Re: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation

2016-01-29 Thread Petr Spacek
On 29.1.2016 10:43, Martin Basti wrote:
> 
> 
> On 25.01.2016 13:29, Martin Basti wrote:
>>
>>
>> On 23.01.2016 10:34, Petr Spacek wrote:
>>> On 22.1.2016 17:47, Martin Basti wrote:
 -# make BIND happy, and delegate zone which contains A record of
 master
 +# make BIND happy: add the glue record and delegate zone
 +args = [
 +"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
 +"--a-rec=" + self.master.ip
 +]
 +self.master.run_command(args)
 +time.sleep(10)  # sleep a bit until data are provided by
 bind-dyndb-ldap
 +
>>> LGTM, ACK. In the worst case it will not fix the test :-)
>>>
>> Pushed to:
>> ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8
>> master: cdf08a0a869f83a6111d9560b69c582d2c04f89c
>>
> 
> Here is better fix that should actually work in lab :)
> patch attached

ACK

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0013-0021] Coverity patches

2016-01-29 Thread Martin Basti



On 29.01.2016 15:49, Stanislav Laznicka wrote:

Reworded the commits so that they better reflect what's going on in those.

On 01/29/2016 02:49 PM, Stanislav Laznicka wrote:

Hello,

I made some patches based on the Coverity report from 18.1.2016.

Cheers,
Standa







NACK, see my previous email
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] extdom: Remove unused macro

2016-01-29 Thread Sumit Bose
On Fri, Jan 29, 2016 at 01:11:32PM +0100, Lukas Slebodnik wrote:
> ehlo,
> 
> Last usage of the macro SSSD_SYSDB_SID_STR was removed
> in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3
> 
> LS

ACK

bye,
Sumit

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0013-0021] Coverity patches

2016-01-29 Thread Stanislav Laznicka

Reworded the commits so that they better reflect what's going on in those.

On 01/29/2016 02:49 PM, Stanislav Laznicka wrote:

Hello,

I made some patches based on the Coverity report from 18.1.2016.

Cheers,
Standa




From 56bfba733321388190cf6df0ec0dfab5fff15996 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 08:57:06 +0100
Subject: [PATCH 1/9] Removing dead code

---
 ipaclient/ipadiscovery.py | 3 ---
 ipalib/plugins/dns.py | 3 ---
 ipatests/i18n.py  | 4 ++--
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py
index 45a71e190e56d33d51d37f16ae61a7b4c28df521..39f3fcc98d06d7041a82ca7f5e6c240fe9a23983 100644
--- a/ipaclient/ipadiscovery.py
+++ b/ipaclient/ipadiscovery.py
@@ -401,9 +401,6 @@ class IPADiscovery(object):
 else:
 return [0, thost, lrealms[0]]
 
-#we shouldn't get here
-return [UNKNOWN_ERROR]
-
 except errors.DatabaseTimeout:
 root_logger.debug("LDAP Error: timeout")
 return [NO_LDAP_SERVER]
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 0a9fa181347514f0cc11c3ab4a3e19864df4eec0..1892d29ec9f87d3b3f955ff8df6b154961fbce36 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -800,9 +800,6 @@ class DNSRecord(Str):
 if value is None:
 return
 
-if value is None:
-return
-
 if not self.supported:
 return _('DNS RR type "%s" is not supported by bind-dyndb-ldap plugin') \
  % self.rrtype
diff --git a/ipatests/i18n.py b/ipatests/i18n.py
index a83c5806ef8ceaf011ec54db18d0222769bad1b1..368712599063c3281b95bf46e48dea924fc7999e 100755
--- a/ipatests/i18n.py
+++ b/ipatests/i18n.py
@@ -755,7 +755,7 @@ def main():
 print('ERROR: no mode specified', file=sys.stderr)
 return 1
 
-if options.mode == 'validate_pot' or options.mode == 'validate_po':
+if options.mode in ('validate_pot', 'validate_po'):
 if options.mode == 'validate_pot':
 files = args
 if not files:
@@ -795,7 +795,7 @@ def main():
 else:
 return 0
 
-elif options.mode == 'create_test' or 'test_gettext':
+elif options.mode in ('create_test', 'test_gettext'):
 po_file = '%s.po' % options.test_lang
 pot_file = options.pot_file
 
-- 
2.5.0

From 131fdd331d2283a7fc406e7c03e9f8e67f99794d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:01:43 +0100
Subject: [PATCH 2/9] Wrong assert in ldapkeydb

Asserting 'ipk11id' attribute in different object than from which it
is later accessed
---
 ipapython/dnssec/ldapkeydb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
index 55c09c040a1790569924f506f520b8327775ee7c..aa04139348a42910ed20db5189db70e262c1d5c1 100644
--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
@@ -288,7 +288,7 @@ class LdapKeyDB(AbstractHSM):
 for attr in default_attrs:
 key.setdefault(attr, default_attrs[attr])
 
-assert 'ipk11id' in o, 'key is missing ipk11Id in %s' % key.entry.dn
+assert 'ipk11id' in key, 'key is missing ipk11Id in %s' % key.entry.dn
 key_id = key['ipk11id']
 assert key_id not in keys, 'duplicate ipk11Id=0x%s in "%s" and "%s"' % (hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
 assert 'ipk11label' in key, 'key "%s" is missing ipk11Label' % key.entry.dn
-- 
2.5.0

From 528af83bee872b5722cdfef7c47e011f037db274 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:03:11 +0100
Subject: [PATCH 3/9] Searching for an attribute in a wrong object

Checking for an attribute in a different object than it's
accessed later
---
 ipalib/plugins/permission.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 2312008fa6db646dd4e3e9598daf7ea48c867337..9c64fdf5f6a867a4eab1ccfcdba663d5e1214f08 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -473,7 +473,7 @@ class permission(baseldap.LDAPObject):
 
 if old_client:
 for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
-if new_name in entry:
+if new_name in rights:
 rights[old_name] = rights[new_name]
 del rights[new_name]
 
-- 
2.5.0

From 61826966e57d2b070ce3de25a9f6fc9cf2588ab5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:08:19 +0100
Subject: [PATCH 4/9] Builtin 'type' used wrong in Param class

The builting 'type' is used instead of the same-named class member
---
 ipalib/parameters.py | 2 +-
 1 

Re: [Freeipa-devel] [PATCH 0013-0021] Coverity patches

2016-01-29 Thread Martin Basti



On 29.01.2016 14:49, Stanislav Laznicka wrote:

Hello,

I made some patches based on the Coverity report from 18.1.2016.

Cheers,
Standa



NACK

*) please describe issue in commit message instead of #coverity number 
in all patches


PATCH: Removing dead code
LGTM

PATCH: Wrong assert
I'm not sure with this, please ask pspacek

PATCH: Searching for an attribute in a wrong object
Please file a ticket for this, if this is right, we might want to 
backport patch


PATCH: Class attribute 'type' should be used instead
LGTM

PATCH:  Removed identical branch
NACK, bytes and string are not the same type, this may cause issues in 
python3


PATCH: completed_external might not have beed defined
LGTM

PATCH: Accessing attribute of a possible None value
LGTM

PATCH: Possible close/write into None or closed file
it looks like assertion overkill to me, would be better to rewrite the 
logic IMO


PATCH: Fixed possible dereferencing of undefined objects
NACK

1)
-root_logger.error('Failed to get create new request.')
+else:
+raise RuntimeError('Failed to add a request to DBUS.'

raise original error, do not reraise new exception, it will lost traceback

2)
I would put return to else: block, and raise RuntimeError in try block, 
then just add except (TypeError, RuntimeError)

Try to avoid broad exceptions.




-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites

2016-01-29 Thread Christian Heimes
384']:
+if match['num'].endswith(algo):
+match['attr'].add('SSL_{}'.format(algo))
+
+# cipher block chaining isn't tracked
+if '_CBC' in match['num']:
+match['attr'].add('SSL_CBC')
+
+if match['attr'].intersection(DISABLED_CIPHERS):
+match['enabled'] = False
+elif match['strength'] in WEAK_STRENGTH:
+match['enabled'] = False
+else:
+match['enabled'] = True
+
+# EECDH + AES-CBC and large hash functions is slow and not more secure
+if (match['attr'].issuperset({'SSL_CBC', 'SSL_kEECDH'}) and
+match['attr'].intersection({'SSL_SHA256', 'SSL_SHA384'})):
+match['enabled'] = False
+
+ciphers.append(match)
+
+ciphers.sort(key=operator.itemgetter('name'))
+return ciphers
+
+
+def main():
+with urllib.request.urlopen(SOURCE) as r:  # pylint: disable=E1101
+ciphers = parse_nss_engine_cipher(r)
+# with open('nss_engine_cipher.c') as f:
+# ciphers = parse_nss_engine_cipher(f)
+
+print("# disabled cipher attributes: {}".format(
+', '.join(sorted(DISABLED_CIPHERS
+print("# weak strength: {}".format(', '.join(sorted(WEAK_STRENGTH
+print("# enabled cipher suites:")
+suite = []
+for cipher in ciphers:
+if cipher['enabled']:
+print("#   {:36}".format(cipher['num']))
+suite.append('+{}'.format(cipher['name']))
+print()
+print("NSSCipherSuite {}".format(','.join(suite)))
+
+
+if __name__ == '__main__':
+main()
+
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3b46dce82cae017328c9555c543e78b64e642c89..44e0a7fe087ee2420e827c878b63010c7650989a 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -57,6 +57,19 @@ SELINUX_BOOLEAN_SETTINGS = dict(
 KDCPROXY_USER = 'kdcproxy'
 HTTPD_USER = constants.HTTPD_USER
 
+# See contrib/nsscipersuite/nssciphersuite.py
+NSS_CIPHER_SUITE = [
+'+aes_128_sha_256', '+aes_256_sha_256',
+'+ecdhe_ecdsa_aes_128_gcm_sha_256', '+ecdhe_ecdsa_aes_128_sha',
+'+ecdhe_ecdsa_aes_256_gcm_sha_384', '+ecdhe_ecdsa_aes_256_sha',
+'+ecdhe_rsa_aes_128_gcm_sha_256', '+ecdhe_rsa_aes_128_sha',
+'+ecdhe_rsa_aes_256_gcm_sha_384', '+ecdhe_rsa_aes_256_sha',
+'+rsa_aes_128_gcm_sha_256', '+rsa_aes_128_sha',
+'+rsa_aes_256_gcm_sha_384', '+rsa_aes_256_sha'
+]
+NSS_CIPHER_REVISION = '20160129'
+
+
 def httpd_443_configured():
 """
 We now allow mod_ssl to be installed so don't automatically disable it.
@@ -146,6 +159,8 @@ class HTTPInstance(service.Service):
 
 
 self.step("setting mod_nss port to 443", self.__set_mod_nss_port)
+self.step("setting mod_nss cipher suite",
+  self.set_mod_nss_cipher_suite)
 self.step("setting mod_nss protocol list to TLSv1.0 - TLSv1.2",
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
@@ -255,6 +270,10 @@ class HTTPInstance(service.Service):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def set_mod_nss_cipher_suite(self):
+ciphers = ','.join(NSS_CIPHER_SUITE)
+installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
+
 def __set_mod_nss_passwordfile(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 20379f19c652cb0b5911a4c2f1c67eae7f763379..765ebacbe15df9f8f1ee81bdee9283501df48fd1 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1361,6 +1361,23 @@ def update_mod_nss_protocol(http):
 
 sysupgrade.set_upgrade_state('nss.conf', 'protocol_updated_tls12', True)
 
+
+def update_mod_nss_cipher_suite(http):
+root_logger.info('[Updating mod_nss cipher suite]')
+
+revision = sysupgrade.get_upgrade_state('nss.conf', 'cipher_suite_updated')
+if revision == httpinstance.NSS_CIPHER_REVISION:
+root_logger.info("Cipher suite already updated")
+return
+
+http.set_mod_nss_cipher_suite()
+
+sysupgrade.set_upgrade_state(
+'nss.conf',
+'cipher_suite_updated',
+httpinstance.NSS_CIPHER_REVISION)
+
+
 def ds_enable_sidgen_extdom_plugins(ds):
 """For AD trust agents, make sure we enable sidgen and extdom plugins
 """
@@ -1541,6 +1558,7 @@ def upgrade_configuration():
 
 http.stop()
 update_mod_nss_protocol(http)
+update_mod_nss_cipher_suite(http)
 fix_trust_flags()
 export_kra_agent_pem()
 http.start()
-- 
2.5.0



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0013-0021] Coverity patches

2016-01-29 Thread Stanislav Laznicka

Hello,

I made some patches based on the Coverity report from 18.1.2016.

Cheers,
Standa
From 89a945cb78b324757636dbcaddabc2616d57bde2 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 08:57:06 +0100
Subject: [PATCH 1/9] Removing dead code

Coverity #13532
Coverity #13537
Coverity #13552
---
 ipaclient/ipadiscovery.py | 3 ---
 ipalib/plugins/dns.py | 3 ---
 ipatests/i18n.py  | 4 ++--
 3 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py
index 45a71e190e56d33d51d37f16ae61a7b4c28df521..39f3fcc98d06d7041a82ca7f5e6c240fe9a23983 100644
--- a/ipaclient/ipadiscovery.py
+++ b/ipaclient/ipadiscovery.py
@@ -401,9 +401,6 @@ class IPADiscovery(object):
 else:
 return [0, thost, lrealms[0]]
 
-#we shouldn't get here
-return [UNKNOWN_ERROR]
-
 except errors.DatabaseTimeout:
 root_logger.debug("LDAP Error: timeout")
 return [NO_LDAP_SERVER]
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 0a9fa181347514f0cc11c3ab4a3e19864df4eec0..1892d29ec9f87d3b3f955ff8df6b154961fbce36 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -800,9 +800,6 @@ class DNSRecord(Str):
 if value is None:
 return
 
-if value is None:
-return
-
 if not self.supported:
 return _('DNS RR type "%s" is not supported by bind-dyndb-ldap plugin') \
  % self.rrtype
diff --git a/ipatests/i18n.py b/ipatests/i18n.py
index a83c5806ef8ceaf011ec54db18d0222769bad1b1..368712599063c3281b95bf46e48dea924fc7999e 100755
--- a/ipatests/i18n.py
+++ b/ipatests/i18n.py
@@ -755,7 +755,7 @@ def main():
 print('ERROR: no mode specified', file=sys.stderr)
 return 1
 
-if options.mode == 'validate_pot' or options.mode == 'validate_po':
+if options.mode in ('validate_pot', 'validate_po'):
 if options.mode == 'validate_pot':
 files = args
 if not files:
@@ -795,7 +795,7 @@ def main():
 else:
 return 0
 
-elif options.mode == 'create_test' or 'test_gettext':
+elif options.mode in ('create_test', 'test_gettext'):
 po_file = '%s.po' % options.test_lang
 pot_file = options.pot_file
 
-- 
2.5.0

From cdcf6dd18a7edd75e4dd4940aaaf55e3c961e3c0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:01:43 +0100
Subject: [PATCH 2/9] Wrong assert

Coverity #13529
---
 ipapython/dnssec/ldapkeydb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
index 55c09c040a1790569924f506f520b8327775ee7c..aa04139348a42910ed20db5189db70e262c1d5c1 100644
--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
@@ -288,7 +288,7 @@ class LdapKeyDB(AbstractHSM):
 for attr in default_attrs:
 key.setdefault(attr, default_attrs[attr])
 
-assert 'ipk11id' in o, 'key is missing ipk11Id in %s' % key.entry.dn
+assert 'ipk11id' in key, 'key is missing ipk11Id in %s' % key.entry.dn
 key_id = key['ipk11id']
 assert key_id not in keys, 'duplicate ipk11Id=0x%s in "%s" and "%s"' % (hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
 assert 'ipk11label' in key, 'key "%s" is missing ipk11Label' % key.entry.dn
-- 
2.5.0

From 575fddf988cfce082c310973fa46d98a9476587c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:03:11 +0100
Subject: [PATCH 3/9] Searching for an attribute in a wrong object

Coverity #13530
---
 ipalib/plugins/permission.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 2312008fa6db646dd4e3e9598daf7ea48c867337..9c64fdf5f6a867a4eab1ccfcdba663d5e1214f08 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -473,7 +473,7 @@ class permission(baseldap.LDAPObject):
 
 if old_client:
 for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
-if new_name in entry:
+if new_name in rights:
 rights[old_name] = rights[new_name]
 del rights[new_name]
 
-- 
2.5.0

From 996de9aeb91d3ee53a0036ef35358290a2be30da Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 29 Jan 2016 09:08:19 +0100
Subject: [PATCH 4/9] Class attribute 'type' should be used instead

Coverity #13531
---
 ipalib/parameters.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index e46068c96564d9fad61cbc75b8fe4f8f40cca98b..8d174ebec28bc0e3b2762c5d8dc1d99c041c54c9 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -482,7 +482,7 @@ 

Re: [Freeipa-devel] [PATCH 0030] Modernize mod_nss's cipher suites

2016-01-29 Thread Martin Basti



On 29.01.2016 14:42, Christian Heimes wrote:

On 2016-01-28 09:47, Martin Basti wrote:


On 22.01.2016 12:32, Martin Kosek wrote:

On 01/21/2016 04:21 PM, Christian Heimes wrote:

The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
has been modernized. Insecure or less secure algorithms such as RC4,
DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
ECDH key exchange have been added. IE 8 on Windows XP is no longer
supported.

The list of enabled cipher suites has been generated with the script
contrib/nssciphersuite/nssciphersuite.py.

The supported suites are currently:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA

https://fedorahosted.org/freeipa/ticket/5589

Thanks for the patch! I updated the ticket to make sure this change is
release notes.


Hello,

I'm not sure if I'm the right person to do review on this, but I will
try :-)

1)
Your patch adds whitespace error

Applying: Modernize mod_nss's cipher suites
/home/mbasti/work/freeipa-devel/.git/rebase-apply/patch:52: new blank
line at EOF.
+
warning: 1 line adds whitespace errors.


2)
+import urllib.request  # pylint: disable=E0611

Please specify pylint disabled check by name

3)
+def update_mod_nss_cipher_suite(http):

in this upgrade, is there any possibility that ciphers might be upgraded
again in future? (IMO yes).

I think, it can be better to store revision of change instead of boolean

LAST_REVISION =  1

if revision >= LAST_REVISION:
 return

sysupgrade.set_upgrade_state('nss.conf', 'cipher_suite_revision',
LAST_REVISION)

Thanks for the review. I have addressed the problems. Instead of a
revision number I'm using a date string. The sysupgrade module only
stores str and bool. With a date-based revision it's easy to see when
the cipher suite was checked last time.

Christian



Thanks

1) Pylint :-)
+with urllib.request.urlopen(SOURCE) as r:  # pylint: disable=E1101

2)
+if revision == httpinstance.NSS_CIPHER_REVISION:

may happen a case where just comparation with '==' can cause a issues 
(docker world)? Should not be there rather '>='?


3)
+root_logger.info("Cipher suite already updated")

Sorry that I did not noticed earlier, this should be just debug level, 
IMO this message is not so important, it will cause only mess on output 
(we already have plenty of unneeded info messages in upgrade, they will 
be fixed once)


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

2016-01-29 Thread Martin Babinsky

On 01/29/2016 12:48 PM, Lukas Slebodnik wrote:

On (29/01/16 12:17), Martin Kosek wrote:

On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:

ehlo,

the first patch is very simple and it just suppress warning.
The second patch is either bug or dead code. I fixed it as a bug.
I'm not sure how to test 2nd patch.

LS


Thanks. But isn't this the code generated by asn1 tool? Maybe it would be
better to fix the tool, or maybe regenerate it with a newer version of the
tool? Otherwise the improvements will get lost.


As you wish.

Updated patch is attached.

LS




Hi Lukas,

I have done testing with the skeleton code generated by asn1c 9.27 in 
the past. While it did fix some of the issues reported by the static 
analyzer, it also introduced plenty of new ones that were not there before.


I was planning to check this out with the guy from upstream 
https://github.com/vlm/asn1c but the priority of the tasks was 
overshadowed by more important stuff.


We can consult our issues with him if you wish.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation

2016-01-29 Thread Oleg Fayans
Hi,

On 01/29/2016 01:44 PM, Martin Basti wrote:
> 
> 
> On 29.01.2016 13:24, Oleg Fayans wrote:
>> Hi Martin,
>>
>> On 01/29/2016 10:33 AM, Martin Basti wrote:
>>>
>>> On 21.01.2016 12:59, Oleg Fayans wrote:

>>> Hello,
>>>
>>> 1)
>>> I'm not sure if it is bug or it is related to this patch, but there is
>>> missing symetry in test_caless, I see there apply fixes but not
>>> unapply_fixes
>> test_caless is currently worked at, the patch containing a lot of
>> changes is on it's way, so the current version of this file can be
>> ignored.
> ok
>>
>>> ipatests/ipa-test-task:378:tasks.unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
>>> ipatests/test_integration/tasks.py:646:unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:654:unapply_fixes(host)
>>> ipatests/test_integration/tasks.py:997:unapply_fixes(replica)
>>> ipatests/test_integration/test_legacy_clients.py:373:
>>> tasks.unapply_fixes(cls.legacy_client)
>>>
>>>
>>> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
>>> fix_resolv=True):
>>> ipatests/test_integration/tasks.py:269:apply_common_fixes(host,
>>> fix_resolv=False)
>>> ipatests/test_integration/tasks.py:320:apply_common_fixes(replica)
>>> ipatests/test_integration/tasks.py:386:apply_common_fixes(client)
>>> ipatests/test_integration/test_caless.py:101:
>>> tasks.apply_common_fixes(host)
>>> ipatests/test_integration/test_legacy_clients.py:361:
>>> tasks.apply_common_fixes(cls.legacy_client)
>>
>>> 2)
>>> IMO unapply_fixes is called twice for replica uninstall
>>>
>>>   uninstall_master(replica)
>>> +unapply_fixes(replica)
>>>
>>> uninstall_master calls unapply_fixes() too
>> right. Fixed
>>
>>> 3)
>>> what is purpose of prepare_host? I saw it used only in
>>> test_forced_client_reenrollment.py
>> The purpose is to create a testing folder that contains the host
>> configuration file env.sh and system file backups
>>
>> The problem was that unapply_common_fixes removed the testing directory.
>> If you then wanted to re-install master within the same test execution,
>> it would fail at the attempt to backup system files (as part of
>> apply_common_fixes, see backup_file method in tasks.py - line that does
>> mkdir_recursive)
> ok
>>
>>> Which test was failing?
>> Test_replica_promotion.py (not merged yet)
>> And basically any test that includes more than one
>> installation-uninstallation cycle would be affected
> I didn't noticed yet

That's because so far all our integration tests implied only one such
cycle. But that does not mean we should restrict ourselves to this
pattern :)

>>
>>> 4)
>>> in test_forced_client_reenrollment.py there is direct call of
>>> prepare_host, but this is also install_client that calls prepare_host
>>> too (added by your patch)
>> We can remove prepare_host call from test_client_reenrollment. Do you
>> think I should do it in the same patch, or in a separate one?
> In this patch please.

Done

>>> Martin
> 

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 544cc777231120da488728787f3756788844cf3b Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 29 Jan 2016 13:47:20 +0100
Subject: [PATCH] Enabled recreation of test directory in apply_common_fixes
 function

Without it any test comprized of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.

Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
---
 ipatests/test_integration/tasks.py   | 2 +-
 ipatests/test_integration/test_forced_client_reenrollment.py | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index a1d6cb88a1bfe2ac8c2fae9d758da726a5536ce2..27d2449ec71e0bf55a576cc495175a5ae41da1d6 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -94,6 +94,7 @@ def apply_common_fixes(host, fix_resolv=True):
 modify_nm_resolv_conf_settings(host)
 if fix_resolv:
 fix_resolv_conf(host)
+prepare_host(host)
 
 
 def backup_file(host, filename):
@@ -348,7 +349,6 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 '--forwarder', replica.config.dns_forwarder
 ])
 if domainlevel(master) == DOMAIN_LEVEL_0:
-apply_common_fixes(replica)
 # prepare the replica file on master and put it to replica, AKA "old way"
 replica_prepare(master, replica)
 replica_filename = get_replica_filename(replica)
diff --git a/ipatests/test_integration/test_forced_client_reenrollment.py b/ipatests/test_integration/test_forced_client_reenrollment.py
index df0e90526c5c8dd78d3af9d7ddb7c9bdbf5a2268..d430a98e74450f44eac286ac0ad35a5aee7cc602 100644
--- a/ipatests/test_integration/test_forced_client_reenrollment.py
+++ 

[Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4

2016-01-29 Thread Lukas Slebodnik
ehlo,

attached patch shoudl fix build on fedora-24.
It blocks static analysis scan.

Even though it unblock build on fedora-24
the solution is not ideal. It's possible that some changes
need to be done in samba side as well.
(missing prototypes for trim_string, smb_xstrdup

LS
>From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 29 Jan 2016 10:40:18 +0100
Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4

samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"

Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so

sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
00022200 gDF .text  001f  SAMBA_UTIL_0.0.1 smb_xstrdup
000223b0 gDF .text  019d  SAMBA_UTIL_0.0.1 trim_string

ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
  [-Wimplicit-function-declaration]
  TALLOC_CTX *tmp_ctx = talloc_stackframe();
^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
  [-Wimplicit-function-declaration]
  trim_string( uri, "\"", "\"" );
  ^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
   [-Wimplicit-function-declaration]
  ldap_state->domain_dn = smb_xstrdup(dn);
  ^
---
 daemons/ipa-sam/ipa_sam.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 
7274d600b532f101e8a614a47eea7632ed70..871775b0a19e9c273652ff7a0b497d86bb866aa6
 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -19,6 +19,12 @@
 #include 
 #include 
 #include 
+#include 
+
+#ifndef _SAMBA_UTIL_H_
+bool trim_string(char *s, const char *front, const char *back);
+char *smb_xstrdup(const char *s);
+#endif
 
 #include 
 #include 
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0411] upgrade: log to ipaupgrade.log if ipa is not installed

2016-01-29 Thread Martin Kosek
On 01/29/2016 10:48 AM, Martin Basti wrote:
> Missing record in ipaupgrade.log that upgrade failed because IPA is not
> installed, causes harder time to debugging upgrade from log.
> 
> Patch attached.

I am thinking that in these general catch-all clauses, it could be also useful
to print the stack trace in the DEBUG log, especially for the cases when the
exception is re-raised to some general one, like here:

try:
data_upgrade.create_instance()
...
except RuntimeError:
raise RuntimeError('IPA upgrade failed.', 1)

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation

2016-01-29 Thread Martin Basti



On 29.01.2016 11:10, Petr Spacek wrote:

On 29.1.2016 10:43, Martin Basti wrote:


On 25.01.2016 13:29, Martin Basti wrote:


On 23.01.2016 10:34, Petr Spacek wrote:

On 22.1.2016 17:47, Martin Basti wrote:

-# make BIND happy, and delegate zone which contains A record of
master
+# make BIND happy: add the glue record and delegate zone
+args = [
+"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
+"--a-rec=" + self.master.ip
+]
+self.master.run_command(args)
+time.sleep(10)  # sleep a bit until data are provided by
bind-dyndb-ldap
+

LGTM, ACK. In the worst case it will not fix the test :-)


Pushed to:
ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8
master: cdf08a0a869f83a6111d9560b69c582d2c04f89c


Here is better fix that should actually work in lab :)
patch attached

ACK


Pushed to:
master: c5076452d6332284d11bae932ebac1464fe2578a
ipa-4-3: 2eece8c16ae460db8b1f9e4019612128af399bf7

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH] extdom: Remove unused macro

2016-01-29 Thread Lukas Slebodnik
ehlo,

Last usage of the macro SSSD_SYSDB_SID_STR was removed
in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3

LS
>From 8f7818fb1efc1a224ddf7360d8c7bf6bd36da852 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 29 Jan 2016 13:08:07 +0100
Subject: [PATCH 4/4] extdom: Remove unused macro

Last usage of the macre SSSD_SYSDB_SID_STR was removed
in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
f5905c78e5f6eb635fcd0acf0afeda3bdb3b9baa..445624f3986944d3469214fe9c7b34ce7d9b36d1
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -489,8 +489,6 @@ int pack_ber_sid(const char *sid, struct berval **berval)
 return LDAP_SUCCESS;
 }
 
-#define SSSD_SYSDB_SID_STR "objectSIDString"
-
 int pack_ber_user(struct ipa_extdom_ctx *ctx,
   enum response_types response_type,
   const char *domain_name, const char *user_name,
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation

2016-01-29 Thread Oleg Fayans
Hi Martin,

On 01/29/2016 10:33 AM, Martin Basti wrote:
> 
> 
> On 21.01.2016 12:59, Oleg Fayans wrote:
>>
>>
> Hello,
> 
> 1)
> I'm not sure if it is bug or it is related to this patch, but there is
> missing symetry in test_caless, I see there apply fixes but not
> unapply_fixes

test_caless is currently worked at, the patch containing a lot of
changes is on it's way, so the current version of this file can be ignored.

> 
> ipatests/ipa-test-task:378:tasks.unapply_fixes(host)
> ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
> ipatests/test_integration/tasks.py:646:unapply_fixes(host)
> ipatests/test_integration/tasks.py:654:unapply_fixes(host)
> ipatests/test_integration/tasks.py:997:unapply_fixes(replica)
> ipatests/test_integration/test_legacy_clients.py:373:   
> tasks.unapply_fixes(cls.legacy_client)
> 
> 
> ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
> fix_resolv=True):
> ipatests/test_integration/tasks.py:269:apply_common_fixes(host,
> fix_resolv=False)
> ipatests/test_integration/tasks.py:320:apply_common_fixes(replica)
> ipatests/test_integration/tasks.py:386:apply_common_fixes(client)
> ipatests/test_integration/test_caless.py:101:   
> tasks.apply_common_fixes(host)
> ipatests/test_integration/test_legacy_clients.py:361:   
> tasks.apply_common_fixes(cls.legacy_client)


> 
> 2)
> IMO unapply_fixes is called twice for replica uninstall
> 
>  uninstall_master(replica)
> +unapply_fixes(replica)
> 
> uninstall_master calls unapply_fixes() too

right. Fixed

> 
> 3)
> what is purpose of prepare_host? I saw it used only in
> test_forced_client_reenrollment.py

The purpose is to create a testing folder that contains the host
configuration file env.sh and system file backups

The problem was that unapply_common_fixes removed the testing directory.
If you then wanted to re-install master within the same test execution,
it would fail at the attempt to backup system files (as part of
apply_common_fixes, see backup_file method in tasks.py - line that does
mkdir_recursive)

> Which test was failing?

Test_replica_promotion.py (not merged yet)
And basically any test that includes more than one
installation-uninstallation cycle would be affected

> 
> 4)
> in test_forced_client_reenrollment.py there is direct call of
> prepare_host, but this is also install_client that calls prepare_host
> too (added by your patch)

We can remove prepare_host call from test_client_reenrollment. Do you
think I should do it in the same patch, or in a separate one?

> 
> Martin

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6965ed7788d0c7382d6036dd87da12aac1a5833d Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 29 Jan 2016 13:19:24 +0100
Subject: [PATCH] Enabled recreation of test directory in apply_common_fixes
 function

Without it any test comprized of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.

Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
---
 ipatests/test_integration/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index a1d6cb88a1bfe2ac8c2fae9d758da726a5536ce2..27d2449ec71e0bf55a576cc495175a5ae41da1d6 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -94,6 +94,7 @@ def apply_common_fixes(host, fix_resolv=True):
 modify_nm_resolv_conf_settings(host)
 if fix_resolv:
 fix_resolv_conf(host)
+prepare_host(host)
 
 
 def backup_file(host, filename):
@@ -348,7 +349,6 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 '--forwarder', replica.config.dns_forwarder
 ])
 if domainlevel(master) == DOMAIN_LEVEL_0:
-apply_common_fixes(replica)
 # prepare the replica file on master and put it to replica, AKA "old way"
 replica_prepare(master, replica)
 replica_filename = get_replica_filename(replica)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

2016-01-29 Thread Lukas Slebodnik
On (29/01/16 13:06), Martin Babinsky wrote:
>On 01/29/2016 12:48 PM, Lukas Slebodnik wrote:
>>On (29/01/16 12:17), Martin Kosek wrote:
>>>On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
ehlo,

the first patch is very simple and it just suppress warning.
The second patch is either bug or dead code. I fixed it as a bug.
I'm not sure how to test 2nd patch.

LS
>>>
>>>Thanks. But isn't this the code generated by asn1 tool? Maybe it would be
>>>better to fix the tool, or maybe regenerate it with a newer version of the
>>>tool? Otherwise the improvements will get lost.
>>>
>>As you wish.
>>
>>Updated patch is attached.
>>
>>LS
>>
>>
>>
>Hi Lukas,
>
>I have done testing with the skeleton code generated by asn1c 9.27 in the
>past. While it did fix some of the issues reported by the static analyzer, it
>also introduced plenty of new ones that were not there before.
>
What kind of issues?

Were problems in genrated code or in tepmplate?

Which tests did you use?

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation

2016-01-29 Thread Martin Basti



On 29.01.2016 13:50, Oleg Fayans wrote:

Hi,

On 01/29/2016 01:44 PM, Martin Basti wrote:


On 29.01.2016 13:24, Oleg Fayans wrote:

Hi Martin,

On 01/29/2016 10:33 AM, Martin Basti wrote:

On 21.01.2016 12:59, Oleg Fayans wrote:
Hello,

1)
I'm not sure if it is bug or it is related to this patch, but there is
missing symetry in test_caless, I see there apply fixes but not
unapply_fixes

test_caless is currently worked at, the patch containing a lot of
changes is on it's way, so the current version of this file can be
ignored.

ok

ipatests/ipa-test-task:378:tasks.unapply_fixes(host)
ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
ipatests/test_integration/tasks.py:646:unapply_fixes(host)
ipatests/test_integration/tasks.py:654:unapply_fixes(host)
ipatests/test_integration/tasks.py:997:unapply_fixes(replica)
ipatests/test_integration/test_legacy_clients.py:373:
tasks.unapply_fixes(cls.legacy_client)


ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
fix_resolv=True):
ipatests/test_integration/tasks.py:269:apply_common_fixes(host,
fix_resolv=False)
ipatests/test_integration/tasks.py:320:apply_common_fixes(replica)
ipatests/test_integration/tasks.py:386:apply_common_fixes(client)
ipatests/test_integration/test_caless.py:101:
tasks.apply_common_fixes(host)
ipatests/test_integration/test_legacy_clients.py:361:
tasks.apply_common_fixes(cls.legacy_client)
2)
IMO unapply_fixes is called twice for replica uninstall

   uninstall_master(replica)
+unapply_fixes(replica)

uninstall_master calls unapply_fixes() too

right. Fixed


3)
what is purpose of prepare_host? I saw it used only in
test_forced_client_reenrollment.py

The purpose is to create a testing folder that contains the host
configuration file env.sh and system file backups

The problem was that unapply_common_fixes removed the testing directory.
If you then wanted to re-install master within the same test execution,
it would fail at the attempt to backup system files (as part of
apply_common_fixes, see backup_file method in tasks.py - line that does
mkdir_recursive)

ok

Which test was failing?

Test_replica_promotion.py (not merged yet)
And basically any test that includes more than one
installation-uninstallation cycle would be affected

I didn't noticed yet

That's because so far all our integration tests implied only one such
cycle. But that does not mean we should restrict ourselves to this
pattern :)


4)
in test_forced_client_reenrollment.py there is direct call of
prepare_host, but this is also install_client that calls prepare_host
too (added by your patch)

We can remove prepare_host call from test_client_reenrollment. Do you
think I should do it in the same patch, or in a separate one?

In this patch please.

Done


Martin


ACK

Pushed to:
master: b23fea76608a7d820062d1e30f06b99adeaab0ee
ipa-4-3: 8952367cca62c3c8d340a44d59ffddc16a8ff8fd

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [TEST][Patch 0021] Fixed recent replica installation issues in the lab

2016-01-29 Thread Petr Spacek
On 27.1.2016 11:16, Oleg Fayans wrote:
> Sorry, trailing whitespace detected. This version passes lint
> 
> On 01/27/2016 09:23 AM, Oleg Fayans wrote:
>> > Hi,
>> > 
>> > On 01/21/2016 04:41 PM, Petr Spacek wrote:
>>> >> Hello,
>>> >>
>>> >> On 21.1.2016 13:42, Oleg Fayans wrote:
 >>> freeipa-ofayans-0021-Removed-ip-address-option-from-replica-installation.patch
 >>>
 >>>
 >>> From d7ab06a4dcddb919fda351b983d478f1b6968578 Mon Sep 17 00:00:00 2001
 >>> From: Oleg Fayans 
 >>> Date: Thu, 21 Jan 2016 13:30:02 +0100
 >>> Subject: [PATCH] Removed --ip-address option from replica installation
 >>>
 >>> Explicitly specifying ip-address of the replica messes up with the 
 >>> current
 >>> bind-dyndb-ldap logic, causing reverse zone not to be created.
 >>>
 >>> Enabled reverse-zone creation for the clients residing in different 
 >>> subnet from
 >>> master
 >>> ---
 >>>  ipatests/test_integration/tasks.py | 19 ---
 >>>  1 file changed, 12 insertions(+), 7 deletions(-)
 >>>
 >>> diff --git a/ipatests/test_integration/tasks.py 
 >>> b/ipatests/test_integration/tasks.py
 >>> index 
 >>> 6eb55501389c72b4c7aaa599fd4852d7e8f1f3c2..43ef78b0c55deed24a0444f0ac6c38ddb2517481
 >>>  100644
 >>> --- a/ipatests/test_integration/tasks.py
 >>> +++ b/ipatests/test_integration/tasks.py
 >>> @@ -69,6 +69,8 @@ def prepare_reverse_zone(host, ip):
 >>>  host.run_command(["ipa",
 >>>"dnszone-add",
 >>>zone], raiseonerr=False)
 >>> +return zone
 >>> +
 >>>  
 >>>  def prepare_host(host):
 >>>  if isinstance(host, Host):
 >>> @@ -319,11 +321,8 @@ def domainlevel(host):
 >>>  def replica_prepare(master, replica):
 >>>  apply_common_fixes(replica)
 >>>  fix_apache_semaphores(replica)
 >>> -prepare_reverse_zone(master, replica.ip)
 >>> -master.run_command(['ipa-replica-prepare',
 >>> -'-p', replica.config.dirman_password,
 >>> -'--ip-address', replica.ip,
 >>> -replica.hostname])
 >>> +master.run_command(['ipa-replica-prepare', '-p', 
 >>> replica.config.dirman_password,
 >>> +'--auto-reverse', replica.hostname])
>>> >>
>>> >> I guess that you will need --ip-address option in cases where master's 
>>> >> reverse
>>> >> record does not exist (yet).
>> > And yo were right. Fixed
>> > 
>>> >>
>>> >> I would recommend you to test this in libvirt or somewhere without revere
>>> >> records, I suspect that it might blow up.
>>> >>
 >>>  replica_bundle = master.get_file_contents(
 >>>  paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
 >>>  replica_filename = get_replica_filename(replica)
 >>> @@ -339,8 +338,7 @@ def install_replica(master, replica, 
 >>> setup_ca=True, setup_dns=False,
 >>>  # and replica installation would fail
 >>>  args = ['ipa-replica-install', '-U',
 >>>  '-p', replica.config.dirman_password,
 >>> -'-w', replica.config.admin_password,
 >>> -'--ip-address', replica.ip]
 >>> +'-w', replica.config.admin_password]
 >>>  if setup_ca:
 >>>  args.append('--setup-ca')
 >>>  if setup_dns:
 >>> @@ -380,6 +378,13 @@ def install_client(master, client, extra_args=()):
 >>>  client.collect_log(paths.IPACLIENT_INSTALL_LOG)
 >>>  
 >>>  apply_common_fixes(client)
 >>> +# Now, for the situations where a client resides in a different 
 >>> subnet from
 >>> +# master, we need to explicitly tell master to create a reverse 
 >>> zone for
 >>> +# the client and enable dynamic updates for this zone.
 >>> +allow_sync_ptr(master)
 >>> +zone = prepare_reverse_zone(master, client.ip)
 >>> +master.run_command(["ipa", "dnszone-mod", zone,
 >>> +"--dynamic-update=TRUE"], raiseonerr=False)
>>> >>
>>> >> I'm not a big fan of ignoring exceptions here, it might be better to
>>> >> encapsulate the first command with try: except: and run the zone-mod 
>>> >> only if
>>> >> the add worked as expected.
>>> >>
>>> >> Also, logging an message that reverse zone was not added might be a good 
>>> >> idea.
>> > Agreed. Done.
>> > 
>>> >>
>>> >> HTH
>>> >>
>>> >> Petr^2 Spacek
>>> >>
>>> >>
 >>>  
 >>>  client.run_command(['ipa-client-install', '-U',
 >>>  '--domain', client.domain.name,
>>> >>
>> > 
>> > 
>> > 
> -- Oleg Fayans Quality Engineer FreeIPA team RedHat.
> 
> 
> freeipa-ofayans-0021.2-Removed-ip-address-option-from-replica-installation.patch
> 
> 
> From e70daf4ed9dfbac7e8ea75cb8e9ab0f2af12ad48 Mon Sep 17 00:00:00 2001
> From: Oleg Fayans 
> Date: Wed, 27 

Re: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4

2016-01-29 Thread Lukas Slebodnik
On (29/01/16 12:12), Lukas Slebodnik wrote:
>ehlo,
>
>attached patch shoudl fix build on fedora-24.
>It blocks static analysis scan.
>
>Even though it unblock build on fedora-24
>the solution is not ideal. It's possible that some changes
>need to be done in samba side as well.
>(missing prototypes for trim_string, smb_xstrdup
>
>LS

BTW there is also another issue in IPA-SAM.
The value of macro LDAP_PAGE_SIZE has changed
and therefore there is a warning.

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024
 ^
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the 
previous definition
 #define LDAP_PAGE_SIZE 1000

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

2016-01-29 Thread Lukas Slebodnik
On (29/01/16 12:17), Martin Kosek wrote:
>On 01/29/2016 12:15 PM, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> the first patch is very simple and it just suppress warning.
>> The second patch is either bug or dead code. I fixed it as a bug.
>> I'm not sure how to test 2nd patch.
>> 
>> LS
>
>Thanks. But isn't this the code generated by asn1 tool? Maybe it would be
>better to fix the tool, or maybe regenerate it with a newer version of the
>tool? Otherwise the improvements will get lost.
>
As you wish.

Updated patch is attached.

LS
>From 47ca1fddb778c9aa68fb82f70458364a77d66aea Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 29 Jan 2016 12:44:19 +0100
Subject: [PATCH 2/2] ASN1: Regenerate code with new tool asn1c-0.9.27

asn1c-0.9.27 generates code without compiler warning
and fixes dead-code/bug

constr_SET_OF.c: In function 'SET_OF_decode_uper':
constr_SET_OF.c:907:18: warning: cast from pointer to integer of different size 
[-Wpointer-to-int-cast]
 (int)nelems, (int)ct ? ct->effective_bits : -1);
  ^
constr_SET_OF.c:924:5: warning: statement with no effect [-Wunused-value]
 rv.code == RC_FAIL;
 ^
---
 asn1/asn1c/BIT_STRING.c   |   9 +-
 asn1/asn1c/GKCurrentKeys.c|   6 +-
 asn1/asn1c/GKCurrentKeys.h|   3 +-
 asn1/asn1c/GKNewKeys.c|  12 +-
 asn1/asn1c/GKNewKeys.h|   3 +-
 asn1/asn1c/GKReply.c  |   8 +-
 asn1/asn1c/GKReply.h  |   3 +-
 asn1/asn1c/GetKeytabControl.c |  10 +-
 asn1/asn1c/GetKeytabControl.h |   3 +-
 asn1/asn1c/INTEGER.c  | 466 +-
 asn1/asn1c/INTEGER.h  |  17 ++
 asn1/asn1c/Int32.c|   7 +-
 asn1/asn1c/Int32.h|   3 +-
 asn1/asn1c/KrbKey.c   |  10 +-
 asn1/asn1c/KrbKey.h   |   3 +-
 asn1/asn1c/NativeEnumerated.c |  11 +-
 asn1/asn1c/NativeInteger.c|  32 ++-
 asn1/asn1c/OCTET_STRING.c | 449 +++-
 asn1/asn1c/OCTET_STRING.h |   8 +-
 asn1/asn1c/TypeValuePair.c|   8 +-
 asn1/asn1c/TypeValuePair.h|   3 +-
 asn1/asn1c/asn_codecs.h   |   4 +-
 asn1/asn1c/asn_codecs_prim.c  |  43 ++--
 asn1/asn1c/asn_internal.h |  27 ++-
 asn1/asn1c/asn_system.h   |  35 +++-
 asn1/asn1c/ber_decoder.c  |   2 +-
 asn1/asn1c/ber_decoder.h  |   1 +
 asn1/asn1c/constr_CHOICE.c|  70 ---
 asn1/asn1c/constr_SEQUENCE.c  | 253 +++
 asn1/asn1c/constr_SET_OF.c|  17 +-
 asn1/asn1c/der_encoder.h  |   1 +
 asn1/asn1c/per_decoder.c  |  38 
 asn1/asn1c/per_decoder.h  |  14 +-
 asn1/asn1c/per_encoder.c  | 136 
 asn1/asn1c/per_encoder.h  |  24 ++-
 asn1/asn1c/per_opentype.c | 378 ++
 asn1/asn1c/per_opentype.h |  22 ++
 asn1/asn1c/per_support.c  | 207 +--
 asn1/asn1c/per_support.h  |  38 +++-
 asn1/asn1c/xer_decoder.c  |  14 +-
 asn1/asn1c/xer_decoder.h  |   7 +-
 41 files changed, 1931 insertions(+), 474 deletions(-)
 create mode 100644 asn1/asn1c/per_opentype.c
 create mode 100644 asn1/asn1c/per_opentype.h

diff --git a/asn1/asn1c/BIT_STRING.c b/asn1/asn1c/BIT_STRING.c
index 
6469d4fd2c8782048e228c19e67950f3b2dc1305..9b9827127b7ba438676630efef975e0e80ac45aa
 100644
--- a/asn1/asn1c/BIT_STRING.c
+++ b/asn1/asn1c/BIT_STRING.c
@@ -15,7 +15,7 @@ static ber_tlv_tag_t asn_DEF_BIT_STRING_tags[] = {
 static asn_OCTET_STRING_specifics_t asn_DEF_BIT_STRING_specs = {
sizeof(BIT_STRING_t),
offsetof(BIT_STRING_t, _asn_ctx),
-   1,  /* Special indicator that this is a BIT STRING type */
+   ASN_OSUBV_BIT
 };
 asn_TYPE_descriptor_t asn_DEF_BIT_STRING = {
"BIT STRING",
@@ -50,14 +50,15 @@ BIT_STRING_constraint(asn_TYPE_descriptor_t *td, const void 
*sptr,
const BIT_STRING_t *st = (const BIT_STRING_t *)sptr;
 
if(st && st->buf) {
-   if(st->size == 1 && st->bits_unused) {
-   _ASN_CTFAIL(app_key, td,
+   if((st->size == 0 && st->bits_unused)
+   || st->bits_unused < 0 || st->bits_unused > 7) {
+   _ASN_CTFAIL(app_key, td, sptr,
"%s: invalid padding byte (%s:%d)",
td->name, __FILE__, __LINE__);
return -1;
}
} else {
-   _ASN_CTFAIL(app_key, td,
+   _ASN_CTFAIL(app_key, td, sptr,
"%s: value not given (%s:%d)",
td->name, __FILE__, __LINE__);
return -1;
diff --git a/asn1/asn1c/GKCurrentKeys.c b/asn1/asn1c/GKCurrentKeys.c
index 
abcc53130d64259d0f2947b04412b4b769bb4360..bc7c1aacabdad433abeab83ddb43ba405aaff14b
 100644
--- a/asn1/asn1c/GKCurrentKeys.c
+++ b/asn1/asn1c/GKCurrentKeys.c
@@ -1,12 +1,10 @@
 /*
- * Generated by asn1c-0.9.21 (http://lionet.info/asn1c)
+ * Generated by asn1c-0.9.27 (http://lionet.info/asn1c)
  * From ASN.1 

Re: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation

2016-01-29 Thread Martin Basti



On 29.01.2016 13:24, Oleg Fayans wrote:

Hi Martin,

On 01/29/2016 10:33 AM, Martin Basti wrote:


On 21.01.2016 12:59, Oleg Fayans wrote:



Hello,

1)
I'm not sure if it is bug or it is related to this patch, but there is
missing symetry in test_caless, I see there apply fixes but not
unapply_fixes

test_caless is currently worked at, the patch containing a lot of
changes is on it's way, so the current version of this file can be ignored.

ok



ipatests/ipa-test-task:378:tasks.unapply_fixes(host)
ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
ipatests/test_integration/tasks.py:646:unapply_fixes(host)
ipatests/test_integration/tasks.py:654:unapply_fixes(host)
ipatests/test_integration/tasks.py:997:unapply_fixes(replica)
ipatests/test_integration/test_legacy_clients.py:373:
tasks.unapply_fixes(cls.legacy_client)


ipatests/test_integration/tasks.py:91:def apply_common_fixes(host,
fix_resolv=True):
ipatests/test_integration/tasks.py:269:apply_common_fixes(host,
fix_resolv=False)
ipatests/test_integration/tasks.py:320:apply_common_fixes(replica)
ipatests/test_integration/tasks.py:386:apply_common_fixes(client)
ipatests/test_integration/test_caless.py:101:
tasks.apply_common_fixes(host)
ipatests/test_integration/test_legacy_clients.py:361:
tasks.apply_common_fixes(cls.legacy_client)



2)
IMO unapply_fixes is called twice for replica uninstall

  uninstall_master(replica)
+unapply_fixes(replica)

uninstall_master calls unapply_fixes() too

right. Fixed


3)
what is purpose of prepare_host? I saw it used only in
test_forced_client_reenrollment.py

The purpose is to create a testing folder that contains the host
configuration file env.sh and system file backups

The problem was that unapply_common_fixes removed the testing directory.
If you then wanted to re-install master within the same test execution,
it would fail at the attempt to backup system files (as part of
apply_common_fixes, see backup_file method in tasks.py - line that does
mkdir_recursive)

ok



Which test was failing?

Test_replica_promotion.py (not merged yet)
And basically any test that includes more than one
installation-uninstallation cycle would be affected

I didn't noticed yet



4)
in test_forced_client_reenrollment.py there is direct call of
prepare_host, but this is also install_client that calls prepare_host
too (added by your patch)

We can remove prepare_host call from test_client_reenrollment. Do you
think I should do it in the same patch, or in a separate one?

In this patch please.

Martin


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

2016-01-29 Thread Lukas Slebodnik
ehlo,

the first patch is very simple and it just suppress warning.
The second patch is either bug or dead code. I fixed it as a bug.
I'm not sure how to test 2nd patch.

LS
>From 49b9cd2f037f52d5095acc0d05ee1684ebb6a121 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 29 Jan 2016 11:52:08 +0100
Subject: [PATCH 2/3] ASN1: Fix warning Wpointer-to-int-cast

The cast operator "()" has higher priority then ternary
operator "?:" and therefore the first argument of ternary operator
(pointer) was cast to "int" and then interpreted as boolean value.

I think we wanted to cast value of ternary operator to type int.
However it's not necesary becuase both of branches has type int.
---
 asn1/asn1c/constr_SET_OF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/asn1/asn1c/constr_SET_OF.c b/asn1/asn1c/constr_SET_OF.c
index 
09f27db53dada6869accd8dbb3aba0f56b49e00b..312cfc2e91d3cc710bc26a12322828c00e400b9b
 100644
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
@@ -904,7 +904,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, 
asn_TYPE_descriptor_t *td,
nelems = uper_get_length(pd,
ct ? ct->effective_bits : -1, );
ASN_DEBUG("Got to decode %d elements (eff %d)",
-   (int)nelems, (int)ct ? ct->effective_bits : -1);
+   (int)nelems, ct ? ct->effective_bits : -1);
if(nelems < 0) _ASN_DECODE_STARVED;
}
 
-- 
2.5.0

>From fae6c79b65be4b21859f703dbcb7cfbb20286070 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 29 Jan 2016 11:56:23 +0100
Subject: [PATCH 3/3] ASN1: Fix warning Wunused-value

There was used operator "equal to" but there should be
an assignment.
---
 asn1/asn1c/constr_SET_OF.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/asn1/asn1c/constr_SET_OF.c b/asn1/asn1c/constr_SET_OF.c
index 
312cfc2e91d3cc710bc26a12322828c00e400b9b..0d5efa4f83c189887822f4012fd2a500faf04ae4
 100644
--- a/asn1/asn1c/constr_SET_OF.c
+++ b/asn1/asn1c/constr_SET_OF.c
@@ -921,7 +921,7 @@ SET_OF_decode_uper(asn_codec_ctx_t *opt_codec_ctx, 
asn_TYPE_descriptor_t *td,
ASN_DEBUG("Failed to add element into %s",
td->name);
/* Fall through */
-   rv.code == RC_FAIL;
+   rv.code = RC_FAIL;
} else {
ASN_DEBUG("Failed decoding %s of %s (SET OF)",
elm->type->name, td->name);
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes

2016-01-29 Thread Jan Cholasta

Hi,

On 27.1.2016 18:38, Petr Viktorin wrote:

Hello,

Here is a mixed bag of Python 3 fixes.
They fix some tests, and they should enable you to use `python3
/usr/bin/ipa`.


Patch 761:

1) The "invalid 'my_number': " bit comes from IPA itself, shouldn't we 
check at least that?



Patch 762:

1) We should handle UnicodeError here as well, in addition to TypeError:

 if k.lower() == 'negotiate':
 try:
-token = base64.b64decode(v)
+token = base64.b64decode(v.encode('ascii'))
 break
 # b64decode raises TypeError on invalid input
 except TypeError:

2) I would prefer if the encoding was specified explicitly here:

+response = json_decode_binary(json.loads(response.decode()))


Patch 763:

1)

+altname = altname

2) Nitpick, but could you please:

-if isinstance(name_or_oid, unicode):
-name_or_oid = name_or_oid.encode('utf-8')
+if six.PY2:
+if isinstance(name_or_oid, unicode):
+name_or_oid = name_or_oid.encode('utf-8')

This way it's more visible that this is a py2-only thing.


Patch 764: LGTM


Patch 765:

1)

+import tempfile
+import tempfile


Patch 766-767: LGTM


Patch 768:

1) Only binascii.Error should be handled in int_to_bytes, the try-except 
block is there just to handle odd-length strings.


2) I think you can just remove the library_path.encode(), it's there 
because the original C code did the same thing, but don't think it's 
necessary.



Patch 769: LGTM


Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0410] CI DNSSEC: fix zone delegation

2016-01-29 Thread Martin Basti



On 25.01.2016 13:29, Martin Basti wrote:



On 23.01.2016 10:34, Petr Spacek wrote:

On 22.1.2016 17:47, Martin Basti wrote:
-# make BIND happy, and delegate zone which contains A 
record of master

+# make BIND happy: add the glue record and delegate zone
+args = [
+"ipa", "dnsrecord-add", root_zone, 
self.master.domain.name,

+"--a-rec=" + self.master.ip
+]
+self.master.run_command(args)
+time.sleep(10)  # sleep a bit until data are provided by 
bind-dyndb-ldap

+

LGTM, ACK. In the worst case it will not fix the test :-)


Pushed to:
ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8
master: cdf08a0a869f83a6111d9560b69c582d2c04f89c



Here is better fix that should actually work in lab :)
patch attached

From 253d18ec54f7a9612f482c6d44de4bd337d2ad9e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 28 Jan 2016 14:13:51 +0100
Subject: [PATCH] DNSSEC CI: fix zone delegations

---
 ipatests/test_integration/test_dnssec.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 111d39855b399e52052716cd83da8dfb2213fbee..e90fb1f477ab50050f619399ee168c0e4b248ac2 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -277,7 +277,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
 
 # make BIND happy: add the glue record and delegate zone
 args = [
-"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
+"ipa", "dnsrecord-add", root_zone, self.master.hostname,
 "--a-rec=" + self.master.ip
 ]
 self.master.run_command(args)
@@ -313,6 +313,13 @@ class TestInstallDNSSECFirst(IntegrationTest):
 
 self.master.run_command(args)
 
+# delegation
+args = [
+"ipa", "dnsrecord-add", root_zone, example_test_zone,
+"--ns-rec=" + self.master.hostname
+]
+self.master.run_command(args)
+
 # wait until zone is signed
 assert wait_until_record_is_signed(
 self.master.ip, example_test_zone, self.log, timeout=100
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES] 0761-0769 More Python3 fixes

2016-01-29 Thread Jan Cholasta

On 29.1.2016 09:25, Jan Cholasta wrote:

Hi,

On 27.1.2016 18:38, Petr Viktorin wrote:

Hello,

Here is a mixed bag of Python 3 fixes.
They fix some tests, and they should enable you to use `python3
/usr/bin/ipa`.


Patch 761:

1) The "invalid 'my_number': " bit comes from IPA itself, shouldn't we
check at least that?


Patch 762:

1) We should handle UnicodeError here as well, in addition to TypeError:

  if k.lower() == 'negotiate':
  try:
-token = base64.b64decode(v)
+token = base64.b64decode(v.encode('ascii'))
  break
  # b64decode raises TypeError on invalid input
  except TypeError:

2) I would prefer if the encoding was specified explicitly here:

+response = json_decode_binary(json.loads(response.decode()))


Patch 763:

1)

+altname = altname

2) Nitpick, but could you please:

-if isinstance(name_or_oid, unicode):
-name_or_oid = name_or_oid.encode('utf-8')
+if six.PY2:
+if isinstance(name_or_oid, unicode):
+name_or_oid = name_or_oid.encode('utf-8')

This way it's more visible that this is a py2-only thing.


Patch 764: LGTM


Patch 765:

1)

+import tempfile
+import tempfile


Patch 766-767: LGTM


Patch 768:

1) Only binascii.Error should be handled in int_to_bytes, the try-except
block is there just to handle odd-length strings.

2) I think you can just remove the library_path.encode(), it's there
because the original C code did the same thing, but don't think it's
necessary.


Patch 769: LGTM


Also, could you please reference 
 in the patches?


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] 0003 webui: Issue New Certificate dialogs validates data

2016-01-29 Thread Pavel Vomacka



On 01/28/2016 07:28 PM, Petr Vobornik wrote:

Hi, there are few issues, NACK.

1. this patch uses tabs instead of spaces, previous was correct

Fixed.


2. code which focuses first invalid field could be replaced by:
  widget_mod.focus_invalid(that);

The old loop is replaced by this method.


3. there is a convention that field and widget names uses the same 
name as the param, therefore 'textarea_cert' should be 'csr'. There is 
no convention for messages in html widget but it might be better to 
use a name reflecting purpose and not implementation. Instead of 
'message_html_widget' use 'instructions' or just 'message' - 
consistent with spec option.



Fixed. I chose 'message' instead of 'message_html_widget'.

Also I've filed: https://fedorahosted.org/freeipa/ticket/5652

Pavel Vomacka

>From 242a52390de84025efab2fb878aa95d46c1386a4 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 28 Jan 2016 17:37:29 +0100
Subject: [PATCH] Add validation to Issue new certificate dialog

'Issue new certificate' dialog now validates whether user fills 'principal' and 'csr' field.
In case that one of these fields is empty then it does not allow to submit the dialog.

https://fedorahosted.org/freeipa/ticket/5432
---
 install/ui/src/freeipa/certificate.js | 60 +++
 install/ui/src/freeipa/details.js |  5 +++
 2 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index 93f3cfc68a95bfb8014aaf96d1b571568ac605dc..aaae4d9fb14e0c6e8dd1562b92b0ddb3ff1a6a49 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -30,10 +30,11 @@ define([
 './reg',
 './rpc',
 './text',
+'./widget',
 './dialog'],
 function(
 lang, builder, metadata_provider, IPA, $, menu,
-phases, reg, rpc, text) {
+phases, reg, rpc, text, widget_mod) {
 
 var exp = IPA.cert = {};
 
@@ -399,11 +400,35 @@ IPA.cert.request_dialog = function(spec) {
 spec = spec || {};
 
 spec.sections = spec.sections || [];
-var section = { fields: [] };
-spec.sections.push(section);
+var section0 = { fields: [] };
+var section_csr = {
+show_header: false,
+fields: [
+{
+field: false,
+$type: 'html',
+name: 'message',
+html: spec.message
+},
+{
+$type: 'textarea',
+name: 'csr',
+required: true
+}
+],
+layout:
+{
+$factory: widget_mod.fluid_layout,
+widget_cls: "col-sm-12 controls",
+label_cls: "hide"
+}
+};
+
+spec.sections.push(section0);
+spec.sections.push(section_csr);
 
 if (spec.show_principal) {
-section.fields.push(
+section0.fields.push(
 {
 $type: 'text',
 name: 'principal',
@@ -418,7 +443,7 @@ IPA.cert.request_dialog = function(spec) {
 }
 );
 }
-section.fields.push(
+section0.fields.push(
 {
 $type: 'entity_select',
 name: 'profile_id',
@@ -443,7 +468,15 @@ IPA.cert.request_dialog = function(spec) {
 click: function() {
 var values = {};
 that.save(values);
-var request = $.trim(that.textarea.val());
+
+// check requested fields
+if (!that.validate()) {
+widget_mod.focus_invalid(that);
+return;
+}
+
+// get csr from the textarea
+var request = $.trim(that.get_field('csr').get_value());
 values.request = IPA.cert.pem_csr_format(request);
 
 if (that.request) {
@@ -461,19 +494,6 @@ IPA.cert.request_dialog = function(spec) {
 }
 });
 
-that.create_content = function() {
-that.dialog_create_content();
-var node = $("", {
-'class': 'col-sm-12'
-});
-node.append(that.message);
-that.textarea = $('', {
-'class': 'certificate'
-}).appendTo(node);
-that.body_node.append(node);
-return that.body_node;
-};
-
 return that;
 };
 
@@ -1519,4 +1539,4 @@ phases.on('post-metadata', exp.create_cert_metadata);
 phases.on('profile', exp.remove_menu_item, 20);
 
 return exp;
-});
\ No newline at end of file
+});
diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index c708a878b7d6d29815535b7508da0c4cc30a3b5c..36dbb99fca3440b29ba280283c6c9e098f67d6d6 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -295,6 +295,11 @@ exp.section_builder = IPA.section_builder = function(spec) {
 
 var widget = that.widget_builder.build_widget(field_spec, section.widgets);
 
+if (field_spec.field === false) {
+

Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-29 Thread Martin Babinsky

On 01/20/2016 09:40 AM, Martin Babinsky wrote:

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I opted
to reuse the configure_openldap_conf() function and restoring the
config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an alternative
solution.


You could also just do an action set on URI to change the value, right?
It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to deference
the ticket).

rob



Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. Plain
'set' may rewrite the URI set by user and thus we would have to test its
value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf and is
additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already wirrten code for
reediting it anew with replica as URI is actually not that bad idea.





Bump for review/discussion.


Another bump.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [TEST][Patch 0020] Enabled recreation of test directory during ipa reinstallation

2016-01-29 Thread Martin Basti



On 21.01.2016 12:59, Oleg Fayans wrote:




Hello,

1)
I'm not sure if it is bug or it is related to this patch, but there is 
missing symetry in test_caless, I see there apply fixes but not 
unapply_fixes


ipatests/ipa-test-task:378:tasks.unapply_fixes(host)
ipatests/test_integration/tasks.py:201:def unapply_fixes(host):
ipatests/test_integration/tasks.py:646:unapply_fixes(host)
ipatests/test_integration/tasks.py:654:unapply_fixes(host)
ipatests/test_integration/tasks.py:997:unapply_fixes(replica)
ipatests/test_integration/test_legacy_clients.py:373: 
tasks.unapply_fixes(cls.legacy_client)



ipatests/test_integration/tasks.py:91:def apply_common_fixes(host, 
fix_resolv=True):
ipatests/test_integration/tasks.py:269:apply_common_fixes(host, 
fix_resolv=False)

ipatests/test_integration/tasks.py:320: apply_common_fixes(replica)
ipatests/test_integration/tasks.py:386: apply_common_fixes(client)
ipatests/test_integration/test_caless.py:101: tasks.apply_common_fixes(host)
ipatests/test_integration/test_legacy_clients.py:361: 
tasks.apply_common_fixes(cls.legacy_client)


2)
IMO unapply_fixes is called twice for replica uninstall

 uninstall_master(replica)
+unapply_fixes(replica)

uninstall_master calls unapply_fixes() too

3)
what is purpose of prepare_host? I saw it used only in 
test_forced_client_reenrollment.py

Which test was failing?

4)
in test_forced_client_reenrollment.py there is direct call of 
prepare_host, but this is also install_client that calls prepare_host 
too (added by your patch)


Martin
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0411] upgrade: log to ipaupgrade.log if ipa is not installed

2016-01-29 Thread Martin Basti
Missing record in ipaupgrade.log that upgrade failed because IPA is not 
installed, causes harder time to debugging upgrade from log.


Patch attached.
From f457b0996fcc8d6a6e0bf95763a25b518e370501 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 27 Jan 2016 15:09:32 +0100
Subject: [PATCH] Upgrade: log to ipaupgrade.log when IPA server is not
 installed

Message was printed only to stdout and leaves ipaupgrade.log without any
record that ipa-server-upgrade failed because ipa server is not
installed.
Now error is passed to logger which prints meassage to stderr and
ipaupgrade.log.
---
 ipaserver/install/server/upgrade.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 20379f19c652cb0b5911a4c2f1c67eae7f763379..844a2a3fb597fe0b2e6aca6f7e81e06142314d72 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1647,7 +1647,7 @@ def upgrade_check(options):
 try:
 installutils.check_server_configuration()
 except RuntimeError as e:
-print(unicode(e))
+root_logger.error(e)
 sys.exit(1)
 
 try:
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [TEST][Patch 0022] small refactoring in integration tests due to BZ 1303095

2016-01-29 Thread Oleg Fayans

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From b866ff5336f742e170895b575df7a09419c2d731 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 29 Jan 2016 16:04:17 +0100
Subject: [PATCH] Moved NM configuration calls to the IntegrationTest base
 class

Reconfiguring and restarting of NetworkManager in the middle of test execution
sometimes causes unexpected results. See [1] for details.
It is better to have it configured in advance during test class initialization
with default configuration applied at test teardown

Also, disabled manual resetting nameservers in resolv.conf before replica and
client installations (as per discussion with pspacek).

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1303095
---
 ipatests/test_integration/base.py  |  5 +
 ipatests/test_integration/tasks.py | 11 +++
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_integration/base.py b/ipatests/test_integration/base.py
index 4f57e959032a5fda0ad002fca95501da1160605b..fef202b8e203806f711de4062b1a429482c411bb 100644
--- a/ipatests/test_integration/base.py
+++ b/ipatests/test_integration/base.py
@@ -64,6 +64,9 @@ class IntegrationTest(object):
 def install(cls, mh):
 if cls.topology is None:
 return
+for host in cls.get_all_hosts():
+# Tell NetworkManager to not mess around with resolv.conf
+tasks.modify_nm_resolv_conf_settings(host)
 else:
 tasks.install_topo(cls.topology,
cls.master, cls.replicas, cls.clients)
@@ -78,6 +81,8 @@ class IntegrationTest(object):
 tasks.uninstall_master(replica)
 for client in cls.clients:
 tasks.uninstall_client(client)
+for host in cls.get_all_hosts():
+tasks.undo_nm_resolv_conf_settings(host)
 
 
 IntegrationTest.log = log_mgr.get_logger(IntegrationTest())
diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 27d2449ec71e0bf55a576cc495175a5ae41da1d6..b5e3d1a8106d389e2027fb2535726b3a93eb2d5c 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -91,7 +91,6 @@ def allow_sync_ptr(host):
 def apply_common_fixes(host, fix_resolv=True):
 fix_etc_hosts(host)
 fix_hostname(host)
-modify_nm_resolv_conf_settings(host)
 if fix_resolv:
 fix_resolv_conf(host)
 prepare_host(host)
@@ -175,11 +174,9 @@ def undo_nm_resolv_conf_settings(host):
 
 def fix_resolv_conf(host):
 backup_file(host, paths.RESOLV_CONF)
-lines = host.get_file_contents(paths.RESOLV_CONF).splitlines()
-lines = ['#' + l if l.startswith('nameserver') else l for l in lines]
-for other_host in host.domain.hosts:
-if other_host.role in ('master', 'replica'):
-lines.append('nameserver %s' % other_host.ip)
+lines_read = host.get_file_contents(paths.RESOLV_CONF).splitlines()
+lines = ['#' + l if l.startswith('search') else l for l in lines_read]
+lines[0] = "search %s\n" % host.domain.name
 contents = '\n'.join(lines)
 log.debug('Writing the following to /etc/resolv.conf:\n%s', contents)
 host.put_file_contents(paths.RESOLV_CONF, contents)
@@ -201,8 +198,6 @@ def fix_apache_semaphores(master):
 def unapply_fixes(host):
 restore_files(host)
 restore_hostname(host)
-undo_nm_resolv_conf_settings(host)
-
 # Clean up the test directory
 host.run_command(['rm', '-rvf', host.config.test_dir])
 
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] extdom: Remove unused macro

2016-01-29 Thread Martin Basti



On 29.01.2016 14:56, Sumit Bose wrote:

On Fri, Jan 29, 2016 at 01:11:32PM +0100, Lukas Slebodnik wrote:

ehlo,

Last usage of the macro SSSD_SYSDB_SID_STR was removed
in the commit 0ee8fe11aea9811c724182def3f50960d5dd87b3

LS

ACK

bye,
Sumit


Pushed to master: 4bef7577b746d8decd65c18f81b1e8fdd9cf06a7

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCH 0412] CI tests: Do not set ip address for replica without installed IPA DNS in topology

2016-01-29 Thread Martin Basti

Patch attached.

Should fix test_installation for domain level 0
From d1a3796189cf2c34f0d4bdfcb1459dd436194170 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 15 Jan 2016 18:17:10 +0100
Subject: [PATCH] Tests: Do not set ip address for replica prepare without IPA
 DNS

ipa-replica-prepare cannot be used with option --ip-address when
IPA DNS is not installed
---
 ipatests/test_integration/tasks.py | 18 +++---
 ipatests/test_integration/test_installation.py |  3 ++-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index a1d6cb88a1bfe2ac8c2fae9d758da726a5536ce2..ec49e1018cdfdd24d390f165e4f6a99d89a29868 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -315,14 +315,17 @@ def domainlevel(host):
 return level
 
 
-def replica_prepare(master, replica):
+def replica_prepare(master, replica, ipa_managed_dns=True):
 apply_common_fixes(replica)
 fix_apache_semaphores(replica)
 prepare_reverse_zone(master, replica.ip)
-master.run_command(['ipa-replica-prepare',
-'-p', replica.config.dirman_password,
-'--ip-address', replica.ip,
-replica.hostname])
+args = ['ipa-replica-prepare',
+'-p', replica.config.dirman_password,
+replica.hostname]
+if ipa_managed_dns:
+args.extend(['--ip-address', replica.ip,])
+
+master.run_command(args)
 replica_bundle = master.get_file_contents(
 paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
 replica_filename = get_replica_filename(replica)
@@ -330,7 +333,7 @@ def replica_prepare(master, replica):
 
 
 def install_replica(master, replica, setup_ca=True, setup_dns=False,
-setup_kra=False):
+setup_kra=False, ipa_managed_dns=True):
 replica.collect_log(paths.IPAREPLICA_INSTALL_LOG)
 replica.collect_log(paths.IPAREPLICA_CONNCHECK_LOG)
 allow_sync_ptr(master)
@@ -343,6 +346,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 if setup_ca:
 args.append('--setup-ca')
 if setup_dns:
+ipa_managed_dns = True
 args.extend([
 '--setup-dns',
 '--forwarder', replica.config.dns_forwarder
@@ -350,7 +354,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
 if domainlevel(master) == DOMAIN_LEVEL_0:
 apply_common_fixes(replica)
 # prepare the replica file on master and put it to replica, AKA "old way"
-replica_prepare(master, replica)
+replica_prepare(master, replica, ipa_managed_dns=ipa_managed_dns)
 replica_filename = get_replica_filename(replica)
 args.append(replica_filename)
 else:
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index c3d194fb4900f6ecdebffeaba90d2ecb4929c8c0..b744b227dc7204e3cd283bd3a5efb3277c920b34 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,7 +21,8 @@ class InstallTestBase1(IntegrationTest):
 tasks.install_master(cls.master, setup_dns=False)
 
 def test_replica0_ca_less_install(self):
-tasks.install_replica(self.master, self.replicas[0], setup_ca=False)
+tasks.install_replica(self.master, self.replicas[0], setup_ca=False,
+  ipa_managed_dns=False)
 
 def test_replica0_ipa_ca_install(self):
 tasks.install_ca(self.replicas[0])
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4

2016-01-29 Thread Alexander Bokovoy

On Fri, 29 Jan 2016, Lukas Slebodnik wrote:

On (29/01/16 12:12), Lukas Slebodnik wrote:

ehlo,

attached patch shoudl fix build on fedora-24.
It blocks static analysis scan.

Even though it unblock build on fedora-24
the solution is not ideal. It's possible that some changes
need to be done in samba side as well.
(missing prototypes for trim_string, smb_xstrdup

LS


BTW there is also another issue in IPA-SAM.
The value of macro LDAP_PAGE_SIZE has changed
and therefore there is a warning.

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
#define LDAP_PAGE_SIZE 1024
^
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the 
previous definition
#define LDAP_PAGE_SIZE 1000

This is something we should fix. I'll look at it once in Brno.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica

2016-01-29 Thread Martin Basti



On 29.01.2016 09:01, Martin Babinsky wrote:

On 01/20/2016 09:40 AM, Martin Babinsky wrote:

On 01/14/2016 05:29 PM, Martin Babinsky wrote:

On 01/13/2016 05:59 PM, Rob Crittenden wrote:

Martin Babinsky wrote:

fixes https://fedorahosted.org/freeipa/ticket/5584

In order to ensure consistent behavior with ipa-client-install, I 
opted

to reuse the configure_openldap_conf() function and restoring the
config
from client sysrestore before modifying it.

If you think this approach is not optimal please propose an 
alternative

solution.


You could also just do an action set on URI to change the value, 
right?

It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving
the code to include why you're moving it (to avoid the need to 
deference

the ticket).

rob



Here's the patch that implements the change in URI directive. Please
keep in mind that we not only have to change the URI to point to
ourselves, we also have to do it in a way consistent with
ipa-client-install, i.e. leave a comment with new URI if it was already
set by third party.

Plain 'addifnotset' directive will not do, however, because then we end
up with two comments, one original, and one pointing to ourselves. 
Plain
'set' may rewrite the URI set by user and thus we would have to test 
its

value anyway.

The correct handling of these cases coupled with a way IPAChangeConf is
written results in a solution presented here.

The fact that it is not much shorter than configure_openldap_conf 
and is

additionally pretty ugly (a fact at least partially caused by me not
being very fluent in IPAChangeConf usage) led me to the conclusion that
restoring original ldap.conf and reusing already wirrten code for
reediting it anew with replica as URI is actually not that bad idea.





Bump for review/discussion.


Another bump.


Works for me, ACK

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH] IPA-SAM: Fix build with samba 4.4

2016-01-29 Thread Lukas Slebodnik
On (29/01/16 12:12), Lukas Slebodnik wrote:
>ehlo,
>
>attached patch shoudl fix build on fedora-24.
>It blocks static analysis scan.
>
>Even though it unblock build on fedora-24
>the solution is not ideal. It's possible that some changes
>need to be done in samba side as well.
>(missing prototypes for trim_string, smb_xstrdup
>
>LS

>>From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik 
>Date: Fri, 29 Jan 2016 10:40:18 +0100
>Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4
>
>samba_util.h is not shipped with samba-4.4
>and it was indirectly included by "ndr.h"
>
I checked the samba 4.4 release notes and they intentionaly
removed samba_util.h

@see
https://github.com/samba-team/samba/blob/master/WHATSNEW.txt#L191

REMOVED FEATURES


Public headers
--

Several public headers are not installed any longer. They are made for internal
use only. More public headers will very likely be removed in future releases.

The following headers are not installed any longer:
dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code