From jcholast at redhat.com Thu Dec 1 07:49:05 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Thu, 1 Dec 2016 08:49:05 +0100
Subject: [Freeipa-devel] NTP in FreeIPA
In-Reply-To: <583EEBA8.5010702@redhat.com>
References: <583C8C43.8070202@redhat.com> <8cb49a87-bdc4-0db5-504a-d10d6dd6152e@redhat.com> <583D987F.9040102@redhat.com> <8496ee7a-d4d7-cb77-24db-4cb2d4bf24a9@redhat.com> <20161129171012.nsqmaevs4dnlrpzh@redhat.com> <292772c2-0ff4-07f4-ead0-5809ad18f682@redhat.com> <583EEBA8.5010702@redhat.com>
Message-ID: <949e040a-6ad8-0ab3-404d-4bf7314438a8@redhat.com>

On 30.11.2016 16:09, Rob Crittenden wrote:
> David Kupka wrote:
>> On 29/11/16 18:10, Alexander Bokovoy wrote:
>>> Still, bug reports and users' complaints are the only external measure we
>>> have. There is close to nothing in complaints about NTP functionality,
>>> other than requests to support chronyd and better discovery of existing
>>> NTP setups. I don't think that requires dramatic action like removal of
>>> NTP support at all.
>>>
>>
>> As Petr already pointed out, since Fedora 16 chronyd is enabled by
>> default and ipa-client-install doesn't configure time synchronization
>> when chronyd is enabled.
>>
>> I believe that the majority of users haven't used '--force-ntpd' and since
>> it still worked they haven't filed any ticket.
>>
>> IMO in this case no bug reports means no users rather than no bugs or
>> requests.
>>
>> Unfortunately, this is just my guess and AFAIK we don't have any data
>> from users showing how they use FreeIPA.
>
> For argument's sake, let's say NTP configuration in the client is
> dropped and managed by the OS or other administrators.
>
> What implication does this have for configuring NTP server on masters?
> Would that be stopped as well? What about existing installs?

I think there should be no implication; the server is a completely
different thing. The only thing I would maybe do is to detect if there is
an existing NTP server configuration and, if there is, not touch it.
>
> I don't believe there is a precedence for removing a service from IPA.
>
> rob
>

-- 
Jan Cholasta

From freeipa-github-notification at redhat.com Thu Dec 1 12:13:14 2016
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Thu, 01 Dec 2016 13:13:14 +0100
Subject: [Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/181
Author: gkaihorodova
Title: #181: Tests : User Tracker creation of user with minimal values
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/181/head:pr181
git checkout pr181
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-181.patch
Type: text/x-diff
Size: 4436 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 12:19:07 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 01 Dec 2016 13:19:07 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

pvoborni commented:
"""
Christian, was your answer agreement to Honza's proposal? I.e. push this PR? To rest later by Honza?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264159913

From freeipa-github-notification at redhat.com Thu Dec 1 12:19:29 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 01 Dec 2016 13:19:29 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

pvoborni commented:
"""
Christian, was your answer agreement to Honza's proposal? I.e. push this PR? To rest later by Honza?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264159913

From freeipa-github-notification at redhat.com Thu Dec 1 12:28:04 2016
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 01 Dec 2016 13:28:04 +0100
Subject: [Freeipa-devel] [freeipa PR#294][synchronized] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Author: tjaalton
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/294/head:pr294
git checkout pr294
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-294.patch
Type: text/x-diff
Size: 6200 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 12:28:57 2016
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 01 Dec 2016 13:28:57 +0100
Subject: [Freeipa-devel] [freeipa PR#294][synchronized] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Author: tjaalton
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/294/head:pr294
git checkout pr294
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-294.patch
Type: text/x-diff
Size: 6199 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 13:13:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 14:13:30 +0100
Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/288
Title: #288: Fix missing translation string

mbasti-rh commented:
"""
```
git rebase -i master fix-missing-translation-string
```
It will open interactive mode and you can remove all lines (commits) that you want to remove. Then save that document.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-264170165

From freeipa-github-notification at redhat.com Thu Dec 1 13:14:32 2016
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 01 Dec 2016 14:14:32 +0100
Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

tjaalton commented:
"""
I don't understand why travis claims it failed while the build passed fine
"""

See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-264170360

From freeipa-github-notification at redhat.com Thu Dec 1 13:22:56 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Thu, 01 Dec 2016 14:22:56 +0100
Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

mirielka commented:
"""
Build passes fine, pep8 does not:
./ipaclient/install/client.py:1006:80: E501 line too long (82 > 79 characters)
./ipaclient/install/client.py:1029:80: E501 line too long (83 > 79 characters)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-264171920

From freeipa-github-notification at redhat.com Thu Dec 1 13:26:03 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 14:26:03 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

tiran commented:
"""
@pvoborni No, my answer is a disagreement. Honza does not want to approve the PR as it stands now. My proposal is

* Review this PR under the premise that it does not break current code when ```IPA_CONFDIR``` is absent.
* Review the disputable code lines after my deadline and within the next two weeks. Some of them might need an explicit confdir, some might not. I need to carefully think about each call.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264172504

From freeipa-github-notification at redhat.com Thu Dec 1 13:29:37 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 14:29:37 +0100
Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

tiran commented:
"""
@tjaalton Travis CI output is a bit confusing. PEP 8 checks are performed first. The remaining checks are still executed.

@martbab What do you think about improving the output to make it friendlier to outside contributors? Either fail fast or repeat PEP 8 errors at the end of the log.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-264173231

From freeipa-github-notification at redhat.com Thu Dec 1 13:35:28 2016
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 01 Dec 2016 14:35:28 +0100
Subject: [Freeipa-devel] [freeipa PR#294][synchronized] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Author: tjaalton
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/294/head:pr294
git checkout pr294
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-294.patch
Type: text/x-diff
Size: 6252 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 13:35:50 2016
From: freeipa-github-notification at redhat.com (tjaalton)
Date: Thu, 01 Dec 2016 14:35:50 +0100
Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

tjaalton commented:
"""
oh, thanks for pointing that out.. new one pushed
"""

See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-264174457

From freeipa-github-notification at redhat.com Thu Dec 1 13:43:37 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 14:43:37 +0100
Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir().
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/294
Title: #294: client, platform: Use paths.SSH* instead of get_config_dir().

martbab commented:
"""
@tiran I agree, PEP8 errors are often overlooked in the slew of other stuff that gets printed out in the container. I will address this in https://github.com/freeipa/freeipa/pull/293
"""

See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-264176030

From freeipa-github-notification at redhat.com Thu Dec 1 14:01:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 15:01:14 +0100
Subject: [Freeipa-devel] [freeipa PR#263][comment] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/027fc32fe0424659c5aecb4531299fe8d4a503d3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/263#issuecomment-264180010

From freeipa-github-notification at redhat.com Thu Dec 1 14:01:16 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 15:01:16 +0100
Subject: [Freeipa-devel] [freeipa PR#263][closed] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Author: tiran
Title: #263: Backwards compatibility with setuptools 0.9.8
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/263/head:pr263
git checkout pr263

From freeipa-github-notification at redhat.com Thu Dec 1 14:01:17 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 15:01:17 +0100
Subject: [Freeipa-devel] [freeipa PR#263][+pushed] Backwards compatibility with setuptools 0.9.8
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/263
Title: #263: Backwards compatibility with setuptools 0.9.8

Label: +pushed

From freeipa-github-notification at redhat.com Thu Dec 1 14:01:41 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 15:01:41 +0100
Subject: [Freeipa-devel] [freeipa PR#295][opened] Issue6474 fixups
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Author: tiran
Title: #295: Issue6474 fixups
Action: opened

PR body:
"""
Three small fixes that slipped through the review of #271.

* ipatests for ipalib and ipapython no longer depend on ipaplatform
* pylint fix for ipapython.certdb for client-only installations
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/295/head:pr295
git checkout pr295
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-295.patch
Type: text/x-diff
Size: 5244 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 14:20:50 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 15:20:50 +0100
Subject: [Freeipa-devel] [freeipa PR#267][comment] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/af0ba661889c2e2c9a35d4cff9681c2abab73649
"""

See the full comment at https://github.com/freeipa/freeipa/pull/267#issuecomment-264184508

From freeipa-github-notification at redhat.com Thu Dec 1 14:20:52 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 01 Dec 2016 15:20:52 +0100
Subject: [Freeipa-devel] [freeipa PR#267][+pushed] ipa-replica-conncheck: do not close listening ports until required
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/267
Title: #267: ipa-replica-conncheck: do not close listening ports until required

Label: +pushed

From freeipa-github-notification at redhat.com Thu Dec 1 15:05:05 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 01 Dec 2016 16:05:05 +0100
Subject: [Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

stlaz commented:
"""
There are some more ipaplatform imports left, some in test_xmlrpc, test_webui, test_install and test_cmdline (of which I think may interest you). Is it ok these are left there?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264196326

From freeipa-github-notification at redhat.com Thu Dec 1 15:06:02 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 16:06:02 +0100
Subject: [Freeipa-devel] [freeipa PR#296][opened] equire python-gssapi >= 1.2.0, take 2
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Author: tiran
Title: #296: equire python-gssapi >= 1.2.0, take 2
Action: opened

PR body:
"""
Fix version range typo in ipasetup.py.in. Sorry, the bug slipped through my internal tests. The version pinning is only relevant for make wheel_bundle. The wheel bundle target has been failing from the start because python-nss has a build bug for wheels, https://bugzilla.redhat.com/show_bug.cgi?id=1389739

https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/296/head:pr296
git checkout pr296
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-296.patch
Type: text/x-diff
Size: 1166 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 15:06:22 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 16:06:22 +0100
Subject: [Freeipa-devel] [freeipa PR#296][comment] equire python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Title: #296: equire python-gssapi >= 1.2.0, take 2

tiran commented:
"""
Fix for typo introduced in #289
"""

See the full comment at https://github.com/freeipa/freeipa/pull/296#issuecomment-264196691

From freeipa-github-notification at redhat.com Thu Dec 1 15:08:58 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 16:08:58 +0100
Subject: [Freeipa-devel] [freeipa PR#296][edited] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Author: tiran
Title: #296: Require python-gssapi >= 1.2.0, take 2
Action: edited

Changed field: title
Original value:
"""
equire python-gssapi >= 1.2.0, take 2
"""

From freeipa-github-notification at redhat.com Thu Dec 1 15:09:35 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 16:09:35 +0100
Subject: [Freeipa-devel] [freeipa PR#296][synchronized] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Author: tiran
Title: #296: Require python-gssapi >= 1.2.0, take 2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/296/head:pr296
git checkout pr296
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-296.patch
Type: text/x-diff
Size: 1190 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 15:16:36 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 01 Dec 2016 16:16:36 +0100
Subject: [Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

tiran commented:
"""
Yes, that is fine. The other tests all depend on ipaserver package or a running FreeIPA server anyway. ipatests for ipalib and ipapython allow me to run tests on the standalone packages. (Peek preview: https://github.com/tiran/freeipa/blob/tox/tox.ini#L17 but don't tell anybody.)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264199593

From freeipa-github-notification at redhat.com Thu Dec 1 15:26:56 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 01 Dec 2016 16:26:56 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

pvoborni commented:
"""
Let's push this code if it is correct but only misses the use cases mentioned above. Honza will implement the missing use cases in a separate PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264202590

From freeipa-github-notification at redhat.com Thu Dec 1 15:41:16 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 16:41:16 +0100
Subject: [Freeipa-devel] [freeipa PR#296][+ack] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Title: #296: Require python-gssapi >= 1.2.0, take 2

Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 1 15:41:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 16:41:52 +0100
Subject: [Freeipa-devel] [freeipa PR#296][+pushed] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Title: #296: Require python-gssapi >= 1.2.0, take 2

Label: +pushed

From freeipa-github-notification at redhat.com Thu Dec 1 15:41:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 16:41:54 +0100
Subject: [Freeipa-devel] [freeipa PR#296][comment] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Title: #296: Require python-gssapi >= 1.2.0, take 2

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5dc5960e715b378b6090935ba133d6f332427de5
"""

See the full comment at https://github.com/freeipa/freeipa/pull/296#issuecomment-264207000

From freeipa-github-notification at redhat.com Thu Dec 1 15:41:55 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 16:41:55 +0100
Subject: [Freeipa-devel] [freeipa PR#296][closed] Require python-gssapi >= 1.2.0, take 2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/296
Author: tiran
Title: #296: Require python-gssapi >= 1.2.0, take 2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/296/head:pr296
git checkout pr296

From freeipa-github-notification at redhat.com Thu Dec 1 15:42:45 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 01 Dec 2016 16:42:45 +0100
Subject: [Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

stlaz commented:
"""
Good :) The tests seem to pass, the changes are trivial, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264207266

From freeipa-github-notification at redhat.com Thu Dec 1 15:42:48 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 01 Dec 2016 16:42:48 +0100
Subject: [Freeipa-devel] [freeipa PR#295][+ack] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 1 16:50:02 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 01 Dec 2016 17:50:02 +0100
Subject: [Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/293
Author: martbab
Title: #293: Run out-of-tree tests in Travis CI
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/293/head:pr293
git checkout pr293
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-293.patch
Type: text/x-diff
Size: 5404 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 19:03:16 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Thu, 01 Dec 2016 20:03:16 +0100
Subject: [Freeipa-devel] [freeipa PR#297][opened] Adjustments for setup requirements v2
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Author: pvomacka
Title: #297: Adjustments for setup requirements v2
Action: opened

PR body:
"""
Remove setup requirement on wheel since it triggers download.

https://fedorahosted.org/freeipa/ticket/6468
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/297/head:pr297
git checkout pr297
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-297.patch
Type: text/x-diff
Size: 1164 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 21:23:15 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 01 Dec 2016 22:23:15 +0100
Subject: [Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/206
Author: simo5
Title: #206: Properly handle multiple cookies in rpcclient
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/206/head:pr206
git checkout pr206
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-206.patch
Type: text/x-diff
Size: 2359 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 1 21:23:32 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 01 Dec 2016 22:23:32 +0100
Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient

simo5 commented:
"""
This new patch should fix it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-264299396

From freeipa-github-notification at redhat.com Thu Dec 1 21:25:05 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 01 Dec 2016 22:25:05 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
@abbra this code needs rebase and I need it as dependency for solving ticket #5959, did you do any work on this ? If not I'll rebase tomorrow.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264299816

From freeipa-github-notification at redhat.com Fri Dec 2 02:33:19 2016
From: freeipa-github-notification at redhat.com (shanyin)
Date: Fri, 02 Dec 2016 03:33:19 +0100
Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/288
Title: #288: Fix missing translation string

shanyin commented:
"""
Ok, I have done changes, commit and push operations on local branch. Thanks! @martbab @mbasti-rh
"""

See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-264357705

From freeipa-github-notification at redhat.com Fri Dec 2 04:32:32 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 02 Dec 2016 05:32:32 +0100
Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

frasertweedale commented:
"""
@martbab I agree with doing the refactor you propose, but I deem it out of scope for this ticket. Doing that refactor entails a cleanup of how we handle the LDAP `;binary` transfer encoding option, because this is currently not consistent across user, host and service plugins.

So... do we want to look at getting this merged soon?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264371137

From freeipa-github-notification at redhat.com Fri Dec 2 06:40:34 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 02 Dec 2016 07:40:34 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
@simo5 I did a rebase a while ago and maintain it rebased against the master. I'll submit a new PR with the rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264385190

From freeipa-github-notification at redhat.com Fri Dec 2 06:43:42 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 02 Dec 2016 07:43:42 +0100
Subject: [Freeipa-devel] [freeipa PR#298][opened] ipaldap: handle binary encoding option transparently
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/298
Author: frasertweedale
Title: #298: ipaldap: handle binary encoding option transparently
Action: opened

PR body:
"""
This patchset addresses https://fedorahosted.org/freeipa/ticket/6529.

I'm publishing it for discussion and review but it should not be hastily merged because there are compatibility implications for older server versions (discussed in https://fedorahosted.org/freeipa/ticket/6530).

Per RFC 4523, particular attribute syntaxes require use of the ';binary' attribute option. Attributes using these syntaxes include 'userCertificate' and 'cACertificate'.

Our handling of this requirement is inconsistent with no library support (i.e. it was up to individual plugin authors to "do the right thing"). Also, because 389 DS currently does not always use this encoding option (which is a defect), whether you need to read the 'userCertificate' or 'userCertificate;binary' attribute - or both - is often unclear. But technically, these both refer to the same attribute, because the 'binary' option does not specify an attribute subtype.

This commit implements proper handling of the binary encoding option within ipaldap. Plugin code should now always use an attribute description *without* the binary encoding option, and allow ipaldap to automatically add it when sending attributes to the server, and strip it when reading attributes in search results.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/298/head:pr298
git checkout pr298
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-298.patch
Type: text/x-diff
Size: 23971 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 06:48:21 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 02 Dec 2016 07:48:21 +0100
Subject: [Freeipa-devel] [freeipa PR#299][opened] Remove "Request Certificate with SubjectAltName" permission
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/299
Author: frasertweedale
Title: #299: Remove "Request Certificate with SubjectAltName" permission
Action: opened

PR body:
"""
Fixes: https://fedorahosted.org/freeipa/ticket/6526

*Note: the ticket hasn't been triaged or even agreed to. But here is the code ^_^*

subjectAltName is required or relevant in most certificate use cases (esp. TLS, where carrying DNS name in Subject DN CN attribute is deprecated). Therefore it does not really make sense to have a special permission for this, over and above "request certificate" permission. Furthermore, we already do rigorously validate SAN contents against the subject principal, and the permission is waived for self-service requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the associated code in cert_request.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/299/head:pr299
git checkout pr299
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-299.patch
Type: text/x-diff
Size: 3049 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 06:55:24 2016
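The ';binary' attribute-option handling that the PR#298 description above explains (add the option when sending an attribute whose syntax requires it, strip it when reading results, and cope with a server that returns the same logical attribute under either name or both) as an added example in Python. This is illustrative code written for this page, not FreeIPA's ipaldap implementation: the BINARY_REQUIRED set is a constructed placeholder seeded with the two attribute types the PR names, the entry layout (a dict of attribute description to list of byte values) is an assumption, and the sample certificate values are short constructed byte strings, not real DER.

```python
"""Transparent handling of the LDAP ';binary' attribute option (RFC 4523).

Added example for this page, not FreeIPA's ipaldap code. Assumptions:
  * BINARY_REQUIRED is a constructed placeholder seeded with the two attribute
    types named in the PR description; RFC 4523 lists more (extend as needed).
  * An entry is a plain dict mapping attribute description -> list of values.
"""


# Attribute types whose syntax requires the ';binary' transfer option.
# Constructed subset, compared case-insensitively (attribute types and
# options are case-insensitive per RFC 4512).
BINARY_REQUIRED = frozenset({"usercertificate", "cacertificate"})


def split_description(desc):
    """Split 'type;opt1;opt2' into (type, [options]), keeping original case."""
    parts = [p.strip() for p in desc.split(";")]
    if not parts[0]:
        raise ValueError("empty attribute type in %r" % (desc,))
    return parts[0], [p for p in parts[1:] if p]


def has_binary_option(options):
    return any(o.lower() == "binary" for o in options)


def add_binary_option(desc):
    """Outgoing direction: plugin code passes 'userCertificate', the wire
    gets 'userCertificate;binary'. Other attributes are left untouched and
    an option that is already present is not duplicated."""
    attr_type, options = split_description(desc)
    if attr_type.lower() in BINARY_REQUIRED and not has_binary_option(options):
        options = options + ["binary"]
    return ";".join([attr_type] + options)


def strip_binary_option(desc):
    """Incoming direction: remove the 'binary' option but keep any other
    options (for example a language tag) so the caller still sees them."""
    attr_type, options = split_description(desc)
    return ";".join([attr_type] + [o for o in options if o.lower() != "binary"])


def encode_attrs(attrs):
    """Rewrite an outgoing attribute dict for the server."""
    out = {}
    for desc, values in attrs.items():
        out.setdefault(add_binary_option(desc), []).extend(values)
    return out


def decode_entry(entry):
    """Rewrite a search result so callers see attributes without ';binary'.

    This is the awkward case the PR describes: the server may return
    'userCertificate', 'userCertificate;binary', or both for the same logical
    attribute. Both spellings are merged under the stripped name (matched
    case-insensitively, first-seen spelling kept) and identical values are
    reported once, in first-seen order.
    """
    merged = {}  # lower-cased attribute name -> (display name, values)
    for desc, values in entry.items():
        name = strip_binary_option(desc)
        display, bucket = merged.setdefault(name.lower(), (name, []))
        for value in values:
            if value not in bucket:
                bucket.append(value)
    return {display: values for display, values in merged.values()}


# Constructed sample data: short byte strings standing in for DER blobs,
# not real certificates.
FAKE_CERT_A = b"\x30\x82\x01\x0a\x02\x01\x03"
FAKE_CERT_B = b"\x30\x03\x02\x01\x01"

# Constructed search result with the attribute returned under both names.
SAMPLE_ENTRY = {
    "cn": [b"host.example.test"],
    "userCertificate": [FAKE_CERT_A],
    "userCertificate;binary": [FAKE_CERT_A, FAKE_CERT_B],
}


if __name__ == "__main__":
    print(encode_attrs({"userCertificate": [FAKE_CERT_A], "cn": [b"x"]}))
    print(decode_entry(SAMPLE_ENTRY))
```

The merge in decode_entry is what makes the client robust to the 389 DS inconsistency the PR mentions: whichever spelling the server chooses, plugin code reads one key and never sees a duplicated certificate value.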
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 02 Dec 2016 07:55:24 +0100
Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

frasertweedale commented:
"""
I'm closing this PR (and associated ticket). I felt it was an uncontroversial change (and tbh it looks like there are numbers on my side), but no one is specifically asking for this (it was just a drive-by "hey I could implement this now"), so let's not waste any more time arguing about it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-264387094

From freeipa-github-notification at redhat.com Fri Dec 2 06:55:26 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Fri, 02 Dec 2016 07:55:26 +0100
Subject: [Freeipa-devel] [freeipa PR#228][closed] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Author: frasertweedale
Title: #228: cert-request: allow directoryName in SAN extension
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/228/head:pr228
git checkout pr228

From freeipa-github-notification at redhat.com Fri Dec 2 07:06:04 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 02 Dec 2016 08:06:04 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
@simo5 https://github.com/abbra/freeipa/tree/kdc-pkinit can be used for rebase of this PR
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264388468

From freeipa-github-notification at redhat.com Fri Dec 2 08:02:38 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 09:02:38 +0100
Subject: [Freeipa-devel] [freeipa PR#295][comment] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fb307ba582d4e7339b7026cbe26c3b170221e249
https://fedorahosted.org/freeipa/changeset/3e3b5462b28f2133fd4170645cad762c0a0fbb4f
https://fedorahosted.org/freeipa/changeset/98f0077360884da6df31b351caaed7510dec94de
"""

See the full comment at https://github.com/freeipa/freeipa/pull/295#issuecomment-264396078

From freeipa-github-notification at redhat.com Fri Dec 2 08:02:40 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 09:02:40 +0100
Subject: [Freeipa-devel] [freeipa PR#295][+pushed] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Title: #295: Issue6474 fixups

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 08:02:42 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 09:02:42 +0100
Subject: [Freeipa-devel] [freeipa PR#295][closed] Issue6474 fixups
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/295
Author: tiran
Title: #295: Issue6474 fixups
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/295/head:pr295
git checkout pr295

From freeipa-github-notification at redhat.com Fri Dec 2 08:08:11 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 09:08:11 +0100
Subject: [Freeipa-devel] [freeipa PR#280][+ack] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 2 08:10:33 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 09:10:33 +0100
Subject: [Freeipa-devel] [freeipa PR#280][comment] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1e6a204b4372bbbfb722a00370a5ce4e34406b9f
"""

See the full comment at https://github.com/freeipa/freeipa/pull/280#issuecomment-264397268

From freeipa-github-notification at redhat.com Fri Dec 2 08:10:35 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 09:10:35 +0100
Subject: [Freeipa-devel] [freeipa PR#280][closed] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Author: tiran
Title: #280: Set explicit confdir option for global contexts
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/280/head:pr280
git checkout pr280

From freeipa-github-notification at redhat.com Fri Dec 2 08:10:43 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 09:10:43 +0100
Subject: [Freeipa-devel] [freeipa PR#280][+pushed] Set explicit confdir option for global contexts
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/280
Title: #280: Set explicit confdir option for global contexts

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 08:13:40 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 09:13:40 +0100
Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
I agree that it is out of scope of this work and will open a separate ticket for the `cert-request` refactoring. You may open another ticket for the handling of binary transfer option as I feel these efforts can be done independently.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264397752

From freeipa-github-notification at redhat.com Fri Dec 2 08:15:08 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 09:15:08 +0100
Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/227
Title: #227: cert-request: match names against principal aliases

martbab commented:
"""
I agree that it is out of scope of this work and will open a separate ticket for the `cert-request` refactoring.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264397752

From freeipa-github-notification at redhat.com Fri Dec 2 08:42:11 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 02 Dec 2016 09:42:11 +0100
Subject: [Freeipa-devel] [freeipa PR#297][+ack] Adjustments for setup requirements v2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Title: #297: Adjustments for setup requirements v2

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 2 08:46:08 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 09:46:08 +0100
Subject: [Freeipa-devel] [freeipa PR#297][+pushed] Adjustments for setup requirements v2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Title: #297: Adjustments for setup requirements v2

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 08:46:10 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 09:46:10 +0100
Subject: [Freeipa-devel] [freeipa PR#297][comment] Adjustments for setup requirements v2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Title: #297: Adjustments for setup requirements v2

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/7f301b00ce50814d098e7e42324ef741c71b6853
"""

See the full comment at https://github.com/freeipa/freeipa/pull/297#issuecomment-264403108

From freeipa-github-notification at redhat.com Fri Dec 2 08:46:11 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 09:46:11 +0100
Subject: [Freeipa-devel] [freeipa PR#297][closed] Adjustments for setup requirements v2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Author: pvomacka
Title: #297: Adjustments for setup requirements v2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/297/head:pr297
git checkout pr297

From freeipa-github-notification at redhat.com Fri Dec 2 08:52:06 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 02 Dec 2016 09:52:06 +0100
Subject: [Freeipa-devel] [freeipa PR#297][comment] Adjustments for setup requirements v2
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/297
Title: #297: Adjustments for setup requirements v2

tiran commented:
"""
The fix was originally a part of #255. Both changes got lost in a rebase. 1a8bf57 was still good. git reflog to the rescue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/297#issuecomment-264404117

From freeipa-github-notification at redhat.com Fri Dec 2 09:10:05 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 02 Dec 2016 10:10:05 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
Should I push your branch over my PR ?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264407366

From freeipa-github-notification at redhat.com Fri Dec 2 09:14:14 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 02 Dec 2016 10:14:14 +0100
Subject: [Freeipa-devel] [freeipa PR#182][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Author: tiran
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/182/head:pr182
git checkout pr182
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-182.patch
Type: text/x-diff
Size: 6011 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 09:32:43 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Fri, 02 Dec 2016 10:32:43 +0100
Subject: [Freeipa-devel] [freeipa PR#300][opened] WebUI: Add support for custom table pagination size
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/300
Author: pvomacka
Title: #300: WebUI: Add support for custom table pagination size
Action: opened

PR body:
"""
New customization button opens dialog with field for setting the number of lines in tables. After saving the new value there is new topic which starts refreshing current table facet (if shown) and set all other facets expired. Therefore all tables are immediately regenerated.

https://fedorahosted.org/freeipa/ticket/5742
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/300/head:pr300
git checkout pr300
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-300.patch
Type: text/x-diff
Size: 13626 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 09:35:46 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Fri, 02 Dec 2016 10:35:46 +0100
Subject: [Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tiran commented:
"""
@frasertweedale I still think it's a useful and uncontroversial improvement. As a matter of fact I don't understand why this simple and obvious change resulted in a lengthy discussion.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-264412252

From pvomacka at redhat.com Fri Dec 2 09:36:17 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Fri, 2 Dec 2016 10:36:17 +0100
Subject: [Freeipa-devel] [PATCH] 0102-0104: webui: Add support for setting custom table pagination size
In-Reply-To: <41469ae1-68e8-2329-7e4f-90f9482080d2@redhat.com>
References: <4f758e21-b951-9ca6-e685-29746c1cec44@redhat.com> <41469ae1-68e8-2329-7e4f-90f9482080d2@redhat.com>
Message-ID: <6f604c1a-b4f1-6d59-1112-0f2ff4351a74@redhat.com>

I created PR for this https://github.com/freeipa/freeipa/pull/300

On 10/26/2016 09:55 AM, Martin Basti wrote:
>
> On 11.08.2016 16:18, Pavel Vomacka wrote:
>> Hello,
>>
>> please review attached patches.
>>
>> https://fedorahosted.org/freeipa/ticket/5742
>>
> bump for review
>

-- 
Pavel^3 Vomacka
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 10:18:18 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 02 Dec 2016 11:18:18 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
Up to you. We can either resync yours or switch over to mine. I need to merge updater changes too before submitting it upstream, though.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264420882

From freeipa-github-notification at redhat.com Fri Dec 2 10:23:19 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 02 Dec 2016 11:23:19 +0100
Subject: [Freeipa-devel] [freeipa PR#278][comment] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Title: #278: Restore the original functionality of `env` and `plugins` commands

stlaz commented:
"""
`env` works as expected, `plugins` seems to fail as expected. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/278#issuecomment-264421876

From freeipa-github-notification at redhat.com Fri Dec 2 10:23:22 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 02 Dec 2016 11:23:22 +0100
Subject: [Freeipa-devel] [freeipa PR#278][+ack] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Title: #278: Restore the original functionality of `env` and `plugins` commands

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 2 10:37:24 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 02 Dec 2016 11:37:24 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

simo5 commented:
"""
On Fri, 2016-12-02 at 02:18 -0800, Alexander Bokovoy wrote:
> Up to you. We can either resync yours or switch over to mine. I need to merge updater changes too before submitting it upstream, though.

I'll rebase for now, when it is time for the additional work, we can decide if we are better opening a new PR or continue with this one.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-264424678

From freeipa-github-notification at redhat.com Fri Dec 2 10:53:18 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 11:53:18 +0100
Subject: [Freeipa-devel] [freeipa PR#301][opened] scripts, tests: explicitly set confdir in the rest of server code
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/301
Author: jcholast
Title: #301: scripts, tests: explicitly set confdir in the rest of server code
Action: opened

PR body:
"""
Commit 1e6a204b4372bbbfb722a00370a5ce4e34406b9f added explicit confdir setting to api.bootstrap() calls of a randomly selected portion of server-side scripts and tests.

This commit adds it to the rest of server-side code for consistency.

https://fedorahosted.org/freeipa/ticket/6389
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/301/head:pr301
git checkout pr301
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-301.patch
Type: text/x-diff
Size: 10439 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 11:19:51 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 02 Dec 2016 12:19:51 +0100
Subject: [Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/276
Title: #276: replica-conncheck: improve error msg + logging

stlaz commented:
"""
Needs rebase.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-264432666

From freeipa-github-notification at redhat.com Fri Dec 2 11:25:25 2016
From: freeipa-github-notification at redhat.com (pvoborni) Date: Fri, 02 Dec 2016 12:25:25 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context pvoborni commented: """ Honza, would this work? ```diff diff --git a/ipalib/config.py b/ipalib/config.py index 9d87782..6c3a0b1 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -43,7 +43,7 @@ from ipapython.dn import DN from ipalib.base import check_name from ipalib.constants import CONFIG_SECTION from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR -from ipapython.admintool import ScriptError +from ipalib.errors import EnvirontmentError if six.PY3: unicode = str @@ -466,7 +466,7 @@ class Env(object): if self.env_confdir is not None: if (not path.isabs(self.env_confdir) or not path.isdir(self.env_confdir)): - raise ScriptError( + raise EnvirontmentError( "IPA_CONFDIR env var must be an absolute path to an " "existing directory, got '{}'.".format( self.env_confdir)) diff --git a/ipalib/errors.py b/ipalib/errors.py index d1fe5f0..dfd74d7 100644 --- a/ipalib/errors.py +++ b/ipalib/errors.py @@ -865,6 +865,13 @@ class NotAForestRootError(InvocationError): errno = 3016 format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'") +class EnvirontmentError(InvocationError): + """ + **3017** Raised when a command is called with invalid environment settings + """ + + errno = 3017 + ############################################################################## # 4000 - 4999: Execution errors diff --git a/ipalib/plugable.py b/ipalib/plugable.py index 142b3e6..95e0a8a 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py 
@@ -718,9 +718,9 @@ class API(ReadOnly): self.log.info( "IPA_CONFDIR env sets confdir to '%s'.", self.env.confdir) else: - self.log.warn( - "IPA_CONFDIR env is overridden by an explicit confdir " - "argument.") + raise errors.EnvirontmentError( + "IPA_CONFDIR env cannot be set because explicit confdir is" + "used") for plugin in self.__plugins: if not self.env.validate_api: ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264433672 From freeipa-github-notification at redhat.com Fri Dec 2 11:32:24 2016 From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Fri, 02 Dec 2016 12:32:24 +0100 Subject: [Freeipa-devel] [freeipa PR#276][synchronized] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-276.patch Type: text/x-diff Size: 12182 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Dec 2 11:34:05 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 02 Dec 2016 12:34:05 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context tiran commented: """ You have a copy and paste typo: EnvironmentError, not Environ**t**mentError """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264435093 From freeipa-github-notification at redhat.com Fri Dec 2 11:39:31 2016 
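Review bot: the name imported in the ipalib/config.py hunk, `EnvirontmentError`, is misspelled, and the same spelling is repeated in the `raise` below it, in the new class in ipalib/errors.py and in ipalib/plugable.py, so all four sites need the same correction. Independently of the spelling, an unqualified `from ipalib.errors import EnvironmentError` shadows the Python builtin of that name inside config.py; either import the module and refer to `errors.EnvironmentError`, or give the class a name that cannot be confused with the builtin.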
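Review bot: the new class in the ipalib/errors.py hunk is derived from `InvocationError` with `errno = 3017`, but the only place it is raised is environment validation during API initialisation, before any command is invoked, so the 3000-range "invocation error" classification does not fit; derive it from `PublicError` and give it an errno in the 900-1000 range, updating the `**3017**` reference in the docstring to match.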
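Review bot: in the ipalib/plugable.py hunk the two adjacent string literals of the new `raise` concatenate to "...because explicit confdir isused", since the first literal ends in "is" with no trailing space; write it as `"IPA_CONFDIR env cannot be set because explicit confdir is "` followed by `"used"`. This hunk also turns what was a logged warning into a hard failure whenever IPA_CONFDIR is set alongside an explicit confdir argument, which any caller that sets both will now hit at bootstrap; that behaviour change belongs in the commit message.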
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 02 Dec 2016 12:39:31 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 31257 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 11:46:54 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 12:46:54 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

pvoborni commented:
"""
True, also thinking that it might not be the best name because it can be confused with builtin EnvironmentError so the usages should be either errors.EnvironmentError to distinguish it or different name should be used.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264437173

From freeipa-github-notification at redhat.com Fri Dec 2 12:02:03 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 13:02:03 +0100
Subject: [Freeipa-devel] [freeipa PR#278][comment] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Title: #278: Restore the original functionality of `env` and `plugins` commands

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/42307ae2dc4d9be06d3fd9b7e5af2e0761b8d6ad
https://fedorahosted.org/freeipa/changeset/0ae7bebb7690620b69fd9c84b7a385c2086c1ee1
https://fedorahosted.org/freeipa/changeset/64a4be26febf19e427760115912a858a804208a0
"""

See the full comment at https://github.com/freeipa/freeipa/pull/278#issuecomment-264439557

From freeipa-github-notification at redhat.com Fri Dec 2 12:02:05 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 13:02:05 +0100
Subject: [Freeipa-devel] [freeipa PR#278][+pushed] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Title: #278: Restore the original functionality of `env` and `plugins` commands

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 12:02:06 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 02 Dec 2016 13:02:06 +0100
Subject: [Freeipa-devel] [freeipa PR#278][closed] Restore the original functionality of `env` and `plugins` commands
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/278
Author: martbab
Title: #278: Restore the original functionality of `env` and `plugins` commands
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/278/head:pr278
git checkout pr278

From freeipa-github-notification at redhat.com Fri Dec 2 12:32:16 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 02 Dec 2016 13:32:16 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 34820 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 12:52:00 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 13:52:00 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
@pvoborni, yes, although it should not inherit from `InvocationError`, since it does not happen during command invocation, but way before, during API initialization. I would inherit it directly from `PublicError` and put it into the 900-1000 errno range.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264447620

From freeipa-github-notification at redhat.com Fri Dec 2 12:52:11 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 13:52:11 +0100
Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
@pvoborni, yes, although it should not inherit from `InvocationError`, since it does not happen during command invocation, but way before, during API initialization. I would inherit it directly from `PublicError` and put it into the 900-1000 errno range.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264447620

From freeipa-github-notification at redhat.com Fri Dec 2 13:11:15 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 02 Dec 2016 14:11:15 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 34843 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 13:17:27 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 14:17:27 +0100
Subject: [Freeipa-devel] [freeipa PR#302][opened] Use env var IPA_CONFDIR to get confdir for 'cli' context
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Author: pvoborni
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: opened

PR body:
"""
This is continuation of PR #182 . It contains patch from #182 and additional one which addresses the issue raised in review.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/302/head:pr302
git checkout pr302
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-302.patch
Type: text/x-diff
Size: 8557 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 13:27:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 02 Dec 2016 14:27:13 +0100
Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/288
Title: #288: Fix missing translation string

mbasti-rh commented:
"""
@shanyin could you force push to github remote branch to have updated PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-264453509

From freeipa-github-notification at redhat.com Fri Dec 2 13:39:38 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Fri, 02 Dec 2016 14:39:38 +0100
Subject: [Freeipa-devel] [freeipa PR#302][synchronized] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Author: pvoborni
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/302/head:pr302
git checkout pr302
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-302.patch
Type: text/x-diff
Size: 8808 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 2 14:00:06 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 15:00:06 +0100
Subject: [Freeipa-devel] [freeipa PR#302][+ack] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 2 14:01:15 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 15:01:15 +0100
Subject: [Freeipa-devel] [freeipa PR#302][+pushed] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 14:01:17 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 15:01:17 +0100
Subject: [Freeipa-devel] [freeipa PR#302][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d4916254e995be1118ab8dbce5b60091305f97fe
https://fedorahosted.org/freeipa/changeset/c2934aaa7eacb8390209a38029145b1c240d864c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/302#issuecomment-264460061

From freeipa-github-notification at redhat.com Fri Dec 2 14:01:19 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 15:01:19 +0100
Subject: [Freeipa-devel] [freeipa PR#302][closed] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/302
Author: pvoborni
Title: #302: Use env var IPA_CONFDIR to get confdir for 'cli' context
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/302/head:pr302
git checkout pr302

From freeipa-github-notification at redhat.com Fri Dec 2 14:02:34 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 02 Dec 2016 15:02:34 +0100
Subject: [Freeipa-devel] [freeipa PR#182][+pushed] Use env var IPA_CONFDIR to get confdir for 'cli' context
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/182
Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 2 14:02:36 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 02 Dec 2016 15:02:36 +0100 Subject: [Freeipa-devel] [freeipa PR#182][+ack] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Label: +ack From freeipa-github-notification at redhat.com Fri Dec 2 14:02:37 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 02 Dec 2016 15:02:37 +0100 Subject: [Freeipa-devel] [freeipa PR#182][comment] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context jcholast commented: """ Pushed with #302. """ See the full comment at https://github.com/freeipa/freeipa/pull/182#issuecomment-264460352 From freeipa-github-notification at redhat.com Fri Dec 2 14:02:38 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Fri, 02 Dec 2016 15:02:38 +0100 Subject: [Freeipa-devel] [freeipa PR#182][closed] Use env var IPA_CONFDIR to get confdir for 'cli' context In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/182 Author: tiran Title: #182: Use env var IPA_CONFDIR to get confdir for 'cli' context Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/182/head:pr182 git checkout pr182 From freeipa-github-notification at redhat.com Fri Dec 2 14:07:06 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 02 Dec 2016 15:07:06 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 35016 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Dec 2 15:15:50 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 02 Dec 2016 16:15:50 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases martbab commented: """ There are small issues I found in the patch. Please address those. @apophys can you quickly review the new test cases? They pass (except for one pointed out in review), so they should be valid and OK. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264477091 From freeipa-github-notification at redhat.com Fri Dec 2 15:18:34 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 02 Dec 2016 16:18:34 +0100 Subject: [Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Author: martbab Title: #293: Run out-of-tree tests in Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/293/head:pr293 git checkout pr293 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-293.patch Type: text/x-diff Size: 5409 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Dec 2 15:19:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 02 Dec 2016 16:19:32 +0100 Subject: [Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer mbasti-rh commented: """ +1 """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-264478024 From freeipa-github-notification at redhat.com Fri Dec 2 16:35:25 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 02 Dec 2016 17:35:25 +0100 Subject: [Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Author: martbab Title: #293: Run out-of-tree tests in Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/293/head:pr293 git checkout pr293 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-293.patch Type: text/x-diff Size: 5409 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Dec 2 16:57:53 2016 From: freeipa-github-notification at redhat.com (pvomacka) Date: Fri, 02 Dec 2016 17:57:53 +0100 Subject: [Freeipa-devel] [freeipa PR#303][opened] Add python-pyasn1-modules into dependencies Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Author: pvomacka Title: #303: Add python-pyasn1-modules into dependencies Action: opened PR body: """ Python-pyasn1-modules is required by the python-ldap package, but it would be good to not rely on another package and rather say explicitly that this package is necessary. https://fedorahosted.org/freeipa/ticket/6398 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/303/head:pr303 git checkout pr303 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-303.patch Type: text/x-diff Size: 1143 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Fri Dec 2 18:05:55 2016
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 02 Dec 2016 19:05:55 +0100 Subject: [Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies tiran commented: """ Good idea, please add BuildRequires for the package, too. """ See the full comment at https://github.com/freeipa/freeipa/pull/303#issuecomment-264520682 From freeipa-github-notification at redhat.com Fri Dec 2 22:45:37 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 02 Dec 2016 23:45:37 +0100 Subject: [Freeipa-devel] [freeipa PR#304][opened] Relax check for .git to support freeipa in submodules Message-ID: URL: https://github.com/freeipa/freeipa/pull/304 Author: tiran Title: #304: Relax check for .git to support freeipa in submodules Action: opened PR body: """ Let's relax the check for .git from directory to exists in order to support freeipa in a git submodule. Submodules have a .git file with content like gitdir: ../.git/modules/freeipa Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/304/head:pr304 git checkout pr304 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-304.patch Type: text/x-diff Size: 1081 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 01:19:58 2016 
From: freeipa-github-notification at redhat.com (shanyin) Date: Mon, 05 Dec 2016 02:19:58 +0100 Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Title: #288: Fix missing translation string shanyin commented: """ Oh my god, the git rebase or push command has a problem. I force-pushed my local branch to the remote branch. Does it meet the requirement this time? """ See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-264748065 From freeipa-github-notification at redhat.com Mon Dec 5 08:28:09 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 05 Dec 2016 09:28:09 +0100 Subject: [Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging stlaz commented: """ Seems to work fine, ACK. """ See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-264793827 From freeipa-github-notification at redhat.com Mon Dec 5 08:28:16 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 05 Dec 2016 09:28:16 +0100 Subject: [Freeipa-devel] [freeipa PR#276][+ack] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging Label: +ack From jcholast at redhat.com Mon Dec 5 09:25:17 2016
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 5 Dec 2016 10:25:17 +0100 Subject: [Freeipa-devel] CSR autogeneration next steps In-Reply-To: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> Message-ID: Hi Ben, On 3.11.2016 00:12, Ben Lipton wrote: > Hi everybody, > > Soon I'm going to have to reduce the amount of time I spend on new > development work for the CSR autogeneration project, and I want to leave > the project in as organized a state as possible. So, I'm taking > inventory of the work I've done in order to make sure that what's ready > for review can get reviewed and the ideas that have been discussed get > prototyped or at least recorded so they won't be forgotten. Thanks, I have some questions and comments, see below. > > Code that's ready for review (I will continue to put in as much time as > needed to help get these ready for submission): > > - Current PR: https://github.com/freeipa/freeipa/pull/10 How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward. > > - Allow some fields to be specified by the user at creation time: > https://github.com/LiptonB/freeipa/commits/local-user-data Good idea :-) > > - Automation for the full process from getting CSR data to requesting > cert: https://github.com/LiptonB/freeipa/commits/local-cert-build LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command. 
> > Other prototypes and design ideas that aren't ready for submission yet: > > - Utility written in C to build a CertificationRequestInfo from a > SubjectPublicKeyInfo and an openssl-style config file. The purpose of > this is to take a config that my code already knows how to generate, and > put it in a form that certmonger can use. This is nearly done and > available at: > https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c Nice! As I said above, this could really make implementing the "new" csrgen interface simple. > > > - Ideally it should be possible to use this tool to reimplement the full > cert-request automation (local-cert-build branch) without a dependency > on the certutil/openssl tools. However, I don't think any of the python > crypto libraries have bindings for the functions that deal with > CertificationRequestInfo objects, so I don't think I can do this in the > short term. You can use python-cffi to write your own minimal bindings. It's fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an example of how to port C code to Python with python-cffi. > > - Certmonger "helper" program that takes in the CertificationRequestInfo > that certmonger generates, calls out to IPA for profile-specific data, > and returns an updated CertificationRequestInfo built from the data. > Certmonger doesn't currently support this type of helper, but (if I > understood correctly) this is the architecture Nalin believed would be > simplest to fit in. This is not done yet, but I intend to complete it > soon - it shouldn't require much code beyond what's in build_requestinfo.c. To me this sounds like it should be a new operation of the current helper rather than a completely new helper. Anyway, the ultimate goal is to move the csrgen code to the server, which means everything the helper will have to do is call a command over RPC. 
> > - Tool to convert an XER-encoded cert extension to DER, given the ASN.1 > description of the extension. This would unblock Jan Cholasta's idea of > using XSLT for templates rather than text-based formatting. I should be > able to implement the conversion tool, but it may be a while before I > have time to demo the full XSLT idea. Was there any progress on this? > > So: currently on my to do list are the certmonger helper and the > XER->DER conversion tool. Do you have any comments about these plans, > and is there anything else I can do to wrap up the project neatly? > > Thanks, > Ben > Honza -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Dec 5 09:43:34 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Dec 2016 10:43:34 +0100 Subject: [Freeipa-devel] [freeipa PR#305][opened] Fetch correct exception in IPA_CONFDIR test Message-ID: URL: https://github.com/freeipa/freeipa/pull/305 Author: tiran Title: #305: Fetch correct exception in IPA_CONFDIR test Action: opened PR body: """ fixes c2934aaa Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/305/head:pr305 git checkout pr305 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-305.patch Type: text/x-diff Size: 1201 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 10:46:41 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 05 Dec 2016 11:46:41 +0100 Subject: [Freeipa-devel] [freeipa PR#304][+ack] Relax check for .git to support freeipa in submodules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 10:53:26 2016 
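The CertificationRequestInfo that build_requestinfo.c produces, and that the proposed csrgen command would hand to certmonger, is plain DER and can be assembled without bindings to any crypto library. What follows is an added example written for this archive, not Ben Lipton's tool, not FreeIPA code and not the certmonger helper interface: it takes the SubjectPublicKeyInfo as DER bytes and the subject and SAN contents as plain Python values (the function names and that calling convention are assumptions made here), and the SPKI it feeds itself is a constructed sample around a made-up modulus, not a real key.

```python
"""DER-encode a PKCS#10 CertificationRequestInfo with no crypto library.

Added example for the CSR autogeneration thread; not build_requestinfo.c and
not FreeIPA code. The SubjectPublicKeyInfo arrives as DER bytes, the way a
certmonger helper receives the key, and the result is the unsigned
CertificationRequestInfo a signer would wrap into a CSR. The SAN carries
dNSName entries and Kerberos principals (id-pkinit-san otherName, RFC 4556).
Only the ASN.1 types this structure needs are implemented.
"""


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def parse_tlv(data):
    """Inverse of tlv(): returns (tag, body, remaining bytes)."""
    tag, first = data[0], data[1]
    if first < 0x80:
        n, start = first, 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(data[2:2 + k], "big"), 2 + k
    return tag, data[start:start + n], data[start + n:]


def der_int(n):
    # The extra byte keeps a leading 0x00 when the top bit would be set.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:            # base-128, high bit set on all but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def der_seq(*items): return tlv(0x30, b"".join(items))
def der_set(*items): return tlv(0x31, b"".join(items))
def der_utf8(s): return tlv(0x0C, s.encode("utf-8"))
def der_general(s): return tlv(0x1B, s.encode("ascii"))    # KerberosString
def der_octets(b): return tlv(0x04, b)
def der_bits(b): return tlv(0x03, b"\x00" + b)             # 0 unused bits
def ctx(n, body): return tlv(0xA0 | n, body)               # [n] constructed


def der_name(rdns):
    """Name from [(oid, value), ...] in DER order (most general first)."""
    return der_seq(*[der_set(der_seq(der_oid(o), der_utf8(v))) for o, v in rdns])


def krb5_principal_name(realm, components):
    """GeneralName.otherName holding a KRB5PrincipalName (RFC 4556 3.2.2)."""
    principal = der_seq(ctx(0, der_int(1)),                         # NT-PRINCIPAL
                        ctx(1, der_seq(*map(der_general, components))))
    value = der_seq(ctx(0, der_general(realm)), ctx(1, principal))
    return ctx(0, der_oid("1.3.6.1.5.2.2") + ctx(0, value))


def build_cri(subject, spki_der, dns_names=(), principals=()):
    """CertificationRequestInfo with a subjectAltName in extensionRequest."""
    names = [tlv(0x82, n.encode("ascii")) for n in dns_names]       # [2] dNSName
    names += [krb5_principal_name(r, c) for r, c in principals]
    san = der_seq(der_oid("2.5.29.17"), der_octets(der_seq(*names)))
    ext_req = der_seq(der_oid("1.2.840.113549.1.9.14"), der_set(der_seq(san)))
    return der_seq(der_int(0), der_name(subject), spki_der, ctx(0, ext_req))


# Constructed sample input: an rsaEncryption SPKI around a made-up 192-bit
# "modulus". It is NOT a usable key; a real SPKI from certmonger drops in here.
SAMPLE_SPKI = der_seq(der_seq(der_oid("1.2.840.113549.1.1.1"), b"\x05\x00"),
                      der_bits(der_seq(der_int(int("c0ffee" * 8, 16)),
                                       der_int(65537))))
SAMPLE_SUBJECT = [("2.5.4.10", "EXAMPLE.TEST"), ("2.5.4.3", "host.example.test")]


def sample_cri():
    return build_cri(SAMPLE_SUBJECT, SAMPLE_SPKI, ["host.example.test"],
                     [("EXAMPLE.TEST", ["host", "host.example.test"])])


if __name__ == "__main__":
    print(sample_cri().hex())
```

A signer (certmonger, or any tool holding the private key) would wrap the returned bytes as CertificationRequest { certificationRequestInfo, signatureAlgorithm, signature }; the example deliberately stops at the unsigned structure, which is the piece under discussion. Subjects are emitted as UTF8String and the SAN covers only dNSName and Kerberos principal names; other name forms would need their own encoders.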
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 05 Dec 2016 11:53:26 +0100 Subject: [Freeipa-devel] [freeipa PR#305][+ack] Fetch correct exception in IPA_CONFDIR test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 10:53:55 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 05 Dec 2016 11:53:55 +0100 Subject: [Freeipa-devel] [freeipa PR#305][comment] Fetch correct exception in IPA_CONFDIR test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test jcholast commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/34bd2b63377772f3dabc0eb36f7021238df286a6 """ See the full comment at https://github.com/freeipa/freeipa/pull/305#issuecomment-264823975 From freeipa-github-notification at redhat.com Mon Dec 5 10:53:57 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 05 Dec 2016 11:53:57 +0100 Subject: [Freeipa-devel] [freeipa PR#305][+pushed] Fetch correct exception in IPA_CONFDIR test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/305 Title: #305: Fetch correct exception in IPA_CONFDIR test Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 5 10:53:58 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 05 Dec 2016 11:53:58 +0100 Subject: [Freeipa-devel] [freeipa PR#305][closed] Fetch correct exception in IPA_CONFDIR test In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/305 Author: tiran Title: #305: Fetch correct exception in IPA_CONFDIR test Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/305/head:pr305 git checkout pr305 From freeipa-github-notification at redhat.com Mon Dec 5 10:55:19 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Dec 2016 11:55:19 +0100 Subject: [Freeipa-devel] [freeipa PR#306][opened] Ignore backup~ files like config.h.in~ Message-ID: URL: https://github.com/freeipa/freeipa/pull/306 Author: tiran Title: #306: Ignore backup~ files like config.h.in~ Action: opened PR body: """ Signed-off-by: Christian Heimes """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/306/head:pr306 git checkout pr306 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-306.patch Type: text/x-diff Size: 512 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 10:55:58 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 05 Dec 2016 11:55:58 +0100 Subject: [Freeipa-devel] [freeipa PR#306][+ack] Ignore backup~ files like config.h.in~ In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 11:09:16 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:09:16 +0100 Subject: [Freeipa-devel] [freeipa PR#306][comment] Ignore backup~ files like config.h.in~ In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/86295a8c2ea5c0546b070053d490b3a8b8013012 """ See the full comment at https://github.com/freeipa/freeipa/pull/306#issuecomment-264827081 From freeipa-github-notification at redhat.com Mon Dec 5 11:09:18 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:09:18 +0100 Subject: [Freeipa-devel] [freeipa PR#306][closed] Ignore backup~ files like config.h.in~ In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/306 Author: tiran Title: #306: Ignore backup~ files like config.h.in~ Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/306/head:pr306 git checkout pr306 From freeipa-github-notification at redhat.com Mon Dec 5 11:09:19 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:09:19 +0100 Subject: [Freeipa-devel] [freeipa PR#306][+pushed] Ignore backup~ files like config.h.in~ In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/306 Title: #306: Ignore backup~ files like config.h.in~ Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 5 11:15:20 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:15:20 +0100 Subject: [Freeipa-devel] [freeipa PR#304][+pushed] Relax check for .git to support freeipa in submodules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 5 11:15:22 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:15:22 +0100 Subject: [Freeipa-devel] [freeipa PR#304][comment] Relax check for .git to support freeipa in submodules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/304 Title: #304: Relax check for .git to support freeipa in submodules martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/cac0c2d951e10d49372a038c73f796dc3beb62b9 """ See the full comment at https://github.com/freeipa/freeipa/pull/304#issuecomment-264828226 From freeipa-github-notification at redhat.com Mon Dec 5 11:15:23 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 12:15:23 +0100 Subject: [Freeipa-devel] [freeipa PR#304][closed] Relax check for .git to support freeipa in submodules In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/304 Author: tiran Title: #304: Relax check for .git to support freeipa in submodules Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/304/head:pr304 git checkout pr304 From freeipa-github-notification at redhat.com Mon Dec 5 11:26:53 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 05 Dec 2016 12:26:53 +0100 Subject: [Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-227.patch Type: text/x-diff Size: 12793 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 11:31:54 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 05 Dec 2016 12:31:54 +0100 Subject: [Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-227.patch Type: text/x-diff Size: 12793 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 12:26:53 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 05 Dec 2016 13:26:53 +0100 Subject: [Freeipa-devel] [freeipa PR#307][opened] Lowered the version of gettext Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Author: pvomacka Title: #307: Lowered the version of gettext Action: opened PR body: """ The lower version is needed while building on RHEL. Also regenerated Rules-quot file. https://fedorahosted.org/freeipa/ticket/6418 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/307/head:pr307 git checkout pr307 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-307.patch Type: text/x-diff Size: 2770 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 12:43:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 13:43:53 +0100 Subject: [Freeipa-devel] [freeipa PR#308][opened] Add 'env_confdir' to constants Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Author: martbab Title: #308: Add 'env_confdir' to constants Action: opened PR body: """ Env confdir is always populated so it should be listed among variables set during a call to `Env._bootstrap()`. https://fedorahosted.org/freeipa/ticket/6389 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/308/head:pr308 git checkout pr308 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-308.patch Type: text/x-diff Size: 1061 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 12:46:44 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 05 Dec 2016 13:46:44 +0100 Subject: [Freeipa-devel] [freeipa PR#303][synchronized] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Author: pvomacka Title: #303: Add python-pyasn1-modules into dependencies Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/303/head:pr303 git checkout pr303 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-303.patch Type: text/x-diff Size: 1539 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 12:47:26 2016 From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 05 Dec 2016 13:47:26 +0100 Subject: [Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies pvomacka commented: """ Added, I also added more information into commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/303#issuecomment-264845609 From freeipa-github-notification at redhat.com Mon Dec 5 12:51:00 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Dec 2016 13:51:00 +0100 Subject: [Freeipa-devel] [freeipa PR#303][+ack] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 12:57:19 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 13:57:19 +0100 Subject: [Freeipa-devel] [freeipa PR#303][+pushed] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 5 12:57:21 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 13:57:21 +0100 Subject: [Freeipa-devel] [freeipa PR#303][comment] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Title: #303: Add python-pyasn1-modules into dependencies martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a8b7dbff8ac660a28faf7ef43c7a0952171423b8 """ See the full comment at https://github.com/freeipa/freeipa/pull/303#issuecomment-264847546 From freeipa-github-notification at redhat.com Mon Dec 5 12:57:22 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 13:57:22 +0100 Subject: [Freeipa-devel] [freeipa PR#303][closed] Add python-pyasn1-modules into dependencies In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/303 Author: pvomacka Title: #303: Add python-pyasn1-modules into dependencies Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/303/head:pr303 git checkout pr303 From jcholast at redhat.com Mon Dec 5 13:05:51 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 5 Dec 2016 14:05:51 +0100 Subject: [Freeipa-devel] [RFC] Matching and Mapping Certificates In-Reply-To: <20161125145543.GC11202@p.Speedport_W_724V_Typ_A_05011603_00_009> References: <20161006104930.GC22626@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161011113709.GC4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <20161013165235.GH4864@p.Speedport_W_724V_Typ_A_05011603_00_009> <8fa31830-3f04-6a99-596c-5d05421b07cf@redhat.com> <20161125145543.GC11202@p.Speedport_W_724V_Typ_A_05011603_00_009> Message-ID:

On 25.11.2016 15:55, Sumit Bose wrote:
> On Fri, Nov 25, 2016 at 02:19:10PM +0100, Jan Cholasta wrote:
>> Bump, Sumit, have you seen my comments? I haven't heard back from you.
>
> Yes, I've seen it and added a comment about it on the page
> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates#Matching-alternativeRFC4523syntax
> To cut it short I would prefer to use a standard, but I think RFC4523
> currently does not meet our needs. But I would be happy if there are
> ways to mitigate my concerns.

What I actually had in mind was not to use the full RFC 4523 syntax, but rather re-use the concepts used in it - for example, instead of using regular expressions to match subject names, we could use a scheme based on name constraints, where the subject name is matched using base + minimum distance + maximum distance, which could look like this, written down using glob-like syntax:

directoryName=CN=a,O=b (base = CN=a,O=b, minimum distance = 0, maximum distance = 0)
directoryName=*,O=b (base = O=b, minimum distance = 1, maximum distance = 1)
directoryName=*,*,O=b (base = O=b, minimum distance = 2, maximum distance = 2)
directoryName=**,*,O=b (base = O=b, minimum distance = 1, maximum distance unspecified)

> I'm working on updating and changing other sections as well and planned
> to reply when I'm done with the other sections as well.

OK, thanks for the heads up.
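The base plus distance scheme sketched above, as an added worked example written for this archive; it is not SSSD or FreeIPA code, and the class and function names are assumptions made here. It also handles two of the things raised later in the thread as awkward for regular expressions, multi-valued RDNs and attribute types written under different identifiers, which goes a little beyond the four patterns listed above.

```python
"""Match certificate subject names with a name-constraints style pattern.

Added example for the matching proposal above; not SSSD or FreeIPA code.
A pattern is a base DN plus the number of extra RDNs allowed in front of it:

    directoryName=CN=a,O=b     base CN=a,O=b   min 0  max 0
    directoryName=*,O=b        base O=b        min 1  max 1
    directoryName=*,*,O=b      base O=b        min 2  max 2
    directoryName=**,*,O=b     base O=b        min 1  max unbounded

DN handling is a minimal RFC 4514 parser: backslash escapes, '+' for
multi-valued RDNs, attribute types folded to one canonical name (cn,
commonName and 2.5.4.3 compare equal) and values compared roughly the way
caseIgnoreMatch would. These are the assertions a regular expression over
the string form cannot make reliably.
"""
import re

_TYPE_ALIASES = {
    "commonname": "cn", "2.5.4.3": "cn",
    "organizationname": "o", "2.5.4.10": "o",
    "organizationalunitname": "ou", "2.5.4.11": "ou",
    "countryname": "c", "2.5.4.6": "c",
    "domaincomponent": "dc", "0.9.2342.19200300.100.1.25": "dc",
    "userid": "uid", "0.9.2342.19200300.100.1.1": "uid",
}


def _split_unescaped(s, sep):
    """Split on sep, skipping backslash-escaped characters (escapes kept)."""
    parts, start, i = [], 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == sep:
            parts.append(s[start:i])
            start = i + 1
        i += 1
    parts.append(s[start:])
    return parts


def _parse_ava(ava):
    if "=" not in ava:
        raise ValueError("not an attributeTypeAndValue: %r" % ava)
    attr_type, value = ava.split("=", 1)
    attr_type = attr_type.strip().lower()
    value = re.sub(r"\\(.)", r"\1", value)           # drop the escapes
    value = " ".join(value.split()).lower()           # caseIgnoreMatch-ish
    return _TYPE_ALIASES.get(attr_type, attr_type), value


def parse_dn(dn):
    """RFC 4514 string -> list of RDNs, most specific first. Each RDN is a
    frozenset of (type, value) pairs so multi-valued RDNs compare unordered."""
    return [frozenset(_parse_ava(a) for a in _split_unescaped(rdn, "+"))
            for rdn in _split_unescaped(dn, ",")]


class NamePattern:
    """directoryName=<wildcards>,<base DN>; '*' is one RDN, '**' any number."""

    def __init__(self, pattern):
        prefix = "directoryName="
        if not pattern.startswith(prefix):
            raise ValueError("only directoryName= patterns are supported")
        tokens = _split_unescaped(pattern[len(prefix):], ",")
        n_wild = 0
        while n_wild < len(tokens) and tokens[n_wild] in ("*", "**"):
            n_wild += 1
        if any(t in ("*", "**") for t in tokens[n_wild:]):
            raise ValueError("wildcards must precede the base DN")
        self.minimum = tokens[:n_wild].count("*")
        self.maximum = None if "**" in tokens[:n_wild] else self.minimum
        self.base = parse_dn(",".join(tokens[n_wild:])) if n_wild < len(tokens) else []

    def matches(self, subject):
        name = parse_dn(subject)
        extra = len(name) - len(self.base)
        if extra < self.minimum:
            return False
        if self.maximum is not None and extra > self.maximum:
            return False
        return name[extra:] == self.base


def select_certificates(pattern, subjects):
    """Subjects (e.g. of the certificates on a Smartcard) matching a pattern."""
    rule = NamePattern(pattern)
    return [s for s in subjects if rule.matches(s)]
```

An unescaped separator in a value is rejected rather than silently matched, which is the behaviour one wants from a login rule; a regular expression over the string form would have to reproduce the escaping rules itself to get the same guarantee.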
> > bye, > Sumit > >> >> On 17.10.2016 09:50, Jan Cholasta wrote: >>> Hi, >>> >>> On 13.10.2016 18:52, Sumit Bose wrote: >>>> On Tue, Oct 11, 2016 at 01:37:09PM +0200, Sumit Bose wrote: >>>>> On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote: >>>>>> Hi, >>>>>> >>>>>> I've started to write a SSSD design page about enhancing the current >>>>>> mapping of certificates to users and how to select/match a suitable >>>>>> certificate if multiple certificates are on a Smartcard. >>>>>> >>>>>> My current thoughts and ideas can be found at >>>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates >>>>>> >>>>>> and for your convenience below as well. >>>>>> >>>>>> Comments and suggestions are welcome. Please let me know about >>>>>> concerns, >>>>>> alternatives and missing use-cases/user-stories. >>>>>> >>>>>> bye, >>>>>> Sumit >>>>>> >>>>> >>>>> Hi, >>>>> >>>>> Rob, Fraser, Alexander, thank you for your comments. I think both the >>>>> issuer specific matching and the OID in the SUBJECT matching are good >>>>> ideas. I updated the design page accordingly. The changes can be shown >>>>> with >>>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=9&old_version=6 >>>>> >>>>> >>>>> The updated version can be found below as well. Of course more >>>>> comments and >>>>> suggestions are still very welcome. >>>>> >>>> >>>> I did another update. A "Compatibility with Active Directory" section is >>>> added which made me realize that there are use-cases for using the >>>> issuer in the mapping as well and the sub-strings in LDAP search filters >>>> might be useful as well. >>>> >>>> The changes can be seen with >>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates?action=diff&version=10&old_version=9 >>>> >>>> >>>> Please let me know your comments and suggestions.
>>>> >>>> bye, >>>> Sumit >>>> >>>> = Matching and Mapping Certificates = >>>> >>>> Related ticket(s): >>>> * >>>> http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping >>>> >>>> >>>> === Problem statement === >>>> ==== Mapping ==== >>>> Currently it is required that a certificate used for authentication is >>>> either stored in the LDAP user entry or in a matching override. This >>>> might not always be applicable and other ways are needed to relate a >>>> user with a certificate. >>>> >>>> ==== Matching ==== >>>> Even if SSSD will support multiple certificates on a Smartcard in the >>>> context of https://fedorahosted.org/sssd/ticket/3050 it might be >>>> necessary to restrict (or relax) the current certificate selection in >>>> certain environments. >>>> >>>> === Use cases === >>>> ==== Mapping ==== >>>> In some environments it might not be possible or would cause unwanted >>>> effort to add certificates to the LDAP entry of the users to allow >>>> Smartcard based authentication. Reasons might be: >>>> * Certificates/Smartcards are issued externally >>>> * LDAP schema extension is not possible or not allowed >>>> >>>> ==== Matching ==== >>>> A user might have multiple certificates on a Smartcard which are >>>> suitable for authentication. But on some host in the environment only >>>> certificates from a specific CA (while all other CAs are trusted as >>>> well) or with some special extension should be valid for login. >>>> >>>> === Overview of the solution === >>>> To match a certificate a language/syntax has to be defined which >>>> allows to reference items from the certificate and compare the values >>>> with the expected data. To map the certificates to a user the >>>> language/syntax should allow to relate certificate items with LDAP >>>> attributes so that the value(s) from the certificate item can be used >>>> in a LDAP search filter. 
>>> >>> Note that in some cases it might be possible to map a certificate to a >>> user without having to do an extra LDAP search, for example when the >>> certificate contains the principal name of the user. Does the design >>> allow this? Or is there no extra LDAP search? >>> >>>> >>>> >>>> === Implementation details === >>>> ==== Matching ==== >>>> The pkinit plugin of MIT Kerberos must find a suitable certificate >>>> from a Smartcard as well and has defined the following syntax (see the >>>> pkinit_cert_match section of the krb5.conf man page or >>>> http://web.mit.edu/Kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html >>>> for details). The main components are >>>> >>>> * regular-expression >>>> * regular-expression >>>> * regular-expression >>>> * extended-key-usage-list >>>> * key-usage-list >>>> >>>> and can be grouped together with a prefixed '&&' (and) or '`||`' (or) >>>> operator ('&&' is the default). If multiple rules are given they are >>>> iterated in the order in the config file as long as a rule matches >>>> exactly one certificate. >>>> >>>> '''Question: MIT Kerberos uses case-sensitive matching and POSIX >>>> Extended Regular Expression syntax, shall we do the same?''' >>>> >>>> While and are (imo) already quite flexible I can >>>> see some potential extensions for the other components. >>> >>> I don't think regular expressions are a particularly good choice for DN >>> matching. It is difficult to express assertions which are quite natural >>> for DNs (matching multi-attribute RDNs, matching the same attribute type >>> by different identifiers, respecting the defined matching rules of >>> attribute types) and at the same time it is easy to express assertions >>> which do not make much sense for DNs (matching substrings in attribute >>> names, matching across multiple syntactical elements, etc.). >>> >>> That said, does the design have to be based on the MIT pkinit matching? 
>>> To me it looks like something quickly hacked together rather than >>> thoughtfully designed. I would personally base the design on the >>> concepts of CertificateMatch, which is the standard way of matching >>> certificates, defined in X.509, rather than reinvent the wheel. >>> >>>> >>>> and in MIT Kerberos only accept certain string values >>>> related to some allowed values in those fields as defined in >>>> https://www.ietf.org/rfc/rfc3280.txt . The selection is basically >>>> determined by what is supported on server side of the pkinit plugin of >>>> MIT Kerberos. Since we plan to extend pkinit and support local >>>> authentication without pkinit as well I would suggest to allow OID >>>> strings for those components as well (the comparison is done on the >>>> OID level nonetheless). >>>> >>>> The component in MIT Kerberos only checks the otherName SAN >>>> component for the id-pkinit-san OID as defined in >>>> https://www.ietf.org/rfc/rfc4556.txt or the szOID_NT_PRINCIPAL_NAME >>>> OID as mentioned in https://support.microsoft.com/en-us/kb/287547. >>>> While this is sufficient for the default pkinit use case of MIT >>>> Kerberos I would suggest to extend this component by allowing to >>>> specify an OID with >>>> >>>> ===== Issuer specific matching ===== >>>> Although the MIT Kerberos rules allow to select the issuer of a >>>> certificate there are use cases where a more specific selection is >>>> needed. E.g. if there are some default matching rules for all issuers >>>> and some other issuer specific rules where the default rules should >>>> not apply. To make this possible with the above scheme the default >>>> rules must have an clause which matches all but the issuer >>>> with the specific rules. Writing regular-expressions to not match a >>>> specific string or a list of strings is at least error-prone if not >>>> impossible. 
>>>> >>>> To make it easier to define issuer specific rules and default rules at >>>> the same time an optional issuer string can be added to the rule to >>>> indicate that for the given issuer only those rules should be >>>> considered. Given the use-case I think it is acceptable to require >>>> that the full issuer must be specified here in LDAP order (see below) >>>> and case-sensitive matching is used. >>> >>> This could also be solved by adding priority to rules - if two rules >>> match, the one with higher priority (the issuer specific rule) is >>> preferred over the one with lower priority (the default rule). IMO this >>> is better than an optional issuer string as it offers greater flexibility. >>> >>>> >>>> How the issuer string is linked to the matching rules depends on the >>>> storage (LDAP or sssd.conf, see below for details). >>>> ==== Mapping ==== >>>> Since different certificates, e.g. issued by different CAs, might have >>>> different mapping rules, a matching rule must be added if there are >>>> more than 1 mapping rule. A single mapping rule without a matching >>>> rule might be used as default/catch-all rule in this case. >>>> >>>> If multiple rules match the derived LDAP filter components can be >>>> grouped with the or-operator "|". >>>> >>>> A mapping rule can use a similar syntax like the matching rule where >>>> the LDAP attribute can be added with a ':', e.g. >>>> * >>>> * >>>> * >>>> >>>> where O.I.D. is either the OID or name of a RDN type or the OID or >>>> some well-known-name of the SAN component respectively. Since the >>>> SUBJECT might contain multiple RDNs of the same type always the "most >>>> specific" is selected because in general this will be the most suited >>>> one to map the certificate to a specific user. "most specific" means >>>> the last in X.500 order and the first in LDAP order (see discussion >>>> below for details). >>>> >>>> If the O.I.D. is missing the full SUBJECT/ISSUER is used for mapping. 
>>>> If 'DN' is used as ldapAttributeName SUBJECT is expected to be the DN >>>> of the user. If the O.I.D. is missing in the SAN case the same default >>>> as with matching (id-pkinit-san and szOID_NT_PRINCIPAL_NAME OID) is >>>> used. If both SAN values can be found in the certificate and are >>>> different the LDAP search filter will combine both with the or-operator. >>>> >>>> The optional '*' in the end indicates that a sub-string search >>>> (ldapAttributeName=*value*) should be used and not an exact match >>>> (ldapAttributeName=value). Please note that it depends on the >>>> server-side definition of the LDAP attribute if case-sensitive or >>>> case-insensitive matching is used. >>> >>> This seems like a rather quirky way to write down an LDAP filter. IMHO a >>> better way would be to use a single attribute containing a filter >>> template, e.g.: >>> >>> (&(someAttr={issuer})(someOtherAttr=*{subject:O.I.D}*)) >>> >>>> >>>> Currently I see no usage for and in mapping rules because >>>> they do not contain any user-specific data. If at some point we will >>>> have personal CAs we might consider to add based mappings. >>>> >>>> ===== Future consideration ===== >>>> Most of the interesting values from the SAN should be directly >>>> map-able to LDAP attributes. And processing the string representation >>>> of might be tricky as discussed below. Nevertheless it might >>>> be possible to add the following in a future release if more complex >>>> operations on the values are needed: >>>> >>>> * /regexp/replacement/ >>>> * /regexp/replacement/ >>>> >>>> where "/regexp/replacement/" stands for optional sed-like substitution >>>> rules. E.g. a rule like >>>> {{{ >>>> /^CN=\([^,]*\).*$/\1/ >>>> }}} >>>> would take the subject string 'CN=Certuser,CN=Users,DC=example,DC=com' >>>> from the certificate and generate a LDAP search filter component >>>> '(samAccountName=Certuser)' which can be included in a LDAP search >>>> filter which includes additional components like e.g. 
an objectClass. >>>> >>>> The search-and-replace does not have to be sed-like because afaik there >>>> is no library which offers this and I would like to avoid >>>> implementing it. GLib e.g. has >>>> [https://developer.gnome.org/glib/stable/glib-Perl-compatible-regular-expressions.html#g-regex-replace >>>> g_regex_replace]. Since we already have a GLib dependency in SSSD due >>>> to some utf8 helper functions using might be acceptable as well. >>>> Nevertheless it would be nice to hear if there are alternative >>>> libraries available as well. >>>> >>>> Maybe even search-and-replace are not sufficient for all cases and >>>> something like embedded lua scripts are needed. But since certificate >>>> mapping is about access control and authorization it should be always >>>> considered if adding a new attribute to the user's LDAP entry which >>>> makes mapping easy and straight-forward wouldn't be the better solution. >>>> >>>> ===== Some notes about DNs ===== >>>> The X.500 family of standards defines names as "SEQUENCE OF >>>> RelativeDistinguishedName" where the sequence is "starting with the >>>> root and ending with the object being named" (see X.501 section 9.2 >>>> for details). On the other hand RFC4514 section 2.1 says "Otherwise, >>>> the output consists of the string encoding of each >>>> RelativeDistinguishedName in the RDNSequence (according to Section >>>> 2.2), starting with the last element of the sequence and moving >>>> backwards toward the first." This means that the ASN.1 encoded issuer >>>> and subject DN from the X.509 certificate can be either displayed as >>>> string in the >>>> * X.500 order: DC=com,DC=example,CN=users,CN=Certuser >>>> or in the >>>> * LDAP order: CN=Certuser,CN=Users,DC=example,DC=com >>>> >>>> As a consequence different tools will use a different order when >>>> printing the issuer and subject DN. 
While NSS's certutil will use the >>>> LDAP order, 'openssl x509' and gnutls's certtool will use the X.500 >>>> order (the latter might change due to >>>> https://gitlab.com/gnutls/gnutls/issues/111). >>>> >>>> This makes it important to specify the order which is used by SSSD >>>> for mapping and matching. I would prefer the LDAP order here. E.g. by >>>> default the AD CA uses the DN of the users entry in AD as subject in >>>> the issued certificate. So a matching rule like '' could >>>> tell SSSD to directly search the user based on its DN (which btw is >>>> the original intention of the subject field in the certificate, only >>>> that the DN should be looked up in a more general DAP as defined by >>>> X.500 and not in the lightweight version called LDAP) >>>> >>>> Another issue is the limited set of attribute names/types required by >>>> the RFCs (see section 4.1.2.4 of RFC 3280 and section 3 of RFC 4514). >>>> If e.g. the deprecated OID >>>> [http://www.oid-info.com/get/1.2.840.113549.1.9.1 >>>> 1.2.840.113549.1.9.1] is used all tools are able to identify it as an >>>> email address but OpenSSL displays it as >>>> 'emailAddress=user at example.com', certtool as 'EMAIL=user at example.com' >>>> and certutil as 'E=user at example.com'. So matching rules should try to >>>> avoid attribute names or only the ones from >>>> [https://www.ietf.org/rfc/rfc4514.txt RFC 4514]: >>>> * CN commonName (2.5.4.3) >>>> * L localityName (2.5.4.7) >>>> * ST stateOrProvinceName (2.5.4.8) >>>> * O organizationName (2.5.4.10) >>>> * OU organizationalUnitName (2.5.4.11) >>>> * C countryName (2.5.4.6) >>>> * STREET streetAddress (2.5.4.9) >>>> * DC domainComponent (0.9.2342.19200300.100.1.25) >>>> * UID userId (0.9.2342.19200300.100.1.1) >>>> >>>> ==== About restricting or enforcing the mapping and matching any >>>> further ==== >>>> The goal of the matching rules in MIT Kerberos is to select a single >>>> certificate from a Smartcard which will then be used for PKINIT. 
Since >>>> we already plan to enhance SSSD to support multiple certificates on a >>>> Smartcard and if needed prompt the user which one to use for login we >>>> should not enforce that the matching rules should return only a single >>>> certificate or nothing. >>>> >>>> Similarly we plan to enhance SSSD to use the same certificate to log in >>>> with different user identities, e.g. as a user with standard >>>> privileges or as a user with administrator privileges. So it can make >>>> sense that multiple mapping rules apply to the same certificate and >>>> the related LDAP search filter components are or-ed together. >>>> >>>> In many cases the login program will first ask for a user name which >>>> will help to restrict the number of suitable certificates even further >>>> and the mapping rules are only needed to check if the certificate >>>> belongs to the user trying to log in. >>>> >>>> But gdm has a feature where gdm will detect when a Smartcard is >>>> inserted and call PAM without a user name. In this case SSSD has to >>>> determine the user name based on the certificates found on the >>>> Smartcard. If in this case multiple valid certificates are on the card >>>> and the mapping rules will return multiple users for each certificate >>>> gdm has to display a quite long selection of certificate-user pairs >>>> the user has to choose from. >>>> >>>> So it should be underlined in the documentation that the matching and >>>> mapping rules should be detailed and specific so that for the given >>>> environment they help to avoid cases where the user is prompted to >>>> select a certificate (or user name in the gdm case) when trying to log >>>> in. >>>> >>>> ==== Storing matching and mapping configuration ==== >>>> On the IPA server a new objectclass can be created to store a >>>> matching-mapping rule pair together with a specific issuer. 
All >>>> attributes are optional because a missing mapping rule would mean that >>>> the user entry will be searched with the whole certificate. A missing >>>> matching rule will indicate catch-all rule with a default mapping. If >>>> only a specific issuer is given certificates from this issuer must be >>>> stored in the LDAP entry of the user to make authentication possible. >>>> >>>> Specifying matching-mapping rules in sssd.conf is a bit more >>>> complicated because SSSD does not respect multiple entries with the >>>> same keyword, only the last one is used. So all rules have to be added >>>> to a single line. To give it a little bit of structure the rules can >>>> be enclosed by curly-braces '{}{}{}' and each rule pair is separated >>>> by a comma ','. A single rule in curly braces indicates a matching >>>> rule and the mapping will be done with the whole certificate. A >>>> default/catch-all mapping rule will start with an empty pair of curly >>>> braces followed by a pair containing the mapping rule. Issuer specific >>>> rules will have three pairs of curly braces where the first pair must >>>> contain an issuer string. >>>> >>>> ===== Future considerations ===== >>>> If it turns out that this option is used quite often and it gets >>>> complicated to manage a larger set of rules with it and storing the >>>> rules in LDAP/IPA/AD is not an option we might add support to read the >>>> rules from a separate file (certificate_rules = >>>> FILE:///etc/sssd/cert_rules) with a more suitable format, e.g. ini >>>> where a list can be defined by giving the same option multiple times. >>>> >>>> ===== Examples ===== >>>> * '''certificate_rules = {msScLogin}''': only allow certificates >>>> which have the Microsoft OID for Smartcard logon >>>> 1.3.6.1.4.1.311.20.2.2 set. Use the whole certificate to look-up the >>>> user. 
The same result can be achieved with >>>> * '''certificate_rules = {1.3.6.1.4.1.311.20.2.2}''': see above >>>> * '''certificate_rules = >>>> {*my-company**@my-company.com$}{}''': >>>> only allow certificates from the 'my-company' issuer which have an >>>> email address from the 'my-company.com' domain in the rfc822Name SAN >>>> attribute. Use the email address in a LDAP search filter >>>> '(mail=email-address)' to find the matching user. >>>> >>>> ==== Compatibility with Active Directory ==== >>>> Active Directory uses a per-user LDAP attribute >>>> [https://msdn.microsoft.com/en-us/library/cc220106.aspx >>>> altSecurityIdentities] to allow arbitrary user-certificate mappings if >>>> there is no suitable user-principal-name entry in the SAN of the >>>> certificate. >>>> >>>> Unfortunately it is more or less undocumented how AD uses the values of >>>> this attribute. The best overview I found is in >>>> https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/. >>>> >>>> >>>> It looks like the most important variant is the issuer-subject pair. >>>> This one is e.g. created when a certificate is added via the 'Name >>>> Mappings' context menu entry in AD's 'Users and Computers' utility >>>> ('Advanced Features' must be activated in the 'View' menu). The >>>> attribute value might look like >>>> {{{ >>>> altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate >>>> AuthorityDC >>>> =com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.co >>>> >>>> m,CN=Sumit Bose Sumit Bose >>>> }}} >>>> First it can be seen that X.500 ordering is used. Second, if RDN types >>>> not explicitly mentioned in the RFCs are used, you are on your own. As >>>> can be seen AD can translate the deprecated OID >>>> [http://www.oid-info.com/get/1.2.840.113549.1.9.1 >>>> 1.2.840.113549.1.9.1] and uses 'E' as NSS. 
But the OID >>>> [http://www.oid-info.com/get/0.9.2342.19200300.100.1.1 >>>> 0.9.2342.19200300.100.1.1] which is explicitly mentioned in RFC4514 is >>>> not translated as UID but the plain OID syntax is used (my guess it >>>> that Microsoft tries to be compatible with "older" versions because >>>> the UID was added in RFC2253 from 1997 but was not present in the >>>> RFC1779 from 1995 and RFC1485 from 1993). >>>> >>>> Nevertheless with the mapping rules described above a rule like >>>> {{{ >>>> >>>> }}} >>>> would produce an LDAP search filter like >>>> {{{ >>>> (&(altSecurityIdentities=*Red Hat*)(altSecurityIdentities=*Sumit Bose >>>> Sumit Bose*)) >>>> }}} >>>> which should quite reliably find the right LDAP entry. >>>> >>>> As an alternative it would be possible to add special mapping rules >>>> like which would try in a best >>>> effort to produce the exact attribute value AD is using. This should >>>> work reliably with standard RDN types (see above). I think an optional >>>> 'ldapAttributeName' is useful here so that the same mapping rule can >>>> be used with different LDAP servers (e.g. IPA) where user-specific >>>> mapping attributes are used with the same content but a different >>>> attribute name. >>>> >>>> According to the blog post describing altSecurityIdentities some other >>>> additional mapping rules might be useful too. This will give us >>>> * >>>> * >>>> * >>>> * >>>> * >>>> * >>>> >>>> So far I didn't find an AD tool which creates the other mappings, if >>>> you know one, please let me know. >>>> === Configuration changes === >>>> Does your feature involve changes to configuration, like new options >>>> or options changing values? Summarize them here. There's no need to go >>>> into too many details, that's what man pages are for. >>>> >>>> === How To Test === >>>> This section should explain to a person with admin-level of SSSD >>>> understanding how this change affects run time behaviour of SSSD and >>>> how can an SSSD user test this change. 
If the feature is >>>> internal-only, please list what areas of SSSD are affected so that >>>> testers know where to focus. >>>> >>>> === How To Debug === >>>> Explain how to debug this feature if something goes wrong. This >>>> section might include examples of additional commands the user might >>>> run (such as keytab or certificate sanity checks) or explain what >>>> message to look for. >>>> >>>> === Authors === >>>> Give credit to authors of the design in this section. >>>> >>> >>> Honza >>> >> >> >> -- >> Jan Cholasta -- Jan Cholasta From freeipa-github-notification at redhat.com Mon Dec 5 01:12:47 2016 From: freeipa-github-notification at redhat.com (shanyin) Date: Mon, 05 Dec 2016 02:12:47 +0100 Subject: [Freeipa-devel] [freeipa PR#288][synchronized] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Author: shanyin Title: #288: Fix missing translation string Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/288/head:pr288 git checkout pr288 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-288.patch Type: text/x-diff Size: 3860594 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 13:09:20 2016 
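The following is an added worked example for the [RFC] Matching and Mapping Certificates thread above; it is not part of any message in the thread and not SSSD or FreeIPA code. It implements the name-constraints style subject matching that Jan Cholasta sketches there (a base DN plus minimum and maximum distance, written in his glob-like notation with '*' and '**'), the single LDAP filter template with {issuer} and {subject:O.I.D} placeholders he proposes instead of the per-component mapping syntax, and the LDAP-order versus X.500-order point from the quoted design page. The parser, all function names and the attribute names in the sample filters (someAttr, someOtherAttr) are assumptions made for the illustration; only the Python standard library is used.

```python
"""Name-constraints style subject matching and LDAP filter templating.
Added illustration for the Matching and Mapping Certificates thread; this is
not SSSD or FreeIPA code.  Function names and the attribute names in the
sample filters (someAttr, someOtherAttr) are made up for the example."""
import re

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29',
                   '\0': r'\00'}

def split_unescaped(s, sep):
    """Split s on sep, ignoring separators escaped with a backslash."""
    parts, cur, escaped = [], [], False
    for ch in s:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == sep:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return parts

def parse_rfc4514(dn):
    """Parse an RFC 4514 string (LDAP order, leaf RDN first) into a list of
    RDNs, each a sorted tuple of (TYPE, value) pairs so that multi-valued
    RDNs compare equal however their AVAs were written.  Assumption: no
    hex-encoded (#...) values; this toy parser does not handle them."""
    rdns = []
    for rdn in split_unescaped(dn, ','):
        avas = []
        for ava in split_unescaped(rdn, '+'):
            typ, _, val = ava.lstrip().partition('=')
            avas.append((typ.strip().upper(), re.sub(r'\\(.)', r'\1', val)))
        rdns.append(tuple(sorted(avas)))
    return rdns

def _norm(rdns):
    """Comparison form: case-folded values (caseIgnoreMatch semantics)."""
    return [tuple((t, v.casefold()) for t, v in rdn) for rdn in rdns]

def to_ldap_order(x500_dn):
    """Reverse a DN printed root-first (X.500 order, as 'openssl x509' does)
    into LDAP order (leaf first)."""
    return ','.join(reversed(split_unescaped(x500_dn, ',')))

def parse_pattern(pattern):
    """Decode the glob-like form into (base_rdns, min_dist, max_dist).  Each
    leading '*' requires one more RDN in front of the base; a leading '**'
    removes the upper bound (max_dist becomes None)."""
    comps = split_unescaped(pattern, ',')
    min_dist, max_dist, i = 0, 0, 0
    while i < len(comps) and comps[i].strip() in ('*', '**'):
        if comps[i].strip() == '**':
            max_dist = None
        else:
            min_dist += 1
            if max_dist is not None:
                max_dist += 1
        i += 1
    return parse_rfc4514(','.join(comps[i:])), min_dist, max_dist

def subject_matches(subject_dn, pattern):
    """True if subject_dn (LDAP order) ends with the pattern's base and the
    number of RDNs in front of the base lies within [min_dist, max_dist]."""
    subj = _norm(parse_rfc4514(subject_dn))
    base, min_dist, max_dist = parse_pattern(pattern)
    base = _norm(base)
    if len(base) > len(subj) or subj[len(subj) - len(base):] != base:
        return False
    dist = len(subj) - len(base)
    return dist >= min_dist and (max_dist is None or dist <= max_dist)

def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, subject_dn, issuer_dn):
    """Expand {subject}, {issuer}, {subject:TYPE} and {issuer:TYPE} in a
    filter template; {subject:TYPE} takes the most specific RDN of that
    type (first in LDAP order).  Values are escaped, so a crafted
    certificate DN cannot change the structure of the search filter."""
    dns = {'subject': subject_dn, 'issuer': issuer_dn}

    def expand(m):
        which, typ = m.group(1), m.group(2)
        if typ is None:
            return escape_filter_value(dns[which])
        for rdn in parse_rfc4514(dns[which]):
            for t, v in rdn:
                if t == typ.upper():
                    return escape_filter_value(v)
        raise KeyError('no %s attribute in %s' % (typ, which))

    return re.sub(r'\{(subject|issuer)(?::([^}]+))?\}', expand, template)
```

With the subject from the design page, 'CN=Certuser,CN=Users,DC=example,DC=com', the pattern '*,*,DC=example,DC=com' matches, '*,DC=example,DC=com' does not (distance 2, maximum 1) and '**,*,DC=example,DC=com' does; the same subject in the X.500 order printed by openssl fails until it is passed through to_ldap_order(). Rendering '(&(someAttr={issuer})(someOtherAttr=*{subject:CN}*))' picks the first (most specific) CN and escapes it, so a subject such as 'CN=a*b)(uid=*,O=x' yields a literal value rather than extra filter components; the subject DN comes from a certificate the CA signed, not from the directory, and has to be treated as untrusted input when it is interpolated into a search filter.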
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Mon, 05 Dec 2016 14:09:20 +0100 Subject: [Freeipa-devel] [freeipa PR#309][opened] ipa-replica-conncheck: fix race condition Message-ID: URL: https://github.com/freeipa/freeipa/pull/309 Author: tomaskrizek Title: #309: ipa-replica-conncheck: fix race condition Action: opened PR body: """ When the thread that opens ports would execute notify() before the original thread could call wait(), the original thread would wait indefinitely for a notify() call. https://fedorahosted.org/freeipa/ticket/6487 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/309/head:pr309 git checkout pr309 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-309.patch Type: text/x-diff Size: 2160 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 13:30:38 2016 From: freeipa-github-notification at redhat.com (apophys) Date: Mon, 05 Dec 2016 14:30:38 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases apophys commented: """ The tests look good to me. """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-264854251 From freeipa-github-notification at redhat.com Mon Dec 5 13:39:23 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 14:39:23 +0100 Subject: [Freeipa-devel] [freeipa PR#227][+ack] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 13:52:10 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 05 Dec 2016 14:52:10 +0100 Subject: [Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext pspacek commented: """ If the file `Rules-quot` is generated by `autoreconf -i`, please remove it completely and add it into `.gitignore`. """ See the full comment at https://github.com/freeipa/freeipa/pull/307#issuecomment-264858929 From freeipa-github-notification at redhat.com Mon Dec 5 13:55:27 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 05 Dec 2016 14:55:27 +0100 Subject: [Freeipa-devel] [freeipa PR#309][+ack] ipa-replica-conncheck: fix race condition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/309 Title: #309: ipa-replica-conncheck: fix race condition Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 14:07:34 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Dec 2016 15:07:34 +0100 Subject: [Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants tiran commented: """ ```env_confdir ``` was added in PR #302. This PR is required to make test passing. """ See the full comment at https://github.com/freeipa/freeipa/pull/308#issuecomment-264862403 From freeipa-github-notification at redhat.com Mon Dec 5 14:07:40 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 05 Dec 2016 15:07:40 +0100 Subject: [Freeipa-devel] [freeipa PR#308][+ack] Add 'env_confdir' to constants In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants Label: +ack From freeipa-github-notification at redhat.com Mon Dec 5 15:17:03 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Mon, 05 Dec 2016 16:17:03 +0100 Subject: [Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-279.patch Type: text/x-diff Size: 3852 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 5 15:17:31 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 05 Dec 2016 16:17:31 +0100 Subject: [Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer flo-renaud commented: """ @martbab @mbasti-rh: I checked the code and some parts already use api.env.startup_timeout for certmonger requests (in ipa_certupdate.py or ipa_cacert_manage.py for instance). Is it OK for you if I replace my hardcoded value with api.env.startup_timeout? """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-264880484 From freeipa-github-notification at redhat.com Mon Dec 5 15:25:49 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 16:25:49 +0100 Subject: [Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer martbab commented: """ IMHO anything is better than hardcoded values so you have my blessing. """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-264882789 From freeipa-github-notification at redhat.com Mon Dec 5 15:31:08 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 16:31:08 +0100 Subject: [Freeipa-devel] [freeipa PR#308][closed] Add 'env_confdir' to constants In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Author: martbab Title: #308: Add 'env_confdir' to constants Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/308/head:pr308 git checkout pr308 From freeipa-github-notification at redhat.com Mon Dec 5 15:31:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 16:31:10 +0100 Subject: [Freeipa-devel] [freeipa PR#308][+pushed] Add 'env_confdir' to constants In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 5 15:31:11 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 16:31:11 +0100 Subject: [Freeipa-devel] [freeipa PR#308][comment] Add 'env_confdir' to constants In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/308 Title: #308: Add 'env_confdir' to constants martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/1300381d45a23073261e62cb031cf4285a34f641 """ See the full comment at https://github.com/freeipa/freeipa/pull/308#issuecomment-264884316 From freeipa-github-notification at redhat.com Mon Dec 5 15:32:11 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 05 Dec 2016 16:32:11 +0100 Subject: [Freeipa-devel] [freeipa PR#293][synchronized] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Author: martbab Title: #293: Run out-of-tree tests in Travis CI Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/293/head:pr293 git checkout pr293 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-293.patch Type: text/x-diff Size: 5409 bytes Desc: not available URL: From blipton at redhat.com Mon Dec 5 15:48:27 2016 
From: blipton at redhat.com (Ben Lipton)
Date: Mon, 5 Dec 2016 10:48:27 -0500
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To:
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com>
Message-ID:

Hi Jan, thanks for the comments.

On 12/05/2016 04:25 AM, Jan Cholasta wrote:
> Hi Ben,
>
> On 3.11.2016 00:12, Ben Lipton wrote:
>> Hi everybody,
>>
>> Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten.
>
> Thanks, I have some questions and comments, see below.
>
>> Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission):
>>
>> - Current PR: https://github.com/freeipa/freeipa/pull/10
>
> How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key.
>
> Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward.

This is probably doable with the cffi, but I'm concerned about usability. A user can run the current command to get a (reusable) script, and run the script to get a CSR. It works with keys in both PEM files and NSS databases already.

If we change to outputting a CertificationRequestInfo, in order to make this usable on the command line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo (for both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within the ipa command (like [1] but we need it for both types of key storage)

Since as far as I know there's no standard encoding for files containing only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be writing and distributing these ourselves. I think that's where most of the extra work will come in.

Would it be ok to stick with the current design in this PR? I'd feel much better if we could get the basic functionality into the repo and then iterate on it rather than changing the plan at this point. I can create a separate PR to change cert_get_requestdata to this new interface and at the same time add the necessary adapters (bullet points above) to make it user-friendly. I would probably just implement the adapters within the cert_build/cert_request client code unless you think having standalone tools is valuable. I suppose certmonger is going to need these features too, but I don't know how well sharing code between them is going to work.

>
>> - Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data
>
> Good idea :-)
>
>> - Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
>
> LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command.

I did try that at first, but I struggled to figure out the interface for the modified cert-request. (Not that the current solution is so great, what with the copying of options from cert_request and certreq.)

If I remember correctly, I was uncertain how to implement parameters that are required/invalid based on other parameters: the current cert-request takes a signed CSR (required), a principal (required), and a profile ID; the new cert-request (what I implemented as cert-build) takes a principal (required), a profile ID (required), and a key location (required). I can't remember if that was the only problem, but I'll try again to merge the commands and get back to you.

>
>> Other prototypes and design ideas that aren't ready for submission yet:
>>
>> - Utility written in C to build a CertificationRequestInfo from a SubjectPublicKeyInfo and an openssl-style config file. The purpose of this is to take a config that my code already knows how to generate, and put it in a form that certmonger can use. This is nearly done and available at: https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
>
> Nice! As I said above, this could really make implementing the "new" csrgen interface simple.
>
>> - Ideally it should be possible to use this tool to reimplement the full cert-request automation (local-cert-build branch) without a dependency on the certutil/openssl tools. However, I don't think any of the python crypto libraries have bindings for the functions that deal with CertificationRequestInfo objects, so I don't think I can do this in the short term.
>
> You can use python-cffi to write your own minimal bindings. It's fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an example of how to port C code to Python with python-cffi.

Thank you for the example. I will take a look.

>
>> - Certmonger "helper" program that takes in the CertificationRequestInfo that certmonger generates, calls out to IPA for profile-specific data, and returns an updated CertificationRequestInfo built from the data. Certmonger doesn't currently support this type of helper, but (if I understood correctly) this is the architecture Nalin believed would be simplest to fit in. This is not done yet, but I intend to complete it soon - it shouldn't require much code beyond what's in build_requestinfo.c.
>
> To me this sounds like it should be a new operation of the current helper rather than a completely new helper.

Maybe so. I certainly wouldn't call this a finished design, I just wanted to have some kind of proof of concept for how the certmonger integration could work. For what it's worth, that prototype is now available at [2].

>
> Anyway, the ultimate goal is to move the csrgen code to the server, which means everything the helper will have to do is call a command over RPC.
>
>> - Tool to convert an XER-encoded cert extension to DER, given the ASN.1 description of the extension. This would unblock Jan Cholasta's idea of using XSLT for templates rather than text-based formatting. I should be able to implement the conversion tool, but it may be a while before I have time to demo the full XSLT idea.
>
> Was there any progress on this?

I have started working on implementing it with asn1c, and I'm already seeing some of the inconvenience (security issues aside) of building on the server. Libtasn1 seems like a much better model, but doesn't seem to have XER support. Anyway, don't quite have results here yet but I think I should have the XER->DER demo with asn1c ready in a week or two.

>
>> So: currently on my to do list are the certmonger helper and the XER->DER conversion tool. Do you have any comments about these plans, and is there anything else I can do to wrap up the project neatly?
>>
>> Thanks,
>> Ben
>>
>
> Honza
>

[1] https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c
[2] https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c

From freeipa-github-notification at redhat.com Mon Dec 5 16:47:16 2016
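Ben's point in the thread above is that a PKCS#10 CertificationRequest is really three DER fields (CertificationRequestInfo, signature algorithm, signature) and that the CertificationRequestInfo in turn carries the SubjectPublicKeyInfo, yet there is no standard file format for either piece on its own. The following is an added, stand-alone example that is not code from the thread, from FreeIPA or from certmonger: a minimal DER walker in Python (standard library only) that splits a CertificationRequest into its three fields and pulls the SubjectPublicKeyInfo and the subject commonName out of the CertificationRequestInfo. The sample CSR is constructed in memory with a placeholder modulus and an all-zero signature, so no key material is involved and nothing here verifies a signature.

```python
# Added example, not FreeIPA/certmonger code: walk a PKCS#10 CSR with a
# minimal DER codec and pull out the CertificationRequestInfo and the
# SubjectPublicKeyInfo it carries. The CSR is constructed below with a
# fake modulus and a zero signature; nothing here verifies signatures.

# --- minimal DER TLV helpers ------------------------------------------------
def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body as one DER element with the given tag."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element starting at pos; return (tag, value, end_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(value: bytes):
    """Split the contents of a constructed element into (tag, raw TLV) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = read_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


SEQ, SET, INT, NULL, OID, BITSTR, UTF8, CTX0 = 0x30, 0x31, 0x02, 0x05, 0x06, 0x03, 0x0C, 0xA0

# --- constructed sample CSR (not a real key, not a real signature) -----------
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName

FAKE_MODULUS = b"\x00\xc1" + bytes(range(1, 32))      # constructed placeholder, 33 bytes
RSA_PUBKEY = tlv(SEQ, tlv(INT, FAKE_MODULUS) + tlv(INT, b"\x01\x00\x01"))
SAMPLE_SPKI = tlv(SEQ, tlv(SEQ, tlv(OID, OID_RSA) + tlv(NULL, b""))
                   + tlv(BITSTR, b"\x00" + RSA_PUBKEY))
SAMPLE_CN = "host.example.test"                       # constructed


def build_sample_csr() -> bytes:
    """CertificationRequest ::= SEQUENCE { CRI, AlgorithmIdentifier, BIT STRING }."""
    subject = tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, SAMPLE_CN.encode()))))
    cri = tlv(SEQ, tlv(INT, b"\x00") + subject + SAMPLE_SPKI + tlv(CTX0, b""))
    sig_alg = tlv(SEQ, tlv(OID, OID_SHA256_RSA) + tlv(NULL, b""))
    signature = tlv(BITSTR, b"\x00" + bytes(32))      # placeholder, not a real signature
    return tlv(SEQ, cri + sig_alg + signature)


# --- the split the thread talks about ----------------------------------------
def split_csr(csr: bytes) -> dict:
    """Return the raw DER of the three top-level CSR fields."""
    tag, body, end = read_tlv(csr)
    if tag != SEQ or end != len(csr):
        raise ValueError("not a single DER SEQUENCE")
    parts = children(body)
    if len(parts) != 3 or parts[0][0] != SEQ or parts[1][0] != SEQ or parts[2][0] != BITSTR:
        raise ValueError("not a PKCS#10 CertificationRequest")
    return {"cri": parts[0][1], "sig_alg": parts[1][1], "signature": parts[2][1]}


def spki_from_cri(cri: bytes) -> bytes:
    """CRI ::= SEQUENCE { version, subject, subjectPKInfo, [0] attributes }."""
    _, body, _ = read_tlv(cri)
    fields = children(body)
    if len(fields) < 3 or fields[2][0] != SEQ:
        raise ValueError("malformed CertificationRequestInfo")
    return fields[2][1]


def subject_cn(cri: bytes) -> str:
    """Find the commonName in the CRI's subject Name (SEQUENCE of SET of SEQUENCE)."""
    _, body, _ = read_tlv(cri)
    _, name_body, _ = read_tlv(children(body)[1][1])
    for _, rdn in children(name_body):
        _, rdn_body, _ = read_tlv(rdn)
        for _, atv in children(rdn_body):
            _, atv_body, _ = read_tlv(atv)
            (_, oid_raw), (_, value_raw) = children(atv_body)
            if read_tlv(oid_raw)[1] == OID_CN:
                return read_tlv(value_raw)[1].decode()
    raise ValueError("no commonName in subject")
```

Because `split_csr` and `spki_from_cri` return raw DER, the pieces can be written to a file and handed to a signer or to certmonger as-is; the caller, not the format, has to record which structure a given blob is, which is exactly the missing convention Ben describes.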
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 05 Dec 2016 17:47:16 +0100
Subject: [Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

stlaz commented:
"""
Since I recently ran into issues with ipa-server-install and low entropy somewhere around creation of kdb proxy which drastically increased install time, would it make sense to install haveged atop of our rpms to possibly mitigate the problem?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-264906938

From freeipa-github-notification at redhat.com Mon Dec 5 18:24:38 2016
From: freeipa-github-notification at redhat.com (flo-renaud)
Date: Mon, 05 Dec 2016 19:24:38 +0100
Subject: [Freeipa-devel] [freeipa PR#292][synchronized] Increase the timeout waiting for certificate issuance in installer
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/292
Author: flo-renaud
Title: #292: Increase the timeout waiting for certificate issuance in installer
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/292/head:pr292
git checkout pr292

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-292.patch
Type: text/x-diff
Size: 1600 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 07:08:22 2016
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 06 Dec 2016 08:08:22 +0100 Subject: [Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-279.patch Type: text/x-diff Size: 3844 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 07:53:50 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 06 Dec 2016 08:53:50 +0100 Subject: [Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/279 Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf pspacek commented: """ NACK """ See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-265084090 From freeipa-github-notification at redhat.com Tue Dec 6 08:10:28 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 06 Dec 2016 09:10:28 +0100 Subject: [Freeipa-devel] [freeipa PR#279][synchronized] installer: Stop adding distro-specific NTP servers into ntp.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/279 Author: dkupka Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/279/head:pr279 git checkout pr279 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-279.patch Type: text/x-diff Size: 3890 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 08:57:38 2016 
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 06 Dec 2016 09:57:38 +0100
Subject: [Freeipa-devel] [freeipa PR#310][opened] WIP: CLI testing
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/310
Author: mirielka
Title: #310: WIP: CLI testing
Action: opened

PR body:
"""
Here is the basic part of CLI testing for you to take a look at and provide feedback, before it's all done and polished up.

How it works: so far it's only tuned to run stageuser tests, so use `./make-tests ipatests/test_xmlrpc/test_stageuser_plugin.py --cli` to run in CLI mode, or of course without the --cli option to run original API tests. Note that the last three tests are expected to fail in CLI mode as group tracker has not been modified for CLI testing yet.

What gets changed:
- '--cli' option is added
- base tracker: changes that should ensure the basic functionality to run existing tests in CLI mode; this includes the way to execute commands and the mapping of defined API options and output values to the CLI style (the idea of the mapping was to convert the text output from CLI to API style output so that more extensive methods to compare CLI output with expected values do not have to be created)
- specific trackers: changes are needed because CLI calls have different output than API calls (some messages are different, some items of API output are not present in CLI). So far I've modified stageuser tracker fully (i.e. that one should be final) and user tracker partly (just so that stageuser tests that use user tracker work properly, but user tests will not work in CLI mode yet).
- xmlrpc_test.py: unfortunately I failed to find a way to raise the exception from subprocess so that it would fit the exception comparison using raises_exact method, so I chose to raise ExecutionError when it occurs in subprocess and compare just the error message in stderr. Since I expect the CLI tests to be run along with API tests, any change in type of raised error should be caught by API tests.

So far I observed:
- positives: no tests need to be changed, all the necessary changes are in trackers (which was the intention)
- negatives: only works for tracker based tests, i.e. not for declarative tests or tests that use just api.Command style; tests run longer than API tests

So please, if you have any comments and suggestions, I'll be glad to hear them so that I can polish this and finish the modifications.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/310/head:pr310
git checkout pr310

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-310.patch
Type: text/x-diff
Size: 40729 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 10:09:39 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Tue, 06 Dec 2016 11:09:39 +0100
Subject: [Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

mirielka commented:
"""
Please check inline comments. Also suggestion for more test cases:
- try to create a user whose automatically generated uid would be too long (>32 characters)
- try to create a user whose automatically generated uid would contain invalid characters (other than letters, numbers, _, -, . and $).
Also goes for PR #210
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-265110867

From freeipa-github-notification at redhat.com Tue Dec 6 10:28:44 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 11:28:44 +0100 Subject: [Freeipa-devel] [freeipa PR#311][opened] bindinstance: use LDAP to determine configuration status Message-ID: URL: https://github.com/freeipa/freeipa/pull/311 Author: martbab Title: #311: bindinstance: use LDAP to determine configuration status Action: opened PR body: """ Instead of checking sysrestore status which leads to incorrect evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, use server roles API to query DNS server role status on the master. Use the default implementation only if LDAP connection is unavailable or stale. https://fedorahosted.org/freeipa/ticket/6503 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/311/head:pr311 git checkout pr311 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-311.patch Type: text/x-diff Size: 1813 bytes Desc: not available URL: From jcholast at redhat.com Tue Dec 6 10:37:24 2016 
From: jcholast at redhat.com (Jan Cholasta)
Date: Tue, 6 Dec 2016 11:37:24 +0100
Subject: [Freeipa-devel] [PATCH 0058] Make get_entries not ignore its size_limit argument
In-Reply-To:
References: <7a64f453-df5a-0691-746c-1b04c7171f8a@redhat.com> <47ac8912-1caf-bdd8-bb32-fdb29dffffb8@redhat.com> <3b23492e-17e7-13e1-1099-16cfb0963c98@redhat.com> <0a43fba5-a300-27e6-2ef3-c4f8d907cda4@redhat.com> <0eb715f5-5001-a3b2-743d-18fcd38e1a7e@redhat.com> <4c4890fc-8f13-267c-bd65-2d4475ae644a@redhat.com> <0914dd3d-899a-6cd5-9800-b9dbed818437@redhat.com>
Message-ID: <527bb3c5-07e1-24f3-d43d-8adbd8398254@redhat.com>

On 21.11.2016 17:08, Standa Laznicka wrote:
> On 10/10/2016 08:47 AM, Standa Laznicka wrote:
>> On 10/10/2016 07:53 AM, Jan Cholasta wrote:
>>> On 7.10.2016 12:23, Standa Laznicka wrote:
>>>> On 10/07/2016 08:31 AM, Jan Cholasta wrote:
>>>>> On 17.8.2016 13:47, Stanislav Laznicka wrote:
>>>>>> On 08/11/2016 02:59 PM, Stanislav Laznicka wrote:
>>>>>>> On 08/11/2016 07:49 AM, Jan Cholasta wrote:
>>>>>>>> On 2.8.2016 13:47, Stanislav Laznicka wrote:
>>>>>>>>> On 07/19/2016 09:20 AM, Jan Cholasta wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> On 14.7.2016 14:36, Stanislav Laznicka wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> This patch fixes https://fedorahosted.org/freeipa/ticket/5640.
>>>>>>>>>>>
>>>>>>>>>>> With not so much experience with the framework, it raises a question in my head whether ipaldap.get_entries is used properly throughout the system - does it always assume that it gets ALL the requested entries or just a few of those as configured by the 'ipaSearchRecordsLimit' attribute of ipaConfig.etc which it actually gets?
>>>>>>>>>>
>>>>>>>>>> That depends. If you call get_entries() on the ldap2 plugin (which is usually the case in the framework), then ipaSearchRecordsLimit is used. If you call it on some arbitrary LDAPClient instance, the hardcoded default (= unlimited) is used.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> One spot that I know the get_entries method was definitely not used properly before this patch is in the baseldap.LDAPObject.get_memberindirect() method:
>>>>>>>>>>>
>>>>>>>>>>> 692         result = self.backend.get_entries(
>>>>>>>>>>> 693             self.api.env.basedn,
>>>>>>>>>>> 694             filter=filter,
>>>>>>>>>>> 695             attrs_list=['member'],
>>>>>>>>>>> 696             size_limit=-1,  # paged search will get everything anyway
>>>>>>>>>>> 697             paged_search=True)
>>>>>>>>>>>
>>>>>>>>>>> which to me seems kind of important if the environment size_limit is not set properly :) The patch does not fix the non-propagation of the paged_search, though.
>>>>>>>>>>
>>>>>>>>>> Why do you think size_limit is not used properly here?
>>>>>>>>> AFAIU it is desired that the search is unlimited. However, due to the fact that neither size_limit nor paged_search are passed from ldap2.get_entries() to ldap2.find_entries() (methods inherited from LDAPClient), only the number of records specified by ipaSearchRecordsLimit is returned. That could eventually cause problems should ipaSearchRecordsLimit be set to a low value as in the ticket.
>>>>>>>>
>>>>>>>> I see. This is *not* intentional, the **kwargs of get_entries() should be passed to find_entries(). This definitely needs to be fixed.
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Anyway, this ticket is not really easily fixable without more profound changes. Often, multiple LDAP searches are done during command execution. What do you do with the size limit then? Do you pass the same size limit to all the searches? Do you subtract the result size from the size limit after each search? Do you do something else with it? ... The answer is that it depends on the purpose of each individual LDAP search (like in get_memberindirect() above, we have to do unlimited search, otherwise the resulting entry would be incomplete), and fixing this across the whole framework is a non-trivial task.
>>>>>>>>>>
>>>>>>>>> I do realize that the proposed fix for the permission plugin is not perfect, it would probably be better to subtract the number of currently loaded records from the sizelimit, although in the end the number of returned values will not be higher than the given size_limit. However, it seems reasonable that if get_entries is passed a size limit, it should apply it over current ipaSearchRecordsLimit rather than ignoring it. Then, any use of get_entries could be fixed accordingly if someone sees fit.
>>>>>>>>>
>>>>>>>> Right. Anyway, this is a different issue than above, so please put this into a separate commit.
>>>>>>>>
>>>>>>> Please see the attached patches, then.
>>>>>>>
>>>>>> Self-NACK, with Honza's help I found there was a mistake in the code. I also found an off-by-one bug which I hope I could stick to the other two patches (attaching only the modified and new patches).
>>>>>
>>>>> Works for me, but this bit in patch 0064 looks suspicious to me:
>>>>>
>>>>> +            if max_entries > 0 and len(entries) == max_entries:
>>>>>
>>>>> Shouldn't it rather be:
>>>>>
>>>>> +            if max_entries > 0 and len(entries) >= max_entries:
>>>>>
>>>>> ?
>>>>>
>>>> The length of entries list should not exceed max_entries if size_limit is properly implemented. Therefore the list you get from execute() should not have more than max_entries entries. You shouldn't also be able to append a legacy entry to entries list if this check is the first thing you do.
>>>
>>> That's a lot of shoulds :-) I would expect at least an assert statement to make sure everything is right.
>>>
>>>> That being said, >= could be used but then some popping of entries from entries list would be necessary. But it's perhaps safer to do, although if there's a bug, it won't be that obvious :)
>>>
>>> OK, nevermind then, just add the assert please, to make bugs *very* obvious.
>>>
>> An assert seems like a very good idea, attached is an asserting patch.
>>
> Attached is the patch rebased on the current master. Renumbered it a bit as previous numbers could've been confusing so I also omitted the revision number.

ACK.

Removed a stray **kwargs from find_entries() in patch 0065 (as agreed with Standa offline) and pushed to master: 2663a966dad138160a850e6af97c38a88ec83f93

--
Jan Cholasta

From freeipa-github-notification at redhat.com Tue Dec 6 11:04:03 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 06 Dec 2016 12:04:03 +0100
Subject: [Freeipa-devel] [freeipa PR#311][comment] bindinstance: use LDAP to determine configuration status
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/311
Title: #311: bindinstance: use LDAP to determine configuration status

martbab commented:
"""
OK I will then close this PR and create a separate one against ipa-4-4
"""

See the full comment at https://github.com/freeipa/freeipa/pull/311#issuecomment-265122383

From freeipa-github-notification at redhat.com Tue Dec 6 11:04:05 2016
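The [PATCH 0058] thread above turns on two points: a caller-supplied size_limit should apply over the configured ipaSearchRecordsLimit instead of being ignored, and when several searches run in one command the budget has to be carried across them, with the `len(entries) == max_entries` check backed by an assert so an overrun is loud rather than silent. The following is an added, stand-alone Python example that is not FreeIPA's ipaldap code: the in-memory directory, the configured limit value and the conventions that `None` means "use the configured default" and a value of 0 or below means "unlimited" are all constructed for the example.

```python
# Added example, not FreeIPA code: honour a caller's size_limit over a
# configured default and carry the remaining budget across several
# searches, with the assert the reviewers in the thread asked for.
# The directory, limits and None/<=0 conventions are constructed here.

from typing import Dict, List, Optional, Tuple

CONFIGURED_LIMIT = 100   # stands in for ipaSearchRecordsLimit (constructed value)


def effective_limit(size_limit: Optional[int], configured: int = CONFIGURED_LIMIT) -> int:
    """Resolve the limit for a group of searches.

    Convention used by this example: None means "use the configured
    default", any value <= 0 means unlimited (returned as 0), n > 0 means
    at most n entries in total.
    """
    if size_limit is None:
        size_limit = configured
    return size_limit if size_limit > 0 else 0


def fake_search(directory: List[Dict[str, str]], attr_filter: Dict[str, str],
                size_limit: int) -> List[Dict[str, str]]:
    """Constructed stand-in for an LDAP search: entries matching every
    filter attribute, cut to size_limit when size_limit > 0 (0 = unlimited)."""
    hits = [e for e in directory
            if all(e.get(k) == v for k, v in attr_filter.items())]
    return hits[:size_limit] if size_limit > 0 else hits


def collect_entries(directory: List[Dict[str, str]], filters: List[Dict[str, str]],
                    size_limit: Optional[int] = None,
                    configured: int = CONFIGURED_LIMIT) -> Tuple[List[Dict[str, str]], bool]:
    """Run each filter in turn, subtracting what is already collected from the
    remaining budget. Returns (entries, limit_reached)."""
    max_entries = effective_limit(size_limit, configured)
    entries: List[Dict[str, str]] = []
    for attr_filter in filters:
        # With max_entries > 0 we only get here while len(entries) < max_entries,
        # so remaining is at least 1 and never collapses into the "unlimited" 0.
        remaining = max_entries - len(entries) if max_entries > 0 else 0
        entries.extend(fake_search(directory, attr_filter, remaining))
        # The invariant the thread wanted made obvious: a search must never
        # hand back more than it was asked for.
        assert max_entries <= 0 or len(entries) <= max_entries, "size_limit overrun"
        if max_entries > 0 and len(entries) == max_entries:
            return entries, True      # budget exhausted; later searches are skipped
    return entries, False


# Constructed sample data: five person entries and four group entries.
SAMPLE_DIRECTORY = (
    [{"cn": f"user{i}", "objectclass": "person"} for i in range(5)]
    + [{"cn": f"group{i}", "objectclass": "groupofnames"} for i in range(4)]
)
SAMPLE_FILTERS = [{"objectclass": "person"}, {"objectclass": "groupofnames"}]
```

With a configured limit of 3 and no explicit size_limit, only the first three person entries come back and the group search never runs; with size_limit=6 the person search uses the whole budget but one, and the group search is cut to a single entry, which is the "subtract the number of currently loaded records" behaviour discussed in the thread.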
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 12:04:05 +0100 Subject: [Freeipa-devel] [freeipa PR#311][closed] bindinstance: use LDAP to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/311 Author: martbab Title: #311: bindinstance: use LDAP to determine configuration status Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/311/head:pr311 git checkout pr311 From freeipa-github-notification at redhat.com Tue Dec 6 11:04:11 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 12:04:11 +0100 Subject: [Freeipa-devel] [freeipa PR#311][+rejected] bindinstance: use LDAP to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/311 Title: #311: bindinstance: use LDAP to determine configuration status Label: +rejected From freeipa-github-notification at redhat.com Tue Dec 6 11:28:01 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 06 Dec 2016 12:28:01 +0100
Subject: [Freeipa-devel] [freeipa PR#312][opened] bindinstance: use data in named.conf to determine configuration status
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/312
Author: martbab
Title: #312: bindinstance: use data in named.conf to determine configuration status
Action: opened

PR body:
"""
Instead of checking sysrestore status which leads to incorrect evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look into named.conf to see whether it was already modified by IPA installer.

https://fedorahosted.org/freeipa/ticket/6503
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/312/head:pr312
git checkout pr312

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-312.patch
Type: text/x-diff
Size: 1362 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 11:47:57 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Tue, 06 Dec 2016 12:47:57 +0100
Subject: [Freeipa-devel] [freeipa PR#309][+pushed] ipa-replica-conncheck: fix race condition
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/309
Title: #309: ipa-replica-conncheck: fix race condition
Label: +pushed

From freeipa-github-notification at redhat.com Tue Dec 6 11:47:59 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 12:47:59 +0100 Subject: [Freeipa-devel] [freeipa PR#309][comment] ipa-replica-conncheck: fix race condition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/309 Title: #309: ipa-replica-conncheck: fix race condition mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a44974cdf8a6c53f2e86dac92aa579ba45f666e4 """ See the full comment at https://github.com/freeipa/freeipa/pull/309#issuecomment-265130759 From freeipa-github-notification at redhat.com Tue Dec 6 11:48:00 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 12:48:00 +0100 Subject: [Freeipa-devel] [freeipa PR#309][closed] ipa-replica-conncheck: fix race condition In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/309 Author: tomaskrizek Title: #309: ipa-replica-conncheck: fix race condition Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/309/head:pr309 git checkout pr309 From freeipa-github-notification at redhat.com Tue Dec 6 11:52:46 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 12:52:46 +0100 Subject: [Freeipa-devel] [freeipa PR#312][+ack] bindinstance: use data in named.conf to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/312 Title: #312: bindinstance: use data in named.conf to determine configuration status Label: +ack From freeipa-github-notification at redhat.com Tue Dec 6 12:05:49 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:05:49 +0100 Subject: [Freeipa-devel] [freeipa PR#276][closed] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Author: tomaskrizek Title: #276: replica-conncheck: improve error msg + logging Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/276/head:pr276 git checkout pr276 From freeipa-github-notification at redhat.com Tue Dec 6 12:05:50 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:05:50 +0100 Subject: [Freeipa-devel] [freeipa PR#276][+pushed] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 6 12:05:52 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:05:52 +0100 Subject: [Freeipa-devel] [freeipa PR#276][comment] replica-conncheck: improve error msg + logging In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/276 Title: #276: replica-conncheck: improve error msg + logging mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/eb6905bbb45d246f9beddeea69da2236cf67bc68 https://fedorahosted.org/freeipa/changeset/de981d348efed6dc58b2e355e65244853f06ebc1 """ See the full comment at https://github.com/freeipa/freeipa/pull/276#issuecomment-265134104 From freeipa-github-notification at redhat.com Tue Dec 6 12:10:35 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:10:35 +0100 Subject: [Freeipa-devel] [freeipa PR#288][comment] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Title: #288: Fix missing translation string mbasti-rh commented: """ I pushed just commit `fix missing translation string` * 0499ba5795cf483756ac980604fd2c26fda7ba39 fix missing translation string Thank you! """ See the full comment at https://github.com/freeipa/freeipa/pull/288#issuecomment-265134988 From freeipa-github-notification at redhat.com Tue Dec 6 12:10:39 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:10:39 +0100 Subject: [Freeipa-devel] [freeipa PR#288][closed] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Author: shanyin Title: #288: Fix missing translation string Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/288/head:pr288 git checkout pr288 From freeipa-github-notification at redhat.com Tue Dec 6 12:10:42 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:10:42 +0100 Subject: [Freeipa-devel] [freeipa PR#288][+pushed] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Title: #288: Fix missing translation string Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 6 12:10:43 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 06 Dec 2016 13:10:43 +0100 Subject: [Freeipa-devel] [freeipa PR#288][+ack] Fix missing translation string In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/288 Title: #288: Fix missing translation string Label: +ack From freeipa-github-notification at redhat.com Tue Dec 6 12:50:11 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Tue, 06 Dec 2016 13:50:11 +0100 Subject: [Freeipa-devel] [freeipa PR#292][synchronized] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Author: flo-renaud Title: #292: Increase the timeout waiting for certificate issuance in installer Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/292/head:pr292 git checkout pr292 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-292.patch Type: text/x-diff Size: 1566 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 15:14:10 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Tue, 06 Dec 2016 16:14:10 +0100 Subject: [Freeipa-devel] [freeipa PR#313][opened] ipaclient.plugins: Use api_version from internally called commands Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Author: dkupka Title: #313: ipaclient.plugins: Use api_version from internally called commands Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6539 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/313/head:pr313 git checkout pr313 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-313.patch Type: text/x-diff Size: 2974 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 15:14:13 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 16:14:13 +0100 Subject: [Freeipa-devel] [freeipa PR#227][+pushed] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 6 15:14:14 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 16:14:14 +0100 Subject: [Freeipa-devel] [freeipa PR#227][comment] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Title: #227: cert-request: match names against principal aliases martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7 """ See the full comment at https://github.com/freeipa/freeipa/pull/227#issuecomment-265175103 From freeipa-github-notification at redhat.com Tue Dec 6 15:14:16 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 06 Dec 2016 16:14:16 +0100 Subject: [Freeipa-devel] [freeipa PR#227][closed] cert-request: match names against principal aliases In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 From freeipa-github-notification at redhat.com Tue Dec 6 15:26:07 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 06 Dec 2016 16:26:07 +0100
Subject: [Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/293
Title: #293: Run out-of-tree tests in Travis CI

martbab commented:
"""
We bind mount (non-blocking) /dev/urandom as /dev/random inside the container so we should actually never get stuck on low entropy in there.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-265178421

From flo at redhat.com Tue Dec 6 15:39:10 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Tue, 6 Dec 2016 16:39:10 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping
Message-ID: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com>

Hi,

I have started a feature description for the Certificate Identity Mapping at the following location:
http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

This is a first step, focusing on the interface we would like to provide. It still contains open questions, some of which are linked to the corresponding design on SSSD side:
https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities

Comments, concerns and suggestions are welcome.

Thanks!
Flo.

From freeipa-github-notification at redhat.com Tue Dec 6 16:02:49 2016
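An added check that is not part of PR #293 or of FreeIPA: a practitioner who wants to confirm from inside the container that the bind mount described in the comment above took effect can compare device numbers. On Linux, /dev/random is character device 1:8 and /dev/urandom is 1:9, so a /dev/random node that reports minor 9 is really urandom. The non-blocking read probe covers the other way a test run can stall, a genuine /dev/random on a kernel older than 5.6 whose input pool is starved, in which case the read fails with EAGAIN instead of hanging. The device numbers are Linux conventions; the function names are this example's own.

```python
import os
import stat

# Linux character-device numbers for the kernel RNG nodes (major 1 is the
# "memory devices" major; see Documentation/admin-guide/devices.txt).
DEV_MAJOR_MEM = 1
MINOR_RANDOM = 8    # /dev/random: blocks on a starved pool before kernel 5.6
MINOR_URANDOM = 9   # /dev/urandom: never blocks once the pool is seeded


def classify_device(major, minor):
    """Name the kernel RNG node behind a (major, minor) pair, or 'other'."""
    if major != DEV_MAJOR_MEM:
        return "other"
    if minor == MINOR_RANDOM:
        return "random"
    if minor == MINOR_URANDOM:
        return "urandom"
    return "other"


def device_numbers(path):
    """Return (major, minor) for a character device, or None otherwise."""
    st = os.stat(path)
    if not stat.S_ISCHR(st.st_mode):
        return None
    return os.major(st.st_rdev), os.minor(st.st_rdev)


def nonblocking_read(path, nbytes):
    """Read up to nbytes with O_NONBLOCK. Returns the bytes read, or None
    when the kernel answers EAGAIN (BlockingIOError), i.e. a starved
    blocking pool that would have stalled a normal read."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        try:
            return os.read(fd, nbytes)
        except BlockingIOError:
            return None
    finally:
        os.close(fd)


def check_random_source(path="/dev/random", nbytes=32):
    """Report whether reading `path` could stall a test run.

    'bind_mounted_urandom' is True when a node named 'random' is backed by
    the urandom device, which is what the container setup above produces.
    """
    nums = device_numbers(path)
    kind = classify_device(*nums) if nums else "other"
    data = nonblocking_read(path, nbytes)
    return {
        "path": path,
        "device": kind,
        "bind_mounted_urandom": os.path.basename(path) == "random" and kind == "urandom",
        "nonblocking_read_ok": data is not None and len(data) == nbytes,
    }


if __name__ == "__main__":
    for node in ("/dev/random", "/dev/urandom"):
        print(check_random_source(node))
```

Run it inside the container before the test suite: a result for /dev/random with device 'urandom' and nonblocking_read_ok True means the mount is in place; device 'random' with nonblocking_read_ok False is exactly the low-entropy hang the bind mount is meant to avoid.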
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Dec 2016 17:02:49 +0100
Subject: [Freeipa-devel] [freeipa PR#314][opened] RFC: privilege separation for ipa framework code
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: opened

PR body:
"""
As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189

The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early.

This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). In order to allow trying the code, I made two copr repos with the necessary changes available here:
- https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/
- https://copr.fedorainfracloud.org/coprs/simo/gssproxy/

I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet.

There are 2 fundamental changes in this code:
- the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached.
- the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.)

This required two changes in the form-based authentication workflow:
* The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR)
* The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead.

@jcholast @pvoborni Please provide comments on the framework changes.
@rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ?
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 168909 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 16:39:13 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Dec 2016 17:39:13 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 169883 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 16:40:37 2016
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 06 Dec 2016 17:40:37 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 35990 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 16:41:56 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 06 Dec 2016 17:41:56 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ Rebased on latest master """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265201018 From freeipa-github-notification at redhat.com Tue Dec 6 16:57:50 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 06 Dec 2016 17:57:50 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 36183 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 6 16:58:41 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 06 Dec 2016 17:58:41 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ Rebasing this code is becoming a little difficult, @frasertweedale can you take a look and confirm the changes in cert.py are ok ? """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265206007 From freeipa-github-notification at redhat.com Tue Dec 6 17:17:37 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 06 Dec 2016 18:17:37 +0100
Subject: [Freeipa-devel] [freeipa PR#315][opened] [ipa-4-4] gracefully handle setting replica bind dn group on old masters
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/315
Author: martbab
Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6532

This PR is for ipa-4-4 branch only. I will prepare separate PR for master since the replication code was changed quite a bit during installer refactoring.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/315/head:pr315
git checkout pr315

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-315.patch
Type: text/x-diff
Size: 3668 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Tue Dec 6 17:55:11 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Tue, 06 Dec 2016 18:55:11 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
@simo5 TravisCI's pep8 checker is complaining about some PEP8 violations:

```
./ipalib/install/kinit.py:64:1: E302 expected 2 blank lines, found 1
./ipalib/rpc.py:702:80: E501 line too long (93 > 79 characters)
./ipaplatform/redhat/tasks.py:437:13: E128 continuation line under-indented for visual indent
./ipaserver/install/httpinstance.py:117:1: E302 expected 2 blank lines, found 1
./ipaserver/install/httpinstance.py:127:1: E302 expected 2 blank lines, found 1
./ipaserver/rpcserver.py:428:80: E501 line too long (83 > 79 characters)
./ipaserver/rpcserver.py:625:80: E501 line too long (82 > 79 characters)
./ipaserver/rpcserver.py:932:80: E501 line too long (111 > 79 characters)
./ipaserver/rpcserver.py:941:80: E501 line too long (80 > 79 characters)
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265221871

From freeipa-github-notification at redhat.com Tue Dec 6 18:41:24 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Tue, 06 Dec 2016 19:41:24 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Yeah going through those right now
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514

From freeipa-github-notification at redhat.com Wed Dec 7 08:28:49 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 07 Dec 2016 09:28:49 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
But could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker.

Also see inline comments.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388

From freeipa-github-notification at redhat.com Wed Dec 7 08:59:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 07 Dec 2016 09:59:41 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
I would rather have an explicit pylint version than autodetection
"""
See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265392287

From freeipa-github-notification at redhat.com Wed Dec 7 09:17:51 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 07 Dec 2016 10:17:51 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ Could you make `ca-find` return the cert/chain as well if (and only if) `--all` is specified? Do not add the `--chain` and `--certificate-out` options to it though. This is for consistency with `cert-find`, `host-find`, `service-find`, etc. Not a blocker. Also see inline comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265386388 From freeipa-github-notification at redhat.com Wed Dec 7 09:28:26 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 07 Dec 2016 10:28:26 +0100 Subject: [Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI stlaz commented: """ Good. I see the tests pass now and both @tiran's nitpicks and @mbasti-rh's comment have been resolved, so an ACK is in order. """ See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-265398313 From freeipa-github-notification at redhat.com Wed Dec 7 09:28:28 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 07 Dec 2016 10:28:28 +0100 Subject: [Freeipa-devel] [freeipa PR#293][+ack] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI Label: +ack From freeipa-github-notification at redhat.com Wed Dec 7 09:33:08 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 10:33:08 +0100 Subject: [Freeipa-devel] [freeipa PR#293][+pushed] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 7 09:33:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 10:33:10 +0100 Subject: [Freeipa-devel] [freeipa PR#293][comment] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Title: #293: Run out-of-tree tests in Travis CI mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/5ecaea6bc4f49c2665597ca38fc52f4fae8a9d24 https://fedorahosted.org/freeipa/changeset/6d6fbc010ec2b607a11e0ff69c8cbdcd3c1d47d9 """ See the full comment at https://github.com/freeipa/freeipa/pull/293#issuecomment-265399332 From freeipa-github-notification at redhat.com Wed Dec 7 09:33:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 10:33:11 +0100 Subject: [Freeipa-devel] [freeipa PR#293][closed] Run out-of-tree tests in Travis CI In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/293 Author: martbab Title: #293: Run out-of-tree tests in Travis CI Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/293/head:pr293 git checkout pr293 From freeipa-github-notification at redhat.com Wed Dec 7 09:36:43 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 10:36:43 +0100 Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient mbasti-rh commented: """ could you please fix PEP8? ``` ./ipalib/rpc.py:702:80: E501 line too long (93 > 79 characters) ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265400122 From freeipa-github-notification at redhat.com Wed Dec 7 10:06:27 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 11:06:27 +0100 Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient simo5 commented: """ Yes, getting there, be patient, I discovered other stuff as I fixed pylint per single patch :) """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265406741 From freeipa-github-notification at redhat.com Wed Dec 7 10:10:52 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 11:10:52 +0100 Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient simo5 commented: """ Sorry I thought this PR was the priv sep one, I have fixes for this, pushing in a moment. """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265407701 From freeipa-github-notification at redhat.com Wed Dec 7 10:11:35 2016 
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 07 Dec 2016 11:11:35 +0100
Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-177.patch
Type: text/x-diff
Size: 21929 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 7 10:13:17 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 07 Dec 2016 11:13:17 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast returning cert and chain in `ca_find` when `--all` is given will incur `n * 2` additional round-trips to Dogtag. I am hesitant to do it unless/until Dogtag provides a better way. Let's open tickets.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252

From freeipa-github-notification at redhat.com Wed Dec 7 10:14:03 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 07 Dec 2016 11:14:03 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @jcholast returning cert and chain in `ca_find` when `--all` is given will incur `n * 2` additional round-trips to Dogtag where `n` = number of IPA-managed CAs. I am hesitant to do it unless/until Dogtag provides a better way. Let's open tickets. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265408252 From freeipa-github-notification at redhat.com Wed Dec 7 10:21:38 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 11:21:38 +0100 Subject: [Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-206.patch Type: text/x-diff Size: 2387 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 10:22:41 2016 
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 07 Dec 2016 11:22:41 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 178303 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 7 10:24:18 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 07 Dec 2016 11:24:18 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Updated branch, hopefully lint will be happy.

While there I discovered dcerpc.py was using the HTTP keytab; after discussing with @abbra we decided to just remove such use for now and see later if we need any changes. The use was rare and in the important cases we already have a better option in the code.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793

From freeipa-github-notification at redhat.com Wed Dec 7 10:59:24 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 07 Dec 2016 11:59:24 +0100
Subject: [Freeipa-devel] [freeipa PR#316][opened] Fix error in permission-find post_callback search
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/316
Author: stlaz
Title: #316: Fix error in permission-find post_callback search
Action: opened

PR body:
"""
This pull request fixes a bug introduced when fixing a different issue in https://github.com/freeipa/freeipa/commit/29aa4877eec89894cc3a6e50c4b6817a713d3177
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/316/head:pr316
git checkout pr316

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-316.patch
Type: text/x-diff
Size: 4804 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 7 11:10:16 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Wed, 07 Dec 2016 12:10:16 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, yep, I'm aware of that - `cert-find` does the same. Not a big deal IMO since it has to be explicitly requested by the user. But tickets are certainly a good idea.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265420461

From freeipa-github-notification at redhat.com Wed Dec 7 11:18:42 2016
From: freeipa-github-notification at redhat.com (pvomacka) Date: Wed, 07 Dec 2016 12:18:42 +0100 Subject: [Freeipa-devel] [freeipa PR#307][synchronized] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Author: pvomacka Title: #307: Lowered the version of gettext Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/307/head:pr307 git checkout pr307 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-307.patch Type: text/x-diff Size: 1084 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 11:31:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 12:31:11 +0100 Subject: [Freeipa-devel] [freeipa PR#312][comment] bindinstance: use data in named.conf to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/312 Title: #312: bindinstance: use data in named.conf to determine configuration status mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/f0e09c42b76f229486e5dea097cd2b6602999943 ipa-4-4: https://fedorahosted.org/freeipa/changeset/bf28d79afeff4575adc9ba0618b5acbf0cf51009 """ See the full comment at https://github.com/freeipa/freeipa/pull/312#issuecomment-265424471 From freeipa-github-notification at redhat.com Wed Dec 7 11:31:13 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 12:31:13 +0100 Subject: [Freeipa-devel] [freeipa PR#312][+pushed] bindinstance: use data in named.conf to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/312 Title: #312: bindinstance: use data in named.conf to determine configuration status Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 7 11:31:14 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 12:31:14 +0100 Subject: [Freeipa-devel] [freeipa PR#312][closed] bindinstance: use data in named.conf to determine configuration status In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/312 Author: martbab Title: #312: bindinstance: use data in named.conf to determine configuration status Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/312/head:pr312 git checkout pr312 From freeipa-github-notification at redhat.com Wed Dec 7 11:33:48 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 07 Dec 2016 12:33:48 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code pspacek commented: """ @simo5 Please extend the design page with image description which explains each of the steps. There are numbers and letters in the image which are not explained anywhere. A detailed end-to-end example of interaction could be useful for detailed review. Thank you! """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265424963 From freeipa-github-notification at redhat.com Wed Dec 7 11:34:01 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 07 Dec 2016 12:34:01 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ I have a few small comments on this PR, nothing serious. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265425006 From freeipa-github-notification at redhat.com Wed Dec 7 11:36:27 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 12:36:27 +0100 Subject: [Freeipa-devel] [freeipa PR#294][comment] client, platform: Use paths.SSH* instead of get_config_dir(). In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/294 Title: #294: client, platform: Use paths.SSH* instead of get_config_dir(). mbasti-rh commented: """ @tjaalton just one nitpick, otherwise it looks good to me """ See the full comment at https://github.com/freeipa/freeipa/pull/294#issuecomment-265425410 From freeipa-github-notification at redhat.com Wed Dec 7 11:40:11 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 12:40:11 +0100 Subject: [Freeipa-devel] [freeipa PR#284][comment] ipautil: check for open ports on all resolved IPs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/284 Title: #284: ipautil: check for open ports on all resolved IPs mbasti-rh commented: """ needs rebase """ See the full comment at https://github.com/freeipa/freeipa/pull/284#issuecomment-265426083 From freeipa-github-notification at redhat.com Wed Dec 7 11:48:25 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 07 Dec 2016 12:48:25 +0100
Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer
In-Reply-To:
References:
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/209
Title: #209: Enumerate available options in IPA installer

mbasti-rh commented:
"""
@jcholast any update? Should we reject this PR and wait for `argparse` or fix it with `optparse` as well? IMO fixing it now is better for UX, we don't know when or if we migrate to argparse.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265427657

From freeipa-github-notification at redhat.com Wed Dec 7 11:58:32 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Wed, 07 Dec 2016 12:58:32 +0100
Subject: [Freeipa-devel] [freeipa PR#317][opened] Unify password generation across FreeIPA
Message-ID:
URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
Title: #317: Unify password generation across FreeIPA
Action: opened

PR body:
"""
When installing FreeIPA in FIPS mode I noticed that there were often different ways of generating passwords in different spots raising the same issue with password requirements. Handling password generation at one centralized spot should allow us to handle any password requirements issues at this very spot.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-317.patch
Type: text/x-diff
Size: 5995 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 7 12:01:31 2016
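As an added example of the single generator PR #317 argues for (this is not the PR's code and not FreeIPA's own ipa_generate_password), the block below draws from the OS CSPRNG through Python's secrets module, derives the password length from a requested entropy budget, and enforces one composition policy in one place, so a requirement imposed by a FIPS-mode backend is handled by changing this function rather than every caller. The specific policy (a minimum length and at least one character from each of four classes) and the special-character set are assumptions chosen for this example.

```python
import math
import secrets
import string

# Character classes the generator must cover. The special set omits quotes,
# backslash, whitespace and '#' so the result can be written into config
# files and shell-quoted arguments without escaping (an assumption of this
# example, not a FreeIPA rule).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!$%&()*+,-./:;<>?@[]^_{|}~"
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def required_length(entropy_bits, alphabet_size):
    """Smallest length at which uniform choice from `alphabet_size` symbols
    carries at least `entropy_bits` bits (each symbol adds log2(size) bits)."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two symbols")
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def meets_policy(password, classes=DEFAULT_CLASSES, min_length=8):
    """True when the password is long enough and uses every class once."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(entropy_bits=128, classes=DEFAULT_CLASSES, min_length=8):
    """Generate a password from the OS CSPRNG (secrets) with at least
    `entropy_bits` of entropy that satisfies meets_policy().

    Rejection sampling (regenerate until every class is present) keeps the
    output uniform over the set of acceptable passwords; at these lengths
    the rejection rate is tiny, so the loop terminates almost immediately.
    """
    alphabet = "".join(sorted(set("".join(classes))))
    length = max(min_length, len(classes),
                 required_length(entropy_bits, len(alphabet)))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, classes, min_length):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, len(pw), meets_policy(pw))
```

With the default 88-symbol alphabet a 128-bit budget yields a 20-character password; callers that need a different policy pass their own classes or minimum length instead of rolling a second generator.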
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 13:01:31 +0100 Subject: [Freeipa-devel] [freeipa PR#316][+ack] Fix error in permission-find post_callback search In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/316 Title: #316: Fix error in permission-find post_callback search Label: +ack From freeipa-github-notification at redhat.com Wed Dec 7 12:02:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 13:02:32 +0100 Subject: [Freeipa-devel] [freeipa PR#316][+pushed] Fix error in permission-find post_callback search In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/316 Title: #316: Fix error in permission-find post_callback search Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 7 12:02:34 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 13:02:34 +0100 Subject: [Freeipa-devel] [freeipa PR#316][comment] Fix error in permission-find post_callback search In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/316 Title: #316: Fix error in permission-find post_callback search mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0c044cb084780ee45860169dd5d12689cf05fa49 https://fedorahosted.org/freeipa/changeset/a77627dd8cca43bd1131a7e186de0ab159763761 """ See the full comment at https://github.com/freeipa/freeipa/pull/316#issuecomment-265430295 From freeipa-github-notification at redhat.com Wed Dec 7 12:02:35 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 13:02:35 +0100 Subject: [Freeipa-devel] [freeipa PR#316][closed] Fix error in permission-find post_callback search In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/316 Author: stlaz Title: #316: Fix error in permission-find post_callback search Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/316/head:pr316 git checkout pr316 From freeipa-github-notification at redhat.com Wed Dec 7 12:13:52 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 13:13:52 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ Note: this PR also depends on and includes commits from #206 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380 From freeipa-github-notification at redhat.com Wed Dec 7 12:13:54 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 07 Dec 2016 13:13:54 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @mbasti-rh, I don't care as long as it's done right (i.e. without hardcoding `cli_metavar` in knob definitions). """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265432383 From freeipa-github-notification at redhat.com Wed Dec 7 12:26:17 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 07 Dec 2016 13:26:17 +0100 Subject: [Freeipa-devel] [freeipa PR#318][opened] server install: fix external CA install Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Author: jcholast Title: #318: server install: fix external CA install Action: opened PR body: """ Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/318/head:pr318 git checkout pr318 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-318.patch Type: text/x-diff Size: 10256 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 12:47:01 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 07 Dec 2016 13:47:01 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
NACK

You replaced os.random() by ipa_generate_password, but ipa_generate_password does not generate random bytes but random printable characters (entropy--), so you have to recalculate a new password length accordingly or edit the ipa_generate_password function to generate random bytes.

Also I noticed you removed base64 encoding; are you sure that the places where it was used can handle all byte characters (nonprintable, etc.)? I would stay with base64 there.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265438520

From freeipa-github-notification at redhat.com Wed Dec 7 12:57:56 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 07 Dec 2016 13:57:56 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
Please replace this by something sane:

```
return sha1(ipautil.ipa_generate_password()).hexdigest()
```

Security by obscurity worked well in the Roman Empire, but now please generate the password directly with 128 bits of entropy, without using sha1.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651

From freeipa-github-notification at redhat.com Wed Dec 7 13:25:33 2016
From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 14:25:33 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 35610 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 13:25:50 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 14:25:50 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 177730 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 13:25:56 2016 
From: freeipa-github-notification at redhat.com (Akasurde) Date: Wed, 07 Dec 2016 14:25:56 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer Akasurde commented: """ @jcholast @mbasti-rh I will work on modifying `Knob()` to handle metavar """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265446264 From freeipa-github-notification at redhat.com Wed Dec 7 13:29:35 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 07 Dec 2016 14:29:35 +0100 Subject: [Freeipa-devel] [freeipa PR#209][comment] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Title: #209: Enumerate available options in IPA installer jcholast commented: """ @Akasurde, `Knob()` already handles metavar properly, you need to work on the interface between the installer and `optparse` - `ipapython.install.cli`. """ See the full comment at https://github.com/freeipa/freeipa/pull/209#issuecomment-265447065 From freeipa-github-notification at redhat.com Wed Dec 7 14:28:38 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 07 Dec 2016 15:28:38 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ It makes more sense to follow the principal *test what you build, build what you test*. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265460797 From freeipa-github-notification at redhat.com Wed Dec 7 14:39:40 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 07 Dec 2016 15:39:40 +0100
Subject: [Freeipa-devel] [freeipa PR#284][synchronized] ipautil: check for open ports on all resolved IPs
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/284
Author: tomaskrizek
Title: #284: ipautil: check for open ports on all resolved IPs
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/284/head:pr284
git checkout pr284

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-284.patch
Type: text/x-diff
Size: 4037 bytes
Desc: not available
URL:

From chad.cravens at ossys.com Wed Dec 7 14:58:46 2016
From: chad.cravens at ossys.com (Chad Cravens)
Date: Wed, 7 Dec 2016 09:58:46 -0500
Subject: [Freeipa-devel] Reading Attributes from LDAP Client
Message-ID:

Hello:

We are working with RedHat IDM and I'm trying to understand how Permissions and Roles are represented/stored in the LDAP Directory Server. What we would like to do is create roles in the web GUI and programmatically retrieve the Roles and Permissions, as well as who they are associated with, using an LDAP client (written in C).

Any guidance on how to do such a thing would be greatly appreciated, thanks!

--
Kindest Regards,
Chad Cravens
(843) 291-8340
chad.cravens at ossys.com
http://www.ossys.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From freeipa-github-notification at redhat.com Wed Dec 7 15:01:19 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:01:19 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ But we build both 2/3 versions at once """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265469455 From freeipa-github-notification at redhat.com Wed Dec 7 15:12:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:12:45 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ Or we can run both pylints as far as we wants py2/3 compatible versions """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265472634 From freeipa-github-notification at redhat.com Wed Dec 7 15:28:21 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 07 Dec 2016 16:28:21 +0100
Subject: [Freeipa-devel] [freeipa PR#319][opened] [master] gracefully handle setting replica bind dn group on old masters
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/319
Author: martbab
Title: #319: [master] gracefully handle setting replica bind dn group on old masters
Action: opened

PR body:
"""
This is the version of https://github.com/freeipa/freeipa/pull/315 for master branch only

https://fedorahosted.org/freeipa/ticket/6532
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/319/head:pr319
git checkout pr319

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-319.patch
Type: text/x-diff
Size: 3662 bytes
Desc: not available
URL:

From rcritten at redhat.com Wed Dec 7 15:29:35 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 7 Dec 2016 10:29:35 -0500
Subject: [Freeipa-devel] Reading Attributes from LDAP Client
In-Reply-To:
References:
Message-ID: <58482ADF.1030107@redhat.com>

Chad Cravens wrote:
> Hello:
>
> We are working with RedHat IDM and I'm trying to understand how
> Permissions and Roles are represented/stored in the LDAP Directory
> Server. What we would like to do is create roles in the web GUI and
> programmatically retrieve the Roles and Permissions, as well as who they
> are associated with, programmatically using an LDAP client (written in C).
>
> Any guidance on how to do such a thing would be greatly appreciated, thanks!

Retrieve the role and look at the member and memberof attributes. A member is a direct member of the role and will be (from memory) only user or group DNs. To see what the role can do you'll need to examine the container of the memberof DN to know what type of thing it is (privilege or permission).

rob

From freeipa-github-notification at redhat.com Wed Dec 7 15:29:56 2016
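To make Rob's answer concrete, here is an added example (not FreeIPA code and not part of the thread) that takes a role entry as an LDAP client would read it and sorts its member and memberOf DNs by the container they live in, which is exactly the "look at the container of the DN" step he describes. The container DNs assumed below (cn=users,cn=accounts and cn=groups,cn=accounts for members; cn=privileges,cn=pbac and cn=permissions,cn=pbac for what the role grants, all under the suffix) follow FreeIPA's default layout as an assumption, and the role entry is constructed sample data rather than the output of a real search. The DN splitting honours backslash-escaped commas, which matters because privilege and permission names are free text and may contain commas.

```python
# Added example: classify a FreeIPA role's member / memberOf DNs by container.
# The container DNs follow FreeIPA's default layout (assumption for illustration).
CONTAINERS = {
    "cn=users,cn=accounts": "user",
    "cn=groups,cn=accounts": "group",
    "cn=privileges,cn=pbac": "privilege",
    "cn=permissions,cn=pbac": "permission",
}

# Constructed sample entry, shaped like the attribute dict an LDAP client would
# build from a search on one role entry; not taken from a real server.
SUFFIX = "dc=example,dc=test"
SAMPLE_ROLE = {
    "dn": "cn=helpdesk,cn=roles,cn=accounts," + SUFFIX,
    "member": [
        "uid=alice,cn=users,cn=accounts," + SUFFIX,
        "cn=helpdesk-staff,cn=groups,cn=accounts," + SUFFIX,
    ],
    "memberof": [
        "cn=Modify Users and Reset passwords,cn=privileges,cn=pbac," + SUFFIX,
        # A value containing a comma must be escaped in the DN (RFC 4514).
        "cn=Reset passwords\\, unlock users,cn=permissions,cn=pbac," + SUFFIX,
    ],
}


def split_dn(dn):
    """Split a DN string into its RDNs, keeping backslash-escaped commas intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def rdn_value(dn):
    """Return the value of the leftmost RDN, with escaped commas unescaped."""
    return split_dn(dn)[0].split("=", 1)[1].replace("\\,", ",")


def classify(dn, suffix):
    """Name the kind of object a DN points at by its parent container under suffix."""
    parent = ",".join(r.lower() for r in split_dn(dn)[1:])
    for container, kind in CONTAINERS.items():
        if parent == (container + "," + suffix).lower():
            return kind
    return "unknown"


def describe_role(entry, suffix):
    """Group direct members and granted privileges/permissions of a role by kind."""
    result = {"members": {}, "grants": {}}
    for dn in entry.get("member", []):
        result["members"].setdefault(classify(dn, suffix), []).append(rdn_value(dn))
    for dn in entry.get("memberof", []):
        result["grants"].setdefault(classify(dn, suffix), []).append(rdn_value(dn))
    return result


if __name__ == "__main__":
    for kind, names in describe_role(SAMPLE_ROLE, SUFFIX)["grants"].items():
        print(kind, "->", names)
```

A C client would do the same thing after its ldap_search_ext_s call: walk the member and memberOf values of the role entry, strip the first RDN, and compare the remainder against the known containers. Anything that lands in "unknown" is worth logging rather than silently dropping, since it usually means the directory layout differs from what the client assumed.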
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:29:56 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ I had discussion with Petr, and currently we cannot run both pylints in build system and it is not easy to add it there. So we have to manually override pylint versions in travis tests, so I would stay with the current version of commits """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265477567 From freeipa-github-notification at redhat.com Wed Dec 7 15:32:33 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:32:33 +0100 Subject: [Freeipa-devel] [freeipa PR#284][closed] ipautil: check for open ports on all resolved IPs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/284 Author: tomaskrizek Title: #284: ipautil: check for open ports on all resolved IPs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/284/head:pr284 git checkout pr284 From freeipa-github-notification at redhat.com Wed Dec 7 15:32:34 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:32:34 +0100 Subject: [Freeipa-devel] [freeipa PR#284][comment] ipautil: check for open ports on all resolved IPs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/284 Title: #284: ipautil: check for open ports on all resolved IPs mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a24cd01304aaef77b66d0e178585c9ec8bbce9b5 """ See the full comment at https://github.com/freeipa/freeipa/pull/284#issuecomment-265478337 From freeipa-github-notification at redhat.com Wed Dec 7 15:32:35 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:32:35 +0100 Subject: [Freeipa-devel] [freeipa PR#284][+pushed] ipautil: check for open ports on all resolved IPs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/284 Title: #284: ipautil: check for open ports on all resolved IPs Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 7 15:34:54 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 07 Dec 2016 16:34:54 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ It's easily possible with my proposal, just saying: ```make pylint PYTHON=python3``` ```make pylint PYTHON=python2``` """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265479049 From freeipa-github-notification at redhat.com Wed Dec 7 15:39:29 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 07 Dec 2016 16:39:29 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ PS: I'd rather not run both linters in parallel. We use pylint in parallel mode, which runs as many workers as CPU cores. ```make pylint``` already uses up 90-100% CPU cycles on all cores. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265480425 From freeipa-github-notification at redhat.com Wed Dec 7 15:42:32 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:42:32 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ Ok if Petr agree we can go with your proposal """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265481358 From freeipa-github-notification at redhat.com Wed Dec 7 15:53:26 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:53:26 +0100 Subject: [Freeipa-devel] [freeipa PR#292][+ack] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer Label: +ack From freeipa-github-notification at redhat.com Wed Dec 7 15:54:09 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:54:09 +0100 Subject: [Freeipa-devel] [freeipa PR#292][+pushed] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 7 15:54:10 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:54:10 +0100 Subject: [Freeipa-devel] [freeipa PR#292][comment] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Title: #292: Increase the timeout waiting for certificate issuance in installer mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9e3c17c6ded868b4261aa76137c703a4fb866578 """ See the full comment at https://github.com/freeipa/freeipa/pull/292#issuecomment-265485148 From freeipa-github-notification at redhat.com Wed Dec 7 15:54:12 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 07 Dec 2016 16:54:12 +0100 Subject: [Freeipa-devel] [freeipa PR#292][closed] Increase the timeout waiting for certificate issuance in installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/292 Author: flo-renaud Title: #292: Increase the timeout waiting for certificate issuance in installer Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/292/head:pr292 git checkout pr292 From freeipa-github-notification at redhat.com Wed Dec 7 16:10:08 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 07 Dec 2016 17:10:08 +0100 Subject: [Freeipa-devel] [freeipa PR#320][opened] add missing attribute to ipaca replica during CA topology update Message-ID: URL: https://github.com/freeipa/freeipa/pull/320 Author: martbab Title: #320: add missing attribute to ipaca replica during CA topology update Action: opened PR body: """ The previous fix for missing 'nsds5replicabinddngroupcheckinterval' fails when the first CA master is being set up. The attribute addition from update file has to be moved to the update plugin with a proper logic that determines the presence of o=ipaca replica entry. https://fedorahosted.org/freeipa/ticket/6508 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/320/head:pr320 git checkout pr320 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-320.patch Type: text/x-diff Size: 2864 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 16:23:13 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 07 Dec 2016 17:23:13 +0100 Subject: [Freeipa-devel] [freeipa PR#320][synchronized] add missing attribute to ipaca replica during CA topology update In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/320 Author: martbab Title: #320: add missing attribute to ipaca replica during CA topology update Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/320/head:pr320 git checkout pr320 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-320.patch Type: text/x-diff Size: 2864 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 22:44:29 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 23:44:29 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 38154 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 7 22:47:05 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 07 Dec 2016 23:47:05 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @martbab your concerns should be addressed in this revision I also started adding upgrade code, but it is still not fully tested. In the process I locally get 2 pylint errors about the hostname property used on 2 out of 3 Principal() objects in cert.py, I am sorta baffled at why that is, but it is late here, so I decided to push the code and see if anyone has an idea. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265598252 From freeipa-github-notification at redhat.com Thu Dec 8 08:43:51 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 08 Dec 2016 09:43:51 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ @jcholast updated PR to include `certificate` and `certificate_chain` in `ca_find` output when `--all` is specified. """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-265684968 From freeipa-github-notification at redhat.com Thu Dec 8 08:44:05 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 08 Dec 2016 09:44:05 +0100 Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-177.patch Type: text/x-diff Size: 22251 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 08:46:12 2016 
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 08 Dec 2016 09:46:12 +0100
Subject: [Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/317
Author: stlaz
Title: #317: Unify password generation across FreeIPA
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/317/head:pr317
git checkout pr317

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-317.patch
Type: text/x-diff
Size: 6256 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Thu Dec 8 08:51:14 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 08 Dec 2016 09:51:14 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

stlaz commented:
"""
The passwords should have around the same entropy now. SHA-1 actually produces 160-bit outputs (hence 40-character-long hexadecimal digests), so I recounted it for 20 bytes of entropy.

As ipa_generate_password creates passwords of only printable characters (and a space) by default, base64 should not be a requirement here. However, a space could be a problem somewhere, I guess; should it be removed as well from the default behavior of the password generator?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265686352

From freeipa-github-notification at redhat.com Thu Dec 8 09:00:35 2016
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 08 Dec 2016 10:00:35 +0100 Subject: [Freeipa-devel] [freeipa PR#318][+ack] server install: fix external CA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install Label: +ack From freeipa-github-notification at redhat.com Thu Dec 8 09:00:40 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Thu, 08 Dec 2016 10:00:40 +0100 Subject: [Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install flo-renaud commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/318#issuecomment-265688266 From freeipa-github-notification at redhat.com Thu Dec 8 09:34:43 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 10:34:43 +0100 Subject: [Freeipa-devel] [freeipa PR#206][synchronized] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-206.patch Type: text/x-diff Size: 2387 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 09:49:00 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 10:49:00 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I'm fine with `make pylint PYTHON=python3` as long as you can agree on it :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265698399 From freeipa-github-notification at redhat.com Thu Dec 8 10:30:56 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 11:30:56 +0100 Subject: [Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 15426 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 10:36:41 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 11:36:41 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I've implemented tiran's proposal and rebased the patchset. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265708628 From freeipa-github-notification at redhat.com Thu Dec 8 10:37:26 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 11:37:26 +0100 Subject: [Freeipa-devel] [freeipa PR#307][+ack] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext Label: +ack From freeipa-github-notification at redhat.com Thu Dec 8 10:37:51 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 11:37:51 +0100 Subject: [Freeipa-devel] [freeipa PR#307][-ack] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext Label: -ack From freeipa-github-notification at redhat.com Thu Dec 8 10:39:55 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Thu, 08 Dec 2016 11:39:55 +0100
Subject: [Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

pspacek commented:
"""
@pvomacka Pavel, you did not remove the `po/Rules-quot` file. Adding it to `.gitignore` is not enough. NACK

(sorry for messing with the label, too fat fingers)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/307#issuecomment-265709221

From freeipa-github-notification at redhat.com Thu Dec 8 11:00:58 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 08 Dec 2016 12:00:58 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
> The passwords should have around the same entropy now. SHA-1 actually produces 160bit outputs (hence 40-characters long hexadecimal digests), so I recounted it for 20-bytes entropy.

Sure, my bad.

As we discussed offline, due to NSS FIPS requirements, we should get rid of base64 encoding.

I wouldn't remove the space from there; can you check if NSS supports it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265713667

From freeipa-github-notification at redhat.com Thu Dec 8 11:01:54 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 08 Dec 2016 12:01:54 +0100
Subject: [Freeipa-devel] [freeipa PR#206][+ack] Properly handle multiple cookies in rpcclient
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/206
Title: #206: Properly handle multiple cookies in rpcclient
Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 8 11:03:32 2016
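The entropy arithmetic behind the PR #317 review exchange above, as an added example that is neither code from the PR nor from FreeIPA: a password of N symbols drawn uniformly from an alphabet of size A carries N * log2(A) bits, so matching K random bytes takes ceil(8K / log2(A)) printable characters, and wrapping the result in SHA-1 cannot raise that figure (it only caps it at the 160-bit digest width), which is why a hex digest of a short printable password looks like 160 bits but is not. The 95-symbol printable alphabet, the secrets-based generator and the base64 helper here are assumptions for illustration; FreeIPA's own ipa_generate_password is not reproduced.

```python
import base64
import hashlib
import math
import secrets
import string

# Constructed alphabets for the comparison (assumptions for illustration, not the
# alphabet FreeIPA's ipa_generate_password actually uses).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols
RANDOM_BYTES = bytes(range(256))                                             # 256 symbols


def bits_per_symbol(alphabet):
    """Entropy contributed by one uniformly chosen symbol of the alphabet."""
    return math.log2(len(alphabet))


def entropy_bits(alphabet, length):
    """Entropy of a password of `length` symbols drawn uniformly from `alphabet`."""
    return length * bits_per_symbol(alphabet)


def length_for_entropy(alphabet, target_bits):
    """Smallest length whose entropy reaches target_bits (round up, never down)."""
    return math.ceil(target_bits / bits_per_symbol(alphabet))


def generate_password(alphabet, target_bits):
    """Draw enough symbols from a CSPRNG to reach target_bits; str or bytes out."""
    length = length_for_entropy(alphabet, target_bits)
    symbols = [secrets.choice(alphabet) for _ in range(length)]
    return bytes(symbols) if isinstance(alphabet, bytes) else "".join(symbols)


def base64_password(nbytes):
    """The pre-PR pattern: random bytes made printable by base64; entropy stays 8*nbytes."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def sha1_hex(password):
    """What the replaced code did: 40 hex chars out, but no more entropy than went in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hashed_entropy_bound(alphabet, length, digest_bits=160):
    """Upper bound on the entropy of hash(password): min(input entropy, digest width)."""
    return min(entropy_bits(alphabet, length), digest_bits)


if __name__ == "__main__":
    for target in (128, 160):
        print(target, "bits:",
              length_for_entropy(PRINTABLE, target), "printable chars vs",
              length_for_entropy(RANDOM_BYTES, target), "raw bytes")
    print("16 printable chars through sha1:",
          round(hashed_entropy_bound(PRINTABLE, 16), 1), "bits, not 160")
```

With the 95-symbol alphabet, 128 bits need 20 characters and 160 bits (the width of a SHA-1 digest, the "20 bytes" figure in the thread) need 25, against 16 and 20 raw bytes. A 16-character printable password pushed through sha1().hexdigest() still prints 40 hex characters but carries only about 105 bits, which is the point of the "security by obscurity" objection; base64 of 16 random bytes gives 24 characters and keeps the full 128 bits, but the thread's FIPS concern is about the NSS side accepting the result, not about entropy.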
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:03:32 +0100 Subject: [Freeipa-devel] [freeipa PR#206][+pushed] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient Label: +pushed From freeipa-github-notification at redhat.com Thu Dec 8 11:03:34 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:03:34 +0100 Subject: [Freeipa-devel] [freeipa PR#206][comment] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Title: #206: Properly handle multiple cookies in rpcclient mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/560ab9e3176af8e59163155207cc2c1d631915dd https://fedorahosted.org/freeipa/changeset/f1678693713dc2a573493e325e93f6f557a5ad5a """ See the full comment at https://github.com/freeipa/freeipa/pull/206#issuecomment-265714183 From freeipa-github-notification at redhat.com Thu Dec 8 11:03:35 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:03:35 +0100 Subject: [Freeipa-devel] [freeipa PR#206][closed] Properly handle multiple cookies in rpcclient In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/206 Author: simo5 Title: #206: Properly handle multiple cookies in rpcclient Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/206/head:pr206 git checkout pr206 From freeipa-github-notification at redhat.com Thu Dec 8 11:05:08 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 12:05:08 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 181843 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 11:09:16 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:09:16 +0100 Subject: [Freeipa-devel] [freeipa PR#318][comment] server install: fix external CA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4fff09978eab520d130d87c0112b5caac907e651 """ See the full comment at https://github.com/freeipa/freeipa/pull/318#issuecomment-265715262 From freeipa-github-notification at redhat.com Thu Dec 8 11:09:18 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:09:18 +0100 Subject: [Freeipa-devel] [freeipa PR#318][+pushed] server install: fix external CA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Title: #318: server install: fix external CA install Label: +pushed From freeipa-github-notification at redhat.com Thu Dec 8 11:09:19 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:09:19 +0100 Subject: [Freeipa-devel] [freeipa PR#318][closed] server install: fix external CA install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/318 Author: jcholast Title: #318: server install: fix external CA install Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/318/head:pr318 git checkout pr318 From freeipa-github-notification at redhat.com Thu Dec 8 11:31:50 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Thu, 08 Dec 2016 12:31:50 +0100 Subject: [Freeipa-devel] [freeipa PR#321][opened] certdb: fix PKCS#12 import with empty password Message-ID: URL: https://github.com/freeipa/freeipa/pull/321 Author: jcholast Title: #321: certdb: fix PKCS#12 import with empty password Action: opened PR body: """ Since commit f919ab4ee0ec26d77ee6978e75de5daba4073402, a temporary file is used to give passwords to pk12util. When a password is empty, the temporary file will be empty as well, which pk12util does not like. Add a new line after the password in the temporary file to please pk12util. https://fedorahosted.org/freeipa/ticket/6541 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/321/head:pr321 git checkout pr321 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-321.patch Type: text/x-diff Size: 1227 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 11:39:19 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Dec 2016 12:39:19 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ NSS does support spaces in its passwords it seems. My hopes are that HTTP will be able to understand spaces in its password.conf file. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265720579 From freeipa-github-notification at redhat.com Thu Dec 8 11:44:01 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 08 Dec 2016 12:44:01 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time tiran commented: """ * CI is failing: ```12-08 10:53 ipadocker.cli ERROR Command echo Secret123 | kinit admin && ipa ping failed (exit code 1)```. I have kicked Travis. Let's see if the problem persists. * please sync the version requirements of python3-cryptography and python3-gssapi with Python 2 versions. * Regarding your workaround and setuptools comment: I have been meaning to move all scripts to setuptools' entry points for a while. Setuptools only supports one script directory, which defaults to PREFIX/bin. I need to come up with a workaround. But that's a topic for another PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265721361 From freeipa-github-notification at redhat.com Thu Dec 8 11:57:08 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:57:08 +0100 Subject: [Freeipa-devel] [freeipa PR#101][closed] Improved vault-show error message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/101 Author: stlaz Title: #101: Improved vault-show error message Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/101/head:pr101 git checkout pr101 From freeipa-github-notification at redhat.com Thu Dec 8 11:57:14 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 12:57:14 +0100 Subject: [Freeipa-devel] [freeipa PR#101][+rejected] Improved vault-show error message In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/101 Title: #101: Improved vault-show error message Label: +rejected From freeipa-github-notification at redhat.com Thu Dec 8 12:12:35 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 13:12:35 +0100 Subject: [Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 15786 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 12:13:31 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Thu, 08 Dec 2016 13:13:31 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I've synchronized `python-cryptography` and `python-gssapi` versions. Thank you for noticing. Let's see if CI tests pass or not. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265726303 From freeipa-github-notification at redhat.com Thu Dec 8 12:59:49 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 13:59:49 +0100 Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code simo5 commented: """ @pspacek I added workflows to the Design page, please verify """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321 From freeipa-github-notification at redhat.com Thu Dec 8 13:20:11 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Thu, 08 Dec 2016 14:20:11 +0100 Subject: [Freeipa-devel] [freeipa PR#307][synchronized] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Author: pvomacka Title: #307: Lowered the version of gettext Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/307/head:pr307 git checkout pr307 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-307.patch Type: text/x-diff Size: 3621 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 13:30:21 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Dec 2016 14:30:21 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ Apparently, spaces are ok even in HTTP password.conf so I guess we can leave it there. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265739766 From freeipa-github-notification at redhat.com Thu Dec 8 14:12:37 2016 
From: freeipa-github-notification at redhat.com (gkaihorodova) Date: Thu, 08 Dec 2016 15:12:37 +0100 Subject: [Freeipa-devel] [freeipa PR#181][synchronized] Tests : User Tracker creation of user with minimal values In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/181 Author: gkaihorodova Title: #181: Tests : User Tracker creation of user with minimal values Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/181/head:pr181 git checkout pr181 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-181.patch Type: text/x-diff Size: 4448 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 14:27:33 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 15:27:33 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ @stlaz, SHA-1 DOES NOT add entropy at all, you need the right number of bits in INPUT for whatever transformation you use. @mbasti-rh in what way is FIPS incompatible with base64 encoding? @stlaz, spaces may cause issues in some places where passwords are stored in files or passed (annoyingly) as shell arguments, so it is safer to avoid them in the final output, and given the way the code deals with space that would also simplify the random generator and avoid the bias on the 1st and last character of the password. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265752256 From freeipa-github-notification at redhat.com Thu Dec 8 14:28:04 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 08 Dec 2016 15:59:06 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ Please don't use a hack like sha1() to turn a random byte sequence into a hex value. At best sha1 keeps the entropy of the input. I also don't like the fact that the function only cares about the length of the output. The actual length is irrelevant. We care about the entropy of the output. Let's drop pwd_len and apply proper math instead:

```
import math
import random
import string

alnum = string.ascii_letters + string.digits
sysrandom = random.SystemRandom()  # uses os.urandom() as RNG


def mkpasswd(entropy_bits=128, symbols=alnum):
    length = int(math.ceil(entropy_bits / math.log(len(symbols), 2)))
    return ''.join(sysrandom.choice(symbols) for _ in range(length))
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265760379 From freeipa-github-notification at redhat.com Thu Dec 8 15:03:38 2016 
From: freeipa-github-notification at redhat.com (stlaz) Date: Thu, 08 Dec 2016 16:03:38 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ @simo5 I was actually trying to get rid of SHA-1 and I am aware that entropy will not be raised; that part of the code drew a smile on some of our faces here, really :) As for the spaces, I did not encounter issues with them in password.conf files, which is awesome, but I agree they're potentially dangerous. However, removing them from the default set of password chars would not make our life easier as the check would have to stay there in case someone passes them as a possible character as an argument to ipa_generate_password (although they should probably know what they're doing, right?). We may be able to get rid of the `characters` argument should the cases where it's used be found invalid though (currently in `host`, `user` passwords and in `dnskeysync`). @tiran Regarding sha1 - did you see the patch? ;) However I agree that the length is not a good argument for a password-generating function, I will have a look at transforming it to entropy. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265761543 From freeipa-github-notification at redhat.com Thu Dec 8 15:07:32 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 16:07:32 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA simo5 commented: """ We may need a max length argument if we are dealing with some stuff that has issues with more than max length characters ... In that case we can warn (or raise, we'll have to decide) that not enough entropy will be available if max length is not sufficient to hold the desired entropy. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265762543 From freeipa-github-notification at redhat.com Thu Dec 8 15:23:25 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 08 Dec 2016 16:23:25 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ @stlaz Your patch looks good. My comment regarding SHA1 was aimed at comment https://github.com/freeipa/freeipa/pull/317#issuecomment-265440651 . The suggestion of SHA1 is a *Verschlimmbesserung* (improvement for the worse) of the current code. I studied the implementation ```ipa_generate_password```. The special cases for white space make it more complicated. If you combine @simo5's suggestion and my function, you can write the function in like 6 to 7 lines of simple code. It might be a good idea to use only alphanumeric chars, too. ```#!='"%${}.?*``` have special meaning in bash, C, ini files etc. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265766597 From freeipa-github-notification at redhat.com Thu Dec 8 15:56:30 2016 
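An added example (not code from PR#317 or from FreeIPA) that combines tiran's entropy-driven length computation with simo5's max-length check: the generator refuses to return a password that cannot hold the requested entropy, and optional per-class requirements are enforced by rejection sampling. Function names (`length_for_entropy`, `entropy_bits_for`, `generate_password`) and the use of the `secrets` module are our assumptions, not the project's API.

```python
import math
import secrets
import string

# Added example, not FreeIPA code: names and signatures below are ours.
ALNUM = string.ascii_letters + string.digits  # 62 symbols, no shell/ini metachars


def length_for_entropy(entropy_bits, alphabet):
    """Smallest length whose uniformly random strings carry >= entropy_bits."""
    symbols = len(set(alphabet))
    if symbols < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return int(math.ceil(entropy_bits / math.log2(symbols)))


def entropy_bits_for(length, alphabet):
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(len(set(alphabet)))


def generate_password(entropy_bits=128, alphabet=ALNUM, max_length=None,
                      required=()):
    """Return a password drawn uniformly from alphabet**length.

    max_length: if set, raise instead of silently returning a weaker
                password when the entropy target does not fit (simo5's point).
    required:   iterable of character sets; each must be represented at
                least once in the result (e.g. FIPS-style composition rules).
    """
    # Deduplicate so every symbol is equiprobable even if the caller
    # passed an alphabet with repeated characters.
    alphabet = ''.join(sorted(set(alphabet)))
    length = length_for_entropy(entropy_bits, alphabet)
    if max_length is not None and length > max_length:
        raise ValueError(
            "max_length %d holds only %.1f bits over a %d-symbol alphabet, "
            "need %d" % (max_length, entropy_bits_for(max_length, alphabet),
                         len(alphabet), entropy_bits))
    for charset in required:
        if not set(charset) & set(alphabet):
            raise ValueError("required class %r is absent from alphabet" % (charset,))
    while True:
        # secrets.choice uses the OS CSPRNG; no hashing step is needed,
        # since hashing cannot add entropy to the drawn symbols.
        pwd = ''.join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over the set of
        # accepted strings; it only discards candidates that miss a class.
        if all(any(c in charset for c in pwd) for charset in required):
            return pwd
```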
From: freeipa-github-notification at redhat.com (abbra) Date: Thu, 08 Dec 2016 16:56:30 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install abbra commented: """ @simo5 I tried to run the branch as an upgrade against the Fedora 25 version (4.4.2-1.fc25) and it failed at first because I was running in SELinux enforcing:

Unexpected error - see /var/log/ipaupgrade.log for details: DBusException: org.fedorahosted.certmonger.bad_arg: The parent of location "/var/kerberos/krb5kdc/kdc.crt" could not be accessed due to insufficient permissions.
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Re-running `ipa-server-upgrade` with 'setenforce 0', I get a different error:

2016-12-08T15:52:28Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2016-12-08T15:52:28Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1820, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1755, in upgrade_configuration
    enable_anonymous_principal(krb)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1498, in enable_anonymous_principal
    dn = DN(('krbprincipalname', princ_realm), krb.get_realm_suffix())
  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 74, in get_realm_suffix
    return DN(('cn', self.realm), ('cn', 'kerberos'), self.suffix)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1107, in __init__
    self.rdns = self._rdns_from_sequence(args)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1148, in _rdns_from_sequence
    rdn = self._rdns_from_value(item)
  File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 1141, in _rdns_from_value
    % type(value))
2016-12-08T15:52:28Z DEBUG The ipa-server-upgrade command failed, exception: TypeError: must be str, unicode, tuple, Name, RDN or DN, got instead
2016-12-08T15:52:28Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: TypeError: must be str, unicode, tuple, Name, RDN or DN, got instead

""" See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265775539 From freeipa-github-notification at redhat.com Thu Dec 8 16:23:41 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Dec 2016 17:23:41 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install martbab commented: """ @simo5 I highlighted the code giving pylint issues, basically you forgot to update the ca_kdc_check signature. """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265783165 From freeipa-github-notification at redhat.com Thu Dec 8 16:25:19 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Dec 2016 17:25:19 +0100 Subject: [Freeipa-devel] [freeipa PR#270][+ack] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master Label: +ack From freeipa-github-notification at redhat.com Thu Dec 8 16:26:34 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Dec 2016 17:26:34 +0100 Subject: [Freeipa-devel] [freeipa PR#270][+pushed] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master Label: +pushed From freeipa-github-notification at redhat.com Thu Dec 8 16:26:35 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Dec 2016 17:26:35 +0100 Subject: [Freeipa-devel] [freeipa PR#270][comment] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Title: #270: Test: uniqueness of certificate renewal master martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/fad87a9962ee33cfebc4fa59aba589e98b076cea """ See the full comment at https://github.com/freeipa/freeipa/pull/270#issuecomment-265783934 From freeipa-github-notification at redhat.com Thu Dec 8 16:26:36 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 08 Dec 2016 17:26:36 +0100 Subject: [Freeipa-devel] [freeipa PR#270][closed] Test: uniqueness of certificate renewal master In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/270 Author: ofayans Title: #270: Test: uniqueness of certificate renewal master Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/270/head:pr270 git checkout pr270 From freeipa-github-notification at redhat.com Thu Dec 8 16:35:20 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 17:35:20 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ @tiran @simo5 If you read my comments properly, I was happy with removing sha1() and I pointed out that ipa_generate_password() must generate 160 bits of entropy, as was probably originally aimed for by using sha1(). @simo5 I'm fine with removing space then. @simo5 Standa found out that when FIPS is enabled NSS is not willing to accept some passwords, it requires some special chars AFAIK; @stlaz knows the details. @tiran I'm afraid we need to keep special characters there as I mentioned above ^ @tiran thank you for the nice code snippet. @tiran AFAIK you misunderstood my comment, I wanted to "replace sha1 with something sane", or I don't understand what is wrong with my comment. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265786411 From freeipa-github-notification at redhat.com Thu Dec 8 16:47:51 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 08 Dec 2016 17:47:51 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ @mbasti-rh I probably misunderstood your intention. I read your comment as "Replace it with something sane, the sane thing is sha1". By the way I'm currently tangled up in a twitter discussion about Python's new secrets module and entropy. The module doc has a nice recipe to generate passwords with special properties https://docs.python.org/3.6/library/secrets.html#recipes-and-best-practices . I asked a friend of mine and real (tm) cryptographer about entropy for black box tokens. He told me > 128 if you don't care about quantum computing; 256 if you do """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265789981 From freeipa-github-notification at redhat.com Thu Dec 8 17:06:39 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 18:06:39 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @martbab sometimes you are blind to your own code ... """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795306 From freeipa-github-notification at redhat.com Thu Dec 8 17:07:26 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 18:07:26 +0100 Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Title: #62: Configure Anonymous PKINIT on server install simo5 commented: """ @abbra I have an idea of what it might be """ See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-265795485 From freeipa-github-notification at redhat.com Thu Dec 8 17:25:02 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 18:25:02 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 38206 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 17:37:27 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Thu, 08 Dec 2016 18:37:27 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """

```
#!/usr/bin/python3
import math
import random
import string


class TokenGenerator(object):
    """Simple, tunable token generator

    TokenGenerator(uppercase=3, lowercase=3, digits=0, special=None)

    At least 3 upper and 3 lower case ASCII chars, may contain digits,
    no special chars.

    128 bits entropy: secure
    256 bits of entropy: secure enough if you care about quantum computers
    """
    uppercase = frozenset(string.ascii_uppercase)
    lowercase = frozenset(string.ascii_lowercase)
    digits = frozenset(string.digits)
    # without: = # ' " \ `
    special = frozenset('!$%&()*+,-./:;<>?@[]^_{|}~')

    def __init__(self, uppercase=1, lowercase=1, digits=1, special=1):
        self.rng = random.SystemRandom()
        self.requirements = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )
        chars = set()
        for symclass, req in self.requirements.items():
            if req is not None:
                chars.update(getattr(self, symclass))
        self.chars = tuple(chars)

    def __call__(self, entropy_bits=128):
        length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))
        while True:
            token = ''.join(self.rng.choice(self.chars) for _ in range(length))
            tokenset = set(token)
            token_ok = True
            for symclass, req in self.requirements.items():
                if req is None or req <= 0:
                    continue
                reqchars = getattr(self, symclass)
                if len(tokenset.intersection(reqchars)) < req:
                    token_ok = False
                    break
            if token_ok:
                return token


if __name__ == '__main__':
    pwgen = TokenGenerator(special=None)
    for i in range(100):
        print(pwgen())
```

""" See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265803218 From freeipa-github-notification at redhat.com Thu Dec 8 17:43:12 2016 
From: freeipa-github-notification at redhat.com (tbordaz) Date: Thu, 08 Dec 2016 18:43:12 +0100 Subject: [Freeipa-devel] [freeipa PR#322][opened] masters DS<1.3.3 do not support bind group Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Author: tbordaz Title: #322: masters DS<1.3.3 do not support bind group Action: opened PR body: """ Check the instance version before setting nsds5replicabbinddngroup and nsds5replicabinddngroupcheckinterval https://fedorahosted.org/freeipa/ticket/6532 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/322/head:pr322 git checkout pr322 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-322.patch Type: text/x-diff Size: 3465 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 18:41:56 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 19:41:56 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 38218 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 18:59:13 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Thu, 08 Dec 2016 19:59:13 +0100 Subject: [Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/320 Title: #320: add missing attribute to ipaca replica during CA topology update mbasti-rh commented: """ IMO #322 this might be related, @martbab can you please check it? """ See the full comment at https://github.com/freeipa/freeipa/pull/320#issuecomment-265823807 From freeipa-github-notification at redhat.com Thu Dec 8 20:46:28 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 21:46:28 +0100 Subject: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: edited Changed field: body Original value: """ As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189 The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early. This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). In order to allow trying the code, I made two copr repos with the necessary changes available here: - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/ - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/ I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet. There are 2 fundamental changes in this code: - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached. - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) 
This required two changes in the form-based authentication workflow: * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR) * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead. @jcholast @pvoborni Please provide comments on the framework changes. @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ? """ From freeipa-github-notification at redhat.com Thu Dec 8 21:03:15 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 22:03:15 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 182302 bytes Desc: not available URL: From simo at redhat.com Thu Dec 8 21:47:20 2016 
From: simo at redhat.com (Simo Sorce) Date: Thu, 08 Dec 2016 16:47:20 -0500 Subject: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: <1481233640.7156.12.camel@redhat.com> On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote: > URL: https://github.com/freeipa/freeipa/pull/314 > Author: simo5 > Title: #314: RFC: privilege separation for ipa framework code > Action: edited > > Changed field: body > Original value: > """ > As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189 > > The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early. > > This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). > In order to allow trying the code, I made two copr repos with the necessary changes available here: > - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/ > - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/ > > I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet. > > There are 2 fundamental changes in this code: > - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached. 
> - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) > This required two changes in the form-based authentication workflow: > * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR) > * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead. > > @jcholast @pvoborni Please provide comments on the framework changes. > @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ? > """ > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code There seems to be a bug in the mailing list posting script when someone edits a PR description, I see the original text here but not the new text! Simo. -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Thu Dec 8 21:51:52 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 22:51:52 +0100 Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-62.patch Type: text/x-diff Size: 39626 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 8 21:57:42 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Thu, 08 Dec 2016 22:57:42 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 183826 bytes Desc: not available URL: From mbasti at redhat.com Fri Dec 9 07:31:30 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 9 Dec 2016 08:31:30 +0100 Subject: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code In-Reply-To: <1481233640.7156.12.camel@redhat.com> References: <1481233640.7156.12.camel@redhat.com> Message-ID: <08f2a3c4-083d-59ad-dd92-eb0c881c48a8@redhat.com> On 08.12.2016 22:47, Simo Sorce wrote: > On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote: >> URL: https://github.com/freeipa/freeipa/pull/314 >> Author: simo5 >> Title: #314: RFC: privilege separation for ipa framework code >> Action: edited >> >> Changed field: body >> Original value: >> """ >> As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189 >> >> The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early. >> >> This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). >> In order to allow trying the code, I made two copr repos with the necessary changes available here: >> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/ >> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/ >> >> I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet. >> >> There are 2 fundamental changes in this code: >> - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached. 
>> - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) >> This required two changes in the form-based authentication workflow: >> * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR) >> * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead. >> >> @jcholast @pvoborni Please provide comments on the framework changes. >> @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ? >> """ >> >> -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > There seems to be a bug in the mailing list posting script when someone > edits a PR description, I see the original text here but not the new > text! > > Simo. > It is expected, Changed field: body Original value: I just haven't had time to implement sending the new values (because of the format of github messages it is not so simple) I may try to finish github notification RFEs today Martin From freeipa-github-notification at redhat.com Fri Dec 9 07:50:29 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 08:50:29 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ @tiran IMO you need to check `length > uppercase + lowercase + num + special`, otherwise infinite loop, but generally LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265954172 From freeipa-github-notification at redhat.com Fri Dec 9 08:02:35 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 09 Dec 2016 09:02:35 +0100 Subject: [Freeipa-devel] [freeipa PR#307][+ack] Lowered the version of gettext In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/307 Title: #307: Lowered the version of gettext Label: +ack From pspacek at redhat.com Fri Dec 9 08:05:54 2016 From: pspacek at redhat.com (Petr Spacek) Date: Fri, 9 Dec 2016 09:05:54 +0100 Subject: [Freeipa-devel] using Reviewer field on Github instead of Trac Message-ID: Dear FreeIPA developers, I just noticed that Github PRs now have a Reviewers field. Can we replace the reviewed-by field in Trac with the Reviewers field on Github? It is easier to set myself as Reviewer on Github as it does not force me to edit the ticket. Assuming the Github workflow works, the ipatool could pick up this value automatically and add it to commit messages as needed... Given that Trac is going away it sounds like a good move to me :-) -- Petr^2 Spacek From mbasti at redhat.com Fri Dec 9 08:37:00 2016 
From: mbasti at redhat.com (Martin Basti) Date: Fri, 9 Dec 2016 09:37:00 +0100 Subject: [Freeipa-devel] using Reviewer field on Github instead of Trac In-Reply-To: References: Message-ID: <7d58ce81-9f53-674b-1ebd-07784cf156ae@redhat.com> On 09.12.2016 09:05, Petr Spacek wrote: > Dear FreeIPA developers, > > I just noticed that Github PRs now have a Reviewers field. > > Can we replace the reviewed-by field in Trac with the Reviewers field on Github? It is > easier to set myself as Reviewer on Github as it does not force me to edit the > ticket. Assuming the Github workflow works, the ipatool could pick up this > value automatically and add it to commit messages as needed... > > Given that Trac is going away it sounds like a good move to me :-) > I tried it yesterday, but reviewers are not shown in the list of PRs https://github.com/freeipa/freeipa/pulls So you still have to assign yourself (as assignee) to the PR to show others that the PR has a reviewer. Martin^2 From freeipa-github-notification at redhat.com Fri Dec 9 09:28:27 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 09 Dec 2016 10:28:27 +0100 Subject: [Freeipa-devel] [freeipa PR#321][comment] certdb: fix PKCS#12 import with empty password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/321 Title: #321: certdb: fix PKCS#12 import with empty password dkupka commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/321#issuecomment-265970429 From freeipa-github-notification at redhat.com Fri Dec 9 09:28:28 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Fri, 09 Dec 2016 10:28:28 +0100 Subject: [Freeipa-devel] [freeipa PR#321][+ack] certdb: fix PKCS#12 import with empty password In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/321 Title: #321: certdb: fix PKCS#12 import with empty password Label: +ack From freeipa-github-notification at redhat.com Fri Dec 9 09:46:33 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 09 Dec 2016 10:46:33 +0100 Subject: [Freeipa-devel] [freeipa PR#315][+ack] [ipa-4-4] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/315 Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters Label: +ack From freeipa-github-notification at redhat.com Fri Dec 9 09:46:37 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 09 Dec 2016 10:46:37 +0100 Subject: [Freeipa-devel] [freeipa PR#315][comment] [ipa-4-4] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/315 Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters flo-renaud commented: """ Hi, thanks for the patch. Everything works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/315#issuecomment-265973960 From simo at redhat.com Fri Dec 9 09:51:53 2016 
From: simo at redhat.com (Simo Sorce) Date: Fri, 09 Dec 2016 04:51:53 -0500 Subject: [Freeipa-devel] [freeipa PR#314][edited] RFC: privilege separation for ipa framework code In-Reply-To: <08f2a3c4-083d-59ad-dd92-eb0c881c48a8@redhat.com> References: <1481233640.7156.12.camel@redhat.com> <08f2a3c4-083d-59ad-dd92-eb0c881c48a8@redhat.com> Message-ID: <1481277113.7156.13.camel@redhat.com> On Fri, 2016-12-09 at 08:31 +0100, Martin Basti wrote: > > On 08.12.2016 22:47, Simo Sorce wrote: > > On Thu, 2016-12-08 at 21:46 +0100, simo5 wrote: > >> URL: https://github.com/freeipa/freeipa/pull/314 > >> Author: simo5 > >> Title: #314: RFC: privilege separation for ipa framework code > >> Action: edited > >> > >> Changed field: body > >> Original value: > >> """ > >> As part of the External Authentication work this PR implements the privilege separation portion of the design available here: https://www.freeipa.org/page/V4/External_Authentication and implements tickets: https://fedorahosted.org/freeipa/ticket/5959 and https://fedorahosted.org/freeipa/ticket/4189 > >> > >> The update process from an old server has not been implemented yet, so this is just an RFC request at this stage. Please look at the code and let me know if you notice any major issue with it so we can correct mistakes early. > >> > >> This PR depends on improvements and fixes to two dependencies: mod_auth_gssapi and gssproxy, which are not released/accepted upstream yet (all PRs filed, and will be available soon). > >> In order to allow trying the code, I made two copr repos with the necessary changes available here: > >> - https://copr.fedorainfracloud.org/coprs/simo/mod_auth_gssapi/ > >> - https://copr.fedorainfracloud.org/coprs/simo/gssproxy/ > >> > >> I tested a new install and both gssapi as well as password authentication work (via command line and web browser). I have not tested OTP authentication yet. 
> >> > >> There are 2 fundamental changes in this code: > >> - the session handling code has been dropped in favor of deferring session handling to mod_auth_gssapi, simplifying the code greatly. As part of this change we stop using memcached. > >> - the framework configuration is changed to work as a different user from the Apache framework and depends on gssproxy in order to be able to access necessary credentials. (Apache itself is also using gssproxy and does not have direct access to the HTTP keytab.) > >> This required two changes in the form-based authentication workflow: > >> * The armor cache is obtained via anonymous pkinit as we do not have access anymore to the HTTP keytab. This means this PR depends on #62 (until it is accepted commits from that PR are in this PR) > >> * The actual authentication is done via a loopback HTTP request to apache after we obtain a TGT, this is done in order to obtain a session cookie from mod_auth_gssapi as well as to be able to immediately discard the TGT and just keep the HTTP ticket instead. > >> > >> @jcholast @pvoborni Please provide comments on the framework changes. > >> @rcritten @abbra do you have ideas on how to deal with dropping a service (memcached) on upgrade ? > >> """ > >> > >> -- > >> Manage your subscription for the Freeipa-devel mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-devel > >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > > There seems to be a bug in the mailing list posting script when someone > > edits a PR description, I see the original text here but not the new > > text! > > > > Simo. > > > It is expected, > > Changed field: body > Original value: > > I just haven't had time to implement sending the new values (because of the format of github messages it is not so simple) I may try to finish github notification RFEs today Ok thanks, just wanted to make sure you knew about this. Simo. 
-- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Fri Dec 9 09:58:01 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 10:58:01 +0100 Subject: [Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands mbasti-rh commented: """ Can you please provide a better description in the commit message? What, why and how does it fix it? Think about our future selves when we are doing git archaeology """ See the full comment at https://github.com/freeipa/freeipa/pull/313#issuecomment-265976235 From freeipa-github-notification at redhat.com Fri Dec 9 10:01:29 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 11:01:29 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ ACK, but travis runs tests under PY3 and should be, I tried locally and tests work for me (ipa-run-tests is still py2 by default), so there is an issue with travis tests. I prefer to fix travis first before pushing this, to not block tests for other PRs. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265976899 From freeipa-github-notification at redhat.com Fri Dec 9 10:01:54 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 11:01:54 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ ACK, but travis runs tests under PY3 and should be, I tried locally and tests work for me (ipa-run-tests is still py2 by default), so there is an issue with travis tests. I prefer to fix travis first before pushing this, to not block tests for other PRs. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265976899 From freeipa-github-notification at redhat.com Fri Dec 9 10:14:14 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Fri, 09 Dec 2016 11:14:14 +0100 Subject: [Freeipa-devel] [freeipa PR#322][comment] masters DS<1.3.3 do not support bind group In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Title: #322: masters DS<1.3.3 do not support bind group flo-renaud commented: """ Hi, there is already an open PR for this issue: https://github.com/freeipa/freeipa/pull/319 for master and https://github.com/freeipa/freeipa/pull/315 for ipa-4-4. You may want to synchronize with @martbab and decide which solution to implement. """ See the full comment at https://github.com/freeipa/freeipa/pull/322#issuecomment-265979368 From freeipa-github-notification at redhat.com Fri Dec 9 10:20:39 2016 
From: freeipa-github-notification at redhat.com (tiran) Date: Fri, 09 Dec 2016 11:20:39 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA tiran commented: """ @mbasti-rh ```uppercase + lowercase + num + special``` should be limited to a sensible value. A large value invalidates the formula that calculates the length of the token. As far as I remember my math, the formula assumes a uniform distribution of distinct values. Additional restrictions reduce the sample space of the result. I'm not clever enough to come up with an algorithm to calculate the length with additional restrictions. My gut feeling tells me that less than 15% per character class (3 for upper/lower case and symbols, 1 for digits) should be ok. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-265980552 From freeipa-github-notification at redhat.com Fri Dec 9 10:43:12 2016 From: freeipa-github-notification at redhat.com (tbordaz) Date: Fri, 09 Dec 2016 11:43:12 +0100 Subject: [Freeipa-devel] [freeipa PR#322][comment] masters DS<1.3.3 do not support bind group In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Title: #322: masters DS<1.3.3 do not support bind group tbordaz commented: """ Oops, I missed that, thanks for the heads up. PR #319 and #315 are better fixes for this issue. #322 should be discarded """ See the full comment at https://github.com/freeipa/freeipa/pull/322#issuecomment-265984866 From freeipa-github-notification at redhat.com Fri Dec 9 11:11:43 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Fri, 09 Dec 2016 12:11:43 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ @martbab Can I do something in the build system to make your CI implementation easier? """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-265990053 From freeipa-github-notification at redhat.com Fri Dec 9 12:28:21 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 13:28:21 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ @tiran True, I would like to have there at least an assert which prevents devs from using more than, let's say, 15% per class and more than 50% together, to prevent silly mistakes. It will also reduce the possibility of starvation when too many passwords don't match the requirements Do you want to send this as a PR or are you fine with adding it to this PR by Standa? """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266002689 From freeipa-github-notification at redhat.com Fri Dec 9 12:28:51 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Fri, 09 Dec 2016 13:28:51 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ @tiran True, I would like to have there at least an assert which prevents devs from using more than, let's say, 15% per class and more than 50% together, to prevent silly mistakes. It will also reduce the possibility of starvation when too many passwords don't match the requirements Do you want to send this as a PR or are you fine with adding it to this PR by Standa? """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266002689 From freeipa-github-notification at redhat.com Fri Dec 9 12:34:11 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:34:11 +0100 Subject: [Freeipa-devel] [freeipa PR#322][+rejected] masters DS<1.3.3 do not support bind group In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Title: #322: masters DS<1.3.3 do not support bind group Label: +rejected From freeipa-github-notification at redhat.com Fri Dec 9 12:34:25 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:34:25 +0100 Subject: [Freeipa-devel] [freeipa PR#322][closed] masters DS<1.3.3 do not support bind group In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Author: tbordaz Title: #322: masters DS<1.3.3 do not support bind group Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/322/head:pr322 git checkout pr322 From freeipa-github-notification at redhat.com Fri Dec 9 12:34:27 2016 
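A worked version of the generator debated in the PR #317 comments above (tiran's posted TokenGenerator and entropy question, mbasti-rh's infinite-loop and starvation points), added here as an example; it is not code from the PR or from FreeIPA. It keeps the PR's character classes and rejection sampling, refuses up front a length that cannot hold the required characters, and replaces the uniform-alphabet length formula with an exact count of the tokens that satisfy the per-class minimums, from which it derives the entropy the constraints leave and the length needed to reach a target. The method names, the test configurations and the counting of minimums as occurrences rather than distinct characters are this example's own choices.

```python
#!/usr/bin/python3
"""Class-constrained token generation with exact length and entropy.

Added example, not FreeIPA code.  Same character classes and rejection
sampling as the TokenGenerator posted in PR #317, plus a guard against
minimums no token of the chosen length can meet, and an exact count of the
tokens that pass the per-class minimums (the uniform-alphabet formula
ignores them).  Minimums count occurrences, not distinct characters.
"""
import math
import random
import string

# Same classes as the PR; 'special' leaves out = # ' " \ ` as the PR does.
CLASSES = {
    'uppercase': string.ascii_uppercase,
    'lowercase': string.ascii_lowercase,
    'digits': string.digits,
    'special': '!$%&()*+,-./:;<>?@[]^_{|}~',
}


def count_satisfying(length, sizes, minimums):
    """Exact number of strings of `length` characters over the union of the
    classes (class k has sizes[k] characters) containing at least
    minimums[k] characters of every class k.  Dynamic programme over the
    positions: the state records, per class, how many of its characters
    have been placed so far, capped at that class's minimum."""
    states = {tuple(0 for _ in sizes): 1}
    for _ in range(length):
        nxt = {}
        for state, ways in states.items():
            for k, size in enumerate(sizes):
                new = list(state)
                new[k] = min(new[k] + 1, minimums[k])
                key = tuple(new)
                nxt[key] = nxt.get(key, 0) + ways * size
        states = nxt
    return states.get(tuple(minimums), 0)


class TokenGenerator:
    """TokenGenerator(uppercase=3, lowercase=3, digits=1, special=None):
    at least 3 upper, 3 lower and 1 digit, no special characters at all.
    A class set to None is excluded from the alphabet."""

    def __init__(self, uppercase=1, lowercase=1, digits=1, special=1):
        self.rng = random.SystemRandom()   # os.urandom, not Mersenne Twister
        reqs = dict(uppercase=uppercase, lowercase=lowercase,
                    digits=digits, special=special)
        self.classes = [(CLASSES[name], max(req, 0))
                        for name, req in reqs.items() if req is not None]
        self.sizes = tuple(len(chars) for chars, _ in self.classes)
        self.minimums = tuple(req for _, req in self.classes)
        self.alphabet = ''.join(chars for chars, _ in self.classes)

    def naive_length(self, entropy_bits):
        """The PR's formula: every position uniform over the whole alphabet,
        minimums ignored.  A lower bound, since minimums only remove tokens."""
        return int(math.ceil(entropy_bits / math.log(len(self.alphabet), 2)))

    def effective_entropy_bits(self, length):
        """log2 of the number of tokens of this length that pass the
        minimums; 0.0 when no token of this length can."""
        count = count_satisfying(length, self.sizes, self.minimums)
        return math.log2(count) if count else 0.0

    def acceptance_rate(self, length):
        """Fraction of uniformly drawn candidates the minimums accept; the
        expected number of draws per token is its reciprocal."""
        total = len(self.alphabet) ** length
        return count_satisfying(length, self.sizes, self.minimums) / total

    def length_for_bits(self, entropy_bits):
        """Smallest length whose constrained token space still holds at
        least 2**entropy_bits tokens."""
        length = max(self.naive_length(entropy_bits), sum(self.minimums))
        while self.effective_entropy_bits(length) < entropy_bits:
            length += 1
        return length

    def satisfies(self, token):
        return all(sum(c in chars for c in token) >= req
                   for chars, req in self.classes)

    def __call__(self, entropy_bits=128, length=None):
        """Draw a token.  Without an explicit length, use the one that reaches
        entropy_bits with the minimums accounted for.  An explicit length
        below the sum of the minimums is refused: with it the loop below
        would never terminate."""
        if length is None:
            length = self.length_for_bits(entropy_bits)
        elif length < sum(self.minimums):
            raise ValueError('length %d cannot hold %d required characters'
                             % (length, sum(self.minimums)))
        while True:
            token = ''.join(self.rng.choice(self.alphabet) for _ in range(length))
            if self.satisfies(token):
                return token


if __name__ == '__main__':
    for gen, bits in ((TokenGenerator(3, 3, 1, None), 128),
                      (TokenGenerator(4, 4, 4, None), 64)):
        n = gen.length_for_bits(bits)
        print('naive %d, needed %d, %.2f bits, acceptance %.3f: %s'
              % (gen.naive_length(bits), n, gen.effective_entropy_bits(n),
                 gen.acceptance_rate(n), gen(bits)))
```

The count is exact and cheap: the state space is the product of (minimum + 1) over the classes, so it can run on every call. For the PR's default shape (3 upper, 3 lower, 1 digit, 128 bits) the naive length of 22 already leaves about 131 bits and accepts about 98% of draws, so the minimums cost nothing. Push the minimums to 4/4/4 for a 64-bit token and the naive length of 11 cannot hold the 12 required characters at all; the constrained calculation moves to 12, which still holds about 66 bits but accepts only about 2% of candidates, roughly 45 draws per token. That acceptance rate is the starvation mbasti-rh describes, and it is the quantity to put a floor under rather than a fixed percentage per class.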
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:34:27 +0100 Subject: [Freeipa-devel] [freeipa PR#322][comment] masters DS<1.3.3 do not support bind group In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/322 Title: #322: masters DS<1.3.3 do not support bind group martbab commented: """ OK closing and marking as rejected. """ See the full comment at https://github.com/freeipa/freeipa/pull/322#issuecomment-266003647 From freeipa-github-notification at redhat.com Fri Dec 9 12:35:10 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:35:10 +0100 Subject: [Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/320 Title: #320: add missing attribute to ipaca replica during CA topology update martbab commented: """ @tbordaz mentioned that this fix is better and that we should discard https://github.com/freeipa/freeipa/pull/322. Please continue review. """ See the full comment at https://github.com/freeipa/freeipa/pull/320#issuecomment-266003753 From freeipa-github-notification at redhat.com Fri Dec 9 12:35:57 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:35:57 +0100 Subject: [Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/319 Title: #319: [master] gracefully handle setting replica bind dn group on old masters martbab commented: """ PR #322 was closed, it was agreed that this fix is better. """ See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266003850 From freeipa-github-notification at redhat.com Fri Dec 9 12:44:04 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:44:04 +0100 Subject: [Freeipa-devel] [freeipa PR#315][+pushed] [ipa-4-4] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/315 Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters Label: +pushed From freeipa-github-notification at redhat.com Fri Dec 9 12:44:06 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:44:06 +0100 Subject: [Freeipa-devel] [freeipa PR#315][closed] [ipa-4-4] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/315 Author: martbab Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/315/head:pr315 git checkout pr315 From freeipa-github-notification at redhat.com Fri Dec 9 12:44:07 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Fri, 09 Dec 2016 13:44:07 +0100 Subject: [Freeipa-devel] [freeipa PR#315][comment] [ipa-4-4] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/315 Title: #315: [ipa-4-4] gracefully handle setting replica bind dn group on old masters martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/e94046f646d85e1c1ef62e0931b447883026f685 """ See the full comment at https://github.com/freeipa/freeipa/pull/315#issuecomment-266005163 From freeipa-github-notification at redhat.com Fri Dec 9 12:51:57 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 13:51:57 +0100
Subject: [Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update

martbab commented:
"""
@mbasti-rh also this PR solves a bit different issue than the others (https://github.com/freeipa/freeipa/pull/315 and https://github.com/freeipa/freeipa/pull/319) and that is that the upgrade path for CA replicas was broken. It supplements the two PRs so that everything is set up correctly also for the o=ipaca suffix, not only the domain one.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/320#issuecomment-266006470

From freeipa-github-notification at redhat.com Fri Dec 9 12:54:30 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 13:54:30 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
`make install` puts `#!/usr/bin/python` into `ipa-run-tests` and it causes that on F25 our tests are running by default under PY3.

Probably travis tests use make install (haven't looked)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266006874

From freeipa-github-notification at redhat.com Fri Dec 9 13:01:27 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 14:01:27 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

martbab commented:
"""
Travis installs the built RPMs and then runs server install and out-of-tree test suite. It does not use `make install`.

BTW does this mean that Travis is actually running tests using Py3? Sorry but I am just trying to get up to speed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266008067

From freeipa-github-notification at redhat.com Fri Dec 9 13:02:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 14:02:18 +0100
Subject: [Freeipa-devel] [freeipa PR#307][+pushed] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext
Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 9 13:03:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 14:03:09 +0100
Subject: [Freeipa-devel] [freeipa PR#307][comment] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307
Title: #307: Lowered the version of gettext

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/e5686c0ccb4a71fa0ab460fd45280d9adba91cca
"""

See the full comment at https://github.com/freeipa/freeipa/pull/307#issuecomment-266008212

From freeipa-github-notification at redhat.com Fri Dec 9 13:03:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 14:03:14 +0100
Subject: [Freeipa-devel] [freeipa PR#307][closed] Lowered the version of gettext
URL: https://github.com/freeipa/freeipa/pull/307
Author: pvomacka
Title: #307: Lowered the version of gettext
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/307/head:pr307
git checkout pr307

From freeipa-github-notification at redhat.com Fri Dec 9 13:03:17 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 09 Dec 2016 14:03:17 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 39613 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 9 13:03:28 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 09 Dec 2016 14:03:28 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
`make install` will install whatever is auto-detected during configure (or overridden by `$PYTHON` variable while calling `make install`).

So, how are you calling the stuff? If you want to always run Python 2 tests, specify `PYTHON=/usr/bin/python2`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266008502

From freeipa-github-notification at redhat.com Fri Dec 9 13:06:08 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 09 Dec 2016 14:06:08 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
Relevant parts of SPEC file are here:
https://github.com/freeipa/freeipa/pull/272/commits/684f4f5d4fbcfc62c555f7ef856dc2da467cd40c#diff-021f8f69d8c0598dcead3341b439283aR778
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266009162

From freeipa-github-notification at redhat.com Fri Dec 9 13:07:05 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 14:07:05 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
@martbab Yes for this PR travis runs tests under PY3, see tracebacks, it is from python3.5 site-packages
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266009384

From freeipa-github-notification at redhat.com Fri Dec 9 13:09:08 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Fri, 09 Dec 2016 14:09:08 +0100
Subject: [Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Author: pvomacka
Title: #139: WebUI: Vault Management
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/139/head:pr139
git checkout pr139

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-139.patch
Type: text/x-diff
Size: 84373 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 9 13:12:06 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 09 Dec 2016 14:12:06 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 39540 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 9 13:42:12 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 09 Dec 2016 14:42:12 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
To be sure I re-built RPMs from this PR using `makerpms.sh` script. My findings are:
- `/usr/bin/ipa-run-tests` is a symlink to `/usr/bin/ipa-run-tests-2.7`
- `/usr/bin/ipa-run-tests-2.7` has shebang `#!/usr/bin/python2`

I have no idea why it should fail in Travis.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266016360

From freeipa-github-notification at redhat.com Fri Dec 9 13:46:42 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 14:46:42 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

mbasti-rh commented:
"""
Have you tried on F25? It might be related to it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266017285

From freeipa-github-notification at redhat.com Fri Dec 9 13:47:20 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 14:47:20 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

martbab commented:
"""
I have re-built RPMs in the F25 image and found out that the /usr/bin/ipa command has the following shebang:

```
#!/usr/bin/python3
```

so this one is the culprit. `ipa-run-tests` has python2 shebang.

Keep in mind that before running tests `ipa ping` is called to a) test the functionality of the installation and b) to prepare ~/.ipa directory for tests. I can remove this call if needed but IMHO it is a bug.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266017423

From freeipa-github-notification at redhat.com Fri Dec 9 13:53:07 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 14:53:07 +0100
Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

martbab commented:
"""
Yep, running `ipa ping` on Fedora 25 confirms this:

```
# ipa ping
ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/ipaclient/remote_plugins/__init__.py", line 109, in get_package
    plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1348, in run
    api.finalize()
  File "/usr/lib/python3.5/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python3.5/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python3.5/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python3.5/site-packages/ipalib/__init__.py", line 919, in packages
    ipaclient.remote_plugins.get_package(self),
  File "/usr/lib/python3.5/site-packages/ipaclient/remote_plugins/__init__.py", line 111, in get_package
    server_info = ServerInfo(api)
  File "/usr/lib/python3.5/site-packages/ipaclient/remote_plugins/__init__.py", line 25, in __init__
    hostname = DNSName(api.env.server).ToASCII()
  File "/usr/lib/python3.5/site-packages/ipapython/dnsutil.py", line 74, in ToASCII
    return self.to_text().decode('ascii')  # must be unicode string
AttributeError: 'str' object has no attribute 'decode'
ipa: ERROR: an internal error has occurred
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266018649

From freeipa-github-notification at redhat.com Fri Dec 9 14:34:19 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 15:34:19 +0100
Subject: [Freeipa-devel] [freeipa PR#320][+ack] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update
Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 9 14:45:18 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 09 Dec 2016 15:45:18 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Guys, I'm confused. What exactly is the purpose of `TokenGenerator`? The docstring does not explain to me what is the relation between arguments in `__init__` and `__call__`. Of course I can guess but this should be clearly defined first.

If we are clever enough we can get away with the `while` loop and make it deterministic.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266030088

From freeipa-github-notification at redhat.com Fri Dec 9 14:47:38 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 15:47:38 +0100
Subject: [Freeipa-devel] [freeipa PR#320][+pushed] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update
Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 9 14:47:40 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 15:47:40 +0100
Subject: [Freeipa-devel] [freeipa PR#320][comment] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Title: #320: add missing attribute to ipaca replica during CA topology update

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6086a6dbad21d93ed584d508f9844d73f64a4542
https://fedorahosted.org/freeipa/changeset/6d0e450c8226a8e23d88cf21487a77db66a2968b

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/0ae9cd75cd8495a85c78f9781c7fab721b464230
https://fedorahosted.org/freeipa/changeset/b0acb23ff378d3c4fd8b54123696a8b48e6cd472
"""

See the full comment at https://github.com/freeipa/freeipa/pull/320#issuecomment-266030631

From freeipa-github-notification at redhat.com Fri Dec 9 14:47:41 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 15:47:41 +0100
Subject: [Freeipa-devel] [freeipa PR#320][closed] add missing attribute to ipaca replica during CA topology update
URL: https://github.com/freeipa/freeipa/pull/320
Author: martbab
Title: #320: add missing attribute to ipaca replica during CA topology update
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/320/head:pr320
git checkout pr320

From freeipa-github-notification at redhat.com Fri Dec 9 15:31:59 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:31:59 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

mbasti-rh commented:
"""
It generates random tokens that can be used as:
- passwords
- anything else that should be random

It is written in the class docstring.

Yes we can randomly generate strings for each class with specified length, then generate randomly the rest, and finally make order of characters random. However I'm not sure if this is from crypto point of view equal to generating random string at once and then checking validity, there can be something we don't see, but probably not.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266041887

From freeipa-github-notification at redhat.com Fri Dec 9 15:39:02 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:39:02 +0100
Subject: [Freeipa-devel] [freeipa PR#282][+ack] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282
Title: #282: replicainstall: give correct error message on DL mismatch
Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 9 15:41:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:41:10 +0100
Subject: [Freeipa-devel] [freeipa PR#282][+pushed] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282
Title: #282: replicainstall: give correct error message on DL mismatch
Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 9 15:41:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:41:12 +0100
Subject: [Freeipa-devel] [freeipa PR#282][comment] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282
Title: #282: replicainstall: give correct error message on DL mismatch

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2dcbc9416f1de708336a9afe92a138da9360ec5b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/282#issuecomment-266044281

From freeipa-github-notification at redhat.com Fri Dec 9 15:41:14 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:41:14 +0100
Subject: [Freeipa-devel] [freeipa PR#282][closed] replicainstall: give correct error message on DL mismatch
URL: https://github.com/freeipa/freeipa/pull/282
Author: stlaz
Title: #282: replicainstall: give correct error message on DL mismatch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/282/head:pr282
git checkout pr282

From freeipa-github-notification at redhat.com Fri Dec 9 15:44:20 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 09 Dec 2016 16:44:20 +0100
Subject: [Freeipa-devel] [freeipa PR#323][opened] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Author: mbasti-rh
Title: #323: ipactl: pass api as argument to services
Action: opened

PR body:
"""
Commit 6409abf1 removes hard dependency of ipalib in ipaplatform to avoid cyclic dependencies, this commit updates ipactl accordingly

Removes ugly warnings:
```
[root at vm-028 ~]# ipactl stop
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('ipa-dnskeysyncd', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping ipa-dnskeysyncd Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('ipa-otpd', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping ipa-otpd Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatCAService('pki-tomcatd', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping pki-tomcatd Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('ntpd', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping ntpd Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('ipa-custodia', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping ipa-custodia Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('httpd', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping httpd Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('ipa_memcached', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping ipa_memcached Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('named', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping named Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('kadmin', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
Stopping kadmin Service
/usr/lib/python2.7/site-packages/ipaplatform/base/services.py:193: RuntimeWarning: RedHatService('krb5kdc', api=None) is deprecated.
  super(SystemdService, self).__init__(service_name, api=api)
```
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/323/head:pr323
git checkout pr323

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-323.patch
Type: text/x-diff
Size: 3132 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 9 15:48:02 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Fri, 09 Dec 2016 16:48:02 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
@mbasti-rh You are missing the point and thus do not answer my question: The docstring does not tell anything about relation of 'entropy' and the output. What is the relation? Does it assume that attacker knows init parameters of TokenGenerator? Or not? How can we do analysis without knowing threat model first?

Does `entropy` mean that the output string simply codes `xxx` bits of entropy, or does it mean that attacker has to guess `xxx` bits of entropy? That should be spelled out.

I would argue that for any IPA-internal passwords we must assume that attacker knows the input parameters because he can easily read the source code.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266046041

From freeipa-github-notification at redhat.com Fri Dec 9 18:22:25 2016
From: freeipa-github-notification at redhat.com (tbordaz)
Date: Fri, 09 Dec 2016 19:22:25 +0100
Subject: [Freeipa-devel] [freeipa PR#324][opened] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
Title: #324: Check for conflict entries before raising domain level
Action: opened

PR body:
"""
Checking of conflicts is not only done in topology container as tests showed it can occur elsewhere

https://fedorahosted.org/freeipa/ticket/6534
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-324.patch
Type: text/x-diff
Size: 2183 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 9 19:01:10 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 20:01:10 +0100
Subject: [Freeipa-devel] [freeipa PR#324][comment] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324
Title: #324: Check for conflict entries before raising domain level

martbab commented:
"""
I have some comments regarding the logic of the check. These will also fix the warning reported by pylint checker.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/324#issuecomment-266093655

From freeipa-github-notification at redhat.com Fri Dec 9 19:10:05 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 09 Dec 2016 20:10:05 +0100
Subject: [Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters

martbab commented:
"""
@flo-renaud I was able to reproduce the issue you observed when trying to test the patch. I have opened an upstream ticket for it https://fedorahosted.org/freeipa/ticket/6549. I think it is a regression caused by installer refactoring and is unrelated to this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266095914

From freeipa-github-notification at redhat.com Sun Dec 11 13:33:52 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Sun, 11 Dec 2016 14:33:52 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

abbra commented:
"""
Thanks @simo5. Except SELinux changes this PR is ready to be accepted.

TODO as separate pull requests:

* SELinux policy needs to be updated to allow certmonger to write to /var/kerberos/krb5kdc/:
    allow certmonger_t krb5kdc_conf_t:dir { add_name write };
    allow certmonger_t krb5kdc_conf_t:file create;

* For CA-less setup we need to add `ipa-pkinit-manage` to allow adding externally provided PKCS#12 package with KDC certificate after the installation

Also, to document the decisions we made when moving forward with this PR, anonymous PKINIT principal is created in all configurations. Its use for non-PKINIT case will be detailed in the privilege separation patchset:

* for embedded CA, Anonymous PKINIT is used for password/2FA login FAST wrapping
* If Anonymous PKINIT does not work (CA-less or external CA case with not configured PKINIT), Kerberos keytab with Anonymous principal will be used for FAST wrapping
* Finally, if both of these cases don't work, privilege separation will degrade 2FA logon.

This allows us to fully utilize Anonymous Kerberos principal potential.

ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-266282332

From freeipa-github-notification at redhat.com Sun Dec 11 13:34:09 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Sun, 11 Dec 2016 14:34:09 +0100
Subject: [Freeipa-devel] [freeipa PR#62][+ack] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install
Label: +ack

From freeipa-github-notification at redhat.com Sun Dec 11 17:22:45 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Sun, 11 Dec 2016 18:22:45 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 195782 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 12 06:24:21 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 07:24:21 +0100
Subject: [Freeipa-devel] [freeipa PR#321][comment] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321
Title: #321: certdb: fix PKCS#12 import with empty password

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/a35f5181c0af459e9f054838805628f31316cbe9
"""

See the full comment at https://github.com/freeipa/freeipa/pull/321#issuecomment-266352292

From freeipa-github-notification at redhat.com Mon Dec 12 06:24:23 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 07:24:23 +0100
Subject: [Freeipa-devel] [freeipa PR#321][+pushed] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321
Title: #321: certdb: fix PKCS#12 import with empty password
Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 12 06:24:25 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 07:24:25 +0100
Subject: [Freeipa-devel] [freeipa PR#321][closed] certdb: fix PKCS#12 import with empty password
URL: https://github.com/freeipa/freeipa/pull/321
Author: jcholast
Title: #321: certdb: fix PKCS#12 import with empty password
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/321/head:pr321
git checkout pr321

From freeipa-github-notification at redhat.com Mon Dec 12 06:36:27 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 07:36:27 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
@frasertweedale, thanks. What about [this](https://github.com/freeipa/freeipa/pull/177/files#r91243228)?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266353770

From freeipa-github-notification at redhat.com Mon Dec 12 07:12:17 2016
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Mon, 12 Dec 2016 08:12:17 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file frasertweedale commented: """ On Sun, Dec 11, 2016 at 10:36:27PM -0800, Jan Cholasta wrote: > @frasertweedale, thanks. What about [this](https://github.com/freeipa/freeipa/pull/177/files#r91243228)? > It is a worthwhile change (thank you for reminding me). Let's address any remaining issues for this feature and get it merged. The proposed PKCS #7 refactoring can be tackled separately. I filed a ticket https://fedorahosted.org/freeipa/ticket/6550 Thanks. > -- > You are receiving this because you were mentioned. > Reply to this email directly or view it on GitHub: > https://github.com/freeipa/freeipa/pull/177#issuecomment-266353770 """ See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266358091 From freeipa-github-notification at redhat.com Mon Dec 12 07:22:52 2016
From: freeipa-github-notification at redhat.com (jcholast) Date: Mon, 12 Dec 2016 08:22:52 +0100 Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/177 Title: #177: Add options to write lightweight CA cert or chain to file jcholast commented: """ @frasertweedale, I'm afraid we can't do that. As I said in the comment, you cannot unconditionally import from `ipaplatform` to `ipalib` anymore, so you either have to make the change to PyASN1, or make the import conditional:
```python
try:
    from ipaplatform.paths import paths
except ImportError:
    OPENSSL = '/usr/bin/openssl'
else:
    OPENSSL = paths.OPENSSL
```
""" See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266359452 From freeipa-github-notification at redhat.com Mon Dec 12 07:42:41 2016
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 12 Dec 2016 08:42:41 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ Correct me if I'm wrong here but I believe we're going for the scenario where the attacker has to guess the `xxx` bits of entropy and they know that they have to do it. We're not actually coding `xxx` bits of entropy as we need more entropy bits to get a sufficient result (hence `length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))`). However! To the very first question of yours - unfortunately, there is a very small relation between the arguments in `__init__` and `__call__` as @tiran says: > I'm not clever enough to come up with an algorithm to calculate the length with additional restrictions. My gut feeling tells me that less than 15% per character class (3 for upper/lower case and symbols, 1 for digit) should be ok. From the code you can see that if a certain class of characters should not be used, it's not accounted for in the calculation of the final length of the password but that's about it - if a further restriction is made (>1 character of the given character class), this restriction is also not accounted for. But since we're the ones who'll be using this token generator, I think we could live with this. There should be a warning in a docstring somewhere, though. """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266362288 From freeipa-github-notification at redhat.com Mon Dec 12 07:42:52 2016
From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 12 Dec 2016 08:50:06 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA stlaz commented: """ Correct me if I'm wrong here but I believe we're going for the scenario where the attacker has to guess the `xxx` bits of entropy and they know that they have to do it. We're not actually coding `xxx` bits of entropy as we need more entropy bits to get a sufficient result (hence `length = int(math.ceil(entropy_bits / math.log(len(self.chars), 2)))`). However! To the very first question of yours - unfortunately, there is a very small relation between the arguments in `__init__` and `__call__` as @tiran says: > I'm not clever enough to come up with an algorithm to calculate the length with additional restrictions. My gut feeling tells me that less than 15% per character class (3 for upper/lower case and symbols, 1 for digit) should be ok. From the code you can see that if a certain class of characters should not be used, it's not accounted for in the calculation of the final length of the password but that's about it - if a further restriction is made (>1 character of the given character class), this restriction is also not accounted for. But since we're the ones who'll be using this token generator, I think we could live with this. There should be a warning in a docstring somewhere, though. edit: Just realized - the code is wrong, the restriction to a certain class == None should just mean that the characters from the given class could but don't have to appear in the password (thus still need to be accounted for), the restriction of a certain class == 0 should mean the character should not appear in the password and should not be accounted for in the length calculation. 
""" See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266362288 From freeipa-github-notification at redhat.com Mon Dec 12 08:21:52 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Mon, 12 Dec 2016 09:21:52 +0100 Subject: [Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/323 Title: #323: ipactl: pass api as argument to services stlaz commented: """ Do we need a ticket for this? I notice the original commit did not have it either. """ See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266368348 From cheimes at redhat.com Mon Dec 12 08:42:32 2016 From: cheimes at redhat.com (Christian Heimes) Date: Mon, 12 Dec 2016 09:42:32 +0100 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy Message-ID: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> Hi Simo, I'm wondering if we need to change kdcproxy for anon pkinit. What kind of Kerberos requests are performed by anon pkinit and to establish a FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ and AP-REQ+KRB-PRV. Responses are not filtered. Regards, Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From jcholast at redhat.com Mon Dec 12 08:52:02 2016 
From: jcholast at redhat.com (Jan Cholasta) Date: Mon, 12 Dec 2016 09:52:02 +0100 Subject: [Freeipa-devel] CSR autogeneration next steps In-Reply-To: References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> Message-ID: <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com> On 5.12.2016 16:48, Ben Lipton wrote: > Hi Jan, thanks for the comments. > > > On 12/05/2016 04:25 AM, Jan Cholasta wrote: >> Hi Ben, >> >> On 3.11.2016 00:12, Ben Lipton wrote: >>> Hi everybody, >>> >>> Soon I'm going to have to reduce the amount of time I spend on new >>> development work for the CSR autogeneration project, and I want to leave >>> the project in as organized a state as possible. So, I'm taking >>> inventory of the work I've done in order to make sure that what's ready >>> for review can get reviewed and the ideas that have been discussed get >>> prototyped or at least recorded so they won't be forgotten. >> >> Thanks, I have some questions and comments, see below. >> >>> >>> Code that's ready for review (I will continue to put in as much time as >>> needed to help get these ready for submission): >>> >>> - Current PR: https://github.com/freeipa/freeipa/pull/10 >> >> How hard would it be to update the PR to use the "new" interface from >> the design thread? By this I mean that currently there is a command >> (cert_get_requestdata), which creates a CSR from profile id + >> principal + helper, but in the design we discussed a command which >> creates a CertificationRequestInfo from profile id + principal + >> public key. >> >> Internally it could use the OpenSSL helper, no need to implement the >> full "new" design. With your build_requestinfo.c code below it looks >> like it should be pretty straightforward. > > This is probably doable with the cffi, but I'm concerned about > usability. A user can run the current command to get a (reusable) > script, and run the script to get a CSR. It works with keys in both PEM > files and NSS databases already. 
If we change to outputting a > CertificationRequestInfo, in order to make this usable on the command > line, we'll need: > - An additional tool to sign a CSR given a CertificationRequestInfo (for > both types of key storage). > - A way to extract a SubjectPublicKeyInfo structure from a key within > the ipa command (like [1] but we need it for both types of key storage) > Since as far as I know there's no standard encoding for files containing > only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be > writing and distributing these ourselves. I think that's where most of > the extra work will come in. For PEM files, this is easily doable using python-cryptography (to extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and PyASN1 (to create a CSR from the CertificationRequestInfo and the signature). For NSS databases, this will be trickier and will require calling C functions, as neither certutil nor python-nss provides a way to a) address existing keys in the database by key ID b) get SubjectPublicKeyInfo for a given key. As for encoding, the obvious choice is DER. It does not really matter that there is no standard file format, as we won't be transferring these as files anyway. > > Would it be ok to stick with the current design in this PR? I'd feel > much better if we could get the basic functionality into the repo and > then iterate on it rather than changing the plan at this point. I can > create a separate PR to change cert_get_requestdata to this new > interface and at the same time add the necessary adapters (bullet points > above) to make it user-friendly. Works for me. > > I would probably just implement the adapters within the > cert_build/cert_request client code unless you think having standalone > tools is valuable. I suppose certmonger is going to need these features > too, but I don't know how well sharing code between them is going to work. 
cert-request is exactly the place where it should be :-) I wouldn't bother with certmonger until we have a server-side csrgen. >> >>> >>> - Allow some fields to be specified by the user at creation time: >>> https://github.com/LiptonB/freeipa/commits/local-user-data >> >> Good idea :-) >> >>> >>> - Automation for the full process from getting CSR data to requesting >>> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build >> >> LGTM, although I would prefer if this was a client-side extension of >> cert-request rather than a completely new command. > > I did try that at first, but I struggled to figure out the interface for > the modified cert-request. (Not that the current solution is so great, > what with the copying of options from cert_request and certreq.) If I > remember correctly, I was uncertain how to implement parameters that are > required/invalid based on other parameters: the current cert-request > takes a signed CSR (required), a principal (required), and a profile ID; > the new cert-request (what I implemented as cert-build) takes a > principal (required), a profile ID (required), and a key location > (required). I can't remember if that was the only problem, but I'll try > again to merge the commands and get back to you. To make the CSR argument optional on the client, you can do this:

    def get_options(self):
        # Re-yield every option of the parent command, but clone the 'csr'
        # option as optional so the client can generate the CSR itself.
        for option in super(cert_request, self).get_options():
            if option.name == 'csr':
                option = option.clone(required=False)
            yield option

IMO profile ID should default to caIPAserviceCert on the client as well. >> >>> >>> Other prototypes and design ideas that aren't ready for submission yet: >>> >>> - Utility written in C to build a CertificationRequestInfo from a >>> SubjectPublicKeyInfo and an openssl-style config file. The purpose of >>> this is to take a config that my code already knows how to generate, and >>> put it in a form that certmonger can use. 
This is nearly done and >>> available at: >>> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c >>> >> >> Nice! As I said above, this could really make implementing the "new" >> csrgen interface simple. >> >>> >>> >>> - Ideally it should be possible to use this tool to reimplement the full >>> cert-request automation (local-cert-build branch) without a dependency >>> on the certutil/openssl tools. However, I don't think any of the python >>> crypto libraries have bindings for the functions that deal with >>> CertificationRequestInfo objects, so I don't think I can do this in the >>> short term. >> >> You can use python-cffi to write your own minimal bindings. It's >> fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an >> example of how to port C code to Python with python-cffi. > > Thank you for the example. I will take a look. >> >>> >>> - Certmonger "helper" program that takes in the CertificationRequestInfo >>> that certmonger generates, calls out to IPA for profile-specific data, >>> and returns an updated CertificationRequestInfo built from the data. >>> Certmonger doesn't currently support this type of helper, but (if I >>> understood correctly) this is the architecture Nalin believed would be >>> simplest to fit in. This is not done yet, but I intend to complete it >>> soon - it shouldn't require much code beyond what's in >>> build_requestinfo.c. >> >> To me this sounds like it should be a new operation of the current >> helper rather than a completely new helper. > > Maybe so. I certainly wouldn't call this a finished design, I just > wanted to have some kind of proof of concept for how the certmonger > integration could work. For what it's worth, that prototype is now > available at [2]. OK. >> >> Anyway, the ultimate goal is to move the csrgen code to the server, >> which means everything the helper will have to do is call a command >> over RPC. 
>> >>> >>> - Tool to convert an XER-encoded cert extension to DER, given the ASN.1 >>> description of the extension. This would unblock Jan Cholasta's idea of >>> using XSLT for templates rather than text-based formatting. I should be >>> able to implement the conversion tool, but it may be a while before I >>> have time to demo the full XSLT idea. >> >> Was there any progress on this? > > I have started working on implementing it with asn1c, and I'm already > seeing some of the inconvenience (security issues aside) of building on > the server. Libtasn1 seems like a much better model, but doesn't seem to > have XER support. Anyway, don't quite have results here yet but I think > I should have the XER->DER demo with asn1c ready in a week or two. Implementing an XER codec on top of libtasn1 shouldn't be too hard; I have a WIP which I will post soon. >> >>> >>> So: currently on my to do list are the certmonger helper and the >>> XER->DER conversion tool. Do you have any comments about these plans, >>> and is there anything else I can do to wrap up the project neatly? >>> >>> Thanks, >>> Ben >>> >> >> Honza >> > [1] https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c > [2] > https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c -- Jan Cholasta From abokovoy at redhat.com Mon Dec 12 08:54:15 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Dec 2016 10:54:15 +0200 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> Message-ID: <20161212085415.4ywhrj74gg7jzipl@redhat.com> On ma, 12 joulu 2016, Christian Heimes wrote: >Hi Simo, > >I'm wondering if we need to change kdcproxy for anon pkinit. What kind >of Kerberos requests are performed by anon pkinit and to establish a >FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ >and AP-REQ+KRB-PRV. Responses are not filtered. Anonymous principal as configured in FreeIPA can only be used to obtain a TGT, nothing else. See https://tools.ietf.org/html/rfc6112 for a spec definition. -- / Alexander Bokovoy From freeipa-github-notification at redhat.com Mon Dec 12 08:54:28 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 12 Dec 2016 09:54:28 +0100 Subject: [Freeipa-devel] [freeipa PR#325][opened] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Author: pvomacka Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Action: opened PR body: """ There was a missing default value for the evaluator adapter. In that case the adapter variable could be undefined and it crashed when building the adapter. Therefore it did not evaluate all evaluators. That is the reason why the 'Delete' and 'Add' buttons were incorrectly shown. The default value is now set to an empty object. https://fedorahosted.org/freeipa/ticket/6546 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/325/head:pr325 git checkout pr325 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-325.patch Type: text/x-diff Size: 1140 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 12 09:01:43 2016 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 12 Dec 2016 10:01:43 +0100 Subject: [Freeipa-devel] [freeipa PR#326][opened] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: opened PR body: """ Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the default to a plain path (which implies the FILE: prefix) while the Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace the 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use the net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-326.patch Type: text/x-diff Size: 3100 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 12 09:09:50 2016 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 12 Dec 2016 10:09:50 +0100 Subject: [Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-326.patch Type: text/x-diff Size: 3059 bytes Desc: not available URL: From cheimes at redhat.com Mon Dec 12 09:11:16 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 12 Dec 2016 10:11:16 +0100 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <20161212085415.4ywhrj74gg7jzipl@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> <20161212085415.4ywhrj74gg7jzipl@redhat.com> Message-ID: <70f10fb2-5085-b06f-03a2-e1ee688139a0@redhat.com> On 2016-12-12 09:54, Alexander Bokovoy wrote: > On ma, 12 joulu 2016, Christian Heimes wrote: >> Hi Simo, >> >> I'm wondering if we need to change kdcproxy for anon pkinit. What kind >> of Kerberos requests are performed by anon pkinit and to establish a >> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ >> and AP-REQ+KRB-PRV. Responses are not filtered. > Anonymous principal as configured in FreeIPA can only be used to obtain > a TGT, nothing else. > > See https://tools.ietf.org/html/rfc6112 for a spec definition. That doesn't answer my question for me. Or does 'only TGT' imply that request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks about the two request types. Christian -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Dec 12 09:18:53 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Mon, 12 Dec 2016 10:18:53 +0100 Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management pvomacka commented: """ @mbasti-rh Thank you for the review. 1. Fixed 2. Fixed Additionally I fixed two more issues which I found during testing. The tables on User Vaults or Service Vaults didn't show different vaults (of different users/services) which have the same name - FIXED now. The second issue was that when e.g. admin adds a user/shared vault on the service page, the search page with the new vault was not refreshed - FIXED now. 3. My User Vaults calls vault-find which returns all Vaults in which the currently logged-in user is in the Owners or Members group. It is called without --pkey-only, because we also want to get information about the vault type in the response. User Vaults shows all user vaults (of all users) and there is --pkey-only because we call vault-show for each user vault which is returned and in each vault-show response we get all (and several more) information which are also in vault-find (without --pkey-only). So, we don't need to transfer data (those parts which are in both responses) twice. I understand that the difference between those two sections might not be very clear. If you have any idea on how to improve this feel free to put a comment here or open a ticket. """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-266378821 From abokovoy at redhat.com Mon Dec 12 09:21:34 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Dec 2016 11:21:34 +0200 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <70f10fb2-5085-b06f-03a2-e1ee688139a0@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> <20161212085415.4ywhrj74gg7jzipl@redhat.com> <70f10fb2-5085-b06f-03a2-e1ee688139a0@redhat.com> Message-ID: <20161212092134.3nvhkql4ikthhyie@redhat.com> On ma, 12 joulu 2016, Christian Heimes wrote: >On 2016-12-12 09:54, Alexander Bokovoy wrote: >> On ma, 12 joulu 2016, Christian Heimes wrote: >>> Hi Simo, >>> >>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind >>> of Kerberos requests are performed by anon pkinit and to establish a >>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ >>> and AP-REQ+KRB-PRV. Responses are not filtered. >> Anonymous principal as configured in FreeIPA can only be used to obtain >> a TGT, nothing else. >> >> See https://tools.ietf.org/html/rfc6112 for a spec definition. > >That doesn't answer my question for me. Or does 'only TGT' imply that >request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks >about the two request types. You can only obtain a TGT and this TGT can only be used for FAST channel. You cannot obtain any service ticket with this TGT. -- / Alexander Bokovoy From abokovoy at redhat.com Mon Dec 12 09:37:01 2016 
From: abokovoy at redhat.com (Alexander Bokovoy) Date: Mon, 12 Dec 2016 11:37:01 +0200 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <20161212092134.3nvhkql4ikthhyie@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> <20161212085415.4ywhrj74gg7jzipl@redhat.com> <70f10fb2-5085-b06f-03a2-e1ee688139a0@redhat.com> <20161212092134.3nvhkql4ikthhyie@redhat.com> Message-ID: <20161212093701.ldqgxcejmjx5p4xd@redhat.com> On ma, 12 joulu 2016, Alexander Bokovoy wrote: >On ma, 12 joulu 2016, Christian Heimes wrote: >>On 2016-12-12 09:54, Alexander Bokovoy wrote: >>>On ma, 12 joulu 2016, Christian Heimes wrote: >>>>Hi Simo, >>>> >>>>I'm wondering if we need to change kdcproxy for anon pkinit. What kind >>>>of Kerberos requests are performed by anon pkinit and to establish a >>>>FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ >>>>and AP-REQ+KRB-PRV. Responses are not filtered. >>>Anonymous principal as configured in FreeIPA can only be used to obtain >>>a TGT, nothing else. >>> >>>See https://tools.ietf.org/html/rfc6112 for a spec definition. >> >>That doesn't answer my question for me. Or does 'only TGT' imply that >>request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks >>about the two request types. >You can only obtain a TGT and this TGT can only be used for FAST >channel. You cannot obtain any service ticket with this TGT. To close the loop, no changes in kdcproxy are needed because PKINIT is a pre-authentication scheme and it works just fine with kdcproxy as it is. I just tested this. -- / Alexander Bokovoy From cheimes at redhat.com Mon Dec 12 09:46:38 2016 
From: cheimes at redhat.com (Christian Heimes) Date: Mon, 12 Dec 2016 10:46:38 +0100 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <20161212093701.ldqgxcejmjx5p4xd@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> <20161212085415.4ywhrj74gg7jzipl@redhat.com> <70f10fb2-5085-b06f-03a2-e1ee688139a0@redhat.com> <20161212092134.3nvhkql4ikthhyie@redhat.com> <20161212093701.ldqgxcejmjx5p4xd@redhat.com> Message-ID: On 2016-12-12 10:37, Alexander Bokovoy wrote: > On ma, 12 joulu 2016, Alexander Bokovoy wrote: >> On ma, 12 joulu 2016, Christian Heimes wrote: >>> On 2016-12-12 09:54, Alexander Bokovoy wrote: >>>> On ma, 12 joulu 2016, Christian Heimes wrote: >>>>> Hi Simo, >>>>> >>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind >>>>> of Kerberos requests are performed by anon pkinit and to establish a >>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ >>>>> and AP-REQ+KRB-PRV. Responses are not filtered. >>>> Anonymous principal as configured in FreeIPA can only be used to obtain >>>> a TGT, nothing else. >>>> >>>> See https://tools.ietf.org/html/rfc6112 for a spec definition. >>> >>> That doesn't answer my question for me. Or does 'only TGT' imply that >>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks >>> about the two request types. >> You can only obtain a TGT and this TGT can only be used for FAST >> channel. You cannot obtain any service ticket with this TGT. > To close the loop, no changes in kdcproxy are needed because PKINIT is a > pre-authentication scheme and it works just fine with kdcproxy as it is. > I just tested this. Alexander, thanks for your tests! I have created an issue to add test cases to kdcproxy to ensure that we stay compatible with PKINIT, https://github.com/latchset/kdcproxy/issues/23 Christian -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 455 bytes Desc: OpenPGP digital signature URL: From freeipa-github-notification at redhat.com Mon Dec 12 09:48:01 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Mon, 12 Dec 2016 10:48:01 +0100 Subject: [Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code tiran commented: """ I'll review the patch by the end of the week. Some changes are not required. """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-266384886 From simo at redhat.com Mon Dec 12 10:17:45 2016 From: simo at redhat.com (Simo Sorce) Date: Mon, 12 Dec 2016 05:17:45 -0500 Subject: [Freeipa-devel] Anonymous PKINIT and kdcproxy In-Reply-To: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> References: <122b40df-3e0a-790e-6c99-f265bffb4ea1@redhat.com> Message-ID: <1481537865.7156.20.camel@redhat.com> On Mon, 2016-12-12 at 09:42 +0100, Christian Heimes wrote: > Hi Simo, > > I'm wondering if we need to change kdcproxy for anon pkinit. What kind > of Kerberos requests are performed by anon pkinit and to establish a > FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ > and AP-REQ+KRB-PRV. Responses are not filtered. No changes needed, we only use AS and TGS request types. Simo. -- Simo Sorce * Red Hat, Inc * New York From freeipa-github-notification at redhat.com Mon Dec 12 10:45:24 2016 
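An added example, not python-kdcproxy's own code: a request-type check of the kind the kdcproxy thread above discusses, which classifies a TCP-framed Kerberos message by its outer DER application tag (RFC 4120, section 5.10) and forwards only the AS-REQ and TGS-REQ types the thread concludes anonymous PKINIT and FAST need. The sample messages are constructed with placeholder bodies; only the framing and the outer tag are realistic.

```python
import struct

# Outer DER tags of Kerberos messages (RFC 4120, section 5.10): each message is
# [APPLICATION n] constructed, so the identifier octet is 0x60 | n.
KRB_MESSAGE_TYPES = {
    0x60 | 10: "AS-REQ",
    0x60 | 11: "AS-REP",
    0x60 | 12: "TGS-REQ",
    0x60 | 13: "TGS-REP",
    0x60 | 14: "AP-REQ",
    0x60 | 15: "AP-REP",
    0x60 | 20: "KRB-SAFE",
    0x60 | 21: "KRB-PRIV",
    0x60 | 22: "KRB-CRED",
    0x60 | 30: "KRB-ERROR",
}

# Per the thread: PKINIT is a pre-authentication scheme carried in AS-REQ and
# the anonymous TGT is only used as FAST armor, so a proxy only has to pass
# AS and TGS requests for it to work.
ALLOWED_FOR_PKINIT = frozenset({"AS-REQ", "TGS-REQ"})


def der_tag_and_length(buf):
    """Return (tag, header_len, content_len) for the DER TLV starting at buf[0].

    Rejects indefinite and non-minimal lengths, which DER does not allow.
    """
    if len(buf) < 2:
        raise ValueError("too short for a DER header")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("indefinite, oversized or truncated DER length")
    content_len = int.from_bytes(buf[2:2 + n], "big")
    if content_len < 0x80 or (n > 1 and content_len < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal DER length")
    return tag, 2 + n, content_len


def classify_krb_message(msg):
    """Name the Kerberos message type of one raw DER-encoded message."""
    tag, header_len, content_len = der_tag_and_length(msg)
    if header_len + content_len != len(msg):
        raise ValueError("DER length does not match message size")
    if tag not in KRB_MESSAGE_TYPES:
        raise ValueError("not a Kerberos message tag: 0x%02x" % tag)
    return KRB_MESSAGE_TYPES[tag]


def unwrap_tcp_framing(framed):
    """Strip the 4-byte big-endian length prefix of Kerberos over TCP
    (RFC 4120, section 7.2.2) and return the inner message."""
    if len(framed) < 4:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!I", framed[:4])
    if length != len(framed) - 4:
        raise ValueError("length prefix does not match payload size")
    return framed[4:]


def proxy_should_forward(framed, allowed=ALLOWED_FOR_PKINIT):
    """Filter decision: (forward?, message type or the reason for refusal)."""
    try:
        kind = classify_krb_message(unwrap_tcp_framing(framed))
    except ValueError as exc:
        return False, "malformed: %s" % exc
    return kind in allowed, kind


def framed_message(tag, content):
    """Build a TCP-framed test message; short-form DER length only (< 128)."""
    if len(content) >= 0x80:
        raise ValueError("helper supports short-form lengths only")
    body = bytes([tag, len(content)]) + content
    return struct.pack("!I", len(body)) + body


# Constructed samples: the bodies are placeholders, not real KDC-REQ content.
SAMPLE_AS_REQ = framed_message(0x60 | 10, b"\x30\x03\x02\x01\x05")
SAMPLE_TGS_REQ = framed_message(0x60 | 12, b"\x30\x00")
SAMPLE_KRB_PRIV = framed_message(0x60 | 21, b"\x30\x00")
# Prefix is right, but the DER header claims 9 content bytes and only 2 follow.
SAMPLE_BAD_LENGTH = b"\x00\x00\x00\x04" + b"\x6a\x09\x30\x00"

if __name__ == "__main__":
    for name, sample in [("AS-REQ", SAMPLE_AS_REQ), ("TGS-REQ", SAMPLE_TGS_REQ),
                         ("KRB-PRIV", SAMPLE_KRB_PRIV), ("bad", SAMPLE_BAD_LENGTH)]:
        print(name, proxy_should_forward(sample))
```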
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 12 Dec 2016 11:45:24 +0100 Subject: [Freeipa-devel] [freeipa PR#319][+ack] [master] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/319 Title: #319: [master] gracefully handle setting replica bind dn group on old masters Label: +ack From freeipa-github-notification at redhat.com Mon Dec 12 10:45:28 2016 From: freeipa-github-notification at redhat.com (flo-renaud) Date: Mon, 12 Dec 2016 11:45:28 +0100 Subject: [Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/319 Title: #319: [master] gracefully handle setting replica bind dn group on old masters flo-renaud commented: """ Hi, thanks for the patch. It works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266396960 From freeipa-github-notification at redhat.com Mon Dec 12 10:49:50 2016 
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 12 Dec 2016 11:49:50 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
The main problem here is that we are mixing two approaches together, i.e. entropy specification using bits + specification using character classes etc. which used to be means of expressing entropy requirements in a way understandable by ordinary users.

If I understand it correctly, the encoding here is just to please password-quality checkers because the real password strength should be provided by the `entropy` parameter.

So I propose to use character classes only for encoding but not during generation. That should simplify the code and make it easier to understand.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266397912

From freeipa-github-notification at redhat.com Mon Dec 12 10:55:41 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 11:55:41 +0100
Subject: [Freeipa-devel] [freeipa PR#319][+pushed] [master] gracefully handle setting replica bind dn group on old masters

URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 12 10:55:42 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 11:55:42 +0100
Subject: [Freeipa-devel] [freeipa PR#319][closed] [master] gracefully handle setting replica bind dn group on old masters

URL: https://github.com/freeipa/freeipa/pull/319
Author: martbab
Title: #319: [master] gracefully handle setting replica bind dn group on old masters
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/319/head:pr319
git checkout pr319

From freeipa-github-notification at redhat.com Mon Dec 12 10:55:43 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 11:55:43 +0100
Subject: [Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters

URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/95e602598a481f9c4a3b69ce8a861bf3816aa8ba
"""

See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266399054

From freeipa-github-notification at redhat.com Mon Dec 12 11:03:28 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 12 Dec 2016 12:03:28 +0100
Subject: [Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-177.patch
Type: text/x-diff
Size: 22330 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 11:04:29 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 12 Dec 2016 12:04:29 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast right you are. PR updated with conditional import. Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266400860

From freeipa-github-notification at redhat.com Mon Dec 12 11:45:20 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 12:45:20 +0100
Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

martbab commented:
"""
Pylint complains about an undefined function because you made a typo.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266408970

From freeipa-github-notification at redhat.com Mon Dec 12 11:53:55 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 12:53:55 +0100
Subject: [Freeipa-devel] [freeipa PR#177][+ack] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

Label: +ack

From freeipa-github-notification at redhat.com Mon Dec 12 11:56:01 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 12:56:01 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
> I understand that the difference between those two sections could not be very clear. If you have any idea on how to improve this feel free to put a comment here or open a ticket.

I have, you can extend vault-find command :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-266413702

From freeipa-github-notification at redhat.com Mon Dec 12 11:58:51 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 12:58:51 +0100
Subject: [Freeipa-devel] [freeipa PR#177][closed] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177

From freeipa-github-notification at redhat.com Mon Dec 12 11:58:52 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 12:58:52 +0100
Subject: [Freeipa-devel] [freeipa PR#177][+pushed] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 12 11:58:53 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 12:58:53 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266414213

From freeipa-github-notification at redhat.com Mon Dec 12 12:03:53 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 13:03:53 +0100
Subject: [Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
I don't know
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266415165

From freeipa-github-notification at redhat.com Mon Dec 12 12:05:51 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:05:51 +0100
Subject: [Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

martbab commented:
"""
@jcholast @frasertweedale I hope you did notice those failures in Travis CI before acking/pushing...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266415516

From freeipa-github-notification at redhat.com Mon Dec 12 12:06:05 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 12 Dec 2016 13:06:05 +0100
Subject: [Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-326.patch
Type: text/x-diff
Size: 3060 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 12:06:50 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Mon, 12 Dec 2016 13:06:50 +0100
Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

abbra commented:
"""
Thanks, fixed it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266415709

From freeipa-github-notification at redhat.com Mon Dec 12 12:10:15 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:10:15 +0100
Subject: [Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-266416346

From freeipa-github-notification at redhat.com Mon Dec 12 12:17:40 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 12 Dec 2016 13:17:40 +0100
Subject: [Freeipa-devel] [freeipa PR#327][opened] WebUI: RPC refactoring

URL: https://github.com/freeipa/freeipa/pull/327
Author: pvomacka
Title: #327: WebUI: RPC refactoring
Action: opened

PR body:
"""
Moved from ML ( https://www.redhat.com/archives/freeipa-devel/2016-November/msg00338.html ) to PR.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/327/head:pr327
git checkout pr327

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-327.patch
Type: text/x-diff
Size: 24578 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 12:17:50 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 12 Dec 2016 13:17:50 +0100
Subject: [Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring

URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
The last comment from pvoborni:

"patch 84:

Looks good, works fine, it just needed rebase (I could provide that).

Idea, but that doesn't have to be implemented, or sometime in future, right now it is not useful: What about providing the rpc object in the event, and having unique id for each rpc call so that we could track all rpc which are executed.

patch 101:

1. It's event name but the property name looks like that it contains a text:
    that.change_text = 'change-activity-text';

Should it be rather: that.change_text_event.

Or even, why does it compare previous text? Does it matter? Wouldn't be better to have 'set-activity' event. And then the handler would call something new set_text method:

    set_text(new_activity)
        that.dots = 0
        that.text = new_activity
        that.make_step()

--
Petr Vobornik"
"""

See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-266417734

From freeipa-github-notification at redhat.com Mon Dec 12 12:19:57 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:19:57 +0100
Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

martbab commented:
"""
Any update on this PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-266418147

From freeipa-github-notification at redhat.com Mon Dec 12 12:20:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:20:52 +0100
Subject: [Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-266418295

From freeipa-github-notification at redhat.com Mon Dec 12 12:23:29 2016
From: freeipa-github-notification at redhat.com (apophys)
Date: Mon, 12 Dec 2016 13:23:29 +0100
Subject: [Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

apophys commented:
"""
The rewrite to integration test is in my queue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-266418775

From freeipa-github-notification at redhat.com Mon Dec 12 12:24:26 2016
From: freeipa-github-notification at redhat.com (tbordaz)
Date: Mon, 12 Dec 2016 13:24:26 +0100
Subject: [Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level

URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
Title: #324: Check for conflict entries before raising domain level
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-324.patch
Type: text/x-diff
Size: 2097 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 12:26:48 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Mon, 12 Dec 2016 13:26:48 +0100
Subject: [Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring

URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
Patch 84:
Yes, that is a really good idea, but as you said - we don't have a use case for it right now. But I created a ticket to not forget about it. https://fedorahosted.org/freeipa/ticket/6553

Patch 101:
I changed the name of the event to 'set-activity-event', now it accepts one parameter which is the new text of the activity widget. But it can be extended in the future to accept more parameters and set more attributes.
I think that creating a new method "that.set_text" or something similar can lead to calling that method instead of using topics (events). That's the reason why I left the setting of text in an anonymous function (event listener).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-266419398

From pvomacka at redhat.com Mon Dec 12 12:27:35 2016
From: pvomacka at redhat.com (Pavel Vomacka)
Date: Mon, 12 Dec 2016 13:27:35 +0100
Subject: [Freeipa-devel] [PATCH] webui: 0084, 0101: refactoring rpc module
In-Reply-To: <9c4a9170-6465-3597-ae7c-709100109a7d@redhat.com>
References: <9c4a9170-6465-3597-ae7c-709100109a7d@redhat.com>
Message-ID: <3f52f42a-327c-28cc-178f-3c4cece056b2@redhat.com>

Moved to PR: https://github.com/freeipa/freeipa/pull/327

On 11/10/2016 07:47 PM, Petr Vobornik wrote:
> On 08/09/2016 01:29 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> please review attached patches.
>>
>> The rpc module is now separated from display layer
>> and changing activity text while loading metadata.
>>
>> https://fedorahosted.org/freeipa/ticket/6144
>>
>>
>>
> patch 84:
>
> Looks good, works fine, it just needed rebase (I could provide that).
>
> Idea, but that doesn't have to be implemented, or sometime in future,
> right now it is not useful: What about providing the rpc object in the
> event, and having unique id for each rpc call so that we could track all
> rpc which are executed.
>
>
> patch 101:
>
> 1. It's event name but the property name looks like that it contains a text:
>     that.change_text = 'change-activity-text';
>
> Should it be rather: that.change_text_event.
>
> Or even, why does it compare previous text? Does it matter? Wouldn't be
> better to have 'set-activity' event. And then the handler would call
> something new set_text method:
>
>     set_text(new_activity)
>         that.dots = 0
>         that.text = new_activity
>         that.make_step()
>

--
Pavel^3 Vomacka

From freeipa-github-notification at redhat.com Mon Dec 12 12:28:59 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 12 Dec 2016 13:28:59 +0100
Subject: [Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-62.patch
Type: text/x-diff
Size: 39540 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 12:32:50 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:32:50 +0100
Subject: [Freeipa-devel] [freeipa PR#324][comment] Check for conflict entries before raising domain level

URL: https://github.com/freeipa/freeipa/pull/324
Title: #324: Check for conflict entries before raising domain level

martbab commented:
"""
I am still not happy with the PR, see review comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/324#issuecomment-266420463

From freeipa-github-notification at redhat.com Mon Dec 12 12:34:49 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 13:34:49 +0100
Subject: [Freeipa-devel] [freeipa PR#62][+pushed] Configure Anonymous PKINIT on server install

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 12 12:34:50 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 13:34:50 +0100
Subject: [Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-266420855

From freeipa-github-notification at redhat.com Mon Dec 12 12:34:52 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 12 Dec 2016 13:34:52 +0100
Subject: [Freeipa-devel] [freeipa PR#62][closed] Configure Anonymous PKINIT on server install

URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62

From freeipa-github-notification at redhat.com Mon Dec 12 12:43:36 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Mon, 12 Dec 2016 13:43:36 +0100
Subject: [Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN

URL: https://github.com/freeipa/freeipa/pull/245
Author: frasertweedale
Title: #245: Allow full customisability of IPA CA subject DN
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/245/head:pr245
git checkout pr245

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-245.patch
Type: text/x-diff
Size: 62517 bytes

From ftweedal at redhat.com Mon Dec 12 12:49:27 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 22:49:27 +1000
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To: <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com>
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com>
Message-ID: <20161212124927.GN4232@dhcp-40-8.bne.redhat.com>

(This is a tangential discussion, but...)

On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> IMO profile ID should default to caIPAserviceCert on the client as well.
>
NACK. Default profile (although fixed at the present time) should
be considered server-side policy. If we eventually make it
configurable, we don't want older clients overriding it.

Thanks,
Fraser

From freeipa-github-notification at redhat.com Mon Dec 12 12:51:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 12 Dec 2016 13:51:13 +0100
Subject: [Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
I have put on my Travis moustache and found these two failing tests, you will have to fix them:

```
=================================== FAILURES ===================================
test_permission_legacy.test_command[0000: permission_find: Check that some legacy permission is found in $SUFFIX]

self =
index = 0
declarative_test_definition = {'command': ('permission_find', [], {'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=test'), 'version': '2.216'}), 'desc...6e430230>, 'truncated': False}, 'nice': '0000: permission_find: Check that some legacy permission is found in $SUFFIX'}

    def test_command(self, index, declarative_test_definition):
        """Run an individual test

        The arguments are provided by the pytest plugin.
        """
        if callable(declarative_test_definition):
            declarative_test_definition(self)
        else:
>           self.check(**declarative_test_definition)

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:318:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:330: in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:379: in check_output
    assert_deepequal(expected, got, nice)
/usr/lib/python2.7/site-packages/ipatests/util.py:388: in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
/usr/lib/python2.7/site-packages/ipatests/util.py:390: in assert_deepequal
    if not expected(got):
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

results = [{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': ('permission',), ...}, ...]

    def check_legacy_results(results):
        """Check that the expected number of legacy permissions are in $SUFFIX"""
        legacy_permissions = [p for p in results if not p.get('ipapermissiontype')]
        print(legacy_permissions)
>       assert len(legacy_permissions) == 9, len(legacy_permissions)
E       AssertionError: 8
E       assert 8 == 9
E        +  where 8 = len([{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': ('permission',), ...}, ...])

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_permission_plugin.py:3128: AssertionError
```

I also wonder if there is a possibility for this removal to break replica install against older (IPA v3) masters.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-266423674

From jcholast at redhat.com Mon Dec 12 13:04:37 2016
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 12 Dec 2016 14:04:37 +0100
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To: <20161212124927.GN4232@dhcp-40-8.bne.redhat.com>
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com> <20161212124927.GN4232@dhcp-40-8.bne.redhat.com>
Message-ID: <26ed00ea-c0e2-cecb-87ce-5d87f2c991b7@redhat.com>

On 12.12.2016 13:49, Fraser Tweedale wrote:
> (This is a tangential discussion, but...)
>
> On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
>> IMO profile ID should default to caIPAserviceCert on the client as well.
>>
> NACK. Default profile (although fixed at the present time) should
> be considered server-side policy. If we eventually make it
> configurable, we don't want older clients overriding it.

I didn't mean the default value should be overridden on the clients, just
that profile ID should stay optional on the client and use the default
profile ID when unspecified.

>
> Thanks,
> Fraser
>

--
Jan Cholasta

From freeipa-github-notification at redhat.com Mon Dec 12 13:10:38 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 12 Dec 2016 14:10:38 +0100
Subject: [Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

stlaz commented:
"""
Works as expected. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266427247

From freeipa-github-notification at redhat.com Mon Dec 12 13:10:42 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 12 Dec 2016 14:10:42 +0100
Subject: [Freeipa-devel] [freeipa PR#323][+ack] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

Label: +ack

From freeipa-github-notification at redhat.com Mon Dec 12 13:20:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 14:20:09 +0100
Subject: [Freeipa-devel] [freeipa PR#323][+pushed] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 12 13:20:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 14:20:10 +0100
Subject: [Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/15351ab6e7c188fb492e6815026d1d75c4d4d29b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266429139

From freeipa-github-notification at redhat.com Mon Dec 12 13:20:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 14:20:12 +0100
Subject: [Freeipa-devel] [freeipa PR#323][closed] ipactl: pass api as argument to services

URL: https://github.com/freeipa/freeipa/pull/323
Author: mbasti-rh
Title: #323: ipactl: pass api as argument to services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/323/head:pr323
git checkout pr323

From ftweedal at redhat.com Mon Dec 12 13:22:59 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 23:22:59 +1000
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To: <26ed00ea-c0e2-cecb-87ce-5d87f2c991b7@redhat.com>
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com> <20161212124927.GN4232@dhcp-40-8.bne.redhat.com> <26ed00ea-c0e2-cecb-87ce-5d87f2c991b7@redhat.com>
Message-ID: <20161212132259.GO4232@dhcp-40-8.bne.redhat.com>

On Mon, Dec 12, 2016 at 02:04:37PM +0100, Jan Cholasta wrote:
> On 12.12.2016 13:49, Fraser Tweedale wrote:
> > (This is a tangential discussion, but...)
> >
> > On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> > > IMO profile ID should default to caIPAserviceCert on the client as well.
> > >
> > NACK. Default profile (although fixed at the present time) should
> > be considered server-side policy. If we eventually make it
> > configurable, we don't want older clients overriding it.
>
> I didn't mean the default value should be overridden on the clients, just
> that profile ID should stay optional on the client and use the default
> profile ID when unspecified.
>
OK, thanks for clarifying.

> >
> > Thanks,
> > Fraser
> >
>
> --
> Jan Cholasta

From freeipa-github-notification at redhat.com Mon Dec 12 13:28:25 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Mon, 12 Dec 2016 14:28:25 +0100
Subject: [Freeipa-devel] [freeipa PR#313][synchronized] ipaclient.plugins: Use api_version from internally called commands

URL: https://github.com/freeipa/freeipa/pull/313
Author: dkupka
Title: #313: ipaclient.plugins: Use api_version from internally called commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/313/head:pr313
git checkout pr313

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-313.patch
Type: text/x-diff
Size: 3297 bytes

From andrewponomarenko at yandex.ru Mon Dec 12 13:35:47 2016
From: andrewponomarenko at yandex.ru (Ponomarenko Andrey)
Date: Mon, 12 Dec 2016 16:35:47 +0300
Subject: [Freeipa-devel] ABI report for Samba libraries
Message-ID: <1597131481549747@web29j.yandex.ru>

Hello,

The ABI analysis report for the latest versions of Samba: https://abi-laboratory.pro/tracker/timeline/samba/

Hope the report will be helpful for users and maintainers of Samba libraries.

It is generated by the open-source ABICC 2.0 tool: https://github.com/lvc/abi-compliance-checker

Thank you.

From abokovoy at redhat.com Mon Dec 12 13:39:28 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 12 Dec 2016 15:39:28 +0200
Subject: [Freeipa-devel] ABI report for Samba libraries
In-Reply-To: <1597131481549747@web29j.yandex.ru>
References: <1597131481549747@web29j.yandex.ru>
Message-ID: <20161212133928.slakdkvpztmoae4q@redhat.com>

Hi Andrey,

On ma, 12 joulu 2016, Ponomarenko Andrey wrote:
>Hello,
>
>The ABI analysis report for the latest versions of Samba: https://abi-laboratory.pro/tracker/timeline/samba/
>
>Hope the report will be helpful for users and maintainers of Samba libraries.
Yes, thank you for the report. Are you going to keep generating reports
with each upstream release?

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Mon Dec 12 13:42:55 2016
From: freeipa-github-notification at redhat.com (gkaihorodova)
Date: Mon, 12 Dec 2016 14:42:55 +0100
Subject: [Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Author: gkaihorodova
Title: #210: Tests: Stage User Tracker implementation
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/210/head:pr210
git checkout pr210

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-210.patch
Type: text/x-diff
Size: 4681 bytes

From andrewponomarenko at yandex.ru Mon Dec 12 13:47:07 2016
From: andrewponomarenko at yandex.ru (Ponomarenko Andrey)
Date: Mon, 12 Dec 2016 16:47:07 +0300
Subject: [Freeipa-devel] ABI report for Samba libraries
In-Reply-To: <20161212133928.slakdkvpztmoae4q@redhat.com>
References: <1597131481549747@web29j.yandex.ru> <20161212133928.slakdkvpztmoae4q@redhat.com>
Message-ID: <2384551481550427@web6g.yandex.ru>

An HTML attachment was scrubbed...

From abokovoy at redhat.com Mon Dec 12 14:00:41 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 12 Dec 2016 16:00:41 +0200
Subject: [Freeipa-devel] ABI report for Samba libraries
In-Reply-To: <2384551481550427@web6g.yandex.ru>
References: <1597131481549747@web29j.yandex.ru> <20161212133928.slakdkvpztmoae4q@redhat.com> <2384551481550427@web6g.yandex.ru>
Message-ID: <20161212140041.qy7xect4upmbsi7l@redhat.com>

On ma, 12 joulu 2016, Ponomarenko Andrey wrote:
>Hi Alexander,
>
>The report is updated on Mon, Wed and Fri at 11:00 UTC: https://abi-laboratory.pro/index.php?view=abi-tracker
Ok, thanks. Could you please extend the report to include all libraries
that are built as part of Samba? E.g. not only the public ones but also
the ones used privately by Samba itself.

--
/ Alexander Bokovoy

From freeipa-github-notification at redhat.com Mon Dec 12 14:08:51 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 12 Dec 2016 15:08:51 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Talk is cheap so here is the code!

~~~
import math
import string
import random


class TokenGenerator(object):
    """Tunable token generator."""

    # without: = # ' " \ `
    _special = '!$%&()*+,-./:;<>?@[]^_{|}~'
    def_charsets = {
        'uppercase': {'chars': string.ascii_uppercase,
                      'entropy': math.log(len(string.ascii_uppercase), 2)},
        'lowercase': {'chars': string.ascii_lowercase,
                      'entropy': math.log(len(string.ascii_lowercase), 2)},
        'digits': {'chars': string.digits,
                   'entropy': math.log(len(string.digits), 2)},
        'special': {'chars': _special,
                    'entropy': math.log(len(_special), 2)},
    }

    def __init__(self, uppercase=0, lowercase=0, digits=0, special=0,
                 min_len=0):
        """Specify character constraints on generated tokens.

        Integer values specify minimal number of characters from given
        character class and length. Value False prevents given character
        class from appearing in the token.

        Example:
        TokenGenerator(uppercase=3, lowercase=3, digits=0, special=False)
        At least 3 upper and 3 lower case ASCII chars, may contain digits,
        no special chars.
        """
        # SystemRandom draws from the OS CSPRNG; all choices below use it
        self.rng = random.SystemRandom()
        self.min_len = min_len
        self.req_classes = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )
        self.todo_charsets = self.def_charsets.copy()
        # 'all' class is used when adding entropy to too-short tokens
        # it contains characters from all allowed classes
        self.todo_charsets['all'] = {'chars': ''.join(
            [charclass['chars']
             for charclass_name, charclass in self.todo_charsets.items()
             if self.req_classes[charclass_name] is not False]
        )}
        self.todo_charsets['all']['entropy'] = math.log(
            len(self.todo_charsets['all']['chars']), 2)

    def __call__(self, req_entropy=128):
        """Generate token containing at least req_entropy bits.

        req_entropy is minimal number of entropy bits attacker has to guess:
        128 bits entropy: secure
        256 bits of entropy: secure enough if you care about quantum computers

        The generated token will fulfill constraints specified in init.
        """
        todo_entropy = req_entropy
        password = ''

        # Generate required character classes:
        # The order of generated characters is fixed to comply with check in
        # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
        for charclass_name in ['digits', 'uppercase', 'lowercase', 'special']:
            charclass = self.todo_charsets[charclass_name]
            todo_characters = self.req_classes[charclass_name]
            while todo_characters > 0:
                # self.rng, not the module-level random.choice(): the
                # module-level generator is a non-cryptographic Mersenne Twister
                password += self.rng.choice(charclass['chars'])
                todo_entropy -= charclass['entropy']
                todo_characters -= 1

        # required character classes do not provide sufficient entropy
        # or do not fulfill minimal length constraint
        allchars = self.todo_charsets['all']
        while todo_entropy > 0 or len(password) < self.min_len:
            password += self.rng.choice(allchars['chars'])
            todo_entropy -= allchars['entropy']

        return password


if __name__ == '__main__':
    pwgen = TokenGenerator()
    for i in range(100):
        print(pwgen(256))
~~~

This code deterministically generates passwords. If character constraints are specified, the code might generate slightly longer passwords than the brute-force method.

For example, for a 256 bit password with FIPS-compliant constraints (3 character classes) the difference is 41 vs. 40 characters. Given this difference, I think that determinism trumps shorter passwords.

Also, I think that it does not make sense to have the `req_entropy` parameter in `__call__`. IMHO it makes sense to specify it along with other constraints in `__init__`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266439544

From freeipa-github-notification at redhat.com Mon Dec 12 14:46:27 2016
From: freeipa-github-notification at redhat.com (tbordaz)
Date: Mon, 12 Dec 2016 15:46:27 +0100
Subject: [Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level

URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
Title: #324: Check for conflict entries before raising domain level
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-324.patch
Type: text/x-diff
Size: 2069 bytes

From freeipa-github-notification at redhat.com Mon Dec 12 14:59:34 2016
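To check the 41 vs. 40 figure from pspacek's PR#317 comment above, here is an added example (not pspacek's code and not FreeIPA's): it computes the token length each scheme yields for a given entropy target, generates a token with the OS CSPRNG via `secrets`, and validates a token against the class minimums, the allowed alphabet and the NSS ordering. It assumes the three FIPS classes are one digit, one uppercase and one lowercase character with specials still allowed; the function names `deterministic_length`, `rejection_length`, `generate` and `check_token` are mine.

```python
import math
import secrets
import string

# Character classes as in the TokenGenerator comment: '=', '#', quotes,
# backslash and backtick are deliberately left out of the specials.
SPECIAL = '!$%&()*+,-./:;<>?@[]^_{|}~'
CLASSES = {
    'digits': string.digits,
    'uppercase': string.ascii_uppercase,
    'lowercase': string.ascii_lowercase,
    'special': SPECIAL,
}
# Order in which required characters are emitted (digits, upper, lower,
# special), matching the check in NSS sftk_newPinCheck().
FIPS_ORDER = ('digits', 'uppercase', 'lowercase', 'special')


def bits_per_char(n_chars):
    """Entropy in bits of one character drawn uniformly from n_chars symbols."""
    return math.log(n_chars, 2)


def alphabet(req):
    """All characters from the classes that are not disabled with False."""
    return ''.join(CLASSES[name] for name in FIPS_ORDER
                   if req.get(name, 0) is not False)


def required(req):
    """(class name, minimum count) pairs in FIPS order, skipping disabled classes."""
    return [(name, req.get(name, 0)) for name in FIPS_ORDER
            if req.get(name, 0) is not False]


def deterministic_length(req_entropy, **req):
    """Length produced by the deterministic scheme: the required characters
    first (each credited with the entropy of its own class), then characters
    from the full allowed alphabet until req_entropy bits are reached."""
    todo = req_entropy
    length = 0
    for name, count in required(req):
        todo -= count * bits_per_char(len(CLASSES[name]))
        length += count
    if todo > 0:
        length += math.ceil(todo / bits_per_char(len(alphabet(req))))
    return length


def rejection_length(req_entropy, **req):
    """Length when every character is drawn from the full allowed alphabet
    and a token that misses a required class is simply regenerated."""
    return math.ceil(req_entropy / bits_per_char(len(alphabet(req))))


def generate(req_entropy=128, **req):
    """Deterministic scheme, drawing every character from secrets (OS CSPRNG)."""
    token = ''
    for name, count in required(req):
        token += ''.join(secrets.choice(CLASSES[name]) for _ in range(count))
    allchars = alphabet(req)
    # pad with characters from all allowed classes until the entropy
    # accounting in deterministic_length() is satisfied
    while len(token) < deterministic_length(req_entropy, **req):
        token += secrets.choice(allchars)
    return token


def check_token(token, **req):
    """True if the token uses only allowed characters and starts with the
    required characters in FIPS order (digits, then uppers, lowers, specials)."""
    allowed = alphabet(req)
    if any(ch not in allowed for ch in token):
        return False
    pos = 0
    for name, count in required(req):
        block = token[pos:pos + count]
        if len(block) != count or any(ch not in CLASSES[name] for ch in block):
            return False
        pos += count
    return True


if __name__ == '__main__':
    # constructed FIPS-style constraint: one digit, one upper, one lower
    fips = dict(digits=1, uppercase=1, lowercase=1)
    print(deterministic_length(256, **fips), rejection_length(256, **fips))
    tok = generate(256, **fips)
    print(tok, len(tok), check_token(tok, **fips))
```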
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 15:59:34 +0100 Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf martbab commented: """ The branch needs a rebase. Otherwise works as expected and has no PEP8 errors despite what crazy Travis CI claims. """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266452154 From freeipa-github-notification at redhat.com Mon Dec 12 15:07:11 2016 From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 12 Dec 2016 16:07:11 +0100 Subject: [Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-326.patch Type: text/x-diff Size: 3053 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 12 15:07:56 2016 
From: freeipa-github-notification at redhat.com (abbra) Date: Mon, 12 Dec 2016 16:07:56 +0100 Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf abbra commented: """ Rebased to git master. """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266454397 From freeipa-github-notification at redhat.com Mon Dec 12 15:33:52 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 16:33:52 +0100 Subject: [Freeipa-devel] [freeipa PR#326][+ack] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Label: +ack From freeipa-github-notification at redhat.com Mon Dec 12 15:39:58 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 16:39:58 +0100 Subject: [Freeipa-devel] [freeipa PR#326][+pushed] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 12 15:40:00 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 16:40:00 +0100 Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/38cc01b1c92da36653e0ce4d8f7066282fd1d102 """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266463244 From freeipa-github-notification at redhat.com Mon Dec 12 15:40:01 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 16:40:01 +0100 Subject: [Freeipa-devel] [freeipa PR#326][closed] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 From freeipa-github-notification at redhat.com Mon Dec 12 15:42:01 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Mon, 12 Dec 2016 16:42:01 +0100 Subject: [Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/326 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf martbab commented: """ Rebased and pushed to ipa-4-4 https://fedorahosted.org/freeipa/changeset/fd8c17252fbc3efccad66cdcd373195c0fc53ce3 """ See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266463807 From freeipa-github-notification at redhat.com Mon Dec 12 16:09:02 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 12 Dec 2016 17:09:02 +0100 Subject: [Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-272.patch Type: text/x-diff Size: 16272 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Mon Dec 12 16:09:33 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Mon, 12 Dec 2016 17:09:33 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time pspacek commented: """ I've found the root cause - incorrect order of operations in freeipa.spec.in. Now it should work. """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266471594 From freeipa-github-notification at redhat.com Mon Dec 12 17:17:29 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 12 Dec 2016 18:17:29 +0100 Subject: [Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands mbasti-rh commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/313#issuecomment-266491681 From freeipa-github-notification at redhat.com Mon Dec 12 17:17:33 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Mon, 12 Dec 2016 18:17:33 +0100 Subject: [Freeipa-devel] [freeipa PR#313][+ack] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands Label: +ack From freeipa-github-notification at redhat.com Mon Dec 12 17:29:38 2016 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 12 Dec 2016 18:29:38 +0100 Subject: [Freeipa-devel] [freeipa PR#325][+ack] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Label: +ack From freeipa-github-notification at redhat.com Mon Dec 12 17:29:40 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 12 Dec 2016 18:29:40 +0100 Subject: [Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views pvoborni commented: """ Works for me """ See the full comment at https://github.com/freeipa/freeipa/pull/325#issuecomment-266495026 From freeipa-github-notification at redhat.com Mon Dec 12 17:30:33 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 12 Dec 2016 18:30:33 +0100 Subject: [Freeipa-devel] [freeipa PR#325][+pushed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Label: +pushed From freeipa-github-notification at redhat.com Mon Dec 12 17:30:34 2016 
From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 12 Dec 2016 18:30:34 +0100 Subject: [Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views pvoborni commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/17392b0ef754781775a10973b2fee8a6d1697f5d ipa-4-4: https://fedorahosted.org/freeipa/changeset/cd62808c0e62013f594b0a31acf5bc65f4ce0683 """ See the full comment at https://github.com/freeipa/freeipa/pull/325#issuecomment-266495282 From freeipa-github-notification at redhat.com Mon Dec 12 17:30:36 2016 From: freeipa-github-notification at redhat.com (pvoborni) Date: Mon, 12 Dec 2016 18:30:36 +0100 Subject: [Freeipa-devel] [freeipa PR#325][closed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/325 Author: pvomacka Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/325/head:pr325 git checkout pr325 From freeipa-github-notification at redhat.com Mon Dec 12 17:31:52 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 12 Dec 2016 18:31:52 +0100
Subject: [Freeipa-devel] [freeipa PR#328][opened] fix: regression in API version comparison

URL: https://github.com/freeipa/freeipa/pull/328
Author: mbasti-rh
Title: #328: fix: regression in API version comparison
Action: opened

PR body:
"""
Commit 2cbaf156045769b54150e4d4c3c1071f164a16fb introduced a regression in API version comparison. In case a newer client is trying to call an older server an error is returned, but it should work.

This commit fixes it.

https://fedorahosted.org/freeipa/ticket/6468
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/328/head:pr328
git checkout pr328

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-328.patch
Type: text/x-diff
Size: 1207 bytes

From freeipa-github-notification at redhat.com Tue Dec 13 00:56:03 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Tue, 13 Dec 2016 01:56:03 +0100
Subject: [Freeipa-devel] [freeipa PR#329][opened] experiment: did pull/177 break ci?

URL: https://github.com/freeipa/freeipa/pull/329
Author: frasertweedale
Title: #329: experiment: did pull/177 break ci?
Action: opened

PR body:
"""
This PR reverts the commits from pull/177 to test the hypothesis that something in these commits broke CI.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/329/head:pr329
git checkout pr329

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-329.patch
Type: text/x-diff
Size: 21611 bytes

From freeipa-github-notification at redhat.com Tue Dec 13 01:32:26 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Tue, 13 Dec 2016 02:32:26 +0100
Subject: [Freeipa-devel] [freeipa PR#329][comment] experiment: did pull/177 break ci?

URL: https://github.com/freeipa/freeipa/pull/329
Title: #329: experiment: did pull/177 break ci?

frasertweedale commented:
"""
Yes, it looks like I broke CI. Feel free to merge this PR if I don't find a fix quickly enough.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/329#issuecomment-266608752

From mbabinsk at redhat.com Tue Dec 13 08:41:40 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 13 Dec 2016 09:41:40 +0100
Subject: [Freeipa-devel] Travis CI broke after merging PR 177
Message-ID: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com>

Hi list,

https://github.com/freeipa/freeipa/pull/177 was recently merged despite causing nearly half of the tests in our Travis CI gating to fail. This broke Travis CI for all other PRs that were rebased after this merge, causing false negative errors everywhere.

Fraser reverted the offending commits in https://github.com/freeipa/freeipa/pull/329 which restored Travis to its original state (never mind the PEP8 errors, they were in the original code already).

Regarding these issues I have two questions:

a)

should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert the breakage in order to unblock other contributors? Given the current traffic I think it is sufficient to wait for us to investigate and produce a fix. If not, please scream loudly.

b)

what can we improve to make the results of CI more visible to contributors? I think that I should sit down with Martin 2 and investigate the possibility to send notifications about negative CI results (sufficient IMO) to the mailing list.

In the meanwhile I would like to ask all reviewers to carefully check the output of failed Travis CI runs. If the job fails, you will see the results at the very end of the log. There are two sections: PEP8 errors and test output. You can expand both of them to see what went wrong and report it to the PR author if necessary.

The reviewer and author can then use the very same tool used in CI [1] to reproduce the failures locally. Using the '--no-cleanup' option during the run [2] leaves behind a running container which you can attach to and investigate further.

[1] https://github.com/freeipa/ipa-docker-test-runner
[2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md

If you have any additional questions/suggestions about Travis feel free to contact me.
-- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Dec 13 09:03:19 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 13 Dec 2016 10:03:19 +0100 Subject: [Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/301 Title: #301: scripts, tests: explicitly set confdir in the rest of server code stlaz commented: """ @tiran I find all the changes actually required. I think ACK is in order unless you spell out those which you think are not necessary. """ See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-266683420 From freeipa-github-notification at redhat.com Tue Dec 13 09:07:57 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 10:07:57 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-329.patch Type: text/x-diff Size: 12584 bytes Desc: not available URL: From slaznick at redhat.com Tue Dec 13 09:42:14 2016 
From: slaznick at redhat.com (Standa Laznicka)
Date: Tue, 13 Dec 2016 10:42:14 +0100
Subject: [Freeipa-devel] Travis CI broke after merging PR 177
In-Reply-To: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com>
References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com>
Message-ID: <2434fbc6-4c55-b1eb-55ba-e88180071bd0@redhat.com>

On 12/13/2016 09:41 AM, Martin Babinsky wrote:
> Hi list,
>
> https://github.com/freeipa/freeipa/pull/177 was recently merged
> despite causing nearly half of the tests in our Travis CI gating to
> fail. This broke Travis CI for all other PRs that were rebased after
> this merge, causing false negative errors everywhere.
>
> Fraser reverted the offending commits in
> https://github.com/freeipa/freeipa/pull/329 which restored Travis to
> its original state (never mind the PEP8 errors, they were in the
> original code already).
>
> Regarding these issues I have two questions:
>
> a)
>
> should I merge https://github.com/freeipa/freeipa/pull/329 and thus
> revert the breakage in order to unblock other contributors? Given the
> current traffic I think it is sufficient to wait for us to investigate
> and produce a fix. If not, please scream loudly.
>
> b)
>
> what can we improve to make the results of CI more visible to
> contributors? I think that I should sit down with Martin 2 and
> investigate the possibility to send notifications about negative CI
> results (sufficient IMO) to the mailing list.
>
> In the meanwhile I would like to ask all reviewers to carefully check
> the output of failed Travis CI runs. If the job fails, you will see
> the results at the very end of the log. There are two sections: PEP8
> errors and test output. You can expand both of them to see what went
> wrong and report it to the PR author if necessary.
>
> The reviewer and author can then use the very same tool used in CI [1]
> to reproduce the failures locally. Using the '--no-cleanup' option during
> the run [2] leaves behind a running container which you can attach to
> and investigate further.
>
> [1] https://github.com/freeipa/ipa-docker-test-runner
> [2]
> https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md
>
> If you have any additional questions/suggestions about Travis feel
> free to contact me.
>
Hello,

I would personally wait for a proper fix in the a) case. We've been able to perform well even without Travis up until recently, plus 99% of the pull requests are created and reviewed by team members who are aware of the situation.

As for b): I can't quite imagine how sending mails to the devel list would work but I assume you'd come up with some kind of sane solution.

Standa

From freeipa-github-notification at redhat.com Tue Dec 13 09:57:31 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Tue, 13 Dec 2016 10:57:31 +0100
Subject: [Freeipa-devel] [freeipa PR#330][opened] Build: forbid builds in working directories containing white spaces

URL: https://github.com/freeipa/freeipa/pull/330
Author: pspacek
Title: #330: Build: forbid builds in working directories containing white spaces
Action: opened

PR body:
"""
Spaces are causing problems in libtool, makefiles, autoconf itself, the gettextize framework etc. so this issue cannot be easily fixed. Return on investment is too small to invest into this.

Let's detect the whitespace early and error out with a descriptive error message.

https://fedorahosted.org/freeipa/ticket/6537
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/330/head:pr330
git checkout pr330

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-330.patch
Type: text/x-diff
Size: 1218 bytes

From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 13 10:22:25 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek) Date: Tue, 13 Dec 2016 11:22:25 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][opened] Add GDB pretty-printers for plugin data structures to contrib. Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Author: pspacek Title: #5: Add GDB pretty-printers for plugin data structures to contrib. Action: opened PR body: """ These are convenience scripts I created over time to ease digging in bind-dyndb-ldap data structures. It might make sense to include these in the main repo... """ To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/5/head:pr5 git checkout pr5 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-5.patch Type: text/x-diff Size: 6236 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 13 10:22:54 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 11:22:54 +0100 Subject: [Freeipa-devel] [freeipa PR#329][closed] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From freeipa-github-notification at redhat.com Tue Dec 13 10:22:56 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 11:22:56 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From freeipa-github-notification at redhat.com Tue Dec 13 10:25:32 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 11:25:32 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From freeipa-github-notification at redhat.com Tue Dec 13 10:25:34 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 11:25:34 +0100 Subject: [Freeipa-devel] [freeipa PR#329][reopened] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From freeipa-github-notification at redhat.com Tue Dec 13 10:49:12 2016 
From: freeipa-github-notification at redhat.com (tbordaz) Date: Tue, 13 Dec 2016 11:49:12 +0100 Subject: [Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-324.patch Type: text/x-diff Size: 2143 bytes Desc: not available URL: From ftweedal at redhat.com Tue Dec 13 11:20:05 2016 
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 13 Dec 2016 21:20:05 +1000
Subject: [Freeipa-devel] CI failures - I need your help
Message-ID: <20161213112004.GT4232@dhcp-40-8.bne.redhat.com>

Hi all,

The CI failures caused by one of my recent commits have me baffled. It is exactly this commit[1] at which the problems begin. I cannot see anything in the commit to point a finger at. In-tree tests run fine.

[1] https://github.com/freeipa/freeipa/commit/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d

In terms of symptoms: a Travis run has two jobs, one dealing with `test_xmlrpc/test_[a-k]*.py' and the other dealing with `test_xmlrpc/test_[l-z]*.py' as well as `test_install/', `test_ipalib/', `test_ipapython/', `test_ipaserver/' and `test_pkcs10'.

See [2] for an example of a failing build: the first job (which includes tests for the ca plugin, which is what the patch relates to) does succeed, but the second fails catastrophically with myriad occurrences of:

E NetworkError: cannot connect to 'https://master1.ipa.test/ipa/session/json': (SSL_ERROR_NO_CIPHERS_SUPPORTED) No cipher suites are present and enabled in this program.

Leading to the unfortunate outcome:

======= 254 failed, 576 passed, 98 skipped, 1756 error in 254.59 seconds =======

[2] https://travis-ci.org/freeipa/freeipa/builds/183544973

I have been unsuccessful in running `ipa-docker-test-runner' on my own machine due to Java thread creation problems, so I need the help of others to analyse and fix this issue. If someone was able to analyse a running container that had the test failures, send logs, or even make an image of the container and upload it somewhere for me, it might lead to some answers.

Thanks for your help.

Fraser

(P.S. I hope it is not a trivial thing I have overlooked ^_^)

From freeipa-github-notification at redhat.com Tue Dec 13 11:24:26 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 12:24:26 +0100 Subject: [Freeipa-devel] [freeipa PR#324][+ack] Check for conflict entries before raising domain level In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/324 Title: #324: Check for conflict entries before raising domain level Label: +ack From freeipa-github-notification at redhat.com Tue Dec 13 11:26:40 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 12:26:40 +0100 Subject: [Freeipa-devel] [freeipa PR#324][comment] Check for conflict entries before raising domain level In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/324 Title: #324: Check for conflict entries before raising domain level martbab commented: """ There were some PEP8 errors but I fixed them and pushed to: ipa-4-4: https://fedorahosted.org/freeipa/changeset/d028d23c5f0c3e1b18c15fad67a0893870f5d27c master: https://fedorahosted.org/freeipa/changeset/26bd7ebfa27d15221e5d3fa1e3871a0085c31e0f """ See the full comment at https://github.com/freeipa/freeipa/pull/324#issuecomment-266714549 From freeipa-github-notification at redhat.com Tue Dec 13 11:26:41 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 12:26:41 +0100 Subject: [Freeipa-devel] [freeipa PR#324][closed] Check for conflict entries before raising domain level In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 From freeipa-github-notification at redhat.com Tue Dec 13 11:28:56 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 12:28:56 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-329.patch Type: text/x-diff Size: 892 bytes Desc: not available URL: From ftweedal at redhat.com Tue Dec 13 12:07:26 2016 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 13 Dec 2016 22:07:26 +1000 Subject: [Freeipa-devel] Travis CI broke after merging PR 177 In-Reply-To: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com> References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com> Message-ID: <20161213120726.GU4232@dhcp-40-8.bne.redhat.com> On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote: > Hi list, > > https://github.com/freeipa/freeipa/pull/177 was recently merged despite > causing nearly half of the tests in our Travis CI gating to fail. This broke > Travis CI for all other PRs that were rebased after this merge, causing false > negative errors everywhere. > > Fraser reverted the offending commits in > https://github.com/freeipa/freeipa/pull/329 which restored Travis to > original state (never mind PEP8 errors they were in the original code > already). > > Regarding these issues I have two questions: > > a) > > should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert > the breakage in order to unblock other contributors? Given the current > traffic I think it is sufficient to wait for us to investigate and produce a > fix. If not, please scream loudly. > Definitely not, I am using this PR as a playground to poke the CI in various ways. Also, a proper fix would be best :) See also my other mail (I would have replied here but fetchmail was not fetching mail and I missed it until just now >_<). > b) > > what can we improve to make the results of CI more visible to contributors? > I think that I should sit down with Martin 2 and investigate the possibility > to send notifications about negative CI results (sufficient IMO) to the > mailing list. > Or the commit author. It would be *great* if the test job, in event of failure, would collect all the obvious logs and dump them somewhere as artifacts. > In the meanwhile I would like to ask all reviewers to carefully check the > output of failed Travis CI runs.
If the job fails, you will see the results > at the very end of the log. There are two sections: PEP8 errors and test > output. You can expand both of them to see what went wrong and report it to > the PR author if necessary. > > The reviewer and author can then use the very same tool used in CI [1] to > reproduce the failures locally. Using '--no-cleanup' option during the run > [2] leaves behind a running container which you can attach to and > investigate further. > > [1] https://github.com/freeipa/ipa-docker-test-runner > [2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md > > If you have any additional questions/suggestions about Travis feel free to > contact me. > > -- > Martin^3 Babinsky > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code From freeipa-github-notification at redhat.com Tue Dec 13 12:11:24 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 13:11:24 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-329.patch Type: text/x-diff Size: 1634 bytes Desc: not available URL: From mbabinsk at redhat.com Tue Dec 13 12:11:37 2016 
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 13 Dec 2016 13:11:37 +0100 Subject: [Freeipa-devel] Travis CI broke after merging PR 177 In-Reply-To: <20161213120726.GU4232@dhcp-40-8.bne.redhat.com> References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com> <20161213120726.GU4232@dhcp-40-8.bne.redhat.com> Message-ID: <7554b9a1-87f7-14ef-5eb2-447616b54a73@redhat.com> On 12/13/2016 01:07 PM, Fraser Tweedale wrote: > On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote: >> Hi list, >> >> https://github.com/freeipa/freeipa/pull/177 was recently merged despite >> causing nearly half of the tests in our Travis CI gating to fail. This broke >> Travis CI for all other PRs that were rebased after this merge, causing false >> negative errors everywhere. >> >> Fraser reverted the offending commits in >> https://github.com/freeipa/freeipa/pull/329 which restored Travis to >> original state (never mind PEP8 errors they were in the original code >> already). >> >> Regarding these issues I have two questions: >> >> a) >> >> should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert >> the breakage in order to unblock other contributors? Given the current >> traffic I think it is sufficient to wait for us to investigate and produce a >> fix. If not, please scream loudly. >> > Definitely not, I am using this PR as a playground to poke the CI in > various ways. Also, a proper fix would be best :) See also my other > mail (I would have replied here but fetchmail was not fetching mail > and I missed it until just now >_<). > >> b) >> >> what can we improve to make the results of CI more visible to contributors? >> I think that I should sit down with Martin 2 and investigate the possibility >> to send notifications about negative CI results (sufficient IMO) to the >> mailing list. >> > Or the commit author. > > It would be *great* if the test job, in event of failure, would > collect all the obvious logs and dump them somewhere as artifacts.
> That would be great but AFAIK Travis CI does support only archiving artifacts into a running AWS instance[1] which we do not have and would have to buy, run and maintain ourselves. For now we have to inspect the log dumps generated in the job output. >> In the meanwhile I would like to ask all reviewers to carefully check the >> output of failed Travis CI runs. If the job fails, you will see the results >> at the very end of the log. There are two sections: PEP8 errors and test >> output. You can expand both of them to see what went wrong and report it to >> the PR author if necessary. >> >> The reviewer and author can then use the very same tool used in CI [1] to >> reproduce the failures locally. Using '--no-cleanup' option during the run >> [2] leaves behind a running container which you can attach to and >> investigate further. >> >> [1] https://github.com/freeipa/ipa-docker-test-runner >> [2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md >> >> If you have any additional questions/suggestions about Travis feel free to >> contact me. >> >> -- >> Martin^3 Babinsky [1] https://docs.travis-ci.com/user/uploading-artifacts/ -- Martin^3 Babinsky From mbabinsk at redhat.com Tue Dec 13 12:21:29 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 13 Dec 2016 13:21:29 +0100 Subject: [Freeipa-devel] CI failures - I need your help In-Reply-To: <20161213112004.GT4232@dhcp-40-8.bne.redhat.com> References: <20161213112004.GT4232@dhcp-40-8.bne.redhat.com> Message-ID: <0558460d-ab63-98ba-06f9-f8f016ebd358@redhat.com> On 12/13/2016 12:20 PM, Fraser Tweedale wrote: > Hi all, > > The CI failures caused by one of my recent commits have me baffled. > It is exactly this commit[1] at which the problems begin. I cannot > see anything in the commit to point a finger at. In-tree tests run > fine. > > [1] https://github.com/freeipa/freeipa/commit/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d > > In terms of symptoms: a Travis run has two jobs, one dealing with > `test_xmlrpc/test_[a-k]*.py' and the other dealing with > `test_xmlrpc/test_[l-z]*.py' as well as `test_install/', > `test_ipalib/', `test_ipapython/', `test_ipaserver/' and > `test_pkcs10'. See [2] for an example of a failing build: the first > job (which includes tests for the ca plugin, which is what the patch > relates to) does succeed, but the second fails catastrophically with > myriad occurrences of: > > E NetworkError: cannot connect to > 'https://master1.ipa.test/ipa/session/json': > (SSL_ERROR_NO_CIPHERS_SUPPORTED) No cipher suites are present > and enabled in this program. > > Leading to the unfortunate outcome: > > ======= 254 failed, 576 passed, 98 skipped, 1756 error in 254.59 seconds ======= > > [2] https://travis-ci.org/freeipa/freeipa/builds/183544973 > > > I have been unsuccessful in running `ipa-docker-test-runner' on my > own machine due to Java thread creation problems, so I need the help > of others to analyse and fix this issue. If someone was able to > analyse a running container that had the test failures, send logs, > or even make an image of the container and upload it somewhere for > me, it might lead to some answers. > > Thanks for your help. > Fraser > > (P.S.
I hope it is not a trivial thing I have overlooked ^_^) > Hi Fraser, I am also playing around with this issue and have observed that when I run XMLRPC tests alone all is green, so the error must first occur in some other suite and then propagate to tests run later. This also agrees with the observation that the half which does not run non-XMLRPC tests always passes. I have observed that the first failure comes in test_ipaserver/test_serverroles suite at teardown with SEC_ERROR_LEGACY_DATABASE thrown from nss: https://paste.fedoraproject.org/505681/14816316/ I will investigate further and keep you posted. -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Dec 13 12:31:10 2016 From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 13 Dec 2016 13:31:10 +0100 Subject: [Freeipa-devel] [freeipa PR#331][opened] WebUI: don't change casing of Auth Indicators values Message-ID: URL: https://github.com/freeipa/freeipa/pull/331 Author: pvomacka Title: #331: WebUI: don't change casing of Auth Indicators values Action: opened PR body: """ All values were previously converted to lowercase which was not corresponding with CLI behaviour. Now they stay as they are inserted. I also have to change the strings to lowercase because the otp and radius should be inserted as lowercase words. https://fedorahosted.org/freeipa/ticket/6308 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/331/head:pr331 git checkout pr331 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-331.patch Type: text/x-diff Size: 5730 bytes Desc: not available URL: From ftweedal at redhat.com Tue Dec 13 12:41:42 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 13 Dec 2016 22:41:42 +1000 Subject: [Freeipa-devel] Travis CI broke after merging PR 177 In-Reply-To: <7554b9a1-87f7-14ef-5eb2-447616b54a73@redhat.com> References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com> <20161213120726.GU4232@dhcp-40-8.bne.redhat.com> <7554b9a1-87f7-14ef-5eb2-447616b54a73@redhat.com> Message-ID: <20161213124142.GX4232@dhcp-40-8.bne.redhat.com> On Tue, Dec 13, 2016 at 01:11:37PM +0100, Martin Babinsky wrote: > On 12/13/2016 01:07 PM, Fraser Tweedale wrote: > > On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote: > > > Hi list, > > > > > > https://github.com/freeipa/freeipa/pull/177 was recently merged despite > > > causing nearly half of the tests in our Travis CI gating to fail. This broke > > > Travis CI for all other PRs that were rebased after this merge, causing false > > > negative errors everywhere. > > > > > > Fraser reverted the offending commits in > > > https://github.com/freeipa/freeipa/pull/329 which restored Travis to > > > original state (never mind PEP8 errors they were in the original code > > > already). > > > > > > Regarding these issues I have two questions: > > > > > > a) > > > > > > should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert > > > the breakage in order to unblock other contributors? Given the current > > > traffic I think it is sufficient to wait for us to investigate and produce a > > > fix. If not, please scream loudly. > > > > > Definitely not, I am using this PR as a playground to poke the CI in > > various ways. Also, a proper fix would be best :) See also my other > > mail (I would have replied here but fetchmail was not fetching mail > > and I missed it until just now >_<). > > > > > b) > > > > > > what can we improve to make the results of CI more visible to contributors?
> > > I think that I should sit down with Martin 2 and investigate the possibility > > > to send notifications about negative CI results (sufficient IMO) to the > > > mailing list. > > > > > Or the commit author. > > > > It would be *great* if the test job, in event of failure, would > > collect all the obvious logs and dump them somewhere as artifacts. > > > > That would be great but AFAIK Travis CI does support only archiving > artifacts into a running AWS instance[1] which we do not have and would have > to buy, run and maintain ourselves. For now we have to inspect the log dumps > generated in the job output. > Do the containers not have internet access? That is all you really need, surely. The log dumps are not enough... `tail -n 5000' is not enough :) Even if there is no other way besides S3, it might still be worth it. > > > In the meanwhile I would like to ask all reviewers to carefully check the > > > output of failed Travis CI runs. If the job fails, you will see the results > > > at the very end of the log. There are two sections: PEP8 errors and test > > > output. You can expand both of them to see what went wrong and report it to > > > the PR author if necessary. > > > > > > The reviewer and author can then use the very same tool used in CI [1] to > > > reproduce the failures locally. Using '--no-cleanup' option during the run > > > [2] leaves behind a running container which you can attach to and > > > investigate further. > > > > > > [1] https://github.com/freeipa/ipa-docker-test-runner > > > [2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md > > > > > > If you have any additional questions/suggestions about Travis feel free to > > > contact me. 
> > > > > > -- > > > Martin^3 Babinsky > > [1] https://docs.travis-ci.com/user/uploading-artifacts/ > > -- > Martin^3 Babinsky From mbabinsk at redhat.com Tue Dec 13 12:44:49 2016
From: mbabinsk at redhat.com (Martin Babinsky) Date: Tue, 13 Dec 2016 13:44:49 +0100 Subject: [Freeipa-devel] Travis CI broke after merging PR 177 In-Reply-To: <20161213124142.GX4232@dhcp-40-8.bne.redhat.com> References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com> <20161213120726.GU4232@dhcp-40-8.bne.redhat.com> <7554b9a1-87f7-14ef-5eb2-447616b54a73@redhat.com> <20161213124142.GX4232@dhcp-40-8.bne.redhat.com> Message-ID: On 12/13/2016 01:41 PM, Fraser Tweedale wrote: > On Tue, Dec 13, 2016 at 01:11:37PM +0100, Martin Babinsky wrote: >> On 12/13/2016 01:07 PM, Fraser Tweedale wrote: >>> On Tue, Dec 13, 2016 at 09:41:40AM +0100, Martin Babinsky wrote: >>>> Hi list, >>>> >>>> https://github.com/freeipa/freeipa/pull/177 was recently merged despite >>>> causing nearly half of the tests in our Travis CI gating to fail. This broke >>>> Travis CI for all other PRs that were rebased after this merge, causing false >>>> negative errors everywhere. >>>> >>>> Fraser reverted the offending commits in >>>> https://github.com/freeipa/freeipa/pull/329 which restored Travis to >>>> original state (never mind PEP8 errors they were in the original code >>>> already). >>>> >>>> Regarding these issues I have two questions: >>>> >>>> a) >>>> >>>> should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert >>>> the breakage in order to unblock other contributors? Given the current >>>> traffic I think it is sufficient to wait for us to investigate and produce a >>>> fix. If not, please scream loudly. >>>> >>> Definitely not, I am using this PR as a playground to poke the CI in >>> various ways. Also, a proper fix would be best :) See also my other >>> mail (I would have replied here but fetchmail was not fetching mail >>> and I missed it until just now >_<). >>> >>>> b) >>>> >>>> what can we improve to make the results of CI more visible to contributors?
>>>> I think that I should sit down with Martin 2 and investigate the possibility >>>> to send notifications about negative CI results (sufficient IMO) to the >>>> mailing list. >>>> >>> Or the commit author. >>> >>> It would be *great* if the test job, in event of failure, would >>> collect all the obvious logs and dump them somewhere as artifacts. >>> >> >> That would be great but AFAIK Travis CI does support only archiving >> artifacts into a running AWS instance[1] which we do not have and would have >> to buy, run and maintain ourselves. For now we have to inspect the log dumps >> generated in the job output. >> > Do the containers not have internet access? That is all you really > need, surely. > > The log dumps are not enough... `tail -n 5000' is not enough :) > > Even if there is no other way besides S3, it might still be worth > it. > Travis imposes a hard 10k line limit in the job logs; that's why I had to truncate them, we have discussed this issue ad nauseam. And AFAIK the workers are not accessible from outside. >>>> In the meanwhile I would like to ask all reviewers to carefully check the >>>> output of failed Travis CI runs. If the job fails, you will see the results >>>> at the very end of the log. There are two sections: PEP8 errors and test >>>> output. You can expand both of them to see what went wrong and report it to >>>> the PR author if necessary. >>>> >>>> The reviewer and author can then use the very same tool used in CI [1] to >>>> reproduce the failures locally. Using '--no-cleanup' option during the run >>>> [2] leaves behind a running container which you can attach to and >>>> investigate further. >>>> >>>> [1] https://github.com/freeipa/ipa-docker-test-runner >>>> [2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md >>>> >>>> If you have any additional questions/suggestions about Travis feel free to >>>> contact me.
>>>> >>>> -- >>>> Martin^3 Babinsky >> >> [1] https://docs.travis-ci.com/user/uploading-artifacts/ >> >> -- >> Martin^3 Babinsky -- Martin^3 Babinsky From freeipa-github-notification at redhat.com Tue Dec 13 12:45:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 13:45:05 +0100 Subject: [Freeipa-devel] [freeipa PR#328][+ack] fix: regression in API version comparison In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/328 Title: #328: fix: regression in API version comparison Label: +ack From freeipa-github-notification at redhat.com Tue Dec 13 12:46:29 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 13:46:29 +0100 Subject: [Freeipa-devel] [freeipa PR#329][synchronized] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-329.patch Type: text/x-diff Size: 2283 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 13 12:53:47 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 13:53:47 +0100 Subject: [Freeipa-devel] [freeipa PR#328][+pushed] fix: regression in API version comparison In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/328 Title: #328: fix: regression in API version comparison Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 13 12:53:48 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 13:53:48 +0100 Subject: [Freeipa-devel] [freeipa PR#328][comment] fix: regression in API version comparison In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/328 Title: #328: fix: regression in API version comparison mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0663faf2585be4af3501965934703da0ede41610 """ See the full comment at https://github.com/freeipa/freeipa/pull/328#issuecomment-266731072 From freeipa-github-notification at redhat.com Tue Dec 13 12:53:49 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 13:53:49 +0100 Subject: [Freeipa-devel] [freeipa PR#328][closed] fix: regression in API version comparison In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/328 Author: mbasti-rh Title: #328: fix: regression in API version comparison Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/328/head:pr328 git checkout pr328 From freeipa-github-notification at redhat.com Tue Dec 13 13:35:49 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 14:35:49 +0100 Subject: [Freeipa-devel] [freeipa PR#272][+ack] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Label: +ack From freeipa-github-notification at redhat.com Tue Dec 13 13:36:45 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 14:36:45 +0100 Subject: [Freeipa-devel] [freeipa PR#272][+pushed] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 13 13:36:46 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 14:36:46 +0100 Subject: [Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b7d70baee73c64898de91e2fa59b3f9f417c8e01 https://fedorahosted.org/freeipa/changeset/21a0987601dc4fa9de3fe63a18a604337a5edb7b https://fedorahosted.org/freeipa/changeset/9c87c39e65547004031284080749bc66dab1a8f9 """ See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266739980 From freeipa-github-notification at redhat.com Tue Dec 13 13:36:48 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Tue, 13 Dec 2016 14:36:48 +0100 Subject: [Freeipa-devel] [freeipa PR#272][closed] Build: makerpms.sh generates Python 2 & 3 packages at the same time In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 From freeipa-github-notification at redhat.com Tue Dec 13 14:26:46 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 15:26:46 +0100 Subject: [Freeipa-devel] [freeipa PR#332][opened] Fix regression in test suite Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Author: frasertweedale Title: #332: Fix regression in test suite Action: opened PR body: """ 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d introduced a regression in test_serverroles.py, caused by ca_find attempting to log into the Dogtag REST API. (ca_find is called by cert_find which is caused by server_del during cleanup). Avoid logging into Dogtag in cert_find unless something actually needs to be retrieved. Fixes: https://fedorahosted.org/freeipa/ticket/6178 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/332/head:pr332 git checkout pr332 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-332.patch Type: text/x-diff Size: 2057 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 13 14:27:46 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 15:27:46 +0100 Subject: [Freeipa-devel] [freeipa PR#329][closed] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From freeipa-github-notification at redhat.com Tue Dec 13 14:48:55 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 13 Dec 2016 15:48:55 +0100 Subject: [Freeipa-devel] [freeipa PR#332][synchronized] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Author: frasertweedale Title: #332: Fix regression in test suite Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/332/head:pr332 git checkout pr332 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-332.patch Type: text/x-diff Size: 2091 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 13 15:45:57 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Tue, 13 Dec 2016 16:45:57 +0100 Subject: [Freeipa-devel] [freeipa PR#333][opened] Remove named-pkcs11 workarounds from DNSSEC tests. Message-ID: URL: https://github.com/freeipa/freeipa/pull/333 Author: pspacek Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests. Action: opened PR body: """ As far as I can tell the tests have been passing for some time in Jenkins so maybe a bug in some underlying component was fixed. Let's remove workarounds to make tests actually test real setups. https://fedorahosted.org/freeipa/ticket/5348 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/333/head:pr333 git checkout pr333 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-333.patch Type: text/x-diff Size: 6488 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 13 16:03:33 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 17:03:33 +0100 Subject: [Freeipa-devel] [freeipa PR#332][comment] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Title: #332: Fix regression in test suite martbab commented: """ Thanks for pinpointing the issue, looks like Travis is happy with your fix. """ See the full comment at https://github.com/freeipa/freeipa/pull/332#issuecomment-266779010 From freeipa-github-notification at redhat.com Tue Dec 13 16:06:19 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 17:06:19 +0100 Subject: [Freeipa-devel] [freeipa PR#332][+ack] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Title: #332: Fix regression in test suite Label: +ack From freeipa-github-notification at redhat.com Tue Dec 13 16:26:23 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 17:26:23 +0100 Subject: [Freeipa-devel] [freeipa PR#332][+pushed] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Title: #332: Fix regression in test suite Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 13 16:26:25 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 17:26:25 +0100 Subject: [Freeipa-devel] [freeipa PR#332][comment] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Title: #332: Fix regression in test suite martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/74b8cf2c4a8dd36577d76c35a9ef08352ef025b7 """ See the full comment at https://github.com/freeipa/freeipa/pull/332#issuecomment-266785937 From freeipa-github-notification at redhat.com Tue Dec 13 16:26:26 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 13 Dec 2016 17:26:26 +0100 Subject: [Freeipa-devel] [freeipa PR#332][closed] Fix regression in test suite In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/332 Author: frasertweedale Title: #332: Fix regression in test suite Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/332/head:pr332 git checkout pr332 From mbabinsk at redhat.com Tue Dec 13 16:29:01 2016 
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Tue, 13 Dec 2016 17:29:01 +0100
Subject: [Freeipa-devel] Travis CI broke after merging PR 177
In-Reply-To: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com>
References: <50f0de90-cd0c-eaed-9fda-c01630489163@redhat.com>
Message-ID: <3eaf170a-3fdf-e044-f678-886bb6e41430@redhat.com>

On 12/13/2016 09:41 AM, Martin Babinsky wrote:
> Hi list,
>
> https://github.com/freeipa/freeipa/pull/177 was recently merged despite causing nearly half of the tests in our Travis CI gating to fail. This broke Travis CI for all other PRs that were rebased after this merge, causing false negative errors everywhere.
>
> Fraser reverted the offending commits in https://github.com/freeipa/freeipa/pull/329 which restored Travis to its original state (never mind the PEP8 errors, they were in the original code already).
>
> Regarding this issue I have two questions:
>
> a)
>
> should I merge https://github.com/freeipa/freeipa/pull/329 and thus revert the breakage in order to unblock other contributors? Given the current traffic I think it is sufficient to wait for us to investigate and produce a fix. If not, please scream loudly.
>
> b)
>
> what can we improve to make the results of CI more visible to contributors? I think that I should sit down with Martin 2 and investigate the possibility to send notifications about negative CI results (sufficient IMO) to the mailing list.
>
> In the meanwhile I would like to ask all reviewers to carefully check the output of failed Travis CI runs. If the job fails, you will see the results at the very end of the log. There are two sections: PEP8 errors and test output. You can expand both of them to see what went wrong and report it to the PR author if necessary.
>
> The reviewer and author can then use the very same tool used in CI [1] to reproduce the failures locally.
> Using the '--no-cleanup' option during the run [2] leaves behind a running container which you can attach to and investigate further.
>
> [1] https://github.com/freeipa/ipa-docker-test-runner
> [2] https://github.com/freeipa/ipa-docker-test-runner/blob/master/README.md
>
> If you have any additional questions/suggestions about Travis feel free to contact me.
>

The PR fixing failing Travis CI was merged to master now. If you rebase and sync your branches the checks should be green again (well, unless you broke something in your PR, but you can not blame the regression for that anymore ;)).

-- 
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Tue Dec 13 22:57:30 2016
From: freeipa-github-notification at redhat.com (LiptonB)
Date: Tue, 13 Dec 2016 23:57:30 +0100
Subject: [Freeipa-devel] [freeipa PR#10][synchronized] Client-side CSR autogeneration
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/10
Author: LiptonB
Title: #10: Client-side CSR autogeneration
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/10/head:pr10
git checkout pr10

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-10.patch
Type: text/x-diff
Size: 205336 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 00:55:56 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Wed, 14 Dec 2016 01:55:56 +0100
Subject: [Freeipa-devel] [freeipa PR#245][comment] Allow full customisability of IPA CA subject DN
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/245
Title: #245: Allow full customisability of IPA CA subject DN

frasertweedale commented:
"""
@jcholast: new tickets pertaining to subject_base / certmap.conf config:

- **do not update ipaCertificateSubjectBase and certmap.conf in CA-less mode** - https://fedorahosted.org/freeipa/ticket/6556
- **do not set (or look up) subject_base in sysupgrade file** - https://fedorahosted.org/freeipa/ticket/6557

Other review comments will be addressed in due course. Thanks for reviewing.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/245#issuecomment-266910282

From blipton at redhat.com Wed Dec 14 01:53:59 2016
From: blipton at redhat.com (Ben Lipton)
Date: Tue, 13 Dec 2016 20:53:59 -0500
Subject: [Freeipa-devel] Travis CI unexpected PEP8 errors
Message-ID: <558a904d-14ec-376f-630f-f8c443705af3@redhat.com>

Hi all,

I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue.

https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull request, https://github.com/freeipa/freeipa/pull/10. For a while now, every time the CI runs on my PR, it fails due to several PEP8 errors that are not detected when I run `git diff master -U0 | pep8 --diff` on my local copy. In fact, the errors are all in files not touched by my PR, which doesn't make much sense to me based on the behavior of `git diff`.

I noticed that the top of the travis build says:

- Commit 1f50550
- #10: Client-side CSR autogeneration
- Branch master

I'm not sure what the "commit" link actually means, but that commit seems to have nothing to do with my PR nor the current master. Could Travis be diffing against the wrong code? Or if not, do you have any idea what might be causing these failures?

Thanks,
Ben

From slaznick at redhat.com Wed Dec 14 08:00:51 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Wed, 14 Dec 2016 09:00:51 +0100
Subject: [Freeipa-devel] Travis CI unexpected PEP8 errors
In-Reply-To: <558a904d-14ec-376f-630f-f8c443705af3@redhat.com>
References: <558a904d-14ec-376f-630f-f8c443705af3@redhat.com>
Message-ID: <174c1ebb-1a7d-1976-9ec1-90721d361006@redhat.com>

On 12/14/2016 02:53 AM, Ben Lipton wrote:
> Hi all,
>
> I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue.
>
> https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull request, https://github.com/freeipa/freeipa/pull/10. For a while now, every time the CI runs on my PR, it fails due to several PEP8 errors that are not detected when I run `git diff master -U0 | pep8 --diff` on my local copy. In fact, the errors are all in files not touched by my PR, which doesn't make much sense to me based on the behavior of `git diff`.
>
> I noticed that the top of the travis build says:
>
> - Commit 1f50550
> - #10: Client-side CSR autogeneration
> - Branch master
>
> I'm not sure what the "commit" link actually means, but that commit seems to have nothing to do with my PR nor the current master. Could Travis be diffing against the wrong code? Or if not, do you have any idea what might be causing these failures?
>
> Thanks,
> Ben
>

Hi Ben,

I was going through the Travis CI log and noticed what might have caused the issue:

$ cd freeipa/freeipa
$ git fetch origin +refs/pull/109/merge:

It seems that for your pull request #10 (and for some reason for your pull request only), Travis fetched a different (old) pull request which it then tried to merge with current master, hence the errors. I don't think it was testing your code at all.

I do not have an explanation for this other than it might be a Travis bug, CCing Martin for a better answer.
Standa

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbabinsk at redhat.com Wed Dec 14 08:42:45 2016
From: mbabinsk at redhat.com (Martin Babinsky)
Date: Wed, 14 Dec 2016 09:42:45 +0100
Subject: [Freeipa-devel] Travis CI unexpected PEP8 errors
In-Reply-To: <174c1ebb-1a7d-1976-9ec1-90721d361006@redhat.com>
References: <558a904d-14ec-376f-630f-f8c443705af3@redhat.com> <174c1ebb-1a7d-1976-9ec1-90721d361006@redhat.com>
Message-ID: <93500661-58ef-bf66-d117-ed0f5586cb73@redhat.com>

On 12/14/2016 09:00 AM, Standa Laznicka wrote:
> On 12/14/2016 02:53 AM, Ben Lipton wrote:
>> Hi all,
>>
>> I'm pretty sure this is unrelated to the CI issues discussed in other threads recently, but they reminded me that I've been having this odd issue.
>>
>> https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most recent run on my pull request, https://github.com/freeipa/freeipa/pull/10. For a while now, every time the CI runs on my PR, it fails due to several PEP8 errors that are not detected when I run `git diff master -U0 | pep8 --diff` on my local copy. In fact, the errors are all in files not touched by my PR, which doesn't make much sense to me based on the behavior of `git diff`.
>>
>> I noticed that the top of the travis build says:
>>
>> - Commit 1f50550
>> - #10: Client-side CSR autogeneration
>> - Branch master
>>
>> I'm not sure what the "commit" link actually means, but that commit seems to have nothing to do with my PR nor the current master. Could Travis be diffing against the wrong code? Or if not, do you have any idea what might be causing these failures?
>>
>> Thanks,
>> Ben
>>
> Hi Ben,
>
> I was going through the Travis CI log and noticed what might have caused the issue:
>
> $ cd freeipa/freeipa
> $ git fetch origin +refs/pull/109/merge:
>
> It seems that for your pull request #10 (and for some reason for your pull request only), Travis fetched a different (old) pull request which it then tried to merge with current master, hence the errors. I don't think it was testing your code at all.
>
> I do not have an explanation for this other than it might be a Travis bug, CCing Martin for a better answer.
>
> Standa

Yes indeed, for some reason Travis fetches a completely wrong PR for the tests. I have no idea why it does this. I have tried to restart the build with the same results. We will probably have to contact Travis support for this issue.

In the meanwhile, can you prepare a separate PR from a completely new branch with the same commits so that we can see if it catches up this time?

-- 
Martin^3 Babinsky

From freeipa-github-notification at redhat.com Wed Dec 14 09:09:09 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Dec 2016 10:09:09 +0100
Subject: [Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

martbab commented:
"""
I agree that a safeguard that fails early is sufficient for this corner-case unless someone proves us otherwise. PRs are welcome in that case.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/330#issuecomment-266981383

From freeipa-github-notification at redhat.com Wed Dec 14 09:09:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Wed, 14 Dec 2016 10:09:14 +0100
Subject: [Freeipa-devel] [freeipa PR#330][+ack] Build: forbid builds in working directories containing white spaces
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/330
Title: #330: Build: forbid builds in working directories containing white spaces

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 09:09:44 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 10:09:44 +0100 Subject: [Freeipa-devel] [freeipa PR#330][+pushed] Build: forbid builds in working directories containing white spaces In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/330 Title: #330: Build: forbid builds in working directories containing white spaces Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 14 09:09:46 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 10:09:46 +0100 Subject: [Freeipa-devel] [freeipa PR#330][comment] Build: forbid builds in working directories containing white spaces In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/330 Title: #330: Build: forbid builds in working directories containing white spaces martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/19aba7c555edf065b9f2fa95142da81b92396264 """ See the full comment at https://github.com/freeipa/freeipa/pull/330#issuecomment-266981513 From freeipa-github-notification at redhat.com Wed Dec 14 09:09:47 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 10:09:47 +0100 Subject: [Freeipa-devel] [freeipa PR#330][closed] Build: forbid builds in working directories containing white spaces In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/330 Author: pspacek Title: #330: Build: forbid builds in working directories containing white spaces Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/330/head:pr330 git checkout pr330 From freeipa-github-notification at redhat.com Wed Dec 14 09:42:25 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 10:42:25 +0100
Subject: [Freeipa-devel] [freeipa PR#334][opened] Py3: Fix ToASCII method
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
Title: #334: Py3: Fix ToASCII method
Action: opened

PR body:
"""
In Py2 the to_text method returns a Py2 non-unicode string, but in Py3 the to_text method returns the Py3 default (unicode) string. So only in Py2 do we have to decode str to unicode.

https://fedorahosted.org/freeipa/ticket/5887
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-334.patch
Type: text/x-diff
Size: 4324 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 10:36:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 11:36:39 +0100
Subject: [Freeipa-devel] [freeipa PR#333][comment] Remove named-pkcs11 workarounds from DNSSEC tests.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

mbasti-rh commented:
"""
Please fix the issue reported by pylint

```
************* Module ipatests.test_integration.test_dnssec
ipatests/test_integration/test_dnssec.py:9: [W0611(unused-import), ] Unused import pytest)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/333#issuecomment-267000804

From freeipa-github-notification at redhat.com Wed Dec 14 10:42:38 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:42:38 +0100 Subject: [Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/334/head:pr334 git checkout pr334 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-334.patch Type: text/x-diff Size: 4324 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 10:43:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:43:05 +0100 Subject: [Freeipa-devel] [freeipa PR#334][edited] Py3: Fix ToASCII method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: edited Changed field: body Original value: """ in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method returns Py3 default (unicode) string. So only in Py2 we have to decode str to unicode. https://fedorahosted.org/freeipa/ticket/5887 """ From freeipa-github-notification at redhat.com Wed Dec 14 10:47:03 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:47:03 +0100 Subject: [Freeipa-devel] [freeipa PR#329][+rejected] experiment: did pull/177 break ci? In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/329 Title: #329: experiment: did pull/177 break ci? Label: +rejected From freeipa-github-notification at redhat.com Wed Dec 14 10:50:57 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:50:57 +0100 Subject: [Freeipa-devel] [freeipa PR#313][+pushed] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 14 10:50:58 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:50:58 +0100 Subject: [Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Title: #313: ipaclient.plugins: Use api_version from internally called commands mbasti-rh commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d841a79dc104521f736469eff7154c2f4266082b ipa-4-4: https://fedorahosted.org/freeipa/changeset/6ef666ed12fd73026f0f1d49faba152ae27d6082 """ See the full comment at https://github.com/freeipa/freeipa/pull/313#issuecomment-267003891 From freeipa-github-notification at redhat.com Wed Dec 14 10:51:00 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 11:51:00 +0100 Subject: [Freeipa-devel] [freeipa PR#313][closed] ipaclient.plugins: Use api_version from internally called commands In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/313 Author: dkupka Title: #313: ipaclient.plugins: Use api_version from internally called commands Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/313/head:pr313 git checkout pr313 From freeipa-github-notification at redhat.com Wed Dec 14 10:51:12 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 14 Dec 2016 11:51:12 +0100 Subject: [Freeipa-devel] [freeipa PR#333][synchronized] Remove named-pkcs11 workarounds from DNSSEC tests. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/333 Author: pspacek Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests. Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/333/head:pr333 git checkout pr333 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-333.patch Type: text/x-diff Size: 6677 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 13:57:23 2016 From: freeipa-github-notification at redhat.com (tiran) Date: Wed, 14 Dec 2016 14:57:23 +0100 Subject: [Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/334 Title: #334: Py3: Fix ToASCII method tiran commented: """ I left a comment """ See the full comment at https://github.com/freeipa/freeipa/pull/334#issuecomment-267039776 From freeipa-github-notification at redhat.com Wed Dec 14 14:20:44 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 15:20:44 +0100 Subject: [Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/334 Author: mbasti-rh Title: #334: Py3: Fix ToASCII method Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/334/head:pr334 git checkout pr334 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-334.patch Type: text/x-diff Size: 5956 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 14:57:56 2016 
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 14 Dec 2016 15:57:56 +0100
Subject: [Freeipa-devel] [freeipa PR#335][opened] Add compatibility code to retrieve headers
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/335
Author: simo5
Title: #335: Add compatibility code to retrieve headers
Action: opened

PR body:
"""
The recent fixes for getting cookies from headers broke python3.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/335/head:pr335
git checkout pr335

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-335.patch
Type: text/x-diff
Size: 1048 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 14:59:24 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 15:59:24 +0100
Subject: [Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

mbasti-rh commented:
"""
Works for me, just waiting for travis :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/335#issuecomment-267055413

From freeipa-github-notification at redhat.com Wed Dec 14 15:25:45 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 16:25:45 +0100 Subject: [Freeipa-devel] [freeipa PR#336][opened] [py3] pki: add missing depedency pki-base[-python3] Message-ID: URL: https://github.com/freeipa/freeipa/pull/336 Author: mbasti-rh Title: #336: [py3] pki: add missing depedency pki-base[-python3] Action: opened PR body: """ FreeIPA server modules requires pki module https://fedorahosted.org/freeipa/ticket/4985 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/336/head:pr336 git checkout pr336 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-336.patch Type: text/x-diff Size: 1046 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 15:42:55 2016 From: freeipa-github-notification at redhat.com (LiptonB) Date: Wed, 14 Dec 2016 16:42:55 +0100 Subject: [Freeipa-devel] [freeipa PR#337][opened] Client-side CSR autogeneration (take 2) Message-ID: URL: https://github.com/freeipa/freeipa/pull/337 Author: LiptonB Title: #337: Client-side CSR autogeneration (take 2) Action: opened PR body: """ Clone of PR #10 to see if CI picks up the right commits this time """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/337/head:pr337 git checkout pr337 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-337.patch Type: text/x-diff Size: 205336 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 15:47:45 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 16:47:45 +0100 Subject: [Freeipa-devel] [freeipa PR#337][comment] Client-side CSR autogeneration (take 2) In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/337 Title: #337: Client-side CSR autogeneration (take 2) martbab commented: """ From Travis CI logs it looks like a correct branch was fetched this time. """ See the full comment at https://github.com/freeipa/freeipa/pull/337#issuecomment-267069024 From freeipa-github-notification at redhat.com Wed Dec 14 15:59:13 2016 From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Dec 2016 16:59:13 +0100 Subject: [Freeipa-devel] [freeipa PR#338][opened] password policy: Add explicit default password policy for hosts and services Message-ID: URL: https://github.com/freeipa/freeipa/pull/338 Author: dkupka Title: #338: password policy: Add explicit default password policy for hosts and services Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/338/head:pr338 git checkout pr338 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-338.patch Type: text/x-diff Size: 15711 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 16:19:15 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 17:19:15 +0100 Subject: [Freeipa-devel] [freeipa PR#339][opened] freeipa-4.4.3: update translations Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Author: mbasti-rh Title: #339: freeipa-4.4.3: update translations Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/339/head:pr339 git checkout pr339 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-339.patch Type: text/x-diff Size: 718262 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 16:20:05 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 14 Dec 2016 17:20:05 +0100 Subject: [Freeipa-devel] [freeipa PR#339][edited] freeipa-4.4.3: update translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Author: mbasti-rh Title: #339: freeipa-4.4.3: update translations Action: edited Changed field: body Original value: """ """ From freeipa-github-notification at redhat.com Wed Dec 14 16:27:32 2016 
From: freeipa-github-notification at redhat.com (dkupka) Date: Wed, 14 Dec 2016 17:27:32 +0100 Subject: [Freeipa-devel] [freeipa PR#340][opened] schema_cache: Make handling of string compatible with python3 Message-ID: URL: https://github.com/freeipa/freeipa/pull/340 Author: dkupka Title: #340: schema_cache: Make handling of string compatible with python3 Action: opened PR body: """ https://fedorahosted.org/freeipa/ticket/6559 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/340/head:pr340 git checkout pr340 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-340.patch Type: text/x-diff Size: 2871 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 14 16:30:26 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:30:26 +0100
Subject: [Freeipa-devel] [freeipa PR#341][opened] certprofile-mod: correctly authorise config update
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/341
Author: mbasti-rh
Title: #341: certprofile-mod: correctly authorise config update
Action: opened

PR body:
"""
Certificate profiles consist of a FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration.

https://fedorahosted.org/freeipa/ticket/6560
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/341/head:pr341
git checkout pr341

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-341.patch
Type: text/x-diff
Size: 1787 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 16:36:18 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 17:36:18 +0100
Subject: [Freeipa-devel] [freeipa PR#342][opened] password policy: Add explicit default password policy for hosts and services
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
Title: #342: password policy: Add explicit default password policy for hosts and services
Action: opened

PR body:
"""
Set the krbPwdPolicyReference attribute explicitly on all hosts (entries in cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's CoS so no attributes are really added.

The default policies effectively disable any enforcement or lockout for hosts and services. Since hosts and services use keytabs, password enforcement doesn't make much sense. Also the lockout policy could be used for easy and cheap DoS.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/342/head:pr342
git checkout pr342

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-342.patch
Type: text/x-diff
Size: 7697 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 16:38:21 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 14 Dec 2016 17:38:21 +0100
Subject: [Freeipa-devel] [freeipa PR#338][+ack] password policy: Add explicit default password policy for hosts and services
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/338
Title: #338: password policy: Add explicit default password policy for hosts and services

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 16:40:03 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 17:40:03 +0100 Subject: [Freeipa-devel] [freeipa PR#339][+ack] freeipa-4.4.3: update translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations Label: +ack From freeipa-github-notification at redhat.com Wed Dec 14 16:40:51 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 17:40:51 +0100 Subject: [Freeipa-devel] [freeipa PR#339][+pushed] freeipa-4.4.3: update translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 14 16:40:52 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 17:40:52 +0100 Subject: [Freeipa-devel] [freeipa PR#339][comment] freeipa-4.4.3: update translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Title: #339: freeipa-4.4.3: update translations martbab commented: """ Fixed upstream ipa-4-4: https://fedorahosted.org/freeipa/changeset/2a2652187eaddec5d2a9cd757cec5874597213bc """ See the full comment at https://github.com/freeipa/freeipa/pull/339#issuecomment-267084622 From freeipa-github-notification at redhat.com Wed Dec 14 16:40:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 14 Dec 2016 17:40:53 +0100 Subject: [Freeipa-devel] [freeipa PR#339][closed] freeipa-4.4.3: update translations In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/339 Author: mbasti-rh Title: #339: freeipa-4.4.3: update translations Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/339/head:pr339 git checkout pr339 From freeipa-github-notification at redhat.com Wed Dec 14 16:41:29 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:41:29 +0100
Subject: [Freeipa-devel] [freeipa PR#343][opened] [4.3] certprofile-mod: correctly authorise config update
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/343
Author: mbasti-rh
Title: #343: [4.3] certprofile-mod: correctly authorise config update
Action: opened

PR body:
"""
Certificate profiles consist of a FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration.

https://fedorahosted.org/freeipa/ticket/6560
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/343/head:pr343
git checkout pr343

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-343.patch
Type: text/x-diff
Size: 1772 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Wed Dec 14 16:44:35 2016
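The authorisation gap described in PR #341 and its 4.3 backport PR #343, modelled as an added example that is not FreeIPA's or Dogtag's code: the LDAPStore, DogtagBackend, DN layout, profile name, config keys and operator names are all constructed, and the model assumes the gap arises because the Dogtag configuration is written without first consulting the permissions that govern the FreeIPA certprofile object.

```python
"""Model of the certprofile-mod authorisation gap (PR #341 / PR #343).

Added illustration, not FreeIPA's or Dogtag's code. The LDAP store, ACL
model, Dogtag backend, DN layout, profile name and config keys are all
constructed; the model assumes the bug is that the CA-side profile config
is written before the FreeIPA object's permissions are consulted.
"""
from dataclasses import dataclass, field


class ACIError(Exception):
    """Operator lacks the permission required for the operation."""


@dataclass
class LDAPStore:
    """Stand-in for the FreeIPA directory: entries plus a write ACL per DN."""
    entries: dict = field(default_factory=dict)
    write_acl: dict = field(default_factory=dict)   # dn -> set of operators

    def can_write(self, operator, dn):
        return operator in self.write_acl.get(dn, set())

    def update_entry(self, operator, dn, attrs):
        # The directory enforces ACIs, but only on modifies it actually sees.
        if not self.can_write(operator, dn):
            raise ACIError("Insufficient privilege to modify %s" % dn)
        self.entries[dn].update(attrs)


@dataclass
class DogtagBackend:
    """Stand-in for the CA's profile configuration store; no ACIs of its own."""
    profiles: dict = field(default_factory=dict)

    def update_profile(self, profile_id, config):
        self.profiles[profile_id] = dict(config)


def profile_dn(profile_id):
    # Constructed DN layout; only its shape matters for the model.
    return "cn=%s,cn=certprofiles,cn=ca,dc=example,dc=test" % profile_id


def certprofile_mod_before(ldap, dogtag, operator, profile_id,
                           attrs=None, config=None):
    """'Before' behaviour: the Dogtag configuration is written first.

    Authorisation is left to the directory, which only sees a modify when
    FreeIPA attributes change. A config-only update therefore reaches
    Dogtag without any permission check.
    """
    if config is not None:
        dogtag.update_profile(profile_id, config)
    if attrs:
        ldap.update_entry(operator, profile_dn(profile_id), attrs)


def certprofile_mod_after(ldap, dogtag, operator, profile_id,
                          attrs=None, config=None):
    """'After' behaviour: confirm the operator may modify the FreeIPA
    certprofile object before the Dogtag configuration is touched."""
    dn = profile_dn(profile_id)
    if config is not None:
        if not ldap.can_write(operator, dn):
            raise ACIError("Insufficient privilege to modify a "
                           "certificate profile")
        dogtag.update_profile(profile_id, config)
    if attrs:
        ldap.update_entry(operator, dn, attrs)


def run_scenario(operator, fixed):
    """Apply a config-only change as `operator`; return (denied, keyCertSign).

    keyCertSign is the CA-side value left behind after the attempt, so a
    successful 'before' run by an unprivileged operator shows up as "true".
    """
    profile_id = "exampleServiceCert"            # constructed profile name
    dn = profile_dn(profile_id)
    ldap = LDAPStore(entries={dn: {"description": "service certs"}},
                     write_acl={dn: {"admin"}})  # only admin may modify
    dogtag = DogtagBackend(profiles={profile_id: {"keyCertSign": "false"}})
    mod = certprofile_mod_after if fixed else certprofile_mod_before
    try:
        # Constructed change: would let issued certs act as CA certs.
        mod(ldap, dogtag, operator, profile_id,
            config={"keyCertSign": "true"})
        denied = False
    except ACIError:
        denied = True
    return denied, dogtag.profiles[profile_id]["keyCertSign"]


if __name__ == "__main__":
    for fixed in (False, True):
        for who in ("helpdesk", "admin"):
            print("fixed=%-5s operator=%-8s -> denied=%s keyCertSign=%s"
                  % ((fixed, who) + run_scenario(who, fixed)))
```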
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:44:35 +0100
Subject: [Freeipa-devel] [freeipa PR#342][edited] [4.3] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services

Action: edited

Changed field: title
Original value:
"""
password policy: Add explicit default password policy for hosts and services
"""

From freeipa-github-notification at redhat.com Wed Dec 14 16:46:38 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 17:46:38 +0100
Subject: [Freeipa-devel] [freeipa PR#338][+pushed] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/338
Title: #338: password policy: Add explicit default password policy for hosts and services

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 16:46:40 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 17:46:40 +0100
Subject: [Freeipa-devel] [freeipa PR#338][comment] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/338
Title: #338: password policy: Add explicit default password policy for hosts and services

dkupka commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6f1d927467e7907fd1991f88388d96c67c9bff61
https://fedorahosted.org/freeipa/changeset/b1a20599c4f9fdcd208998694185b65460126703
"""

See the full comment at https://github.com/freeipa/freeipa/pull/338#issuecomment-267086391

From freeipa-github-notification at redhat.com Wed Dec 14 16:46:42 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 17:46:42 +0100
Subject: [Freeipa-devel] [freeipa PR#338][closed] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/338
Author: dkupka
Title: #338: password policy: Add explicit default password policy for hosts and services

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/338/head:pr338
git checkout pr338

From freeipa-github-notification at redhat.com Wed Dec 14 16:53:46 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:53:46 +0100
Subject: [Freeipa-devel] [freeipa PR#335][+ack] Add compatibility code to retrieve headers

URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 16:54:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:54:33 +0100
Subject: [Freeipa-devel] [freeipa PR#335][comment] Add compatibility code to retrieve headers

URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/397f2be9dfd6475127742c0b710b37b443d97d67
"""

See the full comment at https://github.com/freeipa/freeipa/pull/335#issuecomment-267088796

From freeipa-github-notification at redhat.com Wed Dec 14 16:54:34 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:54:34 +0100
Subject: [Freeipa-devel] [freeipa PR#335][+pushed] Add compatibility code to retrieve headers

URL: https://github.com/freeipa/freeipa/pull/335
Title: #335: Add compatibility code to retrieve headers

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 16:54:35 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:54:35 +0100
Subject: [Freeipa-devel] [freeipa PR#335][closed] Add compatibility code to retrieve headers

URL: https://github.com/freeipa/freeipa/pull/335
Author: simo5
Title: #335: Add compatibility code to retrieve headers

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/335/head:pr335
git checkout pr335

From freeipa-github-notification at redhat.com Wed Dec 14 16:57:06 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 17:57:06 +0100
Subject: [Freeipa-devel] [freeipa PR#344][opened] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
Title: #344: password policy: Add explicit default password policy for hosts and services

Action: opened

PR body:
"""
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/344/head:pr344
git checkout pr344

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-344.patch
Type: text/x-diff
Size: 15707 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Dec 14 16:57:45 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 17:57:45 +0100
Subject: [Freeipa-devel] [freeipa PR#344][edited] [4.4] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services

Action: edited

Changed field: title
Original value:
"""
password policy: Add explicit default password policy for hosts and services
"""

From freeipa-github-notification at redhat.com Wed Dec 14 17:07:52 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 14 Dec 2016 18:07:52 +0100
Subject: [Freeipa-devel] [freeipa PR#344][+ack] [4.4] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 17:08:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:08:18 +0100
Subject: [Freeipa-devel] [freeipa PR#341][+ack] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 17:08:54 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:08:54 +0100
Subject: [Freeipa-devel] [freeipa PR#341][+pushed] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 17:08:55 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:08:55 +0100
Subject: [Freeipa-devel] [freeipa PR#341][comment] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/341
Title: #341: certprofile-mod: correctly authorise config update

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/fec4c32ff15a96736740cf7d2f713a21af0b227e
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/c12a52f0d78b30931713a3548b22e799d41f3622
"""

See the full comment at https://github.com/freeipa/freeipa/pull/341#issuecomment-267093122

From freeipa-github-notification at redhat.com Wed Dec 14 17:08:57 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:08:57 +0100
Subject: [Freeipa-devel] [freeipa PR#341][closed] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/341
Author: mbasti-rh
Title: #341: certprofile-mod: correctly authorise config update

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/341/head:pr341
git checkout pr341

From freeipa-github-notification at redhat.com Wed Dec 14 17:09:13 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:09:13 +0100
Subject: [Freeipa-devel] [freeipa PR#340][synchronized] schema_cache: Make handling of string compatible with python3

URL: https://github.com/freeipa/freeipa/pull/340
Author: dkupka
Title: #340: schema_cache: Make handling of string compatible with python3

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/340/head:pr340
git checkout pr340

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-340.patch
Type: text/x-diff
Size: 2976 bytes
Desc: not available

From freeipa-github-notification at redhat.com Wed Dec 14 17:10:13 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:10:13 +0100
Subject: [Freeipa-devel] [freeipa PR#343][+ack] [4.3] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 17:10:47 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:10:47 +0100
Subject: [Freeipa-devel] [freeipa PR#343][+pushed] [4.3] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 17:10:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:10:49 +0100
Subject: [Freeipa-devel] [freeipa PR#343][comment] [4.3] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/343
Title: #343: [4.3] certprofile-mod: correctly authorise config update

mbasti-rh commented:
"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/278d7cf4708f1c6ac05d5fcb21db582d9aa7bab3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/343#issuecomment-267093601

From freeipa-github-notification at redhat.com Wed Dec 14 17:10:50 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 18:10:50 +0100
Subject: [Freeipa-devel] [freeipa PR#343][closed] [4.3] certprofile-mod: correctly authorise config update

URL: https://github.com/freeipa/freeipa/pull/343
Author: mbasti-rh
Title: #343: [4.3] certprofile-mod: correctly authorise config update

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/343/head:pr343
git checkout pr343

From freeipa-github-notification at redhat.com Wed Dec 14 17:14:54 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:14:54 +0100
Subject: [Freeipa-devel] [freeipa PR#344][+pushed] [4.4] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 17:14:56 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:14:56 +0100
Subject: [Freeipa-devel] [freeipa PR#344][comment] [4.4] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services

dkupka commented:
"""
Fixed upstream
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/08e7af9f0f8acac3dcd8dde1eee53261e5d25f1f
https://fedorahosted.org/freeipa/changeset/171bc3e6853f905184584e414cefa4f7296c02ea
"""

See the full comment at https://github.com/freeipa/freeipa/pull/344#issuecomment-267094656

From freeipa-github-notification at redhat.com Wed Dec 14 17:14:57 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:14:57 +0100
Subject: [Freeipa-devel] [freeipa PR#344][closed] [4.4] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/344
Author: dkupka
Title: #344: [4.4] password policy: Add explicit default password policy for hosts and services

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/344/head:pr344
git checkout pr344

From freeipa-github-notification at redhat.com Wed Dec 14 17:16:02 2016
From: freeipa-github-notification at redhat.com (pvomacka)
Date: Wed, 14 Dec 2016 18:16:02 +0100
Subject: [Freeipa-devel] [freeipa PR#342][+ack] [4.3] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 14 17:17:48 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:17:48 +0100
Subject: [Freeipa-devel] [freeipa PR#342][+pushed] [4.3] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services

Label: +pushed

From freeipa-github-notification at redhat.com Wed Dec 14 17:17:49 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:17:49 +0100
Subject: [Freeipa-devel] [freeipa PR#342][comment] [4.3] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/342
Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services

dkupka commented:
"""
Fixed upstream
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/42263a5a729096135702c0b974f255a058c0cdaf
"""

See the full comment at https://github.com/freeipa/freeipa/pull/342#issuecomment-267095446

From freeipa-github-notification at redhat.com Wed Dec 14 17:17:50 2016
From: freeipa-github-notification at redhat.com (dkupka)
Date: Wed, 14 Dec 2016 18:17:50 +0100
Subject: [Freeipa-devel] [freeipa PR#342][closed] [4.3] password policy: Add explicit default password policy for hosts and services

URL: https://github.com/freeipa/freeipa/pull/342
Author: dkupka
Title: #342: [4.3] password policy: Add explicit default password policy for hosts and services

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/342/head:pr342
git checkout pr342

From freeipa-github-notification at redhat.com Wed Dec 14 18:00:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 19:00:49 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
NACK: DNS records page is broken
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-267106705

From freeipa-github-notification at redhat.com Wed Dec 14 18:26:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 14 Dec 2016 19:26:09 +0100
Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
Server roles page is broken too, or at least it looks weird, probably server names are missing
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-267114366

From freeipa-github-notification at redhat.com Wed Dec 14 21:39:29 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Wed, 14 Dec 2016 22:39:29 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 197189 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 08:43:55 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Thu, 15 Dec 2016 09:43:55 +0100
Subject: [Freeipa-devel] [freeipa PR#210][+ack] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 15 08:44:37 2016
From: freeipa-github-notification at redhat.com (mirielka)
Date: Thu, 15 Dec 2016 09:44:37 +0100
Subject: [Freeipa-devel] [freeipa PR#181][+ack] Tests : User Tracker creation of user with minimal values

URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 15 10:34:34 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 15 Dec 2016 11:34:34 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 197269 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 14:35:27 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Thu, 15 Dec 2016 15:35:27 +0100
Subject: [Freeipa-devel] [freeipa PR#345][opened] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Author: abbra
Title: #345: ipa-kdb: search for password policies globally

Action: opened

PR body:
"""
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1404910
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/345/head:pr345
git checkout pr345

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-345.patch
Type: text/x-diff
Size: 1457 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 14:59:32 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 15 Dec 2016 15:59:32 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
BuildRequires has no python3 dependency and a different minimal version.

```
BuildRequires: pki-base >= 10.2.1
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267348102

From freeipa-github-notification at redhat.com Thu Dec 15 15:28:32 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 16:28:32 +0100
Subject: [Freeipa-devel] [freeipa PR#336][synchronized] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Author: mbasti-rh
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-336.patch
Type: text/x-diff
Size: 1042 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 15:28:49 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 16:28:49 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

mbasti-rh commented:
"""
It has Py3 Build dependency

Fixed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267355819

From freeipa-github-notification at redhat.com Thu Dec 15 15:29:02 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Dec 2016 16:29:02 +0100
Subject: [Freeipa-devel] [freeipa PR#117][synchronized] Make ipa-replica-install run in interactive mode

URL: https://github.com/freeipa/freeipa/pull/117
Author: stlaz
Title: #117: Make ipa-replica-install run in interactive mode

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/117/head:pr117
git checkout pr117

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-117.patch
Type: text/x-diff
Size: 8367 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 15:32:06 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Thu, 15 Dec 2016 16:32:06 +0100
Subject: [Freeipa-devel] [freeipa PR#117][comment] Make ipa-replica-install run in interactive mode

URL: https://github.com/freeipa/freeipa/pull/117
Title: #117: Make ipa-replica-install run in interactive mode

stlaz commented:
"""
Rebase done. I wanted to wait until some more changes to api bootstrapping to be able to call client installation from module using the latest installer system from the installers refactoring, but we agreed with @jcholast that it'd be better to do that later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/117#issuecomment-267356755

From freeipa-github-notification at redhat.com Thu Dec 15 15:32:15 2016
From freeipa-github-notification at redhat.com Thu Dec 15 15:48:36 2016
From: freeipa-github-notification at redhat.com (tiran)
Date: Thu, 15 Dec 2016 16:48:36 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

tiran commented:
"""
What I meant with different minimal version: FreeIPA requires pki-ca and kra 10.3.5 and newer.

```
Requires: pki-ca >= 10.3.5-6
Requires: pki-kra >= 10.3.5-6
```

Is there a reason why the minimal version for the pki-base package is smaller? All Dogtag PKI packages pull in other PKI packages with exactly the same version (e.g. `pki-base = %{version}-%{release}`). Even more important, there is no Python 3 pki-base package for 10.2! I added the new package for 10.3. :)

Lastly, pki-base just happens to provide Python 2 packages for now. In 10.4 or 10.5 we may switch over to Python 3. If you need the `pki` Python package with guaranteed Python 2 support, then please depend on pki-base-python2 (currently provided by pki-base).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267361403

From freeipa-github-notification at redhat.com Thu Dec 15 15:54:33 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 16:54:33 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

mbasti-rh commented:
"""
Ah, my previous patch was right then.

BuildRequires version is lower because the build works with the lower version. I can raise that version just to be sure that pylint is checking the right packages.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267362994

From freeipa-github-notification at redhat.com Thu Dec 15 16:00:58 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 17:00:58 +0100
Subject: [Freeipa-devel] [freeipa PR#336][synchronized] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Author: mbasti-rh
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-336.patch
Type: text/x-diff
Size: 2102 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 16:30:23 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 17:30:23 +0100
Subject: [Freeipa-devel] [freeipa PR#336][synchronized] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Author: mbasti-rh
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/336/head:pr336
git checkout pr336

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-336.patch
Type: text/x-diff
Size: 3427 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 16:31:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:31:52 +0100
Subject: [Freeipa-devel] [freeipa PR#345][+ack] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

Label: +ack

From freeipa-github-notification at redhat.com Thu Dec 15 16:34:32 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:34:32 +0100
Subject: [Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

martbab commented:
"""
I have taken the liberty to fix the commit message to reference https://fedorahosted.org/freeipa/ticket/6561 instead of the BZ and pushed it to:

ipa-4-3:
https://fedorahosted.org/freeipa/changeset/b9b919e127c453eda02ea142d7cd80c16aa5ca31
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/84f6df6349b5c412467746777e905d9e4f8792ca
master:
https://fedorahosted.org/freeipa/changeset/73f33569c8893610e246b2f44a7aeaec872b37e6
"""

See the full comment at https://github.com/freeipa/freeipa/pull/345#issuecomment-267374473

From freeipa-github-notification at redhat.com Thu Dec 15 16:34:34 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:34:34 +0100
Subject: [Freeipa-devel] [freeipa PR#345][closed] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Author: abbra
Title: #345: ipa-kdb: search for password policies globally

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/345/head:pr345
git checkout pr345

From freeipa-github-notification at redhat.com Thu Dec 15 16:34:37 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:34:37 +0100
Subject: [Freeipa-devel] [freeipa PR#345][+pushed] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

Label: +pushed

From freeipa-github-notification at redhat.com Thu Dec 15 16:40:14 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:40:14 +0100
Subject: [Freeipa-devel] [freeipa PR#346][opened] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Author: martbab
Title: #346: Minimal test suite for kadmin.local

Action: opened

PR body:
"""
This ensures that we do not break it (much) in the future like we did recently

https://fedorahosted.org/freeipa/ticket/6561
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/346/head:pr346
git checkout pr346

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-346.patch
Type: text/x-diff
Size: 5922 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 16:41:00 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 17:41:00 +0100
Subject: [Freeipa-devel] [freeipa PR#346][synchronized] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Author: martbab
Title: #346: Minimal test suite for kadmin.local

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/346/head:pr346
git checkout pr346

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-346.patch
Type: text/x-diff
Size: 5922 bytes
Desc: not available

From freeipa-github-notification at redhat.com Thu Dec 15 17:58:05 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 18:58:05 +0100
Subject: [Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
Can we get this PR rebased against current master to see whether Travis CI is okay. The current checks are polluted by regression that should be fixed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-267396224

From freeipa-github-notification at redhat.com Thu Dec 15 17:58:13 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 15 Dec 2016 18:58:13 +0100
Subject: [Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
Can we get this PR rebased against current master to see whether Travis CI is okay? The current checks are polluted by regression that should be fixed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-267396224

From freeipa-github-notification at redhat.com Thu Dec 15 18:01:09 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 15 Dec 2016 19:01:09 +0100
Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

mbasti-rh commented:
"""
@shanyin Your translations will be released in FreeIPA 4.4.3 soon
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-267396991

From freeipa-github-notification at redhat.com Thu Dec 15 21:33:52 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Thu, 15 Dec 2016 22:33:52 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 200721 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 16 00:39:05 2016
From: freeipa-github-notification at redhat.com (shanyin)
Date: Fri, 16 Dec 2016 01:39:05 +0100
Subject: [Freeipa-devel] [freeipa PR#286][comment] fix miss translation in Chinese

URL: https://github.com/freeipa/freeipa/pull/286
Title: #286: fix miss translation in Chinese

shanyin commented:
"""
Ok, I see. Thanks!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/286#issuecomment-267486735

From mharmsen at redhat.com Fri Dec 16 01:32:08 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 15 Dec 2016 18:32:08 -0700
Subject: [Freeipa-devel] Karma Requests for pki-core-10.3.5-9
Message-ID: <3077f1ef-58bc-e1f0-1ab1-05cc27cc259b@redhat.com>

The following updated candidate builds of pki-core 10.3.5 were generated:

* Fedora 24
  o pki-core-10.3.5-9.fc24
* Fedora 25
  o pki-core-10.3.5-9.fc25
* Fedora 26
  o pki-core-10.3.5-9.fc26

These builds address the following PKI tickets:

* PKI TRAC Ticket #1517 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure
* PKI TRAC Ticket #1897 - [MAN] Man page for logging configuration.
* PKI TRAC Ticket #1920 - [MAN] Man page for PKCS #12 utilities
* PKI TRAC Ticket #2226 - KRA installation: NullPointerException in ProxyRealm.findSecurityConstraints
* PKI TRAC Ticket #2289 - [MAN] pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any
* PKI TRAC Ticket #2523 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI
* PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
* PKI TRAC Ticket #2543 - Unable to install subordinate CA with HSM in FIPS mode
* PKI TRAC Ticket #2544 - TPS throws "err=6" when attempting to format and enroll G&D Cards
* PKI TRAC Ticket #2552 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config

Please provide Karma for the following builds:

* Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-346c2e1366 pki-core-10.3.5-9.fc24
* Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9100653751 pki-core-10.3.5-9.fc25

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From blipton at redhat.com Fri Dec 16 03:32:26 2016
From: blipton at redhat.com (Ben Lipton)
Date: Thu, 15 Dec 2016 22:32:26 -0500
Subject: [Freeipa-devel] Travis CI unexpected PEP8 errors
In-Reply-To: <93500661-58ef-bf66-d117-ed0f5586cb73@redhat.com>
References: <558a904d-14ec-376f-630f-f8c443705af3@redhat.com> <174c1ebb-1a7d-1976-9ec1-90721d361006@redhat.com> <93500661-58ef-bf66-d117-ed0f5586cb73@redhat.com>
Message-ID: <2bf08b2d-73f8-d18c-d5cb-642e443ce28a@redhat.com>

On 12/14/2016 03:42 AM, Martin Babinsky wrote:
> On 12/14/2016 09:00 AM, Standa Laznicka wrote:
>> On 12/14/2016 02:53 AM, Ben Lipton wrote:
>>> Hi all,
>>>
>>> I'm pretty sure this is unrelated to the CI issues discussed in other
>>> threads recently, but they reminded me that I've been having this odd
>>> issue.
>>>
>>> https://travis-ci.org/freeipa/freeipa/jobs/183756995 is the most
>>> recent run on my pull request,
>>> https://github.com/freeipa/freeipa/pull/10. For a while now, every
>>> time the CI runs on my PR, it fails due to several PEP8 errors that
>>> are not detected when I run `git diff master -U0 | pep8 --diff` on my
>>> local copy. In fact, the errors are all in files not touched by my PR,
>>> which doesn't make much sense to me based on the behavior of `git
>>> diff`.
>>>
>>> I noticed that the top of the travis build says:
>>>
>>> - Commit 1f50550
>>> - #10: Client-side CSR autogeneration
>>> - Branch master
>>>
>>> I'm not sure what the "commit" link actually means, but that commit
>>> seems to have nothing to do with my PR nor the current master. Could
>>> Travis be diffing against the wrong code? Or if not, do you have any
>>> idea what might be causing these failures?
>>>
>>> Thanks,
>>> Ben
>>>
>> Hi Ben,
>>
>> I was going through the Travis CI log and noticed what might have
>> caused the issue:
>>
>> $ cd freeipa/freeipa
>> $ git fetch origin +refs/pull/109/merge:
>>
>> It seems that for your pull request #10 (and for some reason for your
>> pull request only), Travis fetched a different (old) pull request which
>> it then tried to merge with current master, hence the errors. I don't
>> think it was testing your code at all.
>>
>> I do not have an explanation for this other than it might be a Travis
>> bug, CCing Martin for a better answer.
>>
>> Standa
>
> Yes indeed for some reason Travis fetches completely wrong PR for
> tests. I have no idea why it does this. I have tried to restart the
> build with the same results.
>
> We will probably have to contact Travis support for this issue. In the
> meanwhile, can you prepare a separate PR from completely new branch
> with the same commits so that we can see if it catches up this time?
>
Evidently there was something special about my first pull request, since
the new one works fine (as you pointed out). Thanks for confirming that it
wasn't something I was doing wrong.

From blipton at redhat.com Fri Dec 16 04:11:05 2016
From: blipton at redhat.com (Ben Lipton)
Date: Thu, 15 Dec 2016 23:11:05 -0500
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To: <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com>
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com>

On 12/12/2016 03:52 AM, Jan Cholasta wrote:
> On 5.12.2016 16:48, Ben Lipton wrote:
>> Hi Jan, thanks for the comments.
>>
>> On 12/05/2016 04:25 AM, Jan Cholasta wrote:
>>> Hi Ben,
>>>
>>> On 3.11.2016 00:12, Ben Lipton wrote:
>>>> Hi everybody,
>>>>
>>>> Soon I'm going to have to reduce the amount of time I spend on new
>>>> development work for the CSR autogeneration project, and I want to leave
>>>> the project in as organized a state as possible. So, I'm taking
>>>> inventory of the work I've done in order to make sure that what's ready
>>>> for review can get reviewed and the ideas that have been discussed get
>>>> prototyped or at least recorded so they won't be forgotten.
>>>
>>> Thanks, I have some questions and comments, see below.
>>>
>>>> Code that's ready for review (I will continue to put in as much time as
>>>> needed to help get these ready for submission):
>>>>
>>>> - Current PR: https://github.com/freeipa/freeipa/pull/10
>>>
>>> How hard would it be to update the PR to use the "new" interface from
>>> the design thread? By this I mean that currently there is a command
>>> (cert_get_requestdata), which creates a CSR from profile id +
>>> principal + helper, but in the design we discussed a command which
>>> creates a CertificationRequestInfo from profile id + principal +
>>> public key.
>>>
>>> Internally it could use the OpenSSL helper, no need to implement the
>>> full "new" design. With your build_requestinfo.c code below it looks
>>> like it should be pretty straightforward.
>>
>> This is probably doable with the cffi, but I'm concerned about
>> usability.
>> A user can run the current command to get a (reusable) script, and run
>> the script to get a CSR. It works with keys in both PEM files and NSS
>> databases already. If we change to outputting a CertificationRequestInfo,
>> in order to make this usable on the command line, we'll need:
>> - An additional tool to sign a CSR given a CertificationRequestInfo (for
>>   both types of key storage).
>> - A way to extract a SubjectPublicKeyInfo structure from a key within
>>   the ipa command (like [1] but we need it for both types of key storage)
>> Since as far as I know there's no standard encoding for files containing
>> only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
>> writing and distributing these ourselves. I think that's where most of
>> the extra work will come in.
>
> For PEM files, this is easily doable using python-cryptography (to
> extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
> PyASN1 (to create a CSR from the CertificationRequestInfo and the
> signature).

I didn't realize that python-cryptography knew about SubjectPublicKeyInfo
structures, but indeed this seems to be pretty straightforward:

    key = load_pem_private_key(key_bytes, None, default_backend())
    pubkey_info = key.public_key().public_bytes(Encoding.DER,
                                                PublicFormat.SubjectPublicKeyInfo)

Thanks for letting me know this functionality already existed.

> For NSS databases, this will be trickier and will require calling C
> functions, as neither certutil nor python-nss provide a way to a)
> address existing keys in the database by key ID b) get
> SubjectPublicKeyInfo for a given key.
>
> As for encoding, the obvious choice is DER. It does not really matter
> that there is no standard file format, as we won't be transferring these
> as files anyway.

Agreed. I just meant there aren't tools already because this isn't a type
of file one often needs to process.

>> Would it be ok to stick with the current design in this PR?
>> I'd feel much better if we could get the basic functionality into the
>> repo and then iterate on it rather than changing the plan at this point.
>> I can create a separate PR to change cert_get_requestdata to this new
>> interface and at the same time add the necessary adapters (bullet points
>> above) to make it user-friendly.
>
> Works for me.

Updated the PR to fix conflicts with master. Had some trouble with CI but
creating a new PR with the same commits fixed it
(https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed
permanently, so I guess I'll just keep the two PRs synchronized now, or we
could close the old one.

>> I would probably just implement the adapters within the
>> cert_build/cert_request client code unless you think having standalone
>> tools is valuable. I suppose certmonger is going to need these features
>> too, but I don't know how well sharing code between them is going to
>> work.
>
> cert-request is exactly the place where it should be :-) I wouldn't
> bother with certmonger until we have a server-side csrgen.
>
>>>> - Allow some fields to be specified by the user at creation time:
>>>> https://github.com/LiptonB/freeipa/commits/local-user-data
>>>
>>> Good idea :-)
>>>
>>>> - Automation for the full process from getting CSR data to requesting
>>>> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
>>>
>>> LGTM, although I would prefer if this was a client-side extension of
>>> cert-request rather than a completely new command.
>>
>> I did try that at first, but I struggled to figure out the interface for
>> the modified cert-request. (Not that the current solution is so great,
>> what with the copying of options from cert_request and certreq.)
>> If I remember correctly, I was uncertain how to implement parameters
>> that are required/invalid based on other parameters: the current
>> cert-request takes a signed CSR (required), a principal (required), and
>> a profile ID; the new cert-request (what I implemented as cert-build)
>> takes a principal (required), a profile ID (required), and a key
>> location (required). I can't remember if that was the only problem, but
>> I'll try again to merge the commands and get back to you.
>
> To make the CSR argument optional on the client, you can do this:
>
>     def get_options(self):
>         # re-yield every option, but clone 'csr' with required=False
>         for option in super(cert_request, self).get_options():
>             if option.name == 'csr':
>                 option = option.clone(required=False)
>             yield option
>
> IMO profile ID should default to caIPAserviceCert on the client as well.

I originally had it doing so, but changed it to a required option based on
feedback in this email:
https://www.redhat.com/archives/freeipa-devel/2016-August/msg00021.html:
"In general use I think that 'caIPAserviceCert' is unlikely to be used a
majority of the time, and it is a new command so there are no
compatibility issues; therefore why not make the profile option
mandatory?" I guess since we're talking about cert-request now, the
compatibility issues are back.

https://github.com/LiptonB/freeipa/commits/local-cert-build has now been
updated to change the cert_request command rather than adding a new
command. It seems to work now (thanks for the advice on making the
argument optional); the only thing I'm having trouble with is the default
for the profile_id argument. Previously, the default was applied by this
code in cert_request.execute:

    profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)

But now, in the client, I need the default to pass to cert_get_requestdata
if no profile is specified. I'm not sure I can access backends from the
client to get it the same way the server code does. Should I just import
ipapython/dogtag.py and use the DEFAULT_PROFILE set in there?
Is there a way I can give the option a default that will be seen in both
the server and the client?

>>>> Other prototypes and design ideas that aren't ready for submission yet:
>>>>
>>>> - Utility written in C to build a CertificationRequestInfo from a
>>>> SubjectPublicKeyInfo and an openssl-style config file. The purpose of
>>>> this is to take a config that my code already knows how to generate, and
>>>> put it in a form that certmonger can use. This is nearly done and
>>>> available at:
>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
>>>
>>> Nice! As I said above, this could really make implementing the "new"
>>> csrgen interface simple.
>>>
>>>> - Ideally it should be possible to use this tool to reimplement the full
>>>> cert-request automation (local-cert-build branch) without a dependency
>>>> on the certutil/openssl tools. However, I don't think any of the python
>>>> crypto libraries have bindings for the functions that deal with
>>>> CertificationRequestInfo objects, so I don't think I can do this in the
>>>> short term.
>>>
>>> You can use python-cffi to write your own minimal bindings. It's
>>> fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an
>>> example of how to port C code to Python with python-cffi.
>>
>> Thank you for the example. I will take a look.
>>>
>>>> - Certmonger "helper" program that takes in the CertificationRequestInfo
>>>> that certmonger generates, calls out to IPA for profile-specific data,
>>>> and returns an updated CertificationRequestInfo built from the data.
>>>> Certmonger doesn't currently support this type of helper, but (if I
>>>> understood correctly) this is the architecture Nalin believed would be
>>>> simplest to fit in. This is not done yet, but I intend to complete it
>>>> soon - it shouldn't require much code beyond what's in
>>>> build_requestinfo.c.
>>>
>>> To me this sounds like it should be a new operation of the current
>>> helper rather than a completely new helper.
>>
>> Maybe so. I certainly wouldn't call this a finished design, I just
>> wanted to have some kind of proof of concept for how the certmonger
>> integration could work. For what it's worth, that prototype is now
>> available at [2].
>
> OK.
>
>>> Anyway, the ultimate goal is to move the csrgen code to the server,
>>> which means everything the helper will have to do is call a command
>>> over RPC.
>>>
>>>> - Tool to convert an XER-encoded cert extension to DER, given the ASN.1
>>>> description of the extension. This would unblock Jan Cholasta's idea of
>>>> using XSLT for templates rather than text-based formatting. I should be
>>>> able to implement the conversion tool, but it may be a while before I
>>>> have time to demo the full XSLT idea.
>>>
>>> Was there any progress on this?
>>
>> I have started working on implementing it with asn1c, and I'm already
>> seeing some of the inconvenience (security issues aside) of building on
>> the server. Libtasn1 seems like a much better model, but doesn't seem to
>> have XER support. Anyway, I don't quite have results here yet but I think
>> I should have the XER->DER demo with asn1c ready in a week or two.
>
> Implementing XER codec on top of libtasn1 shouldn't be too hard; I
> have a WIP which I will post soon.
>
>>>> So: currently on my to do list are the certmonger helper and the
>>>> XER->DER conversion tool. Do you have any comments about these plans,
>>>> and is there anything else I can do to wrap up the project neatly?
>>>>
>>>> Thanks,
>>>> Ben
>>>
>>> Honza
>>
>> [1] https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c
>> [2] https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c
>

From freeipa-github-notification at redhat.com Fri Dec 16 07:20:10 2016
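[Editor's added example for the CSR autogeneration thread above; it is not code from the thread, from FreeIPA, or from Ben's prototypes.] The PEM-key path Jan describes splits a CSR into the pieces the thread keeps naming: the CertificationRequestInfo, the SubjectPublicKeyInfo it embeds, and a signature over the CertificationRequestInfo's DER bytes. The example below uses only python-cryptography: it generates a throwaway RSA key (constructed test material, not real), builds a CSR with the library's builder (so the PyASN1 assembly step from the thread is the one part not shown), then walks the DER with a small hand-written TLV reader to recover the CertificationRequestInfo and the embedded SPKI, checks that the SPKI equals what `public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)` returns for the key, and verifies the signature over exactly those bytes. `der_tlv`, `split_csr`, `spki_from_pem_key`, `verify_cri_signature` and `demo` are the example's own names.

```python
"""Editor's example (not FreeIPA code): split a DER CSR into its
CertificationRequestInfo, embedded SubjectPublicKeyInfo and signature,
and verify the signature over the exact CertificationRequestInfo bytes.
The key and CSR are constructed throwaway test data."""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import (
    Encoding, NoEncryption, PrivateFormat, PublicFormat, load_pem_private_key)
from cryptography.x509.oid import NameOID

SEQUENCE, BIT_STRING = 0x30, 0x03


def der_tlv(buf, offset):
    """Read one definite-length DER TLV at `offset`.

    Returns (tag, value_start, end): the value occupies buf[value_start:end]
    and `end` is where the next TLV begins.  DER forbids indefinite lengths,
    so only the short and long definite forms are handled.
    """
    tag = buf[offset]
    first = buf[offset + 1]
    if first & 0x80:                      # long form: low bits = number of length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
        value_start = offset + 2 + nbytes
    else:                                 # short form: the octet is the length itself
        length = first
        value_start = offset + 2
    return tag, value_start, value_start + length


def split_csr(csr_der):
    """Return (certificationRequestInfo DER, subjectPKInfo DER, signature bytes).

    CertificationRequest ::= SEQUENCE {
        certificationRequestInfo  CertificationRequestInfo,
        signatureAlgorithm        AlgorithmIdentifier,
        signature                 BIT STRING }
    CertificationRequestInfo ::= SEQUENCE {
        version INTEGER, subject Name, subjectPKInfo SubjectPublicKeyInfo,
        attributes [0] Attributes }
    """
    tag, body, _ = der_tlv(csr_der, 0)
    if tag != SEQUENCE:
        raise ValueError("CSR is not a DER SEQUENCE")
    cri_tag, cri_body, cri_end = der_tlv(csr_der, body)
    if cri_tag != SEQUENCE:
        raise ValueError("certificationRequestInfo is not a SEQUENCE")
    cri = csr_der[body:cri_end]            # tag + length + value: this is what was signed
    _, _, alg_end = der_tlv(csr_der, cri_end)          # AlgorithmIdentifier, skipped
    sig_tag, sig_body, sig_end = der_tlv(csr_der, alg_end)
    if sig_tag != BIT_STRING:
        raise ValueError("signature is not a BIT STRING")
    signature = csr_der[sig_body + 1:sig_end]          # first octet = unused-bit count
    _, _, version_end = der_tlv(csr_der, cri_body)     # version
    _, _, subject_end = der_tlv(csr_der, version_end)  # subject Name
    _, _, spki_end = der_tlv(csr_der, subject_end)     # subjectPKInfo
    return cri, csr_der[subject_end:spki_end], signature


def spki_from_pem_key(key_pem):
    """The python-cryptography call from the thread, wrapped as a function."""
    key = load_pem_private_key(key_pem, None, default_backend())
    return key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)


def verify_cri_signature(cri_der, signature, spki_der):
    """True iff `signature` is an RSA PKCS#1 v1.5 / SHA-256 signature over
    cri_der by the key whose SubjectPublicKeyInfo is spki_der."""
    pub = serialization.load_der_public_key(spki_der, default_backend())
    try:
        pub.verify(signature, cri_der, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo(common_name="host.example.test"):
    """Constructed throwaway key and CSR; returns the outcome of each check."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048,
                                   backend=default_backend())
    key_pem = key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
           .sign(key, hashes.SHA256(), default_backend()))
    cri, spki, sig = split_csr(csr.public_bytes(Encoding.DER))
    tampered = bytearray(cri)
    tampered[-1] ^= 0x01                  # flip one bit in the (empty) attributes
    return {
        "cri_matches_library": cri == csr.tbs_certrequest_bytes,
        "spki_matches_key": spki == spki_from_pem_key(key_pem),
        "signature_valid": verify_cri_signature(cri, sig, spki),
        "tampered_rejected": not verify_cri_signature(bytes(tampered), sig, spki),
    }


if __name__ == "__main__":
    print(demo())
```

Verifying over the recovered CertificationRequestInfo bytes rather than over a re-encoding of them is the check that matters: the signature covers the DER exactly as transmitted, and the tamper case shows that one flipped bit in the trailing attributes is enough to fail it. As Jan notes, the NSS-database case needs C bindings and is not covered here.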
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 16 Dec 2016 08:20:10 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

jcholast commented:
"""
@mbasti-rh, please don't bump BuildRequires unless it is actually necessary for the build to not fail. Raising the version does not guarantee that the package version used during build will be the same as the version used during run time anyway, so the change achieves nothing.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267532993

From freeipa-github-notification at redhat.com Fri Dec 16 07:23:09 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Fri, 16 Dec 2016 08:23:09 +0100
Subject: [Freeipa-devel] [freeipa PR#336][comment] [py3] pki: add missing depedency pki-base[-python3]

URL: https://github.com/freeipa/freeipa/pull/336
Title: #336: [py3] pki: add missing depedency pki-base[-python3]

jcholast commented:
"""
@mbasti-rh, please don't bump BuildRequires unless it is actually necessary for the build to not fail. Raising the version does not guarantee that the package version used during build and checked by pylint will be the same as the version used during run time anyway, so the change achieves nothing.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/336#issuecomment-267532993

From flo at redhat.com Fri Dec 16 08:34:33 2016
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Fri, 16 Dec 2016 09:34:33 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping
In-Reply-To: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com>
References: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com>

On 12/06/2016 04:39 PM, Florence Blanc-Renaud wrote:
> Hi,
>
> I have started a feature description for the Certificate Identity
> Mapping at the following location:
> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>
> This is a first step, focusing on the interface we would like to
> provide. It still contains open questions, some of which are linked to
> the corresponding design on SSSD side:
> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>
> Comments, concerns and suggestions are welcome. Thanks!
>
> Flo.
>

Hi,

the design page for Certificate Identity Mapping [1] has been updated with
a schema proposal and an example of configuration data. Please share your
comments, concerns, suggestions before January 7, so that we can finalize
the API and start the implementation.

Thanks,
Flo.

[1] http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

From freeipa-github-notification at redhat.com Fri Dec 16 08:45:38 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Dec 2016 09:45:38 +0100
Subject: [Freeipa-devel] [freeipa PR#210][-ack] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

Label: -ack

From freeipa-github-notification at redhat.com Fri Dec 16 08:52:50 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Fri, 16 Dec 2016 09:52:50 +0100
Subject: [Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

stlaz commented:
"""
I just wanted to remove the ACK till @martbab's comment is worked in so nobody pushes it but I found some minor issues that I would like to see fixed in the rebase as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-267546613

From freeipa-github-notification at redhat.com Fri Dec 16 09:10:35 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Dec 2016 10:10:35 +0100
Subject: [Freeipa-devel] [freeipa PR#346][+ack] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Title: #346: Minimal test suite for kadmin.local

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 16 09:38:52 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 16 Dec 2016 10:38:52 +0100
Subject: [Freeipa-devel] [freeipa PR#346][+pushed] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Title: #346: Minimal test suite for kadmin.local

Label: +pushed

From freeipa-github-notification at redhat.com Fri Dec 16 09:38:54 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 16 Dec 2016 10:38:54 +0100
Subject: [Freeipa-devel] [freeipa PR#346][closed] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Author: martbab
Title: #346: Minimal test suite for kadmin.local
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/346/head:pr346
git checkout pr346

From freeipa-github-notification at redhat.com Fri Dec 16 09:38:55 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 16 Dec 2016 10:38:55 +0100
Subject: [Freeipa-devel] [freeipa PR#346][comment] Minimal test suite for kadmin.local

URL: https://github.com/freeipa/freeipa/pull/346
Title: #346: Minimal test suite for kadmin.local

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f59673506493e0199c17000538adb7c80b477aa0
https://fedorahosted.org/freeipa/changeset/d95bdbbfd505dde1348413fc7a1233ac834ce344

ipa-4-4:
https://fedorahosted.org/freeipa/changeset/f0f48ec14f3ff55852393927533ffd253cb5a04b
https://fedorahosted.org/freeipa/changeset/e02323c1c3b3c3dadd57d9f1885ec1af046718de
"""

See the full comment at https://github.com/freeipa/freeipa/pull/346#issuecomment-267554697

From sbose at redhat.com Fri Dec 16 10:53:21 2016
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 16 Dec 2016 11:53:21 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping
In-Reply-To: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com>
References: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com>
Message-ID: <20161216105321.GH3623@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote:
> Hi,
>
> I have started a feature description for the Certificate Identity Mapping at
> the following location:
> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>
> This is a first step, focusing on the interface we would like to provide. It
> still contains open questions, some of which are linked to the corresponding
> design on SSSD side:
> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>
> Comments, concerns and suggestions are welcome. Thanks!

Hi Flo,

thank you very much for setting up the page. My comments are mostly about
the commands.

certmappingconfig-mod:

* --enable=Boolean: if this option is 'False' SSSD will basically show the
  current behavior and just look up the certificates directly. But I wonder
  if the option is needed at all because not adding any mapping rules would
  have the same effect. What is the scope here, only the IPA domain, or all
  trusted domains as well? If it is for trusted domains as well will the
  certmappingrule-* commands and user-{add/remove}-certmapping return an
  error? So, in general I see an overlap with the mapping rules and I think
  it would be clearer to drop this option and do the lookups according to
  the mapping rules.

* --prompt-username=Boolean: the description implies that this option is
  synonymous to 1:1 mapping, but it is not. On Linux authentication in most
  cases uses a user name either by directly asking (e.g. /bin/login) or
  using the current user name (e.g. sudo).
  So, according to its name it would only control if gdm is allowed to ask
  for an (optional) user name. If the option is renamed to e.g.
  --force-1-to-1-mapping to really enforce a 1:1 mapping then it would make
  sense to derive the gdm behavior. I.e. if 1:1 mapping is enforced it makes
  no sense for gdm to ask for a user name and if it is not enforced then it
  makes sense to offer an optional user name input field.

* --enable-username-mismatch=Boolean: I think this option can be dropped. My
  tests so far show that if a non-matching hint is given on a Windows client
  authentication fails.

* --alternate-attribute=STRING: I think this option isn't needed as well.
  For IPA server-side we should decide on an attribute name and add it to
  the schema for user objects. On the client side the attribute name can be
  taken from the mapping rule.

certmappingrule-*:

* ISSUERDN: it looks like you want to use issuerName here. In
  certificateRecord it is used with LDAP ordering and I would prefer LDAP
  ordering at all points where we have a choice. Unfortunately in the
  issuer-subject mapping AD dictates X.500 ordering.

* DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in the
  example? My intention in the SSSD design-page was to specify the domain
  (as in DNS domain/IPA domain/trusted domain) where the matching user
  should be searched. Different domains might use certificates from
  different issuers and some domains might not even use certificates. With
  this information SSSD does not have to search any domain trusted by IPA
  for a given certificate, but look only at domains listed here (the
  attribute should be a multi-value one). There are objects in the LDAP tree
  for each trusted domain which are used by SSSD so using a DN syntax would
  be valid here.

* LDAPSEARCHFILTER: I think a separate option is not needed. LDAP search
  filters should just be a special kind of mapping rules. I can imagine a
  syntax like: .
  I think the difficult part with the LDAP filters will be to define
  sensible templates. But as long as we keep the general mapping rule syntax
  flexible the LDAP filter rules can be added in a later version.

* enable/disable: I think this is a good idea and would be consistent with
  other rules like HBAC and sudo

* user-{add/mod} LOGIN --certmappingdata DATA: I think it might be better
  to not add this option and only implement the
  'user-{add/remove}-certmapping' commands

* user-{add/remove}-certmapping: you say '... almost any type of mapping,
  or a more user-friendly API ...'. I would not say 'or' but 'and' and
  implement both

* ipaCertMappingEnableMismatch and ipaCertMappingAlternateIdAttribute: I
  think both are not needed, see above

* altSecurityIdentities: I would prefer to use a different name and OID.
  Using the same definition as AD would imo imply that it can be used in
  the same way as in AD. But e.g. AD also supports other content like
  KERBEROS:alternative_user_principal at AD.DOMAIN which we will not support.

* issuerName vs ipaCAIssuerDN: I would prefer issuerName because it is
  general UTF-8 and not DN syntax (1.3.6.1.4.1.1466.115.121.1.12). Since
  the issuer DN in general will not be a DN from the local LDAP tree I
  think the UTF-8 version fits better.

* nsslapd-certmap-basedn, see DOMAINDN above

* altSecurityIdentities example: X.500 ordering is used by AD here and
  unfortunately I think we have to adopt it at least for this specific
  usage, here is an ldapsearch output from AD:

  altSecurityIdentities: X509:<I>DC=devel,DC=ad,CN=ad-AD-SERVER-CA<S>DC=devel,DC=ad,CN=Users,CN=t u,E=test.user at email.domain
  altSecurityIdentities: X509:<I>O=Red Hat,OU=prod,CN=Certificate Authority<S>DC=com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.com,CN=Sumit Bose

* Certificate Mapping Administrators or re-use Certificate Administrators:
  I would prefer a new 'Certificate Mapping Administrators'

* Users can manage their own X.509 certificate mappings?
  I'm not sure here, at the first glance I would say no. How are OTP tokens
  handled? Maybe this would be a candidate for a certmappingconfig-* option?

That's all :-)

bye,
Sumit

From freeipa-github-notification at redhat.com Fri Dec 16 11:10:01 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Fri, 16 Dec 2016 12:10:01 +0100
Subject: [Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

simo5 commented:
"""
I know this is already closed but NACK.
The problem here is in searching "base", this means ending up searching also in things like slapi-nis.
We need to change the code to search in cn=REALM, and, if that fails, search again in cn=accounts.
I do not know if we should revert or just patch on top.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/345#issuecomment-267571798

From freeipa-github-notification at redhat.com Fri Dec 16 11:14:56 2016
From: freeipa-github-notification at redhat.com (abbra)
Date: Fri, 16 Dec 2016 12:14:56 +0100
Subject: [Freeipa-devel] [freeipa PR#345][comment] ipa-kdb: search for password policies globally

URL: https://github.com/freeipa/freeipa/pull/345
Title: #345: ipa-kdb: search for password policies globally

abbra commented:
"""
NACK to @simo5 concerns. We are not affected by slapi-nis on searches from KDC.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/345#issuecomment-267572619

From tkrizek at redhat.com Fri Dec 16 11:22:46 2016
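[Editor's added example for the DN-ordering point in Sumit's Certificate Identity Mapping reply above; it is not FreeIPA, SSSD or AD code.] An LDAP string DN (RFC 4514) lists the leaf RDN first, while the issuer+subject form of AD's altSecurityIdentities, `X509:<I>issuer<S>subject`, writes both names root-first in X.500 order, which is why a certificate's issuer and subject as an X.509 library reports them have to be reversed before they can be compared with a stored mapping. The code below splits a DN into RDNs while honouring backslash escapes, converts between the two orders, builds and parses the AD value, and matches a stored value against a certificate's names. `split_rdns`, `ldap_to_x500`, `x500_to_ldap`, `ad_issuer_subject_mapping`, `parse_ad_mapping`, `mapping_matches` and `demo` are the example's own names; the DNs in `demo` are adapted from the ldapsearch output quoted in the thread.

```python
"""Editor's example (not FreeIPA/SSSD/AD code): LDAP vs X.500 RDN order and the
AD 'X509:<I>issuer<S>subject' altSecurityIdentities value.  Sample DNs are
adapted from the thread's ldapsearch output."""


def split_rdns(dn):
    """Split an RFC 4514 DN string on unescaped commas.

    A backslash escapes the next character, so 'O=Acme\\, Inc.' stays one RDN.
    Multi-valued RDNs joined with '+' are kept as a unit (never split).
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                       # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [rdn for rdn in rdns if rdn]


def ldap_to_x500(dn):
    """Reverse RDN order: 'CN=a,OU=b,DC=c' -> 'DC=c,OU=b,CN=a'."""
    return ",".join(reversed(split_rdns(dn)))


def x500_to_ldap(dn):
    """Reversal is its own inverse; separate name kept for readability."""
    return ldap_to_x500(dn)


def ad_issuer_subject_mapping(issuer_ldap, subject_ldap):
    """Build the AD 'X509:<I>...<S>...' value from LDAP-ordered issuer and subject."""
    return "X509:<I>%s<S>%s" % (ldap_to_x500(issuer_ldap), ldap_to_x500(subject_ldap))


def parse_ad_mapping(value):
    """Inverse of ad_issuer_subject_mapping: (issuer, subject) in LDAP order.

    Only the issuer+subject form is handled; other AD forms (subject-only,
    SKI, serial, 'KERBEROS:' principals, ...) raise ValueError.
    """
    prefix = "X509:<I>"
    if not value.startswith(prefix) or "<S>" not in value:
        raise ValueError("not an X509:<I>issuer<S>subject mapping: %r" % value)
    issuer_x500, subject_x500 = value[len(prefix):].split("<S>", 1)
    return x500_to_ldap(issuer_x500), x500_to_ldap(subject_x500)


def mapping_matches(value, issuer_ldap, subject_ldap):
    """Does a stored mapping value match a certificate's issuer and subject
    as an X.509 library reports them (LDAP order)?  Compared RDN by RDN after
    normalising order; whitespace after commas is ignored, attribute-type
    case and value normalisation are not attempted here."""
    try:
        issuer, subject = parse_ad_mapping(value)
    except ValueError:
        return False
    return (split_rdns(issuer) == split_rdns(issuer_ldap)
            and split_rdns(subject) == split_rdns(subject_ldap))


def demo():
    """Constructed pair adapted from the thread's second ldapsearch line."""
    issuer = "CN=Certificate Authority,OU=prod,O=Red Hat"
    subject = "CN=Sumit Bose,OU=users,DC=redhat,DC=com"
    value = ad_issuer_subject_mapping(issuer, subject)
    return value, mapping_matches(value, issuer, subject)


if __name__ == "__main__":
    print(demo())
```

The point Sumit makes is visible in `demo()`: the stored value and the names a library hands you differ only in RDN order, so a mapping implementation must pick one canonical order before comparing, and an IPA-side attribute that keeps LDAP order (as certificateRecord does) can still be matched against AD-style data through the conversion above.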
From: tkrizek at redhat.com (Tomas Krizek)
Date: Fri, 16 Dec 2016 12:22:46 +0100
Subject: [Freeipa-devel] Announcing bind-dyndb-ldap version 11.0
Message-ID: <49b328f1-0050-2fce-7c6e-30d6093683ad@redhat.com>

The FreeIPA team is proud to announce bind-dyndb-ldap version 11.0.

It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/

The new version has also been built for Fedora Rawhide.

Latest news:

11.0
====

[1] The plugin was ported to BIND 9.11. Minimal BIND version is now 9.11.0rc1.
    https://fedorahosted.org/bind-dyndb-ldap/ticket/161

[2] Configuration format in named.conf is different and incompatible with all previous versions. Please see README.md.

[3] Obsolete plugin options were removed: cache_ttl, psearch, serial_autoincrement, zone_refresh.

== Upgrading ==

A server can be upgraded by installing updated RPM. If your named.conf has configuration for dyndb, you need to manually update it to reflect the new configuration format. Please see README.md for more information. BIND has to be manually restarted afterwards.

== Limited compatibility with BIND 9 ==

bind-dyndb-ldap version 11.0 is only compatible with BIND 9.11 and newer.

== Known Issues ==

There are the following issues in Fedora Rawhide:
- 1403352: New FreeIPA installations generate old and incompatible configuration in named.conf.
- 1404409: Using GSSAPI authentication for 389-ds results in an error, simple bind is not affected.
- named-pkcs11 does not start with dyndb configured. named is not affected.

We are currently working on resolving these issues.

== Feedback ==

Please provide comments, report bugs, and send any other feedback via the freeipa-users mailing list: http://www.redhat.com/mailman/listinfo/freeipa-users

--
Tomas Krizek

From slaznick at redhat.com Fri Dec 16 12:26:36 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Fri, 16 Dec 2016 13:26:36 +0100
Subject: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
Message-ID: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com>

Hello,

I started a design page for FreeIPA on FIPS-enabled systems: https://www.freeipa.org/page/V4/FreeIPA-on-FIPS

Me and Tomáš are still investigating what of all things will need to change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed to install and run patched FreeIPA server and client and connect them together.

There are some issues with NSS when trying to create an HTTPS request (apparently, NSS requires an NSS database password to set up an SSL connection). I am actually thinking of removing NSSConnection from the client altogether.

Best regards,
Standa

P.S: we've got some Ansible scripts that help us setup FIPS in our testing environment and build FreeIPA on RHEL 7.3 in our internal IdM gitlab (sorry, communities, we'll release them to the public later, they might currently make your eyes bleed as we're not so good w/ Ansible yet).

From rcritten at redhat.com Fri Dec 16 14:23:38 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 16 Dec 2016 09:23:38 -0500
Subject: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
In-Reply-To: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com>
References: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com>
Message-ID: <5853F8EA.7060104@redhat.com>

Standa Laznicka wrote:
> Hello,
>
> I started a design page for FreeIPA on FIPS-enabled systems:
> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>
> Me and Tomáš are still investigating what of all things will need to
> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
> to install and run patched FreeIPA server and client and connect them
> together.
>
> There are some issues with NSS when trying to create an HTTPS request
> (apparently, NSS requires an NSS database password to set up an SSL
> connection). I am actually thinking of removing NSSConnection from the
> client altogether.

Can you expand on this a bit? NSS should only need a pin when it needs access to a private key. What connection(s) are you talking about, and what would you replace NSSConnection with?

rob

From freeipa-github-notification at redhat.com Fri Dec 16 15:25:07 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Fri, 16 Dec 2016 16:25:07 +0100
Subject: [Freeipa-devel] [freeipa PR#347][opened] Improvements in {get|set}_directive functions
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
Title: #347: Improvements in {get|set}_directive functions
Action: opened

PR body:
"""
These should fix https://fedorahosted.org/freeipa/ticket/6460 and future-proof the code a bit
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-347.patch
Type: text/x-diff
Size: 6772 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Fri Dec 16 16:02:39 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Dec 2016 17:02:39 +0100
Subject: [Freeipa-devel] [freeipa PR#333][+ack] Remove named-pkcs11 workarounds from DNSSEC tests.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

Label: +ack

From freeipa-github-notification at redhat.com Fri Dec 16 16:10:55 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Fri, 16 Dec 2016 17:10:55 +0100
Subject: [Freeipa-devel] [freeipa PR#340][comment] schema_cache: Make handling of string compatible with python3
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/340
Title: #340: schema_cache: Make handling of string compatible with python3

mbasti-rh commented:
"""
Works for me on both PY2/3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/340#issuecomment-267629124

From freeipa-github-notification at redhat.com Mon Dec 19 07:30:19 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 19 Dec 2016 08:30:19 +0100
Subject: [Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/347
Title: #347: Improvements in {get|set}_directive functions

pspacek commented:
"""
Please see my in-line comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/347#issuecomment-267899165

From slaznick at redhat.com Mon Dec 19 08:12:51 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Mon, 19 Dec 2016 09:12:51 +0100
Subject: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
In-Reply-To: <5853F8EA.7060104@redhat.com>
References: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com> <5853F8EA.7060104@redhat.com>
Message-ID:

On 12/16/2016 03:23 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> Hello,
>>
>> I started a design page for FreeIPA on FIPS-enabled systems:
>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>
>> Me and Tomáš are still investigating what of all things will need to
>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
>> to install and run patched FreeIPA server and client and connect them
>> together.
>>
>> There are some issues with NSS when trying to create an HTTPS request
>> (apparently, NSS requires an NSS database password to set up an SSL
>> connection). I am actually thinking of removing NSSConnection from the
>> client altogether.
> Can you expand on this a bit? NSS should only need a pin when it needs
> access to a private key. What connection(s) are you talking about, and
> what would you replace NSSConnection with?
>
> rob

Hello Rob,

Thank you for this excellent question, in order to cut the email short I seem to have omitted quite a few information.

One of the very first problems I had with FreeIPA with FIPS was that NSS was always asking for password/pin. I was discussing this with the NSS guys on their IRC chat last week and it turns out that NSS tries to create a private key every time you want to use it as a backend for an SSL connection on FIPS. I still don't think this is quite right so I may open a bugzilla for that. Anyway, the guys suggested me that we could try to create the database with an empty password and everything will work. I don't quite like that, too, but it's at least something if you don't want the `ipa` command to always bug you for password you have no way knowing if you're just a regular user.

What I think would be a better way to go is to use httplib.HTTPSConnection. We have the needed certificates in /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion with Honza this morning and it seems that with this approach we may get rid of the NSSConnection class altogether (although I still need to check a few spots) and start the process of moving away from NSS which was discussed some year ago in an internal mailing list (for some reason).

Will be happy to hear thoughts on this,
Standa

From Oucema.Bellagha at hotmail.com Mon Dec 19 08:41:29 2016
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha)
Date: Mon, 19 Dec 2016 08:41:29 +0000
Subject: [Freeipa-devel] require n out of m keys/users to authenticate an ssh session?
Message-ID:

I'm looking for an option - eventually to extend standard ssh - in such a way that I need (at least) two people/keys out of m possible to authenticate a session instead of one out of m known once...

e.g:
to authenticate to server X : I need two people A and (B or C) together.

anyone seen this or know how to do?

I know there is key + password (which is kind of this direction) but not exactly what I'm looking for...

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jcholast at redhat.com Mon Dec 19 09:02:58 2016
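Standa's proposal in the FIPS + NSS thread above is to drop NSSConnection and have the client use httplib.HTTPSConnection with the CA certificate already present in /etc/ipa/ca.crt. The following is an added example of what that client side looks like with the Python 3 standard library; it is not FreeIPA's code. The CA file path is the one the thread names, while the host name and URL path in the usage are placeholders. A `cafile` of None (used by the test) falls back to the system trust store, which is convenient for checking the context but is not what an IPA client should use.

```python
"""Standard-library HTTPS client pinned to the IPA CA (added example, not FreeIPA code).

The point is that the server's certificate is verified against a known CA
and the host name is checked, without any NSS database or PIN involved.
"""
import http.client
import ssl
from typing import Optional

IPA_CA_CRT = "/etc/ipa/ca.crt"   # CA bundle path mentioned in the thread


def make_verified_context(cafile: Optional[str] = IPA_CA_CRT) -> ssl.SSLContext:
    """Client context that requires a chain to `cafile` and checks the host name.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    they are restated so the security properties are explicit rather than
    inherited. cafile=None loads the system trust store instead (assumed
    only for tests, not for talking to the IPA server).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse older protocol versions
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the properties a review of the client cares about."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def ipa_https_get(host: str, path: str, cafile: str = IPA_CA_CRT,
                  timeout: float = 10.0) -> bytes:
    """GET https://host/path.

    Raises ssl.SSLCertVerificationError when the server certificate does not
    chain to the CA or does not name `host`; a non-200 status is raised rather
    than silently returned as a body.
    """
    conn = http.client.HTTPSConnection(host, context=make_verified_context(cafile),
                                       timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"{host}{path}: HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    print(context_summary(make_verified_context(None)))
    # Placeholder host: needs a reachable IPA server and its CA file to succeed.
    try:
        print(ipa_https_get("ipa.example.test", "/ipa/ui/")[:200])
    except OSError as exc:   # ssl.SSLError and socket errors are OSError subclasses
        print(f"request failed: {exc}")
```

Because `check_hostname` and `CERT_REQUIRED` are both on, a server presenting a certificate from any other CA, or one whose subject does not match the host name, fails the handshake before any request is sent, which is the behaviour the NSS-based connection was providing via the NSS database.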
From: jcholast at redhat.com (Jan Cholasta)
Date: Mon, 19 Dec 2016 10:02:58 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping
In-Reply-To: <20161216105321.GH3623@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com> <20161216105321.GH3623@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

I agree with *almost* everything Sumit said. See my inline comments below.

On 16.12.2016 11:53, Sumit Bose wrote:
> On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> I have started a feature description for the Certificate Identity Mapping at
>> the following location:
>> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
>>
>> This is a first step, focusing on the interface we would like to provide. It
>> still contains open questions, some of which are linked to the corresponding
>> design on SSSD side:
>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
>>
>> Comments, concerns and suggestions are welcome. Thanks!
>
> Hi Flo,
>
> thank you very much for setting up the page.
>
> My comments are mostly about the commands.
>
> certmappingconfig-mod:
>
> * --enable=Boolean: if this option is 'False' SSSD will basically show
> the current behavior and just look up the certificates directly. But I
> wonder if the option is needed at all because not adding any mapping
> rules would have the same effect.
>
> What is the scope here, only the IPA domain, or all trusted domains as
> well? If it is for trusted domains as well will the certmappingrule-*
> commands and user-{add/remove}-certmapping return an error?
>
> So, in general I see an overlap with the mapping rules and I think it
> would be clearer to drop this option and do the lookups according to
> the mapping rules.
>
> * --prompt-username=Boolean: the description implies that this option is
> synonymous to 1:1 mapping, but it is not. On Linux authentication in
> most cases use a user name either by directly asking (e.g. /bin/login)
> or using the current user name (e.g. sudo). So, according to its name
> it would only control if gdm is allowed to ask for an (optional) user
> name.
>
> If the option is renamed to e.g. --force-1-to-1-mapping to really
> enforce a 1:1 mapping then it would make sense to derived to gdm
> behavior. I.e. if 1:1 mapping is enforced it makes no sense for gdm to
> ask for a user name and if it is not enforced then it makes sense to
> offer an optional user name input field.
>
> * --enable-username-mismatch=Boolean: I think this option can be
> dropped. My test so far show that if a non-matching hint is given on a
> Windows client authentication fails.
>
> * --alternate-attribute=STRING: I think this option isn't needed as
> well. For IPA server-side we should decide on an attribute name and
> add it to the schema for user objects. On the client side the
> attribute name can be taken from the mapping rule.
>
>
> certmappingrule.*:
>
> * ISSUERDN: it looks like you want to use issuerName here. In
> certificateRecord it is used with LDAP ordering and I would prefer
> LDAP ordering at all points where we have a choice. Unfortunately in the
> issuer-subject mapping AD dictates X.500 ordering.

LDAP ordering should indeed be preferred, as it is used everywhere else in IPA. We can convert to/from X.500 ordering where necessary, when possible.

>
> * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in
> the example? My intention in the SSSD design-page was to specify the
> domain (as in DNS domain/IPA domain/trusted domain) where the matching
> user should be searched. Different domains might certificates from
> different issuers and some domains might not even use certificates.
> With this information SSSD does not have to search any domain trusted
> by IPA from a given certificate, but look only at domains listed here
> (the attribute should be a multi-value one).
>
> There are objects in the LDAP tree for each trusted domain which are
> used by SSSD so using a DN syntax would be valid here.

We use domain names rather than DNs to refer to domains everywhere else in the framework. I don't think this place should be an exception.

>
> * LDAPSEARCHFILTER: I think a separate option is not needed. LDAP search
> filters should just be a special kind of mapping rules. I can imagine
> syntax like: . I
> think the difficult part with the LDAP filters will be to define sensible
> templates.

I'm not sure I understand. Could you please elaborate a little bit?

> But as long as we keep the general mapping rule syntax
> flexible the LDAP filter rules can be added in a later version.

IMHO it should be the other way round and LDAP filters should be implemented first, as they offer all the flexibility we need (all of the other fields can be easily implemented on top of LDAP filters) and are by default extensible without having to update servers and clients.

>
> * enable/disable: I think this is a good idea and would be consistent
> with other rules like HBAC and sudo
>
> * user-{add/mod} LOGIN --certmappingdata DATA: I think it might be
> better to not add this option and only implement the
> 'user-{add/remove}-certmapping' commands
>
> * user-{add/remove}-certmapping: you say '... almost any type of mapping,
> or a more user-friendly API ...'. I would not say 'or' but 'and' and
> implement both
>
> * ipaCertMappingEnableMismatch and ipaCertMappingAlternateIdAttribute; I
> think both are not needed, see above
>
> * altSecurityIdentities: I would prefer to use a different name and OID.
> Using the same definition as AD would imo imply that it can be used in
> the same way as in AD. But e.g. AD also supports other content like
> KERBEROS:alternative_user_principal at AD.DOMAIN which we will not
> support.
>
> * issuerName vs ipaCAIssuerDN: I would prefer issuerName because it is
> general UTF-8 and not DN syntax (1.3.6.1.4.1.1466.115.121.1.12). Since
> the issuer DN in general will not be a DN from the local LDAP tree I
> think the UTF-8 version fits better.

I think it's worth mentioning that if the attribute used DN syntax and matching, we wouldn't have to worry about normalizing the issuer name before searching for it, as DS would do that for us.

>
> * nsslapd-certmap-basedn, see DOMAINDN above
>
> * altSecurityIdentities example: X.500 ordering is used by AD here and
> unfortunately I think we have to adopt it at least for this specific
> usage, here is an ldapsearch output from AD:
>
> altSecurityIdentities: X509:DC=devel,DC=ad,CN=ad-AD-SERVER-CADC=devel,DC=ad,CN=Users,CN=t u,E=test.user at email.domain
> altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate AuthorityDC=com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.com,CN=Sumit Bose Sumit Bose
>
> * Certificate Mapping Administrators or re-use Certificate
> Administrators: I would prefer a new 'Certificate Mapping
> Administrators'
>
> * Users can manage their own X.509 certificate mappings? I'm not sure
> here, at the first glance I would say no. How are OTP tokens handled?
> Maybe this would be a candidate for certmappingconfig-* option?

I think a better question is "How is userCertificate handled?"

Anyway, self-service permissions can be enabled/disabled, so there is really no need for a new certmappingconfig option.

>
> That's all :-)
>
> bye,
> Sumit
>

--
Jan Cholasta

From abokovoy at redhat.com Mon Dec 19 09:06:51 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 19 Dec 2016 11:06:51 +0200
Subject: [Freeipa-devel] require n out of m keys/users to authenticate an ssh session?
In-Reply-To:
References:
Message-ID: <20161219090651.xpceuzdem3fyzit6@redhat.com>

On ma, 19 joulu 2016, Oucema Bellagha wrote:
>I'm looking for an option - eventually to extend standard ssh - in such
>a way that I need (at least) two people/keys out of m possible to
>authenticate a session instead of one out of m known once...
>
>e.g:
>to authenticate to server X : I need two people A and (B or C) together.
>
>anyone seen this or know how to do?
>
>I know there is key + password (which is kind of this direction) but
>not exactly what I'm looking for...
You can use the very same directive AuthenticationMethods to ask for multiple keys too.

  AuthenticationMethods "publickey,publickey,publickey"

would require three different public keys to authenticate.

However, there is nothing in SSH protocol that would enforce different people to be involved at the client side.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Mon Dec 19 09:21:23 2016
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 19 Dec 2016 11:21:23 +0200
Subject: [Freeipa-devel] require n out of m keys/users to authenticate an ssh session?
In-Reply-To:
References: <20161219090651.xpceuzdem3fyzit6@redhat.com>
Message-ID: <20161219092123.oppproalefd4flqs@redhat.com>

On ma, 19 joulu 2016, Oucema Bellagha wrote:
>Hi folks,
>
>
>Thanks for the feedback, I already tried the AuthenticationMethods
>"publickey,publickey" but is there any tool allowing this kind of
>connection from two clients to the server in the same time using
>ssh-Key cause it's not possible using putty ..
No, as I said, it is not designed in the SSH protocol

P.S. Answer to the list, not personally.

>
>
>Cheers,
>
>
>________________________________
>From: Alexander Bokovoy
>Sent: Monday, December 19, 2016 9:06:51 AM
>To: Oucema Bellagha
>Cc: freeipa-devel at redhat.com
>Subject: Re: [Freeipa-devel] require n out of m keys/users to authenticate an ssh session?
>
>On ma, 19 joulu 2016, Oucema Bellagha wrote:
>>I'm looking for an option - eventually to extend standard ssh - in such
>>a way that I need (at least) two people/keys out of m possible to
>>authenticate a session instead of one out of m known once...
>>
>>e.g:
>>to authenticate to server X : I need two people A and (B or C) together.
>>
>>anyone seen this or know how to do?
>>
>>I know there is key + password (which is kind of this direction) but
>>not exactly what I'm looking for...
>You can use the very same directive AuthenticationMethods to ask for
>multiple keys too.
>
> AuthenticationMethods "publickey,publickey,publickey"
>
>would require three different public keys to authenticate.
>
>However, there is nothing in SSH protocol that would enforce different
>people to be involved at the client side.
>--
>/ Alexander Bokovoy

--
/ Alexander Bokovoy

From sbose at redhat.com Mon Dec 19 11:13:44 2016
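Alexander's answer above relies on the semantics of sshd's AuthenticationMethods directive: space-separated entries are alternatives, and within one entry the comma-separated methods must all succeed in order, so "publickey,publickey,publickey" demands three key authentications. The following added example (mine, not FreeIPA's or OpenSSH's code) parses that directive from an sshd_config text and reports the smallest number of public keys any single alternative accepts, which is the effective requirement. It generalises beyond the one-line case in the thread to configs that mix alternatives. The sample configuration text is constructed. As the thread notes, the count is of keys, not of people; the protocol gives no way to tie the keys to distinct users.

```python
"""Inspect sshd's AuthenticationMethods directive (added example, not OpenSSH code).

sshd_config(5) semantics: "publickey,publickey password,publickey" means
two keys OR a password followed by one key. The weakest alternative is the
effective requirement, so that is what min_public_keys_required() reports.
"""
import shlex
from typing import List

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
AuthenticationMethods "publickey,publickey,publickey"   # three keys, as in the thread
Match User backup
    AuthenticationMethods publickey
"""


def parse_authentication_methods(config_text: str) -> List[List[str]]:
    """Return the alternatives of the global AuthenticationMethods directive.

    Each alternative is the ordered list of methods that must all succeed.
    Directives after the first Match line are conditional and are ignored.
    An empty result means the directive is absent, which sshd treats as
    "any": a single successful method suffices.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "authenticationmethods":
            # Values may be quoted; shlex strips the quotes. One quoted token
            # can still hold several space-separated alternatives.
            alternatives = [alt for tok in shlex.split(rest) for alt in tok.split()]
            return [alt.split(",") for alt in alternatives]
    return []


def min_public_keys_required(alternatives: List[List[str]]) -> int:
    """Smallest number of successful publickey authentications among the
    alternatives. Zero when the directive is absent (sshd default "any")."""
    if not alternatives:
        return 0
    # Methods may carry a ':qualifier' (used by keyboard-interactive); compare
    # only the method name.
    return min(sum(1 for method in alt if method.split(":", 1)[0] == "publickey")
               for alt in alternatives)


if __name__ == "__main__":
    alts = parse_authentication_methods(SAMPLE_SSHD_CONFIG)
    print(alts, "->", min_public_keys_required(alts), "public key(s) required")
```

The parser stops at the first Match block on purpose: a `Match` section can lower the requirement for particular users or sources, so a review of the global directive alone is not the whole story, and those blocks should be read separately (or the effective values taken from `sshd -T`).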
From: sbose at redhat.com (Sumit Bose)
Date: Mon, 19 Dec 2016 12:13:44 +0100
Subject: [Freeipa-devel] Certificate Identity Mapping
In-Reply-To:
References: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com> <20161216105321.GH3623@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20161219111344.GB26807@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote:
> I agree with *almost* everything Sumit said. See my inline comments below.
>
> On 16.12.2016 11:53, Sumit Bose wrote:
> > On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote:
> > > Hi,
> > >
> > > I have started a feature description for the Certificate Identity Mapping at
> > > the following location:
> > > http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
> > >
> > > This is a first step, focusing on the interface we would like to provide. It
> > > still contains open questions, some of which are linked to the corresponding
> > > design on SSSD side:
> > > https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates
> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities
> > >
> > > Comments, concerns and suggestions are welcome. Thanks!
> >
> > Hi Flo,
> >
> > thank you very much for setting up the page.
> >
> > My comments are mostly about the commands.
> >
> > certmappingconfig-mod:
> >
> > * --enable=Boolean: if this option is 'False' SSSD will basically show
> > the current behavior and just look up the certificates directly. But I
> > wonder if the option is needed at all because not adding any mapping
> > rules would have the same effect.
> >
> > What is the scope here, only the IPA domain, or all trusted domains as
> > well? If it is for trusted domains as well will the certmappingrule-*
> > commands and user-{add/remove}-certmapping return an error?
> >
> > So, in general I see an overlap with the mapping rules and I think it
> > would be clearer to drop this option and do the lookups according to
> > the mapping rules.
> >
> > * --prompt-username=Boolean: the description implies that this option is
> > synonymous to 1:1 mapping, but it is not. On Linux authentication in
> > most cases use a user name either by directly asking (e.g. /bin/login)
> > or using the current user name (e.g. sudo). So, according to its name
> > it would only control if gdm is allowed to ask for an (optional) user
> > name.
> >
> > If the option is renamed to e.g. --force-1-to-1-mapping to really
> > enforce a 1:1 mapping then it would make sense to derived to gdm
> > behavior. I.e. if 1:1 mapping is enforced it makes no sense for gdm to
> > ask for a user name and if it is not enforced then it makes sense to
> > offer an optional user name input field.
> >
> > * --enable-username-mismatch=Boolean: I think this option can be
> > dropped. My test so far show that if a non-matching hint is given on a
> > Windows client authentication fails.
> >
> > * --alternate-attribute=STRING: I think this option isn't needed as
> > well. For IPA server-side we should decide on an attribute name and
> > add it to the schema for user objects. On the client side the
> > attribute name can be taken from the mapping rule.
> >
> >
> > certmappingrule.*:
> >
> > * ISSUERDN: it looks like you want to use issuerName here. In
> > certificateRecord it is used with LDAP ordering and I would prefer
> > LDAP ordering at all points where we have a choice. Unfortunately in the
> > issuer-subject mapping AD dictates X.500 ordering.
>
> LDAP ordering should indeed be preferred, as it is used everywhere else in
> IPA. We can convert to/from X.500 ordering where necessary, when possible.
>
> >
> > * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in
> > the example? My intention in the SSSD design-page was to specify the
> > domain (as in DNS domain/IPA domain/trusted domain) where the matching
> > user should be searched. Different domains might certificates from
> > different issuers and some domains might not even use certificates.
> > With this information SSSD does not have to search any domain trusted
> > by IPA from a given certificate, but look only at domains listed here
> > (the attribute should be a multi-value one).
> >
> > There are objects in the LDAP tree for each trusted domain which are
> > used by SSSD so using a DN syntax would be valid here.
>
> We use domain names rather than DNs to refer to domains everywhere else in
> the framework. I don't think this place should be an exception.

I'm fine with domain names as well. In fact I didn't think of using DNs for this before I read DOMAINDN on the design page.

>
> >
> > * LDAPSEARCHFILTER: I think a separate option is not needed. LDAP search
> > filters should just be a special kind of mapping rules. I can imagine
> > syntax like: . I
> > think the difficult part with the LDAP filters will be to define sensible
> > templates.
>
> I'm not sure I understand. Could you please elaborate a little bit?

A LDAP search filter which would cover the AD behavior would look like:

(|(altSecurityIdentities=%A%B)(userPrincipalName=%C)(samAccountName=%D))

where

%A: must be replaced with the issuer of the certificate in X.500 order
%B: must be replaced with the subject of the certificate in X.500 order
    it would be possible of course to use a specific template here which would generate the complete search attribute value.
%C: must be replaced by the principal from AD's SAN szOID_NT_PRINCIPAL_NAME
%D: must be replaced with only the name component (the part before the realm) of the principal from szOID_NT_PRINCIPAL_NAME

As %C and %D imply this filter will only work for certificates which have szOID_NT_PRINCIPAL_NAME but for those it must be used to be compatible with AD. For certificates without (altSecurityIdentities=%A%B) is sufficient. It is possible to select the right filter with matching rules.

So we have to find suitable names for the %A, %B, %C and %D templates and also allow different representations (e.g. LDAP or X.500 order for DNs).

>
> > But as long as we keep the general mapping rule syntax
> > flexible the LDAP filter rules can be added in a later version.
>
> IMHO it should be the other way round and LDAP filters should be implemented
> first, as they offer all the flexibility we need (all of the other fields
> can be easily implemented on top of LDAP filters) and are by default
> extensible without having to update servers and clients.

In general I agree, as long we can find a suitable scheme to handle the templates to add content from the certificate in a specific format to the search filters. But from the user/admin perspective there should be special rules for common use-cases which do not require to know too much details about certificates and LDAP trees. E.g. for AD (either via direct or indirect integration) there should be a rule which just does all which AD would do depending on the certificate type. For IPA something like might be a good start for handling external certificates which do not contain user specific data which can be mapped to user object because the syntax is already known from AD.

>
> >
> > * enable/disable: I think this is a good idea and would be consistent
> > with other rules like HBAC and sudo
> >
> > * user-{add/mod} LOGIN --certmappingdata DATA: I think it might be
> > better to not add this option and only implement the
> > 'user-{add/remove}-certmapping' commands
> >
> > * user-{add/remove}-certmapping: you say '... almost any type of mapping,
> > or a more user-friendly API ...'. I would not say 'or' but 'and' and
> > implement both
> >
> > * ipaCertMappingEnableMismatch and ipaCertMappingAlternateIdAttribute; I
> > think both are not needed, see above
> >
> > * altSecurityIdentities: I would prefer to use a different name and OID.
> > Using the same definition as AD would imo imply that it can be used in
> > the same way as in AD. But e.g. AD also supports other content like
> > KERBEROS:alternative_user_principal at AD.DOMAIN which we will not
> > support.
> >
> > * issuerName vs ipaCAIssuerDN: I would prefer issuerName because it is
> > general UTF-8 and not DN syntax (1.3.6.1.4.1.1466.115.121.1.12). Since
> > the issuer DN in general will not be a DN from the local LDAP tree I
> > think the UTF-8 version fits better.
>
> I think it's worth mentioning that if the attribute used DN syntax and
> matching, we wouldn't have to worry about normalizing the issuer name before
> searching for it, as DS would do that for us.

Good point, but I think the main use case for this attribute is on the client side to determine if a rule should be applied to a certificate or not. So I guess LDAP searches with this attribute would be rare because the client will load all rules in one run.

>
> >
> > * nsslapd-certmap-basedn, see DOMAINDN above
> >
> > * altSecurityIdentities example: X.500 ordering is used by AD here and
> > unfortunately I think we have to adopt it at least for this specific
> > usage, here is an ldapsearch output from AD:
> >
> > altSecurityIdentities: X509:DC=devel,DC=ad,CN=ad-AD-SERVER-CADC=devel,DC=ad,CN=Users,CN=t u,E=test.user at email.domain
> > altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate AuthorityDC=com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.com,CN=Sumit Bose Sumit Bose
> >
> > * Certificate Mapping Administrators or re-use Certificate
> > Administrators: I would prefer a new 'Certificate Mapping
> > Administrators'
> >
> > * Users can manage their own X.509 certificate mappings? I'm not sure
> > here, at the first glance I would say no. How are OTP tokens handled?
> > Maybe this would be a candidate for certmappingconfig-* option?
>
> I think a better question is "How is userCertificate handled?"
>
> Anyway, self-service permissions can be enabled/disabled, so there is really
> no need for a new certmappingconfig option.

Yes, this makes sense.

bye,
Sumit

>
> >
> > That's all :-)
> >
> > bye,
> > Sumit
> >
>
>
> --
> Jan Cholasta

From freeipa-github-notification at redhat.com Mon Dec 19 11:47:09 2016
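Sumit's reply above sketches the AD-compatible search filter with %A..%D placeholders, and Jan's inline comment in the same thread raises the LDAP versus X.500 DN ordering. The following is an added example of mine, not SSSD or FreeIPA code, that carries both through: it expands the placeholders into a filter, escapes every substituted value per RFC 4515 so that data taken from a certificate cannot change the filter's structure, and flips DNs kept in LDAP order into X.500 order for the altSecurityIdentities value. The <I>/<S> markers are AD's documented altSecurityIdentities syntax and are an assumption on my part, since the archive rendering appears to have stripped them from the quoted examples. The issuer and subject are constructed from the first AD entry quoted in the thread; the principal value is constructed, as the quoted output shows no SAN.

```python
"""Certificate-to-user LDAP filter templating (added example, not SSSD or FreeIPA code).

Expands %A/%B/%C/%D from the thread into an LDAP search filter with
RFC 4515 escaping and LDAP <-> X.500 DN ordering.
"""
import re
from typing import List, Optional, Tuple

RDN = Tuple[str, str]   # (attribute type, attribute value), one RDN each

# RFC 4515 section 3: characters that must be hex-escaped in assertion values.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Sumit's templates, with AD's <I>issuer<S>subject markers added (assumption, see above).
AD_FULL_TEMPLATE = ("(|(altSecurityIdentities=X509:<I>%A<S>%B)"
                    "(userPrincipalName=%C)(samAccountName=%D))")
AD_ISSUER_SUBJECT_TEMPLATE = "(altSecurityIdentities=X509:<I>%A<S>%B)"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for embedding in an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def dn_to_string(rdns: List[RDN], x500_order: bool = False) -> str:
    """Serialize RDNs given in LDAP order (most specific first, RFC 4514).

    X.500 order, which AD uses in altSecurityIdentities, is the reverse.
    """
    ordered = list(reversed(rdns)) if x500_order else list(rdns)
    return ",".join(f"{attr}={val}" for attr, val in ordered)


def expand_template(template: str, issuer: List[RDN], subject: List[RDN],
                    principal: Optional[str]) -> str:
    """Replace %A..%D in a single pass, escaping every substituted value.

    %A issuer DN, X.500 order        %B subject DN, X.500 order
    %C the NT principal name SAN     %D its name part (before the realm)
    One regex pass means a literal '%B' inside a substituted value is never
    expanded a second time.
    """
    values = {
        "%A": dn_to_string(issuer, x500_order=True),
        "%B": dn_to_string(subject, x500_order=True),
        "%C": principal or "",
        "%D": principal.split("@", 1)[0] if principal else "",
    }
    return re.sub(r"%[ABCD]", lambda m: ldap_filter_escape(values[m.group()]), template)


def ad_compatible_filter(issuer: List[RDN], subject: List[RDN],
                         principal: Optional[str]) -> str:
    """Pick the template the way a matching rule would: the full AD filter
    only applies when the certificate carries an NT principal name."""
    template = AD_FULL_TEMPLATE if principal else AD_ISSUER_SUBJECT_TEMPLATE
    return expand_template(template, issuer, subject, principal)


# Constructed sample data modelled on the first AD entry quoted in the thread.
ISSUER = [("CN", "ad-AD-SERVER-CA"), ("DC", "ad"), ("DC", "devel")]
SUBJECT = [("E", "test.user@email.domain"), ("CN", "t u"), ("CN", "Users"),
           ("DC", "ad"), ("DC", "devel")]
PRINCIPAL = "tu@devel.ad"   # constructed; the quoted ldapsearch output shows no SAN

if __name__ == "__main__":
    print(ad_compatible_filter(ISSUER, SUBJECT, PRINCIPAL))
    print(ad_compatible_filter(ISSUER, SUBJECT, None))
    # A subject containing filter metacharacters stays inside its one assertion.
    print(ad_compatible_filter(ISSUER, [("CN", "a)(cn=*")], None))
```

The escaping is the part that matters for the design: once certificate fields are substituted into a server-side or client-side filter, an unescaped parenthesis or asterisk in a subject would turn one assertion into several, so whichever component expands the templates has to escape at the point of substitution.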
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Dec 2016 12:47:09 +0100
Subject: [Freeipa-devel] [freeipa PR#348][opened] ca: fix ca-find with --pkey-only
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/348
Author: jcholast
Title: #348: ca: fix ca-find with --pkey-only
Action: opened

PR body:
"""
Since commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d, ca-find will fail with internal error if --pkey-only is specified, because the code to look up the CA certificate and certificate chain assumes that the ipaCAId attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when --pkey-only is specified.

https://fedorahosted.org/freeipa/ticket/6178
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/348/head:pr348
git checkout pr348
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-348.patch
Type: text/x-diff
Size: 1330 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 11:58:41 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 12:58:41 +0100
Subject: [Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
Title: #334: Py3: Fix ToASCII method
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-334.patch
Type: text/x-diff
Size: 7213 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 12:01:18 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 13:01:18 +0100
Subject: [Freeipa-devel] [freeipa PR#334][comment] Py3: Fix ToASCII method
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/334
Title: #334: Py3: Fix ToASCII method

mbasti-rh commented:
"""
I reworked commit:
- keep python-dns 1.15 in build requires as it changed return type of to_text function
- removed .encode() check
"""

See the full comment at https://github.com/freeipa/freeipa/pull/334#issuecomment-267948095

From freeipa-github-notification at redhat.com Mon Dec 19 12:02:29 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Dec 2016 13:02:29 +0100
Subject: [Freeipa-devel] [freeipa PR#349][opened] spec file: do not define with_lint inside a comment
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/349
Author: jcholast
Title: #349: spec file: do not define with_lint inside a comment
Action: opened

PR body:
"""
RPM expands macros even inside comments in spec files, so the with_lint macro is unintentionally always defined.

Escape the percent sign in '%global' in the comment to prevent this.

https://fedorahosted.org/freeipa/ticket/6418
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/349/head:pr349
git checkout pr349
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-349.patch
Type: text/x-diff
Size: 797 bytes
Desc: not available
URL:

From tkrizek at redhat.com Mon Dec 19 12:04:12 2016
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 19 Dec 2016 13:04:12 +0100
Subject: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread
Message-ID:

Hi Thierry,

could you please take a look at this bind-dyndb-ldap patch? I was trying
to fix https://fedorahosted.org/bind-dyndb-ldap/ticket/149

I wasn't able to reproduce the issue, but I think the problem is fixed
now. Petr Spacek was helping me with this, but I think it would be good
if you could take a look as well.

We were able to identify two causes: a) isc_thread_create fails and
ldap_inst->watcher is undefined (fixed by setting it to 0) and b) the
thread terminates for some reason (i.e. some checks fail) and then a
signal can't be sent to it. This was addressed by removing the REQUIRE
and logging an error instead.

Thanks.

--
Tomas Krizek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-handle-termination-of-syncrepl-watcher-thread.patch
Type: text/x-patch
Size: 1537 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 12:07:45 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 13:07:45 +0100
Subject: [Freeipa-devel] [freeipa PR#334][synchronized] Py3: Fix ToASCII method
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/334
Author: mbasti-rh
Title: #334: Py3: Fix ToASCII method
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/334/head:pr334
git checkout pr334
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-334.patch
Type: text/x-diff
Size: 4563 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 12:11:08 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 13:11:08 +0100
Subject: [Freeipa-devel] [freeipa PR#333][comment] Remove named-pkcs11 workarounds from DNSSEC tests.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8bc677512296a7e94c29edd0c1a96aa7273f352a
"""

See the full comment at https://github.com/freeipa/freeipa/pull/333#issuecomment-267949826

From freeipa-github-notification at redhat.com Mon Dec 19 12:11:10 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 13:11:10 +0100
Subject: [Freeipa-devel] [freeipa PR#333][+pushed] Remove named-pkcs11 workarounds from DNSSEC tests.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/333
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 19 12:11:11 2016
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Mon, 19 Dec 2016 13:11:11 +0100
Subject: [Freeipa-devel] [freeipa PR#333][closed] Remove named-pkcs11 workarounds from DNSSEC tests.
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/333
Author: pspacek
Title: #333: Remove named-pkcs11 workarounds from DNSSEC tests.
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/333/head:pr333
git checkout pr333

From freeipa-github-notification at redhat.com Mon Dec 19 12:19:26 2016
From: freeipa-github-notification at redhat.com (jcholast)
Date: Mon, 19 Dec 2016 13:19:26 +0100
Subject: [Freeipa-devel] [freeipa PR#350][opened] spec file: revert to the previous Release tag
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/350
Author: jcholast
Title: #350: spec file: revert to the previous Release tag
Action: opened

PR body:
"""
Revert from the current Release tag value `upstream` to the previously used `0%{?dist}`, because:

* `0` sorts before `1`, which is usually used as the initial release number in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on one OS are not always installable on another OS.

https://fedorahosted.org/freeipa/ticket/6418
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/350/head:pr350
git checkout pr350
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-350.patch
Type: text/x-diff
Size: 1010 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 12:20:45 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 19 Dec 2016 13:20:45 +0100
Subject: [Freeipa-devel] [freeipa PR#349][+ack] spec file: do not define with_lint inside a comment
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/349
Title: #349: spec file: do not define with_lint inside a comment

Label: +ack

From freeipa-github-notification at redhat.com Mon Dec 19 12:28:26 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Dec 2016 13:28:26 +0100
Subject: [Freeipa-devel] [freeipa PR#351][opened] [fedora-26] named.conf template: update API for bind 9.11
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: opened

PR body:
"""
Please **do not merge** this patch upstream, we need to have BIND 9.11 available before we do, otherwise it will break DNS installation. This patch is intended for Fedora 26 downstream and I'm only posting it for review.

This patch only fixes DNS for new IPA installations. Another patch for fixing existing named configs is necessary. This will most likely be fixed in bind-dyndb-ldap upstream.

---

Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" and updated the rest of configuration to conform to the new format.

https://fedorahosted.org/freeipa/ticket/6565
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-351.patch
Type: text/x-diff
Size: 1307 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 12:39:38 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 19 Dec 2016 13:39:38 +0100
Subject: [Freeipa-devel] [freeipa PR#349][closed] spec file: do not define with_lint inside a comment
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/349
Author: jcholast
Title: #349: spec file: do not define with_lint inside a comment
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/349/head:pr349
git checkout pr349

From freeipa-github-notification at redhat.com Mon Dec 19 12:39:40 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 19 Dec 2016 13:39:40 +0100
Subject: [Freeipa-devel] [freeipa PR#349][+pushed] spec file: do not define with_lint inside a comment
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/349
Title: #349: spec file: do not define with_lint inside a comment

Label: +pushed

From freeipa-github-notification at redhat.com Mon Dec 19 12:39:41 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Mon, 19 Dec 2016 13:39:41 +0100
Subject: [Freeipa-devel] [freeipa PR#349][comment] spec file: do not define with_lint inside a comment
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/349
Title: #349: spec file: do not define with_lint inside a comment

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1b85e59ceeb115dfb24e9c6bacb665b935f9543c
"""

See the full comment at https://github.com/freeipa/freeipa/pull/349#issuecomment-267954848

From pspacek at redhat.com Mon Dec 19 12:48:52 2016
From: pspacek at redhat.com (Petr Spacek)
Date: Mon, 19 Dec 2016 13:48:52 +0100
Subject: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread
In-Reply-To:
References:
Message-ID: <834637e0-3ae3-74bb-6b77-1d4c3590ae36@redhat.com>

On 19.12.2016 13:04, Tomas Krizek wrote:
> Hi Thierry,
>
> could you please take a look at this bind-dyndb-ldap patch? I was trying
> to fix https://fedorahosted.org/bind-dyndb-ldap/ticket/149
>
> I wasn't able to reproduce the issue, but I think the problem is fixed
> now. Petr Spacek was helping me with this, but I think it would be good
> if you could take a look as well.
>
> We were able to identify two causes: a) isc_thread_create fails and
> ldap_inst->watcher is undefined (fixed by setting it to 0) and b) the
> thread terminates for some reason (i.e. some checks fail) and then a
> signal can't be sent to it. This was addressed by removing the REQUIRE
> and logging an error instead.

Please send this as PR on Github and abandon this thread ;-)

--
Petr^2 Spacek

From tbordaz at redhat.com Mon Dec 19 13:04:03 2016
From: tbordaz at redhat.com (thierry bordaz)
Date: Mon, 19 Dec 2016 14:04:03 +0100
Subject: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread
In-Reply-To:
References:
Message-ID: <5857DAC3.9000906@redhat.com>

Hi Tomas,

The patch looks good to me.
Just a minor remark.
ldap_inst->exiting=TRUE and signaling the watcher thread is the same action. Ideally the signal handler would set 'exiting=TRUE', but there is no nice way for the signal handler to retrieve/set the 'exiting' flag. Do you think we could move 'ldap_inst->exiting=TRUE' and pthread_kill in the same wrapper function (for example watcher_shutdown).

thanks
thierry

On 12/19/2016 01:04 PM, Tomas Krizek wrote:
> Hi Thierry,
>
> could you please take a look at this bind-dyndb-ldap patch? I was trying
> to fix https://fedorahosted.org/bind-dyndb-ldap/ticket/149
>
> I wasn't able to reproduce the issue, but I think the problem is fixed
> now. Petr Spacek was helping me with this, but I think it would be good
> if you could take a look as well.
>
> We were able to identify two causes: a) isc_thread_create fails and
> ldap_inst->watcher is undefined (fixed by setting it to 0) and b) the
> thread terminates for some reason (i.e. some checks fail) and then a
> signal can't be sent to it. This was addressed by removing the REQUIRE
> and logging an error instead.
>
> Thanks.
>

From bind-dyndb-ldap-github-notification at redhat.com Mon Dec 19 13:07:24 2016
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Dec 2016 14:07:24 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][opened] handle termination of syncrepl watcher thread
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6
Author: tomaskrizek
Title: #6: handle termination of syncrepl watcher thread
Action: opened

PR body:
"""
In some cases, the thread could have been already terminated and sending a signal to the thread using pthread_kill() would result in an error. Now if the thread has already been terminated for some reason, only an error message is logged.

https://fedorahosted.org/bind-dyndb-ldap/ticket/149
"""

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/6/head:pr6
git checkout pr6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-6.patch
Type: text/x-diff
Size: 1550 bytes
Desc: not available
URL:

From jdennis at redhat.com Mon Dec 19 14:07:08 2016
From: jdennis at redhat.com (John Dennis)
Date: Mon, 19 Dec 2016 09:07:08 -0500
Subject: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
In-Reply-To:
References: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com> <5853F8EA.7060104@redhat.com>
Message-ID: <54dddd8f-37e0-6dec-1cf7-aee1e70cb745@redhat.com>

On 12/19/2016 03:12 AM, Standa Laznicka wrote:
> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> Hello,
>>>
>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>
>>> Me and Tomáš are still investigating what of all things will need to
>>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
>>> to install and run patched FreeIPA server and client and connect them
>>> together.
>>>
>>> There are some issues with NSS when trying to create an HTTPS request
>>> (apparently, NSS requires an NSS database password to set up an SSL
>>> connection). I am actually thinking of removing NSSConnection from the
>>> client altogether.
>> Can you expand on this a bit? NSS should only need a pin when it needs
>> access to a private key. What connection(s) are you talking about, and
>> what would you replace NSSConnection with?
>>
>> rob
>
> Hello Rob,
>
> Thank you for this excellent question, in order to cut the email short I
> seem to have omitted quite a bit of information.
>
> One of the very first problems I had with FreeIPA with FIPS was that NSS
> was always asking for password/pin. I was discussing this with the NSS
> guys on their IRC chat last week and it turns out that NSS tries to
> create a private key every time you want to use it as a backend for an
> SSL connection on FIPS. I still don't think this is quite right so I may
> open a bugzilla for that.

I don't understand, I thought the case you were having problems with was the FreeIPA client, not the server.
I assume when you use the term "backend" you mean server, and yes when NSS is in server mode it will need access to keys. So isn't the problem NSS is not being initialized correctly so that it recognizes it is in client mode and not server mode?

>
> Anyway, the guys suggested to me that we could try to create the database
> with an empty password and everything will work. I don't quite like
> that, too, but it's at least something if you don't want the `ipa`
> command to always bug you for password you have no way knowing if you're
> just a regular user.
>
> What I think would be a better way to go is to use
> httplib.HTTPSConnection. We have the needed certificates in
> /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion
> with Honza this morning and it seems that with this approach we may get
> rid of the NSSConnection class altogether (although I still need to
> check a few spots) and start the process of moving away from NSS which
> was discussed some year ago in an internal mailing list (for some reason).
>
> Will be happy to hear thoughts on this,
> Standa

I'm not a big fan of NSS, it has its issues. As the author of the Python binding I'm quite aware of all the nasty behaviors NSS has and needs to be worked around. I wouldn't be sad to see it go but OpenSSL has its own issues too. If you remove NSS you're also removing the option to support smart cards, HSM's etc. Perhaps before removing functionality it would be good to assess what the requirements are.

--
John

From freeipa-github-notification at redhat.com Mon Dec 19 14:12:57 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 19 Dec 2016 15:12:57 +0100
Subject: [Freeipa-devel] [freeipa PR#352][opened] Clarify meaning of --domain and --realm in installers
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/352
Author: pspacek
Title: #352: Clarify meaning of --domain and --realm in installers
Action: opened

PR body:
"""
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/352/head:pr352
git checkout pr352
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-352.patch
Type: text/x-diff
Size: 15575 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 15:05:23 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 19 Dec 2016 16:05:23 +0100
Subject: [Freeipa-devel] [freeipa PR#353][opened] [RFE] Pwdpolicy
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/353
Author: simo5
Title: #353: [RFE] Pwdpolicy
Action: opened

PR body:
"""
Untested but I am seeking feedback on the actual approach.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/353/head:pr353
git checkout pr353
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-353.patch
Type: text/x-diff
Size: 8351 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 15:07:18 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Mon, 19 Dec 2016 16:07:18 +0100
Subject: [Freeipa-devel] [freeipa PR#279][comment] installer: Stop adding distro-specific NTP servers into ntp.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf

pspacek commented:
"""
ACK
"""

See the full comment at https://github.com/freeipa/freeipa/pull/279#issuecomment-267986862

From slaznick at redhat.com Mon Dec 19 15:41:16 2016
From: slaznick at redhat.com (Standa Laznicka)
Date: Mon, 19 Dec 2016 16:41:16 +0100
Subject: [Freeipa-devel] [DESIGN] FreeIPA on FIPS + NSS question
In-Reply-To: <54dddd8f-37e0-6dec-1cf7-aee1e70cb745@redhat.com>
References: <3ea71617-5479-018c-835e-c951cec75e4e@redhat.com> <5853F8EA.7060104@redhat.com> <54dddd8f-37e0-6dec-1cf7-aee1e70cb745@redhat.com>
Message-ID:

On 12/19/2016 03:07 PM, John Dennis wrote:
> On 12/19/2016 03:12 AM, Standa Laznicka wrote:
>> On 12/16/2016 03:23 PM, Rob Crittenden wrote:
>>> Standa Laznicka wrote:
>>>> Hello,
>>>>
>>>> I started a design page for FreeIPA on FIPS-enabled systems:
>>>> https://www.freeipa.org/page/V4/FreeIPA-on-FIPS
>>>>
>>>> Me and Tomáš are still investigating what of all things will need to
>>>> change in order to have FreeIPA on FIPS-enabled RHEL. So far I managed
>>>> to install and run patched FreeIPA server and client and connect them
>>>> together.
>>>>
>>>> There are some issues with NSS when trying to create an HTTPS request
>>>> (apparently, NSS requires an NSS database password to set up an SSL
>>>> connection). I am actually thinking of removing NSSConnection from the
>>>> client altogether.
>>> Can you expand on this a bit? NSS should only need a pin when it needs
>>> access to a private key. What connection(s) are you talking about, and
>>> what would you replace NSSConnection with?
>>>
>>> rob
>>
>> Hello Rob,
>>
>> Thank you for this excellent question, in order to cut the email short I
>> seem to have omitted quite a bit of information.
>>
>> One of the very first problems I had with FreeIPA with FIPS was that NSS
>> was always asking for password/pin. I was discussing this with the NSS
>> guys on their IRC chat last week and it turns out that NSS tries to
>> create a private key every time you want to use it as a backend for an
>> SSL connection on FIPS. I still don't think this is quite right so I may
>> open a bugzilla for that.
>
> I don't understand, I thought the case you were having problems with
> was the FreeIPA client, not the server. I assume when you use the term
> "backend" you mean server, and yes when NSS is in server mode it will
> need access to keys. So isn't the problem NSS is not being initialized
> correctly so that it recognizes it is in client mode and not server mode?
>
What I meant was "a client backend for an SSL connection" - we're using NSS implementation of SSL (via python-nss) for HTTPS connections from client to server during which we're getting a CA cert from an NSS database but this eventually leads to a password prompt.
>>
>> Anyway, the guys suggested to me that we could try to create the database
>> with an empty password and everything will work. I don't quite like
>> that, too, but it's at least something if you don't want the `ipa`
>> command to always bug you for password you have no way knowing if you're
>> just a regular user.
>>
>> What I think would be a better way to go is to use
>> httplib.HTTPSConnection. We have the needed certificates in
>> /etc/ipa/ca.crt anyway so why not use them instead. We had a discussion
>> with Honza this morning and it seems that with this approach we may get
>> rid of the NSSConnection class altogether (although I still need to
>> check a few spots) and start the process of moving away from NSS which
>> was discussed some year ago in an internal mailing list (for some
>> reason).
>>
>> Will be happy to hear thoughts on this,
>> Standa
>
> I'm not a big fan of NSS, it has its issues. As the author of the
> Python binding I'm quite aware of all the nasty behaviors NSS has and
> needs to be worked around. I wouldn't be sad to see it go but OpenSSL
> has its own issues too. If you remove NSS you're also removing the
> option to support smart cards, HSM's etc. Perhaps before removing
> functionality it would be good to assess what the requirements are.
>
I'm sorry I generalized too much, the original topic was moving away from python-nss (of which I am even more sorry as you're the author).

From freeipa-github-notification at redhat.com Mon Dec 19 15:43:40 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 19 Dec 2016 16:43:40 +0100
Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/314
Author: simo5
Title: #314: RFC: privilege separation for ipa framework code
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/314/head:pr314
git checkout pr314
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-314.patch
Type: text/x-diff
Size: 200767 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 15:45:07 2016
From: freeipa-github-notification at redhat.com (simo5)
Date: Mon, 19 Dec 2016 16:45:07 +0100
Subject: [Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think this code is ready to be included.
I am still playing with a minor change in mod_auth_gssapi, but that can also go in later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-267997245

From freeipa-github-notification at redhat.com Mon Dec 19 15:49:05 2016
From: freeipa-github-notification at redhat.com (stlaz)
Date: Mon, 19 Dec 2016 16:49:05 +0100
Subject: [Freeipa-devel] [freeipa PR#279][+ack] installer: Stop adding distro-specific NTP servers into ntp.conf
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/279
Title: #279: installer: Stop adding distro-specific NTP servers into ntp.conf

Label: +ack

From freeipa-github-notification at redhat.com Mon Dec 19 15:58:18 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Dec 2016 16:58:18 +0100
Subject: [Freeipa-devel] [freeipa PR#351][synchronized] [fedora-26] named.conf template: update API for bind 9.11
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/351
Author: tomaskrizek
Title: #351: [fedora-26] named.conf template: update API for bind 9.11
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/351/head:pr351
git checkout pr351
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-351.patch
Type: text/x-diff
Size: 2932 bytes
Desc: not available
URL:

From freeipa-github-notification at redhat.com Mon Dec 19 16:05:51 2016
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Dec 2016 17:05:51 +0100
Subject: [Freeipa-devel] [freeipa PR#351][comment] [fedora-26] named.conf template: update API for bind 9.11
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/freeipa/pull/351
Title: #351: [fedora-26] named.conf template: update API for bind 9.11

tomaskrizek commented:
"""
The version of BIND in `freeipa.spec.in` is also subject to change. There is currently a bug that affects `named-pkcs11`, but not `named`.

I also have a [COPR repo](https://copr.fedorainfracloud.org/coprs/tkrizek/bind-9.11/) with bind 9.11 for F25. I'm going to add bind-dyndb-ldap v11.0 there as well. I'll also try to build for Fedora 24.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/351#issuecomment-268003008

From bind-dyndb-ldap-github-notification at redhat.com Mon Dec 19 18:01:33 2016
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek)
Date: Mon, 19 Dec 2016 19:01:33 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][synchronized] handle termination of syncrepl watcher thread
In-Reply-To:
References:
Message-ID:

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6
Author: tomaskrizek
Title: #6: handle termination of syncrepl watcher thread
Action: synchronized

To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/6/head:pr6
git checkout pr6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pr-6.patch
Type: text/x-diff
Size: 3080 bytes
Desc: not available
URL:

From tkrizek at redhat.com Mon Dec 19 18:04:15 2016
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 19 Dec 2016 19:04:15 +0100
Subject: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread
In-Reply-To: <5857DAC3.9000906@redhat.com>
References: <5857DAC3.9000906@redhat.com>
Message-ID: <9383aad9-27ff-03c3-2f39-e93ad8206acc@redhat.com>

On 12/19/2016 02:04 PM, thierry bordaz wrote:
> Hi Tomas,
>
> The patch looks good to me.
> Just a minor remark.
> ldap_inst->exiting=TRUE and signaling the watcher thread is the same
> action. Ideally the signal handler would set 'exiting=TRUE', but
> there is no nice way for the signal handler to retrieve/set the
> 'exiting' flag. Do you think we could move 'ldap_inst->exiting=TRUE'
> and pthread_kill in the same wrapper function (for example
> watcher_shutdown).
>
> thanks
> thierry
>
> On 12/19/2016 01:04 PM, Tomas Krizek wrote:
>> Hi Thierry,
>>
>> could you please take a look at this bind-dyndb-ldap patch? I was trying
>> to fix https://fedorahosted.org/bind-dyndb-ldap/ticket/149
>>
>> I wasn't able to reproduce the issue, but I think the problem is fixed
>> now. Petr Spacek was helping me with this, but I think it would be good
>> if you could take a look as well.
>>
>> We were able to identify two causes: a) isc_thread_create fails and
>> ldap_inst->watcher is undefined (fixed by setting it to 0) and b) the
>> thread terminates for some reason (i.e. some checks fail) and then a
>> signal can't be sent to it. This was addressed by removing the REQUIRE
>> and logging an error instead.
>>
>> Thanks.
>>
>
Moved the ldap_inst->exiting and pthread_kill to a wrapper function. Please continue the review at https://github.com/freeipa/bind-dyndb-ldap/pull/6

--
Tomas Krizek

From blipton at redhat.com Mon Dec 19 20:59:27 2016
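The shutdown wrapper discussed in the bind-dyndb-ldap thread above (set the `exiting` flag, then signal the watcher, in one function, with neither failure mode treated as fatal), written out as an added example. This is not bind-dyndb-ldap's code: the type and function names (`ldap_instance_t`, `watcher_start`, `watcher_shutdown`, `WATCHER_SIGNAL`), the use of plain pthreads instead of ISC's thread wrappers, and `nanosleep()` standing in for the watcher's blocking LDAP call are all assumptions made for this demonstration.

```c
/* Added example, not bind-dyndb-ldap code.  ldap_instance_t, watcher_start,
 * watcher_shutdown and WATCHER_SIGNAL are names assumed for this demo. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define WATCHER_SIGNAL SIGUSR1

typedef struct {
    pthread_t watcher;             /* 0 = no thread was ever created (cause a) */
    volatile sig_atomic_t exiting; /* written by shutdown, read by the thread */
    int shutdown_errors;           /* problems that were logged, not REQUIRE()d */
} ldap_instance_t;

/* Empty handler: the signal only has to interrupt the thread's blocking call. */
static void watcher_wakeup(int sig) { (void)sig; }

static void *watcher_main(void *arg) {
    ldap_instance_t *inst = arg;
    struct timespec tick = { 0, 5 * 1000 * 1000 };  /* 5 ms */
    /* nanosleep() stands in for the blocking ldap_result() of the real watcher;
     * the flag is re-checked after every wakeup, whether by signal or timeout. */
    while (!inst->exiting)
        nanosleep(&tick, NULL);
    return NULL;
}

/* Returns 0 or the pthread_create() error code.  On failure the handle is set
 * to 0 instead of being left undefined, so a later shutdown can tell. */
int watcher_start(ldap_instance_t *inst) {
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = watcher_wakeup;
    sigemptyset(&sa.sa_mask);
    sigaction(WATCHER_SIGNAL, &sa, NULL);  /* no SA_RESTART: nanosleep() returns EINTR */

    inst->exiting = 0;
    int rc = pthread_create(&inst->watcher, NULL, watcher_main, inst);
    if (rc != 0) {
        inst->watcher = 0;
        fprintf(stderr, "watcher: thread creation failed: %s\n", strerror(rc));
    }
    return rc;
}

/* The wrapper suggested in review: set the flag, then poke the thread, in one
 * place.  Returns 0 when the thread was signaled and joined, ESRCH when there
 * was no thread to stop, or the pthread_kill() error code (logged, not fatal). */
int watcher_shutdown(ldap_instance_t *inst) {
    inst->exiting = 1;
    if (inst->watcher == 0) {
        fprintf(stderr, "watcher: not running, nothing to stop\n");
        inst->shutdown_errors++;
        return ESRCH;
    }
    int rc = pthread_kill(inst->watcher, WATCHER_SIGNAL);
    if (rc != 0) {
        /* cause (b): the thread already ended; log instead of REQUIRE(rc == 0) */
        fprintf(stderr, "watcher: cannot signal thread: %s\n", strerror(rc));
        inst->shutdown_errors++;
    }
    /* The thread sees exiting == 1 on its next wakeup even if the signal could
     * not be delivered, so the join still completes. */
    pthread_join(inst->watcher, NULL);
    inst->watcher = 0;
    return rc;
}
```

Build with `cc -pthread`. Setting the flag before the signal is what makes the wrapper safe to call regardless of thread state: an undelivered signal only costs one sleep interval, and a never-created thread is recognised by the zeroed handle rather than by dereferencing garbage.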
From: blipton at redhat.com (Ben Lipton)
Date: Mon, 19 Dec 2016 15:59:27 -0500
Subject: [Freeipa-devel] CSR autogeneration next steps
In-Reply-To:
References: <4d31f26b-e332-7362-2b8e-3382a0109067@redhat.com> <2ac0c9af-ef4a-65fe-0cb9-2d161bb7eba0@redhat.com>
Message-ID: <77684b8f-c0f5-b1ad-cf7c-075184b5ee39@redhat.com>

On 12/15/2016 11:11 PM, Ben Lipton wrote:
>
> On 12/12/2016 03:52 AM, Jan Cholasta wrote:
>> On 5.12.2016 16:48, Ben Lipton wrote:
>>> Hi Jan, thanks for the comments.
>>>
>>>
>>> On 12/05/2016 04:25 AM, Jan Cholasta wrote:
>>>> Hi Ben,
>>>>
>>>> On 3.11.2016 00:12, Ben Lipton wrote:
>>>>> Hi everybody,
>>>>>
>>>>> Soon I'm going to have to reduce the amount of time I spend on new
>>>>> development work for the CSR autogeneration project, and I want to leave
>>>>> the project in as organized a state as possible. So, I'm taking
>>>>> inventory of the work I've done in order to make sure that what's ready
>>>>> for review can get reviewed and the ideas that have been discussed get
>>>>> prototyped or at least recorded so they won't be forgotten.
>>>>
>>>> Thanks, I have some questions and comments, see below.
>>>>
>>>>>
>>>>> Code that's ready for review (I will continue to put in as much time as
>>>>> needed to help get these ready for submission):
>>>>>
>>>>> - Current PR: https://github.com/freeipa/freeipa/pull/10
>>>>
>>>> How hard would it be to update the PR to use the "new" interface from
>>>> the design thread? By this I mean that currently there is a command
>>>> (cert_get_requestdata), which creates a CSR from profile id +
>>>> principal + helper, but in the design we discussed a command which
>>>> creates a CertificationRequestInfo from profile id + principal +
>>>> public key.
>>>>
>>>> Internally it could use the OpenSSL helper, no need to implement the
>>>> full "new" design. With your build_requestinfo.c code below it looks
>>>> like it should be pretty straightforward.
>>>
>>> This is probably doable with the cffi, but I'm concerned about
>>> usability. A user can run the current command to get a (reusable)
>>> script, and run the script to get a CSR. It works with keys in both PEM
>>> files and NSS databases already. If we change to outputting a
>>> CertificationRequestInfo, in order to make this usable on the command
>>> line, we'll need:
>>> - An additional tool to sign a CSR given a CertificationRequestInfo (for
>>> both types of key storage).
>>> - A way to extract a SubjectPublicKeyInfo structure from a key within
>>> the ipa command (like [1] but we need it for both types of key storage)
>>> Since as far as I know there's no standard encoding for files containing
>>> only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
>>> writing and distributing these ourselves. I think that's where most of
>>> the extra work will come in.
>>
>> For PEM files, this is easily doable using python-cryptography (to
>> extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and
>> PyASN1 (to create a CSR from the CertificationRequestInfo and the
>> signature).
>
> I didn't realize that python-cryptography knew about
> SubjectPublicKeyInfo structures, but indeed this seems to be pretty
> straightforward:
>
>     key = load_pem_private_key(key_bytes, None, default_backend())
>     pubkey_info = key.public_key().public_bytes(Encoding.DER,
>                                                 PublicFormat.SubjectPublicKeyInfo)
>
> Thanks for letting me know this functionality already existed.
>>
>> For NSS databases, this will be trickier and will require calling C
>> functions, as neither certutil nor python-nss provide a way to a)
>> address existing keys in the database by key ID b) get
>> SubjectPublicKeyInfo for a given key.
>>
>> As for encoding, the obvious choice is DER. It does not really matter
>> there is no standard file format, as we won't be transferring these
>> as files anyway.
>
> Agreed.
> I just meant there aren't tools already because this isn't a
> type of file one often needs to process.
>>
>>>
>>> Would it be ok to stick with the current design in this PR? I'd feel
>>> much better if we could get the basic functionality into the repo and
>>> then iterate on it rather than changing the plan at this point. I can
>>> create a separate PR to change cert_get_requestdata to this new
>>> interface and at the same time add the necessary adapters (bullet points
>>> above) to make it user-friendly.
>>
>> Works for me.
>
> Updated the PR to fix conflicts with master. Had some trouble with CI
> but creating a new PR with the same commits fixed it
> (https://github.com/freeipa/freeipa/pull/337). Not sure if it's fixed
> permanently, so I guess I'll just keep the two PRs synchronized now,
> or we could close the old one.
>>
>>>
>>> I would probably just implement the adapters within the
>>> cert_build/cert_request client code unless you think having standalone
>>> tools is valuable. I suppose certmonger is going to need these features
>>> too, but I don't know how well sharing code between them is going to
>>> work.
>>
>> cert-request is exactly the place where it should be :-) I wouldn't
>> bother with certmonger until we have a server-side csrgen.
>>
>>>>
>>>>>
>>>>> - Allow some fields to be specified by the user at creation time:
>>>>> https://github.com/LiptonB/freeipa/commits/local-user-data
>>>>
>>>> Good idea :-)
>>>>
>>>>>
>>>>> - Automation for the full process from getting CSR data to requesting
>>>>> cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
>>>>
>>>> LGTM, although I would prefer if this was a client-side extension of
>>>> cert-request rather than a completely new command.
>>>
>>> I did try that at first, but I struggled to figure out the interface for
>>> the modified cert-request. (Not that the current solution is so great,
>>> what with the copying of options from cert_request and certreq.)
>>> If I remember correctly, I was uncertain how to implement parameters
>>> that are required/invalid based on other parameters: the current
>>> cert-request takes a signed CSR (required), a principal (required), and
>>> a profile ID; the new cert-request (what I implemented as cert-build)
>>> takes a principal (required), a profile ID (required), and a key
>>> location (required). I can't remember if that was the only problem, but
>>> I'll try again to merge the commands and get back to you.
>>
>> To make the CSR argument optional on the client, you can do this:
>>
>>     def get_options(self):
>>         for option in super(cert_request, self).get_options():
>>             if option.name == 'csr':
>>                 option = option.clone(required=False)
>>             yield option
>>
>> IMO profile ID should default to caIPAserviceCert on the client as well.
>
> I originally had it doing so, but changed it to a required option
> based on feedback in this email:
> https://www.redhat.com/archives/freeipa-devel/2016-August/msg00021.html:
> "In general use I think that 'caIPAserviceCert' is unlikely to be used
> a majority of the time, and it is a new command so there are no
> compatibility issues; therefore why not make the profile option
> mandatory?" I guess since we're talking about cert-request now, the
> compatibility issues are back.
>
> https://github.com/LiptonB/freeipa/commits/local-cert-build has now
> been updated to change the cert_request command rather than adding a
> new command. It seems to work now (thanks for the advice on making the
> argument optional), the only thing I'm having trouble with is the
> default for the profile_id argument. Previously, the default was
> applied by this code in cert_request.execute:
>
>     profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
>
> But now, in the client, I need the default to pass to
> cert_get_requestdata if no profile is specified. I'm not sure I can
> access backends from the client to get it the same way the server code
> does.
> Should I just import ipapython/dogtag.py and use the
> DEFAULT_PROFILE set in there? Is there a way I can give the option a
> default that will be seen in both the server and the client?
>>
>>>>
>>>>>
>>>>> Other prototypes and design ideas that aren't ready for submission yet:
>>>>>
>>>>> - Utility written in C to build a CertificationRequestInfo from a
>>>>> SubjectPublicKeyInfo and an openssl-style config file. The purpose of
>>>>> this is to take a config that my code already knows how to generate, and
>>>>> put it in a form that certmonger can use. This is nearly done and
>>>>> available at:
>>>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/build_requestinfo.c
>>>>
>>>> Nice! As I said above, this could really make implementing the "new"
>>>> csrgen interface simple.
>>>>
>>>>>
>>>>> - Ideally it should be possible to use this tool to reimplement the full
>>>>> cert-request automation (local-cert-build branch) without a dependency
>>>>> on the certutil/openssl tools. However, I don't think any of the python
>>>>> crypto libraries have bindings for the functions that deal with
>>>>> CertificationRequestInfo objects, so I don't think I can do this in the
>>>>> short term.
>>>>
>>>> You can use python-cffi to write your own minimal bindings. It's
>>>> fairly straightforward, take a look at FreeIPA commit 500ee7e2 for an
>>>> example of how to port C code to Python with python-cffi.
>>>
>>> Thank you for the example. I will take a look.
>>>>
>>>>>
>>>>> - Certmonger "helper" program that takes in the CertificationRequestInfo
>>>>> that certmonger generates, calls out to IPA for profile-specific data,
>>>>> and returns an updated CertificationRequestInfo built from the data.
>>>>> Certmonger doesn't currently support this type of helper, but (if I
>>>>> understood correctly) this is the architecture Nalin believed would be
>>>>> simplest to fit in.
>>>>> This is not done yet, but I intend to complete it
>>>>> soon - it shouldn't require much code beyond what's in
>>>>> build_requestinfo.c.
>>>>
>>>> To me this sounds like it should be a new operation of the current
>>>> helper rather than a completely new helper.
>>>
>>> Maybe so. I certainly wouldn't call this a finished design, I just
>>> wanted to have some kind of proof of concept for how the certmonger
>>> integration could work. For what it's worth, that prototype is now
>>> available at [2].
>>
>> OK.
>>
>>>>
>>>> Anyway, the ultimate goal is to move the csrgen code to the server,
>>>> which means everything the helper will have to do is call a command
>>>> over RPC.
>>>>
>>>>>
>>>>> - Tool to convert an XER-encoded cert extension to DER, given the ASN.1
>>>>> description of the extension. This would unblock Jan Cholasta's idea of
>>>>> using XSLT for templates rather than text-based formatting. I should be
>>>>> able to implement the conversion tool, but it may be a while before I
>>>>> have time to demo the full XSLT idea.
>>>>
>>>> Was there any progress on this?
>>>
>>> I have started working on implementing it with asn1c, and I'm already
>>> seeing some of the inconvenience (security issues aside) of building on
>>> the server. Libtasn1 seems like a much better model, but doesn't seem to
>>> have XER support. Anyway, don't quite have results here yet but I think
>>> I should have the XER->DER demo with asn1c ready in a week or two.
>>
>> Implementing XER codec on top of libtasn1 shouldn't be too hard; I
>> have a WIP which I will post soon.

It took me some experimentation to get this to work, but the solution
with asn1c is actually quite simple because the tool automatically
provides a sample C file that converts between different formats.
So, this very basic shell script is able to do the conversion:
https://github.com/LiptonB/freeipa-prototypes/blob/master/xer2der.sh

$ cat ExtKeyUsage.xer
1.3.6.1.5.5.7.3.2
1.3.6.1.5.5.7.3.4
$ cat KeyUsage.asn1
KUModule DEFINITIONS ::=
BEGIN

KeyUsage ::= BIT STRING {
     digitalSignature        (0),
     nonRepudiation          (1), -- recent editions of X.509 have
                                  -- renamed this bit to contentCommitment
     keyEncipherment         (2),
     dataEncipherment        (3),
     keyAgreement            (4),
     keyCertSign             (5),
     cRLSign                 (6),
     encipherOnly            (7),
     decipherOnly            (8) }

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

END
$ ./xer2der.sh KeyUsage.asn1 ExtKeyUsageSyntax ExtKeyUsage.xer 2>/dev/null | xxd
00000000: 3014 0608 2b06 0105 0507 0302 0608 2b06  0...+.........+.
00000010: 0105 0507 0304                           ......
>>
>>>>
>>>>>
>>>>> So: currently on my to do list are the certmonger helper and the
>>>>> XER->DER conversion tool. Do you have any comments about these plans,
>>>>> and is there anything else I can do to wrap up the project neatly?
>>>>>
>>>>> Thanks,
>>>>> Ben
>>>>>
>>>>
>>>> Honza
>>>>
>>> [1]
>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/key2spki.c
>>> [2]
>>> https://github.com/LiptonB/freeipa-prototypes/blob/master/cm_ipa_csrgen.c
>>>
>>
>

From freeipa-github-notification at redhat.com Tue Dec 20 01:12:04 2016
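The two ASN.1 chores raised in the thread above, done as an added example with plain DER and no pyasn1 or python-cryptography (this is illustration code, not FreeIPA's, and not Ben's prototypes): first, the ExtKeyUsageSyntax encoding that xer2der.sh produced for the two KeyPurposeId OIDs, reproduced from a small OID and SEQUENCE encoder so the xxd output can be checked byte for byte; second, the step Jan describes of wrapping a DER CertificationRequestInfo and a detached signature into a PKCS#10 CertificationRequest, followed by a parse back to confirm the layout. The CRI and signature bytes in the demo are constructed stand-ins; the sha256WithRSAEncryption OID is the standard value.

```python
"""Minimal DER helpers: ExtKeyUsageSyntax encoding and PKCS#10 CSR assembly."""


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def encode_ext_key_usage(purposes):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    if not purposes:
        raise ValueError("ExtKeyUsageSyntax needs at least one KeyPurposeId")
    return der_tlv(0x30, b"".join(encode_oid(p) for p in purposes))


# sha256WithRSAEncryption; its AlgorithmIdentifier parameters are NULL.
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"


def build_csr(cri_der, signature, sig_alg_oid=SHA256_WITH_RSA):
    """CertificationRequest ::= SEQUENCE { certificationRequestInfo,
    signatureAlgorithm, signature BIT STRING }. cri_der is the DER
    CertificationRequestInfo; signature is the raw signature over exactly
    those bytes (produced elsewhere, e.g. by python-cryptography)."""
    alg_id = der_tlv(0x30, encode_oid(sig_alg_oid) + b"\x05\x00")
    sig = der_tlv(0x03, b"\x00" + signature)  # leading octet: 0 unused bits
    return der_tlv(0x30, cri_der + alg_id + sig)


def der_read(data, pos=0):
    """Read one TLV at pos; returns (tag, content, next_pos)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def der_children(seq_der):
    """Children of a single top-level SEQUENCE as (tag, content) pairs."""
    tag, content, end = der_read(seq_der)
    if tag != 0x30 or end != len(seq_der):
        raise ValueError("expected exactly one DER SEQUENCE")
    children, pos = [], 0
    while pos < len(content):
        t, c, pos = der_read(content, pos)
        children.append((t, c))
    return children


if __name__ == "__main__":
    eku = encode_ext_key_usage(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"])
    print(eku.hex())  # the same bytes xer2der.sh printed above
    # Constructed stand-in CRI and signature, only to show the wrapping.
    fake_cri = der_tlv(0x30, b"\x02\x01\x00")
    csr = build_csr(fake_cri, b"\xab" * 4)
    for tag, content in der_children(csr):
        print("tag %02x: %s" % (tag, content.hex()))
```

Because a CertificationRequestInfo and a SubjectPublicKeyInfo are both ordinary DER SEQUENCEs, `der_read` is all a client needs to validate that what came back over RPC is one well-formed element of the expected length before passing it to a signer; the parse-back in `der_children` is the same check applied to the finished CSR.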
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Tue, 20 Dec 2016 02:12:04 +0100
Subject: [Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/348
Title: #348: ca: fix ca-find with --pkey-only

frasertweedale commented:
"""
IMO the current change is fine, but I would also implement a defensive guard within `set_certificate_attrs` in case this somehow happens in some other command.

```python
def set_certificate_attrs(entry, options, want_cert=True):
    if 'ipacaid' not in entry:
        return
    ca_id = entry['ipacaid'][0]
    ...
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-268125375

From freeipa-github-notification at redhat.com Tue Dec 20 06:52:38 2016
From: freeipa-github-notification at redhat.com (frasertweedale)
Date: Tue, 20 Dec 2016 07:52:38 +0100
Subject: [Freeipa-devel] [freeipa PR#354][opened] Fix DL1 replica installation in CA-less topology
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/354
Author: frasertweedale
Title: #354: Fix DL1 replica installation in CA-less topology
Action: opened

PR body:
"""
Commit dbb98765d73519289ee22f3de1a5ccde140f6f5d changed certmonger
requests for DS and HTTP certificates during installation to raise on
error (https://fedorahosted.org/freeipa/ticket/6514).

This introduced a regression in DL1 replica installation in CA-less
topology. A certificate was requested, but prior to the aforementioned
commit this would fail silently and installation continued, whereas now
installation fails.

Guard the certificate request with a check that the topology is CA-ful.

Fixes: https://fedorahosted.org/freeipa/ticket/6573
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/354/head:pr354
git checkout pr354

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-354.patch
Type: text/x-diff
Size: 1478 bytes
Desc: not available
URL: 

From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 08:02:33 2016
From: bind-dyndb-ldap-github-notification at redhat.com (pspacek)
Date: Tue, 20 Dec 2016 09:02:33 +0100
Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][comment] handle termination of syncrepl watcher thread
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6
Title: #6: handle termination of syncrepl watcher thread

pspacek commented:
"""
We are almost there. Just minor changes will make it perfect :-)
"""

See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/6#issuecomment-268179553

From Oucema.Bellagha at hotmail.com Tue Dec 20 08:20:06 2016
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha)
Date: Tue, 20 Dec 2016 08:20:06 +0000
Subject: [Freeipa-devel] require n out of m keys/users to authenticate an ssh session?
Message-ID: 

I'm looking for an option - eventually to extend standard ssh - in such a
way that I need (at least) two people/keys out of m possible to
authenticate a session instead of one out of m known ones...

e.g: to authenticate to server X: we need user a AND (user b OR c)

anyone seen this or know how to do?

Oucema Bellagha
DevOps Engineer specialized in Cloud Computing and IT infrastructures
m: +4915781042392
e: oucema.bellagha at hotmail.com

From freeipa-github-notification at redhat.com Tue Dec 20 09:00:45 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Tue, 20 Dec 2016 10:00:45 +0100
Subject: [Freeipa-devel] [freeipa PR#354][+ack] Fix DL1 replica installation in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/354
Title: #354: Fix DL1 replica installation in CA-less topology

Label: +ack

From flo at redhat.com Tue Dec 20 09:10:29 2016
From: flo at redhat.com (Florence Blanc-Renaud) Date: Tue, 20 Dec 2016 10:10:29 +0100 Subject: [Freeipa-devel] Certificate Identity Mapping In-Reply-To: <20161219111344.GB26807@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <3f7fdd64-df25-69c3-e472-585a4d33eb94@redhat.com> <20161216105321.GH3623@p.Speedport_W_724V_Typ_A_05011603_00_011> <20161219111344.GB26807@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: Hi Sumit and Jan, thanks to both of you for providing detailed comments. Please find answers inline. On 12/19/2016 12:13 PM, Sumit Bose wrote: > On Mon, Dec 19, 2016 at 10:02:58AM +0100, Jan Cholasta wrote: >> I agree with *almost* everything Sumit said. See my inline comments below. >> >> On 16.12.2016 11:53, Sumit Bose wrote: >>> On Tue, Dec 06, 2016 at 04:39:10PM +0100, Florence Blanc-Renaud wrote: >>>> Hi, >>>> >>>> I have started a feature description for the Certificate Identity Mapping at >>>> the following location: >>>> http://www.freeipa.org/page/V4/Certificate_Identity_Mapping >>>> >>>> This is a first step, focusing on the interface we would like to provide. It >>>> still contains open questions, some of which are linked to the corresponding >>>> design on SSSD side: >>>> https://fedorahosted.org/sssd/wiki/DesignDocs/MatchingAndMappingCertificates >>>> https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities >>>> >>>> Comments, concerns and suggestions are welcome. Thanks! >>> >>> Hi Flo, >>> >>> thank you very much for setting up the page. >>> >>> My comments are mostly about the commands. >>> >>> certmappingconfig-mod: >>> >>> * --enable=Boolean: if this option is 'False' SSSD will basically show >>> the current behavior and just look up the certificates directly. But I >>> wonder if the option is needed at all because not adding any mapping >>> rules would have the same effect. >>> >>> What is the scope here, only the IPA domain, or all trusted domains as >>> well? 
If it is for trusted domains as well will the certmappingrule-* >>> commands and user-{add/remove}-certmapping return an error? >>> >>> So, in general I see an overlap with the mapping rules and I think it >>> would be clearer to drop this option and do the lookups according to >>> the mapping rules. I saw this option as a convenient way to disable all the rules with a single command, but I agree it's redundant with the mapping rules and we can live without it. >>> >>> * --prompt-username=Boolean: the description implies that this option is >>> synonymous to 1:1 mapping, but it is not. On Linux authentication in >>> most cases use a user name either by directly asking (e.g. /bin/login) >>> or using the current user name (e.g. sudo). So, according to its name >>> it would only control if gdm is allowed to ask for an (optional) user >>> name. >>> >>> If the option is renamed to e.g. --force-1-to-1-mapping to really >>> enforce a 1:1 mapping then it would make sense to derived to gdm >>> behavior. I.e. if 1:1 mapping is enforce it makes no sense for gdm to >>> ask for a user name and if it is not enforced then it makes sense to >>> offer and optional user name input field. >>> Agree, force-1-to-1-mapping is clearer. >>> * --enable-username-mismatch=Boolean: I think this option can be >>> dropped. My test so far show that if a non-matching hint is given on a >>> Windows client authentication fails. OK, thanks for the heads-up. >>> >>> * --alternate-attribute=STRING: I think this option isn't needed as >>> well. For IPA server-side we should decide on an attribute name and >>> add it to the schema for user objects. On the client side the >>> attribute name can be taken from the mapping rule.A OK. >>> >>> >>> certmappingrule.*: >>> >>> * ISSUERDN: it looks like you want to use issuerName here. In >>> certificateRecord it it used with LDAP ordering and I would prefer >>> LDAP ordering at all points where we have a choice. 
Unfortunately in the >>> issuer-subject mapping AD dictates X.500 ordering. >> >> LDAP ordering should indeed be preferred, as it is used everywhere else in >> IPA. We can convert to/from X.500 ordering where necessary, when possible. >> We can use the issuerName attribute with LDAP ordering and convert when needed, as Jan suggested. >>> >>> * DOMAINDN: does this refer to the nsslapd-certmap-basedn attribute in >>> the example? My intention in the SSSD design-page was to specify the >>> domain (as in DNS domain/IPA domain/trusted domain) where the matching >>> user should be searched. Different domains might certificates from >>> different issuers and some domains might not even use certificates. >>> With this information SSSD does not have to search any domain trusted >>> by IPA from a given certificate, but look only at domains listed here >>> (the attribute should be a multi-value one). >>> >>> There are objects in the LDAP tree for each trusted domain which are >>> used by SSSD so using a DN syntax would be valid here. >> >> We use domain names rather than DNs to refer to domains everywhere else in >> the framework. I don't think this place should be an exception. > > I'm fine with domain names as well. In fact I didn't thought of using > DNs for this before I read DOMAINDN on the design page. > I don't have any objection against using a domain name rather than a base DN. >> >>> >>> * LDAPSEARCHFILTER: I think a separate option is not need. LDAP search >>> filters should just be a special kind of mapping rules. I can image in >>> syntax like: . I >>> think the difficult part with the LDAP filters will to define sensible >>> templates. >> >> I'm not sure I understand. Could you please elaborate a little bit? 
>
> A LDAP search filter which would cover the AD behavior would look like:
>
> (|(altSecurityIdentities=%A%B)(userPrincipalName=%C)(samAccountName=%D))
>
> where
>
> %A: must be replaced with the issuer of the certificate in X.500 order
> %B: must be replaced with the subject of the certificate in X.500 order
>
> it would be possible of course to use a specific template here which
> would generate the complete search attribute value.
>
> %C: must be replaced by the principal from AD's SAN
>     szOID_NT_PRINCIPAL_NAME
> %D: must be replaced with only the name component (the part before the
>     realm) of the principal from szOID_NT_PRINCIPAL_NAME
>
> As %C and %D imply this filter will only work for certificates which
> have szOID_NT_PRINCIPAL_NAME but for those it must be used to be
> compatible with AD. For certificates without
>
> (altSecurityIdentities=%A%B)
>
> is sufficient. It is possible to select the right filter with matching
> rules.
>
> So we have to find suitable names for the %A, %B, %C and %D templates
> and also allow different representations (e.g. LDAP or X.500 order for
> DNs).
>
>>
>>> But as long as we keep the general mapping rule syntax
>>> flexible the LDAP filter rules can be added in a later version.
>>
>> IMHO it should be the other way round and LDAP filters should be implemented
>> first, as they offer all the flexibility we need (all of the other fields
>> can be easily implemented on top of LDAP filters) and are by default
>> extensible without having to update servers and clients.
>
> In general I agree, as long we can find a suitable scheme to handle the
> templates to add content from the certificate in a specific format to
> the search filters.
>
> But from the user/admin perspective there should be special rules for
> common use-cases which do not require to know too much details about
> certificates and LDAP trees. E.g.
for AD (either via direct or indirect > integration) there should be a rule which just does all which > AD would do depending on the certificate type. For IPA something like > might be a good start for handling external > certificates which do not contain user specific data which can be mapped > to user object because the syntax is already known from AD. > >> >>> >>> * enable/disable: I think this is a good idea and would be consistent >>> with other rules like HBAC and sudo >>> >>> * user-{add/mod} LOGIN --certmappingdata DATA: I think it might be >>> better to not add this option and only implement the >>> 'user-{add/remove}-certmapping' commands Agree, I prefer providing a single method to configure the user mapping. >>> >>> * user-{add/remove}-certmapping: you say '... almost any type of mapping, >>> or a more user-friendly API ...'. I would not say 'or' but 'and' and >>> implement both Agree. >>> >>> * ipaCertMappingEnableMismatch and ipaCertMappingAlternateIdAttribute; I >>> think both are note needed, see above Agree. >>> >>> * altSecurityIdentities: I would prefer to use a different name and OID. >>> Using the same definition as AD would imo imply that it can be used in >>> the same way as in AD. But e.g. AD also supports other content like >>> KERBEROS:alternative_user_principal at AD.DOMAIN which we will not >>> support. Agree. >>> >>> * issuerName vs ipaCAIssuerDN: I would prefer issuerName because it is >>> general UTF-8 and not DN syntax (1.3.6.1.4.1.1466.115.121.1.12). Since >>> the issuer DN in general will not be a DN from the local LDAP tree I >>> think the UTF-8 version fits better. >> >> I think it's worth mentioning that if the attribute used DN syntax and >> matching, we wouldn't have to worry about normalizing the issuer name before >> searching for it, as DS would do that for us. > I agree with Jan, leveraging DN syntax would definitely be a pro, even if the issuer DN is outside of the local tree. 
If we use UTF-8 instead, would you apply format checks or also accept any value non-DN conformant? > Good point, but I think the main use case for this attribute is on the > client side to determine if a rule should be applied to a certificate or > not. So I guess LDAP searches with this attribute would be rare because > the client will load all rules in one run. > >> >>> >>> * nsslapd-certmap-basedn, see DOMAINDN above OK for a domain instead of a DN, we could reuse associatedDomain instead. >>> >>> * altSecurityIdentities example: X.500 ordering is used by AD here and >>> unfortunately I think we have to adopt it at least for this specific >>> usage, here is an ldapsearch output from AD: >>> >>> altSecurityIdentities: >>> X509:DC=devel,DC=ad,CN=ad-AD-SERVER-CADC=devel,DC >>> =ad,CN=Users,CN=t u,E=test.user at email.domain >>> altSecurityIdentities: X509:O=Red Hat,OU=prod,CN=Certificate >>> AuthorityDC >>> =com,DC=redhat,OU=users,OID.0.9.2342.19200300.100.1.1=sbose,E=sbose at redhat.co >>> m,CN=Sumit Bose Sumit Bose OK. >>> >>> * Certificate Mapping Administrators or re-use Certificate >>> Administrators: I would prefer a new 'Certificate Mapping >>> Administrators' >>> >>> * Users can manage their own X.509 certificate mappings? I'm not sure >>> here, at the first glance I would say no. How are OTP tokens handled? >>> Maybe this would be a candidate for certmappingconfig-* option? >> >> I think a better question is "How is userCertificate handled?" >> There is already a self-service permission "Users can manage their own X509 certificates". Same thing for OTP tokens, users are allowed to add a token to their own account. Flo. >> Anyway, self-service permissions can be enabled/disabled, so there is really >> no need for a new certmappingconfig option. > > Yes, this makes sense. > > bye, > Sumit >> >>> >>> That's all :-) >>> >>> bye, >>> Sumit >>> >> >> >> -- >> Jan Cholasta > From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 09:15:21 2016 
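Two mechanics the thread above leaves implicit are shown in this added example (illustration code, not SSSD's or FreeIPA's): converting a DN between the LDAP order IPA stores and the X.500 order AD expects, which is just reversing the RDN list while respecting escaped commas, and expanding Sumit's filter template (`%A` issuer, `%B` subject, `%C` SAN principal, `%D` its name part) with every substituted value escaped per RFC 4515, so that a subject CN or principal chosen by whoever obtained the certificate cannot change the filter's structure. The template string is the one from the mail; the issuer is the "O=Red Hat" CA from Sumit's ldapsearch output written in LDAP order, and the subject and principal are constructed. The separator AD puts between issuer and subject inside altSecurityIdentities did not survive the archive, so the example keeps the mail's literal `%A%B` concatenation.

```python
"""Certificate-to-user LDAP filter expansion with DN reordering and escaping."""

# RFC 4515 filter-value escaping: these characters would otherwise be
# interpreted as filter syntax when they arrive inside a certificate field.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_rdns(dn):
    """Split a string DN on commas that are not backslash-escaped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("dangling escape in DN: %r" % dn)
    rdns.append("".join(current))
    return rdns


def ldap_to_x500(dn):
    """LDAP order (leaf RDN first) to X.500 order (root first).
    The conversion is its own inverse."""
    return ",".join(reversed(split_rdns(dn)))


# The AD-compatible filter proposed in the mail, verbatim.
AD_STYLE_TEMPLATE = "(|(altSecurityIdentities=%A%B)(userPrincipalName=%C)(samAccountName=%D))"


def build_mapping_filter(template, issuer_ldap, subject_ldap, principal):
    """Expand %A..%D in a single pass over the template. Each value is
    escaped as it is inserted and is never rescanned, so a value that
    itself contains '%C' cannot trigger a second expansion."""
    values = {
        "%A": ldap_to_x500(issuer_ldap),   # issuer, X.500 order
        "%B": ldap_to_x500(subject_ldap),  # subject, X.500 order
        "%C": principal,                   # principal from the SAN
        "%D": principal.split("@", 1)[0],  # name part before the realm
    }
    out, i = [], 0
    while i < len(template):
        key = template[i:i + 2]
        if key in values:
            out.append(escape_filter_value(values[key]))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the CA in the LDAP order IPA would store it, and an
    # end-entity subject whose CN contains an escaped comma.
    issuer = "CN=Certificate Authority,OU=prod,O=Red Hat"
    subject = "CN=Doe\\, John,OU=users,DC=example,DC=test"
    print(build_mapping_filter(AD_STYLE_TEMPLATE, issuer, subject, "john.doe@EXAMPLE.TEST"))
```

The escaping step is what makes "LDAP filters first" safe as a design: the filter skeleton comes from the administrator's rule, but every value dropped into it comes from a certificate, and without escaping a subject such as `CN=x)(objectClass=*` would widen the match instead of failing it.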
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 10:15:21 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][synchronized] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Author: tomaskrizek Title: #6: handle termination of syncrepl watcher thread Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/6/head:pr6 git checkout pr6 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-6.patch Type: text/x-diff Size: 3604 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 09:19:51 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 10:19:51 +0100 Subject: [Freeipa-devel] [freeipa PR#354][+pushed] Fix DL1 replica installation in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/354 Title: #354: Fix DL1 replica installation in CA-less topology Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 20 09:19:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 10:19:53 +0100 Subject: [Freeipa-devel] [freeipa PR#354][comment] Fix DL1 replica installation in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/354 Title: #354: Fix DL1 replica installation in CA-less topology martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4028ad73e74fe62bd4871e842dbb69ff660125f9 """ See the full comment at https://github.com/freeipa/freeipa/pull/354#issuecomment-268193878 From freeipa-github-notification at redhat.com Tue Dec 20 09:19:54 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 10:19:54 +0100 Subject: [Freeipa-devel] [freeipa PR#354][closed] Fix DL1 replica installation in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/354 Author: frasertweedale Title: #354: Fix DL1 replica installation in CA-less topology Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/354/head:pr354 git checkout pr354 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 09:52:47 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tbordaz) Date: Tue, 20 Dec 2016 10:52:47 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][comment] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Title: #6: handle termination of syncrepl watcher thread tbordaz commented: """ The patch looks good to me. ACK """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/6#issuecomment-268201031 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 11:22:48 2016 From: bind-dyndb-ldap-github-notification at redhat.com (pspacek) Date: Tue, 20 Dec 2016 12:22:48 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][+ack] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Title: #6: handle termination of syncrepl watcher thread Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 11:38:03 2016 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 12:38:03 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][synchronized] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Author: tomaskrizek Title: #6: handle termination of syncrepl watcher thread Action: synchronized To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/6/head:pr6 git checkout pr6 -------------- next part -------------- A non-text attachment was scrubbed... Name: bind-dyndb-ldap-pr-6.patch Type: text/x-diff Size: 3065 bytes Desc: not available URL: From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 11:54:11 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 12:54:11 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][closed] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Author: tomaskrizek Title: #6: handle termination of syncrepl watcher thread Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/6/head:pr6 git checkout pr6 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 11:54:12 2016 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 12:54:12 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][comment] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Title: #6: handle termination of syncrepl watcher thread tomaskrizek commented: """ Fixed upstream: [edd8c0552eb7e977a961c9492eb18c177685e438](https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=edd8c0552eb7e977a961c9492eb18c177685e438) """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/6#issuecomment-268225002 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:20:56 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:20:56 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][comment] Add GDB pretty-printers for plugin data structures to contrib. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Title: #5: Add GDB pretty-printers for plugin data structures to contrib. tomaskrizek commented: """ Seems like a good addition for debugging, thanks! """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/5#issuecomment-268241265 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:20:59 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:20:59 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][+ack] Add GDB pretty-printers for plugin data structures to contrib. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Title: #5: Add GDB pretty-printers for plugin data structures to contrib. Label: +ack From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:32:27 2016 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:32:27 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][comment] Add GDB pretty-printers for plugin data structures to contrib. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Title: #5: Add GDB pretty-printers for plugin data structures to contrib. tomaskrizek commented: """ Fixed upstream: [0f9c9584a697147a2c56858acf5dec07ed8365bc](https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=0f9c9584a697147a2c56858acf5dec07ed8365bc) """ See the full comment at https://github.com/freeipa/bind-dyndb-ldap/pull/5#issuecomment-268243722 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:32:28 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:32:28 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][closed] Add GDB pretty-printers for plugin data structures to contrib. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Author: pspacek Title: #5: Add GDB pretty-printers for plugin data structures to contrib. Action: closed To pull the PR as Git branch: git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap git fetch ghbind-dyndb-ldap pull/5/head:pr5 git checkout pr5 From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:32:33 2016 From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:32:33 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#5][+pushed] Add GDB pretty-printers for plugin data structures to contrib. In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/5 Title: #5: Add GDB pretty-printers for plugin data structures to contrib. Label: +pushed From bind-dyndb-ldap-github-notification at redhat.com Tue Dec 20 13:32:48 2016 
From: bind-dyndb-ldap-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 14:32:48 +0100 Subject: [Freeipa-devel] [bind-dyndb-ldap PR#6][+pushed] handle termination of syncrepl watcher thread In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/bind-dyndb-ldap/pull/6 Title: #6: handle termination of syncrepl watcher thread Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 20 13:51:27 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 20 Dec 2016 14:51:27 +0100 Subject: [Freeipa-devel] [freeipa PR#355][opened] Set up DS TLS on replica in CA-less topology Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: opened PR body: """ Fixes: https://fedorahosted.org/freeipa/ticket/6226 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-355.patch Type: text/x-diff Size: 1021 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 13:58:17 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 20 Dec 2016 14:58:17 +0100 Subject: [Freeipa-devel] [freeipa PR#356][opened] server install: fix KRA agent PEM file not being created Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Author: jcholast Title: #356: server install: fix KRA agent PEM file not being created Action: opened PR body: """ In commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 the call to create the KRA agent PEM file was accidentally removed from the server installer. Call into the KRA installer from the server installer to create the file again. https://fedorahosted.org/freeipa/ticket/6392 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/356/head:pr356 git checkout pr356 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-356.patch Type: text/x-diff Size: 2256 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 14:25:56 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Tue, 20 Dec 2016 15:25:56 +0100 Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology jcholast commented: """ This is basically the same as 89de60c5d8ba64d619101a7498b8c4469b6e50ae which had to be reverted because it is not the proper fix. I would rather wait for the proper fix (#41), which has not been merged yet because it is blocked by https://bugzilla.redhat.com/show_bug.cgi?id=1377413. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268255672 From freeipa-github-notification at redhat.com Tue Dec 20 15:02:41 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 20 Dec 2016 16:02:41 +0100 Subject: [Freeipa-devel] [freeipa PR#139][synchronized] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Author: pvomacka Title: #139: WebUI: Vault Management Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/139/head:pr139 git checkout pr139 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-139.patch Type: text/x-diff Size: 86490 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 15:11:09 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:11:09 +0100 Subject: [Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission martbab commented: """ Bumping this PR as it seems a bit forgotten. """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268267300 From freeipa-github-notification at redhat.com Tue Dec 20 15:16:49 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:16:49 +0100 Subject: [Freeipa-devel] [freeipa PR#347][comment] Improvements in {get|set}_directive functions In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/347 Title: #347: Improvements in {get|set}_directive functions martbab commented: """ Please see my in-line replies to your in-line comments :). """ See the full comment at https://github.com/freeipa/freeipa/pull/347#issuecomment-268268766 From freeipa-github-notification at redhat.com Tue Dec 20 15:17:53 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:17:53 +0100 Subject: [Freeipa-devel] [freeipa PR#357][opened] Travis ci improvements Message-ID: URL: https://github.com/freeipa/freeipa/pull/357 Author: martbab Title: #357: Travis ci improvements Action: opened PR body: """ Test PR against my own fork to test Travis CI improvements. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/357/head:pr357 git checkout pr357 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-357.patch Type: text/x-diff Size: 6423 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 15:18:39 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:18:39 +0100 Subject: [Freeipa-devel] [freeipa PR#357][closed] Travis ci improvements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/357 Author: martbab Title: #357: Travis ci improvements Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/357/head:pr357 git checkout pr357 From freeipa-github-notification at redhat.com Tue Dec 20 15:18:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:18:53 +0100 Subject: [Freeipa-devel] [freeipa PR#357][+rejected] Travis ci improvements In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/357 Title: #357: Travis ci improvements Label: +rejected From freeipa-github-notification at redhat.com Tue Dec 20 15:20:26 2016 
From: freeipa-github-notification at redhat.com (pvomacka) Date: Tue, 20 Dec 2016 16:20:26 +0100 Subject: [Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/139 Title: #139: WebUI: Vault Management pvomacka commented: """ @mbasti-rh Both bugs fixed, thank you. Back to the difference between My User Vault and User Vault. I forgot to mention that My User Vault shows only vaults which are created for the user (who is logged in) and where that user is in Member or Owner group. I think that it is consistent with CLI, or not? """ See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-268269736 From freeipa-github-notification at redhat.com Tue Dec 20 15:25:19 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 20 Dec 2016 16:25:19 +0100 Subject: [Freeipa-devel] [freeipa PR#356][+ack] server install: fix KRA agent PEM file not being created In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Title: #356: server install: fix KRA agent PEM file not being created Label: +ack From freeipa-github-notification at redhat.com Tue Dec 20 15:25:25 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Tue, 20 Dec 2016 16:25:25 +0100 Subject: [Freeipa-devel] [freeipa PR#356][comment] server install: fix KRA agent PEM file not being created In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Title: #356: server install: fix KRA agent PEM file not being created stlaz commented: """ Works as expected. """ See the full comment at https://github.com/freeipa/freeipa/pull/356#issuecomment-268271111 From freeipa-github-notification at redhat.com Tue Dec 20 15:26:50 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:26:50 +0100 Subject: [Freeipa-devel] [freeipa PR#356][+pushed] server install: fix KRA agent PEM file not being created In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Title: #356: server install: fix KRA agent PEM file not being created Label: +pushed From freeipa-github-notification at redhat.com Tue Dec 20 15:26:52 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:26:52 +0100 Subject: [Freeipa-devel] [freeipa PR#356][comment] server install: fix KRA agent PEM file not being created In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Title: #356: server install: fix KRA agent PEM file not being created martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/998c87af2b7b2c704d34dd27fe99bda495a59e23 """ See the full comment at https://github.com/freeipa/freeipa/pull/356#issuecomment-268271487 From freeipa-github-notification at redhat.com Tue Dec 20 15:26:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Tue, 20 Dec 2016 16:26:53 +0100 Subject: [Freeipa-devel] [freeipa PR#356][closed] server install: fix KRA agent PEM file not being created In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/356 Author: jcholast Title: #356: server install: fix KRA agent PEM file not being created Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/356/head:pr356 git checkout pr356 From freeipa-github-notification at redhat.com Tue Dec 20 15:53:22 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Tue, 20 Dec 2016 16:53:22 +0100 Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology tomaskrizek commented: """ 89de60c was reverted because while it fixed this particular use case, it broke others. IIRC it broke regular replica promotion with CA. The proper fix is not yet ready, neither on the IPA side (#41 is a step in the right direction, but it also requires some more code fixes, especially properly closing some ad hoc LDAP connections), nor on the NSS side (ETA unknown). If this patch works and doesn't break other use cases, I would merge it and keep the ticket open. After the NSS bug is fixed, we can fix this properly. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268278842 From freeipa-github-notification at redhat.com Tue Dec 20 17:55:20 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Tue, 20 Dec 2016 18:55:20 +0100 Subject: [Freeipa-devel] [freeipa PR#358][opened] Use the tar Posix option for tarballs Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Author: simo5 Title: #358: Use the tar Posix option for tarballs Action: opened PR body: """ This is necessary to be able to successfully build archives in environments controlled by an IPA domain which may have large uidNumbers for user accounts. https://fedorahosted.org/freeipa/ticket/6418 
Signed-off-by: Simo Sorce """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/358/head:pr358 git checkout pr358 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-358.patch Type: text/x-diff Size: 836 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 20 22:28:48 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Tue, 20 Dec 2016 23:28:48 +0100 Subject: [Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission frasertweedale commented: """ On Tue, Dec 20, 2016 at 07:11:08AM -0800, Martin Babinsky wrote: > Bumping this PR as it seems a bit forgotten. > Cheers. Not forgotten, just not my top priority right now. """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268377852 From freeipa-github-notification at redhat.com Wed Dec 21 03:31:15 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 04:31:15 +0100 Subject: [Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-245.patch Type: text/x-diff Size: 88335 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 04:27:10 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 05:27:10 +0100 Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology frasertweedale commented: """ FWIW, this one does not break CA-ful replica promotion. """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268432611 From freeipa-github-notification at redhat.com Wed Dec 21 05:10:57 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 06:10:57 +0100 Subject: [Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-245.patch Type: text/x-diff Size: 88327 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 06:52:53 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 07:52:53 +0100 Subject: [Freeipa-devel] [freeipa PR#299][synchronized] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Author: frasertweedale Title: #299: Remove "Request Certificate with SubjectAltName" permission Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/299/head:pr299 git checkout pr299 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-299.patch Type: text/x-diff Size: 3735 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 06:54:57 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 07:54:57 +0100 Subject: [Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission frasertweedale commented: """ @martbab I don't think this will break migrations from v3; it does not actively remove the permission from existing deployments, it just doesn't add it for new installations. (Admittedly, it is the next thing to test but I have not done so yet). """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268450765 From freeipa-github-notification at redhat.com Wed Dec 21 06:57:19 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 21 Dec 2016 07:57:19 +0100 Subject: [Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently jcholast commented: """ `ipaldap` is not the proper place to handle this - it implements an (almost) generic LDAP client, not a 389 DS client, and as such should not contain any 389 DS specific hacks. The premise is that the server gets exactly what the user of `ipaldap` requested, and the user gets exactly what the server returned. The binary transfer option is currently handled in code of the affected commands. The next layer below is `baseldap`, which is where the handling should be moved to make it generic for all commands. Also note that the real bug in 389 DS is that it defines the attribute types to use octet string syntax, rather than the certificate syntax as defined in RFC 4523. It actually behaves correctly, not enforcing the binary transfer option on attribute types with octet string syntax. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268451076 From freeipa-github-notification at redhat.com Wed Dec 21 07:37:10 2016 
From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 21 Dec 2016 08:37:10 +0100 Subject: [Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs pspacek commented: """ Please add a note *why* it is necessary. Something like "ustar format we used before could not handle files with > 65535" or so. This will help a lot with Git archaeology. """ See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268456543 From freeipa-github-notification at redhat.com Wed Dec 21 07:40:45 2016 
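pspacek asks for the reason to be recorded in the commit message. The underlying limit is a property of the tar formats rather than of anything in the PR: ustar stores uid and gid in 8-byte fields as 7 octal digits followed by a NUL, so the largest representable id is 8^7 - 1 = 2097151, while the POSIX (pax) format that `tar --format=posix` selects moves larger values into an extended header record. The following Python is an added example written for this page, not code from the PR or from FreeIPA; it uses only the standard library's `tarfile` module, builds throwaway archives in memory, and its function names and the archive contents are constructed for illustration.

```python
"""Why `tar --format=posix`: ustar numeric fields cannot hold large uid/gid values.

Added example for this page (not FreeIPA code). Builds throwaway archives in
memory with the standard library and reads them back.
"""
import io
import tarfile

# ustar stores uid/gid in 8-byte fields as 7 octal digits + NUL: 0o7777777 == 2097151.
USTAR_MAX_ID = 8 ** 7 - 1

# Format names used by this example -> tarfile constants ("posix" is what the
# `--format=posix` option of GNU tar selects).
FORMATS = {
    "ustar": tarfile.USTAR_FORMAT,
    "gnu": tarfile.GNU_FORMAT,
    "posix": tarfile.PAX_FORMAT,
}


def archive_bytes(uid, fmt_name):
    """Build a one-member archive owned by `uid` in the named format.

    Returns the archive as bytes, or None when the format cannot encode the uid
    (tarfile raises ValueError("overflow in number field") for ustar).
    """
    payload = b"constructed file content\n"
    member = tarfile.TarInfo("README")
    member.size = len(payload)
    member.uid = uid
    member.gid = 0
    buf = io.BytesIO()
    try:
        with tarfile.open(fileobj=buf, mode="w", format=FORMATS[fmt_name]) as tar:
            tar.addfile(member, io.BytesIO(payload))
    except ValueError:
        return None
    return buf.getvalue()


def uid_after_roundtrip(uid, fmt_name):
    """Write `uid` with the named format, read the archive back, return the stored uid.

    None means the format refused the value; anything else is what a consumer
    of the tarball would see as the owner.
    """
    data = archive_bytes(uid, fmt_name)
    if data is None:
        return None
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return tar.getmembers()[0].uid


def report(uid):
    """Map each format name to the uid it stores for `uid` (None = cannot encode)."""
    return {name: uid_after_roundtrip(uid, name) for name in FORMATS}


if __name__ == "__main__":
    # The last value stands in for a uidNumber well above the ustar limit, as the PR body describes.
    for uid in (1000, USTAR_MAX_ID, USTAR_MAX_ID + 1, 1_900_000_000):
        print(uid, report(uid))
```

The `gnu` entry is included for comparison only: GNU tar's own format also survives large ids, via a base-256 encoding, but it is not what `--format=posix` produces and is not what the PR chose.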
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 08:40:45 +0100 Subject: [Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ @jcholast I disagree. If `ipaldap` is a generic LDAP client, it should obey the RFCs and always transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) with the `;binary` encoding option, and it should expect to see it when reading the relevant attributes from the server. IMO `ipaldap` should handle this transparently because it is part of the LDAP protocol. There is no 389DS-specific hack in my proposed change (but I'm curious about what part of it you feel is). This would also avoid inconsistent handling of relevant attributes between different plugins, which is the situation we currently have. But apart from the inconsistency (which is a nuisance) we have a bigger problem - in several plugins we specifically try to read `userCertificate`, but an RFC 4522 compliant server (which 389DS is not now, but hopefully one day will be) will always return `userCertificate;binary`. So, our current code breaks if/when that happens. Furthermore, other RFC 4522-compliant programs that correctly use the `;binary` transfer encoding option to, e.g. write certificates to user entries, will cause those certificates to be unreadable by *current* IPA code. This is not good enough. > Also note that the real bug in 389 DS is that it defines the attribute types to use octet string syntax, rather than the certificate syntax as defined in RFC 4523. It actually behaves correctly, not enforcing the binary transfer option on attribute types with octet string syntax. 
389DS does not behave correctly; its treatment of `;binary` is wrong in several ways, apart from the incorrect attribute syntax for relevant attributes. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268457017 From freeipa-github-notification at redhat.com Wed Dec 21 07:41:47 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 21 Dec 2016 08:41:47 +0100 Subject: [Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs pspacek commented: """ CondACK if the message is corrected. """ See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268457165 From freeipa-github-notification at redhat.com Wed Dec 21 07:44:28 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 08:44:28 +0100 Subject: [Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ @jcholast I disagree. If `ipaldap` is a generic LDAP client, it should obey the RFCs and always transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) with the `;binary` encoding option, and it should expect to see it when reading the relevant attributes from the server. IMO `ipaldap` should handle this transparently because it is part of the LDAP protocol. There is no 389DS-specific hack in my proposed change (but I'm curious about what part of it you feel is). This would also avoid inconsistent handling of relevant attributes between different plugins, which is the situation we currently have. But apart from the inconsistency (which is a nuisance) we have a bigger problem - in several plugins we specifically try to read `userCertificate`, but an RFC 4522 compliant server (which 389DS is not now, but hopefully one day will be) will always return `userCertificate;binary`. So, our current code breaks if/when that happens. Furthermore, other RFC 4522-compliant programs that correctly use the `;binary` transfer encoding option to, e.g. write certificates to user entries, will cause those certificates to be unreadable by *current* IPA plugin code. This is not good enough. > Also note that the real bug in 389 DS is that it defines the attribute types to use octet string syntax, rather than the certificate syntax as defined in RFC 4523. It actually behaves correctly, not enforcing the binary transfer option on attribute types with octet string syntax. 
389DS does not behave correctly; its treatment of `;binary` is wrong in several ways, apart from the incorrect attribute syntax for relevant attributes. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268457017 From freeipa-github-notification at redhat.com Wed Dec 21 09:39:37 2016 From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 21 Dec 2016 10:39:37 +0100 Subject: [Freeipa-devel] [freeipa PR#359][opened] dogtag: search past the first 100 certificates Message-ID: URL: https://github.com/freeipa/freeipa/pull/359 Author: jcholast Title: #359: dogtag: search past the first 100 certificates Action: opened PR body: """ Dogtag requires a size limit to be specified when searching for certificates. When no limit is specified in the dogtag plugin, a limit of 100 entries is assumed. As a result, an unlimited certificate search returns data only for a maximum of 100 certificates. Raise the "unlimited" limit to the maximum value Dogtag accepts. https://fedorahosted.org/freeipa/ticket/6564 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/359/head:pr359 git checkout pr359 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-359.patch Type: text/x-diff Size: 1222 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 11:55:02 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 21 Dec 2016 12:55:02 +0100 Subject: [Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently jcholast commented: """ > If `ipaldap` is a generic LDAP client, it should obey the RFCs and always transfer the relevant attributes (`userCertificate`, `cACertificate`, etc) with the `;binary` encoding option, and it should expect to see it when reading the relevant attributes from the server. No, it should respect whatever is defined on the server, otherwise it's not a generic LDAP client. If the server does something wrong, it has to be fixed there, on the server. The goal of `ipaldap` is not to make buggy or non-LDAPv3 (e.g. AD) servers look like they are LDAPv3-compliant, the goal is to interpret attributes according to the server-defined schema. > IMO `ipaldap` should handle this transparently because it is part of the LDAP protocol. Nowhere in the RFCs is it mandated that a compliant client cannot request the attributes without the option, nor that it must not accept the attributes without the option in server responses. If this was true, it would have to be fixed in OpenLDAP libs anyway, not in `ipaldap`. > There is no 389DS-specific hack in my proposed change (but I'm curious about what part of it you feel is). The part where you implicitly add the binary transfer option to attribute names (although not mandated on clients by any RFC) without knowing how the attribute types are defined on the server (although mandated only on attribute types with the certificate syntax by RFC 4523). > This would also avoid inconsistent handling of relevant attributes between different plugins, which is the situation we currently have. 
This is because of historical reasons (the original implementation of `host` and `service` plugins used `userCertificate` instead of `userCertificate;binary`) and will have to stay this way at least until all of the buggy 389 DS / IPA releases go out of support. > But apart from the inconsisency (which is a nusiance) we have a bigger problem - in several plugins we specifically try to read `userCertificate`, but a RFC 4522 compliant server (which 389DS is not now, but hopefully one day will be) will always return `userCertificate;binary`. So, our current code breaks if/when that happens. Furthermore, other RFC 4522-compliant programs that correctly use the ;binary transfer encoding option to, e.g. write certificates to user entries, will cause those certificates to be unreadable by current IPA plugin code. This is not good enough. We can easily fix the plugins to read from `userCertificate;binary` in addition to `userCertificate`. We have to continue to write to `userCertificate` only though, because of backward compatibility with older servers. > 389DS does not behave correctly; it's treatment of `;binary` is wrong in several ways, apart from the incorrect attribute syntax for relevant attributes. Not enforcing `;binary` on attribute types with octet string syntax *is* correct. I was not trying to imply anything else. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268505078 From freeipa-github-notification at redhat.com Wed Dec 21 12:00:02 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 21 Dec 2016 13:00:02 +0100 Subject: [Freeipa-devel] [freeipa PR#348][synchronized] ca: fix ca-find with --pkey-only In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/348 Author: jcholast Title: #348: ca: fix ca-find with --pkey-only Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/348/head:pr348 git checkout pr348 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-348.patch Type: text/x-diff Size: 1647 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 12:04:46 2016 From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 21 Dec 2016 13:04:46 +0100 Subject: [Freeipa-devel] [freeipa PR#358][synchronized] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Author: simo5 Title: #358: Use the tar Posix option for tarballs Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/358/head:pr358 git checkout pr358 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-358.patch Type: text/x-diff Size: 968 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 12:05:15 2016 
From: freeipa-github-notification at redhat.com (simo5) Date: Wed, 21 Dec 2016 13:05:15 +0100 Subject: [Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs simo5 commented: """ Amended """ See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268507057 From freeipa-github-notification at redhat.com Wed Dec 21 12:12:21 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 13:12:21 +0100 Subject: [Freeipa-devel] [freeipa PR#298][comment] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Title: #298: ipaldap: handle binary encoding option transparently frasertweedale commented: """ OK, let's just fix all the plugins / other routines that deal with the relevant attributes to explicitly read both `userCertificate` and `userCertificate;binary` and concat the results. I think there is a lot more we could and should do to improve usability w.r.t. these attributes but it will do for now. Closing this PR. """ See the full comment at https://github.com/freeipa/freeipa/pull/298#issuecomment-268508499 From freeipa-github-notification at redhat.com Wed Dec 21 12:12:23 2016 
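The PR#298 thread above ends with an agreed approach: plugins read certificates from both `userCertificate` and `userCertificate;binary` and concatenate the results, while writes keep going to the plain attribute name for compatibility with older servers. The following Python is an added example written for this page, not FreeIPA's `ipaldap` or plugin code. It models an entry the way python-ldap returns one (attribute description mapped to a list of byte values), merges the two spellings, and applies a cheap outer-envelope DER check so a base64 string or truncated blob under either name never reaches a certificate parser. `SAMPLE_ENTRY` and its short DER blobs are constructed stand-ins, not real certificates, and the function names are this example's own.

```python
"""Read certificate attributes whether or not the server used the ;binary option.

Added example for this page (not FreeIPA code). An `entry` is modelled the way
python-ldap returns it: a dict mapping attribute description -> list of bytes.
"""


def split_attribute(description):
    """'userCertificate;binary' -> ('usercertificate', {'binary'})."""
    name, *options = description.lower().split(";")
    return name, set(options)


def der_outer_length(blob):
    """Total encoded length of the outermost DER SEQUENCE, or None if malformed."""
    if len(blob) < 2 or blob[0] != 0x30:      # a Certificate is a SEQUENCE
        return None
    first = blob[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def looks_like_der_certificate(blob):
    """Envelope check only: one SEQUENCE whose declared length fills the value."""
    return der_outer_length(blob) == len(blob)


def collect_certificates(entry, base="userCertificate"):
    """Return DER values stored under `base`, with or without ;binary, deduplicated.

    Values that are not well-formed DER envelopes are dropped, so base64 text or
    a truncated blob under either spelling never reaches a certificate parser.
    """
    wanted = base.lower()
    seen = set()
    certs = []
    for description, values in entry.items():
        name, options = split_attribute(description)
        # Accept the bare name and name;binary; skip other options such as ;lang-en.
        if name != wanted or options - {"binary"}:
            continue
        for value in values:
            if value in seen or not looks_like_der_certificate(value):
                continue
            seen.add(value)
            certs.append(value)
    return certs


def write_attribute(base="userCertificate"):
    """Attribute description to use on writes: the plain name, never with ;binary."""
    return base.split(";")[0]


# Constructed sample entry. The blobs are minimal DER SEQUENCEs (SEQUENCE { INTEGER n }),
# not real certificates, so the example runs offline.
SAMPLE_ENTRY = {
    "userCertificate": [b"\x30\x03\x02\x01\x01"],
    "userCertificate;binary": [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"],
    "cACertificate;binary": [b"\x30\x82\x00\x03\x02\x01\x03"],   # long-form length
    "userCertificate;lang-en": [b"\x30\x03\x02\x01\x09"],          # ignored: other option
}

if __name__ == "__main__":
    for der in collect_certificates(SAMPLE_ENTRY):
        print(der.hex())
    print(write_attribute("userCertificate;binary"))
```

The duplicate suppression matters because a server that exposes the same attribute under both descriptions returns the same value twice; the envelope check is deliberately shallow and is no substitute for parsing the certificate afterwards.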
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 13:12:23 +0100 Subject: [Freeipa-devel] [freeipa PR#298][closed] ipaldap: handle binary encoding option transparently In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/298 Author: frasertweedale Title: #298: ipaldap: handle binary encoding option transparently Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/298/head:pr298 git checkout pr298 From freeipa-github-notification at redhat.com Wed Dec 21 12:16:40 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 13:16:40 +0100 Subject: [Freeipa-devel] [freeipa PR#348][comment] ca: fix ca-find with --pkey-only In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/348 Title: #348: ca: fix ca-find with --pkey-only frasertweedale commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/348#issuecomment-268509213 From freeipa-github-notification at redhat.com Wed Dec 21 13:17:45 2016 
From: freeipa-github-notification at redhat.com (tomaskrizek)
Date: Wed, 21 Dec 2016 14:17:45 +0100
Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

tomaskrizek commented:
"""
I've tested the following use cases:

- CA-less replica promotion domlvl1: *ldapssl running*; but the following behaviour is present: If `ipa-ca-install` is executed on replica, it finishes. But the next `ipa-ca-install`, i.e. on master, will fail with "CA did not start after 300 seconds". Relevant parts of pki and dirsrv logs:
  ```
  [21/Dec/2016:12:43:46][localhost-startStop-1]: SSL handshake happened
  Could not connect to LDAP server host vm-058-045.abc.idm.lab.eng.brq.redhat.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
  ---
  [21/Dec/2016:12:43:46.640540945 +0100] conn=4 fd=66 slot=66 SSL connection from 10.34.58.45 to 10.34.58.45
  [21/Dec/2016:12:43:46.653170560 +0100] conn=4 TLS1.2 128-bit AES
  [21/Dec/2016:12:43:46.665708312 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
  [21/Dec/2016:12:43:46.667668986 +0100] conn=4 op=0 RESULT err=48 tag=97 nentries=0 etime=0
  ```
  The same behavior is present when `ipa-ca-install` is first installed on master and then on replica. Basically, the second `ipa-ca-install` will fail. Running `ipa-certupdate` on the second server fixes the issue. This seems to be a separate issue, so I will file a bug for this.
- CA-full replica promotion domlvl1: *ldapssl running*
- CA-less replica installation domlvl0: *ldapssl running*
- CA-full replica installation domlvl0: *ldapssl running*

The fix seems to properly start the ldapssl both with CA-less and CA-full, therefore I'd accept this as a proper fix for the issue. Please address the minor improvement I suggested inline.
""" See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268520740 From freeipa-github-notification at redhat.com Wed Dec 21 13:51:04 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 21 Dec 2016 14:51:04 +0100 Subject: [Freeipa-devel] [freeipa PR#358][+ack] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs Label: +ack From freeipa-github-notification at redhat.com Wed Dec 21 13:51:10 2016 From: freeipa-github-notification at redhat.com (pspacek) Date: Wed, 21 Dec 2016 14:51:10 +0100 Subject: [Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs pspacek commented: """ Thanks, ACK! """ See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268527273 From freeipa-github-notification at redhat.com Wed Dec 21 13:54:29 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 14:54:29 +0100 Subject: [Freeipa-devel] [freeipa PR#358][+pushed] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 21 13:54:31 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 14:54:31 +0100 Subject: [Freeipa-devel] [freeipa PR#358][comment] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Title: #358: Use the tar Posix option for tarballs martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2bc01ec5b4a91a805912bdada429a91ab08ed196 """ See the full comment at https://github.com/freeipa/freeipa/pull/358#issuecomment-268527981 From freeipa-github-notification at redhat.com Wed Dec 21 13:54:32 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 14:54:32 +0100 Subject: [Freeipa-devel] [freeipa PR#358][closed] Use the tar Posix option for tarballs In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/358 Author: simo5 Title: #358: Use the tar Posix option for tarballs Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/358/head:pr358 git checkout pr358 From freeipa-github-notification at redhat.com Wed Dec 21 14:17:59 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 21 Dec 2016 15:17:59 +0100 Subject: [Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-317.patch Type: text/x-diff Size: 22423 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 14:27:38 2016 
From: freeipa-github-notification at redhat.com (jcholast) Date: Wed, 21 Dec 2016 15:27:38 +0100 Subject: [Freeipa-devel] [freeipa PR#360][opened] x509: use PyASN1 to parse PKCS#7 Message-ID: URL: https://github.com/freeipa/freeipa/pull/360 Author: jcholast Title: #360: x509: use PyASN1 to parse PKCS#7 Action: opened PR body: """ Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a subprocess. https://fedorahosted.org/freeipa/ticket/6550 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/360/head:pr360 git checkout pr360 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-360.patch Type: text/x-diff Size: 2760 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 14:28:42 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 21 Dec 2016 15:28:42 +0100 Subject: [Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-317.patch Type: text/x-diff Size: 22762 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 14:28:47 2016 
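As an added illustration of what PR#360 above replaces (shelling out to `openssl pkcs7` to pull certificates out of a PKCS#7 blob in `pkcs7_to_pems()`), the code below is not FreeIPA's implementation and does not use PyASN1: it is a small, strict DER walker written for this example that locates the `certificates [0] IMPLICIT` field of `SignedData` and emits each certificate as PEM. The sample PKCS#7 blob is constructed inline with a throwaway encoder and carries placeholder SEQUENCEs, not real X.509 certificates; the point is the structure and the failure modes, since BER indefinite lengths, trailing bytes and truncated input are refused instead of yielding a partial certificate list.

```python
import base64
from typing import List, Tuple

# Value bytes of the DER-encoded OIDs 1.2.840.113549.1.7.2 (PKCS#7 signedData)
# and 1.2.840.113549.1.7.1 (PKCS#7 data, used in the sample's inner contentInfo).
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")
DATA_OID = bytes.fromhex("2a864886f70d010701")
TAG_INTEGER, TAG_OID, TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x02, 0x06, 0x30, 0x31, 0xA0


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER TLV at pos and return (tag, value_start, value_end).
    Single-byte tags and definite lengths only: that is all PKCS#7 needs, and
    BER indefinite-length encodings are rejected on purpose."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in PKCS#7")
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length (BER, not DER)")
        if pos + n > len(buf):
            raise ValueError("truncated DER: short length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of input")
    return tag, pos, pos + length


def expect(buf: bytes, pos: int, tag: int, what: str) -> Tuple[int, int]:
    """read_tlv that insists on a given tag; returns (value_start, value_end)."""
    got, start, end = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02x}), got 0x{got:02x}")
    return start, end


def pkcs7_to_ders(data: bytes) -> List[bytes]:
    """Return the DER certificates carried in a PKCS#7 SignedData ContentInfo."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    ci_start, ci_end = expect(data, 0, TAG_SEQUENCE, "ContentInfo")
    if ci_end != len(data):
        raise ValueError("trailing bytes after ContentInfo")
    oid_start, oid_end = expect(data, ci_start, TAG_OID, "contentType")
    if data[oid_start:oid_end] != SIGNED_DATA_OID:
        raise ValueError("contentType is not signedData")
    content_start, _ = expect(data, oid_end, TAG_CTX0, "content [0]")
    # SignedData ::= SEQUENCE { version INTEGER, digestAlgorithms SET,
    #   contentInfo SEQUENCE, certificates [0] IMPLICIT OPTIONAL,
    #   crls [1] IMPLICIT OPTIONAL, signerInfos SET }
    sd_start, sd_end = expect(data, content_start, TAG_SEQUENCE, "SignedData")
    _, pos = expect(data, sd_start, TAG_INTEGER, "version")
    _, pos = expect(data, pos, TAG_SET, "digestAlgorithms")
    _, pos = expect(data, pos, TAG_SEQUENCE, "contentInfo")
    certs: List[bytes] = []
    if pos < sd_end:
        tag, set_start, set_end = read_tlv(data, pos)
        if tag == TAG_CTX0:  # IMPLICIT tagging: the SET's own tag is replaced by [0]
            p = set_start
            while p < set_end:
                ctag, _, cend = read_tlv(data, p)
                if ctag != TAG_SEQUENCE:
                    raise ValueError("only X.509 Certificate entries are supported")
                certs.append(data[p:cend])
                p = cend
    return certs


def der_to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pkcs7_to_pems(data: bytes) -> List[str]:
    return [der_to_pem(c) for c in pkcs7_to_ders(data)]


def der(tag: int, value: bytes) -> bytes:
    """Throwaway DER TLV encoder, used only to construct the sample input."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample: placeholder SEQUENCEs stand in for certificates; the
# first is long enough to exercise the multi-byte length path.
FAKE_CERT_A = der(TAG_SEQUENCE, der(TAG_INTEGER, b"\x01") + b"A" * 130)
FAKE_CERT_B = der(TAG_SEQUENCE, der(TAG_INTEGER, b"\x02") + b"B" * 5)
SAMPLE_P7 = der(TAG_SEQUENCE,
                der(TAG_OID, SIGNED_DATA_OID)
                + der(TAG_CTX0, der(TAG_SEQUENCE,
                                    der(TAG_INTEGER, b"\x01")
                                    + der(TAG_SET, b"")
                                    + der(TAG_SEQUENCE, der(TAG_OID, DATA_OID))
                                    + der(TAG_CTX0, FAKE_CERT_A + FAKE_CERT_B)
                                    + der(TAG_SET, b""))))
```

`pkcs7_to_pems(SAMPLE_P7)` returns two PEM blocks. A library such as PyASN1 with `pyasn1_modules` is the right tool for production code because it checks the full grammar; the walker above only shows which fields have to be skipped to reach the certificate list and why strict length handling matters for a parser that feeds a trust store.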
From: freeipa-github-notification at redhat.com (tomaskrizek) Date: Wed, 21 Dec 2016 15:28:47 +0100 Subject: [Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates tomaskrizek commented: """ With this fix, more than 100 certificates are displayed and click-able from WebUI overview. However, I'm still getting an error message pop up saying ``` Search result has been truncated: Configured size limit exceeded ``` And there is also this message at the bottom of the page: ``` Query returned more results than the configured size limit. Displaying the first 110 results. ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-268535538 From freeipa-github-notification at redhat.com Wed Dec 21 14:39:35 2016 From: freeipa-github-notification at redhat.com (stlaz) Date: Wed, 21 Dec 2016 15:39:35 +0100 Subject: [Freeipa-devel] [freeipa PR#317][synchronized] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Author: stlaz Title: #317: Unify password generation across FreeIPA Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/317/head:pr317 git checkout pr317 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-317.patch Type: text/x-diff Size: 22746 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 14:52:11 2016 
From: freeipa-github-notification at redhat.com (flo-renaud) Date: Wed, 21 Dec 2016 15:52:11 +0100 Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Title: #355: Set up DS TLS on replica in CA-less topology flo-renaud commented: """ @tomaskrizek FYI, the current documentation states that ipa-certupdate must be run after ipa-ca-install (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html). """ See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268541323 From freeipa-github-notification at redhat.com Wed Dec 21 16:01:48 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 17:01:48 +0100 Subject: [Freeipa-devel] [freeipa PR#361][opened] This PR implements a number of improvements for our Travis CI: Message-ID: URL: https://github.com/freeipa/freeipa/pull/361 Author: martbab Title: #361: This PR implements a number of improvements for our Travis CI: Action: opened PR body: """ * split out the test runner part into a standalone script, .travis.yml should now only define test matrix, set environment variables and process output after failure * mark the project as Python one, implement support for running builds using different python version (future-proofing against incoming Python2/3 CI) and cache job dependencies * use separate job for pep8/linters. This shaves off ca 6-8 minutes from overall build time. You should get CI results in 26 min compared to previous 33 min """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/361/head:pr361 git checkout pr361 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-361.patch Type: text/x-diff Size: 8978 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Wed Dec 21 16:04:08 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 17:04:08 +0100 Subject: [Freeipa-devel] [freeipa PR#299][+ack] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission Label: +ack From freeipa-github-notification at redhat.com Wed Dec 21 16:04:38 2016 
From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 17:04:38 +0100 Subject: [Freeipa-devel] [freeipa PR#299][+pushed] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission Label: +pushed From freeipa-github-notification at redhat.com Wed Dec 21 16:04:39 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 17:04:39 +0100 Subject: [Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Title: #299: Remove "Request Certificate with SubjectAltName" permission martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/bdbb1c34a2f5ef864cd3a943dcd047cde20de681 """ See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-268560529 From freeipa-github-notification at redhat.com Wed Dec 21 16:04:40 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Wed, 21 Dec 2016 17:04:40 +0100 Subject: [Freeipa-devel] [freeipa PR#299][closed] Remove "Request Certificate with SubjectAltName" permission In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/299 Author: frasertweedale Title: #299: Remove "Request Certificate with SubjectAltName" permission Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/299/head:pr299 git checkout pr299 From freeipa-github-notification at redhat.com Wed Dec 21 16:07:26 2016 
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Wed, 21 Dec 2016 17:07:26 +0100
Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

mbasti-rh commented:
"""
> @tomaskrizek FYI, the current documentation states that ipa-certupdate must be run after ipa-ca-install (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/CA-less-to-CA.html).

Bad UX, please open an RFE ticket for ipa-ca-install to execute certupdate automatically when needed
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268561239

From freeipa-github-notification at redhat.com Wed Dec 21 16:59:43 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 21 Dec 2016 17:59:43 +0100
Subject: [Freeipa-devel] [freeipa PR#317][+ack] Unify password generation across FreeIPA
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

Label: +ack

From freeipa-github-notification at redhat.com Wed Dec 21 16:59:59 2016
From: freeipa-github-notification at redhat.com (pspacek)
Date: Wed, 21 Dec 2016 17:59:59 +0100
Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Works for me, server installation including DNSSEC worked fine.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-268575899

From freeipa-github-notification at redhat.com Wed Dec 21 17:03:12 2016
From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Dec 2016 18:03:12 +0100 Subject: [Freeipa-devel] [freeipa PR#317][-ack] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA Label: -ack From freeipa-github-notification at redhat.com Wed Dec 21 17:04:40 2016 From: freeipa-github-notification at redhat.com (mbasti-rh) Date: Wed, 21 Dec 2016 18:04:40 +0100 Subject: [Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/317 Title: #317: Unify password generation across FreeIPA mbasti-rh commented: """ I would like to review this as well, so removing ACK to prevent pushing this to master """ See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-268577216 From freeipa-github-notification at redhat.com Wed Dec 21 22:09:01 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Wed, 21 Dec 2016 23:09:01 +0100 Subject: [Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-355.patch Type: text/x-diff Size: 1053 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 22 03:34:41 2016 
From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 22 Dec 2016 04:34:41 +0100 Subject: [Freeipa-devel] [freeipa PR#359][comment] dogtag: search past the first 100 certificates In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/359 Title: #359: dogtag: search past the first 100 certificates frasertweedale commented: """ This change is working for me, including having the expected behaviour for WebUI. @tomaskrizek please provide steps to reproduce your WebUI behaviour. """ See the full comment at https://github.com/freeipa/freeipa/pull/359#issuecomment-268710308 From freeipa-github-notification at redhat.com Thu Dec 22 03:38:07 2016 From: freeipa-github-notification at redhat.com (frasertweedale) Date: Thu, 22 Dec 2016 04:38:07 +0100 Subject: [Freeipa-devel] [freeipa PR#355][synchronized] Set up DS TLS on replica in CA-less topology In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/355 Author: frasertweedale Title: #355: Set up DS TLS on replica in CA-less topology Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/355/head:pr355 git checkout pr355 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-355.patch Type: text/x-diff Size: 1053 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Thu Dec 22 08:00:53 2016 
From: freeipa-github-notification at redhat.com (jcholast)
Date: Thu, 22 Dec 2016 09:00:53 +0100
Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

jcholast commented:
"""
@mbasti-rh, `ipa-certupdate` has to be run on *all* systems in the domain after installing a CA. How do you propose we do that from `ipa-ca-install`?

Anyway, the behavior @tomaskrizek is observing happens if you don't run `ipa-certupdate` *before* `ipa-ca-install` *on replica* and is caused by `ipa-ca-install` using local files rather than LDAP when looking for CA certificates.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268741247

From freeipa-github-notification at redhat.com Thu Dec 22 09:18:23 2016
From: freeipa-github-notification at redhat.com (pvoborni)
Date: Thu, 22 Dec 2016 10:18:23 +0100
Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

pvoborni commented:
"""
Running `ipa-certupdate` on all systems after `ipa-ca-install` is problematic. But we can at least make sure that `ipa-ca-install` on a replica will get whatever is possible automatically at the beginning (e.g. run the equivalent of `ipa-certupdate`) and also that it has a usable state after finishing `ipa-ca-install`, i.e., it will run whatever IPA calls it needs and that are possible.

Anyway, it is for another ticket. Maybe it already exists.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268754796

From freeipa-github-notification at redhat.com Thu Dec 22 09:20:48 2016
From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 22 Dec 2016 10:20:48 +0100 Subject: [Freeipa-devel] [freeipa PR#360][comment] x509: use PyASN1 to parse PKCS#7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/360 Title: #360: x509: use PyASN1 to parse PKCS#7 martbab commented: """ The failure comes from occasional hiccups in Travis CI DNS infra. """ See the full comment at https://github.com/freeipa/freeipa/pull/360#issuecomment-268755216 From freeipa-github-notification at redhat.com Thu Dec 22 09:21:04 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 22 Dec 2016 10:21:04 +0100 Subject: [Freeipa-devel] [freeipa PR#360][+ack] x509: use PyASN1 to parse PKCS#7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/360 Title: #360: x509: use PyASN1 to parse PKCS#7 Label: +ack From freeipa-github-notification at redhat.com Thu Dec 22 09:22:53 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 22 Dec 2016 10:22:53 +0100 Subject: [Freeipa-devel] [freeipa PR#360][+pushed] x509: use PyASN1 to parse PKCS#7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/360 Title: #360: x509: use PyASN1 to parse PKCS#7 Label: +pushed From freeipa-github-notification at redhat.com Thu Dec 22 09:22:55 2016 From: freeipa-github-notification at redhat.com (martbab) Date: Thu, 22 Dec 2016 10:22:55 +0100 Subject: [Freeipa-devel] [freeipa PR#360][comment] x509: use PyASN1 to parse PKCS#7 In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/360 Title: #360: x509: use PyASN1 to parse PKCS#7 martbab commented: """ Fixed upstream master: https://fedorahosted.org/freeipa/changeset/556fc21482e8061847556c653095edba7e7531f1 """ See the full comment at https://github.com/freeipa/freeipa/pull/360#issuecomment-268755618 From freeipa-github-notification at redhat.com Thu Dec 22 09:22:56 2016 
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Dec 2016 10:22:56 +0100
Subject: [Freeipa-devel] [freeipa PR#360][closed] x509: use PyASN1 to parse PKCS#7
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/360
Author: jcholast
Title: #360: x509: use PyASN1 to parse PKCS#7

Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/360/head:pr360
git checkout pr360

From phinojosa at kanteron.com Thu Dec 22 11:22:40 2016
From: phinojosa at kanteron.com (Pablo Hinojosa)
Date: Thu, 22 Dec 2016 12:22:40 +0100
Subject: [Freeipa-devel] Certificate expiration consequences
Message-ID: 

Hi all,

I have realized my FreeIPA WebUI SSL certificate is about to expire. It is supposed to auto-renew, but it seems I am affected by this bug/defect (maybe due to a misconfigured installation). Here you can check the current status with getcert list.

My main priority is to know if LDAP login will work when the certificate is expired. Will I have problems with it? Will login be blocked, or will it work as expected?

Thanks for your support

Cheers,

-- 
Pablo Hinojosa
System administrator
Kanteron Systems (kanteron.com)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From freeipa-github-notification at redhat.com Thu Dec 22 11:57:11 2016
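Since the question above hinges on what `getcert list` reports (the attachment did not survive the archive), here is an added check that is not part of the thread or of FreeIPA: it parses the `Request ID '...':` blocks with indented `field: value` lines that `getcert list` prints, then flags every tracked certificate that is expired, within a warning window, or whose certmonger request is stuck or in a state other than MONITORING, which is the situation in which auto-renewal silently does not happen. The sample output is constructed for the example (hostnames, subjects, dates and request IDs are invented) but follows the layout of the real command.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample of `getcert list` output (layout only; names, dates and
# request IDs are invented for the example).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20160101120000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-01-05 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20160101120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-06-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20160101120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2018-01-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^\t([^:]+): ?(.*)$")   # key is everything up to the first colon


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracked request."""
    requests: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def parse_expiry(value: str) -> datetime:
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def find_problems(text: str, now: datetime, warn_days: int = 30) -> List[Tuple[str, str]]:
    """Return (request_id, reason) for every request needing attention: renewal
    not healthy (stuck, or status other than MONITORING), no certificate yet,
    already expired, or expiring within warn_days of `now`."""
    problems: List[Tuple[str, str]] = []
    for req in parse_getcert_list(text):
        rid = req["request_id"]
        status = req.get("status", "?")
        if req.get("stuck") == "yes" or status != "MONITORING":
            problems.append((rid, f"renewal not healthy: status={status}, stuck={req.get('stuck', '?')}"))
        if "expires" not in req:
            problems.append((rid, "no certificate issued yet"))
            continue
        remaining = parse_expiry(req["expires"]) - now
        if remaining < timedelta(0):
            problems.append((rid, "EXPIRED"))
        elif remaining < timedelta(days=warn_days):
            problems.append((rid, f"expires in {remaining.days} days"))
    return problems


if __name__ == "__main__":
    import subprocess
    try:
        output = subprocess.run(["getcert", "list"], check=True,
                                capture_output=True, text=True).stdout
    except FileNotFoundError:
        output = SAMPLE_GETCERT_OUTPUT   # certmonger not installed: show the sample
    for rid, reason in find_problems(output, datetime.now(timezone.utc)):
        print(f"{rid}: {reason}")
```

Run on a server, the script prints one line per request that needs attention and nothing when everything is healthy, which makes it easy to wire into a cron job or a monitoring check. A status such as CA_UNREACHABLE with `stuck: yes` is the signal to investigate before the expiry date rather than after.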
From: freeipa-github-notification at redhat.com (mbasti-rh)
Date: Thu, 22 Dec 2016 12:57:11 +0100
Subject: [Freeipa-devel] [freeipa PR#355][comment] Set up DS TLS on replica in CA-less topology
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/355
Title: #355: Set up DS TLS on replica in CA-less topology

mbasti-rh commented:
"""
@jcholast anyway I still see ways to improve UX:
- print a big fat message to the user at the end of ipa-ca-install to run ipa-certupdate everywhere when needed (instead of finding the solution in the darkest corners of the docs)
- automatically run it at least on the current replica

Still worth a ticket IMO

@pvoborni +1
"""

See the full comment at https://github.com/freeipa/freeipa/pull/355#issuecomment-268785240

From freeipa-github-notification at redhat.com Thu Dec 22 13:06:39 2016
From: freeipa-github-notification at redhat.com (martbab)
Date: Thu, 22 Dec 2016 14:06:39 +0100
Subject: [Freeipa-devel] [freeipa PR#347][synchronized] Improvements in {get|set}_directive functions
In-Reply-To: 
References: 
Message-ID: 

URL: https://github.com/freeipa/freeipa/pull/347
Author: martbab
Title: #347: Improvements in {get|set}_directive functions

Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/347/head:pr347
git checkout pr347
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pr-347.patch
Type: text/x-diff
Size: 5534 bytes
Desc: not available
URL: 

From freeipa-github-notification at redhat.com Thu Dec 22 23:28:13 2016
From: freeipa-github-notification at redhat.com (simo5) Date: Fri, 23 Dec 2016 00:28:13 +0100 Subject: [Freeipa-devel] [freeipa PR#314][synchronized] RFC: privilege separation for ipa framework code In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/314 Author: simo5 Title: #314: RFC: privilege separation for ipa framework code Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/314/head:pr314 git checkout pr314 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-314.patch Type: text/x-diff Size: 228313 bytes Desc: not available URL: From freeipa-github-notification at redhat.com Tue Dec 27 10:40:05 2016 From: freeipa-github-notification at redhat.com (Akasurde) Date: Tue, 27 Dec 2016 11:40:05 +0100 Subject: [Freeipa-devel] [freeipa PR#209][synchronized] Enumerate available options in IPA installer In-Reply-To: References: Message-ID: URL: https://github.com/freeipa/freeipa/pull/209 Author: Akasurde Title: #209: Enumerate available options in IPA installer Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/209/head:pr209 git checkout pr209 -------------- next part -------------- A non-text attachment was scrubbed... Name: freeipa-pr-209.patch Type: text/x-diff Size: 1091 bytes Desc: not available URL: From Oucema.Bellagha at hotmail.com Fri Dec 30 15:02:21 2016 
From: Oucema.Bellagha at hotmail.com (Oucema Bellagha)
Date: Fri, 30 Dec 2016 15:02:21 +0000
Subject: [Freeipa-devel] IPA-AD user authentication to Linux servers using ssh-key?
Message-ID: 

Hi folks,

After establishing the trust between AD and IPA, users from AD can authenticate to Linux servers using a password, but I want to add another authentication method using an ssh-key.

I can add an SSH key to AD users by adding a new schema attribute, but then the ssh-key can't be managed by IPA.

Is there another way to manage ssh-keys for AD users from IPA? Or another method simply allowing ssh-key authentication of AD users to Linux servers?

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From lslebodn at redhat.com Fri Dec 30 21:39:48 2016
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Fri, 30 Dec 2016 22:39:48 +0100
Subject: [Freeipa-devel] IPA-AD user authentication to Linux servers using ssh-key?
In-Reply-To: 
References: 
Message-ID: <20161230213947.GC22314@10.4.128.1>

On (30/12/16 15:02), Oucema Bellagha wrote:
>Hi folks,
>
>After establishing the trust between AD and IPA, users from AD can authenticate to Linux servers using a password, but I want to add another authentication method using an ssh-key.
>
>I can add an SSH key to AD users by adding a new schema attribute, but then the ssh-key can't be managed by IPA.
>
>Is there another way to manage ssh-keys for AD users from IPA? Or another method simply allowing ssh-key authentication of AD users to Linux servers?
>

If you have freeIPA >= 4.1.3 then you can try ipa overrides
https://fedorahosted.org/freeipa/ticket/4868

LS
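As an added example (not from the thread or from FreeIPA) of the ID-override route Lukas points to: before attaching a key to an AD user's override with `ipa idoverrideuser-add ... --sshpubkey=...`, it is worth validating the OpenSSH key line the way the server itself will, so a pasted key with a mismatched type or corrupted base64 is caught locally with a clear message. The code below parses the `<keytype> <base64-blob> [comment]` line, checks that the blob's first length-prefixed field matches the declared type, computes the SHA256 fingerprint, and builds the command line; the view name `Default Trust View`, the user `aduser@ad.example.test` and the 32-byte key material are placeholders constructed for the example, not a real key.

```python
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_strings(blob: bytes) -> List[bytes]:
    """Split an OpenSSH key blob into its length-prefixed fields, refusing
    truncated or oversized length fields."""
    fields: List[bytes] = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of key blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def parse_openssh_pubkey(line: str) -> Tuple[str, bytes, str]:
    """Validate one OpenSSH public key line; return (keytype, blob, comment).

    The checks mirror what FreeIPA enforces before storing a key: the base64
    decodes cleanly, and the first field inside the blob equals the declared
    key type (so 'ssh-rsa' text in front of an ed25519 blob is rejected)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    fields = _read_ssh_strings(blob)
    if not fields or fields[0] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match the blob")
    return keytype, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64 of the blob's digest)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def override_argv(ad_user: str, key_line: str,
                  view: str = "Default Trust View") -> List[str]:
    """Build the `ipa idoverrideuser-add` command that attaches the key to an
    AD user's ID override. The key is re-serialised from the validated parts
    so only a well-formed line reaches the server. View and user names are
    placeholders to be replaced by the caller."""
    keytype, blob, comment = parse_openssh_pubkey(key_line)
    canonical = f"{keytype} {base64.b64encode(blob).decode('ascii')} {comment}".strip()
    return ["ipa", "idoverrideuser-add", view, ad_user, f"--sshpubkey={canonical}"]


# Constructed sample: an ed25519-shaped blob wrapping made-up key bytes.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_KEY_LINE = ("ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")
                   + " aduser@ad.example.test")

if __name__ == "__main__":
    print(fingerprint(parse_openssh_pubkey(SAMPLE_KEY_LINE)[1]))
    print(" ".join(override_argv("aduser@ad.example.test", SAMPLE_KEY_LINE)))
```

The returned argv can be handed to `subprocess.run` on a host with an admin Kerberos ticket; SSSD on the trusting hosts then serves the key from the override, so nothing has to be added to the AD schema.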