[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

HonzaCholasta commented:
"""
LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-279935166
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#450][comment] Add FIPS-token password of HTTPD NSS database

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/450
Title: #450: Add FIPS-token password of HTTPD NSS database

HonzaCholasta commented:
"""
LGTM. I guess we don't have to bother with upgrade, given that you can turn on 
FIPS post-install, right?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/450#issuecomment-279933986

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a
https://fedorahosted.org/freeipa/changeset/38c66896de1769077cd5b057133606ec5eeaf62b
https://fedorahosted.org/freeipa/changeset/b109f5d850ce13585d4392ca48896dc069a746e5
https://fedorahosted.org/freeipa/changeset/b6741d81e187fc84177c12ef8ad900d3b5cda6a4
https://fedorahosted.org/freeipa/changeset/d2f5fc304f1938d23171ae330fa20b213ceed54e
https://fedorahosted.org/freeipa/changeset/d124e307f3b7d88bca53784f030ed6043b224432
https://fedorahosted.org/freeipa/changeset/f648c5631afa5e7954eee9a84fb1222d3bce3bf1
https://fedorahosted.org/freeipa/changeset/c2b1b2a36200b50babfda1eca37fb4b51fefa9c6
https://fedorahosted.org/freeipa/changeset/4fd89833ee5421b05c10329d627d0e0fc8496046
https://fedorahosted.org/freeipa/changeset/4bd2d6ad46c9151e11f9223dd5383555fdedb249
https://fedorahosted.org/freeipa/changeset/00a9d2f94dee17e28e39cdae0c32acc3d1fe51ed
https://fedorahosted.org/freeipa/changeset/41c1efc44a6b809445facd4772574595029553b1
https://fedorahosted.org/freeipa/changeset/09c92e2bc1ca9db5b73d5ab8483b42dbd6b9a0e9
https://fedorahosted.org/freeipa/changeset/e4d462ad53597fd5410aa4e94a57bb15b92a3f13
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279925508

[Freeipa-devel] [freeipa PR#314][closed] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
 Title: #314: RFC: privilege separation for ipa framework code
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

[Freeipa-devel] [freeipa PR#314][+pushed] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

Label: +pushed

[Freeipa-devel] [freeipa PR#314][+ack] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

Label: +ack

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Thank you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Done
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-14 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @HonzaCholasta 
PR updated with `ipa user-add-certmapdata` using positional arg for CERTMAPDATA
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-279796224

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-14 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From f26952bee2b45fce6defbb742e563f5d8b561018 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 158 -
 ipaserver/plugins/certmap.py   | 355 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 818 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
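Review bot: the two read ACIs added in this hunk ("System: Read Certmap Configuration" and "System: Read Certmap Rules") grant compare/read/search to `userdn = "ldap:///all"`, i.e. every authenticated bind; enrolled clients (SSSD) need that to evaluate `ipacertmapmatchrule`/`ipacertmapmaprule`, but it also means any authenticated user can enumerate the complete mapping logic. This mirrors the existing "System: Read CA ACLs" entry directly above, so it is consistent, but it deserves an explicit sentence in the design page linked from the commit message. On the write side the split into separate Add/Delete/Modify permissions scoped by `(objectclass=ipacertmaprule)` is correct, and "System: Modify Certmap Configuration" exposing only `ipacertmappromptusername` (leaving `cn` read-only) is the right scope.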
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 
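Review bot: the patch is cut off here, inside the second ACI.txt hunk (`@@ -337,6 +349,8 @@`) and before the other fourteen files in the diffstat (API.txt, install/share/73certmap.ldif, install/updates/73-certmap.update, ipaserver/plugins/certmap.py, baseuser.py, stageuser.py, user.py, the ipapython/dn.py change and its test), so neither the schema nor the plugin logic can be reviewed from this mailing-list copy; those files have to be reviewed on the PR page at https://github.com/freeipa/freeipa/pull/398.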

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
That test actually doesn't test the output of the command; IMO it should be an 
xmlrpc_test. But it can be done later, it shouldn't block this PR
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-279794064

[Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

MartinBasti commented:
"""
LGTM, I can test it tomorrow
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/454#issuecomment-279791253

[Freeipa-devel] [freeipa PR#465][opened] Tests: search for disabled users

2017-02-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/465
Author: MartinBasti
 Title: #465: Tests: search for disabled users
Action: opened

PR body:
"""
Add tests for searching disabled/enabled users.

XFAIL: newly created users have no 'nsaccountlock' attribute set and
user-find doesn't return them as active users. This should be fixed.

Partially tests: #444

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/465/head:pr465
git checkout pr465
From 54526f42356a65993341f68aaea36e287b364c6b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 14 Feb 2017 19:06:23 +0100
Subject: [PATCH] Tests: search for disabled users

Add tests for searching disabled/enabled users.

XFAIL: newly created users have no 'nsaccountlock' attribute set and
user-find doesn't return them as active users. This should be fixed.
---
 ipatests/test_xmlrpc/test_user_plugin.py | 41 
 1 file changed, 41 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index d33c4d7..098163d 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -240,6 +240,47 @@ def test_find_with_pkey_only(self, user):
 result = command()
 user.check_find(result, pkey_only=True)
 
+@pytest.mark.xfail(
+reason="new users don't have set attribute nsaccountlock in LDAP, "
+   "thus this search doesn't return it in result")
+def test_find_enabled_user(self, user):
+"""Test user-find --disabled=False with enabled user"""
+user.ensure_exists()
+command = user.make_find_command(
+uid=user.uid, pkey_only=True, nsaccountlock=False)
+result = command()
+user.check_find(result, pkey_only=True)
+
+def test_negative_find_enabled_user(self, user):
+"""Test user-find --disabled=True with enabled user, shouldn't
+return any result"""
+user.ensure_exists()
+command = user.make_find_command(
+uid=user.uid, pkey_only=True, nsaccountlock=True)
+result = command()
+user.check_find_nomatch(result)
+
+def test_find_disabled_user(self, user):
+"""Test user-find --disabled=True with disabled user"""
+user.ensure_exists()
+user.disable()
+command = user.make_find_command(
+uid=user.uid, pkey_only=True, nsaccountlock=True)
+result = command()
+user.check_find(result, pkey_only=True)
+user.enable()
+
+def test_negative_find_disabled_user(self, user):
+"""Test user-find --disabled=False with disabled user, shouldn't
+return any results"""
+user.ensure_exists()
+user.disable()
+command = user.make_find_command(
+uid=user.uid, pkey_only=True, nsaccountlock=False)
+result = command()
+user.check_find_nomatch(result)
+user.enable()
+
 
 @pytest.mark.tier1
 class TestActive(XMLRPC_test):
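Review bot: test_find_disabled_user and test_negative_find_disabled_user call user.disable() and only re-enable at the very end of the test body, so a failing user.check_find / user.check_find_nomatch leaves the shared fixture user disabled for every later test in the class and masks their results; wrap the command and the check in try/finally with user.enable() in the finally block, or restore the state from the fixture. Also consider `@pytest.mark.xfail(..., strict=True)` on test_find_enabled_user: without strict, once the missing-nsaccountlock issue referenced in the commit message is fixed the test will only report XPASS and nobody will be prompted to drop the marker.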

[Freeipa-devel] [freeipa PR#215][closed] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/215
Author: jumitche
 Title: #215: Add script to setup krb5 NFS exports
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/215/head:pr215
git checkout pr215

[Freeipa-devel] [freeipa PR#215][+rejected] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

Label: +rejected

[Freeipa-devel] [freeipa PR#215][comment] Add script to setup krb5 NFS exports

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/215
Title: #215: Add script to setup krb5 NFS exports

pvoborni commented:
"""
Justin, pasting here a re-phrased mail I wrote you on Dec 5. 

This is a tool which integrates an external host with FreeIPA. It is written in 
a way that it can exist completely outside of the FreeIPA git repository. 
Thinking more about it, it might actually be better to write an Ansible module 
which would configure a server as an NFS server and join it to the FreeIPA 
realm. We will be working on better Ansible integration in the very near 
future. 

Technical/maintenance side of the patch: tools merged into the FreeIPA 
repository are then maintained by the FreeIPA core team. The problem is that 
the tool is written in a way that it doesn't use any internal FreeIPA calls and 
thus reimplements IPA logic, which makes it hard to maintain. To make it easier 
to maintain it would be better to reuse IPA internal calls. But it doesn't make 
sense for you to spend time on rewriting it according to upstream rules, nor 
does it make sense for an upstream developer to modify your code according to 
them (this would be faster for both sides than the former review ping-pong). So 
it would be preferred to maintain it elsewhere.

The proposal/general agreement at FreeIPA triage was:
- move this script into a separate git repo, e.g. on GitHub. That way fixing 
the script doesn't have to rely on the FreeIPA schedule. It might be your repo 
or maybe under the FreeIPA org if you prefer it.
- FreeIPA upstream will create a wiki page where we will list similar 
contributions (like https://github.com/peterpakos/ipa_check_consistency/ ) and 
add it there so it would be discoverable
- FreeIPA upstream will also make it discoverable from installed rpms - 
https://fedorahosted.org/freeipa/ticket/6536
- if the project receives high enough popularity - i.e. it will be widely used 
- it may be considered for a rewrite and inclusion into IPA core

What was not discussed but may be a good thing is to create integration travis 
tests in the separate repo which would test the script so it can be tested 
automatically.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/215#issuecomment-279784708

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
Or we can modify the search filter on the server to cover this case, but it 
won't be nice
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279777252

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
I found a "not-sure-if" bug: nsaccountlock is not always specified (admin has 
it and any user after user-enable; that's why I didn't catch it during testing 
of the PR) in the LDAP tree, so the search `user-find --disabled=false` returns 
only admin and users that were explicitly enabled.

IMHO this is unexpected behavior for users, however expected from the IPA 
framework POV and LDAP POV.
What could we do to improve UX? Maybe on the client side we should allow 
`--disabled` only as a flag to prevent users from searching for enabled users 
and getting corrupted results.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279776995
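The search gap MartinBasti describes, and the server-side filter change he mentions in his other comment on #444, worked through as an added example that is not FreeIPA's own code: a constructed set of user entries and a minimal LDAP filter evaluator show that `(nsaccountlock=FALSE)` skips users that never had the attribute, while the negated form `(!(nsaccountlock=TRUE))` returns them. The sample entries, the evaluator and both filter-building helpers are assumptions for this demonstration, not FreeIPA code.

```python
"""Constructed demonstration of the nsaccountlock search gap (not FreeIPA code).

Mapping ``--disabled=false`` straight to ``(nsaccountlock=FALSE)`` only matches
entries where the attribute is physically present, so users that were never
explicitly enabled or disabled are skipped.  Negating the TRUE case,
``(!(nsaccountlock=TRUE))``, is a server-side filter that also covers them.
"""

# Constructed sample of the users subtree: admin was explicitly enabled
# (attribute present), alice is freshly created (attribute absent),
# bob was disabled with user-disable (attribute TRUE).
USERS = {
    "admin": {"uid": "admin", "nsaccountlock": "FALSE"},
    "alice": {"uid": "alice"},
    "bob": {"uid": "bob", "nsaccountlock": "TRUE"},
}


def naive_filter(disabled):
    """Filter produced by mapping --disabled=<bool> directly to attr=value."""
    return "(nsaccountlock=%s)" % ("TRUE" if disabled else "FALSE")


def absence_aware_filter(disabled):
    """Filter that treats a missing nsaccountlock as 'enabled'."""
    return "(nsaccountlock=TRUE)" if disabled else "(!(nsaccountlock=TRUE))"


def _parse(text, pos):
    """Parse one parenthesised filter at text[pos] (RFC 4515 subset:
    equality, NOT, AND, OR) and return (node, position after it)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = _parse(text, pos)
            kids.append(node)
        if text[pos] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), pos + 1
    if text[pos] == "!":
        node, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [node]), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", [attr.lower(), value]), end + 1


def _matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercase attrs)."""
    op, args = node
    if op == "=":
        attr, value = args
        actual = entry.get(attr)
        # Boolean syntax compares case-insensitively; an absent attribute never
        # satisfies an equality assertion, which is the whole problem here.
        return actual is not None and actual.upper() == value.upper()
    if op == "!":
        return not _matches(args[0], entry)
    results = [_matches(child, entry) for child in args]
    return all(results) if op == "&" else any(results)


def search(ldap_filter, entries=USERS):
    """Return the sorted uids whose entry satisfies ldap_filter."""
    node, _ = _parse(ldap_filter, 0)
    return sorted(uid for uid, entry in entries.items() if _matches(node, entry))


def compare(disabled):
    """Run both filter variants for one --disabled value; return what each finds."""
    return {
        "naive": search(naive_filter(disabled)),
        "absence_aware": search(absence_aware_filter(disabled)),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("--disabled=%s" % str(flag).lower(), compare(flag))
```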

[Freeipa-devel] [freeipa PR#23][+postponed] Time-Based HBAC Policies

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/23
Title: #23: Time-Based HBAC Policies

Label: +postponed

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-02-14 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From e8a02937c9d44ea209f939a3129b8f176d50cd4a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 181 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  16 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   8 +-
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 158 -
 ipaserver/plugins/certmap.py   | 355 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  20 +++
 15 files changed, 818 insertions(+), 13 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..2bde577 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
If there is a reason it can be maintained in IPA, but what is the reason?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279768384

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

tiran commented:
"""
I don't mind maintaining my own copy of ipacommands with `ipa-getkeytab` 
until we agree on a permanent solution.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279767747

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

pvoborni commented:
"""
@tiran  I have a very vague idea how this is helpful. You mentioned it 
during the post-devconf "API meeting", but I no longer remember it and the 
description of this PR is very general.  

In order to move all the pypi patches forward, we need to document (maybe 
design) the whole pypi workflow.  This is not mentioned in 
http://www.freeipa.org/page/V4/Build_system_refactoring nor in  
http://www.freeipa.org/page/V4/Integration_Improvements, i.e. how the FreeIPA 
project will work/supply packages to PyPI and what the requirements for these 
packages actually are.  What is expected to work and what not (like 
everything related to pyhbac).

Right now I have no idea what the missing blocker parts are and what are just 
nice-to-have things. 

Also I don't really like the part that the patches use a custom repo of 
python-nss. But I'm glad that you are working with @jdennis to improve it. 
@stlaz, with PR #367 what are the remaining usages of python-nss? Could we 
actually get rid of python-nss completely?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-279767185

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

MartinBasti commented:
"""
We need a placeholder package for sure, and this PR should be split into 2, but 
I still don't endorse having ipa-getkeytab installable by pip
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279760067

[Freeipa-devel] [freeipa PR#444][closed] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/444
Author: redhatrises
 Title: #444: Allow nsaccountlock to be searched in user-find commands
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/444/head:pr444
git checkout pr444

[Freeipa-devel] [freeipa PR#455][closed] Backup /root/kracert.p12

2017-02-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/455
Author: tiran
 Title: #455: Backup /root/kracert.p12
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/455/head:pr455
git checkout pr455

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-02-14 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

pvoborni commented:
"""
I thought that I understood why this PR is needed, but in fact I don't.  Ticket 
#6484 is closed. Why is it attached to it?

How will the pypi packaging change if the ipacommands package is not there? 
Would it be used for anything? How should it be used?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-279753967

[Freeipa-devel] [freeipa PR#455][+pushed] Backup /root/kracert.p12

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12

Label: +pushed

[Freeipa-devel] [freeipa PR#455][comment] Backup /root/kracert.p12

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/455
Title: #455: Backup /root/kracert.p12

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/11ef2cacbf2ebb67f80a0cf4a3e7b39da700188b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/455#issuecomment-279753418

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a930ec824da0337109d646ab3acb495dc1b6ba63
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279752284

[Freeipa-devel] [freeipa PR#444][+pushed] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

Label: +pushed

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

MartinBasti commented:
"""
@pvomacka IMO this may deserve webUI part too
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/444#issuecomment-279752074

[Freeipa-devel] [freeipa PR#444][+ack] Allow nsaccountlock to be searched in user-find commands

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/444
Title: #444: Allow nsaccountlock to be searched in user-find commands

Label: +ack

[Freeipa-devel] [freeipa PR#464][+ack] Bump required python-cryptography version

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: +ack

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5b56952a547277fab4c68da02f213d40f931a4ca
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-279747218

[Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version

2017-02-14 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

[Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: +pushed

[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 61a865d14049acb5c17fac8033f173c54cbdfa84 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck | 11 +++
 ipaclient/install/client.py | 14 ++
 ipapython/certdb.py | 19 +--
 ipaserver/install/cainstance.py | 23 +++
 ipaserver/install/certs.py  |  2 +-
 ipaserver/install/installutils.py   | 18 --
 ipaserver/install/ipa_cacert_manage.py  |  8 
 ipaserver/install/ipa_server_certinstall.py |  7 +++
 ipaserver/install/kra.py|  7 ---
 ipaserver/install/server/upgrade.py |  5 +
 10 files changed, 70 insertions(+), 44 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
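Review bot: the file written by `nss_db.create_passwd_file(ipautil.ipa_generate_password())` gets no explicit mode here, while the `create_ipa_nssdb` hunk of this same patch follows its `create_passwd_file` call with `os.chmod(db.password_file, 0o600)`. Unless `create_passwd_file` sets 0600 itself, the password file inside the NSS directory inherits the process umask; have `create_passwd_file` create the file with a restrictive mode so every caller gets it without a separate chmod.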
@@ -555,8 +552,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
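Review bot: with `nss_dir = nss_db.secdir` and `else: nss_dir = None` both removed, `nss_dir` keeps whatever value it had before `with certdb.NSSDatabase(nss_dir)`. When that value was None and `NSSDatabase` created a temporary directory, the `api.bootstrap(context='client', ...)` call that follows no longer sees the directory that actually holds the CA certificates just added. Confirm nothing after this block still reads `nss_dir`, or keep the assignment in the `if options.ca_cert_file` branch.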
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2b01b0d..79686b6 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,18 +2284,16 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
 
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
 ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
 
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
 
-db.create_db(pwdfile)
+db.create_db()
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
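Review bot: `db.create_passwd_file(...)` followed by `os.chmod(db.password_file, 0o600)` leaves a window in which the freshly written password sits in a file with umask-derived permissions; the removed `with open(pwdfile, 'w')` code had the same window, so this is a good moment to close it. Creating the file with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` inside `create_passwd_file` gives the final mode at creation and removes the need for the separate chmod at each call site. `ipautil.backup_file(db.password_file)` is fine as changed, since the name now comes from the object rather than being rebuilt here.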
@@ -2667,8 +2665,8 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
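Review bot: `tmp_db.create_passwd_file(...)` here is not followed by a chmod, while `create_ipa_nssdb` in the previous hunk does `os.chmod(db.password_file, 0o600)` after the same call; the two call sites should not differ in this, which again argues for the mode being set by `create_passwd_file` itself rather than by whoever remembers to add the chmod.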
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..597aa71 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,13 +83,17 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
-def __init__(self, nssdir=None):
+def __init__(self, nssdir=None, password_file=None):
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
 else:
 self.secdir = nssdir
 self._is_temporary = False
+if password_file is None:
+self.password_file = os.path.join(self.secdir, 'pwdfile.txt')
+else:
+   
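As an added example of the password-file handling this patch introduces (this is not FreeIPA's code and not part of the patch; `write_password_file`, `password_file_problems`, `mode_right_after_creation` and the `pwdfile.txt` name under a throwaway directory are this example's own choices), the following Python creates the file with its final mode in one step, shows the mode the open()-then-chmod pattern exposes in between, and audits an existing file the way a deployment check would:

```python
"""Added example, not FreeIPA code: create an NSS password file safely.

The patch creates the password file and then chmods it to 0o600 in a
separate step; between the two calls the file exists with a mode derived
from the process umask.  Creating it with O_CREAT|O_EXCL and an explicit
mode closes that window.  All names here (write_password_file and friends,
the pwdfile.txt file name, the constructed password) are this example's own.
"""
import os
import stat
import tempfile


def write_password_file(path, password):
    """Create *path* with mode 0600 and write *password* plus a newline.

    O_EXCL makes the call fail if something already exists at *path*
    (including a symlink planted there) instead of writing through it.
    Callers that intend to replace a file remove the old one first.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")
    return path


def read_password_file(path):
    """Read the password back: the first line without its trailing newline."""
    with open(path) as f:
        return f.readline().rstrip("\n")


def password_file_problems(path, expected_uid=None):
    """Return a list of findings for an existing password file; [] means ok.

    Checks what an audit cares about: a regular file (not a symlink),
    no group/other permission bits, and the expected owner.
    """
    st = os.lstat(path)
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants access to group or other"
                        % stat.S_IMODE(st.st_mode))
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d"
                        % (st.st_uid, expected_uid))
    return problems


def mode_right_after_creation(secure, umask=0o022):
    """Return the mode a fresh password file has the moment it is created.

    secure=True uses write_password_file; secure=False mimics the
    open()-then-chmod pattern and reports the mode before the chmod,
    i.e. what another process could observe during the window.
    """
    secdir = tempfile.mkdtemp()
    path = os.path.join(secdir, "pwdfile.txt")
    old_umask = os.umask(umask)
    try:
        if secure:
            write_password_file(path, "constructed-example-password")
        else:
            with open(path, "w") as f:
                f.write("constructed-example-password\n")
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)
        os.unlink(path)
        os.rmdir(secdir)


def demo():
    """Create, audit and read back a password file in a throwaway directory."""
    secdir = tempfile.mkdtemp()
    path = os.path.join(secdir, "pwdfile.txt")
    try:
        write_password_file(path, "constructed-example-password")
        return (password_file_problems(path, os.getuid()),
                read_password_file(path))
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(secdir)


if __name__ == "__main__":
    print("secure creation mode:     %04o" % mode_right_after_creation(True))
    print("open()+chmod window mode: %04o" % mode_right_after_creation(False))
    print(demo())
```

With the usual umask of 022 the open()-then-chmod variant is 0644 until the chmod runs, while the `os.open` variant is 0600 from the first instant; `password_file_problems` is the check to run on an already-installed database directory before trusting its password file.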

[Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. 
It's necessary to create a pwdfile.txt in Dogtag cert store so that actions 
like CA renew function properly even with FIPS.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463

[Freeipa-devel] [freeipa PR#446][comment] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: No NSS database passwords in ipa-client-install

stlaz commented:
"""
NSSDatabase now defaults its `.password_file` to `.sec_dir + 'passwd.txt'`. 
It's necessary to create a pwdfile.txt in system-wide cert store so that 
actions like CA renew function properly even with FIPS.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/446#issuecomment-279738463

[Freeipa-devel] [freeipa PR#423][+ack] dns-update-system-records: add support for nsupdate output format

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

Label: +ack

[Freeipa-devel] [freeipa PR#423][comment] dns-update-system-records: add support for nsupdate output format

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/423
Title: #423: dns-update-system-records: add support for nsupdate output format

tomaskrizek commented:
"""
Please update the ticket in trac/JIRA to mention the command does not support 
stdout. LGTM otherwise.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/423#issuecomment-279735139

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
I would personally go with:
* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From 53aebe8ea2663dc6c57730e797f1e0b06a0b3b69 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2

It was possible to set tls_version_min/max to 'ssl2', even though
newer versions of NSS will fail to set this as a valid TLS version.
This patch explicitly checks for deprecated TLS versions prior to
creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 27 ++--
 ipalib/constants.py | 10 +
 ipapython/nsslib.py | 60 +++--
 3 files changed, 93 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..1a59879 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -578,6 +581,26 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+# set the best known TLS version if min/max versions are not set
+if 'tls_version_min' not in self:
+self.tls_version_min = TLS_VERSIONS[-1]
+elif self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(ver=self.tls_version_min))
+
+if 'tls_version_max' not in self:
+self.tls_version_max = TLS_VERSIONS[-1]
+elif self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(ver=self.tls_version_max))
+
+if self.tls_version_max < self.tls_version_min:
+raise errors.EnvironmentError(
+"tls_version_min is set to a higher TLS version than "
+"tls_version_max.")
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
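Review bot: `if self.tls_version_max < self.tls_version_min` compares the version names as strings. It happens to give the right answer for the five names in `TLS_VERSIONS` ('ssl2' < 'ssl3' < 'tls1.0' < 'tls1.1' < 'tls1.2'), but it is not the ordering the rest of the patch uses (`TLS_VERSIONS.index(...)` in `get_proper_tls_version_span`) and breaks as soon as a name sorts differently from its position in the list; compare `TLS_VERSIONS.index(self.tls_version_max) < TLS_VERSIONS.index(self.tls_version_min)` instead. The defaults also deserve a more precise comment: `TLS_VERSIONS[-1]` for both min and max pins the connection to the newest listed version, which is what "best known" means here, and the check only rejects names outside `TLS_VERSIONS`, so 'ssl2' still passes this layer and is only dealt with in nsslib; say so, or reject anything below `TLS_VERSION_MINIMAL` here too so the error surfaces at configuration time.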
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 81643da..1e8f51a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -276,3 +276,13 @@
 
 # regexp definitions
 PATTERN_GROUPUSER_NAME = '^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
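Review bot: `TLS_VERSIONS` is used for ordering (`.index()` comparisons and `TLS_VERSIONS[-1]` as the default), so a comment stating that the list is ordered oldest to newest and must stay that way would stop someone appending out of order; a tuple would also signal it is not meant to be mutated. The presence of 'ssl2' and 'ssl3' in a list named `TLS_VERSIONS` needs a comment as well: they are there so the config layer recognises the names, not because connections with them are allowed (anything below `TLS_VERSION_MINIMAL` is raised by nsslib).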
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..8b02f4b 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,8 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipa_log_manager import log_mgr
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
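Review bot: `from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL` makes ipapython depend on ipalib, while ipalib/config.py in this same patch imports `ipapython.dn`; check that importing `ipapython.nsslib` on its own does not now trigger a circular import, and consider keeping the TLS constants in ipapython and re-exporting them from `ipalib.constants`. The new `log_mgr` import alongside the existing `root_logger` one is fine as long as the module-level `logger` it creates is actually used in the rest of the patch.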
@@ -38,6 +40,9 @@
 # pylint: disable=import-error
 import http.client as httplib
 
+# get a logger for this module
+logger = log_mgr.get_logger(__name__)
+
 # NSS database currently open
 current_dbdir = None
 
@@ -129,6 +134,55 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+"""
+This function checks whether the given TLS versions are known in FreeIPA
+and that these versions fulfill the requirements for minimal TLS version
+(see `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`).
+
+:param tls_version_min:
+the lower value in the TLS min-max span, raised to the lowest allowed
+value if too low
+:param tls_version_max:
+the higher value in the TLS min-max span, raised to tls_version_min
+if lower than TLS_VERSION_MINIMAL
+"""
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise ValueError("tls_version_min ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise ValueError("tls_version_max ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_max))
+
+if 
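As an added example of the TLS span validation this patch describes (not FreeIPA's code and not part of the patch: the two constants are the patch's, while `tls_version_span`, its `adjustments` return value, `span_error` and `lexicographic_order_agrees` are this example's own), the following Python ranks versions by their position in `TLS_VERSIONS`, refuses unknown names, raises anything older than `TLS_VERSION_MINIMAL`, reports every silent change so the caller can log it, and shows why string comparison of the names is not a safe substitute:

```python
"""Added example, not FreeIPA code: validate and normalise a TLS version span.

It follows the scheme the patch sets up: the ordered list TLS_VERSIONS ranks
the protocol names, anything older than TLS_VERSION_MINIMAL is not used, and
the span is ordered by list position rather than by comparing the strings.
The two constants are the patch's; tls_version_span and its return shape
are this example's own.
"""

# Ordered oldest to newest; the position is the ranking.
TLS_VERSIONS = ["ssl2", "ssl3", "tls1.0", "tls1.1", "tls1.2"]
TLS_VERSION_MINIMAL = "tls1.0"


def _index(setting, name):
    """Rank of *name* in TLS_VERSIONS; the ValueError names the bad setting."""
    try:
        return TLS_VERSIONS.index(name)
    except ValueError:
        raise ValueError("%s ('%s') is not a known TLS version."
                         % (setting, name))


def tls_version_span(tls_version_min=None, tls_version_max=None):
    """Return (min, max, adjustments) for a configured TLS span.

    - a setting that is None defaults to the newest known version, as the
      patch's _finalize_core does;
    - an unknown name raises ValueError (no arbitrary strings);
    - a minimum older than TLS_VERSION_MINIMAL is raised to it, and a
      maximum older than TLS_VERSION_MINIMAL is raised to the new minimum;
    - a maximum still below the minimum afterwards raises ValueError.
    Every silent change is listed in *adjustments* so the caller can log
    that a configured value was not honoured.
    """
    adjustments = []
    floor_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)

    min_name = TLS_VERSIONS[-1] if tls_version_min is None else tls_version_min
    max_name = TLS_VERSIONS[-1] if tls_version_max is None else tls_version_max
    min_idx = _index("tls_version_min", min_name)
    max_idx = _index("tls_version_max", max_name)

    if min_idx < floor_idx:
        adjustments.append("tls_version_min raised from %s to %s"
                           % (min_name, TLS_VERSION_MINIMAL))
        min_idx = floor_idx
    if max_idx < floor_idx:
        adjustments.append("tls_version_max raised from %s to %s"
                           % (max_name, TLS_VERSIONS[min_idx]))
        max_idx = min_idx
    if max_idx < min_idx:
        raise ValueError("tls_version_min is set to a higher TLS version "
                         "than tls_version_max.")
    return TLS_VERSIONS[min_idx], TLS_VERSIONS[max_idx], adjustments


def span_error(tls_version_min, tls_version_max):
    """Return the validation error message for a span, or None if it is valid."""
    try:
        tls_version_span(tls_version_min, tls_version_max)
    except ValueError as e:
        return str(e)
    return None


def lexicographic_order_agrees(versions):
    """True if sorting the names as strings reproduces their list order.

    It holds for the five names the patch lists, which is why a plain
    string comparison of min and max looks correct; it stops holding as
    soon as a name sorts differently from its position (a hypothetical
    'tls1.10' sorts before 'tls1.2'), which is why the span above compares
    indices instead.
    """
    return sorted(versions) == list(versions)


if __name__ == "__main__":
    print(tls_version_span("ssl3", "tls1.1"))
    print(span_error("tls1.2", "tls1.0"))
    print(lexicographic_order_agrees(TLS_VERSIONS + ["tls1.3", "tls1.10"]))
```

A caller that receives a non-empty `adjustments` list should log each entry at warning level: an administrator who configured `ssl3` needs to see that the setting was overridden rather than discover it from a failed handshake.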

[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From bb28aabc081179154dc38cb8b3986d67cb6b9bf9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck | 11 +++
 ipaclient/install/client.py | 14 ++
 ipapython/certdb.py | 19 +--
 ipaserver/install/cainstance.py | 23 +++
 ipaserver/install/certs.py  |  2 +-
 ipaserver/install/installutils.py   | 18 --
 ipaserver/install/ipa_cacert_manage.py  |  8 
 ipaserver/install/ipa_server_certinstall.py |  7 +++
 ipaserver/install/kra.py|  7 ---
 ipaserver/install/server/upgrade.py |  5 +
 10 files changed, 70 insertions(+), 44 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
@@ -555,8 +552,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..1b75f49 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2289,18 +2289,16 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
 
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
 ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
 
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
 
-db.create_db(pwdfile)
+db.create_db()
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
@@ -2672,8 +2670,8 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..9493118 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,13 +83,17 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
-def __init__(self, nssdir=None):
+def __init__(self, nssdir=None, password_file=None):
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
 else:
 self.secdir = nssdir
 self._is_temporary = False
+if password_file is None:
+self.password_file = os.path.join(self.secdir, 'passwd.txt')
+else:
+
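Review bot: the default `self.password_file = os.path.join(self.secdir, 'passwd.txt')` does not match the name the client used to create, `os.path.join(db.secdir, 'pwdfile.txt')` (the line removed in the `create_ipa_nssdb` hunk of this same patch; the earlier revision of the patch kept 'pwdfile.txt' here). `create_ipa_nssdb` regenerates the file, so a fresh install works, but on an existing client `ipautil.backup_file(db.password_file)` now backs up the new name rather than the file that is actually there, and the old `pwdfile.txt` with the old password is left behind in `paths.IPA_NSSDB_DIR`. Either keep 'pwdfile.txt' as the default or add an explicit migration that renames or removes the old file.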

[Freeipa-devel] [freeipa PR#461][+pushed] Bump required version of bind-dyndb-ldap to 11.0-2

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2

Label: +pushed

[Freeipa-devel] [freeipa PR#461][closed] Bump required version of bind-dyndb-ldap to 11.0-2

2017-02-14 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/461
Author: tomaskrizek
 Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/461/head:pr461
git checkout pr461

[Freeipa-devel] [freeipa PR#461][comment] Bump required version of bind-dyndb-ldap to 11.0-2

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6cb7bca68486a5ae4be6f93c1acacb7b9890ba9a
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/461#issuecomment-279721909

[Freeipa-devel] [freeipa PR#461][+ack] Bump required version of bind-dyndb-ldap to 11.0-2

2017-02-14 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/461
Title: #461: Bump required version of bind-dyndb-ldap to 11.0-2

Label: +ack

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, is there an umbrella ticket? 5959 perhaps?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-02-14 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From 8fa8a3e8d3c9532d2cb53b0cc3b75705fd9ad87b Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 1 Feb 2017 11:36:32 +0100
Subject: [PATCH 01/10] tests: tracker: Split Tracker into one-purpose Trackers

There are multiple types of entries and objects accessible in API and not all
of them have the same set of methods. Splitting Tracker into multiple trackers
should reflect this better.
---
 ipatests/test_xmlrpc/tracker/base.py | 285 +--
 1 file changed, 172 insertions(+), 113 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..8b6e97e 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -15,61 +15,7 @@
 from ipatests.util import Fuzzy
 
 
-class Tracker(object):
-"""Wraps and tracks modifications to a plugin LDAP entry object
-
-Stores a copy of state of a plugin entry object and allows checking that
-the state in the database is the same as expected.
-This allows creating independent tests: the individual tests check
-that the relevant changes have been made. At the same time
-the entry doesn't need to be recreated and cleaned up for each test.
-
-Two attributes are used for tracking: ``exists`` (true if the entry is
-supposed to exist) and ``attrs`` (a dict of LDAP attributes that are
-expected to be returned from IPA commands).
-
-For commonly used operations, there is a helper method, e.g.
-``create``, ``update``, or ``find``, that does these steps:
-
-* ensure the entry exists (or does not exist, for "create")
-* store the expected modifications
-* get the IPA command to run, and run it
-* check that the result matches the expected state
-
-Tests that require customization of these steps are expected to do them
-manually, using lower-level methods.
-Especially the first step (ensure the entry exists) is important for
-achieving independent tests.
-
-The Tracker object also stores information about the entry, e.g.
-``dn``, ``rdn`` and ``name`` which is derived from DN property.
-
-To use this class, the programer must subclass it and provide the
-implementation of following methods:
-
- * make_*_command   -- implementing the API call for particular plugin
-   and operation (add, delete, ...)
-   These methods should use the make_command method
- * check_* commands -- an assertion for a plugin command (CRUD)
- * track_create -- to make an internal representation of the
-   entry
-
-Apart from overriding these methods, the subclass must provide the
-distinguished name of the entry in `self.dn` property.
-
-It is also required to override the class variables defining the sets
-of ldap attributes/keys for these operations specific to the plugin
-being implemented. Take the host plugin test for an example.
-
-The implementation of these methods is not strictly enforced.
-A missing method will cause a NotImplementedError during runtime
-as a result.
-"""
-retrieve_keys = None
-retrieve_all_keys = None
-create_keys = None
-update_keys = None
-
+class BaseTracker(object):
 _override_me_msg = "This method needs to be overridden in a subclass"
 
 def __init__(self, default_version=None):
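Review bot: the hunk deletes the whole `Tracker` docstring (what `exists` and `attrs` track, the create/update/find helper contract, which `make_*_command`, `check_*` and `track_create` methods a subclass must provide, and the `NotImplementedError` behaviour) and `BaseTracker` gets none in its place. `_override_me_msg` and the override contract it describes are still in this class, so at least that part of the text should move to `BaseTracker`, with the rest going to whichever one-purpose tracker now owns `retrieve_keys`, `retrieve_all_keys`, `create_keys` and `update_keys`.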
@@ -78,8 +24,6 @@ def __init__(self, default_version=None):
 self._dn = None
 self.attrs = {}
 
-self.exists = False
-
 @property
 def dn(self):
 """A property containing the distinguished name of the entry."""
@@ -138,53 +82,33 @@ def make_command(self, name, *args, **options):
 return functools.partial(self.run_command, name, *args, **options)
 
 def make_fixture(self, request):
-"""Make a pytest fixture for this tracker
+"""Make fixture for the tracker
 
-The fixture ensures the plugin entry does not exist before
-and after the tests that use it.
+Don't do anything here.
 """
-del_command = self.make_delete_command()
-try:
-del_command()
-except errors.NotFound:
-pass
-
-def cleanup():
-existed = self.exists
-try:
-del_command()
-except errors.NotFound:
-if existed:
-raise
-self.exists = False
-
-request.addfinalizer(cleanup)
-
 return self
 
-def ensure_exists(self):
-"""If the entry does not exist (according to tracker state), create it
-"""
-if not self.exists:
-   
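Review bot: the new `make_fixture` docstring "Don't do anything here." explains nothing to a subclass author. Say that the base fixture deliberately performs no setup or teardown and that trackers for entries which must be absent before and after their tests are expected to override it and register a finalizer, since the removed code (the initial `del_command()` call and the `cleanup()` finalizer added with `request.addfinalizer`) is the behaviour they will need to reinstate.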

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

HonzaCholasta commented:
"""
@flo-renaud, never mind the `default_from` suggestion, I was wrong - if e.g. 
both `--certmapdata` and `--certificate` are specified, we want to use both, 
not throw away `--certificate`, which is exactly what would happen if 
`--certmapdata` had default derived from `--certificate`.

One more issue, I think the `--certmapdata` option in `user-add-certmapdata` 
and friends should actually be a positional argument, as that would be more 
consistent with existing commands. The common pattern is that positional 
arguments are used to specify the literal value of the attribute (such as 
principal name in `user-add-principal`), but options need some preprocessing 
(such as conversion from UID to DN in `group-add-member`). Currently the only 
exception to this scheme is `user-add-cert` and friends, but that's only 
because the original intent was to add a certificate file positional argument, 
but it never happened.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-279713429

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
For some commits I was sure what ticket to use, for some I was not, so I 
elected not to put a specific ticket in there. If you have a good idea of what 
ticket (of the External Authentication project) to apply to specific commits 
let me know and I can amend commit messages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, most of the commits do not have a ticket link, is this intentional?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279708615

[Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464
From 2de056524eaddf7c96e91db2f179163418009af8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Feb 2017 13:34:14 +0100
Subject: [PATCH] Bump required python-cryptography version

Since we started using 'Certificate.serial_number' instead of
'.serial' from python-cryptography, bump the required version
to the one where the above mentioned transition happened.
---
 freeipa.spec.in | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 26481ff..00dda8b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -121,8 +121,8 @@ BuildRequires:  python-cffi
 %if 0%{?with_lint}
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
-# 1.3: oldest PyPI version that still compiles with recent OpenSSL
-BuildRequires:  python-cryptography >= 1.3.1
+# 1.4: the version where Certificate.serial changed to .serial_number
+BuildRequires:  python-cryptography >= 1.4
 BuildRequires:  python-gssapi >= 1.2.0
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
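Review bot: rewriting the comment in this hunk to justify 1.4 drops the earlier note that 1.3 was the oldest PyPI release still building against recent OpenSSL; 1.4 is above that floor so the bump is safe, but both facts are worth keeping on one line, e.g. `# 1.4: Certificate.serial renamed to .serial_number (1.3: oldest release building against recent OpenSSL)`, so the next person bumping the floor knows both constraints.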
@@ -158,8 +158,8 @@ BuildRequires:  python2-jinja2
 # FIXME: this depedency is missing - server will not work
 #BuildRequires:  python3-samba
 BuildRequires:  python3-setuptools
-# 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python3-cryptography >= 1.3.1
+# 1.4: the version where Certificate.serial changed to .serial_number
+BuildRequires:  python3-cryptography >= 1.4
 BuildRequires:  python3-gssapi >= 1.2.0
 BuildRequires:  python3-pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
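Review bot: the context line `# FIXME: this depedency is missing - server will not work` directly above the changed comment carries a typo (`depedency`); since this hunk already rewrites the neighbouring comment, fixing it in the same change costs nothing and keeps the python3 block consistent with the python2 one.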
@@ -584,7 +584,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 1.3.1
+Requires: python-cryptography >= 1.4
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -634,7 +634,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.3.1
+Requires: python3-cryptography >= 1.4
 Requires: python3-netaddr
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
@@ -709,7 +709,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.3.1
+Requires: python2-cryptography >= 1.4
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
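Review bot: the tests subpackage in this hunk requires `python2-cryptography >= 1.4` while the client and server Requires in the earlier hunks use `python-cryptography >= 1.4`; both spellings pre-date this patch, but a bump that touches every occurrence is the right moment to settle on a single package name so the version floor cannot drift between them later.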
@@ -743,7 +743,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.3.1
+Requires: python3-cryptography >= 1.4
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Ok, split the last stuff into 3 commits.
I remove the use of private ccache for a few reasons:
1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up 
removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics 
and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad 
thing as it makes the code easier to read.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

HonzaCholasta commented:
"""
NACK, you didn't update the comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-279698054

[Freeipa-devel] [freeipa PR#464][opened] :arrow_up: Bump required python-cryptography version

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: :arrow_up: Bump required python-cryptography version
Action: opened

PR body:
"""
Since we started using `Certificate.serial_number` instead of `.serial` from 
python-cryptography 
(https://github.com/freeipa/freeipa/commit/3d9bec2e879d60e6bb7b2602084d3314765a6283),
 bump the required version to the one where the above mentioned transition 
happened 
(https://github.com/pyca/cryptography/commit/e295f3ab615775c3549b7bc2e051af5cff801619).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464
From ce3e60c14174e8324259c614a4b69a9a76df1113 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 14 Feb 2017 13:34:14 +0100
Subject: [PATCH] Bump required python-cryptography version

Since we started using 'Certificate.serial_number' instead of
'.serial' from python-cryptography, bump the required version
to the one where the above mentioned transition happened.
---
 freeipa.spec.in | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 26481ff..5cc76f1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -122,7 +122,7 @@ BuildRequires:  python-cffi
 BuildRequires:  samba-python
 BuildRequires:  python-setuptools
 # 1.3: oldest PyPI version that still compiles with recent OpenSSL
-BuildRequires:  python-cryptography >= 1.3.1
+BuildRequires:  python-cryptography >= 1.4
 BuildRequires:  python-gssapi >= 1.2.0
 BuildRequires:  pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
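Review bot: the comment `# 1.3: oldest PyPI version that still compiles with recent OpenSSL` above the bumped line in this hunk still explains the old 1.3.1 floor, so after this change the comment and the requirement contradict each other; the rationale from the commit message (`Certificate.serial` replaced by `.serial_number`) should be added to that comment, e.g. `# 1.4: Certificate.serial changed to .serial_number`.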
@@ -159,7 +159,7 @@ BuildRequires:  python2-jinja2
 #BuildRequires:  python3-samba
 BuildRequires:  python3-setuptools
 # 0.6: serialization.load_pem_private_key, load_pem_public_key
-BuildRequires:  python3-cryptography >= 1.3.1
+BuildRequires:  python3-cryptography >= 1.4
 BuildRequires:  python3-gssapi >= 1.2.0
 BuildRequires:  python3-pylint >= 1.0
 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
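Review bot: same problem in the python3 block of this hunk: `# 0.6: serialization.load_pem_private_key, load_pem_public_key` no longer describes why the floor is 1.4, and a reader will assume 0.6 is sufficient; update it to state the `.serial_number` requirement alongside the bump.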
@@ -584,7 +584,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography >= 1.3.1
+Requires: python-cryptography >= 1.4
 Requires: python-netaddr
 Requires: python-libipa_hbac
 Requires: python-qrcode-core >= 5.0.0
@@ -634,7 +634,7 @@ Requires: gnupg
 Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
-Requires: python3-cryptography >= 1.3.1
+Requires: python3-cryptography >= 1.4
 Requires: python3-netaddr
 Requires: python3-libipa_hbac
 Requires: python3-qrcode-core >= 5.0.0
@@ -709,7 +709,7 @@ Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
 Requires: python-sssdconfig
-Requires: python2-cryptography >= 1.3.1
+Requires: python2-cryptography >= 1.4
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -743,7 +743,7 @@ Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
 Requires: ldns-utils
 Requires: python3-sssdconfig
-Requires: python3-cryptography >= 1.3.1
+Requires: python3-cryptography >= 1.4
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,

[Freeipa-devel] [freeipa PR#464][edited] :arrow_up: Bump required python-cryptography version

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: :arrow_up: Bump required python-cryptography version
Action: edited

 Changed field: title
Original value:
"""
:arrow_up: Bump required python-cryptography version
"""


[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for 
the changes in `ipatests/util.py`, but that doesn't mean they should be in the 
same commit, as they affect every use of `RPCClient`, not just the one in the 
tests. Following your logic, the whole PR should be just a single commit, which 
would be equally wrong.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279695377

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-14 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (14/02/17 02:29), Christian Heimes wrote:
>I'm following a different design and development philosophy. In my experience 
>an iterative approach with small, incremental improvements is often better and 
>faster than striving for 100% perfect PRs. Large and feature complete PRs take 
>more time than evolutionary steps.
>

I have never written anything against this philosophy.

All small changes can make sense from a semantic point of view.
Misusing names/options for a different use-case just creates a big mess
and confuses other people.

>Please review this PR under three viewpoints:
>
>* Does it contribute to resolving ticket 
>https://fedorahosted.org/freeipa/ticket/6517 ?

client only build and --disable-server are the same thing
(at least from "make install" POV)
I have never required changes to the spec file.

>* Does it enable future changes to solve the ticket?

If you will not install ipatests (if there is a way to not
install ipatest) then it will enable future changes to solve the ticket.

Because solving ticket6517 would be just writing the right spec file.

ATM it does not enable future changes to solve the ticket.

>* Does it break any code or feature that is currently present? [1]

Yes, it installs server-related options even though they should not be installed

Summary: You should realize that the name of PR is
"Client-only builds with --disable-server" and your use-case is not pure
client only build.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279693909

[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

2017-02-14 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From 0524479852c48de7b70db8a37c0fdc8673ea1557 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH 1/5] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 211 +++--
 ipaserver/rpcserver.py |   7 +-
 2 files changed, 134 insertions(+), 84 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7d9f6ec..6cad397 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -51,7 +51,7 @@
 from ipalib.backend import Connectible
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 from ipalib.errors import (public_errors, UnknownError, NetworkError,
-KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
+KerberosError, XMLRPCMarshallError, JSONError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
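Review bot: dropping `ConversionError` from the `ipalib.errors` import in this hunk is only safe if no code path left in `ipalib/rpc.py` still raises or catches it; the rest of the patch is not visible here, so please confirm there is no remaining reference before merging, otherwise the module will fail with a NameError at the point of use rather than at import time.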
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use issubclass to check for registered ABCs
+for c in self:
+if issubclass(typ, c):
+self[typ] = self[c]
+return 
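Review bot: the docstring removed together with `json_encode_binary` in this hunk was the only place describing the `{'__base64__': base64_encoding_of_binary_value}` wire form for binary values, and nothing in the visible part of the hunk (it is cut off after `return`) restores it; since the client side relies on that exact shape, `_JSONConverter` should carry that description in its own docstring. Also worth documenting there: `_identity` is a plain `object()` sentinel, not a callable, so whoever looks up a converter in this dict must compare against it with `is` instead of calling the result.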

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
We actually record the principal, change the patch to destroy session_cookie in 
create_connection if the principal is different.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py; 
it makes no sense to keep them separate, as in each patch I add, respectively to 
connect() and disconnect(), arguments that are used in ipatest/util.py

As for resetting session_cookie when the principal changes, I am all for it, 
except we do not record the principal in the rpc context ...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

HonzaCholasta commented:
"""
The format could be nicer though - suggestions are welcome.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279689307

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-02-14 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

flo-renaud commented:
"""
Hi @HonzaCholasta,
PR updated with most of your comments, except the suggestion to use 
default_from. Please see my answer inline for this one.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-279689115

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

MartinBasti commented:
"""
Awesome then
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279689037

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

HonzaCholasta commented:
"""
You can, using:
```
ipaclient/install/
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279688754
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#459][comment] [WIP] Faster JSON encoder/decoder

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/459
Title: #459: [WIP] Faster JSON encoder/decoder

MartinBasti commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/459#issuecomment-279688053

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

MartinBasti commented:
"""
In this case:
```
   ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver,
   ipaclient/install/:ipaserver,
```

`ipaclient/install` allows importing everything but `ipaserver`, but I cannot 
currently specify a rule that allows `ipaclient/install` to import everything 
(including `ipaserver`)

But as I said this is a corner case, should be done when needed

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279681262
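As an added example (not the project's `pylint_plugins` code), a small resolver for rules of the shape quoted in the comment above, assuming longest-prefix matching so that `ipaclient/install/` overrides `ipaclient/`, and, as a hypothetical extension covering the corner case raised here, that a prefix with an empty forbidden list allows everything:

```python
"""Illustrative resolver for forbidden-import rules of the form quoted above.

Added example, not FreeIPA's pylint_plugins.  Assumptions:
  * rule syntax is `<path prefix>:<forbidden module>:<forbidden module>...,`
  * the longest matching path prefix wins, so a subdirectory rule replaces
    (does not merge with) the rule of its parent directory
  * hypothetical extension: a prefix with no forbidden modules allows all
    imports, which is the case the thread says cannot currently be expressed
"""
from typing import Dict, List, Optional, Tuple

# Constructed rule text, copied from the two lines quoted in the comment.
RULES_TEXT = """
ipaclient/:ipaclient.install:ipalib.install:ipaplatform:ipaserver,
ipaclient/install/:ipaserver,
"""


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Map each path prefix to the module prefixes files under it may not import.

    Rules are comma-separated; inside a rule the first field is the path
    prefix and the remaining fields are forbidden modules.  An empty list
    means "no restriction" (assumption, see module docstring).
    """
    rules: Dict[str, List[str]] = {}
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        path, *forbidden = entry.split(":")
        rules[path] = [m.strip() for m in forbidden if m.strip()]
    return rules


def matching_prefix(rules: Dict[str, List[str]], filepath: str) -> Optional[str]:
    """Return the longest rule prefix that matches filepath, or None."""
    candidates = [p for p in rules if filepath.startswith(p)]
    return max(candidates, key=len) if candidates else None


def is_forbidden(rules: Dict[str, List[str]], filepath: str,
                 module: str) -> Tuple[bool, Optional[str]]:
    """Decide whether the file at filepath may import module.

    Returns (forbidden, prefix) where prefix is the rule that decided it
    (None when no rule applies).  A forbidden entry matches the module
    itself and every submodule below it, but not a mere name prefix
    (`ipaserver` bans `ipaserver.install`, not `ipaservers`).
    """
    prefix = matching_prefix(rules, filepath)
    if prefix is None:
        return False, None
    for banned in rules[prefix]:
        if module == banned or module.startswith(banned + "."):
            return True, prefix
    return False, prefix


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    checks = [
        # banned by the ipaclient/ rule
        ("ipaclient/csrgen.py", "ipaplatform.paths"),
        # banned by the more specific ipaclient/install/ rule
        ("ipaclient/install/ipa_certupdate.py", "ipaserver.install"),
        # allowed: the subdirectory rule overrides the parent rule
        ("ipaclient/install/client.py", "ipaplatform.paths"),
    ]
    for path, mod in checks:
        print(path, mod, is_forbidden(rules, path, mod))
```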

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

HonzaCholasta commented:
"""
I don't know what you mean, could you give me an example?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279678738

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

MartinBasti commented:
"""
Ok, this will not work if ipaclient/submodule allows importing any module, but 
it seems OK to me for now, can be improved when needed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279678379

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

HonzaCholasta commented:
"""
@MartinBasti, this issue is already solved in the PR without using regular 
expressions. See `pylintrc` for example.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279676848

[Freeipa-devel] [freeipa PR#463][comment] pylint_plugins: add forbidden import checker

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/463
Title: #463: pylint_plugins: add forbidden import checker

MartinBasti commented:
"""
> Can you turn module matching into a regular expression? We need bit more 
> advanced checks, e.g. ipalib should not import from ipaplatform except for 
> modules in ipalib.install.

How can the issue mentioned by @tiran be solved in this PR? Should regexp be 
used or allow rules added?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/463#issuecomment-279676228

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-02-14 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I don't think this is the correct approach. Rather than deleting 
`context.session_cookie` in `RPCClient.destroy_connection()` when requested, it 
should be done automatically in `RPCClient.create_connection()` when the 
principal name in the ccache is different from the principal name of the cookie.

Also, IMHO it would be preferable to keep the changes in `ipatest/util.py` in a 
separate commit and not mix them with the generic changes not related only to 
tests in `ipalib/rpc.py`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-279675537

[Freeipa-devel] [freeipa PR#463][synchronized] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/463
Author: HonzaCholasta
 Title: #463: pylint_plugins: add forbidden import checker
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/463/head:pr463
git checkout pr463
From 82af6b07e922f4cad625ab31b91f65cf804a9858 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 14 Feb 2017 09:58:44 +0100
Subject: [PATCH] pylint_plugins: add forbidden import checker

Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.
---
 Makefile.am  |  4 +-
 ipaclient/csrgen.py  |  2 +-
 ipaclient/install/ipa_certupdate.py  |  4 +-
 ipaclient/remote_plugins/__init__.py |  4 +-
 ipalib/__init__.py   |  8 +++-
 ipaplatform/base/services.py |  4 +-
 ipaplatform/debian/services.py   |  2 +
 ipaplatform/redhat/services.py   |  2 +
 ipaplatform/redhat/tasks.py  |  2 +
 ipapython/certdb.py  |  6 ++-
 ipapython/cookie.py  |  2 +
 ipapython/dogtag.py  |  2 +
 ipapython/ipaldap.py |  2 +
 pylint_plugins.py| 82 +++-
 pylintrc | 15 ++-
 15 files changed, 129 insertions(+), 12 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 9bfc899..bb6e480 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -164,7 +164,9 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
-		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+		--rcfile=$(top_srcdir)/pylintrc \
+		--load-plugins pylint_plugins \
+		$${FILES}
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
diff --git a/ipaclient/csrgen.py b/ipaclient/csrgen.py
index 96100ae..828ab43 100644
--- a/ipaclient/csrgen.py
+++ b/ipaclient/csrgen.py
@@ -15,7 +15,7 @@
 
 from ipalib import errors
 from ipalib.text import _
-from ipaplatform.paths import paths
+from ipaplatform.paths import paths # pylint: disable=ipa-forbidden-import
 from ipapython.ipa_log_manager import log_mgr
 
 if six.PY3:
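Review bot: style point on the changed line in this hunk: `from ipaplatform.paths import paths # pylint: disable=ipa-forbidden-import` has a single space before the inline comment, while the rest of the code base (see `from ipaserver import plugins  # pylint: disable=import-error` in the remote_plugins hunk of this same patch) uses the PEP 8 two-space separation; please align it.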
diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index 75c5d97..d6ffbde 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -100,9 +100,9 @@ def run(self):
 if server_fstore.has_files():
 self.update_server(certs)
 try:
-# pylint: disable=import-error
+# pylint: disable=import-error,ipa-forbidden-import
 from ipaserver.install import cainstance
-# pylint: enable=import-error
+# pylint: enable=import-error,ipa-forbidden-import
 cainstance.add_lightweight_ca_tracking_requests(
 self.log, lwcas)
 except Exception:
diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py
index da7004d..037dd6f 100644
--- a/ipaclient/remote_plugins/__init__.py
+++ b/ipaclient/remote_plugins/__init__.py
@@ -109,7 +109,9 @@ def is_valid(self):
 
 def get_package(api):
 if api.env.in_tree:
-from ipaserver import plugins  # pylint: disable=import-error
+# pylint: disable=import-error,ipa-forbidden-import
+from ipaserver import plugins
+# pylint: enable=import-error,ipa-forbidden-import
 else:
 try:
 plugins = api._remote_plugins
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index 544fcf2..16f90c3 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -935,7 +935,9 @@ class API(plugable.API):
 @property
 def packages(self):
 if self.env.in_server:
-import ipaserver.plugins  # pylint: disable=import-error
+# pylint: disable=import-error,ipa-forbidden-import
+import ipaserver.plugins
+# pylint: enable=import-error,ipa-forbidden-import
 result = (
 ipaserver.plugins,
 )
@@ -948,7 +950,9 @@ def packages(self):
 )
 
 if self.env.context in ('installer', 'updates'):
-import ipaserver.install.plugins  # pylint: disable=import-error
+# pylint: disable=import-error,ipa-forbidden-import
+import ipaserver.install.plugins
+# pylint: enable=import-error,ipa-forbidden-import
 result += (ipaserver.install.plugins,)
 
 return result
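Review bot: the two `ipaserver` imports suppressed in this file (here and in the previous hunk) are exactly the client/server boundary crossings the new checker exists to flag, and the commit message only says existing violations are disabled; a one-line comment or ticket reference next to each `# pylint: disable=...ipa-forbidden-import` block would record them as tracked debt rather than permanent exceptions, otherwise the suppressions tend to be copied into new code.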
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 9c9a5ae..ae7c777 100644
--- 

[Freeipa-devel] [freeipa PR#462][+rejected] [WIP] pylint: add custom check for forbidden imports

2017-02-14 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/462
Title: #462: [WIP] pylint: add custom check for forbidden imports

Label: +rejected

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-14 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I'm following a different design and development philosophy. In my experience 
an iterative approach with small, incremental improvements is often better and 
faster than striving for 100% perfect PRs. Large and feature complete PRs take 
more time than evolutionary steps.

Your objection regarding semantics is valid for the ticket, but not necessarily 
valid for this PR, as this PR only addresses a part of the problem. I don't 
dispute that your proposed changes to the spec file are necessary. However, I 
argue for a separate PR. I'm not an expert in RPM packaging and I'd rather let 
somebody else figure out the appropriate way to deal with client-only 
packaging. ipatests is yet another problem that should be solved in a third PR. 
Ticket https://fedorahosted.org/freeipa/ticket/6517 does not have to be, and in 
fact should not be, solved in one PR.

Please review this PR under three viewpoints:

* Does it contribute to resolving ticket 
https://fedorahosted.org/freeipa/ticket/6517 ?
* Does it enable future changes to solve the ticket?
* Does it break any code or feature that is currently present? [1]

[1] client-only packaging is currently not available
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-279669097
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#463][opened] pylint_plugins: add forbidden import checker

2017-02-14 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/463
Author: HonzaCholasta
 Title: #463: pylint_plugins: add forbidden import checker
Action: opened

PR body:
"""
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Supersedes @MartinBasti's PR #462.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/463/head:pr463
git checkout pr463
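The PR body above describes a pylint AST checker whose forbidden-import list is configured in pylintrc and which honours the usual `# pylint: disable=ipa-forbidden-import` pragmas (the hunks earlier in this digest add exactly those). The following is an added example and not the plugin from PR #463 or any FreeIPA code: it implements the same check as a stand-alone walk over the module AST using only the standard library, so it can be run without pylint. The package rules in `FORBIDDEN`, the `check_module()` function and the sample module are all assumptions constructed here to mirror the client/server split discussed in the thread.

```python
"""Stand-in for a forbidden-import checker (added example, not the project's
pylint plugin). Walks a module's AST with the standard library and reports
imports that the owning package is not allowed to make."""
import ast
import re
from typing import List, Set, Tuple

# Assumed policy (the real project keeps this in pylintrc; these values are
# constructed for the example): package -> import prefixes it must not use.
FORBIDDEN = {
    "ipaclient": ("ipaserver", "ipaplatform.base.services"),
    "ipalib": ("ipaserver",),
    "ipapython": ("ipaserver", "ipalib"),
}

CHECK_NAME = "ipa-forbidden-import"
# Matches `# pylint: disable=a,b` and `# pylint: enable=a,b` anywhere on a line.
PRAGMA_RE = re.compile(r"#\s*pylint:\s*(disable|enable)=([\w,\s-]+)")


def _imported_names(node: ast.AST) -> List[str]:
    """Module names pulled in by an Import/ImportFrom node (else nothing)."""
    if isinstance(node, ast.Import):
        return [alias.name for alias in node.names]
    if isinstance(node, ast.ImportFrom):
        if node.level:  # relative import: stays inside the same package
            return []
        return [node.module or ""]
    return []


def _suppressed_lines(source: str) -> Set[int]:
    """Line numbers on which the check is switched off by a pragma.

    A trailing `# pylint: disable=...` silences its own line only; a pragma on
    a line of its own silences everything up to the matching `enable`.
    """
    suppressed = set()
    block_active = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        own_line = line.lstrip().startswith("#")
        if block_active:
            suppressed.add(lineno)
        for match in PRAGMA_RE.finditer(line):
            names = {n.strip() for n in match.group(2).split(",")}
            if CHECK_NAME not in names:
                continue
            if match.group(1) == "disable":
                if own_line:
                    block_active = True
                else:
                    suppressed.add(lineno)
            else:
                block_active = False
    return suppressed


def check_module(package: str, source: str) -> List[Tuple[int, str]]:
    """Return (line, module) for each forbidden, unsuppressed import.

    `package` is the top-level package the file belongs to, e.g. "ipaclient".
    """
    rules = FORBIDDEN.get(package, ())
    suppressed = _suppressed_lines(source)
    findings = []
    for node in ast.walk(ast.parse(source)):
        for name in _imported_names(node):
            if node.lineno in suppressed:
                continue
            if any(name == r or name.startswith(r + ".") for r in rules):
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module, as if it lived under ipaclient/.
SAMPLE = """\
import os
from ipaclient.install import client
import ipaserver.plugins  # pylint: disable=import-error,ipa-forbidden-import
from ipaserver.install import cainstance
# pylint: disable=ipa-forbidden-import
import ipaserver.install.plugins
# pylint: enable=ipa-forbidden-import
from ipaplatform.base.services import knownservices
from . import sibling
"""

if __name__ == "__main__":
    for lineno, module in check_module("ipaclient", SAMPLE):
        print("line %d: forbidden import of %s" % (lineno, module))
```

Lines 3 and 6 of the sample are silenced by the two pragma forms seen in the hunks above, so only lines 4 and 8 are reported for an `ipaclient` module; the same source checked as `ipalib` reports only line 4, because the assumed policy for ipalib does not forbid `ipaplatform.base.services`.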

[Freeipa-devel] [freeipa PR#410][+ack] ipa-kdb: support KDB DAL version 6.1

2017-02-14 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/410
Title: #410: ipa-kdb: support KDB DAL version 6.1

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

tomaskrizek commented:
"""
@pemensik Thanks for review!
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650948
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#9][+pushed] Remove duplicate const declaration specifier

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#9][closed] Remove duplicate const declaration specifier

2017-02-14 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Author: tomaskrizek
 Title: #9: Remove duplicate const declaration specifier
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/9/head:pr9
git checkout pr9
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#9][comment] Remove duplicate const declaration specifier

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

tomaskrizek commented:
"""
Fixed upstream.

master

- f76ca3b3a4c2c030071dd23c706d8cc06e1fa2a9
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/9#issuecomment-279650750
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][reopened] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#9][+ack] Remove duplicate const declaration specifier

2017-02-14 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/9
Title: #9: Remove duplicate const declaration specifier

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][closed] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][synchronized] No NSS database passwords in ipa-client-install

2017-02-14 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: No NSS database passwords in ipa-client-install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 29effa5d373340923382a508afc0e6b8545dd427 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/3] Add password to certutil calls in NSSDatabase

NSSDatabases should have the ability to run certutil with
a password if location of the file containing it is known.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck | 11 +++
 ipaclient/install/client.py | 14 ++
 ipapython/certdb.py | 19 +--
 ipaserver/install/cainstance.py | 18 ++
 ipaserver/install/certs.py  |  2 +-
 ipaserver/install/installutils.py   | 18 --
 ipaserver/install/ipa_cacert_manage.py  |  8 
 ipaserver/install/ipa_server_certinstall.py |  7 +++
 ipaserver/install/kra.py|  7 ---
 9 files changed, 60 insertions(+), 44 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..896fddc 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,9 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_passwd_file(
+ipautil.ipa_generate_password())
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
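Review bot: the removed `ipautil.write_tmp_file(password)` object took its file with it when it went out of scope, whereas `nss_db.create_passwd_file(...)` writes the password into the database's own password file (by default `passwd.txt` under `secdir`, per the certdb hunk further down); please confirm that `NSSDatabase.close()` at the end of this `with` block removes that file too, otherwise the conncheck tool leaves the NSS database password on disk after it exits.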
@@ -555,8 +552,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
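Review bot: with `nss_dir = nss_db.secdir` gone from the previous hunk and the `else: nss_dir = None` branch removed here, `nss_dir` now keeps whatever value it had before the `with` block in both cases; check every later use of `nss_dir` in `main()` (the `api.bootstrap(...)` call that follows and anything after it) still gets the intended value when `--ca-cert-file` is not given, since the old code deliberately reset it to `None` in that case.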
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index aa3449c..1b75f49 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2289,18 +2289,16 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
 
-ipautil.backup_file(pwdfile)
+ipautil.backup_file(db.password_file)
 ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
 ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
 
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
+db.create_passwd_file(ipautil.ipa_generate_password())
+os.chmod(db.password_file, 0o600)
 
-db.create_db(pwdfile)
+db.create_db()
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
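Review bot: `ipautil.backup_file(db.password_file)` now refers to certdb's default `passwd.txt`, while the removed line used `pwdfile.txt` in the same directory, so on an already-enrolled client the old `pwdfile.txt` is neither backed up nor replaced and anything else that reads `pwdfile.txt` keeps using a stale file; either keep the old name by constructing `certdb.NSSDatabase(paths.IPA_NSSDB_DIR, password_file=os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt'))` via the new constructor argument, or handle the rename explicitly on upgrade. Separately, `db.create_passwd_file(...)` followed by `os.chmod(db.password_file, 0o600)` leaves a window in which the password file exists with the umask-derived mode; creating it with an explicit `0o600` inside `create_passwd_file()` would close that window and make the `chmod` here unnecessary.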
@@ -2672,8 +2670,8 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_passwd_file(ipautil.ipa_generate_password())
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
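Review bot: unlike `create_ipa_nssdb()` above, this call site does no `chmod` after `tmp_db.create_passwd_file(...)`, and the password now lands in `tmp_db.secdir` rather than in a `write_tmp_file` temporary; if `create_passwd_file()` does not itself create the file with mode `0o600` (its body is not part of this patch), the temporary database's password is readable according to the process umask until the directory is cleaned up. Having the method enforce the mode would make both call sites consistent.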
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 9481326..9493118 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -83,13 +83,17 @@ class NSSDatabase(object):
 # got too tied to IPA server details, killing reusability.
 # BaseCertDB is a class that knows nothing about IPA.
 # Generic NSS DB code should be moved here.
-def __init__(self, nssdir=None):
+def __init__(self, nssdir=None, password_file=None):
 if nssdir is None:
 self.secdir = tempfile.mkdtemp()
 self._is_temporary = True
 else:
 self.secdir = nssdir
 self._is_temporary = False
+if password_file is None:
+self.password_file = os.path.join(self.secdir, 'passwd.txt')
+else:
+self.password_file = password_file
 
 def close(self):
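Review bot: the new `password_file` parameter is undocumented; the comment block above `__init__` should say that `create_db()` and the certutil calls read the token password from this file, that it defaults to `passwd.txt` inside `secdir`, and that a caller who passes its own path is responsible for that file's permissions and cleanup. With the default location the password file sits next to `key3.db`, so directory permissions alone separate the key database from the secret that unlocks it, which deserves a sentence as well.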

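The patch above moves the NSS password from a throwaway `write_tmp_file` into a persistent `passwd.txt` next to the key database, and one call site creates it and only then calls `os.chmod(..., 0o600)`. The following is an added example, not `NSSDatabase.create_passwd_file()` from the patch (whose body is not on this page) or any other FreeIPA code: it shows how such a file can be created so that it never exists with a wider mode than `0600`, and how an existing one can be replaced without a partial-content window. The function names, the `secdir` layout and the sample passwords are assumptions constructed for the example.

```python
"""Added example: create and rotate an NSS database password file without a
permission window. Not the project's NSSDatabase code; names are assumed."""
import os
import stat
import tempfile


def write_password_file(path: str, password: str) -> int:
    """Create `path` holding `password`, mode 0600 from the first byte.

    O_CREAT|O_EXCL with an explicit 0o600 mode means the file is created
    private (a umask can only clear bits, never add them) and that an
    existing file is never silently overwritten, unlike the open/write/chmod
    sequence where a reader could race the chmod. Returns the final mode.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, password.encode("utf-8"))
        os.fchmod(fd, 0o600)  # pin the mode even under an unusual umask
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def replace_password_file(path: str, password: str) -> int:
    """Atomically replace the contents of an existing password file.

    The new content goes to a same-directory temp file (mkstemp creates it
    0600 and exclusively) and is renamed over the target, so readers see
    either the old or the new password, never a truncated file.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwd-")
    try:
        os.write(fd, password.encode("utf-8"))
        os.fchmod(fd, 0o600)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)  # atomic rename on POSIX
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Exercise both helpers in a throwaway directory standing in for secdir.

    Returns (mode after create, whether a second create clobbered the file,
    mode after rotation, final content).
    """
    secdir = tempfile.mkdtemp()
    path = os.path.join(secdir, "passwd.txt")
    mode_first = write_password_file(path, "constructed-example-secret")
    try:
        write_password_file(path, "second-writer")
        clobbered = True
    except FileExistsError:
        clobbered = False
    mode_after = replace_password_file(path, "rotated-secret")
    with open(path) as fh:
        content = fh.read()
    return mode_first, clobbered, mode_after, content


if __name__ == "__main__":
    print(demo())
```

The second `write_password_file()` call in `demo()` fails with `FileExistsError` rather than overwriting the file, which is the behaviour a first-time installer wants; rotation goes through `replace_password_file()` instead.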
[Freeipa-devel] [freeipa PR#459][synchronized] [WIP] Faster JSON encoder/decoder

2017-02-14 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/459
Author: tiran
 Title: #459: [WIP] Faster JSON encoder/decoder
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/459/head:pr459
git checkout pr459
From e685e106dbcfb54d1651c97d6a07a17c3417127f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 13 Feb 2017 09:46:39 +0100
Subject: [PATCH 1/4] Faster JSON encoder/decoder

Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes 
---
 ipalib/rpc.py  | 211 +++--
 ipaserver/rpcserver.py |   7 +-
 2 files changed, 134 insertions(+), 84 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 7d9f6ec..6cad397 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -51,7 +51,7 @@
 from ipalib.backend import Connectible
 from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
 from ipalib.errors import (public_errors, UnknownError, NetworkError,
-KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
+KerberosError, XMLRPCMarshallError, JSONError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipapython.ipa_log_manager import root_logger
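Review bot: `ConversionError` is dropped from the import list; confirm that no remaining code in `ipalib/rpc.py` still references it, because a leftover use would only surface at runtime as a `NameError` on an error path rather than at import time.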
@@ -274,67 +274,140 @@ def xml_dumps(params, version, methodname=None, methodresponse=False,
 )
 
 
-def json_encode_binary(val, version):
-'''
-   JSON cannot encode binary values. We encode binary values in Python str
-   objects and text in Python unicode objects. In order to allow a binary
-   object to be passed through JSON we base64 encode it thus converting it to
-   text which JSON can transport. To assure we recognize the value is a base64
-   encoded representation of the original binary value and not confuse it with
-   other text we convert the binary value to a dict in this form:
-
-   {'__base64__' : base64_encoding_of_binary_value}
-
-   This modification of the original input value cannot be done "in place" as
-   one might first assume (e.g. replacing any binary items in a container
-   (e.g. list, tuple, dict) with the base64 dict because the container might be
-   an immutable object (i.e. a tuple). Therefore this function returns a copy
-   of any container objects it encounters with tuples replaced by lists. This
-   is O.K. because the JSON encoding will map both lists and tuples to JSON
-   arrays.
-   '''
-
-if isinstance(val, dict):
-new_dict = {}
-for k, v in val.items():
-new_dict[k] = json_encode_binary(v, version)
-return new_dict
-elif isinstance(val, (list, tuple)):
-new_list = [json_encode_binary(v, version) for v in val]
-return new_list
-elif isinstance(val, bytes):
-encoded = base64.b64encode(val)
-if not six.PY2:
-encoded = encoded.decode('ascii')
-return {'__base64__': encoded}
-elif isinstance(val, Decimal):
-return unicode(val)
-elif isinstance(val, DN):
-return str(val)
-elif isinstance(val, datetime.datetime):
-if capabilities.client_has_capability(version, 'datetime_values'):
+class _JSONConverter(dict):
+__slots__ = ('version', '_cap_datetime', '_cap_dnsname')
+
+_identity = object()
+
+def __init__(self, version, _identity=_identity):
+super(_JSONConverter, self).__init__()
+self.version = version
+self._cap_datetime = None
+self._cap_dnsname = None
+self.update({
+unicode: _identity,
+bool: _identity,
+type(None): _identity,
+float: _identity,
+Decimal: unicode,
+DN: str,
+Principal: unicode,
+DNSName: self._enc_dnsname,
+datetime.datetime: self._enc_datetime,
+bytes: self._enc_bytes,
+list: self._enc_list,
+tuple: self._enc_list,
+dict: self._enc_dict,
+})
+# int, long
+for t in six.integer_types:
+self[t] = _identity
+
+def __missing__(self, typ):
+# walk MRO to find best match
+for c in typ.__mro__:
+if c in self:
+self[typ] = self[c]
+return self[c]
+# use issubclass to check for registered ABCs
+for c in self:
+if issubclass(typ, c):
+self[typ] = self[c]
+return 
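Review bot: the docstring removed with `json_encode_binary()` was the only place describing the `{'__base64__': ...}` wrapping and why containers are copied rather than modified in place (tuples are immutable); that is a wire-format commitment clients rely on, so the text should move to the `_JSONConverter` class or the `_enc_bytes` docstring instead of disappearing. Also, `__missing__` caches MRO lookups in the instance dict, but if a fresh `_JSONConverter(version)` is built per conversion (the constructor takes the per-client `version`), that cache is thrown away every time; keeping the type table at class level and only `version` and the capability flags per instance would let it pay off. Finally, assigning `self[typ]` inside `for c in self` is safe only because the loop returns immediately after the assignment; a short comment there would keep the next reader from flagging it as mutation during iteration.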

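The commit message of PR #459 describes replacing a chain of `isinstance()` checks with an O(1) lookup keyed by type, falling back to the MRO for subclasses, and using the decoder's `object_hook` so the object tree is traversed once. The following is an added example illustrating that design on Python 3; it is not the code in `ipalib/rpc.py` and omits the IPA-specific types (`DN`, `Principal`, `DNSName`) and the capability negotiation. The `Converter` class, its handlers, the `__datetime__` wrapper and the sample payload are assumptions made for the example; the `{"__base64__": ...}` wrapping follows the convention the removed docstring described.

```python
"""Added example of a type-dispatch JSON encoder with an MRO fallback and the
matching object_hook decoder. Constructed illustration, not ipalib/rpc.py."""
import base64
import datetime
import json
from decimal import Decimal

IDENTITY = object()  # sentinel: the value is already JSON-serialisable
DT_FORMAT = "%Y%m%d%H%M%SZ"


class Converter(dict):
    """Maps a Python type to an encoder; unknown types are resolved through
    the MRO once and then cached in the dict itself."""

    def __init__(self, datetime_values=True):
        super().__init__()
        self.datetime_values = datetime_values  # stands in for a client capability
        self.update({
            str: IDENTITY, bool: IDENTITY, int: IDENTITY, float: IDENTITY,
            type(None): IDENTITY,
            Decimal: str,
            bytes: self._enc_bytes,
            datetime.datetime: self._enc_datetime,
            list: self._enc_list, tuple: self._enc_list,
            dict: self._enc_dict,
        })

    def __missing__(self, typ):
        # `in` and indexing of known keys do not re-enter __missing__, and the
        # loop returns right after the assignment, so caching here is safe.
        for cls in typ.__mro__:
            if cls in self:
                self[typ] = self[cls]
                return self[cls]
        raise TypeError("no JSON encoding for %r" % (typ,))

    def convert(self, value):
        enc = self[type(value)]
        return value if enc is IDENTITY else enc(value)

    def _enc_bytes(self, value):
        # Wire convention: binary travels as {"__base64__": "<base64 text>"}
        return {"__base64__": base64.b64encode(value).decode("ascii")}

    def _enc_datetime(self, value):
        if self.datetime_values:
            return {"__datetime__": value.strftime(DT_FORMAT)}
        return value.strftime(DT_FORMAT)  # legacy clients get a plain string

    def _enc_list(self, value):
        return [self.convert(v) for v in value]  # tuples become lists

    def _enc_dict(self, value):
        return {k: self.convert(v) for k, v in value.items()}


def decode_hook(obj):
    """json.loads object_hook: unwrap marker dicts during the single decode pass."""
    if len(obj) == 1:
        if "__base64__" in obj:
            return base64.b64decode(obj["__base64__"])
        if "__datetime__" in obj:
            return datetime.datetime.strptime(obj["__datetime__"], DT_FORMAT)
    return obj


def dumps(value, datetime_values=True):
    # No indent and no sort_keys: both force json's pure-Python slow path.
    return json.dumps(Converter(datetime_values).convert(value))


def loads(text):
    return json.loads(text, object_hook=decode_hook)


def lookup_is_cached():
    """Show the MRO fallback: a bytes subclass is resolved once, then cached."""
    class Blob(bytes):
        pass
    conv = Converter()
    before = Blob in conv
    conv.convert(Blob(b"x"))
    return before, Blob in conv  # (False, True)


def roundtrip_demo():
    """Encode a constructed payload and decode it again in one pass."""
    payload = {
        "cert": b"\x30\x82\x01",  # constructed DER-looking bytes
        "count": 3,
        "price": Decimal("1.50"),
        "when": datetime.datetime(2017, 2, 14, 9, 46, 39),
        "tags": ("a", "b"),
    }
    return loads(dumps(payload))


if __name__ == "__main__":
    print(roundtrip_demo(), lookup_is_cached())
```

After the round trip `cert` is bytes again, `when` is a `datetime`, the tuple has become a list, and `price` is the string the encoder produced for the `Decimal`, which is why the real encoder needs the `version` check: a client that does not advertise the `datetime_values` capability only ever sees the plain string form.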
[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-02-14 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

abbra commented:
"""
Sorry for another delay too. We have discussed this proposal again and would 
like to have an ipa-advise implementation instead of IPA CLI command. There are 
multiple reasons for this:

* If an IPA CLI implementation would be done, from your last comment it looks 
like you would be interested in supplying a generated password to another IPA 
command call, like 'ipa passwd'. However, to get access to password policy 
object, one has to have administrative privileges, while it is supposed that 
'ipa passwd' command is executed under user privileges. Thus, 'ipa foobar 
--generate | ipa passwd' is not possible as that would require two different 
auth identities run in the same session space.
* Implementation that only uses user's identity will see no password policy 
settings at all. Thus it would not be able to follow any specific password 
policy.
* Existing 'ipa user-add --random' and 'ipa host-add --random' which set 
user/host password to a random value apply to situations where the passwords 
are of one-time use and will get changed on the first use.
* Any administratively set password for IPA users will cause its change on the 
first authentication attempt. This is not going to change. Thus, setting a 
generated password as administrator is not going to honor the password that was 
just set. As a result, a sequence of events "administrator calls IPA CLI to 
generate password and then sets this password to a user" is not going to work 
in practice to retain the generated password.
* For system accounts we want to have an overall proper management. When it is 
implemented, we can add there an option to generate passwords. Given that 
system accounts aren't handled by the IPA framework right now, the source of a 
policy compliant password can be anything, as adding the account is done 
externally (via ldapadd/ldapmodify) with administrative privileges.

Thus, we'd still prefer to use 'ipa-advise' plugin approach. A script that 
'ipa-advise' would generate, can be run on any machine. If it couldn't be run 
on the target machine, it can always be run on an IPA client. An important part 
of this solution is that 'ipa-advise' plugins can be run with administrative 
privileges (ipa-advise is always run as root) and thus can read password policy 
settings for a specific user (or a specific password policy).


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/403#issuecomment-279634244
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code