[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only HonzaCholasta commented: """ @frasertweedale, is that an ACK? :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270586148 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] CI: exporting test runner output
On Thu, Jan 05, 2017 at 08:53:14AM +0100, Martin Babinsky wrote: > On 01/05/2017 08:06 AM, Fraser Tweedale wrote: > > Hi all, > > > > Although it has been discussed before and met with some skepticism, > > here is a POC that exporting test runner output to, e.g. a pastebin, > > does work: > > > > - experimental commit: https://github.com/freeipa/freeipa/pull/370 > > - example paste: https://paste.fedoraproject.org/520085/ > > (it is gzipped for reasons discussed in the PR) > > > > I think we should proceed with getting these artifacts out of Travis > > and stored somewhere (it doesn't have to be > > paste.fedoraproject.org). ``tail -n 5000`` of the log file has > > proven to be not enough to diagnose all failures. > > > Wow this is great, why have I not thought about it beforehand? > > We can reduce the log size if we truncate everything before ERRORS/FAILURES > output of pytest run (we leave the log as it is if the fail occurs before > this stage), that should shave off considerable amount of cruft from the > paste unless somebody sends a PR that breaks all out tests :D. > > > If we stick with paste.fedoraproject.org, we can send to a > > "project-specific" namespace e.g. > > https://paste.fedoraproject.org/~freeipa, so that we do not clutter > > up the main archive (I think). > > > > A few questions for discussion: > > > > 1. Stick with fpaste or not? If so, use "~freeipa" namespace? > >(Keep in mind that the size limitation that exists for fpaste, > >which requires compressing the artifact, may not be a problem > >elsewhere). > > > > 2. Export log always, or only if the build job failed? > > > I would also paste the output to "freeipa" or even better "freeipa-travis" > namespace and only send it if the job fails. > I might go with "freeipa-ci". > > 3. Should pasted logs expire? If so, what should TTL be? > > > IMHO yes, but TTL is hard to determine, since the author of the PR may not > be present to review the results immediately (because he is on PTO etc.). I > think we should set TTL to something like 1 week and as a fallback keep > tailing the CI results log. > 1 week sounds reasonable. We can change it later if we need to. > > 4. Should we continue to `tail -n 5000` the log as we currently do, > >or just rely on exported log? > > > > Thanks, > > Fraser > > > > Fraser, are you OK with waiting with this effort until we push > https://github.com/freeipa/freeipa/pull/361 ?. I will just do some more > adjustments there (like result log trimming) and it should be pushed ASAP. > Yes, I was aware that there would be conflicts with this PR. I don't mind waiting. Thanks for your input. Cheers, Fraser -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ It is an ACK. I don't have perms to add the label tho :) """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270589226 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only mbasti-rh commented: """ @frasertweedale your permissions have been upgraded :) """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270589759 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][+ack] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ Thanks @mbasti-rh ! """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270590370 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] FreeIPA, Duo Security integration
Hi, As of now, we have FreeIPA with OTP working perfectly. Now, I am looking at possibly integrating Duo security instead of FreeIPA's 2FA. I am concerned about how it will fit in with FreeIPA... Has anyone else tried this before? If so, are there any pitfalls or problems you have encountered or any general advise? Cheers, Euqanra'l -- -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] CI: exporting test runner output
On 01/05/2017 09:25 AM, Fraser Tweedale wrote: > On Thu, Jan 05, 2017 at 08:53:14AM +0100, Martin Babinsky wrote: >> On 01/05/2017 08:06 AM, Fraser Tweedale wrote: >>> Hi all, >>> >>> Although it has been discussed before and met with some skepticism, >>> here is a POC that exporting test runner output to, e.g. a pastebin, >>> does work: >>> >>> - experimental commit: https://github.com/freeipa/freeipa/pull/370 >>> - example paste: https://paste.fedoraproject.org/520085/ >>> (it is gzipped for reasons discussed in the PR) >>> >>> I think we should proceed with getting these artifacts out of Travis >>> and stored somewhere (it doesn't have to be >>> paste.fedoraproject.org). ``tail -n 5000`` of the log file has >>> proven to be not enough to diagnose all failures. >>> >> Wow this is great, why have I not thought about it beforehand? Seems like a great feature. Thanks, Fraser! >> We can reduce the log size if we truncate everything before ERRORS/FAILURES >> output of pytest run (we leave the log as it is if the fail occurs before >> this stage), that should shave off considerable amount of cruft from the >> paste unless somebody sends a PR that breaks all out tests :D. >> >>> If we stick with paste.fedoraproject.org, we can send to a >>> "project-specific" namespace e.g. >>> https://paste.fedoraproject.org/~freeipa, so that we do not clutter >>> up the main archive (I think). >>> >>> A few questions for discussion: >>> >>> 1. Stick with fpaste or not? If so, use "~freeipa" namespace? >>>(Keep in mind that the size limitation that exists for fpaste, >>>which requires compressing the artifact, may not be a problem >>>elsewhere). >>> >>> 2. Export log always, or only if the build job failed? >>> >> I would also paste the output to "freeipa" or even better "freeipa-travis" >> namespace and only send it if the job fails. >> > I might go with "freeipa-ci". +1 >>> 3. Should pasted logs expire? If so, what should TTL be? >>> >> IMHO yes, but TTL is hard to determine, since the author of the PR may not >> be present to review the results immediately (because he is on PTO etc.). I >> think we should set TTL to something like 1 week and as a fallback keep >> tailing the CI results log. >> > 1 week sounds reasonable. We can change it later if we need to. I actually wouldn't mind extending this to something like 2-4 weeks. In some cases it might be useful to have access to older logs (PTOs, or simply to just view the history for some reason). Is there any downside to keeping the logs for a bit longer? >>> 4. Should we continue to `tail -n 5000` the log as we currently do, >>>or just rely on exported log? If you're talking about the log in the travis web interface, I would keep it. It's easily accessible from the browser. >>> Thanks, >>> Fraser >> Fraser, are you OK with waiting with this effort until we push >> https://github.com/freeipa/freeipa/pull/361 ?. I will just do some more >> adjustments there (like result log trimming) and it should be pushed ASAP. >> > Yes, I was aware that there would be conflicts with this PR. I > don't mind waiting. Thanks for your input. > > Cheers, > Fraser > -- Tomas Krizek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#362][+pushed] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Title: #362: Clarify meaning of --domain and --realm in installers Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#362][closed] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Author: stlaz Title: #362: Clarify meaning of --domain and --realm in installers Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/362/head:pr362 git checkout pr362 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#362][comment] Clarify meaning of --domain and --realm in installers
URL: https://github.com/freeipa/freeipa/pull/362 Title: #362: Clarify meaning of --domain and --realm in installers mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/25a6ddcce8e7b9effaf19431c421dc5b3497fa22 """ See the full comment at https://github.com/freeipa/freeipa/pull/362#issuecomment-270592688 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org frasertweedale commented: """ Additional notes about paste.fedoraproject.org projects: - seems that only names consisting entirely of alpha chars work (thus ruling out `freeipa-ci` or similar) - pastes to a project namespace appear in *both* the project archive, and the main archive. - example command: ```shell curl -v https://paste.fedoraproject.org/~freeipa/ -H Expect: \ -d api_submit=true \ -d mode=json \ -d paste_lang=text \ -d paste_data=hello+world \ -d paste_expire=300 ``` - paste can be accessed via top name space or project (or any *other*, too) """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270592924 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#365][+ack] Silence pylint import errors of ipaserver in ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/365 Title: #365: Silence pylint import errors of ipaserver in ipalib and ipaclient Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#365][closed] Silence pylint import errors of ipaserver in ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/365 Author: tiran Title: #365: Silence pylint import errors of ipaserver in ipalib and ipaclient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/365/head:pr365 git checkout pr365 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#365][+pushed] Silence pylint import errors of ipaserver in ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/365 Title: #365: Silence pylint import errors of ipaserver in ipalib and ipaclient Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#365][comment] Silence pylint import errors of ipaserver in ipalib and ipaclient
URL: https://github.com/freeipa/freeipa/pull/365 Title: #365: Silence pylint import errors of ipaserver in ipalib and ipaclient mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/987d24f784e05e911bf4e87bd1156abb1dd56210 """ See the full comment at https://github.com/freeipa/freeipa/pull/365#issuecomment-270593168 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] CI: exporting test runner output
On Thu, Jan 05, 2017 at 09:38:03AM +0100, Tomas Krizek wrote: > On 01/05/2017 09:25 AM, Fraser Tweedale wrote: > > On Thu, Jan 05, 2017 at 08:53:14AM +0100, Martin Babinsky wrote: > >> On 01/05/2017 08:06 AM, Fraser Tweedale wrote: > >>> Hi all, > >>> > >>> Although it has been discussed before and met with some skepticism, > >>> here is a POC that exporting test runner output to, e.g. a pastebin, > >>> does work: > >>> > >>> - experimental commit: https://github.com/freeipa/freeipa/pull/370 > >>> - example paste: https://paste.fedoraproject.org/520085/ > >>> (it is gzipped for reasons discussed in the PR) > >>> > >>> I think we should proceed with getting these artifacts out of Travis > >>> and stored somewhere (it doesn't have to be > >>> paste.fedoraproject.org). ``tail -n 5000`` of the log file has > >>> proven to be not enough to diagnose all failures. > >>> > >> Wow this is great, why have I not thought about it beforehand? > Seems like a great feature. Thanks, Fraser! > >> We can reduce the log size if we truncate everything before ERRORS/FAILURES > >> output of pytest run (we leave the log as it is if the fail occurs before > >> this stage), that should shave off considerable amount of cruft from the > >> paste unless somebody sends a PR that breaks all out tests :D. > >> > >>> If we stick with paste.fedoraproject.org, we can send to a > >>> "project-specific" namespace e.g. > >>> https://paste.fedoraproject.org/~freeipa, so that we do not clutter > >>> up the main archive (I think). > >>> I was wrong. All "project" pastes appear in main namespace as well as project namespace. Not sure if by design or not. > >>> A few questions for discussion: > >>> > >>> 1. Stick with fpaste or not? If so, use "~freeipa" namespace? > >>>(Keep in mind that the size limitation that exists for fpaste, > >>>which requires compressing the artifact, may not be a problem > >>>elsewhere). > >>> > >>> 2. Export log always, or only if the build job failed? > >>> > >> I would also paste the output to "freeipa" or even better "freeipa-travis" > >> namespace and only send it if the job fails. > >> > > I might go with "freeipa-ci". > +1 > Unfortunately fpaste can't handle this. Has to be all-alpha. So we can use "freeipaci" but given the constraint I would rather just use "freeipa". I shall file a fedora-infra ticket to see if this can be addressed. > >>> 3. Should pasted logs expire? If so, what should TTL be? > >>> > >> IMHO yes, but TTL is hard to determine, since the author of the PR may not > >> be present to review the results immediately (because he is on PTO etc.). I > >> think we should set TTL to something like 1 week and as a fallback keep > >> tailing the CI results log. > >> > > 1 week sounds reasonable. We can change it later if we need to. > I actually wouldn't mind extending this to something like 2-4 weeks. In > some cases it might be useful to have access to older logs (PTOs, or > simply to just view the history for some reason). Is there any downside > to keeping the logs for a bit longer? > Not really. I was thinking server diskspace is logs were very big but now that we're compressing I don't think it matters. 4 weeks, sure why not :) > >>> 4. Should we continue to `tail -n 5000` the log as we currently do, > >>>or just rely on exported log? > If you're talking about the log in the travis web interface, I would > keep it. It's easily accessible from the browser. > >>> Thanks, > >>> Fraser > >> Fraser, are you OK with waiting with this effort until we push > >> https://github.com/freeipa/freeipa/pull/361 ?. I will just do some more > >> adjustments there (like result log trimming) and it should be pushed ASAP. > >> > > Yes, I was aware that there would be conflicts with this PR. I > > don't mind waiting. Thanks for your input. > > > > Cheers, > > Fraser > > > -- > Tomas Krizek > > -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values mbasti-rh commented: """ PR needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-270594446 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/6f7d982fe2e2d2f042e85710b8d8d59167e5796f https://fedorahosted.org/freeipa/changeset/a5fb5f2da1be158cde585a087aaf97eca6218dd7 """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-270598125 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#355][closed] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#355][+pushed] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology mbasti-rh commented: """ Please provide PR for ipa-4-4 too """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-270598873 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][synchronized] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 From a59ecbc489393ad9d509bd4718ffb87e3197c355 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 10:11:20 +0100 Subject: [PATCH 01/10] Bump up ipa-docker-test-runner version --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e870213..c32c5d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,7 @@ before_install: - pip install pep8 - > pip3 install - git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0 + git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: - > From ab0c72c08bf222c3903c6681d562284169aa2f02 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:47:31 +0100 Subject: [PATCH 02/10] travis: mark FreeIPA as python project --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c32c5d7..2855bf2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +language: python services: - docker From 0a8de3a9758459c1aab64fa475771694e3c869ff Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:01:00 +0100 Subject: [PATCH 03/10] Put the commands informing and displaying build logs on single line This prevents Travis log collector to add separate expansion marks to the echo output and the actuall log output. --- .travis.yml | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2855bf2..28f481f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -39,7 +39,5 @@ script: --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set after_failure: - - echo "Test runner output:" - - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log - - echo "PEP-8 errors:" - - cat pep8_errors.log +- echo "Test runner output:"; tail -n 5000 ci_results_${TRAVIS_BRANCH}.log +- echo "PEP-8 errors:"; cat pep8_errors.log From 8172ea91f1e23cfe16e5d6962a67c51e7a778af7 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:55:55 +0100 Subject: [PATCH 04/10] Travis CI: a separate script to run test tasks this script is intended only for use in Travis CI and contains configuration of the test run requested: * it can run linter step separately by specifying TASK_TO_RUN="lint" environment variable in .travis.yml. In this case it also runs pep8 checker on the commits in PR. * other steps are run in developer mode in order to skip pylint run and speed up the task * in all cases the CI result log is populated and can be displayed if the job fails --- .travis_run_task.sh | 34 ++ 1 file changed, 34 insertions(+) create mode 100755 .travis_run_task.sh diff --git a/.travis_run_task.sh b/.travis_run_task.sh new file mode 100755 index 000..2163a9b --- /dev/null +++ b/.travis_run_task.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# NOTE: this script is intended to run in Travis CI only +set -ev + +test_set="" +developer_mode_opt="--developer-mode" + +if [[ "$TASK_TO_RUN" == "lint" ]] +then +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]] +then +git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||: +fi + +# disable developer mode for lint task, otherwise we get an error +developer_mode_opt="" +fi + +if [[ -n "$TESTS_TO_RUN" ]] +then +pushd ipatests +test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null | tr '\n' ' '` +popd +fi + +docker pull $TEST_RUNNER_IMAGE + +ipa-docker-test-runner -l $CI_RESULTS_LOG \ +-c $TEST_RUNNER_CONFIG \ +$developer_mode_opt \ +--container-image $TEST_RUNNER_IMAGE \ +--git-repo $TRAVIS_BUILD_DIR \ +$TASK_TO_RUN $test_set From 549b439956f063350ff8b31cc7829a4e973bc312 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:03:25 +0100 Subject: [PATCH 05/10] Travis: offload test execution to a separate script --- .travis.yml | 17 + 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 28f481f..8692dd7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,22 +22,7 @@ before_install: git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: -- > -if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; -then -git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log; -fi -- "pushd ipatests; test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null`; popd" -# use travis_wait so that long running tasks (tests) which produce no -# output do not cause premature termination of the build -- "docker pull ${
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: martbab commented: """ @stlaz I have implemented a simple log trimming which keeps only pytest failures if present. The original behavior is kept as a fallback for the case if the setup fails. """ See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270599385 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [RFC] Matching and Mapping Certificates
On Mon, Jan 02, 2017 at 09:18:47AM +0100, Jan Cholasta wrote: > On 18.10.2016 07:34, Jan Cholasta wrote: > > On 17.10.2016 16:50, Rob Crittenden wrote: > > > Jan Cholasta wrote: > > > > Hi, > > > > > > > > On 13.10.2016 18:52, Sumit Bose wrote: > > > > > = Issuer specific matching = > > > > > Although the MIT Kerberos rules allow to select the issuer of a > > > > > certificate there are use cases where a more specific selection is > > > > > needed. E.g. if there are some default matching rules for all issuers > > > > > and some other issuer specific rules where the default rules should > > > > > not apply. To make this possible with the above scheme the default > > > > > rules must have an clause which matches all but the issuer > > > > > with the specific rules. Writing regular-expressions to not match a > > > > > specific string or a list of strings is at least error-prone if not > > > > > impossible. > > > > > > > > > > To make it easier to define issuer specific rules and default rules at > > > > > the same time and optional issuer string can be added to the rule to > > > > > indicate that for the given issuer only those rules should be > > > > > considered. Given the use-case I think it is acceptable to require > > > > > that the full issuer must be specified here in LDAP order (see below) > > > > > and case-sensitive matching is used. > > > > > > > > This could also be solved by adding priority to rules - if two rules > > > > match, the one with higher priority (the issuer specific rule) is > > > > preferred over the one with lower priority (the default rule). IMO this > > > > is better than an optional issuer string as it offers greater > > > > flexibility. > > > > > > The use cases I've seen haven't had to do with priority, though that > > > would be a nice enhancement, but with only allowing certificates issued > > > by a specific CA to be allowed (this is pretty common in web servers). > > > Being able to say "only do the matching on certificates issued by foo" > > > is valuable. > > > > Sure, I'm not suggesting that matching by issuer should be removed, only > > that rule precedence should not be determined by the issuer field setting. > > > > Bump. Sumit, what is your opinion on this? I'm fine with an optional(?) priority as well. Since priorities are already used in the pwpolicies this should be already known to the experienced admin. I guess we just have stick with "A lower value indicates a higher priority" to not confuse users. That's why I think that the priority should be optional here and a missing value indicates the lowest priority (default rules). Are you thinking of using the CoS scheme here as well would a priority attribute be sufficient because we do not want to reference internal objects in the mapping rules? bye, Sumit > > -- > Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf dkupka commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a15fdea615fa4e1153fbbed234113a235135572e """ See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-270603889 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#279][+pushed] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#279][closed] installer: Stop adding distro-specific NTP servers into ntp.conf
URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][opened] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Author: frasertweedale Title: #371: Set up DS TLS on replica in CA-less topology Action: opened PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6226 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/371/head:pr371 git checkout pr371 From 23bfb40e4037d9c14077cd3d472cf69f008e5c0a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 Dec 2016 23:29:22 +1000 Subject: [PATCH] Set up DS TLS on replica in CA-less topology Fixes: https://fedorahosted.org/freeipa/ticket/6226 --- ipaserver/install/dsinstance.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 26cd246..1d3ae2e 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -393,7 +393,9 @@ def create_replica(self, realm_name, master_fqdn, fqdn, if self.promote: self.step("creating DS keytab", self.__get_ds_keytab) -if self.ca_is_configured: +if self.pkcs12_info: +self.step("configuring ssl for ds instance", self.__enable_ssl) +else: self.step("retrieving DS Certificate", self.__get_ds_cert) self.step("restarting directory server", self.__restart_instance) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][synchronized] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 From a59ecbc489393ad9d509bd4718ffb87e3197c355 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 10:11:20 +0100 Subject: [PATCH 01/10] Bump up ipa-docker-test-runner version --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e870213..c32c5d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,7 @@ before_install: - pip install pep8 - > pip3 install - git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0 + git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: - > From ab0c72c08bf222c3903c6681d562284169aa2f02 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:47:31 +0100 Subject: [PATCH 02/10] travis: mark FreeIPA as python project --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c32c5d7..2855bf2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +language: python services: - docker From 0a8de3a9758459c1aab64fa475771694e3c869ff Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:01:00 +0100 Subject: [PATCH 03/10] Put the commands informing and displaying build logs on single line This prevents Travis log collector to add separate expansion marks to the echo output and the actuall log output. --- .travis.yml | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2855bf2..28f481f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -39,7 +39,5 @@ script: --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set after_failure: - - echo "Test runner output:" - - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log - - echo "PEP-8 errors:" - - cat pep8_errors.log +- echo "Test runner output:"; tail -n 5000 ci_results_${TRAVIS_BRANCH}.log +- echo "PEP-8 errors:"; cat pep8_errors.log From 8172ea91f1e23cfe16e5d6962a67c51e7a778af7 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:55:55 +0100 Subject: [PATCH 04/10] Travis CI: a separate script to run test tasks this script is intended only for use in Travis CI and contains configuration of the test run requested: * it can run linter step separately by specifying TASK_TO_RUN="lint" environment variable in .travis.yml. In this case it also runs pep8 checker on the commits in PR. * other steps are run in developer mode in order to skip pylint run and speed up the task * in all cases the CI result log is populated and can be displayed if the job fails --- .travis_run_task.sh | 34 ++ 1 file changed, 34 insertions(+) create mode 100755 .travis_run_task.sh diff --git a/.travis_run_task.sh b/.travis_run_task.sh new file mode 100755 index 000..2163a9b --- /dev/null +++ b/.travis_run_task.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# NOTE: this script is intended to run in Travis CI only +set -ev + +test_set="" +developer_mode_opt="--developer-mode" + +if [[ "$TASK_TO_RUN" == "lint" ]] +then +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]] +then +git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||: +fi + +# disable developer mode for lint task, otherwise we get an error +developer_mode_opt="" +fi + +if [[ -n "$TESTS_TO_RUN" ]] +then +pushd ipatests +test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null | tr '\n' ' '` +popd +fi + +docker pull $TEST_RUNNER_IMAGE + +ipa-docker-test-runner -l $CI_RESULTS_LOG \ +-c $TEST_RUNNER_CONFIG \ +$developer_mode_opt \ +--container-image $TEST_RUNNER_IMAGE \ +--git-repo $TRAVIS_BUILD_DIR \ +$TASK_TO_RUN $test_set From 549b439956f063350ff8b31cc7829a4e973bc312 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:03:25 +0100 Subject: [PATCH 05/10] Travis: offload test execution to a separate script --- .travis.yml | 17 + 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 28f481f..8692dd7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,22 +22,7 @@ before_install: git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: -- > -if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; -then -git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log; -fi -- "pushd ipatests; test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null`; popd" -# use travis_wait so that long running tasks (tests) which produce no -# output do not cause premature termination of the build -- "docker pull ${
[Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology frasertweedale commented: """ ipa-4-4 PR: #371 """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-270605522 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code HonzaCholasta commented: """ @simo5, I might have fixed the certmonger issue, see HonzaCholasta@907ef3cff2045edd4625d4c422d1d0ae473fe51c, however I'm hitting the "No valid Negotiate header in server response" error again. Any idea what might be causing it? """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270606660 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#370][comment] [EXPERIMENT] ci: send build log to paste.fedoraproject.org
URL: https://github.com/freeipa/freeipa/pull/370 Title: #370: [EXPERIMENT] ci: send build log to paste.fedoraproject.org frasertweedale commented: """ fedora-infra ticket for project name limitations: https://pagure.io/fedora-infrastructure/issue/5661 """ See the full comment at https://github.com/freeipa/freeipa/pull/370#issuecomment-270609873 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][edited] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Author: frasertweedale Title: #371: [4.4] Set up DS TLS on replica in CA-less topology Action: edited Changed field: title Original value: """ Set up DS TLS on replica in CA-less topology """ -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: stlaz commented: """ The change LGTM, ACK, we'll see how it works :) """ See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270612407 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][+ack] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][synchronized] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Author: tiran Title: #366: Use pytest conftest.py Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/366/head:pr366 git checkout pr366 From 4fad18a15221d9a5fd7b075a55a59b0a8d5fda3e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 3 Jan 2017 18:04:53 +0100 Subject: [PATCH] Use pytest conftest.py and drop pytest.ini Let's replace some ugly hacks with proper pytest conftest.py hooks. Test initialization of ipalib.api is now handled in pytest_cmdline_main(). Pytest plugins, markers and ignores are also moved into conftest.py. Additional guards make it possible to run tests without ipaserver installed. I added confcutdir to ensure that pytest does not leave our project space. Pytest used pytest.ini or setup.py before but pytest.ini is gone. Signed-off-by: Christian Heimes --- Makefile.am| 3 +- ipalib/__init__.py | 7 - ipatests/conftest.py | 76 ++ ipatests/ipa-run-tests | 13 + ipatests/pytest.ini| 23 --- ipatests/setup.py | 1 - make-test | 8 -- pytest.ini | 1 - 8 files changed, 90 insertions(+), 42 deletions(-) create mode 100644 ipatests/conftest.py delete mode 100644 ipatests/pytest.ini delete mode 12 pytest.ini diff --git a/Makefile.am b/Makefile.am index 73bd378..9bfc899 100644 --- a/Makefile.am +++ b/Makefile.am @@ -37,8 +37,7 @@ EXTRA_DIST = .mailmap \ doc \ freeipa.spec.in \ ipasetup.py.in \ - pylintrc \ - pytest.ini + pylintrc clean-local: rm -rf "$(RPMBUILD)" diff --git a/ipalib/__init__.py b/ipalib/__init__.py index aaca973..4f09090 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -949,10 +949,3 @@ def create_api(mode='dummy'): return api api = create_api(mode=None) - -if os.environ.get('IPA_UNIT_TEST_MODE', None) == 'cli_test': -from ipalib.cli import cli_plugins -api.bootstrap(context='cli', in_server=False, in_tree=True, fallback=False) -for klass in cli_plugins: -api.add_plugin(klass) -api.finalize() diff --git a/ipatests/conftest.py b/ipatests/conftest.py new file mode 100644 index 000..45920de --- /dev/null +++ b/ipatests/conftest.py @@ -0,0 +1,76 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# +from __future__ import print_function + +from ipalib import api +from ipalib.cli import cli_plugins +try: +import ipaserver +except ImportError: +ipaserver = None + + +pytest_plugins = [ +'ipatests.pytest_plugins.additional_config', +'ipatests.pytest_plugins.beakerlib', +'ipatests.pytest_plugins.declarative', +'ipatests.pytest_plugins.nose_compat', +] +# The integration plugin is not available in client-only builds. +if ipaserver is not None: +pytest_plugins.append('ipatests.pytest_plugins.integration') + + +MARKERS = [ +'tier0: basic unit tests and critical functionality', +'tier1: functional API tests', +'cs_acceptance: Acceptance test suite for Dogtag Certificate Server', +'ds_acceptance: Acceptance test suite for 389 Directory Server', +] + + +NO_RECURSE_DIRS = [ +# build directories +'ipaclient/build', +'ipalib/build', +'ipaplatform/build', +'ipapython/build', +'ipaserver/build', +'ipatests/build', +# install/share/wsgi.py +'install/share' +] + + +def pytest_configure(config): +# add pytest markers +for marker in MARKERS: +config.addinivalue_line('markers', marker) + +# do not recurse into build directories or install/share directory. +for norecursedir in NO_RECURSE_DIRS: +config.addinivalue_line('norecursedirs', norecursedir) + +# load test classes with these prefixes. +# addinivalue_line() adds duplicated entries. +python_classes = config.getini('python_classes') +for value in ['test_', 'Test']: +if value not in python_classes: +python_classes.append(value) + +# set default JUnit prefix +if config.option.junitprefix is None: +config.option.junitprefix = 'ipa' + +# always run doc tests +config.option.doctestmodules = True + + +def pytest_cmdline_main(config): +api.bootstrap( +context=u'cli', in_server=False, in_tree=True, fallback=False +) +for klass in cli_plugins: +api.add_plugin(klass) +api.finalize() diff --git a/ipatests/ipa-run-tests b/ipatests/ipa-run-tests index 53fa7b3..cafd993 100755 --- a/ipatests/ipa-run-tests +++ b/ipatests/ipa-run-tests @@ -34,12 +34,15 @@ import pytest import ipatests -# This must be set so ipalib.api gets initialized property for tests: -os.environ['IPA_UNIT_TEST_MODE'] = 'cli_test' - # This is set to store --with-xunit report in an accessible place: os.environ['IPATEST_XUNIT_PATH'] = os.path.join(os.getcwd(), 'nosetests.xml') -os.chdir(os.path
[Freeipa-devel] [freeipa PR#372][opened] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372 Author: tiran Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py Action: opened PR body: """ Apparently ipaplatform.paths is not available on IPA 3.x. https://fedorahosted.org/freeipa/ticket/6540 Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/372/head:pr372 git checkout pr372 From fb896f46f0722113dd1345f5708685bafab06d6f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 5 Jan 2017 12:46:50 +0100 Subject: [PATCH] Restore IPA 3.0 compatibility of copy-schema-to-ca.py Apparently ipaplatform.paths is not available on IPA 3.x. https://fedorahosted.org/freeipa/ticket/6540 Signed-off-by: Christian Heimes --- install/share/copy-schema-to-ca.py | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/install/share/copy-schema-to-ca.py b/install/share/copy-schema-to-ca.py index 4daed6f..b14c3dd 100755 --- a/install/share/copy-schema-to-ca.py +++ b/install/share/copy-schema-to-ca.py @@ -17,7 +17,6 @@ from hashlib import sha1 -from ipaplatform.paths import paths from ipapython import ipautil from ipapython.ipa_log_manager import root_logger, standard_logging_setup from ipaserver.install.dsinstance import schema_dirname @@ -35,6 +34,14 @@ from ipaserver.install.cainstance import PKI_USER #pylint: disable=E0611 try: +from ipaplatform.paths import paths +USR_SHARE_IPA_DIR = paths.USR_SHARE_IPA_DIR +ETC_IPA = paths.ETC_IPA +except (ImportError, AttributeError): +USR_SHARE_IPA_DIR = "/usr/share/ipa/" +ETC_IPA = "/etc/ipa" + +try: from ipaplatform import services except ImportError: from ipapython import services # pylint: disable=no-name-in-module @@ -66,7 +73,7 @@ def add_ca_schema(): pki_pent = pwd.getpwnam(PKI_USER) ds_pent = pwd.getpwnam(DS_USER) for schema_fname in SCHEMA_FILENAMES: -source_fname = os.path.join(paths.USR_SHARE_IPA_DIR, schema_fname) +source_fname = os.path.join(USR_SHARE_IPA_DIR, schema_fname) target_fname = os.path.join(schema_dirname(SERVERID), schema_fname) if not os.path.exists(source_fname): root_logger.debug('File does not exist: %s', source_fname) @@ -114,7 +121,7 @@ def main(): standard_logging_setup(verbose=True) # In 3.0, restarting needs access to api.env -api.bootstrap_with_global_options(context='server', confdir=paths.ETC_IPA) +api.bootstrap_with_global_options(context='server', confdir=ETC_IPA) add_ca_schema() restart_pki_ds() -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][+ack] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Title: #371: [4.4] Set up DS TLS on replica in CA-less topology Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][comment] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Title: #371: [4.4] Set up DS TLS on replica in CA-less topology tomaskrizek commented: """ I re-tested CA-less and CA-full use cases in both domlvl0 and domlvl1. They all seem to work and ldapssl is running. Thanks for fixing the issue! """ See the full comment at https://github.com/freeipa/freeipa/pull/371#issuecomment-270629905 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Certificate Identity Mapping
On Mon, Jan 02, 2017 at 08:06:04AM +0100, Jan Cholasta wrote: > On 19.12.2016 12:13, Sumit Bose wrote: > > On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote: > > > I agree with *almost* everything Sumit said. See my inline comments below. > > > > > > On 16.12.2016 11:53, Sumit Bose wrote: > > > > On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote: > > > > > Hi, > > > > > > > > > > I have started a feature description for the Certificate Identity > > > > > Mapping at > > > > > the following location: > > > > > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping > > > > > > > > > > This is a first step, focusing on the interface we would like to > > > > > provide. It > > > > > still contains open questions, some of which are linked to the > > > > > corresponding > > > > > design on SSSD side: > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities > > > > > > > > > > Comments, concerns and suggestions are welcome. Thanks! > > > > > > > > Hi Flo, > > > > > > > > thank you very much for setting up the page. > > > > > > > > My comments are mostly about the commands. > > > > > > > > certmappingconfig-mod: > > > > > > > > * --enable=Boolean: if this option is 'False' SSSD will basically show > > > > the current behavior and just look up the certificates directly. But I > > > > wonder if the option is needed at all because not adding any mapping > > > > rules would have the same effect. > > > > > > > > What is the scope here, only the IPA domain, or all trusted domains as > > > > well? If it is for trusted domains as well will the certmappingrule-* > > > > commands and user-{add/remove}-certmapping return an error? > > > > > > > > So, in general I see an overlap with the mapping rules and I think it > > > > would be clearer to drop this option and do the lookups according to > > > > the mapping rules. > > > > > > > > * --prompt-username=Boolean: the description implies that this option is > > > > synonymous to 1:1 mapping, but it is not. On Linux authentication in > > > > most cases use a user name either by directly asking (e.g. /bin/login) > > > > or using the current user name (e.g. sudo). So, according to its name > > > > it would only control if gdm is allowed to ask for an (optional) user > > > > name. > > > > > > > > If the option is renamed to e.g. --force-1-to-1-mapping to really > > > > enforce a 1:1 mapping then it would make sense to derived to gdm > > > > behavior. I.e. if 1:1 mapping is enforce it makes no sense for gdm to > > > > ask for a user name and if it is not enforced then it makes sense to > > > > offer and optional user name input field. > > > > > > > > * --enable-username-mismatch=Boolean: I think this option can be > > > > dropped. My test so far show that if a non-matching hint is given on a > > > > Windows client authentication fails. > > > > > > > > * --alternate-attribute=STRING: I think this option isn't needed as > > > > well. For IPA server-side we should decide on an attribute name and > > > > add it to the schema for user objects. On the client side the > > > > attribute name can be taken from the mapping rule.A > > > > > > > > > > > > certmappingrule.*: > > > > > > > > * ISSUERDN: it looks like you want to use issuerName here. In > > > > certificateRecord it it used with LDAP ordering and I would prefer > > > > LDAP ordering at all points where we have a choice. Unfortunately in > > > > the > > > > issuer-subject mapping AD dictates X.500 ordering. > > > > > > LDAP ordering should indeed be preferred, as it is used everywhere else in > > > IPA. We can convert to/from X.500 ordering where necessary, when possible. > > > > > > > > > > > * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in > > > > the example? My intention in the SSSD design-page was to specify the > > > > domain (as in DNS domain/IPA domain/trusted domain) where the matching > > > > user should be searched. Different domains might certificates from > > > > different issuers and some domains might not even use certificates. > > > > With this information SSSD does not have to search any domain trusted > > > > by IPA from a given certificate, but look only at domains listed here > > > > (the attribute should be a multi-value one). > > > > > > > > There are objects in the LDAP tree for each trusted domain which are > > > > used by SSSD so using a DN syntax would be valid here. > > > > > > We use domain names rather than DNs to refer to domains everywhere else in > > > the framework. I don't think this place should be an exception. > > > > I'm fine with domain names as well. In fact I didn't thought of using > > DNs for this before I read DOMAINDN on the design page. > > > > > > > > > > > > > * LDAPSEARCHFILTER: I think a separate option is not n
Re: [Freeipa-devel] Certificate Identity Mapping
On Tue, Dec 20, 2016 at 10:10:29AM +0100, Florence Blanc-Renaud wrote: > Hi Sumit and Jan, > > thanks to both of you for providing detailed comments. Please find answers > inline. > > On 12/19/2016 12:13 PM, Sumit Bose wrote: > > On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote: > > > I agree with *almost* everything Sumit said. See my inline comments below. > > > > > > On 16.12.2016 11:53, Sumit Bose wrote: > > > > On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote: > > > > > Hi, > > > > > > > > > > I have started a feature description for the Certificate Identity > > > > > Mapping at > > > > > the following location: > > > > > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping > > > > > > > > > > This is a first step, focusing on the interface we would like to > > > > > provide. It > > > > > still contains open questions, some of which are linked to the > > > > > corresponding > > > > > design on SSSD side: > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates > > > > > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities > > > > > > > > > > Comments, concerns and suggestions are welcome. Thanks! > > > > > > > > Hi Flo, > > > > > > > > thank you very much for setting up the page. > > > > > > > > My comments are mostly about the commands. > > > > > > > > certmappingconfig-mod: > > > > > > > > * --enable=Boolean: if this option is 'False' SSSD will basically show > > > > the current behavior and just look up the certificates directly. But I > > > > wonder if the option is needed at all because not adding any mapping > > > > rules would have the same effect. > > > > > > > > What is the scope here, only the IPA domain, or all trusted domains as > > > > well? If it is for trusted domains as well will the certmappingrule-* > > > > commands and user-{add/remove}-certmapping return an error? > > > > > > > > So, in general I see an overlap with the mapping rules and I think it > > > > would be clearer to drop this option and do the lookups according to > > > > the mapping rules. > I saw this option as a convenient way to disable all the rules with a single > command, but I agree it's redundant with the mapping rules and we can live > without it. > > > > > > > > > * --prompt-username=Boolean: the description implies that this option is > > > > synonymous to 1:1 mapping, but it is not. On Linux authentication in > > > > most cases use a user name either by directly asking (e.g. /bin/login) > > > > or using the current user name (e.g. sudo). So, according to its name > > > > it would only control if gdm is allowed to ask for an (optional) user > > > > name. > > > > > > > > If the option is renamed to e.g. --force-1-to-1-mapping to really > > > > enforce a 1:1 mapping then it would make sense to derived to gdm > > > > behavior. I.e. if 1:1 mapping is enforce it makes no sense for gdm to > > > > ask for a user name and if it is not enforced then it makes sense to > > > > offer and optional user name input field. > > > > > Agree, force-1-to-1-mapping is clearer. Please don't get me wrong, I just wanted to point out that switching on and off the username prompt (or hint) is not the same as forcing a 1:1 mapping. I think it is good to have the --prompt-username option to tell applications which by default might not prompt for a user name when doing Smartcard authentication, like gdm or web apps, to show a user name. This allows to reach a similar behaviour as the 'username hint' GPO in AD. I think we currently do not have a requirement to force a 1:1 mappping. bye, Sumit > > > > > * --enable-username-mismatch=Boolean: I think this option can be > > > > dropped. My test so far show that if a non-matching hint is given on a > > > > Windows client authentication fails. > OK, thanks for the heads-up. > > > > > > > > > * --alternate-attribute=STRING: I think this option isn't needed as > > > > well. For IPA server-side we should decide on an attribute name and > > > > add it to the schema for user objects. On the client side the > > > > attribute name can be taken from the mapping rule.A > OK. > > > > > > > > > > > > > certmappingrule.*: > > > > > > > > * ISSUERDN: it looks like you want to use issuerName here. In > > > > certificateRecord it it used with LDAP ordering and I would prefer > > > > LDAP ordering at all points where we have a choice. Unfortunately in > > > > the > > > > issuer-subject mapping AD dictates X.500 ordering. > > > > > > LDAP ordering should indeed be preferred, as it is used everywhere else in > > > IPA. We can convert to/from X.500 ordering where necessary, when possible. > > > > We can use the issuerName attribute with LDAP ordering and convert when > needed, as Jan suggested. > > > > > > > > > * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in > > > > the example? My intention in the SSSD de
[Freeipa-devel] [freeipa PR#361][-ack] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: Label: -ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] FreeIPA, Duo Security integration
On 01/05/2017 09:36 AM, Oucema Bellagha wrote: > Hi, > As of now, we have FreeIPA with OTP working perfectly. Now, I am looking at > possibly integrating Duo security instead of FreeIPA's 2FA. I am concerned > about how it will fit in with FreeIPA... Has anyone else tried this before? > If > so, are there any pitfalls or problems you have encountered or any general > advise? > > Cheers, Euqanra'l -- > Hello Oucema, Integration with other 2FA system can be handled by RADIUS proxy feature: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/otp.html#migrating-proprietary-otp For practical experience with Duo, better ask on freeipa-users mailing list where admin community dwells. freeipa-devel is primarily used for development discussions. Btw, what is the use case or reasons to integrate with Duo instead of using FreeIPA's 2FA? -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values gkaihorodova commented: """ will do, but before let me do small changes that was requested by @stlaz in #210, to use str.format() instead of " %r " """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-270642709 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372 Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py stlaz commented: """ Is there a reason not to stick with the original `ipautil.SHARE_DIR` and without setting `confdir`? This script won't be run on servers that either need `confdir` set or have `ipaplatform.paths`, will it (I know I acked the latter, did not realize there would be trouble)? """ See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-270642731 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#372][comment] Restore IPA 3.0 compatibility of copy-schema-to-ca.py
URL: https://github.com/freeipa/freeipa/pull/372 Title: #372: Restore IPA 3.0 compatibility of copy-schema-to-ca.py tiran commented: """ ```SHARE_DIR``` is no longer available. I had to find another approach. The approach ```import else use well-known constants``` is safe and will not break any time soon. """ See the full comment at https://github.com/freeipa/freeipa/pull/372#issuecomment-270645628 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][synchronized] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 From a59ecbc489393ad9d509bd4718ffb87e3197c355 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 10:11:20 +0100 Subject: [PATCH 01/10] Bump up ipa-docker-test-runner version --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e870213..c32c5d7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -18,7 +18,7 @@ before_install: - pip install pep8 - > pip3 install - git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-0 + git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: - > From ab0c72c08bf222c3903c6681d562284169aa2f02 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:47:31 +0100 Subject: [PATCH 02/10] travis: mark FreeIPA as python project --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index c32c5d7..2855bf2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,4 @@ +language: python services: - docker From 0a8de3a9758459c1aab64fa475771694e3c869ff Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:01:00 +0100 Subject: [PATCH 03/10] Put the commands informing and displaying build logs on single line This prevents Travis log collector to add separate expansion marks to the echo output and the actuall log output. --- .travis.yml | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2855bf2..28f481f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -39,7 +39,5 @@ script: --git-repo ${TRAVIS_BUILD_DIR} run-tests $test_set after_failure: - - echo "Test runner output:" - - tail -n 5000 ci_results_${TRAVIS_BRANCH}.log - - echo "PEP-8 errors:" - - cat pep8_errors.log +- echo "Test runner output:"; tail -n 5000 ci_results_${TRAVIS_BRANCH}.log +- echo "PEP-8 errors:"; cat pep8_errors.log From 8172ea91f1e23cfe16e5d6962a67c51e7a778af7 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 15:55:55 +0100 Subject: [PATCH 04/10] Travis CI: a separate script to run test tasks this script is intended only for use in Travis CI and contains configuration of the test run requested: * it can run linter step separately by specifying TASK_TO_RUN="lint" environment variable in .travis.yml. In this case it also runs pep8 checker on the commits in PR. * other steps are run in developer mode in order to skip pylint run and speed up the task * in all cases the CI result log is populated and can be displayed if the job fails --- .travis_run_task.sh | 34 ++ 1 file changed, 34 insertions(+) create mode 100755 .travis_run_task.sh diff --git a/.travis_run_task.sh b/.travis_run_task.sh new file mode 100755 index 000..2163a9b --- /dev/null +++ b/.travis_run_task.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +# NOTE: this script is intended to run in Travis CI only +set -ev + +test_set="" +developer_mode_opt="--developer-mode" + +if [[ "$TASK_TO_RUN" == "lint" ]] +then +if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]] +then +git diff origin/$TRAVIS_BRANCH -U0 | pep8 --diff &> $PEP8_ERROR_LOG ||: +fi + +# disable developer mode for lint task, otherwise we get an error +developer_mode_opt="" +fi + +if [[ -n "$TESTS_TO_RUN" ]] +then +pushd ipatests +test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null | tr '\n' ' '` +popd +fi + +docker pull $TEST_RUNNER_IMAGE + +ipa-docker-test-runner -l $CI_RESULTS_LOG \ +-c $TEST_RUNNER_CONFIG \ +$developer_mode_opt \ +--container-image $TEST_RUNNER_IMAGE \ +--git-repo $TRAVIS_BUILD_DIR \ +$TASK_TO_RUN $test_set From 549b439956f063350ff8b31cc7829a4e973bc312 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 20 Dec 2016 16:03:25 +0100 Subject: [PATCH 05/10] Travis: offload test execution to a separate script --- .travis.yml | 17 + 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 28f481f..8692dd7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -22,22 +22,7 @@ before_install: git+https://github.com/freeipa/ipa-docker-test-runner@release-0-2-1 script: -- > -if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]; -then -git diff origin/${TRAVIS_BRANCH} -U0 | pep8 --diff &> pep8_errors.log; -fi -- "pushd ipatests; test_set=`ls -d -1 $TESTS_TO_RUN 2> /dev/null`; popd" -# use travis_wait so that long running tasks (tests) which produce no -# output do not cause premature termination of the build -- "docker pull ${
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From 939ff144374e6ca0af0f9e94d90dffbadcbb461a Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 1/2] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 38 +++- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..d9253e5 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py @@ -61,23 +61,45 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {}".format(sn)) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ From 941b477b91a9d5f0ba498113cd8ea3cb392748f6 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Mon, 12 Dec 2016 14:11:52 +0100 Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..e630171 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -85,6 +85,11 @@ def stageduser(request): return tracker.make_fixture(request) +@pytest.fixture(scope='class') +def stageduser_min(request): +tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin') +return tracker.make_fixture(request) + @pytest.fixture(scope='class', params=options_ok, ids=options_ids) def stageduser2(request): tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param) @@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser): @pytest.mark.tier1 class TestStagedUser(XMLRPC_test): +def test_create_with_min_values(self, stageduser_min): +""" Create user with uid not specified """ +stageduser_min.ensure_missing() +command = stageduser_min.make_create_command() +command() + def test_create_duplicate(self, stageduser): stageduser.ensure_exists() command = stageduser.make_create_command() -- Manage your subscription
[Freeipa-devel] [freeipa PR#371][+pushed] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Title: #371: [4.4] Set up DS TLS on replica in CA-less topology Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][closed] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Author: frasertweedale Title: #371: [4.4] Set up DS TLS on replica in CA-less topology Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/371/head:pr371 git checkout pr371 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#371][comment] [4.4] Set up DS TLS on replica in CA-less topology
URL: https://github.com/freeipa/freeipa/pull/371 Title: #371: [4.4] Set up DS TLS on replica in CA-less topology mbasti-rh commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/cdb6ffb779b7e1e563494eb3234b2441ba74d692 """ See the full comment at https://github.com/freeipa/freeipa/pull/371#issuecomment-270651977 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][+ack] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][comment] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py apophys commented: """ Thank you for squashing the commits. """ See the full comment at https://github.com/freeipa/freeipa/pull/366#issuecomment-270653055 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#369][+ack] Catch ValueError raised by pytest.config.getoption()
URL: https://github.com/freeipa/freeipa/pull/369 Title: #369: Catch ValueError raised by pytest.config.getoption() Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ I switched all endpoints to use GSSAPI (and transparently use a session cookie once one transation is successful), so there may be some parts of the code a bit surprised about it, do you have apache logs to chare that show the problem ? (enabling ipa debug would probably help too) """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270654342 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#373][opened] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: opened PR body: """ Hi, this just adds the Debian platform module. There are still other changes needed before vanilla master can be used on Debian or it's derivatives, but they need bigger changes while this is mostly standalone. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373 From 593a3e7bd5d00f72bf048e64434f2f2189ac528b Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Thu, 5 Jan 2017 12:41:08 +0200 Subject: [PATCH] ipaplatform: Add Debian platform module. --- ipaplatform/debian/__init__.py | 7 ++ ipaplatform/debian/constants.py | 25 ++ ipaplatform/debian/paths.py | 98 + ipaplatform/debian/services.py | 183 ipaplatform/debian/tasks.py | 46 ++ ipaplatform/setup.py| 1 + 6 files changed, 360 insertions(+) create mode 100644 ipaplatform/debian/__init__.py create mode 100644 ipaplatform/debian/constants.py create mode 100644 ipaplatform/debian/paths.py create mode 100644 ipaplatform/debian/services.py create mode 100644 ipaplatform/debian/tasks.py diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py new file mode 100644 index 000..6305270 --- /dev/null +++ b/ipaplatform/debian/__init__.py @@ -0,0 +1,7 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This module contains Debian specific platform files. +""" diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py new file mode 100644 index 000..1edcb5a --- /dev/null +++ b/ipaplatform/debian/constants.py @@ -0,0 +1,25 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +''' +This Debian family platform module exports platform dependant constants. +''' + +# Fallback to default path definitions +from ipaplatform.base.constants import BaseConstantsNamespace + + +class DebianConstantsNamespace(BaseConstantsNamespace): +HTTPD_USER = "www-data" +NAMED_USER = "bind" +NAMED_GROUP = "bind" +# ntpd init variable used for daemon options +NTPD_OPTS_VAR = "NTPD_OPTS" +# quote used for daemon options +NTPD_OPTS_QUOTE = "\'" +ODS_USER = "opendnssec" +ODS_GROUP = "opendnssec" +SECURE_NFS_VAR = "NEED_GSSD" + +constants = DebianConstantsNamespace() diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py new file mode 100644 index 000..a3fa02f --- /dev/null +++ b/ipaplatform/debian/paths.py @@ -0,0 +1,98 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This Debian base platform module exports default filesystem paths as common +in Debian-based systems. +""" + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace +import sysconfig + +MULTIARCH = sysconfig.get_config_var('MULTIARCH') + +class DebianPathNamespace(BasePathNamespace): +BIN_HOSTNAMECTL = "/usr/bin/hostnamectl" +AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" +ETC_HTTPD_DIR = "/etc/apache2" +HTTPD_ALIAS_DIR = "/etc/apache2/nssdb" +ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc" +ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt" +HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/" +HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf" +HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf" +HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" +HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" +HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" +IPA_KEYTAB = "/etc/apache2/ipa.keytab" +HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" +NAMED_CONF = "/etc/bind/named.conf" +NAMED_VAR_DIR = "/var/cache/bind" +NAMED_KEYTAB = "/etc/bind/named.keytab" +NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones" +NAMED_ROOT_KEY = "/etc/bind/bind.keys" +NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys" +NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic" +OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf" +ETC_DEBIAN_VERSION = "/etc/debian_version" +IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt" +ETC_SYSCONFIG_DIR = "/etc/default" +SYSCONFIG_AUTOFS = "/etc/default/autofs" +SYSCONFIG_DIRSRV = "/etc/default/dirsrv" +SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s" +SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd" +SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd" +SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter" +SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc" +SYSCONFIG_NAMED = "/etc/default/bind9" +SYSCONFIG_NFS = "/etc/default/nfs-common" +SYSCONFIG_NTPD = "/etc/default/ntp" +SY
[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373 From 7fc38de803a12e60e506357aa8c8ac10a7b56ed1 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Thu, 5 Jan 2017 12:41:08 +0200 Subject: [PATCH] ipaplatform: Add Debian platform module. --- ipaplatform/debian/__init__.py | 7 ++ ipaplatform/debian/constants.py | 25 ++ ipaplatform/debian/paths.py | 98 + ipaplatform/debian/services.py | 183 ipaplatform/debian/tasks.py | 46 ++ ipaplatform/setup.py| 1 + 6 files changed, 360 insertions(+) create mode 100644 ipaplatform/debian/__init__.py create mode 100644 ipaplatform/debian/constants.py create mode 100644 ipaplatform/debian/paths.py create mode 100644 ipaplatform/debian/services.py create mode 100644 ipaplatform/debian/tasks.py diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py new file mode 100644 index 000..6305270 --- /dev/null +++ b/ipaplatform/debian/__init__.py @@ -0,0 +1,7 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This module contains Debian specific platform files. +""" diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py new file mode 100644 index 000..1edcb5a --- /dev/null +++ b/ipaplatform/debian/constants.py @@ -0,0 +1,25 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +''' +This Debian family platform module exports platform dependant constants. +''' + +# Fallback to default path definitions +from ipaplatform.base.constants import BaseConstantsNamespace + + +class DebianConstantsNamespace(BaseConstantsNamespace): +HTTPD_USER = "www-data" +NAMED_USER = "bind" +NAMED_GROUP = "bind" +# ntpd init variable used for daemon options +NTPD_OPTS_VAR = "NTPD_OPTS" +# quote used for daemon options +NTPD_OPTS_QUOTE = "\'" +ODS_USER = "opendnssec" +ODS_GROUP = "opendnssec" +SECURE_NFS_VAR = "NEED_GSSD" + +constants = DebianConstantsNamespace() diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py new file mode 100644 index 000..a3fa02f --- /dev/null +++ b/ipaplatform/debian/paths.py @@ -0,0 +1,98 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This Debian base platform module exports default filesystem paths as common +in Debian-based systems. +""" + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace +import sysconfig + +MULTIARCH = sysconfig.get_config_var('MULTIARCH') + +class DebianPathNamespace(BasePathNamespace): +BIN_HOSTNAMECTL = "/usr/bin/hostnamectl" +AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" +ETC_HTTPD_DIR = "/etc/apache2" +HTTPD_ALIAS_DIR = "/etc/apache2/nssdb" +ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc" +ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt" +HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/" +HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf" +HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf" +HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" +HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" +HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" +IPA_KEYTAB = "/etc/apache2/ipa.keytab" +HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" +NAMED_CONF = "/etc/bind/named.conf" +NAMED_VAR_DIR = "/var/cache/bind" +NAMED_KEYTAB = "/etc/bind/named.keytab" +NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones" +NAMED_ROOT_KEY = "/etc/bind/bind.keys" +NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys" +NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic" +OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf" +ETC_DEBIAN_VERSION = "/etc/debian_version" +IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt" +ETC_SYSCONFIG_DIR = "/etc/default" +SYSCONFIG_AUTOFS = "/etc/default/autofs" +SYSCONFIG_DIRSRV = "/etc/default/dirsrv" +SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s" +SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd" +SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd" +SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter" +SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc" +SYSCONFIG_NAMED = "/etc/default/bind9" +SYSCONFIG_NFS = "/etc/default/nfs-common" +SYSCONFIG_NTPD = "/etc/default/ntp" +SYSCONFIG_ODS = "/etc/default/opendnssec" +SYSCONFIG_PKI = "/etc/dogtag/" +SYSCONFIG_PKI_TOMCAT = "/etc/default/pki-tomcat" +SYSCONFIG_PKI_TOMCAT_PKI_TOMCAT_DIR = "/etc/dogtag/tomcat/pki-tomcat" +SYSTEMD_SYSTEM_
[Freeipa-devel] [freeipa PR#361][+ack] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: stlaz commented: """ I have no more remarks on this, hopefully final ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270659749 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA
URL: https://github.com/freeipa/freeipa/pull/367 Title: #367: Remove nsslib from IPA tiran commented: """ ``` ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx.options = ssl.OP_ALL | ssl.OP_NO_COMPRESSION | ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 try: # use Fedora crypto policy # https://fedoraproject.org/wiki/Changes/CryptoPolicy ctx.set_ciphers("PROFILE=SYSTEM") except ssl.SSLError: # high ciphers without RC4, MD5, TripleDES, pre-shared key and secure remote password ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP") ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/367#issuecomment-270659921 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 From 80e5a84b9774dbc876512ef97ed459d449748cd7 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:06:36 +0100 Subject: [PATCH 1/2] User Tracker: creation of user with minimal values Fix provide possibility to create user-add test with minimal values, where uid is not specified, to provide better coverage. Also provide check for non-empty unicode string for attributes required in init method https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/tracker/user_plugin.py | 42 + 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py index 4485fd9..d0881b2 100644 --- a/ipatests/test_xmlrpc/tracker/user_plugin.py +++ b/ipatests/test_xmlrpc/tracker/user_plugin.py @@ -62,22 +62,42 @@ class UserTracker(KerberosAliasMixin, Tracker): primary_keys = {u'uid', u'dn'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError( +"Invalid first name provided: {}".format(givenname) +) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: {}".format(sn)) + super(UserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN(('uid', self.uid), api.env.container_user, api.env.basedn) self.kwargs = kwargs -def make_create_command(self): -""" Make function that crates a user using user-add """ -return self.make_command( -'user_add', self.uid, -givenname=self.givenname, -sn=self.sn, **self.kwargs -) +def make_create_command(self, force=None): + +""" Make function that creates a user using user-add +with all set of attributes and with minimal values, +where uid is not specified """ + +if self.uid is not None: +return self.make_command( +'user_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'user_add', givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self, no_preserve=True, preserve=False): """ Make function that deletes a user using user-del """ From 48ca4423ebaf80b983d8005a62c2495b7561d193 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Thu, 8 Dec 2016 15:08:41 +0100 Subject: [PATCH 2/2] User Tracker: Test to create user with minimal values Test to create user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6126 --- ipatests/test_xmlrpc/test_user_plugin.py | 13 + 1 file changed, 13 insertions(+) diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py index 7508578..b90363e 100644 --- a/ipatests/test_xmlrpc/test_user_plugin.py +++ b/ipatests/test_xmlrpc/test_user_plugin.py @@ -79,6 +79,13 @@ @pytest.fixture(scope='class') +def user_min(request): +""" User tracker fixture for testing user with uid no specified """ +tracker = UserTracker(givenname=u'Testmin', sn=u'Usermin') +return tracker.make_fixture(request) + + +@pytest.fixture(scope='class') def user(request): tracker = UserTracker(name=u'user1', givenname=u'Test', sn=u'User1') return tracker.make_fixture(request) @@ -405,6 +412,12 @@ def test_rename_to_invalid_login(self, user): @pytest.mark.tier1 class TestCreate(XMLRPC_test): +def test_create_user_with_min_values(self, user_min): +""" Create user with uid not specified """ +user_min.ensure_missing() +command = user_min.make_create_command() +command() + def test_create_with_krb_ticket_policy(self): """ Try to create user with krbmaxticketlife set """ testuser = UserTracker( -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Certificate Identity Mapping
On 01/05/2017 01:30 PM, Sumit Bose wrote: On Tue, Dec 20, 2016 at 10:10:29AM +0100, Florence Blanc-Renaud wrote: Hi Sumit and Jan, thanks to both of you for providing detailed comments. Please find answers inline. On 12/19/2016 12:13 PM, Sumit Bose wrote: On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote: I agree with *almost* everything Sumit said. See my inline comments below. On 16.12.2016 11:53, Sumit Bose wrote: On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote: Hi, I have started a feature description for the Certificate Identity Mapping at the following location: http://www.freeipa.org/page/V4/Certificate_Identity_Mapping This is a first step, focusing on the interface we would like to provide. It still contains open questions, some of which are linked to the corresponding design on SSSD side: https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities Comments, concerns and suggestions are welcome. Thanks! Hi Flo, thank you very much for setting up the page. My comments are mostly about the commands. certmappingconfig-mod: * --enable=Boolean: if this option is 'False' SSSD will basically show the current behavior and just look up the certificates directly. But I wonder if the option is needed at all because not adding any mapping rules would have the same effect. What is the scope here, only the IPA domain, or all trusted domains as well? If it is for trusted domains as well will the certmappingrule-* commands and user-{add/remove}-certmapping return an error? So, in general I see an overlap with the mapping rules and I think it would be clearer to drop this option and do the lookups according to the mapping rules. I saw this option as a convenient way to disable all the rules with a single command, but I agree it's redundant with the mapping rules and we can live without it. * --prompt-username=Boolean: the description implies that this option is synonymous to 1:1 mapping, but it is not. On Linux authentication in most cases use a user name either by directly asking (e.g. /bin/login) or using the current user name (e.g. sudo). So, according to its name it would only control if gdm is allowed to ask for an (optional) user name. If the option is renamed to e.g. --force-1-to-1-mapping to really enforce a 1:1 mapping then it would make sense to derived to gdm behavior. I.e. if 1:1 mapping is enforce it makes no sense for gdm to ask for a user name and if it is not enforced then it makes sense to offer and optional user name input field. Agree, force-1-to-1-mapping is clearer. Please don't get me wrong, I just wanted to point out that switching on and off the username prompt (or hint) is not the same as forcing a 1:1 mapping. I think it is good to have the --prompt-username option to tell applications which by default might not prompt for a user name when doing Smartcard authentication, like gdm or web apps, to show a user name. This allows to reach a similar behaviour as the 'username hint' GPO in AD. I think we currently do not have a requirement to force a 1:1 mappping. Hi Summit, glad you clarified your point because I clearly got it wrong :) I will keep --prompt-username and I agree that there is no need for force-1-to-1-mapping. Flo bye, Sumit * --enable-username-mismatch=Boolean: I think this option can be dropped. My test so far show that if a non-matching hint is given on a Windows client authentication fails. OK, thanks for the heads-up. * --alternate-attribute=STRING: I think this option isn't needed as well. For IPA server-side we should decide on an attribute name and add it to the schema for user objects. On the client side the attribute name can be taken from the mapping rule.A OK. certmappingrule.*: * ISSUERDN: it looks like you want to use issuerName here. In certificateRecord it it used with LDAP ordering and I would prefer LDAP ordering at all points where we have a choice. Unfortunately in the issuer-subject mapping AD dictates X.500 ordering. LDAP ordering should indeed be preferred, as it is used everywhere else in IPA. We can convert to/from X.500 ordering where necessary, when possible. We can use the issuerName attribute with LDAP ordering and convert when needed, as Jan suggested. * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in the example? My intention in the SSSD design-page was to specify the domain (as in DNS domain/IPA domain/trusted domain) where the matching user should be searched. Different domains might certificates from different issuers and some domains might not even use certificates. With this information SSSD does not have to search any domain trusted by IPA from a given certificate, but look only at domains listed here (the attribute should be a multi-value one). There are objects in th
[Freeipa-devel] [freeipa PR#361][+pushed] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][closed] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#361][comment] This PR implements a number of improvements for our Travis CI:
URL: https://github.com/freeipa/freeipa/pull/361 Title: #361: This PR implements a number of improvements for our Travis CI: martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d86cae7748a8a629c942f1eafc0a0267f2c9611e https://fedorahosted.org/freeipa/changeset/758731088eee0294af59812dbd1976db89b9dda0 https://fedorahosted.org/freeipa/changeset/aff4e684e1f13d7da4248d17c0b8b2adf2e37033 https://fedorahosted.org/freeipa/changeset/1267e3e72305ee6bda0dd348ae1737b6f68f4371 https://fedorahosted.org/freeipa/changeset/149d86de14b00b73f625fefe73c2322a2fffac06 https://fedorahosted.org/freeipa/changeset/b8423492f5dce32183b34d718e4619fe3ca8bfef https://fedorahosted.org/freeipa/changeset/b6216756f6c7a950e9bf2afe56a582dd8195c513 https://fedorahosted.org/freeipa/changeset/f48d6fc168253209bed3f1dd5a543f15d1f54669 https://fedorahosted.org/freeipa/changeset/4abd3f554a436e6446ba59c75c09fb0ff8b7fe4a https://fedorahosted.org/freeipa/changeset/0ef55a91ef9c591cee3a7e1ff0e391cdc32423c3 """ See the full comment at https://github.com/freeipa/freeipa/pull/361#issuecomment-270669456 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#373][synchronized] ipaplatform: Add Debian platform module.
URL: https://github.com/freeipa/freeipa/pull/373 Author: tjaalton Title: #373: ipaplatform: Add Debian platform module. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/373/head:pr373 git checkout pr373 From 57d84b539a2d411858b2c22cf49806a29ad67836 Mon Sep 17 00:00:00 2001 From: Timo Aaltonen Date: Thu, 5 Jan 2017 12:41:08 +0200 Subject: [PATCH] ipaplatform: Add Debian platform module. v2: - use redhat_services.redhat_system_units.copy - don't use wildcard imports - add some empty lines to make pep8 happy --- ipaplatform/debian/__init__.py | 7 ++ ipaplatform/debian/constants.py | 25 ++ ipaplatform/debian/paths.py | 98 + ipaplatform/debian/services.py | 185 ipaplatform/debian/tasks.py | 47 ++ ipaplatform/setup.py| 1 + 6 files changed, 363 insertions(+) create mode 100644 ipaplatform/debian/__init__.py create mode 100644 ipaplatform/debian/constants.py create mode 100644 ipaplatform/debian/paths.py create mode 100644 ipaplatform/debian/services.py create mode 100644 ipaplatform/debian/tasks.py diff --git a/ipaplatform/debian/__init__.py b/ipaplatform/debian/__init__.py new file mode 100644 index 000..6305270 --- /dev/null +++ b/ipaplatform/debian/__init__.py @@ -0,0 +1,7 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This module contains Debian specific platform files. +""" diff --git a/ipaplatform/debian/constants.py b/ipaplatform/debian/constants.py new file mode 100644 index 000..1edcb5a --- /dev/null +++ b/ipaplatform/debian/constants.py @@ -0,0 +1,25 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +''' +This Debian family platform module exports platform dependant constants. +''' + +# Fallback to default path definitions +from ipaplatform.base.constants import BaseConstantsNamespace + + +class DebianConstantsNamespace(BaseConstantsNamespace): +HTTPD_USER = "www-data" +NAMED_USER = "bind" +NAMED_GROUP = "bind" +# ntpd init variable used for daemon options +NTPD_OPTS_VAR = "NTPD_OPTS" +# quote used for daemon options +NTPD_OPTS_QUOTE = "\'" +ODS_USER = "opendnssec" +ODS_GROUP = "opendnssec" +SECURE_NFS_VAR = "NEED_GSSD" + +constants = DebianConstantsNamespace() diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py new file mode 100644 index 000..a3fa02f --- /dev/null +++ b/ipaplatform/debian/paths.py @@ -0,0 +1,98 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +""" +This Debian base platform module exports default filesystem paths as common +in Debian-based systems. +""" + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace +import sysconfig + +MULTIARCH = sysconfig.get_config_var('MULTIARCH') + +class DebianPathNamespace(BasePathNamespace): +BIN_HOSTNAMECTL = "/usr/bin/hostnamectl" +AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" +ETC_HTTPD_DIR = "/etc/apache2" +HTTPD_ALIAS_DIR = "/etc/apache2/nssdb" +ALIAS_CACERT_ASC = "/etc/apache2/nssdb/cacert.asc" +ALIAS_PWDFILE_TXT = "/etc/apache2/nssdb/pwdfile.txt" +HTTPD_CONF_D_DIR = "/etc/apache2/conf-enabled/" +HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/apache2/conf-enabled/ipa-kdc-proxy.conf" +HTTPD_IPA_PKI_PROXY_CONF = "/etc/apache2/conf-enabled/ipa-pki-proxy.conf" +HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf" +HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf" +HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf" +IPA_KEYTAB = "/etc/apache2/ipa.keytab" +HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf" +NAMED_CONF = "/etc/bind/named.conf" +NAMED_VAR_DIR = "/var/cache/bind" +NAMED_KEYTAB = "/etc/bind/named.keytab" +NAMED_RFC1912_ZONES = "/etc/bind/named.conf.default-zones" +NAMED_ROOT_KEY = "/etc/bind/bind.keys" +NAMED_BINDKEYS_FILE = "/etc/bind/bind.keys" +NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic" +OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf" +ETC_DEBIAN_VERSION = "/etc/debian_version" +IPA_P11_KIT = "/usr/local/share/ca-certificates/ipa-ca.crt" +ETC_SYSCONFIG_DIR = "/etc/default" +SYSCONFIG_AUTOFS = "/etc/default/autofs" +SYSCONFIG_DIRSRV = "/etc/default/dirsrv" +SYSCONFIG_DIRSRV_INSTANCE = "/etc/default/dirsrv-%s" +SYSCONFIG_DIRSRV_SYSTEMD = "/etc/default/dirsrv.systemd" +SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/default/ipa-dnskeysyncd" +SYSCONFIG_IPA_ODS_EXPORTER = "/etc/default/ipa-ods-exporter" +SYSCONFIG_KRB5KDC_DIR = "/etc/default/krb5-kdc" +SYSCONFIG_NAMED = "/etc/default/bind9" +SYSCONFIG_NFS = "/etc/default/nfs-common" +SYSCONFIG_NTPD = "/etc/default/ntp" +SYSCONFIG_ODS = "/etc/default/opendnssec" +SYSCONFIG_PKI = "/etc/dogtag/" +SYSCONFIG_PKI_TOMCAT =
[Freeipa-devel] [freeipa PR#369][+pushed] Catch ValueError raised by pytest.config.getoption()
URL: https://github.com/freeipa/freeipa/pull/369 Title: #369: Catch ValueError raised by pytest.config.getoption() Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#369][closed] Catch ValueError raised by pytest.config.getoption()
URL: https://github.com/freeipa/freeipa/pull/369 Author: tiran Title: #369: Catch ValueError raised by pytest.config.getoption() Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/369/head:pr369 git checkout pr369 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#369][comment] Catch ValueError raised by pytest.config.getoption()
URL: https://github.com/freeipa/freeipa/pull/369 Title: #369: Catch ValueError raised by pytest.config.getoption() mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/3387734e6c6d47a756b5e914e7e515d2610a424f """ See the full comment at https://github.com/freeipa/freeipa/pull/369#issuecomment-270690329 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][comment] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1e06a5195bafe0224d77371987f2509f5508ca2f """ See the full comment at https://github.com/freeipa/freeipa/pull/366#issuecomment-270690800 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][+pushed] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Title: #366: Use pytest conftest.py Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#366][closed] Use pytest conftest.py
URL: https://github.com/freeipa/freeipa/pull/366 Author: tiran Title: #366: Use pytest conftest.py Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/366/head:pr366 git checkout pr366 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0 """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-270691803 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][+pushed] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#348][closed] ca: fix ca-find with --pkey-only
URL: https://github.com/freeipa/freeipa/pull/348 Author: HonzaCholasta Title: #348: ca: fix ca-find with --pkey-only Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/348/head:pr348 git checkout pr348 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#181][-ack] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values Label: -ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values mbasti-rh commented: """ Then, @stlaz must give final ACK """ See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-270692529 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#294][+ack] client, platform: Use paths.SSH* instead of get_config_dir().
URL: https://github.com/freeipa/freeipa/pull/294 Title: #294: client, platform: Use paths.SSH* instead of get_config_dir(). Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#294][closed] client, platform: Use paths.SSH* instead of get_config_dir().
URL: https://github.com/freeipa/freeipa/pull/294 Author: tjaalton Title: #294: client, platform: Use paths.SSH* instead of get_config_dir(). Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/294/head:pr294 git checkout pr294 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
URL: https://github.com/freeipa/freeipa/pull/294 Title: #294: client, platform: Use paths.SSH* instead of get_config_dir(). mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0ff12de338a8db32bb10e1b41f32255e7b971b6f """ See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-270694164 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#294][+pushed] client, platform: Use paths.SSH* instead of get_config_dir().
URL: https://github.com/freeipa/freeipa/pull/294 Title: #294: client, platform: Use paths.SSH* instead of get_config_dir(). Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11
URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 mbasti-rh commented: """ How do you solve upgrades F25->F26? """ See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-270697172 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11
URL: https://github.com/freeipa/freeipa/pull/351 Title: #351: [fedora-26] named.conf template: update API for bind 9.11 tomaskrizek commented: """ This fix only applies to new IPA installations. Upgrade of `named.conf` will be handled separately by bind-dyndb-ldap. When a new version will be installed, a postinstall scriptet will run a script to transform `named.conf` to the new format. """ See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-270698221 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#340][+ack] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Title: #340: schema_cache: Make handling of string compatible with python3 Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#317][+ack] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#340][comment] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Title: #340: schema_cache: Make handling of string compatible with python3 mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/388ed93935de56adbf1db976e9df276327c9a1e4 """ See the full comment at https://github.com/freeipa/freeipa/pull/340#issuecomment-270704477 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#340][closed] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Author: dkupka Title: #340: schema_cache: Make handling of string compatible with python3 Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/340/head:pr340 git checkout pr340 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#340][+pushed] schema_cache: Make handling of string compatible with python3
URL: https://github.com/freeipa/freeipa/pull/340 Title: #340: schema_cache: Make handling of string compatible with python3 Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ PR needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-270705142 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158 Title: #158: WebUI: update Patternfly and Bootstrap pvoborni commented: """ works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-270705015 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#158][+ack] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158 Title: #158: WebUI: update Patternfly and Bootstrap Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#158][comment] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158 Title: #158: WebUI: update Patternfly and Bootstrap pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/18425dbbe7b7c311cf947074d505225b235df769 """ See the full comment at https://github.com/freeipa/freeipa/pull/158#issuecomment-270705433 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#158][+pushed] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158 Title: #158: WebUI: update Patternfly and Bootstrap Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#158][closed] WebUI: update Patternfly and Bootstrap
URL: https://github.com/freeipa/freeipa/pull/158 Author: pvomacka Title: #158: WebUI: update Patternfly and Bootstrap Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/158/head:pr158 git checkout pr158 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Title: #327: WebUI: RPC refactoring pvoborni commented: """ works for me, the travis failure is invalid̈́ - web ui is not related to the tests and pylint passes """ See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-270714291 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#327][+ack] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Title: #327: WebUI: RPC refactoring Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Title: #327: WebUI: RPC refactoring pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5a950aeb29963ed22a2c3c1b80723589ac4097de https://fedorahosted.org/freeipa/changeset/be7865bf4f9b6774a17f31380e96b76d0473f982 """ See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-270715304 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#327][+pushed] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Title: #327: WebUI: RPC refactoring Label: +pushed -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#327][closed] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Author: pvomacka Title: #327: WebUI: RPC refactoring Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/327/head:pr327 git checkout pr327 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code