[Freeipa-devel] [freeipa PR#184][comment] Minor install script fixes

[pvoborni]

  URL: https://github.com/freeipa/freeipa/pull/184
Title: #184: Minor install script fixes

pvoborni commented:
"""
The debug patch breaks test installation on RHEL. Following exception is  
printed only if install.py is adjusted to print exception on line 
```
ipa : ERRORdebug
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", 
line 899, in install
if options.debug:
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 550, 
in __getattr__
raise AttributeError(name)
AttributeError: debug

```
I.e. there is no Knob debug nor verbose unless it is somehow copied. I don't 
know why it doesn't break install on Fedora but imho the patch cannot work.

This might also be the "there is no ipa-client-install.log"  issue. Because it 
fails just before calling ipa-client-install.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/184#issuecomment-256165308
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#171][comment] Build system cleanup phase 2

[lslebodn]

  URL: https://github.com/freeipa/freeipa/pull/171
Title: #171: Build system cleanup phase 2

lslebodn commented:
"""
On (20/10/16 10:29), Petr Špaček wrote:
>@lslebodn I'm really trying to explain this but I'm still not able to get the 
>point across. 
>> My concerns are related purely to C-code.
>
>Please understand that IPA client consists of components in C as well from 
>components in Python, and also non-programatic components like translation 
>machinery etc.
>
Correct me If I am wrong. The configure script is and will be used
just for detection of build dependencies for C-code.

So here I cannot see a conflict with my proposal.

>We certainly can create m4 include maze
I cannot see a reason why it would be a maze
Detection of client build dependencies will be done in main configure.ac
Detection of server dependencies would be done in `daemons/configure.ac`
`./ipatests/man/configure.ac` and `./install/configure.ac` does not have any
C-related dependencies and `./asn1/configure.ac` is required by client code.
IMHO ans1c/ can be moved to client/asn1c/ (but that's offtopic)

There would not be much includes as I showed in POC

>and force maintainer to always use `grep` before he finds particular part in 
>the build system.
maintainers do not use grep for finding build dependencies.
The most common use case is just to run configure script and
wait for reported errors. pkg-config returns nice error messages.
And then add new build dependency.

However, C related code is not changed very often and even more
C-related dependencies are added much less often.
But if new depenendecy will be added to server part then it will
be much simpler to review whether build dependency is added to the
right section if server dependencies will be in separate file.

>Unfortunatlly, even the m4 maze will not solve the problem that client-only
>build of C binaries simply do not constitute working IPA client.
>Integration with other Python components is necessary to get the client to 
>work.
>
Totally agree. But python components is not related to checking of
build time dependencies for C-code. It should be solved in different PR
IMHO, this PR should not complicate client-only build just for C-binaries.

>The end goal is to fold all of hand-made Makefile and SPEC file scripts to the 
>build system, so in the end, it should help with porting to other arches - 
>there will be just one place where changes need to be done, instead of three.
>
Agree, but here I cannot see any conflict with my proposal.


>I hope that it clears up why it is not useful to insist on keeping current 
>pieces as they were before. The design document was sent to freeipa-devel 
>mailing list in this thread:
>https://www.redhat.com/archives/freeipa-devel/2016-October/msg00134.html
>Please discuss conceptual questions on the mailing list so we can get 
>attention of other FreeIPA developers and avoid need to point people one by 
>one to this PR.
>
I read the desing page and there is mentioned that autotools
will be used for C-part as an implementation and configure
script should have the option --enable-server which default yes.

I could not find any contradiction between my proposal and desing page.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/171#issuecomment-256120734
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#145][comment] Refactoring: LDAP Connection Management

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/145
Title: #145: Refactoring: LDAP Connection Management

mbasti-rh commented:
"""
@rcritten Tomas removed timelimit that was used for repeated connections, it is 
not used for preventing hangs. (If we talk about the same commit 'ldap 
refactoring: remove wait/timeout during binds') We added this functionality to 
DS restart, restart will block code until DS is not ready on LDAPI port.

@tomaskrizek I put two inline comments there, otherwise changes make sense. 
I'll wait for tests results
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/145#issuecomment-256088359
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#183][+pushed] Add __name__ == __main__ guards to setup.pys

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/183
Title: #183: Add __name__ == __main__ guards to setup.pys

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#183][comment] Add __name__ == __main__ guards to setup.pys

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/183
Title: #183: Add __name__ == __main__ guards to setup.pys

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/91920e7cb48cbf143ae281c9c073df14b2c2dddf
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/183#issuecomment-256082320
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#183][closed] Add __name__ == __main__ guards to setup.pys

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/183
Author: tiran
 Title: #183: Add __name__ == __main__ guards to setup.pys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/183/head:pr183
git checkout pr183
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#183][+ack] Add __name__ == __main__ guards to setup.pys

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/183
Title: #183: Add __name__ == __main__ guards to setup.pys

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#185][opened] TESTS: Update group type name

[pvomacka]

   URL: https://github.com/freeipa/freeipa/pull/185
Author: pvomacka
 Title: #185: TESTS: Update group type name
Action: opened

PR body:
"""
As the group type has been changed from 'normal' to 'nonposix' we need to update
this information also in tests.

https://fedorahosted.org/freeipa/ticket/6334
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/185/head:pr185
git checkout pr185
From 828037fded701447ef8cd6cb9da1765a316c35f0 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 20 Oct 2016 15:25:13 +0200
Subject: [PATCH] TESTS: Update group type name

As the group type has been changed from 'normal' to 'nonposix' we need to update
this information also in tests.

https://fedorahosted.org/freeipa/ticket/6334
---
 ipatests/test_webui/data_group.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_webui/data_group.py b/ipatests/test_webui/data_group.py
index 9d79d18..517f98f 100644
--- a/ipatests/test_webui/data_group.py
+++ b/ipatests/test_webui/data_group.py
@@ -26,7 +26,7 @@
 'add': [
 ('textbox', 'cn', PKEY),
 ('textarea', 'description', 'test-group desc'),
-('radio', 'type', 'normal'),
+('radio', 'type', 'nonposix'),
 ],
 'mod': [
 ('textarea', 'description', 'test-group desc modified'),
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

[pvomacka]

  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvomacka commented:
"""
@mbasti-rh 
2) fixed
3) I filled a ticket: https://fedorahosted.org/freeipa/ticket/6388
4) Tests added
5) Fixed
6) Fixed
7) Salt added
8) Field for public key added
9) Warning added
10) Transport certificate is now visible in WebUI
11) Information added into adder dialog

The issue with showing error in case that KRA is not installed is also fixed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-256062716
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

[pvomacka]

   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139
From 0e038b2e6297e1045008d8aacccfcba067d6e7ab Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 09:54:24 +0200
Subject: [PATCH 01/13] Additional option to add and del operations can be set

By setting the property 'additional_add_del_field' to the name of one of
the fields which are on current details page, we choose field which value
will be added to  *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 7579bb0..d44f8c8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) {
 
 var that = IPA.table_widget(spec);
 
+/**
+ * The value should be name of the field, which will be added to *_add_*,
+ * *_del_* commands as option: {fieldname: fieldvalue}.
+ *
+ * @property {String} fieldname
+ */
+that.additional_add_del_field = spec.additional_add_del_field;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) {
 });
 command.set_option(that.other_entity.name, values);
 
+that.join_additional_option(command);
+
 command.execute();
 };
 
+that.join_additional_option = function(command) {
+var add_opt = that.additional_add_del_field;
+if (add_opt && typeof add_opt === 'string') {
+var opt_field = that.entity.facet.get_field(add_opt);
+var value;
+if (opt_field) value = opt_field.get_value()[0];
+
+command.set_option(add_opt, value);
+}
+};
+
 that.show_remove_dialog = function() {
 
 var selected_values = that.get_selected_values();
@@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) {
 });
 
 command.set_option(that.other_entity.name, values);
+that.join_additional_option(command);
 
 command.execute();
 };

From 3f665d1ecff23515c68ff872e7d2fa23f570b0d6 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 10:09:20 +0200
Subject: [PATCH 02/13] Allow to set another other_entity name

Association table's add, del commands needs as option list of cn of
other_entity, which is added or deleted. There is a case (currently in vaults)
that the name of option is different than the name of other_entity.
In this situation we can set 'other_option_name' and put there the option name.
This option name will be used instead of 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 24 +---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index d44f8c8..63beeb8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -429,6 +429,17 @@ IPA.association_table_widget = function (spec) {
  */
 that.additional_add_del_field = spec.additional_add_del_field;
 
+/**
+ * Can be used in situations when the *_add_member command needs entity
+ * as a parameter, but parameter has different name than entity.
+ * i.e. vault_add_member --services=[values] ... this needs values from service
+ * entity, but option is called services, that we can set by setting
+ * this option in spec to other_option_name: 'services'
+ *
+ * @property other_option_name {String}
+ */
+that.other_option_name = spec.other_option_name;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -683,9 +694,9 @@ IPA.association_table_widget = function (spec) {
 on_success: on_success,
 on_error: on_error
 });
-command.set_option(that.other_entity.name, values);
 
 that.join_additional_option(command);
+that.handle_entity_option(command, values);
 
 command.execute();
 };
@@ -701,6 +712,14 @@ IPA.association_table_widget = function (spec) {
 }
 };
 
+that.handle_entity_option = function(command, values) {
+var option_name = that.other_option_name;
+if (!option_name) {
+option_name = that.other_entity.name;
+}
+

[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

tiran commented:
"""
Your proposals are hacks / workarounds, not a proper API to point ipa/ipalib to 
a custom configuration location. I'm proposing a proper API for integrators 
that works similar to ```KRB5_CONFIG``` 
(https://web.mit.edu/kerberos/krb5-1.14/doc/admin/env_variables.html). The PR 
is part of a larger effort to simplify integration of ipalib and ipa CLI into 
Ansible and other systems. Such integration needs to set ```KRB5_CONFIG``` 
anyway. It makes perfectly sense to have ```IPA_CONFDIR```, too. It's not 
```IPA_CONFIG``` because a local enrolment needs ```ca.crt``` and ```nssdb```.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/182#issuecomment-256056130
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#148][closed] Unaccessible variable self.attrs in Tracker

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/148
Author: gkaihorodova
 Title: #148: Unaccessible variable self.attrs in Tracker
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/148/head:pr148
git checkout pr148
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#148][+pushed] Unaccessible variable self.attrs in Tracker

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/148
Title: #148: Unaccessible variable self.attrs in Tracker

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#148][comment] Unaccessible variable self.attrs in Tracker

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/148
Title: #148: Unaccessible variable self.attrs in Tracker

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9b0b97073304ba6bfdd6292b07533ab3e7fe8bcb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/148#issuecomment-256016975
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] tomcat-8.0.37-3.fc24.noarch package from updates testing breaks CA instance spawn

[Alexander Bokovoy]

On ti, 25 loka 2016, Martin Babinsky wrote:
An update for Apache Tmocat recently pushed into bodhi[1] seems to 
break CA instance spawning in a spectacular way.[2] It seems that the 
update once again breaks the loading of Java classes during Dogtag 
server initialization.


I gave the package negative karma and I suggest for you to do the same 
until the issue is resolved.


As a workaround you can either disable updates-testing or use:

"""
dnf downgrade --allowerasing tomcat
"""

to downgrade tomcat and dependencies to version 8.0.36-2.fc24 which works.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c1b01b9278
[2] https://paste.fedoraproject.org/460589/77394029

Thank you Martin.

I've found the corresponding Apache bugzilla entry:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60101

Tomcat needs to be rebased to 8.0.38 to work. I just broke my test
install ;)
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#184][+pushed] Minor install script fixes

[mbasti-rh]

  URL: https://github.com/freeipa/freeipa/pull/184
Title: #184: Minor install script fixes

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#184][closed] Minor install script fixes

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/184
Author: simo5
 Title: #184: Minor install script fixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/184/head:pr184
git checkout pr184
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] tomcat-8.0.37-3.fc24.noarch package from updates testing breaks CA instance spawn

[Martin Babinsky]

An update for Apache Tmocat recently pushed into bodhi[1] seems to break 
CA instance spawning in a spectacular way.[2] It seems that the update 
once again breaks the loading of Java classes during Dogtag server 
initialization.


I gave the package negative karma and I suggest for you to do the same 
until the issue is resolved.


As a workaround you can either disable updates-testing or use:

"""
dnf downgrade --allowerasing tomcat
"""

to downgrade tomcat and dependencies to version 8.0.36-2.fc24 which works.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c1b01b9278
[2] https://paste.fedoraproject.org/460589/77394029

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir

[tiran]

  URL: https://github.com/freeipa/freeipa/pull/180
Title: #180: Make api.env.nss_dir relative to api.env.confdir

tiran commented:
"""
The improvement depends on PR #143.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/180#issuecomment-255978976
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

[gkaihorodova]

  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
Yes, It's  a valid point to add testcases for these changes . Will do. Thank 
you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-255976850
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
From efa099f727898172f4addd7cfd89666d56c9988f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 24 Oct 2016 10:35:41 +0200
Subject: [PATCH] Use env var IPA_CONFDIR to get confdir for cli contexts

For 'cli' and 'cli_installer' contexts, the environment variable
IPA_CONFDIR overrides the default confdir path. The value of the
environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Server and server installer contexts do not use the env var.

Signed-off-by: Christian Heimes 
---
 client/man/ipa.1 |  4 
 ipalib/config.py | 10 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/client/man/ipa.1 b/client/man/ipa.1
index 9194ca0..b843e7b 100644
--- a/client/man/ipa.1
+++ b/client/man/ipa.1
@@ -186,6 +186,10 @@ The ipa client will determine which server to connect to in this order:
 
 .TP
 If a kerberos error is raised by any of the requests then it will stop processing and display the error message.
+.SH "ENVIRONMENT VARIABLES"
+.TP
+\fBIPA_CONFDIR\fR
+Override path to confdir (default: \fB/etc/ipa\fR).
 .SH "FILES"
 .TP
 \fB/etc/ipa/default.conf\fR
diff --git a/ipalib/config.py b/ipalib/config.py
index cf9e925..3b1eaeb 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -461,7 +461,15 @@ def _bootstrap(self, **overrides):
 
 # Set confdir:
 if 'confdir' not in self:
-if self.in_tree:
+ipa_confdir = os.environ.get('IPA_CONFDIR')
+env_contexts = {'cli', 'cli_installer'}
+if ipa_confdir is not None and self.context in env_contexts:
+if not path.isabs(ipa_confdir) or not path.isdir(ipa_confdir):
+raise AttributeError(
+'IPA_CONFDIR must be an absolute path to an '
+'existing directory.')
+self.confdir = ipa_confdir
+elif self.in_tree:
 self.confdir = self.dot_ipa
 else:
 self.confdir = path.join('/', 'etc', 'ipa')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
From 703a8e7c36cc0d9c4005681436a5cdba7d0bff47 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 24 Oct 2016 10:35:41 +0200
Subject: [PATCH] Use env var IPA_CONFDIR to get confdir for cli contexts

For 'cli' and 'cli_installer' contexts, the environment variable
IPA_CONFDIR overrides the default confdir path. The value of the
environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.

Server and server installer contexts do not use the env var.

Signed-off-by: Christian Heimes 
---
 client/man/ipa.1 |  4 
 ipalib/config.py | 10 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/client/man/ipa.1 b/client/man/ipa.1
index 9194ca0..b843e7b 100644
--- a/client/man/ipa.1
+++ b/client/man/ipa.1
@@ -186,6 +186,10 @@ The ipa client will determine which server to connect to in this order:
 
 .TP
 If a kerberos error is raised by any of the requests then it will stop processing and display the error message.
+.SH "ENVIRONMENT VARIABLES"
+.TP
+\fBIPA_CONFDIR\fR
+Override path to confdir (default: \fB/etc/ipa\fR).
 .SH "FILES"
 .TP
 \fB/etc/ipa/default.conf\fR
diff --git a/ipalib/config.py b/ipalib/config.py
index cf9e925..b55a524 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -461,7 +461,15 @@ def _bootstrap(self, **overrides):
 
 # Set confdir:
 if 'confdir' not in self:
-if self.in_tree:
+ipa_confdir = os.environ.get('IPA_CONFDIR')
+env_contexts = {'cli', 'cli_installer'}
+if ipa_confdir is not None and self.context in env_contests:
+if not path.isabs(ipa_confdir) or not path.isdir(ipa_confdir):
+raise AttributeError(
+'IPA_CONFDIR must be an absolute path to an '
+'existing directory.')
+self.confdir = ipa_confdir
+elif self.in_tree:
 self.confdir = self.dot_ipa
 else:
 self.confdir = path.join('/', 'etc', 'ipa')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#183][synchronized] Add __name__ == __main__ guards to setup.pys

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/183
Author: tiran
 Title: #183: Add __name__ == __main__ guards to setup.pys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/183/head:pr183
git checkout pr183
From 07c46dd705bbebb3faca13997497926c5a77c038 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 24 Oct 2016 14:56:58 +0200
Subject: [PATCH] Add __name__ == __main__ guards to setup.pys

Signed-off-by: Christian Heimes 
---
 ipaclient/setup.py   | 40 +++---
 ipalib/setup.py  | 26 +--
 ipaplatform/setup.py | 34 -
 ipapython/setup.py   | 32 
 ipaserver/setup.py   | 39 ++---
 ipatests/pytest.ini  |  7 ++
 ipatests/setup.py| 70 ++--
 7 files changed, 127 insertions(+), 121 deletions(-)

diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index 8b9dd58..32778b0 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -20,26 +20,26 @@
 
 FreeIPA is a server for identity, policy, and audit.
 """
-import os
+from os.path import abspath, dirname
 import sys
 
-# include ../ for ipasetup.py
-sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__
+if __name__ == '__main__':
+# include ../ for ipasetup.py
+sys.path.append(dirname(dirname(abspath(__file__
+from ipasetup import ipasetup  # noqa: E402
 
-from ipasetup import ipasetup  # noqa: E402
-
-ipasetup(
-name="ipaclient",
-doc=__doc__,
-scripts=['../ipa'],
-package_dir={'ipaclient': ''},
-packages=[
-"ipaclient",
-"ipaclient.plugins",
-"ipaclient.remote_plugins",
-"ipaclient.remote_plugins.2_49",
-"ipaclient.remote_plugins.2_114",
-"ipaclient.remote_plugins.2_156",
-"ipaclient.remote_plugins.2_164",
-],
-)
+ipasetup(
+name="ipaclient",
+doc=__doc__,
+scripts=['../ipa'],
+package_dir={'ipaclient': ''},
+packages=[
+"ipaclient",
+"ipaclient.plugins",
+"ipaclient.remote_plugins",
+"ipaclient.remote_plugins.2_49",
+"ipaclient.remote_plugins.2_114",
+"ipaclient.remote_plugins.2_156",
+"ipaclient.remote_plugins.2_164",
+],
+)
diff --git a/ipalib/setup.py b/ipalib/setup.py
index 62a4499..982a783 100644
--- a/ipalib/setup.py
+++ b/ipalib/setup.py
@@ -20,19 +20,19 @@
 
 FreeIPA is a server for identity, policy, and audit.
 """
-import os
+from os.path import abspath, dirname
 import sys
 
-# include ../ for ipasetup.py
-sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__
+if __name__ == '__main__':
+# include ../ for ipasetup.py
+sys.path.append(dirname(dirname(abspath(__file__
+from ipasetup import ipasetup  # noqa: E402
 
-from ipasetup import ipasetup  # noqa: E402
-
-ipasetup(
-name="ipalib",
-doc=__doc__,
-package_dir={'ipalib': ''},
-packages=[
-"ipalib",
-],
-)
+ipasetup(
+name="ipalib",
+doc=__doc__,
+package_dir={'ipalib': ''},
+packages=[
+"ipalib",
+],
+)
diff --git a/ipaplatform/setup.py b/ipaplatform/setup.py
index 8b2d75d..82499da 100644
--- a/ipaplatform/setup.py
+++ b/ipaplatform/setup.py
@@ -20,23 +20,23 @@
 
 FreeIPA is a server for identity, policy, and audit.
 """
-import os
+from os.path import abspath, dirname
 import sys
 
-# include ../ for ipasetup.py
-sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__
+if __name__ == '__main__':
+# include ../ for ipasetup.py
+sys.path.append(dirname(dirname(abspath(__file__
+from ipasetup import ipasetup  # noqa: E402
 
-from ipasetup import ipasetup  # noqa: E402
-
-ipasetup(
-name="ipaplatform",
-doc=__doc__,
-package_dir={'ipaplatform': ''},
-packages=[
-"ipaplatform",
-"ipaplatform.base",
-"ipaplatform.fedora",
-"ipaplatform.redhat",
-"ipaplatform.rhel"
-],
-)
+ipasetup(
+name="ipaplatform",
+doc=__doc__,
+package_dir={'ipaplatform': ''},
+packages=[
+"ipaplatform",
+"ipaplatform.base",
+"ipaplatform.fedora",
+"ipaplatform.redhat",
+"ipaplatform.rhel"
+],
+)
diff --git a/ipapython/setup.py b/ipapython/setup.py
index 81e032b..47acdd6 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -20,22 +20,22 @@
 
 FreeIPA is a server for identity, policy, and audit.
 """
-import os
+from os.path import abspath, dirname
 import sys
 
-# include ../ for ipasetup.py
-sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__
+if __name__ == '__main__':
+# include ../ for ipasetup.py
+

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Oleg Fayans]

Integration part of the tests is ready. 2 tests:

1. Adds a cert to idoverride of a windows user
2. sssd part - looks up user by his certificate using dbus-sssd

Second and third dbus call are executed as a string insted of as array 
of strings because it just does not work otherwise. Some quote escaping 
gets screwed probably, but the system returns "Error 
org.freedesktop.DBus.Error.UnknownInterface: Unknown interface" if the 
command is executed using the standard array-based approach


The run looks like this:

bash-4.3$ ipa-run-tests test_integration/test_idviews.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 test session starts 


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 2 items

test_integration/test_idviews.py ..

 2 passed in 948.44 seconds 
=



On 10/21/2016 10:54 AM, Oleg Fayans wrote:

Added one more test, resolved the pep8 issues

On 10/19/2016 12:32 PM, Oleg Fayans wrote:

Hi Martin,

As you suggested, I've extended the
test_xmlrpc/test_add_remove_cert_cmd.py to contain basic tests for certs
in idoverrides.
The integration part still needs some polishing in the part related to
user lookup by cert

On 10/14/2016 03:57 PM, Martin Babinsky wrote:

On 10/14/2016 03:48 PM, Oleg Fayans wrote:

So, did I understand correctly, that there would be 2 patches: one
containing test for basic idoverrides functionality without
AD-integration, and the second one - with AD-integration and an sssd
check, correct?
I guess, the
freeipa-ofayans-0050.1-Automated-test-for-certs-in-idoverrides-feature.patch



might be a good candidate for the first one, I only have to change the
filename to test_idviews.py, right?



Oleg, we already have XMLRPC tests for idoverrides:

ipatests/test_xmlrpc/test_idviews_plugin.py

Is there any particular reason why not to extend them with add
cert/remove cert operations?

Even better, you can extend
`ipatests/test_xmlrpc/test_add_remove_cert_cmd.py` suite by doing the
same set of tests on idoverrideuser objects.

Or am I missing something?


On 09/15/2016 10:32 AM, Martin Basti wrote:



On 15.09.2016 10:10, Oleg Fayans wrote:

Hi Martin,

The file was renamed. Did I understand correctly that for now we are
leaving the test as is and are planning to extend it later?


I would like to have there SSSD check involved, please use what Summit
recommends. No new test cases.

And this can be done by separate patch, I want to have API/CLI
certificate override tests for non-AD idview (extending current
tests I
posted in this thread)

Martin^2


On 09/15/2016 09:49 AM, Martin Basti wrote:



On 14.09.2016 18:53, Sumit Bose wrote:

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:


On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:


On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default
trust ID view is added just by ipa-adtrust-install, adding
trust is not needed for current implementation. You don't
need AD for this, IDviews is generic feature not just for
AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will
not be
able to set up certificates to ID override which does not
exist.

For non-'default trust view' you can add both IPA and AD users,
so using
some other view and then assign certificate for a ID
override in
that
one.


Ok then, but anyway I would like to see API/CLI tests for this
feature with proper output validation.


How can be this tested with SSSD?

You need to log into the system with a certificate...

Is this possible from test? We are logged remotely as root, is
there any
cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate.
This
should work for certificate stored in AD as well as for overrides.

You can also you the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate



.

HTH

bye,
Sumit


Thank you Alexander and Summit for hints.

Oleg I realized we don't have any other idviews integration tests

So I propose to rename test file you are adding to
test_idviews.py. We
can add more testcases for idviews there later

Martin^2

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: 

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

[mirielka]

  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

mirielka commented:
"""
The same minimal values apply for stageuser-add command, can you please modify 
the stageuser tracker as well? Also adding testcases for these changes would be 
nice.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-255951439
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code