Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

[Fraser Tweedale]

On Fri, Jun 03, 2016 at 05:17:12PM +0200, Petr Vobornik wrote:
> On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> > Hi all,
> > 
> > please review the patch for webUI which adds SAN names into 'Issue new
> > certificate' dialog. The SAN names are mentioned only in dialogs for
> > requesting for host and service certificate, according to the design page:
> > http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> > sure whether this change provides enough information. If you think that
> > we should add more information to these dialogs or even extend also
> > dialog on Authentication -> Certificates page, just let me know.
> > 
> 
> Should we also include SAN for user certs?
> 
> E.g.:
>   -7 emailAddrs
> 
> Adding Fraser to loop...
> 
> Otherwise the patch looks good.
>
We *could* add rfc822Name example for user certs, but I don't think
we should.

Especially for user certs, we might as well hold off because the
"CSR templates" feature is intended to relieve users of having to
generate CSRs themselves.

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] 958 admintools: missing python3-ipaclient dependency

[Petr Vobornik]

admintools doesn't pull python[2|3]-ipaclient by default which ends
with exception if CLI is used.
-- 
Petr Vobornik
From 8342e64430949bf66b6f7254d3a432f875023842 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Fri, 3 Jun 2016 18:26:25 +0200
Subject: [PATCH] admintools: missing python3-ipaclient dependency

admintools doesn't pull python[2|3]-ipaclient by default which ends
with exception if CLI is used.
---
 freeipa.spec.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index d5d78f806607bfd61daab43f50dba8caa6d0661c..43fbaa123f088e392f73462b006f95597319ad41 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -424,8 +424,10 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 %if 0%{?with_python3}
 Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
 %else
 Requires: python2-ipalib = %{version}-%{release}
+Requires: python2-ipaclient = %{version}-%{release}
 %endif
 Requires: python-ldap
 
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] script for provisioning

[thierry bordaz]

Hello,

A performance bottleneck during provisioning was described 
http://www.freeipa.org/page/V4/Performance_Improvements#typical_provisioning:_ldapadd_entries.2C_migrate-ds...


I wrote the attached script that is following 
http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm


This is a preliminary script that needs to be improved but just to check 
it matches basic requirements I am sending it to the alias to get some 
feedback.


The output of a provisioning session is below. The steps are:

 * install freeipa-server
 * create a provisioning file using
   https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py
 * ipa-provision.py prepare
 * ipa-provision.py import
 * ipa-provision.py finish

Note: you will likely need to define the DM password with the option '-w 
'


regards
thierry


/tmp/ipa-provision.py prepare -f 
/tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -d 1

entrycache = 10485760
dncache= 10485760
dbcache= 209715200
dblock = 1
Preparation of the bulk import is now completed
If you want to continue:
  - run /tmp/ipa-provision.py import -f 
/tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif

  - run /tmp/ipa-provision.py finish -b 

If you want to not continue:
  - run /tmp/ipa-provision.py abort



/tmp/ipa-provision import -f 
/tmp/1K_users_800_hosts_groups_hostgroups_sudorules_hbac_rules.ldif -debug 2
adding new entry 
"uid=user0,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"


adding new entry 
"uid=user1,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"


adding new entry 
"uid=user2,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"

...
adding new entry 
"ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"


adding new entry 
"ipaUniqueID=autogenerate,cn=hbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"


Bulk import is now completed
You need to run:
  - run /tmp/ipa-provision.py finish -b 



/tmp/ipa-provision.py finish

Waiting for (objectClass=inetorgperson) fixup to complete...
Completed filter (objectClass=inetorgperson)

Waiting for (objectClass=ipausergroup) fixup to complete...
Completed filter (objectClass=ipausergroup)

Waiting for (objectClass=ipahost) fixup to complete...
Completed filter (objectClass=ipahost)

Waiting for (objectClass=ipahostgroup) fixup to complete...
Completed filter (objectClass=ipahostgroup)

Waiting for (objectClass=ipasudorule) fixup to complete...
Completed filter (objectClass=ipasudorule)

Waiting for (objectClass=ipahbacrule) fixup to complete...
Completed filter (objectClass=ipahbacrule)

Bulk import and fixup tasks are now completed

#! /usr/bin/python2

import os
import sys
try:
import psutil
except ImportError:
raise ("Missing module: psutil (try 'dnf install python-psutil')")
import time
import argparse
import ldap
import socket
import re
import shutil
import pdb
import pwd
import grp
from subprocess import Popen, PIPE
from socket import getfqdn


DEFAULT_PORT_ROOT = str(389)
DEFAULT_ROOT_DN   = 'cn=Directory Manager'
DEFAULT_PASSWORD  = 'Secret123'
DEFAULT_DEBUG_LVL = 0
ENVIRON_PORT  = 'BULK_PORT'
ENVIRON_ROOTDN= 'BULK_ROOTDN'
ENVIRON_PASSWORD  = 'BULK_PASSWORD'
ENVIRON_DEBUG_LVL = 'BULK_DEBUG_LVL'

#path = os.pathsep.join(("/usr/lib64/python2.7","/usr/lib64/python2.7/plat-linux2","/usr/lib64/python2.7/lib-dynload","/usr/lib64/python2.7/site-packages","/usr/lib64/python2.7/site-packages/psutil","/usr/lib/python2.7/site-packages","/usr/lib/python2.7/site-packages/setuptools-0.6c11-py2.7.egg-info"))
#os.environ['PYTHONPATH'] = path

# DS attributes & entries
ds_config   = "cn=config"
ds_schema_dir   = "nsslapd-schemadir"
ds_dbconfig_dn  = "cn=config,cn=ldbm database,cn=plugins,cn=config"
ds_dbcache_attr = 'nsslapd-dbcachesize'
ds_dblock_attr  = 'nsslapd-db-locks'
ds_backend_dn   = "cn=ldbm database,cn=plugins,cn=config"
ds_domainBackend_dn = "cn=userRoot,%s" % ds_backend_dn
ds_backend_ecache   = "nsslapd-cachememsize"
ds_backend_dncache  = "nsslapd-dncachememsize"
ds_plugin   = "cn=plugins,cn=config"
ds_membeof_plugin   = "cn=MemberOf Plugin,%s" % ds_plugin
ds_schemaCompat_plugin = "cn=Schema Compatibility,%s" % ds_plugin
ds_uid  = pwd.getpwnam("dirsrv").pw_uid
ds_gid  = grp.getgrnam("dirsrv").gr_gid
ds_server_id= None

# Fixup data
fixup_filters = ["(objectClass=inetorgperson)", "(objectClass=ipausergroup)", "(objectClass=ipahost)", "(objectClass=ipahostgroup)", "(objectClass=ipasudorule)", "(objectClass=ipahbacrule)"]
taskStatus = "nstaskstatus"

# ipactl command
ipactl  = "/usr/sbin/ipactl"

kilo = 1024
mega = kilo * kilo
systemMemory = None
entryCache = None
dbCache = None

# workaround for https://fedorahosted.org/389/ticket/48868
ticket48868_fixed = False

# return the total memory size available on the system
def getSystemMemory():
global 

[Freeipa-devel] [PATCHES 0146-0152] Server Roles v2

[Martin Babinsky]

I am sending rebased patches implementing 
http://www.freeipa.org/page/V4/Server_Roles


I hope the patches work since I have had a lot of fun rebasing them on 
top of thin client and DNS locations effort.


https://fedorahosted.org/freeipa/ticket/5181

--
Martin^3 Babinsky
From 65fc5d1ea0f99f0785e306d0e00d4b115416a9bf Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 26 May 2016 19:24:22 +0200
Subject: [PATCH 1/7] Server Roles: definitions of server roles and attributes

This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
---
 ipaserver/servroles.py | 560 +
 1 file changed, 560 insertions(+)
 create mode 100644 ipaserver/servroles.py

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
new file mode 100644
index ..fb328e05aa4dce9709558227639c840508fa56af
--- /dev/null
+++ b/ipaserver/servroles.py
@@ -0,0 +1,560 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+
+"""
+This module contains the set of classes which abstract various bits and pieces
+of information present in the LDAP tree about functionalities such as DNS
+server, Active Directory trust controller etc. These properties come in two
+distinct groups:
+
+server roles
+this group represents a genral functionality provided by one or more
+IPA servers, such as DNS server, certificate authority and such. In
+this case there is a many-to-many mapping between the roles and the
+masters which provide them.
+
+server attributes
+these represent a functionality associated with the whole topology,
+such as CA renewal master or DNSSec key master.
+
+See the corresponding design page (http://www.freeipa.org/page/V4/Server_Roles)
+for more info.
+
+Both of these groups use `LDAPBasedProperty` class as a base.
+
+Server Roles
+
+
+Server role objects are usually consuming information from the master's service
+container (cn=FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX) are represented by
+`ServiceBasedRole`class. To create an instance of such role, you only need to
+specify role name and individual services comprising the role (more systemd
+services may be enabled to provide some function):
+
+>>> example_role = ServiceBasedRole(
+... "Example Role",
+... component_services = ['SERVICE1', 'SERVICE2'])
+>>> example_role.name
+'Example Role'
+
+The role object can then be queried for the status of the role in the whole
+topology or on a single master by using its `status` method. This method
+returns a list of dictionaries akin to LDAP entries comprised from server name,
+role name and role status (enabled if role is enabled, configured if the
+service entries are present but not marked as enabled by 'enabledService'
+config string, absent if the service entries are not present).
+
+Note that 'AD trust agent' role is based on membership of the master in the
+'adtrust agents' sysaccount group and is thus an instance of different class
+(`ADTrustBasedRole`). This role also does not have 'configured' status, since
+the master is either member of the group ('enabled') or not ('absent')
+
+Server Attributes
+=
+
+Server attributes are implemented as instances of `ServerAttribute` class. The
+attribute is defined by some flag set on 'ipaConfigString' attribute of some
+service entry. To create your own server attribute, see the following example:
+
+>>> example_attribute = ServerAttribute("Example Attribute", example_role,
+... "SERVICE1", "roleMaster")
+>>> example_attribute.name
+'Example Attribute'
+
+The FQDN of master with the attribute set can be requested using `get()`
+method. The attribute master can be changed by the `set()` method
+which accepts FQDN of a new master hosting the attribute.
+
+The available role/attribute instances are stored in
+`role_instances`/`attribute_instances` dictionaries keyed by instance name.
+"""
+
+import abc
+from collections import namedtuple, defaultdict
+
+from ldap import SCOPE_ONELEVEL
+import six
+
+from ipalib import _, errors
+from ipapython.dn import DN
+
+
+if six.PY3:
+unicode = str
+
+
+ENABLED = u'enabled'
+CONFIGURED = u'configured'
+ABSENT = u'absent'
+
+
+@six.add_metaclass(abc.ABCMeta)
+class LDAPBasedProperty(object):
+"""
+base class for all master properties defined by LDAP content
+:param name: user-friendly name of the property
+:param attrs_list: list of attributes to retrieve during search, defaults
+to all
+"""
+attrs_list = ['*']
+
+def __init__(self, name):
+self.name = name
+
+

Re: [Freeipa-devel] [PATCH] 0033 webui: Mention SAN names in 'Issue new certificate'

[Petr Vobornik]

On 05/10/2016 04:52 PM, Pavel Vomacka wrote:
> Hi all,
> 
> please review the patch for webUI which adds SAN names into 'Issue new
> certificate' dialog. The SAN names are mentioned only in dialogs for
> requesting for host and service certificate, according to the design page:
> http://www.freeipa.org/page/V4/RFC_2818_certificate_compliance . I'm not
> sure whether this change provides enough information. If you think that
> we should add more information to these dialogs or even extend also
> dialog on Authentication -> Certificates page, just let me know.
> 

Should we also include SAN for user certs?

E.g.:
  -7 emailAddrs

Adding Fraser to loop...

Otherwise the patch looks good.
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0149-0152] Server Roles: user-facing part

[Martin Babinsky]

On 05/30/2016 07:13 PM, Martin Babinsky wrote:

These patches implement the usable part of Server Roles design. There
might be some discrepancies between the design and actual
implementation, I was head first in hacking and was not very disciplined
in keeping the design up to date.

I will fix this ASAP.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181
https://fedorahosted.org/freeipa/ticket/5689



Ignore this thread please, all other revisions will be sent together 
with user-facing part in separate thread.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0146-0147] Server Roles: basic infrastructure

[Martin Babinsky]

On 05/19/2016 04:59 PM, Martin Babinsky wrote:

Patch 0146 implements lower-lever infrastructure for querying server
roles/attributes

Patch 0147 are some basic tests slapped together for the `serverroles`
backend to ensure that it works as expected.

The new/modified CLI commands specified in the design page [1] will be
coming soon.

Also coming soon will be an interface to construct DNS records for each
role requested by Petr^2 and Martin^2 which I will start implement when
we agree on the backend implementation.

https://fedorahosted.org/freeipa/ticket/5181

[1] https://www.freeipa.org/page/V4/Server_Roles#CLI



Ignore this thread please, all other revisions will be sent together 
with user-facing part in separate thread.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0035: webui: change Restore cert to Remove cert hold

[Petr Vobornik]

On 05/20/2016 01:17 PM, Pavel Vomacka wrote:
> Hi,
> 
> please review attached patch. It change Restore certificate strings to
> Remove certificate hold to be consistent with CLI.
> 
> https://fedorahosted.org/freeipa/ticket/5878
> 
> -- 
> 
> Pavel^3 Vomacka
> 
> 

ACK

rebased (internal.py move) and pushed:

master:
* fdd2265bc4a0894fa5a33bc4c5fd026593185c8b Change 'Restore' to 'Remove Hold'
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0032 webui: change lang.hitch to the javascript bind method

[Petr Vobornik]

On 04/29/2016 03:15 PM, Pavel Vomacka wrote:
> Hi,
> 
> please review the attached patch.
> 
> https://fedorahosted.org/freeipa/ticket/5702
> 
> -- 
> 
> Pavel^3 Vomacka
> 

ACK

pushed to master:
* b16e59bdaa4acba7b8a190a4ca32b7a113b32cd1 Change lang.hitch to
javascript bind method

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0013, 0017 webui: Add ability to convert users from preserved to staged state

[Petr Vobornik]

On 06/03/2016 08:27 AM, Pavel Vomacka wrote:
> 
> 
> On 06/02/2016 06:45 PM, Petr Vobornik wrote:
>> On 04/20/2016 07:05 PM, Pavel Vomacka wrote:
>>> On 04/15/2016 06:44 PM, Petr Vobornik wrote:
 On 04/13/2016 02:56 PM, Pavel Vomacka wrote:
> Hello,
>
> This patch adds ability to convert users from preserved to staged
> state.
>
> Fixes this ticket:https://fedorahosted.org/freeipa/ticket/5371
>
> -- 
> Pavel^3 Vomacka
>
>
 The patch requires rebase.
>>> Attached rebased patches. I split this one patch into two patches.
>> Patch 13: ACK
>>
>> Maybe a nitpick, why the icon have opacity 0.5?
> I was not sure which icon I should use, so we talked about it with Honza
> and we've chosen the the user icon which will be  lighter than default. 
> It would be better to do it using text color. So, updated patch attached.
>> Patch 17: needs rebase
> Rebased patch attached.

ACK for both patches.

Rebased(due to internal.py move) and pushed.

master:
* b71d1b431d7393187de162c4c0d921a2dc4b3a49 Add ability to stage multiple
users
* 46e3245fdedbf88050fffa6039d176914c242418 Add option to stage user from
details page
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

[Petr Spacek]

On 3.6.2016 12:51, Martin Basti wrote:
> 
> 
> On 03.06.2016 08:53, Petr Spacek wrote:
>> On 2.6.2016 17:53, Martin Basti wrote:
>>> 
 Typo - redundant ' ' at the end.


 Conditional NACK, warnings mentioned in
 http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
 are not there.

 I'm open to changing this to ACK if you open a separate ticket for this
 omission so we do not forget to add them later on.
>>> I forgot to add, this will be in next batch of patches (you may see that 
>>> there
>>> are not marked DNS servers in output of location show), I do not see reason 
>>> to
>>> open ticket when the current one is not finished.
>>>
>>> +1
>>>
 Done

>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved to
>>> location_show.post_callback()
>>>
 I had to add it to execute because I modifies result entry not just
 entry_attrs

>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, 
>>> so
>>> that
>>> it is not displayed with --all.
>>>
>>>
 Done

>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I would
>>> like
>>> to reserve --force for "ignore NotFound when deleting the entry", which
>>> is not
>>> the case here.
>> IMHO option is unnecessary. Just delete the location (and unset location
>> from
>> all member servers). The design does not contain --force anyway :-)
> OK, that's even better :-)
>
 Done

 Updated patches attached
>> I had to add top object class to the plugin and tests to make tests pass.
>> Patch is attached.
>>
>> CondACK: Fix this before pushing somehow.
>>
> 
> Updated and heavily rebased patches attached.

ACK

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles

[Martin Basti]

On 03.06.2016 15:10, Petr Vobornik wrote:

On 06/02/2016 01:40 PM, Pavel Vomacka wrote:

Hello,

please review my patches which add webui for server roles.


Did not test yet. I'm waiting for rebase of backend.

Patch 36: ACK (assuming it works when ^^ is available)

Patch 37:

1. typo: 'overriden' - twice

2. 'create_column_link' is a bad name for the method. The method doesn't
create a column link. It is a link's click handler. So the name should
be e.g. on_column_link_click

Patch 38:

1. in serverroles_nested_search_facet wouldn't it be better to override
only get_refresh_command_options and maybe get_refresh_command_args
instead of full create_refresh_command?



Works for me, but I borrow my VM to Petr to be sure if you meet all 
webUI requirements :)


Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] Fix minor typo

[Martin Basti]

On 03.06.2016 15:20, Yuri Chornoivan wrote:

Hi,

There is a minor typo in one of the FreeIPA user visible messages: 
"you OTP device" -> "your OTP device".


Thanks for fixing it.

Best regards,
Yuri



Thank you!

ACK

Pushed to master: fd4386d5c98e4b823a9f05e18c8b0db857bf1284

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] Fix minor typo

[Abhijeet Kasurde]

On 06/03/2016 06:50 PM, Yuri Chornoivan wrote:

Hi,

There is a minor typo in one of the FreeIPA user visible messages: 
"you OTP device" -> "your OTP device".


Thanks for fixing it.

Best regards,
Yuri



LGTM

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0032] Remove dangling RUVs even if replicas are offline

[Martin Basti]

On 19.05.2016 09:30, Stanislav Laznicka wrote:

On 05/19/2016 08:52 AM, Ludwig Krispenz wrote:


On 05/19/2016 08:02 AM, Stanislav Laznicka wrote:

On 05/18/2016 04:44 PM, Petr Vobornik wrote:

On 05/18/2016 04:36 PM, Stanislav Laznicka wrote:

There's no ticket for this patch but as there was a fix to 389-ds
mentioned in https://fedorahosted.org/freeipa/ticket/5396, the TODO
section in clean_dangling_ruvs could be removed.


What about using
   'replica-force-cleaning':'yes',

every time?

Is there a drawback which we would like to avoid?


The DS website mentions two possible risks
- possible loss of changes on deleted replica should these have not 
been reflected to some other replicas
this is a theoretical concern that there might be changes from the 
replica to be removed which are not yet on all servers, but to me the 
problem that cleaning ruvs hangs because replicas cannot be reached 
is the worse scenario.
- if some offline replica comes back online, it may re-pollute the 
RUVs back


I'm not sure of the probability of the second scenario, in my rather 
simple environment the re-pollution did not happen.
there have been fixes in 389-ds to prevent the repollution, so it 
should no longer happen.


Thank you, Ludwig. It seems reasonable to have the option set to 'yes' 
all the time, then.




ACK

Pushed to:
master: 0492ab9c0a014735f09e82d5db1c4c1aa2bd6d81
ipa-4-3: d7985af911d54d3ea2637cd8200aeff5d66638d5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] Fix minor typo

[Yuri Chornoivan]

Hi,

There is a minor typo in one of the FreeIPA user visible messages: "you  
OTP device" -> "your OTP device".


Thanks for fixing it.

Best regards,
Yuri

0001-Fix-minor-typo.patch
Description: Binary data
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0036-38 webui: Server roles

[Petr Vobornik]

On 06/02/2016 01:40 PM, Pavel Vomacka wrote:
> Hello,
> 
> please review my patches which add webui for server roles.
> 

Did not test yet. I'm waiting for rebase of backend.

Patch 36: ACK (assuming it works when ^^ is available)

Patch 37:

1. typo: 'overriden' - twice

2. 'create_column_link' is a bad name for the method. The method doesn't
create a column link. It is a link's click handler. So the name should
be e.g. on_column_link_click

Patch 38:

1. in serverroles_nested_search_facet wouldn't it be better to override
only get_refresh_command_options and maybe get_refresh_command_args
instead of full create_refresh_command?

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0031] Fix replica deletion when there's no RUVs on the server

[Martin Basti]

On 13.05.2016 15:48, Stanislav Laznicka wrote:

Fix.

On 05/13/2016 03:43 PM, Stanislav Laznicka wrote:
Got distracted with the code, beautifying replacement of previous 
patch attached.


On 05/13/2016 03:30 PM, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/5307

Please see the patch attached.












ACK

Pushed to:
master: 72f5c52d8cca32d8de5e8e0228d8ad3246efda48
ipa-4-3: 66be65c477ff029737adf89202a5c555092b5157

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember

[Stanislav Laznicka]

On 06/03/2016 02:19 PM, Martin Basti wrote:


On 03.06.2016 14:13, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/5892



NACK

please remove it from LDAPAddReverseMember too, it contains the same code

Martin^2


Please see the modified patch.

Standa

From 6bd0ea9cb7749cceba40e5df03aeca2e9ee3b70d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 3 Jun 2016 14:08:59 +0200
Subject: [PATCH] Removed dead code from LDAP{Remove,Add}ReverseMember

https://fedorahosted.org/freeipa/ticket/5892
---
 ipaserver/plugins/baseldap.py | 16 
 1 file changed, 16 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index bbd8ba146ead81857bbc4c2aee550b855b846be5..3f0e68b143f2dcb50be6bc49a752b19da02a248d 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -2129,14 +2129,6 @@ class LDAPAddReverseMember(LDAPModReverseMember):
 dn = callback(self, ldap, dn, *keys, **options)
 assert isinstance(dn, DN)
 
-if options.get('all', False):
-attrs_list = ['*'] + self.obj.default_attributes
-else:
-attrs_list = set(self.obj.default_attributes)
-if options.get('no_members', False):
-attrs_list.difference_update(self.obj.attribute_members)
-attrs_list = list(attrs_list)
-
 completed = 0
 failed = {'member': {self.reverse_attr: []}}
 for attr in options.get(self.reverse_attr) or []:
@@ -2228,14 +2220,6 @@ class LDAPRemoveReverseMember(LDAPModReverseMember):
 dn = callback(self, ldap, dn, *keys, **options)
 assert isinstance(dn, DN)
 
-if options.get('all', False):
-attrs_list = ['*'] + self.obj.default_attributes
-else:
-attrs_list = set(self.obj.default_attributes)
-if options.get('no_members', False):
-attrs_list.difference_update(self.obj.attribute_members)
-attrs_list = list(attrs_list)
-
 completed = 0
 failed = {'member': {self.reverse_attr: []}}
 for attr in options.get(self.reverse_attr) or []:
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][patch-0042] Automated 2 testcases from Managed Topology testplan

[Martin Babinsky]

On 06/03/2016 02:09 PM, Oleg Fayans wrote:

The patch applies and passes pylint




Hi Oleg,

You don't need to implement server-del tests as I have an extensive CI 
test suite for that already, see 
https://www.redhat.com/archives/freeipa-devel/2016-April/msg00101.html.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember

[Martin Basti]

On 03.06.2016 14:13, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/5892




NACK

please remove it from LDAPAddReverseMember too, it contains the same code

Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0042] Removed dead code from LDAPRemoveReverseMember

[Stanislav Laznicka]

https://fedorahosted.org/freeipa/ticket/5892

From 350cfa89f34a6f9beddc85a195963966e1aa561d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 3 Jun 2016 14:08:59 +0200
Subject: [PATCH] Removed dead code from LDAPRemoveReverseMember

https://fedorahosted.org/freeipa/ticket/5892
---
 ipaserver/plugins/baseldap.py | 8 
 1 file changed, 8 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index bbd8ba146ead81857bbc4c2aee550b855b846be5..f60fb505961ed3b6ce97b505623af153532dd1c9 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -2228,14 +2228,6 @@ class LDAPRemoveReverseMember(LDAPModReverseMember):
 dn = callback(self, ldap, dn, *keys, **options)
 assert isinstance(dn, DN)
 
-if options.get('all', False):
-attrs_list = ['*'] + self.obj.default_attributes
-else:
-attrs_list = set(self.obj.default_attributes)
-if options.get('no_members', False):
-attrs_list.difference_update(self.obj.attribute_members)
-attrs_list = list(attrs_list)
-
 completed = 0
 failed = {'member': {self.reverse_attr: []}}
 for attr in options.get(self.reverse_attr) or []:
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [Test][patch-0042] Automated 2 testcases from Managed Topology testplan

[Oleg Fayans]

The patch applies and passes pylint

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 39fd39118a6d6e84a4c8791c17ad54da5cbffd0d Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 3 Jun 2016 13:22:48 +0200
Subject: [PATCH] Automated 2 managed topology 4.4 testcases

---
 ipatests/test_integration/test_topology.py | 53 ++
 1 file changed, 53 insertions(+)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..9deeb4c552cc147ef536bb515ac2e731e44b8b10 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -159,3 +159,56 @@ class TestTopologyOptions(IntegrationTest):
 assert err == "", err
 returncode, error = tasks.destroy_segment(self.master, "%s-to-%s" % replicas)
 assert returncode == 0, error
+
+
+class TestServerDel(IntegrationTest):
+num_replicas = 1
+topology = 'star'
+
+def test_server_del_command(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_ipa_server-del_command
+"""
+self.master.run_command(['ipa', 'server-del',
+ self.replicas[0].hostname])
+result1 = self.master.run_command(['ipa', 'host-find'])
+assert(self.replicas[0].hostname in result1.stdout_text), (
+"Server-del has deleted replica's host record from the master")
+result2 = self.master.run_command(['ipa', 'dnsrecord-find',
+   self.master.domain.name])
+assert(self.replicas[0].hostname in result2.stdout_text), (
+"Server-del has removed replica's A record from master dns")
+result3 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[0].hostname not in result3.stdout_text), (
+"Server-del did not clean out replica's RUVs")
+
+
+class TestRemoteServerDelCall(IntegrationTest):
+num_replicas = 2
+domain_level = 0
+topology = 'star'
+
+def test_remote_server_del_execution(self):
+"""
+http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/
+Test_Plan#Test_case:_server_del_API_call_is_executed_at_
+ipa-server-install_--uninstall_on_the_replica_under_domain_level_1
+"""
+tasks.uninstall_master(self.replicas[0])
+result1 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[0].hostname in result1.stdout_text), (
+"Remote execution of server-del was performed under domain ldvel 0")
+self.master.run_command(['ipa', 'domainlevel-set', '1'])
+tasks.uninstall_master(self.replicas[1])
+result2 = self.master.run_command(['ipa', 'host-find'])
+assert(self.replicas[1].hostname in result2.stdout_text), (
+"Server-del has deleted replica's host record from the master")
+result3 = self.master.run_command(['ipa', 'dnsrecord-find',
+   self.master.domain.name])
+assert(self.replicas[1].hostname in result3.stdout_text), (
+"Server-del has removed replica's A record from master dns")
+result4 = self.master.run_command(['ipa-replica-manage', 'list-ruv'])
+assert(self.replicas[1].hostname not in result4.stdout_text), (
+"Replica uninstallation did not cause deleting of corresponding"
+" RUVs from master")
-- 
1.8.3.1

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0041] Increase nsslapd-db-locks

[Stanislav Laznicka]

Hello,

The attached patch implements solution to 
https://fedorahosted.org/freeipa/ticket/5914. The patch is rather hacky 
as nsslapd-db-locks requires to be modified when DS is not running 
although I accept proposals for better solution.


Standa

From f46164b12228708eac9656c85ff82657fa2b2a1f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 3 Jun 2016 13:27:04 +0200
Subject: [PATCH] Increase nsslapd-db-locks to 10

https://fedorahosted.org/freeipa/ticket/5914
---
 ipaserver/install/dsinstance.py | 15 ++-
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 00ef5f3a9370c2782213e5b269267eaa1ba4ae40..5e461fcdc61c0f27977c06ab4e8671952160c05d 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -250,8 +250,7 @@ class DsInstance(service.Service):
 
 self.step("creating directory server user", create_ds_user)
 self.step("creating directory server instance", self.__create_instance)
-if self.config_ldif:
-self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
+self.step("updating configuration in dse.ldif", self.__update_dse_ldif)
 self.step("restarting directory server", self.__restart_instance)
 self.step("adding default schema", self.__add_default_schemas)
 self.step("enabling memberof plugin", self.__add_memberof_module)
@@ -571,9 +570,15 @@ class DsInstance(service.Service):
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
-# parse modification from config ldif
-with open(self.config_ldif, "r") as config_ldif:
-parser.modifications_from_ldif(config_ldif)
+parser.replace_value(
+'cn=config,cn=ldbm database,cn=plugins,cn=config',
+'nsslapd-db-locks',
+['10']
+)
+if self.config_ldif:
+# parse modifications from ldif file supplied by the admin
+with open(self.config_ldif, "r") as config_ldif:
+parser.modifications_from_ldif(config_ldif)
 parser.parse()
 new_dse_ldif.flush()
 shutil.copy2(temp_filename, dse_filename)
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf

[Martin Basti]

On 03.06.2016 10:15, Alexander Bokovoy wrote:

On Thu, 02 Jun 2016, Martin Basti wrote:



On 02.06.2016 16:02, Stanislav Laznicka wrote:

Hello,

In this patch I am adding the mapping = to 
krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.





ACK

I have just one question, where is install/share/krb5.conf.template 
file used in code?

For setting up Kerberos instance as we have to do a lot more on IPA
master than IPA server.



Anyway, for the god of consistency I'm pushing this and that template 
can be updated and removed in another patch, if unused.

No, it should not be removed or you'll break FreeIPA completely.



Ok, thanks for info

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

[Martin Basti]

On 03.06.2016 08:53, Petr Spacek wrote:

On 2.6.2016 17:53, Martin Basti wrote:



Typo - redundant ' ' at the end.


Conditional NACK, warnings mentioned in
http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
are not there.

I'm open to changing this to ACK if you open a separate ticket for this
omission so we do not forget to add them later on.

I forgot to add, this will be in next batch of patches (you may see that there
are not marked DNS servers in output of location show), I do not see reason to
open ticket when the current one is not finished.


+1


Done


Patch 480:

1) The code in location_show.execute() looks like it could be moved to
location_show.post_callback()


I had to add it to execute because I modifies result entry not just entry_attrs


2) Before calling super().output_for_cli(), pop 'servers' from result, so
that
it is not displayed with --all.



Done


Patch 481:

1) Could we rename --force to --nonempty (or something better)? I would like
to reserve --force for "ignore NotFound when deleting the entry", which
is not
the case here.

IMHO option is unnecessary. Just delete the location (and unset location from
all member servers). The design does not contain --force anyway :-)

OK, that's even better :-)


Done

Updated patches attached

I had to add top object class to the plugin and tests to make tests pass.
Patch is attached.

CondACK: Fix this before pushing somehow.



Updated and heavily rebased patches attached.
From 0ba65ac9702d04fdccab7809af51c166e82e3379 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges

DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration
 
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX;)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX

[Freeipa-devel] [PATCH 0102] test: test_cli: Do not expect defaults in kwargs.

[David Kupka]

https://fedorahosted.org/freeipa/ticket/4739

With this patch all but one test in test_cli.py will pass again. The one 
failing is bug in the dns* commands prompt behavior and will be fixed soon.

--
David Kupka
From b3501bdc4a3195b8736a8d05992874ec72e7d97f Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 3 Jun 2016 09:21:08 +0200
Subject: [PATCH] test: test_cli: Do not expect defaults in kwargs.

Client is no longer forwarding in arguments with default values to the server.

https://fedorahosted.org/freeipa/ticket/4739
---
 ipatests/test_cmdline/test_cli.py | 126 ++
 1 file changed, 46 insertions(+), 80 deletions(-)

diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
index c2e051769550ae2b25b951731cc6f10bc05b2212..a6e6363cbc6d992743a1c07f5eb21c00370256b0 100644
--- a/ipatests/test_cmdline/test_cli.py
+++ b/ipatests/test_cmdline/test_cli.py
@@ -52,31 +52,18 @@ class TestCLIParsing(object):
 self.check_command('ping', 'ping')
 
 def test_user_show(self):
-self.check_command('user-show admin', 'user_show',
-uid=u'admin',
-rights=False,
-no_members=False,
-raw=False,
-all=False)
+self.check_command('user-show admin', 'user_show', uid=u'admin')
 
 def test_user_show_underscore(self):
-self.check_command('user_show admin', 'user_show',
-uid=u'admin',
-rights=False,
-no_members=False,
-raw=False,
-all=False)
+self.check_command('user_show admin', 'user_show', uid=u'admin')
 
 def test_group_add(self):
-self.check_command('group-add tgroup1 --desc="Test group"',
+self.check_command(
+'group-add tgroup1 --desc="Test group"',
 'group_add',
 cn=u'tgroup1',
 description=u'Test group',
-nonposix=False,
-external=False,
-no_members=False,
-raw=False,
-all=False)
+)
 
 def test_sudocmdgroup_add_member(self):
 # Test CSV splitting is not done
@@ -86,53 +73,41 @@ class TestCLIParsing(object):
 'sudocmdgroup_add_member',
 cn=u'tcmdgroup1',
 sudocmd=[u'ab,c', u'd'],
-no_members=False,
-raw=False,
-all=False)
+)
 
 def test_group_add_nonposix(self):
-self.check_command('group-add tgroup1 --desc="Test group" --nonposix',
+self.check_command(
+'group-add tgroup1 --desc="Test group" --nonposix',
 'group_add',
 cn=u'tgroup1',
 description=u'Test group',
 nonposix=True,
-external=False,
-no_members=False,
-raw=False,
-all=False)
+)
 
 def test_group_add_gid(self):
-self.check_command('group-add tgroup1 --desc="Test group" --gid=1234',
+self.check_command(
+'group-add tgroup1 --desc="Test group" --gid=1234',
 'group_add',
 cn=u'tgroup1',
 description=u'Test group',
 gidnumber=u'1234',
-nonposix=False,
-external=False,
-no_members=False,
-raw=False,
-all=False)
+)
 
 def test_group_add_interactive(self):
 with self.fake_stdin('Test group\n'):
-self.check_command('group-add tgroup1', 'group_add',
+self.check_command(
+'group-add tgroup1', 'group_add',
 cn=u'tgroup1',
-nonposix=False,
-external=False,
-no_members=False,
-raw=False,
-all=False)
+)
 
 def test_dnsrecord_add(self):
-self.check_command('dnsrecord-add %s ns --a-rec=1.2.3.4' % TEST_ZONE,
+self.check_command(
+'dnsrecord-add %s ns --a-rec=1.2.3.4' % TEST_ZONE,
 'dnsrecord_add',
 dnszoneidnsname=TEST_ZONE,
 idnsname=u'ns',
 arecord=u'1.2.3.4',
-structured=False,
-force=False,
-raw=False,
-all=False)
+)
 
 def test_dnsrecord_del_all(self):
 try:
@@ -144,19 +119,21 @@ class TestCLIParsing(object):
 dnszoneidnsname=TEST_ZONE,
 idnsname=u'ns', arecord=u'1.2.3.4', force=True)
 with self.fake_stdin('yes\n'):
-self.check_command('dnsrecord_del %s ns' % TEST_ZONE,
+self.check_command(
+'dnsrecord_del %s ns' % TEST_ZONE,
 'dnsrecord_del',
 dnszoneidnsname=TEST_ZONE,
 idnsname=u'ns',
 del_all=True,
-structured=False)
+)
 with self.fake_stdin('YeS\n'):
-self.check_command('dnsrecord_del 

[Freeipa-devel] [python-pytest-multihost][PATCH 0003] Added force option to rmdir

[Abhijeet Kasurde]

Hi All,

Please review this patch.

--
Thanks,
Abhijeet Kasurde

IRC: akasurde
http://akasurde.github.io

From 9148f39e340f9441be2b9e613485374b0f769559 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 3 Jun 2016 14:54:14 +0530
Subject: [PATCH] Added force option to rmdir

In order to remove directory with contents,
rmdir requires --ignore-fail-on-non-empty option

Signed-off-by: Abhijeet Kasurde 
---
 pytest_multihost/transport.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pytest_multihost/transport.py b/pytest_multihost/transport.py
index 8a36f02b56bfb8ba55069f76ebcd11e40ee5dc27..9622fc77698183884e8fe5624c63627426788d16 100644
--- a/pytest_multihost/transport.py
+++ b/pytest_multihost/transport.py
@@ -374,9 +374,12 @@ class OpenSSHTransport(Transport):
 else:
 raise IOError('File %r could not be read' % filename)
 
-def rmdir(self, path):
+def rmdir(self, path, force=False):
 self.log.info('RMDIR %s', path)
-cmd = self._run(['rmdir', path])
+cmdlist = ['rmdir', path]
+if force:
+cmdlist.append('--ignore-fail-on-non-empty')
+cmd = self._run(cmdlist)
 cmd.wait()
 
 def remove_file(self, filepath):
-- 
2.4.11

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf

[Alexander Bokovoy]

On Thu, 02 Jun 2016, Martin Basti wrote:



On 02.06.2016 16:02, Stanislav Laznicka wrote:

Hello,

In this patch I am adding the mapping = to 
krb5.conf as requested in 
https://fedorahosted.org/freeipa/ticket/5903.





ACK

I have just one question, where is install/share/krb5.conf.template 
file used in code?

For setting up Kerberos instance as we have to do a lot more on IPA
master than IPA server.



Anyway, for the god of consistency I'm pushing this and that template 
can be updated and removed in another patch, if unused.

No, it should not be removed or you'll break FreeIPA completely.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0002 Add the culprit line when a configuration file has an incorrect format

[Florence Blanc-Renaud]

On 06/02/2016 07:18 PM, Martin Basti wrote:




On 30.05.2016 18:11, Florence Blanc-Renaud wrote:


Hi Martin,

thanks for the review and the suggestion. Please find the updated 
patch attached.


Flo.

On 05/30/2016 11:00 AM, Martin Basti wrote:




On 27.05.2016 11:35, Florence Blanc-Renaud wrote:


Hi all,

this patch adds information to the output of ipa-client-install 
when it fails due to invalid format in a configuration file:
ipa-client-install failing with SyntaxError: Syntax Error: Unknown 
line format


Fixes: https://fedorahosted.org/freeipa/ticket/5811

--
Florence Blanc-Renaud
Identity Management Team, Red Hat


Thank you for your patch, I have just one nitpick. Can you please 
reuse the original exception?


-curopts.append(self.parseLine(line))
+try:
+curopts.append(self.parseLine(line))
+except SyntaxError as e:
+raise SyntaxError('{error} in file {fname}: 
[{line}]'.format(

+error=e, fname=f.name, line=line))

Martin^2


--
Florence Blanc-Renaud
Identity Management Team, Red Hat



We are almost there

SyntaxError: Syntax Error: Unknown line format in file 
/etc/nsswitch.conf: [sudoers sss

]

I don't like that extra newline, probably we should use line.rstrip() 
to line, to remove any whitespaces on right side, I'm not sure about 
left side, it probably should stay with whitespaces


Martin^2


Hi Martin,
good catch. Please find the updated patch attached.

--
Florence Blanc-Renaud
Identity Management Team, Red Hat

From 0dd3c93ce22ba4a5b1e222e8bea8782efffa245e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 23 May 2016 17:18:15 +0200
Subject: [PATCH] Add the culprit line when a configuration file has an
 incorrect format

For instance if /etc/nsswitch.conf contains an incorrect line
sudoers		file sss
(Note the missing : after sudoers)
ipa-client-install exits with a SyntaxError traceback but does not state
which line caused the issue.
With the fix, the filename and the line are displayed in the SyntaxError
message.

https://fedorahosted.org/freeipa/ticket/5811
---
 ipaclient/ipachangeconf.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaclient/ipachangeconf.py b/ipaclient/ipachangeconf.py
index e73f2978cf512fdfe055f349dba80f4d3275c433..1b5167c552f55d6665d8a5870ce29ab676e1f605 100644
--- a/ipaclient/ipachangeconf.py
+++ b/ipaclient/ipachangeconf.py
@@ -460,7 +460,11 @@ class IPAChangeConf:
 continue
 
 # Copy anything else as is.
-curopts.append(self.parseLine(line))
+try:
+curopts.append(self.parseLine(line))
+except SyntaxError as e:
+raise SyntaxError('{error} in file {fname}: [{line}]'.format(
+error=e, fname=f.name, line=line.rstrip()))
 
 #Add last section if any
 if len(sectopts) is not 0:
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0040] Always add hostname=IPAREALM to krb5.conf

[Stanislav Laznicka]

On 06/02/2016 08:11 PM, Martin Basti wrote:


On 02.06.2016 16:02, Stanislav Laznicka wrote:

Hello,

In this patch I am adding the mapping = to 
krb5.conf as requested in https://fedorahosted.org/freeipa/ticket/5903.



ACK

I have just one question, where is install/share/krb5.conf.template 
file used in code?


Anyway, for the god of consistency I'm pushing this and that template 
can be updated and removed in another patch, if unused.


Pushed to master: f0160a2ed28325e46be2921ac44d71ee88d1b3b1

It's rather cryptically hidden in the code (took me a while to find it 
again, I used it in some other patch before). It's used in creation of 
the krbinstance. See ipaserver/install/krbinstance.py:293 for the 
funzies and profit.


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

[Petr Spacek]

On 2.6.2016 17:53, Martin Basti wrote:
> 
>> Typo - redundant ' ' at the end.
>>
>>
>> Conditional NACK, warnings mentioned in
>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>> are not there.
>>
>> I'm open to changing this to ACK if you open a separate ticket for this
>> omission so we do not forget to add them later on.
> I forgot to add, this will be in next batch of patches (you may see that there
> are not marked DNS servers in output of location show), I do not see reason to
> open ticket when the current one is not finished.
> 
>
> +1
>
>> Done
>>
>
> Patch 480:
>
> 1) The code in location_show.execute() looks like it could be moved to
> location_show.post_callback()
>
>> I had to add it to execute because I modifies result entry not just 
>> entry_attrs
>>
>
> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
> that
> it is not displayed with --all.
>
>
>> Done
>>
> Patch 481:
>
> 1) Could we rename --force to --nonempty (or something better)? I would 
> like
> to reserve --force for "ignore NotFound when deleting the entry", which
> is not
> the case here.

 IMHO option is unnecessary. Just delete the location (and unset location 
 from
 all member servers). The design does not contain --force anyway :-)
>>>
>>> OK, that's even better :-)
>>>
>> Done
>>
>> Updated patches attached

I had to add top object class to the plugin and tests to make tests pass.
Patch is attached.

CondACK: Fix this before pushing somehow.

-- 
Petr^2 Spacek
diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py
index 3bf97fa..cf61094 100644
--- a/ipalib/plugins/location.py
+++ b/ipalib/plugins/location.py
@@ -58,7 +58,7 @@ class location(LDAPObject):
 container_dn = api.env.container_locations
 object_name = _('location')
 object_name_plural = _('locations')
-object_class = ['ipaLocationObject']
+object_class = ['ipaLocationObject', 'top']
 search_attributes = ['idnsName']
 default_attributes = [
 'idnsname', 'description'
diff --git a/ipatests/test_xmlrpc/tracker/location_plugin.py b/ipatests/test_xmlrpc/tracker/location_plugin.py
index 5e9713c..086442d 100644
--- a/ipatests/test_xmlrpc/tracker/location_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/location_plugin.py
@@ -73,7 +73,7 @@ class LocationTracker(Tracker):
 dn=self.dn,
 idnsname=[self.idnsname_obj],
 description=[self.description],
-objectclass=[u'ipaLocationObject'],
+objectclass=[u'ipaLocationObject', u'top'],
 )
 self.exists = True
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0013, 0017 webui: Add ability to convert users from preserved to staged state

[Pavel Vomacka]

On 06/02/2016 06:45 PM, Petr Vobornik wrote:

On 04/20/2016 07:05 PM, Pavel Vomacka wrote:

On 04/15/2016 06:44 PM, Petr Vobornik wrote:

On 04/13/2016 02:56 PM, Pavel Vomacka wrote:

Hello,

This patch adds ability to convert users from preserved to staged state.

Fixes this ticket:https://fedorahosted.org/freeipa/ticket/5371

--
Pavel^3 Vomacka



The patch requires rebase.

Attached rebased patches. I split this one patch into two patches.

Patch 13: ACK

Maybe a nitpick, why the icon have opacity 0.5?
I was not sure which icon I should use, so we talked about it with Honza 
and we've chosen the the user icon which will be  lighter than default.  
It would be better to do it using text color. So, updated patch attached.

Patch 17: needs rebase

Rebased patch attached.
From fe5043f2ce4989c2a4149442ff23db6679bdf642 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 20 Apr 2016 18:43:35 +0200
Subject: [PATCH 1/2] Add ability to stage multiple users

Add 'Stage' button on  search page where preserved users are listed.

https://fedorahosted.org/freeipa/ticket/5371
---
 install/ui/ipa.css  |  4 
 install/ui/src/freeipa/stageuser.js | 29 +
 install/ui/test/data/ipa_init.json  |  3 +++
 ipalib/plugins/internal.py  |  3 +++
 4 files changed, 39 insertions(+)

diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index f419eb224252aa03eaf4b25bb03435f4c9a6de9b..2921f4360a70f143d936e39bfdd5693b4a341750 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -174,6 +174,10 @@ div[name=settings].facet-group li a {
 float: right;
 }
 
+.facet-controls-right .fa.fa-user {
+color: #aaa;
+}
+
 .control-buttons {
 display: inline-block;
 }
diff --git a/install/ui/src/freeipa/stageuser.js b/install/ui/src/freeipa/stageuser.js
index 9d26ef1fa1a86aef5835af51b7abd2369e4c7223..12debed301a3ddbc166abcb3f444dd4775b40407 100644
--- a/install/ui/src/freeipa/stageuser.js
+++ b/install/ui/src/freeipa/stageuser.js
@@ -298,6 +298,9 @@ stageuser.search_preserved_facet_spec = {
 actions: [
 {
 $type: 'batch_undel'
+},
+{
+$type: 'batch_stage'
 }
 ],
 control_buttons: [
@@ -305,6 +308,11 @@ stageuser.search_preserved_facet_spec = {
 name: 'undel',
 label: '@i18n:buttons.restore',
 icon: 'fa-heart'
+},
+{
+name: 'batch_stage',
+label: '@i18n:buttons.stage',
+icon: 'fa-user'
 }
 ],
 policies: [
@@ -323,6 +331,12 @@ mod_user.entity_spec.policies.push(
 {
 $factory: IPA.facet_update_policy,
 source_facet: 'search_preserved',
+dest_entity: 'stageuser',
+dest_facet: 'search'
+},
+{
+$factory: IPA.facet_update_policy,
+source_facet: 'search_preserved',
 dest_entity: 'user',
 dest_facet: 'search'
 },
@@ -385,6 +399,20 @@ stageuser.activate_action = function(spec) {
 return that;
 };
 
+stageuser.batch_stage_action = function(spec) {
+
+spec = spec || {};
+
+spec.name = spec.name || 'batch_stage';
+spec.method = spec.method || 'stage';
+spec.needs_confirm = spec.needs_confirm === undefined ? true : spec.needs_confirm;
+spec.enable_cond = spec.enable_cond || ['item-selected'];
+spec.success_msg = spec.success_msg || '@i18n:objects.stageuser.stage_success';
+spec.confirm_msg = spec.confirm_msg || '@i18n:objects.stageuser.stage_confirm';
+
+return IPA.batch_items_action(spec);
+};
+
 /**
  * Stage user entity specification object
  * @member stageuser
@@ -402,6 +430,7 @@ stageuser.register = function() {
 a.register('batch_activate', stageuser.batch_activate_action);
 a.register('batch_undel', stageuser.batch_undel_action);
 a.register('activate', stageuser.activate_action);
+a.register('batch_stage', stageuser.batch_stage_action);
 e.register({type: 'stageuser', spec: stageuser.stageuser_spec});
 f.register_from_spec('user_search_preserved', stageuser.search_preserved_facet_spec);
 };
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 6ed7e98246c5d46850718fb1fbfafc0e8aebef0f..da401d415358347b5bb29fdbeaecf6da83546849 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -89,6 +89,7 @@
 "save": "Save",
 "set": "Set",
 "show": "Show",
+"stage": "Stage",
 "unapply": "Un-apply",
 "update": "Update",
 "view": "View"
@@ -545,6 +546,8 @@
 "activate_success": "${count} user(s) activated",
 "label": "Stage users",
 "preserved_label": "Preserved users",
+"stage_confirm": "Are you sure you want to stage 

Re: [Freeipa-devel] [WIP] Thin client

[David Kupka]

On 25/05/16 16:07, Jan Cholasta wrote:

On 25.5.2016 15:03, David Kupka wrote:

On 18/05/16 08:01, Jan Cholasta wrote:

On 16.5.2016 16:35, Martin Basti wrote:



On 09.05.2016 14:07, Jan Cholasta wrote:

On 6.5.2016 14:32, Martin Basti wrote:



On 28.04.2016 14:45, Jan Cholasta wrote:

Hi,

I have pushed my thin client WIP branch to GitHub:
.

All commits up to "ipalib: use relative imports for cross-plugin
imports" should be good for review. The rest is subject to change
(WARNING: I will force push into this branch).

Honza


I did not test it yet, I just checked the code

* automount: do not inherit automountlocation_tofiles from
LDAPQuery *
LGTM

* dns: move all dnsrecord code called on client to a single class *
LGTM

* dns: do not rely on server data structures in code called on
client *
1)
you forgot to increment VERSION


This was deliberate, as it will no longer be necessary to bump VERSION
for backward compatible changes after this whole patchset is merged.
But we're not there yet, so fixed.


How we should handle VERSION after your patches?


Otherwise LGTM

* otptoken: fix import of DN *
ACK

* otptoken_yubikey: fix otptoken_add_yubikey arguments *
1)
you forgot to increment VERSION


Fixed.



2)
Did you find out why this was issue?
-del answer['value']# Why does this cause an error if
omitted?
 -del answer['summary']  # Why does this cause an error if
omitted?


The command definition was not complete, it was missing has_output.



Otherwise LGTM

* vault: move client-side code to the module level *
LGTM

* vault: copy arguments of client commands from server counterparts *
1)
you forgot to increment Version


Fixed.



* ipalib: use relative imports for cross-plugin imports *
1) Missing explanation for future generations why this change is
needed
in commit message


Fixed.



The other commits I will check later.
Martin^2



Okay. Thanks.



* frontend: remove the unused Command.soft_validate method
LGTM

* frontend: perform argument value validation only on server
LGTM

* frontend: do not forward argument defaults to server
I'm not a fan of returning  None in promt_param function, but I havent
found anything better to use.


It always returned None for unset params.


LGTM

* ipalib: optimize API.txt
this contains a lot of black magic, but because this is mainly copy of
current to proper places, LGTM


It's actually mostly cut-n-paste.



* makeaci: load additional plugins using API.add_module
Looks good, but I miss explanation why is this change needed


The next change would be impossible without this.



* plugable: replace API.import_plugins with new API.add_package
LGTM


* ipalib, ipaserver: migrate all plugins to Registry-based registration
ACK

* ipalib, ipaserver: fix incorrect API.register calls in docstrings
LGTM


* plugable: remove the unused deprecated API.register method
LGTM


* plugable: switch API to Registry-based plugin discovery
LGTM

* frontend: merge baseldap.CallbackRegistry into Command
LGTM

*frontend: move the interactive_prompt callback type to Command
 LGTM

Martin^2







Hello,
first batch of 30 patches from Honza's trac-4739 branch
(https://github.com/jcholast/freeipa/commits/trac-4739) is ready to be
pushed into master.
All upto "frontend: allow commands to have an argument named `name`" got
over numerous test cycles in last week+ and is working as expected
now, ACK.


Thanks for the review.



Honzo, please rebase and push them, thanks!



Attaching the patches for reference.

Pushed to master: 2b50fc617024f18a81e97f30f75ed1b9221c4055



Hello,
another patchset is ready. There are still some minor issues with 
interactive prompt in dns* commands but these can be fixed later. 
Otherwise all work as expected, ACK.


Also it would be good to have tests for schema plugin, I have filled a 
ticket [1].


List of commits in Honza's trac-4739 branch:
frontend: do not check API minor version of the client
ipalib: move server-side plugins to ipaserver
ipaclient: implement thin client
misc: hide the unused --all option of `env` and `plugins` in CLI
ipalib: move File command arguments to ipaclient
ipactl: use server API
client install: finalize API after CA certs are available
rpc: do not validate command name in RPCClient.forward
rpc: optimize JSON-RPC response handling
rpc: specify connection options in API config
rpc: allow overriding NSS DB directory in API config
rpc: respect API config in RPCClient.create_connection
ipalib: introduce API schema plugins
ipalib: replace DeprecatedParam with `deprecated` Param argument
parameters: introduce no_convert keyword argument
parameters: introduce cli_metavar keyword argument
ipalib: split off client-side plugin code into ipaclient
dns: move code shared by client and server to separate module
ipaclient: add client-side command override class
frontend: turn Method attributes into properties
plugable: remember overriden plugins in API
plugable: