[Freeipa-devel] [freeipa PR#161][opened] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/161
Author: mbasti-rh
 Title: #161: CI: workaround: wait for dogtag before replica-prepare
Action: opened

PR body:
"""
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.

https://fedorahosted.org/freeipa/ticket/6274
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/161/head:pr161
git checkout pr161
From e2c870121db5b3569f344a8079ddf9c6700f44a4 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 13 Oct 2016 17:12:23 +0200
Subject: [PATCH] CI: workaround: wait for dogtag before replica-prepare

In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.

https://fedorahosted.org/freeipa/ticket/6274
---
 ipatests/test_integration/tasks.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7c96227..0b460b9 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -370,6 +370,9 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 args.extend(extra_args)
 
 if domain_level == DOMAIN_LEVEL_0:
+# workaround #6274 - remove when fixed
+time.sleep(30)  # wait until dogtag wakes up
+
 # prepare the replica file on master and put it to replica, AKA "old way"
 replica_prepare(master, replica)
 replica_filename = get_replica_filename(replica)
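Review bot: a fixed `time.sleep(30)` only narrows the race it works around; on a slower CI box dogtag may still not be up after 30 s and `ipa-replica-prepare` fails exactly as before, while on a fast box every domain-level-0 replica install pays the full delay. Prefer polling with a bounded timeout (retry a cheap request against the CA until it answers, then proceed; fail with a clear message when the deadline passes), which is also the shape the real fix for #6274 will need. The `# workaround #6274 - remove when fixed` comment is the right way to mark it; also confirm `time` is already imported in tasks.py, since the hunk adds the call but no import.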
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-13 Thread Martin Basti

I think that you forgot to squash commits. Patch 47 doesn't apply


On 13.10.2016 14:01, Oleg Fayans wrote:

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of 
simplicity. Patch-0048 was not changed


On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
does this feature work. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs

[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand
On 08/05/2016 06:36 PM, Martin Basti wrote:



On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:



On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:



On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
4.4 release? They cover a good part of the Managed Topology 4.4 feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:

IIUC, this will turn off the machine completely, how is cleanup done
then. AFAIK our tests cannot turn on machine again and run cleanup, so
you will not be able to run more tests on the same topology without
manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2






*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach




2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % 
replica.hostname)

+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
IndexError here replica_ruvs[0]. IMO it deserves assert before


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just error 'could not
connect to replica ', or something similar, instead of
listing/cleaning/whatever operation was executed. I think that it should
be more specific regexp than just finding a replica name substring (Yes,
in IPA we don't always print error to stderr)

I'm not sure, but probably there might be cases when non critical error
happen and exit status is still 0


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone




  *   Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2
blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too
long
(85 > 79 characters)


Fixed




2)
I don't like doing assert just with count of occurrences of substring in
STDOUT, would be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: 
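As an added example (not code from patches 0047/0048 or from FreeIPA), here is the regex-based parsing the review points 2 and 3 above ask for, run over a constructed `list-ruv` sample in the layout quoted at the end of the message, together with an eval()-free host lookup for the NACKed `eval("args[0].%s" % host)` line. The hostnames, RUV ids, the warning line, the `_Topology` stand-in class and the `master`/`replicas[N]` host-spec syntax are assumptions made for the example.

```python
import re

# Constructed sample of `ipa-replica-manage list-ruv` output in the layout described above.
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tmaster.ipa.test:389: 4
\treplica1.ipa.test:389: 6
\treplica2.ipa.test:389: 7
Certificate Server Replica Update Vectors:
\tmaster.ipa.test:389: 91
\treplica1.ipa.test:389: 96
"""

# Constructed output after clean-ruv: the replica is gone from both sections, but its
# hostname still appears in a diagnostic line, which a plain substring check would miss.
SAMPLE_AFTER_CLEAN = """\
Replica Update Vectors:
\tmaster.ipa.test:389: 4
\treplica2.ipa.test:389: 7
Certificate Server Replica Update Vectors:
\tmaster.ipa.test:389: 91
Warning: could not connect to replica1.ipa.test
"""

_SECTIONS = {
    "Replica Update Vectors": "ruv",
    "Certificate Server Replica Update Vectors": "ca_ruv",
}
_SECTION_RE = re.compile(
    r"^(Replica Update Vectors|Certificate Server Replica Update Vectors):\s*$")
_RUV_RE = re.compile(r"^\s*(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+):\s*(?P<ruv>\d+)\s*$")


def parse_list_ruv(text):
    """Parse list-ruv output into {'ruv': {host: [ids]}, 'ca_ruv': {...}, 'other': [lines]}."""
    parsed = {"ruv": {}, "ca_ruv": {}, "other": []}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = _SECTIONS[m.group(1)]
            continue
        m = _RUV_RE.match(line)
        if m and section:
            parsed[section].setdefault(m.group("host"), []).append(int(m.group("ruv")))
        else:
            parsed["other"].append(line.strip())  # warnings, errors, anything unexpected
    return parsed


def replica_ruv_ids(parsed, hostname):
    """Return (ruv_ids, ca_ruv_ids) for hostname, failing with a message instead of IndexError."""
    ruv_ids = parsed["ruv"].get(hostname, [])
    ca_ruv_ids = parsed["ca_ruv"].get(hostname, [])
    if not ruv_ids:
        raise AssertionError("no RUV listed for %s; unexpected lines: %r"
                             % (hostname, parsed["other"]))
    return ruv_ids, ca_ruv_ids


def host_has_ruv(parsed, hostname):
    """True only if hostname owns an RUV entry; a mention in an error line does not count."""
    return hostname in parsed["ruv"] or hostname in parsed["ca_ruv"]


class _Topology(object):
    """Stand-in for the integration test object holding master/replicas (constructed)."""

    def __init__(self, master, replicas):
        self.master = master
        self.replicas = replicas


SAMPLE_TOPOLOGY = _Topology("master.ipa.test", ["replica1.ipa.test", "replica2.ipa.test"])
_HOST_SPEC_RE = re.compile(r"^(?P<attr>[A-Za-z_]\w*)(?:\[(?P<idx>\d+)\])?$")


def resolve_host(topology, spec):
    """eval()-free replacement for eval('args[0].%s' % host): accepts 'master' or 'replicas[1]'."""
    m = _HOST_SPEC_RE.match(spec)
    if not m:
        raise ValueError("bad host spec: %r" % spec)
    value = getattr(topology, m.group("attr"))
    if m.group("idx") is not None:
        value = value[int(m.group("idx"))]
    return value
```

The check a test should make after `clean-ruv` is `not host_has_ruv(parse_list_ruv(out), replica.hostname)`, not `replica.hostname not in out`: the second form is defeated by any diagnostic that names the host, which is exactly the "could not connect to replica" case raised above.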

Re: [Freeipa-devel] [Design Review Request] V4/Automatic_Certificate_Request_Generation

2016-10-13 Thread Ben Lipton
Thank you, this was a really helpful clarification of your point. 
Comments below. Once again, I'm sorry I missed the email for so long.


Ben

On 09/05/2016 06:52 AM, Jan Cholasta wrote:

On 27.8.2016 22:40, Ben Lipton wrote:

On 08/25/2016 04:11 PM, Rob Crittenden wrote:

Ben Lipton wrote:

On 08/23/2016 03:54 AM, Jan Cholasta wrote:

On 8.8.2016 22:23, Ben Lipton wrote:

On 07/25/2016 07:45 AM, Jan Cholasta wrote:

On 25.7.2016 13:11, Alexander Bokovoy wrote:

On Mon, 25 Jul 2016, Jan Cholasta wrote:

On 20.7.2016 16:05, Ben Lipton wrote:

Hi,

Thanks very much for the feedback! Some responses below; I hope you'll
let me know what you think of my reasoning.


On 07/20/2016 04:20 AM, Jan Cholasta wrote:

Hi,

On 17.6.2016 00:06, Ben Lipton wrote:

On 06/14/2016 08:27 AM, Ben Lipton wrote:

Hello all,

I have written up a design proposal for making certificate requests
easier to generate when using alternate certificate profiles:
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation.
The use case for this is described in
https://fedorahosted.org/freeipa/ticket/4899. I will be working on
implementing this design over the next couple of months. If you have
the time and interest, please take a look and share any comments or
concerns that you have.

Thanks!

Ben

Just a quick update to say that I've created a new document that covers
the proposed schema additions in a more descriptive way (with diagrams!)
I'm very new to developing with LDAP, so some more experienced eyes on
the proposal would be very helpful, even if you don't have time to
absorb the full design. Please take a look at
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Schema
if you have a chance.


I finally had a chance to take a look at this, here are some comments:

1) I don't like how transformation rules are tied to a particular
helper and have to be duplicated for each of them. They should be
generic and work with any helper, as helpers are just an
implementation detail and their resulting data is the same.

In fact, I think I would prefer if the CSR was generated using
python-cryptography's CertificateSigningRequestBuilder [1] rather than
openssl or certutil or any other command line tool.


There are lots of tools that users might want to use to manage their
private keys, so I don't know if we can assume that whatever library we
prefer will actually be able to access the private key to sign a CSR,
which is why I thought it would be useful to support more than one.


python-cryptography has the notion of backends, which allow it to
support multiple crypto implementations. Upstream it currently
supports only OpenSSL [2], but some work has been done on PKCS#11
backend [3], which provides support for HSMs and soft-tokens (like NSS
databases).

Alternatively, for NSS databases (and other "simple" cases), you can
generate the private key with python-cryptography using the default
backend, export it to a file and import the file to the target
database, so you don't actually need the PKCS#11 backend for them.

So, the only thing that's currently lacking is HSM support, but given
that we don't support HSMs in IPA nor in certmonger, I don't think
it's an issue for now.


The purpose of the mapping rule is to tie together the transformation
rules that produce the same data into an object that's
implementation-agnostic, so that profiles referencing those rules are
automatically compatible with all the helper options.


They are implementation-agnostic, as long as you consider `openssl`
and `certutil` the only implementations :-) But I don't think this
solution scales well to other possible implementations.

Anyway, my main grudge is that the transformation rules shouldn't
really be stored on and processed by the server. The server should
know the *what* (mapping rules), but not the *how* (transformation
rules). The *how* is an implementation detail and does not change in
time, so there's no benefit in handling it on the server. It should be
handled exclusively on the client, which I believe would also make the
whole thing more robust (it would not be possible for a bug on the
server to break all the clients).

This is a good point. However, for the scope of Ben's project can we
limit it by openssl and certutil support? Otherwise Ben wouldn't be
able to complete the project in time.


I'm fine with that, but I don't think it's up to me :-)


This is turning out to be a common (and, I think, reasonable) reaction
to the proposal. It is rather complex, and I worry that it will be
difficult to configure. On the other hand, there is some hidden
complexity to enabling a simpler config format, as well. One of the
goals of the project as it was presented to me was to allow the
creation of profiles that add certificate extensions *that FreeIPA
doesn't yet know about*. With the current proposal, one only has to
add a rule generating text that the helper will
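An added example, not part of Ben's design page or of FreeIPA, of the client-side approach Jan argues for in the thread above: the profile carries only the *what* (a constructed mapping of IPA data to CSR fields) and python-cryptography's CertificateSigningRequestBuilder renders it into a signed CSR without any openssl or certutil helper syntax. `SAMPLE_PROFILE`, `SAMPLE_DATA`, the hostname and realm, and the choice of extensions are assumptions made for the example; the private key is generated in software, which is the "default backend" case Jan mentions.

```python
"""Client-side CSR generation from helper-agnostic mapping rules (added example)."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed "mapping rules": which IPA data lands in which CSR field. There is no
# openssl/certutil syntax here; the client renders them with the builder below.
SAMPLE_PROFILE = {
    "subject": [(NameOID.ORGANIZATION_NAME, "{realm}"),
                (NameOID.COMMON_NAME, "{hostname}")],
    "san_dns": ["{hostname}"],
    "eku": [ExtendedKeyUsageOID.SERVER_AUTH],
}

# Constructed principal data, the kind of thing the server would hand the client.
SAMPLE_DATA = {"hostname": "www.example.test", "realm": "EXAMPLE.TEST"}


def generate_key():
    """Fresh RSA key; with a PKCS#11 backend this would come from the token instead."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_csr(profile, data, key):
    """Render the mapping rules against the data and sign the CSR with key."""
    subject = x509.Name([x509.NameAttribute(oid, template.format(**data))
                         for oid, template in profile["subject"]])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    dns_names = [x509.DNSName(t.format(**data)) for t in profile.get("san_dns", [])]
    if dns_names:
        builder = builder.add_extension(x509.SubjectAlternativeName(dns_names),
                                        critical=False)
    if profile.get("eku"):
        builder = builder.add_extension(x509.ExtendedKeyUsage(profile["eku"]),
                                        critical=False)
    # An end-entity request should never ask for CA=TRUE; say so explicitly.
    builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None),
                                    critical=True)
    return builder.sign(key, hashes.SHA256())


def csr_pem(csr):
    """PEM encoding, i.e. what would be handed to the CA or to certmonger."""
    return csr.public_bytes(serialization.Encoding.PEM).decode("ascii")


def csr_summary(csr):
    """The fields worth checking before the CSR is submitted to the CA."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    eku = csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "signature_valid": csr.is_signature_valid,
        "cn": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "eku": [oid.dotted_string for oid in eku],
    }


def example():
    """Generate, serialize, reload and summarize a CSR for the sample profile."""
    key = generate_key()
    csr = build_csr(SAMPLE_PROFILE, SAMPLE_DATA, key)
    reloaded = x509.load_pem_x509_csr(csr_pem(csr).encode("ascii"))
    return csr_summary(reloaded)


if __name__ == "__main__":
    print(example())
```

Because the profile names fields rather than helper command lines, adding an extension FreeIPA does not yet know about means adding one rendering branch to `build_csr`, not a new transformation rule per helper; `csr_summary` is the client-side sanity check that the CSR really carries what the profile asked for before it leaves the host.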

[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

mbasti-rh commented:
"""
Ticket https://fedorahosted.org/freeipa/ticket/5725 is in already closed 
milestone, please create a new one (I suppose you want backport to 4.4.3)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/160#issuecomment-253559347
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#161][comment] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/91b51e702f1e105329ebea29c633d94516cd673c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/161#issuecomment-253551844
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

martbab commented:
"""
I think that issue reported in https://fedorahosted.org/freeipa/ticket/3230 is 
orthogonal to uninstaller returning 0 on error. I fail to see why we are even 
discussing this ticket in this context.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/160#issuecomment-253553642
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#155][+ack] Build system cleanup

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/155
Title: #155: Build system cleanup

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#155][comment] Build system cleanup

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/155
Title: #155: Build system cleanup

mbasti-rh commented:
"""
Works for me, Not pushing yet to give time to others to disagree
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/155#issuecomment-253555492
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Heimdal Kerberos support for client

2016-10-13 Thread Petr Spacek
On 12.10.2016 20:22, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hello list,
>>
>> I just noticed that client/configure.ac contains some checks to detect and
>> support Heimdal Kerberos libraries.
>>
>> Was it tested? Does it work? Can I drop it? :-)
>>
> 
> Wow, that's some old code.
> 
> Only Simo would know if it was ever tested or ever worked.
> 
> I suppose since theoretically the client can be built separately theoretically
> it might do the right thing in some cases.
> 
> Seems like enough of a corner case to me that I'd remove it, given it is
> likely untested these last 9 years or so.

Simo told me on IRC that we could remove it. According to Alexander, Ubuntu is
building IPA packages against MIT Kerberos so it should be okay.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#161][+pushed] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#161][closed] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/161
Author: mbasti-rh
 Title: #161: CI: workaround: wait for dogtag before replica-prepare
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/161/head:pr161
git checkout pr161
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#161][+ack] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#136][synchronized] Fix KRA install tests

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/136
Author: mbasti-rh
 Title: #136: Fix KRA install tests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/136/head:pr136
git checkout pr136
From 4bc794329399344cd2218f71c408d096b2fc2f93 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 4 Oct 2016 23:08:19 +0200
Subject: [PATCH 1/3] CI: extend replication layouts tests with KRA

KRA should be tested with warious replication topologies as well, mainly
in domain level 0

https://fedorahosted.org/freeipa/ticket/6088
---
 ipatests/test_integration/tasks.py | 18 ++--
 .../test_integration/test_replication_layouts.py   | 48 ++
 2 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 0b460b9..ef5078b 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -994,12 +994,20 @@ def double_circle_topo(master, replicas, site_size=6):
 
 
 def install_topo(topo, master, replicas, clients, domain_level=None,
- skip_master=False, setup_replica_cas=True):
+ skip_master=False, setup_replica_cas=True,
+ setup_replica_kras=False):
 """Install IPA servers and clients in the given topology"""
+if setup_replica_kras and not setup_replica_cas:
+raise ValueError("Option 'setup_replica_kras' requires "
+ "'setup_replica_cas' set to True")
 replicas = list(replicas)
 installed = {master}
 if not skip_master:
-install_master(master, domain_level=domain_level)
+install_master(
+master,
+domain_level=domain_level,
+setup_kra=setup_replica_kras
+)
 
 add_a_records_for_hosts_in_master_domain(master)
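Review bot: `install_master(master, domain_level=domain_level, setup_kra=setup_replica_kras)` makes a parameter named `setup_replica_kras` control the master's KRA as well, so the name no longer says what it does; either rename it (for example `setup_kras`) or state in the docstring that requesting replica KRAs installs one on the master too. The docstring, `"""Install IPA servers and clients in the given topology"""`, also says nothing about the new parameter or about the precondition enforced by the new `ValueError` (`setup_replica_kras` requires `setup_replica_cas`), which callers will otherwise only discover at runtime.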
 
@@ -1009,7 +1017,11 @@ def install_topo(topo, master, replicas, clients, domain_level=None,
 connect_replica(parent, child)
 else:
 log.info('Installing replica %s from %s' % (parent, child))
-install_replica(parent, child, setup_ca=setup_replica_cas)
+install_replica(
+parent, child,
+setup_ca=setup_replica_cas,
+setup_kra=setup_replica_kras
+)
 installed.add(child)
 install_clients([master] + replicas, clients)
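Review bot: the context line `log.info('Installing replica %s from %s' % (parent, child))` names the hosts the wrong way round for the call it precedes: `install_replica(parent, child, ...)` takes the master first and the replica second (see the `def install_replica(master, replica, ...)` signature quoted in the PR#161 diff earlier on this page), so the message prints the master as the replica being installed. Not introduced by this hunk, but since the call is being reworked anyway it is a one-line drive-by fix: swap to `% (child, parent)`.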
 
diff --git a/ipatests/test_integration/test_replication_layouts.py b/ipatests/test_integration/test_replication_layouts.py
index c178815..53cae7d 100644
--- a/ipatests/test_integration/test_replication_layouts.py
+++ b/ipatests/test_integration/test_replication_layouts.py
@@ -52,6 +52,16 @@ def test_line_topology_with_ca(self):
 self.replication_is_working()
 
 
+class TestLineTopologyWithCAKRA(LayoutsBaseTest):
+
+num_replicas = 3
+
+def test_line_topology_with_ca_kra(self):
+tasks.install_topo('line', self.master, self.replicas, [],
+   setup_replica_cas=True, setup_replica_kras=True)
+self.replication_is_working()
+
+
 class TestStarTopologyWithoutCA(LayoutsBaseTest):
 
 num_replicas = 3
@@ -72,6 +82,16 @@ def test_star_topology_with_ca(self):
 self.replication_is_working()
 
 
+class TestStarTopologyWithCAKRA(LayoutsBaseTest):
+
+num_replicas = 3
+
+def test_star_topology_with_ca_kra(self):
+tasks.install_topo('star', self.master, self.replicas, [],
+   setup_replica_cas=True, setup_replica_kras=True)
+self.replication_is_working()
+
+
 class TestCompleteTopologyWithoutCA(LayoutsBaseTest):
 
 num_replicas = 3
@@ -92,6 +112,16 @@ def test_complete_topology_with_ca(self):
 self.replication_is_working()
 
 
+class TestCompleteTopologyWithCAKRA(LayoutsBaseTest):
+
+num_replicas = 3
+
+def test_complete_topology_with_ca_kra(self):
+tasks.install_topo('complete', self.master, self.replicas, [],
+   setup_replica_cas=True, setup_replica_kras=True)
+self.replication_is_working()
+
+
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
 reason='does not work on DOMAIN_LEVEL_0 by design')
 class Test2ConnectedTopologyWithoutCA(LayoutsBaseTest):
@@ -112,6 +142,15 @@ def test_2_connected_topology_with_ca(self):
 self.replication_is_working()
 
 
+class Test2ConnectedTopologyWithCAKRA(LayoutsBaseTest):
+num_replicas = 33
+
+def test_2_connected_topology_with_ca_kra(self):
+tasks.install_topo('2-connected', self.master, self.replicas, [],
+   setup_replica_cas=True, setup_replica_kras=True)
+self.replication_is_working()
+
+
 @pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0,
 reason='does not work on DOMAIN_LEVEL_0 by design')
 class TestDoubleCircleTopologyWithoutCA(LayoutsBaseTest):
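Review bot: `num_replicas = 33` in `Test2ConnectedTopologyWithCAKRA` looks like a typo for 3, the value every other layout class in this file uses; 33 replicas would make the test unrunnable in CI. The new class is also missing the `@pytest.mark.skipif(config.domain_level == DOMAIN_LEVEL_0, reason='does not work on DOMAIN_LEVEL_0 by design')` decorator that the surrounding 2-connected and double-circle classes carry, so at domain level 0 it would be collected and fail for a known reason; and the blank line between the `class` line and `num_replicas` is dropped here, unlike in the other new classes. Suggest: decorator added, `num_replicas = 3`, blank line restored.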
@@ -130,3 +169,12 

Re: [Freeipa-devel] Heimdal Kerberos support for client

2016-10-13 Thread Timo Aaltonen
On 13.10.2016 18:56, Petr Spacek wrote:
> On 12.10.2016 20:22, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> Hello list,
>>>
>>> I just noticed that client/configure.ac contains some checks to detect and
>>> support Heimdal Kerberos libraries.
>>>
>>> Was it tested? Does it work? Can I drop it? :-)
>>>
>>
>> Wow, that's some old code.
>>
>> Only Simo would know if it was ever tested or ever worked.
>>
>> I suppose since theoretically the client can be built separately 
>> theoretically
>> it might do the right thing in some cases.
>>
>> Seems like enough of a corner case to me that I'd remove it, given it is
>> likely untested these last 9 years or so.
> 
> Simo told me on IRC that we could remove it. According to Alexander, Ubuntu is
> building IPA packages against MIT Kerberos so it should be okay.

Yes, everything I've touched uses MIT on Debian/Ubuntu.


-- 
t

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates

2016-10-13 Thread Sumit Bose
On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote:
> On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote:
> > Hi,
> > 
> > I've started to write a SSSD design page about enhancing the current
> > mapping of certificates to users and how to select/match a suitable
> > certificate if multiple certificates are on a Smartcard.
> > 
> > My currently thoughts and idea and be found at
> > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > and for your convenience below as well.
> > 
> > Comments and suggestions are welcome. Please let me know about concerns,
> > alternatives and missing use-cases/user-stories.
> > 
> > bye,
> > Sumit
> > 
> 
> Hi,
> 
> Rob, Fraser, Alexander, thank you for your comments. I think both the
> issuer specific matching and the OID in the SUBJECT matching are good
> ideas. I updated the design page accordingly. The changes can be shown
> with
> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=9_version=6
> 
> The updated version can be found below as well. Of course more comments and
> suggestions are still very welcome.
> 

I did another update. A "Compatibility with Active Directory" section is
added which made me realize that there are use-cases for using the
issuer in the mapping as well and the sub-strings in LDAP search filters
might be useful as well.

The changes can be seen with
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff=10_version=9

Please let me know your comments and suggestions.

bye,
Sumit

= Matching and Mapping Certificates =

Related ticket(s):
 * http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

=== Problem statement ===
 Mapping 
Currently it is required that a certificate used for authentication is either 
stored in the LDAP user entry or in a matching override. This might not always 
be applicable and other ways are needed to relate a user with a certificate.

 Matching 
Even if SSSD will support multiple certificates on a Smartcard in the context 
of https://fedorahosted.org/sssd/ticket/3050 it might be necessary to restrict 
(or relax) the current certificate selection in certain environments. 

=== Use cases ===
 Mapping 
In some environments it might not be possible or would cause unwanted effort to 
add certificates to the LDAP entry of the users to allow Smartcard based 
authentication. Reasons might be:
* Certificates/Smartcards are issued externally
* LDAP schema extension is not possible or not allowed

 Matching 
A user might have multiple certificates on a Smartcard which are suitable for 
authentication. But on some host in the environment only certificates from a 
specific CA (while all other CAs are trusted as well) or with some special 
extension should be valid for login.

=== Overview of the solution ===
To match a certificate a language/syntax has to be defined which allows to 
reference items from the certificate and compare the values with the expected 
data. To map the certificates to a user the language/syntax should allow to 
relate certificate items with LDAP attributes so that the value(s) from the 
certificate item can be used in a LDAP search filter.


=== Implementation details ===
 Matching 
The pkinit plugin of MIT Kerberos must find a suitable certificate from a 
Smartcard as well and has defined the following syntax (see the 
pkinit_cert_match section of the krb5.conf man page or 
http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html for 
details). The main components are

* <SUBJECT>regular-expression
* <ISSUER>regular-expression
* <SAN>regular-expression
* <EKU>extended-key-usage-list
* <KU>key-usage-list

and can be grouped together with a prefixed '&&' (and) or '`||`' (or) operator 
('&&' is the default). If multiple rules are given they are iterated with the 
order in the config file as long as a rule matches exactly one certificate.

'''Question: MIT Kerberos uses case-sensitive matching and POSIX Extended 
Regular Expression syntax, shall we do the same?'''

While <SUBJECT> and <ISSUER> are (imo) already quite flexible I can see some 
potential extensions for the other components.

<EKU> and <KU> in MIT Kerberos only accept certain string values related to 
some allowed values in those field as defined in 
https://www.ietf.org/rfc/rfc3280.txt . The selection is basically determined by 
what is supported on server side of the pkinit plugin of MIT Kerberos. Since we 
plan to extend pkinit and support local authentication without pkinit as well I 
would suggest to allow OID strings for those components as well (the comparison 
is done on the OID level nonetheless).

The <SAN> component in MIT Kerberos only checks the otherName SAN component for 
the id-pkinit-san OID as defined in https://www.ietf.org/rfc/rfc4556.txt or the 
szOID_NT_PRINCIPAL_NAME OID as mentioned in 
https://support.microsoft.com/en-us/kb/287547. While this is sufficient for the 
default pkinit use case 
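An added example, not part of Sumit's design page or of SSSD, of the two halves described above: a matcher for rules in the MIT pkinit_cert_match syntax (`<SUBJECT>`/`<ISSUER>`/`<SAN>` regular expressions, `<EKU>`/`<KU>` lists, an optional leading `&&` or `||`, rules tried in order until one matches exactly one certificate) and a mapping step that expands certificate fields into an LDAP search filter with RFC 4515 escaping, so that certificate-controlled strings cannot inject filter syntax. The certificates, the usage names, the `ipaCertMapData` template and the `X509:<I>...<S>...` layout are constructed for the example; Python's `re` stands in for the POSIX ERE that MIT uses, and regex values are assumed not to contain a literal `<`.

```python
import re

# Constructed stand-ins for certificates already parsed by the PKCS#11/NSS layer:
# subject/issuer as RFC 4514 strings, SAN values as strings, EKU/KU as name lists.
SAMPLE_CERTS = [
    {"subject": "CN=alice,OU=People,O=EXAMPLE.TEST",
     "issuer": "CN=Certificate Authority,O=EXAMPLE.TEST",
     "san": ["alice@EXAMPLE.TEST"],
     "eku": ["clientAuth", "pkinit"],
     "ku": ["digitalSignature"]},
    {"subject": "CN=alice,OU=People,O=EXAMPLE.TEST",
     "issuer": "CN=Other CA,O=OTHER.TEST",
     "san": ["alice@other.test"],
     "eku": ["emailProtection"],
     "ku": ["digitalSignature", "keyEncipherment"]},
]

# One <COMPONENT>value pair; values are assumed not to contain a literal '<'.
_COMPONENT_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>([^<]*)")


def parse_rule(rule):
    """Split a pkinit_cert_match style rule into its operator and components."""
    rule = rule.strip()
    op = "&&"  # MIT default: every component must match
    if rule[:2] in ("&&", "||"):
        op, rule = rule[:2], rule[2:]
    parts = _COMPONENT_RE.findall(rule)
    if not parts or "".join("<%s>%s" % p for p in parts) != rule:
        raise ValueError("unparseable matching rule: %r" % rule)
    return op, parts


def _component_matches(cert, name, value):
    if name in ("SUBJECT", "ISSUER"):
        # Case-sensitive search, as MIT does; re.search stands in for POSIX ERE.
        return re.search(value, cert[name.lower()]) is not None
    if name == "SAN":
        return any(re.search(value, san) for san in cert["san"])
    # <EKU>/<KU>: every usage listed in the rule must be present in the certificate.
    wanted = {v.strip() for v in value.split(",") if v.strip()}
    return wanted <= set(cert[name.lower()])


def rule_matches(rule, cert):
    op, parts = parse_rule(rule)
    results = [_component_matches(cert, name, value) for name, value in parts]
    return all(results) if op == "&&" else any(results)


def select_certificate(rules, certs):
    """Try rules in configuration order; the first one matching exactly one cert wins."""
    for rule in rules:
        hits = [c for c in certs if rule_matches(rule, c)]
        if len(hits) == 1:
            return hits[0]
    return None


def ldap_filter_escape(value):
    """RFC 4515 escaping: text taken from a certificate must not alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def mapping_filter(template, cert):
    """Expand {subject}/{issuer}/{san} from the certificate into an LDAP filter."""
    return template.format(
        subject=ldap_filter_escape(cert["subject"]),
        issuer=ldap_filter_escape(cert["issuer"]),
        san=ldap_filter_escape(cert["san"][0]) if cert["san"] else "",
    )
```

The escaping in `mapping_filter` is the practical side of the "sub-strings in LDAP search filters" point above: once certificates are issued externally, every field that ends up in a filter is data the issuer (or whoever controls enrolment there) chose, so it has to be escaped before it reaches the directory, or a crafted subject such as `CN=x*)(uid=*` turns a lookup into a wildcard match.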

Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package

2016-10-13 Thread Martin Basti



On 13.10.2016 19:49, Petr Vobornik wrote:

On 10/12/2016 11:11 AM, Petr Spacek wrote:

On 10.10.2016 10:28, Martin Basti wrote:

https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6


Please set karma accordingly


Traceback:

...

2016-10-10T04:44:05Z DEBUG The ipa-replica-install command failed, exception:
TypeError: 'unicode' does not have the buffer interface
2016-10-10T04:44:05Z ERROR 'unicode' does not have the buffer interface


I'll investigate if IPA using it wrong or there is new error introduced in
pyhton-dns

For archaeologists:
Fix
https://github.com/freeipa/freeipa/pull/150
was merged.


We've pushed PR 150 to 4.4 and master. 4.4.2 release fixes f25 and f26
but F24 has 4.3 branch.

Is it correct to assume that 4.3 is also affected?

If so, then we need either to backport the patch to 4.3 and fix Fedora
directly or completely block the python-dns update on f24.


4.3 shouldn't be affected, because the code that has been failing is 
only in 4.4+ in DNS Locations related feature


Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package

2016-10-13 Thread Petr Vobornik
On 10/12/2016 11:11 AM, Petr Spacek wrote:
> On 10.10.2016 10:28, Martin Basti wrote:
>> https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6
>>
>>
>> Please set karma accordingly
>>
>>
>> Traceback:
>>
>> ...
>>
>> 2016-10-10T04:44:05Z DEBUG The ipa-replica-install command failed, exception:
>> TypeError: 'unicode' does not have the buffer interface
>> 2016-10-10T04:44:05Z ERROR 'unicode' does not have the buffer interface
>>
>>
>> I'll investigate if IPA using it wrong or there is new error introduced in
>> pyhton-dns
> 
> For archaeologists:
> Fix
> https://github.com/freeipa/freeipa/pull/150
> was merged.
> 

We've pushed PR 150 to 4.4 and master. 4.4.2 release fixes f25 and f26
but F24 has 4.3 branch.

Is it correct to assume that 4.3 is also affected?

If so, then we need either to backport the patch to 4.3 and fix Fedora
directly or completely block the python-dns update on f24.
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6c53765ac1746ea3cb82554775a37fe43af062e8
https://fedorahosted.org/freeipa/changeset/6c09d6f8788b5436d6c9a5af4cc079a843f00e33
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/127#issuecomment-253605497
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#127][closed] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127

[Freeipa-devel] [freeipa PR#127][+pushed] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

Label: +pushed

[Freeipa-devel] [freeipa PR#156][+pushed] cert: add revocation reason back to cert-find output

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

Label: +pushed

[Freeipa-devel] [freeipa PR#156][closed] cert: add revocation reason back to cert-find output

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/156
Author: jcholast
 Title: #156: cert: add revocation reason back to cert-find output
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/156/head:pr156
git checkout pr156

[Freeipa-devel] [freeipa PR#156][comment] cert: add revocation reason back to cert-find output

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/16dad1c3cb09acee946bc5b2409447279a8bc0de
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/30b478113e0dd7993f491c1582003567e9b20d13
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/156#issuecomment-253607864

[Freeipa-devel] [freeipa PR#161][comment] CI: workaround: wait for dogtag before replica-prepare

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/161
Title: #161: CI: workaround: wait for dogtag before replica-prepare

mbasti-rh commented:
"""
It looks like 30 seconds is not enough; the majority of ipa-replica-prepare runs passed,
but I had a few tests where it is still failing (randomly)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/161#issuecomment-253611853

[Freeipa-devel] [freeipa PR#127][+ack] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

Label: +ack

[Freeipa-devel] [freeipa PR#136][edited] Fix KRA install tests

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/136
Author: mbasti-rh
 Title: #136: Fix KRA install tests
Action: edited

 Changed field: body
Original value:
"""
- in the test_installation test suite KRA related tests were duplicated, this PR
removes them
- in the test_installation test suite with domain level 0, some KRA tests must be
skipped because they do not work under domain level 0 by design
- because in previous commits I decreased the number of replicas in
test_installation, I added KRA tests into the replication_layout test suite to test
how KRA install works with more replicas and various layouts (needed mainly for
domain level 0)

https://fedorahosted.org/freeipa/ticket/6088
"""


[Freeipa-devel] [freeipa PR#162][opened] Certificate processing refactoring

2016-10-13 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/162
Author: frasertweedale
 Title: #162: Certificate processing refactoring
Action: opened

PR body:
"""
This PR contains ready-for-review/test commits that:

- support converting python-cryptography Name type to DN

- avoid the need to parse friendlyName from CSR and remove
  the code that does that

- convert `ipalib.pkcs10` to use python-cryptography instead of NSS
  for processing CSRs.

- eliminate our use of the nss.data_to_hex function

- switch `ipalib.x509` to use ASN.1 specifications provided by
  *pyasn1-modules* library, and remove our hand-rolled definitions.


It was discussed to target subteam staging branches for the ongoing
refactoring work but it does not seem that these have been created yet.
I can retarget the PR after the cert refactoring branch gets
created.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/162/head:pr162
git checkout pr162
From 7b22e9d9ed300e4abf7a5679b7f7d0014976c80e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 10 Oct 2016 16:08:52 +1000
Subject: [PATCH 1/5] dn: support conversion from python-cryptography Name

The upcoming change to using python-cryptography for certificate
processing will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.

Part of: https://fedorahosted.org/freeipa/ticket/6398
---
 ipapython/dn.py| 43 --
 ipatests/test_ipapython/test_dn.py | 23 ++--
 2 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/ipapython/dn.py b/ipapython/dn.py
index 3ee35c6..682e0ca 100644
--- a/ipapython/dn.py
+++ b/ipapython/dn.py
@@ -422,6 +422,7 @@
 import sys
 import functools
 
+import cryptography.x509
 from ldap.dn import str2dn, dn2str
 from ldap import DECODING_ERROR
 import six
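Review bot: the module-level `import cryptography.x509` makes python-cryptography a hard import-time dependency of ipapython/dn.py, a module the client side uses as well as the server; check that the package requirements for ipapython/the client (spec file, setup.py) already pull python-cryptography in, otherwise `DN` stops importing on hosts that only have the client installed. If the dependency is not wanted there, the import and the `_ATTR_NAME_BY_OID` table would have to move into the `Name` branch of `_rdns_from_value`.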
@@ -976,6 +977,8 @@ class DN(object):
   to yield one or more RDN's which will be appended in order to
   the DN. The parsing recognizes the DN syntax escaping rules.
 
+* A single ``cryptography.x509.name.Name`` object.
+
 * A RDN object, the RDN will copied respecting the constructors
   keyword configuration parameters and appended in order.
 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value):
 rdns = [[ava]]
 elif isinstance(value, RDN):
 rdns = [value.to_openldap()]
+elif isinstance(value, cryptography.x509.name.Name):
+rdns = list(reversed([
+[get_ava(
+_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string),
+ava.value)]
+for ava in value
+]))
 else:
-raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" %
-type(value))
+raise TypeError(
+"must be str, unicode, tuple, Name, RDN or DN, got %s instead"
+% type(value))
 return rdns
 
 def _rdns_from_sequence(self, seq):
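Review bot: `for ava in value` iterates a `cryptography.x509.name.Name` attribute by attribute, and `[get_ava(...)]` wraps each one in its own RDN list, so a multi-valued RDN (for example `CN=x+OU=y`) comes out as two separate single-valued RDNs rather than one. Where the supported cryptography release exposes the RDN structure (`Name.rdns`), build one list per relative distinguished name from its attributes instead; if that is not available, document the limitation in the constructor docstring added above. The `reversed(...)` itself is right: a `Name` is stored root-first while `DN` keeps the RFC 4514 string order with the leaf RDN first.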
@@ -1407,3 +1418,31 @@ def rindex(self, pattern, start=None, end=None):
 if i == -1:
 raise ValueError("pattern not found")
 return i
+
+
+_ATTR_NAME_BY_OID = {
+cryptography.x509.oid.NameOID.COMMON_NAME: 'CN',
+cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C',
+cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L',
+cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST',
+cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O',
+cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU',
+cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber',
+cryptography.x509.oid.NameOID.SURNAME: 'SN',
+cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName',
+cryptography.x509.oid.NameOID.TITLE: 'title',
+cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier',
+cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier',
+cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym',
+cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC',
+cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E',
+cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME:
+'incorporationCountry',
+cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME:
+'incorporationLocality',
+cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME:
+'incorporationState',
+cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory',
+cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET',
+cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID',
+}
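Review bot: several entries in `_ATTR_NAME_BY_OID` are not RFC 4514 short names: `E` for emailAddress and the `incorporation*` names for the jurisdiction OIDs reproduce what NSS printed, not what LDAP tooling emits. A comment saying that the abbreviations deliberately mirror NSS output, so DNs derived from certificates keep comparing equal to values already stored by the old code, would stop the next reader from "correcting" them. The two hand-rolled `ObjectIdentifier('2.5.4.9')` and `ObjectIdentifier('0.9.2342.19200300.100.1.1')` keys could use `NameOID.STREET_ADDRESS` and `NameOID.USER_ID` where the minimum supported cryptography version provides them.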
diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py
index a96bd33..3ca3b57 100644
--- a/ipatests/test_ipapython/test_dn.py
+++ b/ipatests/test_ipapython/test_dn.py
@@ -2,6 +2,7 @@
 import unittest
 import pytest
 
+from 

[Freeipa-devel] [freeipa PR#163][opened] Do not create Object Signing certificate

2016-10-13 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/163
Author: frasertweedale
 Title: #163: Do not create Object Signing certificate
Action: opened

PR body:
"""
The Object Signing certificate created during server installation
was used only for signing the (recently removed) Firefox extension,
so there's no need to create that certificate any more.

Fixes: https://fedorahosted.org/freeipa/ticket/6399
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/163/head:pr163
git checkout pr163
From 0db6f91d8b7398d676b39176f0c962f87e15ac5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 14 Oct 2016 13:20:16 +1000
Subject: [PATCH] Do not create Object Signing certificate

The Object Signing certificate created during server installation
was used only for signing the (recently removed) Firefox extension,
so there's no need to create that certificate any more.

Fixes: https://fedorahosted.org/freeipa/ticket/6399
---
 install/ui/test/data/cert_find.json| 8 +---
 ipaserver/install/ca.py| 6 ++
 ipaserver/install/httpinstance.py  | 1 -
 ipaserver/install/server/replicainstall.py | 1 -
 4 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/install/ui/test/data/cert_find.json b/install/ui/test/data/cert_find.json
index 6c059bd..4b2fb6d 100644
--- a/install/ui/test/data/cert_find.json
+++ b/install/ui/test/data/cert_find.json
@@ -57,15 +57,9 @@
 "serial_number_hex": "0x9",
 "status": "VALID",
 "subject": "CN=dev.example.com,O=EXAMPLE.COM"
-},
-{
-"serial_number": 10,
-"serial_number_hex": "0xA",
-"status": "VALID",
-"subject": "CN=Object Signing Cert,O=EXAMPLE.COM"
 }
 ],
 "summary": "10 certificates matched",
 "truncated": false
 }
-}
\ No newline at end of file
+}
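Review bot: the fixture now lists nine certificates (the serial 10 entry is gone) but the unchanged context `"summary": "10 certificates matched"` still says ten; update the summary (and any count field the fixture carries) so the test data stays self-consistent.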
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index dadc34e..ac04b64 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -94,8 +94,7 @@ def install_check(standalone, replica_config, options):
 for db in (cadb, dsdb):
 for nickname, _trust_flags in db.list_certs():
 if nickname in (certdb.get_ca_nickname(realm_name),
-'ipaCert',
-'Signing-Cert'):
+'ipaCert'):
 raise ScriptError(
 "Certificate with nickname %s is present in %s, "
 "cannot continue." % (nickname, db.secdir))
@@ -105,8 +104,7 @@ def install_check(standalone, replica_config, options):
 continue
 subject = DN(str(x509.get_subject(cert)))
 if subject in (DN('CN=Certificate Authority', subject_base),
-   DN('CN=IPA RA', subject_base),
-   DN('CN=Object Signing Cert', subject_base)):
+   DN('CN=IPA RA', subject_base)):
 raise ScriptError(
 "Certificate with subject %s is present in %s, "
 "cannot continue." % (subject, db.secdir))
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 60d62c0..a49280a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -347,7 +347,6 @@ def __setup_ssl(self):
  ca_db)
 db.track_server_cert(self.cert_nickname, self.principal,
  db.passwd_fname, 'restart_httpd')
-db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
 self.add_cert_to_service()
 
 # Fix the database permissions
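Review bot: dropping `db.create_signing_cert(...)` only affects fresh installs; servers installed before this change keep a `Signing-Cert` in the HTTP NSS database, and the `install_check` hunks above stop complaining about it too. Nothing in the four touched files handles the upgrade case, so either add an upgrade step that removes (and stops tracking, if it is tracked) the stale `Signing-Cert`, or state in the commit message that existing certificates are intentionally left in place.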
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 6c9f598..27d4dbb 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -96,7 +96,6 @@ def install_http_certs(config, fstore, remote_api):
 subject = DN(('O', config.realm_name))
 db = certs.CertDB(config.realm_name, nssdir=nssdir, subject_base=subject)
 db.request_service_cert('Server-Cert', principal, config.host_name, True)
-# FIXME: need Signing-Cert too ?
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
-- 

[Freeipa-devel] [freeipa PR#162][synchronized] Certificate processing refactoring

2016-10-13 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/162
Author: frasertweedale
 Title: #162: Certificate processing refactoring
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/162/head:pr162
git checkout pr162
From 7b22e9d9ed300e4abf7a5679b7f7d0014976c80e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 10 Oct 2016 16:08:52 +1000
Subject: [PATCH 1/5] dn: support conversion from python-cryptography Name

The upcoming change to using python-cryptography for certificate
processing will require a way to convert
``cryptography.x509.name.Name`` values to ``ipapython.dn.DN``.
Update the ``DN`` constructor to accept a ``Name``.

Part of: https://fedorahosted.org/freeipa/ticket/6398
---
 ipapython/dn.py| 43 --
 ipatests/test_ipapython/test_dn.py | 23 ++--
 2 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/ipapython/dn.py b/ipapython/dn.py
index 3ee35c6..682e0ca 100644
--- a/ipapython/dn.py
+++ b/ipapython/dn.py
@@ -422,6 +422,7 @@
 import sys
 import functools
 
+import cryptography.x509
 from ldap.dn import str2dn, dn2str
 from ldap import DECODING_ERROR
 import six
@@ -976,6 +977,8 @@ class DN(object):
   to yield one or more RDN's which will be appended in order to
   the DN. The parsing recognizes the DN syntax escaping rules.
 
+* A single ``cryptography.x509.name.Name`` object.
+
 * A RDN object, the RDN will copied respecting the constructors
   keyword configuration parameters and appended in order.
 
@@ -1125,9 +1128,17 @@ def _rdns_from_value(self, value):
 rdns = [[ava]]
 elif isinstance(value, RDN):
 rdns = [value.to_openldap()]
+elif isinstance(value, cryptography.x509.name.Name):
+rdns = list(reversed([
+[get_ava(
+_ATTR_NAME_BY_OID.get(ava.oid, ava.oid.dotted_string),
+ava.value)]
+for ava in value
+]))
 else:
-raise TypeError("must be str, unicode, tuple, or RDN or DN, got %s instead" %
-type(value))
+raise TypeError(
+"must be str, unicode, tuple, Name, RDN or DN, got %s instead"
+% type(value))
 return rdns
 
 def _rdns_from_sequence(self, seq):
@@ -1407,3 +1418,31 @@ def rindex(self, pattern, start=None, end=None):
 if i == -1:
 raise ValueError("pattern not found")
 return i
+
+
+_ATTR_NAME_BY_OID = {
+cryptography.x509.oid.NameOID.COMMON_NAME: 'CN',
+cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C',
+cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L',
+cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST',
+cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O',
+cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU',
+cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber',
+cryptography.x509.oid.NameOID.SURNAME: 'SN',
+cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName',
+cryptography.x509.oid.NameOID.TITLE: 'title',
+cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier',
+cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier',
+cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym',
+cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC',
+cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E',
+cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME:
+'incorporationCountry',
+cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME:
+'incorporationLocality',
+cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME:
+'incorporationState',
+cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory',
+cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET',
+cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID',
+}
diff --git a/ipatests/test_ipapython/test_dn.py b/ipatests/test_ipapython/test_dn.py
index a96bd33..3ca3b57 100644
--- a/ipatests/test_ipapython/test_dn.py
+++ b/ipatests/test_ipapython/test_dn.py
@@ -2,6 +2,7 @@
 import unittest
 import pytest
 
+from cryptography import x509
 import six
 
 from ipapython.dn import DN, RDN, AVA
@@ -621,7 +622,7 @@ class TestDN(unittest.TestCase):
 def setUp(self):
 # ava1 must sort before ava2
 self.attr1= 'cn'
-self.value1   = 'Bob'
+self.value1   = u'Bob'
 self.str_ava1 = '%s=%s' % (self.attr1, self.value1)
 self.ava1 = AVA(self.attr1, self.value1)
 
@@ -629,7 +630,7 @@ def setUp(self):
 self.rdn1 = RDN((self.attr1, self.value1))
 
 self.attr2= 'ou'
-self.value2   = 'people'
+self.value2   = u'people'
 self.str_ava2 = '%s=%s' % (self.attr2, self.value2)
 self.ava2 = AVA(self.attr2, 

[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

frasertweedale commented:
"""
I think this change has caused SELinux errors when starting the daemon.
(I had to `setenforce 0` to get the installer to complete).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/127#issuecomment-253699714

[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute

2016-10-13 Thread pspacek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

pspacek commented:
"""
@mbasti-rh , the white-space at the end of line is required here because the 
first space at the beginning of line will be consumed by LDIF parser. I agree 
that root should not be author of the commit :-)
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253430924
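LDIF line folding as described in the comment above, as an added example that is not code from the pull request or from bind-dyndb-ldap: a minimal unfold routine following RFC 2849, plus a check that flags folded lines whose trailing separator has been stripped. The sample entry is constructed from the idnsTemplateAttribute definition in the PR; the function names are my own.

```python
"""LDIF line folding (RFC 2849) and why the trailing space is required.

Added example, not code from bind-dyndb-ldap. A continuation line in LDIF
starts with exactly one space, which the parser removes before appending
the remainder to the previous line. Nothing replaces that space, so the
separator between the last token of one physical line and the first token
of the next must already sit at the end of the earlier line.
"""


def unfold_ldif(text):
    """Return the logical lines of an LDIF fragment with folding undone."""
    logical = []
    for physical in text.splitlines():
        if physical.startswith(" ") and logical:
            # Continuation line: drop the single leading space, append the rest.
            logical[-1] += physical[1:]
        else:
            logical.append(physical)
    return logical


def find_missing_fold_separator(text):
    """Lint helper (hypothetical name): 1-based numbers of physical lines that
    are continued on the next line but do not end in whitespace, i.e. lines
    where unfolding would glue two tokens together."""
    lines = text.splitlines()
    suspects = []
    for idx in range(len(lines) - 1):
        here, following = lines[idx], lines[idx + 1]
        if following.startswith(" ") and here and not here[-1].isspace():
            suspects.append(idx + 1)
    return suspects


# Constructed sample: the idnsTemplateAttribute definition from the patch,
# written with the trailing spaces the LDIF parser relies on.
GOOD_FRAGMENT = (
    "attributeTypes: ( 2.16.840.1.113730.3.8.5.29 \n"
    " NAME 'idnsTemplateAttribute' \n"
    " DESC 'Template attribute for dynamic attribute generation' \n"
    " EQUALITY caseIgnoreIA5Match \n"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 \n"
    " X-ORIGIN 'IPA v4.4' )\n"
)

# The same fragment after an editor stripped trailing whitespace on save.
STRIPPED_FRAGMENT = GOOD_FRAGMENT.replace(" \n", "\n")


if __name__ == "__main__":
    print(unfold_ldif(GOOD_FRAGMENT)[0])
    print(unfold_ldif(STRIPPED_FRAGMENT)[0])
    print("lines missing a separator:",
          find_missing_fold_separator(STRIPPED_FRAGMENT))
```

Run on the stripped fragment, the unfolded definition reads `...3.8.5.29NAME 'idnsTemplateAttribute'DESC ...`, which a schema parser rejects; the lint reports lines 1 to 5 as the ones that lost their separator. Running the check in CI over schema LDIF files catches this class of regression before an editor's whitespace cleanup reaches a release.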

Re: [Freeipa-devel] links to docs in the messages from code

2016-10-13 Thread Pavel Vomacka



On 10/13/2016 08:54 AM, Martin Basti wrote:



On 12.10.2016 19:56, Petr Spacek wrote:

Hello FreeIPA developers,

looking at the freeipa-users mailing list, a lot of questions could be answered by
just a quick glance at the docs.

I wonder if we should add links to the HTML version of the docs on access.redhat.com to
the messages generated by the code.

If we really want, we can make these platform-specific, but I would not even
bother with it. Fedora & CentOS & RHEL users end up on the very same page,
only the way they find it is different (mailing list vs. Google vs. paid
support).


Examples:

a) Installation without DNS could end up with a message like this:
Do not forget to finish post-installation steps listed on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns


b) Failed connection check could print a link to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports


c) Failed DNS check could mention the link
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs


d) Failed attempt to find AD DC could print a link to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

etc.

What do you think about this?



I'm afraid that those links can change over time, so we would have to check 
them regularly, otherwise we may end up with links pointing to nowhere. 
I'm not too excited about this idea.


Martin^2

I think that we probably could check these links automatically; the only 
thing which would be necessary is to store these links in some format 
which can be easily parsed. We could use Emender and modify its 
TestLinks [1]. This test now consumes .xml files, but it should not be 
hard to change it to a different format.


[1] https://github.com/emender/emender-fedora/blob/master/test/TestLinks.lua

--
Pavel^3 Vomacka



[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute

2016-10-13 Thread stutiredboy
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

stutiredboy commented:
"""
so sorry for the root committer, but the white space is needed by OpenLDAP LDIF 
parser. I have fixed the ugly pull request. :-)

Thanks.
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253458793

[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

martbab commented:
"""
Please mention either git commit (f7764cda6824a2fe73abe11f6daa28758a185319) 
that fixed this behavior, or put the link to closed ticket 
(https://fedorahosted.org/freeipa/ticket/5725) that addressed this. Everything 
is recorded in our git history and/or tracking system, so 'apparently 
addressed' really has no place in our commit messages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/160#issuecomment-253432003

[Freeipa-devel] [freeipa PR#160][synchronized] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/160
Author: ofayans
 Title: #160: Reverted the assertion for replica uninstall returncode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/160/head:pr160
git checkout pr160
From b4259eae202d352ebe548c6c316c0ea534ab959e Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 13 Oct 2016 08:46:35 +0200
Subject: [PATCH] Reverted the assertion for replica uninstall returncode

As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/5725
---
 ipatests/test_integration/test_replica_promotion.py | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 58f0fa5..0e93356 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-# Due to ticket 3230 server installation/uninstallation always returns
-# 0 unless an uncaught exception occurs. Once this issue is properly
-# addressed, please care to change expected return code in the
-# following assert from 0 to something else.
 assert_error(result, "Removal of '%s' leads to disconnected"
- " topology" % self.replicas[0].hostname, 0)
+ " topology" % self.replicas[0].hostname, 1)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
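Review bot: the removed comment explained why the expected return code was 0, and the change to 1 drops that explanation rather than replacing it, leaving a bare magic number in the `assert_error(...)` call. A one-line comment naming the ticket whose fix made ipa-server-install return a non-zero code on the disconnected-topology error (5725, per the commit message) would keep the test self-explanatory, which is also what the review comment earlier in this thread asks for.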
 
-- 

[Freeipa-devel] [freeipa PR#160][comment] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread ofayans
  URL: https://github.com/freeipa/freeipa/pull/160
Title: #160: Reverted the assertion for replica uninstall returncode

ofayans commented:
"""
Fair point. Fixed. Should we also update the initial (3230) issue?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/160#issuecomment-253453106

Re: [Freeipa-devel] links to docs in the messages from code

2016-10-13 Thread Martin Basti



On 12.10.2016 19:56, Petr Spacek wrote:

Hello FreeIPA developers,

looking at the freeipa-users mailing list, a lot of questions could be answered by
just a quick glance at the docs.

I wonder if we should add links to the HTML version of the docs on access.redhat.com to
the messages generated by the code.

If we really want, we can make these platform-specific, but I would not even
bother with it. Fedora & CentOS & RHEL users end up on the very same page,
only the way they find it is different (mailing list vs. Google vs. paid
support).


Examples:

a) Installation without DNS could end up with a message like this:
Do not forget to finish post-installation steps listed on
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns


b) Failed connection check could print a link to
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports


c) Failed DNS check could mention the link
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs


d) Failed attempt to find AD DC could print a link to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

etc.

What do you think about this?



I'm afraid that those links can change over time, so we would have to check 
them regularly, otherwise we may end up with links pointing to nowhere. 
I'm not too excited about this idea.


Martin^2



[Freeipa-devel] [bind-dyndb-ldap PR#2][comment] fix ldif syntax and add idnsTemplateAttribute

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Title: #2: fix ldif syntax and add idnsTemplateAttribute

mbasti-rh commented:
"""
Hello, I wrote inline comments. Please set proper author name in commit (no 
root please)
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/2#issuecomment-253430426

[Freeipa-devel] [freeipa PR#156][comment] cert: add revocation reason back to cert-find output

2016-10-13 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

pvomacka commented:
"""
Ah, OK, then it works correctly. ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/156#issuecomment-253441752

[Freeipa-devel] [freeipa PR#156][+ack] cert: add revocation reason back to cert-find output

2016-10-13 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/156
Title: #156: cert: add revocation reason back to cert-find output

Label: +ack

[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires

2016-10-13 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires

pspacek commented:
"""
Interestingly, the CI failed with following errors:

* Module ipatests.test_xmlrpc.test_automount_plugin

ipatests/test_xmlrpc/test_automount_plugin.py:34: [E0401(import-error), ] 
Unable to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_hbactest_plugin

ipatests/test_xmlrpc/test_hbactest_plugin.py:27: [E0401(import-error), ] Unable 
to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_pwpolicy_plugin

ipatests/test_xmlrpc/test_pwpolicy_plugin.py:24: [E0401(import-error), ] Unable 
to import 'nose.tools')

* Module ipatests.test_xmlrpc.test_external_members

ipatests/test_xmlrpc/test_external_members.py:24: [E0401(import-error), ] 
Unable to import 'nose')

* Module lite-server

lite-server.py:36: [E0401(import-error), ] Unable to import 'paste')

lite-server.py:37: [E0401(import-error), ] Unable to import 'paste.gzipper')

lite-server.py:38: [E0401(import-error), ] Unable to import 'paste.urlmap')

* Module ipa-ods-exporter

daemons/dnssec/ipa-ods-exporter:29: [E0401(import-error), ] Unable to import 
'systemd.daemon')

daemons/dnssec/ipa-ods-exporter:30: [E0401(import-error), ] Unable to import 
'systemd.journal')


Weren't you too eager in pruning BuildRequires? :-)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/159#issuecomment-253445874

[Freeipa-devel] [bind-dyndb-ldap PR#2][synchronized] fix ldif syntax and add idnsTemplateAttribute

2016-10-13 Thread stutiredboy
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/2
Author: stutiredboy
 Title: #2: fix ldif syntax and add idnsTemplateAttribute
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/2/head:pr2
git checkout pr2
From 7a808ffd0126967b56ff16cf2c5d0eb7b43c66d2 Mon Sep 17 00:00:00 2001
From: stutiredboy 
Date: Thu, 13 Oct 2016 17:05:10 +0800
Subject: [PATCH] add 'idnsTemplateAttribute' and ldif format fix

---
 doc/schema.ldif | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/schema.ldif b/doc/schema.ldif
index 8fdc99f..77c5b0e 100644
--- a/doc/schema.ldif
+++ b/doc/schema.ldif
@@ -362,9 +362,16 @@ attributeTypes: ( 2.16.840.1.113730.3.8.5.31
  NAME 'idnsServerId'
  DESC 'DNS server identifier'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
- EQUALITY caseIgnoreMatch
+ EQUALITY caseIgnoreMatch 
  SINGLE-VALUE )
 #
+attributeTypes: ( 2.16.840.1.113730.3.8.5.29 
+ NAME 'idnsTemplateAttribute' 
+ DESC 'Template attribute for dynamic attribute generation' 
+ EQUALITY caseIgnoreIA5Match 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 
+ X-ORIGIN 'IPA v4.4' )
+#
 attributeTypes: ( 2.16.840.1.113730.3.8.5.30 
  NAME 'idnsSubstitutionVariable' 
  DESC 'User defined variable for DNS plugin' 
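Review bot: the only change on the `EQUALITY caseIgnoreMatch` line is a trailing space, and that is the actual LDIF fix: when a folded value is unfolded the continuation line's leading space is dropped, so without the trailing space the value reads `caseIgnoreMatchSINGLE-VALUE )`. The context lines `NAME 'idnsServerId'`, `DESC 'DNS server identifier'` and `SYNTAX 1.3.6.1.4.1.1466.115.121.1.15` in this same hunk show no trailing space either and would unfold the same way, so check them too, and state in the commit message (currently subject only) what the syntax fix is. For the new `idnsTemplateAttribute`, the OID 2.16.840.1.113730.3.8.5.29 sits below the neighbouring .5.30 and .5.31; confirm .29 is not already assigned elsewhere in the schema.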
@@ -426,6 +433,6 @@ objectClasses: ( 2.16.840.1.113730.3.8.6.6
 objectClasses: ( 2.16.840.1.113730.3.8.6.5 
  NAME 'idnsTemplateObject' 
  DESC 'Template object for dynamic DNS attribute generation' 
- SUP top
+ SUP top 
  AUXILIARY 
  MUST ( idnsTemplateAttribute ) )
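Review bot: `idnsTemplateObject` already listed `idnsTemplateAttribute` in its MUST clause before this patch, so until the attributeType added in the previous hunk the schema referenced an undefined attribute; worth saying in the commit message, since it explains why the two changes belong together. The `SUP top ` change is the same trailing-space fix as above; `AUXILIARY ` and the NAME/DESC lines already carry it, so after this hunk the whole objectClass unfolds cleanly.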

[Freeipa-devel] [freeipa PR#160][opened] Reverted the essertion for replica uninstall returncode

2016-10-13 Thread ofayans
   URL: https://github.com/freeipa/freeipa/pull/160
Author: ofayans
 Title: #160: Reverted the essertion for replica uninstall returncode
Action: opened

PR body:
"""
As the issue with ipa installer always returning 0 returncode is apparently
addressed, the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/3230
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/160/head:pr160
git checkout pr160
From 1b339b81679126c45c2af8887c74df35f89808ed Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 13 Oct 2016 08:46:35 +0200
Subject: [PATCH] Reverted the essertion for replica uninstall returncode

As the issue with ipa installer always returning 0 returncode is apparently
addressed, the test needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/3230
---
 ipatests/test_integration/test_replica_promotion.py | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 58f0fa5..0e93356 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -357,12 +357,8 @@ def test_replica_uninstallation_prohibited(self):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-# Due to ticket 3230 server installation/uninstallation always returns
-# 0 unless an uncaught exception occurs. Once this issue is properly
-# addressed, please care to change expected return code in the
-# following assert from 0 to something else.
 assert_error(result, "Removal of '%s' leads to disconnected"
- " topology" % self.replicas[0].hostname, 0)
+ " topology" % self.replicas[0].hostname, 1)
 self.replicas[0].run_command(['ipa-server-install', '--uninstall',
   '-U', '--ignore-topology-disconnect'])
 
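Review bot: the expected exit code in `assert_error(...)` goes from 0 to 1 while the four-line comment that explained why 0 was expected is dropped entirely; keep a one-line comment saying why 1 is now the expected code (ticket 3230 is referenced only in the commit message, not in the test), so the next reader does not have to dig through history. Also check that `assert_error` compares the code exactly: if the uninstaller reports the disconnected-topology error with a different non-zero code on some path, the test will fail for the wrong reason.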

Re: [Freeipa-devel] links to docs in the messages from code

2016-10-13 Thread Petr Spacek
On 13.10.2016 08:54, Martin Basti wrote:
> 
> 
> On 12.10.2016 19:56, Petr Spacek wrote:
>> Hello FreeIPA developers,
>>
>> looking at the freeipa-users mailing list, a lot of questions could be
>> answered by just a quick glance at the docs.
>>
>> I wonder if we should add links to the HTML version of the docs on
>> access.redhat.com to the messages generated by the code.
>>
>> If we really want, we can make these platform-specific, but I would not even
>> bother with it. Fedora & CentOS & RHEL users end up on the very same page,
>> only the way they find it is different (mailing list vs. Google vs. paid
>> support).
>>
>>
>> Examples:
>>
>> a) Installation without DNS could end up with message like this:
>> Do not forget to finish post-installation steps listed on
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-dns
>>
>>
>>
>> b) Failed connection check could print link to
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports
>>
>>
>>
>> c) Failed DNS check could mention link
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#dns-reqs
>>
>>
>>
>> d) Failed attempt to find AD DC could print a link to:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>>
>>
>> etc.
>>
>> What do you think about this?
>>
> 
> I'm afraid that those links can change over time, so we have to check them
> regularly otherwise we may end up with links pointing to nowhere.

This check can be easily automated. AFAIK docs team already have tools like 
this.


> I'm not excited too much with this idea.

Okay then. I'm open to any other idea to alleviate the problem with
ever-repeating questions on the freeipa-users list. Do you have one?

-- 
Petr^2 Spacek



[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires

mbasti-rh commented:
"""
Please update BUILD.txt with how to run pylint with build, probably freeipa.org 
should be updated as well
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/159#issuecomment-253483810

[Freeipa-devel] [freeipa PR#159][synchronized] spec file: clean up BuildRequires

2016-10-13 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/159
Author: jcholast
 Title: #159: spec file: clean up BuildRequires
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/159/head:pr159
git checkout pr159
From 506b3e9324bf0497162405594f8bc316b723f7ad Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 12 Oct 2016 13:20:32 +0200
Subject: [PATCH 1/7] spec file: clean up BuildRequires

Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose,
python-paste, python-sssdconfig and systemd-python BuildRequires.

Remove unused custodia, java-headless, m4, policycoreutils,
python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires.

Correct versioned BuildRequires and provide explanatory comments.
---
 freeipa.spec.in | 125 +---
 1 file changed, 75 insertions(+), 50 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e5e1292..c44929b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -43,82 +43,107 @@ URL:http://www.freeipa.org/
 Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-%if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.5.6
-BuildRequires:  svrcore-devel
-BuildRequires:  policycoreutils >= 2.1.12-5
-BuildRequires:  systemd-units
-BuildRequires:  samba-devel >= %{samba_version}
-BuildRequires:  samba-python
-BuildRequires:  libtalloc-devel
-BuildRequires:  libtevent-devel
-%endif # ONLY_CLIENT
-BuildRequires:  nspr-devel
-BuildRequires:  nss-devel
-BuildRequires:  openssl-devel
 BuildRequires:  openldap-devel
-BuildRequires:  krb5-devel >= 1.13
-BuildRequires:  krb5-workstation
-BuildRequires:  libuuid-devel
-BuildRequires:  libcurl-devel >= 7.21.7-2
+# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
+BuildRequires:  krb5-devel >= 1.12
+BuildRequires:  libcurl-devel
+# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
 BuildRequires:  popt-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
-BuildRequires:  m4
 BuildRequires:  libtool
 BuildRequires:  gettext
 BuildRequires:  python-devel
+%if 0%{?with_python3}
+BuildRequires:  python3-devel
+%endif # with_python3
+# %{_unitdir}, %{_tmpfilesdir}
+BuildRequires:  systemd
+BuildRequires:  libini_config-devel
+BuildRequires:  cyrus-sasl-devel
+%if ! %{ONLY_CLIENT}
+# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
+BuildRequires:  389-ds-base-devel >= 1.3.3.9
+BuildRequires:  svrcore-devel
+%if 0%{?rhel}
+BuildRequires:  samba-devel >= 4.0.0
+%else
+BuildRequires:  samba-devel >= 2:4.0.0
+%endif
+BuildRequires:  libtalloc-devel
+BuildRequires:  libtevent-devel
+BuildRequires:  nspr-devel
+BuildRequires:  nss-devel
+BuildRequires:  openssl-devel
+BuildRequires:  libuuid-devel
 BuildRequires:  python-ldap
-BuildRequires:  python-setuptools
-BuildRequires:  python-nss
-BuildRequires:  python-cryptography >= 0.9
 BuildRequires:  python-netaddr
-BuildRequires:  python-gssapi >= 1.1.2
-BuildRequires:  python-rhsm
-BuildRequires:  pyOpenSSL
-BuildRequires:  pylint >= 1.0
-# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
-BuildRequires:  python2-polib
-BuildRequires:  python-libipa_hbac
-BuildRequires:  python-memcached
-BuildRequires:  python-lxml
-BuildRequires:  python-pyasn1 >= 0.0.9a
-BuildRequires:  python-qrcode-core >= 5.0.0
-BuildRequires:  python-dns >= 1.11.1
+BuildRequires:  python-gssapi
+BuildRequires:  python-dns
 BuildRequires:  libsss_idmap-devel
+# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897)
 BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
-BuildRequires:  java-headless
-BuildRequires:  jsl
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
-BuildRequires:  systemd
 BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
-BuildRequires:  python-yubico >= 1.2.3
-BuildRequires:  openssl-devel
-BuildRequires:  pki-base >= 10.3.3-3
-BuildRequires:  python-pytest-multihost >= 0.5
-BuildRequires:  python-pytest-sourceorder
-BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
-BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
-BuildRequires:  libini_config-devel >= 1.2.0
+BuildRequires:  python-netifaces
+%endif # ONLY_CLIENT
+
+#
+# Build dependencies for makeapi/makeaci
+#
+BuildRequires:  krb5-workstation
+BuildRequires:  python-setuptools
+BuildRequires:  python-nss
+# 0.6: serialization.load_pem_private_key, load_pem_public_key
+BuildRequires:  python-cryptography >= 0.6
+BuildRequires:  python-libipa_hbac
+BuildRequires:  python-memcached
+BuildRequires:  python-lxml
+BuildRequires:  python-pyasn1
+# pki Python package
+BuildRequires:  pki-base
 BuildRequires:  dbus-python
-BuildRequires:  python-netifaces >= 0.10.4
 BuildRequires:  python-libsss_nss_idmap
+BuildRequires:  
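Review bot: the hunk is cut off at `+BuildRequires:  ` in this message, so this covers the visible part only. Several version floors are dropped without the explanatory comment the commit message promises: `libcurl-devel` loses `>= 7.21.7-2`, and `python-gssapi`, `python-dns`, `python-pyasn1`, `python-netifaces` and `pki-base` lose theirs, while `krb5-devel`, `xmlrpc-c-devel`, `389-ds-base-devel`, `python-cryptography` and `libsss_nss_idmap-devel` each get a one-line reason; give the unversioned ones the same treatment (or a note that no floor is needed). The visible part also removes `samba-python`, `pylint >= 1.0`, `python2-polib`, `jsl`, `python-qrcode-core`, `python-yubico`, `python-pytest-multihost`, `python-pytest-sourceorder` and `python-jwcrypto`, none of which appear in the commit message's removed list; if they are re-added further down, fine, otherwise list them. Dropping `pylint` as a BuildRequires needs a documented way to run pylint against the build (the earlier comment in this thread asks for BUILD.txt to cover it).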

[Freeipa-devel] [freeipa PR#127][comment] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/127
Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension

mbasti-rh commented:
"""
Hello @tjaalton, I cannot apply the second commit, it needs a rebase.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/127#issuecomment-253487937

Re: [Freeipa-devel] FleetCommander integration

2016-10-13 Thread Sumit Bose
On Tue, Sep 06, 2016 at 01:18:14PM +0300, Alexander Bokovoy wrote:
> Hi,
> 
> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
> FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
> 
> You can read the design page:
> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki

Hi Alexander,

if I understand it correctly each profile has a priority which is used
by FleetCommander on the client side to order the different profiles if
for a given user and host multiple rules match.

To make this work smoothly each priority value should be only assigned
once to avoid a tie. Are you planning to use the uniqueness plugin on
the priority value or are there other ways to solve ties reliably in
FleetCommander?

bye,
Sumit

> 
> The design was mostly figured out in discussions with Alberto, Fabiano,
> Nathaniel, and Jakub, so we are more or less on the common ground here
> between SSSD and FleetCommander. You can send pull requests to me on
> github to update the design. ;)
> 
> You can cut a tarball using
> git archive --format=tar.gz --prefix=freeipa-desktop-profile-0.0.1/ \
>   --output ~/rpmbuild/SOURCES/freeipa-desktop-profile-0.0.1.tar.gz \
>   freeipa-desktop-profile-0.0.1
> 
> And then build the package with
> rpmbuild -ta freeipa-desktop-profile-0.0.1.tar.gz
> 
> When installed, the package does not run ipa-server-upgrade by itself,
> yet. So you need to run ipa-server-upgrade manually. Once ran,
> deskprofile/deskprofilerule topics would become available and can be
> used for testing purposes. For Fedora 24 one can use FreeIPA 4.4.1 from
> COPR, for Fedora 25 we have FreeIPA 4.4.1 in updates stable as of today.
> 
> UI plugin is not ready yet and is disabled in the spec file as it breaks
> loading the whole UI.
> 
> -- 
> / Alexander Bokovoy
> 


Re: [Freeipa-devel] FleetCommander integration

2016-10-13 Thread Alexander Bokovoy

On Thu, 13 Oct 2016, Sumit Bose wrote:
> On Tue, Sep 06, 2016 at 01:18:14PM +0300, Alexander Bokovoy wrote:
>> Hi,
>>
>> Now that FreeIPA 4.4.1 is out, I've pushed to github my prototype for
>> FleetCommander integration: https://github.com/abbra/freeipa-desktop-profile/
>>
>> You can read the design page:
>> https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
>
> Hi Alexander,
>
> if I understand it correctly each profile has a priority which is used
> by FleetCommander on the client side to order the different profiles if
> for a given user and host multiple rules match.
>
> To make this work smoothly each priority value should be only assigned
> once to avoid a tie. Are you planning to use the uniqueness plugin on
> the priority value or are there other ways to solve ties reliably in
> FleetCommander?

I'm not planning to make priorities unique. Do we really need that?
My idea was to make sure we provide clear sorting logic:

profilename.json file name is built using profile RDN and is prefixed by
the priority of the profile rule using leading zeros. To ease handling
of the files, SSSD may transform RDN value by removing certain
characters used by the shell for globbing purposes and by replacing
spaces with underscores. Since the name of the file is only used to
ensure ordering of the profiles when merging them, a lexicographical
sort of names should be enough.

Example: For a profile rule 'Minimal Desktop For Guests' stored as
cn=Minimal desktop for guests,cn=rules,cn=desktop-profile,$SUFFIX with a
priority 100, SSSD would use a file name '000100_Minimal_desktop_for_guests.json'.

Given that you would not be able to have the exact same RDN value in two
different profiles, using lexicographical sort gives you an explicit
ordering schema.


--
/ Alexander Bokovoy
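The naming and sorting rule described in Alexander's reply, as an added example that is not code from freeipa-desktop-profile or SSSD: it builds the per-profile file name from the rule DN and priority, then sorts a constructed set of matching rules, two of which share a priority, to show what the lexicographical fallback does in the tie case Sumit asks about. The set of glob characters stripped and the six-digit zero padding are assumptions taken from the example file name in the thread.

```python
import re

# Assumption: the design text only says "certain characters used by the shell
# for globbing"; this set is what the example strips from the RDN value.
GLOB_CHARS = re.compile(r'[*?\[\]{}]')
# Assumption: six digits, matching '000100' in the thread's example.
PRIORITY_WIDTH = 6


def profile_rdn_value(dn):
    """Return the value of the leading RDN of a DN string.

    'cn=Minimal desktop for guests,cn=rules,...' -> 'Minimal desktop for guests'
    A comma escaped as backslash-comma inside the value does not end the RDN.
    """
    m = re.match(r'(?:[^,\\]|\\.)*', dn)
    attr, sep, value = m.group(0).partition('=')
    if not sep or not attr:
        raise ValueError('not an RDN: %r' % dn)
    return value.replace('\\,', ',')


def profile_file_name(dn, priority):
    """Map a rule DN and its priority to the per-profile file name:
    zero-padded priority, '_', the RDN value with glob characters removed
    and spaces turned into underscores, then '.json'."""
    if not 0 <= priority < 10 ** PRIORITY_WIDTH:
        raise ValueError('priority out of range: %r' % priority)
    value = GLOB_CHARS.sub('', profile_rdn_value(dn)).replace(' ', '_')
    return '%s_%s.json' % (str(priority).zfill(PRIORITY_WIDTH), value)


def merge_order(rules):
    """rules: iterable of (dn, priority) pairs that matched a user and host.

    Returns the file names in the order a client would merge them: a plain
    string sort. The zero padding keeps numeric priority order (without it
    '100' would sort before '50'). Rules with equal priority fall back to
    byte order of the transformed RDN, which is deterministic but carries
    no policy meaning; that is the tie the thread is discussing.
    """
    return sorted(profile_file_name(dn, prio) for dn, prio in rules)


if __name__ == '__main__':
    # Constructed sample rules; two of them share priority 100.
    suffix = 'dc=example,dc=test'
    sample = [
        ('cn=Minimal desktop for guests,cn=rules,cn=desktop-profile,' + suffix, 100),
        ('cn=Developers,cn=rules,cn=desktop-profile,' + suffix, 50),
        ('cn=Kiosk [lab],cn=rules,cn=desktop-profile,' + suffix, 100),
    ]
    for name in merge_order(sample):
        print(name)
```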



[Freeipa-devel] [freeipa PR#160][edited] Reverted the assertion for replica uninstall returncode

2016-10-13 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/160
Author: ofayans
 Title: #160: Reverted the assertion for replica uninstall returncode
Action: edited

 Changed field: title
Original value:
"""
Reverted the essertion for replica uninstall returncode
"""


[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-10-13 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
From 219aadd8aede7c0a06a59d62804ad3d55382910f Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Fri, 30 Sep 2016 01:00:02 +0300
Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa

This is more consistent with the other daemons.
---
 daemons/ipa-otpd/Makefile.am  | 3 ++-
 daemons/ipa-otpd/ipa-o...@.service.in | 2 +-
 freeipa.spec.in   | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index 8392174..d2e1679 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
 AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
 
 noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
 dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py
 systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
 
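Review bot: `appdir = $(libexecdir)/ipa/` carries a trailing slash, which automake passes through unchanged and yields paths like `.../ipa//ipa-otpd` in install and uninstall output; drop the slash. The `%dir %{_libexecdir}/ipa` entry already exists in the spec's %files, so the new install location is owned by the package.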
diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in
index b85d5a1..92afb40 100644
--- a/daemons/ipa-otpd/ipa-o...@.service.in
+++ b/daemons/ipa-otpd/ipa-o...@.service.in
@@ -3,7 +3,7 @@ Description=ipa-otpd service
 
 [Service]
 EnvironmentFile=@sysconfdir@/ipa/default.conf
-ExecStart=@libexecdir@/ipa-otpd $ldap_uri
+ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri
 StandardInput=socket
 StandardOutput=socket
 StandardError=syslog
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e5e1292..260d58c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1058,13 +1058,13 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
-%{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
+%{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
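Review bot: this hunk only moves the `%files` entry, but the binary itself moves and the socket-activated `ipa-otpd@.service` instances on an upgraded server keep the unit they loaded until systemd reloads its units; confirm that the package's %post scriptlets (not in this hunk) trigger a daemon-reload, or that the systemd macros already in the spec cover it, so the next OTP authentication after the upgrade does not exec a path that no longer exists.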

From 0231023bd028a8ba1bce74aeb0ebbf8d22790b3b Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 29 Mar 2016 21:33:15 +0300
Subject: [PATCH 2/2] Purge obsolete firefox extension

---
 freeipa.spec.in|  12 --
 install/Makefile.am|   1 -
 install/configure.ac   |   5 -
 install/ffextension/Makefile.am|  23 ---
 install/ffextension/bootstrap.js   |  88 -
 install/ffextension/chrome.manifest|   4 -
 install/ffextension/chrome/Makefile.am |  19 --
 install/ffextension/chrome/content/Makefile.am |  17 --
 install/ffextension/chrome/content/kerberosauth.js | 197 -
 .../chrome/content/kerberosauth_overlay.xul|   9 -
 install/ffextension/install.rdf|  26 ---
 install/ffextension/locale/Makefile.am |  19 --
 install/ffextension/locale/en-US/Makefile.am   |  16 --
 .../locale/en-US/kerberosauth.properties   |   4 -
 install/share/Makefile.am  |   1 -
 install/share/krb.js.template  |   2 -
 ipaplatform/base/paths.py  |   4 -
 ipaserver/install/httpinstance.py  |  42 +
 ipaserver/install/server/replicainstall.py |   4 +-
 ipaserver/install/server/upgrade.py|  11 --
 20 files changed, 2 insertions(+), 502 deletions(-)
 delete mode 100644 install/ffextension/Makefile.am
 delete mode 100644 install/ffextension/bootstrap.js
 delete mode 100644 install/ffextension/chrome.manifest
 delete mode 100644 install/ffextension/chrome/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/kerberosauth.js
 delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul
 delete mode 100644 install/ffextension/install.rdf
 delete mode 100644 install/ffextension/locale/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties
 delete mode 100644 install/share/krb.js.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 260d58c..49e20f6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.5-6
 Requires: pki-kra >= 10.3.5-6
 Requires(preun): python systemd-units
 
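Review bot: the commit message has no body; since this removes an extension that deployed servers may still be serving, say why it is obsolete and what replaces it. The diffstat shows `ipaplatform/base/paths.py` losing 4 lines and `ipaserver/install/server/upgrade.py` losing 11: once the path constants for the extension are gone, check that upgrade.py no longer references them and that servers upgraded from a version that shipped the extension get the already-installed files removed rather than merely no longer installed. The spec hunk itself is cut off after `Requires(preun): python systemd-units` in this message.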

[Freeipa-devel] [freeipa PR#159][synchronized] spec file: clean up BuildRequires

2016-10-13 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/159
Author: jcholast
 Title: #159: spec file: clean up BuildRequires
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/159/head:pr159
git checkout pr159
From 506b3e9324bf0497162405594f8bc316b723f7ad Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 12 Oct 2016 13:20:32 +0200
Subject: [PATCH 1/7] spec file: clean up BuildRequires

Add missing cyrus-sasl-devel, python-cffi, python-custodia, python-nose,
python-paste, python-sssdconfig and systemd-python BuildRequires.

Remove unused custodia, java-headless, m4, policycoreutils,
python-kdcproxy, python-rhsm, pyOpenSSL and systemd-units BuildRequires.

Correct versioned BuildRequires and provide explanatory comments.
---
 freeipa.spec.in | 125 +---
 1 file changed, 75 insertions(+), 50 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e5e1292..c44929b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -43,82 +43,107 @@ URL:http://www.freeipa.org/
 Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-%if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.5.6
-BuildRequires:  svrcore-devel
-BuildRequires:  policycoreutils >= 2.1.12-5
-BuildRequires:  systemd-units
-BuildRequires:  samba-devel >= %{samba_version}
-BuildRequires:  samba-python
-BuildRequires:  libtalloc-devel
-BuildRequires:  libtevent-devel
-%endif # ONLY_CLIENT
-BuildRequires:  nspr-devel
-BuildRequires:  nss-devel
-BuildRequires:  openssl-devel
 BuildRequires:  openldap-devel
-BuildRequires:  krb5-devel >= 1.13
-BuildRequires:  krb5-workstation
-BuildRequires:  libuuid-devel
-BuildRequires:  libcurl-devel >= 7.21.7-2
+# 1.12: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678)
+BuildRequires:  krb5-devel >= 1.12
+BuildRequires:  libcurl-devel
+# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
 BuildRequires:  popt-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
-BuildRequires:  m4
 BuildRequires:  libtool
 BuildRequires:  gettext
 BuildRequires:  python-devel
+%if 0%{?with_python3}
+BuildRequires:  python3-devel
+%endif # with_python3
+# %{_unitdir}, %{_tmpfilesdir}
+BuildRequires:  systemd
+BuildRequires:  libini_config-devel
+BuildRequires:  cyrus-sasl-devel
+%if ! %{ONLY_CLIENT}
+# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
+BuildRequires:  389-ds-base-devel >= 1.3.3.9
+BuildRequires:  svrcore-devel
+%if 0%{?rhel}
+BuildRequires:  samba-devel >= 4.0.0
+%else
+BuildRequires:  samba-devel >= 2:4.0.0
+%endif
+BuildRequires:  libtalloc-devel
+BuildRequires:  libtevent-devel
+BuildRequires:  nspr-devel
+BuildRequires:  nss-devel
+BuildRequires:  openssl-devel
+BuildRequires:  libuuid-devel
 BuildRequires:  python-ldap
-BuildRequires:  python-setuptools
-BuildRequires:  python-nss
-BuildRequires:  python-cryptography >= 0.9
 BuildRequires:  python-netaddr
-BuildRequires:  python-gssapi >= 1.1.2
-BuildRequires:  python-rhsm
-BuildRequires:  pyOpenSSL
-BuildRequires:  pylint >= 1.0
-# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
-BuildRequires:  python2-polib
-BuildRequires:  python-libipa_hbac
-BuildRequires:  python-memcached
-BuildRequires:  python-lxml
-BuildRequires:  python-pyasn1 >= 0.0.9a
-BuildRequires:  python-qrcode-core >= 5.0.0
-BuildRequires:  python-dns >= 1.11.1
+BuildRequires:  python-gssapi
+BuildRequires:  python-dns
 BuildRequires:  libsss_idmap-devel
+# 1.14.0: sss_nss_getnamebycert (https://fedorahosted.org/sssd/ticket/2897)
 BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
-BuildRequires:  java-headless
-BuildRequires:  jsl
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
-BuildRequires:  systemd
 BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
-BuildRequires:  python-yubico >= 1.2.3
-BuildRequires:  openssl-devel
-BuildRequires:  pki-base >= 10.3.3-3
-BuildRequires:  python-pytest-multihost >= 0.5
-BuildRequires:  python-pytest-sourceorder
-BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
-BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
-BuildRequires:  libini_config-devel >= 1.2.0
+BuildRequires:  python-netifaces
+%endif # ONLY_CLIENT
+
+#
+# Build dependencies for makeapi/makeaci
+#
+BuildRequires:  krb5-workstation
+BuildRequires:  python-setuptools
+BuildRequires:  python-nss
+# 0.6: serialization.load_pem_private_key, load_pem_public_key
+BuildRequires:  python-cryptography >= 0.6
+BuildRequires:  python-libipa_hbac
+BuildRequires:  python-memcached
+BuildRequires:  python-lxml
+BuildRequires:  python-pyasn1
+# pki Python package
+BuildRequires:  pki-base
 BuildRequires:  dbus-python
-BuildRequires:  python-netifaces >= 0.10.4
 BuildRequires:  python-libsss_nss_idmap
+BuildRequires:  
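Review bot: nspr-devel, nss-devel, openssl-devel and libuuid-devel move from the unconditional block into `%if ! %{ONLY_CLIENT}` (the `+BuildRequires:  nspr-devel` through `+BuildRequires:  libuuid-devel` lines), but neither the commit message nor a spec comment says the client-only build no longer needs them; please confirm that and state it in the commit message. In the same hunk the "explanatory comment per versioned BuildRequires" rule is applied only one way: python-cryptography gets `>= 0.6` with a comment, while python-dns, python-gssapi, python-pyasn1 and libcurl-devel lose their minimum version with no note on why any version is now acceptable. Either keep the version or add a one-line comment, so the minimums stay auditable.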

[Freeipa-devel] [freeipa PR#159][comment] spec file: clean up BuildRequires

2016-10-13 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/159
Title: #159: spec file: clean up BuildRequires

jcholast commented:
"""
@pspacek, @mbasti-rh, fixed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/159#issuecomment-253491282

[Freeipa-devel] [freeipa PR#126][comment] Fix ipa migrate-ds when it finds a search reference

2016-10-13 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/126
Title: #126: Fix ipa migrate-ds when it finds a search reference

mbasti-rh commented:
"""
Hello, LGTM but PR needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/126#issuecomment-253491876

Re: [Freeipa-devel] [Test][Patch-0047] Added a test for Ticket N 5964

2016-10-13 Thread Oleg Fayans

Hi Martin,

Thanks for the review.
With disabling directory server it works as well, thanks for the hint.
Also I moved the cleanup logic to the test itself for the sake of 
simplicity. Patch-0048 was not changed.


On 10/12/2016 02:35 PM, Martin Basti wrote:

1)

Can you just turn off dirsrv on replica instead of doing iptables magic?


2) NACK

No more eval() ever in code, use 'getattr', 'get' or whatever in the
object that can be used.

+evalhost = eval("args[0].%s" % host)

Martin^2

On 12.10.2016 14:03, Oleg Fayans wrote:

Hi Martin,

After extensive discussion with Ludwig, I finally got the clue on how
this feature works. When we uninstall the replica, the master
cleans the replication agreements with this replica and automatically
cleans all replica's RUVs.
If we clean replica's RUVs on master without uninstalling the replica,
the replica's RUVs get recreated on master (replication works!). So,
the only way to test the clean-ruv subcommand is to turn off the
replica, or block the traffic on it so it gets inaccessible to updates
from master.
The testcases were updated, see [1] and [2]

The updated versions of the patches are attached

[1]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_.2A-ruv_subcommands_of_ipa-replica-manage_are_extended_to_handle_CA-specific_RUVs


[2]
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan#Test_case:_clean-ruv_subcommand


On 08/05/2016 06:36 PM, Martin Basti wrote:

On 03.08.2016 14:45, Oleg Fayans wrote:

Hi Martin,

Thanks for the review! Both patches were updated.

On 07/28/2016 04:11 PM, Martin Basti wrote:

On 08.07.2016 15:41, Oleg Fayans wrote:

Hi Martin,

Thanks for the review!

On 07/08/2016 02:18 PM, Martin Basti wrote:

On 27.06.2016 13:53, Oleg Fayans wrote:

Hi guys,

Is there a chance the patches NN 0047.1 and 0048.1 get reviewed before
the 4.4 release? They cover a good part of the Managed Topology 4.4
feature.

On 06/17/2016 11:18 AM, Oleg Fayans wrote:

One more test was added to the patch-0048

On 06/17/2016 09:43 AM, Oleg Fayans wrote:

Fixed a bug in the previous patch, automated 2 more testcases from
http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan

On 06/16/2016 04:46 PM, Oleg Fayans wrote:
IIUC, this will turn off the machine completely; how is cleanup done
then? AFAIK our tests cannot turn the machine on again and run
cleanup, so you will not be able to run more tests on the same topology
without manual cleanup and manual start.

+replica = self.replicas[0]
+replica.run_command(['poweroff'])

IMO would be better to just call 'ipactl stop' instead of 'poweroff'


Agreed! Fixed.



Martin^2

*Automated ipa-replica-manage del tests*

1)
+replica.run_command(['ipactl', 'stop'])
+time.sleep(3)

Why do you need sleep here?


Removed, it was left from the old "poweroff" approach

2)
+ruvid_re = re.compile(".*%s:389: (\d+).*" % replica.hostname)
+replica_ruvs = ruvid_re.findall(result.stdout_text)
+master.run_command(['ipa-replica-manage', 'clean-ruv', 'f',
+'-p', master.config.dirman_password,
+replica_ruvs[0]])

Because you are using re.findall(), without any match you will receive
an IndexError here at replica_ruvs[0]. IMO it deserves an assert before.


Implemented the assert which checks that the output contains enough
replica RUVs



3)
assert(replica.hostname in result1.stdout_text)

I think that this is error prone. What if there is just an error
'could not connect to replica ', or something similar, instead of the
listing/cleaning/whatever operation that was executed? I think that it
should be a more specific regexp than just finding a replica name
substring. (Yes, in IPA we don't always print errors to stderr.)

I'm not sure, but probably there might be cases when a non-critical
error happens and the exit status is still 0.


Agree. Implemented a regex-based search



4)

+replica.run_command(['poweroff'])
+time.sleep(3)

There should not be poweroff, probably sleep could be removed too.


Gone

*Automated clean-ruv subcommand test*

1) PEP8, 2 new lines expected
./ipatests/test_integration/test_topology.py:163:1: E302 expected 2 blank lines, found 0
./ipatests/test_integration/test_topology.py:182:80: E501 line too long (85 > 79 characters)


Fixed

2)
I don't like doing an assert just with the count of occurrences of a
substring in STDOUT; would it be possible to improve this somehow?


Maybe, but frankly, I don't see how. In this case we are making sure
that both simple and CA-specific RUVs of a replica are displayed. The
format of the output is strict:
Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
Certificate Server Replica Update Vectors:
replica1_hostname:389: RUV_id
replica2_hostname:389: RUV_id
If we do not see 2 occurrences of the replica hostname, then definitely
something went wrong
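The review points in this thread (the IndexError from `re.findall()` when nothing matches, the substring check that a "could not connect to replica" message would also satisfy, the assert on a count of occurrences, and the `eval("args[0].%s" % host)` on a host name) worked through as an added Python example. This is not code from the thread or from the FreeIPA test suite: the `list-ruv` output, host names and RUV ids below are constructed to match the format quoted above, and `parse_list_ruv`, `replica_ruvs`, `has_both_ruvs`, `host_by_name` and `_ConstructedHosts` are hypothetical helper names. It parses the output per section with a whole-line regex, so the check is for the specific RUV entries of a host rather than for the host name appearing somewhere in stdout, and replaces the `eval()` with an attribute lookup that cannot execute its input.

```python
import re

# Constructed sample in the `ipa-replica-manage list-ruv` output format
# quoted in the thread; host names and RUV ids are made up.
SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tmaster.example.test:389: 4
\treplica1.example.test:389: 7
Certificate Server Replica Update Vectors:
\tmaster.example.test:389: 96
\treplica1.example.test:389: 97
"""

# Constructed output of a failed run: the replica name appears, but no RUV does.
SAMPLE_ERROR_OUTPUT = "could not connect to replica1.example.test\n"

SECTION_HEADERS = {
    "Replica Update Vectors:": "replica",
    "Certificate Server Replica Update Vectors:": "ca",
}

# One RUV entry, "<host>:<port>: <id>", anchored to the whole line, so an
# error message that merely mentions the host name never matches.
RUV_LINE_RE = re.compile(r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s+(?P<rid>\d+)\s*$")


def parse_list_ruv(stdout_text):
    """Return {'replica': {host: rid}, 'ca': {host: rid}} parsed from stdout_text."""
    sections = {"replica": {}, "ca": {}}
    current = None
    for line in stdout_text.splitlines():
        section = SECTION_HEADERS.get(line.strip())
        if section is not None:
            current = section
            continue
        match = RUV_LINE_RE.match(line)
        if current is None or match is None:
            continue  # not a well-formed RUV entry, or no section header seen yet
        sections[current][match.group("host")] = int(match.group("rid"))
    return sections


def replica_ruvs(stdout_text, hostname):
    """Return (replica_rid, ca_rid) for hostname.

    Fails with a message naming the missing section instead of letting a
    later `[0]` on an empty findall() result raise a bare IndexError."""
    sections = parse_list_ruv(stdout_text)
    missing = [kind for kind in ("replica", "ca") if hostname not in sections[kind]]
    if missing:
        raise AssertionError("no %s RUV listed for %s in:\n%s"
                             % (" and ".join(missing), hostname, stdout_text))
    return sections["replica"][hostname], sections["ca"][hostname]


def has_both_ruvs(stdout_text, hostname):
    """True when both the plain and the CA RUV of hostname are listed."""
    try:
        replica_ruvs(stdout_text, hostname)
    except AssertionError:
        return False
    return True


class _ConstructedHosts(object):
    """Constructed stand-in for the test's args[0] object (one attribute per host role)."""
    master = "master.example.test"
    replica = "replica1.example.test"


SAMPLE_HOSTS = _ConstructedHosts()


def host_by_name(args, name):
    """Replacement for eval("args[0].%s" % name): a plain attribute lookup.

    The name must be a public identifier, so it can never be parsed as an
    expression or reach private or dunder attributes."""
    if not name.isidentifier() or name.startswith("_"):
        raise ValueError("not a public attribute name: %r" % (name,))
    return getattr(args[0], name)


if __name__ == "__main__":
    print(replica_ruvs(SAMPLE_LIST_RUV, "replica1.example.test"))
    print(has_both_ruvs(SAMPLE_ERROR_OUTPUT, "replica1.example.test"))
    print(host_by_name([SAMPLE_HOSTS], "replica"))
```

In a test, `replica_ruvs(result.stdout_text, replica.hostname)` gives both ids with a readable failure, and `has_both_ruvs` replaces the count-of-occurrences assert with a check that the host has an entry in each of the two sections.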