Re: [Freeipa-devel] CSR autogeneration next steps
On 19.12.2016 21:59, Ben Lipton wrote: On 12/15/2016 11:11 PM, Ben Lipton wrote: On 12/12/2016 03:52 AM, Jan Cholasta wrote: On 5.12.2016 16:48, Ben Lipton wrote: Hi Jan, thanks for the comments. On 12/05/2016 04:25 AM, Jan Cholasta wrote: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: Hi everybody, Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten. Thanks, I have some questions and comments, see below. Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission): - Current PR: https://github.com/freeipa/freeipa/pull/10 How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward. This is probably doable with the cffi, but I'm concerned about usability. A user can run the current command to get a (reusable) script, and run the script to get a CSR. It works with keys in both PEM files and NSS databases already. If we change to outputting a CertificationRequestInfo, in order to make this usable on the command line, we'll need: - An additional tool to sign a CSR given a CertificationRequestInfo (for both types of key storage). 
- A way to extract a SubjectPublicKeyInfo structure from a key within the ipa command (like [1] but we need it for both types of key storage) Since as far as I know there's no standard encoding for files containing only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be writing and distributing these ourselves. I think that's where most of the extra work will come in. For PEM files, this is easily doable using python-cryptography (to extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and PyASN1 (to create a CSR from the CertificationRequestInfo and the signature). I didn't realize that python-cryptography knew about SubjectPublicKeyInfo structures, but indeed this seems to be pretty straightforward: key = load_pem_private_key(key_bytes, None, default_backend()) pubkey_info = key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo) Thanks for letting me know this functionality already existed. For NSS databases, this will be trickier and will require calling C functions, as neither certutil nor python-nss provide a way to a) address existing keys in the database by key ID b) get SubjectPublicKeyInfo for a given key. This can be worked around by: 1. Generating a key + temporary certificate: n=$(head -c 40 /dev/urandom | base32) certutil -S -n $n -s CN=$n -x -t ,, 2. Extracting the public key from the certificate: certutil -L -n $n -a >temp.crt (extract the public key using python-cryptography) 3. Deleting the temporary certificate: certutil -D -n $n 4. Importing the newly issued certificate: certutil -A -n $n -t ,, -a As for encoding, the obvious choice is DER. It does not really matter there is no standard file format, as we won't be transferring these as files anyway. Agreed. I just meant there aren't tools already because this isn't a type of file one often needs to process. Would it be ok to stick with the current design in this PR? 
I'd feel much better if we could get the basic functionality into the repo and then iterate on it rather than changing the plan at this point. I can create a separate PR to change cert_get_requestdata to this new interface and at the same time add the necessary adapters (bullet points above) to make it user-friendly. Works for me. Updated the PR to fix conflicts with master. Had some trouble with CI but creating a new PR with the same commits fixed it (https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed permanently, so I guess I'll just keep the two PRs synchronized now, or we could close the old one. You can close the old one. Just to make sure we are on the same page, you want this PR to be merged before submitting additional PRs built on top of it? I would probably just implement the adapters within the cert_build/cert_request client code unless you think having standalone tools is valuable. I suppose certmonger is going to need these features too, but I don't know how well sharing code between them is going to work. cert-request is exactly the
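The split design discussed in the thread above (a CertificationRequestInfo built from the profile, principal and the caller's SubjectPublicKeyInfo without any private key; the key holder signing that structure; the CSR assembled from the two parts) as an added example that is not part of the thread or of FreeIPA's code. python-cryptography supplies the key handling the message mentions, and a small hand-written DER encoder stands in for the PyASN1 step; the names build_request_info, assemble_csr, csr_from_split_flow and the subject CN are this example's own assumptions.

```python
# Added example (not from the freeipa-devel thread or the FreeIPA tree):
# the "CertificationRequestInfo from SubjectPublicKeyInfo, signature added
# separately" flow, with a minimal DER encoder in place of PyASN1.
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# --- minimal DER helpers: only what a CertificationRequestInfo needs -------
def _len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def _oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

OID_CN = "2.5.4.3"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"

def build_request_info(subject_cn, spki_der):
    """Server side of the proposed design: subject derived from profile and
    principal (a single CN here, an assumption) plus the caller's DER
    SubjectPublicKeyInfo.  No private key is needed.  Returns the DER of an
    RFC 2986 CertificationRequestInfo with an empty attribute set."""
    version = _tlv(0x02, b"\x00")                               # INTEGER 0 (v1)
    atv = _tlv(0x30, _oid(OID_CN) + _tlv(0x0C, subject_cn.encode("utf-8")))
    subject = _tlv(0x30, _tlv(0x31, atv))      # Name ::= SEQUENCE OF RDN (SET OF ATV)
    attributes = _tlv(0xA0, b"")               # [0] IMPLICIT Attributes, empty
    return _tlv(0x30, version + subject + spki_der + attributes)

def assemble_csr(cri_der, signature):
    """Client side: CertificationRequest ::= SEQUENCE { cri, algId, BIT STRING }.
    sha256WithRSAEncryption is assumed for the algorithm identifier."""
    alg = _tlv(0x30, _oid(OID_SHA256_RSA) + _tlv(0x05, b""))  # AlgorithmIdentifier + NULL
    sig = _tlv(0x03, b"\x00" + signature)                     # BIT STRING, 0 unused bits
    return _tlv(0x30, cri_der + alg + sig)

def make_key():
    """Key generation, done here only so the example is self-contained; in the
    real flow the key already lives in a PEM file or an NSS database."""
    return rsa.generate_private_key(65537, 2048, default_backend())

def csr_from_split_flow(key, subject_cn):
    """Whole flow for a key held as a python-cryptography private key object."""
    # Step 1 (public side): SubjectPublicKeyInfo, exactly as the thread shows.
    spki = key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    # Step 2 (server side): CertificationRequestInfo from subject + SPKI only.
    cri = build_request_info(subject_cn, spki)
    # Step 3 (key holder): sign the DER of the CRI, the only step needing the key.
    signature = key.sign(cri, padding.PKCS1v15(), hashes.SHA256())
    # Step 4: wrap CRI + signature into a CSR any CA can consume.
    return assemble_csr(cri, signature)

def check_csr(csr_der, expected_cn, key):
    """Parse the result with python-cryptography (a real CSR, not a private
    format) and verify signature, subject and that it carries `key`."""
    csr = x509.load_der_x509_csr(csr_der, default_backend())
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    same_key = csr.public_key().public_numbers() == key.public_key().public_numbers()
    return csr.is_signature_valid and cn == expected_cn and same_key

if __name__ == "__main__":
    k = make_key()
    der = csr_from_split_flow(k, "host.example.test")   # constructed subject
    print(check_csr(der, "host.example.test", k))
```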
[Freeipa-devel] [freeipa PR#384][opened] Add fix for user prompt in dnsrecord-add
URL: https://github.com/freeipa/freeipa/pull/384 Author: Akasurde Title: #384: Add fix for user prompt in dnsrecord-add Action: opened PR body: """ Fix added to skip optional parameter in dnsrecord-add interactive prompts Fixes https://fedorahosted.org/freeipa/ticket/6457 Signed-off-by: Abhijeet Kasurde """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/384/head:pr384 git checkout pr384 From 2cd64fe35fb2b910f54ec489ceb0a51befcd6c42 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Tue, 10 Jan 2017 09:59:38 +0530 Subject: [PATCH] Add fix for user prompt in dnsrecord-add Fix added to skip optional parameter in dnsrecord-add interactive prompts Fixes https://fedorahosted.org/freeipa/ticket/6457 Signed-off-by: Abhijeet Kasurde --- ipaclient/plugins/dns.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py index 42ccd3d..6468949 100644 --- a/ipaclient/plugins/dns.py +++ b/ipaclient/plugins/dns.py @@ -254,7 +254,7 @@ def interactive_prompt_callback(self, kw): continue ok = True -user_options = prompt_parts(rrtype, self) +user_options = prompt_missing_parts(rrtype, self, kw) kw.update(user_options) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
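Review bot: the replacement call `prompt_missing_parts(rrtype, self, kw)` is the only change in the diff (1 insertion, 1 deletion in ipaclient/plugins/dns.py), so it relies on that helper already existing with a `(rrtype, cmd, kw)` signature; please point to where it is defined, and since the interactive prompt path is not exercised by the automated tests, describe in the PR how the skipped optional parameters were verified against ticket 6457.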
[Freeipa-devel] [freeipa PR#383][opened] Remove duplicated step from DS install
URL: https://github.com/freeipa/freeipa/pull/383 Author: mbasti-rh Title: #383: Remove duplicated step from DS install Action: opened PR body: """ "Adding SASL mappings.." is duplicated step in __common_setup in DS instance and should be removed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/383/head:pr383 git checkout pr383 From 63cc402b393ff13a75e3c91abc789a177ec0953f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 19:49:26 +0100 Subject: [PATCH] Remove duplicated step from DS install "Adding SASL mappings.." is duplicated step in __common_setup in DS instance and should be removed. --- ipaserver/install/dsinstance.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 89315b6..3f410a3 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -340,8 +340,6 @@ def create_instance(self, realm_name, fqdn, domain_name, self.step("adding range check plugin", self.__add_range_check_plugin) if hbac_allow: self.step("creating default HBAC rule allow_all", self.add_hbac) -self.step("adding sasl mappings to the directory", - self.__configure_sasl_mappings) self.step("adding entries for topology management", self.__add_topology_entries) self.__common_post_setup() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
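Review bot: the hunk removes the "adding sasl mappings to the directory" step from create_instance, but the commit message says the duplicate lives in __common_setup, which is not part of the diff; please quote the remaining `self.step(..., self.__configure_sasl_mappings)` call so reviewers can confirm __common_setup still registers it on every path that reaches create_instance, because a directory without the SASL identity mappings cannot map GSSAPI binds to entries and the IPA framework's own binds would start failing.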
[Freeipa-devel] [freeipa PR#382][opened] [WIP] Py3 ipa-server-install fixes
URL: https://github.com/freeipa/freeipa/pull/382 Author: mbasti-rh Title: #382: [WIP] Py3 ipa-server-install fixes Action: opened PR body: """ This PR should allow to install server with py3 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/382/head:pr382 git checkout pr382 From 0ba8877d4f0a6e96d4e338a88f8638d00ad980b1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 11:53:59 +0100 Subject: [PATCH 1/6] py3: create_cert_db: write to file in a compatible way Py3 expect bytes to be writed using os.write. Instead of that using io module is more pythonic. https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/httpinstance.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index bacd5fc..ded0553 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -19,6 +19,7 @@ from __future__ import print_function +import io import os import os.path import pwd @@ -314,9 +315,8 @@ def create_cert_db(self): # Create the password file for this db password = ipautil.ipa_generate_password() -f = os.open(pwd_file, os.O_CREAT | os.O_RDWR) -os.write(f, password) -os.close(f) +with io.open(pwd_file, 'w') as f: +f.write(password) ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"]) From e4358f451556f67dcdf4f064656cc3e6c976fb9b Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:16:57 +0100 Subject: [PATCH 2/6] py3: encode str to bytes when writing to tempfile String must be encoded to bytes to be writable by os.write() Make sure the passwords are generated as string/unicode https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipautil.py | 2 +- ipaserver/install/service.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index e3e4611..34d10ef 100644 
--- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1, rnd = random.SystemRandom() todo_entropy = entropy_bits -password = '' +password = u'' # Generate required character classes: # The order of generated characters is fixed to comply with check in # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c. diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 6451f92..b18d4ba 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -209,7 +209,7 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True, if dm_password: [pw_fd, pw_name] = tempfile.mkstemp() -os.write(pw_fd, dm_password) +os.write(pw_fd, dm_password.encode()) os.close(pw_fd) auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name] # Use GSSAPI auth when not using DM password or not being root From d4785bf830c2461d1dcdb8b868ef701b873cb7be Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 12:42:23 +0100 Subject: [PATCH 3/6] py3: open temporary ldif file in text mode ldif parser uses file in text mode, so we have to open it in text mode in py3 Also values passed to parser should be bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipaserver/install/dsinstance.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 89315b6..2721d88 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py 
@@ -582,14 +582,15 @@ def __update_dse_ldif(self): 'dse.ldif' ) -with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif: +with tempfile.NamedTemporaryFile( +mode='w', delete=False) as new_dse_ldif: temp_filename = new_dse_ldif.name with open(dse_filename, "r") as input_file: parser = installutils.ModifyLDIF(input_file, new_dse_ldif) parser.replace_value( 'cn=config,cn=ldbm database,cn=plugins,cn=config', 'nsslapd-db-locks', -['5'] +[b'5'] ) if self.config_ldif: # parse modifications from ldif file supplied by the admin From fcfb4e5a444639cb61ee7089df1ea969f58754a7 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 9 Jan 2017 19:01:29 +0100 Subject: [PATCH 4/6] py3: ldap modlist must have keys as string, not bytes https://fedorahosted.org/freeipa/ticket/4985 --- ipapython/ipaldap.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
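Review bot: in the create_cert_db hunk of patch 1/6, replacing `os.open(pwd_file, os.O_CREAT | os.O_RDWR)` with `io.open(pwd_file, 'w')` changes two things besides the bytes/text issue: the file is now truncated on open, and it is created with io.open's default 0o666 masked by umask (the old call's default 0o777 mask was no better), so the NSS database password is readable by other users unless surrounding code restricts it; consider `fd = os.open(pwd_file, os.O_CREAT | os.O_WRONLY | os.O_TRUNC, 0o600)` followed by `io.open(fd, 'w')`, and pass `encoding='utf-8'` so the file certutil reads with -f does not depend on the installer's locale.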
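Review bot: in the service.py hunk of patch 2/6, `dm_password.encode()` uses the default codec: on Python 3 that is UTF-8, but on Python 2 a `str` value goes through an implicit ASCII decode and `.encode()` raises for any non-ASCII Directory Manager password, so this line regresses the Python 2 path the tree still supports; use `dm_password.encode('utf-8')` and make sure the value is unicode on both versions, as the ipautil.py hunk already does for generated passwords with `password = u''`.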
[Freeipa-devel] [freeipa PR#378][comment] Integrate make check into CI
URL: https://github.com/freeipa/freeipa/pull/378 Title: #378: Integrate make check into CI martbab commented: """ IIRC cmocka tests are already run as a part of build process, see the following excerpt from the build log:
```
PASS: ipa_kdb_tests
Testsuite summary for freeipa 4.4.90.dev201701091412+git5dd9c32
# TOTAL: 1
# PASS: 1
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
```
I am not sure if we need to run them as a separate step right now. """ See the full comment at https://github.com/freeipa/freeipa/pull/378#issuecomment-271334743
[Freeipa-devel] [freeipa PR#381][opened] disable hostname canonicalization by Kerberos library
URL: https://github.com/freeipa/freeipa/pull/381 Author: martbab Title: #381: disable hostname canonicalization by Kerberos library Action: opened PR body: """ By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/381/head:pr381 git checkout pr381 From be97823a0475218306bce192d7bf5797a1663857 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 9 Jan 2017 14:36:33 +0100 Subject: [PATCH] disable hostname canonicalization by Kerberos library By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 --- ipaclient/install/client.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 2ff6122..08576eb 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -676,6 +676,7 @@ def configure_krb5_conf( ]) libopts.extend([ krbconf.setOption('rdns', 'false'), +krbconf.setOption('dns_canonicalize_hostname', 'false'), krbconf.setOption('ticket_lifetime', '24h'), krbconf.setOption('forwardable', 'true'), krbconf.setOption('udp_preference_limit', '0') -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
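Review bot: `dns_canonicalize_hostname = false` only lands in the client installer's configure_krb5_conf (ipaclient/install/client.py is the only file in the diff), while IPA servers and replicas are Kerberos clients of each other and get their krb5.conf from the server installer; if the short-name-first /etc/hosts problem is to be fixed consistently, the server-side configuration should receive the same option, and the commit message should spell out the trade-off: with canonicalization off, a service referenced by a short name now produces a TGS_REQ for a principal the KDC does not have instead of being looked up in DNS, which is the intended behaviour here and also removes a DNS-dependent rewrite of the requested principal that `rdns = false` alone does not cover.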
[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig
URL: https://github.com/freeipa/freeipa/pull/179 Title: #179: Fix for handling CalledProcessError in authconfig tomaskrizek commented: """ I investigated some other options for the displayed error message, but I haven't found anything more appropriate. [Comment#4](https://fedorahosted.org/freeipa/ticket/5244#comment:4) in the ticket says the message should mention an SSSD restart issue. Perhaps someone else has a suggestion for a more descriptive message than `Failed to execute authconfig command`? If this message is fine, the code has an ack. """ See the full comment at https://github.com/freeipa/freeipa/pull/179#issuecomment-271320161
[Freeipa-devel] [freeipa PR#374][+ack] pytest: set rules to find test files and functions
URL: https://github.com/freeipa/freeipa/pull/374 Title: #374: pytest: set rules to find test files and functions Label: +ack
[Freeipa-devel] [freeipa PR#380][closed] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Author: martbab Title: #380: Travis CI: actually return non-zero exit status when the test job fails Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/380/head:pr380 git checkout pr380
[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Title: #380: Travis CI: actually return non-zero exit status when the test job fails martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9b5b7131502a73fa24dc56c72a9648528c5aceee """ See the full comment at https://github.com/freeipa/freeipa/pull/380#issuecomment-271296037
[Freeipa-devel] [freeipa PR#380][+pushed] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Title: #380: Travis CI: actually return non-zero exit status when the test job fails Label: +pushed
[Freeipa-devel] [freeipa PR#380][synchronized] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Author: martbab Title: #380: Travis CI: actually return non-zero exit status when the test job fails Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/380/head:pr380 git checkout pr380 From 1f6a7917a6ff69c6a3ca9ea29ebe5bb0d38786c4 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 9 Jan 2017 12:27:36 +0100 Subject: [PATCH] Travis CI: actually return non-zero exit status when the test job fails The original code did not actually propagate the test runner exit status to parent process so Travis CI job was always green. --- .travis_run_task.sh | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis_run_task.sh b/.travis_run_task.sh index 9fd1c1c..7d050b0 100755 --- a/.travis_run_task.sh +++ b/.travis_run_task.sh @@ -47,7 +47,11 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \ --git-repo $TRAVIS_BUILD_DIR \ $TASK_TO_RUN $test_set -if $? +exit_status="$?" + +if [[ "$exit_status" -ne 0 ]] then truncate_log_to_test_failures fi + +exit $exit_status -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
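Review bot: the corrected block captures `$?` immediately after the ipa-docker-test-runner command, which is the right place, but `[[ "$exit_status" -ne 0 ]]` is bash-only and the hunk does not show the script's shebang; either confirm it is `#!/bin/bash` or use the POSIX `[ "$exit_status" -ne 0 ]`. A one-line comment above the new lines noting that the old `if $?` executed the numeric status as a command name rather than testing it, and that the final `exit $exit_status` is what makes Travis see the failure, would save the next reader from re-deriving why the job was always green.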
[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Title: #380: Travis CI: actually return non-zero exit status when the test job fails stlaz commented: """ It works but for some reason there are many extra newlines in the failure log **edit:** nvm, displays correctly now, apparently it's a Travis streaming issue. ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/380#issuecomment-271276855
[Freeipa-devel] [freeipa PR#380][+ack] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Title: #380: Travis CI: actually return non-zero exit status when the test job fails Label: +ack
[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Title: #380: Travis CI: actually return non-zero exit status when the test job fails stlaz commented: """ It works but for some reason there are many extra newlines in the failure log """ See the full comment at https://github.com/freeipa/freeipa/pull/380#issuecomment-271276855
[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions
URL: https://github.com/freeipa/freeipa/pull/347 Title: #347: Improvements in {get|set}_directive functions tomaskrizek commented: """ Please see my feedback in in-line comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/347#issuecomment-271272632
[Freeipa-devel] [freeipa PR#380][opened] Travis CI: actually return non-zero exit status when the test job fails
URL: https://github.com/freeipa/freeipa/pull/380 Author: martbab Title: #380: Travis CI: actually return non-zero exit status when the test job fails Action: opened PR body: """ Thanks to @stlaz for catching this. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/380/head:pr380 git checkout pr380 From 1f6a7917a6ff69c6a3ca9ea29ebe5bb0d38786c4 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 9 Jan 2017 12:27:36 +0100 Subject: [PATCH 1/2] Travis CI: actually return non-zero exit status when the test job fails The original code did not actually propagate the test runner exit status to parent process so Travis CI job was always green. --- .travis_run_task.sh | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis_run_task.sh b/.travis_run_task.sh index 9fd1c1c..7d050b0 100755 --- a/.travis_run_task.sh +++ b/.travis_run_task.sh @@ -47,7 +47,11 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \ --git-repo $TRAVIS_BUILD_DIR \ $TASK_TO_RUN $test_set -if $? +exit_status="$?" + +if [[ "$exit_status" -ne 0 ]] then truncate_log_to_test_failures fi + +exit $exit_status From bd5715a6a773d7bd9a59677988e8156460485310 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 9 Jan 2017 12:31:43 +0100 Subject: [PATCH 2/2] DO NOT PUSH: intentionally failing test for verification --- ipatests/test_ipaserver/test_kadmin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_ipaserver/test_kadmin.py b/ipatests/test_ipaserver/test_kadmin.py index 1b38791..c7fb13b 100644 --- a/ipatests/test_ipaserver/test_kadmin.py +++ b/ipatests/test_ipaserver/test_kadmin.py 
@@ -86,7 +86,7 @@ def assert_success(self, command, *args): to catch the command's stderr and check that it is empty """ result = command(*args) -assert not result.error_output +assert result.error_output def test_create_keytab(self, service, keytab): """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
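Review bot: the second commit, "DO NOT PUSH: intentionally failing test for verification", flips `assert not result.error_output` to `assert result.error_output` in test_kadmin.py purely to prove that a failing test now turns the Travis job red; that is a sound way to validate the CI change, but it must be dropped before merge (the later synchronized revision of this PR carries only the first patch), and it would help to record in the PR description which Travis run demonstrated the failure so the evidence survives once the commit is gone.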
[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11
URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 tomaskrizek commented: """ Required version of BIND is subject to change. When a version with fixed `named-pkcs11` issue ([BZ 1410433](https://bugzilla.redhat.com/show_bug.cgi?id=1410433)) is released, I will update it. Patch should not be merged until then. """ See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-271259526
[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11
URL: https://github.com/freeipa/freeipa/pull/351 Author: tomaskrizek Title: #351: [fedora-26] named.conf template: update API for bind 9.11 Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/351/head:pr351 git checkout pr351 From 2b7becb7f6d6cc15679b7f0aa76d6fa0164e961e Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 19 Dec 2016 13:12:19 +0100 Subject: [PATCH 1/2] named.conf template: update API for bind 9.11 Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" and updated the rest of configuration to conform to the new format. This only fixes new IPA installations. For existing installations, named.conf will be transformed when the new version of bind-dyndb-ldap is installed. https://fedorahosted.org/freeipa/ticket/6565 --- install/share/bind.named.conf.template | 16 +++- ipaplatform/redhat/paths.py| 1 + ipaserver/install/bindinstance.py | 1 + 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template index e8ea8fb..b7c3a0b 100644 --- a/install/share/bind.named.conf.template +++ b/install/share/bind.named.conf.template @@ -43,13 +43,11 @@ zone "." IN { include "$RFC1912_ZONES"; include "$ROOT_KEY"; -dynamic-db "ipa" { - library "ldap.so"; - arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; - arg "base cn=dns, $SUFFIX"; - arg "server_id $FQDN"; - arg "auth_method sasl"; - arg "sasl_mech GSSAPI"; - arg "sasl_user DNS/$FQDN"; - arg "serial_autoincrement yes"; +dyndb "ipa" "$BIND_LDAP_SO" { + uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; + base "cn=dns, $SUFFIX"; + server_id "$FQDN"; + auth_method "sasl"; + sasl_mech "GSSAPI"; + sasl_user "DNS/$FQDN"; }; diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py index b27b065..8212f40 100644 --- a/ipaplatform/redhat/paths.py +++ b/ipaplatform/redhat/paths.py 
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace): if sys.maxsize > 2**32: LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 +BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64 paths = RedHatPathNamespace() diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index e24249a..c9097c2 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -769,6 +769,7 @@ def __setup_sub_dict(self): RFC1912_ZONES=paths.NAMED_RFC1912_ZONES, NAMED_PID=paths.NAMED_PID, NAMED_VAR_DIR=paths.NAMED_VAR_DIR, +BIND_LDAP_SO=paths.BIND_LDAP_SO, ) def __setup_dns_container(self): From c00ae001855e997b2e3ce7ae2c614ce270c40f09 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Mon, 19 Dec 2016 16:52:08 +0100 Subject: [PATCH 2/2] bump required version of BIND, bind-dyndb-ldap bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11, an API was accepted upstream. This caused backward incompatible changes to the named.conf configuration file used to configure the bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and BIND 9.11 are required to use with the new config file format. https://fedorahosted.org/freeipa/ticket/6565 --- freeipa.spec.in | 17 + 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index cba40c2..99b3a0f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -295,18 +295,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing Group: System Environment/Base BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 10.0 -%if 0%{?fedora} >= 21 -Requires: bind >= 9.9.6-3 -Requires: bind-utils >= 9.9.6-3 -Requires: bind-pkcs11 >= 9.9.6-3 -Requires: bind-pkcs11-utils >= 9.9.6-3 -%else -Requires: bind >= 9.9.4-21 -Requires: bind-utils >= 9.9.4-21 -Requires: bind-pkcs11 >= 9.9.4-21 -Requires: bind-pkcs11-utils >= 9.9.4-21 -%endif +Requires: bind-dyndb-ldap >= 11.0 +Requires: bind >= 9.11.0-2 +Requires: bind-utils >= 9.11.0-2 +Requires: bind-pkcs11 >= 9.11.0-2 +Requires: bind-pkcs11-utils >= 9.11.0-2 Requires: opendnssec >= 1.4.6-4 Provides: %{alt_name}-server-dns = %{version} -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
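Review bot: the new `dyndb "ipa" "$BIND_LDAP_SO"` block in the template depends on the BIND_LDAP_SO substitution added in bindinstance.py, but in ipaplatform/redhat/paths.py the name is only assigned inside the `if sys.maxsize > 2**32:` branch as `BasePathNamespace.BIND_LDAP_SO_64`; the 32-bit case therefore falls back to `BasePathNamespace.BIND_LDAP_SO`, which does not appear in the diff, so please show where the base namespace defines both names, otherwise __setup_sub_dict raises AttributeError on 32-bit installs. Also worth a sentence in the commit message: `arg "serial_autoincrement yes"` is dropped without a replacement, so state whether bind-dyndb-ldap 11 no longer needs it or silently defaults to off.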
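Review bot: the freeipa.spec.in hunk collapses the `%if 0%{?fedora} >= 21` / `%else` branches into unconditional `bind >= 9.11.0-2` requirements, so the spec now hard-requires BIND 9.11 on every build target rather than only on fedora-26; since the accompanying comment says merging must wait for a BIND build with the named-pkcs11 fix (BZ 1410433), the version strings here will need to be bumped to that build, and the commit message typo "bynd-dyndb-ldap" can be fixed at the same time.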
[Freeipa-devel] [freeipa PR#379][opened] Packaging: Add placeholder and IPA commands packages
URL: https://github.com/freeipa/freeipa/pull/379 Author: tiran Title: #379: Packaging: Add placeholder and IPA commands packages Action: opened PR body: """ The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for installation in a virtual env. The programs are compiled with distutils / setuptools. The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. https://fedorahosted.org/freeipa/ticket/6484 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/379/head:pr379 git checkout pr379 From b01a51e15c86601806318d5d096ac5286afbfbd7 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 9 Jan 2017 11:02:25 +0100 Subject: [PATCH] Packaging: Add placeholder and IPA commands packages The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for installation in a virtual env. The programs are compiled with distutils / setuptools. The ipa and freeipa packages are placeholders to prevent PyPI squashing attacks and reserve the names for future use. `pip install ipa` installs ipaclient. https://fedorahosted.org/freeipa/ticket/6484 
Signed-off-by: Christian Heimes --- .gitignore| 7 ++ Makefile.am | 5 +- configure.ac | 4 + packaging/Makefile.am | 11 +++ packaging/freeipa/Makefile.am | 1 + packaging/freeipa/README.txt | 2 + packaging/freeipa/setup.cfg | 6 ++ packaging/freeipa/setup.py| 36 +++ packaging/ipa/Makefile.am | 1 + packaging/ipa/README.txt | 2 + packaging/ipa/setup.cfg | 6 ++ packaging/ipa/setup.py| 36 +++ packaging/ipacommands/MANIFEST.in | 25 + packaging/ipacommands/Makefile.am | 72 ++ packaging/ipacommands/setup.cfg | 5 + packaging/ipacommands/setup.py| 194 ++ 16 files changed, 412 insertions(+), 1 deletion(-) create mode 100644 packaging/Makefile.am create mode 100644 packaging/freeipa/Makefile.am create mode 100644 packaging/freeipa/README.txt create mode 100644 packaging/freeipa/setup.cfg create mode 100755 packaging/freeipa/setup.py create mode 100644 packaging/ipa/Makefile.am create mode 100644 packaging/ipa/README.txt create mode 100644 packaging/ipa/setup.cfg create mode 100755 packaging/ipa/setup.py create mode 100644 packaging/ipacommands/MANIFEST.in create mode 100644 packaging/ipacommands/Makefile.am create mode 100644 packaging/ipacommands/setup.cfg create mode 100644 packaging/ipacommands/setup.py diff --git a/.gitignore b/.gitignore index 6dcda76..ab00e98 100644 --- a/.gitignore +++ b/.gitignore @@ -107,3 +107,10 @@ freeipa2-dev-doc /ipaplatform/paths.py /ipaplatform/services.py /ipaplatform/tasks.py + +/packaging/ipacommands/COPYING +/packaging/ipacommands/Contributors.txt +/packaging/ipacommands/asn1 +/packaging/ipacommands/client +/packaging/ipacommands/ipasetup.py +/packaging/ipacommands/util diff --git a/Makefile.am b/Makefile.am index 9bfc899..e25cea3 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,7 +1,7 @@ ACLOCAL_AMFLAGS = -I m4 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython -SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po +SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \ ignore_import_errors.pyc ignore_import_errors.pyo \ @@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR): mkdir -p $(WHEELBUNDLEDIR) bdist_wheel: $(WHEELDISTDIR) + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1; + $(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1; for dir in $(IPACLIENT_SUBDIRS); do \ $(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \ done diff --git a/configure.ac b/configure.ac index e8a4701..58988f8 100644 --- a/configure.ac +++ b/configure.ac @@ -553,6 +553,10 @@ AC_CONFIG_FILES([ ipaserver/Makefile ipatests/Makefile ipatests/man/Makefile +packaging/Makefile +packaging/freeipa/Makefile +packaging/ipa/Makefile +packaging/ipacommands/Makefile po/Makefile.in po/Makefile.hack util/Makefile diff --git a/packaging/Makefile.am b/packaging/Makefile.am new file mode 100644 index 000..e033673 --- /dev/null +++ b/packaging/Makefile.am @@ -0,0 +1,11 @@ +# This file will be processed with automake-1.7 to create Makefile.in +# +AUTOMAKE_OPTIONS = 1.7 subdir-objects + +NULL = + +SUBDIRS = \ + freeipa \ + ipa \ + ipacommands \ + $(NULL) diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am new file mode 100644 index 000..8be72b2 --- /dev/null +++ b/pack
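Review bot: in the bdist_wheel hunk of Makefile.am, the three added `$(MAKE) $(AM_MAKEFLAGS) -C packaging/... || exit 1;` lines do not need the `|| exit 1;` suffix: each recipe line runs in its own shell and make already stops on a non-zero exit, so the guard is only meaningful inside the `for dir in $(IPACLIENT_SUBDIRS); do ... done` loop that follows, where the whole loop is a single shell command. Separately, packaging/ipacommands is built with `sdist` while packaging/ipa and packaging/freeipa get `bdist_wheel`; a one-line comment on why ipacommands ships only a source distribution (presumably because it compiles ipa-getkeytab and ipa-rmkeytab, so a wheel would be platform-specific) would spare the next reader a trip to the PR, and the target name bdist_wheel then under-describes what it produces.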
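Review bot: the .gitignore hunk ignores /packaging/ipacommands/COPYING, Contributors.txt, asn1, client, ipasetup.py and util, which means the ipacommands build copies or links those top-level sources into packaging/ipacommands at build time. The packaging/ipacommands/Makefile.am that does so is cut off in the quoted patch, so please confirm that it removes them again in a clean target and that packaging/ipacommands/MANIFEST.in (25 lines in the diffstat) lists them; otherwise the sdist produced by `make bdist_wheel` will not contain the C sources it needs to build.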
[Freeipa-devel] [freeipa PR#378][opened] Integrate make check into CI
URL: https://github.com/freeipa/freeipa/pull/378
Author: tiran
Title: #378: Integrate make check into CI
Action: opened

PR body:
"""
make check runs cmocka tests for our C code. The patch also adds some additional files to gitignore and cleanup.

Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/378/head:pr378
git checkout pr378

From 9443df633997cacbce5372c126d8346d62e24eb4 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 9 Jan 2017 11:23:32 +0100
Subject: [PATCH] Integrate make check into CI

make check runs cmocka tests for our C code. The patch also adds some additional files to gitignore and cleanup.

Signed-off-by: Christian Heimes
--- .gitignore | 5 + .test_runner_config.yaml| 1 + daemons/ipa-kdb/Makefile.am | 3 +++ 3 files changed, 9 insertions(+) diff --git a/.gitignore b/.gitignore index 6dcda76..04553fd 100644 --- a/.gitignore +++ b/.gitignore @@ -72,9 +72,14 @@ freeipa2-dev-doc /daemons/dnssec/ipa-dnskeysyncd.service /daemons/dnssec/ipa-ods-exporter.service /daemons/dnssec/ipa-ods-exporter.socket +/daemons/ipa-kdb/ipa_kdb_tests +/daemons/ipa-kdb/tests/.dirstamp /daemons/ipa-otpd/ipa-otpd /daemons/ipa-otpd/ipa-otpd.socket /daemons/ipa-otpd/ipa-otpd@.service +/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_tests +/daemons/ipa-slapi-plugins/ipa-extdom-extop/extdom_cmocka_tests +/daemons/ipa-slapi-plugins/libotp/t_hotp /daemons/ipa-version.h /daemons/test-driver diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml index 2aece9a..676c8e7 100644 --- a/.test_runner_config.yaml +++ b/.test_runner_config.yaml @@ -47,6 +47,7 @@ steps: - echo ${server_password} > ~/.ipa/.dmpw - echo 'wait_for_dns=5' >> ~/.ipa/default.conf run_tests: + - make -s VERBOSITY=--quiet check - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path} tests: ignore:
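Review bot: the `- make -s VERBOSITY=--quiet check` step in the .test_runner_config.yaml hunk is placed in run_tests, after the server has already been installed and configured (the preceding steps write ~/.ipa/.dmpw and ~/.ipa/default.conf), so a broken cmocka test is only reported at the end of a long CI job; consider running `make check` in the build stage, before the server install, so that C unit-test failures fail fast. With `-s` and `VERBOSITY=--quiet` the only diagnostics on failure are the automake test-suite.log files under daemons/, so those should be collected as CI artifacts. Also, is the VERBOSITY variable actually consumed by the affected Makefiles? Nothing in this patch defines or reads it.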
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index 19583c9..6a2caa0 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -85,6 +85,9 @@ ipa_kdb_tests_LDADD = \ dist_noinst_DATA = ipa_kdb.exports +clean-local: + rm -f tests/.dirstamp + EXTRA_DIST = \ README \ README.s4u2proxy.txt \ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

tomaskrizek commented:
"""
This patch is meant to fix existing IPA installations when they're upgraded to use BIND-9.11. New IPA installations are covered by freeipa/freeipa#351

The script is written in sed. I added some inline comments for better clarity.
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-271244266
[Freeipa-devel] [bind-dyndb-ldap PR#7][opened] Added named.conf API transformation script to spec
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Author: tomaskrizek
Title: #7: Added named.conf API transformation script to spec
Action: opened

PR body:
"""
A script that converts old-style configuration API of named.conf to the new-style API after rpm installation was added to contrib specfile. Required version of BIND was also bumped to 9.11.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/7/head:pr7
git checkout pr7

From d3c41fae42b3c1c1c7e9426df0153afd0f95234b Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Mon, 9 Jan 2017 10:29:31 +0100
Subject: [PATCH] Added named.conf API transformation script to spec

A script that converts old-style configuration API of named.conf to the new-style API after rpm installation was added to contrib specfile. Required version of BIND was also bumped to 9.11.
--- contrib/bind-dyndb-ldap.spec | 41 +++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec index 6f5b1f3..87c3394 100644 --- a/contrib/bind-dyndb-ldap.spec +++ b/contrib/bind-dyndb-ldap.spec @@ -11,13 +11,13 @@ URL:https://fedorahosted.org/bind-dyndb-ldap Source0:https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: bind-devel >= 32:9.9.0, bind-lite-devel >= 32:9.9.0 +BuildRequires: bind-devel >= 32:9.11.0, bind-lite-devel >= 32:9.11.0 BuildRequires: krb5-devel BuildRequires: openldap-devel BuildRequires: libuuid-devel BuildRequires: automake, autoconf, libtool -Requires: bind >= 32:9.9.0 +Requires: bind >= 32:9.11.0 %description This package provides an LDAP back-end plug-in for BIND. It features
@@ -42,6 +42,39 @@ mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap rm %{buildroot}%{_libdir}/bind/ldap.la rm -r %{buildroot}%{_datadir}/doc/%{name} +%post +# Transform named.conf if it still has old-style API. +PLATFORM=$(uname -m) + +if [ $PLATFORM == "x86_64" ] ; then +LIBPATH=/usr/lib64 +else +LIBPATH=/usr/lib +fi + +while read -r PATTERN +do +SEDSCRIPT+="$PATTERN" +done < +- Added named.conf API transofrmation script +- Bumped the required BIND version to 9.11 + * Tue Jan 28 2014 Petr Spacek - package /var/named/dyndb-ldap directory
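Review bot: in the %post scriptlet, deriving LIBPATH from `uname -m` duplicates what rpm already knows at build time; `%{_libdir}` (which the %install section above already uses in `%{buildroot}%{_libdir}/bind/ldap.la`) is shorter and correct on every architecture, not only x86_64 versus everything else. `if [ $PLATFORM == "x86_64" ]` also leaves `$PLATFORM` unquoted and uses `==`, which is not POSIX for `[`, and `SEDSCRIPT+="$PATTERN"` is bash-only; both are fine only as long as the scriptlet is guaranteed to run under bash. Since the script rewrites named.conf in place on an existing installation, please guard it with the scriptlet argument (`$1` is 1 on a fresh install, where there is nothing to migrate, and greater than 1 on upgrade), keep a backup of the original file, and make sure it only touches named.conf when the old-style syntax is actually present (the comment promises this, but the sed body is cut off in the quoted patch, so it cannot be checked here). The changelog entry also has a typo: "transofrmation".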
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
Thank you for review!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-271236642
[Freeipa-devel] [freeipa PR#363][comment] ipaclient: schema cache: Handle malformed server info data gracefully
URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data gracefully

HonzaCholasta commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d15ccde20fcc97a597180255ee9f5eb38caa206c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/363#issuecomment-271228271
[Freeipa-devel] [freeipa PR#363][+pushed] ipaclient: schema cache: Handle malformed server info data gracefully
URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data gracefully
Label: +pushed
[Freeipa-devel] [freeipa PR#363][closed] ipaclient: schema cache: Handle malformed server info data gracefully
URL: https://github.com/freeipa/freeipa/pull/363
Author: dkupka
Title: #363: ipaclient: schema cache: Handle malformed server info data gracefully
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/363/head:pr363
git checkout pr363
[Freeipa-devel] [freeipa PR#363][+ack] ipaclient: schema cache: Handle malformed server info data gracefully
URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data gracefully
Label: +ack