Re: [Freeipa-devel] [PATCH 0096] check whether replica exists before executing the domain level 1 deletion code

[Martin Basti]

On 04.12.2015 17:23, Martin Babinsky wrote:

On 12/04/2015 05:12 PM, Petr Vobornik wrote:

On 12/01/2015 09:18 AM, Martin Basti wrote:



On 18.11.2015 13:25, Martin Babinsky wrote:

Additional fix for https://fedorahosted.org/freeipa/ticket/5424

In current implementation the topology suffices are checked first and
after that the error about non-existent host is raised. This does not
make much sense to me, we should check for host existence before any
work is done.




ACK



Any reason to use host-show and not server-show?

host-show will be successful on any host, server-show only if the host
is an IPA server.
Good catch, I have fixed it in this patch. I have also modified the 
error message slightly.



ACK
Pushed to master: ee853a3d35701d1d799f902f823b8a8cedb90013

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0109-0110] fix auto-forwarders in standalone DNS installer and update man pages

[Martin Basti]

On 04.12.2015 20:14, Martin Babinsky wrote:

Additional fixes for https://fedorahosted.org/freeipa/ticket/5438




ACK

Pushed to master: 0997f6b9aadfe996a02004b4f3d03411ff5d141c

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0066] Migrate wget references to curl

[Gabe Alford]

My bad. Copy and paste error. Updated patch attached.

Thanks,

Gabe

On Fri, Dec 4, 2015 at 12:17 PM, Martin Basti  wrote:

>
>
> On 01.12.2015 15:00, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5458
>
> Thanks,
>
> Gabe
>
>
> Hello,
>
> I haven't looked closer, but your patch is causing this:
>
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30
> seconds
>   [1/27]: creating certificate server user
>   [2/27]: configuring certificate server instance
>   [3/27]: stopping certificate server instance to update CS.cfg
>   [4/27]: backing up CS.cfg
>   [5/27]: disabling nonces
>   [6/27]: set up CRL publishing
>   [7/27]: enable PKIX certificate path discovery and validation
>   [8/27]: starting certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [9/27]: creating RA agent certificate database
>   [10/27]: importing CA chain to RA certificate database
>   [11/27]: fixing RA database permissions
>   [12/27]: setting up signing cert profile
>   [13/27]: setting audit signing renewal to 2 years
>   [14/27]: restarting certificate server
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [15/27]: requesting RA certificate from CA
>   [16/27]: issuing RA agent certificate
>   [17/27]: adding RA agent as a trusted user
>   [18/27]: authorizing RA to modify profiles
>   [19/27]: configure certmonger for renewals
>   [20/27]: configure certificate renewals
>   [21/27]: configure RA certificate renewal
>   [22/27]: configure Server-Cert certificate renewal
>   [23/27]: Configure HTTP to proxy connections
>   [24/27]: restarting certificate server
>
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> the Dogtag instance.See the installation log for details.
>   [25/27]: migrating certificate profiles to LDAP
>   [26/27]: importing IPA certificate profiles
>   [27/27]: adding default CA ACL
>
>
> CA is operational and ready, but IPA installer is not able to detect it
> correctly
>
> 2015-12-04T19:08:54Z DEBUG stderr=curl: option --connect-timeout 30: is
> unknown
> curl: try 'curl --help' or 'curl --manual' for more information
>
> Martin^2
>
From bbeac791988e3bc9a2dc98b9d782b397baab4ba1 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 4 Dec 2015 14:52:03 -0700
Subject: [PATCH] Migrate wget references and usage to curl

https://fedorahosted.org/freeipa/ticket/5458
---
 freeipa.spec.in|  4 ++--
 ipa-client/ipa-install/ipa-client-install  |  2 +-
 ipaplatform/base/paths.py  |  2 +-
 ipaplatform/redhat/services.py |  8 
 ipaserver/advise/plugins/legacy_clients.py | 14 +++---
 ipatests/test_integration/test_advise.py   | 10 +-
 6 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a60d9b63f363773b6ca1b0969fa56b369a94092f..0d022a915bb89245c96ab9c02e10a41b38646a9c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -262,7 +262,7 @@ Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
-Requires: wget
+Requires: curl
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.13.1
@@ -330,7 +330,7 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: wget
+Requires: curl
 Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 974dd1da8bf3f5836170ca67d2f4c298e7ec6844..20c9b05532c10b1c5789f26f87c2aebfc9a859b3 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1922,7 +1922,7 @@ def get_ca_certs_from_http(url, warn=True):
 root_logger.debug("trying to retrieve CA cert via HTTP from %s", url)
 try:
 
-stdout, stderr, rc = run([paths.BIN_WGET, "-O", "-", url])
+stdout, stderr, rc = run([paths.BIN_CURL, "-o", "-", url])
 except CalledProcessError as e:
 raise errors.NoCertificateError(entry=url)
 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 9ee488f9fdef19cb409752d66775bcbee6665ba8..762a38136e6c612767705389ee667b6f2ddab397 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -179,7 +179,7 @@ class BasePathNamespace(object):
 SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
 BIN_TIMEOUT = "/usr/bin/timeout"
 UPDATE_CA_TRUST = "/usr/bin/update-ca-trust"
-BIN_WGET = "/usr/bin/wget"
+BIN_CURL = "/usr/bin/curl"
 ZIP = "/usr/bin/zip"
 BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
 BIND_LDAP_DNS_IPA_WORKDIR = "/var/named/dyndb-ldap/ipa/"
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services

Re: [Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

[Martin Basti]

On 04.12.2015 20:49, Rob Crittenden wrote:

Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5409

Should it also warn about the potential loss of the DNSSEC master?

rob


IMO we can detect from statefiles if there were DNSSEC installed.

Then it also should warn about potential loss of CA and KRA in case that 
it is the last replica containing it.



Otherwise the patch LGTM.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

[Rob Crittenden]

Martin Babinsky wrote:
> https://fedorahosted.org/freeipa/ticket/5409

Should it also warn about the potential loss of the DNSSEC master?

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

[Martin Babinsky]

https://fedorahosted.org/freeipa/ticket/5409

--
Martin^3 Babinsky
From 2b710f7dbc2017bfc0a0b090d55f631c7017f79f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 4 Dec 2015 20:29:18 +0100
Subject: [PATCH] prevent crashes of server uninstall check caused by failed
 LDAP connections

https://fedorahosted.org/freeipa/ticket/5409
---
 ipaserver/install/server/install.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b6f1b98c544f46608ecb4b9a3267ab733b916617..6c1c65618695d3035868dc9a931677728e8aab53 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1091,6 +1091,8 @@ def uninstall_check(installer):
 realm=api.env.realm
 )
 conn.do_external_bind(pwd.getpwuid(os.geteuid()).pw_name)
+api.Backend.ldap2.connect(autobind=True)
+domain_level = dsinstance.get_domain_level(api)
 except Exception:
 msg = ("\nWARNING: Failed to connect to Directory Server to find "
"information about replication agreements. Uninstallation "
@@ -1098,9 +1100,7 @@ def uninstall_check(installer):
"agreements.\n\n")
 print(textwrap.fill(msg, width=80, replace_whitespace=False))
 else:
-api.Backend.ldap2.connect(autobind=True)
 dns.uninstall_check(options)
-domain_level = dsinstance.get_domain_level(api)
 
 if domain_level == constants.DOMAIN_LEVEL_0:
 if options.ignore_topology_disconnect:
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0066] Migrate wget references to curl

[Martin Basti]

On 01.12.2015 15:00, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5458

Thanks,

Gabe



Hello,

I haven't looked closer, but your patch is causing this:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 
30 seconds

  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart 
the Dogtag instance.See the installation log for details.

  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: setting audit signing renewal to 2 years
  [14/27]: restarting certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart 
the Dogtag instance.See the installation log for details.

  [15/27]: requesting RA certificate from CA
  [16/27]: issuing RA agent certificate
  [17/27]: adding RA agent as a trusted user
  [18/27]: authorizing RA to modify profiles
  [19/27]: configure certmonger for renewals
  [20/27]: configure certificate renewals
  [21/27]: configure RA certificate renewal
  [22/27]: configure Server-Cert certificate renewal
  [23/27]: Configure HTTP to proxy connections
  [24/27]: restarting certificate server

ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart 
the Dogtag instance.See the installation log for details.

  [25/27]: migrating certificate profiles to LDAP
  [26/27]: importing IPA certificate profiles
  [27/27]: adding default CA ACL


CA is operational and ready, but IPA installer is not able to detect it 
correctly


2015-12-04T19:08:54Z DEBUG stderr=curl: option --connect-timeout 30: is 
unknown

curl: try 'curl --help' or 'curl --manual' for more information

Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

[Rob Crittenden]

Martin Kosek wrote:
> On 12/04/2015 07:17 PM, Tomas Babej wrote:
>> Hi,
>>
>> Avoids failing in the later stages during the ipa-client-install
>> command.
>>
>> Tomas
> 
> Is this change needed? Wouldn't it be better to update
> ipa-client-install or ipa-replica-install to not require the --domain
> option? I would hope that --domain can be figured out during
> installation and not passed to ipa-replica-install manually by the admin.
> 
> I just think that calling
> # ipa-replica-install --server=master.example.com
> is better than
> # ipa-replica-install --server=master.example.com --domain example.com
> if possible.

IIRC this is for service discovery when using a specific server and not
LDAP. This is the domain used to search for the kerberos realm, for
example.

That isn't to say this isn't discoverable but it would require another
function in discovery to query what the IPA domain is from the given
master but it gets tricky if anonymous search is disabled, for example.

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

[Martin Basti]

On 04.12.2015 20:15, Martin Kosek wrote:

On 12/04/2015 07:17 PM, Tomas Babej wrote:

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas


Is this change needed? Wouldn't it be better to update 
ipa-client-install or ipa-replica-install to not require the --domain 
option? I would hope that --domain can be figured out during 
installation and not passed to ipa-replica-install manually by the admin.


I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.

Martin


How about hostname 'my.ipa.example.com' and and domain 'example.com'

We already have plenty of code that is trying to use a crystal ball to 
detect what is right, we do not need additional one.


Martin^2

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

[Martin Kosek]

On 12/04/2015 07:17 PM, Tomas Babej wrote:

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas


Is this change needed? Wouldn't it be better to update ipa-client-install or 
ipa-replica-install to not require the --domain option? I would hope that 
--domain can be figured out during installation and not passed to 
ipa-replica-install manually by the admin.


I just think that calling
# ipa-replica-install --server=master.example.com
is better than
# ipa-replica-install --server=master.example.com --domain example.com
if possible.

Martin

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0109-0110] fix auto-forwarders in standalone DNS installer and update man pages

[Martin Babinsky]

Additional fixes for https://fedorahosted.org/freeipa/ticket/5438

--
Martin^3 Babinsky
From 2f6c7183bcfd3dc04e0a76b622bedb6db0b7feb8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 4 Dec 2015 20:09:46 +0100
Subject: [PATCH 2/2] add '--auto-forwarders' description to server/replica/DNS
 installer man pages

https://fedorahosted.org/freeipa/ticket/5438
---
 install/tools/man/ipa-dns-install.1 | 3 +++
 install/tools/man/ipa-replica-install.1 | 3 +++
 install/tools/man/ipa-server-install.1  | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 66afe7fae5e82f48c7dc4d7c763f0483a41ecda1..2f2d43db7d14fd2cf8b2190c74b5dc9cbca35d69 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -38,6 +38,9 @@ A forwarder is a DNS server where queries for a specific non\-resolvable address
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root servers.
 .TP
+\fB\-\-auto\-forwarders\fR
+Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
+.TP
 \fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
 The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
 .TP
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 6b323c55cfbac6f9035291832a5efff348cdc403..68976e7f9d40e79df409d8ad61e38ea61fb292dd 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -146,6 +146,9 @@ the \fB\-\-no\-forwarders\fR option is specified.
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders. Root DNS servers will be used instead.
 .TP
+\fB\-\-auto\-forwarders\fR
+Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
+.TP
 \fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
 The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
 .TP
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8d79755c9f07697eb1533788edbc6027c8d6fbd5..7106e9ed57dee6bc4ce921c48459cd33522c7ac2 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -155,6 +155,9 @@ the \fB\-\-no\-forwarders\fR option is specified.
 \fB\-\-no\-forwarders\fR
 Do not add any DNS forwarders. Root DNS servers will be used instead.
 .TP
+\fB\-\-auto\-forwarders\fR
+Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
+.TP
 \fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
 The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
 .TP
-- 
2.5.0

From e61d8fb14d5c1f47f48a60bc2057c317e8b5a067 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 4 Dec 2015 20:07:29 +0100
Subject: [PATCH 1/2] add auto-forwarders option to standalone DNS installer

https://fedorahosted.org/freeipa/ticket/5438
---
 install/tools/ipa-dns-install | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index b6b922e881c21e00994a8fba696d6858f018ac0e..bdaffd30b2554c100dc29bd18e0474165d05c024 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -49,6 +49,9 @@ def parse_options():
   type="ip", help="Add a DNS forwarder. This option can be used multiple times")
 parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
   default=False, help="Do not add any DNS forwarders, use root servers instead")
+parser.add_option("--auto-forwarders", dest="auto_forwarders",
+  action="store_true", default=False,
+  help="Use DNS forwarders configured in /etc/resolv.conf")
 parser.add_option("--reverse-zone", dest="reverse_zones",
   default=[], action="append", metavar="REVERSE_ZONE",
   help="The reverse DNS zone to use. This option can be used multiple times")
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 941 Extend topology help

[Petr Vobornik]

On 12/04/2015 07:04 PM, Tomas Babej wrote:



On 12/04/2015 06:58 PM, Tomas Babej wrote:



On 12/03/2015 04:58 PM, Petr Vobornik wrote:

`ipa help topology` is improved.




Looks good. I changed one part of the documentation for more clarity,
see the attached patch.

Otherwise ACK from me.

Tomas





Fixed a typo.

s/the/that

Tomas




ACK on the change.

Pushed to master: 81c06327b955f71cbbd89e5cfa47594157c3fcae
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0108] replica install: improvements in the handling of CA-related IPA config entries

[Martin Basti]

On 03.12.2015 17:05, Martin Babinsky wrote:
This patch fixes https://fedorahosted.org/freeipa/ticket/5506 and also 
reorganizes the way CA installer updates IPA default.conf.


Maybe a simpler patch would suffice, but I had a need to improve 
things a bit.


This one is for master branch only. IIRC the situation described in 
#5506 does not occur in domain level 0, however the root cause 
(incorrect forwarding of certmonger requests by CA-less replicas) 
manifests when enrolling a client against CA-less replica and 
requesting host certificate.


Should I open a separate ticket for that?




ACK
Pushed to master: a497288b3eafe00ab9c819dd4a51d0b421824b36

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

[Tomas Babej]

Hi,

Avoids failing in the later stages during the ipa-client-install
command.

Tomas
From 477a9a197524ff39373f5e58cf7c7ee173657c91 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Fri, 4 Dec 2015 19:13:07 +0100
Subject: [PATCH] replicainstall: Add check for domain if server is specified

Avoids failing in the later stages during the ipa-client-install
command.
---
 ipaserver/install/server/replicainstall.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ec77ab21b1e4969bdcd8d9e588eed7b97e3a9079..4ab40256d15bbd534e910c0ca008bb79a15b268b 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1353,6 +1353,12 @@ class Replica(BaseServer):
 raise RuntimeError("--dirsrv-cert-file and --http-cert-file "
"are required if any PKCS#12 options are "
"used")
+
+if self.server and not self.domain_name:
+raise RuntimeError("The --server option cannot be used "
+   "without providing domain via the --domain "
+   "option")
+
 else:
 if not ipautil.file_exists(self.replica_file):
 raise RuntimeError("Replica file %s does not exist"
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 941 Extend topology help

[Tomas Babej]

On 12/04/2015 06:58 PM, Tomas Babej wrote:
> 
> 
> On 12/03/2015 04:58 PM, Petr Vobornik wrote:
>> `ipa help topology` is improved.
>>
>>
> 
> Looks good. I changed one part of the documentation for more clarity,
> see the attached patch.
> 
> Otherwise ACK from me.
> 
> Tomas
> 
> 
> 

Fixed a typo.

s/the/that

Tomas
From 80b12c6198fc3c845ddeb8d361a65dbb59fb09aa Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Thu, 3 Dec 2015 16:29:27 +0100
Subject: [PATCH] Extend topology help

`ipa help topology` is improved.
---
 ipalib/plugins/topology.py | 53 --
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index 40f9fa8038d4bcb6c0eeb82a37ac796d732b82fd..128a347484939be3e1f1ce59a2fcd8d1fcedb3e4 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -22,9 +22,58 @@ if six.PY3:
 __doc__ = _("""
 Topology
 
-Management of a replication topology.
+Management of a replication topology at domain level 1.
+""") + _("""
+IPA server's data is stored in LDAP server in two suffixes:
+* domain suffix, e.g., 'dc=example,dc=com', contains all domain related data
+* ca suffix, 'o=ipaca', is present only on server with CA installed. It
+  contains data for Certificate Server component
+""") + _("""
+Data stored on IPA servers is replicated to other IPA servers. The way it is
+replicated is defined by replication agreements. Replication agreements needs
+to be set for both suffixes separately. On domain level 0 they are managed
+using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1
+they are managed centrally using `ipa topology*` commands.
+""") + _("""
+Agreements are represented by topology segments. By default topology segment
+represents 2 replication agreements - one for each direction, e.g., A to B and
+B to A. Creation of unidirectional segments is not allowed.
+""") + _("""
+To verify that no server is disconnected in the topology of the given suffix,
+use:
+  ipa topologysuffix-verify $suffix
+""") + _("""
 
-Requires minimum domain level 1.
+Examples:
+  Find all IPA servers:
+ipa server-find
+""") + _("""
+  Find all suffixes:
+ipa topologysuffix-find
+""") + _("""
+  Add topology segment to 'domain' suffix:
+ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_B
+""") + _("""
+  Add topology segment to 'ca' suffix:
+ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_B
+""") + _("""
+  List all topology segments in 'domain' suffix:
+ipa topologysegment-find domain
+""") + _("""
+  List all topology segments in 'ca' suffix:
+ipa topologysegment-find ca
+""") + _("""
+  Delete topology segment in 'domain' suffix:
+ipa topologysegment-del domain segment_name
+""") + _("""
+  Delete topology segment in 'ca' suffix:
+ipa topologysegment-del ca segment_name
+""") + _("""
+  Verify topology of 'domain' suffix:
+ipa topologysuffix-verify domain
+""") + _("""
+  Verify topology of 'ca' suffix:
+ipa topologysuffix-verify ca
 """)
 
 register = Registry()
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 941 Extend topology help

[Tomas Babej]

On 12/03/2015 04:58 PM, Petr Vobornik wrote:
> `ipa help topology` is improved.
> 
> 

Looks good. I changed one part of the documentation for more clarity,
see the attached patch.

Otherwise ACK from me.

Tomas
From b460994c2a0f454ffcfdc8345d58c0c963155c7d Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Thu, 3 Dec 2015 16:29:27 +0100
Subject: [PATCH] Extend topology help

`ipa help topology` is improved.
---
 ipalib/plugins/topology.py | 53 --
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index 40f9fa8038d4bcb6c0eeb82a37ac796d732b82fd..662a8e2f354992336a21316ee06cb19af7c31bf2 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -22,9 +22,58 @@ if six.PY3:
 __doc__ = _("""
 Topology
 
-Management of a replication topology.
+Management of a replication topology at domain level 1.
+""") + _("""
+IPA server's data is stored in LDAP server in two suffixes:
+* domain suffix, e.g., 'dc=example,dc=com', contains all domain related data
+* ca suffix, 'o=ipaca', is present only on server with CA installed. It
+  contains data for Certificate Server component
+""") + _("""
+Data stored on IPA servers is replicated to other IPA servers. The way it is
+replicated is defined by replication agreements. Replication agreements needs
+to be set for both suffixes separately. On domain level 0 they are managed
+using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1
+they are managed centrally using `ipa topology*` commands.
+""") + _("""
+Agreements are represented by topology segments. By default topology segment
+represents 2 replication agreements - one for each direction, e.g., A to B and
+B to A. Creation of unidirectional segments is not allowed.
+""") + _("""
+To verify the no server is disconnected in the topology of the given suffix,
+use:
+  ipa topologysuffix-verify $suffix
+""") + _("""
 
-Requires minimum domain level 1.
+Examples:
+  Find all IPA servers:
+ipa server-find
+""") + _("""
+  Find all suffixes:
+ipa topologysuffix-find
+""") + _("""
+  Add topology segment to 'domain' suffix:
+ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_B
+""") + _("""
+  Add topology segment to 'ca' suffix:
+ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_B
+""") + _("""
+  List all topology segments in 'domain' suffix:
+ipa topologysegment-find domain
+""") + _("""
+  List all topology segments in 'ca' suffix:
+ipa topologysegment-find ca
+""") + _("""
+  Delete topology segment in 'domain' suffix:
+ipa topologysegment-del domain segment_name
+""") + _("""
+  Delete topology segment in 'ca' suffix:
+ipa topologysegment-del ca segment_name
+""") + _("""
+  Verify topology of 'domain' suffix:
+ipa topologysuffix-verify domain
+""") + _("""
+  Verify topology of 'ca' suffix:
+ipa topologysuffix-verify ca
 """)
 
 register = Registry()
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 940 Update ipa-(cs)replica-manage man pages

[Tomas Babej]

On 12/04/2015 12:09 PM, Petr Vobornik wrote:
> On 12/03/2015 04:58 PM, Petr Vobornik wrote:
>> SSIA
>>
> 
> Updated patch attached.
> 
> 

ACK, Pushed to master: 95d659b634b2ea13d18d26cacbd73e19972145f2

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0390] man: Update the ipa-replica-install manpage with promotion

[Tomas Babej]

On 12/04/2015 12:08 PM, Petr Vobornik wrote:
> On 12/03/2015 12:54 PM, Petr Vobornik wrote:
>> On 12/03/2015 12:06 PM, Tomas Babej wrote:
>>> Hi,
>>>
>>> this patch updates the man page for the ipa-replica-install given the
>>> latest changes (including the Jan's OTP patch).
>>>
>>> Tomas
>>>
>>
>>
>> Questions/suggestions:
>>
>> 1. "you cannot provide an replica file"
>>
>> It's true, but wouldn't it be better to say that "you don't need to". Or
>> communicate that it is a good thing. Cannot sounds too negative to me.
>>
>> 2. Why options: --password, --admin-password are in 'BASIC OPTIONS'
>> section and not also in new 'ENROLLMENT OPTIONS' section together with
>> --principal, --keytab, etc..? Maybe 'ENROLLMENT OPTIONS' should be
>> before "BASIC OPTIONS" and "BASIC OPTIONS" renamed.
>>
>>
>> General ideas, not related to this patch:
>> """
>> If the installation fails you may need to run ipa-server-install
>> --uninstall and ipa-client-install before running ipa-replica-install
>> again.
>>
>> The installation will fail if the host you are installing the
>> replica on exists as a host in IPA or an existing replication agreement
>> exists (for example, from a previously failed installation)
>> """
>>
>> I believe validators check this situation, right? So do we need to write
>> it in the man page.
> 
> 
> Attaching updated patch which reflects off-line cooperation with Tomas.
> 
> New option sections were added:
> DOMAIN LEVEL 1 OPTIONS
> DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS
> DOMAIN LEVEL 0 OPTIONS

ACK, Pushed to master: bb7934e3bc91155f21b45b5d5186bfda76a21f15.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0096] check whether replica exists before executing the domain level 1 deletion code

[Martin Babinsky]

On 12/04/2015 05:12 PM, Petr Vobornik wrote:

On 12/01/2015 09:18 AM, Martin Basti wrote:



On 18.11.2015 13:25, Martin Babinsky wrote:

Additional fix for https://fedorahosted.org/freeipa/ticket/5424

In current implementation the topology suffices are checked first and
after that the error about non-existent host is raised. This does not
make much sense to me, we should check for host existence before any
work is done.




ACK



Any reason to use host-show and not server-show?

host-show will be successful on any host, server-show only if the host
is an IPA server.
Good catch, I have fixed it in this patch. I have also modified the 
error message slightly.


--
Martin^3 Babinsky
From e4da5ca71d20ba7645f207bdfd31e09e83084517 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 18 Nov 2015 13:12:50 +0100
Subject: [PATCH] check whether replica exists before executing the domain
 level 1 deletion code

Move this check before the parts that check topology suffix connectivity, wait
for removed segments etc. If the hostname does not exist, it should really be
one of the first errors user encounters during ipa-replica-manage del.

https://fedorahosted.org/freeipa/ticket/5424
---
 install/tools/ipa-replica-manage | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 6d303e6f008325648461287448ef3d2712e23911..5124731255807287a7857b1a4cdc2e6799cd7278 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -668,6 +668,16 @@ def del_master_managed(realm, hostname, options):
 print("Can't remove itself: %s" % (options.host))
 sys.exit(1)
 
+try:
+api.Command.server_show(hostname_u)
+except errors.NotFound:
+if not options.cleanup:
+print("{hostname} is not listed among IPA masters.".format(
+hostname=hostname))
+print("Please specify an actual server or add the --cleanup "
+  "option to force clean up.")
+sys.exit(1)
+
 # 1. Connect to the local server
 try:
 thisrepl = replication.ReplicationManager(realm, options.host,
@@ -702,13 +712,7 @@ def del_master_managed(realm, hostname, options):
 try:
 api.Command.server_del(hostname_u)
 except errors.NotFound:
-if not options.cleanup:
-print("{hostname} does not exist.".format(hostname=hostname))
-print("Please specify an actual server or add the --cleanup "
-  "option to force clean up.")
-sys.exit(1)
-else:
-print("Server entry already deleted: %s" % (hostname))
+print("Server entry already deleted: %s" % (hostname))
 
 # 6. Cleanup
 try:
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0096] check whether replica exists before executing the domain level 1 deletion code

[Petr Vobornik]

On 12/01/2015 09:18 AM, Martin Basti wrote:



On 18.11.2015 13:25, Martin Babinsky wrote:

Additional fix for https://fedorahosted.org/freeipa/ticket/5424

In current implementation the topology suffices are checked first and
after that the error about non-existent host is raised. This does not
make much sense to me, we should check for host existence before any
work is done.




ACK



Any reason to use host-show and not server-show?

host-show will be successful on any host, server-show only if the host 
is an IPA server.

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

[Simo Sorce]

On Fri, 2015-12-04 at 15:39 +0100, Jan Cholasta wrote:
> On 4.12.2015 15:16, Jan Cholasta wrote:
> > On 4.12.2015 15:12, Jan Cholasta wrote:
> >> On 4.12.2015 11:15, Petr Vobornik wrote:
> >>> On 12/03/2015 03:11 PM, Martin Basti wrote:
> 
> 
>  On 01.12.2015 12:19, Jan Cholasta wrote:
> > On 23.11.2015 15:47, Simo Sorce wrote:
> >> On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:
> >>>
> >>> Ad alternative is to add the host to ipaservers before the checks
> >>> are
> >>> done and remove it again if any of them fail.
> >>
> >> Too error prone, I am ok with the current way in your patches
> >> until/unless I can think of a fail safe way. :-)
> >
> > Updated patches attached. Note that 520 should be applied between 509
> > and 510.
> >
> >
> >
>  Functional ACK
> 
> >>>
> >>> Simo, do you want to review the ACIs or other things it the patches? Or
> >>> can the patches be pushed?
> >>
> >> There were no changes in the ACIs since last time.
> >
> > Actually, memberPrincipal was removed from the "IPA server hosts can
> > manage own Custodia secrets" ACI, as per Simo's request.
> >
> >>
> >> Rebased patches attached.
> 
> Note that 520 should still be applied between 509 and 510.
> 

LGTM

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0004] Refactor test_attr

[Filip Škola]

Hi,

sending a new version of test_attr.

F.>From e1c0cf5dacc5624c9678458e3293a146a98729a5 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Fri, 27 Nov 2015 15:41:47 +0100
Subject: [PATCH] Refactor test_attr

---
 ipatests/test_xmlrpc/test_attr.py | 671 --
 1 file changed, 281 insertions(+), 390 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_attr.py b/ipatests/test_xmlrpc/test_attr.py
index 9248ce0448cfd08fcfe194d402c6819a283c2c07..125e0830aa00bb3960deb6144b8c76937cc2f883 100644
--- a/ipatests/test_xmlrpc/test_attr.py
+++ b/ipatests/test_xmlrpc/test_attr.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden 
+#   Filip Skola 
 #
 # Copyright (C) 2010  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -22,397 +23,287 @@ Test --setattr and --addattr and other attribute-specific issues
 """
 
 from ipalib import errors
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, raises_exact
+from ipatests.test_xmlrpc.test_user_plugin import UserTracker
 import pytest
 
-user1=u'tuser1'
-
-
-@pytest.mark.tier1
-class test_attr(Declarative):
-
-cleanup_commands = [
-('user_del', [user1], {}),
-]
-
-tests = [
-
-dict(
-desc='Try to add user %r with single-value attribute set via '
- 'option and --addattr' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-addattr=u'sn=User2')
-),
-expected=errors.OnlyOneValueAllowed(attr='sn'),
-),
-
-dict(
-desc='Create %r' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-setattr=None)
-),
-expected=dict(
-value=user1,
-summary=u'Added user "tuser1"',
-result=get_user_result(user1, u'Test', u'User1', 'add'),
-),
-),
-
-
-dict(
-desc='Change givenname, add mail %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=(u'givenname=Finkle', u'mail=t...@example.com'))
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add another mail %r' % user1,
-command=(
-'user_mod', [user1], dict(addattr=u'mail=te...@example.com')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add two phone numbers at once %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=u'telephoneNumber=410-555-1212', addattr=u'telephoneNumber=301-555-1212')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-telephonenumber=[u'410-555-1212', u'301-555-1212'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Go from two phone numbers to one %r' % user1,
-command=(
-'user_mod', [user1], dict(setattr=u'telephoneNumber=301-555-1212')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-telephonenumber=[u'301-555-1212'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Add two more phone numbers %r' % user1,
-command=(
-'user_mod', [user1], dict(addattr=(u'telephoneNumber=703-555-1212', u'telephoneNumber=202-888-9833'))
-),
-expected=dict(
-result=get_user_result(
-user1, u'Finkle', u'User1', 'mod',
-mail=[u't...@example.com', u'te...@example.com'],
-telephonenumber=[u'301-555-1212', u'703-555-1212',
- u'202-888-9833'],
-),
-summary=u'Modified user "tuser

Re: [Freeipa-devel] patch acceptance criteria

[Petr Vobornik]

On 12/02/2015 07:14 PM, Rob Crittenden wrote:

Is it still mandatory that tests pass the unit tests before acceptance?
I've seen a number of cases over the past couple of months where a
change goes through then shortly afterward a patch to fix the tests.
IMHO this should be caught in advance.

Things slip through and goodness knows I've acked more than a few
patches without running the full suite. I just have a feeling it has
become more frequent lately.

rob



At 4.2 retrospective a review check list was discussed.

I have a draft [1]. Comments welcome! I'm sorry, that it's only pdf at 
the moment.


Maybe sanity checks should be less verbose, but I wanted to have it 
spelled out.


My goal is to have both wiki page and a printable check list which can 
lie on a table.


[1] https://pvoborni.fedorapeople.org/FreeIPAdeveloperschecklist.pdf
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

[Jan Cholasta]

On 4.12.2015 15:16, Jan Cholasta wrote:

On 4.12.2015 15:12, Jan Cholasta wrote:

On 4.12.2015 11:15, Petr Vobornik wrote:

On 12/03/2015 03:11 PM, Martin Basti wrote:



On 01.12.2015 12:19, Jan Cholasta wrote:

On 23.11.2015 15:47, Simo Sorce wrote:

On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:


Ad alternative is to add the host to ipaservers before the checks
are
done and remove it again if any of them fail.


Too error prone, I am ok with the current way in your patches
until/unless I can think of a fail safe way. :-)


Updated patches attached. Note that 520 should be applied between 509
and 510.




Functional ACK



Simo, do you want to review the ACIs or other things it the patches? Or
can the patches be pushed?


There were no changes in the ACIs since last time.


Actually, memberPrincipal was removed from the "IPA server hosts can
manage own Custodia secrets" ACI, as per Simo's request.



Rebased patches attached.


Note that 520 should still be applied between 509 and 510.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

[Jan Cholasta]

On 4.12.2015 15:12, Jan Cholasta wrote:

On 4.12.2015 11:15, Petr Vobornik wrote:

On 12/03/2015 03:11 PM, Martin Basti wrote:



On 01.12.2015 12:19, Jan Cholasta wrote:

On 23.11.2015 15:47, Simo Sorce wrote:

On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:


Ad alternative is to add the host to ipaservers before the checks are
done and remove it again if any of them fail.


Too error prone, I am ok with the current way in your patches
until/unless I can think of a fail safe way. :-)


Updated patches attached. Note that 520 should be applied between 509
and 510.




Functional ACK



Simo, do you want to review the ACIs or other things it the patches? Or
can the patches be pushed?


There were no changes in the ACIs since last time.


Actually, memberPrincipal was removed from the "IPA server hosts can 
manage own Custodia secrets" ACI, as per Simo's request.




Rebased patches attached.



--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

[Jan Cholasta]

On 4.12.2015 11:15, Petr Vobornik wrote:

On 12/03/2015 03:11 PM, Martin Basti wrote:



On 01.12.2015 12:19, Jan Cholasta wrote:

On 23.11.2015 15:47, Simo Sorce wrote:

On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:


Ad alternative is to add the host to ipaservers before the checks are
done and remove it again if any of them fail.


Too error prone, I am ok with the current way in your patches
until/unless I can think of a fail safe way. :-)


Updated patches attached. Note that 520 should be applied between 509
and 510.




Functional ACK



Simo, do you want to review the ACIs or other things it the patches? Or
can the patches be pushed?


There were no changes in the ACIs since last time.

Rebased patches attached.

--
Jan Cholasta
From 0b7455460928df1376029e7b3b9d5c76308eb148 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 1 Dec 2015 10:42:38 +0100
Subject: [PATCH 1/2] aci: add IPA servers host group 'ipaservers'

https://fedorahosted.org/freeipa/ticket/3416
---
 ACI.txt|  4 ++--
 install/share/bootstrap-template.ldif  | 11 +++
 install/updates/20-ipaservers_hostgroup.update | 13 +
 install/updates/Makefile.am|  1 +
 ipalib/plugins/host.py |  6 ++
 ipalib/plugins/hostgroup.py| 26 ++
 ipaserver/install/krbinstance.py   |  7 +++
 7 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 install/updates/20-ipaservers_hostgroup.update

diff --git a/ACI.txt b/ACI.txt
index 40fa822..bbc2e66 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -119,7 +119,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
@@ -137,7 +137,7 @@ aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Add Hostgroups";allow (add) groupdn = "ldap:///cn=System: Add Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "member")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "member")(targetfilter = "(&(!(cn=ipaservers))(objectclass=ipahostgroup))")(version 3.0;acl "permission:System: Modify Hostgroup Membership";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "cn || description")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Modify Hostgroups";allow (write) groupdn = "ldap:///cn=System: Modify Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hostgroups,cn=accounts,dc=ipa,dc=example
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 3570627..628a8e2 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -261,6 +261,17 @@ description: Limited admins who can edit other users
 cn: editors
 ipaUniqueID: autogenerate
 
+dn: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupOfNames
+objectClass: nestedGroup
+objectClass: ipaobject
+objectClass: ipa

Re: [Freeipa-devel] patch acceptance criteria

[Rob Crittenden]

Lukas Slebodnik wrote:
> On (03/12/15 09:59), Rob Crittenden wrote:
>> Lukas Slebodnik wrote:
>>> On (02/12/15 13:14), Rob Crittenden wrote:
 Is it still mandatory that tests pass the unit tests before acceptance?
>>> Unit test could be executed as part of "%check" phase in spec files.
>>> I recently added C-base unit tests there.
>>>
>>> I was not bale to run "make tests" there because many tests failed.
>>> If they require real IPA server for execution ( or lite server)
>>> then they are not unit test but integration tests.
>>> One solution would be to skip them or to usw cwrap[1] + lite server.
>>> So it can be run also in mock/koji which has many restrictions.
>>
>> It would represent quite a lot of work but it may be a good idea to
>> investigate. Ipsilon uses cwrap for its tests so some of the
>> configuration can be gleaned from that.
>>
>> I would definitely be opposed to this as part of the freeipa.spec in the
>^^^
> What do you mean by this part?
> 
> Did you mean "running make tests" in spec file?
> If yes, could you elaborate why it's not good idea?
> many projects run tests in "%check"
> sssd, certmonger, glibc ...
> 
> Currently only C-based test are executed. And I added it only recently.

Because it would be overkill during development. The expectation is that
developers and reviewers run the tests before submission/acceptance. If
they fail to do that then it will be obvious.

>> git tree. In Fedora it might help find problems when rawhide becomes
>> Fedora.next so it would provide some value there.
>>
>>>
>>> Also lint should be also part of "%check" phase and not part of
>>> ordinary build.
>>> BTW I could not see a lint[2] in fedora build at all. So I'm not sure
>>> if it is executed with upstream spec file.
>>
>> It isn't there because the expectation is that lint already passes as
>> part of the release process. I don't see the value on running lint on
>> release tarballs.
>>
> That's just an expectation. It needn't be true. Your initial mail was about
> stricter review process. And automating things is best way how to
> enforce it. So reviewer would just build rpms and if "%check" phase
> will not pass then he will not continue with review.
> If it will be part of "%check" then you can use mock and easily ensure
> that test passes on stable fedora and fedora rawhide (and maybe centOS)

By the time downstream gets a tarball it is too late to fix lint errors.
If upstream is doing a release with lint errors then there is something
deeply wrong with the release process. If someone wants to add it to the
downstream spec files I'm not going to complain, I just find it
extremely unlikely that it will provide any value, ever.

I guess the question to ask is: since implementing lint in the dev
process has a release ever gone out where things failed that would have
been caught? I'm pretty sure the answer is no.

>> I also want to keep the focus on the reviewer's responsibility to ensure
>> that patches do what they are supposed to and don't break things.
>>
> yes, but it does not mean that we cannot simplify/automate reviewer's tasks.
> IMHO, as much as possible should be done in spec file; "%check".

It would be grossly inefficient to run the tests with every make rpms.
Are you at all familiar with the IPA build and install process? It is
usually build here and test over there over and over again. Running the
tests with each iterative build would be horrible. It is sometimes bad
enough waiting for the lint to finish.

If someone wants to setup a Jenkins service to automate testing then
fine. It just needs to be done in some way, and it clearly isn't on a
regular basis and it is easily solved without inventing a whole new CI.

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0751 spec: Split out python-ipap11helper and, python-default_encoding_utf8

[Jan Cholasta]

Hi,

On 3.12.2015 17:32, Petr Viktorin wrote:

Hello,
This specfile patch makes python-ipalib noarch, by splitting out the
arch-dependent stuff.


I'm not sure if this should be done at all. Both py_default_encoding and 
(especially) _ipap11helper are internal submodules of ipapython and I 
don't think they should be packaged separately.


If this is just about packaging arch-specific code separately from 
noarch code, I'm not sure either - all other packages with both Python 
and C modules I have seen (e.g. python-ldap, PyYAML) simply do not care 
and put everything in a single arch-specific package. IMHO we should follow.




It depends on Honza Cholasta's patches 516 and 517.

Part of https://fedorahosted.org/freeipa/ticket/3197



Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names

[Martin Babinsky]

On 12/01/2015 10:08 PM, Simo Sorce wrote:

On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:

On 11/30/2015 07:42 PM, Simo Sorce wrote:

On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:

On 11/24/2015 10:20 PM, Simo Sorce wrote:

This addresses #3860, giving admins the option to not require preauth
for Hosts and services.

I did not add this option by default, although it does reduce the load
on the KDC as well as speed up TGT acquisition for service principal
accounts that acquire TGTs.

Tested and working as expected (SPNs are not returned PREAUTH_NEEDED
error while normal users are).

HTH,
Simo.




Hi Simo,

I was not able to apply the patch on current master branch:

"""
git am
../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
-3

Applying: Allow admins to disable preauth for SPNs.
error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
for 'ipalib/plugins/config.py'
fatal: git-write-tree: error building trees
Repository lacks necessary blobs to fall back on 3-way merge.
Cannot fall back to three-way merge.
Patch failed at 0001 Allow admins to disable preauth for SPNs.
"""

It seems that I nedd to apply some of your other patches first (which one?)


Sorry did not see this question earlier, it requires 556 and 557, I just
bumped that thread.

Simo.


It seems that I need something else, patch 556-2 applies cleanly, but
patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master
and 4-2 branch.



Rebased 556,557 in their thread, and here is the rebase for 558 on top
of them.

Simo.



ACK. I'm afraid that this patch and 556, 557 will require another round 
of rebase before pushing, though.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 938 rename topology suffixes to "domain" and "ca"

[Martin Basti]

On 01.12.2015 19:01, Petr Vobornik wrote:

On 12/01/2015 09:04 AM, Jan Cholasta wrote:

On 30.11.2015 12:41, Petr Vobornik wrote:

see
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html 



LGTM, but I would s/_SUFFIX/_SUFFIX_NAME/.



Updated patch attached.




ACK

Pushed to master: 517aa84569ae144a8b781ef7ad67e356d9021757

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0748 Handle encoding for ipautil.run

[Jan Cholasta]

On 4.12.2015 12:43, Petr Viktorin wrote:

On 12/04/2015 12:15 PM, Jan Cholasta wrote:

On 4.12.2015 10:53, Petr Viktorin wrote:

On 12/04/2015 08:51 AM, Jan Cholasta wrote:

On 3.12.2015 15:42, Petr Viktorin wrote:

On 12/03/2015 10:55 AM, Jan Cholasta wrote:

[...]

If we do encode/decode in run(), I think there should be a way to
override the default encoding. My idea was to either accept/return
only
bytes and let the caller handle encoding themselves, or to handle
encoding in run(), but be able to override the defaults.

Given we handle encoding in run(), I would imagine it like this:

   def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
   capture_stdout=False, skip_output=False, cwd=None,
   runas=None, timeout=None, suplementary_groups=[],
   capture_stderr=False, encode_stdout=False,
   encode_stderr=False, encoding=None):

i.e. nothing is captured by default, when stdout or stderr are
captured
they are returned as bytes by default, when stdout or stderr are
returned as text they are decoded using the locale encoding by
default,
or the encoding can be explicitly specified.

Do you think this is feasible?


Feasible, yes.
In the majority of cases where the output is needed, we want text
encoded with locale.getpreferredencoding(), so I'd rather make that the
default rather than bytes.

Or we could make "encode_stdout" imply "capture_stdout", so you
wouldn't
have to always specify both. (It would be better named "encoded_stdout"
in that case.)


I think it should be OK to decode by default. (IMO it would be best to
reverse the logic and name it "raw_stdout", with False default. Do we
need "raw_stderr" at all? I don't think we do.)


Actually, now that I think about it: if the result was a namedtuple
subclass, we can always set extra raw_stdout/raw_stderr attributes on
it. (Unless skip_output=True, of course.)

 result = run(['generate_binary_data'])
 use(result.raw_stdout)

 # and for backcompat,
 rc, _out, _err = result


Good idea.

Perhaps we should use the same names as CalledProcessError for the
attributes, i.e. "returncode", "output", and "error_output",
"raw_output", "raw_error_output" for the new attributes?


(Actually, since "returncode" is not "return_code", it should probably 
be "returncode", "output", "erroroutput", "raw_output", "raw_erroroutput".)




OK. It's also good to use different names than Popen's stdout/stderr,
which are file-like objects rather than strings. But then,
capture_stdout/capture_stderr should be capture_output/capture_error_output.


Works for me.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0748 Handle encoding for ipautil.run

[Petr Viktorin]

On 12/04/2015 12:15 PM, Jan Cholasta wrote:
> On 4.12.2015 10:53, Petr Viktorin wrote:
>> On 12/04/2015 08:51 AM, Jan Cholasta wrote:
>>> On 3.12.2015 15:42, Petr Viktorin wrote:
 On 12/03/2015 10:55 AM, Jan Cholasta wrote:
[...]
> If we do encode/decode in run(), I think there should be a way to
> override the default encoding. My idea was to either accept/return
> only
> bytes and let the caller handle encoding themselves, or to handle
> encoding in run(), but be able to override the defaults.
>
> Given we handle encoding in run(), I would imagine it like this:
>
>   def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
>   capture_stdout=False, skip_output=False, cwd=None,
>   runas=None, timeout=None, suplementary_groups=[],
>   capture_stderr=False, encode_stdout=False,
>   encode_stderr=False, encoding=None):
>
> i.e. nothing is captured by default, when stdout or stderr are
> captured
> they are returned as bytes by default, when stdout or stderr are
> returned as text they are decoded using the locale encoding by
> default,
> or the encoding can be explicitly specified.
>
> Do you think this is feasible?

 Feasible, yes.
 In the majority of cases where the output is needed, we want text
 encoded with locale.getpreferredencoding(), so I'd rather make that the
 default rather than bytes.

 Or we could make "encode_stdout" imply "capture_stdout", so you
 wouldn't
 have to always specify both. (It would be better named "encoded_stdout"
 in that case.)
>>>
>>> I think it should be OK to decode by default. (IMO it would be best to
>>> reverse the logic and name it "raw_stdout", with False default. Do we
>>> need "raw_stderr" at all? I don't think we do.)
>>
>> Actually, now that I think about it: if the result was a namedtuple
>> subclass, we can always set extra raw_stdout/raw_stderr attributes on
>> it. (Unless skip_output=True, of course.)
>>
>> result = run(['generate_binary_data'])
>> use(result.raw_stdout)
>>
>> # and for backcompat,
>> rc, _out, _err = result
> 
> Good idea.
> 
> Perhaps we should use the same names as CalledProcessError for the
> attributes, i.e. "returncode", "output", and "error_output",
> "raw_output", "raw_error_output" for the new attributes?

OK. It's also good to use different names than Popen's stdout/stderr,
which are file-like objects rather than strings. But then,
capture_stdout/capture_stderr should be capture_output/capture_error_output.

-- 
Petr Viktorin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] patch acceptance criteria

[Lukas Slebodnik]

On (03/12/15 09:59), Rob Crittenden wrote:
>Lukas Slebodnik wrote:
>> On (02/12/15 13:14), Rob Crittenden wrote:
>>> Is it still mandatory that tests pass the unit tests before acceptance?
>> Unit test could be executed as part of "%check" phase in spec files.
>> I recently added C-base unit tests there.
>> 
>> I was not bale to run "make tests" there because many tests failed.
>> If they require real IPA server for execution ( or lite server)
>> then they are not unit test but integration tests.
>> One solution would be to skip them or to usw cwrap[1] + lite server.
>> So it can be run also in mock/koji which has many restrictions.
>
>It would represent quite a lot of work but it may be a good idea to
>investigate. Ipsilon uses cwrap for its tests so some of the
>configuration can be gleaned from that.
>
>I would definitely be opposed to this as part of the freeipa.spec in the
   ^^^
What do you mean by this part?

Did you mean "running make tests" in spec file?
If yes, could you elaborate why it's not good idea?
many projects run tests in "%check"
sssd, certmonger, glibc ...

Currently only C-based test are executed. And I added it only recently.

>git tree. In Fedora it might help find problems when rawhide becomes
>Fedora.next so it would provide some value there.
>
>> 
>> Also lint should be also part of "%check" phase and not part of
>> ordinary build.
>> BTW I could not see a lint[2] in fedora build at all. So I'm not sure
>> if it is executed with upstream spec file.
>
>It isn't there because the expectation is that lint already passes as
>part of the release process. I don't see the value on running lint on
>release tarballs.
>
That's just an expectation. It needn't be true. Your initial mail was about
stricter review process. And automating things is best way how to
enforce it. So reviewer would just build rpms and if "%check" phase
will not pass then he will not continue with review.
If it will be part of "%check" then you can use mock and easily ensure
that test passes on stable fedora and fedora rawhide (and maybe centOS)

>I also want to keep the focus on the reviewer's responsibility to ensure
>that patches do what they are supposed to and don't break things.
>
yes, but it does not mean that we cannot simplify/automate reviewer's tasks.
IMHO, as much as possible should be done in spec file; "%check".

LS

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0748 Handle encoding for ipautil.run

[Jan Cholasta]

On 4.12.2015 10:53, Petr Viktorin wrote:

On 12/04/2015 08:51 AM, Jan Cholasta wrote:

On 3.12.2015 15:42, Petr Viktorin wrote:

On 12/03/2015 10:55 AM, Jan Cholasta wrote:
[...]

If we don't care about output somewhere, we should not capture it
there
at all.


Then people need to remember to put "capture_output=True"
everywhere
(except that also disables logging of the output, so we'd need an
additional option).


capture_output=True is the default and capture_output=False
should be
set where output is not needed.


"capture_output=True" being the default would mean that it's still
possible to leave "capture_output=False" out, but ignore the
output. It
would make the wrong usage easier to type than the right one,
which is
something to avoid.


I'm not sure I understand what are you trying to say here.

My point is that capture_output=True is currently the default (see for
yourself) and it is indeed possible to leave capture_output=False but
ignore the output. I believe this is wrong and that you should always
have to explicitly request the output to be captured.


OK, looks like I will need to refactor ipautil.run even for Python 2,
then.


If this is just about changing the default and fixing all run()
invocations, I can provide the patch myself, if that would work better
for you.


I seem to have have problems coming up with a solution that would match
your expectations, so let me write the semantics as I understand you'd
like hem:

Would you be happy with the following signature?

def run(args, stdin=None, raiseonerr=True,
   nolog=(), env=None,
   capture_output=False, skip_output=False,
   cwd=None, runas=None, timeout=None, suplementary_groups=[],
   capture_stderr=False,
   encode_stdout=True,
   encode_stderr=True,
  ):

Output and error would be always logged, except if skip_output is set.
But they would be only returned if capture_output/capture_stderr were
set.


I would personally also rename capture_output to capture_stdout. If we
change the default, we have to update its every use, so we might as well
rename it. (Again, I can provide the patch.)


If we agree on the semantics, writing the patch isn't that big a deal.


Right.




If encode_* is False, bytes are returned, by default
locale.getpreferredencoding() is used. (If the caller wants any other
encoding, it can do that by itself.)


I thought bytes should be the default after all? See my comment in the
previous mail.


If the default is no capturing, I'd rather go with text by default.
With capturing by deafult, "run(args)" could raise encoding errors *if
the output is then ignored*. If it's "run(args, capture_stdout=True)", I
think it's fine to encode.


OK, makes sense.




stdin it encoded using locale.getpreferredencoding() if it's unicode.


If we do encode/decode in run(), I think there should be a way to
override the default encoding. My idea was to either accept/return only
bytes and let the caller handle encoding themselves, or to handle
encoding in run(), but be able to override the defaults.

Given we handle encoding in run(), I would imagine it like this:

  def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
  capture_stdout=False, skip_output=False, cwd=None,
  runas=None, timeout=None, suplementary_groups=[],
  capture_stderr=False, encode_stdout=False,
  encode_stderr=False, encoding=None):

i.e. nothing is captured by default, when stdout or stderr are captured
they are returned as bytes by default, when stdout or stderr are
returned as text they are decoded using the locale encoding by default,
or the encoding can be explicitly specified.

Do you think this is feasible?


Feasible, yes.
In the majority of cases where the output is needed, we want text
encoded with locale.getpreferredencoding(), so I'd rather make that the
default rather than bytes.

Or we could make "encode_stdout" imply "capture_stdout", so you wouldn't
have to always specify both. (It would be better named "encoded_stdout"
in that case.)


I think it should be OK to decode by default. (IMO it would be best to
reverse the logic and name it "raw_stdout", with False default. Do we
need "raw_stderr" at all? I don't think we do.)


Actually, now that I think about it: if the result was a namedtuple
subclass, we can always set extra raw_stdout/raw_stderr attributes on
it. (Unless skip_output=True, of course.)

result = run(['generate_binary_data'])
use(result.raw_stdout)

# and for backcompat,
rc, _out, _err = result


Good idea.

Perhaps we should use the same names as CalledProcessError for the 
attributes, i.e. "returncode", "output", and "error_output", 
"raw_output", "raw_error_output" for the new attributes?


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 940 Update ipa-(cs)replica-manage man pages

[Petr Vobornik]

On 12/03/2015 04:58 PM, Petr Vobornik wrote:

SSIA



Updated patch attached.
--
Petr Vobornik
From d9b65ef8366d6f94a1d2fba679bb610388fa Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Thu, 3 Dec 2015 16:28:51 +0100
Subject: [PATCH] Update ipa-(cs)replica-manage man pages

---
 install/tools/man/ipa-csreplica-manage.1 | 17 -
 install/tools/man/ipa-replica-manage.1   | 13 +
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
index 3164ea60d67db99445dac168fad967cb48be428e..ab5bfddd884f65b6806c4e69f212324dc5b67c5f 100644
--- a/install/tools/man/ipa-csreplica-manage.1
+++ b/install/tools/man/ipa-csreplica-manage.1
@@ -22,16 +22,20 @@ ipa\-csreplica\-manage \- Manage an IPA CS replica
 .SH "SYNOPSIS"
 ipa\-csreplica\-manage [\fIOPTION\fR]...  [connect|disconnect|del|list|re\-initialize|force\-sync]
 .SH "DESCRIPTION"
-Manages the CA replication agreements of an IPA server.
+Manages the CA replication agreements of an IPA server for domain at domain level 0.
+
+To manage CA replication agreements in a domain at domain level 1, use IPA CLI or Web UI, see `ipa help topology` for additional information.
+
 .TP
 \fBconnect\fR [SERVER_A] 
-\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
+\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
 .TP
 \fBdisconnect\fR [SERVER_A] 
-\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
+\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
 .TP
 \fBdel\fR 
-\- Removes all replication agreements and data about SERVER
+\- Removes all replication agreements and data about SERVER. Applicable only at domain level 0.
+
 .TP
 \fBlist\fR [SERVER]
 \- Lists all the servers or the list of agreements of SERVER
@@ -86,9 +90,12 @@ Add a new replication agreement:
 Remove an existing replication agreement:
  # ipa\-csreplica\-manage disconnect srv1.example.com srv3.example.com
 .TP
-Completely remove a replica:
+Completely remove a replica at domain level 0:
  # ipa\-csreplica\-manage del srv4.example.com
 .TP
+Completely remove a replica at domain level 1:
+ # ipa\-replica\-manage del srv4.example.com
+.TP
 Using connect/disconnect you can manage the replication topology.
 .SH "EXIT STATUS"
 0 if the command was successful
diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1
index c09ed362f3143e6e38716e1b3a96e90001a64674..3ed1c5734e3054501f39ffb4346f05c22361a584 100644
--- a/install/tools/man/ipa-replica-manage.1
+++ b/install/tools/man/ipa-replica-manage.1
@@ -22,16 +22,21 @@ ipa\-replica\-manage \- Manage an IPA replica
 .SH "SYNOPSIS"
 ipa\-replica\-manage [\fIOPTION\fR]... [COMMAND]
 .SH "DESCRIPTION"
-Manages the replication agreements of an IPA server. The available commands are:
+Manages the replication agreements of an IPA server.
+
+To manage IPA replication agreements in a domain at domain level 1, use IPA CLI
+or Web UI, see `ipa help topology` for additional information.
+
+The available commands are:
 .TP
 \fBconnect\fR [SERVER_A] 
-\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B
+\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
 .TP
 \fBdisconnect\fR [SERVER_A] 
-\- Removes a replication agreement between SERVER_A/localhost and SERVER_B
+\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
 .TP
 \fBdel\fR 
-\- Removes all replication agreements and data about SERVER
+\- Removes all replication agreements and data about SERVER. At domain level 1 it removes data and agreements for both suffixes - domain and ca.
 .TP
 \fBlist\fR [SERVER]
 \- Lists all the servers or the list of agreements of SERVER
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0390] man: Update the ipa-replica-install manpage with promotion

[Petr Vobornik]

On 12/03/2015 12:54 PM, Petr Vobornik wrote:

On 12/03/2015 12:06 PM, Tomas Babej wrote:

Hi,

this patch updates the man page for the ipa-replica-install given the
latest changes (including the Jan's OTP patch).

Tomas




Questions/suggestions:

1. "you cannot provide an replica file"

It's true, but wouldn't it be better to say that "you don't need to". Or
communicate that it is a good thing. Cannot sounds too negative to me.

2. Why options: --password, --admin-password are in 'BASIC OPTIONS'
section and not also in new 'ENROLLMENT OPTIONS' section together with
--principal, --keytab, etc..? Maybe 'ENROLLMENT OPTIONS' should be
before "BASIC OPTIONS" and "BASIC OPTIONS" renamed.


General ideas, not related to this patch:
"""
If the installation fails you may need to run ipa-server-install
--uninstall and ipa-client-install before running ipa-replica-install
again.

The installation will fail if the host you are installing the
replica on exists as a host in IPA or an existing replication agreement
exists (for example, from a previously failed installation)
"""

I believe validators check this situation, right? So do we need to write
it in the man page.



Attaching updated patch which reflects off-line cooperation with Tomas.

New option sections were added:
DOMAIN LEVEL 1 OPTIONS
DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS
DOMAIN LEVEL 0 OPTIONS
--
Petr Vobornik
From a3b28d5c14063fe4ff8190251285166c53fb12d9 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Dec 2015 11:42:03 +0100
Subject: [PATCH] man: Update the ipa-replica-install manpage with promotion
 related info

---
 install/tools/man/ipa-replica-install.1 | 71 +++--
 1 file changed, 58 insertions(+), 13 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index df01c616c89abeb5c1f421c6e29b1034b2ec9ea7..6b323c55cfbac6f9035291832a5efff348cdc403 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -20,34 +20,75 @@
 .SH "NAME"
 ipa\-replica\-install \- Create an IPA replica
 .SH "SYNOPSIS"
+.SS "DOMAIN LEVEL 0"
+.TP
 ipa\-replica\-install [\fIOPTION\fR]... replica_file
+.SS "DOMAIN LEVEL 1"
+.TP
+ipa\-replica\-install [\fIOPTION\fR]...
 .SH "DESCRIPTION"
-Configures a new IPA server that is a replica of the server that generated it. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
+Configures a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
 
-The replica_file is created using the ipa\-replica\-prepare utility.
+To create a replica in a domain at domain level 0, you need to provide an replica file. The replica_file is created using the ipa\-replica\-prepare utility.
 
-If the installation fails you may need to run ipa\-server\-install \-\-uninstall before running ipa\-replica\-install again.
+To create a replica in a domain at domain level 1, you don't have to provide a replica file, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
+
+If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica.
+
+To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
+
+If the installation fails you may need to run ipa\-server\-install \-\-uninstall and ipa\-client\-install before running ipa\-replica\-install again.
 
 The installation will fail if the host you are installing the replica on exists as a host in IPA or an existing replication agreement exists (for example, from a previously failed installation).
 
 A replica should only be installed on the same or higher version of IPA on the remote system.
 .SH "OPTIONS"
+.SS "DOMAIN LEVEL 1 OPTIONS"
+.TP
+\fB\-P\fR, \fB\-\-principal\fR
+The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary.
+.TP
+\fB\-w\fR, \fB\-\-admin\-password\fR
+The Kerberos password for the given principal.
+
+.SS "DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS"
+To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation.
+
+--server, --domain, --realm  options are autodiscovered via DNS record

Re: [Freeipa-devel] [PATCH 0003] Refactor test_replace

[Filip Škola]

On Fri, 4 Dec 2015 10:08:40 +0100
Milan Kubík  wrote:

> On 12/04/2015 10:04 AM, Filip Škola wrote:
> > Hi,
> >
> > sending rather short one this time.
> >
> > F.
> NACK, UserTracker is implemented in 
> ipatests.test_xmlrpc.tracker.user_plugin.
> 

Ah, sorry for this.


F.
>From 1bffd8f743de9c8c16744a7451311bdb14549fe1 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Tue, 24 Nov 2015 14:34:03 +0100
Subject: [PATCH] Refactor test_replace

---
 ipatests/test_xmlrpc/test_replace.py | 174 ++-
 1 file changed, 48 insertions(+), 126 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_replace.py b/ipatests/test_xmlrpc/test_replace.py
index 1420e7d87f8f2f5d371b1f2fc093bcc062670537..76f7d1c2c7c7c43387abbbc531c3c9df30cd90ae 100644
--- a/ipatests/test_xmlrpc/test_replace.py
+++ b/ipatests/test_xmlrpc/test_replace.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden 
+#   Filip Skola 
 #
 # Copyright (C) 2011  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -25,134 +26,55 @@ Note that member management in other tests also exercises the
 gen_modlist code.
 """
 
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 import pytest
 
-user1=u'tuser1'
+
+@pytest.fixture(scope='class')
+def user(request):
+tracker = UserTracker(
+name=u'user1', givenname=u'Test', sn=u'User1',
+mail=[u'te...@example.com', u'te...@example.com']
+)
+return tracker.make_fixture(request)
 
 
 @pytest.mark.tier1
-class test_replace(Declarative):
-
-cleanup_commands = [
-('user_del', [user1], {}),
-]
-
-tests = [
-
-dict(
-desc='Create %r with 2 e-mail accounts' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-mail=[u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-value=user1,
-summary=u'Added user "tuser1"',
-result=get_user_result(
-user1, u'Test', u'User1', 'add',
-mail=[u'te...@example.com', u'te...@example.com'],
-),
-),
-),
-
-
-dict(
-desc='Drop one e-mail account, add another to %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=[u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com', u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Set mail to a new single value %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=u'te...@example.com')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Set mail to three new values %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=[u'te...@example.com', u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com', u'te...@example.com',
-  u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Remove all mail values %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=u'')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-omit=['mail'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Ensure single-value mods work too, replace initials %r' % user1,
-command=(
-'user_mod', [user1], dict(initials=u'ABC')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-initials=[u'ABC'],
-omit=['mail'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-   

Re: [Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

[Petr Vobornik]

On 12/03/2015 03:11 PM, Martin Basti wrote:



On 01.12.2015 12:19, Jan Cholasta wrote:

On 23.11.2015 15:47, Simo Sorce wrote:

On Mon, 2015-11-23 at 15:37 +0100, Jan Cholasta wrote:


Ad alternative is to add the host to ipaservers before the checks are
done and remove it again if any of them fail.


Too error prone, I am ok with the current way in your patches
until/unless I can think of a fail safe way. :-)


Updated patches attached. Note that 520 should be applied between 509
and 510.




Functional ACK



Simo, do you want to review the ACIs or other things it the patches? Or 
can the patches be pushed?

--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0748 Handle encoding for ipautil.run

[Petr Viktorin]

On 12/04/2015 08:51 AM, Jan Cholasta wrote:
> On 3.12.2015 15:42, Petr Viktorin wrote:
>> On 12/03/2015 10:55 AM, Jan Cholasta wrote:
>> [...]
> If we don't care about output somewhere, we should not capture it
> there
> at all.

 Then people need to remember to put "capture_output=True"
 everywhere
 (except that also disables logging of the output, so we'd need an
 additional option).
>>>
>>> capture_output=True is the default and capture_output=False
>>> should be
>>> set where output is not needed.
>>
>> "capture_output=True" being the default would mean that it's still
>> possible to leave "capture_output=False" out, but ignore the
>> output. It
>> would make the wrong usage easier to type than the right one,
>> which is
>> something to avoid.
>
> I'm not sure I understand what are you trying to say here.
>
> My point is that capture_output=True is currently the default (see for
> yourself) and it is indeed possible to leave capture_output=False but
> ignore the output. I believe this is wrong and that you should always
> have to explicitly request the output to be captured.

 OK, looks like I will need to refactor ipautil.run even for Python 2,
 then.
>>>
>>> If this is just about changing the default and fixing all run()
>>> invocations, I can provide the patch myself, if that would work better
>>> for you.
>>>
 I seem to have have problems coming up with a solution that would match
 your expectations, so let me write the semantics as I understand you'd
 like hem:

 Would you be happy with the following signature?

 def run(args, stdin=None, raiseonerr=True,
   nolog=(), env=None,
   capture_output=False, skip_output=False,
   cwd=None, runas=None, timeout=None, suplementary_groups=[],
   capture_stderr=False,
   encode_stdout=True,
   encode_stderr=True,
  ):

 Output and error would be always logged, except if skip_output is set.
 But they would be only returned if capture_output/capture_stderr were
 set.
>>>
>>> I would personally also rename capture_output to capture_stdout. If we
>>> change the default, we have to update its every use, so we might as well
>>> rename it. (Again, I can provide the patch.)
>>
>> If we agree on the semantics, writing the patch isn't that big a deal.
> 
> Right.
> 
>>
 If encode_* is False, bytes are returned, by default
 locale.getpreferredencoding() is used. (If the caller wants any other
 encoding, it can do that by itself.)
>>>
>>> I thought bytes should be the default after all? See my comment in the
>>> previous mail.
>>
>> If the default is no capturing, I'd rather go with text by default.
>> With capturing by deafult, "run(args)" could raise encoding errors *if
>> the output is then ignored*. If it's "run(args, capture_stdout=True)", I
>> think it's fine to encode.
> 
> OK, makes sense.
> 
>>
 stdin it encoded using locale.getpreferredencoding() if it's unicode.
>>>
>>> If we do encode/decode in run(), I think there should be a way to
>>> override the default encoding. My idea was to either accept/return only
>>> bytes and let the caller handle encoding themselves, or to handle
>>> encoding in run(), but be able to override the defaults.
>>>
>>> Given we handle encoding in run(), I would imagine it like this:
>>>
>>>  def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
>>>  capture_stdout=False, skip_output=False, cwd=None,
>>>  runas=None, timeout=None, suplementary_groups=[],
>>>  capture_stderr=False, encode_stdout=False,
>>>  encode_stderr=False, encoding=None):
>>>
>>> i.e. nothing is captured by default, when stdout or stderr are captured
>>> they are returned as bytes by default, when stdout or stderr are
>>> returned as text they are decoded using the locale encoding by default,
>>> or the encoding can be explicitly specified.
>>>
>>> Do you think this is feasible?
>>
>> Feasible, yes.
>> In the majority of cases where the output is needed, we want text
>> encoded with locale.getpreferredencoding(), so I'd rather make that the
>> default rather than bytes.
>>
>> Or we could make "encode_stdout" imply "capture_stdout", so you wouldn't
>> have to always specify both. (It would be better named "encoded_stdout"
>> in that case.)
> 
> I think it should be OK to decode by default. (IMO it would be best to
> reverse the logic and name it "raw_stdout", with False default. Do we
> need "raw_stderr" at all? I don't think we do.)

Actually, now that I think about it: if the result was a namedtuple
subclass, we can always set extra raw_stdout/raw_stderr attributes on
it. (Unless skip_output=True, of course.)

   result = run(['generate_binary_data'])
   use(result.raw_stdout)

   # and for backcompat,
   rc, _out, 

Re: [Freeipa-devel] [PATCH 0003] Refactor test_replace

[Milan Kubík]

On 12/04/2015 10:04 AM, Filip Škola wrote:

Hi,

sending rather short one this time.

F.
NACK, UserTracker is implemented in 
ipatests.test_xmlrpc.tracker.user_plugin.


--
Milan Kubik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0003] Refactor test_replace

[Filip Škola]

Hi,

sending rather short one this time.

F.
>From 2b8718e0423bfca737b7a33678521e4e08007191 Mon Sep 17 00:00:00 2001
From: Filip Skola 
Date: Tue, 24 Nov 2015 14:34:03 +0100
Subject: [PATCH] Refactor test_replace

---
 ipatests/test_xmlrpc/test_replace.py | 174 ++-
 1 file changed, 48 insertions(+), 126 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_replace.py b/ipatests/test_xmlrpc/test_replace.py
index 1420e7d87f8f2f5d371b1f2fc093bcc062670537..2a882565f4b998355bda6e1d25303f4a1a8c8edd 100644
--- a/ipatests/test_xmlrpc/test_replace.py
+++ b/ipatests/test_xmlrpc/test_replace.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden 
+#   Filip Skola 
 #
 # Copyright (C) 2011  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -25,134 +26,55 @@ Note that member management in other tests also exercises the
 gen_modlist code.
 """
 
-from ipatests.test_xmlrpc.xmlrpc_test import Declarative
-from ipatests.test_xmlrpc.test_user_plugin import get_user_result
+
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.test_user_plugin import UserTracker
 import pytest
 
-user1=u'tuser1'
+
+@pytest.fixture(scope='class')
+def user(request):
+tracker = UserTracker(
+name=u'user1', givenname=u'Test', sn=u'User1',
+mail=[u'te...@example.com', u'te...@example.com']
+)
+return tracker.make_fixture(request)
 
 
 @pytest.mark.tier1
-class test_replace(Declarative):
-
-cleanup_commands = [
-('user_del', [user1], {}),
-]
-
-tests = [
-
-dict(
-desc='Create %r with 2 e-mail accounts' % user1,
-command=(
-'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
-mail=[u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-value=user1,
-summary=u'Added user "tuser1"',
-result=get_user_result(
-user1, u'Test', u'User1', 'add',
-mail=[u'te...@example.com', u'te...@example.com'],
-),
-),
-),
-
-
-dict(
-desc='Drop one e-mail account, add another to %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=[u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com', u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Set mail to a new single value %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=u'te...@example.com')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Set mail to three new values %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=[u'te...@example.com', u'te...@example.com', u'te...@example.com'])
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-mail=[u'te...@example.com', u'te...@example.com',
-  u'te...@example.com'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Remove all mail values %r' % user1,
-command=(
-'user_mod', [user1], dict(mail=u'')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-omit=['mail'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Ensure single-value mods work too, replace initials %r' % user1,
-command=(
-'user_mod', [user1], dict(initials=u'ABC')
-),
-expected=dict(
-result=get_user_result(
-user1, u'Test', u'User1', 'mod',
-initials=[u'ABC'],
-omit=['mail'],
-),
-summary=u'Modified user "tuser1"',
-value=user1,
-),
-),
-
-
-dict(
-desc='Drop a single-value attribute %r' % user1,
-command=(
-'user_mod', [user1], dict(initials=u'')
-),
-expected=dict(
-