[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-09-29 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Fri, 30 Sep 2016 01:00:02 +0300
Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa

This is more consistent with the other daemons.
---
 daemons/ipa-otpd/Makefile.am  | 3 ++-
 daemons/ipa-otpd/ipa-o...@.service.in | 2 +-
 freeipa.spec.in   | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index 8392174..d2e1679 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
 AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
 
 noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
 dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py
 systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
 
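Review bot: `appdir = $(libexecdir)/ipa/` ends in a slash, so the install
path is built as `$(libexecdir)/ipa//ipa-otpd`. It works, but dropping the
trailing slash matches the `@libexecdir@/ipa/ipa-otpd` form used in the unit
file. `appdir`/`app_PROGRAMS` is also a generic prefix for what is
specifically the IPA helper directory; a short comment above it saying where
the binary lands would help the next reader.
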
diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in
index b85d5a1..92afb40 100644
--- a/daemons/ipa-otpd/ipa-o...@.service.in
+++ b/daemons/ipa-otpd/ipa-o...@.service.in
@@ -3,7 +3,7 @@ Description=ipa-otpd service
 
 [Service]
 EnvironmentFile=@sysconfdir@/ipa/default.conf
-ExecStart=@libexecdir@/ipa-otpd $ldap_uri
+ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri
 StandardInput=socket
 StandardOutput=socket
 StandardError=syslog
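
Review bot: `ExecStart=@libexecdir@/ipa/ipa-otpd` repeats by hand the
subdirectory that `appdir` sets in Makefile.am, so the two can drift apart
on a later change; a note in one of the files pointing at the other would
help. The old `@libexecdir@/ipa-otpd` location disappears with this patch
and the diffstat touches only three files, so it is worth grepping for any
other reference to the old path (other platforms' packaging, policy keyed
on the binary path) before merging.
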
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3b0e4b2..8972cb9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1056,13 +1056,13 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
-%{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
+%{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf

From b8c50254e3208b25e746eab6a821b51319e80c63 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 29 Mar 2016 21:33:15 +0300
Subject: [PATCH 2/2] Purge obsolete firefox extension

---
 freeipa.spec.in|  12 --
 install/Makefile.am|   1 -
 install/configure.ac   |   5 -
 install/ffextension/Makefile.am|  23 ---
 install/ffextension/bootstrap.js   |  88 -
 install/ffextension/chrome.manifest|   4 -
 install/ffextension/chrome/Makefile.am |  19 --
 install/ffextension/chrome/content/Makefile.am |  17 --
 install/ffextension/chrome/content/kerberosauth.js | 197 -
 .../chrome/content/kerberosauth_overlay.xul|   9 -
 install/ffextension/install.rdf|  26 ---
 install/ffextension/locale/Makefile.am |  19 --
 install/ffextension/locale/en-US/Makefile.am   |  16 --
 .../locale/en-US/kerberosauth.properties   |   4 -
 install/share/Makefile.am  |   1 -
 install/share/krb.js.template  |   2 -
 ipaplatform/base/paths.py  |   4 -
 ipaserver/install/httpinstance.py  |  42 +
 ipaserver/install/server/replicainstall.py |   4 +-
 ipaserver/install/server/upgrade.py|  11 --
 20 files changed, 2 insertions(+), 502 deletions(-)
 delete mode 100644 install/ffextension/Makefile.am
 delete mode 100644 install/ffextension/bootstrap.js
 delete mode 100644 install/ffextension/chrome.manifest
 delete mode 100644 install/ffextension/chrome/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/kerberosauth.js
 delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul
 delete mode 100644 install/ffextension/install.rdf
 delete mode 100644 install/ffextension/locale/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties
 delete mode 100644 install/share/krb.js.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8972cb9..a6cba4f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.3-3
 Requires: pki-kra >= 10.3.3-3
 Requires(preun): python systemd-units
 

[Freeipa-devel] [freeipa PR#127][edited] Move ipa-otpd to $libexecdir/ipa, purge ffextension

2016-09-29 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension
Action: edited

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa

2016-09-29 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Fri, 30 Sep 2016 01:00:02 +0300
Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa

This is more consistent with the other daemons.
---
 daemons/ipa-otpd/Makefile.am  | 3 ++-
 daemons/ipa-otpd/ipa-o...@.service.in | 2 +-
 freeipa.spec.in   | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index 8392174..d2e1679 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
 AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
 
 noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
 dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py
 systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
 
diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in
index b85d5a1..92afb40 100644
--- a/daemons/ipa-otpd/ipa-o...@.service.in
+++ b/daemons/ipa-otpd/ipa-o...@.service.in
@@ -3,7 +3,7 @@ Description=ipa-otpd service
 
 [Service]
 EnvironmentFile=@sysconfdir@/ipa/default.conf
-ExecStart=@libexecdir@/ipa-otpd $ldap_uri
+ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri
 StandardInput=socket
 StandardOutput=socket
 StandardError=syslog
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3b0e4b2..8972cb9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1056,13 +1056,13 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
-%{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
+%{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf

From d661e1b3b181e82475b32b3c87aba6703940256b Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 29 Mar 2016 21:33:15 +0300
Subject: [PATCH 2/2] Purge obsolete firefox extension

---
 freeipa.spec.in|  12 --
 install/Makefile.am|   1 -
 install/configure.ac   |   5 -
 install/ffextension/Makefile.am|  23 ---
 install/ffextension/bootstrap.js   |  88 -
 install/ffextension/chrome.manifest|   4 -
 install/ffextension/chrome/Makefile.am |  19 --
 install/ffextension/chrome/content/Makefile.am |  17 --
 install/ffextension/chrome/content/kerberosauth.js | 197 -
 .../chrome/content/kerberosauth_overlay.xul|   9 -
 install/ffextension/install.rdf|  26 ---
 install/ffextension/locale/Makefile.am |  19 --
 install/ffextension/locale/en-US/Makefile.am   |  16 --
 .../locale/en-US/kerberosauth.properties   |   4 -
 install/share/Makefile.am  |   1 -
 install/share/krb.js.template  |   2 -
 ipaplatform/base/paths.py  |   4 -
 ipaserver/install/httpinstance.py  |  40 +
 ipaserver/install/server/replicainstall.py |   4 +-
 ipaserver/install/server/upgrade.py|  11 --
 20 files changed, 2 insertions(+), 500 deletions(-)
 delete mode 100644 install/ffextension/Makefile.am
 delete mode 100644 install/ffextension/bootstrap.js
 delete mode 100644 install/ffextension/chrome.manifest
 delete mode 100644 install/ffextension/chrome/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/Makefile.am
 delete mode 100644 install/ffextension/chrome/content/kerberosauth.js
 delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul
 delete mode 100644 install/ffextension/install.rdf
 delete mode 100644 install/ffextension/locale/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/Makefile.am
 delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties
 delete mode 100644 install/share/krb.js.template

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8972cb9..a6cba4f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.3-3
 Requires: pki-kra >= 10.3.3-3
 Requires(preun): python systemd-units
 Requires(postun): python 

[Freeipa-devel] [freeipa PR#127][opened] Move ipa-otpd to $libexecdir/ipa

2016-09-29 Thread tjaalton
   URL: https://github.com/freeipa/freeipa/pull/127
Author: tjaalton
 Title: #127: Move ipa-otpd to $libexecdir/ipa
Action: opened

PR body:
"""
This is more consistent with the other daemons.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/127/head:pr127
git checkout pr127
From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Fri, 30 Sep 2016 01:00:02 +0300
Subject: [PATCH] Move ipa-otpd to $libexecdir/ipa

This is more consistent with the other daemons.
---
 daemons/ipa-otpd/Makefile.am  | 3 ++-
 daemons/ipa-otpd/ipa-o...@.service.in | 2 +-
 freeipa.spec.in   | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index 8392174..d2e1679 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
 AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
 
 noinst_HEADERS = internal.h
-libexec_PROGRAMS = ipa-otpd
+appdir = $(libexecdir)/ipa/
+app_PROGRAMS = ipa-otpd
 dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py
 systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
 
diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in
index b85d5a1..92afb40 100644
--- a/daemons/ipa-otpd/ipa-o...@.service.in
+++ b/daemons/ipa-otpd/ipa-o...@.service.in
@@ -3,7 +3,7 @@ Description=ipa-otpd service
 
 [Service]
 EnvironmentFile=@sysconfdir@/ipa/default.conf
-ExecStart=@libexecdir@/ipa-otpd $ldap_uri
+ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri
 StandardInput=socket
 StandardOutput=socket
 StandardError=syslog
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3b0e4b2..8972cb9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1056,13 +1056,13 @@ fi
 %{_sbindir}/ipa-winsync-migrate
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
-%{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
+%{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf

[Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN

2016-09-29 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/73
Title: #73: Tests for certificates with SAN

apophys commented:
"""
I have fixed typos and implemented the proposed test cases. I have also 
provided docstring to the change_principal context manager.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/73#issuecomment-250461484

[Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN

2016-09-29 Thread apophys
   URL: https://github.com/freeipa/freeipa/pull/73
Author: apophys
 Title: #73: Tests for certificates with SAN
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/73/head:pr73
git checkout pr73
From 7ef1437d1edca904ef6528ca3b9571e35351b8ae Mon Sep 17 00:00:00 2001
From: Milan Kubík
Date: Mon, 12 Sep 2016 14:52:05 +0200
Subject: [PATCH 1/3] ipatests: provide context manager for keytab usage in RPC
 tests

https://fedorahosted.org/freeipa/ticket/6366
---
 ipatests/util.py | 72 
 1 file changed, 67 insertions(+), 5 deletions(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 0b50f85..aed5cc5 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -40,7 +40,9 @@
 from ipalib.plugable import Plugin
 from ipalib.request import context
 from ipapython.dn import DN
-from ipapython.ipautil import private_ccache, kinit_password, run
+from ipapython.ipautil import (
+private_ccache, kinit_password, kinit_keytab, run
+)
 from ipaplatform.paths import paths
 
 if six.PY3:
@@ -693,8 +695,28 @@ def unlock_principal_password(user, oldpw, newpw):
 
 
 @contextmanager
-def change_principal(user, password, client=None, path=None,
- canonicalize=False, enterprise=False):
+def change_principal(principal, password=None, client=None, path=None,
+ canonicalize=False, enterprise=False, keytab=None):
+"""Temporarily change the kerberos principal
+
+Most of the test cases run with the admin ipa user which is granted
+all access and exceptions from rules on some occasions.
+
+When the test needs to test for an application of some kind
+of a restriction it needs to authenticate as a different principal
+with required set of rights to the operation.
+
+The context manager changes the principal identity in two ways:
+
+* using password
+* using keytab
+
+If the context manager is to be used with a keytab, the keytab
+option must be its absolute path.
+
+The context manager can be used to authenticate with enterprise
+principals and aliases when given respective options.
+"""
 
 if path:
 ccache_name = path
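
Review bot: in the new `change_principal` signature both `password=None` and
`keytab=None` are optional, and nothing rejects a call that passes neither;
that case reaches `kinit_password(principal, None, ...)` and fails far from
the cause. Raise a `ValueError` up front when neither (or both) is given.
Renaming the first parameter from `user` to `principal` also breaks any
caller that passes `user=` by keyword, so those call sites need checking.
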
@@ -709,8 +731,12 @@ def change_principal(user, password, client=None, path=None,
 
 try:
 with private_ccache(ccache_name):
-kinit_password(user, password, ccache_name,
-   canonicalize=canonicalize, enterprise=enterprise)
+if keytab:
+kinit_keytab(principal, keytab, ccache_name)
+else:
+kinit_password(principal, password, ccache_name,
+   canonicalize=canonicalize,
+   enterprise=enterprise)
 client.Backend.rpcclient.connect()
 
 try:
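
Review bot: the `if keytab:` branch calls
`kinit_keytab(principal, keytab, ccache_name)` and silently drops
`canonicalize` and `enterprise`, while the docstring says the context
manager handles enterprise principals and aliases "when given respective
options". Either document that those options apply to password
authentication only, or raise when they are combined with `keytab`.
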
@@ -720,6 +746,42 @@ def change_principal(user, password, client=None, path=None,
 finally:
 client.Backend.rpcclient.connect()
 
+
+@contextmanager
+def get_entity_keytab(principal, options=None):
+"""Requests a keytab for an entity
+
+The keytab will generate new keys if not specified
+otherwise in the options.
+To retrieve existing keytab, use the -r option
+"""
+keytab_filename = os.path.join('/tmp', str(uuid.uuid4()))
+
+try:
+cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename]
+
+if options:
+cmd.extend(options)
+run(cmd)
+
+yield keytab_filename
+finally:
+os.remove(keytab_filename)
+
+
+@contextmanager
+def host_keytab(hostname, options=None):
+"""Retrieves keytab for a particular host
+
+After leaving the context manager, the keytab file is
+deleted.
+"""
+principal = u'host/{}'.format(hostname)
+
+with get_entity_keytab(principal, options) as keytab:
+yield keytab
+
+
 def get_group_dn(cn):
 return DN(('cn', cn), api.env.container_group, api.env.basedn)
 
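Review bot: `get_entity_keytab` writes key material to
`os.path.join('/tmp', str(uuid.uuid4()))`, a file in a world-writable
directory whose permissions are left to whatever `ipa-getkeytab` applies.
Creating a private directory with `tempfile.mkdtemp()` and placing the
keytab inside it would keep the keys out of a shared location. Separately,
if `run(cmd)` fails before the file exists, `os.remove(keytab_filename)` in
the `finally` block raises and hides the original error; guard the removal.
The visible import hunk adds only `kinit_keytab`, so `os` and `uuid` need to
be imported already.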

From 0b39203678b709da375740f9e78349f3903c8035 Mon Sep 17 00:00:00 2001
From: Milan Kubík
Date: Mon, 12 Sep 2016 14:53:48 +0200
Subject: [PATCH 2/3] ipatests: Fix name property on a service tracker

https://fedorahosted.org/freeipa/ticket/6366
---
 ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index a0bb884..0a90115 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
 
 def __init__(self, name, host_fqdn, options=None):
 super(ServiceTracker, self).__init__(default_version=None)
-self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm)
+self._name = 

[Freeipa-devel] [freeipa PR#126][opened] Fix ipa migrate-ds when it finds a search reference

2016-09-29 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/126
Author: flo-renaud
 Title: #126: Fix ipa migrate-ds when it finds a search reference
Action: opened

PR body:
"""
When ipa migrate-ds finds user entries and a search reference, it complains
that the LDAP search did not return any result and does not migrate the
entries or the groups.

The issue comes from LDAPClient._convert_result which returns an empty result
list when the input is a search reference. In turn LDAPClient.find_entries
assumes that the empty result list corresponds to a Search Result Done and
returns without any entry.

The fix is to return a LDAPUrl inside _convert_result and properly process
LDAPUrl in find_entries.

https://fedorahosted.org/freeipa/ticket/6358
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/126/head:pr126
git checkout pr126
From 1996aed2da149fed87f6d64ba439bb99a0a03c0c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 29 Sep 2016 13:46:05 +0200
Subject: [PATCH] Fix ipa migrate-ds when it finds a search reference

When ipa migrate-ds finds user entries and a search reference, it complains
that the LDAP search did not return any result and does not migrate the
entries or the groups.

The issue comes from LDAPClient._convert_result which returns an empty result
list when the input is a search reference. In turn LDAPClient.find_entries
assumes that the empty result list corresponds to a Search Result Done and
returns without any entry.

The fix is to return a LDAPUrl inside _convert_result and properly process
LDAPUrl in find_entries.

https://fedorahosted.org/freeipa/ticket/6358
---
 ipapython/ipaldap.py   | 15 ++-
 ipaserver/plugins/migration.py |  6 ++
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 2dfc5b3..4110121 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -906,7 +906,7 @@ def decode(self, val, attr):
 else:
 raise TypeError("attempt to pass unsupported type from ldap, value=%s type=%s" %(val, type(val)))
 
-def _convert_result(self, result):
+def _convert_result(self, result, search_refs=False):
 '''
 result is a python-ldap result tuple of the form (dn, attrs),
 where dn is a string containing the dn (distinguished name) of
@@ -924,10 +924,15 @@ def _convert_result(self, result):
 
 # original_dn is None if referral instead of an entry was
 # returned from the LDAP server, we need to skip this item
+# if search_refs=False
+# otherwise convert the ref to a LDAPUrl
 if original_dn is None:
-log_msg = 'Referral entry ignored: {ref}'\
-  .format(ref=str(original_attrs))
-self.log.debug(log_msg)
+if search_refs:
+ipa_result.append(ldapurl.LDAPUrl(original_attrs[0]))
+else:
+log_msg = 'Referral entry ignored: {ref}'\
+  .format(ref=str(original_attrs))
+self.log.debug(log_msg)
 
 continue
 
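Review bot: `ldapurl.LDAPUrl(original_attrs[0])` keeps only the first URI of
a search reference and assumes the list is non-empty and parseable. The
value comes from the remote directory server, so an empty list or a string
the parser rejects would raise out of `_convert_result` and abort the whole
search; iterate over `original_attrs` and catch the parse failure, logging
it as the old branch did. Also check that ipaldap.py already imports
`ldapurl`: this patch adds `import ldapurl` only to migration.py.
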
@@ -1385,7 +1390,7 @@ def find_entries(self, filter=None, attrs_list=None, base_dn=None,
 while True:
 result = self.conn.result3(id, 0)
 objtype, res_list, res_id, res_ctrls = result
-res_list = self._convert_result(res_list)
+res_list = self._convert_result(res_list, search_refs)
 if not res_list:
 break
 if (objtype == ldap.RES_SEARCH_ENTRY or
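
Review bot: `if not res_list: break` still uses an empty converted list as
the end-of-results signal, so a caller that leaves `search_refs` false hits
the same early exit the commit message describes whenever a reference
message arrives. Ending the loop on `objtype == ldap.RES_SEARCH_RESULT`
would fix it for every caller. `search_refs` is also not added to the
`find_entries` signature anywhere in this diff, so confirm it is an existing
parameter.
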
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index b1fcdea..425e693 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -20,6 +20,7 @@
 import re
 from ldap import MOD_ADD
 from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+import ldapurl
 
 import six
 
@@ -800,6 +801,11 @@ def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
 context['migrate_cnt'] = migrate_cnt
 s = datetime.datetime.now()
 
+if isinstance(entry_attrs, ldapurl.LDAPUrl):
+failed[ldap_obj_name][str(entry_attrs)] = unicode(
+_ref_err_msg)
+continue
+
 ava = entry_attrs.dn[0][0]
 if ava.attr == ldap_obj.primary_key.name:
 # In case if pkey attribute is in the migrated object DN
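
Review bot: after this hunk `entry_attrs` may be either an entry or an
`ldapurl.LDAPUrl`, and the loop records the referral under `failed[...]`
without following it. That is the safe choice for a server-supplied URL, but
it deserves a one-line comment above the `isinstance` check, and the patch
(2 files changed) carries no test that runs a migration against a result set
containing a search reference.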

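The failure described in the PR#126 message above, reproduced as an added
stand-alone Python simulation (not FreeIPA or python-ldap code; the message
stream, the `Referral` class and all function names are constructed for
illustration). It goes one step beyond the patch by also showing a loop that
ends on the Search Result Done message type, and it treats the referral URL
as untrusted server input that is reported but never followed.

```python
"""Stand-alone simulation of the search-reference handling described above.

Constructed for illustration: the stream below imitates what an LDAP client
receives one message at a time; no FreeIPA or python-ldap code is used.
"""
from urllib.parse import urlsplit

# LDAP protocol message tags (same numeric values python-ldap exposes).
RES_SEARCH_ENTRY = 0x64
RES_SEARCH_RESULT = 0x65
RES_SEARCH_REFERENCE = 0x73


class Referral:
    """Marker for a search reference; holds the server-supplied URL."""

    def __init__(self, url):
        self.url = url


def convert(res_data, search_refs=False):
    """Turn one message's (dn, attrs) tuples into entries or Referral markers.

    A search reference arrives with dn=None and attrs=[url, ...].
    """
    out = []
    for dn, attrs in res_data:
        if dn is None:
            if search_refs:
                out.extend(Referral(url) for url in attrs)
            continue  # search_refs=False: reference dropped, nothing appended
        out.append((dn, attrs))
    return out


def collect_until_empty(stream, search_refs=False):
    """Loop that treats an empty converted list as Search Result Done."""
    results = []
    for _msg_type, res_data in stream:
        converted = convert(res_data, search_refs)
        if not converted:
            break
        results.extend(converted)
    return results


def collect_until_done(stream, search_refs=False):
    """Loop that stops only on the Search Result Done message type."""
    results = []
    for msg_type, res_data in stream:
        if msg_type == RES_SEARCH_RESULT:
            break
        results.extend(convert(res_data, search_refs))
    return results


def split_results(results, allowed_schemes=("ldap", "ldaps")):
    """Separate entries from referrals; referrals are reported, never followed.

    The URL comes from the remote server, so anything that is not a plain
    LDAP URL is flagged instead of being passed on.
    """
    entries, referrals, rejected = [], [], []
    for item in results:
        if not isinstance(item, Referral):
            entries.append(item)
        elif urlsplit(item.url).scheme.lower() in allowed_schemes:
            referrals.append(item.url)
        else:
            rejected.append(item.url)
    return entries, referrals, rejected


# Constructed sample: the reference is delivered before the two user entries.
REF_URL = "ldap://ds2.example.test/ou=people,dc=example,dc=test??sub"
SAMPLE_STREAM = [
    (RES_SEARCH_REFERENCE, [(None, [REF_URL])]),
    (RES_SEARCH_ENTRY, [("uid=alice,ou=people,dc=example,dc=test", {"uid": [b"alice"]})]),
    (RES_SEARCH_ENTRY, [("uid=bob,ou=people,dc=example,dc=test", {"uid": [b"bob"]})]),
    (RES_SEARCH_RESULT, []),
]

if __name__ == "__main__":
    print("empty-list loop, refs dropped:", len(collect_until_empty(SAMPLE_STREAM)))
    entries, refs, bad = split_results(collect_until_empty(SAMPLE_STREAM, True))
    print("empty-list loop, refs kept:", len(entries), "entries,", refs, bad)
    print("type-driven loop, refs dropped:", len(collect_until_done(SAMPLE_STREAM)))
```
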
[Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path

2016-09-29 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/115
Author: tomaskrizek
 Title: #115: Don't show traceback when ipa config file is not an absolute path
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/115/head:pr115
git checkout pr115
From d625b8071a828e283cad863958acc832b9a33da9 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 27 Sep 2016 17:23:17 +0200
Subject: [PATCH 1/2] ipa: allow relative paths for config file

Remove unnecessary check for absolute file paths for config file.

https://fedorahosted.org/freeipa/ticket/6114
---
 ipalib/config.py | 15 +--
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index eb6c3ae..a273e3d 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -352,23 +352,10 @@ def _merge_from_file(self, config_file):
 containing first the number of variables that were actually set, and
 second the total number of variables found in ``config_file``.
 
-This method will raise a ``ValueError`` if ``config_file`` is not an
-absolute path.  For example:
-
->>> env = Env()
->>> env._merge_from_file('my/config.conf')
-Traceback (most recent call last):
-  ...
-ValueError: config_file must be an absolute path; got 'my/config.conf'
-
 Also see `Env._merge()`.
 
-:param config_file: Absolute path of the configuration file to load.
+:param config_file: Path of the configuration file to load.
 """
-if path.abspath(config_file) != config_file:
-raise ValueError(
-'config_file must be an absolute path; got %r' % config_file
-)
 if not path.isfile(config_file):
 return
 parser = RawConfigParser()
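
Review bot: with the `path.abspath(config_file) != config_file` check
removed, a relative `config_file` is resolved against the process's current
working directory at the time `_merge_from_file` runs, and the
`:param config_file:` text does not say so. State that in the docstring,
since the file loaded then depends on where the command was started. The
removed doctest documented the `ValueError`; the diffstat touches only
ipalib/config.py, so any unit test asserting that exception needs updating
in the same patch.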

From 3e45d56bb71318aa074024ddbd1525135cd22b1f Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 27 Sep 2016 17:23:38 +0200
Subject: [PATCH 2/2] ipa: check if provided config file exists

Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not result
in any error and would just silently proceed with default config.

https://fedorahosted.org/freeipa/ticket/6114
---
 ipalib/plugable.py | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index af35f5b..76fb9fd 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -44,6 +44,7 @@
 from ipalib.util import classproperty
 from ipalib.base import ReadOnly, lock, islocked
 from ipalib.constants import DEFAULT_CONFIG
+from ipapython import ipautil
 from ipapython.ipa_log_manager import (
 log_mgr,
 LOGGING_FORMAT_FILE,
@@ -494,6 +495,13 @@ def build_global_parser(self, parser=None, context=None):
 """
 Add global options to an optparse.OptionParser instance.
 """
+def config_file_callback(option, opt, value, parser):
+if not ipautil.file_exists(value):
+parser.error(
+_("%(filename)s: file not found") % dict(filename=value))
+
+parser.values.conf = value
+
 if parser is None:
 parser = optparse.OptionParser(
 add_help_option=False,
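
Review bot: `config_file_callback` checks `ipautil.file_exists(value)` once
at option-parse time, so a file that exists but cannot be read or parsed
still reaches `_merge_from_file` without a clear message; consider reporting
that case too. Defining the nested function between the docstring and
`if parser is None:` also makes `build_global_parser` harder to scan; a
module-level helper or a method would read better. The message uses `_()`,
which is not among the imports visible in this diff.
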
@@ -517,8 +525,9 @@ def build_global_parser(self, parser=None, context=None):
 parser.add_option('-e', dest='env', metavar='KEY=VAL', action='append',
 help='Set environment variable KEY to VAL',
 )
-parser.add_option('-c', dest='conf', metavar='FILE',
-help='Load configuration from FILE',
+parser.add_option('-c', dest='conf', metavar='FILE', action='callback',
+callback=config_file_callback, type='string',
+help='Load configuration from FILE.',
 )
 parser.add_option('-d', '--debug', action='store_true',
 help='Produce full debuging output',
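
Review bot: `help='Load configuration from FILE.'` gains a trailing period
that the neighbouring help strings ('Set environment variable KEY to VAL',
'Produce full debuging output') do not have; drop it to keep the help output
consistent. With `action='callback'` the value is stored only because the
callback sets `parser.values.conf`, which is worth a short comment next to
`dest='conf'`.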

[Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path

2016-09-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/115
Title: #115: Don't show traceback when ipa config file is not an absolute path

mbasti-rh commented:
"""
nack, please see comments
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/115#issuecomment-250442693

[Freeipa-devel] [freeipa PR#108][comment] Bump pki min version and add commentary about sub-CA revocation on delete

2016-09-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/108
Title: #108: Bump pki min version and add commentary about sub-CA revocation on 
delete

mbasti-rh commented:
"""
I don't think that bumping BuildRequires is needed

Also you are changing strings used for translations, so I'd use this change and 
rather add new things to doc string using 
http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings
 It will help translators in future
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/108#issuecomment-250439798

[Freeipa-devel] [freeipa PR#114][+ack] Raise errors from service.py:_ldap_mod() by default

2016-09-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/114
Title: #114: Raise errors from service.py:_ldap_mod() by default

Label: +ack

Re: [Freeipa-devel] [PATCH] webui: Fix coverity bugs

2016-09-29 Thread Pavel Vomacka

Bump for review.


On 08/05/2016 02:33 PM, Pavel Vomacka wrote:



On 08/01/2016 05:53 PM, Petr Vobornik wrote:

On 07/29/2016 03:25 PM, Alexander Bokovoy wrote:

On Fri, 29 Jul 2016, Pavel Vomacka wrote:

Hello,

please review attached patches which fix errors from Coverity.

--
Pavel^3 Vomacka

 From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 
2001

From: Pavel Vomacka 
Date: Mon, 25 Jul 2016 10:36:47 +0200
Subject: [PATCH 01/13] Coverity - null pointer exception

Variable 'option' can be null and there will be error of reading
property of null.
---
install/ui/src/freeipa/widget.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39 


100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) {
 var child_values = [];
 var option = that.get_option(value);

-if (option.widget) {
+if (option && option.widget) {
 child_values = option.widget.save();
 values.push.apply(values, child_values);
 }
--
2.5.5


ACK

ACK

 From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 
2001

From: Pavel Vomacka 
Date: Mon, 25 Jul 2016 10:43:00 +0200
Subject: [PATCH 02/13] Coverity - null pointer exception

Variable 'row' could be null in some cases. And setting css on a variable
which is pointing to null
causes an error. Therefore there is a new check.
---
install/ui/src/freeipa/widget.js | 2 ++
1 file changed, 2 insertions(+)

diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2 


100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout =
function(spec) {
 that.on_visible_change = function(event) {

 var row = that._get_row(event);
+if (!row) return;
+
 if (event.visible) {
 row.css('display', '');
 } else {
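
Review bot: `if (!row) return;` is a one-line `if` without braces, while the
`if (event.visible) { ... } else {` directly below uses them; use the braced
form for consistency. The commit message says 'row' can be null "in some
cases"; naming the case in a comment would show whether silently skipping
the visibility change is the intended behaviour.
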
--
2.5.5


ACK


ACK



 From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 
2001

From: Pavel Vomacka 
Date: Mon, 25 Jul 2016 13:48:16 +0200
Subject: [PATCH 03/13] Coverity - not initialized variable

The variable hasn't been initialized, now it is set to null by 
default.

---
install/ui/src/freeipa/widget.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js
b/install/ui/src/freeipa/widget.js
index
5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df 


100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) {

 that.child_spec = spec.child_spec;
 that.size = spec.size || 30;
-that.undo_control;
+that.undo_control = null;
 that.initialized = true;
 that.updating = false;

--
2.5.5


ACK

ACK



 From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 
2001

From: Pavel Vomacka 
Date: Mon, 25 Jul 2016 14:42:50 +0200
Subject: [PATCH 04/13] Coverity - identical code for different 
branches


In both cases when the condition is true or false it is set the same
value.
Changed to assign the value directly.
---
install/ui/src/freeipa/topology_graph.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/ui/src/freeipa/topology_graph.js
b/install/ui/src/freeipa/topology_graph.js
index
ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..712d38fbe67e87ffa773e0a3a1f8937e9595c9a6 


100644
--- a/install/ui/src/freeipa/topology_graph.js
+++ b/install/ui/src/freeipa/topology_graph.js
@@ -325,8 +325,8 @@ topology_graph.TopoGraph = declare([Evented], {
 off = dir ? -1 : 1, // determines shift direction of
curve
 ns = 5, // shift on normal vector
 s = target_count > 1 ? 1 : 0, // shift from center?
-spad = d.left ? 18 : 18, // source padding
-tpad = d.right ? 18 : 18, // target padding
+spad = d.left = 18, // source padding
+tpad = d.right = 18, // target padding
 sourceX = d.source.x + (spad * ux) + off * nx * ns 
* s,
 sourceY = d.source.y + (spad * uy) + off * ny * ns 
* s,
 targetX = d.target.x - (tpad * ux) + off * nx * ns 
* s,
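Review bot: `spad = d.left = 18` and `tpad = d.right = 18` are chained assignments, so they overwrite `d.left` and `d.right` on the link datum with 18, whereas the removed ternaries only read those fields. Anything that later reads `d.left` or `d.right` as a flag will see a truthy 18. Assign the constant directly instead: `spad = 18` and `tpad = 18`.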

--
2.5.5


ACK

NACK

following lines are not equivalent
spad = d.left ? 18 : 18
spad = d.left = 18

same with tpad

Fixed
From f1f2b55247d6c7f41f8053f372a47945c93fc8a4 Mon Sep 17 00:00:00 2001

From: Pavel Vomacka 
Date: Mon, 25 Jul 2016 14:52:15 +0200

[Freeipa-devel] [freeipa PR#120][+ack] Pretty-print structures in assert_deepequal

2016-09-29 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/120
Title: #120: Pretty-print structures in assert_deepequal

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API

2016-09-29 Thread Martin Basti



On 29.09.2016 10:14, Alexander Bokovoy wrote:

On Thu, 29 Sep 2016, Martin Babinsky wrote:

Hi list,

today I noticed the following exceptions in my VMs when 
installing/using FreeIPA:


"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.


IPA server version 4.4.90. API version 2.215

"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to 
updates-testing. Reverting the package to previous versions fixed the 
problem.

python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25,
which is a packaging bug, but that should not make any
difference as the tarball (1.0.0) is the same and no additional patches
were applied.

Also, we didn't have any changes between 4.4.1 and git master that could
have affected ipapython/nsslib.py other than 
0f88f8fe889ae4801fc8d5ece1ad51c5246718ac,

which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 1573de9..f9f64c1 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
NSSAddressFamilyFallback):
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min, 
self.tls_version_max)

-except NSPRError as e:
+except NSPRError:
root_logger.error('Failed to set TLS range to %s, %s' % 
(self.tls_version_min, self.tls_version_max))

raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)

e.g. nothing that is relevant to the trace you provided.



Sorry I cannot reproduce it as well

[root@vm-058-017 ~]# ipa ping

IPA server version 4.4.90. API version 2.215


[root@vm-058-017 ~]# dnf upgrade python-nss ...
Running transaction
  Upgrading   : python-nss-1.0.0-2.fc24.x86_64 1/4
  Upgrading   : python3-nss-1.0.0-2.fc24.x86_64 2/4
  Cleanup : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
  Cleanup : python-nss-1.0.0-beta1.2.fc24.1.x86_64 4/4
  Verifying   : python3-nss-1.0.0-2.fc24.x86_64 1/4
  Verifying   : python-nss-1.0.0-2.fc24.x86_64 2/4
  Verifying   : python-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
  Verifying   : python3-nss-1.0.0-beta1.2.fc24.1.x86_64

[root@vm-058-017 ~]# ipa ping

IPA server version 4.4.90. API version 2.215




[Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl

2016-09-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/81ead980fb808b70d7590800518b655abe64948b
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/5ac1f367139d4c2fac804c057afadc7849880431
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/118#issuecomment-250413176

[Freeipa-devel] [freeipa PR#118][+pushed] WebUI: hide buttons in certificate widget according to acl

2016-09-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

Label: +pushed

[Freeipa-devel] [freeipa PR#118][closed] WebUI: hide buttons in certificate widget according to acl

2016-09-29 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/118
Author: pvomacka
 Title: #118: WebUI: hide buttons in certificate widget according to acl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/118/head:pr118
git checkout pr118

[Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl

2016-09-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

martbab commented:
"""
Works as expected
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/118#issuecomment-250412691

[Freeipa-devel] [freeipa PR#118][+ack] WebUI: hide buttons in certificate widget according to acl

2016-09-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

Label: +ack

[Freeipa-devel] [freeipa PR#124][+ack] Fix: find OSCP certificate test

2016-09-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/124
Title: #124: Fix: find OSCP certificate test

Label: +ack

Re: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API

2016-09-29 Thread Alexander Bokovoy

On Thu, 29 Sep 2016, Martin Babinsky wrote:

Hi list,

today I noticed the following exceptions in my VMs when 
installing/using FreeIPA:


"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.


IPA server version 4.4.90. API version 2.215

"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to 
updates-testing. Reverting the package to previous versions fixed the 
problem.

python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25,
which is a packaging bug, but that should not make any
difference as the tarball (1.0.0) is the same and no additional patches
were applied.

Also, we didn't have any changes between 4.4.1 and git master that could
have affected ipapython/nsslib.py other than 
0f88f8fe889ae4801fc8d5ece1ad51c5246718ac,
which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 1573de9..f9f64c1 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection,
NSSAddressFamilyFallback):
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
try:
self.sock.set_ssl_version_range(self.tls_version_min, 
self.tls_version_max)
-except NSPRError as e:
+except NSPRError:
root_logger.error('Failed to set TLS range to %s, %s' % 
(self.tls_version_min, self.tls_version_max))
raise
self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
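Review bot: with `as e` dropped from `except NSPRError:`, the `root_logger.error(...)` call in the handler can only report `tls_version_min` and `tls_version_max`, so the NSPR error text never reaches the log and is visible only to whoever catches the re-raised exception. If the failure reason is useful in the log, keep the binding and include it in the message. Either way, pass the two values as logger arguments rather than pre-formatting the string with `%`.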

e.g. nothing that is relevant to the trace you provided.


--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN

2016-09-29 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/73
Title: #73: Tests for certificates with SAN

martbab commented:
"""
NACK: you probably forgot to add service fixtures as params to the added test 
cases: https://paste.fedoraproject.org/437721/51355181/

In addition, please write a sensible commit message for commit f43833d and probably 
squash the last commit into 2d75883

I have also noticed that you linked the commits to a ticket in an already closed 
milestone. Per our process guidelines you need to open a new ticket and go 
through a new triage, sorry.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/73#issuecomment-250397011

[Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API

2016-09-29 Thread Martin Babinsky

Hi list,

today I noticed the following exceptions in my VMs when installing/using 
FreeIPA:


"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.


IPA server version 4.4.90. API version 2.215

"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to 
updates-testing. Reverting the package to previous versions fixed the 
problem.


We may wish to provide negative karma to this build[1] until we figure 
out whether it is a bug in the package or we need to update our client libs.


[1] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c93fd2726a

--
Martin^3 Babinsky



[Freeipa-devel] [freeipa PR#117][+ack] Make ipa-replica-install run in interactive mode

2016-09-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

Label: +ack

[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode

2016-09-29 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

tomaskrizek commented:
"""
ACK

Running the command in interactive mode by default is desirable behaviour. 
Since the `-U` flag was present in previous versions, we don't have to worry 
about backward compatibility.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/117#issuecomment-250389651