Re: [Freeipa-devel] [PATCH] 468 Make ipa-client-automount backwards compatible
On 04/01/2014 07:33 PM, Rob Crittenden wrote: Martin Kosek wrote: ipa-client-automount calls automountlocation-show command during the process. Unfortunately, FreeIPA commands are forward compatible only and thus fail the installer. Similarly to ipa-client-install, call XML-RPC interface directly with version fixed to 2.0 (command was already available at that version) to fix the failure. https://fedorahosted.org/freeipa/ticket/4290 ACK. Tested F-20 client against RHEL 6.5 server. rob Thanks. Pushed to: master: 66fb4d5e849a049e95d3ef4fcf2b86217488634d ipa-3-3: ee2fac9bee6728facfa4525b8f97585f7030a14c Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 260 Fix update_ca_renewal_master plugin on CA-less installs
Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4294. Honza -- Jan Cholasta From b0e3b7c855b517ef75abd3d9eac4d5db63ef4767 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 2 Apr 2014 10:28:00 +0200 Subject: [PATCH] Fix update_ca_renewal_master plugin on CA-less installs. This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 --- ipaserver/install/plugins/ca_renewal_master.py | 79 +- 1 file changed, 53 insertions(+), 26 deletions(-) diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 2481fa7..b2a7ba7 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -18,9 +18,10 @@ # along with this program. If not, see http://www.gnu.org/licenses/. from ipaserver.install.plugins.baseupdate import PostUpdate +from ipaserver.install import installutils, certs, cainstance from ipalib import errors from ipalib.plugable import Registry -from ipapython import certmonger +from ipapython import certmonger, dogtag from ipapython.dn import DN register = Registry() @@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate): def execute(self, **options): +ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR) +if not ca.is_configured(): +self.debug(CA is not configured on this host) +return (False, False, []) + ldap = self.obj.backend base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) 
@@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate): ('cert_nickname', 'ipaCert', None), ) request_id = certmonger.get_request_id(criteria) -if request_id is None: -self.error(certmonger request for ipaCert not found) -return (False, False, []) -ca_name = certmonger.get_request_value(request_id, 'ca_name') -if ca_name is None: -self.error(certmonger request for ipaCert is missing ca_name) -return (False, False, []) -ca_name = ca_name.strip() +if request_id is not None: +self.debug(found certmonger request for ipaCert) -if ca_name == 'dogtag-ipa-renew-agent': -dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) -update = { -dn: { -'dn': dn, -'updates': ['add:ipaConfigString: caRenewalMaster'], -}, -} -return (False, True, [update]) -elif ca_name == 'dogtag-ipa-retrieve-agent-submit': -return (False, False, []) -elif ca_name == 'dogtag-ipa-ca-renew-agent': -return (False, False, []) +ca_name = certmonger.get_request_value(request_id, 'ca_name') +if ca_name is None: +self.warning( +certmonger request for ipaCert is missing ca_name, +assuming local CA is renewal slave) +return (False, False, []) +ca_name = ca_name.strip() + +if ca_name == 'dogtag-ipa-renew-agent': +pass +elif ca_name == 'dogtag-ipa-retrieve-agent-submit': +return (False, False, []) +elif ca_name == 'dogtag-ipa-ca-renew-agent': +return (False, False, []) +else: +self.warning( +certmonger request for ipaCert has unknown ca_name '%s', +assuming local CA is renewal slave, ca_name) +return (False, False, []) else: -self.warning( -certmonger request for ipaCert has unknown ca_name \%s\, -assuming local CA is renewal slave, ca_name) -return (False, False, []) +self.debug(certmonger request for ipaCert not found) + +config = installutils.get_directive( +dogtag.configured_constants().CS_CFG_PATH, +'subsystem.select', '=') + +if config == 'New': +pass +elif config == 'Clone': +return (False, False, []) +else: +self.warning( +CS.cfg has unknown subsystem.select value '%s', +assuming local CA is 
renewal slave, config) +return (False, False, []) + +dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) +update = { +dn: { +'dn': dn, +'updates': ['add:ipaConfigString: caRenewalMaster'], +}, +} + +return (False, True, [update]) -- 1.8.5.3 ___ Freeipa-devel mailing list
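Review bot: in the `@@ -32,6 +33,11 @@` hunk, the `ca.is_configured()` guard is the actual fix for ticket 4294 but carries no comment saying so; add one (for example `# nothing to do on CA-less installs, see ticket 4294`) and make the debug message say that the plugin is being skipped rather than only stating that the CA is not configured, so the upgrade log on a CA-less master reads as intended behaviour and not as a problem.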
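Review bot: the `@@ -50,30 +56,51 @@` hunk changes what qualifies a host as renewal master, and the commit message does not say so: before, `ca_name == 'dogtag-ipa-renew-agent'` alone produced the `add:ipaConfigString: caRenewalMaster` update; now that branch only does `pass` and the host must additionally have `subsystem.select = New` in CS.cfg, while `Clone` returns `(False, False, [])`. Spell out in the commit message that a replica whose ipaCert is tracked by `dogtag-ipa-renew-agent` but whose CS.cfg says `Clone` will no longer be marked, since that affects existing installs, not only CA-less and ancient ones. The two `pass` branches are easy to misread as no-ops; a comment such as `# renewal master candidate, confirm against CS.cfg` above each would make the two-stage decision explicit. Finally, if `installutils.get_directive()` returns `None` when `subsystem.select` is absent, that case ends in the `unknown subsystem.select value` warning with the value printed as `None`; a dedicated message for a missing directive would be clearer.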
[Freeipa-devel] [PATCH 0001] Add basic trust and legacy client integration tests
Hi, this adds basic trust and legacy client integration tests to our Jenkins jobs repo. -- Tomas Babej Associate Software Engineer | Red Hat | Identity Management RHCE | Brno Site | IRC: tbabej | freeipa.org From 3dc23d1f4ee312e01eafb9677af2d97fdc40845b Mon Sep 17 00:00:00 2001 From: Tomas Babej tomasba...@gmail.com Date: Tue, 1 Apr 2014 14:43:05 +0200 Subject: [PATCH] Add basic trust and legacy client integration tests --- README| 4 jenkins-job-builder/freeipa-jobs.yaml | 38 +++ 2 files changed, 42 insertions(+) diff --git a/README b/README index 595a041df9d52cd7b4e3a9ee5f3d752f31bb4f91..952baf22a9216eb027bb2361d6e4078409974ca7 100644 --- a/README +++ b/README @@ -101,6 +101,10 @@ prepare-hosts: any other configuration. It also installs built packages on the machines. These are found in ./dist/rpms when prepare-hosts runs. +It also handles the assigment of static test nodes. These are +specified by using special role names, such as TRUST_IPA for IPA domain +that AD is configured to establish trusts with, or trust_master for the +actual IPA master. These fake values are substituted by the script. Output can be YAML or JSON. shutdown-hosts diff --git a/jenkins-job-builder/freeipa-jobs.yaml b/jenkins-job-builder/freeipa-jobs.yaml index 95f767496ff9106cbc92cc22d69619141e00f104..8d9aa4bfa9768b92c1495a2fca40f9d2fde7de5e 100644 --- a/jenkins-job-builder/freeipa-jobs.yaml +++ b/jenkins-job-builder/freeipa-jobs.yaml 
@@ -432,6 +432,44 @@ role: client name: ipa.test type: IPA +- freeipa-integration-{os}-{pretty_name}: +pretty_name: basic_trust +suite: test_integration/test_trust.py +config_template: | +domains: + - hosts: + - name: master.ipa.test +role: trust_master +name: ipa.test +type: TRUST_IPA + - hosts: + - name: ad +role: ad +name: ad.test +type: AD +- freeipa-integration-{os}-{pretty_name}: +pretty_name: legacy_clients +suite: test_integration/test_legacy_clients.py +config_template: | +domains: + - hosts: + - name: master.ipa.test +role: trust_master + - name: legacy_client_sssd_redhat.ipa.test +role: legacy_client_sssd_redhat + - name: legacy_client_nss_ldap_redhat.ipa.test +role: legacy_client_nss_ldap_redhat + - name: legacy_client_nss_pam_ldapd_redhat.ipa.test +role: legacy_client_nss_pam_ldapd_redhat +name: ipa.test +type: TRUST_IPA + - hosts: + - name: ad.ad.test +role: ad + - name: child.child.ad.test +role: ad_subdomain +name: ad.test +type: AD - job-template: name: freeipa-stats-{os} -- 1.8.5.3 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
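Review bot: typo in the added README paragraph: `assigment` should be `assignment`. The paragraph also says "such as" and names only `TRUST_IPA` and `trust_master`, so it is not clear whether `AD`, `ad`, `ad_subdomain` and the `legacy_client_*` roles used in the jobs hunk of this same patch are substituted by the script as well; list every special role name prepare-hosts rewrites, or point to where that list lives, so someone editing the YAML knows which values are real and which are placeholders.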
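Review bot: the AD host is named inconsistently between the two new job entries: `basic_trust` uses `- name: ad` while `legacy_clients` uses `- name: ad.ad.test`; every other host in both entries is a fully qualified name, so if the domain config expects FQDNs `basic_trust` should use `ad.ad.test` too. A short YAML comment at the first `type: TRUST_IPA` noting that it is a placeholder substituted by prepare-hosts (as the README hunk describes) would also save a reader a trip to the README.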
Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object
On 04/01/2014 12:03 PM, Jan Pazdziora wrote: On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote: Yes, that was the intention. Mistake on my part, I'll send updated patches. Updated patch attached. Ack based on reading the code and documentation for slapi_ch_free_string. Ok, thanks. Though I would like this patch to be also functionally tested that it does not break anything, ideally together with your other ipa-range patches. Martin
Re: [Freeipa-devel] [PATCH 0161] ipa-range-check: Fix memory leaks when freeing range object
On Wed, 02 Apr 2014, Martin Kosek wrote: On 04/01/2014 12:03 PM, Jan Pazdziora wrote: On Tue, Apr 01, 2014 at 10:05:39AM +0200, Tomas Babej wrote: Yes, that was the intention. Mistake on my part, I'll send updated patches. Updated patch attached. Ack based on reading the code and documentation for slapi_ch_free_string. Ok, thanks. Though I would like this patch to be also functionally tested that it does not break anything, ideally together with your other ipa-range patches. It is on my test list, don't worry. -- / Alexander Bokovoy
[Freeipa-devel] [PATCH 0017] Add wait_for_dns option to default.conf
Hello, Add wait_for_dns option to default.conf. This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol or until timeout. It is intended only for testing. It should prevent tests from failing if there is bigger delay between changes in LDAP and DNS. My personal recommendation is to use value 5 (for testing!). -- Petr^2 Spacek From 5509f954308b910a8b100aaf14239202f6635762 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 2 Apr 2014 11:04:07 +0200 Subject: [PATCH] Add wait_for_dns option to default.conf. This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol or until timeout. It is intended only for testing. It should prevent tests from failing if there is bigger delay between changes in LDAP and DNS. --- ipa-client/man/default.conf.5 | 9 ++ ipalib/constants.py | 1 + ipalib/errors.py | 18 ipalib/plugins/dns.py | 217 +- 4 files changed, 241 insertions(+), 4 deletions(-) diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index 5d5a48db62cb97e7424b42b6cb70d0c872b2bc34..c1ccf109e874907885fc3b51b63507c2b46b64ab 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 
@@ -178,6 +178,15 @@ Used internally in the IPA source package to verify that the API has not changed .B verbose boolean When True provides more information. Specifically this sets the global log level to info. .TP +.B wait_for_dns number of attempts +Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second. +.IP +The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts. +.IP +The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server. +.IP +Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present). +.TP .B xmlrpc_uri URI Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml .TP diff --git a/ipalib/constants.py b/ipalib/constants.py index 8fc04afcd5cb996830d81e2e9b9dcf3f58034ef2..6cc50eacf44678840ad0048a1ef60c05736879cb 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -139,6 +139,7 @@ DEFAULT_CONFIG = ( ('debug', False), ('startup_traceback', False), ('mode', 'production'), +('wait_for_dns', False), # CA plugin: ('ca_host', FQDN), # Set in Env._finalize_core() diff --git a/ipalib/errors.py b/ipalib/errors.py index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..311127f62e54017c85541d27276020a9f950ab0f 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py 
@@ -1512,6 +1512,24 @@ class DatabaseTimeout(DatabaseError): format = _('LDAP timeout') +class DNSDataMismatch(ExecutionError): + +**4212** Raised when an DNS query didn't return expected answer +in a configured time limit. + +For example: + + raise DNSDataMismatch(expected=zone3.test. 86400 IN A 192.0.2.1, \ + got=zone3.test. 86400 IN A 192.168.1.1) +Traceback (most recent call last): + ... +DNSDataMismatch: DNS check failed: Expected {zone3.test. 86400 IN A 192.0.2.1} got {zone3.test. 86400 IN A 192.168.1.1} + + +errno = 4212 +format = _('DNS check failed: Expected {%(expected)s} got {%(got)s}') + + class CertificateError(ExecutionError): **4300** Base class for Certificate execution errors (*4300 - 4399*). diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index c1b1b643420b190897f9c925eaa17d51c5082348..876f376195c8026546c1160ba9a6678390a40f2e 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -24,6 +24,7 @@ import netaddr import time import re import dns.name +import dns.resolver from ipalib.request import context from ipalib import api, errors, output @@ -248,6 +249,12 @@ _record_attributes = [str('%srecord' % t.lower()) for t in _record_types] # supported DNS classes, IN = internet, rest is almost never used _record_classes = (u'IN', u'CS', u'CH', u'HS') +# IN record class +_IN = dns.rdataclass.IN + +# NS record type +_NS = dns.rdatatype.from_text('NS') + def _rname_validator(ugettext, zonemgr): try: validate_zonemgr(zonemgr) @@ -2397,6 +2404,178 @@ class dnsrecord(LDAPObject): 'NS record except when located in a zone root '
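Review bot: the default.conf.5 hunk documents `wait_for_dns` as a `number of attempts` but only says the option is disabled when it is not present; since the constants.py default is `False`, state explicitly whether `0` (or `False`) also disables the check and that any enabled value must be an integer. The `Do not enable this in production!` paragraph is the part an operator most needs, and it would be easier to find as the first paragraph of the entry rather than after the resolver details.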
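Review bot: `('wait_for_dns', False)` in the constants.py hunk gives an option documented as an integer count a boolean default; `0` is type-consistent, is still false in an `if api.env.wait_for_dns:` check, and avoids a reader wondering whether `True` is a valid setting.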
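Review bot: the `DNSDataMismatch` docstring in the errors.py hunk says the answer did not arrive "in a configured time limit", but the option is defined as a number of attempts with a fixed one-second delay, so "after the configured number of attempts" would match the man page; also "an DNS query" should be "a DNS query". Since `errno = 4212` is a new public error code, double-check that it does not collide with another class in the 4200 range and that any module-level listing of error codes is updated with it.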
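Review bot: the dns.py hunk adds `import dns.resolver`, but the new module constants use `dns.rdataclass.IN` and `dns.rdatatype.from_text('NS')`, which only work because importing `dns.resolver` happens to load those submodules; import `dns.rdataclass` and `dns.rdatatype` explicitly, and use `dns.rdatatype.NS` so the two constants are defined the same way.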
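The retry-until-visible behaviour the cover letter describes (query again up to N attempts with a fixed delay, then raise a mismatch error carrying the expected and received records), as an added example that is not part of Petr Spacek's patch. The resolver is injected as a function so the example runs offline, and it separates two failure modes that the thread's tracebacks show can be confused: a resolver that keeps returning no usable data (SERVFAIL, timeout) versus one that answers with stale records. The names `wait_for_dns`, `normalize`, `make_lagging_resolver`, `raises` and the two exception classes are this example's own; the project's real `DNSDataMismatch` lives in ipalib.errors and its real loop uses dns.resolver. The RRsets are constructed sample data.

```python
import time
from typing import Callable, Iterable, List, Optional


class DNSDataMismatch(Exception):
    """The answer still differs from the expected data after all attempts.

    Stand-alone counterpart of the error class the patch adds to
    ipalib.errors (constructed here, not the project's class).
    """

    def __init__(self, expected: str, got: str):
        self.expected, self.got = expected, got
        super().__init__(
            "DNS check failed: Expected {%s} got {%s}" % (expected, got))


class DNSTransientError(Exception):
    """Every attempt ended in a resolver failure (SERVFAIL, timeout): we
    never saw data to compare, which is a broken resolver, not sync lag."""


def normalize(rrset: Iterable[str]) -> frozenset:
    """Key for order-independent comparison of presentation-format RRs.

    Owner, class and type are case-insensitive in DNS; rdata is compared
    verbatim, so two NS records in a different order still compare equal.
    """
    key = set()
    for rr in rrset:
        owner, ttl, rclass, rtype, rdata = rr.split(None, 4)
        key.add((owner.lower(), ttl, rclass.upper(), rtype.upper(), rdata))
    return frozenset(key)


def wait_for_dns(query: Callable[[], Optional[List[str]]],
                 expected: List[str], attempts: int,
                 delay: float = 1.0, sleep=time.sleep) -> int:
    """Repeat query() until its answer equals `expected` or attempts run out.

    query() returns the RRs of the answer, or None for a transient failure.
    attempts <= 0 mirrors the option being disabled: return at once.
    Returns the 1-based attempt on which the data matched.
    """
    if attempts <= 0:
        return 0
    want = normalize(expected)
    last_data = None                       # last real (non-transient) answer
    for attempt in range(1, attempts + 1):
        answer = query()
        if answer is not None:
            last_data = answer
            if normalize(answer) == want:
                return attempt
        if attempt < attempts:             # no pause after the final attempt
            sleep(delay)
    if last_data is None:
        raise DNSTransientError("no usable answer in %d attempts" % attempts)
    raise DNSDataMismatch(" ".join(expected), " ".join(last_data))


def make_lagging_resolver(stale: List[str], fresh: List[str],
                          lag: int, servfail_first: int = 0):
    """Constructed stand-in for a resolver behind a slow LDAP-to-DNS sync:
    None (SERVFAIL) for the first `servfail_first` calls, then the stale
    RRset `lag` times, then the fresh RRset from there on."""
    calls = [0]

    def query() -> Optional[List[str]]:
        calls[0] += 1
        if calls[0] <= servfail_first:
            return None
        if calls[0] <= servfail_first + lag:
            return list(stale)
        return list(fresh)
    return query


def raises(exc_type, fn) -> bool:
    """True if fn() raises exc_type; used to exercise the failure paths."""
    try:
        fn()
    except exc_type:
        return True
    return False


def no_sleep(_seconds: float) -> None:
    """Replacement for time.sleep so the demo and checks run instantly."""


STALE = ["zone3.test. 86400 IN A 192.168.1.1"]   # constructed sample data
FRESH = ["zone3.test. 86400 IN A 192.0.2.1"]


def demo() -> int:
    """One SERVFAIL, two stale answers, then fresh: matches on attempt 4."""
    q = make_lagging_resolver(STALE, FRESH, lag=2, servfail_first=1)
    return wait_for_dns(q, FRESH, attempts=5, sleep=no_sleep)


if __name__ == "__main__":
    print("matched on attempt", demo())
```

The comparison is done on a normalized RRset rather than on the raw answer text, because an authoritative server may legitimately return a multi-record RRset (the two NS records in the thread's second traceback) in any order; comparing strings would produce spurious mismatches. Keeping transient failures distinct from mismatches also preserves the distinction the earlier DNSTimeout design tried to make: a mismatch means the sync is slow, a run of SERVFAILs means the resolver or the server is broken.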
Re: [Freeipa-devel] [PATCH 0017] Add wait_for_dns option to default.conf
On 2.4.2014 14:36, Petr Spacek wrote: Hello, Add wait_for_dns option to default.conf. This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol or until timeout. It is intended only for testing. It should prevent tests from failing if there is bigger delay between changes in LDAP and DNS. My personal recommendation is to use value 5 (for testing!). Ah, my hands were faster than head :-) This patch supersedes my patch 0015 and should apply to vanilla master (at the moment). -- Petr^2 Spacek
Re: [Freeipa-devel] [PATCH 0015] Add wait_for_dns option to default.conf
On 28.3.2014 09:43, Martin Kosek wrote: On 03/28/2014 09:37 AM, Petr Viktorin wrote: On 03/27/2014 05:44 PM, Petr Spacek wrote: On 27.3.2014 13:15, Martin Kosek wrote: On 02/20/2014 03:56 PM, Martin Basti wrote: On Thu, 2014-02-20 at 14:36 +0100, Petr Spacek wrote: On 19.2.2014 17:55, Martin Basti wrote: On Wed, 2014-02-19 at 17:10 +0100, Petr Spacek wrote: On 19.2.2014 15:11, Petr Spacek wrote: On 18.2.2014 17:34, Nathaniel McCallum wrote: On Tue, 2014-02-18 at 17:06 +0100, Petr Viktorin wrote: On 02/18/2014 04:45 PM, Petr Spacek wrote: Hello, Add wait_for_dns option to default.conf. This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol. It is intended only for testing - it should prevent tests from failing if there is bigger delay between change in LDAP and DNS. I would recommend value like 10 seconds. Here are a few Python nitpicks you requested. Thank you very much. This new version solves problems you found + adds proper handling for real DNS timeouts. It seems to me like a more general TimeoutError would be useful in a broader context. DNSTimeout seems overly narrow to me, unless I'm missing something. I would like to keep them separate. DNSTimeout shouldn't be handled at all because it means that your DNS server or database is dead or broken in some interesting way. I assume that generic TimeoutError could be interpreted as 'try it again'/'failover' or something like that. Maybe the DNSTimeout is not the best name, I'm open to suggestions. I have sent the old version with new name, gggrrr. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Tests failed: test_dns[92]: dnsrecord_add: Add A record to u'ns2' in zone u'zone3.test' ... 
ok File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in lambda func = lambda: self.check(nice, **test) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in check self.check_output(nice, cmd, args, options, expected, extra_check) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in check_output got = api.Command[cmd](*args, **options) File /root/freeipa/ipalib/frontend.py, line 436, in __call__ ret = self.run(*args, **options) File /root/freeipa/ipalib/frontend.py, line 761, in run return self.forward(*args, **options) File /root/freeipa/ipalib/frontend.py, line 782, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File /root/freeipa/ipalib/rpc.py, line 836, in forward return self._call_command(command, params) File /root/freeipa/ipalib/rpc.py, line 813, in _call_command return command(*params) File /root/freeipa/ipalib/rpc.py, line 951, in _call return self.__request(name, args) File /root/freeipa/ipalib/rpc.py, line 945, in __request raise error_class(message=error['message']) DNSTimeout: DNS query timeout: Expected {_kerberos.zone2.test. 
86400 IN TXT IDM.LAB.ENG.BRQ.REDHAT.COM} got {SERVFAIL} == ERROR: test_dns[51]: dnsrecord_add: Add NS+DNAME record to u'zone2.test' zone record using dnsrecord_add -- Traceback (most recent call last): File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in runTest self.test(*self.arg) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 291, in lambda func = lambda: self.check(nice, **test) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 309, in check self.check_output(nice, cmd, args, options, expected, extra_check) File /root/freeipa/ipatests/test_xmlrpc/xmlrpc_test.py, line 348, in check_output got = api.Command[cmd](*args, **options) File /root/freeipa/ipalib/frontend.py, line 436, in __call__ ret = self.run(*args, **options) File /root/freeipa/ipalib/frontend.py, line 761, in run return self.forward(*args, **options) File /root/freeipa/ipalib/frontend.py, line 782, in forward return self.Backend.rpcclient.forward(self.name, *args, **kw) File /root/freeipa/ipalib/rpc.py, line 836, in forward return self._call_command(command, params) File /root/freeipa/ipalib/rpc.py, line 813, in _call_command return command(*params) File /root/freeipa/ipalib/rpc.py, line 951, in _call return self.__request(name, args) File /root/freeipa/ipalib/rpc.py, line 945, in __request raise error_class(message=error['message']) DNSTimeout: DNS query timeout: Expected {zone2.test. 86400 IN NS ns1.dnszone.test. zone2.test. 86400 IN NS ns1.zone2.test.} got {SERVFAIL}
Re: [Freeipa-devel] [PATCH 0001] Add basic trust and legacy client integration tests
On 04/02/2014 01:34 PM, Tomas Babej wrote: Hi, this adds basic trust and legacy client integration tests to our Jenkins jobs repo. Thanks! Pushed to master at https://github.com/encukou/freeipa-ci -- Petr³
Re: [Freeipa-devel] [PATCH] 565-568 webui: field and widget binding refactoring
On Thu, 27 Mar 2014 16:07:55 +0100 Petr Vobornik pvobo...@redhat.com wrote: The last refactoring I did while implementing RCUE login or more precisely support for standalone facets which have forms but are not details facets. [PATCH] webui: field and widget binding refactoring This is a Web UI wide change. Fields and Widgets binding was refactored to enable proper two-way binding between them. This should allow to have one source of truth (field) for multiple consumers - widgets or something else. One of the goal is to have fields and widget implementations independent on each other. So that one could use a widget without field or use one field for multiple widgets, etc.. Basically a fields logic was split into separate components: - adapters - parsers formatters - binder Adapters - extract data from data source (FreeIPA RPC command result) - prepares them for commands. Parsers - parse extracted data to format expected by field - parse widget value to format expected by field Formatters - format field value to format suitable for widgets - format field value to format suitable for adapter Binder - is a communication bridge between field and widget - listens to field's and widget's events and call appropriate methods Some side benefits: - better validation reporting in multivalued widget [PATCH] webui: replace widget's hidden property with visible Hidden was used only in ACI. There is no reason to have two properties which are negations of each other. [PATCH] webui: change widget updated event into value change event This change allow us to use proper two way binding between a field and a widget. In previous implementation field was not changed if something changed the value of a widget in 'update'. Now listeners are notified when the widget value is changed by: calling 'update', 'set_value' or by user change. 
[PATCH] webui-tests: binding test suite Add basic tests for two-way binding between a field and two widgets Integration tests and unit tests ran as expected, looking through the code, and manually testing it confirmed that, so ACK Greets Adam
Re: [Freeipa-devel] [PATCHES] 241-253 CA certificate renewal
Jan Cholasta wrote: Hi, the attached patches implement automatic CA certificate renewal as well as the initial version of the CA certificate management tool. Requires my patches 172-196. In order to test, you must install current git version of certmonger (see https://fedorahosted.org/certmonger/ticket/26) and set SELinux to permissive (see https://bugzilla.redhat.com/show_bug.cgi?id=1078783). Make sure you install certmonger before running ipa-server-install/ipa-replica-install. On F20 you can use RPMs located at http://jcholast.fedorapeople.org/certmonger-git/. To test automatic renewal, move system time forward (see https://fedorahosted.org/freeipa/ticket/2803#comment:17 for more info about certificate renewal testing, nickname of the CA certificate is caSigningCert cert-pki-ca). In CA-full installs the renewal should be fully automatic, in CA-less installs you should be alerted via syslog to renew the certificate using ipa-cacert-manage. To test manual renewal, run ipa-cacert-manage renew. You can run it on any CA master. To make the renewed certificate available on other CA masters, you must run getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' on each of them. Note that currently you can't change the chaining of the CA certificate. 241 Not to be too anal, but would it be too outlandish to compare the Authority Key Identifier (if there is one) with the Subject Key ID to see if the cert is self-signed? Same subject then yeah, it is probably self-signed. The keys match? Definitely. 242 I wonder if it would be clearer to use variables instead of a raw list in the return value for these handlers: (result, message) = handler(...) rather than examining result[0], etc. That may be beyond the scope of this patch though. x509.normalize_certificate() can raise an exception, there should be a try/except around it. For an invalid cookie, please include the values seen in the environment in the error message. 
243 You are going to end up with a lot of acis with the same comment value. Perhaps add the host in there as well. These are not removed when a master is deleted. 244 There are now several different places where the caCertificate value is updated. I wonder if it's time for a function. I found it in dsinstance.py, upload_cacert and now renew_ca_cert. 246 caRenewalMaster should be checked when a replica is deleted and moved to another master. This is a good idea. I wonder if a ticket should be opened to do something similar for CRL generation. 247 We've been burned by hardcoded timeouts in the past. Should this be configurable? This module doesn't currently do any logging but it might be worth spitting out a waiting message, at least for debugging. 249 nss_init() is always scary to me since we can only have one. I didn't see anything blow up, just wondering if this should be wrapped with an is_initialized()-shutdown() at the top. The find_cert_from_nickname() should be in a try/except in case the cert is not found for some reason. 251 The tool should provide some feedback while it's running. For the impatient (me) it takes a really long time and it's hard to know what is going on, something in between nothing and full debug output. The man page needs some more work too. I think some more explanation is needed and an example would probably be really helpful as well. I think particularly an example for external certs and a description of what you mean by Self-signed CA (I assume you mean IPA-provided). I don't think it really matters how many steps there are unless you are going to provide progress output. 
Got a backtrace when running as non-root: $ ipa-cacert-manage -v renew ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 168, in execute self.validate_options() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py, line 62, in validate_options super(CACertManage, self).validate_options(needs_root=True) File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 189, in validate_options raise ScriptError('Must be root to run %s' % self.command_name, 1) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Must be root to run ipa-cacert-manage ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Must be root to run ipa-cacert-manage 252 In what context would this be executing? My guess is that certmonger is trying to do the renewal but a new cert hasn't been issued yet, so this gets sysloged? Still doing functional testing. rob