Re: [Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread Martin Bašti



On 20.04.2017 20:52, Alexander Bokovoy wrote:

On Thu, 20 Apr 2017, flo-renaud wrote:

  URL: https://github.com/freeipa/freeipa/pull/724
Author: flo-renaud
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

Action: opened

PR body:
"""
… installed

During upgrade, the plugin update_tdo_gidnumber is launched in order to
add a gidnumber to the Trusted Domain Object.
This plugin should not be run when ad trust is not installed, otherwise an
error message is displayed.

https://pagure.io/freeipa/issue/6881
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/724/head:pr724
git checkout pr724


I acked this PR on github but it looks like email hook is broken. There
was no patch attached to this email.



Thanks for reporting this,

it was just a temporary issue, GitHub returned 404 instead of the patch, but so
far I don't see more errors in the logs than this particular one for #724


[freeipagithubconsumer ERROR]: Cannot download patch: 
https://github.com/freeipa/freeipa/pull/724.patch

...
HTTPError: HTTP Error 404: Not Found


--
Martin Bašti
Software Engineer
Red Hat Czech

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] Pagure issue template

2017-04-20 Thread Standa Laznicka

On 04/21/2017 08:12 AM, Abhijeet Kasurde wrote:

+1

On 20/04/17 9:36 PM, Petr Vobornik wrote:

Hi all,

I'd like to improve quality of bug reports and RFEs.

A possibility I see is to create an issue template [1].

Sounds like a good idea! Please see my comments.


What do you think of the following template? Should we use it?


### Request for enhancement
As  , I want  so that .

This sounds very labored. How about using:
"I am a  and I want ..."


### Bug
 What doesn't work (what was the goal)
"What's not working" proposes the situation will change and 
sounds better IMO



 Steps to Reproduce

 Actual results

 Expected results

 Version/Release/Distribution
   $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server

 Additional info:





1.  Can we add pre-defined set of components in title ? for example,

[CERT] some_cert_related bug description
[installer] some installer related bug description
This is what Pagure has tags for. But you're right we might be missing 
some, although "CERT" is probably not a good example, installer is. On 
the other hand, "userstory" is a tag I will myself never use on purpose.


2. Also, Having a bot in place which will enforce or at least suggest 
reporter to modify bug report.



[1] https://docs.pagure.org/pagure/usage/ticket_templates.html



My hope is that the issue template should do itself.

For the record, I love the way Atom guides you through their issue 
creation: https://github.com/atom/atom/issues/new.




Re: [Freeipa-devel] Pagure issue template

2017-04-20 Thread Abhijeet Kasurde

+1

On 20/04/17 9:36 PM, Petr Vobornik wrote:

Hi all,

I'd like to improve quality of bug reports and RFEs.

A possibility I see is to create an issue template [1].

What do you think of the following template? Should we use it?


### Request for enhancement
As  , I want  so that .

### Bug
 What doesn't work (what was the goal)

 Steps to Reproduce

 Actual results

 Expected results

 Version/Release/Distribution
   $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server

 Additional info:





1.  Can we add pre-defined set of components in title ? for example,

[CERT] some_cert_related bug description
[installer] some installer related bug description

2. Also, Having a bot in place which will enforce or at least suggest 
reporter to modify bug report.



[1] https://docs.pagure.org/pagure/usage/ticket_templates.html


--
Abhijeet Kasurde
Red Hat Identity management, RHCSA,
Red Hat APAC
akasu...@redhat.com
www.redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted



[Freeipa-devel] [freeipa PR#726][opened] Add check for directory name

2017-04-20 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/726
Author: Akasurde
 Title: #726: Add check for directory name
Action: opened

PR body:
"""
Fix adds check to verify if user provided input is not
a directory when filename is required.

Fixes: https://pagure.io/freeipa/issue/6883

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/726/head:pr726
git checkout pr726
From 2bb6825daf43925772357be3d5483cfc9996f8f5 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 21 Apr 2017 10:11:38 +0530
Subject: [PATCH] Add check for directory name

Fix adds check to verify if user provided input is not
a directory when filename is required.

Fixes: https://pagure.io/freeipa/issue/6883

Signed-off-by: Abhijeet Kasurde 
---
 ipalib/util.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index e9d4105..7c267e7 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -170,6 +170,10 @@ def check_writable_file(filename):
 """
 if filename is None:
 raise errors.FileError(reason=_('Filename is empty'))
+
+if os.path.isdir(filename):
+raise errors.FileError(reason=_('Directory name found instead of '
+'Filename'))
 try:
 if os.path.exists(filename):
 if not os.access(filename, os.W_OK):
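
Review bot: The added `os.path.isdir(filename)` test sits outside the existing `try:` block and is one more stat of the path before the `os.path.exists` / `os.access` calls below, so the result can differ from what the later open sees if the path changes in between; treat it as input validation only. The reason string also does not name the offending path and capitalises "Filename" mid-sentence; something like "'%(name)s' is a directory, a file name is required" would tell the user which argument was wrong.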

[Freeipa-devel] [freeipa PR#725][opened] Fix certificate_out check in CertRetrieveOverride

2017-04-20 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/725
Author: Akasurde
 Title: #725: Fix certificate_out check in CertRetrieveOverride
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/6885

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/725/head:pr725
git checkout pr725
From b324d3250c6455afd8bdbf71cd09496344dab40d Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 21 Apr 2017 10:04:19 +0530
Subject: [PATCH] Fix certificate_out check in CertRetrieveOverride

Fixes: https://pagure.io/freeipa/issue/6885

Signed-off-by: Abhijeet Kasurde 
---
 ipaclient/plugins/cert.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index a4ee9a9..78b7e29 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -50,8 +50,7 @@ class CertRetrieveOverride(MethodOverride):
 
 def forward(self, *args, **options):
 certificate_out = options.pop('certificate_out', None)
-if certificate_out is not None:
-util.check_writable_file(certificate_out)
+util.check_writable_file(certificate_out)
 
 result = super(CertRetrieveOverride, self).forward(*args, **options)
 
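
Review bot: With the `if certificate_out is not None:` guard removed, `forward()` calls `util.check_writable_file(None)` whenever the option is omitted, because `options.pop('certificate_out', None)` defaults to None. The `check_writable_file` context shown in the PR#726 patch raises FileError "Filename is empty" for None, so a call without `certificate_out` would now fail. If the option is meant to stay optional, keep the None guard and handle the case this fix targets explicitly; the commit message should also say which input was previously let through.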

Re: [Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread Alexander Bokovoy

On Thu, 20 Apr 2017, flo-renaud wrote:

  URL: https://github.com/freeipa/freeipa/pull/724
Author: flo-renaud
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust 
is…
Action: opened

PR body:
"""
… installed

During upgrade, the plugin update_tdo_gidnumber is launched in order to
add a gidnumber to the Trusted Domain Object.
This plugin should not be run when ad trust is not installed, otherwise an
error message is displayed.

https://pagure.io/freeipa/issue/6881
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/724/head:pr724
git checkout pr724


I acked this PR on github but it looks like email hook is broken. There
was no patch attached to this email.

--
/ Alexander Bokovoy


[Freeipa-devel] [freeipa PR#724][comment] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust 
is…

abbra commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/724#issuecomment-295855495

[Freeipa-devel] [freeipa PR#724][+ack] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/724
Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust 
is…

Label: +ack

[Freeipa-devel] Pagure issue template

2017-04-20 Thread Petr Vobornik

Hi all,

I'd like to improve quality of bug reports and RFEs.

A possibility I see is to create an issue template [1].

What do you think of the following template? Should we use it?


### Request for enhancement
As  , I want  so that .

### Bug
 What doesn't work (what was the goal)

 Steps to Reproduce

 Actual results

 Expected results

 Version/Release/Distribution
   $ rpm -q freeipa-server ipa-server 389-ds-base pki-ca krb5-server

 Additional info:



[1] https://docs.pagure.org/pagure/usage/ticket_templates.html
--
Petr Vobornik



[Freeipa-devel] [freeipa PR#724][opened] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/724
Author: flo-renaud
 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if 
adtrust is…
Action: opened

PR body:
"""
… installed

During upgrade, the plugin update_tdo_gidnumber is launched in order to
add a gidnumber to the Trusted Domain Object.
This plugin should not be run when ad trust is not installed, otherwise an
error message is displayed.

https://pagure.io/freeipa/issue/6881
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/724/head:pr724
git checkout pr724

[Freeipa-devel] [freeipa PR#679][edited] Make sure remote hosts have our keys

2017-04-20 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: edited

 Changed field: body
Original value:
"""
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce 
"""
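
The wait described in this PR body, as an added sketch that is not code from the PR or from FreeIPA: the replica polls the target host for the encryption public key it created last, and only then proceeds. The `Directory` class, the DNs and the key values are constructed stand-ins, and in-order replication is an assumption of the model.

```python
import time


class Directory:
    """Constructed in-memory stand-in for one LDAP server's key entries."""

    def __init__(self):
        self.entries = {}
        self.pending = []  # replicated changes that have not been applied yet

    def add(self, dn, value, replicate_to=()):
        # The local write is visible at once; peers only queue the change.
        self.entries[dn] = value
        for peer in replicate_to:
            peer.pending.append((dn, value))

    def apply_next(self):
        # Apply the oldest queued change (assumption: in-order replication).
        if self.pending:
            dn, value = self.pending.pop(0)
            self.entries[dn] = value

    def lookup(self, dn):
        return self.entries.get(dn)


def wait_for_key(lookup, dn, expected, timeout=300.0, interval=1.0,
                 clock=time.monotonic, sleep=time.sleep):
    """Poll lookup(dn) until it returns `expected`; return the attempt count.

    Comparing against the value just created (not mere presence) keeps a
    stale key left by an earlier install from ending the wait early.
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        if lookup(dn) == expected:
            return attempts
        if clock() + interval > deadline:
            raise TimeoutError(
                "%s not replicated after %d lookups" % (dn, attempts))
        sleep(interval)


class FakeTime:
    """Deterministic clock: every sleep lets the target apply one change."""

    def __init__(self, target):
        self.now = 0.0
        self.target = target

    def clock(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds
        self.target.apply_next()


# Constructed placeholder DNs, not FreeIPA's real key locations.
SIG_DN = "cn=sig/replica.example.test,cn=keys,dc=example,dc=test"
ENC_DN = "cn=enc/replica.example.test,cn=keys,dc=example,dc=test"


def demo(stale_key=None, timeout=10.0):
    master, target = Directory(), Directory()
    if stale_key is not None:
        target.entries[ENC_DN] = stale_key  # leftover from an earlier install
    master.add(SIG_DN, b"sig-pub-new", replicate_to=[target])
    master.add(ENC_DN, b"enc-pub-new", replicate_to=[target])  # created last
    fake = FakeTime(target)
    attempts = wait_for_key(target.lookup, ENC_DN, b"enc-pub-new",
                            timeout=timeout, clock=fake.clock, sleep=fake.sleep)
    # Once the last-created key is visible, the earlier one is there as well.
    return attempts, target.lookup(SIG_DN)


if __name__ == "__main__":
    print(demo())
    print(demo(stale_key=b"enc-pub-old"))
```

Against a real server the `lookup` callable would be an LDAP search on the target host, and the timeout decides how long the install waits before failing.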


[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
Yep. Then this PR can be merged once you removed distinction external/full.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295731813

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
We can query that PKINIT was not configured at all by a) checking the presence 
of KDC keypair, b) checking the sysupgrade (no presence of pkinit flag implies 
no configuration is present), and c) querying LDAP (no presence of 
ipaConfigString) so we have multiple redundant ways to determine that PKINIT is 
not configured at all.

As for the removal of pkinit status, I intend to replace the existing command 
by `ipa pkinit-status` as a follow-up PR once this one is merged.

I will then update the design page to reflect this discussion and update the 
implementation in this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295727092

[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-20 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user 
searches

redhatrises commented:
"""
Should this also go into the 4.5 branch?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/688#issuecomment-295713837

[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches

2017-04-20 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user 
searches

redhatrises commented:
"""
Bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/688#issuecomment-295713616

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
I agree that it is internal detail whether we use local pkinit or not. However, 
we need to know that it is existing as opposed to not existing at all for older 
systems where we are going to perform upgrades. However, as you can derive this 
information by presence or lack of actual KDC certificate file in the file 
system during upgrade, this can be reduced, indeed.

One more detail: we already have pkinit plugin (`ipaserver/plugins/pkinit.py`) 
which has `ipa pkinit-anonymous enable/disable` command. This command cannot 
now be used because even for 'local' case we require anonymous PKINIT to be 
usable and this means we cannot disable the principal.

Perhaps, you can remove this command and add instead `ipa pkinit-status` 
command to show the status? It would show list of KDCs and their status.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295696911

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

martbab commented:
"""
@abbra I received an interactive review from @HonzaCholasta today and he is not 
very keen on idea of having ternary (absent/local/external/full) PKINIT 
configuration. He suggests to only have it absent/off (local implementation)/on 
and thus drop differentiation between PKINIT configured with IPA CA issued or 
3rd party certificates. The main concern here is that the 'local' PKINIT 
configuration is actually an implementation detail we should not leak to 
clients, they should be only able to tell if it is configured for them or not.

If you look into the design page, the two states (full/external) behave the 
same during replica installation and upgrade so the differentiation does not 
bring much new information to the users. So a simple on/off switch (something 
like pkinitStatus: off/on) could be enough and it could simplify the transition 
and UX. What do you think?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295692167
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#722][+ack] Fix server upgrade

2017-04-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade

Label: +ack

[Freeipa-devel] [freeipa PR#722][closed] Fix server upgrade

2017-04-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/722
Author: stlaz
 Title: #722: Fix server upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/722/head:pr722
git checkout pr722

[Freeipa-devel] [freeipa PR#722][comment] Fix server upgrade

2017-04-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade

HonzaCholasta commented:
"""
master:

* b38750eaa82025aad56f8eca849f47775b2cbc75 Fix CAInstance.import_ra_cert for 
empty passwords


ipa-4-5:

* e3f2878909c1f92a0d92ed2a8ce00c96135e1346 Fix CAInstance.import_ra_cert for 
empty passwords


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/722#issuecomment-295669731

[Freeipa-devel] [freeipa PR#722][+pushed] Fix server upgrade

2017-04-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade

Label: +pushed

[Freeipa-devel] [freeipa PR#723][synchronized] Store GSSAPI session key in /var/run/httpd

2017-04-20 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
 Title: #723: Store GSSAPI session key in /var/run/httpd
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
From 317c89410b4e43f8fdc617695b613d9ef7cac32e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 20 Apr 2017 10:39:08 +0200
Subject: [PATCH] Store GSSAPI session key in /var/run/ipa

Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 75c122e..56c8995 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 25 - DO NOT REMOVE THIS LINE
+# VERSION 26 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:/var/run/ipa/session.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
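
Review bot: Nothing in this patch removes the old /etc/httpd/alias/ipasession.key once `GssapiSessionKey` points at /var/run/ipa/session.key, so an upgraded server keeps a stale key file under /etc. Consider deleting it in the upgrade path, and confirm that /var/run/ipa is readable only by the account httpd runs as, since it now holds the session key next to the ccaches directory.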
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:/var/run/ipa/session.key
 
   Header unset Set-Cookie
 
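
Review bot: The key path is hard-coded a second time here for /ipa/session/cookie, and both blocks use the same `SessionCookieName ipa_session`, so the two `GssapiSessionKey` lines have to name the same file. A comment saying so, or a single `Define`d path used in both places, would keep them from drifting apart in a later edit.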

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-20 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

MartinBasti commented:
"""
Sure
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-295643034

[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd

2017-04-20 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

HonzaCholasta commented:
"""
Could we put the mod_auth_gssapi session key in `/var/run/ipa/session.key`? 
`/var/run/ipa` is where we store IPA-specific stuff, including mod_auth_gssapi 
ccaches.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/723#issuecomment-295641802

[Freeipa-devel] [freeipa PR#723][opened] Store GSSAPI session key in /var/run/httpd

2017-04-20 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
 Title: #723: Store GSSAPI session key in /var/run/httpd
Action: opened

PR body:
"""
Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
From 3573ba7d262d7761781b54f956bc35ae663694ee Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 20 Apr 2017 10:39:08 +0200
Subject: [PATCH] Store GSSAPI session key in /var/run/httpd

Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880
---
 install/conf/ipa.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 75c122e..92524b3 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 25 - DO NOT REMOVE THIS LINE
+# VERSION 26 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -78,7 +78,7 @@ WSGIScriptReloading Off
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:/var/run/httpd/ipasession.key
 
   GssapiImpersonate On
   GssapiDelegCcacheDir /var/run/ipa/ccaches
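
Review bot: The key is placed in /var/run/httpd/ipasession.key while the context line right below already keeps IPA runtime data under /var/run/ipa (`GssapiDelegCcacheDir /var/run/ipa/ccaches`). Putting the key under /var/run/ipa as well would keep the IPA-owned runtime files in one directory with one set of permissions and SELinux labels to maintain.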
@@ -127,7 +127,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
   SessionCookieName ipa_session path=/ipa;httponly;secure;
   SessionHeader IPASESSION
   SessionMaxAge 1800
-  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+  GssapiSessionKey file:/var/run/httpd/ipasession.key
 
   Header unset Set-Cookie
 

[Freeipa-devel] [freeipa PR#722][opened] Fix server upgrade

2017-04-20 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/722
Author: stlaz
 Title: #722: Fix server upgrade
Action: opened

PR body:
"""
OpenSSL can't cope with empty files, add a newline after each password

https://pagure.io/freeipa/issue/6878
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/722/head:pr722
git checkout pr722
From 7945c8a9a021978c5dc82bbfe8b3b52410be5d53 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 20 Apr 2017 10:09:05 +0200
Subject: [PATCH] Fix CAInstance.import_ra_cert for empty passwords

OpenSSL can't cope with empty files, add a newline after each password

https://pagure.io/freeipa/issue/6878
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b6b915c..84d60bf 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -690,7 +690,7 @@ def import_ra_cert(self, rafile, password=''):
 
 Used when setting up replication
 """
-with ipautil.write_tmp_file(password) as f:
+with ipautil.write_tmp_file(password + '\n') as f:
 pwdarg = 'file:{file}'.format(file=f.name)
 # get the private key from the file
 ipautil.run([paths.OPENSSL,
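
Review bot: `password + '\n'` on the `write_tmp_file` line appends the newline unconditionally and raises TypeError if a caller passes None or bytes instead of the default `''`. A one-line comment above the `with` saying that OpenSSL cannot read an empty `file:` password source would also keep the newline from being dropped as a stray character later.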

[Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +ack

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
I read through the code and I believe it addresses all use cases we have been 
discussing. LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-295613748

[Freeipa-devel] [freeipa PR#715][closed] use correct option name

2017-04-20 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/715
Author: realsobek
 Title: #715: use correct option name
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/715/head:pr715
git checkout pr715

[Freeipa-devel] [freeipa PR#715][+rejected] use correct option name

2017-04-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/715
Title: #715: use correct option name

Label: +rejected

[Freeipa-devel] [freeipa PR#715][comment] use correct option name

2017-04-20 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/715
Title: #715: use correct option name

stlaz commented:
"""
Since the changes here are part of https://github.com/freeipa/freeipa/pull/716, 
I am going to close this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/715#issuecomment-295607975