[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

tiran commented:
"""
@LiptonB yes, it's correct.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-273705203
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-01-18 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

stlaz commented:
"""
Hello and thank you for the contribution! However, I do not see what's in this 
for us. I do not think FreeIPA is intended to be used as a password generator. 
There are other tools that do this just right, `pwgen` being just an example.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/403#issuecomment-273697438

[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

HonzaCholasta commented:
"""
@pvoborni, my plan is to amend / extend this patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/113#issuecomment-273696077

[Freeipa-devel] [freeipa PR#403][opened] Add new ipa passwd-generate command

2017-01-18 Thread redhatrises
   URL: https://github.com/freeipa/freeipa/pull/403
Author: redhatrises
 Title: #403: Add new ipa passwd-generate command
Action: opened

PR body:
"""
This PR adds a new command line option `ipa passwd-generate` that uses the 
refactored `ipa_password_generate()` function. This is useful for generating 
secure passwords for service and system accounts or passwords for applications 
that may not be able to handle all character types. This could also be useful 
in the future for generating a temporary password for any portal efforts.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/403/head:pr403
git checkout pr403
From 4b454ecbf89ad87e46a160412defff881d0b6f26 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Wed, 18 Jan 2017 20:40:37 -0700
Subject: [PATCH] Add new ipa passwd-generate command

Adds new `ipa passwd-generate` command which has the ability to create
complex passwords using the refactored ipa_generate_password function
which is useful for deriving secure passwords for system/service accounts
rather than relying on system administrators to come up with their own
form of password.
---
 API.txt | 11 +++
 VERSION.m4  |  4 +--
 ipaserver/plugins/passwd.py | 78 -
 3 files changed, 90 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..ddf38b3 100644
--- a/API.txt
+++ b/API.txt
@@ -3461,6 +3461,16 @@ option: Str('version?')
 output: Output('result', type=[])
 output: Output('summary', type=[, ])
 output: Output('value', type=[])
+command: passwd_generate/1
+args: 0,7,1
+option: Int('digits?')
+option: Int('entropy?')
+option: Int('length?')
+option: Int('lowercase?')
+option: Int('special?')
+option: Int('uppercase?')
+option: Str('version?')
+output: Output('summary', type=[, ])
 command: permission_add/1
 args: 1,21,3
 arg: Str('cn', cli_name='name')
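Review bot: `passwd_generate/1` declares `output: Output('summary', ...)` as its only output, so the generated password can only travel back to the caller inside the human-readable summary message. A secret is better returned in a dedicated `result` output that clients can treat as sensitive and keep out of logs, with `summary` left for the status text.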
@@ -6546,6 +6556,7 @@ default: param/1
 default: param_find/1
 default: param_show/1
 default: passwd/1
+default: passwd_generate/1
 default: permission/1
 default: permission_add/1
 default: permission_add_member/1
diff --git a/VERSION.m4 b/VERSION.m4
index 36929ee..c4fd931 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 217)
-# Last change: Add options to write lightweight CA cert or chain to file
+define(IPA_API_VERSION_MINOR, 218)
+# Last change: Add new command line option to generate a password
 
 
 
diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
index 8cac145..a501bcb 100644
--- a/ipaserver/plugins/passwd.py
+++ b/ipaserver/plugins/passwd.py
@@ -21,7 +21,7 @@
 
 from ipalib import api, errors, krb_utils
 from ipalib import Command
-from ipalib import Password
+from ipalib import Password, Int
 from ipalib import _
 from ipalib import output
 from ipalib.parameters import Principal
@@ -29,6 +29,7 @@
 from ipalib.request import context
 from ipapython import kerberos
 from ipapython.dn import DN
+from ipapython.ipautil import ipa_generate_password
 from ipaserver.plugins.baseuser import normalize_user_principal
 from ipaserver.plugins.service import validate_realm
 
@@ -147,3 +148,78 @@ def execute(self, principal, password, current_password, **options):
 result=True,
 value=principal,
 )
+
+
+@register()
+class passwd_generate(Command):
+__doc__ = _("Autogenerate a password.")
+
+takes_options = (
+Int('uppercase',
+label=_('Uppercase'),
+doc=_('Number of uppercase characters'),
+required=False,
+),
+Int('lowercase',
+label=_('Lowercase'),
+doc=_('Number of lowercase characters'),
+required=False,
+),
+Int('digits',
+label=_('Digits'),
+doc=_('Number of digits'),
+required=False,
+),
+Int('special',
+label=_('Special characters'),
+doc=_('Number of special characters'),
+required=False,
+),
+Int('length',
+label=_('Length'),
+doc=_('Password Length'),
+required=False,
+),
+Int('entropy',
+label=_('Entropy'),
+doc=_('Number of entropy bits'),
+required=False,
+),
+)
+
+has_output = (
+output.summary,
+)
+
+def execute(self, *keys, **options):
+pwd_length = options.get('length')
+entropy = options.get('entropy')
+ucase = options.get('uppercase')
+lcase = options.get('lowercase')
+numbers = options.get('digits')
+schar = 
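Review bot: none of the six `Int` options in `takes_options` sets a `minvalue` or `maxvalue`, so negative counts, a zero `length` or an arbitrarily large `length`/`entropy` reach `execute()` unchecked. Since the command is meant for service and system account passwords, put bounds on the parameters (for example `minvalue=0` on the per-class counts and a floor on `entropy`) so a caller cannot request a trivially weak password or an oversized one.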

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-18 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

LiptonB commented:
"""
@tiran Thanks to the team for resuming the review, too! Added the dependency, 
does that look right?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-273658159

[Freeipa-devel] [freeipa PR#337][synchronized] Client-side CSR autogeneration (take 2)

2017-01-18 Thread LiptonB
   URL: https://github.com/freeipa/freeipa/pull/337
Author: LiptonB
 Title: #337: Client-side CSR autogeneration (take 2)
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/337/head:pr337
git checkout pr337
From 4ead459036761600c43c414cb91a21c591ad906a Mon Sep 17 00:00:00 2001
From: Ben Lipton 
Date: Tue, 5 Jul 2016 14:19:35 -0400
Subject: [PATCH 1/8] Add code to generate scripts that generate CSRs

Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899
---
 configure.ac   |   1 +
 freeipa.spec.in|   9 +
 install/share/Makefile.am  |   1 +
 install/share/csr/templates/ipa_macros.tmpl|  42 +++
 install/share/csrgen/Makefile.am   |  27 ++
 install/share/csrgen/templates/certutil_base.tmpl  |  14 +
 install/share/csrgen/templates/openssl_base.tmpl   |  35 +++
 install/share/csrgen/templates/openssl_macros.tmpl |  29 ++
 ipaclient/csrgen.py| 320 +
 ipaclient/plugins/csrgen.py| 116 
 ipalib/errors.py   |  28 ++
 ipaplatform/base/paths.py  |   1 +
 12 files changed, 623 insertions(+)
 create mode 100644 install/share/csr/templates/ipa_macros.tmpl
 create mode 100644 install/share/csrgen/Makefile.am
 create mode 100644 install/share/csrgen/templates/certutil_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_base.tmpl
 create mode 100644 install/share/csrgen/templates/openssl_macros.tmpl
 create mode 100644 ipaclient/csrgen.py
 create mode 100644 ipaclient/plugins/csrgen.py

diff --git a/configure.ac b/configure.ac
index e8a4701..01fc81e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -530,6 +530,7 @@ AC_CONFIG_FILES([
 install/share/Makefile
 install/share/advise/Makefile
 install/share/advise/legacy/Makefile
+install/share/csrgen/Makefile
 install/share/profiles/Makefile
 install/share/schema.d/Makefile
 install/ui/Makefile
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c4420a0..8396105 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -147,6 +147,7 @@ BuildRequires:  python-sssdconfig
 BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
+BuildRequires:  python2-jinja2
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
@@ -602,6 +603,7 @@ Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
+Requires: python2-jinja2
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -1208,6 +1210,13 @@ fi
 %{_usr}/share/ipa/advise/legacy/*.template
 %dir %{_usr}/share/ipa/profiles
 %{_usr}/share/ipa/profiles/*.cfg
+%dir %{_usr}/share/ipa/csrgen
+%dir %{_usr}/share/ipa/csrgen/templates
+%{_usr}/share/ipa/csrgen/templates/*.tmpl
+%dir %{_usr}/share/ipa/csrgen/profiles
+%{_usr}/share/ipa/csrgen/profiles/*.json
+%dir %{_usr}/share/ipa/csrgen/rules
+%{_usr}/share/ipa/csrgen/rules/*.json
 %dir %{_usr}/share/ipa/html
 %{_usr}/share/ipa/html/ffconfig.js
 %{_usr}/share/ipa/html/ffconfig_page.js
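Review bot: the `%files` additions list `csrgen/profiles/*.json` and `csrgen/rules/*.json`, but this patch's diffstat only creates files under `templates/`. If nothing installs JSON files into those directories at this commit, the RPM build fails on the unmatched globs; move those four lines to the patch in the series that adds the profiles and rules so each commit builds on its own.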
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 10de84d..715912d 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
 
 SUBDIRS =  \
 	advise\
+	csrgen\
 	profiles			\
 	schema.d			\
 	$(NULL)
diff --git a/install/share/csr/templates/ipa_macros.tmpl b/install/share/csr/templates/ipa_macros.tmpl
new file mode 100644
index 000..e790d4e
--- /dev/null
+++ b/install/share/csr/templates/ipa_macros.tmpl
@@ -0,0 +1,42 @@
+{% set rendersyntax = {} %}
+
+{% set renderdata = {} %}
+
+{# Wrapper for syntax rules. We render the contents of the rule into a
+variable, so that if we find that none of the contained data rules rendered we
+can suppress the whole syntax rule. That is, a syntax rule is rendered either
+if no data rules are specified (unusual) or if at least one of the data rules
+rendered successfully. #}
+{% macro syntaxrule() -%}
+{% do rendersyntax.update(none=true, any=false) -%}
+{% set contents -%}
+{{ caller() -}}
+{% endset -%}
+{% if rendersyntax['none'] or rendersyntax['any'] -%}
+{{ contents -}}
+{% endif -%}
+{% endmacro %}
+
+{# Wrapper for data rules. A data rule is rendered only when all of the data
+fields it contains have data available. #}
+{% macro datarule() -%}
+{% do rendersyntax.update(none=false) -%}
+{% do renderdata.update(all=true) -%}
+{% set contents -%}
+{{ caller() -}}
+{% 
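Review bot: this file is created as `install/share/csr/templates/ipa_macros.tmpl`, while the new Makefile, the other templates and the `%files` entries in this patch all use `install/share/csrgen/`. As placed, it sits outside the `csrgen` SUBDIR added to `install/share/Makefile.am`, so it looks like it will not be installed next to `openssl_base.tmpl` and `certutil_base.tmpl`; move it to `install/share/csrgen/templates/`. The `/usr/share/ipa/csr` path in the commit message needs the same update.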

[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values

2017-01-18 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
 Title: #181: Tests : User Tracker creation of user with minimal values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181
From 101bbd93b832787ab0c7d252ac6e9018536ddc77 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:06:36 +0100
Subject: [PATCH 1/2] User Tracker: creation of user with minimal values

Fix: provide the possibility to create a user-add test with minimal values,
where uid is not specified, to provide better coverage. Also provide a
check for a non-empty unicode string for attributes required in the init method

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/tracker/user_plugin.py | 42 +
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
index 1b35a5c..d57db93 100644
--- a/ipatests/test_xmlrpc/tracker/user_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
@@ -62,22 +62,42 @@ class UserTracker(KerberosAliasMixin, Tracker):
 
 primary_keys = {u'uid', u'dn'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not (isinstance(givenname, six.string_types) and givenname):
+raise ValueError(
+"Invalid first name provided: {!r}".format(givenname)
+)
+if not (isinstance(sn, six.string_types) and sn):
+raise ValueError("Invalid second name provided: {!r}".format(sn))
+
 super(UserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn)
 
 self.kwargs = kwargs
 
-def make_create_command(self):
-""" Make function that crates a user using user-add """
-return self.make_command(
-'user_add', self.uid,
-givenname=self.givenname,
-sn=self.sn, **self.kwargs
-)
+def make_create_command(self, force=None):
+
+""" Make function that creates a user using user-add
+with all set of attributes and with minimal values,
+where uid is not specified """
+
+if self.uid is not None:
+return self.make_command(
+'user_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'user_add', givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self, no_preserve=True, preserve=False):
 """ Make function that deletes a user using user-del
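Review bot: in `__init__`, `self.uid = unicode(name)` turns the new default `name=None` into the string `u'None'`, so the `if self.uid is not None` test in `make_create_command` is always true and the `else` branch that omits uid is never taken. The tracker would then call `user_add` with the login `None` and build `self.dn` from it. Convert only when a name is given (keep `self.uid = None` otherwise) and defer building the DN until the uid is known. The new `force=None` parameter is also unused in the visible lines, and `six` needs an import if the module does not already have one.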

From 43ee2ff50b9bf0a86eafb2fb5226c30216c1edb4 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Thu, 8 Dec 2016 15:08:41 +0100
Subject: [PATCH 2/2] User Tracker: Test to create user with minimal values

Test to create user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6126
---
 ipatests/test_xmlrpc/test_user_plugin.py | 13 +
 1 file changed, 13 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index c09d793..d33c4d7 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -79,6 +79,13 @@
 
 
 @pytest.fixture(scope='class')
+def user_min(request):
+""" User tracker fixture for testing user with uid no specified """
+tracker = UserTracker(givenname=u'Testmin', sn=u'Usermin')
+return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
 def user(request):
 tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1')
 return tracker.make_fixture(request)
@@ -405,6 +412,12 @@ def test_rename_to_invalid_login(self, user):
 
 @pytest.mark.tier1
 class TestCreate(XMLRPC_test):
+def test_create_user_with_min_values(self, user_min):
+""" Create user with uid not specified """
+user_min.ensure_missing()
+command = user_min.make_create_command()
+command()
+
 def test_create_with_krb_ticket_policy(self):
 """ Try to create user with krbmaxticketlife set """
 testuser = UserTracker(
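Review bot: `test_create_user_with_min_values` only calls `command()` and discards the return value, so it passes as long as `user_add` does not raise. Capture the result and assert on it, in particular that the server generated a uid and that `givenname` and `sn` match the fixture; otherwise the minimal-values path is not actually verified.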

[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation

2017-01-18 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
 Title: #210: Tests: Stage User Tracker implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210
From dbdf3f26a5a4f2663a0ed0fd9be3267f45299db6 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 2 Nov 2016 15:02:30 +0100
Subject: [PATCH 1/2] Tests: Stage User Tracker implementation

Fix: provide the possibility of creating a stage user with minimal values,
with uid not specified, and check for a non-empty unicode string
for attributes requested in the init method

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 38 +++-
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 4f87163..27f56d3 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -61,23 +61,45 @@ class StageUserTracker(Tracker):
 find_keys = retrieve_keys - {u'has_keytab', u'has_password'}
 find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'}
 
-def __init__(self, name, givenname, sn, **kwargs):
+def __init__(self, name=None, givenname=None, sn=None, **kwargs):
+""" Check for non-empty unicode string for the required attributes
+in the init method """
+
+if not (isinstance(givenname, six.string_types) and givenname):
+raise ValueError(
+"Invalid first name provided: {!r}".format(givenname)
+)
+if not (isinstance(sn, six.string_types) and sn):
+raise ValueError("Invalid second name provided: {!r}".format(sn))
+
 super(StageUserTracker, self).__init__(default_version=None)
-self.uid = name
-self.givenname = givenname
-self.sn = sn
+self.uid = unicode(name)
+self.givenname = unicode(givenname)
+self.sn = unicode(sn)
 self.dn = DN(
 ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
 
 self.kwargs = kwargs
 
 def make_create_command(self, options=None):
-""" Make function that creates a staged user using stageuser-add """
+""" Make function that creates a staged user using stageuser-add
+with all set of attributes and with minimal values,
+where uid is not specified  """
+
 if options is not None:
 self.kwargs = options
-return self.make_command('stageuser_add', self.uid,
- givenname=self.givenname,
- sn=self.sn, **self.kwargs)
+if self.uid is not None:
+return self.make_command(
+'stageuser_add', self.uid,
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
+else:
+return self.make_command(
+'stageuser_add',
+givenname=self.givenname,
+sn=self.sn, **self.kwargs
+)
 
 def make_delete_command(self):
 """ Make function that deletes a staged user using stageuser-del """
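Review bot: `self.uid = unicode(name)` with the new default `name=None` stores `u'None'`, which makes the `if self.uid is not None` check in `make_create_command` always true; `stageuser_add` is then called with uid `None` and the `else` branch is dead code. Leave `self.uid` as `None` when no name is passed, and build `self.dn` only once the uid is known.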

From e3b0ab2aedd1027bad44f066c2491f3fcb35b46a Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Mon, 12 Dec 2016 14:11:52 +0100
Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values

Test to create stage user with minimal values, where uid is not specified

https://fedorahosted.org/freeipa/ticket/6448
---
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index e61bf7a..a2f0650 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -85,6 +85,11 @@ def stageduser(request):
 return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='class')
+def stageduser_min(request):
+tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin')
+return tracker.make_fixture(request)
+
 @pytest.fixture(scope='class', params=options_ok, ids=options_ids)
 def stageduser2(request):
 tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param)
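Review bot: the new `stageduser_min` fixture is followed by a single blank line before the next `@pytest.fixture(...)` decorator, where the surrounding top-level definitions are separated by two; add one more. A one-line docstring stating that this fixture omits uid would also make its purpose clear to the next reader.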
@@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser):
 
 @pytest.mark.tier1
 class TestStagedUser(XMLRPC_test):
+def test_create_with_min_values(self, stageduser_min):
+""" Create user with uid not specified """
+stageduser_min.ensure_missing()
+command = stageduser_min.make_create_command()
+command()
+
 def test_create_duplicate(self, stageduser):
 stageduser.ensure_exists()
 command = 

[Freeipa-devel] [freeipa PR#402][opened] [master] wait_for_entry improvements

2017-01-18 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/402
Author: MartinBasti
 Title: #402: [master] wait_for_entry improvements
Action: opened

PR body:
"""
Backport useful commits from #401 to master
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/402/head:pr402
git checkout pr402
From 3344c7001d68560be2a88daa65396b9d7f8c357c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 12:55:13 +0100
Subject: [PATCH 1/2] wait_for_entry: use only DN as parameter

Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/replication.py| 6 ++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 4c02d73..2ebff6b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -459,7 +459,7 @@ def setup_admin(self):
 ldap_uri = ipaldap.get_ldap_uri(self.master_host)
 master_conn = ipaldap.LDAPClient(ldap_uri)
 master_conn.gssapi_bind()
-replication.wait_for_entry(master_conn, entry)
+replication.wait_for_entry(master_conn, entry.dn)
 del master_conn
 
 def __remove_admin_from_group(self, group):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 9ce93fc..c4260dd 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -155,7 +155,7 @@ def wait_for_task(conn, dn):
 return exit_code
 
 
-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 """Wait for entry and/or attr to show up"""
 
 filter = "(objectclass=*)"
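Review bot: the second positional parameter of `wait_for_entry` changes from an entry object to a DN, but the docstring still reads only "Wait for entry and/or attr to show up" and nothing rejects an entry passed by a caller that was missed. Document `dn` in the docstring and check the remaining call sites; only `setup_admin` and `setup_agreement` are updated in this patch.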
@@ -165,8 +165,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
 attrlist.append(attr)
 timeout += int(time.time())
 
-dn = entry.dn
-
 if not quiet:
 sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
 sys.stdout.flush()
@@ -733,7 +731,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
 # that we will have to set the memberof fixup task
 self.need_memberof_fixup = True
 
-wait_for_entry(a_conn, entry)
+wait_for_entry(a_conn, entry.dn)
 
 def needs_memberof_fixup(self):
 return self.need_memberof_fixup

From de575f6df7bb0aaf0c0de665f259d51c81636b2f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 17:08:19 +0100
Subject: [PATCH 2/2] Use proper logging for error messages

https://fedorahosted.org/freeipa/ticket/6588r
---
 ipaserver/install/replication.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index c4260dd..1f13783 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -176,7 +176,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 except errors.NotFound:
 pass  # no entry yet
 except Exception as e:  # badness
-print("\nError reading entry", dn, e)
+root_logger.error("Error reading entry %s: %s", dn, e)
 break
 if not entry:
 if not quiet:
@@ -185,11 +185,13 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 time.sleep(1)
 
 if not entry and int(time.time()) > timeout:
-print("\nwait_for_entry timeout for %s for %s" % (connection, dn))
+root_logger.error(
+"wait_for_entry timeout for %s for %s", connection, dn)
 elif entry and not quiet:
-print("\nThe waited for entry is:", entry)
+root_logger.error("The waited for entry is: %s", entry)
 elif not entry:
-print("\nError: could not read entry %s from %s" % (dn, connection))
+root_logger.error(
+"Error: could not read entry %s from %s", dn, connection)
 
 
 class ReplicationManager(object):
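Review bot: `root_logger.error("The waited for entry is: %s", entry)` sits in the success branch (`elif entry and not quiet`), so a successful wait is now reported at error level; use `debug` or `info` there. It also writes the whole entry, attribute values included, to the log, where the DN would be enough. Separately, the function still only logs on timeout and returns nothing, so callers cannot tell success from failure.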

[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica

2017-01-18 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/401
Author: MartinBasti
 Title: #401: [4.4] Wait until http principal entry is replicated to replica
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/401/head:pr401
git checkout pr401
From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 12:55:13 +0100
Subject: [PATCH 1/3] wait_for_entry: use only DN as parameter

Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/replication.py| 6 ++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index b656282..2a2ab6f 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -470,7 +470,7 @@ def setup_admin(self):
   port=389,
   protocol='ldap')
 master_conn.do_sasl_gssapi_bind()
-replication.wait_for_entry(master_conn, entry)
+replication.wait_for_entry(master_conn, entry.dn)
 del master_conn
 
 def __remove_admin_from_group(self, group):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fe62626..d0e4a20 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -152,7 +152,7 @@ def wait_for_task(conn, dn):
 return exit_code
 
 
-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 """Wait for entry and/or attr to show up"""
 
 filter = "(objectclass=*)"
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
 attrlist.append(attr)
 timeout += int(time.time())
 
-dn = entry.dn
-
 if not quiet:
 sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
 sys.stdout.flush()
@@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
 # that we will have to set the memberof fixup task
 self.need_memberof_fixup = True
 
-wait_for_entry(a_conn, entry)
+wait_for_entry(a_conn, entry.dn)
 
 def needs_memberof_fixup(self):
 return self.need_memberof_fixup

From 3838aa549710f6447a9e7d62013eb6c3d88df35c Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 13:56:24 +0100
Subject: [PATCH 2/3] Wait until HTTPS principal entry is replicated to replica

Without the HTTP principal the later steps fail.

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/server/replicainstall.py | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aefe158..5b613ba 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -40,7 +40,7 @@
 from ipaserver.install.installutils import (
 create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
 from ipaserver.install.replication import (
-ReplicationManager, replica_conn_check)
+ReplicationManager, replica_conn_check, wait_for_entry)
 import SSSDConfig
 from subprocess import CalledProcessError
 from binascii import hexlify
@@ -90,6 +90,14 @@ def install_http_certs(config, fstore, remote_api):
 config.master_host_name,
 paths.IPA_KEYTAB,
 force_service_add=True)
+dn = DN(
+('krbprincipalname', principal),
+api.env.container_service, api.env.basedn
+)
+conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True)
+conn.do_external_bind()
+wait_for_entry(conn, dn)
+conn.unbind()
 
 # Obtain certificate for the HTTP service
 nssdir = certs.NSS_DIR
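Review bot: `wait_for_entry(conn, dn)` is called with the default `timeout=7200` and its outcome is not checked, so if the principal never replicates the installer waits for up to two hours and then proceeds to the certificate request anyway. Pass a shorter timeout and abort the install when the entry is still missing. Also wrap the wait in `try`/`finally` so that `conn.unbind()` runs if the wait raises.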

From 42050b4fae9326dc4b35e19428014ca82c355da8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 17:08:19 +0100
Subject: [PATCH 3/3] Use proper logging for error messages

https://fedorahosted.org/freeipa/ticket/6588r
---
 ipaserver/install/replication.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index d0e4a20..5da96e7 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -173,7 +173,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 except errors.NotFound:
 pass  # no entry yet
 except Exception as e:  # badness
-print("\nError reading 

[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

2017-01-18 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/113
Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri

pvoborni commented:
"""
@HonzaCholasta with @pspacek no longer caring about this PR, we should close 
it. But before we do it, what are your thoughts on what should be the right 
approach? Are you going to amend this patch or replace it with something 
different?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/113#issuecomment-273537412

[Freeipa-devel] [freeipa PR#398][synchronized] Support for Certificate Identity Mapping

2017-01-18 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 068cbf841121bab1df02cbe6200c1e675c48385f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt|  16 +-
 API.txt| 184 +++
 VERSION.m4 |   4 +-
 install/share/73certmap.ldif   |  17 ++
 install/share/Makefile.am  |   1 +
 install/updates/73-certmap.update  |  27 +++
 install/updates/Makefile.am|   1 +
 ipalib/constants.py|   4 +
 ipapython/dn.py|   7 +
 ipaserver/install/dsinstance.py|   1 +
 ipaserver/plugins/baseuser.py  | 175 +-
 ipaserver/plugins/certmap.py   | 357 +
 ipaserver/plugins/stageuser.py |  16 +-
 ipaserver/plugins/user.py  |  23 ++-
 ipatests/test_ipapython/test_dn.py |  24 +++
 15 files changed, 846 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..a87fec1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
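Review bot: In the added "System: Modify Certmap Rules" ACI the writable targetattr list includes objectclass, which the neighbouring "System: Modify CA ACL" permission in the context lines does not grant. Write access to objectclass lets a holder of this permission change the object classes of a rule entry; unless certmaprule-mod needs that, drop it from the writable set. Separately, "System: Read Certmap Rules" exposes ipacertmapmaprule and ipacertmapmatchrule to ldap:///all, so please confirm against the design page that every authenticated user is meant to read the mapping and matching rules.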
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
 dn: 

[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica

2017-01-18 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/401
Author: MartinBasti
 Title: #401: [4.4] Wait until http principal entry is replicated to replica
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/401/head:pr401
git checkout pr401
From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 12:55:13 +0100
Subject: [PATCH 1/3] wait_for_entry: use only DN as parameter

Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/replication.py| 6 ++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index b656282..2a2ab6f 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -470,7 +470,7 @@ def setup_admin(self):
   port=389,
   protocol='ldap')
 master_conn.do_sasl_gssapi_bind()
-replication.wait_for_entry(master_conn, entry)
+replication.wait_for_entry(master_conn, entry.dn)
 del master_conn
 
 def __remove_admin_from_group(self, group):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fe62626..d0e4a20 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -152,7 +152,7 @@ def wait_for_task(conn, dn):
 return exit_code
 
 
-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 """Wait for entry and/or attr to show up"""
 
 filter = "(objectclass=*)"
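Review bot: The second positional parameter of wait_for_entry changes from an entry object to a DN, but the docstring still reads only "Wait for entry and/or attr to show up". State there that dn is the DN to poll for, and check for callers outside dogtaginstance.py and replication.py that still pass an entry positionally, since nothing in the new signature rejects one.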
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
 attrlist.append(attr)
 timeout += int(time.time())
 
-dn = entry.dn
-
 if not quiet:
 sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
 sys.stdout.flush()
@@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
 # that we will have to set the memberof fixup task
 self.need_memberof_fixup = True
 
-wait_for_entry(a_conn, entry)
+wait_for_entry(a_conn, entry.dn)
 
 def needs_memberof_fixup(self):
 return self.need_memberof_fixup

From c60a897a0feb1208aaf83ec5621bbb7c2bda2235 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 13:56:24 +0100
Subject: [PATCH 2/3] Wait until HTTPS principal entry is replicated to replica

Without the HTTP principal the later steps fail.

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aefe158..fa4a6d2 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -40,7 +40,7 @@
 from ipaserver.install.installutils import (
 create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
 from ipaserver.install.replication import (
-ReplicationManager, replica_conn_check)
+ReplicationManager, replica_conn_check, wait_for_entry)
 import SSSDConfig
 from subprocess import CalledProcessError
 from binascii import hexlify
@@ -90,6 +90,13 @@ def install_http_certs(config, fstore, remote_api):
 config.master_host_name,
 paths.IPA_KEYTAB,
 force_service_add=True)
+dn = DN(
+('krbprincipalname', principal),
+api.env.container_service, api.env.basedn
+)
+api.Backend.ldap2.connect(autobind=True)
+wait_for_entry(api.Backend.ldap2, dn)
+api.Backend.ldap2.disconnect()
 
 # Obtain certificate for the HTTP service
 nssdir = certs.NSS_DIR
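Review bot: In install_http_certs, nothing guarantees that the added api.Backend.ldap2.disconnect() runs if wait_for_entry raises, which would leave the backend connected for the rest of the install. Wrap the wait in try/finally so the disconnect always happens.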

From 60ec3905c46805a14e0e5fb192546c0fa1ead1a9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 17:08:19 +0100
Subject: [PATCH 3/3] Use proper logging for error messages

https://fedorahosted.org/freeipa/ticket/6588r
---
 ipaserver/install/replication.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index d0e4a20..5da96e7 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -173,7 +173,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 except errors.NotFound:
 pass  # no entry yet
 except Exception as e:  # badness
-print("\nError reading entry", dn, e)
+  

[Freeipa-devel] [freeipa PR#401][synchronized] [4.4] Wait until http principal entry is replicated to replica

2017-01-18 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/401
Author: MartinBasti
 Title: #401: [4.4] Wait until http principal entry is replicated to replica
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/401/head:pr401
git checkout pr401
From 045413aeec8862d9cdd0f3057671f28bb85735a1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 12:55:13 +0100
Subject: [PATCH 1/2] wait_for_entry: use only DN as parameter

Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/replication.py| 6 ++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index b656282..2a2ab6f 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -470,7 +470,7 @@ def setup_admin(self):
   port=389,
   protocol='ldap')
 master_conn.do_sasl_gssapi_bind()
-replication.wait_for_entry(master_conn, entry)
+replication.wait_for_entry(master_conn, entry.dn)
 del master_conn
 
 def __remove_admin_from_group(self, group):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fe62626..d0e4a20 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -152,7 +152,7 @@ def wait_for_task(conn, dn):
 return exit_code
 
 
-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
 """Wait for entry and/or attr to show up"""
 
 filter = "(objectclass=*)"
@@ -162,8 +162,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
 attrlist.append(attr)
 timeout += int(time.time())
 
-dn = entry.dn
-
 if not quiet:
 sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
 sys.stdout.flush()
@@ -734,7 +732,7 @@ def setup_agreement(self, a_conn, b_hostname, port=389,
 # that we will have to set the memberof fixup task
 self.need_memberof_fixup = True
 
-wait_for_entry(a_conn, entry)
+wait_for_entry(a_conn, entry.dn)
 
 def needs_memberof_fixup(self):
 return self.need_memberof_fixup

From 01eddb7b33a7802d7949b0b5572bf2d1dda5e47b Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 18 Jan 2017 13:56:24 +0100
Subject: [PATCH 2/2] Wait until HTTPS principal entry is replicated to replica

Without the HTTP principal the later steps fail.

https://fedorahosted.org/freeipa/ticket/6588
---
 ipaserver/install/server/replicainstall.py | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aefe158..9dbe4b0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -40,7 +40,7 @@
 from ipaserver.install.installutils import (
 create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
 from ipaserver.install.replication import (
-ReplicationManager, replica_conn_check)
+ReplicationManager, replica_conn_check, wait_for_entry)
 import SSSDConfig
 from subprocess import CalledProcessError
 from binascii import hexlify
@@ -90,6 +90,13 @@ def install_http_certs(config, fstore, remote_api):
 config.master_host_name,
 paths.IPA_KEYTAB,
 force_service_add=True)
+dn = DN(
+('krbprincipalname', principal),
+api.env.container_service, api.env.basedn
+)
+api.Backend.ldap2.connect(ldapi=True)
+wait_for_entry(api.Backend.ldap2, dn)
+api.Backend.ldap2.disconnect()
 
 # Obtain certificate for the HTTP service
 nssdir = certs.NSS_DIR
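Review bot: The added wait_for_entry(api.Backend.ldap2, dn) call in install_http_certs relies on the default timeout=7200 visible in the signature in patch 1/2, and any result of the wait is discarded. Pass an explicit, shorter timeout and fail the replica install with a clear message if the principal entry never shows up, rather than going on to the certificate request.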

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tomaskrizek commented:
"""
@HonzaCholasta Perhaps it's more of a personal preference, but I'd rather see 
an existing version of a certain package. Since the spec file is processed 
automatically, I guess it doesn't make a difference. But it could confuse 
someone who reads the file and looks for a certain version of the mentioned 
package.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273521294

[Freeipa-devel] [freeipa PR#386][comment] Tests: Add tree root domain role in legacy client tests

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/822a119100f8ab93aacdb14b982609f1dc69531d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/52527d6323eec1a2ae4bf01dd64412a3822c516d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/386#issuecomment-273510158

[Freeipa-devel] [freeipa PR#386][closed] Tests: Add tree root domain role in legacy client tests

2017-01-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/386
Author: gkaihorodova
 Title: #386: Tests: Add tree root domain role in legacy client tests
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/386/head:pr386
git checkout pr386

[Freeipa-devel] [freeipa PR#386][+pushed] Tests: Add tree root domain role in legacy client tests

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

Label: +pushed

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
I see, didn't notice that. In this case, IMO either the current `pki-base >= 
10.2.1` or an unversioned `pki-base-python2` is fine.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273498651

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
You would still depend on a potentially non-existing package. 
`pki-base-python2` was introduced in 10.3. `pki-base` will switch to 
Python 3 as soon as RHEL has Python 3 in its base distribution.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273493381

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
@tiran, I'm sorry to have to point this out, but the decision whether this PR 
is accepted or not is not yours to make, you are not a member of the core team 
and this is in no way related to your integration work.

As a maintainer of IPA packages in RHEL I obviously prefer it my way. What you 
prefer when you co-maintain PKI Python packages is your business and is not 
relevant here. A compromise I would be willing to accept is that the 
`pki-base-python3` dependency will be unversioned, but `pki-base-python2` must 
stay `>= 10.2.1`.

@tomaskrizek, why do you think it's a bad practice? The condition merely limits 
the set of package versions that satisfy the dependency, but the set is still 
infinite and an infinite number of non-existent packages *always* fall in the 
set. Strictly speaking, `10.3.5-6` is not an existing package version either, 
you won't find a `pki-base-python2-10.3.5-6.rpm` anywhere.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273488422

[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test

2017-01-18 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
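Review bot: The new enable() and disable() helpers have no docstrings and, unlike create() in the previous hunk's context, which calls self.track_create() before running the command, they never update the tracker's recorded state. Add docstrings in the style of the other helpers, and either update the tracked attributes here or say in check_enable/check_disable that subclasses are expected to do it.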

From 0f5f8531edce915c02cabdcb215f0f2134b880a1 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 +
 3 files changed, 273 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..4086333
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,101 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import pytest
+import itertools
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+'ipaassociateddomain',
+'ipacertmappriority',
+)
+
+
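Review bot: certmaprule_optional_params lists 'ipaassociateddomain', but both certmaprule_create_params and certmaprule_update_params use the key u'associateddomain', so code that walks the optional parameters cannot line up with that key. Use the same name in all three. Also, u'changed arbitrary maching rule' has a typo ("matching").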

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tomaskrizek commented:
"""
I agree with @tiran here. Even though `>= 10.2.1` will match the correct 
package, I don't think it's a good practice to use non-existent package numbers 
in `BuildRequires`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273468841

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
I can't see a valid argument in your response. As a co-maintainer of PKI's 
Python packages I'm strictly against claiming compatibility with a non-existing 
package version range. The PR is fine as it stands and I'm going to ACK it 
tomorrow. If you still like to veto against my ACK, please start a motion on 
the developer list and ask the rest of the team for their opinion.

You also mentioned that CI might not pick up build requirements correctly. I 
agree that this is a problem and must be fixed ASAP. We must be able to rely on 
CI tests. Please open a separate ticket.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273465183

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
That is of no concern to us. `pki-base-python3 >= 10.2.1` will get us the 
correct package in all cases and under no circumstances will it cause an 
attempt to install a non-existent package. Note that `pki-base-python2 >= 
10.2.1` means that FreeIPA is also compatible with 
`pki-base-python2-10.2.1.0.1.2.3`, which clearly doesn't exist either, but that 
doesn't make the dependency wrong in any way whatsoever.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273459096

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
I would like to have `py3 str` <=> `py2 unicode`, `py3 bytes` <=> `py2 str`, 
but framework is far away from this ideal state.

So I have no strong opinion, and once we will drop py2, so I'm not sure if we 
want to migrate everything in py2 to unicode if it works in other cases.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273450333

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
We are OK with the patch because fixing the root cause is out of the scope of 
this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273448687

[Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/244
Title: #244: Add templating to ipaplatform path [RFC]

tiran commented:
"""
My PoC is a bit too magic and complicated. PR #373 for Debian support comes 
along nicely without additional magic. I'm closing the PR. I'll keep the branch 
around in case we want to tackle the problem in the future.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/244#issuecomment-273437189

[Freeipa-devel] [freeipa PR#244][closed] Add templating to ipaplatform path [RFC]

2017-01-18 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/244
Author: tiran
 Title: #244: Add templating to ipaplatform path [RFC]
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/244/head:pr244
git checkout pr244

Re: [Freeipa-devel] Certificate Identity Mapping

2017-01-18 Thread Sumit Bose
On Wed, Jan 18, 2017 at 09:59:49AM +0100, David Kupka wrote:
> Hello everyone!
> I would like to bring your attention to just published PRs implementing
> FreeIPA part of Certificate Identity Mapping feature [0]:
> 
> - certmap plugin [1] by Flo
> - WebUI for certmap plugin [3] by Pavel
> - tests for certmap plugin [2] by me
> 
> Also please think about names of the commands, parameters, entries and
> attributes. We've figured them somehow but if you have any suggestion that
> would improve the understanding please share.

Hi,

thank you for the patches.

Just a general comment about an open question in the design. Honza
suggested to use a priority instead of an issuer name to make sure that
only specific rules are used for a given issuer. The latest mail in the
thread about it is
https://www.redhat.com/archives/freeipa-devel/2017-January/msg00229.html.

Do you have any opinions here?

I think it won't change much in your patches but we should find an
agreement before e.g. the OIDs are registered.

bye,
Sumit

> 
> Please review them thoroughly, thanks!
> 
> [0] https://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> [1] https://github.com/freeipa/freeipa/pull/398
> [2] https://github.com/freeipa/freeipa/pull/399
> [3] https://github.com/freeipa/freeipa/pull/400
> 
> -- 
> David Kupka
> 



[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
@tiran, namespace keys are always ASCII. But feel free to open a ticket to 
convert all remaining uses of `str` as text to `unicode`, changing it for one 
random bit in this unrelated PR isn't particularly helpful when you take the 
big picture into account.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273429342
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#398][comment] Support for Certificate Identity Mapping

2017-01-18 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/398
Title: #398: Support for Certificate Identity Mapping

MartinBasti commented:
"""
I put some inline comments, @flo-renaud if you don't know where to register OIDs 
feel free to ping me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/398#issuecomment-273428118

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages

2017-01-18 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add placeholder and IPA commands packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 9cc925ee9beae054d114f0f98d278230ff16f9ca Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 9 Jan 2017 11:02:25 +0100
Subject: [PATCH] Packaging: Add placeholder and IPA commands packages

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore|   7 ++
 Makefile.am   |   5 +-
 configure.ac  |   4 +
 packaging/Makefile.am |  11 +++
 packaging/freeipa/Makefile.am |   1 +
 packaging/freeipa/README.txt  |   2 +
 packaging/freeipa/setup.cfg   |   6 ++
 packaging/freeipa/setup.py|  36 +++
 packaging/ipa/Makefile.am |   1 +
 packaging/ipa/README.txt  |   2 +
 packaging/ipa/setup.cfg   |   6 ++
 packaging/ipa/setup.py|  36 +++
 packaging/ipacommands/MANIFEST.in |  25 +
 packaging/ipacommands/Makefile.am |  72 ++
 packaging/ipacommands/setup.cfg   |   5 +
 packaging/ipacommands/setup.py| 194 ++
 16 files changed, 412 insertions(+), 1 deletion(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py
 create mode 100644 packaging/ipacommands/MANIFEST.in
 create mode 100644 packaging/ipacommands/Makefile.am
 create mode 100644 packaging/ipacommands/setup.cfg
 create mode 100644 packaging/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 04553fd..249f158 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,3 +112,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/packaging/ipacommands/COPYING
+/packaging/ipacommands/Contributors.txt
+/packaging/ipacommands/asn1
+/packaging/ipacommands/client
+/packaging/ipacommands/ipasetup.py
+/packaging/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..e25cea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
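Review bot: In the bdist_wheel recipe, packaging/ipacommands is built with the sdist target while packaging/ipa and packaging/freeipa use bdist_wheel, so `make bdist_wheel` now also emits a source distribution. If that is intended because ipa-getkeytab and ipa-rmkeytab are compiled at install time, a one-line comment above the three new lines should say so; otherwise move the ipacommands build to its own target. The `;` after `|| exit 1` is not needed on these lines, since they are not continued with a backslash.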
diff --git a/configure.ac b/configure.ac
index 6cd3a89..12bc880 100644
--- a/configure.ac
+++ b/configure.ac
@@ -556,6 +556,10 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
+packaging/ipacommands/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..e033673
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,11 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	ipacommands		\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..8be72b2
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1 @@
+include $(top_srcdir)/Makefile.python.am
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt
@@ -0,0 +1,2 @@
+This is a dummy package for FreeIPA's ipaclient.
+
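Review bot: README.txt only says "dummy package" and does not explain why the package exists. The commit message states that the package reserves the name on PyPI and that installing it pulls in ipaclient; the README should say the same, since it is the text a user sees when they find the package. The trailing empty line can be dropped.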
diff --git a/packaging/freeipa/setup.cfg 

[Freeipa-devel] [freeipa PR#393][comment] [Py3] allow to run wsgi - part1

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/393
Title: #393: [Py3] allow to run wsgi - part1

tiran commented:
"""
@MartinBasti cert tests are failing. I have restarted the failing job. Let's 
see if the error persists or was just caused by a Travis hiccup.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/393#issuecomment-273426124

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
```pki-base-python3 >= 10.2.1``` would mean that FreeIPA is compatible with 
```pki-base-python2 == 10.2.1``` which clearly does not exist.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273425618

[Freeipa-devel] [freeipa PR#386][comment] Tests: Add tree root domain role in legacy client tests

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

martbab commented:
"""
Looks good, let's see if it fixes our CI
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/386#issuecomment-273425390

[Freeipa-devel] [freeipa PR#386][+ack] Tests: Add tree root domain role in legacy client tests

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/386
Title: #386: Tests: Add tree root domain role in legacy client tests

Label: +ack

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

tiran commented:
"""
In Python 2 str is a Chimera with the head of a text object and the body of a 
bytes object. It's just text if all text you got is ASCII. For clean polyglot 
code it's highly recommended to avoid Python 2 str and use Python 2's unicode 
for all text. Most of FreeIPA's Python code has been adapted to unicode for 
text very well. This is one of the few places that slipped through.

The benefits are consistent treatment of text as Python 2 unicode, which leads 
to a proper fix instead of a patch (in this case decoding with six.text_type).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273424928

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

HonzaCholasta commented:
"""
The namespace keys *are* text (`str`) in both Python 2 and 3. The issue here is 
that the RPC layer assumes that `str` is binary data, which the patch correctly 
fixes by converting the keys to `unicode` before they enter the RPC layer. 
There is no benefit in making the keys themselves `unicode`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273422664

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

tiran commented:
"""
Why should *Python 2 class names are str instances* prevent us from making the 
namespace keys text? In Python 2 ASCII str and ASCII unicode are equivalent 
dict keys (same hash, compare equally). In Python 3 the keys are going to be 
text anyway.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273420986

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

HonzaCholasta commented:
"""
@tiran, the dependency says `>= 10.2.1`, not `== 10.2.1`, so we are not 
depending on any non-existent packages.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273420737

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Akasurde commented:
"""
@martbab Yes, I will write a test case for this scenario and attach here. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273420038

[Freeipa-devel] [freeipa PR#387][comment] Update warning message for ipa server uninstall

2017-01-18 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

Akasurde commented:
"""
@martbab Thanks for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/387#issuecomment-273419794

[Freeipa-devel] [freeipa PR#179][comment] Fix for handling CalledProcessError in authconfig

2017-01-18 Thread Akasurde
  URL: https://github.com/freeipa/freeipa/pull/179
Title: #179: Fix for handling CalledProcessError in authconfig

Akasurde commented:
"""
@tomaskrizek @martbab Thanks for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/179#issuecomment-273419730

[Freeipa-devel] Certificate Identity Mapping

2017-01-18 Thread David Kupka

Hello everyone!
I would like to bring your attention to the just published PRs implementing 
the FreeIPA part of the Certificate Identity Mapping feature [0]:


- certmap plugin [1] by Flo
- WebUI for certmap plugin [3] by Pavel
- tests for certmap plugin [2] by me

Also please think about names of the commands, parameters, entries and 
attributes. We've figured them somehow but if you have any suggestion 
that would improve the understanding please share.


Please review them thoroughly, thanks!

[0] https://www.freeipa.org/page/V4/Certificate_Identity_Mapping
[1] https://github.com/freeipa/freeipa/pull/398
[2] https://github.com/freeipa/freeipa/pull/399
[3] https://github.com/freeipa/freeipa/pull/400

--
David Kupka


[Freeipa-devel] [freeipa PR#372][closed] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-18 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/372
Author: tiran
 Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/372/head:pr372
git checkout pr372

[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/372
Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py

tiran commented:
"""
I have updated the ticket 
https://fedorahosted.org/freeipa/ticket/6540#comment:5 with the result of this 
discussion. I'm going to close the PR. Let's start a new one to remove it and 
update ```ipaserver/install/cainstance.py``` plus builds.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/372#issuecomment-273418019

[Freeipa-devel] [freeipa PR#400][edited] WebUI: Certificate Mapping

2017-01-18 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
 Title: #400: WebUI: Certificate Mapping
Action: edited

 Changed field: body
Original value:
"""
Add WebUI for certificate mapping

"""


[Freeipa-devel] [freeipa PR#400][opened] WebUI: Certificate Mapping

2017-01-18 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/400
Author: pvomacka
 Title: #400: WebUI: Certificate Mapping
Action: opened

PR body:
"""
Add WebUI for certificate mapping

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/400/head:pr400
git checkout pr400
From 0044846ee2c657179ec586b61ccec56876b3d6e2 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 13:59:16 +0100
Subject: [PATCH 1/4] WebUI: Add possibility to set widget always writable

If widget will have set attribute 'always_writable' to true, then
'no_update' flag will be ignored. Used in command user-{add,remove}-certmap
which needs to be writable in WebUI and also needs to be omitted from
user-mod command.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js  | 11 ++-
 install/ui/src/freeipa/widget.js |  2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d70a778..2d05ab1 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -484,7 +484,16 @@ field.field = IPA.field = function(spec) {
 writable = false;
 }
 
-if (that.metadata.flags && array.indexOf(that.metadata.flags, 'no_update') > -1) {
+// In case that widget has set always_writable attribute, then
+// 'no_update' flag is ignored in WebUI. It is done because of
+// commands like user-{add,remove}-certmap. They operate with user's
+// attribute, which cannot be changed using user-mod, but only
+// using command user-{add,remove}-certmap. Therefore it has set
+// 'no_update' flag, but we need to show 'Add', 'Remove' buttons in
+// WebUI.
+if (that.metadata.flags &&
+array.indexOf(that.metadata.flags, 'no_update') > -1 &&
+that.widget && !that.widget.always_writable) {
 writable = false;
 }
 }
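Review bot: The rewritten 'no_update' condition changes the result for fields that have no widget: `that.widget && !that.widget.always_writable` is false when `that.widget` is undefined, so such a field is no longer forced to `writable = false` even though its metadata carries 'no_update'. Writing the last clause as `!(that.widget && that.widget.always_writable)` keeps the previous behaviour for widget-less fields and lifts the restriction only when a widget opts in.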
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 6ad8aad..e6dfef9 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -1516,6 +1516,8 @@ IPA.custom_command_multivalued_widget = function(spec) {
 
 var that = IPA.multivalued_widget(spec);
 
+that.always_writable = spec.always_writable || true;
+
 that.item_name = spec.item_name || '';
 
 that.adder_dialog_spec = spec.adder_dialog_spec;
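Review bot: `spec.always_writable || true` always evaluates to true, so a spec that passes `always_writable: false` is silently overridden and every custom_command_multivalued_widget bypasses the 'no_update' check in field.js. If true is meant to be the default, test for undefined instead, for example `spec.always_writable !== undefined ? spec.always_writable : true`.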

From 4adde09f3fbb7471d1ef2a0aacd4e92c8e66c280 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 14:12:23 +0100
Subject: [PATCH 2/4] WebUI: Send option:false if checkbox is not checked

A checkbox can have true (checked) as default value, then we need to
send false in case that user unchecks the checkbox.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/field.js | 12 
 1 file changed, 12 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 2d05ab1..01411e4 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -1167,6 +1167,18 @@ field.checkbox_field = IPA.checkbox_field = function(spec) {
 return false;
 };
 
+/** Returns false when checkbox is not checked.
+ * Necessary for checkboxes which has true as default value. i.e.
+ * certmaprule_add
+ */
+that.get_value = function() {
+
+if(that.value.length === 0) {
+that.value = [false];
+}
+return that.value;
+};
+
 return that;
 };
 
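Review bot: `get_value` in checkbox_field assigns to `that.value` as a side effect, and it does so for every checkbox field with an empty value, not only for those whose default is true. Returning `[false]` without storing it would keep the getter free of state changes, and `that.value.length` should be guarded in case `that.value` is undefined. The doc comment should read "checkboxes which have true as default value, e.g. certmaprule_add".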

From caef2cbe531e83a9bade00a55eb75c76bb34ae63 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 16 Jan 2017 14:13:42 +0100
Subject: [PATCH 3/4] WebUI: Create non editable row widget for mutlivalued
 widget

Old krb-principal widget is changed to general one. And used also for
ipacertmapdata in user.

This widget makes every line non-editable.

Part of: https://fedorahosted.org/freeipa/ticket/6601
---
 install/ui/src/freeipa/host.js|  3 ++-
 install/ui/src/freeipa/service.js |  3 ++-
 install/ui/src/freeipa/user.js|  3 ++-
 install/ui/src/freeipa/widget.js  | 26 --
 4 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 87cf264..023530a 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -93,7 +93,8 @@ return {
 name: 'krbprincipalname',
 item_name: 'principal',
 child_spec: {
-$type: 'krb_principal'
+$type: 'non_editable_row',
+data_name: 'krb-principal'
 }
   

[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
What's the hold up here?

Martin and I discussed the necessity to raise the version requirements. Python 
3 packages for PKI simply do not exist until 10.3. I don't want to depend on a 
non-existing package.

In case there are some issues with our CI and proper updates of build 
requirements, then the issue should be handled by a separate ticket.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/336#issuecomment-273416279

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

martbab commented:
"""
@Akasurde are you OK with writing a simple regression test for this command as 
a part of this PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-273416076

[Freeipa-devel] [freeipa PR#399][opened] Certificate mapping test

2017-01-18 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/399
Author: dkupka
 Title: #399: Certificate mapping test
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6542
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/399/head:pr399
git checkout pr399
From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:17:35 +0100
Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to
 tracker

Prepare tracker for easier testing of *-{en,dis}able commands.
---
 ipatests/test_xmlrpc/tracker/base.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py
index aa88e6b..d8cd3a6 100644
--- a/ipatests/test_xmlrpc/tracker/base.py
+++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -198,6 +198,14 @@ def make_update_command(self, updates):
 """Make function that modifies the entry using ${CMD}_mod"""
 raise NotImplementedError(self._override_me_msg)
 
+def make_enable_command(self):
+"""Make function that enables the entry using ${CMD}_enable"""
+raise NotImplementedError(self._override_me_msg)
+
+def make_disable_command(self):
+"""Make function that disables the entry using ${CMD}_disable"""
+raise NotImplementedError(self._override_me_msg)
+
 def create(self):
 """Helper function to create an entry and check the result"""
 self.track_create()
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None):
 def check_update(self, result, extra_keys=()):
 """Check the plugin's `mod` command result"""
 raise NotImplementedError(self._override_me_msg)
+
+def enable(self):
+command = self.make_enable_command()
+result = command()
+self.check_enable(result)
+
+def check_enable(self, result):
+"""Check the plugin's `enable` command result"""
+raise NotImplementedError(self._override_me_msg)
+
+def disable(self):
+command = self.make_disable_command()
+result = command()
+self.check_disable(result)
+
+def check_disable(self, result):
+"""Check the plugin's `disable` command result"""
+raise NotImplementedError(self._override_me_msg)
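Review bot: `enable()` and `disable()` have no docstrings, while the `create()` helper in this file has one, and unlike `create()`, which calls `self.track_create()`, they do not update the tracker's own state, so the tracked attributes may not reflect the change after the command runs. Add docstrings, and either update the tracked enabled flag here or state in the docstring that the `check_enable` / `check_disable` overrides are responsible for it.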

From b9773e1bf5703ee0bbb65287849d6c0062afd15d Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Fri, 13 Jan 2017 13:22:45 +0100
Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands.

https://fedorahosted.org/freeipa/ticket/6542
---
 ipatests/test_xmlrpc/objectclasses.py  |   5 +
 ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++
 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 168 +
 3 files changed, 274 insertions(+)
 create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py
 create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1ea020b..0a15a21 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -227,3 +227,8 @@
 u'top',
 u'ipaca',
 ]
+
+certmaprule = [
+u'top',
+u'ipacertmaprule',
+]
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
new file mode 100644
index 000..4086333
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -0,0 +1,101 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+import pytest
+import itertools
+
+from ipapython.dn import DN
+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
+from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker
+
+certmaprule_create_params = {
+u'cn': u'test_rule',
+u'description': u'Certificate mapping and matching rule for test '
+u'purposes',
+u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'),
+u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and '
+  u'consumed by SSSD',
+u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+u'and consumed by SSSD',
+u'associateddomain': u'example.org',
+u'ipacertmappriority': u'1',
+}
+
+certmaprule_update_params = {
+u'description': u'Changed description',
+u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'),
+u'ipacertmapmaprule': u'changed arbitrary mapping rule',
+u'ipacertmapmatchrule': u'changed arbitrary maching rule',
+u'associateddomain': u'changed.example.org',
+u'ipacertmappriority': u'5',
+}
+
+certmaprule_optional_params = (
+'description',
+'ipacertmapissuer',
+'ipacertmapmaprule',
+'ipacertmapmatchrule',
+

[Freeipa-devel] [freeipa PR#387][comment] Update warning message for ipa server uninstall

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ae2d0a221772267ecda30896dc8897a3f4b4a97b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/387#issuecomment-273415717

[Freeipa-devel] [freeipa PR#387][+pushed] Update warning message for ipa server uninstall

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

Label: +pushed

[Freeipa-devel] [freeipa PR#387][closed] Update warning message for ipa server uninstall

2017-01-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/387
Author: Akasurde
 Title: #387: Update warning message for ipa server uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/387/head:pr387
git checkout pr387

[Freeipa-devel] [freeipa PR#387][+ack] Update warning message for ipa server uninstall

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/387
Title: #387: Update warning message for ipa server uninstall

Label: +ack

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2017-01-18 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

MartinBasti commented:
"""
@gkaihorodova you haven't pushed the changes to github repo

```
git push  --force
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-273414761

[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
@gkaihorodova the PR cannot be pushed in current form because the first commit 
298e1a136c6a430e8deaa558a946ba51874ffd95 is already pushed to master.

So to rebase it correctly please do the following:

Pull the changes from the remote repo (or any other label you have for it) into 
your local master branch:

```shell
$ git  checkout master; git pull
```

Then do the rebase against the refreshed master branch. The first commit should 
now disappear as git should detect that it is already there. If not, then abort 
the current rebase, re-start it in interactive mode (git rebase -i master) and 
remove the first commit manually (just remove the first line). Then force-push 
the changes into your fork:

```shell
$ git push -f origin fix-for-6448
``` 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/210#issuecomment-273414412

[Freeipa-devel] [freeipa PR#398][opened] Support for Certificate Identity Mapping

2017-01-18 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/398
Author: flo-renaud
 Title: #398: Support for Certificate Identity Mapping
Action: opened

PR body:
"""
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/398/head:pr398
git checkout pr398
From 3ccb98ac3c4e38d0454e47df1c06ae61a19fb5ee Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Tue, 20 Dec 2016 16:21:58 +0100
Subject: [PATCH] Support for Certificate Identity Mapping

See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
---
 ACI.txt   |  16 +-
 API.txt   | 184 
 VERSION.m4|   4 +-
 install/share/73certmap.ldif  |  17 ++
 install/share/Makefile.am |   1 +
 install/updates/73-certmap.update |  27 +++
 install/updates/Makefile.am   |   1 +
 ipalib/constants.py   |   2 +
 ipaserver/install/dsinstance.py   |   1 +
 ipaserver/plugins/baseuser.py | 177 ++-
 ipaserver/plugins/certmap.py  | 345 ++
 ipaserver/plugins/stageuser.py|  14 +-
 ipaserver/plugins/user.py |  23 ++-
 13 files changed, 801 insertions(+), 11 deletions(-)
 create mode 100644 install/share/73certmap.ldif
 create mode 100644 install/updates/73-certmap.update
 create mode 100644 ipaserver/plugins/certmap.py

diff --git a/ACI.txt b/ACI.txt
index 0b47489..ec2eeca 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=caacls,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
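Review bot: In the added certmap ACIs, "System: Read Certmap Configuration" is bound to userdn = "ldap:///all" while "System: Read Certmap Rules" is bound to a groupdn permission. Please confirm the split is intended and say why in the commit message, since anything that has to evaluate the rules (ipacertmapissuer, ipacertmapmatchrule, ipacertmapmaprule) will need to hold that permission. Separately, "System: Modify Certmap Rules" lists objectclass in its writable targetattr, which lets a holder change the object classes of a rule entry. Consider dropping it from the write list unless the plugin needs it.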
@@ -337,6 

[Freeipa-devel] [freeipa PR#390][closed] WebUI: Fix Coverity JS bugs

2017-01-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/390
Author: pvomacka
 Title: #390: WebUI: Fix Coverity JS bugs
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/390/head:pr390
git checkout pr390

[Freeipa-devel] [freeipa PR#378][closed] Clean / ignore make check artefact

2017-01-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/378
Author: tiran
 Title: #378: Clean / ignore make check artefact
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/378/head:pr378
git checkout pr378

[Freeipa-devel] [freeipa PR#389][closed] Fix build in mock

2017-01-18 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/389
Author: lslebodn
 Title: #389: Fix build in mock
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/389/head:pr389
git checkout pr389

[Freeipa-devel] [freeipa PR#378][+pushed] Clean / ignore make check artefact

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Clean / ignore make check artefact

Label: +pushed

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-18 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

tiran commented:
"""
@LiptonB thanks a lot for resuming your work!

Please add jinja2 to `ipaclient/setup.py`, too.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-273413601

[Freeipa-devel] [freeipa PR#390][comment] WebUI: Fix Coverity JS bugs

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/390
Title: #390: WebUI: Fix Coverity JS bugs

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a69c4448c58b2438952fd806e2515eea7575b27b
https://fedorahosted.org/freeipa/changeset/9d2ef64fb9e1357dc4a3cde8d93c796daefd2f6e
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/390#issuecomment-273410950

[Freeipa-devel] [freeipa PR#389][comment] Fix build in mock

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5c18feaa206bbaee692fc3640b7b79c8d9d6a638
https://fedorahosted.org/freeipa/changeset/3f91469f327d8d9f3b27e0b67c54a4f47ad845c1
https://fedorahosted.org/freeipa/changeset/b82d285a4a75e11cc9291ecca12d2fcc26f43ed1
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/389#issuecomment-27349

[Freeipa-devel] [freeipa PR#390][+pushed] WebUI: Fix Coverity JS bugs

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/390
Title: #390: WebUI: Fix Coverity JS bugs

Label: +pushed

[Freeipa-devel] [freeipa PR#378][comment] Clean / ignore make check artefact

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/378
Title: #378: Clean / ignore make check artefact

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d8343a96dd206c9f25cf032a50f3b48fb8166db1
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/378#issuecomment-273411645

[Freeipa-devel] [freeipa PR#389][+pushed] Fix build in mock

2017-01-18 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/389
Title: #389: Fix build in mock

Label: +pushed