[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-09 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 06631ac1b5508cf23d142939206a9b160511a33c Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if the location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck | 11 +++
 ipaclient/install/client.py | 14 ++
 ipapython/certdb.py | 19 ---
 ipaserver/install/certs.py  |  2 +-
 ipaserver/install/installutils.py   | 18 --
 ipaserver/install/ipa_cacert_manage.py  |  8 
 ipaserver/install/ipa_server_certinstall.py |  7 +++
 ipaserver/install/kra.py|  7 ---
 8 files changed, 41 insertions(+), 45 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
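Review bot: dropping `nss_dir = nss_db.secdir` changes what the code after the `with` block sees when `nss_dir` was None and `NSSDatabase` created a temporary directory: previously that temporary `secdir` was propagated, now `nss_dir` keeps its original value. Check that the `api.bootstrap(...)` call that follows (and anything else reading `nss_dir` afterwards) no longer needs the temporary directory, or keep the assignment.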
@@ -555,8 +552,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
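Review bot: with the `else: nss_dir = None` branch gone, `nss_dir` is no longer reset when `--ca-cert-file` is not given, so `api.bootstrap` receives whatever value `nss_dir` had before the `with` block instead of None. If that value can be a real directory, confirm that bootstrapping with it is intended; if it is always None here, a one-line comment saying so would make the removal obviously safe.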
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..1b75f49 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2289,18 +2289,16 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
 
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
 ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
 
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
 
-db.create_db(pwdfile)
+db.create_db()
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
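Review bot: `ipautil.backup_file(db.password_file)` runs before `db.create_passwd_file(...)`, and `NSSDatabase.__init__` in this patch sets `self.password_file` to its `password_file` argument, which defaults to None, so for `certdb.NSSDatabase(paths.IPA_NSSDB_DIR)` the backup call receives None instead of the old `pwdfile.txt` path. Either pass the path explicitly here or have the constructor default it to `os.path.join(self.secdir, 'pwdfile.txt')`. Separately, `create_passwd_file` followed by `os.chmod(db.password_file, 0o600)` keeps the same window as the code it replaces, during which the file exists with umask-derived permissions; creating it with mode 0o600 from the start inside `create_passwd_file` (for example `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) would remove the chmod from every caller.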
@@ -2672,8 +2670,8 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
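Review bot: the password now lives in a file created by `tmp_db` itself rather than in the separate temporary file `pwd_file`, which went away together with that object. It therefore persists until `tmp_db.close()`; the `except`/`finally` of this `try` is outside the hunk, so make sure the database is closed on every path, including when `add_cert` raises, so that the generated password is not left on disk.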
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..2e7200b 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,13 +83,14 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
-def __init__(self, nssdir=None):
+def __init__(self, nssdir=None, password_file=None):
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
 else:
 self.secdir = nssdir
 self._is_temporary = False
+self.password_file = password_file
 
 def close(self):
 if self._is_temporary:
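Review bot: the new `password_file` parameter is undocumented and defaults to None, while `create_ipa_nssdb` in this same patch drops its explicit `os.path.join(db.secdir, 'pwdfile.txt')` and reads `db.password_file` instead. Defaulting here to `os.path.join(self.secdir, 'pwdfile.txt')` when no path is given would preserve the on-disk layout the client code relied on, and would work for the temporary `mkdtemp()` case as well; a one-line docstring for the parameter would also help.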
@@ -102,16 +103,20 @@ def __exit__(self, type, value, tb):
 self.close()
 
 def run_certutil(self, args, stdin=None, **kwargs):
-new_args = 
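The hunks above move password-file handling into `NSSDatabase`. As an added example, not code from FreeIPA or from this PR, here is how such a helper can create the password file so that it is never readable by other users, not even briefly, and how the `-f` argument for certutil is assembled once the file's location is known. The file name `pwdfile.txt` inside the database directory mirrors the client code in the patch; the function names, the `certutil_args` builder and the sample password are this example's own.

```python
import os
import stat
import tempfile

PWDFILE_NAME = "pwdfile.txt"  # same file name the client installer uses in the patch


def create_passwd_file(secdir, password):
    """Store the NSS database password in secdir/pwdfile.txt and return its path.

    mkstemp() creates the temporary file with mode 0600 from the start, so
    there is no window in which a umask-derived, world-readable file holds
    the secret (the pattern open(); write(); chmod() has one). The final
    rename is atomic, so certutil never reads a half-written password file.
    """
    final = os.path.join(secdir, PWDFILE_NAME)
    fd, tmp = tempfile.mkstemp(prefix="." + PWDFILE_NAME, dir=secdir)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password)
            f.flush()
            os.fsync(f.fileno())
        os.rename(tmp, final)
    except BaseException:
        os.unlink(tmp)
        raise
    return final


def password_file_is_private(path):
    """True if path is a regular file (not a symlink) with no group/other bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def certutil_args(secdir, args, password_file=None):
    """Build the argv for a certutil call against secdir.

    '-f password_file' is appended only when the database's password file
    is known, which is the behaviour the NSSDatabase change aims for.
    """
    argv = ["certutil", "-d", secdir] + list(args)
    if password_file is not None:
        argv += ["-f", password_file]
    return argv


if __name__ == "__main__":
    # Constructed demo: a throw-away directory and a made-up password.
    secdir = tempfile.mkdtemp()
    pwdfile = create_passwd_file(secdir, "constructed-example-password")
    print(password_file_is_private(pwdfile))
    print(" ".join(certutil_args(secdir, ["-N"], pwdfile)))
```

Re-running `create_passwd_file` on an existing database replaces the file atomically, so a reader either sees the old password or the new one, never an empty file.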

[Freeipa-devel] [freeipa PR#444][edited] Allow nsaccountlock to be searched in user-find commands

2017-02-09 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: edited

 Changed field: body
Original value:
"""
This patch provides the ability to search and find users who are 
enabled/disabled in the `ipa user-show` and `ipa user-find` commands without 
breaking API compatibility.
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#444][edited] Allow nsaccountlock to be searched in user-find commands

2017-02-09 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: edited

 Changed field: title
Original value:
"""
Allow nsaccountlock to be searched in user-find and user-show commands
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#444][synchronized] Allow nsaccountlock to be searched in user-find and user-show commands

2017-02-09 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find and user-show 
commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444
From 6d398d87e3cdb888a4d59ddb44c64ebfb033cfe4 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 9 Feb 2017 20:43:57 -0700
Subject: [PATCH] Allow nsaccountlock to be searched in user-find command

This patch provides the ability to search and find users who are
enabled/disabled in the `ipa user-find` command without breaking API compatibility.
---
 ipaserver/plugins/user.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 1ef71d2..e9ecce5 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -780,6 +780,14 @@ class user_find(baseuser_find):
 ),
 )
 
+def get_options(self):
+for option in super(user_find, self).get_options():
+if option.name == 'nsaccountlock':
+flags = set(option.flags)
+flags.remove('no_option')
+option = option.clone(flags=flags)
+yield option
+
 def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options):
 assert isinstance(base_dn, DN)
 self.pre_common_callback(ldap, filter, attrs_list, base_dn, scope,
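Review bot: `flags.remove('no_option')` raises KeyError if the flag is ever absent from the inherited definition; `flags.discard('no_option')` is safe, and, as MartinBasti's comment on this PR proposes, changing the flags in the `user` object's `takes_params` to `['no_create', 'no_update']` avoids the override altogether. Exposing the option also needs a check that the Bool value becomes a usable LDAP filter term, since `nsaccountlock` is stored as the strings TRUE/FALSE, and a test for `ipa user-find --nsaccountlock=true` would pin down the intended behaviour.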
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] FreeIPA and wildcard certificates

2017-02-09 Thread Fraser Tweedale
On Thu, Feb 09, 2017 at 08:37:23AM +0100, Martin Kosek wrote:
> On 02/09/2017 02:12 AM, Fraser Tweedale wrote:
> > On Wed, Feb 08, 2017 at 10:19:54AM +0200, Alexander Bokovoy wrote:
> >> On ke, 08 helmi 2017, Martin Kosek wrote:
> >>> Hi Fraser and the list,
> >>>
> >>> I recently was in a conversation about integrating OpenShift with 
> >>> FreeIPA. One
> >>> of the gaps was around generating a wildcard certificate by FreeIPA that 
> >>> will
> >>> be used in the default OpenShift router for applications that do not 
> >>> deploy own
> >>> certificates [1].
> >>>
> >>> Is there any way that FreeIPA can generate it? I was thinking that 
> >>> uploading
> >>> some custom certificate profile in FreeIPA may let us get such 
> >>> certificate...
> >>> Or is the only way we can add it by adding a new RFE in FreeIPA, 
> >>> tracked in
> >>> [2]?
> >> Yes, we need a new RFE. There are checks in IPA that prevent wildcard
> >> certificates from being issued:
> >>
> >> - we ensure subject 'cn' of the certificate matches a Kerberos principal
> >>   specified in the request
> >>
> >> - we validate that host object exists in IPA when the Kerberos
> >>   principal is host/...
> >>
> >> We could lift these two limitations for 'cn=*,$suffix', but there is
> >> still a need to apply proper ACLs when issuing the cert -- e.g. some
> >> object has to be used for performing access rights check. The wildcard
> >> certificate does not need to be stored anywhere in the tree, but a
> >> check still needs to be done.
> >>
> >> For example, for Kerberos PKINIT certificate which is issued to KDC we
> >> don't store public certificate in LDAP either but we do two checks:
> >> - a special KDC certificate profile is used to issue the cert
> >> - a special hostname check is done so that only IPA masters are able to
> >>   request this certificate
> >>
> >> For the wildcard certificate I think we could have following:
> >> - use a separate profile for the wildcard, associated with a sub-CA
> >> - hardcode CN default in the profile to always be 'CN=*, 
> >> O=$SUB_CA_SUBJECT' so that
> >>   actual certificate ignores requested CN.
> >> - a special check to be done so that only wildcard-based subject
> >>   alternative names can be added to a wildcard certificate request
> >> - all Kerberos principal / hostname checks are skipped.
> >> - actual ACL check is done by CA ACL.
> >>
> > Issuing wildcard certs is a deprecated practice[1].  I am not
> > dismissing the needs of OpenShift (or PaaS/IaaS solutions in
> > general) but I'd like to have a discussion with them about how
> > they're currently dealing with certs and whether a different
> > direction other than wildcard certs is feasible.  Martin, who should
> > I reach out to?  Feel free to copy them into this discussion.
> 
> Right now, I am talking to a Solution Architect, i.e. someone who is building
> GAed solutions, not developers. This is not something we would change
> short-term anyway, this is how current OpenShift v2 or v3 behaves, despite 
> the RFC.
> 
> While I understand why having a certificate *.lab.example.com and using it for
> my lab machines is a bad idea and increases the attack vector, I do not see it
> that way for OpenShift. There, applications get URL like
> ".myopenshift.test" and all is routed by one entity, the OpenShift
> broker. So the key.cert is on one location, just serving different names that
> are provisioned with OpenShift.
> 
> I can understand that issuing a new certificate for every application
> provisioned by OpenShift and then renewing it complicates the design
> significantly. I am trying to be creative and see if current OpenShift could
> leverage FreeIPA CA and issue the broker cert, with current profile
> capabilities or with small change.
> 
I believe OpenShift supports per-application certificates (i.e. when
app developers/maintainers supply their own cert for a custom
domain).  So it might be possible in v2 or v3 to provision a cert
for every app.  An automated solution does not yet exist but that
doesn't mean it can't be built out of what's currently GA.

> > [1] https://tools.ietf.org/html/rfc6125#section-7.2
> > 
> > If we do go ahead with wildcard cert support in FreeIPA, some of my
> > initial questions are:
> > 
> > - For the OpenShift use case, what is the "parent" domain name and
> >   is it the same as the IPA domain name?  Is it a subdomain of the
> >   IPA domain name?
> > 
> > - Do we need to support issuing "*.${IPA_DOMAIN}"? i.e. wildcard
> >   cert under entire IPA domain name.
> > 
> > - Do we need to support issuing "*.${IPA_HOSTNAME}"?  i.e. wildcard
> >   certs under names of IPA host principals.
> 
> I do not know, but I can ask if it is important for you :-)
> 
It's important to know what I actually need to do if we proceed with
implementing this :)

Cheers,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: 
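The design sketched in the thread (a wildcard profile that ignores the requested CN, plus a check that only wildcard subject alternative names are admitted) needs a concrete rule for what counts as an acceptable wildcard name. As an added example, not code from FreeIPA or from anyone in this thread, the function below applies such a rule to dNSName values already extracted from a CSR: every name must be a wildcard, the wildcard must be the entire leftmost label, every other label must be a valid hostname label, and the name must sit label-aligned under one of the parent domains the profile permits, at least `min_depth` labels below it. The parent-domain list, the `min_depth` knob and the sample names under `example.test` are assumptions of this example.

```python
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name):
    """Normalise a DNS name into lower-case labels (trailing dot tolerated)."""
    return name.strip().rstrip(".").lower().split(".")


def check_wildcard_sans(sans, allowed_parents, min_depth=1):
    """Validate the dNSName SANs of a wildcard certificate request.

    sans            - dNSName strings taken from the CSR's SAN extension
    allowed_parents - parent domains under which wildcards may be issued
                      (assumed policy input, e.g. the IPA domain)
    min_depth       - minimum number of labels between '*' and the parent;
                      with the default of 1, '*.apps.example.test' is
                      accepted under 'example.test' but '*.example.test'
                      itself is not

    Returns (ok, problems); problems lists a reason per rejected name.
    """
    problems = []
    parents = [_labels(p) for p in allowed_parents]
    if not sans:
        problems.append("request carries no dNSName SAN")

    for name in sans:
        labels = _labels(name)
        if labels[0] != "*":
            # Rejects plain host names and partial wildcards such as
            # 'f*.example.test': RFC 6125 only matches a wildcard that is
            # the whole leftmost label.
            problems.append("%s: not a wildcard name (wildcard must be the "
                            "entire leftmost label)" % name)
            continue
        rest = labels[1:]
        bad = [lab for lab in rest if not LABEL_RE.match(lab)]
        if bad:
            # Also rejects '*.*.example.test': '*' is not a valid label here.
            problems.append("%s: invalid label(s) %s" % (name, ", ".join(bad)))
            continue
        for parent in parents:
            # Label-aligned suffix match, so 'example.test.evil.org' does
            # not count as being under 'example.test'.
            if (len(rest) - len(parent) >= min_depth
                    and rest[-len(parent):] == parent):
                break
        else:
            problems.append("%s: not at least %d label(s) below an allowed "
                            "parent domain" % (name, min_depth))

    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: the OpenShift-style application wildcard.
    print(check_wildcard_sans(["*.apps.example.test"], ["example.test"]))
    print(check_wildcard_sans(["*.apps.example.test", "host.example.test"],
                              ["example.test"]))
```

Setting `min_depth=0` is the knob for the "*.${IPA_DOMAIN}" question raised above; leaving it at 1 confines wildcards to a delegated sub-tree such as `apps.example.test` and keeps the whole IPA domain out of reach of one certificate.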

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

MartinBasti commented:
"""
@pvoborni 
http://www.freeipa.org/page/Howto/Updating_FreeIPA_system_DNS_records_on_a_remote_DNS_server

Still WIP, but can be reviewed if the format fulfills expectations.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-278743068
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#423][synchronized] dns-update-system-records: add support for nsupdate output format

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/423
Author: MartinBasti
 Title: #423: dns-update-system-records: add support for nsupdate output format
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/423/head:pr423
git checkout pr423
From 12e97d38d6b8b7827bb8e623f4d9705fb64d68fb Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 27 Jan 2017 13:42:19 +0100
Subject: [PATCH 1/2] DNS: dns-update-system-record can create nsupdate file

Added option --out  creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585
---
 ipaclient/plugins/dns.py | 72 
 1 file changed, 66 insertions(+), 6 deletions(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..2d3c5e2 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -35,6 +35,7 @@
 from ipalib.parameters import Bool, Str
 from ipalib.plugable import Registry
 from ipalib import _, ngettext
+from ipalib import util
 from ipapython.dnsutil import DNSName
 
 if six.PY3:
@@ -417,6 +418,69 @@ def interactive_prompt_callback(self, kw):
 
 @register(override=True, no_fail=True)
 class dns_update_system_records(MethodOverride):
+record_groups = ('ipa_records', 'location_records')
+
+takes_options = (
+Str(
+'out?',
+include='cli',
+doc=_('file to store DNS records in nsupdate format')
+),
+)
+def _standard_output(self, textui, result, labels):
+"""Print output in standard format common across the other plugins"""
+for key in self.record_groups:
+if result.get(key):
+textui.print_indented(u'{}:'.format(labels[key]), indent=1)
+for val in sorted(result[key]):
+textui.print_indented(val, indent=2)
+textui.print_line(u'')
+
+def _nsupdate_output_file(self, out_f, result):
+"""Store data in nsupdate format in file"""
+def parse_rname_rtype(record):
+"""Get rname and rtype from textual representation of record"""
+l = record.split(' ', 4)
+return l[0], l[3]
+
+labels = {
+p.name: unicode(p.label) for p in self.output_params()
+}
+
+already_removed = set()
+for key in self.record_groups:
+if result.get(key):  # process only non-empty
+out_f.write("; {}\n".format(labels[key]))  # comment
+for val in sorted(result[key]):
+# delete old first
+r_name_type = parse_rname_rtype(val)
+if r_name_type not in already_removed:
+# remove it only once
+already_removed.add(r_name_type)
+out_f.write("update delete {rname} {rtype}\n".format(
+rname=r_name_type[0], rtype=r_name_type[1]
+))
+# add new
+out_f.write("update add {}\n".format(val))
+out_f.write("send\n\n")
+
+def forward(self, *keys, **options):
+# pop `out` before sending to server as it is only client side option
+out = options.pop('out', None)
+if out:
+util.check_writable_file(out)
+
+res = super(dns_update_system_records, self).forward(*keys, **options)
+
+if out and 'result' in res:
+try:
+with open(out, "w") as f:
+self._nsupdate_output_file(f, res['result'])
+except (OSError, IOError) as e:
+raise errors.FileError(reason=unicode(e))
+
+return res
+
 def output_for_cli(self, textui, output, *args, **options):
 output_super = copy.deepcopy(output)
 super_res = output_super.get('result', {})
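Review bot: `parse_rname_rtype` assumes every record string has the five-field presentation form `name TTL class type rdata`; `record.split(' ', 4)` on anything shorter raises IndexError without saying which record was at fault, and a double space would shift the fields. Check the split result (`if len(fields) < 4: raise ValueError(record)`), use `record.split(None, 4)` so runs of whitespace are tolerated, and rename `l` to `fields` (ambiguous single-letter name, flake8 E741). `labels` is also rebuilt here from `self.output_params()` although `output_for_cli` computes the same dict; passing it in avoids the duplication.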
@@ -431,11 +495,7 @@ def output_for_cli(self, textui, output, *args, **options):
 }
 
 result = output.get('result', {})
-for key in ('ipa_records', 'location_records'):
-if result.get(key):
-textui.print_indented(u'{}:'.format(labels[key]), indent=1)
-for val in sorted(result[key]):
-textui.print_indented(val, indent=2)
-textui.print_line(u'')
+
+self._standard_output(textui, result, labels)
 
 return int(not output['value'])

From 411d6522d13f9695fa004401b64c5a3e1be30dcd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 30 Jan 2017 21:18:46 +0100
Subject: [PATCH 2/2] Test: DNS nsupdate from dns-update-system-records

Get nsupdate data from dns-update-system-records, remove system records
and run nsupdate to verify that all system records were updated

https://fedorahosted.org/freeipa/ticket/6585
---
 ipatests/test_integration/test_dns_locations.py | 25 

[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-09 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 6b1405b2e909faac257f3e9af91cca994a399b06 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if the location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck | 11 +++
 ipaclient/install/client.py | 14 ++
 ipapython/certdb.py | 19 ---
 ipaserver/install/certs.py  |  2 +-
 ipaserver/install/installutils.py   | 18 --
 ipaserver/install/ipa_cacert_manage.py  |  8 
 ipaserver/install/ipa_server_certinstall.py |  7 +++
 ipaserver/install/kra.py|  7 ---
 8 files changed, 41 insertions(+), 45 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
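Review bot: unchanged from the previous push of #446, and the same question stands: with `nss_dir = nss_db.secdir` removed, the code after the `with` block no longer learns the path of a temporary database when `nss_dir` was None; confirm that the following `api.bootstrap(...)` does not need it.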
@@ -555,8 +552,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
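Review bot: as in the previous push, dropping `else: nss_dir = None` means `nss_dir` is not reset when no `--ca-cert-file` is given; confirm that the value reaching `api.bootstrap` is the intended one in that case.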
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..29c01d8 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2289,18 +2289,16 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
 
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
 ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
 
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
 
-db.create_db(pwdfile)
+db.create_db()
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
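Review bot: `ipautil.backup_file(db.password_file)` is evaluated before `create_passwd_file`, and `NSSDatabase.__init__` in this push assigns `self.password_file` only when the argument is not None (the previous push always assigned it). Unless a class attribute or property outside this patch supplies a default, `certdb.NSSDatabase(paths.IPA_NSSDB_DIR)` has no `password_file` at all here and this line raises AttributeError. The `os.chmod(db.password_file, 0o600)` after creation also keeps the umask window of the old code; creating the file with mode 0o600 inside `create_passwd_file` would close it for every caller.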
@@ -2672,8 +2670,8 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_db()
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
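Review bot: the two calls are now in the opposite order from the previous push and from `create_ipa_nssdb` above: `tmp_db.create_db()` runs before `tmp_db.create_passwd_file(...)`. If `create_db` hands `self.password_file` to `certutil -N -f`, the file does not exist yet at that point; if `create_db` instead generates its own password, the second call replaces that file with a different password and every later certutil call against `tmp_db` fails to open the key database. Keep the previous order, password file first and then `create_db`.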
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..5f7a9dd 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,13 +83,15 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
-def __init__(self, nssdir=None):
+def __init__(self, nssdir=None, password_file=None):
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
 else:
 self.secdir = nssdir
 self._is_temporary = False
+if password_file is not None:
+self.password_file = password_file
 
 def close(self):
 if self._is_temporary:
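Review bot: `__init__` now sets `self.password_file` only when a path is passed, so whether the attribute exists in the default case depends on something outside this hunk. If a class-level default exists, say so in a comment; otherwise assign `self.password_file = password_file or os.path.join(self.secdir, 'pwdfile.txt')` unconditionally so that both the persistent and the temporary (`mkdtemp`) databases have a well-defined location. A docstring for the parameter is still missing.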
@@ -102,16 +104,19 @@ def __exit__(self, type, value, tb):
 self.close()
 
 def run_certutil(self, args, 

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
My last push fixes the deadlock and another problem in ipalib/krb_utils.py

I haven't figured out exactly what happens in change_password. I see from logs 
sent by @martbab that the kinit as the user alice is performed, but apache 
sees only admin connections.

I suspect that the issue is in ipalib/rpc.py in create_connection, where 
apply_session_cookie() is called, but can't be sure.
I need a way to repro these tests locally to confirm.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find and user-show commands

2017-02-09 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find and user-show 
commands

redhatrises commented:
"""
> Why user-show needs --nsaccountlock option?

I didn't want to limit it to user-find. However, it looks like adding the 
option is actually pointless as that information is in the output already. I 
can fix that.

> Could this be done by changing flags instead of overriding get_options? IMO 
> it is compatible

@MartinBasti sure. Not sure where we are with ABI/API compatibility issues 
which is why I didn't use the overriding get_options. I guess we will see what 
@HonzaCholasta says.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-278701548
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#394][synchronized] Add fix for ipa plugins command

2017-02-09 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/394
Author: Akasurde
 Title: #394: Add fix for ipa plugins command
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/394/head:pr394
git checkout pr394
From ddbbc1986416d6aa8e9a95baaf97f7fce7b303ce Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Thu, 12 Jan 2017 18:38:37 +0530
Subject: [PATCH] Add fix for ipa plugins command

Fix adds count of plugins loaded to return dict

Fixes https://fedorahosted.org/freeipa/ticket/6513

Signed-off-by: Abhijeet Kasurde 
---
 ipalib/misc.py| 3 ++-
 ipatests/test_cmdline/test_cli.py | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/misc.py b/ipalib/misc.py
index 687b018..a5f9b6d 100644
--- a/ipalib/misc.py
+++ b/ipalib/misc.py
@@ -124,8 +124,9 @@ def execute(self, **options):
 for plugin in self.api[namespace]():
 cls = type(plugin)
 key = '{}.{}'.format(cls.__module__, cls.__name__)
-result.setdefault(key, []).append(namespace)
+result.setdefault(key, []).append(namespace.decode('utf-8'))
 
 return dict(
 result=result,
+count=len(result),
 )
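Review bot: `namespace.decode('utf-8')` breaks on Python 3, where `namespace` is already `str` and has no `decode`; this module runs under both interpreters (FreeIPA uses `six`), so use `six.text_type(namespace)` or leave the value as it was. Two more points: `count=len(result)` counts distinct plugin classes (the keys), not registrations across namespaces, so the commit message's "count of plugins loaded" should say which is meant; and unless the command's `has_output` already declares a `count` entry, the framework's output validation will reject the extra key, so add an `output.Output('count', int, ...)` next to the existing result output.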
diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
index 07bab23..4585126 100644
--- a/ipatests/test_cmdline/test_cli.py
+++ b/ipatests/test_cmdline/test_cli.py
@@ -51,6 +51,9 @@ def fake_stdin(self, string_in):
 def test_ping(self):
 self.check_command('ping', 'ping')
 
+def test_plugins(self):
+self.check_command('plugins', 'plugins')
+
 def test_user_show(self):
 self.check_command('user-show admin', 'user_show', uid=u'admin')
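Review bot: `check_command('plugins', 'plugins')` only verifies that the CLI maps `plugins` to the `plugins` command; it does not exercise the `count` value this patch adds. Add an assertion that the returned `count` equals `len(result)` (and, if the namespace decoding is kept, that the namespace values are text on both Python versions), so the fix for the ticket is actually covered.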
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#454][opened] Move AD trust installation code to a separate module

2017-02-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
 Title: #454: Move AD trust installation code to a separate module
Action: opened

PR body:
"""
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454
From 9feed648b75fc239f713108d33c9a39f03036430 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Feb 2017 17:02:09 +0100
Subject: [PATCH] Move AD trust installation code to a separate module

This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629
---
 install/tools/ipa-adtrust-install | 349 +--
 ipaserver/install/adtrust.py  | 371 ++
 2 files changed, 378 insertions(+), 342 deletions(-)
 create mode 100644 ipaserver/install/adtrust.py

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index b504c08..443c3c4 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -25,27 +25,24 @@ from __future__ import print_function
 
 import os
 import sys
-import ldap
 
 import six
 
 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module
 
 from ipalib.install import sysrestore
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import (
 read_password,
 check_server_configuration,
 run_script)
-from ipaserver.install import service
 from ipapython.admintool import ScriptError
 from ipapython import version
-from ipapython import ipautil, ipaldap
+from ipapython import ipautil
 from ipalib import api, errors, krb_utils
 from ipapython.config import IPAOptionParser
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython.dn import DN
 
 if six.PY3:
 unicode = str
@@ -98,35 +95,6 @@ def parse_options():
 return safe_options, options
 
 
-def netbios_name_error(name):
-print("\nIllegal NetBIOS name [%s].\n" % name)
-print("Up to 15 characters and only uppercase ASCII letters, digits "
-  "and dashes are allowed. Empty string is not allowed.")
-
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print("Enter the NetBIOS name for the IPA domain.")
-print("Only up to 15 uppercase ASCII letters, digits "
-  "and dashes are allowed.")
-print("Example: EXAMPLE.")
-print("")
-print("")
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input(
-"NetBIOS domain name", netbios_default, allow_empty=False)
-print("")
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-
 def read_admin_password(admin_name):
 print("Configuring cross-realm trusts for IPA server requires password "
   "for user '%s'." % (admin_name))
@@ -137,95 +105,6 @@ def read_admin_password(admin_name):
 return admin_password
 
 
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS 

[Freeipa-devel] [INFO] Freeipa/freeipa-master copr repo required for FreeIPA from master branch

2017-02-09 Thread Martin Basti

Hello,

from now on you need the freeipa/freeipa-master copr repo to run IPA built from 
the master branch (at least on F25/F24), due to the bind and bind-dyndb-ldap packages.


Sorry for inconvenience.

Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find and user-show commands

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find and user-show 
commands

MartinBasti commented:
"""
Hello,

thank you for PR!

I have a few comments:
- Why user-show needs --nsaccountlock option?
- Could this be done by changing flags instead of overriding get_options? IMO 
it is compatible
```diff
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 0194f1b..3df2723 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -371,7 +371,7 @@ class user(baseuser):
 takes_params = baseuser.takes_params + (
 Bool('nsaccountlock?',
 label=_('Account disabled'),
-flags=['no_option'],
+flags=['no_create', 'no_update'],
 ),
 Bool('preserved?',
 label=_('Preserved user'),
```
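Review bot: replacing `no_option` with `['no_create', 'no_update']` keeps nsaccountlock out of user-add and user-mod, but it does not by itself answer the question above about user-show: those two flags only exclude create and update, so check which other user commands (find, show) pick the parameter up from `takes_params` before settling on this variant, and add the corresponding flag if show should not accept it.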

Adding @HonzaCholasta to make sure that changing options in this way is  
compatible
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-278676072

[Freeipa-devel] [freeipa PR#351][closed] [fedora-26] named.conf template: update API for bind 9.11

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351

[Freeipa-devel] [freeipa PR#351][+pushed] [fedora-26] named.conf template: update API for bind 9.11

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

Label: +pushed

[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c26dd805bdb020b12346d8cb66638883c1f46b9e
https://fedorahosted.org/freeipa/changeset/e8a2abd548b594e6f22f38445ee32bcaa7f27303
https://fedorahosted.org/freeipa/changeset/5de7065fe5769e5c3d90205b0ecc963d96f4db58
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/351#issuecomment-278677437

[Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb

2017-02-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

tiran commented:
"""
Thx Rob, I use ```ipautil.run(cwd=...)``` to change the working directory just 
for the subprocess instead of the entire parent process.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/453#issuecomment-278667106

[Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb

2017-02-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
 Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
From ff90bf51a9c82073be6de9a4c43e1d8271dcfa06 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 9 Feb 2017 14:55:45 +0100
Subject: [PATCH] Cleanup certdb

* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
* remove chdir() hack with proper cwd argument to ipautil.run()

Do not ever change the working directory of a program. It's a really bad
idea. Just consider what is going to happen if two threads or two
different parts of a process decide to own control over the working
directory?

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py | 162 +
 1 file changed, 74 insertions(+), 88 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..a4f7149 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -103,10 +103,6 @@ def __init__(
 self.host_name = host_name
 self.ca_subject = ca_subject
 self.subject_base = subject_base
-try:
-self.cwd = os.getcwd()
-except OSError as e:
-raise RuntimeError("Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
@@ -132,10 +128,8 @@ def __init__(
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
-try:
-os.chdir(self.cwd)
-except OSError:
-pass
+self.reqdir = None
+self.nssdb.close()
 
 def setup_cert_request(self):
 """
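Review bot: `__del__` now calls `self.nssdb.close()` unconditionally; if `__init__` raised before `self.nssdb` was assigned, the finaliser itself raises AttributeError (reported as an ignored exception at teardown). Guard it, e.g. `nssdb = getattr(self, 'nssdb', None)` followed by `if nssdb is not None: nssdb.close()`, and consider exposing an explicit `close()` or context-manager support so callers do not depend on garbage collection to release the NSS database and remove `reqdir`.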
@@ -152,23 +146,26 @@ def setup_cert_request(self):
 self.certreq_fname = self.reqdir + "/tmpcertreq"
 self.certder_fname = self.reqdir + "/tmpcert.der"
 
-# When certutil makes a request it creates a file in the cwd, make
-# sure we are in a unique place when this happens
-os.chdir(self.reqdir)
-
-def set_perms(self, fname, write=False, uid=None):
-if uid:
-pent = pwd.getpwnam(uid)
-os.chown(fname, pent.pw_uid, pent.pw_gid)
+def set_perms(self, fname, write=False, user=None):
+if user is not None:
+pent = pwd.getpwnam(user)
+uid, gid = pent.pw_uid, pent.pw_gid
 else:
-os.chown(fname, self.uid, self.gid)
+uid, gid = self.uid, self.gid
 perms = stat.S_IRUSR
 if write:
 perms |= stat.S_IWUSR
-os.chmod(fname, perms)
+if hasattr(fname, 'fileno'):
+os.fchown(fname.fileno(), uid, gid)
+os.fchmod(fname.fileno(), perms)
+else:
+os.chown(fname, uid, gid)
+os.chmod(fname, perms)
 
 def run_certutil(self, args, stdin=None, **kwargs):
-return self.nssdb.run_certutil(args, stdin, **kwargs)
+# When certutil makes a request it creates a file in the cwd, make
+# sure we are in a unique place when this happens
+return self.nssdb.run_certutil(args, stdin, cwd=self.reqdir, **kwargs)
 
 def run_signtool(self, args, stdin=None):
 with open(self.passwd_fname, "r") as f:
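Review bot: `run_certutil` now always passes `cwd=self.reqdir`, but `reqdir` is only populated by `setup_cert_request()` (the `__del__` hunk above checks `if self.reqdir is not None`); when it is still None, `ipautil.run` presumably hands it straight to subprocess, for which None means "inherit the parent's working directory", which silently defeats the comment's promise of a unique location for the file certutil drops. Either assert `self.reqdir is not None` before running certutil or create the request directory lazily inside `run_certutil`. Renaming the `uid` argument of `set_perms` to `user` is welcome, since it is a user name passed to `pwd.getpwnam`, and `if user is not None` no longer conflates a falsy value with "use self.uid".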
@@ -176,24 +173,23 @@ def run_signtool(self, args, stdin=None):
 new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password]
 
 new_args = new_args + args
-ipautil.run(new_args, stdin)
+ipautil.run(new_args, stdin, cwd=self.reqdir)
 
 def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
-f = open(self.noise_fname, "w")
-f.write(ipautil.ipa_generate_password())
-self.set_perms(self.noise_fname)
+with open(self.noise_fname, "w") as f:
+self.set_perms(f)
+f.write(ipautil.ipa_generate_password())
 
 def create_passwd_file(self, passwd=None):
 ipautil.backup_file(self.passwd_fname)
-f = open(self.passwd_fname, "w")
-if passwd is not None:
-f.write("%s\n" % passwd)
-else:
-f.write(ipautil.ipa_generate_password())
-f.close()
-self.set_perms(self.passwd_fname)
+with open(self.passwd_fname, "w") as f:
+self.set_perms(f)
+if passwd is not None:
+f.write("%s\n" % passwd)
+else:
+f.write(ipautil.ipa_generate_password())
 
 def create_certdbs(self):
 ipautil.backup_file(self.certdb_fname)
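Review bot: `run_signtool` still puts the NSS database password on the command line (`"-p", password`), so on a multi-user host any local process can read it from `/proc/<pid>/cmdline` or `ps` for the lifetime of the signtool process; the password already lives in `self.passwd_fname` with owner-only permissions, so prefer a file-based or stdin-based way of passing it if signtool offers one. In `create_noise_file` and `create_passwd_file`, `open(..., "w")` creates the file with umask-derived permissions before `set_perms` narrows them; moving `set_perms` above the write means nothing sensitive lands in that window, but opening with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` wrapped in `os.fdopen` removes the window altogether. The two branches of `create_passwd_file` are also inconsistent: the explicit password is written with a trailing newline, the generated one without.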
@@ -232,20 +228,21 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
 # export the CA cert for 

[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/47565c0fc75721f457e87b1c3e3325fff6a3b3ae
https://fedorahosted.org/freeipa/changeset/36f46a5301ce62b5549899e5d693fca0b88946fb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/451#issuecomment-278666458

[Freeipa-devel] [freeipa PR#451][+pushed] certdb: remove unused keysize property

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

Label: +pushed

[Freeipa-devel] [freeipa PR#451][closed] certdb: remove unused keysize property

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
 Title: #451: certdb: remove unused keysize property
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451

[Freeipa-devel] [freeipa PR#438][comment] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/438
Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e920ae22525d34e1f524e2e59159ac50c603bc8c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/438#issuecomment-278666074

[Freeipa-devel] [freeipa PR#438][closed] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/438
Author: HonzaCholasta
 Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/438/head:pr438
git checkout pr438

[Freeipa-devel] [freeipa PR#438][+pushed] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/438
Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()

Label: +pushed

[Freeipa-devel] [freeipa PR#441][closed] Print test env information

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/441
Author: tiran
 Title: #441: Print test env information
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/441/head:pr441
git checkout pr441

[Freeipa-devel] [freeipa PR#441][+pushed] Print test env information

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/441
Title: #441: Print test env information

Label: +pushed

[Freeipa-devel] [freeipa PR#441][comment] Print test env information

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/441
Title: #441: Print test env information

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b20f6fb29478de6b4f25741bc4fd975a5e0be671
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/441#issuecomment-278665863

[Freeipa-devel] [freeipa PR#453][comment] Cleanup certdb

2017-02-09 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/453
Title: #453: Cleanup certdb

rcritten commented:
"""
I'm pretty sure the chdir() hack was due to SELinux issues, be sure to test in 
enforcing mode. It may no longer be required.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/453#issuecomment-278662888

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f51869bf5214e2d2322f85bf72b7ae86b6893974
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-278655609

[Freeipa-devel] [freeipa PR#416][+pushed] replica install: relax domain level check for promotion

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

Label: +pushed

[Freeipa-devel] [freeipa PR#416][closed] replica install: relax domain level check for promotion

2017-02-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/416
Author: frasertweedale
 Title: #416: replica install: relax domain level check for promotion
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/416/head:pr416
git checkout pr416

[Freeipa-devel] [freeipa PR#416][+ack] replica install: relax domain level check for promotion

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

Label: +ack

[Freeipa-devel] [freeipa PR#416][comment] replica install: relax domain level check for promotion

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/416
Title: #416: replica install: relax domain level check for promotion

MartinBasti commented:
"""
ACK and I found a new bug: https://fedorahosted.org/freeipa/ticket/6654
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/416#issuecomment-278649734

[Freeipa-devel] [freeipa PR#434][comment] csrgen: Automate full cert request flow

2017-02-09 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/434
Title: #434: csrgen: Automate full cert request flow

LiptonB commented:
"""
Thanks for the comments, and sorry about submitting this with lint errors. I 
think I've followed all of your suggestions, let me know what you think.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/434#issuecomment-278648710

[Freeipa-devel] [freeipa PR#453][opened] Cleanup certdb

2017-02-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
 Title: #453: Cleanup certdb
Action: opened

PR body:
"""
* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
* remove chdir() hack with proper cwd argument to ipautil.run()

Do not ever change the working directory of a program. It's a really bad
idea. Just consider what is going to happen if two threads or two
different parts of a process decide to own control over the working
directory?

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
From 5dcbdc4b3e64f2b4cd466d5cc6a2d2e3040ffc85 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 9 Feb 2017 14:55:45 +0100
Subject: [PATCH] Cleanup certdb

* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
* remove chdir() hack with proper cwd argument to ipautil.run()

Do not ever change the working directory of a program. It's a really bad
idea. Just consider what is going to happen if two threads or two
different parts of a process decide to own control over the working
directory?

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py | 162 +
 1 file changed, 74 insertions(+), 88 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..beeeb24 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -103,10 +103,6 @@ def __init__(
 self.host_name = host_name
 self.ca_subject = ca_subject
 self.subject_base = subject_base
-try:
-self.cwd = os.getcwd()
-except OSError as e:
-raise RuntimeError("Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
@@ -132,10 +128,8 @@ def __init__(
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
-try:
-os.chdir(self.cwd)
-except OSError:
-pass
+self.reqdir = None
+self.nssdb.close()
 
 def setup_cert_request(self):
 """
@@ -152,23 +146,26 @@ def setup_cert_request(self):
 self.certreq_fname = self.reqdir + "/tmpcertreq"
 self.certder_fname = self.reqdir + "/tmpcert.der"
 
-# When certutil makes a request it creates a file in the cwd, make
-# sure we are in a unique place when this happens
-os.chdir(self.reqdir)
-
-def set_perms(self, fname, write=False, uid=None):
-if uid:
-pent = pwd.getpwnam(uid)
-os.chown(fname, pent.pw_uid, pent.pw_gid)
+def set_perms(self, fname, write=False, user=None):
+if user is not None:
+pent = pwd.getpwnam(user)
+uid, gid = pent.pw_uid, pent.pw_gid
 else:
-os.chown(fname, self.uid, self.gid)
+uid, gid = self.uid, self.gid
 perms = stat.S_IRUSR
 if write:
 perms |= stat.S_IWUSR
-os.chmod(fname, perms)
+if hasattr(fname, 'fileno'):
+os.fchown(fname.fileno(), uid, gid)
+os.fchmod(fname.fileno(), perms)
+else:
+os.chown(fname, uid, gid)
+os.chmod(fname, perms)
 
 def run_certutil(self, args, stdin=None, **kwargs):
-return self.nssdb.run_certutil(args, stdin, **kwargs)
+# When certutil makes a request it creates a file in the cwd, make
+# sure we are in a unique place when this happens
+return self.nssdb.run_certutil(args, stdin, cwd=self.reqdir, **kwargs)
 
 def run_signtool(self, args, stdin=None):
 with open(self.passwd_fname, "r") as f:
@@ -176,24 +173,23 @@ def run_signtool(self, args, stdin=None):
 new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password]
 
 new_args = new_args + args
-ipautil.run(new_args, stdin)
+ipautil.run(new_args, stdin, cwd=self.reqdir)
 
 def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
-f = open(self.noise_fname, "w")
-f.write(ipautil.ipa_generate_password())
-self.set_perms(self.noise_fname)
+with open(self.noise_fname, "w") as f:
+self.set_perms(f)
+f.write(ipautil.ipa_generate_password())
 
 def create_passwd_file(self, passwd=None):
 ipautil.backup_file(self.passwd_fname)
-f = open(self.passwd_fname, "w")
-if passwd is not None:
-f.write("%s\n" % passwd)
-else:
-
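The commit message of PR#453 (it appears twice on this page, in the opened and in the synchronized notification) makes two points: set permissions before any data is written, and give the child process a `cwd` instead of calling `os.chdir()` in the parent. The following stand-alone Python is an added example, not code from the PR or from FreeIPA, showing the exposure window of the old open-then-chmod pattern next to the descriptor-based replacement, and a helper run in a private directory while the parent's working directory stays put. It assumes a POSIX host with `/bin/sh`; the file names, the `s3cret` payload and the `sh -c` command standing in for certutil are constructed for the demo.

```python
import os
import stat
import subprocess
import tempfile

# Assumptions (added example, not FreeIPA code): POSIX host, Python 3.5+,
# /bin/sh available.  File names, the "s3cret" payload and the `sh -c`
# helper standing in for certutil are constructed for the demo.


def naive_mode_at_creation(path):
    """The pattern the patch replaces: open() then chmod().

    Returns the mode other processes can observe between the two calls.
    With umask 022 that is 0644, i.e. world-readable, and the secret is
    written while the file is still in that state.
    """
    old_umask = os.umask(0o022)          # pin the umask so the result is deterministic
    try:
        with open(path, "w") as f:
            exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
            f.write("s3cret\n")          # data lands while the file is still 0644
        os.chmod(path, 0o600)            # too late: the window has already been open
    finally:
        os.umask(old_umask)
    return exposed


def write_secret_file(path, data, uid=None, gid=None):
    """Create `path` holding `data` such that it is never readable by others.

    The kernel creates the inode with at most 0600 (O_CREAT applies the
    requested mode minus umask), O_EXCL refuses a pre-planted file or symlink
    at that path, and ownership/mode are fixed through the descriptor
    (fchown/fchmod) before the first byte is written, so a path swap after
    open() cannot redirect the chmod to a different file.  Returns the
    resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:        # fdopen owns fd from here on and closes it
        if uid is not None or gid is not None:
            os.fchown(f.fileno(), -1 if uid is None else uid,
                      -1 if gid is None else gid)
        os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IWUSR)
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def run_in_private_dir(argv, workdir):
    """Run a helper that drops files into its cwd inside `workdir`, without
    touching the parent's working directory (the cwd= replacement for
    os.chdir()).  Returns (stripped stdout, parent cwd unchanged?)."""
    before = os.getcwd()
    proc = subprocess.run(argv, cwd=workdir, check=True,
                          stdout=subprocess.PIPE, universal_newlines=True)
    return proc.stdout.strip(), os.getcwd() == before


def demo():
    """Exercise the three helpers in a throw-away request directory."""
    with tempfile.TemporaryDirectory() as reqdir:
        naive_mode = naive_mode_at_creation(os.path.join(reqdir, "naive.txt"))
        pw_path = os.path.join(reqdir, "pwdfile.txt")
        secure_mode = write_secret_file(pw_path, "s3cret\n")
        with open(pw_path) as f:
            content = f.read()
        # stand-in for certutil: writes a file into whatever its cwd is
        output, cwd_unchanged = run_in_private_dir(
            ["sh", "-c", ": > dropped.file && echo ok"], reqdir)
        dropped_here = os.path.exists(os.path.join(reqdir, "dropped.file"))
    return {
        "naive_mode": naive_mode,            # 0o644: the exposure window
        "secure_mode": secure_mode,          # 0o600 from the first instant
        "content": content,
        "helper_output": output,
        "helper_dropped_in_reqdir": dropped_here,
        "parent_cwd_unchanged": cwd_unchanged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, oct(value) if key.endswith("_mode") else value))
```

`O_EXCL` is deliberate: a caller that wants to overwrite an existing password file has to move it aside first (the patch does this with `ipautil.backup_file`), which also stops a symlink planted at the path from redirecting the write.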

[Freeipa-devel] [freeipa PR#434][synchronized] csrgen: Automate full cert request flow

2017-02-09 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/434
Author: LiptonB
 Title: #434: csrgen: Automate full cert request flow
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/434/head:pr434
git checkout pr434
From 5b4d2410d960084af766d44c112452604d0816c2 Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Mon, 22 Aug 2016 10:46:02 -0400
Subject: [PATCH 1/4] csrgen: Automate full cert request flow

Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899
---
 API.txt   |  2 +-
 ipaclient/plugins/cert.py | 83 ++-
 ipaserver/plugins/cert.py |  7 ++--
 3 files changed, 88 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..ac38514 100644
--- a/API.txt
+++ b/API.txt
@@ -788,7 +788,7 @@ option: Flag('add', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')
 option: Principal('principal')
-option: Str('profile_id?')
+option: Str('profile_id', autofill=True, default=u'caIPAserviceCert')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('request_type', autofill=True, default=u'pkcs10')
 option: Str('version?')
diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 1075972..339b1d0 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,11 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import subprocess
+import tempfile
+
+import six
+
 from ipaclient.frontend import MethodOverride
 from ipalib import errors
 from ipalib import x509
@@ -27,17 +32,93 @@
 from ipalib.plugable import Registry
 from ipalib.text import _
 
+if six.PY3:
+unicode = str
+
 register = Registry()
 
 
 @register(override=True, no_fail=True)
 class cert_request(MethodOverride):
+takes_options = (
+Str(
+'database?',
+label=_('Path to NSS database'),
+doc=_('Path to NSS database to use for private key'),
+),
+Str(
+'private_key?',
+label=_('Path to private key file'),
+doc=_('Path to PEM file containing a private key'),
+),
+)
+
 def get_args(self):
 for arg in super(cert_request, self).get_args():
 if arg.name == 'csr':
-arg = arg.clone_retype(arg.name, File)
+arg = arg.clone_retype(arg.name, File, required=False)
 yield arg
 
+def forward(self, csr=None, **options):
+database = options.pop('database', None)
+private_key = options.pop('private_key', None)
+
+if csr is None:
+if database:
+helper = u'certutil'
+helper_args = ['-d', database]
+elif private_key:
+helper = u'openssl'
+helper_args = [private_key]
+else:
+raise errors.InvocationError(
+message=u"One of 'database' or 'private_key' is required")
+
+with tempfile.NamedTemporaryFile(
+) as scriptfile, tempfile.NamedTemporaryFile() as csrfile:
+# profile_id is optional for cert_request, but not for
+# cert_get_requestdata, so pass the default explicitly when
+# necessary
+profile_id = options.get('profile_id')
+if profile_id is None:
+profile_id = self.get_default_of('profile_id')
+
+self.api.Command.cert_get_requestdata(
+profile_id=profile_id,
+principal=options.get('principal'),
+out=unicode(scriptfile.name),
+helper=helper)
+
+helper_cmd = [
+'bash', '-e', scriptfile.name, csrfile.name] + helper_args
+
+try:
+subprocess.check_output(helper_cmd)
+except subprocess.CalledProcessError as e:
+raise errors.CertificateOperationError(
+error=(
+_('Error running "%(cmd)s" to generate CSR:'
+  ' %(err)s') %
+{'cmd': ' '.join(helper_cmd), 
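Review bot: `forward` pops `database` and `private_key` and then branches on `if database: ... elif private_key:`, so a caller who supplies both silently gets the certutil path and the named PEM key is never used; when `csr` is given, both options are popped and discarded without any message. Raise an error (the method already uses `errors.InvocationError`) whenever more than one of `csr`, `database` and `private_key` is set, so the user learns which input was ignored. Building the helper invocation as `['bash', '-e', scriptfile.name, csrfile.name] + helper_args` passes the user's paths as separate argv entries instead of interpolating them into a shell string, which is the right call; it only stays safe if the script that `cert_get_requestdata` writes quotes the positional parameters it consumes, so that is worth checking on the generator side.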

[Freeipa-devel] [freeipa PR#451][+ack] certdb: remove unused keysize property

2017-02-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

Label: +ack

[Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user

2017-02-09 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/433
Title: #433: csrgen: Allow some certificate fields to be specified by the user

LiptonB commented:
"""
Sorry for submitting this with lint errors - fixed now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/433#issuecomment-278637593

[Freeipa-devel] [freeipa PR#447][+pushed] AD trust installer modularization: prelude

2017-02-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/447
Title: #447: AD trust installer modularization: prelude

Label: +pushed

[Freeipa-devel] [freeipa PR#438][+ack] ipaldap: preserve order of values in LDAPEntry._sync()

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/438
Title: #438: ipaldap: preserve order of values in LDAPEntry._sync()

Label: +ack

[Freeipa-devel] [freeipa PR#447][closed] AD trust installer modularization: prelude

2017-02-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/447
Author: martbab
 Title: #447: AD trust installer modularization: prelude
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/447/head:pr447
git checkout pr447

[Freeipa-devel] [freeipa PR#447][comment] AD trust installer modularization: prelude

2017-02-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/447
Title: #447: AD trust installer modularization: prelude

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/847be3a8a85cd58e5a011c0c2bc7e1123eb4a1aa
https://fedorahosted.org/freeipa/changeset/e27f6bfdc31b767be9ded411e869716b76f478ce
https://fedorahosted.org/freeipa/changeset/d7cfbb870fce40b50f6df2446c864099f8ea833e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/447#issuecomment-278635383

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think I know what is going on here, can you add an actual test to the 
testsuite that checks this?
I will fix my PR to not cause this deadlock, I've reproduced it here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045

[Freeipa-devel] [freeipa PR#447][+ack] AD trust installer modularization: prelude

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/447
Title: #447: AD trust installer modularization: prelude

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#7][+pushed] Added named.conf API transformation script to spec

2017-02-09 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

Label: +pushed

[Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec

2017-02-09 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

tomaskrizek commented:
"""
master:

- 
[f1028150504049a64b6c34c785c6a20e2a7ca76a](https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=f1028150504049a64b6c34c785c6a20e2a7ca76a)
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278627381

[Freeipa-devel] [bind-dyndb-ldap PR#7][closed] Added named.conf API transformation script to spec

2017-02-09 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Author: tomaskrizek
 Title: #7: Added named.conf API transformation script to spec
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/7/head:pr7
git checkout pr7

[Freeipa-devel] [freeipa PR#449][closed] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-09 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449

[Freeipa-devel] [freeipa PR#449][comment] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/449
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/91341f4035e0d78b0adbe9a09ba69e1fd35ec26d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/449#issuecomment-278626102

[Freeipa-devel] [freeipa PR#449][+pushed] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/449
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh

Label: +pushed

[Freeipa-devel] [freeipa PR#449][+ack] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/449
Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh

Label: +ack

[Freeipa-devel] [freeipa PR#351][+ack] [fedora-26] named.conf template: update API for bind 9.11

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

Label: +ack

[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

MartinBasti commented:
"""
Tested manually
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/351#issuecomment-278625764

[Freeipa-devel] [bind-dyndb-ldap PR#7][+ack] Added named.conf API transformation script to spec

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#7][synchronized] Added named.conf API transformation script to spec

2017-02-09 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Author: tomaskrizek
 Title: #7: Added named.conf API transformation script to spec
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/7/head:pr7
git checkout pr7
From 3abd4c4b0e5b78535535a41079040b05a0a0eccc Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 9 Jan 2017 10:29:31 +0100
Subject: [PATCH] Added named.conf API transformation script to spec

A script that converts old-style configuration API of named.conf
to the new-style API after rpm installation was added to contrib
specfile.
Required version of BIND was also bumped to 9.11.
---
 contrib/bind-dyndb-ldap.spec | 48 ++--
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 6f5b1f3..5f6621d 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -11,13 +11,13 @@ URL:https://fedorahosted.org/bind-dyndb-ldap
 Source0:https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:  bind-devel >= 32:9.9.0, bind-lite-devel >= 32:9.9.0
+BuildRequires:  bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  automake, autoconf, libtool
 
-Requires:   bind >= 32:9.9.0
+Requires:   bind >= 32:9.11.0-6.P2
 
 %description
 This package provides an LDAP back-end plug-in for BIND. It features
@@ -42,6 +42,46 @@ mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
 rm %{buildroot}%{_libdir}/bind/ldap.la
 rm -r %{buildroot}%{_datadir}/doc/%{name}
 
+%post
+# Transform named.conf if it still has old-style API.
+PLATFORM=$(uname -m)
+
+if [ $PLATFORM == "x86_64" ] ; then
+LIBPATH=/usr/lib64
+else
+LIBPATH=/usr/lib
+fi
+
+# The following sed script:
+#   - scopes the named.conf changes to dynamic-db
+#   - replaces arg "name value" syntax with name "value"
+#   - changes dynamic-db header to dyndb
+#   - uses the new way the define path to the library
+#   - removes no longer supported arguments (library, cache_ttl,
+#   psearch, serial_autoincrement, zone_refresh)
+while read -r PATTERN
+do
+SEDSCRIPT+="$PATTERN"
+done <
+- Added named.conf API transofrmation script
+- Bumped the required BIND version to 9.11.0-6.P2
+
 * Tue Jan 28 2014 Petr Spacek 
 - package /var/named/dyndb-ldap directory
 
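Review bot: the %post scriptlet derives LIBPATH from `uname -m`, which only recognises x86_64; on Fedora other 64-bit arches (aarch64, ppc64le, s390x) also install to /usr/lib64 and would get the wrong path. The spec already uses `%{_libdir}` a few lines up (`rm %{buildroot}%{_libdir}/bind/ldap.la`), so use that macro here instead of the uname branch. The test `[ $PLATFORM == "x86_64" ]` is also bash-only (`==`) with an unquoted variable; `[ "$PLATFORM" = "x86_64" ]` is the portable form. Since the sed script rewrites named.conf in place on every install or upgrade, it should either back the file up first or run only when an old-style `dynamic-db` stanza is actually present, so a re-run is a no-op. The heredoc feeding SEDSCRIPT is cut off in this excerpt, so its patterns could not be checked. Minor: the changelog entry misspells "transformation" as "transofrmation".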

[Freeipa-devel] [freeipa PR#441][+ack] Print test env information

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/441
Title: #441: Print test env information

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

MartinBasti commented:
"""
otherwise LGTM
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278619482

[Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

MartinBasti commented:
"""
IMO those explanatory comments should be in code not in github
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-278619365

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
While investigating the CI test failures, I stumbled upon another issue - two 
simultaneous login requests will deadlock httpd until it is restarted. This is 
how I did it:
```bash
(
export KRB5CCNAME=$(mktemp)
echo password | kinit admin
curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt \
--negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
) & (
export KRB5CCNAME=$(mktemp)
echo password | kinit notadmin
curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt \
--negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
)
```
It is not reproducible on the master branch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-278611793

[Freeipa-devel] [freeipa PR#370][+rejected] ci: send build log to paste.fedoraproject.org

2017-02-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/370
Title: #370: ci: send build log to paste.fedoraproject.org

Label: +rejected

[Freeipa-devel] [freeipa PR#448][comment] Tests: Basic coverage with tree root domain

2017-02-09 Thread gkaihorodova
  URL: https://github.com/freeipa/freeipa/pull/448
Title: #448: Tests: Basic coverage with tree root domain

gkaihorodova commented:
"""
Can you be a little bit more specific about "triplication of the test cases", 
please? 
Because, to be honest, I'm having a hard time trying to navigate myself there. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/448#issuecomment-278606153

[Freeipa-devel] [freeipa PR#384][closed] Add fix for user prompt in dnsrecord-add

2017-02-09 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/384
Author: Akasurde
 Title: #384: Add fix for user prompt in dnsrecord-add
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/384/head:pr384
git checkout pr384

[Freeipa-devel] [freeipa PR#442][synchronized] Add option to run tests in-tree and out-of-tree mode

2017-02-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
 Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442
From fa021e8e631b555068d6f7ab34abdd0a4fe844e1 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 8 Feb 2017 13:29:38 +0100
Subject: [PATCH] Add option to run tests in-tree and out-of-tree mode

By default ipa-run-tests and pytest auto-detect the presence of
../ipasetup.py.in and run tests in-tree mode when the file exists. The
option can be overridden with ipa-run-tests --in-tree=true/false.

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py | 28 +++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 6d8ba60..df8d919 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,6 +3,8 @@
 #
 from __future__ import print_function
 
+import os
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
@@ -11,6 +13,9 @@
 ipaserver = None
 
 
+HERE = os.path.dirname(os.path.abspath(__file__))
+
+
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
 'ipatests.pytest_plugins.beakerlib',
@@ -71,9 +76,30 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+def truefalse(arg):
+if arg.lower() == 'true':
+return True
+if arg.lower() == 'false':
+return False
+return arg  # triggers an error later
+
+in_tree = os.path.isfile(os.path.join(HERE, os.pardir, 'ipasetup.py.in'))
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--in-tree',
+dest="ipa_in_tree",
+type=truefalse,
+choices=(True, False),
+default=in_tree,
+help="Run IPA tests in-tree (default: auto-detect ../ipasetup.py.in)"
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
-context=u'cli', in_server=False, in_tree=True, fallback=False
+context=u'cli', in_server=False, in_tree=config.option.ipa_in_tree,
+fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
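Review bot: `truefalse` returns the raw string for anything other than "true"/"false" and relies on `choices=(True, False)` to reject it, so a user typing `--in-tree=yes` gets an argparse message along the lines of "invalid choice: 'yes' (choose from True, False)". Raising `argparse.ArgumentTypeError("expected true or false")` inside the converter gives a clear error and makes `choices=` unnecessary. The option is registered under the group "IPA integration tests", but it is consumed in `pytest_cmdline_main` for every `api.bootstrap`, so it affects all test runs; a more general group name would avoid confusion. The help text should also say what in-tree mode changes for the caller who forces `--in-tree=true` on a checkout that has no `../ipasetup.py.in`.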

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I followed @lslebodn's advice and changed the PR a bit. I now generate all 
Makefiles again to fix the `make dist` issue. Some of the Makefiles are not 
working correctly because some vars are declared empty (e.g. header locations, 
libs and so on). Since they are not included in `SUBDIRS`, they are not 
used in `make`. `make dist` uses `DIST_SUBDIRS` and does not depend 
on the missing vars.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278598712

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 95026f5fae70cd49f7148b604bc22574d72e7871 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   9 +++-
 configure.ac | 148 +--
 server.m4| 119 +++
 3 files changed, 160 insertions(+), 116 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..311f612 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,14 @@
 ACLOCAL_AMFLAGS = -I m4
 
+if ENABLE_SERVER
+SERVER_SUBDIRS = daemons init install ipaserver
+else
+SERVER_SUBDIRS =
+endif
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib po \
+	$(IPACLIENT_SUBDIRS) ipaplatform ipatests $(SERVER_SUBDIRS)
+
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
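Review bot: with `SERVER_SUBDIRS` defined under the automake conditional, `make dist` still recurses into `daemons init install ipaserver` through DIST_SUBDIRS even when `--disable-server` is given, so configure must keep generating those Makefiles (which matches what the thread reports doing to fix the `make dist` issue); a comment above the `if ENABLE_SERVER` block saying so would save the next person the same debugging. The new `SUBDIRS` line also moves `po` ahead of the Python packages and puts the server directories last, which changes build order relative to the old line; please confirm a clean `make` on both a full and a `--disable-server` tree. Minor: the assignment is followed by two blank lines, one of them added by this hunk.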
diff --git a/configure.ac b/configure.ac
index 8fdc731..faf6954 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
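Review bot: the `AC_ARG_ENABLE` help text is hand-formatted (`[  --disable-serverDisable server support]`, with the column spacing lost), and the error message names `--disable-server` although the bad value can only arrive via `--enable-server=<val>`. Use `AS_HELP_STRING([--disable-server], [Disable server support])` so configure aligns the column itself, and word the error as "bad value ${enableval} for --enable-server". Also, `PKG_PROG_PKG_CONFIG` is now invoked here at the top of the file, so the `PKG_PROG_PKG_CONFIG()` call removed from the samba block further down should not be reintroduced in server.m4.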
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
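Review bot: the 389-ds header checks, the libkrad check and the `KRAD_LIBS`/`krb5rundir` substitutions are deleted here, and the diffstat says a new server.m4 is created, but server.m4 is not part of this excerpt; please confirm they are re-added there and only evaluated when ENABLE_SERVER is true, since server Makefiles may still reference `@krb5rundir@`. One pre-existing bug in the removed block should not be carried over: the first test reads `if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno"`, but a shell variable name cannot contain a hyphen, so this expands to `x-plugin_h` and the `AC_MSG_ERROR` can never fire; the later test on `ac_cv_header_dirsrv_slapi_plugin_h` (underscore) is the one that actually works, and only that one is needed.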
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- [$SAMBA40EXTRA_LIBPATH])
-
-if test "x$LIB_PDB_NAME" = 
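Review bot: this hunk is cut off in the excerpt at `if test "x$LIB_PDB_NAME" =`, but the visible removed lines already show an inconsistency that should not be copied into server.m4: the variable is assigned as `LIBPDB_NAME` (`LIBPDB_NAME=""` and `[LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1]`) and then tested as `LIB_PDB_NAME`, so the test always compares an empty string. When the samba checks move under ENABLE_SERVER, fix the spelling so the `samba-passdb` versus `pdb` fallback actually takes effect.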

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From 126df80c9edbf4d7a3232a2d7f0ade53e7021aa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH 1/2] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |  17 ++-
 configure.ac | 148 +--
 server.m4| 119 +++
 3 files changed, 168 insertions(+), 116 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..c2b205b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,22 @@
 ACLOCAL_AMFLAGS = -I m4
 
+if ENABLE_SERVER
+SERVER_SUBDIRS = daemons init install ipaserver
+else
+SERVER_SUBDIRS =
+endif
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS =
+	asn1 \
+	client \
+	contrib \
+	$(IPACLIENT_SUBDIRS) \
+	ipaplatform \
+	ipatests \
+	po \
+	$(SERVER_SUBDIRS) \
+	util
+
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
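Review bot: the multi-line `SUBDIRS` list is alphabetical, which puts `util` last, after `client` and `$(SERVER_SUBDIRS)`; the replaced single line built `util` second, right after `asn1`. If `client` or the daemons link against the library built in `util`, recursive make on a clean tree now visits the consumers before the producer, so keep `asn1` and `util` at the front and only sort the independent directories. The new assignment is also followed by two blank lines, one of them added here.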
diff --git a/configure.ac b/configure.ac
index 8fdc731..faf6954 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 dnl ---
 dnl - Check for OpenLDAP SDK
@@ -101,69 +85,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-[AC_DEFINE([HAVE_STRUCT_PAC_DOMAIN_GROUP_MEMBERSHIP], [1],
-   [struct PAC_DOMAIN_GROUP_MEMBERSHIP is available.])],
-[AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include 
-   #include ]])
-
-CFLAGS="$bck_cflags"
-
-LIBPDB_NAME=""
-AC_CHECK_LIB([samba-passdb],
- [make_pdb_method],
- [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
- [LIBPDB_NAME="pdb"],
- 

[Freeipa-devel] [freeipa PR#437][synchronized] FIPS: replica install check

2017-02-09 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/437/head:pr437
git checkout pr437
From 85cd763e945167db48a675fead0d1bcf29c57440 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/5] Add fips_mode variable to env

Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..c7caeef 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,10 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+try:
+from ipaplatform.tasks import tasks
+except ImportError:
+tasks = None
 
 if six.PY3:
 unicode = str
@@ -440,6 +444,10 @@ def _bootstrap(self, **overrides):
 self.bin = path.dirname(self.script)
 self.home = os.environ.get('HOME', None)
 
+# Set fips_mode only if ipaplatform module was loaded
+if tasks is not None:
+self.fips_mode = tasks.is_fips_enabled()
+
 # Merge in overrides:
 self._merge(**overrides)
 
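Review bot: when ipaplatform cannot be imported, `fips_mode` is simply absent from env instead of being set to a defined value, so every consumer has to use `getattr(api.env, 'fips_mode', False)` or test `'fips_mode' in api.env`; patch 2/5 confirms the key is optional by popping it in the test. If "absent" is meant to signal "unknown" rather than "false", say so in the comment here and in the env key documentation, otherwise default it to False. Note also that `self.fips_mode` is assigned before `self._merge(**overrides)`, and `_merge` skips keys that are already set, so the value cannot be forced through an override, which tests for FIPS-specific code paths will want.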

From c11b964d24255bc6adbf6924d5f77b84805a9930 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 16:53:44 +0100
Subject: [PATCH 2/5] test_config: fix tests for env.fips_mode

Remove optional key fips_mode from Env object.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipatests/test_ipalib/test_config.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_ipalib/test_config.py b/ipatests/test_ipalib/test_config.py
index 1df9a39..26f49b9 100644
--- a/ipatests/test_ipalib/test_config.py
+++ b/ipatests/test_ipalib/test_config.py
@@ -563,6 +563,7 @@ def test_finalize_core(self):
 # Test using DEFAULT_CONFIG:
 defaults = dict(constants.DEFAULT_CONFIG)
 (o, home) = self.finalize_core(None, **defaults)
+o.pop('fips_mode', None)  # Remove optional key fips_mode
 assert list(o) == sorted(defaults)
 for (key, value) in defaults.items():
 if value is object:
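Review bot: `o.pop('fips_mode', None)` lets the assertion pass whether or not the key was set, so a regression that stops setting it, or sets it to a non-bool, would go unnoticed. Assert on it before popping, for example `assert isinstance(o.pop('fips_mode'), bool)` when `ipaplatform.tasks` is importable in the test environment, and fall back to the tolerant pop only when it is not.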

From 68cfb92924a8672df71fff279e0f403ac1bf016a Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 3/5] check_remote_version: update exception and docstring

Refactor function to use ScriptError exception and provide docstring.
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7d7a499..ad43aa2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -509,6 +509,13 @@ def promote_openldap_conf(hostname, master):
 
 
 def check_remote_version(api):
+"""
+Perform a check to verify remote server's version
+
+:param api: remote API
+
+:raises: ``ScriptError`` if the checks fails
+"""
 client = rpc.jsonclient(api)
 client.finalize()
 
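Review bot: the new docstring says "if the checks fails"; it should read "if the check fails". The next hunk raises `ScriptError`, but no import is visible in this patch; please confirm replicainstall.py already imports it (it lives in `ipapython.admintool`), otherwise the version mismatch would surface as a NameError instead of the intended message.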
@@ -521,7 +528,7 @@ def check_remote_version(api):
 remote_version = parse_version(env['version'])
 api_version = parse_version(api.env.version)
 if remote_version > api_version:
-raise RuntimeError(
+raise ScriptError(
 "Cannot install replica of a server of higher version ({}) than"
 "the local version ({})".format(remote_version, api_version))
 
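Review bot: the two adjacent string literals in the error are missing a separating space: `"Cannot install replica of a server of higher version ({}) than"` followed by `"the local version ({})"` concatenates to "thanthe local version", so the message the user sees is garbled; add the trailing space after "than" while this line is being touched. The docstring could also state that an older remote is accepted on purpose, since only `remote_version > api_version` is rejected.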

From 0a80d26a8777a868f18739c8983fa58256240167 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 7 Feb 2017 10:42:54 +0100
Subject: [PATCH 4/5] replicainstall: add context manager for rpc client

Abstract creating rpc client into a context manager to allow re-use.
---
 ipaserver/install/server/replicainstall.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ad43aa2..4a8b9d6 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -4,6 +4,7 @@
 
 from __future__ import print_function
 
+import contextlib
 import dns.exception as dnsexception
 import dns.name as dnsname
 import dns.resolver as dnsresolver
@@ -508,29 +509,37 @@ def promote_openldap_conf(hostname, master):
 root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+@contextlib.contextmanager
+def rpc_client(api):
 """
-Perform a check to verify remote server's version
+Context manager for JSON RPC client.
 
-:param api: remote API
-

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-09 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
Server build works now, but there's still the `make dist` issue discussed above.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-278592125

[Freeipa-devel] [freeipa PR#449][synchronized] Travis CI: Upload the logs from failed jobs to transfer.sh

2017-02-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/449
Author: martbab
 Title: #449: Travis CI: Upload the logs from failed jobs to transfer.sh
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/449/head:pr449
git checkout pr449
From 1e7f06a1c751a0d2027367769d389c0c24a67762 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Feb 2017 10:38:57 +0100
Subject: [PATCH] Travis CI: Upload the logs from failed jobs to transfer.sh

When a non-lint job fails, all the relevant logs from the test runner
will be gzipped and uploaded to https://transfer.sh file sharing
service. The download link will then be displayed at the very end of the
Travis build log.
---
 .test_runner_config.yaml | 10 ++
 .travis.yml  | 17 +
 2 files changed, 27 insertions(+)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index dc08d79..e473d49 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -31,6 +31,16 @@ steps:
   - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
+  - journalctl -b --no-pager > systemd_journal.log
+  - >
+  tar --ignore-failed-read -cvf ${container_working_dir}/var_log.tar
+  /var/log/dirsrv
+  /var/log/httpd
+  /var/log/ipa*
+  /var/log/krb5kdc.log
+  /var/log/pki
+  systemd_journal.log
+  - chown ${uid}:${gid} ${container_working_dir}/var_log.tar
   configure:
   - ./autogen.sh
   install_packages:
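Review bot: the archive bundles `/var/log/dirsrv`, `/var/log/httpd`, `/var/log/ipa*`, `/var/log/krb5kdc.log`, `/var/log/pki` and the complete journal, and the .travis.yml hunk below uploads it to a public file-sharing host. Directory Server access logs, KDC logs and installer logs of a test realm are low value, but they still expose hostnames, principals and whatever the installers print; please document that these runs use throwaway credentials only, and consider excluding anything an installer could log in clear text before this becomes the default for every failed job. Also `journalctl -b --no-pager > systemd_journal.log` writes to the current directory while the tar is created in `${container_working_dir}`; if the two differ, the `systemd_journal.log` member silently goes missing because of `--ignore-failed-read`. Use an absolute path for both.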
diff --git a/.travis.yml b/.travis.yml
index 6301974..04b766b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -12,6 +12,8 @@ env:
   PEP8_ERROR_LOG="pep8_errors.log"
   CI_RESULTS_LOG="ci_results_${TRAVIS_BRANCH}.log"
   CI_BACKLOG_SIZE=5000
+  CI_RUNNER_LOGS_DIR="/tmp/test-runner-logs"
+  CI_RUNNER_LOG_ARCHIVE="freeipa-ci-pr-${TRAVIS_PULL_REQUEST}-job-${TRAVIS_JOB_NUMBER}.tar.gz"
 matrix:
 - TASK_TO_RUN="lint"
 - TASK_TO_RUN="run-tests"
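Review bot: `CI_RUNNER_LOGS_DIR` is introduced here and `mkdir -p`'d in the next hunk, but nothing in the patch writes to it; the archive is assembled from `var_log.tar` in the working directory. Either drop the variable or make it the place where `var_log.tar` and the gzipped archive are created.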
@@ -31,7 +33,22 @@ install:
   git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1
 
 script:
+- mkdir -p $CI_RUNNER_LOGS_DIR
 - travis_wait 50 ./.travis_run_task.sh
 after_failure:
 - echo "Test runner output:"; tail -n $CI_BACKLOG_SIZE $CI_RESULTS_LOG
 - echo "PEP-8 errors:"; cat $PEP8_ERROR_LOG
+- >
+  echo "Archiving CI logs";
+  if [[ "$TASK_TO_RUN" != "lint" ]]; then
+  tar --ignore-failed-read -uvf var_log.tar $CI_RESULTS_LOG $PEP8_ERROR_LOG;
+  gzip var_log.tar;
+  mv var_log.tar.gz $CI_RUNNER_LOG_ARCHIVE;
+
+  transfer_url=$(
+curl --upload-file \
+./$CI_RUNNER_LOG_ARCHIVE \
+https://transfer.sh/${CI_RUNNER_LOG_ARCHIVE}) &&
+echo "Download log archive from ${transfer_url}" ||
+echo "Failed to upload log archive!";
+   fi
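Review bot: `curl --upload-file` without `--fail` returns success on an HTTP error response, so `transfer_url` can end up holding an error page body and the script would still print "Download log archive from ..." with that garbage; use `curl --fail --silent --show-error --upload-file ...`. The upload runs in `after_failure` for every non-lint task, including pull requests from forks, which means the archive is published to a third-party host automatically; gating it on an opt-in environment variable keeps the default conservative. Minor: the closing `fi` is indented one column deeper than its `if`.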

[Freeipa-devel] [freeipa PR#451][synchronized] certdb: remove unused keysize property

2017-02-09 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/451
Author: tomaskrizek
 Title: #451: certdb: remove unused keysize property
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/451/head:pr451
git checkout pr451
From 6084a2c3651c54a2662f708c803e27aa8d678c64 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 18:28:25 +0100
Subject: [PATCH 1/2] certdb: remove unused keysize property

Keysize property is no longer used anywhere in the code. It was
originally introduced for the request_cert function, which was later
refactored to use a function argument instead.
---
 ipaserver/install/certs.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..e6d0ce2 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -110,7 +110,6 @@ def __init__(
 
 self.cacert_name = get_ca_nickname(self.realm)
 self.valid_months = "120"
-self.keysize = "1024"
 
 # We are going to set the owner of all of the cert
 # files to the owner of the containing directory
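Review bot: removing `self.keysize = "1024"` is a plain attribute deletion, so nothing in this hunk shows that no other module still reads `.keysize` on a CertDB instance, and such a use would only fail at runtime; please state in the commit message that the tree was searched for remaining references. Dropping a hard-coded 1024-bit default rather than keeping it around as dead configuration is the right call.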

From 0184b7fa1f2844ee9a8dd5fa71400eec4e696b60 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 8 Feb 2017 18:54:20 +0100
Subject: [PATCH 2/2] certdb: remove unused valid_months property

Property valid_months is no longer used anywhere in the code. It was
removed when the selfsign functionality was dropped.
---
 ipaserver/install/certs.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index e6d0ce2..d484d8a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -109,7 +109,6 @@ def __init__(
 raise RuntimeError("Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
-self.valid_months = "120"
 
 # We are going to set the owner of all of the cert
 # files to the owner of the containing directory
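Review bot: as with the keysize change, deleting `self.valid_months = "120"` only removes the assignment, so the hunk itself cannot demonstrate that no caller elsewhere still reads `.valid_months`; a note in the commit message on how that was verified would make the cleanup reviewable. Since this patch's `index e6d0ce2..d484d8a` builds directly on the first one, the two should be merged together.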

[Freeipa-devel] [freeipa PR#451][comment] certdb: remove unused keysize property

2017-02-09 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/451
Title: #451: certdb: remove unused keysize property

tomaskrizek commented:
"""
@frasertweedale Fixed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/451#issuecomment-278590229

[Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

2017-02-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

stlaz commented:
"""
@HonzaCholasta: +1, you're right, I should investigate more on how to change 
this behavior; either we or Dogtag don't behave correctly here.
@pvoborni, @tomaskrizek: out of curiosity, do we have a design/guideline on 
how to write unit tests for FreeIPA? Did not find any.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/443#issuecomment-278586306

[Freeipa-devel] [freeipa PR#450][synchronized] Add FIPS-token password of HTTPD NSS database

2017-02-09 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/450
Author: stlaz
 Title: #450: Add FIPS-token password of HTTPD NSS database
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/450/head:pr450
git checkout pr450
From 289934cf5ae46a272e99571133c10c0a87cbcf95 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 9 Jan 2017 08:45:33 +0100
Subject: [PATCH] Add FIPS-token password of HTTPD NSS database

This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/certs.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 80918d4..9d69540 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -504,7 +504,10 @@ def create_password_conf(self):
 f = open(self.pwd_conf, "w")
 f.write("internal:")
 pwdfile = open(self.passwd_fname)
-f.write(pwdfile.read())
+password = pwdfile.read()
+f.write(password)
+f.write("\nNSS FIPS 140-2 Certificate DB:")
+f.write(password)
 f.close()
 pwdfile.close()
 self.set_perms(self.pwd_conf, uid=constants.HTTPD_USER)
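Review bot: `password = pwdfile.read()` keeps whatever trailing newline the password file carries, so the new `f.write("\nNSS FIPS 140-2 Certificate DB:")` yields either a blank line between the two entries or a token password that ends in a newline, depending on how the file was written; strip it explicitly (`password = pwdfile.read().rstrip('\n')`) and terminate each `token:password` line with an explicit `"\n"`. Both files are opened with a bare `open()` and closed by hand, so an exception from `pwdfile.read()` leaks `f`; `with` blocks for both would fix that. Since `self.pwd_conf` now holds the FIPS token password in clear text as well, it would be safer to create it with restrictive permissions up front rather than relying on `set_perms` after the content has already been written.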