[Freeipa-devel] [freeipa PR#6140][opened] ipa-kdb: refactor KDB driver to prepare for KDB version 9

2022-01-13 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6140
Author: abbra
 Title: #6140: ipa-kdb: refactor KDB driver to prepare for KDB version 9
Action: opened

PR body:
"""
MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.

Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.

FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.

KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.

Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.

Related: https://pagure.io/freeipa/issue/9083

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6140/head:pr6140
git checkout pr6140
From 9d6439035d011066ba7d0ef203377c9fe2b889df Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 13 Jan 2022 14:34:55 +0200
Subject: [PATCH] ipa-kdb: refactor KDB driver to prepare for KDB version 9

MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.

Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.

FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.

KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.

Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.

Related: https://pagure.io/freeipa/issue/9083

Signed-off-by: Alexander Bokovoy 
---
 configure.ac|   3 +
 daemons/ipa-kdb/Makefile.am |   8 +-
 daemons/ipa-kdb/ipa_kdb.c   |  41 ++-
 daemons/ipa-kdb/ipa_kdb_mspac.c | 315 ++--
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  20 +-
 daemons/ipa-kdb/ipa_kdb_mspac_v6.c  | 315 
 daemons/ipa-kdb/ipa_kdb_mspac_v9.c  |  34 +++
 server.m4   |   9 +
 8 files changed, 445 insertions(+), 300 deletions(-)
 create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_v6.c
 create mode 100644 daemons/ipa-kdb/ipa_kdb_mspac_v9.c

diff --git a/configure.ac b/configure.ac
index a64b434fe8b..f10211761d0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -293,6 +293,9 @@ AM_COND_IF([BUILD_IPA_CERTAUTH_PLUGIN], [
 AM_CONDITIONAL([BUILD_IPA_KDCPOLICY_PLUGIN],
[test x$have_kdcpolicy_plugin = xyes])
 
+AM_CONDITIONAL([BUILD_IPA_ISSUE_PAC],
+   [test x$have_kdb_issue_pac = xyes])
+
 dnl ---
 dnl - Check for program paths
 dnl ---
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 5775d408642..05e35f09eca 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -33,7 +33,7 @@ ipadb_la_SOURCES = 		\
 	ipa_kdb_passwords.c	\
 	ipa_kdb_principals.c	\
 	ipa_kdb_pwdpolicy.c	\
-	ipa_kdb_mspac.c		\
+	ipa_kdb_mspac.c	\
 	ipa_kdb_mspac_private.h	\
 	ipa_kdb_delegation.c	\
 	ipa_kdb_audit_as.c	\
@@ -41,6 +41,12 @@ ipadb_la_SOURCES = 		\
 
 dist_noinst_DATA = ipa_kdb.exports
 
+if BUILD_IPA_ISSUE_PAC
+ipadb_la_SOURCES += ipa_kdb_mspac_v9.c
+else
+ipadb_la_SOURCES += ipa_kdb_mspac_v6.c
+endif
+
 if BUILD_IPA_CERTAUTH_PLUGIN
 ipadb_la_SOURCES += ipa_kdb_certauth.c
 endif
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 6e1e3e3513a..59dbe5411e7 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -792,8 +792,47 @@ kdb_vftabl kdb_function_table = {
 };
 #endif
 
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 9)
+#error DAL version 9 is not supported yet
+/* Version 9 removes sign_authdata and adds issue_pac method. It is a complete
+ * revamp of how PAC is issued, so we need to implement it differently to previous
+ * versions. */
+
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.put_principal = ipadb_pu

[Freeipa-devel] [freeipa PR#6134][opened] Support building against OpenLDAP 2.6+

2022-01-11 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6134
Author: abbra
 Title: #6134: Support building against OpenLDAP 2.6+
Action: opened

PR body:
"""
OpenLDAP 2.6 deprecated separate libldap/libldap_r and
liblber/liblber_r, there is only one (reentrant) variant for each
library.

Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.

Fixes: https://pagure.io/freeipa/issue/9080

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6134/head:pr6134
git checkout pr6134
From ff23897eeea1ad20df882df5b59460919b5d1d2d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 11 Jan 2022 16:10:24 +0200
Subject: [PATCH] Support building against OpenLDAP 2.6+

OpenLDAP 2.6 deprecated separate libldap/libldap_r and
liblber/liblber_r, there is only one (reentrant) variant for each
library.

Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.

Fixes: https://pagure.io/freeipa/issue/9080

Signed-off-by: Alexander Bokovoy 
---
 configure.ac | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 1ae4dc8ddee..1480e75808c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -101,9 +101,12 @@ dnl ---
 
 SAVE_CPPFLAGS=$CPPFLAGS
 CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
-AC_CHECK_LIB([ldap_r], [ldap_search], [ ], AC_MSG_ERROR([libldap_r not found]))
-AC_CHECK_LIB([lber], [ber_peek_tag], [ ], AC_MSG_ERROR([liblber not found]))
-LDAP_LIBS="-lldap_r -llber"
+SAVE_LIBS="$LIBS"
+AC_SEARCH_LIBS([ldap_search], [ldap_r ldap], [], [AC_MSG_ERROR([libldap or libldap_r not found])])
+AC_SEARCH_LIBS([ber_peek_tag], [lber], [], [AC_MSG_ERROR([liblber not found])])
+LDAP_LIBS="$LIBS"
+LDAP_CFLAGS=""
+LIBS="$SAVE_LIBS"
 LDAP_CFLAGS=""
 AC_SUBST(LDAP_LIBS)
 AC_SUBST(LDAP_CFLAGS)
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5976][closed] Translations update from Weblate

2021-12-07 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5976
Author: weblate
 Title: #5976: Translations update from Weblate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5976/head:pr5976
git checkout pr5976
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#6116][opened] [Backport][ipa-4-9] PAC fixes for Windows Server November 2021 security release

2021-11-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6116
Author: abbra
 Title: #6116: [Backport][ipa-4-9] PAC fixes for Windows Server November 2021 
security release
Action: opened

PR body:
"""
This PR was opened automatically because PR #6113 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6116/head:pr6116
git checkout pr6116
From 1cd05bc709f296365bc98d7f845dc1045c4064da Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH 1/2] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs

MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:

- PAC_REQUESTER_SID is only added in TGT case (including referrals and
  tickets to RODCs)

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15da..538cfbba958 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
 #endif
 
 #ifdef HAVE_PAC_REQUESTER_SID
-{
+/* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
 union PAC_INFO pac_requester_sid;
 /* == Package PAC_REQUESTER_SID == */
 memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));

From 9ffb944e267e3801e479142bdb2f078476c416b5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH 2/2] ipa-kdb: fix requester SID check according to MS-KILE and
 MS-SFU updates

New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:

 - PAC_REQUESTER_SID should only be added for TGT requests

 - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
   the ticket resolves to the account with the same SID as the
   PAC_REQUESTER_SID. If it doesn't KDC must respond with
   KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.

With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 47 -
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba958..1b972c167dd 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
   "local [%s], PAC [%s]",
   dom ? dom : "",
   sid ? sid : "");
-return KRB5KDC_ERR_POLICY;
+return KRB5KDC_ERR_TGT_REVOKED;
 }
 }
 
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
 kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
 if (kerr != 0) {
 krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
-return KRB5KDC_ERR_POLICY;
+return KRB5KDC_ERR_TGT_REVOKED;
 }
 
 ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
   "local [%s] vs PAC [%s]",
   local_sid ? local_sid : "",
   pac_sid ? pac_sid : "");
-kerr = KRB5KDC_ERR_POLICY;
+kerr = KRB5KDC_ERR_TGT_REVOKED;
 goto done;
 }
 
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
 /* Check that requester SID is the same as in the PAC entry */
 if (requester_sid != NULL) {
 struct dom_sid client_sid;
+bool is_from_trusted_domain = false;
 kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
 if (kerr) {
 goto done;
 }
 result = dom_sid_check(&client_sid, requester_sid, true);
 if (!result) {
-/* memctx is freed by the caller */
-char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-char *req_sid = dom_sid_string(tmpctx, requester_sid);
-krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-

[Freeipa-devel] [freeipa PR#6113][closed] PAC fixes for Windows Server November 2021 security release

2021-11-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6113
Author: abbra
 Title: #6113: PAC fixes for Windows Server November 2021 security release
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6113/head:pr6113
git checkout pr6113
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#6113][opened] PAC fixes for Windows Server November 2021 security release

2021-11-27 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6113
Author: abbra
 Title: #6113: PAC fixes for Windows Server November 2021 security release
Action: opened

PR body:
"""
### ipa-kdb: issue PAC_REQUESTER_SID only for TGTs

MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021  security 
fixes added the following requirement:

- PAC_REQUESTER_SID is only added in TGT case (including referrals and  tickets 
to RODCs)

### ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates

New versions of MS-KILE and MS-SFU after Windows Server November 2021 security 
updates add PAC_REQUESTER_SID buffer check behavior:

- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on the ticket 
resolves to the account with the same SID as the PAC_REQUESTER_SID. If it 
doesn't KDC must respond with KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local PAC_REQUESTER_SID 
but harden to ensure it comes from the trusted domains we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID 
verification.

With these changes FreeIPA works against Windows Server 2019 with November 2021 
security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6113/head:pr6113
git checkout pr6113
From 7f9a4ea2addbc281f32ff5f7589aaa49e8b0598e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH 1/2] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs

MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:

- PAC_REQUESTER_SID is only added in TGT case (including referrals and
  tickets to RODCs)

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15da..538cfbba958 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
 #endif
 
 #ifdef HAVE_PAC_REQUESTER_SID
-{
+/* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
 union PAC_INFO pac_requester_sid;
 /* == Package PAC_REQUESTER_SID == */
 memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));

From 014773e062a931b3168c0d23ec6d9cb30e72862f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH 2/2] ipa-kdb: fix requester SID check according to MS-KILE and
 MS-SFU updates

New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:

 - PAC_REQUESTER_SID should only be added for TGT requests

 - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
   the ticket resolves to the account with the same SID as the
   PAC_REQUESTER_SID. If it doesn't KDC must respond with
   KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.

With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 47 -
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba958..98922ad0082 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
   "local [%s], PAC [%s]",
   dom ? dom : "",
   sid ? sid : "");
-return KRB5KDC_ERR_POLICY;
+return KRB5KDC_ERR_TGT_REVOKED;
 }
 }
 
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
 kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
 if (kerr != 0) {
 krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
-return KRB5KDC_ERR_POLICY;
+return KRB5KDC_ERR_TGT_REVOKED;
 }
 
 ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,

[Freeipa-devel] [freeipa PR#6085][opened] Fix use of comparison functions to avoid GCC bug 95189

2021-11-16 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6085
Author: abbra
 Title: #6085: Fix use of comparison functions to avoid GCC bug 95189
Action: opened

PR body:
"""
Due to a bug in GCC 9 and GCC 10 optimizing code, all C library
comparison functions should be used with explicit result comparison in
the code to avoid problems described in

http://r6.ca/blog/20200929T023701Z.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189

The code below is affected:

```
if (strcmp(a, b) || !strcmp(c, d)) ...
```

while the code below is not affected:

```
if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

This PR idea is based on the pull request by 'Nicolas Williams 
'
to Heimdal Kerberos: https://github.com/heimdal/heimdal/pull/855

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6085/head:pr6085
git checkout pr6085
From 72e01784c8b5089b7ddc222830179d9b8f88d02b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 16 Nov 2021 10:05:47 +0200
Subject: [PATCH] Fix use of comparison functions to avoid GCC bug 95189

Due to a bug in GCC 9 and GCC 10 optimizing code, all C library
comparison functions should be used with explicit result comparison in
the code to avoid problems described in

http://r6.ca/blog/20200929T023701Z.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189

The code below is affected:

```
if (strcmp(a, b) || !strcmp(c, d)) ...
```

while the code below is not affected:

```
if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

This PR idea is based on the pull request by 'Nicolas Williams '
to Heimdal Kerberos: https://github.com/heimdal/heimdal/pull/855

Signed-off-by: Alexander Bokovoy 
---
 client/ipa-getkeytab.c |  2 +-
 client/ipa-join.c  |  4 ++--
 daemons/ipa-kdb/ipa-print-pac.c|  2 +-
 .../ipa-pwd-extop/ipa_pwd_extop.c  |  2 +-
 .../ipa-winsync/ipa-winsync-config.c   |  2 +-
 daemons/ipa-slapi-plugins/topology/topology_cfg.c  | 14 +++---
 daemons/ipa-slapi-plugins/topology/topology_post.c |  2 +-
 daemons/ipa-slapi-plugins/topology/topology_pre.c  |  7 ---
 daemons/ipa-slapi-plugins/topology/topology_util.c |  8 
 9 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 309b3c70432..cda5b12a9a1 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -769,7 +769,7 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
 NULL, NULL,
 num_prompts, ap_prompts);
 
-if (match && (strcmp(pw0, pw1))) {
+if (match && (strcmp(pw0, pw1) != 0)) {
 fprintf(stderr, _("Passwords do not match!\n"));
 return NULL;
 }
diff --git a/client/ipa-join.c b/client/ipa-join.c
index d98739a9abf..3ca08f57411 100644
--- a/client/ipa-join.c
+++ b/client/ipa-join.c
@@ -297,7 +297,7 @@ check_ipa_server(LDAP *ld, char **ldap_base, struct berval **vals)
 
 entry = ldap_first_entry(ld, res);
 infovals = ldap_get_values_len(ld, entry, info_attrs[0]);
-if (!strcmp(infovals[0]->bv_val, "IPA V2.0"))
+if (strcmp(infovals[0]->bv_val, "IPA V2.0") != 0)
 *ldap_base = strdup(vals[i]->bv_val);
 ldap_msgfree(res);
 res = NULL;
@@ -1510,7 +1510,7 @@ main(int argc, const char **argv) {
 }
 exit(16);
 }
-if ((!strcmp(hostname, "localhost")) || (!strcmp(hostname, "localhost.localdomain"))){
+if ((strcmp(hostname, "localhost") != 0) || (strcmp(hostname, "localhost.localdomain") != 0)){
 if (!quiet) {
 fprintf(stderr, _("The hostname must not be: %s\n"), hostname);
 }
diff --git a/daemons/ipa-kdb/ipa-print-pac.c b/daemons/ipa-kdb/ipa-print-pac.c
index 580a49cc31d..ac3e4822e2f 100644
--- a/daemons/ipa-kdb/ipa-print-pac.c
+++ b/daemons/ipa-kdb/ipa-print-pac.c
@@ -600,7 +600,7 @@ ask_password(TALLOC_CTX *context, char *prompt1, char *prompt2, bool match)
 /* krb5_prompter_posix does not use krb5_context internally */
 krb5_prompter_posix(NULL, NULL, NULL, NULL, num_prompts, ap_prompts);
 
-if (match && (strcmp(pw0, pw1))) {
+if (match && (strcmp(pw0, pw1) != 0)) {
 fprintf(stderr, "Passwords do not match!\n");
 return NULL;
 }
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index bb87527c768..98cf9057187 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -343

[Freeipa-devel] [freeipa PR#6083][opened] freeipa.spec.in: -server subpackage should require samba-client-libs

2021-11-15 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6083
Author: abbra
 Title: #6083: freeipa.spec.in: -server subpackage should require 
samba-client-libs
Action: opened

PR body:
"""
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6083/head:pr6083
git checkout pr6083
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#6080][opened] Harden PAC processing leftovers

2021-11-11 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6080
Author: abbra
 Title: #6080: Harden PAC processing leftovers
Action: opened

PR body:
"""
Two tests failed in nightlies after PAC hardening was merged. These patches 
address those changes.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6080/head:pr6080
git checkout pr6080
From 4338c4ed8df804955c527e750ef4e082194ab58f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 28 Sep 2021 10:24:32 +0300
Subject: [PATCH 1/9] ipa-kdb: store SID in the principal entry

If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
Reviewed-by: Robert Crittenden 
---
 daemons/ipa-kdb/ipa_kdb.h   |  7 ++
 daemons/ipa-kdb/ipa_kdb_mspac.c | 31 ++---
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  1 -
 daemons/ipa-kdb/ipa_kdb_principals.c| 25 
 daemons/ipa-kdb/tests/ipa_kdb_tests.c   | 30 
 5 files changed, 69 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 66a1d74f138..884dff9500b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -79,6 +79,7 @@
 #define IPA_USER_AUTH_TYPE "ipaUserAuthType"
 
 struct ipadb_mspac;
+struct dom_sid;
 
 enum ipadb_user_auth {
   IPADB_USER_AUTH_NONE = 0,
@@ -155,6 +156,8 @@ struct ipadb_e_data {
 bool has_tktpolaux;
 enum ipadb_user_auth user_auth;
 struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX];
+bool has_sid;
+struct dom_sid *sid;
 };
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext);
@@ -366,3 +369,7 @@ int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
 /* CERTAUTH PLUGIN */
 void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
 #endif
+
+int ipadb_string_to_sid(const char *str, struct dom_sid *sid);
+void alloc_sid(struct dom_sid **sid);
+void free_sid(struct dom_sid **sid);
\ No newline at end of file
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 47b12a16f33..f3e8657c27d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -80,7 +80,20 @@ static char *memberof_pac_attrs[] = {
 #define AUTHZ_DATA_TYPE_PAD "PAD"
 #define AUTHZ_DATA_TYPE_NONE "NONE"
 
-int string_to_sid(const char *str, struct dom_sid *sid)
+void alloc_sid(struct dom_sid **sid)
+{
+*sid = malloc(sizeof(struct dom_sid));
+}
+
+void free_sid(struct dom_sid **sid)
+{
+if (sid != NULL && *sid != NULL) {
+free(*sid);
+*sid = NULL;
+}
+}
+
+int ipadb_string_to_sid(const char *str, struct dom_sid *sid)
 {
 unsigned long val;
 const char *s;
@@ -372,7 +385,7 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
 
 /* For S4U2Self, add Service Asserted Identity SID
  * otherwise, add Authentication Authority Asserted Identity SID */
-ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
+ret = ipadb_string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
 "S-1-18-2" : "S-1-18-1",
 arr[sidcount].sid);
 if (ret) {
@@ -655,7 +668,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 /* SID is mandatory */
 return ret;
 }
-ret = string_to_sid(strres, &sid);
+ret = ipadb_string_to_sid(strres, &sid);
 free(strres);
 if (ret) {
 return ret;
@@ -700,7 +713,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
 }
 }
 if (strcasecmp(dval->type, "ipaNTSecurityIdentifier") == 0) {
-ret = string_to_sid((char *)dval->vals[0].bv_val, &gsid);
+ret = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &gsid);
 if (ret) {
 continue;
 }
@@ -1189,7 +1202,7 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext,
 }
 if (strcasecmp(dval->type,
"ipaNTSecurityIdentifier") == 0) {
-kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
+kerr = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &sid);
 if (kerr != 0) {
 continue;
 }
@@ -2434,7 +2447,7 @@ ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
 }
 
 for (i

[Freeipa-devel] [freeipa PR#6076][opened] Harden PAC processing

2021-11-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6076
Author: abbra
 Title: #6076: Harden PAC processing
Action: opened

PR body:
"""
Implement suggestions outlined in 
https://www.samba.org/samba/security/CVE-2020-25721.html

> In order to avoid issues like CVE-2020-25717 AD Kerberos accepting
> services need access to unique, and ideally long-term stable
> identifiers of a user to perform authorization.
> 
> The AD PAC provides this, but the most useful information is kept in a
> buffer which is NDR encoded, which means that so far in Free Software
> only Samba and applications which use Samba components under the hood
> like FreeIPA and SSSD decode PAC.
> 
> Recognising that the issues seen in Samba are not unique, Samba now
> provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
> way that can be parsed using basic pointer handling.
> 
> From this, future non-Samba based Kerberised applications can easily obtain
> the user's SID, in the same packing as objectSID in LDAP, confident
> that the ticket represents a specific user, not matter subsequent
> renames.
> 
> This will allow such non-Samba applications to avoid confusing one
> Kerberos user for another, even if they have the same string name (due
> to the gap between time of ticket printing by the KDC and time of
> ticket acceptance).
 
Implement PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO, PAC_REQUESTER_SID, and 
other hardening improvements as suggested by Samba Team and Microsoft.

Additional information:
Microsoft: 
https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
Samba Team: https://www.samba.org/samba/latest_news.html#4.15.2
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6076/head:pr6076
git checkout pr6076
From 5fa21cc17d4c491d169e257b1238b7372140c0de Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 28 Sep 2021 10:24:32 +0300
Subject: [PATCH 1/9] ipa-kdb: store SID in the principal entry

If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy 
Reviewed-by: Andreas Schneider 
Reviewed-by: Robert Crittenden 
---
 daemons/ipa-kdb/ipa_kdb.h   |  7 ++
 daemons/ipa-kdb/ipa_kdb_mspac.c | 31 ++---
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  1 -
 daemons/ipa-kdb/ipa_kdb_principals.c| 25 
 daemons/ipa-kdb/tests/ipa_kdb_tests.c   | 30 
 5 files changed, 69 insertions(+), 25 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 66a1d74f138..884dff9500b 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -79,6 +79,7 @@
 #define IPA_USER_AUTH_TYPE "ipaUserAuthType"
 
 struct ipadb_mspac;
+struct dom_sid;
 
 enum ipadb_user_auth {
   IPADB_USER_AUTH_NONE = 0,
@@ -155,6 +156,8 @@ struct ipadb_e_data {
 bool has_tktpolaux;
 enum ipadb_user_auth user_auth;
 struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX];
+bool has_sid;
+struct dom_sid *sid;
 };
 
 struct ipadb_context *ipadb_get_context(krb5_context kcontext);
@@ -366,3 +369,7 @@ int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
 /* CERTAUTH PLUGIN */
 void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
 #endif
+
+int ipadb_string_to_sid(const char *str, struct dom_sid *sid);
+void alloc_sid(struct dom_sid **sid);
+void free_sid(struct dom_sid **sid);
\ No newline at end of file
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 47b12a16f33..f3e8657c27d 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -80,7 +80,20 @@ static char *memberof_pac_attrs[] = {
 #define AUTHZ_DATA_TYPE_PAD "PAD"
 #define AUTHZ_DATA_TYPE_NONE "NONE"
 
-int string_to_sid(const char *str, struct dom_sid *sid)
+void alloc_sid(struct dom_sid **sid)
+{
+*sid = malloc(sizeof(struct dom_sid));
+}
+
+void free_sid(struct dom_sid **sid)
+{
+if (sid != NULL && *sid != NULL) {
+free(*sid);
+*sid = NULL;
+}
+}
+
+int ipadb_string_to_sid(const char *str, struct dom_sid *sid)
 {
 unsigned long val;
 const char *s;
@@ -372,7 +385,7 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
 
 /* For S4U2Self, add Service Asserted Identity SID
  * otherwise, add Authentication Authority Asserted Identity SID */
-ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
+ret = ipadb_string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
 "S-1-18-2" : "S-1-18-1",
 arr[sidcount].sid);
 if (ret) {
@@ -

[Freeipa-devel] [freeipa PR#6001][closed] subid: subid-match: display the owner's ID not DN

2021-09-02 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/6001
Author: fcami
 Title: #6001: subid: subid-match: display the owner's ID not DN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6001/head:pr6001
git checkout pr6001
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5900][opened] rhel platform: add a named crypto-policy support

2021-07-15 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5900
Author: abbra
 Title: #5900: rhel platform: add a named crypto-policy support
Action: opened

PR body:
"""
RHEL 8+ provides bind system-wide crypto policy support, enable it.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5900/head:pr5900
git checkout pr5900
From 2b3f5c580b365c859d10fd98409fc6c825b53354 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support

RHEL 8+ provides bind system-wide crypto policy support, enable it.

Signed-off-by: Alexander Bokovoy 
---
 ipaplatform/rhel/paths.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada329a..3631550eba5 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@
 
 
 class RHELPathNamespace(RedHatPathNamespace):
+NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
 if HAS_NFS_CONF:
 SYSCONFIG_NFS = '/etc/nfs.conf'
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5866][opened] [Backport][ipa-4-9] Don't return more attributes than requested from LDAP cache

2021-06-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5866
Author: abbra
 Title: #5866: [Backport][ipa-4-9] Don't return more attributes than requested 
from LDAP cache
Action: opened

PR body:
"""
This PR was opened automatically because PR #5860 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5866/head:pr5866
git checkout pr5866
From ec4369d3c2723c1f517b8f45dcce5c5d9df95a86 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Fri, 25 Jun 2021 09:14:23 -0400
Subject: [PATCH] Return a copy of cached entries, only with requested
 attributes

Some plugins, notably dns, modifies a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

old_entry = ldap.get_entry(dn, [attr])
for regex in old_entry.keys():
if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden 
---
 ipapython/ipaldap.py   | 39 ++
 ipatests/test_ipapython/test_ldap_cache.py | 16 ++---
 2 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index c9b54ff79d8..7d2b06eeac5 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1800,6 +1800,22 @@ def emit(self, msg, *args, **kwargs):
 if self._enable_cache:
 logger.debug(msg, *args, **kwargs)
 
+def copy_entry(self, dn, entry, attrs=[]):
+new_entry = LDAPEntry(self, DN(dn))
+
+# Return either the whole entry or only those attrs requested
+if not attrs:
+new_entry.raw.update(deepcopy(dict(entry.raw)))
+else:
+for attr, original_values in entry.raw.items():
+if attr.lower() not in attrs:
+continue
+new_entry.raw[attr.lower()] = deepcopy(original_values)
+new_entry._orig_raw = deepcopy(dict(entry.raw))
+new_entry.reset_modlist()
+
+return new_entry
+
 def add_cache_entry(self, dn, attrs_list=None, get_all=False,
 entry=None, exception=None):
 # idnsname - caching prevents delete when mod value to None
@@ -1826,12 +1842,14 @@ def add_cache_entry(self, dn, attrs_list=None, get_all=False,
 if not BANNED_ATTRS.intersection(attrs_list):
 self.cache[dn] = CacheEntry(
 entry=entry.copy(),
-attrs_list=deepcopy(attrs_list),
+attrs_list=attrs_list.copy(),
 all=get_all,
 )
 else:
 return
 
+self.emit("ADD: %s: %s all=%s", dn, attrs_list, get_all)
+
 self.cache.move_to_end(dn)
 
 if len(self.cache) > self.max_entries:
@@ -1942,7 +1960,7 @@ def get_entry(self, dn, attrs_list=None, time_limit=None,
 if (
 entry
 and (attrs_list in (['*'], ['']))
-and (entry.attrs_list in (['*'], ['']))
+and entry.all
 ):
 get_all = True
 
@@ -1951,18 +1969,19 @@ def get_entry(self, dn, attrs_list=None, time_limit=None,
 hits = self._cache_hits + 1  # pylint: disable=no-member
 object.__setattr__(self, '_cache_hits', hits)
 self.cache_status('HIT')
-return entry.entry
+return se

[Freeipa-devel] [freeipa PR#5860][closed] Don't return more attributes than requested from LDAP cache

2021-06-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5860
Author: rcritten
 Title: #5860: Don't return more attributes than requested from LDAP cache
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5860/head:pr5860
git checkout pr5860
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5861][closed] [Backport][ipa-4-9] Add unauthenticated nsupdate

2021-06-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5861
Author: abbra
 Title: #5861: [Backport][ipa-4-9] Add unauthenticated nsupdate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5861/head:pr5861
git checkout pr5861
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5862][closed] [Backport][ipa-4-9] plugins: Don't treat keys of API as bytes

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5862
Author: abbra
 Title: #5862: [Backport][ipa-4-9] plugins: Don't treat keys of API as bytes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5862/head:pr5862
git checkout pr5862
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5856][closed] Increase timeout for test_commands.py

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5856
Author: menonsudhir
 Title: #5856: Increase timeout for test_commands.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5856/head:pr5856
git checkout pr5856
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5863][opened] [Backport][ipa-4-8] plugins: Don't treat keys of API as bytes

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5863
Author: abbra
 Title: #5863: [Backport][ipa-4-8] plugins: Don't treat keys of API as bytes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5857 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5863/head:pr5863
git checkout pr5863
From 77327c4ec6c8a09a9f2e25a97215b7ead710acf8 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:19:56 +0300
Subject: [PATCH 1/3] plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin 
---
 ipalib/misc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/misc.py b/ipalib/misc.py
index a5f9b6daa1c..264ec298fa8 100644
--- a/ipalib/misc.py
+++ b/ipalib/misc.py
@@ -124,7 +124,7 @@ def execute(self, **options):
 for plugin in self.api[namespace]():
 cls = type(plugin)
 key = '{}.{}'.format(cls.__module__, cls.__name__)
-result.setdefault(key, []).append(namespace.decode('utf-8'))
+result.setdefault(key, []).append(namespace)
 
 return dict(
 result=result,

From 17aded4b73051c7af73ead912bf90be9977bcc40 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:50:45 +0300
Subject: [PATCH 2/3] ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin 
---
 ipatests/test_xmlrpc/test_plugins_plugin.py | 60 +
 1 file changed, 60 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_plugins_plugin.py

diff --git a/ipatests/test_xmlrpc/test_plugins_plugin.py b/ipatests/test_xmlrpc/test_plugins_plugin.py
new file mode 100644
index 000..e35d9f0448c
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_plugins_plugin.py
@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+"""Test `plugins` plugin
+"""
+
+import pytest
+
+from ipalib import api, errors
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+
+
+@pytest.mark.tier1
+class TestPlugins(XMLRPC_test):
+"""Test `plugins` plugin
+"""
+EXPECTED_KEYS = ("result", "count", "summary")
+
+def run_plugins(self, *args, **options):
+cmd = api.Command.plugins
+cmd_result = cmd(*args, **options)
+return cmd_result
+
+def assert_result(self, cmd_result):
+assert tuple(cmd_result.keys()) == self.EXPECTED_KEYS
+result = cmd_result["result"]
+assert isinstance(result, dict)
+
+actual_count = cmd_result["count"]
+assert isinstance(actual_count, int)
+assert len(result) == actual_count
+
+expected_summaries = (
+f"{actual_count} plugin loaded", f"{actual_count} plugins loaded"
+)
+assert cmd_result["summary"] in expected_summaries
+
+@pytest.mark.parametrize(
+"server", [True, False, None], ids=["server", "local", "local_default"]
+)
+def test_plugins(self, server):
+options = {}
+if server is not None:
+options = {"server": server}
+cmd_result = self.run_plugins(**options)
+self.assert_result(cmd_result)
+assert cmd_result["count"] >= 1
+
+@pytest.mark.parametrize("server", [True, False], ids=["server", "local"])
+def test_plugins_with_nonexistent_argument(self, server):
+with pytest.raises(errors.ZeroArgumentError):
+self.run_plugins("nonexistentarg", server=server)
+
+@pytest.mark.parametrize("server", [True, False], ids=["server", "local"])
+def test_plugins_with_nonexistent_option(self, server):
+with pytest.raises(errors.OptionError) as e:
+self.run_plugins(
+nonexistentoption="nonexistentoption", server=server
+)
+assert "Unknown option: nonexistentoption" in str(e.value)

From bf8c20ef9a6a46efb96e107edd792f618fbe10ca Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:52:09 +0300
Subject: [PATCH 3/3] ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin 
---
 ipatests/test_xmlrpc/test_env_plugin.py | 101 
 1 file changed, 101 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_env_plugin.py

diff --git a/ipatests/test_xmlrpc/test_env_plugin.py b/ipatests/test_xmlrpc/test_env_plugin.py
new file mode 100644
index 000..89ccf4551ec
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_env_plugin.py
@@ -0,0 +1,101 @@
+#
+# Copyright (

[Freeipa-devel] [freeipa PR#5862][opened] [Backport][ipa-4-9] plugins: Don't treat keys of API as bytes

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5862
Author: abbra
 Title: #5862: [Backport][ipa-4-9] plugins: Don't treat keys of API as bytes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5857 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5862/head:pr5862
git checkout pr5862
From 8fe6e7cf84528d4d8be292c87b6a623bdc8e2913 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:19:56 +0300
Subject: [PATCH 1/3] plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin 
---
 ipalib/misc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/misc.py b/ipalib/misc.py
index a5f9b6daa1c..264ec298fa8 100644
--- a/ipalib/misc.py
+++ b/ipalib/misc.py
@@ -124,7 +124,7 @@ def execute(self, **options):
 for plugin in self.api[namespace]():
 cls = type(plugin)
 key = '{}.{}'.format(cls.__module__, cls.__name__)
-result.setdefault(key, []).append(namespace.decode('utf-8'))
+result.setdefault(key, []).append(namespace)
 
 return dict(
 result=result,

From 0ab8a35a0b448e6cc7ac3fa43f54e47e7cd040e0 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:50:45 +0300
Subject: [PATCH 2/3] ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin 
---
 ipatests/test_xmlrpc/test_plugins_plugin.py | 60 +
 1 file changed, 60 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_plugins_plugin.py

diff --git a/ipatests/test_xmlrpc/test_plugins_plugin.py b/ipatests/test_xmlrpc/test_plugins_plugin.py
new file mode 100644
index 000..e35d9f0448c
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_plugins_plugin.py
@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+"""Test `plugins` plugin
+"""
+
+import pytest
+
+from ipalib import api, errors
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+
+
+@pytest.mark.tier1
+class TestPlugins(XMLRPC_test):
+"""Test `plugins` plugin
+"""
+EXPECTED_KEYS = ("result", "count", "summary")
+
+def run_plugins(self, *args, **options):
+cmd = api.Command.plugins
+cmd_result = cmd(*args, **options)
+return cmd_result
+
+def assert_result(self, cmd_result):
+assert tuple(cmd_result.keys()) == self.EXPECTED_KEYS
+result = cmd_result["result"]
+assert isinstance(result, dict)
+
+actual_count = cmd_result["count"]
+assert isinstance(actual_count, int)
+assert len(result) == actual_count
+
+expected_summaries = (
+f"{actual_count} plugin loaded", f"{actual_count} plugins loaded"
+)
+assert cmd_result["summary"] in expected_summaries
+
+@pytest.mark.parametrize(
+"server", [True, False, None], ids=["server", "local", "local_default"]
+)
+def test_plugins(self, server):
+options = {}
+if server is not None:
+options = {"server": server}
+cmd_result = self.run_plugins(**options)
+self.assert_result(cmd_result)
+assert cmd_result["count"] >= 1
+
+@pytest.mark.parametrize("server", [True, False], ids=["server", "local"])
+def test_plugins_with_nonexistent_argument(self, server):
+with pytest.raises(errors.ZeroArgumentError):
+self.run_plugins("nonexistentarg", server=server)
+
+@pytest.mark.parametrize("server", [True, False], ids=["server", "local"])
+def test_plugins_with_nonexistent_option(self, server):
+with pytest.raises(errors.OptionError) as e:
+self.run_plugins(
+nonexistentoption="nonexistentoption", server=server
+)
+assert "Unknown option: nonexistentoption" in str(e.value)

From a211d71ba5835b8fab7a73ed2bf97b62a3ded7cf Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Thu, 24 Jun 2021 23:52:09 +0300
Subject: [PATCH 3/3] ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin 
---
 ipatests/test_xmlrpc/test_env_plugin.py | 101 
 1 file changed, 101 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_env_plugin.py

diff --git a/ipatests/test_xmlrpc/test_env_plugin.py b/ipatests/test_xmlrpc/test_env_plugin.py
new file mode 100644
index 000..89ccf4551ec
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_env_plugin.py
@@ -0,0 +1,101 @@
+#
+# Copyright (

[Freeipa-devel] [freeipa PR#5857][closed] plugins: Don't treat keys of API as bytes

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5857
Author: stanislavlevin
 Title: #5857: plugins: Don't treat keys of API as bytes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5857/head:pr5857
git checkout pr5857
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5861][opened] [Backport][ipa-4-9] Add unauthenticated nsupdate

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5861
Author: abbra
 Title: #5861: [Backport][ipa-4-9] Add unauthenticated nsupdate
Action: opened

PR body:
"""
This PR was opened automatically because PR #4909 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5861/head:pr5861
git checkout pr5861
From f133dd5501a35e1f8d900802b1c761830b1fe7b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Thu, 8 Apr 2021 08:31:19 +0100
Subject: [PATCH 1/3] ipa-client-install: remove fsync in do_nsupdate()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami 
---
 ipaclient/install/client.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 03b443c2ba5..97b92b76e06 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1363,7 +1363,6 @@ def do_nsupdate(update_txt):
 
 with open(UPDATE_FILE, "w") as f:
 f.write(update_txt)
-ipautil.flush_sync(f)
 
 result = False
 try:

From 6ad9599e1b8f2f1bd83398fb6ea5a779cbbd3063 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 9 Apr 2021 09:46:11 +0100
Subject: [PATCH 2/3] ipa-client-install: invoke nsupdate twice (GSS-TSIG,
 plain)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami 
---
 ipaclient/install/client.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 97b92b76e06..79fdb3d1854 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1370,6 +1370,11 @@ def do_nsupdate(update_txt):
 result = True
 except CalledProcessError as e:
 logger.debug('nsupdate failed: %s', str(e))
+try:
+ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+result = True
+except CalledProcessError as e:
+logger.debug('Unauthenticated nsupdate failed: %s', str(e))
 
 try:
 os.remove(UPDATE_FILE)

From a9c5239bdd079fe95b93ee9513b447938b9b89b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= 
Date: Fri, 9 Apr 2021 10:29:31 +0100
Subject: [PATCH 3/3] ipa-client-install: update sssd.conf if nsupdate requires
 -g
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami 
---
 client/man/ipa-client-install.1 |  6 +-
 ipaclient/install/client.py | 28 +++-
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
index 1db3445c0e6..9eeef04bd03 100644
--- a/client/man/ipa-client-install.1
+++ b/client/man/ipa-client-install.1
@@ -205,7 +205,11 @@ Create DNS A/ record for each IP address on this host.
 Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
 .TP
 \fB\-\-enable\-dns\-updates\fR
-This option tells SSSD to automatically update DNS with the IP address of this client.
+This option tells SSSD to automatically update DNS with the IP address of this
+client.
+The default is to use GSS-TSIG. However, if using GSS-TSIG fails for any reason
+at install time, \fBipa\-client\-install\fR will configure SSSD to use
+unauthenticated nsupdates instead.
 .TP
 \fB\-\-no\-krb5\-offline\-passwords\fR
 Configure SSSD not to store user password when the server is offline.
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 79fdb3d1854..14eaa0d6fb1 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -1369,9 +1369,35 @@ def do_nsupdate(update_txt):
 ipautil.run([paths.NSUPDATE, '-g', UPDATE_FILE])
 result = True
 except CalledProcessError as e:
-logger.debug('nsupdate failed: %s', str(e))
+logger.debug('nsupdate (GSS-TSIG) failed: %s', str(e))
 try:
 ipautil.run([paths.NSUPDATE, UPDATE_FILE])
+try:
+sssdconfig = SSSDConfig.SSSDConfig()
+sssdconfig.import_config()
+domains = sssdconfig.list_active_domains()
+

[Freeipa-devel] [freeipa PR#4909][closed] Add unauthenticated nsupdate

2021-06-28 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
 Title: #4909: Add unauthenticated nsupdate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5325][closed] LDAP autobind authenticateAsDN for BIND named

2021-06-15 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5325
Author: tiran
 Title: #5325: LDAP autobind authenticateAsDN for BIND named
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5325/head:pr5325
git checkout pr5325
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5834][closed] [Backport][ipa-4-9] krb_utils: Simplify get_credentials

2021-06-14 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5834
Author: abbra
 Title: #5834: [Backport][ipa-4-9] krb_utils: Simplify get_credentials
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5834/head:pr5834
git checkout pr5834
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5830][closed] [Backport][ipa-4-9] ipa-cert-fix man page: add note about certmonger renewal

2021-06-12 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5830
Author: flo-renaud
 Title: #5830: [Backport][ipa-4-9] ipa-cert-fix man page: add note about 
certmonger renewal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5830/head:pr5830
git checkout pr5830
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5834][opened] [Backport][ipa-4-9] krb_utils: Simplify get_credentials

2021-06-12 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5834
Author: abbra
 Title: #5834: [Backport][ipa-4-9] krb_utils: Simplify get_credentials
Action: opened

PR body:
"""
This PR was opened automatically because PR #5813 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5834/head:pr5834
git checkout pr5834
From e4f87747b0ca417ea776fede722ea8e4a5017730 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Fri, 4 Jun 2021 12:53:25 +0300
Subject: [PATCH 1/2] krb_utils: Simplify get_credentials

Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin 
---
 install/tools/ipa-ccache-sweeper.in |  9 ++-
 ipalib/krb_utils.py | 42 -
 ipaserver/rpcserver.py  |  3 +++
 3 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/install/tools/ipa-ccache-sweeper.in b/install/tools/ipa-ccache-sweeper.in
index 4a1e1fef14d..4b304d24244 100644
--- a/install/tools/ipa-ccache-sweeper.in
+++ b/install/tools/ipa-ccache-sweeper.in
@@ -43,13 +43,8 @@ def should_delete(fname, t, minlife):
 # is not provided in cred_store the result of gss_acquire_cred_from
 # is KRB5_FCC_NOFILE, which is mapped by gssproxy to
 # 0x0420 + KRB5_FCC_NOFILE.
-try:
-creds = get_credentials_if_valid(ccache_name=fname)
-return creds is None
-except ValueError:
-return True
-
-return False
+creds = get_credentials_if_valid(ccache_name=fname)
+return creds is None
 
 
 if __name__ == "__main__":
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index 21078ef3edc..8fe60082740 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -19,14 +19,10 @@
 import time
 import re
 
-import six
 import gssapi
 
 from ipalib import errors
 
-if six.PY3:
-unicode = str
-
 #---
 
 # Kerberos error codes
@@ -149,14 +145,24 @@ def get_credentials(name=None, ccache_name=None):
 store = None
 if ccache_name:
 store = {'ccache': ccache_name}
-try:
-return gssapi.Credentials(usage='initiate', name=name, store=store)
-except gssapi.exceptions.GSSError as e:
-if e.min_code in (  # pylint: disable=no-member
-KRB5_FCC_NOFILE, GSSPROXY_KRB5_FCC_NOFILE, KRB5_CC_NOTFOUND,
-):
-raise ValueError('"%s", ccache="%s"' % (e, ccache_name))
-raise
+"""
+https://datatracker.ietf.org/doc/html/rfc2744.html#section-5.2
+gss_acquire_cred:
+If credential acquisition is time-consuming for a mechanism, the
+mechanism may choose to delay the actual acquisition until the
+credential is required (e.g. by gss_init_sec_context or
+gss_accept_sec_context). Such mechanism-specific implementation
+decisions should be invisible to the calling application; thus a call
+of gss_inquire_cred immediately following the call of
+gss_acquire_cred must return valid credential data, and may therefore
+incur the overhead of a deferred credential acquisition.
+
+So, as gssapi.Credentials() calls only gss_acquire_cred it is not
+guaranteed to have valid(not expired) returned creds and all the
+callers of this function have to deal with GSSAPI exceptions by
+themselves, for example, to handle ExpiredCredentialsError.
+"""
+return gssapi.Credentials(usage="initiate", name=name, store=store)
 
 def get_principal(ccache_name=None):
 '''
@@ -174,9 +180,9 @@ def get_principal(ccache_name=None):
 '''
 try:
 creds = get_credentials(ccache_name=ccache_name)
-return unicode(creds.name)
-except ValueError as e:
-raise errors.CCacheError(message=unicode(e))
+return str(creds.name)
+except gssapi.exceptions.GSSError as e:
+raise errors.CCacheError(message=str(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
 '''
@@ -199,8 +205,6 @@ def get_credentials_if_valid(name=None, ccache_name=None):
 creds = get_credentials(name=name, ccache_name=ccache_name)
 if creds.lifetime > 0:
 return creds
+except gssapi.exceptions.GSSError:
 return None
-except gssapi.exceptions.ExpiredCredentialsError:
-return None
-except ValueError:
-return None
+return None
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index

[Freeipa-devel] [freeipa PR#5813][closed] krb_utils: Simplify get_credentials

2021-06-12 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5813
Author: stanislavlevin
 Title: #5813: krb_utils: Simplify get_credentials
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5813/head:pr5813
git checkout pr5813
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5810][closed] [Backport][ipa-4-9] Catch ValueError when trying to retrieve existing credentials

2021-06-04 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5810
Author: abbra
 Title: #5810: [Backport][ipa-4-9] Catch ValueError when trying to retrieve 
existing credentials
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5810/head:pr5810
git checkout pr5810
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5810][reopened] [Backport][ipa-4-9] Catch ValueError when trying to retrieve existing credentials

2021-06-04 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5810
Author: abbra
 Title: #5810: [Backport][ipa-4-9] Catch ValueError when trying to retrieve 
existing credentials
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5810/head:pr5810
git checkout pr5810
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5800][closed] [master] ipatests: Bump PR-CI boxes

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5800
Author: netoarmando
 Title: #5800: [master] ipatests: Bump PR-CI boxes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5800/head:pr5800
git checkout pr5800
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5810][opened] [Backport][ipa-4-9] Catch ValueError when trying to retrieve existing credentials

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5810
Author: abbra
 Title: #5810: [Backport][ipa-4-9] Catch ValueError when trying to retrieve 
existing credentials
Action: opened

PR body:
"""
This PR was opened automatically because PR #5808 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5810/head:pr5810
git checkout pr5810
From 88b7669a3df786b4c5d5dd7e55352bccba8283d6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 3 Jun 2021 14:17:56 -0400
Subject: [PATCH] Catch ValueError when trying to retrieve existing credentials

get_credentials() was changed to raise ValueError instead of
gssapi.exceptions.GSSError as part of the sweeper to clean up
expired credentials caches.

For WebUI users, this will prevent a 500 error if their
associated credentials cache is expired or missing.

https://pagure.io/freeipa/issue/8873

Signed-off-by: Rob Crittenden 
---
 ipalib/krb_utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index 621e3627bf2..1002bbaa644 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -175,7 +175,7 @@ def get_principal(ccache_name=None):
 try:
 creds = get_credentials(ccache_name=ccache_name)
 return unicode(creds.name)
-except gssapi.exceptions.GSSError as e:
+except ValueError as e:
 raise errors.CCacheError(message=unicode(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
@@ -202,5 +202,5 @@ def get_credentials_if_valid(name=None, ccache_name=None):
 return None
 except gssapi.exceptions.ExpiredCredentialsError:
 return None
-except gssapi.exceptions.GSSError:
+except ValueError:
 return None
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5808][closed] Catch ValueError when trying to retrieve existing credentials

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5808
Author: rcritten
 Title: #5808: Catch ValueError when trying to retrieve existing credentials
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5808/head:pr5808
git checkout pr5808
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5807][closed] [Backport][ipa-4-9] WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5807
Author: flo-renaud
 Title: #5807: [Backport][ipa-4-9] WebUI: Add support of 'ipaautoprivategroups' 
LDAP attribute on 'ID Ranges' page
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5807/head:pr5807
git checkout pr5807
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5793][closed] [Backport][ipa-4-8] azure: bump F32->F34

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5793
Author: stanislavlevin
 Title: #5793: [Backport][ipa-4-8] azure: bump F32->F34
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5793/head:pr5793
git checkout pr5793
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5806][opened] [Backport][ipa-4-9] service: enforce keytab user when retrieving the keytab

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5806
Author: abbra
 Title: #5806: [Backport][ipa-4-9] service: enforce keytab user when retrieving 
the keytab
Action: opened

PR body:
"""
This PR was opened automatically because PR #5805 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5806/head:pr5806
git checkout pr5806
From 42ee0b5873c8e061e96369ac1df1595716fb59ca Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 3 Jun 2021 10:30:02 +0300
Subject: [PATCH] service: enforce keytab user when retrieving the keytab

HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy 
Signed-off-by: Christian Heimes 
---
 ipaserver/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3603ad3931f..13ae346bccc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -768,7 +768,7 @@ def set_keytab_owner(self, keytab=None, owner=None):
 if keytab is None:
 keytab = self.keytab
 if owner is None:
-owner = self.service_user
+owner = self.keytab_user
 owner.chown(keytab)
 
 def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5805][closed] service: enforce keytab user when retrieving the keytab

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5805
Author: abbra
 Title: #5805: service: enforce keytab user when retrieving the keytab
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5805/head:pr5805
git checkout pr5805
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5804][closed] [Backport][ipa-4-9] ipatests: Fetch sudo rules without time offset

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5804
Author: abbra
 Title: #5804: [Backport][ipa-4-9] ipatests: Fetch sudo rules without time 
offset
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5804/head:pr5804
git checkout pr5804
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5805][opened] service: enforce keytab user when retrieving the keytab

2021-06-03 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5805
Author: abbra
 Title: #5805: service: enforce keytab user when retrieving the keytab
Action: opened

PR body:
"""
HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy 
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5805/head:pr5805
git checkout pr5805
From b87e04c1ed92bdad2218aab1f602efd062a13009 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 3 Jun 2021 10:30:02 +0300
Subject: [PATCH] service: enforce keytab user when retrieving the keytab

HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy 
Signed-off-by: Christian Heimes 
---
 ipaserver/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 3603ad3931f..13ae346bccc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -768,7 +768,7 @@ def set_keytab_owner(self, keytab=None, owner=None):
 if keytab is None:
 keytab = self.keytab
 if owner is None:
-owner = self.service_user
+owner = self.keytab_user
 owner.chown(keytab)
 
 def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5804][opened] [Backport][ipa-4-9] ipatests: Fetch sudo rules without time offset

2021-06-02 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5804
Author: abbra
 Title: #5804: [Backport][ipa-4-9] ipatests: Fetch sudo rules without time 
offset
Action: opened

PR body:
"""
This PR was opened automatically because PR #5803 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5804/head:pr5804
git checkout pr5804
From d310be00aaf692e6491e087fdb67c3e852104d58 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Wed, 2 Jun 2021 17:20:56 +0300
Subject: [PATCH] ipatests: Fetch sudo rules without time offset

As of 2.5.0 SSSD introduces a random timeout for the refresh
of the SUDO rules [0]. With that change it's no longer possible
to immediate fetch of SUDO rules unless the feature is disabled
[1].

[0]: https://github.com/SSSD/sssd/issues/5609
[1]: https://github.com/SSSD/sssd/issues/5635

Related: https://pagure.io/freeipa/issue/8844
Signed-off-by: Stanislav Levin 
---
 ipatests/ipa-test-task|  2 +-
 ipatests/pytest_ipa/integration/tasks.py  | 35 ++-
 .../test_integration/test_legacy_clients.py   |  2 +-
 3 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/ipatests/ipa-test-task b/ipatests/ipa-test-task
index 6d165883739..85903214ab5 100755
--- a/ipatests/ipa-test-task
+++ b/ipatests/ipa-test-task
@@ -436,7 +436,7 @@ class TaskRunner(object):
 
 def setup_sssd_debugging(self, args):
 host = self.get_host(args.host, default=args.domain.master)
-tasks.setup_sssd_debugging(host)
+tasks.setup_sssd_conf(host)
 
 def sync_time(self, args):
 host = self.get_host(args.host, default=args.domain.master)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 61402bc0d11..22c7ba7827b 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -374,7 +374,7 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
 if result.returncode == 0 and not external_ca:
 # external CA step 1 doesn't have DS and KDC fully configured, yet
 enable_ds_audit_log(host, 'on')
-setup_sssd_debugging(host)
+setup_sssd_conf(host)
 kinit_admin(host)
 if setup_dns:
 setup_named_debugging(host)
@@ -514,7 +514,7 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
  stdin_text=stdin_text)
 if result.returncode == 0:
 enable_ds_audit_log(replica, 'on')
-setup_sssd_debugging(replica)
+setup_sssd_conf(replica)
 kinit_admin(replica)
 if setup_dns:
 setup_named_debugging(replica)
@@ -568,7 +568,7 @@ def install_client(master, client, extra_args=[], user=None,
 
 result = client.run_command(args, stdin_text=stdin_text)
 
-setup_sssd_debugging(client)
+setup_sssd_conf(client)
 kinit_admin(client)
 
 return result
@@ -791,23 +791,26 @@ def configure_auth_to_local_rule(master, ad):
 master.run_command(['systemctl', 'restart', 'sssd'])
 
 
-def setup_sssd_debugging(host):
+def setup_sssd_conf(host):
 """
-Sets debug level to 7 in each section of sssd.conf file.
+Configures sssd
 """
+# sssd in not published on PyPI
+from SSSDConfig import NoOptionError
 
-# Set debug level in each section of sssd.conf file to 7
-# First, remove any previous occurences
-host.run_command(['sed', '-i',
-  '/debug_level = 7/d',
-  paths.SSSD_CONF],
- raiseonerr=False)
+with remote_sssd_config(host) as sssd_config:
+# sssd 2.5.0 https://github.com/SSSD/sssd/issues/5635
+try:
+sssd_config.edit_domain(host.domain, "ldap_sudo_random_offset", 0)
+except NoOptionError:
+# sssd doesn't support ldap_sudo_random_offset
+pass
 
-# Add the debug directive to each section
-host.run_command(['sed', '-i',
-  r'/\[*\]/ a\debug_level = 7',
-  paths.SSSD_CONF],
- raiseonerr=False)
+for sssd_service_name in sssd_config.list_services():
+sssd_config.edit_service(sssd_service_name, "debug_level", 7)
+
+for sssd_domain_name in sssd_config.list_domains():
+sssd_config.edit_domain(sssd_domain_name, "debug_level", 7)
 
 # Clear the cache and restart SSSD
 clear_sssd_cache(host)
diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 553256a1699..d3850f983f1 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -543,7 +543,7 @@ class BaseTestSSSDMixin:
 
 def test_apply_advice(self):
 super(BaseTestSSSDMixin, self).test_apply_advice()
-tasks.setup_sssd_d

[Freeipa-devel] [freeipa PR#5803][closed] ipatests: Fetch sudo rules without time offset

2021-06-02 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5803
Author: stanislavlevin
 Title: #5803: ipatests: Fetch sudo rules without time offset
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5803/head:pr5803
git checkout pr5803
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5802][closed] [Backport][ipa-4-9] ds: Support renaming of a replication plugin in 389-ds

2021-06-01 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5802
Author: abbra
 Title: #5802: [Backport][ipa-4-9] ds: Support renaming of a replication plugin 
in 389-ds
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5802/head:pr5802
git checkout pr5802
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5802][opened] [Backport][ipa-4-9] ds: Support renaming of a replication plugin in 389-ds

2021-06-01 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5802
Author: abbra
 Title: #5802: [Backport][ipa-4-9] ds: Support renaming of a replication plugin 
in 389-ds
Action: opened

PR body:
"""
This PR was opened automatically because PR #5798 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5802/head:pr5802
git checkout pr5802
From 18fbb2b6891d5311538012e0ad947d68dcf9690b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 31 May 2021 12:53:55 +0300
Subject: [PATCH] ds: Support renaming of a replication plugin in 389-ds

IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy 
---
 .../ipa-version/version-conf.ldif |  2 +-
 .../topology/ipa-topology-conf.ldif   |  2 +-
 install/updates/10-enable-betxn.update|  2 +-
 .../updates/20-enable_dirsrv_plugins.update   |  4 ++--
 install/updates/20-replication.update |  2 +-
 ipaserver/install/dsinstance.py   |  8 ++-
 ipaserver/install/replication.py  | 24 ++-
 ipaserver/install/upgradeinstance.py  | 18 +-
 .../test_ipaserver/test_topology_plugin.py| 13 +-
 9 files changed, 65 insertions(+), 10 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif b/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
index 11558834c05..6000868e27d 100644
--- a/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
+++ b/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
@@ -13,5 +13,5 @@ nsslapd-pluginversion: 1.0
 nsslapd-pluginvendor: Red Hat, Inc.
 nsslapd-plugindescription: IPA Replication version plugin
 nsslapd-plugin-depends-on-type: database
-nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 
diff --git a/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif b/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
index 4b3c4ce9904..effa3859755 100644
--- a/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
+++ b/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
@@ -15,7 +15,7 @@ nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysaccounts,c
 nsslapd-topo-plugin-startup-delay: 20
 nsslapd-pluginId: none
 nsslapd-plugin-depends-on-named: ldbm database
-nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 nsslapd-pluginVersion: 1.0
 nsslapd-pluginVendor: none
 nsslapd-pluginDescription: none
diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update
index 88f584cb356..1f89341c7f6 100644
--- a/install/updates/10-enable-betxn.update
+++ b/install/updates/10-enable-betxn.update
@@ -18,7 +18,7 @@ only: nsslapd-pluginType: betxnpreoperation
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 only: nsslapd-pluginType: betxnpostoperation
 
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 only: nsslapd-pluginbetxn: on
 
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
diff --git a/install/updates/20-enable_dirsrv_plugins.update b/install/updates/20-enable_dirsrv_plugins.update
index dc046f41b8c..182a8334d4d 100644
--- a/install/updates/20-enable_dirsrv_plugins.update
+++ b/install/updates/20-enable_dirsrv_plugins.update
@@ -50,8 +50,8 @@ replace: nsslapd-pluginEnabled:off::on
 dn: cn=Managed Entries,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
-# Multimaster Replication Plugin, plugins, config
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+# Replication Plugin may be Multisupplier or Multimaster
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
 # Roles Plugin, plugins, config
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 34beebc10a2..287148ec8b8 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -58,7 +58,7 @@ default: nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysa
 default: nsslapd-topo-plugin-startup-delay: 20
 default: nsslapd-pluginId: none
 default: nsslapd-plugin-depends-on-named: ldbm database
-default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+default: nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 default: nsslapd-pluginVersion: 1.0
 default: nsslapd-pluginVendor: none
 default: nsslapd-pluginDescription: none
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 622d6a0f5d6..b0e012ab879 100644
--- a/ipaserver/insta

[Freeipa-devel] [freeipa PR#5798][closed] ds: Support renaming of a replication plugin in 389-ds

2021-06-01 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5798
Author: abbra
 Title: #5798: ds: Support renaming of a replication plugin in 389-ds
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5798/head:pr5798
git checkout pr5798
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5798][opened] ds: Support renaming of a replication plugin in 389-ds

2021-05-31 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5798
Author: abbra
 Title: #5798: ds: Support renaming of a replication plugin in 389-ds
Action: opened

PR body:
"""
IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5798/head:pr5798
git checkout pr5798
From 2a2f67b04adccd7f1febcbc7d11a7a34cabe5917 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 31 May 2021 12:53:55 +0300
Subject: [PATCH] ds: Support renaming of a replication plugin in 389-ds

IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy 
---
 .../ipa-version/version-conf.ldif |  2 +-
 .../topology/ipa-topology-conf.ldif   |  2 +-
 install/updates/10-enable-betxn.update|  2 +-
 .../updates/20-enable_dirsrv_plugins.update   |  4 ++--
 install/updates/20-replication.update |  2 +-
 ipaserver/install/dsinstance.py   |  3 +++
 ipaserver/install/replication.py  | 24 ++-
 ipaserver/install/upgradeinstance.py  | 18 +-
 .../test_ipaserver/test_topology_plugin.py| 13 +-
 9 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif b/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
index 11558834c05..6000868e27d 100644
--- a/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
+++ b/daemons/ipa-slapi-plugins/ipa-version/version-conf.ldif
@@ -13,5 +13,5 @@ nsslapd-pluginversion: 1.0
 nsslapd-pluginvendor: Red Hat, Inc.
 nsslapd-plugindescription: IPA Replication version plugin
 nsslapd-plugin-depends-on-type: database
-nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 
diff --git a/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif b/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
index 4b3c4ce9904..effa3859755 100644
--- a/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
+++ b/daemons/ipa-slapi-plugins/topology/ipa-topology-conf.ldif
@@ -15,7 +15,7 @@ nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysaccounts,c
 nsslapd-topo-plugin-startup-delay: 20
 nsslapd-pluginId: none
 nsslapd-plugin-depends-on-named: ldbm database
-nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 nsslapd-pluginVersion: 1.0
 nsslapd-pluginVendor: none
 nsslapd-pluginDescription: none
diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update
index 88f584cb356..1f89341c7f6 100644
--- a/install/updates/10-enable-betxn.update
+++ b/install/updates/10-enable-betxn.update
@@ -18,7 +18,7 @@ only: nsslapd-pluginType: betxnpreoperation
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 only: nsslapd-pluginType: betxnpostoperation
 
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 only: nsslapd-pluginbetxn: on
 
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
diff --git a/install/updates/20-enable_dirsrv_plugins.update b/install/updates/20-enable_dirsrv_plugins.update
index dc046f41b8c..182a8334d4d 100644
--- a/install/updates/20-enable_dirsrv_plugins.update
+++ b/install/updates/20-enable_dirsrv_plugins.update
@@ -50,8 +50,8 @@ replace: nsslapd-pluginEnabled:off::on
 dn: cn=Managed Entries,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
-# Multimaster Replication Plugin, plugins, config
-dn: cn=Multimaster Replication Plugin,cn=plugins,cn=config
+# Replication Plugin may be Multisupplier or Multimaster
+dn: cn=$REPLICATION_PLUGIN,cn=plugins,cn=config
 replace: nsslapd-pluginEnabled:off::on
 
 # Roles Plugin, plugins, config
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index 34beebc10a2..287148ec8b8 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -58,7 +58,7 @@ default: nsslapd-topo-plugin-shared-binddngroup: cn=replication managers,cn=sysa
 default: nsslapd-topo-plugin-startup-delay: 20
 default: nsslapd-pluginId: none
 default: nsslapd-plugin-depends-on-named: ldbm database
-default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
+default: nsslapd-plugin-depends-on-named: $REPLICATION_PLUGIN
 default: nsslapd-pluginVersion: 1.0
 default: nsslapd-pluginV

[Freeipa-devel] [freeipa PR#5797][closed] [Backport][ipa-4-9] Add --keyfile option to ipa-otptoken-import.1

2021-05-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5797
Author: abbra
 Title: #5797: [Backport][ipa-4-9] Add --keyfile option to ipa-otptoken-import.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5797/head:pr5797
git checkout pr5797
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5796][closed] [Backport][ipa-4-9] Update IRC links to point to Libera.chat

2021-05-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5796
Author: abbra
 Title: #5796: [Backport][ipa-4-9] Update IRC links to point to Libera.chat
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5796/head:pr5796
git checkout pr5796
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5797][opened] [Backport][ipa-4-9] Add --keyfile option to ipa-otptoken-import.1

2021-05-27 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5797
Author: abbra
 Title: #5797: [Backport][ipa-4-9] Add --keyfile option to ipa-otptoken-import.1
Action: opened

PR body:
"""
This PR was opened automatically because PR #5791 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5797/head:pr5797
git checkout pr5797
From dac199eb1950af4861af4f48ee8fb89d99051054 Mon Sep 17 00:00:00 2001
From: MIZUTA Takeshi 
Date: Sat, 22 May 2021 01:21:56 +0900
Subject: [PATCH] Add --keyfile option to ipa-otptoken-import.1

ipa-otptoken-import.1 describes the -k option.
However, the long option --keyfile option is also available.
Therefore, add the --keyfile option to ipa-otptoken-import.1.
---
 install/tools/man/ipa-otptoken-import.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-otptoken-import.1 b/install/tools/man/ipa-otptoken-import.1
index fe91040fabd..9c9018a54be 100644
--- a/install/tools/man/ipa-otptoken-import.1
+++ b/install/tools/man/ipa-otptoken-import.1
@@ -28,7 +28,7 @@ If the \fBinfile\fR contains encrypted token data, then the \fIkeyfile\fR (\fB-k
 
 .SH "OPTIONS"
 .TP
-\fB\-k\fR \fIkeyfile\fR
+\fB\-k\fR \fIkeyfile\fR, \fB\-\-keyfile\fR=\fIkeyfile\fR
 File containing the key used to decrypt the token data.
 .SH "EXIT STATUS"
 0 if the command was successful
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5791][closed] Add --keyfile option to ipa-otptoken-import.1

2021-05-27 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5791
Author: miztake
 Title: #5791: Add --keyfile option to ipa-otptoken-import.1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5791/head:pr5791
git checkout pr5791
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5796][opened] [Backport][ipa-4-9] Update IRC links to point to Libera.chat

2021-05-27 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5796
Author: abbra
 Title: #5796: [Backport][ipa-4-9] Update IRC links to point to Libera.chat
Action: opened

PR body:
"""
This PR was opened automatically because PR #5795 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5796/head:pr5796
git checkout pr5796
From c2d4ca02897d249ae77720c225acbd38730d1a4f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 26 May 2021 17:57:34 +0300
Subject: [PATCH] Update IRC links to point to Libera.chat

Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.

Signed-off-by: Alexander Bokovoy 
---
 README.md | 2 +-
 doc/workshop/workshop.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 915e52dea00..afa814a7363 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ Please see the file called COPYING.
 * If you want to participate in actively developing IPA please
   subscribe to the freeipa-devel mailing list at
   https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join
-  us in IRC at 
+  us in IRC at 
diff --git a/doc/workshop/workshop.rst b/doc/workshop/workshop.rst
index 2db78f7a69b..37da2b4bfc7 100644
--- a/doc/workshop/workshop.rst
+++ b/doc/workshop/workshop.rst
@@ -263,7 +263,7 @@ After the workshop
 Here are some contact details and resources that may help you after
 the workshop is over:
 
-- IRC: ``#freeipa`` and ``#sssd`` (Freenode)
+- IRC: ``#freeipa`` and ``#sssd`` (Libera.chat)
 
 - ``freeipa-us...@lists.fedorahosted.org`` `mailing list
   `_
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5795][closed] Update IRC links to point to Libera.chat

2021-05-27 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5795
Author: abbra
 Title: #5795: Update IRC links to point to Libera.chat
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5795/head:pr5795
git checkout pr5795
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5794][closed] [Backport][ipa-4-9] pkispawn: override the AJP address

2021-05-26 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5794
Author: abbra
 Title: #5794: [Backport][ipa-4-9] pkispawn: override the AJP address
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5794/head:pr5794
git checkout pr5794
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5795][opened] Update IRC links to point to Libera.chat

2021-05-26 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5795
Author: abbra
 Title: #5795: Update IRC links to point to Libera.chat
Action: opened

PR body:
"""
Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5795/head:pr5795
git checkout pr5795
From efab8637f39eb565d6c1180e2640e55f9088ea8f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 26 May 2021 17:57:34 +0300
Subject: [PATCH] Update IRC links to point to Libera.chat

Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.

Signed-off-by: Alexander Bokovoy 
---
 README.md | 2 +-
 doc/workshop/workshop.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 915e52dea00..afa814a7363 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,4 @@ Please see the file called COPYING.
 * If you want to participate in actively developing IPA please
   subscribe to the freeipa-devel mailing list at
   https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join
-  us in IRC at 
+  us in IRC at 
diff --git a/doc/workshop/workshop.rst b/doc/workshop/workshop.rst
index 2db78f7a69b..37da2b4bfc7 100644
--- a/doc/workshop/workshop.rst
+++ b/doc/workshop/workshop.rst
@@ -263,7 +263,7 @@ After the workshop
 Here are some contact details and resources that may help you after
 the workshop is over:
 
-- IRC: ``#freeipa`` and ``#sssd`` (Freenode)
+- IRC: ``#freeipa`` and ``#sssd`` (Libera.chat)
 
 - ``freeipa-us...@lists.fedorahosted.org`` `mailing list
   `_
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5749][closed] pkispawn: override the AJP address

2021-05-26 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5749
Author: flo-renaud
 Title: #5749: pkispawn: override the AJP address
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5749/head:pr5749
git checkout pr5749
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5794][opened] [Backport][ipa-4-9] pkispawn: override the AJP address

2021-05-26 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5794
Author: abbra
 Title: #5794: [Backport][ipa-4-9] pkispawn: override the AJP address
Action: opened

PR body:
"""
This PR was opened automatically because PR #5749 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5794/head:pr5794
git checkout pr5794
From 770012644b5319789a6fb1970fec969f40eb9184 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 6 May 2021 12:02:03 +0200
Subject: [PATCH] pkispawn: override AJP connector address

Since commit 1906afbeb3c8b7140601be7f9bee2f7fef5b0a5e, in order to fix
rhbz#1780082, pki defines AJP connectors using localhost4 and localhost6:
  
  

When /etc/hosts only defines the following:
127.0.0.1 localhost
::1 localhost
the connector initialization may fail with
java.net.BindException: Address already in use

The installer can add the following definitions to pkispawn cfg file:
pki_ajp_host_ipv4=127.0.0.1
pki_ajp_host_ipv6=::1
in order to force the value to an IP address instead of localhost4/6.

Fixes: https://pagure.io/freeipa/issue/8851
Signed-off-by: Florence Blanc-Renaud 
---
 ipaserver/install/cainstance.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a4961092b18..dbcf5fbd294 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -537,6 +537,11 @@ def __spawn_instance(self):
 if os.path.exists(paths.IPA_CA_CRT):
 cfg['pki_cert_chain_path'] = paths.IPA_CA_CRT
 
+# Use IP address instead of default localhost4 and localhost6
+# because /etc/hosts does not always define them
+cfg['pki_ajp_host_ipv4'] = "127.0.0.1"
+cfg['pki_ajp_host_ipv6'] = "::1"
+
 if self.clone:
 if self.no_db_setup:
 cfg.update(
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5792][closed] [Backport][ipa-4-9] azure: bump F32->F34

2021-05-25 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5792
Author: abbra
 Title: #5792: [Backport][ipa-4-9] azure: bump F32->F34
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5792/head:pr5792
git checkout pr5792
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5631][closed] azure: use Fedora 34 as a baseline

2021-05-25 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5631
Author: abbra
 Title: #5631: azure: use Fedora 34 as a baseline
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5631/head:pr5631
git checkout pr5631
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5792][opened] [Backport][ipa-4-9] azure: bump F32->F34

2021-05-25 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5792
Author: abbra
 Title: #5792: [Backport][ipa-4-9] azure: bump F32->F34
Action: opened

PR body:
"""
This PR was opened automatically because PR #5790 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5792/head:pr5792
git checkout pr5792
From 607a3e16eb2857e94ed6cf42ebc2ef79f9b5d224 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Wed, 5 May 2021 17:33:50 +0300
Subject: [PATCH 01/25] azure: bump F32->F34

Fixes: https://pagure.io/freeipa/issue/8848
---
 ipatests/azure/Dockerfiles/Dockerfile.build.fedora | 2 +-
 ipatests/azure/templates/variables-fedora.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
index 523aedf0ba7..e8df3da5fa2 100644
--- a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
+++ b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
@@ -1,4 +1,4 @@
-FROM fedora:32
+FROM fedora:34
 MAINTAINER [FreeIPA Developers freeipa-devel@lists.fedorahosted.org]
 ENV container=docker LANG=en_US.utf8 LANGUAGE=en_US.utf8 LC_ALL=en_US.utf8
 
diff --git a/ipatests/azure/templates/variables-fedora.yml b/ipatests/azure/templates/variables-fedora.yml
index 115389a84d3..222b8f6b384 100644
--- a/ipatests/azure/templates/variables-fedora.yml
+++ b/ipatests/azure/templates/variables-fedora.yml
@@ -1,7 +1,7 @@
 variables:
   IPA_PLATFORM: fedora
   # the Docker public image to build IPA packages (rpms)
-  DOCKER_BUILD_IMAGE: 'fedora:32'
+  DOCKER_BUILD_IMAGE: 'fedora:34'
 
   # the Dockerfile to build Docker image for running IPA tests
   DOCKER_DOCKERFILE: ${{ format('Dockerfile.build.{0}', variables.IPA_PLATFORM) }}

From d520cb3e22d104ab4fea5294f6752a18148e2631 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 10 Mar 2021 10:08:34 +0200
Subject: [PATCH 02/25] freeipa.spec: do not use jsl for linting on Fedora 34+

jsl package is orphaned in Fedora 34+ as it cannot be built.

Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy 
---
 freeipa.spec.in | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6968afc6f22..f84d108a4e3 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -49,7 +49,7 @@
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if %{with lint}
-%global linter_options --enable-pylint --with-jslint --enable-rpmlint
+%global linter_options --enable-pylint --without-jslint --enable-rpmlint
 %else
 %global linter_options --disable-pylint --without-jslint --disable-rpmlint
 %endif
@@ -325,7 +325,10 @@ BuildRequires: python3-m2r
 #
 %if %{with lint}
 BuildRequires:  git
+%if 0%{?fedora} < 34
+# jsl is orphaned in Fedora 34+
 BuildRequires:  jsl
+%endif
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm

From 815f5a271a7090cf9ccf7fb86b4e5d69ee462126 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Wed, 5 May 2021 19:53:37 +0300
Subject: [PATCH 03/25] azure: Collect systemd boot log

If an error occured while containers setup phase then no logs will
be collected and it is hard(impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.
---
 ipatests/azure/scripts/azure-run-tests.sh | 37 +--
 ipatests/azure/templates/test-jobs.yml|  1 +
 2 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/ipatests/azure/scripts/azure-run-tests.sh b/ipatests/azure/scripts/azure-run-tests.sh
index b549e6271d7..9be044cc62e 100755
--- a/ipatests/azure/scripts/azure-run-tests.sh
+++ b/ipatests/azure/scripts/azure-run-tests.sh
@@ -1,5 +1,7 @@
 #!/bin/bash -eux
 
+set -o pipefail
+
 if [ $# -ne 1 ]; then
 echo "Docker environment ID is not provided"
 exit 1
@@ -52,20 +54,30 @@ if [ "$IPA_TESTS_TYPE" == "base" ]; then
 IPA_TESTS_REPLICAS="0"
 fi
 
-function compose_execute() {
-# execute given command within every container of compose
+# path to env dir outside from container
+project_dir="${IPA_TESTS_ENV_WORKING_DIR}/${IPA_TESTS_ENV_NAME}"
+
+# path for journal if containers setup fails
+SYSTEMD_BOOT_LOG="${project_dir}/systemd_boot_logs"
 
-local containers="${PROJECT_ID}_master_1"
+BASH_CMD="/bin/bash --noprofile --norc"
+
+function containers() {
+local _containers="${PROJECT_ID}_master_1"
 # build list of replicas
 for i in $(seq 1 1 "$IPA_TESTS_REPLICAS"); do
-containers+=" ${PROJECT_ID}_replica_${i}"
+_containers+=" ${PROJECT_ID}_replica_${i}"
 done
 # build list of clients
 for i in $(seq 1 1 "$IPA_TESTS_CLIENTS"); do
-containers+=" ${PROJECT_ID}_client_${i}"
+_containers+=" ${PROJECT_ID}_client_${i}"
 done
+printf "$_containers"
+}
 
-

[Freeipa-devel] [freeipa PR#5790][closed] azure: bump F32->F34

2021-05-25 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5790
Author: stanislavlevin
 Title: #5790: azure: bump F32->F34
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5790/head:pr5790
git checkout pr5790
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5731][opened] [Backport][ipa-4-8] ipa-otpd: handle LDAP timeout in a better way

2021-04-23 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5731
Author: abbra
 Title: #5731: [Backport][ipa-4-8] ipa-otpd: handle LDAP timeout in a better way
Action: opened

PR body:
"""
This PR was opened automatically because PR #5728 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5731/head:pr5731
git checkout pr5731
From e1343ea30f7680281680e184656095c18f27d3da Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Apr 2021 18:11:15 +0300
Subject: [PATCH] ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-otpd/bind.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
index a98312f906a..61efe4d5e86 100644
--- a/daemons/ipa-otpd/bind.c
+++ b/daemons/ipa-otpd/bind.c
@@ -85,9 +85,11 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
 if (rslt <= 0)
 results = NULL;
 ldap_msgfree(results);
-otpd_log_err(EIO, "IO error received on bind socket");
+otpd_log_err(EIO, "IO error received on bind socket: %s", ldap_err2string(rslt));
 verto_break(ctx.vctx);
-ctx.exitstatus = 1;
+/* if result is -1 or 0, connection was closed by the server side
+	 * or the server is down and we should exit gracefully */
+ctx.exitstatus = (rslt <= 0) ? 0 : 1;
 return;
 }
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5730][opened] [Backport][ipa-4-6] ipa-otpd: handle LDAP timeout in a better way

2021-04-23 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5730
Author: abbra
 Title: #5730: [Backport][ipa-4-6] ipa-otpd: handle LDAP timeout in a better way
Action: opened

PR body:
"""
This PR was opened automatically because PR #5728 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5730/head:pr5730
git checkout pr5730
From 28d714018ef04af49b69f22a012d5334918301fa Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Apr 2021 18:11:15 +0300
Subject: [PATCH] ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-otpd/bind.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
index a98312f906a..61efe4d5e86 100644
--- a/daemons/ipa-otpd/bind.c
+++ b/daemons/ipa-otpd/bind.c
@@ -85,9 +85,11 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
 if (rslt <= 0)
 results = NULL;
 ldap_msgfree(results);
-otpd_log_err(EIO, "IO error received on bind socket");
+otpd_log_err(EIO, "IO error received on bind socket: %s", ldap_err2string(rslt));
 verto_break(ctx.vctx);
-ctx.exitstatus = 1;
+/* if result is -1 or 0, connection was closed by the server side
+	 * or the server is down and we should exit gracefully */
+ctx.exitstatus = (rslt <= 0) ? 0 : 1;
 return;
 }
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5729][opened] [Backport][ipa-4-9] ipa-otpd: handle LDAP timeout in a better way

2021-04-23 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5729
Author: abbra
 Title: #5729: [Backport][ipa-4-9] ipa-otpd: handle LDAP timeout in a better way
Action: opened

PR body:
"""
This PR was opened automatically because PR #5728 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5729/head:pr5729
git checkout pr5729
From 1eac6bb7c705effa00746dc566eb3260cfe2eb0d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Apr 2021 18:11:15 +0300
Subject: [PATCH] ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-otpd/bind.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
index a98312f906a..61efe4d5e86 100644
--- a/daemons/ipa-otpd/bind.c
+++ b/daemons/ipa-otpd/bind.c
@@ -85,9 +85,11 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
 if (rslt <= 0)
 results = NULL;
 ldap_msgfree(results);
-otpd_log_err(EIO, "IO error received on bind socket");
+otpd_log_err(EIO, "IO error received on bind socket: %s", ldap_err2string(rslt));
 verto_break(ctx.vctx);
-ctx.exitstatus = 1;
+/* if result is -1 or 0, connection was closed by the server side
+	 * or the server is down and we should exit gracefully */
+ctx.exitstatus = (rslt <= 0) ? 0 : 1;
 return;
 }
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5728][closed] ipa-otpd: handle LDAP timeout in a better way

2021-04-23 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5728
Author: abbra
 Title: #5728: ipa-otpd: handle LDAP timeout in a better way
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5728/head:pr5728
git checkout pr5728
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5728][opened] ipa-otpd: handle LDAP timeout in a better way

2021-04-22 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5728
Author: abbra
 Title: #5728: ipa-otpd: handle LDAP timeout in a better way
Action: opened

PR body:
"""
When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5728/head:pr5728
git checkout pr5728
From 7c9ab0a34450a0b6947ee70a3e38f09c7a4fd700 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 22 Apr 2021 18:11:15 +0300
Subject: [PATCH] ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-otpd/bind.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
index a98312f906a..3a289c4cb01 100644
--- a/daemons/ipa-otpd/bind.c
+++ b/daemons/ipa-otpd/bind.c
@@ -87,7 +87,9 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
 ldap_msgfree(results);
 otpd_log_err(EIO, "IO error received on bind socket");
 verto_break(ctx.vctx);
-ctx.exitstatus = 1;
+/* if result is -1 or 0, connection was closed by the server side
+	 * or the server is down and we should exit gracefully */
+ctx.exitstatus = (rslt <= 0) ? 0 : 1;
 return;
 }
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5708][opened] ipaserver/install/dns: handle SERVFAIL when checking reverse zone

2021-04-10 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5708
Author: abbra
 Title: #5708: ipaserver/install/dns: handle SERVFAIL when checking reverse zone
Action: opened

PR body:
"""
systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.

Fixes: https://pagure.io/freeipa/issue/8794

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5708/head:pr5708
git checkout pr5708
From 086b23ff612ba9baf0422c4688c9938cce13ace4 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 10 Apr 2021 15:40:22 +0300
Subject: [PATCH] ipaserver/install/dns: handle SERVFAIL when checking reverse
 zone

systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.

Fixes: https://pagure.io/freeipa/issue/8794

Signed-off-by: Alexander Bokovoy 
---
 ipapython/dnsutil.py | 6 ++
 ipaserver/install/dns.py | 4 
 2 files changed, 10 insertions(+)

diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
index 63eb64dc11c..974ba0300f5 100644
--- a/ipapython/dnsutil.py
+++ b/ipapython/dnsutil.py
@@ -125,6 +125,10 @@ class DNSZoneAlreadyExists(dns.exception.DNSException):
"and is handled by server(s): {ns}")
 
 
+class DNSNoNameservers(dns.resolver.NoNameservers):
+pass
+
+
 @six.python_2_unicode_compatible
 class DNSName(dns.name.Name):
 labels = None  # make pylint happy
@@ -447,6 +451,8 @@ def check_zone_overlap(zone, raise_on_error=True):
 except dns.exception.DNSException as e:
 msg = ("DNS check for domain %s failed: %s." % (zone, e))
 if raise_on_error:
+if isinstance(e, dns.resolver.NoNameservers):
+raise DNSNoNameservers(**e.args, **e.kwargs)
 raise ValueError(msg)
 else:
 logger.warning('%s', msg)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index b51b92bfd4f..e68447c94f5 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -151,6 +151,10 @@ def install_check(standalone, api, replica, options, hostname):
 logger.warning('%s', str(e))
 else:
 raise e
+except dnsutil.DNSNoNameservers as e:
+# Show warning and continue in case we've got SERVFAIL
+# because we are supposedly going to create this reverse zone
+logger.warning('%s', str(e))
 
 if standalone:
 print("==")
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5704][opened] [Backport][ipa-4-9] Better mod_wsgi configuration

2021-04-07 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5704
Author: abbra
 Title: #5704: [Backport][ipa-4-9] Better mod_wsgi configuration
Action: opened

PR body:
"""
This PR was opened automatically because PR #5388 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5704/head:pr5704
git checkout pr5704
From 0bd031ae9f6f30d1788338c32fd986e0b28798f8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 4 Jan 2021 09:16:03 +0100
Subject: [PATCH 1/2] Better mod_wsgi configuration

* Remove WSGIImportScript
* Configure process-group in WSGIScriptAlias
* Run WSGI app in main interpreter of daemon script

See: https://github.com/GrahamDumpleton/mod_wsgi/issues/642#issuecomment-749498828
Signed-off-by: Christian Heimes 
---
 install/share/ipa-kdc-proxy.conf.template | 7 ++-
 install/share/ipa.conf.template   | 9 +++--
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/install/share/ipa-kdc-proxy.conf.template b/install/share/ipa-kdc-proxy.conf.template
index 143f40fa4ff..986445e449d 100644
--- a/install/share/ipa-kdc-proxy.conf.template
+++ b/install/share/ipa-kdc-proxy.conf.template
@@ -19,14 +19,11 @@
 
 WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
   user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/share/ipa/kdcproxy.wsgi \
-  process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi
+WSGIScriptAlias /KdcProxy /usr/share/ipa/kdcproxy.wsgi \
+  process-group=kdcproxy application-group=%{GLOBAL}
 WSGIScriptReloading Off
 
 
   Satisfy Any
   Require all granted
-  WSGIProcessGroup kdcproxy
-  WSGIApplicationGroup kdcproxy
 
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index d74e14d4fa3..e68ced25847 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -1,5 +1,5 @@
 #
-# VERSION 32 - DO NOT REMOVE THIS LINE
+# VERSION 33 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -39,13 +39,12 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
 WSGISocketPrefix $WSGI_PREFIX_DIR
 
-
 # Configure mod_wsgi handler for /ipa
 WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
   user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
   lang=C.UTF-8 locale=C.UTF-8
-WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
-WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
+WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py process-group=ipa \
+  application-group=%{GLOBAL}
 WSGIScriptReloading Off
 
 
@@ -81,8 +80,6 @@ WSGIScriptReloading Off
   GssapiAllowedMech krb5
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
-  WSGIProcessGroup ipa
-  WSGIApplicationGroup ipa
   Header always append X-Frame-Options DENY
   Header always append Content-Security-Policy "frame-ancestors 'none'"
 

From ccba97da37442269cefc89e12bf5f20a324c6e71 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 4 Jan 2021 09:24:56 +0100
Subject: [PATCH 2/2] Improve wsgi app loading

* move WSGI app code to main code base so it can be used with other
  WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC

Signed-off-by: Christian Heimes 
---
 install/share/wsgi.py | 41 ++---
 ipaserver/wsgi.py | 83 +++
 2 files changed, 86 insertions(+), 38 deletions(-)
 create mode 100644 ipaserver/wsgi.py

diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index cbdb0113250..debedbdc776 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -21,43 +21,8 @@
 #
 
 """
-WSGI appliction for IPA server.
+WSGI application for IPA server.
 """
-from __future__ import absolute_import
+from ipaserver.wsgi import create_application
 
-import logging
-import os
-import sys
-
-# Some dependencies like Dogtag's pki.client library and custodia use
-# python-requsts to make HTTPS connection. python-requests prefers
-# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
-# of python-cryptography which trigger a execmem SELinux violation
-# in the context of Apache HTTPD (httpd_execmem).
-# When requests is imported, it always tries to import pyopenssl glue
-# code from urllib3's contrib directory. The import of PyOpenSSL is
-# enough to trigger the SELinux denial.
-# Block any import of PyOpenSSL's SSL module by raising an ImportError
-sys.modules['OpenSSL.SSL'] = None
-
-from ipaplatform.paths import paths
-from ipalib import api
-
-logger = logging.getLogger(os.path.basename(__file__))
-
-api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None

[Freeipa-devel] [freeipa PR#5388][closed] Better mod_wsgi configuration

2021-04-07 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5388
Author: tiran
 Title: #5388: Better mod_wsgi configuration
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5388/head:pr5388
git checkout pr5388
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5687][closed] [Backport][ipa-4-9] ipatests: Skip test_jsplugins in server-less environments

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5687
Author: abbra
 Title: #5687: [Backport][ipa-4-9] ipatests: Skip test_jsplugins in server-less 
environments
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5687/head:pr5687
git checkout pr5687
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5686][closed] [Backport][ipa-4-8] ipatests: Skip test_jsplugins in server-less environments

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5686
Author: abbra
 Title: #5686: [Backport][ipa-4-8] ipatests: Skip test_jsplugins in server-less 
environments
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5686/head:pr5686
git checkout pr5686
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5685][closed] [Backport][ipa-4-8] Bunch of Azure improvements

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5685
Author: stanislavlevin
 Title: #5685: [Backport][ipa-4-8] Bunch of Azure improvements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5685/head:pr5685
git checkout pr5685
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5684][closed] [Backport][ipa-4-9] sudorule: reduce number of LDAP searches during modification

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5684
Author: flo-renaud
 Title: #5684: [Backport][ipa-4-9] sudorule: reduce number of LDAP searches 
during modification
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5684/head:pr5684
git checkout pr5684
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5683][closed] [Backport][ipa-4-9] Bunch of Azure improvements

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5683
Author: flo-renaud
 Title: #5683: [Backport][ipa-4-9] Bunch of Azure improvements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5683/head:pr5683
git checkout pr5683
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5687][opened] [Backport][ipa-4-9] ipatests: Skip test_jsplugins in server-less environments

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5687
Author: abbra
 Title: #5687: [Backport][ipa-4-9] ipatests: Skip test_jsplugins in server-less 
environments
Action: opened

PR body:
"""
This PR was opened automatically because PR #5680 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5687/head:pr5687
git checkout pr5687
From 04480456c21adc50a8a1bb341b91e1b1ca49fd43 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Mon, 29 Mar 2021 18:26:46 +0300
Subject: [PATCH] ipatests: Skip test_jsplugins in server less environments

This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.

Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.

Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin 
---
 ipatests/test_ipaserver/test_jsplugins.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
index 354e6992ca2..bec9ceec92e 100644
--- a/ipatests/test_ipaserver/test_jsplugins.py
+++ b/ipatests/test_ipaserver/test_jsplugins.py
@@ -3,12 +3,17 @@
 import os
 import pytest
 
+from ipalib import facts
 from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
 from ipatests.util import assert_equal, assert_not_equal
 from ipaplatform.paths import paths
 
 
 @pytest.mark.tier1
+@pytest.mark.skipif(
+not facts.is_ipa_configured(),
+reason="Requires configured IPA server",
+)
 class test_jsplugins(Unauthorized_HTTP_test):
 app_uri = '/ipa/ui/js/freeipa/plugins.js'
 jsplugins = (('foo', 'foo.js'), ('bar', ''))
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5686][opened] [Backport][ipa-4-8] ipatests: Skip test_jsplugins in server-less environments

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5686
Author: abbra
 Title: #5686: [Backport][ipa-4-8] ipatests: Skip test_jsplugins in server-less 
environments
Action: opened

PR body:
"""
This PR was opened automatically because PR #5680 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5686/head:pr5686
git checkout pr5686
From d3fbc737b3eede51ffaa9cefd86dfd6c39d0daa7 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Mon, 29 Mar 2021 18:26:46 +0300
Subject: [PATCH] ipatests: Skip test_jsplugins in server less environments

This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.

Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.

Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin 
---
 ipatests/test_ipaserver/test_jsplugins.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
index 354e6992ca2..bec9ceec92e 100644
--- a/ipatests/test_ipaserver/test_jsplugins.py
+++ b/ipatests/test_ipaserver/test_jsplugins.py
@@ -3,12 +3,17 @@
 import os
 import pytest
 
+from ipalib import facts
 from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
 from ipatests.util import assert_equal, assert_not_equal
 from ipaplatform.paths import paths
 
 
 @pytest.mark.tier1
+@pytest.mark.skipif(
+not facts.is_ipa_configured(),
+reason="Requires configured IPA server",
+)
 class test_jsplugins(Unauthorized_HTTP_test):
 app_uri = '/ipa/ui/js/freeipa/plugins.js'
 jsplugins = (('foo', 'foo.js'), ('bar', ''))
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5680][closed] ipatests: Skip test_jsplugins in server-less environments

2021-03-30 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5680
Author: stanislavlevin
 Title: #5680: ipatests: Skip test_jsplugins in server-less environments
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5680/head:pr5680
git checkout pr5680
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5677][closed] [Backport][ipa-4-8] configure: Make rpmlint optional

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5677
Author: stanislavlevin
 Title: #5677: [Backport][ipa-4-8] configure: Make rpmlint optional 
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5677/head:pr5677
git checkout pr5677
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5679][opened] [Backport][ipa-4-8] ipatests: allocate pseudo-terminal only for specific command

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5679
Author: abbra
 Title: #5679: [Backport][ipa-4-8] ipatests: allocate pseudo-terminal only for 
specific command
Action: opened

PR body:
"""
This PR was opened automatically because PR #5650 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5679/head:pr5679
git checkout pr5679
From efb99898c9ba167cd9a28788902b00a228de29ae Mon Sep 17 00:00:00 2001
From: Sergey Orlov 
Date: Fri, 19 Mar 2021 16:02:34 +0100
Subject: [PATCH 1/2] ipatests: allocate pseudo-terminal only for specific
 command

While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.
---
 ipatests/pytest_ipa/integration/host.py  | 8 +---
 ipatests/pytest_ipa/integration/tasks.py | 3 ++-
 ipatests/pytest_ipa/integration/transport.py | 6 --
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/host.py b/ipatests/pytest_ipa/integration/host.py
index bcadcbae2c4..e85cbc87e8c 100644
--- a/ipatests/pytest_ipa/integration/host.py
+++ b/ipatests/pytest_ipa/integration/host.py
@@ -204,9 +204,11 @@ def run_command(self, argv, set_env=True, stdin_text=None,
 else:
 return result
 
-def spawn_expect(self, argv, default_timeout=10, encoding='utf-8'):
-"""Run command on host using IpaTestExpect"""
-return self.transport.spawn_expect(argv, default_timeout, encoding)
+def spawn_expect(self, argv, default_timeout=10, encoding='utf-8',
+ extra_ssh_options=None):
+"""Run command on remote host using IpaTestExpect"""
+return self.transport.spawn_expect(argv, default_timeout, encoding,
+   extra_ssh_options)
 
 class WinHost(pytest_multihost.host.WinHost):
 """
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index dc686bc500d..fe2d7ade70f 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2166,7 +2166,8 @@ def get_keytab_mtime():
 
 mtime_before = get_keytab_mtime()
 
-with self.host.spawn_expect(paths.KTUTIL, default_timeout=5) as e:
+with self.host.spawn_expect(paths.KTUTIL, default_timeout=5,
+extra_ssh_options=['-t']) as e:
 e.expect_exact('ktutil:')
 e.sendline('rkt {}'.format(keytab))
 e.expect_exact('ktutil:')
diff --git a/ipatests/pytest_ipa/integration/transport.py b/ipatests/pytest_ipa/integration/transport.py
index f12df122542..61aba86b618 100644
--- a/ipatests/pytest_ipa/integration/transport.py
+++ b/ipatests/pytest_ipa/integration/transport.py
@@ -49,9 +49,11 @@ def _get_ssh_argv(self):
 
 return argv
 
-def spawn_expect(self, argv, default_timeout, encoding):
+def spawn_expect(self, argv, default_timeout, encoding, extra_ssh_options):
 self.log.debug('Starting pexpect ssh session')
 if isinstance(argv, str):
 argv = [argv]
-argv = self._get_ssh_argv() + ['-t', '-q'] + argv
+if extra_ssh_options is None:
+extra_ssh_options = []
+argv = self._get_ssh_argv() + ['-q'] + extra_ssh_options + argv
 return IpaTestExpect(argv, default_timeout, encoding)

From 5d1d62520ce523aeb5ce5730ad6437e961352a24 Mon Sep 17 00:00:00 2001
From: Sergey Orlov 
Date: Mon, 22 Mar 2021 17:25:26 +0100
Subject: [PATCH 2/2] ipatests: log command spawned by pexpect

---
 ipatests/pytest_ipa/integration/expect.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/expect.py b/ipatests/pytest_ipa/integration/expect.py
index 85350a10638..5490a99bb41 100644
--- a/ipatests/pytest_ipa/integration/expect.py
+++ b/ipatests/pytest_ipa/integration/expect.py
@@ -68,6 +68,8 @@ def __init__(self, argv, default_timeout=10, encoding='utf-8'):
 else:
 command = argv[0]
 args = argv[1:]
+logger.debug('Expect will spawn command "%s" with args %s',
+ command, args)
 super().__init__(
 command, args, timeout=default_timeout, encoding=encoding,
 echo=False
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedo

[Freeipa-devel] [freeipa PR#5678][opened] [Backport][ipa-4-9] ipatests: allocate pseudo-terminal only for specific command

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5678
Author: abbra
 Title: #5678: [Backport][ipa-4-9] ipatests: allocate pseudo-terminal only for 
specific command
Action: opened

PR body:
"""
This PR was opened automatically because PR #5650 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5678/head:pr5678
git checkout pr5678
From 0c9cd58809fb5a4bbb4d4c590cbe0efbca25c496 Mon Sep 17 00:00:00 2001
From: Sergey Orlov 
Date: Fri, 19 Mar 2021 16:02:34 +0100
Subject: [PATCH 1/2] ipatests: allocate pseudo-terminal only for specific
 command

While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.
---
 ipatests/pytest_ipa/integration/host.py  | 8 +---
 ipatests/pytest_ipa/integration/tasks.py | 3 ++-
 ipatests/pytest_ipa/integration/transport.py | 6 --
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/host.py b/ipatests/pytest_ipa/integration/host.py
index 1e420dfee47..a9758e7dc77 100644
--- a/ipatests/pytest_ipa/integration/host.py
+++ b/ipatests/pytest_ipa/integration/host.py
@@ -206,9 +206,11 @@ def run_command(self, argv, set_env=True, stdin_text=None,
 else:
 return result
 
-def spawn_expect(self, argv, default_timeout=10, encoding='utf-8'):
-"""Run command on host using IpaTestExpect"""
-return self.transport.spawn_expect(argv, default_timeout, encoding)
+def spawn_expect(self, argv, default_timeout=10, encoding='utf-8',
+ extra_ssh_options=None):
+"""Run command on remote host using IpaTestExpect"""
+return self.transport.spawn_expect(argv, default_timeout, encoding,
+   extra_ssh_options)
 
 class WinHost(pytest_multihost.host.WinHost):
 """
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 023179a1e06..8c4dd955371 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2252,7 +2252,8 @@ def get_keytab_mtime():
 
 mtime_before = get_keytab_mtime()
 
-with self.host.spawn_expect(paths.KTUTIL, default_timeout=5) as e:
+with self.host.spawn_expect(paths.KTUTIL, default_timeout=5,
+extra_ssh_options=['-t']) as e:
 e.expect_exact('ktutil:')
 e.sendline('rkt {}'.format(keytab))
 e.expect_exact('ktutil:')
diff --git a/ipatests/pytest_ipa/integration/transport.py b/ipatests/pytest_ipa/integration/transport.py
index f12df122542..61aba86b618 100644
--- a/ipatests/pytest_ipa/integration/transport.py
+++ b/ipatests/pytest_ipa/integration/transport.py
@@ -49,9 +49,11 @@ def _get_ssh_argv(self):
 
 return argv
 
-def spawn_expect(self, argv, default_timeout, encoding):
+def spawn_expect(self, argv, default_timeout, encoding, extra_ssh_options):
 self.log.debug('Starting pexpect ssh session')
 if isinstance(argv, str):
 argv = [argv]
-argv = self._get_ssh_argv() + ['-t', '-q'] + argv
+if extra_ssh_options is None:
+extra_ssh_options = []
+argv = self._get_ssh_argv() + ['-q'] + extra_ssh_options + argv
 return IpaTestExpect(argv, default_timeout, encoding)

From 1e9e8063ef392436864daa1f7d60df674e1b5e3c Mon Sep 17 00:00:00 2001
From: Sergey Orlov 
Date: Mon, 22 Mar 2021 17:25:26 +0100
Subject: [PATCH 2/2] ipatests: log command spawned by pexpect

---
 ipatests/pytest_ipa/integration/expect.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/expect.py b/ipatests/pytest_ipa/integration/expect.py
index 85350a10638..5490a99bb41 100644
--- a/ipatests/pytest_ipa/integration/expect.py
+++ b/ipatests/pytest_ipa/integration/expect.py
@@ -68,6 +68,8 @@ def __init__(self, argv, default_timeout=10, encoding='utf-8'):
 else:
 command = argv[0]
 args = argv[1:]
+logger.debug('Expect will spawn command "%s" with args %s',
+ command, args)
 super().__init__(
 command, args, timeout=default_timeout, encoding=encoding,
 echo=False
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedo

[Freeipa-devel] [freeipa PR#5650][closed] ipatests: allocate pseudo-terminal only for specific command

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5650
Author: wladich
 Title: #5650: ipatests: allocate pseudo-terminal only for specific command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5650/head:pr5650
git checkout pr5650
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5673][closed] [Backport][ipa-4-9] ipa passwd: make help for `--otp` option clearer

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5673
Author: abbra
 Title: #5673: [Backport][ipa-4-9] ipa passwd: make help for `--otp` option 
clearer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5673/head:pr5673
git checkout pr5673
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5672][closed] [Backport][ipa-4-9] Allow multiple permitopen/permitlisten entries in SSH keys

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5672
Author: abbra
 Title: #5672: [Backport][ipa-4-9] Allow multiple permitopen/permitlisten 
entries in SSH keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5672/head:pr5672
git checkout pr5672
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5674][closed] [Backport][ipa-4-9] Enhance error message when adding non-posix group with a GID

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5674
Author: abbra
 Title: #5674: [Backport][ipa-4-9] Enhance error message when adding non-posix 
group with a GID
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5674/head:pr5674
git checkout pr5674
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5675][closed] [Backport][ipa-4-9] Return nsaccountlock in user-add as boolean

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5675
Author: abbra
 Title: #5675: [Backport][ipa-4-9] Return nsaccountlock in user-add as boolean
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5675/head:pr5675
git checkout pr5675
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5676][closed] [Backport][ipa-4-9] configure: Make rpmlint optional

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5676
Author: abbra
 Title: #5676: [Backport][ipa-4-9] configure: Make rpmlint optional
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5676/head:pr5676
git checkout pr5676
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5676][opened] [Backport][ipa-4-9] configure: Make rpmlint optional

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5676
Author: abbra
 Title: #5676: [Backport][ipa-4-9] configure: Make rpmlint optional
Action: opened

PR body:
"""
This PR was opened automatically because PR #5658 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5676/head:pr5676
git checkout pr5676
From 4c78b50ae37c9d1d93904489c2e9db3dbd6e75e9 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Tue, 9 Feb 2021 14:57:37 +0300
Subject: [PATCH 1/2] configure: Make rpmlint optional

Distributions may want to run comprehensive fastcheck or lint tasks,
but rpmlint tool is mandatory for these targets while some platforms
don't have it at all.

With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.

Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin 
---
 Makefile.am  | 13 +
 configure.ac | 18 ++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 0377808e54a..b42333713f7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -194,7 +194,10 @@ endif WITH_PYLINT
 if WITH_JSLINT
 JSLINT_TARGET = jslint
 endif WITH_JSLINT
-lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) rpmlint yamllint
+if WITH_RPMLINT
+RPMLINT_TARGET = rpmlint
+endif  # WITH_RPMLINT
+lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET) $(RPMLINT_TARGET) yamllint
 
 .PHONY: devcheck
 devcheck: all
@@ -210,12 +213,12 @@ endif
 	@ # just tests, aci, api and pylint on Python 3
 	PATH=$(abspath ipatests):$$PATH PYTHONPATH=$(abspath $(top_srcdir)) \
 	$(PYTHON) ipatests/ipa-run-tests --ipaclient-unittests
-	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint rpmlint yamllint check
+	$(MAKE) $(AM_MAKEFLAGS) acilint apilint polint pylint jslint $(RPMLINT_TARGET) yamllint check
 	@echo "All tests passed."
 
 .PHONY: fastcheck fasttest fastlint
 fastcheck:
-	@$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint rpmlint yamllint fasttest apilint acilint
+	@$(MAKE) -j1 $(AM_MAKEFLAGS) fastlint $(RPMLINT_TARGET) yamllint fasttest apilint acilint
 
 fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
 	@ # --ignore doubles speed of total test run compared to pytest.skip()
@@ -297,8 +300,10 @@ polint:
 	validate-src-strings validate-po test-gettext
 
 .PHONY: rpmlint
+if WITH_RPMLINT
 rpmlint: freeipa.spec
-	rpmlint ./$<
+	@RPMLINT@ ./$<
+endif  # WITH_RPMLINT
 
 # Try to load yml/yaml files via safe_load, which recognizes only standard
 # YAML tags and cannot construct an arbitrary Python object.
diff --git a/configure.ac b/configure.ac
index ca2ab2bee6d..dc79d5dce70 100644
--- a/configure.ac
+++ b/configure.ac
@@ -574,6 +574,23 @@ AS_CASE([$JSLINT],
 AC_SUBST([JSLINT])
 AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"])
 
+
+AC_ARG_ENABLE(
+[rpmlint],
+[AC_HELP_STRING([--enable-rpmlint], [Enable rpmlint for the rpm spec])],
+[case "${enableval}" in
+ yes) ENABLE_RPMLINT=yes ;;
+  no) ENABLE_RPMLINT=no ;;
+   *) AC_MSG_ERROR([bad value ${enableval} for --enable-rpmlint]) ;;
+ esac],
+[ENABLE_RPMLINT=no])
+AS_IF([test "x$ENABLE_RPMLINT" = "xyes"],
+  [AC_PATH_PROG([RPMLINT], [rpmlint])
+   AS_IF([test "x$RPMLINT" = "x"],
+ [AC_MSG_ERROR([Could not find rpmlint])])],
+)
+AM_CONDITIONAL([WITH_RPMLINT], [test "x$ENABLE_RPMLINT" = "xyes"])
+
 AM_CONDITIONAL([HAVE_UNSHARE],
 [test "x${ac_cv_func_unshare}" = "xyes" -a "x${ac_cv_func_chroot}" = "xyes"])
 
@@ -687,6 +704,7 @@ echo "
 Python:   ${PYTHON} (${PYTHON_VERSION})
 pylint:   ${PYLINT}
 jslint:   ${JSLINT}
+rpmlint:  ${ENABLE_RPMLINT}
 LDAP libs:${LDAP_LIBS}
 OpenSSL crypto libs:  ${CRYPTO_LIBS}
 KRB5 libs:${KRB5_LIBS}

From 5424e1418ad872396b8d980c309a0701b0fb985c Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Wed, 17 Feb 2021 18:29:02 +0300
Subject: [PATCH 2/2] Azure: Run rpmlint on Fedora

Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin 
---
 freeipa.spec.in|  4 ++--
 ipatests/azure/azure-pipelines.yml | 18 +++---
 ipatests/azure/templates/autoconf-fedora.yml   | 12 
 ipatests/azure/templates/variables-fedora.yml  |  3 +++
 ipatests/azure/templates/variables-rawhide.yml |  3 +++
 5 files changed, 23 insertions(+), 17 deletions(-)
 create mode 100644 ipatests/azure/templates/autoconf-fedora.yml

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cfa7bc788dd..7a665e0c4d0 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in

[Freeipa-devel] [freeipa PR#5658][closed] configure: Make rpmlint optional

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5658
Author: stanislavlevin
 Title: #5658: configure: Make rpmlint optional
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5658/head:pr5658
git checkout pr5658
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5675][opened] [Backport][ipa-4-9] Return nsaccountlock in user-add as boolean

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5675
Author: abbra
 Title: #5675: [Backport][ipa-4-9] Return nsaccountlock in user-add as boolean
Action: opened

PR body:
"""
This PR was opened automatically because PR #5633 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5675/head:pr5675
git checkout pr5675
From 989822fcbdd2a8017e700c213459c6f41dc95d19 Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Thu, 11 Mar 2021 13:22:24 +0100
Subject: [PATCH 1/2] Return nsaccountlock in user-add as boolean

The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.

Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres 
---
 ipaserver/plugins/baseuser.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index e1b7763f0fd..ae16a978ab0 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -545,6 +545,8 @@ def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
 self.obj.convert_usercertificate_post(entry_attrs, **options)
 self.obj.get_password_attributes(ldap, dn, entry_attrs)
 convert_sshpubkey_post(entry_attrs)
+if 'nsaccountlock' in entry_attrs:
+convert_nsaccountlock(entry_attrs)
 radius_dn2pk(self.api, entry_attrs)
 
 

From 3f8fdc6d568c458abab1dcea261c755af71a14be Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Fri, 12 Mar 2021 11:21:09 +0100
Subject: [PATCH 2/2] ipatests: expect boolean type for nsaccountlock in user
 module

user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.

Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres 
---
 .../test_xmlrpc/tracker/stageuser_plugin.py| 18 +-
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 862810b3356..31a8ce5ece0 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -147,7 +147,7 @@ def track_create(self):
 loginshell=[platformconstants.DEFAULT_SHELL],
 has_keytab=False,
 has_password=False,
-nsaccountlock=[u'true'],
+nsaccountlock=True,
 )
 
 for key in self.kwargs:
@@ -201,14 +201,6 @@ def check_retrieve(self, result, all=False, raw=False):
 else:
 expected = self.filter_attrs(self.retrieve_keys)
 
-# small override because stageuser-find returns different
-# type of nsaccountlock value than DS, but overall the value
-# fits expected result
-if expected[u'nsaccountlock'] == [u'true']:
-expected[u'nsaccountlock'] = True
-elif expected[u'nsaccountlock'] == [u'false']:
-expected[u'nsaccountlock'] = False
-
 assert_deepequal(dict(
 value=self.uid,
 summary=None,
@@ -222,14 +214,6 @@ def check_find(self, result, all=False, raw=False):
 else:
 expected = self.filter_attrs(self.find_keys)
 
-# small override because stageuser-find returns different
-# type of nsaccountlock value than DS, but overall the value
-# fits expected result
-if expected[u'nsaccountlock'] == [u'true']:
-expected[u'nsaccountlock'] = True
-elif expected[u'nsaccountlock'] == [u'false']:
-expected[u'nsaccountlock'] = False
-
 assert_deepequal(dict(
 count=1,
 truncated=False,
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5633][closed] Return nsaccountlock in user-add as boolean

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5633
Author: antoniotorresm
 Title: #5633: Return nsaccountlock in user-add as boolean
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5633/head:pr5633
git checkout pr5633
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5674][opened] [Backport][ipa-4-9] Enhance error message when adding non-posix group with a GID

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5674
Author: abbra
 Title: #5674: [Backport][ipa-4-9] Enhance error message when adding non-posix 
group with a GID
Action: opened

PR body:
"""
This PR was opened automatically because PR #5599 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5674/head:pr5674
git checkout pr5674
From a30df59ca3b61dc0427f159eeaffadfad3703cc3 Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Tue, 2 Mar 2021 18:26:43 +0100
Subject: [PATCH 1/2] Enhance error message when adding non-posix group with a
 GID

Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.

Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres 
---
 ipaserver/plugins/group.py | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index 5f463fb56e4..afdad93c105 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -387,6 +387,15 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 entry_attrs['gidnumber'] = baseldap.DNA_MAGIC
 return dn
 
+def exc_callback(self, keys, options, exc, call_func,
+ *call_args, **call_kwargs):
+if isinstance(exc, errors.ObjectclassViolation):
+if options['nonposix'] and 'gidnumber' in options:
+raise errors.ObjectclassViolation(
+info=_('attribute "gidNumber" not allowed with --nonposix')
+)
+raise exc
+
 
 @register()
 class group_del(LDAPDelete):

From 81396b78e1f7313940651fadd51f898b4373a0a8 Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Wed, 3 Mar 2021 18:39:31 +0100
Subject: [PATCH 2/2] ipatests: add test for group creation with GID and
 nonposix option

Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.

Signed-off-by: Antonio Torres 
---
 ipatests/test_xmlrpc/test_group_plugin.py | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
index 90d47c53a40..11c85feb462 100644
--- a/ipatests/test_xmlrpc/test_group_plugin.py
+++ b/ipatests/test_xmlrpc/test_group_plugin.py
@@ -388,6 +388,15 @@ def test_rename_nonexistent(self, group):
 
 @pytest.mark.tier1
 class TestNonposixGroup(XMLRPC_test):
+def test_create_nonposix_with_gid(self, group):
+""" Try to create non-posix group with GID """
+command = group.make_create_command(**dict(nonposix=True,
+   gidnumber=10011))
+
+with raises_exact(errors.ObjectclassViolation(
+info=u'attribute "gidNumber" not allowed with --nonposix')):
+command()
+
 def test_create_nonposix(self, group):
 """ Create a non-posix group """
 group.track_create()
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5599][closed] Enhance error message when adding non-posix group with a GID

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5599
Author: antoniotorresm
 Title: #5599: Enhance error message when adding non-posix group with a GID
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5599/head:pr5599
git checkout pr5599
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5673][opened] [Backport][ipa-4-9] ipa passwd: make help for `--otp` option clearer

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5673
Author: abbra
 Title: #5673: [Backport][ipa-4-9] ipa passwd: make help for `--otp` option 
clearer
Action: opened

PR body:
"""
This PR was opened automatically because PR #5568 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5673/head:pr5673
git checkout pr5673
From 12a5eeed99c51ab5f5716620c680547c4bdffa6b Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Wed, 17 Feb 2021 13:49:39 +0100
Subject: [PATCH] ipa passwd: make help for `--otp` option clearer

Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.

Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres 
---
 ipaserver/plugins/passwd.py | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
index a61a945b72f..28273b49aa6 100644
--- a/ipaserver/plugins/passwd.py
+++ b/ipaserver/plugins/passwd.py
@@ -47,11 +47,17 @@
 The IPA password policy controls how often a password may be changed,
 what strength requirements exist, and the length of the password history.
 
+If the user authentication method is set to password+OTP, the user should
+pass the --otp option when resetting the password.
+
 EXAMPLES:
 
  To reset your own password:
ipa passwd
 
+ To reset your own password when password+OTP is set as authentication method:
+   ipa passwd --otp
+
  To change another user's password:
ipa passwd tuser1
 """)
@@ -105,7 +111,7 @@ class passwd(Command):
 takes_options =  (
 Password('otp?',
  label=_('OTP'),
- doc=_('One Time Password'),
+ doc=_('The OTP if the user has a token configured'),
  confirm=False,
 ),
 )
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5568][closed] ipa passwd: make help for `--otp` option clearer

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5568
Author: antoniotorresm
 Title: #5568: ipa passwd: make help for `--otp` option clearer
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5568/head:pr5568
git checkout pr5568
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5587][closed] Allow multiple permitopen/permitlisten entries in SSH keys

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5587
Author: antoniotorresm
 Title: #5587: Allow multiple permitopen/permitlisten entries in SSH keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5587/head:pr5587
git checkout pr5587
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5672][opened] [Backport][ipa-4-9] Allow multiple permitopen/permitlisten entries in SSH keys

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5672
Author: abbra
 Title: #5672: [Backport][ipa-4-9] Allow multiple permitopen/permitlisten 
entries in SSH keys
Action: opened

PR body:
"""
This PR was opened automatically because PR #5587 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5672/head:pr5672
git checkout pr5672
From 945176598ef6ad958bd3e368330f7042104300de Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Thu, 25 Feb 2021 18:08:53 +0100
Subject: [PATCH 1/2] Allow multiple permitopen/permitlisten in SSH keys

SSH keys allow to have multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.

Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres 
---
 ipapython/ssh.py | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/ipapython/ssh.py b/ipapython/ssh.py
index 7d52a205b03..6a594b04c84 100644
--- a/ipapython/ssh.py
+++ b/ipapython/ssh.py
@@ -125,6 +125,9 @@ def _parse_openssh_without_options(self, key):
 def _parse_openssh_with_options(self, key):
 key = key.lstrip('\t ')
 
+# Options that allow multiple entries
+multiple_allowed = ('permitopen', 'permitlisten')
+
 options = {}
 while True:
 match = OPENSSH_OPTIONS_REGEX.match(key)
@@ -136,7 +139,13 @@ def _parse_openssh_with_options(self, key):
 if value:
 value = value.replace('\\"', '"')
 
-options[name] = value
+if name in multiple_allowed:
+if name in options:
+options[name].append(value)
+else:
+options[name] = [value]
+else:
+options[name] = value
 
 key = key[len(match.group(0)):]
 key0, key = key[:1], key[1:]
@@ -179,6 +188,10 @@ def openssh(self):
 value = self._options[name]
 if value is None:
 options.append(name)
+elif type(value) is list:
+for v in value:
+v = v.replace('"', '\\"')
+options.append(u'%s="%s"' % (name, v))
 else:
 value = value.replace('"', '\\"')
 options.append(u'%s="%s"' % (name, value))

From eea79c11770e0ddf9cd631b2e5619da31bbd11cb Mon Sep 17 00:00:00 2001
From: Antonio Torres 
Date: Thu, 25 Feb 2021 18:13:54 +0100
Subject: [PATCH 2/2] ipatests: add test for multiple permitopen entries in SSH
 keys

Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.

Signed-off-by: Antonio Torres 
---
 ipatests/test_ipapython/test_ssh.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipatests/test_ipapython/test_ssh.py b/ipatests/test_ipapython/test_ssh.py
index 4aef498a300..9cba497049e 100644
--- a/ipatests/test_ipapython/test_ssh.py
+++ b/ipatests/test_ipapython/test_ssh.py
@@ -69,6 +69,10 @@
  u'%s this is a comment' % openssh),
 (u'opt3,opt2="\tx ",opt1,opt2="\\"x " %s comment ' % openssh,
  u'opt1,opt2="\\"x ",opt3 %s comment' % openssh),
+(u'permitopen=\"1.1.1.1:111\",permitopen=\"2.2.2.2:222\" %s' % openssh,
+ u'permitopen=\"1.1.1.1:111\",permitopen=\"2.2.2.2:222\" %s' % openssh),
+(u'permitlisten=\"1.1.1.1:111\",permitlisten=\"2.2.2.2:222\" %s' % openssh,
+ u'permitlisten=\"1.1.1.1:111\",permitlisten=\"2.2.2.2:222\" %s' % openssh),
 (u'ssh-rsa\n%s' % b64, ValueError),
 (u'ssh-rsa\t%s' % b64, ValueError),
 (u'vanitas %s' % b64, ValueError),
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5671][opened] [Backport][ipa-4-9] Adapt redhat ipaplatform to RHEL9/ELN

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5671
Author: abbra
 Title: #5671: [Backport][ipa-4-9] Adapt redhat ipaplatform to RHEL9/ELN
Action: opened

PR body:
"""
This PR was opened automatically because PR #5669 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5671/head:pr5671
git checkout pr5671
From dbf1cc6643da7499405294f23edbaf1984ae694c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 26 Mar 2021 17:04:45 +0100
Subject: [PATCH] Adapt redhat ipaplatform to RHEL9/ELN

On RHEL8, ipa is using named-pkcs11.service but RHEL9 is based on
fedora34 and uses named.service instead. There is already some support
for this distinction in ipaplatform, and the patch relies on the
specific settings that can be configured in ipaplatform/xx/services.py
and ipaplatform/xx/constants.py

On RHEL9 ipa also needs to define NAMED_OPENSSL_ENGINE for named
to use openssl's okcs11 engine.

Fixes: https://pagure.io/freeipa/issue/8753
---
 ipaplatform/rhel/constants.py | 4 
 ipaplatform/rhel/services.py  | 6 ++
 2 files changed, 10 insertions(+)

diff --git a/ipaplatform/rhel/constants.py b/ipaplatform/rhel/constants.py
index 58990b79aff..bc8c65a5d35 100644
--- a/ipaplatform/rhel/constants.py
+++ b/ipaplatform/rhel/constants.py
@@ -17,6 +17,8 @@
 # RHEL 7 and earlier use /etc/sysconfig/nfs
 # RHEL 8 uses /etc/nfs.conf
 HAS_NFS_CONF = osinfo.version_number >= (8,)
+# RHEL 9 uses pkcs11 as openssl engine
+HAS_PKCS11_OPENSSL_ENGINE = osinfo.version_number >= (9,)
 
 
 __all__ = ("constants", "User", "Group")
@@ -27,5 +29,7 @@ class RHELConstantsNamespace(RedHatConstantsNamespace):
 IPA_DNS_PACKAGE_NAME = "ipa-server-dns"
 if HAS_NFS_CONF:
 SECURE_NFS_VAR = None
+if HAS_PKCS11_OPENSSL_ENGINE:
+NAMED_OPENSSL_ENGINE = "pkcs11"
 
 constants = RHELConstantsNamespace()
diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
index 9525bef3ad1..1ecf1feac80 100644
--- a/ipaplatform/rhel/services.py
+++ b/ipaplatform/rhel/services.py
@@ -24,11 +24,15 @@
 
 from __future__ import absolute_import
 
+from ipaplatform.osinfo import osinfo
 from ipaplatform.redhat import services as redhat_services
 
 # Mappings from service names as FreeIPA code references to these services
 # to their actual systemd service names
 rhel_system_units = redhat_services.redhat_system_units.copy()
+if osinfo.version_number >= (9,):
+rhel_system_units['named'] = rhel_system_units['named-regular']
+rhel_system_units['named-conflict'] = rhel_system_units['named-pkcs11']
 
 
 # Service classes that implement RHEL-specific behaviour
@@ -41,6 +45,8 @@ class RHELService(redhat_services.RedHatService):
 # of specified name
 
 def rhel_service_class_factory(name, api=None):
+if name in ['named', 'named-conflict']:
+return RHELService(name, api)
 return redhat_services.redhat_service_class_factory(name, api)
 
 
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5669][closed] Adapt redhat ipaplatform to RHEL9/ELN

2021-03-29 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5669
Author: flo-renaud
 Title: #5669: Adapt redhat ipaplatform to RHEL9/ELN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5669/head:pr5669
git checkout pr5669
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5631][opened] azure: use Fedora 34 as a baseline

2021-03-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5631
Author: abbra
 Title: #5631: azure: use Fedora 34 as a baseline
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5631/head:pr5631
git checkout pr5631
From bc5bda79c0f3158707c50e5680e2b6384c61eb91 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 10 Mar 2021 09:36:09 +0200
Subject: [PATCH] azure: use Fedora 34 as a baseline

Signed-off-by: Alexander Bokovoy 
---
 ipatests/azure/Dockerfiles/Dockerfile.build.fedora | 2 +-
 ipatests/azure/templates/variables-fedora.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
index 523aedf0ba7..e8df3da5fa2 100644
--- a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
+++ b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
@@ -1,4 +1,4 @@
-FROM fedora:32
+FROM fedora:34
 MAINTAINER [FreeIPA Developers freeipa-devel@lists.fedorahosted.org]
 ENV container=docker LANG=en_US.utf8 LANGUAGE=en_US.utf8 LC_ALL=en_US.utf8
 
diff --git a/ipatests/azure/templates/variables-fedora.yml b/ipatests/azure/templates/variables-fedora.yml
index 3e8f878c221..cd9f4e25a66 100644
--- a/ipatests/azure/templates/variables-fedora.yml
+++ b/ipatests/azure/templates/variables-fedora.yml
@@ -1,7 +1,7 @@
 variables:
   IPA_PLATFORM: fedora
   # the Docker public image to build IPA packages (rpms)
-  DOCKER_BUILD_IMAGE: 'fedora:32'
+  DOCKER_BUILD_IMAGE: 'fedora:34'
 
   # the Dockerfile to build Docker image for running IPA tests
   DOCKER_DOCKERFILE: ${{ format('Dockerfile.build.{0}', variables.IPA_PLATFORM) }}
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5623][closed] [Backport][ipa-4-6] PR 5581 manual backport

2021-03-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5623
Author: abbra
 Title: #5623: [Backport][ipa-4-6] PR 5581 manual backport
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5623/head:pr5623
git checkout pr5623
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5622][closed] [Backport][ipa-4-8] Manual backport of PR 5581

2021-03-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5622
Author: abbra
 Title: #5622: [Backport][ipa-4-8] Manual backport of PR 5581
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5622/head:pr5622
git checkout pr5622
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5624][closed] [Backport][ipa-4-8] DNSSEC key synchronization issues

2021-03-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5624
Author: flo-renaud
 Title: #5624: [Backport][ipa-4-8] DNSSEC key synchronization issues
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5624/head:pr5624
git checkout pr5624
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-devel] [freeipa PR#5625][closed] [Backport][ipa-4-9] DNSSEC key synchronization issues

2021-03-09 Thread abbra via FreeIPA-devel 
   URL: https://github.com/freeipa/freeipa/pull/5625
Author: flo-renaud
 Title: #5625: [Backport][ipa-4-9] DNSSEC key synchronization issues
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5625/head:pr5625
git checkout pr5625
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

  1   2   3   4   5   6   7   8   >