[Freeipa-devel] Re: Contribute/Code wiki page update

2018-03-12 Thread Fraser Tweedale via FreeIPA-devel
On Mon, Mar 12, 2018 at 10:11:24AM +0100, Florence Blanc-Renaud via 
FreeIPA-devel wrote:
> Hi all,
> 
> I recently updated the Contribute/Code wiki page
> (https://www.freeipa.org/page/Contribute/Code), especially the sections
> related to Code Review Process.
> 
> As developers, we often prefer to deliver code rather than review other
> people's code, but I really think that the code reviews are an essential
> part of our job. They allow us to ensure that code quality is preserved, but
> also foster discussions and help share experience.
> 
> So as always, comments or suggestions are welcome!
> 
> Flo
>
Thanks Flo,

I know I can always do more reviews.  A new resolution I have made
this year is to review at least one PR for each PR I submit.  That
way I will not contribute to the problem of PR backlog, and maybe
improve it a little :) (Please hold me accountable to this, request
reviews, etc).

Cheers,
Fraser
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1666][closed] [testing_master] Nightly PR

2018-03-12 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1666
Author: freeipa-pr-ci
 Title: #1666: [testing_master] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1666/head:pr1666
git checkout pr1666


[Freeipa-devel] [freeipa PR#1674][opened] [testing_master] Nightly PR

2018-03-12 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1674
Author: freeipa-pr-ci
 Title: #1674: [testing_master] Nightly PR
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1674/head:pr1674
git checkout pr1674
From db07bad45b38ba7a494e7ed62017b599fcb44aaa Mon Sep 17 00:00:00 2001
From: root 
Date: Mon, 12 Mar 2018 23:45:07 +
Subject: [PATCH] automated commit

---
 .freeipa-pr-ci.yaml | 667 +++-
 1 file changed, 658 insertions(+), 9 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index b98a27835c..e1cfbbb7ac 100644
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -11,6 +11,18 @@ topologies:
 name: master_1repl_1client
 cpu: 4
 memory: 6700
+  ipaserver: 
+name: ipaserver
+cpu: 1
+memory: 2400
+  master_2repl_1client: _2repl_1client
+name: master_2repl_1client
+cpu: 5
+memory: 9100
+  master_3repl_1client: _3repl_1client
+name: master_3repl_1client
+cpu: 6
+memory: 11500
 
 jobs:
   fedora-27/build:
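Review bot: the three new topology anchors in this hunk look damaged as quoted. `ipaserver: ` has nothing after the colon, and `master_2repl_1client: _2repl_1client` / `master_3repl_1client: _3repl_1client` read as if the `&master` prefix of a YAML anchor was lost, while the new jobs later in this patch reference `*master_2repl_1client` and `*master_3repl_1client`. For those aliases to resolve, each entry needs the form `master_2repl_1client: &master_2repl_1client`; please confirm the committed file carries the anchors and that this is only mail rendering dropping the ampersand. A one-line comment stating the unit of `memory:` (9100, 11500) would also help whoever resizes the topologies next.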
@@ -23,23 +35,264 @@ jobs:
 git_refspec: '{git_refspec}'
 template: 
   name: freeipa/ci-master-f27
-  version: 1.0.2
+  version: 1.0.3
 timeout: 1800
 topology: *build
 
-  fedora-27/simple_replication:
+  fedora-27/test_server_del:
 requires: [fedora-27/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-27/build_url}'
-test_suite: test_integration/test_simple_replication.py
+test_suite: test_integration/test_server_del.py
 template: *ci-master-f27
-timeout: 3600
+timeout: 8000
+topology: *master_2repl_1client
+
+  fedora-27/test_installation_InstallTestBase1:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::InstallTestBase1
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+
+  fedora-27/test_installation_InstallTestBase2:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::InstallTestBase2
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA1:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA1
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA2:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA2
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA_KRA1:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA_KRA2:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA2
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA_DNS1:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS1
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA_DNS2:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-27/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS2
+template: *ci-master-f27
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-27/test_installation_TestInstallWithCA_KRA_DNS1:
+requires: [fedora-27/build]
+priority: 50
+job:
+  class: 
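Review bot: the eight `fedora-27/test_installation_*` stanzas differ only in `test_suite`; `priority`, `class`, `build_url`, `template`, `timeout` and `topology` are repeated verbatim, so a future change to the template or timeout has to be made in nine places. The file already uses anchors for `template` and `topology`, so a shared anchor for the common job body with only `test_suite` overridden would keep this maintainable. The timeout jump from 3600 to 8000 and 10800 seconds is not explained anywhere (the commit message is just "automated commit"); a short comment on why the three-replica installs need three hours would help. Note that the quoted patch is cut off after `class: ` in the TestInstallWithCA_KRA_DNS1 stanza, so the remainder could not be reviewed here.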

[Freeipa-devel] [freeipa PR#1673][opened] [testing_rawhide] Nightly PR

2018-03-12 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1673
Author: freeipa-pr-ci
 Title: #1673: [testing_rawhide] Nightly PR
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1673/head:pr1673
git checkout pr1673
From 7ac68468f85945a145ed7b26733991d4319f77e2 Mon Sep 17 00:00:00 2001
From: root 
Date: Mon, 12 Mar 2018 22:10:13 +
Subject: [PATCH] automated commit

---
 .freeipa-pr-ci.yaml | 691 ++--
 1 file changed, 670 insertions(+), 21 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index b98a27835c..9406051ec7 100644
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -11,9 +11,21 @@ topologies:
 name: master_1repl_1client
 cpu: 4
 memory: 6700
+  ipaserver: 
+name: ipaserver
+cpu: 1
+memory: 2400
+  master_2repl_1client: _2repl_1client
+name: master_2repl_1client
+cpu: 5
+memory: 9100
+  master_3repl_1client: _3repl_1client
+name: master_3repl_1client
+cpu: 6
+memory: 11500
 
 jobs:
-  fedora-27/build:
+  fedora-rawhide/build:
 requires: []
 priority: 100
 job:
@@ -21,44 +33,681 @@ jobs:
   args:
 git_repo: '{git_repo}'
 git_refspec: '{git_refspec}'
-template: 
-  name: freeipa/ci-master-f27
-  version: 1.0.2
+template: 
+  name: freeipa/ci-master-frawhide
+  version: 0.0.4
 timeout: 1800
 topology: *build
 
-  fedora-27/simple_replication:
-requires: [fedora-27/build]
+  fedora-rawhide/test_server_del:
+requires: [fedora-rawhide/build]
 priority: 50
 job:
   class: RunPytest
   args:
-build_url: '{fedora-27/build_url}'
-test_suite: test_integration/test_simple_replication.py
-template: *ci-master-f27
-timeout: 3600
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_server_del.py
+template: *ci-master-frawhide
+timeout: 8000
+topology: *master_2repl_1client
+
+  fedora-rawhide/test_installation_InstallTestBase1:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::InstallTestBase1
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+
+  fedora-rawhide/test_installation_InstallTestBase2:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::InstallTestBase2
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA1:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA1
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA2:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA2
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA_KRA1:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA_KRA2:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA2
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA_DNS1:
+requires: [fedora-rawhide/build]
+priority: 50
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-rawhide/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS1
+template: *ci-master-frawhide
+timeout: 10800
+topology: *master_3repl_1client
+
+  fedora-rawhide/test_installation_TestInstallWithCA_DNS2:
+
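Review bot: the renames are applied consistently in this hunk (`fedora-rawhide/build` in `requires`, `{fedora-rawhide/build_url}` in `build_url`, `*ci-master-frawhide` for the template), but the alias `*ci-master-frawhide` needs a matching `&ci-master-frawhide` anchor on the `template:` line of the build job, and as quoted that line shows `template: ` with nothing after the colon. Please confirm the anchor survives in the committed file. Also note the rawhide template is `freeipa/ci-master-frawhide` at version `0.0.4` while the f27 one is at `1.0.3`; if the rawhide image is still pre-release, say so in a comment so nightly failures can be triaged as image problems rather than FreeIPA regressions. The hunk is truncated after the `TestInstallWithCA_DNS2` stanza header, so the remaining jobs were not reviewed.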

[Freeipa-devel] [freeipa PR#1665][closed] [testing_rawhide] Nightly PR

2018-03-12 Thread freeipa-pr-ci via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1665
Author: freeipa-pr-ci
 Title: #1665: [testing_rawhide] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1665/head:pr1665
git checkout pr1665


[Freeipa-devel] [freeipa PR#1672][opened] ipa-restore: remove /etc/httpd/conf.d/nss.conf

2018-03-12 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1672
Author: flo-renaud
 Title: #1672: ipa-restore: remove /etc/httpd/conf.d/nss.conf
Action: opened

PR body:
"""
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.

https://pagure.io/freeipa/issue/7440
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1672/head:pr1672
git checkout pr1672
From 756c5f48f9b6af306fcfe691cdbf9d1b5789a466 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 12 Mar 2018 15:59:33 +0100
Subject: [PATCH] ipa-restore: remove /etc/httpd/conf.d/nss.conf

When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.

https://pagure.io/freeipa/issue/7440
---
 ipaserver/install/ipa_restore.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index bae71b0907..3e84f84551 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -147,7 +147,9 @@ class Restore(admintool.AdminTool):
 paths.DNSSEC_TOKENS_DIR,
 ]
 
-FILES_TO_BE_REMOVED = []
+FILES_TO_BE_REMOVED = [
+paths.HTTPD_NSS_CONF,
+]
 
 def __init__(self, options, args):
 super(Restore, self).__init__(options, args)
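Review bot: `FILES_TO_BE_REMOVED` gains `paths.HTTPD_NSS_CONF`, but the hunk does not show when the removal runs relative to extracting the backup. If it runs before the tarball is unpacked, a backup taken on a mod_nss-era server will recreate nss.conf and httpd will again try to open `NSSCertificateDatabase`, which is exactly the failure the commit message describes; the removal has to happen after the files are restored. It should also tolerate the file already being absent, since a backup taken on a mod_ssl server never contained it. A short comment next to the entry pointing at issue 7440 would stop the next reader from "cleaning up" the list.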


[Freeipa-devel] [freeipa PR#1671][opened] Log errors from NSS during FIPS OTP key import

2018-03-12 Thread frozencemetery via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1671
Author: frozencemetery
 Title: #1671: Log errors from NSS during FIPS OTP key import
Action: opened

PR body:
"""
This is the requested logging from #1621 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1671/head:pr1671
git checkout pr1671
From 4c6e48f64753aa32fd219f2cbeb56a6c3e8825cf Mon Sep 17 00:00:00 2001
From: Robbie Harwood 
Date: Thu, 1 Mar 2018 14:25:55 -0500
Subject: [PATCH] Log errors from NSS during FIPS OTP key import

Signed-off-by: Robbie Harwood 
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 0c9de96d37..1b9110ebf8 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -49,7 +49,9 @@
 #include 
 #include 
 #include 
+#include 
 #include 
+#include 
 
 struct digest_buffer {
 uint8_t buf[SHA512_LENGTH];
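Review bot: the two added `#include` lines appear with no header name in the quoted patch, so it is not visible which headers are pulled in. The second hunk uses `syslog()` with `LOG_ERR` and `PR_GetError()`, so the intended headers are presumably the syslog and NSPR error headers; please confirm the committed file names them. This is most likely mail rendering dropping angle-bracketed text, as it also did to the existing `#include` lines above.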
@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
  PK11_ATTR_SESSION |
  PK11_ATTR_PRIVATE |
  PK11_ATTR_SENSITIVE, NULL);
-if (!ekey)
+if (!ekey) {
+syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
+   PR_GetError());
 goto egress;
+}
 
 /* Encrypt the input key. */
 if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, , ctitem.data, ,
- ctitem.len, key->data, key->len) != SECSuccess)
+ ctitem.len, key->data, key->len) != SECSuccess) {
+syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
+   PR_GetError());
 goto egress;
+}
 
 /* Unwrap the input key. */
 skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, ,
  , mech, CKA_SIGN, key->len);
+if (!skey) {
+syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
+   PR_GetError());
+}
 
 egress:
 PK11_FreeSymKey(ekey);
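Review bot: all three messages say "in FIPS", but `import_key()` reaches this path whenever `PK11_ImportSymKey()` fails, not only in FIPS mode (the function's own comment in the PR #1670 patch below says "probably in FIPS mode"); wording such as "libotp: fallback key import: PK11_Encrypt failed" avoids sending an operator on a non-FIPS host down the wrong path. `PR_GetError()` is logged as a bare integer; NSPR's `PR_ErrorToName()` gives the symbolic name alongside, which is far easier to search for. Good that none of the messages include key material. The `PK11_UnwrapSymKey()` failure branch only logs and then falls through to `egress` with `skey == NULL`, so behaviour is unchanged, which is fine; consider also logging the original `PK11_ImportSymKey()` failure code at the top of the function, since that is the error that put us on the fallback path in the first place.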


[Freeipa-devel] [freeipa PR#1670][opened] [Backport][ipa-4-6] OTP FIPS mode fixes

2018-03-12 Thread rcritten via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1670
Author: rcritten
 Title: #1670: [Backport][ipa-4-6] OTP FIPS mode fixes
Action: opened

PR body:
"""
This PR was opened automatically because PR #1621 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1670/head:pr1670
git checkout pr1670
From 4ebd0713edcfa384769bbc9dc9f4464915f76dc6 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Wed, 21 Feb 2018 23:39:55 -0500
Subject: [PATCH 1/3] Fix OTP validation in FIPS mode

NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
this, we encrypt the input key using an ephemeral key and then unwrap the
encrypted key.

https://pagure.io/freeipa/issue/7168
---
 daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++--
 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
index 619bc63ab1..0c9de96d37 100644
--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
+++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
@@ -46,6 +46,7 @@
 #include 
 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -66,6 +67,49 @@ static const struct {
 { }
 };
 
+static PK11SymKey *
+import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
+{
+uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
+uint8_t iv[AES_BLOCK_SIZE] = {};
+SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
+SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
+PK11SymKey *ekey = NULL;
+PK11SymKey *skey = NULL;
+
+/* Try to import the key directly. */
+skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+ CKA_SIGN, key, NULL);
+if (skey)
+return skey;
+
+/* If we get here, we are probably in FIPS mode. Let's encrypt the key so
+ * that we can unseal it instead of loading it directly. */
+
+/* Generate an ephemeral key. */
+ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
+ AES_128_KEY_LENGTH, NULL,
+ CKF_ENCRYPT | CKF_UNWRAP,
+ PK11_ATTR_SESSION |
+ PK11_ATTR_PRIVATE |
+ PK11_ATTR_SENSITIVE, NULL);
+if (!ekey)
+goto egress;
+
+/* Encrypt the input key. */
+if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, , ctitem.data, ,
+ ctitem.len, key->data, key->len) != SECSuccess)
+goto egress;
+
+/* Unwrap the input key. */
+skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, ,
+ , mech, CKA_SIGN, key->len);
+
+egress:
+PK11_FreeSymKey(ekey);
+return skey;
+}
+
 /*
  * This code is mostly cargo-cult taken from here:
  *   http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
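Review bot: `uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE]` is a variable-length array on the stack sized from the token's key length, and nothing in this function bounds `key->len`; the value comes from the token entry in the directory, so an oversized secret grows the stack frame. A sanity limit on `key->len` before the VLA, or a heap allocation via `PORT_Alloc()`, would be safer. The all-zero IV is acceptable here only because `ekey` is generated per call, used for exactly one `PK11_Encrypt()` and freed at `egress`; a comment saying so would stop the next reader from turning `ekey` into something reusable. Note also that the fallback triggers on any `PK11_ImportSymKey()` failure, not just FIPS, and that the address-of arguments to `PK11_Encrypt()` and `PK11_UnwrapSymKey()` have been stripped in the quoted text (`, ,`), so the exact pointer arguments could not be checked from the mail.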
@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
 }
 }
 
-symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
-   CKA_SIGN, key, NULL);
+symkey = import_key(slot, mech, key);
 if (symkey == NULL)
 goto done;
 

From 9993aef9a3b4d27edf16c8a658e7065783629ab3 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Thu, 22 Feb 2018 14:04:10 -0500
Subject: [PATCH 2/3] Increase the default token key size

The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.

https://pagure.io/freeipa/issue/7168
---
 ipaserver/plugins/otptoken.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index 24815c108f..d94ae49fff 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -72,7 +72,7 @@
 }
 
 # NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0
-KEY_LENGTH = 20
+KEY_LENGTH = 35
 
 class OTPTokenKey(Bytes):
 """A binary password type specified in base32."""

From 49604c5d49f5ca7ff8f577b73ac34958a71ffa15 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Mon, 26 Feb 2018 09:48:22 -0500
Subject: [PATCH 3/3] Revert "Don't allow OTP or RADIUS in FIPS mode"

This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243
---
 ipaserver/plugins/baseuser.py |  3 ---
 ipaserver/plugins/config.py   | 16 
 2 files changed, 19 deletions(-)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 58c3332d2f..4dbf4b6f3e 100644
--- 

[Freeipa-devel] [freeipa PR#1668][opened] Backup HTTPD's mod_ssl config and cert-key pair

2018-03-12 Thread stlaz via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1668
Author: stlaz
 Title: #1668: Backup HTTPD's mod_ssl config and cert-key pair
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/3757
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1668/head:pr1668
git checkout pr1668
From df41810d8ce38a40a7ad4642c24ee1d9fad89879 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Mon, 12 Mar 2018 12:30:01 +0100
Subject: [PATCH] Backup HTTPD's mod_ssl config and cert-key pair

https://pagure.io/freeipa/issue/3757
---
 ipaserver/install/ipa_backup.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 9193eb02cb..f8fc2fdccf 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -113,7 +113,6 @@ class Backup(admintool.AdminTool):
 paths.ROOT_PKI,
 paths.PKI_TOMCAT,
 paths.SYSCONFIG_PKI,
-paths.HTTPD_ALIAS_DIR,
 paths.VAR_LIB_PKI_DIR,
 paths.SYSRESTORE,
 paths.IPA_CLIENT_SYSRESTORE,
@@ -152,7 +151,9 @@ class Backup(admintool.AdminTool):
 paths.HTTPD_IPA_KDCPROXY_CONF,
 paths.HTTPD_IPA_PKI_PROXY_CONF,
 paths.HTTPD_IPA_REWRITE_CONF,
-paths.HTTPD_NSS_CONF,
+paths.HTTPD_SSL_CONF,
+paths.HTTPD_CERT_FILE,
+paths.HTTPD_KEY_FILE,
 paths.HTTPD_IPA_CONF,
 paths.SSHD_CONFIG,
 paths.SSH_CONFIG,
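Review bot: adding `paths.HTTPD_KEY_FILE` puts the web server's private key into the backup archive, so the archive is now as sensitive as the key itself; make sure the backup stores and restores the file with its original owner and mode, and that the documentation tells administrators to protect (or encrypt) backups accordingly. Dropping `paths.HTTPD_NSS_CONF` from this list pairs with PR #1672 on this list, which has ipa-restore delete nss.conf: an older backup still contains that file, so both changes are needed together for a restore onto a mod_ssl server to bring httpd up.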


[Freeipa-devel] [freeipa PR#1667][opened] [WebUI]Error message while adding idrange with untrusted domain

2018-03-12 Thread amitkumar50 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1667
Author: amitkumar50
 Title: #1667: [WebUI]Error message while adding idrange with untrusted domain
Action: opened

PR body:
"""
While trying to add idrange with untrusted domain name error
message is misleading.

Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.

Resolves: https://pagure.io/freeipa/issue/5078
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1667/head:pr1667
git checkout pr1667
From 8ccec49b7af1db05818f7d4e6f1dbc96d810056b Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Mon, 12 Mar 2018 20:23:36 +0530
Subject: [PATCH] [WebUI]Error message while adding idrange with untrusted
 domain

While trying to add idrange with untrusted domain name error
message is misleading.

Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.

Resolves: https://pagure.io/freeipa/issue/5078
---
 ipaserver/plugins/idrange.py | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 6b37d9d708..ea3d1ff566 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -424,10 +424,10 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if sid is not None:
 entry_attrs['ipanttrusteddomainsid'] = sid
 else:
-raise errors.ValidationError(name='ID Range setup',
-error=_('SID for the specified trusted domain name could '
-'not be found. Please specify the SID directly '
-'using dom-sid option.'))
+raise errors.ValidationError(
+name='ID Range setup',
+error=_('Specified trusted domain name could not be '
+'found.'))
 
 # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range
 if is_set('ipanttrusteddomainsid'):
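Review bot: the new text drops the actionable part of the old message. "SID for the specified trusted domain name could not be found" was arguably confusing, but "Please specify the SID directly using dom-sid option" told the administrator how to proceed; consider "Specified trusted domain name could not be found. If the trust exists, specify the domain SID directly with the dom-sid option." Also, the PR title says "untrusted domain", but this branch fires whenever the SID lookup for the name returns nothing, including for a trusted domain whose lookup is failing at that moment, so the message should not assert that the domain is untrusted.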


[Freeipa-devel] Contribute/Code wiki page update

2018-03-12 Thread Florence Blanc-Renaud via FreeIPA-devel

Hi all,

I recently updated the Contribute/Code wiki page 
(https://www.freeipa.org/page/Contribute/Code), especially the sections 
related to Code Review Process.


As developers, we often prefer to deliver code rather than review other 
people's code, but I really think that the code reviews are an essential 
part of our job. They allow us to ensure that code quality is preserved, 
but also foster discussions and help share experience.


So as always, comments or suggestions are welcome!

Flo


[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback

2018-03-12 Thread Florence Blanc-Renaud via FreeIPA-devel

On 03/10/2018 12:07 PM, Amit via FreeIPA-devel wrote:

Ping!!


On 03/09/2018 02:08 PM, Amit wrote:

Hello,

Any thoughts would be helpful.

Thanks


On 03/07/2018 02:57 PM, Amit wrote:

Hello,

This is scenario in customer env.
Customer is using fresh machine to install replica.

*IPA-Server*
# ipa-server-install --no-ntp    // Success

*IPA Replica*
# ipa-replica-install --principal admin --admin-password --setup-ca
DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
    cacert=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
2018-02-06T06:56:48Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2018-02-06T06:56:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-06T06:56:48Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()

While I cannot repro in my local lab

Hi Amit,

without any logs it is difficult to tell what could go wrong. The part 
of the code that is failing is doing 2 tasks:
- starts the replication by performing an LDAP modification on the 
replication agreement (dn: 
cn=meTo$master,cn=replica,cn=dc\3Ddomain\2Cdc\3Dcom,cn=mapping 
tree,cn=config) in order to set the attribute nsds5BeginReplicaRefresh=start
- checks the replication status by reading the replication agreement 
status (attributes nsds5BeginReplicaRefresh, 
nsds5replicaUpdateInProgress, nsds5ReplicaLastInitStatus, 
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd).


So if you have 389-ds access logs, you can start by checking if the mod 
was successful. Then check the replication status.


Flo
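The two checks Flo describes (did the MOD on the replication agreement succeed, and what do the agreement's status attributes say) can be done offline against a copy of the 389-ds access log and an ldapsearch dump. The script below is an added example, not code from the FreeIPA project or from anyone in this thread. It pairs each MOD on an entry under cn=replica,...,cn=mapping tree,cn=config with its RESULT line via the conn=/op= identifiers that 389-ds writes on every operation, and classifies the total-update state from nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus. The log lines and attribute values are constructed for the example, and the exact shape of the nsds5ReplicaLastInitStatus string is an assumption (the code only relies on the first integer in it being the error code).

```python
"""Added example, not FreeIPA project code: offline triage of a failed
"start replication" step using a 389-ds access log and agreement status.

Constructed sample data is at the bottom; the conn=/op= pairing and
"RESULT err=" layout are standard 389-ds access-log format, the status
string shapes are an assumption.
"""
import re
from typing import Dict, Iterable, List

_OP_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
_MOD_RE = re.compile(r'MOD dn="(?P<dn>[^"]*)"')
_RESULT_RE = re.compile(r'RESULT err=(?P<err>-?\d+)')

# Replication agreements live under cn=replica,<suffix>,cn=mapping tree,cn=config.
AGREEMENT_SUFFIX = 'cn=mapping tree,cn=config'


def find_agreement_mods(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per MOD on a replication-agreement entry, carrying the LDAP
    result code of that operation (err is None if no RESULT line was seen)."""
    pending: Dict[tuple, Dict[str, object]] = {}
    finished: List[Dict[str, object]] = []
    for line in lines:
        m = _OP_RE.search(line)
        if not m:
            continue
        key = (m.group('conn'), m.group('op'))
        rest = m.group('rest')
        mod = _MOD_RE.match(rest)
        if mod:
            dn = mod.group('dn').lower()
            if dn.endswith(AGREEMENT_SUFFIX) and ',cn=replica,' in dn:
                pending[key] = {'conn': key[0], 'op': key[1],
                                'dn': mod.group('dn'), 'err': None}
            continue
        res = _RESULT_RE.match(rest)
        if res and key in pending:
            rec = pending.pop(key)
            rec['err'] = int(res.group('err'))
            finished.append(rec)
    finished.extend(pending.values())  # MODs whose RESULT never appeared
    return finished


def replication_state(attrs: Dict[str, str]) -> str:
    """Classify the total-update state from the attributes the installer
    polls. Returns 'pending', 'in_progress', 'succeeded', 'failed' or 'unknown'."""
    a = {k.lower(): v for k, v in attrs.items()}
    if a.get('nsds5beginreplicarefresh'):
        # the server removes this attribute once it has picked up the request
        return 'pending'
    if a.get('nsds5replicaupdateinprogress', '').upper() == 'TRUE':
        return 'in_progress'
    # Assumed shapes: "0 Total update succeeded" or
    # "Error (0) Total update succeeded"; the first integer is the code.
    code = re.search(r'(-?\d+)', a.get('nsds5replicalastinitstatus', ''))
    if code is None:
        return 'unknown'
    return 'succeeded' if int(code.group(1)) == 0 else 'failed'


# Constructed sample: a bind, an accepted agreement MOD on conn=7 and a second
# agreement MOD on conn=8 rejected with err=50 (insufficient access rights).
SAMPLE_ACCESS_LOG = [
    '[12/Mar/2018:10:00:01.000000000 +0100] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3',
    '[12/Mar/2018:10:00:01.000100000 +0100] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001',
    '[12/Mar/2018:10:00:02.000000000 +0100] conn=7 op=1 MOD dn="cn=meToserver.example.com,cn=replica,'
    'cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"',
    '[12/Mar/2018:10:00:02.000500000 +0100] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0.0005',
    '[12/Mar/2018:10:00:03.000000000 +0100] conn=8 op=2 MOD dn="cn=meToother.example.com,cn=replica,'
    'cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"',
    '[12/Mar/2018:10:00:03.000500000 +0100] conn=8 op=2 RESULT err=50 tag=103 nentries=0 etime=0.0005',
]

# Constructed agreement status as it might be read back after the MOD.
SAMPLE_STATUS = {
    'nsds5replicaUpdateInProgress': 'FALSE',
    'nsds5ReplicaLastInitStatus': 'Error (0) Total update succeeded',
    'nsds5ReplicaLastInitStart': '20180312090002Z',
    'nsds5ReplicaLastInitEnd': '20180312090031Z',
}

if __name__ == '__main__':
    for rec in find_agreement_mods(SAMPLE_ACCESS_LOG):
        print('conn=%s op=%s err=%s %s' % (rec['conn'], rec['op'], rec['err'], rec['dn']))
    print('agreement state:', replication_state(SAMPLE_STATUS))
```

A non-zero `err` on the MOD (here 50 on conn=8) means the refresh was never requested and the bind identity or ACIs are the place to look; an accepted MOD followed by a `failed` state points at the consumer side (connectivity, credentials or the initialisation itself), which is where the nsds5ReplicaLastInitStatus text and the supplier's errors log take over.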