[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
I added a 4th patch to address the FILE ccache growth issue.
It is a bit unorthodox but it works. Please review carefully and let me know if you are ok with this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-21336
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649
From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 22 Mar 2017 18:25:38 -0400
Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce 
---
 ipapython/session_storage.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index bcf0947..f208827 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -111,6 +111,12 @@ def store_data(princ_name, key, value):
 if not isinstance(value, bytes):
 value = value.encode('utf-8')
 
+# FILE ccaches grow every time an entry is stored, so we need
+# to avoid storing the same entry multiple times.
+oldvalue = get_data(princ_name, key)
+if oldvalue == value:
+return
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
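Review bot: the early return depends on what `get_data(princ_name, key)` does when the entry is not yet in the ccache; if it raises for a missing entry rather than returning `None`, the very first `store_data` for a key now fails instead of writing. Either make the not-found path return `None` or wrap the lookup in a try/except that falls through to the store. The comment should also say that the check only suppresses byte-identical rewrites: a value that differs on every refresh (a cookie whose only change is its expiry, as the later comment in this thread reports) still grows a FILE ccache.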

From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 22 Mar 2017 18:38:22 -0400
Subject: [PATCH 2/4] Handle failed authentication via cookie

If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce 
---
 ipalib/rpc.py | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 303b22a..f597ce0 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None):
 else:
 raise errors.KerberosError(message=unicode(e))
 
-def get_host_info(self, host):
+def _get_host(self):
+return self._connection[0]
+
+def _remove_extra_header(self, name):
+for (h, v) in self._extra_headers:
+if h == name:
+self._extra_headers.remove((h, v))
+break
+
+def get_auth_info(self, use_cookie=True):
 """
 Two things can happen here. If we have a session we will add
 a cookie for that. If not we will set an Authorization header.
 """
-(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
-
-if not isinstance(extra_headers, list):
-extra_headers = []
+if not isinstance(self._extra_headers, list):
+self._extra_headers = []
 
-session_cookie = getattr(context, 'session_cookie', None)
-if session_cookie:
-extra_headers.append(('Cookie', session_cookie))
-return (host, extra_headers, x509)
+# Remove any existing Cookie first
+self._remove_extra_header('Cookie')
+if use_cookie:
+session_cookie = getattr(context, 'session_cookie', None)
+if session_cookie:
+self._extra_headers.append(('Cookie', session_cookie))
+return
 
 # Set the remote host principal
+host = self._get_host()
 service = self.service + "@" + host.split(':')[0]
 
 try:
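Review bot: `_get_host()` reads `self._connection[0]`, and in `xmlrpc.client.Transport` `_connection` starts out as `(None, None)`, so if `get_auth_info()` can run before `make_connection()` has populated it, `host.split(':')` raises `AttributeError`; `single_request` still receives `host` as a parameter, so passing it down is safer than reading it back from the connection tuple. The docstring ("Two things can happen here…") should also describe the new `use_cookie` parameter, since `use_cookie=False` deliberately skips the cookie even when one exists. Minor: `_remove_extra_header` removes only the first matching tuple, so a second `Cookie` header, if one ever got appended, would survive.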
@@ -616,18 +627,14 @@ def get_host_info(self, host):
 except gssapi.exceptions.GSSError as e:
 self._handle_exception(e, service=service)
 
-self._set_auth_header(extra_headers, response)
-
-return (host, extra_headers, x509)
+self._set_auth_header(response)
 
-def _set_auth_header(self, extra_headers, token):
-for (h, v) in extra_headers:
-if h == 'Authorization':
-extra_headers.remove((h, v))
-break
+def _set_auth_header(self, token):
+# Remove any existing authorization header first
+self._remove_extra_header('Authorization')
 
 if token:
-extra_headers.append(
+self._extra_headers.append(
 ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii'))
 )
 
@@ -651,18 +658,23 @@ def _auth_complete(self, response):
 if self._sec_context.complete:
 self._sec_context = None
 return True
-self._set_auth_header(self._extra_headers, token)
+self._set_auth_header(token)
+return False
+elif response.status == 401:
+self.get_auth_info(use_cookie=False)
 return False
 return True
 
 def single_request(self, host, handler, request_body, verbose=0):
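Review bot: the new `elif response.status == 401` branch drops the `Cookie` header and starts SPNEGO, but leaves `context.session_cookie` holding the rejected value, so the next `get_auth_info()` with the default `use_cookie=True` sends the stale cookie again and takes another 401 before falling back; clear `context.session_cookie` here (or as soon as the server issues a replacement) so the fallback happens once. And since `_auth_complete` returns `False` to ask for a retry, check that the retry loop in `single_request` is bounded: a server that keeps answering 401 even to a completed handshake would otherwise alternate between this branch and a fresh security context indefinitely.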

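The cookie-then-SPNEGO fallback that patch 2/4's commit message describes, as an added example that is not FreeIPA's code: both ends of the exchange are simulated in one process, the GSSAPI security context is replaced by a fixed step1/step2/step3 token exchange, and `FakeServer`, `Client`, `run_scenarios`, `MAX_AUTH_ROUNDS` and the `ipa_session=...` cookie values are all constructed for the illustration. It goes slightly beyond the patch in two places a reviewer would ask about: a rejected cookie is forgotten rather than only dropped from the request headers, and the number of 401 round trips per request is bounded.

```python
from collections import namedtuple

MAX_AUTH_ROUNDS = 4  # assumed upper bound on 401 round trips for one request
Response = namedtuple("Response", "status headers")

class FakeServer:
    """Stand-in IPA server (constructed): accepts its current session cookie or a
    two-round 'negotiate' exchange; tokens step1/step2/step3 replace GSSAPI output."""
    def __init__(self, valid_cookie=None, reject_all=False):
        self.valid_cookie = valid_cookie
        self.reject_all = reject_all  # models a server that never accepts us
        self.sessions_issued = 0

    def handle(self, headers):
        if self.reject_all:
            return Response(401, {})
        if self.valid_cookie is not None and headers.get("Cookie") == self.valid_cookie:
            return Response(200, {})
        auth = headers.get("Authorization", "")
        if auth == "negotiate step1":
            return Response(401, {"WWW-Authenticate": "negotiate step2"})
        if auth == "negotiate step3":
            self.sessions_issued += 1
            self.valid_cookie = "ipa_session=tok%d" % self.sessions_issued
            return Response(200, {"Set-Cookie": self.valid_cookie})
        return Response(401, {"WWW-Authenticate": "negotiate"})

class Client:
    """Shaped like the patch's get_auth_info / _set_auth_header / _auth_complete;
    the GSSAPI context is a dict recording which handshake step we are at."""
    def __init__(self, server, session_cookie):
        self.server = server
        self.session_cookie = session_cookie  # plays the role of context.session_cookie
        self._extra_headers = []
        self._sec_context = None  # None: no SPNEGO handshake in flight
        self.handshakes = 0

    def _remove_extra_header(self, name):
        self._extra_headers = [(h, v) for (h, v) in self._extra_headers if h != name]

    def get_auth_info(self, use_cookie=True):
        self._remove_extra_header("Cookie")
        if use_cookie and self.session_cookie:
            self._extra_headers.append(("Cookie", self.session_cookie))
            return
        self._sec_context = {"step": 1}  # no usable cookie: start SPNEGO
        self.handshakes += 1
        self._set_auth_header("step1")

    def _set_auth_header(self, token):
        self._remove_extra_header("Authorization")
        if token:
            self._extra_headers.append(("Authorization", "negotiate %s" % token))

    def _auth_complete(self, response):
        if self._sec_context is not None:
            challenge = response.headers.get("WWW-Authenticate", "")
            if self._sec_context["step"] == 1 and challenge == "negotiate step2":
                self._sec_context["step"] = 3  # one more token to send
                self._set_auth_header("step3")
                return False
            self._sec_context = None
            self._set_auth_header(None)
            if response.status == 200:  # handshake done; keep the new cookie
                self.session_cookie = response.headers.get("Set-Cookie", self.session_cookie)
                return True
            raise PermissionError("SPNEGO handshake rejected by server")
        if response.status == 401:
            self.session_cookie = None  # a rejected cookie must never be resent
            self.get_auth_info(use_cookie=False)
            return False
        return True

    def request(self):
        self.get_auth_info()
        for _ in range(MAX_AUTH_ROUNDS):
            response = self.server.handle(dict(self._extra_headers))
            if self._auth_complete(response):
                return response
        raise PermissionError("authentication did not converge")

def run_scenarios():
    """Valid cookie; stale cookie (one handshake, new cookie reused afterwards);
    server that rejects everything (an error, not an endless retry loop)."""
    valid = Client(FakeServer("ipa_session=tok0"), "ipa_session=tok0")
    stale = Client(FakeServer(None), "ipa_session=stale")
    result = {"valid_status": valid.request().status,
              "valid_handshakes": valid.handshakes,
              "stale_statuses": (stale.request().status, stale.request().status),
              "stale_handshakes": stale.handshakes,
              "stale_new_cookie": stale.session_cookie}
    try:
        Client(FakeServer(reject_all=True), "ipa_session=x").request()
        result["hostile_rejected"] = False
    except PermissionError:
        result["hostile_rejected"] = True
    return result

if __name__ == "__main__":
    print(run_scenarios())
```

Run it directly to print the three scenario results; `run_scenarios()` returns them as a dict so they can be checked programmatically, and the stale-cookie case shows the point of the patch: exactly one handshake, after which the freshly issued cookie is reused without renegotiating.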
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
The FILE ccache is still growing because we keep getting updated cookies (where the only thing that changes is the expiration date).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-288859035

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/638
Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches

simo5 commented:
"""
This PR has been obsoleted by #649
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/638#issuecomment-288850585

[Freeipa-devel] [freeipa PR#638][closed] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/638
Author: abbra
 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/638/head:pr638
git checkout pr638

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

simo5 commented:
"""
Note I am still running tests, but I think the patchset is good for review already.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/649#issuecomment-288850417

[Freeipa-devel] [freeipa PR#649][opened] Session cookie storage and handling fixes

2017-03-23 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/649
Author: simo5
 Title: #649: Session cookie storage and handling fixes
Action: opened

PR body:
"""
This patchset improves the behavior of the client in various ways.
- Avoids unbounded growth of FILE ccaches
- Fix regression with session cookie updates not being retrievable with FILE caches
- Fix client authentication to better handle servers that may decide our cookie is not good anymore
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/649/head:pr649
git checkout pr649

[Freeipa-devel] Announcing FreeIPA 4.3.3

2017-03-23 Thread Martin Basti

Release date: 2017-03-23

The FreeIPA team would like to announce FreeIPA 4.3.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Please note that this is the last upstream release of FreeIPA 4.3.x branch.

This announcement is also available at 
.



== Highlights in 4.3.3 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.3.3 is a stabilization release for the features delivered as
part of 4.3.0. It contains more than 20 bug fixes, the details of which
are in the list of resolved tickets below.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Resolved tickets ==
* 6774 FreeIPA client <= 4.4 fail to parse 4.5 cookies
* 6561 CVE-2016-7030 freeipa: ipa: DoS attack against kerberized services by abusing password policy
* 6560 CVE-2016-9575 freeipa: ipa: Insufficient permission check in certprofile-mod
* 6485 Document make_delete_command method in UserTracker
* 6378 Tests: Fix failing sudo test
* 6317 backport #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
* 6316 backport #6199 Received ACIError instead of DuplicatedError in stageuser_tests
* 6311 Fix or remove the `LDAPUpdate.update_from_dict` method
* 6287 Refer to nodes in TestWrongClientDomain replica promotion tests as replicas
* 6284 Tests: avoid skipping tests because of missing files when running as outoftree
* 6278 Use OAEP padding with custodia (to avoid CVE-2016-6298)
* 6262 Fix integration sudo tests setup and checks
* 6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
* 6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
* 6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
* 6177 ca-less test are broken - invalid usage of ipautil.run
* 6167 Incorrect domainlevel info in tests
* 6166 Subsequent external CA installation fails
* 6147 Failing automember tests due to manager output normalization
* 6134 Command "ipa-replica-prepare" not allowed to create line replication topology
* 6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
* 6076 Multiple domain Active Directory Trust conflict
* 6056 custodia.conf and server.keys file is world-readable.
* 6016 ipa-ca-install on replica tries to connect to master:8443
* 5696 Add conflicts with bind-chroot to spec.

== Detailed changelog since 4.3.2 ==
=== Alexander Bokovoy (5) ===
* ipa-kdb: search for password policies globally
* ipa-kdb: simplify trusted domain parent search
* trust: make sure ID range is created for the child domain even if it exists
* trust: automatically resolve DNS trust conflicts for triangle trusts
* ipaserver/dcerpc: reformat to make the code closer to pep8

=== Christian Heimes (3) ===
* Use RSA-OAEP instead of RSA PKCS#1 v1.5
* Secure permissions of Custodia server.keys
* RedHatCAService should wait for local Dogtag instance

=== David Kupka (1) ===
* password policy: Add explicit default password policy for hosts and services

=== Fraser Tweedale (2) ===
* certprofile-mod: correctly authorise config update
* cert-revoke: fix permission check bypass (CVE-2016-5404)

=== Ganna Kaihorodova (1) ===
* Fix for integration tests replication layouts

=== Jan Cholasta (2) ===
* Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
* install: fix external CA cert validation

=== Lenka Doudova (7) ===
* Document make_delete_command method in UserTracker
* Tests: Fix integration sudo test
* Tests: Fix integration sudo tests setup and checks
* Tests: Avoid skipping tests due to missing files
* Raise error when running ipa-adtrust-install with empty netbios--name
* Tests: Fix failing automember tests
* Tests: Remove DNS configuration from trust tests

=== Martin Babinsky (1) ===
* add python-libsss_nss_idmap and python-sss to BuildRequires

=== Martin Basti (5) ===
* Become IPA 4.3.3
* Update Contributors.txt
* Raise DuplicatedEnrty error when user exists in delete_container
* Catch DNS exceptions during emptyzones named.conf upgrade
* Start named during configuration upgrade.

=== Oleg Fayans (3) ===
* Changed addressing to the client hosts to be replicas
* Disabled raiseonerr in kinit call during topology level check
* Fixed incorrect domainlevel determination in tests

=== Peter Lacko (1) ===
* Test URIs in certificate.

=== Petr Spacek (3) ===
* Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
* DNS server upgrade: do not fail when DNS server did not respond
* Fix ipa-replica-prepare's error message about missing local CA instance

=== Petr Vobornik (1) ===
* ca-less tests: fix getting cert in 

[Freeipa-devel] Announcing FreeIPA 4.4.4

2017-03-23 Thread Martin Basti

Release date: 2017-03-23

The FreeIPA team would like to announce FreeIPA 4.4.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository .


This announcement is also available 
at.



== Highlights in 4.4.4 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.4.4 is a stabilization release for the features delivered as a
part of 4.4.0.

== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Resolved tickets ==
* 6776 krb5 1.15 broke DAL principal free
* 6738 Ipa-kra-install fails with weird output when backspace is used during typing Directory Manager password
* 6713 ipa: Insufficient permission check for ca-del, ca-disable and ca-enable commands (CVE-2017-2590)
* 6647 batch param compatibility is incorrect
* 6608 IPA server installation should check if IPv6 stack is enabled
* 6600 Legacy client tests doesn't have tree domain role.
* 6588 replication race condition prevents IPA to install
* 6575 ipa-replica-install fails on requesting DS cert when master is not configured with IPv6
* 6070 ipa-replica-install fails to install when resolv.conf incomplete entries

== Detailed changelog since 4.4.3 ==
=== Alexander Bokovoy (1) ===
* ipa-kdb: support KDB DAL version 6.1

=== David Kupka (1) ===
* ipapython.ipautil.nolog_replace: Do not replace empty value

=== Florence Blanc-Renaud (1) ===
* Do not configure PKI ajp redirection to use "::1"

=== Fraser Tweedale (2) ===
* ca: correctly authorise ca-del, ca-enable and ca-disable
* Set up DS TLS on replica in CA-less topology

=== Ganna Kaihorodova (1) ===
* Tests: Add tree root domain role in legacy client tests

=== Jan Cholasta (1) ===
* compat: fix `Any` params in `batch` and `dnsrecord`

=== Martin Basti (7) ===
* Become IPA 4.4.4
* Update Contributors.txt
* FreeIPA 4.4.4 translations
* Bump python-dns to improve processing of non-complete resolv.conf
* Use proper logging for error messages
* Wait until HTTPS principal entry is replicated to replica
* wait_for_entry: use only DN as parameter

=== Stanislav Laznicka (2) ===
* Add debug log in case cookie retrieval went wrong
* Fix cookie with Max-Age processing

=== Tomas Krizek (1) ===
* server install: require IPv6 stack to be enabled

=== Thorsten Scherf (1) ===
* added ssl verification using IPA trust anchor


[Freeipa-devel] [freeipa PR#648][closed] [4.4] Update Contributors.txt

2017-03-23 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/648
Author: MartinBasti
 Title: #648: [4.4] Update Contributors.txt
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/648/head:pr648
git checkout pr648

[Freeipa-devel] [freeipa PR#648][+pushed] [4.4] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/648
Title: #648: [4.4] Update Contributors.txt

Label: +pushed

[Freeipa-devel] [freeipa PR#648][comment] [4.4] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/648
Title: #648: [4.4] Update Contributors.txt

tomaskrizek commented:
"""
ipa-4-4:

* b150a7a9941893d11d4bccc4f0e1e2bd4b27d289 Update Contributors.txt
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/648#issuecomment-288787836

[Freeipa-devel] [freeipa PR#647][comment] [4.3] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/647
Title: #647: [4.3] Update Contributors.txt

tomaskrizek commented:
"""
ipa-4-3:

* 4ce58141cce0a58ec896b93bc1409a56a88c7700 Update Contributors.txt
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/647#issuecomment-288787577

[Freeipa-devel] [freeipa PR#647][closed] [4.3] Update Contributors.txt

2017-03-23 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/647
Author: MartinBasti
 Title: #647: [4.3] Update Contributors.txt
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/647/head:pr647
git checkout pr647

[Freeipa-devel] [freeipa PR#647][+pushed] [4.3] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/647
Title: #647: [4.3] Update Contributors.txt

Label: +pushed

[Freeipa-devel] [freeipa PR#647][+ack] [4.3] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/647
Title: #647: [4.3] Update Contributors.txt

Label: +ack

[Freeipa-devel] [freeipa PR#648][+ack] [4.4] Update Contributors.txt

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/648
Title: #648: [4.4] Update Contributors.txt

Label: +ack

[Freeipa-devel] [freeipa PR#648][synchronized] [4.4] Update Contributors.txt

2017-03-23 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/648
Author: MartinBasti
 Title: #648: [4.4] Update Contributors.txt
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/648/head:pr648
git checkout pr648
From 1f987f06336f820a78196bf8b06428e68e639b08 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 23 Mar 2017 17:48:55 +0100
Subject: [PATCH] Update Contributors.txt

---
 .mailmap | 4 
 Contributors.txt | 6 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.mailmap b/.mailmap
index 4fe0587..13960be 100644
--- a/.mailmap
+++ b/.mailmap
@@ -3,6 +3,7 @@ Adam Misnyovszki  
 Endi Sukma DewataSystem Administrator 
 Endi Sukma Dewata 
 Gabe Alford 
+Ganna Kaihorodova  
 Jan Zelený  
 Jim Meyering  
 John Dennis
@@ -36,6 +37,8 @@ Pavel Zůna   
 Pavel Zůna   
 Petr Špaček 
 Petr Voborník   
+Pavel Vomáčka   
+Pavel Vomáčka tester 
 Rich Megginson
 Rob Crittenden  
 Rob Crittenden
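Review bot: the two `Pavel Vomáčka` lines are inserted after the `Petr …` entries, while the surrounding block is ordered by first name (`Pavel Zůna`, then `Petr Špaček`, then `Petr Voborník`); move them above `Pavel Zůna` to keep the file sorted. The second line maps an identity named `tester`, which is unusual enough to deserve a short comment saying whose commits it covers.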
@@ -48,6 +51,7 @@ Rob Crittenden
 Simo Sorce  
 Sumit Bose   
 Sumit Bose   
+Tibor Dudlák   
 Thierry Bordaz  
 Thierry Bordaz 
 Thierry Bordaz 
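Review bot: `Tibor Dudlák` is placed before the three `Thierry Bordaz` lines, but `Th` sorts before `Ti`, so if this block is kept in first-name order like the rest of the file the new entry belongs after them.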
diff --git a/Contributors.txt b/Contributors.txt
index a003a3e..db44c71 100644
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -33,6 +33,7 @@ Developers:
 	Lenka Doudova
 	Benjamin Drung
 	Patrice Duc-Jacquet
+	Tibor Dudlák
 	Drew Erny
 	Oleg Fayans
 	Jérôme Fenal
@@ -42,6 +43,7 @@ Developers:
 	Nick Hatch
 	Christian Heimes
 	Jakub Hrozek
+	Ganna Kaihorodova
 	Abhijeet Kasurde
 	Nathan Kinder
 	Krzysztof Klimonda
@@ -49,6 +51,7 @@ Developers:
 	Martin Košek
 	Ludwig Krispenz
 	Ana Krivokapić
+	Tomas Krizek
 	Milan Kubík
 	Ian Kumlien
 	David Kupka
@@ -56,6 +59,7 @@ Developers:
 	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
+	Ben Lipton
 	Karl MacMillan
 	Niranjan Mallapadi
 	Ales 'alich' Marecek
@@ -92,7 +96,7 @@ Developers:
 	Fraser Tweedale
 	Petr Viktorin
 	Petr Voborník
-	Pavel Vomacka
+	Pavel Vomáčka
 	Andrew Wnuk
 	Jason Woods
 	Adam Young

[Freeipa-devel] [freeipa PR#648][opened] [4.4] Update Contributors.txt

2017-03-23 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/648
Author: MartinBasti
 Title: #648: [4.4] Update Contributors.txt
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/648/head:pr648
git checkout pr648
From 896cfda67102386eceda2d33783e64564d26ca80 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 23 Mar 2017 17:48:55 +0100
Subject: [PATCH] Update Contributors.txt

---
 .mailmap | 4 
 Contributors.txt | 5 +
 2 files changed, 9 insertions(+)

diff --git a/.mailmap b/.mailmap
index 4fe0587..13960be 100644
--- a/.mailmap
+++ b/.mailmap
@@ -3,6 +3,7 @@ Adam Misnyovszki  
 Endi Sukma DewataSystem Administrator 
 Endi Sukma Dewata 
 Gabe Alford 
+Ganna Kaihorodova  
 Jan Zelený  
 Jim Meyering  
 John Dennis
@@ -36,6 +37,8 @@ Pavel Zůna   
 Pavel Zůna   
 Petr Špaček 
 Petr Voborník   
+Pavel Vomáčka   
+Pavel Vomáčka tester 
 Rich Megginson
 Rob Crittenden  
 Rob Crittenden
@@ -48,6 +51,7 @@ Rob Crittenden
 Simo Sorce  
 Sumit Bose   
 Sumit Bose   
+Tibor Dudlák   
 Thierry Bordaz  
 Thierry Bordaz 
 Thierry Bordaz 
diff --git a/Contributors.txt b/Contributors.txt
index a003a3e..c4dabd1 100644
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -33,6 +33,7 @@ Developers:
 	Lenka Doudova
 	Benjamin Drung
 	Patrice Duc-Jacquet
+	Tibor Dudlák
 	Drew Erny
 	Oleg Fayans
 	Jérôme Fenal
@@ -42,6 +43,7 @@ Developers:
 	Nick Hatch
 	Christian Heimes
 	Jakub Hrozek
+	Ganna Kaihorodova
 	Abhijeet Kasurde
 	Nathan Kinder
 	Krzysztof Klimonda
@@ -49,6 +51,7 @@ Developers:
 	Martin Košek
 	Ludwig Krispenz
 	Ana Krivokapić
+	Tomas Krizek
 	Milan Kubík
 	Ian Kumlien
 	David Kupka
@@ -56,6 +59,7 @@ Developers:
 	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
+	Ben Lipton
 	Karl MacMillan
 	Niranjan Mallapadi
 	Ales 'alich' Marecek
@@ -93,6 +97,7 @@ Developers:
 	Petr Viktorin
 	Petr Voborník
 	Pavel Vomacka
+	Pavel Vomáčka
 	Andrew Wnuk
 	Jason Woods
 	Adam Young
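Review bot: `Pavel Vomacka` and `Pavel Vomáčka` now both appear in the Developers list, that is, the same contributor twice; since the `.mailmap` part of this same patch maps the ASCII spelling to the accented one, replace the existing line instead of adding a second (`-\tPavel Vomacka` / `+\tPavel Vomáčka`), which is also what the later revision of this PR in this digest does.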

[Freeipa-devel] [freeipa PR#647][opened] [4.3] Update Contributors.txt

2017-03-23 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/647
Author: MartinBasti
 Title: #647: [4.3] Update Contributors.txt
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/647/head:pr647
git checkout pr647
From 9ec7aa32fb33e6bc87e4d3da03f2e4f6e7053049 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 23 Mar 2017 17:39:05 +0100
Subject: [PATCH] Update Contributors.txt

---
 Contributors.txt | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/Contributors.txt b/Contributors.txt
index 8858724..cf25a3b 100644
--- a/Contributors.txt
+++ b/Contributors.txt
@@ -12,6 +12,7 @@ Developers:
 	Kyle Baker
 	Martin Bašti
 	Sylvain Baubeau
+	Florence Blanc-Renaud
 	Alexander Bokovoy
 	Thierry Bordaz
 	Sumit Bose
@@ -37,6 +38,7 @@ Developers:
 	Nick Hatch
 	Christian Heimes
 	Jakub Hrozek
+	Ganna Kaihorodova
 	Abhijeet Kasurde
 	Nathan Kinder
 	Krzysztof Klimonda
@@ -44,10 +46,12 @@ Developers:
 	Martin Košek
 	Ludwig Krispenz
 	Ana Krivokapić
+	Tomas Krizek
 	Milan Kubík
 	Ian Kumlien
 	David Kupka
 	Robert Kuska
+	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
 	Karl MacMillan
@@ -76,6 +80,7 @@ Developers:
 	Thorsten Scherf
 	Michael Simacek
 	Lars Sjostrom
+	Filip Skola
 	Lukáš Slebodník
 	Simo Sorce
 	Petr Špaček
@@ -84,6 +89,7 @@ Developers:
 	Fraser Tweedale
 	Petr Viktorin
 	Petr Voborník
+	Pavel Vomacka
 	Andrew Wnuk
 	Jason Woods
 	Adam Young
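Review bot: the 4.3 branch gets `Pavel Vomacka` (ASCII) while the 4.4 patch in this same digest adds `Pavel Vomáčka`; pick one spelling for both branches, preferably the accented form the 4.4 `.mailmap` maps to, so the lists do not diverge when changes are merged forward.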

[Freeipa-devel] [freeipa PR#646][closed] [4.4] FreeIPA 4.4.4 translations

2017-03-23 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/646
Author: MartinBasti
 Title: #646: [4.4] FreeIPA 4.4.4 translations
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/646/head:pr646
git checkout pr646

[Freeipa-devel] [freeipa PR#646][comment] [4.4] FreeIPA 4.4.4 translations

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/646
Title: #646: [4.4] FreeIPA 4.4.4 translations

tomaskrizek commented:
"""
ipa-4-4:

* e7beb9a2ae5349525119ee072eebcc385f01c68e FreeIPA 4.4.4 translations
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/646#issuecomment-288780894

[Freeipa-devel] [freeipa PR#646][+pushed] [4.4] FreeIPA 4.4.4 translations

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/646
Title: #646: [4.4] FreeIPA 4.4.4 translations

Label: +pushed

[Freeipa-devel] [freeipa PR#646][+ack] [4.4] FreeIPA 4.4.4 translations

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/646
Title: #646: [4.4] FreeIPA 4.4.4 translations

Label: +ack

[Freeipa-devel] [freeipa PR#646][opened] [4.4] FreeIPA 4.4.4 translations

2017-03-23 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/646
Author: MartinBasti
 Title: #646: [4.4] FreeIPA 4.4.4 translations
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/646/head:pr646
git checkout pr646
From 497a7ce034fec338e1d75fe3e98383e2976b9ddd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 23 Mar 2017 17:14:17 +0100
Subject: [PATCH] FreeIPA 4.4.4 translations

---
 install/po/bn_IN.po |  8 
 install/po/ca.po|  8 
 install/po/cs.po|  8 
 install/po/de.po|  8 
 install/po/es.po|  8 
 install/po/eu.po|  8 
 install/po/fr.po|  8 
 install/po/hi.po|  8 
 install/po/hu.po|  8 
 install/po/id.po|  8 
 install/po/ipa.pot  | 36 
 install/po/ja.po|  8 
 install/po/kn.po|  8 
 install/po/mr.po|  8 
 install/po/nl.po|  8 
 install/po/pl.po|  8 
 install/po/pt_BR.po | 18 +-
 install/po/ru.po|  8 
 install/po/sk.po|  8 
 install/po/tg.po|  8 
 install/po/uk.po| 28 +++-
 install/po/zh_CN.po |  8 
 22 files changed, 136 insertions(+), 98 deletions(-)

diff --git a/install/po/bn_IN.po b/install/po/bn_IN.po
index d5d2eb7..379a91b 100644
--- a/install/po/bn_IN.po
+++ b/install/po/bn_IN.po
@@ -9,15 +9,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n";
-"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"POT-Creation-Date: 2017-03-23 16:24+0100\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
 "PO-Revision-Date: 2015-01-05 01:08-0500\n"
 "Last-Translator: Copied by Zanata \n"
 "Language-Team: Bengali (India) (http://www.transifex.com/projects/p/freeipa/";
 "language/bn_IN/)\n"
 "Language: bn-IN\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 "X-Generator: Zanata 3.9.6\n"
 
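Review bot: This is pure header churn: the hunk moves the MIME-Version, Content-Type and Content-Transfer-Encoding lines above PO-Revision-Date and bumps POT-Creation-Date, with no msgid/msgstr changes, so it is safe to merge; the same reorder repeats in every .po file below. Header order carries no meaning in PO files, so if the translation sync tool keeps flipping it, pinning one tool version would keep future translation commits limited to real string changes.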
diff --git a/install/po/ca.po b/install/po/ca.po
index e0ab376..b4e4e48 100644
--- a/install/po/ca.po
+++ b/install/po/ca.po
@@ -8,15 +8,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n";
-"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"POT-Creation-Date: 2017-03-23 16:24+0100\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
 "PO-Revision-Date: 2015-01-05 01:08-0500\n"
 "Last-Translator: Copied by Zanata \n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/freeipa/language/";
 "ca/)\n"
 "Language: ca\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 "X-Generator: Zanata 3.9.6\n"
 
diff --git a/install/po/cs.po b/install/po/cs.po
index 9dc807b..47439de 100644
--- a/install/po/cs.po
+++ b/install/po/cs.po
@@ -9,15 +9,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n";
-"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"POT-Creation-Date: 2017-03-23 16:24+0100\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
 "PO-Revision-Date: 2015-06-29 01:17-0400\n"
 "Last-Translator: Josef Hruška \n"
 "Language-Team: Czech (http://www.transifex.com/projects/p/freeipa/language/";
 "cs/)\n"
 "Language: cs\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
 "X-Generator: Zanata 3.9.6\n"
 
diff --git a/install/po/de.po b/install/po/de.po
index 04394fe..51f8e9e 100644
--- a/install/po/de.po
+++ b/install/po/de.po
@@ -15,15 +15,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n";
-"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"POT-Creation-Date: 2017-03-23 16:24+0100\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
 "PO-Revision-Date: 2016-11-25 04:33-0500\n"
 "Last-Translator: David Kreitschmann \n"
 "Language-Team: German (http://www.transifex.com/projects/p/freeipa/language/";
 "de/)\n"
 "Language: de\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 "X-Generator: Zanata 3.9.6\n"
 
diff --git a/install/po/es.po b/install/po/es.po
index 32dc0ce..47c38ce 100644
--- a/install/po/es.po
+++ b/install/po/es.po
@@ -18,15 +18,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: htt

[Freeipa-devel] [freeipa PR#470][synchronized] WebUI: Size limit warning on details pages fixed

2017-03-23 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/470
Author: pvomacka
 Title: #470: WebUI: Size limit warning on details pages fixed
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/470/head:pr470
git checkout pr470
From f1d8fc4bedc825612393dbac0d6c58e1cb7db735 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 17 Mar 2017 15:10:42 +0100
Subject: [PATCH 1/2] WebUI: Add support for suppressing warnings

Each command can have specified an array of warning codes which will
be suppressed and won't be shown.

For specifying this it is necessary to set command property
'supressed_warnings: [codes_of_warning]'

Part of: https://pagure.io/freeipa/issue/6618
---
 install/ui/src/freeipa/rpc.js | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 7ae1b64..c910427 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -72,6 +72,12 @@ rpc.command = function(spec) {
 that.options = $.extend({}, spec.options || {});
 
 /**
+ * @property {Array} suppress_warnings array of message codes which
+ * are suppressed
+ */
+that.suppress_warnings = spec.suppress_warnings || [];
+
+/**
  * Success handler
  * @property {Function}
  * @param {Object} data
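Review bot: The property is named suppress_warnings here but the commit message documents it as 'supressed_warnings: [codes_of_warning]'; fix the commit message so it matches the code, otherwise callers copying from the log will set a property nothing reads. The JSDoc could also state that the codes are numeric (the second patch passes [13017]) so callers do not pass strings.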
@@ -219,6 +225,7 @@ rpc.command = function(spec) {
 
 for (var i=0,l=msgs.length; i -1) continue;
 // escape and reformat message
 msg.message = util.beautify_message(msg.message);
 IPA.notify(msg.message, msg.type);
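Review bot: The inserted line is mangled in this listing (the text between `i` and `-1) continue;` was lost in extraction, presumably at a `<`), so the actual check cannot be reviewed from the hunk; please view it in the PR. The surviving fragment `-1) continue;` suggests an indexOf(...) > -1 test against suppress_warnings; indexOf uses strict equality, so a code that arrives from the server as a string would never match a numeric entry in the array. Either confirm msg.code is always a number in the JSON-RPC response or normalise both sides before comparing.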

From 4c29a605ba94792415c75c2c1c25c2e6485d6942 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Fri, 17 Mar 2017 15:10:49 +0100
Subject: [PATCH 2/2] WebUI: suppress truncation warning in select widget

This widget is used on details pages and dialogs. When the size limit
is set to lower number the warning about truncation was shown every time
the details page was open.

Now, with support for suppressing warning messages from server according
to its code, we are able to disable warning with 13017 code (truncation
warning)

https://pagure.io/freeipa/issue/6618
---
 install/ui/src/freeipa/widget.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 223b449..b7a6504 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5012,7 +5012,8 @@ IPA.entity_select_widget = function(spec) {
 entity: that.other_entity.name,
 method: 'find',
 args: [filter],
-options: that.filter_options
+options: that.filter_options,
+suppress_warnings: [13017]
 });
 var no_members = metadata.get('@mc-opt:' + cmd.get_command() + ':no_members');
 if (no_members) {
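Review bot: 13017 is a bare magic number at the call site; readers of widget.js will not know it means the search-result truncation warning without digging up the commit message. Define it once as a named constant (or at least add a trailing comment such as `// truncation warning`) so other widgets that need the same suppression reuse it rather than copying the literal.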

[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users

2017-03-23 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/639
Title: #639: WebUI: Login for AD Users

pvomacka commented:
"""
I implemented all comments which you proposed and I also changed menu of AD 
user selfservice - I removed User tab and renamed User ID override to Profile.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/639#issuecomment-288744985

[Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users

2017-03-23 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/639
Author: pvomacka
 Title: #639: WebUI: Login for AD Users
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/639/head:pr639
git checkout pr639
From 36d039e75ebf07af0ad66d4f5b93fe6b4ea052dc Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 22 Mar 2017 16:39:21 +0100
Subject: [PATCH 1/3] WebUI: check principals in lowercase

WebUI checks whether principal name of logged user and principal name
in each command is equal. As KDC for our principals is case insensitive
- it does make sense to switch this check also into case insensitive.
So both principals are reformatted to lower case and then
compared.

Part of: https://pagure.io/freeipa/issue/3242
---
 install/ui/src/freeipa/rpc.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 7ae1b64..1880f8d 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -389,7 +389,8 @@ rpc.command = function(spec) {
 } else if (IPA.version && data.version && IPA.version !== data.version) {
 window.location.reload();
 
-} else if (IPA.principal && data.principal && IPA.principal !== data.principal) {
+} else if (IPA.principal && data.principal &&
+IPA.principal.toLowerCase() !== data.principal.toLowerCase()) {
 window.location.reload();
 
 } else if (data.error) {
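Review bot: The reload check now lowercases both principals before comparing, which matches the case-insensitive KDC lookup described in the commit message, but nothing at the comparison says so; add a one-line comment there so the case folding is not "fixed" back later. This only affects the client-side decision to reload the UI when the logged-in principal differs from the one in the response; it does not change any server-side check.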

From cb5d8825ee05695265fd62f5cad6ee9de7072aab Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 22 Mar 2017 16:48:36 +0100
Subject: [PATCH 2/3] WebUI: add method for disabling item in user dropdown
 menu

AD user can do only several things. One of those which are not
allowed is to reset password to itself. Therefore we need to be
able to turn off an item in dropdown menu. In our case
'Password reset' item. Function which disables menu item and detaches
the listener on click from the item specified by its name was added.

Part of: https://pagure.io/freeipa/issue/3242
---
 install/ui/src/freeipa/Application_controller.js | 42 
 install/ui/src/freeipa/widgets/App.js|  4 +++
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 32add5f..d809c1f 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -69,6 +69,16 @@ define([
 facet_changing: false,
 
 /**
+ * Listeners for user menu items
+ */
+ on_profile_listener: null,
+ on_passwd_reset_listener: null,
+ on_logout_listener: null,
+ on_item_select_listener: null,
+ on_configuration_listerer: null,
+ on_about_listener: null,
+
+/**
  * Currently displayed facet
  *
  */
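Review bot: on_configuration_listerer is misspelled (should be on_configuration_listener); the same typo is carried into register_user_menu_listeners further down, so it works only because both sites agree on the wrong name. Rename both occurrences before merge.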
@@ -109,12 +119,7 @@ define([
 }
 };
 
-on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this));
-on(this.app_widget, 'profile-click', this.on_profile.bind(this));
-on(this.app_widget, 'logout-click', this.on_logout.bind(this));
-on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this));
-on(this.app_widget, 'configuration-click', this.on_configuration.bind(this));
-on(this.app_widget, 'about-click', this.on_about.bind(this));
+this.register_user_menu_listeners();
 
 on(this.router, 'facet-show', this.on_facet_show.bind(this));
 on(this.router, 'facet-change', this.on_facet_change.bind(this));
@@ -133,6 +138,31 @@ define([
 IPA.opened_dialogs.start_handling(this);
 },
 
+register_user_menu_listeners: function() {
+this.on_profile_listener = on(this.app_widget, 'profile-click',
+this.on_profile.bind(this));
+this.on_passwd_reset_listener = on(this.app_widget,
+'password-reset-click', this.on_password_reset.bind(this));
+this.on_logout_listener = on(this.app_widget, 'logout-click',
+this.on_logout.bind(this));
+this.on_item_select_listener = on(this.app_widget.menu_widget,
+'item-select', this.on_menu_click.bind(this));
+this.on_configuration_listerer = on(this.app_widget,
+'configuration-click', this.on_configuration.bind(this));
+this.on_about_listener = on(this.app_widget,
+'about-click', this.on_about.bind(this));
+},
+
+/**
+ * Turns off one item in user dropdown menu and remove its listener.
+ * @param {string} name of the user menu item which should be disabled
+ * @param {Object} listener disable t

[Freeipa-devel] [freeipa PR#575][synchronized] IPA certauth plugin

2017-03-23 Thread sumit-bose
   URL: https://github.com/freeipa/freeipa/pull/575
Author: sumit-bose
 Title: #575: IPA certauth plugin
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/575/head:pr575
git checkout pr575
From e84f70cceec2421968977e4012bbf747e060b5f4 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 15 Feb 2017 12:09:20 +0100
Subject: [PATCH 1/2] ipa-kdb: add ipadb_fetch_principals_with_extra_filter()

Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905
---
 daemons/ipa-kdb/ipa_kdb.h| 11 +++
 daemons/ipa-kdb/ipa_kdb_principals.c | 58 
 2 files changed, 56 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 8a3f7d3..72f2675 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -198,6 +198,17 @@ krb5_error_code ipadb_put_principal(krb5_context kcontext,
 char **db_args);
 krb5_error_code ipadb_delete_principal(krb5_context kcontext,
krb5_const_principal search_for);
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result);
+krb5_error_code ipadb_find_principal(krb5_context kcontext,
+ unsigned int flags,
+ LDAPMessage *res,
+ char **principal,
+ LDAPMessage **entry);
 #if KRB5_KDB_API_VERSION < 8
 krb5_error_code ipadb_iterate(krb5_context kcontext,
   char *match_entry,
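Review bot: The new public prototype gives no indication of what `filter` is: whether it may be NULL, and whether it must be a complete parenthesized LDAP filter term. Add a doc comment above ipadb_fetch_principals_with_extra_filter stating both, because callers outside this file now depend on that contract.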
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 3bd8fb8..82c8574 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -37,6 +37,17 @@
 "(objectclass=krbprincipal))" \
   "(krbprincipalname=%s))"
 
+#define PRINC_TGS_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal)" \
+  "(objectclass=ipakrbprincipal))" \
+"(|(ipakrbprincipalalias=%s)" \
+  "(krbprincipalname:caseIgnoreIA5Match:=%s))" \
+ "%s)"
+
+#define PRINC_SEARCH_FILTER_EXTRA "(&(|(objectclass=krbprincipalaux)" \
+  "(objectclass=krbprincipal))" \
+"(krbprincipalname=%s)" \
+"%s)"
 static char *std_principal_attrs[] = {
 "krbPrincipalName",
 "krbCanonicalName",
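Review bot: Both _EXTRA macros splice the caller's filter in as a bare `%s` inside the enclosing `(&...)`, so the argument must already be a well-formed LDAP filter term such as `(attr=value)`; a comment on the macros saying so would stop callers from passing an unparenthesized `attr=value`. Also, a blank line is missing between the PRINC_SEARCH_FILTER_EXTRA definition and `static char *std_principal_attrs[]`.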
@@ -864,10 +875,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
 return kerr;
 }
 
-static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
-  unsigned int flags,
-  char *principal,
-  LDAPMessage **result)
+krb5_error_code
+ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
+ unsigned int flags,
+ const char *principal,
+ const char *filter,
+ LDAPMessage **result)
 {
 krb5_error_code kerr;
 char *src_filter = NULL;
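Review bot: Dropping static and renaming the definition exports the symbol, but nothing in this hunk redefines ipadb_fetch_principals, so existing in-file callers presumably get a wrapper elsewhere in the patch; make sure that wrapper passes filter = NULL so the original filter selection is preserved. Changing `char *principal` to `const char *` is a welcome tightening.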
@@ -890,11 +903,21 @@ static krb5_error_code ipadb_fetch_principals(struct ipadb_context *ipactx,
 goto done;
 }
 
-if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
-ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-   esc_original_princ, esc_original_princ);
+if (filter == NULL) {
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
+   esc_original_princ, esc_original_princ);
+} else {
+ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+}
 } else {
-ret = asprintf(&src_filter, PRINC_SEARCH_FILTER, esc_original_princ);
+if (flags & KRB5_KDB_FLAG_ALIAS_OK) {
+ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
+   esc_original_princ, esc_original_princ, filter);
+} else {
+ret = asprintf(&src_filter, PRINC_SEARCH_FILTER_EXTRA,
+   esc_original_princ, filter);
+}
 }
 
 if (ret == -1) {
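Review bot: The principal is escaped (esc_original_princ) before being formatted into the filter, but `filter` is formatted in verbatim; that is only safe if every caller builds it from escaped values itself. State this in the function's comment, or accept raw attribute values and build the escaped term here if that is what the intended callers have. The four-way if/else could also be collapsed by selecting the format string first and calling asprintf once, which avoids duplicating the escaped-principal argument lists.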
@@ -913,11 +936,20 @

Re: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-23 Thread Alexander Bokovoy

On to, 23 maalis 2017, Simo Sorce wrote:

On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:

On to, 23 maalis 2017, Martin Babinsky wrote:
>Hi List,
>
>TL;DR we have to handle FAST channel establishment when KDC is not issued
>PKINIT keypair
>
>I have spent some time studying and fixing bugs/regressions caused by
>incomplete consideration of PKINIT and anonymous principal setup regarding to
>
>* replicas stood up against old (3.0.0) masters
>* domain level 0 topologies
>* CA-less deployments
>
>I want to discuss the impact of these findings on existing functionality and
>how to fix them so that 4.5.1 release will be more usable and free of subtle
>but serious bugs (more on this later).
>
>From conversation from Alexander and Simo it follows that anonymous PKINIT
>feature is supposed to be used in domain level 1 deployments because only these
>guarantee the presence of the features (CA ACLs and custom certificate
>profiles) which allow for issuing certificates suitable for PKINIT
>authentication. This leads to the following considerations:
>
>* on DL0 enforce no_pkinit on server/replica deployments
>* during upgrade of DL0 deployments, do not issue PKINIT certificates
>* during upgrade of DL1 deployments issue PKINIT certs
>* extend ipa-server-certinstall to install/issue PKINIT certificates after
>  DL0/DL1 upgrade (has to be done manually).
>
>However, I found out that the only case when anonymous PKINIT actually works is
>for fresh DL1 server install and upgrade and install of 4.5.0 replica against
>4.5.0 master in DL1. The following use-cases either fail to install or leave
>the system with unusable password auth (e.g. WebUI login):
>
>* setting up 4.5 replica against <4.5 master fails during anonymous
>  principal setup[1] (ticket states domain level 0, but DL1 is also
>  affected)
>* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
>  leaves the installation without non-working WebUI as anonymous PKINIT does
>  not work (ticket incoming)
>* If we restrict DL0 installs to force no_pkinit[2] we will be left with
>  whole topologies where anonymous PKINIT does not work, so no WebUI auth
>  for them
>
>We now have to decide how to properly support or avoid non-PKINIT deployments.
>The current code which handles armoring of password auth requests[3] does not
>actually work without PKINIT certificates, the fallback mechanism still fails
>to obtain armor ccache[4].
>
>I have concluded that for non-PKINIT cases we have
>to use the old way to armor TGT request (i.e. establish fast channel by
>kinit as service principal), but this means that the framewrok has to use a
>service principal whose keytab it can read and use. After privilege separation,
>however, we do not have direct access to HTTP keytab so how should we proceed
>in this case? We definitely need to discuss this further.
>
>Please state your suggestions and comments, and sorry for the long mail.
Thanks, Martin, for the thorough analysis.

I need to clarify *why* we need working Anonymous PKINIT. There are two
separate needs here:

 - Enable clients with no access to a separate key to be usable for 2FA
   accounts. This can be best explained as to support Kerberos auth from
   non-enrolled machines or machines where no SSSD is in use. In such
   cases we cannot use another credentials to create FAST channel and
   pass 2FA creds with kinit.

 - Enable IPA framework to perform password-based login for 2FA. With
   privilege separation we don't have access to HTTP/... principal's
   keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
   support FAST channel wrapping for explicitly specified password+2FA
   token.

For DL0 we do not officially support PKINIT, so first case is not
relevant. However, second case is what we need even on DL0 because
otherwise IPA framework does not work, as you have witnessed.

We thought that we could solve this problem by re-using anonymous
principal as 'normal' principal -- by fetching its keytab and
authenticating with the keys from it. But for anonymous principal MIT
Kerberos library does verification of the session key and requires it to
be provided with PKINIT PA DATA when there is no wrapping principal
keys.

See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1


   The Kerberos client can use the client's long-term keys, the client's
   X.509 certificates [RFC4556], or any other pre-authentication data,
   to authenticate to the KDC and requests an anonymous ticket in an AS
   exchange where the client's identity is known to the KDC.

   If the client in the AS request is anonymous, the anonymous KDC
   option MUST be set in the request.  Otherwise, the KDC MUST return a
   KRB-ERROR message with the code KDC_ERR_BADOPTION.


Corresponding code in MIT Kerberos is this:
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157

So, using keytab for anonymous principal does not work. We either can
have another principal to perfor

[Freeipa-devel] [DRAFT] release notes FreeIPA 4.4.4

2017-03-23 Thread Martin Basti
Please check the draft of the release notes for FreeIPA 4.4.4 release: 
http://www.freeipa.org/page/Releases/4.4.4


Martin^2



[Freeipa-devel] [DRAFT] release notes FreeIPA 4.3.3

2017-03-23 Thread Martin Basti
Please check the draft of the release notes for FreeIPA 4.3.3 release: 
http://www.freeipa.org/page/Releases/4.3.3


Martin^2



Re: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-23 Thread Simo Sorce
On Thu, 2017-03-23 at 16:08 +0200, Alexander Bokovoy wrote:
> On to, 23 maalis 2017, Martin Babinsky wrote:
> >Hi List,
> >
> >TL;DR we have to handle FAST channel establishment when KDC is not issued
> >PKINIT keypair
> >
> >I have spent some time studying and fixing bugs/regressions caused by
> >incomplete consideration of PKINIT and anonymous principal setup regarding to
> >
> >* replicas stood up against old (3.0.0) masters
> >* domain level 0 topologies
> >* CA-less deployments
> >
> >I want to discuss the impact of these findings on existing functionality and
> >how to fix them so that 4.5.1 release will be more usable and free of subtle
> >but serious bugs (more on this later).
> >
> >From conversation from Alexander and Simo it follows that anonymous PKINIT
> >feature is supposed to be used in domain level 1 deployments because only 
> >these
> >guarantee the presence of the features (CA ACLs and custom certificate
> >profiles) which allow for issuing certificates suitable for PKINIT
> >authentication. This leads to the following considerations:
> >
> >* on DL0 enforce no_pkinit on server/replica deployments
> >* during upgrade of DL0 deployments, do not issue PKINIT certificates
> >* during upgrade of DL1 deployments issue PKINIT certs
> >* extend ipa-server-certinstall to install/issue PKINIT certificates after
> >  DL0/DL1 upgrade (has to be done manually).
> >
> >However, I found out that the only case when anonymous PKINIT actually works 
> >is
> >for fresh DL1 server install and upgrade and install of 4.5.0 replica against
> >4.5.0 master in DL1. The following use-cases either fail to install or leave
> >the system with unusable password auth (e.g. WebUI login):
> >
> >* setting up 4.5 replica against <4.5 master fails during anonymous
> >  principal setup[1] (ticket states domain level 0, but DL1 is also
> >  affected)
> >* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
> >  leaves the installation without non-working WebUI as anonymous PKINIT does
> >  not work (ticket incoming)
> >* If we restrict DL0 installs to force no_pkinit[2] we will be left with
> >  whole topologies where anonymous PKINIT does not work, so no WebUI auth
> >  for them
> >
> >We now have to decide how to properly support or avoid non-PKINIT 
> >deployments.
> >The current code which handles armoring of password auth requests[3] does not
> >actually work without PKINIT certificates, the fallback mechanism still fails
> >to obtain armor ccache[4].
> >
> >I have concluded that for non-PKINIT cases we have
> >to use the old way to armor TGT request (i.e. establish fast channel by
> >kinit as service principal), but this means that the framework has to use a
> >service principal whose keytab it can read and use. After privilege 
> >separation,
> >however, we do not have direct access to HTTP keytab so how should we proceed
> >in this case? We definitely need to discuss this further.
> >
> >Please state your suggestions and comments, and sorry for the long mail.
> Thanks, Martin, for the thorough analysis.
> 
> I need to clarify *why* we need working Anonymous PKINIT. There are two
> separate needs here:
> 
>  - Enable clients with no access to a separate key to be usable for 2FA
>accounts. This can be best explained as to support Kerberos auth from
>non-enrolled machines or machines where no SSSD is in use. In such
>cases we cannot use another credentials to create FAST channel and
>pass 2FA creds with kinit.
> 
>  - Enable IPA framework to perform password-based login for 2FA. With
>privilege separation we don't have access to HTTP/... principal's
>keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
>support FAST channel wrapping for explicitly specified password+2FA
>token.
> 
> For DL0 we do not officially support PKINIT, so first case is not
> relevant. However, second case is what we need even on DL0 because
> otherwise IPA framework does not work, as you have witnessed.
> 
> We thought that we could solve this problem by re-using anonymous
> principal as 'normal' principal -- by fetching its keytab and
> authenticating with the keys from it. But for anonymous principal MIT
> Kerberos library does verification of the session key and requires it to
> be provided with PKINIT PA DATA when there is no wrapping principal
> keys.
> 
> See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1
> 
> 
>The Kerberos client can use the client's long-term keys, the client's
>X.509 certificates [RFC4556], or any other pre-authentication data,
>to authenticate to the KDC and requests an anonymous ticket in an AS
>exchange where the client's identity is known to the KDC.
> 
>If the client in the AS request is anonymous, the anonymous KDC
>option MUST be set in the request.  Otherwise, the KDC MUST return a
>KRB-ERROR message with the code KDC_ERR_BADOPTION.
> 
> 
> Corresponding code in MIT Kerberos is this: 
> https:

Re: [Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-23 Thread Alexander Bokovoy

On to, 23 maalis 2017, Martin Babinsky wrote:

Hi List,

TL;DR we have to handle FAST channel establishment when KDC is not issued
PKINIT keypair

I have spent some time studying and fixing bugs/regressions caused by
incomplete consideration of PKINIT and anonymous principal setup regarding to

* replicas stood up against old (3.0.0) masters
* domain level 0 topologies
* CA-less deployments

I want to discuss the impact of these findings on existing functionality and
how to fix them so that 4.5.1 release will be more usable and free of subtle
but serious bugs (more on this later).

From conversation from Alexander and Simo it follows that anonymous PKINIT
feature is supposed to be used in domain level 1 deployments because only these
guarantee the presence of the features (CA ACLs and custom certificate
profiles) which allow for issuing certificates suitable for PKINIT
authentication. This leads to the following considerations:

* on DL0 enforce no_pkinit on server/replica deployments
* during upgrade of DL0 deployments, do not issue PKINIT certificates
* during upgrade of DL1 deployments issue PKINIT certs
* extend ipa-server-certinstall to install/issue PKINIT certificates after
 DL0/DL1 upgrade (has to be done manually).

However, I found out that the only case when anonymous PKINIT actually works is
for fresh DL1 server install and upgrade and install of 4.5.0 replica against
4.5.0 master in DL1. The following use-cases either fail to install or leave
the system with unusable password auth (e.g. WebUI login):

* setting up 4.5 replica against <4.5 master fails during anonymous
 principal setup[1] (ticket states domain level 0, but DL1 is also
 affected)
* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
 leaves the installation without non-working WebUI as anonymous PKINIT does
 not work (ticket incoming)
* If we restrict DL0 installs to force no_pkinit[2] we will be left with
 whole topologies where anonymous PKINIT does not work, so no WebUI auth
 for them

We now have to decide how to properly support or avoid non-PKINIT deployments.
The current code which handles armoring of password auth requests[3] does not
actually work without PKINIT certificates, the fallback mechanism still fails
to obtain armor ccache[4].

I have concluded that for non-PKINIT cases we have
to use the old way to armor TGT request (i.e. establish fast channel by
kinit as service principal), but this means that the framework has to use a
service principal whose keytab it can read and use. After privilege separation,
however, we do not have direct access to HTTP keytab so how should we proceed
in this case? We definitely need to discuss this further.

Please state your suggestions and comments, and sorry for the long mail.

Thanks, Martin, for the thorough analysis.

I need to clarify *why* we need working Anonymous PKINIT. There are two
separate needs here:

- Enable clients with no access to a separate key to be usable for 2FA
  accounts. This can be best explained as to support Kerberos auth from
  non-enrolled machines or machines where no SSSD is in use. In such
  cases we cannot use another credentials to create FAST channel and
  pass 2FA creds with kinit.

- Enable IPA framework to perform password-based login for 2FA. With
  privilege separation we don't have access to HTTP/... principal's
  keytab anymore (gssproxy does) and neither GSSAPI nor gssproxy
  support FAST channel wrapping for explicitly specified password+2FA
  token.

For DL0 we do not officially support PKINIT, so first case is not
relevant. However, second case is what we need even on DL0 because
otherwise IPA framework does not work, as you have witnessed.

We thought that we could solve this problem by re-using anonymous
principal as 'normal' principal -- by fetching its keytab and
authenticating with the keys from it. But for anonymous principal MIT
Kerberos library does verification of the session key and requires it to
be provided with PKINIT PA DATA when there is no wrapping principal
keys.

See RFC 6112 section 4.1: https://tools.ietf.org/html/rfc6112#section-4.1


  The Kerberos client can use the client's long-term keys, the client's
  X.509 certificates [RFC4556], or any other pre-authentication data,
  to authenticate to the KDC and requests an anonymous ticket in an AS
  exchange where the client's identity is known to the KDC.

  If the client in the AS request is anonymous, the anonymous KDC
  option MUST be set in the request.  Otherwise, the KDC MUST return a
  KRB-ERROR message with the code KDC_ERR_BADOPTION.


Corresponding code in MIT Kerberos is this: 
https://github.com/krb5/krb5/blob/master/src/lib/krb5/krb/get_in_tkt.c#L157


So, using keytab for anonymous principal does not work. We either can
have another principal to perform wrapping or actually fix PKINIT for
DL0 for the purpose of IPA framework.

The latter is easy to achieve. Certmonger maintains two local CAs:
SelfSign and 'local':

# getcert li

[Freeipa-devel] [freeipa PR#634][+ack] cert: do not limit internal searches in cert-find

2017-03-23 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/634
Title: #634: cert: do not limit internal searches in cert-find

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#634][comment] cert: do not limit internal searches in cert-find

2017-03-23 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/634
Title: #634: cert: do not limit internal searches in cert-find

stlaz commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/634#issuecomment-288728368
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#645][opened] Create temporary directories at the beginning of uninstall

2017-03-23 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/645
Author: dkupka
 Title: #645: Create temporary directories at the beginning of uninstall
Action: opened

PR body:
"""
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary directories exist. Creating
the directories at the beginning of server uninstall ensures that the uninstall
will go through.

https://pagure.io/freeipa/issue/6715
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/645/head:pr645
git checkout pr645
From aa2074218c0aa37fd9711dd6e4fd5d8e992b5084 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 23 Mar 2017 12:48:06 +0100
Subject: [PATCH] Create temporary directories at the beginning of uninstall

Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary directories exist. Creating
the directories at the beginning of server uninstall ensures that the uninstall
will go through.

https://pagure.io/freeipa/issue/6715
---
 ipaserver/install/server/install.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index de6b5b3..d7eb0bf 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1042,6 +1042,10 @@ def uninstall(installer):
 
 rv = 0
 
+# further steps assumes that temporary directories exists so rather
+# ensure they are created
+tasks.create_tmpfiles_dirs()
+
 print("Shutting down all IPA services")
 try:
 services.knownservices.ipa.stop()
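Review bot: the comment grammar needs fixing ("further steps assume that temporary directories exist, so ensure they are created"), and tasks.create_tmpfiles_dirs() is called unguarded before the service shutdown: if it raises (for example because a directory cannot be created with the expected ownership on a partially removed system), uninstall aborts before reaching the very steps that depended on it. Consider catching and logging the failure so the remaining uninstall steps still run, which is the stated goal of the change.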
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#639][synchronized] WebUI: Login for AD Users

2017-03-23 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/639
Author: pvomacka
 Title: #639: WebUI: Login for AD Users
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/639/head:pr639
git checkout pr639
From 79a2dbfd1459ff4f1e95cbc547625222efa6beb1 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 22 Mar 2017 16:39:21 +0100
Subject: [PATCH 1/3] WebUI: check principals in lowercase

WebUI checks whether the principal name of the logged-in user and the principal
name in each command are equal. As the KDC for our principals is case
insensitive, it makes sense to make this check case insensitive as well.
So both principals are reformatted to lower case and then
compared.

Part of: https://pagure.io/freeipa/issue/3242
---
 install/ui/src/freeipa/rpc.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/rpc.js b/install/ui/src/freeipa/rpc.js
index 7ae1b64..1880f8d 100644
--- a/install/ui/src/freeipa/rpc.js
+++ b/install/ui/src/freeipa/rpc.js
@@ -389,7 +389,8 @@ rpc.command = function(spec) {
 } else if (IPA.version && data.version && IPA.version !== data.version) {
 window.location.reload();
 
-} else if (IPA.principal && data.principal && IPA.principal !== data.principal) {
+} else if (IPA.principal && data.principal &&
+IPA.principal.toLowerCase() !== data.principal.toLowerCase()) {
 window.location.reload();
 
 } else if (data.error) {
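Review bot: IPA.principal.toLowerCase() !== data.principal.toLowerCase() folds the realm as well as the name part; Kerberos realm names are case-sensitive (RFC 4120), and the commit message only argues that the KDC treats the principal name case-insensitively. If that is the intent, split on the last '@' and compare only the name part case-insensitively, keeping the realm comparison exact. Note also that a mismatch here results in window.location.reload() rather than a denial, so the commit message should say that this check is a session-consistency guard, not an authorization check.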

From 23c693d8dae97e7b319c0608a5a9203ac4b0a185 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Wed, 22 Mar 2017 16:48:36 +0100
Subject: [PATCH 2/3] WebUI: add method for disabling item in user dropdown
 menu

An AD user can do only a few things. One of those which are not
allowed is to reset their own password. Therefore we need to be
able to turn off an item in the dropdown menu, in our case the
'Password reset' item. A function which disables a menu item and detaches
its on-click listener, specified by the item's name, was added.

Part of: https://pagure.io/freeipa/issue/3242
---
 install/ui/src/freeipa/Application_controller.js | 42 
 install/ui/src/freeipa/widgets/App.js|  4 +++
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 32add5f..d809c1f 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -69,6 +69,16 @@ define([
 facet_changing: false,
 
 /**
+ * Listeners for user menu items
+ */
+ on_profile_listener: null,
+ on_passwd_reset_listener: null,
+ on_logout_listener: null,
+ on_item_select_listener: null,
+ on_configuration_listerer: null,
+ on_about_listener: null,
+
+/**
  * Currently displayed facet
  *
  */
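Review bot: on_configuration_listerer in the new property list is a typo for on_configuration_listener, and the same misspelling is used when the handle is assigned in register_user_menu_listeners; fix both now, before a later caller spells it correctly and reads undefined.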
@@ -109,12 +119,7 @@ define([
 }
 };
 
-on(this.app_widget.menu_widget, 'item-select', this.on_menu_click.bind(this));
-on(this.app_widget, 'profile-click', this.on_profile.bind(this));
-on(this.app_widget, 'logout-click', this.on_logout.bind(this));
-on(this.app_widget, 'password-reset-click', this.on_password_reset.bind(this));
-on(this.app_widget, 'configuration-click', this.on_configuration.bind(this));
-on(this.app_widget, 'about-click', this.on_about.bind(this));
+this.register_user_menu_listeners();
 
 on(this.router, 'facet-show', this.on_facet_show.bind(this));
 on(this.router, 'facet-change', this.on_facet_change.bind(this));
@@ -133,6 +138,31 @@ define([
 IPA.opened_dialogs.start_handling(this);
 },
 
+register_user_menu_listeners: function() {
+this.on_profile_listener = on(this.app_widget, 'profile-click',
+this.on_profile.bind(this));
+this.on_passwd_reset_listener = on(this.app_widget,
+'password-reset-click', this.on_password_reset.bind(this));
+this.on_logout_listener = on(this.app_widget, 'logout-click',
+this.on_logout.bind(this));
+this.on_item_select_listener = on(this.app_widget.menu_widget,
+'item-select', this.on_menu_click.bind(this));
+this.on_configuration_listerer = on(this.app_widget,
+'configuration-click', this.on_configuration.bind(this));
+this.on_about_listener = on(this.app_widget,
+'about-click', this.on_about.bind(this));
+},
+
+/**
+ * Turns off one item in user dropdown menu and remove its listener.
+ * @param {string} name of the user menu item which should be disabled
+ * @param {Object} listener disable t
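Review bot: storing the handles returned by on() so that a menu item's click listener can be detached is fine for the UI, but per the commit message the goal is to stop AD users from resetting their own password, and removing the client-side listener must not be the only control: the JSON-RPC call behind 'Password reset' can still be issued directly. The server-side refusal for AD users has to exist independently of this change; state in the commit message where that check lives so the UI change is understood as convenience, not enforcement.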

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules

2017-03-23 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo and HBAC rules

stlaz commented:
"""
The latest patch removes the `rdn_is_primary_key` attribute, replaces it with 
`allow_rename` which actually says correctly what's happening. Also, the 
decision whether primary key is in RDN is decided on checking whether the 
primary key is in RDN rather than on anything else.
Also added a comment explaining that the `modrdn` operation is performed also 
when `setattr` is doing changes to the primary key + RDN because it was far 
from obvious in the code.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/617#issuecomment-288705598
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] PKINIT Handling in mixed/CA-less topologies

2017-03-23 Thread Martin Babinsky
Hi List,

TL;DR we have to handle FAST channel establishment when the KDC is not issued
a PKINIT keypair

I have spent some time studying and fixing bugs/regressions caused by
incomplete consideration of PKINIT and anonymous principal setup with regard to

* replicas stood up against old (3.0.0) masters
* domain level 0 topologies
* CA-less deployments

I want to discuss the impact of these findings on existing functionality and
how to fix them so that 4.5.1 release will be more usable and free of subtle
but serious bugs (more on this later).

From conversations with Alexander and Simo it follows that the anonymous PKINIT
feature is supposed to be used in domain level 1 deployments because only these
guarantee the presence of the features (CA ACLs and custom certificate
profiles) which allow for issuing certificates suitable for PKINIT
authentication. This leads to the following considerations:

* on DL0 enforce no_pkinit on server/replica deployments
* during upgrade of DL0 deployments, do not issue PKINIT certificates
* during upgrade of DL1 deployments issue PKINIT certs
* extend ipa-server-certinstall to install/issue PKINIT certificates after
  DL0/DL1 upgrade (this has to be done manually).

However, I found out that the only case when anonymous PKINIT actually works is
for fresh DL1 server install and upgrade and install of 4.5.0 replica against
4.5.0 master in DL1. The following use-cases either fail to install or leave
the system with unusable password auth (e.g. WebUI login):

* setting up 4.5 replica against <4.5 master fails during anonymous
  principal setup[1] (ticket states domain level 0, but DL1 is also
  affected)
* setting up server-replica with `no_pkinit` option (CA-full or CA-less)
  leaves the installation with a non-working WebUI as anonymous PKINIT does
  not work (ticket incoming)
* If we restrict DL0 installs to force no_pkinit[2] we will be left with
  whole topologies where anonymous PKINIT does not work, so no WebUI auth
  for them

We now have to decide how to properly support or avoid non-PKINIT deployments.
The current code which handles armoring of password auth requests[3] does not
actually work without PKINIT certificates, the fallback mechanism still fails
to obtain armor ccache[4].

I have concluded that for non-PKINIT cases we have
to use the old way to armor TGT request (i.e. establish fast channel by
kinit as service principal), but this means that the framework has to use a
service principal whose keytab it can read and use. After privilege separation,
however, we do not have direct access to HTTP keytab so how should we proceed
in this case? We definitely need to discuss this further.

Please state your suggestions and comments, and sorry for the long mail.

[1] https://pagure.io/freeipa/issue/6799 
[2] https://github.com/freeipa/freeipa/pull/640
[3] https://github.com/freeipa/freeipa/blob/master/ipalib/install/kinit.py#L100
[4] 
https://paste.fedoraproject.org/paste/AcM6ymNxg~pipF~1ZIfbdF5M1UNdIGYhyRLivL9gydE=/

-- 
Martin Babinsky

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#617][synchronized] Allow renaming of sudo and HBAC rules

2017-03-23 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/617
Author: stlaz
 Title: #617: Allow renaming of sudo and HBAC rules
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/617/head:pr617
git checkout pr617
From 1de05a1ae8507aca2fb43a0bccc34a566b7334d7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 16:22:52 +0100
Subject: [PATCH] Allow renaming of HBAC and sudo rules

This allows renaming of some objects that don't necessarily
contain their own primary key in their DN.

TODO: control the check whether DN changed

https://pagure.io/freeipa/issue/2466
---
 API.txt|  6 --
 VERSION.m4 |  4 ++--
 ipaserver/plugins/automount.py |  2 +-
 ipaserver/plugins/baseldap.py  | 32 
 ipaserver/plugins/baseuser.py  |  2 +-
 ipaserver/plugins/ca.py|  2 +-
 ipaserver/plugins/dns.py   |  2 +-
 ipaserver/plugins/group.py |  2 +-
 ipaserver/plugins/hbacrule.py  |  1 +
 ipaserver/plugins/idviews.py   |  6 +++---
 ipaserver/plugins/otptoken.py  |  2 +-
 ipaserver/plugins/permission.py|  2 +-
 ipaserver/plugins/privilege.py |  2 +-
 ipaserver/plugins/radiusproxy.py   |  2 +-
 ipaserver/plugins/role.py  |  2 +-
 ipaserver/plugins/servicedelegation.py |  2 +-
 ipaserver/plugins/sudorule.py  |  1 +
 17 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/API.txt b/API.txt
index f0bd1b6..7594157 100644
--- a/API.txt
+++ b/API.txt
@@ -2163,7 +2163,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: hbacrule_mod/1
-args: 1,16,3
+args: 1,17,3
 arg: Str('cn', cli_name='name')
 option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny'])
 option: Str('addattr*', cli_name='addattr')
@@ -2175,6 +2175,7 @@ option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'a
 option: Bool('ipaenabledflag?', autofill=False)
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('rename?', cli_name='rename')
 option: Flag('rights', autofill=True, default=False)
 option: StrEnum('servicecategory?', autofill=False, cli_name='servicecat', values=[u'all'])
 option: Str('setattr*', cli_name='setattr')
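Review bot: the arg count bump 1,16,3 → 1,17,3 matches the single added Str('rename?') option, but a rename on an HBAC rule is a modrdn that changes the rule's DN; confirm that the permission governing hbacrule_mod also allows the modrdn in the ACI (write access to the naming attribute cn), and that rename is rejected with a clear error when the primary key is not in the RDN, as the baseldap change described in the PR comment intends.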
@@ -5402,7 +5403,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: sudorule_mod/1
-args: 1,20,3
+args: 1,21,3
 arg: Str('cn', cli_name='sudorule_name')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5419,6 +5420,7 @@ option: StrEnum('ipasudorunasgroupcategory?', autofill=False, cli_name='runasgro
 option: StrEnum('ipasudorunasusercategory?', autofill=False, cli_name='runasusercat', values=[u'all'])
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('rename?', cli_name='rename')
 option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Int('sudoorder?', autofill=False, cli_name='order', default=0)
diff --git a/VERSION.m4 b/VERSION.m4
index cfac2a9..6c4213d 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 223)
-# Last change: Add domain resolution order to ID views
+define(IPA_API_VERSION_MINOR, 224)
+# Last change: Add rename option to some *_mod commands
 
 
 
diff --git a/ipaserver/plugins/automount.py b/ipaserver/plugins/automount.py
index c4cf2d6..03f994c 100644
--- a/ipaserver/plugins/automount.py
+++ b/ipaserver/plugins/automount.py
@@ -456,7 +456,7 @@ class automountkey(LDAPObject):
 default_attributes = [
 'automountkey', 'automountinformation', 'description'
 ]
-rdn_is_primary_key = True
+allow_rename = True
 rdn_separator = ' '
 
 takes_params = (
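Review bot: automountkey swaps rdn_is_primary_key = True for allow_rename = True while keeping rdn_separator = ' ', the separator used when the RDN value is composed from more than the bare primary key; make sure the new rename path in baseldap still builds the new RDN through the same composition (honouring rdn_separator) rather than assuming the RDN is the primary key alone, and add a test that renames an automount key whose value contains a space.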
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 79ba7fc..dbe3cbd 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -36,7 +36,7 @@
 from ipalib.util import json_serialize, validate_hostname
 from ipalib.capabilities import client_has_capability
 from ipalib.messages import add_message, SearchResultTruncated
-from ipapython.dn import DN
+from ipapython.dn import DN, RDN
 from ipapython.version import API_VERSION
 
 if six.PY3:
@@ -549,7 +549,7 @@ class LDAPObject(Object):
 rdn_attribute = ''
 

[Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin

2017-03-23 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/575
Title: #575: IPA certauth plugin

abbra commented:
"""
The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see 
what CI says.

Authentication indicators' handling would need to be added in a separate PR 
once certmap rules would provide the indicator value.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/575#issuecomment-288686687
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request

2017-03-23 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/644
Title: #644: extdom: improve certificate request

abbra commented:
"""
LGTM. I read the code but since SSSD counterpart is currently on review, travis 
fails the build.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/644#issuecomment-288671714
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules

2017-03-23 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/617
Title: #617: Allow renaming of sudo and HBAC rules

stlaz commented:
"""
For the record, and I might be wrong, I did a bit of researching, the 
`rdn_is_primary_key` is actually misused in some cases, as RDN is the primary 
key for e.g. `pwpolicy` and `idrange` but these have this attribute set to 
`False`.
I believe in the above cases, `rdn_is_primary_key` might have been used this 
way just so that those objects do not show the `rename` (they are not allowed 
to change the primary key anyway). I thought we won't need `allow_rename` at 
all in the end but for these cases we will probably need to keep it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/617#issuecomment-288664689
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#644][opened] extdom: improve certificate request

2017-03-23 Thread sumit-bose
   URL: https://github.com/freeipa/freeipa/pull/644
Author: sumit-bose
 Title: #644: extdom: improve certificate request
Action: opened

PR body:
"""
Certificates can be assigned to multiple users so the extdom plugin must use
sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and return a
list of fully-qualified user names.

Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break existing
clients.

Related to https://pagure.io/freeipa/issue/6646

Since I used the reverse lookup for the domain separator in the patch I added a
second patch which does this where needed in the remainder of the code as well
to be consistent. Although using @-signs in short names is not common practice
it might happen as can be seen in https://pagure.io/SSSD/sssd/issue/3219.

The sss_nss_getlistbycert() call is added to SSSD in
https://github.com/SSSD/sssd/pull/207.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/644/head:pr644
git checkout pr644
From ae483eff6cd3db7309e60090334c17aac7c88947 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 17 Mar 2017 14:10:52 +0100
Subject: [PATCH 1/2] extdom: do reverse search for domain separator

To avoid issues with @-signs in the short user or group names it is
better to search for the domain separator starting at the end of the
fully-qualified name.
---
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index e629247..aa1ff10 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -515,7 +515,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 char *short_user_name = NULL;
 
 short_user_name = strdup(user_name);
-if ((locat = strchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_user_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
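Review bot: short_user_name = strdup(user_name) is passed straight to strrchr without a NULL check, so an allocation failure dereferences NULL; since this change touches that line, add the check and route it through the function's existing error path. The move to the last separator is the right call for short names containing '@', as a domain name cannot contain one.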
@@ -626,7 +626,7 @@ int pack_ber_group(enum response_types response_type,
 char *short_group_name = NULL;
 
 short_group_name = strdup(group_name);
-if ((locat = strchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+if ((locat = strrchr(short_group_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
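Review bot: same as in pack_ber_user: strdup(group_name) is not NULL-checked before strrchr is applied to it; add the check together with this change.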
@@ -901,7 +901,7 @@ static int handle_sid_or_cert_request(struct ipa_extdom_ctx *ctx,
 goto done;
 }
 
-sep = strchr(fq_name, SSSD_DOMAIN_SEPARATOR);
+sep = strrchr(fq_name, SSSD_DOMAIN_SEPARATOR);
 if (sep == NULL) {
 set_err_msg(req, "Failed to split fully qualified name");
 ret = LDAP_OPERATIONS_ERROR;
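Review bot: handle_sid_or_cert_request already guards sep == NULL and returns LDAP_OPERATIONS_ERROR, so this call site is fine; add a test covering the three call sites with a short name containing '@' (the case cited in the PR body) so the last-separator convention does not regress to strchr.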

From 7d0c6a9358602331721213a921ccf39e112245f3 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Fri, 17 Mar 2017 14:48:50 +0100
Subject: [PATCH 2/2] extdom: improve cert request

Certificates can be assigned to multiple users so the extdom plugin must
use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and
return a list of fully-qualified user names.

Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break
existing clients.

Related to https://pagure.io/freeipa/issue/6646
---
 .../ipa-extdom-extop/ipa_extdom.h  |   3 +-
 .../ipa-extdom-extop/ipa_extdom_common.c   | 157 ++---
 server.m4  |   2 +-
 3 files changed, 143 insertions(+), 19 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 34e2d3c..bc29f06 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -95,7 +95,8 @@ enum response_types {
 RESP_USER,
 RESP_GROUP,
 RESP_USER_GROUPLIST,
-RESP_GROUP_MEMBERS
+RESP_GROUP_MEMBERS,
+RESP_NAME_LIST
 };
 
 struct extdom_req {
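Review bot: adding RESP_NAME_LIST to enum response_types means every switch over response_types (the packers and the request handlers) needs a case for it; any that fall through to a default error must be updated in this same patch, otherwise a certificate lookup yields an opaque failure instead of the name list.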
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index aa1ff10..fe225fa 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -698,6 +698,90 @@ int pack_ber_group(enum response_types response_type,
 return ret;
 }
 
+int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
+   struct berval **berval)
+{
+BerElement *ber = NULL;
+int ret;
+char *sep;
+size_t c;
+size_t len;
+size_t name_len;
+
+/* count

[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

tomaskrizek commented:
"""
master:

* 2612c092dd797c9c8f772c785aae1f152f06847d Backup ipa-specific httpd unit-file
ipa-4-5:

* 59342a7f6fffe2aaf0b8ce4e10bb41444d8fa25f Backup ipa-specific httpd unit-file
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-288659254
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#607][closed] Backup ipa-specific httpd unit-file

2017-03-23 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/607
Author: stlaz
 Title: #607: Backup ipa-specific httpd unit-file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/607/head:pr607
git checkout pr607
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#607][+pushed] Backup ipa-specific httpd unit-file

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#642][closed] [4.4] Bump python-dns to improve processing of non-complete resolv.conf

2017-03-23 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/642
Author: MartinBasti
 Title: #642: [4.4] Bump python-dns to improve processing of non-complete 
resolv.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/642/head:pr642
git checkout pr642
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#642][+pushed] [4.4] Bump python-dns to improve processing of non-complete resolv.conf

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/642
Title: #642: [4.4] Bump python-dns to improve processing of non-complete 
resolv.conf

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#642][comment] [4.4] Bump python-dns to improve processing of non-complete resolv.conf

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/642
Title: #642: [4.4] Bump python-dns to improve processing of non-complete 
resolv.conf

tomaskrizek commented:
"""
ipa-4-4:

* 951d27ecc591a71c4a1297623b6920136c01bb4b Bump python-dns to improve 
processing of non-complete resolv.conf
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/642#issuecomment-288655781
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#642][+ack] [4.4] Bump python-dns to improve processing of non-complete resolv.conf

2017-03-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/642
Title: #642: [4.4] Bump python-dns to improve processing of non-complete 
resolv.conf

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work

2017-03-23 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/643
Author: dkupka
 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login 
in WebUI work
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/643/head:pr643
git checkout pr643
From c179b1a4cd0aa900fe3d3a044f0d40dab8106a03 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 23 Mar 2017 08:43:51 +0100
Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI
 work

gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34..144d0cd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,9 +267,11 @@ Requires: ntp
 Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_nss >= 1.0.8-26
+# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
+Requires: mod_nss >= 1.0.14-3
 Requires: mod_session
-Requires: mod_lookup_identity
+# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
+Requires: mod_lookup_identity >= 0.9.9
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
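Review bot: the spec comments on the mod_nss and mod_lookup_identity pins only carry a bug or PR URL, while the commit message has the actual reasons (mod_nss no longer sets the remote user in the fixup hook; mod_lookup_identity supports one certificate mapped to multiple users). Put that one-line reason next to each URL so a packager who lowers the pin can see what breaks.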
@@ -297,9 +299,10 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
-Requires: gssproxy >= 0.7.0
-# Require 1.15.1 for the certificate identity mapping feature
-Requires: sssd-dbus >= 1.15.1
+# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+Requires: gssproxy >= 0.7.0-2
+# 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
+Requires: sssd-dbus >= 1.15.2
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
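Review bot: the gssproxy >= 0.7.0-2 pin is the one that matters for authentication: the commit message says it fixes impersonator checking, which the framework depends on now that gssproxy, not the framework, holds the HTTP/ keytab (see the PKINIT thread elsewhere in this digest), so the spec comment should say so instead of only citing the pull request. Also verify that gssproxy 0.7.0-2, mod_nss 1.0.14-3 and sssd-dbus 1.15.2 are actually available for the distributions ipa-4-5 targets before this lands on that branch.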
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work

2017-03-23 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/643
Author: dkupka
 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login 
in WebUI work
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/643/head:pr643
git checkout pr643
From 5d7c233bd7d77d50ef95496659367e79671132a5 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 23 Mar 2017 08:43:51 +0100
Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI
 work

gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34..d5ab377 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,9 +267,11 @@ Requires: ntp
 Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_nss >= 1.0.8-26
+# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
+Requires: mod_nss >= 1.0.14-3
 Requires: mod_session
-Requires: mod_lookup_identity
+# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
+Requires: mod_lookup_identity >= 0.9.9
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
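Review bot: the comments `# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206` and `# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3` give only a URL, so anyone reading the spec offline cannot tell what behaviour the floor guarantees. Suggest a few words beside each link, taken from the commit message: mod_nss no longer sets the remote user in the fixup hook, and mod_lookup_identity supports a single certificate assigned to multiple users.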
@@ -297,9 +299,10 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
-Requires: gssproxy >= 0.7.0
-# Require 1.15.1 for the certificate identity mapping feature
-Requires: sssd-dbus >= 1.15.1
+# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+Requires: gssproxy >= 0.7.0-2
+# 1.15.2: FindByNameAndCertificate
+Requires: sssd-dbus >= 1.15.2
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
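Review bot: `# 1.15.2: FindByNameAndCertificate` is the only bumped requirement in this patch without a reference link, unlike the gssproxy comment directly above it; add the SSSD issue URL so all four comments follow one convention. The removed comment also stated the purpose ("certificate identity mapping feature") while the new one names only the D-Bus method, so keep a short purpose statement alongside the method name.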

[Freeipa-devel] [freeipa PR#643][synchronized] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work

2017-03-23 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/643
Author: dkupka
 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/643/head:pr643
git checkout pr643
From 8395a58e556db4aca1c8ead40dc37dcdde51fdb6 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 23 Mar 2017 08:43:51 +0100
Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI
 work

gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34..24868e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,9 +267,11 @@ Requires: ntp
 Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_nss >= 1.0.8-26
+# Require 1.0.14-3 for certificate login to WebUI
+Requires: mod_nss >= 1.0.14-3
 Requires: mod_session
-Requires: mod_lookup_identity
+# Require 0.9.9 for certificate login to WebUI
+Requires: mod_lookup_identity >= 0.9.9
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
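Review bot: `# Require 1.0.14-3 for certificate login to WebUI` and `# Require 0.9.9 for certificate login to WebUI` repeat the same generic reason for two different packages and do not say what changed in either, so a maintainer later deciding whether a floor can be relaxed has nothing to go on. The commit message already has the specific reasons (mod_nss no longer sets the remote user in the fixup hook; mod_lookup_identity supports a single certificate assigned to multiple users), so put those, plus a bug or PR reference, in the spec comments.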
@@ -297,9 +299,10 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
-Requires: gssproxy >= 0.7.0
-# Require 1.15.1 for the certificate identity mapping feature
-Requires: sssd-dbus >= 1.15.1
+# Require 0.7.0-2 for certificate login to WebUI
+Requires: gssproxy >= 0.7.0-2
+# Require 1.15.2 for the certificate identity mapping feature
+Requires: sssd-dbus >= 1.15.2
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
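Review bot: `# Require 0.7.0-2 for certificate login to WebUI` again names the feature rather than the fix; the commit message says 0.7.0-2 fixes impersonator checking, which is the security-relevant reason and belongs in the comment. Since the requirement includes a release field (`-2`), it only matches a build with that release numbering, so the comment should also say which build carries the fix.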

[Freeipa-devel] [freeipa PR#643][opened] [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work

2017-03-23 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/643
Author: dkupka
 Title: #643: [master, 4.5] spec file: Bump requires to make Certificate Login in WebUI work
Action: opened

PR body:
"""
gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6225
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/643/head:pr643
git checkout pr643
From 1b76443a2638c6a6bdaf2ef49db83afa251e8f08 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 23 Mar 2017 08:43:51 +0100
Subject: [PATCH] spec file: Bump requires to make Certificate Login in WebUI
 work

gssproxy >= 0.7.0-2 - fixes impersonator checking
mod_lookup_identity >= 0.9.9 - adds support for single certificate assigned to multiple users
mod_nss >= 1.0.14-3 - no longer sets remote user in fixup hook
sssd-dbus >= 1.15.2 - adds FindByNameAndCertificate DBus method

https://pagure.io/freeipa/issue/6225
---
 freeipa.spec.in | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f776b34..88b5753 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -267,9 +267,9 @@ Requires: ntp
 Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_nss >= 1.0.8-26
+Requires: mod_nss >= 1.0.14-3
 Requires: mod_session
-Requires: mod_lookup_identity
+Requires: mod_lookup_identity >= 0.9.9
 Requires: python-ldap >= 2.4.15
 Requires: python-gssapi >= 1.2.0
 Requires: acl
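Review bot: `+Requires: mod_nss >= 1.0.14-3` and `+Requires: mod_lookup_identity >= 0.9.9` raise the minimum versions without a comment explaining why, while the sssd-dbus requirement in the next hunk keeps an explanatory comment; the spec already follows that convention, so add a one-line comment per bumped package with the reason from the commit message and a bug or PR reference.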
@@ -297,9 +297,9 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
-Requires: gssproxy >= 0.7.0
-# Require 1.15.1 for the certificate identity mapping feature
-Requires: sssd-dbus >= 1.15.1
+Requires: gssproxy >= 0.7.0-2
+# Require 1.15.2 for the certificate identity mapping feature
+Requires: sssd-dbus >= 1.15.2
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
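Review bot: the sssd-dbus comment changed only in its version number (`# Require 1.15.2 for the certificate identity mapping feature`), but per the commit message the reason for 1.15.2 is the FindByNameAndCertificate D-Bus method, so the comment should say that. `+Requires: gssproxy >= 0.7.0-2` has no comment at all and, because it includes a release field, deserves a note saying which build carries the impersonator-checking fix.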