[Freeipa-devel] [PATCH] 0002 Add support for user parameter for /ipa/ui/reset_password.html

2016-01-25 Thread Pavel Vomacka
Hello again, 

another patch is ready for reviewing. Now it is the patch which adds support 
for user parameter for /ipa/ui/reset_password.html page. That means that you 
can prefill username field by using url parameter 'user'. Here is the ticket 
link: https://fedorahosted.org/freeipa/ticket/5001 .

Pavel Vomacka 
Intern

From 1ee0ea7aad2ccb39a070e3a5dc4a8732a2ff08cc Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 25 Jan 2016 14:44:51 +0100
Subject: [PATCH] Add support for the 'user' url parameter for the
 reset_password.html

The /ipa/ui/reset_password.html page is now able to use url parameter 'user'. The value of this parameter is used for pre-filling the username field.

https://fedorahosted.org/freeipa/ticket/5001
---
 install/ui/reset_password.js | 4 
 1 file changed, 4 insertions(+)

diff --git a/install/ui/reset_password.js b/install/ui/reset_password.js
index 2e0db7db8049aa3edc9bccbfe87b7224d3a68878..8dcdefdd03295450a715405a2cf8d66f9bbc44ac 100644
--- a/install/ui/reset_password.js
+++ b/install/ui/reset_password.js
@@ -207,6 +207,10 @@ RP.redir_count_down = function() {
 
 
 RP.init = function() {
+var opts = RP.parse_uri();
+if (opts['user']) {
+$("#user").val(opts['user']);
+}
 
 $('#reset_password').submit(function() {
 RP.on_submit();
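Review bot: The value passed to $("#user").val(opts['user']) in RP.init comes straight from the page URL, so whoever supplies the link controls what appears in the username field. .val() sets the field value as text and does not parse markup, which is the right sink; keep it that way and do not later write opts['user'] into the page through .html() or .append(). RP.parse_uri is not part of this hunk, so please confirm that it percent-decodes the value, so that a username containing '@' or '+' prefills correctly, and add a short comment above the new lines naming the supported parameter.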
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0031] ipatests: fix the install of external ca

2016-01-25 Thread Milan Kubík

On 01/22/2016 02:22 PM, Martin Babinsky wrote:

On 01/19/2016 05:56 PM, Milan Kubík wrote:

On 01/19/2016 05:31 PM, Milan Kubík wrote:

Patch attached.




This actually has a ticket opened. Patch with fixed commit message. ;)

--
Milan Kubik





Hi Milan,

for the step 1 installation I would rather reuse the 
tasks:install_master function which already does (nearly) all CLI 
option-related magic. You can extend its signature by adding a 
parameter to pass on additional options like this:


--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -258,7 +258,7 @@ def enable_replication_debugging(host):
  stdin_text=logging_ldif)


-def install_master(host, setup_dns=True, setup_kra=False):
+def install_master(host, setup_dns=True, setup_kra=False, 
extra_args=()):

 host.collect_log(paths.IPASERVER_INSTALL_LOG)
 host.collect_log(paths.IPACLIENT_INSTALL_LOG)
 inst = host.domain.realm.replace('.', '-')
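Review bot: The new extra_args parameter in the install_master signature is undocumented, and no docstring is visible in the context lines. Add one stating that extra_args is a sequence of additional installer command-line options appended after the built-in ones. The immutable () default is the right choice over a list.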
@@ -284,6 +284,8 @@ def install_master(host, setup_dns=True, 
setup_kra=False):

 '--auto-reverse'
 ])

+args.extend(extra_args)
+
 host.run_command(args)
 enable_replication_debugging(host)
 setup_sssd_debugging(host)
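Review bot: args.extend(extra_args) accepts any iterable, so a caller that passes a single string instead of a list or tuple gets it split into one argument per character before host.run_command(args) runs. Reject str explicitly or wrap it in a list before the extend. Because the extra options land after '--auto-reverse' and the other defaults, a caller can only add options, not drop or replace a default; the docstring should say so.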

Thanks for the suggestion. Though, this is not possible without larger 
changes to tasks.install_master. The external ca test needs to skip 
several steps that occur in the general install task. In this case, I'd 
remain with customized install in the test itself.


--
Milan Kubik


[Freeipa-devel] [PATCH] 0007 Refactor test_sudocmd_plugin

2016-01-25 Thread Filip Skola
Hello,

attaching refactored sudocmd_plugin.

Filip

From ad926d3a9bdf4fae2504c60e0facb26485f91941 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Mon, 18 Jan 2016 13:56:44 +0100
Subject: [PATCH] Refactor test_sudocmd_plugin

---
 ipatests/test_xmlrpc/test_sudocmd_plugin.py | 561 +---
 1 file changed, 262 insertions(+), 299 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_sudocmd_plugin.py b/ipatests/test_xmlrpc/test_sudocmd_plugin.py
index 2056118ba763be45e78ddf6643059e32d7680af8..bf056a606248d001889af3ee8d9dcec7118be502 100644
--- a/ipatests/test_xmlrpc/test_sudocmd_plugin.py
+++ b/ipatests/test_xmlrpc/test_sudocmd_plugin.py
@@ -21,309 +21,272 @@
 Test the `ipalib/plugins/sudocmd.py` module.
 """
 
-from ipalib import errors
-from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_sudocmddn,
-fuzzy_uuid)
+from ipalib import api, errors
+from ipatests.util import assert_deepequal
+from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_sudocmddn,
+  fuzzy_uuid, raises_exact)
 from ipatests.test_xmlrpc import objectclasses
+from nose.tools import raises
 import pytest
 
-sudocmd1 = u'/usr/bin/sudotestcmd1'
-sudocmd1_camelcase = u'/usr/bin/sudoTestCmd1'
 
-sudorule1 = u'test_sudorule1'
+sudocmd_nonexistent = u'testing_sudocmd'
+sudocmd1_desc = u'Test sudo command 1'
+sudocmd2_desc = u'Test sudo command 2'
+
+
+def create_sudocmd(command, description):
+""" Create sudocmd and check the result """
+result = api.Command['sudocmd_add'](
+command, description=description
+)
+assert_deepequal(dict(
+value=command,
+summary=u'Added Sudo Command "%s"' % command,
+result=dict(
+dn=fuzzy_sudocmddn,
+sudocmd=[command],
+description=[description],
+objectclass=objectclasses.sudocmd,
+ipauniqueid=[fuzzy_uuid])),
+result)
+
+
+def delete_sudocmd(command):
+""" Delete sudocmd and check the result """
+result = api.Command['sudocmd_del'](command)
+assert_deepequal(dict(
+value=[command],
+summary=u'Deleted Sudo Command "%s"' % command,
+result=dict(failed=[])),
+result)
+
+
+@pytest.fixture(scope='class')
+def sudocmd1(request):
+command = u'/usr/bin/sudotestcmd1'
+description = sudocmd1_desc
+create_sudocmd(command, description)
+
+def fin():
+delete_sudocmd(command)
+request.addfinalizer(fin)
+return command
+
+
+@pytest.fixture(scope='class')
+def sudocmd2(request):
+command = u'/usr/bin/sudoTestCmd1'
+description = sudocmd2_desc
+create_sudocmd(command, description)
+
+def fin():
+delete_sudocmd(command)
+request.addfinalizer(fin)
+return command
+
+
+@pytest.fixture(scope='class')
+def sudorule1(request):
+name = u'test_sudorule1'
+
+def fin():
+api.Command['sudorule_del'](name)
+request.addfinalizer(fin)
+return name
+
+
+@pytest.mark.tier1
+class TestNonexistentSudoCmd(XMLRPC_test):
+@raises(errors.NotFound)
+def test_retrieve_nonexistent(self):
+""" Try to retrieve non-existent sudocmd """
+api.Command['sudocmd_show'](sudocmd_nonexistent)
+
+@raises(errors.NotFound)
+def test_update_nonexistent(self):
+""" Try to update non-existent sudocmd """
+api.Command['sudocmd_mod'](sudocmd_nonexistent, description=u'Nope')
+
+@raises(errors.NotFound)
+def test_delete_nonexistent(self):
+""" Try to delete non-existent sudocmd """
+api.Command['sudocmd_del'](sudocmd_nonexistent)
+
+
+@pytest.mark.tier1
+class TestSudoCmd(XMLRPC_test):
+def test_create(self, sudocmd1, sudocmd2):
+""" Create sudocmd and sudocmd with camelcase'd command """
+# sudocmds get created by the fixtures
+
+def test_create_duplicate(self, sudocmd1):
+""" Try to create duplicate sudocmd """
+with raises_exact(errors.DuplicateEntry(
+message=u'sudo command with name "%s" already exists' % sudocmd1)):
+create_sudocmd(sudocmd1, '')
+
+def test_create_duplicate_camelcase(self, sudocmd2):
+""" Try to create duplicate camelcase'd sudocmd """
+with raises_exact(errors.DuplicateEntry(
+message=u'sudo command with name "%s" already exists' % sudocmd2)):
+create_sudocmd(sudocmd2, '')
+
+def test_retrieve(self, sudocmd1):
+""" Retrieve sudocmd """
+result = api.Command['sudocmd_show'](sudocmd1)
+assert_deepequal(dict(
+value=sudocmd1,
+summary=None,
+result=dict(
+dn=fuzzy_sudocmddn,
+sudocmd=[sudocmd1],
+description=[sudocmd1_desc])),
+result)
+
+def test_search(self, sudocmd1):
+""" Search for sudocmd """
+result = api.Command['sudocmd_find'](sudocmd1)
+assert_deepequal(dict(
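Review bot: The sudorule1 fixture only returns a name and registers a finalizer that calls sudorule_del; it never creates the rule, so teardown raises NotFound whenever the test expected to create it fails or is skipped. Create the rule inside the fixture, or catch errors.NotFound in fin(). Separately, the sudocmd1 and sudocmd2 fixtures differ only in command and description and could share one helper, the @raises decorator from nose.tools sits beside raises_exact and pytest in the same module, and create_sudocmd(sudocmd1, '') passes a plain '' where every other literal is u''.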

Re: [Freeipa-devel] [PATCH] 0760 - Split ipa-client/ into ipaclient/ and client/

2016-01-25 Thread Jan Cholasta

On 14.1.2016 17:49, Petr Viktorin wrote:

On 01/14/2016 11:09 AM, Jan Cholasta wrote:

On 14.1.2016 10:48, Petr Viktorin wrote:

On 01/14/2016 07:55 AM, Jan Cholasta wrote:

Hi,

On 13.1.2016 13:03, Martin Babinsky wrote:

On 01/13/2016 11:34 AM, Petr Viktorin wrote:

Hello,
I'm planning to port the ipa-client to Python 3, and I'm likely to end
up shaking out some dusty corners of the codebase, rather than
doing the
minimal amount of work :)
So I'd like to get your opinions before I commit significant time to
this.


Here's a patch for review.
(I'm sending the full diff for applying; the result is nicer to look at
with `git show -C`)



[...]

client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in
/usr/sbin)


I would rather s/client-tools/client/, as this stuff goes into the
freeipa-*client* subpackage.


OK. It's just that there's no admintools/ or server/ either.

Putting the scripts into install/tools/ (or install/client/) is another
possibility.


Right. I guess we have to decide whether we want a directory layout
based on the component/subpackage or not. install/tools/ works for me
equally well.


I put the scripts in client/. IPA supports building just the client
bits, and that's easier if the server and client scripts are separate.


I'm not sure if this is what you are suggesting or not, but I would like
the man page files to be in the same directory as the corresponding
source code files.


Do you mean not having the man/ subdirectory?


Yes. (I don't insist though.)


Even if you did insist, I think it would be better to ditch
install/tools/man/ and ipatests/man/ at the same time as client/man/, so
I'm leaving this for a potential future patch.


It could be done gradually (there already is /ipa.1 for /ipa), but OK.

The patch needs a rebase on top of master and ipa-4-3. Otherwise ACK.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2016-01-25 Thread Aleš Mareček
Tested + several other dependent tests executed as well - PASS.
The patch looks good, ACK.

- Original Message -
> From: "Filip Skola" 
> To: "Milan Kubík" 
> Cc: freeipa-devel@redhat.com, "Aleš Mareček" 
> Sent: Monday, January 25, 2016 11:55:35 AM
> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> 
> 
> 
> - Original Message -
> > On 01/15/2016 03:41 PM, Filip Skola wrote:
> > > Hi,
> > >
> > > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.
> > >
> > > Includes a "fix" for the rename-to-invalid-username issue for the new
> > > version.
> > >
> > > F.
> > >
> > > - Original Message -
> > >> Hi,
> > >>
> > >> I don't know what is causing the \r\n issue. I use vim and then send each
> > >> email with claws-mail. Didn't spot this issue when trying emailing the patch
> > >> to my other address. I'm trying to send it from zimbra now, let me know if
> > >> that helped pls.
> > >>
> > >> Fix for the stageuser plugin issues caused by this patch should have been
> > >> included in the last update; I think the remaining issue is not caused by
> > >> UserTracker changes. Please correct me, if I'm wrong.
> > >>
> > >>> There is some issue with "test_rename_to_too_long_login" test. It fails but
> > >>> actually this is false positive because it is possible to create login up to
> > >>> 255 characters. I don't know why test mentions 32 characters without any
> > >>> other modified setup.
> > >>> NACK for now.
> > >>>   - alich -
> > >> This has been changed. This test still fails, though.
> > >>
> > >> Filip
> > >>
> > >>>
> > >>> - Original Message -
> >  From: "Aleš Mareček" 
> >  To: "Filip Škola" 
> >  Cc: freeipa-devel@redhat.com, "Milan Kubík" 
> >  Sent: Thursday, December 10, 2015 4:11:47 PM
> >  Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > 
> >  Ah, sorry, haven't realized there had been devel list attached.
> >  Ok, there is some problem with \r\n in the patch.
> >  Filip, please take a look at it...
> >  Thanks...
> >    - alich -
> > 
> >  - Original Message -
> > > From: "Filip Škola" 
> > > To: "Aleš Mareček" 
> > > Cc: freeipa-devel@redhat.com, "Milan Kubík" 
> > > Sent: Thursday, December 10, 2015 11:29:52 AM
> > > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > >
> > > Hi,
> > >
> > > > this is fixed. Also issues with test_stageuser_plugin caused by
> > > UserTracker changes should be fixed here.
> > >
> > > Filip
> > >
> > >
> > > On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
> > > Aleš Mareček  wrote:
> > >
> > >> NACK.
> > >>
> > >> $ ./make-lint
> > >> * Module ipatests.test_xmlrpc.test_user_plugin
> > >> ipatests/test_xmlrpc/test_user_plugin.py:42:
> > >> [E0611(no-name-in-module), ] No name 'ldaptracker' in module
> > >> 'ipatests.test_xmlrpc')
> > >>
> > >> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
> > >> from ipatests.test_xmlrpc.ldaptracker import Tracker
> > >> $ ls ipatests/test_xmlrpc/ldaptracker*
> > >> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
> > >> directory
> > >>
> > >>
> > >> - Original Message -
> > >>> From: "Filip Škola" 
> > >>> To: "Milan Kubík" 
> > >>> Cc: freeipa-devel@redhat.com
> > >>> Sent: Thursday, December 3, 2015 5:38:43 PM
> > >>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> > >>>
> > >>> Hi,
> > >>>
> > >>> sending corrected version.
> > >>>
> > >>> F.
> > >>>
> > >>> On Thu, 12 Nov 2015 14:03:19 +0100
> > >>> Milan Kubík  wrote:
> > >>>
> >  On 11/10/2015 12:13 PM, Filip Škola wrote:
> > > Hi,
> > >
> > > fixed.
> > >
> > > F.
> > >
> > > On Tue, 10 Nov 2015 10:52:45 +0100
> > > Milan Kubík  wrote:
> > >
> > >> On 11/09/2015 04:35 PM, Filip Škola wrote:
> > >>> Another patch was applied in the meantime.
> > >>>
> > >>> Attaching an updated version.
> > >>>
> > >>> F.
> > >>>
> > >>> On Mon, 9 Nov 2015 13:35:02 +0100
> > >>> Milan Kubík  wrote:
> > >>>
> >  On 11/06/2015 11:32 AM, Filip Škola wrote:
> >  Hi,
> >  the patch doesn't apply.
> > 
> > >> Please fix this.
> > >>
> > >>ipatests/test_xmlrpc/test_user_plugin.py:1419:
> > 

Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2016-01-25 Thread Martin Basti



On 25.01.2016 15:12, Aleš Mareček wrote:

Tested + several other dependent tests executed as well - PASS.
The patch looks good, ACK.

- Original Message -

From: "Filip Skola" 
To: "Milan Kubík" 
Cc: freeipa-devel@redhat.com, "Aleš Mareček" 
Sent: Monday, January 25, 2016 11:55:35 AM
Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin



- Original Message -

On 01/15/2016 03:41 PM, Filip Skola wrote:

Hi,

sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.

Includes a "fix" for the rename-to-invalid-username issue for the new
version.

F.

- Original Message -

Hi,

I don't know what is causing the \r\n issue. I use vim and then send each
email with claws-mail. Didn't spot this issue when trying emailing the patch
to my other address. I'm trying to send it from zimbra now, let me know if
that helped pls.

Fix for the stageuser plugin issues caused by this patch should have been
included in the last update; I think the remaining issue is not caused by
UserTracker changes. Please correct me, if I'm wrong.


There is some issue with "test_rename_to_too_long_login" test. It fails but
actually this is false positive because it is possible to create login up to
255 characters. I don't know why test mentions 32 characters without any
other modified setup.
NACK for now.
   - alich -

This has been changed. This test still fails, though.

Filip


- Original Message -

From: "Aleš Mareček" 
To: "Filip Škola" 
Cc: freeipa-devel@redhat.com, "Milan Kubík" 
Sent: Thursday, December 10, 2015 4:11:47 PM
Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

Ah, sorry, haven't realized there had been devel list attached.
Ok, there is some problem with \r\n in the patch.
Filip, please take a look at it...
Thanks...
   - alich -

- Original Message -

From: "Filip Škola" 
To: "Aleš Mareček" 
Cc: freeipa-devel@redhat.com, "Milan Kubík" 
Sent: Thursday, December 10, 2015 11:29:52 AM
Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

Hi,

this is fixed. Also issues with test_stageuser_plugin caused by
UserTracker changes should be fixed here.

Filip


On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
Aleš Mareček  wrote:


NACK.

$ ./make-lint
* Module ipatests.test_xmlrpc.test_user_plugin
ipatests/test_xmlrpc/test_user_plugin.py:42:
[E0611(no-name-in-module), ] No name 'ldaptracker' in module
'ipatests.test_xmlrpc')

$ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
from ipatests.test_xmlrpc.ldaptracker import Tracker
$ ls ipatests/test_xmlrpc/ldaptracker*
ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
directory


- Original Message -

From: "Filip Škola" 
To: "Milan Kubík" 
Cc: freeipa-devel@redhat.com
Sent: Thursday, December 3, 2015 5:38:43 PM
Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

Hi,

sending corrected version.

F.

On Thu, 12 Nov 2015 14:03:19 +0100
Milan Kubík  wrote:


On 11/10/2015 12:13 PM, Filip Škola wrote:

Hi,

fixed.

F.

On Tue, 10 Nov 2015 10:52:45 +0100
Milan Kubík  wrote:


On 11/09/2015 04:35 PM, Filip Škola wrote:

Another patch was applied in the meantime.

Attaching an updated version.

F.

On Mon, 9 Nov 2015 13:35:02 +0100
Milan Kubík  wrote:


On 11/06/2015 11:32 AM, Filip Škola wrote:
Hi,
the patch doesn't apply.


Please fix this.

ipatests/test_xmlrpc/test_user_plugin.py:1419:
[E0602(undefined-variable),
TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
variable 'user1')

Also, use the version numbers for your changed patches.


Thanks for the patch. Several issues:

1. Use dict.items instead of dict.iteritems, for python3
compatibility

2. What is the purpose of TestPrepare class? The 'purge' methods
do not call any ipa commands.
Tracker.make_fixture should be used to make the Tracked resources
clean themselves up when they're out of scope.

3. Why reference the resources by hardcoded name if they have a
fixture representation?

4. Rewrite {create,delete}_test_group to a fixture. You may want
to use different scope (or not).

5. In `def atest_rename_to_invalid_login(self, user):` - use
pytest.skipif decorator and provide a reason if you must,
do not obfuscate method name in order not to run it.




NACK, there are errors occurring that do not 

Re: [Freeipa-devel] [PATCH 0408] CI DNSSEC: add missing glue record

2016-01-25 Thread Martin Basti



On 23.01.2016 10:34, Petr Spacek wrote:

On 22.1.2016 17:47, Martin Basti wrote:

-# make BIND happy, and delegate zone which contains A record of master
+# make BIND happy: add the glue record and delegate zone
+args = [
+"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
+"--a-rec=" + self.master.ip
+]
+self.master.run_command(args)
+time.sleep(10)  # sleep a bit until data are provided by 
bind-dyndb-ldap
+
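Review bot: The time.sleep(10) after the dnsrecord-add call is a fixed wait for bind-dyndb-ldap to serve the new glue record, which is longer than needed on a fast host and not guaranteed to be enough on a slow one. Poll for the A record with a timeout instead (query self.master.domain.name until the answer is self.master.ip) and fail the test with a clear message if the timeout expires.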

LGTM, ACK. In the worst case it will not fix the test :-)


Pushed to:
ipa-4-3: 47422b0f3913e352cd28cac24128afed178701e8
master: cdf08a0a869f83a6111d9560b69c582d2c04f89c



Re: [Freeipa-devel] [PATCH] 948 stop installer when setup-ds.pl fail

2016-01-25 Thread Martin Basti



On 22.01.2016 10:17, Martin Babinsky wrote:

On 01/21/2016 07:28 PM, Petr Vobornik wrote:


Petr Vobornik

ACK.


Pushed to:
master: b0894a84932c3b02c495f29b7c110dd072da745f
ipa-4-3: 0b2961e87c1978dc49395aba6df50269ef359ba4



Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs

2016-01-25 Thread Stanislav Laznicka

Hi,

Worked those comments into the code. Also added a bit different info 
message in clean_ruv with ca=True (ipa-replica-manage:430).


Also adding steps to reproduce:
1. Create a master and some replica (3 replicas is a good solution - 1 
with CA, 1 without, 1 to be dangling (with CA))

2. Change domain level to 0 and ipactl restart
3. Remove the "dangling-to-be" replica from masters.ipa.etc and from 
both ipaca and domain subtrees in mapping tree.config

4. Try to remove the dangling ruvs with the command

Cheers,
Standa


On 01/22/2016 01:22 PM, Martin Basti wrote:

Hello,

I have a few comments

PATCH Automatically detect and remove dangling RUVs

1)
+# get the Directory Manager password
+if options.dirman_passwd:
+dirman_passwd = options.dirman_passwd
+else:
+dirman_passwd = installutils.read_password('Directory Manager',
+confirm=False, validate=False, retry=False)
+if dirman_passwd is None:
+sys.exit('Directory Manager password is required')
+
+options.dirman_passwd = dirman_passwd

IMO you need only else branch here

# prompt only when the password was not given as an option
if not options.dirman_passwd:
    dirman_passwd = installutils.read_password('Directory Manager',
        confirm=False, validate=False, retry=False)
    if dirman_passwd is None:
        sys.exit('Directory Manager password is required')
    options.dirman_passwd = dirman_passwd


2)
We should use new formatting in new code (more times in code)

+sys.exit(
+"Failed to get data from '%s' while trying to list 
replicas: %s" %

+(host, e)
+)

sys.exit(
    "Failed to get data from '{host}' while trying to list "
    "replicas: {e}".format(host=host, e=e)
)

3)
+# get all masters
+masters_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ipautil.realm_to_suffix(realm))

IMO you should use constants:
 masters_dn = DN(api.env.container_masters, api.env.basedn)

4)
+# Get realm string for config tree
+s = realm.split('.')
+s = ['dc={dc},'.format(dc=x.lower()) for x in s]
+realm_config = DN(('cn', ''.join(s)[0:-1]))

Can be api.env.basedn used instead of this block of code?

5)
+masters = [x.single_value['cn'] for x in masters]

+for master in masters:

is there any reason why not iterate over the keys in info dict?

for master_name, master_data/values/whatever in info.items():
   master_data['online'] = True

Looks better than: info[master]['online'] = True

6)
I asked python gurus, for empty lists and dicts, please use [] and {} 
instead of list() and dict()

It is preferred and faster.

7)
+if(info[master]['ca']):
+entry = conn.get_entry(csreplica_dn)
+csruv = (master, 
entry.single_value.get('nsDS5ReplicaID'))

+if csruv not in csruvs:
+csruvs.append(csruv)

I don't like too much adding tuples into list and then doing search 
there, but it is as designed


However can you use set() instead of list when the purpose of variable 
is only testing existence?


related to:
csruvs
ruvs
offlines
clean_list
cleaned

8)
conn in finally block may be undefined

9)
unused local variables

clean_list
entry on line 570

10)
optional, comment what keys means in info structure



From a1421841c88ab233179f175f49000995b2db4acc Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 18 Dec 2015 10:30:44 +0100
Subject: [PATCH 1/2] Listing and cleaning RUV extended for CA suffix

https://fedorahosted.org/freeipa/ticket/5411
---
 install/tools/ipa-replica-manage | 44 ++--
 ipaserver/install/replication.py |  2 +-
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index e4af7b2fd9a40482dfa75d275d528221a1bc22ad..d0a9598985a0c43a25c04ba9a0005eb231052fd1 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -345,7 +345,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 
 return True
 
-def get_ruv(realm, host, dirman_passwd, nolookup=False):
+def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
 """
 Return the RUV entries as a list of tuples: (hostname, rid)
 """
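Review bot: get_ruv gains a ca flag, but the docstring kept as context ("Return the RUV entries as a list of tuples: (hostname, rid)") does not say what ca=True changes. Extend the docstring to state that ca=True returns the RUV entries of the CA suffix.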
@@ -354,7 +354,10 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False):
 enforce_host_existence(host)
 
 try:
-thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
+if ca:
+thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd)
+else:
+thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
 except Exception as e:
 print("Failed to connect to server %s: %s" % (host, e))
 sys.exit(1)
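Review bot: With ca=True the except branch still prints only "Failed to connect to server %s: %s", so the operator cannot tell whether the domain or the CA replication manager failed; include the suffix in the message. The added get_cs_replication_manager(realm, host, dirman_passwd) line also runs past 79 columns once indented and should be wrapped.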
@@ -362,7 +365,7 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False):
 

[Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-25 Thread Ludwig Krispenz

Hi,

this is from a discussion on the user-list, there is a difference in 
acis on 4.2.0 and 4.2.3


this is the aci which is present in 4.2.0 and is missing in 4.2.3:

aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
 timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
 t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
 sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
 5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
 nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
 eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
 icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
 tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
 calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
 er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
 nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
 plicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributeli
 st || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replic
 atombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || n
 sds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsd
 s7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenable
 d || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicas
 ubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync ||
  winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsub
 treepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replic
 a)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationA
 greement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: R
 ead Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn
 =System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipatestdomai
 n,dc=net";)

does anybody know if and why this was changed ?



On 01/24/2016 03:22 AM, Nathan Peters wrote:

# config
dn: cn=config
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (r
  ead, search, compare) userdn ="ldap:///uid=pkidbuser,ou=people,o=ipaca;;)
aci: (target ="ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(
  targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership T
  ask";allow (add) groupdn = "ldap:///cn=Add  Automember Rebuild Membership Task
  ,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ob
  jectclass || passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,cn=plu
  gins,cn=config")(version 3.0;acl "permission:Read PassSync Managers Configura
  tion";allow (compare,read,search) groupdn = "ldap:///cn=Read  PassSync Manager
  s Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "passsyncmanagersdns*")(target = "ldap:///cn=ipa_pwd_extop,
  cn=plugins,cn=config")(version 3.0;acl "permission:Modify PassSync Managers C
  onfiguration";allow (write) groupdn = "ldap:///cn=Modify  PassSync Managers Co
  nfiguration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || ns
  slapd-directory* || objectclass")(target = "ldap:///cn=config,cn=ldbm  databas
  e,cn=plugins,cn=config")(version 3.0;acl "permission:Read LDBM Database Confi
  guration";allow (compare,read,search) groupdn = "ldap:///cn=Read  LDBM Databas
  e Configuration,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) g
  roupdn = "ldap:///cn=Add  Configuration Sub-Entries,cn=permissions,cn=pbac,dc=
  ipatestdomain,dc=net";)
aci: (targetattr = "cn || createtimestamp || description || entryusn || modify
  timestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeou
  t || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || n
  sds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds
  5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount ||
  nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacl
  eanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5repl
  icahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinits
  tart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5repli
  calastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsum
  er || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout ||
  nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5re
  plicasessionpausetime || 

Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

2016-01-25 Thread Filip Skola


- Original Message -
> On 01/15/2016 03:38 PM, Filip Skola wrote:
> > Hi,
> >
> > sending rebased patch.
> >
> > F.
> >
> > - Original Message -
> >> Hello,
> >>
> >> sorry for delays. The patch no longer applies to master. Rebase it,
> >> please.
> >>
> >> Milan
> >>
> >> - Original Message -
> >> From: "Filip Škola" 
> >> To: "Milan Kubík" 
> >> Cc: freeipa-devel@redhat.com
> >> Sent: Wednesday, 9 December, 2015 7:01:02 PM
> >> Subject: Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin
> >>
> >> On Mon, 7 Dec 2015 17:49:18 +0100
> >> Milan Kubík  wrote:
> >>
> >>> On 12/03/2015 08:15 PM, Filip Škola wrote:
>  On Mon, 30 Nov 2015 17:18:30 +0100
>  Milan Kubík  wrote:
> 
> > On 11/23/2015 04:42 PM, Filip Škola wrote:
> >> Sending updated patch.
> >>
> >> F.
> >>
> >> On Mon, 23 Nov 2015 14:59:34 +0100
> >> Filip Škola  wrote:
> >>
> >>> Found couple of issues (broke some dependencies).
> >>>
> >>> NACK
> >>>
> >>> F.
> >>>
> >>> On Fri, 20 Nov 2015 13:56:36 +0100
> >>> Filip Škola  wrote:
> >>>
>  Another one.
> 
>  F.
> > Hi, the tests look good. Few remarks, though.
> >
> > > 1. Please, use the shortest copyright notice in new modules.
> >
> >#
> ># Copyright (C) 2015  FreeIPA Contributors see COPYING for
> > license #
> >
> > 2. The tests `test_group_remove_group_from_protected_group` and
> > `test_group_full_set_of_objectclass_not_available_post_detach`
> > were not ported. Please, include them in the patch.
> >
> > Also, for less hassle, please rebase your patches on top of
> > freeipa-mkubik-0025-3-Separated-Tracker-implementations-into-standalone-pa.patch
> > Which changes the location of tracker implementations and prevents
> > circular imports.
> >
> > Thanks.
> >
> 
>  Hi,
> 
>  these cases are there, in corresponding classes. They are marked
>  with the original comments. (However I can move them to separate
>  class if desirable.)
> 
>  The copyright notice is changed. Also included a few changes in the
>  test with user without private group.
> 
>  Filip
> >>> NACK
> >>>
> >>> linter:
> >>> * Module tracker.group_plugin
> >>> ipatests/test_xmlrpc/tracker/group_plugin.py:257:
> >>> [E0102(function-redefined), GroupTracker.check_remove_member] method
> >>> already defined line 253)
> >>>
> >>> Probably a leftover after the rebase made on top of my patch. Please
> >>> fix it. You can check your changes by make-lint script before
> >>> sending them.
> >>>
> >>> Thanks
> >>>
> >>
> >> Hi,
> >>
> >> I learned to use make-lint!
> >>
> >> Thanks,
> >> F.
> >>
> Hello,
> 
> NACK, pylint doesn't seem to like the way the fixtures are imported
> (pytest does a lot of runtime magic) [1].
> One possible solution would be [2]. Though, I don't think this would be
> a good idea in our environment. I suggest to create the fixtures on per
> module basis.
> 
> 
> [1]: http://fpaste.org/311949/53118942/
> [2]:
> https://pytest.org/latest/fixture.html#using-fixtures-from-classes-modules-or-projects
> 
> --
> Milan Kubik
> 
> 

Hi,

the fixtures were copied into corresponding module. Please note that this patch 
has a dependence on my patch 0001 (user plugin).

Filip

From d0f1815a2df4a98354cdd73360fe8e861368c0f3 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Mon, 9 Nov 2015 16:48:55 +0100
Subject: [PATCH] Refactor test_group_plugin, use GroupTracker for tests

---
 ipatests/test_xmlrpc/test_group_plugin.py | 1758 +
 ipatests/test_xmlrpc/test_stageuser_plugin.py |4 +-
 ipatests/test_xmlrpc/tracker/group_plugin.py  |  146 +-
 3 files changed, 755 insertions(+), 1153 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
index 6eb57c12f18d125de04beefa056f53b4caff1d64..41d28f1cfdbc3d47ea9c47292394637770222ac2 100644
--- a/ipatests/test_xmlrpc/test_group_plugin.py
+++ b/ipatests/test_xmlrpc/test_group_plugin.py
@@ -1,6 +1,7 @@
 # Authors:
 #   Rob Crittenden 
 #   Pavel Zuna 
+#   Filip Skola 
 #
 # Copyright (C) 2008  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -23,1141 +24,666 @@ Test the `ipalib/plugins/group.py` module.
 
 import pytest
 
-from ipalib import api, errors
+from ipalib import errors
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.xmlrpc_test import (
-Declarative,
-fuzzy_digits,
-fuzzy_uuid,
-fuzzy_set_ci,
-add_sid,
-add_oc)
-from ipapython.dn import DN
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_oc,
+ 
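Review bot: the import block at the top of this hunk drops api, Declarative, add_sid, DN and get_user_result, and the archived copy ends right after the new "fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_oc," line, so nothing visible here shows that the rewritten module no longer references any of them. A leftover use would surface as pylint E0602 (undefined-variable) or as a NameError at test time, so please run ./make-lint on the final revision before resending. The commit message also has only a subject line; it should record the dependency on patch 0001 (user plugin), which is currently stated only in the cover mail.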

Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-25 Thread Martin Basti



On 25.01.2016 09:30, Ludwig Krispenz wrote:

Hi,

this is from a discussion on the user-list, there is a difference in 
acis on 4.2.0 and 4.2.3


this is the aci which is present in 4.2.0 and is missing in 4.2.3:

aci: (targetattr = "cn || createtimestamp || description || entryusn
  || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh
  || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv
  || nsds5replicaautoreferral || nsds5replicabackoffmax
  || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod
  || nsds5replicabusywaittime || nsds5replicachangecount
  || nsds5replicachangessentsincestartup || nsds5replicacleanruv
  || nsds5replicacleanruvnotified || nsds5replicacredentials
  || nsds5replicaenabled || nsds5replicahost || nsds5replicaid
  || nsds5replicalastinitend || nsds5replicalastinitstart
  || nsds5replicalastinitstatus || nsds5replicalastupdateend
  || nsds5replicalastupdatestart || nsds5replicalastupdatestatus
  || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport
  || nsds5replicaprotocoltimeout || nsds5replicapurgedelay
  || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime
  || nsds5replicastripattrs || nsds5replicatedattributelist
  || nsds5replicatedattributelisttotal || nsds5replicatimeout
  || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo
  || nsds5replicatype || nsds5replicaupdateinprogress
  || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree
  || nsds7dirsynccookie || nsds7newwingroupsyncenabled
  || nsds7newwinusersyncenabled || nsds7windowsdomain
  || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate
  || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval
  || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")
 (targetfilter = "(|(objectclass=nsds5Replica)
 (objectclass=nsds5replicationagreement)
 (objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")
 (version 3.0;acl "permission:System: Read Replication Agreements";allow
  (compare,read,search) groupdn = "ldap:///cn=System: Read Replication
  Agreements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)

does anybody know if and why this was changed ?

This ACI is created by 
ipaserver/install/plugins/update_managed_permissions.py


It hasn't been touched for a while, did upgrade/install work well?

Maybe re-running ipa-server-upgrade should recreate this entry.




On 01/24/2016 03:22 AM, Nathan Peters wrote:


Re: [Freeipa-devel] Fwd: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-25 Thread Ludwig Krispenz

Hi Martin,
this is what the guy on freeipa-users said he did:

>>>

I can now confirm that this is a 100% reproducible bug, and a pretty severe one 
at that.  You should be able to reproduce this issue at will if you follow 
these steps.  It may actually be possible with less servers and less steps, but 
here is what I did in a test lab today:

1. Create a brand new FreeIPA domain in CentOS 7.2 / FreeIPA 4.2.0 with 3 
servers, dc1, dc2, dc3, replicating any way you want.
3. Use ipa-replica-manage del dc2.ipatestdomain.net, and then delete the server 
/ vm / whatever you have it running on
3. Install Fedora 23 on the same IP address and hostname 
(dc2.ipatestdomain.net).  Install FreeIPA server 4.2.3 from replica file 
created on CA master (dc1).

Check aci on dc2.  You will notice it's now missing a bunch of stuff.  So 
basically, all it takes to lose that ACL is to create a Fedora FreeIPA server 
and join it to a CentOS domain.
After I had upgraded all 3 to Fedora, that ACL was lost permanently as it no 
longer existed on any server because there were no CentOS servers left.

<<<

If you have more questions on the test case, could you ask directly on 
the user list, thanks


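A check for the drift described in this thread (an ACI present on the 4.2.0 servers and absent on the 4.2.3 replica), as an added example that is not part of the original messages or of FreeIPA: it unfolds LDIF aci: values from two cn=config dumps and reports ACL names that are missing or changed. The function names, the sample dumps and the dc=example,dc=test suffix are constructed for illustration.

```python
import re

# ACL name in the (version 3.0; acl "..."; ...) clause; dumps use `acl` or `aci`.
ACL_NAME = re.compile(r'\bac[li]\s+"([^"]+)"')

def unfold(ldif_text):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def aci_by_name(ldif_text):
    """Return {ACL name: whitespace-normalised ACI value} for every aci: attribute."""
    acis = {}
    for line in unfold(ldif_text):
        if line.lower().startswith("aci:"):
            value = " ".join(line[4:].split())
            match = ACL_NAME.search(value)
            acis[match.group(1) if match else value] = value
    return acis

def diff_acis(reference_ldif, candidate_ldif):
    """Names missing from the candidate, and names whose ACI text differs."""
    ref, cand = aci_by_name(reference_ldif), aci_by_name(candidate_ldif)
    missing = sorted(set(ref) - set(cand))
    changed = sorted(n for n in set(ref) & set(cand) if ref[n] != cand[n])
    return missing, changed

# Constructed sample dumps: shortened attribute lists, placeholder suffix.
OLD_SERVER = '''dn: cn=config
aci: (targetattr = "cn || nsds5replicahost || nsds5replicaport")(targetfilter
  = "(objectclass=nsds5replicationagreement)")(version 3.0;acl "permission:Sys
 tem: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap
 :///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=example,
 dc=test";)
aci: (targetattr = "passsyncmanagersdns*")(version 3.0;acl "permission:Modify
  PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Modify
  PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=test";)
aci: (targetattr = "cn || objectclass")(version 3.0;acl "permission:Read LDBM
  Database Configuration";allow (read) groupdn = "ldap:///cn=Read LDBM Databas
 e Configuration,cn=permissions,cn=pbac,dc=example,dc=test";)
'''

NEW_SERVER = '''dn: cn=config
aci: (targetattr = "passsyncmanagersdns*")(version 3.0;acl "permission:Mod
 ify PassSync Managers Configuration";allow (write) groupdn = "ldap:///cn=Mo
 dify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=example,dc=t
 est";)
aci: (targetattr = "cn")(version 3.0;acl "permission:Read LDBM Database Conf
 iguration";allow (read) groupdn = "ldap:///cn=Read LDBM Database Configurat
 ion,cn=permissions,cn=pbac,dc=example,dc=test";)
'''

if __name__ == "__main__":
    print(diff_acis(OLD_SERVER, NEW_SERVER))
```

Feed it unmodified ldapsearch output from each server; copies rewrapped by a mail client, like the ones quoted in this thread, break lines at places that are not LDIF folds and would be truncated by unfold().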

Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

2016-01-25 Thread Filip Skola


- Original Message -
> On 01/15/2016 03:41 PM, Filip Skola wrote:
> > Hi,
> >
> > sending rebased patch on top of 58c42ddac0964a8cce7c1e1faa7516da53f028ad.
> >
> > Includes a "fix" for the rename-to-invalid-username issue for the new
> > version.
> >
> > F.
> >
> > - Original Message -
> >> Hi,
> >>
> >> I don't know what is causing the \r\n issue. I use vim and then send each
> >> email with claws-mail. Didn't spot this issue when trying emailing the
> >> patch
> >> to my other address. I'm trying to send it from zimbra now, let me know if
> >> that helped pls.
> >>
> >> Fix for the stageuser plugin issues caused by this patch should have been
> >> included in the last update; I think the remaining issue is not caused by
> >> UserTracker changes. Please correct me, if I'm wrong.
> >>
> >>> There is some issue with "test_rename_to_too_long_login" test. It fails
> >>> but
> >>> actually this is false positive because it is possible to create login
> >>> upto
> >>> 255 characters. I don't know why test mentions 32 characters without any
> >>> other modified setup.
> >>> NACK for now.
> >>>   - alich -
> >> This has been changed. This test still fails, though.
> >>
> >> Filip
> >>
> >>>
> >>> - Original Message -
>  From: "Aleš Mareček" 
>  To: "Filip Škola" 
>  Cc: freeipa-devel@redhat.com, "Milan Kubík" 
>  Sent: Thursday, December 10, 2015 4:11:47 PM
>  Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> 
>  Ah, sorry, haven't realized there had been devel list attached.
>  Ok, there is some problem with \r\n in the patch.
>  Filip, please take a look at it...
>  Thanks...
>    - alich -
> 
>  - Original Message -
> > From: "Filip Škola" 
> > To: "Aleš Mareček" 
> > Cc: freeipa-devel@redhat.com, "Milan Kubík" 
> > Sent: Thursday, December 10, 2015 11:29:52 AM
> > Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> >
> > Hi,
> >
> > this is fixed. Also issues with test_stageuser_plugin caused by
> > UserTracker changes should be fixed here.
> >
> > Filip
> >
> >
> > On Mon, 7 Dec 2015 09:29:31 -0500 (EST)
> > Aleš Mareček  wrote:
> >
> >> NACK.
> >>
> >> $ ./make-lint
> >> * Module ipatests.test_xmlrpc.test_user_plugin
> >> ipatests/test_xmlrpc/test_user_plugin.py:42:
> >> [E0611(no-name-in-module), ] No name 'ldaptracker' in module
> >> 'ipatests.test_xmlrpc')
> >>
> >> $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py
> >> from ipatests.test_xmlrpc.ldaptracker import Tracker
> >> $ ls ipatests/test_xmlrpc/ldaptracker*
> >> ls: cannot access ipatests/test_xmlrpc/ldaptracker*: No such file or
> >> directory
> >>
> >>
> >> - Original Message -
> >>> From: "Filip Škola" 
> >>> To: "Milan Kubík" 
> >>> Cc: freeipa-devel@redhat.com
> >>> Sent: Thursday, December 3, 2015 5:38:43 PM
> >>> Subject: Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin
> >>>
> >>> Hi,
> >>>
> >>> sending corrected version.
> >>>
> >>> F.
> >>>
> >>> On Thu, 12 Nov 2015 14:03:19 +0100
> >>> Milan Kubík  wrote:
> >>>
>  On 11/10/2015 12:13 PM, Filip Škola wrote:
> > Hi,
> >
> > fixed.
> >
> > F.
> >
> > On Tue, 10 Nov 2015 10:52:45 +0100
> > Milan Kubík  wrote:
> >
> >> On 11/09/2015 04:35 PM, Filip Škola wrote:
> >>> Another patch was applied in the meantime.
> >>>
> >>> Attaching an updated version.
> >>>
> >>> F.
> >>>
> >>> On Mon, 9 Nov 2015 13:35:02 +0100
> >>> Milan Kubík  wrote:
> >>>
>  On 11/06/2015 11:32 AM, Filip Škola wrote:
>  Hi,
>  the patch doesn't apply.
> 
> >> Please fix this.
> >>
> >>ipatests/test_xmlrpc/test_user_plugin.py:1419:
> >> [E0602(undefined-variable),
> >> TestDeniedBindWithExpiredPrincipal.teardown_class] Undefined
> >> variable 'user1')
> >>
> >> Also, use the version numbers for your changed patches.
> >>
> >
>  Thanks for the patch. Several issues:
> 
>  1. Use dict.items instead of dict.iteritems, for python3
>  compatibility
> 
>  2. What is the purpose of TestPrepare class? The 'purge' methods
>  do not call any ipa commands.
>  Tracker.make_fixture should be used to make the Tracked resources
>  clean themselves up when they're out of scope.
> 
> 

Re: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8

2016-01-25 Thread Martin Basti



On 22.01.2016 16:24, Petr Viktorin wrote:

On 01/21/2016 01:14 PM, Jan Cholasta wrote:

We got rid of both default_encoding_utf8 and _ipap11helper, so
python-ipalib can be packaged as noarch. See the attached patch.

The patch looks good to me, so ACK (though an ACK for me probably
doesn't count).


ACK

Pushed to:
master: 6896035af2c5ba7468fdab183a385c4a88a1ab77
ipa-4-3: 385693a30862bf370e32e1d66e5efa2f5a641ebb
