[Freeipa-devel] [Testplan] External trust to AD

2016-05-31 Thread Lenka Doudova

Hi all,

here's [1] a draft of test plan for V4 RFE External trust to Active 
Directory.


Please review this and let me know if there's something missing or wrong.


Thanks,

Lenka


[1] http://www.freeipa.org/page/V4/External_trust_to_AD/Test_Plan

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0490] Tests: fix failing host_test

2016-05-31 Thread Martin Basti
Regression caused by patches related to 
https://fedorahosted.org/freeipa/ticket/5710



Patch attached and pushed under one-liner rule

master:
* 05c8808c76c39d697008912477dc45a76409ac67 Test: fix failing host_test
ipa-4-3:
* be65f1e2352e02086c3511f6f5a3cb4e4b5cb883 Test: fix failing host_test

From 64a7678c6a4954b87ea4cebd6867d7f07386a4ca Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 1 Jun 2016 08:23:59 +0200
Subject: [PATCH] Test: fix failing host_test

Regression caused by patches related to empty zones

https://fedorahosted.org/freeipa/ticket/5710
---
 ipatests/test_xmlrpc/test_host_plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index d0d2be2b6770c5763ef53ae551719cb896a59ae0..e6fc68a15cb9e7176979148462c469d1a737b040 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -311,7 +311,7 @@ class TestCRUD(XMLRPC_test):
 def test_try_add_not_in_dns(self, host):
 host.ensure_missing()
 command = host.make_create_command(force=False)
-with raises_exact(errors.DNSNotARecordError(hostname=host)):
+with raises_exact(errors.DNSNotARecordError(hostname=host.fqdn)):
 command()
 
 def test_add_host_with_null_password(self, host):
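Review bot: switching the expected error from `errors.DNSNotARecordError(hostname=host)` to `hostname=host.fqdn` is the right shape of fix, because `raises_exact` compares the expected error's arguments and the tracker object is not the FQDN string the server reports; the commit message, however, only says "regression caused by patches related to empty zones", so please state which change under ticket 5710 altered the `hostname` value the server puts into `DNSNotARecordError`, otherwise the next person touching `test_try_add_not_in_dns` has to dig through the ticket to learn why the expectation moved.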
-- 
2.5.5


Re: [Freeipa-devel] [Testplan] Thin client

2016-05-31 Thread Lenka Doudova

Hi,

thanks for reviewing, I changed the test plan to reflect your comments.

Lenka


On 05/31/2016 06:07 PM, Petr Vobornik wrote:

On 05/31/2016 03:30 PM, Lenka Doudova wrote:

Hi all,

here's [1] a draft of test plan for V4 RFE Thin client.

Please review this and let me know if there's something missing or wrong.


Thanks,

Lenka


[1] http://www.freeipa.org/page/V4/Thin_Client/Test_Plan


Hi Lenka,

It is implied, but somewhere should be mentioned that "the command" is a
command of IPA CLI - `ipa`. E.g. once in overview.

Missing:

Install 4.4 client against newer server, e.g. non-existent 4.5. Could be
simulated. I'm not sure if API version file is still relevant here.
Maybe it could be simulated by adding custom plugin which would
automatically change version hash (assuming it was implemented that way,
if not, please correct me).




[Freeipa-devel] [PATCH] 0059..0064 Lightweight sub-CAs

2016-05-31 Thread Fraser Tweedale
Hi team,

This patchset implements the 'ca' plugin for creating and managing
lightweight sub-CAs, and updates the 'caacl' plugin and
'cert-request' command to support multiple CAs.

A brief overview of the patches:

0059
  'ca' plugin, associated schema changes and container objects,
  Dogtag REST API wrapper
0060
  Add CA entry for the IPA CA on install/upgrade
0061
  Update 'caacl' plugin with CA support (including enforcement)
0062
  Update ra.request_certificate() to support specifying target CA
0063
  Add '--ca' option to 'cert-request' command
0064
  Add '--issuer' option to 'cert-find' command

These patches depend on other pending patches:

0051, 0052, 0053, 0054, 0055, 0056

Signing key replication depends on unmerged Dogtag patches.  Builds
of Dogtag with the required patches, and of FreeIPA with all
completed sub-CAs work, should be available from my COPR soon:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/

Some parts of the design are not implemented in the current
patchset, including:

- local parent CA (ipaca object) references
- sub-CA certificate renewal
- 'cert-show' command '--ca=NAME' option
- certmonger support for specifying CA
- revocation of deleted CAs

I look forward to your reviews!

Thanks,
Fraser
From bd30332dee424aebdedec9de1615320c3384bbac Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 14 May 2015 01:46:06 -0400
Subject: [PATCH 59/64] Add 'ca' plugin

This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ACI.txt   |   8 ++
 API.txt   |  60 +
 VERSION   |   4 +-
 install/conf/ipa-pki-proxy.conf   |   4 +-
 install/share/60certificate-profiles.ldif |   2 +
 install/share/bootstrap-template.ldif |   6 +
 install/updates/41-subca.update   |   4 +
 install/updates/Makefile.am   |   1 +
 ipalib/constants.py   |   2 +
 ipalib/plugins/ca.py  | 206 ++
 ipaserver/install/cainstance.py   |   7 +
 ipaserver/install/server/upgrade.py   |  16 ++-
 ipaserver/plugins/dogtag.py   |  44 ++-
 13 files changed, 358 insertions(+), 6 deletions(-)
 create mode 100644 install/updates/41-subca.update
 create mode 100644 ipalib/plugins/ca.py

diff --git a/ACI.txt b/ACI.txt
index 
cea814a0ceb7aea48b709236f0f88677e851ac92..dfa962ad9d43f9e7d7c750b865123150d282d4e5
 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example
 aci: (targetattr = "automountmapname || description")(targetfilter = 
"(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify 
Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount 
Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=automount,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl 
"permission:System: Remove Automount Maps";allow (delete) groupdn = 
"ldap:///cn=System: Remove Automount 
Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl 
"permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add 
CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl 
"permission:System: Delete CA";allow (delete) groupdn = "ldap:///cn=System: 
Delete CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipacaid")(targetfilter = 
"(objectclass=ipaca)")(version 3.0;acl "permission:System: Modify CA";allow 
(write) groupdn = "ldap:///cn=System: Modify 
CA,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=cas,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || 
ipacaid || modifytimestamp || objectclass")(targetfilter = 
"(objectclass=ipaca)")(version 3.0;acl "permission:System: Read CAs";allow 
(compare,read,search) userdn = "ldap:///all";;)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl 
"permission:System: Add CA ACL";allow (add) groupdn = "ldap:///cn=System: Add 
CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
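Review bot: the "System: Modify CA" ACI makes `ipacaid` writable (`targetattr = "cn || description || ipacaid"`), yet `ipacaid` is the attribute that binds the LDAP CA entry to the Dogtag authority, so anyone holding that permission could repoint a named CA, and every CA ACL that refers to it by name, at a different authority without needing "System: Add CA" or "System: Delete CA". Unless the plugin genuinely has to rewrite `ipacaid` after creation, narrow the write ACI to `cn || description` and let `ipacaid` be set only on add; `cn` has to stay writable if renaming via modrdn is to work, as discussed in the V4/Sub-CAs review thread. The "System: Read CAs" rule granting `compare,read,search` to `ldap:///all` (every authenticated bind) matches the other "System: Read" permissions in this file, so exposing `ipacaid` read-only is fine.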
diff --git a/API.txt b/API.txt
index 
3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..ad5691a035e261afa329fbdb33461c4cd3a0051a
 100644
--- a/API.txt
+++ b/API.txt
@@ -450,12 +450,72 @@ arg: Any('methods*')
 option: Str('version?')
 output: Output('count', type=[])
 

Re: [Freeipa-devel] V4/Sub-CAs review

2016-05-31 Thread Fraser Tweedale
On Mon, May 23, 2016 at 10:02:44AM +0200, Jan Cholasta wrote:
> > > > > 2) 
> > > > > 
> > > > > It should be mentioned here that the primary CA is also handled by 
> > > > > this
> > > > > plugin.
> > > > > 
> > > > > I would like to propose two additional fields:
> > > > > 
> > > > >   * subject (required) - subject name of the CA, to be able to look up
> > > > > sub-CA that issued a certificate from its issuer name.
> > > > > 
> > > > >   * issuer_ca (optional) - name of the sub-CA which issued 
> > > > > certificate for
> > > > > this CA, to have information about the sub-CA hierarchy. If there is 
> > > > > no
> > > > > sub-CA entry for the issuer, it would be unset.
> > > > > 
> > > > These data exist in the Dogtag database.  Adding them to IPA might
> > > > be useful for avoiding round trips so it is probably worth doing,
> > > > but are you aware of use cases that would absolutely require them?
> > > 
> > > As for subject, we are adding the ability to look up information about
> > > arbitrary certificates to cert-{show,find} as part of
> > > . Part of this information
> > > should be whether the certificate was issued by our CA and what CA it was,
> > > so that the web UI can present an appropriate "revoke certificate" button
> > > for the certificate.
> > > 
> > > As for issuer CA, I believe we need it to fix automatic CA certificate
> > > renewal. The current renewal code uses virtual "profiles" to handle CA
> > > certificate renewal, but that turned out to be an issue, especially with
> > > externally signed CA certificates:
> > > . Instead it could 
> > > use
> > > the issuer CA information from LDAP to figure out what needs to be done.
> > > (Note that during the renewal, Dogtag is offline.)
> > > 
> > > Also, both the attributes should be included for compatibility with 
> > > external
> > > CAs. At this point, I think it's only a matter of time when support for 
> > > them
> > > will be added (there were already several requests for such a feature), 
> > > and
> > > I would very much prefer to have to maintain only a single code path for 
> > > the
> > > generic stuff (which includes both of the attributes), instead of one for
> > > Dogtag and one for external CAs.
> > > 
> > OK, I'll add issuer DN and subject DN attributes to the ipaCa
> > objectClass.
> 
> Just to be clear, what I meant is for the issuer attribute to contain the DN
> of the CA entry in LDAP, not the issuer DN itself.
> 
I see; thanks for the clarification.  I'm going to publish the first
version of the patchset soon - it will not have this implemented
yet, but I think it's more important for me to get patches out for
review ASAP, and add this aspect in a subsequent patchset.

> > > > > """
> > > > > The Python script shall be installed at 
> > > > > /usr/libexec/pki-ipa-retrieve-key
> > > > > and shall be executed as pkiuser.
> > > > > """
> > > > > 
> > > > > Could you please use a subdirectory? Like /usr/libexec/pki (if the 
> > > > > script is
> > > > > going to be distributed with Dogtag) or /usr/libexec/ipa (if the 
> > > > > script is
> > > > > going to be distributed with IPA).
> > > > > 
> > > > What is the rationale - is it a packaging guideline or just common
> > > > sense?
> > > 
> > > I'm not sure if it's an actual guideline, but IMHO it's definitely common
> > > sense - I don't think littering the global namespace (i.e. /usr/libexec) 
> > > is
> > > ever preferable to keeping your stuff in your own namespace.
> > > 
> > I'll drop the script in a subdir.  While I'm at it, I think I will
> > move it to the IPA codebase, to improve locality of the Python code.
> > e.g. if CustodiaClient API or any other IPA Python API changes, the
> > code in pki repo will be too easily missed.
> 
> OK, makes sense.
> 
Latest version of patch 0054 installs the helper program under
/usr/libexec/ipa.

> > > Please don't use ipaUniqueId as the RDN unless absolutely necessary. Not
> > > only it makes debugging harder (because you can't tell which object is 
> > > which
> > > just by looking at the DN), it also requires the framework to do an extra
> > > LDAP search every time the DN needs to be translated to primary key.
> > > 
> > If cn is used in RDN, will changing cn (which then will be a modrdn
> > operation) correctly update the references from CA ACLs?
> 
> Yes, the referint DS plugin takes care of that.
> 
cn it is; no more ipaUniqueId.

> > 
> > > "host-authority" does not strike me as something familiar, and the "host"
> > > bit is kind of confusing, since it is not at all related to IPA hosts. 
> > > Could
> > > we use something more obvious ("default", "root", ...)?
> > > 
> > We shouldn't use "root" because it might not be a root CA.
> > 
> > We probably shouldn't use "default" because we might later want to
> > allow different default CAs for different profiles or princi

Re: [Freeipa-devel] [PATCH] 0052..0054 Configure lightweight CA key replication

2016-05-31 Thread Fraser Tweedale
Updated patches attached; comments inline.

On Thu, May 05, 2016 at 04:52:29PM +1000, Fraser Tweedale wrote:
> > I would rather add a new ACI than have one super-ACI for everything. That
> > way you don't have to invent any complicated naming schemes *and* it will be
> > more apparent what the ACI does.
> > 
> OK, I'll simplify the scheme and create corresponding ACIs.
> 
I added new ACIs for hosts to manage Dogtag keys; the keys live in
a container with RDN cn=dogtag, nested under the main custodia keys
container.

> > >>However, calling `CAInstance.setup_lightweight_ca_key_retrieval()'
> > >>*directly* from `ca.install_step_1' would probably work.  Are you
> > >>happy with putting it there, instead of `configure_instance()'?
> > 
> > Works for me.
> > 
> Cool, thanks.
> 
This is implemented in the latest patch.

Cheers,
Fraser
From 7395f98bcec1e54b076cf9e2ceac1e4368cfe7c9 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 3 May 2016 13:22:39 +1000
Subject: [PATCH] Add ACIs for Dogtag custodia client

The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys.  Add an ACI to permit this.

Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 install/updates/20-aci.update | 8 
 1 file changed, 8 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 
4802ae0458e8b870bf3127764ebabac1a48f7cf2..0d617d849be8a1fdc76bdeeda7560b032a45e629
 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -136,3 +136,11 @@ add:aci: (target = 
"ldap:///cn=replication,cn=etc,$SUFFIX";)(targetattr = "nsDS5R
 dn: cn=ipa,cn=etc,$SUFFIX
 add:aci: (target = 
"ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; acl "IPA 
server hosts can create own Custodia secrets"; allow(add) groupdn = 
"ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; and userdn = 
"ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
 add:aci: (target = 
"ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = 
"ipaPublicKey")(version 3.0; acl "IPA server hosts can manage own Custodia 
secrets"; allow(write) groupdn = 
"ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; and userdn = 
"ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
+# IPA server hosts can create and manage Dogtag Custodia secrets for same host
+dn: cn=ipa,cn=etc,$SUFFIX
+add:aci: (target = 
"ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(version 3.0; 
acl "IPA server hosts can create Dogtag Custodia secrets for same host"; 
allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; 
and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+add:aci: (target = 
"ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = 
"ipaPublicKey")(version 3.0; acl "IPA server hosts can manage Dogtag Custodia 
secrets for same host"; allow(write) groupdn = 
"ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"; and userdn = 
"ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
+
+# Dogtag service principals can search Custodia keys
+add:aci: (target = 
"ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX";)(targetattr = "ipaPublicKey || 
ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals 
can search Custodia keys"; allow(read, search, compare) userdn = 
"ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";;)
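Review bot: the two "for same host" rules correctly tie the entry to the bound host (the `cn=*/($$dn)` target captures the FQDN that `fqdn=($$dn),cn=computers` must then equal), but the `allow(add)` rule carries no targetattr or targattrfilters restriction, so a member of `cn=ipaservers` may create `cn=<type>/<its-own-fqdn>,cn=dogtag,...` with any `memberPrincipal` value. Patch 0053 below states that key lookup is a subtree search filtered on `ipaKeyUsage` and `memberPrincipal`, so an entry filed under host A's RDN but carrying `memberPrincipal=dogtag/B@$REALM` would be returned for B's Dogtag. Either constrain `memberPrincipal` with a `targattrfilters` clause, or have the Custodia server verify that the host part of `memberPrincipal` matches the entry RDN before trusting the key. The pre-existing host ACI in the context lines above has the same shape, so this may be accepted risk, but say so in the commit message. The third rule is correctly limited to `ipaPublicKey || ipaKeyUsage || memberPrincipal`, read-only, for `dogtag/*` principals.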
-- 
2.5.5

From 78bdf20af5dfaaa67ba0ba8b160f18c8cf31d54c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 11 Apr 2016 12:42:35 +1000
Subject: [PATCH 53/54] Optionally add service name to Custodia key DNs

Lightweight CAs support introduces new service principals for
Dogtag, with Custodia keys.  The current Custodia key creation uses
a DN that contains only the key type and the hostname, so keys for
multiple services on the same host cannot be created.

Add the 'generate_keys' method to generate keys for a host or an
arbitrary service.  When a service name is given, add the key
entries in a nested container with RDN 'cn='.  (The
container is assumed to exist).

This change does not affect searching because subtree search is
used, filtering on the ipaKeyUsage and memberPrincipal attributes.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipapython/secrets/kem.py | 26 +-
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index 
0abf28ae4403a7b6225404df361d12cb07ccc70b..0b810b090a0e7dff09d64a5ef8752eba2676babc
 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -3,6 +3,7 @@
 from __future__ import print_function
 from ipaplatform.paths import paths
 from six.moves.configparser import ConfigParser
+from ipapython.dn impor
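To make the allow/deny outcomes of the three ACIs in patch 0052 checkable offline, here is an added example, written for this page and not taken from FreeIPA or 389 DS: a simplified Python model of the pieces of 389 DS ACI evaluation these rules rely on (a subtree target with `*` wildcards, the `($dn)` macro copied from the target into the bind rule, `targetattr`, `groupdn` and `userdn`). It assumes the suffix `dc=ipa,dc=example` and realm `IPA.EXAMPLE` in place of `$SUFFIX`/`$REALM`, and the host, service and entry DNs at the bottom are constructed sample data. Group membership is supplied by the caller rather than looked up, deny ACIs and per-attribute read granularity are not modelled, and `($$dn)` in the `.update` file is the same macro with `$` escaped for the updater.

```python
"""Toy model of 389 DS macro ACIs (added example; not FreeIPA or 389 DS code)."""
import re

SUFFIX = "dc=ipa,dc=example"   # assumed; the update file writes $SUFFIX
REALM = "IPA.EXAMPLE"          # assumed; the update file writes $REALM
MACRO = "($dn)"                # spelled ($$dn) in .update files, where $ is escaped


def _strip_ldap(pattern):
    return pattern[len("ldap:///"):] if pattern.startswith("ldap:///") else pattern


def _target_re(template):
    """Target DN with '*' wildcards, applying to the entry and its subtree.
    The macro captures the RDN value it stands in for."""
    esc = re.escape(_strip_ldap(template))
    esc = esc.replace(re.escape(MACRO), r"(?P<dn>[^,]+)")
    esc = esc.replace(re.escape("*"), r"[^,]*")
    return re.compile(r"^(?:.*,)?" + esc + r"$", re.IGNORECASE)


def _bind_re(template, macro_value):
    """Bind-rule DN, matched exactly, with the captured macro substituted in."""
    template = _strip_ldap(template)
    if MACRO in template:
        if macro_value is None:
            return None                 # nothing captured: the rule cannot match
        template = template.replace(MACRO, macro_value)
    esc = re.escape(template).replace(re.escape("*"), r"[^,]*")
    return re.compile(r"^" + esc + r"$", re.IGNORECASE)


class Aci:
    def __init__(self, name, target, rights, targetattr=None, groupdn=None, userdn=None):
        self.name = name
        self.rights = set(rights)
        self.target = _target_re(target)
        # None means the ACI has no targetattr clause, i.e. it covers all attributes
        self.targetattr = None if targetattr is None else {a.lower() for a in targetattr}
        self.groupdn = None if groupdn is None else _strip_ldap(groupdn).lower()
        self.userdn = userdn

    def allows(self, op, entry_dn, bind_dn, attrs=(), member_of=()):
        if op not in self.rights:
            return False
        m = self.target.match(entry_dn)
        if not m:
            return False
        macro_value = m.groupdict().get("dn")
        # Simplification: every attribute touched must be granted. Real 389 DS
        # evaluates read/search attribute by attribute rather than all-or-nothing.
        if self.targetattr is not None and any(a.lower() not in self.targetattr for a in attrs):
            return False
        # "groupdn = ... and userdn = ..." means both bind rules must hold.
        if self.groupdn is not None and self.groupdn not in {_strip_ldap(g).lower() for g in member_of}:
            return False
        if self.userdn is not None:
            rule = _bind_re(self.userdn, macro_value)
            if rule is None or not rule.match(bind_dn):
                return False
        return True


DOGTAG_CONTAINER = "cn=dogtag,cn=custodia,cn=ipa,cn=etc," + SUFFIX
IPASERVERS = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts," + SUFFIX
HOST_BIND = "ldap:///fqdn=($dn),cn=computers,cn=accounts," + SUFFIX

# The three rules from the patch, transcribed with the macro and wildcards intact.
ACIS = [
    Aci("IPA server hosts can create Dogtag Custodia secrets for same host",
        target="ldap:///cn=*/($dn)," + DOGTAG_CONTAINER, rights=["add"],
        groupdn=IPASERVERS, userdn=HOST_BIND),
    Aci("IPA server hosts can manage Dogtag Custodia secrets for same host",
        target="ldap:///cn=*/($dn)," + DOGTAG_CONTAINER, rights=["write"],
        targetattr=["ipaPublicKey"], groupdn=IPASERVERS, userdn=HOST_BIND),
    Aci("Dogtag service principals can search Custodia keys",
        target="ldap:///cn=*,cn=custodia,cn=ipa,cn=etc," + SUFFIX,
        rights=["read", "search", "compare"],
        targetattr=["ipaPublicKey", "ipaKeyUsage", "memberPrincipal"],
        userdn="ldap:///krbprincipalname=dogtag/*@" + REALM + ",cn=services,cn=accounts," + SUFFIX),
]


def permitted(op, entry_dn, bind_dn, attrs=(), member_of=()):
    """389 DS is deny-by-default: allowed iff some allow ACI matches."""
    return any(a.allows(op, entry_dn, bind_dn, attrs, member_of) for a in ACIS)


# Constructed sample DNs for the worked checks below.
HOST1 = "fqdn=host1.ipa.example,cn=computers,cn=accounts," + SUFFIX
OWN_KEY = "cn=sig/host1.ipa.example," + DOGTAG_CONTAINER
OTHER_KEY = "cn=sig/host2.ipa.example," + DOGTAG_CONTAINER
DOGTAG2 = "krbprincipalname=dogtag/host2.ipa.example@" + REALM + ",cn=services,cn=accounts," + SUFFIX
SERVERS = ["cn=ipaservers,cn=hostgroups,cn=accounts," + SUFFIX]

if __name__ == "__main__":
    print("host1 adds own key:     ", permitted("add", OWN_KEY, HOST1, member_of=SERVERS))
    print("host1 adds host2's key: ", permitted("add", OTHER_KEY, HOST1, member_of=SERVERS))
    print("host1 writes memberPrincipal:", permitted("write", OWN_KEY, HOST1, ["memberPrincipal"], SERVERS))
    print("dogtag/host2 reads host1 pubkey:", permitted("read", OWN_KEY, DOGTAG2, ["ipaPublicKey"]))
```

The model shows where the least-privilege boundary actually sits: the macro prevents host1 from creating or editing an entry filed under host2's FQDN, and `targetattr` keeps the write grant to `ipaPublicKey`, but nothing in the add rule constrains the *contents* of a freshly created entry, which is why a value check on `memberPrincipal` belongs on the consumer side.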

Re: [Freeipa-devel] [PATCH] 0051 Allow CustodiaClient to be used by arbitrary principals

2016-05-31 Thread Fraser Tweedale
Updated patch attached; comments inline below.

On Mon, Apr 25, 2016 at 07:55:46AM +0200, Jan Cholasta wrote:
> I think it would be better to merge the `client` and `client_servicename`
> into a single `client_principal` argument, as both of the arguments are used
> only to specify the principal name of the client.
> 
Done.

> Also I would prefer if the keyfile and keytab arguments were required,
> because it's better if you can explicitly see what values are used at the
> call site.
> 
Done.

> Why is init_creds() now called from __init__()? Why is it still called from
> _auth_header()?
> 
I invoke it from __init__ for more eager failure if there's a
problem (e.g. service is not in keytab), giving better error
locality.

It remains necessary to invoke it from _auth_header in case of
short-lived credentials.  I added some comments to the source.

> Why is ldap_uri now passed to IPAKEMKeys()?
> 
It tries to use LDAPI by default, so ldap_uri needs to be passed
through if process owner cannot access LDAPI socket.  I added
commentary to source.

Regarding your suggestion to make a base class and override class
variables, I prefer to pass values around.  There are very few
instantiations of CustodiaClient so it is easy enough to follow.

Thanks,
Fraser
From ba34a8f5c9b3e31a511e01266e3d3fedd53bcca6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 8 Apr 2016 15:21:19 +1000
Subject: [PATCH] Allow CustodiaClient to be used by arbitrary principals

Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab.  Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.

Part of: https://fedorahosted.org/freeipa/ticket/4559
---
 ipapython/secrets/client.py   | 20 +---
 ipaserver/install/custodiainstance.py | 14 +++---
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 
5b671988ddc66eedd9ae1cd4ddec0e1308bc5a93..56ed6f7944c46393ed225cde1b5e0bb80fe6bef0
 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,22 @@ class CustodiaClient(object):
 
 return iSecStore(config)
 
-def __init__(self, client, server, realm, ldap_uri=None, auth_type=None):
-self.client = client
-self.creds = None
+def __init__(
+self, client_service, keyfile, keytab, server, realm,
+ldap_uri=None, auth_type=None):
+self.client_service = client_service
+self.keytab = keytab
+
+# Init creds immediately to make sure they are valid.  Creds
+# can also be re-inited by _auth_header to avoid expiry.
+#
+self.creds = self.init_creds()
 
 self.service_name = gssapi.Name('HTTP@%s' % (server,),
 gssapi.NameType.hostbased_service)
 self.server = server
 
-keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
-self.ikk = IPAKEMKeys({'server_keys': keyfile})
+self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
 
 self.kemcli = KEMClient(self._server_keys(server, realm),
 self._client_keys())
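Review bot: `IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})` now always passes an `ldap_uri` key, set to `None` when the caller gives none; if `IPAKEMKeys` resolves the URI with something like `config.get('ldap_uri', <ldapi default>)`, the explicit `None` overrides the LDAPI default this reply says it is meant to preserve. Either add the key only when `ldap_uri` is set, or confirm in the comment that `IPAKEMKeys` treats `None` as "use LDAPI". Moving `self.creds = self.init_creds()` into `__init__` is good for early failure, but it runs before `self.server` is assigned, so keep it that way only as long as `init_creds()` does not grow a dependency on the server name.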
@@ -61,9 +67,9 @@ class CustodiaClient(object):
 requests.packages.urllib3.disable_warnings()
 
 def init_creds(self):
-name = gssapi.Name('host@%s' % (self.client,),
+name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
-store = {'client_keytab': paths.KRB5_KEYTAB,
+store = {'client_keytab': self.keytab,
  'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
 
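Review bot: `gssapi.Name(self.client_service, gssapi.NameType.hostbased_service)` means `client_service` must be in GSS host-based form (`dogtag@host.example`), not the Kerberos `dogtag/host.example@REALM` form that the commit message calls "the Dogtag service principal"; a caller passing the principal form gets an unhelpful failure at `init_creds()`. Please name the expected format in the `__init__` parameter comment or docstring. Unchanged context, but worth a follow-up: `'MEMORY:Custodia_%s' % b64encode(os.urandom(8))` formats a `bytes` value under Python 3, so the ccache name ends up containing `b'...'`; `.decode()` it when this code is ported.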
diff --git a/ipaserver/install/custodiainstance.py 
b/ipaserver/install/custodiainstance.py
index 
d5c5bf738752ab4cf84f98285a37b820c80fa3be..be3f661caa4291bba91a90d5adaf17d63f903d30
 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -12,6 +12,7 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import sysupgrade
 from base64 import b64encode, b64decode
 from jwcrypto.common import json_decode
+import functools
 import shutil
 import os
 import tempfile
@@ -28,6 +29,13 @@ clas

Re: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout

2016-05-31 Thread Martin Basti



On 31.05.2016 09:41, Stanislav Laznicka wrote:

On 05/30/2016 02:12 PM, Petr Spacek wrote:

On 28.5.2016 15:59, Martin Basti wrote:

On 27.05.2016 14:52, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/5833




Is it possible to remove the timeout completely, as it used to be before?

Even if this timeout is exceeded, the command continues executing and it just
doesn't print the result to the user.

I agree with Martin. The timeout is pointless, please remove it or set it to
2^31 or so.

The documentation does not clearly state what happens in the corner 
cases of this setting. However, by looking at the source code, I'm 
guessing that 0 is the default value which would eventually point to 
the Apache TimeOut and negative values seem just wrong for them here. 
They are converting it with atoi(), so I propose to set this to 2^31-1.




Please put your findings to the ticket, patch LGTM I will test it today.

Martin^2

Re: [Freeipa-devel] [PATCH 0037] Added /etc/krb5.conf.d/ to krb5.conf

2016-05-31 Thread Robbie Harwood
Alexander Bokovoy  writes:

> On Sat, 28 May 2016, Robbie Harwood wrote:
>> Alexander Bokovoy  writes:
>>> On Fri, 27 May 2016, Robbie Harwood wrote:
 Stanislav Laznicka  writes:
> From: Stanislav Laznicka 
>
> The include of /etc/krb5.conf.d/ is required for crypto-policies
> to work properly
>
> https://fedorahosted.org/freeipa/ticket/5912

 Thank you for working on this.  Is the intent on the part of
 FreeIPA to keep a separate, freeipa-specific directory?  And if so,
 can I suggest that we not do that?
>>>
>>> SSSD cannot write to /etc and I don't think we have to change it.
>>
>> Can you elaborate on this?  Why can't sssd write the stuff it puts in
>> /var/lib into /etc, or symlink it?
>
> Writing to /etc is considered a privilege of a system administrator. A
> runtime override is typically done outside it, in /run like systemd
> allows for its configuration for volatile setups and in /var/lib
> for non-volatile ones. The latter has long been a state of affairs in
> Linux.
>
> Currently SSSD runs under root but it is already made possible to run as
> non-root user and we intend to switch to that mode in future releases.

I guess I don't see a meaningful difference here.  We're still writing
to /etc when we modify krb5.conf.

My reading of the FHS is that this is not an intended use of /var/lib:
/var/lib is for state information [0], and the only time the FHS
mentions config files is to point out that they go in the /etc tree.

Anyway, I've said my piece and won't derail this further.  If you want
to merge, this is a cosmetic issue and I can live with it.

[0]: http://www.pathname.com/fhs/pub/fhs-2.3.html#VARLIBVARIABLESTATEINFORMATION
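Because the whole patch 0037 thread turns on what `includedir /etc/krb5.conf.d/` actually pulls in, here is an added example (written for this page, not FreeIPA, krb5 or crypto-policies code) that models libkrb5's `includedir` name rule as documented in krb5.conf(5): a file is read only if its name consists solely of alphanumerics, dashes and underscores, or, from MIT krb5 1.15 on, ends in `.conf` and does not start with a dot. The in-memory file tree, the `crypto-policies` drop-in text and the stray `.rpmnew`/`.swp` files are constructed sample data; the sorted read order and the "missing include target is an error" behaviour are assumptions, not documented facts.

```python
"""Model of krb5.conf include/includedir expansion (added example, not krb5 code)."""
import re

_PLAIN_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def includable(name, krb5_version=(1, 15)):
    """krb5.conf(5) rule for includedir: alphanumerics, '-' and '_' only, or
    (MIT krb5 >= 1.15) a name ending in '.conf' that does not start with '.'."""
    if _PLAIN_NAME.match(name):
        return True
    return krb5_version >= (1, 15) and name.endswith(".conf") and not name.startswith(".")


def expand(path, fs, krb5_version=(1, 15), _depth=0):
    """Return (source_path, line) pairs after processing include/includedir.
    `fs` maps file paths to text and directory paths to a list of names.
    A missing include target raises KeyError (assumption about libkrb5)."""
    if _depth > 8:
        raise RuntimeError("include nesting too deep at %s" % path)
    out = []
    for line in fs[path].splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "include":
            out += expand(words[1], fs, krb5_version, _depth + 1)
        elif len(words) == 2 and words[0] == "includedir":
            d = words[1].rstrip("/")
            for name in sorted(fs[d]):          # sorted order is an assumption
                if includable(name, krb5_version):
                    out += expand(d + "/" + name, fs, krb5_version, _depth + 1)
        else:
            out.append((path, line))
    return out


def relations(expanded):
    """Top-level key = value relations per [section], tagged with their source.
    Nested { } subsections are skipped in this simplified parser."""
    out, section, depth = {}, None, 0
    for src, line in expanded:
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if depth == 0 and s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif s.endswith("{"):
            depth += 1
        elif s == "}":
            depth -= 1
        elif depth == 0 and section is not None and "=" in s:
            key, value = (x.strip() for x in s.split("=", 1))
            out.setdefault(section, []).append((key, value, src))
    return out


# Constructed sample tree: an IPA-style krb5.conf plus a drop-in directory with
# one legitimate snippet and two files whose names disqualify them.
SAMPLE_FS = {
    "/etc/krb5.conf": "includedir /etc/krb5.conf.d/\n\n[libdefaults]\n"
                      "  default_realm = IPA.EXAMPLE\n  dns_lookup_kdc = true\n",
    "/etc/krb5.conf.d": ["crypto-policies", "freeipa.conf.rpmnew",
                         ".crypto-policies.swp", "10-site.conf"],
    "/etc/krb5.conf.d/crypto-policies":
        "[libdefaults]\n  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96\n",
    "/etc/krb5.conf.d/freeipa.conf.rpmnew": "[libdefaults]\n  permitted_enctypes = des-cbc-crc\n",
    "/etc/krb5.conf.d/.crypto-policies.swp": "editor swap file, not a config",
    "/etc/krb5.conf.d/10-site.conf": "[libdefaults]\n  udp_preference_limit = 0\n",
}


def included_sources(path, fs, krb5_version=(1, 15)):
    """Set of files that contributed at least one line."""
    return {src for src, _ in expand(path, fs, krb5_version)}


if __name__ == "__main__":
    for ver in ((1, 14), (1, 15)):
        print("krb5 %d.%d reads:" % ver, sorted(included_sources("/etc/krb5.conf", SAMPLE_FS, ver)))
    for key, value, src in relations(expand("/etc/krb5.conf", SAMPLE_FS)).get("libdefaults", []):
        print("  %s = %s   (from %s)" % (key, value, src))
```

The practical caveat for a drop-in scheme like the one FreeIPA is adding: a snippet that a package manager renames to `foo.conf.rpmnew`, or that an editor leaves behind as `.foo.swp`, silently stops contributing, and on a 1.14-era libkrb5 even a plain `10-site.conf` is ignored, so a policy file you believe is enforcing `permitted_enctypes` may not be loaded at all.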



Re: [Freeipa-devel] [Testplan Review]

2016-05-31 Thread Petr Vobornik
On 05/23/2016 09:23 AM, Oleg Fayans wrote:
> Hi Petr,
> 
> The test plan is updated.

Thanks,

is it possible to number test cases? It is hard to refer to them without
copying the full name.

1. first test case: `ipa host-find` will show the host entry, but cert
will be revoked and kerb key removed

2. "Test case: server_del API call is executed at ipa-server-install
--uninstall on the replica under domain "
In dom. lvl 1(after step 3), checks/output from first test case should
apply here + server should be uninstalled.

3. *-ruv subcommands of ipa-replica-manage are extended to handle
CA-specific RUVs

I'll assume that '97' is just an example. It might be different.

It is possible that step 3 will fail - it's racy.

4. Last test case with the "autogenerated" placeholder is not much
important - so only if you have nothing more important to do.

Web UI will get interactive add of segments + some other improvements in
a topology graph but I don't know if it can be tested easily.

> 
> On 05/19/2016 12:54 PM, Petr Vobornik wrote:
>> On 05/19/2016 12:38 PM, Oleg Fayans wrote:
>>> Hi all,
>>>
>>> I've created the first version of the testplan for Topology Management
>>> feature in 4.4 release:
>>> http://www.freeipa.org/page/V4/Manage_replication_topology_4_4/Test_Plan
>>>
>>> Could someone please review it?
>>>
>>
>> I'll mention what are the important parts.
>>
>> 1. In the 3 scenarios, the most important one is testing the
>> `ipa-server-install --uninstall`. There it is more important to check
>> whether it did the same as `ipa-csreplica-manage del`,
>> `ipa-replica-manage del` and `ipa-server-install --uninstall` procedure.
>> Which means removal of master entry, DNS records, Kerberos keys,
>> revocation of certificates... Checking RUVs is not the critical part.
>>
>> 2. I miss test for move of `ipa-replica-manage set-renewal-master` to API
> 
> Isn't it more related to the server roles feature? Will it be one of the
> ipa server* commands?

True

> 
>>
>> 3. test of new `ipa server-del` method
>>
>> when these three are done then I'd focus on RUVs
>>
> 


-- 
Petr Vobornik



Re: [Freeipa-devel] [Testplan Review] Server Roles

2016-05-31 Thread Petr Vobornik
On 05/25/2016 04:14 PM, Oleg Fayans wrote:
> Hi guys. Here is a rather schematic (as neither the feature nor the
> design document is complete) of the server roles testplan. Could you
> please review it and tell me what is missing?
> 
> http://www.freeipa.org/page/V4/Server_Roles/Test_Plan
> 

Note: I've not done thorough review.

1. you have wrong command for showing and setting renewal master. It's
done using config-mod|show

Today the design page[1] got an update, but still, I think it was there
even before.

2. Roles will be also shown in dnsconfig-show, trustconfig-show,
vaultconfig-show commands.

[1] http://www.freeipa.org/page/V4/Server_Roles
-- 
Petr Vobornik



Re: [Freeipa-devel] [Testplan] Thin client

2016-05-31 Thread Petr Vobornik
On 05/31/2016 03:30 PM, Lenka Doudova wrote:
> Hi all,
> 
> here's [1] a draft of test plan for V4 RFE Thin client.
> 
> Please review this and let me know if there's something missing or wrong.
> 
> 
> Thanks,
> 
> Lenka
> 
> 
> [1] http://www.freeipa.org/page/V4/Thin_Client/Test_Plan
> 

Hi Lenka,

It is implied, but somewhere should be mentioned that "the command" is a
command of IPA CLI - `ipa`. E.g. once in overview.

Missing:

Install 4.4 client against newer server, e.g. non-existent 4.5. Could be
simulated. I'm not sure if API version file is still relevant here.
Maybe it could be simulated by adding custom plugin which would
automatically change version hash (assuming it was implemented that way,
if not, please correct me).
-- 
Petr Vobornik



[Freeipa-devel] [PATCH 0038] Reduced time for IO blocking of DS

2016-05-31 Thread Stanislav Laznicka

Hello,

This is a fix to https://fedorahosted.org/freeipa/ticket/5383. From the 
comments I am not sure if nsslapd-idletimeout should be reduced as well. 
If so, could you please propose a value that you find reasonable?


Thanks,
Standa
From 812566cc687fedc1df2f00950440e9e7abd67d99 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 31 May 2016 17:01:29 +0200
Subject: [PATCH] Decreased timeout for IO blocking for DS

Should fix the DS from going unresponsive in some cases

https://fedorahosted.org/freeipa/ticket/5383
---
 install/updates/10-config.update | 4 
 1 file changed, 4 insertions(+)

diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 0914fb93880942cdd1f0bb142461256e9b960167..f725bbfdcdb8171f8954ed19fc31ac5f6b4242eb 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -68,3 +68,7 @@ only:nsslapd-sasl-max-buffer-size:2097152
 # setting, password migration fails
 dn: cn=config
 only:nsslapd-allow-hashed-passwords:on
+
+# Decrease default value for IO blocking to prevent server unresponsiveness
+dn: cn=config
+only:nsslapd-ioblocktimeout:1
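Review bot: `nsslapd-ioblocktimeout` is expressed in milliseconds, so `only:nsslapd-ioblocktimeout:1` tells 389 DS to close any client connection that stalls for one millisecond, which will cut off perfectly healthy clients on a loaded network rather than just the blocked ones the commit message is aiming at; a value in the seconds range (389 DS documents 10000 as its current default) gives the same protection against the unresponsiveness in ticket 5383 without that collateral. Note also that `only:` rewrites the attribute on every `ipa-server-upgrade`, so an administrator who tuned this value will have it clobbered; if that is intended, say so in the comment above the entry.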
-- 
2.5.5


Re: [Freeipa-devel] [PATCH 0033] Fix CA being presented as running even if it weren't

2016-05-31 Thread Stanislav Laznicka

On 05/31/2016 11:40 AM, Stanislav Laznicka wrote:

On 05/31/2016 10:22 AM, Stanislav Laznicka wrote:

On 05/30/2016 12:54 PM, Jan Cholasta wrote:

On 30.5.2016 12:36, Martin Basti wrote:



On 26.05.2016 19:31, Stanislav Laznicka wrote:


Self NACK. I should not post patches when tired, sorry. Minor fix is
attached.


On 05/26/2016 07:21 PM, Stanislav Laznicka wrote:

Hello,

Please, see the attached patch. Fixes
https://fedorahosted.org/freeipa/ticket/5898

Standa





LGTM, if nobody is against this, I will push it in 2 days


NACK, please add `wait` argument and call self.wait_until_running(), 
same as in start() and restart().



A pretty good point, please see the modified patch.
Self NACK - can't add a 'wait' argument to service.Service.is_running 
this easily.



Should be fixed now.
From 7de58955f4876a3c9cfbfb22b38931b9dd95062e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 26 May 2016 15:24:15 +0200
Subject: [PATCH] Fixes CA always being presented as running

Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.

https://fedorahosted.org/freeipa/ticket/5898
---
 ipaplatform/base/services.py   |  4 ++--
 ipaplatform/redhat/services.py | 17 +
 ipaserver/install/service.py   |  4 ++--
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 641a654183c52c0330cb4ece2a54c6bd0a96394c..a36b2f4ff7f325f882bdb9974e59259656b9a10e 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -148,7 +148,7 @@ class PlatformService(object):
 def restart(self, instance_name="", capture_output=True, wait=True):
 return
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 return False
 
 def is_installed(self):
@@ -303,7 +303,7 @@ class SystemdService(PlatformService):
 if wait and self.is_running(instance_name):
 self.wait_for_open_ports(self.service_instance(instance_name))
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 instance = self.service_instance(instance_name, 'is-active')
 
 while True:
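Review bot: `wait` is added to the signature of `SystemdService.is_running` (and of `PlatformService.is_running` in the hunk above) but nothing in the visible body uses it, so for every service except the CA subclass the argument is silently ignored. Either document in a docstring that `wait` only has an effect where a subclass implements a startup wait, or give it a meaning here (for example, when `wait=True` return True only once the unit is active and `wait_for_open_ports` has succeeded), so that callers such as `if wait and self.is_running(instance_name):` get consistent semantics across services.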
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 92dae452a31a0b3680e9c407eccb120881cc9e25..849737059d54df5af47ae288ef97b933d9e869fe 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -222,6 +222,23 @@ class RedHatCAService(RedHatService):
 if wait:
 self.wait_until_running()
 
+def is_running(self, instance_name="", wait=True):
+if instance_name:
+return super(RedHatCAService, self).is_running(instance_name)
+try:
+status = dogtag.ca_status()
+if status == 'running':
+return True
+elif status == 'starting' and wait:
+# Exception is raised if status is 'starting' even after wait
+self.wait_until_running()
+return True
+except Exception as e:
+root_logger.debug(
+'Failed to check CA status: {err}'.format(err=e)
+)
+return False
+
 
 # Function that constructs proper Red Hat OS family-specific server classes for
 # services of specified name
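Review bot: in the `instance_name` branch of `RedHatCAService.is_running`, `wait` is not forwarded to `super(RedHatCAService, self).is_running(instance_name)`, so a caller passing `wait=False` still gets the default; pass `wait=wait` through. The bare `except Exception` also catches a failure of `wait_until_running()` as well as any error from `dogtag.ca_status()` and turns both into `return False` with only a debug-level log, so a CA that is broken becomes indistinguishable from one that is simply stopped; log the exception at warning level or narrow the except so that unexpected errors surface. Finally, any status other than 'running' or 'starting' falls through to `return False` without the status being logged, which will make "why does IPA think the CA is down" hard to answer from the logs.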
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 40767acd57d5e1fa8126144ca64f6951848ce214..c09dc9013b091e6eebcf9b297fef8337671ce40e 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -346,8 +346,8 @@ class Service(object):
 def restart(self, instance_name="", capture_output=True, wait=True):
 self.service.restart(instance_name, capture_output=capture_output, wait=wait)
 
-def is_running(self):
-return self.service.is_running()
+def is_running(self, instance_name="", wait=True):
+return self.service.is_running(instance_name, wait)
 
 def install(self):
 self.service.install()
-- 
2.5.5


Re: [Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

2016-05-31 Thread Nathaniel McCallum
On Tue, 2016-05-31 at 15:25 +0200, Petr Vobornik wrote:
> On 05/31/2016 02:49 PM, Nathaniel McCallum wrote:
> > On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote:
> > > On Mon, 30 May 2016, Petr Vobornik wrote:
> > > > On 05/27/2016 06:00 PM, Nathaniel McCallum wrote:
> > > > > Pavel, since we made the change here from a StrEnum to a Str,
> > > > > we
> > > > > need
> > > > > to update the UI patch accordingly.
> > > > 
> > > > How should admin know what to write there intuitively?
> > > > 
> > > > Shouldn't Web UI or CLI advertise the indicators supported by
> > > > IPA?
> > > > E.g.
> > > > CLI in doc string. Web UI might even combine checkboxes (otp,
> > > > radius)
> > > > with textbox.
> > > That would be better, I think. We still need to keep the API with
> > > a
> > > free
> > > text field but Web UI, of course, should provide some pre-defined
> > > labels.
> > 
> > I *think* this means that this patch doesn't need any changes. Is
> > that
> > correct? If so, can I get a review? :)
> > 
> 
> I meant that the param's 'doc' attribute can get the supported
> values.
> So that they would be shown in `ipa service-mod --help`
> 
> Btw, the `required: false` and `multivalued: true` can be simplified
> into Str('krbprincipalauthind*')

I fixed the doc string as well as the verbosity. I also rebased against
the current master.
From 786ca520566fa5ae7ffe7c309f33cea6096781ff Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Wed, 4 May 2016 17:08:45 -0400
Subject: [PATCH] Enable service authentication indicator management

https://fedorahosted.org/freeipa/ticket/433
---
 API.txt   |  9 ++---
 VERSION   |  4 ++--
 ipalib/plugins/service.py | 10 +-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69..94e2cb71bc5fe777b219b7174c3057bc222fbb78 100644
--- a/API.txt
+++ b/API.txt
@@ -3901,7 +3901,7 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: service_add
-args: 1,11,3
+args: 1,12,3
 arg: Str('krbprincipalname', cli_name='principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -3909,6 +3909,7 @@ option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
+option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
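Review bot: `krbprincipalauthind` is declared as a free-form `Str` while the neighbouring `ipakrbauthzdata` is a `StrEnum`, so nothing in this API rejects a mistyped indicator: a typo is accepted and stored as given, and the service would then require an indicator that no client can presumably present. Listing the supported values in the `doc` attribute (as agreed in the thread) helps discoverability but does not validate input; consider at least a `pattern` restricting the value to the characters an indicator can contain, and state in the option help that values outside the known set are accepted deliberately.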
@@ -4011,10 +4012,11 @@ output: Output('completed', type=[])
 output: Output('failed', type=[])
 output: Entry('result')
 command: service_find
-args: 1,11,4
+args: 1,12,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('krbprincipalname?', autofill=False, cli_name='principal')
 option: Str('man_by_host*', cli_name='man_by_hosts')
 option: Flag('no_members', autofill=True, default=True)
@@ -4029,7 +4031,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: service_mod
-args: 1,12,3
+args: 1,13,3
 arg: Str('krbprincipalname', cli_name='principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4037,6 +4039,7 @@ option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Flag('rights', autofill=True, default=False)
diff --git a/VERSION b/VERSION
index 45fdb09788dbc6496272da786bb6d6afa45bf118..29e67f3d7ed232de8d6e71ea6b58bd1f1cbbea5d 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=170
-# Last change: mbasti - *-find: do not search for members by default
+IPA_API_VERSION_MINOR=171
+# Last change: npmccallum - enable setting authinds on services
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 2d3476e832dc8694eae04a0ecd5c

Re: [Freeipa-devel] Provisioning throughput

2016-05-31 Thread thierry bordaz



On 05/31/2016 02:02 PM, Petr Vobornik wrote:

On 05/04/2016 02:20 PM, thierry bordaz wrote:

Hello,

 I have been doing some tests/measures using
 https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py.
 The tool creates a set of typical users/hosts/groups... to import with a
 ldapadd.

 I wrote down some findings in
 
http://www.freeipa.org/page/V4/Performance_Improvements#Provisioning_throughput_and_DS_plugins.
 I still have to do some cleanup around the performance but the basics of a
 possible improvement is to do provisioning in several steps (disabling
 plugins, provisioning, enabling plugin, running fixup tasks).

 Before going further in the design I wanted to share those ideas and know 
if
 it raises any concern.

 thanks
 thierry


Let me conclude the previous sub-thread and also continue with
discussion we had over phone.

The subthread ended with a proposal to go with offline provisioning by
disabling LDAP ports similar to ipa-server-upgrade tool and then using
LDAPI to add records by using ipalib in server mode e.g., as in
ipa_otptoken_import.py

So these are the tasks to solve/investigate:

1. Provide guidance/write script which would disable memberof plugin and
other plugins. Disable ldap and ldaps port


I started describing the operations at 
http://www.freeipa.org/page/V4/Performance_Improvements#Algorithm.
It needs to be updated with disabling the regular ports and accessing 
through ldapi.


2. Provide guidance/script how to use ipalib in server mode and how to
import data. This could even be a script which would load a file in some
format (e.g. JSON) and execute commands from the file. Basically what
Alexander was proposing and I was against it. After some thought, I
agree that the tool could be easy to write but I'd rather avoid adding
it to the 4.4 release, maybe even to future releases. Because:
  - It's almost the same as `[RFE] run multiple CLI commands in a batch`
 With the distinction that
it connects directly to LDAPI and not the public API. First I'd like to see
#5821 and then we can think of using the same logic (input) to work in
"migration" mode.
- I don't want to include a quickly baked tool so late in 4.4
development. It will have design flaws which will be harder to fix
later. I don't want to lose time with discussion about the design of the
tool in this phase of 4.4.
Investigating an ldap bulk load, there is a quite limited set of 
operations to prepare the instance, run an ldap bulk load and run fixup.
However, starting yesterday looking at ipa-otptoken-import I am still 
unable to connect through ldapi and do those really simple operations... 
so even if it could be easy to write the tool, my progress starts slowly.


Regarding the batch commands, it looks quite different from bulk import 
because batch commands (like user-add) run several ldap ops 
(SRCH/ADD/MOD) and also batch commands do expect that DS plugins like 
memberof are enabled.




3. Provide guidance/script to revert #1 and run memberof fixup task.

4. Investigate how replication of so many records with member attributes
will affect other replicas. I.e. if it would not brick entire topology.

*Right now #4 seems to be the most important*.


This was shortly described in 
http://www.freeipa.org/page/V4/Performance_Improvements#Memberof_plugin 
and 
http://www.freeipa.org/page/V4/Performance_Improvements#Replication_being_late.


The topology will slowly converge and eventually all provisioned entries 
will be available everywhere.
But slowly can mean hours or even days before it converges. During that 
period, a provisioned rule can grant some rights on one replica (where 
it was imported) but will not grant them on another where the rule is not 
yet replicated.


If the topology is a production topology, it can be better to rely on 
total init of the replicas than on replication.






Then #1, #2, #3 could be delivered as sample scripts included in
documentation and/or a blog post/github. It would allow us to change them
later. I would not focus on #2 before other core 4.4 items are finished.
A lot of guidance is already written in the design page but it will
need to be transformed into an easily consumable form for admins. The scripts
can be prepared even when 4.4 is out.

In other words I would not create any official new ipa utility yet.




[Freeipa-devel] [Testplan] Authentication indicators

2016-05-31 Thread Lenka Doudova

Hi all,

here's [1] a draft of test plan for V4 RFE Authentication Indicators.

Please review this and let me know if there's something missing or wrong.


Thanks,

Lenka


[1] http://www.freeipa.org/page/V4/Authentication_Indicators/Test_Plan


[Freeipa-devel] [Testplan] Thin client

2016-05-31 Thread Lenka Doudova

Hi all,

here's [1] a draft of test plan for V4 RFE Thin client.

Please review this and let me know if there's something missing or wrong.


Thanks,

Lenka


[1] http://www.freeipa.org/page/V4/Thin_Client/Test_Plan



Re: [Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

2016-05-31 Thread Petr Vobornik
On 05/31/2016 02:49 PM, Nathaniel McCallum wrote:
> On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote:
>> On Mon, 30 May 2016, Petr Vobornik wrote:
>>> On 05/27/2016 06:00 PM, Nathaniel McCallum wrote:
>>>> Pavel, since we made the change here from a StrEnum to a Str, we
>>>> need
>>>> to update the UI patch accordingly.
>>>
>>> How should admin know what to write there intuitively?
>>>
>>> Shouldn't Web UI or CLI advertise the indicators supported by IPA?
>>> E.g.
>>> CLI in doc string. Web UI might even combine checkboxes (otp,
>>> radius)
>>> with textbox.
>> That would be better, I think. We still need to keep the API with a
>> free
>> text field but Web UI, of course, should provide some pre-defined
>> labels.
> 
> I *think* this means that this patch doesn't need any changes. Is that
> correct? If so, can I get a review? :)
> 

I meant that the param's 'doc' attribute can get the supported values.
So that they would be shown in `ipa service-mod --help`

Btw, the `required: false` and `multivalued: true` can be simplified
into Str('krbprincipalauthind*')

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0093] Enable service authentication indicator management

2016-05-31 Thread Nathaniel McCallum
On Mon, 2016-05-30 at 19:08 +0300, Alexander Bokovoy wrote:
> On Mon, 30 May 2016, Petr Vobornik wrote:
> > On 05/27/2016 06:00 PM, Nathaniel McCallum wrote:
> > > Pavel, since we made the change here from a StrEnum to a Str, we
> > > need
> > > to update the UI patch accordingly.
> > 
> > How should admin know what to write there intuitively?
> > 
> > Shouldn't Web UI or CLI advertise the indicators supported by IPA?
> > E.g.
> > CLI in doc string. Web UI might even combine checkboxes (otp,
> > radius)
> > with textbox.
> That would be better, I think. We still need to keep the API with a
> free
> text field but Web UI, of course, should provide some pre-defined
> labels.

I *think* this means that this patch doesn't need any changes. Is that
correct? If so, can I get a review? :)



Re: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches

2016-05-31 Thread Martin Basti



On 31.05.2016 14:08, Martin Babinsky wrote:

On 05/31/2016 01:57 PM, Martin Basti wrote:



On 31.05.2016 12:44, Martin Babinsky wrote:

On 05/28/2016 01:17 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4995

Patches attached





Hi,

PATCH 0488: LGTM

PATCH 0489:

@@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters,
topo_errors, starting_host):
 i = 0
 while True:
 left = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentleftnode=hostname,
sizelimit=0
+suffix_name, iparepltoposegmentleftnode=hostname,
sizelimit=0,
 )['result']
 right = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentrightnode=hostname,
sizelimit=0
+suffix_name, iparepltoposegmentrightnode=hostname,
sizelimit=0,
 )['result']

it seems that you added 'no_members=True' there and then removed it
because reasons. Please revert this part to the original code so
that it does not stick out.



Better (the right one) patches attached.


ACK


master:
* 91572afc60f590f0d81ad18234189a0b48144bf5 Make option --no-members 
public in CLI
* 5f42b42bd4557a669ab5cfcf1af6596f1a2535f1 Performance: Find commands: 
do not process members by default




Re: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches

2016-05-31 Thread Martin Babinsky

On 05/31/2016 01:57 PM, Martin Basti wrote:



On 31.05.2016 12:44, Martin Babinsky wrote:

On 05/28/2016 01:17 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4995

Patches attached





Hi,

PATCH 0488: LGTM

PATCH 0489:

@@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters,
topo_errors, starting_host):
 i = 0
 while True:
 left = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentleftnode=hostname,
sizelimit=0
+suffix_name, iparepltoposegmentleftnode=hostname,
sizelimit=0,
 )['result']
 right = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentrightnode=hostname,
sizelimit=0
+suffix_name, iparepltoposegmentrightnode=hostname,
sizelimit=0,
 )['result']

it seems that you added 'no_members=True' there and then removed it
because reasons. Please revert this part to the original code so
that it does not stick out.



Better (the right one) patches attached.


ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] Provisioning throughput

2016-05-31 Thread Petr Vobornik
On 05/04/2016 02:20 PM, thierry bordaz wrote:
> Hello,
> 
> I have been doing some tests/measures using
> https://github.com/freeipa/freeipa-tools/blob/master/create-test-data.py.
> The tool creates a set of typical users/hosts/groups... to import with a
> ldapadd.
> 
> I wrote down some findings in
> 
> http://www.freeipa.org/page/V4/Performance_Improvements#Provisioning_throughput_and_DS_plugins.
> I still have to do some cleanup around the performance but the basics of a
> possible improvement is to do provisioning in several steps (disabling
> plugins, provisioning, enabling plugin, running fixup tasks).
> 
> Before going further in the design I wanted to share those ideas and know 
> if
> it raises any concern.
> 
> thanks
> thierry
> 

Let me conclude the previous sub-thread and also continue with
discussion we had over phone.

The subthread ended with a proposal to go with offline provisioning by
disabling LDAP ports similar to ipa-server-upgrade tool and then using
LDAPI to add records by using ipalib in server mode e.g., as in
ipa_otptoken_import.py

So these are the tasks to solve/investigate:

1. Provide guidance/write script which would disable memberof plugin and
other plugins. Disable ldap and ldaps port

2. Provide guidance/script how to use ipalib in server mode and how to
import data. This could even be a script which would load a file in some
format (e.g. JSON) and execute commands from the file. Basically what
Alexander was proposing and I was against it. After some thought, I
agree that the tool could be easy to write but I'd rather avoid adding
it to the 4.4 release, maybe even to future releases. Because:
 - It's almost the same as `[RFE] run multiple CLI commands in a batch`
 With the distinction that
it connects directly to LDAPI and not the public API. First I'd like to see
#5821 and then we can think of using the same logic (input) to work in
"migration" mode.
- I don't want to include a quickly baked tool so late in 4.4
development. It will have design flaws which will be harder to fix
later. I don't want to lose time with discussion about the design of the
tool in this phase of 4.4.

3. Provide guidance/script to revert #1 and run memberof fixup task.

4. Investigate how replication of so many records with member attributes
will affect other replicas. I.e. if it would not brick entire topology.

*Right now #4 seems to be the most important*.

Then #1, #2, #3 could be delivered as sample scripts included in
documentation and/or a blog post/github. It would allow us to change them
later. I would not focus on #2 before other core 4.4 items are finished.
A lot of guidance is already written in the design page but it will
need to be transformed into an easily consumable form for admins. The scripts
can be prepared even when 4.4 is out.

In other words I would not create any official new ipa utility yet.
-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches

2016-05-31 Thread Martin Basti



On 31.05.2016 12:44, Martin Babinsky wrote:

On 05/28/2016 01:17 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4995

Patches attached





Hi,

PATCH 0488: LGTM

PATCH 0489:

@@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters, 
topo_errors, starting_host):

 i = 0
 while True:
 left = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0,

 )['result']
 right = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0,

 )['result']

it seems that you added 'no_members=True' there and then removed it 
because reasons. Please revert this part to the original code so 
that it does not stick out.




Better (the right one) patches attached.
From 6e39ae4ba31a2f1839655c593c2bcc9952e16712 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 17 Mar 2016 11:06:54 +0100
Subject: [PATCH 1/2] Make option --no-members public in CLI

With many members, commands became slow. Making this option public allows
users to speed up searches.

https://fedorahosted.org/freeipa/ticket/4995
---
 ipalib/plugins/baseldap.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 72e7e0725ec41bb72fcef124734150970fa06062..8a696f3c8e6c239f6ac38621de9f2fb403e4f99b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1117,7 +1117,7 @@ last, after all sets and adds."""),
 yield Flag('no_members',
 doc=_('Suppress processing of membership attributes.'),
 exclude='webui',
-flags=['no_option', 'no_output'],
+flags=['no_output'],
 )
 break
 
-- 
2.5.5

From 034d3ea3d9e97da6ffb143957f0988f45ceef62d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 19 May 2016 13:50:38 +0200
Subject: [PATCH 2/2] Performance: Find commands: do not process members by
 default

In all *-find commands, member attributes shouldn't be processed because
the high amount of LDAP searches causes serious performance issues. For this
reason the --no-members option is set by default in CLI and API.

To get members in *-find commands, the option --all in CLI is required or
'no_members=False' or 'all=True' must be set in the API call.

For other commands processing of members stays unchanged. WebUI is not
affected by this change.

https://fedorahosted.org/freeipa/ticket/4995
---
 API.txt|  44 ++--
 VERSION|   4 +-
 install/tools/ipa-replica-manage   |   6 +-
 ipalib/plugins/baseldap.py |   7 +-
 ipalib/plugins/caacl.py|   2 +-
 ipalib/plugins/hbactest.py |   3 +-
 ipalib/plugins/otptoken.py |   3 +-
 ipalib/plugins/topology.py |   6 +-
 ipalib/plugins/user.py |   3 +-
 ipaserver/install/replication.py   |   3 +-
 ipaserver/install/server/install.py|   3 +-
 ipatests/test_xmlrpc/test_group_plugin.py  |  54 +++-
 ipatests/test_xmlrpc/test_hbacsvcgroup_plugin.py   |  21 +-
 ipatests/test_xmlrpc/test_hostgroup_plugin.py  |   5 +
 ipatests/test_xmlrpc/test_netgroup_plugin.py   | 115 -
 ipatests/test_xmlrpc/test_old_permission_plugin.py | 272 ++--
 ipatests/test_xmlrpc/test_permission_plugin.py | 273 -
 ipatests/test_xmlrpc/test_privilege_plugin.py  |  60 -
 ipatests/test_xmlrpc/test_role_plugin.py   |  85 ++-
 ipatests/test_xmlrpc/test_service_plugin.py|  20 +-
 .../test_xmlrpc/test_servicedelegation_plugin.py   |  30 ++-
 ipatests/test_xmlrpc/test_sudocmdgroup_plugin.py   |   5 +
 ipatests/test_xmlrpc/test_user_plugin.py   |   2 +-
 ipatests/test_xmlrpc/tracker/host_plugin.py|   5 +-
 ipatests/test_xmlrpc/tracker/hostgroup_plugin.py   |  13 +-
 ipatests/test_xmlrpc/tracker/sudocmd_plugin.py |   7 +-
 .../test_xmlrpc/tracker/sudocmdgroup_plugin.py |   9 +-
 ipatests/test_xmlrpc/tracker/user_plugin.py|   3 +-
 28 files changed, 973 insertions(+), 90 deletions(-)

diff --git a/API.txt b/API.txt
index dbc6f1adc614607fab106ab0de7163961e7ecedc..3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69 100644
--- a/API.txt
+++ b/API.txt
@@ -551,7 +551,7 @@ option: Str('description?', autofill=False, cli_name='desc')
 option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all'])
 option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u

Re: [Freeipa-devel] [PATCH 0486, 0487] Update zanata config

2016-05-31 Thread Martin Basti



On 31.05.2016 13:46, Martin Basti wrote:



On 31.05.2016 13:04, Martin Babinsky wrote:

On 05/26/2016 04:52 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5915

Patches attached




ACK.


Even better patches attached.






Wrong thread :D

The original patches were pushed

ipa-4-2:
* c404d6586d6fd76d04bcf656b811b04f29704a41 Set proper zanata project-version
* 776ef9ab63ee5bddc8ce0468570492b31180b70a Translations: remove 
deprecated locale configuration


ipa-4-3:
* 304bc038129229f6bd97e4415e6eec137f5fb3f8 Set proper zanata project-version
* 67633d42bcd78dc44d2bdfb18597942b49734eee Translations: remove 
deprecated locale configuration


master:
* 204a18986a1923f75bc75215d20dfa2eb9229729 Translations: remove 
deprecated locale configuration

Re: [Freeipa-devel] [PATCH 0486, 0487] Update zanata config

2016-05-31 Thread Martin Basti



On 31.05.2016 13:04, Martin Babinsky wrote:

On 05/26/2016 04:52 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5915

Patches attached




ACK.


Even better patches attached.


From 1918df3017504354834c9175faf8d09108feb07a Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 13 May 2016 18:39:47 +0200
Subject: [PATCH 1/2] DNS Locations: prevent to remove used locations

The user should be notified that the location is used by IPA server(s) and
deletion should be aborted without the --force option.

The referint plugin is configured to remove references to deleted locations.

https://fedorahosted.org/freeipa/ticket/2008
---
 API.txt|  3 ++-
 VERSION|  4 ++--
 install/updates/25-referint.update |  1 +
 ipalib/plugins/location.py | 27 ++-
 4 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 608f1083faf2b03214432c134f403c40ccdb6700..10a2d9f076391f1a9133cf0899dd07d81043b0a3 100644
--- a/API.txt
+++ b/API.txt
@@ -2772,9 +2772,10 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: location_del
-args: 1,2,3
+args: 1,3,3
 arg: DNSNameParam('idnsname+', cli_name='name')
 option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Flag('force', autofill=True, default=False)
 option: Str('version?')
 output: Output('result', type=[])
 output: Output('summary', type=[, ])
diff --git a/VERSION b/VERSION
index 93ea86438d56f6206b28decbf95d2e7ccd57f8ed..90b240383a95bdc1783de99f416df1551641bfba 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=172
-# Last change: mbasti - location-show: list servers in the location
+IPA_API_VERSION_MINOR=173
+# Last change: mbasti - server-del: prevent to remove used locations
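Review bot: the `# Last change:` comment says `server-del`, but the command this patch modifies is `location_del` (see the API.txt hunk above); change it to `location-del: prevent removing used locations` so the API change log stays accurate and searchable.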
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index 3f78ee9755823fb3d5838d3069f4506c57a69d05..b887ede9c98f100709d24aae26b75d501f581016 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -19,3 +19,4 @@ add: referint-membership-attr: ipaassignedidview
 add: referint-membership-attr: ipaallowedtarget
 add: referint-membership-attr: ipamemberca
 add: referint-membership-attr: ipamembercertprofile
+add: referint-membership-attr: ipalocation
diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py
index 6d876d51204f9957a091c12d89414fead0fc95c6..c38ff580964f314675dc0743a52dca27638a1f06 100644
--- a/ipalib/plugins/location.py
+++ b/ipalib/plugins/location.py
@@ -9,8 +9,10 @@ from ipalib import (
 ngettext,
 api,
 Str,
-DNSNameParam
+DNSNameParam,
+Flag,
 )
+from ipalib.errors import DependentEntry
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import (
 LDAPCreate,
@@ -134,6 +136,29 @@ class location_del(LDAPDelete):
 
 msg_summary = _('Deleted IPA location "%(value)s"')
 
+takes_options = LDAPDelete.takes_options + (
+Flag(
+'force',
+label=_('Force'),
+doc=_('force location removal'),
+),
+)
+
+def pre_callback(self, ldap, dn, *keys, **options):
+assert isinstance(dn, DN)
+if not options.get('force'):
+servers = self.api.Command.server_find(
+in_location=keys[-1])['result']
+location_members = u', '.join(
+server['cn'][0] for server in servers)
+if location_members:
+raise DependentEntry(
+label=_('IPA Server(s)'),
+key=keys[-1],
+dependent=location_members
+)
+return dn
+
 
 @register()
 class location_mod(LDAPUpdate):
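Review bot: `pre_callback` asserts `isinstance(dn, DN)`, but `DN` is not among the names this patch imports (only `Flag` and `DependentEntry` are added), so confirm that `DN` is already imported in location.py or the assert will raise NameError. The dependency check also calls `server_find(in_location=keys[-1])` without `sizelimit=0`, so it is subject to the default search limit; add `sizelimit=0` so the check cannot silently miss servers. With `--force` the check is skipped entirely and, per the commit message, the referint plugin then strips `ipalocation` from the affected server entries; the flag's `doc` should say so (e.g. 'force location removal, servers in it lose their location') so that an administrator knows what `--force` does to the servers.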
-- 
2.5.5

From bdd9280996de8d28dfb8b74fe07dd597eeb13bc5 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 17 May 2016 13:08:59 +0200
Subject: [PATCH 2/2] DNS Locations: extend tests with server-* commands

https://fedorahosted.org/freeipa/ticket/2008
---
 ipatests/test_xmlrpc/test_location_plugin.py| 101 +-
 ipatests/test_xmlrpc/tracker/location_plugin.py |  29 +--
 ipatests/test_xmlrpc/tracker/server_plugin.py   | 107 
 3 files changed, 230 insertions(+), 7 deletions(-)
 create mode 100644 ipatests/test_xmlrpc/tracker/server_plugin.py

diff --git a/ipatests/test_xmlrpc/test_location_plugin.py b/ipatests/test_xmlrpc/test_location_plugin.py
index 1ca3eac7c72e0662034cb67039e1d0925bd1acca..a5d0797958b62e72714ac0f3e1e8c50dd5836d6b 100644
--- a/ipatests/test_xmlrpc/test_location_plugin.py
+++ b/ipatests/test_xmlrpc/test_location_plugin.py
@@ -5,12 +5,14 @@ from __future__ import absolute_import
 
 import pytest
 
-from ipalib import errors
+from ipalib import errors, a

Re: [Freeipa-devel] [PATCH 0486, 0487] Update zanata config

2016-05-31 Thread Martin Babinsky

On 05/26/2016 04:52 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5915

Patches attached

ACK.

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches

2016-05-31 Thread Martin Basti



On 31.05.2016 12:44, Martin Babinsky wrote:

On 05/28/2016 01:17 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4995

Patches attached

Hi,

PATCH 0488: LGTM

PATCH 0489:

@@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters, 
topo_errors, starting_host):

 i = 0
 while True:
 left = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0,

 )['result']
 right = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0,

 )['result']

it seems that you added 'no_members=True' there and then removed it 
because reasons. Please revert this part to the original code so 
that it does not stick out.

Thanks,

updated patches attached.

Martin
From 034d3ea3d9e97da6ffb143957f0988f45ceef62d Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 19 May 2016 13:50:38 +0200
Subject: [PATCH 1/2] Performance: Find commands: do not process members by
 default

In all *-find commands, member attributes shouldn't be processed, because
the high number of LDAP searches causes serious performance issues. For this
reason the --no-members option is set by default in CLI and API.

To get members in *-find commands, the --all option is required in CLI, or
'no_members=False' or 'all=True' must be set in the API call.

For other commands the processing of members stays unchanged. The WebUI is not
affected by this change.

https://fedorahosted.org/freeipa/ticket/4995
---
 API.txt|  44 ++--
 VERSION|   4 +-
 install/tools/ipa-replica-manage   |   6 +-
 ipalib/plugins/baseldap.py |   7 +-
 ipalib/plugins/caacl.py|   2 +-
 ipalib/plugins/hbactest.py |   3 +-
 ipalib/plugins/otptoken.py |   3 +-
 ipalib/plugins/topology.py |   6 +-
 ipalib/plugins/user.py |   3 +-
 ipaserver/install/replication.py   |   3 +-
 ipaserver/install/server/install.py|   3 +-
 ipatests/test_xmlrpc/test_group_plugin.py  |  54 +++-
 ipatests/test_xmlrpc/test_hbacsvcgroup_plugin.py   |  21 +-
 ipatests/test_xmlrpc/test_hostgroup_plugin.py  |   5 +
 ipatests/test_xmlrpc/test_netgroup_plugin.py   | 115 -
 ipatests/test_xmlrpc/test_old_permission_plugin.py | 272 ++--
 ipatests/test_xmlrpc/test_permission_plugin.py | 273 -
 ipatests/test_xmlrpc/test_privilege_plugin.py  |  60 -
 ipatests/test_xmlrpc/test_role_plugin.py   |  85 ++-
 ipatests/test_xmlrpc/test_service_plugin.py|  20 +-
 .../test_xmlrpc/test_servicedelegation_plugin.py   |  30 ++-
 ipatests/test_xmlrpc/test_sudocmdgroup_plugin.py   |   5 +
 ipatests/test_xmlrpc/test_user_plugin.py   |   2 +-
 ipatests/test_xmlrpc/tracker/host_plugin.py|   5 +-
 ipatests/test_xmlrpc/tracker/hostgroup_plugin.py   |  13 +-
 ipatests/test_xmlrpc/tracker/sudocmd_plugin.py |   7 +-
 .../test_xmlrpc/tracker/sudocmdgroup_plugin.py |   9 +-
 ipatests/test_xmlrpc/tracker/user_plugin.py|   3 +-
 28 files changed, 973 insertions(+), 90 deletions(-)

diff --git a/API.txt b/API.txt
index dbc6f1adc614607fab106ab0de7163961e7ecedc..3ad250e74f48ef3c54494ba6bd2d398a7c5d1b69 100644
--- a/API.txt
+++ b/API.txt
@@ -551,7 +551,7 @@ option: Str('description?', autofill=False, cli_name='desc')
 option: StrEnum('hostcategory?', autofill=False, cli_name='hostcat', values=[u'all'])
 option: StrEnum('ipacertprofilecategory?', autofill=False, cli_name='profilecat', values=[u'all'])
 option: Bool('ipaenabledflag?', autofill=False)
-option: Flag('no_members', autofill=True, default=False)
+option: Flag('no_members', autofill=True, default=True)
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: StrEnum('servicecategory?', autofill=False, cli_name='servicecat', values=[u'all'])
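Review bot: flipping the default of the generated Flag('no_members') from False to True is a behaviour change for every existing API client that relied on member attributes being present in *-find results; the diffstat shows VERSION being bumped alongside API.txt, which is the right accompaniment, and the commit message documents that callers now have to pass no_members=False or all=True to opt back in. It is worth repeating that in the release notes, because clients other than the CLI will simply receive fewer attributes with no error.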
@@ -1598,7 +1598,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('no_group*', cli_name='no_groups')
-option: Flag('no_members', autofill=True, default=False)
+option: Flag('no_members', autofill=True, default=True)
 option: Str('no_user*', cli_name='no_users')
 option: Flag('nonposix', autofill=True, cli_name='nonposix', default=False)
 option: Str('not_in_group*', cli_name='not_in_groups')
@@ -1763,7 +1763,7 @@ option: Str('description?', autofill=False, cli_name='desc')
 option: Str('externalhost*', autofill=False)
 option: St

Re: [Freeipa-devel] [PATCH 0488-0489] Performance: membership processing related patches

2016-05-31 Thread Martin Babinsky

On 05/28/2016 01:17 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4995

Patches attached

Hi,

PATCH 0488: LGTM

PATCH 0489:

@@ -996,10 +997,10 @@ def check_deleted_segments(hostname, masters, 
topo_errors, starting_host):

 i = 0
 while True:
 left = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentleftnode=hostname, 
sizelimit=0,

 )['result']
 right = api.Command.topologysegment_find(
-suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0
+suffix_name, iparepltoposegmentrightnode=hostname, 
sizelimit=0,

 )['result']

it seems that you added 'no_members=True' there and then removed it 
because reasons. Please revert this part to the original code so 
that it does not stick out.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0033] Fix CA being presented as running even if it weren't

2016-05-31 Thread Stanislav Laznicka

On 05/31/2016 10:22 AM, Stanislav Laznicka wrote:

On 05/30/2016 12:54 PM, Jan Cholasta wrote:

On 30.5.2016 12:36, Martin Basti wrote:



On 26.05.2016 19:31, Stanislav Laznicka wrote:


Self NACK. I should not post patches when tired, sorry. Minor fix is
attached.


On 05/26/2016 07:21 PM, Stanislav Laznicka wrote:

Hello,

Please, see the attached patch. Fixes
https://fedorahosted.org/freeipa/ticket/5898

Standa


LGTM, if nobody is against this, I will push it in 2 days


NACK, please add `wait` argument and call self.wait_until_running(), 
same as in start() and restart().



A pretty good point, please see the modified patch.


Self-NACK - can't add 'wait' argument to service.Service.is_running this 
easily.

Re: [Freeipa-devel] [PATCH 0033] Fix CA being presented as running even if it weren't

2016-05-31 Thread Stanislav Laznicka

On 05/30/2016 12:54 PM, Jan Cholasta wrote:

On 30.5.2016 12:36, Martin Basti wrote:



On 26.05.2016 19:31, Stanislav Laznicka wrote:


Self NACK. I should not post patches when tired, sorry. Minor fix is
attached.


On 05/26/2016 07:21 PM, Stanislav Laznicka wrote:

Hello,

Please, see the attached patch. Fixes
https://fedorahosted.org/freeipa/ticket/5898

Standa


LGTM, if nobody is against this, I will push it in 2 days


NACK, please add `wait` argument and call self.wait_until_running(), 
same as in start() and restart().



A pretty good point, please see the modified patch.
From bce6e608e3b952a61ecb49542d43f576689a93aa Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 26 May 2016 15:24:15 +0200
Subject: [PATCH] Fixes CA always being presented as running

Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.

https://fedorahosted.org/freeipa/ticket/5898
---
 ipaplatform/redhat/services.py | 17 +
 ipaserver/install/service.py   |  4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 92dae452a31a0b3680e9c407eccb120881cc9e25..849737059d54df5af47ae288ef97b933d9e869fe 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -222,6 +222,23 @@ class RedHatCAService(RedHatService):
 if wait:
 self.wait_until_running()
 
+def is_running(self, instance_name="", wait=True):
+if instance_name:
+return super(RedHatCAService, self).is_running(instance_name)
+try:
+status = dogtag.ca_status()
+if status == 'running':
+return True
+elif status == 'starting' and wait:
+# Exception is raised if status is 'starting' even after wait
+self.wait_until_running()
+return True
+except Exception as e:
+root_logger.debug(
+'Failed to check CA status: {err}'.format(err=e)
+)
+return False
+
 
 # Function that constructs proper Red Hat OS family-specific server classes for
 # services of specified name
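Review bot: `except Exception as e:` in the new is_running() is too broad: it turns any bug in the status check (a NameError, a mistyped attribute in a later edit) into "CA not running" with only a debug-level log line, which is hard to diagnose from an installer run. Catch the specific exceptions dogtag.ca_status() and wait_until_running() are expected to raise, and log the fallback at a more visible level than debug. Also, with wait=True as the default, a plain is_running() call blocks for the whole wait_until_running() period whenever the CA reports 'starting'; callers that only want a snapshot must pass wait=False, which nothing in the method documents. Finally, this hunk uses dogtag and root_logger but adds no imports for them; confirm both are already imported in this module.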
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 40767acd57d5e1fa8126144ca64f6951848ce214..c09dc9013b091e6eebcf9b297fef8337671ce40e 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -346,8 +346,8 @@ class Service(object):
 def restart(self, instance_name="", capture_output=True, wait=True):
 self.service.restart(instance_name, capture_output=capture_output, wait=wait)
 
-def is_running(self):
-return self.service.is_running()
+def is_running(self, instance_name="", wait=True):
+return self.service.is_running(instance_name, wait)
 
 def install(self):
 self.service.install()
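Review bot: Service.is_running() now passes instance_name and wait positionally to self.service.is_running(), so every platform service class reached through self.service must accept that second parameter, not only RedHatCAService; this patch changes no base-class signature, so a call with the default wait=True on any other service would raise TypeError. Either extend the base is_running() signature in the same patch or forward wait only for the CA service.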
-- 
2.5.5

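The semantics argued over in this thread (query the real service status, treat 'starting' as a wait-then-decide case, and never report a stopped service as running) as an added example that is not part of the patch or of FreeIPA's own code. It generalizes the patched is_running() into a stand-alone check with an explicit deadline: the probe callable, ProbeError, FakeClock and the state names are assumptions of this example, standing in for dogtag.ca_status() and wait_until_running().

```python
import time

# Service states the probe may report, modelled on the three outcomes the
# patched RedHatCAService.is_running() distinguishes: 'running', 'starting',
# and anything else (treated as not running). Names are assumptions of this
# example, not FreeIPA constants.
RUNNING = "running"
STARTING = "starting"
STOPPED = "stopped"


class ProbeError(Exception):
    """Raised by a status probe when the service cannot be queried at all
    (e.g. the status endpoint is unreachable). Hypothetical, for this example."""


def is_running(probe, wait=True, timeout=30.0, interval=1.0,
               clock=time.monotonic, sleep=time.sleep):
    """Return True only when `probe()` reports the service as running.

    probe   -- zero-argument callable returning a state string, or raising
               ProbeError when the status cannot be determined
    wait    -- if True and the state is 'starting', poll until the service is
               'running' or `timeout` seconds have elapsed
    clock/sleep are injectable so the polling loop can be exercised without
    real delays.

    Returns False for a stopped service, for a service still starting once
    the deadline passes, and when the probe itself fails. Only ProbeError is
    caught: programming errors propagate instead of being reported as
    'not running'.
    """
    deadline = clock() + timeout
    while True:
        try:
            status = probe()
        except ProbeError:
            return False
        if status == RUNNING:
            return True
        if status != STARTING or not wait:
            # Stopped, unknown state, or the caller does not want to block.
            return False
        if clock() >= deadline:
            # Still 'starting' after the full wait: report not running
            # rather than raising, so callers always get a plain boolean.
            return False
        sleep(interval)


def make_probe(sequence):
    """Constructed probe for testing: returns the states in `sequence` one
    per call and keeps returning the last one. An Exception instance in the
    sequence is raised instead of returned."""
    states = list(sequence)

    def probe():
        state = states.pop(0) if len(states) > 1 else states[0]
        if isinstance(state, Exception):
            raise state
        return state

    return probe


class FakeClock:
    """Deterministic clock for the example: sleep() just advances time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clk = FakeClock()
    probe = make_probe([STARTING, STARTING, RUNNING])
    print(is_running(probe, clock=clk, sleep=clk.sleep), clk.now)  # True 2.0
```

Three design choices differ from the hunk above and are the ones a reviewer would ask for: only the probe's own error class is caught rather than Exception, a service that is still 'starting' at the deadline yields False instead of an exception escaping from the wait, and `wait` can be switched off so a status snapshot never blocks.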

Re: [Freeipa-devel] [PATCH 0036] Increased mod_wsgi socket-timeout

2016-05-31 Thread Stanislav Laznicka

On 05/30/2016 02:12 PM, Petr Spacek wrote:

On 28.5.2016 15:59, Martin Basti wrote:

On 27.05.2016 14:52, Stanislav Laznicka wrote:

https://fedorahosted.org/freeipa/ticket/5833




Is it possible to remove the timeout completely, as it used to be before?

Even if this timeout is exceeded, the command continues executing and it just
doesn't print the result to the user

I agree with Martin. The timeout is pointless, please remove it or set it to
2^31 or so.

The documentation does not clearly state what happens in the corner 
cases of this setting. However, by looking at the source code, I'm 
guessing that 0 is the default value which would eventually point to the 
Apache TimeOut and negative values seem just wrong for them here. They 
are converting it with atoi(), so I propose to set this to 2^31-1.
From 8fe005387d6952f112246a66298c521676a73224 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 27 May 2016 14:44:30 +0200
Subject: [PATCH] Increased mod_wsgi socket-timeout

Longer-running CLI commands sometimes fail with "gateway time out" although
the task still runs and finishes on server, not notifying the CLI back.
Increasing socket-timeout should solve this.

https://fedorahosted.org/freeipa/ticket/5833
---
 install/conf/ipa.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index cf10fc815640bcfc56152d342ee70d7d363ba4e5..c6457485a19ccdd469b96d8d29c71039290ed9da 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -41,7 +41,8 @@ WSGISocketPrefix /run/httpd/wsgi
 
 
 # Configure mod_wsgi handler for /ipa
-WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 display-name=%{GROUP}
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
+ display-name=%{GROUP} socket-timeout=2147483647
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
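Review bot: socket-timeout=2147483647 effectively disables the timeout, which matches the conclusion of the thread, but the value needs a comment in ipa.conf explaining why 2^31-1 was chosen (the atoi() reasoning above) and that the intent is "never time out" because long-running commands keep executing on the server after the gateway has already reported a timeout; without it the next reader will take the number for a typo. The backslash continuation on the WSGIDaemonProcess line is fine for httpd configuration.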
-- 
2.5.5
