[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

2017-01-23 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

martbab commented:
"""
Since the re-implementation of this test suite is done by @celestian in 
https://github.com/freeipa/freeipa/pull/409 can I close this PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/196#issuecomment-274733248
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

2017-01-23 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

MartinBasti commented:
"""
Travis:
```
PEP-8 errors:
./ipatests/test_integration/test_netgroup.py:87:80: E501 line too long (84 > 79 
characters)
./ipatests/test_integration/test_netgroup.py:96:80: E501 line too long (88 > 79 
characters)


Pylint:
Pylint is running, please wait ...
* Module ipatests.test_integration.test_netgroup
ipatests/test_integration/test_netgroup.py:2: [W0512(invalid-encoded-data), ] 
Cannot decode using encoding "ascii", unexpected byte at position 9)
ipatests/test_integration/test_netgroup.py:87: [E1101(no-member), 
TestNetgroups.check_users_in_netgroups] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:96: [E1101(no-member), 
TestNetgroups.check_nested_netgroup_hierarchy] Class 'domain' has no 'name' 
member)
ipatests/test_integration/test_netgroup.py:125: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:130: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:131: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:132: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:147: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:148: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
ipatests/test_integration/test_netgroup.py:149: [E1101(no-member), 
TestNetgroups.test_remove_nested_netgroup] Class 'domain' has no 'name' member)
make: *** [pylint] Error 6
```

I'm afraid that pylint cannot handle it, so probably you have to disable 
problematic lines.

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/409#issuecomment-27472

[Freeipa-devel] [freeipa PR#411][opened] Remove deprecated ipa-upgradeconfig command

2017-01-23 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/411
Author: Akasurde
 Title: #411: Remove deprecated ipa-upgradeconfig command
Action: opened

PR body:
"""
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/411/head:pr411
git checkout pr411
From 8bffdfce38120f9d99c9a0f74e5976f760942d77 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Tue, 24 Jan 2017 12:45:15 +0530
Subject: [PATCH] Remove deprecated ipa-upgradeconfig command

Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde 
---
 freeipa.spec.in   |  2 --
 install/tools/Makefile.am |  1 -
 install/tools/ipa-upgradeconfig   | 26 --
 install/tools/man/Makefile.am |  1 -
 install/tools/man/ipa-upgradeconfig.8 | 42 ---
 5 files changed, 72 deletions(-)
 delete mode 100755 install/tools/ipa-upgradeconfig
 delete mode 100644 install/tools/man/ipa-upgradeconfig.8

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 99820d1..a7e05f3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1099,7 +1099,6 @@ fi
 %{_sbindir}/ipa-nis-manage
 %{_sbindir}/ipa-managed-entries
 %{_sbindir}/ipactl
-%{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-advise
 %{_sbindir}/ipa-cacert-manage
 %{_sbindir}/ipa-winsync-migrate
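Review bot: the %files change is correct, but the stat above shows that the spec, the script, its man page and the two Makefile.am entries are the only places this patch touches; before merge, run `git grep -n ipa-upgradeconfig` over the tree to confirm that no other man page, installer module or document still tells administrators to run the command, since any such reference would now point at a binary that no longer exists.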
@@ -1158,7 +1157,6 @@ fi
 %{_mandir}/man1/ipa-managed-entries.1*
 %{_mandir}/man1/ipa-ldap-updater.1*
 %{_mandir}/man8/ipactl.8*
-%{_mandir}/man8/ipa-upgradeconfig.8*
 %{_mandir}/man1/ipa-backup.1*
 %{_mandir}/man1/ipa-restore.1*
 %{_mandir}/man1/ipa-advise.1*
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 74f428e..f2c2ce2 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -23,7 +23,6 @@ dist_sbin_SCRIPTS =		\
 	ipa-managed-entries \
 	ipa-ldap-updater	\
 	ipa-otptoken-import	\
-	ipa-upgradeconfig	\
 	ipa-backup		\
 	ipa-restore		\
 	ipa-advise		\
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
deleted file mode 100755
index 5f3a2b4..000
--- a/install/tools/ipa-upgradeconfig
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/python2
-#
-# Authors:
-#   Rob Crittenden 
-#
-# Copyright (C) 2009  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
-
-import sys
-
-if __name__ == '__main__':
-sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the "
- "IPA server.")
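Review bot: the file being deleted is already a stub whose only behaviour is `sys.exit("Please run the 'ipa-server-upgrade' command to upgrade the IPA server.")`, so removing it turns that hint into a plain "command not found" for any script or runbook that still invokes ipa-upgradeconfig. That is acceptable if ticket 6620 considers the deprecation period over, but it deserves a line in the release notes and a mention in the ipa-server-upgrade documentation that the old name is gone.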
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index b1fba6d..0d06ec7 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -31,5 +31,4 @@ dist_man1_MANS = 			\
 
 dist_man8_MANS =			\
 	ipactl.8			\
-	ipa-upgradeconfig.8		\
 $(NULL)
diff --git a/install/tools/man/ipa-upgradeconfig.8 b/install/tools/man/ipa-upgradeconfig.8
deleted file mode 100644
index 43e2ab9..000
--- a/install/tools/man/ipa-upgradeconfig.8
+++ /dev/null
@@ -1,42 +0,0 @@
-.\" A man page for ipa-upgradeconfig
-.\" Copyright (C) 2010 Red Hat, Inc.
-.\" 
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation, either version 3 of the License, or
-.\" (at your option) any later version.
-.\" 
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-.\" General Public License for more details.
-.\" 
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program.  If not, see .
-.\" 
-.\" Author: Rob Crittenden 
-.\" 
-.TH "ipa-upgradeconfig" "8" "Jun 18 2012" "freeipa" ""
-.SH "NAME"
-ipa\-upgradeconfig \- Upgrade the IPA Apache configuration
-.SH "SYNOPSIS"
-ipa\-upgradeconfig
-.SH "DESCRIPTION"
-A tool to update the IPA Apache configuration during an upgrade.
-
-It examines the VERSION value in the head of \fI/etc/httpd/conf.d/ipa.conf\fR and \fI/etc/httpd/conf.d/ipa\-rewrite.conf\fR and compares this with the templates. If an update is needed then new files are written.
-
-It also will convert a

[Freeipa-devel] [freeipa PR#410][opened] ipa-kdb: support KDB DAL version 6.1

2017-01-23 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/410
Author: abbra
 Title: #410: ipa-kdb: support KDB DAL version 6.1
Action: opened

PR body:
"""
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at https://github.com/krb5/krb5/pull/596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

https://fedorahosted.org/freeipa/ticket/6619

On Fedora the required interface is available in krb5-1.15-5.fc26 package.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/410/head:pr410
git checkout pr410
From e4c098202298e3c1da76af576748b5b645b704c5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 23 Jan 2017 22:56:41 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, the FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at https://github.com/krb5/krb5/pull/596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

https://fedorahosted.org/freeipa/ticket/6619
---
 configure.ac |  8 +++
 daemons/ipa-kdb/ipa_kdb.c|  5 -
 daemons/ipa-kdb/ipa_kdb.h|  2 ++
 daemons/ipa-kdb/ipa_kdb_principals.c | 42 
 4 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6cd3a89..c01743e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,6 +65,14 @@ krb5rundir="${localstatedir}/run/krb5kdc"
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[struct kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
 dnl ---
 dnl - Check for OpenLDAP SDK
 dnl ---
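Review bot: both checks compile against the current CPPFLAGS, and AC_CHECK_HEADER(kdb.h, ...) turns a header that is merely not on the default include path into a hard AC_MSG_ERROR; if the krb5 headers are located through krb5-config or pkg-config flags (the KRAD_LIBS substitution just above suggests krb5 is already probed earlier in configure.ac), add those flags to CPPFLAGS around these two checks. Otherwise AC_CHECK_MEMBER can fail to compile its test program, quietly take the AC_MSG_NOTICE branch, and the build ends up without HAVE_KDB_FREEPRINCIPAL_EDATA, i.e. still leaking on a DAL that does offer the callback.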
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index e96353f..72ac6ec 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -684,7 +684,10 @@ kdb_vftabl kdb_function_table = {
 .check_transited_realms = ipadb_check_transited_realms,
 .check_policy_as = ipadb_check_policy_as,
 .audit_as_req = ipadb_audit_as_req,
-.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+.check_allowed_to_delegate = ipadb_check_allowed_to_delegate,
+#ifdef HAVE_KDB_FREEPRINCIPAL_EDATA
+.free_principal_e_data = ipadb_free_principal_e_data,
+#endif
 };
 
 #else
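Review bot: with the #ifdef, a build against a DAL that has no free_principal_e_data member and, per the commit message, no free_principal callback either (exactly the krb5 1.15 / DAL 6.0 case the PR body describes) compiles cleanly and keeps the leak. Since configure only emits AC_MSG_NOTICE in that case, consider raising the krb5-devel BuildRequires in freeipa.spec.in (the PR body names krb5-1.15-5.fc26 as the first package with the interface) or failing configure when the member is absent and the DAL is 6.0; neither is part of this diff.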
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 1fdb409..d5a3433 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -180,6 +180,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
 unsigned int flags,
 krb5_db_entry **entry);
 void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry);
+/* Helper function for DAL API 6.1 or later */
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data);
 krb5_error_code ipadb_put_principal(krb5_context kcontext,
 krb5_db_entry *entry,
 char **db_args);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 5b80909..3bd8fb8 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1274,12 +1274,33 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
 return kerr;
 }
 
-void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry)
+void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
 {
 struct ipadb_e_data *ied;
-krb5_tl_data *prev, *next;
 int i;
 
+ied = (struct ipadb_e_data *)e_data;
+if (ied->magic == IPA_E_DATA_MAGIC) {
+	ldap_memfree(ied->entry_dn);
+	free(ied->passwd);
+	free(ied->pw_policy_dn);
+	for (i = 0; ied->pw_history && ied->pw_history[i]; i++) {
+	free(ied->pw_history[i]);
+	}
+	free(ied->pw_history);
+	for
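Review bot: ipadb_free_principal_e_data dereferences `ied->magic` without first checking `e_data` for NULL; even if the DAL skips the callback for entries without e_data, the commit message says the same helper is called from ipadb_free_principal on older DALs, so an `if (e_data == NULL) return;` guard is cheap insurance. Two further points on what is visible: the member frees happen only inside the `ied->magic == IPA_E_DATA_MAGIC` branch, so make sure the e_data buffer itself is released on both the matching and the non-matching path (the hunk is cut off before that point), and the added lines are indented with a tab while the surrounding file uses spaces.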

[Freeipa-devel] [freeipa PR#409][comment] ipatests: nested netgroups (intg)

2017-01-23 Thread celestian
  URL: https://github.com/freeipa/freeipa/pull/409
Title: #409: ipatests: nested netgroups (intg)

celestian commented:
"""
I see there are some issues:
1. It seems Travis hit some kind of time out. Maybe it is not connected to my 
proposed test.
2. The QuantifiedCode issues are clear.

I have PTO now and I will be back in work on Friday. But I hope I find a time 
to fix it sooner.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/409#issuecomment-274722816

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-23 Thread LiptonB
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

LiptonB commented:
"""
@HonzaCholasta, I think I see what you mean about these templates not being 
dependent on dogtag, and I'm fine with removing the `userCert` dogtag profile 
from this PR if you don't think it's relevant. Is it ok to leave the `userCert` 
CSR generation profile, as an example of what the tool can do?

So, do you mean we should no longer consider CSR generation profiles to be 
associated with IPA profiles? In 
https://github.com/LiptonB/freeipa/tree/local-cert-build I have code that 
allows you to run `ipa cert-request --autogenerate --principal someserver 
--profile-id caIPAserviceCert` and get a cert for the server back in one step. 
It uses the `caIPAserviceCert` CSR profile to make a CSR that works with the 
`caIPAserviceCert` IPA profile. So it seems to me that having the profiles 
linked makes the cert generation experience simpler, and that was the original 
way this feature was proposed to me. But, if you'd rather have them not be 
linked, should I modify this command so the CSR profile is specified with a 
separate flag from the IPA one?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-274712673

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-01-23 Thread redhatrises
  URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

redhatrises commented:
"""
Sorry for the delayed response.

This is useful for environments where utilities like `pwgen` may not be allowed 
to be installed due to compliance/environment reasons. It is also especially 
useful for handling service accounts whose passwords have to be changed 
regularly or for managing passwords for shared user accounts where users' only 
access to the accounts is through sudo. Plus if no one is logging into the 
accounts, service or user, which are required to have passwords change 
regularly, why not have the authentication tool come up with one that is 
sufficient for the organizational requirements (28 different random 
passwords) without having to come up with a password or having to remember x 
utility (which may not be allowed to be installed) from doing it? 

However, the final iteration of this (which I have not added yet) is to add 
`--user` and/or `--service-account` to handle changing those passwords with a 
generated password for user accounts or service accounts. Another option would 
be to just add an option that behaves the same way such as `--generate` to `ipa 
passwd` e.g. `ipa passwd user1 --generate`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/403#issuecomment-274684765

[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

2017-01-23 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
The latest rebase installs a replica correctly here, haven't got to fix ca-less 
yet, but everything else should be ready to go.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/314#issuecomment-274577459

[Freeipa-devel] [freeipa PR#409][opened] ipatests: nested netgroups (intg)

2017-01-23 Thread celestian
   URL: https://github.com/freeipa/freeipa/pull/409
Author: celestian
 Title: #409: ipatests: nested netgroups (intg)
Action: opened

PR body:
"""
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/409/head:pr409
git checkout pr409
From aa0707a093a70ecfba67872230b98af09ad67986 Mon Sep 17 00:00:00 2001
From: Petr Čech 
Date: Mon, 23 Jan 2017 18:46:42 +0100
Subject: [PATCH] ipatests: nested netgroups (intg)

Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups

The test case tests for direct and indirect membership.

https://fedorahosted.org/freeipa/ticket/6439
---
 ipatests/test_integration/test_netgroup.py | 149 +
 1 file changed, 149 insertions(+)
 create mode 100644 ipatests/test_integration/test_netgroup.py

diff --git a/ipatests/test_integration/test_netgroup.py b/ipatests/test_integration/test_netgroup.py
new file mode 100644
index 000..371311b
--- /dev/null
+++ b/ipatests/test_integration/test_netgroup.py
@@ -0,0 +1,149 @@
+# Authors:
+#   Petr Čech 
+#
+# Copyright (C) 2017  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+from __future__ import print_function
+
+import pytest
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.tasks import clear_sssd_cache
+
+
+@pytest.fixture()
+def three_netgroups(request):
+for i in range(1, 4):
+request.cls.master.run_command(['ipa', 'user-add',
+'testuser%d' % i,
+'--first', 'Test',
+'--last', 'User%d' % i])
+
+request.cls.master.run_command(['ipa', 'netgroup-add',
+'test_netgroup%d' % i])
+
+request.cls.master.run_command(['ipa', 'netgroup-add-member',
+'--users=testuser%d' % i,
+'test_netgroup%d' % i])
+
+def teardown_three_netgroups():
+for i in range(1, 4):
+request.cls.master.run_command(['ipa', 'netgroup-del',
+'test_netgroup%d' % i])
+for i in range(1, 4):
+request.cls.master.run_command(['ipa', 'user-del',
+'testuser%d' % i])
+
+request.addfinalizer(teardown_three_netgroups)
+
+
+class TestNetgroups(IntegrationTest):
+"""
+Test Netgroups
+"""
+
+num_clients = 1
+topology = 'line'
+
+@classmethod
+def install(cls, mh):
+super(TestNetgroups, cls).install(mh)
+
+cls.client = cls.clients[0]
+cls.clientname = cls.client.run_command(
+['hostname', '-s']).stdout_text.strip()
+
+cls.domain = cls.get_domains()[0]
+
+@classmethod
+def uninstall(cls, mh):
+super(TestNetgroups, cls).uninstall(mh)
+
+def check_users_in_netgroups(self):
+clear_sssd_cache(self.client)
+for i in range(1, 4):
+result = self.client.run_command(['getent', 'passwd',
+  'testuser%d' % i])
+assert result.returncode == 0
+assert 'Test User%d' % i in result.stdout_text
+
+result = self.client.run_command(['getent', 'netgroup',
+  'test_netgroup%d' % i])
+assert result.returncode == 0
+assert '(-,testuser%d,%s)' % (i, self.domain.name) in result.stdout_text
+
+def check_nested_netgroup_hierarchy(self):
+clear_sssd_cache(self.client)
+for i in range(1, 4):
+result = self.client.run_command(['getent', 'netgroup',
+  'test_netgroup%d' % i])
+assert result.returncode == 0
+for j in range(1, i):
+assert '(-,testuser%d,%s)' % (j, self.domain.name) in result.stdout_text
+
+def prepare_nested_netgroup_hierarchy(self):
+for i in range(1, 3):
+

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-23 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

rcritten commented:
"""
I always found the lite-server to be incredibly helpful for server-side plugin 
development. If it isn't being used any more then I'd wonder what is being used 
instead.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274550653

[Freeipa-devel] [freeipa PR#407][comment] New lite-server implementation

2017-01-23 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/407
Title: #407: New lite-server implementation

pvoborni commented:
"""
Shouldn't we rather remove lite server completely?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/407#issuecomment-274538664

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-01-23 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

abbra commented:
"""
@redhatrises, could you please explain more why you need this command as it is?

FreeIPA allows having multiple password policies. If you want to generate 
passwords that conform to a particular policy, it would be more reasonable to 
retrieve the password policy and use it to supply the arguments of the password 
generator.

The generated password does not need to be transferred over the network. As you 
are adding a command to IPA, it could be a client-side plugin because Python 
client side code always has access to ipapython.util module. 

There could be multiple password generators. For example, on Linux systems you 
can simply use `pwqgen` utility from passwdqc package to generate passwords 
compatible with FreeIPA password policies. Granted, a configuration file needs 
to be created that translates a FreeIPA password policy but this is at least 
something that a command in IPA could do on the client side after fetching a 
policy.

If the password generation is based on a particular policy and is moved to the 
client side, why not create a plugin for ipa-advise instead? It would actually 
generate a script that calls pwqgen or other generator tool. This would be more 
useful to other environments as the script would also contain a reference to 
the password policy parameters and can be run independent of the FreeIPA 
infrastructure.

Let me know what you think about it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/403#issuecomment-274505035
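The approach abbra describes, fetching the policy first and feeding its parameters to the generator, as an added example in Python that is not part of PR #403 or of FreeIPA itself. It assumes the raw attribute dict that `ipa pwpolicy-show --raw` returns (LDAP style, every value a list of strings, attribute names krbpwdminlength and krbpwdmindiffchars), and it assumes a four-class split for the krbpwdmindiffchars count, which is the example's approximation of FreeIPA's own class rules; the sample policy is constructed, not taken from any deployment. History length and minimum lifetime cannot be checked on the client, so only length and class count are enforced here.

```python
import secrets
import string

# Character classes used to count krbpwdmindiffchars. This four-class split is
# an assumption of the example, an approximation of FreeIPA's own class rules.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!#$%&()*+,-./:;<=>?@[]^_{|}~",   # shell-friendly subset
}

# Constructed stand-in for the raw attribute dict `ipa pwpolicy-show --raw`
# returns (LDAP style: every value is a list of strings). Not real output.
SAMPLE_POLICY = {
    "cn": ["global_policy"],
    "krbpwdminlength": ["12"],
    "krbpwdmindiffchars": ["3"],
    "krbpwdhistorylength": ["5"],
    "krbminpwdlife": ["1"],
}


def policy_params(raw):
    """Extract the two client-checkable constraints from a raw policy dict."""
    def first_int(attr, default):
        values = raw.get(attr)
        return int(values[0]) if values else default

    return {
        "min_length": first_int("krbpwdminlength", 0),
        "min_classes": min(first_int("krbpwdmindiffchars", 0), len(CLASSES)),
    }


def classes_in(password):
    """Names of the character classes that occur in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password, raw):
    """True if password satisfies the length and class-count rules of raw."""
    params = policy_params(raw)
    return (len(password) >= params["min_length"]
            and len(classes_in(password)) >= params["min_classes"])


def generate(raw, length=None):
    """Generate a password conforming to raw, using the OS CSPRNG only.

    One character from each of min_classes randomly chosen classes guarantees
    the class count; the rest is drawn uniformly from the union of all classes
    and the whole thing is shuffled so class positions carry no information.
    """
    params = policy_params(raw)
    if length is None:
        length = max(params["min_length"], 16)   # never below the policy floor
    if length < params["min_length"] or length < params["min_classes"]:
        raise ValueError("requested length cannot satisfy the policy")

    rng = secrets.SystemRandom()                 # os.urandom-backed, like secrets
    required = rng.sample(list(CLASSES), params["min_classes"])
    chars = [secrets.choice(CLASSES[name]) for name in required]
    alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    password = "".join(chars)
    assert meets_policy(password, raw)           # construction guarantees it
    return password


if __name__ == "__main__":
    print(generate(SAMPLE_POLICY))
```

Everything random comes from `secrets` / `SystemRandom`, never from the default `random` generator; the policy is read into plain integers once so the same `meets_policy` check can be reused to validate a password a human typed, and a requested length below the policy minimum is rejected rather than silently padded.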

[Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates

2017-01-23 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/359
Title: #359: dogtag: search past the first 100 certificates

tomaskrizek commented:
"""
The behavior of the command seems to be correct now, but I'm also not sure 
about the WebUI. There seems to be a limit of 20 items when displayed in WebUI 
(with pagination). I'm not sure if it's possible to configure that.

@pvomacka Were there any recent changes in the WebUI pagination? Is it possible 
to configure how many items should be displayed?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/359#issuecomment-274504322

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-23 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

flo-renaud commented:
"""
This PR has been modified to be consistent with PKI fix for 
[2570](https://fedorahosted.org/pki/ticket/2570). PKI now defines the AJP 
redirection to "localhost" by default, meaning that we no longer need to 
override this setting. Upgrade is also handled by PKI. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-274490123

[Freeipa-devel] [freeipa PR#395][synchronized] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-01-23 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395
From 143689cac6fd954380c09d55a6ed78114c5d5c18 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 12 Jan 2017 18:17:15 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"

When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA no longer needs to override
this setting.

https://fedorahosted.org/freeipa/ticket/6575
---
 ipaserver/install/cainstance.py | 4 
 1 file changed, 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index f933479..77c603a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -595,10 +595,6 @@ def __spawn_instance(self):
 config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
 
-# PKI IPv6 Configuration
-config.add_section("Tomcat")
-config.set("Tomcat", "pki_ajp_host", "::1")
-
 # Generate configuration file
 with open(cfg_file, "wb") as f:
 config.write(f)
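Review bot: dropping the pki_ajp_host override makes the installer depend on a PKI build that carries the fix for PKI ticket 2570, but the visible diff only touches cainstance.py; the matching Requires/BuildRequires bump for the PKI package in freeipa.spec.in should be part of the same change, otherwise an install against an older PKI uses whatever that PKI's own default is, which FreeIPA no longer controls. A one-line comment at the removal site pointing at ticket 2570 would also help the next reader understand why the Tomcat section is no longer written.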
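The failure mode the commit message describes (the AJP host is a literal ::1 while /etc/hosts maps localhost only to 127.0.0.1) can be checked before the installer runs. The following is an added example, not code from PR #395 or from FreeIPA; the two /etc/hosts contents are constructed and the function names are the example's own. It reads only the hosts file, so it says nothing about what nss-myhostname or DNS would add at resolution time.

```python
import ipaddress

# Constructed /etc/hosts samples; not taken from any real machine.
HOSTS_WITH_V6 = """\
127.0.0.1   localhost localhost.localdomain localhost4
::1         localhost localhost.localdomain localhost6
192.0.2.10  ipa.example.test ipa
"""

HOSTS_WITHOUT_V6 = """\
127.0.0.1   localhost localhost.localdomain   # IPv6 loopback line missing
192.0.2.10  ipa.example.test ipa
"""


def parse_hosts(text):
    """Map each name in an /etc/hosts file to the set of addresses it is given.

    Comments (#), blank lines and lines whose first field is not an IP
    address are skipped, mirroring what the files resolver does.
    """
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), set()).add(addr)
    return names


def loopback_coverage(text, name="localhost"):
    """Which loopback families /etc/hosts provides for `name`."""
    addrs = parse_hosts(text).get(name.lower(), set())
    return {
        "ipv4": any(a.version == 4 and a.is_loopback for a in addrs),
        "ipv6": any(a.version == 6 and a.is_loopback for a in addrs),
    }


def ajp_host_consistent(text, ajp_host, name="localhost"):
    """True if a pki_ajp_host value agrees with the /etc/hosts view of `name`.

    A literal address (the old "::1" setting) is consistent only if `name`
    maps to exactly that address; a hostname is consistent if it maps to at
    least one loopback address. "::1" with no ::1 line for localhost is the
    failing case from the commit message.
    """
    entries = parse_hosts(text)
    try:
        target = ipaddress.ip_address(ajp_host)
    except ValueError:
        return any(a.is_loopback for a in entries.get(ajp_host.lower(), set()))
    return target in entries.get(name.lower(), set())


if __name__ == "__main__":
    for label, text in (("with ::1", HOSTS_WITH_V6),
                        ("without ::1", HOSTS_WITHOUT_V6)):
        print(label, loopback_coverage(text),
              "ajp ::1 ok:", ajp_host_consistent(text, "::1"),
              "ajp localhost ok:", ajp_host_consistent(text, "localhost"))
```

On a host where nsswitch.conf lists myhostname, `localhost` resolves to both 127.0.0.1 and ::1 regardless of the file contents, so treat a negative result from this check as a prompt to verify with `getent ahosts localhost` rather than as proof of a broken setup.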

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-01-23 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 1f195bb418a1a0edbce3371e1fd315263ccb7f5f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/4] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as a stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for the caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with an instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 11 ++-
 ipaserver/plugins/hbactest.py | 19 ---
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4..691f4e9 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,7 +2,6 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
@@ -17,6 +16,11 @@
 from ipalib import _, ngettext
 from ipapython.dn import DN
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
 if six.PY3:
 unicode = str
 
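Review bot: the `pyhbac = None` fallback is only safe because every `pyhbac.*` use in this module is reached through `acl_evaluate()`, which checks for None; `_acl_make_rule()` and `_acl_make_request()` have no guard of their own. State that invariant in a comment next to the `try`/`except ImportError` so a future caller of the helpers does not trip an AttributeError, and consider the boolean-flag convention (`_pyhbac_installed`) if the rest of the tree records optional imports that way.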
@@ -152,6 +156,11 @@ def _acl_make_rule(principal_type, obj):
 
 
 def acl_evaluate(principal_type, principal, ca_id, profile_id):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_('pyhbac is not available on the server.')
+)
 req = _acl_make_request(principal_type, principal, ca_id, profile_id)
 acls = api.Command.caacl_find(no_members=False)['result']
 rules = [_acl_make_rule(principal_type, obj) for obj in acls]
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 626e894..e156568 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -29,9 +29,14 @@
 except ImportError:
 _dcerpc_bindings_installed = False
 
-import pyhbac
 import six
 
+try:
+import pyhbac
+except ImportError:
+pyhbac = None
+
+
 if six.PY3:
 unicode = str
 
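Review bot: the guarded import mirrors the `_dcerpc_bindings_installed` block just above, which records availability as a boolean; picking one convention for optional imports in this file (flag or None sentinel) would be cleaner. The two blank lines after `pyhbac = None` are one more than the surrounding style uses.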
@@ -210,7 +215,7 @@
 
 register = Registry()
 
-def convert_to_ipa_rule(rule):
+def _convert_to_ipa_rule(rule):
 # convert a dict with a rule to an pyhbac rule
 ipa_rule = pyhbac.HbacRule(rule['cn'][0])
 ipa_rule.enabled = rule['ipaenabledflag'][0]
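Review bot: renaming `convert_to_ipa_rule()` to `_convert_to_ipa_rule()` changes a public name in a plugin module, so anything outside this file that imported it (tests included) breaks; grep for the old name or keep a compatibility alias. The comment above the function should also state the precondition the commit message relies on, namely that `execute()` has already verified `pyhbac` is importable before this helper runs.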
@@ -309,6 +314,14 @@ def canonicalize(self, host):
 return host
 
 def execute(self, *args, **options):
+if pyhbac is None:
+raise errors.ValidationError(
+name=_('missing pyhbac'),
+error=_(
+'pyhbac is not available on the server.'
+)
+)
+
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
 # 2. Required options are (user, target host, service)
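Review bot: the guard raises before any work is done, which is right, but the string `'pyhbac is not available on the server.'` is wrapped in a multi-line `_()` call here and a one-line call in caacl.py; use the identical literal and layout in both files so translators see one msgid. As in caacl.py, `ValidationError` is a client-input error class for what is really a server configuration problem.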
@@ -356,7 +369,7 @@ def execute(self, *args, **options):
 # --disabled will import all disabled rules
 # --rules will implicitly add the rules from a rule list
 for rule in hbacset:
-ipa_rule = convert_to_ipa_rule(rule)
+ipa_rule = _convert_to_ipa_rule(rule)
 if ipa_rule.name in testrules:
 ipa_rule.enabled = True
 rules.append(ipa_rule)

From c69c30c2e62b065d061b509fe054f17097fbeec0 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:57:33 +0100
Subject: [PATCH 2/4] Add extra_requires for additional dependencies

ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes 
---
 ipaserver/setup.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipaserver/setup.py b/ipaserver/setup.py
index 1f1b424..1468a24 100755
--- a/ipaserver/setup.py
+++ b/ipaserver/setup.py
@@ -61,12 +61,6 @@
 "python-memcached",
 "python-nss",
 "six",
-# not available on PyPI
-# "python-libipa_hbac",
-# "python-sss",
-# "python-sss-murmur",
-# "python-SSSDConfig",
-# "samba-python",
 ],
 entry_points={
 
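Review bot: the visible part of the hunk only removes the commented-out list of non-PyPI dependencies; the `extras_require` entries the commit message promises must be in the cut-off remainder (the diffstat shows 8 insertions). Note the setuptools keyword is `extras_require`, not `extra_requires` as the subject line says; setuptools silently ignores unknown keywords, so a typo in the code would produce no error, only missing extras.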

[Freeipa-devel] [freeipa PR#379][comment] Packaging: Add placeholder and IPA commands packages

2017-01-23 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add placeholder and IPA commands packages

tiran commented:
"""
The ```ipa``` and ```freeipa``` packages are necessary to prevent typo 
squatting or name squatting attacks, e.g. 
http://arstechnica.com/security/2016/06/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution/
 . We want to make sure that a developer gets FreeIPA when he does ```pip 
install freeipa```.

I already reserved the names on PyPI. It is necessary to upload new packages 
for ```ipa``` and ```freeipa``` regularly. Otherwise PyPI considers our 
packages obsolete and may remove them. See 
https://www.python.org/dev/peps/pep-0541/
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/379#issuecomment-274478485

[Freeipa-devel] [freeipa PR#408][synchronized] ipaldap: properly escape raw binary values in LDAP filters

2017-01-23 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/408
Author: HonzaCholasta
 Title: #408: ipaldap: properly escape raw binary values in LDAP filters
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/408/head:pr408
git checkout pr408
From 03a2a1729106195979eb98361b20002f929bd6e0 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 23 Jan 2017 10:26:50 +0100
Subject: [PATCH] ipaldap: properly escape raw binary values in LDAP filters

Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index daee068..3ee40bf 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -19,6 +19,7 @@
 # along with this program.  If not, see .
 #
 
+import binascii
 import time
 import datetime
 from decimal import Decimal
@@ -1245,11 +1246,13 @@ def make_filter_from_attr(
 return cls.combine_filters(flts, rules)
 elif value is not None:
 if isinstance(value, bytes):
-if six.PY3:
-value = value.decode('raw_unicode_escape')
+value = binascii.hexlify(value).decode('ascii')
+# value[-2:0] is empty string for the initial '\\'
+value = u'\\'.join(
+value[i:i+2] for i in six.moves.range(-2, len(value), 2))
 else:
 value = value_to_utf8(value)
-value = ldap.filter.escape_filter_chars(value)
+value = ldap.filter.escape_filter_chars(value)
 if not exact:
 template = '%s'
 if leading_wildcard:
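Review bot: `u'\\'.join(value[i:i+2] for i in six.moves.range(-2, len(value), 2))` depends on `value[-2:0]` being the empty string to produce the leading backslash, as the comment admits; `u''.join(u'\\' + value[i:i+2] for i in six.moves.range(0, len(value), 2))` says the same thing without the trick. Skipping `escape_filter_chars()` in the bytes branch is correct, because every byte is already emitted as an RFC 4515 `\xx` escape and no filter metacharacter can survive; a comment saying so would stop someone from "fixing" it later. Re-indenting the `escape_filter_chars()` call into the `else` branch keeps text values behaving as before.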

[Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2)

2017-01-23 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/337
Title: #337: Client-side CSR autogeneration (take 2)

HonzaCholasta commented:
"""
@LiptonB, there's still one issue which I'd like to be resolved in this PR, and 
that's that currently CSR templates are tied to certificate profiles. IMO this 
needs to be changed, as certificate profiles in IPA are Dogtag-specific, but 
Dogtag is not required to generate CSRs with this feature, and it should be 
possible to use this feature even in CA-less mode when Dogtag is not installed 
and certificate profiles are not available. Luckily this PR has no hard 
dependency on certificate profiles, with the exception of the 
`validate_profile_id()` call and the inclusion of the `userCert` profile, both 
of which I would like to be removed before the PR is merged.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/337#issuecomment-274463063

[Freeipa-devel] [freeipa PR#408][synchronized] ipaldap: properly escape raw binary values in LDAP filters

2017-01-23 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/408
Author: HonzaCholasta
 Title: #408: ipaldap: properly escape raw binary values in LDAP filters
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/408/head:pr408
git checkout pr408
From b944716bf4123c232bf3adcda032b8796a3c7e38 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 23 Jan 2017 10:26:50 +0100
Subject: [PATCH] ipaldap: properly escape raw binary values in LDAP filters

Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index daee068..7622a95 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -19,6 +19,7 @@
 # along with this program.  If not, see .
 #
 
+import binascii
 import time
 import datetime
 from decimal import Decimal
@@ -1245,11 +1246,12 @@ def make_filter_from_attr(
 return cls.combine_filters(flts, rules)
 elif value is not None:
 if isinstance(value, bytes):
-if six.PY3:
-value = value.decode('raw_unicode_escape')
+value = binascii.hexlify(value).decode('ascii')
+# value[-2:0] is empty string for the initial '\\'
+value = u'\\'.join(
+value[i:i+2] for i in six.moves.range(-2, len(value), 2))
 else:
-value = value_to_utf8(value)
-value = ldap.filter.escape_filter_chars(value)
+value = ldap.filter.escape_filter_chars(value)
 if not exact:
 template = '%s'
 if leading_wildcard:
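Review bot: this revision also drops `value = value_to_utf8(value)` from the `else` branch, so a non-text `value` (an int, a DN object) now reaches `ldap.filter.escape_filter_chars()` uncoerced; either keep a `six.text_type(value)` coercion or document that callers must pass text here. The `binascii.hexlify()` plus `range(-2, ...)` join in the bytes branch is correct but obscure; a per-byte `u'\\{:02x}'.format()` over `six.iterbytes(value)` reads more directly.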

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages

2017-01-23 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add placeholder and IPA commands packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 0f274963d6b0e839f237f9a61cee531a222d62e3 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 9 Jan 2017 11:02:25 +0100
Subject: [PATCH] Packaging: Add placeholder and IPA commands packages

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

The ipa and freeipa packages are placeholders to prevent PyPI squatting
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore|   7 ++
 Makefile.am   |   5 +-
 Makefile.python.am|  21 +++--
 configure.ac  |   4 +
 packaging/Makefile.am |  11 +++
 packaging/freeipa/Makefile.am |   3 +
 packaging/freeipa/README.txt  |   2 +
 packaging/freeipa/setup.cfg   |   6 ++
 packaging/freeipa/setup.py|  36 +++
 packaging/ipa/Makefile.am |   3 +
 packaging/ipa/README.txt  |   2 +
 packaging/ipa/setup.cfg   |   6 ++
 packaging/ipa/setup.py|  36 +++
 packaging/ipacommands/MANIFEST.in |  25 +
 packaging/ipacommands/Makefile.am |  79 
 packaging/ipacommands/setup.cfg   |   5 +
 packaging/ipacommands/setup.py| 194 ++
 17 files changed, 436 insertions(+), 9 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py
 create mode 100644 packaging/ipacommands/MANIFEST.in
 create mode 100644 packaging/ipacommands/Makefile.am
 create mode 100644 packaging/ipacommands/setup.cfg
 create mode 100644 packaging/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 04553fd..249f158 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,3 +112,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/packaging/ipacommands/COPYING
+/packaging/ipacommands/Contributors.txt
+/packaging/ipacommands/asn1
+/packaging/ipacommands/client
+/packaging/ipacommands/ipasetup.py
+/packaging/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index 9bfc899..e25cea3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -202,6 +202,9 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipacommands sdist || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
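Review bot: `ipacommands` is built as `sdist` while the two placeholder packages get `bdist_wheel`; the reason (it compiles C programs, so a wheel would be platform-specific) lives only in the commit message and belongs in a comment on these lines. The `|| exit 1;` suffixes are redundant: each recipe line runs in its own shell and make already aborts on a non-zero status unless the line is prefixed with `-`.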
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
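Review bot: `pkginstall = true` is a new knob with no comment; say what is expected to override it (presumably the packaging/* Makefile.am files that include this fragment) and that it suppresses only the install step, not the build.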
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_b
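Review bot: the `[ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]` guard in uninstall-local is a good addition, but `cat ... | xargs rm -rf` still word-splits on whitespace, so a recorded path containing a space would be mangled; since the record is one path per line, `xargs -d '\n'` (GNU) or a `while IFS= read -r f; do rm -rf "$f"; done` loop is safer. The final `rm -rf "$(DESTDIR)$(pkgpythondir)"` still runs when `pkginstall` is false, which is harmless but worth a comment.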

[Freeipa-devel] [freeipa PR#408][opened] ipaldap: properly escape raw binary values in LDAP filters

2017-01-23 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/408
Author: HonzaCholasta
 Title: #408: ipaldap: properly escape raw binary values in LDAP filters
Action: opened

PR body:
"""
Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/408/head:pr408
git checkout pr408
From ffedfcbaae1627c3acbc4bcb82194802d0c2834f Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 23 Jan 2017 10:26:50 +0100
Subject: [PATCH] ipaldap: properly escape raw binary values in LDAP filters

Manually escape each byte in the value, do not use
ldap.filter.escape_filter_chars() as it does not work with bytes in
Python 3.

https://fedorahosted.org/freeipa/ticket/4985
---
 ipapython/ipaldap.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index daee068..3d4aea4 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1245,11 +1245,10 @@ def make_filter_from_attr(
 return cls.combine_filters(flts, rules)
 elif value is not None:
 if isinstance(value, bytes):
-if six.PY3:
-value = value.decode('raw_unicode_escape')
+value = u''.join(
+u'\\{:02x}'.format(i) for i in six.iterbytes(value))
 else:
-value = value_to_utf8(value)
-value = ldap.filter.escape_filter_chars(value)
+value = ldap.filter.escape_filter_chars(value)
 if not exact:
 template = '%s'
 if leading_wildcard:
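Review bot: `u'\\{:02x}'.format(i) for i in six.iterbytes(value)` is the clearest form of the per-byte escape and covers Python 2 and 3. Two behaviour changes deserve a look: on Python 2 `bytes is str`, so every plain `str` value callers pass for a text attribute now comes out fully hex-escaped instead of going through `escape_filter_chars()` (the filter still matches, but it is unreadable in logs and differs from before); and the `else` branch drops `value_to_utf8(value)`, so non-text values (ints, DN objects) reach `escape_filter_chars()` uncoerced. Either coerce with `six.text_type(value)` first or state that callers must pass text.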
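The escaping rule the PR body describes, as an added example that is not FreeIPA's own ipaldap code: a standard-library-only routine that hex-escapes every byte of a bytes value and character-escapes text (coercing other types to text first, which the older code did with value_to_utf8()), plus the PR's slice-based variant for comparison. Function names are assumptions for this example and the sample inputs are constructed.

```python
"""Escape attribute values for LDAP search filters (RFC 4515).

Added example, not FreeIPA's ipaldap code. The names escape_filter_value,
escape_bytes_slice_trick and make_equality_filter are assumptions.
"""
import binascii

# Filter metacharacters that must be escaped inside a text assertion value.
_TEXT_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Return `value` in a form that is safe to splice into a filter.

    bytes -> every byte becomes a two-digit hex escape (\\xx), so raw
             binary such as a SID or a DER blob cannot contain a filter
             metacharacter no matter what the bytes are.
    text  -> only the five RFC 4515 metacharacters are escaped, which keeps
             ordinary values readable in logs.
    other -> coerced to text first, then escaped as text.
    """
    if isinstance(value, bytes):
        hexed = binascii.hexlify(value).decode("ascii")
        return "".join("\\" + hexed[i:i + 2] for i in range(0, len(hexed), 2))
    if not isinstance(value, str):
        value = str(value)
    return "".join(_TEXT_ESCAPES.get(ch, ch) for ch in value)


def escape_bytes_slice_trick(value):
    """The join-over-range(-2, ...) variant from the PR, for comparison.

    hexed[-2:0] is always the empty string, so the first element of the
    join is '' and the separator supplies the leading backslash; the result
    is identical to escape_filter_value() for bytes, just harder to read.
    """
    hexed = binascii.hexlify(value).decode("ascii")
    return "\\".join(hexed[i:i + 2] for i in range(-2, len(hexed), 2))


def make_equality_filter(attr, value):
    """Build an (attr=value) equality filter with the value escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    # Constructed samples: a short binary blob, a benign user name, a name
    # carrying filter metacharacters, and a non-text value.
    for sample in (b"\xde\xad\xbe\xef", "alice", "*)(uid=*", 42):
        print(repr(sample), "->", make_equality_filter("uid", sample))
```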

[Freeipa-devel] [freeipa PR#407][synchronized] New lite-server implementation

2017-01-23 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/407
Author: tiran
 Title: #407: New lite-server implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/407/head:pr407
git checkout pr407
From d40069c49ee7e4f4b2dcab09aeb7a307457f4641 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Sat, 21 Jan 2017 19:34:12 +0100
Subject: [PATCH] New lite-server implementation

The new development server depends on werkzeug instead of paste. The
werkzeug WSGI server comes with some additional features, most
noticeably a multi-processing server. The IPA framework is not compatible
with threaded servers. Werkzeug can serve static files easily and has a
fast auto-reloader.

The new lite-server implementation depends on PR 314 (privilege
separation). For Python 3 support, it additionally depends on PR 393.

Signed-off-by: Christian Heimes 
---
 lite-server.py | 269 +
 1 file changed, 158 insertions(+), 111 deletions(-)

diff --git a/lite-server.py b/lite-server.py
index cd4f09c..9a46aa5 100755
--- a/lite-server.py
+++ b/lite-server.py
@@ -1,125 +1,135 @@
-#!/usr/bin/python2
-
-# Authors:
-#   Jason Gerard DeRose 
-#
-# Copyright (C) 2008  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
+#!/usr/bin/env python
 #
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
 #
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
+"""In-tree development server
 
-"""
-In-tree paste-based test server.
+The dev server requires a Kerberos TGT and a file based credential cache:
 
-This uses the *Python Paste* WSGI server.  For more info, see:
+$ mkdir -p ~/.ipa
+$ export KRB5CCNAME=~/.ipa/ccache
+$ kinit admin
+$ ./lite-server.py
 
-http://pythonpaste.org/
+Optionally you can set KRB5_CONFIG to use a custom Kerberos configuration
+instead of /etc/krb5.conf.
 
-Unfortunately, SSL support is broken under Python 2.6 with paste 1.7.2, see:
+By default the dev server supports HTTP only. To switch to HTTPS, you can put
+a PEM file at ~/.ipa/lite.pem. The PEM file must contain a server certificate,
+its unencrypted private key and intermediate chain certs (if applicable).
 
-http://trac.pythonpaste.org/pythonpaste/ticket/314
-"""
+Prerequisite
+
+
+Additionally to build and runtime requirements of FreeIPA, the dev server
+depends on the werkzeug framework and optionally watchdog for auto-reloading.
+You may also have to enable a development COPR.
 
-from os import path, getcwd
+$ sudo dnf install -y dnf-plugins-core
+$ sudo dnf builddep --spec freeipa.spec.in
+$ sudo dnf install -y python-werkzeug python2-watchdog \
+python3-werkzeug python3-watchdog
+$ ./autogen.sh
+$ make
+
+For more information see
+
+  * http://www.freeipa.org/page/Build
+  * http://www.freeipa.org/page/Testing
+
+"""
+import os
 import optparse  # pylint: disable=deprecated-module
-from paste import httpserver
-import paste.gzipper
-from paste.urlmap import URLMap
-from ipalib import api
-from subprocess import check_output, CalledProcessError
-import re
-
-# Ugly hack for test purposes only. GSSAPI has no way to get default ccache
-# name, but we don't need it outside test server
-def get_default_ccache_name():
-try:
-out = check_output(['klist'])
-except CalledProcessError:
-raise RuntimeError("Default ccache not found. Did you kinit?")
-match = re.match(r'^Ticket cache:\s*(\S+)', out)
-if not match:
-raise RuntimeError("Cannot obtain ccache name")
-return match.group(1)
+import ssl
+import sys
+
+# pylint: disable=import-error
+from werkzeug.exceptions import NotFound
+from werkzeug.serving import run_simple
+from werkzeug.utils import redirect, append_slash_redirect
+from werkzeug.wsgi import DispatcherMiddleware, SharedDataMiddleware
+# pylint: enable=import-error
+
+
+HERE = os.path.dirname(os.path.abspath(__file__))
+STATIC_FILES = {
+'/ipa/ui': os.path.join(HERE, 'install/ui'),
+'/ipa/ui/js': os.path.join(HERE, 'install/ui/src'),
+'/ipa/ui/js/dojo': os.path.join(HERE, 'install/ui/build/dojo'),
+'/ipa/ui/fonts': '/usr/share/fonts',
+}
+
+# import ipa Python packages from script directory
+sys.path.insert(0, HERE)
+from ipalib import api  # noqa: E402
+from ipalib.krb_utils import krb5_parse_
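Review bot: the docstring tells the developer to store a server certificate together with its unencrypted private key at `~/.ipa/lite.pem`; add that the file should be mode 0600 and that this is for development keys only. The shebang moves from `/usr/bin/python2` to `/usr/bin/env python` while the commit message says Python 3 support still depends on PR 393, so a PATH where `python` is python3 will fail in a confusing way; keep the explicit interpreter or say so in the docstring. `STATIC_FILES` maps `/ipa/ui/fonts` to all of `/usr/share/fonts`, which is fine for a local server only if `run_simple()` (cut off below) binds to localhost; a comment on the bind address would settle that. The `sys.path.insert(0, HERE)` before the `# noqa: E402` imports is the right way to prefer the in-tree packages over an installed ipalib, and deserves a one-line comment saying so.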