Re: [Freeipa-devel] [PATCH 0269] Server upgrade: disconnect ldap2 connection before restart

2015-06-29 Thread Martin Basti
On 29/06/15 17:40, Martin Basti wrote: Attached patch solves issue when DS was restarted but code still tried to use old invalid connection. This patch is not needed after reworking CA patches. -- Martin Basti -- Manage your subscription for the Freeipa-devel mailing list: https://www.r

Re: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink

2015-06-29 Thread Christian Heimes
On 2015-06-29 17:28, Petr Vobornik wrote: > On 06/29/2015 03:22 PM, Fraser Tweedale wrote: >> On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: >>> Hello, >>> >>> the attached patch fixes the first bug, that was reported by Fraser >>> today. installutils.remove_file() uses os.path.e

Re: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes

2015-06-29 Thread Martin Basti
On 29/06/15 16:03, Fraser Tweedale wrote: On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote: On 19/06/15 09:28, Fraser Tweedale wrote: The attached patches fix upgrade issues when pki is also updated from pre 10.2.4. pki dependency is bumped to 10.2.5 - the official builds should

[Freeipa-devel] [PATCH 0269] Server upgrade: disconnect ldap2 connection before restart

2015-06-29 Thread Martin Basti
Attached patch solves issue when DS was restarted but code still tried to use old invalid connection. -- Martin Basti From b6ab7ddc531bf119c1b9c119fa4d725df3714a69 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 29 Jun 2015 17:22:24 +0200 Subject: [PATCH] server upgrade: disconnect ldap

Re: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy

2015-06-29 Thread Petr Vobornik
On 06/29/2015 03:33 PM, Fraser Tweedale wrote: On Mon, Jun 29, 2015 at 11:43:32AM +0200, Christian Heimes wrote: Hello, the attached patch makes sure that HTTPInstance has an admin_conn LDAP connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() fails. Christian ACK; upgrade

Re: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink

2015-06-29 Thread Petr Vobornik
On 06/29/2015 03:22 PM, Fraser Tweedale wrote: On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: Hello, the attached patch fixes the first bug, that was reported by Fraser today. installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn us

Re: [Freeipa-devel] [PATCH 0015] fix coverity issues

2015-06-29 Thread Petr Vobornik
On 06/29/2015 04:18 PM, Martin Basti wrote: On 16/06/15 11:42, Ludwig Krispenz wrote: This patch addresses coverity issues 13290 and 13291 ACK Pushed to master: 5e92c981b0e433ee28b953d222a1b531b525ff1c -- Petr Vobornik

Re: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types

2015-06-29 Thread Petr Vobornik
On 06/29/2015 04:20 PM, Martin Basti wrote: On 15/06/15 18:38, Martin Babinsky wrote: On 05/28/2015 02:55 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: A small improvement upon simo's fix for https://fedorahosted.org/freeipa/ticket/4914 -- Martin^3 Babinsky

Re: [Freeipa-devel] [PATCH] 0023 Fix certprofile doc error

2015-06-29 Thread Petr Vobornik
On 06/29/2015 04:52 PM, Martin Basti wrote: On 29/06/15 16:48, Fraser Tweedale wrote: Attached patch fixes a small error in certprofile plugin documentation. Thanks, Fraser ACK Pushed to master: 7f923f922a28aa34eb6ee3b0e94c1cba223d285c -- Petr Vobornik

Re: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence

2015-06-29 Thread Petr Vobornik
On 06/29/2015 03:33 PM, David Kupka wrote: On 15/06/15 19:27, Petr Vobornik wrote: in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedoraho

Re: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del

2015-06-29 Thread Petr Vobornik
On 06/29/2015 03:33 PM, David Kupka wrote: On 26/06/15 14:15, Petr Vobornik wrote: On 06/17/2015 02:00 PM, Petr Vobornik wrote: ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports

Re: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix

2015-06-29 Thread Petr Vobornik
On 06/29/2015 03:33 PM, David Kupka wrote: On 26/06/15 14:15, Petr Vobornik wrote: On 06/17/2015 04:11 PM, Petr Vobornik wrote: On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: On 06/17/2015 02:04 PM, Petr Vobornik wrote: With patch "878 topology: check topology in ipa-replica-manage del" we

Re: [Freeipa-devel] [PATCH] 0023 Fix certprofile doc error

2015-06-29 Thread Martin Basti
On 29/06/15 16:48, Fraser Tweedale wrote: Attached patch fixes a small error in certprofile plugin documentation. Thanks, Fraser ACK -- Martin Basti

[Freeipa-devel] [PATCH] 0023 Fix certprofile doc error

2015-06-29 Thread Fraser Tweedale
Attached patch fixes a small error in certprofile plugin documentation. Thanks, Fraser From 6de3a4fd9d3d250e09a75721ef7b7f0831c47ea6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 29 Jun 2015 10:28:25 -0400 Subject: [PATCH] certprofile: fix doc error --- ipalib/plugins/certprofile.py

Re: [Freeipa-devel] [PATCH 0039] ipa-kdb: common function to get key encodings/salt types

2015-06-29 Thread Martin Basti
On 15/06/15 18:38, Martin Babinsky wrote: On 05/28/2015 02:55 PM, Simo Sorce wrote: On Thu, 2015-05-28 at 14:43 +0200, Martin Babinsky wrote: A small improvement upon simo's fix for https://fedorahosted.org/freeipa/ticket/4914 -- Martin^3 Babinsky LGTM. Simo. Anyone else to review this p

Re: [Freeipa-devel] [PATCH 0015] fix coverity issues

2015-06-29 Thread Martin Basti
On 16/06/15 11:42, Ludwig Krispenz wrote: This patch addresses coverity issues 13290 and 13291 ACK -- Martin Basti

Re: [Freeipa-devel] [PATCH] 0020..0022 pki-related upgrade fixes

2015-06-29 Thread Fraser Tweedale
On Thu, Jun 25, 2015 at 11:23:01AM +0200, Martin Basti wrote: > On 19/06/15 09:28, Fraser Tweedale wrote: > >The attached patches fix upgrade issues when pki is also updated > >from pre 10.2.4. > > > >pki dependency is bumped to 10.2.5 - the official builds should be > >done Friday (US time) but it

Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-29 Thread Martin Basti
On 29/06/15 13:46, Jakub Hrozek wrote: On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: Thanks. Updated patch attached. On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: How should https://www.redhat.com/archives/f

Re: [Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy

2015-06-29 Thread Fraser Tweedale
On Mon, Jun 29, 2015 at 11:43:32AM +0200, Christian Heimes wrote: > Hello, > > the attached patch makes sure that HTTPInstance has an admin_conn LDAP > connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() > fails. > > Christian ACK; upgrade from 4.1.4 to master+patch works. -

Re: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix

2015-06-29 Thread David Kupka
On 26/06/15 14:15, Petr Vobornik wrote: On 06/17/2015 04:11 PM, Petr Vobornik wrote: On 06/17/2015 02:15 PM, Ludwig Krispenz wrote: On 06/17/2015 02:04 PM, Petr Vobornik wrote: With patch "878 topology: check topology in ipa-replica-manage del" we can use the same logic for POC of ipa topo

Re: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del

2015-06-29 Thread David Kupka
On 26/06/15 14:15, Petr Vobornik wrote: On 06/17/2015 02:00 PM, Petr Vobornik wrote: ipa-replica-manage del now: - checks the whole current topology(before deletion), reports issues - simulates deletion of server and checks the topology again, reports issues Asks admin if he wants to continue w

Re: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence

2015-06-29 Thread David Kupka
On 15/06/15 19:27, Petr Vobornik wrote: in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin. For other cases is safer to search for the agreement. https://fedorahosted.org/freeipa/ticket/5066 Works for me

Re: [Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink

2015-06-29 Thread Fraser Tweedale
On Mon, Jun 29, 2015 at 10:54:50AM +0200, Christian Heimes wrote: > Hello, > > the attached patch fixes the first bug, that was reported by Fraser > today. installutils.remove_file() uses os.path.exists() to check if the > file still exists, which in turn uses stat(2). I have modified the > functi

Re: [Freeipa-devel] [PATCHES 0252-0253, 268] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-06-29 Thread Martin Basti
On 25/06/15 13:46, Petr Spacek wrote: On 17.6.2015 13:37, Martin Basti wrote: On 17/06/15 13:26, Petr Spacek wrote: On 16.6.2015 15:40, Martin Basti wrote: On 05/06/15 12:54, Petr Spacek wrote: On 20.5.2015 18:00, Martin Basti wrote: This patch allows to disable DNSSEC key master on IPA serv

Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:36 PM, Tomas Babej wrote: > > > On 06/29/2015 01:14 PM, Martin Basti wrote: >> On 26/06/15 18:55, Petr Spacek wrote: >>> Hello, >>> >>> attached patches implement a portion of improvements for ticket >>> https://fedorahosted.org/freeipa/ticket/4657 >>> >>> It came to my mind that

Re: [Freeipa-devel] [PATCH] 881 add python-setuptools to requires

2015-06-29 Thread Tomas Babej
On 06/26/2015 01:18 PM, Martin Basti wrote: > On 19/06/15 14:06, Petr Vobornik wrote: >> Commit 9f049ca14403f3696d54d186e6b1b15181f055df introduced dependency on >> python-setuptools on line: >> from pkg_resources import parse_version >> >> This dependency is missing on *minimal* installation a

Re: [Freeipa-devel] [PATCH 0038] Add hint how to re-run IPA upgrade

2015-06-29 Thread Tomas Babej
On 06/26/2015 06:05 PM, Petr Vobornik wrote: > On 06/26/2015 12:41 PM, Petr Spacek wrote: >> Hello, >> >> Add hint how to re-run IPA upgrade. >> > > ACK Pushed to master: d5a07b50b4d8900c16dd8672e21de34647fff9ec

Re: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:50 PM, thierry bordaz wrote: > On 06/29/2015 12:47 PM, Martin Basti wrote: >> On 17/06/15 11:05, Ludwig Krispenz wrote: >>> >>> On 06/17/2015 10:35 AM, thierry bordaz wrote: On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: > Hi, > thanks for review, see answers inline.

Re: [Freeipa-devel] [PATCH] 00015 User life cycle: permission to delete a preserved user

2015-06-29 Thread Tomas Babej
On 06/29/2015 10:44 AM, Martin Basti wrote: > On 22/06/15 17:08, thierry bordaz wrote: >> Add the permission to Stage users administrators to delete already >> preserved user >> >> >> >> > > ACK > > -- > Martin Basti > > > Pushed to master: ffd6b039a755016c3de22a11fec037eca7180a79

Re: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments

2015-06-29 Thread thierry bordaz
On 06/29/2015 12:47 PM, Martin Basti wrote: On 17/06/15 11:05, Ludwig Krispenz wrote: On 06/17/2015 10:35 AM, thierry bordaz wrote: On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: Hi, thanks for review, see answers inline. On 06/16/2015 05:17 PM, thierry bordaz wrote: On 06/16/2015 11:41 AM,

Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.

2015-06-29 Thread Tomas Babej
On 06/29/2015 11:05 AM, Petr Spacek wrote: > On 29.6.2015 09:22, David Kupka wrote: >> On 26/06/15 19:45, Rob Crittenden wrote: >>> Petr Vobornik wrote: On 06/26/2015 10:54 AM, David Kupka wrote: > https://fedorahosted.org/freeipa/ticket/5080 > > ACK >>> >>> Is there a

Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-29 Thread Jakub Hrozek
On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: > Thanks. Updated patch attached. > > On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek wrote: > > > On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: > > > How should > > > https://www.redhat.com/archives/freeipa-users/2015-Ju

Re: [Freeipa-devel] [PATCH] 1113 Hosts add their own services

2015-06-29 Thread Tomas Babej
On 06/29/2015 12:24 PM, Martin Basti wrote: > On 22/06/15 19:48, Rob Crittenden wrote: >> Add an ACI to allow a host to add its own services. This only grants >> add access. It can't subsequently delete or modify the entry. >> >> This requires 389-ds-1.3.4.0 GA. >> >> rob >> >> > ACK > > -- > M

Re: [Freeipa-devel] [PATCH 0267] Fix broken indicies

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:23 PM, Martin Babinsky wrote: > On 06/26/2015 05:50 PM, Martin Basti wrote: >> Patch fixes wrong value for ntUserDomainId and ntUniqueId indices. >> >> Patch attached. >> >> >> > ACK > Pushed to master: 16f47ed4520d4f89db39d1dc58be7a8efb1d8612

Re: [Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active()

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:28 PM, Martin Basti wrote: > On 26/06/15 15:58, Petr Spacek wrote: >> Hello, >> >> Rate-limit while loop in SystemdService.is_active(). >> >> Previously is_active() was frenetically calling systemctl is_active in >> tight loop which in fact made the process slower. >> > ACK > Pus

Re: [Freeipa-devel] [PATCH] 865 fix handling of ldap.LDAPError in installer

2015-06-29 Thread Tomas Babej
On 06/04/2015 05:19 PM, Petr Vobornik wrote: > based on: http://fpaste.org/228856/25049143/ > > The patch is not tested. > > Description: > 'info' is optional component in LDAPError > > http://www.python-ldap.org/doc/html/ldap.html#exceptions > > Pushed to master: 29c01e5ef4d4bb8c608720c3e0

Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:14 PM, Martin Basti wrote: > On 26/06/15 18:55, Petr Spacek wrote: >> Hello, >> >> attached patches implement a portion of improvements for ticket >> https://fedorahosted.org/freeipa/ticket/4657 >> >> It came to my mind that it will be better to review them at once - the >> previ

Re: [Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS

2015-06-29 Thread Tomas Babej
On 06/26/2015 09:43 AM, Martin Basti wrote: > On 23/06/15 14:14, Petr Spacek wrote: >> Hello, >> >> Bump minimal BIND version for CentOS. >> >> DNSSEC support added dependency on bind-pkcs11 sub-package. >> >> https://fedorahosted.org/freeipa/ticket/4657 >> >> >> > ACK > > -- > Martin Basti >

Re: [Freeipa-devel] [PATCH] 865 fix handling of ldap.LDAPError in installer

2015-06-29 Thread Martin Basti
On 04/06/15 17:19, Petr Vobornik wrote: based on: http://fpaste.org/228856/25049143/ The patch is not tested. Description: 'info' is optional component in LDAPError http://www.python-ldap.org/doc/html/ldap.html#exceptions ACK -- Martin Basti

Re: [Freeipa-devel] [PATCH 0039] Rate-limit while loop in SystemdService.is_active()

2015-06-29 Thread Martin Basti
On 26/06/15 15:58, Petr Spacek wrote: Hello, Rate-limit while loop in SystemdService.is_active(). Previously is_active() was frenetically calling systemctl is_active in tight loop which in fact made the process slower. ACK -- Martin Basti

Re: [Freeipa-devel] [PATCH 0267] Fix broken indicies

2015-06-29 Thread Martin Babinsky
On 06/26/2015 05:50 PM, Martin Basti wrote: Patch fixes wrong value for ntUserDomainId and ntUniqueId indices. Patch attached. ACK -- Martin^3 Babinsky

Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Martin Basti
On 26/06/15 18:55, Petr Spacek wrote: Hello, attached patches implement a portion of improvements for ticket https://fedorahosted.org/freeipa/ticket/4657 It came to my mind that it will be better to review them at once - the previous threads with my patches 40 and 41 can be abandoned. I'm sorr

Re: [Freeipa-devel] [PATCH 0014] correct handling of one directional segments

2015-06-29 Thread Martin Basti
On 17/06/15 11:05, Ludwig Krispenz wrote: On 06/17/2015 10:35 AM, thierry bordaz wrote: On 06/17/2015 09:25 AM, Ludwig Krispenz wrote: Hi, thanks for review, see answers inline. On 06/16/2015 05:17 PM, thierry bordaz wrote: On 06/16/2015 11:41 AM, Ludwig Krispenz wrote: this patch addresses i

Re: [Freeipa-devel] [PATCH] 1113 Hosts add their own services

2015-06-29 Thread Martin Basti
On 22/06/15 19:48, Rob Crittenden wrote: Add an ACI to allow a host to add its own services. This only grants add access. It can't subsequently delete or modify the entry. This requires 389-ds-1.3.4.0 GA. rob ACK -- Martin Basti

[Freeipa-devel] Fix upgrade of HTTPInstance for KDC Proxy

2015-06-29 Thread Christian Heimes
Hello, the attached patch makes sure that HTTPInstance has an admin_conn LDAP connection. Without the LDAP connection, HTTPInstance.enable_kdcproxy() fails. Christian From b10dc05edb26b10f4364e64d04ca0f41d7f35794 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 29 Jun 2015 11:35:07 +02

Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.

2015-06-29 Thread Petr Spacek
On 29.6.2015 09:22, David Kupka wrote: > On 26/06/15 19:45, Rob Crittenden wrote: >> Petr Vobornik wrote: >>> On 06/26/2015 10:54 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5080 >>> >>> ACK >> >> Is there a reason we don't simply start certmonger and quit if it fa

Re: [Freeipa-devel] ipa-kdc-proxy.conf broken symlink after uninstalling ipa

2015-06-29 Thread Christian Heimes
On 2015-06-29 07:31, Fraser Tweedale wrote: > Hi Christian, > > With the kdcproxy change landed, if IPA has been installed and then > uninstalled, and then freeipa-server package erased or downgraded, > the /etc/httpd/conf.d/ipa-kdc-proxy.conf symlink remains, and is > broken, resulting in an inab

[Freeipa-devel] Fix removal of ipa-kdc-proxy.conf symlink

2015-06-29 Thread Christian Heimes
Hello, the attached patch fixes the first bug, that was reported by Fraser today. installutils.remove_file() uses os.path.exists() to check if the file still exists, which in turn uses stat(2). I have modified the function to use os.path.lexists() instead. It doesn't follow symlinks. Because http

Re: [Freeipa-devel] [PATCH] 00015 User life cycle: permission to delete a preserved user

2015-06-29 Thread Martin Basti
On 22/06/15 17:08, thierry bordaz wrote: Add the permission to Stage users administrators to delete already preserved user ACK -- Martin Basti

Re: [Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries

2015-06-29 Thread Martin Babinsky
On 06/23/2015 01:49 PM, Martin Babinsky wrote: This patchset implements new API commands for manipulating user/host/service userCertificate attribute alongside some underlying plumbing. PATCH 0045 is a small test suite that I slapped together since manual testing of this stuff is very cumbersome

Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.

2015-06-29 Thread David Kupka
On 26/06/15 19:45, Rob Crittenden wrote: Petr Vobornik wrote: On 06/26/2015 10:54 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5080 ACK Is there a reason we don't simply start certmonger and quit if it fails to start? Wouldn't that be friendlier? rob Yes. The certmon