[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-12 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvomacka commented:
"""
Sorry, I hadn't refreshed the page, so I didn't see @pvoborni's comment before I 
sent mine. The suggestion which Petr wrote into Bugzilla should be discussed 
with @MartinBasti and, if I recall correctly, he did not recommend it from the 
point of view of DNS. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/782#issuecomment-301117428
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-12 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvomacka commented:
"""
Hello @felipevolpone,
Thank you for your patch. 
For adding arbitrary text into a dialog or details page, the most suitable is 
probably IPA.html_widget (but it has a big disadvantage, described below in 
section A). You can put it into the section you created. It might look like 
this: 
```
{
  name: 'dnszone_title',
  show_header: false,
  fields: [
    {
      field: false,
      $type: 'html',
      name: 'info',
      html: "Select the required zone type."
    }
  ],
  layout: {
    $factory: IPA.fluid_layout,
    widget_cls: "col-sm-12 controls",
    label_cls: "hide"
  }
},
```
The layout attribute of the section might not be needed, but I would say that 
here it is good to add it. It hides the label of the field and sets the width of 
the field to 100% of the dialog. 

(Simpler solutions below: B and C)
A) The html attribute contains the text which will be displayed. The text there 
should be taken from translatable strings. It can be done by using 
`text.get('i18n:path.to.the.string')` and writing the string into 
ipaserver/internal.py. The main challenge here might be to find a place where 
the string has to be loaded. It has to be done before building the whole dialog 
and its sections. You will probably need to override the `dialog_build_properites` 
attribute of the entity specification and there change the `$post_ops` operation, 
which is where the function that builds the adder dialog for the entity is (add 
the loading of the translated string there).

B) (not tested) Another solution would be to set a text field instead of an html 
one, turn off the field in the same way as above and then set it non-writable 
and read_only. Then hide the label, and there the `text.get()` should work 
directly in the field definition. (It should not be needed to change the behavior 
of building the entity's adder dialog.) 

C) Another solution would be to create a new widget which will work in the same 
way as `IPA.html_widget` but will support translatable strings.

If you have any questions, feel free to ask. :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/782#issuecomment-301113031

[Freeipa-devel] [freeipa PR#785][opened] otptoken-add-yubikey: When --digits not provided use default value

2017-05-12 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/785
Author: dkupka
 Title: #785: otptoken-add-yubikey: When --digits not provided use default value
Action: opened

PR body:
"""
Since the Thin client was introduced, default values for options are not populated
in client-side plugins. When an option has a default value and is needed in a client
plugin, it must be handled explicitly.

https://pagure.io/freeipa/issue/6900
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/785/head:pr785
git checkout pr785
From 0e07bce2d1d57713816821235c9a2b3a9c270e4c Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 12 May 2017 17:17:05 +0200
Subject: [PATCH] otptoken-add-yubikey: When --digits not provided use default
 value

Since the Thin client was introduced, default values for options are not populated
in client-side plugins. When an option has a default value and is needed in a client
plugin, it must be handled explicitly.

https://pagure.io/freeipa/issue/6900
---
 ipaclient/plugins/otptoken_yubikey.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 9993ec8..60b73a7 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -147,7 +147,10 @@ def forward(self, *args, **kwargs):
 
 # Write the config.
 cfg = yk.init_config()
-cfg.mode_oath_hotp(key, kwargs['ipatokenotpdigits'])
+cfg.mode_oath_hotp(key, kwargs.get(
+'ipatokenotpdigits',
+self.get_default_of('ipatokenotpdigits')
+))
 cfg.extended_flag('SERIAL_API_VISIBLE', True)
 yk.write_config(cfg, slot=kwargs['slot'])
 
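Review bot: the fallback `self.get_default_of('ipatokenotpdigits')` is evaluated on every call, even when the option was passed, and `kwargs.get()` only falls back when the key is absent, so a caller that passes `ipatokenotpdigits=None` would still hand `None` to `cfg.mode_oath_hotp()`. If the framework can pass an explicit `None` for an unset option, guard with `if kwargs.get('ipatokenotpdigits') is None:` and look the default up only in that branch; otherwise the current form is fine but deserves a one-line comment explaining why the client side has to supply the default itself (the thin-client point from the commit message).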

Re: [Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports

2017-05-12 Thread Tomas Krizek
On 05/12/2017 10:42 AM, Martin Bašti wrote:
> Hello all,
>
> I created a wiki page that should help people to provide the right logs
> for investigation depending on the issue.
>
> https://www.freeipa.org/page/Files_to_be_attached_to_bug_report
>
> Feel free to fix errors, update sections, add new sections or provide
> feedback. Once this page is polished I will link it to the wiki in the
> right places.
>
>
> Martin^2
>
Thanks for the page, it's a great idea!

I suggest we use the '-r' option for all journalctl logs. On a running
server, the journal can be quite long and someone might post an
old/unrelated error by accident. Using '-r' will ensure the user will
see the most recent and relevant log output.

-- 
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869

[Freeipa-devel] [freeipa PR#757][synchronized] ca, kra install: validate DM password

2017-05-12 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/757
Author: tomaskrizek
 Title: #757: ca, kra install: validate DM password
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/757/head:pr757
git checkout pr757
From 2cce2304491ce575b6803ca4dd7d8f6630c57a35 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:05:25 +0200
Subject: [PATCH 1/3] ca install: merge duplicated code for DM password

Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 install/tools/ipa-ca-install | 40 +---
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 60261aa..da6e5c3 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -116,9 +116,19 @@ def parse_options():
 return safe_options, options, filename
 
 
-def get_dirman_password():
-return installutils.read_password(
-"Directory Manager (existing master)", confirm=False, validate=False)
+def _get_dirman_password(password=None, unattended=False):
+if not password:
+if unattended:
+sys.exit('Directory Manager password required')
+try:
+password = installutils.read_password(
+"Directory Manager (existing master)", confirm=False,
+validate=False)
+except KeyboardInterrupt:
+sys.exit(0)
+if password is None:
+sys.exit("Directory Manager password required")
+return password
 
 
 def install_replica(safe_options, options, filename):
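Review bot: `_get_dirman_password()` has no docstring; it should state that the function exits the process on a missing password (and on Ctrl-C) rather than returning, since a caller reading the signature might expect `None` back. Minor: the same message appears once as `sys.exit('Directory Manager password required')` and once as `sys.exit("Directory Manager password required")`; pull it into one constant so the two exit paths cannot drift apart.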
@@ -142,16 +152,8 @@ def install_replica(safe_options, options, filename):
 check_creds(options, api.env.realm)
 
 # get the directory manager password
-dirman_password = options.password
-if not dirman_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dirman_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dirman_password is None:
-sys.exit("Directory Manager password required")
+dirman_password = _get_dirman_password(
+options.password, options.unattended)
 
 if (not options.promote and not options.admin_password and
 not options.skip_conncheck and options.unattended):
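Review bot: `_get_dirman_password(options.password, options.unattended)` passes two arguments positionally; `_get_dirman_password(options.password, unattended=options.unattended)` reads better at the call site and protects against a swap if the helper's signature changes later.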
@@ -199,16 +201,8 @@ def install_replica(safe_options, options, filename):
 
 
 def install_master(safe_options, options):
-dm_password = options.password
-if not dm_password:
-if options.unattended:
-sys.exit('Directory Manager password required')
-try:
-dm_password = get_dirman_password()
-except KeyboardInterrupt:
-sys.exit(0)
-if dm_password is None:
-sys.exit("Directory Manager password required")
+dm_password = _get_dirman_password(
+options.password, options.unattended)
 
 options.realm_name = api.env.realm
 options.domain_name = api.env.domain

From e3e8f051220970f10a34c8297b1a381d1721b663 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 3 May 2017 10:01:09 +0200
Subject: [PATCH 2/3] installutils: add DM password validator

Add a validator that checks whether the provided Directory Manager
password is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek 
---
 ipaserver/install/installutils.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9230e70..b6f0148 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -50,6 +50,7 @@
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
 from ipalib import api, errors, x509
 from ipapython.dn import DN
@@ -329,6 +330,21 @@ def _read_password_default_validator(password):
 if len(password) < 8:
 raise ValueError("Password must be at least 8 characters long")
 
+
+def validate_dm_password_ldap(password):
+"""
+Validate DM password by attempting to connect to LDAP. api.env has to
+contain valid ldap_uri.
+"""
+client = LDAPClient(api.env.ldap_uri, cacert=paths.IPA_CA_CRT)
+try:
+client.simple_bind(DIRMAN_DN, password)
+except errors.ACIError:
+raise ValueError("Invalid Directory Manager password")
+else:
+client.unbind()
+
+
 def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator):
 correct = False
 pwd = None
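Review bot: `validate_dm_password_ldap()` only maps `errors.ACIError` to a `ValueError`; any other failure of `LDAPClient(...)` or `client.simple_bind()` (server unreachable, CA certificate problem, `errors.NetworkError`) propagates as a raw exception out of the password prompt instead of a readable message, and `client.unbind()` is skipped on every failure path. Catch the connection errors with their own message and move `client.unbind()` into a `finally:`. The body also uses `paths.IPA_CA_CRT`, but the import hunk above adds only `DIRMAN_DN, LDAPClient`; make sure `paths` is already imported in installutils.py. Worth a sentence in the docstring: every wrong attempt at the prompt is a real bind as Directory Manager, so repeated failures will be visible in the 389-ds access log.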

From 

[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert validation

2017-05-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert validation
Action: edited

 Changed field: body
Original value:
"""
When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
"""


[Freeipa-devel] [freeipa PR#783][edited] Provide useful messages during cert verification

2017-05-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert verification
Action: edited

 Changed field: title
Original value:
"""
Provide useful messages during cert verification
"""


[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification

2017-05-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert verification
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/783/head:pr783
git checkout pr783
From 3c56e3d293f1ab872dddb185b368177e34796d97 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 12 May 2017 10:41:08 +0200
Subject: [PATCH] Provide useful messages during cert validation

When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945
---
 ipapython/certdb.py  | 26 --
 ipatests/test_integration/test_caless.py | 32 ++--
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..b86a705 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,8 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname):
 cert = x509.load_certificate(cert, x509.DER)
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a SSL server')
+self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a SSL server.'
+raise ValueError(msg)
 
 try:
 x509.match_hostname(cert, hostname)
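Review bot: `e.output.split(': ')[2].strip()` hard-codes the exact shape `certutil: certificate is invalid: <message>`; if certutil fails for any other reason (unreadable database, wrong nickname, or a message that itself contains `: `) the index either raises `IndexError` or returns a fragment, so the verification routine would hide the real cause behind a traceback. Prefer `_, sep, msg = e.output.partition('certificate is invalid: ')` and fall back to `e.output.strip()` when `sep` is empty. The comment in the hunk also appears to have lost its placeholder for the message after `invalid: `.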
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname):
 raise ValueError("not a CA certificate")
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a CA')
+self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a CA.'
+raise ValueError(msg)
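Review bot: this block repeats the output parsing and the `BAD_USAGE_ERR` substitution from `verify_server_cert_validity()` a few lines above, differing only in the replacement text; factor both into one helper (e.g. `_certutil_error_msg(e, usage_msg)`) so a future change in certutil's output format needs a single fix rather than two.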
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d7692ec..62ebba3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -38,6 +38,8 @@
 
 assert_error = tasks.assert_error
 
+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+
 
 def get_install_stdin(cert_passwords=()):
 lines = [
@@ -495,9 +497,8 @@ def test_expired_http(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in http.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_expired_ds(self):
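Review bot: `CERT_EXPIRED_MSG` drops the `(SEC_ERROR_EXPIRED_CERTIFICATE)` code that the old assertion required, so the test now passes on the message text alone. That matches the new certdb parsing, which forwards only the third `: `-separated segment, but it means the NSS error code is no longer shown to the user; say so in the commit message. The same formatted assertion is pasted into three tests; a small helper would avoid the duplication.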
@@ -511,9 +512,8 @@ def test_expired_ds(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in dirsrv.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in dirsrv.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_http_bad_usage(self):
@@ -884,9 +884,8 @@ def test_expired_http(self):
 result = self.prepare_replica(http_pkcs12='http.p12',
   dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in http.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @replica_install_teardown

[Freeipa-devel] [freeipa PR#782][comment] [WIP] Improving GUI text in "Add DNS Zones" popup

2017-05-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/782
Title: #782: [WIP] Improving GUI text in "Add DNS Zones" popup

pvoborni commented:
"""
I'm not completely sure that the approach suggested in the bug report is correct. 
That is why I suggested an alternative in 
https://bugzilla.redhat.com/show_bug.cgi?id=1419834#c2  

So before implementing it, a small conversation could have happened to agree on 
the approach.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/782#issuecomment-301081271

[Freeipa-devel] [freeipa PR#778][+ack] ipaclient: fix missing RPM ownership

2017-05-12 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/778
Title: #778: ipaclient: fix missing RPM ownership

Label: +ack

[Freeipa-devel] [freeipa PR#784][opened] ipa-replica-manage del (dl 0): remove server from defaultServerList

2017-05-12 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/784
Author: flo-renaud
 Title: #784: ipa-replica-manage del (dl 0): remove server from 
defaultServerList
Action: opened

PR body:
"""
ipa-replica-manage del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6946
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/784/head:pr784
git checkout pr784
From 8f98b3eb08c2f7994017459c7bb3f9eeb9f50cd2 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 12 May 2017 09:54:40 +0200
Subject: [PATCH] ipa-replica-manage del (dl 0): remove server from
 defaultServerList

ipa-replica-manage del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6946
---
 ipaserver/install/replication.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 3cd871e..f3bae53 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -1336,12 +1336,12 @@ def replica_cleanup(self, replica, realm, force=False):
 dn = DN(('cn', 'default'), ('ou', 'profile'), self.suffix)
 ret = self.conn.get_entry(dn)
 srvlist = ret.single_value.get('defaultServerList', '')
-srvlist = srvlist[0].split()
+srvlist = srvlist.split()
 if replica in srvlist:
 srvlist.remove(replica)
 attr = ' '.join(srvlist)
-mod = [(ldap.MOD_REPLACE, 'defaultServerList', attr)]
-self.conn.modify_s(dn, mod)
+ret['defaultServerList'] = attr
+self.conn.update_entry(ret)
 except errors.NotFound:
 pass
 except ldap.NO_SUCH_ATTRIBUTE:
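Review bot: when `replica` is the only server listed, `srvlist` ends up empty and `attr = ' '.join(srvlist)` is `''`; `ret['defaultServerList'] = attr` then asks `update_entry()` to store an empty value, which the directory will reject for most syntaxes, whereas the intent is surely to remove the attribute (`del ret['defaultServerList']`, or whatever the entry API uses for removal). Also, with `modify_s` replaced by `update_entry(ret)`, the `except ldap.NO_SUCH_ATTRIBUTE:` branch below is probably unreachable, since the entry layer raises `ipalib.errors` rather than raw python-ldap exceptions; check whether it can go.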

[Freeipa-devel] [freeipa PR#783][synchronized] Provide useful messages during cert verification

2017-05-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert verification
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/783/head:pr783
git checkout pr783
From a811c5fb7d1ee68c8f987e1ca228af58326f9a3a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 12 May 2017 10:41:08 +0200
Subject: [PATCH] Provide useful messages during cert verification

When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945
---
 ipapython/certdb.py  | 26 --
 ipatests/test_integration/test_caless.py | 32 ++--
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..b86a705 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,8 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname):
 cert = x509.load_certificate(cert, x509.DER)
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a SSL server')
+self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a SSL server.'
+raise ValueError(msg)
 
 try:
 x509.match_hostname(cert, hostname)
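Review bot: `e.output.split(': ')[2].strip()` still assumes certutil printed exactly `certutil: certificate is invalid: <message>`; any other certutil failure (bad database path, unknown nickname) gives an `IndexError` or a fragment instead of the real error. Use `partition('certificate is invalid: ')` with a fallback to the whole stripped output, and consider a shared helper since `verify_ca_cert_validity()` below repeats the same parsing.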
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname):
 raise ValueError("not a CA certificate")
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a CA')
+self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a CA.'
+raise ValueError(msg)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d7692ec..62ebba3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -38,6 +38,8 @@
 
 assert_error = tasks.assert_error
 
+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+
 
 def get_install_stdin(cert_passwords=()):
 lines = [
@@ -495,9 +497,8 @@ def test_expired_http(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in http.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_expired_ds(self):
@@ -511,9 +512,8 @@ def test_expired_ds(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in dirsrv.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in dirsrv.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_http_bad_usage(self):
@@ -884,9 +884,8 @@ def test_expired_http(self):
 result = self.prepare_replica(http_pkcs12='http.p12',
   dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in http.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 

[Freeipa-devel] [freeipa PR#757][comment] ca, kra install: validate DM password

2017-05-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/757
Title: #757: ca, kra install: validate DM password

stlaz commented:
"""
You forgot an import in ipa-ca-install:
```
* Module ipa-ca-install

install/tools/ipa-ca-install:37: [W0611(unused-import), ] Unused ScriptError 
imported from ipapython.admintool)
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/757#issuecomment-301058163

Re: [Freeipa-devel] Don't work with Pagure right now

2017-05-12 Thread Standa Laznicka

On 05/12/2017 08:36 AM, Standa Laznicka wrote:
> Hello,
>
> This morning I found out that "https://pagure.io/freeipa/" resolves to 
> a different project, originally https://pagure.io/freeIPA/. I pointed 
> the problem out to the developer of the system, we'll see what he can do 
> about it, but for now, we're missing about 200 issues.
>
> Please, don't open any new issues, as that's just pointless and would 
> only cause us problems as these would need to be merged back to our 
> project (should it be recoverable, which I hope it should).
>
> Luckily enough, `git clone https://g...@pagure.io/freeipa.git` seemed 
> to have resolved to the correct repo so our git repos should hopefully 
> not be affected.
>
> Sorry for the inconvenience,
> Standa


Hopefully everything is back on track now.



[Freeipa-devel] [freeipa PR#728][+ack] ipa-cacert-manage: add --external-ca-type

2017-05-12 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

Label: +ack

[Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type

2017-05-12 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

dkupka commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/728#issuecomment-301046744

[Freeipa-devel] [freeipa PR#728][comment] ipa-cacert-manage: add --external-ca-type

2017-05-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/728
Title: #728: ipa-cacert-manage: add --external-ca-type

stlaz commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/728#issuecomment-301043646

[Freeipa-devel] [freeipa PR#783][opened] Provide useful messages during cert verification

2017-05-12 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/783
Author: stlaz
 Title: #783: Provide useful messages during cert verification
Action: opened

PR body:
"""
When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/783/head:pr783
git checkout pr783
From 159ed99baebf29fcd928e5fdbc27036564243414 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 12 May 2017 10:41:08 +0200
Subject: [PATCH] Provide useful messages during cert verification

When the certificate verification was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.
---
 ipapython/certdb.py  | 26 --
 ipatests/test_integration/test_caless.py | 32 ++--
 2 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 4d7f6e7..b86a705 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,8 @@
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+BAD_USAGE_ERR = 'Certificate key usage inadequate for attempted operation.'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
@@ -547,9 +549,15 @@ def verify_server_cert_validity(self, nickname, hostname):
 cert = x509.load_certificate(cert, x509.DER)
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'V'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a SSL server')
+self.run_certutil(['-V', '-n', nickname, '-u', 'V'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a SSL server.'
+raise ValueError(msg)
 
 try:
 x509.match_hostname(cert, hostname)
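Review bot: indexing `e.output.split(': ')[2]` ties the error handling to one exact certutil output format; a failure that does not match it (for example a missing or unreadable NSS database) turns into an `IndexError` from inside the verification code rather than a message. A `partition('certificate is invalid: ')` with a fallback to the full stripped output keeps the improved messages without that failure mode.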
@@ -573,6 +581,12 @@ def verify_ca_cert_validity(self, nickname):
 raise ValueError("not a CA certificate")
 
 try:
-self.run_certutil(['-V', '-n', nickname, '-u', 'L'])
-except ipautil.CalledProcessError:
-raise ValueError('invalid for a CA')
+self.run_certutil(['-V', '-n', nickname, '-u', 'L'],
+  capture_output=True)
+except ipautil.CalledProcessError as e:
+# certutil output in case of error is
+# 'certutil: certificate is invalid: \n'
+msg = e.output.split(': ')[2].strip()
+if msg == BAD_USAGE_ERR:
+msg = 'invalid for a CA.'
+raise ValueError(msg)
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index d7692ec..62ebba3 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -38,6 +38,8 @@
 
 assert_error = tasks.assert_error
 
+CERT_EXPIRED_MSG = "Peer's Certificate has expired."
+
 
 def get_install_stdin(cert_passwords=()):
 lines = [
@@ -495,9 +497,8 @@ def test_expired_http(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in http.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_expired_ds(self):
@@ -511,9 +512,8 @@ def test_expired_ds(self):
 result = self.install_server(http_pkcs12='http.p12',
  dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in dirsrv.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in dirsrv.p12 is not valid: {err}'
+ .format(err=CERT_EXPIRED_MSG))
 
 @server_install_teardown
 def test_http_bad_usage(self):
@@ -884,9 +884,8 @@ def test_expired_http(self):
 result = self.prepare_replica(http_pkcs12='http.p12',
   dirsrv_pkcs12='dirsrv.p12')
 assert_error(result,
- 'The server certificate in http.p12 is not valid: '
- "(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has "
- 'expired.')
+ 'The server certificate in 

[Freeipa-devel] [WIKI DRAFT] Files to be attached to bug reports

2017-05-12 Thread Martin Bašti

Hello all,

I created a wiki page that should help people to provide the right logs for 
investigation depending on the issue.


https://www.freeipa.org/page/Files_to_be_attached_to_bug_report

Feel free to fix errors, update sections, add new sections or provide 
feedback. Once this page is polished I will link it to the wiki in the right places.



Martin^2

--
Martin Bašti
Software Engineer
Red Hat Czech


[Freeipa-devel] Don't work with Pagure right now

2017-05-12 Thread Standa Laznicka

Hello,

This morning I found out that "https://pagure.io/freeipa/" resolves to a 
different project, originally https://pagure.io/freeIPA/. I pointed the 
problem out to the developer of the system, we'll see what he can do about 
it, but for now, we're missing about 200 issues.


Please, don't open any new issues, as that's just pointless and would 
only cause us problems as these would need to be merged back to our 
project (should it be recoverable, which I hope it should).


Luckily enough, `git clone https://g...@pagure.io/freeipa.git` seemed to 
have resolved to the correct repo so our git repos should hopefully not 
be affected.


Sorry for the inconvenience,
Standa
