[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001 From: Timo AaltonenDate: Fri, 30 Sep 2016 01:00:02 +0300 Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa This is more consistent with the other daemons. --- daemons/ipa-otpd/Makefile.am | 3 ++- daemons/ipa-otpd/ipa-o...@.service.in | 2 +- freeipa.spec.in | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..d2e1679 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h -libexec_PROGRAMS = ipa-otpd +appdir = $(libexecdir)/ipa/ +app_PROGRAMS = ipa-otpd dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in index b85d5a1..92afb40 100644 --- a/daemons/ipa-otpd/ipa-o...@.service.in +++ b/daemons/ipa-otpd/ipa-o...@.service.in @@ -3,7 +3,7 @@ Description=ipa-otpd service [Service] EnvironmentFile=@sysconfdir@/ipa/default.conf -ExecStart=@libexecdir@/ipa-otpd $ldap_uri +ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri StandardInput=socket StandardOutput=socket StandardError=syslog diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b0e4b2..8972cb9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1056,13 +1056,13 @@ fi %{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf From b8c50254e3208b25e746eab6a821b51319e80c63 Mon Sep 17 00:00:00 2001 
From: Timo Aaltonen Date: Tue, 29 Mar 2016 21:33:15 +0300 Subject: [PATCH 2/2] Purge obsolete firefox extension --- freeipa.spec.in| 12 -- install/Makefile.am| 1 - install/configure.ac | 5 - install/ffextension/Makefile.am| 23 --- install/ffextension/bootstrap.js | 88 - install/ffextension/chrome.manifest| 4 - install/ffextension/chrome/Makefile.am | 19 -- install/ffextension/chrome/content/Makefile.am | 17 -- install/ffextension/chrome/content/kerberosauth.js | 197 - .../chrome/content/kerberosauth_overlay.xul| 9 - install/ffextension/install.rdf| 26 --- install/ffextension/locale/Makefile.am | 19 -- install/ffextension/locale/en-US/Makefile.am | 16 -- .../locale/en-US/kerberosauth.properties | 4 - install/share/Makefile.am | 1 - install/share/krb.js.template | 2 - ipaplatform/base/paths.py | 4 - ipaserver/install/httpinstance.py | 42 + ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py| 11 -- 20 files changed, 2 insertions(+), 502 deletions(-) delete mode 100644 install/ffextension/Makefile.am delete mode 100644 install/ffextension/bootstrap.js delete mode 100644 install/ffextension/chrome.manifest delete mode 100644 install/ffextension/chrome/Makefile.am delete mode 100644 install/ffextension/chrome/content/Makefile.am delete mode 100644 install/ffextension/chrome/content/kerberosauth.js delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul delete mode 100644 install/ffextension/install.rdf delete mode 100644 install/ffextension/locale/Makefile.am delete mode 100644 install/ffextension/locale/en-US/Makefile.am delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties delete mode 100644 install/share/krb.js.template diff --git a/freeipa.spec.in b/freeipa.spec.in index 8972cb9..a6cba4f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.3-3 Requires: pki-kra >= 10.3.3-3 Requires(preun): python systemd-units
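Review bot: [PATCH 1/2] changes `ExecStart` in the ipa-otpd service template to `@libexecdir@/ipa/ipa-otpd` and moves the `%files` entry, but touches only Makefile.am, the unit template and freeipa.spec.in, so anything else that addresses the binary by its old path is not covered. Before merging, search for remaining references to `%{_libexecdir}/ipa-otpd` outside this diff, for example SELinux file-context rules or packaging scripts, because a rule keyed on the old path would no longer match the installed OTP daemon. The commit message could also name the daemons whose location this is meant to match.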
[Freeipa-devel] [freeipa PR#127][edited] Move ipa-otpd to $libexecdir/ipa, purge ffextension
URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa, purge ffextension Action: edited To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#127][synchronized] Move ipa-otpd to $libexecdir/ipa
URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001 From: Timo AaltonenDate: Fri, 30 Sep 2016 01:00:02 +0300 Subject: [PATCH 1/2] Move ipa-otpd to $libexecdir/ipa This is more consistent with the other daemons. --- daemons/ipa-otpd/Makefile.am | 3 ++- daemons/ipa-otpd/ipa-o...@.service.in | 2 +- freeipa.spec.in | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..d2e1679 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h -libexec_PROGRAMS = ipa-otpd +appdir = $(libexecdir)/ipa/ +app_PROGRAMS = ipa-otpd dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in index b85d5a1..92afb40 100644 --- a/daemons/ipa-otpd/ipa-o...@.service.in +++ b/daemons/ipa-otpd/ipa-o...@.service.in @@ -3,7 +3,7 @@ Description=ipa-otpd service [Service] EnvironmentFile=@sysconfdir@/ipa/default.conf -ExecStart=@libexecdir@/ipa-otpd $ldap_uri +ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri StandardInput=socket StandardOutput=socket StandardError=syslog diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b0e4b2..8972cb9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1056,13 +1056,13 @@ fi %{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf From d661e1b3b181e82475b32b3c87aba6703940256b Mon Sep 17 00:00:00 2001 
From: Timo Aaltonen Date: Tue, 29 Mar 2016 21:33:15 +0300 Subject: [PATCH 2/2] Purge obsolete firefox extension --- freeipa.spec.in| 12 -- install/Makefile.am| 1 - install/configure.ac | 5 - install/ffextension/Makefile.am| 23 --- install/ffextension/bootstrap.js | 88 - install/ffextension/chrome.manifest| 4 - install/ffextension/chrome/Makefile.am | 19 -- install/ffextension/chrome/content/Makefile.am | 17 -- install/ffextension/chrome/content/kerberosauth.js | 197 - .../chrome/content/kerberosauth_overlay.xul| 9 - install/ffextension/install.rdf| 26 --- install/ffextension/locale/Makefile.am | 19 -- install/ffextension/locale/en-US/Makefile.am | 16 -- .../locale/en-US/kerberosauth.properties | 4 - install/share/Makefile.am | 1 - install/share/krb.js.template | 2 - ipaplatform/base/paths.py | 4 - ipaserver/install/httpinstance.py | 40 + ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py| 11 -- 20 files changed, 2 insertions(+), 500 deletions(-) delete mode 100644 install/ffextension/Makefile.am delete mode 100644 install/ffextension/bootstrap.js delete mode 100644 install/ffextension/chrome.manifest delete mode 100644 install/ffextension/chrome/Makefile.am delete mode 100644 install/ffextension/chrome/content/Makefile.am delete mode 100644 install/ffextension/chrome/content/kerberosauth.js delete mode 100644 install/ffextension/chrome/content/kerberosauth_overlay.xul delete mode 100644 install/ffextension/install.rdf delete mode 100644 install/ffextension/locale/Makefile.am delete mode 100644 install/ffextension/locale/en-US/Makefile.am delete mode 100644 install/ffextension/locale/en-US/kerberosauth.properties delete mode 100644 install/share/krb.js.template diff --git a/freeipa.spec.in b/freeipa.spec.in index 8972cb9..a6cba4f 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -165,7 +165,6 @@ Requires: pki-ca >= 10.3.3-3 Requires: pki-kra >= 10.3.3-3 Requires(preun): python systemd-units Requires(postun): python
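Review bot: [PATCH 2/2] "Purge obsolete firefox extension" has a subject line only, with no body and no ticket link, yet its diffstat removes 500 lines across 20 files, including 40 lines of ipaserver/install/httpinstance.py and 11 lines of ipaserver/install/server/upgrade.py. Add a body that says why the extension is obsolete and what happens on servers upgraded from earlier releases, since install/share/krb.js.template and the upgrade code are both removed. The purge is also unrelated to the ipa-otpd move named in the PR title at this point, so a separate pull request would make each change easier to review and revert.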
[Freeipa-devel] [freeipa PR#127][opened] Move ipa-otpd to $libexecdir/ipa
URL: https://github.com/freeipa/freeipa/pull/127 Author: tjaalton Title: #127: Move ipa-otpd to $libexecdir/ipa Action: opened PR body: """ This is more consistent with the other daemons. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/127/head:pr127 git checkout pr127 From 5ca9bc72163674deca40c1516ee516f311aa9760 Mon Sep 17 00:00:00 2001 From: Timo AaltonenDate: Fri, 30 Sep 2016 01:00:02 +0300 Subject: [PATCH] Move ipa-otpd to $libexecdir/ipa This is more consistent with the other daemons. --- daemons/ipa-otpd/Makefile.am | 3 ++- daemons/ipa-otpd/ipa-o...@.service.in | 2 +- freeipa.spec.in | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index 8392174..d2e1679 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -2,7 +2,8 @@ AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h -libexec_PROGRAMS = ipa-otpd +appdir = $(libexecdir)/ipa/ +app_PROGRAMS = ipa-otpd dist_noinst_DATA = ipa-otpd.socket.in ipa-o...@.service.in test.py systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service diff --git a/daemons/ipa-otpd/ipa-o...@.service.in b/daemons/ipa-otpd/ipa-o...@.service.in index b85d5a1..92afb40 100644 --- a/daemons/ipa-otpd/ipa-o...@.service.in +++ b/daemons/ipa-otpd/ipa-o...@.service.in @@ -3,7 +3,7 @@ Description=ipa-otpd service [Service] EnvironmentFile=@sysconfdir@/ipa/default.conf -ExecStart=@libexecdir@/ipa-otpd $ldap_uri +ExecStart=@libexecdir@/ipa/ipa-otpd $ldap_uri StandardInput=socket StandardOutput=socket StandardError=syslog diff --git a/freeipa.spec.in b/freeipa.spec.in index 3b0e4b2..8972cb9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -1056,13 +1056,13 @@ fi %{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard -%{_libexecdir}/ipa-otpd %dir %{_libexecdir}/ipa %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
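Review bot: in daemons/ipa-otpd/Makefile.am, `appdir = $(libexecdir)/ipa/` ends with a slash, so the install path expands with a doubled separator before `ipa-otpd`. It resolves to the same file, but dropping the trailing slash keeps the installed path textually identical to the `@libexecdir@/ipa/ipa-otpd` used in the unit template and the `%{_libexecdir}/ipa/ipa-otpd` entry in the spec, which helps when comparing paths in logs or policy. The prefix name `app` is also generic; a name that says what the directory is would read better next to `libexec_PROGRAMS`.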
[Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Title: #73: Tests for certificates with SAN apophys commented: """ I have fixed typos and implemented the proposed test cases. I have also provided docstring to the change_principal context manager. """ See the full comment at https://github.com/freeipa/freeipa/pull/73#issuecomment-250461484
[Freeipa-devel] [freeipa PR#73][synchronized] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73 Author: apophys Title: #73: Tests for certificates with SAN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/73/head:pr73 git checkout pr73 From 7ef1437d1edca904ef6528ca3b9571e35351b8ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?=Date: Mon, 12 Sep 2016 14:52:05 +0200 Subject: [PATCH 1/3] ipatests: provide context manager for keytab usage in RPC tests https://fedorahosted.org/freeipa/ticket/6366 --- ipatests/util.py | 72 1 file changed, 67 insertions(+), 5 deletions(-) diff --git a/ipatests/util.py b/ipatests/util.py index 0b50f85..aed5cc5 100644 --- a/ipatests/util.py +++ b/ipatests/util.py @@ -40,7 +40,9 @@ from ipalib.plugable import Plugin from ipalib.request import context from ipapython.dn import DN -from ipapython.ipautil import private_ccache, kinit_password, run +from ipapython.ipautil import ( +private_ccache, kinit_password, kinit_keytab, run +) from ipaplatform.paths import paths if six.PY3: 
@@ -693,8 +695,28 @@ def unlock_principal_password(user, oldpw, newpw): @contextmanager -def change_principal(user, password, client=None, path=None, - canonicalize=False, enterprise=False): +def change_principal(principal, password=None, client=None, path=None, + canonicalize=False, enterprise=False, keytab=None): +"""Temporarily change the kerberos principal + +Most of the test cases run with the admin ipa user which is granted +all access and exceptions from rules on some occasions. + +When the test needs to test for an application of some kind +of a restriction it needs to authenticate as a different principal +with required set of rights to the operation. + +The context manager changes the principal identity in two ways: + +* using password +* using keytab + +If the context manager is to be used with a keytab, the keytab +option must be its absolute path. + +The context manager can be used to authenticate with enterprise +principals and aliases when given respective options. +""" if path: ccache_name = path @@ -709,8 +731,12 @@ def change_principal(user, password, client=None, path=None, try: with private_ccache(ccache_name): -kinit_password(user, password, ccache_name, - canonicalize=canonicalize, enterprise=enterprise) +if keytab: +kinit_keytab(principal, keytab, ccache_name) +else: +kinit_password(principal, password, ccache_name, + canonicalize=canonicalize, + enterprise=enterprise) client.Backend.rpcclient.connect() try: 
@@ -720,6 +746,42 @@ def change_principal(user, password, client=None, path=None, finally: client.Backend.rpcclient.connect() + +@contextmanager +def get_entity_keytab(principal, options=None): +"""Requests a keytab for an entity + +The keytab will generate new keys if not specified +otherwise in the options. +To retrieve existing keytab, use the -r option +""" +keytab_filename = os.path.join('/tmp', str(uuid.uuid4())) + +try: +cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename] + +if options: +cmd.extend(options) +run(cmd) + +yield keytab_filename +finally: +os.remove(keytab_filename) + + +@contextmanager +def host_keytab(hostname, options=None): +"""Retrieves keytab for a particular host + +After leaving the context manager, the keytab file is +deleted. +""" +principal = u'host/{}'.format(hostname) + +with get_entity_keytab(principal, options) as keytab: +yield keytab + + def get_group_dn(cn): return DN(('cn', cn), api.env.container_group, api.env.basedn) From 0b39203678b709da375740f9e78349f3903c8035 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Milan=20Kub=C3=ADk?= Date: Mon, 12 Sep 2016 14:53:48 +0200 Subject: [PATCH 2/3] ipatests: Fix name property on a service tracker https://fedorahosted.org/freeipa/ticket/6366 --- ipatests/test_xmlrpc/tracker/service_plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py index a0bb884..0a90115 100644 --- a/ipatests/test_xmlrpc/tracker/service_plugin.py +++ b/ipatests/test_xmlrpc/tracker/service_plugin.py @@ -52,7 +52,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker): def __init__(self, name, host_fqdn, options=None): super(ServiceTracker, self).__init__(default_version=None) -self._name = "{0}/{1}@{2}".format(name, host_fqdn, api.env.realm) +self._name =
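Review bot: `get_entity_keytab` builds its path with `os.path.join('/tmp', str(uuid.uuid4()))` and leaves it to the `ipa-getkeytab` call to create the file, so long-term Kerberos keys are written directly into a shared directory with whatever mode the tool applies. Create a private directory with `tempfile.mkdtemp()` and place the keytab inside it, removing the directory on exit. In the same function, `os.remove(keytab_filename)` in the `finally` block raises if `run(cmd)` failed before the file existed, which hides the original error; guard the removal. In `change_principal`, the `keytab` branch calls `kinit_keytab(principal, keytab, ccache_name)` and silently drops `canonicalize` and `enterprise`, and passing neither `password` nor `keytab` reaches `kinit_password` with `None`; the docstring should state both, or the function should reject those combinations.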
[Freeipa-devel] [freeipa PR#126][opened] Fix ipa migrate-ds when it finds a search reference
URL: https://github.com/freeipa/freeipa/pull/126 Author: flo-renaud Title: #126: Fix ipa migrate-ds when it finds a search reference Action: opened PR body: """ When ipa migrate-ds finds user entries and a search reference, it complains that the LDAP search did not return any result and does not migrate the entries or the groups. The issue comes from LDAPClient._convert_result which returns an empty result list when the input is a search reference. In turn LDAPClient.find_entries assumes that the empty result list corresponds to a Search Result Done and returns without any entry. The fix is to return a LDAPUrl inside _convert_result and properly process LDAPUrl in find_entries. https://fedorahosted.org/freeipa/ticket/6358 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/126/head:pr126 git checkout pr126 From 1996aed2da149fed87f6d64ba439bb99a0a03c0c Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Thu, 29 Sep 2016 13:46:05 +0200 Subject: [PATCH] Fix ipa migrate-ds when it finds a search reference When ipa migrate-ds finds user entries and a search reference, it complains that the LDAP search did not return any result and does not migrate the entries or the groups. The issue comes from LDAPClient._convert_result which returns an empty result list when the input is a search reference. In turn LDAPClient.find_entries assumes that the empty result list corresponds to a Search Result Done and returns without any entry. The fix is to return a LDAPUrl inside _convert_result and properly process LDAPUrl in find_entries. https://fedorahosted.org/freeipa/ticket/6358 --- ipapython/ipaldap.py | 15 ++- ipaserver/plugins/migration.py | 6 ++ 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 2dfc5b3..4110121 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py 
@@ -906,7 +906,7 @@ def decode(self, val, attr): else: raise TypeError("attempt to pass unsupported type from ldap, value=%s type=%s" %(val, type(val))) -def _convert_result(self, result): +def _convert_result(self, result, search_refs=False): ''' result is a python-ldap result tuple of the form (dn, attrs), where dn is a string containing the dn (distinguished name) of @@ -924,10 +924,15 @@ def _convert_result(self, result): # original_dn is None if referral instead of an entry was # returned from the LDAP server, we need to skip this item +# if search_refs=False +# otherwise convert the ref to a LDAPUrl if original_dn is None: -log_msg = 'Referral entry ignored: {ref}'\ - .format(ref=str(original_attrs)) -self.log.debug(log_msg) +if search_refs: +ipa_result.append(ldapurl.LDAPUrl(original_attrs[0])) +else: +log_msg = 'Referral entry ignored: {ref}'\ + .format(ref=str(original_attrs)) +self.log.debug(log_msg) continue @@ -1385,7 +1390,7 @@ def find_entries(self, filter=None, attrs_list=None, base_dn=None, while True: result = self.conn.result3(id, 0) objtype, res_list, res_id, res_ctrls = result -res_list = self._convert_result(res_list) +res_list = self._convert_result(res_list, search_refs) if not res_list: break if (objtype == ldap.RES_SEARCH_ENTRY or diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py index b1fcdea..425e693 100644 --- a/ipaserver/plugins/migration.py +++ b/ipaserver/plugins/migration.py @@ -20,6 +20,7 @@ import re from ldap import MOD_ADD from ldap import SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE +import ldapurl import six 
@@ -800,6 +801,11 @@ def migrate(self, ldap, config, ds_ldap, ds_base_dn, options): context['migrate_cnt'] = migrate_cnt s = datetime.datetime.now() +if isinstance(entry_attrs, ldapurl.LDAPUrl): +failed[ldap_obj_name][str(entry_attrs)] = unicode( +_ref_err_msg) +continue + ava = entry_attrs.dn[0][0] if ava.attr == ldap_obj.primary_key.name: # In case if pkey attribute is in the migrated object DN -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
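Review bot: in `_convert_result`, `ipa_result.append(ldapurl.LDAPUrl(original_attrs[0]))` keeps only the first URI of a search reference, so any further URIs in `original_attrs` are dropped without a log line. Either convert every element or log the ones that are skipped. The docstring of `_convert_result` is not updated for the new `search_refs` argument, and it should say that the returned list can now mix entries and `LDAPUrl` objects, because every caller that enables it has to type-check items the way the `isinstance(entry_attrs, ldapurl.LDAPUrl)` test in `migrate` does before touching `entry_attrs.dn`.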
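The failure mode described in the PR#126 message above, as an added example that is not part of the original post or of FreeIPA's code: a simplified, standard-library-only model of a result loop that stops on the first empty converted batch, and of the fix that keeps search references as distinct objects. All names (`SearchRef`, `parse_ref`, `convert_result`, `find_entries`, `migrate`) and the sample batches are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class SearchRef:
    """Hypothetical stand-in for a parsed LDAP URL from a search reference."""
    hostport: str
    dn: str
    scope: str


def parse_ref(url):
    """Split ldap[s]://hostport/dn?attrs?scope into parts (RFC 4516 layout)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % (url,))
    hostport, _, tail = rest.partition("/")
    parts = tail.split("?")
    # The scope is the third '?'-separated field; it defaults to "base".
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    return SearchRef(hostport, unquote(parts[0]), scope)


# Constructed sample data: one list per message read from the server.
# An entry is (dn, attrs); a search reference is (None, [url, ...]).
REFERENCE = [(None, ["ldap://other.example.test/ou=people,dc=example,dc=test??sub"])]
ALICE = [("uid=alice,ou=people,dc=example,dc=test", {"uid": [b"alice"]})]
BOB = [("uid=bob,ou=people,dc=example,dc=test", {"uid": [b"bob"]})]
DONE = []  # the final "search done" message carries no data
BATCHES = [REFERENCE, ALICE, BOB, DONE]


def convert_result(batch, search_refs=False):
    """Convert one batch; references are dropped unless search_refs is set."""
    converted = []
    for dn, attrs in batch:
        if dn is None:
            if search_refs:
                converted.append(parse_ref(attrs[0]))
            continue
        converted.append((dn, attrs))
    return converted


def find_entries(batches, search_refs=False):
    """Collect results until a batch converts to an empty list."""
    found = []
    for batch in batches:
        converted = convert_result(batch, search_refs)
        if not converted:
            # Meant to detect "search done", but a dropped reference
            # produces the same empty list and ends the loop early.
            break
        found.extend(converted)
    return found


def migrate(results):
    """Migrate entries; record references as failures instead of crashing."""
    migrated, failed = [], {}
    for item in results:
        if isinstance(item, SearchRef):
            key = "ldap://%s/%s" % (item.hostport, item.dn)
            failed[key] = "search reference not followed"
            continue
        dn, _attrs = item
        migrated.append(dn)
    return migrated, failed


if __name__ == "__main__":
    print("references dropped:", find_entries(BATCHES))
    print("references kept:   ", migrate(find_entries(BATCHES, search_refs=True)))
```

With the reference first the dropped-reference loop returns nothing at all; with the reference between two entries it returns only the entries that preceded it.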
[Freeipa-devel] [freeipa PR#115][synchronized] Don't show traceback when ipa config file is not an absolute path
URL: https://github.com/freeipa/freeipa/pull/115 Author: tomaskrizek Title: #115: Don't show traceback when ipa config file is not an absolute path Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/115/head:pr115 git checkout pr115 From d625b8071a828e283cad863958acc832b9a33da9 Mon Sep 17 00:00:00 2001 From: Tomas KrizekDate: Tue, 27 Sep 2016 17:23:17 +0200 Subject: [PATCH 1/2] ipa: allow relative paths for config file Remove unnecessary check for absolute file paths for config file. https://fedorahosted.org/freeipa/ticket/6114 --- ipalib/config.py | 15 +-- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/ipalib/config.py b/ipalib/config.py index eb6c3ae..a273e3d 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -352,23 +352,10 @@ def _merge_from_file(self, config_file): containing first the number of variables that were actually set, and second the total number of variables found in ``config_file``. -This method will raise a ``ValueError`` if ``config_file`` is not an -absolute path. For example: - ->>> env = Env() ->>> env._merge_from_file('my/config.conf') -Traceback (most recent call last): - ... -ValueError: config_file must be an absolute path; got 'my/config.conf' - Also see `Env._merge()`. -:param config_file: Absolute path of the configuration file to load. +:param config_file: Path of the configuration file to load. """ -if path.abspath(config_file) != config_file: -raise ValueError( -'config_file must be an absolute path; got %r' % config_file -) if not path.isfile(config_file): return parser = RawConfigParser() From 3e45d56bb71318aa074024ddbd1525135cd22b1f Mon Sep 17 00:00:00 2001 
From: Tomas Krizek Date: Tue, 27 Sep 2016 17:23:38 +0200 Subject: [PATCH 2/2] ipa: check if provided config file exists Add a parser check to verify config file supplied to the ipa command exists. Previously, invalid file paths would not results in any error and would just silently proceed with default config. https://fedorahosted.org/freeipa/ticket/6114 --- ipalib/plugable.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipalib/plugable.py b/ipalib/plugable.py index af35f5b..76fb9fd 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -44,6 +44,7 @@ from ipalib.util import classproperty from ipalib.base import ReadOnly, lock, islocked from ipalib.constants import DEFAULT_CONFIG +from ipapython import ipautil from ipapython.ipa_log_manager import ( log_mgr, LOGGING_FORMAT_FILE, @@ -494,6 +495,13 @@ def build_global_parser(self, parser=None, context=None): """ Add global options to an optparse.OptionParser instance. """ +def config_file_callback(option, opt, value, parser): +if not ipautil.file_exists(value): +parser.error( +_("%(filename)s: file not found") % dict(filename=value)) + +parser.values.conf = value + if parser is None: parser = optparse.OptionParser( add_help_option=False, @@ -517,8 +525,9 @@ def build_global_parser(self, parser=None, context=None): parser.add_option('-e', dest='env', metavar='KEY=VAL', action='append', help='Set environment variable KEY to VAL', ) -parser.add_option('-c', dest='conf', metavar='FILE', -help='Load configuration from FILE', +parser.add_option('-c', dest='conf', metavar='FILE', action='callback', +callback=config_file_callback, type='string', +help='Load configuration from FILE.', ) parser.add_option('-d', '--debug', action='store_true', help='Produce full debuging output', -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
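Review bot: `config_file_callback` in ipalib/plugable.py is the only place that rejects a missing file, while [PATCH 1/2] removes the absolute-path check and leaves `if not path.isfile(config_file): return` in `_merge_from_file`, so any caller that sets the configuration path without going through `-c` still falls back to the default configuration without an error. Consider reporting the missing file from `_merge_from_file` as well, or state in its docstring that a missing file is skipped. Relative paths are now resolved against the current working directory, which deserves a sentence in the `:param config_file:` text. The callback tests `ipautil.file_exists(value)` only, so the error for an unreadable file will differ from "file not found". The help string also gains a trailing period (`'Load configuration from FILE.'`) that the neighbouring options do not have.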
[Freeipa-devel] [freeipa PR#115][comment] Don't show traceback when ipa config file is not an absolute path
URL: https://github.com/freeipa/freeipa/pull/115 Title: #115: Don't show traceback when ipa config file is not an absolute path mbasti-rh commented: """ nack, please see comments """ See the full comment at https://github.com/freeipa/freeipa/pull/115#issuecomment-250442693
[Freeipa-devel] [freeipa PR#108][comment] Bump pki min version and add commentary about sub-CA revocation on delete
URL: https://github.com/freeipa/freeipa/pull/108 Title: #108: Bump pki min version and add commentary about sub-CA revocation on delete mbasti-rh commented: """ I don't think that bumping BuildRequires is needed Also you are changing strings used for translations, so I'd use this change and rather add new things to doc string using http://www.freeipa.org/page/Coding_Best_Practices#Split_long_translatable_strings It will help translators in future """ See the full comment at https://github.com/freeipa/freeipa/pull/108#issuecomment-250439798
[Freeipa-devel] [freeipa PR#114][+ack] Raise errors from service.py:_ldap_mod() by default
URL: https://github.com/freeipa/freeipa/pull/114 Title: #114: Raise errors from service.py:_ldap_mod() by default Label: +ack
Re: [Freeipa-devel] [PATCH] webui: Fix coverity bugs
Bump for review. On 08/05/2016 02:33 PM, Pavel Vomacka wrote: On 08/01/2016 05:53 PM, Petr Vobornik wrote: On 07/29/2016 03:25 PM, Alexander Bokovoy wrote: On Fri, 29 Jul 2016, Pavel Vomacka wrote: Hello, please review attached patches which fixes errors from Coverity. -- Pavel^3 Vomacka From 0391289b3f6844897e2a9f3ae549bd4c33233ffc Mon Sep 17 00:00:00 2001 From: Pavel VomackaDate: Mon, 25 Jul 2016 10:36:47 +0200 Subject: [PATCH 01/13] Coverity - null pointer exception Variable 'option' can be null and there will be error of reading property of null. --- install/ui/src/freeipa/widget.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 9151ebac9438e9e674f81bfb1ccfe7a63872b1ae..cfdf5d4750951e4549c16a2b9b9c355f61e90c39 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -2249,7 +2249,7 @@ IPA.option_widget_base = function(spec, that) { var child_values = []; var option = that.get_option(value); -if (option.widget) { +if (option && option.widget) { child_values = option.widget.save(); values.push.apply(values, child_values); } -- 2.5.5 ACK ACK From 6df8e608232e25daa9aefe4fccbdeca4dbaf1998 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jul 2016 10:43:00 +0200 Subject: [PATCH 02/13] Coverity - null pointer exception Variable 'row' could be null in some cases. And set css to variable which is pointing to null causes error. Therefore there is new check. --- install/ui/src/freeipa/widget.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index cfdf5d4750951e4549c16a2b9b9c355f61e90c39..5844436abf090f12d5a9d65efe7a1aaee14097e2 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js 
@@ -5766,6 +5766,8 @@ exp.fluid_layout = IPA.fluid_layout = function(spec) { that.on_visible_change = function(event) { var row = that._get_row(event); +if (!row) return; + if (event.visible) { row.css('display', ''); } else { -- 2.5.5 ACK ACK From 6f2ddc9e1c5323a640bdf744d2da00bfee7ab766 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jul 2016 13:48:16 +0200 Subject: [PATCH 03/13] Coverity - not initialized variable The variable hasn't been initialized, now it is set to null by default. --- install/ui/src/freeipa/widget.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js index 5844436abf090f12d5a9d65efe7a1aaee14097e2..43804c5ea524ca741017d02f6e12ccf60d50b5df 100644 --- a/install/ui/src/freeipa/widget.js +++ b/install/ui/src/freeipa/widget.js @@ -1047,7 +1047,7 @@ IPA.multivalued_widget = function(spec) { that.child_spec = spec.child_spec; that.size = spec.size || 30; -that.undo_control; +that.undo_control = null; that.initialized = true; that.updating = false; -- 2.5.5 ACK ACK From b9ddd32ec45aadae5a79e372c3e1b70990071e60 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jul 2016 14:42:50 +0200 Subject: [PATCH 04/13] Coverity - identical code for different branches In both cases when the condition is true or false ut is set the same value. Changed to assign the value directly. --- install/ui/src/freeipa/topology_graph.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/install/ui/src/freeipa/topology_graph.js b/install/ui/src/freeipa/topology_graph.js index ce2ebeaff611987ae27f2655b5da80bdcd1b4f8a..712d38fbe67e87ffa773e0a3a1f8937e9595c9a6 100644 --- a/install/ui/src/freeipa/topology_graph.js +++ b/install/ui/src/freeipa/topology_graph.js 
@@ -325,8 +325,8 @@ topology_graph.TopoGraph = declare([Evented], { off = dir ? -1 : 1, // determines shift direction of curve ns = 5, // shift on normal vector s = target_count > 1 ? 1 : 0, // shift from center? -spad = d.left ? 18 : 18, // source padding -tpad = d.right ? 18 : 18, // target padding +spad = d.left = 18, // source padding +tpad = d.right = 18, // target padding sourceX = d.source.x + (spad * ux) + off * nx * ns * s, sourceY = d.source.y + (spad * uy) + off * ny * ns * s, targetX = d.target.x - (tpad * ux) + off * nx * ns * s, -- 2.5.5 ACK NACK following lines are not equivalent spad = d.left ? 18 : 18 spad = d.left = 18 same with tpad Fixed From f1f2b55247d6c7f41f8053f372a47945c93fc8a4 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 25 Jul 2016 14:52:15 +0200
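Review bot: in [PATCH 04/13], `spad = d.left = 18` and `tpad = d.right = 18` in topology_graph.js are chained assignments, so they overwrite `d.left` and `d.right` on the link object each time the position is computed, whereas the removed ternaries only read those fields. The behaviour-preserving form is `spad = 18` and `tpad = 18`. In [PATCH 02/13], `if (!row) return;` silently skips the visibility change when `_get_row(event)` finds nothing; if a missing row is unexpected, a debug log there would keep the condition visible instead of hiding it.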
[Freeipa-devel] [freeipa PR#120][+ack] Pretty-print structures in assert_deepequal
URL: https://github.com/freeipa/freeipa/pull/120 Title: #120: Pretty-print structures in assert_deepequal Label: +ack
Re: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API
On 29.09.2016 10:14, Alexander Bokovoy wrote:
On Thu, 29 Sep 2016, Martin Babinsky wrote:
Hi list,

today I noticed the following exceptions in my VMs when installing/using FreeIPA:

"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
IPA server version 4.4.90. API version 2.215
"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem.

python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25 which is a packaging bug, but that should not be bringing any difference as the tarball (1.0.0) is the same and no additional patches were applied.

Also, we didn't have any changes between 4.4.1 and git master that could have affected ipapython/nsslib.py other than 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac, which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 1573de9..f9f64c1 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py
@@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) -except NSPRError as e: +except NSPRError: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise self.sock.set_ssl_option(ssl_require_safe_negotiation, False)

e.g. nothing that is relevant to the trace you provided.

Sorry I cannot reproduce it as well

[root@vm-058-017 ~]# ipa ping
IPA server version 4.4.90. API version 2.215
[root@vm-058-017 ~]# dnf upgrade python-nss
...
Running transaction
Upgrading : python-nss-1.0.0-2.fc24.x86_64 1/4
Upgrading : python3-nss-1.0.0-2.fc24.x86_64 2/4
Cleanup : python3-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
Cleanup : python-nss-1.0.0-beta1.2.fc24.1.x86_64 4/4
Verifying : python3-nss-1.0.0-2.fc24.x86_64 1/4
Verifying : python-nss-1.0.0-2.fc24.x86_64 2/4
Verifying : python-nss-1.0.0-beta1.2.fc24.1.x86_64 3/4
Verifying : python3-nss-1.0.0-beta1.2.fc24.1.x86_64
[root@vm-058-017 ~]# ipa ping
IPA server version 4.4.90. API version 2.215
[Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl
URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

martbab commented:
"""
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/81ead980fb808b70d7590800518b655abe64948b
ipa-4-4: https://fedorahosted.org/freeipa/changeset/5ac1f367139d4c2fac804c057afadc7849880431
"""

See the full comment at https://github.com/freeipa/freeipa/pull/118#issuecomment-250413176
[Freeipa-devel] [freeipa PR#118][+pushed] WebUI: hide buttons in certificate widget according to acl
URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl
Label: +pushed
[Freeipa-devel] [freeipa PR#118][closed] WebUI: hide buttons in certificate widget according to acl
URL: https://github.com/freeipa/freeipa/pull/118
Author: pvomacka
Title: #118: WebUI: hide buttons in certificate widget according to acl
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/118/head:pr118
git checkout pr118
[Freeipa-devel] [freeipa PR#118][comment] WebUI: hide buttons in certificate widget according to acl
URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl

martbab commented:
"""
Works as expected
"""

See the full comment at https://github.com/freeipa/freeipa/pull/118#issuecomment-250412691
[Freeipa-devel] [freeipa PR#118][+ack] WebUI: hide buttons in certificate widget according to acl
URL: https://github.com/freeipa/freeipa/pull/118
Title: #118: WebUI: hide buttons in certificate widget according to acl
Label: +ack
[Freeipa-devel] [freeipa PR#124][+ack] Fix: find OSCP certificate test
URL: https://github.com/freeipa/freeipa/pull/124
Title: #124: Fix: find OSCP certificate test
Label: +ack
Re: [Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API
On Thu, 29 Sep 2016, Martin Babinsky wrote:
Hi list,

today I noticed the following exceptions in my VMs when installing/using FreeIPA:

"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
IPA server version 4.4.90. API version 2.215
"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem.

python-nss-1.0.0-1.fc25 (note fc25) works fine. There is no 1.0.0-2.fc25 which is a packaging bug, but that should not be bringing any difference as the tarball (1.0.0) is the same and no additional patches were applied.

Also, we didn't have any changes between 4.4.1 and git master that could have affected ipapython/nsslib.py other than 0f88f8fe889ae4801fc8d5ece1ad51c5246718ac, which is this chunk of changes:

diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py index 1573de9..f9f64c1 100644 --- a/ipapython/nsslib.py +++ b/ipapython/nsslib.py @@ -234,7 +234,7 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback): self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True) try: self.sock.set_ssl_version_range(self.tls_version_min, self.tls_version_max) -except NSPRError as e: +except NSPRError: root_logger.error('Failed to set TLS range to %s, %s' % (self.tls_version_min, self.tls_version_max)) raise self.sock.set_ssl_option(ssl_require_safe_negotiation, False)

e.g. nothing that is relevant to the trace you provided.

--
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#73][comment] Tests for certificates with SAN
URL: https://github.com/freeipa/freeipa/pull/73
Title: #73: Tests for certificates with SAN

martbab commented:
"""
NACK: you probably forgot to add service fixtures as params to the added test cases: https://paste.fedoraproject.org/437721/51355181/

In addition please write a sensible commit message to commit f43833d and probably squash the last commit into 2d75883

I have also noticed that you linked the commits to a ticket in an already closed milestone. Per our process guidelines you need to open a new ticket and go through a new triage, sorry.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/73#issuecomment-250397011
[Freeipa-devel] python-nss-1.0.0-2.fc24.x86_64 from updates-testing breaks FreeIPA client API
Hi list,

today I noticed the following exceptions in my VMs when installing/using FreeIPA:

"""
# ipa ping
exception in SSLSocket.handshake_callback
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/nsslib.py", line 258, in handshake_callback
    channel = sock.get_ssl_channel_info()
nss.error.NSPRError: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments.
IPA server version 4.4.90. API version 2.215
"""

This was caused by python-nss-1.0.0-2.fc24.x86_64 which was pushed to updates-testing. Reverting the package to previous versions fixed the problem.

We may wish to provide negative karma to this build[1] until we figure out whether it is a bug in the package or we need to update our client libs.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2016-c93fd2726a

--
Martin^3 Babinsky
[Freeipa-devel] [freeipa PR#117][+ack] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode
Label: +ack
[Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode
URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

tomaskrizek commented:
"""
ACK

Running the command in interactive mode by default is desirable behaviour. Since the `-U` flag was present in previous versions, we don't have to worry about backward compatibility.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-250389651