BuildRequires: pki-base >= 10.3.3-3 -BuildRequires: python-pytest-multihost >= 0.5 -BuildRequires: python-pytest-sourceorder -BuildRequires: python-kdcproxy >= 0.3 BuildRequires: python-six -BuildRequires: python-jwcrypto -BuildRequires: custodia -BuildRequires: libini_config-devel >= 1.2.0 +BuildRequires: python-netifaces +%endif # ONLY_CLIENT + +# +# Build dependencies for makeapi/makeaci +# +BuildRequires: krb5-workstation +BuildRequires: python-setuptools +BuildRequires: 
python-nss +# 0.6: serialization.load_pem_private_key, load_pem_public_key +BuildRequires: python-cryptography >= 0.6 +BuildRequires: python-libipa_hbac +BuildRequires: python-memcached +BuildRequires: python-lxml +BuildRequires: python-pyasn1 +# pki Python package +BuildRequires: pki-base BuildRequires: dbus-python -BuildRequires: python-netifaces >= 0.10.4 BuildRequires: python-libsss_nss_idmap +BuildRequires:
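Review bot: several minimum versions in this hunk are lowered or dropped without the review context to justify it: 389-ds-base-devel goes from >= 1.3.5.6 to >= 1.3.3.9, krb5-devel from >= 1.13 to >= 1.12, python-cryptography from >= 0.9 to >= 0.6, pki-base loses its >= 10.3.3-3, and libcurl-devel, python-gssapi, python-dns, python-netifaces, python-pyasn1 and libini_config-devel lose their bounds entirely. The new "feature: ticket" comments (e.g. "+# 1.12: libkrad", "+# 0.6: serialization.load_pem_private_key, load_pem_public_key") document what sets the new floor, which is a good convention, but the previous higher floors presumably encoded a requirement too; please confirm in the PR description that each build only needs the documented feature and that the runtime Requires (not visible in this hunk) still carry the higher versions where they are needed. The "%{samba_version}" macro is also replaced by hard-coded "4.0.0" / "2:4.0.0" values under "%if 0%{?rhel}"; if the Requires section still uses the macro, keep the two in sync or keep the macro here as well.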
[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires
URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires
jcholast commented:
"""
@pspacek, @mbasti-rh, fixed.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/159#issuecomment-253491282
[Freeipa-devel] [freeipa PR#126][comment] Fix ipa migrate-ds when it finds a search reference
URL: https://github.com/freeipa/freeipa/pull/126
Title: #126: Fix ipa migrate-ds when it finds a search reference
mbasti-rh commented:
"""
Hello, LGTM but PR needs rebase
"""
See the full comment at https://github.com/freeipa/freeipa/pull/126#issuecomment-253491876
Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964
Hi Martin,

Thanks for the review. With disabling directory server it works as well, thanks for the hint. Also I moved the cleanup logic to the test itself for the sake of simplicity. Patch-0048 was not changed.

On 10/12/2016 02:35 PM, Martin Basti wrote:

1) Can you just turn off dirsrv on replica instead of doing iptables magic?

2) NACK
No more eval() ever in code, use 'getattr', 'get' or whatever in the object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how this feature works. When we uninstall the replica, the master cleans the replication agreements with this replica and automatically cleans all replica's RUVs. If we clean replica's RUVs on master without uninstalling the replica, the replica's RUVs get recreated on master (replication works!). So, the only way to test the clean-ruv subcommand is to turn off the replica, or block the traffic on it so it gets inaccessible to updates from master.

The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs
[2] http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand

On 08/05/2016 06:36 PM, Martin Basti wrote:
On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:
On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:
On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before 4.4 release? They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:

IIUC, this will turn off the machine completely, how is cleanup done then. AFAIK our tests cannot turn on machine again and run cleanup, so you will not be able to run more tests on the same topology without manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'

Agreed! Fixed.

Martin^2

*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?

Removed, it was left from the old "poweroff" approach

2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive IndexError here replica_ruvs[0]. IMO it deserves assert before

Implemented the assert which checks that the output contains enough replica RUVs

3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not connect to replica ', or something similar, instead of listing/cleaning/whatever operation was executed. I think that it should be more specific regexp than just finding a replica name substring (Yes, in IPA we don't always print errors to stderr). I'm not sure, but probably there might be cases when non-critical errors happen and exit status is still 0

Agree. Implemented a regex-based search

4)
+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.

Gone

*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters)

Fixed

2) I don't like doing assert just with count of occurrences of substring in STDOUT, would be possible to improve this somehow?

Maybe, but frankly, I don't see how. In this case we are making sure that both simple and CA-specific RUVs of a replica are displayed. The format of the output is strict:

Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id

If we do not see 2 occurrences of the replica hostname then definitely something went wrong
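One way to act on the review points above (a specific pattern instead of a substring match, and an assertion on which sections list the replica rather than on an occurrence count): parse the list-ruv output format quoted in the thread into a structure the test can query. This is an added example, not code from the patches under review; SAMPLE_OUTPUT is constructed in that format with made-up hostnames and RUV ids.

```python
import re

# Constructed sample in the format quoted in the thread; hostnames and ids are made up.
SAMPLE_OUTPUT = """\
Replica Update Vectors:
  replica1.example.test:389: 4
  replica2.example.test:389: 7
Certificate Server Replica Update Vectors:
  replica1.example.test:389: 91
  replica2.example.test:389: 96
"""

# A section header ends with a colon; an entry is "<host>:389: <numeric RUV id>".
SECTION_RE = re.compile(r'^(?P<section>(?:Certificate Server )?Replica Update Vectors):\s*$')
ENTRY_RE = re.compile(r'^\s*(?P<host>[^\s:]+):389:\s+(?P<ruv>\d+)\s*$')

PLAIN = 'Replica Update Vectors'
CA = 'Certificate Server Replica Update Vectors'


def parse_list_ruv(text):
    """Return {section: {hostname: ruv_id}} from list-ruv style output.

    Lines matching neither pattern (warnings such as 'could not connect to
    replica ...', blank lines) are ignored instead of being counted as hits,
    which a plain substring check cannot distinguish.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group('section')
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current][m.group('host')] = int(m.group('ruv'))
    return sections


def replica_ruvs(text, hostname):
    """RUV id of one replica per section; None where a section does not list it."""
    parsed = parse_list_ruv(text)
    return {section: entries.get(hostname) for section, entries in parsed.items()}


def listed_in_both(text, hostname):
    """True only if the replica has a numeric RUV id in both the plain and the CA section."""
    ruvs = replica_ruvs(text, hostname)
    return all(ruvs.get(section) is not None for section in (PLAIN, CA))
```

With this, the clean-ruv test can assert `listed_in_both(result.stdout_text, replica.hostname)` before the cleanup and `not listed_in_both(...)` after it, and `replica_ruvs()[PLAIN]` gives the id to pass to clean-ruv without the IndexError noted in point 2.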