[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

HonzaCholasta commented:
"""
I forgot to say that in the CLI, the certificate should be specified using a 
file. PR #557 implements this.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-285268909
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#557][opened] certmap: load certificate from file in certmap-match CLI

2017-03-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/557
Author: HonzaCholasta
 Title: #557: certmap: load certificate from file in certmap-match CLI
Action: opened

PR body:
"""
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/557/head:pr557
git checkout pr557
From 1dd6a438aabf3fe3f03a8b75d5dbed5aeb1b2fc4 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 9 Mar 2017 07:19:26 +0100
Subject: [PATCH] certmap: load certificate from file in certmap-match CLI

Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.

https://pagure.io/freeipa/issue/6646
---
 ipaclient/plugins/certmap.py | 49 
 1 file changed, 49 insertions(+)
 create mode 100644 ipaclient/plugins/certmap.py

diff --git a/ipaclient/plugins/certmap.py b/ipaclient/plugins/certmap.py
new file mode 100644
index 000..50a594f
--- /dev/null
+++ b/ipaclient/plugins/certmap.py
@@ -0,0 +1,49 @@
+#
+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license
+#
+
+from ipaclient.frontend import MethodOverride
+from ipalib import errors, x509
+from ipalib.parameters import File
+from ipalib.plugable import Registry
+from ipalib.text import _
+
+register = Registry()
+
+
+@register(override=True, no_fail=True)
+class certmap_match(MethodOverride):
+takes_args = (
+File(
+'file?',
+label=_("Input file"),
+doc=_("File to load the certificate from"),
+include='cli',
+),
+)
+
+def get_args(self):
+for arg in super(certmap_match, self).get_args():
+if arg.name != 'certificate' or self.api.env.context != 'cli':
+yield arg
+
+def get_options(self):
+for arg in super(certmap_match, self).get_args():
+if arg.name == 'certificate' and self.api.env.context == 'cli':
+yield arg.clone(required=False)
+for option in super(certmap_match, self).get_options():
+yield option
+
+def forward(self, *args, **options):
+if self.api.env.context == 'cli':
+if args and 'certificate' in options:
+raise errors.MutuallyExclusiveError(
+reason=_("cannot specify both raw certificate and file"))
+if args:
+args = [x509.strip_header(args[0])]
+elif 'certificate' in options:
+args = [options.pop('certificate')]
+else:
+args = []
+
+return super(certmap_match, self).forward(*args, **options)
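Review bot: the `else` branch of `forward` passes an empty argument list to the server, so a CLI user who supplies neither the file argument nor `--certificate` gets the server's requirement error for `certificate`, a parameter this override has just hidden from the CLI signature; raising `errors.RequirementError(name='file')` in that branch would name the argument the user can actually supply. Also, the file path runs the value through `x509.strip_header` while the `options.pop('certificate')` path sends the raw value through unchanged; if PEM-armoured input is acceptable from a file, consider stripping the header on the `--certificate` value too so both inputs are normalised the same way.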

[Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors

2017-03-08 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

frasertweedale commented:
"""
Righto.  I'll withdraw this PR for now and it will make a comeback closer to 
landing the gssapi work.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/539#issuecomment-285268049

[Freeipa-devel] [freeipa PR#539][closed] Define errors_by_code in ipalib.errors

2017-03-08 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/539
Author: frasertweedale
 Title: #539: Define errors_by_code in ipalib.errors
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/539/head:pr539
git checkout pr539

[Freeipa-devel] [freeipa PR#539][comment] Define errors_by_code in ipalib.errors

2017-03-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/539
Title: #539: Define errors_by_code in ipalib.errors

HonzaCholasta commented:
"""
Seems like overkill for the ~2 types of errors which the code uses. Anyway, 
I would rather wait before making any kind of decision based on cert-request 
code until after it is refactored to be less insane 
(https://pagure.io/freeipa/issue/6531).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/539#issuecomment-285261846

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
Probably we should fix this before we double the number of alerts
https://pagure.io/freeipa/issue/6598
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285116330

[Freeipa-devel] [freeipa PR#544][+ack] Don't use weak ciphers for client HTTPS connections

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/544
Title: #544: Don't use weak ciphers for client HTTPS connections

Label: +ack

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
JFTR: KRA uninstall commit is here #556 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285093976

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

abbra commented:
"""
We can disable it for CLI, that's not a problem.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/535#issuecomment-285085254

[Freeipa-devel] [freeipa PR#544][synchronized] Don't use weak ciphers for client HTTPS connections

2017-03-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/544
Author: stlaz
 Title: #544: Don't use weak ciphers for client HTTPS connections
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/544/head:pr544
git checkout pr544
From 2ba5889ff71093b9b8fffd03a310412e3bf60f2d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 23 Feb 2017 14:31:50 +0100
Subject: [PATCH] Don't use weak ciphers for client HTTPS connections

https://pagure.io/freeipa/issue/6730
---
 ipalib/constants.py | 3 +++
 ipalib/util.py  | 6 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 8789a95..5a26173 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -296,3 +296,6 @@
 "tls1.2"
 ]
 TLS_VERSION_MINIMAL = "tls1.0"
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
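Review bot: the comment above `TLS_HIGH_CIPHERS` lists RC4, MD5, TripleDES, pre-shared key and SRP but not the `!aNULL:!eNULL` exclusions the string also carries; document those too (anonymous key exchange and null encryption), so that a reader checking the comment against the string finds every exclusion accounted for. Since `TLS_VERSION_MINIMAL` a few lines up still permits TLS 1.0, it would also be worth a one-line note that this cipher list is what limits the damage of the older protocol versions that remain enabled.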
diff --git a/ipalib/util.py b/ipalib/util.py
index 2beabf1..e9d4105 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -52,7 +52,7 @@
 from ipalib import errors, messages
 from ipalib.constants import (
 DOMAIN_LEVEL_0,
-TLS_VERSIONS, TLS_VERSION_MINIMAL
+TLS_VERSIONS, TLS_VERSION_MINIMAL, TLS_HIGH_CIPHERS
 )
 from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
@@ -303,6 +303,10 @@ def create_https_connection(
 ssl.OP_SINGLE_ECDH_USE
 )
 
+# high ciphers without RC4, MD5, TripleDES, pre-shared key
+# and secure remote password
+ctx.set_ciphers(TLS_HIGH_CIPHERS)
+
 # pylint: enable=no-member
 # set up the correct TLS version flags for the SSL context
 for version in TLS_VERSIONS:
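Review bot: the two-line comment above `ctx.set_ciphers(TLS_HIGH_CIPHERS)` repeats the one next to the constant in `ipalib/constants.py` word for word; a short pointer to the constant is enough here and removes the risk of the two copies drifting apart. `SSLContext.set_ciphers` raises `ssl.SSLError` when the string leaves no usable cipher on the local OpenSSL build, which fails closed as desired, but the resulting message names neither the constant nor the connection being set up, so consider catching it here and re-raising with context that helps an administrator diagnose a crypto-policy mismatch.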

[Freeipa-devel] [freeipa PR#556][opened] Don't allow standalone KRA uninstalls

2017-03-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/556
Author: stlaz
 Title: #556: Don't allow standalone KRA uninstalls
Action: opened

PR body:
"""
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/556/head:pr556
git checkout pr556
From b6e514f2e04629d350c8545bc31c5efa7a0c26bf Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 16:38:12 +0100
Subject: [PATCH] Don't allow standalone KRA uninstalls

KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538
---
 install/tools/man/ipa-kra-install.1  |  5 +
 ipaserver/install/ipa_kra_install.py | 30 +-
 ipaserver/install/kra.py | 17 +++--
 ipaserver/install/server/install.py  |  2 +-
 4 files changed, 10 insertions(+), 44 deletions(-)

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index e3133ee..0aa9073 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins
 
 The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
 
-The uninstall option can be  used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected.  The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall.
+KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
@@ -39,9 +39,6 @@ Directory Manager (existing master) password
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
-\fB\-\-uninstall\fR
-Uninstall the KRA from the local IPA server.
-.TP
 \fB\-v\fR, \fB\-\-verbose\fR
 Enable debug output when more verbose output is needed
 .TP
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 99ff4a6..a6cdb1e 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -21,6 +21,7 @@
 from __future__ import print_function
 
 import tempfile
+from optparse import SUPPRESS_HELP
 
 from textwrap import dedent
 from ipalib import api
@@ -69,8 +70,7 @@ def add_options(cls, parser, debug_option=True):
 parser.add_option(
 "--uninstall",
 dest="uninstall", action="store_true", default=False,
-help="uninstall an existing installation. The uninstall can "
- "be run with --unattended option")
+help=SUPPRESS_HELP)
 
 def validate_options(self, needs_root=True):
 super(KRAInstall, self).validate_options(needs_root=True)
@@ -83,33 +83,13 @@ def validate_options(self, needs_root=True):
 @classmethod
 def get_command_class(cls, options, args):
 if options.uninstall:
-return KRAUninstaller
+raise RuntimeError(
+'Standalone KRA uninstalling was removed in FreeIPA 4.5 as it '
+'had never worker properly and only caused issues.')
 else:
 return KRAInstaller
 
 
-class KRAUninstaller(KRAInstall):
-log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
-
-def validate_options(self, needs_root=True):
-super(KRAUninstaller, self).validate_options(needs_root=True)
-
-if self.args:
-self.option_parser.error("Too many parameters provided.")
-
-_kra = krainstance.KRAInstance(api)
-if not _kra.is_installed():
-self.option_parser.error(
-"Cannot uninstall.  There is no KRA installed on this system."
-)
-
-def run(self):
-super(KRAUninstaller, self).run()
-api.Backend.ldap2.connect()
-kra.uninstall(True)
-api.Backend.ldap2.disconnect()
-
-
 class KRAInstaller(KRAInstall):
 log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
 
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 5a7a6ef..c39472a 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -9,12 +9,11 @@
 import os
 import shutil
 
-from ipalib import api, errors
+from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ip

[Freeipa-devel] [freeipa PR#555][+ack] ipa-managed-entries: use server-mode API

2017-03-08 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/555
Title: #555: ipa-managed-entries: use server-mode API

Label: +ack

[Freeipa-devel] [freeipa PR#555][synchronized] ipa-managed-entries: use server-mode API

2017-03-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/555
Author: martbab
 Title: #555: ipa-managed-entries: use server-mode API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/555/head:pr555
git checkout pr555
From e898abfec45119a3bc980500fae1b513326e9718 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Mar 2017 12:16:31 +0100
Subject: [PATCH 1/2] ipa-managed-entries: use server-mode API

During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735
---
 install/tools/ipa-managed-entries | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index efcf3ec..d50faf7 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -73,7 +73,11 @@ def main():
 sys.exit("Unrecognized action [" + args[0] + "]")
 standard_logging_setup(None, debug=options.debug)
 
-api.bootstrap(context='cli', debug=options.debug, confdir=paths.ETC_IPA)
+api.bootstrap(
+context='cli',
+in_server=True,
+debug=options.debug,
+confdir=paths.ETC_IPA)
 api.finalize()
 api.Backend.ldap2.connect(bind_pw=options.dirman_password)
 

From 93dc9584ab35bf08851fb316e0f6d01f64bb7f4f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Mar 2017 16:45:08 +0100
Subject: [PATCH 2/2] ipa-managed-entries: only permit running the command on
 IPA master

https://pagure.io/freeipa/issue/6735
---
 install/tools/ipa-managed-entries | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index d50faf7..731dcc3 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -63,6 +63,9 @@ def get_dirman_password():
 def main():
 retval = 0
 def_dn = None
+
+installutils.check_server_configuration()
+
 options, args = parse_options()
 
 if options.list_managed_entries:
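Review bot: `installutils.check_server_configuration()` is called before `parse_options()`, so on a host that is not an IPA master even `ipa-managed-entries --help` fails with the not-configured error instead of printing usage; moving the check after option parsing (but still before `api.bootstrap`, whose `in_server=True` from the first patch needs a local master) keeps help output available everywhere while still refusing to proceed on non-masters.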

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

stlaz commented:
"""
Split done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285077007

[Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server

2017-03-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/553
Author: stlaz
 Title: #553: Add check for removing last KRA server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/553/head:pr553
git checkout pr553
From d03f868d2e9396231a2bcb1e754a1ed853716699 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 09:58:38 +0100
Subject: [PATCH 1/2] Add check to prevent removal of last KRA

https://pagure.io/freeipa/issue/6538
---
 ipaserver/plugins/server.py | 13 +
 1 file changed, 13 insertions(+)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 08caa1c..b1ee472 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -494,6 +494,19 @@ def handler(msg, ignore_last_of_role):
   "without a DNS."), ignore_last_of_role)
 
 if self.api.Command.ca_is_enabled()['result']:
+try:
+vault_config = self.api.Command.vaultconfig_show()['result']
+kra_servers = vault_config.get('kra_server_server', [])
+except errors.InvocationError:
+# KRA is not configured
+pass
+else:
+if kra_servers == [hostname]:
+handler(
+_("Deleting this server is not allowed as it would "
+  "leave your installation without a KRA."),
+ignore_last_of_role)
+
 ca_servers = ipa_config.get('ca_server_server', [])
 ca_renewal_master = ipa_config.get(
 'ca_renewal_master_server', [])
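Review bot: the `except errors.InvocationError` around `vaultconfig_show()` catches the base class of several client-side errors (requirement, conversion, validation), so a failure unrelated to the KRA being absent would also be silently treated as "KRA is not configured"; mirroring the `ca_is_enabled()` call two lines above with a `kra_is_enabled()` check, if that command is available in this tree, or narrowing the except clause to the specific error `vaultconfig_show` raises when no KRA exists, would make the intent explicit. The condition `kra_servers == [hostname]` fires only when the server being deleted is the sole KRA, which matches the "last KRA" intent; a short comment saying so would help the next reader.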

From 5842402368985752c078d3f1f0d8edd33f708e57 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 13:07:12 +0100
Subject: [PATCH 2/2] Add message about last KRA to WebUI Topology view

https://pagure.io/freeipa/issue/6538
---
 install/ui/src/freeipa/topology.js | 37 -
 install/ui/test/data/ipa_init.json |  3 ++-
 ipaserver/plugins/internal.py  |  3 ++-
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
index c33adba..c4f3f65 100644
--- a/install/ui/src/freeipa/topology.js
+++ b/install/ui/src/freeipa/topology.js
@@ -497,23 +497,40 @@ topology.servers_search_facet = function(spec, no_init) {
 on_success(data, text_status, xhr);
 
 var result = data.result.results;
-var counter = 0;
+var ca_counter = 0;
+var kra_counter = 0;
 
 for (var i=0, l=result.length; i-- 

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

stlaz commented:
"""
Ok. It just doesn't seem right to have a command which shows something that's 
not immediately useful to the user. I am not sure whether we should have it 
enabled for CLI.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/535#issuecomment-285073261

[Freeipa-devel] [freeipa PR#555][opened] ipa-managed-entries: use server-mode API

2017-03-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/555
Author: martbab
 Title: #555: ipa-managed-entries: use server-mode API
Action: opened

PR body:
"""
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/555/head:pr555
git checkout pr555
From e898abfec45119a3bc980500fae1b513326e9718 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Mar 2017 12:16:31 +0100
Subject: [PATCH] ipa-managed-entries: use server-mode API

During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735
---
 install/tools/ipa-managed-entries | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index efcf3ec..d50faf7 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -73,7 +73,11 @@ def main():
 sys.exit("Unrecognized action [" + args[0] + "]")
 standard_logging_setup(None, debug=options.debug)
 
-api.bootstrap(context='cli', debug=options.debug, confdir=paths.ETC_IPA)
+api.bootstrap(
+context='cli',
+in_server=True,
+debug=options.debug,
+confdir=paths.ETC_IPA)
 api.finalize()
 api.Backend.ldap2.connect(bind_pw=options.dirman_password)
 

[Freeipa-devel] [freeipa PR#549][closed] WebUI: certmap match

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
 Title: #549: WebUI: certmap match
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549

[Freeipa-devel] [freeipa PR#549][+pushed] WebUI: certmap match

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

Label: +pushed

[Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

dkupka commented:
"""
master:

* 6be32edde0ae16473d4d109747adae78f9d725e4 WebUI: Add possibility to turn of 
autoload when details.load is called
* 1d6cc35c03669ea67d9e9ee9ca0ff62401d1b157 WebUI: Possibility to choose object 
when API call returns list of objects
* 358caa7da44c997b505f54ec70cb6be58d188751 WebUI: Add Adapter for certmap_match 
result table
* 61cd4372e142662c06c881886709fe1b573102a9 WebUI: Add cermapmatch module
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/549#issuecomment-285070442

[Freeipa-devel] [freeipa PR#551][+pushed] config: re-add `init_config` and `config`

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

Label: +pushed

[Freeipa-devel] [freeipa PR#551][comment] config: re-add `init_config` and `config`

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

dkupka commented:
"""
master:

* 0c7ca279c78bc23d45582e92bb1638865ec3059e config: re-add `init_config` and 
`config`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/551#issuecomment-285066448

[Freeipa-devel] [freeipa PR#551][closed] config: re-add `init_config` and `config`

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/551
Author: HonzaCholasta
 Title: #551: config: re-add `init_config` and `config`
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/551/head:pr551
git checkout pr551

[Freeipa-devel] [freeipa PR#551][+ack] config: re-add `init_config` and `config`

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

Label: +ack

[Freeipa-devel] [freeipa PR#551][comment] config: re-add `init_config` and `config`

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/551
Title: #551: config: re-add `init_config` and `config`

MartinBasti commented:
"""
Works for me, I was able to install Ipsilon using this: 
https://ipsilon-project.org/doc/quickstart-ipa.html
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/551#issuecomment-285065144

[Freeipa-devel] [freeipa PR#534][comment] Move csrgen templates into ipaclient package

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

dkupka commented:
"""
master:

* 80be18162921268be9c8981495c9e8a4de0c85cd Move csrgen templates into ipaclient 
package
* 177f07e163d6d591a1e609d35e0a6f6f5347551e Chain CSR generator file loaders
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/534#issuecomment-285063710

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

abbra commented:
"""
Uhm, no, I don't want that. It makes the command behave differently depending 
on a context and that would be broken. For a client-side plugin that would also 
be an abuse of the interface, I'd say.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/535#issuecomment-285063732

[Freeipa-devel] [freeipa PR#534][+pushed] Move csrgen templates into ipaclient package

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

Label: +pushed

[Freeipa-devel] [freeipa PR#534][closed] Move csrgen templates into ipaclient package

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/534
Author: tiran
 Title: #534: Move csrgen templates into ipaclient package
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/534/head:pr534
git checkout pr534

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/535
Title: #535: add whoami command

stlaz commented:
"""
I believe that in CLI `ipa whoami` should actually output the output of the 
command it found with the arguments and options it found since in WebUI this is 
eventually done as well.
I can go ahead and try to implement it if we can agree on such behavior.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/535#issuecomment-285062912

[Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvoborni commented:
"""
But let's wait with pushing for travis, to be sure.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/549#issuecomment-285062900

[Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

dkupka commented:
"""
master:

* f8d7e37a091c1df4c989b80b8d19e12ab35533c8 Allow login to WebUI using Kerberos 
aliases/enterprise principals
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/420#issuecomment-285062778

[Freeipa-devel] [freeipa PR#420][+pushed] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

Label: +pushed

[Freeipa-devel] [freeipa PR#420][closed] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/420/head:pr420
git checkout pr420

[Freeipa-devel] [freeipa PR#549][+ack] WebUI: certmap match

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

Label: +ack

[Freeipa-devel] [freeipa PR#534][+ack] Move csrgen templates into ipaclient package

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/534
Title: #534: Move csrgen templates into ipaclient package

Label: +ack

[Freeipa-devel] [freeipa PR#505][comment] dns: fix `dnsrecord_add` interactive mode

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode

dkupka commented:
"""
master:

* 1e912f5b83166154806e0382f3f028d0eac81731 dns: fix `dnsrecord_add` interactive mode
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/505#issuecomment-285061777

[Freeipa-devel] [freeipa PR#505][closed] dns: fix `dnsrecord_add` interactive mode

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/505
Author: HonzaCholasta
 Title: #505: dns: fix `dnsrecord_add` interactive mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/505/head:pr505
git checkout pr505

[Freeipa-devel] [freeipa PR#505][+pushed] dns: fix `dnsrecord_add` interactive mode

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode

Label: +pushed

[Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match

2017-03-08 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvomacka commented:
"""
@pvoborni Yes, we should make a lint rule for leading spaces.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/549#issuecomment-285061561

[Freeipa-devel] [freeipa PR#548][+pushed] ipa-server-install: add --setup-kra option

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option

Label: +pushed

[Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match

2017-03-08 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
 Title: #549: WebUI: certmap match
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549
From 5fb22584c08ee50afce10bdd4ba6572d7a6b00ae Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 7 Mar 2017 21:28:32 +0100
Subject: [PATCH 1/4] WebUI: Add possibility to turn off autoload when
 details.load is called

When a field on the details facet has 'autoload_value' set to false, it won't
be loaded by the details facet's that.load method. That means the field
might stay unchanged even though data loading was performed.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/details.js | 3 ++-
 install/ui/src/freeipa/field.js   | 8 
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index 9f0e632..87b355a 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -743,7 +743,8 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
 var fields = that.fields.get_fields();
 for (var i=0; i
Date: Tue, 7 Mar 2017 21:30:00 +0100
Subject: [PATCH 2/4] WebUI: Possibility to choose object when API call returns
 list of objects

When an API call returns an array of objects containing the data, the
'object_index' attribute in the adapter specification sets which object
should be used.

Only one object, specified by its index in the array, can be chosen.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/field.js | 13 +
 1 file changed, 13 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 3c027bc..ea548c0 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -819,6 +819,15 @@ field.Adapter = declare(null, {
 result_index: 0,
 
 /**
+ * When result of API call is an array of object this object index
+ * allows to specify exact object in array according to its position.
+ * Default value is null which means do not use object_index.
+ *
+ * @type {Number|null}
+ */
+object_index: null,
+
+/**
  * Name of the record which we want to extract from the result.
  * Used in dnslocations.
  * @type {String}
@@ -849,6 +858,10 @@ field.Adapter = declare(null, {
 else if (dr.results) {
 var result = dr.results[this.result_index];
 if (result) record = result[this.result_name];
+var res_type = typeof record;
+var obj_in_type = typeof this.object_index;
+if (res_type === 'object' && obj_in_type === 'number')
+record = record[this.object_index];
 }
 }
 return record;
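Review bot: the guard `if (res_type === 'object' && obj_in_type === 'number')` lets a null `record` through, because `typeof null` is `'object'`, so `record = record[this.object_index]` throws a TypeError whenever the result carries no value for `result_name`; since the doc comment in the previous hunk says the index applies when the result is an array, `Array.isArray(record)` states the intent and excludes null at the same time, and the two `typeof` temporaries can then be dropped.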

From 29d75b30edc2af4a4709b3d55b6d8cbc5855aed7 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 7 Mar 2017 21:30:45 +0100
Subject: [PATCH 3/4] WebUI: Add Adapter for certmap_match result table

The result of the certmap_match command is in the following format:
[{domain: 'domain1', uid: [uid11, uid12, uid13]}, {domain: 'domain2',
uid: [uid21, uid22, uid23]}, ...]

For correct display in the table we need to reformat it to the following:
[{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'}, ...]

This can be done using this Adapter.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/field.js | 79 +
 1 file changed, 79 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index ea548c0..5df2f6c 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -1495,6 +1495,84 @@ field.AlternateAttrFieldAdapter = declare([field.Adapter], {
 
 
 /**
+ * Custom adapter specifically implemented for certmap_match where it
+ * transform items in format {domain: "xxx", uid: [arrayof_uids]} to
+ * {[{domain: "xxx", uid: "uid1"}, {domain: "xxx", uid: 'uid2'}, ...]}.
+ * This is necessary for possibility to correctly display table.
+ *
+ * @class
+ * @extends field.Adapter
+ */
+field.CertMatchTransformAdapter = declare([field.Adapter], {
+
+/**
+* @param {Array} record
+*/
+transform_one_record: function(record) {
+var domain = record.domain;
+var uids = record.uid;
+var results = [];
+
+for (var i=0, l=uids.length; i
Date: Tue, 7 Mar 2017 21:31:22 +0100
Subject: [PATCH 4/4] WebUI: Add certmapmatch module

Add a module which can show the users mapped to the provided certificate.
Additionally, the certificate is parsed and the parsed information is
also displayed.

https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/app.js  |   1 +
 install/ui/src/freeipa/navigation/menu_spec.js |   4 +
 install/ui/src/freeipa/plugin
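The record selection from PATCH 2/4 and the row flattening from PATCH 3/4, as an added stand-alone example rather than FreeIPA's own adapter code; `SAMPLE_RESPONSE`, `selectRecord`, `transformOneRecord` and `transformCertmapMatch` are names chosen here, and the response shape is a constructed sample that mirrors the certmap_match result described in the commit messages.

```javascript
// Added example, not FreeIPA code: mirrors the certmap_match result handling
// described in the PATCH 2/4 and 3/4 messages above.

// Constructed sample mimicking the response shape the adapter reads:
// dr.results[result_index][result_name] is an array of {domain, uid: [...]}.
const SAMPLE_RESPONSE = {
    results: [
        {
            result: [
                { domain: 'ipa.example', uid: ['alice', 'bob'] },
                { domain: 'ad.example', uid: ['carol'] },
                { domain: 'empty.example', uid: [] },
            ],
        },
    ],
};

// Select the record: resultIndex picks the result, objectIndex (optional)
// picks one element when the record is an array. Array.isArray is used
// instead of typeof === 'object' so a null record is never indexed
// (typeof null is 'object').
function selectRecord(dr, resultIndex = 0, resultName = 'result', objectIndex = null) {
    const result = dr && dr.results ? dr.results[resultIndex] : undefined;
    let record = result ? result[resultName] : undefined;
    if (Array.isArray(record) && typeof objectIndex === 'number') {
        record = record[objectIndex];
    }
    return record;
}

// Flatten one {domain, uid: [...]} item into one row per uid.
// A domain with no uids, or a malformed item, yields no rows.
function transformOneRecord(record) {
    const rows = [];
    if (!record || !Array.isArray(record.uid)) return rows;
    for (const uid of record.uid) {
        rows.push({ domain: record.domain, uid });
    }
    return rows;
}

// Flatten the whole certmap_match array into table rows.
function transformCertmapMatch(records) {
    if (!Array.isArray(records)) return [];
    return records.flatMap(transformOneRecord);
}

// Stand-alone run: three rows (alice, bob, carol); empty.example contributes none.
const tableRows = transformCertmapMatch(selectRecord(SAMPLE_RESPONSE));
console.log(tableRows);
```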

[Freeipa-devel] [freeipa PR#548][closed] ipa-server-install: add --setup-kra option

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/548
Author: MartinBasti
 Title: #548: ipa-server-install: add --setup-kra option
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/548/head:pr548
git checkout pr548

[Freeipa-devel] [freeipa PR#548][comment] ipa-server-install: add --setup-kra option

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option

dkupka commented:
"""
master:

* 4006cbbc02c368ac9e5e3721613158decb34fd37 KRA: add --setup-kra to ipa-server-install
* 25fa2bb6c9fa1b498330b13c9a6116b646eb75ba tests: use --setup-kra in tests
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/548#issuecomment-285061152

[Freeipa-devel] [freeipa PR#331][+pushed] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

Label: +pushed

[Freeipa-devel] [freeipa PR#548][+ack] ipa-server-install: add --setup-kra option

2017-03-08 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option

Label: +ack

[Freeipa-devel] [freeipa PR#331][closed] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/331
Author: pvomacka
 Title: #331: WebUI: don't change casing of Auth Indicators values
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/331/head:pr331
git checkout pr331

[Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

dkupka commented:
"""
master:

* 0220fc8986e4fef017185bde675dc9cf0f90afd8 WebUI: Allow disabling lowering text in custom_checkbox_widget
* ad3451067ad474ea52872913d6789b1652f9a9c4 WebUI: don't change casing of Auth Indicators values
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/331#issuecomment-285058994

[Freeipa-devel] [freeipa PR#554][closed] webui: fixes normalization of value in attributes widget

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/554
Author: pvoborni
 Title: #554: webui: fixes normalization of value in attributes widget
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/554/head:pr554
git checkout pr554

[Freeipa-devel] [freeipa PR#554][comment] webui: fixes normalization of value in attributes widget

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget

dkupka commented:
"""
master:

* 56a2642af0a29328df4defef138b9fa65624335a webui: fixes normalization of value in attributes widget
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/554#issuecomment-285058484

[Freeipa-devel] [freeipa PR#554][+pushed] webui: fixes normalization of value in attributes widget

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget

Label: +pushed

[Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

abbra commented:
"""
Thanks. LGTM and works for me with IPA user, IPA host principal, and AD user. 
The latter cannot yet actually use Web UI but that is a separate PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/420#issuecomment-285058056

[Freeipa-devel] [freeipa PR#420][+ack] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/420
Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals

Label: +ack

[Freeipa-devel] [freeipa PR#505][+ack] dns: fix `dnsrecord_add` interactive mode

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/505
Title: #505: dns: fix `dnsrecord_add` interactive mode

Label: +ack

[Freeipa-devel] [freeipa PR#554][+ack] webui: fixes normalization of value in attributes widget

2017-03-08 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/554
Title: #554: webui: fixes normalization of value in attributes widget

Label: +ack

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
Please create a separate commit for KRA Uninstall
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285050412

[Freeipa-devel] [freeipa PR#516][+pushed] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

Label: +pushed

[Freeipa-devel] [freeipa PR#516][closed] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
 Title: #516: IdM Server: list all Employees with matching Smart Card
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
master:

* ea34e17a46a60efb9c4dc81dab919a1639dec73b IdM Server: list all Employees with matching Smart Card
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-285049801

[Freeipa-devel] [freeipa PR#516][+ack] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

Label: +ack

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread dkupka
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

dkupka commented:
"""
@flo-renaud Thank you.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-285049667

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local testing

MartinBasti commented:
"""
needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-285048889

[Freeipa-devel] [freeipa PR#300][closed] WebUI: Add support for custom table pagination size

2017-03-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/300
Author: pvomacka
 Title: #300: WebUI: Add support for custom table pagination size
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/300/head:pr300
git checkout pr300

[Freeipa-devel] [freeipa PR#300][comment] WebUI: Add support for custom table pagination size

2017-03-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/300
Title: #300: WebUI: Add support for custom table pagination size

martbab commented:
"""
master:

* 7b699105a52d4d8c26a73044ba182d752b4a9833 Add javascript integer validator
* f78cc8932626de667c6e3a4461141a10a5d9c2e6 Make singleton from config module
* e1dfc51e48050ac1ad431d56003dc26e17ca653e Add support for custom table pagination size
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/300#issuecomment-285046345

[Freeipa-devel] [freeipa PR#300][+pushed] WebUI: Add support for custom table pagination size

2017-03-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/300
Title: #300: WebUI: Add support for custom table pagination size

Label: +pushed

[Freeipa-devel] [freeipa PR#310][comment] WIP: CLI testing

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/310
Title: #310: WIP: CLI testing

pvoborni commented:
"""
Marking as postponed. We cannot expect the changes to be addressed by @mirielka 
any time soon. And CLI testing might need design discussion.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/310#issuecomment-285045089

[Freeipa-devel] [freeipa PR#310][+postponed] WIP: CLI testing

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/310
Title: #310: WIP: CLI testing

Label: +postponed

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

stlaz commented:
"""
@MartinBasti ah, sorry, I completely overlooked it. The current PR version 
implements your suggestion.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285044830

[Freeipa-devel] [freeipa PR#553][synchronized] Add check for removing last KRA server

2017-03-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/553
Author: stlaz
 Title: #553: Add check for removing last KRA server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/553/head:pr553
git checkout pr553
From 27b50f5d77382459f7495dd07ecaeea4852fb0a9 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 09:58:38 +0100
Subject: [PATCH 1/2] Add check to prevent removal of last KRA

https://pagure.io/freeipa/issue/6538
---
 install/tools/man/ipa-kra-install.1  |  5 +
 ipaserver/install/ipa_kra_install.py | 28 
 ipaserver/install/kra.py | 17 +++--
 ipaserver/install/server/install.py  |  2 +-
 ipaserver/plugins/server.py  | 13 +
 5 files changed, 22 insertions(+), 43 deletions(-)

diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index e3133ee..0aa9073 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins
 
 The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
 
-The uninstall option can be  used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected.  The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall.
+KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
@@ -39,9 +39,6 @@ Directory Manager (existing master) password
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
-\fB\-\-uninstall\fR
-Uninstall the KRA from the local IPA server.
-.TP
 \fB\-v\fR, \fB\-\-verbose\fR
 Enable debug output when more verbose output is needed
 .TP
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 99ff4a6..7d7ece4 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -70,7 +70,7 @@ def add_options(cls, parser, debug_option=True):
 "--uninstall",
 dest="uninstall", action="store_true", default=False,
 help="uninstall an existing installation. The uninstall can "
- "be run with --unattended option")
+ "be run with --unattended option", deprecated=True)
 
 def validate_options(self, needs_root=True):
 super(KRAInstall, self).validate_options(needs_root=True)
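Review bot: the help string for `--uninstall` still reads "uninstall an existing installation. The uninstall can be run with --unattended option" while the option is now marked `deprecated=True` and, per the next hunk, only raises; update the help text to say that standalone KRA uninstall is no longer supported, so `--help` does not promise a behaviour that fails.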
@@ -83,33 +83,13 @@ def validate_options(self, needs_root=True):
 @classmethod
 def get_command_class(cls, options, args):
 if options.uninstall:
-return KRAUninstaller
+raise RuntimeError(
+'Standalone KRA uninstalling was removed in FreeIPA 4.5 as it '
+'had never worker properly and only caused issues.')
 else:
 return KRAInstaller
 
 
-class KRAUninstaller(KRAInstall):
-log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
-
-def validate_options(self, needs_root=True):
-super(KRAUninstaller, self).validate_options(needs_root=True)
-
-if self.args:
-self.option_parser.error("Too many parameters provided.")
-
-_kra = krainstance.KRAInstance(api)
-if not _kra.is_installed():
-self.option_parser.error(
-"Cannot uninstall.  There is no KRA installed on this system."
-)
-
-def run(self):
-super(KRAUninstaller, self).run()
-api.Backend.ldap2.connect()
-kra.uninstall(True)
-api.Backend.ldap2.disconnect()
-
-
 class KRAInstaller(KRAInstall):
 log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
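Review bot: the message raised in `get_command_class` has a typo, 'had never worker properly' should read 'had never worked properly'. Separately, a bare `RuntimeError` raised from this classmethod reaches the user as a traceback rather than a usage error; the removed `KRAUninstaller` reported its problems through `self.option_parser.error(...)`, and if `option_parser` is a class attribute as that usage suggests, `cls.option_parser.error(...)` here would give a clean message and a non-zero exit instead.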
 
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 5a7a6ef..c39472a 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -9,12 +9,11 @@
 import os
 import shutil
 
-from ipalib import api, errors
+from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipaserver.install import custodiainstance
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
@@ -124,19 +123,9 @@ def install(api, replica_config, options):
 services.knownservices.httpd.restart(capture_output=True)
 
 
-def uninstall(standalone):
+def uninstall():
 kra = krainstance.KRAInstance(api.env.realm)
-
-if standalone:
-try:
-api.Backend.ldap2.delete_entr

[Freeipa-devel] [freeipa PR#331][comment] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

pvoborni commented:
"""
ACK but I've found out that the change is not enough because of an existing bug. 
See PR #554 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/331#issuecomment-285043268

[Freeipa-devel] [freeipa PR#331][+ack] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/331
Title: #331: WebUI: don't change casing of Auth Indicators values

Label: +ack

[Freeipa-devel] [freeipa PR#554][opened] webui: fixes normalization of value in attributes widget

2017-03-08 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/554
Author: pvoborni
 Title: #554: webui: fixes normalization of value in attributes widget
Action: opened

PR body:
"""
Fix is in checkboxes widget but the only affected one is attributes widget.

Reproduction:
 1. Add a permission with an attribute containing an uppercase character
   $ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
 2. Check if it is correctly displayed in Web UI

Actual result:
 - businesscategory is not checked
Expected result:
 - businesscategory is checked
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/554/head:pr554
git checkout pr554
From 9fbbc727bfc15e7dc509099bfaca3651d6decb49 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 8 Mar 2017 14:34:20 +0100
Subject: [PATCH] webui: fixes normalization of value in attributes widget

Fix is in checkboxes widget but the only affected one is attributes widget.

Reproduction:
 1. Add a permission with an attribute containing an uppercase character
   $ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
 2. Check if it is correctly displayed in Web UI

Actual result:
 - businesscategory is not checked
Expected result:
 - businesscategory is checked
---
 install/ui/src/freeipa/widget.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 17b1376..bdcb896 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2626,7 +2626,7 @@ IPA.custom_checkboxes_widget = function(spec) {
 that.populate();
 that.append();
 that.owb_create(that.container);
-that.owb_update(values);
+that.owb_update(that.values);
 };
 
 /**
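Review bot: the change from `that.owb_update(values)` to `that.owb_update(that.values)` is the whole fix, but nothing in the patch guards against a regression; a WebUI unit test for `custom_checkboxes_widget` that loads a mixed-case attribute name such as the `businessCategory` from the reproduction steps and asserts the checkbox ends up checked would pin the behaviour. The commit message could also state what the bare `values` referred to before (an out-of-scope or stale local), since the diff alone does not show where it came from.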

[Freeipa-devel] [freeipa PR#300][+ack] WebUI: Add support for custom table pagination size

2017-03-08 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/300
Title: #300: WebUI: Add support for custom table pagination size

Label: +ack

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

MartinBasti commented:
"""
@stlaz I wrote it to the ticket
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285033127
-- 

[Freeipa-devel] [freeipa PR#553][comment] Add check for removing last KRA server

2017-03-08 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/553
Title: #553: Add check for removing last KRA server

stlaz commented:
"""
Hm, I forgot that KRA is the only IPA component that has a standalone 
uninstaller, this is therefore only a partial fix.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/553#issuecomment-285032496
-- 

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/516
Title: #516: IdM Server: list all Employees with matching Smart Card

flo-renaud commented:
"""
@dkupka 
I added the following explanation in the doc for certmap_match:
"""
Search for users matching the provided certificate.

This command relies on SSSD to retrieve the list of matching users and
may return cached data. For more information on purging SSSD cache,
please refer to sss_cache documentation.
"""
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/516#issuecomment-285031435
-- 

[Freeipa-devel] [freeipa PR#516][synchronized] IdM Server: list all Employees with matching Smart Card

2017-03-08 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/516
Author: flo-renaud
 Title: #516: IdM Server: list all Employees with matching Smart Card
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/516/head:pr516
git checkout pr516
From 18fd166aec9da8dda24f0811aae4725a39699b18 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 23 Feb 2017 18:04:47 +0100
Subject: [PATCH] IdM Server: list all Employees with matching Smart Card

Implement a new IPA command that allows retrieving the list of users matching
the provided certificate.
The command uses the SSSD DBus interface, thus including users from the IPA
domain and from trusted domains. This requires the sssd-dbus package to be
installed on the IPA server.

https://fedorahosted.org/freeipa/ticket/6646
---
 API.txt  |  12 
 freeipa.spec.in  |   2 +
 ipaserver/plugins/certmap.py | 166 ++-
 3 files changed, 179 insertions(+), 1 deletion(-)

diff --git a/API.txt b/API.txt
index a8f8ff1..ace3101 100644
--- a/API.txt
+++ b/API.txt
@@ -824,6 +824,16 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
+command: certmap_match/1
+args: 1,3,4
+arg: Bytes('certificate', cli_name='certificate')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Output('count', type=[])
+output: ListOfEntries('result')
+output: Output('summary', type=[, ])
+output: Output('truncated', type=[])
 command: certmapconfig_mod/1
 args: 0,8,3
 option: Str('addattr*', cli_name='addattr')
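Review bot: `arg: Bytes('certificate', cli_name='certificate')` makes the certificate a positional raw-bytes argument, so on the command line the user has to paste the base64 DER blob into the shell, where it ends up in quoting trouble and in shell history. Loading the certificate from a file path is the usual convention for the CLI (the raw value can stay available as an option); please consider that before the API line is frozen in API.txt.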
@@ -6517,6 +6527,8 @@ default: cert_request/1
 default: cert_revoke/1
 default: cert_show/1
 default: cert_status/1
+default: certmap/1
+default: certmap_match/1
 default: certmapconfig/1
 default: certmapconfig_mod/1
 default: certmapconfig_show/1
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5b736b6..cc7422a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -284,6 +284,8 @@ Requires: gzip
 Requires: oddjob
 # Require 0.6.0 for the new delegation access control features
 Requires: gssproxy >= 0.6.0
+# Require 1.15.1 for the certificate identity mapping feature
+Requires: sssd-dbus >= 1.15.1
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
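Review bot: `Requires: sssd-dbus >= 1.15.1` covers the SSSD infopipe responder, but the plugin in this same patch does `import dbus`, so the server package also needs the Python DBus binding for whichever interpreter it runs under; please check that this dependency is already declared in the spec for both the python2 and python3 builds, otherwise `certmap_match` fails at import time on a fresh install rather than with the clean `RemoteRetrieveError` the code prepares.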
diff --git a/ipaserver/plugins/certmap.py b/ipaserver/plugins/certmap.py
index c37eae3..e28b397 100644
--- a/ipaserver/plugins/certmap.py
+++ b/ipaserver/plugins/certmap.py
@@ -17,9 +17,14 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see .
 
+import base64
+import dbus
 import six
 
-from ipalib import api, errors
+from ipalib import api, errors, x509
+from ipalib import Bytes
+from ipalib.crud import Search
+from ipalib.frontend import Object
 from ipalib.parameters import Bool, DNSNameParam, Flag, Int, Str
 from ipalib.plugable import Registry
 from .baseldap import (
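Review bot: style: `from ipalib import Bytes` sits on its own line while the other parameter classes come from `ipalib.parameters` one line below; add `Bytes` there (`from ipalib.parameters import Bool, Bytes, DNSNameParam, Flag, Int, Str`) to keep one import per source module. `import base64` and `from ipalib.crud import Search` are not used in the part of the change visible here; drop whichever the rest of the patch does not need.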
@@ -33,6 +38,7 @@
 pkey_to_value)
 from ipalib import _, ngettext
 from ipalib import output
+from ipaserver.plugins.service import validate_certificate
 
 
 if six.PY3:
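Review bot: `from ipaserver.plugins.service import validate_certificate` uses an absolute import while the surrounding module imports its siblings relatively (`from .baseldap import ...` just above); `from .service import validate_certificate` matches the local convention.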
@@ -389,3 +395,161 @@ def execute(self, cn, **options):
 result=True,
 value=pkey_to_value(cn, options),
 )
+
+
+DBUS_SSSD_NAME = 'org.freedesktop.sssd.infopipe'
+DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties'
+DBUS_SSSD_USERS_PATH = '/org/freedesktop/sssd/infopipe/Users'
+DBUS_SSSD_USERS_IF = 'org.freedesktop.sssd.infopipe.Users'
+DBUS_SSSD_USER_IF = 'org.freedesktop.sssd.infopipe.Users.User'
+
+
+class _sssd(object):
+"""
+Auxiliary class for SSSD infopipe DBus.
+"""
+def __init__(self, log):
+"""
+Initialize the Users object and interface.
+
+   :raise RemoteRetrieveError: if DBus error occurs
+"""
+try:
+self.log = log
+self._bus = dbus.SystemBus()
+self._users_obj = self._bus.get_object(
+DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH)
+self._users_iface = dbus.Interface(
+self._users_obj, DBUS_SSSD_USERS_IF)
+except dbus.DBusException as e:
+self.log.error(
+'Failed to initialize DBus interface {iface}. DBus '
+'exception is {exc}.'.format(iface=DBUS_SSSD_USERS_IF, exc=e)
+)
+raise errors.RemoteRetrieveError(
+reason=_('Failed to connect to sssd over SystemBus. '
+ 'See details in the error_log'))
+
+def list_users_by_cert(self, cert):
+"""
+Look for users matching the cert.
+
+Call Users.ListByCertificate interface and return a dict
+with key = domain, value = list of uids
+corresponding to the users matching the provided cert
+:param cert: DER c
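Review bot: in `_sssd.__init__` the `self.log = log` assignment sits inside the `try` block although only the `dbus.SystemBus()` and `get_object` calls can raise `dbus.DBusException`; move it above the `try` so the handler is guaranteed to have `self.log`. The `:raise RemoteRetrieveError:` line in the docstring is indented one space off the rest. The split between the logged message (full DBus exception text via `self.log.error`) and the client-facing reason ('See details in the error_log') is the right one: the client only learns that SSSD could not be reached, not the bus internals.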

[Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match

2017-03-08 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvomacka commented:
"""
In the last sync I changed the string of the clear button title.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/549#issuecomment-285025740
-- 

[Freeipa-devel] [freeipa PR#549][synchronized] WebUI: certmap match

2017-03-08 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/549
Author: pvomacka
 Title: #549: WebUI: certmap match
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/549/head:pr549
git checkout pr549
From 230fcbb463266a957da60b28ee4251361027 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 7 Mar 2017 21:28:32 +0100
Subject: [PATCH 1/4] WebUI: Add possibility to turn of autoload when
 details.load is called

When a field on the details facet has 'autoload_value' set to false, it won't
be loaded by the that.load method of the details facet. That means the field
might stay unchanged even though data loading was performed.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/details.js | 3 ++-
 install/ui/src/freeipa/field.js   | 8 
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index 9f0e632..87b355a 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -743,7 +743,8 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
 var fields = that.fields.get_fields();
 for (var i=0; i
Date: Tue, 7 Mar 2017 21:30:00 +0100
Subject: [PATCH 2/4] WebUI: Possibility to choose object when API call returns
 list of objects

In case the API call returns an array of objects containing the data, the
'object_index' attribute in the adapter specification sets which object
should be used.

It is possible to choose only one object, specified by its index in the array.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/field.js | 13 +
 1 file changed, 13 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 4a63242..3b6b97b 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -819,6 +819,15 @@ field.Adapter = declare(null, {
 result_index: 0,
 
 /**
+ * When result of API call is an array of object this object index
+ * allows to specify exact object in array according to its position.
+ * Default value is null which means do not use object_index.
+ *
+ * @type {Number|null}
+ */
+ object_index: null,
+
+/**
  * Name of the record which we want to extract from the result.
  * Used in dnslocations.
  * @type {String}
@@ -849,6 +858,10 @@ field.Adapter = declare(null, {
 else if (dr.results) {
 var result = dr.results[this.result_index];
 if (result) record = result[this.result_name];
+var res_type = typeof record;
+var obj_in_type = typeof this.object_index;
+if (res_type === 'object' && obj_in_type === 'number')
+record = record[this.object_index];
 }
 }
 return record;
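Review bot: `typeof record === 'object'` is also true for `null`, so when `result[this.result_name]` is `null` and `object_index` is set, `record[this.object_index]` throws a TypeError instead of yielding an empty record. Since the doc comment above says this is for the array case, test for that explicitly and drop the two temporaries: `if (Array.isArray(record) && typeof this.object_index === 'number') record = record[this.object_index];`.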

From 7d30594f88572970ee3428234af9a49a5397b10f Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 7 Mar 2017 21:30:45 +0100
Subject: [PATCH 3/4] WebUI: Add Adapter for certmap_match result table

The result of the certmap_match command is in the following format:
[{domain: 'domain1', uid: [uid11, uid12, uid13]}, {domain: 'domain2',
uid: [uid21, uid22, uid23]}, ...]

For correct display in a table we need to reformat it to the following:
[{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'}, ...]

This can be done using this Adapter.

Part of: https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/field.js | 79 +
 1 file changed, 79 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 3b6b97b..dde2837 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -1462,6 +1462,84 @@ field.AlternateAttrFieldAdapter = declare([field.Adapter], {
 
 
 /**
+ * Custom adapter specifically implemented for certmap_match where it
+ * transform items in format {domain: "xxx", uid: [arrayof_uids]} to
+ * {[{domain: "xxx", uid: "uid1"}, {domain: "xxx", uid: 'uid2'}, ...]}.
+ * This is necessary for possibility to correctly display table.
+ *
+ * @class
+ * @extends field.Adapter
+ */
+field.CertMatchTransformAdapter = declare([field.Adapter], {
+
+/**
+* @param {Array} record
+*/
+transform_one_record: function(record) {
+var domain = record.domain;
+var uids = record.uid;
+var results = [];
+
+for (var i=0, l=uids.length; i
Date: Tue, 7 Mar 2017 21:31:22 +0100
Subject: [PATCH 4/4] WebUI: Add cermapmatch module

Add a module which can show users which are mapped to the provided certificate.
Additionally, the certificate is parsed and the parsed information is
also displayed.

https://pagure.io/freeipa/issue/6601
---
 install/ui/src/freeipa/app.js  |   1 +
 install/ui/src/freeipa/navigation/menu_spec.js |   4 +
 install/ui/src/freeipa/plugi

[Freeipa-devel] [freeipa PR#300][comment] WebUI: Add support for custom table pagination size

2017-03-08 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/300
Title: #300: WebUI: Add support for custom table pagination size

pvomacka commented:
"""
@pvoborni Thank you for review. Proposed changes fixed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/300#issuecomment-285025154
-- 

[Freeipa-devel] [freeipa PR#300][synchronized] WebUI: Add support for custom table pagination size

2017-03-08 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/300
Author: pvomacka
 Title: #300: WebUI: Add support for custom table pagination size
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/300/head:pr300
git checkout pr300
From 79e2cf9282a562384ac6710a0972477500ab440c Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 15:51:33 +0200
Subject: [PATCH 1/3] Add javascript integer validator

The Javascript integer validator checks whether the value entered into a field is a
number and is not higher than the Number.MAX_SAFE_INTEGER constant.

Part of: https://fedorahosted.org/freeipa/ticket/5742
---
 install/ui/src/freeipa/field.js | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index 9f287dd..f410557 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -971,6 +971,39 @@ field.validator = IPA.validator = function(spec) {
 };
 
 /**
+ * Javascript integer validator
+ *
+ * It allows to insert only integer numbers which can be safely represented by
+ * Javascript.
+ *
+ * @class
+ * @alternateClassName IPA.integer_validator
+ * @extends IPA.validator
+ */
+ field.integer_validator = IPA.integer_validator = function(spec) {
+
+ var that = IPA.validator(spec);
+
+ /**
+  * @inheritDoc
+  */
+ that.validate = function(value) {
+
+ if (!value.match(/^-?\d+$/)) {
+ return that.false_result(text.get('@i18n:widget.validation.integer'));
+ }
+
+ if (!Number.isSafeInteger(parseInt(value, 10))) {
+ return that.false_result(text.get('@i18n:widget.validation.unsupported'));
+ }
+
+ return that.true_result();
+ };
+
+ return that;
+ };
+
+/**
  * Metadata validator
  *
  * Validates value according to supplied metadata
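Review bot: `value.match(/^-?\d+$/)` assumes `value` is a non-empty string; an empty field, `null`, or a numeric value makes `.match` throw or fail. Return `that.true_result()` for an empty value (leave "required" to its own check) and coerce with `String(value)` before matching. Also confirm that `Number.isSafeInteger` exists in every browser the Web UI supports: it is an ES2015 addition, as is the `Number.MAX_SAFE_INTEGER` constant the commit message mentions. Indentation: the whole new block is one space deeper than the surrounding code (`+ field.integer_validator` versus `+/**`).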
@@ -1710,6 +1743,7 @@ field.register = function() {
 v.register('metadata', field.metadata_validator);
 v.register('unsupported', field.unsupported_validator);
 v.register('same_password', field.same_password_validator);
+v.register('integer', field.integer_validator);
 
 l.register('adapter', field.Adapter);
 l.register('object_adapter', field.ObjectAdapter);

From 899219f77bc47f52b518f8cefd3fd5722f631782 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 15:56:01 +0200
Subject: [PATCH 2/3] Make singleton from config module

Also added general setter and getter for attributes of config.

Part of: https://fedorahosted.org/freeipa/ticket/5742
---
 install/ui/src/freeipa/config.js | 51 +++-
 1 file changed, 45 insertions(+), 6 deletions(-)

diff --git a/install/ui/src/freeipa/config.js b/install/ui/src/freeipa/config.js
index 61922d4..3bf017b 100644
--- a/install/ui/src/freeipa/config.js
+++ b/install/ui/src/freeipa/config.js
@@ -20,14 +20,18 @@
 
 
 
-define([], function() {
+define([
+'dojo/_base/declare',
+'dojo/topic'
+],
+function(declare, topic) {
 
 /**
  * Application configuration
  * @class config
  * @singleton
  */
-var config = {
+var config = declare([], {
 
 /**
  * Selector for application container node
@@ -82,8 +86,43 @@ define([], function() {
  * Hide sections without any visible widget
  * @property {boolean}
  */
-hide_empty_sections: true
-};
+hide_empty_sections: true,
 
-return config;
-});
\ No newline at end of file
+/**
+ * Number of lines in table on table_facets
+ * @property {Integer}
+ */
+table_page_size: 20,
+
+/**
+ * Genereal setter for config values.
+ * @param item_name {string}
+ * @param value
+ * @param store {Boolean} sets whether the value will be stored into
+ *  local storage
+ */
+set: function(item_name, value, store) {
+if (!item_name) return;
+this[item_name] = value;
+
+if (store) {
+window.localStorage.setItem(item_name, value);
+}
+},
+
+/**
+ * Genereal setter for config values.
+ * @param item_name {string}
+ */
+get: function(item_name) {
+return this[item_name];
+},
+
+constructor: function() {
+var user_limit = window.localStorage.getItem('table_page_size');
+if (user_limit) this.table_page_size = user_limit;
+}
+});
+
+return new config();
+});
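Review bot: `window.localStorage.getItem('table_page_size')` returns a string, and the constructor assigns it to `this.table_page_size` unchecked, so after a reload the page size is `"20"` rather than `20`, and whatever a user or another script on the same origin put into local storage (`"0"`, `"-1"`, `"abc"`) is used as-is; treat local storage as untrusted input and parse and range-check it, e.g. `var n = parseInt(user_limit, 10); if (n > 0) this.table_page_size = n;`. `set` likewise writes the raw `value`. Two smaller points: the doc comment on `get` is a copy of the setter's ("Genereal setter", also a typo for "General"), and `setItem(item_name, value)` uses the bare config key as the storage key, so a prefix such as `ipa_config_` would avoid collisions with other scripts.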

From f9cfc6f18c92cf9e064caa8573259deaa8722550 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 15:58:23 +0200
Subject: [PATCH 3/3] Add support for custom table pagination size

New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new to

[Freeipa-devel] [freeipa PR#553][opened] Add check for removing last KRA server

2017-03-08 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/553
Author: stlaz
 Title: #553: Add check for removing last KRA server
Action: opened

PR body:
"""
This patchset adds a check for removal of the last KRA server and adds a message 
to the WebUI about there only being one KRA.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/553/head:pr553
git checkout pr553
From 144daf338c291790daebfa7ed97a712dbbb79416 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 09:58:38 +0100
Subject: [PATCH 1/2] Add check to prevent removal of last KRA

https://pagure.io/freeipa/issue/6538
---
 ipaserver/plugins/server.py | 13 +
 1 file changed, 13 insertions(+)

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 08caa1c..b1ee472 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -494,6 +494,19 @@ def handler(msg, ignore_last_of_role):
   "without a DNS."), ignore_last_of_role)
 
 if self.api.Command.ca_is_enabled()['result']:
+try:
+vault_config = self.api.Command.vaultconfig_show()['result']
+kra_servers = vault_config.get('kra_server_server', [])
+except errors.InvocationError:
+# KRA is not configured
+pass
+else:
+if kra_servers == [hostname]:
+handler(
+_("Deleting this server is not allowed as it would "
+  "leave your installation without a KRA."),
+ignore_last_of_role)
+
 ca_servers = ipa_config.get('ca_server_server', [])
 ca_renewal_master = ipa_config.get(
 'ca_renewal_master_server', [])
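Review bot: `except errors.InvocationError` is broad: `InvocationError` is the base class of a whole family of command errors, so any other failure of `vaultconfig_show` is also read as "KRA is not configured" and the server is deleted without the last-KRA check ever running. Narrow the handler to the not-configured case, or at minimum log the exception before `pass` so the skipped check is visible in the server log. The `kra_servers == [hostname]` comparison itself mirrors the CA check below it and reads fine.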

From 48493e07190038163323af5a441b238e594008b6 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 8 Mar 2017 13:07:12 +0100
Subject: [PATCH 2/2] Add message about last KRA to WebUI Topology view

https://pagure.io/freeipa/issue/6538
---
 install/ui/src/freeipa/topology.js | 37 -
 install/ui/test/data/ipa_init.json |  3 ++-
 ipaserver/plugins/internal.py  |  3 ++-
 3 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/install/ui/src/freeipa/topology.js b/install/ui/src/freeipa/topology.js
index c33adba..c4f3f65 100644
--- a/install/ui/src/freeipa/topology.js
+++ b/install/ui/src/freeipa/topology.js
@@ -497,23 +497,40 @@ topology.servers_search_facet = function(spec, no_init) {
 on_success(data, text_status, xhr);
 
 var result = data.result.results;
-var counter = 0;
+var ca_counter = 0;
+var kra_counter = 0;
 
 for (var i=0, l=result.length; i-- 

[Freeipa-devel] [freeipa PR#552][closed] man: add missing --setup-adtrust option to manpage

2017-03-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/552
Author: MartinBasti
 Title: #552: man: add missing --setup-adtrust option to manpage
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/552/head:pr552
git checkout pr552
-- 

[Freeipa-devel] [freeipa PR#552][+pushed] man: add missing --setup-adtrust option to manpage

2017-03-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/552
Title: #552: man: add missing --setup-adtrust option to manpage

Label: +pushed
-- 

[Freeipa-devel] [freeipa PR#552][comment] man: add missing --setup-adtrust option to manpage

2017-03-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/552
Title: #552: man: add missing --setup-adtrust option to manpage

martbab commented:
"""
master:

* 6c95f33d37a2c346fc56d9890d594f1e40029c77 man: add missing --setup-adtrust 
option to manpage
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/552#issuecomment-285022594
-- 

[Freeipa-devel] [freeipa PR#552][+ack] man: add missing --setup-adtrust option to manpage

2017-03-08 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/552
Title: #552: man: add missing --setup-adtrust option to manpage

Label: +ack
-- 

[Freeipa-devel] [freeipa PR#552][opened] man: add missing --setup-adtrust option to manpage

2017-03-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/552
Author: MartinBasti
 Title: #552: man: add missing --setup-adtrust option to manpage
Action: opened

PR body:
"""
The ipa-server-install and ipa-replica-install manpages are missing the --setup-adtrust
option

https://pagure.io/freeipa/issue/6630
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/552/head:pr552
git checkout pr552
From 7ab691bea65e7cdc6cbba6e8c19d2516005fb611 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 8 Mar 2017 12:50:44 +0100
Subject: [PATCH] man: add missing --setup-adtrust option to manpage

The ipa-server-install and ipa-replica-install manpages are missing the --setup-adtrust
option

https://pagure.io/freeipa/issue/6630
---
 install/tools/man/ipa-replica-install.1 | 3 +++
 install/tools/man/ipa-server-install.1  | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index f9ebd87..362ce03 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -201,6 +201,9 @@ Disable DNSSEC validation on this server.
 
 .SS "AD TRUST OPTIONS"
 .TP
+\fB\-\-setup\-adtrust\fR
+Configure AD Trust capability on a replica.
+.TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined
 based on the leading component of the DNS domain name. Running
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index cd68f72..81663b0 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -198,6 +198,9 @@ Allow creatin of (reverse) zone even if the zone is already resolvable. Using th
 .SS "AD TRUST OPRIONS"
 
 .TP
+\fB\-\-setup\-adtrust\fR
+Configure AD Trust capability.
+.TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined
 based on the leading component of the DNS domain name. Running
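Review bot: the unchanged context right above the new option still reads `.SS "AD TRUST OPRIONS"` and `Allow creatin of (reverse) zone`; since the patch touches this section anyway, fixing those two typos (OPTIONS, creation) in the same change is cheap. The new text says `Configure AD Trust capability.` while the replica page says `on a replica`; `on this server` here would make the two man pages read alike.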
-- 

[Freeipa-devel] [freeipa PR#548][comment] ipa-server-install: add --setup-kra option

2017-03-08 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/548
Title: #548: ipa-server-install: add --setup-kra option

MartinBasti commented:
"""
Given that there is no time, I dropped the commit you NACKed as it is unneeded for 
this PR, but please note my disagreement about the way `kra.py` handles the 
`--setup-kra` option for the future release.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/548#issuecomment-285020252
-- 

[Freeipa-devel] [freeipa PR#548][synchronized] ipa-server-install: add --setup-kra option

2017-03-08 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/548
Author: MartinBasti
 Title: #548: ipa-server-install: add --setup-kra option
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/548/head:pr548
git checkout pr548
From 7e48767e475e3dfc804d1f721f0fe0bc6e51342e Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 2 Mar 2017 17:08:59 +0100
Subject: [PATCH 1/2] KRA: add --setup-kra to ipa-server-install

This patch allows installing the KRA on the first IPA server in one step using
ipa-server-install.

This option improves container installation, where ipa-server can be
installed with the KRA in one call without the need to call docker exec.

Please note that the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as they did
nothing, so it is safe to move them out of the CA block.

https://pagure.io/freeipa/issue/6731
---
 .test_runner_config.yaml|  3 +--
 install/tools/man/ipa-replica-install.1 |  6 ++
 install/tools/man/ipa-server-install.1  |  5 +
 ipaserver/install/server/__init__.py|  1 -
 ipaserver/install/server/install.py | 13 +
 5 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml
index e473d49..b7896c3 100644
--- a/.test_runner_config.yaml
+++ b/.test_runner_config.yaml
@@ -47,8 +47,7 @@ steps:
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   install_server:
   - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
--a ${server_password} --setup-dns --auto-forwarders
-  - ipa-kra-install -p ${server_password}
+-a ${server_password} --setup-dns --setup-kra --auto-forwarders
   lint:
   - PYTHON=/usr/bin/python2 make V=0 lint
   - PYTHON=/usr/bin/python3 make V=0 pylint
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index f9ebd87..960f102 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -146,6 +146,12 @@ Name of the Kerberos KDC SSL certificate to install
 \fB\-\-skip\-schema\-check\fR
 Skip check for updated CA DS schema on the remote master
 
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this replica. If a KRA is not configured then
+vault operations will be forwarded to a master with a KRA installed.
+
 .SS "DNS OPTIONS"
 .TP
 \fB\-\-setup\-dns\fR
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index cd68f72..dd4ee41 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -134,6 +134,11 @@ The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs ar
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 
+.SS "SECRET MANAGEMENT OPTIONS"
+.TP
+\fB\-\-setup\-kra\fR
+Install and configure a KRA on this server.
+
 .SS "DNS OPTIONS"
 IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
 
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 65dfa21..5a079ee 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -533,7 +533,6 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 host_password = None
 keytab = None
 setup_ca = True
-setup_kra = False
 
 domain_name = knob(
 bases=ServerMasterInstallInterface.domain_name,
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1e6aad9..1e67a16 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -367,9 +367,9 @@ def install_check(installer):
 if not setup_ca and options.subject_base:
 raise ScriptError(
 "--subject-base cannot be used with CA-less installation")
-
-# first instance of KRA must be installed by ipa-kra-install
-options.setup_kra = False
+if not setup_ca and options.setup_kra:
+raise ScriptError(
+"--setup-kra cannot be used with CA-less installation")
 
 print("==="
   "===")
@@ -384,6 +384,8 @@ def install_check(installer):
 print("  * Create and configure an instance of Directory Server")
 print("  * Create and configure a Kerberos Key Distribution Center (KDC)")
 print("  * Configure Apache (httpd)")
+if options.setup_kra:
+print("  * Configure KRA (dogtag) f

[Freeipa-devel] [freeipa PR#420][synchronized] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/420
Author: martbab
 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/420/head:pr420
git checkout pr420
From 7ebf11365f97767540ac518f809631a6cab359ce Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 22 Sep 2016 09:58:47 +0200
Subject: [PATCH] Allow login to WebUI using Kerberos aliases/enterprise
 principals

The logic of the extraction/validation of the principal from the request and
the subsequent authentication was simplified and most of the guesswork will
be done by the KDC during kinit. This also allows principals from trusted
domains to log in via rpcserver.

https://fedorahosted.org/freeipa/ticket/6343
---
 ipalib/krb_utils.py| 14 --
 ipaserver/rpcserver.py | 51 --
 2 files changed, 16 insertions(+), 49 deletions(-)

diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index 47d24c9..471009c 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -79,20 +79,6 @@ def krb5_parse_ccache(ccache_name):
 def krb5_unparse_ccache(scheme, name):
 return '%s:%s' % (scheme.upper(), name)
 
-def krb5_format_principal_name(user, realm):
-'''
-Given a Kerberos user principal name and a Kerberos realm
-return the Kerberos V5 user principal name.
-
-:parameters:
-  user
-User principal name.
-  realm
-The Kerberos realm the user exists in.
-:returns:
-  Kerberos V5 user principal name.
-'''
-return '%s@%s' % (user, realm)
 
 def krb5_format_service_principal_name(service, host, realm):
 '''
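Review bot: `krb5_format_principal_name` was a public helper in `ipalib.krb_utils`; this patch removes it together with its caller in `rpcserver.py`, but please grep the rest of the tree (client code, installers, tests) for other users before merging, since an import of a removed name only fails at runtime.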
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 25f2740..65b8998 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -50,13 +50,12 @@
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
 json_encode_binary, json_decode_binary)
-from ipalib.util import normalize_name
 from ipapython.dn import DN
 from ipaserver.plugins.ldap2 import ldap2
 from ipalib.backend import Backend
 from ipalib.krb_utils import (
-krb5_format_principal_name,
 get_credentials_if_valid)
+from ipapython import kerberos
 from ipapython import ipautil
 from ipaplatform.paths import paths
 from ipapython.version import VERSION
@@ -872,34 +871,15 @@ def __call__(self, environ, start_response):
 return self.bad_request(environ, start_response, "no user specified")
 
 # allows login in the form user@SERVER_REALM or user@server_realm
-# FIXME: uppercasing may be removed when better handling of UPN
-#is introduced
-
-parts = normalize_name(user)
-
-if "domain" in parts:
-# username is of the form user@SERVER_REALM or user@server_realm
-
-# check whether the realm is server's realm
-# Users from other realms are not supported
-# (they do not have necessary LDAP entry, LDAP connect will fail)
-
-if parts["domain"].upper()==self.api.env.realm:
-user=parts["name"]
-else:
-return self.unauthorized(environ, start_response, '', 'denied')
-
-elif "flatname" in parts:
-# username is of the form NetBIOS\user
+# we kinit as enterprise principal so we can assume that unknown realms
+# are UPN
+try:
+user_principal = kerberos.Principal(user)
+except Exception:
+# the principal is malformed in some way (e.g. user@REALM1@REALM2)
+# netbios names (NetBIOS1\user) are also not accepted (yet)
 return self.unauthorized(environ, start_response, '', 'denied')
 
-else:
-# username is of the form user or of some wild form, e.g.
-# user@REALM1@REALM2 or NetBIOS1\NetBIOS2\user (see normalize_name)
-
-# wild form username will fail at kinit, so nothing needs to be done
-pass
-
 password = query_dict.get('password', None)
 if password is not None:
 if len(password) == 1:
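Review bot: `except Exception:` around `kerberos.Principal(user)` is broader than needed and also swallows programming errors; catch the specific exception the Principal constructor raises for a malformed name and say in the comment which one that is. The behaviour change also deserves a line in the comment above the `try`: the removed code explicitly denied `user@OTHER_REALM` before contacting the KDC, while the new code forwards any parseable principal and delegates the realm decision entirely to the KDC's enterprise-principal handling, so "allows login in the form user@SERVER_REALM or user@server_realm" no longer describes the full set of accepted inputs.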
@@ -918,7 +898,7 @@ def __call__(self, environ, start_response):
 except OSError:
 pass
 try:
-self.kinit(user, self.api.env.realm, password, ipa_ccache_name)
+self.kinit(user_principal, password, ipa_ccache_name)
 except PasswordExpired as e:
 return self.unauthorized(environ, start_response, str(e), 'password-expired')
 except InvalidSessionPassword as e:
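Review bot: `self.kinit()` now receives a Principal object instead of `(user, realm)`, and the hunk below changes the signature to match but is cut off, so the body's handling of the new parameter cannot be checked here; in particular the comment in the previous hunk relies on "we kinit as enterprise principal", so make sure the kinit invocation in the body actually requests enterprise-principal canonicalization, otherwise `user@TRUSTED.DOMAIN` will fail exactly as before.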
@@ -944,7 +924,7 @@ def __call__(self, environ, start_response):
 pass
 return result
 
-def kinit(self, user, realm, password, ccache_name):
+def kinit(self, principal, password, ccache_name):
 # get anonymous ccache as an armor for FAST to enable OTP auth
 armor_path = os.pa

[Freeipa-devel] [freeipa PR#331][synchronized] WebUI: don't change casing of Auth Indicators values

2017-03-08 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/331
Author: pvomacka
 Title: #331: WebUI: don't change casing of Auth Indicators values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/331/head:pr331
git checkout pr331
From 1b068b1f0710bdfaef252ae4c81da41bfd91ebbd Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 13 Dec 2016 13:21:29 +0100
Subject: [PATCH 1/2] WebUI: Allow disabling lowering text in
 custom_checkbox_widget

Add new attribute which keeps information whether each text added
using custom_checkbox_widget should be transformed to lowercase.

Part of: https://fedorahosted.org/freeipa/ticket/6308
---
 install/ui/src/freeipa/aci.js| 3 +++
 install/ui/src/freeipa/widget.js | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/install/ui/src/freeipa/aci.js b/install/ui/src/freeipa/aci.js
index 6ac7f4c..b1629cd 100644
--- a/install/ui/src/freeipa/aci.js
+++ b/install/ui/src/freeipa/aci.js
@@ -546,6 +546,9 @@ aci.attributes_widget = function(spec) {
 spec.add_field_label = spec.add_field_label ||
 '@i18n:objects.permission.attribute';
 
+spec.set_value_to_lowercase = spec.set_value_to_lowercase === undefined ?
+true : spec.set_value_to_lowercase;
+
 var that = IPA.custom_checkboxes_widget(spec);
 
 that.object_type = spec.object_type;
diff --git a/install/ui/src/freeipa/widget.js b/install/ui/src/freeipa/widget.js
index 17b1376..375b85e 100644
--- a/install/ui/src/freeipa/widget.js
+++ b/install/ui/src/freeipa/widget.js
@@ -2502,6 +2502,8 @@ IPA.custom_checkboxes_widget = function(spec) {
 
 var that = IPA.checkboxes_widget(spec);
 
+that.set_value_to_lowercase = spec.set_value_to_lowercase || false;
+
 that.add_dialog_title = spec.add_dialog_title ||
 "@i18n:dialogs.add_custom_value";
 that.add_field_label = spec.add_field_label ||
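Review bot: `spec.set_value_to_lowercase || false` makes the default false for every custom_checkboxes_widget, while aci.attributes_widget in the previous file defaults the same option to true; the two defaults are presumably intentional (attribute names are case-insensitive, auth indicators are not), but the widget gets no comment saying so, and a future caller passing `0` or `''` gets silently coerced to false by `||`. Spell the default out, e.g. `spec.set_value_to_lowercase === undefined ? false : spec.set_value_to_lowercase`, and document why the two widgets differ.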
@@ -2619,7 +2621,7 @@ IPA.custom_checkboxes_widget = function(spec) {
 
 if (!value || value === '') continue;
 
-value = value.toLowerCase();
+if (that.set_value_to_lowercase) value = value.toLowerCase();
 that.values.push(value);
 }
 

From ec7923f7bbfdf88d1b1f04db7aaa663bf62b8a58 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 13 Dec 2016 13:25:48 +0100
Subject: [PATCH 2/2] WebUI: don't change casing of Auth Indicators values

All values were previously converted to lowercase which was not
corresponding with CLI behaviour. Now they stay as they are
inserted. I also have to change the strings to lowercase because
the otp and radius should be inserted as lowercase words.

https://fedorahosted.org/freeipa/ticket/6308
---
 install/ui/src/freeipa/host.js| 4 ++--
 install/ui/src/freeipa/service.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index a09535c..ac434d8 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -124,11 +124,11 @@ return {
 add_field_label: '@i18n:authtype.auth_indicator',
 options: [
 {
-label: '@i18n:authtype.otp',
+label: 'otp',
 value: 'otp'
 },
 {
-label: '@i18n:authtype.type_radius',
+label: 'radius',
 value: 'radius'
 }
 ],
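Review bot: replacing `'@i18n:authtype.otp'` and `'@i18n:authtype.type_radius'` with the literal strings `'otp'` and `'radius'` takes these labels out of the translation catalogue; since the label is now meant to equal the stored value, derive the label from `value` (or keep the i18n key and fix the catalogue text) rather than hardcoding the same string twice per option, so the Web UI and CLI cannot drift apart again.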
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index 10f86ce..279f842 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -134,11 +134,11 @@ return {
 add_field_label: '@i18n:authtype.auth_indicator',
 options: [
 {
-label: '@i18n:authtype.otp',
+label: 'otp',
 value: 'otp'
 },
 {
-label: '@i18n:authtype.type_radius',
+label: 'radius',
 value: 'radius'
 }
 ],
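Review bot: this options block is a verbatim copy of the one in host.js; a shared constant for the auth-indicator options (label and value) would keep the two files in sync and make the next change to the indicator list a one-line edit.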

[Freeipa-devel] [freeipa PR#551][opened] config: re-add `init_config` and `config`

2017-03-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/551
Author: HonzaCholasta
 Title: #551: config: re-add `init_config` and `config`
Action: opened

PR body:
"""
Re-add `init_config` and `config` to `ipapython.config`, because they are
used by Ipsilon (see https://pagure.io/ipsilon/issue/265).

This partially reverts commit 7b966e8577fdb56f069cf26a6ab4d6c77b8743b9.

https://pagure.io/freeipa/issue/6707

This supersedes PR #515.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/551/head:pr551
git checkout pr551
From c5b251c0480142be159acfd9ff9b2e3301b82505 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 8 Mar 2017 10:39:51 +
Subject: [PATCH] config: re-add `init_config` and `config`

Re-add `init_config` and `config` to `ipapython.config`, because they are
used by Ipsilon (see https://pagure.io/ipsilon/issue/265).

This partially reverts commit 7b966e8577fdb56f069cf26a6ab4d6c77b8743b9.

https://pagure.io/freeipa/issue/6707
---
 ipapython/config.py | 149 
 1 file changed, 149 insertions(+)

diff --git a/ipapython/config.py b/ipapython/config.py
index 5f1295c..b983a72 100644
--- a/ipapython/config.py
+++ b/ipapython/config.py
@@ -22,9 +22,35 @@
 Option, Values, OptionParser, IndentedHelpFormatter, OptionValueError)
 # pylint: enable=deprecated-module
 from copy import copy
+import socket
+
+from dns import resolver, rdatatype
+from dns.exception import DNSException
+import dns.name
+# pylint: disable=import-error
+from six.moves.configparser import SafeConfigParser
+from six.moves.urllib.parse import urlsplit
+# pylint: enable=import-error
 
 from ipapython.dn import DN
 
+try:
+from ipaplatform.paths import paths
+except ImportError:
+IPA_DEFAULT_CONF = '/etc/ipa/default.conf'
+else:
+IPA_DEFAULT_CONF = paths.IPA_DEFAULT_CONF
+
+
+class IPAConfigError(Exception):
+def __init__(self, msg=''):
+self.msg = msg
+Exception.__init__(self, msg)
+
+def __repr__(self):
+return self.msg
+
+__str__ = __repr__
 
 class IPAFormatter(IndentedHelpFormatter):
 """Our own optparse formatter that indents multiple lined usage string."""
@@ -111,8 +137,131 @@ def verify_args(parser, args, needed_args = None):
 parser.error("no %s specified" % needed_list[len_have])
 
 
+class IPAConfig(object):
+def __init__(self):
+self.default_realm = None
+self.default_server = []
+self.default_domain = None
+
+def get_realm(self):
+if self.default_realm:
+return self.default_realm
+else:
+raise IPAConfigError("no default realm")
+
+def get_server(self):
+if len(self.default_server):
+return self.default_server
+else:
+raise IPAConfigError("no default server")
+
+def get_domain(self):
+if self.default_domain:
+return self.default_domain
+else:
+raise IPAConfigError("no default domain")
+
+# Global library config
+config = IPAConfig()
+
+def __parse_config(discover_server = True):
+p = SafeConfigParser()
+p.read(IPA_DEFAULT_CONF)
+
+try:
+if not config.default_realm:
+config.default_realm = p.get("global", "realm")
+except Exception:
+pass
+if discover_server:
+try:
+s = p.get("global", "xmlrpc_uri")
+server = urlsplit(s)
+config.default_server.append(server.netloc)
+except Exception:
+pass
+try:
+if not config.default_domain:
+config.default_domain = p.get("global", "domain")
+except Exception:
+pass
+
+def __discover_config(discover_server = True):
+servers = []
+try:
+if not config.default_domain:
+# try once with REALM -> domain
+domain = str(config.default_realm).lower()
+name = "_ldap._tcp." + domain
+
+try:
+servers = resolver.query(name, rdatatype.SRV)
+except DNSException:
+# try cycling on domain components of FQDN
+try:
+domain = dns.name.from_text(socket.getfqdn())
+except DNSException:
+return False
+
+while True:
+domain = domain.parent()
+
+if str(domain) == '.':
+return False
+name = "_ldap._tcp.%s" % domain
+try:
+servers = resolver.query(name, rdatatype.SRV)
+break
+except DNSException:
+pass
+
+config.default_domain = str(domain).rstrip(".")
+
+if discover_server:
+if not servers:
+name = "_ldap._tcp.%s." % config.default_domain
+try:
+servers = resolver.query(nam
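Review bot: `__parse_config()` wraps every lookup in `except Exception: pass`, so a malformed or unreadable default.conf is silently treated as "no configuration" and control falls through to DNS discovery; narrow these to the configparser errors and log what was skipped. The SRV lookups in `__discover_config()` are plain, unauthenticated DNS, so the server list they yield is a hint only, and the caller still has to verify the discovered host through TLS or GSSAPI before binding; a docstring on `config`/`init_config` should say this, since the code is being re-added for an external consumer (Ipsilon). `config.default_server.append(server.netloc)` also stores whatever `urlsplit()` returns as netloc, which may carry a port or userinfo part, so document whether consumers expect a bare hostname.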

[Freeipa-devel] [freeipa PR#492][comment] [WIP] config: remove meaningless defaults

2017-03-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/492
Title: #492: [WIP] config: remove meaningless defaults

HonzaCholasta commented:
"""
I took the hard way and removed the URI argument from `ldap2.__init__()`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/492#issuecomment-285003106

[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification

2017-03-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/490
Title: #490: certdb: use certutil and match_hostname for cert verification

HonzaCholasta commented:
"""
I think this PR is ready now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/490#issuecomment-285002490

[Freeipa-devel] [freeipa PR#490][edited] [WIP] certdb: use certutil and match_hostname for cert verification

2017-03-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/490
Author: HonzaCholasta
 Title: #490: [WIP] certdb: use certutil and match_hostname for cert verification
Action: edited

 Changed field: title
Original value:
"""
[WIP] certdb: use certutil and match_hostname for cert verification
"""


[Freeipa-devel] [freeipa PR#492][synchronized] [WIP] config: remove meaningless defaults

2017-03-08 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/492
Author: HonzaCholasta
 Title: #492: [WIP] config: remove meaningless defaults
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/492/head:pr492
git checkout pr492
From a6ac65697b212a02e3032d34bcc847a56d757afa Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:44:04 +
Subject: [PATCH 1/6] user, migration: use LDAPClient for ad-hoc LDAP
 connections

Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
---
 ipaserver/plugins/migration.py | 15 +--
 ipaserver/plugins/user.py  | 12 +---
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index 72abd14..e8d102a 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -28,13 +28,9 @@
 from ipalib.cli import to_cli
 from ipalib.plugable import Registry
 from .user import NO_UPG_MAGIC
-if api.env.in_server and api.env.context in ['lite', 'server']:
-try:
-from ipaserver.plugins.ldap2 import ldap2
-except Exception as e:
-raise e
 from ipalib import _
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import write_tmp_file
 from ipapython.kerberos import Principal
 import datetime
@@ -885,8 +881,6 @@ def execute(self, ldapuri, bindpw, **options):
 return dict(result={}, failed={}, enabled=False, compat=True)
 
 # connect to DS
-ds_ldap = ldap2(self.api, ldap_uri=ldapuri)
-
 cacert = None
 if options.get('cacertfile') is not None:
 # store CA cert into file
@@ -894,12 +888,13 @@ def execute(self, ldapuri, bindpw, **options):
 cacert = tmp_ca_cert_f.name
 
 # start TLS connection
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw,
-cacert=cacert)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 tmp_ca_cert_f.close()
 else:
-ds_ldap.connect(bind_dn=options['binddn'], bind_pw=bindpw)
+ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ds_ldap.simple_bind(options['binddn'], bindpw)
 
 # check whether the compat plugin is enabled
 if not options.get('compat'):
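Review bot: the comment still says "start TLS connection", but `LDAPClient(ldapuri, cacert=cacert)` is constructed without any explicit start-TLS flag; confirm that passing `cacert` alone turns on TLS for an `ldap://` URI in LDAPClient, otherwise `simple_bind()` sends the migration bind password in clear. In the `else` branch `cacert` is always None, so `LDAPClient(ldapuri, cacert=cacert)` there reads as if a CA were supplied; since both branches now contain the identical `LDAPClient(...)`/`simple_bind(...)` pair, hoist it out of the if/else and keep only the CA-file handling inside.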
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 2d29dfb..afaa828 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -21,7 +21,7 @@
 import time
 from time import gmtime, strftime
 import posixpath
-import os
+
 import six
 
 from ipalib import api
@@ -63,12 +63,10 @@
 from ipalib import output
 from ipaplatform.paths import paths
 from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipalib.capabilities import client_has_capability
 
-if api.env.in_server:
-from ipaserver.plugins.ldap2 import ldap2
-
 if six.PY3:
 unicode = str
 
@@ -1124,9 +1122,9 @@ def execute(self, *keys, **options):
 if host == api.env.host:
 other_ldap = self.obj.backend
 else:
-other_ldap = ldap2(self.api, ldap_uri='ldap://%s' % host)
 try:
-other_ldap.connect(ccache=os.environ['KRB5CCNAME'])
+other_ldap = LDAPClient(ldap_uri='ldap://%s' % host)
+other_ldap.gssapi_bind()
 except Exception as e:
 self.error("user_status: Connecting to %s failed with %s" % (host, str(e)))
 newresult = {'dn': dn}
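Review bot: the removed call passed `ccache=os.environ['KRB5CCNAME']` explicitly, whereas `other_ldap.gssapi_bind()` now relies on whatever credential cache GSSAPI picks up by default; confirm that the per-request KRB5CCNAME set by the server framework is what ends up being used, otherwise the lookup on the other replica may run under a different identity or fail with an unhelpful error. Moving the constructor inside the `try` is right, but `other_ldap` is then unassigned when the `except` branch runs, so that branch must leave the loop before the `other_ldap.close()` in the next hunk is reached.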
@@ -1171,7 +1169,7 @@ def execute(self, *keys, **options):
 count += 1
 
 if host != api.env.host:
-other_ldap.disconnect()
+other_ldap.close()
 
 return dict(result=entries,
 count=count,

From ceacb79493bd1ffa0c048a58bf97a9f161081a79 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 23 Feb 2017 09:52:51 +
Subject: [PATCH 2/6] {ca,kra}instance: drop redundant URI argument from ad-hoc
 ldap2 connections

Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
---
 ipaserver/install/cainstance.py  | 19 +--
 ipaserver/install/krainstance.py |  4 +---
 2 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 0991883..b3aeec6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -726,9 +726,7 @@ def __create_ca_agent(self):
 cert_data = self.ra_cert.public_bytes(serialization.Encoding.DER)
 
 # connect to CA database
-

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-08 Thread Jan Cholasta

On 8.3.2017 10:30, Martin Babinsky wrote:

On Tue, Feb 28, 2017 at 01:29:50PM +0100, Martin Babinsky wrote:

Hello list,

I have put together a draft of design page describing server-side
implementation of user short name -> fully-qualified name resolution.[1]

In the end I have taken the liberty to change a few aspects of the design we
have agreed on before and I will be glad if we can discuss them further.

Me and Honza have discussed the object that should hold the domain resolution
order and given the fact that IPA domain can also be a part of this list, we
have decided that this information is no longer bound to trust configuration
and should be a part of the global config instead.

Also we have purposefully cut down the API only to a raw manipulation of the
attribute using an option of `ipa config-mod`. The reasons for this are
twofold:

 * the developer resources are quite scarce and it may be good to follow
YAGNI[2] principle to implement the dumbest API now and not to invest into
more high-level interface unless there is a demand for it

 * we can imagine that the manipulation of the domain resolution order is a
rare operation (ideally only once all trusts are established), so I am not
convinced that it is worth investing into designing higher-level API

I propose we first develop the "dumber" parts first to unblock the SSSD part.
If we have spare cycle afterwards then we can design and implement more
bells-and-whistles afterwards.

[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it

--
Martin^3 Babinsky



I have updated the design page[1] and incorporated most of the comments from all
reviewers. The most dramatic change is that I have expanded the discussion by
the possibility for overriding global domain resolution order by ID
view-specific settings. I have also expanded How-To section accordingly.

Please try to review and comment during today as the window for development is
quickly closing.

LGTM.

[1] http://www.freeipa.org/page/V4/AD_User_Short_Names

--
Jan Cholasta



[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation

2017-03-08 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
"""
I would rather make things simple and remove the abstraction.

We can support NSS databases by PKCS#12 export/import until we have first-class 
support:

1. generate private key and temporary cert in the NSS database:
   `certutil -S ...`
2. export the private key from the NSS database into a temporary PKCS#12 file:
   `pk12util -o key.p12 ...`
3. delete the temporary cert from the NSS database:
   `certutil -D ...`
4. extract the private key from the temporary PKCS#12 file into a temporary 
PKCS#8 file:
   `openssl pkcs12 -in key.p12 -nocerts -out key.pem ...`
5. delete the temporary PKCS#12 file
6. request a certificate using the OpenSSL workflow on the temporary PKCS#8 file
7. import the certificate into the NSS database

Granted, this won't work with HSMs, but I think that's OK, given it is only a 
temporary solution.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/542#issuecomment-284995622

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-08 Thread Martin Babinsky
On Tue, Feb 28, 2017 at 01:29:50PM +0100, Martin Babinsky wrote:
>Hello list,
>
>I have put together a draft of design page describing server-side
>implementation of user short name -> fully-qualified name resolution.[1]
>
>In the end I have taken the liberty to change a few aspects of the design we
>have agreed on before and I will be glad if we can discuss them further.
>
>Me and Honza have discussed the object that should hold the domain resolution
>order and given the fact that IPA domain can also be a part of this list, we
>have decided that this information is no longer bound to trust configuration
>and should be a part of the global config instead.
>
>Also we have purposefully cut down the API only to a raw manipulation of the
>attribute using an option of `ipa config-mod`. The reasons for this are
>twofold:
>
>  * the developer resources are quite scarce and it may be good to follow
>YAGNI[2] principle to implement the dumbest API now and not to invest into
>more high-level interface unless there is a demand for it
>
>  * we can imagine that the manipulation of the domain resolution order is a
>rare operation (ideally only once all trusts are established), so I am not
>convinced that it is worth investing into designing higher-level API
>
>I propose we first develop the "dumber" parts first to unblock the SSSD part.
>If we have spare cycle afterwards then we can design and implement more
>bells-and-whistles afterwards.
>
>[1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>[2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>
>-- 
>Martin^3 Babinsky
>

I have updated the design page[1] and incorporated most of the comments from all
reviewers. The most dramatic change is that I have expanded the discussion by
the possibility for overriding global domain resolution order by ID
view-specific settings. I have also expanded How-To section accordingly.

Please try to review and comment during today as the window for development is
quickly closing.

[1] http://www.freeipa.org/page/V4/AD_User_Short_Names

-- 
Martin Babinsky



[Freeipa-devel] [freeipa PR#549][comment] WebUI: certmap match

2017-03-08 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/549
Title: #549: WebUI: certmap match

pvomacka commented:
"""
Rebased. PR #400 already merged. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/549#issuecomment-284989778
