[Freeipa-devel] [PATCH] 947 webui: use API call ca_is_enabled instead of enable_ra env variable.

2016-01-20 Thread Petr Vobornik

To be consistent with backend code.

https://fedorahosted.org/freeipa/ticket/5622
--
Petr Vobornik
From 083644a9203745fe5e0a51647b076b4a42e38e5c Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 20 Jan 2016 19:00:33 +0100
Subject: [PATCH] webui: use API call ca_is_enabled instead of enable_ra env
 variable.

To be consistent with backend code.

https://fedorahosted.org/freeipa/ticket/5622
---
 install/ui/src/freeipa/certificate.js | 2 +-
 install/ui/src/freeipa/ipa.js | 8 
 install/ui/test/data/ipa_init.json| 6 ++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index 93f3cfc68a95bfb8014aaf96d1b571568ac605dc..5d50a25571f0669250927895ebe52fbf4aad0584 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -592,7 +592,7 @@ IPA.cert.load_policy = function(spec) {
 };
 
 IPA.cert.is_enabled = function() {
-return !!IPA.env.enable_ra;
+return !!IPA.ca_enabled;
 };
 
 IPA.cert.view_action = function(spec) {
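Review bot: `return !!IPA.ca_enabled;` turns an unset property into "CA disabled": any caller of `IPA.cert.is_enabled()` that runs before the init batch in ipa.js has completed, or after its `ca`/`is_enabled` command failed, silently gets `false` and hides the certificate actions instead of signalling that the check never happened. Initialising the property explicitly with a comment that it is populated asynchronously (for example `that.ca_enabled = false; // set by ca/is_enabled in the init batch`) would make that window visible to the next reader.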
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 23efd6916cdaa76973491a5741f0800caa186fee..29af4048740894c6d46b5419a941e2a48cd68775 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -232,6 +232,14 @@ var IPA = function () {
 }
 }));
 
+batch.add_command(rpc.command({
+entity: 'ca',
+method: 'is_enabled',
+on_success: function(data, text_status, xhr) {
+that.ca_enabled = data.result;
+}
+}));
+
 batch.execute();
 };
 
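Review bot: the new batch command has an `on_success` but no `on_error` handler, so if the `ca`/`is_enabled` call fails (an older server without the command, or a transport error) `that.ca_enabled` is never assigned and the UI cannot distinguish "CA disabled" from "check failed". Suggest adding an `on_error` that records the failure, and assigning `data.result` only after checking it is a boolean, which is the shape the updated test fixture uses (`"result": true`).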
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 310eef1055a19dd40f8221c2967b09773595b80b..129ce4e26e7e6bdc2fac039e3628f608eaf4509f 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -971,6 +971,12 @@
 {
 "error": null,
 "result": 1
+},
+{
+"error": null,
+"result": true,
+"summary": null,
+"value": null
 }
 ]
 }
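Review bot: this fixture entry is paired with the new `ca`/`is_enabled` batch command by position only (it is appended as the last element of the batch result array), so reordering the commands in the init batch in ipa.js would silently hand the wrong result to `ca_enabled`. Since JSON cannot carry a comment, a test assertion naming which command each trailing entry belongs to would make the coupling explicit; also, the neighbouring entry carries only `error` and `result` while this one adds `summary` and `value`, so it is worth confirming that both shapes are accepted by the code that consumes the batch.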
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Freeipa-users] IE10 Dialogs close on Enter keypress

2016-01-20 Thread Petr Vobornik

On 01/07/2016 06:11 AM, Jim Groffen wrote:

Hello,

I found that when running FreeIPA Web UI on IE10 that modal dialogs close
when enter is pressed. Normal functionality is to 'submit' the dialog on an
enter keypress.

I found a solution by adding a type="button" attribute to the close button
of the dialog (in /install/ui/src/freeipa/dialog.js).

I have tested on recent Chrome, IE and Firefox versions as well as on IE10.
Seems to be no side-effects.

Attached is a patch showing the change I made. Apologies if the patch isn't
formatted correctly.

Regards,

Jim G



Thanks for the patch. Looks good - ACK

was pushed to master branch

https://fedorahosted.org/freeipa/changeset/f5f5c8c603e95d246d2cde92f56959fedba4666d
--
Petr Vobornik



[Freeipa-devel] [PATCH] 946 webui: fixed showing of success message after password change on login

2016-01-20 Thread Petr Vobornik

similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567

Root cause is that binding triggers validation, which clears messages in
the validation summary. Maybe it could be refactored in the future to not
use the same validation summary field for API calls and fields.

If you think it is actually ticket #5567 (could be, from some point of
view) then feel free to push it also to the 4.2 and 4.3 branches.

--
Petr Vobornik
From 62728373e83265916abc6ad88aba9d3fb0bfa97f Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 20 Jan 2016 18:33:21 +0100
Subject: [PATCH] webui: fixed showing of success message after password change
 on login

similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567

Root cause is that binding triggers validation, which clears messages in
the validation summary. Maybe it could be refactored in the future to not
use the same validation summary field for API calls and fields.
---
 install/ui/src/freeipa/widgets/LoginScreen.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 2c778b50cfb10bfa8eef25c5456c6ce913e02695..17f891e0ee1d200eb4c9aa881dafcac5fc2c86da 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -262,7 +262,6 @@ define(['dojo/_base/declare',
 otp);
 
 if (result.status === 'ok') {
-val_summary.add_success('login', this.password_change_complete);
 psw_f.set_value('');
 psw_f2.set_value('');
 // do not login if otp is used because it will fail (reuse of OTP)
@@ -270,6 +269,7 @@ define(['dojo/_base/declare',
 psw_f.set_value(new_f.get_value());
 this.login();
 }
+val_summary.add_success('login', this.password_change_complete);
 this.set('view', 'login');
 } else {
 otp_f.set_value('');
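Review bot: `val_summary.add_success(...)` is now called after the `if (otp ...)` branch that may call `this.login()`, which is the intent of the fix (the commit message says binding/validation clears the summary), but the fix holds only while `login()` finishes its validation synchronously before returning; if `login()` ever becomes asynchronous the message would be cleared again. A one-line comment above the moved call saying that it must stay after `login()` and the password field resets for that reason would protect the fix from the later refactor the commit message itself anticipates.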
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] Fixed login error message box in LoginScreen page

2016-01-20 Thread Petr Vobornik

On 01/20/2016 08:30 AM, Abhijeet Kasurde wrote:

Ping for review request.

On 12/28/2015 12:36 PM, Abhijeet Kasurde wrote:

Hi All,

Please review patches attached.


ACK

Pushed to:
master: d9983d8ec651166801cd9fac54378bdd527398a4
ipa-4-2: fc2a4d5366982e8103348293fb75c6b3099b1fbd
ipa-4-3: 9f7146e98e53aef868a10ee2d8df4264d43dda63



Thanks,
Abhijeet Kasurde

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0022] topology plugin prevents deletes but does not prevent moddn

2016-01-20 Thread Martin Basti



On 11.12.2015 13:56, Ludwig Krispenz wrote:

Ticket: https://fedorahosted.org/freeipa/ticket/5536

Patch attached.



Patch works, I cannot move entry out of container via moddn operation.


I have question, is it expected to be able rename entry?
I tried it and I was able to change RDN

#!RESULT OK
#!CONNECTION ldap://vm-058-138.abc.idm.lab.eng.brq.redhat.com:636
#!DATE 2016-01-20T16:28:18.702
dn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab.eng
 .brq.redhat.com,cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,
 dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
changetype: moddn
newrdn: cn=vm-058-137.abc.idm.lab.eng.brq.redhat.com-to-vm-058-138.abc.idm.lab
 .eng.brq.redhat
deleteoldrdn: 1
newsuperior: cn=domain,cn=topology,cn=ipa,cn=etc,dc=dom-138,dc=abc,dc=idm,dc=l
 ab,dc=eng,dc=brq,dc=redhat,dc=com

Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-20 Thread Simo Sorce
On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote:
> On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> > On 01/15/2016 04:57 PM, Simo Sorce wrote:
> >> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> >>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
>  On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> > On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>  https://fedorahosted.org/freeipa/ticket/5584
> 
> >>> And the patch is here.
> >>>
> >>>
> >>>
> >> self-NACK, there may be a better way to handle this. I will do some
> >> investigation and send updated patch.
> >>
> > Attaching updated patch.
> 
>  A failure to obtain a tgt may be due to other reasons (for example the
>  KDC crashed), why are you trying to use this test ?
>  Isn't it sufficient to see there is no host entry in the directory ?
> 
>  Simo.
> 
> >>> There were some corner cases I encountered, mostly concerning a cleanup
> >>> after unsuccessful replica promotion.
> >>>
> >>> You may sometimes end up in a state where local DS is working, but KDC
> >>> crashed and the krb5.conf is still pointing at a remote one. In that
> >>> case "malformed" replica's local host entry exist, but when such host
> >>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
> >>>
> >>> However, if the admin had in the mean time cleaned up this host's
> >>> kerberos principals/keys, the crashed replica gets one of the following
> >>> errors:
> >>>
> >>> Client not found in Kerberos database
> >>> Client credentials have been revoked
> >>> Generic preauthentication failure
> >>>
> >>> These were printed out as errors during uninstall, but were actually
> >>> expected in situation like this. It is true that the code should check
> >>> and ignore these specific errors.
> >>
> >> Only the first id valid for your case, the others may be transient
> >> errors.
> >>
> >> Simo.
> >>
> >>
> > True, attaching updated patch. The other errors will now pop out in the
> > output and the warning will be displayed.
> >
> >
> >
> Bump for review.
> 

LGTM
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
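One way to express the rule the thread above settles on, as an added example in Python (this is not Martin's patch or FreeIPA code): of the three kinit errors quoted in the thread, only "Client not found in Kerberos database" is taken as proof that the host principal is gone; the other two, and anything else, keep the host treated as enrolled and are surfaced as a warning, since a crashed or unreachable KDC produces a failed TGT request too. The kinit stderr lines used below are constructed samples and the function names are my own.

```python
"""Classify a failed host TGT request during replica cleanup (added example)."""
import re

# The one message that proves the KDC no longer has the host principal.
PRINCIPAL_GONE = "Client not found in Kerberos database"

# Also seen during cleanup (quoted in the thread) but possibly transient.
POSSIBLY_TRANSIENT = (
    "Client credentials have been revoked",
    "Generic preauthentication failure",
)

# kinit prints: "kinit: <libkrb5 message> while <what it was doing>"
KINIT_LINE = re.compile(r"^kinit: (?P<msg>.*?)(?: while (?P<ctx>.*))?$")


def kinit_error_message(stderr):
    """Return the libkrb5 error text from kinit's stderr, or the raw text."""
    for line in stderr.splitlines():
        m = KINIT_LINE.match(line.strip())
        if m:
            return m.group("msg")
    return stderr.strip()


def classify_kinit_failure(stderr):
    """'removed' (principal gone), 'transient' (retry-worthy) or 'unknown'."""
    msg = kinit_error_message(stderr)
    if msg == PRINCIPAL_GONE:
        return "removed"
    if msg in POSSIBLY_TRANSIENT:
        return "transient"
    return "unknown"


def host_still_enrolled(returncode, stderr):
    """Decide whether this host should still be treated as an IPA master.

    Returns (enrolled, warning).  Success means enrolled.  A definitive
    'client not found' means the principal was cleaned up, so the host is
    considered removed and no warning is needed.  Any other failure keeps
    the host enrolled and returns a warning text for the uninstaller to
    print, because a crashed or unreachable KDC looks the same to kinit.
    """
    if returncode == 0:
        return True, None
    kind = classify_kinit_failure(stderr)
    if kind == "removed":
        return False, None
    return True, "kinit failed (%s): %s" % (kind, kinit_error_message(stderr))


if __name__ == "__main__":
    # Constructed sample of kinit's stderr for the definitive case.
    sample = ("kinit: Client not found in Kerberos database "
              "while getting initial credentials\n")
    print(host_still_enrolled(1, sample))
```

The caller feeds `host_still_enrolled` the exit status and stderr of the TGT request; a `(False, None)` result is the only case where the cleanup may proceed quietly, everything else prints the warning and leaves the topology entry alone.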



Re: [Freeipa-devel] [PATCH 0407] WIP: make-lint migration to config file and pylint plugin due pylint 1.5.2

2016-01-20 Thread Jan Cholasta

Hi,

On 19.1.2016 13:43, Martin Basti wrote:

The new pylint version will break our custom make-lint script again;
the attached patch migrates make-lint to:
* config file
* pylint plugin
which are supported by pylint and should not have regular compatibility
issues.

to test new approach run ./make-lint2

Advantages:
* compatibility with pylint
* works on both pylint-1.4.3-3.fc23.noarch and pylint-1.5.2-1.fc24.noarch
* pylint plugin works in a different way than the previous custom checker.
Missing ("dynamic") attributes are added to the abstract syntax tree instead
of ignoring them and all their sub-members. This makes the check better:
pylint can detect more typos in test configurations, api, env, etc.

Disadvantages:
* any new attribute in api, test config, etc.. must be added to
definition of missing members (pylint plugin) - this should not happen
too often


1) Please "mv pylint_plugins/fix_ipa_members.py pylint_plugins.py" and 
"rm -rf pylint_plugins/", no need for this redundant directory structure.


2) Rename pylintrc to freeipa.pylintrc so you have to always specify it 
explicitly with --rcfile.


3) Use the load-plugins directive in freeipa.pylintrc to load the 
plugins rather than --load-plugins.


4) Instead of running pylint twice, run it only once with both normal 
and Python 3 checks enabled:


[MESSAGE CONTROL]
enable=all,python3
disable=...,no-absolute-import




Q&TODO:
* make-lint: should it be just bash script or rather python script?


IMO neither, it should be a make target (make lint).


* add dynamic detection of python files to be checked


You can use "find . -type f -executable ! -path \*/.\* ! -name \*.py\* -exec grep -lsm1 '^#!.*\bpython' \{\} \;".



* should I keep the current options from original make-lint?


No, but allow pylint options to be overridable (make lint 
PYLINTFLAGS="--disable=python3")



* several false positive errors I haven't been able to fix in plugin
yet, in worst case they can be locally disabled:


Disable them locally.

Honza

--
Jan Cholasta
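The script discovery and single-invocation approach suggested in the review above, as an added example in Python (not FreeIPA's make-lint, the patch under review, or the find command itself). It reproduces the find(1) expression from the review (executable files, not under dot-directories, not named *.py*, first line a python shebang) and builds one pylint command driven by an rcfile, with an overridable flag list standing in for the PYLINTFLAGS idea. The rcfile name `freeipa.pylintrc`, the `extra_flags` parameter and the fixture files built in `demo()` are assumptions, not project files.

```python
"""Discover Python scripts by shebang and build a single pylint run (added example)."""
import os
import re
import shutil
import tempfile

# Same test as grep -lsm1 '^#!.*\bpython', applied to the first line only.
PYTHON_SHEBANG = re.compile(rb"^#!.*\bpython")


def is_python_script(path):
    """True for executable regular files whose first line is a python shebang."""
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        return False
    with open(path, "rb") as f:
        first_line = f.readline(256)
    return PYTHON_SHEBANG.match(first_line) is not None


def find_python_scripts(root):
    """Paths (relative to root) of scripts pylint would not find on its own.

    Mirrors: find . -type f -executable ! -path '*/.*' ! -name '*.py*'
    Files named *.py* are skipped because pylint reaches them via packages.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune dot-directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for name in filenames:
            if name.startswith(".") or ".py" in name:
                continue
            path = os.path.join(dirpath, name)
            if is_python_script(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def pylint_command(root, packages=(), rcfile="freeipa.pylintrc", extra_flags=()):
    """One pylint invocation: the rcfile (assumed name) carries load-plugins
    and the python3 checks; extra_flags lets a caller override them, e.g.
    --disable=python3, the way a PYLINTFLAGS make variable would."""
    cmd = ["pylint", "--rcfile=" + rcfile]
    cmd.extend(extra_flags)
    cmd.extend(packages)
    cmd.extend(find_python_scripts(root))
    return cmd


def demo():
    """Build a constructed source tree in a temp dir and return what is found."""
    root = tempfile.mkdtemp()
    try:
        # relative path -> (first line, executable?)  (constructed fixture)
        fixture = {
            "make-lint2": (b"#!/usr/bin/python2\n", True),            # found
            "bin/ipa-tool": (b"#!/usr/bin/env python\n", True),       # found
            "bin/notes": (b"#!/usr/bin/python\n", False),             # not executable
            "bin/run.sh": (b"#!/bin/sh\n", True),                      # not python
            ".git/hooks/pre-commit": (b"#!/usr/bin/python\n", True),  # dot directory
            "ipalib/cli.py": (b"#!/usr/bin/python\n", True),          # *.py* excluded
        }
        for rel, (first_line, executable) in fixture.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(first_line + b"pass\n")
            if executable:
                os.chmod(path, 0o755)
        return find_python_scripts(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    print(pylint_command(".", packages=["ipalib"], extra_flags=["--disable=python3"]))
```

A `make lint` target would call `pylint_command` (or the equivalent shell) once, with the package list and the discovered scripts on the same command line, so that the python3 checks and the ordinary checks run in a single pylint process as item 4 of the review asks.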



Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver

2016-01-20 Thread Martin Basti



On 13.01.2016 16:13, Martin Basti wrote:



On 13.01.2016 16:03, Simo Sorce wrote:

On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:

On 13.01.2016 15:31, Martin Babinsky wrote:

On 01/13/2016 03:30 PM, Simo Sorce wrote:

On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:

On 01/05/2016 11:19 PM, Simo Sorce wrote:

On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:

The LDAP context was not checked on the first api call and a
context may
be null on some error conditions (LDAP server unreachable).

Always check that we have a valid context before calling the ldap
API.

Builds but it is untested.

Forgot to mention that this bug affects all 4.x versions and should
probably be backported on all maintained branches.

I opened a bug to track it too:
https://fedorahosted.org/freeipa/ticket/5577

Simo.


ACK. Please include the ticket URL in the commit message.


Could you add it when pushing ?

Unless you need some other change in the patch it will be less churn
that way.

Simo.


Yes we could. I didn't realize that, sorry for the noise.


I do not know where to push it, ticket is still in needs triage, it has
not been decided where it should go.

It definitely goes in master. You can push elsewhere as well later.

Simo.


Pushed to master: 2144b1eeb789639b8a3df287b580aeb6196188a8


Backported to ipa-4-3
Pushed to ipa-4-3: d622c71820809820a6c9bc206914e3e79249006a




Re: [Freeipa-devel] [PATCH] 945 webui: display server suffixes in server search page

2016-01-20 Thread Martin Basti



On 20.01.2016 08:21, Martin Babinsky wrote:

On 01/19/2016 06:32 PM, Petr Vobornik wrote:

[PATCH] webui: display server suffixes in server search page

There was a change where suffixes in server are no longer returned as
DNs but rather as the cn of the related topology suffix, i.e. they share
the "memberof" logic. This caused the search page not to get the data
because it uses the "no_member: true" option by default.

This patch overrides the behavior because it is OK for server search
page to fetch also member data - it is not so costly as e.g. in users.

https://fedorahosted.org/freeipa/ticket/5609



ACK


Pushed to:
master: 133b1327e2c6f78a2f8a6f482dbc9f6f66aace11
ipa-4-3: 5bf43edf19b69c1883aa3d55bf6e209f816fb3c1



Re: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf

2016-01-20 Thread Martin Basti



On 20.01.2016 12:33, Christian Heimes wrote:

On 2016-01-20 12:15, Abhijeet Kasurde wrote:

Hi Christian,

On 01/20/2016 04:15 PM, Christian Heimes wrote:

On 2016-01-20 08:30, Abhijeet Kasurde wrote:

Ping for review request.

Hi,

your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.

Christian



Please find the patches for review.

ACK






Pushed to master: e381d763fa99df80c326b7fa63469d3380b7f08e

I didn't push it to ipa-4-2, ipa-4-3 because ticket is targeted to 
master only

Re: [Freeipa-devel] [PATCH 537] ipapython: port p11helper C code to Python

2016-01-20 Thread Martin Basti



On 19.01.2016 11:43, Jan Cholasta wrote:

On 12.1.2016 16:06, Martin Basti wrote:



On 12.01.2016 14:44, Jan Cholasta wrote:

On 12.1.2016 13:32, Martin Basti wrote:



On 12.01.2016 12:24, Jan Cholasta wrote:

On 12.1.2016 12:17, Martin Basti wrote:



On 12.01.2016 10:19, Jan Cholasta wrote:

On 12.1.2016 09:32, Martin Basti wrote:



On 07.01.2016 14:13, Jan Cholasta wrote:

On 7.1.2016 09:50, Jan Cholasta wrote:

Hi,

the attached patch ports the _ipap11helper module to python-cffi.

Combined with my patch 536 [1], this makes ipapython architecture
independent.


Updated patch attached.




I tried to run DNSSEC tests and it failed unexpectedly:

Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: Connected
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in LDAP: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0xd8538e634797420ca86cda420234443c'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: replica pub keys in SoftHSM: set(['0x51df7c70b9869a7dd2bbd27335dba3f8', '0x1f7241a64d69ced6c0a14f6999410c59'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: new replica keys in LDAP: set(['0xd8538e634797420ca86cda420234443c'])
Jan 12 08:28:06 master.ipa.test /usr/libexec/ipa/ipa-ods-exporter[8667]: label=dnssec-replica:replica1.ipa.test., id=d8538e634797420ca86cda420234443c, data=30820122300d06092a864886f70d01010105
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: Traceback (most recent call last):
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 664, in 
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/libexec/ipa/ipa-ods-exporter", line 313, in ldap2master_replica_keys_sync
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/localhsm.py", line 173, in import_public_key
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: h = self.p11.import_public_key(**params)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1498, in import_public_key
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: pkey = d2i_PUBKEY(NULL, data_ptr, data_length)
Jan 12 08:28:06 master.ipa.test ipa-ods-exporter[8667]: TypeError: 'int(*)(EVP_PKEY *, unsigned char * *)' expects 2 arguments, got 3
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Unit entered failed state.
Jan 12 08:28:06 master.ipa.test systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.

I haven't seen any other errors


Updated patch attached. Added a patch which replaces calls to
libcrypto with calls to python-cryptography.



[ipa.ipatests.test_integration.host.Host.master.cmd10] Done configuring DNS (named).
[ipa.ipatests.test_integration.host.Host.master.cmd10] Configuring DNS key synchronization service (ipa-dnskeysyncd)
[ipa.ipatests.test_integration.host.Host.master.cmd10] [1/7]: checking status
[ipa.ipatests.test_integration.host.Host.master.cmd10] [2/7]: setting up bind-dyndb-ldap working directory
[ipa.ipatests.test_integration.host.Host.master.cmd10] [3/7]: setting up kerberos principal
[ipa.ipatests.test_integration.host.Host.master.cmd10] [4/7]: setting up SoftHSM
[ipa.ipatests.test_integration.host.Host.master.cmd10] [5/7]: adding DNSSEC containers
[ipa.ipatests.test_integration.host.Host.master.cmd10] [6/7]: creating replica keys
[ipa.ipatests.test_integration.host.Host.master.cmd10] [error] Error: export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed
[ipa.ipatests.test_integration.host.Host.master.cmd10] ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
[ipa.ipatests.test_integration.host.Host.master.cmd10] Exit code: 1

ipa-server-install.log

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 436, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 342, in __setup_replica_keys
    public_key_blob = p11.export_public_key(public_key_handle)
  File "/usr/lib/python2.7/site-packages/ipapython/p11helper.py", line 1275, in export_public_key
    return self._export_RSA_public_key(object)
  File "/usr/lib/python2.7/site-packages/ipapython/p11he

Re: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf

2016-01-20 Thread Christian Heimes
On 2016-01-20 12:15, Abhijeet Kasurde wrote:
> Hi Christian,
> 
> On 01/20/2016 04:15 PM, Christian Heimes wrote:
>> On 2016-01-20 08:30, Abhijeet Kasurde wrote:
>>> Ping for review request.
>> Hi,
>>
>> your initial patch has a small problem. Please provide a new patch with
>> port 464 instead of 749.
>>
>> Christian
>>
>>
> Please find the patches for review.

ACK






Re: [Freeipa-devel] [PATCH] 944 spec: do not require arch specific ipalib package from noarch packages

2016-01-20 Thread Jan Cholasta

On 19.1.2016 18:55, Petr Vobornik wrote:

noarch packages should not contain:
   Requires: some-package-{?_isa}

because then they are not the same for each arch - are not noarch

https://fedorahosted.org/freeipa/ticket/5568


Thanks, ACK.

Pushed to:
master: 3aef54d0c2b5a6fcb305e71530a850fedbb84cf8
ipa-4-3: 84bcdf27600e5eee10d230c7ea96b10aa064ff90

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf

2016-01-20 Thread Abhijeet Kasurde

Hi Christian,

On 01/20/2016 04:15 PM, Christian Heimes wrote:

On 2016-01-20 08:30, Abhijeet Kasurde wrote:

Ping for review request.

Hi,

your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.

Christian



Please find the patches for review.

Thanks,
Abhijeet
From bfb646e2a77151bd0fcfd61d50e23afb04266581 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 21 Dec 2015 12:03:10 +0530
Subject: [PATCH] Added kpasswd_server directive in client krb5.conf

While configuring an IPA client, ipa-client-install can configure
kpasswd_server explicitly using a directive in the client's krb5.conf

https://fedorahosted.org/freeipa/ticket/5547

Signed-off-by: Abhijeet Kasurde 
---
 ipa-client/ipa-install/ipa-client-install | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..443a4429f45e6c3f572d4f21a795549c0257 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1106,6 +1106,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
 kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
 kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)})
+kropts.append({'name': 'kpasswd_server',
+   'type': 'option',
+   'value': ipautil.format_netloc(server, 464)
+  })
 kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain})
 kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:%s' % CACERT})
 ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}]
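Review bot: the new entry uses a different dict style (`'name': 'kpasswd_server'` with spaces after the colons, spread over four lines) from the surrounding single-line `{'name':'kdc', ...}` entries; matching the local style keeps the block uniform and greppable. On the substance, port 464 is the IANA-registered kpasswd port (RFC 3244), which resolves the earlier review comment about 749 (the kadmin port already used for `admin_server`). Since MIT krb5 falls back to port 464 on the `admin_server` host when `kpasswd_server` is absent, a sentence in the commit message on why an explicit entry is wanted would help readers understand what behaviour changes for clients.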
-- 
2.4.3

From ace7705e73e0af67253d0484d7dad2f7f1fa4e77 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 21 Dec 2015 12:11:31 +0530
Subject: [PATCH] Added kpasswd_server directive in client krb5.conf

While configuring an IPA client, ipa-client-install can configure
kpasswd_server explicitly using a directive in the client's krb5.conf

https://fedorahosted.org/freeipa/ticket/5547

Signed-off-by: Abhijeet Kasurde 
---
 ipa-client/ipa-install/ipa-client-install | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 789ff591591673744ee3b922e5c0181233ad553c..14d1dc98a23fed8ffe147c0c03711e7d7467edef 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1103,6 +1103,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
 kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
 kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)})
 kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)})
+kropts.append({'name': 'kpasswd_server',
+   'type': 'option',
+   'value': ipautil.format_netloc(server, 464)
+  })
 kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain})
 kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:%s' % CACERT})
 ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}]
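Review bot: this hunk is byte-for-byte the same change as the first attached patch (only the parent commit in the `index` line and the hunk offset, 1103 versus 1106, differ), so the two attachments are one change rebased twice; only one should be applied, otherwise the second will fail to apply or, if forced, duplicate the `kpasswd_server` entry.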
-- 
2.4.3


Re: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k

2016-01-20 Thread Jan Cholasta

On 20.1.2016 10:15, Petr Viktorin wrote:

On 01/19/2016 04:52 PM, Jan Cholasta wrote:

On 19.1.2016 13:45, Petr Viktorin wrote:

[...]

Otherwise LGTM, including patch 758.


Attaching updated patches, with the py3k check as default squashed in.
I also added a pylint exception for a new use of reload() in 0756.
One more thing I did was disable pylint's long and uninteresting report,
so now only the messages are shown.


Thanks, ACK.

Could you please rebase the patches on top of ipa-4-3 so I can push them?


Oh, they're going into an earlier release as well?


Yes, unless you want to wait for 4.4 / Fedora 25.

I filed a ticket for this: .



Here is a patchset for ipa-4-3.


Thanks.

Pushed to:
master: 5d8221478729db1b8c1c064e64ac4d18983ae98d
ipa-4-3: b301aea7ca3e9bd33c3a02c00cccbf2dd3da9e65

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0029] Move user/group constants for PKI and DS into ipaplatform

2016-01-20 Thread Christian Heimes
On 2016-01-20 02:54, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 02:20:27PM +0100, Christian Heimes wrote:
>> ipaplatform.constants has platform specific names for a couple of system
>> users like Apache HTTPD. The user names for PKI_USER, PKI_GROUP, DS_USER
>> and DS_GROUP are defined in other modules. Similar to #5587 the patch my
>> patch moves the constants into the platform module.
>>
>> https://fedorahosted.org/freeipa/ticket/5619
> 
> I see a few remaining cases:
> 
> ipaserver/install/dsinstance.py
> 712:pent = pwd.getpwnam("dirsrv")
> 
> ipatests/test_integration/test_backup_and_restore.py
> 167:self.master.run_command(['userdel', 'dirsrv'])
> 168:self.master.run_command(['userdel', 'pkiuser'])
> 
> ipaplatform/redhat/tasks.py
> 441:if name == 'pkiuser':
> 
> When these are included, ACK.

Good catch!

My new patch takes care of remaining cases.

From ed52b83274c7cb70271264c01d25d9571ed48510 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 19 Jan 2016 14:18:30 +0100
Subject: [PATCH] Move user/group constants for PKI and DS into ipaplatform

https://fedorahosted.org/freeipa/ticket/5619
---
 install/share/copy-schema-to-ca.py   |  8 
 ipaplatform/base/constants.py|  4 
 ipaplatform/redhat/tasks.py  |  5 +++--
 ipaserver/install/cainstance.py  | 15 +++
 ipaserver/install/dogtaginstance.py  |  3 ++-
 ipaserver/install/dsinstance.py  |  7 ---
 ipaserver/install/ipa_backup.py  |  4 ++--
 ipaserver/install/ipa_restore.py | 16 +---
 ipaserver/install/krainstance.py |  8 
 ipaserver/install/krbinstance.py |  4 ++--
 ipaserver/install/server/upgrade.py  |  3 ++-
 ipatests/test_integration/test_backup_and_restore.py |  5 +++--
 12 files changed, 46 insertions(+), 36 deletions(-)

diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py
index 10fd3d740bb60b9506a233a6aea6c6ac98356c18..c2f070aa29b7abf1cb32c46020ae80450cfd5080 100755
--- a/install/share/copy-schema-to-ca.py
+++ b/install/share/copy-schema-to-ca.py
@@ -19,9 +19,9 @@ from hashlib import sha1
 
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipaserver.install.dsinstance import DS_USER, schema_dirname
-from ipaserver.install.cainstance import PKI_USER
+from ipaserver.install.dsinstance import schema_dirname
 from ipalib import api
+from ipaplatform.constants import constants
 
 try:
 from ipaplatform import services
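Review bot: style: the new `from ipaplatform.constants import constants` line is placed below `from ipalib import api` rather than next to the other ipaplatform import (the `try: from ipaplatform import services` block just after it); grouping the two keeps the import order consistent with the rest of the file.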
@@ -52,8 +52,8 @@ def _sha1_file(filename):
 def add_ca_schema():
 """Copy IPA schema files into the CA DS instance
 """
-pki_pent = pwd.getpwnam(PKI_USER)
-ds_pent = pwd.getpwnam(DS_USER)
+pki_pent = pwd.getpwnam(constants.PKI_USER)
+ds_pent = pwd.getpwnam(constants.DS_USER)
 for schema_fname in SCHEMA_FILENAMES:
 source_fname = os.path.join(ipautil.SHARE_DIR, schema_fname)
 target_fname = os.path.join(schema_dirname(SERVERID), schema_fname)
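Review bot: behaviour is unchanged here, but now that `constants.PKI_USER` and `constants.DS_USER` can differ per platform, the bare `KeyError` that `pwd.getpwnam` raises for a missing account becomes harder to interpret; catching it and re-raising with the looked-up user name in the message would make a platform misconfiguration self-explanatory.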
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 50f8a3ed140aca0f6573231f2a7e5b20e2169919..52af12429d090dcc0d7eed14b76e8b651360f283 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -8,9 +8,13 @@ This base platform module exports platform dependant constants.
 
 
 class BaseConstantsNamespace(object):
+DS_USER = 'dirsrv'
+DS_GROUP = 'dirsrv'
 HTTPD_USER = "apache"
 IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
 NAMED_USER = "named"
+PKI_USER = 'pkiuser'
+PKI_GROUP = 'pkiuser'
 # ntpd init variable used for daemon options
 NTPD_OPTS_VAR = "OPTIONS"
 # quote used for daemon options
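Review bot: the four new constants use single quotes (`'dirsrv'`, `'pkiuser'`) while every existing constant in this class uses double quotes (`"apache"`, `"named"`, `"OPTIONS"`); using the same quoting keeps the class uniform. Also consider a short comment that DS_GROUP and PKI_GROUP intentionally equal their user names on this platform, so that a later reader does not take the repetition for a copy-paste slip.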
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index a0b4060cb26bab66248c4397c24b4d58bf1bf8d6..55c840de2be0a8c8308d93c2b533ce2df9f76471 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -44,6 +44,7 @@ import ipapython.errors
 
 from ipalib import x509 # FIXME: do not import from ipalib
 
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.redhat.authconfig import RedHatAuthConfig
 from ipaplatform.base.tasks import BaseTaskNamespace
@@ -458,14 +459,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 This values should be constant and may be hardcoded.
 Add other values for other users when needed.
 """
-if name == 'pkiuser':
+if name == constants.PKI_USER:
 if uid is None:
 uid = 17
 if gid is None:
 gid = 17
 if comment is None:
 comment = 'CA System User'
-if name == 'dirsrv':
+if name == constants.DS_USER:
 if comment is 
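Review bot: the hardcoded `uid = 17` / `gid = 17` and the `'CA System User'` comment are now keyed on `constants.PKI_USER` by name, so a platform that overrides PKI_USER would carry the fixed uid 17 over to whatever account it names; if that uid is a Red Hat platform convention, say so in the docstring above, or move it alongside the user name in the platform constants so the two cannot drift apart.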

Re: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf

2016-01-20 Thread Christian Heimes
On 2016-01-20 08:30, Abhijeet Kasurde wrote:
> Ping for review request.

Hi,

your initial patch has a small problem. Please provide a new patch with
port 464 instead of 749.

Christian




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
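Christian's point is that kpasswd (password change) lives on port 464, whereas 749 is the kadmin port; a client whose kpasswd_server names 749 is talking to the admin protocol, not the password-change service. As an added example, not part of the patch under review and not FreeIPA code, here is a small krb5.conf lint in Python that parses the [realms] section and flags kpasswd_server entries that use the kadmin port. The sample krb5.conf below is constructed for this example.

```python
"""Lint the kpasswd_server entries of a krb5.conf.

Added example, not part of the FreeIPA patch under review. It assumes a
krb5.conf in the standard MIT layout (section headers in brackets, realm
stanzas written as ``REALM = { ... }``) and checks that every
kpasswd_server points at the kpasswd port (464), not the kadmin port (749).
The sample file below is constructed for this example.
"""
import re

KPASSWD_PORT = 464   # kpasswd (RFC 3244): where password changes must go
KADMIN_PORT = 749    # kerberos-adm: the admin protocol, a different service

# Constructed sample: one realm correct, one pointing kpasswd at the kadmin
# port, one relying on the implicit default port.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST

[realms]
  EXAMPLE.TEST = {
    kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
    kpasswd_server = ipa1.example.test:464
  }
  OTHER.TEST = {
    kdc = ipa2.other.test
    kpasswd_server = ipa2.other.test:749
  }
  THIRD.TEST = {
    kdc = ipa3.third.test
    kpasswd_server = ipa3.third.test
  }
"""


def parse_realms(text):
    """Return {realm: {key: [values]}} for the [realms] section.

    Only the subset of krb5.conf syntax needed here is handled: '[section]'
    headers, 'NAME = {' stanza openers, 'key = value' lines and '}' closers.
    Comments ('#' or ';') and blank lines are skipped.
    """
    realms = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            current = None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == '}':
            current = None
            continue
        if current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            current.setdefault(key, []).append(value)
    return realms


def split_host_port(value, default_port):
    """Split 'host[:port]' (bracketed IPv6 allowed) into (host, port)."""
    m = re.match(r'^(\[[^\]]+\]|[^:]+)(?::(\d+))?$', value)
    if not m:
        raise ValueError('unparseable server spec: %r' % value)
    host = m.group(1).strip('[]')
    port = int(m.group(2)) if m.group(2) else default_port
    return host, port


def check_kpasswd_servers(text):
    """Return [(realm, value, problem)] for suspicious kpasswd_server lines."""
    findings = []
    for realm, keys in parse_realms(text).items():
        for value in keys.get('kpasswd_server', []):
            _host, port = split_host_port(value, KPASSWD_PORT)
            if port == KADMIN_PORT:
                findings.append((realm, value,
                                 'kpasswd_server uses the kadmin port %d; '
                                 'password changes must go to %d'
                                 % (KADMIN_PORT, KPASSWD_PORT)))
            elif port != KPASSWD_PORT:
                findings.append((realm, value,
                                 'non-standard kpasswd port %d' % port))
    return findings


if __name__ == '__main__':
    for realm, value, problem in check_kpasswd_servers(SAMPLE_KRB5_CONF):
        print('%s: %s: %s' % (realm, value, problem))
```

Running it against the sample reports only OTHER.TEST; an entry without an explicit port is treated as 464, which is what the MIT client defaults to.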

Re: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check

2016-01-20 Thread Fraser Tweedale
On Wed, Jan 20, 2016 at 07:52:32PM +1000, Fraser Tweedale wrote:
> Good pickup on the curl dependency; indeed it is no longer needed.
> Updated patch attached.
>
Whups, that was same patch, different name. *Here* is the new patch.
From ba5750b7a805841abd8d4795d9c4bcec2a3518a0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 20 Jan 2016 18:35:15 +1100
Subject: [PATCH] Remove workaround for CA running check

A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).

Remove the workaround and use an http request (no TLS) to check the
CA status.  Also remove the now-unused unauthenticated_http_request
method, and update specfile to remove ipalib dependency on curl.

https://fedorahosted.org/freeipa/ticket/4676
---
 freeipa.spec.in|  2 --
 ipaplatform/redhat/services.py | 25 +
 ipapython/dogtag.py| 25 +++--
 3 files changed, 4 insertions(+), 48 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 961d8c38e0dd5f954bfca47e8209a5655eaacc86..ae0887390d623b035734dc5c8da703ba33a37e9f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -466,7 +466,6 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: curl
 Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
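Review bot: dropping `Requires: curl` is right only if paths.BIN_CURL has no remaining callers in the python2 package; the ipaplatform/redhat/services.py hunk below removes the one this patch knows about, but the dependency was package-wide, so grep ipalib, ipapython and ipaplatform before merging, otherwise the failure moves from install time (missing dependency) to run time (missing binary).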
@@ -510,7 +509,6 @@ Requires: python3-pyasn1
 Requires: python3-dateutil
 Requires: python3-yubico >= 1.2.3
 Requires: python3-sss-murmur
-Requires: curl
 Requires: python3-dbus
 Requires: python3-setuptools
 Requires: python3-six
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 11292fa4912844db78899d779b84104288e469dc..3c18dbc3c1274ef3852abef5f054b4e37e6b32fa 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -199,30 +199,7 @@ class RedHatCAService(RedHatService):
 op_timeout = time.time() + timeout
 while time.time() < op_timeout:
 try:
-# FIXME https://fedorahosted.org/freeipa/ticket/4716
-# workaround
-#
-# status = dogtag.ca_status(use_proxy=use_proxy)
-#
-port = 8443
-
-url = "https://%(host_port)s%(path)s" % {
-"host_port": ipautil.format_netloc(api.env.ca_host, port),
-"path": "/ca/admin/ca/getStatus"
-}
-
-args = [
-paths.BIN_CURL,
-'-o', '-',
-'--connect-timeout', '30',
-'-k',
-url
-]
-
-result = ipautil.run(args, capture_output=True)
-
-status = dogtag._parse_ca_status(result.output)
-# end of workaround
+status = dogtag.ca_status()
 except Exception as e:
 status = 'check interrupted due to error: %s' % e
 root_logger.debug('The CA status is: %s' % status)
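Review bot: the removed FIXME cites ticket 4716 while the commit message says 4676; confirm which one is the real history so the reference stays searchable. Two consequences of the removed block also need a look: the deleted lines were this function's only visible uses of `ipautil.format_netloc`, `ipautil.run` and `paths.BIN_CURL`, so pylint will flag the `ipautil`/`paths` imports if nothing else in services.py uses them; and the curl call carried `--connect-timeout 30`, whereas `dogtag.ca_status()` passes no timeout, so a connect that hangs is no longer bounded and the surrounding `while time.time() < op_timeout` loop can only notice after the call eventually returns.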
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1..6f13880026e9e6043649405245c9cd50a826f652 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -103,7 +103,7 @@ def _parse_ca_status(body):
 raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
 
 
-def ca_status(ca_host=None, use_proxy=True):
+def ca_status(ca_host=None):
 """Return the status of the CA, and the httpd proxy in front of it
 
 The returned status can be:
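Review bot: with `use_proxy` gone, the docstring "Return the status of the CA, and the httpd proxy in front of it" no longer describes the function, because the request now goes straight to the CA's own connector (next hunk) and httpd is not in the path; update it, and grep for callers that still pass `use_proxy=`, which would now raise TypeError.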
@@ -113,13 +113,8 @@ def ca_status(ca_host=None, use_proxy=True):
 """
 if ca_host is None:
 ca_host = api.env.ca_host
-if use_proxy:
-# Use port 443 to test the proxy as well
-ca_port = 443
-else:
-ca_port = 8443
-status, headers, body = unauthenticated_https_request(
-ca_host, ca_port, '/ca/admin/ca/getStatus')
+status, headers, body = http_request(
+ca_host, 8080, '/ca/admin/ca/getStatus')
 if status == 503:
 # Service temporarily unavailable
 return status
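Review bot: the check now uses plain HTTP to a hard-coded 8080 instead of HTTPS on 443/8443. That is not a security regression (the curl workaround ran with `-k`, so its TLS verified nothing, and getStatus is an unauthenticated endpoint either way), but it does assume the Dogtag non-TLS connector is enabled on ca_host, which deserves a comment next to `8080`, and it means a broken httpd proxy is no longer detected here, so anything that relied on the old 443 probe for that needs its own check.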
@@ -175,20 +170,6 @@ def http_request(host, port, url, **kw):
 'http', host, port, url, httplib.HTTPConnection, body)
 
 
-def unauthenticated_https_request(host, port, url, **kw):
-"""
-:param url: The path (not complete URL!) to post to.
-:param kw: Keyword arguments to encode into POST body.
-:return:   (http_status, http_headers, http_body)
-as (integer, dict, str)
-
-Perform an unauthenticated HTTPS request.
-"""
-body = urlencode(kw)
-return _httplib_request(
-'https', host, port, url, httplib.HTTPSConnection, body)
-
-
 def _httplib_request(
 protocol, host, port, path, connection_factory, request_body,
 method='POST', headers=None):
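Review bot: the function removed here is `unauthenticated_https_request`, while the commit message refers to `unauthenticated_http_request`; fix the message. Because the name was not underscore-prefixed, also grep for importers outside ipapython/dogtag.py, and check whether `urlencode` and `httplib.HTTPSConnection` still have other uses in this file after the removal, otherwise the `urlencode` import becomes dead.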
-- 
2.5

Re: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check

2016-01-20 Thread Fraser Tweedale
On Wed, Jan 20, 2016 at 09:30:29AM +0100, Martin Kosek wrote:
> On 01/20/2016 08:45 AM, Fraser Tweedale wrote:
> > The attached patch removes a workaround introduced as part of
> > https://fedorahosted.org/freeipa/ticket/4676.
> > 
> > Alternatively, if we want to keep the "workaround" I will submit a
> > different patch that removes unused code and FIXME comments :)
> > 
> > Cheers,
> > Fraser
> 
> You may also want to check FreeIPA spec file, if there is now no extra curl
> dependency. I would leave it up to Martin Basti, to confirm that the original
> issue cannot appear again. It was a nightmare to troubleshoot, as I heard :)
>
Good pickup on the curl dependency; indeed it is no longer needed.
Updated patch attached.
From df99d69569ddc173c7495eb5cd85133079a24ba9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 20 Jan 2016 18:35:15 +1100
Subject: [PATCH] Remove workaround for CA running check

A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).

Remove the workaround and use an http request (no TLS) to check the
CA status.  Also remove the now-unused unauthenticated_http_request
method.

https://fedorahosted.org/freeipa/ticket/4676
---
 ipaplatform/redhat/services.py | 25 +
 ipapython/dogtag.py| 25 +++--
 2 files changed, 4 insertions(+), 46 deletions(-)

diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 11292fa4912844db78899d779b84104288e469dc..3c18dbc3c1274ef3852abef5f054b4e37e6b32fa 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -199,30 +199,7 @@ class RedHatCAService(RedHatService):
 op_timeout = time.time() + timeout
 while time.time() < op_timeout:
 try:
-# FIXME https://fedorahosted.org/freeipa/ticket/4716
-# workaround
-#
-# status = dogtag.ca_status(use_proxy=use_proxy)
-#
-port = 8443
-
-url = "https://%(host_port)s%(path)s" % {
-"host_port": ipautil.format_netloc(api.env.ca_host, port),
-"path": "/ca/admin/ca/getStatus"
-}
-
-args = [
-paths.BIN_CURL,
-'-o', '-',
-'--connect-timeout', '30',
-'-k',
-url
-]
-
-result = ipautil.run(args, capture_output=True)
-
-status = dogtag._parse_ca_status(result.output)
-# end of workaround
+status = dogtag.ca_status()
 except Exception as e:
 status = 'check interrupted due to error: %s' % e
 root_logger.debug('The CA status is: %s' % status)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 1cb74719c4ce2cc97c54dc7bebfa4b32ceee14a1..6f13880026e9e6043649405245c9cd50a826f652 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -103,7 +103,7 @@ def _parse_ca_status(body):
 raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
 
 
-def ca_status(ca_host=None, use_proxy=True):
+def ca_status(ca_host=None):
 """Return the status of the CA, and the httpd proxy in front of it
 
 The returned status can be:
@@ -113,13 +113,8 @@ def ca_status(ca_host=None, use_proxy=True):
 """
 if ca_host is None:
 ca_host = api.env.ca_host
-if use_proxy:
-# Use port 443 to test the proxy as well
-ca_port = 443
-else:
-ca_port = 8443
-status, headers, body = unauthenticated_https_request(
-ca_host, ca_port, '/ca/admin/ca/getStatus')
+status, headers, body = http_request(
+ca_host, 8080, '/ca/admin/ca/getStatus')
 if status == 503:
 # Service temporarily unavailable
 return status
@@ -175,20 +170,6 @@ def http_request(host, port, url, **kw):
 'http', host, port, url, httplib.HTTPConnection, body)
 
 
-def unauthenticated_https_request(host, port, url, **kw):
-"""
-:param url: The path (not complete URL!) to post to.
-:param kw: Keyword arguments to encode into POST body.
-:return:   (http_status, http_headers, http_body)
-as (integer, dict, str)
-
-Perform an unauthenticated HTTPS request.
-"""
-body = urlencode(kw)
-return _httplib_request(
-'https', host, port, url, httplib.HTTPSConnection, body)
-
-
 def _httplib_request(
 protocol, host, port, path, connection_factory, request_body,
 method='POST', headers=None):
-- 
2.5.0


Re: [Freeipa-devel] [PATCHES] 0752-0757, 0759 Enable pylint --py3k

2016-01-20 Thread Petr Viktorin
On 01/19/2016 04:52 PM, Jan Cholasta wrote:
> On 19.1.2016 13:45, Petr Viktorin wrote:
[...]
>>> Otherwise LGTM, including patch 758.
>>
>> Attaching updated patches, with py3k check as default squashed in.
>> I also added a pylint exception for a new use of reload() in 0756.
>> One more thing I did was disable pylint's long and uninteresting report,
>> so now only the messages are shown.
> 
> Thanks, ACK.
> 
> Could you please rebase the patches on top of ipa-4-3 so I can push them?

Oh, they're going into an earlier release as well?

Here is a patchset for ipa-4-3.


-- 
Petr Viktorin
From d6c083bae2aeebeaddf30b998881dfa403a5cf47 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Tue, 5 Jan 2016 13:19:25 +0100
Subject: [PATCH] Use explicit truncating division

In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
---
 ipalib/plugins/dns.py| 6 +++---
 ipalib/plugins/pwpolicy.py   | 4 ++--
 ipalib/plugins/trust.py  | 2 +-
 ipaserver/install/ipa_otptoken_import.py | 4 ++--
 ipatests/test_integration/util.py| 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 6272220aaf264dffaabaf48111c652544a08044a..e4a92e1d54afe68b2bb5fe2329b06d43e10bd706 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -350,9 +350,9 @@ def _reverse_zone_name(netstr):
 net = netaddr.IPNetwork(netstr)
 items = net.ip.reverse_dns.split('.')
 if net.version == 4:
-return u'.'.join(items[4 - net.prefixlen / 8:])
+return u'.'.join(items[4 - net.prefixlen // 8:])
 elif net.version == 6:
-return u'.'.join(items[32 - net.prefixlen / 4:])
+return u'.'.join(items[32 - net.prefixlen // 4:])
 else:
 return None
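Review bot: `//` reproduces the Python 2 result, so this is behaviour-preserving, but `4 - net.prefixlen // 8` silently rounds prefixes that are not a multiple of 8 (a /20 yields the same reverse zone name as a /16), and the IPv6 branch does the same at nibble granularity; a short comment stating that non-aligned prefixes are rounded to the enclosing zone on purpose would stop the next reader from reopening the question.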
 
@@ -3417,7 +3417,7 @@ class dnsrecord(LDAPObject):
 resolver = dns.resolver.Resolver()
 resolver.set_flags(0)  # disable recursion (for NS RR checks)
 max_attempts = int(self.api.env['wait_for_dns'])
-warn_attempts = max_attempts / 2
+warn_attempts = max_attempts // 2
 period = 1  # second
 attempt = 0
 log_fn = self.log.debug
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 7bd3c0984fde5c3182f229a545b487614106a128..dafa5be788128de7cfca1592be8d4a72cddaa930 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -373,11 +373,11 @@ class pwpolicy(LDAPObject):
 if not options.get('raw', False):
 if 'krbmaxpwdlife' in entry_attrs:
 entry_attrs['krbmaxpwdlife'][0] = unicode(
-int(entry_attrs['krbmaxpwdlife'][0]) / 86400
+int(entry_attrs['krbmaxpwdlife'][0]) // 86400
 )
 if 'krbminpwdlife' in entry_attrs:
 entry_attrs['krbminpwdlife'][0] = unicode(
-int(entry_attrs['krbminpwdlife'][0]) / 3600
+int(entry_attrs['krbminpwdlife'][0]) // 3600
 )
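Review bot: both conversions truncate, so a stored krbmaxpwdlife or krbminpwdlife that is not a whole number of days or hours is shown rounded down; that matches the previous Python 2 behaviour, but please confirm that `convert_time_on_input` (visible just below) writes back whole units, otherwise a read-modify-write of the policy could shorten the lifetime by up to a day on each round trip.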
 
 def convert_time_on_input(self, entry_attrs):
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 61846dc11e0decff2c45d599a803ca2e384364c9..7f925b734fe5583bec676f8270b860d446f0787a 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -385,7 +385,7 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
 max_id = int(max(max_uid, max_gid)[0])
 
 base_id = int(info.get('msSFU30OrderNumber')[0])
-range_size = (1 + (max_id - base_id) / DEFAULT_RANGE_SIZE)\
+range_size = (1 + (max_id - base_id) // DEFAULT_RANGE_SIZE)\
  * DEFAULT_RANGE_SIZE
 
 # Second, options given via the CLI options take precedence to discovery
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 10b8af6f158ee957036889b162d21cb45e47..fe5588874fb14e8786c0a56cb2b0e7c7307ad69f 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -246,9 +246,9 @@ class XMLDecryptor(object):
 # Decrypt the data.
 slot = nss.get_best_slot(mech)
 key = nss.import_sym_key(slot, mech, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, self.__key)
-iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen/8]))
+iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen//8]))
 ctx = nss.create_context_by_sym_key(mech, nss.CKA_DECRYPT, key, iv)
-out = ctx.cipher_op(data[ivlen / 8:])
+out = ctx.cipher_op(data[ivlen // 8:])
 out += ctx.digest_final()
 return out
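Review bot: this hunk is more than lint: under Python 3 `ivlen/8` is a float and `data[0:ivlen/8]` raises TypeError, so the `//` is what makes the decryptor work at all, and a comment saying so would be useful. Also worth a look while here: the line above imports the key with `nss.CKA_ENCRYPT` and the context is then created with `nss.CKA_DECRYPT`; double-check that the import operation flag is what NSS expects for a key used only to decrypt.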
 
diff --git a/ipatests/test_integration/util.py b/ipatests/test_integration/util.py
index 5cfbb2e948c04c70e77b29fd3813ae3fb8a1b84c..594737b6d753d476cd06aeb0d5cd376b7ca46467 100644
--- a/ipatests/test_integration/util.py
+++ b/ipatests/test_integration/util.py
@@ -57,7 +57,7 @@ d

Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-20 Thread Jan Cholasta

On 20.1.2016 10:05, Petr Spacek wrote:
> On 19.1.2016 16:10, David Kupka wrote:
>> On 19/01/16 14:38, Jan Cholasta wrote:
>>> On 19.1.2016 14:26, Martin Kosek wrote:
>>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>>
>>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>>> unused import
>>>>> but otherwise it works, ACK.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>>
>>>> Won't this break existing certmonger requests depending on the old path?
>>>
>>> It will, I don't see any upgrade code.
>>>
>>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>
>> You're right it will break the upgrade. I haven't noticed that Server-Cert for
>> DS and HTTPD are not handled by certificate_renewal_update
>> (ipaserver.install.server.upgrade) where all the other trackings are stopped
>> and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
>> updated.
>
> LOL, one more reason to centralize the certificate madness to one place? :-)

Definitely!

--
Jan Cholasta

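Martin's getcert output shows why moving the helpers needs upgrade code: each tracking request stores the absolute helper path, so after the move certmonger would invoke commands that no longer exist at renewal time, and the Server-Cert requests for DS and httpd are exactly the ones the existing upgrade step skips. As an added example, not FreeIPA's upgrade code, the Python below parses `getcert list` text, reports requests whose pre-save/post-save commands still point under /usr/lib64/ipa/certmonger, and builds the `getcert start-tracking -i ... -B ... -C ...` invocations that would retarget them. The new directory /usr/libexec/ipa/certmonger and the sample output are assumptions constructed for this example; the commands are built, not executed.

```python
"""Find certmonger tracking requests that still reference the old helper path.

Added example, not FreeIPA's upgrade code. It parses the text format of
``getcert list`` (the sample below is constructed from the shape shown in
the thread) and reports every request whose pre-save or post-save command
lives under OLD_DIR, together with the retargeted command. NEW_DIR is an
assumption for where the helpers land after the move to libexecdir.
"""
import re
import shlex

OLD_DIR = '/usr/lib64/ipa/certmonger'      # path shown in the thread's getcert output
NEW_DIR = '/usr/libexec/ipa/certmonger'    # assumed post-patch location (libexecdir)

# Constructed sample getcert output: two stale requests, one already updated.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20160120100000':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tpre-save command: 
\tpost-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
Request ID '20160120100001':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
Request ID '20160120100002':
\tstatus: MONITORING
\tstuck: no
\tCA: IPA
\tpre-save command: 
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return an ordered list of (request_id, {field: value}) from getcert list output."""
    requests = []
    fields = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            fields = {}
            requests.append((m.group(1), fields))
            continue
        if fields is None or not line.startswith('\t'):
            continue  # preamble or unknown line
        key, sep, value = line.strip().partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return requests


def retarget(command):
    """Rewrite a helper command under OLD_DIR to NEW_DIR, keeping its arguments.

    Returns None when the command is empty or not under OLD_DIR.
    """
    argv = shlex.split(command)
    if not argv or not argv[0].startswith(OLD_DIR + '/'):
        return None
    argv[0] = NEW_DIR + argv[0][len(OLD_DIR):]
    return ' '.join(shlex.quote(a) for a in argv)


def stale_requests(text):
    """Return [(request_id, fields, fixes)] for requests still using OLD_DIR.

    fixes maps 'pre-save command' / 'post-save command' to the retargeted value.
    """
    result = []
    for request_id, fields in parse_getcert_list(text):
        fixes = {}
        for key in ('pre-save command', 'post-save command'):
            new = retarget(fields.get(key, ''))
            if new is not None:
                fixes[key] = new
        if fixes:
            result.append((request_id, fields, fixes))
    return result


def retracking_commands(text):
    """Build the getcert invocations that would update each stale request.

    -B sets the pre-save command and -C the post-save command; an unchanged
    non-empty command is re-sent so the request keeps a consistent pair.
    """
    cmds = []
    for request_id, fields, fixes in stale_requests(text):
        cmd = ['getcert', 'start-tracking', '-i', request_id]
        pre = fixes.get('pre-save command', fields.get('pre-save command', ''))
        post = fixes.get('post-save command', fields.get('post-save command', ''))
        if pre:
            cmd += ['-B', pre]
        if post:
            cmd += ['-C', post]
        cmds.append(cmd)
    return cmds


if __name__ == '__main__':
    for cmd in retracking_commands(SAMPLE_GETCERT_LIST):
        print(' '.join(shlex.quote(a) for a in cmd))
```

The check is deliberately path-based rather than name-based, so it also catches helpers added later under the old directory; confirm the option set against your certmonger's `getcert start-tracking --help` before running the generated commands on a real host.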


Re: [Freeipa-devel] [PATCH 0011] Move freeipa certmonger helpers to libexecdir.

2016-01-20 Thread Petr Spacek
On 19.1.2016 16:10, David Kupka wrote:
> On 19/01/16 14:38, Jan Cholasta wrote:
>> On 19.1.2016 14:26, Martin Kosek wrote:
>>> On 01/19/2016 01:47 PM, David Kupka wrote:
>>>> I've polished the patch attached to #5586 by Timo Aaltonen.
>>>>
>>>> Thanks for the patch. I've fixed the path in specfile and removed
>>>> unused import
>>>> but otherwise it works, ACK.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5586
>>>
>>> Won't this break existing certmonger requests depending on the old path?
>>
>> It will, I don't see any upgrade code.
>>
>>>
>>> # getcert list | grep '/usr/lib64/ipa/certmonger'
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv RHEL72
>>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>
>>
>>
> 
> You're right it will break the upgrade. I haven't noticed that Server-Cert for
> DS and HTTPD are not handled by certificate_renewal_update
> (ipaserver.install.server.upgrade) where all the other trackings are stopped
> and then configured again with the paths.CERTMONGER_COMMAND_TEMPLATE already
> updated.

LOL, one more reason to centralize the certificate madness to one place? :-)

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

2016-01-20 Thread Martin Babinsky

On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> On 01/15/2016 04:57 PM, Simo Sorce wrote:
>> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
>>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
>>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
>>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
>>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
>>>>>>>
>>>>>>> And the patch is here.
>>>>>>
>>>>>> self-NACK, there may be a better way to handle this. I will do some
>>>>>> investigation and send updated patch.
>>>>>
>>>>> Attaching updated patch.
>>>>
>>>> A failure to obtain a tgt may be due to other reasons (for example the
>>>> KDC crashed), why are you trying to use this test ?
>>>> Isn't it sufficient to see there is no host entry in the directory ?
>>>>
>>>> Simo.
>>>
>>> There were some corner cases I encountered, mostly concerning a cleanup
>>> after unsuccessful replica promotion.
>>>
>>> You may sometimes end up in a state where local DS is working, but KDC
>>> crashed and the krb5.conf is still pointing at a remote one. In that
>>> case "malformed" replica's local host entry exists, but when such host
>>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>>>
>>> However, if the admin had in the meantime cleaned up this host's
>>> kerberos principals/keys, the crashed replica gets one of the following
>>> errors:
>>>
>>> Client not found in Kerberos database
>>> Client credentials have been revoked
>>> Generic preauthentication failure
>>>
>>> These were printed out as errors during uninstall, but were actually
>>> expected in a situation like this. It is true that the code should check
>>> and ignore these specific errors.
>>
>> Only the first is valid for your case, the others may be transient
>> errors.
>>
>> Simo.
>
> True, attaching updated patch. The other errors will now pop out in the
> output and the warning will be displayed.

Bump for review.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-20 Thread Martin Babinsky

On 01/14/2016 05:29 PM, Martin Babinsky wrote:
> On 01/13/2016 05:59 PM, Rob Crittenden wrote:
>> Martin Babinsky wrote:
>>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>>
>>> In order to ensure consistent behavior with ipa-client-install, I opted
>>> to reuse the configure_openldap_conf() function and restoring the config
>>> from client sysrestore before modifying it.
>>>
>>> If you think this approach is not optimal please propose an alternative
>>> solution.
>>
>> You could also just do an action set on URI to change the value, right?
>> It would need a new function but it would be very small.
>>
>> If you do end up keeping this I'd want a new commit message for moving
>> the code to include why you're moving it (to avoid the need to dereference
>> the ticket).
>>
>> rob
>
> Here's the patch that implements the change in URI directive. Please
> keep in mind that we not only have to change the URI to point to
> ourselves, we also have to do it in a way consistent with
> ipa-client-install, i.e. leave a comment with new URI if it was already
> set by third party.
>
> Plain 'addifnotset' directive will not do, however, because then we end
> up with two comments, one original, and one pointing to ourselves. Plain
> 'set' may rewrite the URI set by user and thus we would have to test its
> value anyway.
>
> The correct handling of these cases coupled with a way IPAChangeConf is
> written results in a solution presented here.
>
> The fact that it is not much shorter than configure_openldap_conf and is
> additionally pretty ugly (a fact at least partially caused by me not
> being very fluent in IPAChangeConf usage) led me to the conclusion that
> restoring original ldap.conf and reusing already written code for
> reediting it anew with replica as URI is actually not that bad idea.

Bump for review/discussion.

--
Martin^3 Babinsky

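The rules Martin spells out (change the URI only if IPA set it; otherwise keep the third-party URI and leave exactly one comment carrying ours; never pile up comments on re-runs) are small enough to show directly. As an added example, not the patch under discussion and not IPAChangeConf code, the Python below implements them as a pure function over the ldap.conf text, with the "#URI ..." comment form, the sample files and the old/new URIs being assumptions constructed for this example.

```python
"""Retarget the ldap.conf URI to a freshly promoted replica without
clobbering third-party settings.

Added example, not the FreeIPA patch under discussion. It models the rules
from the thread: rewrite the URI only when it is the one IPA set (old_uri),
otherwise leave the user's URI alone and keep exactly one '#URI <new>'
comment, and stay idempotent so re-running never adds a second comment.
The '#URI' marker form and the samples below are assumptions for this
example.
"""
import re

# An active directive: 'URI ldaps://host' (a multi-URI line also matches).
URI_ACTIVE = re.compile(r'^\s*URI\s+(.+?)\s*$')
# The comment form used when somebody else already owns the directive.
URI_COMMENT = re.compile(r'^\s*#\s*URI\s+(\S+)\s*$')

# Constructed samples, one per case the thread describes.
OLD_URI = 'ldaps://master.example.test'      # what ipa-client-install wrote
NEW_URI = 'ldaps://replica.example.test'     # the host being promoted
CLIENT_SET = (
    "# File modified by ipa-client-install\n"
    "BASE dc=example,dc=test\n"
    "URI ldaps://master.example.test\n"
    "TLS_CACERT /etc/ipa/ca.crt\n"
)
THIRD_PARTY = (
    "BASE dc=corp,dc=example\n"
    "URI ldap://corp-ldap.example\n"
    "#URI ldaps://master.example.test\n"
)
UNSET = "BASE dc=example,dc=test\n"


def reset_ldap_uri(text, old_uri, new_uri):
    """Return (new_text, action); action is 'replaced', 'commented' or 'added'."""
    lines = text.splitlines()

    # Drop the marker comment IPA left on an earlier run (old or new value);
    # at most one is re-added below, so the file never accumulates them.
    lines = [l for l in lines
             if not (URI_COMMENT.match(l)
                     and URI_COMMENT.match(l).group(1) in (old_uri, new_uri))]

    active = [(i, URI_ACTIVE.match(l).group(1))
              for i, l in enumerate(lines) if URI_ACTIVE.match(l)]
    ours = [i for i, value in active if value in (old_uri, new_uri)]

    if ours:
        # IPA owns the directive: rewrite it in place, keep everything else.
        for i in ours:
            lines[i] = 'URI ' + new_uri
        action = 'replaced'
    elif active:
        # A third party set URI: leave it, record ours as a single comment,
        # exactly as ipa-client-install does when it finds a foreign URI.
        lines.append('#URI ' + new_uri)
        action = 'commented'
    else:
        lines.append('URI ' + new_uri)
        action = 'added'
    return '\n'.join(lines) + '\n', action


if __name__ == '__main__':
    for label, sample in (('client-set', CLIENT_SET),
                          ('third-party', THIRD_PARTY),
                          ('unset', UNSET)):
        new_text, action = reset_ldap_uri(sample, OLD_URI, NEW_URI)
        print('%s -> %s\n%s' % (label, action, new_text))
```

Idempotence is the property worth testing: applying the function to its own output must return the same text in all three cases, which is exactly what a plain 'set' or 'addifnotset' fails to guarantee for the comment case.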


Re: [Freeipa-devel] [PATCH] 0049 Remove workaround for CA running check

2016-01-20 Thread Martin Kosek
On 01/20/2016 08:45 AM, Fraser Tweedale wrote:
> The attached patch removes a workaround introduced as part of
> https://fedorahosted.org/freeipa/ticket/4676.
> 
> Alternatively, if we want to keep the "workaround" I will submit a
> different patch that removes unused code and FIXME comments :)
> 
> Cheers,
> Fraser

You may also want to check FreeIPA spec file, if there is now no extra curl
dependency. I would leave it up to Martin Basti, to confirm that the original
issue cannot appear again. It was a nightmare to troubleshoot, as I heard :)
