[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-09 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

HonzaCholasta commented:
"""
@frasertweedale, I'm not aware of any agreement and I'm against this as well.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300375495
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#769][synchronized] test_caless: add pkinit option and test it

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/769
Author: Rezney
 Title: #769: test_caless: add pkinit option and test it
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/769/head:pr769
git checkout pr769
From 1c517ee628fb31f765e21149fcaa3d26fd07d0fa Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Tue, 9 May 2017 16:39:45 +0200
Subject: [PATCH] test_caless: add pkinit option and test it

change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

Signed-off-by: Michal Reznik 
---
 .../test_integration/scripts/caless-create-pki | 112 -
 ipatests/test_integration/test_caless.py   |  76 --
 2 files changed, 151 insertions(+), 37 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..816e7dc 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -1,14 +1,29 @@
 #!/bin/bash -e
 
-profile_ca=(-t CT,C,C -v 120)
-profile_server=(-t ,, -v 12)
-
-crl_path=${crl_path-$(readlink -f $dbdir)}
-
-serial_number=0
+profile_ca_request_options=(-1 -2 -4)
+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_ca_create_options=(-v 120)
+profile_ca_add_options=(-t CT,C,C)
+profile_server_request_options=(-4)
+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_server_create_options=(-v 12)
+profile_server_add_options=(-t ,,)
+
+write_chain() {
+local nick="$1"
+
+chain=`certutil -O -d $dbdir -n "$nick" |
+ sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"`
+
+while read -r name; do
+# OpenSSL requires a reverse order to what we get from NSS
+echo -e "`certutil -L -d "$dbdir" -n "$name" -a`\n`cat $dbdir/$nick.pem`
+" > "$dbdir/$nick.pem"
+done <<< "$chain"
+}
 
 gen_cert() {
-local profile="$1" nick="$2" subject="$3" ca options pwfile noise csr crt
+local profile="$1" nick="$2" subject="$3" ca request_options request_input create_options serial add_options pwfile noise csr crt
 shift 3
 
 echo "gen_cert(profile=$profile nick=$nick subject=$subject)"
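Review bot: `write_chain` leaves `chain` as a global and passes `$dbdir` unquoted to `certutil -O -d $dbdir` and `cat $dbdir/$nick.pem`, while two lines later the same variable is quoted (`-d "$dbdir"`); declare `local chain` and quote both, otherwise a test directory with whitespace in its path splits the arguments. The `profile_*_request_input` strings are also expanded twice (the `eval "eval request_input=..."` in gen_cert), which is why every `$` in them has to be escaped here and why `$dbdir` goes through shell parsing a second time; a small function that prints the answers, e.g. `ca_request_input() { printf '0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://%s/%s.crl\n-1\n-1\n-1\nn\nn\n' "$(readlink -f "$dbdir")" "$ca"; }`, gives the same input without the nested eval.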
@@ -18,13 +33,20 @@ gen_cert() {
 ca="$nick"
 fi
 
-eval "options=(\"\${profile_$profile[@]}\")"
+eval "request_options=(\"\${profile_${profile}_request_options[@]}\")"
+eval "eval request_input=\"\${profile_${profile}_request_input}\""
+
+eval "create_options=(\"\${profile_${profile}_create_options[@]}\")"
 if [ "$ca" = "$nick" ]; then
-options=("${options[@]}" -x -m 1)
+create_options=("${create_options[@]}" -x -m 1)
 else
-options=("${options[@]}" -c "$ca")
+eval "serial_${ca//\//_}=\$((\${serial_${ca//\//_}:-1}+1))"
+eval "serial=\$serial_${ca//\//_}"
+create_options=("${create_options[@]}" -c "$ca" -m "$serial")
 fi
 
+eval "add_options=(\"\${profile_${profile}_add_options[@]}\")"
+
 pwfile="$(mktemp)"
 echo "$dbpassword" >"$pwfile"
 
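Review bot: the per-issuer counter is the right fix (every CA now hands out unique serials starting at 2, so they never collide with the CA's own `-x -m 1`), but building a variable name from the nickname with `eval "serial_${ca//\//_}=..."` only works while nicknames consist of `/`, letters, digits and `_`; any other character makes the eval fail or, worse, be executed. The nicknames come from the test script itself, so the risk is low, but with bash 4 an associative array does the same thing without eval: `declare -A serial_by_ca`, then `serial_by_ca[$ca]=$(( ${serial_by_ca[$ca]:-1} + 1 ))` and `-m "${serial_by_ca[$ca]}"`.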
@@ -38,22 +60,14 @@ gen_cert() {
 
 csr="$(mktemp)"
 crt="$(mktemp)"
-certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 -2 >/dev/null  "$dbdir/ext.kdc"
+}
+
+gen_pkinit_cert() {
+local nick="$1" subj="$2" outname="$3"
+shift 3
+
+openssl genrsa -out "$dbdir/$nick/kdc.key" 2048 > /dev/null
+openssl req -new -out "$dbdir/$nick/kdc.req" -key "$dbdir/$nick/kdc.key" \
+
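Review bot: `openssl genrsa` prints its progress to stderr, so the `> /dev/null` on the key generation silences nothing; use `2>/dev/null` if the output is unwanted (`bash -e` still aborts on a non-zero exit, which is what you want here). This hunk is cut off in the digest after the `openssl req -new` line, and the removed `certutil -R` line has been run together with `"$dbdir/ext.kdc"`, so the heredoc that writes the PKINIT extension file and the rest of `gen_pkinit_cert` cannot be reviewed from here; see the PR for those lines.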

[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-09 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

frasertweedale commented:
"""
Was there agreement that this should be implemented?  (I am personally
against it, because the next release should update the default profile to use
the new CommonNameToSanExtDefault profile component).

If we do implement this, IMO it should be a per-profile configuration, because there may
be legitimate use cases where SAN is not needed.

If we do pursue the current approach, we should further check not only that SAN
is present, but that it contains a DNSName.  Put another way, with the current patch,
SAN can be present, but it might contain only KRB5PrincipalName and no DNSName,
and therefore the warning will not show, but it probably should have warned.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/773#issuecomment-300351130
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#773][edited] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-09 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: edited

 Changed field: body
Original value:
"""
The code is obviously not the final version; however, I would like to know
if I'm on the right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName 
info.

Fix: https://pagure.io/freeipa/issue/6663
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#773][opened] [WIP] Warn in cert-request if CSR doesn't contain SAN

2017-05-09 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/773
Author: felipevolpone
 Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN
Action: opened

PR body:
"""
The code is obviously not the final version; however, I would like to know
if I'm on the right path.

AFAIK we should check if the SAN extension is provided and if it has DNSName 
info.

Fix: https://pagure.io/freeipa/issue/6663
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/773/head:pr773
git checkout pr773
From caddd601c9f03af5d1aff7732bca566f6391703f Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Tue, 9 May 2017 17:06:55 -0300
Subject: [PATCH] warn in cert-request if CSR doesn't contain SAN

---
 ipaserver/plugins/cert.py | 12 
 1 file changed, 12 insertions(+)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 1a425de..aa960ab 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -771,6 +771,18 @@ def execute(self, csr, all=False, raw=False, chain=False, **kw):
 cn = cns[-1].value  # "most specific" is end of list
 
 if principal_type in (SERVICE, HOST):
+
+has_dns_in_san_ext = False
+if ext_san:
+for gn in x509.process_othernames(ext_san.value):
+if isinstance(gn, cryptography.x509.general_name.DNSName):
+has_dns_in_san_ext = True
+
+if not ext_san or not has_dns_in_san_ext:
+print('Warning: The SAN extension '
+  'should be provided. Please, check the RFC 2818.')
+
+
 if not _dns_name_matches_principal(cn, principal, principal_obj):
 raise errors.ValidationError(
 name='csr',
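Review bot: `print()` inside a server-side `execute()` goes to the server process's stdout (the httpd error log under mod_wsgi), so the user running `ipa cert-request` never sees this warning; return it through the API instead, for instance a `PublicMessage` subclass in `ipalib/messages.py` with `type = 'warning'` (say `CSRMissingDNSName`, name assumed) passed to `self.add_message(...)` here, so the CLI prints it and JSON-RPC callers get it in `result['messages']`. Smaller points on the same lines: `has_dns_in_san_ext` is already False when `ext_san` is None, so `if not ext_san or not has_dns_in_san_ext` reduces to `if not has_dns_in_san_ext`; the loop can `break` on the first match; and `cryptography.x509.DNSName` is the public name for the class referenced via `cryptography.x509.general_name` (check that `cryptography` is imported in this module at all, the hunk does not show it). The message text should also say what is wrong ("no dNSName in subjectAltName") rather than only pointing at RFC 2818.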
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
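The check Fraser asks for in his comment (warn when the SAN is absent or carries only a KRB5PrincipalName and no dNSName), written out as a stand-alone script. This is an added example, not FreeIPA code and not the patch above: it decodes the DER value of the SubjectAltName extension by hand instead of going through python-cryptography's `ext_san`, so it runs anywhere; the function names `parse_general_names` and `san_warning`, the three sample SAN values and the principal `HTTP/host.example.test@EXAMPLE.TEST` are all constructed for the example. The KRB5PrincipalName it builds is the same otherName structure (RFC 4556 3.2.2) that the PKINIT certificates generated in PR#769 carry, so it also shows what `gen_pkinit_extensions()` has to put into that SAN.

```python
# Added example for this thread (not FreeIPA code): decide whether a CSR's
# SubjectAltName is good enough for a host/service principal by parsing the
# extension's DER value (RFC 5280 4.2.1.6). Sample values are constructed below.

KRB5_PRINCIPAL_NAME_OID = "1.3.6.1.5.2.2"   # id-pkinit-san (RFC 4556)


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV: tag byte, definite length, contents."""
    return bytes([tag]) + _encode_length(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Dotted notation from the contents octets of an OID TLV."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(san_der):
    """[(kind, value), ...] for every GeneralName in the SAN SEQUENCE."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        choice = tag & 0x1F             # context tag number selects the CHOICE
        if choice == 2:
            names.append(("dNSName", val.decode("ascii")))
        elif choice == 1:
            names.append(("rfc822Name", val.decode("ascii")))
        elif choice == 7:
            names.append(("iPAddress", ".".join(str(b) for b in val)))
        elif choice == 0:               # otherName: type-id OID, [0] EXPLICIT value
            _, oid_body, _ = _read_tlv(val, 0)
            oid = decode_oid(oid_body)
            kind = "KRB5PrincipalName" if oid == KRB5_PRINCIPAL_NAME_OID else "otherName"
            names.append((kind, oid))
        else:
            names.append(("GeneralName[%d]" % choice, val.hex()))
    return names


def hostname_from_principal(principal):
    """'HTTP/host.example.test@EXAMPLE.TEST' -> 'host.example.test'"""
    return principal.split("@", 1)[0].split("/", 1)[1].lower()


def san_warning(san_der, principal):
    """None when the SAN carries a dNSName for the principal's host, otherwise
    the warning text a cert-request for a host/service principal should return."""
    names = parse_general_names(san_der) if san_der else []
    if not names:
        return "CSR has no SAN extension; RFC 2818 3.1 wants a dNSName"
    dns = [v.lower() for k, v in names if k == "dNSName"]
    if not dns:
        return "SAN has no dNSName, only " + ", ".join(k for k, _ in names)
    if hostname_from_principal(principal) not in dns:
        return "SAN dNSName %s does not cover the principal's host" % dns
    return None


# Constructed sample SAN values (not taken from any real CSR).
HOST = b"host.example.test"
SAN_DNS_ONLY = der(0x30, der(0x82, HOST))
# KRB5PrincipalName for HTTP/host.example.test@EXAMPLE.TEST (RFC 4556 3.2.2).
_KRB5_NAME = der(0x30,
    der(0xA0, der(0x1B, b"EXAMPLE.TEST")) +                          # [0] realm
    der(0xA1, der(0x30,                                              # [1] principalName
        der(0xA0, der(0x02, b"\x03")) +                              #   [0] name-type NT-SRV-HST
        der(0xA1, der(0x30, der(0x1B, b"HTTP") + der(0x1B, HOST))))))  # [1] name-string
_KRB5_OTHERNAME = der(0xA0, encode_oid(KRB5_PRINCIPAL_NAME_OID) + der(0xA0, _KRB5_NAME))
SAN_KRB5_ONLY = der(0x30, _KRB5_OTHERNAME)
SAN_MIXED = der(0x30, _KRB5_OTHERNAME + der(0x82, HOST))

if __name__ == "__main__":
    for label, san in (("dns", SAN_DNS_ONLY), ("krb5", SAN_KRB5_ONLY),
                       ("mixed", SAN_MIXED), ("none", None)):
        print(label, san_warning(san, "HTTP/host.example.test@EXAMPLE.TEST"))
```

Run as a script it prints one line per sample: `dns` and `mixed` give `None`, `krb5` gives "SAN has no dNSName, only KRB5PrincipalName", `none` the missing-extension text. In cert.py the same decision would be taken over the general names in `ext_san.value`, and the text should go back to the client through `self.add_message()` rather than `print()`.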

[Freeipa-devel] [freeipa PR#761][comment] Fixing adding authenticator indicators to host

2017-05-09 Thread felipevolpone
  URL: https://github.com/freeipa/freeipa/pull/761
Title: #761: Fixing adding authenticator indicators to host

felipevolpone commented:
"""
Done
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/761#issuecomment-300266711
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][comment] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

tiran commented:
"""
Needs to be merged into 4.5.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/772#issuecomment-300255483
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][+blocker] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

Label: +blocker
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][+ack] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/772
Title: #772: Travis CI: explicitly update pip before running the builds

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread rcritten
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

rcritten commented:
"""
As far as I can tell it is always recoverable using this. I wasn't able to 
force a failure of replication, that could be a potential show-stopper. The PR 
doesn't touch the replication agreements at all except to allow them to already 
be there, so if things were in some sort of halfway state I couldn't say for 
sure what would happen.

The code is there for examination to determine what steps are done, but in 
short:

- call the existing CA uninstaller which mostly just calls pki-destroy (it also 
does some state cleanup, removes the CRLs and untracks the CA certs via 
certmonger)
- A side-effect of the uninstaller is to shutdown certmonger. I start that back 
up
- The service is removed from cn=masters
- The cached services list is removed so ipactl won't fail starting a 
non-existent tomcat instance

To be idempotent would require changes in dogtag, it is that which blows up on 
a re-install attempt.

I would not be in favor of automatically uninstalling dogtag on another 
ipa-ca-install call.

ipa-ca-install would/should never be run on the original master. It already 
prints a big fat warning. I'd be ok making it fatter and requiring (no joke) 
multiple "Are you sure" prompts.

There is no CA install for CAless so not a case I'm interested in.

If you want to rename options I'm ok with that as well, maybe --try-again or 
something of that nature (in which case I WOULD be in favor of doing the 
uninstall automatically).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300247543
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][synchronized] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/772
Author: martbab
 Title: #772: Travis CI: explicitly update pip before running the builds
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/772/head:pr772
git checkout pr772
From ac03074839f3602df8c95be89d52ef4ae8238033 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 9 May 2017 18:36:51 +0200
Subject: [PATCH] Travis CI: explicitly update pip before running the builds

This is to workaround around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
implicit requirement of python-requests on newer pip.
---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 1a8f1b3..c275cdc 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,6 +28,8 @@ env:
 test_pkcs10
 test_xmlrpc/test_[l-z]*.py"
 install:
+- pip install --upgrade pip
+- pip3 install --upgrade pip
 - pip install pep8
 - >
   pip3 install
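Review bot: `pip install --upgrade pip` with no version pin means every build now fetches whatever pip is newest on PyPI at run time, so a later pip release can break or change the build independently of anything in this repository; pin it to the version known to work around the Travis issue and bump it deliberately. Also confirm that `pip` and `pip3` are different interpreters' pips on the Travis image in use, otherwise the second line just upgrades the same one twice.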
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#772][opened] Travis CI: explicitly update pip before running the builds

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/772
Author: martbab
 Title: #772: Travis CI: explicitly update pip before running the builds
Action: opened

PR body:
"""
This is to workaround around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
implicit requirement of python-requests on newer pip.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/772/head:pr772
git checkout pr772
From 51de0bc52f48b17fad03a19bc3a094ba797a2c4d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 9 May 2017 18:36:51 +0200
Subject: [PATCH] Travis CI: explicitly update pip before running the builds

This is to workaround around
https://github.com/travis-ci/travis-ci/issues/7733 and issues with
implicit requirement of python-requests on newer pip.
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 1a8f1b3..5835999 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,6 +28,7 @@ env:
 test_pkcs10
 test_xmlrpc/test_[l-z]*.py"
 install:
+- pip install --upgrade pip
 - pip install pep8
 - >
   pip3 install
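Review bot: only `pip` is upgraded here while the install step that follows uses `pip3` as well; if the Travis pip issue affects the Python 3 environment too, its pip needs the same `--upgrade`, and whichever version is chosen should be pinned rather than floating to the newest release on every build.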
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#771][opened] cert-show: check if certificate_out is in options

2017-05-09 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/771
Author: stlaz
 Title: #771: cert-show: check if certificate_out is in options
Action: opened

PR body:
"""
If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None, though.

https://pagure.io/freeipa/issue/6885
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/771/head:pr771
git checkout pr771
From 46db5c88fa85915f56def93ae7ea20b34b2aac32 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 9 May 2017 17:45:20 +0200
Subject: [PATCH] cert-show: check if certificate_out is in options

If --certificate-out was specified on the command line, it will appear
among the options. If it was empty, it will be None, though.

https://pagure.io/freeipa/issue/6885
---
 ipaclient/plugins/cert.py | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ipaclient/plugins/cert.py b/ipaclient/plugins/cert.py
index a4ee9a9..1809de0 100644
--- a/ipaclient/plugins/cert.py
+++ b/ipaclient/plugins/cert.py
@@ -49,9 +49,14 @@ class CertRetrieveOverride(MethodOverride):
 )
 
 def forward(self, *args, **options):
-certificate_out = options.pop('certificate_out', None)
-if certificate_out is not None:
+if 'certificate_out' in options:
+certificate_out = options.pop('certificate_out')
+if certificate_out is None:
+raise errors.ValidationError(name='certificate-out',
+ error=_(u'cannot be empty'))
 util.check_writable_file(certificate_out)
+else:
+certificate_out = None
 
 result = super(CertRetrieveOverride, self).forward(*args, **options)
 
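Review bot: the new `raise errors.ValidationError(name='certificate-out', error=_(u'cannot be empty'))` relies on `errors` and `_` being imported in `ipaclient/plugins/cert.py`; the hunk does not show the import block, so check both are present. The behaviour change itself looks right: an explicit empty `--certificate-out=` now fails before the request is sent instead of silently returning the certificate without writing it, and `options.pop` still strips the client-only option before `forward` sends the call to the server.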
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#770][opened] cert-show: writable files does not mean dirs

2017-05-09 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/770
Author: stlaz
 Title: #770: cert-show: writable files does not mean dirs
Action: opened

PR body:
"""
ipalib.util.check_writable_file didn't check whether the argument
is an actual file which is now fixed.

https://pagure.io/freeipa/issue/6883
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/770/head:pr770
git checkout pr770
From 8e14e41045971193649e8f3acc0bbab0c053b7a8 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 9 May 2017 17:49:56 +0200
Subject: [PATCH] cert-show: writable files does not mean dirs

ipalib.util.check_writable_file didn't check whether the argument
is an actual file which is now fixed.

https://pagure.io/freeipa/issue/6883
---
 ipalib/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index e9d4105..f89ac14 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -171,7 +171,7 @@ def check_writable_file(filename):
 if filename is None:
 raise errors.FileError(reason=_('Filename is empty'))
 try:
-if os.path.exists(filename):
+if os.path.isfile(filename):
 if not os.access(filename, os.W_OK):
 raise errors.FileError(reason=_('Permission denied: %(file)s') % dict(file=filename))
 else:
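Review bot: with `os.path.isfile` an existing path that is not a regular file (a directory, a socket, a dangling symlink) no longer takes the W_OK branch and falls through to the `else` below, which handles the "file does not exist yet" case; make sure that branch rejects a path that exists but is not a file, otherwise whatever opens the file for writing later fails with a less helpful error such as IsADirectoryError. `os.path.isfile` follows symlinks, so a symlink to a regular file is still accepted and the W_OK check applies to the target, which is what you want.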
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#769][opened] test_caless: add pkinit option and test it

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/769
Author: Rezney
 Title: #769: test_caless: add pkinit option and test it
Action: opened

PR body:
"""
What was done?

~~~
1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificate generation, so the write_chain() function was 
introduced, which handles the cert chain in the pkcs12 files and also reverses the 
chain order for the openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not being provided, 
the "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both the install_server() and prepare_replica() methods and the particular options are 
passed to the installer. Then copy_pkinit() is handling the pkinit certs transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() because tests were 
failing there, but that whole workaround for ticket 4639 will be removed in a 
different commit.
~~~

What can be improved? (at least what I am aware of)

~~~
Currently pkinit certificates are not inside the NSS DB so we copy them separately 
(we could also move them to certdir and copy it as a whole). Tried to put them there 
with pk12util but the certs were getting nicknames from the openssl friendly names 
(I guess). Added the -name parameter to the "openssl pkcs12 -export" command and the 
nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L), however after 
the "caless-create-pki" script was done all pkinit cert nicknames were just 
prefixed with "ca1/" (instead of ca1/, ca2/ etc.).
~~~

Issues found:

~~~
Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR    PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR    Failed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: stopping directory server
~~~
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/769/head:pr769
git checkout pr769
From e8fbb3de2436936370b3be3df5c5dfbd59670333 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Tue, 9 May 2017 16:39:45 +0200
Subject: [PATCH] test_caless: add pkinit option and test it

change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

Signed-off-by: Michal Reznik 
---
 .../test_integration/scripts/caless-create-pki | 112 -
 ipatests/test_integration/test_caless.py   |  77 +++---
 2 files changed, 150 insertions(+), 39 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index 8928e95..816e7dc 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -1,14 +1,29 @@
 #!/bin/bash -e
 
-profile_ca=(-t CT,C,C -v 120)
-profile_server=(-t ,, -v 12)
-
-crl_path=${crl_path-$(readlink -f $dbdir)}
-
-serial_number=0
+profile_ca_request_options=(-1 -2 -4)
+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_ca_create_options=(-v 120)
+profile_ca_add_options=(-t CT,C,C)
+profile_server_request_options=(-4)
+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_server_create_options=(-v 12)
+profile_server_add_options=(-t ,,)
+
+write_chain() {
+local nick="$1"
+
+chain=`certutil -O -d $dbdir -n "$nick" |
+ sed -e '/^\s*$/d' -e "s/\s*\"\(.*\)\" \[.*/\1/g"`
+
+while read -r name; do
+# OpenSSL requires a reverse order to what we get from NSS
+echo -e "`certutil -L -d "$dbdir" -n "$name" -a`\n`cat $dbdir/$nick.pem`
+" > 
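Review bot: if `$dbdir/$nick.pem` has not been written before `write_chain` is called, the `cat $dbdir/$nick.pem` substitution in the first loop iteration prints a "No such file" error to stderr and contributes an empty string; `bash -e` does not abort on that (the exit status of the `echo` is what counts), so the chain file is still produced, but the noise hides real failures. Create the file first (`: > "$dbdir/$nick.pem"`) or guard the `cat` with `[ -f ... ]`, and quote `$dbdir` here as it is quoted in the `certutil -L` call. The hunk is truncated in this digest after the redirection's `>`, so the end of the function is not visible here.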

[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless

2017-05-09 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/768
Title: #768: Ticket#6854 caless

abbra commented:
"""
PKINIT certificates are used by `krb5kdc`, which uses OpenSSL. It means they 
cannot be placed in an NSSDB.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/768#issuecomment-300203017
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][+pushed] Slim down dependencies

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][comment] Slim down dependencies

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

MartinBasti commented:
"""
master:

* bd5a5012d24820b54cdca2955f5405b84de1178c Slim down dependencies


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/671#issuecomment-300198093
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][closed] Slim down dependencies

2017-05-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/671
Author: tiran
 Title: #671: Slim down dependencies
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/671/head:pr671
git checkout pr671
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#671][+ack] Slim down dependencies

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/671
Title: #671: Slim down dependencies

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#768][closed] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#768][edited] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: edited

 Changed field: body
Original value:
"""
What was done?
~~

1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificate generation, so the write_chain() function was 
introduced, which handles the cert chain in the pkcs12 files and also reverses the 
chain order for the openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not being provided, 
the "pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both the install_server() and prepare_replica() methods and the particular options are 
passed to the installer. Then copy_pkinit() is handling the pkinit certs transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually added "raiseonerr=False" to ipa_certs_cleanup() because tests were 
failing there, but that whole workaround for ticket 4639 will be removed in a 
different commit.


What can be improved? (at least what I am aware of)
~

Currently pkinit certificates are not inside the NSS DB so we copy them separately 
(we could also move them to certdir and copy it as a whole). Tried to put them there 
with pk12util but the certs were getting nicknames from the openssl friendly names 
(I guess). Added the -name parameter to the "openssl pkcs12 -export" command and the 
nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L), however after 
the "caless-create-pki" script was done all pkinit cert nicknames were just 
prefixed with "ca1/" (instead of ca1/, ca2/ etc.).


Issues found:
~

Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR    PKINIT certificate request failed: Certificate issuance failed (CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : ERROR    Failed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: stopping directory server
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#761][synchronized] Fixing adding authenticator indicators to host

2017-05-09 Thread felipevolpone
   URL: https://github.com/freeipa/freeipa/pull/761
Author: felipevolpone
 Title: #761: Fixing adding authenticator indicators to host
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/761/head:pr761
git checkout pr761
From ac19e97b02c65a4728239a134e5d2bc39a08672f Mon Sep 17 00:00:00 2001
From: Felipe Volpone 
Date: Thu, 4 May 2017 09:51:07 -0300
Subject: [PATCH] Fixing adding authenticator indicators to host

The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911
---
 ipaserver/plugins/host.py | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index dcadd54..15bd25d 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -920,7 +920,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = _entry_attrs['objectclass']
-if 'ieee802device' not in obj_classes:
+if 'ieee802device' not in [item.lower() for item in obj_classes]:
 obj_classes.append('ieee802device')
 entry_attrs['objectclass'] = obj_classes
 
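Review bot: `[item.lower() for item in obj_classes]` is now written out four times in this function; a one-line helper such as `def _has_objectclass(ocs, name): return name in (oc.lower() for oc in ocs)` keeps the checks identical and makes the next one harder to get wrong. The fix itself is correct: LDAP matches objectClass values case-insensitively, so an entry created with `IEEE802Device` must not get a second, differently-cased copy appended.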
@@ -940,7 +940,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 else:
 _entry_attrs = ldap.get_entry(dn, ['objectclass'])
 obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
-if 'ipasshhost' not in obj_classes:
+if 'ipasshhost' not in [item.lower() for item in obj_classes]:
 obj_classes.append('ipasshhost')
 
 update_krbticketflags(ldap, entry_attrs, attrs_list, options, True)
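Review bot: same pattern as the hunk above; the `ipasshhost` check would read better through one shared case-insensitive helper than through another inline lowercasing comprehension.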
@@ -949,14 +949,16 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbticketpolicyaux' not in entry_attrs['objectclass']:
+if 'krbticketpolicyaux' not in [item.lower() for item in
+entry_attrs['objectclass']]:
 entry_attrs['objectclass'].append('krbticketpolicyaux')
 
 if 'krbprincipalauthind' in entry_attrs:
 if 'objectclass' not in entry_attrs:
 entry_attrs_old = ldap.get_entry(dn, ['objectclass'])
 entry_attrs['objectclass'] = entry_attrs_old['objectclass']
-if 'krbprincipalaux' not in entry_attrs['objectclass']:
+if 'krbprincipalaux' not in [item.lower() for item in
+ entry_attrs['objectclass']]:
 entry_attrs['objectclass'].append('krbprincipalaux')
 
 add_sshpubkey_to_attrs_pre(self.context, attrs_list)
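Review bot: the wrapped continuation lines (`+entry_attrs['objectclass']]:`) split the membership test across two lines at both sites; a small helper such as `def _has_objectclass(entry, name): return name in (c.lower() for c in entry['objectclass'])` would keep each check on one line and remove the four copies. Also, each branch does its own `ldap.get_entry(dn, ['objectclass'])` when `'objectclass' not in entry_attrs` (see the same pattern in the two earlier hunks), so a single host-mod touching several attributes can issue up to four extra LDAP searches; fetching the objectclass list once before these checks would avoid that.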
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#768][opened] Ticket#6854 caless

2017-05-09 Thread Rezney
   URL: https://github.com/freeipa/freeipa/pull/768
Author: Rezney
 Title: #768: Ticket#6854 caless
Action: opened

PR body:
"""
What was done?
~~

1.) caless-create-pki

The script was kind of merged with 
https://github.com/freeipa/freeipa-tools/blob/master/makepki.sh. Standa took 
care of PKINIT certificate generation, so the write_chain() function was 
introduced which handles the cert chain in the pkcs12 files and also reverses the chain 
order for the openssl command.

Then gen_pkinit_extensions() and gen_pkinit_cert() are handling the PKINIT 
certificate generation. See 
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

2.) test_caless.py

As the tests are currently failing due to the pkinit option not being provided, the 
"pkinit_pin, pkinit_pkcs12_exists and pkinit_pkcs12" parameters were added to 
both the install_server() and prepare_replica() methods and the corresponding options are 
passed to the installer. Then copy_pkinit() handles the pkinit cert transfer.

TestPKINIT class contains test_server_replica_install_pkinit() test which 
checks both server and replica install with pkinit for a starter.

Eventually I added "raiseonerr=False" to ipa_certs_cleanup() because tests were 
failing there, but that whole workaround for ticket 4639 will be removed in a 
different commit.


What can be improved? (at least what I am aware of)
~

Currently pkinit certificates are not inside the NSS db so we copy them separately 
(we could also move them to certdir and copy it as a whole). I tried to put them there 
with pk12util but the certs were getting nicknames from the openssl friendly names 
(I guess). I added the -name parameter to the "openssl pkcs12 -export" command and the 
nicknames were fine (e.g. "ca1/pkinit-server" after certutil -L), however after 
the "caless-create-pki" script was done all pkinit cert nicknames were just 
prefixed with "ca1/" (instead of ca1/, ca2/ etc.).


Issues found:
~

Replica install with pkinit is not failing anymore with "Certificate issuance 
failed (CA_UNREACHABLE)", however the ERROR message is still presented:


[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/1]: 
installing X509 Certificate for PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORPKINIT certificate request failed: Certificate issuance failed 
(CA_UNREACHABLE)
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] ipa : 
ERRORFailed to configure PKINIT
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Done 
configuring Kerberos KDC (krb5kdc).
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Applying LDAP 
updates
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26] Upgrading 
IPA:. Estimated time: 1 minute 30 seconds
[ipa.ipatests.pytest_plugins.integration.host.Host.vm-021.cmd26]   [1/9]: 
stopping directory server
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/768/head:pr768
git checkout pr768

[Freeipa-devel] Moving our wiki back to password login

2017-05-09 Thread Martin Kosek
Hello all,

As some of you noticed, FreeIPA wiki authentication via OpenID has been
broken in the last days. I suspect (but did not get a reply from Patrick, who
is running the Fedora infra, yet) that it was caused by Fedora moving to a
more modern authentication protocol, i.e. from OpenID to OpenID Connect
(OIDC):
https://fedoraproject.org/wiki/Infrastructure/Authentication

Unfortunately, I cannot make the OIDC login for our current FreeIPA
instance available, given that our wiki runs on OpenShift v2 which uses
PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26.
OIDC mediawiki authentication plugin is supported from 1.27 forward.

So the wiki needs to be either:
- migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance
- migrated to OpenShift v3 (preferred)
to unblock us from this situation and get to proper OIDC authentication.

However, this will need more time and preparation (which I do not even
have right now). For now, I simply disabled OpenID authentication in our
wiki and enabled password logins again! Anonymous account creation is
disabled to avoid spammers. However, given that we now require people to
be in a special group (editors) to fight the spammers, there is actually
no big functionality lost in this, except having to use yet another
password.

To summarize, if you want to access the wiki again, please use the
password you may have had before we migrated to Fedora OpenID. If you do
not have the password yet, you should be able to simply reset it before
logging in and you should get an email (the mail part did not work for
martbab this afternoon, though). In the worst case, I can reset the
password for you, just shoot me an email.

Thanks!

-- 
Martin Kosek 
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.



[Freeipa-devel] [freeipa PR#729][+ack] Turn on NSSOCSP check in mod_nss conf

2017-05-09 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

Label: +ack

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tiran commented:
"""
@tomaskrizek yes, custodia 0.5 will no longer have the restriction.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300173956

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tomaskrizek commented:
"""
@tiran Once this PR is merged, do you plan to remove the conflict with 
`freeipa-server-common < 4.5` from custodia or do we need to address something 
else as well?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300163978

[Freeipa-devel] [freeipa PR#766][closed] ipa-kra-install: fix check_host_keys

2017-05-09 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/766
Author: flo-renaud
 Title: #766: ipa-kra-install: fix check_host_keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/766/head:pr766
git checkout pr766

[Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/766
Title: #766: ipa-kra-install: fix check_host_keys

MartinBasti commented:
"""
master:

* 8983ce53e3fdee98926f81f3012146e33bb92d30 ipa-kra-install: fix check_host_keys


ipa-4-5:

* b90dce88e227174aa33270beee9b3d6ff51cce59 ipa-kra-install: fix check_host_keys


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/766#issuecomment-300148119

[Freeipa-devel] [freeipa PR#766][+pushed] ipa-kra-install: fix check_host_keys

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/766
Title: #766: ipa-kra-install: fix check_host_keys

Label: +pushed

[Freeipa-devel] [freeipa PR#766][+ack] ipa-kra-install: fix check_host_keys

2017-05-09 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/766
Title: #766: ipa-kra-install: fix check_host_keys

Label: +ack

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

stlaz commented:
"""
Alright, thanks. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300146298

[Freeipa-devel] [freeipa PR#760][+ack] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

Label: +ack

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

tiran commented:
"""
The patch doesn't work with custodia 0.1. It needs at least 0.2.0-1.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300143282

[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: [4.4] Run ipa-custodia under Python 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760
From c804d46f1faa265a6951e782213f63ae2e051ede Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 3 May 2017 16:38:21 +0200
Subject: [PATCH] Run ipa-custodia under Python 2

Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes 
---
 freeipa.spec.in   | 10 ++
 init/systemd/ipa-custodia.service |  3 +--
 install/tools/Makefile.am |  1 +
 install/tools/ipa-custodia|  6 ++
 4 files changed, 14 insertions(+), 6 deletions(-)
 create mode 100755 install/tools/ipa-custodia

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e0f1df2..21f2416 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,8 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
 BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
+# install/tools/ipa-custodia needs custodia 0.2+
+BuildRequires:  custodia >= 0.2
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
 BuildRequires:  python-netifaces >= 0.10.4
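Review bot: the bound `custodia >= 0.2` is justified by the comment (the new install/tools/ipa-custodia wrapper imports `custodia.server.main`, which older releases do not provide), but the rationale is only written here; the three `Requires:` bumps further down carry no explanation. Repeating the one-line comment there, or citing the issue in the commit message, would save the next reader the question stlaz raised in the thread.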
@@ -246,7 +247,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.2
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -498,7 +499,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia >= 0.2
 Requires: python-dns >= 1.13
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -546,7 +547,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia >= 0.2
 Requires: python3-requests
 Requires: python3-dns >= 1.11.1
 Requires: python3-netifaces >= 0.10.4
@@ -1069,6 +1070,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service
index ff930fb..63246c4 100644
--- a/init/systemd/ipa-custodia.service
+++ b/init/systemd/ipa-custodia.service
@@ -3,8 +3,7 @@ Description=IPA Custodia Service
 
 [Service]
 Type=simple
-
-ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf
+ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
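Review bot: `ExecStart` hard-codes `/usr/libexec/ipa/ipa-custodia` while the spec installs the script under `%{_libexecdir}/ipa` and the Makefile under `$(libexecdir)/ipa/`; on a platform where libexecdir is not /usr/libexec the unit would point at a missing file and, with `Restart=on-failure` / `RestartSec=60s`, loop on startup. If the unit is not already generated from a template, consider substituting the libexecdir at build time.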
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2866a30..66ee9e3 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ EXTRA_DIST =			\
 
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS =			\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
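Review bot: adding `ipa-custodia` to `app_SCRIPTS` installs it, but automake does not distribute SCRIPTS by default; the hunk header shows `EXTRA_DIST =` ending just above this hunk, so check that the new script is also listed there (or switch to `dist_app_SCRIPTS`), otherwise a release tarball built from this tree would lack the file that the %files section now requires.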
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..2086a9c
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from custodia.server import main
+
+if __name__ == '__main__':
+main()
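Review bot: as reproduced here `main()` sits at column zero under the `if __name__ == '__main__':` guard; if that is not a mail-wrapping artefact the script fails to compile, so please verify the indentation in the actual file. Also note that `from custodia.server import main` raises ImportError at service start on custodia < 0.2, and the unit's `Restart=on-failure` / `RestartSec=60s` would then restart it every minute, which is why the `>= 0.2` dependency bump in the spec is required rather than cosmetic.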

[Freeipa-devel] [freeipa PR#760][comment] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/760
Title: #760: [4.4] Run ipa-custodia under Python 2

stlaz commented:
"""
Works for me. However, I do not see the reason to do `custodia > 0.2`, please, 
either provide some or remove it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/760#issuecomment-300140520

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

stlaz commented:
"""
@pvoborni @rcritten @martbab This discussion at this PR makes no sense. Clearly 
we can see that the impact is much higher and should be discussed on designated 
channels, meaning either **freeipa-devel** mailing list or in our issue 
tracking system (the former would be preferable with having the result in the 
latter). I believe that the guys from the Dogtag project could also have a 
great insight on this.

Here are the questions which should answer why I want this to be discussed there:
- how to handle users so they don't use `ipa-ca-install --uninstall` any time?
- at which point is the installation recoverable and when is it not?
- describe what happens in each and every step, mention which files and entries 
are created
  - on master
  - on replica
- describe what has to be done in case a step fails, for each and every step
  - on master
  - on replica
- describe how `ipa-ca-install` rollback should behave when installing the first CA 
in a CA-less setup

These problems are just from the top of my head and I am a CA installation 
noob. I would however be very cautious not knowing an answer to either of those.

@rcritten if you do know the answers, please, share them with us (or maybe just 
me because I sure don't know them), it would help a lot with deciding on where 
to go from here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300120774

[Freeipa-devel] [freeipa PR#762][+ack] fix managed-entries printing IPA not installed

2017-05-09 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/762
Title: #762: fix managed-entries printing IPA not installed

Label: +ack

[Freeipa-devel] [freeipa PR#725][closed] Fix certificate_out check in CertRetrieveOverride

2017-05-09 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/725
Author: Akasurde
 Title: #725: Fix certificate_out check in CertRetrieveOverride
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/725/head:pr725
git checkout pr725

[Freeipa-devel] [freeipa PR#726][closed] Add check for directory name

2017-05-09 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/726
Author: Akasurde
 Title: #726: Add check for directory name
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/726/head:pr726
git checkout pr726

[Freeipa-devel] [freeipa PR#766][comment] ipa-kra-install: fix check_host_keys

2017-05-09 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/766
Title: #766: ipa-kra-install: fix check_host_keys

flo-renaud commented:
"""
Hi @MartinBasti  @martbab 
thank you for the comment. PR updated with your suggestion.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/766#issuecomment-300101597

[Freeipa-devel] [freeipa PR#766][synchronized] ipa-kra-install: fix check_host_keys

2017-05-09 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/766
Author: flo-renaud
 Title: #766: ipa-kra-install: fix check_host_keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/766/head:pr766
git checkout pr766
From 3e5250cfcd003b0bd72ba77fff5c1d03d23ebc89 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 5 May 2017 17:06:09 +0200
Subject: [PATCH] ipa-kra-install: fix check_host_keys

ipa-kra-install on a replica checks that the keys are available before
going further, to avoid a race condition due to replication. The issue is
that the check_host_keys method expects to find exactly one key for
cn=env/host but 2 may exist: one below cn=custodia and one below
cn=dogtag,cn=custodia.
The fix is to check that at least one key exists (not exactly one key).

https://pagure.io/freeipa/issue/6934
---
 ipaserver/secrets/kem.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index c1991c6..3363d82 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -72,7 +72,7 @@ def get_key(self, usage, principal):
  'princ': principal})
 r = conn.search_s(self.keysbase, scope, ldap_filter)
 if len(r) != 1:
-raise ValueError("Incorrect number of results (%d) searching for"
+raise ValueError("Incorrect number of results (%d) searching for "
  "public key for %s" % (len(r), principal))
 ipa_public_key = r[0][1]['ipaPublicKey'][0]
 jwk = self._parse_public_key(ipa_public_key)
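Review bot: good catch on the missing trailing space; the implicit string concatenation previously produced "searching forpublic key". Note that `get_key` keeps the strict `len(r) != 1` check while `check_host_keys` in the next hunk is relaxed to "at least one"; the asymmetry is deliberate per the commit message, but a short comment at one of the two sites would stop a future reader from "fixing" it.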
@@ -85,9 +85,8 @@ def check_host_keys(self, host):
 
 ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host})
 r = conn.search_s(self.keysbase, scope, ldap_filter)
-if len(r) != 1:
-raise ValueError("Incorrect number of results (%d) searching for"
- "public key for %s" % (len(r), host))
+if not r:
+raise ValueError("No public keys were found for %s" % host)
 return True
 
 def _format_public_key(self, key):
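Review bot: replacing `len(r) != 1` with `not r` makes the guard weaker than the commit message suggests. The check exists to wait out replication before the KRA install proceeds, but with two keys expected for the host (one below cn=custodia, one below cn=dogtag,cn=custodia) the new condition is satisfied as soon as either one has replicated, so the install can still race ahead of the key it actually needs. Consider having the caller state which key(s) it requires and checking for those, or at least comparing against the expected count rather than against zero; the `IPA_CHECK_QUERY` filter as used here does not distinguish the two subtrees.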

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

martbab commented:
"""
@pvoborni We can try to move the uninstaller logic to the beginning of the 
install, or make the affected steps idempotent. But still I would be hesitant 
to merge this PR without some design in place.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300098837

[Freeipa-devel] [freeipa PR#760][synchronized] [4.4] Run ipa-custodia under Python 2

2017-05-09 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/760
Author: tiran
 Title: #760: [4.4] Run ipa-custodia under Python 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/760/head:pr760
git checkout pr760
From d30ea463bc0671af542e7d86ec9d753209b7dfa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 3 May 2017 16:38:21 +0200
Subject: [PATCH] Run ipa-custodia under Python 2

Closes: https://pagure.io/freeipa/issue/6926
Signed-off-by: Christian Heimes 
---
 freeipa.spec.in   | 9 +
 init/systemd/ipa-custodia.service | 3 +--
 install/tools/Makefile.am | 1 +
 install/tools/ipa-custodia| 6 ++
 4 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100755 install/tools/ipa-custodia

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e0f1df2..0b0761b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -112,7 +112,7 @@ BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
 BuildRequires:  python-six
 BuildRequires:  python-jwcrypto
-BuildRequires:  custodia
+BuildRequires:  custodia > 0.2
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
 BuildRequires:  python-netifaces >= 0.10.4
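Review bot: `custodia > 0.2` excludes version 0.2 itself, while the thread states the wrapper needs "at least 0.2.0-1"; `>= 0.2` is the bound actually intended, and the same strict `> 0.2` is repeated in the three `Requires:` hunks below, so all four should be changed together. A comment explaining why the floor is needed (the new script imports `custodia.server.main`) would also answer the question raised in review.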
@@ -246,7 +246,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia > 0.2
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -498,7 +498,7 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
+Requires: python-custodia > 0.2
 Requires: python-dns >= 1.13
 Requires: python-netifaces >= 0.10.4
 Requires: pyusb
@@ -546,7 +546,7 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
+Requires: python3-custodia > 0.2
 Requires: python3-requests
 Requires: python3-dns >= 1.11.1
 Requires: python3-netifaces >= 0.10.4
@@ -1069,6 +1069,7 @@ fi
 %{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/ipa-custodia.service b/init/systemd/ipa-custodia.service
index ff930fb..63246c4 100644
--- a/init/systemd/ipa-custodia.service
+++ b/init/systemd/ipa-custodia.service
@@ -3,8 +3,7 @@ Description=IPA Custodia Service
 
 [Service]
 Type=simple
-
-ExecStart=/usr/sbin/custodia /etc/ipa/custodia/custodia.conf
+ExecStart=/usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2866a30..66ee9e3 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ EXTRA_DIST =			\
 
 appdir = $(libexecdir)/ipa/
 app_SCRIPTS =			\
+	ipa-custodia		\
 	ipa-httpd-kdcproxy	\
 	ipa-pki-retrieve-key	\
 	$(NULL)
diff --git a/install/tools/ipa-custodia b/install/tools/ipa-custodia
new file mode 100755
index 000..2086a9c
--- /dev/null
+++ b/install/tools/ipa-custodia
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+# Copyright (C) 2017  IPA Project Contributors, see COPYING for license
+from custodia.server import main
+
+if __name__ == '__main__':
+main()

[Freeipa-devel] [freeipa PR#767][closed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/767
Author: tomaskrizek
 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/767/head:pr767
git checkout pr767

[Freeipa-devel] [freeipa PR#767][comment] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

martbab commented:
"""
ipa-4-5:

* cdefa3030fba0f9a79f65f91aec84a44795c17f5 python2-ipalib: add missing python 
dependency
* 1662b0ef2fff6ee002afd99f86b9075a603b6027 installer service: fix typo in 
service entry
* d10d5066aa60288703f2cf4b1a8dd7ed0aab8842 upgrade: add missing suffix to http 
instance
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/767#issuecomment-300098076

[Freeipa-devel] [freeipa PR#767][+pushed] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

Label: +pushed

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

pvoborni commented:
"""
Let's first clarify the problem to solve. If I understand @rcritten right, the 
problem is that if ipa-ca-install fails then one must reinstall the whole 
replica because the failed installation left garbage and a subsequent 
installer is not able to handle the garbage.

Uninstallation of a successful CA installation is not the intent, right? If so, 
then it seems to me that both of you are in agreement. And I would add that I 
completely agree with CA uninstall not being a goal because it would add just 
another use case to support with a benefit I don't see.

So if the goal is a repeatable ipa-ca-install then let's not talk about creating a CA 
uninstaller but rather about CA cleanup, and let's hide/remove the `--uninstall` 
option and figure out how it should behave - i.e. let it be internal.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300097665

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-09 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

stlaz commented:
"""
External CA (rebased on current master to be able to install):
```
$ kinit -n
kinit: Invalid certificate while getting initial credentials
$ /usr/bin/kinit -n -c /var/run/ipa/ccaches/armor_9588 -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
kinit: Invalid certificate while getting initial credentials
```
and on replica:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
=> this breaks WebUI on external CA installations.

=
CA-less with `--no-pkinit`:
```
$ kinit -n
kinit: Preauthentication failed while getting initial credentials
```
but I guess that's expected, WebUI works since the following does work as well:
```
$ /usr/bin/kinit -n -X X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt -X 
X509_anchors=FILE:/var/kerberos/krb5kdc/cacert.pem
```
=
In CA-less with PKINIT options, `kinit -n` works fine, although replica 
installation will produce:
```
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
ipa : ERRORPKINIT certificate request failed: Certificate issuance 
failed (CA_UNREACHABLE)
ipa : ERRORFailed to configure PKINIT
Done configuring Kerberos KDC (krb5kdc).
```
when run with own PKINIT certificate from `--pkinit-cert-file` option. I don't 
think it should be asking any CA for a certificate if we already have the 
certificate.


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/758#issuecomment-300097018

[Freeipa-devel] [freeipa PR#767][+ack] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/767
Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy

Label: +ack

[Freeipa-devel] [freeipa PR#764][comment] Basic uninstaller for the CA

2017-05-09 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/764
Title: #764: Basic uninstaller for the CA

martbab commented:
"""
@rcritten If it is expected to not clean up properly after a failed 
installation then I would rather not advertise it as an uninstaller, otherwise 
users will start to get ideas like "I do not want to use built-in CA anymore, 
let's just uninstall it and use 3rd party certs everywhere" and will run into 
problems with leftover certificates and such.

I would rather provide some rollback after failed install but again, I think 
there should be a more extensive discussion about a generic solution applicable 
to all service installers.

Also I would not claim that we actually do not have a service uninstaller 
framework since every service installer has a copy-pasted code in an ad-hoc 
coded uninstall method repeated ad nauseam. From what I have glimpsed from 
`ipa-4-5` branch, `Service` class does not even provide `uninstall` abstract 
method to override, only `SimpleServiceInstance` does that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/764#issuecomment-300090846

[Freeipa-devel] [freeipa PR#767][opened] [4.5] upgrade: add missing DN suffix when enabling KDC proxy

2017-05-09 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/767
Author: tomaskrizek
 Title: #767: [4.5] upgrade: add missing DN suffix when enabling KDC proxy
Action: opened

PR body:
"""
Original PR: #752 

---

This issue prevented upgrading from IPA 4.1.

I also discovered a missing python dependency when I was running 
ipa-server-upgrade manually. For packagers: the Python version that has the 
required symbols in CentOS is 2.7.5-24.

https://pagure.io/freeipa/issue/6920
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/767/head:pr767
git checkout pr767
From f8aa9c33f530ebf875b707a80068106853158bb1 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 18:32:34 +0200
Subject: [PATCH 1/3] python2-ipalib: add missing python dependency

Commit dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 started to use
ssl symbols like ssl.OP_NO_SSLv2 that were introduced in Python 2.7.9.

Related https://pagure.io/freeipa/issue/6920
---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3b7410b..1dd550b 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -639,6 +639,7 @@ Requires: python-gssapi >= 1.2.0
 Requires: gnupg
 Requires: keyutils
 Requires: pyOpenSSL
+Requires: python >= 2.7.9
 Requires: python-nss >= 0.16
 Requires: python-cryptography >= 1.4
 Requires: python-netaddr
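Review bot: `Requires: python >= 2.7.9` contradicts the PR body, which states that the needed ssl symbols are present in CentOS at python 2.7.5-24; with this hard floor the package becomes uninstallable on exactly that system even though the symbols are there. Consider a distro-conditional requirement (or a comment pointing at the backported version) instead of an unconditional 2.7.9 minimum.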

From 3c96c97a82fbf6907aca7f885fdd1051389e0e57 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 18:42:13 +0200
Subject: [PATCH 2/3] installer service: fix typo in service entry

The typo would result in incorrect resolution of existing keys and
their existence wasn't properly logged as intended.

Related https://pagure.io/freeipa/issue/6920
---
 ipaserver/install/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 6b5e69c..1aa49ed 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -181,7 +181,7 @@ def set_service_entry_config(name, fqdn, config_values,
 except errors.NotFound:
 pass
 else:
-existing_values = entry.get('ipaConnfigString', [])
+existing_values = entry.get('ipaConfigString', [])
 for value in config_values:
 if case_insensitive_attr_has_value(existing_values, value):
 root_logger.debug(
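Review bot: with the misspelled key, `entry.get('ipaConnfigString', [])` always returned the default empty list, so `case_insensitive_attr_has_value(existing_values, value)` could never match and the debug branch below was unreachable. A small unit test that passes an entry already containing one of `config_values` and asserts that the match path is taken would keep this from regressing; a module-level constant for the attribute name would also avoid retyping the literal at each use.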

From e39ca833903a109c112073ffd67ae17076b57c27 Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Tue, 2 May 2017 19:26:04 +0200
Subject: [PATCH 3/3] upgrade: add missing suffix to http instance

During an upgrade, http.suffix is used to identify ldap entry when
configuring kdc proxy. When the suffix is missing, the script crashed
when enabling KDC proxy, because it used invalid DN.

Fixes https://pagure.io/freeipa/issue/6920
---
 ipaserver/install/server/upgrade.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 4d8fd66..9aec2d8 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1638,6 +1638,7 @@ def upgrade_configuration():
 http = httpinstance.HTTPInstance(fstore)
 http.fqdn = fqdn
 http.realm = api.env.realm
+http.suffix = ipautil.realm_to_suffix(api.env.realm)
 http.configure_selinux_for_httpd()
 http.change_mod_nss_port_from_http()
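Review bot: `http.suffix` is assigned by hand next to `fqdn` and `realm`, and the bug being fixed is precisely that one of these manual assignments was missing; since the suffix is a pure function of the realm (`ipautil.realm_to_suffix(api.env.realm)`), deriving it inside `HTTPInstance` whenever `realm` is set would remove the chance of forgetting it in other callers. Please also confirm that `ipautil` is already imported in upgrade.py, since this hunk adds a new reference to it.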
 

[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type

2017-05-09 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/728
Author: HonzaCholasta
 Title: #728: ipa-cacert-manage: add --external-ca-type
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/728/head:pr728
git checkout pr728
From c0c79f0b0fdaf0b5a1bfe0d92018f3bf12373907 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 24 Apr 2017 05:24:24 +
Subject: [PATCH 1/7] renew agent: respect CA renewal master setting

Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799
---
 install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +-
 ipaserver/install/cainstance.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7a3d955..f253fd9 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -535,7 +535,7 @@ def main():
 
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
 if is_replicated():
-if profile or is_renewal_master():
+if is_renewal_master():
 handler = request_and_store_cert
 else:
 handler = retrieve_cert_continuous
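Review bot: after dropping `profile` from the condition, the `profile = os.environ.get('CERTMONGER_CA_PROFILE')` assignment two lines above is no longer used anywhere visible in this hunk. Either remove the assignment or, if `profile` is consumed further down in `main()`, add a short comment saying so; otherwise linters will flag an unused variable and a reader may assume the check was dropped by accident.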
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d72feb8..97baa60 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -822,7 +822,7 @@ def __request_ra_certificate(self):
  "-out", chain_file.name,
  ], stdin=data, capture_output=False)
 
-agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
+agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT,
   "--dbdir", self.tmp_agent_db,
   "--nickname", "ipa-ca-agent",
   "--cafile", chain_file.name,
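Review bot: the argument list (`--dbdir`, `--nickname`, `--cafile`, ...) is passed unchanged to `paths.CERTMONGER_DOGTAG_SUBMIT`; the commit message explains why the helper is swapped but not that dogtag-submit accepts the same options as dogtag-ipa-ca-renew-agent-submit. Please confirm the option set (and the output format consumed afterwards) is compatible, or adjust the arguments accordingly.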

From 9e9bcaa70bc8e7b307ecd99e247311796b9fd32d Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 28 Feb 2017 10:55:54 +
Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request

Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.

This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799
---
 ipaserver/install/server/upgrade.py | 28 +++-
 1 file changed, 7 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 9aec2d8..84692d3 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http):
 template = paths.CERTMONGER_COMMAND_TEMPLATE
 serverid = installutils.realm_to_serverid(api.env.realm)
 
-# bump version when requests is changed
-version = 6
 requests = [
 {
 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR,
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http):
 }
 ]
 
-root_logger.info("[Update certmonger certificate renewal configuration to "
- "version %d]" % version)
+root_logger.info("[Update certmonger certificate renewal configuration]")
 if not ca.is_configured():
 root_logger.info('CA is not configured')
 return False
 
-state = 'certificate_renewal_update_%d' % version
-if sysupgrade.get_upgrade_state('dogtag', state):
-return False
-
 # State not set, lets see if we are already configured
 for request in requests:
 request_id = certmonger.get_request_id(request)
 if request_id is None:
 break
 else:
-sysupgrade.set_upgrade_state('dogtag', state, True)
-root_logger.info("Certmonger certificate renewal configuration is "
- "already at version %d" % version)
 return False
 
 # Ok, now we need to stop tracking, then we can start tracking them
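Review bot: the comment `# State not set, lets see if we are already configured` is now stale, because the `sysupgrade.get_upgrade_state('dogtag', state)` check it referred to is removed in this hunk; reword it to describe what the loop now does (check whether every request is already tracked). The old `certificate_renewal_update_%d` keys also remain in the sysupgrade store as dead entries; consider removing them in this upgrade step.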
@@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http):
 ds.stop_tracking_certificates(serverid)
 http.stop_tracking_certificates()
 
-if not sysupgrade.get_upgrade_state('dogtag',
-'certificate_renewal_update_1'):
-filename = paths.CERTMONGER_CAS_CA_RENEWAL
-if