Re: [Freeipa-devel] CSR autogeneration next steps

[Jan Cholasta]

On 19.12.2016 21:59, Ben Lipton wrote:


On 12/15/2016 11:11 PM, Ben Lipton wrote:


On 12/12/2016 03:52 AM, Jan Cholasta wrote:

On 5.12.2016 16:48, Ben Lipton wrote:

Hi Jan, thanks for the comments.


On 12/05/2016 04:25 AM, Jan Cholasta wrote:

Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to
leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's
ready
for review can get reviewed and the ideas that have been discussed
get
prototyped or at least recorded so they won't be forgotten.


Thanks, I have some questions and comments, see below.



Code that's ready for review (I will continue to put in as much
time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10


How hard would it be to update the PR to use the "new" interface from
the design thread? By this I mean that currently there is a command
(cert_get_requestdata), which creates a CSR from profile id +
principal + helper, but in the design we discussed a command which
creates a CertificationRequestInfo from profile id + principal +
public key.

Internally it could use the OpenSSL helper, no need to implement the
full "new" design. With your build_requestinfo.c code below it looks
like it should be pretty straightforward.


This is probably doable with the cffi, but I'm concerned about
usability. A user can run the current command to get a (reusable)
script, and run the script to get a CSR. It works with keys in both PEM
files and NSS databases already. If we change to outputting a
CertificationRequestInfo, in order to make this usable on the command
line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo
(for
both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within
the ipa command (like [1] but we need it for both types of key storage)
Since as far as I know there's no standard encoding for files
containing
only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
writing and distributing these ourselves. I think that's where most of
the extra work will come in.


For PEM files, this is easily doable using python-cryptography (to
extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
PyASN1 (to create a CSR from the CertificationRequestInfo and the
signature).


I didn't realize that python-cryptography knew about
SubjectPublicKeyInfo structures, but indeed this seems to be pretty
straightforward:

key = load_pem_private_key(key_bytes, None, default_backend())
pubkey_info = key.public_key().public_bytes(Encoding.DER,
PublicFormat.SubjectPublicKeyInfo)

Thanks for letting me know this functionality already existed.


For NSS databases, this will be trickier and will require calling C
functions, as neither certutil nor python-nss provide a way to a)
address existing keys in the database by key ID b) get
SubjectPublicKeyInfo for a given key.


This can be worked around by:

1. Generating a key + temporary certificate:

n=$(head -c 40 /dev/urandom | base32)
certutil -S -n $n -s CN=$n -x -t ,,

2. Extracting the public key from the certificate:

certutil -L -n $n -a >temp.crt
(extract the public key using python-cryptography)

3. Deleting the temporary certificate:

certutil -D -n $n

4. Importing the newly issued certificate:

certutil -A -n $n -t ,, -a 

As for encoding, the obvious choice is DER. It does not really matter
there is no standard file format, as we won't be transferring these
as files anyway.


Agreed. I just meant there aren't tools already because this isn't a
type of file one often needs to process.




Would it be ok to stick with the current design in this PR? I'd feel
much better if we could get the basic functionality into the repo and
then iterate on it rather than changing the plan at this point. I can
create a separate PR to change cert_get_requestdata to this new
interface and at the same time add the necessary adapters (bullet
points
above) to make it user-friendly.


Works for me.


Updated the PR to fix conflicts with master. Had some trouble with CI
but creating a new PR with the same commits fixed it
(https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed
permanently, so I guess I'll just keep the two PRs synchronized now,
or we could close the old one.


You can close the old one.

Just to make sure we are on the same page, you want this PR to be merged 
before submitting additional PRs built on top of it?






I would probably just implement the adapters within the
cert_build/cert_request client code unless you think having standalone
tools is valuable. I suppose certmonger is going to need these features
too, but I don't know how well sharing code between them is going to
work.


cert-request is exactly 

[Freeipa-devel] [freeipa PR#384][opened] Add fix for user prompt in dnsrecord-add

[Akasurde]

   URL: https://github.com/freeipa/freeipa/pull/384
Author: Akasurde
 Title: #384: Add fix for user prompt in dnsrecord-add
Action: opened

PR body:
"""
Fix added to skip optional parameter in dnsrecord-add
interactive prompts

Fixes https://fedorahosted.org/freeipa/ticket/6457

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/384/head:pr384
git checkout pr384
From 2cd64fe35fb2b910f54ec489ceb0a51befcd6c42 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Tue, 10 Jan 2017 09:59:38 +0530
Subject: [PATCH] Add fix for user prompt in dnsrecord-add

Fix added to skip optional parameter in dnsrecord-add
interactive prompts

Fixes https://fedorahosted.org/freeipa/ticket/6457

Signed-off-by: Abhijeet Kasurde 
---
 ipaclient/plugins/dns.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaclient/plugins/dns.py b/ipaclient/plugins/dns.py
index 42ccd3d..6468949 100644
--- a/ipaclient/plugins/dns.py
+++ b/ipaclient/plugins/dns.py
@@ -254,7 +254,7 @@ def interactive_prompt_callback(self, kw):
 continue
 ok = True
 
-user_options = prompt_parts(rrtype, self)
+user_options = prompt_missing_parts(rrtype, self, kw)
 kw.update(user_options)
 
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#383][opened] Remove duplicated step from DS install

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/383
Author: mbasti-rh
 Title: #383: Remove duplicated step from DS install
Action: opened

PR body:
"""
"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/383/head:pr383
git checkout pr383
From 63cc402b393ff13a75e3c91abc789a177ec0953f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:49:26 +0100
Subject: [PATCH] Remove duplicated step from DS install

"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.
---
 ipaserver/install/dsinstance.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 89315b6..3f410a3 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -340,8 +340,6 @@ def create_instance(self, realm_name, fqdn, domain_name,
 self.step("adding range check plugin", self.__add_range_check_plugin)
 if hbac_allow:
 self.step("creating default HBAC rule allow_all", self.add_hbac)
-self.step("adding sasl mappings to the directory",
-  self.__configure_sasl_mappings)
 self.step("adding entries for topology management", self.__add_topology_entries)
 
 self.__common_post_setup()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#382][opened] [WIP] Py3 ipa-server-install fixes

[mbasti-rh]

   URL: https://github.com/freeipa/freeipa/pull/382
Author: mbasti-rh
 Title: #382: [WIP] Py3 ipa-server-install fixes
Action: opened

PR body:
"""
This PR should allow to install server  with py3
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/382/head:pr382
git checkout pr382
From 0ba8877d4f0a6e96d4e338a88f8638d00ad980b1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 11:53:59 +0100
Subject: [PATCH 1/6] py3: create_cert_db: write to file in a compatible way

Py3 expect bytes to be writed using os.write. Instead of that using
io module is more pythonic.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/httpinstance.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index bacd5fc..ded0553 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import io
 import os
 import os.path
 import pwd
@@ -314,9 +315,8 @@ def create_cert_db(self):
 
 # Create the password file for this db
 password = ipautil.ipa_generate_password()
-f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
-os.write(f, password)
-os.close(f)
+with io.open(pwd_file, 'w') as f:
+f.write(password)
 
 ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
 

From e4358f451556f67dcdf4f064656cc3e6c976fb9b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:16:57 +0100
Subject: [PATCH 2/6] py3: encode str to bytes when writing to tempfile

String must be encoded to bytes to be writable by os.write()

Make sure the passwords are generated as string/unicode

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipautil.py | 2 +-
 ipaserver/install/service.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index e3e4611..34d10ef 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -852,7 +852,7 @@ def ipa_generate_password(entropy_bits=256, uppercase=1, lowercase=1, digits=1,
 rnd = random.SystemRandom()
 
 todo_entropy = entropy_bits
-password = ''
+password = u''
 # Generate required character classes:
 # The order of generated characters is fixed to comply with check in
 # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6451f92..b18d4ba 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -209,7 +209,7 @@ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=True,
 
 if dm_password:
 [pw_fd, pw_name] = tempfile.mkstemp()
-os.write(pw_fd, dm_password)
+os.write(pw_fd, dm_password.encode())
 os.close(pw_fd)
 auth_parms = ["-x", "-D", "cn=Directory Manager", "-y", pw_name]
 # Use GSSAPI auth when not using DM password or not being root

From d4785bf830c2461d1dcdb8b868ef701b873cb7be Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 12:42:23 +0100
Subject: [PATCH 3/6] py3: open temporary ldif file in text mode

ldif parser uses file in text mode, so we have to open it in text mode
in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipaserver/install/dsinstance.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 89315b6..2721d88 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -582,14 +582,15 @@ def __update_dse_ldif(self):
 'dse.ldif'
 )
 
-with tempfile.NamedTemporaryFile(delete=False) as new_dse_ldif:
+with tempfile.NamedTemporaryFile(
+mode='w', delete=False) as new_dse_ldif:
 temp_filename = new_dse_ldif.name
 with open(dse_filename, "r") as input_file:
 parser = installutils.ModifyLDIF(input_file, new_dse_ldif)
 parser.replace_value(
 'cn=config,cn=ldbm database,cn=plugins,cn=config',
 'nsslapd-db-locks',
-['5']
+[b'5']
 )
 if self.config_ldif:
 # parse modifications from ldif file supplied by the admin

From fcfb4e5a444639cb61ee7089df1ea969f58754a7 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 9 Jan 2017 19:01:29 +0100
Subject: [PATCH 4/6] py3: ldap modlist must have keys as string, not bytes

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 3 ++-
 1 file changed, 2 

[Freeipa-devel] [freeipa PR#378][comment] Integrate make check into CI

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Integrate make check into CI

martbab commented:
"""
IIRC cmocka tests are already ran as a part of build process, seee the 
following excerpt from the build log:

```

PASS: ipa_kdb_tests
   
Testsuite summary for freeipa 4.4.90.dev201701091412+git5dd9c32
   
# TOTAL: 1 
# PASS:  1 
# SKIP:  0 
# XFAIL: 0 
# FAIL:  0 
# XPASS: 0 
# ERROR: 0 


```

I am not sure if we need to run them as a separate step right now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/378#issuecomment-271334743
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#381][opened] disable hostname canonicalization by Kerberos library

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/381
Author: martbab
 Title: #381: disable hostname canonicalization by Kerberos library
Action: opened

PR body:
"""
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/381/head:pr381
git checkout pr381
From be97823a0475218306bce192d7bf5797a1663857 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 9 Jan 2017 14:36:33 +0100
Subject: [PATCH] disable hostname canonicalization by Kerberos library

By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584
---
 ipaclient/install/client.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2ff6122..08576eb 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -676,6 +676,7 @@ def configure_krb5_conf(
 ])
 libopts.extend([
 krbconf.setOption('rdns', 'false'),
+krbconf.setOption('dns_canonicalize_hostname', 'false'),
 krbconf.setOption('ticket_lifetime', '24h'),
 krbconf.setOption('forwardable', 'true'),
 krbconf.setOption('udp_preference_limit', '0')
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig

[tomaskrizek]

  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

tomaskrizek commented:
"""
I investigated some other options for the displayed error message, but I 
haven't found anything more appropriate. 
[Comment#4](https://fedorahosted.org/freeipa/ticket/5244#comment:4) in the 
ticket says the message should mention an SSSD restart issue. Perhaps someone 
else has a suggestion for a more descriptive message then `Failed to execute 
authconfig command`?

If this message is fine, the code has an ack.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/179#issuecomment-271320161
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][closed] Travis CI: actually return non-zero exit status when the test job fails

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/380
Author: martbab
 Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/380/head:pr380
git checkout pr380
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9b5b7131502a73fa24dc56c72a9648528c5aceee
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/380#issuecomment-271296037
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][+pushed] Travis CI: actually return non-zero exit status when the test job fails

[martbab]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][synchronized] Travis CI: actually return non-zero exit status when the test job fails

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/380
Author: martbab
 Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/380/head:pr380
git checkout pr380
From 1f6a7917a6ff69c6a3ca9ea29ebe5bb0d38786c4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 9 Jan 2017 12:27:36 +0100
Subject: [PATCH] Travis CI: actually return non-zero exit status when the test
 job fails

The original code did not actually propagate the test runner exit status
to parent process so Travis CI job was always green.
---
 .travis_run_task.sh | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 9fd1c1c..7d050b0 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -47,7 +47,11 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
 
-if $?
+exit_status="$?"
+
+if [[ "$exit_status" -ne 0 ]]
 then
 truncate_log_to_test_failures
 fi
+
+exit $exit_status
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails

[stlaz]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

stlaz commented:
"""
It works but for some reason there are many extra newlines in the failure log

**edit:** nvm, displayes correctly now, apparently it's a Travis streaming 
issue. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/380#issuecomment-271276855
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][+ack] Travis CI: actually return non-zero exit status when the test job fails

[stlaz]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails

[stlaz]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

stlaz commented:
"""
It works but for some reason there are many extra newlines in the failure log
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/380#issuecomment-271276855
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][comment] Travis CI: actually return non-zero exit status when the test job fails

[stlaz]

  URL: https://github.com/freeipa/freeipa/pull/380
Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails

stlaz commented:
"""
It works but for some reason there are many extra newlines in the failure log
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/380#issuecomment-271276855
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions

[tomaskrizek]

  URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

tomaskrizek commented:
"""
Please see my feedback in in-line comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/347#issuecomment-271272632
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#380][opened] Travis CI: actually return non-zero exit status when the test job fails

[martbab]

   URL: https://github.com/freeipa/freeipa/pull/380
Author: martbab
 Title: #380: Travis CI: actually return non-zero exit status when the test job 
fails
Action: opened

PR body:
"""
Thanks to @stlaz for catching this.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/380/head:pr380
git checkout pr380
From 1f6a7917a6ff69c6a3ca9ea29ebe5bb0d38786c4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 9 Jan 2017 12:27:36 +0100
Subject: [PATCH 1/2] Travis CI: actually return non-zero exit status when the
 test job fails

The original code did not actually propagate the test runner exit status
to parent process so Travis CI job was always green.
---
 .travis_run_task.sh | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.travis_run_task.sh b/.travis_run_task.sh
index 9fd1c1c..7d050b0 100755
--- a/.travis_run_task.sh
+++ b/.travis_run_task.sh
@@ -47,7 +47,11 @@ ipa-docker-test-runner -l $CI_RESULTS_LOG \
 --git-repo $TRAVIS_BUILD_DIR \
 $TASK_TO_RUN $test_set
 
-if $?
+exit_status="$?"
+
+if [[ "$exit_status" -ne 0 ]]
 then
 truncate_log_to_test_failures
 fi
+
+exit $exit_status

From bd5715a6a773d7bd9a59677988e8156460485310 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Mon, 9 Jan 2017 12:31:43 +0100
Subject: [PATCH 2/2] DO NOT PUSH: intentionally failing test for verification

---
 ipatests/test_ipaserver/test_kadmin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_ipaserver/test_kadmin.py b/ipatests/test_ipaserver/test_kadmin.py
index 1b38791..c7fb13b 100644
--- a/ipatests/test_ipaserver/test_kadmin.py
+++ b/ipatests/test_ipaserver/test_kadmin.py
@@ -86,7 +86,7 @@ def assert_success(self, command, *args):
 to catch the command's stderr and check that it is empty
 """
 result = command(*args)
-assert not result.error_output
+assert result.error_output
 
 def test_create_keytab(self, service, keytab):
 """
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11

[tomaskrizek]

  URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

tomaskrizek commented:
"""
Required version of BIND is a subject to change. When a version with fixed 
`named-pkcs11` issue ([BZ 
1410433](https://bugzilla.redhat.com/show_bug.cgi?id=1410433)) is released, I 
will update it. Patch should not be merged until then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/351#issuecomment-271259526
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11

[tomaskrizek]

   URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
 Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
From 2b7becb7f6d6cc15679b7f0aa76d6fa0164e961e Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 13:12:19 +0100
Subject: [PATCH 1/2] named.conf template: update API for bind 9.11

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565
---
 install/share/bind.named.conf.template | 16 +++-
 ipaplatform/redhat/paths.py|  1 +
 ipaserver/install/bindinstance.py  |  1 +
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template
index e8ea8fb..b7c3a0b 100644
--- a/install/share/bind.named.conf.template
+++ b/install/share/bind.named.conf.template
@@ -43,13 +43,11 @@ zone "." IN {
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";
 
-dynamic-db "ipa" {
-	library "ldap.so";
-	arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
-	arg "base cn=dns, $SUFFIX";
-	arg "server_id $FQDN";
-	arg "auth_method sasl";
-	arg "sasl_mech GSSAPI";
-	arg "sasl_user DNS/$FQDN";
-	arg "serial_autoincrement yes";
+dyndb "ipa" "$BIND_LDAP_SO" {
+	uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
+	base "cn=dns, $SUFFIX";
+	server_id "$FQDN";
+	auth_method "sasl";
+	sasl_mech "GSSAPI";
+	sasl_user "DNS/$FQDN";
 };
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index b27b065..8212f40 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace):
 if sys.maxsize > 2**32:
 LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
 PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64
+BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64
 
 
 paths = RedHatPathNamespace()
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index e24249a..c9097c2 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -769,6 +769,7 @@ def __setup_sub_dict(self):
 RFC1912_ZONES=paths.NAMED_RFC1912_ZONES,
 NAMED_PID=paths.NAMED_PID,
 NAMED_VAR_DIR=paths.NAMED_VAR_DIR,
+BIND_LDAP_SO=paths.BIND_LDAP_SO,
 )
 
 def __setup_dns_container(self):

From c00ae001855e997b2e3ce7ae2c614ce270c40f09 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 19 Dec 2016 16:52:08 +0100
Subject: [PATCH 2/2] bump required version of BIND, bind-dyndb-ldap

bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.

https://fedorahosted.org/freeipa/ticket/6565
---
 freeipa.spec.in | 17 +
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..99b3a0f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -295,18 +295,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 10.0
-%if 0%{?fedora} >= 21
-Requires: bind >= 9.9.6-3
-Requires: bind-utils >= 9.9.6-3
-Requires: bind-pkcs11 >= 9.9.6-3
-Requires: bind-pkcs11-utils >= 9.9.6-3
-%else
-Requires: bind >= 9.9.4-21
-Requires: bind-utils >= 9.9.4-21
-Requires: bind-pkcs11 >= 9.9.4-21
-Requires: bind-pkcs11-utils >= 9.9.4-21
-%endif
+Requires: bind-dyndb-ldap >= 11.0
+Requires: bind >= 9.11.0-2
+Requires: bind-utils >= 9.11.0-2
+Requires: bind-pkcs11 >= 9.11.0-2
+Requires: bind-pkcs11-utils >= 9.11.0-2
 Requires: opendnssec >= 1.4.6-4
 
 Provides: %{alt_name}-server-dns = %{version}
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#379][opened] Packaging: Add placeholder and IPA commands packages

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add placeholder and IPA commands packages
Action: opened

PR body:
"""
The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From b01a51e15c86601806318d5d096ac5286afbfbd7 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 9 Jan 2017 11:02:25 +0100
Subject: [PATCH] Packaging: Add placeholder and IPA commands packages

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore|   7 ++
 Makefile.am   |   5 +-
 configure.ac  |   4 +
 packaging/Makefile.am |  11 +++
 packaging/freeipa/Makefile.am |   1 +
 packaging/freeipa/README.txt  |   2 +
 packaging/freeipa/setup.cfg   |   6 ++
 packaging/freeipa/setup.py|  36 +++
 packaging/ipa/Makefile.am |   1 +
 packaging/ipa/README.txt  |   2 +
 packaging/ipa/setup.cfg   |   6 ++
 packaging/ipa/setup.py|  36 +++
 packaging/ipacommands/MANIFEST.in |  25 +
 packaging/ipacommands/Makefile.am |  72 ++
 packaging/ipacommands/setup.cfg   |   5 +
 packaging/ipacommands/setup.py| 194 ++
 16 files changed, 412 insertions(+), 1 deletion(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py
 create mode 100644 packaging/ipacommands/MANIFEST.in
 create mode 100644 packaging/ipacommands/Makefile.am
 create mode 100644 packaging/ipacommands/setup.cfg
 create mode 100644 packaging/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 6dcda76..ab00e98 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,3 +107,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/packaging/ipacommands/COPYING
+/packaging/ipacommands/Contributors.txt
+/packaging/ipacommands/asn1
+/packaging/ipacommands/client
+/packaging/ipacommands/ipasetup.py
+/packaging/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..e25cea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/configure.ac b/configure.ac
index e8a4701..58988f8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -553,6 +553,10 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
+packaging/ipacommands/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..e033673
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,11 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	ipacommands		\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new 

[Freeipa-devel] [freeipa PR#378][opened] Integrate make check into CI

[tiran]

   URL: https://github.com/freeipa/freeipa/pull/378
Author: tiran
 Title: #378: Integrate make check into CI
Action: opened

PR body:
"""
make check runs cmocka tests for our C code. The patch also adds some
additional files to gitignore and cleanup.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/378/head:pr378
git checkout pr378
From 9443df633997cacbce5372c126d8346d62e24eb4 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 9 Jan 2017 11:23:32 +0100
Subject: [PATCH] Integrate make check into CI

make check runs cmocka tests for our C code. The patch also adds some
additional files to gitignore and cleanup.

Signed-off-by: Christian Heimes 
---
 .gitignore  | 5 +
 .test_runner_config.yaml| 1 +
 daemons/ipa-kdb/Makefile.am | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.gitignore b/.gitignore
index 6dcda76..04553fd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,9 +72,14 @@ freeipa2-dev-doc
 /daemons/dnssec/ipa-dnskeysyncd.service
 /daemons/dnssec/ipa-ods-exporter.service
 /daemons/dnssec/ipa-ods-exporter.socket
+/daemons/ipa-kdb/ipa_kdb_tests
+/daemons/ipa-kdb/tests/.dirstamp
 /daemons/ipa-otpd/ipa-otpd
 /daemons/ipa-otpd/ipa-otpd.socket
 /daemons/ipa-otpd/ipa-otpd@.service
+/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_tests
+/daemons/ipa-slapi-plugins/ipa-extdom-extop/extdom_cmocka_tests
+/daemons/ipa-slapi-plugins/libotp/t_hotp
 /daemons/ipa-version.h
 /daemons/test-driver
 
diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index 2aece9a..676c8e7 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -47,6 +47,7 @@ steps:
   - echo ${server_password} > ~/.ipa/.dmpw
   - echo 'wait_for_dns=5' >> ~/.ipa/default.conf
   run_tests:
+  - make -s VERBOSITY=--quiet check
   - ipa-run-tests ${tests_ignore} -k-test_dns_soa ${tests_verbose} ${path}
 tests:
   ignore:
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 19583c9..6a2caa0 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -85,6 +85,9 @@ ipa_kdb_tests_LDADD =  \
 
 dist_noinst_DATA = ipa_kdb.exports
 
+clean-local:
+	rm -f tests/.dirstamp
+
 EXTRA_DIST =			\
 	README			\
 	README.s4u2proxy.txt	\
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#7][comment] Added named.conf API transformation script to spec

[tomaskrizek]

  URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Title: #7: Added named.conf API transformation script to spec

tomaskrizek commented:
"""
This patch is meant to fix existing IPA installations when they're upgraded to 
use BIND-9.11. New IPA installations are covered by freeipa/freeipa#351 

The script is written in sed. I added some inline comments for better clarity.
"""

See the full comment at 
https://github.com/freeipa/bind-dyndb-ldap/pull/7#issuecomment-271244266
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [bind-dyndb-ldap PR#7][opened] Added named.conf API transformation script to spec

[tomaskrizek]

   URL: https://github.com/freeipa/bind-dyndb-ldap/pull/7
Author: tomaskrizek
 Title: #7: Added named.conf API transformation script to spec
Action: opened

PR body:
"""
A script that converts old-style configuration API of named.conf
to the new-style API after rpm isntallation was added to contrib
specfile.
Required version of BIND was also bumped to 9.11.
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/7/head:pr7
git checkout pr7
From d3c41fae42b3c1c1c7e9426df0153afd0f95234b Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Mon, 9 Jan 2017 10:29:31 +0100
Subject: [PATCH] Added named.conf API transformation script to spec

A script that converts old-style configuration API of named.conf
to the new-style API after rpm isntallation was added to contrib
specfile.
Required version of BIND was also bumped to 9.11.
---
 contrib/bind-dyndb-ldap.spec | 41 +++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/contrib/bind-dyndb-ldap.spec b/contrib/bind-dyndb-ldap.spec
index 6f5b1f3..87c3394 100644
--- a/contrib/bind-dyndb-ldap.spec
+++ b/contrib/bind-dyndb-ldap.spec
@@ -11,13 +11,13 @@ URL:https://fedorahosted.org/bind-dyndb-ldap
 Source0:https://fedorahosted.org/released/%{name}/%{name}-%{VERSION}.tar.bz2
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-BuildRequires:  bind-devel >= 32:9.9.0, bind-lite-devel >= 32:9.9.0
+BuildRequires:  bind-devel >= 32:9.11.0, bind-lite-devel >= 32:9.11.0
 BuildRequires:  krb5-devel
 BuildRequires:  openldap-devel
 BuildRequires:  libuuid-devel
 BuildRequires:  automake, autoconf, libtool
 
-Requires:   bind >= 32:9.9.0
+Requires:   bind >= 32:9.11.0
 
 %description
 This package provides an LDAP back-end plug-in for BIND. It features
@@ -42,6 +42,39 @@ mkdir -m 770 -p %{buildroot}/%{_localstatedir}/named/dyndb-ldap
 rm %{buildroot}%{_libdir}/bind/ldap.la
 rm -r %{buildroot}%{_datadir}/doc/%{name}
 
+%post
+# Transform named.conf if it still has old-style API.
+PLATFORM=$(uname -m)
+
+if [ $PLATFORM == "x86_64" ] ; then
+LIBPATH=/usr/lib64
+else
+LIBPATH=/usr/lib
+fi
+
+while read -r PATTERN
+do
+SEDSCRIPT+="$PATTERN"
+done <
+- Added named.conf API transofrmation script
+- Bumped the required BIND version to 9.11
+
 * Tue Jan 28 2014 Petr Spacek 
 - package /var/named/dyndb-ldap directory
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

[gkaihorodova]

  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

gkaihorodova commented:
"""
Thank you for review!
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-271236642
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#363][comment] ipaclient: schema cache: Handle malformed server info data gracefully

[HonzaCholasta]

  URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data 
gracefully

HonzaCholasta commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d15ccde20fcc97a597180255ee9f5eb38caa206c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/363#issuecomment-271228271
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#363][+pushed] ipaclient: schema cache: Handle malformed server info data gracefully

[HonzaCholasta]

  URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data 
gracefully

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#363][closed] ipaclient: schema cache: Handle malformed server info data gracefully

[HonzaCholasta]

   URL: https://github.com/freeipa/freeipa/pull/363
Author: dkupka
 Title: #363: ipaclient: schema cache: Handle malformed server info data 
gracefully
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/363/head:pr363
git checkout pr363
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#363][+ack] ipaclient: schema cache: Handle malformed server info data gracefully

[HonzaCholasta]

  URL: https://github.com/freeipa/freeipa/pull/363
Title: #363: ipaclient: schema cache: Handle malformed server info data 
gracefully

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code