Re: [Freeipa-devel] [PATCH 0297] ULC: add user-stage command
On 08/20/2015 07:17 PM, thierry bordaz wrote: On 08/20/2015 05:21 PM, Martin Basti wrote: On 08/20/2015 11:27 AM, Jan Cholasta wrote: On 19.8.2015 10:57, Jan Cholasta wrote: On 19.8.2015 10:47, thierry bordaz wrote: On 08/19/2015 10:34 AM, Jan Cholasta wrote: On 19.8.2015 09:39, thierry bordaz wrote: Hi, It worked like a charm. I had a problem to commit it because of the VERSION stuff that changed. Except that (changing VERSION), the fix looks good to me thanks thierry On 08/18/2015 07:21 PM, Martin Basti wrote: Thank you for the patch, I checked it, I just changed permission name to have all first letters in uppercase as others. Updated merged patch attached. On 08/18/2015 05:34 PM, thierry bordaz wrote: On 08/18/2015 04:13 PM, thierry bordaz wrote: On 08/18/2015 04:04 PM, Martin Basti wrote: On 08/18/2015 03:49 PM, thierry bordaz wrote: On 08/18/2015 03:06 PM, Martin Basti wrote: On 08/18/2015 11:32 AM, thierry bordaz wrote: On 08/18/2015 10:02 AM, Martin Basti wrote: On 08/18/2015 09:59 AM, thierry bordaz wrote: On 08/18/2015 09:55 AM, Martin Basti wrote: On 08/18/2015 09:50 AM, thierry bordaz wrote: On 08/17/2015 08:33 PM, Martin Basti wrote: Hello, the 'user-stage' command replaces 'stageuser-add --from-delete' command. https://fedorahosted.org/freeipa/ticket/5041 Thierry can you check If I don't break everything, it works for me, but the one never knows. Honza can you please check the framework side? I use self.api.Object.stageuser.add.* in user command, I'm not sure if this is right way, but it works. Patch attached. I created it in hurry, I'm expecting NACK :D Just question at the end: should I implement way Active user - stageuser? IMHO it would be implemented internally by calling 'user-del --preserve' inside 'user-stage'. Hi Martin, There is a small failure with VERSION (edewata pushed his patch first ;-) ) git apply -v /tmp/freeipa-mbasti-0297-Add-user-stage-command.patch Checking patch API.txt... Checking patch VERSION... error: while searching for: # # IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MINOR=148 # Last change: ftweedal - add --out option to user-show error: patch failed: VERSION:90 error: VERSION: patch does not apply Checking patch ipalib/plugins/stageuser.py... Checking patch ipalib/plugins/user.py... There is many pending patches that may change VERSION number, I will change it to right one before push. Does code looks good for you? Hi Martin, Just a question, there is no additional permission. Did you test being 'admin' ? thanks theirry No I didn't,. I preserver all permission, the original permissions should work. Martin Hi Martin, Running a test script, I have an issue with ipa stageuser-add --first=t --last=b tb1 ipa: ERROR: an internal error has occurred [Tue Aug 18 11:16:56.440658 2015] [wsgi:error] [pid 10486] ipa: INFO: [jsonserver_kerb] stage...@abc.idm.lab.eng.brq.redhat.com: stageuser_add(u'tb1', givenname=u't', sn=u'b', cn=u't b', displayname=u't b', initials=u'tb', gecos=u't b', krbprincipalname=u't...@abc.idm.lab.eng.brq.redhat.com', random=False, all=False, raw=False, version=u'2.149', no_members=False): AttributeError [Tue Aug 18 11:21:25.198021 2015] [wsgi:error] [pid 10485] ipa: ERROR: non-public: AttributeError: 'DN' object has no attribute 'setdefault' [Tue Aug 18 11:21:25.198053 2015] [wsgi:error] [pid 10485] Traceback (most recent call last): [Tue Aug 18 11:21:25.198058 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347, in wsgi_execute [Tue Aug 18 11:21:25.198062 2015] [wsgi:error] [pid 10485] result = self.Command[name](*args, **options) [Tue Aug 18 11:21:25.198066 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__ [Tue Aug 18 11:21:25.198070 2015] [wsgi:error] [pid 10485] ret = self.run(*args, **options) [Tue Aug 18 11:21:25.198081 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run [Tue Aug 18 11:21:25.198133 2015] [wsgi:error] [pid 10485] return self.execute(*args, **options) [Tue Aug 18 11:21:25.198139 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1227, in execute [Tue Aug 18 11:21:25.198144 2015] [wsgi:error] [pid 10485] *keys, **options) [Tue Aug 18 11:21:25.198147 2015] [wsgi:error] [pid 10485] File /usr/lib/python2.7/site-packages/ipalib/plugins/stageuser.py, line 373, in pre_callback [Tue Aug 18 11:21:25.198151 2015] [wsgi:error] [pid 10485] attrs_list, *keys, **options) [Tue Aug 18 11:21:25.198155 2015] [wsgi:error] [pid 10485] File
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On 2015-08-20 20:42, Robbie Harwood wrote: Michael Šimáček msima...@redhat.com writes: On 2015-08-20 12:32, Michael Šimáček wrote: Michael Šimáček msima...@redhat.com writes: Attaching new revision of the patch. Changes from the previous: - ldap2's connect now chooses the bind type same way as in ipaldap - get_default_realm usages replaced by api.env.realm - fixed missing third kinit attempt in trust-fetch-domains - removed rewrapping gssapi errors to ccache errors in krb_utils - updated some parts of exception handling Rebased on top of current master. One of the commits reintroduced krbV dependency that I didn't notice. Attaching updated revision. Only changes against previous revision are in files daemons/dnssec/ipa-dnskeysync-replica and daemons/dnssec/ipa-ods-exporter. This is much better, thanks! I've got some comments inline. +except gssapi.exceptions.GSSError: # If there was failure on using keytab, assume it is stale and retrieve again retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) This code still bothers me a bit, but I think fixing it is probably beyond the scope of a python-gssapi port. The code catches all GSSAPI exceptions and retries to do the same thing with different keytab. So if there was a problem unrelated to keytab, the same exception will be raised again. Nothing will be ignored silently. +try: +creds = get_credentials(name=name, ccache_name=ccache_name) +# property access would raise exception if expired +if creds.lifetime 0: +return creds +except gssapi.exceptions.ExpiredCredentialsError: +return None Per rfc2744, lifetime is unsigned. It's not immediately clear what will happen when `creds.lifetime == 0`; perhaps an explicit `return Nune` in that case? I think the check is probably redundant, gssapi raises exception upon inquiring expired credentials. In trust-fetch-domains I just access the lifetime in try-except without using the value, so I could do the same here. It would be nice if gssapi provided some 'is_valid' or 'is_expired' method, so I wouldn't need to rely on side-effects of property access, which is hard to read and confuses pylint. # Setup LDAP connection try: -ctx = krbV.default_context() -ccache = ctx.default_ccache() -api.Backend.ldap2.connect(ccache) +api.Backend.ldap2.connect() cls.ldap = api.Backend.ldap2 -except krbV.Krb5Error as e: +except gssapi.exceptions.GSSError: sys.exit(Must have Kerberos credentials to migrate Winsync users.) Can you log the error here? The other places GSSError is being caught are doing a great job of either filtering-and-raising or logging-and-exiting, so thanks for fixing those. Yes, I'll update it in next revision of the patch. +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache +# name, but we don't need it outside test server +def get_default_ccache_name(): +try: +out = check_output(['klist']) +except CalledProcessError: +raise RuntimeError(Default ccache not found. Did you kinit?) +match = re.match(r'^Ticket cache:\s*(\S+)', out) +if not match: +raise RuntimeError(Cannot obtain ccache name) +return match.group(1) Yup, this is still ugly. Ah well, it's only test code. I was trying to modify the code to not need the variable and just use the default, but it is used for manipulating it as a file - in production it is always defined by mod_auth_gssapi. So I'd keep this as is. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] conflict in the 4.2 packages freeipa-server and freeipa-server-dns
$ yum install freeipa-*.rpm Yum command has been deprecated, redirecting to '/usr/bin/dnf install freeipa-admintools-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-client-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-debuginfo-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-python-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-dns-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-trust-ad-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-tests-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm'. See 'man dnf' and 'man yum2dnf' for more information. To transfer transaction metadata from yum to DNF, run: 'dnf install python-dnf-plugins-extras-migrate dnf-2 migrate' Last metadata expiration check performed 0:00:39 ago on Fri Aug 21 09:48:30 2015. Error: package freeipa-server-dns-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
On Fri, 2015-08-21 at 15:52 +0200, Michael Šimáček wrote: On 2015-08-20 20:42, Robbie Harwood wrote: Michael Šimáček msima...@redhat.com writes: On 2015-08-20 12:32, Michael Šimáček wrote: Michael Šimáček msima...@redhat.com writes: Attaching new revision of the patch. Changes from the previous: - ldap2's connect now chooses the bind type same way as in ipaldap - get_default_realm usages replaced by api.env.realm - fixed missing third kinit attempt in trust-fetch-domains - removed rewrapping gssapi errors to ccache errors in krb_utils - updated some parts of exception handling Rebased on top of current master. One of the commits reintroduced krbV dependency that I didn't notice. Attaching updated revision. Only changes against previous revision are in files daemons/dnssec/ipa-dnskeysync-replica and daemons/dnssec/ipa-ods-exporter. This is much better, thanks! I've got some comments inline. +except gssapi.exceptions.GSSError: # If there was failure on using keytab, assume it is stale and retrieve again retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal) This code still bothers me a bit, but I think fixing it is probably beyond the scope of a python-gssapi port. The code catches all GSSAPI exceptions and retries to do the same thing with different keytab. So if there was a problem unrelated to keytab, the same exception will be raised again. Nothing will be ignored silently. +try: +creds = get_credentials(name=name, ccache_name=ccache_name) +# property access would raise exception if expired +if creds.lifetime 0: +return creds +except gssapi.exceptions.ExpiredCredentialsError: +return None Per rfc2744, lifetime is unsigned. It's not immediately clear what will happen when `creds.lifetime == 0`; perhaps an explicit `return Nune` in that case? I think the check is probably redundant, gssapi raises exception upon inquiring expired credentials. In trust-fetch-domains I just access the lifetime in try-except without using the value, so I could do the same here. It would be nice if gssapi provided some 'is_valid' or 'is_expired' method, so I wouldn't need to rely on side-effects of property access, which is hard to read and confuses pylint. Inquiring the credentials *is* the method to check if they are valid or expired, what don't you like about it? The fact it raises when they are expired ? # Setup LDAP connection try: -ctx = krbV.default_context() -ccache = ctx.default_ccache() -api.Backend.ldap2.connect(ccache) +api.Backend.ldap2.connect() cls.ldap = api.Backend.ldap2 -except krbV.Krb5Error as e: +except gssapi.exceptions.GSSError: sys.exit(Must have Kerberos credentials to migrate Winsync users.) Can you log the error here? The other places GSSError is being caught are doing a great job of either filtering-and-raising or logging-and-exiting, so thanks for fixing those. Yes, I'll update it in next revision of the patch. +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache +# name, but we don't need it outside test server +def get_default_ccache_name(): +try: +out = check_output(['klist']) +except CalledProcessError: +raise RuntimeError(Default ccache not found. Did you kinit?) +match = re.match(r'^Ticket cache:\s*(\S+)', out) +if not match: +raise RuntimeError(Cannot obtain ccache name) +return match.group(1) Yup, this is still ugly. Ah well, it's only test code. I was trying to modify the code to not need the variable and just use the default, but it is used for manipulating it as a file - in production it is always defined by mod_auth_gssapi. So I'd keep this as is. Ideally we use export_cred/store_cred and not manipulate files directly, but with memcache in the picture we have to compromise anyway, oh well ... Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] conflict in the 4.2 packages freeipa-server and freeipa-server-dns
On 08/21/2015 04:25 PM, Oleg Fayans wrote: $ yum install freeipa-*.rpm Yum command has been deprecated, redirecting to '/usr/bin/dnf install freeipa-admintools-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-client-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-debuginfo-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-python-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-dns-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-server-trust-ad-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm freeipa-tests-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64.rpm'. See 'man dnf' and 'man yum2dnf' for more information. To transfer transaction metadata from yum to DNF, run: 'dnf install python-dnf-plugins-extras-migrate dnf-2 migrate' Last metadata expiration check performed 0:00:39 ago on Fri Aug 21 09:48:30 2015. Error: package freeipa-server-dns-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64 obsoletes freeipa-server = 4.2.0.0 provided by freeipa-server-4.2.0-20150821123735Zjenkins41git6b86238.fc22.x86_64 This is already being discussed in the following thread: https://www.redhat.com/archives/freeipa-devel/2015-August/msg00085.html -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES] 0696-0710 More modernization
On 2015-08-21 12:55, Petr Viktorin wrote: On 08/14/2015 07:44 PM, Petr Viktorin wrote: Hello, These patches bring IPA another step towards compatibility with Python 3. Most of these were made by fixers from the python-modernize tool, but I reviewed and edited the results. Here are the patches rebased to current master. 0696.2-Remove-use-of-sys.exc_value ACK 0697.2-Don-t-use-a-tuple-in-function-arguments I prefer operator.itemgetter() over the hard-to-read lambda expression key=lambda k_v: (k_v[1], k_v[0]). import operator example = dict(a=3, ba=2, b=2, c=1) sorted(example.items(), key=operator.itemgetter(1, 0)) [('c', 1), ('b', 2), ('ba', 2), ('a', 3)] 0698.2-Add-python-six-to-dependencies ACK 0699.2-Remove-the-unused-pygettext-script ACK 0700.2-Use-six.string_types-instead-of-basestring LGTM, but I need to have a closer look at some places. I noticed a couple of asserts that should be if ... raise ValueError instead. python -o disables asserts. 0701.2-Use-Python3-compatible-dict-method-names NACK Why are you replacing iteritems() with items() instead of using six.iteritems()? Please use sorted(reference) instead of sorted(reference.keys()), set(tree) instead of set(tree.keys()) and list(somedict) instead of list(somedict.keys()), too. The keys() call is unnecessary and frowned upon. 0702.2-Replace-filter-calls-with-list-comprehensions In Python 2 list comprehensions leak the internal loop variable. It might be better to write a generator expression with list() instead of [] list comprehension. 0703.2-Use-six.moves.input-instead-of-raw_input ACK The code is fine, but pylint won't like it. For Dogtag I had to disable pylint warnings W0622 and F0401. 0704.2-Use-six.integer_types-instead-of-long-int ACK hint: For type checks you can also use the numbers module. 0705.2-Replace-uses-of-map See comment for 0702 706.2-Use-next-function-on-iterators ACK 0707.2-Use-the-print-function LGTM There are too many chances to review. Let's hope the automatic conversion tool did its job correctly. 0708.2-Use-new-style-raise-syntax ACK 0709.2-Use-six.reraise ACK 0710.2-Modernize-use-of-range NACK Please use six.moves.range. It defaults to xrange() in Python 2. I also see a couple of additional opportunities for enumerate(): for i in range(len(kw['attrs'])): kw['attrs'][i] = unicode(kw['attrs'][i]) for i, s in enumerate(kw['attrs']): kw['attrs'][i] = unicode(s) 0711.2-Convert-zip-result-to-list ACK The code isn't beautiful but it's just a test. signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [Freeipa-users] Dns SOA MNAME not resolving from LDAP data
confirmed working. Does this default value make any sense if this value is changeable in the UI and using the IPA client? Kind Regards, David 2015-08-20 14:38 GMT+02:00 Martin Basti mba...@redhat.com: On 08/20/2015 02:35 PM, David Dejaeghere wrote: Aha, Correct. But i never set this. This option seems to be set by default. I verified this issue on multiple installs. It seems they all have this option set by default? Can i safely change named.conf without fearing my modifications will be lost on an update? Kind Regards, David (Adding freeipa-users back) I checked code, it is default. You can change named.conf, upgrade will not replace it. Martin 2015-08-20 14:32 GMT+02:00 Martin Basti mba...@redhat.com: On 08/20/2015 02:22 PM, Martin Basti wrote: On 08/20/2015 01:48 PM, David Dejaeghere wrote: Hi, I noticed that changing the authoritarive nameserver in FreeIPA reflects correctly to its directory data but bind will not resolve the soa record with the updated mname details. For example I add a zone test.be and change the mname record. [root@ns02 ~]# ipa dnszone-add Zone name: test.be Zone name: test.be. Active zone: TRUE * Authoritative nameserver: ns02.tokiogroup.be http://ns02.tokiogroup.be.* Administrator e-mail address: hostmaster SOA serial: 1440070999 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant TOKIOGROUP.BE krb5-self * A; grant TOKIOGROUP.BE krb5-self * ; grant TOKIOGROUP.BE krb5-self * SSHFP; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@ns02 ~]# ipa dnszone-mod --nameserver anaconda-ks.cfg .bash_logout .bashrc .ipa/.ssh/ .bash_history.bash_profile.cshrc .pki/ .tcshrc [root@ns02 ~]# ipa dnszone-mod --name-server* ns7.tokiogroup.be http://ns7.tokiogroup.be*. Zone name: test.be ipa: WARNING: Semantic of setting Authoritative nameserver was changed. It is used only for setting the SOA MNAME attribute. NS record(s) can be edited in zone apex - '@'. Zone name: test.be. Active zone: TRUE *Authoritative nameserver: ns7.tokiogroup.be http://ns7.tokiogroup.be.* Administrator e-mail address: hostmaster SOA serial: 1440071001 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; [root@ns02 ~]# nslookup set q=SOA test.be Server: 127.0.0.1 Address:127.0.0.1#53 test.be * origin = ns02.tokiogroup.be http://ns02.tokiogroup.be* mail addr = hostmaster.test.be serial = 1440071001 refresh = 3600 retry = 900 expire = 1209600 minimum = 3600 As you can see the SOA record still shows the original default value. Kind Regards, David Dejaeghere Thank you for this bug report. I opened bind-dyndb-ldap ticket https://fedorahosted.org/bind-dyndb-ldap/ticket/159 https://fedorahosted.org/bind-dyndb-ldap/ticket/159 Martin I maybe found why do you have this issue, do you have fake_mname configured in bind_dyndb_ldap section of named.conf? If yes then remove this option to use SOA MNAME from LDAP. Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0003] Bump python-gssapi version to 1.1.2
python-gssapi had a bug in exception handling that caused exceptions to be shadowed by LookupError. The new version should fix the problem. https://fedorahosted.org/freeipa/ticket/5225 From 0798416ea4a21b4baa9a9f38b1525f47d153d2df Mon Sep 17 00:00:00 2001 From: Michael Simacek msima...@redhat.com Date: Fri, 21 Aug 2015 17:06:51 +0200 Subject: [PATCH] Bump python-gssapi version to 1.1.2 python-gssapi had a bug in exception handling that caused exceptions to be shadowed by LookupError. The new version should fix the problem. --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index ddb108cc1b0cee781b71fcc758eaa0d2d4c6c028..5d6c160f005203d664066cef851d03399f66942a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -71,7 +71,7 @@ BuildRequires: python-setuptools BuildRequires: python-nss BuildRequires: python-cryptography BuildRequires: python-netaddr -BuildRequires: python-gssapi = 1.1.1 +BuildRequires: python-gssapi = 1.1.2 BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint = 1.0 @@ -127,7 +127,7 @@ Requires: mod_wsgi Requires: mod_auth_gssapi = 1.1.0-2 Requires: mod_nss = 1.0.8-26 Requires: python-ldap = 2.4.15 -Requires: python-gssapi = 1.1.1 +Requires: python-gssapi = 1.1.2 Requires: python-sssdconfig Requires: acl Requires: python-pyasn1 -- 2.1.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0003] Bump python-gssapi version to 1.1.2
On Fri, 2015-08-21 at 17:13 +0200, Michael Šimáček wrote: python-gssapi had a bug in exception handling that caused exceptions to be shadowed by LookupError. The new version should fix the problem. https://fedorahosted.org/freeipa/ticket/5225 ACK. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0003] Added PyYAML as a dependency for ipa-tests, fixed a replica preparation in RHEL
On 08/20/2015 12:08 PM, Martin Babinsky wrote: On 08/20/2015 11:48 AM, Oleg Fayans wrote: Fixed two failures of integration tests under RHEL: 1. PyYAML, needed for integration tests is not installed as a dependency 2. ipa-replica-prepare requests a reverse zone info under RHEL. Hi Oleg, it is a good practice to fix unrelated issues in separate patches, not a single one. Also, I am not sure PyYAML should be marked as required dependency. According to http://www.freeipa.org/page/Integration_testing_configuration the YAML/JSON configuration of tests is optional besides using environment variables. I might be better to handle the ImportError when IPATEST_YAML_CONFIG is set without PyYAML installed (see `ipatests/test_integration/env_config.py` line 110) and print some error message instructing the user to install the package. This is correct, YAML is not a required dependency, environment variables can be used as a substitute. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code