[Freeipa-devel] [freeipa PR#10] Client-side CSR autogeneration (synchronize)

[LiptonB]

LiptonB's pull request #10: "Client-side CSR autogeneration" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/10
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10
From eeeb57fa9ff1642dbd1e32fbfe435052de2541ee Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 01/10] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 freeipa.spec.in |   8 +
 install/configure.ac|   1 +
 install/share/Makefile.am   |   1 +
 install/share/csr/Makefile.am   |  27 +++
 install/share/csr/templates/certutil_base.tmpl  |  14 ++
 install/share/csr/templates/ipa_macros.tmpl |  42 
 install/share/csr/templates/openssl_base.tmpl   |  35 +++
 install/share/csr/templates/openssl_macros.tmpl |  29 +++
 ipaclient/plugins/certmapping.py| 105 +
 ipalib/certmapping.py   | 285 
 ipalib/errors.py|   9 +
 ipapython/templating.py |  31 +++
 12 files changed, 587 insertions(+)
 create mode 100644 install/share/csr/Makefile.am
 create mode 100644 install/share/csr/templates/certutil_base.tmpl
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csr/templates/openssl_base.tmpl
 create mode 100644 install/share/csr/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/plugins/certmapping.py
 create mode 100644 ipalib/certmapping.py
 create mode 100644 ipapython/templating.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e3ad5b6..ab8e8e6 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -507,6 +507,7 @@ Requires: python-custodia
 Requires: python-dns >= 1.11.1
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
+Requires: python-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -1178,6 +1179,13 @@ fi
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
 %{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/csr
+%dir %{_usr}/share/ipa/csr/templates
+%{_usr}/share/ipa/csr/templates/*.tmpl
+%dir %{_usr}/share/ipa/csr/profiles
+%{_usr}/share/ipa/csr/profiles/*.json
+%dir %{_usr}/share/ipa/csr/rules
+%{_usr}/share/ipa/csr/rules/*.json
 %dir %{_usr}/share/ipa/ffextension
 %{_usr}/share/ipa/ffextension/bootstrap.js
 %{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index 81f17b9..365f0e9 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -87,6 +87,7 @@ AC_CONFIG_FILES([
 share/Makefile
 share/advise/Makefile
 share/advise/legacy/Makefile
+share/csr/Makefile
 share/profiles/Makefile
 share/schema.d/Makefile
 ui/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index d8845ee..0a15635 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
 
 SUBDIRS =  \
 	advise\
+	csr\
 	profiles			\
 	schema.d			\
 	$(NULL)
diff --git a/install/share/csr/Makefile.am b/install/share/csr/Makefile.am
new file mode 100644
index 000..5a8ef5c
--- /dev/null
+++ b/install/share/csr/Makefile.am
@@ -0,0 +1,27 @@
+NULL =
+
+profiledir = $(IPA_DATA_DIR)/csr/profiles
+profile_DATA =\
+	$(NULL)
+
+ruledir = $(IPA_DATA_DIR)/csr/rules
+rule_DATA =\
+	$(NULL)
+
+templatedir = $(IPA_DATA_DIR)/csr/templates
+template_DATA =			\
+	templates/certutil_base.tmpl	\
+	templates/openssl_base.tmpl	\
+	templates/openssl_macros.tmpl	\
+	templates/ipa_macros.tmpl	\
+	$(NULL)
+
+EXTRA_DIST =\
+	$(profile_DATA)			\
+	$(rule_DATA)			\
+	$(template_DATA)		\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~\
+	Makefile.in
diff --git a/install/share/csr/templates/certutil_base.tmpl b/install/share/csr/templates/certutil_base.tmpl
new file mode 100644
index 000..6c6425f
--- /dev/null
+++ b/install/share/csr/templates/certutil_base.tmpl
@@ -0,0 +1,14 @@
+{% raw -%}
+{% import "ipa_macros.tmpl" as ipa -%}
+{%- endraw %}
+#!/bin/bash -e
+
+if [[ $# -lt 1 ]]; then
+echo "Usage: $0  [  ]"
+echo "Called as: $0 $@"
+exit 1
+fi
+
+CSR="$1"
+shift
+certutil -R -a -z <(head -c 4096 /dev/urandom) -o "$CSR" {{ options|join(' ') }} "$@"
diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
new file mode 100644
index 000..e790d4e
--- /dev/null
+++ 

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Alexander Bokovoy]

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:53, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:



On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default 
trust ID view is added just by ipa-adtrust-install, adding 
trust is not needed for current implementation. You don't need 
AD for this, IDviews is generic feature not just for AD. Is 
that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, 
so using

some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this 
feature with proper output validation.



How can be this tested with SSSD?

You need to log into the system with a certificate...
Is this possible from test? We are logged remotely as root, is there 
any cmdline util which allows us to test certificate against AD user?

https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD

The only thing that differentiates AD user from IPA is the fact that
you'd need to trust a certificate authority that issued the certificate
for this user.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Sumit Bose]

On Wed, Sep 14, 2016 at 06:03:37PM +0200, Martin Basti wrote:
> 
> 
> On 14.09.2016 17:53, Alexander Bokovoy wrote:
> > On Wed, 14 Sep 2016, Martin Basti wrote:
> > > 
> > > 
> > > On 14.09.2016 17:41, Alexander Bokovoy wrote:
> > > > On Wed, 14 Sep 2016, Martin Basti wrote:
> > > > > 1)
> > > > > I still don't see the reason why AD trust is needed. Default
> > > > > trust ID view is added just by ipa-adtrust-install, adding
> > > > > trust is not needed for current implementation. You don't
> > > > > need AD for this, IDviews is generic feature not just for
> > > > > AD. Is that user configured on AD side?
> > > > You cannot add non-AD user to 'default trust view', so you will not be
> > > > able to set up certificates to ID override which does not exist.
> > > > 
> > > > For non-'default trust view' you can add both IPA and AD users,
> > > > so using
> > > > some other view and then assign certificate for a ID override in that
> > > > one.
> > > > 
> > > 
> > > Ok then, but anyway I would like to see API/CLI tests for this
> > > feature with proper output validation.
> > > 
> > > 
> > > How can be this tested with SSSD?
> > You need to log into the system with a certificate...
> Is this possible from test? We are logged remotely as root, is there any
> cmdline util which allows us to test certificate against AD user?


You can use 'sss_ssh_authorizedkeys aduser@ad.domain' which should
return the ssh key derived from the public key in the certificate. This
should work for certificate stored in AD as well as for overrides.

You can also you the DBus lookup by certificate as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate .

HTH

bye,
Sumit

> 
> Martin^2
> 
> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Martin Basti]

On 14.09.2016 17:41, Alexander Bokovoy wrote:

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.



Ok then, but anyway I would like to see API/CLI tests for this feature 
with proper output validation.



How can be this tested with SSSD?

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Alexander Bokovoy]

On Wed, 14 Sep 2016, Martin Basti wrote:

1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?

You cannot add non-AD user to 'default trust view', so you will not be
able to set up certificates to ID override which does not exist.

For non-'default trust view' you can add both IPA and AD users, so using
some other view and then assign certificate for a ID override in that
one.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Martin Basti]

On 06.09.2016 13:57, Oleg Fayans wrote:

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:
The test was redesigned so that it actually tests against an AD 
user.

cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/



















NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', 
'>',

+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', 
'>',

+cls.adcert2_file], cls.reqdir)

IMO thus should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the 
same

evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3












1)
I still don't see the reason why AD trust is needed. Default trust ID 
view is added just by ipa-adtrust-install, adding trust is not needed 
for current implementation. You don't need AD for this, IDviews is 
generic feature not just for AD. Is that user configured on AD side?


2)
The test itself looks for me as just API/CLI test. IMO it can be in 
ipatests/test_xmlrpc/test_idviews_plugin.py or 
ipatests/test_xmlrpc/test_add_remove_cert_cmd.py


3)
I don't see any integration with SSSD in that test, just pure IPA CLI 
test, shouldn't be this tested against SSSD here?



Martin^2
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (comment)

[dkupka]

dkupka commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1c96ff7a6c7e1733a6492f9b3c93265f5bc8ff5b
https://fedorahosted.org/freeipa/changeset/cd2c10d7ca97ffc76682159ad58161eab413532d
https://fedorahosted.org/freeipa/changeset/d13a4c2f395c08b514a51a19eaad3fa7d32e7538
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/dee950d88ec969b36c1271a3ef9fe4e4f5b48b01
https://fedorahosted.org/freeipa/changeset/b7fcbe9a59cbb748087f8f2b29511d2ead484e1c
https://fedorahosted.org/freeipa/changeset/bb2c1790ea14381fa3e0f6ab11484300a2bcb746
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/78#issuecomment-247013555
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (closed)

[dkupka]

mbasti-rh's pull request #78: "Fix Ip-addr validation" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/78
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/78/head:pr78
git checkout pr78
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+pushed)

[dkupka]

mbasti-rh's pull request #78: "Fix Ip-addr validation" label *pushed* has been 
added

See the full pull-request at https://github.com/freeipa/freeipa/pull/78
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#78] Fix Ip-addr validation (+ack)

[dkupka]

mbasti-rh's pull request #78: "Fix Ip-addr validation" label *ack* has been 
added

See the full pull-request at https://github.com/freeipa/freeipa/pull/78
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (closed)

[martbab]

mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/81
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/81/head:pr81
git checkout pr81
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (comment)

[martbab]

martbab commented on a pull request

"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/2d011b97c8a56d9eabae2ca3d88c30314e0adb58
https://fedorahosted.org/freeipa/changeset/93756dc719723bbec93497ecd6e06e325e6eecbd
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/afeb4bd8a6039173c24201803f1253fae2529a83
https://fedorahosted.org/freeipa/changeset/e39cc53d90175e3cae6805302f318a96bc0e1af1
master:
https://fedorahosted.org/freeipa/changeset/22fd6f020940b5b2a1258f8e0e6058c95f7a1ba5
https://fedorahosted.org/freeipa/changeset/271a4f098230112ee0e3ea3ffb3a509977ee7330
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/81#issuecomment-247004156
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (+pushed)

[martbab]

mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" label *pushed* has 
been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/81
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (closed)

[mbasti-rh]

ofayans's pull request #52: "Removed incorrect check for returncode" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/52/head:pr52
git checkout pr52
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+pushed)

[martbab]

martbab's pull request #80: "ipa passwd: use correct normalizer for user 
principals" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/80
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)

[martbab]

martbab commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f3f9087ee8d1b1531730cf1e91fe404092e8c81d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0fe08fdce78b8a26cae1ad238cfea20fe86b8332
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/80#issuecomment-246979841
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (closed)

[martbab]

martbab's pull request #80: "ipa passwd: use correct normalizer for user 
principals" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/80
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/80/head:pr80
git checkout pr80
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#82] Fix regexp in user/group name (opened)

[mbasti-rh]

mbasti-rh's pull request #82: "Fix regexp in user/group name" was opened

PR body:
"""
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.

https://fedorahosted.org/freeipa/ticket/5822
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/82
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/82/head:pr82
git checkout pr82
From e387fb3bb71f59d8554a7ae046fc534eaf07d470 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 14 Sep 2016 12:55:01 +0200
Subject: [PATCH] Fix regexp in user/group name

Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.

https://fedorahosted.org/freeipa/ticket/5822
---
 ipaserver/plugins/baseuser.py | 2 +-
 ipaserver/plugins/group.py| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 5e36a66..608e2d4 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -172,7 +172,7 @@ class baseuser(LDAPObject):
 
 takes_params = (
 Str('uid',
-pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='login',
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
index dcd4a91..5f0e9af 100644
--- a/ipaserver/plugins/group.py
+++ b/ipaserver/plugins/group.py
@@ -260,7 +260,7 @@ class group(LDAPObject):
 
 takes_params = (
 Str('cn',
-pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$',
 pattern_errmsg='may only include letters, numbers, _, -, . and $',
 maxlength=255,
 cli_name='group_name',
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

[mbasti-rh]

mbasti-rh commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7cac8392036bf6d6bbd74f5a781986dec21149d6
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/6d04220dc3071782cf303b2e94e06da4ee26e512
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/32a6528dade8a6bcf1be2885b0ae714669a06d62
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/27#issuecomment-246975562
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+pushed)

[mbasti-rh]

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo 
tests setup and checks" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/27
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (closed)

[mbasti-rh]

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo 
tests setup and checks" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/27
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/27/head:pr27
git checkout pr27
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (+ack)

[mbasti-rh]

mirielka's pull request #27: "[master, ipa-4-3] Tests: Fix integration sudo 
tests setup and checks" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/27
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#27] [master, ipa-4-3] Tests: Fix integration sudo tests setup and checks (comment)

[lslebodn]

lslebodn commented on a pull request

"""
Test passed on fedora 24 + freeipa-4_4.
ACK
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/27#issuecomment-246969936
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][Patch-0049, 0050] Certs in ID overrides test

[Oleg Fayans]

Ping for review.

On 09/06/2016 01:57 PM, Oleg Fayans wrote:

The test is updated to clean up after itself

On 09/06/2016 12:57 PM, Oleg Fayans wrote:

Hi Martin,

Thanks for the review. The updated patches are attached. Please, see my
comments below

On 08/30/2016 01:58 PM, Martin Basti wrote:



On 22.08.2016 13:18, Oleg Fayans wrote:

ping for review

On 08/02/2016 01:11 PM, Oleg Fayans wrote:

Hi Martin,

I did! Thank you!

On 08/02/2016 12:31 PM, Martin Basti wrote:



On 01.08.2016 22:46, Oleg Fayans wrote:

The test was redesigned so that it actually tests against an AD
user.
cleanly applies, passes lint and passes

https://paste.fedoraproject.org/399504/00843641/


Okay

Did you forget to send patches?

Martin^2



On 06/28/2016 01:40 PM, Oleg Fayans wrote:

Patch-0050 rebased against latest upstream branch

On 06/28/2016 10:45 AM, Oleg Fayans wrote:

Passing test output:

https://paste.fedoraproject.org/385774/71035231/



















NACK for 0049.1

1)
PEP8: you must use 2 empty lines between functions


Fixed



2)
+new_args = " ".join(new_args + args)

you don't need this, run_command takes list as argument too
new_args.extend(args)


The list-based approach does not work with shell redirects which are
heavily used in the certs_id_idoverrides test. Thus, this trick is
really needed



3)
To make it more usable you should add raiseonerr as kwarg to
run_certutil (True as default)


Done



NACK for 0050.2

1)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert1, '-a', '>',
+cls.adcert1_file], cls.reqdir)
+tasks.run_certutil(master, ['-L', '-n', cls.adcert2, '-a', '>',
+cls.adcert2_file], cls.reqdir)

IMO thus should raise an error if failed, but previously you set
raiseonerr=False (multiple times)


Agreed. Done



2)
+cls.ad = cls.ad_domains[0].ads[0]
+cls.ad_domain = cls.ad.domain.name
+cls.aduser = "testuser@%s" % cls.ad_domain
+cls.adcert1 = 'MyCert1'
+cls.adcert2 = 'MyCert2'
+cls.adcert1_file = cls.adcert1 + '.crt'
+cls.adcert2_file = cls.adcert2 + '.crt'

New definitions of variables/constants should be directly in class not
in install method, adding new class variables in classmethod is the same
evil as adding instance variables outside __init__


Fair point. Fixed



3)
I have question, why do you need AD for this test? AFAIK you can use ID
overrides without AD


Correct. You can, but the workflow would be slightly different. For
example, you can not issue and sign cert requests for AD-users the way
you would do it for local users. We want to have tests that can be taken
by end-users as example how to use our software, that's why it is better
to be as close to real-world use-cases as it is possible.



Martin^3











--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

[Oleg Fayans]

Again ping for review, please it completely blocks the whole job.

On 09/07/2016 03:27 PM, Oleg Fayans wrote:

ping for review

On 08/24/2016 01:58 PM, Oleg Fayans wrote:

And here is how the run looks like:

$ ipa-run-tests test_integration/test_topology.py
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'


test session starts
=


platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ..x

===

2 passed, 1 xfailed in 1558.66 seconds
===




On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says
nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in
test
shows error message that "removal of segment will disconnect
topology",
but this patch only swap order of replica names in segment name. I
would
expect that you should get different error, something like segment
does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the unexisting segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'



test session starts
=



platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...




3 passed in 2156.82 seconds
=






I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2












--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: 

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+pushed)

[martbab]

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when 
fetching trust domain info" label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)

[martbab]

martbab commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b0d40b80e8d9a4960296ce70d843ad987657696b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/6755cbbc3346910bcd4be1577351cc15ab7d3140
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/79#issuecomment-246944496
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (closed)

[martbab]

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when 
fetching trust domain info" was closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/79/head:pr79
git checkout pr79
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (+ack)

[abbra]

martbab's pull request #79: "trust-fetch-domains: contact forest DCs when 
fetching trust domain info" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/79
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#79] trust-fetch-domains: contact forest DCs when fetching trust domain info (comment)

[abbra]

abbra commented on a pull request

"""
LGTM. We discussed the placement of populate_remote_domain() but decided to 
keep it there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/79#issuecomment-246935619
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+pushed)

[mbasti-rh]

ofayans's pull request #52: "Removed incorrect check for returncode" label 
*pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[mbasti-rh]

mbasti-rh commented on a pull request

"""
**Xfailed the tests due to a known bug with replica preparation**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1e484d010b653b8ac06425ca602ba5c9e950ed89

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-246934600
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[mbasti-rh]

mbasti-rh commented on a pull request

"""
**Changed addressing to the client hosts to be replicas**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ac78d191ded6721cf1051413cdd6862c0362e66b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/de4a1fc0df5474f268c7ed08ffb802110631c13f
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/8ed4a4ba6392deb7972ddc07593d649926065c72

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-246934259
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[mbasti-rh]

mbasti-rh commented on a pull request

"""
**Several fixes in replica_promotion tests**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/39c15ecdcdcbc2a0b651b0f89080789dd806e998
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/cd6adafbf699da48ab877e77ac9c1cc1dd26bf61

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-246933583
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (comment)

[mbasti-rh]

mbasti-rh commented on a pull request

"""
**Removed incorrect check for returncode**

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/22b0e8a9eb9eb3d47131c6784d70dd409d5b889b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/e265853d055caf7e3d17316eee6e25aa26bbf2a9

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/52#issuecomment-246933097
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (+ack)

[abbra]

martbab's pull request #80: "ipa passwd: use correct normalizer for user 
principals" label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/80
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#80] ipa passwd: use correct normalizer for user principals (comment)

[abbra]

abbra commented on a pull request

"""
Looks good, thanks!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/80#issuecomment-246931189
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#81] Fix emptyzones dns upgrade (synchronize)

[mbasti-rh]

mbasti-rh's pull request #81: "Fix emptyzones dns upgrade" was synchronize

See the full pull-request at https://github.com/freeipa/freeipa/pull/81
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/81/head:pr81
git checkout pr81
From b1aeee9e57fdaa39545a437d65f6520f1cfbff53 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 13 Sep 2016 18:37:43 +0200
Subject: [PATCH 1/2] Start named during configuration upgrade.

Some upgrade steps require bind running, to be succesfull. Upgrader
makes sure that bind starts.

https://fedorahosted.org/freeipa/ticket/6205
---
 ipaserver/install/server/upgrade.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index aec84dc..19ea8ca 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1706,6 +1706,15 @@ def upgrade_configuration():
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
 setup_firefox_extension(fstore)
+
+bind = bindinstance.BindInstance(fstore)
+if bind.is_configured() and not bind.is_running():
+# some upgrade steps may require bind running
+bind_started = True
+bind.start()
+else:
+bind_started = False
+
 add_ca_dns_records()
 
 # Any of the following functions returns True iff the named.conf file
@@ -1737,6 +1746,9 @@ def upgrade_configuration():
 except ipautil.CalledProcessError as e:
 root_logger.error("Failed to restart %s: %s", bind.service_name, e)
 
+if bind_started:
+bind.stop()
+
 custodia = custodiainstance.CustodiaInstance(api.env.host, api.env.realm)
 custodia.upgrade_instance()
 

From 7c81de901f66c279238b164e1dfbf829ea670533 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 13 Sep 2016 19:12:40 +0200
Subject: [PATCH 2/2] Catch DNS exceptions during emptyzones named.conf upgrade

For some reasons named may not be runnig and this cause fail of this
upgrade step. This step is not critical so only ERROR message with
recommendation is shown.

https://fedorahosted.org/freeipa/ticket/6205
---
 ipaserver/install/server/upgrade.py | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 19ea8ca..b47d8fa 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -11,6 +11,8 @@
 import fileinput
 import sys
 
+import dns.exception
+
 import six
 from six.moves.configparser import SafeConfigParser
 
@@ -840,9 +842,18 @@ def named_update_global_forwarder_policy():
 'forward_policy_conflict_with_empty_zones_handled',
 True
 )
-if not dnsutil.has_empty_zone_addresses(api.env.host):
-# guess: local server does not have IP addresses from private ranges
-# so hopefully automatic empty zones are not a problem
+try:
+if not dnsutil.has_empty_zone_addresses(api.env.host):
+# guess: local server does not have IP addresses from private
+# ranges so hopefully automatic empty zones are not a problem
+return False
+except dns.exception.DNSException as ex:
+root_logger.error(
+'Skipping update of global DNS forwarder in named.conf: '
+'Unable to determine if local server is using an '
+'IP address belonging to an automatic empty zone. '
+'Consider changing forwarding policy to "only". '
+'DNS exception: %s', ex)
 return False
 
 if bindinstance.named_conf_get_directive(
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#52] Removed incorrect check for returncode (+ack)

[mbasti-rh]

ofayans's pull request #52: "Removed incorrect check for returncode" label 
*ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/52
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#50] Add cert checks in ipa-server-certinstall (comment)

[flo-renaud]

flo-renaud commented on a pull request

"""
Bump for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/50#issuecomment-246921696
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code