[Freeipa-devel] [bind-dyndb-ldap PR#15][opened] ignore what configure and make produced

2017-04-06 Thread mingzym
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/15
Author: mingzym
 Title: #15: ignore what configure and make produced
Action: opened

PR body:
"""
Let's ignore all the files configure and make created.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/15/head:pr15
git checkout pr15
From 3771e89e07d39010b213fc1d08f7273b915afb64 Mon Sep 17 00:00:00 2001
From: Zhao Yongming 
Date: Mon, 3 Apr 2017 20:31:19 +0800
Subject: [PATCH] ignore what configure and make produced

---
 .gitignore | 38 ++
 1 file changed, 38 insertions(+)

diff --git a/.gitignore b/.gitignore
index 53d7ed4..22b856b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,6 +21,44 @@ Makefile.in
 /m4
 /missing
 
+# configure
+Makefile
+config.h
+config.log
+config.status
+doc/Makefile
+libtool
+src/.deps/
+src/Makefile
+stamp-h1
+
+# make
+src/.libs/
+src/ldap.la
+src/ldap_la-acl.lo
+src/ldap_la-bindcfg.lo
+src/ldap_la-empty_zones.lo
+src/ldap_la-fs.lo
+src/ldap_la-fwd.lo
+src/ldap_la-fwd_register.lo
+src/ldap_la-krb5_helper.lo
+src/ldap_la-ldap_convert.lo
+src/ldap_la-ldap_driver.lo
+src/ldap_la-ldap_entry.lo
+src/ldap_la-ldap_helper.lo
+src/ldap_la-lock.lo
+src/ldap_la-log.lo
+src/ldap_la-metadb.lo
+src/ldap_la-mldap.lo
+src/ldap_la-rbt_helper.lo
+src/ldap_la-semaphore.lo
+src/ldap_la-settings.lo
+src/ldap_la-str.lo
+src/ldap_la-syncptr.lo
+src/ldap_la-syncrepl.lo
+src/ldap_la-zone.lo
+src/ldap_la-zone_register.lo
+
 # Eclipse
 .project
 .cproject
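Review bot: the `# make` block enumerates every `src/ldap_la-*.lo` object by name, so the list goes stale the next time a source file is added or renamed; patterns such as `*.lo` and `*.la` (plus `*.o` if plain objects appear) cover the libtool outputs without further maintenance. In the `# configure` block, `Makefile` has no leading slash and therefore already matches at any depth, which makes the `doc/Makefile` and `src/Makefile` entries redundant; compare the anchored `/m4` and `/missing` entries in the context lines, which is the style the file otherwise uses for top-level paths.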
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

MartinBasti commented:
"""
Should the anon keytab be removed by upgrade? Are there any leftovers in LDAP to be 
removed during upgrade?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292297598

[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-06 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

redhatrises commented:
"""
@HonzaCholasta ready for your review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/688#issuecomment-292297176

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
I have re-worked the PR and implemented most of the missing steps (except for 
API for querying PKINIT status in topology). I have also removed the 
PKINIT-specific CA and helper. The installer will now call either `IPA` or 
self-sign CA depending on configuration and passed-in options. The PKINIT state 
recording was also changed to depend on the KDC certificate tracking status and 
CA that tracks it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292254190

[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases where proper PKINIT was not configured for whatever reason.

Nevertheless, there are the following things lacking in this PR that I will either
push on top of this one or create a new PR for:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [x] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases where proper PKINIT was not configured for whatever reason.

Nevertheless, there are the following things lacking in this PR that I will either
push on top of this one or create a new PR for:

- [x] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][edited] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: edited

 Changed field: body
Original value:
"""
This PR implements basic local PKINIT functionality for server install with
'--no-pkinit' specified, and replica install against older masters or with
'--no-pkinit'.

These patches unblock WebUI logins/password auths on masters/replicas in the
cases where proper PKINIT was not configured for whatever reason.

Nevertheless, there are the following things lacking in this PR that I will either
push on top of this one or create a new PR for:

- [ ] removal of anonymous keytab, as it is now useless (and always was)
- [ ] upgrade and transitions between PKINIT configurations
- [ ] reporting PKINIT state in LDAP
- [ ] API for querying the PKINIT status on all masters

http://www.freeipa.org/page/V4/Kerberos_PKINIT
"""


[Freeipa-devel] [freeipa PR#694][synchronized] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
From 7dfa337769079d6f4247aa7306abdc0401b38dd6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 31 Mar 2017 15:06:46 +0200
Subject: [PATCH 1/8] Allow for configuration of all three PKINIT variants when
 deploying KDC

The PKINIT setup code now can configure PKINIT using IPA CA signed
certificate, 3rd party certificate and local PKINIT with self-signed
keypair. The local PKINIT is also selected as a fallback mechanism if
the CSR is rejected by CA master.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830
---
 ipaserver/install/krbinstance.py | 127 +--
 1 file changed, 81 insertions(+), 46 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6c105f7..c3d56dc 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -38,6 +38,7 @@
 from ipalib.install import certmonger
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
+from ipapython.dogtag import KDC_PROFILE
 
 from ipaserver.install import replication
 from ipaserver.install import ldapupdate
@@ -354,55 +355,86 @@ def _wait_for_replica_kdc_entry(self):
 remote_ldap.gssapi_bind()
 replication.wait_for_entry(remote_ldap, kdc_dn, timeout=60)
 
+def _call_certmonger(self, certmonger_ca='IPA'):
+subject = str(DN(('cn', self.fqdn), self.subject_base))
+krbtgt = "krbtgt/" + self.realm + "@" + self.realm
+certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
+try:
+prev_helper = None
+# on the first CA-ful master without '--no-pkinit', we issue the
+# certificate by contacting Dogtag directly
+use_dogtag_submit = all(
+[self.master_fqdn is None,
+ self.pkcs12_info is None,
+ self.config_pkinit])
+
+if use_dogtag_submit:
+ca_args = [
+paths.CERTMONGER_DOGTAG_SUBMIT,
+'--ee-url', 'https://%s:8443/ca/ee/ca' % self.fqdn,
+'--certfile', paths.RA_AGENT_PEM,
+'--keyfile', paths.RA_AGENT_KEY,
+'--cafile', paths.IPA_CA_CRT,
+'--agent-submit'
+]
+helper = " ".join(ca_args)
+prev_helper = certmonger.modify_ca_helper(certmonger_ca, helper)
+
+certmonger.request_and_wait_for_cert(
+certpath,
+subject,
+krbtgt,
+ca=certmonger_ca,
+dns=self.fqdn,
+storage='FILE',
+profile=KDC_PROFILE)
+except dbus.DBusException as e:
+# if the certificate is already tracked, ignore the error
+name = e.get_dbus_name()
+if name != 'org.fedorahosted.certmonger.duplicate':
+root_logger.error("Failed to initiate the request: %s", e)
+return
+finally:
+if prev_helper is not None:
+certmonger.modify_ca_helper(certmonger_ca, prev_helper)
+
+def setup_local_pkinit(self):
+self._call_certmonger(certmonger_ca="SelfSign")
+# for self-signed certificate, the certificate is its own CA, copy it
+# as CA cert
+shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM)
+
+def setup_full_pkinit(self):
+try:
+self._call_certmonger()
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+except RuntimeError as e:
+root_logger.error("PKINIT certificate request failed: %s", e)
+root_logger.error("Falling back to local PKINIT with self-signed "
+  "certificate")
+self.stop_tracking_certs()
+self.setup_local_pkinit()
+
+def setup_external_pkinit(self):
+certs.install_pem_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_CERT)
+certs.install_key_from_p12(self.pkcs12_info[0],
+   self.pkcs12_info[1],
+   paths.KDC_KEY)
+shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
+
 def setup_pkinit(self):
+if self.master_fqdn is not None:
+self._wait_for_replica_kdc_entry()
+
 if self.pkcs12_info:
-certs.install_pem_from_p12(self.pkcs12_info[0],
-   self.pkcs12_info[1],
-   paths.KDC_CERT)
-
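Review bot: in `_call_certmonger`, the `except dbus.DBusException` branch logs the failure and then `return`s for every D-Bus error other than `org.fedorahosted.certmonger.duplicate`, so the caller sees an ordinary return. `setup_full_pkinit` only falls back to `setup_local_pkinit` on `RuntimeError`, which means a D-Bus level failure leaves the KDC with no certificate and no fallback, and `setup_full_pkinit` still copies `paths.IPA_CA_CRT` over `paths.CACERT_PEM` as if the request had succeeded. Consider re-raising (or wrapping the error in `RuntimeError`) after the log line so the fallback path is taken. The `finally` that restores the previous CA helper via `certmonger.modify_ca_helper` is correct and still runs on that early `return`.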

[Freeipa-devel] [bind-dyndb-ldap PR#11][comment] Coverity: fix REVERSE_INULL for pevent->inst

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst

tomaskrizek commented:
"""
master:
- 13b185182aeb48562cf63251b84bcf910b57a0fc
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/11#issuecomment-292221521

[Freeipa-devel] [bind-dyndb-ldap PR#11][+pushed] Coverity: fix REVERSE_INULL for pevent->inst

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst

Label: +pushed

[Freeipa-devel] [bind-dyndb-ldap PR#11][closed] Coverity: fix REVERSE_INULL for pevent->inst

2017-04-06 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Author: tomaskrizek
 Title: #11: Coverity: fix REVERSE_INULL for pevent->inst
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/11/head:pr11
git checkout pr11

[Freeipa-devel] [bind-dyndb-ldap PR#12][+pushed] README.md: fix markdown formatting

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Title: #12: README.md: fix markdown formatting

Label: +pushed

[Freeipa-devel] [bind-dyndb-ldap PR#12][comment] README.md: fix markdown formatting

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Title: #12: README.md: fix markdown formatting

tomaskrizek commented:
"""
master:
- a9ffcc8eb190d5dc01e018abb9f8bba2013ab5e2
- 55c2ffc2b3aef3e9cf7c9131e40a1057b032527b
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/12#issuecomment-292220201

[Freeipa-devel] [bind-dyndb-ldap PR#11][+ack] Coverity: fix REVERSE_INULL for pevent->inst

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/11
Title: #11: Coverity: fix REVERSE_INULL for pevent->inst

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#12][closed] README.md: fix markdown formatting

2017-04-06 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Author: tomaskrizek
 Title: #12: README.md: fix markdown formatting
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/12/head:pr12
git checkout pr12

[Freeipa-devel] [bind-dyndb-ldap PR#12][+ack] README.md: fix markdown formatting

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/12
Title: #12: README.md: fix markdown formatting

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#14][closed] time_t maybe unsigned or long

2017-04-06 Thread tomaskrizek
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14
Author: mingzym
 Title: #14: time_t maybe unsigned or long
Action: closed

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/14/head:pr14
git checkout pr14

[Freeipa-devel] [bind-dyndb-ldap PR#14][+ack] time_t maybe unsigned or long

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14
Title: #14: time_t maybe unsigned or long

Label: +ack

[Freeipa-devel] [bind-dyndb-ldap PR#14][comment] time_t maybe unsigned or long

2017-04-06 Thread tomaskrizek
  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14
Title: #14: time_t maybe unsigned or long

tomaskrizek commented:
"""
Thanks for the contribution!
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/14#issuecomment-292218042

[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation

2017-04-06 Thread tjaalton
  URL: https://github.com/freeipa/freeipa/pull/697
Title: #697: Create system users for FreeIPA services during package installation

tjaalton commented:
"""
If I understood the sysusers.d file format correctly, ipa.sysusers.debian.conf 
would need this line added:

m www-data ipaapi

as you can see from ipaplatform/debian/constants.py. Actually, why not make 
just one template file ipa.sysusers.conf.in and utilize ipaplatform to 
substitute values like for most of the conffiles?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/697#issuecomment-292215096

[Freeipa-devel] [bind-dyndb-ldap PR#14][opened] time_t maybe unsigned or long

2017-04-06 Thread mingzym
   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/14
Author: mingzym
 Title: #14: time_t maybe unsigned or long
Action: opened

PR body:
"""
When compiling with Heimdal, the krb5_timestamp is set to long instead of the 
unsigned type used in mit-krb5.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/14/head:pr14
git checkout pr14
From 452be8d305674b4bb15e74b41c87d0045c9ee7f9 Mon Sep 17 00:00:00 2001
From: Zhao Yongming 
Date: Mon, 3 Apr 2017 20:31:47 +0800
Subject: [PATCH] time_t maybe unsigned or long

---
 src/krb5_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/krb5_helper.c b/src/krb5_helper.c
index 5466dd8..5d7ee6a 100644
--- a/src/krb5_helper.c
+++ b/src/krb5_helper.c
@@ -65,8 +65,8 @@ check_credentials(krb5_context context,
 
 	krberr = krb5_timeofday(context, );
 	CHECK_KRB5(context, krberr, "Failed to get timeofday");
-	log_debug(2, "krb5_timeofday() = %u ; creds.times.endtime = %u",
-		  now, creds.times.endtime);
+	log_debug(2, "krb5_timeofday() = %ld ; creds.times.endtime = %ld",
+		  (long) now, (long) creds.times.endtime);
 
 	if (now > (creds.times.endtime - MIN_TIME)) {
 		log_debug(2, "Credentials in cache expired");
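Review bot: the commit message body is empty; the rationale given in the PR description (Heimdal defines `krb5_timestamp` as `long`, MIT krb5 as an unsigned type) belongs in it so the reason for the casts survives in history. The `(long)` cast paired with `%ld` is the right portable form for a value whose signedness and width differ between the two libraries, and it leaves the unchanged comparison `now > (creds.times.endtime - MIN_TIME)` in the context lines untouched, which is correct since both operands are the same library type.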

[Freeipa-devel] [freeipa PR#697][opened] Create system users for FreeIPA services during package installation

2017-04-06 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/697
Author: dkupka
 Title: #697: Create system users for FreeIPA services during package installation
Action: opened

PR body:
"""
Previously, system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet (and
potentially similar ones). Now the systemd-sysusers service is used to ensure the
users the freeipa-server package needs exist before any installation or
configuration begins.

https://pagure.io/freeipa/issue/6743
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/697/head:pr697
git checkout pr697
From 84fc1e036861027e7f73e2f1b7a5522df3533aaf Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 6 Apr 2017 12:35:35 +0200
Subject: [PATCH] Create system users for FreeIPA services during package
 installation

Previously, system users needed by FreeIPA server services were created during
ipa-server-install. This led to a problem when the DBus policy was configured during
package installation but the user specified in the policy didn't exist yet (and
potentially similar ones). Now the systemd-sysusers service is used to ensure the
users the freeipa-server package needs exist before any installation or
configuration begins.

https://pagure.io/freeipa/issue/6743
---
 configure.ac   |  1 +
 freeipa.spec.in|  5 +++
 init/systemd/Makefile.am   | 15 +++--
 init/systemd/ipa.sysusers.base.conf|  5 +++
 init/systemd/ipa.sysusers.debian.conf  |  1 +
 init/systemd/ipa.sysusers.fedora.conf  |  1 +
 init/systemd/ipa.sysusers.redhat.conf  |  1 +
 init/systemd/ipa.sysusers.rhel.conf|  1 +
 ipaplatform/base/tasks.py  | 53 --
 ipaplatform/redhat/tasks.py| 26 ---
 ipaserver/install/cainstance.py| 12 ---
 ipaserver/install/dsinstance.py| 11 ---
 ipaserver/install/httpinstance.py  | 13 
 ipaserver/install/installutils.py  | 13 
 ipaserver/install/ipa_restore.py   |  7 
 ipaserver/install/server/install.py|  6 +---
 ipaserver/install/server/replicainstall.py |  6 +---
 ipaserver/install/server/upgrade.py|  2 --
 server.m4  |  7 
 19 files changed, 37 insertions(+), 149 deletions(-)
 create mode 100644 init/systemd/ipa.sysusers.base.conf
 create mode 12 init/systemd/ipa.sysusers.debian.conf
 create mode 12 init/systemd/ipa.sysusers.fedora.conf
 create mode 12 init/systemd/ipa.sysusers.redhat.conf
 create mode 12 init/systemd/ipa.sysusers.rhel.conf

diff --git a/configure.ac b/configure.ac
index 8f8751a..2cba2cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -627,6 +627,7 @@ AM_COND_IF([ENABLE_SERVER], [
 KRAD libs:${KRAD_LIBS}
 krb5rundir:   ${krb5rundir}
 systemdsystemunitdir: ${systemdsystemunitdir}
+sysusersdir:  ${sysusersdir}
 systemdtmpfilesdir:   ${systemdtmpfilesdir}
 build mode:   server & client"
 ], [
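Review bot: the configuration summary now prints `${sysusersdir}`, but this hunk does not show where the variable is defined or `AC_SUBST`ed; from the diffstat that is presumably the `server.m4` change. Make sure it is actually substituted, and that `configure` either fails or falls back sensibly when the value cannot be obtained from systemd's pkg-config data, because `init/systemd/Makefile.am` installs `sysusers_DATA` relative to it and an empty variable would install `ipa.conf` at the filesystem root.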
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 61e9acd..765e4aa 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -977,6 +977,10 @@ rm -rf %{buildroot}
 # NOTE: systemd specific section
 /bin/systemctl --system daemon-reload 2>&1 || :
 # END
+
+# ensure system users needed by FreeIPA services are created
+/bin/systemd-sysusers ipa.conf
+
 if [ $1 -gt 1 ] ; then
 /bin/systemctl condrestart certmonger.service 2>&1 || :
 fi
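Review bot: `/bin/systemd-sysusers ipa.conf` is called from the same scriptlet as the post-install `daemon-reload` and the `condrestart` guarded by `$1 -gt 1`, i.e. after the package's files have been laid down. If any packaged file or directory is owned by one of the users `ipa.conf` creates, the call has to move to `%pre`, otherwise RPM cannot apply those `%attr` owners at install time, which is the class of problem the commit message is addressing. Unlike the neighbouring `systemctl` lines the call has no `|| :`; that is defensible here, since a missing user is exactly the failure this change exists to prevent, but the comment above it should say the hard failure is intentional.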
@@ -1176,6 +1180,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_sysusersdir}/ipa.conf
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 945f6ac..1c46cb1 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -4,13 +4,21 @@ AUTOMAKE_OPTIONS = 1.7
 
 dist_noinst_DATA = 			\
 	ipa-custodia.service.in		\
-	ipa.service.in
+	ipa.service.in	\
+	ipa.sysusers.base.conf	\
+	ipa.sysusers.debian.conf	\
+	ipa.sysusers.fedora.conf	\
+	ipa.sysusers.redhat.conf	\
+	ipa.sysusers.rhel.conf
 
 systemdsystemunit_DATA = 	\
 	ipa-custodia.service	\
 	ipa.service
 
-CLEANFILES = $(systemdsystemunit_DATA)
+sysusers_DATA = \
+	ipa.conf
+
+CLEANFILES = $(systemdsystemunit_DATA) $(sysusers_DATA)
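Review bot: `ipa.conf` is added to `sysusers_DATA` and `CLEANFILES`, but the generic `%: %.in Makefile` rule cannot produce it because there is no `ipa.conf.in` in `dist_noinst_DATA`; the file therefore depends entirely on the explicit `ipa.conf:` rule added further down, and the five fragment files need to be its prerequisites so it is regenerated when one of them changes. Minor: the new `dist_noinst_DATA` entries use a single tab before the backslash where the existing `ipa-custodia.service.in` line uses two, so the continuation lines no longer align.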
 
 %: %.in Makefile
 	sed \
@@ -21,3 +29,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
 		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
 		'$(srcdir)/$@.in' >$@
+
+ipa.conf: 
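Review bot: the `ipa.conf:` rule as shown has no prerequisites and its recipe is cut off in this mail; it should depend on `ipa.sysusers.base.conf` and on the selected platform fragment (`ipa.sysusers.debian.conf`, `ipa.sysusers.fedora.conf`, `ipa.sysusers.redhat.conf` or `ipa.sysusers.rhel.conf`) so that `make` rebuilds `ipa.conf` when a fragment changes, and the rule should state how the platform is chosen (a `configure`-substituted variable is the usual way) rather than hard-coding one file.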

[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-06 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

abbra commented:
"""
LGTM.

`nltest /sc_verify:ipa.example.test` works thanks to this pull request:
```
C:\Users\Administrator>nltest /sc_query:ipa.example.test
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\master.ipa.example.test
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
```

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/632#issuecomment-292167012

[Freeipa-devel] [freeipa PR#632][+ack] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-06 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/632
Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry

Label: +ack

[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing

2017-04-06 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/677
Title: #677: cert: defer cert-find result post-processing

stlaz commented:
"""
The patched IPA works better than the current 4.4 and 4.5 branches in terms of 
options logic; that's good.
From the code I am not sure which searches we do miss; could you elaborate on 
that a bit, please?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/677#issuecomment-292142416

[Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority

2017-04-06 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/689
Title: #689: Sort SRV records by priority

MartinBasti commented:
"""
```
git reset HEAD~3
git add -p
git commit
```

should help
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/689#issuecomment-292142293

[Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority

2017-04-06 Thread alex-zel
  URL: https://github.com/freeipa/freeipa/pull/689
Title: #689: Sort SRV records by priority

alex-zel commented:
"""
Sorry, I think I messed up trying to squash the commits.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/689#issuecomment-292140831

[Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority

2017-04-06 Thread alex-zel
   URL: https://github.com/freeipa/freeipa/pull/689
Author: alex-zel
 Title: #689: Sort SRV records by priority
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
From 283da88845c65d5cd3b4ce6b5e32c17fc3c5fb98 Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov 
Date: Tue, 4 Apr 2017 09:42:10 +0300
Subject: [PATCH 1/3] Sort SRV records by priority

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi-master environment.
---
 ipaclient/install/ipadiscovery.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..b30e7de 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -22,13 +22,14 @@
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns import resolver, rdatatype
 from dns.exception import DNSException
+from dns import resolver, rdatatype
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
+from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
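Review bot: `from operator import attrgetter` is a standard-library import and belongs with `import socket` at the top of the block rather than after the project's own imports; the swap of the two `dns` import lines is unrelated churn that makes this diff noisier than the one-line change it supports. Both points are addressed by the follow-up commit in this series, so they would disappear once the commits are squashed as requested.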
@@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
+answers = sorted(answers, key=attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
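Review bot: sorting by `priority` alone covers the first half of RFC 2782 client behaviour but ignores `weight`; because `sorted()` is stable, records sharing a priority keep whatever order the resolver returned, so two masters at the same priority are still tried in server-returned order, which is the kind of divergence between `_ldap` and `_kerberos` lookups the commit message describes. Also note that `sorted()` turns the dnspython answer object into a plain list; that is fine if the rest of `ipadns_search_srv` only iterates `answers` (and it keeps the type consistent with the `answers = []` in the `except` branch), but any later use of answer-object attributes would break.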

From 78cac5d5ed7b1b857093667dad66dc1dc6f86670 Mon Sep 17 00:00:00 2001
From: Alex Zel 
Date: Thu, 6 Apr 2017 10:06:36 +0300
Subject: [PATCH 2/3] Update ipadiscovery.py

---
 ipaclient/install/ipadiscovery.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index b30e7de..c929a35 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -17,19 +17,19 @@
 # along with this program.  If not, see .
 #
 
+import operator
 import socket
 
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns.exception import DNSException
 from dns import resolver, rdatatype
+from dns.exception import DNSException
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
-from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
@@ -494,7 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
-answers = sorted(answers, key=attrgetter('priority'))
+answers = sorted(answers, key=operator.attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []

From ca4b37023314fc5125defc015a1fdafaacef1be2 Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov 
Date: Tue, 4 Apr 2017 09:42:10 +0300
Subject: [PATCH 3/3] Sort SRV records by priority

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi-master environment.

Update ipadiscovery.py
---
 ipaclient/install/ipadiscovery.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..c929a35 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -17,6 +17,7 @@
 # along with this program.  If not, see .
 #
 
+import operator
 import socket
 
 import six
@@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
+answers = sorted(answers, key=operator.attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
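Review bot: sorting by `priority` alone discards the SRV `weight` field; RFC 2782 specifies lowest priority first and, within one priority, weighted random selection, so after this change every client walks equal-priority servers in the same resolver-returned order and the weight-based load spreading an administrator configured in DNS has no effect. If deterministic order is the goal, at least make weight part of the key (`key=lambda r: (r.priority, -r.weight)`), and say in the commit message that weighted selection is intentionally not implemented.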
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#689][comment] Sort SRV records by priority

2017-04-06 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/689
Title: #689: Sort SRV records by priority

MartinBasti commented:
"""
@alex-zel Please merge your commits into one, thanks.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/689#issuecomment-292138392

[Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies

2017-04-06 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: edited

 Changed field: body
Original value:
"""
* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin

Signed-off-by: Christian Heimes 
"""


[Freeipa-devel] [freeipa PR#671][synchronized] Slim down dependencies

2017-04-06 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
From b12cb1e72769d43cbe09a77ec79b9b1267e5004c Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 29 Mar 2017 11:20:21 +0200
Subject: [PATCH] Slim down dependencies

* Remove unused install requires
* Correct dependencies for yubico otptoken
* Properly report optional dependency for yubico otptoken
* Make jinja2 an optional dependency and csrgen an optional plugin
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

Signed-off-by: Christian Heimes 
---
 ipaclient/plugins/csrgen.py   | 10 --
 ipaclient/plugins/otptoken_yubikey.py | 11 ---
 ipaclient/setup.py|  6 ++
 ipapython/setup.py|  6 ++
 ipaserver/setup.py|  3 ++-
 ipasetup.py.in| 15 +++
 ipatests/setup.py |  3 ++-
 7 files changed, 35 insertions(+), 19 deletions(-)

diff --git a/ipaclient/plugins/csrgen.py b/ipaclient/plugins/csrgen.py
index 568a79f..d18a90c 100644
--- a/ipaclient/plugins/csrgen.py
+++ b/ipaclient/plugins/csrgen.py
@@ -6,8 +6,6 @@
 
 import six
 
-from ipaclient import csrgen
-from ipaclient import csrgen_ffi
 from ipalib import api
 from ipalib import errors
 from ipalib import output
@@ -18,6 +16,14 @@
 from ipalib.text import _
 from ipapython import dogtag
 
+try:
+import jinja2  # pylint: disable=unused-import
+except ImportError:
+raise errors.SkipPluginModule(reason=_("jinja2 is not installed."))
+else:
+from ipaclient import csrgen
+from ipaclient import csrgen_ffi
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 759b722..9993ec8 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -20,15 +20,20 @@
 import os
 
 import six
-import usb.core
-import yubico
 
 from ipalib import _, api, IntEnum
-from ipalib.errors import NotFound
+from ipalib.errors import NotFound, SkipPluginModule
 from ipalib.frontend import Command, Method, Object
 from ipalib.plugable import Registry
 from ipalib.util import classproperty
 
+try:
+import usb.core
+import yubico
+except ImportError:
+# python-yubico depends on pyusb
+raise SkipPluginModule(reason=_("python-yubico is not installed."))
+
 if six.PY3:
 unicode = str
 
diff --git a/ipaclient/setup.py b/ipaclient/setup.py
index f5be7ea..43e1164 100644
--- a/ipaclient/setup.py
+++ b/ipaclient/setup.py
@@ -54,15 +54,13 @@
 "cryptography",
 "ipalib",
 "ipapython",
-"jinja2",
-"python-yubico",
-"pyusb",
 "qrcode",
 "six",
 ],
 extras_require={
 "install": ["ipaplatform"],
-"otptoken_yubikey": ["yubico", "usb"]
+"otptoken_yubikey": ["python-yubico", "pyusb"],
+"csrgen": ["cffi", "jinja2"],
 },
 zip_safe=False,
 )
diff --git a/ipapython/setup.py b/ipapython/setup.py
index f4bc3f8..4f71530 100755
--- a/ipapython/setup.py
+++ b/ipapython/setup.py
@@ -41,16 +41,14 @@
 "cryptography",
 "dnspython",
 "gssapi",
-"jwcrypto",
 # "ipalib",  # circular dependency
-"pyldap",
 "netaddr",
 "netifaces",
-"requests",
 "six",
 ],
 extras_require={
-":python_version<'3'": ["enum34"],
+":python_version<'3'": ["enum34", "python-ldap"],
+":python_version>='3'": ["pyldap"],
 "install": ["dbus-python"],  # for certmonger
 },
 )
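Review bot: this hunk drops `jwcrypto` and `requests` from ipapython's `install_requires` with no mention in the commit message beyond "remove unused install requires"; please state in the message (or confirm in the PR) that nothing under ipapython imports either package, since a missing runtime dependency here only shows up as an ImportError on a minimal install, not in the test suite that has everything installed.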
diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 097508f..307e7a8 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -58,7 +58,6 @@
 "lxml",
 "netaddr",
 "pyasn1",
-"pyldap",
 "six",
 ],
 entry_points={
@@ -70,6 +69,8 @@
 ],
 },
 extras_require={
+":python_version<'3'": ["python-ldap"],
+":python_version>='3'": ["pyldap"],
 # These packages are currently not available on PyPI.
 "dcerpc": ["samba", "pysss", "pysss_nss_idmap"],
 "hbactest": ["pyhbac"],
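Review bot: the `":python_version<'3'": ["python-ldap"]` / `":python_version>='3'": ["pyldap"]` pair is now duplicated verbatim between ipapython/setup.py and ipaserver/setup.py; since the comment being edited in ipasetup.py.in says environment markers of this form are not natively supported and need handling there, make sure that handling accepts the `>=` form as well as `<`, and consider keeping the marker pair in one place so the two setup files cannot drift apart.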
diff --git a/ipasetup.py.in b/ipasetup.py.in
index b0a5051..4bdd890 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -138,13 +138,20 @@ def ipasetup(name, doc, **kwargs):
 cmdclass = setup_kwargs.setdefault('cmdclass', {})
 cmdclass['build_py'] = build_py
 
-# Env markers like ":python_version<'3.3'" are not supported by
+# Env 

[Freeipa-devel] [freeipa PR#671][edited] Slim down dependencies

2017-04-06 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: edited

 Changed field: title
Original value:
"""
[WIP] Slim down dependencies
"""


[Freeipa-devel] [freeipa PR#693][comment] [tests] collect audit.log for easier selinux investigation

2017-04-06 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/693
Title: #693: [tests] collect audit.log for easier selinux investigation

MartinBasti commented:
"""
master:

* fd597f83aed53bf3281ce9ec6b94f601868cfc75 collect audit.log for easier selinux investigation
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/693#issuecomment-292100630

[Freeipa-devel] [freeipa PR#693][+pushed] [tests] collect audit.log for easier selinux investigation

2017-04-06 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/693
Title: #693: [tests] collect audit.log for easier selinux investigation

Label: +pushed

[Freeipa-devel] [freeipa PR#693][closed] [tests] collect audit.log for easier selinux investigation

2017-04-06 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/693
Author: MartinBasti
 Title: #693: [tests] collect audit.log for easier selinux investigation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/693/head:pr693
git checkout pr693

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-06 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@MartinBasti I haven't thought about CA-less -> CA-full but in this case you 
would have local PKINIT and should configure full PKINIT manually

All the other scenarios should be covered by the incoming code.

Regarding your comment on the certmonger helper/special CA, we (me and 
@HonzaCholasta) decided to remove it and use a self-signed CA instead.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-292096092

[Freeipa-devel] [freeipa PR#689][synchronized] Sort SRV records by priority

2017-04-06 Thread alex-zel
   URL: https://github.com/freeipa/freeipa/pull/689
Author: alex-zel
 Title: #689: Sort SRV records by priority
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/689/head:pr689
git checkout pr689
From 283da88845c65d5cd3b4ce6b5e32c17fc3c5fb98 Mon Sep 17 00:00:00 2001
From: Alex Zeleznikov 
Date: Tue, 4 Apr 2017 09:42:10 +0300
Subject: [PATCH 1/2] Sort SRV records by priority

In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi-master environment.
---
 ipaclient/install/ipadiscovery.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index 46e05c9..b30e7de 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -22,13 +22,14 @@
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns import resolver, rdatatype
 from dns.exception import DNSException
+from dns import resolver, rdatatype
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
+from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
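Review bot: `from operator import attrgetter` is a standard-library import but is placed after the project imports (`from ipapython.dn import DN`); it belongs in the stdlib group next to `import socket`. The swap of the two `dns` imports in the same hunk is unrelated to the sort change and should be dropped to keep the diff minimal.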
@@ -493,6 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
+answers = sorted(answers, key=attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
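Review bot: the new ordering guarantee in `ipadns_search_srv` has no test; the patch touches only the production code. Add a unit test that feeds a constructed set of SRV records with mixed and equal priorities through this path and asserts the resulting order, otherwise a later refactor can silently drop the `sorted(...)` call that the commit message relies on to fix replica setup.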

From 78cac5d5ed7b1b857093667dad66dc1dc6f86670 Mon Sep 17 00:00:00 2001
From: Alex Zel 
Date: Thu, 6 Apr 2017 10:06:36 +0300
Subject: [PATCH 2/2] Update ipadiscovery.py

---
 ipaclient/install/ipadiscovery.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/ipadiscovery.py b/ipaclient/install/ipadiscovery.py
index b30e7de..c929a35 100644
--- a/ipaclient/install/ipadiscovery.py
+++ b/ipaclient/install/ipadiscovery.py
@@ -17,19 +17,19 @@
 # along with this program.  If not, see .
 #
 
+import operator
 import socket
 
 import six
 
 from ipapython.ipa_log_manager import root_logger
-from dns.exception import DNSException
 from dns import resolver, rdatatype
+from dns.exception import DNSException
 from ipalib import errors
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipapython.ipautil import valid_ip, realm_to_suffix
 from ipapython.dn import DN
-from operator import attrgetter
 
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
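Review bot: this hunk swaps `from dns.exception import DNSException` and `from dns import resolver, rdatatype` back to the order PATCH 1/2 changed them from, so once the two commits are combined the net diff to those lines is zero; that churn, plus the `from operator import attrgetter` to `import operator` move, only makes sense as a fixup to the first commit.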
@@ -494,7 +494,7 @@ def ipadns_search_srv(self, domain, srv_record_name, default_port,
 
 try:
 answers = resolver.query(qname, rdatatype.SRV)
-answers = sorted(answers, key=attrgetter('priority'))
+answers = sorted(answers, key=operator.attrgetter('priority'))
 except DNSException as e:
 root_logger.debug("DNS record not found: %s", e.__class__.__name__)
 answers = []
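Review bot: PATCH 2/2 only rewrites the single line PATCH 1/2 introduced (`attrgetter('priority')` becomes `operator.attrgetter('priority')`) and relocates its import; that is a fixup of the first commit, not a separate change, and should be squashed into it so the history does not carry a commit titled "Update ipadiscovery.py" with an empty body.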