[Freeipa-devel] Re: Contribute/Code wiki page update
On Mon, Mar 12, 2018 at 10:11:24AM +0100, Florence Blanc-Renaud via FreeIPA-devel wrote:
> Hi all,
>
> I recently updated the Contribute/Code wiki page
> (https://www.freeipa.org/page/Contribute/Code), especially the sections
> related to Code Review Process.
>
> As developers, we often prefer to deliver code rather than review other
> people's code, but I really think that the code reviews are an essential
> part of our job. They allow to ensure that code quality is preserved, but
> also foster discussions and help share experience.
>
> So as always, comments or suggestions are welcome!
>
> Flo
>

Thanks Flo,

I know I can always do more reviews. A new resolution I have made this year is to review at least one PR for each PR I submit. That way I will not contribute to the problem of PR backlog, and maybe improve it a little :)

(Please hold me accountable to this, request reviews, etc).

Cheers,
Fraser
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
[Freeipa-devel] [freeipa PR#1666][closed] [testing_master] Nightly PR
URL: https://github.com/freeipa/freeipa/pull/1666
Author: freeipa-pr-ci
Title: #1666: [testing_master] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1666/head:pr1666
git checkout pr1666
[Freeipa-devel] [freeipa PR#1674][opened] [testing_master] Nightly PR
URL: https://github.com/freeipa/freeipa/pull/1674 Author: freeipa-pr-ci Title: #1674: [testing_master] Nightly PR Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1674/head:pr1674 git checkout pr1674 From db07bad45b38ba7a494e7ed62017b599fcb44aaa Mon Sep 17 00:00:00 2001 From: rootDate: Mon, 12 Mar 2018 23:45:07 + Subject: [PATCH] automated commit --- .freeipa-pr-ci.yaml | 667 +++- 1 file changed, 658 insertions(+), 9 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index b98a27835c..e1cfbbb7ac 100644 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -11,6 +11,18 @@ topologies: name: master_1repl_1client cpu: 4 memory: 6700 + ipaserver: +name: ipaserver +cpu: 1 +memory: 2400 + master_2repl_1client: _2repl_1client +name: master_2repl_1client +cpu: 5 +memory: 9100 + master_3repl_1client: _3repl_1client +name: master_3repl_1client +cpu: 6 +memory: 11500 jobs: fedora-27/build: 
@@ -23,23 +35,264 @@ jobs: git_refspec: '{git_refspec}' template: name: freeipa/ci-master-f27 - version: 1.0.2 + version: 1.0.3 timeout: 1800 topology: *build - fedora-27/simple_replication: + fedora-27/test_server_del: requires: [fedora-27/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-27/build_url}' -test_suite: test_integration/test_simple_replication.py +test_suite: test_integration/test_server_del.py template: *ci-master-f27 -timeout: 3600 +timeout: 8000 +topology: *master_2repl_1client + + fedora-27/test_installation_InstallTestBase1: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::InstallTestBase1 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + + fedora-27/test_installation_InstallTestBase2: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::InstallTestBase2 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA1: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA1 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA2: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA2 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA_KRA1: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 
+template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA_KRA2: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA2 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA_DNS1: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS1 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA_DNS2: +requires: [fedora-27/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-27/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS2 +template: *ci-master-f27 +timeout: 10800 +topology: *master_3repl_1client + + fedora-27/test_installation_TestInstallWithCA_KRA_DNS1: +requires: [fedora-27/build] +priority: 50 +job: + class:
[Freeipa-devel] [freeipa PR#1673][opened] [testing_rawhide] Nightly PR
URL: https://github.com/freeipa/freeipa/pull/1673 Author: freeipa-pr-ci Title: #1673: [testing_rawhide] Nightly PR Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1673/head:pr1673 git checkout pr1673 From 7ac68468f85945a145ed7b26733991d4319f77e2 Mon Sep 17 00:00:00 2001 From: rootDate: Mon, 12 Mar 2018 22:10:13 + Subject: [PATCH] automated commit --- .freeipa-pr-ci.yaml | 691 ++-- 1 file changed, 670 insertions(+), 21 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index b98a27835c..9406051ec7 100644 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -11,9 +11,21 @@ topologies: name: master_1repl_1client cpu: 4 memory: 6700 + ipaserver: +name: ipaserver +cpu: 1 +memory: 2400 + master_2repl_1client: _2repl_1client +name: master_2repl_1client +cpu: 5 +memory: 9100 + master_3repl_1client: _3repl_1client +name: master_3repl_1client +cpu: 6 +memory: 11500 jobs: - fedora-27/build: + fedora-rawhide/build: requires: [] priority: 100 job: 
@@ -21,44 +33,681 @@ jobs: args: git_repo: '{git_repo}' git_refspec: '{git_refspec}' -template: - name: freeipa/ci-master-f27 - version: 1.0.2 +template: + name: freeipa/ci-master-frawhide + version: 0.0.4 timeout: 1800 topology: *build - fedora-27/simple_replication: -requires: [fedora-27/build] + fedora-rawhide/test_server_del: +requires: [fedora-rawhide/build] priority: 50 job: class: RunPytest args: -build_url: '{fedora-27/build_url}' -test_suite: test_integration/test_simple_replication.py -template: *ci-master-f27 -timeout: 3600 +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_server_del.py +template: *ci-master-frawhide +timeout: 8000 +topology: *master_2repl_1client + + fedora-rawhide/test_installation_InstallTestBase1: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::InstallTestBase1 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + + fedora-rawhide/test_installation_InstallTestBase2: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::InstallTestBase2 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA1: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA1 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA2: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA2 +template: *ci-master-frawhide +timeout: 10800 
+topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA_KRA1: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA1 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA_KRA2: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_KRA2 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA_DNS1: +requires: [fedora-rawhide/build] +priority: 50 +job: + class: RunPytest + args: +build_url: '{fedora-rawhide/build_url}' +test_suite: test_integration/test_installation.py::TestInstallWithCA_DNS1 +template: *ci-master-frawhide +timeout: 10800 +topology: *master_3repl_1client + + fedora-rawhide/test_installation_TestInstallWithCA_DNS2: +
[Freeipa-devel] [freeipa PR#1665][closed] [testing_rawhide] Nightly PR
URL: https://github.com/freeipa/freeipa/pull/1665
Author: freeipa-pr-ci
Title: #1665: [testing_rawhide] Nightly PR
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1665/head:pr1665
git checkout pr1665
[Freeipa-devel] [freeipa PR#1672][opened] ipa-restore: remove /etc/httpd/conf.d/nss.conf
URL: https://github.com/freeipa/freeipa/pull/1672 Author: flo-renaud Title: #1672: ipa-restore: remove /etc/httpd/conf.d/nss.conf Action: opened PR body: """ When ipa-restore is called, it needs to delete the file nss.conf, otherwise httpd server will try to initialize the NSS engine and access NSSCertificateDatabase. This is a regression introduced with the switch from NSS to SSL. https://pagure.io/freeipa/issue/7440 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1672/head:pr1672 git checkout pr1672 From 756c5f48f9b6af306fcfe691cdbf9d1b5789a466 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Mon, 12 Mar 2018 15:59:33 +0100 Subject: [PATCH] ipa-restore: remove /etc/httpd/conf.d/nss.conf When ipa-restore is called, it needs to delete the file nss.conf, otherwise httpd server will try to initialize the NSS engine and access NSSCertificateDatabase. This is a regression introduced with the switch from NSS to SSL. https://pagure.io/freeipa/issue/7440 --- ipaserver/install/ipa_restore.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index bae71b0907..3e84f84551 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -147,7 +147,9 @@ class Restore(admintool.AdminTool): paths.DNSSEC_TOKENS_DIR, ] -FILES_TO_BE_REMOVED = [] +FILES_TO_BE_REMOVED = [ +paths.HTTPD_NSS_CONF, +] def __init__(self, options, args): super(Restore, self).__init__(options, args) ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
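Review bot: the new paths.HTTPD_NSS_CONF entry in FILES_TO_BE_REMOVED carries no comment saying why restore has to delete this file, and the hunk does not show how the list is consumed. Add a one-line comment next to the entry that names the NSS-to-SSL switch and issue 7440, and confirm that the removal step tolerates the file being absent, since a host that never had nss.conf may also run ipa-restore.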
[Freeipa-devel] [freeipa PR#1671][opened] Log errors from NSS during FIPS OTP key import
URL: https://github.com/freeipa/freeipa/pull/1671 Author: frozencemetery Title: #1671: Log errors from NSS during FIPS OTP key import Action: opened PR body: """ This is the requested logging from #1621 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1671/head:pr1671 git checkout pr1671 From 4c6e48f64753aa32fd219f2cbeb56a6c3e8825cf Mon Sep 17 00:00:00 2001 From: Robbie HarwoodDate: Thu, 1 Mar 2018 14:25:55 -0500 Subject: [PATCH] Log errors from NSS during FIPS OTP key import Signed-off-by: Robbie Harwood --- daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c index 0c9de96d37..1b9110ebf8 100644 --- a/daemons/ipa-slapi-plugins/libotp/hotp.c +++ b/daemons/ipa-slapi-plugins/libotp/hotp.c @@ -49,7 +49,9 @@ #include #include #include +#include #include +#include struct digest_buffer { uint8_t buf[SHA512_LENGTH]; @@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key) PK11_ATTR_SESSION | PK11_ATTR_PRIVATE | PK11_ATTR_SENSITIVE, NULL); -if (!ekey) +if (!ekey) { +syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d", + PR_GetError()); goto egress; +} /* Encrypt the input key. */ if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, , ctitem.data, , - ctitem.len, key->data, key->len) != SECSuccess) + ctitem.len, key->data, key->len) != SECSuccess) { +syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d", + PR_GetError()); goto egress; +} /* Unwrap the input key. */ skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, , , mech, CKA_SIGN, key->len); +if (!skey) { +syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d", + PR_GetError()); +} egress: PK11_FreeSymKey(ekey); ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
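Review bot: the three new syslog() calls in import_key() report only the numeric value of PR_GetError(), which an administrator has to look up by hand; logging the symbolic name as well (for example with PR_ErrorToName()) would make each message usable on its own. The "in FIPS" prefix also states as fact what the fallback path only assumes (the original patch on this page comments it as "probably in FIPS mode"), so wording that names the key-wrap fallback would be more accurate. The last block, if (!skey), rightly needs no goto because it falls through to egress.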
[Freeipa-devel] [freeipa PR#1670][opened] [Backport][ipa-4-6] OTP FIPS mode fixes
URL: https://github.com/freeipa/freeipa/pull/1670 Author: rcritten Title: #1670: [Backport][ipa-4-6] OTP FIPS mode fixes Action: opened PR body: """ This PR was opened automatically because PR #1621 was pushed to master and backport to ipa-4-6 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1670/head:pr1670 git checkout pr1670 From 4ebd0713edcfa384769bbc9dc9f4464915f76dc6 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallumDate: Wed, 21 Feb 2018 23:39:55 -0500 Subject: [PATCH 1/3] Fix OTP validation in FIPS mode NSS doesn't allow keys to be loaded directly in FIPS mode. To work around this, we encrypt the input key using an ephemeral key and then unwrap the encrypted key. https://pagure.io/freeipa/issue/7168 --- daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c index 619bc63ab1..0c9de96d37 100644 --- a/daemons/ipa-slapi-plugins/libotp/hotp.c +++ b/daemons/ipa-slapi-plugins/libotp/hotp.c @@ -46,6 +46,7 @@ #include #include +#include #include #include #include 
@@ -66,6 +67,49 @@ static const struct { { } }; +static PK11SymKey * +import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key) +{ +uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE]; +uint8_t iv[AES_BLOCK_SIZE] = {}; +SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer }; +SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer }; +PK11SymKey *ekey = NULL; +PK11SymKey *skey = NULL; + +/* Try to import the key directly. */ +skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, + CKA_SIGN, key, NULL); +if (skey) +return skey; + +/* If we get here, we are probably in FIPS mode. Let's encrypt the key so + * that we can unseal it instead of loading it directly. */ + +/* Generate an ephemeral key. */ +ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL, + AES_128_KEY_LENGTH, NULL, + CKF_ENCRYPT | CKF_UNWRAP, + PK11_ATTR_SESSION | + PK11_ATTR_PRIVATE | + PK11_ATTR_SENSITIVE, NULL); +if (!ekey) +goto egress; + +/* Encrypt the input key. */ +if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, , ctitem.data, , + ctitem.len, key->data, key->len) != SECSuccess) +goto egress; + +/* Unwrap the input key. */ +skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, , + , mech, CKA_SIGN, key->len); + +egress: +PK11_FreeSymKey(ekey); +return skey; +} + /* * This code is mostly cargo-cult taken from here: * http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html @@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in, } } -symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, - CKA_SIGN, key, NULL); +symkey = import_key(slot, mech, key); if (symkey == NULL) goto done; From 9993aef9a3b4d27edf16c8a658e7065783629ab3 Mon Sep 17 00:00:00 2001 
From: Nathaniel McCallum Date: Thu, 22 Feb 2018 14:04:10 -0500 Subject: [PATCH 2/3] Increase the default token key size The previous default token key size would fail in FIPS mode for the sha384 and sha512 algorithms. With the updated key size, the default will work in all cases. https://pagure.io/freeipa/issue/7168 --- ipaserver/plugins/otptoken.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py index 24815c108f..d94ae49fff 100644 --- a/ipaserver/plugins/otptoken.py +++ b/ipaserver/plugins/otptoken.py @@ -72,7 +72,7 @@ } # NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0 -KEY_LENGTH = 20 +KEY_LENGTH = 35 class OTPTokenKey(Bytes): """A binary password type specified in base32.""" From 49604c5d49f5ca7ff8f577b73ac34958a71ffa15 Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum Date: Mon, 26 Feb 2018 09:48:22 -0500 Subject: [PATCH 3/3] Revert "Don't allow OTP or RADIUS in FIPS mode" This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622. OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping traffic in a VPN. https://pagure.io/freeipa/issue/7168 https://pagure.io/freeipa/issue/7243 --- ipaserver/plugins/baseuser.py | 3 --- ipaserver/plugins/config.py | 16 2 files changed, 19 deletions(-) diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py index 58c3332d2f..4dbf4b6f3e 100644 ---
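Review bot: in import_key() (patch 1/3), the declaration uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE]; is a variable-length array sized from key->len with no upper bound visible in the hunk, so an oversized token key becomes an unbounded stack allocation. Reject a key->len above a sane maximum before the buffer is declared, or allocate the buffer on the heap and check the result. The failure paths also leave silently through egress, so the caller in hmac() sees only NULL with no indication of which NSS call failed.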
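Review bot: the comment above KEY_LENGTH in patch 2/3 still states only the KEY_LENGTH % 5 == 0 compatibility rule and does not record why 35 was chosen. Put the constraint from the commit message (the previous size failing in FIPS mode for sha384 and sha512) next to the constant, so that a later change does not lower it again without noticing.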
[Freeipa-devel] [freeipa PR#1668][opened] Backup HTTPD's mod_ssl config and cert-key pair
URL: https://github.com/freeipa/freeipa/pull/1668 Author: stlaz Title: #1668: Backup HTTPD's mod_ssl config and cert-key pair Action: opened PR body: """ https://pagure.io/freeipa/issue/3757 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1668/head:pr1668 git checkout pr1668 From df41810d8ce38a40a7ad4642c24ee1d9fad89879 Mon Sep 17 00:00:00 2001 From: Stanislav LaznickaDate: Mon, 12 Mar 2018 12:30:01 +0100 Subject: [PATCH] Backup HTTPD's mod_ssl config and cert-key pair https://pagure.io/freeipa/issue/3757 --- ipaserver/install/ipa_backup.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 9193eb02cb..f8fc2fdccf 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -113,7 +113,6 @@ class Backup(admintool.AdminTool): paths.ROOT_PKI, paths.PKI_TOMCAT, paths.SYSCONFIG_PKI, -paths.HTTPD_ALIAS_DIR, paths.VAR_LIB_PKI_DIR, paths.SYSRESTORE, paths.IPA_CLIENT_SYSRESTORE, @@ -152,7 +151,9 @@ class Backup(admintool.AdminTool): paths.HTTPD_IPA_KDCPROXY_CONF, paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_REWRITE_CONF, -paths.HTTPD_NSS_CONF, +paths.HTTPD_SSL_CONF, +paths.HTTPD_CERT_FILE, +paths.HTTPD_KEY_FILE, paths.HTTPD_IPA_CONF, paths.SSHD_CONFIG, paths.SSH_CONFIG, ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
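Review bot: the second hunk adds paths.HTTPD_CERT_FILE and paths.HTTPD_KEY_FILE to the backed-up files, but the commit message is only an issue link and does not say that these replace paths.HTTPD_ALIAS_DIR, which the first hunk drops. Say so in the message, and confirm that the private key file keeps its restrictive ownership and mode inside the archive and after restore. It is also worth stating how a backup taken before this change, which still contains the alias directory and nss.conf, is expected to restore.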
[Freeipa-devel] [freeipa PR#1667][opened] [WebUI]Error message while adding idrange with untrusted domain
URL: https://github.com/freeipa/freeipa/pull/1667 Author: amitkumar50 Title: #1667: [WebUI]Error message while adding idrange with untrusted domain Action: opened PR body: """ While trying to add idrange with untrusted domain name error message is misleading. Changing the error message to: invalid 'ID Range setup':Specified trusted domain name could not be found. Resolves: https://pagure.io/freeipa/issue/5078 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1667/head:pr1667 git checkout pr1667 From 8ccec49b7af1db05818f7d4e6f1dbc96d810056b Mon Sep 17 00:00:00 2001 From: amitkumaDate: Mon, 12 Mar 2018 20:23:36 +0530 Subject: [PATCH] [WebUI]Error message while adding idrange with untrusted domain While trying to add idrange with untrusted domain name error message is misleading. Changing the error message to: invalid 'ID Range setup':Specified trusted domain name could not be found. Resolves: https://pagure.io/freeipa/issue/5078 --- ipaserver/plugins/idrange.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py index 6b37d9d708..ea3d1ff566 100644 --- a/ipaserver/plugins/idrange.py +++ b/ipaserver/plugins/idrange.py 
@@ -424,10 +424,10 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): if sid is not None: entry_attrs['ipanttrusteddomainsid'] = sid else: -raise errors.ValidationError(name='ID Range setup', -error=_('SID for the specified trusted domain name could ' -'not be found. Please specify the SID directly ' -'using dom-sid option.')) +raise errors.ValidationError( +name='ID Range setup', +error=_('Specified trusted domain name could not be ' +'found.')) # ipaNTTrustedDomainSID attribute set, this is AD Trusted domain range if is_set('ipanttrusteddomainsid'): ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
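Review bot: the replacement message in pre_callback() drops the remediation hint from the old text ("Please specify the SID directly using dom-sid option"), which was the only actionable part for the administrator. Keep the hint, or explain in the commit message why it no longer applies. The subject is tagged [WebUI] although the change is in ipaserver/plugins/idrange.py and so reaches every client of the API; check for tests that assert the old string.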
[Freeipa-devel] Contribute/Code wiki page update
Hi all,

I recently updated the Contribute/Code wiki page (https://www.freeipa.org/page/Contribute/Code), especially the sections related to Code Review Process.

As developers, we often prefer to deliver code rather than review other people's code, but I really think that the code reviews are an essential part of our job. They allow to ensure that code quality is preserved, but also foster discussions and help share experience.

So as always, comments or suggestions are welcome!

Flo
[Freeipa-devel] Re: ipa-replica-install --principal admin --admin-password --setup-ca Traceback
On 03/10/2018 12:07 PM, Amit via FreeIPA-devel wrote:

Ping!!

On 03/09/2018 02:08 PM, Amit wrote:

Hello,
Any thoughts would be helpful.
Thanks

On 03/07/2018 02:57 PM, Amit wrote:

Hello,
This is scenario in customer env. Customer is using fresh machine to install replica.

*IPA-Server *# ipa-server-install --no-ntp//Success
*IPA Replica* # ipa-replica-install --principal admin --admin-password --setup-ca

DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 439, in __setup_replica
    cacert=self.ca_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 1666, in setup_promote_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG [error] RuntimeError: Failed to start replication
2018-02-06T06:56:48Z DEBUG Destroyed connection context.ldap2_113870544
2018-02-06T06:56:48Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2018-02-06T06:56:48Z DEBUG Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
2018-02-06T06:56:48Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()

While I cannot repro in my local lab

Hi Amit,

without any logs it is difficult to tell what could go wrong. The part of code that is failing is doing 2 tasks:
- starts the replication by performing a LDAP modification on the replication agreement (dn: cn=meTo$master,cn=replica,cn=dc\3Ddomain\2Cdc\3Dcom,cn=mapping tree,cn=config) in order to set the attribute nsds5BeginReplicaRefresh=start
- checks the replication status by reading the replication agreement status (attributes nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress, nsds5ReplicaLastInitStatus, nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd).

So if you have 389-ds access logs, you can start by checking if the mod was successful. Then check the replication status.

Flo
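The first check suggested in the reply above (did the MOD on the replication agreement succeed?), as an added example that is not part of the original thread or of FreeIPA's code. The log lines are constructed samples in the 389-ds access-log layout, and the helper names `agreement_mods` and `summarize` are hypothetical.

```python
import re

# Constructed sample lines in the 389-ds access-log layout (not from the thread).
SAMPLE_LOG = r'''
[06/Feb/2018:06:56:40.101 +0000] conn=7 op=3 MOD dn="cn=meToreplica1.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config"
[06/Feb/2018:06:56:40.109 +0000] conn=7 op=3 RESULT err=0 tag=103 nentries=0 etime=0
[06/Feb/2018:06:56:41.200 +0000] conn=7 op=4 SRCH base="cn=meToreplica1.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)"
[06/Feb/2018:06:56:41.201 +0000] conn=7 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[06/Feb/2018:06:56:45.000 +0000] conn=9 op=1 MOD dn="cn=meToreplica2.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config"
[06/Feb/2018:06:56:45.004 +0000] conn=9 op=1 RESULT err=50 tag=103 nentries=0 etime=0
[06/Feb/2018:06:56:46.000 +0000] conn=9 op=2 MOD dn="uid=admin,cn=users,cn=accounts,dc=example,dc=test"
[06/Feb/2018:06:56:46.002 +0000] conn=9 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[06/Feb/2018:06:56:48.000 +0000] conn=11 op=1 MOD dn="cn=meToreplica3.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config"
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
MOD_RE = re.compile(r'^MOD dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)\b')

# Agreement entries live under this suffix and are named cn=meTo<host>,
# as in the DN quoted in the reply.
AGREEMENT_SUFFIX = ",cn=mapping tree,cn=config"


def is_agreement_dn(dn):
    lowered = dn.lower()
    return lowered.startswith("cn=meto") and lowered.endswith(AGREEMENT_SUFFIX)


def agreement_mods(log_text):
    """Return one record per MOD on a replication agreement, with its result.

    A MOD and its RESULT are separate lines that share conn= and op=, so the
    two are joined on that pair. err stays None when no RESULT was logged.
    """
    pending = {}
    records = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        mod = MOD_RE.match(m["rest"])
        if mod and is_agreement_dn(mod["dn"]):
            rec = {"time": m["ts"], "conn": int(m["conn"]),
                   "op": int(m["op"]), "dn": mod["dn"], "err": None}
            pending[key] = rec
            records.append(rec)
            continue
        res = RESULT_RE.match(m["rest"])
        if res and key in pending:
            pending.pop(key)["err"] = int(res["err"])
    return records


def summarize(records):
    """Map each agreement DN to 'ok', 'failed (err=N)' or 'no result logged'."""
    out = {}
    for rec in records:
        if rec["err"] is None:
            out[rec["dn"]] = "no result logged"
        elif rec["err"] == 0:
            out[rec["dn"]] = "ok"
        else:
            out[rec["dn"]] = "failed (err=%d)" % rec["err"]
    return out


if __name__ == "__main__":
    for dn, state in summarize(agreement_mods(SAMPLE_LOG)).items():
        print(state, dn)
```

A MOD that returned err=0 only shows that the refresh was requested; the agreement's status attributes listed in the reply still have to be read to see whether the initialization finished.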