[Freeipa-devel] [PATCH 0138] only search for Kerberos SRV records when autodiscovery was requested

2016-03-07 Thread Martin Babinsky

A quick fix for https://fedorahosted.org/freeipa/ticket/4305

I'm aware that we were talking about putting realmd discovery into 
IPADiscovery class and stuff, but that is a bit beyond the scope of this 
ticket.


I will open ticket(s) tracking:

1.) Offload at least the IPA realm DNS discovery to realmd D-Bus interface
2.) rewrite (not refactoring: the stuff also needs a substantial 
functional redesign IMHO) of the DNS discovery in the client-side 
installers.


I will make sure that this effort is not forgotten and we are not left 
with yet-another temporary fix.


--
Martin^3 Babinsky
From 36f5626c3bbd930193f03576b01574fa00bdcf2f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 7 Mar 2016 17:41:15 +0100
Subject: [PATCH] only search for Kerberos SRV records when autodiscovery was
 requested

When a list of servers is passed to ipa-client-{install,automount} the search
of Kerberos and LDAP SRV records should be suppressed and the specified
hostnames used directly as LDAP servers/KDCs. We thus should not perform a
search for KDCs when the autodiscovery was actually not requested.

https://fedorahosted.org/freeipa/ticket/4305
---
 ipaclient/ipadiscovery.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipaclient/ipadiscovery.py b/ipaclient/ipadiscovery.py
index ed59529fbbf7f3973872439de377175c7a9d5589..1ba7c1a2d6ae071543b76812463d114de494c296 100644
--- a/ipaclient/ipadiscovery.py
+++ b/ipaclient/ipadiscovery.py
@@ -273,9 +273,13 @@ class IPADiscovery(object):
 if not servers and not realm:
 return REALM_NOT_FOUND
 
-self.kdc = self.ipadnssearchkrbkdc()
-self.kdc_source = (
-'Discovered Kerberos DNS records from %s' % self.domain)
+if autodiscovered:
+self.kdc = self.ipadnssearchkrbkdc()
+self.kdc_source = (
+'Discovered Kerberos DNS records from %s' % self.domain)
+else:
+self.kdc = ', '.join(servers)
+self.kdc_source = "Kerberos DNS record discovery bypassed"
 
 # We may have received multiple servers corresponding to the domain
 # Iterate through all of those to check if it is IPA LDAP server
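Review bot: The new `else` branch assumes `servers` is a non-empty list, but the guard kept at the top of the hunk only returns REALM_NOT_FOUND when both `servers` and `realm` are missing. If discovery can be skipped with only a realm given, `', '.join(servers)` leaves `self.kdc` as an empty string, or raises TypeError when `servers` is None. Consider checking `servers` explicitly in this branch, and using the same quote style for both `kdc_source` strings.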
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [TESTS][PATCH 0011] WebUI: Creating user without private group

2016-03-07 Thread Pavel Vomacka



On 02/25/2016 03:08 PM, Lenka Doudova wrote:

> Hi,
>
> here's a patch for webUI tests that provides test for creating user
> without private group.
>
> Related to ticket https://fedorahosted.org/freeipa/ticket/4986
>
> Since the option to specify GID when creating a user is not available
> https://fedorahosted.org/freeipa/ticket/5505 the test creates a new
> posix group, makes it a default user group instead of 'ipausers' and
> then attempts to create the user without private group. Returning
> default user group value to 'ipausers' is provided even for cases when
> the test fails so it would not block other tests from performing
> properly.
>
> Lenka



Hi,

ACK, works well.

Pavel^3 Vomacka

Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Martin Kosek
On 03/07/2016 03:17 PM, Petr Spacek wrote:
> On 7.3.2016 13:27, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2016 12:47, Martin Babinsky wrote:
>>> https://fedorahosted.org/freeipa/ticket/5696
>>
>> Shouldn't we rather fix IPA to work with bind running in chroot (which is
>> AFAIK considered good security practice)?
> 
> I would not invest into it:
> http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

+1

Martin



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Petr Spacek
On 7.3.2016 13:27, Jan Cholasta wrote:
> Hi,
> 
> On 7.3.2016 12:47, Martin Babinsky wrote:
>> https://fedorahosted.org/freeipa/ticket/5696
> 
> Shouldn't we rather fix IPA to work with bind running in chroot (which is
> AFAIK considered good security practice)?

I would not invest into it:
http://www.freeipa.org/page/Howto/FreeIPA_with_integrated_BIND_inside_chroot#NOTE:_Chroot_should_not_be_considered_a_security_feature

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin

2016-03-07 Thread Filip Škola
Sorry, forgot to cc you, Milan.

F.

On Tue, 22 Dec 2015 05:57:50 -0500 (EST)
Filip Skola  wrote:

> And also sending refactored hostgroup plugin test.
> 
> F



Re: [Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Jan Cholasta

Hi,

On 7.3.2016 12:47, Martin Babinsky wrote:

> https://fedorahosted.org/freeipa/ticket/5696


Shouldn't we rather fix IPA to work with bind running in chroot (which 
is AFAIK considered good security practice)?


Honza

--
Jan Cholasta



Re: [Freeipa-devel] French translation for FreeIPA

2016-03-07 Thread Martin Kosek
On 03/07/2016 12:57 PM, Lukas Slebodnik wrote:
> On (07/03/16 12:20), Martin Kosek wrote:
>> On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
>>>
>>>> Hi all,
>>>>
>>>> Just a quick note to let you that I completed the translation of what
>>>> was available to translate on Zanata.
>>>>
>>>> Can you please check it passes the QA, that the strings available on
>>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>>
>>>
>>> Hello there,
>>>
>>> No news good news, or everybody is swamped in BZs? :-)
>>
>> Hi Jérôme,
>>
>> Thanks for the translation! The new strings should get to FreeIPA 4.3.1, 
>> right
>> Tomas?
> FreeIPA 4.2.x will be released sooner :-)
> Do you plan to include new translation there?

As we do not have branches with our translations, I am actually not sure adding
new translations there is a good idea, there may be too big differences with
current master in Zanata and what is in FreeIPA 4.2.x.

Tomas should know better than I.


Re: [Freeipa-devel] French translation for FreeIPA

2016-03-07 Thread Lukas Slebodnik
On (07/03/16 12:20), Martin Kosek wrote:
>On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
>> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
>> 
>>> Hi all,
>>>
>>> Just a quick note to let you that I completed the translation of what
>>> was available to translate on Zanata.
>>>
>>> Can you please check it passes the QA, that the strings available on
>>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>>
>> 
>> Hello there,
>>
>> No news good news, or everybody is swamped in BZs? :-)
>
>Hi Jérôme,
>
>Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
>Tomas?
FreeIPA 4.2.x will be released sooner :-)
Do you plan to include new translation there?

LS


[Freeipa-devel] [PATCH 0137] spec: add conflict with bind-chroot to freeipa-server-dns

2016-03-07 Thread Martin Babinsky

https://fedorahosted.org/freeipa/ticket/5696

--
Martin^3 Babinsky
From 2be6f975868ef897d273550365dafdfeaf060c54 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 7 Mar 2016 12:41:53 +0100
Subject: [PATCH] spec: add conflict with bind-chroot to freeipa-server-dns

https://fedorahosted.org/freeipa/ticket/5696
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index bc47df4c916bd8f091fc2f70330d95bd116ad187..cd6f188c540d22de648df8bc19a3ddc1dcc10eb1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -262,6 +262,7 @@ Requires: bind-utils >= 9.9.4-21
 Requires: bind-pkcs11 >= 9.9.4-21
 Requires: bind-pkcs11-utils >= 9.9.4-21
 %endif
+Conflicts: bind-chroot
 Requires: opendnssec >= 1.4.6-4
 
 Provides: %{alt_name}-server-dns = %{version}
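Review bot: The `Conflicts: bind-chroot` line lands between `%endif` and `Requires: opendnssec`, in the middle of the Requires block, with no comment saying why the two packages conflict. Suggest placing it after the last `Requires:` of this subpackage and adding a one-line spec comment with the reason and the ticket link, since the commit message carries only the URL.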
-- 
2.5.0


Re: [Freeipa-devel] FreeIPA COPR repos for 4.2.4 and 4.3.1 release candidates

2016-03-07 Thread Lukas Slebodnik
On (04/03/16 17:33), Petr Vobornik wrote:
>Hello all,
>
>COPR repositories for testing of upcoming 4.3.1 and 4.2.4 releases were
>created in new @freeipa group:
>* @freeipa/freeipa-4-2-rc for f23
>* @freeipa/freeipa-4-3-rc for f23, f24, rawhide
>
>@freeipa/freeipa-4-2-rc is undergoing pre-release testing. It also means that
>there is push freeze in ipa-4-2 branch.
>
>4.3.1 is not finished yet, but the COPR repository already contains initial
>package matching state of ipa-4-3 branch from today.
>
>[1] https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-2-rc/
I can see three test failing with freeipa-4.2
test_dnssec.py
  -- it's known bug in freeipa
test_vault.py
  -- there are failures due to problem with installation of replica
test_caless.py
  -- TypeError: install() takes exactly 2 arguments (1 given)
  -- It should be already fixed in master
 e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f
 3507bcd3dfe2b0f1e7fae6f219a925ec6904ab47

BTW I'm lazy to file bugs in track. Feel free to file it yourself if you need
to backport/fix tests.

LS



Re: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism

2016-03-07 Thread Tomas Babej


On 03/07/2016 10:58 AM, Petr Spacek wrote:
> On 4.3.2016 14:13, Tomas Babej wrote:
>> On 03/01/2016 03:46 PM, Petr Spacek wrote:
>>> Hello,
>>>
>>> Pylint: enable parallelism
>>>
>>> The config file specifies 8 cores but Pylint very quickly
>>> ends up with 3 cores so do not worry about overwhelming your system.
>>
>> I like the idea of the patch, however, on my single-CPU VM this causes
>> additional overhead and lint ends up taking more time (+15%).
>>
>> From the pylint docs [1]:
>>
>>  If the provided number is 0 then the number of CPUs will be used.
>>
>> I'd suggest we use this value instead, to get the best of both worlds :)
> 
> Here you go.
> 
> Petr^2 Spacek
> 
> 
>> Tomas
>>
>> [1] https://docs.pylint.org/run.html
>>
>>

Thanks, ACK.

Pushed to master: 42c01eb3270d8c47c41f7f9b0da7064edb4b0e47

Tomas



Re: [Freeipa-devel] [PATCH 0404] ipalib: Fix user certificate docstrings

2016-03-07 Thread Tomas Babej


On 03/07/2016 05:50 AM, Fraser Tweedale wrote:
> On Fri, Mar 04, 2016 at 12:49:46PM +0100, Tomas Babej wrote:
>> Hi,
>>
>> this fixes incorrect usercertificate attribute docstrings in several IPA
>> objects.
>>
>> Tomas
>>
> ACK.
> 

Pushed to master: 8bf6aa2c1c957025c7d466f7a33202a191764f0b



Re: [Freeipa-devel] French translation for FreeIPA

2016-03-07 Thread Martin Kosek
On 03/07/2016 11:48 AM, Jérôme Fenal wrote:
> 2016-02-29 18:45 GMT+01:00 Jérôme Fenal :
> 
>> Hi all,
>>
>> Just a quick note to let you that I completed the translation of what
>> was available to translate on Zanata.
>>
>> Can you please check it passes the QA, that the strings available on
>> Zanata are the latest ones, and that it can flow back into RHEL7?
>>
> 
> Hello there,
>
> No news good news, or everybody is swamped in BZs? :-)

Hi Jérôme,

Thanks for the translation! The new strings should get to FreeIPA 4.3.1, right
Tomas?

As for RHEL, there is no special process around adding the translated strings.
The new ones should get there whenever the FreeIPA is rebased.



Re: [Freeipa-devel] French translation for FreeIPA

2016-03-07 Thread Jérôme Fenal
2016-02-29 18:45 GMT+01:00 Jérôme Fenal :

> Hi all,
>
> Just a quick note to let you that I completed the translation of what
> was available to translate on Zanata.
>
> Can you please check it passes the QA, that the strings available on
> Zanata are the latest ones, and that it can flow back into RHEL7?
>

Hello there,

No news good news, or everybody is swamped in BZs? :-)

Cheers,

J.
--
Jérôme Fenal

Re: [Freeipa-devel] [PATCH] 0007 webui: Add a field for GID in the user add dialog

2016-03-07 Thread Pavel Vomacka



On 03/04/2016 07:03 PM, Petr Vobornik wrote:

> On 03/01/2016 01:37 PM, Pavel Vomacka wrote:
>> Hi,
>>
>> The patch adds new field in user add dialog. This combo box lists GIDs
>> of posix groups
>> so user can choose one. It is also possible to fill a GID number
>> which is not in the list.
>>
>> Link to the ticket: https://fedorahosted.org/freeipa/ticket/5505
>>
>> --
>> Pavel^3 Vomacka
>
> 1. We can keep default label 'GID' by removing 'label' from spec,
> which is also used on details page. No need to add a new string.
>
> 2. It is hard to pick a group from a list because the only thing
> administrator sees are GID numbers, e.g.,:
>
>   * 33080
>   * 33082
>
> It would be good to show a group name there or group name + GID
>   * admins
>   * editors
>
> Reasoning:
> a) If admin wants to set arbitrary GID number not managed in IPA, he
> already knows it and can enter it directly.
> b) If he wants to set a specific group then he will search for it by
> name.
>
> Such change will require a change in combobox widget so that we can
> specify a label field and a value field. E.g. list will operate with
> e.g.:
>
> [
>    { label: 'admins', value: 33080 },
>    { label: 'editors', value: 33080 }
> ]
>
> and not [ 33080, 33080 ]
>
> I tried if it is possible to do easily and yes. See attached wippatch.
> Would be good to check if it breaks anything. If not then we can merge
> it into your patch.

Hi,

thank you for your patch. It's definitely better to see names of groups 
instead of numbers. Your solution works well.


I merged your patch with mine and the result is attached. I also removed
definitions of new string (was used as label) from my first patch.


Pavel^3 Vomacka
From 553b7388e480123443e1c788daf95228422ed530 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 1 Mar 2016 12:17:04 +0100
Subject: [PATCH] Add field for group id in user add dialog

Add new field in user add dialog. This combo box lists all posix groups
so user can choose one. It is also possible to fill a GID number
which is not in the list.

https://fedorahosted.org/freeipa/ticket/5505
---
 install/ui/src/freeipa/user.js   | 10 ++
 install/ui/src/freeipa/widget.js |  6 --
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index a920e088aacd02585cd131dce725272f47e4cf1c..a9727f57d69e7126d87707f541786ffab4d0c999 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -447,6 +447,16 @@ return {
 name: 'noprivate',
 label: '@i18n:objects.user.noprivate',
 metadata: '@mc-opt:user_add:noprivate'
+},
+{
+$type: 'entity_select',
+name: 'gidnumber',
+editable: true,
+searchable: true,
+other_entity: 'group',
+other_field: 'gidnumber',
+label_field: 'cn',
+filter_options: {'posix': true}
 }
 ]
 },
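Review bot: With `editable: true` and `label_field: 'cn'` on the new `gidnumber` field, the list shows group names while the value sent is `gidnumber`, so an administrator who types a group name instead of picking an entry can submit a non-numeric GID. Consider validating typed input as an integer in the add dialog, and adding a `metadata` entry like the `noprivate` field above has so the field picks up the parameter's constraints.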
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 41d75fe0cd80024f6bb44405456bedc5f3fbca47..fc2d6ef0bf9fd9361a88c9bf7523077739dc615f 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -4299,6 +4299,7 @@ IPA.entity_select_widget = function(spec) {
 
 that.other_entity = IPA.get_entity(spec.other_entity);
 that.other_field = spec.other_field;
+that.label_field = spec.label_field || spec.other_field;
 
 that.options = spec.options || [];
 that.filter_options = spec.filter_options || {};
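Review bot: `label_field` is a new spec option of `IPA.entity_select_widget`, but nothing next to `that.label_field = spec.label_field || spec.other_field;` documents it or its fallback. A short comment stating that `label_field` is the attribute displayed and `other_field` the attribute stored, with the fallback keeping existing callers unchanged, would make the option discoverable.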
@@ -4339,9 +4340,10 @@ IPA.entity_select_widget = function(spec) {
 for (var i=0; i

Re: [Freeipa-devel] [PATCH 0087] Pylint: enable parallelism

2016-03-07 Thread Petr Spacek
On 4.3.2016 14:13, Tomas Babej wrote:
> On 03/01/2016 03:46 PM, Petr Spacek wrote:
>> Hello,
>>
>> Pylint: enable parallelism
>>
>> The config file specifies 8 cores but Pylint very quickly
>> ends up with 3 cores so do not worry about overwhelming your system.
> 
> I like the idea of the patch, however, on my single-CPU VM this causes
> additional overhead and lint ends up taking more time (+15%).
> 
> From the pylint docs [1]:
> 
>  If the provided number is 0 then the number of CPUs will be used.
> 
> I'd suggest we use this value instead, to get the best of both worlds :)

Here you go.

Petr^2 Spacek


> Tomas
> 
> [1] https://docs.pylint.org/run.html
From 700579ca97956e85c7501a96003627d301f5ebb8 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 1 Mar 2016 15:42:48 +0100
Subject: [PATCH] Pylint: enable parallelism

The config file specifies 8 cores but Pylint very quickly
ends up with 3 cores so do not worry about overwhelming your system.
---
 pylintrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pylintrc b/pylintrc
index 1003e49217ec9761ea5e17d3e965376a0cca1a32..2a4dd7b09ef8b7ab052fc12e382c88a7af2ed568 100644
--- a/pylintrc
+++ b/pylintrc
@@ -7,7 +7,7 @@ persistent=no
 load-plugins=pylint_plugins
 
 # Use multiple processes to speed up Pylint.
-jobs=1
+jobs=0
 
 [MESSAGES CONTROL]
 
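Review bot: The commit message still says the config file specifies 8 cores, but the hunk sets `jobs=0`, which per the pylint docs quoted in the thread means the number of CPUs is used. Update the message to match, and consider extending the comment above `jobs=0` to say that 0 selects the CPU count automatically.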
-- 
2.5.0
