Re: [Freeipa-devel] [PATCH] 0090, 0092..0094 cert-show: show subject alternative names

2016-08-04 Thread Petr Vobornik
On 07/22/2016 07:13 AM, Fraser Tweedale wrote:
> On Tue, Jul 19, 2016 at 08:50:34AM +0200, Jan Cholasta wrote:
>> Hi,
>>
>> On 14.7.2016 13:44, Fraser Tweedale wrote:
>>> Hi all,
>>>
>>> The attached patch includes SANs in cert-show output.  If you have
>>> certs with esoteric altnames (especially any that are more than just
>>> ASN.1 string types), please test with those certs.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6022
>>
>> I think it would be better to have a separate attribute for each supported
>> SAN type rather than cramming everything into subject_alt_name. That way if
>> you care only about a single specific type you won't have to go through all
>> the values and parse them. Also it would allow you to use param types
>> appropriate to the SAN types (DNSNameParam for DNS names, Principal for
>> principal names, etc.)
>>
>> Nitpick: please don't mix moving existing stuff and adding new stuff in a
>> single patch.
>>
> Updated patches attached.
> 
> Patches 0092..0094 are refactors and bugfixes.
> Patch 0090-2 is the main feature (depends on 0092..0094).
> 
> Thanks,
> Fraser
> 

bump for review
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-04 Thread Alexander Bokovoy

On Thu, 04 Aug 2016, Marx, Peter wrote:

I tried it and found out it can't work this way - when issuing a CSR
with getcert, the parameters of this request are normally handed over
by getcert to the scep-submit helper. I see no way to intercept these
parameters and pass them to the proxy-shellscript. Only the -u
parameter is known beforehand, as it is configured in the ca description
file or in the proxy shellscript itself.

On systemd-enabled systems certmonger runs as a service. You can affect
the environment of the service by adding files ending in .conf in
/etc/systemd/system/certmonger.service.d/

See systemd.service and systemd.unit man pages.



--
/ Alexander Bokovoy



[Freeipa-devel] External plugin integration

2016-08-04 Thread Alexander Bokovoy

Hi!

I've stumbled into an interesting problem.

Suppose, I have a plugin that adds schema and a subtree where entries it
manages will be stored. This subtree will have ACIs applied based on the
plugin permissions' configuration. Now, I put schema file in
/usr/ipa/share, and updates file in /usr/share/ipa/updates, and also add
plugin code to the ipaserver/plugins/ (let's say, rpm does it for me).
Next, I want to install IPA server. The install will run through up to
server upgrade phase which will fail because generation of ACIs will
reference schema attributes/classes which aren't loaded to the dirsrv by
installer. How to solve it? 


Installer uses hard-coded list of schema files and this is a third-party
plugin, it needs to extend the list of active schema files.

If we can define a place where third-party plugins could drop schema and
we just load everything from there before processing updates, it would
probably be enough.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0153] Fix ipa-replica-prepare's error message about missing local CA instanc

2016-08-04 Thread Petr Spacek
On 3.8.2016 22:56, Ben Lipton wrote:
> 
> On 08/01/2016 11:38 AM, Petr Spacek wrote:
>> Hello,
>>
>> Fix ipa-replica-prepare's error message about missing local CA instance
>>
>> ipa-replica-prepare must be run on a replica with CA or all the certs
>> needs to be provided (for CA-less case).
>>
>> The old messages were utterly confusing because they mixed errors about
>> missing certs and missing local CA instance into one text.
>>
>> https://fedorahosted.org/freeipa/ticket/6134
>>
>>
>>
> The error message in the patch says "must be ran" instead of "must be run".

Thanks! Fixed patch is attached.

-- 
Petr^2 Spacek
From 22bba42b7ac8ec4a11af0e08609adf03f3aa2332 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 1 Aug 2016 17:32:04 +0200
Subject: [PATCH] Fix ipa-replica-prepare's error message about missing local
 CA instance

ipa-replica-prepare must be run on a replica with CA or all the certs
needs to be provided (for CA-less case).

The old messages were utterly confusing because they mixed errors about
missing certs and missing local CA instance into one text.

https://fedorahosted.org/freeipa/ticket/6134
---
 ipaserver/install/ipa_replica_prepare.py | 11 ---
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index fdd32f0c8437a0d8c3947d57089662ea09bb2304..a6f0f1e393707d40c62276d4c355afba82fc83f5 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -236,6 +236,10 @@ class ReplicaPrepare(admintool.AdminTool):
 except errors.DatabaseError as e:
 raise admintool.ScriptError(e.desc)
 
+if ca_enabled and not ipautil.file_exists(paths.CA_CS_CFG_PATH):
+raise admintool.ScriptError(
+"CA is not installed on this server. "
+"ipa-replica-prepare must be run on an IPA server with CA.")
 if not ca_enabled and not options.http_cert_files:
 raise admintool.ScriptError(
 "Cannot issue certificates: a CA is not installed. Use the "
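Review bot: the new `ca_enabled and not ipautil.file_exists(...)` check only fires on the inconsistent state where the CA is enabled in the topology but CS.cfg is missing on this host, which is the right place for it. What gets lost is the PKCS#12 hint the second hunk deletes ("If you installed IPA with your own certificates using PKCS#12 files you must provide PKCS#12 files for any replicas you create as well"); consider appending that hint to the "Cannot issue certificates: a CA is not installed" error right below, since that is now the only message a CA-less user sees.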
@@ -347,13 +351,6 @@ class ReplicaPrepare(admintool.AdminTool):
 "Apache Server SSL certificate and Directory Server SSL "
  "certificate are not signed by the same CA certificate")
 
-if (not ipautil.file_exists(paths.CA_CS_CFG_PATH) and
-options.dirsrv_pin is None):
-self.log.info("If you installed IPA with your own certificates "
-"using PKCS#12 files you must provide PKCS#12 files for any "
-"replicas you create as well.")
-raise admintool.ScriptError("The replica must be created on the "
-"primary IPA server.")
 
 def run(self):
 options = self.options
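Review bot: deleting the `if (not ipautil.file_exists(paths.CA_CS_CFG_PATH) and options.dirsrv_pin is None)` block leaves the blank context line before it and the blank context line after it adjacent, so `def run(self)` is now preceded by two blank lines inside the class body (flake8 reports this as E303); drop one of them in this patch.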
-- 
2.7.4


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-04 Thread Jan Pazdziora
On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>
> Got it. One thing I would correct, though, -- don't use kadmin.local, we
> do support setting ok_as_delegate on the service principals via IPA CLI:
> $ ipa service-mod --help |grep -A1 ok-as-delegate
>  --ok-as-delegate=BOOL
>Client credentials may be delegated to the service

I've tried

ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 0013 Fix ipa hbactest output

2016-08-04 Thread Martin Basti



On 04.08.2016 16:19, Florence Blanc-Renaud wrote:

On 08/03/2016 05:49 PM, Martin Basti wrote:



On 02.08.2016 13:22, Florence Blanc-Renaud wrote:

Hi,

please find attached a patch related to 'ipa hbactest' producing a
Traceback.

https://fedorahosted.org/freeipa/ticket/6157

Flo.



Hello Flo,


1)
can you please move that check right below the for?

 for o in self.output:
+if o == 'value':
+continue

It is a performance improvement :)  We should not waste time getting
values from the dict if we will not use them.

2)
 elif isinstance(result, (unicode, bool)):
 if o == 'summary':
 textui.print_summary(result)
 else:
 textui.print_indented(result)

Here you should remove the 'bool' from isinstance or update
print_indented to allow work with boolean (I prefer the first one).
Because with any other bool value it will fail again.

Thanks,
Martin^2

Hi Martin,

thanks for the review. Please find an updated patch with your comments.
Flo.

Pushed to master: cad6a551d6558441ead4b2b71d0b906ecefbdb63
ACK



Re: [Freeipa-devel] certmonger proxy configuration not possible ?

2016-08-04 Thread Marx, Peter
I tried it and found out it can't work this way - when issuing a CSR with 
getcert, the parameters of this request are normally handed over by getcert to 
the scep-submit helper. I see no way to intercept 
these parameters and pass them to the proxy-shellscript. Only the -u parameter 
is known beforehand, as it is configured in the ca description file or in the 
proxy shellscript itself.

Peter

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, August 03, 2016 3:52 PM
To: Marx, Peter; 'freeipa-devel@redhat.com'
Subject: Re: [Freeipa-devel] certmonger proxy configuration not possible ?

Marx, Peter wrote:
> Hi,
>
> I have to access an external PKI server with SCEP protocol through our 
> corporate proxy.  On command line I can set the proxy and trigger a 
> CSR with the scep-submit helper successfully.

What are you setting, environment variables I assume?

> But same operation with getcert fails, as there is no proxy 
> configuration possibility in e.g. certmonger.conf.
>
> How can I work around this ?

A quick kludge might be to replace scep-submit with a shell script that exports 
the proxy config and then calls the real scep-submit.

A perhaps better and more supportable idea would be to add a CA pointing to 
this new helper, something like:

getcert add-ca -c exampleSCEPca -e \
 "/usr/libexec/certmonger/scep-submit-proxy -u 
http://ca.example.com/cgi-bin/pkiclient.exe";

So scep-submit-proxy would set up the environment and call scep-submit.

rob

>
> Peter
>
>
>
> Knorr-Bremse IT-Services GmbH
> Sitz: München
> Geschäftsführer: Helmut Draxler (Vorsitzender), Harald Jessen, Harald 
> Schneider Registergericht München, HR B 167 268
>
> This transmission is intended solely for the addressee and contains 
> confidential information.
> If you are not the intended recipient, please immediately inform the 
> sender and delete the message and any attachments from your system.
> Furthermore, please do not copy the message or disclose the contents 
> to anyone unless agreed otherwise. To the extent permitted by law we 
> shall in no way be liable for any damages, whatever their nature, 
> arising out of transmission failures, viruses, external influence, delays and 
> the like.
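Both suggestions made in this thread, Rob's wrapper helper and Alexander's systemd drop-in, as an added example in Python; this is not certmonger's or FreeIPA's own code. The wrapper reads the proxy URL from an assumed root-owned file (/etc/certmonger/proxy.url), validates it, and execs the assumed real helper path /usr/libexec/certmonger/scep-submit with its argv, stdin and the CERTMONGER_* environment certmonger set left untouched, which is how the request parameters Peter could not intercept reach the real helper. The sample environment used in the test is constructed.

```python
#!/usr/bin/env python3
"""scep-submit-proxy: added example, not certmonger's or FreeIPA's code.

Wraps the real scep-submit helper (Rob's idea) and can render the systemd
drop-in for the certmonger service (Alexander's idea).

Assumed, not from the thread: REAL_HELPER and PROXY_FILE below, and the
drop-in file name proxy.conf.
"""
import os
import sys
from urllib.parse import urlsplit

REAL_HELPER = "/usr/libexec/certmonger/scep-submit"   # assumed path of the real helper
PROXY_FILE = "/etc/certmonger/proxy.url"              # assumed: root-owned, one URL


def validate_proxy_url(url):
    """Return a normalised http(s) proxy URL or raise ValueError.

    The value lands in the environment of a helper that certmonger runs as
    root, and that environment is inherited by anything the helper spawns,
    so credentials embedded in the URL are refused outright."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("proxy must be an http(s) URL with a host: %r" % url)
    if parts.username or parts.password:
        raise ValueError("refusing proxy URL with embedded credentials")
    return parts.geturl()


def build_env(base_env, proxy_url, no_proxy=("localhost", "127.0.0.1")):
    """Copy the environment certmonger gave us and add the proxy variables.

    certmonger passes the request to its helper through CERTMONGER_*
    variables (and stdin); copying base_env keeps all of them intact."""
    env = dict(base_env)
    proxy = validate_proxy_url(proxy_url)
    env["http_proxy"] = proxy
    env["https_proxy"] = proxy
    env["no_proxy"] = ",".join(no_proxy)
    return env


def render_dropin(proxy_url, no_proxy=("localhost", "127.0.0.1")):
    """Alexander's route: the text of a drop-in for
    /etc/systemd/system/certmonger.service.d/ (file name proxy.conf is assumed),
    so every helper certmonger spawns inherits the proxy."""
    proxy = validate_proxy_url(proxy_url)
    return "\n".join([
        "[Service]",
        "Environment=http_proxy=%s" % proxy,
        "Environment=https_proxy=%s" % proxy,
        "Environment=no_proxy=%s" % ",".join(no_proxy),
        "",
    ])


def main(argv):
    # certmonger invokes us exactly as it would the real helper, e.g.
    # scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe
    with open(PROXY_FILE) as f:
        proxy_url = f.read()
    env = build_env(os.environ, proxy_url)
    # exec replaces this process: argv and stdin pass through unchanged.
    os.execve(REAL_HELPER, [REAL_HELPER] + argv[1:], env)


if __name__ == "__main__":
    main(sys.argv)
```

Register the wrapper as Rob showed (`getcert add-ca -c exampleSCEPca -e "/usr/libexec/certmonger/scep-submit-proxy -u http://ca.example.com/cgi-bin/pkiclient.exe"`). For the drop-in route, write `render_dropin()`'s output under /etc/systemd/system/certmonger.service.d/ and run `systemctl daemon-reload` followed by a restart of certmonger; the drop-in applies the proxy to every CA helper the daemon runs, the wrapper only to the one CA it is registered for.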


Re: [Freeipa-devel] [PATCH 0112-7] Speeding up cli help

2016-08-04 Thread David Kupka

On 03/08/16 16:33, Jan Cholasta wrote:

On 3.8.2016 16:23, David Kupka wrote:

On 21/07/16 10:12, Jan Cholasta wrote:

Hi,

On 20.7.2016 14:32, David Kupka wrote:

On 15/07/16 12:53, David Kupka wrote:

Hello!

After Honza introduced thin client that builds plugins and commands
dynamically from schema client became much slower. This is only
logical,
instead of importing a module client now must fetch the schema from
server, parse it and instantiate the commands using the data.

First step to speed it up was addition of schema cache to client. That
removed the RTT and download time of fetching schema every time.

Now the most time consuming task became displaying help for lists of
topics and command and displaying individual topics. This is simply
because of the need to instantiate all the commands to find the
relations between topics and commands.

All the necessary bits for server commands and topics are already in
the
schema cache so we can skip this part and generate help from it,
right?
Not so fast!

There are client plugins with commands and topics. So we can generate
basic bits (list of all topics, list of all commands, list of commands
for each topic) from schema and store it in cache. Then we need to go
through all client plugins and get similar bits for client plugins.
Then
we can merge and print.

Still the client response is not as fast as before and I think it even
can't be. Also first time you display particular topic or list takes
longer because it must be freshly generated and stored in cache for
next
use. And this is what the attached patches do.

https://fedorahosted.org/freeipa/ticket/6048


Reimplemented so there is no need to distinguish client plugins and
remote plugins.
The main idea of this approach is to avoid creating instances of the
commands just to get the information about topic, name and summary
needed for displaying help. Instead class properties are used to access
the information directly in schema.


Patch 0112:

I think this would better be done in Schema.read_namespace_member,
because Schema is where all the state is.

(BTW does _SchemaNameSpace.__getitem__ raise KeyError for non-existent
keys? It looks like it doesn't.)


Patch 0113:

How about setting _schema_cached to False in Schema.__init__() rather
that getattr()-ing it in _ensure_cached()?


Patch 0116:

ClientCommand.doc should be a class property as well, otherwise .summary
won't work on it correctly.

_SchemaCommand.doc should not be a property, as it's not needed for
.summary to work on it correctly.


Otherwise works fine for me.

Honza



Updated patches attached.


Thanks, ACK.

Pushed to master: 229e2a1ed9ea9877cb5e879fadd99f9040f77c96



I've made, and the reviewer overlooked, some errors. Attached patches fix them.

--
David Kupka
From ae1a9d024e37a153b6e9e4ada657f0e1e78300ef Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 4 Aug 2016 16:02:24 +0200
Subject: [PATCH 1/3] schema cache: Do not reset ServerInfo dirty flag

Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.

https://fedorahosted.org/freeipa/ticket/6048
---
 ipaclient/remote_plugins/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py
index 444651d30fd0cd96299fecb7ee7b5e4532b0abd4..976d6968724088d8e1fe8d3615990accf585ffeb 100644
--- a/ipaclient/remote_plugins/__init__.py
+++ b/ipaclient/remote_plugins/__init__.py
@@ -59,7 +59,8 @@ class ServerInfo(collections.MutableMapping):
 return self._dict[key]
 
 def __setitem__(self, key, value):
-self._dirty = key not in self._dict or self._dict[key] != value
+if key not in self._dict or self._dict[key] != value:
+self._dirty = True
 self._dict[key] = value
 
 def __delitem__(self, key):
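Review bot: the sticky flag is right (`__setitem__` could previously clear `_dirty` when a later write left a key unchanged), but `__delitem__`, which follows in the context, also changes the mapping and must leave `_dirty` True as well; please confirm it does. A unit test that sets a key, then writes an unchanged key, and asserts `_dirty` is still True would pin down exactly the sequence that lost writes.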
-- 
2.7.4

From a6e9b17e0ad109f3237f4417828f7a3cfb5aa743 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 4 Aug 2016 16:07:08 +0200
Subject: [PATCH 2/3] schema cache: Write format information in cache

When format is not in cache '0' is assumed and client expecting higher
format refuses to load such cache.

https://fedorahosted.org/freeipa/ticket/6048
---
 ipaclient/remote_plugins/schema.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index a215452ea0d2c1278a6121b3806b0daee02abd6e..13b1c365b111faae673c5ed78a7e5439a869c330 100644
--- a/ipaclient/remote_plugins/schema.py
+++ b/ipaclient/remote_plugins/schema.py
@@ -524,6 +524,7 @@ class Schema(object):
 
 schema.writestr('_help',
 json.dumps(self._generate_help(self._dict)))
+schema.writestr('format', json.dumps(FORMAT))
 
 def _read(self, path):
 with self._open_schema(self._fingerprint, 'r') as zf:
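Review bot: writing `format` fixes the producer, but the hunk shows nothing on the consumer side: `_read()`, which starts right below, should compare the stored value with `FORMAT` and refuse a cache that is newer than this client, rather than only treating an absent key as 0. A test that writes a cache and reads it back with the same client would have caught the missing key before it reached master.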
-- 
2.7.4

From c57a1b98ca518db8909d4d1176c99c4b2daec606 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Thu, 
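The approach David describes above (class-level properties, so that building the `ipa help` index never instantiates a command) as an added example; this is not FreeIPA's code. The schema layout, the `classproperty` descriptor and the names `make_command()` and `generate_help()` are constructed for this example; FreeIPA's own `Schema`, `_SchemaCommand` and `ClientCommand` differ. It also shows Jan's point about `doc`: `summary` is derived from `doc`, so `doc` must be a class property too, or `summary` cannot be read from the class.

```python
"""Added example (not FreeIPA's code): build the CLI help index from a cached
schema without instantiating any command class."""


class classproperty(object):
    """A read-only property that works when accessed on the class itself."""

    def __init__(self, fget):
        self.fget = fget

    def __get__(self, obj, owner):
        return self.fget(owner)


class _SchemaCommand(object):
    """Base for commands generated from schema (constructed for this example).

    All help metadata lives on the class, filled in by make_command(), so
    reading .name/.doc/.summary/.topic never builds an instance."""
    _schema = {}
    instances = 0   # counts __init__ calls; help generation must leave it at 0

    def __init__(self):
        _SchemaCommand.instances += 1

    @classproperty
    def name(cls):
        return cls._schema["name"]

    @classproperty
    def doc(cls):
        return cls._schema.get("doc", "")

    @classproperty
    def summary(cls):
        # The summary is the first paragraph of the docstring on one line.
        # It reads cls.doc, which is why doc must be a class property as well.
        first = cls.doc.strip().split("\n\n", 1)[0]
        return " ".join(first.split())

    @classproperty
    def topic(cls):
        return cls._schema.get("topic")


def make_command(schema_entry):
    """Create a command *class* for one schema entry; no instance is made."""
    return type(str(schema_entry["name"]), (_SchemaCommand,),
                {"_schema": schema_entry})


def generate_help(schema):
    """Return what `ipa help` and `ipa help <topic>` need: topic list,
    command list, and (name, summary) pairs per topic."""
    commands = [make_command(entry) for entry in schema["commands"]]
    by_topic = {}
    for cmd in commands:
        if cmd.topic is not None:
            by_topic.setdefault(cmd.topic, []).append((cmd.name, cmd.summary))
    return {
        "topics": sorted(by_topic),
        "commands": sorted(cmd.name for cmd in commands),
        "by_topic": {t: sorted(v) for t, v in by_topic.items()},
    }


# Constructed sample schema; not a real FreeIPA schema dump.
SAMPLE_SCHEMA = {
    "commands": [
        {"name": "user_add", "topic": "user",
         "doc": "Add a new user.\n\nLonger description that help must skip."},
        {"name": "user_show", "topic": "user",
         "doc": "Display information\nabout a user."},
        {"name": "cert_show", "topic": "cert",
         "doc": "Retrieve an existing certificate."},
        {"name": "ping", "topic": None, "doc": "Ping a remote server."},
    ]
}

if __name__ == "__main__":
    index = generate_help(SAMPLE_SCHEMA)
    for topic in index["topics"]:
        print(topic)
        for name, summary in index["by_topic"][topic]:
            print("  %-12s %s" % (name, summary))
    print("command instances created:", _SchemaCommand.instances)
```

The index is what the thread proposes to store in the schema cache: once it is computed from class attributes alone, the expensive step (instantiating every command with its params) is skipped entirely for `ipa help`, and the `instances` counter is there to prove it.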

Re: [Freeipa-devel] [PATCH] 0013 Fix ipa hbactest output

2016-08-04 Thread Florence Blanc-Renaud

On 08/03/2016 05:49 PM, Martin Basti wrote:



On 02.08.2016 13:22, Florence Blanc-Renaud wrote:

Hi,

please find attached a patch related to 'ipa hbactest' producing a
Traceback.

https://fedorahosted.org/freeipa/ticket/6157

Flo.



Hello Flo,


1)
can you please move that check right below the for?

 for o in self.output:
+if o == 'value':
+continue

It is a performance improvement :)  We should not waste time getting
values from the dict if we will not use them.

2)
 elif isinstance(result, (unicode, bool)):
 if o == 'summary':
 textui.print_summary(result)
 else:
 textui.print_indented(result)

Here you should remove the 'bool' from isinstance or update
print_indented to allow work with boolean (I prefer the first one).
Because with any other bool value it will fail again.

Thanks,
Martin^2

Hi Martin,

thanks for the review. Please find an updated patch with your comments.
Flo.
From 29d13ada32b00567e2dffb632dfac827689ba475 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 2 Aug 2016 10:40:54 +0200
Subject: [PATCH] Fix ipa hbactest output

ipa hbactest command produces a Traceback (TypeError: cannot concatenate
'str' and 'bool' objects)
This happens because hbactest overrides output_for_cli but does not
properly handle the output for 'value' field. 'value' contains a boolean
but it should not be displayed (refer to ipalib/frontend.py,
Command.output_for_cli()).

Note that the issue did not appear before because the 'value' field
had a flag no_display.

https://fedorahosted.org/freeipa/ticket/6157
---
 ipaclient/plugins/hbactest.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py
index 2518719522c4eddff2e6bc341ee9a7c34b431938..1b54530b236cf654bc8ece7ab4e329850f5a6815 100644
--- a/ipaclient/plugins/hbactest.py
+++ b/ipaclient/plugins/hbactest.py
@@ -39,13 +39,15 @@ class hbactest(CommandOverride):
 # to be printed as our execute() method will return None for corresponding
 # entries and None entries will be skipped.
 for o in self.output:
+if o == 'value':
+continue
 outp = self.output[o]
 if 'no_display' in outp.flags:
 continue
 result = output[o]
 if isinstance(result, (list, tuple)):
 textui.print_attribute(unicode(outp.doc), result, '%s: %s', 1, True)
-elif isinstance(result, (unicode, bool)):
+elif isinstance(result, unicode):
 if o == 'summary':
 textui.print_summary(result)
 else:
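Review bot: special-casing `o == 'value'` by name duplicates what the `no_display` flag check three lines below already expresses; the commit message says the traceback appeared because `value` lost its `no_display` flag, so restoring the flag on the output definition would fix the same bug without a hard-coded field name in the override. If the name check stays, give it a one-line comment saying `value` carries a bool the CLI must not print. Narrowing `isinstance` to `unicode` is fine: a bool now falls through every branch silently instead of reaching `print_indented`.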
-- 
2.7.4


Re: [Freeipa-devel] [Test][patch-0056] Fixed incorrect returncode assert in test

2016-08-04 Thread Martin Basti



On 04.08.2016 13:38, Oleg Fayans wrote:





Pushed to master: 2df047b8c51098bae9224b88dbdf03e5f9504f21

ACK

Re: [Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation

2016-08-04 Thread Martin Basti



On 29.07.2016 06:21, Fraser Tweedale wrote:

On Thu, Jul 28, 2016 at 09:56:30AM +0200, Martin Babinsky wrote:

On 07/28/2016 03:31 AM, Fraser Tweedale wrote:

The attached patch fixes a kerberos.Principal-related regression.

Thanks,
Fraser


Hi Fraser,

The ticket you linked in the commit message points to a closed milestone.
You have to open a new ticket which needs to be triaged. Sorry, those are
the processes.


Filed ticket: https://fedorahosted.org/freeipa/ticket/6146
Updated patch attached (rebase and update commit message only).

Thanks,
Fraser




ACK, works for me

[Freeipa-devel] [PATCH 684] vault: add missing salt option to vault_mod

2016-08-04 Thread Jan Cholasta

Hi,

the attached patch fixes .

Pushed under the one-liner rule to master: 
1a73477e1561b0a2a66852575010a136edc014a6


Honza

--
Jan Cholasta
From 4f416db82a6f335e9d727730c782f9ad2b0be20e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 4 Aug 2016 14:14:15 +0200
Subject: [PATCH] vault: add missing salt option to vault_mod

The option was accidentally removed in commit
4b119e21a2f93ca16c5edf3d1058552b44feeaf8.

https://fedorahosted.org/freeipa/ticket/6154
---
 ipaclient/plugins/vault.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index ed75a0e..1e715fd 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -418,7 +418,7 @@ class vault_mod(Local):
 
 def get_options(self):
 for option in self.api.Command.vault_mod_internal.options():
-if option.name not in ('ipavaultsalt', 'version'):
+if option.name != 'version':
 yield option
 for option in super(vault_mod, self).get_options():
 yield option
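Review bot: nothing in the hunk stops this from regressing again the way commit 4b119e21a2f93ca16c5edf3d1058552b44feeaf8 did; add a test asserting that `ipavaultsalt` is among the options of `api.Command.vault_mod` (or that `ipa vault-mod --help` lists `--salt`). A short comment on why only `version` is filtered out of the internal command's options would also help the next person touching this filter.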
-- 
2.7.4


[Freeipa-devel] [Test][patch-0056] Fixed incorrect returncode assert in test

2016-08-04 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 8b8732c3d86820124c117c88c6f892d9bb41cbc3 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 4 Aug 2016 12:42:23 +0200
Subject: [PATCH] Fixed incorrect return code assert

The assert checked that the returncode of the replica uninstallation is zero
where in fact the uninstallation was expected to fail with the certain error
message
---
 ipatests/test_integration/test_replica_promotion.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 7bc1d5281880221578df3c269a3d7715777bb8e0..e4cac69738bd9c265c88ccc23392adad38486c1a 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -345,7 +345,7 @@ class TestProhibitReplicaUninstallation(IntegrationTest):
 result = self.replicas[0].run_command(['ipa-server-install',
'--uninstall', '-U'],
   raiseonerr=False)
-assert(result.returncode == 0), ("The replica was removed without "
+assert(result.returncode > 0), ("The replica was removed without "
  "'--ignore-topology-disconnect' option")
 assert("Uninstallation leads to disconnected topology"
in result.stdout_text), ("Expected error message was not found")
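Review bot: `result.returncode > 0` expresses "the uninstall must fail" indirectly; `!= 0` states the intent and also holds if the command runner ever reports a signal-terminated process as a negative code. The message "The replica was removed without '--ignore-topology-disconnect' option" still reads as the old assertion's complaint; with the inverted condition it should say that the uninstall unexpectedly succeeded.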
-- 
1.8.3.1


[Freeipa-devel] [PATCH 683] install: fix external CA cert validation

2016-08-04 Thread Jan Cholasta

Hi,

the attached patch fixes .

Pushed under the one-liner rule to:
master: a42b456b91cb345e977c6f0febf5c30f15a954d3
ipa-4-3: 44401d26c29e35d38bc94a7a87b9f2dd205e0643

Honza

--
Jan Cholasta
From 35856043cb92fd99268c4b7afb87909efba74ed7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 4 Aug 2016 09:58:38 +0200
Subject: [PATCH] install: fix external CA cert validation

The code which loads the external CA cert chain was never executed because
of an incorrect usage of an iterator (iterating over it twice).

https://fedorahosted.org/freeipa/ticket/6166
---
 ipaserver/install/installutils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 25f48ae..66ba333 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1038,7 +1038,7 @@ def load_external_cert(files, subject_base):
 raise ScriptError(
 "IPA CA certificate not found in %s" % (", ".join(files)))
 
-trust_chain = reversed(nssdb.get_trust_chain(ca_nickname))
+trust_chain = list(reversed(nssdb.get_trust_chain(ca_nickname)))
 ca_cert_chain = []
 for nickname in trust_chain:
 cert, subject, issuer = cache[nickname]
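Review bot: the `list()` wrapper is only needed because `trust_chain` is consumed a second time after the loop shown here (the commit message says "iterating over it twice"), and that second consumer is outside the hunk; add a short comment at the assignment saying the chain is iterated more than once, otherwise a future cleanup will turn it back into a bare `reversed()` and silently skip the chain validation again.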
-- 
2.7.4


Re: [Freeipa-devel] [PATCH 0196] baseldap: Fix MidairCollision instantiation during entry modification

2016-08-04 Thread Lenka Doudova



On 07/26/2016 05:22 PM, Alexander Bokovoy wrote:

On Tue, 26 Jul 2016, Martin Babinsky wrote:

Fix for https://fedorahosted.org/freeipa/ticket/6097

Since this issue was found during investigation of other ticket[1], 
you can test it by performing steps to reproduce #6041, but instead 
of internal error you should see the MidairCollision raised as public 
error with the right error message.


[1] https://fedorahosted.org/freeipa/ticket/6041

I have a preliminary patch for slapi-nis to fix 6041 (attached).


Bump for review on this.




As for this fix -- ACK.



--
Martin^3 Babinsky



From 8f0d6dab08f61fe2fd1ad64a63f7ab91fc5227d4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 25 Jul 2016 14:05:08 +0200
Subject: [PATCH] baseldap: Fix MidairCollision instantiation during 
entry

modification

https://fedorahosted.org/freeipa/ticket/6097
---
ipaserver/plugins/baseldap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py 
b/ipaserver/plugins/baseldap.py
index 
6107e43a6ee17d9b9a63d9dc109664d8b232069f..f7844e3e7c59c259b9c8367d135b2dbefc3f0016 
100644

--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1466,7 +1466,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
entry_attrs.dn, attrs_list)
except errors.NotFound:
raise errors.MidairCollision(
-format=_('the entry was deleted while being modified')
+message=_('the entry was deleted while being modified')
)

self.obj.get_indirect_members(entry_attrs, attrs_list)
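Review bot: the keyword fix from `format=` to `message=` is right, but nothing in the patch exercises the `errors.NotFound` branch; the wrong keyword only failed at raise time, surfacing as an internal error instead of the public MidairCollision, so a test that deletes the entry between the read and the modify, as the reproduction steps in this thread describe, should accompany the fix.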
@@ -2344,7 +2344,7 @@ class BaseLDAPModAttribute(LDAPQuery):
entry_attrs.dn, attrs_list)
except errors.NotFound:
raise errors.MidairCollision(
-format=_('the entry was deleted while being modified')
+message=_('the entry was deleted while being modified')
)

for callback in self.get_callbacks('post'):
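Review bot: same change as in `LDAPUpdate` above; since the identical mistake appeared in two places, grep the rest of the plugins for `MidairCollision(format=` and for other error classes raised with `format=` where `message=` is meant, and fix any further hits in this patch rather than one ticket at a time.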
--
2.7.4












[Freeipa-devel] [Tests][patch-0066] Fixed incorrect domainlevel determination in integration tests

2016-08-04 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 2deee8b3baeb091904eb7c2ba61b90e669cc8df2 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Thu, 4 Aug 2016 09:22:31 +0200
Subject: [PATCH] Fixed incorrect domainlevel determination in tests

https://fedorahosted.org/freeipa/ticket/6167
---
 ipatests/test_integration/tasks.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 7f6c79e65cda31bdba3d882a72bb5e2dcdb1f355..b01738aa14594560f70c98ccfb1faf25f44559b2 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -301,6 +301,7 @@ def get_replica_filename(replica):
 def domainlevel(host):
 # Dynamically determines the domainlevel on master. Needed for scenarios
 # when domainlevel is changed during the test execution.
+kinit_admin(host)
 result = host.run_command(['ipa', 'domainlevel-get'], raiseonerr=False)
 level = 0
 domlevel_re = re.compile('.*(\d)')
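Review bot: `kinit_admin(host)` fixes the unauthenticated `ipa domainlevel-get`, but the call still runs with `raiseonerr=False` and `level = 0` as the fallback, so any remaining failure (expired admin credentials, server down) is silently reported as domain level 0 and the test takes the wrong branch; check `result.returncode` and fail loudly instead. Also `re.compile('.*(\d)')` should be a raw string, `r'.*(\d)'`, and since `.*(\d)` captures the last digit of the output, a comment that this assumes single-digit levels would help.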
-- 
1.8.3.1
