Re: [Freeipa-devel] Karma Requests for ldapjdk-4.19-1 and tomcatjss-7.2.0-1

2017-03-13 Thread Matthew Harmsen 

On 03/12/2017 11:39 PM, Matthew Harmsen wrote:


*The following updated candidate builds of ldapjdk 4.19 and tomcatjss 
7.2.0 were generated:*


  * *Fedora 25:*
  o *ldapjdk-4.19-1.fc25
*
  o *tomcatjss-7.2.0-1.fc25

*
  * *Fedora 26:*
  o *ldapjdk-4.19-1.fc26
*
  o *tomcatjss-7.2.0-1.fc26

*
  * *Fedora 27:*
  o *ldapjdk-4.19-1.fc27
*
  o *tomcatjss-7.2.0-1.fc27

*

*These builds address the following Bugs and Pagure Issues:*

  * *Bugzilla Bug #1382856 - ldapjdk fails to parse ldap url with no
host:port *
  * *Bugzilla Bug #1394372 - Rebase ldapjdk to 4.19
*
  * *tomcatjss Pagure Issue #6 - Rebase tomcatjss to 7.2.0 in Fedora
25+ *

*Please provide Karma for the following builds:*

  * *Fedora 25:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-6559356a15
 ldapjdk-4.19-1.fc25*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-39eb143dc7
tomcatjss-7.2.0-1.fc25

*
  * *Fedora 26:*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-d10f519981
ldapjdk-4.19-1.fc26
*
  o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-a6d36fe632
tomcatjss-7.2.0-1.fc26

*

A problem was discovered in which the tomcatjss.spec file was embedded 
inside the tomcatjss tarball; this was fixed, the tarball was
republished, all packages were rebuilt, and new builds were submitted to 
bodhi:


*The following updated candidate builds of tomcatjss 7.2.0 were 
regenerated:*


 * *Fedora 25:*
 o *tomcatjss-7.2.0-2.fc25
   
   *
 * *Fedora 26:*
 o *tomcatjss-7.2.0-2.fc26
   
   *
 * *Fedora 27:*
 o *tomcatjss-7.2.0-2.fc27
   
   *

*Please provide Karma for the following builds:*

 * *Fedora 25:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-2fc4861133
 tomcatjss-7.2.0-2.fc25
   *
 * *Fedora 26:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cd38eab18
   tomcatjss-7.2.0-2.fc26
   
   *

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

MartinBasti commented:
"""
I would rather focus on why `principal_obj` is not defined there
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/578#issuecomment-286216443
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

stlaz commented:
"""
My wild guess is that it might be caused by ba3c201a but not by this patchset 
as it does not touch it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/574#issuecomment-286212984
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#578][comment] Coverity: fix bad use of null-like value in cert.py

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/578
Title: #578: Coverity: fix bad use of null-like value in cert.py

stlaz commented:
"""
Shame on you, @tomaskrizek 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/578#issuecomment-286204648
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#574][comment] ipa-replica-prepare fix

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/574
Title: #574: ipa-replica-prepare fix

stlaz commented:
"""
Very unlikely but I'll investigate.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/574#issuecomment-286204519
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#578][edited] Coverity: fix bad use of null-like value in cert.py

2017-03-13 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/578
Author: tomaskrizek
 Title: #578: Coverity: fix bad use of null-like value in cert.py
Action: edited

 Changed field: body
Original value:
"""
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#578][opened] Coverity: fix bad use of null-like value in cert.py

2017-03-13 Thread tomaskrizek 
   URL: https://github.com/freeipa/freeipa/pull/578
Author: tomaskrizek
 Title: #578: Coverity: fix bad use of null-like value in cert.py
Action: opened

PR body:
"""
http://cov01.lab.eng.brq.redhat.com/covscanhub/task/38300/
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/578/head:pr578
git checkout pr578
From aa920d58ba2c8ecea4c8c00946d1927b9a250f04 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Mar 2017 18:55:59 +0100
Subject: [PATCH] Coverity: fix bad use of null-like value in cert.py

---
 ipaserver/plugins/cert.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index fb16f5b..6c63913 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -679,7 +679,8 @@ def execute(self, csr, all=False, raw=False, **kw):
 # fail if any email addr from DN does not appear in ldap entry
 email_addrs = csr_obj.subject.get_attributes_for_oid(
 cryptography.x509.oid.NameOID.EMAIL_ADDRESS)
-if len(set(email_addrs) - set(principal_obj.get('mail', []))) > 0:
+if principal_obj is None or len(set(email_addrs) - set(
+principal_obj.get('mail', []))) > 0:
 raise errors.ValidationError(
 name='csr',
 error=_(
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management

2017-03-13 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
 Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139
From 5ae278199c0ae562647b7fba63b24de359a606a5 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 09:54:24 +0200
Subject: [PATCH 01/15] Additional option to add and del operations can be set

By setting the property 'additional_add_del_field' to the name of one of
the fields which are on current details page, we choose field which value
will be added to  *_add_* and *_del_* commands in this format:

{field_name: field_value}
--field_name: field_value

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index 7579bb0..d44f8c8 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -421,6 +421,14 @@ IPA.association_table_widget = function (spec) {
 
 var that = IPA.table_widget(spec);
 
+/**
+ * The value should be name of the field, which will be added to *_add_*,
+ * *_del_* commands as option: {fieldname: fieldvalue}.
+ *
+ * @property {String} fieldname
+ */
+that.additional_add_del_field = spec.additional_add_del_field;
+
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -677,9 +685,22 @@ IPA.association_table_widget = function (spec) {
 });
 command.set_option(that.other_entity.name, values);
 
+that.join_additional_option(command);
+
 command.execute();
 };
 
+that.join_additional_option = function(command) {
+var add_opt = that.additional_add_del_field;
+if (add_opt && typeof add_opt === 'string') {
+var opt_field = that.entity.facet.get_field(add_opt);
+var value;
+if (opt_field) value = opt_field.get_value()[0];
+
+command.set_option(add_opt, value);
+}
+};
+
 that.show_remove_dialog = function() {
 
 var selected_values = that.get_selected_values();
@@ -741,6 +762,7 @@ IPA.association_table_widget = function (spec) {
 });
 
 command.set_option(that.other_entity.name, values);
+that.join_additional_option(command);
 
 command.execute();
 };

From 0322f2e82f024a8f3da0ad33401caba8f8ea68bb Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 5 Oct 2016 10:09:20 +0200
Subject: [PATCH 02/15] Allow to set another other_entity name

Association table's add, del commands needs as option list of cn of
other_entity, which is added or deleted. There is a case (currently in vaults)
that the name of option is different than the name of other_entity.
In this situation we can set 'other_option_name' and put there the option name.
This option name will be used instead of 'other_entity' name.

Part of: https://fedorahosted.org/freeipa/ticket/5426
---
 install/ui/src/freeipa/association.js | 29 ++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
index d44f8c8..02f990a 100644
--- a/install/ui/src/freeipa/association.js
+++ b/install/ui/src/freeipa/association.js
@@ -429,6 +429,22 @@ IPA.association_table_widget = function (spec) {
  */
 that.additional_add_del_field = spec.additional_add_del_field;
 
+/**
+ * Can be used in situations when the *_add_member command needs entity
+ * as a parameter, but parameter has different name than entity.
+ * i.e. vault_add_member --services=[values] ... this needs values from service
+ * entity, but option is called services, that we can set by setting
+ * this option in spec to other_option_name: 'services'
+ *
+ * @property {String} other_option_name
+ */
+that.other_option_name = spec.other_option_name;
+
+/**
+ * Entity which is added into member table.
+ *
+ * @property {String} other_entity
+ */
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.attribute_member = spec.attribute_member;
 
@@ -683,9 +699,9 @@ IPA.association_table_widget = function (spec) {
 on_success: on_success,
 on_error: on_error
 });
-command.set_option(that.other_entity.name, values);
 
 that.join_additional_option(command);
+that.handle_entity_option(command, values);
 
 command.execute();
 };
@@ -701,6 +717,14 @@ IPA.association_table_widget = function (spec) {
 }
 };
 
+that.handle_entity_option = function(command, values) {
+var option_name = that.other_option_name;
+

[Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution

2017-03-13 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/577
Author: pvomacka
 Title: #577: WebUI: Add support for AD users short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/577/head:pr577
git checkout pr577
From 679d91c00243ca01bc04bc1d2e6b89654906414b Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 13 Mar 2017 17:30:57 +0100
Subject: [PATCH] WebUI: Add support for AD users short name resolution

https://pagure.io/freeipa/issue/6372
---
 install/ui/src/freeipa/idviews.js  | 4 
 install/ui/src/freeipa/serverconfig.js | 4 
 2 files changed, 8 insertions(+)

diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 25c043c..322f80e 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -267,6 +267,10 @@ return {
 'loginshell',
 'homedirectory',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:idview_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'sshkeys',
 name: 'ipasshpubkey',
 label: '@i18n:objects.sshkeystore.keys'
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 2bc4e88..25f484a 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -56,6 +56,10 @@ return {
 'ipausersearchfields',
 'ipadefaultemaildomain',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:config_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'entity_select',
 name: 'ipadefaultprimarygroup',
 other_entity: 'group',
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#4][closed] spec: Re-sync spec to Fedora

2017-03-13 Thread tomaskrizek 
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/4
Author: sgallagher
 Title: #4: spec: Re-sync spec to Fedora
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/4/head:pr4
git checkout pr4
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#10][+pushed] spec: fix sed error and re-sync with fedora

2017-03-13 Thread tomaskrizek 
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10
Title: #10: spec: fix sed error and re-sync with fedora

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#10][comment] spec: fix sed error and re-sync with fedora

2017-03-13 Thread tomaskrizek 
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10
Title: #10: spec: fix sed error and re-sync with fedora

tomaskrizek commented:
"""
master:

- d74bba1f332b419a19e5656e5bba51c61dcb656f: spec: re-sync spec file with Fedora
- 84b5558906d4735d4c2ab7494ac6c3e1d6f40c5e: spec: fix regex in postinstall sed 
script
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/10#issuecomment-286171090
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#10][+ack] spec: fix sed error and re-sync with fedora

2017-03-13 Thread tomaskrizek 
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10
Title: #10: spec: fix sed error and re-sync with fedora

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#570][comment] ipaserver/dcerpc.py: use arcfour_encrypt from samba

2017-03-13 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/570
Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba

martbab commented:
"""
master:

* 7657754e02a5fa62265327937a6c7fd19b381610 ipaserver/dcerpc.py: use 
arcfour_encrypt from samba
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/570#issuecomment-286161752
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#570][+pushed] ipaserver/dcerpc.py: use arcfour_encrypt from samba

2017-03-13 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/570
Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#576][opened] Installation must publish CA cert in /usr/share/ipa/html/ca.crt

2017-03-13 Thread flo-renaud 
   URL: https://github.com/freeipa/freeipa/pull/576
Author: flo-renaud
 Title: #576: Installation must publish CA cert in /usr/share/ipa/html/ca.crt
Action: opened

PR body:
"""
Regression introduced with commit d124e30.
ipa-server-install and ipa-replica-install must publish the CA cert
in /usr/share/ipa/html/ca.crt, otherwise the web page
http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to
http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing.

https://pagure.io/freeipa/issue/6750
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/576/head:pr576
git checkout pr576
From 9f7be115b616f04c9661362770f8662f450b60bc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 13 Mar 2017 16:12:46 +0100
Subject: [PATCH] Installation must publish CA cert in
 /usr/share/ipa/html/ca.crt

Regression introduced with commit d124e30.
ipa-server-install and ipa-replica-install must publish the CA cert
in /usr/share/ipa/html/ca.crt, otherwise the web page
http://ipaserver.ipadomain.com/ipa/config/ssbrowser.html has a link to
http://ipaserver.ipadomain.com/ipa/config/ca.crt but this file is missing.

https://pagure.io/freeipa/issue/6750
---
 ipaserver/install/httpinstance.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3e8fb0c..27d0cfe 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -174,6 +174,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
 self.step("configure certmonger for renewals",
   self.configure_certmonger_renewal_guard)
 self.step("importing CA certificates from LDAP", self.__import_ca_certs)
+self.step("publish CA cert", self.__publish_ca_cert)
 self.step("clean up any existing httpd ccaches",
   self.remove_httpd_ccaches)
 self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
@@ -422,6 +423,11 @@ def __import_ca_certs(self):
   subject_base=self.subject_base)
 self.import_ca_certs(db, self.ca_is_configured)
 
+def __publish_ca_cert(self):
+ca_db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
+ subject_base=self.subject_base)
+ca_db.publish_ca_cert(paths.CA_CRT)
+
 def is_kdcproxy_configured(self):
 """Check if KDC proxy has already been configured in the past"""
 return os.path.isfile(paths.HTTPD_IPA_KDCPROXY_CONF)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][closed] Don't allow standalone KRA uninstalls

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/556
Author: stlaz
 Title: #556: Don't allow standalone KRA uninstalls
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/556/head:pr556
git checkout pr556
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][+pushed] Don't allow standalone KRA uninstalls

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

MartinBasti commented:
"""
master:

* 5d3a0e6758866239c886e998a6d89c5a4b150184 Don't allow standalone KRA uninstalls
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/556#issuecomment-286142058
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

stlaz commented:
"""
Rebased.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/556#issuecomment-286139764
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][synchronized] Don't allow standalone KRA uninstalls

2017-03-13 Thread stlaz 
   URL: https://github.com/freeipa/freeipa/pull/556
Author: stlaz
 Title: #556: Don't allow standalone KRA uninstalls
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/556/head:pr556
git checkout pr556
From 568ed7b4b0a6b0656ac8e3e0722d227d65a31ed1 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 16:38:12 +0100
Subject: [PATCH] Don't allow standalone KRA uninstalls

KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538
---
 install/tools/man/ipa-kra-install.1 |  5 +--
 ipaplatform/base/paths.py   |  1 -
 ipaserver/install/ipa_kra_install.py| 32 --
 ipaserver/install/kra.py| 17 ++
 ipaserver/install/server/install.py |  2 +-
 ipatests/test_integration/tasks.py  |  2 --
 ipatests/test_integration/test_vault.py | 58 -
 7 files changed, 12 insertions(+), 105 deletions(-)

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index e3133ee..0aa9073 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins
 
 The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
 
-The uninstall option can be  used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected.  The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall.
+KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
@@ -39,9 +39,6 @@ Directory Manager (existing master) password
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
-\fB\-\-uninstall\fR
-Uninstall the KRA from the local IPA server.
-.TP
 \fB\-v\fR, \fB\-\-verbose\fR
 Enable debug output when more verbose output is needed
 .TP
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index f74dfa1..4fde6c6 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -309,7 +309,6 @@ class BasePathNamespace(object):
 IPARESTORE_LOG = "/var/log/iparestore.log"
 IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
 IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
-IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
 IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
 IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
 KADMIND_LOG = "/var/log/kadmind.log"
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 99ff4a6..2576654 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -20,7 +20,9 @@
 
 from __future__ import print_function
 
+import sys
 import tempfile
+from optparse import SUPPRESS_HELP
 
 from textwrap import dedent
 from ipalib import api
@@ -69,8 +71,7 @@ def add_options(cls, parser, debug_option=True):
 parser.add_option(
 "--uninstall",
 dest="uninstall", action="store_true", default=False,
-help="uninstall an existing installation. The uninstall can "
- "be run with --unattended option")
+help=SUPPRESS_HELP)
 
 def validate_options(self, needs_root=True):
 super(KRAInstall, self).validate_options(needs_root=True)
@@ -83,33 +84,14 @@ def validate_options(self, needs_root=True):
 @classmethod
 def get_command_class(cls, options, args):
 if options.uninstall:
-return KRAUninstaller
+sys.exit(
+'ERROR: Standalone KRA uninstallation was removed in '
+'FreeIPA 4.5 as it had never worked properly and only caused '
+'issues.')
 else:
 return KRAInstaller
 
 
-class KRAUninstaller(KRAInstall):
-log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
-
-def validate_options(self, needs_root=True):
-super(KRAUninstaller, self).validate_options(needs_root=True)
-
-if self.args:
-self.option_parser.error("Too many parameters provided.")
-
-_kra = krainstance.KRAInstance(api)
-if not _kra.is_installed():
-self.option_parser.error(
-"Cannot uninstall.  There is no KRA installed on this system."
-

[Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin

2017-03-13 Thread sumit-bose 
  URL: https://github.com/freeipa/freeipa/pull/575
Title: #575: IPA certauth plugin

sumit-bose commented:
"""
This patch depends on https://github.com/SSSD/sssd/pull/192 (SSSD's certmap 
library) and https://github.com/krb5/krb5/pull/610 (MIT Kerberos certauth 
plugin support)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/575#issuecomment-286137210
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][comment] Don't allow standalone KRA uninstalls

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

MartinBasti commented:
"""
needs rebase

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/556#issuecomment-286137069
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#553][closed] Add check for removing last KRA server

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/553
Author: stlaz
 Title: #553: Add check for removing last KRA server
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/553/head:pr553
git checkout pr553
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
master:

* 670f8fb1db109ec2c9ab7e5d2189325988220b23 Add check to prevent removal of last 
KRA
* 1e8db4b5c7a55dac0008ad9b9bf5802ba30e8c2a Add message about last KRA to WebUI 
Topology view
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-286136808
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#553][+pushed] Add check for removing last KRA server

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

MartinBasti commented:
"""
master:

* 98bb5397c535e5e1a6c5ade9f0fb918be1d282c3 vault: cache the transport 
certificate on client
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/476#issuecomment-286134100
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/561
Title: #561: ldap2: fix crash in development mode

MartinBasti commented:
"""
master:

* 8fdd7a9ffc263c1198afa5479cda41d319f11d91 backend plugins: fix crashes in 
development mode
* fe4489ede2b40902fb7d734d04a1f997c6df86fb Travis CI: run tests in development 
mode
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/561#issuecomment-286135528
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#561][closed] ldap2: fix crash in development mode

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/561
Author: HonzaCholasta
 Title: #561: ldap2: fix crash in development mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/561/head:pr561
git checkout pr561
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#561][+pushed] ldap2: fix crash in development mode

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/561
Title: #561: ldap2: fix crash in development mode

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#571][comment] pylint: bump dependency to version >= 1.6

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/571
Title: #571: pylint: bump dependency to version >= 1.6

MartinBasti commented:
"""
master:

* 4514ec150586fb43fa66566cce8a69b3ac15b86c pylint: bump dependency to version 
>= 1.6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/571#issuecomment-286135137
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][+pushed] vault: cache the transport certificate on client

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][closed] vault: cache the transport certificate on client

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
 Title: #476: vault: cache the transport certificate on client
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#575][opened] IPA certauth plugin

2017-03-13 Thread sumit-bose 
   URL: https://github.com/freeipa/freeipa/pull/575
Author: sumit-bose
 Title: #575: IPA certauth plugin
Action: opened

PR body:
"""
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension which
contains a Kerberos principal but allow other mappings with the help of
SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/575/head:pr575
git checkout pr575
From 32482b96b07b4076bb14f9e52c7c493af3d7b1aa Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905
---
 daemons/ipa-kdb/ipa_kdb.h| 11 +++
 daemons/ipa-kdb/ipa_kdb_principals.c | 58 
 2 files changed, 56 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3..72f2675 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
 char **db_args);
 krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
 #if KRB5_KDB_API_VERSION < 8
 krb5_error_code ipadb_iterate(krb5_context kcontext,
   char *match_entry,
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8..82c8574 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
 "(objectclass=krbprincipal))" \
   "(krbprincipalname=%s))"
 
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal)" \
+  "(objectclass=ipakrbprincipal))" \
+"(|(ipakrbprincipalalias=%s)" \
+  "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal))" \
+"(krbprincipalname=%s)" \
+"%s)"
 static char *std_principal_attrs[] = {
 "krbPrincipalName",
 "krbCanonicalName",
@@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
 return kerr;
 }
 
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
-  unsigned int flags,
-  char *principal,
-  LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
 {
 krb5_error_code kerr;
 char *src_filter = NULL;
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
 goto done;
 }
 
-if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-ret = asprintf(_filter, PRINC_TGS_SEARCH_FILTER,
-   esc_original_princ, esc_original_princ);
+if (filter == NULL) {
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(_filter, PRINC_TGS_SEARCH_FILTER,
+   esc_original_princ, esc_original_princ);
+} else {
+ret = asprintf(_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+}
 } else {
-ret = asprintf(_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(_filter,

[Freeipa-devel] [freeipa PR#572][+pushed] rpc: fix crash in verbose mode

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/572
Title: #572: rpc: fix crash in verbose mode

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/572
Title: #572: rpc: fix crash in verbose mode

MartinBasti commented:
"""
master:

* 8295848bfec6f96410ab8383107fdaf565f02974 rpc: fix crash in verbose mode
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/572#issuecomment-286128713
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][closed] rpc: fix crash in verbose mode

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/572
Author: HonzaCholasta
 Title: #572: rpc: fix crash in verbose mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/572/head:pr572
git checkout pr572
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#571][+ack] pylint: bump dependency to version >= 1.6

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/571
Title: #571: pylint: bump dependency to version >= 1.6

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][+ack] rpc: fix crash in verbose mode

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/572
Title: #572: rpc: fix crash in verbose mode

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/572
Title: #572: rpc: fix crash in verbose mode

stlaz commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/572#issuecomment-286125002
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#574][synchronized] ipa-replica-prepare fix

2017-03-13 Thread stlaz 
   URL: https://github.com/freeipa/freeipa/pull/574
Author: stlaz
 Title: #574: ipa-replica-prepare fix
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/574/head:pr574
git checkout pr574
From 21a2c34e3cac0e8c32a68fb53ac1820fb143f1cd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:25:36 +0100
Subject: [PATCH 1/2] Fix ipa-replica-prepare server-cert creation

Fixes an issue introduced in 0a54fac0, we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other's server Server-Cert.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/ipa_replica_prepare.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..f9f2758 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -603,7 +603,8 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 
 try:
 db = certs.CertDB(
-api.env.realm, nssdir=self.dir, subject_base=subject_base)
+api.env.realm, nssdir=self.dir, subject_base=subject_base,
+host_name=api.env.host)
 db.create_passwd_file()
 db.create_from_cacert()
 db.create_server_cert(nickname, hostname)

From 5ad5230e6e6391a6e2c9147a48665403c018c987 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:40:38 +0100
Subject: [PATCH 2/2] Don't fail more if cert req/cert creation failed

This should help debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/certs.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..63e7887 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -368,8 +368,11 @@ def create_server_cert(self, nickname, hostname, subject=None):
 with open(self.certder_fname, "r") as f:
 dercert = f.read()
 finally:
-os.unlink(self.certreq_fname)
-os.unlink(self.certder_fname)
+for fname in (self.certreq_fname, self.certder_fname):
+try:
+os.unlink(fname)
+except OSError:
+pass
 
 return dercert
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#574][synchronized] ipa-replica-prepare fix

2017-03-13 Thread stlaz 
   URL: https://github.com/freeipa/freeipa/pull/574
Author: stlaz
 Title: #574: ipa-replica-prepare fix
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/574/head:pr574
git checkout pr574
From 21a2c34e3cac0e8c32a68fb53ac1820fb143f1cd Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:25:36 +0100
Subject: [PATCH 1/2] Fix ipa-replica-prepare server-cert creation

Fixes an issue introduced in 0a54fac0, we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other's server Server-Cert.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/ipa_replica_prepare.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..f9f2758 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -603,7 +603,8 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 
 try:
 db = certs.CertDB(
-api.env.realm, nssdir=self.dir, subject_base=subject_base)
+api.env.realm, nssdir=self.dir, subject_base=subject_base,
+host_name=api.env.host)
 db.create_passwd_file()
 db.create_from_cacert()
 db.create_server_cert(nickname, hostname)

From 70eb74ee339c9d8b1e6c56e9d8cd7b57a90da2ee Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:40:38 +0100
Subject: [PATCH 2/2] Don't fail more if cert req/cert creation failed

This should help debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/certs.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..d85884e 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -368,8 +368,11 @@ def create_server_cert(self, nickname, hostname, subject=None):
 with open(self.certder_fname, "r") as f:
 dercert = f.read()
 finally:
-os.unlink(self.certreq_fname)
-os.unlink(self.certder_fname)
+for fname in (self.certreq_fname, self.certder_fname):
+try:
+os.unlink(fname)
+except Exception:
+pass
 
 return dercert
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#574][opened] ipa-replica-prepare fix

2017-03-13 Thread stlaz 
   URL: https://github.com/freeipa/freeipa/pull/574
Author: stlaz
 Title: #574: ipa-replica-prepare fix
Action: opened

PR body:
"""
A regression was introduced in 
https://github.com/freeipa/freeipa/commit/0a54fac02cecad3b9e3bf8ad0c8a44df3b701857.
 Fix + don't fail if either file was not created during server-cert creation.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/574/head:pr574
git checkout pr574
From 0259c560a3b3b329300e79080b5b659559a78145 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:25:36 +0100
Subject: [PATCH 1/2] Fix ipa-replica-prepare server-cert creation

Fixes an issue introduced in 0a54fac0, we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other's server Server-Cert.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/ipa_replica_prepare.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index da13e74..631eaba 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -603,7 +603,8 @@ def export_certdb(self, fname, passwd_fname, is_kdc=False):
 
 try:
 db = certs.CertDB(
-api.env.realm, nssdir=self.dir, subject_base=subject_base)
+api.env.realm, nssdir=self.dir, subject_base=subject_base,
+host_name=hostname)
 db.create_passwd_file()
 db.create_from_cacert()
 db.create_server_cert(nickname, hostname)

From abdb37087de28772c740e34d9f47543e77e80f04 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 13 Mar 2017 14:40:38 +0100
Subject: [PATCH 2/2] Don't fail more if cert req/cert creation failed

This should help debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755
---
 ipaserver/install/certs.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 660da79..d85884e 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -368,8 +368,11 @@ def create_server_cert(self, nickname, hostname, subject=None):
 with open(self.certder_fname, "r") as f:
 dercert = f.read()
 finally:
-os.unlink(self.certreq_fname)
-os.unlink(self.certder_fname)
+for fname in (self.certreq_fname, self.certder_fname):
+try:
+os.unlink(fname)
+except Exception:
+pass
 
 return dercert
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-13 Thread abbra 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

abbra commented:
"""
I don't see ACI.txt regenerated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286097962
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-13 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
Updated PR, added ACIs and fixed Py2/Py3 compatibility of doctests.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286096789
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-13 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

HonzaCholasta commented:
"""
I would rather avoid the refactoring in 4.5 - this is fragile code you are 
touching and I'm afraid it might break in some cases (think different client / 
server version combinations, thin client vs fat client, etc.).

As for the edge case values, IMO we should allow `:` without complaining as a 
special case to support "no domains in the list" configuration, and otherwise 
require known domain names (like in `certmaprule-add`).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286095738
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

MartinBasti commented:
"""
ACIs? AFAIK SSSD should be able to read this
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286094363
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#10][synchronized] spec: fix sed error and re-sync with fedora

2017-03-13 Thread tomaskrizek 
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10
Author: tomaskrizek
 Title: #10: spec: fix sed error and re-sync with fedora
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/10/head:pr10
git checkout pr10
From 12a5306fd30d2b6a7f2f90b783165def823ba6cf Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Mar 2017 13:15:51 +0100
Subject: [PATCH 1/2] spec: fix regex in postinstall sed script

Post install sed script would fail with invalid range, because
a-Z is not supported.
---
 contrib/bind-dyndb-ldap.spec | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index d8c0347..9c91d39 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -65,7 +65,7 @@ do
 done <
+- Fixed sed script regex error
+
 * Thu Jan 26 2017 Tomas Krizek 
 - Added named.conf API transofrmation script
 - Bumped the required BIND version to 9.11.0-6.P2

From d53e509f3827b057d2680d33c4099fd697cb71d2 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Mar 2017 13:21:56 +0100
Subject: [PATCH 2/2] spec: re-sync spec file with Fedora

---
 contrib/bind-dyndb-ldap.spec | 30 +-
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 9c91d39..7d0e887 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -7,17 +7,18 @@ Summary:LDAP back-end plug-in for BIND
 
 Group:  System Environment/Libraries
 License:GPLv2+
-URL:https://fedorahosted.org/bind-dyndb-ldap
-Source0:https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
+URL:https://releases.pagure.org/bind-dyndb-ldap
+Source0:https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
+Source1:https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:  bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2
+BuildRequires:  bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2, bind-pkcs11-devel >= 32:9.11.0-6.P2
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  automake, autoconf, libtool
 
-Requires:   bind >= 32:9.11.0-6.P2
+Requires:   bind-pkcs11 >= 32:9.11.0-6.P2, bind-pkcs11-utils >= 32:9.11.0-6.P2
 
 %description
 This package provides an LDAP back-end plug-in for BIND. It features
@@ -29,6 +30,7 @@ off of your LDAP server.
 %setup -q -n %{name}-%{VERSION}
 
 %build
+autoreconf -fiv
 %configure
 make %{?_smp_mflags}
 
@@ -43,6 +45,15 @@ rm %{buildroot}%{_libdir}/bind/ldap.la
 rm -r %{buildroot}%{_datadir}/doc/%{name}
 
 %post
+# SELinux boolean named_write_master_zones has to be enabled
+# otherwise the plugin will not be able to write to /var/named.
+# This scriptlet enables the boolean after installation or upgrade.
+# SELinux is sensitive area so I want to inform user about the change.
+if [ -x "/usr/sbin/setsebool" ] ; then
+echo "Enabling SELinux boolean named_write_master_zones"
+/usr/sbin/setsebool -P named_write_master_zones=1 || :
+fi
+
 # Transform named.conf if it still has old-style API.
 PLATFORM=$(uname -m)
 
@@ -83,13 +94,21 @@ EOF
 sed -i.bak -e "$SEDSCRIPT" /etc/named.conf
 
 
+# This scriptlet disables the boolean after uninstallation.
+%postun
+if [ "0$1" -eq "0" ] && [ -x "/usr/sbin/setsebool" ] ; then
+echo "Disabling SELinux boolean named_write_master_zones"
+/usr/sbin/setsebool -P named_write_master_zones=0 || :
+fi
+
+
 %clean
 rm -rf %{buildroot}
 
 
 %files
 %defattr(-,root,root,-)
-%doc NEWS README COPYING doc/{example,schema}.ldif
+%doc NEWS README.md COPYING doc/{example,schema}.ldif
 %dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
 %{_libdir}/bind/ldap.so
 
@@ -97,6 +116,7 @@ rm -rf %{buildroot}
 %changelog
 * Mon Mar 13 2017 Tomas Krizek 
 - Fixed sed script regex error
+- Re-synced specfile with fedora
 
 * Thu Jan 26 2017 Tomas Krizek 
 - Added named.conf API transofrmation script
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#10][opened] spec: fix sed error and re-sync with fedora

2017-03-13 Thread tomaskrizek 
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/10
Author: tomaskrizek
 Title: #10: spec: fix sed error and re-sync with fedora
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/10/head:pr10
git checkout pr10
From 12a5306fd30d2b6a7f2f90b783165def823ba6cf Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Mar 2017 13:15:51 +0100
Subject: [PATCH 1/2] spec: fix regex in postinstall sed script

Post install sed script would fail with invalid range, because
a-Z is not supported.
---
 contrib/bind-dyndb-ldap.spec | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index d8c0347..9c91d39 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -65,7 +65,7 @@ do
 done <
+- Fixed sed script regex error
+
 * Thu Jan 26 2017 Tomas Krizek 
 - Added named.conf API transofrmation script
 - Bumped the required BIND version to 9.11.0-6.P2

From 61abaf9fc079f241a84106e9f5ba212a2747fb86 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 13 Mar 2017 13:21:56 +0100
Subject: [PATCH 2/2] spec: re-sync spec file with Fedora

---
 contrib/bind-dyndb-ldap.spec | 22 +-
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 9c91d39..849fe61 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -7,17 +7,18 @@ Summary:LDAP back-end plug-in for BIND
 
 Group:  System Environment/Libraries
 License:GPLv2+
-URL:https://fedorahosted.org/bind-dyndb-ldap
-Source0:https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
+URL:https://releases.pagure.org/bind-dyndb-ldap
+Source0:https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2
+Source1:https://releases.pagure.org/%{name}/%{name}-%{VERSION}.tar.bz2.asc
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:  bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2
+BuildRequires:  bind-devel >= 32:9.11.0-6.P2, bind-lite-devel >= 32:9.11.0-6.P2, bind-pkcs11-devel >= 32:9.11.0-6.P2
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  automake, autoconf, libtool
 
-Requires:   bind >= 32:9.11.0-6.P2
+Requires:   bind-pkcs11 >= 32:9.11.0-6.P2, bind-pkcs11-utils >= 32:9.11.0-6.P2
 
 %description
 This package provides an LDAP back-end plug-in for BIND. It features
@@ -29,6 +30,7 @@ off of your LDAP server.
 %setup -q -n %{name}-%{VERSION}
 
 %build
+autoreconf -fiv
 %configure
 make %{?_smp_mflags}
 
@@ -43,6 +45,15 @@ rm %{buildroot}%{_libdir}/bind/ldap.la
 rm -r %{buildroot}%{_datadir}/doc/%{name}
 
 %post
+# SELinux boolean named_write_master_zones has to be enabled
+# otherwise the plugin will not be able to write to /var/named.
+# This scriptlet enables the boolean after installation or upgrade.
+# SELinux is sensitive area so I want to inform user about the change.
+if [ -x "/usr/sbin/setsebool" ] ; then
+echo "Enabling SELinux boolean named_write_master_zones"
+/usr/sbin/setsebool -P named_write_master_zones=1 || :
+fi
+
 # Transform named.conf if it still has old-style API.
 PLATFORM=$(uname -m)
 
@@ -89,7 +100,7 @@ rm -rf %{buildroot}
 
 %files
 %defattr(-,root,root,-)
-%doc NEWS README COPYING doc/{example,schema}.ldif
+%doc NEWS README.md COPYING doc/{example,schema}.ldif
 %dir %attr(770, root, named) %{_localstatedir}/named/dyndb-ldap
 %{_libdir}/bind/ldap.so
 
@@ -97,6 +108,7 @@ rm -rf %{buildroot}
 %changelog
 * Mon Mar 13 2017 Tomas Krizek 
 - Fixed sed script regex error
+- Re-synced specfile with fedora
 
 * Thu Jan 26 2017 Tomas Krizek 
 - Added named.conf API transofrmation script
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][opened] Provide centralized management of user short name resolution

2017-03-13 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: opened

PR body:
"""
This PR implement an initial version of AD user short name resolution
infrastructure consumable by SSSD.[1]

Most of the stuff described in the design page[2] is in-place except of hooks
that would refresh the domain resolution orders after trust domain removal or
disablement. I would like to do them in a separate PR.

Also some edge cases like specifying only separator (':') or an empty domain
('dom1::dom2') have no special treatment, the current code will just complain
about empty DNS labels. Should I improve this behavior?

[1] https://pagure.io/freeipa/issue/6372
[2] https://www.freeipa.org/page/V4/AD_User_Short_Names
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
From 5e9291aaf7dfd92c5983f0bcd80976b1f597ac58 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 14:24:21 +0100
Subject: [PATCH 1/4] Short name resolution: introduce the required schema

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372
---
 install/share/60basev3.ldif | 2 ++
 install/updates/50-ipaconfig.update | 1 +
 2 files changed, 3 insertions(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 059174b..efc6c8a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -57,6 +57,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#1
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: (2.16.840.1.113730.3.8.11.77 NAME 'ipaDomainResolutionOrder' DESC 'List of domains used to resolve a short name' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.5')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
@@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5')
 objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 89a1726..23d2919 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -4,3 +4,4 @@ add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
+add:objectClass: ipaNameResolutionData

From 734025316099a45e0a353dc7778704a1a3268ad7 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 16:37:22 +0100
Subject: [PATCH 2/4] new

[Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/568
Author: HonzaCholasta
 Title: #568: cert: include certificate chain in cert command output
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/568/head:pr568
git checkout pr568
From 2f08a1e0e6e8ee82d7fa67e8d5d26cdbabc4fc45 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:19:53 +
Subject: [PATCH 1/2] cert: add output file option to cert-request

The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547
---
 ipaclient/plugins/cert.py | 66 +--
 1 file changed, 52 insertions(+), 14 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 348529c..62171e9 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
 import subprocess
 from tempfile import NamedTemporaryFile as NTF
 
@@ -38,10 +39,37 @@
 register = Registry()
 
 
-@register(override=True, no_fail=True)
-class cert_request(MethodOverride):
+class CertRetrieveOverride(MethodOverride):
 takes_options = (
 Str(
+'certificate_out?',
+doc=_('Write certificate (chain if --chain used) to file'),
+include='cli',
+cli_metavar='FILE',
+),
+)
+
+def forward(self, *args, **options):
+certificate_out = options.pop('certificate_out', None)
+if certificate_out is not None:
+util.check_writable_file(certificate_out)
+
+result = super(CertRetrieveOverride, self).forward(*args, **options)
+
+if certificate_out is not None:
+certs = [result['result']['certificate']]
+certs = (x509.normalize_certificate(cert) for cert in certs)
+certs = (x509.make_pem(base64.b64encode(cert)) for cert in certs)
+with open(certificate_out, 'w') as f:
+f.write('\n'.join(certs))
+
+return result
+
+
+@register(override=True, no_fail=True)
+class cert_request(CertRetrieveOverride):
+takes_options = CertRetrieveOverride.takes_options + (
+Str(
 'database?',
 label=_('Path to NSS database'),
 doc=_('Path to NSS database to use for private key'),
@@ -135,18 +163,28 @@ def forward(self, csr=None, **options):
 
 
 @register(override=True, no_fail=True)
-class cert_show(MethodOverride):
-def forward(self, *keys, **options):
-if 'out' in options:
-util.check_writable_file(options['out'])
-result = super(cert_show, self).forward(*keys, **options)
-if 'certificate' in result['result']:
-x509.write_certificate(result['result']['certificate'], options['out'])
-return result
-else:
-raise errors.NoCertificateError(entry=keys[-1])
-else:
-return super(cert_show, self).forward(*keys, **options)
+class cert_show(CertRetrieveOverride):
+def get_options(self):
+for option in super(cert_show, self).get_options():
+if option.name == 'out':
+# skip server-defined --out
+continue
+if option.name == 'certificate_out':
+# add --out as a deprecated alias of --certificate-out
+option = option.clone_rename(
+'out',
+cli_name='certificate_out',
+deprecated_cli_aliases={'out'},
+)
+yield option
+
+def forward(self, *args, **options):
+try:
+options['certificate_out'] = options.pop('out')
+except KeyError:
+pass
+
+return super(cert_show, self).forward(*args, **options)
 
 
 @register(override=True, no_fail=True)

From d3b3266018df4390b348ff253dae42b522511c34 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:22:42 +
Subject: [PATCH 2/2] cert: include certificate chain in cert command output

Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547
---
 API.txt   |  6 --
 VERSION.m4|  4 ++--
 ipaclient/plugins/cert.py |  5 -
 ipaserver/plugins/cert.py | 53 ---
 4 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 90cda74..2d6b401 100644
--- a/API.txt

[Freeipa-devel] [freeipa PR#568][synchronized] cert: include certificate chain in cert command output

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/568
Author: HonzaCholasta
 Title: #568: cert: include certificate chain in cert command output
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/568/head:pr568
git checkout pr568
From aedb67fca0fbb58e101da3300c7fd6b5afeddc0a Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:19:53 +
Subject: [PATCH 1/2] cert: add output file option to cert-request

The certificate returned by cert-request can now be saved to a file in the
CLI using a new --certificate-out option.

Deprecate --out in cert-show in favor of --certificate-out.

https://pagure.io/freeipa/issue/6547
---
 ipaclient/plugins/cert.py | 54 +++
 1 file changed, 40 insertions(+), 14 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index 348529c..2dcdcf7 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
 import subprocess
 from tempfile import NamedTemporaryFile as NTF
 
@@ -38,10 +39,37 @@
 register = Registry()
 
 
-@register(override=True, no_fail=True)
-class cert_request(MethodOverride):
+class CertRetrieveOverride(MethodOverride):
 takes_options = (
 Str(
+'certificate_out?',
+doc=_('Write certificate (chain if --chain used) to file'),
+include='cli',
+cli_metavar='FILE',
+),
+)
+
+def forward(self, *args, **options):
+certificate_out = options.pop('certificate_out', None)
+if certificate_out is not None:
+util.check_writable_file(certificate_out)
+
+result = super(CertRetrieveOverride, self).forward(*args, **options)
+
+if certificate_out is not None:
+certs = [result['result']['certificate']]
+certs = (x509.normalize_certificate(cert) for cert in certs)
+certs = (x509.make_pem(base64.b64encode(cert)) for cert in certs)
+with open(certificate_out, 'w') as f:
+f.write('\n'.join(certs))
+
+return result
+
+
+@register(override=True, no_fail=True)
+class cert_request(CertRetrieveOverride):
+takes_options = CertRetrieveOverride.takes_options + (
+Str(
 'database?',
 label=_('Path to NSS database'),
 doc=_('Path to NSS database to use for private key'),
@@ -135,18 +163,16 @@ def forward(self, csr=None, **options):
 
 
 @register(override=True, no_fail=True)
-class cert_show(MethodOverride):
-def forward(self, *keys, **options):
-if 'out' in options:
-util.check_writable_file(options['out'])
-result = super(cert_show, self).forward(*keys, **options)
-if 'certificate' in result['result']:
-x509.write_certificate(result['result']['certificate'], options['out'])
-return result
-else:
-raise errors.NoCertificateError(entry=keys[-1])
-else:
-return super(cert_show, self).forward(*keys, **options)
+class cert_show(CertRetrieveOverride):
+def get_options(self):
+for option in super(cert_show, self).get_options():
+if option.name == 'out':
+# skip server-defined --out
+continue
+if option.name == 'certificate_out':
+# add --out as a deprecated alias of --certificate-out
+option = option.clone(deprecated_cli_aliases={'out'})
+yield option
 
 
 @register(override=True, no_fail=True)

From 5ca69abd1f423dcc6112cbcb98fd4839ef54ed29 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:22:42 +
Subject: [PATCH 2/2] cert: include certificate chain in cert command output

Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547
---
 API.txt   |  6 --
 VERSION.m4|  4 ++--
 ipaclient/plugins/cert.py |  5 -
 ipaserver/plugins/cert.py | 53 ---
 4 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/API.txt b/API.txt
index 90cda74..2d6b401 100644
--- a/API.txt
+++ b/API.txt
@@ -782,11 +782,12 @@ option: Str('cacn?', autofill=True, cli_name='ca', default=u'ipa')
 option: Str('version?')
 output: Output('result')
 command: cert_request/1
-args: 1,8,3
+args: 1,9,3
 arg: Str('csr', cli_name='csr_file')
 option: Flag('add', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all',

[Freeipa-devel] [freeipa PR#561][+ack] ldap2: fix crash in development mode

2017-03-13 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/561
Title: #561: ldap2: fix crash in development mode

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][+ack] vault: cache the transport certificate on client

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][comment] vault: cache the transport certificate on client

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/476
Title: #476: vault: cache the transport certificate on client

MartinBasti commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/476#issuecomment-286077394
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#556][+ack] Don't allow standalone KRA uninstalls

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/556
Title: #556: Don't allow standalone KRA uninstalls

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#553][+ack] Add check for removing last KRA server

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][synchronized] rpc: fix crash in verbose mode

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/572
Author: HonzaCholasta
 Title: #572: rpc: fix crash in verbose mode
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/572/head:pr572
git checkout pr572
From bb56b33e205c89d458c04132a59e1df089a5079c Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:33:15 +
Subject: [PATCH] rpc: fix crash in verbose mode

Fix a crash caused by feeding incorrect data to `json.dumps()` in
`JSONServerProxy.__request()` introduced by commit
8159c2883bf66980582d1227c364df4e592bdd7e.

https://pagure.io/freeipa/issue/6734
---
 ipalib/rpc.py | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 3a589cb..16ffb8b 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -1136,16 +1136,17 @@ def __request(self, name, args):
 verbose=self.__verbose >= 3,
 )
 
+if print_json:
+root_logger.info(
+'Response: %s',
+json.dumps(json.loads(response), sort_keys=True, indent=4)
+)
+
 try:
 response = json_decode_binary(response)
 except ValueError as e:
 raise JSONError(error=str(e))
 
-if print_json:
-root_logger.info(
-'Response: %s',
-json.dumps(response, sort_keys=True, indent=4)
-)
 error = response.get('error')
 if error:
 try:
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][comment] rpc: fix crash in verbose mode

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/572
Title: #572: rpc: fix crash in verbose mode

stlaz commented:
"""
Does this fix https://pagure.io/freeipa/issue/6734?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/572#issuecomment-286056640
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#572][opened] rpc: fix crash in verbose mode

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/572
Author: HonzaCholasta
 Title: #572: rpc: fix crash in verbose mode
Action: opened

PR body:
"""
Fix a crash caused by feeding incorrect data to `json.dumps()` in
`JSONServerProxy.__request()` introduced by commit
8159c2883bf66980582d1227c364df4e592bdd7e.

https://pagure.io/freeipa/issue/6655
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/572/head:pr572
git checkout pr572
From d6ceec00d3a522e0ff8b0002a1b44f91e79bc832 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 10 Mar 2017 09:33:15 +
Subject: [PATCH] rpc: fix crash in verbose mode

Fix a crash caused by feeding incorrect data to `json.dumps()` in
`JSONServerProxy.__request()` introduced by commit
8159c2883bf66980582d1227c364df4e592bdd7e.

https://pagure.io/freeipa/issue/6655
---
 ipalib/rpc.py | 11 ++-
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 3a589cb..16ffb8b 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -1136,16 +1136,17 @@ def __request(self, name, args):
 verbose=self.__verbose >= 3,
 )
 
+if print_json:
+root_logger.info(
+'Response: %s',
+json.dumps(json.loads(response), sort_keys=True, indent=4)
+)
+
 try:
 response = json_decode_binary(response)
 except ValueError as e:
 raise JSONError(error=str(e))
 
-if print_json:
-root_logger.info(
-'Response: %s',
-json.dumps(response, sort_keys=True, indent=4)
-)
 error = response.get('error')
 if error:
 try:
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][closed] install: fix help

2017-03-13 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/550
Author: HonzaCholasta
 Title: #550: install: fix help
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/550/head:pr550
git checkout pr550
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][comment] install: fix help

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/550
Title: #550: install: fix help

MartinBasti commented:
"""
master:

* 00f49dd7bbf277757902c94990d33758fec56b23 server install: remove duplicate -w 
option
* 5efa55c88d73d9f5db77df4be9fedf03f9b323d1 install: add missing space in 
realm_name description
* 94f362d7b0b6c838752eb2f6674149e96d3ae95b server install: remove duplicate 
knob definitions
* 1cfe06c79eb0b98a0f4bd663165156596b59e85f client install: split off SSSD 
options into a separate class
* 774d8d0a5dc0ac175ab0cecc76001632c2a79744 install CLI: remove magic option 
groups
* 2fc9feddd02bb17c3a9eb7efde83277fcf93252c install: re-introduce option groups
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/550#issuecomment-286051845
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][+pushed] install: fix help

2017-03-13 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/550
Title: #550: install: fix help

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][+ack] install: fix help

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/550
Title: #550: install: fix help

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][comment] install: fix help

2017-03-13 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/550
Title: #550: install: fix help

stlaz commented:
"""
Works like a charm, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/550#issuecomment-286051511
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#557][closed] certmap: load certificate from file in certmap-match CLI

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/557
Author: HonzaCholasta
 Title: #557: certmap: load certificate from file in certmap-match CLI
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/557/head:pr557
git checkout pr557
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#557][+pushed] certmap: load certificate from file in certmap-match CLI

2017-03-13 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/557
Title: #557: certmap: load certificate from file in certmap-match CLI

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI

2017-03-13 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/557
Title: #557: certmap: load certificate from file in certmap-match CLI

HonzaCholasta commented:
"""
master:

* 0298ecf441ba38858d7909b8c3b4cc2b4c4e53c4 certmap: load certificate from file 
in certmap-match CLI
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/557#issuecomment-286037607
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#550][synchronized] install: fix help

2017-03-13 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/550
Author: HonzaCholasta
 Title: #550: install: fix help
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/550/head:pr550
git checkout pr550
From 349f6e08cd69696a1fb63f2e459e192e65f90478 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Mar 2017 13:19:51 +
Subject: [PATCH 1/6] server install: remove duplicate -w option

Remove duplicate -w alias of --admin-password in ipa-server-install and
ipa-replica-install.

https://pagure.io/freeipa/issue/6392
---
 ipaserver/install/server/__init__.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 5a079ee..4a0289b 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -118,6 +118,10 @@ class ServerInstallInterface(client.ClientInstallInterface,
 )
 principal = replica_install_only(principal)
 
+admin_password = extend_knob(
+client.ClientInstallInterface.admin_password,
+)
+
 master_password = knob(
 str, None,
 sensitive=True,

From 51de0df7e992f6cfcede70cd5dc72cfa1fdcb600 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Mar 2017 13:20:38 +
Subject: [PATCH 2/6] install: add missing space in realm_name description

https://pagure.io/freeipa/issue/6392
---
 ipalib/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/install/service.py b/ipalib/install/service.py
index 73b8fd8..84539ad 100644
--- a/ipalib/install/service.py
+++ b/ipalib/install/service.py
@@ -122,7 +122,7 @@ def domain_name(self, value):
 
 realm_name = knob(
 str, None,
-description="Kerberos realm name of the IPA deployment (typically"
+description="Kerberos realm name of the IPA deployment (typically "
 "an upper-cased name of the primary DNS domain)",
 cli_names='--realm',
 )

From 866cef758bbaadc6f7e9cac049d76c5412e2240a Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 7 Mar 2017 14:06:11 +
Subject: [PATCH 3/6] server install: remove duplicate knob definitions

Remove duplicate definitions of knobs already defined in client install.

https://pagure.io/freeipa/issue/6392
---
 ipaserver/install/server/__init__.py | 24 
 1 file changed, 24 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 4a0289b..edb91f3 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -221,30 +221,6 @@ def idmax(self):
 )
 no_ui_redirect = enroll_only(no_ui_redirect)
 
-ssh_trust_dns = knob(
-None,
-description="configure OpenSSH client to trust DNS SSHFP records",
-)
-ssh_trust_dns = enroll_only(ssh_trust_dns)
-
-no_ssh = knob(
-None,
-description="do not configure OpenSSH client",
-)
-no_ssh = enroll_only(no_ssh)
-
-no_sshd = knob(
-None,
-description="do not configure OpenSSH server",
-)
-no_sshd = enroll_only(no_sshd)
-
-no_dns_sshfp = knob(
-None,
-description="Do not automatically create DNS SSHFP records",
-)
-no_dns_sshfp = enroll_only(no_dns_sshfp)
-
 dirsrv_config_file = knob(
 str, None,
 description="The path to LDIF file that will be used to modify "

From f842cc155739fb9a83e551ff08709a2ca111a9cd Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 8 Mar 2017 08:01:41 +
Subject: [PATCH 4/6] client install: split off SSSD options into a separate
 class

Split off SSSD knob definitions from the ClientInstallInterface class into
a new SSSDInstallInterface class.

https://pagure.io/freeipa/issue/6392
---
 ipaclient/install/client.py | 44 +++---
 ipaclient/install/sssd.py   | 52 +
 2 files changed, 55 insertions(+), 41 deletions(-)
 create mode 100644 ipaclient/install/sssd.py

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 774eaaf..b251223 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -63,7 +63,7 @@
 )
 from ipapython.ssh import SSHPublicKey
 
-from . import automount, ipadiscovery, ntpconf
+from . import automount, ipadiscovery, ntpconf, sssd
 from .ipachangeconf import IPAChangeConf
 
 NoneType = type(None)
@@ -3356,7 +3356,8 @@ def init(installer):
 
 
 class ClientInstallInterface(hostname_.HostNameInstallInterface,
- service.ServiceAdminInstallInterface):
+ service.ServiceAdminInstallInterface,
+ sssd.SSSDInstallInterface):
 """
 Interface of the client installer
 
@@ -3367,12 +3368,6 @@ class

[Freeipa-devel] [freeipa PR#557][comment] certmap: load certificate from file in certmap-match CLI

2017-03-13 Thread flo-renaud 
  URL: https://github.com/freeipa/freeipa/pull/557
Title: #557: certmap: load certificate from file in certmap-match CLI

flo-renaud commented:
"""
@HonzaCholasta 
Sorry, I forgot to ACK. You can push the PR.
For the record, Issue [6746](https://pagure.io/freeipa/issue/6746) has been 
opened for the framework issue.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/557#issuecomment-286036301
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#561][comment] ldap2: fix crash in development mode

2017-03-13 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/561
Title: #561: ldap2: fix crash in development mode

HonzaCholasta commented:
"""
OK everything is green now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/561#issuecomment-286022821
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code