[Freeipa-devel] [freeipa PR#503][opened] [WIP] Update testcase for cert plugin

2017-02-23 Thread Akasurde 
   URL: https://github.com/freeipa/freeipa/pull/503
Author: Akasurde
 Title: #503: [WIP] Update testcase for cert plugin
Action: opened

PR body:
"""
Fixes https://fedorahosted.org/freeipa/ticket/6275

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/503/head:pr503
git checkout pr503
From 76dcaceaed890e76a38915e4fd5345a04140794d Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 24 Feb 2017 13:21:49 +0530
Subject: [PATCH] [WIP] Update testcase for cert plugin

Fixes https://fedorahosted.org/freeipa/ticket/6275

Signed-off-by: Abhijeet Kasurde 
---
 ipatests/test_xmlrpc/test_cert_plugin.py | 56 +++-
 1 file changed, 47 insertions(+), 9 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index 0b8277b..140bd02 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -50,6 +50,7 @@
 _EXP_CRL_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ipa/crl/MasterCRL.bin'])
 _EXP_OCSP_URI = ''.join(['http://ipa-ca.', _DOMAIN, '/ca/ocsp'])
 
+
 def is_db_configured():
 """
 Raise an exception if we are testing against lite-server and the
@@ -88,6 +89,8 @@ def setup_class(cls):
 raise nose.SkipTest('cert_request not registered')
 if 'cert_show' not in api.Command:
 raise nose.SkipTest('cert_show not registered')
+if 'cert_status' not in api.Command:
+raise nose.SkipTest('cert_status not registered')
 
 is_db_configured()
 
@@ -97,15 +100,14 @@ def run_certutil(self, args, stdin=None):
 return ipautil.run(new_args, stdin)
 
 def setup(self):
-self.reqdir = tempfile.mkdtemp(prefix = "tmp-")
+self.reqdir = tempfile.mkdtemp(prefix="tmp-")
 self.reqfile = self.reqdir + "/test.csr"
 self.pwname = self.reqdir + "/pwd"
 self.certfile = self.reqdir + "/cert.crt"
 
 # Create an empty password file
-fp = open(self.pwname, "w")
-fp.write("\n")
-fp.close()
+with open(self.pwname, "w") as fp:
+fp.write("\n")
 
 # Create our temporary NSS database
 self.run_certutil(["-N", "-f", self.pwname])
@@ -122,9 +124,8 @@ def generateCSR(self, subject):
"-f", self.pwname,
"-a",
])
-fp = open(self.reqfile, "r")
-data = fp.read()
-fp.close()
+with open(self.reqfile, "r") as fp:
+data = fp.read()
 return data
 
 host_fqdn = u'ipatestcert.%s' % api.env.domain
@@ -191,10 +192,10 @@ def test_0005_cert_uris(self):
 
 See https://fedorahosted.org/freeipa/ticket/5881
 """
-result = api.Command.cert_show(sn, out=unicode(self.certfile))
+api.Command['cert_show'](sn, out=unicode(self.certfile))
 with open(self.certfile, "r") as f:
 pem_cert = unicode(f.read())
-result = run(['openssl', 'x509', '-text'],
+result = run([paths.OPENSSL, 'x509', '-text'],
  stdin=pem_cert, capture_output=True)
 assert _EXP_CRL_URI in result.output
 assert _EXP_OCSP_URI in result.output
@@ -290,6 +291,7 @@ def test_0002_find_CA(self):
 """
 res = api.Command['cert_find'](subject=u'Certificate Authority')
 assert 'count' in res and res['count'] == 1
+assert u'CN=Certificate Authority' in res['result'][0]['subject']
 
 def test_0003_find_OCSP(self):
 """
@@ -298,6 +300,7 @@ def test_0003_find_OCSP(self):
 res = api.Command['cert_find'](subject=u'OCSP Subsystem')
 assert 'count' in res
 assert res['count'], "No OSCP certificate found"
+assert u'CN=OCSP Subsystem' in res['result'][0]['subject']
 
 def test_0004_find_this_host(self):
 """
@@ -305,6 +308,7 @@ def test_0004_find_this_host(self):
 """
 res = api.Command['cert_find'](subject=api.env.host)
 assert 'count' in res and res['count'] > 1
+assert api.env.host in res['result'][0]['subject']
 
 def test_0005_find_this_host_exact(self):
 """
@@ -312,6 +316,7 @@ def test_0005_find_this_host_exact(self):
 """
 res = api.Command['cert_find'](subject=api.env.host, exactly=True)
 assert 'count' in res and res['count'] > 1
+assert api.env.host in res['result'][0]['subject']
 
 def test_0006_find_this_short_host_exact(self):
 """
@@ -319,6 +324,7 @@ def test_0006_find_this_short_host_exact(self):
 """
 res = api.Command['cert_find'](subject=self.short, exactly=True)
 assert 'count' in res and res['count'] == 0
+assert u'0 certificates matched' in res['summary']
 
 # tests 0007 to 0016 removed
 
@@ -423,6

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Tomas Krizek 
On 02/24/2017 08:34 AM, Standa Laznicka wrote:
> On 02/24/2017 08:29 AM, Jan Cholasta wrote:
>> On 23.2.2017 19:06, Martin Basti wrote:
>>>
>>>
>>> On 23.02.2017 15:09, Tomas Krizek wrote:
 On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
 On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> Since we're trying to make FreeIPA work in FIPS we got to
>>> the point
>>> where we need to do something with MD5 fingerprints in the
>>> cert plugin.
>>> Eventually we came to a realization that it'd be best to get
>>> rid of them
>>> as a whole. These are counted by the framework and are not
>>> stored
>>> anywhere. Note that alongside with these fingerprints SHA1
>>> fingerprints
>>> are also counted and those are there to stay.
>>>
>>> The question for this ML is, then - is it OK to remove these
>>> or would
>>> you rather have them replaced with SHA-256 alongside the
>>> SHA-1? MD5 is a
>>> grandpa and I think it should go.
>> I based the values displayed on what certutil displayed at
>> the time (7
>> years ago). I don't know that anyone uses these fingerprints.
>> The
>> OpenSSL equivalent doesn't include them by default.
>>
>> You may be able to deprecate fingerprints altogether.
>>
>> rob
> I think it's useful to display the certificate's fingerprint.
> I'm in
> favor of removing md5 and adding sha256 instead.
>
 Rob, thank you for sharing the information of where the cert
 fingerprints
 are originated! `certutil` shipped with nss-3.27.0-1.3
 currently displays
 SHA-256 and SHA1 fingerprints for certificates so I propose
 going that way
 too.

>>> IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
>>> also make no API stability guarantee w.r.t. the fingerprint
>>> attributes, i.e. to allow us to move to newer digests in future
>>> (and
>>> remove broken/no-longer-secure ones).  We should advise that if a
>>> customer has a hard requirement on a particular digest that they
>>> should compute it themselves from the certificate.
>>>
>>> Cheers,
>>> Fraser
>> What is the motivation to remove SHA-1? Are there any attacks
>> besides
>> theoretical ones on SHA-1?
>>
>> Do other libraries already deprecate SHA-1?
>>
> Come to think of it, I was thinking about SHA-1 signatures (which
> are completely forbidden in the public PKI nowadays).  But for
> fingerprints it is not so bad (for now).
>
> Thanks,
> Fraser
 Actually, there's been a practical SHA1 attack just published [1].
 Computational complexity was
 9,223,372,036,854,775,808 SHA1 computations, which takes about 110
 years
 on a single GPU.

 Therefore, I'm in favor to deprecate SHA1 as well and provide only
 SHA256.

 [1] - https://shattered.io/



>>>
>>> I think we should wait with removal SHA1, don't remove it prematurely.
>>> As MD5 is deprecated for very long time, SHA1 is not and we are not
>>> using it for any cryptographic operation nor certificates. It is just
>>> informational fingerprint.
>>
>> +1
>>
> +1, I don't favour the
> http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach.
>
People will most likely be using the software even years after its
upstream release, so I think its best to address these issues sooner
rather than later.

SHA256 fingerprints should be added even if we decide to keep SHA1 for now.

-- 
Tomas Krizek




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#502][opened] Make pylint and jsl optional

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: opened

PR body:
"""
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From 21794f9008cbe5a3d239f8f7ecd7db441894e2f8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am  | 14 +++---
 configure.ac | 32 
 2 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index a35d18f..4e00053 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@@ -180,9 +184,12 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
 		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -205,6 +212,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 9ee281a..3e98653 100644
--- a/configure.ac
+++ b/configure.ac
@@ -375,14 +375,20 @@ AC_ARG_ENABLE([pylint],
 	AS_HELP_STRING([--disable-pylint],
 			   [skip Pylint in make lint target]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
@@ -394,13 +400,20 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[],
+[with_jslint=check]
 )
-if test "x${JSLINT}" == "x"; then
-	AC_MSG_ERROR([cannot find JS lint])
+if test "x$with_jslint=" != xno; then
+AC_PATH_PROG([JSLINT], [jsl])
+if test "x${JSLINT}" == "x"; then
+if test "x$with_jslint"

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Standa Laznicka 

On 02/24/2017 08:29 AM, Jan Cholasta wrote:

On 23.2.2017 19:06, Martin Basti wrote:



On 23.02.2017 15:09, Tomas Krizek wrote:

On 02/22/2017 01:44 PM, Fraser Tweedale wrote:

On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:

On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:

On 02/21/2017 04:24 PM, Tomas Krizek wrote:

On 02/21/2017 03:23 PM, Rob Crittenden wrote:

Standa Laznicka wrote:

Hello,

Since we're trying to make FreeIPA work in FIPS we got to the 
point
where we need to do something with MD5 fingerprints in the 
cert plugin.
Eventually we came to a realization that it'd be best to get 
rid of them
as a whole. These are counted by the framework and are not 
stored
anywhere. Note that alongside with these fingerprints SHA1 
fingerprints

are also counted and those are there to stay.

The question for this ML is, then - is it OK to remove these 
or would
you rather have them replaced with SHA-256 alongside the 
SHA-1? MD5 is a

grandpa and I think it should go.
I based the values displayed on what certutil displayed at the 
time (7

years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob
I think it's useful to display the certificate's fingerprint. 
I'm in

favor of removing md5 and adding sha256 instead.

Rob, thank you for sharing the information of where the cert 
fingerprints
are originated! `certutil` shipped with nss-3.27.0-1.3 currently 
displays
SHA-256 and SHA1 fingerprints for certificates so I propose 
going that way

too.


IMO we should remove MD5 and SHA-1, and add SHA-256. But we should
also make no API stability guarantee w.r.t. the fingerprint
attributes, i.e. to allow us to move to newer digests in future (and
remove broken/no-longer-secure ones).  We should advise that if a
customer has a hard requirement on a particular digest that they
should compute it themselves from the certificate.

Cheers,
Fraser

What is the motivation to remove SHA-1? Are there any attacks besides
theoretical ones on SHA-1?

Do other libraries already deprecate SHA-1?


Come to think of it, I was thinking about SHA-1 signatures (which
are completely forbidden in the public PKI nowadays).  But for
fingerprints it is not so bad (for now).

Thanks,
Fraser

Actually, there's been a practical SHA1 attack just published [1].
Computational complexity was
9,223,372,036,854,775,808 SHA1 computations, which takes about 110 
years

on a single GPU.

Therefore, I'm in favor to deprecate SHA1 as well and provide only 
SHA256.


[1] - https://shattered.io/





I think we should wait with removal SHA1, don't remove it prematurely.
As MD5 is deprecated for very long time, SHA1 is not and we are not
using it for any cryptographic operation nor certificates. It is just
informational fingerprint.


+1

+1, I don't favour the 
http://new2.fjcdn.com/gifs/Everybody_d72014_61779.gif approach.


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#501][opened] C compilation fixes and hardening

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/501
Author: tiran
 Title: #501: C compilation fixes and hardening
Action: opened

PR body:
"""
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/501/head:pr501
git checkout pr501
From bbf04dbc1637327d91a83e743d2dc877edf98d5d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 24 Feb 2017 08:20:15 +0100
Subject: [PATCH] C compilation fixes and hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes 
---
 configure.ac| 4 
 util/ipa_pwd_ntlm.c | 1 +
 2 files changed, 5 insertions(+)

diff --git a/configure.ac b/configure.ac
index 9ee281a..369f2ae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,10 @@ LT_INIT
 
 AC_HEADER_STDC
 
+dnl 389-DS' slapi-plugin.h contains wrong prototype
+dnl warn about missing includes
+CFLAGS+=" -Wno-strict-prototypes -Werror=implicit-function-declaration"
+
 PKG_PROG_PKG_CONFIG
 
 AC_ARG_ENABLE([server],
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index f709981..263816d 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -26,6 +26,7 @@
 
 #include 
 #include 
+#include 
 #include 
 #include 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Jan Cholasta 

On 23.2.2017 19:06, Martin Basti wrote:



On 23.02.2017 15:09, Tomas Krizek wrote:

On 02/22/2017 01:44 PM, Fraser Tweedale wrote:

On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:

On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:

On 02/21/2017 04:24 PM, Tomas Krizek wrote:

On 02/21/2017 03:23 PM, Rob Crittenden wrote:

Standa Laznicka wrote:

Hello,

Since we're trying to make FreeIPA work in FIPS we got to the point
where we need to do something with MD5 fingerprints in the cert plugin.
Eventually we came to a realization that it'd be best to get rid of them
as a whole. These are counted by the framework and are not stored
anywhere. Note that alongside with these fingerprints SHA1 fingerprints
are also counted and those are there to stay.

The question for this ML is, then - is it OK to remove these or would
you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
grandpa and I think it should go.

I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob

I think it's useful to display the certificate's fingerprint. I'm in
favor of removing md5 and adding sha256 instead.


Rob, thank you for sharing the information of where the cert fingerprints
are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
SHA-256 and SHA1 fingerprints for certificates so I propose going that way
too.


IMO we should remove MD5 and SHA-1, and add SHA-256.  But we should
also make no API stability guarantee w.r.t. the fingerprint
attributes, i.e. to allow us to move to newer digests in future (and
remove broken/no-longer-secure ones).  We should advise that if a
customer has a hard requirement on a particular digest that they
should compute it themselves from the certificate.

Cheers,
Fraser

What is the motivation to remove SHA-1? Are there any attacks besides
theoretical ones on SHA-1?

Do other libraries already deprecate SHA-1?


Come to think of it, I was thinking about SHA-1 signatures (which
are completely forbidden in the public PKI nowadays).  But for
fingerprints it is not so bad (for now).

Thanks,
Fraser

Actually, there's been a practical SHA1 attack just published [1].
Computational complexity was
9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
on a single GPU.

Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256.

[1] - https://shattered.io/





I think we should wait with removal SHA1, don't remove it prematurely.
As MD5 is deprecated for very long time, SHA1 is not and we are not
using it for any cryptographic operation nor certificates. It is just
informational fingerprint.


+1

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#500][opened] Replace sha1 fingerprints with sha256

2017-02-23 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/500
Author: tomaskrizek
 Title: #500: Replace sha1 fingerprints with sha256
Action: opened

PR body:
"""
- we probably want to keep SHA1 for DNS SSHFP (along with SHA256)
- removing SHA1 from RSA-OAEP probably doesn't have any benefits 
http://security.stackexchange.com/questions/112029/should-sha-1-be-used-with-rsa-oaep
- SHA1 for otp will be handled in a separate PR
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/500/head:pr500
git checkout pr500
From 3ea80f8a1e831da8580019f22159ce8f4c29da86 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Thu, 23 Feb 2017 17:03:01 +0100
Subject: [PATCH 1/2] Replace SHA1 cert fingerprints with SHA256

https://fedorahosted.org/freeipa/ticket/6701
---
 install/ui/src/freeipa/certificate.js  | 13 +
 install/ui/test/data/cert_request.json |  2 +-
 install/ui/test/data/cert_show.json|  2 +-
 install/ui/test/data/ipa_init.json |  1 -
 install/ui/test/data/service_show.json |  2 +-
 ipaserver/plugins/cert.py  |  8 
 ipaserver/plugins/host.py  |  4 ++--
 ipaserver/plugins/internal.py  |  1 -
 ipaserver/plugins/service.py   |  8 
 ipatests/test_xmlrpc/test_host_plugin.py   |  2 +-
 ipatests/test_xmlrpc/test_service_plugin.py| 14 +++---
 ipatests/test_xmlrpc/tracker/host_plugin.py|  2 +-
 ipatests/test_xmlrpc/tracker/service_plugin.py |  2 +-
 13 files changed, 28 insertions(+), 33 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index b86c6cf..e02a08e 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -361,7 +361,6 @@ IPA.cert.view_dialog = function(spec) {
 that.issuer = IPA.cert.parse_dn(spec.certificate.issuer);
 that.issued_on = spec.certificate.valid_not_before || '';
 that.expires_on = spec.certificate.valid_not_after || '';
-that.sha1_fingerprint = spec.certificate.sha1_fingerprint || '';
 that.sha256_fingerprint = spec.certificate.sha256_fingerprint || '';
 
 that.create_button({
@@ -426,8 +425,6 @@ IPA.cert.view_dialog = function(spec) {
 
 table_layout = that.create_layout().appendTo(that.container);
 
-new_row('@i18n:objects.cert.sha1_fingerprint', that.sha1_fingerprint)
-.appendTo(table_layout);
 new_row('@i18n:objects.cert.sha256_fingerprint', that.sha256_fingerprint)
 .appendTo(table_layout);
 };
@@ -570,7 +567,7 @@ IPA.cert.loader = function(spec) {
 revocation_reason: result.revocation_reason,
 serial_number: result.serial_number,
 serial_number_hex: result.serial_number_hex,
-sha1_fingerprint: result.sha1_fingerprint,
+sha256_fingerprint: result.sha256_fingerprint,
 subject: result.subject,
 valid_not_after: result.valid_not_after,
 valid_not_before: result.valid_not_before
@@ -1575,9 +1572,9 @@ exp.create_cert_metadata = function() {
 add_param('valid_not_after',
 text.get('@i18n:objects.cert.expires_on'),
 text.get('@i18n:objects.cert.expires_on'));
-add_param('sha1_fingerprint',
-text.get('@i18n:objects.cert.sha1_fingerprint'),
-text.get('@i18n:objects.cert.sha1_fingerprint'));
+add_param('sha256_fingerprint',
+text.get('@i18n:objects.cert.sha256_fingerprint'),
+text.get('@i18n:objects.cert.sha256_fingerprint'));
 add_param('certificate',
 text.get('@i18n:objects.cert.certificate'),
 text.get('@i18n:objects.cert.certificate'));
@@ -1754,7 +1751,7 @@ return {
 },
 'valid_not_before',
 'valid_not_after',
-'sha1_fingerprint',
+'sha256_fingerprint',
 {
 $type: 'revocation_reason',
 name: 'revocation_reason'
diff --git a/install/ui/test/data/cert_request.json b/install/ui/test/data/cert_request.json
index f8d8544..d0f09e5 100644
--- a/install/ui/test/data/cert_request.json
+++ b/install/ui/test/data/cert_request.json
@@ -7,7 +7,7 @@
 "issuer": "CN=Certificate Authority,O=EXAMPLE.COM",
 "request_id": "1",
 "serial_number": "1",
-"sha1_fingerprint": "b8:4c:4b:79:4f:13:03:79:47:08:fa:6b:52:63:3d:f9:15:8e:7e:dc",
+"sha256_fingerprint": "0f:3c:77:ed:c7:2b:09:5a:27:88:26:ca:91:e0:81:26:70:14:b1:cd:8e:fe:19:79:42:18:1b:02:07:70:25:30",
 "subject": "CN=dev.example.com,O=EXAMPLE.COM",
 "valid_not_after": "Tue Oct 13 01:59:32 2015 UTC",
 "valid_not_before": "Wed Oct 13

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-23 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
Hopefully all issues were addressed + `radb` removed. If the Travis check 
passes then this is ready for review again.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-282074914
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Martin Basti 



On 23.02.2017 15:09, Tomas Krizek wrote:

On 02/22/2017 01:44 PM, Fraser Tweedale wrote:

On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:

On 02/22/2017 12:28 AM, Fraser Tweedale wrote:

On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:

On 02/21/2017 04:24 PM, Tomas Krizek wrote:

On 02/21/2017 03:23 PM, Rob Crittenden wrote:

Standa Laznicka wrote:

Hello,

Since we're trying to make FreeIPA work in FIPS we got to the point
where we need to do something with MD5 fingerprints in the cert plugin.
Eventually we came to a realization that it'd be best to get rid of them
as a whole. These are counted by the framework and are not stored
anywhere. Note that alongside with these fingerprints SHA1 fingerprints
are also counted and those are there to stay.

The question for this ML is, then - is it OK to remove these or would
you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
grandpa and I think it should go.

I based the values displayed on what certutil displayed at the time (7
years ago). I don't know that anyone uses these fingerprints. The
OpenSSL equivalent doesn't include them by default.

You may be able to deprecate fingerprints altogether.

rob

I think it's useful to display the certificate's fingerprint. I'm in
favor of removing md5 and adding sha256 instead.


Rob, thank you for sharing the information of where the cert fingerprints
are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
SHA-256 and SHA1 fingerprints for certificates so I propose going that way
too.


IMO we should remove MD5 and SHA-1, and add SHA-256.  But we should
also make no API stability guarantee w.r.t. the fingerprint
attributes, i.e. to allow us to move to newer digests in future (and
remove broken/no-longer-secure ones).  We should advise that if a
customer has a hard requirement on a particular digest that they
should compute it themselves from the certificate.

Cheers,
Fraser

What is the motivation to remove SHA-1? Are there any attacks besides
theoretical ones on SHA-1?

Do other libraries already deprecate SHA-1?


Come to think of it, I was thinking about SHA-1 signatures (which
are completely forbidden in the public PKI nowadays).  But for
fingerprints it is not so bad (for now).

Thanks,
Fraser

Actually, there's been a practical SHA1 attack just published [1].
Computational complexity was
9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
on a single GPU.

Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256.

[1] - https://shattered.io/





I think we should wait with removal SHA1, don't remove it prematurely. 
As MD5 is deprecated for very long time, SHA1 is not and we are not 
using it for any cryptographic operation nor certificates. It is just 
informational fingerprint.
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/dcb618152572ca013a447336e13d24399b5f7960
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/483#issuecomment-282069082
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#483][closed] lite-server: validate LDAP connection and cache schema

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/483
Author: tiran
 Title: #483: lite-server: validate LDAP connection and cache schema
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/483/head:pr483
git checkout pr483
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#483][+pushed] lite-server: validate LDAP connection and cache schema

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#482][+pushed] Remove MD5 certificate fingerprints

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

MartinBasti commented:
"""
needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/412#issuecomment-282069402
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#482][closed] Remove MD5 certificate fingerprints

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/482
Author: stlaz
 Title: #482: Remove MD5 certificate fingerprints
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/482/head:pr482
git checkout pr482
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][+pushed] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][closed] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/499
Author: tscherf
 Title: #499: added help about default value for --external-ca-type option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/499/head:pr499
git checkout pr499
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/573a0f1ffe5035b75fb88ee7752029e34c6b37af
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/499#issuecomment-282068837
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][+pushed] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][closed] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/498
Author: HonzaCholasta
 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/498/head:pr498
git checkout pr498
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/19060db1b8fa9d1d3e8f3ac3fcd1f387e9a39c94
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/498#issuecomment-282068566
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][comment] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

MartinBasti commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/498#issuecomment-282068296
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][+ack] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/498
Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/7] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  6 +++---
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index a35d18f..9595c9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,11 +9,9 @@ if WITH_IPATESTS
 endif
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-
-SUBDIRS = asn1 util client contrib po \
+SUBDIRS = asn1 util client contrib po pypi \
 	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
 
-
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 9ee281a..ebdd358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,6 +484,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy

[Freeipa-devel] [freeipa PR#479][synchronized] Merge AD trust installer into composite ones

2017-02-23 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From e24d7ffe6978328738cf37c69cd522a2324f0343 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 16 Feb 2017 14:06:08 +0100
Subject: [PATCH 01/12] Refactor the code checking for missing SIDs

Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630
---
 ipaserver/install/adtrust.py | 107 ++-
 1 file changed, 64 insertions(+), 43 deletions(-)

diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 92fe031..69e9834 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -168,6 +168,69 @@ def check_for_installed_deps():
 raise ScriptError("Aborting installation.")
 
 
+def retrieve_entries_without_sid(api):
+"""
+Retrieve a list of entries without assigned SIDs.
+:returns: a list of entries or an empty list if an error occurs
+"""
+# The filter corresponds to ipa_sidgen_task.c LDAP search filter
+filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
+ '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
+ '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
+base_dn = api.env.basedn
+try:
+root_logger.debug(
+"Searching for objects with missing SID with "
+"filter=%s, base_dn=%s", filter, base_dn)
+entries, _truncated = api.Backend.ldap2.find_entries(
+filter=filter, base_dn=base_dn, attrs_list=[''])
+return entries
+except errors.NotFound:
+# All objects have SIDs assigned
+pass
+except (errors.DatabaseError, errors.NetworkError) as e:
+print("Could not retrieve a list of objects that need a SID "
+  "identifier assigned:")
+print(unicode(e))
+
+return []
+
+
+def retrieve_and_ask_about_sids(api, options):
+entries = []
+if api.Backend.ldap2.isconnected():
+entries = retrieve_entries_without_sid(api)
+else:
+root_logger.debug(
+"LDAP backend not connected, can not retrieve entries "
+"with missing SID")
+
+object_count = len(entries)
+if object_count > 0:
+print("")
+print("WARNING: %d existing users or groups do not have "
+  "a SID identifier assigned." % len(entries))
+print("Installer can run a task to have ipa-sidgen "
+  "Directory Server plugin generate")
+print("the SID identifier for all these users. Please note, "
+  "the in case of a high")
+print("number of users and groups, the operation might "
+  "lead to high replication")
+print("traffic and performance degradation. Refer to "
+  "ipa-adtrust-install(1) man page")
+print("for details.")
+print("")
+if options.unattended:
+print("Unattended mode was selected, installer will "
+  "NOT run ipa-sidgen task!")
+else:
+if ipautil.user_input(
+"Do you want to run the ipa-sidgen task?",
+default=False,
+allow_empty=False):
+options.add_sids = True
+
+
 def install_check(standalone, options, api):
 global netbios_name
 global reset_netbios_name
@@ -225,49 +288,7 @@ def install_check(standalone, options, api):
 options.netbios_name, options.unattended, api)
 
 if not options.add_sids:
-# The filter corresponds to ipa_sidgen_task.c LDAP search filter
-filter = '(&(objectclass=ipaobject)(!(objectclass=mepmanagedentry))' \
- '(|(objectclass=posixaccount)(objectclass=posixgroup)' \
- '(objectclass=ipaidobject))(!(ipantsecurityidentifier=*)))'
-base_dn = api.env.basedn
-try:
-root_logger.debug(
-"Searching for objects with missing SID with "
-"filter=%s, base_dn=%s", filter, base_dn)
-entries, _truncated = api.Backend.ldap2.find_entries(
-filter=filter, base_dn=base_dn, attrs_list=[''])
-except errors.NotFound:
-# All objects have SIDs assigned
-pass
-except (errors.DatabaseError, errors.NetworkError) as e:
-print("Could not retrieve a list of objects that need a SID "
-  "identifier assigned:")
-print(unicode(e))
-else:
-object_count = len(entries)
-if object_count > 0:
-print("")
-print("WARNING: %d existing users or groups do not have "

[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

2017-02-23 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139
From 18dc79dccc5e667a6de9d12136fa04eda9952628 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 09:54:24 +0200
Subject: [PATCH 01/14] Additional option to add and del operations can be set

By setting the property 'additional_add_del_field' to the name of one of
the fields which are on current details page, we choose field which value
will be added to  *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 7579bb0..d44f8c8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) {
 
 var that = IPA.table_widget(spec);
 
+/**
+ * The value should be name of the field, which will be added to *_add_*,
+ * *_del_* commands as option: {fieldname: fieldvalue}.
+ *
+ * @property {String} fieldname
+ */
+that.additional_add_del_field = spec.additional_add_del_field;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) {
 });
 command.set_option(that.other_entity.name, values);
 
+that.join_additional_option(command);
+
 command.execute();
 };
 
+that.join_additional_option = function(command) {
+var add_opt = that.additional_add_del_field;
+if (add_opt && typeof add_opt === 'string') {
+var opt_field = that.entity.facet.get_field(add_opt);
+var value;
+if (opt_field) value = opt_field.get_value()[0];
+
+command.set_option(add_opt, value);
+}
+};
+
 that.show_remove_dialog = function() {
 
 var selected_values = that.get_selected_values();
@@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) {
 });
 
 command.set_option(that.other_entity.name, values);
+that.join_additional_option(command);
 
 command.execute();
 };

From 7cdeea860d1f2698773e8c1763829fed45f9b754 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 10:09:20 +0200
Subject: [PATCH 02/14] Allow to set another other_entity name

Association table's add, del commands needs as option list of cn of
other_entity, which is added or deleted. There is a case (currently in vaults)
that the name of option is different than the name of other_entity.
In this situation we can set 'other_option_name' and put there the option name.
This option name will be used instead of 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index d44f8c8..63beeb8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -429,6 +429,17 @@ IPA.association_table_widget = function (spec) {
  */
 that.additional_add_del_field = spec.additional_add_del_field;
 
+/**
+ * Can be used in situations when the *_add_member command needs entity
+ * as a parameter, but parameter has different name than entity.
+ * i.e. vault_add_member --services=[values] ... this needs values from service
+ * entity, but option is called services, that we can set by setting
+ * this option in spec to other_option_name: 'services'
+ *
+ * @property other_option_name {String}
+ */
+that.other_option_name = spec.other_option_name;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -683,9 +694,9 @@ IPA.association_table_widget = function (spec) {
 on_success: on_success,
 on_error: on_error
 });
-command.set_option(that.other_entity.name, values);
 
 that.join_additional_option(command);
+that.handle_entity_option(command, values);
 
 command.execute();
 };
@@ -701,6 +712,14 @@ IPA.association_table_widget = function (spec) {
 }
 };
 
+that.handle_entity_option = function(command, values) {
+var option_name = that.other_option_name;
+if (!option_name) {
+option_name = that.other_entity.name;
+}
+

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2017-02-23 Thread pvomacka 
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvomacka commented:
"""
@tiran Yes, rebased.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-282060928
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

tiran commented:
"""
@MartinBasti you approved this PR a month ago but it has neither the ACK flag 
nor was it merged.

@pvomacka Your work would be useful for my Custodia Vault work. Can you rebase 
this PR to master to verify it still works?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-282053796
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#483][+ack] lite-server: validate LDAP connection and cache schema

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#483][comment] lite-server: validate LDAP connection and cache schema

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/483
Title: #483: lite-server: validate LDAP connection and cache schema

MartinBasti commented:
"""
Code looks good to me, as far as this is just code for developers I assume that 
@tiran tested it enough, so ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/483#issuecomment-282045305
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

tiran commented:
"""
I have postponed the ```ipacommands``` part. Placeholders are covered by #472.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-282044669
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#379][+postponed] Packaging: Add placeholder and IPA commands packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

Label: +postponed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/7] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  6 +++---
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index a35d18f..9595c9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,11 +9,9 @@ if WITH_IPATESTS
 endif
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-
-SUBDIRS = asn1 util client contrib po \
+SUBDIRS = asn1 util client contrib po pypi \
 	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
 
-
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 9ee281a..ebdd358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,6 +484,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy

[Freeipa-devel] [freeipa PR#482][comment] Remove MD5 certificate fingerprints

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

tomaskrizek commented:
"""
ACK, there is no disagreement on the freeipa-devel.

I'm already working on replacing SHA1 with SHA256 given the [recent 
events](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/482#issuecomment-282014171
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#482][+ack] Remove MD5 certificate fingerprints

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/482
Title: #482: Remove MD5 certificate fingerprints

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 41acd1dc09f5ed5c03620f51e8e7a502c548ee47 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/5] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  6 +++---
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index a35d18f..9595c9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,11 +9,9 @@ if WITH_IPATESTS
 endif
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-
-SUBDIRS = asn1 util client contrib po \
+SUBDIRS = asn1 util client contrib po pypi \
 	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
 
-
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 9ee281a..ebdd358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,6 +484,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy

Re: [Freeipa-devel] MD5 certificate fingerprints removal

2017-02-23 Thread Tomas Krizek 
On 02/22/2017 01:44 PM, Fraser Tweedale wrote:
> On Wed, Feb 22, 2017 at 01:41:22PM +0100, Tomas Krizek wrote:
>> On 02/22/2017 12:28 AM, Fraser Tweedale wrote:
>>> On Tue, Feb 21, 2017 at 05:23:07PM +0100, Standa Laznicka wrote:
 On 02/21/2017 04:24 PM, Tomas Krizek wrote:
> On 02/21/2017 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> Since we're trying to make FreeIPA work in FIPS we got to the point
>>> where we need to do something with MD5 fingerprints in the cert plugin.
>>> Eventually we came to a realization that it'd be best to get rid of them
>>> as a whole. These are counted by the framework and are not stored
>>> anywhere. Note that alongside with these fingerprints SHA1 fingerprints
>>> are also counted and those are there to stay.
>>>
>>> The question for this ML is, then - is it OK to remove these or would
>>> you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a
>>> grandpa and I think it should go.
>> I based the values displayed on what certutil displayed at the time (7
>> years ago). I don't know that anyone uses these fingerprints. The
>> OpenSSL equivalent doesn't include them by default.
>>
>> You may be able to deprecate fingerprints altogether.
>>
>> rob
> I think it's useful to display the certificate's fingerprint. I'm in
> favor of removing md5 and adding sha256 instead.
>
 Rob, thank you for sharing the information of where the cert fingerprints
 are originated! `certutil` shipped with nss-3.27.0-1.3 currently displays
 SHA-256 and SHA1 fingerprints for certificates so I propose going that way
 too.

>>> IMO we should remove MD5 and SHA-1, and add SHA-256.  But we should
>>> also make no API stability guarantee w.r.t. the fingerprint
>>> attributes, i.e. to allow us to move to newer digests in future (and
>>> remove broken/no-longer-secure ones).  We should advise that if a
>>> customer has a hard requirement on a particular digest that they
>>> should compute it themselves from the certificate.
>>>
>>> Cheers,
>>> Fraser
>> What is the motivation to remove SHA-1? Are there any attacks besides
>> theoretical ones on SHA-1?
>>
>> Do other libraries already deprecate SHA-1?
>>
> Come to think of it, I was thinking about SHA-1 signatures (which
> are completely forbidden in the public PKI nowadays).  But for
> fingerprints it is not so bad (for now).
>
> Thanks,
> Fraser
Actually, there's been a practical SHA1 attack just published [1].
Computational complexity was
9,223,372,036,854,775,808 SHA1 computations, which takes about 110 years
on a single GPU.

Therefore, I'm in favor to deprecate SHA1 as well and provide only SHA256.

[1] - https://shattered.io/

-- 
Tomas Krizek




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#484][closed] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni 
   URL: https://github.com/freeipa/freeipa/pull/484
Author: stlaz
 Title: #484: FIPS: Remove pkispawn cruft
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/484/head:pr484
git checkout pr484
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni 
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/728a6bd4229ba170b2e94f216127b19d5d94e2ba
https://fedorahosted.org/freeipa/changeset/a39effed7603d66acd238e3142f4df8081ff7bc8
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281997170
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#484][+pushed] FIPS: Remove pkispawn cruft

2017-02-23 Thread pvoborni 
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

MartinBasti commented:
"""
Thanks!
Next time please use `git push --force` to update current pull request instead 
creating a new one.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#497][+rejected] added more meaningful help for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/497
Title: #497: added more meaningful help for --external-ca-type option

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/497
Title: #497: added more meaningful help for --external-ca-type option

MartinBasti commented:
"""
Replaced by #499 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/497#issuecomment-281995516
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][+ack] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#499][comment] added help about default value for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/499
Title: #499: added help about default value for --external-ca-type option

MartinBasti commented:
"""
Thanks!
Next time please use 'git push --force' to update current pull request instead 
a creating a new one.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/499#issuecomment-281995320
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
Commit 1f8326aa fixes an issue in ```Makefile.python.am```. I think the issue 
caused ```ipaplatform``` and ```pypi/ipaplatform``` to cross streams.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281989060
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#412][+ack] Define template version in certmap.conf

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

tomaskrizek commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/412#issuecomment-28194
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 4adaffb04e8fea15feb661611e2eaef71c9b6fd8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/5] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  6 +++---
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index a35d18f..9595c9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,11 +9,9 @@ if WITH_IPATESTS
 endif
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-
-SUBDIRS = asn1 util client contrib po \
+SUBDIRS = asn1 util client contrib po pypi \
 	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
 
-
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 9ee281a..ebdd358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,6 +484,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy

[Freeipa-devel] [freeipa PR#499][opened] added help about default value for --external-ca-type option

2017-02-23 Thread tscherf 
   URL: https://github.com/freeipa/freeipa/pull/499
Author: tscherf
 Title: #499: added help about default value for --external-ca-type option
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/499/head:pr499
git checkout pr499
From 9932ec8f32e0d36af4a4b2a825bb4f1b7cecf540 Mon Sep 17 00:00:00 2001
From: Thorsten Scherf 
Date: Thu, 23 Feb 2017 14:09:39 +0100
Subject: [PATCH] added help about default value for --external-ca-type option

---
 install/tools/ipa-ca-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 5e425f8..c05abb9 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -65,7 +65,7 @@ def parse_options():
 parser.add_option("--external-ca-type", dest="external_ca_type",
   type="choice", choices=ext_cas,
   metavar="{{{0}}}".format(",".join(ext_cas)),
-  help="Type of the external CA")
+  help="Type of the external CA. Default: generic")
 parser.add_option("--external-cert-file", dest="external_cert_files",
   action="append", metavar="FILE",
   help="File containing the IPA CA certificate and the external CA certificate chain")
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#497][closed] added more meaningful help for --external-ca-type option

2017-02-23 Thread tscherf 
   URL: https://github.com/freeipa/freeipa/pull/497
Author: tscherf
 Title: #497: added more meaningful help for --external-ca-type option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/497/head:pr497
git checkout pr497
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#498][opened] compat: fix `Any` params in `batch` and `dnsrecord`

2017-02-23 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/498
Author: HonzaCholasta
 Title: #498: compat: fix `Any` params in `batch` and `dnsrecord`
Action: opened

PR body:
"""
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/498/head:pr498
git checkout pr498
From 3936af7513c1f39de254db05a9fbb8f3395dfaa6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 13:04:19 +
Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord`

The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647
---
 ipaclient/remote_plugins/2_114/batch.py | 2 +-
 ipaclient/remote_plugins/2_114/dns.py   | 2 +-
 ipaclient/remote_plugins/2_156/batch.py | 2 +-
 ipaclient/remote_plugins/2_156/dns.py   | 2 +-
 ipaclient/remote_plugins/2_164/batch.py | 2 +-
 ipaclient/remote_plugins/2_164/dns.py   | 2 +-
 ipaclient/remote_plugins/2_49/batch.py  | 2 +-
 ipaclient/remote_plugins/2_49/dns.py| 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
index 4a613b6..2709e59 100644
--- a/ipaclient/remote_plugins/2_114/batch.py
+++ b/ipaclient/remote_plugins/2_114/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
 NO_CLI = True
 
 takes_args = (
-parameters.Str(
+parameters.Any(
 'methods',
 required=False,
 multivalue=True,
diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
index 5d91dbc..acb8a65 100644
--- a/ipaclient/remote_plugins/2_114/dns.py
+++ b/ipaclient/remote_plugins/2_114/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
 'dnsclass',
 required=False,
 ),
-parameters.Str(
+parameters.Any(
 'dnsrecords',
 required=False,
 label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
index 4a613b6..2709e59 100644
--- a/ipaclient/remote_plugins/2_156/batch.py
+++ b/ipaclient/remote_plugins/2_156/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
 NO_CLI = True
 
 takes_args = (
-parameters.Str(
+parameters.Any(
 'methods',
 required=False,
 multivalue=True,
diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
index 39a0b26..bbfaa9f 100644
--- a/ipaclient/remote_plugins/2_156/dns.py
+++ b/ipaclient/remote_plugins/2_156/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
 'dnsclass',
 required=False,
 ),
-parameters.Str(
+parameters.Any(
 'dnsrecords',
 required=False,
 label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
index 4a613b6..2709e59 100644
--- a/ipaclient/remote_plugins/2_164/batch.py
+++ b/ipaclient/remote_plugins/2_164/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
 NO_CLI = True
 
 takes_args = (
-parameters.Str(
+parameters.Any(
 'methods',
 required=False,
 multivalue=True,
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
index b07a94f..244be87 100644
--- a/ipaclient/remote_plugins/2_164/dns.py
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -326,7 +326,7 @@ class dnsrecord(Object):
 'dnsclass',
 required=False,
 ),
-parameters.Str(
+parameters.Any(
 'dnsrecords',
 required=False,
 label=_(u'Records'),
diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
index a1f351d..67e5978 100644
--- a/ipaclient/remote_plugins/2_49/batch.py
+++ b/ipaclient/remote_plugins/2_49/batch.py
@@ -50,7 +50,7 @@ class batch(Command):
 NO_CLI = True
 
 takes_args = (
-parameters.Str(
+parameters.Any(
 'methods',
 required=False,
 multivalue=True,
diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
index 07cef75..4b543a2 100644
--- a/ipaclient/remote_plugins/2_49/dns.py
+++ b/ipaclient/remote_plugins/2_49/dns.py
@@ -256,7 +256,7 @@ class dnsrecord(Object):
 label=_(u'Class'),
 doc=_(u'DNS class'),
 ),
-parameters.Str(
+parameters.Any(
 'dnsrecords',
 required=False,
 label=_(u'Records'),
-- 
Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/497
Title: #497: added more meaningful help for --external-ca-type option

MartinBasti commented:
"""
This is already fixed in master, however it missed what is the default value

```
  --external-ca-type={generic,ms-cs}
Type of the external CA
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/497#issuecomment-281983727
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#497][comment] added more meaningful help for --external-ca-type option

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/497
Title: #497: added more meaningful help for --external-ca-type option

MartinBasti commented:
"""
This is already fixed in master, however it missed what is the default value

```
  --external-ca-type={generic,ms-cs}
Type of the external CA
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/497#issuecomment-281983727
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#497][opened] added more meaningful help for --external-ca-type option

2017-02-23 Thread tscherf 
   URL: https://github.com/freeipa/freeipa/pull/497
Author: tscherf
 Title: #497: added more meaningful help for --external-ca-type option
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/497/head:pr497
git checkout pr497
From f0dccbc6c997e5410f355e96a48bd568658decec Mon Sep 17 00:00:00 2001
From: Thorsten Scherf 
Date: Thu, 23 Feb 2017 13:48:29 +0100
Subject: [PATCH] added more meaningful help for --external-ca-type option

---
 install/tools/ipa-ca-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 5e425f8..7e29c9a 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -65,7 +65,7 @@ def parse_options():
 parser.add_option("--external-ca-type", dest="external_ca_type",
   type="choice", choices=ext_cas,
   metavar="{{{0}}}".format(",".join(ext_cas)),
-  help="Type of the external CA")
+  help="Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic")
 parser.add_option("--external-cert-file", dest="external_cert_files",
   action="append", metavar="FILE",
   help="File containing the IPA CA certificate and the external CA certificate chain")
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#484][+ack] FIPS: Remove pkispawn cruft

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#484][comment] FIPS: Remove pkispawn cruft

2017-02-23 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/484
Title: #484: FIPS: Remove pkispawn cruft

tomaskrizek commented:
"""
Works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/484#issuecomment-281979229
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] make causes unsolicited changes to PO files

2017-02-23 Thread Christian Heimes 
Hi,

for a while make causes unsolicited modifications to all translation
files. I have to reset all PO files a couple of times a day during
development:

git checkout -- po/*.po

It's slowly wearing me off. I opened ticket
https://fedorahosted.org/freeipa/ticket/6605 a while ago. It contains
more details and a reproducer.

Regards,
Christian



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][synchronized] vault: cache the transport certificate on client

2017-02-23 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
 Title: #476: vault: cache the transport certificate on client
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476
From a8e1704ef4055b7d8083b99367b53dbdf95c475f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 17 Feb 2017 11:25:17 +0100
Subject: [PATCH] vault: cache the transport certificate on client

Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.

https://fedorahosted.org/freeipa/ticket/6652
---
 ipaclient/plugins/vault.py   | 161 +++
 ipaclient/remote_plugins/__init__.py |   3 +-
 ipaclient/remote_plugins/schema.py   |  12 +--
 ipalib/constants.py  |  14 +++
 4 files changed, 143 insertions(+), 47 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 9efb1f1..ebfb129 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -20,29 +20,41 @@
 from __future__ import print_function
 
 import base64
+import errno
 import getpass
 import io
 import json
 import os
 import sys
+import tempfile
 
 from cryptography.fernet import Fernet, InvalidToken
 from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.serialization import load_pem_public_key,\
 load_pem_private_key
 
 import nss.nss as nss
+import six
 
 from ipaclient.frontend import MethodOverride
+from ipalib import x509
+from ipalib.constants import USER_CACHE_PATH
 from ipalib.frontend import Local, Method, Object
 from ipalib.util import classproperty
 from ipalib import api, errors
 from ipalib import Bytes, Flag, Str
 from ipalib.plugable import Registry
 from ipalib import _
+from ipapython.dnsutil import DNSName
+from ipapython.ipa_log_manager import log_mgr
+
+logger = log_mgr.get_logger(__name__)
+
+TRANSPORT_CERT_CACHE_PATH = (
+os.path.join(USER_CACHE_PATH, 'ipa', 'kra-transport-certs'))
 
 
 def validated_read(argname, filename, mode='r', encoding=None):
@@ -568,6 +580,115 @@ def forward(self, *args, **options):
 return response
 
 
+class _TransportCertInvalid(Exception):
+def __init__(self, exc_info):
+self.exc_info = exc_info
+
+
+_transport_cert_cache = {}
+
+
+class ModVaultData(Local):
+def _do_internal(self, mechanism, session_key, transport_cert_der,
+ *args, **options):
+nss_transport_cert = nss.Certificate(transport_cert_der)
+
+# wrap session key with transport certificate
+# pylint: disable=no-member
+public_key = nss_transport_cert.subject_public_key_info.public_key
+# pylint: enable=no-member
+wrapped_session_key = nss.pub_wrap_sym_key(mechanism,
+   public_key,
+   session_key)
+
+options['session_key'] = wrapped_session_key.data
+
+name = self.name + '_internal'
+try:
+return self.api.Command[name](*args, **options)
+except errors.NotFound:
+raise
+except (errors.InternalError,
+errors.ExecutionError,
+errors.GenericError):
+raise _TransportCertInvalid(sys.exc_info())
+
+def internal(self, mechanism, session_key, *args, **options):
+"""
+Calls the internal counterpart of the command.
+"""
+domain = self.api.env.domain
+dirname = TRANSPORT_CERT_CACHE_PATH
+basename = DNSName(domain).ToASCII() + '.pem'
+filename = os.path.join(dirname, basename)
+
+# get transport cert from cache
+transport_cert_der = _transport_cert_cache.get(domain)
+if transport_cert_der is None:
+try:
+try:
+transport_cert = x509.load_certificate_from_file(filename)
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+else:
+transport_cert_der = transport_cert.public_bytes(
+serialization.Encoding.DER)
+except Exception:
+logger.warning("Failed to load %s: %s", filename,
+   exc_info=True)
+
+# try call with the cached transport cert, uncache it if unsuccessful
+if transport_cert_der is not None:
+try:
+return self._do_internal(mechanism,
+ session_key,
+ transport_cert_der,
+

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
The old pylint issue is back
```
* Module ipaserver.install.installutils
ipaserver/install/installutils.py:1209: [E1101(no-member), store_version] 
Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1221: [E1101(no-member), check_version] 
Module 'ipaplatform' has no 'NAME' member)
ipaserver/install/installutils.py:1224: [E1101(no-member), check_version] 
Module 'ipaplatform' has no 'NAME' member)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281970741
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Release: script for updating contributors

2017-02-23 Thread Martin Basti 



On 23.02.2017 12:31, Martin Kosek wrote:

Hi all,

Based on my recent Contributors.txt update and on Martin Basti's request in the
pull request:
https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080

I added my (hacky) script for updating the file in the freeipa-tools repo and
updated our Release page:

http://www.freeipa.org/page/Release#Update_Contributors.txt

HTH!



+1, Thank you!

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Release: script for updating contributors

2017-02-23 Thread Martin Kosek 
Hi all,

Based on my recent Contributors.txt update and on Martin Basti's request in the
pull request:
https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080

I added my (hacky) script for updating the file in the freeipa-tools repo and
updated our Release page:

http://www.freeipa.org/page/Release#Update_Contributors.txt

HTH!

-- 
Martin Kosek 
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults

2017-02-23 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
 Title: #492: [WIP] config: remove meaningless defaults
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/492/head:pr492
git checkout pr492
From a5bfc0b734466ea5a8a9447fd1a916fa85462922 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:44:04 +
Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP
 connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
---
 ipaserver/plugins/migration.py | 15 +--
 ipaserver/plugins/user.py  | 11 ---
 2 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 72abd14..e8d102a 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -28,13 +28,9 @@
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-try:
-from ipaserver.plugins.ldap2 import ldap2
-except Exception as e:
-raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options):
 return dict(result={}, failed={}, enabled=False, compat=True)
 
 # connect to DS
-ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
 cacert = None
 if options.get('cacertfile') is not None:
 # store CA cert into file
@@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options):
 cacert = tmp_ca_cert_f.name
 
 # start TLS connection
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-cacert=cacert)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 tmp_ca_cert_f.close()
 else:
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 # check whether the compat plugin is enabled
 if not options.get('compat'):
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 88171cf..4c4b7d3 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -21,7 +21,6 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
 
 import six
 
@@ -62,12 +61,10 @@
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
 unicode = str
 
@@ -1115,9 +1112,9 @@ def execute(self, *keys, **options):
 if host == api.env.host:
 other_ldap = self.obj.backend
 else:
-other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
 try:
-other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+other_ldap.gssapi_bind()
 except Exception as e:
 self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
 newresult = {'dn': dn}
@@ -1162,7 +1159,7 @@ def execute(self, *keys, **options):
 count += 1
 
 if host != api.env.host:
-other_ldap.disconnect()
+other_ldap.close()
 
 return dict(result=entries,
 count=count,

From f77a3d6f811c20e46b6a61e4e8a20b1e447b0ed5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:52:51 +
Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc
 ldap2 connections

Use the default URI from api.env.ldap_uri, as it is the same as the URI
provided using the argument.
---
 ipaserver/install/cainstance.py  | 19 +--
 ipaserver/install/krainstance.py |  4 +---
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3c86b91..b79b432 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -703,9 +703,7 @@ def __create_ca_agent(self):
 cert = x509.load_certificate(cert_data, x509.DER)
 
 # connect to CA database
-server_id =

[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-23 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
Some more fixes for Travis to check.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-281950085
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
@MartinBasti I dropped the last commit. make check no longer checks wheel 
packages.

I'm going to open a new ticket for @martbab and ask him to add to add a proper 
test for wheel building to his awesome container magic.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281946900
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 4adaffb04e8fea15feb661611e2eaef71c9b6fd8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/4] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  6 +++---
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index a35d18f..9595c9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,11 +9,9 @@ if WITH_IPATESTS
 endif
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-
-SUBDIRS = asn1 util client contrib po \
+SUBDIRS = asn1 util client contrib po pypi \
 	$(IPACLIENT_SUBDIRS) ipaplatform $(IPATESTS_SUBDIRS) $(SERVER_SUBDIRS)
 
-
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
 		   ipasetup.pyc ipasetup.pyo \
@@ -217,6 +215,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 9ee281a..ebdd358 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,6 +484,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-02-23 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From cff6590500682cde35148542cf7f078a31ca34a2 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/6] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From b094db2321ef425bb14fb031247a2af89f1d6b90 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/6] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 95ba5eb..acdae5a 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -60,12 +60,6 @@
 "pyldap",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
-

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
@tiran I thought we agreed on having `with_wheels` in specfile and install 
dependencies only when you want to build wheel packages, what is not the case 
of RHEL. So what is the issue with python-wheel?

My only concern it to not run wheel build in make check
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281943814
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split

2017-02-23 Thread Timo Aaltonen 
On 20.02.2017 20:24, Alexander Bokovoy wrote:
> On la, 18 helmi 2017, Timo Aaltonen wrote:
>>
>> Hi,
>>
>> So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver,
>> but dcerpc.py imports python-samba which -ipaserver does not depend on.
>> So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad
>> on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that
>> ipa-server-install wants to import adtrustinstance and fails to run if
>> it's not installed.
>>
>> Traceback (most recent call last):
>>  File "/usr/sbin/ipa-server-install", line 25, in 
>>from ipaserver.install.server import Server
>>  File
>> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py",
>> line 8, in 
>>from .upgrade import upgrade_check, upgrade
>>  File
>> "/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
>> line 49, in 
>>from ipaserver.install import adtrustinstance
>> ImportError: cannot import name adtrustinstance
>>
>>
>> So what to do here? I can't remember exactly what problems I hit when
>> everything was in python-ipaserver while testing 4.3.0, but I think they
>> were about the samba stuff.. and don't want to test again without asking
>> first. Should the upgrader stuff be split?
> I think we simply can move ipa_smb_conf_exists() to ipapython or ipalib.
> It only needs to read a config file and check a signature. Signature
> could be
> moved to constants. Then ipa_smb_conf_exists() can be imported in both
> upgrade tool and in adtrustinstance.
> 
> Want to make a PR?

Well, maybe I'll first try moving adtrustinstance/dcerpc stuff back to
python-ipaserver and see if something breaks with the current version
and then perhaps fix that instead.

t


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-23 Thread sumit-bose 
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

sumit-bose commented:
"""
Ok, sorry for the noise, I tested on a fresh install again and now it is 
working as expected. I guess I shouldn't have tried to update from an older 
version of your patch to a newer one.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-281939524
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

MartinBasti commented:
"""
If script for generating contributors file was published it may be documented 
in releasing page and it may be part of each release.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/493#issuecomment-281938080
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][+pushed] Update Contributors.txt

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b367c3a622c8c8b96777e4ce50334d2a4477bbe7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/493#issuecomment-281937859
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][closed] Update Contributors.txt

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/493
Author: mkosek
 Title: #493: Update Contributors.txt
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/493/head:pr493
git checkout pr493
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#495][comment] Fix ipa-server-upgrade

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/32076df10231b381a80c9ef850c2c31d7a25feb8
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/495#issuecomment-281937465
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#496][closed] Use newer Certificate.serial_number in krainstance.py

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/496
Author: stlaz
 Title: #496: Use newer Certificate.serial_number in krainstance.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/496/head:pr496
git checkout pr496
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#495][closed] Fix ipa-server-upgrade

2017-02-23 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/495
Author: stlaz
 Title: #495: Fix ipa-server-upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/495/head:pr495
git checkout pr495
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#495][+pushed] Fix ipa-server-upgrade

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/495
Title: #495: Fix ipa-server-upgrade

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8c2cd66269d7be976ae7fc990343ed8e9b5282a3
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/496#issuecomment-281937212
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#496][+pushed] Use newer Certificate.serial_number in krainstance.py

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#439][+postponed] [WIP] [Py3] testing both py2/py3 in travis

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/439
Title: #439: [WIP] [Py3] testing both py2/py3 in travis

Label: +postponed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#460][+postponed] [Py3] ipa-server-install, ipa-server-upgrade fixes

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/460
Title: #460: [Py3] ipa-server-install, ipa-server-upgrade fixes

Label: +postponed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread lslebodn 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
NACK for downstream patch. The intentin of build system refactoring was make 
packaging in downstream simpler.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281935052
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread lslebodn 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
NACK for downstream patch. The intentin of build system refactoring was make 
packaging in downstream simpler.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281935052
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread pvoborni 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

pvoborni commented:
"""
Some distros like RHEL doesn't have python-wheel packaged. It can be disabled 
by downstream patch, but better would be to remove it or make it configurable.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281934554
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][+ack] Update Contributors.txt

2017-02-23 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#493][comment] Update Contributors.txt

2017-02-23 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/493
Title: #493: Update Contributors.txt

stlaz commented:
"""
I don't give two poops and a popsicle about the order of names in the 
Contributors.txt file. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/493#issuecomment-281934226
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread lslebodn 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
FYI: At the moment, `make check` run just C-based unit test and all of them are 
optional.
If required dependency is not found at configure time then test is not 
build/executed.

The reason is that required dependencies are not in some downstream 
distributions and IIRC python-wheel is not there either.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281933816
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
I didn't know about the ```SkipPluginModule``` feature. I agree with you, your 
solution is more elegant.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-281932095
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#412][comment] Define template version in certmap.conf

2017-02-23 Thread flo-renaud 
  URL: https://github.com/freeipa/freeipa/pull/412
Title: #412: Define template version in certmap.conf

flo-renaud commented:
"""
Bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/412#issuecomment-281931336
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
That's not the point here. We are arguing about a new build dependency 
(python-wheel).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281930993
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread lslebodn 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

lslebodn commented:
"""
I agree with @MartinBasti it is not a unit test.
IMHO better approach is to test it in CI/travis/...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281929628
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#496][+ack] Use newer Certificate.serial_number in krainstance.py

2017-02-23 Thread flo-renaud 
  URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
I'm open to suggestions here, but I like to have automatic validation of 
packaging.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281928143
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#496][comment] Use newer Certificate.serial_number in krainstance.py

2017-02-23 Thread flo-renaud 
  URL: https://github.com/freeipa/freeipa/pull/496
Title: #496: Use newer Certificate.serial_number in krainstance.py

flo-renaud commented:
"""
Hi @stlaz ,

the warning 
`/usr/lib/python2.7/site-packages/ipaserver/install/krainstance.py:316: 
DeprecationWarning: Certificate serial is deprecated, use serial_number instead.
` is not present anymore.
ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/496#issuecomment-281928293
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Is really needed to have this is make check? It makes build dependencies of 
wheel mandratory not optional

```
error: invalid command 'bdist_wheel'
make[5]: *** [bdist_wheel] Error 1
Makefile:591: recipe for target 'bdist_wheel' failed
make[5]: Leaving directory 
'/freeipa/rpmbuild/BUILD/freeipa-4.4.90.dev201702221837+git07cd377/pypi/freeipa'
Makefile:1192: recipe for target 'wheel_placeholder' failed
make[4]: *** [wheel_placeholder] Error 1
make[4]: *** Waiting for unfinished jobs
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281926018
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-23 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Is really needed to have this is make check? It makes build dependencies of 
wheel mandratory not optional

```
error: invalid command 'bdist_wheel'
make[5]: *** [bdist_wheel] Error 1
Makefile:591: recipe for target 'bdist_wheel' failed
make[5]: Leaving directory 
'/freeipa/rpmbuild/BUILD/freeipa-4.4.90.dev201702221837+git07cd377/pypi/freeipa'
Makefile:1192: recipe for target 'wheel_placeholder' failed
make[4]: *** [wheel_placeholder] Error 1
make[4]: *** Waiting for unfinished jobs
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-281926018
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code