[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology jcholast commented: """ @mbasti-rh, `ipa-certupdate` has to be run on *all* systems in the domain after installing a CA. How do you propose we do that from `ipa-ca-install`? Anyway, the behavior @tomaskrizek is observing happens if you don't run `ipa-certupdate` *before* `ipa-ca-install` *on replica* and is caused by `ipa-ca-install` using local files rather than LDAP when looking for CA certificates. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268741247 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#360][opened] x509: use PyASN1 to parse PKCS#7
URL: https://github.com/freeipa/freeipa/pull/360
Author: jcholast
Title: #360: x509: use PyASN1 to parse PKCS#7
Action: opened
PR body:
"""
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.
https://fedorahosted.org/freeipa/ticket/6550
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/360/head:pr360
git checkout pr360
From e795b5d53d1a58ea1247668e13be9b45e0652298 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 21 Dec 2016 14:05:57 +0100
Subject: [PATCH] x509: use PyASN1 to parse PKCS#7
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.
https://fedorahosted.org/freeipa/ticket/6550
---
ipalib/x509.py | 48 +++-
1 file changed, 31 insertions(+), 17 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 851af5a..13327c1 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -42,21 +42,13 @@
import cryptography.x509
from pyasn1.type import univ, char, namedtype, tag
from pyasn1.codec.der import decoder, encoder
-from pyasn1_modules import rfc2459
+from pyasn1_modules import rfc2315, rfc2459
import six
from ipalib import api
from ipalib import util
from ipalib import errors
from ipapython.dn import DN
-from ipapython import ipautil
-
-try:
-from ipaplatform.paths import paths
-except ImportError:
-OPENSSL = '/usr/bin/openssl'
-else:
-OPENSSL = paths.OPENSSL
if six.PY3:
unicode = str
@@ -160,16 +152,38 @@ def pkcs7_to_pems(data, datatype=PEM):
Extract certificates from a PKCS #7 object.
Return a ``list`` of X.509 PEM strings.
+"""
+if datatype == PEM:
+match = re.match(
+r'-BEGIN PKCS7-(.*?)-END PKCS7-',
+data,
+re.DOTALL)
+if not match:
+raise ValueError("not a valid PKCS#7 PEM")
-May throw ``ipautil.CalledProcessError`` on invalid data.
+data = base64.b64decode(match.group(1))
-"""
-cmd = [
-OPENSSL, "pkcs7", "-print_certs",
-"-inform", "PEM" if datatype == PEM else "DER",
-]
-result = ipautil.run(cmd, stdin=data, capture_output=True)
-return PEM_REGEX.findall(result.output)
+content_info, tail = decoder.decode(data, rfc2315.ContentInfo())
+if tail:
+raise ValueError("not a valid PKCS#7 message")
+
+if content_info['contentType'] != rfc2315.signedData:
+raise ValueError("not a PKCS#7 signed data message")
+
+signed_data, tail = decoder.decode(bytes(content_info['content']),
+ rfc2315.SignedData())
+if tail:
+raise ValueError("not a valid PKCS#7 signed data message")
+
+result = []
+
+for certificate in signed_data['certificates']:
+certificate = encoder.encode(certificate)
+certificate = base64.b64encode(certificate)
+certificate = make_pem(certificate)
+result.append(certificate)
+
+return result
def is_self_signed(certificate, datatype=PEM):
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][synchronized] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
Title: #348: ca: fix ca-find with --pkey-only
Action: synchronized
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348
From fde228a0e0cffe754c7b420a3a1d87af46f7d995 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 16 Dec 2016 14:19:00 +0100
Subject: [PATCH] ca: fix ca-find with --pkey-only
Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
---
ipaserver/plugins/ca.py | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 2510a79..f02c144 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -162,7 +162,10 @@ class ca(LDAPObject):
def set_certificate_attrs(entry, options, want_cert=True):
-ca_id = entry['ipacaid'][0]
+try:
+ca_id = entry['ipacaid'][0]
+except KeyError:
+return
full = options.get('all', False)
want_chain = options.get('chain', False)
@@ -192,8 +195,9 @@ class ca_find(LDAPSearch):
def execute(self, *keys, **options):
ca_enabled_check()
result = super(ca_find, self).execute(*keys, **options)
-for entry in result['result']:
-set_certificate_attrs(entry, options, want_cert=False)
+if not options.get('pkey_only', False):
+for entry in result['result']:
+set_certificate_attrs(entry, options, want_cert=False)
return result
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently jcholast commented: """ > If `ipaldap` is a generic LDAP client, it should obey the RFCs and always > transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) > with the `;binary` encoding option, and it should expect to see it when > reading the relevant attributes from the server. No, it should respect whatever is defined on the server, otherwise it's not a generic LDAP client. If the server does something wrong, it has to be fixed there, on the server. The goal of `ipaldap` is not to make buggy or non-LDAPv3 (e.g. AD) servers look like they are LDAPv3-compliant, the goal is to interpret attributes according to the server-defined schema. > IMO `ipaldap` should handle this transparently because it is part of the LDAP > protocol. Nowhere in the RFCs is it mandated that a compliant client cannot request the attributes without the option, nor that it must not accept the attributes without the option in server responses. If this was true, it would have to be fixed in OpenLDAP libs anyway, not in `ipaldap`. > There is no 389DS-specific hack in my proposed change (but I'm curious about > what part of it you feel is). The part where you implicitly add the binary transfer option to attribute names (although not mandated on clients by any RFC) without knowing how the attribute types are defined on the server (although mandated only on attribute types with the certificate syntax by RFC 4523) . > This would also avoid inconsistent handling of relevant attributes between > different plugins, which is the situation we currently have. This is because of historical reasons (the original implementation of `host` and `service` plugins used `userCertificate` instead of `userCertificate;binary`) and will have to stay this way at least until all of the buggy 389 DS / IPA releases go out of support. > But apart from the inconsisency (which is a nusiance) we have a bigger > problem - in several plugins we specifically try to read `userCertificate`, > but a RFC 4522 compliant server (which 389DS is not now, but hopefully one > day will be) will always return `userCertificate;binary`. So, our current > code breaks if/when that happens. Furthermore, other RFC 4522-compliant > programs that correctly use the ;binary transfer encoding option to, e.g. > write certificates to user entries, will cause those certificates to be > unreadable by current IPA plugin code. This is not good enough. We can easily fix the plugins to read from `userCertificate;binary` in addition to `userCertificate`. We have to continue to write to `userCertificate` only though, because of backward compatibility with older servers. > 389DS does not behave correctly; it's treatment of `;binary` is wrong in > several ways, apart from the incorrect attribute syntax for relevant > attributes. Not enforcing `;binary` on attribute types with octet string syntax *is* correct. I was not trying to imply anything else. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268505078 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#359][opened] dogtag: search past the first 100 certificates
URL: https://github.com/freeipa/freeipa/pull/359
Author: jcholast
Title: #359: dogtag: search past the first 100 certificates
Action: opened
PR body:
"""
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.
Raise the "unlimited" limit to the maximum value Dogtag accepts.
https://fedorahosted.org/freeipa/ticket/6564
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/359/head:pr359
git checkout pr359
From 9281047feaf12ae484223a68f15af85b67406033 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 21 Dec 2016 09:55:40 +0100
Subject: [PATCH] dogtag: search past the first 100 certificates
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.
Raise the "unlimited" limit to the maximum value Dogtag accepts.
https://fedorahosted.org/freeipa/ticket/6564
---
ipaserver/plugins/dogtag.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 73c14ed..f5f9ebe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1914,7 +1914,7 @@ def convert_time(value):
url = 'http://%s/ca/rest/certs/search?size=%d' % (
ipautil.format_netloc(self.ca_host, 8080),
-options.get('sizelimit', 100))
+options.get('sizelimit', 0x7fff))
opener = urllib.request.build_opener()
opener.addheaders = [('Accept-Encoding', 'gzip, deflate'),
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently
URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently jcholast commented: """ `ipaldap` is not the proper place to handle this - it implements a (almost) generic LDAP client, not a 389 DS client, and as such should not contain any 389 DS specific hacks. The premise is that the server gets exactly what the user of `ipaldap` requested, and the user gets exactly what the server returned. The binary transfer option is currently handled in code of the affected commands. The next layer below is `baseldap`, which is where the handling should be moved to make it generic for all commands. Also note that the real bug in 389 DS is that it defines the attribute types to use octet string syntax, rather than the certificate syntax as defined in RFC 4523. It actually behaves correctly, not enforcing the binary transfer option on attribute types with octet string syntax. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268451076 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology jcholast commented: """ This is basically the same as 89de60c5d8ba64d619101a7498b8c4469b6e50ae which had to be reverted because it is not the proper fix. I would rather wait for the proper fix (#41), which has not been merged yet because it is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1377413. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268255672 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#356][opened] server install: fix KRA agent PEM file not being created
URL: https://github.com/freeipa/freeipa/pull/356 Author: jcholast Title: #356: server install: fix KRA agent PEM file not being created Action: opened PR body: """ In commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 the call to create the KRA agent PEM file was accidentally removed from the server installer. Call into the KRA installer from the server installer to create the file again. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/356/head:pr356 git checkout pr356 From 032dd28fcc4e435c11db55255c22399e08a5a969 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 20 Dec 2016 14:51:40 +0100 Subject: [PATCH] server install: fix KRA agent PEM file not being created In commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 the call to create the KRA agent PEM file was accidentally removed from the server installer. Call into the KRA installer from the server installer to create the file again. https://fedorahosted.org/freeipa/ticket/6392 --- ipaserver/install/ipa_kra_install.py | 1 + ipaserver/install/kra.py | 2 +- ipaserver/install/server/install.py | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index a545f2b..340a993 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -181,6 +181,7 @@ def run(self): self.options.dm_password = self.options.password self.options.setup_ca = False +self.options.setup_kra = True api.Backend.ldap2.connect() diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index e7e11dd..0d1ed8e 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -77,7 +77,7 @@ def install(api, replica_config, options): pkcs12_info = None master_host = None -ra_only = False +ra_only = not options.setup_kra promote = False else: krafile = os.path.join(replica_config.dir, 'kracert.p12') diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b5b9cb4..fc319d9 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -609,6 +609,7 @@ def install_check(installer): if setup_ca: ca.install_check(False, None, options) +kra.install_check(api, None, options) if options.setup_dns: dns.install_check(False, api, False, options, host_name) @@ -809,6 +810,7 @@ def install(installer): if setup_ca: ca.install_step_1(False, None, options) +kra.install(api, None, options) # The DS instance is created before the keytab, add the SSL cert we # generated -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#350][opened] spec file: revert to the previous Release tag
URL: https://github.com/freeipa/freeipa/pull/350
Author: jcholast
Title: #350: spec file: revert to the previous Release tag
Action: opened
PR body:
"""
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/350/head:pr350
git checkout pr350
From 0c8451d3e9b86b7e397b49a7dd25b9b3e5a0a222 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 5 Dec 2016 12:18:54 +0100
Subject: [PATCH] spec file: revert to the previous Release tag
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
---
freeipa.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..c58c057 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -41,7 +41,7 @@
Name: freeipa
Version:%{IPA_VERSION}
-Release:upstream
+Release:0%{?dist}
Summary:The Identity, Policy and Audit system
Group: System Environment/Base
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#349][opened] spec file: do not define with_lint inside a comment
URL: https://github.com/freeipa/freeipa/pull/349
Author: jcholast
Title: #349: spec file: do not define with_lint inside a comment
Action: opened
PR body:
"""
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.
Escape the percent sign in '%global' in the comment to prevent this.
https://fedorahosted.org/freeipa/ticket/6418
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/349/head:pr349
git checkout pr349
From 8c3b11e059e32c826694a39d8b886ca1230ea6a8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 5 Dec 2016 12:17:54 +0100
Subject: [PATCH] spec file: do not define with_lint inside a comment
RPM expands macros even inside comments in spec files, so the with_lint
macro is unintentionally always defined.
Escape the percent sign in '%global' in the comment to prevent this.
https://fedorahosted.org/freeipa/ticket/6418
---
freeipa.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbb3945..831df4f 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -9,7 +9,7 @@
%endif
# lint is not executed during rpmbuild
-# %global with_lint 1
+# %%global with_lint 1
%global alt_name ipa
%if 0%{?rhel}
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][opened] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
Title: #348: ca: fix ca-find with --pkey-only
Action: opened
PR body:
"""
Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348
From dda67fc7ed2d45bf90ee795a7e20edd41931ceb1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 16 Dec 2016 14:19:00 +0100
Subject: [PATCH] ca: fix ca-find with --pkey-only
Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
---
ipaserver/plugins/ca.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 2510a79..72f5443 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -192,8 +192,9 @@ class ca_find(LDAPSearch):
def execute(self, *keys, **options):
ca_enabled_check()
result = super(ca_find, self).execute(*keys, **options)
-for entry in result['result']:
-set_certificate_attrs(entry, options, want_cert=False)
+if not options.get('pkey_only', False):
+for entry in result['result']:
+set_certificate_attrs(entry, options, want_cert=False)
return result
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336 Title: #336: [py3] pki: add missing depedency pki-base[-python3] jcholast commented: """ @mbasti-rh, please don't bump BuildRequires unless it is actually necessary for the build to not fail. Raising the version does not guarantee that the package version used during build and checked by pylint will be the same as the version used during run time anyway, so the change achieves nothing. """ See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267532993 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]
URL: https://github.com/freeipa/freeipa/pull/336 Title: #336: [py3] pki: add missing depedency pki-base[-python3] jcholast commented: """ @mbasti-rh, please don't bump BuildRequires unless it is actually necessary for the build to not fail. Raising the version does not guarantee that the package version used during build will be the same as the version used during run time anyway, so the change achieves nothing. """ See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267532993 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#62][+pushed] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#62][closed] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-266420855 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][closed] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][+pushed] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266414213 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][+ack] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ @frasertweedale, I'm afraid we can't do that. As I said in the comment, you cannot unconditionally import from `ipaplatform` to `ipalib` anymore, so you either have to make the change to PyASN1, or make the import conditional: ```python try: from ipaplatform.paths import paths except ImportError: OPENSSL = '/usr/bin/openssl' else: OPENSSL = paths.OPENSSL ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266359452 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ @frasertweedale, thanks. What about [this](https://github.com/freeipa/freeipa/pull/177/files#r91243228)? """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266353770 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#321][closed] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321 Author: jcholast Title: #321: certdb: fix PKCS#12 import with empty password Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/321/head:pr321 git checkout pr321 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#321][+pushed] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321 Title: #321: certdb: fix PKCS#12 import with empty password Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#321][comment] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321 Title: #321: certdb: fix PKCS#12 import with empty password jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a35f5181c0af459e9f054838805628f31316cbe9 """ See the full comment at https://github.com/freeipa/freeipa/pull/321#issuecomment-266352292 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#321][opened] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321 Author: jcholast Title: #321: certdb: fix PKCS#12 import with empty password Action: opened PR body: """ Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is used to give passwords to pk12util. When a password is empty, the temporary will be empty as well, which pk12util does not like. Add new line after the password in the temporary file to please pk12util. https://fedorahosted.org/freeipa/ticket/6541 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/321/head:pr321 git checkout pr321 From 5fdd380fce3ad6527a5a980f723f6552f0a70a9d Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 8 Dec 2016 12:26:06 +0100 Subject: [PATCH] certdb: fix PKCS#12 import with empty password Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is used to give passwords to pk12util. When a password is empty, the temporary will be empty as well, which pk12util does not like. Add new line after the password in the temporary file to please pk12util. https://fedorahosted.org/freeipa/ticket/6541 --- ipapython/certdb.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index af98a77..4e05b78 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -168,7 +168,7 @@ def import_pkcs12(self, pkcs12_filename, db_password_filename, "-k", db_password_filename, '-v'] pkcs12_password_file = None if pkcs12_passwd is not None: -pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd) +pkcs12_password_file = ipautil.write_tmp_file(pkcs12_passwd + '\n') args = args + ["-w", pkcs12_password_file.name] try: ipautil.run(args) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer
URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @Akasurde, `Knob()` already handles metavar properly, you need to work on the interface between the installer and `optparse` - `ipapython.install.cli`. """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265447065 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#318][opened] server install: fix external CA install
URL: https://github.com/freeipa/freeipa/pull/318 Author: jcholast Title: #318: server install: fix external CA install Action: opened PR body: """ Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/318/head:pr318 git checkout pr318 From ae5f464174f3ade82336a58a860b275a464095a6 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 30 Nov 2016 13:55:38 +0100 Subject: [PATCH] server install: fix external CA install Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 --- ipaclient/install/client.py | 3 + ipalib/install/service.py | 4 -- ipaserver/install/ca.py | 1 - ipaserver/install/ipa_server_install.py | 10 ++-- ipaserver/install/server/__init__.py| 100 +++- ipaserver/install/server/install.py | 3 - 6 files changed, 54 insertions(+), 67 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 0954c2b..0eec5bd 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -3571,6 +3571,9 @@ class ClientInstall(ClientInstallInterface, Client installer """ +replica_file = None +dm_password = None + ca_cert_files = knob( bases=ClientInstallInterface.ca_cert_files, ) diff --git a/ipalib/install/service.py b/ipalib/install/service.py index 2544e5b..fc430fb 100644 --- a/ipalib/install/service.py +++ b/ipalib/install/service.py @@ -146,7 +146,6 @@ def domain_name(self, value): str, None, description="a file generated by ipa-replica-prepare", ) -replica_file = enroll_only(replica_file) replica_file = replica_install_only(replica_file) dm_password = knob( @@ -154,8 +153,6 @@ def domain_name(self, value): sensitive=True, description="Directory Manager password (for the existing master)", ) -dm_password = enroll_only(dm_password) -dm_password = replica_install_only(dm_password) class ServiceAdminInstallInterface(ServiceInstallInterface): @@ -175,4 +172,3 @@ class ServiceAdminInstallInterface(ServiceInstallInterface): sensitive=True, ) admin_password = enroll_only(admin_password) -admin_password = replica_install_only(admin_password) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index efc8c87..4f64d99 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -338,7 +338,6 @@ class CAInstallInterface(dogtag.DogtagInstallInterface, ['-w']), ) admin_password = enroll_only(admin_password) -admin_password = replica_install_only(admin_password) external_ca = knob( None, diff --git a/ipaserver/install/ipa_server_install.py b/ipaserver/install/ipa_server_install.py index 3b6cb81..e708040 100644 --- a/ipaserver/install/ipa_server_install.py +++ b/ipaserver/install/ipa_server_install.py @@ -15,16 +15,16 @@ class CompatServerMasterInstall(ServerMasterInstall): no_sudo = False request_cert = False -new_dm_password = knob( +dm_password = knob( # pylint: disable=no-member -bases=ServerMasterInstall.new_dm_password, +bases=ServerMasterInstall.dm_password, cli_names=['--ds-password', '-p'], ) -new_admin_password = knob( +admin_password = knob( # pylint: disable=no-member -bases=ServerMasterInstall.new_admin_password, -cli_names=(list(ServerMasterInstall.new_admin_password.cli_names) + +bases=ServerMasterInstall.admin_password, +cli_names=(list(ServerMasterInstall.admin_password.cli_names) + ['-a']), ) diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py index c518ec9..0237702 100644 --- a/ipaserver/install/server/__init__.py +++ b/ipaserver/install/server/__init__.py @@ -21,7 +21,6 @@ prepares, prepare_only, replica_install_only) -from ipalib.util import validate_domain_name from ipapython import ipautil from ipapython.dnsutil import check_zone_overlap from ipapython.
[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer
URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @mbasti-rh, I don't care as long as it's done right (i.e. without hardcoding `cli_metavar` in knob definitions). """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265432383 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ @frasertweedale, yep, I'm aware of that - `cert-find` does the same. Not a big deal IMO since it has to be explicitly requested by the user. But tickets are certainly a good idea. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265420461 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ Could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker. Also see inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ But could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker. Also see inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#305][closed] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Author: tiran Title: #305: Fetch correct exception in IPA_CONFDIR test Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/305/head:pr305 git checkout pr305 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#305][+pushed] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#305][comment] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/34bd2b6332f3dabc0eb36f7021238df286a6 """ See the full comment at https://github.com/freeipa/freeipa/pull/305#issuecomment-264823975 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#305][+ack] Fetch correct exception in IPA_CONFDIR test
URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Pushed with #302. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264460352 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][+ack] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][closed] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][+pushed] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#302][closed] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/302 Author: pvoborni Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/302/head:pr302 git checkout pr302 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#302][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/302 Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d4916254e995be1118ab8dbce5b60091305f97fe https://fedorahosted.org/freeipa/changeset/c2934aaa7eacb8390209a38029145b1c240d864c """ See the full comment at https://github.com/freeipa/freeipa/pull/302#issuecomment-264460061 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#302][+pushed] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/302 Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#302][+ack] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/302 Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @pvoborni, yes, although it should not inherit from 'InvocationError`, since it does not happen during command invocation, but way before, during API initialization. I would inherit it directly from `PublicError` and put it into the 900-1000 errno range. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264447620 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @pvoborni, yes, although it should not inherit from `InvocationError`, since it does not happen during command invocation, but way before, during API initialization. I would inherit it directly from `PublicError` and put it into the 900-1000 errno range. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264447620 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#301][opened] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301
Author: jcholast
Title: #301: scripts, tests: explicitly set confdir in the rest of server code
Action: opened
PR body:
"""
Commit 1e6a204b4372bbbfb722a00370a5ce4e34406b9f added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/301/head:pr301
git checkout pr301
From 23f6d46675b9614cc654bd17c1cc3377d2539211 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Fri, 2 Dec 2016 09:10:41 +0100
Subject: [PATCH] scripts, tests: explicitly set confdir in the rest of server
code
Commit 1e6a204b4372bbbfb722a00370a5ce4e34406b9f added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
---
doc/guide/wsgi.py.txt | 6 --
install/tools/ipa-compat-manage | 5 -
install/tools/ipa-csreplica-manage | 6 +-
install/tools/ipa-managed-entries | 3 ++-
ipaserver/advise/base.py| 9 +++--
ipaserver/dnssec/ldapkeydb.py | 4 +++-
ipaserver/install/ipa_cacert_manage.py | 2 +-
ipaserver/install/ipa_kra_install.py| 2 +-
ipaserver/install/ipa_otptoken_import.py| 3 ++-
ipaserver/install/ipa_replica_prepare.py| 2 +-
ipaserver/install/ipa_server_certinstall.py | 2 +-
ipatests/test_ipaserver/test_ldap.py| 3 ++-
ipatests/test_ipaserver/test_serverroles.py | 5 -
13 files changed, 37 insertions(+), 15 deletions(-)
diff --git a/doc/guide/wsgi.py.txt b/doc/guide/wsgi.py.txt
index 8566a25..1b72516 100644
--- a/doc/guide/wsgi.py.txt
+++ b/doc/guide/wsgi.py.txt
@@ -1,3 +1,4 @@
+from ipaplatform.paths import paths
from ipalib import api
from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG
@@ -6,11 +7,12 @@ from ipalib.constants import DEFAULT_CONFIG
# by reading in the configuration file(s). The server always reads
# default.conf and will also read in `context'.conf.
env = Env()
-env._bootstrap(context='server', log=None)
+env._bootstrap(context='server', log=None, confdir=paths.ETC_IPA)
env._finalize_core(**dict(DEFAULT_CONFIG))
# Initialize the API with the proper debug level
-api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
+api.bootstrap(context='server', confdir=paths.ETC_IPA,
+ debug=env.debug, log=None) (ref:wsgi-app-bootstrap)
try:
api.finalize() (ref:wsgi-app-finalize)
except Exception as e:
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 77468b4..a29a92f 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -100,7 +100,10 @@ def main():
if dirman_password is None:
sys.exit("Directory Manager password required")
-api.bootstrap(context='cli', in_server=True, debug=options.debug)
+api.bootstrap(context='cli',
+ in_server=True,
+ debug=options.debug,
+ confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect()
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index f494380..990ec38 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -413,7 +413,11 @@ def main():
api_env['log'] = None # turn off logging for non-root
api.bootstrap(
-context='cli', in_server=True, verbose=options.verbose, **api_env
+context='cli',
+in_server=True,
+verbose=options.verbose,
+confdir=paths.ETC_IPA,
+**api_env
)
api.finalize()
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 59f14fc..efcf3ec 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -24,6 +24,7 @@ import re
import sys
from optparse import OptionParser # pylint: disable=deprecated-module
+from ipaplatform.paths import paths
from ipapython import config
from ipaserver.install import installutils
from ipalib import api, errors
@@ -72,7 +73,7 @@ def main():
sys.exit("Unrecognized action [" + args[0] + "]")
standard_logging_setup(None, debug=options.debug)
-api.bootstrap(context='cli', debug=options.debug)
+api.bootstrap(context='cli', debug=options.debug, confdir=paths.ETC_IPA)
api.finalize()
api.Backend.ldap2.connect(bind_pw=options.dirman_password
[Freeipa-devel] [freeipa PR#280][closed] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Author: tiran Title: #280: Set explicit confdir option for global contexts Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/280/head:pr280 git checkout pr280 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][+pushed] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1e6a204b4372bbbfb722a00370a5ce4e34406b9f """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264397268 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][+ack] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#291][+pushed] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#291][comment] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Title: #291: replica install: track the RA agent certificate again jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4221266562778806f02748fee2dfbd814261f2b4 """ See the full comment at https://github.com/freeipa/freeipa/pull/291#issuecomment-263867421 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#291][closed] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#291][opened] replica install: track the RA agent certificate again
URL: https://github.com/freeipa/freeipa/pull/291 Author: jcholast Title: #291: replica install: track the RA agent certificate again Action: opened PR body: """ During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/291/head:pr291 git checkout pr291 From 0de63c3588c09bde309a409ba57fd7778663850a Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 30 Nov 2016 12:25:24 +0100 Subject: [PATCH] replica install: track the RA agent certificate again During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 --- ipaserver/install/cainstance.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 1aa6b8d..6b2b272 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -647,7 +647,7 @@ def enable_pkix(self): 'NSS_ENABLE_PKIX_VERIFY', '1', quotes=False, separator='=') -def import_ra_cert(self, rafile, configure_renewal=True): +def import_ra_cert(self, rafile): """ Cloned RAs will use the same RA agent cert as the master so we need to import from a PKCS#12 file. @@ -663,11 +663,15 @@ def import_ra_cert(self, rafile, configure_renewal=True): finally: os.remove(agent_name) +self.configure_agent_renewal() + def __import_ra_key(self): custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn, realm=self.realm) custodia.import_ra_key(self.master_host) +self.configure_agent_renewal() + def __create_ca_agent(self): """ Create CA agent, assign a certificate, and add the user to -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """ Ok, > Why do you see a relationship between the subject DN of a X.509 and the > directoryName general name in SAN X.509v3 extension? According to RFC 5280 section 4.1.2.6 the subject DN and SANs are equivallent in terms of identifying the subject entity: > The subject field identifies the entity associated with the public > key stored in the subject public key field. The subject name MAY be > carried in the subject field and/or the subjectAltName extension. Compare how the subject DN is defined in RFC 5280 section 4.1.2.6: > Where it is non-empty, the subject field MUST contain an X.500 > distinguished name (DN). The DN MUST be unique for each subject > entity certified by the one CA as defined by the issuer field. A CA > MAY issue more than one certificate with the same DN to the same > subject entity. ... with how the DN SAN is defined in RFC 5280 section 4.2.1.6: > When the subjectAltName extension contains a DN in the directoryName, > the encoding rules are the same as those specified for the issuer > field in Section 4.1.2.4. The DN MUST be unique for each subject > entity certified by the one CA as defined by the issuer field. A CA > MAY issue more than one certificate with the same DN to the same > subject entity. See that there is no mention of any semantical difference between them as means of identifying the subject entity. Further specifications such as the name constraints extension also treat them equally. RFC 5280 section 4.2.1.10: > Restrictions of the form directoryName MUST be applied to the subject > field in the certificate (when the certificate includes a non-empty > subject field) and to any names of type directoryName in the > subjectAltName extension. > The subject follows different rules, e.g. a disjunct set of RDN attributes. I could not find any mention of this in RFC 5280 nor the X.500 series of standards. I'm assuming it's because it's not there. > Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject. Neither RFC 5280 nor the X.500 series of standards impose any restrictions on the attributes used. However, RFC 5280 section 4.1.2.4 says: > In addition, **implementations of this specification MUST be prepared** > **to receive the domainComponent attribute**, as defined in [RFC4519]. > With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up > with different subject DNs but with the same directoryName GN SAN entry. Currently we in fact end up with the same subject DN. Which is just fine, as they refer to the same subject entity. > The directoryName is designed to hold a LDAP DN. I don't think that's true, as there is no mention of this in the directoryName SAN specification (see above). > A certificate's Subject DN is not really a distinguishing name in the sense > of a unique identifier. Let me quote RFC 5280 section 4.1.2.6 again: > Where it is non-empty, the subject field MUST contain an X.500 > distinguished name (DN). **The DN MUST be unique for each subject** > **entity certified by the one CA as defined by the issuer field**. A CA > MAY issue more than one certificate with the same DN to the same > subject entity. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263574255 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts jcholast commented: """ Please explain, all of the affected scripts are server-only and thus not related to the integration effort and most probably won't work correctly with non-server configuration anyway. """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263540749 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """ @tiran, could you please stay on topic? I haven't said anything about it being mandatory, and it's not the point anyway (consistency between subject DN and DN SAN validation is). About CA being allowed to issue multiple certs with the same subject DN, thanks for stating the obvious, but again, not the point here. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263539133 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
URL: https://github.com/freeipa/freeipa/pull/228 Title: #228: cert-request: allow directoryName in SAN extension jcholast commented: """ @frasertweedale, if the subject DN need not match the LDAP DN, then DN SANs need not match it as well - both the subject DN and DN SANs are supposed to identify the subject in the directory, and for us the directory is LDAP. There should be no special casing one way or the other, if something is allowed for the subject DN it must be allowed for DN SANs and vice-versa (with the exception of the special handling of the most specific CN in subject DN of server certificates). The fact that we currently require a non-LDAP subject DN in `cert-request` is a different issue. All I'm asking for is consistency. If we first allowed the subject DN to match the LDAP DN I would be perfectly happy with this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263521018 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
URL: https://github.com/freeipa/freeipa/pull/280 Title: #280: Set explicit confdir option for global contexts jcholast commented: """ You missed a few: ``` daemons/dnssec/ipa-dnskeysync-replica:124:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file daemons/dnssec/ipa-dnskeysyncd:23:api.bootstrap(in_server=True, log=None) # no logging to file daemons/dnssec/ipa-ods-exporter:618:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file doc/guide/wsgi.py.txt:9:env._bootstrap(context='server', log=None) doc/guide/wsgi.py.txt:13:api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap) install/restart_scripts/renew_ra_cert:39:api.bootstrap(in_server=True, context='restart') install/tools/ipa-adtrust-install:269:api.bootstrap(**cfg) install/tools/ipa-ca-install:262:api.bootstrap(in_server=True, ra_plugin='dogtag') install/tools/ipa-compat-manage:105:api.bootstrap(context='cli', in_server=True, debug=options.debug) install/tools/ipa-csreplica-manage:418:api.bootstrap(**api_env) install/tools/ipa-dns-install:139:api.bootstrap(**cfg) install/tools/ipa-managed-entries:75:api.bootstrap(context='cli', debug=options.debug) install/tools/ipa-nis-manage:118:api.bootstrap(context='cli', debug=options.debug, in_server=True) install/tools/ipa-replica-manage:1512:api.bootstrap(**api_env) ipapython/dnssec/ldapkeydb.py:417:ipalib.api.bootstrap(in_server=True, log=None) # no logging to file ipaserver/advise/base.py:238:api.bootstrap(in_server=False, context='cli') ipaserver/advise/base.py:240:advise_api.bootstrap(in_server=False, context='cli') ipaserver/install/ipa_cacert_manage.py:99:api.bootstrap(in_server=True) ipaserver/install/ipa_kra_install.py:80:api.bootstrap(in_server=True) ipaserver/install/ipa_otptoken_import.py:512: api.bootstrap(in_server=True) ipaserver/install/ipa_replica_prepare.py:183: api.bootstrap(in_server=True) ipaserver/install/ipa_server_certinstall.py:102: api.bootstrap(in_server=True) ipatests/test_ipaserver/test_ldap.py:114:myapi.bootstrap(context='cli', in_server=True) ipatests/test_ipaserver/test_serverroles.py:472: test_api.bootstrap(in_server=True, ldap_uri=api.env.ldap_uri) lite-server.py:130:(options, args) = api.bootstrap_with_global_options(parser, context='lite') ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-263513330 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Author: jcholast Title: #266: ipapython: simplify Env object initialization Action: edited Changed field: body Original value: """ Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later. Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determining the configured debug level on its own. Remove locking and related code from Env as it is never used. """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization jcholast commented: """ Yes, my above comment is wrong (sorry). """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-263505232 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient jcholast commented: """ @stlaz, [this thread at freeipa-devel](https://www.redhat.com/archives/freeipa-devel/2016-November/msg00776.html) should answer your question. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262918453 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ To continue the discussion from the mailing list: >> My point exactly - ca-show output should be equivalent to cert-show on the >> CA certificate, as far as the certificate and chain are concerned. >> > I reused `BaseCertObject.takes_params' and `BaseCertObject._parse' > to define the params and do most of the work. There is some overlap > with what `BaseCertObject' defines and fields of the `ca' LDAP > attribute so these are ignored/removed. What I actually meant is that `cert-show` should also have a `chain` option and `certificate_chain` param in the future, which should work the same as in `ca-show`. Adding everything from BaseCertObject is an overkill IMHO, and out of the scope of ticket 6178. >> I think I would prefer if the certificate was always returned by the server, >> but the chain only if --chain (or --all) is specified. >> >> Additionally, ca-add should also get the new options and do all of this. >> > I've implemented this. `--chain' implies `--all' but otherwise > remains a client-side only param. This does not scale well - if a new unrelated attribute is added to the CA LDAP entry, or if a new param is added to the CA object, `--chain` will imply retrieving them, which is not something we want. It should really be the other way around and `--all` should imply `--chain`, which also means `--chain` has to be defined on the server side. >> Generator expressions are generally preferred over map(): >> >> data = '\n'.join(to_pem(der) for der in ders) >> > Preferred by whom? ;) Pythonistas, I believe :) """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-262916556 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#271][comment] Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/271 Title: #271: Remove hard dependency on ipaplatform from ipapython, ipalib and ipaclient jcholast commented: """ @tiran, how much granular PRs would you prefer? As @stlaz pointed out, there isn't actually much going on in this PR besides moving stuff around. """ See the full comment at https://github.com/freeipa/freeipa/pull/271#issuecomment-262798189 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell
URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell jcholast commented: """ I'm OK with it. """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262797665 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#266][edited] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Author: jcholast Title: #266: ipapython: simplify Env object initialization Action: edited Changed field: body Original value: """ Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later. Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determining the configured debug level on its own. Remove locking and related code from Env as it is never used. https://fedorahosted.org/freeipa/ticket/6408 """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#266][comment] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Title: #266: ipapython: simplify Env object initialization jcholast commented: """ Only now I have noticed that this won't actually help fixing [ticket 6482](https://fedorahosted.org/freeipa/ticket/6482). Nevermind this PR then. """ See the full comment at https://github.com/freeipa/freeipa/pull/266#issuecomment-262507414 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#266][opened] ipapython: simplify Env object initialization
URL: https://github.com/freeipa/freeipa/pull/266 Author: jcholast Title: #266: ipapython: simplify Env object initialization Action: opened PR body: """ Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later. Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determining the configured debug level on its own. Remove locking and related code from Env as it is never used. https://fedorahosted.org/freeipa/ticket/6408 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/266/head:pr266 git checkout pr266 From 1f3bfa0bd13af4e8cba51b8149c397ceeccdcf14 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 22 Nov 2016 12:42:40 +0100 Subject: [PATCH 1/3] wsgi, oddjob: remove needless uses of Env Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determining the configured debug level on its own. https://fedorahosted.org/freeipa/ticket/6408 --- doc/guide/wsgi.py.txt | 12 +--- install/oddjob/com.redhat.idm.trust-fetch-domains | 9 + install/share/wsgi.py | 12 +--- 3 files changed, 3 insertions(+), 30 deletions(-) diff --git a/doc/guide/wsgi.py.txt b/doc/guide/wsgi.py.txt index 8566a25..71d7a2b 100644 --- a/doc/guide/wsgi.py.txt +++ b/doc/guide/wsgi.py.txt @@ -1,16 +1,6 @@ from ipalib import api -from ipalib.config import Env -from ipalib.constants import DEFAULT_CONFIG -# Determine what debug level is configured. We can only do this -# by reading in the configuration file(s). The server always reads -# default.conf and will also read in `context'.conf. -env = Env() -env._bootstrap(context='server', log=None) -env._finalize_core(**dict(DEFAULT_CONFIG)) - -# Initialize the API with the proper debug level -api.bootstrap(context='server', debug=env.debug, log=None) (ref:wsgi-app-bootstrap) +api.bootstrap(context='server', log=None) (ref:wsgi-app-bootstrap) try: api.finalize() (ref:wsgi-app-finalize) except Exception as e: diff --git a/install/oddjob/com.redhat.idm.trust-fetch-domains b/install/oddjob/com.redhat.idm.trust-fetch-domains index b663daa..e053474 100755 --- a/install/oddjob/com.redhat.idm.trust-fetch-domains +++ b/install/oddjob/com.redhat.idm.trust-fetch-domains @@ -5,8 +5,6 @@ from ipaserver.install.installutils import is_ipa_configured, ScriptError from ipapython import config, ipautil from ipalib import api from ipapython.dn import DN -from ipalib.config import Env -from ipalib.constants import DEFAULT_CONFIG from ipapython.ipautil import kinit_keytab from ipaplatform.constants import constants import sys @@ -89,12 +87,7 @@ if len(args) != 1: trusted_domain = ipautil.fsdecode(args[0]).lower() -env = Env() -env._bootstrap(debug=options.debug, log=None) -env._finalize_core(**dict(DEFAULT_CONFIG)) - -# Initialize the API with the proper debug level -api.bootstrap(in_server=True, debug=env.debug, log=None, context='server') +api.bootstrap(in_server=True, debug=options.debug, log=None, context='server') api.finalize() # Only import trust plugin after api is initialized or internal imports diff --git a/install/share/wsgi.py b/install/share/wsgi.py index ee9311e..88316f6 100644 --- a/install/share/wsgi.py +++ b/install/share/wsgi.py @@ -24,18 +24,8 @@ WSGI appliction for IPA server. """ from ipalib import api -from ipalib.config import Env -from ipalib.constants import DEFAULT_CONFIG -# Determine what debug level is configured. We can only do this -# by reading in the configuration file(s). The server always reads -# default.conf and will also read in `context'.conf. -env = Env() -env._bootstrap(context='server', log=None) -env._finalize_core(**dict(DEFAULT_CONFIG)) - -# Initialize the API with the proper debug level -api.bootstrap(context='server', debug=env.debug, log=None) +api.bootstrap(context='server', log=None) try: api.finalize() except Exception as e: From 5c9290bcc6dda2dc8582f45e9cf6baaafa663309 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 22 Nov 2016 12:46:17 +0100 Subject: [PATCH 2/3] ipapython: simplify Env object initialization Fully initialize Env objects in Env() instead of having to call their private methods to complete the initialization later. https://fedorahosted.org/freeipa/ticket/6408 --- install/tools/ipa-pki-retrieve-key | 1 - ipaclient/install/client.py| 5 + ipalib/config.py | 6 ++--- ipalib/plugable.py | 5 + ipaserver/install/server/replicainstall.py | 4 +--- ipatests/test_ipalib/test_config.py| 35 ++ 6
[Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function
URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Remove unused Knob function jcholast commented: """ There was no reason, I just forgot, so go ahead. """ See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-262290033 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#244][comment] Add templating to ipaplatform path [RFC]
URL: https://github.com/freeipa/freeipa/pull/244 Title: #244: Add templating to ipaplatform path [RFC] jcholast commented: """ Also LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/244#issuecomment-262162424 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#258][comment] Break ipaplatform / ipalib import cycle of hell
URL: https://github.com/freeipa/freeipa/pull/258 Title: #258: Break ipaplatform / ipalib import cycle of hell jcholast commented: """ The original code is broken by design IMO. The API object is used only to get the configured service startup timeout and to guess our DS instance name. None of this is platform specific, so I would prefer if we removed this from `ipaplatform` altogether instead of "just" fixing the import issue. Anyway, given that the current plan is to make `ipaclient` _not_ depend on `ipaplatform`, is this change still necessary? """ See the full comment at https://github.com/freeipa/freeipa/pull/258#issuecomment-262161616 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand
URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand jcholast commented: """ Reopened 6490. """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261881844 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#247][comment] Add 'ipa local-env' subcommand
URL: https://github.com/freeipa/freeipa/pull/247 Title: #247: Add 'ipa local-env' subcommand jcholast commented: """ Sorry, but this is wrong. `ipa env` is supposed to return local settings unless run with `--server`. Why was it not fixed instead of adding a new redundant command? """ See the full comment at https://github.com/freeipa/freeipa/pull/247#issuecomment-261878779 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#113][comment] ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri
URL: https://github.com/freeipa/freeipa/pull/113 Title: #113: ipalib.constants: Remove default domain, realm, basedn, xmlrpc_uri, ldap_uri jcholast commented: """ Actually it should be created from domain name, which is the primary identifier of an IPA domain, not from realm name. """ See the full comment at https://github.com/freeipa/freeipa/pull/113#issuecomment-261875920 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer
URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @mbasti-rh: `knob()` already handles choices, it's the built-in `optparse` module which does not display them. Once the installer code is migrated to `argparse`, this problem will go away. """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-261873288 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#232][comment] Installer refactoring
URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/eac6f52957c361c219ad6048b515ddb62da31154 https://fedorahosted.org/freeipa/changeset/83e72d704630b9cc5a1f713dfee30601950eb5e9 https://fedorahosted.org/freeipa/changeset/7279ef1d0f28dae9f3203362ca9e2245e56e111f https://fedorahosted.org/freeipa/changeset/2fdc2d0cb7fa98992fe6c2070cb5dc34c500ac09 https://fedorahosted.org/freeipa/changeset/b1283c1e56976a3019c81c3be88fa821431ac6a6 https://fedorahosted.org/freeipa/changeset/8a7e79a7a6fad8dc87c8f148cb5098434f988ea3 https://fedorahosted.org/freeipa/changeset/0e232b5f526168af6bb0b52244f79dfacb43a9b7 https://fedorahosted.org/freeipa/changeset/dc38d53de1eff71570ec5ef55db6de2c6f9b5bbd https://fedorahosted.org/freeipa/changeset/0933e080aa9635bba12efc53d904d524b309027f https://fedorahosted.org/freeipa/changeset/f98faec47847022879b8bceb63839fcfd6e45402 https://fedorahosted.org/freeipa/changeset/5c16608a0d5d4abe98319a077917f5424b72d031 https://fedorahosted.org/freeipa/changeset/49f201e2b2523c83fa2b20fe91c91733e2ee947f https://fedorahosted.org/freeipa/changeset/cc6efb97985bb93e3cdb2a6c2943d45e1132e122 https://fedorahosted.org/freeipa/changeset/c30b45ab157f611312c0cd0f4f7c3a12d7a02c11 https://fedorahosted.org/freeipa/changeset/1c9267803c6f41cc7d7485024f8864fbd62c9128 https://fedorahosted.org/freeipa/changeset/31a9ef4f8b8e2d6bb11f68ce34a7575ced9816aa https://fedorahosted.org/freeipa/changeset/2dedfe5d33062fc7121bf36be12d7b423b62120a https://fedorahosted.org/freeipa/changeset/cf1c4e84e74ea15fe5cf7219872cf131bd53281e https://fedorahosted.org/freeipa/changeset/bddd4fac462c07458297d1cea5272bde97fb3707 https://fedorahosted.org/freeipa/changeset/822e1bc82af3a6c1556546c4fbe96eeafad45762 https://fedorahosted.org/freeipa/changeset/89bb5ed1ebc0b5952a1d5eae34e0f39c5ba540d7 https://fedorahosted.org/freeipa/changeset/8e36e030910a4a6ec5ddb37cc19824f37b25ab51 https://fedorahosted.org/freeipa/changeset/3d5161d7e943fc6d4d092d18fc980fd40d21a59f https://fedorahosted.org/freeipa/changeset/a6ec37255441294285fac58c9bf08129db110fac https://fedorahosted.org/freeipa/changeset/19912796edf5d6427920ff67c33e6288223e0466 https://fedorahosted.org/freeipa/changeset/33537f555636db935dd809b62498e2415d765e8e https://fedorahosted.org/freeipa/changeset/2c226ebc27e2a4e2677549003c4c70a94296 https://fedorahosted.org/freeipa/changeset/3f690a0a3a7e039183eca1578a3cb13f2c0632ef https://fedorahosted.org/freeipa/changeset/fcea3b3fb88ede0e9414f83ac2372e000e728587 https://fedorahosted.org/freeipa/changeset/83fe6b626fd2fb7f43ddf3568aaffca1ce569079 https://fedorahosted.org/freeipa/changeset/1f65c07524c8cf80996de9f6250a4e19c3a043c9 https://fedorahosted.org/freeipa/changeset/8cbbb5359155446be22a5efb1e2372e527d2d745 https://fedorahosted.org/freeipa/changeset/bbad08900bbe8f76e59b159cd2af800f5c089ca1 https://fedorahosted.org/freeipa/changeset/b3786730e50080fa4dadeffa86388592c10b3a62 https://fedorahosted.org/freeipa/changeset/c38ce49e8d280e52c61f722b0e5ad7aa9f53cc1a https://fedorahosted.org/freeipa/changeset/5249eb817efbb5708d097173a8d5f1e322fb201e https://fedorahosted.org/freeipa/changeset/847b6eddab00973740413b4c46f86940cb73d25a https://fedorahosted.org/freeipa/changeset/0914a3aeb778986dea4020ddf8ca550ebef02bad https://fedorahosted.org/freeipa/changeset/990e1acb1a667b90619e7799bb96e2cd81e97e61 https://fedorahosted.org/freeipa/changeset/b068d3336ad65748881d0dc74505f41dac9f0f13 https://fedorahosted.org/freeipa/changeset/a3c9def4e982bcc90e9ece0900993ace53777906 https://fedorahosted.org/freeipa/changeset/8cb315af627d712dd21396164cfa2b5d03ccb466 https://fedorahosted.org/freeipa/changeset/87c3c1abecdfb8b5eb227239eeacfbee386a7ed7 https://fedorahosted.org/freeipa/changeset/bde1d82ebe32be339c30c85048fd18e1ce99867d https://fedorahosted.org/freeipa/changeset/ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24 https://fedorahosted.org/freeipa/changeset/1fc128b05fd13a3f400346cc6d2e7fb5f66875ac https://fedorahosted.org/freeipa/changeset/500327b7754e032738ab88ae19fad287f2d8cdab https://fedorahosted.org/freeipa/changeset/2de43e7aca7d4d4873ad3e5053ad75311e81dc68 https://fedorahosted.org/freeipa/changeset/e40d6a2a53a931b4d2be3e45c84da99950e60a84 https://fedorahosted.org/freeipa/changeset/0b68899779e4500d231e974f11e428f8a3577538 https://fedorahosted.org/freeipa/changeset/928a4aa6f281df55e0f655d5cbf5a327794507b6 https://fedorahosted.org/freeipa/changeset/606cac1c9e85633f54b1cc1c9fc1351e6d1a545f https://fedorahosted.org/freeipa/changeset/835923750bff4f26d9b90df9870a961d16728488 https://fedorahosted.org/freeipa/changeset/bc2e3386e7fa30211a46c0c2284d901cc2509147 https://fedorahosted.org/freeipa/changeset/37578cfc2bbec99d75b19c94c337c406bf6a6ef7 https://fedorahosted.org/freeipa/changeset/1e6366bc9f10de66de84b9506341f021fb3650d9 https://fedorahosted.org/freeipa/changeset/15f282cf2c4a5315aa3e259bd923718685d88245 https://fedorahosted.org/fr
[Freeipa-devel] [freeipa PR#232][closed] Installer refactoring
URL: https://github.com/freeipa/freeipa/pull/232 Author: jcholast Title: #232: Installer refactoring Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/232/head:pr232 git checkout pr232 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#232][+pushed] Installer refactoring
URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#232][+ack] Installer refactoring
URL: https://github.com/freeipa/freeipa/pull/232 Title: #232: Installer refactoring Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#214][comment] ipaldap: remove do_bind from LDAPClient
URL: https://github.com/freeipa/freeipa/pull/214 Title: #214: ipaldap: remove do_bind from LDAPClient jcholast commented: """ DM password may be `None` in `dns_container_exists()` and `dnssec_container_exists()` (for example in `BindInstance.setup()`), so you can't simple bind unconditionally. """ See the full comment at https://github.com/freeipa/freeipa/pull/214#issuecomment-259916767 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#214][reopened] ipaldap: remove do_bind from LDAPClient
URL: https://github.com/freeipa/freeipa/pull/214 Author: tomaskrizek Title: #214: ipaldap: remove do_bind from LDAPClient Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/214/head:pr214 git checkout pr214 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#173][+pushed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs
URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#173][comment] Ensure correct IPA CA nickname in DS and HTTP NSSDBs
URL: https://github.com/freeipa/freeipa/pull/173 Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cdd41e06e6ef97efafd36ee9e4c8d3be9e4099e7 """ See the full comment at https://github.com/freeipa/freeipa/pull/173#issuecomment-259887677 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#173][closed] Ensure correct IPA CA nickname in DS and HTTP NSSDBs
URL: https://github.com/freeipa/freeipa/pull/173 Author: frasertweedale Title: #173: Ensure correct IPA CA nickname in DS and HTTP NSSDBs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/173/head:pr173 git checkout pr173 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Turns out the request does not time out in certmonger, but the 60 seconds wait in `request_and_wait_for_cert()` it too short. """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259692618 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][+ack] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#229][comment] Remove the renewal lock file upon uninstall
URL: https://github.com/freeipa/freeipa/pull/229 Title: #229: Remove the renewal lock file upon uninstall jcholast commented: """ The file is owned by the server, not the client, so it should be deleted in `ipa-server-install --uninstall`, not in `ipa-client-install --uninstall`. """ See the full comment at https://github.com/freeipa/freeipa/pull/229#issuecomment-259683231 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ For example, if your `IPA_CONFDIR` PR was merged, setting the variable could break `ipa-client-install`, because the hard coded half of it assumes that the configuration directory is always `/etc/ipa`, but the API half would use something else. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259681181 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Sorry, but I just don't see an explanation in the comment you linked, just that you think it's easier to set an environment variable rather than an argument. Yes, it is easier, but it also make the configuration implicit - say this PR was merged, now look at this: ``` $ ipa ping ``` Can you tell me which configuration directory will this command use? The fact is you can't, as opposed to: ``` $ ipa -e confdir=/path/to/confdir ``` where it is clear just by looking at the command. This is the part I have a problem with. The links you posted only show that environment variables are used to override configuration in a few pieces of software, not that it is a standard like you say. I could as easily compile a list of software which _doesn't_ do it. All of the examples are doable by setting `confdir` explicitly in `ipa -e` or `api.bootstrap()` as well. I would like to see something more concrete. I will read your proposal once you send it to freeipa-devel for review. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259679930 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#219][comment] Refactor installer code requesting certificates
URL: https://github.com/freeipa/freeipa/pull/219 Title: #219: Refactor installer code requesting certificates jcholast commented: """ Can we fix this in a separate PR to unblock the merge of this one? """ See the full comment at https://github.com/freeipa/freeipa/pull/219#issuecomment-259671468 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Care to point me to some actual standard which recommends this? Using explicit configuration via library initialization arguments is no NIH, everyone else does it as well and it is a solution we already have in place. Still zero examples to support you claim that environment variable is a must. EDIT: There is no link to your proposal here nor is there a thread on freeipa-devel. I would be glad to read it but please follow our process for new feature designs. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ Sure, just please keep this in mind for your other changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259670294 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Care to point me to some actual standard which recommends this? Using explicit configuration via library initialization arguments is no NIH, everyone else does it as well and it is a solution we already have in place. Still zero examples to support you claim that environment variable is a must. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259670126 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#180][comment] Make api.env.nss_dir relative to api.env.confdir
URL: https://github.com/freeipa/freeipa/pull/180 Title: #180: Make api.env.nss_dir relative to api.env.confdir jcholast commented: """ See my comment on #143. """ See the full comment at https://github.com/freeipa/freeipa/pull/180#issuecomment-259663799 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#143][comment] Issue6386 nss dir
URL: https://github.com/freeipa/freeipa/pull/143 Title: #143: Issue6386 nss dir jcholast commented: """ OK, but you should at least make sure that where the code depends on hard-coded paths, the API is bootstrapped with a hard coded `confdir` as well, otherwise things might break. """ See the full comment at https://github.com/freeipa/freeipa/pull/143#issuecomment-259663631 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ "Everyone else does it" is not really a good argument to anything. Just saying. Also you still haven't provided a single example of where explicitly setting confdir can't be used and thus the environment variable must be used, and just keep repeating how required it is, so sorry I'm a little bit sceptical. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259662631 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @tiran, setting `confdir` explicitly is not a hack, but the proper way to set the config directory path and there is nothing that makes the environment variable better as an API for integrators. I would argue that it's actually worse, because it is implicit and optimized towards the less common usage (everyone who wants to use the default path has to unset the variable now to make sure that's what they actually get), and while some software does indeed allow changing configuration using environment variables, there is other software (such as GNU grep) which is actually deprecating this way of changing configuration. If majority of people think it is a good idea, I won't push back, but NACK on respecting the variable only in certain contexts. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ @tiran, setting `confdir` explicitly is not a hack, but the proper way to set the config directory path and there is nothing that makes the environment variable better as an API for integrators. I would argue that it's actually worse, because it is implicit and optimized towards the less common usage (everyone who wants to use the default path has to unset the variable now to make sure that's what they actually get), and while some software does indeed allow changing configuration using environment variables, there is other software (such as GNU grep) which is actually deprecating this way of changing configuration. If majority of people think it is a good idea, I won't push back, but NACK on respecting the variable only in specific contexts. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-259635859 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#182][-ack] Use env var IPA_CONFDIR to get confdir for 'cli' context
URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: -ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
