[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
Also, the current execution flow of the command is very confusing (retrieving 
objects based on intended principal types etc.). As a part of the ticket I was 
planning to do a sneaky refactoring of the flow which IMHO should look like 
this:

1.) you search entries by krbprincipalname extracted from 'principal' option 
(or from bind principal)

2.) If not found, you error out that such entry could not be found

3.) due to syntax overrides in ipaldap, all returned principals will be 
converted to Principal objects so *after you retrieve the entry and ensure that 
it exists* you can test whether it is service, user, etc.

4.) for values in SAN, you check whether the value is already container in the 
entries principals (as you do in this PR). If the principal is not there, you 
can try to retrieve the entry from ldap and either error out if not found, or 
check CA ACLs against it when present.

5.) if all is OK, forward the request to RA backend and issue the certificate.

Do you think that this would extend the scope of the ticket too much? If yes, I 
can open a separate ticket for this cleanup and do it on top of your work.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/227#issuecomment-260324953
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#143][+pushed] Issue6386 nss dir

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/143
Title: #143: Issue6386 nss dir

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a22a5dd676f581910ac7872c1a20322278fc7d4a
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/143#issuecomment-260328232
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#143][closed] Issue6386 nss dir

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/143
Author: tiran
 Title: #143: Issue6386 nss dir
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/143/head:pr143
git checkout pr143
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#178][+ack] ipatests: Fix assert_deepequal outside of pytest process

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/178
Title: #178: ipatests: Fix assert_deepequal outside of pytest process

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#203][+rejected] Add sdist_list plugin to all setup.py

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/203
Title: #203: Add sdist_list plugin to all setup.py

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
@frasertweedale What is the intended semantics of the checks against principal 
aliases in SAN? If the requestor can use only the aliases belonging to the 
entry of the recieving principal, then it should be enough to retrieve the 
entry by searching for the 'krbprincipalname' from --principal option, retrieve 
it, and then checking whether all values of dnsName/KRB5PrincipalName are a 
subset of Kerberos principal aliases.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/227#issuecomment-260324521
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#197][edited] Make setup.py files PyPI compatible

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/197
Author: tiran
 Title: #197: Make setup.py files PyPI compatible
Action: edited

 Changed field: body
Original value:
"""
- Use PEP 440 compatible version schema
- Use correct classifiers

Signed-off-by: Christian Heimes 
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#164][closed] Trust AD cleanup

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/164
Author: mirielka
 Title: #164: Trust AD cleanup
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/164/head:pr164
git checkout pr164
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#164][+pushed] Trust AD cleanup

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/164
Title: #164: Trust AD cleanup

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/158
Title: #158: WebUI: update Patternfly and Bootstrap

mbasti-rh commented:
"""
Bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/158#issuecomment-260331171
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
Also one of the tests in caacl_profile_enforcement suite fails:
https://paste.fedoraproject.org/481011/12920714/

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/227#issuecomment-260331265
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#185][+ack] TESTS: Update group type name

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/185
Title: #185: TESTS: Update group type name

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][+ack] Update man page for ipa-adtrust-install by removing --no-msdcs option

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#178][comment] ipatests: Fix assert_deepequal outside of pytest process

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/178
Title: #178: ipatests: Fix assert_deepequal outside of pytest process

mbasti-rh commented:
"""
ACK, because fixing PEP8 makes readability worse in this case and it is against 
PEP8 :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/178#issuecomment-260332117
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#164][comment] Trust AD cleanup

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/164
Title: #164: Trust AD cleanup

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8a177732afc404a830b75cab03fb420af93fa441
https://fedorahosted.org/freeipa/changeset/3938698e07404acfd7ae84fcaae9c02850d1afa7
https://fedorahosted.org/freeipa/changeset/46aa41444521a1746d584b703054e2a971915dc6
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/244287a497a23e4d4d0b929d8311214f3ba4d571
https://fedorahosted.org/freeipa/changeset/546382f3a64b3627e72497253bfb229d55e882cc
https://fedorahosted.org/freeipa/changeset/1bb9b102edb57068028a97510c469640e6cf6268
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/164#issuecomment-260335007
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#119][+ack] Tests: Providing trust tests with tree root domain

[gkaihorodova]

  URL: https://github.com/freeipa/freeipa/pull/119
Title: #119: Tests: Providing trust tests with tree root domain

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#231][comment] Do not log DM password in ca/kra installation logs

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/231
Title: #231: Do not log DM password in ca/kra installation logs

martbab commented:
"""
I would rather hide the password by default in the `spawn_instance` method in 
the same manner as is done for admin_password, see 
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/dogtaginstance.py?id=f183f70e0183e51d569ada972bd3ec73cad76a30#n166
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/231#issuecomment-260339196
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#231][closed] Do not log DM password in ca/kra installation logs

[stlaz]

   URL: https://github.com/freeipa/freeipa/pull/231
Author: stlaz
 Title: #231: Do not log DM password in ca/kra installation logs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/231/head:pr231
git checkout pr231
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#157][+ack] git: Add commit template

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#164][+ack] Trust AD cleanup

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/164
Title: #164: Trust AD cleanup

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From c0faf1d8263c11d110a63b912c82a74e2f04a4d8 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From 8967612df5461669862f2609bdf69ecf7d1a0901 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+stdin_text = string.digits+string.letters[2:] + '\n'
+tasks.run_certutil(master, ['-S', '-s',
+

[Freeipa-devel] [freeipa PR#215][synchronized] Add script to setup krb5 NFS exports

[jumitche]

   URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
 Title: #215: Add script to setup krb5 NFS exports
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215
From 99c8c50dd7f1cf106b9480c1805339eb2382f18c Mon Sep 17 00:00:00 2001
From: Justin Mitchell 
Date: Tue, 8 Nov 2016 11:15:57 +
Subject: [PATCH 1/3] Add script to setup krb5 NFS exports

---
 client/Makefile.am  |   1 +
 client/ipa-client-nfsexport | 814 
 freeipa.spec.in |   1 +
 3 files changed, 816 insertions(+)
 create mode 100755 client/ipa-client-nfsexport

diff --git a/client/Makefile.am b/client/Makefile.am
index 30adafd..8996fd5 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -45,6 +45,7 @@ sbin_PROGRAMS =			\
 sbin_SCRIPTS =			\
 	ipa-client-install	\
 	ipa-client-automount	\
+	ipa-client-nfsexport	\
 	ipa-certupdate		\
 	$(NULL)
 
diff --git a/client/ipa-client-nfsexport b/client/ipa-client-nfsexport
new file mode 100755
index 000..ef47942
--- /dev/null
+++ b/client/ipa-client-nfsexport
@@ -0,0 +1,814 @@
+#!/usr/bin/python -E
+#
+# Configure an IPA/AD client system to serve Kerberos NFS4
+#
+# Author: Justin Mitchell 
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+#
+## Clients must also do:
+# ipa service-add nfs/client.mydomain
+# ipa-getkeytab -s ipa.mydomain -p nfs/client.mydomain -k /etc/krb5.keytab
+# systemctl start nfs-client.target
+# optionally: ipa-client-automount
+
+from __future__ import print_function
+
+try:
+import sys
+import os
+import time
+import tempfile
+import dns
+import socket
+import netaddr
+import logging
+import subprocess
+import tempfile
+import ConfigParser
+import re
+
+from dns import resolver, rdatatype
+from dns.exception import DNSException
+from argparse import ArgumentParser
+from subprocess import CalledProcessError, check_output, check_call
+
+except ImportError as e:
+print("""\
+There was a problem importing one of the required Python modules. The
+error was:
+
+%s
+""" % e, file=sys.stderr)
+sys.exit(1)
+
+
+class Paths:
+"""Collection of pathnames and executables to use"""
+IPA_CLI = "/usr/bin/ipa"
+IPA_GETKEYTAB = "/usr/sbin/ipa-getkeytab"
+KLIST = "/usr/bin/klist"
+KINIT = "/usr/bin/kinit"
+IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+RESOLV_CONF = "/etc/resolv.conf"
+EXPORTS = "/var/lib/nfs/etab"
+KEYTAB = "/etc/krb5.keytab"
+EXPORTSFILE = "/etc/exports.d/krb5.exports"
+EXPORTFS = "/usr/sbin/exportfs"
+SYSTEMCTL = "/usr/bin/systemctl"
+IPACONFIG = "/etc/ipa/default.conf"
+KRB5CONFIG = "/etc/krb5.conf"
+DNF = "/usr/bin/dnf"
+
+
+def parse_options():
+parser = ArgumentParser()
+
+parser.add_argument("--domain", dest="domain", help="domain name")
+parser.add_argument("--server", dest="server", help="IPA server", action="append")
+parser.add_argument("--export", dest="exports", help="NFS mount exports", action="append")
+parser.add_argument("--realm", dest="realm", help="realm name")
+parser.add_argument("--hostname", dest="hostname", help="The hostname of this machine (FQDN)")
+parser.add_argument("--username", dest="username", help="Kerberos Username")
+parser.add_argument("--force", action="store_true", 
+help="Perform actions even if unneccessary")
+parser.add_argument("-v", "--verbose", help="Increase Verbosity", action="count")
+parser.add_argument("--automount", dest="automount", default=None, action="store_true", 
+help="Configure mounts for automount use")
+parser.add_argument("--noautomount", dest="automount", default=None, action="store_false", 
+help="Do not configure mounts for automount use")
+
+options = parser.parse_args()
+
+if options.verbose > 0:
+logging.getLogger().setLevel(logging.DEBUG)
+
+return options
+
+
+def have_keytab( hostname, service='host', realm=None ):
+"""Test if we have been configured for any realm by the existance
+of a host key in the default keytab"""
+
+principal = '%s/%s' % (service, hostname)
+if realm:
+

[Freeipa-devel] [freeipa PR#224][+ack] Integration tests for certs in idoverrides

[mirielka]

  URL: https://github.com/freeipa/freeipa/pull/224
Title: #224: Integration tests for certs in idoverrides

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#174][comment] add log module

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

mbasti-rh commented:
"""
@shanyin great, I suppose you want those translations in IPA 4.4.x, so I could 
try to copy them from master.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/174#issuecomment-260319825
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][synchronized] Integration tests for certs in idoverrides

[ofayans]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
From b26d7b67ff1ebcf81231376318249554ec339d55 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 6 Sep 2016 12:39:45 +0200
Subject: [PATCH 1/3] Added interface to certutil

Added generic method to run certutil with arbitrary set of paramenters
---
 ipatests/test_integration/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index df5e408..dcf9ab8 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -1207,6 +1207,13 @@ def run_server_del(host, server_to_delete, force=False,
 return host.run_command(args, raiseonerr=False)
 
 
+def run_certutil(host, args, reqdir, stdin=None, raiseonerr=True):
+new_args = [paths.CERTUTIL, "-d", reqdir]
+new_args = " ".join(new_args + args)
+return host.run_command(new_args, raiseonerr=raiseonerr,
+stdin_text=stdin)
+
+
 def assert_error(result, stderr_text, returncode=None):
 "Assert that `result` command failed and its stderr contains `stderr_text`"
 assert stderr_text in result.stderr_text, result.stderr_text

From a7e853457a012a9f587f1af0cc92f121cf9a1fbd Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 10 Nov 2016 10:32:41 +0100
Subject: [PATCH 2/3] Test: integration tests for certs in idoverrides feature

https://fedorahosted.org/freeipa/ticket/6005
---
 ipatests/test_integration/test_idviews.py | 156 ++
 1 file changed, 156 insertions(+)
 create mode 100644 ipatests/test_integration/test_idviews.py

diff --git a/ipatests/test_integration/test_idviews.py b/ipatests/test_integration/test_idviews.py
new file mode 100644
index 000..c35997c
--- /dev/null
+++ b/ipatests/test_integration/test_idviews.py
@@ -0,0 +1,156 @@
+#
+# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
+#
+
+import os
+import re
+import string
+from ipatests.test_integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.env_config import get_global_config
+from ipaplatform.paths import paths
+config = get_global_config()
+
+
+class TestCertsInIDOverrides(IntegrationTest):
+topology = "line"
+num_ad_domains = 1
+adview = 'Default Trust View'
+cert_re = re.compile('Certificate: (?P.*?)\\s+.*')
+adcert1 = 'MyCert1'
+adcert2 = 'MyCert2'
+adcert1_file = adcert1 + '.crt'
+adcert2_file = adcert2 + '.crt'
+
+@classmethod
+def uninstall(cls, mh):
+super(TestCertsInIDOverrides, cls).uninstall(mh)
+cls.master.run_command(['rm', '-rf', cls.reqdir], raiseonerr=False)
+
+@classmethod
+def install(cls, mh):
+super(TestCertsInIDOverrides, cls).install(mh)
+cls.ad = config.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+
+master = cls.master
+# A setup for test_dbus_user_lookup
+master.run_command(['dnf', 'install', '-y', 'sssd-dbus'],
+   raiseonerr=False)
+# The tasks.modify_sssd_conf way did not work because
+# sssd_domain.set_option knows nothing about 'services' parameter of
+# the sssd config file. Therefore I am using sed approach
+master.run_command(
+"sed -i '/^services/ s/$/, ifp/' %s" % paths.SSSD_CONF)
+master.run_command(
+"sed -i 's/= 7/= 0xFFF0/' %s" % paths.SSSD_CONF, raiseonerr=False)
+master.run_command(['systemctl', 'restart', 'sssd.service'])
+# End of setup for test_dbus_user_lookup
+
+# AD-related stuff
+tasks.install_adtrust(master)
+tasks.sync_time(master, cls.ad)
+tasks.establish_trust_with_ad(cls.master, cls.ad_domain,
+  extra_args=['--range-type',
+  'ipa-ad-trust'])
+
+cls.reqdir = os.path.join(master.config.test_dir, "certs")
+cls.reqfile1 = os.path.join(cls.reqdir, "test1.csr")
+cls.reqfile2 = os.path.join(cls.reqdir, "test2.csr")
+cls.pwname = os.path.join(cls.reqdir, "pwd")
+
+# Create a NSS database folder
+master.run_command(['mkdir', cls.reqdir], raiseonerr=False)
+# Create an empty password file
+master.run_command(["touch", cls.pwname], raiseonerr=False)
+
+# Initialize NSS database
+tasks.run_certutil(master, ["-N", "-f", cls.pwname], cls.reqdir)
+# Now generate self-signed certs for a windows user
+stdin_text = string.digits+string.letters[2:] + '\n'
+

[Freeipa-devel] [freeipa PR#224][comment] Integration tests for certs in idoverrides

[ofayans]

  URL: https://github.com/freeipa/freeipa/pull/224
Title: #224: Integration tests for certs in idoverrides

ofayans commented:
"""
@mirielka done, thank you for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/224#issuecomment-260283573
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup

[lslebodn]

  URL: https://github.com/freeipa/freeipa/pull/236
Title: #236: Build phase 7: cleanup

lslebodn commented:
"""
>Hi Lukas. Given there is no technical justification to have it I'm going to 
>remove these. Simple is better than complex.
I am sorry I do not agree. The technical justification was explained in 
previous comments few time. The $(NULL) at the end of list makes patches much 
simpler and easier to read. The purpose of refactoring is make code simpler but 
also easier to **maintain/review**

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/236#issuecomment-260289586
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][-ack] Update man page for ipa-adtrust-install by removing --no-msdcs option

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

Label: -ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#236][comment] Build phase 7: cleanup

[pspacek]

  URL: https://github.com/freeipa/freeipa/pull/236
Title: #236: Build phase 7: cleanup

pspacek commented:
"""
Hi Lukas. Given there is no technical justification to have it I'm going to 
remove these. Simple is better than complex.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/236#issuecomment-260280943
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#195][synchronized] [WIP] Make ipaclient pip install-able

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/195
Author: tiran
 Title: #195: [WIP] Make ipaclient pip install-able
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/195/head:pr195
git checkout pr195
From f7e0d1a9d0e59c3ef8f65186ecfdad5d19b4586f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 27 Oct 2016 14:04:58 +0200
Subject: [PATCH] Add install requirements to Python packages

Signed-off-by: Christian Heimes 
---
 Makefile.am  | 21 -
 Makefile.python.am   |  6 ++
 ipaclient/setup.py   | 11 +++
 ipalib/setup.py  |  8 
 ipaplatform/setup.py |  7 +++
 ipapython/setup.py   | 17 +
 ipaserver/setup.py   | 23 +++
 ipasetup.py.in   | 24 
 ipatests/setup.py| 23 ++-
 9 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 159d396..807a4f3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,5 @@
-SUBDIRS = asn1 util client contrib daemons init install ipaclient ipalib ipaplatform ipapython ipaserver ipatests po
+IPACLIENT_SUBDIRS = ipaclient ipalib ipaplatform ipapython
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaserver ipatests po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -162,3 +163,21 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+
+.PHONY: bdist_wheel wheel_bundle
+WHEELDISTDIR = $(top_builddir)/dist/wheels
+WHEELBUNDLEDIR = $(top_builddir)/dist/bundle
+
+$(WHEELDISTDIR):
+	mkdir -p $(WHEELDISTDIR)
+
+$(WHEELBUNDLEDIR):
+	mkdir -p $(WHEELBUNDLEDIR)
+
+bdist_wheel: $(WHEELDISTDIR)
+	for dir in $(IPACLIENT_SUBDIRS); do \
+	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
+	done
+
+wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
+	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
diff --git a/Makefile.python.am b/Makefile.python.am
index 0ea3fcf..2ccd383 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -36,3 +36,9 @@ dist-hook:
 		if test -x "$(srcdir)/$${FILEN}"; then MODE=755; else MODE=644; fi;	\
 		$(INSTALL) -D -m $${MODE} "$(srcdir)/$${FILEN}" "$(distdir)/$${FILEN}" || exit $$?;	\
 	done
+
+WHEELDISTDIR = $(top_builddir)/dist/wheels
+.PHONY: bdist_wheel
+bdist_wheel:
+	rm -rf $(WHEELDISTDIR)/$(pkgname)*.whl
+	$(PYTHON) "$(srcdir)/setup.py" bdist_wheel --dist-dir=$(WHEELDISTDIR)
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 722d99d..43ebf5b 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -43,4 +43,15 @@
 "ipaclient.remote_plugins.2_156",
 "ipaclient.remote_plugins.2_164",
 ],
+install_requires=[
+"cryptography",
+"ipalib",
+"ipapython",
+"python-nss",
+"qrcode",
+"six",
+],
+extra_requires = {
+"otptoken_yubikey": ["yubico", "usb"]
+}
 )
diff --git a/ipalib/setup.py b/ipalib/setup.py
index a828c37..f3ebb63 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -36,4 +36,12 @@
 "ipalib",
 "ipalib.install",
 ],
+install_requires=[
+"ipaplatform",
+"ipapython",
+"netaddr",
+"pyasn1",
+"python-nss",
+"six",
+],
 )
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index 82499da..98a9f08 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -39,4 +39,11 @@
 "ipaplatform.redhat",
 "ipaplatform.rhel"
 ],
+install_requires=[
+"cffi",
+# "ipalib",  # circular dependency
+"pyasn1",
+"python-nss",
+"six",
+],
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 47acdd6..e254253 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -38,4 +38,21 @@
 "ipapython.secrets",
 "ipapython.install"
 ],
+install_requires=[
+"cffi",
+"custodia",
+"cryptography",
+"dnspython",
+"gssapi",
+"jwcrypto",
+"ipaplatform",
+# "ipalib",  # circular dependency
+"pyldap",
+"lxml",
+"netaddr",
+"netifaces",
+"python-nss",
+"requests",
+"six",
+],
 )
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 8ce2970..0cd20da 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -43,4 +43,27 @@
 'ipaserver.install.plugins',
 'ipaserver.install.server',
 ],
+install_requires=[
+

[Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/197
Author: tiran
 Title: #197: Make setup.py files PyPI compatible
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/197/head:pr197
git checkout pr197
From b67be5050a693c04d621ceb9a301755530c9ba48 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 31 Oct 2016 09:19:15 +0100
Subject: [PATCH] Use correct classifiers to make setup.py files PyPI
 compatible

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 25 -
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index 2835527..aff40ba 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -1,5 +1,4 @@
-#!/usr/bin/python2
-# Copyright (C) 2014  Red Hat
+# Copyright (C) 2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -18,9 +17,10 @@
 import os
 import sys
 
+
 common_args = dict(
 version="@VERSION@",
-license="GPL",
+license="GPLv3+",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
 maintainer="FreeIPA Developers",
@@ -30,14 +30,21 @@ common_args = dict(
 platforms=["Linux", "Solaris", "Unix"],
 classifiers=[
 "Development Status :: 5 - Production/Stable",
-("Topic :: System :: Systems Administration :: "
- "Authentication/Directory :: LDAP"),
-"Topic :: Internet :: Name Service (DNS)",
-"Intended Audience :: System Environment/Base",
-"License :: GPL",
-"Programming Language :: Python",
+"Intended Audience :: System Administrators",
+("License :: OSI Approved :: "
+ "GNU General Public License v3 or later (GPLv3+)"),
+"Programming Language :: C",
+"Programming Language :: Python :: 2",
+"Programming Language :: Python :: 2.7",
+"Programming Language :: Python :: 3",
+"Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
+"Operating System :: POSIX :: Linux",
 "Operating System :: Unix",
+"Topic :: Internet :: Name Service (DNS)",
+("Topic :: System :: Systems Administration :: "
+ "Authentication/Directory :: LDAP"),
 ],
 )
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

martbab commented:
"""
Please add the upstream ticket to the commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/237#issuecomment-260273833
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][synchronized] Update man page for ipa-adtrust-install by removing --no-msdcs option

[pspacek]

   URL: https://github.com/freeipa/freeipa/pull/237
Author: pspacek
 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/237/head:pr237
git checkout pr237
From 7e9e99f98a4a68345de45d26d6bc1318e62d5bef Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 14 Nov 2016 08:55:52 +0100
Subject: [PATCH] Update man page for ipa-adtrust-install by removing
 --no-msdcs option

https://fedorahosted.org/freeipa/ticket/6480
---
 install/tools/man/ipa-adtrust-install.1 | 27 ---
 1 file changed, 27 deletions(-)

diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index fbf430a..6e8438b 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -75,33 +75,6 @@ ipa\-adtrust\-install for a second time with a different NetBIOS name will
 change the name. Please note that changing the NetBIOS name might break
 existing trust relationships to other domains.
 .TP
-\fB\-\-no\-msdcs\fR
-Do not create DNS service records for Windows in managed DNS server. Since those
-DNS service records are the only way to discover domain controllers of other
-domains they must be added manually to a different DNS server to allow trust
-realationships work properly. All needed service records are listed when
-ipa\-adtrust\-install finishes and either \-\-no\-msdcs was given or no IPA DNS
-service is configured. Typically service records for the following service names
-are needed for the IPA domain which should point to all IPA servers:
-.IP
-\(bu _ldap._tcp
-.IP
-\(bu _kerberos._tcp
-.IP
-\(bu _kerberos._udp
-.IP
-\(bu _ldap._tcp.dc._msdcs
-.IP
-\(bu _kerberos._tcp.dc._msdcs
-.IP
-\(bu _kerberos._udp.dc._msdcs
-.IP
-\(bu _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
-.IP
-\(bu _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
-.IP
-\(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
-.TP
 \fB\-\-add\-sids\fR
 Add SIDs to existing users and groups as on of final steps of the
 ipa\-adtrust\-install run. If there a many existing users and groups and a
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option

[pspacek]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

pspacek commented:
"""
Here you go.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/237#issuecomment-260280769
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#174][comment] add log module

[shanyin]

  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

shanyin commented:
"""
What do you mean is that I should send the log codes as separate PR? If so, I 
will do it later.





--
祝：
工作顺利！生活愉快！
--
长沙研发中心 郑磊 
电话：18684703229
邮箱：zheng...@kylinos.cn
公司：天津麒麟信息技术有限公司
地址：湖南长沙市开福区三一大道工美大厦十四楼
 

 
 
 
-- Original --
From:  "mbasti-rh";
Date:  Tue, Nov 15, 2016 01:56 AM
To:  "freeipa/freeipa"; 
Cc:  "shanyin"; "Mention"; 
Subject:  Re: [freeipa/freeipa] add log module (#174)

 

Hello,
 
we agreed on devel meeting that this is not the right way how to audit/log 
inspection should be done with FreeIPA:
  
centralized logging is preferred solution
  
However we would like to merge some parts of your PR:
  
fix for missing translation strings
 
improvement of logging that might help you and can improve value of logs for 
users Would be awesome if you can send them as separate PR.
  
Also we endorse you to create an IPA httpd log parser as separate CLI project 
from this PR which may be helpful for other users as lightweight solution 
compared to centralized logging.
 
Thank you!
 
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/174#issuecomment-260522728
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][comment] Update man page for ipa-adtrust-install by removing --no-msdcs option

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/623cc428cfd79ea228bda6e88dc48bad9aaf61aa
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/237#issuecomment-260386154
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][opened] cainstance: use correct certificate for replica install check

[tomaskrizek]

   URL: https://github.com/freeipa/freeipa/pull/239
Author: tomaskrizek
 Title: #239: cainstance: use correct certificate for replica install check
Action: opened

PR body:
"""
Incorrect certificate file extension caused DL0 replica install to fail.

https://fedorahosted.org/freeipa/ticket/6461
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/239/head:pr239
git checkout pr239
From a190b83f1c048a2ec40d925b7ee054a74549389d Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 14 Nov 2016 17:25:33 +0100
Subject: [PATCH] cainstance: use correct certificate for replica install check

Incorrect certificate file extension caused DL0 replica install to fail.

https://fedorahosted.org/freeipa/ticket/6461
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 4953ff7..c7a117d 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1301,7 +1301,7 @@ def replica_ca_install_check(config, promote):
 with ipaldap.LDAPClient(
 ca_ldap_url,
 start_tls=True,
-cacert=config.dir + "/ca.cer",
+cacert=config.dir + "/ca.crt",
 force_schema_updates=False) as connection:
 connection.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=config.dirman_password)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#194][closed] Tests: Verify that validity info is present in cert-show and cert-find command

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/194
Author: mirielka
 Title: #194: Tests: Verify that validity info is present in cert-show and 
cert-find command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/194/head:pr194
git checkout pr194
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#194][comment] Tests: Verify that validity info is present in cert-show and cert-find command

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/194
Title: #194: Tests: Verify that validity info is present in cert-show and 
cert-find command

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/414ed0d182e55dfe18f31ebbbc97095b989fc162
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/118d455027beee158a934d3f25b15d0e262fc5a6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/194#issuecomment-260385336
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#194][+pushed] Tests: Verify that validity info is present in cert-show and cert-find command

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/194
Title: #194: Tests: Verify that validity info is present in cert-show and 
cert-find command

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#197][comment] Make setup.py files PyPI compatible

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/197
Title: #197: Make setup.py files PyPI compatible

mbasti-rh commented:
"""
I have some inline questions
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/197#issuecomment-260383809
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][+pushed] Update man page for ipa-adtrust-install by removing --no-msdcs option

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][closed] Update man page for ipa-adtrust-install by removing --no-msdcs option

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/237
Author: pspacek
 Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/237/head:pr237
git checkout pr237
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#194][+ack] Tests: Verify that validity info is present in cert-show and cert-find command

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/194
Title: #194: Tests: Verify that validity info is present in cert-show and 
cert-find command

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#190][+ack] [4.4] Fix tests install dom0

[pvomacka]

  URL: https://github.com/freeipa/freeipa/pull/190
Title: #190: [4.4] Fix tests install dom0

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#190][closed] [4.4] Fix tests install dom0

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/190
Author: mbasti-rh
 Title: #190: [4.4] Fix tests install dom0
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/190/head:pr190
git checkout pr190
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#237][+ack] Update man page for ipa-adtrust-install by removing --no-msdcs option

[tomaskrizek]

  URL: https://github.com/freeipa/freeipa/pull/237
Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs 
option

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][comment] cainstance: use correct certificate for replica install check

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/239
Title: #239: cainstance: use correct certificate for replica install check

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d6300dca285acaad296f6271421c23999e3c1071
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/239#issuecomment-260394466
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][closed] cainstance: use correct certificate for replica install check

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/239
Author: tomaskrizek
 Title: #239: cainstance: use correct certificate for replica install check
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/239/head:pr239
git checkout pr239
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#185][closed] TESTS: Update group type name

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/185
Author: pvomacka
 Title: #185: TESTS: Update group type name
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/185/head:pr185
git checkout pr185
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#185][comment] TESTS: Update group type name

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/185
Title: #185: TESTS: Update group type name

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6e475988e1ec1b89d44b495cd667a444526733a7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/185#issuecomment-260396497
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#185][+pushed] TESTS: Update group type name

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/185
Title: #185: TESTS: Update group type name

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#119][comment] Tests: Providing trust tests with tree root domain

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/119
Title: #119: Tests: Providing trust tests with tree root domain

mbasti-rh commented:
"""
And master too
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/119#issuecomment-260400800
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#174][comment] add log module

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

mbasti-rh commented:
"""
Hello,

we agreed on devel meeting that this is not the right way how to audit/log 
inspection should be done with FreeIPA:
- centralized logging is preferred solution

However we would like to merge some parts of your PR:
- fix for missing translation strings
- improvement of logging that might help you and can improve value of logs for 
users
Would be awesome if you can send them as separate PR.

Also we endorse you to create an IPA httpd log parser as separate CLI project 
from this PR which may be helpful for other users as lightweight solution 
compared to centralized logging.

Thank you!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/174#issuecomment-260409768
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#174][+rejected] add log module

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/174
Title: #174: add log module

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#119][comment] Tests: Providing trust tests with tree root domain

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/119
Title: #119: Tests: Providing trust tests with tree root domain

mbasti-rh commented:
"""
Needs rebase for 4.4 branch
```
error: ipatests/pytest_plugins/integration.py: patch does not apply
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/119#issuecomment-260400687
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][+pushed] cainstance: use correct certificate for replica install check

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/239
Title: #239: cainstance: use correct certificate for replica install check

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#157][comment] git: Add commit template

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2df709838905dec3ee2c2eaec47f506336d85a6e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/157#issuecomment-260398394
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#178][comment] ipatests: Fix assert_deepequal outside of pytest process

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/178
Title: #178: ipatests: Fix assert_deepequal outside of pytest process

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e54109c167526ae6b1cd4c977915da884482891b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/178#issuecomment-260399510
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#178][+pushed] ipatests: Fix assert_deepequal outside of pytest process

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/178
Title: #178: ipatests: Fix assert_deepequal outside of pytest process

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][comment] cainstance: use correct certificate for replica install check

[flo-renaud]

  URL: https://github.com/freeipa/freeipa/pull/239
Title: #239: cainstance: use correct certificate for replica install check

flo-renaud commented:
"""
Hi,
works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/239#issuecomment-260393542
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#239][+ack] cainstance: use correct certificate for replica install check

[flo-renaud]

  URL: https://github.com/freeipa/freeipa/pull/239
Title: #239: cainstance: use correct certificate for replica install check

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports

[jumitche]

  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

jumitche commented:
"""
@mbasti-rh This is my first python script so apologies for it being a bit rough 
around the edges, i tried to emulate the stylings of the other ipa-scripts,i 
recall that the user_input method is very similar, and there is some 
boilerplate top level exception handling, but no direct cut and paste afair. It 
does not attempt to install any packages, it just suggests which ones you might 
need if it finds commands it relies upon are missing.

The brief was to make an easy to use script in the style of ipa-client-install 
that sets up kerberos encrypted NFS exports on a host, it calls out to the cli 
commands where possible so that it could potentially be reused with AD in the 
future.

It tries to retrieve as much information from an already configured system as 
possible, and if IPA is already setup, configured, and a session in progress it 
will ask very little. When the setup is not there it gracefully falls back, 
asking more and more questions as required, attempting to initiate 
authentications where needed, until a final level where if critical components 
are missing it will suggest which packages may be missing before giving up.

I have made changes to pass all the pylint tests cleanly, as i hfailed to 
notice them originally, is there any further modifications i should be making ?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/215#issuecomment-260394525
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#190][+pushed] [4.4] Fix tests install dom0

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/190
Title: #190: [4.4] Fix tests install dom0

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#157][closed] git: Add commit template

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/157
Author: mzidek-rh
 Title: #157: git: Add commit template
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/157/head:pr157
git checkout pr157
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#157][+pushed] git: Add commit template

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/157
Title: #157: git: Add commit template

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][closed] Integration tests for certs in idoverrides

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/224
Author: ofayans
 Title: #224: Integration tests for certs in idoverrides
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/224/head:pr224
git checkout pr224
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#224][+pushed] Integration tests for certs in idoverrides

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/224
Title: #224: Integration tests for certs in idoverrides

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#197][synchronized] Make setup.py files PyPI compatible

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/197
Author: tiran
 Title: #197: Make setup.py files PyPI compatible
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/197/head:pr197
git checkout pr197
From 814f1f01731a4aa019dab808bee55750093d1133 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 31 Oct 2016 09:19:15 +0100
Subject: [PATCH] Use correct classifiers to make setup.py files PyPI
 compatible

Signed-off-by: Christian Heimes 
---
 ipasetup.py.in | 26 +-
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index 2835527..5eff1ae 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -1,5 +1,4 @@
-#!/usr/bin/python2
-# Copyright (C) 2014  Red Hat
+# Copyright (C) 2016  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -18,9 +17,10 @@
 import os
 import sys
 
+
 common_args = dict(
 version="@VERSION@",
-license="GPL",
+license="GPLv3",
 author="FreeIPA Developers",
 author_email="freeipa-devel@redhat.com",
 maintainer="FreeIPA Developers",
@@ -30,14 +30,22 @@ common_args = dict(
 platforms=["Linux", "Solaris", "Unix"],
 classifiers=[
 "Development Status :: 5 - Production/Stable",
-("Topic :: System :: Systems Administration :: "
- "Authentication/Directory :: LDAP"),
-"Topic :: Internet :: Name Service (DNS)",
-"Intended Audience :: System Environment/Base",
-"License :: GPL",
-"Programming Language :: Python",
+"Intended Audience :: System Administrators",
+("License :: OSI Approved :: "
+ "GNU General Public License v3 (GPLv3)"),
+"Programming Language :: C",
+"Programming Language :: Python :: 2",
+"Programming Language :: Python :: 2.7",
+"Programming Language :: Python :: 3",
+"Programming Language :: Python :: 3.5",
+"Programming Language :: Python :: Implementation :: CPython",
 "Operating System :: POSIX",
+"Operating System :: POSIX :: Linux",
 "Operating System :: Unix",
+"Topic :: Internet :: Name Service (DNS)",
+"Topic :: Security",
+("Topic :: System :: Systems Administration :: "
+ "Authentication/Directory :: LDAP"),
 ],
 )
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#197][+ack] Make setup.py files PyPI compatible

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/197
Title: #197: Make setup.py files PyPI compatible

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#229][synchronized] Remove the renewal lock file upon uninstall

[flo-renaud]

   URL: https://github.com/freeipa/freeipa/pull/229
Author: flo-renaud
 Title: #229: Remove the renewal lock file upon uninstall
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/229/head:pr229
git checkout pr229
From 1222e8f509151a0f4cc40f4604f21db559bacd7c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 10 Nov 2016 13:14:34 +0100
Subject: [PATCH] Fix renewal lock issues on installation

- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.

- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running

- Cleanup certmonger ra renewal script: no need to restart httpd

- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...) If the CA helper is once again
modified, the on-going helper is killed. This can lead to
ipa-service-guard being killed and not releasing the renew lock.

If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.

Part of the refactoring effort, certificates sub-effort.

https://fedorahosted.org/freeipa/ticket/6433
---
 install/restart_scripts/renew_ra_cert  | 10 --
 install/restart_scripts/restart_dirsrv |  3 ++-
 install/restart_scripts/restart_httpd  |  3 ++-
 ipaserver/install/httpinstance.py  |  4 ++--
 ipaserver/install/server/install.py|  9 +
 5 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index d71d6e2..40ef728 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -30,7 +30,6 @@ import traceback
 from ipapython import ipautil
 from ipalib import api
 from ipaserver.install import certs, cainstance, krainstance
-from ipaplatform import services
 from ipaplatform.paths import paths
 
 
@@ -68,15 +67,6 @@ def _main():
 shutil.rmtree(tmpdir)
 api.Backend.ldap2.disconnect()
 
-# Now restart Apache so the new certificate is available
-syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")
-try:
-services.knownservices.httpd.restart()
-except Exception as e:
-syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % e)
-else:
-syslog.syslog(syslog.LOG_NOTICE, "Restarted httpd")
-
 
 def main():
 try:
diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv
index a8e7818..72d3c54 100644
--- a/install/restart_scripts/restart_dirsrv
+++ b/install/restart_scripts/restart_dirsrv
@@ -39,7 +39,8 @@ def _main():
 syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
 
 try:
-services.knownservices.dirsrv.restart(instance)
+if services.knownservices.dirsrv.is_running():
+services.knownservices.dirsrv.restart(instance)
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e)))
 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index 50348d4..d168481 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -29,7 +29,8 @@ def _main():
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
-services.knownservices.httpd.restart()
+if services.knownservices.httpd.is_running():
+services.knownservices.httpd.restart()
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, "Cannot restart httpd: %s" % str(e))
 
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 39d43f2..4e8107e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -166,11 +166,11 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
+self.step("setting up httpd keytab", self._request_service_keytab)
+self.step("setting up ssl", self.__setup_ssl)
 if self.ca_is_configured:
 self.step("configure certmonger for renewals",
   self.configure_certmonger_renewal_guard)
-self.step("setting up httpd keytab", self._request_service_keytab)
-self.step("setting up ssl", self.__setup_ssl)
 self.step("importing CA certificates from LDAP", self.__import_ca_certs)
 self.step("publish CA cert", self.__publish_ca_cert)
 self.step("clean up any existing httpd ccache", 

[Freeipa-devel] [freeipa PR#238][comment] Build system refactoring phase 8: update translation system

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/238
Title: #238: Build system refactoring phase 8: update translation system

mbasti-rh commented:
"""
Lint failed

```
cd .; ./makeaci --validate
./makeaci: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module 
named backports_abc
cd .; ./makeapi --validate
./makeapi: ipaserver/plugins/dogtag.py:244: ignoring ImportError: No module 
named backports_abc
make -C ./po validate-src-strings
make[1]: Entering directory '/freeipa/po'
make[1]: Leaving directory '/freeipa/po'
make[1]: *** No rule to make target 'validate-src-strings'.  Stop.
make: *** [polint] Error 2
Makefile:1098: recipe for target 'polint' failed
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/238#issuecomment-260452692
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code